So you want to get cfengine running under FreeBSD? This is the start of the total beginner's guide...
I'll assume you know what cfengine is, and you have basic FreeBSD knowledge. This tutorial was written using cfengine 2.2.3 on FreeBSD 7.0.

Install cfengine on each host you wish to manage, using either ports or packages:

    cd /usr/ports/sysutils/cfengine
    make install clean

or

cfengine requires both bdb and OpenSSL. OpenSSL is already part of FreeBSD, but bdb will be installed if it's not already present.

By default, cfengine's configuration files live in /var/cfengine, and some folders will be automatically created within this folder; however, we now need to add a couple of directories for input files and output files:

    mkdir -p /var/cfengine/inputs /var/cfengine/outputs
There are (at least) two ways to structure the cfengine infrastructure. One is to run a daemon on each host. The other is to run the daemon on only the management server, and run cfexecd periodically using cron on the managed hosts. Each method has advantages and disadvantages:

| | Daemon on each managed host | Daemon on management server only |
|---|---|---|
| Advantages | Configuration changes can be pushed out | Configuration changes are only checked as often as specified in crontab |
| | An extra process is running on each managed host | |
| | Configuration changes can be staggered | No load management on management server |
For the sake of simplicity, we're going to run the daemon on all hosts, as we like the load management functionality it provides. On the management server, add the following to /etc/rc.conf:

    cfexecd_enable="YES"
    cfservd_enable="YES"

We'll also add these lines to the managed hosts, but we'll get cfengine to do that (if we can).

We need a cfservd.conf for cfservd to start up. This will live in /var/cfengine/inputs. The file will go here...

cfengine uses private/public key pairs for authentication between managed hosts and the management server. The keys need to be created by running cfkey on each server and host. The private and public keys will be created in /var/cfengine/ppkeys. They then need to be manually copied and renamed (e.g. using SCP) before we can get the server talking to the hosts.

On the management server:

    cfkey

On the managed host:

    cfkey
    scp /var/cfengine/ppkeys/localhost.pub username@management_server:/var/cfengine/ppkeys/root-host's_IP_address.pub

Some more stuff...

One of the nice features of cfengine is that it splits its configuration into two parts. The first part of the configuration (which lives in update.conf) is used for updating cfengine's own configuration. The second part (which lives in cfagent.conf) is used for applying the configuration rules. This means that update.conf rarely needs modifying, and if you break cfagent.conf, cfengine can still update itself.
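The manual key copy described above is the step that decides which hosts the management server trusts, so the copied key's digest should be compared with one read out of band before the file is renamed into /var/cfengine/ppkeys. The following is an added example, not part of the original tutorial; the function names, return codes and the IPv4-only address check are assumptions of this example.

```sh
#!/bin/sh
# Added example: install a peer's public key as root-<IP>.pub only after its
# SHA-256 digest matches a value obtained out of band (phone, console, ticket).

# Print the SHA-256 hex digest of a file (sha256sum on Linux, sha256 on FreeBSD).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Succeed only for a dotted-quad IPv4 address, so the value cannot carry
# "/" or ".." into the destination file name.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# install_peer_key PUBFILE PEER_IP EXPECTED_SHA256 [PPKEYS_DIR]
# Returns: 0 installed, 1 bad IP, 2 missing/empty key file,
#          3 digest mismatch, 4 copy failed.
install_peer_key() {
    pub=$1; ip=$2; want=$3; dir=${4:-/var/cfengine/ppkeys}
    valid_ipv4 "$ip" || return 1
    [ -f "$pub" ] && [ -s "$pub" ] || return 2
    [ "$(file_sha256 "$pub")" = "$want" ] || return 3
    dest="$dir/root-$ip.pub"
    tmp="$dest.tmp.$$"
    # Copy under a temporary name, set the mode, then rename into place so a
    # half-written key is never visible under the trusted name.
    if cp "$pub" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 4
}

# When called as a script with arguments, install one key and exit.
if [ $# -ge 3 ]; then
    install_peer_key "$@"
    exit $?
fi
```

Obtain the expected digest by running `sha256 -q /var/cfengine/ppkeys/localhost.pub` on the managed host itself, and pass it as the third argument on the management server.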