Posted by Steve on Mon 22 Aug 2005 at 02:07
There aren't many systems as powerful or useful in administering a large LAN as cfengine. However the learning curve is pretty steep, which puts a lot of people off using it. In this introduction to cfengine we'll show what kind of things it can do, and how it works.

The CFEngine Installation
An installation of cfengine logically breaks down into several major components:
- The Server (cfservd)
- The Client (cfagent)
- The Scheduler (cfexecd)
The role of these components is probably fairly self-explanatory. The server will contain the collection of rules which apply to your LAN. (Most likely you will only have one server regardless of the LAN size.)
On each of the hosts which you wish to manage remotely you will have a client, or agent, running. This will be set up to accept connections and instructions from the central server and will then carry out the jobs it is instructed to conduct.
The scheduler is the part of the software which manages the execution of the jobs, and ensures the system operates smoothly.
There are also additional tools for particular jobs, such as setting up access keys (cfkey) and running rules against one host in particular (cfrun).
One of the early jobs will be to set up each of the clients so they will accept connections from the server, much as OpenSSH access is controlled via public and private keys. However, unlike passwordless logins with SSH, cfengine requires a two-way trust.
As with many packages in Debian, installation of the software is very simple:

    apt-get install cfengine2

However, once the software is installed the real work begins. Configuring the software is both complex and largely site-specific.
This is one reason why so few large examples exist. The job of cfengine is to apply a set of rules to a collection of hosts and these rules are largely specific to particular environments.
Some simple rules can be shared and discussed but the real payoff comes from doing many global jobs with your own set of customised rules.
cfengine rules can be almost arbitrarily complex. It is possible to script and automate many things across the LAN, such as:
- Checking file permissions and ownerships; fixing them if required.
- Restarting failed daemons/servers.
- Installing software remotely, including security updates.
- Editing files remotely.
- Executing commands remotely.
- Configuring network interfaces, routing, and DNS.
- Compressing, deleting, or otherwise managing files or directories.
These are just some highlights. With a bit of creativity and effort you can accomplish many more jobs, all across a whole host of machines.
cfengine has been ported to most of the major Unix systems, and also to some flavours of Windows.
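As an added illustration (not part of the original article), here is a minimal cfagent.conf in cfengine 2 syntax covering the first two items in the list above: enforcing ownership and mode on two account files, and restarting a daemon that is not running. The file paths, the shadow group and the init script location are assumptions for a stock Debian host.

```cfengine
# Added example: minimal cfagent.conf (cfengine 2 syntax).
# Paths and the init script below are assumptions for a Debian host.

control:
   # Only the sections named here are run, in this order.
   actionsequence = ( files processes )

files:
   any::
      # Check mode and ownership; repair them if they have drifted.
      /etc/passwd mode=0644 owner=root group=root   action=fixall
      /etc/shadow mode=0640 owner=root group=shadow action=fixall

processes:
   any::
      # If no process matching "sshd" is found, run the restart command.
      "sshd" restart "/etc/init.d/ssh start"
```

Running it with cfagent's dry-run flag (-n) reports what would change without modifying anything; replacing action=fixall with action=warnall makes the files rules report-only.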
I hope to cover a basic guide on installing and getting started with cfengine shortly. In the meantime you can find a wealth of information on the internet.
The following resources make good starting points:
O'Reilly's book Essential System Administration also provides a small amount of discussion and is a highly recommended resource in its own right.
This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):
This article is copyright 2005 Steve - please ask for permission to republish or translate.