
Tomáš Čorej: Configuration management & CFEngine3

CFEngine is the oldest tool for configuration management and inspired Puppet & Chef. Features like model-based monitoring, promise theory and knowledge management support make it a reasonable alternative for IT system automation.


1. Configuration management
   Why? What? How?

2-4. Why?
   ● example:
     ○ imagine that we want to prevent root logins on 100 nodes
     ○ we want to set the PermitRootLogin option in sshd_config to "no"
     ○ we have to execute this command on every node:
         echo "PermitRootLogin no" >> /etc/ssh/sshd_config

5.
       for node in node{1..100}; do
         ssh root@$node "echo 'PermitRootLogin no' >> /etc/ssh/sshd_config"
       done

   ● bug: the string will be appended every time we run this for loop
     ○ no problem, we're gonna fix it

6.
       for node in node{1..100}; do
         ssh root@$node "(grep -iq 'PermitRootLogin' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config) \
           && sed -i 's/^.*PermitRootLogin.*$/PermitRootLogin no/' /etc/ssh/sshd_config"
       done

   ● it's complicated, I'll put it into a script
7-14. What if?
   ● option is already set to "no"
   ● option is commented out
   ● sshd_config does not exist on the specified path
   ● sshd is not installed at all
   ● operation fails on nodes 2, 4, 9, 31 and 83 (wrong permissions?)
   ● nodes 70 and 71 are OpenIndiana
   ● sshd fails to restart on nodes 19 and 21
   ● node 13 is in maintenance

15. Script
   ● would be too complicated
     ○ different operating systems and flavors
     ○ handling all situations
   ● can't handle offline nodes
   ● hard to maintain
   ● hard to use
   ● human error is inevitable
   Complex processes or orchestration through the for loop is a NO GO.
16. What is configuration management good for?
   ● can handle a lot of details
   ● handling deviation from the defined configuration
     ○ packages, files or configuration accidentally removed by hand...
     ○ would return the system to its original state
   ● infrastructure configuration as code
     ○ code is repeatable
     ○ using a VCS (git, svn, hg, ...) you may create an environment for change management
   ● change deployment
     ○ in a controlled manner
   ● automatic server deployment
     ○ a new server is deployed using existing code

17. "I don't need to use it"
   ● do it, you won't regret it
     ○ even on your computer alone
     ○ or with a few servers

18. How?
   ● there are a lot of tools available:
     ○ Puppet
     ○ Chef
     ○ Bcfg2
     ○ CFEngine3
     ○ Salt
     ○ Ansible
     ○ ...and others
   ● choose the right tool for your needs
19. CFEngine 3
   Tomas Corej, @tomas_corej

20. History of CM tools
   src: http://bit.ly/acuidi

21. CFEngine
   ● developed in 1993 by @markburgess_osl
     ○ who also created the whole field
   ● CFEngine 1
     ○ domain-specific language
   ● CFEngine 2 (1998)
     ○ idea of convergence
       ■ the tool discovers the state of the system
   ● CFEngine 3 (2009)
     ○ complete rewrite
     ○ based on Promise Theory, developed by Mark Burgess

22. CFEngine 3
   ● written in C
   ● strong theoretical background
     ○ it should stay the same for years
   ● cross platform
     ○ Linux, *BSD, Solaris, Windows...
     ○ from Raspberry Pi to big IT deployments (Facebook)
   ● small footprint
     ○ small CPU usage - http://bit.ly/QJcrg8
   ● very scalable
     ○ can handle hundreds of thousands of servers
     ○ policy hierarchy
   ● zero reported vulnerabilities

23. CFEngine 3 design principles
   ● desired-state configuration
     ○ declarative policy language
     ○ you only specify the desired final state of the system
     ○ CFEngine will handle everything else automatically
     ○ but if an operation is not native, you have to tell CFEngine "how"
   ● promise theory
     ○ models the behaviour of agents in an environment without a central authority
     ○ voluntary cooperation
   ● convergent configuration
     ○ you don't need to know the current state of the system
     ○ convergence in incremental steps

24. Architecture
   src: cfengine.com

25. Architecture
   ● no clear distinction between agent (client) and policy hub (server)
   ● every agent can be a policy hub for another set of agents
   ● agents update policy files from the hub
     ○ if the policy hub is unreachable => policy files are not updated
     ○ every 5 minutes
     ○ no other mechanism to tell agents what to do
26. Show me the code!

       bundle agent sshd_norootlogin
       {
         files:
           "/etc/ssh/sshd_config"
             edit_line => replace_or_add(".*PermitRootLogin.*", "PermitRootLogin no");
       }

27. Code
   ● covers many situations:
     ○ commented option
     ○ non-existent option
     ○ option set to a value other than "no"
   ● how to handle various environments?
     ○ using context
     ○ contexts are also known as classes, but the meaning is not the same as in OOP

28. Context
   ● conditionals to handle different environments or states
     ○ does a file exist? is a package installed? yes/no
     ○ is this system Debian, Ubuntu or Windows?
     ○ is this a system with a hostname matching web*?
   ● hard classes
     ○ discovered by CFEngine
     ○ hostname, IP addresses, interfaces...
   ● soft classes
     ○ classes defined during runtime

29. code++

       bundle agent sshd_norootlogin
       {
         vars:
           debian::
             "sshdconf" string => "/etc/ssh/sshd_config";
           !debian::
             "sshdconf" string => "/usr/local/etc/ssh/sshd_config";
         files:
           "$(sshdconf)"
             edit_line => replace_or_add(".*PermitRootLogin.*", "PermitRootLogin no");
       }
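The convergent behaviour that slides 6-15 (the "what if" cases the shell loop never handled), slide 27 (what replace_or_add covers) and slide 29 (choosing the path by class) describe, as an added example that is not code from the talk or from CFEngine itself: a Python model of a replace_or_add line edit over in-memory file contents, plus a hard-class lookup that picks the sshd_config path the way slide 29's vars section does. The sample configs, the discover_classes helper and the dict standing in for the filesystem are all constructed for this example; CFEngine's real promise outcomes and class discovery are richer than this model.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sshd_config contents covering the "what if" cases from the talk:
# already "no", commented out, set to another value, and option missing.
SAMPLE_ALREADY_NO = "Port 22\nPermitRootLogin no\n"
SAMPLE_COMMENTED = "Port 22\n#PermitRootLogin yes\n"
SAMPLE_OTHER_VALUE = "Port 22\nPermitRootLogin yes\nUsePAM yes\n"
SAMPLE_MISSING = "Port 22\nUsePAM yes\n"

PATTERN = r".*PermitRootLogin.*"      # the regex used on slides 26 and 29
WANTED = "PermitRootLogin no"


def replace_or_add(lines: List[str], pattern: str, replacement: str) -> Tuple[List[str], bool]:
    """Convergent line edit modelled on CFEngine's replace_or_add bundle.

    The first line fully matching `pattern` is rewritten to `replacement`,
    any further matches are dropped (duplicate definitions), and if nothing
    matches the replacement is appended once.  Because the pattern is
    ".*PermitRootLogin.*", a commented "#PermitRootLogin yes" line matches
    too and is rewritten rather than left behind.  Returns the new lines and
    whether anything changed; running it again on its own output changes
    nothing, which is what convergence means.
    """
    rx = re.compile(pattern)
    out: List[str] = []
    seen = False
    changed = False
    for line in lines:
        if rx.fullmatch(line):
            if seen:
                changed = True          # drop a duplicate definition
                continue
            seen = True
            changed = changed or line != replacement
            out.append(replacement)
        else:
            out.append(line)
    if not seen:
        out.append(replacement)
        changed = True
    return out, changed


def discover_classes(os_id: str, hostname: str) -> Set[str]:
    """Hard classes as the talk describes them: facts discovered about the host.

    Hypothetical helper: inputs are passed in so the example runs offline; a
    real agent would read /etc/os-release and the hostname itself.
    """
    classes = {os_id}
    if hostname.startswith("web"):
        classes.add("webserver")
    return classes


def sshd_conf_path(classes: Set[str]) -> str:
    """Mirror of slide 29's vars section: debian:: vs !debian::."""
    if "debian" in classes:
        return "/etc/ssh/sshd_config"
    return "/usr/local/etc/ssh/sshd_config"


def sshd_norootlogin(files: Dict[str, str], classes: Set[str]) -> Tuple[Dict[str, str], str]:
    """The sshd_norootlogin bundle run over an in-memory filesystem.

    `files` maps path -> content (constructed stand-in for the real disk).
    The status string follows CFEngine's promise outcomes: "kept" when the
    file already satisfies the promise, "repaired" when it was edited, and
    "skipped" when the config file is absent (sshd not installed: nothing to
    edit, a case the ad-hoc shell loop on slide 6 would have failed on).
    """
    path = sshd_conf_path(classes)
    if path not in files:
        return files, "skipped"
    new_lines, changed = replace_or_add(files[path].splitlines(), PATTERN, WANTED)
    new_files = dict(files)
    new_files[path] = "\n".join(new_lines) + "\n"
    return new_files, "repaired" if changed else "kept"


if __name__ == "__main__":
    # Run the same promise twice against each case: the second run is always "kept".
    for name, content in [("already no", SAMPLE_ALREADY_NO), ("commented", SAMPLE_COMMENTED),
                          ("other value", SAMPLE_OTHER_VALUE), ("missing", SAMPLE_MISSING)]:
        fs = {"/etc/ssh/sshd_config": content}
        fs, first = sshd_norootlogin(fs, discover_classes("debian", "web01"))
        _, second = sshd_norootlogin(fs, discover_classes("debian", "web01"))
        print(f"{name:12s} first run: {first:8s} second run: {second}")
    print("freebsd node:", sshd_norootlogin({}, discover_classes("freebsd", "db01"))[1])
```

The point to take from running it is the status of the second pass: every case converges to "kept", and the absent-file case reports "skipped" instead of creating a stray file or failing the whole loop, which is the difference between a promise and an appended echo.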
30. Who am I and why CFEngine
   ● sysadmin @ Websupport.sk
   ● the biggest webhosting provider in Slovakia
   ● tens of thousands of services (domains, VPS, hosting)
   ● we're going to move all of them to a new hardware infrastructure in a few months
   ● we chose CFEngine3 because of its features:

31. The features that work for us
   ● strong theoretical background
     ○ where will Puppet and Chef be when the hype ends?
   ● small CPU and memory overhead
   ● scalability
     ○ we may need to handle 1000-2000 virtual servers
   ● model based monitoring http://bit.ly/Vle8zc
     ○ CFEngine can be used as a monitoring tool or as an add-on to another monitoring tool
     ○ monitoring is self-learning => no need to set up anything
     ○ learns the state of the system for the past 7 days
     ○ if a metric value deviates from the learned baseline by more than the standard deviation => something unusual is happening
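The self-learning rule on slide 31 (a 7-day window and a standard-deviation threshold), as an added example that is not code from the talk or from CFEngine's cf-monitord: a small Python baseline that learns a sliding window of samples and flags a value that deviates from the learned mean by more than one standard deviation. The metric history is invented for this example and the window and warm-up sizes are assumptions; the real monitor is considerably more elaborate than this.

```python
import math
from collections import deque
from typing import Deque, Iterable, Tuple

# Constructed metric history: one sample per hour for 7 days (168 samples),
# e.g. SSH logins per hour, with a small repeating daily pattern.  Invented values.
CONSTRUCTED_HISTORY = [8, 10, 12, 10] * 42


def baseline(history: Iterable[float]) -> Tuple[float, float]:
    """Mean and population standard deviation of the learned history."""
    values = list(history)
    n = len(values)
    if n == 0:
        raise ValueError("nothing learned yet")
    mean = sum(values) / n
    variance = sum((x - mean) ** 2 for x in values) / n
    return mean, math.sqrt(variance)


def is_unusual(history: Iterable[float], value: float) -> bool:
    """The rule from the slide: flag a value that deviates from the learned
    mean by more than one standard deviation."""
    mean, sd = baseline(history)
    return abs(value - mean) > sd


class SelfLearningMonitor:
    """Keeps a sliding window of samples (assumed here: 7 days of hourly samples)
    so the baseline follows the system; no thresholds are configured by hand."""

    def __init__(self, window: int = 7 * 24, min_samples: int = 24) -> None:
        self.samples: Deque[float] = deque(maxlen=window)
        self.min_samples = min_samples

    def observe(self, value: float) -> bool:
        """Return True if `value` is unusual against what was learned so far,
        then learn it.  Until min_samples are collected nothing is flagged,
        because a near-empty baseline would flag almost everything."""
        unusual = len(self.samples) >= self.min_samples and is_unusual(self.samples, value)
        self.samples.append(value)
        return unusual


if __name__ == "__main__":
    mon = SelfLearningMonitor()
    for v in CONSTRUCTED_HISTORY:
        mon.observe(v)
    mean, sd = baseline(mon.samples)
    print(f"learned mean={mean:.2f} sd={sd:.2f}")
    for probe in (11, 13, 40):
        print(probe, "unusual" if mon.observe(probe) else "normal")
```

Note the trade-off the one-sigma rule carries: on a periodic signal like the constructed history, the normal peaks and troughs themselves sit more than one standard deviation from the mean, so a production monitor would use a wider band or a per-hour baseline to keep the alert rate down.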
32. Features that work for us
   ● knowledge maps
     ○ you may generate logical maps of subsystems from the code
   ● it is not written in Ruby :)
     ○ we have strong experience with C

33. Questions?
