Cfengine notes
Introduction
This is just a brief introduction on how to set up CFEngine 3. For a detailed explanation, a bit of theory and a very nice document on the philosophy behind the design of configuration management systems, I highly recommend the following tutorial:
Basic dataflow
Let's first introduce the concept. CFEngine3 can be used as a centralized system, where the computers that hold the information to be distributed are called "distribution servers" or "hubs" in CFEngine 3 nomenclature; we will simply call them *servers*. The "end hosts" are the computers controlled by CFEngine3 that receive the configuration. We will call them *clients*.
Suppose your CFEngine3 setup is in /var/cfengine. Inside this directory there are two important subdirectories: one is called masterfiles and the other inputs.
masterfiles directory
This is the directory where we will work. We make changes to the *.cf files here, *not anywhere else*. From time to time, the CFEngine3 daemons on the clients (via cf-execd and cf-agent) poll the server for changes in the masterfiles directory.
inputs directory
This is the directory where clients receive the CFEngine3 files to be applied on the system. These files are used to apply configuration to the clients. One should not edit these files, but change the ones in the masterfiles directory on the server.
Note that, on the server, there is also an inputs directory. The server also works as a client of itself.
How it works
Basically, the dataflow is something like this:
1. CFEngine3, on the server, checks for updates in masterfiles;
2. changes are copied to inputs/;
3. clients pull files from the masterfiles/ directory of the server.
Bootstrapping
CFEngine3 setup is so simple that I got confused. Key exchange, server recognition and everything else are done with a simple command::

    # /var/cfengine/bin/cf-agent --bootstrap --policy-server 123.456.789.123

That's all. If the IP address you see above is that of the machine itself, the machine will be the server of your CFEngine3 setup. If it is not, the machine will be a client and will look for the server at that IP address.
If you have a problem at this phase, check the Troubleshooting section.
Simple, huh? How do key exchange and everything else work? There is a nice section in the CFEngine3 Tutorial that discusses this and other things related to security and networks:
CFEngine 3 Tutorial: Remote access explained
Troubleshooting
Bootstrapping not working
If bootstrap mysteriously fails, without much detail, check that all binaries in /var/cfengine/bin exist. In some GNU/Linux distributions, like CentOS, they are symbolic links to wherever CFEngine3 is actually installed, and the package doesn't create all the links.
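The check described above, as an added shell example (not part of the original notes or of CFEngine itself): it reports missing binaries, dangling symbolic links and non-executable files in the bin directory. The list of binary names in CF_BINARIES is an assumption and may differ between packages.

```sh
#!/bin/sh
# Added example: audit a CFEngine bin directory before bootstrapping.

# Assumed set of CFEngine 3 component binaries; adjust to your package.
CF_BINARIES="cf-agent cf-execd cf-key cf-promises cf-serverd cf-monitord cf-runagent"

# check_cf_bin DIR [NAME...]
# Prints one line per problem and returns the number of problems found.
check_cf_bin() {
    dir=$1
    shift
    # Fall back to the assumed default list when no names are given.
    [ $# -gt 0 ] || set -- $CF_BINARIES
    problems=0
    for name in "$@"; do
        path=$dir/$name
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            # The link exists but its target does not (the CentOS case).
            echo "DANGLING  $path -> $(readlink "$path")"
            problems=$((problems + 1))
        elif [ ! -e "$path" ]; then
            echo "MISSING   $path"
            problems=$((problems + 1))
        elif [ -d "$path" ] || [ ! -x "$path" ]; then
            echo "NOT-EXEC  $path"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run only when a directory is passed, e.g.: sh check.sh /var/cfengine/bin
if [ -n "${1:-}" ]; then
    check_cf_bin "$1"
    exit $?
fi
```

A dangling link shows where the package expected the real binary to be, which is usually enough to recreate the link by hand.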