Practical implementation of promise theory in CFEngine Mikhail Gusarov CFEngine AS <mikhail.gusarov@cfengine.com>
Contents <ul><li>Promise theory
&quot;reports&quot;
&quot;processes&quot;
&quot;packages&quot;
&quot;variables&quot;
Summary </li></ul>
Promise theory «Agent A promises to agent B to fulfill C»
Software Implementation <ul><li>Convergency </li><ul><li>Promise essence is the «desired state» </li></ul><li>Embracing er...
Real-world example: e-mail <ul><li>Convergency </li></ul><ul><ul><li>Delivery to address </li></ul></ul><ul><li>Embracing ...
Multiple MXes
Mail queues </li></ul></ul><ul><li>Autonomy </li></ul><ul><ul><li>Independent mail servers
Local routing decisions </li></ul></ul>
Reports body common control { bundlesequence => {&quot;mybundle&quot;}; } bundle agent mybundle { reports: linux:: &quot;H...
Reports body common control { bundlesequence => {&quot;mybundle&quot;}; } bundle agent mybundle { reports: linux:: &quot;H...
Reports bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; }
Reports bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; }
Reports bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; }
Reports bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; }
Reports (translated) def  mybundle() { if  &quot;linux&quot;  in global_contexts { report(&quot;Hello world!&quot;); } } m...
Reports (run) $  cf-agent R: Hello world! $
Reports (run) $  cf-agent R: Hello world! $  cf-agent $
Reports (run) $  cf-agent R: Hello world! $  cf-agent $  cf-agent $
Reports bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; &quot;That's surprising&quot;; }
Reports (run) $  cf-agent R: Hello world! $  cf-agent $  cf-agent $  cf-agent R: That's surprising $
Reports (run) $  cf-agent R: Hello world! $  cf-agent $  cf-agent $  cf-agent R: That's surprising $  cf-agent R: Hello wo...
def  mybundle() { promises.add( report(&quot;Hello world!&quot;, activate =  λ :  &quot;linux&quot; in global_contexts)) }...
«Ensure that specified message is reported to sysadmin as soon as possible, but no more than once per 5 minutes to the sys...
«Ensure that specified message is  reported  to sysadmin as soon as possible, but no  more than once per 5 minutes  to the...
«Ensure that specified message is reported to sysadmin  as soon as possible , but no more than once per 5 minutes to the s...
«Ensure that specified message is reported to sysadmin as soon as possible, but no more than once per 5 minutes to the sys...
Processes bundle agent myprocesses { processes: &quot;nginx&quot; match_range => irange(&quot;1&quot;,&quot;20&quot;); res...
Processes bundle agent myprocesses { processes: &quot;nginx&quot; match_range => irange( &quot;1&quot;,&quot;20&quot; ); r...
Processes bundle agent myprocesses { processes: &quot;nginx&quot; match_range => irange( &quot;1&quot;,&quot;inf&quot; ); ...
def  myprocesses() { nginx_cnt = count_proc(&quot;nginx&quot;) if  nginx_cnt  == 0 { promises.add( command( &quot;/etc/ini...
def  myprocesses() { promises.add( processes(&quot;nginx&quot;, λ  count:  if  count == 0 { define_context(&quot;restart_n...
«Ensure that amount of specified processes is kept in specified range, killing extra processes and communicating the need ...
«Ensure that amount of specified processes is kept  in specified range ,  killing extra processes and communicating the ne...
« Ensure that amount of specified processes is kept in specified range, killing extra processes and communicating the need...
«Ensure that amount of specified processes  is kept  in specified range, killing extra processes and communicating the nee...
Packages bundle agent mypackages { packages: &quot;libapache2-mod-wsgi&quot; package_method => apt, package_policy => &quo...
Packages bundle agent mypackages { packages: &quot; libapache2-mod-wsgi &quot; package_method =>  apt , package_policy => ...
Packages (translated) (Implementation is too large to fit in the  margin slide)
«Ensure that specified package is installed or not installed according to the constraints specified. Do this by instructin...
«Ensure that specified package is installed or not installed according to the constraints specified. Do this by instructin...
«Ensure that specified package is installed or not installed according to the constraints specified. Do this by instructin...
Upcoming SlideShare
Loading in …5
×

FOSDEM 2012: Practical implementation of promise theory in CFEngine

1,865 views
1,771 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,865
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
17
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Welcome and thank you for coming. My name is Mikhail Gusarov and I work for CFEngine AS, which is a company backing free software project CFEngine. I expect it to be most interesting to system administrators and software engineers who tried CFEngine and were puzzled by the semantics of operations, and also who read the works on promise theory by Mark Burgess and are trying to figure out how do the theoretical foundation are mapped to real-world CFEngine implementation.
  • We will start with the quick recap of promise theory, and then proceed to dissect several promise types in CFEngine, trying to find how the fundamental principles are reflected in particular design.
  • Let&apos;s start with a quick question: please raise your hand if you have used CFEngine before. And who has read the Mark Burgess&apos; papers on promise theory? The promise theory states that in distributed (or multi-agent) systems you may not adequately describe reality by obliging actors to do something, and instead promise is the building block. Promise in computing is similar to the one in real life: it might be broken (voluntarily or forcedly), it might be fulfilled from time to time, so at the best we may only statistically say that the promise is kept.
  • What does it mean from the software point of view? We need some way do describe and test promises, and the most useful way to do it is to formulate promises in the form of «desired state», with operators to test whether desired state is achieved, and to perform actions on the system to move closer to the desired state. We need to embrace errors, as it&apos;s quite rare situtaion when the promise we are trying to fulfill may be achived by the agent itself, so we need to be able to handle unfulfilled promises by any other agents we communicate with, as well as any internal inconsistencies. We need to be able to work autonomously, as we may not rely to another agents. At least we should be able to fail gracefully and wait until other agents start to fulfill their promises.
  • Here&apos;s an example of a reliable system which uses all of those principles. E-mail «promises» are convergent, in the sense that single promise this system fulfills is to deliver mail to the given address, and every MTA knows how to verify whether this promise is fulfilled or not, and how to advance in achievement of this promise. E-mail embraces errors, and there is huge lot of error handling in all components of-email. E-mail is autonomous in the sense, that any MTA is able to work offline, and does not fail completely if there is no DNS service. Once external services is available, it fetches the necessary data, makes routing decision and contines with delivery.
  • Let&apos;s start with a simple policy.
  • First section declares what _bundles_ are to be taken into account during CFEngine run, and is not particularily interesting. I will skip this part of the policy for the rest of the talk.
  • Let&apos;s have a look at second one. This is a bundle, that is, a building block for CFEngine policy, best approximated as a module in other languages.
  • This module contains a single statement of type &amp;quot;report&amp;quot;.
  • executed only in context &amp;quot;linux&amp;quot;, which is the case on Linux machines.
  • This statement asks to report a string &amp;quot;Hello world!&amp;quot;.
  • Let&apos;s use some imaginary imperative programming language to re-state the policy above. From the look of it, it looks similar to ... But does it behave this way?
  • Let&apos;s run it. Fine nothing unexpected.
  • Let&apos;s run it again. That&apos;s interesting.
  • Let&apos;s run it again. Hmm...
  • Let&apos;s add another report statement.
  • And run it again.
  • And one more time. So, the «reports» statement does not behave like a conventional «print» statement from imperative language.
  • More correct restatement in imaginary language we have used before would be like the following.
  • If we would specify the «reports» promise from CFEngine language in English, it would sound similar to the following.
  • This type of promises is convergent: we know the end state, and how to get closer to it.
  • This type of promises embraces errors, as we know that reporting mechanisms are not always available.
  • And this this type of promise is autonomous in the sense that agent does not need any additional information to decide where to direct the report.
  • Let&apos;s have a look at another promise.
  • This declaration promises that agent will keep number of «nginx» processes in specified range.
  • And if it is not, extra processes will be killed, or the need to spawn new processes will be communicated to another promise.
  • This is a simplistic rewrite of the previous policy in our imaginary imperative language, but it is not accurate in one significant aspect: this code only checks for amount of nginx processes once, while agent is able to re-check it again, if other parts of policy do a corrections, and spawn or kill monitored processes.
  • So the following rewrite would be more adequate, but as you easily see, it is just a restatement of policy in different syntax.
  • Let&apos;s try to formulate what does this promise type say.
  • This promise type is convergent, as we know the target state, and how to reach it.
  • The mere existance of this promise type is admittance of the fact processes may run out of the control.
  • And the promise type is obviously autonomous, as it does not need any external data to proceed.
  • Let&apos;s consider the next promise:
  • Agent promises to ensure that package libapache2-mod-wsgi from APT repository is installed and has version at least 3.3-4.
  • I won&apos;t even try to translate this kind of promise, as it will be either very verbose, or just restate the policy language using DSL of some sort.
  • The following description of package promise type is simplified (as it does not include large number of less-used features, like lack of local package manager, or rarely used operations), but nonetheless useful.
  • Packages promise is obviously convergent, as we know the end state and how to reach it.
  • It implicitly embraces errors, as implementation will patiently wait until local package manager is able to do what is requested (e.g. until network is available to fetch new packages)
  • And the promise is autonomous in the sense that no extra information is needed to verify the state or to try to reach the promised state.
  • Variables are special kind of promises. They belong to the agent itself, and not to the environment.
  • And hence their semantics is pretty similar to the one you might find in functional languages.
  • Variables are trivially convergent and autonomous by definition.
  • But still, there is error-handling component. CFEngine variables will try to evaluate itself until it suceeds. For example, in this variable definition, execresult function may fail if testparm binary is not available, and variable will be evaluated as frequently as deemed necessary to try to get it value, e.g. If testparm binary is installed by another part of policy.
  • So, we have got through three constructs in CFEngine language, and all of them shown the same unifying principles behind: convergency, embracing errors, and autonomy. This approach distinguishes CFEngine from configuration management tools, such as glorified parallel shell wrappers, where you need to think of convergence yourself, and the language does not help you to produce self-healing systems. But also this approach makes CFEngine language so different from conventional languages.
  • As you just saw, the building blocks of CFEngine language are quite different from the functional or imperative languages. CFEngine agent does not execute sequence of commands, and does not evaluate a function changing world as a side-effect, but keeps a number of promises. There are roughly two ways of describing domain knowledge in machine-readable way: * eDSL for general-purpose language * Separate DSL Some promises may require a great deal of context to be bundled in order to be convergent, and do not docempose to more fundamental entities which still have the property of convergency. This makes describing policies as a eDSL pretty cumbersome - resulting eDSL would still have to have all the CFEngine language primitives, including classes and variables, so it would just add another layer of syntactic clutter on top of the same semantics. Considering this issue, CFEngine chose the approach of having a separate DSL.
  • FOSDEM 2012: Practical implementation of promise theory in CFEngine

    1. 1. Practical implementation of promise theory in CFEngine Mikhail Gusarov CFEngine AS <mikhail.gusarov@cfengine.com>
    2. 2. Contents <ul><li>Promise theory
    3. 3. &quot;reports&quot;
    4. 4. &quot;processes&quot;
    5. 5. &quot;packages&quot;
    6. 6. &quot;variables&quot;
    7. 7. Summary </li></ul>
    8. 8. Promise theory «Agent A promises to agent B to fulfill C»
    9. 9. Software Implementation <ul><li>Convergency </li><ul><li>Promise essence is the «desired state» </li></ul><li>Embracing errors </li><ul><li>Promises may be kept occasionally </li></ul><li>Autonomy </li><ul><li>Unable to rely on another agents </li></ul></ul>
    10. 10. Real-world example: e-mail <ul><li>Convergency </li></ul><ul><ul><li>Delivery to address </li></ul></ul><ul><li>Embracing errors </li></ul><ul><ul><li>4xx, 5xx errors
    11. 11. Multiple MXes
    12. 12. Mail queues </li></ul></ul><ul><li>Autonomy </li></ul><ul><ul><li>Independent mail servers
    13. 13. Local routing decisions </li></ul></ul>
    14. 14. Reports body common control { bundlesequence => {&quot;mybundle&quot;}; } bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; }
    15. 15. Reports body common control { bundlesequence => {&quot;mybundle&quot;}; } bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; }
    16. 16. Reports bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; }
    17. 17. Reports bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; }
    18. 18. Reports bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; }
    19. 19. Reports bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; }
    20. 20. Reports (translated) def mybundle() { if &quot;linux&quot; in global_contexts { report(&quot;Hello world!&quot;); } } mybundle()
    21. 21. Reports (run) $ cf-agent R: Hello world! $
    22. 22. Reports (run) $ cf-agent R: Hello world! $ cf-agent $
    23. 23. Reports (run) $ cf-agent R: Hello world! $ cf-agent $ cf-agent $
    24. 24. Reports bundle agent mybundle { reports: linux:: &quot;Hello world!&quot;; &quot;That's surprising&quot;; }
    25. 25. Reports (run) $ cf-agent R: Hello world! $ cf-agent $ cf-agent $ cf-agent R: That's surprising $
    26. 26. Reports (run) $ cf-agent R: Hello world! $ cf-agent $ cf-agent $ cf-agent R: That's surprising $ cf-agent R: Hello world! $
    27. 27. def mybundle() { promises.add( report(&quot;Hello world!&quot;, activate = λ : &quot;linux&quot; in global_contexts)) } mybundle() run_all_relevant_promises()
    28. 28. «Ensure that specified message is reported to sysadmin as soon as possible, but no more than once per 5 minutes to the sysadmin using the specified reporting mechanisms»
    29. 29. «Ensure that specified message is reported to sysadmin as soon as possible, but no more than once per 5 minutes to the sysadmin using the specified reporting mechanisms» Convergence
    30. 30. «Ensure that specified message is reported to sysadmin as soon as possible , but no more than once per 5 minutes to the sysadmin using the specified reporting mechanisms» Embracing errors
    31. 31. «Ensure that specified message is reported to sysadmin as soon as possible, but no more than once per 5 minutes to the sysadmin using the specified reporting mechanisms » Autonomy
    32. 32. Processes bundle agent myprocesses { processes: &quot;nginx&quot; match_range => irange(&quot;1&quot;,&quot;20&quot;); restart_class => &quot;restart_nginx&quot;; commands: restart_nginx:: &quot;/etc/init.d/nginx start&quot;; }
    33. 33. Processes bundle agent myprocesses { processes: &quot;nginx&quot; match_range => irange( &quot;1&quot;,&quot;20&quot; ); restart_class => &quot;restart_nginx&quot;; commands: restart_nginx:: &quot;/etc/init.d/nginx start&quot;; }
    34. 34. Processes bundle agent myprocesses { processes: &quot;nginx&quot; match_range => irange( &quot;1&quot;,&quot;inf&quot; ); restart_class => &quot;restart_nginx&quot; ; commands: restart_nginx:: &quot;/etc/init.d/nginx start&quot;; }
    35. 35. def myprocesses() { nginx_cnt = count_proc(&quot;nginx&quot;) if nginx_cnt == 0 { promises.add( command( &quot;/etc/init.d/nginx start&quot;)) } elif nginx_cnt > 20 { Promises.add(kill(&quot;nginx&quot;, nginx_cnt – 20)) } } myprocesses() run_all_relevant_promises()
    36. 36. def myprocesses() { promises.add( processes(&quot;nginx&quot;, λ count: if count == 0 { define_context(&quot;restart_nginx&quot;)}) promises.add( commands( &quot;/etc/init.d/nginx start&quot;, activate_if = λ : &quot;restart_nginx&quot; in global_contexts)) } myprocesses() run_all_relevant_promises()
    37. 37. «Ensure that amount of specified processes is kept in specified range, killing extra processes and communicating the need to restart if necessary»
    38. 38. «Ensure that amount of specified processes is kept in specified range , killing extra processes and communicating the need to restart if necessary» Convergence
    39. 39. « Ensure that amount of specified processes is kept in specified range, killing extra processes and communicating the need to restart if necessary » Embracing errors
    40. 40. «Ensure that amount of specified processes is kept in specified range, killing extra processes and communicating the need to restart if necessary» Autonomy
    41. 41. Packages bundle agent mypackages { packages: &quot;libapache2-mod-wsgi&quot; package_method => apt, package_policy => &quot;addupdate&quot;, package_version => &quot;3.3-4&quot;, package_select => &quot;>=&quot;; }
    42. 42. Packages bundle agent mypackages { packages: &quot; libapache2-mod-wsgi &quot; package_method => apt , package_policy => &quot; addupdate &quot;, package_version => &quot; 3.3-4 &quot;, package_select => &quot; >= &quot;; }
    43. 43. Packages (translated) (Implementation is too large to fit in the margin slide)
    44. 44. «Ensure that specified package is installed or not installed according to the constraints specified. Do this by instructing local package manager to add, upgrade or remove package»
    45. 45. «Ensure that specified package is installed or not installed according to the constraints specified. Do this by instructing local package manager to add, upgrade or remove package» Convergent
    46. 46. «Ensure that specified package is installed or not installed according to the constraints specified. Do this by instructing local package manager to add, upgrade or remove package» Embracing errors
    47. 47. «Ensure that specified package is installed or not installed according to the constraints specified. Do this by instructing local package manager to add, upgrade or remove package» Autonomous
    48. 48. Variables <ul>bundle agent myvars { vars: &quot;a&quot; string => &quot;My $(string)&quot;; } </ul>
    49. 49. «Maintain in-agent binding of left-side name to the value of right-side expression»
    50. 50. Convergent, autonomous «Maintain in-agent binding of left-side name to the value of right-side expression»
    51. 51. Embracing errors bundle agent myvars { vars: &quot;myvar&quot; string => execresult ( &quot;/usr/bin/testparm /etc/smb/smb.conf&quot;, &quot;noshell&quot;); }
    52. 52. Summary <ul><li>CFEngine building blocks are promises </li></ul><ul><ul><li>Higher-level
    53. 53. Convergent
    54. 54. Error-embracing
    55. 55. Autonomous
    56. 56. Not the things from conventional languages </li></ul></ul>
    57. 57. IRC: #cfengine @ FreeNode Web: http://cfengine.com/tech ML: https://cfengine.org/mailman/listinfo Questions?
    58. 58. DSL vs. eDSL <ul><li>Pro eDSL: </li></ul><ul><ul><li>Familiar host language </li></ul></ul><ul><li>Contra eDSL: </li></ul><ul><ul><li>Radically different building blocks
    59. 59. Different control structure and evaluation </li></ul><li>-> DSL </li></ul>

    ×