Cfengine configuration directory

Checklist for upgrading to cfengine 2

Relevant classes: any

If you are installing or upgrading cfengine, use the following checklist. Note that the single most likely cause of stumbling blocks will be TRUST issues. You might want to switch off cfservd-based copying while you deploy cfengine 2, to minimize headaches.

Installing on a single host

Use the instructions for laptop computers.

Installing at a new site

  1. configure;make;make install
  2. Install and run cfenvd on all hosts immediately. This daemon just runs and collects up to a few megabytes of data. You can use this to bootstrap random number generation on hosts which do not have /dev/random.
  3. Wait a week and run cfkey on all hosts.
  4. Install as per manual.

Upgrading

If you are already using cfengine, then you will want to convert your existing setup into the new framework. This is not difficult, but there are a few subtleties that might trip you up. This checklist is paranoid, to help you to be even more paranoid where hundreds or even thousands of hosts are concerned.

Version 2 of cfengine cannot talk to version 1, so please be careful to avoid losing communication in switching versions. Encrypted copy in version 2 (as of alpha release 19) will not talk to any earlier versions, but unencrypted copy will talk to previous version 2 alphas.

  1. Compile and install new version
  2. Run cfenvd for a week or more, if you have not already done so with an alpha version
  3. Run cfkey on every host, e.g. if you are already running an old cfengine, try this:

     classes:

        CfPubKeys = ( '/usr/bin/test -f /var/cfengine/ppkeys/localhost.pub' )

        # or once you have upgraded to v2
        # CfPubKeys = ( FileExists(/var/cfengine/ppkeys/localhost.pub) )

     shellcommands:

        !CfPubKeys::

           "/usr/local/sbin/cfkey"

  4. The next steps require committing to the new version.
  5. Rename cfengine.conf to cfagent.conf
  6. Create a file update.conf, which will make sure the hosts have their own distributed copies of programs and policy files.
  7. Comment out any secure copy items for the upgrade:
    #secure=true 
    
  8. Define a mailer in cfagent.conf
    smtpserver = ( mailhub )
    
  9. Run cfagent once to create /var/cfengine and copy cfagent, cfservd binaries there.
  10. Replace any cron items with something like this
    0,30 * * * * /var/cfengine/bin/cfexecd -F
    
    This program replaces cfwrap, cfmail, etc. with a more robust and flexible program which will be extended in the future. It no longer relies on perl or shell. To keep things simple, it looks for cfagent in /var/cfengine/bin/cfagent on each host.
  11. In cfservd, make sure that the server will trust and accept keys
    TrustKeysFrom = ( IP-series )
    
  12. OPTIONAL: If you want non-root users to be able to use cfrun or cfagent for copying, add the following to cfservd.conf:
    AllowUsers = ( mark .. )

  13. Replace the secure copy items, and rename them by replacing
    secure=true 
    
    to
    encrypt=true verify=true trustkey=true
    
    and observe precautions about accepting RSA keys on trust.
  14. NOTE: even non-encrypted copies need a key, so the first time a copy takes place you must specify
    trustkey=true
    
    in cfagent.conf (or imported file).
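Steps 11 to 14 open a window in which hosts accept RSA keys on trust (trustkey=true on the client, TrustKeysFrom on the server). Once that window is over, the keys that were accepted become the only record of who was trusted, so it is worth auditing them against the hosts you meant to trust before removing the trust settings. The following POSIX shell script is an added example, not part of the cfengine documentation or distribution. It assumes the page's key directory /var/cfengine/ppkeys, where cfengine 2 stores accepted peer keys as <user>-<ip>.pub files, and an allowlist file of one IP address per line that you maintain yourself; the demo data it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the peer keys a cfengine 2 host accepted on trust.
# Assumptions (not from the cfengine docs): keys are in KEYDIR as
# <user>-<ip>.pub, and ALLOWLIST is a text file with one expected IP per line.

# fingerprint FILE: prints a short SHA-256 based fingerprint of the key file so
# it can be compared with an inventory kept off the host (sha256sum on Linux,
# shasum elsewhere).
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -c1-16
    else
        shasum -a 256 "$1" | cut -c1-16
    fi
}

# audit_ppkeys KEYDIR ALLOWLIST
# Prints one line per accepted peer key: "ok" or "UNEXPECTED", the peer's
# address and its fingerprint.  Returns 1 if any key was accepted from an
# address not in the allowlist, 0 otherwise.
audit_ppkeys() {
    keydir=$1
    allowlist=$2
    rc=0
    for keyfile in "$keydir"/*.pub; do
        [ -f "$keyfile" ] || continue
        name=$(basename "$keyfile" .pub)
        # localhost.pub is this host's own public key, not a trusted peer
        [ "$name" = "localhost" ] && continue
        peer=${name#*-}             # strip the "<user>-" prefix, keep the IP
        fp=$(fingerprint "$keyfile")
        if grep -qxF "$peer" "$allowlist"; then
            printf 'ok         %-16s %s\n' "$peer" "$fp"
        else
            printf 'UNEXPECTED %-16s %s\n' "$peer" "$fp"
            rc=1
        fi
    done
    return $rc
}

# count_unexpected KEYDIR ALLOWLIST: prints how many keys are not allowlisted.
count_unexpected() {
    audit_ppkeys "$1" "$2" | grep -c '^UNEXPECTED'
}

# make_demo: builds a constructed scratch key directory and allowlist and
# prints its path.  Two keys are expected, one (10.0.0.5) is not.
make_demo() {
    demo=$(mktemp -d)
    mkdir "$demo/ppkeys"
    for ip in 192.168.1.10 192.168.1.11 10.0.0.5; do
        printf -- '-----BEGIN RSA PUBLIC KEY-----\nconstructed-%s\n-----END RSA PUBLIC KEY-----\n' "$ip" \
            > "$demo/ppkeys/root-$ip.pub"
    done
    printf 'placeholder-own-key\n' > "$demo/ppkeys/localhost.pub"
    printf '192.168.1.10\n192.168.1.11\n' > "$demo/allowed"
    echo "$demo"
}

# Usage: sh audit_ppkeys.sh demo   (runs against the constructed data)
#        audit_ppkeys /var/cfengine/ppkeys /etc/cfengine-allowed-peers
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo)
    audit_ppkeys "$d/ppkeys" "$d/allowed"
    rm -rf "$d"
fi
```

Run it on every host after the bootstrap copy has succeeded, and treat any UNEXPECTED line as a reason to investigate before you remove trustkey=true and tighten TrustKeysFrom; a fingerprint that changes between audits for the same address means the peer's key was replaced and should be checked with the same care.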
Cfagent reports "access denied" regardless of the nature of the error, to avoid giving away information which might be used by an attacker. To find out the real reason for a denial, use debugging mode -d2.
Hints:
  • If you are getting Access denied errors -- did the old servers die, and the new ones take over?
  • Did you remember trustkey=true with every server=?, and TrustKeysFrom = ( )?
  • Sporadic failures? Did you remember AllowMultipleConnections?