CFEngine, 4 years later
Normation – CC-BY-SA – normation.com
A song of code and configuration
Matthieu CERDA
Who are you ?
Name: Matthieu CERDA
Email: [email protected]
Web site: http://www.normation.com
Twitter: @Kegeruneku
Job: System engineer at Normation
CFEngine Enthusiast, power user and trainer
Rudder Integrator, packager
Infrastructure Team member
What are we going to talk about
CFEngine 3
● How we began with it, what we gained from it
● “Funky” use cases
● The future
Why CFEngine ?
● Few dependencies (LMDB, OpenSSL, [PCRE])
● Small memory footprint
● Highly compatible
● Working “close to the OS” (Can be seen as a flaw for some people)
http://www.cfengine.com | http://www.github.com/cfengine
CFEngine 3 : 20 % cooler !
● Created in 2009
● Complete rewrite from CF2
● Promise theory
● Based on what has been learnt from Puppet and CF2
● Alive and kicking !
Overview
[Figure: Puppet, Chef and CFEngine]
A long path 'till today !
● Learnt to use CFEngine properly
● Acquired knowledge about best practices, worked with great people
● Helped to build Rudder from the ground up
● Began working on ncf with Normation's team
● Became a trainer :)
The beginning
● Back to 2009 !!!
● Sparse documentation
● Inexperience
● Advice: Start small, to manage few machines
Funky example 1: Rug
● Rug was the default package manager on SLES 10 (it is now Zypper)
● Problem ? Rug relies on a Mono backend (ZMD) that hangs if you stress it too much or call it repeatedly...
● Needed a way to make an exclusion for this specific kind of machine !
2 – ALWAYS modularize when you can
● Example: Package installation definition
● Example: … and the “utility” bundle that goes with it !
A word about promises layout
● Everything begins with a bootstrap: cf-agent -B <my ip address>
● Never do everything in one file, always split your promises using a hierarchical order:
● Always separate utilities, zones and services
3 – Reporting is important
● Example: When something bad happens, you'll be happy to see where the problem is (without having to go for the debug output) !
=> You need a “verbose” mode.
● As always: modularization is important !
● Static and redundant reports are a good way to make your code fat and unreadable in the long term.
Funky example 2: Internal database bloat
● CFEngine uses a database to store internal state values (BerkeleyDB for < 3.3, TokyoCabinet for 3.3 to 3.5 and LMDB for 3.6+) => https://cfengine.com/dev/issues/2560
● BDB / TokyoCabinet bloat when reporting highly volatile values (for example, reporting a date with seconds every time)
● Result:
Solutions:
● Stop reporting all the time (Only report relevant changes)
● Mount the “state” directory on a RAMdisk http://blog.normation.com/en/2013/09/09/speed-up-your-cfengine-by-using-a-ram-disk
Bonus effect: Up to 2/3 times faster during I/O on databases
● Destroy the databases regularly (every month or week)
4 – Backup your stuff
● Example: When CFEngine does something with a file, you would like to keep a backup of this file beforehand
=> You need a backup repository.
https://cfengine.com/docs/3.5/reference-promise-types-files.html#repository
● File name is preserved, along with backup timestamp
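An example policy using the backup repository described above, added here and not taken from the original slides; the repository path, the /etc/motd target and the bundle and body names are assumptions chosen for illustration:

```cfengine3
body common control
{
  bundlesequence => { "motd" };
}

body agent control
{
  # Assumed path: backups of files changed by cf-agent are collected here
  # instead of being left next to the original file
  default_repository => "/var/cfengine/modified-files";
}

bundle agent motd
{
  files:
    "/etc/motd"
      create        => "true",
      edit_line     => motd_banner,
      edit_defaults => keep_timestamped_backup;
      # A per-promise  repository => "/some/dir"  attribute would override
      # default_repository for this file only
}

bundle edit_line motd_banner
{
  insert_lines:
    "This host is managed by CFEngine";
}

body edit_defaults keep_timestamped_backup
{
  # Rewrite the file from scratch, keeping a timestamped copy of the old version
  empty_file_before_editing => "true";
  edit_backup               => "timestamp";
}
```

Restrict access to the repository directory: it accumulates previous versions of every managed file, including ones that held credentials.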
5 – Tame the agent
● Example: You want to make sure CFEngine only operates in safe environments
=> You need a way to make CFEngine only operate in certain conditions
● CFEngine can be told to abort if certain conditions are not met
https://cfengine.com/docs/3.5/reference-components-cfagent.html#abortclasses
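An example policy using abortclasses as described above, added here and not taken from the original slides; the class names, the marker file paths and the bundle names are assumptions:

```cfengine3
body common control
{
  # The gate runs first, so an abort happens before any change is made
  bundlesequence => { "safety_gate", "risky_changes" };
}

body agent control
{
  # cf-agent stops the whole run as soon as a class matching
  # one of these regular expressions becomes defined
  abortclasses => { "abort_.*" };
}

bundle agent safety_gate
{
  classes:
    # Assumed convention: admins drop this marker on hosts cleared for management
    "abort_not_cleared"
      not => fileexists("/etc/cfengine-managed");

    # Assumed convention: /etc/nologin present means the host is under maintenance
    "abort_maintenance"
      expression => fileexists("/etc/nologin");
}

bundle agent risky_changes
{
  reports:
    "Safety gate passed on $(sys.fqhost), applying configuration";
}
```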
6 – Always a damn DNS problem (tm)
● Example: Name resolution for your network interfaces is not always working properly (AWS ?)
You need to make CFEngine ignore some interfaces
● CFEngine can be told to ignore some network interfaces if needed
● It is a workaround, not a solution !
BONUS STAGE: Beware of the almighty Cron
● A word of warning:
Cron(d) is not a configuration management engine !!!
● Easy to “fix” things quickly with a cron job
● KISS: Let every tool do its job, do not fall into the trap
Future
● Continue to improve Rudder
● Work on the ncf framework (See Jon's presentation !)
● Work with the Debian packaging team
● Train more people !
Questions ? :)