Tomáš Čorej: Configuration management & CFEngine3
CFEngine is the oldest configuration management tool and inspired Puppet and Chef. Features such as model-based monitoring, promise theory and knowledge management support make it a reasonable alternative for IT system automation.

Published in: Technology
Transcript

  • 1. Configuration management: Why? What? How?
  • 2-4. Why?
    ● example:
      ○ imagine that we want to prevent root logins on 100 nodes
      ○ we want to set the PermitRootLogin option in sshd_config to "no"
      ○ we have to execute this command on every node:
          echo "PermitRootLogin no" >> /etc/ssh/sshd_config
  • 5. for node in node{1..100}; do ssh root@$node 'echo "PermitRootLogin no" >> /etc/ssh/sshd_config'; done
    ● bug: the string will be appended every time we run this for cycle
      ○ no problem, we'll fix it
  • 6. for node in node{1..100}; do
         ssh root@$node '(grep -iq PermitRootLogin /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config) && sed -i "s/^.*PermitRootLogin.*$/PermitRootLogin no/" /etc/ssh/sshd_config'
       done
    ● it's complicated, I'll put it into a script
  • 7-14. What if?
    ● the option is already set to "no"
    ● the option is commented out
    ● sshd_config does not exist at the specified path
    ● sshd is not installed at all
    ● the operation fails on nodes 2, 4, 9, 31 and 83 (wrong permissions?)
    ● nodes 70 and 71 are OpenIndiana
    ● sshd fails to restart on nodes 19 and 21
    ● node 13 is in maintenance
  • 15. Script
    ● would be too complicated
      ○ different operating systems and flavors
      ○ handling all situations
    ● can't handle offline nodes
    ● hard to maintain
    ● hard to use
    ● human error is inevitable
    Complex processes or orchestration through the for cycle are a NO GO.
  • 16. What is configuration management good for?
    ● can handle a lot of details
    ● handling deviation from the defined configuration
      ○ packages, files or configuration accidentally removed by hand...
      ○ returns the system to its original state
    ● infrastructure configuration as code
      ○ code is repeatable
      ○ using a VCS (git, svn, hg, ...) you may create an environment for change management
    ● change deployment
      ○ in a controlled manner
    ● automatic server deployment
      ○ a new server is deployed using existing code
  • 17. "I don't need to use it"
    ● do it, you won't regret it
      ○ even on your computer alone
      ○ or with a few servers
  • 18. How?
    ● there are a lot of tools available:
      ○ Puppet
      ○ Chef
      ○ Bcfg2
      ○ CFEngine3
      ○ Salt
      ○ Ansible
      ○ ...and others
    ● choose the right tool for your needs
  • 19. CFEngine 3 (Tomas Corej, @tomas_corej)
  • 20. History of CM tools (src: http://bit.ly/acuidi)
  • 21. CFEngine
    ● developed in 1993 by @markburgess_osl
      ○ who also created the whole field
    ● CFEngine 1
      ○ domain-specific language
    ● CFEngine 2 (1998)
      ○ idea of convergence
        ■ the tool discovers the state of the system
    ● CFEngine 3 (2009)
      ○ complete rewrite
      ○ based on Promise Theory developed by Mark Burgess
  • 22. CFEngine 3
    ● written in C
    ● strong theoretical background
      ○ it should stay the same for years
    ● cross platform
      ○ Linux, *BSD, Solaris, Windows....
      ○ from Raspberry Pi to big IT deployments (Facebook)
    ● small footprint
      ○ small CPU usage - http://bit.ly/QJcrg8
    ● very scalable
      ○ can handle hundreds of thousands of servers
      ○ policy hierarchy
    ● zero reported vulnerabilities
  • 23. CFEngine 3 design principles
    ● desired-state configuration
      ○ declarative policy language
      ○ you only specify the desired final state of the system
      ○ CFEngine will handle everything else automatically
      ○ but if an operation is not native, you have to tell CFEngine "how"
    ● promise theory
      ○ models the behaviour of agents in an environment without central authority
      ○ voluntary cooperation
    ● convergent configuration
      ○ you don't need to know the current state of the system
      ○ convergence in incremental steps
  • 24. Architecture (src: cfengine.com)
  • 25. Architecture
    ● no clear distinction between agent (client) and policy hub (server)
    ● every agent can be a policy hub for another set of agents
    ● agents update policy files from the hub
      ○ if the policy hub is unreachable => policy files are not updated
      ○ every 5 minutes
      ○ no other mechanism to tell agents what to do
  • 26. Show me the code!
    # replace_or_add comes from the CFEngine standard library, which must be in the policy's inputs
    bundle agent sshd_norootlogin
    {
    files:
        "/etc/ssh/sshd_config"
          edit_line => replace_or_add(".*PermitRootLogin.*", "PermitRootLogin no");
    }
  • 27. Code
    ● covers many situations:
      ○ commented-out option
      ○ non-existent option
      ○ option set to a value other than "no"
    ● how to handle various environments?
      ○ using context
      ○ they're also known as classes, but their meaning is not the same as in OOP
  • 28. Context
    ● conditionals to handle different environments or states
      ○ does a file exist? is a package installed? yes/no
      ○ is this system Debian, Ubuntu or Windows?
      ○ is this a system with a hostname matching web*?
    ● hard classes
      ○ discovered by CFEngine
      ○ hostname, IP addresses, interfaces...
    ● soft classes
      ○ classes defined during runtime
  • 29. code++
    # the path of sshd_config is chosen by the hard class "debian", discovered by the agent
    bundle agent sshd_norootlogin
    {
    vars:
      debian::
        "sshdconf" string => "/etc/ssh/sshd_config";
      !debian::
        "sshdconf" string => "/usr/local/etc/ssh/sshd_config";
    files:
        "$(sshdconf)"
          edit_line => replace_or_add(".*PermitRootLogin.*", "PermitRootLogin no");
    }
  • 30. Who am I and why CFEngine
    ● sysadmin @ Websupport.sk
    ● the biggest webhosting provider in Slovakia
    ● tens of thousands of services (domains, VPS, hostings)
    ● we're going to move all of them to a new hardware infrastructure in a few months
    ● we chose CFEngine3 because of its features:
  • 31. The features that work for us
    ● strong theoretical background
      ○ where will Puppet and Chef be when the hype ends?
    ● small CPU and memory overhead
    ● scalability
      ○ we may need to handle 1000-2000 virtual servers
    ● model-based monitoring http://bit.ly/Vle8zc
      ○ CFEngine can be used as a monitoring tool or as an addon to another monitoring tool
      ○ monitoring is self-learning => no need to set up anything
      ○ learns the state of the system for the past 7 days
      ○ if a metric value is larger than the standard deviation => something unusual is happening
  • 32. Features that work for us
    ● knowledge maps
      ○ you may generate logical maps of subsystems from code
    ● it is not written in Ruby :)
      ○ we have strong experience with C
  • 33. Questions?
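To make the convergence argument of slides 5-14 and 26-29 concrete, here is an added Python example (not from the talk and not CFEngine's own code) of what a replace_or_add promise does on one node: the function names, the constructed sshd_config samples and the kept/repaired/skipped outcomes are assumptions made here, and collapsing duplicate matches goes beyond what the stdlib body does.

```python
import re
import tempfile
from pathlib import Path

PERMIT_RE = re.compile(r"^.*PermitRootLogin.*$")  # the slide's pattern
DESIRED = "PermitRootLogin no"

def replace_or_add(text, pattern, line):
    """Matching lines become `line`, appended if none matched; extra matches are
    dropped (beyond the stdlib body, to undo slide-5 dups). Rerun is a no-op."""
    out, matched = [], False
    for current in text.splitlines():
        if not pattern.match(current):
            out.append(current)
        elif not matched:
            out.append(line)
            matched = True
    if not matched:
        out.append(line)
    new_text = "\n".join(out) + "\n"
    return new_text, new_text != text

def converge_sshd(path):
    """One agent run on one node: 'skipped' when the file is absent (sshd not
    installed, or installed elsewhere), 'repaired' when edited, else 'kept'."""
    cfg = Path(path)
    if not cfg.exists():
        return "skipped"
    new, changed = replace_or_add(cfg.read_text(), PERMIT_RE, DESIRED)
    if changed:
        cfg.write_text(new)
    return "repaired" if changed else "kept"

def demo():
    """Runs the agent twice on constructed samples (None = no file); returns {node: (run1, run2)}."""
    samples = {
        "already_no": "PermitRootLogin no\nPort 22\n",
        "commented": "#PermitRootLogin yes\nPort 22\n",
        "other_value": "PermitRootLogin without-password\n",
        "absent": "Port 22\n",
        "duplicated": "Port 22\nPermitRootLogin no\nPermitRootLogin no\n",
        "no_sshd": None,
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for node, body in samples.items():
            if body is not None:
                Path(d, node).write_text(body)
            results[node] = (converge_sshd(Path(d, node)), converge_sshd(Path(d, node)))
    return results
```

The second run of every node comes back "kept", which is the property that lets cf-agent re-apply the same policy every five minutes without the slide-5 pile-up; the "skipped" node shows why slide 29 selects the path by class rather than guessing.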