Archive for the ‘CFEngine’ Category

statistical packet distribution with iptables

No Comments »

So, Linux iptables has a couple of modules which allow you to distribute traffic across multiple hosts. But there isn’t any good documentation I can find which correctly explains how to use them. I figured it out, so I’m going to share. :)
Read the rest of this entry Ľ


Using a database to configure CFEngine

No Comments »

I’m responsible for a pretty large CFEngine installation. ¬†CFEngine is designed to be pretty self-sufficient even when the network is unavailable, so it basically¬†works by keeping¬†its configuration local on each machine, and running from that local copy. ¬†This is mostly implemented using¬†a file-based configuration structure. ¬†There’s a main configuration file (promises.cf) which includes several additional configuration files. ¬†In pretty much every situation, one of the promises (the name for an individual policy item) or bundles of promises will ensure that the local config files are in sync with the configuration files¬†on the central master.

While it’s possible to use LDAP or define some variables on the central master, the main way configuration is done is by putting the policy into some files on the master and then allowing individual systems to copy those files down; the central master is basically just a fairly efficient file server.

Read the rest of this entry Ľ


Comparing Puppet and CFEngine in recursive file handling

No Comments »

So, we all know that ruby’s memory management is sketchy at best, and the Puppet is generally slow. But how can we quantify that? One of the metrics which is important to my usage is that of verifying the permissions on a large number of files. To that end, I wrote a simple script to compare the performance of ensuring that the contents of a large directory of files are owned by a specific group. Before each test, I remove a temp directory, create a set of sequentially-named files with the wrong group ownership, and then correct the ownership. I then run the same command again to see how quickly it can verify the permissions – which should be the common case.

For the baseline, I use “find | xargs chgrp”, which is slightly slower than “chgrp -R”, but not much slower (and, in my mind, slightly more fair). I then use a simple CFEngine policy and a simple Puppet policy to do the same thing.¬† The summary?¬† Puppet is dog slow at file recursion, while CFEngine is nearly as fast as pure find.¬† CFEngine actually uses less memory than the shell when you get to many files (probably due to the pipe to xargs), and Puppet wastes memory like it’s been surfing the web for weeks using an old version of Firefox.

Read the rest of this entry Ľ


CFEngine vim hilighting

1 Comment »

Get the highlighting code from https://github.com/neilhwatson/vim_cf3, and set it up in a location that will be loaded by default.¬† I’m partial to making¬† directory under /usr/local/share, and then linking the files in.

Read the rest of this entry Ľ