Today, after wrote a small script (related to my previous one, about zones backup), to clean
a FTP server which contains lot of archived filed, I decide to try [[http://www.cfengine.org|cfengine]].
This tool help sysadmin to maintain a collection of server (config files for example) updated.
Even if it seem interesting, it's not a trivial tool, especially for the begins. Though, I success
to copy files via cfengine from a server to a client, after few hours wasted about the //undocumented//
authentication stuff.

Here what I done :

=== Server side ===

(Non global zone running on Solaris 10)
   
   * Build cfengine 2.1.15
   * Run cfkey
   * Write a small cfagent.conf
   * Write a small cfservd.conf
   * Copy client's localhost.pub to /var/cfengine/ppkeys/root-<ip of client>.pub
   * Run cfservd                                                                            

__cfagent.conf__
<code>
control:

        actionsequence = ( links copy )
        cfengineserver = ( cfengine.asyd.net )

links:

        /root/tmp/titi  ->      /root/tmp/prout
        /root/tmp/toto  ->      /root/tmp/prout

copy:

        /etc/ldap.conf          dest=/etc/ldap.conf
                                mode=644
                                owner=root
                                group=root
                                server=$(cfengineserver)
</code>

__cfservd.conf__
<code>
control:                                                                                    

  AllowUsers = ( root )
  domain = ( asyd.net )
  HostnameKeys = ( false )
  AllowConnectionsFrom = ( 192.168.34.0/24 )
  TrustKeysFrom = ( 192.168.34.0/24 )

  solaris::

     cfrunCommand = ( "/usr/pkg/sbin/cfagent" )

  linux::

     cfrunCommand  = ( "/usr/bin/cfagent" )

  any::


  IfElapsed = ( 1 )
  MaxConnections = ( 10 )

#########################################################

admit:   # or grant:

        /etc                    *.asyd.net
        /var/cfengine/inputs    *.asyd.net
</code>

=== Client side ===

Debian GNU/Linux (sid), cfengine v2.1.15

   * Install cfengine (via debian packages)
   * Write update.conf
   * Copy server's localhost.pub to ppkeys/root-<ip of server>.pub

<code>
control:

    actionsequence = ( copy )
    domain = ( fimasys.fr )
    policyhost = ( cfengine.intranet.fimasys.fr )
    workdir = ( /var/cfengine )

linux::

    destdir = ( /var/lib/cfengine2 )

solaris::

    destdir = ( /var/cfengine )

copy:

    $(workdir)/inputs       dest=$(destdir)/inputs
                            r=inf
                            mode=600
                            server=$(policyhost)
</code>

=== Description ===

Let me explain all this stuff. The file //cfagent.conf// is read by cfagent to execute some
operations. On clients, the first one is to synchronize cfengine's configuration file (including
cfagent.conf). The file //update.conf// describe how contact the cfengine server. On server,
cfservd must run, it use //cfvserd.conf//. One section of this file stand for ACL files access.
The others are about clients's authentication.

As explain above, the //cfagent.conf// contains some actions to process. Lot of options are
available, for example : copy, links for files managements, but also process, packages,
shellcommands are available.

[[geeklog:comments:20050801|Comments]]