
Cfengine Automatic System Configuration - Writing Your First Script

Cfengine modifies configuration files on systems. It can also modify configuration files that belong to a package, such as /etc/ssh/sshd.conf.

This is a quick start tutorial to make your very first cfengine configuration. This article aims to fill the gaps in published documentation: 1) show a simple and relatively safe way to test cfengine 2) explain how cfengine works with sudo.

Copyright 2006 Tero Karvinen. GNU General Public License, version 2 or later.

Install

On Ubuntu, enable universe as described in Ubuntu repositories. Then install cfengine:

 $ sudo apt-get install cfengine2 

Create config file

Create a configuration file:

 $ nano cftero.conf
# cftero.conf - sample configuration file - www.ik.fi/karvinen/cfengine
# (c) 2006 Tero Karvinen, GNU General Public License, version 2 or later
# ChangeLog 
# 2006-04-12 0642       Initial sample file by Tero

control:
        actionsequence = ( files )
files:
        /tmp/sample mode=000 action=fixall

This file will remove all permissions on file /tmp/sample.

Create a Sample File

Create a sample file and check its initial permissions:

$ touch /tmp/sample
$ ls -l /tmp/sample
-rw-r--r-- 1 tero tero 0 2006-04-12 07:23 /tmp/sample

You can see that there are several “r” and a “w” in the permissions. Cfengine will soon change those permissions.

Run cftero.conf

You must give the full path to cftero.conf when using sudo. In the same directory where you created cftero.conf, check the path:

 $ pwd
 /home/tero/

Run cftero.conf, using the full path to the file:

 $ sudo cfagent -f /home/tero/cftero.conf

Nothing is printed on the screen, so it probably worked. You can use -v for verbose output.

Let’s see if it changed the permissions on our sample file:

 $ ls -l /tmp/sample
 ---------- 1 tee tee 0 2006-04-12 07:23 /tmp/sample

If the permissions “r” and “w” are gone like above, it worked. Congratulations, you just ran your first cfengine script.

Troubleshooting

Couldn't Find a Private Key - Use sudo

Problem:

$ ls 
cfengine.conf
$ cfagent -f cfengine.conf
cfengine:::0: Warning: actionsequence is empty
cfengine:::0: Warning: perhaps cfagent.conf/update.conf have not yet been set up?
cfengine:: Couldn't find a private key (/home/tee/.cfagent/ppkeys/localhost.priv) - use cfkey to get one
cfengine:: open: No such file or directory
 

Solution: Because cfengine’s purpose is to modify system files, you must use sudo:

$ sudo cfagent -f $(pwd)/cfengine.conf

Actionsequence Empty - Type Full Path

Problem:

$ sudo cfagent -f cfengine.conf
cfengine:::0: Warning: actionsequence is empty
cfengine:::0: Warning: perhaps cfagent.conf/update.conf have not yet been set up?

Solution: When using sudo, the environment changes slightly, so you must type the full path. If you are in the same directory as cfengine.conf (you can see it with ‘ls’), you can run:

 $ sudo cfagent -f $(pwd)/cfengine.conf

Syntax Error - Use Spaces With Parenthesis

Problem:

$ sudo cfagent -f $(pwd)/cfengine.conf
cf:cfengine::/home/tero/cfengine.conf:8: syntax error

Solution: Of course, there are many ways to make syntax errors. However, the most common cause of syntax errors is the weird requirement to use spaces inside parentheses. It is incorrect to write “(files)”.

You must have a space after the opening parenthesis “( ” and a space before the closing “ )”. This is correct:

actionsequence = ( files )
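
A preflight that catches the two problems above (a relative path under sudo, and list parentheses without inner spaces) before cfagent runs as root. This is an added example, not part of the original article or of cfengine; the function names are made up, and it only checks lists that open and close on one line.

```shell
#!/bin/sh
# Added example: preflight for a cfengine 2 config before "sudo cfagent -f".
# Function names are hypothetical; only single-line "name = ( ... )" lists are checked.

# Resolve a possibly relative path to the full path cfagent needs under sudo.
cf_abs_path() {
    dir=$(CDPATH= cd -- "$(dirname -- "$1")" 2>/dev/null && pwd) || return 1
    printf '%s/%s\n' "${dir%/}" "$(basename -- "$1")"
}

# Print "LINE: text" for each list written like "(files)"; status 1 if any.
cf_bad_parens() {
    awk '
    {
        code = $0
        sub(/#.*/, "", code)            # ignore comments
        sub(/[ \t]+$/, "", code)        # ignore trailing blanks
        if (code !~ /=[ \t]*\(/) next   # not a list assignment
        if (code ~ /=[ \t]*\([^ \t]/ || code ~ /[^ \t]\)$/) {
            print NR ": " $0
            bad = 1
        }
    }
    END { exit bad + 0 }' "$1"
}

# Print the full path if the file passes, otherwise explain on stderr.
cf_preflight() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    if ! report=$(cf_bad_parens "$1"); then
        echo "add spaces inside list parentheses, e.g. ( files ):" >&2
        echo "$report" >&2
        return 1
    fi
    cf_abs_path "$1"
}

# Demo on constructed input: line 2 has the "(files)" mistake.
demo=$(mktemp) && printf 'control:\n\tactionsequence = (files)\n' > "$demo"
cf_preflight "$demo" || echo "preflight failed, cfagent not started"
rm -f "$demo"

# Intended use (cfagent only starts if the preflight passes):
#   conf=$(cf_preflight cftero.conf) && sudo cfagent -f "$conf"
```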

Works Every Once in a While - IfElapsed

Problem: Cfengine first makes changes, then it doesn’t, then it works again after a while.

Why it happens: This is a feature (really). By default, cfengine does not make changes more often than once a minute. You can use “-v” to see verbose information on what cfagent is doing.

$ sudo cfagent -v -f $(pwd)/cfengine.conf|grep elapsed
cfengine:: Nothing scheduled for [files._tmp_sample_0_7777_1000] (0/1 minutes elapsed)

Solution: Even though the default timer behavior is useful in a production environment, you might want to disable it for testing. Add this to the “control:” section:

IfElapsed   = ( 0 )     # only run cfengine if IfElapsed minutes have passed since last run

See also

Cfengine - an adaptive configuration engine, documentation, on official cfengine homepage.

Ubuntu bug #39245: Only works with full path to cfengine.conf

Last modified: 2010-09-23. Permanent url: http://www.iki.fi/karvinen/cfengine.html
