Cfengine is a wonderful tool for configuring and maintaining Unix computer systems. MarkBurgess, the author ofCfengine, describes it as follows:
What'd he say? Using Cfengine means that you'll have to get used to some unfamiliar jargon, but it's worth it. Basically, what Mark is saying is that Cfengine is a standalone tool (set of tools) that administers and configures computers according to the instructions in its configuration files. The configuration files describe the desired characteristics of various system components using a high-level language which is easy to learn and use (and involves no programming). In this way, Cfengine can automatically bring one or a very large number of systems into line with each one's individually defined configuration specifications. It can also make sure they stay that way by monitoring them and correcting them as needed on an ongoing basis. In more practical terms, the following list will give you some idea of the breadth of administration and configuration tasks thatCfengine can automate:
Cfengine's home page is http://www.cfengine.org. 14.5.1 About CfengineCfengine includes the following components:
Cfengine uses several configuration files (generally stored in /var/cfengine/inputs). The central configuration file is cfagent.conf, which specifies the characteristics of the system thatCfengine is to establish and maintain. Note that in genera,l cfagent.conf defines the final desired state of the system; it does not define the steps to take to achieve it. The best way to introduce this file is with a simple example: control: domain = ( ahania.com ) Specify local domain. access = ( chavez root ) Who can run cfagent. actionsequence = ( links tidy ) Actions to carry out, in this order. maxage = ( 7 ) Define a variable for later use. groups: Define a list of hosts. HaveNoBin = ( blake yeats bogan toi robin ) tidy: Action: remove unwanted files. /tmp pattern=* age=$(maxage) recurse=inf /home pattern=*~ recurse=inf links: Action: maintain symbolic links. /logs -> /var/log Create this link if needed. HaveNoBin:: Create this link only on these hosts. /bin -> /usr/bin This file contains four sections, each headed by a keyword followed by a colon. The first section, control, is used to specify general settings for the file, to define variables, and for other similar purposes. In this case, it specifies a list of users who are allowed to run cfagent using this file as input, specifies the sequence of actions that should be carried out when the file is invoked, and defines a variable named maxage, setting its value to 7. Assignment statements use the syntax illustrated in the example, using parentheses as delimiters: name = ( value ) Actions are operations that Cfengine knows how to perform, and they are referred to by keywords. Here, we specify that the tidy action be performed first, followed by the links action. Each referenced action must have a section defining it somewhere in the configuration file. The next section, groups, defines a list of groups which we've named HaveNoBin. This list will be used in the links section. The next section in the file is the tidy section, which specifies unwanted files that Cfengine is to remove. These entries have the following general syntax: start-dir [pattern=pattern] [recurse=n] options start-dir is the directory in which to start searching, pattern is a pattern against which to match filenames (possibly containing wildcards), n indicates how many levels of recursion are wanted (inf means infinite), and options are additional options further specifying the files to be selected for removal. In this case, files under /home ending with a tilde (and not starting with a period) are chosen (emacs backup files), as are files under /tmp last modified more than seven days ago. Note that the parameter to the age option is specified using the maxage variable. The final section in the file is the links section, which specifies symbolic links that Cfengine is to maintain. In this case, two such links are listed, using the format: link -> target Here, we specify that the /var/log directory should be linked to /logs and also that /bin should be a link to /usr/bin. When run, Cfengine checks whether these links exist, creating them if necessary. However, the latter link applies only to hosts in the list HaveNoBin. This is specified by preceding the link specification with a class designation (indicated by the double colons). In this case, the class is defined by the host group name, but much more complex classes are possible (as we'll see).
Table 14-2 lists the most importantCfengine actions. We'll look at examples of several of them in the next subsection.
14.5.2 ActionsWe'll begin with a slightly more complicated tidy example: control: split = ( " " ) dirlist = ( "tmp var/tmp 1/scratch 2/scratch" ) tidy: /$(dirlist) pattern=* age=3 recurse=inf The control section specifies the list separator character and then defines the variable dirlist as a list of four directories. This variable is then used in the tidy specification, and the three options apply to each directory in turn. The files action is used to specify various desired characteristics and corrective actions for files. Here is an example section: files: /etc/security mode=600 owner=root group=0 recurse=inf action=fixall /home recurse=inf include=*.dat action=compress /var/log/messages owner=root mode=644 action=create The first entry specifies the required ownership and protection of the directory /etc/security and everything under it. By default, Cfengine checks whether the current settings conform to these specifications. Here, however, action=fixall tells Cfengine to modify the current settings if necessary to match the specified ones. The second entry causes all files with an extension of .dat under /home to be compressed. The third entry creates the file /var/log/messages if it does not exist. The files action can also be used to verify the integrity of system executables in /usr/bin: control: ChecksumDatabase = ( /usr/local/admin/cfengine/cksums ) files: /usr/bin checksum=md5 exclude=*.sav action=warnall The database file used to store the correct checksums for files is specified in the control section, and the checksum option in the files entry specifies that the comparison be made. A warning will be issued for each incorrect checksum. On Solaris systems, Cfengine can also specify ACLs for files: acl: Define an ACL. { secure1 method:overwrite Replace current ACL (default is "append"). fstype:posix default_user:*:=rwx default_group:chem:=rwx default_other:*:= user:chavez:=rwx user:mark:+rx user:toreo:=r mask:*:rwx } files: /private acl=secure1 action=fixall The acl section defines one or more named ACLs, which can then be specified for files (see Section 7.4 for more information about access control lists). The disable action causes Cfengine to rename files which ought not to be present on this system: disable: /etc/hosts.equiv home/.rhosts inform=true /var/log/messages rotate=6 The first two entries cause Cfengine to rename the indicated files if they exist, adding the extension .cfengine. In the second case, the special directory keyword home is used to refer to all user home directories. In this case, Cfengine also issues a warning message when such files are found. The third entry illustrates another use for the disable section: log file rotation. The entry tells Cfengine to maintain six old copies of the /var/log/messages file. As with other log rotation facilities, the saved files are given the extensions .1 through .6. The following actions specify the default gateway and name server list for the system: defaultroute: Specify default gateway. 192.168.20.44 resolve: Name server list. 192.168.1.1 192.168.10.24 Cfengine adds a static route for the specified default gateway if one does not already exist. Similarly, the servers listed in the resolve section are added to /etc/resolv.conf if necessary, and the resulting server list are ordered as indicated in the resolve section of cfagent.conf. The processes action may be used to tell Cfengine to verify that important processes are running, restarting them if necessary, as well as to have Cfengine signal processes: processes: "sendmail" restart "/usr/sbin/sendmail" useshell=false inform=true "inetd" signal=hup "kudzu" signal=kill "g02" matches<=2 signal=suspend action=bymatch inform=true The first field in each entry is a pattern that is matched against the output of the ps command.[9] In general, Cfengine will apply the entry's specifications to each matching process.
The first entry causes Cfengine to determine if there is a sendmail daemon running. If not, one is started using the specified command. The useshell options says not to use a subshell when restarting the daemon (see the Cfengine documentation for the rationale and implementation details). The next two entries specify signals to be sent to the inetd and kudzu processes if they are present. The final entry causes Cfengine to search for processes matching the string "g02", and it will count the number of such processes. The entry specifies that the desired system state include no more than two such processes. The action=bymatch option tells Cfengine to correct the situation when this condition is not met, according to the directives of the other options. In this case, if there are more than two such processes i.e., if the desired condition specified by matches=<2 is not met it suspends all of them (signal=suspend) and outputs a message indicating this. The editfiles action can be used to make changes to ASCII text files. It is very useful for maintaining certain system configuration files. For example, the following section tells Cfengine to disable some inetd-based unwanted services: editfiles: { /etc/inetd.conf HashCommentLinesContaining "rlogin" HashCommentLinesContaining "rexec" HashCommentLinesContaining "finger" HashCommentLinesContaining "tftp" } Similarly, the following section tells Cfengine to add a line to existing user .login scripts if it is not already present: editfiles: { home/.login AppendIfNoSuchLine "/usr/local/bin/motd.pl" } See the Cfengine documentation for full details on the capabilities of this action. The copy action is used to tell Cfengine to copy local or remote files to the local system, as in these simple examples: copy: /aux/save/etc/ntp.drift dest=/etc/ntp.drift mode=644 /aux/save/etc/shells dest=/etc/shells mode=644 /masterfiles/etc/hosts.deny serverfilemaster dest=/etc/hosts.deny owner=root group=0 mode=644 The first two entries specify local files to be copied from the source the first field to the destination location (dest= option). The third entry causes a file to be copied from filemaster:/masterfiles/etc/hosts.deny to /etc/hosts.deny on the local system. The copied file will be assigned the specified ownership and file protection mode. 14.5.3 ClassesHere is a more complex copy section, which also reintroducesCfengine classes: copy: linux:: $(masteretc)/rc.config dest=/etc/rc.config o=root mode=644 ShadowHosts:: $(masteretc)/passwd server=$(pwdmaster) dest=/etc/passwd owner=0 group=0 mode=644 trustkey=true $(masteretc)/shadow server=$(pwdmaster) dest=/etc/shadow owner=0 group=0 mode=600 trustkey=true encrypt=true The first copy operation will occur only on Linux systems, and it consists of copying the file rc.config from the location specified in the masteretc variable (defined elsewhere in the configuration file) to /etc and assigning the specified ownership and protection. The second subsection applies only to the host group ShadowHosts, and it contains two copy specifications. They tell Cfengine to update /etc/passwd and /etc/shadow from master copies located on a remote host, specifying the required ownership and permissions. In both cases, the copy operation must use the Cfengine trusted key security mechanism (to ensure that the data is really coming from the source it purports to), and the shadow password file is transmitted in encrypted form. The cfkey utility is used to set up trusted keys on systems using Cfengine. It must be run before these features can be used.
Cfengine classes are made up of one or more of the following components:
Here are some examples: Class specification Matches ... solaris.Monday.Hr01:: Solaris systems on Mondays at 1:00 A.M. aix|hp-ux:: AIX and HP-UX systems. aix.!vader:: AIX systems except host vader. December.Day31.Friday:: December 31 if it is a Friday. Monday.$(fourtimes):: Four specified each hour times on Monday. The final example uses a list of times defined earlier: control: fourtimes = ( Min03 Min18 Min34 Min49 ) If both AND and OR joins are used, ANDs are evaluated first: Class specificationMatches ... solaris|aix.Monday.Hr01:: Solaris systems always; AIX systems on Mondays at 1:00 A.M. (solaris|aix).Monday.Hr01:: Solaris and AIX systems on Mondays at 1:00 A.M. Classes can be used in any context within the configuration file. In this example, they are used to define a variable differently for different operating systems: control: linux:: swaptest = ( /usr/bin/free -m -o ) aix:: swaptest = ( /usr/sbin/lsps -a ) ... shellcommands: $(swaptest) > $(reportdir)/swap_report.out Cfengine interprets unknown class names as hostnames. If no such host exists, the class is ignored. This fact can be used to temporarily disable a section's classes by altering the associated class name (or adding one): Xlinux:: Xany:: Real cfagent.conf files can become very large, so you may want to use the include file mechanism, the import action. For example, the following configuration file consists entirely of included files whose divisions are used to make each individual file more manageable: import: cf.groupdefs Always include these files. cf.common hpux: cf.hpux Operating system specific includes. aix: cf.aix linux: cf.linux and so on 14.5.4 Configuring cfservdTheCfengine server has its own configuration file. Here is a simple example: # cfservd.conf control: domain = ahania.com cfrunCommand = ( "/var/cfengine/bin/cfagent" ) IfElapsed = ( 1 ) ExpireAfter = ( 15 ) MaxConnections = ( 50 ) MultipleConnections = ( true ) LogAllConnections = ( true ) TrustKeysFrom = ( 192.168.10/24 ) DynamicAddresses = ( 192.168.10.100-200 ) topdir = ( /aux/crengine/masterfiles ) grant: Grant access to files. $(topdir)/outgoing *.ahania.com deny: Deny access to files. $(topdir)/outgoing maverick.ahania.com The daemon also requires an addition to /etc/services: cfengine 5308/tcp Finally, you must start the daemon at boot time by adding it to one of the system boot scripts. 14.5.5 Running CfengineOnce set up, Cfengine may be run manually on the local system with the cfagent command. It has the following useful options:
The cfrun utility is used to initiate Cfengine runs on remote systems. It has the following syntax: cfrun [host-list] [local-options] [-- remote-options] [-- classes] For example, the following command runs Cfengine on hosts smiley, toby, and percy and provides verbose output on the local system: # cfrun smiley toby percy The following command runs Cfengine on all hosts listed in the cfrun.conf configuration file (see the documentation for details), although execution will occur only on remote Linux and Solaris systems: # cfrun -v -- -- linux solaris To automate Cfengine runs, use the cfexecd daemon (which you must also add to the system startup scripts). Once it is running, you can configure when Cfengine runs via a cfagent.conf entry like this one: control: schedule = ( Min00_05 Min15_20 Min30_35 Min45_50 ) This example will cause Cfengine to run four times an hour. |