Tomáš Čorej: Configuration management & CFEngine3

CFEngine is the oldest configuration management tool and inspired Puppet & Chef. Features like model-based monitoring, promise theory and knowledge-management support make it a reasonable alternative for IT system automation.

Published in: Technology
Tomáš Čorej: Configuration management & CFEngine3

  1. 1. Configuration management: Why? What? How?
  2. 2-4. Why?
     ● example:
       ○ imagine that we want to prevent root logins on 100 nodes
       ○ we want to set the PermitRootLogin option in sshd_config to "no"
       ○ we have to execute this command on every node:
           echo "PermitRootLogin no" >> /etc/ssh/sshd_config
  5. 5. for node in node{1..100}; do ssh root@$node 'echo "PermitRootLogin no" >> /etc/ssh/sshd_config'; done
     ● bug: the string will be appended every time we run this for cycle
       ○ no problem, we'll fix it
  6. 6. for node in node{1..100}; do ssh root@$node '(grep -iq PermitRootLogin /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config) && sed -i "s/^.*PermitRootLogin.*$/PermitRootLogin no/" /etc/ssh/sshd_config'; done
     ● it's complicated, I'll put it into a script
  7. 7-14. What if?
     ● option is already set to "no"
     ● option is commented out
     ● sshd_config does not exist on the specified path
     ● sshd is not installed at all
     ● operation fails on nodes 2, 4, 9, 31 and 83 (wrong permissions?)
     ● nodes 70 and 71 are OpenIndiana
     ● sshd fails to restart on nodes 19, 21
     ● node 13 is in maintenance
  15. 15. Script
     ● would be too complicated
       ○ different operating systems and flavors
       ○ handling all situations
     ● can't handle offline nodes
     ● hard to maintain
     ● hard to use
     ● human error is inevitable
     complex processes or orchestration through the for cycle is a NO GO
  16. 16. What is configuration management good for?
     ● can handle a lot of details
     ● handling deviation from the defined configuration
       ○ accidentally removed packages, files, configuration by hand...
       ○ would return the system to its original state
     ● infrastructure configuration as code
       ○ code is repeatable
       ○ using a VCS (git, svn, hg, ...) you may create an environment for change management
     ● change deployment
       ○ in a controlled manner
     ● automatic server deployment
       ○ a new server is deployed using existing code
  17. 17. "I don't need to use it"
     ● do it, you won't regret it
       ○ even on your computer alone
       ○ or with a few servers
  18. 18. How?
     ● there are a lot of tools available:
       ○ Puppet
       ○ Chef
       ○ Bcfg2
       ○ CFEngine3
       ○ Salt
       ○ Ansible
       ○ ...and others
     ● choose the right tool for your needs
  19. 19. CFEngine 3
     Tomas Corej, @tomas_corej
  20. 20. History of CM tools
     src: http://bit.ly/acuidi
  21. 21. CFEngine
     ● developed in 1993 by @markburgess_osl
       ○ also created the whole field
     ● CFEngine 1
       ○ domain-specific language
     ● CFEngine 2 (1998)
       ○ idea of convergence
         ■ the tool discovers the state of the system
     ● CFEngine 3 (2009)
       ○ complete rewrite
       ○ based on Promise Theory developed by Mark Burgess
  22. 22. CFEngine 3
     ● written in C
     ● strong theoretical background
       ○ it should stay the same for years
     ● cross platform
       ○ Linux, *BSD, Solaris, Windows....
       ○ from Raspberry Pi to big IT deployments (Facebook)
     ● small footprint
       ○ small CPU usage - http://bit.ly/QJcrg8
     ● very scalable
       ○ can handle hundreds of thousands of servers
       ○ policy hierarchy
     ● zero reported vulnerabilities
  23. 23. CFEngine 3 design principles
     ● desired-state configuration
       ○ declarative policy language
       ○ you only specify your desired final state of the system
       ○ CFEngine will handle everything else automatically
       ○ but if the operation is not native, you have to tell CFEngine "how"
     ● promise theory
       ○ models the behaviour of agents in an environment without central authority
       ○ voluntary cooperation
     ● convergent configuration
       ○ you don't need to know the current state of the system
       ○ convergence in incremental steps
  24. 24. Architecture
     src: cfengine.com
  25. 25. Architecture
     ● no clear distinction between agent (client) and policy hub (server)
     ● every agent can be a policy hub for another set of agents
     ● agents update policy files from the hub
       ○ if the policy hub is unreachable => policy files are not updated
       ○ every 5 minutes
       ○ no other mechanism to tell agents what to do
  26. 26. Show me the code!
        # replace_or_add is an edit_line bundle from the CFEngine standard library:
        # replace every line matching the pattern, or add the line if none matches
        bundle agent sshd_norootlogin
        {
          files:
            "/etc/ssh/sshd_config"
              edit_line => replace_or_add(".*PermitRootLogin.*", "PermitRootLogin no");
        }
  27. 27. Code
     ● covers many situations:
       ○ commented option
       ○ non-existent option
       ○ option set to a value other than "no"
     ● how to handle various environments?
       ○ using context
       ○ they're also known as classes, but their meaning is not the same as in OOP
  28. 28. Context
     ● as conditionals to handle different environments or state
       ○ does a file exist? is a pkg installed? yes/no
       ○ is this system debian, ubuntu or windows?
       ○ is this a system with hostname matching web*?
     ● hard classes
       ○ discovered by cfengine
       ○ hostname, ip addresses, interfaces...
     ● soft classes
       ○ classes defined during runtime
  29. 29. code++
        bundle agent sshd_norootlogin
        {
          vars:
            # the hard class "debian" selects the config path; the promise itself is unchanged
            debian::
              "sshdconf" string => "/etc/ssh/sshd_config";
            !debian::
              "sshdconf" string => "/usr/local/etc/ssh/sshd_config";

          files:
            "$(sshdconf)"
              edit_line => replace_or_add(".*PermitRootLogin.*", "PermitRootLogin no");
        }
  30. 30. Who am I and why CFEngine
     ● sysadmin @ Websupport.sk
     ● the biggest webhosting provider in Slovakia
     ● tens of thousands of services (domains, vps, hostings)
     ● we're going to move all of them to a new hardware infrastructure in a few months
     ● we chose CFEngine3 because of its features:
  31. 31. The features that work for us
     ● strong theoretical background
       ○ where will Puppet and Chef be when the hype ends?
     ● small CPU and memory overhead
     ● scalability
       ○ we may need to handle 1000-2000 virtual servers
     ● model-based monitoring http://bit.ly/Vle8zc
       ○ CFEngine can be used as a monitoring tool or as an addon to another monitoring tool
       ○ monitoring is self-learning => no need to set up anything
       ○ learns the state of the system for the past 7 days
       ○ if a metric value is larger than the standard deviation => something unusual is happening
  32. 32. Features that work for us
     ● knowledge maps
       ○ you may generate logical maps of subsystems from code
     ● is not written in ruby :)
       ○ we have strong experience with C
  33. 33. Questions?
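The convergent edit that slides 26-27 express with replace_or_add, written out as a POSIX shell function so the "what if" cases behind the for loop on slides 5-14 are visible (option commented out, absent, set to another value, already "no", file missing); this is an added example, not code from the presentation or from CFEngine. It assumes awk, cmp and mktemp are available, and the sample sshd_config is constructed inline.

```shell
#!/bin/sh
# Added example, not from the slides: a convergent shell equivalent of the
# CFEngine promise  edit_line => replace_or_add(".*PermitRootLogin.*", "PermitRootLogin no")
set -u

# ensure_line FILE REGEX LINE
# Replace the first line matching REGEX with LINE in place, drop any further
# matches, or append LINE if nothing matches. Rewrites the file only when its
# content would change. Returns 1 if FILE is missing (sshd not installed?).
ensure_line() {
    file=$1; pattern=$2; line=$3
    [ -f "$file" ] || { echo "skip: $file does not exist" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v pat="$pattern" -v want="$line" '
        $0 ~ pat { if (!done) { print want; done = 1 }; next }  # replace first match, drop the rest
        { print }
        END { if (!done) print want }                           # no match at all: append
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$tmp" "$file"; then
        rm -f "$tmp"; return 0         # already converged: leave the file untouched
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the original inode, owner and mode
}

# converge_sample: apply the promise twice to a constructed sshd_config and print
# the result; prints "not idempotent" if the second run changed anything.
converge_sample() {
    f=$(mktemp) || return 1
    # constructed sample: the option is both commented out and set to "yes"
    printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PermitRootLogin yes' 'UsePAM yes' > "$f"
    ensure_line "$f" '.*PermitRootLogin.*' 'PermitRootLogin no'
    first=$(cat "$f")
    ensure_line "$f" '.*PermitRootLogin.*' 'PermitRootLogin no'
    if [ "$first" = "$(cat "$f")" ]; then cat "$f"; else echo "not idempotent"; fi
    rm -f "$f"
}

converge_sample
```

Unlike the loop on slide 5, a second run leaves the file untouched, and a missing sshd_config is reported rather than created; the remaining cases on slides 7-14 (offline nodes, other operating systems, failed restarts) are exactly what the script still does not handle.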
