[[cfengine3]]
Trace:
Show pageOld revisions
AdminRecent ChangesSitemap

* ancien site

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
docpublic:systemes:linux:cfengine3 [2013/07/19 12:31]
PROCACCIA [bootstrap client] 		docpublic:systemes:linux:cfengine3 [2013/12/24 15:14] (current)
procacci@tem-tsp.eu [references]
Line 1: Line 1:
-==== cfengine3 ====+===== cfengine3 =====
  
 ===== references ===== ===== references =====
Line 18: Line 18:
   * http://pix-mania.dyndns.org/mediawiki/index.php/Cfengine_-_tutoriels   * http://pix-mania.dyndns.org/mediawiki/index.php/Cfengine_-_tutoriels
   * http://www.k-tux.com/cfengine-cet-outil-qui-facilite-la-vie-des-asr/2   * http://www.k-tux.com/cfengine-cet-outil-qui-facilite-la-vie-des-asr/2
-===== install =====+  * https://cfengine.com/blog/ten-reasons-for-5-minute-configuration-repair 
 +===== install server =====
  
   * https://cfengine.com/docs/3.5/getting-started-installation.html   * https://cfengine.com/docs/3.5/getting-started-installation.html
Line 93: Line 94:
 ===== install client ===== ===== install client =====
  
-here we install manually cfengine package on the client (next we'll do it automatically via cobbler)+here we install manually cfengine package on the client (next we'll do it  [[.:cfengine3&#bootstrap_cfengine_from_cobbler|automatically via cobbler)]]
  
 <code> <code>
Line 227: Line 228:
  
  
-==== Access control ====+===== Server Access control =====
  
-in def.cf+==== IP subnets control ==== 
 + 
 +in order to allow clients on from specific subnets , declare our subnets in def.cf
  
 <code> <code>
Line 248: Line 251:
 <code> <code>
 Jul 17 15:21:53 cfengine3 cf-serverd[8890]: Not allowing connection from non-authorized IP '157.157.61.196' Jul 17 15:21:53 cfengine3 cf-serverd[8890]: Not allowing connection from non-authorized IP '157.157.61.196'
 +</code>
 +
 +===== sample site policy =====
 +
 +Now that client and server are installed and communicate correctly, we are going to really get some job done with cfengine. 
 +
 +==== ldap + nfs context ====
 +
 +In that sample site / lab auto configuration we want to allow users to connect to client station through ldap authentication and NFS mount of homedirectories. that involves creating / copying files and restart services upon chnages to these files.
 +
 +==== classes ====
 +
 +we create a promise file to declare our local classes => groups of machines (beware that - are replace with _ for hotsname classes association)
 +
 +<code>
 +[root@cfengine3 masterfiles]# cat cf-disi-classes.cf
 +bundle common disi_classes
 +{
 +classes:
 +
 +"salle_b09" or => { "b09_01", "b09_02" };
 +"salle_b01" or => { "b01_01", "b01_02" };
 +"disi_hosts" or => { "arve", "arvin" };
 +}
 +</code>
 +
 +==== policy ====
 +
 +then we translate our needs in terms of cfengine promises in a dedicated promise file for that purpose
 +
 +<code>
 +[root@cfengine3 masterfiles]# cat cf-disi-policies.cf
 +bundle agent disi_policies
 +{
 +files:
 +
 + salle_b01|disi_hosts::
 +
 + "/etc/sssd/sssd.conf"
 + copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/sssd.conf","cfengine.int-evry.fr"),
 + perms => m("600");
 +
 + b01_02::
 +
 + "/etc/sssd/sssd.conf"
 + copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/sssd.conf","cfengine.int-evry.fr"),
 + perms => m("600");
 +
 + salle_b01|disi_hosts::
 +
 + "/etc/sysconfig/autofs"
 + copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/autofs","cfengine.int-evry.fr"),
 + perms => m("644"),
 + classes => if_repaired("autofs_restart");
 +
 + "/usr/local/bin/bash"
 +        link_from => ln_s("/bin/bash");
 +
 +
 +commands:
 + autofs_restart::
 + "/usr/bin/systemctl restart autofs.service";
 +
 +
 +}
 +</code>
 +
 +==== bundlesequence ====
 +finally we need to tell cfengine server bundlesequence to use our promises above through promises.cf file
 +
 +<code>
 +[root@cfengine3 masterfiles]# cat promises.cf
 +###############################################################################
 +#
 +#   promises.cf - Basic Policy for Community + DISI inputs
 +#
 +###############################################################################
 +body common control
 +{
 + bundlesequence => {
 +
 +                 # Common bundles first for best practice 
 +                    "def",
 +                 # Design Center
 +                    "cfsketch_run",
 +                 # Agent bundles from here
 +                    "main",
 +
 +                 # classes / groups de machines
 +                    "disi_classes",
 +                 # disi policies
 +                    "disi_policies",
 +                   };
 + inputs => {
 +         # Global common bundles
 +            "def.cf",
 +         # Control body for all agents
 +            "controls/cf_agent.cf",
 +            "controls/cf_execd.cf",
 +            "controls/cf_monitord.cf",
 +            "controls/cf_runagent.cf",
 +            "controls/cf_serverd.cf",
 +         # COPBL/Custom libraries
 +            "libraries/cfengine_stdlib.cf",
 +         # Design Center
 +             # MARKER FOR CF-SKETCH INPUT INSERTION
 +             "cf-sketch-runfile.cf",
 +         # User services from here
 +            "services/init_msg.cf",
 +            
 +         # classes disi
 +            "cf-disi-classes.cf",
 +         # disi policies
 +            "cf-disi-policies.cf",
 +           };
 + version => "Community Promises.cf 3.4.0";
 +}
 +###############################################################################
 +bundle agent main
 +{
 + methods:
 +  any::
 +
 +   "INIT MSG" usebundle => init_msg,
 +                comment => "Just a pre-defined policy bundled with the package",
 +                 handle => "main_methods_any_init_msg";
 +}
 +###############################################################################
 +</code>
 +
 +==== directory access rules ====
 +
 +note that in cf-disi-policies.cf above we ditribute/copy files from a personnal (disi) added directory , as in
 +
 +<code>
 +copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/sssd.conf","cfengine.int-evry.fr"),
 +</code>
 + /var/cfengine/master_disi_files/ beeing create by ourself, cfengine needs to allow acces to that directory tree from its def.cf global vars:
 +
 +<code>
 + # disi masterdir
 +   "dir_master_disi_files" string => translatepath("$(sys.workdir)/master_disi_files"),
 +                    comment => "Define master_disi_files path",
 +                     handle => "common_def_vars_dir_master_disi_files";
 +</code>
 +
 +Now that "$(sys.workdir)/master_disi_files" is a defined variable, we can use it in the acces rules of cf_served :
 +<code>
 +[root@cfengine3 masterfiles]# vim controls/cf_serverd.cf 
 +bundle server access_rules()
 +{
 + access:
 +  any::
 +  # disi
 +   "$(def.dir_master_disi_files)"
 +       handle => "server_access_rule_grant_access_disi_policy",
 +      comment => "Grant access to the policy disi updates",
 +        admit => { ".*\.$(def.domain)", @(def.acl) };
 +</code>
 +
 +otherwise you get an error on the client telling you 
 +
 +<code>
 +verbose: Server returned error ' Unspecified server refusal (see verbose server output)'
 +2013-07-11T18:29:19+0200     info: /disi_policies/files/'/etc/sssd/sssd.conf': Can't stat '/var/cfengine/master_disi_files/fedora19/sssd.conf' in files.copyfrom promise
 +</code>
 +
 +==== secure_cp ====
 +
 +I first used remote_cp instaed of secure_cp to ciopy files, howerver when the file changed on the server it wasn't replaced on the client because it was more recent !
 +
 +indeed from libraries/cfengine_stdlib.cf we can read the definitions :
 +
 +<code>
 +body copy_from secure_cp(from,server)
 +{
 +source      => "$(from)";
 +servers     => { "$(server)" };
 +compare     => "digest";
 +encrypt     => "true";
 +verify      => "true";
 +}
 +
 +##
 +
 +body copy_from remote_cp(from,server)
 +{
 +servers     => { "$(server)" };
 +source      => "$(from)";
 +compare     => "mtime";
 +}
 +</code>
 +
 +and from https://cfengine.com/docs/3.5/reference-promise-types-files.html reference we learn that what we needed was a compare based on digest and not mtime in our case !
 +
 +
 +===== bootstrap cfengine from cobbler =====
 +
 +we use cobbler to install +100 stations (fedora) via PXEboot + kickstart.
 +in order to fully automate the install + configuration of those stations we need to tell cobbler in its post install process to install cfengine and bootstrap the client station on the cfengine server
 +
 +reference
 +
 +  * https://lists.fedorahosted.org/pipermail/cobbler/2011-July/006553.html
 +  * https://groups.google.com/forum/?fromgroups&hl=en#!topic/help-cfengine/bQRv0vHpWLs
 +
 +in our kickstart template we call 2 snippets to do the job
 +<code>
 +[root@cobbler2 cobbler]# grep disi kickstarts/basef19.ks
 +$SNIPPET('disi_post_install_packages')
 +$SNIPPET('disi_cfengine_bootstrap')
 +</code>
 +
 +those snippet repectlively install cfengine and then bootstrap the client the easy way since the version 3.2.0, if you are willing to automatically accept keys from the clients , cf http://blog.normation.com/en/2012/01/03/interactive-key-exchange-with-cfengine/
 +
 +<code>
 +[root@cobbler2 snippets]# cat disi_post_install_packages
 +yum -y install cfengine-community
 +yum -y install autofs
 +
 +[root@cobbler2 snippets]# cat disi_cfengine_bootstrap
 +# start cfengine3 registration 
 +/var/cfengine/bin/cf-agent -B --policy-server 157.157.211.144 > /root/disi_cfengine3_bootstraped.txt
 +# end cfengine3 registration
 </code> </code>
docpublic/systemes/linux/cfengine3.1374237064.txt.gz · Last modified: 2013/07/19 12:31 by PROCACCIA
Show pageOld revisions
[unknown link type]Back to top
CC Attribution-Noncommercial-Share Alike 4.0 International
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0