How do you use CFEngine?

[cody-valle]

Hi Everyone! I wanted to start a new thread specifically to learn more about how each of you are currently using or have used CFEngine in the past. I think this would be a good way to learn from each others experiences and explore new ways to use CFEngine.

For example, you can try to answer some of these questions:

• What problem(s) were you trying to solve?
• What solution were you using before CFEngine?
• What was the impact CFEngine made?
• What was your favorite feature of CFEngine?

As a thank you for sharing your story, I'd like to send you some new CFEngine t-shirts and other SWAG.

[brontolinux]

Hello!
Interesting questions, hmmm... 🤔

What problem(s) were you trying to solve?
Keeping a consistent configuration over all my PCs (home, work...)

What solution were you using before CFEngine?
None 😊

What was the impact CFEngine made?
Well... it worked! I am at the fifth generation of my "personal configuration management" and so far it's being working great and it's still manageable. I am able to keep a consistent configuration across the board, and propagate configuration changes to all machines as soon as they are able to reach out to the policy server. Good stuff.

What was your favorite feature of CFEngine?
Not sure I get what you mean here, if it's a particular feature or qualities of the product in general. I like that it's lightweight and consistent; I like that clients keep working even when the server is out of reach for any reason; and I like the community: although small, there is a handful of experts out there (both in and outside Northern.tech) who do their best to be helpful!

[cody-valle]

Thank you for being a part of the community and your insights! If you send me an email ([email protected]) then I will be sure to send you some cool SWAG. :)

[brontolinux]

You are welcome 😄 I have done some extensive CFEngine work in the past on production environments, but it's quite some time ago now and didn't seem relevant to your question.

[atsaloli]

I've used CFEngine to ensure a uniform configuration at large scale (tens of thousands of servers, multiple IT organizations) across an enterprise. Compliance with enterprise security standards was a big part of it. By our calculations, CFEngine saved the company millions in labor costs each year -- well over the cost of the license.

When I had started out with CFEngine, I did so on the Community edition, and I thought this is great! It does everything I need! I am not interested in Enterprise, how could it possibly get better than this?

And now, having used Enterprise for 5 years, I can't imagine going back to Community. I absolultely love the visiblity CFEngine Enterprise reporting provides -- the superhub database (which I can login into and query on the command-line) gives me data that's at most 15 minutes old, and that's regardless of the size of the infrastructure. Having psql access (Postgres command line client) lets me play with the data, and write reports incrementally / iteratively -- and then once I have what I need, I can save it and make it available as a regularly scheduled report.

I have never had insight into infrastructure as I did with CFEngine Enterprise. I can aggregate data, so I can monitor compliance at a high level (across data centers) or I can zoom in and check compliance for any group of servers that is of interest at that moment.

The reason I got into CFEngine in the first place was to solve configuration drift, and CFEngine sure does that!

[cody-valle]

Thanks @atsaloli! Compliance is a great use case to upgrade to Enterprise, especially with the recent Compliance Reports functionality.

[nickanderson]

Swweeeeeet, I can't wait to get some new CFEngine SWAG.

What problem(s) were you trying to solve?

• Compliance/Consistency
• Knowledge Management

What solution were you using before CFEngine?

I used very early versions of Puppet ~0.20 iirc when I first discovered CFEngine, but it was a few years before I decided I wanted to make the change.

What was the impact CFEngine made?

Well-intentioned admins stopped creating configuration drift.

Changes could be made very quickly.

We never wondered how something was supposed to be configured, who cared about it, or why various changes were made (because version control).

It was easier to manage the management software.

What was your favorite feature of CFEngine?

Am I really limited to just one? CFEngine can do so much given so little.

The things that really drew me to CFEngine were the knowledge management aspects, small footprint, and wide platform portability.

I really liked being able to inject things like who cared (Business unit, email address etc …) about a given promise in a structured way. I hadn't ever seen a system that had this as part of the specification. It was very satisfying when working with very old infrastructure to know that this documentation about how the infrastructure was supposed to be, why, and who cared was accurate (because it's being run every 5 minutes) unlike a wiki or some detracted documentation that tends to become out of date with the next change in behavior. Very low effort to update comments and metadata on active policy than to chase down whatever the current information store is (i recall an organization where I had multiple old versions of different wiki software locally to try and figure out how things were supposed to be, not all info gets ported from one to the next, not all info gets updated as people make changes to the actual infrastructure, etc ….).

CFEngine has a really small footprint on an individual node and it's fast. Architecturally it's simple. I really didn't want to have a bunch of infrastructure to manage my infrastructure. I wanted something that more or less stays out of my way and does its thing, doesn't need me to pamper the infrastructure that supports the tooling.

When I got started with CFEngine I had very many different operating systems and versions of each operating system to manage. I liked how easy it was to get CFEngine running the same version of the software on many different platforms, and that I didn't have to run the same version for things to work.

In the more recent past, a favorite feature for me has been integration with org-mode, shameless plug for ob-cfengine3.

[basvandervlies]

What problem(s) were you trying to solve?

As Sys Admin I managed a lot of machines for our Visualization Lab (Silicon Graphics). We had all kind of scripts written in shell, Perl, Python and C to see if the systems were up and running. This was our first framework and I wanted to have a better one that could do a better job in automatisation, configuring and monitoring the system. That is why I started with CFengine version 1

What solution were you using before CFEngine?

At that time 1996 CFengine was the only one. That is why I started with CFengine and made a lot of contributions to the project. When CFengine 3 was released we have looked at the other tools like Puppert/Chef. Because CFengine 3 was a radical change compared to version 1 and 2. After some experiments we decided to keep on using CFengine as it its light weighted and we liked the push/pull model. We have our own framework and build an open source library for managing services like apache. As today we are experimenting with the SALT beacons/reactor/event framework to have an event driven setup. So one host can trigger an action on other host(s), the action can be to start CFengine.

What was the impact CFEngine made?

we started small with a few hosts and now maintaining our HPC clusters and Office Automation (LInux/Unix). It has done a great job at reducing our workload and that hosts are compliant.

What was your favourite feature of CFEngine?

My favourite feature is the multiple augments aka def.json in combination with mustache/json functions. This allow us to build a framework for easy service management. It gave us the ability to configure the services with external JSON data instead of editing CFengine configuration files. Now less experience people can change service properties.

Further I am looking at the custom promise development, That is really a nice development.

[cody-valle]

Thank you @basvandervlies. I think you may give @nickanderson a run for his money as a CFEngine historian. :) If you email me ([email protected]) and include your t-shirt size, I will make sure to get some SWAG to you soon.

[nickanderson]

Oh, there is not even a competition there. I am way newer to CFEngine than many people in the community. from the top of my head it's easy to name several people @neilhwatson @zzamboni @tzz @basvandervlies @atsaloli @skreuzer @brontolinux and many others whos github names I don't know!

[zzamboni]

What solution were you using before CFEngine?

When I started working as a sysadmin during college, I read the original CFEngine paper A Site Configuration Engine, published in the Usenix Computing Systems journal (I had the physical journal isssue - yes, back when those things were still printed and distributed on paper!). I remember being fascinated by it, but never got a chance to use it.

Fast forward 14 years, hearing of CFEngine here and there but never having used it. I was working as a consultant, I was appalled to see a junior sysadmin that had the unenviable task of sitting on the floor of a data center, connected via an Ethernet cable to a server rack, connecting manually to >100 VMs that had just been created, and configuring them one by one, by hand. It was then that I started looking into CFEngine.

What was the impact CFEngine made?

By using CFEngine, I was able to help my employer at the time finish deployments like the one I have witnessed in a much shorter time and with fewer mistakes.

CFEngine also enabled me to publish my first book, now Learning CFEngine, and to work for a while with the brilliant people at CFEngine :)

[cody-valle]

Thank you @zzamboni. Your book is great and I personally recommend it all the time! If you send me an email ([email protected]) with your t-shirt size, I will send some SWAG your way.

[Hoekstraa]

Introduction

Hello, I'm a Dutch IT student, for quite a few years now. I have a lot of projects related to system administration and programming.
These projects, even though they are usually small in scope, need to be managed in terms of systems.

What problem(s) were you trying to solve?

From the start of my career, I wanted to make system administration as easy as possible.
Be smart and lazy, as they say. When I started out, I'd build a system and leave it running for a while. But due to school and the amount of projects, I wouldn't have time to keep everything up to date and remember exactly what each system did and have installed. Now, usually you'd say, go document it all, but again, I wanted to be smart and lazy. Documentation becomes out of date quickly and is almost never an accurate, complete representation of your systems. So I went looking for automation.

What solution were you using before CFEngine?

I tried a few different configuration management tools, but none of them were satisfactory.
Chef for example requires quite a lot of resources (which I can't afford) and Ansible is only really suitable for push-configurations.
So before really settling on CFEngine, I'd do my configuration by hand.

What was the impact CFEngine made?

Due to CFEngine requiring so few resources, I have it running everywhere I can.
Everything from a Raspberry Pi through laptops, to servers.
CFEngine itself is rock-solid and once you know the syntax of it, it is very easy to deploy and use.

What was your favorite feature of CFEngine?

Through the use of CFEngine, I can rest easy, knowing my systems are kept in check.
I can go back to the configuration, tweak it, and know that everything is synchronized.

For me it is worth so much to be able to prove my systems are correct and safe.
There is never any old cruft on my systems, because I know to the tee what is running on them.

[cody-valle]

Thanks @JanSHoekstra! It's great to hear that you're using CFEngine across all types of devices. The fact that it's so lightweight has led to some really cool use cases. Send me a quick email ([email protected]) and I will get some SWAG to you.

[andrewbulin]

What problem(s) were you trying to solve?

General automated configuration management in a sane way, pulled not pushed, and with less custom scripts which often are at risk of being too niche abandoned, and the little resource consumption required while always being on and active.

What solution were you using before CFEngine?

A lot of cloud-init customizations and bash-ing, handcrafting images, some ansible or puppet, copy-paste setup scripts from wikis used on a need-to basis, etc. (quite hodge-podge depending on the situation).

What was the impact CFEngine made?

I can take a uniform approach to configuration management no matter the need, applying much detail for well thought-out, specifically purposed environments, or basic setup of general environments where I expect certain things just to be there and "just work." I can sleep easier. :^)

What was your favorite feature of CFEngine?

The total automation and independent nature of CFEngine when disconnected from the policy hub is something I can get enough of. I rest easier knowing systems keep standards and configuration, can "check-in" periodically, and this being an okay scenario. I'm also curious and eager to see how I might go about pairing CFEngine with today's container orchestration offerings. Much of that world seems to me to be an all or nothing hands-on push-based approach, requiring me to compromise how I would prefer to manage systems.

(A bonus "feature" I love about CFEngine: I've been reading some of my personal wiki notes on CFEngine from nearly 10 years ago, and I'm surprised how much has remained relevant!)

[cody-valle]

Thank you @andrewbulin! Glad to have you here! If you send me an email ([email protected]), I will send out some SWAG to you.