cfengine



Releasing 1.6.3
In version 1.6.3 of cfengine, there is an important upgrade to use BerkeleyDB version 3. The new Berkeley databases are NOT compatible with the old ones, but new GNU/Linux distributions are shipping with the new databases. There is no way around this: everyone has to upgrade, and this happens in 1.6.3. In addition to recompiling cfengine, you must use a different database file, since the data format itself has changed.
Cfengine 2 workshop
This will be held at LISA2001 in San Diego, USA, December 2001. Everyone interested in discussing and learning about the plans for cfengine 2 is welcome to sign up by visiting the conference site at USENIX.
SANS CAUTH security alert
A buffer overflow problem in the cfd daemon could lead to a denial of service attack. In some versions it could be possible to execute arbitrary code. This does not apply to cfengine, only the daemon cfd.

Version 1.6.0.a11 is an alpha snapshot of cfengine 1.6.0 which fixes all known vulnerabilities. All users are recommended to upgrade to this version. This version is fully compatible with cfengine/cfd version 1.5.x. It is compatible with cfengine version 1.x.x, but versions of cfd prior to 1.5.x are not compatible and should be upgraded with care.

Cfengine 2
After the release of 1.6.0, later this year, there will be large changes to cfengine. I intend to review
 syntax
 program flow
 extensibility
 communication with other software/the system
In order to improve on cfengine, and still preserve its important features, it will be necessary to make radical changes to some of the internals, particularly parsing. I would therefore welcome suggestions for changes/improvements. Please think about this and, when you have thought VERY carefully about all of the ramifications, let the list know your ideas. Note: I am not thinking about new options to existing commands here, but major changes to modus operandi.

Before submitting your idea, ask yourself: is this something general for everyone, or some weird thing that I would like for myself? I will be the final adjudicator of what cfengine 2 will be like.

At the end of August I shall be inviting interested parties to take part in a meeting to discuss the plans for cfengine 2. So put your thinking caps on and think carefully before replying.

I am open to all suggestions, but my first priority is to preserve cfengine as a tool for research.

New documentation project for cfengine, Feb 18, 2000
Contribute your own hints and tips for other users, in a searchable index. Here's how. Or write an article about some special topic to add to the documentation.
Cfengine version 1.5.4 released 1 Feb 2000
Several security issues dealt with, such as improved protection from denial of service attacks.
Cfengine version 1.5.0 released
This version of cfengine focusses on security and efficiency. Several new features have been added to network communication by cfd: Other things, like Tripwire functionality for MD5 checksums, have been added for convenience.
Upgrading
Please be careful installing this version of cfengine, even if you have been following the beta versions. There are changes in threading policy and protocol which make remote file transfers much more efficient and reliable with cfd. The new threading policy makes it impossible to support the old protocol simultaneously. If you rely on cfd for all copying, then upgrading should be done with caution. If you only have a few hosts, upgrading by hand should not be difficult, but if you have many, you might want to think about this: Here are some hints for a safe upgrade. This should take care of all hosts which are alive. If any hosts are down, they will not be upgraded and they will not be able to speak to cfd when they come up again, unless they read cfengine from an NFS server.
NT
The port to NT has been done with my two students: Bjoern Gustafson and Joergen Kjensli. Cfengine 1.5.0 will compile and run on Windows NT, if you have the cygwin32 Free Software installed. Some documentation about the port will be available soon, including tips on the configuration of cygwin. Cfengine can set ACLs on files, but will not work correctly on directories yet. This will be fixed shortly, along with some reasonable documentation. We have not had sufficient opportunity to test cfengine on NT, at the College, since we do not use NT for any real tasks, so please treat this as beta quality software and work somewhat defensively. It should be possible for us to test it more next year.
Regular expressions
As of 1.5.0 cfengine requires a POSIX regular expression library. In most modern systems this will work automatically, but on old legacy systems it might cause problems compiling. If your host does not support regcomp() and regexec(), regex.h, you should collect the GNU regular expression library (excerpted from the C library)
 rx-1.5.tar.gz
or later. This should cure the problem. On Solaris machines I have experienced trouble with header files getting mixed up: rxposix.h and regex.h. You should probably not install the GNU library on a Solaris machine, where the regex library seems to work well. On NT with the cygwin32 library, it was necessary to compile GNU librx on the system. The existing regex functions compiled but did not work.
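An added example, not part of cfengine or of the original page: a small C self-test that checks whether the host's regcomp() and regexec() return correct results at run time, not merely whether they compile, which is the failure described above for cygwin32. The names rx_case, rx_check and rx_selftest, and the patterns and subject strings, are constructed for this illustration.

```c
/* Added example (not cfengine code): self-test of the host's POSIX regex library. */
#include <regex.h>
#include <stdio.h>

/* One constructed case: pattern, subject, expected outcome and whole-match span. */
struct rx_case {
    const char *pattern, *subject;
    int should_match;
    int start, end;              /* expected offsets; ignored when no match is expected */
};

static const struct rx_case CASES[] = {
    { "^cf[a-z]+$",      "cfengine",       1, 0, 8  },
    { "[0-9]+\\.[0-9]+", "version 1.5 ok", 1, 8, 11 },
    { "(sun|hp)os",      "hpos",           1, 0, 4  },
    { "^linux$",         "gnulinux",       0, 0, 0  },
};

/* Returns 0 when regcomp()/regexec() produce the expected answer for one case. */
int rx_check(const struct rx_case *c)
{
    regex_t re;
    regmatch_t m[1];
    int rc, ok;
    if (regcomp(&re, c->pattern, REG_EXTENDED) != 0)
        return -1;               /* the library rejected the pattern */
    rc = regexec(&re, c->subject, 1, m, 0);
    if (c->should_match)         /* must match AND report the right span */
        ok = (rc == 0 && m[0].rm_so == c->start && m[0].rm_eo == c->end);
    else
        ok = (rc == REG_NOMATCH);
    regfree(&re);
    return ok ? 0 : -1;
}

/* Runs every case and returns the number of failures (0 means usable). */
int rx_selftest(void)
{
    size_t i;
    int failures = 0;
    for (i = 0; i < sizeof CASES / sizeof CASES[0]; i++)
        if (rx_check(&CASES[i]) != 0) {
            fprintf(stderr, "regex self-test failed: %s\n", CASES[i].pattern);
            failures++;
        }
    return failures;
}

int main(void) { return rx_selftest() == 0 ? 0 : 1; }
```

A non-zero exit status means the library linked but misbehaves, so the build should be pointed at a different regex library before cfengine is compiled against it.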
DES Encryption
You can arrange to encrypt transferred files by symmetric cipher, if you have the SSLeay-0.9.0 libraries installed. The secure=true option instigates encrypted transfer. A new program cfkey can be used to generate a key file
cfkey > /var/run/cfengine/keys
cfkey > /etc/cfengine/keys
which must then be distributed to all participating hosts. The server can REQUIRE hosts to perform encrypted transfer with secure=true in cfd.conf.
Known bugs
The handling of the network interface has grown increasingly difficult. Apart from the fact that the internet sockets and ioctl calls are amongst the ugliest, actually disgusting, APIs I have ever encountered, many OSes are going over to routing sockets which I do not know anything about, so this will have to wait. If anyone who understands the new route structures for routing sockets would like to send me a patch to read and set routes, netmasks and broadcast addresses, I would be for ever grateful.

--Mark



Copyright (C) 2001 Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA

Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.

Updated: $Date: 2001/07/20 07:06:26 $ $Author: brett $