Cfengine: Difference between revisions
Jump to navigation
Jump to search
Differences with
mNo edit summary |
|||
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{|style="float: right;" | {|style="float: right;" | ||
|[[cfplaypen]] is a server running a stripped-down<br />execute-alike implementation of cfengine<br />which can be used to learn about cfengine's<br />operation and promises files. | |[[cfplaypen]] is a CSE server running a stripped-down<br />execute-alike implementation of cfengine<br />which can be used to learn about cfengine's<br />operation and promises files. | ||
|} | |} | ||
cfengine is the configuration management tool used in [[New World]]. | '''cfengine''' is the configuration management tool used in [[New World]]. Its main job on managed hosts is to install configuration files in <code>/etc</code> and CSE-specific files and CSE-specific software under <code>/usr/local</code>. Installation of standard [[Debian]] packages is handled by <code>apt-get</code> from lists installed by cfengine. | ||
Here is cfengine's [https://www.cfengine.com website] where you can find full documentation. | Here is cfengine's [https://www.cfengine.com website] where you can find full documentation. Importantly, this is where you can find out about "promises". | ||
cfengine is a standard Debian package so it is auto-updated along with all other packages on New World systems. | cfengine is a standard Debian package so it is auto-updated (see [[unattended-upgrades]]) along with all other packages on New World systems. | ||
== Differences with <code>[[conform]]</code> == | |||
* cfengine, as used in New World, does not install software packages. Instead, it mainly installs configuration files (mostly in <code>/etc</code>) and | The main differences between cfengine and [[Old World]]'s <code>[[conform]]</code> are: | ||
* cfengine, as used in New World, does not install software packages. Instead, it mainly installs configuration and other files (mostly in <code>/etc</code> and under <code>/usr/local</code>) and installs lists of desired Debian packages on each host which are then subsequently installed by separate scripts. | |||
* cfengine is a well- and widely-supported set of tools, rather than a custom CSE-only jobbie. | * cfengine is a well- and widely-supported set of tools, rather than a custom CSE-only jobbie. | ||
* cfengine works on what could be described as a successive-approximation model, where each run gradually moves a host towards a fully-convergent state in line with a CSG-supplied set of "promises" (of what needs to be | * cfengine works on what could be described as a successive-approximation model, where each run gradually moves a host towards a fully-convergent state in line with a CSG-supplied set of "promises" (of what the host's state needs to be). Implicit in this is that some individual promises may not necessarily be kept straight away but that cfengine will keep trying to fulfill them each time it is run. | ||
* cfengine runs every five minutes rather than nightly (as does conform). | * cfengine runs every five minutes rather than nightly (as does <code>conform</code>). | ||
== cfengine components == | == cfengine components == | ||
| Line 23: | Line 25: | ||
Rather than being one single program, as is <code>conform</code>, cfengine consists of a number of components or tools. | Rather than being one single program, as is <code>conform</code>, cfengine consists of a number of components or tools. | ||
{| | {|class="firstcolfixed" | ||
!Tool/program | !Tool/program | ||
!Description | !Description | ||
| Line 39: | Line 41: | ||
|Unused in CSE, this program can be run on cfengine-managed hosts to collect local data and make it available to other hosts. | |Unused in CSE, this program can be run on cfengine-managed hosts to collect local data and make it available to other hosts. | ||
|} | |} | ||
Generally speaking, when we refer to "running cfengine" we're actually talking about running the <code>cf-agent</code> component of cfengine. | |||
== Configuration of cfengine == | == Configuration of cfengine == | ||
* | cfengine lives (for want of a better term) on a host called nw-syd-cfengine-hub. This is where component promise files are created and edited, and which are then merged into a single <code>promises.cf</code> file for <code>cf-agent</code>, <code>cf-execd</code> and <code>cf-serverd</code> to read. | ||
* | |||
These "master" promise component files are located in: | |||
:<code>/var/lib/cfengine3/masterfiles</code> | |||
<code>cf-agent</code> itself looks for <code>promises.cf</code> in: | |||
:<code>/var/lib/cfengine3/inputs</code> | |||
The component promise files are checked and then "compiled" into the final <code>promises.cf</code> file by the script: | |||
:<code>/usr/local/administration/bin/[[check_and_install_promises]]</code> | |||
<code>cf-agent</code> on each host will then download the updated <code>promises.cf</code> file the next time it runs. | |||
It is worth noting that the standard cfengine package includes a large library of common/standard promises which can be used by promise developers. These libraries are discussed in the cfengine documentation mentioned above but ARE NOT USED in CSE's implementation. This is solely to reduce the footprint and impact of cfengine on CSE systems. | |||
== CSE promises == | |||
As mentioned above, CSE's source promises component files are located in <code>/var/lib/cfengine3/masterfiles</code>. | |||
* <code>m4</code> is used to combine the individual promise file components into the file. The m4 source file is <code>promises.m4</code> and the individual promise files are all named <code>*.inc</code>. | |||
* <code>cfexecdconf.inc</code> contains configuration for <code>cf-execd</code> which controls when <code>cf-agent</code> is run. | |||
* <code>cfserverdconf.inc</code> contains configuration for <code>cf-serverd</code>. This mostly has to do with access control — which client hosts can access the cfengine promises file and can download files from the [[warehouse]]. | |||
* <code>defjson.inc</code> downloads the per-host configuration file (<code>defs.json</code> used to individually tailor cfengine's operation on each host. | |||
* <code>config.inc</code> contains general [[host class]] configuration applicable fleet-wide. | |||
* <code>utility.inc</code> is a small library of CSE-specific utility promises and constructs which can be used in other promises. | |||
[[Category:Pages needing work]] | [[Category:Pages needing work]] | ||
Latest revision as of 10:40, 5 September 2023
| cfplaypen is a CSE server running a stripped-down execute-alike implementation of cfengine which can be used to learn about cfengine's operation and promises files. |
cfengine is the configuration management tool used in New World. Its main job on managed hosts is to install configuration files in /etc and CSE-specific files and CSE-specific software under /usr/local. Installation of standard Debian packages is handled by apt-get from lists installed by cfengine.
Here is cfengine's website where you can find full documentation. Importantly, this is where you can find out about "promises".
cfengine is a standard Debian package so it is auto-updated (see unattended-upgrades) along with all other packages on New World systems.
Differences with conform
The main differences between cfengine and Old World's conform are:
- cfengine, as used in New World, does not install software packages. Instead, it mainly installs configuration and other files (mostly in
/etcand under/usr/local) and installs lists of desired Debian packages on each host which are then subsequently installed by separate scripts.
- cfengine is a well- and widely-supported set of tools, rather than a custom CSE-only jobbie.
- cfengine works on what could be described as a successive-approximation model, where each run gradually moves a host towards a fully-convergent state in line with a CSG-supplied set of "promises" (of what the host's state needs to be). Implicit in this is that some individual promises may not necessarily be kept straight away but that cfengine will keep trying to fulfill them each time it is run.
- cfengine runs every five minutes rather than nightly (as does
conform).
cfengine components
Rather than being one single program, as is conform, cfengine consists of a number of components or tools.
| Tool/program | Description |
|---|---|
cf-agent
|
This is the part of cfengine which does the actual work of installing configuration files, copying over other files and package lists from the cfengine hub and running any scripts or programs specified in the promises. It runs on the host-to-be-configured either manually or at regular intervals by cf-execd (see below).
|
cf-execd
|
This is cfengine's equivalent of crond. It runs cf-agent according to a schedule which, by default, is once every five minutes 24/7. cf-execd will only run one instance of cf-agent at a time. cf-execd runs on each cfengine-managed host.
|
cf-serverd
|
A glorified file server with client-host authentication and access control, cf-serverd runs on the cfengine hub and serves files to clients. These can be promises or any other files which need to be installed on a client.
|
cf-monitord
|
Unused in CSE, this program can be run on cfengine-managed hosts to collect local data and make it available to other hosts. |
Generally speaking, when we refer to "running cfengine" we're actually talking about running the cf-agent component of cfengine.
Configuration of cfengine
cfengine lives (for want of a better term) on a host called nw-syd-cfengine-hub. This is where component promise files are created and edited, and which are then merged into a single promises.cf file for cf-agent, cf-execd and cf-serverd to read.
These "master" promise component files are located in:
/var/lib/cfengine3/masterfiles
cf-agent itself looks for promises.cf in:
/var/lib/cfengine3/inputs
The component promise files are checked and then "compiled" into the final promises.cf file by the script:
/usr/local/administration/bin/check_and_install_promises
cf-agent on each host will then download the updated promises.cf file the next time it runs.
It is worth noting that the standard cfengine package includes a large library of common/standard promises which can be used by promise developers. These libraries are discussed in the cfengine documentation mentioned above but ARE NOT USED in CSE's implementation. This is solely to reduce the footprint and impact of cfengine on CSE systems.
CSE promises
As mentioned above, CSE's source promises component files are located in /var/lib/cfengine3/masterfiles.
m4is used to combine the individual promise file components into the file. The m4 source file ispromises.m4and the individual promise files are all named*.inc.cfexecdconf.inccontains configuration forcf-execdwhich controls whencf-agentis run.cfserverdconf.inccontains configuration forcf-serverd. This mostly has to do with access control — which client hosts can access the cfengine promises file and can download files from the warehouse.defjson.incdownloads the per-host configuration file (defs.jsonused to individually tailor cfengine's operation on each host.config.inccontains general host class configuration applicable fleet-wide.utility.incis a small library of CSE-specific utility promises and constructs which can be used in other promises.