FAI & cfengine

Tim Cutts tjrc at sanger.ac.uk
Fri Jan 15 19:49:40 CET 2010 

On 15 Jan 2010, at 5:21 pm, John G. Heim wrote:

> I am currently trying to set up a cfengine system on my network. The  
> first thing I want to do is try to make sure all of the client  
> machines have the same config files for things like NTP, cron, etc.  
> It occured to me that the canonical copies of those files are within  
> my FAI config directory. So it should be possible for me to make a  
> change to a file with my FAI config directory and have cfengine  
> automatically ship it out to all the machines that have already been  
> set up. But how to do that?
>
> I'm thinking of moving the FAI files to a "normal" heirarchy within  
> the cfengine space. So my canonical nntp config file would be in / 
> var/lib/cfengine2/clientfiles/etc/ntp.conf. And within the FAI  
> space, there'd be a symlink from /srv/fai/config/files/etc/ntp.conf/ 
> MYCLASS to the "real" file.
>
> Has anybody ever managed a configuration like this? Any other  
> (better) ways to do what I want to do?

I don't know about 'better', but I can tell you what we do.  :-)

1)  cfengine makes sure that the FAI config space has a copy of the  
current cfengine inputs and files

2)  We don't generally use FAI's config/files directory at all, except  
for things which are required to configure hardware early in the FAI  
process; as I said in another post today, we separate hardware/ 
networking config (done by FAI) from application configuration (done  
by cfengine)

3)  At the end of the FAI install, we run cfagent, but without an  
update.conf file, so it doesn't try to update the policy from the  
cfengine server (this is done so that the server doesn't perform its  
key exchange with the client until the client has booted its full OS,  
is running with its proper IP address, and is no longer in the FAI NFS  
root - we have a system where the IP address the machine has while it  
is FAI installing is not necessarily the same as its final IP address;  
I realise this is somewhat unusual)

4)  We have a module within cfengine which defines cfengine classes  
based on FAI's classes, by parsing the FAI log's FAI_CLASSES file.   
So, for example, an HP ProLiant server will be in the FAI class  
PROLIANT, which appears as a class fai_proliant in our cfengine setup.

You may think this is all rather complex (and it is), but at the time  
it was all set up, we had a more heterogeneous world than we do now,  
and cfengine was the only thing that could configure everything, so we  
went with that.  Basic operating system installs were done in fairly  
platform specific ways (Tru64 had its way, our IBM Red Hat cluster had  
its own thing, we were using FAI for newer things, and so on).  FAI is  
much more widespread here now, but the old division of roles of the  
two pieces of software continues, and I actually like the separation  
of basic OS installation from role-specific configuration.

Tim


-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.

More information about the linux-fai mailing list