cfengine overview - pros and cons

David Douthitt ssrat at ticon.net
Fri Dec 22 19:39:16 UTC 2006


I've used cfengine in a production environment, and found it to be very 
useful and powerful.  I'll just list the features (pro and con) below.

PROS
----
* Distributed operations
* Well-supported and open-source leader in its field
* Widely-used
* Supports many "selection criteria" such as hour of day, hostname, IP 
address, network, cfengine version, operating system, kernel version
* Battle-tested with environments numbering in thousands (including that 
most hostile of environments, the college campus)
* Integrates well with other systems such as CVS, RCS, et al
* Works well in isolation as well in distributed fashion - and can keep 
system protected while server is offline
* Extremely flexible
* Comprehensive documentation
* Can replace cron entirely (if one has a notion to...)
* Can keep excess files from cluttering up /tmp or /var/tmp
* Can keep unwanted files or processes from appearing at all (such as 
.rhosts, etc).
* Can "edit" files as well as maintain complete files
* Utilizes public-key encryption to identify clients (encrypted links 
available)
* "Selection criteria" (classes) can be set programmatically by scripts
* Can be used in place of samhain or tripwire (and *reacts*!)
* Works well with NFS-mounted home directories
* Works under Windows as well
* Can manage processes - including "must be present" and "must *not* be 
present" and more
* Active mailing list for support
* Can be used to configure new systems from startup (using a minimal 
configuration)

CONS
----
* Documentation - comprehensive but can be hard to know where to start 
with new installations
* Configuration is unlike anything you've ever seen
* The "editfiles" section of the configuration is also unlike anything 
you've ever seen - and is different than any other configuration section 
(looks a lot like a computer language without reasonable syntax)
* The customizability of the configuration can be overwhelming
* Doesn't necessarily "play nice" with file integrity checkers like 
samhain or tripwire - i.e., if cfengine restores a file to its original 
state or changes the permissions samhain may flag it as being changed.
* Inclusion in configuration files ("include file") is 
counter-intuitive: "included files" are actually concatenated to 
currently scanned file
* "Regexes" in the EditFiles configuration section match the entire 
line, not a substring (unless using proper EditFiles command)

Most of the down-side to cfengine revolves around the unique 
configuration file syntax (and the EditFiles section most of all) and 
the comprehensive documentation (which does not provide for an 
oft-requested 1-2-3 steps to get started).

The latter problem will be solved with an upcoming book ;-)

-- 
David Douthitt
HP-UX, Unixware, Linux, FreeBSD
RHCE, SCSA, Linux+, LPIC-1
http://www.lulu.com/ssrat
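To make the features in the list concrete, here is a small cfengine 2 policy fragment written as an added illustration; it is not from the post or from the cfengine project. It shows classes (host lists and a class set by a script's exit status), a files section acting as an integrity checker that reacts, an editfiles block with the whole-line regex behaviour, process presence rules, and tidy/disable sections. The hostnames, paths and the helper script /usr/local/sbin/check-ldap-bound are constructed placeholders, and the syntax follows cfengine 2 as it existed around the time of the post.

```cfengine
# Constructed example policy (cfengine 2 syntax), not the poster's configuration.

control:
   actionsequence = ( files editfiles processes tidy disable )
   domain         = ( example.test )

classes:
   # Selection criteria: a host list, and a class defined only if the quoted
   # command exits 0 (this is how scripts can set classes programmatically).
   webservers = ( web1 web2 )
   has_ldap   = ( "/usr/local/sbin/check-ldap-bound" )

files:
   # Integrity checking that reacts: ownership and mode are repaired,
   # and an MD5 baseline is kept so content changes are reported.
   any::
      /etc/shadow  mode=0600 owner=root group=root action=fixall checksum=md5
      /etc/passwd  mode=0644 owner=root group=root action=fixall checksum=md5

editfiles:
   # The regex in DeleteLinesMatching must match the ENTIRE line, so
   # "PermitRootLogin" alone would not match "PermitRootLogin yes";
   # the trailing ".*" is required. ReplaceAll, by contrast, works on substrings.
   any::
      { /etc/ssh/sshd_config
         DeleteLinesMatching "^PermitRootLogin.*"
         AppendIfNoSuchLine "PermitRootLogin no"
      }

processes:
   # "must be present" (restart if missing) and "must not be present" (kill).
   any::
      "sshd"    restart "/etc/init.d/sshd start"
      "telnetd" signal=kill

tidy:
   # Time-of-day and OS classes combined: only on Linux hosts during the 03:00 run.
   linux.Hr03::
      /tmp     pattern=* age=7 recurse=inf
      /var/tmp pattern=* age=7 recurse=inf

disable:
   # Keep unwanted files from appearing at all.
   any::
      /root/.rhosts
```

The files section is the part that interacts with samhain or tripwire as the CONS list warns: when cfengine repairs /etc/shadow's mode, a separately maintained integrity database will flag that change, so one of the two tools should own the baseline.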