getting started with cfengine - updated version
DESCRIPTION
Learn how to avoid downtime by tracking system drift, how to increase the robustness and security of your systems, and how to make sure you adhere to compliance standards using CFEngine. This slide deck accompanied our "Getting Started with CFEngine" webinar, where we covered how to achieve all those benefits using CFEngine policies, promises, and sketches. Use the examples in these slides to start your own CFEngine implementation. A recording of the webinar can be found at http://youtu.be/i82tPVpQcfc
TRANSCRIPT
Getting Started with CFEngine
Agenda
• Infrastructure Automation with CFEngine
• Theory Concepts
• Software Components
• Language Concepts
• Examples
• Q&A
Benefits of Infrastructure Automation
Productivity
• Global changes in minutes
• Unlimited scale and complexity
• Remove human bottlenecks
Costs
• Reduced need for labor
• Reduced costs related to instability/outages
• Reduced license costs
Security
• Billions of compliance checks per day
• Real-time compliance repairs
• Granular and pattern based
Architected for Speed, Security and Web Scale
[Architecture diagram: 1. Define Desired State, 2. Ensure Defined State, 3. Verify Actual State; components shown: Policy Server, Design Center, Knowledge Center, CFDB, CFE Agents]
History
• 1993: Open Source project
• 2001: CFEngine version 2
• 2004: Promise Theory
• 2009: CFEngine version 3
• 2014: CFEngine version 3.6
Customer Validation
Technology Validation
• Infrastructure Automation, Continuous Delivery
• Distributed, Lean, Secure architecture
• IT Automation at Web-Scale (size, agility)
• Community (Open source), Enterprise edition
Market Validation
• >10 million servers
• 10,000 companies
• 100 countries
• Tens of thousands of servers (individual customer deployments)
CFEngine – IT Automation at Web-Scale
CFEngine Enterprise - Mission Portal GUI
PROMISES
Our Promise – Mashed Potatoes
The Way To Get There - CONVERGENCE
Basic Concepts
• Convergence
  • To Converge: to come from different directions to reach the same point (location, conclusion, etc.)
  • Desired state may not be reached on the first pass
  • Change can be incremental
  • 3 passes over the policy on each run, to accelerate convergence
• Declarative vs. Imperative
  • Declarative is descriptive
  • Imperative is sequential
• Promise Theory
  "Voluntary cooperation between individual, autonomous actors or agents who publish their intentions to one another in the form of promises"
  -- Mark Burgess
The Promise Universe
A Promise Is A Statement of Intention

Promiser       | Promises to...                                                        | If not currently kept, CFEngine will...
A variable     | ...hold a certain value of a certain type                             | ...store the appropriate value in the variable
A file         | ...have certain characteristics (permissions, ownership, etc.)        | ...set the desired properties on the file
A user account | ...exist and have certain characteristics (home directory, group, etc.) | ...create the user account with the desired characteristics
A process      | ...be running on the system                                           | ...run the appropriate command to create the process
Basic Concepts
• Promise States
• Promise kept ✔
• Promise repaired ✘ → ✔
• Promise not kept ✘ → ✘
SOFTWARE COMPONENTS
Basic Components
Server
• cf-serverd: serves policy files and answers authenticated requests from clients
Client
• cf-agent: evaluates the policy and repairs promises that are not kept
• cf-execd: scheduler that runs cf-agent periodically and collects its output
• cf-monitord: collects system metrics (load, processes, etc.) that policy can use as classes and variables
LANGUAGE COMPONENTS
Anatomy of a Promise
Promise Type (What?)
Context (When/Where?)
Promiser
Why? (comment)
Attributes (How?)

packages:
  solaris.Tuesday::
    "apache"
      comment => "Front end webserver",
      package_policy => "add",
      package_version => "2.0",
      package_method => solaris;

(Day-of-week hard classes are capitalized in CFEngine, so the context is solaris.Tuesday; a lowercase "tuesday" would never be defined and the promise would never be evaluated.)
Bundles & Bodies
• A bundle is a collection of promises
• For example, a bundle to configure Apache might:
  • Install the apache2 package
  • Edit the configuration file
  • Copy the web server content
  • Etc.
• A body is a collection of attributes that constrains the promise
  • Internal (in-line in the promise)
  • External (shareable with other promises)
EXAMPLES
Example #1 – File Security

body common control
{
  bundlesequence => { "file_security" };
  inputs => { "libraries/cfengine_stdlib.cf" };
}

bundle agent file_security
{
  files:
    "/etc/." -> { "SecurityPolicy513", "[email protected]" }
      handle       => "etc_tripwire",
      comment      => "Bubble up possible security breaches",
      changes      => detect_all_change,
      depth_search => recurse("inf");
}
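Two things a practitioner will want to adjust in Example #1 before relying on it as a tripwire: the stdlib body detect_all_change re-baselines the stored hash after reporting a change, so a tampered file is flagged once and then counts as normal, and a blanket recursion over /etc reports files that change legitimately on every run. The policy below is an added example, not part of the original deck or of the CFEngine standard library; the two bodies (sha256_noupdate, not_volatile), the bundle and handle names, and the Debian-style root:shadow ownership of /etc/shadow are this editor's assumptions. Only recurse() and mog() come from the stdlib file the deck already includes. Note that the hash baseline lives on the host itself, so this is a drift monitor and not a replacement for an off-host integrity check.

```cfengine
body common control
{
  bundlesequence => { "etc_integrity" };
  inputs => { "libraries/cfengine_stdlib.cf" };
}

# Assumed body (not from stdlib): pin the hash algorithm and do NOT let the
# agent silently accept a changed file as the new baseline. The change keeps
# being reported until an operator re-baselines deliberately.
body changes sha256_noupdate
{
  hash           => "sha256";
  report_changes => "all";     # content and stat changes (perms, owner, mtime)
  update_hashes  => "false";
}

# Assumed body: skip files that legitimately change between runs, otherwise
# the integrity report is mostly noise.
body file_select not_volatile
{
  leaf_name   => { "mtab", "adjtime", "ld\.so\.cache", "resolv\.conf" };
  file_result => "!leaf_name";
}

bundle agent etc_integrity
{
  files:
    # Watch the whole /etc tree, not just the top level.
    "/etc/."
      handle       => "etc_integrity_watch",
      comment      => "Report any content or attribute change under /etc",
      changes      => sha256_noupdate,
      file_select  => not_volatile,
      depth_search => recurse("inf");

    # Detection alone only reports; for the files that matter most, also
    # enforce the attributes so drift is repaired, not just noticed.
    "/etc/shadow"
      handle  => "etc_shadow_perms",
      comment => "Password hashes must never be world-readable (assumes Debian-style root:shadow)",
      perms   => mog("0640", "root", "shadow");

    "/etc/passwd"
      handle  => "etc_passwd_perms",
      comment => "World-readable by design, but only root may write it",
      perms   => mog("0644", "root", "root");
}
```

Run it once to record the baseline (the first run reports nothing to compare against), then run it again after editing a file under /etc to see the report; because update_hashes is off, the same file is reported on every subsequent run until the policy is re-run with an updating body or the state is cleared on purpose.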
Example #2 - MOTD

body common control
{
  bundlesequence => { "edit_motd" };
  inputs => { "libraries/cfengine_stdlib.cf" };
}

bundle agent edit_motd
{
  vars:
    "motd" string => "/etc/motd";

  files:
    "$(motd)"
      create    => "true",
      edit_line => insert_lines("This system is managed by CFEngine 3"),
      handle    => "edit_motd",
      comment   => "Inform sysadmins this system is managed by CFEngine";
}
Example #3 – Install Packages

body common control
{
  bundlesequence => { "packages" };
  inputs => { "libraries/cfengine_stdlib.cf" };
}

bundle agent packages
{
  packages:
    "nano"
      handle         => "install_nano",
      comment        => "nano is John's favorite editor",
      package_policy => "add",   # Ensure that a package is present
      package_method => apt;
}

cf-demo# nano
bash: /usr/bin/nano: No such file or directory
cf-demo# cf-agent -f package_add.cf
cf-demo# nano -V
 GNU nano version 2.2.6 (compiled 14:12:08, Oct 1 2012)
...
cf-demo#
Example #3 – Install Packages – Cont.
cf-demo# nano
bash: /usr/bin/nano: No such file or directory
cf-demo# cf-agent -I -f package_add.cf
Q: apt-get update ...:Ign http://dl.google.com stable InRelease
...
Q: apt-get update ...:Hit http://us.archive.ubuntu.com saucy-backports/universe Translation-en
Q: apt-get update ...:Reading package lists...
Q: apt-get update ...:
Q:apt-get --yes instal ...:Reading package lists...
Q:apt-get --yes instal ...:Building dependency tree...
Q:apt-get --yes instal ...:Reading state information...
Q:apt-get --yes instal ...:Suggested packages:
Q:apt-get --yes instal ...: spell
Q:apt-get --yes instal ...:The following NEW packages will be installed:
Q:apt-get --yes instal ...: nano
Q:apt-get --yes instal ...:0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Q:apt-get --yes instal ...:Need to get 0 B/194 kB of archives.
Q:apt-get --yes instal ...:After this operation, 614 kB of additional disk space will be used.
Q:apt-get --yes instal ...:Selecting previously unselected package nano.
Q:apt-get --yes instal ...:(Reading database ... 236090 files and directories currently installed.)
Q:apt-get --yes instal ...:Unpacking nano (from .../nano_2.2.6-1ubuntu1_amd64.deb) ...
Q:apt-get --yes instal ...:Processing triggers for doc-base ...
Q:apt-get --yes instal ...:Processing 2 added doc-base files...
Q:apt-get --yes instal ...:Processing triggers for install-info ...
Q:apt-get --yes instal ...:Processing triggers for man-db ...
Q:apt-get --yes instal ...:Setting up nano (2.2.6-1ubuntu1) ...
Q:apt-get --yes instal ...:update-alternatives: using /bin/nano to provide /usr/bin/editor (editor) in auto mode
Q:apt-get --yes instal ...:update-alternatives: using /bin/nano to provide /usr/bin/pico (pico) in auto mode
Q:apt-get --yes instal ...:
cf-demo# nano -V
 GNU nano version 2.2.6 (compiled 14:12:08, Oct 1 2012)
...
cf-demo#
Example #4 – Convergence

bundle agent create_user_file
{
  files:
    "/home/cfetest/files/cfe_test_file"
      perms  => mog("644", "cfetest", "cfegroup"),
      create => "true";
}

bundle agent create_user_directory
{
  files:
    "/home/cfetest/files/."
      perms  => mog("755", "cfetest", "cfegroup"),
      create => "true";
}

bundle agent adduser
{
  commands:
    "/usr/sbin/useradd cfetest -d /home/cfetest -g cfegroup -m";
}

bundle agent addgroup
{
  commands:
    "/usr/sbin/groupadd -g 1001 cfegroup";
}

body common control
{
  # Deliberately in the "wrong" order: the file and directory are promised
  # before the user and group that should own them exist.
  bundlesequence => { "create_user_file", "create_user_directory", "adduser", "addgroup" };
  inputs => { "/var/cfengine/inputs/libraries/cfengine_stdlib.cf" };
}
Example #4 – First Run

2014-03-18T16:46:42+0100 notice: Q: "...in/useradd cfet": useradd: group 'cfegroup' does not exist

/home/cfetest:
drwxr-xr-x 2 root root 4096 Mar 18 16:46 files
/home/cfetest/files:
-rw-r--r-- 1 root root 0 Mar 18 16:46 cfe_test_file

groups: cfetest: No such user

Example #4 – Second Run

/home/cfetest:
drwxr-xr-x 2 root cfegroup 4096 Mar 18 16:46 files
/home/cfetest/files:
-rw-r--r-- 1 root cfegroup 0 Mar 18 16:46 cfe_test_file
cfetest : cfegroup

Example #4 – Third Run

/home/cfetest:
drwxr-xr-x 2 cfetest cfegroup 4096 Mar 18 16:46 files
/home/cfetest/files:
-rw-r--r-- 1 cfetest cfegroup 0 Mar 18 16:46 cfe_test_file
cfetest : cfegroup

The agent is at the desired state!
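Example #4 illustrates the convergence idea from the Basic Concepts slides: the wrong bundle order still ends in the desired state, it just takes three runs. In production that cost has a security side effect too, because the unguarded commands: promises are re-executed on every later run, so useradd and groupadd keep failing and the error log fills with noise that hides real problems. The policy below is an added example, not part of the original deck or of CFEngine itself; it reaches the same end state in one run by deriving classes from /etc/group and /etc/passwd with the built-in regline() function and using them to guard the commands, and by ordering the bundles so the account exists before the files that reference it. The bundle, handle and class names are this editor's own; mog() and the stdlib path are taken from the original example.

```cfengine
body common control
{
  # Order matters: the account bundle runs (and converges within its own
  # passes) before the files bundle that references cfetest:cfegroup.
  bundlesequence => { "account_cfetest", "files_cfetest" };
  inputs => { "/var/cfengine/inputs/libraries/cfengine_stdlib.cf" };
}

bundle agent account_cfetest
{
  classes:
    # Assumed class names. classes: promises are re-evaluated on every pass,
    # so each becomes true as soon as the matching line exists, and the
    # commands below are skipped on all later passes and runs.
    "have_cfegroup" expression => regline("^cfegroup:", "/etc/group");
    "have_cfetest"  expression => regline("^cfetest:",  "/etc/passwd");

  commands:
    !have_cfegroup::
      "/usr/sbin/groupadd -g 1001 cfegroup"
        handle  => "add_cfegroup",
        comment => "Group must exist before useradd -g can reference it";

    !have_cfetest::
      # Listed after groupadd, so within a single pass the group is already
      # present when this runs; depends_on records that relationship.
      "/usr/sbin/useradd cfetest -d /home/cfetest -g cfegroup -m"
        handle     => "add_cfetest",
        comment    => "Create the account only while the passwd entry is missing",
        depends_on => { "add_cfegroup" };
}

bundle agent files_cfetest
{
  files:
    # Directory first, then the file inside it. Ownership applies on the
    # first pass because the account already exists at this point.
    "/home/cfetest/files/."
      handle  => "cfetest_files_dir",
      comment => "Working directory owned by the test account",
      perms   => mog("755", "cfetest", "cfegroup"),
      create  => "true";

    "/home/cfetest/files/cfe_test_file"
      handle     => "cfetest_test_file",
      comment    => "Test file owned by the test account",
      perms      => mog("644", "cfetest", "cfegroup"),
      create     => "true",
      depends_on => { "cfetest_files_dir" };
}
```

On the first run the agent creates the group and user in the first pass of account_cfetest and then sets cfetest:cfegroup on the directory and file in files_cfetest; on every later run both classes are true from the start, no command is executed, and all promises report as kept, which is what a clean compliance report should look like.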
Q & A
• Join the conversation on our community help forum
  http://groups.google.com/forum/?fromgroups&hl=en#!forum/help-cfengine
Next Steps
• Learn more: check out our documentation
  http://cfengine.com/docs/3.5/getting-started.html
• Read Learning CFEngine 3 by Diego Zamboni