help-cfengine

Re: cfengine architecture comparisons?


From: Mark Burgess
Subject: Re: cfengine architecture comparisons?
Date: Tue, 5 Nov 2002 16:25:59 +0100 (MET)

On  4 Nov, Nate Campi wrote:
> I'm evaluating cfengine for deployment at work, basically to automate
> host security policy (file perms, process management, editing text
> files).
> 
> In order to accomplish that, I can simply run the agent from cron once
> a day and call it complete. I can dist out the config with rsync over
> ssh and ssh pubkey auth, so dist of the conf file is taken care of.
> 
> What I'm wondering about is whether I should put together a "full"
> cfengine architecture now (cfenvd, cfexecd, etc). I'm sure the
> flexibility would be nice, change how often the agent runs without
> editing cron on the hosts, dist files, stuff like that.
> 
> Two things make me wonder if I should keep it simple:
> 
> - Mark B himself says in his book "If it isn't broken, don't fix it",
>   so I don't know if I should be looking to implement things I don't
>   have an immediate need for.
> 
> - I'm looking to improve security, and usually this means *not* running
>   more daemons as root on every machine, not adding more.


Hey there. Just briefly (really busy). There is little risk from running
cfexecd since it takes no input from anything. cfservd is also
pretty safe, as long as you don't grant access to unnecessary
files. Again, it does not accept any instructions from the
net except to check an existing configuration. DO look at the security
pages at www.cfengine.org

 
> - Things are less simple, so I deviate from the K.I.S.S. principle
>   (another one Mark talks about in his book).
> 
> Ok, so that's three things. Anyways, has anyone ever written about the
> pros/cons of different ways to run cfengine? Perhaps I've covered most
> of them right here, or perhaps people discuss this in the archives.
> 
> I'd be willing to donate a write-up along these lines if a) it's never
> been done and b) people think it could be useful.
> 
> TIA

Version 2 of cfengine is meant to be as plug'n'play as possible.
I would keep the installation simple, as the risk is quite low.
Always start with a few things in the config and build up slowly.
You don't need cfenvd, but it can tell you stuff about load etc.

I would be more careful with version 1 of cfengine. With version 2
I have worked hard to make it as simple and secure as possible.

I would tend to start by getting cfengine running on all hosts
with all its pieces and once it is running smoothly, start building
up the complexity of the configuration. We are aiming for
"predictability of system" - so get cfengine working predictably
first, then work on everything else :)

Hope someone else will contribute their experiences too.

If you want to write about cfengine 2, why not write up something for
;login: ?

good luck,
Mark
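As an added illustration of Mark's point that cfservd is safe "as long as you don't grant access to unnecessary files" (this is not part of the thread above): a minimal cfengine 2 cfservd.conf that only admits one directory to hosts in one network, and denies everything else. The domain, network prefix, host pattern and paths are constructed placeholders.

```cfengine
# cfservd.conf -- constructed example for cfengine 2; adjust names and paths.
control:
   domain = ( example.com )          # placeholder domain
   # Only accept TCP connections from this network prefix.
   AllowConnectionsFrom = ( 10.1.1 )
   # Accept new client keys only from the same prefix, and only while
   # hosts are being enrolled; remove this line once keys are exchanged.
   TrustKeysFrom = ( 10.1.1 )
   MaxConnections = ( 20 )
   # cfrunCommand is deliberately not set, so remote cfrun requests
   # cannot start an agent run on this host.

# Export only the master configuration tree, read-only, to known hosts.
admit:
   /var/cfengine/masterfiles   *.example.com

# Anything not listed above is already refused; this makes the
# exclusion of a sensitive subtree explicit even to admitted hosts.
deny:
   /var/cfengine/masterfiles/private   *
```

Hosts outside the admitted pattern get nothing, and an admitted host can copy only the exported tree, which is the "check an existing configuration" access Mark describes.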
