Monday 25 April 2016

Getting started with CFEngine part 5 (Distributed node management & explaining desired state configuration)


In the last tutorial I created the policy my.cf to create a file named hello-world in the /tmp folder, but only on my policy server. I briefly illustrated how to distribute it across clients.
Here is a detailed example:

Copy the policy file to the /var/cfengine/masterfiles directory:

cp my.cf /var/cfengine/masterfiles

Edit the /var/cfengine/masterfiles/promises.cf file.
Note: use vim instead of vi as it makes spotting syntactical errors easier.

In body common control, insert the bundle name my_test in the bundlesequence. Don't forget to put a comma after the bundle name.
Include my.cf in the inputs section of body common control in promises.cf. Remember to put it in double quotes followed by a comma.
With this done, the policy will be executed every time cf-agent running on a client contacts the policy server.
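The two edits to promises.cf described above, as an added example that is not taken from the original post. The stock entries are elided as comments, and the contents of my.cf are an assumption based on the description of a policy that creates /tmp/hello-world.

```cfengine3
# /var/cfengine/masterfiles/promises.cf (fragment; stock entries elided)
body common control
{
      bundlesequence => {
                          # ... existing bundles stay as they are ...
                          my_test,     # bundle defined in my.cf, followed by a comma
      };

      inputs => {
                  # ... existing input files stay as they are ...
                  "my.cf",     # copied into masterfiles next to promises.cf
      };
}

# /var/cfengine/masterfiles/my.cf (assumed contents, not shown on this page)
bundle agent my_test
{
  files:
      "/tmp/hello-world"
        create => "true";      # created again on the next agent run if missing
}
```

Running cf-promises -f /var/cfengine/masterfiles/promises.cf on the policy server checks the edited policy for syntax errors before clients pick it up.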

In the basics tutorial I mentioned attaining the desired state quite a few times. I'll try to explain this based on our my.cf policy file example.
When the policy was executed on the server & client, the hello-world file was created on both. I then removed the file.
[root@dockertest tmp]# rm hello-world
rm: remove regular empty file ‘hello-world’? y
[root@dockertest tmp]# ls
cfengine-nova-3.7.3-1.x86_64.rpm  edit_motd_helloworld.cf  hsperfdata_root  my.cf  promises.cf  redis.sock
[root@dockertest tmp]# date
Sun Apr 24 15:04:21 EDT 2016

After a few minutes, when I checked, wow, the file was there again!
[root@dockertest tmp]# ls
cfengine-nova-3.7.3-1.x86_64.rpm  edit_motd_helloworld.cf  hello-world  hsperfdata_root  my.cf  promises.cf  redis.sock
[root@dockertest tmp]# date
Sun Apr 24 15:13:12 EDT 2016
[root@dockertest tmp]# ls -l hello-world
-rw-------. 1 root root 0 Apr 24 15:06 hello-world
[root@dockertest tmp]#

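This happened because on its next run after the 5 minute interval, cf-agent detected that the system had deviated from the policy in promises.cf & automatically executed the policy again, thereby attaining the desired state of configuration again.
This is really useful when we want to monitor & protect files against unauthorized deletion. Keep in mind that the file is restored on the next agent run rather than shielded from deletion, and that here it comes back as an empty file (0 bytes in the listing above).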
