Domain: cfengine.org
Stories and comments across the archive that link to cfengine.org.
Comments · 35
-
Re:Well..
I call that CFengine. Except I don't have to use a mouse, so that's even better.
-
Puppet, chef, cfengine
-
Mod parent UP please!
cssh is great for a handful of computers, but for the 40,000 boxen, try cfengine
-
Re:This is linux's strength, actually
cssh is great for a handful of computers, but for the 40,000 boxen, try cfengine
-
Re:Puppet
We're using v2 also, but a friend and I were recently discussing v3 and he pointed me at http://www.cfengine.org/downloads/cf3-reference.html#Upgrading-from-cfengine-2, which seems to indicate that there is decent support to transition between the two versions, thus doing incremental changeover.
I haven't looked further into it, but on the surface, it looks like a good option.
-Ben
-
Re:MOD PARENT UP
This kind of stuff is why NFS-mounted home directories are just wonderful. If my machine kicks the bucket, I can grab a new one, install an OS on it, and get back to where I was before in half an hour. In a larger organization, an imaged system would work even better.
Now, as for mass configuration changes, cfengine is your friend.
-
CFEngine
CFEngine can be used to enforce IT policies on UNIX desktops, servers, etc.
It's free and works quite well. All of the large enterprises I've ever worked on use this extensively.
-
Re:It will be fixed
I don't know about a full blown certificate agency, but where I'm working it shouldn't be too much work, since we use CF Engine to distribute certificates out to our servers from a central repository.
It would still be nice if we didn't have to fix problems caused by some idiot with no understanding of crypto though.
-
cfengine
One word: cfengine
http://www.cfengine.org/
-
Re:It's probably true.. who cares
-
CFengine
How exactly does this compare to CFengine? From the short slack description it would seem like cfengine is a much more mature solution...
-
Not new
Sounds very much like CFEngine http://www.cfengine.org/ with subversion?
-
Re:Tripwire+CFEngine
-
Tripwire+CFEngine
-
cfengine
cfengine is your friend.
-
Re:Depends
Now I'm sure some enterprise software is pure fluff, but often the "non-enterprise" solution is woefully short on capabilities. It'll have all the technical stuff it needs, but lack in the ease of configuration, use and management. If you are running one server for yourself, you can tinker with nit-picky shit as much as is required. However, when you run 1000 systems that's just not the case. You don't have that kind of time. You need to be able to centrally deploy and manage shit easily.
Check out cfengine.
-
Re:but what about enterprise administration?
CFEngine is an excellent tool for managing OpenSSH or any other system tool configuration.
-
Consider CFEngine
A previous poster mentioned cfengine briefly. If I understand cfengine correctly, it may be just what you're looking for.
Also, if you're the sort who can/does go to conferences, the LISA '05 conference (Dec. 4-9 2005) features several sessions on cfengine by Mark Burgess. (LISA is the "Large Installation System Administration Conference", put on by USENIX and SAGE.) There's also a conference BLOG, and this is the link to the tech program info.
-
cfengine
check out cfengine
-
Use cfengine
Software deployment is part of a more general subject sometimes known as software configuration management.
Since it's impossible to reason about security except with respect to a given configuration, this is a subject which deserves close attention, especially at larger sites where economies of scale are most effective.
Mark Burgess at the University of Oslo developed a mechanism called cfengine as a solution to the configuration management problem. It's multiplatform, mature, stable, comprehensive, secure, and it scales very well. I recommend it.
-
cfengine
I've used GNU cfengine for automated updates at a company I used to work for. Basically, you write rules about how the system should look and cfengine enforces them.
However, we used to automate updates, apply system patches and rebuild the world if necessary. With about 5 lines changed to a single server, I could force all the workstations to re-install themselves overnight.
We also used this system to push out passwd file updates (poor-man's centralized auth).
http://www.cfengine.org/
-
Re:Any free alternatives?
Ignore Donny Smith's reply... it's the standard geek, condescending reply. I don't understand why people like him feel the need to use up bandwidth and time to post useless comments when they have nothing constructive to add to a conversation.
I don't know about Windows machines but for maintaining *nix ones you can use projects like radmind or Cfengine. Someone else in this discussion mentioned sblim but it doesn't look like that project is ready to be used in production environments. Hopefully someone else will point to some other decent software.
-
Re:Gentoo
stability
Below standard. Bleeding Edge, often beta.
Wrong, it's only as bleeding edge as you make it. /etc/portage/package.mask is your friend here.
high-level support options
None?
Ya, the windows guys I work with try this excuse all the time with me, but if you can't read you shouldn't be doing what you're doing. Sitting on hold for two hours is not support. I can find most resolutions on the forums in under two minutes. Of course, if it's that critical you should be running a dual server setup with failover so that you have a backup when things go wrong and then you have time to fix them. Besides, you can take all the money you're saving from not having expensive support contracts and buy that second server :-)
security
Standard. Maybe a bit above due to easy, high customizability.
Most security issues are caused by bad configs and failure to deal with security updates in a timely manner. Understand your software, watch the security lists for issues, and have a test server to install updates on for testing before loading on a production server.
rapid updates
No. Bleeding edge is not equivalent to rapid.
apt-get upgrade apache is rapid - it takes 15s on a fast system.
emerge apache isn't rapid. It takes half an hour.
Create a build host
HOWTO Download Cache for LAN-Http-Replicator
HOWTO Distcc server on Windows
Using a shared portage via NFS
Share Directories Using SHFS (cause NFS doesn't have the most secure history)
and ease of administration?
Below standard. All typical manual administration by editing standard config files. No centralized "managers".
Very few if any distros have a centralized manager that's worth the cost of the keyboard you access them with. If you are working on many boxes set up the same, you need something like CFEngine and a copy of Automating Unix and Linux Administration.
But hey, what do I know? I just admin 27 gentoo linux boxes :-)
-
Single most important thing... cfengine
Unless you're running a single-system-image cluster (i.e. mosix), and perhaps even then, cfengine is a godsend. It may seem a chore the first time you use it, but it's worth it. Just learn it. Use e.g. a pxe kickstart install that installs cfengine in postinstall, and sets it to run on boot. Make changes to your cfengine configuration, not on the nodes. That way when you inevitably replace something, it's brought right up to speed.
http://www.cfengine.org/
-
CfEngine, PICA
I use CfEngine a lot, mostly at the computer lab at uni, with about 20 machines. It scales very well. I also use it on a small network at the office; it's great to set up a workstation in a hurry. It's also good for single host admining. The Perl lovers out there will probably enjoy PICA (Perl Installation and Configuration Agent) as well.
-
Re:An enterprise security console
While I haven't had the pleasure of working with any of these $10M installs of a network management suite, I've been able to accomplish much of what you talk about using an assortment of the following open source tools:
OpenNMS
cfengine
nagios
Granted, none of these have real slick guis, and there is a bit of a learning curve to get over before you master them. However, for somebody who knows how to use the above tools, it's amazing the number of machines that can be administered by one person.
-
Re:Shorter Essential Checkpoint Administration
And how do you plan to manage those OpenBSD (or whatever) boxes evenly distributed around the globe?
Wow, there are certainly no tools at all that I could think of that would help me do that...
To quote one of my favorite legendary assholes: "This is unix. Stop acting so helpless."
(In all seriousness: yes, there are probably plenty of cases where there's no business case to be made for rolling your own system, and where Checkpoint's management console or a similar tool is probably a good choice.)
What if you add VPN to the soup?
Using Checkpoint? I'd say that you now have a pressing need for an aspirin. YMMV.
-
A potentially better solution...and another...
Here is a better solution that will work with multiple different types of machines:
1. Set up CFengine on all of your boxes (microsloth windows too).
2. Configure a master system with all of your working files.
3. Configure your slave systems to query the master and copy over new/changed files.
Once you have this set up properly, it takes care of itself. As an added benefit it makes managing multiple machines a snap.
You can even have it kick off an application/script (like CVS) when something changes - to capture it in your archive if you like (so you can roll back as needed).
I love revision control, but managing it by hand is a pain in the behind.
Ultimately, I want to not have to worry about locations of files at all - depending instead on meta-data to provide searchable, annotatable links into the actual files with overlays of my own notes, similar to the 'Annotea' project module in the W3C AMAYA web browser (this is pretty cool - you can 'annotate' documents without altering their content - even documents on other servers; the system keeps 'RDF' xpointers and xlinks on your home system, and amaya renders your notation links in the web page as you view it).
-
I bought the book
I own the book and have been using it for a couple of weeks now. All in all, I think it's a great resource if you already have a fair amount of linux knowledge. I purchased it primarily because of its coverage of cfengine but found it useful for other purposes as well.
Definitely not for the newbie system administrator (nor does it pretend to be). But it is a great resource if you're looking to administer more boxes with less bodies.
-
Configuration management
-
CFengine...
CFengine is an excellent tool for configuration management and automation - and it is just celebrating its 10th birthday.
It can run under *nix as well as Windoze, and has a 'self healing' capability (so that if you removed the sshd from the system, for example, and were not able to login after a reboot - it would detect this [provided you set it up to look for this] and restore it)
I like to wind things up, then let them go about their merry way...
-
Re:Windows vs. Linux - a few points
Ideally, one would never want 100 PCs to deal with. I've worked in such environments before, and there are constantly parts breaking, etc. - it's just a major headache. Thin clients with no moving parts are a much better solution. Check out this article on Largo, Florida, and the link to the original article:
http://newsforge.com/article.pl?sid=02/12/04/2346215
However, suppose you already made the mistake of buying a big pile of PCs, so you want to make use of them until you migrate to something that makes more sense. Rolling out Linux on them all would be relatively painless, and there are numerous ways of doing this. One method would be to go with the Linux Terminal Server project:
http://www.ltsp.org/
Supposing you want to keep the "PC" model, because, say, you don't have the network or server resources for a central login server setup, then there are many ways of rolling out a group of linux PC installs as well. Here's an article that discusses some of them:
http://www.linux-mag.com/2002-12/cloning_01.html
In UNIX/Linux, by default, normal users do not have the ability to modify the system. They have authority only over their own home directories. There are a great many security measures that one could take to "lock down" the system to a far greater degree than the average defaults, but the default configuration for most distributions likely offers more protection to the system's integrity than a professionally locked down Windows box.
You can set up Linux in several ways for centralized system accounts and authentication, to achieve, in effect, the type of "domain-like" logins that you are used to in Windows. LDAP servers are a great mechanism to do this (LDAP is actually the protocol on which MS DS is based).
There are numerous ways to centrally manage all of the software installs, configuration files (which determine all system settings), etc., on a network of Linux machines. Linux/UNIX philosophy is that tools are made to be simple and flexible, and to work easily with other tools. This gives the administrator the freedom to set things up the way s/he sees fit for his/her specific environment. Rsync is a good example of a tool with remarkable flexibility for keeping files in sync: http://rsync.samba.org/index.html
Perl has infinite potential and flexibility in systems management. http://www.perl.org
Cfengine is a powerful distributed configuration system: http://www.cfengine.org/
So basically you can patch together a system that works best for you. There are hundreds, maybe thousands of tools that you can use. Many of them are built in, others you might have to download and install.
If you want a commercial "out-of-the-box" management solution, those are available too. Ximian's Red Carpet product is an example of centralized package management. I think I read that Novell was working on some type of management software... I've never looked into commercial solutions, since the free & roll-your-own ones are more than sufficient for me.
As for your quip about no support and problems with drivers - that just shows your lack of experience with the platform. Support is generally a lot better with open source software than it is for commercial software, and it's usually free. As for drivers, wouldn't you check to make sure they exist before buying the hardware? Chances are extremely high that any hardware you have in the enterprise today is fully supported in Linux. It's the bleeding edge, just-released-this-month gaming hardware that isn't.
-
Re:Easy Solution
If you are a nerd, what the heck are you doing running windows anyway?
You should have several linux boxes and do all of your configurations via VI(M) or EMACs on your primary box, and use perl/expect.pm and/or Cfengine for remote administration of the others.
Why is everyone so enamored with GUIs anyway? It takes me almost no time at all to configure an application or service using a text editor, whereas I spend hours searching through dross in GUIs to get one simple thing done in windoze.
The key difference is you have to know something about the underlying operating system - which I thought defined 'geekitude' and general 'nerdishness' best... I guess modern geeks can't handle grokking details anymore. It is a sad state of affairs - a sad time we live in...
-
cfengine
Welcome to cfengine. Systems don't even have to be particularly similar.
-
Use cfengine
As some comments have already pointed out, configuration changes on different Unices will be a pain. You need scripts which distinguish between them, and this can be quite messy with all the clauses. cfengine makes this a lot easier and also keeps the configuration files readable. In addition it has some nice file management (moving, archiving, deleting, permissions) and text editing functionality. It also allows you to deploy changes from a central workstation to hundreds of clients with ease.