Everything began 4 years ago: CFEngine 3 had just been released, and documentation and expertise were in short supply. We had to accept the reality of a steep learning curve.
As CFEngine grew, so did we. We discovered bugs, submitted pull requests, designed workarounds for various pitfalls, gained in productivity (thanks to the knowledge and experience acquired working with CFEngine 3) and evaluated the design choices available to us. This journey led us to become one of the most advanced CFEngine users in Europe.
I'll recount our journey, share insights on solution architecture with CFEngine and show examples of what we had to overcome and how we achieved that using less well-known features of CFEngine. Our examples will cover advanced use of CFEngine 3 code. Finally, I will present our retrospective: what we did right, what we did wrong, and where we have got to thus far in our journey.
1. CFEngine, 4 years later
A song of code and configuration
Matthieu CERDA
Normation – CC-BY-SA
normation.com
2. Who are you?
Name: Matthieu CERDA
Email: matthieu.cerda@normation.com
Web site: http://www.normation.com
Twitter: @Kegeruneku
Job: System engineer at Normation
CFEngine: Enthusiast, power user and trainer
Rudder: Integrator, packager
Infrastructure: Team member
3. What are we going to talk about
CFEngine 3
● How we began with it, what we gained from it
● “Funky” use cases
● The future
4. Why CFEngine?
http://www.cfengine.com | http://www.github.com/cfengine
● Few dependencies (LMDB, OpenSSL, [PCRE])
● Small memory footprint
● Highly compatible
● Working “close to the OS” (can be seen as a flaw by some people)
5. CFEngine 3: 20 % cooler!
● Created in 2009
● Complete rewrite from CF2
● Promise theory
● Based on what has been learnt from Puppet and CF2
● Alive and kicking!
7. A long path till today!
● Learnt to use CFEngine properly
● Acquired knowledge about best practices, worked with great people
● Helped to build Rudder from the ground up
● Began working on ncf with Normation's team
● Became a trainer :)
8. The beginning
● Back to 2009!!!
● Sparse documentation
● Inexperience
● Advice: start small, to manage a few machines
9. Funky example 1: Rug
● Rug was the SLES 10 default package manager (now it is Zypper)
● Problem? Rug relies on a Mono backend (ZMD) that hangs if you stress it too much or call it repeatedly...
● Needed a way to make an exclusion for this specific kind of machine!
10. 2 – ALWAYS modularize when you can
● Example: Package installation definition
11. 2 – ALWAYS modularize when you can
● Example: … and the “utility” bundle that goes with it!
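The two slides above (the package installation definition and its utility bundle) were screenshots that did not survive extraction, and slide 9 explained why rug/ZMD hosts must be kept out of package promises. The policy below is an added example written for this page, not Normation's or the speaker's code: it splits the "what" (a definition bundle) from the "how" (a utility bundle) and excludes hosts where /usr/bin/rug exists. The package list, the rug test, the class names and the reliance on the 3.5 standard library's generic package_method body are assumptions.

```cfengine3
# Added example, not a slide from the talk: a package installation split into
# a "definition" bundle (what each host should have) and a "utility" bundle
# (how it gets installed), with SLES 10 / rug hosts excluded by a class.
# The package list, the /usr/bin/rug test and the class names are constructed.

body common control
{
      bundlesequence => { "packages_definition" };
      inputs         => { "cfengine_stdlib.cf" };   # assumption: the 3.5 standard library is available
}

bundle agent packages_definition
{
  vars:
      "base_packages" slist => { "vim", "htop", "rsync" };   # constructed list

  classes:
      # Assumption: the rug binary marks a SLES 10 host whose ZMD backend hangs
      # under repeated calls, so these hosts get no package promises at all.
      "rug_based" expression => fileexists("/usr/bin/rug");

  methods:
    !rug_based::
      "base" usebundle => utility_install_packages(@(packages_definition.base_packages));

  reports:
    rug_based::
      "$(sys.fqhost): rug/ZMD host, package promises deliberately skipped";
}

# Utility bundle: knows nothing about which packages, only how to install a
# list it is handed and how to report on the outcome.
bundle agent utility_install_packages(pkgs)
{
  packages:
      "$(pkgs)"
        package_policy => "add",
        package_method => generic,   # stdlib body: selects apt/yum/zypper from OS classes
        classes        => install_outcome("base_packages");

  reports:
    base_packages_repaired::
      "At least one package from the list was installed on this run";
    base_packages_failed::
      "Package installation failed on $(sys.fqhost), check the package manager";
}

body classes install_outcome(x)
{
      promise_repaired => { "$(x)_repaired" };
      repair_failed    => { "$(x)_failed" };
}
```

The definition bundle is the only place that changes when a new package or a new exclusion is needed; the utility bundle can be reused by every other definition bundle in the policy, which is the modularization the slides argue for.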
12. A word about promises layout
● Everything begins with a bootstrap: cf-agent -B <my ip address>
● Never do everything in one file, always split your promises using a hierarchical order
● Always separate utilities, zones and services
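As an added illustration of the layout rule above (this is example code written for this page, not the speaker's actual policy tree), the following shows a promises.cf that is nothing more than an index, with zones reduced to class definitions and each service in its own file. The file names, the zone naming rule (hostname prefix) and the NTP server values are assumptions.

```cfengine3
# Added example, not a slide from the talk: promises.cf stays a thin index,
# zones only define classes, and each service lives in its own file.
# File names, the hostname-prefix zone rule and the NTP servers are constructed.
# The host was bootstrapped once with: cf-agent -B <policy server ip>

# ---- promises.cf -----------------------------------------------------
body common control
{
      inputs => {
                  "cfengine_stdlib.cf",     # assumption: the standard library is shipped
                  "utilities/bodies.cf",    # reusable bodies (backup, classes, perms, ...)
                  "zones/zones.cf",         # prod / dev classification, nothing else
                  "services/ntp.cf",        # one file per service
                  "services/ssh.cf",
                };
      bundlesequence => { "zones", "ntp", "ssh" };
}

# ---- zones/zones.cf --------------------------------------------------
# Classes only; no service logic lives here.
bundle common zones
{
  classes:
      "zone_prod"    expression => regcmp("^prod-.*", "$(sys.uqhost)");
      "zone_dev"     expression => regcmp("^dev-.*",  "$(sys.uqhost)");
      "zone_unknown" not        => "zone_prod|zone_dev";
}

# ---- services/ntp.cf -------------------------------------------------
# One service, parameterised by zone: prod hosts use the internal server,
# everything else the public pool (constructed values).
bundle agent ntp
{
  vars:
    zone_prod::
      "server" string => "ntp.internal.example";
    !zone_prod::
      "server" string => "pool.ntp.org";

  files:
      "/etc/ntp.conf"
        create    => "true",
        edit_line => set_ntp_server("$(server)");

  reports:
    zone_unknown::
      "$(sys.uqhost) matches no zone, it received the default NTP server";
}

# ---- utilities/bodies.cf ---------------------------------------------
# Remove any "server" line that is not ours, then make sure ours is present.
# The negative lookahead keeps the promise idempotent: a correct line is kept.
bundle edit_line set_ntp_server(s)
{
  delete_lines:
      "server (?!$(s) ).*";
  insert_lines:
      "server $(s) iburst";
}
```

Because zones only produce classes, a host moving from dev to prod changes behaviour in every service file at once without a single service file being touched; that separation is what makes the hierarchy cheap to maintain.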
13. 3 – Reporting is important
● Example: when something bad happens, you'll be happy to see where the problem is (without having to go for the debug output)!
● You need a “verbose” mode.
● As always: modularization is important! Static and redundant reports are a good way to make your code fat and unreadable in the long term.
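The screenshots for slides 14 and 15 are missing, so here is an added example (written for this page, not taken from the talk) of what the reporting pattern above looks like in policy: promises set outcome classes, one utility bundle turns those classes into reports, and a single class named verbose, defined on the command line with cf-agent -D verbose, switches the chatty "kept" lines on. The managed paths, the mode and the class names are constructed.

```cfengine3
# Added example, not a slide from the talk: one utility bundle reports on the
# outcome of any promise, using classes the promise itself sets, and only the
# "verbose" class (cf-agent -D verbose) enables the noisy "kept" line.
# The managed paths and the file mode are constructed.

bundle agent motd_files
{
  vars:
      "managed"           slist  => { "/etc/motd", "/etc/issue" };
      "canon[$(managed)]" string => canonify("$(managed)");   # class-safe name per path

  files:
      "$(managed)"
        create  => "true",
        perms   => mode("0644"),
        classes => outcome("$(canon[$(managed)])");

  methods:
      "report" usebundle => report_outcome("$(managed)", "$(canon[$(managed)])");
}

# Utility bundle: these three lines serve every promise that uses
# body classes outcome, instead of a hand-written report after each one.
bundle agent report_outcome(path, c)
{
  reports:
    verbose::
      "$(path): kept"     ifvarclass => "$(c)_kept";
    any::
      "$(path): repaired" ifvarclass => "$(c)_repaired";
      "$(path): FAILED, see the files promise" ifvarclass => "$(c)_failed";
}

body classes outcome(c)
{
      promise_kept     => { "$(c)_kept" };
      promise_repaired => { "$(c)_repaired" };
      repair_failed    => { "$(c)_failed" };
}

body perms mode(m)
{
      mode => "$(m)";
}
```

A normal run prints nothing while everything is kept, a repair or a failure prints exactly one line naming the file, and the report text itself is written once rather than copied next to every promise.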
14. 3 – Reporting is important
15. 3 – Reporting is important
16. Funky example 2: Internal database bloat
● CFEngine uses a database to store internal state values (BerkeleyDB for < 3.3, TokyoCabinet for 3.3 to 3.5 and LMDB for 3.6+)
● BDB / TokyoCabinet do bloat when using reporting with highly volatile values (reporting a date every time, with seconds) => https://cfengine.com/dev/issues/2560
● Result:
17. Funky example 2: Internal database bloat
Solutions:
● Stop reporting all the time (only report relevant changes)
● Mount the “state” directory on a RAMdisk: http://blog.normation.com/en/2013/09/09/speed-up-your-cfengine-by-using-a-ram-disk (bonus effect: up to 2/3 times faster during I/O on databases)
● Destroy the databases regularly (every month or week)
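The second and third solutions above can be made into policy rather than a manual step. The bundle below is an added example for this page (not the policy from the linked blog post): it puts the state directory on a tmpfs, persists the mount in /etc/fstab, and purges the TokyoCabinet databases once a month. The tmpfs size, the purge schedule, the /bin/mountpoint path and the .tcdb extension (the TokyoCabinet era, CFEngine 3.3 to 3.5) are assumptions.

```cfengine3
# Added example, not a slide from the talk: keep $(sys.workdir)/state on a
# tmpfs so database bloat only costs RAM and disappears on reboot, and drop
# the TokyoCabinet databases once a month. The tmpfs size, the purge schedule,
# the mountpoint(1) path and the .tcdb extension are assumptions.

bundle agent cfengine_state_on_ramdisk
{
  vars:
      "state" string => "$(sys.workdir)/state";
      "entry" string => "tmpfs $(state) tmpfs defaults,size=64m 0 0";   # constructed size

  classes:
      # mountpoint(1) exits 0 when the directory is already a mount point
      "state_mounted" expression => returnszero("/bin/mountpoint -q $(state)", "noshell");

  files:
      # make the mount survive reboots
      "/etc/fstab"
        edit_line => add_line_if_missing("$(entry)");

    # monthly purge: first day of the month, 03:00 hour (both are hard classes).
    # Pick an hour with no other scheduled activity: the running agent loses
    # its locks when cf_lock is removed and recreates them on the next run.
    Day1.Hr03.state_mounted::
      "$(state)/.*\.tcdb"
        delete => tidy_file;

  commands:
    !state_mounted::
      "/bin/mount $(state)"
        classes => mount_outcome("state_mount");

  reports:
    state_mount_repaired::
      "$(state) is now on tmpfs; the old on-disk databases are hidden under the mount, not deleted";
    state_mount_failed::
      "mounting $(state) failed, check /etc/fstab and dmesg";
}

bundle edit_line add_line_if_missing(line)
{
  insert_lines:
      "$(line)";     # insert_lines is idempotent: an existing identical line is not duplicated
}

body delete tidy_file
{
      dirlinks => "delete";
      rmdirs   => "false";
}

body classes mount_outcome(x)
{
      promise_repaired => { "$(x)_repaired" };
      repair_failed    => { "$(x)_failed" };
}
```

Everything under state is regenerated by the agent, so losing it on reboot is harmless; what the tmpfs buys is that a bloated database can never fill the root filesystem, and what the purge buys is a bounded memory footprint between reboots.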
18. 4 – Backup your stuff
● Example: when CFEngine does something with a file, you would like to keep a backup of this file beforehand
● You need a backup repository: https://cfengine.com/docs/3.5/reference-promise-types-files.html#repository
● File name is preserved, along with backup timestamp
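An added example of the repository attribute in use (written for this page, not a slide from the talk): every edit the agent makes to sshd_config leaves a timestamped copy of the previous version in a central repository, and the agent-wide default_repository catches any promise that does not name its own. The repository paths, the sshd_config edit and the class names are constructed.

```cfengine3
# Added example, not a slide from the talk: a timestamped copy of the file
# is kept in a repository before every edit. Repository paths, the edit
# itself and the class names are constructed.

body agent control
{
      # fallback for any files promise that does not set its own repository
      default_repository => "/var/cfengine/backups";
}

bundle agent harden_sshd
{
  files:
      "/etc/ssh/sshd_config"
        edit_line     => set_permit_root_login("no"),
        edit_defaults => timestamped_backup,
        repository    => "/var/cfengine/backups/ssh",   # overrides the agent default
        classes       => outcome("sshd_config");

  reports:
    sshd_config_repaired::
      "sshd_config changed on $(sys.fqhost); the previous version is in /var/cfengine/backups/ssh";
    sshd_config_failed::
      "sshd_config could not be edited on $(sys.fqhost)";
}

# edit_backup "timestamp" keeps one copy per change instead of overwriting
# a single .cfsaved file, which is what makes the repository usable as a history
body edit_defaults timestamped_backup
{
      edit_backup => "timestamp";
}

# Delete any uncommented PermitRootLogin line that does not already carry
# the wanted value, then insert the wanted one (insert_lines is idempotent).
bundle edit_line set_permit_root_login(v)
{
  delete_lines:
      "PermitRootLogin (?!$(v)$).*";
  insert_lines:
      "PermitRootLogin $(v)";
}

body classes outcome(c)
{
      promise_repaired => { "$(c)_repaired" };
      repair_failed    => { "$(c)_failed" };
}
```

When a change turns out to be wrong, the repository gives you the file as it was just before that run, named after the original path and stamped with the time of the edit, without having to dig through the agent's verbose output.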
20. 5 – Tame the agent
● Example: you want to make sure CFEngine only operates in safe environments
● You need a way to make CFEngine only operate in certain conditions
● CFEngine can be told to abort if certain conditions are not met: https://cfengine.com/docs/3.5/reference-components-cfagent.html#abortclasses
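Slide 21 was a screenshot that did not survive extraction; the policy below is an added example for this page (not the speaker's own) showing abortclasses at work: the agent refuses to apply anything when an operator has placed a hold file or the root filesystem is nearly full. The hold path, the 100 MB threshold and the class names are constructed.

```cfengine3
# Added example, not a slide from the talk: the agent stops before applying
# any policy when a "hold" file exists or the root filesystem is nearly full.
# The hold path, the threshold and the class names are constructed.

body agent control
{
      # As soon as this class becomes defined cf-agent stops, applying nothing
      # further, and logs which class triggered the abort.
      abortclasses => { "unsafe_to_run" };
}

body common control
{
      bundlesequence => { "safety_gate", "main" };
}

# A common bundle is evaluated before the agent bundles, so the gate is
# checked before the first file or package promise is even considered.
bundle common safety_gate
{
  classes:
      "operator_hold" expression => fileexists("/etc/cfengine_hold");     # constructed path
      "root_disk_low" expression => islessthan(diskfree("/"), "102400");  # diskfree() is in KiB
      "unsafe_to_run" or         => { "operator_hold", "root_disk_low" };
}

bundle agent main
{
  reports:
      "Safety gate passed, running policy on $(sys.fqhost)";
}
```

The abort message comes from cf-agent itself, so no reports promise is needed in the gate; if only one bundle should be skipped rather than the whole run, the same mechanism exists per bundle as abortbundleclasses in body agent control.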
21. 5 – Tame the agent
22. 6 – Always a damn DNS problem (tm)
● Example: your network interfaces' resolutions are not always working properly (AWS?)
● You need to make CFEngine ignore some interfaces
● CFEngine can be told to ignore some network interfaces if needed
● It is a workaround, not a solution!
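Slide 23 was a screenshot that did not survive extraction. The policy below is an added example for this page (not the speaker's own) of the workaround: a file of interface name patterns the agent should not inventory. It assumes the file is ignore_interfaces.rx in the inputs directory with one regular expression per line (check the reference for your CFEngine version), and the patterns themselves are constructed for a host carrying docker and libvirt bridges.

```cfengine3
# Added example, not a slide from the talk: distribute a list of interface
# name patterns the agent should not inventory, and show what is left.
# Assumptions: the file is $(sys.inputdir)/ignore_interfaces.rx with one
# regex per line, and the patterns are constructed for a docker/libvirt host.

bundle agent ignore_noisy_interfaces
{
  vars:
      "patterns" slist => { "^docker.*", "^virbr.*", "^veth.*", "^lxcbr.*" };

  files:
      "$(sys.inputdir)/ignore_interfaces.rx"
        create    => "true",
        edit_line => add_patterns(@(ignore_noisy_interfaces.patterns)),
        classes   => outcome("ignore_rx");

  reports:
    ignore_rx_repaired::
      "ignore_interfaces.rx updated; the agent reads it at startup, so it applies from the next run";
    verbose::
      # run with cf-agent -D verbose to list the interfaces still being inventoried
      "Interface seen by the agent: $(sys.interfaces)";
}

bundle edit_line add_patterns(p)
{
  insert_lines:
      "$(p)";     # idempotent: a pattern already in the file is not duplicated
}

body classes outcome(x)
{
      promise_repaired => { "$(x)_repaired" };
}
```

Since the inputs directory is replaced by the policy update, the usual place for this file is masterfiles on the policy server so that every host receives it with the rest of the policy; the bundle above covers hosts where that copy is not under your control. The slide's caveat stands: hiding an interface stops the symptom, it does not fix the name resolution behind it.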
23. 6 – Always a damn DNS problem (tm)
24. BONUS STAGE: Beware of the almighty Cron
● A word of warning: cron(d) is not a configuration management engine!!!
● Easy to “fix” things quickly with a cron job
● KISS: let every tool do its job, do not fall into the trap
25. Future
● Work on the ncf framework (see Jon's presentation!)
● Work with the Debian packaging team
● Continue to improve Rudder
● Train more people!