Conftero 0.18 Beta

Configuration management system implementing the Hidden Master architecture and Python based configuration. Single binary, no dependencies.

The Hidden Master architecture protects against whole categories of attacks, including the class of recently disclosed critical Salt vulnerabilities.

*Beta version - don't use on important production systems. Not all functionality is implemented yet.*

Download

Download cct 0.18 beta. 0.18 Beta works on Ubuntu Linux. It compiles for many platforms (Linux, Windows, Mac), but current development and experiments are done on Linux.

Benefits

  • Python without Python
    • Configuration uses built-in Python dialect. Leverage your existing skills.
    • It's still idempotent - only makes modifications if needed
    • Which Python required? None, it's built into single binary. Nice on embedded Linux.
  • Protect your Hidden Master
    • Any cheap web server can host your catalogs (instructions to agents).
    • PGP encrypted
    • Master secret key gives root access to all agents. Luckily, master does not have to stay on the Internet.
  • Less to learn
    • You need just a few functions to configure a system. In some production systems, less than 10 functions cover 90% of uses.
    • Conftero has less than 20 key functions
    • If you need more, it's a dialect of Python. But simpler is better.

Common Patterns

Daemon

Install Apache web server and enable user homepages.

installed("apache2")

symlink("/etc/apache2/mods-enabled/userdir.load", "../mods-available/userdir.load")
symlink("/etc/apache2/mods-enabled/userdir.conf", "../mods-available/userdir.conf")

if hasChanges():
	restartNow("apache2")

Configuring a daemon is called package-file-service in many configuration management systems.

Thanks to hasChanges(), you don't need to define relationships between functions. This is different from some leading configuration management systems.

Add Human User

user("tero", password="seeh1AeThi")

Default use follows regular user creation as closely as possible. For example, home directories are created automatically. On a typical Linux system, it runs adduser.

On systems with many users, a centralized user management system could be used instead.

Add a Technical User

Technical users improve security. For example, a dynamic website could run Python. The code should run as a low privilege user for compartmentalization.

user("pyweb", locked=True)

Scheduled Task

Conftero does not provide hundreds of special functions for special purposes. Instead, key functions are combined to achieve your end result. For example, Conftero does not have a special cron function, as it's easy to just use file().

First do it manually, then automate. And once you have done it manually, you probably know what you want your program to do.

file("/etc/cron.d/ccta", "* * * * * root /opt/cctslave/ccta\n")
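The Daemon and Scheduled Task patterns above rely on every function being idempotent and on hasChanges() tracking whether any of them actually touched the system. The following is an added illustrative model of that behaviour in plain Python; it is not Conftero's own implementation, and the internals (a module-level change list, the restart log) are assumptions for the sake of the example.

```python
# Added illustrative model of idempotent file()/symlink() and hasChanges();
# not Conftero's code. The change list and restart log are assumptions.
import os
import tempfile

_changes = []    # resource changes made during the current run
_restarts = []   # services restarted during the current run


def file(path, content):
    """Idempotent: write `content` only if `path` does not already hold it."""
    try:
        with open(path) as f:
            if f.read() == content:
                return False       # already converged, nothing recorded
    except FileNotFoundError:
        pass
    with open(path, "w") as f:
        f.write(content)
    _changes.append(("file", path))
    return True


def symlink(path, target):
    """Idempotent: create `path` -> `target` unless an identical link exists."""
    if os.path.islink(path) and os.readlink(path) == target:
        return False
    if os.path.lexists(path):
        os.remove(path)
    os.symlink(target, path)
    _changes.append(("symlink", path))
    return True


def hasChanges():
    """True if any function above modified the system during this run."""
    return bool(_changes)


def restartNow(service):
    _restarts.append(service)


def apply_catalog(root):
    """Apply the page's cron and userdir patterns under `root` (constructed
    paths); return (anything changed?, services restarted)."""
    _changes.clear()
    _restarts.clear()
    file(os.path.join(root, "ccta"), "* * * * * root /opt/cctslave/ccta\n")
    symlink(os.path.join(root, "userdir.load"), "../mods-available/userdir.load")
    if hasChanges():
        restartNow("apache2")
    return hasChanges(), list(_restarts)


def demo():
    """Run the same catalog twice: first run converges, second run is a no-op."""
    root = tempfile.mkdtemp()
    return apply_catalog(root), apply_catalog(root)
```

The second run reports no changes and triggers no restart, which is why the catalog needs no explicit ordering or dependencies between functions.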

Cheat Sheet

  • Package - installing software
    • installed("apache2")
    • installed("curl wget tree tmux httpie")
    • removed("telnet")
  • File
    • file("/etc/foo.cfg", "enabled = True")
    • directory("/usr/local/bin/", src="bin/")
    • symlink("/etc/apache2/mods-enabled/userdir.conf", target="../mods-available/userdir.conf")
  • Service
    • if hasChanges(): restartNow("apache2")
    • serviceEnabled("openssh-server")
    • serviceDisabled("terod")
  • User
    • user("tero")
    • user("runners", locked=True)
    • userRemoved("john")
    • group("student")
    • groupRemoved("guest")
  • Exec
    • if hasChanges(): run("touch /tmp/foo")

Known bugs

Bug: Initial agent configuration over ssh requires existing SSH settings. Key-based SSH login must already be set up beforehand.

$ ssh-keygen	# enter, enter, enter
$ ssh-copy-id tero@example.com

Bug: Linux only. 0.18 Beta works on Ubuntu Linux. It compiles for many platforms (Linux, Windows, Mac), but current development and experiments are done on Linux.