One restriction with cfengine is that cfagent must be able to tell if it has already performed an action, and this is especially important when editing files. For example, the cfengine configuration line
ReplaceAll "server 192\.168.*" with "server 192.168.42.1"
will not work. The problem is that the regular expression "server 192\.168.*" matches both the text cfagent is trying to find and the replacement text it would write, so cfagent could never tell whether the edit had already been made, and cfengine refuses the action.
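To make that convergence rule concrete, here is an added Python simulation (not cfengine code): it models cfagent's behaviour of counting a line as edited whenever the regex matches it, runs the page's ReplaceAll rule against a constructed ntp-style config, and counts how many consecutive runs still report an edit. The literal-pattern alternative and the sample file contents are assumptions for illustration.

```python
import re

# Constructed sample config with one stale "server" line to rewrite.
SAMPLE_CONF = "driftfile /var/lib/ntp/drift\nserver 192.168.1.5\nserver 10.0.0.2\n"

# The rule from the article, and a literal-pattern alternative (assumed).
BAD_PATTERN = r"server 192\.168.*"        # also matches its own replacement
GOOD_PATTERN = r"server 192\.168\.1\.5"   # cannot match the replacement
REPLACEMENT = "server 192.168.42.1"


def cfagent_would_refuse(pattern: str, replacement: str) -> bool:
    """cfagent rejects a ReplaceAll whose regex also matches the replacement
    text, since it could never tell that the edit had already been made."""
    return re.fullmatch(pattern, replacement) is not None


def replace_all(text: str, pattern: str, replacement: str):
    """Apply the rule to every line. Like cfagent, treat any line that
    matches the regex as an edit, whether or not the bytes change."""
    out, edited = [], False
    for line in text.splitlines():
        if re.search(pattern, line):
            edited = True
            line = re.sub(pattern, replacement, line)
        out.append(line)
    return "\n".join(out) + "\n", edited


def runs_reporting_edits(text: str, pattern: str, replacement: str,
                         max_runs: int = 3) -> int:
    """Run the rule repeatedly; a convergent rule reports an edit once."""
    count = 0
    for _ in range(max_runs):
        text, edited = replace_all(text, pattern, replacement)
        if not edited:
            break
        count += 1
    return count


if __name__ == "__main__":
    for pat in (BAD_PATTERN, GOOD_PATTERN):
        print(pat, "refused" if cfagent_would_refuse(pat, REPLACEMENT)
              else "runs with edits: %d" % runs_reporting_edits(SAMPLE_CONF, pat, REPLACEMENT))
```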
Cfengine is sensitive to how multiple machines running identical tasks simultaneously can wreak havoc on servers, so it has a configuration option called SplayTime (it's off by default, but you will most likely want to turn it on). SplayTime directs cfengine to wait a random amount of time before beginning its work. Additionally, cfagent by default will not restart more than once per minute to protect against loops.
Security is an important feature of cfengine. No communication can occur until you set up the proper public key exchanges, and the cfagent can operate only in "pull" mode. Client cfengines can respond only to the cfrun command "do some work," and only when the client and server exchange the correct encryption keys.
Getting your initial configuration in place can be difficult if you're new to it. It also can be frustrating to figure out whether cfengine is responding to your commands (see "Step By Step," page 76).
Then, once you have cfengine running, adding hosts is easy. Simply add the new host's public key to the ppkeys directory on your cfengine server, and the cfengine server's public key to the ppkeys directory on the host.
Version 2 of cfengine includes software-package management, which lets cfagent install, for example, the most current version of the image-manipulation program ImageMagick on your Web servers. If you bring up a new Web server, cfengine will install that software package for you automatically.
Last and certainly not least is cfengine's ability to do environmental monitoring, letting cfengine's cfenvd examine different aspects of your system, from the number of root processes to the number of connections on well-known services like HTTP. It also looks at the averages over time of each of these levels and at the standard deviation. Anything three or more times the standard deviation is considered an anomaly and reported to the cfagent next time it runs. For instance, in the case of a huge crush of HTTP connections to your Web server, you can have cfagent send an e-mail alert, log this data to syslog, throttle the Web server or halt backups until the load decreases.
Cfengine is clearly the most sophisticated of the open-source tools for centrally managing your Linux machines. The key is to choose the right tool for your environment and make sure you get the most out of it.
How to Deploy cfengine
Run the cfengine server initially with cfservd -v -F. This tells cfengine to run its server daemon with verbose mode in the foreground, which helps you determine the source of any problems you encounter.
Configure security properly. Most initial problems are in the public/private key exchange.
Be sure to run other programs in debug mode (adding -d). That's often the only way to find out why cfengine is not performing the way you want it to.
Add IfElapsed = ( 0 ) to the control section of your cfagent's configuration file while testing. This will override the once-per-minute default time between repeating an action, which you don't need while testing.
Cfengine information, www.cfwiki.org
Cfengine's main Web site, www.cfengine.org
ClusterSSH home page, clusterssh.sf.net
Rsync home page, rsync.samba.org
Jeff Ballard is the Unix systems manager for the Computer-Aided Engineering Center at the University of Wisconsin-Madison. Send your comments on this article to [email protected].
Mixing It Up With Rsync
Here's a simple script for setting a random delay for an rsync task. Put it at the top of the script you are about to run. The maximum time to wait, in minutes, is its "argument", so randomwait.pl 5, for example, will wait for a random time of up to five minutes.
randomwait.pl:
#!/usr/bin/perl
# Sleep a random number of seconds, up to $ARGV[0] minutes.
sleep( rand( $ARGV[0] * 60 ) );