This talk introduces the new CFEngine 3.6 features. The topics covered are:
User promises
TLS protocol
Math expressions
Dynamic inputs
New language functions
Tags
Data containers
File templating
Presentation by Kristian Amlie of CFEngine
4. User promises
• A new promise type
• Manage local users on hosts
• Make promises about user characteristics
  • UID
  • Group membership
  • Home directory
  • Password
  • Shell
  • Description
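A complete users promise covering the characteristics listed above, added here as an example (it is not from the slides). The hash value is a constructed placeholder, and the password body is a local copy of the shape the standard library uses, so the policy loads on its own:

```cfengine
body common control
{
  bundlesequence => { "service_accounts" };
}

# Same shape as the standard-library body of this name; repeated here so
# the example loads without the stdlib.
body password hashed_password(hash)
{
  format => "hash";
  data   => "$(hash)";
}

bundle agent service_accounts
{
  vars:
    # Constructed placeholder, not a real hash: generate a crypt(3)
    # SHA-512 hash out of band and keep only the hash in policy, never
    # the plaintext.
    "deploy_hash" string => "$6$PLACEHOLDERSALT$PLACEHOLDERHASH";

  users:
    "deploy"
      policy           => "present",
      uid              => "1050",
      group_primary    => "users",
      groups_secondary => { "adm" },
      home_dir         => "/srv/deploy",
      shell            => "/bin/bash",
      description      => "Deployment service account",
      password         => hashed_password("$(deploy_hash)");

    # Offboarded account: "locked" keeps the uid and file ownership intact
    # while preventing logins; "absent" would remove the account instead.
    "olduser"
      policy => "locked";
}
```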
7. TLS protocol
• Industry standard security protocol
• All traffic is fully encrypted
• Transparent to the user
• Old protocol
  • Deprecated, but still supported
  • Can be turned off after upgrade is complete
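How the switch-off looks in policy, added as an example that is not from the slides. protocol_version and allowlegacyconnects are 3.6 control-body attributes; the client addresses are constructed, and treating an empty allowlegacyconnects list as "refuse the old protocol from everyone" is an assumption to verify against the release notes:

```cfengine
body common control
{
  # Agent side: negotiate TLS only. "1" (or "classic") would select the
  # pre-3.6 protocol; "latest" picks the newest the agent supports.
  protocol_version => "2";
}

body server control
{
  # Hub side, mid-upgrade: the old protocol is accepted only from the
  # hosts that have not been upgraded yet (constructed addresses).
  allowlegacyconnects => { "10.80.80.50", "10.80.80.51" };

  # Hub side, upgrade complete: replace the list above with an empty one
  # so no client can fall back to the pre-3.6 protocol.
  # allowlegacyconnects => { };
}
```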
9. Math expressions
• New math evaluation function: eval()
• Works on strings
• String contains expression to evaluate
• Example: eval("ceil($(sys.cpus) / 4)")
• Previously required shell script
10. Math expressions
• Accepts common math operators: +, -, *, /
• Some less common ones too: ^, **, %
• Many common math functions
  • ceil, floor, log10, log2, log, sqrt, sin, cos, tan, asin, acos, atan, abs, step
• Mathematical constants
  • e, log2e, log10e, ln2, ln10, pi, pi_2, pi_4, 1_pi, 2_pi, 2_sqrtpi, sqrt2, sqrt1_2
• SI-units: K, M, G, T, P
12. Dynamic inputs
• 3.5:
  • Input files can only be defined in promises.cf
  • Inconvenient; all file additions require editing promises.cf
• 3.6:
  • file control bodies can contain input files
  • Body can be specified once per file
  • body file control {
      inputs => { "input_file.cf" };
    }
13. Dynamic inputs - Example
• promises.cf
    body common control {
      inputs => { "input_file.cf" };
    }
• input_file.cf
    body file control {
      inputs => { "nested_input_file.cf" };
    }
15. New language functions
• findfiles(glob1, glob2, ...)
  • Returns a list of files that match the glob patterns
• makerule(target, sources)
  • Determines whether target needs to be rebuilt from sources
  • Inspired by the Unix make program
• packagesmatching(...)
  • Returns a list of installed packages
  • List can be filtered by name, version and architecture
16. New language functions
• canonifyuniquely(text)
  • Converts a string into a legal class name
  • Unlike canonify, the name is guaranteed to be unique
  • Useful when making class names from a list of files
• bundlesmatching(regex, tag1, ...)
  • Returns bundles matching the criteria
  • Result can be used in a methods promise
  • Very powerful together with findfiles
17. bundlesequence - Example
    bundle common global {
      vars:
        "policies" slist => findfiles("/var/cfengine/inputs/*.cf");
        "bundles"  slist => bundlesmatching(".*", "production");
    }

    body common control {
      inputs         => { @(global.policies) };
      bundlesequence => { @(global.bundles) };
    }
18. New language functions
• Plenty of others
  • data_readstringarray
  • data_readstringarrayidx
  • datastate
  • datatype
  • getclassmetatags
  • getvariablemetatags
  • max
  • mean
  • mergedata
  • min
  • parsejson
  • readjson
  • storejson
  • string_downcase
  • string_head
  • string_length
  • string_reverse
  • string_tail
  • string_upcase
  • variablesmatching
  • variance
20. Tags
• Labels that you can attach to bundles and promises
• Certain functions can filter based on tags
  • bundlesmatching
  • classesmatching
  • variablesmatching
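Tagging in practice, as an added example that is not from the slides: it shows the meta promise that gives a bundle the "production" tag the bundlesequence example relies on, a promise-level tag on a variable, and how the tag filter keeps an untagged bundle from being scheduled. Bundle and variable names are made up for the example:

```cfengine
body common control
{
  bundlesequence => { "run_production" };
}

bundle agent audit_logging
{
  meta:
    # Bundle tags live on the reserved "tags" slist of the meta promise type
    "tags" slist => { "production", "security" };

  reports:
    "audit_logging ran on $(sys.fqhn)";
}

bundle agent scratch_experiment
{
  meta:
    "tags" slist => { "testing" };

  reports:
    "scratch_experiment must never run from the production sequence";
}

bundle agent run_production
{
  vars:
    # Promise-level tag: a meta attribute on the promise itself
    "policy_release" string => "2014-06", meta => { "inventory" };

    # Only bundles tagged production are scheduled, so scratch_experiment
    # is skipped even though it is loaded from the same inputs.
    "to_run" slist => bundlesmatching(".*", "production");

    # Fully qualified names of every variable tagged inventory
    "inventory_vars" slist => variablesmatching(".*", "inventory");

  methods:
    "$(to_run)"
      usebundle => $(to_run);

  reports:
    "scheduled: $(to_run)";
    "inventory variable: $(inventory_vars)";
}
```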
24. Data containers
• Can read JSON files
  • readjson(filename, maxbytes)
• Or fields from a text file
  • data_readstringarray(filename, comment, split, maxentries, maxbytes)
  • data_readstringarrayidx(filename, comment, split, maxentries, maxbytes)
• Convert back to JSON
  • storejson(data_container)
25. Data containers - Example
• records.txt:
    joe,/nfs/home/joe,Joe Smith
    jack,/home/jack,Jack Jensen
• Resulting JSON after data_readstringarrayidx:
    [
      [ "joe", "/nfs/home/joe", "Joe Smith" ],
      [ "jack", "/home/jack", "Jack Jensen" ]
    ]
26. Data containers - Example
• records.txt:
    joe,/nfs/home/joe,Joe Smith
    jack,/home/jack,Jack Jensen
• policy.cf:
    bundle agent main
    {
      vars:
        "users" data  => data_readstringarrayidx("records.txt", "", ",", 10, 4000);
        "index" slist => getindices("users");

      users:
        "$(users[$(index)][0])"
          home_dir    => "$(users[$(index)][1])",
          description => "$(users[$(index)][2])",
          policy      => "present";
    }
28. File templating
• New templating engine: Mustache
• Based on the Mustache templating language
  • http://mustache.github.io/
29. File templating - Example
• promises.cf:
    bundle agent main
    {
      files:
        "/etc/motd"
          edit_line     => motd_edit,
          edit_defaults => empty;
    }

    bundle edit_line motd_edit
    {
      insert_lines:
        "Welcome to this CFEngine managed machine.";
        "This machine pulls policy from $(sys.policy_hub).";
    }
• Result:
    Welcome to this CFEngine managed machine.
    This machine pulls policy from 10.80.80.1.
30. File templating - Example
• promises.cf:
    bundle agent main
    {
      files:
        "/etc/motd"
          edit_template   => "template.mustache",
          template_method => "mustache";
    }
• template.mustache:
    Welcome to this CFEngine managed machine.
    This machine pulls policy from {{vars.sys.policy_hub}}.
• Result:
    Welcome to this CFEngine managed machine.
    This machine pulls policy from 10.80.80.1.
31. Miscellaneous
• cf-serverd allows distinct key/IP/hostname access controls
• New "shortcut" constraint in server policy allows non-absolute paths in copy_from promises
• New log format
• Many new built-in variables:
  • sys.uptime, sys.masterdir, this.promiser_ppid, ...
• LMDB replaces Tokyo Cabinet as database backend
• Calls to execresult and returnszero are now cached instead of executing repeatedly
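The key/IP access controls and the shortcut constraint together, as an added example (not from the slides). The key digest is a placeholder to be replaced with the client's real one, the network and the quarantined host are constructed, the hub address is the one shown in the templating slides, and the depth_search body is a local stand-in for the stdlib one:

```cfengine
# Hub side (cf-serverd policy)
bundle server access_rules
{
  access:
    # Policy tree: only a client whose key digest is pinned may read it.
    # The shortcut lets clients name it "masterfiles", so the hub's
    # directory layout never appears in client policy.
    "/var/cfengine/masterfiles"
      shortcut   => "masterfiles",
      admit_keys => { "SHA=PLACEHOLDER_CLIENT_KEY_DIGEST" };

    # Less sensitive data: admitted by network, one quarantined host denied
    "/var/cfengine/shared"
      shortcut  => "shared",
      admit_ips => { "10.80.80.0/24" },
      deny_ips  => { "10.80.80.99" };
}

# Client side: a non-absolute source resolves to the hub's shortcut
body copy_from from_hub_shortcut(remote_name, hub)
{
  source           => "$(remote_name)";
  servers          => { "$(hub)" };
  protocol_version => "2";
  compare          => "digest";
  trustkey         => "false";   # never learn an unknown hub key on the fly
}

body depth_search all_levels
{
  depth => "inf";
}

bundle agent update_policy
{
  files:
    "/var/cfengine/inputs"
      copy_from    => from_hub_shortcut("masterfiles", "10.80.80.1"),
      depth_search => all_levels;
}
```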