With the advent of virtualization and cloud computing, modern IT management relies more and more on the concept of "create, set up, use and throw away" servers. In this context, the benefits of automating and rationalizing the "set up phase" are obvious. This is where configuration management tools come into play.
This presentation kicks off with a discussion of some key points of configuration management and their benefits and drawbacks, building on real-world examples (well, pseudo examples, mostly too silly to have ever really happened... or maybe not?).
The main contender will then be introduced: CFEngine 3. Released in 2009, this is a brand new version of the open source configuration management solution, built on 17+ years of experience from previous versions of the software. We'll introduce the technology's key points, comparing approaches with similar devops-type tools, such as Puppet and Chef (where possible).
I then cover the basics of setting up a minimal environment to start automating your configuration with CFEngine 3, with simple but illustrative examples.
Configuration management: automating and rationalizing server setup with CFEngine 3 (Open World Forum 2011)
1. 24/09/2011
Configuration Management
Automating and rationalizing server setup with CFEngine 3
Jonathan Clarke <jcl@normation.com>
2. About the speaker
Jonathan Clarke → CTO →
Sysadmin background
Infrastructure management
FLOSS contributor:
● CFEngine
● Others (OpenLDAP, LSC, FusionInventory...)
Startup created in 2010
Based in Paris
Configuration management:
● CFEngine (partner)
● Rudder (creator)
8. A server crashed.
Install a new one, people
can't work without it!
OK, it'll be done in
about two days...
Why configuration management?
There's a new critical security patch
we must deploy on all our servers!
Get it out quickly!
Right, I'll put the whole
team on it.
10. How do we set up
service X?
Ask Jim, he's
the expert on that.
But he left the company...
Why configuration management?
Huh, this server has been logging
errors for a few weeks.
Oh? I think Michael changed
something on it recently...
He'll tell you what it was.
Damn, he's on vacation!
11. Documentation History
Building-up
knowledge
Why configuration management?
12. An intruder just stole our data
using a vulnerability in a
module we don't need...
I thought the project specification
ensured that we disabled that?
Er, it did, but we enabled it to
solve a problem and forgot to
disable it afterwards... sorry...
Why configuration management?
14. I don't understand how this
server is set up. It doesn't match
our best practices.
Oh, that's a legacy server...
Why configuration management?
Give me details on our
current security policy.
Well, it's a collection of little
things, here and there...
Ah... Well, OK.
Tell me: is it fully applied
on all our critical servers?
Er...
19. Main tools available: history
Relative origins of CFEngine, Puppet and Chef
Source:
http://verticalsysadmin.com/blog/uncategorized/relative-origins-of-cfengine-chef-and-puppet
20. The tools: similarities
CFEngine 3, Puppet, Chef
● Common origins
● Designed specifically for configuration management
● Text-based / CLI interface
● Client-server model (sometimes optional)
● Open Source
21. The tools: some differences
                  CFEngine 3   Puppet            Chef
Language          C            Ruby              Ruby
License           GPL          Apache (ex-GPL)   Apache
Windows support   Yes          Preliminary       Partial
23. CFEngine 3: Features
Multi platform
Windows support
Two versions:
1. Community (open source)
● Runs in Cygwin
2. Nova (commercial)
● Native Windows service
24. CFEngine 3: Features
Adapted to heterogeneous environments
Multi-OS
Multi-distribution
Make it "transparent" (forget about the complexity)
Existing standard library handling the differences between each OS and distribution
25. CFEngine 3: Features
Lightweight, non-intrusive
Non-intrusive
Daemon consumption on managed hosts
Only two dependencies:
- BerkeleyDB
- OpenSSL
26. CFEngine 3: Features
Highly scalable
Evolution of CPU utilization for an increasing number of managed hosts
From 25 to 400 clients (x16)
CPU utilization increases by 1.16%
Notes:
• Each host runs CFEngine every 5 minutes
• Configuration tested sets up Apache web server
• Tests and monitoring using AWS
27. CFEngine 3: Features
Multi platform
Adapted to heterogeneous environments
Lightweight, non-intrusive
Autonomous
Fault-tolerant
Highly scalable
Progressive roll-out
30. CFEngine 3: Client-Server
Using a server is optional!
Get started by running standalone
CFEngine's server daemon is cf-serverd
Dedicated protocol: TCP port 5308
Requires SSL key exchange
31. CFEngine 3: Configuration
Minimal configuration:

    body common control
    {
      bundlesequence => { "HelloWorld" };
    }

    bundle agent HelloWorld
    {
      # This will output "Hello World!"
      commands:
        "/bin/echo Hello World!";
    }

Syntax notes
● Whitespace doesn't count
● Comments follow #
Structure notes
● Structures are created using { }
● Structures are bundles or bodies
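
The forgotten-module scenario from slide 12, written as a policy in the syntax shown on slide 31. This is an added example, not part of the original slides. It assumes a Debian-style Apache layout, the CFEngine standard library file `cfengine_stdlib.cf` next to the policy, and a stand-in module name `status`.

```cfengine
# Added example (not from the original presentation).
# Assumptions: Debian-style Apache paths, init script location,
# stdlib file name, and "status" as a placeholder module name.

body common control
{
  bundlesequence => { "apache_unneeded_modules" };
  inputs         => { "cfengine_stdlib.cf" };
}

bundle agent apache_unneeded_modules
{
  vars:
      "mods_enabled" string => "/etc/apache2/mods-enabled";
      # Modules the project specification says must stay disabled
      "unneeded"     slist  => { "status" };

  files:
      # Promise: the links that enable each listed module do not exist.
      # If someone re-enables a module "to solve a problem", the next
      # agent run removes it again and raises the class below.
      "$(mods_enabled)/$(unneeded).load"
        comment => "Module must stay disabled per project specification",
        delete  => tidy,
        classes => if_repaired("apache_needs_reload");

      "$(mods_enabled)/$(unneeded).conf"
        comment => "Module configuration must not be active either",
        delete  => tidy,
        classes => if_repaired("apache_needs_reload");

  commands:
    # Runs only when a repair actually happened
    apache_needs_reload::
      "/etc/init.d/apache2 reload";

  reports:
    apache_needs_reload::
      "Unneeded Apache module was found enabled on $(sys.fqhost); it was disabled and Apache was reloaded";
}
```

The report line doubles as an audit trail: a host that keeps emitting it is a host where someone keeps re-enabling the module by hand.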