"Stateless Linux" project
Carwyn Edwards
carwyn at carwyn.com
Thu Sep 23 22:09:43 UTC 2004
Josh England wrote:
> LCFG does indeed sound like a highly capable configuration deployment
> engine (how does it compare with cfengine, in your opinion?).
They are very similar in terms of what happens - central configuration
is "enacted" in some way on the clients via a number of agents. But
their methods and models differ somewhat.
LCFG (there are others that can explain cfengine better) for example is
entirely declarative in terms of the central database. Nothing
procedural is encoded in the profile for a machine as doing so means
having to deal with ordering of configuration changes (A->a->B->b->C vs
A->C, where upper = states and lower = transitional procedures). It's
left to the agents to work out the procedures, making disconnected
operation simpler (it doesn't matter if a laptop misses the update from
A to B as A->B->C "should" give you the same as A->C). Procedural models
often mean that all the intermediary transformations have to be applied.
One thing that is particularly powerful about LCFG is the idea of
spanning maps. Client configuration descriptions can export collections
of information into a global namespace that other components can then
subscribe to. For example in the client config for the web server I'd put:

    firewall.holes 80 443

.. then because the schema for the firewall component says that the
"holes" property is to be a member of a spanning map, on the firewall
host itself the firewall component automatically gathers the information
and opens the holes. The definition of the "hole" though is in the same
config file as the configuration for the web server.
This can be extended to:

    # In a file called i-want-to-be-a-web-server.h
    apache.port 80
    firewall.holes <%apache.port%> # reference to above.

.. then in the source profile for each member of a web cluster:

    #include <i-want-to-be-a-web-server.h>

As soon as I write the file packets fly all over the place and a few
seconds later the firewall has holes to all the machines in the cluster
on port 80. Edit i-want-to-be-a-web-server.h to add 443, write it and
again a few seconds later you have those holes too. If we add an extra
gateway firewall for redundancy it can be told to subscribe to that
particular map and add the holes too.
We can do the same for which rpms are installed on machines. One minute
a lab full of machines could be a fedora minimal install, a few mins
later they are all members of a beowulf cluster, software installed and
configuration applied (assuming you've prepared the config template
earlier obviously). Uninclude the header file for being in the beowulf
and a few mins later again they are back to being fedora minimal installs.
Part of the research effort here is to extend this idea so that the
description is even more abstract. I.e. be able to take a group of
machines and write the equivalent of:
"I want a workgroup setup with a file server, web server, firewall and
special laptop to control the bluetooth light in the fishtank."
The configuration engine should then go off and work out which machine
the printer is connected to, which one is the laptop and just make it
all happen (I did say research effort!).
Carwyn
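
Added example, not part of the original post and not LCFG code: a toy Python model of the spanning-map idea above, in which each client profile exports `firewall.holes` and the firewall host derives its open ports from the collected map, computing the transition from current and desired state only. The host names, function names and the simplified parser (only `key value` lines and `<%key%>` references, no `#include` handling) are assumptions made for illustration.

```python
import re

# Constructed sample input: the two resource lines shown in the post.
HEADER = "apache.port 80\nfirewall.holes <%apache.port%>  # reference to above\n"
PROFILES = {"web1": HEADER, "web2": HEADER, "desk1": ""}  # hypothetical hosts

REF = re.compile(r"<%([\w.]+)%>")

def parse_profile(text):
    """Parse 'key value...' lines into {key: [values]}, resolving <%key%> references."""
    raw = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line:
            key, _, value = line.partition(" ")
            raw[key] = value.strip()

    def resolve(value, seen):
        def sub(match):
            ref = match.group(1)
            if ref in seen or ref not in raw:  # reject cycles and dangling references
                raise ValueError(f"bad reference: {ref}")
            return resolve(raw[ref], seen + (ref,))
        return REF.sub(sub, value)

    return {k: resolve(v, (k,)).split() for k, v in raw.items()}

def spanning_map(profiles, key="firewall.holes"):
    """Collect what every client exports under `key` as a set of (host, port)."""
    holes = set()
    for host, text in profiles.items():
        for port in parse_profile(text).get(key, []):
            holes.add((host, int(port)))
    return holes

def plan(current, desired):
    """Agent side: derive the change from the two states alone, with no ordered change log."""
    return {"open": sorted(desired - current), "close": sorted(current - desired)}

if __name__ == "__main__":
    state_b = spanning_map(PROFILES)
    edited = {h: t.replace("<%apache.port%>", "<%apache.port%> 443") for h, t in PROFILES.items()}
    state_c = spanning_map(edited)
    print(plan(set(), state_b))    # firewall that saw the first profile version
    print(plan(set(), state_c))    # firewall that missed it and goes straight to the latest
    print(plan(state_c, set()))    # header un-included everywhere: every hole is closed
```

Because the firewall's rule set is a pure function of the collected map, a rule that no profile exports any more shows up in `close`, so removing a host's header also removes its exposure.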