CFEngine is the oldest tool for configuration management that inspired Puppet & Chef. Features like model-based monitoring, promise theory and knowledge management support makes it an reasonable alternative for IT system automatization.

1. Configuration management
Why? What? How?

2. Why?
● example:
○ imagine that we want to prevent root
logins on 100 nodes

3. Why?
● example:
○ imagine that we want to prevent root
logins on 100 nodes
○ we want to set PermitRootLogin option
in sshd_config to "no"

4. Why?
● example:
○ imagine that we want to prevent root
logins on 100 nodes
○ we want to set PermitRootLogin option
in sshd_config to "no"
○ we have to execute this command on
every node:
echo "PermitRootLogin no" >>
/etc/ssh/sshd_config

5. for node in node{1..100};do ssh
root@$node "echo "PermitRootLogin
no" >> /etc/ssh/sshd_config"
;done
● bug: string will be appended
every time we run this for cycle
○ no problem, we gonna fix it

6. for node in node{1..100};do ssh
root@$node "(grep -iq
'PermitRootLogin'
/etc/ssh/sshd_config || echo "
PermitRootLogin no" >>
/etc/ssh/sshd_config) && sed -i
's/^.*PermitRootLogin.
*$/PermitRootLogin no/;'
/etc/sshd_config"
;done
● it's complicated, i'll put it
into script

7. What if?
● option is already set to "no"

8. What if?
● option is already set to "no"
● option is commented out

9. What if?
● option is already set to "no"
● option is commented out
● sshd_config does not exist on
specified path

10. What if?
● option is already set to "no"
● option is commented out
● sshd_config does not exist on
specified path
● sshd is not installed at all

11. What if?
● option is already set to "no"
● option is commented out
● sshd_config does not exist on
specified path
● sshd is not installed at all
● operation fails on node 2,4,9,31
and 83 (wrong permissions?)

12. What if?
● option is already set to "no"
● option is commented out
● sshd_config does not exist on
specified path
● sshd is not installed at all
● operation fails on node 2,4,9,31
and 83 (wrong permissions?)
● node 70 and 71 is openindiana

13. What if?
● option is already set to "no"
● option is commented out
● sshd_config does not exist on
specified path
● sshd is not installed at all
● operation fails on node 2,4,9,31
and 83 (wrong permissions?)
● node 70 and 71 is openindiana
● sshd fails to restart on node
19,21

14. What if?
● option is already set to "no"
● option is commented out
● sshd_config does not exist on
specified path
● sshd is not installed at all
● operation fails on node 2,4,9,31
and 83 (wrong permissions?)
● node 70 and 71 is openindiana
● sshd fails to restart on node
19,21
● node 13 is in maintenance

15. Script
● would be too complicated
○ different operation systems and flavors
○ handling all situations
● can't handle offline nodes
● hard to maintain
● hard to use
● human error is inevitable
complex processeses or orchestration through
the for cycle is
NO GO

16. What is configuration management
good for ?
● can handle a lot of details
● handling deviation from defined configuration
○ accidentally removed packages,files,configuration by
hand...
○ would return system to original state
● infrastructure configuration as a code
○ code is repeatable
○ using VCS (git,svn,hg,...) you may create
environment for change management
● change deployment
○ in controled manner
● automatic server deployment
○ new server is deployed using existing code

17. "I don't need to use it"
● do it, you won't regret it
○ even on your computer alone
○ or with few servers

18. How?
● there are a lot of tools available:
○ Puppet
○ Chef
○ Bcfg2
○ CFEngine3
○ Salt
○ Ansible
○ ...and others
● choose the right tool for your needs

19. CFEngine 3
Tomas Corej
@tomas_corej

20. History of CM tools
src: http://bit.ly/acuidi

21. CFEngine
● developed in 1993 by @markburgess_osl
○ also created whole field
● CFEngine 1
○ domain-specific language
● CFEngine 2 (1998)
○ idea of convergence
■ tool discover state of system
● CFEngine 3 (2009)
○ complete rewrite
○ based on Promise Theory developed by Mark
Burgess

22. CFEngine 3
● written in C
● strong theoretical background
○ it should be same for years
● cross platform
○ Linux,*BSD,Solaris,Windows....
○ from Rasberry Pi to big IT deployments (Facebook)
● small footprint
○ small cpu usage - http://bit.ly/QJcrg8
● very scalable
○ can handle hundreds of thousands servers
○ policy hierarchy
● zero reported vulnerabilities

23. CFEngine 3 design principles
● desired-state configuration
○ declarative policy language
○ you only specify your desired final state of system
○ CFEngine will handle everything else automatically
○ but if operation is not native, you have to tell
CFEngine "how"
● promise theory
○ models behaviour of agents in an environment
without central authority
○ voluntary cooperation
● convergent configuration
○ you don't need know current state of system
○ convergence in incremental steps

24. Architecture
src: cfengine.com

25. Architecture
● no clear distinction between agent (client)
and policy hub (server)
● every agent can be policy hub for another
set of agents
● agents updates policy files from hub
○ if policy hub is unreachable => policy files are not
updated
○ every 5 minutes
○ no other mechanism to tell agents what to do

26. Show me the code!
bundle agent sshd_norootlogin
{
files:
"/etc/ssh/sshd_config"
edit_line =>
replace_or_add(".*PermitRootLogin.*",
"PermitRootLogin no");
}

27. Code
● covers many situations:
○ commented option
○ non-exist option
○ option set to other value than "no"
● how to handle various environments ?
○ using context
○ they're known also as the classes but their meaning
is not the same as in OOP

28. Context
● as a conditionals to handle different
environments or state
○ does a file exist ? is pkg installed ? yes/no
○ is this system debian,ubuntu or windows?
○ is this system with hostname matching web* ?
● hard classes
○ discovered by cfengine
○ hostname, ip addresses, interfaces...
● soft classes
○ classes defined during runtime

29. code++
bundle agent sshd_norootlogin
{
vars:
debian::
"sshdconf" string => "/etc/ssh/sshd_config";
!debian::
"sshdconf" string => "/usr/local/etc/ssh/sshd_config";
files:
"$(sshdconf)"
edit_line =>
replace_or_add(".*PermitRootLogin.*",
"PermitRootLogin no");
}

30. Who am I and why CFEngine
● sysadmin @ Websupport.sk
● the biggest webhosting provider in Slovakia
● tens thousands of services (domains,vps,
hostings)
● we're going to move all of them to new
hardware infrastructure in few months
● we choosed CFEngine3 because of it
features:

31. The features that works for us
● strong theoretical background
○ where will be Puppet and Chef when hype ends ?
● small CPU and memory overhead
● scalability
○ we may need to handle 1000-2000 virtual servers
● model based monitoring http://bit.ly/Vle8zc
○ CFEngine can be used as a monitoring tool or as a
addon to other monitoring tool
○ monitoring is self-learning => no need to setup
anything
○ learns state of system for past 7 days
○ if metric value is larger than standard deviation =>
something unusual is happening

32. Features that works for us
● knowledge maps
○ you may generate logical maps of subsystems from
code
● is not written in ruby :)
○ we have strong experience with C

33. Questions ?