On Nov 13, 2014, at 7:17 AM, John Stoffel wrote:
> This has been an awesome suggestion, and a discussion I've been
> following with a lot of enjoyment and hope to actually get off my ass
> and start deploying some sort of CM.
>
> I have compute clusters with identical systems which I'd like to bring
> into cohesion with each other, but the learning curve of cfengine2 and
> cfengine3 has always turned me off, even though I keep making half
> hearted efforts to deploy it.
>
> The other holdback is legacy systems. Lots of them. Old crufty
> Solaris 5.8 systems, slightly better 5.9 and now a group of Solaris
> 5.10 Sparc and x86_64 systems, along with 5.11 starting to appear.
> Sigh...
>
> The other big issue has been just getting the rest of the team to
> agree to use this setup. No sense in doing all this work if I'm not
> going to get anyone else to use it as well. Which is a management
> issue really, but the biggest stumbling block of all.
>
> So using chef/puppet/salt/ansible/blueprint all fall down on the
> legacy support. But maybe that's just me being too perfectionist
> here. But I do want to automate even these Sparc systems, esp the
> standalone Oracle servers which need accounts sync'd between them,
> though not all accounts on all systems.
>
> A pain. And the one which cfengine with its C base seems the best
> way to solve...
>
> So please keep up this discussion, and please keep posting solutions,
> pointers and maybe even recipes for some of this would be solved.

As someone else suggested in this thread, start with one file. Choose something
simple, that's probably the same or similar on all your hosts, and won't
completely break the system if you mess up. For example, ntp.conf. Set up a
simple config that looks something like:

    copy:
        any::
            $(cfroot)/etc/ntp.conf
                dest=/etc/ntp.conf
                type=checksum
                m=444 o=root g=root
                server=$(policyhost)

Before this, you'll need an update.conf and cfagent.conf, for which there are
standard examples. You should also be checking everything out of some kind of
revision control repository. Install cfengine on the designated policy host,
and get cfservd and friends running.

Then start deploying it to clients. Install cfengine, copy the update.conf to
it, and run cfagent. Play around with it, and when you have it working, set up
a call to cfexecd from cron. Then start distributing it more widely.

Next you can start controlling more files: resolv.conf, snmpd.conf, logrotate
configs, etc. You can get fancy by adding automated process control. For
instance, restart ntpd automatically if ntp.conf changes:

    copy:
        any::
            $(cfroot)/etc/ntp.conf
                dest=/etc/ntp.conf
                type=checksum
                m=444 o=root g=root
                server=$(policyhost)
                define=restart_ntpd

    shellcommands:
        restart_ntpd::
            "/etc/init.d/ntpd restart"

And keep it running if it ever dies for some reason:

    processes:
        any::
            "ntpd" restart "/etc/init.d/ntpd start"

Start controlling directory and file permissions, perform automated installs of
software packages, etc.

Finally, every time you build a system, take note of every single thing you
have to do by hand after the initial OS load. Put every step you can into a
cfengine config. The goal is to have cfengine take care of everything after the
OS is loaded, but you can get there at your own pace. Don't do it all at once;
it's too much, and you need to gain confidence in the tool. But keep pushing
and you'll get there.

BTW, at the point at which you put this into a cron job, your colleagues will
have to join in, because any changes they make to cfengine-controlled entities
will be wiped out the next time the cron job runs. Although they could just
disable the cron job if they get frustrated, so you definitely want to get some
buy-in.

- Leon