Cfengine JLab - PowerPoint PPT Presentation

Description: Cyber Security Review, April 23-24, 2002 (PowerPoint PPT presentation)

1
Cfengine @ JLab
  • David J. Bianco
  • bianco@jlab.org

2
Table of Contents
  • Introduction
  • JLab's Environment
  • What is cfengine?
  • JLab's cfengine architecture
  • Summary
  • Questions

3
JLab's Unix Environment
  • 90 central computing Unix servers (Linux,
    Solaris, HP)
  • General computing resources, web, email, etc.
  • 50 CAD nodes (HP)
  • 185 compute farm nodes (Linux)
  • A large number of user-managed Unix workstations
    (mostly Linux)

4
JLab's Unix Environment
  • The lab's Unix admin staff is just 6 people.
  • Changes are made to these machines all the time
  • As with any environment, proper communication
    and documentation can be a problem
  • Once a problem is fixed will it remain fixed?
  • Several recent incidents have underscored the
    need for proper configuration management
  • In January 2002, JLab started looking into
    cfengine to help solve these problems

5
What is cfengine?
  • Stands for Configuration Engine
  • Policy driven configuration management for a
    network of machines
  • Open source
  • Unix and NT/2000
  • Mostly Unix, though

6
What is cfengine?
  • Developed by Mark Burgess @ Oslo University
    College in 1993
  • Used on an estimated 100,000 nodes worldwide
  • Currently in version 2.0

7
What is cfengine?
  • Three main parts
    • cfagent
    • Network services
    • Declarative configuration templates
  • Optional anomaly detection service

8
Simple Examples: Templates
    #
    # sample.cf - Sample cfengine config file
    # David J. Bianco <bianco@jlab.org>
    #
    control:
        SplayTime   = ( 5 )
        IfElapsed   = ( 30 )
        SecureInput = ( on )
        access      = ( root bianco )
        domain      = ( jlab.org )
        actionsequence = (
            links
            copy
            disable
            files
            processes
            shellcommands
        )
9
Simple Examples: Templates
    classes:
        SMTP_Servers = ( mail1 mail2 mail.acc.jlab.org )

    links:
        any::
            /etc/sendmail.cf -> /usr/local/mail/sendmail.cf
        redhat_7::
            /etc/gdm/gdm.conf -> /usr/local/config/gdm.conf

    copy:
        any::
            /cfengine/REPOSITORY/etc/resolv.conf
                dest=/etc/resolv.conf
                mode=444
                owner=root
                group=root
                type=checksum
                server=cfengine.mydomain.com
10
Simple Examples: Templates
    disable:
        any::
            /etc/hosts.equiv inform=true

    files:
        any::
            /etc/nsswitch.conf mode=444 owner=root group=root action=fixall
        !IBM_Linux_Thin_Clients::
            /etc/resolv.conf mode=444 owner=root group=root action=fixall
11
Simple Examples: Templates
    processes:
        !SMTP_Servers::
            "sendmail" signal=kill define=RUNNING_SENDMAIL

    shellcommands:
        RUNNING_SENDMAIL.!SMTP_Servers::
            "/bin/rm -f /etc/rc.d/sendmail /etc/rc.d/rc.d/sendmail"
12
JLab's cfengine Architecture
  [Architecture diagram] Components shown: Configuration Database,
  Critical File Database, Cfengine master server, Cfengine Unix
  clients (desktops and servers)
13
JLab's cfengine Architecture
  • Cfengine master server contains
    • Cfengine binaries for all platforms
    • All configuration templates
    • Master copies of critical system/software
      configuration files
  • Cfengine clients contain
    • Local copies of their own binaries
    • A complete copy of the configuration templates

14
JLab's cfengine Architecture
  • Clients use crontab to run cfexecd -F every 30
    minutes
  • Wrapper to run cfagent and email any output to
    the system administrator
  • Splay time keeps all clients from overloading
    the master at once
  • Cfagent automatically copies updated binaries and
    config templates from master
  • Most configuration checks are performed during
    each run
  • Expensive checks (file sweeps) performed only
    during the midnight run
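
As an added illustration (not from the slides and not JLab's own template), here is a cfengine 2 cfagent.conf fragment in the style of sample.cf that expresses the schedule just described: every half-hourly run pulls changed templates and platform binaries from the master, while the expensive recursive sweeps are gated on cfengine's built-in Hr00 time class so they only happen during the midnight run. The master name, repository paths and the $(class) hard-class variable are assumptions.

```cfengine
# Illustrative cfagent.conf fragment (added example, not JLab's own template).
# Assumed: the master is cfm.example.org and exports /cfengine/master;
# $(class) is assumed to be cfengine 2's hard-class variable (linux, solaris, ...).
# Typical client crontab entry that drives this file every 30 minutes:
#   0,30 * * * * /usr/local/sbin/cfexecd -F

control:
    actionsequence = ( copy files tidy )
    SplayTime   = ( 5 )          # minutes; spreads client load on the master
    IfElapsed   = ( 30 )         # do not repeat an action within 30 minutes
    SecureInput = ( on )         # refuse template files writable by others
    domain      = ( example.org )
    master      = ( cfm.example.org )

classes:
    # Hr00 is a built-in time class, true only between 00:00 and 00:59
    midnight_run = ( Hr00 )

copy:
    any::
        # templates: every run, but only files whose checksum changed
        /cfengine/master/inputs  dest=/var/cfengine/inputs
                                 r=inf
                                 mode=600
                                 owner=root
                                 type=checksum
                                 server=$(master)

        # platform binaries: same pattern, one tree per hard class
        /cfengine/master/bin/$(class)  dest=/var/cfengine/bin
                                       r=inf
                                       mode=555
                                       owner=root
                                       type=checksum
                                       server=$(master)

files:
    midnight_run::
        # expensive recursive permission sweep, report only, midnight run only
        /usr/local/bin  mode=755 owner=root group=root
                        recurse=inf action=warnall

tidy:
    midnight_run::
        # second expensive sweep: remove week-old files under /tmp, midnight only
        /tmp  pattern=* age=7 recurse=inf
```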

15
JLab's cfengine Architecture
  • Administrators can also run cfengine manually
  • Local root user (on a single client): cfagent
  • Cfengine admin (remotely from the master): cfrun

16
Installing cfengine on a host
  • Run /local/cfengine/bin/cfinstall <hostname> as
    root
  • Log is /tmp/cfinstall-<hostname>

    Starting cfengine installation for sysdevs1 @ Tue Mar  5 09:08:42 EST 2002
    Installation host is SunOS
    Generating keypair... DONE
    Exchanging keypairs...
    Running cfagent for the first time...
    cfengine:sysdevs1: Update of image /home/janed/.ssh/authorized_keys from master
      /local/cfengine/REPOSITORY/common/home/janed/.ssh/authorized_keys on cfm.jlab.org
    [Additional config output]
17
Summary
  • JLab uses cfengine 2.0 to manage configuration on
    a network of hundreds of Unix hosts
  • The configuration master contains full copies of
    all configuration binaries, templates and
    important system files
  • All network connections are encrypted and
    mutually authenticated
  • The template files are modular, enabling us to
    pick and choose among the pieces we run for a
    particular host

18
Questions?
  • David J. Bianco
  • <bianco@jlab.org>