Overview – SOE Cfengine v3.4.0 Dec 2013

What is Cfengine v3.4.0 UnixSOE Enterprise Suite v8.3 Cfengine v3.4.0 automates IT infrastructure to ensure the Availability, Security and Compliance of mission-critical applications and services Configuration tool – i.e. software for deploying and patching systems according to a policy. Policy is described using promises A language used to define policies and a run-time environment to interpret and implement these policies A low level language like Perl, Python or Ruby; it is a language of promises, in which you express very high level intentions Distributed solution that is completely independent of host operating systems, network topology or system processes Allow to create a single, central system configuration which will define how every host on your network should be configured, and to do so in an intuitive way.

UnixSOE Cfengine v3.4.0 capabilities It needs less virtual memory compare to other configuration tools lightweight - each binary is quite small and execution time is quite fast few dependencies (pcre, berkeleydb/tokyocabinet, openssl) Check and configure network interface Edit text files for system or users Make/maintain symbolic links Check and set file permissions Delete ‘junk’ files Automatic ‘static’ mounting of NFS files Checks for presence of important system files Controlled execution of user scripts Process management

UnixSOE Cfengine v3.4.0 Architecture cf-agent - Agent: Executes the promises.cf file; ensures that all promises are being kept cf-execd - Daemon: Starts the cf-agent process at a specified time interval. cf-serverd - Daemon: Provides network services; used to distribute policy and data files cf-monitord - Daemon: Collects system statistics cf-promises - Agent: Verifies CFEngine's configuration syntax cf-runagent - Agent: Contacts a remote system to run cf-agent cf-report - Agent: Extracts and presents report data in HTML,XML or graph formats cf-know - Agent: Builds knowledge maps based on promises and data

UnixSOE Cfengine v3.4.0 promises & policy CFEngine uses agents and language to perform automation and configuration tasks Instructions written in CFEngine syntax are known as promises One or more related promises can be written into a text file known as a policy The promise.cf file references policy files that each system will run in order to perform local automation, configuration and security tasks CFEngine maintains a desired system state on networked systems by utilizing client initiated pull technology; changes are never pushed or forced Networked CFEngine clients will check its policy server or hub (Nova Only) in order pull new policy changes when they are updated The cf-agent process verifies the promises.cf file, then applies the policies to ensure that all promises are being kept The cf-execd daemon starts cf-agent process on a regular intervals The cf-serverd runs on a hub or server and allows client systems to retrieve policy changes and files.

UnixSOE Cfengine v3.4.0 Supported OS Operating System Version Architecture Sun Solaris 8 Sun Sparc Solaris 9 Solaris 10 Solaris 11 HP-UX HP-UX11i HP PA-RISC HP-UX11i V2 (11.23) HP PA-RISC/ HP Itanium HP-UX11i V3 (11.31)  AIX AIX 5.3 IBM pSeries AIX 6.1 AIX 7.1 Linux RHEL Server 5.x x86-64 Architecture RHEL Server 6.x RHEL Workstation 6.x Suse 10 Suse11 Cent OS 5.x(5.5 onwards) Cent OS 6.x Oracle Enterprise Linux 5.x Oracle Enterprise Linux 6.x Zlinux Zlinux 6.x

UnixSOE Cfengine v3.4.0 – What is New? New features Allow defining arrays from modules. Allow both `process_stop' and `signals' constraints in `processes' promises at the same time. cf-promises --gcc-brief-format option to output warnings and errors in gcc-compatible syntax which to ease use "go to next error" feature of text editors. cf-promises --parse-tree option to parse policy file and dump it in JSON format Iteration over lists is now allowed for qualified (non-local) lists Changes Major cleanup of database handling code. Should radically decrease amount of database issues experienced under heavy load For the older systems QDBM, which relies only on C89, is a better replacement, and deemed to be as portable, as Berkeley DB. Change of lastseen database schema. Should radically decrease I/O contention on last seen database Automatic reload of policies by cf-execd Documentation is generated during build, PDF and HTML files are retired from repository Rarely used feature retired: peer connectivity intermittency calculation Memory and CPU usage improvements Testsuite now uses 'make check' convention and does not need root privileges anymore

UnixSOE ES Cfengine v3.4.0 – What is New? (contd..) New Promise types Database promises, which allow to maintain schema of MySQL and PostgreSQL databases. Database promises are in "technical preview" status: this promise type is subject to change in future. Guest environments promises, which allow to manipulate virtual machines using libvirt. Services promises for Unix, allows abstraction of details on managing any service New Built-in Function dirname() to complement lastnode() lsdir() maplist() to apply functions over lists

Solution Pack Unix SOE & TI Services Questions & Feedback Product Support Helpline unixsoe@csc.com