Frequently Asked Questions (General)

What is the best way to learn cfengine?

If you are starting from scratch, consider taking a course. Training can be arranged privately, or you can join a course at a major conference.

We believe that the best introduction to cfengine is the new book by Aeleen Frisch and Mark Burgess. "A System Engineers Guide to Host Configuration and Maintenance using Cfengine." We have worked hard to make this the best possible introduction that we can currently write.

Why is cfengine the best tool for automated system configuration?

"Best" is an over-used word, and not very scientific. We try not to use words like "best" without qualifying them in a special context. What is best for you is not necessarily best for me. Above all cfengine tries to be flexible and do a few things robustly and well. It is a powerful tool targeted for anyone interested in developing a disciplined practice. It is not a panacea to any system ailment. However, it goes further than most in addressing modern autonomic computing concerns.

Some configuration tools are simply change management tools. They expect you to make a change and then keep "hands off" the computer until the next programmed change. The trouble with this is that prying hands interfere with systems in between, and if one does not verify that the changes are maintained over time, the process loses its integrity. Accidents, runtime degradation and interference from other software can all spoil an intended configuration. Cfengine continuously monitors and repairs systems.

Cfengine does not inflict a model on you like most other tools for configuration. But it does inflict a security principle on you. Computers running cfengine never have to give up their autonomy to be part of a configuration collective. Pushing information to cfengine is strictly disallowed. Most users agree that this has kept cfengine users secure over the years.

Cfengine is the only tool that integrates monitoring with repeatable maintenance.

Cfengine's development goals are centered around

  • Achieving optimum safety and correctness in tried and tested functions
  • Ambitious new technology that pushes the boundaries of automation

Is the cfengine language imperative or declarative?

This is a question that has been used to misrepresent cfengine in some articles about configuration management. Cfengine is a pragmatic hybrid: mostly declarative, with a hint of imperative. It was the first configuration language to separate decision evaluation from operations.

Features like editfiles would be extremely cumbersome to write in a completely declarative way; nevertheless cfengine makes a reasonable attempt. Cfengine does not randomize the order of declarations unless the user asks for this, so coincidentally some operations will be executed in the same order in which they are declared. But to call cfengine imperative is a misrepresentation.

Is cfengine extensible and modular?

Cfengine 2 has two mechanisms for user extensibility: modules (a generic interface for adding user scripts to extend its functionality) and methods (subroutines that use cfengine's own language to separate out and encapsulate issues). Methods can also be used for procedural cooperation between hosts, using a kind of Remote Procedure Call that is compatible with cfengine's security principles. There is also cfperl, which adds its own level of extension.

The cfengine language has grown by user involvement into an inconsistent jungle. In cfengine 3 much research and effort has gone into making a simple and consistent interface to all functions that is trivially extensible and adaptable to other problem domains such as robotics, space and bio-tech applications.

What do you think of Puppet, LCFG, BCFG, etc.?

These are projects and tools that are written by colleagues both in research and commercial world. They have some admirable qualities but often have somewhat different focus than cfengine. If we agreed with these approaches, cfengine would already be different. Cfengine is not perfect, but it is moving in the right direction. Beyond this, we do not wish to make any comments about them positive or negative. To do so might be to misrepresent others' software. We recommend similarly that you take any comments made by the maintainers of these tools about cfengine with a pinch of salt. Cfengine aims to solve the problems of configuration management in a general way through research rather than through competition.

Does Cfengine have an open development community?

Cfengine accepts ideas and patches from an open community of users. Many user ideas are requests for simple conveniences that can be added within a day or two, and such additions are frequent. The svn repository shows active development. The cfengine contributors include a formidable list of talent from some of the most experienced administrators of large installations in the world. It also benefits from student projects at many universities.

However, the development is not run as a democracy. The custodians of cfengine make sure that the key safety principles of cfengine are never violated by code additions, including: host autonomy should never be compromised to add functionality, dependencies should be minimized, the agent should continue to protect the system during loss of network connectivity, and parsimony: solutions should be generally applicable rather than local or specific hacks for whim or fancy. In fact, the contributors to cfengine all maintain very high standards and require little or no moderation. The cfengine project has inspired the very best minds in system administration to come together in support of sound principles.

Is cfengine secure?

This is too simplistic a question. Security is a complex issue, not something that can be summarized so succinctly. Compared to a lot of other software, cfengine has had few code vulnerabilities over the years. Indeed it has had far fewer reported vulnerabilities (three in total since 1993) than other "security code", e.g. secure shells, firewalls and so on, in spite of rigorous security testing by companies specializing in the location of such vulnerabilities.

Don't forget that cfengine is a powerful tool, and with powerful tools you can make powerful mistakes. When used responsibly and expertly, it can provide systems with unparalleled security from a wide range of threats.

I am having trouble with cfservd communication - what should I do?

Don't forget:

  1. To make keys with cfkey.
  2. To grant access in cfservd using AllowConnectionsFrom and AllowMultipleConnectionsFrom.
  3. To grant access for key exchange using TrustKeysFrom (cfservd) and trustkey=true (cfagent).

Try running both sides of the connection with the -d2 option to see exactly what is going wrong.
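A minimal pair of cfengine 2 configurations covering the three checklist items above, as an added example rather than text from the original FAQ; the domain, network and host names are constructed, and the paths follow the usual /var/cfengine layout.

```cfengine
# --- cfservd.conf on the policy server ---------------------------------
# Item 1 is done beforehand: run cfkey once on EVERY host (server and
# clients) so each has its own key pair under /var/cfengine/ppkeys.
control:
   domain = ( example.com )

   # Item 2: only these addresses may open a connection at all.
   # (Network 192.168.10.0/24 is a constructed example value.)
   AllowConnectionsFrom          = ( 192.168.10.0/24 )
   AllowMultipleConnectionsFrom  = ( 192.168.10.0/24 )

   # Item 3, server side: accept a previously unseen key from these
   # addresses on first contact. This is the bootstrap window; narrow it
   # to the hosts being enrolled and remove it once their keys are in
   # ppkeys, after which an unknown key is refused instead of learned.
   TrustKeysFrom = ( 192.168.10.0/24 )

admit:
   # Which paths each client may read; patterns match client host names.
   /var/cfengine/masterfiles   *.example.com

# --- cfagent.conf on a client -----------------------------------------
control:
   actionsequence = ( copy )

copy:
   # Item 3, agent side: trustkey=true lets the agent accept the server's
   # key on the first connection; policy.example.com is a constructed name.
   /var/cfengine/masterfiles   dest=/var/cfengine/inputs
                               server=policy.example.com
                               recurse=inf
                               trustkey=true
```

If the copy still fails, run cfservd -d2 on the server and cfagent -d2 on the client at the same time; the access and key-trust decisions are logged on the side that makes them.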

Can I run cfenvd monitoring without running cfagent?

Yes, cfenvd is a standalone part of cfengine. It records system activity in a database which can be viewed by using the cfenvgraph program. It also records its state analysis in the file /var/cfengine/state/env_data, which can be imported into other programs.

Do I have to run cfservd?

You need to run cfservd only if you want to:

  • Copy files remotely from a host running cfservd.
  • Execute cfagent remotely on a host running cfservd.

How can I check whether my cfagent program will do what I intended?

Try examining the output:

cfagent -p -d3

I am seeing SIGPIPE messages - what should I do?

SIGPIPE is a signal that occurs when one half of a Unix pipe is broken. This can happen if

  • A program executed as a shell command crashes without warning.
  • Cfservd breaks off a connection (try cfservd -d2 to see why).