

Top Five Open Source Packages for System Administrators

Here is a slightly more complicated tidy example:

   split = ( " " )
   dirlist = ( tmp var/tmp 1/scratch 2/scratch )
   /$(dirlist) pattern=* age=3 recurse=inf

The control section sets the list separator character (split) and then defines the variable dirlist as a list of four directories. The tidy entry expands to one specification per directory (/tmp, /var/tmp, /1/scratch and /2/scratch), and the three options apply to each in turn: pattern=* selects every file name, age=3 selects files older than three days, and recurse=inf descends the whole tree.

The files action is used to specify various desired characteristics and corrective actions for files. Here is an example section:

   /etc/security mode=600 owner=root group=0 recurse=inf action=fixall
   /home recurse=inf include=*.dat action=compress
   /var/log/messages owner=root mode=644 action=create

The first entry specifies the required ownership and protection of the directory /etc/security and everything under it. By default, Cfengine will only check whether the current settings conform to these specifications. Here, however, action=fixall tells Cfengine to modify the current settings if necessary to match the specified ones.

The second entry causes all files with an extension of .dat under /home to be compressed. The third entry creates the file /var/log/messages if it does not exist.

The files action can also be used to verify the integrity of system executables in /usr/bin:

   ChecksumDatabase = ( /usr/local/admin/cfengine/cksums )

   /usr/bin checksum=md5 exclude=*.sav action=warnall

The database file used to store the correct checksums for files is specified in the control section, and the checksum option in the files entry specifies that the comparison be made. The first run records the checksums of the files under /usr/bin (except those matching *.sav) into this database; later runs compare against it, and with action=warnall a warning is issued for each file whose checksum no longer matches (nothing is modified). The check is only as strong as the baseline: build the database on a known-good system and protect it from modification, since an intruder who can rewrite it can simply record the checksum of a replaced binary.
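To make the baseline-and-compare behaviour concrete, here is an added example in Python that is not from the article or from Cfengine: it builds a checksum database for a directory tree, stores it as JSON, and reports discrepancies the way action=warnall would. The tree, file names and tampering in demo() are constructed for the demonstration; the digest defaults to SHA-256 rather than the page's md5 because md5 collisions are now practical.

```python
import fnmatch
import hashlib
import json
import os
import tempfile


def _excluded(name, exclude):
    # exclude= patterns are shell globs applied to the base name, as in
    # Cfengine's exclude=*.sav.
    return any(fnmatch.fnmatch(name, pat) for pat in exclude)


def file_digest(path, algo):
    # Hash in chunks so large binaries need not fit in memory.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exclude=(), algo="sha256"):
    """Record a digest for every regular file under root (recurse=inf).

    The page's config uses md5; sha256 is the default here because md5
    collisions are practical, so md5 no longer proves a file is unchanged.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if _excluded(name, exclude) or os.path.islink(path):
                continue
            baseline[os.path.relpath(path, root)] = file_digest(path, algo)
    return baseline


def save_baseline(baseline, db_path):
    # Plays the role of ChecksumDatabase: create it on a known-good host
    # and keep it where an intruder cannot rewrite it.
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def verify(root, baseline, exclude=(), algo="sha256"):
    """action=warnall: report every discrepancy, modify nothing.

    Returns (kind, relative path) tuples for files whose digest changed,
    baselined files that are gone, and files that were never baselined.
    """
    current = build_baseline(root, exclude, algo)
    warnings = []
    for rel, digest in sorted(baseline.items()):
        if rel not in current:
            warnings.append(("missing", rel))
        elif current[rel] != digest:
            warnings.append(("changed", rel))
    for rel in sorted(set(current) - set(baseline)):
        warnings.append(("new", rel))
    return warnings


def demo():
    """Baseline a constructed 'bin' tree, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        for name, body in (("ls", b"#!/bin/sh\nexec /bin/ls \"$@\"\n"),
                           ("cp", b"#!/bin/sh\nexec /bin/cp \"$@\"\n")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        db = os.path.join(tmp, "cksums")
        save_baseline(build_baseline(bindir, exclude=("*.sav",)), db)

        # Constructed intrusion: ls is modified, a new binary appears, and
        # a backup with the excluded .sav suffix is left behind.
        with open(os.path.join(bindir, "ls"), "ab") as f:
            f.write(b"echo tampered\n")
        with open(os.path.join(bindir, "evil"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        with open(os.path.join(bindir, "ls.sav"), "wb") as f:
            f.write(b"old copy\n")

        return verify(bindir, load_baseline(db), exclude=("*.sav",))


if __name__ == "__main__":
    for kind, path in demo():
        print("warning: %s %s" % (kind, path))
```

Running it prints a warning for the changed ls and the unexpected evil; ls.sav is silent because it matches the exclude glob, exactly as *.sav would under the files entry above.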

The disable action causes Cfengine to rename files which ought not to be present on this system:

   home/.rhosts inform=true
   /var/log/messages rotate=6

The first entry causes Cfengine to rename the indicated file if it exists, adding the extension .cfdisabled so that it can no longer be used. The special directory keyword home refers to all user home directories, so this entry disables every user's .rhosts file (a file that grants password-less rlogin and rsh access from the hosts it names), and inform=true makes Cfengine report each one it finds.

The second entry illustrates another use for the disable section: log file rotation. The entry tells Cfengine to maintain six old copies of the /var/log/messages file. As with other log rotation facilities, the saved files are given the extensions .1 through .6, and the live file is emptied so that logging continues into a fresh one.

Finally, the processes action may be used to tell Cfengine to verify that important processes are running, restarting them if necessary, as well as to have Cfengine signal processes:

   "sendmail" restart "/usr/sbin/sendmail" useshell=false inform=true
   "inetd" signal=hup
   "kudzu" signal=kill
   "g02" matches<=2 signal=suspend action=bymatch inform=true

The first field in each entry is a pattern (a regular expression) which is matched against the output of the ps command. In general, Cfengine will apply the entry's specifications to each process whose ps line matches. Note that the match is made against the whole line, including the command's arguments, so a pattern such as "sendmail" also matches an unrelated process that merely mentions that string in its argument list; anchor the pattern to the command path when that matters.

The first entry causes Cfengine to determine if there is a sendmail daemon running. If not, one will be started using the specified command.

The next two entries specify signals to be sent to the inetd and kudzu processes if they are present.

The final entry causes Cfengine to search for processes matching the string "g02" and to count them. The entry specifies that the desired system state includes no more than two such processes. The action=bymatch option tells Cfengine to correct the situation when this condition is not met, according to the directives of the other options. In this case, if there are more than two such processes, i.e., if the desired condition specified by matches<=2 is not met, then it will suspend all of them (signal=suspend) and a message will be output indicating this.
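The following is an added example, written in Python for this page rather than taken from the article or from Cfengine, that re-implements the processes semantics just described over a constructed ps snapshot: count the lines a pattern matches, restart when nothing matches, signal matching PIDs, and enforce a matches constraint with action=bymatch. The sample ps output, PIDs and policy entries are all constructed. It also shows the pitfall noted above: a loose "sendmail" pattern is satisfied by a tail process reading sendmail.log, so no restart is planned until the pattern is anchored to the command path.

```python
import operator
import re

# Constructed `ps aux` output standing in for the managed host (not real data).
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ   RSS TTY   STAT START  TIME COMMAND
root         1  0.0  0.1  1540   520 ?     S    Jan01  0:04 init
root       412  0.0  0.2  2860   960 ?     S    Jan01  0:00 /usr/sbin/inetd
root       518  0.0  0.4  4400  1800 ?     S    Jan01  0:02 /usr/sbin/kudzu
alice     2210  9.3  2.0 51200 12000 pts/1 R    10:02  3:14 ./g02 --run 1
alice     2211  9.1  2.0 51200 12000 pts/1 R    10:02  3:10 ./g02 --run 2
alice     2212  9.0  2.0 51200 12000 pts/1 R    10:02  3:09 ./g02 --run 3
bob       2300  0.0  0.1  2100   600 pts/2 S+   10:05  0:00 tail -f /var/log/sendmail.log
"""

_OPS = {"<=": operator.le, ">=": operator.ge, "<": operator.lt,
        ">": operator.gt, "=": operator.eq}


def entry(pattern, restart=None, signal=None, matches=None,
          action=None, inform=False):
    """One processes: entry. matches uses the page's syntax, e.g. "<=2"."""
    constraint = None
    if matches is not None:
        m = re.fullmatch(r"(<=|>=|<|>|=)(\d+)", matches)
        if not m:
            raise ValueError("bad matches constraint: %r" % matches)
        constraint = (m.group(1), int(m.group(2)))
    return {"pattern": re.compile(pattern), "restart": restart,
            "signal": signal, "matches": constraint, "action": action,
            "inform": inform}


def matching_pids(ps_text, pattern):
    """PIDs of every ps line (header skipped) that the regex matches anywhere.

    This is the weak point of the scheme: the match covers the whole line,
    so a process that merely mentions the string in its arguments counts,
    and a process can be named to satisfy a liveness check.
    """
    pids = []
    for line in ps_text.splitlines()[1:]:
        if pattern.search(line):
            pids.append(int(line.split()[1]))
    return pids


def plan(ps_text, entries):
    """Return the actions the entries imply for this ps snapshot."""
    actions = []
    for e in entries:
        pids = matching_pids(ps_text, e["pattern"])
        if e["matches"] is not None and e["action"] == "bymatch":
            sym, n = e["matches"]
            if not _OPS[sym](len(pids), n):
                # Desired count not met: signal every matching process.
                if e["signal"]:
                    actions += [("signal", e["signal"], p) for p in pids]
                if e["inform"]:
                    actions.append(("inform", "%d processes match %s, wanted %s%d"
                                    % (len(pids), e["pattern"].pattern, sym, n)))
        elif e["signal"]:
            actions += [("signal", e["signal"], p) for p in pids]
        if e["restart"] and not pids:
            actions.append(("restart", e["restart"]))
            if e["inform"]:
                actions.append(("inform", "restarted %s" % e["restart"]))
    return actions


if __name__ == "__main__":
    policy = [
        entry("sendmail", restart="/usr/sbin/sendmail", inform=True),
        entry(r"\s/usr/sbin/sendmail(\s|$)", restart="/usr/sbin/sendmail"),
        entry("inetd", signal="hup"),
        entry("kudzu", signal="kill"),
        entry("g02", matches="<=2", signal="suspend", action="bymatch", inform=True),
    ]
    for action in plan(SAMPLE_PS, policy):
        print(action)
```

The first policy entry produces nothing because the tail process satisfies the loose pattern; the anchored second entry correctly plans a restart. A real agent would then exec the restart command without a shell (useshell=false) and send the signals with kill(2).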

Using a Configuration File for Multiple Systems: Classes

Cfengine uses classes to allow a single configuration file to be created for even large groups of systems. Classes serve to make parts of the configuration file conditional, dependent on the exact environment in which Cfengine is currently running.

Cfengine classes are made up of one or more of the following components:

  • An operating system keyword. These include: hpux, aix, solaris, freebsd, linux, osf, and NT. The cfagent -p -v command shows keywords defined for the current system.
  • A host name.
  • A host group name (as defined in the groups section)
  • A name of a day of the week.
  • An hour of the day, in the format Hrnn: Hr14 for 2:00 pm.
  • A minute of the hour, in the format Minnn: Min33 for 33 past the hour.
  • A five-minute interval, in the format Minnn_mm, where mm is nn+5: Min00_05 for the first five minutes of the hour. Note that nn must be a multiple of 5.
  • A quarter hour, in the format Qn: Q2 for the second quarter hour. This construct can also be combined with an hour: e.g., Hr02_Q3 for 2:30-2:44 am.
  • A day of the month, in the format Dayn: Day1 for the first.
  • A month name.
  • A year, in the format Yrnnnn: Yr2004 for 2004.
  • A locally defined class name, as in this example:
    addclasses = ( myclass )

The default class is any, which matches any host at any time. Unspecified time and date classes default to all. Multiple classes are joined by periods (AND logic) or vertical bars (OR logic); ANDs bind more tightly than ORs in the absence of parentheses. Date and time classes refer to the time that the associated Cfengine process started.

Here are some examples:

   Class specification          Matches ...
   solaris.Monday.Hr01::        Solaris systems on Mondays at 1:00 am
   aix|hpux::                   AIX and HP-UX systems
   aix.!vader::                 AIX systems except host vader
   December.Day31.Friday::      December 31, when it falls on a Friday
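As an added example (not code from the article or from Cfengine), here is a small Python evaluator for class expressions of the form shown in the table, together with a function that derives the date and time classes listed above from a timestamp. It implements the stated precedence (NOT binds tightest, then AND with '.', then OR with '|', parentheses override) and treats any as always defined. Host and operating-system classes are supplied by the caller; the host names and dates used in the demonstration are constructed.

```python
import re
from datetime import datetime


def time_classes(now):
    """The date and time classes Cfengine derives from the clock.

    Names follow the formats listed above: Hrnn, Minnn, Minnn_mm (mm = nn+5),
    Qn, Hrnn_Qn, Dayn, Yrnnnn, plus the weekday and month names.
    """
    quarter = now.minute // 15 + 1
    five = now.minute - now.minute % 5
    return {
        now.strftime("%A"),
        now.strftime("%B"),
        "Hr%02d" % now.hour,
        "Min%02d" % now.minute,
        "Min%02d_%02d" % (five, (five + 5) % 60),
        "Q%d" % quarter,
        "Hr%02d_Q%d" % (now.hour, quarter),
        "Day%d" % now.day,
        "Yr%d" % now.year,
    }


_TOKEN = re.compile(r"[A-Za-z0-9_]+|[.|!()]")


def class_matches(expr, defined):
    """Evaluate a class expression against the set of defined classes.

    '.' is AND, '|' is OR, '!' is NOT; '!' binds tightest, then '.', then
    '|'; parentheses override. 'any' is always defined. A trailing '::' as
    written in a configuration file is accepted and ignored.
    """
    expr = expr.strip()
    if expr.endswith("::"):
        expr = expr[:-2]
    if not re.fullmatch(r"[A-Za-z0-9_.|!()\s]*", expr):
        raise ValueError("illegal character in class expression: %r" % expr)
    defined = set(defined) | {"any"}
    tokens = _TOKEN.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "|":
            take()
            rhs = parse_and()        # always parsed, so syntax errors surface
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == ".":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        tok = take()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return value
        if tok is None or tok in ".|)":
            raise ValueError("unexpected token %r in %r" % (tok, expr))
        return tok in defined

    result = parse_or()
    if peek() is not None:
        raise ValueError("trailing input in %r" % expr)
    return result


if __name__ == "__main__":
    # Constructed host: a Solaris box named vader, at 01:05 on Monday 2004-12-27.
    host = {"solaris", "vader"} | time_classes(datetime(2004, 12, 27, 1, 5))
    for spec in ("solaris.Monday.Hr01::", "aix|hpux::", "aix.!vader::",
                 "December.Day31.Friday::"):
        print("%-28s %s" % (spec, class_matches(spec, host)))
```

Because the time classes are computed once from the start time, a long cfagent run keeps the classes it started with, which is the behaviour the paragraph above describes.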

Here is another copy section, which illustrates some simple Cfengine classes; a line ending in :: is a class label, and it applies to the entries that follow it up to the next label:

      linux::
         $(masteretc)/rc.config dest=/etc/rc.config o=root mode=644

      ShadowHosts::
         $(masteretc)/passwd server=$(pwdmaster) dest=/etc/passwd
            owner=0 group=0 mode=644 trustkey=true
         $(masteretc)/shadow server=$(pwdmaster) dest=/etc/shadow
            owner=0 group=0 mode=600 trustkey=true encrypt=true

The first copy operation will occur only on Linux systems, and it consists of copying the file rc.config from the location specified in the masteretc variable (defined elsewhere in the configuration file) to /etc and assigning the specified ownership and protection.

The second subsection applies only to the host group ShadowHosts, and it contains two copy specifications. They tell Cfengine to update /etc/passwd and /etc/shadow from master copies on the remote host named by the pwdmaster variable, with the required ownership and permissions, and encrypt=true causes the shadow password file to be transmitted in encrypted form. Remote copies are authenticated with Cfengine's public-key mechanism: each host's key pair is generated with the cfkey utility, which must be run before these features can be used, and the agent checks the server against the server key it has stored. The trustkey=true option relaxes that check for a server whose key the agent has not seen before: the key presented on first contact is accepted and stored (trust on first use), and later connections are verified against it. For a file as sensitive as /etc/shadow, distribute the master's public key out of band instead of relying on trustkey=true, since a host impersonating pwdmaster at the first contact would otherwise have its key accepted.
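To show why the first contact matters, here is an added example in Python that is not from the article or from Cfengine: a small pinned-key store modelled on the trustkey= behaviour just described, exercised with three constructed scenarios. The server name pwdmaster is the page's; the key strings are constructed placeholders standing in for public keys.

```python
class ServerKeyStore:
    """Pinned server public keys, standing in for the keys an agent keeps on
    disk after it has seen a server once. Keys are opaque strings here."""

    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})

    def check_server(self, server, presented_key, trustkey=False):
        """Decide whether to talk to server, modelled on the trustkey= option.

        Returns (accepted, reason). An unknown server is accepted only when
        trustkey is true, and its key is then pinned (trust on first use).
        A known server must present exactly the pinned key; trustkey never
        overrides a mismatch.
        """
        known = self.pinned.get(server)
        if known is None:
            if trustkey:
                self.pinned[server] = presented_key
                return True, "unknown server; key pinned on first use"
            return False, "unknown server and trustkey=false; refusing"
        if known == presented_key:
            return True, "pinned key matches"
        return False, "pinned key mismatch; possible impersonation of " + server


def first_contact_scenarios():
    """Three first contacts with pwdmaster; the keys are constructed."""
    genuine, rogue = "KEY-pwdmaster-genuine", "KEY-rogue-host"
    results = {}

    # 1. trustkey=true and the real server answers first: its key is pinned
    #    and a rogue key presented later is rejected, even with trustkey=true.
    store = ServerKeyStore()
    results["tofu_ok"] = store.check_server("pwdmaster", genuine, trustkey=True)[0]
    results["rogue_later"] = store.check_server("pwdmaster", rogue, trustkey=True)[0]

    # 2. trustkey=true and a rogue host answers first: the rogue key is
    #    pinned and the genuine server is rejected from then on.
    store = ServerKeyStore()
    results["rogue_first"] = store.check_server("pwdmaster", rogue, trustkey=True)[0]
    results["genuine_after_rogue"] = store.check_server("pwdmaster", genuine, trustkey=True)[0]

    # 3. Key distributed out of band (pre-pinned) and trustkey=false: the
    #    rogue host is rejected on first contact and only the genuine one passes.
    store = ServerKeyStore({"pwdmaster": genuine})
    results["prepinned_rogue"] = store.check_server("pwdmaster", rogue)[0]
    results["prepinned_genuine"] = store.check_server("pwdmaster", genuine)[0]
    return results


if __name__ == "__main__":
    for name, accepted in first_contact_scenarios().items():
        print("%-20s %s" % (name, "accepted" if accepted else "rejected"))
```

Scenario 2 is the failure mode: with trustkey=true the agent has no way to tell the rogue first contact from the genuine one, and the wrong key becomes the pinned one. Scenario 3 is what pre-distributing the key buys.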

We've only had space to scratch the surface of Cfengine's capabilities here. For more information about Cfengine, consult the following sources:

Æleen Frisch has been a system administrator for over 20 years, tending a plethora of VMS, Unix, Macintosh, and Windows systems. If you liked this article and would like to receive the free ESA3 newsletter, you can sign up at

O'Reilly & Associates released (August 2002) Essential System Administration, 3rd Edition.

