System configuration with CFEngine 2


These pages cover using CFEngine version 2 to control Unix system configuration. Consult the reference and tutorial documentation included with CFEngine frequently when building out a CFEngine infrastructure.


Other Resources

See also the #cfengine channel on the Freenode IRC network.


Consult Infrastructures.Org and The Practice of System and Network Administration for big picture considerations of system configuration. Alternatives to CFEngine include: Bcfg2, isconf, puppet, and radmind. See also the comparison of open source configuration management software article on Wikipedia.

I strongly recommend against the use of graphical interface tools such as webmin. They have in my experience scaled poorly: many thousands of Domain Name System (DNS) records lead to laughable page load times, never mind the difficulty of editing, auditing, and testing entries trapped within the limitations of the captive web interface. Also, these tools create a dangerous layer of simplification between the actual files and processes being managed, thereby increasing the odds that the admin will remain ignorant of what is actually going on, and that the admin will therefore be unable to handle any software failures or complicated configuration needs that fall outside the limited scope of the interface. These tools may also complicate debugging efforts, unless the user of the tool knows how to translate any advice for directly interacting with the software or operating system into whatever (possibly unavailable) methods are presented by the configuration tool.

Encryption & Verification

CFEngine uses a custom scheme for encryption and verification of connections. Alternatives include running CFEngine over Secure Shell (SSH) (via OpenSSH) or Transport Layer Security (TLS) (via a wrapper like stunnel). SSH or TLS will be easier to set up and debug for most administrators, and they do not require learning a separate, CFEngine-specific way of achieving the same thing. Ideally, CFEngine should be fixed to use the standard TLS protocol internally.

CFEngine clients pull data from servers. The pull model has various advantages over pushing out updates. Using SSH or TLS, the CFEngine client connects to a port on the localhost interface, and the SSH or stunnel process forwards that connection, encrypted, to the CFEngine server.
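As an added example (not from the original page or from the CFEngine project), here is one way to build the stunnel tunnel just described, for stunnel 4: the client end listens on localhost and the server end hands decrypted connections to cfservd. Port 5308 is CFEngine's standard port; the hostname, file paths and the TLS listening port 5309 are assumptions.

```ini
; /etc/stunnel/cfengine-client.conf (assumed path), run on every managed host.
; cfagent is pointed at 127.0.0.1 instead of the policy server, so the managed
; host must not itself have cfservd listening on 5308.
[cfengine]
client  = yes
accept  = 127.0.0.1:5308
connect = policy.example.com:5309   ; assumed policy server name and TLS port
verify  = 2                         ; reject servers not signed by CAfile
CAfile  = /etc/stunnel/ca.pem       ; your private CA, not a public one
cert    = /etc/stunnel/client.pem   ; client certificate, so the server can demand it
key     = /etc/stunnel/client.key

; /etc/stunnel/cfengine-server.conf (assumed path), run on the policy server.
[cfengine]
accept  = 5309                      ; the only CFEngine port reachable from outside
connect = 127.0.0.1:5308            ; cfservd, reachable on loopback only
cert    = /etc/stunnel/server.pem
key     = /etc/stunnel/server.key
verify  = 2                         ; mutual TLS: refuse clients without a CA-signed cert
CAfile  = /etc/stunnel/ca.pem
; Caveat: cfservd now sees every client as 127.0.0.1, so per-host rules such as
; AllowConnectionsFrom in cfservd.conf no longer identify clients; host
; authorisation must come from the client certificates instead. Restrict cfservd
; to loopback (AllowConnectionsFrom = ( 127.0.0.1 )) and firewall port 5308 so
; the unencrypted service is never reachable directly.
```

On the managed hosts, point the copy actions in cfagent.conf at `server=127.0.0.1` so that cfagent never talks to the policy server except through the tunnel.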

Another approach: host the policy files on a regular web server, and require that clients verify a Pretty Good Privacy (PGP) signature before trusting the files.

Useful Tips

Mac OS X

CFEngine on Mac OS X.

OpenBSD

The ports system on OpenBSD 3.5 includes an old version of CFEngine, though version 2 can be built from source against the Berkeley DB package.

RedHat Linux

Running CFEngine on RedHat Linux.