CFengine on FreeBSD

From ConShell


Quick start to running a CFengine server on FreeBSD

Warning: This page specifically deals with Cfengine 2. The current main version is Cfengine 3 (as of September 2010), which differs in many ways, including its configuration syntax. Check out http://cfengine.org/ for more details.

Install cfengine package

cd /usr/ports/sysutils/cfengine
make install clean

Create public/private keys (run cfkey)

/usr/local/sbin/cfkey

Set up namespace

Pick a domain name. This is only an administrative domain and does not have to correspond to an actual DNS domain name. This example uses cf1.example.org.

Bootstrap cfservd configuration

Create some missing folders

mkdir -p  /var/cfengine/master /var/cfengine/outputs

Bootstrap /var/cfengine/inputs/cfservd.conf file

control:
  domain = ( cf1.example.org )
  any::
    IfElapsed = ( 1 )
    MaxConnections = ( 30 )
    HostnameKeys = ( true )

    AllowConnectionsFrom = ( # RFC1918
                             192.168
                             172.16
                             10
                           )

    TrustKeysFrom = ( # RFC1918
                      192.168
                      172.16
                      10
                    )

admit:   # or grant:
  /var/cfengine/master 192.168.* 172.16.* 10.*

Adjust the network ranges above to match your site. Two things to check before you copy them: the prefix 172.16 only covers 172.16.0.0/16, not the whole 172.16.0.0/12 RFC 1918 block, so the other fifteen /16 prefixes (172.17 through 172.31) have to be listed explicitly if you use them; and TrustKeysFrom makes cfservd accept a client's public key the first time that client connects, which is convenient while bootstrapping but means any host in those ranges can register a key. Once your clients' keys have been exchanged, narrow that list or empty it, and leave AllowConnectionsFrom and admit as the only controls.
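The prefix form in cfservd.conf has to be written out by hand, and a hand-written list is where gaps like a lone 172.16 come from. The following POSIX sh helper is an added example, not code from the original page or from Cfengine: it expands CIDR blocks into the dotted prefixes the control lists use, splitting a block whose length is not a multiple of eight (172.16.0.0/12) into the sixteen /16 prefixes that cover it, and emits the AllowConnectionsFrom list and the admit patterns from the same source so the two cannot drift apart. The function names, the trailing ".*" admit form and the indentation are this example's own choices; the output deliberately sticks to the prefix form shown on this page rather than assuming your cfservd accepts CIDR notation directly.

```shell
#!/bin/sh
# Added example (not from the page or from Cfengine): derive the address
# lists in cfservd.conf from CIDR blocks, so the allow list and the admit
# patterns are generated from one source instead of typed twice.

# cf2_prefixes CIDR... -> one dotted prefix per line, in the form the page's
# AllowConnectionsFrom uses ("192.168", "10"). A block whose length is not a
# multiple of 8 is split into the prefixes that cover it exactly.
cf2_prefixes() {
    for cidr in "$@"; do
        addr=${cidr%/*}
        len=${cidr#*/}
        case "$len" in
            ''|*[!0-9]*) echo "cf2_prefixes: bad prefix length in $cidr" >&2; return 1 ;;
        esac
        if [ "$len" -lt 1 ] || [ "$len" -gt 32 ]; then
            echo "cf2_prefixes: bad prefix length in $cidr" >&2; return 1
        fi
        # split the address into its four octets ($1..$4)
        set -- $(printf '%s\n' "$addr" | tr '.' ' ')
        if [ $# -ne 4 ]; then
            echo "cf2_prefixes: bad address in $cidr" >&2; return 1
        fi
        full=$((len / 8))      # octets fixed completely by the prefix length
        rem=$((len % 8))       # bits fixed in the octet after those
        prefix=
        i=1
        while [ "$i" -le "$full" ]; do
            eval "oct=\$$i"
            prefix=${prefix:+$prefix.}$oct
            i=$((i + 1))
        done
        if [ "$rem" -eq 0 ]; then
            echo "$prefix"
            continue
        fi
        # Partially fixed octet: clear the host bits the block does not fix,
        # then enumerate every value that octet can take inside the block.
        eval "oct=\$$((full + 1))"
        span=$((1 << (8 - rem)))
        first=$((oct - oct % span))
        last=$((first + span - 1))
        v=$first
        while [ "$v" -le "$last" ]; do
            echo "${prefix:+$prefix.}$v"
            v=$((v + 1))
        done
    done
}

# cf2_admit_patterns CIDR... -> the same prefixes in the wildcard form the
# page's admit: line uses ("192.168.*").
cf2_admit_patterns() {
    cf2_prefixes "$@" | sed 's/$/.*/'
}

# cf2_list NAME CIDR... -> a complete "NAME = ( ... )" stanza for the
# control: section of cfservd.conf.
cf2_list() {
    name=$1; shift
    printf '    %s = ( # %s\n' "$name" "$*"
    cf2_prefixes "$@" | sed 's/^/        /'
    printf '    )\n'
}

# cf2_admit PATH CIDR... -> an admit: line granting PATH to those hosts.
cf2_admit() {
    path=$1; shift
    printf '  %s %s\n' "$path" "$(cf2_admit_patterns "$@" | tr '\n' ' ' | sed 's/ $//')"
}

# Usage: the three RFC 1918 blocks, which is what the page's list intends.
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
cf2_list AllowConnectionsFrom $RFC1918
cf2_list TrustKeysFrom $RFC1918
echo "admit:"
cf2_admit /var/cfengine/master $RFC1918
```

Paste the generated stanzas into the control: and admit: sections above. Feeding the script a tighter block than the whole RFC 1918 space (for example only the management VLAN for TrustKeysFrom) is the intended way to narrow the trust list without editing sixteen lines by hand.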

That is the basic frame. To add some flesh you need a cfagent.conf, which defines the control section, the actionsequence and the actions themselves.

This basic cfagent.conf should be a decent starting point. Put into /var/cfengine/master/cfagent.conf

control:
  any::
    editfilesize   = ( 300000 )
    domain  = ( cf1.example.org )
    cvs_repository = ( /var/cvs )
    repository  = ( /var/cfengine/repository )
    smtpserver = ( mail.example.org ) # site MTA
    netmask = ( 255.255.255.0 )
    sysadm  = ( "root" )
    EmailMaxLines = ( inf )             # max lines of output to email
    EmailFrom = ( cfengine@example.org )
    actionsequence = ( directories files editfiles copy links processes
                       disable shellcommands )
    # When should cfexecd in daemon mode wake up the agent?
    schedule   = ( Min00_05 Min30_35 )
#=============================================================================
classes:
  any::
    has_netbackup = ( FileExists(/usr/openv/netbackup/bp.conf) )
    has_postfix = ( FileExists(/etc/postfix/main.cf) )
#=============================================================================
# this ensures that these directories will exist or be created when cfengine runs

directories:
  any::
    /var/log/cfengine

#=============================================================================
files:
 any::
    /etc/hosts mode=0644 owner=root group=wheel action=fixall  inform=true

#=============================================================================
editfiles:

#=============================================================================
copy:

#=============================================================================
links:

#=============================================================================
processes:
  any::
     # Always run cfexecd
    "cfexecd" restart "/usr/local/etc/rc.d/cfexecd forcestart"

#=============================================================================
disable:
  any::
    # Linux cron layout; FreeBSD has no /etc/cron.hourly, so this is a no-op there
    /etc/cron.hourly/cfengine

#=============================================================================
shellcommands:


Enable and start daemon cfservd

echo 'cfservd_enable="YES"' >> /etc/rc.conf
/usr/local/etc/rc.d/cfservd start

Log messages may appear in /var/log/messages

Try to connect from a client (see next section).

If necessary, run the server in debug mode

/usr/local/etc/rc.d/cfservd stop; /usr/local/sbin/cfservd -d2

Quick start to running a CFengine agent (client) on FreeBSD

This section is a draft - I need to validate the steps on an actual system --fostermarkd 08:48, 25 January 2008 (PST)

Install cfengine package

cd /usr/ports/sysutils/cfengine
make install clean

Create public/private keys (run cfkey)

/usr/local/sbin/cfkey

Bootstrap update configuration

Bootstrap /var/cfengine/inputs/update.conf

# Contents of update.conf
control:
  actionsequence  = ( copy processes tidy )
  domain          = ( example.org )
  policyhost      = ( cfmaster.example.org )
  master_cfinput  = ( /var/cfengine/master )
  AddInstallable  = ( new_cfenvd new_cfservd )
  workdir         = ( /var/cfengine )

  !AllBinaryServers::
    SplayTime = ( 1 )

copy:
  $(master_cfinput)           dest=$(workdir)/inputs
                              r=inf
                              mode=700
                              type=binary
                              exclude=*.lst
                              exclude=*~
                              exclude=#*
                              server=$(policyhost)
                              trustkey=true

tidy:
  $(workdir)/outputs pattern=* age=7


Run cfagent to initialize

/usr/local/sbin/cfagent -q -v

This does the initial setup: cfagent reads update.conf, connects to cfservd on the policy host, copies the contents of the master directory (including cfagent.conf) into /var/cfengine/inputs, and then runs cfagent.conf. Note that trustkey=true makes the client accept whatever public key the policy host presents on this first connection, and the server's TrustKeysFrom does the same for the client's key, so run this first exchange on a network you trust. Both keys are then stored under /var/cfengine/ppkeys and later connections are checked against them.

Enable and start daemons: cfexecd and cfenvd

echo 'cfexecd_enable="YES"' >> /etc/rc.conf
echo 'cfenvd_enable="YES"' >> /etc/rc.conf
/usr/local/etc/rc.d/cfexecd start
/usr/local/etc/rc.d/cfenvd start

Thereafter the agent will run every half hour, during the :00-:05 and :30-:35 windows set by the schedule in cfagent.conf, delayed by up to the SplayTime.

Log messages may appear in /var/log/messages
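Both sides of the bootstrap above trust a key on first use: the server's TrustKeysFrom accepts the client's key and the client's trustkey=true accepts the server's. The following POSIX sh script is an added example, not part of the page or of Cfengine, for closing that window after the first run: it compares the server key the client stored against a copy of the server's own public key carried over by hand (scp, removable media, or a fingerprint read out over the phone), and lists the trust settings still switched on in the configuration files so they can be removed. It assumes the cfengine 2 key layout, localhost.pub on the server and root-<server IP>.pub in the client's /var/cfengine/ppkeys directory; the fingerprint is a cksum of the whitespace-stripped key file, chosen only because cksum is in every base system, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page or from Cfengine): verify the server key
# a client accepted during its first trustkey=true run, and report trust
# settings that are still enabled. Assumes the cfengine 2 layout: keys in
# $WORKDIR/ppkeys, the local pair as localhost.priv/localhost.pub and remote
# keys as <user>-<ip>.pub.
WORKDIR=${WORKDIR:-/var/cfengine}

# cf2_key_fingerprint FILE -> "<crc> <bytes>" of the key text with all
# whitespace removed, so line-ending differences between copies do not matter.
cf2_key_fingerprint() {
    tr -d ' \t\r\n' < "$1" | cksum | cut -d ' ' -f 1-2
}

# cf2_verify_server_key EXPECTED STORED -> 0 when both files carry the same
# key material, 1 otherwise. EXPECTED is the server's localhost.pub obtained
# out of band; STORED is the client's copy, e.g. ppkeys/root-192.168.1.10.pub.
cf2_verify_server_key() {
    expected=$1; stored=$2
    [ -r "$expected" ] || { echo "cannot read $expected" >&2; return 1; }
    [ -r "$stored" ] || { echo "no stored key at $stored (first run not done?)" >&2; return 1; }
    want=$(cf2_key_fingerprint "$expected")
    have=$(cf2_key_fingerprint "$stored")
    if [ "$want" = "$have" ]; then
        echo "server key matches the out-of-band copy ($have)"
        return 0
    fi
    echo "SERVER KEY MISMATCH: expected $want, stored $have" >&2
    echo "the client trusted a key from something other than the real policy host" >&2
    return 1
}

# cf2_trust_settings FILE... -> prints every still-active trust directive
# (trustkey=true in update.conf, TrustKeysFrom in cfservd.conf) as
# file:line:text, comments stripped first. Returns 1 if any were found.
cf2_trust_settings() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        hits=$(sed 's/#.*//' "$f" | grep -n -i -e 'trustkey=true' -e 'TrustKeysFrom' || true)
        [ -n "$hits" ] || continue
        found=1
        printf '%s\n' "$hits" | sed "s|^|$f:|"
    done
    return "$found"
}

# Run as: sh cf2-trust-check.sh SERVER_LOCALHOST_PUB STORED_KEY [CONF...]
# e.g. sh cf2-trust-check.sh /root/cfmaster-localhost.pub \
#        "$WORKDIR/ppkeys/root-192.168.1.10.pub" \
#        "$WORKDIR/inputs/update.conf" "$WORKDIR/inputs/cfservd.conf"
if [ $# -ge 2 ]; then
    expected_key=$1; stored_key=$2; shift 2
    cf2_verify_server_key "$expected_key" "$stored_key"
    cf2_trust_settings "$@" || echo "keys are exchanged: remove the settings listed above" >&2
fi
```

Run it once on each client after its first cfagent run. A mismatch means the first connection went to something other than your policy host and the client's copy of the key (and whatever it pulled into inputs) should be discarded before the daemons are enabled; a clean result is the point at which trustkey=true and the server's TrustKeysFrom list can be removed.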