This post was authored by Aleksey Tsalolikhin and has been re-published with his consent. I recently spoke at the Digital Media Educators Conference (DMEC) on Infrastructure Management at Scale and the skills educators need to impart to up-and-coming system administrators. This conference serves the California community college system, which is dear to my heart. My mother worked at the West Los Angeles College library her entire professional life in America, since we arrived in 1988. I used to volunteer and help her out with shelving in the summer. I was a very poor helper since I kept getting distracted by all the delicious books and did more reading than shelving. While in high school I took computer programming, math and English at West Los Angeles College and at Santa Monica Community College, at first during summer break and then concurrent with eleventh grade, which allowed me to go to University instead of going to 12th grade. So I have a personal connection to the California community college system and I jumped at the chance to contribute a talk.

Because my presentation was in the Data Representation track, I focused on Inventory and Compliance Reporting so I could show off CFEngine’s slick UI. I started by laying out CFEngine’s philosophic groundwork:

- Promise Theory and the advantages of voluntary cooperation and distributed work over the limitations of imposed direct control.
- The advantages of pull over push (see “Push versus pull” in Deconstructing the ‘CAP theorem’ for CM and DevOps by the author of CFEngine for more on this), and
- The Dunbar numbers, which constrain the quality and quantity of relationships sysadmins are able to have with their infrastructures.

The rest of the talk demonstrated how the design of CFEngine uses Dunbar numbers to focus the information it presents. We also talked about what computer system administration IS, what the challenges are, and how we handle them.
Then I introduced the CFEngine dashboard. I pointed out the header, which holds the host count (2, including the hub itself) and the health indicator (OK); the graph of changes made by CFEngine; the fact that both of our hosts have Software Updates available (1 alert triggered on 2 hosts); and that we have 100% compliance on promise compliance and system health (green check-marks).

The next slide, adding a third host (notice the hosts indicator up top), shows how the Alert for Software Updates changes to a 2/3 arc: right after the host is added, the hub only knows that 2 out of 3 hosts are missing software updates. Once the agent runs on the third host and the hub collects its report, the Alert changes back to a full circle, with 3 out of 3 hosts missing software updates.

The next slide illustrates how CFEngine communicates the severity of an alert: critical issues are indicated in red, less severe ones in orange (amber for you Aussies), and the mildest level is yellow. I induced a policy non-compliance situation on one of the three hosts (e.g., promised a file edit but prevented CFEngine from accessing the file by filling up the disk), so the Promise Compliance alert spans 1/3 of the circle (1 out of 3 hosts).

Notice also that if CFEngine is unable to collect reports from a host, or if an agent stops running on a host, the health indicator at the top of the screen changes from OK to a red number indicating the number of issues. You can see the number and type of issues. Notice that the Dunbar numbers are in play here: CFEngine tells you there are issues, and if you want more data, you can have it. But it doesn’t throw all the detail at you at once; that would be too much. You can get more detail on which hosts are not reporting by selecting “Hosts not reporting” from the health indicator menu. You can then select a host in the list of hosts not reporting to see the info for that host (host detail). That actually takes us to the “Hosts” tab.
The “Hosts” tab starts in the “all hosts” view, where you see the promise compliance summary for your infrastructure. You can list the hosts that have less than 100% compliance, and you can see which promises were not kept on each host. And that takes us to the “Reports” tab.

There are many reports available, but let’s take a look at the Inventory Report. It starts out with four basic columns, but you can add more. You can extend inventory collection by writing CFEngine promises; for example, here I’ve added inventory of the host’s timezone. Let’s say our company policy says all hosts must be in the UTC timezone, but in reality we have a mix. You can sort the column contents by selecting the column heading; this groups the outliers and brings them into view. You can graphically summarize column contents by selecting “Chart Data”. Voila! Hover over a slice to get more detail, or switch to column view. The charts can be exported and embedded in reports to management, auditors, etc.

Want to give CFEngine Enterprise a try? It’s very easy to download and install the hub package. Feel free to email me if you have any questions!
By now you have probably heard about the Badlock vulnerability (CVE-2016-2118) in the DCE/RPC-based SAMR and LSA protocols used in the Microsoft Windows Active Directory infrastructure, as well as other critical security flaws in Samba. With CFEngine Enterprise you can simply tag any variable or class, and Mission Portal’s Inventory reporting interface will automatically be extended with the new attributes. This makes it easy to identify vulnerable hosts. Dashboard alerts can be created to alert on vulnerable hosts for specific subsets of your infrastructure, and they can be integrated with other systems; for example, you could automatically open an issue in Jira when vulnerable hosts are found. If you would like to use CFEngine to detect, repair and report on Badlock in your infrastructure, we have prepared some policies you can use:

- Badlock reporting and remediation policy
- Implementation Tutorial
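The inventory mechanism used in both posts above (the timezone column in the Inventory Report, and tagging a variable or class so Mission Portal picks it up) looks like this in policy. This is an added example written for this page, not policy from the original posts or from the Badlock remediation bundle; the bundle name, the class names and the /bin/date path are assumptions.

```cf3
body common control
{
  # Run only this bundle so the file can be tested stand-alone:
  #   cf-agent -KIf ./inventory_timezone.cf
  bundlesequence => { "inventory_timezone" };
}

bundle agent inventory_timezone
{
  vars:
    # Collect the host's timezone abbreviation (path to date(1) is assumed).
    # The "inventory" tag plus attribute_name=... makes this variable appear
    # as a "Timezone" column in Mission Portal's Inventory Report.
    "timezone"
      string => execresult("/bin/date +%Z", "noshell"),
      meta   => { "inventory", "attribute_name=Timezone" };

  classes:
    # Hypothetical compliance class: the company policy in the post says UTC.
    # A tagged class shows up in inventory too, so you can filter or alert
    # on hosts where it is defined instead of eyeballing the column.
    "timezone_noncompliant"
      not  => strcmp("$(timezone)", "UTC"),
      meta => { "inventory", "attribute_name=Timezone noncompliant" };

  reports:
    timezone_noncompliant::
      "$(sys.host) is in timezone $(timezone); policy requires UTC";
}
```

Sorting or charting the "Timezone" column groups the outliers as described in the talk, while a dashboard alert on the tagged class covers the hosts the chart would hide.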
Each year we like to take a moment to recognize outstanding community members for their contributions. Contributions range from code contributions to core, organizing community meet-ups, giving talks about CFEngine at conferences and sharing policy, to helping other users on the mailing list and on IRC. This year the Community Advisory Board was responsible for selecting champions from the nominations, and it is my honor to announce the 2015 CFEngine Champion Hall of Fame inductees. Congratulations, and thanks for all of your efforts!
We’re happy to announce that CFEngine 3.8.0 non-LTS beta is now ready for testing! The established CFEngine release schedule shows that the 3.8.0 final version is due before January 2016, so it’s time to test and fix any remaining issues. Please note that this is a non-LTS release, which means that it is maintained for 6 months from the release date and not supported for CFEngine Enterprise customers, but packages are available for testing.
1, 2, 3.7 GO! CFEngine 3.7 was released just over a week ago and one of the neat things with 3.7 is the new augments_file also known as def.json or overrides. What’s so neat about it? It’s going to make your future policy upgrades easier! I will be using the CFEngine Enterprise Vagrant Environment because it’s a really quick and easy way to stand up a test environment. Here is my fresh 3.7.1 environment.
Looks like my instances are ready to go
As CFEngine continues its evolution and adds to the large number of users with a stake in the future of the project, we have established a Community Advisory Board. The aim of the Community Advisory Board is to advise CFEngine AS and the CFEngine project core committers and team leadership on matters relating to supporting the long-term governance, structure, and roadmap of the CFEngine open source project. The Community Advisory Board is not intended to replace existing mechanisms for community input but instead augment it and provide a consolidated opinion from the broader CFEngine community. Feel free to discuss your hopes, dreams, and concerns with any board member. Any outside party may bring an issue before the CFEngine Community Advisory Board by emailing communityadvisoryboard@cfengine.com. The following candidates were selected based on past contributions:
With the slew of recent security issues in the news, like the Supermarket Point of Sale compromises (not once but twice), other large retailer card breaches, and the famed Heartbleed vulnerability, we want to share an example of how CFEngine can be used to quickly identify and remediate affected systems. In our documentation, please find the “Reporting and Remediation of Security Vulnerabilities” tutorial. The tutorial walks through policy to both identify and remediate the recent #shellshock exploit. For those using CFEngine Enterprise, guidance on creating dashboard alerts and inventory reports is included.
The Host Info Report has been available in CFEngine Enterprise for some time, and it will now be available to community users in CFEngine 3.6. The Host Info Report is a great way to get value immediately if you are using CFEngine for the first time.
So what does it do? The Host Info Report contains detailed information on the host that CFEngine is running on. Read on to learn more about how to enable and use the report.
Originally posted by Nick on cmdln.org
You never know when the Zombie or Cloud Apocalypse is coming. It’s good to be able to locate those buried bodies quickly and easily. OK, enough bad jokes, but haven’t you ever looked at some CFEngine policy and wondered to yourself, exactly what does “delete => tidy” or some other body or bundle do?
I have. I even wrote a little Perl script to locate the files that contained a specific body or bundle and then print out that single body or bundle. This past week my old script got some love. Ted Zlatanov and Bishwa Shrestha reworked it a bit so that it is no longer a hack job, and it’s now included in the contrib directory of the CFEngine core repository.
Another year has passed and we would like to take a moment to thank the community members for their contributions. From speaking at conferences, epic blog posts, community meet-ups, to support on the CFEngine help list and in the IRC channel, new and veteran users alike don’t have to look far to find inspiration or a helping hand. Each year we like to reflect on our many community contributors and honor those that have significantly enhanced the CFEngine Community. This year it is my great honor to announce this year’s CFEngine Champion Hall of Fame inductees.