Cfengine + Dapper + Rails == Nirvana? Pt 1 of 3

I’m about to be without a sys admin on my team. That totally sucks for me :(

That means that I’m stuck doing a lot more sys admin work than I would like. Normally this wouldn’t bother me, but right now I have a lot of development projects in play. They all have different deployments and it means there are a lot of details to manage. In the long run, that translates to making it harder to get someone to take it over when I do get a new sys admin.

So in the interim - I figured I’d take some time and get things a little more ship shape. Enter Cfengine. Basically, this is a tool you can use to audit, manage, and maintain servers under your control. In my case, I’m going to be focused on a set of machines that will operate as a Ruby On Rails cluster.

Although my final deployment will be focused on doing multiple web heads and replicating database servers, this series of posts is going to focus on the simple two server configuration.

web1.ubuntu.com - The web server
db1.ubuntu.com - The MySQL database server.

Please note I don’t own ubuntu.com. But if you are following the examples you’ll be setting up a hosts file to make resolution work - so it doesn’t really matter. I have no idea how to do that on Windows or Mac OSX - but I’m sure someone will figure it out.

This is part one. It will deal with the pre-setup. Part two will focus on some of the most basic cfengine stuff. Part three will show it all working together so you can actually “rake deploy” to your little virtual cluster.

Read on for more details…

More about Cfengine

I was warned a lot about Cfengine. It was described as technology that can very easily remove your fingers. Basically you have to keep in mind this tool is designed to handle a lot of very, very complicated situations. When you are first getting started that can make things difficult to wrap your head around. I’m going to try to step through it all in a way that gets you up to speed with the minimal amount of pain.

Push Me Pull You

Right off Cfengine starts off weird. It is designed as a pull system. Meaning, each server in the group polls some master configuration server (which can also be under management). There is a command - cfrun - which can be called to poke each server and tell them to pull but it doesn’t push things.

This is actually a good thing. With pushing, you have to make sure that each server you want to talk to is up and available. With pulling, you can know that eventually the server will get into conformance once it gets around to talking to the master config server.

Great Overview

I started with this pdf. It is basically a chapter from a book on how to use Cfengine. It explains a bunch of the concepts and even models some of the start up configs. I thought it was a great overview. I’m going to be starting from a similar place, but my goal (to deploy a Ruby on Rails app) is more specific than what he goes through in the sample chapter.

Playing Along At Home

I’m doing this entire experiment in a way that makes it easy for you to play with it at home. I’m going to be using VMWare Player to run virtual servers to manage.

To do that you need the player: Get VMWare Player. Or, if you are running Dapper, just:

apt-get install vmware-player vmware-player-kernel-modules

In all the examples I’m going to be doing, the IPs are as follows:
gateway 172.16.251.2
web1 172.16.251.129
db1 172.16.251.131

I set up all the networks as NAT (Set by right clicking on the Ethernet button in VMWare).

I modified /etc/vmware/vmnet8/nat/nat.conf

[host]
ip = 172.16.251.2
netmask=255.255.255.0

Restart vmware if you need to make this modification.

The servers I’m deploying on are my standard Dapper Drake Ubuntu servers. To get images for them:

Go Here To Get Ubuntu For The Player
Notes: There is no root account. Login as user “notroot”, password is “thoughtpolice”

Once I got the image down I extracted it. The server seems to be using a DHCP address by default. That doesn’t work well for Cfengine which requires that servers keep to their IP addresses.

I copied the image twice, naming one folder db1 and the other web1. I then edited a file in each called “ubuntu-server-6.06-i386.vmx”.

I commented out the floppy0 line (I don’t have a floppy). And I modified displayName to be either “db1.ubuntu.com” or “web1.ubuntu.com”

Do the following to each machine - from start to finish. Basically when you copy images the system sometimes doesn’t recognize their new MAC addresses yet. If you reboot them, the problem usually gets fixed.

Become root and modify the following files:

/etc/hostname (set to either web1 or db1)
/etc/hosts - needed to add both

Example from db1
127.0.0.1 localhost
127.0.1.1 db1.tiemendorf.com db1

172.16.251.129 web1.ubuntu.com web1
172.16.251.131 db1.ubuntu.com db1

/etc/resolv.conf (make sure it points to 172.16.251.2)

Configure the network. In my case, I had to remove eth0 and set up a static eth1.

/etc/network/interfaces (from db1)
auto lo
iface lo inet loopback

auto eth1
iface eth1 inet static
address 172.16.251.131
gateway 172.16.251.2
netmask 255.255.255.0

I modified /etc/apt/sources.list - uncomment all the lines with universe in them, and comment out the line about deb cdrom.

Once this is done - you have to run:

apt-get update
apt-get install cfengine2

Reboot and go on to the next server.

In my actual lab, I built an image that had a neutral ip (x.x.x.135) and then put a special script on that would make it easy for me to turn any image into a given role, but that’s only really useful if you are planning on making a lot of images.

Getting Down To Business

You now have two servers that both have cfengine. They can’t do anything yet because they haven’t been configured and they haven’t exchanged keys.

There are two paths you can follow. One is to install sshd on the servers and use ssh to transfer the keys back and forth. This isn’t bad but it means later when you set up cfengine you have to make sure it handles all the sshd stuff or when you restore a box from bare metal you will be missing a package. The other is to scp the key to a third box and then copy it down. I chose this path.

On each box:

cd /var/lib/cfengine2/ppkeys
cp localhost.pub root-127.0.1.1.pub
cp localhost.pub root-{ip}.pub

You create the 127.0.1.1 key because Ubuntu has an entry for your server as 127.0.1.1 in the /etc/hosts file. The other one should be the IP for the box you are on (db1 = 172.16.251.131 or web1 = 172.16.251.129).

scp the root-{ip}.pub to a third box. On each box you need to have a copy of three pub keys for the localhost (localhost, 127.0.1.1, and its IP) and one key for each server it is going to talk to. So for our config you should end up with 4 public keys on each system.
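
Because the keys travel through a third box, it is worth checking the result before trusting it. The script below is an added example, not part of the original post or of cfengine: it audits a ppkeys directory for the four files described above and prints a fingerprint for each peer key. The function names audit_ppkeys and fingerprint are hypothetical, and it assumes sha256sum is installed.

```sh
#!/bin/sh
# Added example: audit a cfengine2 ppkeys directory after the manual key copy.
# Usage:   audit_ppkeys <ppkeys-dir> <own-ip> <peer-ip>...
# On db1:  audit_ppkeys /var/lib/cfengine2/ppkeys 172.16.251.131 172.16.251.129
# Prints one line per finding; returns non-zero if anything is wrong.

fingerprint() {            # SHA-256 of a key file, hex digits only
    sha256sum "$1" | cut -d' ' -f1
}

audit_ppkeys() {
    dir=$1 own=$2; shift 2
    bad=0
    if [ ! -f "$dir/localhost.pub" ]; then
        echo "MISSING localhost.pub"; return 1
    fi
    # The two local aliases must be exact copies of localhost.pub.
    for name in "root-127.0.1.1.pub" "root-$own.pub"; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; bad=1
        elif ! cmp -s "$dir/localhost.pub" "$dir/$name"; then
            echo "MISMATCH $name differs from localhost.pub"; bad=1
        fi
    done
    # Each peer key must be present and must not be our own key saved
    # under the peer's name (an easy slip when moving files via a third box).
    for peer in "$@"; do
        f="$dir/root-$peer.pub"
        if [ ! -f "$f" ]; then
            echo "MISSING root-$peer.pub"; bad=1
        elif cmp -s "$dir/localhost.pub" "$f"; then
            echo "WRONGKEY root-$peer.pub is a copy of our own key"; bad=1
        else
            # Compare this value with the fingerprint of localhost.pub
            # taken on the peer itself before trusting the key.
            echo "PEER $peer sha256=$(fingerprint "$f")"
        fi
    done
    return $bad
}
```

Run it on both boxes: the PEER fingerprint printed on db1 should equal the sha256sum of localhost.pub taken on web1, and vice versa.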

You’re now ready to start playing with Cfengine - which is exactly what we will do in the next installment.
