Running CFEngine on RedHat Linux

Compiling CFEngine | Stopping services | PGP Key Management | Setting Environment Variables

Notes on using CFEngine on Redhat Linux.

Compiling CFEngine

Use cfengine.spec to build a RedHat Package Manager (RPM) for CFEngine. A KickStart install can then easily install CFEngine.

CFEngine may break if the underlying Berkeley DB library version changes. Either compile the library in statically, or link the CFEngine RPM package to a specific Berkeley DB version.

Requires: db4 = 4.1.25

Stopping services

To stop a service by process name, define a custom class when the process is seen, then use a shell command under that class to turn the service off. On systems that are not mail clients, keep Sendmail enabled and running instead.

processes:
  redhat.mail_client::
    "sendmail" define=kill_sendmail

  redhat.!mail_client::
    "sendmail" restart "/sbin/service sendmail restart"

shellcommands:
  redhat.!mail_client::
    "/sbin/chkconfig sendmail on" ifelapsed=1439

  redhat.kill_sendmail::
    "/sbin/service sendmail stop; /sbin/chkconfig sendmail off"

PGP Key Management

For RPM signature verification, keep a directory of Pretty Good Privacy (PGP) keys on the policy host, distribute it to clients with a copy action, and then run update-rpm-keys to install the keys on the client systems.

copy:
  redhat::
    $(masterfiles)/etc/rpm-pgp-keys
      dest=/var/cfengine/etc/rpm-pgp-keys
      owner=root group=$(zerogroup) mode=444
      recurse=1
      backup=false
      server=$(policyhost)
      type=checksum
      purge=true
      define=rpm_pgp_keys_copied

shellcommands:
  rpm_pgp_keys_copied::
    "/usr/sbin/update-rpm-keys /var/cfengine/etc/rpm-pgp-keys"

More information on building packages is available, along with how to host packages via Yellowdog Updater, Modified (YUM).

Setting Environment Variables

Startup scripts read the /etc/sysconfig/* configuration files, where shell variables switch features on and off. The iptables configuration file /etc/sysconfig/iptables-config uses the IPTABLES_MODULES variable to list additional kernel modules to load. The following shows one way to set multiple values in this variable from several independent classes.

editfiles:
  redhat::
    {
    /etc/sysconfig/iptables-config
    AutoCreate
    Backup "false"

    DeleteLinesMatching "^IPTABLES_MODULES.*$"

    BeginGroupIfDefined "amanda_server"
      AppendIfNoSuchLine "IPTABLES_MODULES=\"${dollar}{IPTABLES_MODULES:+${dollar}IPTABLES_MODULES} ip_conntrack_amanda\""
    EndGroup

    BeginGroupIfDefined "ftp_server"
      AppendIfNoSuchLine "IPTABLES_MODULES=\"${dollar}{IPTABLES_MODULES:+${dollar}IPTABLES_MODULES} ip_conntrack_ftp\""
    EndGroup

    BeginGroupIfDefined "tftp_server"
      AppendIfNoSuchLine "IPTABLES_MODULES=\"${dollar}{IPTABLES_MODULES:+${dollar}IPTABLES_MODULES} ip_conntrack_tftp\""
    EndGroup

    }

These ugly long lines result in the following iptables-config entries for a server that is both an FTP server and a TFTP server.

IPTABLES_MODULES="${IPTABLES_MODULES:+$IPTABLES_MODULES} ip_conntrack_ftp"
IPTABLES_MODULES="${IPTABLES_MODULES:+$IPTABLES_MODULES} ip_conntrack_tftp"

When the /etc/init.d/iptables startup script reads iptables-config, the IPTABLES_MODULES environment variable will contain ip_conntrack_ftp ip_conntrack_tftp, and the two modules will be loaded.
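The following POSIX shell script is an added example, not part of the original notes, that reproduces what the init script sees: it writes a constructed copy of the two iptables-config entries above to a temporary file, sources it the way /etc/init.d/iptables does, and reports the module list that results, so the accumulation idiom can be checked before it is pushed to real hosts. The temporary path, the function names and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify how the ${IPTABLES_MODULES:+$IPTABLES_MODULES}
# accumulation idiom behaves when /etc/sysconfig/iptables-config is sourced.
# Nothing here touches /etc/sysconfig; a constructed copy is used instead.

# Write a constructed iptables-config with the two entries CFEngine produces
# for a host that is both an FTP and a TFTP server. Prints the file's path.
make_sample_config() {
    dir=$(mktemp -d)
    cat > "$dir/iptables-config" <<'EOF'
# constructed sample, mirrors the entries generated by the editfiles action
IPTABLES_MODULES="${IPTABLES_MODULES:+$IPTABLES_MODULES} ip_conntrack_ftp"
IPTABLES_MODULES="${IPTABLES_MODULES:+$IPTABLES_MODULES} ip_conntrack_tftp"
EOF
    printf '%s\n' "$dir/iptables-config"
}

# Source the config in a subshell (as the init script would, starting from an
# empty IPTABLES_MODULES) and print the resulting module names, one per line.
# Word splitting of the unquoted variable drops the leading space the first
# entry leaves behind.
modules_from_config() {
    (
        IPTABLES_MODULES=""
        . "$1"
        for mod in $IPTABLES_MODULES; do
            printf '%s\n' "$mod"
        done
    )
}

# Space-separated module list without a leading or trailing space.
module_list() {
    modules_from_config "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Number of modules the init script would try to load.
module_count() {
    modules_from_config "$1" | wc -l | tr -d ' '
}

# Module names that appear more than once (e.g. after a hand edit that
# bypassed AppendIfNoSuchLine); prints nothing when the list is clean.
duplicate_modules() {
    modules_from_config "$1" | sort | uniq -d
}

# Usage: run stand-alone to see the list for the constructed file.
if [ "${0##*/}" != "sh" ] && [ -z "$IPTABLES_CONFIG_EXAMPLE_QUIET" ]; then
    cfg=$(make_sample_config)
    echo "modules: $(module_list "$cfg") (count $(module_count "$cfg"))"
    dups=$(duplicate_modules "$cfg")
    [ -z "$dups" ] || echo "duplicates: $dups"
fi
```

Pointing `module_list` at a real /etc/sysconfig/iptables-config is a cheap way to confirm that the editfiles action left exactly the intended conntrack helpers and nothing stale from an earlier run, since DeleteLinesMatching is what keeps old entries from piling up.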