 |
Top Five Open Source Packages for System Administratorsby Æleen Frisch, author of Essential System Administration, 3rd Edition05/29/2003 |
Author's note: This is the final installment of a five-part series in which I introduce my current list of the most useful and widely applicable open source administrative tools. In general, these tools can make your job easier no matter what Unix operating system your computers run.
Other articles in this series:
|
Related Reading 
|
The top honor in my top five tools list goes to Cfengine, written by Mark Burgess. Cfengine is a wonderful tool for configuring and maintaining Unix computer systems. Cfengine is a stand-alone tool (set of tools), which administers and configures computers according to the instructions in its configuration files. The configuration files describe the desired characteristics of various system components using a high-level language that is easy to learn and use (and involves no programming). In this way, Cfengine can automatically bring one or a large number of systems into line with each one's individually defined configuration specifications. It can also make sure they stay that way by monitoring them and correcting them as needed on an ongoing basis.
In more practical terms, the following list will give you some idea of the breadth of administration and configuration tasks that Cfengine can automate:
Cfengine's home page is www.cfengine.org.
Cfengine includes the following components:
| Program | Purpose |
cfagent |
The main utility that applies a configuration file to the local system. |
cfrun |
A utility which applies a configuration file to remote systems. |
cfservd |
A server process which supports cfrun;
It enables the Cfengine agent functionality to be invoked from a remote
system. |
cfexecd |
Another daemon which automates job scheduling and reporting. |
cfenvd |
An anomaly detection daemon. |
cfkey |
A security key generation utility. |
Cfengine uses several configuration files (generally stored in /var/cfengine/inputs). The central configuration file is cfagent.conf, which specifies the characteristics of the system that Cfengine is to establish and maintain. Note that in general, cfagent.conf defines the final desired state of the system; it does not explicitly define the steps to take to achieve it.
The best way to introduce this file is with a simple example:
control:
domain = ( ahania.com ) Specify local domain.
access = ( chavez root ) Who can run cfagent.
actionsequence = ( links tidy ) Actions to carry out, in this order.
maxage = ( 7 ) Define a variable for later use.
groups: Define a list of hosts.
HaveNoBin = ( blake yeats bogan toi robin )tidy: Action: remove unwanted files.
/tmp pattern=* age=$(maxage) recurse=inf
/home pattern=*~ recurse=inflinks: Action: maintain symbolic links.
/logs -> /var/log Create this link if needed.
HaveNoBin:: Next link applies only to these hosts.
/bin -> /usr/binThis file contains four sections, each headed by a keyword followed by a colon. The first section, control, is used to specify general settings for the file, to define variables, and for other similar purposes. In this case, it specifies a list of users who are allowed to run cfagent using this file as input, specifies the sequence of actions that should be carried out when the file is invoked and defines a variable named maxage, setting its value to 7.
Assignment statements use the syntax illustrated in the example, using parentheses as delimiters:
name = ( value )
Actions are operations that Cfengine knows how to perform, and they are referred to by keywords. Here, we specify that the tidy action be performed first, followed by the links action. Each referenced action must have a section defining it somewhere in the configuration file.
The next section, groups, defines a list of groups which we've named HaveNoBin. This list will be used in the links section.
The next section in the file is the tidy section, which specifies unwanted files which Cfengine is to remove. These entries have the following general syntax:
start-dir [pattern=regexp] [recurse=n] options
where start-dir is the directory in which to start searching, regexp is a regular expression against which to match filenames, n indicates how many levels of recursion are wanted (inf means infinite), and options are additional options further specifying the files to be selected for removal.
In this case, files under /home ending with a tilde (and not starting
with a period) are chosen (emacs backup
files), as are files under /tmp last modified more than 7 days ago. Note
that the parameter to the age option is
specified using the maxage variable.
The final section in the file is the links section, which specifies symbolic links that Cfengine is to maintain. In this case, two such links are listed, using the format:
link -> target
Here, we specify that the /var/log directory should be linked to /logs
and also that /bin should be a link to /usr/bin. When run, Cfengine
will check whether these links exist, creating them if necessary. However, the
latter link will only apply to hosts in the list HaveNoBin.
This is specified by preceding the link specification with a class designation
(indicated by the double colons). In this case, the class is defined by the
host group name, but much more complex classes are possible
The following table lists the most important Cfengine actions:
| Action | Purpose |
| links | Create/maintain symbolic and hard links. |
| tidy | Remove unwanted files. |
| files | Set file ownership, protection, and/or check for modification. |
| directories | Set directory ownership, protection. |
| disks | Verify that file systems are available and contain sufficient free space. |
| disable | Rename undesirable files to name.cfengine. |
| copy | Copy local or remote files to the local system. |
| editfiles | Edit ASCII text files. |
| binservers mailserver homeservers |
Specify servers for automatic NFS file system mounting by Cfengine. |
| mountables | Specify local file systems available for NFS mounting by Cfengine. |
| miscmounts unmount |
Specify file systems to mount or unmount by Cfengine. |
| processes | Verify the existence of and control processes. |
| interfaces | Specify characteristics of network interfaces. |
| resolve | Maintain /etc/resolv.conf. |
| defaultroute | Specify the static default gateway. |
| shellcommands | Execute arbitrary shell commands from within Cfengine. |
| module:name | Use an add-on module. |
|
Here is a slightly more complicated tidy example:
control:
split = ( " " )
dirlist = ( tmp var/tmp 1/scratch 2/scratch )
tidy:
/$(dirlist) pattern=* age=3 recurse=infThe control section specifies the list separator character and then defines the variable dirlist as a list of four directories. This variable is then used in the tidy specification, and the three options will apply to each directory in turn.
The files action is used to specify various desired characteristics and corrective actions for files. Here is an example section:
files:
/etc/security mode=600 owner=root group=0 recurse=inf action=fixall
/home recurse=inf include=*.dat action=compress
/var/log/messages owner=root mode=644 action=createThe first entry specifies the required ownership and protection of the directory /etc/security and everything under it. By default, Cfengine will check whether the current settings conform to these specifications. Here, however, action=fixall tells Cfengine to modify the current settings if necessary to match the pecified ones.
The second entry causes all files with an extension of .dat under /home to be compressed. The third entry create the file /var/log/messages if it does not exist.
The files action can also be used to verify the integrity of system executables in /usr/bin:
control:
ChecksumDatabase = ( /usr/local/admin/cfengine/cksums
files:
/usr/bin checksum=md5 exclude=*.sav action=warnallThe database file used to store the correct checksums for files is specified in the control section, and the checksum option in the files entry specifies that the comparison be made. A warning will be issued for each incorrect checksum.
The disable action causes Cfengine to rename files which ought not to be present on this system:
disable:
/etc/hosts.equiv
home/.rhosts inform=true
/var/log/messages rotate=6The first two entries will cause Cfengine to rename the indicated files if they exist, adding the extension .cfengine. In the second case, the special directory keyword home is used to refer to all user home directories. In this case, Cfengine will also issue a warning message when such files are found.
The third entry illustrates another use for the disable section: log file rotation. The entry tells Cfengine to maintain six old copies of the /var/log/messages file. As with other log rotation facilities, the saved files are given the extensions .1 through .6.
Finally, the processes action may be used to tell Cfengine to verify that important processes are running, restarting them if necessary, as well as to have Cfengine signal processes:
processes:
"sendmail" restart "/usr/sbin/sendmail" useshell=false inform=true
"inetd" signal=hup
"kudzu" signal=kill
"g02" matches<=2 signal=suspend action=bymatch inform=trueThe first field in each entry is a pattern which is matched against the output
of the ps command. In general, Cfengine
will apply the entry's specifications to each matching process.
The first entry causes Cfengine to determine if there is a sendmail
daemon running. If not, one will be started using the specified command.
The next two entries specify signals to be sent to the inetd
and kudzu process if they are present.
The final entry causes Cfengine to search for processes matching the string "g02," and it will count the number of such processes. The entry specifies that the desired system state will include no more than two such processes. The action=bymatch option tells Cfengine to correct the situation when this condition is not met, according to the directives of the other options. In this case, if there are more than two such processes--i.e., if the desired condition specified by matches=<2 is not met--then it will suspend all of them (signal=suspend) and a message will be output indicating this.
Cfengine uses classes to allow a single configuration file to be created for even large groups of system. Classes serve to make parts of the configuration file conditional, dependant on the exact environment in which Cfengine is currently running.
Cfengine classes are made up of one or more of the following components:
cfagent -p -v
command shows keywords defined for the current system.control:
addclasses = ( myclass )The default class is any, which matches any host at any time. Unspecified time and date classes default to all. Multiple classes are joined by periods (AND logic) or vertical bars (OR logic); ANDs bind more tightly than ORs in the absence of parentheses. Date and time classes refer to the time that the associated Cfengine process started.
Here are some examples:
| Class specification | Matches ... |
solaris.Monday.Hr01:: |
Solaris systems on Mondays at 1:00 am |
aix|hp-ux::
|
AIX and HP-UX systems. |
aix.!vader:: |
AIX systems except host vader. |
December.Day31.Friday::
|
December 31 if it is a Friday. |
Here is a another copy section which illustrates some simple Cfengine classes:
copy:
linux::
$(masteretc)/rc.config dest=/etc/rc.config o=root mode=644
ShadowHosts::
$(masteretc)/passwd server=$(pwdmaster) dest=/etc/passwd
owner=0 group=0 mode=644 trustkey=true
$(masteretc)/shadow server=$(pwdmaster) dest=/etc/shadow
owner=0 group=0 mode=600 trustkey=true encrypt=trueThe first copy operation will occur only
on Linux systems, and it consists of copying the file rc.config from
the location specified in the masteretc
variable (defined elsewhere in the configuration file) to /etc and assigning
the specified ownership and protection.
The second subsection applies only to the host group ShadowHosts,
and it contains two copy specifications.
They tell Cfengine to update /etc/passwd and /etc/shadow from
master copies located on a remote host, specifying the required ownership and
permissions. In both cases, the copy operation
must use the Cfengine trusted key security mechanism (to ensure that the data
is really coming from the source it purports to), and the shadow password file
will be transmitted in encrypted form. The cfkey
utility is used to set up trusted keys on systems using Cfengine. It must be
run before these features can be used.
We've only had space to scratch the surface of Cfengine's capabilities here. For more information about Cfengine, consult the following sources:
Æleen Frisch has been a system administrator for over 20 years, tending a plethora of VMS, Unix, Macintosh, and Windows systems. If you liked this article and would like to receive the free ESA3 newsletter, you can sign up at http://www.aeleen.com/esa3_news.htm.
O'Reilly & Associates released (August 2002) Essential System Administration, 3rd Edition.
Sample Chapter 11, "Backup and Restore," is available free online.
You can also look at the Table of Contents, the Index, and the full description of the book.
For more information, or to order the book, click here.
Return to ONLamp.com
Copyright © 2007 O'Reilly Media, Inc.