Using cfengine to harden Solaris servers (part 1)

Source: Internet
Author: User

 

1. Introduction to cfengine

Cfengine (configuration engine) is a UNIX administration tool designed to automate simple administration tasks and to make difficult tasks easier. Its goal is to converge a system from any state toward a defined ideal state. According to its author, Mark Burgess, cfengine always moves your system closer to the configuration you have defined; it never makes the system worse. Cfengine will change the way you administer systems. It cannot, however, think for you: before you put a configuration file into production you still have to write it and test it. On the other hand, cfengine does very little damage. It is suited to environments of every size, from a single host to tens of thousands; as of version 2.2, the largest known installation under common management is about 20,000 hosts. Cfengine handles system configuration and maintenance in many areas, including the following:

● Complete post-installation tasks, such as configuring network interfaces.

● Edit system configuration files and other files.

● Create symbolic links.

● Check and correct file permissions and ownership.

● Delete unwanted files.

● Compress selected files.

● Distribute files across the network.

● Mount NFS file systems automatically.

● Check that important files and file systems exist and are intact.

● Run commands and scripts.

● Apply security-related patches and similar system fixes.

● Manage system daemons and processes.

2. Push versus pull on Unix servers

Another advantage of cfengine is that clients "pull" changes from the server rather than having a master system "push" them out. If you have a set of reliable, always-running local servers, the two approaches make little difference. If, however, the systems extend across an unreliable network, or one that is not always up, the pull approach is far more robust. Systems that dual-boot Unix and Windows can pull from the server whenever they are running Unix, whereas a push attempted while such a system is running Windows is simply lost. Another example: you may run Unix on one or more laptops that are not always connected to the network. Such systems may never be updated by a push, because they would have to be connected at the moment each push occurs. With pull, the laptop fetches its configuration automatically the next time it connects to the configuration server.

Of course, you could rewrite the custom scripts discussed earlier to use the pull method. If you need pull but for some reason do not want to use cfengine, the custom scripts from earlier in this chapter are a starting point.

Either way, you change the configuration on the server, and each client pulls the change the next time it runs.

Although cfengine normally pulls changes from the server and applies them once an hour, it also lets you force an update of all systems, or any subset of them, on demand. This is clearly useful when you roll out a critical bug fix (an operation that may bring down one or two systems and must be corrected quickly).

You can also run cfengine directly on any system by logging in and running the cfagent command by hand. Cfengine follows a sound principle of automated system administration: the more ways there are to apply changes to a system, the better, as long as every method applies them in the same way. In other words, cfengine offers several ways to update a system, and all of them use the same configuration file and run it the same way once started.

One of the biggest drawbacks of cfengine (and also one of its best features) is its complexity. A system administrator may need a week on average to get cfengine fully working on some systems. After that, of course, extending it to hundreds of systems is much easier.

 

3. Cfengine components

Cfengine consists of several components, independent programs that work together:

cfagent: interprets the policy promises and executes them convergently. The agent can use data produced by the statistical monitoring engine cfenvd, obtained from cfenvd running on the local host or on a remote host.

cfexecd: runs cfagent and records its output (optionally mailing a summary). It can run standalone as a daemon, or be invoked from cron on Unix-like systems.

cfservd: listens on the cfengine port, serves file data and starts cfagent when it receives a connection from cfrun. Note that no data is available through this daemon unless explicitly granted.

cfrun: connects to remote hosts and asks them to run cfagent.

cfenvd: collects resource-usage statistics on each host for anomaly detection. The information is made available to the agent as cfengine classes, so the agent can check for abnormal conditions and respond to them promptly.

cfkey: generates a public/private key pair on the host. Normally it is run only once, as a step in installing cfengine.

cfshow: dumps the contents of the cfagent databases in ASCII, for when you are interested in their internal state.

cfenvgraph: dumps the contents of the cfenvd database in a form that can be used to plot a host's normal behaviour in its environment.

Figure-1 shows the relationship diagram of the Cfengine component.

  

Figure-1 Relationship between components of Cfengine

Cfengine directory structure:

The binaries must be installed either in a directory mounted on every host or locally on each host. All files that cfengine uses during normal operation live under /var/cfengine/. In that directory, cfengine.centos1.runlog is the run log of the cfagent process. The directory contains the following subdirectories:

● bin/: the important binaries (cfagent, cfexecd and cfservd) are copied here so that they are always available when needed.

● inputs/: the standard location for the configuration files cfengine needs. We will use three files in this directory: cfagent.conf, cfservd.conf and update.conf.

● outputs/: holds the output file of each cfexecd run.

● ppkeys/: where the system's own public and private keys and the public keys of other hosts are stored.

 

4. Downloading, installing and running cfengine

1. Network setup

Make sure the network is in order before using cfengine. Using cfengine with dynamic IP addresses is very difficult: even if some or all systems get their addresses through the Dynamic Host Configuration Protocol (DHCP), the DHCP server should always hand the same address to any system managed by cfengine. Beyond that, the method used to assign addresses does not matter. The next task is to make sure the Domain Name System (DNS) is configured correctly for each host. Although DNS problems can be fixed at any time, it is best to have DNS right for the test hosts from the start. Each host should have a host name; a DNS lookup of that name should return the host's IP address, and a reverse lookup of that address should return the same host name. If that is not possible, we recommend adding every host to the /etc/hosts file on every system. If you use a multihomed host, pay attention to which of its IP addresses it uses when communicating with the other cfengine hosts.

2. Basic installation

In either case you need two libraries: Berkeley DB for cfengine's internal databases and OpenSSL for encryption. Both are open source and, like cfengine, free to use. Without them you cannot use cfengine, and no other libraries can substitute for these two.

 

# wget ftp://ftp.sunfreeware.com/pub/freeware/intel/10/db-4.2.52.NC-sol10-intel-local.gz
# wget ftp://ftp.sunfreeware.com/pub/freeware/intel/10/cfengine-2.2.3-sol10-x86-local.gz
# gunzip db-4.2.52.NC-sol10-intel-local.gz
# gunzip cfengine-2.2.3-sol10-x86-local.gz
# pkgadd -d db-4.2.52.NC-sol10-intel-local
# pkgadd -d cfengine-2.2.3-sol10-x86-local

 

Alternatively, install it online with the command pkg_get install cfengine.

  

Figure 2 shows the successful installation of cfengine on Solaris.

The next step is to build the basic structure of the cfengine working directory tree:

Create a Cfengine working directory manually

 

# mkdir /var/cfengine/bin
# mkdir -p /var/cfengine/inputs /var/cfengine/outputs

 

Next, create local copies of the cfengine executables under the bin subdirectory of the working directory (that is, /var/cfengine/bin). In operation these copies are what gets executed, so there is no risk to the system if the network goes down while a task is running.

3. Copy the cfengine binaries to the working directory

# mkdir -p /var/cfengine/bin
# cd /usr/local/sbin
# cp cfagent cfenvgraph cfrun cfdoc cfexecd cfservd cfenvd cfkey cfshow vicf /var/cfengine/bin

 

Run the following command to create localhost.priv:

# cfkey
Making a key pair for cfengine, please wait, this could take a minute...
Writing private key to /var/cfengine/ppkeys/localhost.priv
Writing public key to /var/cfengine/ppkeys/localhost.pub

  

Figure 3 Copying the cfengine binaries to the working directory
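As an added example (not from the article), the following POSIX shell function checks that the working directory built in steps 2 to 4 above is complete. It assumes the paths and file names used here (/var/cfengine, the three input files, and the localhost.priv/localhost.pub pair written by cfkey) and flags a private key that is group- or world-readable.

```shell
#!/bin/sh
# Post-install sanity check for the cfengine 2 working directory.
# Added example, not part of the original article. Checks the
# directory tree, the local binary copies, the three input files and
# the key pair, printing one line per problem; returns non-zero if any.
# Root defaults to /var/cfengine; pass another path as $1 to check a
# staging tree instead.
cf_check_workdir() {
    root=${1:-/var/cfengine}
    rc=0
    for d in bin inputs outputs ppkeys; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; rc=1; }
    done
    # local copies are what cron/cfexecd execute when the network is down
    for b in cfagent cfexecd cfservd; do
        [ -x "$root/bin/$b" ] || { echo "missing or not executable: $root/bin/$b"; rc=1; }
    done
    for f in cfagent.conf cfservd.conf update.conf; do
        [ -f "$root/inputs/$f" ] || { echo "missing input file: $root/inputs/$f"; rc=1; }
    done
    for k in localhost.priv localhost.pub; do
        [ -f "$root/ppkeys/$k" ] || { echo "missing key file: $root/ppkeys/$k"; rc=1; }
    done
    # the private key must be readable by root only: group/other bits clear
    priv=$root/ppkeys/localhost.priv
    if [ -f "$priv" ]; then
        case $(ls -ld "$priv" | cut -c5-10) in
            ------) ;;
            *) echo "private key $priv is readable by group or others"; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: run after the installation steps; exit status 0 means all is in place
cf_check_workdir && echo "cfengine working directory looks complete"
```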

 

4. Run the required processes

In the simplest installation you can use cfengine just by running cfagent by hand on each host. You gain a great deal, however, by running one or more of the daemons.

(1) The cfexecd daemon

Although in theory cfagent can be run on demand at any time, it is best to have it run automatically on a regular schedule. That is what cfexecd is for.

cfexecd runs as a daemon and executes cfagent according to a predefined schedule. To change the schedule, add time classes to the schedule setting in the control section of cfagent.conf. The default is Min00_05, meaning cfagent runs during the first five minutes of every hour. To run it twice an hour, for example, add the following to the control section of cfagent.conf:

schedule = ( Min00_05 Min30_35 )

The cfexecd daemon has no configuration file of its own; it takes this setting from cfagent.conf.
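The schedule classes just described, as an added example that is not part of the article: a shell helper that computes the cfengine 2 time classes for a given hour and minute and tests whether a schedule list would fire. It assumes the MinXX_YY naming (five-minute windows, wrapping to Min55_00) and HrXX for the hour, and ignores the day, weekday, month and year classes.

```shell
#!/bin/sh
# Added example (not from the article): derive the cfengine 2 time classes
# cfexecd evaluates at a given wall-clock time, and check whether a
# "schedule = ( ... )" list would run cfagent then. Only the minute and
# hour classes are modelled; day/weekday/month/year classes are omitted.

# cf_time_classes HOUR MINUTE -> prints e.g. "Hr13 Min33 Min30_35"
cf_time_classes() {
    h=${1#0}; h=${h:-0}            # strip a leading zero (date +%H gives "08")
    m=${2#0}; m=${m:-0}
    lo=$(( m / 5 * 5 ))            # start of the five-minute window
    hi=$(( (lo + 5) % 60 ))        # end of window; wraps so Min55_00 is last
    printf 'Hr%02d Min%02d Min%02d_%02d\n' "$h" "$m" "$lo" "$hi"
}

# cf_schedule_fires "SCHEDULE" HOUR MINUTE -> exit 0 if any class listed in
# the schedule is defined at that time, i.e. cfexecd would start cfagent
cf_schedule_fires() {
    sched=$1
    for want in $sched; do
        for have in $(cf_time_classes "$2" "$3"); do
            [ "$want" = "$have" ] && return 0
        done
    done
    return 1
}

# Usage: the twice-an-hour schedule from the article, checked against the
# current clock as reported by date(1)
if cf_schedule_fires "Min00_05 Min30_35" "$(date +%H)" "$(date +%M)"; then
    echo "a cfexecd run is due now"
fi
```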

You can also have the system's cron daemon run cfexecd periodically. The following entry, added to the system crontab (usually /etc/crontab), runs (and reports on) cfagent hourly:

0 * * * * root /usr/local/sbin/cfexecd -F

The -F option tells cfexecd not to go into daemon mode, because it is being run by cron.

For reliability, run cfexecd both ways: as a daemon and from cron (once a day).

cfagent.conf can then check for the crontab entry and check that the cfexecd daemon is running. Putting the following into cfagent.conf performs both checks and corrects any problem it finds:

editfiles:
   { /etc/crontab
     AppendIfNoSuchLine "0 * * * * root /var/cfengine/bin/cfexecd -F"
   }

processes:
   "cfexecd" restart "/var/cfengine/bin/cfexecd"

 

With this technique, if one method stops working, the other will eventually fix the problem.

(2) The cfservd daemon

The cfservd daemon is not needed on every system. It is required wherever the cfengine file server runs, which for us is just the central configuration server. It also allows cfagent to be started remotely from other systems; if you want that capability, run cfservd on every system. Wherever it runs, have cfagent.conf check that it stays running with the following:

processes:
   "cfservd" restart "/var/cfengine/bin/cfservd"

5. Identifying systems by class

Classes are the core of cfengine. Every system belongs to one or more classes; put another way, each time cfagent runs, many classes are defined from different kinds of information about the system. Every action in the configuration file is restricted to particular classes, so any given action can be applied to a single host, to all hosts running a particular operating system, or to every host. To see which standard classes are defined on any given system, run:

# cfagent -p -v

  

Figure 4 Viewing the classes defined on a system

As you can see, my system has a considerable number of predefined classes. They fall into the following categories:

Operating system: Unix_i686_2_6_18_8_el5xen

Architecture: i386 pc

Host name: csung

IP address: 192_168_40 192_168_40_large

Date/time: Sat May 31 13:33:07 2008

Use ps -ef | grep cf to view the running cfengine processes and the ports the services use, as shown in Figure 5.

  

Figure 5 Ports used by the services

So far I have installed cfengine (configuration engine) on the Unix servers. Next, I will configure cfengine to harden them.
