Note: cfengine 3 is a substantially revised version compared to cfengine 2.
Go to the website and download the rpm (http://www.cfengine.org)
[root@host]#rpm -ivh ./cfengine-community-3.0.5-1.el5.x86_64.rpm
After the installation finishes, check where the installed files were placed.
[root@h masterfiles]# rpm -ql cfengine-community
/etc/default/cfengine3
/etc/init.d/cfengine3
/usr/local/share
/usr/local/share/doc
/usr/local/share/doc/cfengine
/usr/local/share/doc/cfengine/ChangeLog
/usr/local/share/doc/cfengine/INSTALL
/usr/local/share/doc/cfengine/NEWS
/usr/local/share/doc/cfengine/README
/usr/local/share/doc/cfengine/cfengine_stdlib.cf
/usr/local/share/doc/cfengine/inputs
/usr/local/share/doc/cfengine/inputs/failsafe.cf
/usr/local/share/doc/cfengine/inputs/library.cf
/usr/local/share/doc/cfengine/inputs/promises.cf
/usr/local/share/doc/cfengine/inputs/site.cf
/usr/local/share/doc/cfengine/inputs/update.cf
/usr/local/share/doc/cfengine/promise_knowledge.cf
....
The default working directory of cfengine is /var/cfengine. The first step is to copy every file under /usr/local/share/doc/cfengine/inputs to /var/cfengine/inputs.
Next, go to /var/cfengine/inputs/bin and run cf-key:
[root@h bin]# ./cf-key
This generates the machine's public/private key pair in /var/cfengine/ppkey/.
Start cf-serverd.
cf-serverd is a daemon; once started it listens on port 5308. By default the cf-serverd command reads /var/cfengine/inputs/promises.cf. Its main control section is shown below.
body common control
{
bundlesequence => {
        "update",
        "main",
        "cfengine"
        };
inputs => {
        "update.cf",
        "failsafe.cf",
        "library.cf",
        "site.cf"
        };
}
update (update.cf) talks to cf-serverd in order to refresh every file under the local /var/cfengine/inputs.
main (site.cf) starts the local cf-monitord and cf-serverd.
cfengine (site.cf) updates some cfengine 2 configuration files and also inserts an entry into crontab:
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /var/cfengine/bin/cf-execd -F
cf-execd can be started either as a daemon or in foreground mode, which is what the cron entry above does (-F). cf-execd launches the local cf-agent, which applies the configuration updates.
Since cf-serverd is a server, it naturally has ACLs (access control lists). There are server ACLs (configured in site.cf) and file ACLs (configured in promises.cf).
### site.cf ###
bundle server access_rules()
{
access:
  "/var/cfengine/masterfiles"
       admit => { "192\.168\.0\..*" };
roles:
  ".*"   authorize => { "kluo" };
}

### promises.cf ###
body server control
{
allowconnects     => { "192\.168\.0\..*" };
allowallconnects  => { "192\.168\.0\..*" };
trustkeysfrom     => { "192\.168\.0\..*" };
# Make updates and runs happen in one
cfruncommand      => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent";
allowusers        => { "root" };
}
What the above says is: hosts in this IP range may connect to me in order to download everything under /var/cfengine/masterfiles. Adjust the IP addresses to your environment. Ignore the roles section for now.
First, put a few arbitrary files under /var/cfengine/masterfiles, for example test1.txt and test2.txt.
Next, run cf-agent by hand. cf-agent also reads /var/cfengine/inputs/promises.cf by default; edit the following fragments in it.
### promises.cf ###
bundle agent update
{
vars:
  "master_location" string => "/var/cfengine/masterfiles";
  "policy_server"   string => "192.168.0.100";
files:
  "/var/cfengine/inputs"
       perms        => u_p("600"),
       copy_from    => mycopy("$(master_location)","$(policy_server)"),
       depth_search => recurse("inf"),
       action       => immediate;
}

body copy_from mycopy(from,server)
{
source   => "$(from)";
servers  => { "$(server)" };
compare  => "digest";
encrypt  => "true";
verify   => "true";
trustkey => "true";
}
After cf-agent has run, you will find that test1.txt and test2.txt have appeared under /var/cfengine/inputs.
To be continued...
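As an added example (not part of the original post), here are the same three sections rewritten for the state after every client has completed its first run and exchanged keys with the server: the subnet-wide patterns that were needed for bootstrapping are narrowed to the hosts that were actually enrolled, and trust-on-first-use is switched off on both sides. The two client addresses 192.168.0.101 and 192.168.0.102 are constructed; the policy server is the 192.168.0.100 used above.

```cfengine
### promises.cf on the policy server (after enrollment) ###
body server control
{
# Only the two enrolled clients may connect (constructed addresses).
allowconnects    => { "192\.168\.0\.101", "192\.168\.0\.102" };
allowallconnects => { "192\.168\.0\.101", "192\.168\.0\.102" };
# trustkeysfrom is deliberately omitted: the client keys accepted on
# trust during the first run already sit in $(sys.workdir)/ppkeys, so
# no address may submit a new key on trust any more.
cfruncommand     => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent";
allowusers       => { "root" };
}

### site.cf on the policy server ###
bundle server access_rules()
{
access:
  # Same path as above, but admitted host by host instead of by subnet.
  "/var/cfengine/masterfiles"
       admit => { "192\.168\.0\.101", "192\.168\.0\.102" };
}

### promises.cf on each client ###
body copy_from mycopy(from,server)
{
source   => "$(from)";
servers  => { "$(server)" };
compare  => "digest";
encrypt  => "true";
verify   => "true";
# The server's key was accepted during the first run and is now in the
# client's ppkeys; a different key presented by $(server) makes the
# copy fail instead of being silently trusted.
trustkey => "false";
}
```

Keep the bootstrap versions from the post around for enrolling a new host, and switch back to these once its key is in ppkeys.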