Configuration Management under FreeBSD with Cfengine 3

Table of Contents

• General Information
• Requirements
• Installation of Tinderbox
  • Apache configuration for Tinderbox
  • Database configuration for Tinderbox
  • Configuration of Tinderbox itself
    • 1. Setup of configuration files and database initilialization
    • 2. Web front-end configuration of Tinderbox
    • 3. Database schema creation of Tinderbox
    • 4. Setup of tinderbox.ph and inc_tinderbox.php
    • 5. Further configuration of the web front-end
    • 6. Initialize the Tinderbox
    • 7. Creating Tinderbox jails
    • 8. Building i386 packages on amd64 machine
    • 9. Creating a Ports Tree
    • 10. Creating Tinderbox builds
    • 11. Configuration of tinderd for port build scheduling
    • 12. Caching of distfiles
  • Using Tinderbox
• Installation of Cfengine 3
  • Building the Cfengine 3 package
  • Preparing the Cfengine 3 master servers
  • Installing the Cfengine 3 package
  • Preparing the Cfengine 3 Git repository
  • Basic configuration of Cfengine 3
    • 1. promises.cf
    • 2. update.cf
    • 3. failsafe.cf
    • 4. cf-serverd.cf
    • 5. cf-execd.cf
    • 6. cf-report.cf
    • 7. classes.cf
    • 8. cleanup.cf
    • 9. library.cf
  • Commiting the configuration to Git
  • Cloning the Git repository on the policy servers
  • Creating the authentication keys
  • Validating the Cfengine 3 promises
  • Enabling Cfengine 3 during boot-time
  • First time run of Cfengine 3!
  • Client configuration of Cfengine 3
    • Creating the ezjail(5) flavours of the environments
    • Creating the authentication keys for the clients
    • Starting Cfengine 3 on the clients
  • Example Cfengine 3 configurations
    • Domain configuration with Cfengine 3
    • Package management with Cfengine 3
    • Managing webservers with Cfengine 3
  • Additional information and resources

General Information

Administrating a couple of hundreds systems might easily become a tedious tasks, even for the very experienced system administrators.

Keeping a mindset where you automate every possible aspect of an Operating System and the tasks you do on it, is a must when you are responsible for that many (or even more) systems.

The FreeBSD Ports collection is a great thing to use when installing software distributions, but installing multiple ports on several hundreds of machines is not a pleasant tasks - it is time consuming, needs user attention, and not to forget - things might blow up.

Having central systems that take care of building the packages and then distributing them to all systems in the domain, not only saves the time needed to build a package, but also allows us to be more flexible in the package deployment, in the sense of having different environments - a TEST environment where we test the newly built packages, which we can later safely deploy to our production environment.

The following handbook is organized into different chapters, each of them outlining the steps needed to setup a certain part of our environment.

The first chapter takes a look into Tinderbox - a system for testing and building packages under FreeBSD. We will be using Tinderbox for building our packages, which will then be distributed to all the clients.

The second chapter is about Cfengine 3, which describes how to install and configure Cfengine 3 and put it's configuration under revision control with Git.

We will see how to automate a configuration deployment to our systems with Cfengine 3, and also do package installations and upgrades.

In the last chapter we will take a look into different examples of using Cfengine 3, and how to accomplish specific tasks with it.

Requirements

• root access or sudo rights
• Apache web server with PHP support. If you do not have Apache installed, you may consider checking the handbook for installing and configuring Apache
• FTP server for storing the Tinderbox packages. If you do not have an FTP server installed, you may want to check the handbook for installing and configuring vsFTPd
• Git repository for storing the Cfengine 3 configuration. The following handbook explains how to get Git installed on your FreeBSD system, if you do not have Git installed already.
• MySQL database for Tinderbox. If you do not have a MySQL database, consider checking the MySQL handbook, which explains how to install and configure MySQL under FreeBSD.

Tinderbox

Installation of Tinderbox

Tinderbox is a package building system system, which we will be using in order to build our packages and then install them to our FreeBSD hosts and jails.

The information you will find below more or less is part already of the Tinderbox README, although you will find some additional information here as well.

If you already have Tinderbox installed and configured, you may safely skip this chapter and proceed with the next one, where we take a look into Cfengine 3.

Please consider checking the documentation of Tinderbox in order to understand how Tinderbox works and what you can do with it.

Assuming you have installed Apache webserver with PHP support already, as it is listed in the requirements, let's go ahead and install Tinderbox.

# cd /usr/ports/ports-mgmt/tinderbox-devel && make install clean

NOTE: Please, note that LSOF option requires that you have the kernel sources to be present on your system.

You can safely leave the options as they are, and continue with the port build.

Once the installation of Tinderbox is over, you should see something similar:

===============================================================================
ports-mgmt/tinderbox is now installed, but it requires some additional setup.

****************************************************
Please do read: /usr/local/tinderbox/scripts/README
****************************************************

=============================================================================

If you installed the port with WITH_TMPFS option:
To enable the usage of FreeBSD's tmpfs implementation you need to add the
tmpfs kernel module to your /boot/loader.conf:
tmpfs_load="YES"

If you installed the port WITH_PARALLEL option:
The parallel patch allows to run multiple tinderd instances at the same time.
You can enable multiple tinderd instances via /etc/rc.conf with:
tinderd_instances="N"

Both patches are experimental and are not official supported by the Tinderbox
distribution.

=============================================================================


The following walkthrough is the webserver setup, if you installed the WebUI:

- In your Apache configuration add the following lines:

  Alias /tb/logs/ "/usr/local/tinderbox/logs/"
  Alias /tb/packages/ "/usr/local/tinderbox/packages/"
  Alias /tb/errors/ "/usr/local/tinderbox/errors/"
  Alias /tb/wrkdirs/ "/usr/local/tinderbox/wrkdirs/"
  Alias /tb/ "/usr/local/tinderbox/scripts/webui/"
  <Directory "/usr/local/tinderbox/">
      Order allow,deny
      Allow from all
  </Directory>

- In your Lighttpd configuration:

Turn on "mod_alias" and add the following lines:

alias.url = (   "/tb/logs/" => "/usr/local/tinderbox/logs/",
                "/tb/packages/" => "/usr/local/tinderbox/packages/",
                "/tb/errors/" => "/usr/local/tinderbox/errors/",
                "/tb/wrkdirs/" => "/usr/local/tinderbox/wrkdirs/",
                "/tb/" => "/usr/local/tinderbox/scripts/webui/" )
dir-listing.activate = "enable"


- In your Hiawatha configuration:

Alias is a built in command, no need to load any special mod

Alias = /tb/logs:/usr/local/tinderbox/logs
Alias = /tb/packages:/usr/local/tinderbox/packages
Alias = /tb/errors:/usr/local/tinderbox/errors
Alias = /tb/wrkdirs:/usr/local/tinderbox/wrkdirs
Alias = /tb/:/usr/local/tinderbox/scripts/webui

  Check your system by going to http://localhost/tb/

=============================================================================

===>   Compressing manual pages for tinderbox-devel-3.4.20110101
===>   Registering installation for tinderbox-devel-3.4.20110101

Now that Tinderbox is installed, let's continue with it's configuration in the next chapter.