what is new in cfengine 3.6
DESCRIPTION
This talk will introduce new CFEngine 3.6 features, we have these bullet points: User promises TLS protocol Math expressions Dynamic inputs New language functions Tags Data containers File templating Presentation by Kristian Amlie of CFEngine, given at CfgMgmtCamp 2014 in GhentTRANSCRIPT
www.cfengine.com
What is new in CFEngine 3.6
What is new
• User promises• TLS protocol• Math expressions• Dynamic inputs• New language functions• Tags• Data containers• File templating
User promises
User promises
• A new promise type• Manage local users on hosts• Make promises about user
characteristics• UID
• Group membership
• Home directory
• Password
• Shell
• Description
User promises - Example
bundle agent my_bundle {
users:
“joe”
policy => “present”,
group_primary => “users”,
groups_secondary => { “printers”,
“db_users” },
home_dir => “/nfs/home/joe”,
home_bundle => setup_home_dir(“joe”);
}
TLS protocol
TLS protocol
• Industry standard security protocol• All traffic is fully encrypted• Transparent to the user• Old protocol
• Deprecated, but still supported
• Can be turned off after upgrade is complete
Math expressions
Math expressions
• New math evaluation function: eval()• Works on strings• String contains expression to evaluate
• Example: eval(“ceil($(sys.cpus) / 4)”)
• Previously required shell script
Math expressions
• Accepts common math operators: +, -, *, /
• Some less common ones too: ^, **, %
• Many common math functions• ceil, floor, log10, log2, log, sqrt, sin, cos, tan, asin, acos, atan, abs, step
• Mathematical constants• e, log2e, log10e, ln2, ln10, pi, pi_2, pi_4, 1_pi, 2_pi, 2_srqtpi, sqrt2, sqrt1_2
• SI-units: K, M, G, T, P
Dynamic inputs
Dynamic inputs
• 3.5:• Input files can only be defined in promises.cf
• Inconvenient; all file additions require editing promises.cf
• 3.6:• file control bodies can contain input files
• Body can be specified once per file• body file control {
inputs => “input_file.cf”;
}
Dynamic inputs - Example
• promises.cfbody common control {
inputs => { “input_file.cf” };
}
• input_file.cfbody file control {
inputs => { “nested_input_file.cf” };
}
New language functions
New language functions
• findfiles(glob1, glob2, ...)• Returns a list of files that match glob pattern
• makerule(target, sources)• Determines whether target needs to be rebuilt from sources
• Inspired by the Unix make program
• packagesmatching(...)• Returns list of installed packages
• List can be filtered by name, version and architecture
New language functions
• canonifyuniquely(test)• Convert a string into a legal class name
• Unlike canonify, name is guaranteed to be unique.
• Useful when making class names from a list of files
• bundlesmatching(regex, tag1, ...)• Returns bundles matching criteria
• Result can be used in a methods promise
• Very powerful together with findfiles
bundlesequence - Example
• bundle common global {
vars:
“policies” slist => findfiles
(“/var/cfengine/inputs/*.cf”);
“bundles” slist => bundlesmatching
(“.*”, “production”);
}
body common control {
inputs => { @(global.policies) };
bundlesequence => { @(global.bundles) };
}
New language functions
• Plenty of others• data_readstringarray
• data_readstringarrayidx
• datastate
• datatype
• getclassmetatags
• getvariablemetatags
• max
• mean
• mergedata
• min
• parsejson
• readjson
• storejson
• string_downcase
• string_head
• string_length
• string_reverse
• string_tail
• string_upcase
• variablesmatching
• variance
Tags
Tags
• Labels that you can attach to bundles and promises
• Certain functions can filter based on tags• bundlesmatching
• classesmatching
• variablesmatching
Tags - Example
• bundle agent my_bundle {
meta: ### Bundle tags
“tags” => { “experimental” };
vars: ### Variable tags
“db_server” string => “106.54.21.90”,
meta => { “mysql”, “trusted” };
classes: ### Class tags
“experimental” expression => “any”,
meta => { “tier_spec” };
}
Data containers
Data containers
• Structured containers (JSON)• “container” data => parsejson('[
{ “user”: “joe”, “groups”: “users” },
{ “user”: “jack”, “groups”: “admins” },
]');
• reports:
“$(container[1][user])”;
• --> R: jack
Data containers
• Can read JSON files• readjson(filename, maxbytes)
• Or fields from a text file• data_readstringarray
(filename, comment, split, maxentries, maxbytes)
• data_readstringarrayidx
(filename, comment, split, maxentries, maxbytes)
• Convert back to JSON• storejson(data_container)
Data containers - Example
• records.txt:• joe,/nfs/home/joe,Joe Smith
jack,/home/jack,Jack Jensen
• Resulting JSON after data_readstringarrayidx• [
[ “joe”, “/nfs/home/joe”, “Joe Smith” ],
[ “jack”, “/home/jack”, “Jack Jensen” ]
]
Data containers - Example
• records.txt:• joe,/nfs/home/joe,Joe Smith
jack,/home/jack,Jack Jensen
• policy.cf:• vars:
“users” data => data_readstringarrayidx
(“records.txt”, “”, “,”, 10, 4000);
“index” slist => getindices(“users”);
users:
“$(users[$(index)][0])”
home_dir => “$(users[$(index)][1])”,
description => “$(users[$(index)][2])”,
policy => “present”;
File templating
File templating
• New templating engine: Mustache• Based on the Mustache templating
language• http://mustache.github.io/
File templating - Example
• promises.cf:• files:
"/etc/motd"
edit_line => motd_edit,
edit_defaults => empty;
}
bundle edit_line motd_edit
{
insert_lines:
“Welcome to this CFEngine managed machine.”;
“This machine pulls policy from $(sys.policy_hub).”;
}
• Result:• Welcome to this CFEngine managed machine.
This machine pulls policy from 10.80.80.1.
File templating - Example
• promises.cf:• files:
"/etc/motd"
edit_template => "template.mustache",
template_method => "mustache";
• template.mustache:• Welcome to this CFEngine managed machine.
This machine pulls policy from {{vars.sys.policy_hub}}.
• Result:• Welcome to this CFEngine managed machine.
This machine pulls policy from 10.80.80.1.
Miscellaneous
• cf-serverd allows distinct key/IP/hostname access controls
• New “shortcut” constraint in server policy allows non-absolute paths in copy_from promises
• New log format
• Many new built-in variables:• sys.uptime, sys.masterdir, this.promiser_ppid, ...
• LMDB replaces Tokyo Cabinet as database backend
• Calls to execresult and returnszero are now cached instead of executing repeatedly
www.cfengine.com
Questions?
www.cfengine.com
Questions?
• User promises• TLS protocol• Math expressions• Dynamic inputs• New language functions• Tags• Data containers• File templating
www.cfengine.com
Thank you!