In this manual the word "host" is used to refer to a single computer system - i.e. a single machine which has a name termed its "hostname".
Cfengine is a tool for setting up and maintaining BSD and System-5-like
operating system optionally attached to a TCP/IP network. You can think
of cfengine as a very high level language--much higher level than Perl
or shell: a single statement can result in many hundreds of operations
being performed on multiple hosts. Cfengine is good at performing a lot
of common system administration tasks, and allows you to build on its
strengths with your own scripts. You can also use it as a netwide
front-end for cron. Once you have set up cfengine, you'll be
free to use your time being like a human being, instead of playing R2-D2
with the system.
The main purpose of cfengine is to allow you to create a single, central system configuration which will define how every host on your network should be configured in an intuitive way. An interpreter runs on every host on your network and parses the master file (or file-set); the configuration of each host is checked against this file and then, if you request it, any deviations from the defined configuration are fixed automatically. You do not have to mention every host specifically by name in order to configure them: instead you can refer to the properties which distinguish hosts from one another. Cfengine uses a flexible system of "classes" which helps you to single out a specific group of hosts with a single statement.
Originally cfengine was conceived of as a tool only for the superuser, but during the course of its development it has become clear that it can also be used as a scripting language by ordinary users. It is a handy tool for tidying your old junk files and for making `watchdog' scripts to manage the access rights and permissions on your files when collaborating with other users. As a bonus it contains a text editing language which can be used to perform controlled edits of line-based text files.
Cfengine grew out of the need to control the accumulation of complex shell scripts used in the automation of key system maintenance at Oslo. There were very many scripts, written in shell and in perl, performing tasks such as file tidying, find-database updates, process checking and several other tasks. In a heterogeneous environment, shell-scripts work very poorly: shell commands have differing syntax across different operating systems, the locations and names of key files differ. In fact, the non-uniformity of unix was a major headache. Scripts were filled with tests to determine what kind of operating system they were being run on, to the point where they became so complicated an unreadable that no-one was quite sure what they did anymore. Other scripts were placed only on the systems where they were relevant, out of sight and out of mind. It quickly became clear that our dream solution would be to replace this proliferation of scripts by a single file containing everything to be checked on every host on the network. By defining a new language, this file could hide all of the tests by using classes (a generalized `switch/case' syntax) to label operations and improve the readability greatly. The gradual refinement of this idea resulted in the present day cfengine.
The remainder of this manual assumes that you know a little about BSD/System-5 systems and have everyday experience in using either the C-shell or the Bourne shell, or their derivatives. If you are experienced in system administration, you might like to skip the earlier chapters and turn straight to the example in the section Example configuration file of the Reference manual. This is the probably quickest way to learn cfengine for the initiated. If you are not so familiar with system administration and would like a more gentle introduction, then we begin here...
To the system administrator of a small network, with just a few
workstations or perhaps even a single mainframe system, it might seem
superfluous to create a big fuss about the administration of the system.
After all, it's easy to `fix' things manually should any problems
arise, making a link here, writing a script there and so on -- and its
probably not even worth writing down what you did because you know that
it will always be easy to fix next time around too... But networks have
a tendency to expand and--before you know it--you have five different
types of operating system and each type of system has to be configured
in a special way, you have to make patches to each system and you can't
remember whether you fixed that host on the other side of the
building... Also, you discover fairly quickly that what you thought of
as BSD or System 5 is not as standard as you thought and that none of
your simple scripts that worked on one system work on the others without
a considerable amount of hacking and testing. You try writing a script
to help you automate the task, but end up with an enormous number of
if..then..else.. tests which make it hard to see what is really
going on.
To manage a network with many different flavours of operating system, in a systematic way, what is needed is a more disciplined way of making changes which is robust against re-installation. After all, it would be tragic to spend many hours setting up a system by hand only to lose everything in an unfortunate disk-crash a week or even a year later when you have forgotten what you had to do. Upgrades of the operating system software might delete your carefully worked out configuration. What is needed is a separate record of all of the patches required on all of the systems on the network; a record which can be compared to the state of each host at any time and which a suitable engine can use to fix any deviations from that reference standard.
The idea behind cfengine is to focus upon a few key areas of basic system administration and provide a language in which the transparency of a configuration program is optimal. It eliminates the need for lots of tests by allowing you to organize your network according to "classes". From a single configuration file (or set of files) you can specify how your network should be configured -- and cfengine will then parse your file and carry out the instructions, warning or fixing errors as it goes.
Some of the important issues in system administration which cfengine can help with.
One of the endearing characteristics of BSD and system 5 systems is
that they are configured through human-readable text files. To add a
new user to the system you edit /etc/passwd, to add a new
disk you must edit /etc/fstab etc. Many applications are also
configured with the help of text files. When installing a new system
for the first time, or when changing updating the setup of an old system
you are faced with having to edit lots of files. In some cases you will
have to add precisely the same line to the same file on every system in
your network as a change is made, so it is handy to have a way of
automating this procedure so that you don't have to load every file into
an editor by hand and make the changes yourself. This is one of the
tasks which cfengine will automate for you.
Each host which you connect to an ethernet-based network running TCP/IP
protocols must have a so-called `net interface'. This network interface
must be configured before it will work. Normally one does this with the
help of the ifconfig command. This can also be checked and
configured automatically by cfengine.
Network configuration involves telling the interface hardware what the internet (IP) address of your system is, so that it knows which incoming `packets' of data to pay attention to. It involves telling the interface how to interpret the addresses it receives by setting the `netmask' for your network (see below). Finally you must tell it which dummy address is to be used for messages which are broadcast to all hosts on your network simultaneously (see the reference manual).
Cfengine's features are mainly meant for hosts which use static IP addresses, if you are using DHCP clients then you will not need the net configuration features.
Probably the first thing you are interested in doing with a network (after you've had your fill of the world wide web) is to make your files available to some or all hosts on the network, no matter where in your corporate empire (or university dungeon) you might be sitting. In other words, if you have a disk which is physically connected to host A, you would like to make the contents of that disk available to hosts B, C, D... etc. NFS (the network filesystem) does this for you. The process works by `filesystems'.
A filesystem is one partition of a disk drive - or one unit of disk
space which can be accessed by a single `logical device'
/dev/something. To make a filesystem available to other hosts
you have to do three things.
/etc/exports. This tells NFS who
is allowed to access the disk and who isn't.
Only after all three of these have been done will a filesystem become available across the network. Cfengine will help you with the last two in a very transparent way. You could also use the text-editing facility in cfengine to edit the exports file, but there are other ways update the exports file using netgroups which we shall not go into here. If you are in doubt, look up the manual page on exports.
Some sites prefer to minimize the use of NFS filesystems, to
avoid one machine being dependent on another. They prefer to
make a local copy of the files on a remote machine instead.
Traditionally programs like rdist have been used for
this purpose. You may also use cfengine to copy files in this
way, See Emulating rdist.
There are two ways to specify addresses on the internet (called IP
addresses). One is to use the textual address like ftp.uu.net
and the other is to use the numerical form 192.48.96.9. Alas,
there is no one-to-one correspondence between the numerical addresses
and the textual ones, thus a service is required to map one to the
other.
The service is performed by one or more special hosts on the network
called nameservers. Each host must know how to contact a
nameserver or it will probably hang the first time you give it an IP
address. You tell it how to contact a nameserver by editing the
text-file /etc/resolv.conf. This file must contain the domain
name for your domain and a list of possible nameservers which can be
contacted, in order of priority. Because this is a special file which
every host must have, you don't have to use the editing facilities in
cfengine explicitly. You can just define the nameservers for each host
in the cfengine file and cfengine will do the editing automatically. If
you want to change the priority of nameservers later, or even change the
list then a simple change of one or two lines in the configuration file
will enable you to reconfigure every host on your network automatically
without having to do any editing yourself!
Security is an important issue on any system. In the busy life of a system administrator it is not always easy to remember to set the correct access rights on every file and this can result in either a security breach or problems in accessing files.
A common scenario is that you, as administrator, fetch a new package using ftp, compile it and install it without thinking too carefully. Since the owner and permissions of the files in an ftp archive remains those of the program author, it often happens that the software is left lying around with the owner and permissions as set by the author of the program rather than any user-name on your system. The user-id of the author might be anybody on your system -- or perhaps nobody at all! The files should clearly be owned by root and made readable and unwritable to normal users.
Simple accidents and careless actions under stress could result in, say, the password file being writable to ordinary users. If this were the case, the security of the entire system would be compromised. Cfengine therefore allows you to monitor the permissions, ownership and general existence of files and directories and, if you wish, correct them or warn about them automatically.
One of the difficulties with having so many different variations on the theme of BSD and system 5 based operating systems is that similar files are not always where you expect to find them. They have different names or lie in different directories. The usual solution to the problem is to make an alias for these files, or a pointer from one filename to another. The name for such an alias is a symbolic link.
It is often very convenient to make symbolic links. For example, you
might want the sendmail configuration file /etc/sendmail.cf to be
a link to a global configuration file, say,
/usr/local/mail/etc/sendmail.cf
on every single host on your network so that there is only one file to edit. If you had to make all of these links yourself, it would take a lifetime. Cfengine will make such a link automatically and check it each time it is run. You can also ask it to tidy up old links which have been left around and no longer point to existing files. If you reinstall your operating system later it doesn't matter because all your links are defined in your cfengine configuration file, recorded for all time. Cfengine won't forget it, and you won't forget it because the setup is defined in one central place.
Cfengine will also allow you to make hard links to regular files, but not other kinds of file. A hard link to a symbolic link, is the same as a hard link to the file the symbolic link points to.
The notes above give you a rough idea of what cfengine can be used for. Here is a summary of cfengine's capabilities.
How do you run cfengine? You can run it as a cron job, or you can run it
manually. You may run cfengine scripts/programs as often
as you like. Each time you run a script, the engine determines whether
anything needs to be done -- if nothing needs to be done, nothing is
done! If you use it to monitor and configure your entire network from a
central file-base, then the natural thing is to run cfengine daily with
the help of cron. (see the reference manual).
A cfengine configuration file for a large network can become long and complex so, before we get down to details, let's try to strip away the complexity and look only to the essentials.
Each cfengine program or configuration file is a list of declarations of
items to be checked and perhaps fixed. You begin by creating a file
called cfengine.conf. The simplest meaningful file you can
create is something like this:
# Comment... control: actionsequence = ( links ) links: /bin -> /usr/bin
The
example above checks and makes (if necessary) a link from /bin to /usr/bin.
Let's examine this example more closely. In a cfengine program:
# symbol
designates a comment and means: ignore the remaining text on this line.
A comment symbol must have a space in front of it, or start a new line
so that cfengine knows you don't mean the symbol as part of another
word.
name=( list ) are
used to assign the value on the right hand side to the name on the left hand side
of the equals sign.
In simple example above has three of the four types of object described
above. The control: section of any program tells cfengine how to
behave. In this example it adds the action links to the
actionsequence. For links you could replace some other action.
The essential point is that, if you don't have an action sequence, your
cfengine program will do absolutely nothing! The action sequence is a
list which tells cfengine what do to and in which order.
The links: section of the file tells cfengine that what follows
is a number of links to be made. If you write this part of the file,
but forget to add links to the actionsequence, then nothing will be
done! You can add any number of links in this part of the file and they
will all be dealt with in order when--and only when--you write
links in the action sequence.
To summarize, you must have:
Now let's think a bit about how useful this short example program is.
On a SunOS system, where the directory /bin is in fact supposed
to be a link, such a check could be useful, but on some other system
where /bin is a not a link but a separate directory, this would
result in an error message from cfengine, telling you that /bin
exists and is not a link. The lesson is that, if we want to use
cfengine to make one single program which can be run on any host
of any type, then we need some way of restricting the above link so that
it only gets checked on SunOS systems. We can write the following:
# Comment...
control:
actionsequence = ( links )
links:
sun4::
/bin -> /usr/bin
# other links
osf::
# other links
The names which have double colons after them are called classes
and they are used to restrict a particular action so that it only gets
performed if the host running the program is a member of that class. If
you are familiar with C++, this syntax should make you think of classes
definitions in C++. Classes works like this: the names above
sun4, sun3, osf etc. are all internally defined by
cfengine. If a host running, say, the OSF operating system executes the
file it automatically becomes a member of the class osf. Since
it cannot be a member more than one of the above, this distinguishes
between different types of operating system and creates a hidden
if..then...else test.
This is the way in which cfengine makes decisions. The key idea is that actions are only carried out if they are in the same class as the host running the program. Classes are dealt with in detail in the next chapter.
Now let's see how to add another kind of action to the action sequence.
# Comment... control: actionsequence = ( tidy links ) links: /bin -> /usr/bin tidy: /tmp pattern=* age=7 recurse=inf
We have now added a new kind of declaration called tidy: which
deletes files. In the example above, we are looking at files in the
directory /tmp which match the pattern * and have not been
accessed for more than seven days. The search for these files descends
recursively down any number of subdirectories.
To make any of this happen we must add the word tidy to the action
sequence. If we don't, the declaration will be ignored. Notice also
that, regardless of the fact that links: comes before
tidy:, the order in the action sequence tells us that all
tidy actions will be performed before links:.
The above structure can be repeated to build up a configuration file or script.
To summarize the previous section, here is a sketch of a typical cfengine configuration program showing a sensible structure. The various sections are listed in a sensible order which you would probably use in the action sequence.
An individual section-declaration in the program looks something like this:
action-type:
class1::
list of things to do...
class2::
list of things to do...
action-type is one of the following reserved words:
groups, control, homeservers, binservers, mailserver, mountables, import, broadcast, resolve, defaultroute, directories, miscmounts, files, ignore, tidy, required, links, disable, shellcommands, editfiles, processes
The order in which declarations occur is not important to cfengine from a syntactical point of view, but some of the above actions define information which you will want to refer to later. All variables, classes, groups etc. must be defined before they are used. That means that it is smart to follow the order above for the sections in the first line of the above list.
The order in which items are declared is not to be confused with the
order in which they are executed. This is determined by the
actionsequence, (see the reference manual). Probably you will want to
coordinate the two so that they match as far as possible.
For completeness, here is a complete summary of the structure of a very general cfengine configuration program. The format is free and use of space is unrestricted, though it is always a good idea to put a space in front before and after parentheses when defining variables.
######################################################################
#
# Example of structure
#
######################################################################
groups:
group1 = ( host host ... )
group2 = ( host host ... )
...
######################################################################
control:
class::
site = ( mysite )
domain = ( mydomain )
...
actionsequence =
(
action name
....
)
mountpattern = ( mountpoint )
homepattern = ( wildcards matching home directories )
addinstallable = ( foo bar )
addclasses = ( foo bar )
######################################################################
homeservers:
class::
home servers
binservers:
class::
binary servers
mailserver:
class::
mail server
mountables:
class::
list of resources
######################################################################
import:
class:: include file
class:: include file
######################################################################
broadcast:
class:: ones # or zeros / zeroes
defaultroute:
class:: my-gw
######################################################################
resolve:
any::
list of nameservers
...
Cfengine doesn't do anything unless you ask it to. When you run a cfengine program it generates no output unless it finds something it believes to be wrong. It does not carry out any actions unless they are declared in the action sequence.
If you like, though, you can make cfengine positively chatty. Cfengine can be
run with a number of command line options (see the reference manual). If
you run the program with the -v or --verbose options, it
will supply you cheerily with a resume of what it is doing. Certain
warning messages also get printed in verbose mode, so it is a useful debugging tool.
You can ask cfengine to check lots of things - the timezone for
instance, or the domain name. In order for it to check these things, it
needs some information from you. All of the switches and options which
change the way in which cfengine behaves get specified either on the
command line or in the control: section of the control file.
Some special control variables are used for this purpose. Here is a
short example:
control:
domain = ( mydomain.no )
netmask = ( 255.255.255.0 )
timezone = ( MET CET )
mountpattern = ( /mydomain/mountpoint )
actionsequence =
(
checktimezone # check time zone
netconfig # includes check netmask
resolve # includes domain
mountinfo # look for mounted disks under mountpattern
)
To get verbose output you must run cfengine with the appropriate command
line option --verbose or -v.
Notice that setting values has a special kind of syntax: a variable name, an equals sign and a value in parentheses. This tells you that the quantity of the left hand side assumes the value on the right hand side. There are lots of questions you might ask at this point. The answers to these will be covered as we go along and in the next chapter.
Before leaving this brief advertisement for control parameters, it is
worth noting the definition of mountpattern above. This declares
a directory in which cfengine expects to find mounted disks. It will be
explained in detail later, for now notice that this definition looks
rather stupid and inflexible. It would be much better if we could use
some kind of variables to define where to look for mounted filesystems.
And of course you can...
Having briefly scraped the surface of what cfengine can do, turn to the example and take a look at what a complete program can look like, (see the reference manual). If you understand it, you might like to skip through the rest of the manual until you find what you are looking for. If it looks mysterious, then the next chapter should answer some questions in more depth.
Cfengine may be invoked in a number of ways. Here are some examples:
host% cfengine host% cfengine --file myfile host% cfengine -f myfile -v -n host% cfengine --help
The first of these (the default command, with no arguments) causes
cfengine to look for a file called cfengine.conf in the current
directory and execute it silently. The second command reads the file
myfile and works silently. The third works in verbose mode and
the -n option means that no actions should actually be carried
out, only warnings should be printed. The final example causes cfengine
to print out a list of its command line options.
The complete list of options is listed in the summary at the beginning
of this manual, or you can see it by giving the -h option,
(see the reference manual).
In addition to running cfengine with a filename, you can also treat cfengine files as scripts by starting your cfengine program with the standard shell line:
#!/local/gnu/bin/cfengine -f # # My config script #
Here we assume that you have installed cfengine under the directory
/local/gnu/bin. By adding a header like this to the first line
of your program and making the file executable with the chmod
shell command, you can execute the program just by typing its
name--i.e. without mentioning cfengine explicitly at all.
As a novice to cfengine, it is advisable to check all programs with the
-n option before trusting them to your system, at least until you
are familiar with the behaviour of cfengine. This `safe' option allows
you to see what cfengine wants to do, without actually committing
yourself to doing it.
Whenever cfengine looks for a file it asks a question: is the filename
an absolute name (that is a name which begins from / like
/usr/file), is it a file in the directory in which you invoke
cfengine or is it a file which should be searched for in a special
place?
If you use an absolute filename either on the command line using
-f or in the import section of your program (a name which
begins with a slash '/'), then cfengine trusts the name of the file you
have given and treats it literally. If you specify the name of the
file as simple . or - then cfengine reads its input from the
standard input.
If you run cfengine without arguments (so that the default filename is
cfengine.conf) or you specify a file without a leading slash in
the import section, then the value of the environment variable
CFINPUTS is prepended to the start of the file name. This allows
you to keep your configuration in a standard place, pointed to by
CFINPUTS. For example:
host# setenv CFINPUTS /usr/local/gnu/lib/cfengine/inputs host# cfengine -f myfile
In this example, cfengine tries to open
/usr/local/gnu/lib/cfengine/inputs/myfile.
If you are a beginner to cfengine, you might not be certain exactly how you want to use it. Here are some hints from Dr. Daystrom about how to get things working quickly.
Running cfengine from cron means that it will be run in parallel on your systems. Cfengine on one host does not have to wait for cfengine on another host to complete.
cfd on all your systems so that cfengine can be executed
remotely, so that you can immediately "push" changes to all your
hosts with cfrun. Think carefully about whom you wish to give permission to run
cfengine from the net, See Configuring cfd. Set up you
cfd.conf file accordingly. You can also use this daemon to
grant access rights for remote file copying.
Cfrun polls all your hosts serially and gives you a concatenated indexed list of problems on all hosts. The disadvantage with cfrun is that each host has to wait its turn.
cfd to the system startup scripts, or to inittab
so that it starts when you boot your system.
cfrun.hosts file. It does not
matter that some may be master servers and others clients. The locking
mechanisms will protect you from silliness, See Deadlocks and runaway loops. Cfengine will work it out. Cfrun allows you to remotely execute
cfengine on groups of hosts which satisfy a list of cfengine classes.
When you have set up these components, you can sit back and edit the configuration files and watch things being done.
The idea of classes is central to the operation of cfengine. Saying
that cfengine is `class orientated' means that it doesn't make decisions
using if...then...else constructions the way other
languages do, but only carries out an action if the host running the
program is in the same class as the action itself. To understand what
this means, imagine sorting through a list of all the hosts at your
site. Imagine also that you are looking for the class of hosts
which belong to the computing department, which run GNU/Linux operating
system and which have yellow spots! To figure out whether a particular
host satisfies all of these criteria you first delete all of the hosts
which are not GNU/Linux, then you delete all of the remaining ones which
don't belong to the computing department, then you delete all the
remaining ones which don't have yellow spots. If you are on the
remaining list, then you are in the class of all
computer-science-Linux-yellow-spotted hosts and you can carry out the
action.
Cfengine works in this way, narrowing things down by asking if a host is in several classes at the same time. Although some information (like the kind of operating system you are running) can be obtained directly, clearly, to make this work we need to have lists of which hosts belong to the computer department and which ones have yellow spots.
So how does this work in a cfengine program? A program or configuration script consists of a set of declarations for what we refer to as actions which are to be carried out only for certain classes of host. Any host can execute a particular program, but only certain action are extracted -- namely those which refer to that particular host. This happens automatically because cfengine builds up a list of the classes to which it belongs as it goes along, so it avoids having to make many decisions over and over again.
By defining classes which classify the hosts on your network in some easy to understand way, you can make a single action apply to many hosts in one go - i.e. just the hosts you need. You can make generic rules for specific type of operating system, you can group together clusters of workstations according to who will be using them and you can paint yellow spots on them - what ever works for you.
A cfengine action looks like this:
action-type:
compound-class::
declaration
A single class can be one of several things:
ultrix, sun4 etc.
This is referred to henceforth as a hard class.
Monday Tuesday Wednesday..).
Hr00, Hr01 ... Hr23).
Min00, Min17 ... Min45).
Min00_05, Min05_10 ... Min55_00)
Day1 ... Day31).
January, February, ... December).
Yr1997, Yr2001).
A compound class is a sequence of simple classes connected by dots or `pipe' symbols (vertical bars). For example:
myclass.sun4.Monday:: sun4|ultrix|osf::
A compound class evaluates to `true' if all of the individual classes
are separately true, thus in the above example the actions which follow
compound_class:: are only carried out if the host concerned is in
myclass, is of type sun4 and the day is Monday!
In the second example, the host parsing the file must be either of
type sun4 or ultrix or osf.
In other words, compound classes support two operators: AND and OR,
written . and | respectively. Cfengine doesn't
care how many of these operators you use (since it skips over blank
class names), so you could write either
solaris|irix::
or
solaris||irix::
depending on your taste. On the other hand, the order in which cfengine
evaluates AND and OR operations does matter, and the rule
is that AND takes priority over OR, so that . binds classes
together tightly and all AND operations are evaluated before ORing
the final results together. This is the usual behaviour in programming
languages. You can use round parentheses in cfengine classes to
override these preferences.
Cfengine allows you to define switch on and off dummy classes so that
you can use them to select certain subsets of action. In particular,
note that by defining your own classes, using them to make compound
rules of this type, and then switching them on and off, you can also
switch on and off the corresponding actions in a controlled way. The
command line options -D and -N can be used for this
purpose. See also addclasses in the Reference manual.
A logical NOT operator has been added to allow you to exclude
certain specific hosts in a more flexible way. The logical NOT
operator is (as in C and C++) !. For instance, the
following example would allow all hosts except for myhost:
action:
!myhost::
command
and similarly, so allow all hosts in a user-defined group mygroup,
except for myhost, you would write
action:
mygroup.!myhost::
command
which reads `mygroup AND NOT myhost'. The NOT operator can also be combined with OR. For instance
class1|!class2
would select hosts which were either in class 1, or those which were not in class 2.
Finally, there is a number of reserved classes. The following are hard classes for various operating system architectures. They do not need to be defined because each host knows what operating system it is running. Thus the appropriate one of these will always be defined on each host. Similarly the day of the week is clearly not open to definition, unless you are running cfengine from outer space. The reserved classes are:
ultrix, sun4, sun3, hpux, hpux10, aix, solaris, osf, irix4, irix, irix64
sco, freebsd, netbsd, openbsd, bsd4_3, newsos, solarisx86, aos,
nextstep, bsdos, linux, debian, cray, unix_sv, GnU, NT
If these classes are not sufficient to distinguish the hosts on your network, cfengine provides more specific classes which contain the name and release of the operating system. To find out what these look like for your systems you can run cfengine in `parse-only-verbose' mode:
cfengine -p -v
and these will be displayed. For example, solaris 2.4 systems
generate the additional classes sunos_5_4 and sunos_sun4m,
sunos_sun4m_5_4.
Cfengine uses both the unqualified and fully host names as classes. Some
sites and operating systems use fully qualified names for their
hosts. i.e. uname -n returns to full domain qualified
hostname. This spoils the class matching algorithms for cfengine, so
cfengine automatically truncates names which contain a dot `.' at the
first `.' it encounters. If your hostnames contain dots (which do not
refer to a domain name, then cfengine will be confused. The moral is:
don't have dots in your host names! NOTE: in order to ensure that
the fully qualified name of the host becomes a class you must define the
domain variable. The dots in this string will be replaced by underscores.
In summary, the operator ordering in cfengine classes is as follows:
()
!
.
|
When you are building up a configuration file it is very useful to be able to use variables. If you can define your configuration in terms of some key variables, it can be changed more easily later, it is more transparent to the reader of the program and you can also choose to define the variables differently on different types of system. Another way of saying this is that cfengine variables also belong to classes. Cfengine makes use of variables in three ways.
Environment variables are fetched directly from the shell on whatever
system is running the program. An example of a special variable is the
domain variable from the previous section. Straightforward macro
substitution allows you to define a symbol name to be replaced by an
arbitrary text string. All these definitions (apart from shell
environment variables, of course) are made in the control part of the
cfengine program:
control: myvar = ( /usr/local/mydir/lib/very/long/path ) # define macro ... links: $(myvar) -> /another/directory
Here we define a macro called myvar, which is later used to
define the creation of a link. As promised we can also define
class-dependent variables:
control: sun4:: myvar = ( sun ) hpux:: myvar = ( HP )
Cfengine gives you access to the shell environment variables and allows you to define variables of your own. It also keeps a few special variables which affect the way in which cfengine works. When cfengine expands a variable it looks first at the name in its list of special variables, then in the list of user-defined macros and finally in the shell environment for a match. If none of these are found it expands to the empty string. If you nest macros,
control: myvar = ( "$(othervar)" )then you must quote the right hand side and ensure that the value is already defined.
You can also import values from the execution of a shell command
by prefixing a command with the word exec.
control: listing = ( "exec /bin/ls" )
This sets the variable `listing' to the output of the command in the quotes.
Variables are referred to in either of two different ways, depending on
your taste. You can use the forms $(variable) or
${variable}. The variable in braces or parentheses can be the
name of any user defined macro, environment variable or one of the
following special internal variables.
AllClasses
CFALLCLASSES=class1:class2.... This
variable is a summary of all the defined classes at any given time. It
is always kept up to date so that scripts can make use of cfengine's
class data.
arch
binserver
class
sun4, hpux).
Non-definable.
date
:.
domain
faculty
fqhost
host
ipaddress
MaxCfengines
OutputPrefix
OutputPrefix = ( "cfengine:$(host):")
RepChar
/ (see the reference manual).
site
$(faculty) and may be used interchangeably.
split
sysadm
timezone
control.
UnderscoreClasses
year
These variables are kept special because they play a special role in setting up a system configuration. See Global configurations. You are encouraged to use them to define fully generalized rules in your programs. Variables can be used to advantage in defining filenames, directory names and in passing arguments to shell commands. The judicious use of variables can reduce many definitions to a single one if you plan carefully.
NOTE: the above control variables are not case sensitive, unlike user macros, so you should not define your own macros with these names.
The following variables are also reserved and may be used to produce troublesome special characters in strings.
cr
dblquote
"
dollar
$.
lf
n
quote
'.
spc
tab
You can use variables in the following places:
$(binserver) variable is not always appropriate in this context. For instance
links:
osf::
/$(site)/${host}/directory -> somefile
shellcommands in the Reference manual).
shellcommands: any:: "/bin/echo $(timezone) | /bin/mail $(sysadm)" '/bin/echo "double quotes!"'
The latter possibility enables cfengine's variables to be passed on to user-defined scripts.
option=$(variable).
Variables can be defined differently under different classes by preceding the definition with a class name. For example:
control: sun4:: my_macro = ( User_string_1 ) irix:: my_macro = ( User_string_2 )
Here the value assigned to $(my_macro) depends on which of the
classes evaluates to true. This feature can be used to good effect to
define the mail address of a suitable system administrator for different
groups of host.
control: physics:: sysadm = ( mark,fred ) chemistry:: sysadm = ( localsys@domain )
Note, incidentally, that the -a option
can be used to print out the mail address of the system administrator
for any wrapper scripts.
Note that macro-variables which are undefined are not expanded as of version 1.6 of cfengine. In earlier versions, undefined variables would be replaced by an empty string, as in Perl. In versions 1.6.x and later, the variable string remains un-substituted, if the varaiable does not exist. For instance,
control: actionsequence = ( shellcommands ) myvar = ( "test string " ) shellcommands: "/bin/echo $(myvar) $(myvar2)"results in:
cfengine:host: Executing script /bin/echo test string $(myvar2)
cfengine:host:/bin/echo test : sh: syntax error at line 1: `(' unexpected
cfengine:host: Finished script /bin/echo test string $(myvar2)
This allows variables to be defined on-the-fly by modules.
Cfengine communicates with itself by passing messages in the form of classes. When a class becomes switched on or off, cfengine's program effectively becomes modified. There are several ways in which you can switch on and off classes. Learning these fully will take some time, and only then will you harness the full power of cfengine.
Because cfengine works at a very high level, doing very many things for very few lines of code it might seem that some flexibility is lost. When we restrict certain actions to special classes it is occasionally useful to be able to switch off classes temporarily so as to cancel the special actions.
You can define classes of your own which can be switched on and off,
either on the command line or from the action sequence. For example,
suppose we define a class include. We use addclasses to
do this.
addclasses = ( include othersymbols )
The purpose of this would be to allow certain `excludable actions' to be defined. Actions defined by
any.include::
actions
will normally be carried out, because we have defined include to
be true using addclasses. But if cfengine is run in a restricted
mode, in which include is set to false, we can exclude these
actions.
So, by defining the symbol include to be false, you can exclude
all of the actions which have include as a member. There are two
ways in which this can be done, one is to negate a class globally using
cfengine -N include
This undefines the class include for the entire duration of the
program.
Another way to specify actions is to use a class to select only a subset
of all the actions defined in the actionsequence. You do this by adding
a class name to one on the actions in action sequence by using a dot
. to separate the words. In this case the symbol only evaluates
to `true' for the duration of the action to which it attached. Here
is an example:
links.onlysome shellcommands.othersymbols.onlysome
In the first case onlysome is defined to be true while
this instance of links is executed. That means that only actions
labelled with the class onlysome will be executed as a result of
that statement. In the latter case, both onlysome and
othersymbols are defined to be true for the duration of
shellcommands.
This syntax would normally be used to omit certain time-consuming actions, such as tidying all home directories. Or perhaps to synchronize certain actions which have to happen in a certain order.
For more advanced uses of cfengine you might want to be able to define a class on the basis of the success or failure of a user-program, a shell command or user script. Consider the following example
groups:
have_cc = ( "/bin/test -f /usr/ucb/cc"
"/bin/test -f /local/gnu/cc" )
Note that as of version 1.4.0 of cfengine, you may use the word
classes as an alias for groups. Whenever cfengine meets
an object in a class list or variable, which is surrounded by either
single, double quotes or reversed quotes, it attempts to execute the
string as a command passed to the Bourne shell. If the resulting command
has return code zero (proper exit) then the class on the left hand side
of the assignment (in this case have_cc) will be true. If the
command returns any other value (an error number) the result is
false. Since groups are the logical OR of their members (it is
sufficient that one of the members matches the current system), the
class have_cc will be defined above if either /usr/ucb/cc
or /local/gnu/cc exist, or both.
Classes may be defined as the result of actions being carried out by cfengine. For example, if a file gets copied, needs to be edited or if diskspace falls under a certain threshhold, cfengine can be made to respond by activating classes at runtime. This allows you to create dynamically responsive programs which react to the changing environment. These classes are defined as part of other statements with clauses of the form
define=classlist
Classes like these should generally be declared at the start of a program
unless the define statements always precede the actions which
use the defined classes, with addinstallable.
If the regular mechanisms for setting classes do not produce the results you require for your configuration, you can write your own routines to concoct the classes of your dreams. Plugin modules are added to cfengine programs from within the actionsequence, (see Reference manual). They allow you to write special code for answering questions which are too complex to answer using the other mechanisms above. This allows you to control classes which will be switched on and the moment at which your module attempts to evaluate the condition of the system.
Modules must lie in a special directory defined by the variable
moduledirectory.
They must have a name of the form module:mymodule and they
must follow a simple protocol. Cfengine will only execute a module which
is owned either by root or the user who is running cfengine, if it lies
in the special directory and has the special name. A plug-in module may
be written in any language, it can return any output you like, but lines
which begin with a + sign are treated as classes to be defined
(like -D), while lines which begin with a - sign are
treated as classes to be undefined (like -N). Lines starting
with = are variables/macros to be defined. Any other lines of
output are cited by cfengine, so you should normally make your module
completely silent. Here is an example module written in perl. First we
define the module in the cfengine program:
control:
moduledirectory = ( /local/cfengine/modules )
actionsequence = (
files
module:myplugin.specialclass
"module:argplugin.specialclass arg1 arg2"
copy
)
...
Note that the class definitions for the module can also be defined in as
AddInstallables, if this is more convenient. NOTE: you must
declare the classes before using them in the cfengine configuration, or else
those actions will be ignored.
Next we write the plugin itself.
#!/usr/bin/perl
#
# module:myplugin
#
# lots of computation....
if (special-condition)
{
print "+specialclass";
}
Modules inherit the environment variables from cfengine and accept arguments, just as a regular shellcommand does.
#!/bin/sh # # module:myplugin # /bin/echo $*Cfengine defines the classes as an environment variable so that programs have access to these. E.g. try the following module:
#!/usr/bin/perl
print "Decoding $ENV{CFALLCLASSES}\n";
@allclasses = split (":","$ENV{CFALLCLASSES}");
while ($c=shift(@allclasses))
{
$classes{$c} = 1;
print "$c is set\n";
}
Modules can define macros in cfengine by outputting strings of the form
=variablename=value
anyThe generic wildcard any may be used to stand for any class.
Thus instead of assigning actions for the class sun4 only you
might define actions for any architecture by specifying:
any::
actions
If you don't specify any class at all then cfengine assumes a default
value of any for the class.
A useful trick when debugging is to eliminate unwanted actions by changing their class name. Since cfengine assumes that any class it does not understand is the name of some host, it will simply ignore entries it does not recognize. For example:
myclass::
can be changed to
Xmyclass::
Since Xmyclass no longer matches any defined classes, and is not
the name of any host it will simply be ignored. The -N option
can also be used to the same effect. (see Reference manual).
It is sometimes convenient to be able to restrict the access of a
program to a handful of users. This can be done by adding an access
list to the control: section of your program. For example,
control:
...
access = ( mark root )
would cause cfengine to refuse to run the program for any other users except mark and root. Such a restriction would be useful, for instance, if you intended to make set-user-id scripts but only wished certain users to be able to run them. If the access list is absent, all users can execute the program.
Note: if you are running cfengine via the cfrun program
then cfengine is always started with the same user identity as
the cfd process on the remote host.
Normally this is the root user identity. This means that
the access keyword will have no effect on the use of
the command cfrun.
In the two actions files and tidy you define directory
names at which file checking or tidying searches should start. One
economical feature is that you can define a whole group of directories
at which identical searches should start in one fell swoop by making use
of wildcards. For example, the directory names
/usr/*/*
/bla/*/ab?/bla
represent all of the directories (and only directories) which match the above wildcard strings. Cfengine opens each matching directory and iterates the action over all directories which match.
The symbol ? matches any single character, whereas *
matches any number of characters, in accordance with shell
file-substitution wildcards.
When this notation is used in directory names, it always defines the
starting point for a search. It does not tell the command how to
search, only where to begin. The pattern directive in
tidy can be used to specify patterns when tidying files and under
files all files are considered, (see Reference manual),
File sweeps are searches through a directory tree in which many files are examined and considered for processing in some way. There are many instances where one uses cfengine to perform a file sweep.
files action, for checking access rights and ownership
of files.
tidy action, for checking files for deletion.
copy action, while recursively checking whether to
copy a file tree.
editfiles action, while recursively checking whether to
edit the files in a tree of files.
The problem with file sweeps is that they can be too sweeping! Often you are not interested in examining every single file in a file tree. You might wish to perform a search
ignore.
The tidy action is slightly different in this respect, since it already
always expects to match a specific pattern. One is generally not
interested in a search which deletes everything except for a named
pattern: this would be too dangerous. For this reason, the syntax of
tidy does not allow ignore,include and exclude. It is documented
in the section on tidying, (see Reference manual).
Items declared under the global ignore section affect files,
copy, links and tidy. For file sweeps within files, copy and links, you
may provide private ignore lists using ignore=. The difference between
exclude and ignore is that ignore can deal with absolute directories. It prunes
directories, while exclude only looks at the files within directories.
For file sweeps within files and copy you can specify
specific search parameters using the keywords include=
and exclude= and as of version 1.6.x filter=.
For example,
files: /usr/local/bin m=0755 exclude=*.ps action=fixall
In this example cfengine searches the entire file tree (omitting
any directories listed in the ignore-list and omitting
any files ending in the extension .ps), (see Reference manual).
Specifying the include= keyword is slightly different since it
automatically restricts the search to only named patterns (using *
and ? wildcards), whenever
you have one or more instances of it. If you include patterns in this
way, cfengine ignores any files which do not match the given patterns.
It also ignores any patterns which you have specified in the global
ignore-list as well as patterns excluded with exclude=pattern.
In other words, exclusions always override inclusions.
If you exclude a pattern or a directory and wish to treat it in
some special way, you need to code an explicit check for that pattern
as a separate entity. For example, to handle the exluded .ps
files above, you would need to code something like this:
files: /usr/local/bin m=0644 include=*.ps action=fixall
Note: don't be tempted to enclose your wildcards in quotes. The quotes will be treated literally and the pattern might not match the way you would expect.
For editfiles the syntax is somewhat different. Here one needs to add
lines to the edit stanza:
editfiles:
{ /tmp/testdir
Include .*
Exclude bla.*
Ignore "."
Ignore ".."
Recurse 6
ReplaceAll "search" With "replace"
}
Cfengine keeps two kinds of log-file privately and it allows you to log
its activity to syslog. Syslog logging may be switched on with the
Syslog variable, (see Reference manual).
The first log cfengine keeps is for every user
(every subdirectory of a home directory filesystem). A file
~/.cfengine.rm keeps a list of all the files which were deleted
during the last pass of the tidy function. This is useful for
users who want to know files have been removed without their blessing.
This helps to identify what is happening on the system in case of
accidents.
Another file is built when cfengine searches through file trees in the
files action. This is a list of all programs which are setuid
root, or setgid root. Since such files are a potential security risk,
cfengine always prints a warning when it encounters a new one (one which
is not already in its list). This allows the system administrator to
keep a watchful eye over new programs which appear and give users root
access. The cfengine log is called /etc/cfengine/cfengine.log. The file
is not readable for general users.
In several cfengine commands, you use quoted strings to define a quantity of text which may contain spaces. For example
control:
macro = ( "mycommand" )
editfiles:
{ $(HOME)/myfile
AppendIfNoSuchLine 'This text contains space'
}
In each case you may use any one of the three types of quote marks in order to delimit strings,
' or " or `
If you choose, say ", then you may not use this symbol within the
string itself. The same goes for the other types of string delimiters.
Unlike the shell, cfengine treats these three delimiters in precisely
the same way. There is no difference between them.
If you need to quote a quoted string, then you should choose a delimiter
which does not conflict with the substring.
Note that you can use special variables for certain symbols in a string See Variable substitution.
Regular expressions can be used in cfengine in connection with
editfiles and processes to search for lines matching
certain expressions. A regular expression is a generalized wildcard. In
cfengine wildcards, you can use the characters '*' and '?' to match any
character or number of characters. Regular expressions are more
complicated than wildcards, but have far more flexibility.
NOTE: the special characters * and ?
used in wildcards do not have the
same meanings as regular expressions!.
Some regular expressions match only a single string. For example, every
string which contains no special characters is a regular expression
which matches only a string identical to itself. Thus the regular
expression cfengine would match only the string "cfengine", not
"Cfengine" or "cfengin" etc. Other regular expressions could match more
general strings. For instance, the regular expression c* matches
any number of c's (including none). Thus this expression would match the
empty string, "c", "cccc", "ccccccccc", but not "cccx".
Here is a list of regular expression special characters and operators.
\
[\] or quoted with a backslash itself \\.
\b
\B
\<
\>
\w
\W
any character
.
*
c*.
If no object precedes it, it represents a literal asterisk.
+
?
{ }
{5} would match exactly 5
instances of the previous object. {6,} would match at least
6 instances of the previous object. {7,12} would match at least
7 instances of, but no more than 12 instances of the preceding object.
Clearly the first number must be less than the second to make a valid
search expression.
|
[list]
[a-z] matches any character in the range a to
z, abcd matches either a, b, c or d. Most characters are
ordinary inside a list, but there are some exceptions: ] ends the
list unless it is the first item, \ quotes the next character,
[: and :] define a character class operator (see below),
and - represents a range of characters unless it is the first
or last character in the list.
[^list]
[:class:]alnum
alpha
blank
cntrl
digit
graph
lower
print
punct
space
upper
xdigit
( )\digit
^
$
Here is a few examples. Remember that some commands look for a regular expression match of part of a string, while others require a match of the entire string (see Reference manual).
^# match string beginning with the # symbol
^[^#] match string not beginning with the # symbol
^[A-Z].+ match a string beginning with an uppercase letter
followed by at least one other character
Shell list variables are normally defined by joining together a list of
directories using a concatenation character such as :. A typical
example of this is the PATH variable:
PATH=/usr/bin:/usr/local/bin:/usr/sbin
It is convenient to be able to use such variables to force cfengine to iterative over a list. This gives us a compact way of writing repeated operations and it allows a simple method of communication with the shell environment. For security reasons, iteration is supported only in the following contexts:
This typically allows communication with PATH-like environment variables in the shell.
In these contexts, any variable which has the form of
a list joined together by colons will be iterated over
at compilation time. Note that you can change the value
of the list separator using the split variable
in the control section of the program (see Reference manual).
For example, to link all of the binary files in the PATH environment variable to a single directory, tidying dead links in the process, you would write
control: actionsequence = ( links tidy ) links: /allbin +> $(PATH) tidy: # Hopefully no-match matches nothing /allbin pattern=no-match age=0 links=tidy
no-match is not a reserved word in cfengine, this is just a string you do not expect to match any file.
Alternatively, you might want to define an internal list using a space as a separator:
control: split = ( " " ) mylist = ( "mark ricky bad-dude" ) tidy: /mnt/home1/$(mylist) pattern=*.cfsaved age=1
This example iterates the tidy action over the directories /mnt/home1/mark,
/mnt/home1/ricky and /mnt/home1/bad-dude.
The number of list variables in any path or filename should normally be
restricted to one or two, since the haphazard combination of two lists
will seldom lead to any meaningful pattern. The only obvious exception
is perhaps to iterate over a common set of child-directories like
bin, lib etc in several different package directories.
This chapter is about building strategies for putting together a site configuration for your entire network.
In order to use any system administration tool successfully, you have to make peace with your system by deciding exactly what you expect and what you are willing to do to achieve the results. You need to decide what you will consider to be acceptable and what is to be considered completely untenable. You need to make these decisions because otherwise you will only be confused later when things don't go the way you expected.
Experience shows that the most successful policies for automation involve keeping everything as simple as possible. The more uniform or alike your machines are, the easier they are to run and the happier users are. Sometimes people claim that they need such great flexibility that all their machines should be different. This belief tends to be inversely proportional to the number of machines they run and generally only applies to very special development environments! Usually you will only need one or to machines to be special and most can be made very similar.
Site configuration is about sharing and controlling resources. The resources include disks (filespace), files, data, programs, passwords and physical machines. Before planning your sitewide configuration you should spend some time deciding how you would like things to work.
In the remaining parts of this chapter, you will find some hints and tips about how to proceed, but remember that when push comes to shove, you must make your own choices.
If you use the network information service (NIS) on your local network
then you may already have defined netgroups consisting of lists
of hosts which belong to specific owners at your site. If you have,
then you can use these groups within cfengine. This means that you can
use the same groups in the /etc/exports file as you use to define
the mount groups and classes.
A netgroup is a list of hostnames or user names which are registered in the network information service (NIS) database under a specific name. In our case we shall only be interested in lists of hostnames.
To make a netgroup you need to define a list in the file
/etc/netgroup on your NIS server. If you are not the NIS
administrator, you will have to ask to have a netgroup installed. The
form of a netgroup list of hosts is:
mylist-name (host1,,) (host2,,) (host3,,) (host4,,) norway-sun4-host (saga,,) (tor,,) (odin,,) foes-linux-hosts (borg,,)
Each list item has three entries, but only the first is relevant for a host list. See the manual pages on netgroups for a full explanation of the meaning of these fields.
The usefulness of netgroups is that they can be used to stand for a list
of hostnames in system files like /etc/exports. This compresses
the amount of text in this file from a long list to a single name. It
also means that if you use the same list of hosts from a netgroup inside
cfengine when defining groups and classes, you can be sure that you are
always using the same list. In particular it means that you don't have
to update multiple copies of a list of hosts.
The netgroups can now be used in cfengine programs by using the +
or @+ symbols in the groups section. (see Reference manual).
File and link management takes several forms.
Actions are divided into three categories called
files, tidy and links. The first of
these is used to check the existence of, the ownership
and permissions of files. The second concerns the systematic
deletion of garbage files. The third is a link manager
which tests, makes and destroys links. The monitoring
of file access bits and ownership can be set up for
individual files and for directory trees, with controlled
recursion. Files which do not meet the specified criteria
can be `fixed' --i.e. automatically set to the correct
permissions, or can simply be brought to the attention of
the system administrator by a warning.
The syntax of such a command is as follows:
files:
class::
/path mode=mode owner=owner group=group
recurse=no-of-levels action=action
The directory or file name is the point at which cfengine
begins looking for files. From this point the search for files
proceeds recursively into subdirectories with a maximum limit set by
the recurse directive, and various options for dealing with
symbolic links and device boundaries. The mode-string defines the
allowed file-mode (by analogy with chmod) and the owner and group
may specify lists of acceptable user-ids and group-ids. The action
taken in response to a file which does not meet acceptable criteria is
specified in the action directive. It includes warning about or
directly fixing all files, or plain files or directories only. Safe
defaults exist for these directives so that in practice they may be
treated as options.
For example,
files:
any::
/usr/*/bin mode=a+rx,o-w own=root r=inf act=fixall
which (in abbreviated form) would check recursively all files and
directories starting from directories matching the wildcard
(e.g. /usr/local/bin, /usr/ucb/bin). By default, fixall
causes the permissions and ownership of the files to be fixed without
further warning.
One problem with symbolic links is that the files they point to can
get deleted leaving a `hanging pointer'. Since cfengine can make
many hundreds of links without any effort, there is the danger that, in time,
the system could become full of links which don't point anywhere. To
combat this problem, you can set the option links=tidy in the files
section. If this is set, cfengine will remove any symbolic links which
do not point to existing files (see Reference manual).
The creation of symbolic links is illustrated in figure 1 and the checking algorithm was discussed in section 2. In addition to the creation of single links, one may also specify the creation of multiple links with a single command. The command
links:
binaryhost::
/local/elm/bin +> /local/bin
links all of the files in /local/elm/bin to corresponding files
in /local/bin. This provides, amongst other things, one simple
way of installing software packages in regular `bin' directories without
controlling users' PATH variable. A further facility makes use of
cfengine's knowledge of available (mounted) binary resources to search
for matches to specific links. Readers are referred to the full
documentation concerning this feature.
The need to tidy junk files has become increasingly evident during the
history of cfengine. Files build up quickly in areas like /tmp,
/var/tmp. Many users use these areas for receiving large
ftp-files so that their disk usage will not be noticed! To give
another example, just in the last few months the arrival of
netscape World Wide Web client, with its caching
facilities, has flooded hard-disks at Oslo with hundreds of megabytes of
WWW files. In addition the regular appearance of core files1
and compilation by-products (.o files and .log files
etc.) fills disks with large files which many users do not understand.
The problem is easily remedied by a few lines in the cfengine
configuration. Files can be deleted if they have not been accessed for
n-days. Recursive searches are both possible and highly practical
here. In following example:
tidy:
AllHomeServers::
home pattern=core r=inf age=0
home/.wastebasket pattern=* r=inf age=14
home/.netscape-cache pattern=cache????* r=inf age=2
home/.MCOM-cache pattern=cache????* r=inf age=2
home/.netscape pattern=cache????* r=inf age=2
all hosts in the group AllHomeServers are instructed to
iterate over all users' home directories (using the wildcard
home) and look for files matching special patterns.
Cfengine tests the access time of files and deletes
only files older than the specified limits. Hence all core
files, in this example, are deleted immediately, whereas files in the
subdirectory .wastebasket are deleted
only after they have lain there untouched for 14 days, and so on.
As a system administrator you should, of course, exercise great caution when making rules which can delete users' files. A single slip of the hand can result in a rule which will irretrievably delete files.
When making a `tidy' strategy you should probably coordinate with your backup policy. You should not delete files until after you have taken a backup, so that -- if the worst should happen -- you are covered against possible accidents.
Cfengine helps to some extent to keep track of what files it deletes.
When tidying users' home directories it creates a log file of all files
which were deleted on the last tidy operation. This log is called
~/.cfengine.rm.
You might consider tidying certain files only once a week, in which case a command such as
tidy:
AllHomeServers.Sunday::
files to tidy
could be useful. Nonsense files, such as `core' files could be tidied every night.
NOTE! Be careful when telling cfengine to delete core files. If
you write a wildcard like core*, then you could risk deleting
important system files such as core.h.
The administration of a system often requires the copying of files. The reason for this is usually that we would like to distribute a copy of a particular file, from some master location and ensure that all of the copies are up to date. Another use for this is to install software from one directory (perhaps on a CD ROM) to another.
Cfengine helps this process by allowing you to copy a single file or a file tree, from one directory to another, perhaps checking the permissions and owners of a file to adjust the copies in some special way. The files are checked by cfengine using one of two methods.
Cfengine allows you to do the following
You can find out more about copying in the reference section.
Cfengine allows you to check for the existence of processes on your
system, send those processes signals (such as kill) and perhaps
restart those processes. Typical applications for this are sending
cron and inetd the HUP signal, after editing their
configuration files, or killing unwanted processes (such as user
programs which hog the system at peak usage times).
You can read more about this in the reference section .
Most of the filesystems that you will want to make available across the
network are going to fall into one of two categories. In cfengine
parlance these are called home directories and binary
directories. A home directory is a place where users' login
directories are kept. This is traditionally a directory called
/home or /users or some subdirectory of these. A binary
directory is a place where compiled software is kept. Such files (which
do not belong to the pure operating system release) are often placed in
a directory called /usr/local or simply /local.
In this chapter we shall consider a scheme for using cfengine to make NFS filesystem management quite painless.
Using the Network File System (NFS) in a large workstation environment requires a bit of planning. The idea of NFS is to share files on one host with other hosts. In most cases, filesystems to be shared across the network fall into two categories: binary filesystems (those which contain compiled software) and user or home filesystems (which contain users' login areas).
The most simple minded way to share resources would be to mount every resource (each available NFS filesystem) onto every host. To avoid collisions, each filesystem would have to have a unique name. This is one possibility, but not a very intelligent one. As experienced users will realize, cross-mounting too many NFS filesystems is a recipe for all kinds of trouble.
Cfengine offers a simple model which can help you pick out only the
resources you need from the list of NFS filesystems. It will then mount
them automatically and edit the appropriate filesystem tables. It does
this by defining classes of hosts. For instance -- you really don't
need to mount a binary filesystem for an ultrix system onto an
HPUX system. There would be no point -- binary resources are
architecture or hard-class dependent. But home directories
are architecture independent.
Cfengine lets you to define a list of allowed servers for various hosts so that only filesystems from the servers will be considered for mounting!
The first step towards treating NFS filesystems as network resources is
to invent a naming scheme so that every filesystem has a unique name on
which it can be mounted. If we don't sort this out now, we could find
two or more hosts with a filesystem called /usr/local, both of
which we might like to mount since they contain different software.
A simple but extremely useful naming scheme is the following. 2 If you don't like this scheme you can invent your own, but the remainder of the text will encourage you to use this one. If you follow this scheme, exactly as described here, you will never have any problems with mount points. We shall describe the scheme in detail below. Here are some points to digest:
/usr/local. If you this involves compiled software and
you do this on one host, you should do it on others which are of the
same type.
Each filesystem is given a directory name composed of three parts:
/site/host/contents
The first directory (which only exists to create a suitable mountpoint) is the name of your local site. If you are a physics department at a university (with a separate setup) you could call this `physics'. It could be your company name or whatever. The second piece is the name of the host to which the disk space is physically attached. The final piece is the name of the filesystem. Here are some typical examples:
/physics/einstein/local # /usr/local for einstein@physics /physics/newton/u1 # user partition 1 for newton@physics
On the machines which are home to the `local' partition, it is better to
make a link to /usr/local than call the filesystem
/usr/local directly. This is because it makes the procedure of
organizing the entire network much clearer.
It is worth noting that, when you ask cfengine to mount such a resource,
it will automatically make the mount directory and can easily be asked
to make a link to /usr/local, so this small amount of extra work
is really no work at all.
The whole naming convention is compactly summarized by defining a mount
point variable, mountpattern. With the present scheme, this can
be defined as
mountpattern = ( /$(site)/$(host) )
so that it evaluates to the name of the host executing the file
regardless of who that may be. This variable is used together with the
homepattern pattern variable, which is used to distinguish
between home directories and binary resources. (See homepattern
in the reference section). You can think of this as being part of the
naming convention. In this text, we use the convention u1 u2
u3... for home disks. You could equally well use home1 home2...
etc. As long as the name is unique, it doesn't matter.
The full list of named resources should now be listed in the
mountables list, which is simply a list of all the resources
available for mounting on the network.
Once you have defined your unique names, how does cfengine know what to mount? The idea is now to define a list of servers for each class of hosts.
Suppose we make a binserver declaration:
binservers:
mygroup.sun4::
einstein
newton
This would tell cfengine that it should mount all binary resources from
hosts einstein or newton onto any host of type sun4
in the group mygroup. Every filesystem which is listed in
mountables and is not a home directory will be mounted.
Home directories and binary resources are kept separate automatically by
cfengine, because a home directory is one whose contents-name matches
the homepattern pattern variable. See Unique filesystem mountpoints.
A homeserver declaration:
homeservers:
mygroup::
einstein
newton
schwinger
feynman
would correspondingly mean mount all the home directory resources on the
hosts in the list on all hosts in the group mygroup. Clearly it
is unnecessary to distinguish between the architecture platform types of
the actual servers for user directories.
In each case, cfengine will mount filesystems, make the appropriate directories for the mount point and edit the filesystem table.
Once you have mounted a resource on a unique directory, you have access
to all of the relevant filesystems on your network -- but you really
wanted the `local' filesystem to be mounted on /usr/local. All
you need do now is to make a link:
links:
any::
/usr/local -> /$(site)/$(binserver)/local
The meaning of this is that, on any host, the directory
/usr/local should be a link to the `nearest' binary server's
`local' resource. The $(binserver) variable can in principle
expand to any binary server in the list. In practice, cfengine goes
through the list in order and picks the first filesystem resource which
matches.
Could this lead to a collision? Suppose we are on the host `einstein'
and we execute the above command. The host `einstein' has a filesystem
/physics/einstein/local on its local disk -- it is in fact the
binary server for the network, so it certainly doesn't need to mount any
NFS filesystems. But this is no problem because cfengine automatically
treats $(host) as the highest priority binary server for any
host. That means that if you have a local filesystem, it will always
have priority.
In contrast, if the host `schwinger' ran the command above, it would
find no local filesystem called /physics/schwinger/local, so it
would go along the list of defined binary servers, find `einstein' and
try again. It will succeed in finding `einstein' provided all the
binary servers were mounted before the link command is executed. This
means that you should structure the actionsequence so that all
filesystems are mounted before any links are made.
With a little practice, the cfengine model can lead to an enormous simplification of the issue of NFS-mountable resources.
NOTE: cfengine does not try to export filesystems, only mount already
exported filesystems. If you want to automate this procedure also, you
can use the editfiles facility to add entries to
/etc/exports (see editfiles in the Reference manual). In practice this is very
difficult to do and perhaps not desirable.
Let's write a very simple configuration for a network with only one server called hal, where all the hosts are of the same operating system type. In such an example we can avoid using classes altogether.
control:
site = ( univ )
domain = ( univ.edu )
actionsequence =
(
mountall
mountinfo
addmounts
mountall
links
)
binservers:
hal
homeservers:
hal
mailserver:
hal:/var/spool/mail
mountables:
hal:/univ/home1
hal:/univ/home2
hal:/univ/local
links:
/usr/local -> /univ/local
In this example, we have only one type of host so the configuration is the same for each of them: no class references are required. If we look through the action sequence we see that the program first mounts all the filesystems which are already defined on each host. It does this to be sure that everything which is already set up to be mounted is mounted. Let's assume that there are no problems with this.
The next thing that happens is that mountinfo builds a list of
the filesystems which each host has successfully mounted. Then by
calling addmounts we ask cfengine to check whether the host is
missing any filesystems. What happens is that cfengine first looks to
see what servers are defined for each host. In this case all hosts on
the network have only one server: hal. Hal is defined as a server for
both binary data and `home' data -- i.e. users' home directories. The
list mountables tells cfengine what filesystems are available
over the network for the server hal. There are three filesystems which
can be mounted, called /univ/home1, /univ/home2 and
/univ/local. Cfengine checks to see whether each of these
filesystems is mounted and, if not, it builds the necessary directories,
edits the necessary files and mounts the filesystems.
Finally we come to links in the action sequence. This tells
cfengine to look at the defined links. There is one link defined: a
link from /usr/local to the mounted filesystem
/univ/local. Cfengine checks and tries to make the link if
necessary. If all goes well, each host on the network should now have
at least three filesystems mounted and a link from /usr/local to
/univ/local.
Here is another simple example program for checking and automatically
mounting an NFS based /usr/local and all home directories onto
all hosts on a small network. Here we have several servers and must
therefore use some classes.
#
# Mounts
#
control:
site = ( mysite )
domain = ( mysite.country )
sysadm = ( mark )
netmask = ( 255.255.255.0 )
actionsequence =
(
mountall
mountinfo
addmounts
mountall
links
)
mountpattern = ( /$(site)/$(host) )
homepattern = ( u? ) # u1 u2 u3 etc..
groups:
MyGroup =
(
host1
host2
binserver1
binserver2
)
######################################################################
homeservers:
MyGroup:: host1
binservers:
MyGroup.sun4:: server1
MyGroup.ultrix:: server2
mailserver:
host1:/usr/spool/mail
mountables:
host1:/mysite/host1/u1
host1:/mysite/host1/u2
server1:/mysite/server1/local
server2:/mysite/server2/local
##########################################################################
links:
/usr/local -> /${site}/${binserver}/local
Let's suppose we run this program on host2 which is an ultrix machine.
This host belongs to the class mygroup and the hard-class
ultrix. This tells us that its homeserver is host1, its binary
server is server2 and its mailserver is host1. Moreover, since the
homepattern matches any filesystem ending in u-something, it recognizes
the two home directories in the mountables list -- and therefore the
two binary directories also.
The action sequence starts by mounting all of the filesystems currently
in the filesystem table /etc/fstab. It then scans the list of
mounted filesystems to find out what is actually mounted. Since the
homeserver is host1, we know that our host has to mount all
home-filesystems from this server, so it checks for
host1:/mysite/host1/u1 and host1:/mysite/host1/u2. If
they are not present they are added to /etc/fstab3. Next, we know that the binary server is server1,
so we should check for server1:/mysite/server1/local. The mail
server is also checked for and added if necessary. Cfengine then tries
to mount all filesystems once again, so that the new filesystems should
be added.
Note that, in the process of adding the filesystems to
/etc/fstab, cfengine creates the directories up to and including
the point at which the filesystems should be mounted. If something
prevents this -- if we try to mount on top of a plain file for instance
-- then this will result in an error.
Finally, we reach the link section and we try to expand the variables.
$(site) expands to mysite. $(binserver) expands
first to the hostname (host2), but /mysite/host2/local does not
exist, so it then goes to the binserver list, which substitutes server1
for the value of $(binserver). Since
/mysite/server1/local does exist and is now mounted, cfengine
makes a link to this directory from /usr/local. The script is
then completed.
If the script is run again, everything should now be in place so nothing happens. If for some reason it failed the first time, it will fail again. At any rate it will either do the job once and for all or signal an error which must be corrected by human intervention4.
The automounter is a daemon based service which replaces static mounting of NFS filesystems with a dynamical model. When the automounter is running, filesystems are mounted only when a user tries to access a file which resides on one of those filesystem. After a given period (usually five minutes) any filesystem which has not been accessed is unmounted. The advantage of this scenario is that hanging servers do not affect the behaviour of hosts which mount their filesystems, unless a specific file is being accessed. In both cases, filesystems must be exported in order to be mountable.
It is not the purpose of this section to explain the use of the automounter in detail, only to offer hints as to how cfengine can be used to simplify and rationalize automount configuration for the already initiated. Let us begin by comparing the behaviour of the automounter with the cfengine model for mounted filesystems.
The automounter is designed to be used together with a global
configuration file, distributed by NIS (the network information
service). As such, all hosts read the same configuration
file. This makes it appear as though all hosts end up mounting every
filesystem in the automount configuration database, but this is not so
in practice because filesystems are only mounted if required. Thus a
system which does not require a filesystem will not attempt to mount it.
Moreover, the existence of a global configuration file does not affect
which hosts have the right to mount certain filesystems (which is specified
by exports or share on the relevant server), thus a request to mount
a non-exported filesystem will result in an access denial. The automounter
is configured locally on each host in files named /etc/auto_master,
auto_direct etc.
In the cfengine static mounting scheme, you define a list of binary
and home servers. The filesystem table is modified on the basis of
these decisions, and filesystems are only added if cfengine deems it
appropriate to mount them on a given host. The idea here is to minimize
the number of filesystems mounted to those which are known to be required.
Again the issue of access permissions must be arranged separately. These
filesystems are placed directly in /etc/fstab, or the equivalent for
your system.
From cfengine, you can use the automounter instead of the static mount model by
addmounts, mountinfo, mountall
from the actionsequence, in the control part
of your cfengine program,
editfiles to edit the relevant configuration files
such as /etc/auto_master, or auto_direct etc,
AutomountDirectResources command in editfiles
to dump the list of cfengine class-based list of mountables
into a file of your choice in the correct format for
autmount's direct maps,
processes to restart the automounter
(send the hangup signal hup), or perhaps stop and restart
the daemon by sending the term signal (you should never
send the kill signal).
files or tidy to
clean up stale links afterwards,
copy to distribute basic automount configuration
files to multiple systems.
The automounter was created to solve certain problems which cfengine now
solves (in the author's opinion) better. For example, the use of the
`hosts' map in the automounter mounts filesystems like
/usr/local on different (uniquely named) mountpoints for each host
in order to avoid name space collisions. Using cfengine and a unique
naming scheme, you can achieve the same thing more cleanly, without all
of the gratuitous linking and unlinking which the automounter performs
by itself. Moreover, the idea of a unique name-space is better practice
and more in keeping with new global filesystem ideas such as AFS and DFS.
The only advantage of the automounter is that one avoids the annoying
error messages from hung servers about "NFS server not responding".
In that respect, it seems sensible to use only direct mounts and a
unique name space.
Some systems advocate grouping all users' login (home) directories
under a common directory called /home or users.
The automounter goes through all manner of contortions to achieve
this task. If you use a unique naming scheme like the one
advocated here, this is a trivial task. You simply arrange to mount
or automount all user directories, such as
/site/host/home1 /site/host/home2 ...
and then link them as follows:
/home +> /site/host/home1 /home +> /site/host/home2 ...
Finally, you should be aware that the automounter does not like to be mixed with static mount and unmount operations. Automounted filesystems take priority over statically mounted filesystems, but the automounter can be confused by manually mounting or unmounting filesystems while it is running.
A very convenient characteristic of BSD/System 5 systems is that they are configured primarily by human-readable textfiles. This makes it easy for humans to configure the system and it also simplifies the automation of the procedure. Most configuration files are line-based text files, a fact which explains the popularity of, for example, the Perl programming language. Cfengine does not attempt to compete with Perl or its peers. Its internal editing functions operate at a higher level which are designed for transparency rather than flexibility. Fortunately most editing operations involve appending a few lines to a file, commenting out certain lines or deleting lines.
For example, some administrators consider the finger service to be a threat to security and want to disable it. This could be done as follows.
editfiles:
{ /etc/inetd.conf
HashCommentLinesContaining "finger"
}
Commands containing the word `Comment' are used to `comment out' certain
lines from a text-file--i.e. render a line impotent without actually
deleting it. Three types of comment were supported originally: shell
style (hash) #, % as used in TeX and on AIX systems, and
C++-style //.
A more flexible way of commenting is also possible, using directives
which first define strings which signify the start of a comment and the
end of a comment. A single command can then be used to render a comment.
The default values of the comment-start string is # and the
default comment-end string is the empty string. For instance, to define
C style comments you could write:
{ file
SetCommentStart "/* "
SetCommentEnd " */"
# Comment out all lines containing printf!
CommentLinesMatching ".*printf.*"
}
Other applications for these editing commands include monitoring and
controlling root-access to hosts by editing files such as .rhosts
and setting up standard environment variables in global shell resource
files-- for example, to set the timezone. You can use the editing
feature to update and distribute the message of the day file,
or to configure sendmail, (see FAQS and Tips in the Reference manual).
An extremely powerful feature of cfengine is the ability to
edit a similar file belonging to every user in the system. For example,
as a system administrator, you sometimes need to ensure that users
have a sensible login environment. Changes in the system might require
all users to define a new environment variable, for instance. This is
achieved with the home pseudo-wildcard. If one writes
{ home/