Getting Started with CFEngine
Agenda
• Infrastructure Automation with CFEngine
• Theory Concepts
• Software Components
• Language Concepts
• Examples
• Q&A
Benefits of Infrastructure Automation

Productivity
• Global changes in minutes
• Unlimited scale and complexity
• Remove human bottlenecks

Costs
• Reduced need for labor
• Reduced costs related to instability/outages
• Reduced license costs

Security
• Billions of compliance checks per day
• Real-time compliance repairs
• Granular and pattern based
Architected for Speed, Security and Web Scale
1. Define Desired State
2. Ensure Defined State
3. Verify Actual State
[Diagram: Design Center, PolicyServer, CFDB, CFE Agents, Knowledge Center]
CFEngine – IT Automation at Web-Scale

History
• 1993: Open Source project
• 2001: CFEngine version 2
• 2004: Promise Theory
• 2009: CFEngine version 3
• 2014: CFEngine version 3.6

Technology Validation
• Infrastructure Automation, Continuous Delivery
• Distributed, Lean, Secure architecture
• IT Automation at Web-Scale (size, agility)
• Community (Open source), Enterprise edition

Market Validation
Customer Validation
• >10 million servers
• 10,000 companies
• 100 countries
• Tens of thousands of servers (individual customer deployments)
CFEngine Enterprise - Mission Portal GUI
PROMISES
Our Promise – Mashed Potatoes
The Way To Get There - CONVERGENCE
Basic Concepts
• Convergence
  • To Converge - To come from different directions to reach the same point (location, conclusion, etc.)
  • Desired state may not be reached on the first pass
  • Change can be incremental
  • 3 passes over the policy on each run, to accelerate convergence
• Declarative vs. Imperative
  • Declarative is descriptive
  • Imperative is sequential
• Promise Theory
  Voluntary cooperation between individual, autonomous actors or agents who publish their intentions to one another in the form of promises
  -- Mark Burgess
A Promise Is A Statement of Intention
Promiser | Promises to… | If not currently kept, CFEngine will
A variable… | …hold a certain value of a certain type | …store the appropriate value in the variable
A file | …have certain characteristics (permissions, ownership, etc.) | …set the desired properties on the file
A user account | …exist and have certain characteristics (home directory, group, etc.) | …create the user account with the desired characteristics
A process | …be running on the system | …run the appropriate command to create the process
Basic Concepts
• Promise States
  • Promise kept: ✔
  • Promise repaired: ✘ → ✔
  • Promise not kept: ✘ → ✘
SOFTWARE COMPONENTS
Basic Components
Server
Client

cf-serverd
cf-agent

cf-execd
cf-monitord
LANGUAGE COMPONENTS
Anatomy of a Promise
Promise Type (What?) / Context (When/Where?) / Promiser (Why?) / Attributes (How?)

packages:                                         # Promise Type
  solaris.tuesday::                               # Context
    "apache"                                      # Promiser
      comment         => "Front end webserver",   # Attributes
      package_policy  => "add",
      package_version => "2.0",
      package_method  => solaris;
Bundles & Bodies
• A bundle is a collection of promises
• For example, a bundle to configure Apache might:
  • Install the apache2 package
  • Edit the configuration file
  • Copy the web server content
  • Etc.
• A body is a collection of attributes that constrains the promise
  • Internal (in-line in the promise)
  • External (shareable with other promises)
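
The three promise states and the external, shareable body described above can be seen together in one policy. This is an added example, not part of the original slides; the body name outcome, the class prefix sshd_perms, the bundle name, and the choice of /etc/ssh/sshd_config with mode 600 are assumptions made for illustration.

```cf3
# Added example, not from the original slides.
body common control
{
  bundlesequence => { "sshd_config_perms" };
  inputs         => { "libraries/cfengine_stdlib.cf" };
}

# External body: any promise can attach it to record its own outcome.
# The name "outcome" and the class prefix are chosen for this example.
body classes outcome(prefix)
{
  promise_kept     => { "$(prefix)_kept" };      # already compliant
  promise_repaired => { "$(prefix)_repaired" };  # was wrong, now fixed
  repair_failed    => { "$(prefix)_not_kept" };  # tried and failed
  repair_denied    => { "$(prefix)_not_kept" };  # not permitted to fix
  repair_timeout   => { "$(prefix)_not_kept" };  # gave up waiting
}

bundle agent sshd_config_perms
{
  files:
    linux::                                      # Context: Linux hosts only
      "/etc/ssh/sshd_config"                     # Promiser
        handle  => "sshd_config_perms",
        comment => "Only root may read or modify the SSH daemon configuration",
        perms   => mog("600", "root", "root"),   # mode, owner, group (stdlib body)
        classes => outcome("sshd_perms");

  reports:
    sshd_perms_kept::
      "KEPT: /etc/ssh/sshd_config already had the promised permissions";

    sshd_perms_repaired::
      "REPAIRED: /etc/ssh/sshd_config permissions had drifted and were reset";

    sshd_perms_not_kept::
      "NOT KEPT: could not enforce permissions on /etc/ssh/sshd_config";
}
```

Run it the way the deck runs its own examples, with cf-agent -I -f followed by the path to the saved file. A REPAIRED report on a host where nobody should have touched the file is a drift event worth investigating.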
EXAMPLES
Example #1 – File Security
body common control
{
  bundlesequence => { "file_security" };
  inputs => { "libraries/cfengine_stdlib.cf" };
}

bundle agent file_security {
  files:
    # The names after "->" are the promisees: who depends on this promise
    "/etc/." -> { "SecurityPolicy513", "security@cfengine.com" }
      handle       => "etc_tripwire",
      comment      => "Bubble up possible security breaches",
      changes      => detect_all_change,
      depth_search => recurse("inf");
}
Example #2 - MOTD
body common control {
  bundlesequence => { "edit_motd" };
  inputs => { "libraries/cfengine_stdlib.cf" };
}

bundle agent edit_motd {
  vars:
    "motd" string => "/etc/motd";

  files:
    "$(motd)"
      create    => "true",
      edit_line => insert_lines("This system is managed by CFEngine 3"),
      handle    => "edit_motd",
      comment   => "Inform sysadmins this system is managed by CFEngine";
}
Example #3 – Install Packages
body common control {
  bundlesequence => { "packages" };
  inputs => { "libraries/cfengine_stdlib.cf" };
}

bundle agent packages {
  packages:
    "nano"
      handle         => "install_nano",
      comment        => "nano is John's favorite editor",
      package_policy => "add", # Ensure that a package is present
      package_method => apt;
}
Example #3 – Install Packages – Cont.
cf-demo# nano
bash: /usr/bin/nano: No such file or directory
cf-demo# cf-agent -f package_add.cf
cf-demo# nano -V
GNU nano version 2.2.6 (compiled 14:12:08, Oct 1 2012)
...
cf-demo#
Example #3 – Install Packages – Cont.
cf-demo#
bash: /usr/bin/nano: No such file or directory
cf-demo# cf-agent -I -f package_add.cf
Q:
apt-get update ...:Ign http://dl.google.com stable InRelease
...
Q:
apt-get update ...:Hit http://us.archive.ubuntu.com saucy-backports/universe Translation-en
Q:
apt-get update ...:Reading package lists...
Q:
apt-get update ...:
Q:apt-get --yes instal ...:Reading package lists...
Q:apt-get --yes instal ...:Building dependency tree...
Q:apt-get --yes instal ...:Reading state information...
Q:apt-get --yes instal ...:Suggested packages:
Q:apt-get --yes instal ...: spell
Q:apt-get --yes instal ...:The following NEW packages will be installed:
Q:apt-get --yes instal ...: nano
Q:apt-get --yes instal ...:0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Q:apt-get --yes instal ...:Need to get 0 B/194 kB of archives.
Q:apt-get --yes instal ...:After this operation, 614 kB of additional disk space will be used.
Q:apt-get --yes instal ...:Selecting previously unselected package nano.
Q:apt-get --yes instal ...:(Reading database ... 236090 files and directories currently installed.)
Q:apt-get --yes instal ...:Unpacking nano (from .../nano_2.2.6-1ubuntu1_amd64.deb) ...
Q:apt-get --yes instal ...:Processing triggers for doc-base ...
Q:apt-get --yes instal ...:Processing 2 added doc-base files...
Q:apt-get --yes instal ...:Processing triggers for install-info ...
Q:apt-get --yes instal ...:Processing triggers for man-db ...
Q:apt-get --yes instal ...:Setting up nano (2.2.6-1ubuntu1) ...
Q:apt-get --yes instal ...:update-alternatives: using /bin/nano to provide /usr/bin/editor (editor) in auto mode
Q:apt-get --yes instal ...:update-alternatives: using /bin/nano to provide /usr/bin/pico (pico) in auto mode
Q:apt-get --yes instal ...:
cf-demo# nano -V
GNU nano version 2.2.6 (compiled 14:12:08, Oct 1 2012)
...
cf-demo#
Q&A
Next Steps
• Learn more: check out our documentation
http://cfengine.com/docs/3.5/getting-started.html

• Read Learning CFEngine 3 by Diego Zamboni

• Join the conversation on our community help forum
http://groups.google.com/forum/?fromgroups&hl=en#!forum/help-cfengine

Getting started with CFEngine - Webinar


Editor's Notes

  • #2 Good morning/afternoon/evening depending on where you are, and welcome to our webinar “getting started with CFEngine”. My name is Adi Aloni and today I will be both a moderator and a presenter. With me also are Martin Simons and Aleksey Tsalolikhin from Vertical SysAdmin, both are very active members and great supporters of the CFEngine community. Vertical SysAdmin is partnering with CFEngine to do training and professional services and we’re glad to have them as our webinar co-hosts today.
  • #3 We hope that by the end of this webinar you will be able to write your first CFEngine policy. We will address as many of your questions as we can at the end of the session, please enter them in the chat window or the Q&A window in your webex event center, they are accessible by pulling the green tab on the top of your webex session. Also, we ARE recording this webinar and will send you a link to the recording together with some additional resources by tomorrow.
  • #4 If you’re here with us in this webinar today you are probably already bought into the idea of infrastructure automation and know that the benefits of IT automation come in the shape of improved productivity, improved efficiency, or reduced costs, and improved security. We discussed the business value of IT automation at length in our webinar “IT Automation with CFEngine”, we encourage you to watch the recording on our website if you haven’t had a chance to attend it.
  • #5 In its high level architecture, CFEngine helps you realize those benefits by maintaining a closed loop of definition and verification. The user will define the desired state and CFEngine will ensure this state is maintained and close the loop by verifying it and notifying the user. CFEngine can be installed on a wide range of platforms and operating systems, from Linux in its different distributions, through desktops and even mobile devices.
  • #6 CFEngine as a technology is out there for many years and makes for a mature and robust offering. It was completely re-architected in 2009 and is due for major enhancements with version 3.6 that will be released soon. It is used across different industry verticals and across companies small and big, among them LinkedIn and JP Morgan Chase.
  • #7 Most of this webinar applies to both CFEngine Enterprise and Community, but we wanted to briefly mention the unique capabilities of CFEngine enterprise – what you see now is a screenshot of the current version of mission portal, our self-service infrastructure management tool, where the user can manage and monitor the infrastructure using pre-written policies and reports. We see here the hosts grouped by production tier, this grouping can be customized as needed.
  • #8 Looking at design center within the mission portal, we see our sketches, which are pre-written policies that you can activate using parameters. The number of supported sketches is expected to grow significantly in the next few months. Sketches are a great way to implement policies without direct interaction with the CFEngine DSL.
  • #9 To give you a glimpse into enterprise version 3.6 that will be released in the coming months, here is the new and improved dashboard of the mission portal, with visuals that give you immediate insight into your infrastructure and its state. And with this I will hand it over to Martin, who will start, unexpectedly, in the CFEngine kitchen.
  • #13 Why this makes CFEngine better than other tools in the market? GPS analogy, or mashed potatoes analogy
  • #14 Why this makes CFEngine better than other tools in the market? GPS analogy, or mashed potatoes analogy
  • #16 Why this makes CFEngine better than other tools in the market? GPS analogy, or mashed potatoes analogy
  • #17 Why this makes CFEngine better than other tools in the market? GPS analogy, or mashed potatoes analogy
  • #19 cf-serverd – file transfers; cf-agent; cf-promises – syntax checker; cf-execd – runs cf-agent
  • #22 Promises must be contained in a bundle/body
  • #26 Mention using an editor with color highlighting. Comments are about WHY
  • #32 Tutorials: https://cfengine.com/docs/3.5/new-users.html https://github.com/bahamat/cf-primer/blob/master/slides.md Example policies: https://cfengine.com/docs/3.5/examples-policy.html