« Previous 1 2 3
Configuration management with CFEngine 3
Principled
Getting Started
The initial setup of CFEngine 3 took place with the bootstrapping section at the end of the listings for installation on the various systems. Among other things, sample configurations were copied from the installed package, and important directory structures were created under /var/cfengine/
. The predefined contents in detail are described in the online documentation [7].
On Policy Hub cf3-ubsrv
, I stored several of my own CFEngine files with instructions in /var/cfengine/masterfiles/
. The folder there already contained files that CFEngine created automatically. For the sake of order, CFEngine 3 wants you to store DIY-created policy files in /var/cfengine/masterfiles/services/
. If you want a policy file to be executed automatically, as I did in this article, you need store it in /var/cfengine/masterfiles/services/autorun/
.
All files stored on the central Policy Hub at /var/cfengine/masterfiles/
(Figure 3) download the agents at five-minute intervals by default and make them available locally at /var/cfengine/inputs/
. Following the principle of infrastructure as a code, the developers recommend that the content of /var/cfengine/masterfiles/
be placed under version control through SVN or Git.
To illustrate how CFEngine 3 works, I introduced a simple policy that installs the lightweight Nginx web server on the target systems and enables the associated systemd service, starting it at the same time. To do this, I launched a text editor on Policy Hub to create the /var/cfengine/masterfiles/services/autorun/webserver.cf
file and filled it with life (Listing 4). The "webserver.cf
in Detail" box provides more information. The command
# cf-promises -f /var/cfengine/masterfiles/services/autorun/webserver.cf
Listing 4
webserver.cf
bundle agent nginx_installed_running { meta: "tags" slist => { "autorun" }; vars: "package_list" slist => { "nginx" }; packages: "$(package_list)" package_policy => "add", package_method => generic; services: "$(package_list)" service_policy => "start"; }
webserver.cf in Detail
Listing 4 starts with the definition of a bundle that includes several promises in curly brackets. The bundle name, here nginx_installed_running
, can be freely chosen, but CFEngine 3 makes clear specifications for the bundle type [8]. Bundles of the agent
type contain promises that make changes directly on the target systems. The promise of the meta
type includes a list variable with a single autorun
element, which tells CFEngine 3 to include this bundle in every automatic run.
The vars
type promise includes a list of packages to install. You can list multiple packages here. The packages
promise uses a trick: instead of a name or the specification of the package to be installed, it specifies the name of the package_list
list, which tells CFEngine 3 to iterate automatically across all the entries in the list and apply for each element the package_policy
attribute add
and the generic
instruction package_method
, which means "use the appropriate package manager."
The services
type promise also iterates through the package list and applies the service_policy
attribute in each case, with the start
value activating and starting the associated systemd service. More about the different promise types can be found in the online documentation [9].
checks the content of the file for errors.
To enable automatic execution of your own policy files on the Policy Hub, create the def.json
file under /var/cfengine/masterfiles/
to configure the services_autorun
option (or, more precisely, the CFEngine class):
{ "classes": { "services_autorun": [ "any" ] } }
The comments in the /var/cfengine/masterfiles/promises.cf
file show its effect.
In the default configuration, the CFEngine agent on the target systems implements the promises every five minutes. The command
cf-agent --dry-run --inform
shows what it will trigger the next time it is executed automatically (Figure 4).
After the next automatic execution, the installed nginx
package and the matching service, enabled and running, can be found on the target systems (Figure 5), but on the cf3-centcli
lab system, systemd seems to have failed to start Nginx because of an Nginx configuration problem, which I did not investigate further. CFEngine 3 will always try to start Nginx on the CentOS system in the future.
If you want to delve deeper, you can now add instructions to the webserver.cf
file about what to do in case of unfulfillable promises. Also, Nginx can only be reached from other systems by opening the local firewall. Configuring this for two different distributions by promise is not so easy and another possible exercise for the future.
Documentation and Community
In this article, custom policy files were included and executed by the autorun method. However, sys admins have other ways to activate bundles and policies [10].
The use of CFEngine 3 gets more exciting with the use of preconfigured bundles from the creators and the community. You can find these several places on the web – the CFEngine Design Center [11] with its Sketches being one of the best known. Ready-made bundles are intended to facilitate the tasks for newcomers and act as templates for your own configuration snippets.
Somewhat confusingly the CFEngine documentation appears to be distributed several places. The official website http://cfengine.com has a Quickstart Guide with mini-documentation, whereas http://docs.cfengine.com has the official documentation. An archive [12] also houses a hodgepodge of old manuals, some of which are easier to read than the current documentation.
If you want to go further into CFEngine 3, you have to allocate plenty of time. The approach seems a bit unwieldy in places, and the comparatively small community makes it difficult to get good learning resources or even help online. However, you can find a few good books. The members who are involved in the community seem to have been around for a long time and know all the tricks. In researching for this article, I often stumbled across the same names I did in 2012 and 2013 when researching previous articles.
Strengths and Weaknesses
CFEngine shows its strengths wherever admins need to manage a large number of heterogeneous systems with the smallest possible footprint. According to statements from the community, environments with a million or more agents can be realized, which is also attributable to the ability to cascade the central Policy Hub (e.g., with one hub per data center).
Once it's up and running, CFEngine 3 proves to be a powerful and lean machine that takes very little performance away from the applications on the target systems. Unlike Puppet or SaltStack, for example, the CFEngine agent also assumes virtually no dependencies. The ability to manage Linux, Unix, and Windows (in the enterprise variant) with a common tool proves to be an advantage in many environments.
The weaknesses of CFEngine 3 reveal themselves if getting started needs to be a fast and simple process, which would presuppose a large number of up-to-date libraries with prefabricated configuration snippets. Moreover, CFEngine 3 lacks the popularity of Puppet and the like, which will slow down the influx of new users and, in turn, new cash flow to fund development.
However, if you choose to get involved with CFEngine 3 and give the tool some time, you can use it to build a solid and functional configuration management system. If you are eager to experiment, you can also take a look at a SlideShare presentation [13], in which the CFEngine makers demonstrate the orchestration of Docker containers with CFEngine 3.
Infos
- CFEngine 3: https://cfengine.com/product/community/
- Promise Theory: https://en.wikipedia.org/wiki/Promise_theory
- Component documentation: https://docs.cfengine.com/docs/3.15/reference-components.html
- Installing the community edition: https://docs.cfengine.com/docs/3.15/guide-installation-and-configuration-general-installation-installation-community.html
- Installation packages: https://cfengine.com/product/community/
- CFEngine 3 documentation: https://docs.cfengine.com/docs/3.15/reference-components.html
- Online documentation: https://docs.cfengine.com/docs/3.15/reference-masterfiles-policy-framework.html
- Bundle types: https://docs.cfengine.com/docs/archive/manuals/cf3-Reference.html#Bundles-for-agent
- Promise types: https://docs.cfengine.com/docs/3.15/reference-promise-types.html
- Enabling bundles and policies: https://docs.cfengine.com/docs/3.15/guide-faq-integrate-custom-policy.html
- CFEngine Design Center: https://docs.cfengine.com/docs/3.10/reference-design-center.html
- Documentation archive: https://docs.cfengine.com/docs/archive/manuals
- Orchestrating Docker containers: https://de.slideshare.net/cfengine/the-benefits-of-using-cfengine-with-docker
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)