Normation – CC-BY-SAnormation.com

CFEngine, 4 years laterCFEngine, 4 years later______________________________________________________

A song of code and configurationA song of code and configuration

Matthieu CERDA

Normation – CC-BY-SAnormation.com 2

Who are you ?

Name Matthieu CERDA

Email : matthieu.cerda@normation.com

Web site : http://www.normation.com

Twitter : @Kegeruneku

Job System engineer at Normation

CFEngine Enthusiast, power user and trainer

Rudder Integrator, packager

Infrastructure Team member

Normation – CC-BY-SAnormation.com 3

What are we going to talk about

CFEngine 3

● How we began with it, what we gained from it

● “Funky” use cases

● The future

Normation – CC-BY-SAnormation.com 4

Why CFEngine ?

● Few dependencies (LMDB, OpenSSL, [PCRE])

● Small memory footprint

● Highly compatible

● Working “close to the OS” (Can be seen as a flaw for some people)

http://www.cfengine.com | http://www.github.com/cfengine

Normation – CC-BY-SAnormation.com 5

CFEngine 3 : 20 % cooler !

● Created in 2009

● Complete rewrite from CF2

● Promise theory

● Based on what has been learnt from Puppet and CF2

● Alive and kicking !

Normation – CC-BY-SAnormation.com 6

e

Overview

Puppet Chef

CFEngine

e

Normation – CC-BY-SAnormation.com 7

A long path 'till today !

● Learnt to use CFEngine properly

● Acquired knowledge about best practices, worked with great people

● Helped to build Rudder from the ground

● Began working on ncf with Normation's team

● Became a trainer :)

Normation – CC-BY-SAnormation.com 8

The beginning

● Back to 2009 !!!

● Sparse documentation

● Inexperience

● Advice: Start small, to manage few machines

e

Normation – CC-BY-SAnormation.com 9

Funky example 1: Rug

● Rug was SLES 10 default package manager (Now, it is Zypper)

● Problem ? Rug relies on a Mono backend (ZMD) that hangs if you stress it too much or call it repeatedly...

● Needed a way to make an exclusion for this specific kind of machines !

Normation – CC-BY-SAnormation.com 10

2 – ALWAYS modularize when you can

● Example: Package installation definition

Normation – CC-BY-SAnormation.com 11

2 – ALWAYS modularize when you can

● Example: … and the “utility” bundle that goes with it !

Normation – CC-BY-SAnormation.com 12

A word about promises layout

● Everything begins with a bootstrap cf-agent -B <my ip address>cf-agent -B <my ip address>

● Never do everything in one file, always split your promises using a hierarchical order:

● Always separate utilities, zones and services

Normation – CC-BY-SAnormation.com 13

3 – Reporting is important

● Example: When something bad happens, you'll be happy to see where the problem is (without having to go for the debug output) !

You need a “verbose” mode. =>

● As always: modularization is important !

● Static and redundant reports are a good way to make your code fat and unreadable in the long term.

Normation – CC-BY-SAnormation.com 14

3 – Reporting is important

Normation – CC-BY-SAnormation.com 15

3 – Reporting is important

Normation – CC-BY-SAnormation.com 16

Funky example 2: Internal database bloat

● CFEngine uses a database to store internal state value (BerkeleyDB for < 3.3, TokyoCabinet for 3.3 to 3.5 and LMDB for 3.6+) => https://cfengine.com/dev/issues/2560

● BDB / TokyoCabinet do bloat when using reporting with highly volatile values (reporting a date everytime with seconds)

● Result:

Normation – CC-BY-SAnormation.com 17

Funky example 2: Internal database bloat

Solutions:

● Stop reporting all the time (Only report relevant changes)

● Mount the “state” directory on a RAMdisk http://blog.normation.com/en/2013/09/09/speed-up-your-cfengine-by-using-a-ram-disk

Bonus effect: Up to 2/3 times faster during I/O on databases

● Destroy the databases regularly (every month or week)

Normation – CC-BY-SAnormation.com 18

4 – Backup your stuff

● Example: When CFEngine does something with a file, you would like to keep a backup of this file beforehand

<= You need a backup repository.

https://cfengine.com/docs/3.5/reference-promise-types-files.html#repository

● File name is preserved, along with backup timestamp

Normation – CC-BY-SAnormation.com 19

4 – Backup your stuff

Normation – CC-BY-SAnormation.com 20

5 – Tame the agent

● Example: You want to make sure CFEngine only operates in safe environments

You need way to make CFEngine only operate in =>certain conditions

● CFEngine can be told to abort if certain conditions are not met

https://cfengine.com/docs/3.5/reference-components-cfagent.html#abortclasses

Normation – CC-BY-SAnormation.com 21

5 – Tame the agent

Normation – CC-BY-SAnormation.com 22

6 – Always a damn DNS problem (tm)

● Example: Your network interfaces resolutions are not always working properly (AWS ?)

You need to make CFEngine ignore some interfaces

● CFEngine can be told to ignore some network interfaces if needed

● It is a workaround, not a solution !

Normation – CC-BY-SAnormation.com 23

6 – Always a damn DNS problem (tm)

Normation – CC-BY-SAnormation.com 26

BONUS STAGE: Beware of the allmighty Cron

● A word of warning:

Cron(d) is not a configuration management engine !!!

● Easy to “fix” things quickly with a cron job

● KISS: Let every tool do its job, do not fall in the trap

Normation – CC-BY-SAnormation.com 27

Future

● Continue to improve Rudder

● Work on the ncf framework (See Jon's presentation !)

● Work with the Debian packaging team

● Train more people !

e

Normation – CC-BY-SAnormation.com 28

Questions ? :)Questions ? :)