The State of Open Source System Automation

The days of DIY system administration are rapidly coming to a close. Why? Because the open source tools available are just too good not to use. Presenting Bcfg2, Cfengine, Chef and Puppet.


Mark Burgess, the author of Cfengine, started his presentation by re-focusing the projector. The image was not blurry to start, just not completely in focus, and I had no trouble reading the prior presenter’s slides; but it was very crisp after the adjustment! Such attention to detail inspired my confidence.

Cfengine is the granddaddy of open source configuration management tools, dating back to 1993, when Mark worked as a part-time sysadmin at the University of Oslo, struggling to handle many different kinds of Unix and Unix-like systems.

Mark describes Cfengine as an agent-based change management system with “convergent” or “self-healing” behavior. (Cfengine will continuously return a system to the configured state, or keep it there if it’s already there. Put another way: regardless of where you start from, you can always get to the defined state.)

The Cfengine language is a largely declarative language for describing desired or “promised” states. Like Bcfg2, the language is a pragmatic mix of declarative and procedural.

Cfengine includes a self-learning monitoring framework (to deal with an unknown environment) and a knowledge management framework (to help handle the complexity of system configuration). Cfengine introduced the idea of “classes”, which are patterns in space and time and act as implicit if/then tests.

Examples of Cfengine Classes

  • The name of an operating system (Solaris or Red Hat Enterprise Linux)
  • Architecture (x86 or SPARC)
  • Time (Sunday, or 3 AM – 3:59 AM)
  • The name of a host, or a user-defined name of a group of hosts.
  • Any arbitrary string.

You can use Boolean logic with classes to select systems for a configuration promise. For example: Linux servers on x86 platform with -dev in the name should have their OS updated on Sunday at 3 AM.

Cfengine is model-based in the sense that you describe the model of the end state that you want.

Cfengine is self-documenting because you are using a declarative language.

Cfengine is lightweight (1.9 MB footprint). It has very few prerequisites (Berkeley DB library, crypto library and optional PCRE library). Today, Cfengine runs on everything from unmanned underwater vehicles to Nokia handheld phones to supercomputing clusters.

Because it’s a C binary with very few prerequisites, it has the largest span of systems it runs on out of all the open source CM tools.

At first, Cfengine was modeled as a computer immune system, helping a system stay healthy in an uncertain, changing, and possibly hostile environment.

The current philosophy of Cfengine is “promise theory”, where the defined state is promised by different system components (such as files, packages, processes, etc.), and Cfengine is a “promise engine”, an engine for keeping promises.

Key Principles of Cfengine’s Design:

  • Voluntary cooperation, local autonomy. Cfengine allows local control of policy in anticipation of consensus building amongst human administrators. Voluntary cooperation is expected, so Cfengine always pulls policy, never pushes it. A policy push is indistinguishable from attack. (Cfengine has had 3 security vulnerabilities in 17 years due to this principle.)
  • Pragmatism. Work with what you’ve got: allow shell commands.
  • Resilience. Expect the unpredictable (therefore convergence back to promised state). Design allows for a single point of control without a single point of failure. (If a policy server goes away, the Cfengine agents on nodes will keep running using cached policy.)
  • Allow freedom. For example, allow use of package systems. Cfengine is about “constraint”, not “control”. The philosophy behind this is, “You do not control environments, you participate in environments.”
  • Convergence. Run Cfengine many times and the system should always get better and should never get worse. Always move closer to the promised state, or stay there. Stay there by always trying to move closer to it. (This counteracts the natural force of entropy, which would result in system state drift over time.)

Promise Theory

Promise Theory is based on the key principles of convergence and autonomy.

Everything is a promise in the Cfengine language. Files promise to be there (and are created or copied by Cfengine if they are not); packages promise to be installed; processes promise to be running.

Cfengine configuration is composed of promises and patterns. A class is an example of a pattern; a list of packages to be installed is another (see example below).

Another practical pattern in Cfengine is abstraction of promise details so you can see at a glance what is promised, and can still drill down if necessary to get the promise details.

For example:

Abstracted Promise

copy_from => my_secure_cp("myfile","myserver")

Promise Body (Like “Contract Body” – Contains Details)

body copy_from my_secure_cp(file,server)
{
source      => "$(file)";
servers     => { "$(server)" };
compare     => "digest";
encrypt     => "true";
verify      => "true";
force_ipv4  => "false";
collapse_destination_dir => "false";
copy_size => irange("0","50000");
findertype => "MacOSX";
# etc etc
}

How Does Cfengine Work?

  1. The agent wakes up and classifies its environment (time, network address, OS, group defined by LDAP, etc.). This sets up all the classes.
  2. The agent reviews and executes promises. It may download the latest promise policy from a server, or use its local copy. When executing the promises, Cfengine will make 3 passes, checking everything and fulfilling as many promises as it can. For example, if the SNMP package promises to be installed and the SNMP daemon promises to be running, then on the first pass Cfengine could install the SNMP package, and on the second pass it would start the daemon.
  3. The agent reports on success.
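The three steps above, together with class-based selection of promises, can be modeled in a few lines. This is an added example, not Cfengine code or anything from the presentation: the function names, the promise list and the package and daemon names are all constructed, and the daemon promise is deliberately listed before the package promise to show why more than one pass is needed.

```python
# Toy model of one agent run; not Cfengine code. All names are constructed.

def classify(hostname, os_name, arch, weekday, hour):
    """Step 1: compute the classes that are true on this host right now."""
    classes = {os_name, arch, weekday, f"Hr{hour:02d}"}
    if "-dev" in hostname:
        classes.add("dev_host")  # user-defined group class
    return classes

def package(name):
    """Promise that a package is installed: returns (check, repair)."""
    def repair(state):
        state["packages"].add(name)
        return True
    return (lambda state: name in state["packages"]), repair

def process(name, needs_package):
    """Promise that a daemon runs; repair fails until its package exists."""
    def repair(state):
        if needs_package not in state["packages"]:
            return False
        state["processes"].add(name)
        return True
    return (lambda state: name in state["processes"]), repair

# (guard classes, promiser, (check, repair)); daemon listed first on purpose.
PROMISES = [
    ({"linux"}, "snmp daemon running", process("snmpd", "snmp")),
    ({"linux"}, "snmp package installed", package("snmp")),
    ({"solaris"}, "other-os package installed", package("other")),
]

def agent_run(classes, state, passes=3):
    """Steps 2 and 3: up to three passes over the promises, then a report."""
    report = []
    for n in range(1, passes + 1):
        for guard, promiser, (check, repair) in PROMISES:
            if not guard <= classes or check(state):
                continue  # promise not selected here, or already kept
            outcome = "repaired" if repair(state) else "not kept"
            report.append((n, promiser, outcome))
    return report

if __name__ == "__main__":
    host = classify("web-dev01", "linux", "x86_64", "Sunday", 3)
    state = {"packages": set(), "processes": set()}
    print(agent_run(host, state))  # first run repairs over two passes
    print(agent_run(host, state))  # second run finds nothing to do
```

A second run over the same state produces an empty report, which is the convergence property: once the promised state is reached, further runs change nothing, and any later drift is repaired on the next run.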

Cfengine Promise: Install the Postfix Package:

packages:
  "postfix"
     package_policy => "add",
     package_method => yum;

Cfengine Promise: Install Multiple Packages.

First, create a variable of type “list of strings” named @match_package.

Second, use an implicit loop over each element of the list (as in Perl, @var is an array and $var is a scalar/string), and promise that each package is added using YUM.

Loops are implicit in Cfengine; this is a powerful abstraction.


vars:

  "match_package" slist => { "package1", "package2" };   # placeholder package names

packages:

  "$(match_package)"
         package_policy => "add",
         package_method => yum;
