Differences

docpublic:systemes:linux:cfengine3 [2013/07/19 12:43]
PROCACCIA [IP subnets control]
docpublic:systemes:linux:cfengine3 [2013/12/24 15:14] (current)
procacci@tem-tsp.eu [references]
Line 18: Line 18:
   * http://pix-mania.dyndns.org/mediawiki/index.php/Cfengine_-_tutoriels   * http://pix-mania.dyndns.org/mediawiki/index.php/Cfengine_-_tutoriels
   * http://www.k-tux.com/cfengine-cet-outil-qui-facilite-la-vie-des-asr/2   * http://www.k-tux.com/cfengine-cet-outil-qui-facilite-la-vie-des-asr/2
 +  * https://cfengine.com/blog/ten-reasons-for-5-minute-configuration-repair
 ===== install server ===== ===== install server =====
  
Line 93: Line 94:
 ===== install client ===== ===== install client =====
  
-here we install manually cfengine package on the client (next we'll do it automatically via cobbler)+here we install manually cfengine package on the client (next we'll do it  [[.:cfengine3&#bootstrap_cfengine_from_cobbler|automatically via cobbler)]]
  
 <code> <code>
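Review bot: the new wiki link on the changed line has its closing parenthesis inside the link label, so the rendered text reads `automatically via cobbler)` with the `)` as part of the link; move it after `]]`. The `&#` in front of the section name also looks like a stray `&`, since a DokuWiki section link is written `[[page#section|label]]`; as written the target may not resolve to the "bootstrap cfengine from cobbler" heading that this same revision adds further down.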
Line 256: Line 257:
 Now that client and server are installed and communicate correctly, we are going to really get some job done with cfengine.  Now that client and server are installed and communicate correctly, we are going to really get some job done with cfengine. 
  
-==== ldap + nfs ====+==== ldap + nfs context ====
  
 In that sample site / lab auto configuration we want to allow users to connect to client station through ldap authentication and NFS mount of homedirectories. that involves creating / copying files and restart services upon chnages to these files. In that sample site / lab auto configuration we want to allow users to connect to client station through ldap authentication and NFS mount of homedirectories. that involves creating / copying files and restart services upon chnages to these files.
  
 +==== classes ====
  
 +we create a promise file to declare our local classes => groups of machines (beware that - are replace with _ for hotsname classes association)
  
 +<code>
 +[root@cfengine3 masterfiles]# cat cf-disi-classes.cf
 +bundle common disi_classes
 +{
 +classes:
 +
 +"salle_b09" or => { "b09_01", "b09_02" };
 +"salle_b01" or => { "b01_01", "b01_02" };
 +"disi_hosts" or => { "arve", "arvin" };
 +}
 +</code>
 +
 +==== policy ====
 +
 +then we translate our needs in terms of cfengine promises in a dedicated promise file for that purpose
 +
 +<code>
 +[root@cfengine3 masterfiles]# cat cf-disi-policies.cf
 +bundle agent disi_policies
 +{
 +files:
 +
 + salle_b01|disi_hosts::
 +
 + "/etc/sssd/sssd.conf"
 + copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/sssd.conf","cfengine.int-evry.fr"),
 + perms => m("600");
 +
 + b01_02::
 +
 + "/etc/sssd/sssd.conf"
 + copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/sssd.conf","cfengine.int-evry.fr"),
 + perms => m("600");
 +
 + salle_b01|disi_hosts::
 +
 + "/etc/sysconfig/autofs"
 + copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/autofs","cfengine.int-evry.fr"),
 + perms => m("644"),
 + classes => if_repaired("autofs_restart");
 +
 + "/usr/local/bin/bash"
 +        link_from => ln_s("/bin/bash");
 +
 +
 +commands:
 + autofs_restart::
 + "/usr/bin/systemctl restart autofs.service";
 +
 +
 +}
 +</code>
 +
 +==== bundlesequence ====
 +finally we need to tell cfengine server bundlesequence to use our promises above through promises.cf file
 +
 +<code>
 +[root@cfengine3 masterfiles]# cat promises.cf
 +###############################################################################
 +#
 +#   promises.cf - Basic Policy for Community + DISI inputs
 +#
 +###############################################################################
 +body common control
 +{
 + bundlesequence => {
 +
 +                 # Common bundles first for best practice 
 +                    "def",
 +                 # Design Center
 +                    "cfsketch_run",
 +                 # Agent bundles from here
 +                    "main",
 +
 +                 # classes / groups de machines
 +                    "disi_classes",
 +                 # disi policies
 +                    "disi_policies",
 +                   };
 + inputs => {
 +         # Global common bundles
 +            "def.cf",
 +         # Control body for all agents
 +            "controls/cf_agent.cf",
 +            "controls/cf_execd.cf",
 +            "controls/cf_monitord.cf",
 +            "controls/cf_runagent.cf",
 +            "controls/cf_serverd.cf",
 +         # COPBL/Custom libraries
 +            "libraries/cfengine_stdlib.cf",
 +         # Design Center
 +             # MARKER FOR CF-SKETCH INPUT INSERTION
 +             "cf-sketch-runfile.cf",
 +         # User services from here
 +            "services/init_msg.cf",
 +            
 +         # classes disi
 +            "cf-disi-classes.cf",
 +         # disi policies
 +            "cf-disi-policies.cf",
 +           };
 + version => "Community Promises.cf 3.4.0";
 +}
 +###############################################################################
 +bundle agent main
 +{
 + methods:
 +  any::
 +
 +   "INIT MSG" usebundle => init_msg,
 +                comment => "Just a pre-defined policy bundled with the package",
 +                 handle => "main_methods_any_init_msg";
 +}
 +###############################################################################
 +</code>
 +
 +==== directory access rules ====
 +
 +note that in cf-disi-policies.cf above we ditribute/copy files from a personnal (disi) added directory , as in
 +
 +<code>
 +copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/sssd.conf","cfengine.int-evry.fr"),
 +</code>
 + /var/cfengine/master_disi_files/ beeing create by ourself, cfengine needs to allow acces to that directory tree from its def.cf global vars:
 +
 +<code>
 + # disi masterdir
 +   "dir_master_disi_files" string => translatepath("$(sys.workdir)/master_disi_files"),
 +                    comment => "Define master_disi_files path",
 +                     handle => "common_def_vars_dir_master_disi_files";
 +</code>
 +
 +Now that "$(sys.workdir)/master_disi_files" is a defined variable, we can use it in the acces rules of cf_served :
 +<code>
 +[root@cfengine3 masterfiles]# vim controls/cf_serverd.cf 
 +bundle server access_rules()
 +{
 + access:
 +  any::
 +  # disi
 +   "$(def.dir_master_disi_files)"
 +       handle => "server_access_rule_grant_access_disi_policy",
 +      comment => "Grant access to the policy disi updates",
 +        admit => { ".*\.$(def.domain)", @(def.acl) };
 +</code>
 +
 +otherwise you get an error on the client telling you 
 +
 +<code>
 +verbose: Server returned error ' Unspecified server refusal (see verbose server output)'
 +2013-07-11T18:29:19+0200     info: /disi_policies/files/'/etc/sssd/sssd.conf': Can't stat '/var/cfengine/master_disi_files/fedora19/sssd.conf' in files.copyfrom promise
 +</code>
 +
 +==== secure_cp ====
 +
 +I first used remote_cp instaed of secure_cp to ciopy files, howerver when the file changed on the server it wasn't replaced on the client because it was more recent !
 +
 +indeed from libraries/cfengine_stdlib.cf we can read the definitions :
 +
 +<code>
 +body copy_from secure_cp(from,server)
 +{
 +source      => "$(from)";
 +servers     => { "$(server)" };
 +compare     => "digest";
 +encrypt     => "true";
 +verify      => "true";
 +}
 +
 +##
 +
 +body copy_from remote_cp(from,server)
 +{
 +servers     => { "$(server)" };
 +source      => "$(from)";
 +compare     => "mtime";
 +}
 +</code>
 +
 +and from https://cfengine.com/docs/3.5/reference-promise-types-files.html reference we learn that what we needed was a compare based on digest and not mtime in our case !
 +
 +
 +===== bootstrap cfengine from cobbler =====
 +
 +we use cobbler to install +100 stations (fedora) via PXEboot + kickstart.
 +in order to fully automate the install + configuration of those stations we need to tell cobbler in its post install process to install cfengine and bootstrap the client station on the cfengine server
 +
 +reference
 +
 +  * https://lists.fedorahosted.org/pipermail/cobbler/2011-July/006553.html
 +  * https://groups.google.com/forum/?fromgroups&hl=en#!topic/help-cfengine/bQRv0vHpWLs
 +
 +in our kickstart template we call 2 snippets to do the job
 +<code>
 +[root@cobbler2 cobbler]# grep disi kickstarts/basef19.ks
 +$SNIPPET('disi_post_install_packages')
 +$SNIPPET('disi_cfengine_bootstrap')
 +</code>
 +
 +those snippet repectlively install cfengine and then bootstrap the client the easy way since the version 3.2.0, if you are willing to automatically accept keys from the clients , cf http://blog.normation.com/en/2012/01/03/interactive-key-exchange-with-cfengine/
 +
 +<code>
 +[root@cobbler2 snippets]# cat disi_post_install_packages
 +yum -y install cfengine-community
 +yum -y install autofs
 +
 +[root@cobbler2 snippets]# cat disi_cfengine_bootstrap
 +# start cfengine3 registration 
 +/var/cfengine/bin/cf-agent -B --policy-server 157.157.211.144 > /root/disi_cfengine3_bootstraped.txt
 +# end cfengine3 registration
 +</code>
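Review bot: in cf-disi-policies.cf the `b01_02::` block repeats, word for word, the `/etc/sssd/sssd.conf` promise already made under `salle_b01|disi_hosts::`, and cf-disi-classes.cf defines `"salle_b01" or => { "b01_01", "b01_02" };`, so on b01_02 the same file is promised twice with the same source and perms; drop the second block, or give it a different source path if that station is meant to receive a different sssd.conf. Two smaller points in the same hunk: the "directory access rules" section should say that `admit => { ".*\.$(def.domain)", @(def.acl) }` opens the whole `master_disi_files` tree to every host whose name ends in `$(def.domain)`, not just to the two classes the policy targets; and the "secure_cp" section credits only `compare => "digest"`, while the body also sets `encrypt => "true"` and `verify => "true"`, which is what the policy relies on when it copies a file it itself marks as sensitive with `perms => m("600")`.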
docpublic/systemes/linux/cfengine3.1374237836.txt.gz · Last modified: 2013/07/19 12:43 by PROCACCIA
CC Attribution-Noncommercial-Share Alike 4.0 International