Notes on using CFEngine on Red Hat Linux.
Compiling CFEngine
Use cfengine.spec to build an RPM (RedHat Package Manager) package for CFEngine. A KickStart install can then install CFEngine like any other package.
CFEngine may break if the underlying Berkeley DB library changes version underneath it. Either compile the library in statically, or pin the CFEngine RPM to a specific Berkeley DB version with a dependency in the spec file, for example:
    Requires: db4 = 4.1.25
Stopping services
To stop a service, match it by process name, define a custom class when it is found running, and then use a shell command under that class to stop the service and disable it at boot. On systems that are not mail clients, Sendmail is instead kept enabled and running.
    processes:
        redhat.mail_client::
            "sendmail" define=kill_sendmail
        redhat.!mail_client::
            "sendmail" restart "/sbin/service sendmail restart"

    shellcommands:
        redhat.!mail_client::
            "/sbin/chkconfig sendmail on" ifelapsed=1439
        redhat.kill_sendmail::
            "/sbin/service sendmail stop; /sbin/chkconfig sendmail off"
PGP Key Management
For RPM signature verification, keep a directory of Pretty Good Privacy (PGP) public keys on the policy host and distribute it to clients with a copy action (checksum comparison, stale keys purged). When the copy changes anything, the rpm_pgp_keys_copied class is defined and update-rpm-keys installs the keys on the client.
    copy:
        redhat::
            $(masterfiles)/etc/rpm-pgp-keys
                dest=/var/cfengine/etc/rpm-pgp-keys
                owner=root group=$(zerogroup) mode=444
                recurse=1
                backup=false
                server=$(policyhost)
                type=checksum
                purge=true
                define=rpm_pgp_keys_copied

    shellcommands:
        rpm_pgp_keys_copied::
            "/usr/sbin/update-rpm-keys /var/cfengine/etc/rpm-pgp-keys"
More information on building packages, and on hosting them in a Yellowdog Updater, Modified (YUM) repository, is available separately.
Setting Environment Variables
Red Hat startup scripts take their settings from shell variables defined in the /etc/sysconfig/* configuration files. For iptables, /etc/sysconfig/iptables-config uses the IPTABLES_MODULES variable to list additional kernel modules (here, connection-tracking helpers) to load when the firewall starts. The following editfiles stanza shows a way to accumulate several values in this variable, one per defined class.
    editfiles:
        redhat::
            {
            /etc/sysconfig/iptables-config
            AutoCreate
            Backup "false"
            # Anchor on "=" so that only the IPTABLES_MODULES assignment is removed
            # (Red Hat's iptables-config also carries IPTABLES_MODULES_UNLOAD).
            DeleteLinesMatching "^IPTABLES_MODULES=.*$"
            BeginGroupIfDefined "amanda_server"
                AppendIfNoSuchLine "IPTABLES_MODULES=\"${dollar}{IPTABLES_MODULES:+${dollar}IPTABLES_MODULES} ip_conntrack_amanda\""
            EndGroup
            BeginGroupIfDefined "ftp_server"
                AppendIfNoSuchLine "IPTABLES_MODULES=\"${dollar}{IPTABLES_MODULES:+${dollar}IPTABLES_MODULES} ip_conntrack_ftp\""
            EndGroup
            BeginGroupIfDefined "tftp_server"
                AppendIfNoSuchLine "IPTABLES_MODULES=\"${dollar}{IPTABLES_MODULES:+${dollar}IPTABLES_MODULES} ip_conntrack_tftp\""
            EndGroup
            }
These ugly long lines result in the following iptables-config entries for a server that is both an FTP server and a TFTP server.
    IPTABLES_MODULES="${IPTABLES_MODULES:+$IPTABLES_MODULES} ip_conntrack_ftp"
    IPTABLES_MODULES="${IPTABLES_MODULES:+$IPTABLES_MODULES} ip_conntrack_tftp"
Each line appends its own module after whatever the previous lines have already accumulated: the ${IPTABLES_MODULES:+$IPTABLES_MODULES} expansion yields the current value when it is non-empty and nothing otherwise. So when the /etc/init.d/iptables startup script reads iptables-config, the IPTABLES_MODULES variable will contain ip_conntrack_ftp ip_conntrack_tftp, and both modules will be loaded.
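The effect of this stanza, as an added sh example that is not part of the original notes: it emulates the delete-then-append edit on a constructed copy of iptables-config for a given set of defined classes, then sources the result the way the init script does and reports the effective module list. It assumes the class and module names used above; the delete pattern is anchored on the "=" so that Red Hat's neighbouring IPTABLES_MODULES_UNLOAD setting is kept, and the file is a temporary copy, never the live /etc/sysconfig/iptables-config.

```shell
#!/bin/sh
# Added example, not from the original notes: emulate the editfiles stanza on
# a constructed copy of iptables-config, then read it back by sourcing it.

# Emulate DeleteLinesMatching followed by one AppendIfNoSuchLine per defined
# class. $1 is the config file; the remaining arguments are the classes
# (amanda_server, ftp_server, tftp_server) that are defined on this host.
render_iptables_config() {
    cfg=$1; shift
    tmp="$cfg.tmp"
    # Remove only the IPTABLES_MODULES= assignment; the "=" anchor keeps a
    # sibling setting such as IPTABLES_MODULES_UNLOAD intact.
    grep -v '^IPTABLES_MODULES=' "$cfg" > "$tmp" || true
    for class in "$@"; do
        case $class in
            amanda_server) mod=ip_conntrack_amanda ;;
            ftp_server)    mod=ip_conntrack_ftp ;;
            tftp_server)   mod=ip_conntrack_tftp ;;
            *) continue ;;      # class with no module to add
        esac
        line="IPTABLES_MODULES=\"\${IPTABLES_MODULES:+\$IPTABLES_MODULES} $mod\""
        # AppendIfNoSuchLine: add the exact line only when it is absent.
        grep -qxF -- "$line" "$tmp" || printf '%s\n' "$line" >> "$tmp"
    done
    mv "$tmp" "$cfg"
}

# Source the file as /etc/init.d/iptables does and print the effective module
# list with whitespace normalised (empty when no module line was added).
effective_modules() {
    ( unset IPTABLES_MODULES; . "$1"; set -- $IPTABLES_MODULES; printf '%s' "$*" )
}

# Constructed sample: an unrelated setting that must survive the edit and a
# stale IPTABLES_MODULES line that the edit must replace.
make_sample_config() {
    f=$(mktemp)
    printf 'IPTABLES_MODULES_UNLOAD="yes"\nIPTABLES_MODULES="ip_conntrack_irc"\n' > "$f"
    printf '%s' "$f"
}

# Stand-alone demonstration for a host that is both an FTP and a TFTP server.
if [ "${1:-}" = "demo" ]; then
    cfg=$(make_sample_config)
    render_iptables_config "$cfg" ftp_server tftp_server
    cat "$cfg"
    echo "effective IPTABLES_MODULES: $(effective_modules "$cfg")"
    rm -f "$cfg"
fi
```

Run it as "sh script.sh demo" to see the rendered file and the resulting IPTABLES_MODULES for an FTP-plus-TFTP host; running the render twice leaves the file unchanged, which is the idempotence the delete-then-append pattern relies on.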