Automating Linux and Unix System Administration

CHAPTER 4 Configuring Systems with cfengine (S. 49-50)

So far we’ve been discussing automation in a general way. At this point we’ll move beyond single ad hoc measures to a more systematic and robust approach. While you certainly have the option of writing your own collection of automation scripts, we recommend you use a proven automation framework: cfengine.

Getting an Overview of cfengine

Cfengine is software you can use to automate changes on UNIX (and UNIX- like) systems. It is a high- level language that describes system state, not a general- purpose programming language such as Perl or a shell. It’s primarily declarative, meaning that the SA writes out a technical description instead of a list of low- level steps to accomplish the goal. It is high- level enough that someone familiar with UNIX concepts and usage can read a cfengine configuration and understand what is being done without any prior cfengine knowledge. The language drives what you should consider your personal software robot. This robot (called ) does your repetitive work for you while you move on to other tasks. In this chapter we’ll use the current version of cfengine at the time of this writing: version 2.2.7.

Defining cfengine Concepts

Cfengine was designed to save time and reduce errors though automation. Its second, related goal is to enable computer systems to self- correct errors. It might take you some time to set up and configure cfengine, but you will be happier when everything has been said and done. At first, performing a new task with cfengine might take longer than performing the same task manually. But when you upgrade the operating system and lose a change made under the old OS installation, you’ll be glad you used cfengine because it will simply perform the change again. Or, when you realize a few other systems need the same change,you can use cfengine to make this happen in seconds (by adding the new systems to the appropriate class).

If you made the change manually, on the other hand, it might take some time before you even notice that the change was lost. Once you notice, you’ll have to make the change manually all over again—that is, of course, if you remember how you did it the last time. If ten new systems need a specific change, you might spend an hour changing each system yourself, whereas cfengine could have just done it for you.

Cfengine allows you to use one set of configuration files. Each host can transfer the configuration files from one or more cfengine servers before each run. As long as you make all the changes in that set of configuration files, all systems will receive the configuration updates automatically. You will no longer need to remember to make manual system changes.

You will no longer need to use special scripts for special systems and/or scripts that have so many conditionals (based on hostname, operating system, etc.) that they’ve become unreadable and difficult to maintain. Cfengine comes with a rich set of automatically detected UNIX characteristics that the SA can use to perform tasks on only the desired systems. Perhaps most important, this set of configuration files documents every change you make to every system. If you put a few comments in the files along with the commands, you will document not only what you have done but also why you did it.