CFengine
CFengine is a program that helps distribute configuration files to many different machines. Its homepage is http://www.cfengine.org/ and its reference documentation can be found at http://www.cfengine.org/docs/cfengine-Reference.html. We run cfengine version 2.
Details
CFengine is run by a series of configuration files in /etc/cfengine on each machine. Quite cleverly, cfengine is used to push these files out too. All files are pulled over NFS from demeter:/srv/cfengine, which is mounted as /ug/nfs/cfengine on every machine. These files are technically a part of a CVS repository, but this hasn't been used for a long time. /srv/cfengine is broken down into several different hierarchies. Some of them are self-explanatory, but here are the important ones:
- global: Files that all machines need
- global/inputs: Actual cfengine configuration files. They are named by the service that they configure.
- hosts: Files that are specific to a host or a service are put here.
Once the configuration files are in place, you can run "cfengine" to have it process its directives. However, since running that on every machine would be tedious, there is a program called "cfrun" that lets you do it remotely. It uses public-key authentication to handle access control.
How to fix key auth
Sometimes the public key auth gets messed up. CFengine stores the keys in /var/lib/cfengine2/ppkeys. Each machine should have localhost.{pub,priv}. This is the keypair that it uses to identify itself. It may also have keys of the form <user>-<ip>.pub (where user is usually root). Most importantly, it should have one for demeter (root-131.215.176.66.pub). If the authentication is failing, you may have to replace demeter's public key.
On demeter, the directory contains public keys for all the other machines. If no key exists, cfrun will let you accept a key based on trust (which we usually do).
Shellservers get their keys copied from /srv/keys/<machine>.
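A quick way to check a client's key directory against the layout described above before replacing anything. This is an added example, not part of the original page: the function name `check_ppkeys`, the optional second argument (a copy of demeter's public key that you already trust, at whatever path you keep it) and the private-key permission check are assumptions added here.

```shell
#!/bin/sh
# Added example: audit a cfengine 2 ppkeys directory.
# Usage: check_ppkeys [ppkeys_dir] [trusted_copy_of_demeter_pubkey]
# Returns the number of problems found (0 = directory looks sane).

DEMETER_KEY="root-131.215.176.66.pub"   # file name as given on this page

check_ppkeys() {
    dir="${1:-/var/lib/cfengine2/ppkeys}"
    ref="${2:-}"    # optional trusted copy, supplied by the caller (assumption)
    problems=0

    # Each machine needs its own identity keypair, and neither file may be empty.
    for f in localhost.pub localhost.priv; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            problems=$((problems + 1))
        fi
    done

    # The private key should not be accessible to group or other.
    if [ -f "$dir/localhost.priv" ]; then
        perms=$(ls -ld "$dir/localhost.priv" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "PERMS: $dir/localhost.priv is accessible to group/other"
            problems=$((problems + 1))
        fi
    fi

    # demeter's public key must be present and, if a trusted copy is given,
    # byte-identical to it. A mismatch is the case where the key needs replacing.
    if [ ! -s "$dir/$DEMETER_KEY" ]; then
        echo "MISSING: $dir/$DEMETER_KEY"
        problems=$((problems + 1))
    elif [ -n "$ref" ] && ! cmp -s "$dir/$DEMETER_KEY" "$ref"; then
        echo "MISMATCH: $dir/$DEMETER_KEY differs from $ref"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: $dir"
    return "$problems"
}
```

Comparing against a copy fetched over a channel you already trust tells you whether a failing client simply has a stale key for demeter, rather than accepting a new key on trust.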