Getting Started With CFEngine - Updated Version


Published on March 19, 2014

Author: cfengine



Learn how to avoid downtime by tracking system drifts, how to increase the robustness and security of your system, and make sure you adhere to compliance standards using CFEngine. This slide deck accompanied our "Getting Started with CFEngine" webinar, where we covered how to achieve all those benefits using CFEngine policies, promises, and sketches. Use the examples in these slides to start your own CFEngine implementation. A recording of the webinar can be found at

Getting Started with CFEngine

Agenda
• Infrastructure Automation with CFEngine
• Theory Concepts
• Software Components
• Language Concepts
• Examples
• Q&A

Benefits of Infrastructure Automation

Productivity
• Global changes in minutes
• Unlimited scale and complexity
• Remove human bottlenecks

Costs
• Reduced need for labor
• Reduced costs related to instability/outages
• Reduced license costs

Security
• Billions of compliance checks per day
• Real-time compliance repairs
• Granular and pattern based

Architected for Speed, Security and Web Scale
1. Define Desired State
2. Ensure Defined State
3. Verify Actual State
[Diagram labels: CFDB, Policy-Server, Design Center, Knowledge Center, CFE Agents]

CFEngine – IT Automation at Web-Scale

History
• 1993: Open Source project
• 2001: CFEngine version 2
• 2004: Promise Theory
• 2009: CFEngine version 3
• 2014: CFEngine version 3.6

Customer Validation

Technology Validation
• Infrastructure Automation, Continuous Delivery
• Distributed, Lean, Secure architecture
• IT Automation at Web-Scale (size, agility)
• Community (Open source), Enterprise edition

Market Validation
• >10 million servers
• 10,000 companies
• 100 countries
• Tens of thousands of servers (individual customer deployments)

CFEngine Enterprise - Mission Portal GUI


Our Promise – Mashed Potatoes

The Way To Get There - CONVERGENCE

Basic Concepts
• Convergence
  • To Converge - To come from different directions to reach the same point (location, conclusion, etc.)
  • Desired state may not be reached on the first pass
  • Change can be incremental
  • 3 passes over the policy on each run, to accelerate convergence
• Declarative vs. Imperative
  • Declarative is descriptive
  • Imperative is sequential

• Promise Theory
  Voluntary cooperation between individual, autonomous actors or agents who publish their intentions to one another in the form of promises
  -- Mark Burgess

The Promise Universe

A Promise Is A Statement of Intention

• Promiser: A variable…
  • Promises to… hold a certain value of a certain type
  • If not currently kept, CFEngine will… store the appropriate value in the variable
• Promiser: A file
  • Promises to… have certain characteristics (permissions, ownership, etc.)
  • If not currently kept, CFEngine will… set the desired properties on the file
• Promiser: A user account
  • Promises to… exist and have certain characteristics (home directory, group, etc.)
  • If not currently kept, CFEngine will… create the user account with the desired characteristics
• Promiser: A process
  • Promises to… be running on the system
  • If not currently kept, CFEngine will… run the appropriate command to create the process

Basic Concepts
• Promise States
  • Promise kept ✔
  • Promise repaired ✘ → ✔
  • Promise not kept ✘ → ✘


Basic Components
• Server
  • cf-serverd
• Client
  • cf-agent
  • cf-execd
  • cf-monitord


Anatomy of a Promise
• Promise Type: What?
• Context: When/Where?
• Promiser: Why?
• Attributes: How?

    packages:
      solaris.tuesday::
        "apache"
          comment         => "Front end webserver",
          package_policy  => "add",
          package_version => "2.0",
          package_method  => solaris;

Bundles & Bodies
• A bundle is a collection of promises
  • For example, a bundle to configure Apache might:
    • Install the apache2 package
    • Edit the configuration file
    • Copy the web server content
    • Etc.
• A body is a collection of attributes that constrains the promise
  • Internal (in-line in the promise)
  • External (shareable with other promises)


Example #1 – File Security

    body common control
    {
      bundlesequence => { "file_security" };
      inputs => { "libraries/" };
    }

    bundle agent file_security
    {
      files:
        "/etc/." -> { "SecurityPolicy513", "" }
          handle       => "etc_tripwire",
          comment      => "Bubble up possible security breaches",
          changes      => detect_all_change,
          depth_search => recurse("inf");
    }

Example #2 - MOTD

    body common control
    {
      bundlesequence => { "edit_motd" };
      inputs => { "libraries/" };
    }

    bundle agent edit_motd
    {
      vars:
        "motd" string => "/etc/motd";

      files:
        "$(motd)"
          create    => "true",
          edit_line => insert_lines("This system is managed by CFEngine 3"),
          handle    => "edit_motd",
          comment   => "Inform sysadmins this system is managed by CFEngine";
    }

Example #3 – Install Packages

    body common control
    {
      bundlesequence => { "packages" };
      inputs => { "libraries/" };
    }

    bundle agent packages
    {
      packages:
        "nano"
          handle         => "install_nano",
          comment        => "nano is John's favorite editor",
          package_policy => "add",   # Ensure that a package is present
          package_method => apt;
    }

Example #3 – Install Packages – Cont.

    cf-demo# nano
    bash: /usr/bin/nano: No such file or directory
    cf-demo# cf-agent -f
    cf-demo# nano -V
    GNU nano version 2.2.6 (compiled 14:12:08, Oct 1 2012)
    ...
    cf-demo#

Example #3 – Install Packages – Cont.

    cf-demo# bash: /usr/bin/nano: No such file or directory
    cf-demo# cf-agent -I -f
    Q: apt-get update ...:Ign stable InRelease
    ...
    Q: apt-get update ...:Hit saucy-backports/universe Translation-en
    Q: apt-get update ...:Reading package lists...
    Q: apt-get update ...:
    Q:apt-get --yes instal ...:Reading package lists...
    Q:apt-get --yes instal ...:Building dependency tree...
    Q:apt-get --yes instal ...:Reading state information...
    Q:apt-get --yes instal ...:Suggested packages:
    Q:apt-get --yes instal ...: spell
    Q:apt-get --yes instal ...:The following NEW packages will be installed:
    Q:apt-get --yes instal ...: nano
    Q:apt-get --yes instal ...:0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
    Q:apt-get --yes instal ...:Need to get 0 B/194 kB of archives.
    Q:apt-get --yes instal ...:After this operation, 614 kB of additional disk space will be used.
    Q:apt-get --yes instal ...:Selecting previously unselected package nano.
    Q:apt-get --yes instal ...:(Reading database ... 236090 files and directories currently installed.)
    Q:apt-get --yes instal ...:Unpacking nano (from .../nano_2.2.6-1ubuntu1_amd64.deb) ...
    Q:apt-get --yes instal ...:Processing triggers for doc-base ...
    Q:apt-get --yes instal ...:Processing 2 added doc-base files...
    Q:apt-get --yes instal ...:Processing triggers for install-info ...
    Q:apt-get --yes instal ...:Processing triggers for man-db ...
    Q:apt-get --yes instal ...:Setting up nano (2.2.6-1ubuntu1) ...
    Q:apt-get --yes instal ...:update-alternatives: using /bin/nano to provide /usr/bin/editor (editor) in auto mode
    Q:apt-get --yes instal ...:update-alternatives: using /bin/nano to provide /usr/bin/pico (pico) in auto mode
    Q:apt-get --yes instal ...:
    cf-demo# nano -V
    GNU nano version 2.2.6 (compiled 14:12:08, Oct 1 2012)
    ...
    cf-demo#

Example #4 – Convergence

    bundle agent create_user_file
    {
      files:
        "/home/cfetest/files/cfe_test_file"
          perms  => mog("644","cfetest","cfegroup"),
          create => "true";
    }

    bundle agent create_user_directory
    {
      files:
        "/home/cfetest/files/."
          perms  => mog("755","cfetest","cfegroup"),
          create => "true";
    }

    bundle agent adduser
    {
      commands:
        "/usr/sbin/useradd cfetest -d /home/cfetest -g cfegroup -m";
    }

    bundle agent addgroup
    {
      commands:
        "/usr/sbin/groupadd -g 1001 cfegroup";
    }

    body common control
    {
      bundlesequence => { "create_user_file", "create_user_directory", "adduser", "addgroup" };
      inputs => { "/var/cfengine/inputs/libraries/" };
    }

Example #4 – First Run

    2014-03-18T16:46:42+0100 notice: Q: " cfet": useradd: group 'cfegroup' does not exist

    /home/cfetest:
    drwxr-xr-x 2 root root 4096 Mar 18 16:46 files

    /home/cfetest/files:
    -rw-r--r-- 1 root root 0 Mar 18 16:46 cfe_test_file

    groups: cfetest: No such user

Example #4 – Second Run

    /home/cfetest:
    drwxr-xr-x 2 root cfegroup 4096 Mar 18 16:46 files

    /home/cfetest/files:
    -rw-r--r-- 1 root cfegroup 0 Mar 18 16:46 cfe_test_file

    cfetest : cfegroup

Example #4 – Third Run

    /home/cfetest:
    drwxr-xr-x 2 cfetest cfegroup 4096 Mar 18 16:46 files

    /home/cfetest/files:
    -rw-r--r-- 1 cfetest cfegroup 0 Mar 18 16:46 cfe_test_file

    cfetest : cfegroup

The agent is at the desired state!
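
Example #4 reaches its desired state only on the third run, and its commands: promises have no guard, so they are attempted again even after the account exists. The policy below is an added example, not from the slides, that orders the bundles by dependency and guards each command with groupexists() and userexists(). The bundle names accounts and user_files, the class names, and the $(sys.libdir)/stdlib.cf library path (CFEngine 3.6 or later) are assumptions.

```cf3
# Added example, not part of the original slide deck.
body common control
{
      # Dependencies first: the account must exist before files reference it.
      bundlesequence => { "accounts", "user_files" };
      # Assumption: standard library location on CFEngine 3.6 or later
      # (provides the mog and if_ok bodies used below).
      inputs => { "$(sys.libdir)/stdlib.cf" };
}

bundle agent accounts
{
  classes:
      # Hypothetical class names; set only when the account data already exists.
      "have_group" expression => groupexists("cfegroup");
      "have_user"  expression => userexists("cfetest");

  commands:
    !have_group::
      "/usr/sbin/groupadd -g 1001 cfegroup"
        handle  => "add_cfegroup",
        comment => "Create the group only when it is missing",
        classes => if_ok("group_ready");

    (have_group|group_ready).!have_user::
      "/usr/sbin/useradd cfetest -d /home/cfetest -g cfegroup -m"
        handle  => "add_cfetest",
        comment => "Create the user only after its primary group exists";
}

bundle agent user_files
{
  files:
      # Directory before the file it contains, both owned by the new account.
      "/home/cfetest/files/."
        perms  => mog("755", "cfetest", "cfegroup"),
        create => "true";

      "/home/cfetest/files/cfe_test_file"
        perms  => mog("644", "cfetest", "cfegroup"),
        create => "true";
}
```

With the guards in place the commands are skipped once the group and user exist, so later runs report the promises as kept instead of re-running useradd and groupadd.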

Q & A

Next Steps
• Join the conversation on our community help forum!forum/help-cfengine
• Learn More check out our documentation
• Read Learning CFEngine 3 by Diego Zamboni
