Published on (
 See this if you're having trouble printing code examples


Top Five Open Source Packages for System Administrators

by Æleen Frisch, author of Essential System Administration, 3rd Edition

Author's note: This is the final installment of a five-part series in which I introduce my current list of the most useful and widely applicable open source administrative tools. In general, these tools can make your job easier no matter what Unix operating system your computers run.

Other articles in this series:

#1: Cfengine


Related Reading

Essential System Administration
Tools and Techniques for Linux and Unix Administration
By Æleen Frisch

The top honor in my top five tools list goes to Cfengine, written by Mark Burgess. Cfengine is a wonderful tool for configuring and maintaining Unix computer systems. Cfengine is a stand-alone tool (set of tools), which administers and configures computers according to the instructions in its configuration files. The configuration files describe the desired characteristics of various system components using a high-level language that is easy to learn and use (and involves no programming). In this way, Cfengine can automatically bring one or a large number of systems into line with each one's individually defined configuration specifications. It can also make sure they stay that way by monitoring them and correcting them as needed on an ongoing basis.

What Cfengine Can Do

In more practical terms, the following list will give you some idea of the breadth of administration and configuration tasks that Cfengine can automate:

Cfengine's home page is

Cfengine includes the following components:

Program Purpose
cfagent The main utility that applies a configuration file to the local system.
cfrun A utility which applies a configuration file to remote systems.
cfservd A server process which supports cfrun; It enables the Cfengine agent functionality to be invoked from a remote system.
cfexecd Another daemon which automates job scheduling and reporting.
cfenvd An anomaly detection daemon.
cfkey A security key generation utility.

Cfengine uses several configuration files (generally stored in /var/cfengine/inputs). The central configuration file is cfagent.conf, which specifies the characteristics of the system that Cfengine is to establish and maintain. Note that in general, cfagent.conf defines the final desired state of the system; it does not explicitly define the steps to take to achieve it.

Configuring Cfengine

The best way to introduce this file is with a simple example:

   domain = ( )            Specify local domain.
   access = ( chavez root )           Who can run cfagent.
   actionsequence = ( links tidy )    Actions to carry out, in this order.
   maxage = ( 7 )                     Define a variable for later use.
   groups:                            Define a list of hosts.
   HaveNoBin = ( blake yeats bogan toi robin )
tidy:                                 Action: remove unwanted files.
   /tmp pattern=* age=$(maxage) recurse=inf
   /home pattern=*~ recurse=inf
links:                                Action: maintain symbolic links.
   /logs -> /var/log                  Create this link if needed.
   HaveNoBin::                        Next link applies only to these hosts.
   /bin -> /usr/bin

This file contains four sections, each headed by a keyword followed by a colon. The first section, control, is used to specify general settings for the file, to define variables, and for other similar purposes. In this case, it specifies a list of users who are allowed to run cfagent using this file as input, specifies the sequence of actions that should be carried out when the file is invoked and defines a variable named maxage, setting its value to 7.

Assignment statements use the syntax illustrated in the example, using parentheses as delimiters:

name = ( value )

Actions are operations that Cfengine knows how to perform, and they are referred to by keywords. Here, we specify that the tidy action be performed first, followed by the links action. Each referenced action must have a section defining it somewhere in the configuration file.

The next section, groups, defines a list of groups which we've named HaveNoBin. This list will be used in the links section.

The next section in the file is the tidy section, which specifies unwanted files which Cfengine is to remove. These entries have the following general syntax:

start-dir [pattern=regexp] [recurse=n] options

where start-dir is the directory in which to start searching, regexp is a regular expression against which to match filenames, n indicates how many levels of recursion are wanted (inf means infinite), and options are additional options further specifying the files to be selected for removal.

In this case, files under /home ending with a tilde (and not starting with a period) are chosen (emacs backup files), as are files under /tmp last modified more than 7 days ago. Note that the parameter to the age option is specified using the maxage variable.

The final section in the file is the links section, which specifies symbolic links that Cfengine is to maintain. In this case, two such links are listed, using the format:

link -> target

Here, we specify that the /var/log directory should be linked to /logs and also that /bin should be a link to /usr/bin. When run, Cfengine will check whether these links exist, creating them if necessary. However, the latter link will only apply to hosts in the list HaveNoBin. This is specified by preceding the link specification with a class designation (indicated by the double colons). In this case, the class is defined by the host group name, but much more complex classes are possible

More About Actions

The following table lists the most important Cfengine actions:

Action Purpose
links Create/maintain symbolic and hard links.
tidy Remove unwanted files.
files Set file ownership, protection, and/or check for modification.
directories Set directory ownership, protection.
disks Verify that file systems are available and contain sufficient free space.
disable Rename undesirable files to name.cfengine.
copy Copy local or remote files to the local system.
editfiles Edit ASCII text files.
Specify servers for automatic NFS file system mounting by Cfengine.
mountables Specify local file systems available for NFS mounting by Cfengine.
Specify file systems to mount or unmount by Cfengine.
processes Verify the existence of and control processes.
interfaces Specify characteristics of network interfaces.
resolve Maintain /etc/resolv.conf.
defaultroute Specify the static default gateway.
shellcommands Execute arbitrary shell commands from within Cfengine.
module:name Use an add-on module.

Here is a slightly more complicated tidy example:

   split = ( " " )
   dirlist = ( tmp var/tmp 1/scratch 2/scratch )
   /$(dirlist) pattern=* age=3 recurse=inf

The control section specifies the list separator character and then defines the variable dirlist as a list of four directories. This variable is then used in the tidy specification, and the three options will apply to each directory in turn.

The files action is used to specify various desired characteristics and corrective actions for files. Here is an example section:

   /etc/security mode=600 owner=root group=0 recurse=inf action=fixall
   /home recurse=inf include=*.dat action=compress
   /var/log/messages owner=root mode=644 action=create

The first entry specifies the required ownership and protection of the directory /etc/security and everything under it. By default, Cfengine will check whether the current settings conform to these specifications. Here, however, action=fixall tells Cfengine to modify the current settings if necessary to match the pecified ones.

The second entry causes all files with an extension of .dat under /home to be compressed. The third entry create the file /var/log/messages if it does not exist.

The files action can also be used to verify the integrity of system executables in /usr/bin:

   ChecksumDatabase = ( /usr/local/admin/cfengine/cksums 

   /usr/bin checksum=md5 exclude=*.sav action=warnall

The database file used to store the correct checksums for files is specified in the control section, and the checksum option in the files entry specifies that the comparison be made. A warning will be issued for each incorrect checksum.

The disable action causes Cfengine to rename files which ought not to be present on this system:

   home/.rhosts inform=true
   /var/log/messages rotate=6

The first two entries will cause Cfengine to rename the indicated files if they exist, adding the extension .cfengine. In the second case, the special directory keyword home is used to refer to all user home directories. In this case, Cfengine will also issue a warning message when such files are found.

The third entry illustrates another use for the disable section: log file rotation. The entry tells Cfengine to maintain six old copies of the /var/log/messages file. As with other log rotation facilities, the saved files are given the extensions .1 through .6.

Finally, the processes action may be used to tell Cfengine to verify that important processes are running, restarting them if necessary, as well as to have Cfengine signal processes:

   "sendmail" restart "/usr/sbin/sendmail" useshell=false inform=true
   "inetd" signal=hup
   "kudzu" signal=kill
   "g02" matches<=2 signal=suspend action=bymatch inform=true

The first field in each entry is a pattern which is matched against the output of the ps command. In general, Cfengine will apply the entry's specifications to each matching process.

The first entry causes Cfengine to determine if there is a sendmail daemon running. If not, one will be started using the specified command.

The next two entries specify signals to be sent to the inetd and kudzu process if they are present.

The final entry causes Cfengine to search for processes matching the string "g02," and it will count the number of such processes. The entry specifies that the desired system state will include no more than two such processes. The action=bymatch option tells Cfengine to correct the situation when this condition is not met, according to the directives of the other options. In this case, if there are more than two such processes--i.e., if the desired condition specified by matches=<2 is not met--then it will suspend all of them (signal=suspend) and a message will be output indicating this.

Using a Configuration File for Multiple Systems: Classes

Cfengine uses classes to allow a single configuration file to be created for even large groups of system. Classes serve to make parts of the configuration file conditional, dependant on the exact environment in which Cfengine is currently running.

Cfengine classes are made up of one or more of the following components:

    addclasses = ( myclass )

The default class is any, which matches any host at any time. Unspecified time and date classes default to all. Multiple classes are joined by periods (AND logic) or vertical bars (OR logic); ANDs bind more tightly than ORs in the absence of parentheses. Date and time classes refer to the time that the associated Cfengine process started.

Here are some examples:

Class specification Matches ...
solaris.Monday.Hr01:: Solaris systems on Mondays at 1:00 am
aix|hp-ux:: AIX and HP-UX systems.
aix.!vader:: AIX systems except host vader.
December.Day31.Friday:: December 31 if it is a Friday.

Here is a another copy section which illustrates some simple Cfengine classes:

      $(masteretc)/rc.config dest=/etc/rc.config o=root mode=644
      $(masteretc)/passwd server=$(pwdmaster) dest=/etc/passwd 
         owner=0 group=0 mode=644 trustkey=true
      $(masteretc)/shadow server=$(pwdmaster) dest=/etc/shadow 
         owner=0 group=0 mode=600 trustkey=true encrypt=true

The first copy operation will occur only on Linux systems, and it consists of copying the file rc.config from the location specified in the masteretc variable (defined elsewhere in the configuration file) to /etc and assigning the specified ownership and protection.

The second subsection applies only to the host group ShadowHosts, and it contains two copy specifications. They tell Cfengine to update /etc/passwd and /etc/shadow from master copies located on a remote host, specifying the required ownership and permissions. In both cases, the copy operation must use the Cfengine trusted key security mechanism (to ensure that the data is really coming from the source it purports to), and the shadow password file will be transmitted in encrypted form. The cfkey utility is used to set up trusted keys on systems using Cfengine. It must be run before these features can be used.

We've only had space to scratch the surface of Cfengine's capabilities here. For more information about Cfengine, consult the following sources:

Æleen Frisch has been a system administrator for over 20 years, tending a plethora of VMS, Unix, Macintosh, and Windows systems. If you liked this article and would like to receive the free ESA3 newsletter, you can sign up at

O'Reilly & Associates released (August 2002) Essential System Administration, 3rd Edition.

Return to

Copyright © 2009 O'Reilly Media, Inc.