Cfengine
1. Cfengine overview
Cfengine is a useful tool that does a fantastic job of configuring and maintaining Unix computer systems. Cfengine is a stand-alone set of tools that configures and manages computers according to the instructions in a configuration file. The configuration file is written in a high-level language that is easy to learn and use, and it defines the appropriate attributes for the various system components (no programming is required). In this way Cfengine can automatically configure many systems so that each one matches a defined configuration specification. It can also keep monitoring the systems and adjust their configuration as needed.
2. What you can do with Cfengine
3. Program components
cfagent: the main utility, which applies the configuration file to the local system
cfrun: a utility that applies the configuration file to remote systems
cfservd: the server process that supports cfrun. It makes the Cfengine agent functions available from remote systems.
cfexecd: a daemon that automates job scheduling, reporting and so on
cfenvd: a problem detection daemon
cfkey: the security key generation utility
For each host you define in advance the work that cfagent is to do. This lets you automate system administration tasks one server at a time. That is probably not what we want, however. You can put the required files on a central management server and have each server fetch them from it, or you can run cfagent on each system remotely from the central management server. The central management server can connect to each host with cfrun; for this, cfservd must be running on each host.
cfexecd is used on each host in the same way as cron.
cfkey is the security key generation utility; run it on each host to be managed. The central management server and each host communicate using these keys (a private key/public key scheme).
cfservd must be running on the server before the other target computers can fetch files from the master server.
On the other target computers, run cfagent either manually or automatically (using cfexecd or cron).
4. Precautions before use
Each host must have a hostname; a DNS lookup of that name must return an IP address, and a query for that IP address must return the same hostname.
The hostname -> IP mapping is usually configured on the name server, but the IP -> hostname mapping is often not set up in DNS. In that case, every host name must be entered in /etc/hosts.
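A check for the forward and reverse lookup requirement described above, as an added example that is not part of the original page. The function names are assumptions of this example, and the hosts data and 192.0.2.x addresses are constructed; on a real system, call `lookup_problems()` without resolver arguments to use the system resolver.

```python
import socket

def resolvers_from_hosts(text):
    """Build forward/reverse lookup functions from /etc/hosts-style text."""
    fwd, rev = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        rev.setdefault(ip, names[0])      # first name is the canonical one
        for name in names:
            fwd.setdefault(name.lower(), ip)
    def forward(name):
        if name.lower() not in fwd:
            raise socket.gaierror(f"{name}: Name or service not known")
        return fwd[name.lower()]
    def reverse(ip):
        if ip not in rev:
            raise socket.herror(f"{ip}: Unknown host")
        return rev[ip]
    return forward, reverse

def lookup_problems(hostnames, forward=None, reverse=None):
    """Return {hostname: reason} where name -> IP -> name does not round-trip."""
    forward = forward or socket.gethostbyname
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    problems = {}
    for name in hostnames:
        try:
            ip = forward(name)
            back = reverse(ip)
        except OSError as exc:            # gaierror and herror are OSError subclasses
            problems[name] = f"lookup failed: {exc}"
            continue
        if back.rstrip(".").lower() != name.rstrip(".").lower():
            problems[name] = f"{ip} resolves back to {back!r}"
    return problems

# Constructed /etc/hosts content; the 192.0.2.x addresses are documentation placeholders.
SAMPLE_HOSTS = """
192.0.2.10  cent.tunelinux.pe.kr cent
192.0.2.11  cent2 cent2.tunelinux.pe.kr   # short name first
"""
# Host names as they appear in cfrun.hosts and the class lists on this page.
MANAGED = ["cent.tunelinux.pe.kr", "cent2.tunelinux.pe.kr", "techlab.tunelinux.pe.kr"]

def check_sample():
    forward, reverse = resolvers_from_hosts(SAMPLE_HOSTS)
    return lookup_problems(MANAGED, forward, reverse)

if __name__ == "__main__":
    for host, reason in check_sample().items():
        print(f"{host}: {reason}")
```

In the constructed data, cent2 fails because the short name is listed first in its hosts entry, so the reverse lookup returns `cent2` rather than the fully qualified name.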
5.1. Installing from source
Download from http://www.cfengine.org/pages/download
First, use md5sum to verify the integrity of the source archive.
Unpack the source.
# ./configure --prefix=/usr/local/cfengine   (the default is to install under /usr/local)
# make
# make check   (self test)
# make install
Two development-related packages are needed for the installation.
Berkeley Database obtainable from http://www.sleepycat.com
OpenSSL obtainable from http://www.openssl.org
On RHEL and CentOS, db4-devel and openssl-devel are required.
# yum -y install db4-devel openssl-devel
The installed files are listed below. They are installed under /usr/local/cfengine.
> ./sbin/cfagent
> ./sbin/cfservd
> ./sbin/cfrun
> ./sbin/cfkey
> ./sbin/cfenvd
> ./sbin/cfenvgraph
> ./sbin/cfexecd
> ./sbin/cfshow
> ./sbin/cfetool
> ./sbin/cfetoolgraph
> ./sbin/cfdoc
21a33,57
> ./share/cfengine
> ./share/cfengine/cfengine.el
> ./share/cfengine/cf.chflags.example
> ./share/cfengine/cf.freebsd.example
> ./share/cfengine/cf.ftp.example
> ./share/cfengine/cf.groups.example
> ./share/cfengine/cf.linux.example
> ./share/cfengine/cf.main.example
> ./share/cfengine/cf.motd.example
> ./share/cfengine/cf.preconf.example
> ./share/cfengine/cf.services.example
> ./share/cfengine/cf.site.example
> ./share/cfengine/cf.solaris.example
> ./share/cfengine/cf.sun4.example
> ./share/cfengine/cf.users.example
> ./share/cfengine/cfservd.conf.example
> ./share/cfengine/cfagent.conf.example
> ./share/cfengine/cfagent.conf-advanced.example
> ./share/cfengine/update.conf.example
> ./share/cfengine/cfrc.example
> ./share/cfengine/cfrun.hosts.example
> ./share/cfengine/README
> ./share/cfengine/ChangeLog
> ./share/cfengine/INSTALL
> ./share/cfengine/NEWS
5.2. Using RPM
# cd /usr/src/redhat/SPEC
# rpmbuild -ba --target i686 cfengine.spec
# rpm -ivh http://cfengine.tunelinux.pe.kr/tune/4.4/i386/RPMS/cfengine-2.1.21-2.i686.rpm
6.1. Initial configuration and testing
6.2. Master server configuration
6.2.1. cfagent.conf
##################################################
#
# cfagent.conf
#
# This is a simple file for getting started with
# cfengine. It is harmless. If you get cfengine
# running with this file, you can build on it.
#
##################################################
###
#
# BEGIN cfagent.conf (Only hard classes in this file )
#
###
classes:
# cfengine master server
master_server = ( cfengine.tunelinux.pe.kr )
# server group
testingservers = ( cent.tunelinux.pe.kr cent2.tunelinux.pe.kr )
#testingservers = ( cent2.tunelinux.pe.kr )
webhosting = ( cent.tunelinux.pe.kr )
mailhosting = ( '/usr/bin/test -d /var/qmail' )
dnshosting = ( '/usr/bin/test -f /etc/named.conf' )
dnsservers = ( '/usr/bin/test -f /etc/named.conf' )
intraservers = ( cfengine.tunelinux.pe.kr intranet.tunelinux.pe.kr project.tunelinux.pe.kr )
#intra_ip_range = ( IPRange(111.112.137.1-100) )
intra_ip_range = ( IPRange(111.112.137.0/24) )
# tune servers
tuneservers = ( testingservers webhosting mailhosting dnshosting intraservers intra_ip_range )
# specific server
centosservers = ( '/usr/bin/test -d /usr/share/doc/centos-release-4' )
cfengineservers = ( '/usr/bin/test -f /usr/sbin/cfagent' )
yumservers = ( '/usr/bin/test -f /etc/yum.repos.d/CentOS-Base.repo' )
techlabservers = ( 111.112.137.141 techlab.tunelinux.pe.kr )
##################################################
control:
domain = ( tunelinux.pe.kr )
timezone = ( MET )
smtpserver = ( localhost ) # used by cfexecd
sysadm = ( joon@tunelinux.pe.kr ) # where to mail output
# IfElapsed = ( 0 )
schedule = ( Hr00 )
ChecksumUpdates = ( on )
# cfengine tune repository
master_files = ( /usr/local/var/cfengine/tune )
master_server = ( cfengine.tunelinux.pe.kr )
# html repository
html_files = ( /var/www/html/tune )
# security check
SpoolDirectories = ( /var/spool/mail /var/spool/cron )
WarnNonOwnerMail = ( true )
WarnNonUserMail = ( true )
#!techlabservers::
# NonAlphaNumFiles = ( on )
actionsequence = ( disable copy editfiles files shellcommands directories tidy processes )
##################################################
resolve:
# Add these name servers to the /etc/resolv.conf file
210.220.163.82 # local nameserver
210.94.6.67 # backup nameserver
##################################################
# 111.112.137 tune intra
# 222.239.157 IDC monitor
# 66.600.5 IDC intra
editfiles:
{
/etc/crontab
AppendIfNoSuchLine "* 0 * * * root /usr/bin/rdate -s time.bora.net && /sbin/hwclock -w"
}
tuneservers::
{
/etc/security/access.conf
AppendIfNoSuchLine "-:root:All EXCEPT LOCAL localhost.localdomain 111.112.137. 222.239.157. 66.600.5."
}
{
/etc/pam.d/sshd
AppendIfNoSuchLine "account required pam_access.so"
}
{
/etc/vsftpd/vsftpd.conf
ReplaceAll "anonymous_enable=YES" With "anonymous_enable=NO"
DefineClasses "modified_ftp"
}
intraservers|intra_ip_range::
{
/etc/aliases
AppendIfNoSuchLine "root: joon@tunelinux.pe.kr"
DefineClasses "modified_aliases"
}
centosservers::
{
/etc/updatedb.conf
ReplaceAll "DAILY_UPDATE=no" With "DAILY_UPDATE=yes"
}
tuneservers.cfengineservers::
{
/etc/crontab
AppendIfNoSuchLine "* 0 * * * root /usr/sbin/cfexecd -F"
}
intra_ip_range|testingservers::
{
/etc/bashrc
AppendIfNoSuchLine "alias ll='ls -alF'"
}
##################################################
copy:
# Get a file from some trusted server, e.g. password sync
# To do this, you need to use cfkey to install keys
# tune yum repository
tuneservers::
$(master_files)/tune.repo dest=/etc/yum.repos.d/tune.repo mode=644 server=$(master_server)
# master file copy
master_server::
/etc/hosts dest=$(master_files)/hosts backup=true
/usr/local/var/cfengine/inputs/update.conf dest=$(html_files)/update.conf mode=644
$(master_files)/tune.repo dest=$(html_files)/tune.repo mode=644 server=$(master_server)
# iptables
intra_ip_range|intraservers::
$(master_files)/intra-iptables dest=/etc/sysconfig/iptables mode=600 server=$(master_server) backup=true define=modified_iptables
testingservers.!master_server::
$(master_files)/hosts dest=/etc/hosts mode=644 server=$(master_server) backup=true
##################################################
files:
tuneservers::
# file check
/tmp mode=ugo-x recurse=inf action=fixall syslog=true inform=true
/var/tmp mode=ugo-x recurse=inf action=fixall syslog=true inform=true
/proc mode=700 owner=root action=fixall
# password
/etc/passwd mode=644 owner=root action=fixall checksum=md5 syslog=true inform=true
/etc/shadow mode=600 owner=root action=fixall checksum=md5 syslog=true inform=true
/etc/group mode=644 owner=root action=fixall checksum=md5 syslog=true inform=true
#cfengine program file
cfengineservers::
/usr/sbin mode=700 owner=root action=fixall include=cf* recurse=inf
##################################################
shellcommands:
# security check
# "/usr/bin/find /tmp/ '(' -nouser -o -nogroup ')' "
tuneservers.yumservers::
"/bin/rm -f /etc/yum.repos.d/CentOS-*"
tuneservers.yumservers.Sunday.Hr00::
"/usr/bin/yum clean all"
modified_ftp::
"/etc/init.d/vsftpd restart"
modified_iptables::
"/etc/init.d/iptables restart"
modified_aliases::
"/usr/bin/newaliases && /etc/init.d/sendmail restart && /sbin/chkconfig --level 345 sendmail on"
any.Hr07::
"/usr/bin/rdate -s time.bora.net && /sbin/hwclock -w" timeout=30
##################################################
directories:
# /tmp mode=1777 owner=root group=root syslog=true inform=true
tidy:
#tuneservers.intra_ip_range::
tuneservers::
/tmp recurse=inf pattern=* age=7 rmdirs=sub syslog=true inform=true
/var/tmp recurse=inf pattern=* age=7 rmdirs=sub syslog=true inform=true
/home recurse=inf
pat=core
pat=a.out
pat=*.o
age=1
rmdirs=sub
syslog=true
inform=true
# pat=*%
# pat=#*
disable:
tuneservers::
/root/.rhosts syslog=true inform=true
/etc/hosts.equiv syslog=true inform=true
##################################################
processes:
# "xinetd" signal=hup
# "httpd" signal=kill
# "cfservd" signal=hup
# "cfexecd" signal=hup
tuneservers.cfengineservers::
"cfexecd" restart "/usr/sbin/cfexecd"
"cfservd" restart "/usr/sbin/cfservd"
###
#
# END cfagent.conf
#
###
The control section holds the settings that relate to the configuration as a whole.
smtpserver and sysadm make the output of a run (for example one started by cfexecd) be sent by mail. Specify the SMTP server and the user who should receive the mail.
IfElapsed relates to how cfagent is run; see the debugging section below.
schedule: when cfexecd has been started (it is the program responsible for running cfagent periodically), cfexecd runs periodically according to what is set in schedule. cfexecd has no configuration file of its own; it reads the schedule setting in cfagent.conf and runs accordingly. You can either leave cfexecd running as a daemon or have cron run it.
Classes let you apply policy per group. The hosts listed inside ( ) are looked up in the /etc/hosts file. You can also divide hosts into groups (classes) based on the result of running a particular command.
This is useful when hosts are hard to classify through the /etc/hosts file. A class can also contain other classes.
ChecksumUpdates checks the checksum of the files listed under files and shows a warning when it differs.
NonAlphaNumFiles checks for directories whose names fall outside ordinary characters, such as ".. ." (?)
master_server here is an arbitrary variable; you can create and use your own variables in the same form.
In files and similar sections, syslog records the change in syslog, and inform reports the information on the screen or by e-mail. I could not work out the difference between true and on even after reading the manual.
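How the class selectors in the cfagent.conf above combine, as an added example that is not part of the original page or of cfengine itself: a small evaluator for cfengine 2 class expressions, where `.` or `&` means AND, `|` means OR and `!` means NOT, assuming AND binds tighter than OR. The function names and the class set for the host are constructed for illustration; the selectors are the ones used on this page.

```python
import re

def split_top(expr, ops):
    """Split expr on any operator in ops that is not inside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in expr:
        depth += (ch == "(") - (ch == ")")
        if ch in ops and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def class_matches(expr, defined):
    """True if a selector such as 'a.!b::' holds for the set of defined classes."""
    expr = re.sub(r"\s+", "", expr).rstrip(":").replace("||", "|")
    # OR has the lowest precedence, so split on it first, then on AND.
    for ops, combine in (("|", any), (".&", all)):
        parts = split_top(expr, ops)
        if len(parts) > 1:
            return combine([class_matches(p, defined) for p in parts])
    if expr.startswith("!"):
        return not class_matches(expr[1:], defined)
    if expr.startswith("(") and expr.endswith(")"):
        return class_matches(expr[1:-1], defined)
    if not re.fullmatch(r"\w+", expr):
        raise ValueError(f"malformed class expression: {expr!r}")
    return expr in defined

# Constructed class set for a host like cent2 on a Tuesday at 07:xx (not real output).
CENT2 = {"any", "linux", "testingservers", "tuneservers", "cfengineservers",
         "yumservers", "Tuesday", "Hr07"}

# Selectors taken from the cfagent.conf on this page.
SELECTORS = ["tuneservers::", "intraservers|intra_ip_range::",
             "tuneservers.cfengineservers::", "testingservers.!master_server::",
             "tuneservers.yumservers.Sunday.Hr00::", "any.Hr07::"]

def active_selectors(defined):
    """Return the selectors whose sections would apply on this host."""
    return [s for s in SELECTORS if class_matches(s, defined)]

if __name__ == "__main__":
    for selector in active_selectors(CENT2):
        print("applies:", selector)
```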
6.2.2. cfservd.conf
#########################################################
#
# This is a cfd config file
#
# The access control here follows after any tcpd
# control in /etc/hosts.allow and /etc/hosts.deny
#
#########################################################
#
# Could import cf.groups here and use a structure like
# in cfengine.conf, cf.main, cf.groups
#
control:
domain = ( tunelinux.pe.kr )
AllowUsers = ( root )
linux::
cfrunCommand = ( "/var/cfengine/bin/cfagent" )
any::
# ChecksumDatabase = ( /tmp/testDATABASEcache )
IfElapsed = ( 1 )
MaxConnections = ( 30 )
# access control
Split = ( " " )
hostlist = ( "111.112.137 222.239.157 66.600.5" )
# hostlist = ( "111.112.137.162" )
dirs = ( "inputs tune" )
base = ( /usr/local/var/cfengine )
#########################################################
admit: # or grant:
$(base)/$(dirs) $(hostlist)
# /usr/local/var/cfengine/inputs *
# /usr/local/var/cfengine/tune *
cfservd.conf is required by cfservd and sets the access permissions.
Without the AllowUsers entry, cfrun did not run.
admit is the section where access rights are configured.
6.2.3. update.conf
#######################################################
#
# cf.update - for iu.hio.no
#
#######################################################
###
#
# BEGIN cf.update
#
###
#######################################################################
#
# This script distributes the configuration, a simple file so that,
# if there are syntax errors in the main config, we can still
# distribute a correct configuration to the machines afterwards, even
# though the main config won't parse. It is read and run just before the
# main configuration is parsed.
#
#######################################################################
control:
actionsequence = ( copy processes tidy ) # Keep this simple and constant
domain = ( tunelinux.pe.kr ) # Needed for remote copy
#
# Which host/dir is the master for configuration roll-outs?
#
policyhost = ( cfengine.tunelinux.pe.kr )
master_cfinput = ( /usr/local/var/cfengine/inputs )
AddInstallable = ( new_cfenvd new_cfservd )
#
# Some convenient variables
#
workdir = ( /var/cfengine )
linux::
cf_install_dir = ( /usr/local/cfengine/sbin )
###################################################################
#
# Spread the load, make sure the servers get done first though
#
###################################################################
!AllBinaryServers::
SplayTime = ( 1 )
############################################################################
#
# Make sure there is a local copy of the configuration and
# the most important binaries in case we have no connectivity
# e.g. for mobile stations or during DOS attacks
#
copy:
$(master_cfinput) dest=$(workdir)/inputs
r=inf
mode=700
type=binary
exclude=*.lst
exclude=*~
exclude=#*
server=$(policyhost)
trustkey=true
#####################################################################
tidy:
#
# Cfexecd stores output in this directory.
# Make sure we don't build up files and choke on our own words!
#
$(workdir)/outputs pattern=* age=7
#####################################################################
processes:
new_cfservd::
"cfservd" signal=term restart /usr/sbin/cfservd
new_cfenvd::
"cfenvd" signal=kill restart "/usr/sbin/cfenvd -H"
###
#
# END cf.update
#
###
update.conf is the configuration that cfagent needs in order to reach the master server. The required files are fetched from the server and directory specified here.
6.3. Client configuration
[root@localhost cfengine]# mkdir -p /var/cfengine/inputs
[root@localhost cfengine]# mkdir -p /var/cfengine/bin
[root@localhost cfengine]# cd /var/cfengine/bin
[root@localhost cfengine]# scp cent.tunelinux.pe.kr:/usr/local/cfengine/sbin/* .
[root@localhost cfengine]# scp cent.tunelinux.pe.kr:/usr/local/var/cfengine/inputs/update.conf /var/cfengine/inputs
[root@localhost cfengine]# cfkey
Making a key pair for cfengine, please wait, this could take a minute...
Writing private key to /var/cfengine/ppkeys/localhost.priv
Writing public key to /var/cfengine/ppkeys/localhost.pub
[root@localhost cfengine]# scp /var/cfengine/ppkeys/localhost.pub cent.tunelinux.pe.kr:/var/cfengine/ppkeys/root-111.112.137.140.pub
[root@mytest inputs]# ll /var/cfengine/ppkeys/
합계 24
drwx------ 2 root root 4096 10월 10 16:05 ./
drwxr-xr-x 9 root root 4096 10월 19 13:58 ../
-rw------- 1 root root 1743 10월 10 15:15 localhost.priv
-rw------- 1 root root 426 10월 10 15:15 localhost.pub
-rw------- 1 root root 426 10월 19 14:39 root-111.112.137.140.pub
-rw------- 1 root root 426 10월 10 15:28 root-111.112.137.162.pub
[root@mytest inputs]# cfagent -q -v   (the -q option runs immediately, without the delay)
6.4. Debugging
6.5. Directory structure
[root@localhost cfengine]# tree -d /var/cfengine/
/var/cfengine/
|-- bin
|-- inputs
|-- modules
|-- ppkeys
|-- ppkeys1
|-- rpc_in
|-- rpc_out
`-- state
6.6. cfrun
cfrun runs various commands remotely from the master server. It is a push model, in which the master triggers execution on each server.
To run this program you need a cfrun.hosts file; put it in /var/cfengine/inputs.
cfservd must also be running on each host. When cfservd runs on the master, its role is to let each client connect to it, but when cfrun is used the daemon must be running on each target computer.
# cat cfrun.hosts
domain=tunelinux.pe.kr
cent.tunelinux.pe.kr
cent2.tunelinux.pe.kr
Running cfrun with no arguments automatically reads the cfrun.hosts file and runs cfagent on each system.
The screen shows only what was actually applied, in brief. In the run below, the /etc/crontab and /etc/security/access.conf files on cent2 had been modified on purpose.
# cfrun
cfrun(0): .......... [ Hailing cent.tunelinux.pe.kr ] ..........
cfrun(0): .......... [ Hailing cent2.tunelinux.pe.kr ] ..........
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
cfengine:cent2: Saving edit changes to file /etc/crontab
cfengine:cent2: Saving edit changes to file /etc/security/access.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7.1. Classes
# cfagent -p -v | grep -i define
Additional hard class defined as: 32_bit
Additional hard class defined as: linux_2_6_9_42_0_3_EL
Additional hard class defined as: linux_i686
Additional hard class defined as: linux_i686_2_6_9_42_0_3_EL
Additional hard class defined as: linux_i686_2_6_9_42_0_3_EL__1_Fri_Oct_6_05_59_54_CDT_2006
Defined Classes = ( 222_112_137 222_112_137_162 32_bit DNSservers Day3 Friday Hr18 Hr18_Q2 INTRAservers MAILservers Min25_30 Min27 November Q2 WWWservers Yr2006 addr_ allservers any c1 call cent cent_tunelinux_pe_kr centos centos_4 centos_4_4 cfengine_2 cfengine_2_1 cfengine_2_1_21 cfengineservers compiled_on_linux_gnu dnsservers fe80__20c_29ff_fe14_2f08 i686 ipv4_222 ipv4_222_112 ipv4_222_112_137 ipv4_222_112_137_162 kr linux linux_2_6_9_42_0_3_EL linux_i686 linux_i686_2_6_9_42_0_3_EL linux_i686_2_6_9_42_0_3_EL__1_Fri_Oct_6_05_59_54_CDT_2006 net_iface_eth0 net_iface_lo pe_kr redhat tunelinux_pe_kr )
c1 = ( cent.tunelinux.pe.kr )
mailservers = ( '/usr/bin/test -d /var/qmail' )
dnsservers = ( '/usr/bin/test -f /etc/named.conf' )
cfengineservers = ( '/usr/bin/test -f /usr/sbin/cfagent' )
yumservers = ( '/usr/bin/test -f /etc/yum.repos.d/CentOS-Base.repo' )
allservers = ( c1 c2 mailservers dnsservers cfengineservers yumservers )
7.2. Caveats and issues that came up during use
Nov 10 11:33:15 mirrot cfservd[9610]: Unable to lookup hostname (techlab.tunelinux.pe.kr) or cfengine service: Name or service not known
In this case IPRange is convenient: just specify the IP range. With it, things worked without registering the host in DNS.
8. References
Contributor: 문태준 (http://tunelinux.pe.kr http://database.sarang.net)