Differences

docpublic:systemes:linux:cfengine3 [2013/07/19 12:35]
PROCACCIA [cfengine3]
docpublic:systemes:linux:cfengine3 [2013/12/24 15:14] (current)
procacci@tem-tsp.eu [references]
Line 18: Line 18:
   * http://pix-mania.dyndns.org/mediawiki/index.php/Cfengine_-_tutoriels   * http://pix-mania.dyndns.org/mediawiki/index.php/Cfengine_-_tutoriels
   * http://www.k-tux.com/cfengine-cet-outil-qui-facilite-la-vie-des-asr/2   * http://www.k-tux.com/cfengine-cet-outil-qui-facilite-la-vie-des-asr/2
-===== install =====+  * https://cfengine.com/blog/ten-reasons-for-5-minute-configuration-repair 
 +===== install server =====
  
   * https://cfengine.com/docs/3.5/getting-started-installation.html   * https://cfengine.com/docs/3.5/getting-started-installation.html
Line 93: Line 94:
 ===== install client ===== ===== install client =====
  
-here we install manually cfengine package on the client (next we'll do it automatically via cobbler)+here we install manually cfengine package on the client (next we'll do it  [[.:cfengine3&#bootstrap_cfengine_from_cobbler|automatically via cobbler)]]
  
 <code> <code>
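Review bot: in the changed sentence of the `install client` section, the closing parenthesis of "(next we'll do it ... automatically via cobbler)" ends up inside the link label, and the section anchor is written as `&#bootstrap_cfengine_from_cobbler`; DokuWiki section links take the form `[[page#section|label]]`, so `[[.:cfengine3#bootstrap_cfengine_from_cobbler|automatically via cobbler]])` is the form to check renders and resolves to the new "bootstrap cfengine from cobbler" heading below.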
Line 227: Line 228:
  
  
-==== Access control ====+===== Server Access control =====
  
-in def.cf+==== IP subnets control ==== 
 + 
 +in order to allow clients on from specific subnets , declare our subnets in def.cf
  
 <code> <code>
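Review bot: in the new `IP subnets control` paragraph, "allow clients on from specific subnets ," reads as a leftover of an earlier wording ("allow clients from specific subnets,"); it would also help to name the `def.cf` variable that holds the subnet list, since the server access rule added further down admits `@(def.acl)` and the `cf-serverd` log line that follows shows what a client outside that list receives.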
Line 248: Line 251:
 <code> <code>
 Jul 17 15:21:53 cfengine3 cf-serverd[8890]: Not allowing connection from non-authorized IP '157.157.61.196' Jul 17 15:21:53 cfengine3 cf-serverd[8890]: Not allowing connection from non-authorized IP '157.157.61.196'
 +</code>
 +
 +===== sample site policy =====
 +
 +Now that client and server are installed and communicate correctly, we are going to really get some job done with cfengine. 
 +
 +==== ldap + nfs context ====
 +
 +In that sample site / lab auto configuration we want to allow users to connect to client station through ldap authentication and NFS mount of homedirectories. that involves creating / copying files and restart services upon chnages to these files.
 +
 +==== classes ====
 +
 +we create a promise file to declare our local classes => groups of machines (beware that - are replace with _ for hotsname classes association)
 +
 +<code>
 +[root@cfengine3 masterfiles]# cat cf-disi-classes.cf
 +bundle common disi_classes
 +{
 +classes:
 +
 +"salle_b09" or => { "b09_01", "b09_02" };
 +"salle_b01" or => { "b01_01", "b01_02" };
 +"disi_hosts" or => { "arve", "arvin" };
 +}
 +</code>
 +
 +==== policy ====
 +
 +then we translate our needs in terms of cfengine promises in a dedicated promise file for that purpose
 +
 +<code>
 +[root@cfengine3 masterfiles]# cat cf-disi-policies.cf
 +bundle agent disi_policies
 +{
 +files:
 +
 + salle_b01|disi_hosts::
 +
 + "/etc/sssd/sssd.conf"
 + copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/sssd.conf","cfengine.int-evry.fr"),
 + perms => m("600");
 +
 + b01_02::
 +
 + "/etc/sssd/sssd.conf"
 + copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/sssd.conf","cfengine.int-evry.fr"),
 + perms => m("600");
 +
 + salle_b01|disi_hosts::
 +
 + "/etc/sysconfig/autofs"
 + copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/autofs","cfengine.int-evry.fr"),
 + perms => m("644"),
 + classes => if_repaired("autofs_restart");
 +
 + "/usr/local/bin/bash"
 +        link_from => ln_s("/bin/bash");
 +
 +
 +commands:
 + autofs_restart::
 + "/usr/bin/systemctl restart autofs.service";
 +
 +
 +}
 +</code>
 +
 +==== bundlesequence ====
 +finally we need to tell cfengine server bundlesequence to use our promises above through promises.cf file
 +
 +<code>
 +[root@cfengine3 masterfiles]# cat promises.cf
 +###############################################################################
 +#
 +#   promises.cf - Basic Policy for Community + DISI inputs
 +#
 +###############################################################################
 +body common control
 +{
 + bundlesequence => {
 +
 +                 # Common bundles first for best practice 
 +                    "def",
 +                 # Design Center
 +                    "cfsketch_run",
 +                 # Agent bundles from here
 +                    "main",
 +
 +                 # classes / groups de machines
 +                    "disi_classes",
 +                 # disi policies
 +                    "disi_policies",
 +                   };
 + inputs => {
 +         # Global common bundles
 +            "def.cf",
 +         # Control body for all agents
 +            "controls/cf_agent.cf",
 +            "controls/cf_execd.cf",
 +            "controls/cf_monitord.cf",
 +            "controls/cf_runagent.cf",
 +            "controls/cf_serverd.cf",
 +         # COPBL/Custom libraries
 +            "libraries/cfengine_stdlib.cf",
 +         # Design Center
 +             # MARKER FOR CF-SKETCH INPUT INSERTION
 +             "cf-sketch-runfile.cf",
 +         # User services from here
 +            "services/init_msg.cf",
 +            
 +         # classes disi
 +            "cf-disi-classes.cf",
 +         # disi policies
 +            "cf-disi-policies.cf",
 +           };
 + version => "Community Promises.cf 3.4.0";
 +}
 +###############################################################################
 +bundle agent main
 +{
 + methods:
 +  any::
 +
 +   "INIT MSG" usebundle => init_msg,
 +                comment => "Just a pre-defined policy bundled with the package",
 +                 handle => "main_methods_any_init_msg";
 +}
 +###############################################################################
 +</code>
 +
 +==== directory access rules ====
 +
 +note that in cf-disi-policies.cf above we ditribute/copy files from a personnal (disi) added directory , as in
 +
 +<code>
 +copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/sssd.conf","cfengine.int-evry.fr"),
 +</code>
 + /var/cfengine/master_disi_files/ beeing create by ourself, cfengine needs to allow acces to that directory tree from its def.cf global vars:
 +
 +<code>
 + # disi masterdir
 +   "dir_master_disi_files" string => translatepath("$(sys.workdir)/master_disi_files"),
 +                    comment => "Define master_disi_files path",
 +                     handle => "common_def_vars_dir_master_disi_files";
 +</code>
 +
 +Now that "$(sys.workdir)/master_disi_files" is a defined variable, we can use it in the acces rules of cf_served :
 +<code>
 +[root@cfengine3 masterfiles]# vim controls/cf_serverd.cf 
 +bundle server access_rules()
 +{
 + access:
 +  any::
 +  # disi
 +   "$(def.dir_master_disi_files)"
 +       handle => "server_access_rule_grant_access_disi_policy",
 +      comment => "Grant access to the policy disi updates",
 +        admit => { ".*\.$(def.domain)", @(def.acl) };
 +</code>
 +
 +otherwise you get an error on the client telling you 
 +
 +<code>
 +verbose: Server returned error ' Unspecified server refusal (see verbose server output)'
 +2013-07-11T18:29:19+0200     info: /disi_policies/files/'/etc/sssd/sssd.conf': Can't stat '/var/cfengine/master_disi_files/fedora19/sssd.conf' in files.copyfrom promise
 +</code>
 +
 +==== secure_cp ====
 +
 +I first used remote_cp instaed of secure_cp to ciopy files, howerver when the file changed on the server it wasn't replaced on the client because it was more recent !
 +
 +indeed from libraries/cfengine_stdlib.cf we can read the definitions :
 +
 +<code>
 +body copy_from secure_cp(from,server)
 +{
 +source      => "$(from)";
 +servers     => { "$(server)" };
 +compare     => "digest";
 +encrypt     => "true";
 +verify      => "true";
 +}
 +
 +##
 +
 +body copy_from remote_cp(from,server)
 +{
 +servers     => { "$(server)" };
 +source      => "$(from)";
 +compare     => "mtime";
 +}
 +</code>
 +
 +and from https://cfengine.com/docs/3.5/reference-promise-types-files.html reference we learn that what we needed was a compare based on digest and not mtime in our case !
 +
 +
 +===== bootstrap cfengine from cobbler =====
 +
 +we use cobbler to install +100 stations (fedora) via PXEboot + kickstart.
 +in order to fully automate the install + configuration of those stations we need to tell cobbler in its post install process to install cfengine and bootstrap the client station on the cfengine server
 +
 +reference
 +
 +  * https://lists.fedorahosted.org/pipermail/cobbler/2011-July/006553.html
 +  * https://groups.google.com/forum/?fromgroups&hl=en#!topic/help-cfengine/bQRv0vHpWLs
 +
 +in our kickstart template we call 2 snippets to do the job
 +<code>
 +[root@cobbler2 cobbler]# grep disi kickstarts/basef19.ks
 +$SNIPPET('disi_post_install_packages')
 +$SNIPPET('disi_cfengine_bootstrap')
 +</code>
 +
 +those snippet repectlively install cfengine and then bootstrap the client the easy way since the version 3.2.0, if you are willing to automatically accept keys from the clients , cf http://blog.normation.com/en/2012/01/03/interactive-key-exchange-with-cfengine/
 +
 +<code>
 +[root@cobbler2 snippets]# cat disi_post_install_packages
 +yum -y install cfengine-community
 +yum -y install autofs
 +
 +[root@cobbler2 snippets]# cat disi_cfengine_bootstrap
 +# start cfengine3 registration 
 +/var/cfengine/bin/cf-agent -B --policy-server 157.157.211.144 > /root/disi_cfengine3_bootstraped.txt
 +# end cfengine3 registration
 </code> </code>
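Review bot: in the `controls/cf_serverd.cf` excerpt, the `admit => { ".*\.$(def.domain)", @(def.acl) };` entry grants the `master_disi_files` tree to every host whose name matches the domain pattern as well as to the `def.acl` subnets, so stating what `def.domain` and `def.acl` resolve to, and that the name pattern is matched through DNS rather than by address, would make the trust boundary explicit; the excerpt also stops before the closing `}` of `bundle server access_rules`, so readers pasting it get an unbalanced bundle. In `cf-disi-policies.cf`, the `b01_02::` block repeats the `sssd.conf` promise already applied under `salle_b01|disi_hosts::` (b01_02 is a member of `salle_b01` in `cf-disi-classes.cf`), so it can be dropped. Finally, the cobbler snippet bootstraps with automatic key acceptance as the text says, which means the subnet ACL in `def.cf` is the only control over which stations may enrol against 157.157.211.144; saying so next to the snippet, and confirming that the `cf-agent -B --policy-server` form is the one documented for the 3.5 release linked in the install section, would round off the section.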
docpublic/systemes/linux/cfengine3.1374237300.txt.gz · Last modified: 2013/07/19 12:35 by PROCACCIA
CC Attribution-Noncommercial-Share Alike 4.0 International