Date post: | 30-Jun-2015 |
Category: |
Technology |
Upload: | jonathan-clarke |
www.cfengine.com
What is new in CFEngine 3.6
What is new
• User promises
• TLS protocol
• Math expressions
• Dynamic inputs
• New language functions
• Tags
• Data containers
• File templating
User promises
• A new promise type
• Manage local users on hosts
• Make promises about user characteristics
  • UID
  • Group membership
  • Home directory
  • Password
  • Shell
  • Description
User promises - Example
bundle agent my_bundle {
  users:
    "joe"
      policy => "present",
      group_primary => "users",
      groups_secondary => { "printers", "db_users" },
      home_dir => "/nfs/home/joe",
      home_bundle => setup_home_dir("joe");
}
TLS protocol
• Industry standard security protocol
• All traffic is fully encrypted
• Transparent to the user
• Old protocol
  • Deprecated, but still supported
  • Can be turned off after upgrade is complete
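One way to phase out the old protocol on a policy server, as an added example that is not from the slides. The attribute names protocol_version and allowlegacyconnects are taken from the CFEngine 3.6 reference documentation; the class upgrade_in_progress and the host addresses are hypothetical.

```cfengine
# Added example: fragments to merge into the existing control bodies.
# upgrade_in_progress is a hypothetical class; define it only while
# pre-3.6 agents still need to reach this server.

body common control
{
      # Outgoing connections from upgraded hosts use the new TLS-based
      # protocol instead of the deprecated one.
      protocol_version => "latest";
}

body server control
{
    upgrade_in_progress::
      # During the rolling upgrade: only the hosts that have not been
      # upgraded yet may still connect with the old protocol.
      # Addresses are constructed placeholders.
      allowlegacyconnects => { "10.80.80.21", "10.80.80.22" };

    !upgrade_in_progress::
      # Upgrade complete: an empty list refuses every connection that
      # does not use the latest protocol.
      allowlegacyconnects => { };
}
```

Leaving allowlegacyconnects undefined keeps the old protocol open to all hosts, so the empty list has to be set explicitly once the last agent is upgraded.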
Math expressions
• New math evaluation function: eval()
• Works on strings
• String contains expression to evaluate
  • Example: eval("ceil($(sys.cpus) / 4)")
• Previously required shell script
Math expressions
• Accepts common math operators: +, -, *, /
• Some less common ones too: ^, **, %
• Many common math functions
  • ceil, floor, log10, log2, log, sqrt, sin, cos, tan, asin, acos, atan, abs, step
• Mathematical constants
  • e, log2e, log10e, ln2, ln10, pi, pi_2, pi_4, 1_pi, 2_pi, 2_sqrtpi, sqrt2, sqrt1_2
• SI-units: K, M, G, T, P
Dynamic inputs
• 3.5:
  • Input files can only be defined in promises.cf
  • Inconvenient; all file additions require editing promises.cf
• 3.6:
  • file control bodies can contain input files
  • Body can be specified once per file
      body file control {
        inputs => { "input_file.cf" };
      }
Dynamic inputs - Example
• promises.cf
    body common control {
      inputs => { "input_file.cf" };
    }
• input_file.cf
    body file control {
      inputs => { "nested_input_file.cf" };
    }
New language functions
• findfiles(glob1, glob2, ...)
  • Returns a list of files that match glob pattern
• makerule(target, sources)
  • Determines whether target needs to be rebuilt from sources
  • Inspired by the Unix make program
• packagesmatching(...)
  • Returns list of installed packages
  • List can be filtered by name, version and architecture
New language functions
• canonifyuniquely(test)
  • Convert a string into a legal class name
  • Unlike canonify, name is guaranteed to be unique.
  • Useful when making class names from a list of files
• bundlesmatching(regex, tag1, ...)
  • Returns bundles matching criteria
  • Result can be used in a methods promise
  • Very powerful together with findfiles
bundlesequence - Example
bundle common global {
  vars:
    "policies" slist => findfiles("/var/cfengine/inputs/*.cf");
    "bundles" slist => bundlesmatching(".*", "production");
}
body common control {
  inputs => { @(global.policies) };
  bundlesequence => { @(global.bundles) };
}
New language functions
• Plenty of others
  • data_readstringarray
  • data_readstringarrayidx
  • datastate
  • datatype
  • getclassmetatags
  • getvariablemetatags
  • max
  • mean
  • mergedata
  • min
  • parsejson
  • readjson
  • storejson
  • string_downcase
  • string_head
  • string_length
  • string_reverse
  • string_tail
  • string_upcase
  • variablesmatching
  • variance
Tags
• Labels that you can attach to bundles and promises
• Certain functions can filter based on tags
  • bundlesmatching
  • classesmatching
  • variablesmatching
Tags - Example
bundle agent my_bundle {
  meta:     ### Bundle tags
    "tags" slist => { "experimental" };
  vars:     ### Variable tags
    "db_server" string => "106.54.21.90",
      meta => { "mysql", "trusted" };
  classes:  ### Class tags
    "experimental" expression => "any",
      meta => { "tier_spec" };
}
Data containers
• Structured containers (JSON)
    "container" data => parsejson('[
      { "user": "joe", "groups": "users" },
      { "user": "jack", "groups": "admins" }
    ]');
• reports:
    "$(container[1][user])";
• --> R: jack
Data containers
• Can read JSON files
  • readjson(filename, maxbytes)
• Or fields from a text file
  • data_readstringarray(filename, comment, split, maxentries, maxbytes)
  • data_readstringarrayidx(filename, comment, split, maxentries, maxbytes)
• Convert back to JSON
  • storejson(data_container)
Data containers - Example
• records.txt:
    joe,/nfs/home/joe,Joe Smith
    jack,/home/jack,Jack Jensen
• Resulting JSON after data_readstringarrayidx
    [
      [ "joe", "/nfs/home/joe", "Joe Smith" ],
      [ "jack", "/home/jack", "Jack Jensen" ]
    ]
Data containers - Example
• records.txt:
    joe,/nfs/home/joe,Joe Smith
    jack,/home/jack,Jack Jensen
• policy.cf:
    vars:
      "users" data => data_readstringarrayidx("records.txt", "", ",", 10, 4000);
      "index" slist => getindices("users");
    users:
      "$(users[$(index)][0])"
        home_dir => "$(users[$(index)][1])",
        description => "$(users[$(index)][2])",
        policy => "present";
File templating
• New templating engine: Mustache
  • Based on the Mustache templating language
  • http://mustache.github.io/
File templating - Example
• promises.cf:
    files:
      "/etc/motd"
        edit_line => motd_edit,
        edit_defaults => empty;
    }
    bundle edit_line motd_edit
    {
      insert_lines:
        "Welcome to this CFEngine managed machine.";
        "This machine pulls policy from $(sys.policy_hub).";
    }
• Result:
    Welcome to this CFEngine managed machine.
    This machine pulls policy from 10.80.80.1.
File templating - Example
• promises.cf:
    files:
      "/etc/motd"
        edit_template => "template.mustache",
        template_method => "mustache";
• template.mustache:
    Welcome to this CFEngine managed machine.
    This machine pulls policy from {{vars.sys.policy_hub}}.
• Result:
    Welcome to this CFEngine managed machine.
    This machine pulls policy from 10.80.80.1.
Miscellaneous
• cf-serverd allows distinct key/IP/hostname access controls
• New “shortcut” constraint in server policy allows non-absolute paths in copy_from promises
• New log format
• Many new built-in variables:
  • sys.uptime, sys.masterdir, this.promiser_ppid, ...
• LMDB replaces Tokyo Cabinet as database backend
• Calls to execresult and returnszero are now cached instead of executing repeatedly
Questions?
Thank you!