Cfengine Automatic System Configuration – Writing Your First Script
Cfengine modifies configuration files on systems. It can also modify configuration files that belong to a package, such as /etc/ssh/sshd.conf.
This is a quick start tutorial for making your very first cfengine configuration. It aims to fill two gaps in the published documentation: 1) it shows a simple and relatively safe way to test cfengine, and 2) it explains how cfengine works with sudo.
Copyright 2006 Tero Karvinen. GNU General Public License, version 2 or later.
Install
On Ubuntu, enable the universe repository as described in Ubuntu repositories. Then install cfengine:
$ sudo apt-get install cfengine2
Create config file
Create a configuration file:
$ nano cftero.conf
# cftero.conf - sample configuration file - www.ik.fi/karvinen/cfengine
# (c) 2006 Tero Karvinen, GNU General Public License, version 2 or later
# ChangeLog
# 2006-04-12 0642 Initial sample file by Tero
control:
    actionsequence = ( files )
files:
    /tmp/sample mode=000 action=fixall
This file will remove all permissions on the file /tmp/sample.
Create a Sample File
Create a sample file and check its initial permissions:
$ touch /tmp/sample
$ ls -l /tmp/sample
-rw-r--r-- 1 tero tero 0 2006-04-12 07:23 /tmp/sample
You can see that there are several “r” and a “w” in the permissions. Cfengine will soon change those permissions.
Run cftero.conf
You must give the full path to cftero.conf when using sudo. In the same directory where you created cftero.conf, check the path:
$ pwd
/home/tero/
Run cftero.conf, using the full path to cftero.conf:
$ sudo cfagent -f /home/tero/cftero.conf
Nothing is printed on the screen, so it probably worked. You can use -v for verbose output.
Let’s see if it changed the permissions on our sample file:
$ ls -l /tmp/sample
---------- 1 tee tee 0 2006-04-12 07:23 /tmp/sample
If the permissions “r” and “w” are gone like above, it worked. Congratulations, you just ran your first cfengine script.
Troubleshooting
Couldn’t Find a Private Key – Use sudo
Problem:
$ ls
cfengine.conf
$ cfagent -f cfengine.conf
cfengine:::0: Warning: actionsequence is empty
cfengine:::0: Warning: perhaps cfagent.conf/update.conf have not yet been set up?
cfengine:: Couldn't find a private key (/home/tee/.cfagent/ppkeys/localhost.priv) - use cfkey to get one
cfengine:: open: No such file or directory
Solution: because cfengine’s purpose is to modify system files, you must use sudo:
$ sudo cfagent -f $(pwd)/cfengine.conf
Actionsequence Empty – Type Full Path
Problem:
$ sudo cfagent -f cfengine.conf
cfengine:::0: Warning: actionsequence is empty
cfengine:::0: Warning: perhaps cfagent.conf/update.conf have not yet been set up?
Solution: When using sudo, the environment changes slightly. You must type the full path. If you are in the same directory as cfengine.conf (you can see it with ‘ls’), you can use:
$ sudo cfagent -f $(pwd)/cfengine.conf
Syntax Error – Use Spaces With Parenthesis
Problem:
$ sudo cfagent -f $(pwd)/cfengine.conf
cf:cfengine::/home/tero/cfengine.conf:8: syntax error
Solution: Of course, there are many ways to do synax terors. However, the most common cause for syntax errors is the weird requirement to use spaces inside parentheses. It is incorrect to write “(files)”.
You must have a space after the opening parenthesis “( ” and a space before the closing parenthesis “ )”. This is correct:
actionsequence = ( files )
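The two pitfalls above (a relative path under sudo, and missing spaces inside parentheses) can be checked before cfagent runs as root. This is an added example, not part of the original article or the cfengine project: the function names are hypothetical, the parenthesis check is a heuristic, and the world-writable check is an extra precaution assumed here because root acts on whatever the file contains.

```shell
#!/bin/sh
# Added example: pre-flight checks for a cfengine 2 config that will be run
# as root. Function names are hypothetical; the checks are heuristics.

# Print the absolute path of config file $1 (sudo cfagent -f needs it).
cf_abs_path() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    dir=$(cd "$(dirname "$1")" && pwd) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$1")"
}

# Fail if others can write the file: root would act on whatever they put in it.
cf_check_perms() {
    if [ -n "$(find -L "$1" -prune -perm -002)" ]; then
        echo "world-writable config: $1" >&2
        return 1
    fi
}

# Fail and print "line:text" where "(" or ")" lacks the inner space, as in
# "(files)". Comments, quoted strings, $(var) references and class lines
# ending in "::" are blanked first so they do not trigger the check.
cf_lint_parens() {
    if sed -e 's/#.*//' -e 's/"[^"]*"//g' -e 's/\$([^)]*)//g' \
           -e 's/^.*::[[:space:]]*$//' "$1" |
       grep -n -E '\([^[:space:]]|[^[:space:]]\)' >&2; then
        return 1
    fi
}

# Run all checks; on success print the absolute path on stdout.
cf_preflight() {
    cf_abs_path "$1" >/dev/null && cf_check_perms "$1" &&
        cf_lint_parens "$1" && cf_abs_path "$1"
}

# Usage (cfagent command as given in the article):
#   path=$(cf_preflight cftero.conf) && sudo cfagent -f "$path"
```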
Works Every Once in a While – IfElapsed
Problem: Cfengine first makes changes, then it doesn’t, then it works again after a while.
Why it happens: This is a feature (really): by default, cfagent does not make changes more often than once a minute. You can use “-v” to see verbose information on what cfagent is doing.
$ sudo cfagent -v -f $(pwd)/cfengine.conf | grep elapsed
cfengine:: Nothing scheduled for [files._tmp_sample_0_7777_1000] (0/1 minutes elapsed)
Solution: Even though the default timer behavior is useful in a production environment, you might want to disable it for testing. Add to the “control:” section:
IfElapsed = ( 0 ) # only run cfengine if IfElapsed minutes have passed since last run
See also
Cfengine – an adaptive configuration engine, documentation, on official cfengine homepage.
Ubuntu bug #39245: Only works with full path to cfengine.conf