This document discusses configuration management and CFEngine 3. It begins with an introduction to configuration management principles like reproducibility, industrialization, and automation. It then discusses the main configuration management tools including CFEngine 3, Puppet, and Chef. The document focuses on CFEngine 3, describing its features like being lightweight, scalable, and adapted to heterogeneous environments. It concludes with instructions on installing and getting started with CFEngine 3, including examples of using it to install and configure servers.

1. 24/09/2011
Configuration Management
Automating and rationalizing server setup with CFEngine 3
Jonathan Clarke <jcl@normation.com>

2. About the speaker
Jonathan Clarke → CTO →
Sysadmin background Startup created in 2010
Infrastructure management Based in Paris
FLOSS contributor: Configuration management:
CFEngine
 CFEngine (partner)
Others (OpenLDAP, LSC,
FusionInventory...)  Rudder (creator)

3. Introduction
1. CREATE
2. SETUP
3. USE
4. THROW AWAY
Cloud Computing

4. Introduction
1. CREATE
2. SETUP
3. USE
4. THROW AWAY
Cloud Computing
→ APIs and tools are available

5. Introduction
1. CREATE
2. SETUP
3. USE
4. THROW AWAY
Cloud Computing
Three approaches:
1. Manually
2. Imaging
3. Configuration tool

6. Agenda
1) Configuration Management principles
2) Configuration Management tools
3) About CFEngine 3
4) Getting started

7. Configuration Management
Principles through examples...

8. A server crashed.
Install a new one, people
can't work without it!
OK, it'll be done in
about two days...
Why configuration management?
There's a new critical security patch
we must deploy on all our servers!
Get it out quickly!
Right, I'll put the whole
team on it.

9. Reproducibility Industrialization
Automation
Why configuration management?

10. How do we setup
service X?
Ask Jim, he's
the expert on that.
But he left the company...
Why configuration management?
Huh, this server has been logging
errors for a few weeks.
Oh? I think Michael changed
something on it recently...
He'll tell you what it was.
Damn, he's on vacation!

11. Documentation History
Building-up
knowledge
Why configuration management?

12. An intruder just stole our data
using a vulnerability in a
module we don't need...
I thought the project specification
ensured that we disabled that?
Er, it did, but we enabled it to
solve a problem and forgot to
disable it afterwards... sorry...
Why configuration management?

13. Why configuration management?
Continuous
vigilance
Automatic repairs Alerts

14. I don't understand how this
server is setup. It doesn't match
our best-practices.
Oh, that's a legacy server...
Why configuration management?
Give me details on our
current security policy.
Well, it's a collection of little
things, here and there...
Ah... Well, OK.
Tell me: is it fully applied
on all our critical servers?
Er...

15. Why configuration management?
Rationalization
Normalization Control

16. Reproducibility Industrialization Documentation History
Automation Building-up
knowledge
Configuration management benefits
Continuous
Rationalization
vigilance
Automatic repairs Alerts Normalization Control

17. Configuration Management
The tools

18. Main tools available
CFEngine 3 Puppet Chef

19. Main tools available: history
Relative origins of CFEngine, Puppet and Chef
Source:
http://verticalsysadmin.com/blog/uncategorized/relative-origins-o
f-cfengine-chef-and-puppet

20. The tools: similarities
CFEngine 3 Puppet Chef
Common origins Designed specifically Text-based / CLI
for configuration interface
management
Client-server model
(sometimes optional) Open Source

21. The tools: some differences
CFEngine 3 Puppet Chef
C Ruby Ruby
Language
GPL Apache Apache
(ex-GPL)
License
Yes Preliminary Partial
Windows support

22. A bit about CFEngine 3...

23. CFEngine 3: Features
Multi platform
Windows support
Two versions:
1. Community (open source)
Runs in Cygwin
2. Nova (commercial)
● Native Windows service

24. CFEngine 3: Features
Multi-OS
Multi-distribution
Adapted to
Make it ”transparent” (forget heterogeneous
about the complexity) environments
Existing standard library
handling the differences
between each OS and
distribution

25. CFEngine 3: Features
Lightweight, non-intrusive
Non-intrusive
Daemon consumption on managed hosts
Only two dependencies:
- BerkeleyDB
- OpenSSL

26. CFEngine 3: Features
Evolution of CPU utilization
for an increasing number of managed hosts Highly scalable
From 25 to 400 clients (x16)
CPU utilization increases by 1.16%
Notes:
• Each host runs CFEngine every 5 minutes
• Configuration tested sets up Apache web server
• Tests and monitoring using AWS

27. CFEngine 3: Features
Multi platform
Adapted to
Lightweight, non-intrusive heterogeneous
environments
Autonomous
Fault-tolerant Highly scalable
Progressive
roll-out

28. Getting started with CFEngine 3

29. CFEngine 3: Installing
 Install from sources:
 http://www.cfengine.com/source_code
 Prebuilt packages:
 Debian / SuSE / Fedora / RHEL / Ubuntu
 Requires free signup
 https://cfengine.com/inside/myspace

30. CFEngine 3: Client-Server
 Using a server is optional!
 Get started by running standalone
 CFEngine's server daemon is cf-serverd
 Dedicated protocol: TCP port 5308
 Requires SSL key exchange

31. CFEngine 3: Configuration
 Minimal configuration:
body common control
{
bundlesequence => { "HelloWorld" };
}
Syntax notes
bundle agent HelloWorld Whitespace doesn't count
{ Comments follow #
# This will output "Hello World!"
commands:
"/bin/echo Hello World!";
}
Structure notes
● Structures are created using { }
● Structures are bundles or bodies

32. CFEngine 3: Configuration
 Promise types:
Promise types Promise types
(all versions) (commercial versions)
files environments
packages services
processes databases
commands
storage
interfaces (for future use)
Special types Special types
(all versions) (commercial versions)
vars outputs
classes
methods
reports

33. CFEngine 3: Examples
 Install and update the LAMP stack
bundle agent lamp {
vars:
"packages" slist => { "httpd", "php5", "mysql" };
packages:
"${packages}"
package_method => generic,
package_method => "addupdate";
}

34. CFEngine 3: Examples
 Install Apache with distribution variations
packages:
debian::
"apache2"
package_policy => "add",
package_method => apt;
centos|redhat::
"httpd"
package_policy => "add",
package_method => yum;

35. 24/09/2011
Thanks for participating!
Stay in touch...
Jonathan Clarke
Email: jcl@normation.com
Twitter: jooooooon42