« Previous 1 2 3 Next »
Configuration management with CFEngine 3
Principled
Of Promises and Policies
The smallest self-contained and executable unit in CFEngine is the promise, which contains at least one concrete statement (e.g., make sure an account is created). Several of these statements are then bundled into a policy.
The name reveals how CFEngine 3 ticks: Since version 1, the CFEngine makers have considered systems to be entities that are supposed to comply with enterprise policies. Logically, a group of instructions (policies) then enforces the individual measures (promises). If you need to bundle multiple policies, you can use the next higher grouping form, which is conveniently named bundle .
Toolkit
CFEngine 3 does the usual work that you might expect from a configuration tool. It can obtain information about a target system and its state and modify text files in various formats. It can set file permissions and ownership, as well as POSIX access control lists (ACLs).
Users, groups, firewall entries, processes, services, launching third party programs – everything needed for system administration under Linux (CentOS/RHEL, Debian, Ubuntu, SLES), Unix (AIX, HP-UX, Solaris), and Windows (Enterprise variant only) is included in CFEngine 3 by default. Additionally, it supports numerous advanced operations such as querying and modifying databases. Thanks to a connection to VMware, KVM, Xen, and VirtualBox, virtual machines can also be managed by the standard statements in promises.
The declarative approach makes CFEngine policies idempotent; they can therefore be executed as often as required and always achieve the same results. Permanent monitoring of the local system by the CFEngine agent ensures that changed states are detected and corrected.
Setting Up CFEngine 3
To run CFEngine 3 you need to install the central server (Policy Server or even Policy Hub) and at least one agent; these components [3] can run on the same system for test purposes. In regular operation, the policy server distributes its policy files to agents running on different systems. (Figure 1).
Because I always use Linux, I set up a small test environment for this article (Table 1) and carried out the installation manually in line with the official instructions for the community edition [4]. The linuxmag account was set up and given Sudo rights during the operating system installation on all systems.
Table 1
Lab Systems
Hostname | OS | IP Address | Role |
---|---|---|---|
cf3-ubsrv
|
Ubuntu 20.04 | 192.168.38.131 | Policy Hub, provides policy files |
cf3-ubcli
|
Ubuntu 20.04 | 192.168.38.132 | System with CFEngine agent |
cf3-centcli
|
CentOS 8 | 192.168.38.133 | System with CFEngine agent |
The necessary software packages are available directly from the manufacturer's website [5]. An installation from the distribution repositories is not recommended because they often contain outdated software versions. The CFEngine 3 package in the Ubuntu 20.04 repositories, for example, was incomplete and poorly maintained at the time of testing.
CFEngine v3.15.3 was installed on all participating test systems (Listings 1-3). Corresponding packages are available for download, even though the online documentation of CFEngine 3 does not list Ubuntu 20.04 or CentOS 8 in the list of supported platforms, probably because the online documentation was simply not adapted after its release; the respective previous versions of both distributions can be found in the list.
Listing 1
Installation on cf3-ubsrv
$ sudo wget https://cfengine-package-repos.s3.amazonaws.com/community_binaries/Community-3.15.3/agent_ubuntu18_x86_64/cfengine-community_3.15.3-1.ubuntu18_amd64.deb ** $ sudo apt install ./cfengine-community_3.15.3-1.ubuntu18_amd64.deb ** $ sudo cf-agent --bootstrap 192.168.38.131 R: Bootstrapping from host '192.168.38.131' via built-in policy '/var/cfengine/inputs/failsafe.cf' R: This host assumes the role of policy server R: Updated local policy from policy server R: Triggered an initial run of the policy R: Restarted systemd unit cfengine3 notice: Bootstrap to '192.168.38.131' completed successfully!
Listing 2
Installation on cf3-ubcli (Agent)
$ sudo wget https://cfengine-package-repos.s3.amazonaws.com/community_binaries/Community-3.15.3/agent_ubuntu18_x86_64/cfengine-community_3.15.3-1.ubuntu18_amd64.deb $ sudo apt install ./cfengine-community_3.15.3-1.ubuntu18_amd64.deb $ sudo cf-agent --bootstrap 192.168.38.131 notice: Bootstrap mode: implicitly trusting server, use --trust-server=no if server trust is already established notice: Trusting new key: MD5=d67ad40160db5f79a616eea18bb9073c R: Bootstrapping from host '192.168.38.131' via built-in policy '/var/cfengine/inputs/failsafe.cf' R: This autonomous node assumes the role of voluntary client R: Updated local policy from policy server R: Triggered an initial run of the policy R: Restarted systemd unit cfengine3 notice: Bootstrap to '192.168.38.131' completed successfully!
Listing 3
Installation on cf3-centcli (Agent)
$ wget https://cfengine-package-repos.s3.amazonaws.com/community_binaries/Community-3.15.3/agent_rhel8_x86_64/cfengine-community-3.15.3-1.el8.x86_64.rpm ** $ sudo yum localinstall cfengine-community-3.15.3-1.el8.x86_64.rpm ** $ sudo /var/cfengine/bin/cf-agent --bootstrap 192.168.38.131 notice: Bootstrap mode: implicitly trusting server, use --trust-server=no if server trust is already established notice: Trusting new key: MD5=d67ad40160db5f79a616eea18bb9073c R: Bootstrapping from host '192.168.38.131' via built-in policy '/var/cfengine/inputs/failsafe.cf' R: This autonomous node assumes the role of voluntary client R: Updated local policy from policy server R: Triggered an initial run of the policy R: Restarted systemd unit cfengine3 notice: Bootstrap to '192.168.38.131' completed successfully! ** ### Open port 5308/TCP on the local firewall $ sudo firewall-cmd --zone=public --add-service=cfengine
After installing the Policy Hub and agents on the lab systems, I logged in as the linuxmag user on host cf3-ubsrv and carried out a short connection test (Figure 2) with the command:
# /var/cfengine/bin/cf-net -H 192.168.38.131,192.168.38.132, 192.168.38.133 connect
CFEngine 3 best practices dictate executing all the commands with the root account, which the listings that follow take into account. CFEngine 3 starts several processes per system, all of which perform different tasks. A short overview can be found in the official documentation [6].
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.