"Stateless Linux" project

Carwyn Edwards carwyn at carwyn.com
Thu Sep 23 22:09:43 UTC 2004


Josh England wrote:

> LCFG does indeed sound like a highly capable configuration deployment
> engine (how does it compare with cfengine, in your opinion?).

They are very similar in terms of what happens - central configuration 
is "enacted" in some way on the clients via a number of agents. But 
their methods and models differ somewhat.

LCFG (there are others that can explain cfengine better) for example is 
entirely declarative in terms of the central database. Nothing 
procedural is encoded in the profile for a machine as doing so means 
having to deal with ordering of configuration changes (A->a->B->b->C vs 
A->C, where upper = states and lower = transitional procedures). It's 
left to the agents to work out the procedures making disconnected 
operation simpler (it doesn't matter if a laptop misses the update from 
A to B as A->B->C "should" give you the same as A->C). Procedural models 
often mean that all the intermediary transformations have to be applied.

One thing that is particularly powerful about LCFG is the idea of 
spanning maps. Client configuration descriptions can export collections 
of information into a global namespace that other components can then 
subscribe to. For example in the client config for the web server I'd put:

firewall.holes 80 443

.. then because the schema for the firewall component says that the 
"holes" property is to be a member of a spanning map, on the firewall 
host itself the firewall component automatically gathers the information 
and opens the holes. The definition of the "hole" though is in the same 
config file as the configuration for the web server.

This can be extended to:

# In a file called i-want-to-be-a-web-server.h
apache.port 80
firewall.holes <%apache.port%> # reference to above.

.. then in the source profile for each member of a web cluster:

#include <i-want-to-be-a-web-server.h>

As soon as I write the file packets fly all over the place and a few 
seconds later the firewall has holes to all the machines in the cluster 
on port 80. Edit i-want-to-be-a-web-server.h to add 443, write it and 
again a few seconds later you have those holes too. If we add an extra 
gateway firewall for redundancy it can be told to subscribe to that 
particular map and add the holes too.

We can do the same for which rpms are installed on machines. One minute 
a lab full of machines could be a fedora minimal install, a few mins 
later they are all members of a beowulf cluster, software installed and 
configuration applied (assuming you've prepared the config template 
earlier obviously). Uninclude the header file for being in the beowulf 
and a few mins later again they are back to being fedora minimal installs.

Part of the research effort here is to extend this idea so that the 
description is even more abstract. I.e. be able to take a group of 
machines and write the equivalent of:

"I want a workgroup setup with a file server, web server, firewall and 
special laptop to control the bluetooth light in the fishtank."

The configuration engine should then go off and work out which machine 
the printer is connected to, which one is the laptop and just make it 
all happen (I did say research effort!).

Carwyn
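
The spanning map and the A->B->C versus A->C point from the message above, as an added example that is not part of the original post and is not LCFG code. The dict-based profile model, the function names and the hosts web1/web2 are assumptions made for illustration; references are resolved one level deep only.

```python
# Added illustration: a toy model of an LCFG-style spanning map, not LCFG itself.
# Profiles, host names and function names are constructed for this example.

def expand(profile):
    """Resolve <%component.key%> references within one client profile."""
    out = {}
    for key, value in profile.items():
        words = []
        for word in value.split():
            if word.startswith("<%") and word.endswith("%>"):
                words.extend(profile[word[2:-2]].split())
            else:
                words.append(word)
        out[key] = words
    return out

def spanning_map(profiles, key):
    """Gather one exported property from every client: the firewall's desired state."""
    holes = set()
    for host, profile in profiles.items():
        for port in expand(profile).get(key, []):
            holes.add((host, int(port)))
    return holes

def converge(current, desired):
    """Agent step: derive the procedure (open, close) from the two states alone."""
    return sorted(desired - current), sorted(current - desired)

def enact(current, desired):
    to_open, to_close = converge(current, desired)
    return (current | set(to_open)) - set(to_close)

WEB = {"apache.port": "80", "firewall.holes": "<%apache.port%>"}
WEB_TLS = {"apache.port": "80 443", "firewall.holes": "<%apache.port%>"}

STATE_A = {}                                  # no web cluster yet
STATE_B = {"web1": WEB, "web2": WEB}          # cluster on port 80
STATE_C = {"web1": WEB_TLS, "web2": WEB_TLS}  # header edited to add 443

def firewall_after(*states):
    """Enact each central state in turn, starting from a closed firewall."""
    current = set()
    for profiles in states:
        current = enact(current, spanning_map(profiles, "firewall.holes"))
    return current
```

Because the rule set is computed entirely from the client profiles, the full set of holes can be listed and reviewed from the central profiles before any agent acts on it.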




