Cfengine and package management

Anchor's automation specialist takes a moment to show off a simple enhancement to cfengine's management of host services.

Cfengine just gets better and better. In the last few versions, a new section, packages, has been added to the input language, which lets us test for the existence of a package by asking the operating system's package manager about it. The syntax is flexible enough that we can specify certain criteria about the package, and as you'd expect, we can define some classes based on the results of that test. Let's dive straight in:

control:

  DefaultPkgMgr = ( rpm )

packages:

  httpd

Awesome. We tell cfengine to use the Red Hat Package Manager, and then ask it to test if the package httpd is installed. Pretty simple, and right now as useful as a string condom -- the test occurs but nothing is done based on the results. Time to embellish:

packages:

  httpd_server::

    httpd version=2.0.40 cmp=ge
      elsedefine=httpd_install

shellcommands:

  httpd_install::

    "/usr/sbin/up2date httpd"
          useshell=false

We want to test on all those machines designated as httpd_servers (used for website hosting) that the installed version of httpd is greater than or equal to 2.0.40, using the package manager's package comparison algorithms. (Actually I don't know that for sure, but I'd hope that for the Debian package manager it does defer comparisons to dpkg --compare-versions.) If the package isn't installed or doesn't meet the version criteria, then define the class httpd_install. Finally, the defined class instructs cfengine to make sure that the package gets installed.
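Why the comparison has to follow package-manager ordering rather than a plain string compare, shown as an added example (not cfengine's or rpm's own code). It is a simplified segment-wise comparison in the style rpm uses, ignoring epoch, release and tilde handling; the host names and versions are constructed.

```python
import re

# A segment is a maximal run of digits or of ASCII letters; anything else separates.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def vercmp(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric segments compare as numbers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats a letter one
        if x != y:
            return 1 if x > y else -1
    # Shared segments all equal: the version with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def meets_minimum(installed, minimum):
    """Mirror of `version=<minimum> cmp=ge`; None means the package is absent."""
    return installed is not None and vercmp(installed, minimum) >= 0

def hosts_defining_install(inventory, minimum="2.0.40"):
    """Hosts on which the failed test would define httpd_install."""
    return sorted(h for h, v in inventory.items() if not meets_minimum(v, minimum))

def naive_false_passes(inventory, minimum="2.0.40"):
    """Hosts a plain string comparison would accept although they are too old."""
    return sorted(h for h, v in inventory.items()
                  if v is not None and v >= minimum and vercmp(v, minimum) < 0)

# Constructed inventory (host -> installed httpd version), not real data.
SAMPLE = {"web1": "2.0.9", "web2": "2.0.40", "web3": "2.0.52",
          "web4": None, "web5": "2.2.3"}

if __name__ == "__main__":
    print("would define httpd_install:", hosts_defining_install(SAMPLE))
    print("string compare wrongly passes:", naive_false_passes(SAMPLE))
```

A minimum-version rule is only as good as its ordering: the string compare lets the older 2.0.9 through because "9" sorts after "4".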

Previously we'd build our dedicated servers with just about everything installed, which is undesirable for a few reasons: backup sizes are unnecessarily large, as unused system software is indistinguishable from important software, and, as any piece of software carries a risk of being an attack vector, it's useful to reduce that risk by only having software installed that is actually used. Now we build bare systems, lock them down tight, and let cfengine (which already knows what services it needs to configure on a machine) take care of installing the required software options.