Interview with CFEngine user Natxo Asenjo

Posted by Nick Anderson
September 29, 2016

This interview was conducted by Aleksey Tsalolikhin / 3 Aug 2016

Q: What can you tell our readers about yourself? How did you start using CFEngine?

A: I am a Spanish sysadmin living and working in The Netherlands (Dutch spouse). All round (multidisciplinary) sysadmin, with a focus on automation, bootstrapping infrastructures, high availability, disaster recovery, storage. I started using CFEngine about 8/9 years ago (or was it 10?). Back in the day I was the only admin doing Linux at our company, and the Linux infrastructure was growing every week and it was getting impossible to manage everything by hand. So CFEngine to the rescue. I found the tutorials on the debian-administration.org site (looking at the publication dates, it must have been 10 years ago, time flies) and it seemed quite doable. Later I came across the Campi/Bauer book: Automating Linux and Unix System Administration and re-implemented quite a bit of stuff with their tips, not only CFEngine but also FAI/Kickstart.

Q: Could you give us an example of something you’ve automated with CFEngine that stands out as having made your life easier, helps you to sleep better at night, or has really made a difference for the business?

A: Stuff I’ve used CFEngine for:

- disabling/enabling services;
- configuration mail routing;
- SELinux;
- iptables;
- yum/apt repositories;
- installation software;
- configuration syslogd/journald/logstash forwarders for ELK;
- distribution of sysadmin scripts/configuration files/motd’s;
- distribution known_hosts files for ssh clients;
- distribution and configuration of monitoring software (nagios: nrpe/snmpd);
- configuration ntpd/chronyd;

Anything that needs doing basically. We have a number of host types (apache2, tftpd, mysqld, java application servers, etc.).
Our Linux infra is coupled to a FreeIPA environment with the automember plugin, so if the host is called tftp* (where * is ‘whatever’) then that host will be a member of an LDAP hostgroup, which in FreeIPA gets populated as a netgroup as well. We can use those netgroups to automatically define classes in CFEngine and those classes are coupled to actions (install apache2, configure it according to x, y, z, etc.). My colleagues install the OS using PXE and the only thing they need to do once the installation is done is give the host a name (part of joining the FreeIPA domain). The rest gets done automatically. So this is about it in a nutshell. Without CFEngine this company would not have the Linux infrastructure it now has and I would not have had time to accomplish many other projects (I became much more efficient, so I got assigned to many more projects).

Q: You said you have about 150 Linux nodes in your network. How many are still on cf2 and how many are on cf3?

A: cf2: 70%, cf3 the rest (growing).

Q: When we corresponded earlier, you said you “left the old cf2 environment alone (it basically never dies and does not need new modifications)”. What led you to start using cf3?

A: Lack of support for cf2. We use CentOS and with CentOS 7 the cf2 binaries were a bit long in the tooth.

Q: What’s the biggest advantage of cf3 over cf2 for you?

A: cf3 is more consistent in its syntax. Plus the standard library has a lot of scaffolding already set up for us (services, for instance). The packages method is much nicer as well.

Q: What are you most proud of about your setup?

A: Difficult to say, in the end this is just a tool. It’s nice to see things work the way they are supposed to, but that is our work.

Q: What do you enjoy most about the CFEngine community?

A: Very fast (good) answers and advice for alternative solutions to the issues one posts to the mailing list. Nice, polite, civil discussions. All communities should be like this.

Q: Any advice for the CFEngine 2 users out there?

A: Even though cf2 is an excellent tool, the fact that it is no longer supported means that you will be on your own if something happens to your setup. This could be an issue. If you have a very stable and static environment where cf2 just works, leave that alone and set a new cf3 environment next to it. Sooner or later you will get a system where cf2 will not run without much effort, and at that time you will have a problem.

Q: Anything else you’d like to share with the CFEngine community?

A: I learnt a lot using your tutorial and Brian Bennett’s (@bahamat) posts, especially the cf-primer: from zero to hero. Those are the hands-on tutorials that the community needs. CFEngine has a reputation for being hard, but it’s not really true.

Aleksey Tsalolikhin is a CFEngine consultant and trainer at Vertical Sysadmin.