Distributed Systems Administration Utilities User's Guide, Linux, March 2009

the client’s domain could be determined based on the client’s IP address or subnet, as
follows:
classes:
    # hosts in these IP address ranges
    xyz_domain = ( IPRange(10.0.0.1-15) )
    abc_domain = ( IPRange(192.0.0.1-254) )
control:
    xyz_domain::
        domain = ( xyz.example.com )
    abc_domain::
        domain = ( abc.example.com )
Use the cfagent -p (or --parse-only) flag to verify the syntax of update.conf.
4. Distribute the master update.conf to each managed client. This step is described in
“Configuring a Synchronization Managed Client” (page 38).
5. Create the master server's security keys. cfengine uses a public/private key exchange to
authenticate remote clients. A public/private key pair is generated on the master server and
on all managed clients. The public key for each managed client is copied to the master server,
and the master server's public key is copied to the managed clients. It is important to
exchange keys securely, using a tool such as secure copy (see scp(1)) or using tape or
CD-ROM. Start by generating the keys for the master server:
# /opt/dsau/sbin/cfkey
# cd /var/opt/cfengine/ppkeys
This creates the files localhost.pub and localhost.priv.
Copy the public key to root-master_server_IP_address.pub. For example, assuming
this system’s IP address is 10.0.0.5, use this command:
# cp localhost.pub root-10.0.0.5.pub
See “Configuring a Synchronization Managed Client” (page 38) for details on copying the
client keys to this master server.
6. On the master server, configure the cfservd daemon to start at system startup. Edit
/etc/rc.config.d/cfservd and change the line CSYNC_CONFIGURED=0 to
CSYNC_CONFIGURED=1. Optionally, if you want to be able to push changes out to the
managed clients using cfrun, replicate this change on all of the managed clients.
7. cfrun requires that the managed clients be listed in the file cfrun.hosts. In the default
configuration, this file is located in /var/opt/dsau/cfengine_master/inputs. Edit
it and add the hostnames of each managed client, one per line. It is simplest to make sure
that all the host names are fully qualified. When using fully qualified hostnames, the "domain
= " line is not required and can be deleted. If using unqualified hostnames, find the line
"domain = " variables and replace the token with the DNS domain of the master system.
This restricts all of the unqualified clients to be members of that single domain.
8. The file /var/opt/dsau/cfengine_master/inputs/cfagent.conf is the master
policy file. The default cfagent.conf includes the default cf.main template file with
examples of common synchronization actions for both standalone systems and Serviceguard
clusters. cf.main contains the POLICY HOST_NAME and domain = variables. Perform
the same edits described in Step 3 above.
Note that this default cf.main file performs no management actions. All the action lines
are commented out. This is a starting point for creating a custom set of cfengine policies and
actions for your managed clients. The cfengine reference manual that documents the syntax
and all the management actions defined in this file is located in /opt/dsau/doc/cfengine.
Other example cfengine configuration files that are included with the open source cfengine
distribution are located in /opt/dsau/share/cfengine/examples.
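
The key handling in step 5 can be checked after the copy. The following shell functions are an added example, not part of this guide or of cfengine: they audit a ppkeys directory for a private key accessible to group or other, for public key files not named root-<IPv4>.pub, and for a missing copy of localhost.pub. The function names and the choice of checks are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide): audit a cfengine ppkeys directory.
# Function names and the specific checks are assumptions of this example.

valid_ipv4() {
    # Accept only a dotted quad whose octets are each 0-255.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

audit_ppkeys() {
    # Prints one line per finding; return status is the number of findings.
    dir=${1:-/var/opt/cfengine/ppkeys}
    problems=0
    priv=$dir/localhost.priv
    if [ ! -f "$priv" ]; then
        echo "MISSING: $priv"; problems=$((problems + 1))
    # Columns 5-10 of the ls mode string are the group and other bits.
    elif [ "$(ls -ld "$priv" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $priv is accessible to group or other"
        problems=$((problems + 1))
    fi
    matched=no
    for pub in "$dir"/root-*.pub; do
        [ -f "$pub" ] || continue
        ip=${pub##*/root-}; ip=${ip%.pub}
        if ! valid_ipv4 "$ip"; then
            echo "NAME: $pub is not named root-<IPv4>.pub"
            problems=$((problems + 1))
        fi
        # Step 5 copies localhost.pub to root-<this host's IP>.pub.
        cmp -s "$dir/localhost.pub" "$pub" 2>/dev/null && matched=yes
    done
    if [ "$matched" = no ]; then
        echo "NOCOPY: no root-<IP>.pub matches localhost.pub"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: audit_ppkeys /var/opt/cfengine/ppkeys
```

Run it on the master server and on each managed client once the public keys have been exchanged; a status of 0 means no findings.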