Today, after writing a small script (related to my previous one, about zone backups) to clean up an FTP server which contains a lot of archived files, I decided to try cfengine. This tool helps sysadmins keep a collection of servers (config files, for example) up to date. Even if it seems interesting, it's not a trivial tool, especially for beginners. Still, I succeeded in copying files via cfengine from a server to a client, after a few hours wasted on the undocumented authentication stuff.
Here is what I did:
(Non-global zone running on Solaris 10)
* Build cfengine 2.1.15
* Run cfkey
* Write a small cfagent.conf
* Write a small cfservd.conf
* Copy client's localhost.pub to /var/cfengine/ppkeys/root-<ip of client>.pub
* Run cfservd
cfagent.conf
    control:
       actionsequence = ( links copy )
       cfengineserver = ( cfengine.asyd.net )

    links:
       /root/tmp/titi -> /root/tmp/prout
       /root/tmp/toto -> /root/tmp/prout

    copy:
       /etc/ldap.conf dest=/etc/ldap.conf
                      mode=644
                      owner=root
                      group=root
                      server=$(cfengineserver)
cfservd.conf
    control:
       AllowUsers = ( root )
       domain = ( asyd.net )
       HostnameKeys = ( false )
       AllowConnectionsFrom = ( 192.168.34.0/24 )
       TrustKeysFrom = ( 192.168.34.0/24 )

     solaris::
       cfrunCommand = ( "/usr/pkg/sbin/cfagent" )
     linux::
       cfrunCommand = ( "/usr/bin/cfagent" )
     any::
       IfElapsed = ( 1 )
       MaxConnections = ( 10 )

    #########################################################

    admit:   # or grant:
       /etc *.asyd.net
       /var/cfengine/inputs *.asyd.net
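The manual key copy from the steps above, as an added shell example that is not part of the original post: it installs a client's localhost.pub under the root-<ip>.pub name used with HostnameKeys = ( false ), but only after the file matches a SHA-256 digest taken on the client and passed out of band. The function names, the digest check and the file permissions are assumptions of this example, and it needs a POSIX shell.

```shell
# Added example, not from the original post. Needs a POSIX shell
# (on Solaris 10: /usr/xpg4/bin/sh or bash, not the old /bin/sh).

# Print the SHA-256 of a file with whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then    # Solaris 10
        digest -a sha256 "$1"
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# install_client_key PUBKEY CLIENT_IP EXPECTED_SHA256 [PPKEYS_DIR]
# (hypothetical helper; PPKEYS_DIR defaults to the path used in the post)
install_client_key() {
    pub=$1 ip=$2 want=$3 dir=${4:-/var/cfengine/ppkeys}

    # The IP becomes part of a file name: allow digits and single dots only.
    case $ip in
        *[!0-9.]*|""|.*|*.|*..*) echo "bad client IP: $ip" >&2; return 2 ;;
    esac
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }

    # Refuse the key unless it matches the digest computed on the client.
    got=$(file_sha256 "$pub")
    if [ "$got" != "$want" ]; then
        echo "digest mismatch for $pub: got $got" >&2
        return 1
    fi

    # Create the key store private to root if missing, then install
    # through a temporary file so cfservd never sees a partial key.
    [ -d "$dir" ] || mkdir -m 700 -p "$dir" || return 2
    tmp="$dir/.root-$ip.pub.$$"
    ( umask 077; cp "$pub" "$tmp" ) && mv "$tmp" "$dir/root-$ip.pub"
}

# Stand-alone use: script PUBKEY CLIENT_IP EXPECTED_SHA256 [PPKEYS_DIR]
if [ $# -ge 3 ]; then install_client_key "$@"; fi
```

With every client key installed this way, cfservd no longer has to accept unknown keys on trust from the whole range listed in TrustKeysFrom.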
Debian GNU/Linux (sid), cfengine v2.1.15
    control:
       actionsequence = ( copy )
       domain = ( fimasys.fr )
       policyhost = ( cfengine.intranet.fimasys.fr )
       workdir = ( /var/cfengine )

     linux::
       destdir = ( /var/lib/cfengine2 )
     solaris::
       destdir = ( /var/cfengine )

    copy:
       $(workdir)/inputs dest=$(destdir)/inputs
                         r=inf
                         mode=600
                         server=$(policyhost)
Let me explain all this. The file cfagent.conf is read by cfagent, which executes the operations it lists. On clients, the first operation is to synchronize cfengine's configuration files (including cfagent.conf). The file update.conf describes how to contact the cfengine server. On the server, cfservd must be running; it uses cfservd.conf. One section of this file holds the ACLs for file access. The others deal with client authentication.
As explained above, cfagent.conf contains the actions to process. Many options are available: for example copy and links for file management, but also processes, packages and shellcommands.