Archive for the ‘CFEngine’ Category

« Older Entries

Barcamp Rudder 2.4.0 – Portes ouvertes

Monday, February 20th, 2012

Cette semaine, de mercredi à mercredi (du 22 au 29 février donc), Normation va faire son premier Barcamp Rudder !

Mais qu’est-ce qu’un barcamp ? D’après Wikipedia :

Un BarCamp est une rencontre, une non-conférence ouverte qui prend la forme d’ateliers-événements participatifs où le contenu est fourni par les participants qui doivent tous, à un titre ou à un autre, apporter quelque chose au Barcamp. C’est le principe pas de spectateur, tous participants.

(Source et plus d’infos : http://fr.wikipedia.org/wiki/BarCamp)

L’objectif de cette semaine c’est d’améliorer Rudder, de faire qu’il nous plaît à tous, avant la sortie de la version 2.4.0 début mars, et travailler sur les sujets qu’on néglige parfois : communication, communauté, documentation, tests, qualité, ergonomie…

On profite de l’occasion pour faire une opération portes ouvertes : vous êtes les bienvenus chez nous tous les jours de 9h jusqu’à tard… Passez-nous faire un petit coucou, tester la dernière version de Rudder, nous donner votre avis, grignoter un morceau… Promis, on ne vous demandera pas vraiment de travailler :)

L’équipe de Normation au grand complet (9 personnes) vous donne donc rendez-vous tous les jours au 87 rue de Turbigo, 75003 Paris ! C’est au métro Temple sur la ligne 3 ou République sur les lignes 5, 8, 9 ou 11.

En particulier, un évènement communautaire autour de Rudder / CFEngine aura lieu jeudi soir pour se rencontrer et discuter (ou troller) autour d’un verre (ou deux).

Ca nous ferait très plaisir de vous voir ici alors n’hésitez pas à passer ! Si vous ne pouvez pas venir, rejoignez-nous sur IRC (#rudder sur FreeNode) ou suivez-nous sur Twitter (@normation et @RudderProject).

Tags: , , , , , , , , ,
Posted in CFEngine, Configuration Management, Development, Français, Rudder | 1 Comment »

Interactive key exchange with CFEngine

Tuesday, January 3rd, 2012

Here at Normation, we use CFEngine 3 extensively for configuration management across Linux and Windows servers.

CFEngine 3 is a very secure tool, that relies on keys to identify hosts and authorize connections. To set up a secure CFEngine infrastructure, you ought to exchange keys between hosts (note that if you don’t have confidential data on your promises, you can skip the security offered by the public key system).

(more…)

Tags: , , ,
Posted in CFEngine, Configuration Management | No Comments »

Configuration management tools for cloud computing (Open World Forum 2011)

Wednesday, September 28th, 2011

The Open World Forum 2011 edition took place last week in Paris. I was invited to present a workshop in the Cloud Computing track.

This gave me the opportunity to outline the importance of optimizing the “setup” phase of machines when using cloud computing.

Today’s tools and APIs make it very easy to create and destroy instances, but every time you do start a new instance, you’ve got to actually set it up to the state where it’s ready to do what you need (ie, be a web server, load balancer, database, whatever…).

This is an important phase to optimize: it’s the one where you’re paying for, but not yet able to use, the service :-)

Three approaches seem to co-exist here:

  1. Doing it manually: Obviously, this is one to avoid. Not only is it excessively time-consuming, but it’s also error-prone. (Ever tried doing the exact same complicated thing a dozen times over without making the odd mistake or going crazy?)
  2. Pre-configuring in static images: This is a very common approach. You know how you want things, so you set them up once, and make an image of that state (ISO, AMI, whatever…). You can then use your image to create your new machine just the way you want it, no time wasted! That’s great, but wears out over time -it’s a very brittle approach. If you ever need to change that configuration, not only will it take a while (get the image, change it, upload it again, etc…), but you also have no way of propagating the change to existing instances based on the old image.
  3. Using a configuration tool: That’s a deliberately vague title – I’m referring to any software approach to configuring your machine, be it a bunch of home grown scripts or a fully blown configuration management tool, such as CFEngine, Puppet or Chef.

If you’ve read any of the previous posts on this blog, you’ll know that we strongly favor the last approach :-)

Configuration management tools have many benefits over the previous approaches: using a dedicated, purpose-built tool to set up your servers means that you can reach new levels of control and flexibility, that you cannot achieve with static, brittle pre-built images. Need to make a change? Just update your reference configuration rules, and the change will be applied to all your instances, old and new, over the next few minutes.

Enough teasing, the slides below tell the rest of the story. I introduced the main tools I mentioned before, and provided a quick overview of how CFEngine works. Those at the session also got a sneak preview of our own open source project, Rudder, to be publicly announced very soon…

Configuration management: automating and rationalizing server setup with CFEngine 3 (Open World Forum 2011)
View more presentations from Normation

I’d welcome any comments on how you setup your cloud instances… and be happy to discuss all these topics at another open source conference in the future!

Tags: , , , , ,
Posted in CFEngine, Configuration Management, English, System administration, Uncategorized | No Comments »

“Gestion de configuration et disaster recovery avec CFEngine 3″ aux RMLL 2011

Friday, July 8th, 2011

Comme chaque début de juillet, nous [1] nous rendons aux RMLL (Rencontres Mondiales du Logiciel Libre). Ce millésime se tient à Strasbourg, du lundi 11 au mercredi 13 juillet pour les conférences techniques (un weekend grand public se tient avant).

Nous y présenterons une session mercredi à 14:40 (au Patio, Amphi 3), en français, pour raconter notre vécu de la gestion de désastre et comment la gestion de configuration nous a aidé à nous en remettre. On détaillera également les raisons de notre choix d’outil, qui a porté sur CFEngine 3.

En espérant vous y voir nombreux ! N’hésitez pas à venir discuter avec nous, avant ou après la session, et nous nous ferons un plaisir de partager avec vous les dernières avancées que Normation a créé autour de la gestion de configuration…

[1] Toute l’équipe de Normation sera aux RMLL !

Posted in CFEngine, Configuration Management, Disaster Recovery | No Comments »

Formations Cfengine 3 à Paris et Bruxelles

Tuesday, May 10th, 2011

Cfengine 3 est un logiciel de gestion de configuration open source très puissant, permettant de gérer efficacement des parcs informatiques de toutes tailles. Comme la plupart des outils complexe, un temps d’apprentissage est nécessaire pour l’utiliser au mieux.

Nous organisons des sessions de formation à Paris, les 15, 16 et 17 juin, et à Bruxelles les 4, 5 et 6 juillet.

Trois formules sont disponibles :

  • Matinée d’introduction à la gestion de configuration (demie-journée non-technique)
  • Fondamentaux Cfengine (2 jours)
  • Industrialisation Cfengine (Fondamentaux + 1 jour)

Le détail du programme et les tarifs sont disponibles sur notre site web.

L’inscription est ouverte, contactez-nous pour vous inscrire. Plus que quelques jours pour profiter du tarif early bird !

Normation est partenaire officiel de Cfengine AS, et réalise des formations Cfengine certifiées à travers le monde.

Tags: , , , , , , , ,
Posted in CFEngine, Configuration Management, System administration | No Comments »

Cfengine 3.1.5 is nearly out, what can we expect from it?

Thursday, April 28th, 2011

Here at Normation, we use Cfengine 3 extensively for configuration management across Linux and Windows servers. Cfengine 3 is an open source project, and as every good open source project, the trunk version is always available (but not always very reliable) and stable versions are released regularly. Prior to the release of a new version, a beta version is available, for the community to test and rule out any bugs in the stable version.

We’ve been testing this beta version, and we are quite thrilled about it. This post won’t go through every detail of the changelog (Eystein is much better at it that I would be) but will run over the changes that improve our ways of using Cfengine.

(more…)

Tags: , , , ,
Posted in CFEngine, Configuration Management, System administration | 4 Comments »

Why we use Cfengine: file editing

Monday, March 21st, 2011

Here at Normation, we use Cfengine 3 extensively for configuration management across Linux and Windows servers. A question we get often is why Cfengine?

I’d like to focus this post on file editing. Since Configuration Management has a lot to do with configuration files, file editing (either from a template, or just setting parameters) is one of the most common tasks.

(more…)

Tags: , , ,
Posted in CFEngine, Configuration Management | 1 Comment »

Cfengine tip: Keeping cf-execd alive (whatever happens)

Thursday, March 3rd, 2011

As good as your configuration management tool may be, it can only do it’s job if it’s running. Some tips on making sure this is the case, whatever happens.

Why just cf-execd?

With Cfengine, the “heavy lifting” is done by cf-agent, which is normally run on a regular interval by cf-execd (a daemon that runs all the time).

Frequently, servers will also run two other daemons: cf-monitord (keeps statistics on a system) and cf-serverd (allows local file sharing, and remote on-demand execution of cf-agent). Common practice is to include in cf-agent‘s configuration a promise that ensures that the desired daemons are running, and start them if not.

This makes sense, but what happens if cf-execd gets stopped, and then cf-agent is never run again? Well, this should never happen of course. But, out there in the real world, stuff happens:

  • maybe you ran out of RAM, and OOM-killer picked cf-execd for some weird reason
  • an administrator unwisely killed cf-execd without really knowing what it does
  • possibly you messed up your configuration and had it automatically killed (after all, errors are human …)

OK, so how do you avoid that?

Enough rambling, here is what we do:

  1. Use a promise in the configuration that ensures the daemons we want running are indeed running, or start them if not
  2. Configure cron to check on cf-execd, and start it if it’s not running

The promise we use is derived from one provided with the Cfengine sources, as follows:

The above Cfengine example uses some interesting concepts:

  • A list of the daemon names to check, which is iterated over by each of the three following promises, and reused in their attributes.
  • Ordering: the first promise, a processes promise, checks if a daemon is running and defines a class if not; then, the second promise restarts the daemon if that class was set, and finally, a report is printed if the restart went OK.
  • Generic class names: whatever the daemons you want to check, these class names will automatically be set and read.

Last, but not least, here is the line we add to /etc/crontab:

Of course, we wouldn’t add that line manually, but instead, use a Cfengine promise to add it if, and only if it’s not already in /etc/crontab… This is a subject for another post, but here’s a sneak preview:

Using the above promises, you will ensure that the Cfengine components you want will always be running (or at least restarted if they stop). Of course, it’s probably a good idea to monitor these promises, so that you don’t end up with a start/stop fight…

Tags: , , ,
Posted in CFEngine, Configuration Management | 1 Comment »

Why we use Cfengine: memory footprint

Wednesday, February 23rd, 2011

Here at Normation, we use Cfengine 3 extensively for configuration management across Linux and Windows servers. A question we get often is why Cfengine?

This is phrased either as What is so great about Cfengine? or What is the difference between Cfengine and Puppet or Chef? (as a reminder of how these 3 projects are related, check out Relative origin of Cfengine, Puppet and Chef).

I’d like to focus this post on memory consumption. Since Configuration Management software runs an agent on each server you want to manage, you want to be careful about the extra resources you’ll need to run it…

Cfengine components

Before getting into the statistics, we need to know what processes we’re looking at.

The main Cfengine process that applies configuration to a managed node is named cf-agent. When this process is run, it reads it’s local configuration (called promises) and attempts to apply that to the local machine, by running various commands. Three daemons can be run to support this process:

  1. cf-execd: In charge of running cf-agent on a regular basis. By default, it fires up every 5 minutes, then reports any changes to the configuration by email. This daemon would normally be run on all managed nodes.
  2. cf-serverd: Acts as a server, accepting incoming connections from authorized machines, for two reasons: sharing files from the local machine (this is used on a policy server, less frequently on managed nodes) and allowing remote on-demand execution of cf-agent. It is often run on all managed nodes, to allow instant policy application or fetching generated reports, but it’s use is optional.
  3. cf-monitord: Collects system statistics, and makes them available to cf-agent so that it may apply different configuration based on a machine’s current status (for example, if a disk is getting full, run some housekeeping operations). It’s use is also optional, but highly useful.

Statistics

With no further ado, here is the memory consumption we get on our servers for each component:

Graph of RAM (RSS) used by cf-execd, cf-serverd and cf-monitord

Cfengine daemons memory consumption

We couldn’t get graphs for the actual cf-agent process – it’s runtime is just too short for the monitoring probe to pick it up regularly. Running it manually we see it’s memory consumption peaking at 10 megabytes of RAM, with a total runtime of roughly 1.5 seconds.

Analysis

I think the graphs speak for themselves – each Cfengine daemon uses around 3 megabytes of RAM, and doesn’t have any visible memory leak (valgrind does confirm this). The agent itself sees slightly higher peaks, at around 10 megabytes, for a few seconds every execution.

This is why we trust Cfengine to be run on nodes old and new alike, from physical machines with more gigabytes of RAM than you can use down to tiny virtual machines running on only 128 MB (I’m not sure why, but we have more of the latter… I’m told it’s a budget problem).

The CPU usage of Cfengine is also very lightweight – but much harder to graph. Various other optimizations allow it to be extremely non-intrusive… More on these topics soon!

Some details for the curious:

  • No restarts occurred over the graph period.
  • The promises running while graphed cover system basics: ensuring required packages are installed, configured and running (SSH, monitoring, everyday tools, vim, etc), creating users, checking their passwords, copying SSH keys, and the like.
  • We run cf-agent every 5 minutes.
  • The graph is of RSS (Resident Set Size), or, in other words, the non-swapped physical memory used. The server was not using any swap at the time, so this is effectively the memory consumption of each process, excluding any shared libraries. The only shared libraries used are pretty standard on current UNIX systems: PCRE (Perl Compatible Regular Expressions) and BerkeleyDB, so they’re likely to be loaded already.
  • These graphs are based on Cfengine Community 3.1.4, currently the latest version.
  • Graph generated using Munin.

Tags: , , , , ,
Posted in CFEngine, Configuration Management | 3 Comments »

FOSDEM: Configuration Management wishlist

Saturday, February 12th, 2011

We were at FOSDEM in Brussels last weekend (OK, like every year, and like thousand of others – yes it’s that good an event!).

Alongside a huge number of interesting talks, events and people, of particular interest to us was the Configuration Management DevRoom, organized by James and Nigel from Puppet Labs. It hosted brilliant talks all day, ranging from introducing tools (Chef, Vagrant, Geppeto, FusionInventory, GLPI, OPSI, etc), best practives and real-world feedback from small companies up to the aviation industry.

We presented a session about Disaster Recovery, telling the tale of how things went massively wrong with our production systems, and how using configuration management saved us. The slides below include an introduction to Cfengine and some of the reasons why we chose it in 2009 and still love it.

A series of posts on this blog will go into more detail about these reasons in weeks to come – stay tuned!

A tale of Disaster Recovery (Cfengine everyday, practices and tools)

View more presentations from Normation.

Thank you to all those who could wake up early and attended the talk. The room was completely full, so for those who couldn’t get it because of the large attendance, apologies!

Two major wishlist items have come out of our experience:

  1. Backup and Configuration Management tools need real integration. Configuration Management is often highlighted as a life-saver for disaster recovery, but most people only go as far as automating service installation and configuration. Fully rolling out a service requires restoring backups too.
    • How can we automate our backup restoration?
    • How can we contact the “backup manager” to get the latest data and put it in the right place, the right way? (copy files, reload databases then restart services, or even update firewall rules)
    • How can we check whether our current data is up-to-date or not?
  2. Virtualization provisioning should be managed too. Our production systems rely on several big servers running many small virtual machines. Restoring these was the most time consuming aspect of our disaster recovery.
    • With abstraction layers such as libvirt now covering almost all modern virtualization systems, why do our configuration management tools not tie in to them better?
    • How can we define a list of virtual machines to set up, their parameters, the operating system to install and it’s installation settings, so that we can sit back and watch tools doing our work?

On this last point, I must mention that Cfengine Nova (the commercial version of Cfengine) already ties into libvirt to define virtual machines and change their settings. This is awesome, but installing the operating systems by hand is still a pain!

Any ideas or suggestions out there?

Tags: , , , ,
Posted in CFEngine, Configuration Management, Disaster Recovery | 1 Comment »

« Older Entries