
asyd.net

Welcome to Bruno Bonfils's (aka asyd) homepage.

Today, after writing a small script (related to my previous one, about zone backups) to clean up an FTP server that contains a lot of archived files, I decided to try cfengine. This tool helps a sysadmin keep a collection of servers (their config files, for example) up to date. Even if it seems interesting, it is not a trivial tool, especially at the beginning. Still, I managed to copy files via cfengine from a server to a client, after a few hours wasted on the undocumented authentication stuff.

Here is what I did:

Server side

(Non-global zone running on Solaris 10)

 * Build cfengine 2.1.15
 * Run cfkey
 * Write a small cfagent.conf
 * Write a small cfservd.conf
 * Copy client's localhost.pub to /var/cfengine/ppkeys/root-<ip of client>.pub
 * Run cfservd

cfagent.conf

control:

        actionsequence = ( links copy )
        cfengineserver = ( cfengine.asyd.net )

links:

        /root/tmp/titi  ->      /root/tmp/prout
        /root/tmp/toto  ->      /root/tmp/prout

copy:

        /etc/ldap.conf          dest=/etc/ldap.conf
                                mode=644
                                owner=root
                                group=root
                                server=$(cfengineserver)

cfservd.conf

control:

  AllowUsers = ( root )
  domain = ( asyd.net )
  HostnameKeys = ( false )
  AllowConnectionsFrom = ( 192.168.34.0/24 )
  TrustKeysFrom = ( 192.168.34.0/24 )

  solaris::

     cfrunCommand = ( "/usr/pkg/sbin/cfagent" )

  linux::

     cfrunCommand = ( "/usr/bin/cfagent" )

  any::

     IfElapsed = ( 1 )
     MaxConnections = ( 10 )

#########################################################

admit:   # or grant:

        /etc                    *.asyd.net
        /var/cfengine/inputs    *.asyd.net

Client side

Debian GNU/Linux (sid), cfengine v2.1.15

 * Install cfengine (via Debian packages)
 * Write update.conf
 * Copy server's localhost.pub to ppkeys/root-<ip of server>.pub

update.conf

control:

    actionsequence = ( copy )
    domain = ( fimasys.fr )
    policyhost = ( cfengine.intranet.fimasys.fr )
    workdir = ( /var/cfengine )

linux::

    destdir = ( /var/lib/cfengine2 )

solaris::

    destdir = ( /var/cfengine )

copy:

    $(workdir)/inputs       dest=$(destdir)/inputs
                            r=inf
                            mode=600
                            server=$(policyhost)
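The key exchange is the step that cost the most time above, on both sides: the server files the client's localhost.pub as root-<client ip>.pub, and the client files the server's localhost.pub as root-<server ip>.pub. The script below is an added example, not from the original page and not part of cfengine: it installs a peer key under that name, refuses hostnames (with HostnameKeys set to false a root-<hostname>.pub file is never looked at), refuses to silently replace a key that is already filed for that address, and prints a checksum so the two copies can be compared out of band. It assumes the key is the PEM "RSA PUBLIC KEY" file written by cfkey and that the ppkeys directory is /var/cfengine/ppkeys on the Solaris server and /var/lib/cfengine2/ppkeys on the Debian client (the latter inferred from the destdir in update.conf).

```shell
#!/bin/sh
# Added example (not from the original page, not cfengine's own tooling):
# install a peer's cfengine 2 public key under the name the key lookup uses
# when HostnameKeys = ( false ), i.e. <ppkeys dir>/root-<peer ip>.pub.
# Assumptions: the key file is the localhost.pub written by cfkey (a PEM
# "RSA PUBLIC KEY" block); ppkeys is /var/cfengine/ppkeys on the Solaris
# server and /var/lib/cfengine2/ppkeys on the Debian client.
set -eu

# Accept only a dotted-quad IPv4 address: with HostnameKeys false, a file
# named root-<hostname>.pub is never consulted and the copy silently fails.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Portable checksum (cksum exists on Solaris 10 and Debian alike) so the two
# copies of a key can be compared over an out-of-band channel.
key_checksum() {
    cksum "$1" | cut -d' ' -f1
}

# install_peer_key <ppkeys dir> <peer ip> <peer's localhost.pub>
# Returns 0 when the key is installed (or was already there and identical),
# 1 on bad input, 2 when a different key is already filed for that address.
install_peer_key() {
    ppkeys=$1; peer=$2; src=$3
    is_ipv4 "$peer" || { echo "not an IPv4 address: $peer" >&2; return 1; }
    head -n 1 "$src" | grep -q 'BEGIN RSA PUBLIC KEY' \
        || { echo "$src does not look like a cfkey public key" >&2; return 1; }
    dst="$ppkeys/root-$peer.pub"
    mkdir -p "$ppkeys" && chmod 700 "$ppkeys"
    if [ -e "$dst" ]; then
        # Never silently replace a key: a changed key means the peer was
        # re-keyed, or someone is trying to slip their own key in.
        if cmp -s "$src" "$dst"; then
            echo "already installed: $dst ($(key_checksum "$dst"))"
            return 0
        fi
        echo "refusing to overwrite $dst with a different key" >&2
        return 2
    fi
    cp "$src" "$dst"
    chmod 600 "$dst"
    echo "installed $dst ($(key_checksum "$dst"))"
}

# Usage on the server, for a client at 192.168.34.10 whose localhost.pub was
# copied to /tmp/client-localhost.pub (hypothetical values):
#   install_peer_key /var/cfengine/ppkeys 192.168.34.10 /tmp/client-localhost.pub
if [ $# -eq 3 ]; then
    install_peer_key "$@"
fi
```

Run it once on each side with the other side's address and key; compare the printed checksums with the checksum of the original localhost.pub on the peer before starting cfservd or cfagent.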

Description

Let me explain all this. The file cfagent.conf is read by cfagent to execute a set of actions. On a client, the first action is to synchronise cfengine's own configuration files (cfagent.conf included) from the server; the file update.conf describes how to contact that server and where to put the copy. On the server, cfservd must be running; it reads cfservd.conf. One section of that file (admit, or grant) is the ACL for file access: each path is granted, together with everything below it, to the hosts matching the pattern, which is matched against the client's name as the server resolves it. Admitting /etc as above therefore hands an admitted client every file under /etc, /etc/shadow included; a narrower path is usually wiser. The other settings are about client authentication: cfkey generates a key pair (localhost.priv and localhost.pub), each side stores the other's public key in its ppkeys directory as root-<ip>.pub (with HostnameKeys set to false, keys are filed by IP address), AllowUsers restricts which user names may connect, and AllowConnectionsFrom limits the source addresses. TrustKeysFrom tells cfservd to accept, on first contact, whatever key a host in that range presents; once the keys have been exchanged by hand as above it is no longer needed, and leaving a whole subnet in it means any machine on that subnet can enrol itself.

As explained above, cfagent.conf contains the actions to process. Many action types are available: copy and links for file management, as shown here, but also processes, packages and shellcommands, among others.
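To see what the admit section above actually grants before exposing it, the following script is an added example, not from the original page and not part of cfengine. It reads the admit:/grant: entries of a cfservd.conf and answers "may client C read path P?" using the model described above (an admitted directory covers everything below it; the host column is a shell-style pattern matched against the client's name), and it lists entries whose path is a top-level directory, the case that exposes far more than the files one meant to publish. The parsing is my own reading of the file format, and the sample cfservd.conf in the usage is constructed from the one shown on this page.

```shell
#!/bin/sh
# Added example, not from the original page and not part of cfengine: a check
# for the admit:/grant: section of a cfservd.conf. Model (my reading of the
# behaviour described above): an admitted path covers everything below it,
# and the host column is a shell-style pattern matched against the client's
# resolved name.
set -eu

# Print "path hostpattern..." for each entry of the admit: or grant: section,
# skipping comments, blank lines and class selectors such as "any::".
admit_entries() {
    awk '
        /^[ \t]*#/ || NF == 0   { next }
        /^[ \t]*[A-Za-z_]+::/   { next }
        /^[A-Za-z]+:/           { insec = ($1 == "admit:" || $1 == "grant:"); next }
        insec && NF >= 2        { print }
    ' "$1"
}

# is_admitted <cfservd.conf> <client name> <requested path>
# Exit status 0 if some entry grants the path to that client, 1 otherwise.
is_admitted() {
    conf=$1; client=$2; path=$3
    admit_entries "$conf" | (
        while read -r apath hosts; do
            case "$path" in
                "$apath" | "$apath"/*)          # the entry itself or anything below it
                    for pat in $hosts; do
                        case "$client" in
                            $pat) exit 0 ;;     # unquoted on purpose: treat as a glob
                        esac
                    done ;;
            esac
        done
        exit 1
    )
}

# broad_admits <cfservd.conf>: print admitted paths that are "/" or a
# top-level directory, e.g. /etc, since those publish whole trees.
broad_admits() {
    admit_entries "$1" | awk '{ n = split($1, p, "/"); if (n <= 2) print $1 }'
}

# Usage against a live server file:
#   is_admitted /var/cfengine/cfservd.conf client.asyd.net /etc/shadow && echo exposed
#   broad_admits /var/cfengine/cfservd.conf
```

Against the cfservd.conf shown above, the /etc entry lets any host matching *.asyd.net fetch /etc/shadow, while a host outside the pattern gets nothing, which is exactly what the check reports.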
