Re: question about architecting a cfengine implementation

[Andrew Stribblehill]

Quoting Kurt Lieber <cfengine@kirpatrick.com> (2003-04-12 05:23:07 BST):
> I'm looking at implementing cfengine to manage the infrastructure servers
> of the Gentoo Linux project. (www.gentoo.org)  My goal is to have one
> master server that maintains and distributes the configration files for all
> our other servers.  My question is regarding the best way to do this.
> 
> I'm not sure I want critical files like /etc/ stuff being updated remotely.
> So instead, I was thinking about having a two-tiered architecture.  The
> first tier would distribute all configuration files to each server, but
> they would be stored in a separate directory (/var/cfengine/files/etc/ for
> /etc/ files, for instance) 
> 
> I would also push out the cfagent.conf files to all the remote servers this
> way as well.

I'm sure you understand the 'push' terminology to mean 'cause the
remote hosts to pull', but I would reinforce that in your mind. IMO
the best way is to have a set of Cfengine config files, one of which
copies the stuff across, and the other (which can be disabled by any
number of means) to copy from there to /etc.

A quick example:

# This is cfagent.conf
control:
  actionsequence = ( copy.remote copy ... )
  SplayTime = ( 5 ) # Avoid network spikes
  repositry = ( /var/cfengine/files/etc )

groups:
  local = ( any )

copy:
  remote::
    $(repositry) server=master.gentoo.org r=inf

import:
  local::
    local.cf


# This is local.cf
copy:
  $(repositry) dest=/etc r=inf

It's up to you how you distribute local.cf -- only to certain named
machines? to hosts not explicitly named? Whatever. Bear in mind that
the local machine is in charge at all times except where it delegates
authority to your remote host. You can pull the rug under your remote
configuration whenever you want by changing update.conf or
cfagent.conf on any machine of your choice. Just know the
consequences of doing that with regard to maintainability!

> Then, I would set up the *local* version of cfengine to actually implement
> those changes via their local cfagent.conf file. (copying
> /var/cfengine/files/etc/ to /etc/ and so on)  This allows me to easily pull
> one server out of the cfengine rotation simply by removing it's local
> cfengine cron job.

With my model, just change your call to cfagent with 'cfagent -N
local' and it doesn't configure; it just pulls in the files to the
local repositry.

> Opinions on this design?  Is there a better way to do it?  I'm still new to
> cfengine, so please let me know if there's an easier way to do all this. :)

You certainly don't need two separate cfengine instances. I suspect
my solution may give you something akin to the compromise between
flexibility and maintainability that you want.

-- 
SHANNON
EAST OR SOUTHEAST BECOMING CYCLONIC 4 OR 5, INCREASING 6 TO GALE 8
FOR A TIME. SHOWERS THEN RAIN. GOOD BECOMING MODERATE

pgpdis94nXRdy.pgp
Description: PGP signature