getting started with cfengine - webinar
DESCRIPTION
Learn how to avoid downtime by tracking system drifts, how to increase the robustness and security of your system, and make sure you adhere to compliance standards using CFEngine. This slide deck accompanied our "Getting Started with CFEngine" webinar, where we covered how to achieve all those benefits using CFEngine policies, promises, and sketches. Use the examples in these slides to start your own CFEngine implementation. A recording of the webinar can be found at http://www.youtube.com/watch?v=riMkdQKBI0M&feature=share&list=UUAiKge7NwhuWi-KNKt3U4HATRANSCRIPT
Getting Startedwith CFEngine
Agenda
• Infrastructure Automation with CFEngine• Theory Concepts• Software Components• Language Concepts• Examples• Q&A
Productivity
Costs
Security
• Global changes in minutes• Unlimited scale and complexity• Remove human bottlenecks
• Reduced need for labor• Reduced costs related to instability/outages• Reduced license costs
• Billions of compliance checks per day• Real-time compliance repairs• Granular and pattern based
Benefits of Infrastructure Automation
Architected for Speed, Security and Web Scale
1. Define Desired State
2. Ensure Defined State
CFDB
3. Verify Actual State
Policy-ServerDesign Center
Knowledge Center
CFE Agents
History• 1993: Open Source project• 2001: CFEngine version 2• 2004: Promise Theory• 2009: CFEngine version 3• 2014: CFEngine version 3.6
Customer Validation
Technology Validation• Infrastructure Automation, Continuous
Delivery• Distributed, Lean, Secure architecture• IT Automation at Web-Scale (size, agility)• Community (Open source), Enterprise edition
Market Validation• >10 million servers• 10,000 companies• 100 countries• Tens of thousands of servers (individual
customer deployments)
CFEngine – IT Automation at Web-Scale
CFEngine Enterprise - Mission Portal GUI
- Proprietary and Confidential -
PROMISES
Our Promise – Mashed Potatoes
The Way To Get There - CONVERGENCE
OR
Basic Concepts
• Convergence• To Converge - To come from different directions to
reach the same point (location, conclusion, etc.)
• Desired state may not be reached on the first pass
• Change can be incremental
• 3 passes over the policy on each run, to accelerate
convergence
• Declarative vs. Imperative• Declarative is descriptive
• Imperative is sequential
• Promise TheoryVoluntary cooperation between individual, autonomous
actors or agents who publish their intentions to one
another in the form of promises
--
Mark Burgess
A Promise Is A Statement of Intention
Promiser Promises to… If not currently kept, CFEngine will
A variable… …hold a certain value of a certain type
…store the appropriate value in the variable
A file …have certain characteristics (permissions, ownership, etc.)
…set the desired properties on the file
A user account …exist and have certain characteristics (home directory, group, etc.)
…create the user account with the desired characteristics
A process …be running on the system
…run the appropriate command to create the process
Basic Concepts
• Promise States
• Promise kept ✔
• Promise repaired ✘ → ✔
• Promise not kept ✘ → ✘
SOFTWARE COMPONENTS
Basic Components
Server
cf-serverdClient
cf-agent
cf-execd
cf-monitord
LANGUAGE COMPONENTS
Anatomy of a Promise
Promise TypeWhat?
ContextWhen/Where?
Promiser
Why?
AttributesHow?
Packages:
solaris.tuesday::
“apache”
comment => “Front end webserver”,
package_policy => “add”,package_version => “2.0”,package_method => solaris;
Bundles & Bodies
• A bundle is a collection of promises• For example, a bundle to configure Apache might:
• Install the apache2 package• Edit the configuration file• Copy the web server content• Etc.
• A body is a collection of attributes that constrains the promise• Internal (in-line in the promise)• External (shareable with other promises)
EXAMPLES
Example #1 – File Securitybody common control{ bundlesequence => { "file_security" };
inputs => { "libraries/cfengine_stdlib.cf" };
}
bundle agent file_security {
files:
"/etc/.” -> { “SecurityPolicy513”, “[email protected]” }
handle => "etc_tripwire", comment => ”Bubble up possible security breaches", changes => detect_all_change, depth_search => recurse("inf");}
Example #2 - MOTD
body common control { bundlesequence => { "edit_motd" }; inputs => { "libraries/cfengine_stdlib.cf" };}
bundle agent edit_motd { vars: "motd" string => "/etc/motd";
files: "$(motd)" create => "true", edit_line => insert_lines("This system is managed by CFEngine 3"), handle => "edit_motd", comment => "Inform sysadmins this system is managed by CFEngine";}
Example #3 – Install Packagesbody common control {
bundlesequence => { "packages" }; inputs => { "libraries/cfengine_stdlib.cf" };}
bundle agent packages {
packages:
"nano"
handle => "install_nano", comment => "nano is John's favorite editor", package_policy => "add", # Ensure that a package is present package_method => apt;}
cf-demo# nano bash: /usr/bin/nano: No such file or directorycf-demo# cf-agent -f package_add.cfcf-demo# nano -V GNU nano version 2.2.6 (compiled 14:12:08, Oct 1 2012)...cf-demo#
Example #3 – Install Packages – Cont.
cf-demo#bash: /usr/bin/nano: No such file or directorycf-demo# cf-agent -I -f package_add.cfQ: apt-get update ...:Ign http://dl.google.com stable InRelease...Q: apt-get update ...:Hit http://us.archive.ubuntu.com saucy-backports/universe Translation-enQ: apt-get update ...:Reading package lists...Q: apt-get update ...:Q:apt-get --yes instal ...:Reading package lists...Q:apt-get --yes instal ...:Building dependency tree...Q:apt-get --yes instal ...:Reading state information...Q:apt-get --yes instal ...:Suggested packages:Q:apt-get --yes instal ...: spellQ:apt-get --yes instal ...:The following NEW packages will be installed:Q:apt-get --yes instal ...: nanoQ:apt-get --yes instal ...:0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.Q:apt-get --yes instal ...:Need to get 0 B/194 kB of archives.Q:apt-get --yes instal ...:After this operation, 614 kB of additional disk space will be used.Q:apt-get --yes instal ...:Selecting previously unselected package nano.Q:apt-get --yes instal ...:(Reading database ... 236090 files and directories currently installed.)Q:apt-get --yes instal ...:Unpacking nano (from .../nano_2.2.6-1ubuntu1_amd64.deb) ...Q:apt-get --yes instal ...:Processing triggers for doc-base ...Q:apt-get --yes instal ...:Processing 2 added doc-base files...Q:apt-get --yes instal ...:Processing triggers for install-info ...Q:apt-get --yes instal ...:Processing triggers for man-db ...Q:apt-get --yes instal ...:Setting up nano (2.2.6-1ubuntu1) ...Q:apt-get --yes instal ...:update-alternatives: using /bin/nano to provide /usr/bin/editor (editor) in auto modeQ:apt-get --yes instal ...:update-alternatives: using /bin/nano to provide /usr/bin/pico (pico) in auto modeQ:apt-get --yes instal ...:cf-demo# nano -V GNU nano version 2.2.6 (compiled 14:12:08, Oct 1 2012)...cf-demo#
Example #3 – Install Packages – Cont.
Q & A
• Join the conversation on our community help forumhttp://groups.google.com/forum/?fromgroups&hl=en#!forum/help-cfengine
Next Steps
• Learn More check out our documentationhttp://cfengine.com/docs/3.5/getting-started.html
• Read Learning CFEngine 3 by Diego Zamboni