Cross Platform System Administration With Cfengine
By Joe Purcell
Article Date: 2011-05-26
Managing system security, system configuration, and software deployments, and documenting it all, are enormous tasks on any network. Cfengine is a free tool that attempts to automate those tasks, and more. There are a number of other configuration tools to choose from, but few have the breadth and power Cfengine does. Though Cfengine is used by large organizations like Yale University, the State of New York, eBay, and IBM, its commercial or free version may be a viable solution even for small networks.
Cfengine is a framework based on Promise Theory for automating major aspects of system administration. It has nearly unlimited functionality. It monitors systems, closes security holes, checks file permissions, creates databases and verifies their integrity, deploys software installs, checks that the right processes are running, ensures the configuration is correct, and many other tasks on any number of computers in a network. Another key feature is that it creates documentation and performance reports. Perhaps the best part is that it runs on and works with Linux, Unix, Mac, and Windows, including some virtualization platforms.
There are plenty of examples on the Cfengine site, and others are contributing documentation and examples as well. At the most basic level, here is an example configuration policy from their site that many will find familiar. It promises that the sshd and httpd processes are running, and restarts whichever one is not:

    bundle agent application_services
    {
    processes:
        "sshd"  restart_class => "start_ssh";
        "httpd" restart_class => "start_apache";
    commands:
        start_ssh::
            "/etc/init.d/sshd restart";
        start_apache::
            "/etc/init.d/apache restart";
    }

These configuration files can even have variables. Taking the above example, we can condense it to:
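
    bundle agent application_services
    {
    vars:
        "service" slist => { "ssh", "apache", "mysql" };
        # Lookup tables referenced by the promises below. The ssh and apache
        # values come from the first example; the mysql values are assumed.
        "daemon[ssh]"    string => "sshd";
        "daemon[apache]" string => "httpd";
        "daemon[mysql]"  string => "mysqld";
        "start[ssh]"     string => "/etc/init.d/sshd restart";
        "start[apache]"  string => "/etc/init.d/apache restart";
        "start[mysql]"   string => "/etc/init.d/mysqld restart";
        #
        # Apply the following promises to this list...
        #
    processes:
        "$(daemon[$(service)])" restart_class => canonify("start_$(service)");
    commands:
        "$(start[$(service)])"
            ifvarclass => canonify("start_$(service)");
    }
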
As they admit, it could take a long time to develop enough familiarity with the program for it to be useful. However, they do offer commercial support, Cfengine Nova. Their commercial flyer shows some of the benefits Nova has over the free version and how it can make better use of the breadth and power Cfengine has. Whether the commercial solution is of greater advantage than the free one will likely be determined by the IT department's budget, the complexity of the network, and the time and availability of skilled manpower to work with the program.
The commercial route may often win out, since many IT departments are strapped for time and manpower. Yet smaller networks would require less configuration, so tackling the learning curve of the free version may be just as quick and have greater payoffs in the long run. As more IT departments undergo audits, move towards standardization, and build documentation for their systems, a program like Cfengine may ease and expedite the process.
About the Author: Joe Purcell is a technology virtuoso, cyberspace frontiersman, and connoisseur of Linux, Mac, and Windows alike.