cfengine - what's that about?

It's (old) software that is used to make sure that, for example, the same config files are used on all machines. There are several other CMSs, for example Puppet. Wikipedia has a nice overview of them.

Let's use the Lustre machines we set up in a previous post.

On there are many examples too.

Inside a policy you have a promise.


Installing on an RPM-based distribution is easy: cfengine has its own repository where the community edition is available.

Get the gpg-key, import it, set up the repository-file and install "cfengine-community".

Check if "cfengine3" is set to start on boot.


A small example of how to write a promise.

  • "cf-promises -f " can be used to test that a promise is valid (syntax and more is OK)
  • "cf-agent -f" runs the promise, so if we use the example in the link above it echoes a Hello World.


Client pulls policies from the server.

policy-server: mds - client1: client1 - client2: oss1 -

On the policy-server, run: "/var/cfengine/bin/cf-agent --bootstrap --policy-server"

Open port 5308 on the policy-server.

After you see "-> Bootstrap to completed successfully" you can run the same cf-agent command on the client. This points it to use as the policy-server.

No need to open a port on the clients.

On the policy-server add this to /var/cfengine/masterfiles/

    bundle agent test
    {
      files:
        "/tmp/cf_test_file"
          comment => "Promise that a plain file exists with stated permissions",
          perms   => mog("644", "root", "sys"),
          create  => "true";
    }

Then in /var/cfengine/masterfiles/ you can't follow the guide verbatim; the needs to look like this. It is really important to have ", " as a separator between the bundles (notice the space after the ",").

    body common control
    {
      bundlesequence => { "main", "test" };
      inputs         => { "", "", };
      version        => "Community 1.0.0";
    }

After that you can run "cf-agent -Kv" on the client, and it will do what is promised in the file!

Try changing ownership/permissions on the file; in a while it will have been changed back :)

In /var/cfengine/promise_summary.log you'll see if it couldn't keep a promise and if it corrected the mistake.
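As an added example (not from the original post or from CFEngine), here is a small Python parser that reads promise_summary.log lines and flags runs where the agent had to repair drift, such as the changed permissions above, or could not keep a promise. The line layout in the regex is an assumption about the log format, and the sample lines are constructed.

```python
import re
from datetime import datetime, timezone

# Assumed layout (not shown on the page): "<start>,<end>: Outcome of version <v> (<agent>): ..."
LINE_RE = re.compile(
    r"^(?P<start>\d+),(?P<end>\d+): Outcome of version (?P<version>.*?) "
    r"\((?P<agent>[^()]*)\): Promises observed to be kept (?P<kept>\d+(?:\.\d+)?)%, "
    r"Promises repaired (?P<repaired>\d+(?:\.\d+)?)%, "
    r"Promises not kept (?P<notkept>\d+(?:\.\d+)?)%"
)

def parse_summary(lines):
    """Return (runs, skipped): one dict per well-formed line, plus a count of unparsed lines."""
    runs, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1 if line.strip() else 0  # blank lines are not counted
            continue
        runs.append({
            "when": datetime.fromtimestamp(int(m["start"]), tz=timezone.utc),
            "version": m["version"], "agent": m["agent"],
            "kept": float(m["kept"]),
            "repaired": float(m["repaired"]),
            "notkept": float(m["notkept"]),
        })
    return runs, skipped

def classify(run):
    """'failed' = a promise could not be kept; 'drift' = the agent had to repair something."""
    if run["notkept"] > 0:
        return "failed"
    if run["repaired"] > 0:
        return "drift"
    return "ok"

# Constructed sample lines, not taken from a real host.
SAMPLE = """\
1355000000,1355000002: Outcome of version Community 1.0.0 (agent-0): Promises observed to be kept 100%, Promises repaired 0%, Promises not kept 0%
1355000300,1355000303: Outcome of version Community 1.0.0 (agent-0): Promises observed to be kept 96%, Promises repaired 4%, Promises not kept 0%
1355000600,1355000601: Outcome of version Community 1.0.0 (agent-0): Promises observed to be kept 90%, Promises repaired 0%, Promises not kept 10%
truncated line without a summary
""".splitlines()

if __name__ == "__main__":
    runs, skipped = parse_summary(SAMPLE)
    for r in runs:
        print(r["when"].isoformat(), r["version"], classify(r))
    print("unparsed lines:", skipped)
```

A "drift" result on a host where nobody should be touching managed files is worth a look: something other than the agent changed them.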

Distribute it

And to get oss1 the same file, just run the good old "/var/cfengine/bin/cf-agent --bootstrap --policy-server" on it and eventually that file in /tmp will pop up there too. Nice!

Some useful stuff

I'll probably try out some more useful things in the near future.

Streamline resolv.conf settings, ip routes, config files for software like to make sure /etc/dcache/dcache.conf is the same on all pool servers or why not a kind of user database? Like for /etc/passwd? Check out the solutions on!