Updated May 09, 2026. Created May 09, 2026.

CFengine on FreeBSD

Quick start to running a CFengine server on FreeBSD

Warning: This page deals specifically with Cfengine 2. The current main version is Cfengine 3 (as of September 2010), which is different in many ways. Check out http://cfengine.org/ for more details.

Install cfengine package

cd /usr/ports/sysutils/cfengine
make install clean

Create public/private keys (run cfkey)

/usr/local/sbin/cfkey

Setup namespace

Pick a domain name. This is just an administrative domain and does not have to correspond to an actual DNS domain name. In this example I use cf1.example.org.

Bootstrap cfservd configuration

Create some missing folders

mkdir -p /var/cfengine/master /var/cfengine/outputs

Bootstrap /var/cfengine/inputs/cfservd.conf file

control:
domain = ( cf1.example.org )
any::
IfElapsed = ( 1 )
MaxConnections = ( 30 )
HostnameKeys = ( true )

AllowConnectionsFrom = ( # RFC1918
                       192.168    
                       172.16
                       10
                       )

TrustKeysFrom = ( # RFC1918
                       192.168    
                       172.16
                       10
               )
admit:   # or grant:
   /var/cfengine/master 192.168.* 172.16.* 10.*

Make sure to adjust the network ranges above as appropriate!
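TrustKeysFrom tells cfservd to accept a previously unknown public key from a matching source on first contact, so in the configuration above every address allowed to connect is also trusted to introduce a key. The script below is an added example, not part of the original page: it lists the entries of those control lists and flags the broad ones. The function names and the three-octet threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page); function names and the
# three-octet threshold are assumptions of this sketch.

# cf_list FILE NAME: print the entries of "NAME = ( ... )", one per line,
# with "#" comments removed; the list may span several lines.
cf_list() {
    sed 's/#.*$//; s/^/ /' "$1" | tr '\n\t' '  ' |
        sed -n "s/.*[[:space:]]$2[[:space:]]*=[[:space:]]*(\([^)]*\)).*/\1/p" |
        tr -s ' ' '\n' | sed '/^$/d'
}

# broad_trust FILE [MIN]: TrustKeysFrom entries that are bare IP prefixes
# with fewer than MIN octets (default 3). Hostnames and CIDR are skipped.
broad_trust() {
    cf_list "$1" TrustKeysFrom |
        awk -F. -v min="${2:-3}" '/^[0-9.]+$/ && NF < min'
}

# trust_matches_allow FILE: succeeds when TrustKeysFrom and
# AllowConnectionsFrom hold the same entries, i.e. every source that may
# connect also has an unknown key accepted on first contact.
trust_matches_allow() {
    [ "$(cf_list "$1" TrustKeysFrom | sort)" = \
      "$(cf_list "$1" AllowConnectionsFrom | sort)" ]
}

# Constructed sample: the control lists from the cfservd.conf above.
sample=$(mktemp) && trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
control:
domain = ( cf1.example.org )
any::
AllowConnectionsFrom = ( # RFC1918
                       192.168
                       172.16
                       10
                       )
TrustKeysFrom = ( # RFC1918
                       192.168
                       172.16
                       10
               )
EOF

echo "Broad TrustKeysFrom entries:"; broad_trust "$sample"
if trust_matches_allow "$sample"; then echo "TrustKeysFrom equals AllowConnectionsFrom"; fi
```

To audit a live server, call the functions on /var/cfengine/inputs/cfservd.conf instead of the sample file.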

Now that you have the basic frame, it is time to add some flesh: you need a cfagent.conf to define control, actionsequence and so on.

This basic cfagent.conf should be a decent starting point. Put it in /var/cfengine/master/cfagent.conf

control:
any::
editfilesize = ( 300000 )
domain = ( cf1.example.org )
cvs_repository = ( /var/cvs )
repository = ( /var/cfengine/repository )
smtpserver = ( mail.example.org ) # site MTA
netmask = ( 255.255.255.0 )
sysadm = ( "root" )
EmailMaxLines = ( inf ) # max lines of output to email
EmailFrom = ( cfengine@example.org )
actionsequence = ( directories files editfiles copy links processes
disable shellcommands )
# When should cfexecd in daemon mode wake up the agent?
schedule = ( Min00_05 Min30_35 )
#=============================================================================
classes:
any::
has_netbackup = ( FileExists(/usr/openv/netbackup/bp.conf) )
has_postfix = ( FileExists(/etc/postfix/main.cf) )
#=============================================================================

# this ensures that these directories will exist or be created when
# cfengine runs

directories:
any::
/var/log/cfengine

#=============================================================================
files:
any::
/etc/hosts mode=0644 owner=root group=wheel action=fixall inform=true

#===========================================================================
editfiles:

#=========================================================================
copy:

#=========================================================================
links:

#=========================================================================
processes:
all::
# Always run cfexecd
"cfexecd" restart "/usr/local/etc/rc.d/cfexecd forcestart"

#=========================================================================
disable:
any::
/etc/cron.hourly/cfengine

#===========================================================================
shellcommands:

Enable and start daemon cfservd

echo 'cfservd_enable="YES"' >> /etc/rc.conf
/usr/local/etc/rc.d/cfservd start

Log messages may appear in /var/log/messages

Try to connect from a client (see next section).

If necessary, run the server in debug mode

/usr/local/etc/rc.d/cfservd stop; /usr/local/sbin/cfservd -d2

Quick start to running a CFengine agent (client) on FreeBSD

This section is draft - I need to validate the steps on an actual system --fostermarkd 08:48, 25 January 2008 (PST)

Install cfengine package

cd /usr/ports/sysutils/cfengine
make install clean

Create public/private keys (run cfkey)

/usr/local/sbin/cfkey

Bootstrap update configuration

Bootstrap /var/cfengine/inputs/update.conf

Contents of update.conf

control:

actionsequence = ( copy processes tidy )
domain = ( example.org )
policyhost = ( cfmaster.example.org )
master_cfinput = ( /var/cfengine/master )
AddInstallable = ( new_cfenvd new_cfservd )
workdir = ( /var/cfengine )

!AllBinaryServers::
SplayTime = ( 1 )

copy:
$(master_cfinput) dest=$(workdir)/inputs
r=inf
mode=700
type=binary
exclude=*.lst
exclude=*~
exclude=#*
server=$(policyhost)
trustkey=true

tidy:
$(workdir)/outputs pattern=* age=7

Run cfagent to initialize

/usr/local/sbin/cfagent -q -v

This will do the initial setup by reading update.conf, connecting to the cfservd on the server, copying over the cfagent.conf and acting on what it contains.

Enable and start daemons: cfexecd and cfenvd

echo 'cfexecd_enable="YES"' >> /etc/rc.conf
echo 'cfenvd_enable="YES"' >> /etc/rc.conf
/usr/local/etc/rc.d/cfexecd start
/usr/local/etc/rc.d/cfenvd start

Thereafter the agent will connect every half hour, between :00-:01 and :30-:31, subject to splay time settings.

Log messages may appear in /var/log/messages