Cfengine
1. Cfengine overview

Cfengine is a useful tool that makes configuring and maintaining Unix computer systems remarkably easy. Cfengine is a stand-alone set of tools that configures and manages computers according to the instructions in its configuration files. The configuration files are written in a high-level language that is easy to learn and use, and they define the attributes appropriate to the various system components (no programming is required). In this way Cfengine can automatically configure many systems so that each one matches the defined configuration specification. It can also keep monitoring the systems and adjust their configuration as needed.

2. What you can do with Cfengine
3. Program components

cfagent: the main utility, which applies the configuration files to the local system
cfrun: utility that applies the configuration files to remote systems
cfservd: server process that supports cfrun. It makes the Cfengine agent functions available from a remote system.
cfexecd: daemon that automates job scheduling, reporting and so on
cfenvd: problem detection daemon
cfkey: security key generation utility

For each host, the work that cfagent should do is defined in advance. This lets you automate system administration one server at a time. But that is probably not what we want. You can put the required files on a central management server and have each server fetch them from it, or you can run cfagent on each system remotely from the central management server. The central management server connects to each host with cfrun; for this, cfservd must be running on each host.
cfexecd is used on each host in the same way as cron.
cfkey is the security key generation utility; run it on each host that is to be managed. The central management server and each host communicate using these keys (a private key/public key scheme).
cfservd must be running on the server so that the target computers can fetch files from the master server.
On the target computers, run cfagent either manually or automatically (using cfexecd or cron).
4. Before you start

Each host must have a hostname; a DNS lookup of that name must return an IP address, and a query for that IP address must return the same hostname.
Usually hostname -> ip is set up on the name server, but ip -> hostname is often not set up in DNS. In that case every host name must be entered in /etc/hosts.
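An added example (not part of the original page) that checks the requirement above for every host in a cfrun.hosts file: the name must resolve to an address, and that address must resolve back to the same name. The host list, the 192.0.2.x addresses and the fake resolvers are constructed so that it runs offline, and the cfrun.hosts parsing is simplified to skipping comments and key=value lines.

```python
import socket

# Constructed sample data so the example runs offline; these are not real DNS records.
CFRUN_HOSTS = """\
domain=tunelinux.pe.kr
cent.tunelinux.pe.kr
cent2.tunelinux.pe.kr
techlab.tunelinux.pe.kr
"""
FORWARD = {"cent.tunelinux.pe.kr": ["192.0.2.10"], "cent2.tunelinux.pe.kr": ["192.0.2.11"]}
REVERSE = {"192.0.2.10": "cent.tunelinux.pe.kr", "192.0.2.11": "localhost.localdomain"}

def fake_forward(host):            # same return shape as socket.gethostbyname_ex
    if host not in FORWARD:
        raise socket.gaierror("Name or service not known")
    return host, [], FORWARD[host]

def fake_reverse(ip):              # same return shape as socket.gethostbyaddr
    if ip not in REVERSE:
        raise socket.herror("Unknown host")
    return REVERSE[ip], [], [ip]

def parse_cfrun_hosts(text):
    """Host names in cfrun.hosts text; comments and key=value option lines are skipped."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and "=" not in line:
            hosts.append(line.split()[0])
    return hosts

def check_host(host, forward=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    """Return 'ok' when name -> IP -> name round-trips, else the reason it does not."""
    try:
        addrs = forward(host)[2]
    except OSError as exc:
        return f"forward lookup failed: {exc}"
    want = host.lower().rstrip(".")
    for ip in addrs:
        try:
            name, aliases, _ = reverse(ip)
        except OSError as exc:
            return f"reverse lookup of {ip} failed: {exc}"
        if want not in {n.lower().rstrip(".") for n in (name, *aliases)}:
            return f"{ip} resolves back to {name}"
    return "ok"

def check_all(text, forward=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    return {h: check_host(h, forward, reverse) for h in parse_cfrun_hosts(text)}

if __name__ == "__main__":
    for host, result in check_all(CFRUN_HOSTS, fake_forward, fake_reverse).items():
        print(f"{host:28} {result}")
```

On a real network, pass the contents of /var/cfengine/inputs/cfrun.hosts to check_all and leave the resolver arguments at their defaults.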
5.1. Installing from source

Download from http://www.cfengine.org/pages/download
First, verify the integrity of the source with md5sum.
Unpack the source.

    # ./configure --prefix=/usr/local/cfengine   (by default it installs to /usr/local)
    # make
    # make check   (self test)
    # make install

Two development packages are needed for the installation.
Berkeley Database obtainable from http://www.sleepycat.com
OpenSSL obtainable from http://www.openssl.org
On RHEL and CentOS, db4-devel and openssl-devel are required.

    # yum -y install db4-devel openssl-devel

The installed files are listed below. They are installed under /usr/local/cfengine.

    > ./sbin/cfagent
    > ./sbin/cfservd
    > ./sbin/cfrun
    > ./sbin/cfkey
    > ./sbin/cfenvd
    > ./sbin/cfenvgraph
    > ./sbin/cfexecd
    > ./sbin/cfshow
    > ./sbin/cfetool
    > ./sbin/cfetoolgraph
    > ./sbin/cfdoc
    21a33,57
    > ./share/cfengine
    > ./share/cfengine/cfengine.el
    > ./share/cfengine/cf.chflags.example
    > ./share/cfengine/cf.freebsd.example
    > ./share/cfengine/cf.ftp.example
    > ./share/cfengine/cf.groups.example
    > ./share/cfengine/cf.linux.example
    > ./share/cfengine/cf.main.example
    > ./share/cfengine/cf.motd.example
    > ./share/cfengine/cf.preconf.example
    > ./share/cfengine/cf.services.example
    > ./share/cfengine/cf.site.example
    > ./share/cfengine/cf.solaris.example
    > ./share/cfengine/cf.sun4.example
    > ./share/cfengine/cf.users.example
    > ./share/cfengine/cfservd.conf.example
    > ./share/cfengine/cfagent.conf.example
    > ./share/cfengine/cfagent.conf-advanced.example
    > ./share/cfengine/update.conf.example
    > ./share/cfengine/cfrc.example
    > ./share/cfengine/cfrun.hosts.example
    > ./share/cfengine/README
    > ./share/cfengine/ChangeLog
    > ./share/cfengine/INSTALL
    > ./share/cfengine/NEWS

5.2. Using RPM

    # cd /usr/src/redhat/SPEC
    # rpmbuild -ba --target i686 cfengine.spec

    # rpm -ivh http://cfengine.tunelinux.pe.kr/tune/4.4/i386/RPMS/cfengine-2.1.21-2.i686.rpm

6.1. Initial configuration and testing
6.2. Master server configuration
6.2.1. cfagent.conf

    ##################################################
    #
    # cfagent.conf
    #
    # This is a simple file for getting started with
    # cfengine. It is harmless. If you get cfengine
    # running with this file, you can build on it.
    #
    ##################################################

    ###
    #
    # BEGIN cfagent.conf (Only hard classes in this file )
    #
    ###

    classes:

       # cfengine master server
       master_server = ( cfengine.tunelinux.pe.kr )

       # server group
       testingservers = ( cent.tunelinux.pe.kr cent2.tunelinux.pe.kr )
       #testingservers = ( cent2.tunelinux.pe.kr )
       webhosting = ( cent.tunelinux.pe.kr )
       mailhosting = ( '/usr/bin/test -d /var/qmail' )
       dnshosting = ( '/usr/bin/test -f /etc/named.conf' )
       dnsservers = ( '/usr/bin/test -f /etc/named.conf' )
       intraservers = ( cfengine.tunelinux.pe.kr intranet.tunelinux.pe.kr project.tunelinux.pe.kr )
       #intra_ip_range = ( IPRange(111.112.137.1-100) )
       intra_ip_range = ( IPRange(111.112.137.0/24) )

       # tune servers
       tuneservers = ( testingservers webhosting mailhosting dnshosting intraservers intra_ip_range )

       # specific server
       centosservers = ( '/usr/bin/test -d /usr/share/doc/centos-release-4' )
       cfengineservers = ( '/usr/bin/test -f /usr/sbin/cfagent' )
       yumservers = ( '/usr/bin/test -f /etc/yum.repos.d/CentOS-Base.repo' )
       techlabservers = ( 111.112.137.141 techlab.tunelinux.pe.kr )

    ##################################################

    control:

       domain = ( tunelinux.pe.kr )
       timezone = ( MET )
       smtpserver = ( localhost ) # used by cfexecd
       sysadm = ( joon@tunelinux.pe.kr ) # where to mail output
       # IfElapsed = ( 0 )
       schedule = ( Hr00 )
       ChecksumUpdates = ( on )

       # cfengine tune repository
       master_files = ( /usr/local/var/cfengine/tune )
       master_server = ( cfengine.tunelinux.pe.kr )

       # html repository
       html_files = ( /var/www/html/tune )

       # security check
       SpoolDirectories = ( /var/spool/mail /var/spool/cron )
       WarnNonOwnerMail = ( true )
       WarnNonUserMail = ( true )
       #!techlabservers::
       # NonAlphaNumFiles = ( on )

       actionsequence =
          (
          disable
          copy
          editfiles
          files
          shellcommands
          directories
          tidy
          processes
          )

    ##################################################

    resolve:

       # Add these name servers to the /etc/resolv.conf file
       210.220.163.82 # local nameserver
       210.94.6.67 # backup nameserver

    ##################################################

    # 111.112.137 tune intra
    # 222.239.157 IDC monitor
    # 66.600.5 IDC intra

    editfiles:

       { /etc/crontab
       AppendIfNoSuchLine "* 0 * * * root /usr/bin/rdate -s time.bora.net && /sbin/hwclock -w"
       }

     tuneservers::

       { /etc/security/access.conf
       AppendIfNoSuchLine "-:root:All EXCEPT LOCAL localhost.localdomain 111.112.137. 222.239.157. 66.600.5."
       }

       { /etc/pam.d/sshd
       AppendIfNoSuchLine "account required pam_access.so"
       }

       { /etc/vsftpd/vsftpd.conf
       ReplaceAll "anonymous_enable=YES" With "anonymous_enable=NO"
       DefineClasses "modified_ftp"
       }

     intraservers|intra_ip_range::

       { /etc/aliases
       AppendIfNoSuchLine "root: joon@tunelinux.pe.kr"
       DefineClasses "modified_aliases"
       }

     centosservers::

       { /etc/updatedb.conf
       ReplaceAll "DAILY_UPDATE=no" With "DAILY_UPDATE=yes"
       }

     tuneservers.cfengineservers::

       { /etc/crontab
       AppendIfNoSuchLine "* 0 * * * root /usr/sbin/cfexecd -F"
       }

     intra_ip_range|testingservers::

       { /etc/bashrc
       AppendIfNoSuchLine "alias ll='ls -alF'"
       }

    ##################################################

    copy:

       # Get a file from some trusted server, e.g. password sync
       # To do this, you need to use cfkey to install keys

       # tune yum repository
     tuneservers::

       $(master_files)/tune.repo dest=/etc/yum.repos.d/tune.repo
          mode=644 server=$(master_server)

       # master file copy
     master_server::

       /etc/hosts dest=$(master_files)/hosts
          backup=true
       /usr/local/var/cfengine/inputs/update.conf dest=$(html_files)/update.conf
          mode=644
       $(master_files)/tune.repo dest=$(html_files)/tune.repo
          mode=644 server=$(master_server)

       # iptables
     intra_ip_range|intraservers::

       $(master_files)/intra-iptables dest=/etc/sysconfig/iptables
          mode=600 server=$(master_server) backup=true define=modified_iptables

     testingservers.!master_server::

       $(master_files)/hosts dest=/etc/hosts
          mode=644 server=$(master_server) backup=true

    ##################################################

    files:

     tuneservers::

       # file check
       /tmp mode=ugo-x recurse=inf action=fixall syslog=true inform=true
       /var/tmp mode=ugo-x recurse=inf action=fixall syslog=true inform=true
       /proc mode=700 owner=root action=fixall

       # password
       /etc/passwd mode=644 owner=root action=fixall checksum=md5 syslog=true inform=true
       /etc/shadow mode=600 owner=root action=fixall checksum=md5 syslog=true inform=true
       /etc/group mode=644 owner=root action=fixall checksum=md5 syslog=true inform=true

       #cfengine program file
     cfengineservers::

       /usr/sbin mode=700 owner=root action=fixall include=cf* recurse=inf

    ##################################################

    shellcommands:

       # security check
       # "/usr/bin/find /tmp/ '(' -nouser -o -nogroup ')' "

     tuneservers.yumservers::

       "/bin/rm -f /etc/yum.repos.d/CentOS-*"

     tuneservers.yumservers.Sunday.Hr00::

       "/usr/bin/yum clean all"

     modified_ftp::

       "/etc/init.d/vsftpd restart"

     modified_iptables::

       "/etc/init.d/iptables restart"

     modified_aliases::

       "/usr/bin/newaliases && /etc/init.d/sendmail restart && /sbin/chkconfig --level 345 sendmail on"

     any.Hr07::

       "/usr/bin/rdate -s time.bora.net && /sbin/hwclock -w" timeout=30

    ##################################################

    directories:

       # /tmp mode=1777 owner=root group=root syslog=true inform=true

    tidy:

     #tuneservers.intra_ip_range::
     tuneservers::

       /tmp recurse=inf pattern=* age=7 rmdirs=sub syslog=true inform=true
       /var/tmp recurse=inf pattern=* age=7 rmdirs=sub syslog=true inform=true
       /home recurse=inf pat=core pat=a.out pat=*.o age=1 rmdirs=sub syslog=true inform=true
       # pat=*%
       # pat=#*

    disable:

     tuneservers::

       /root/.rhosts syslog=true inform=true
       /etc/hosts.equiv syslog=true inform=true

    ##################################################

    processes:

       # "xinetd" signal=hup
       # "httpd" signal=kill
       # "cfservd" signal=hup
       # "cexecd" signal=hup

     tuneservers.cfengineservers::

       "cfexecd" restart "/usr/sbin/cfexecd"
       "cfservd" restart "/usr/sbin/cfservd"

    ###
    #
    # END cfagent.conf
    #
    ###

The control section holds the settings that apply to the configuration as a whole.
smtpserver and sysadm make the output of runs started by cfexecd and the like get sent by mail. Specify the SMTP server and the user who should receive the mail.
IfElapsed relates to how cfagent is executed; see the debugging section below.
schedule: when cfexecd is running (it is the program responsible for running cfagent periodically), it is run periodically according to what is set in schedule. cfexecd has no configuration file of its own; it reads the schedule setting in cfagent.conf and runs accordingly. You can either leave cfexecd running or have cron run it.
Classes let you apply policy per group. The hosts listed inside ( ) are looked up in the /etc/hosts file. You can also divide hosts into groups (classes) according to the result of running a particular command.
This is useful when the hosts are hard to classify through /etc/hosts. A class can also contain other classes.
ChecksumUpdates checks the checksums of the files specified in the files section and shows a warning when they differ.
NonAlphaNumFiles checks for directories whose names fall outside ordinary characters, such as ".. ." (?)
Here master_server is an arbitrarily named variable; you can define and use your own variables in the same form.
In files and similar sections, syslog records the change in syslog, and inform reports the information on screen or by e-mail. I could not work out the difference between true and on even after reading the manual.
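An added example, not from the original page: a small evaluator for the class expressions that guard actions in the cfagent.conf above, where "." (or "&") means AND, "|" means OR and "!" means NOT, so that you can list which guarded actions would apply on a given host. The CENT2 class set is a constructed sample, and the function names are this example's own.

```python
import re

def evaluate(guard, defined):
    """Evaluate a class expression such as 'a.!b|c::' against the set `defined`."""
    body = re.sub(r"::\s*$", "", guard.strip())
    toks = re.findall(r"\|\||\w+|[().&|!]", body)
    if "".join(toks) != re.sub(r"\s+", "", body):
        raise ValueError(f"unexpected character in {guard!r}")
    toks = [None] + toks[::-1]            # stack: next token last, None marks the end
    take = toks.pop

    def atom():                           # class name, !atom or ( expression )
        tok = take()
        if tok == "!":
            return not atom()
        if tok == "(":
            value = either()
            if take() != ")":
                raise ValueError(f"missing ')' in {guard!r}")
            return value
        if tok is None or not re.fullmatch(r"\w+", tok):
            raise ValueError(f"class name expected in {guard!r}")
        return tok in defined

    def both():                           # "." or "&": AND, binds tighter than OR
        value = atom()
        while toks[-1] in (".", "&"):
            take()
            value = atom() and value
        return value

    def either():                         # "|" or "||": OR
        value = both()
        while toks[-1] in ("|", "||"):
            take()
            value = both() or value
        return value

    result = either()
    if toks[-1] is not None:
        raise ValueError(f"trailing {toks[-1]!r} in {guard!r}")
    return result

def active(guards, defined):              # guards whose actions apply on this host
    return [g for g in guards if evaluate(g, defined)]

# Constructed sample: classes assumed defined on cent2 on a Sunday at 00:xx.
CENT2 = {"any", "linux", "tuneservers", "testingservers", "yumservers", "Sunday", "Hr00"}
# Guards copied from the cfagent.conf above.
GUARDS = ["tuneservers.yumservers.Sunday.Hr00::", "testingservers.!master_server::",
          "intraservers|intra_ip_range::", "tuneservers.cfengineservers::", "any.Hr07::"]

if __name__ == "__main__":
    print(active(GUARDS, CENT2))
```

To audit a real host, build the class set from the "Defined Classes" line that cfagent -p -v prints there.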
6.2.2. cfservd.conf

    #########################################################
    #
    # This is a cfd config file
    #
    # The access control here follows after any tcpd
    # control in /etc/hosts.allow and /etc/hosts.deny
    #
    #########################################################

    #
    # Could import cf.groups here and use a structure like
    # in cfengine.conf, cf.main, cf.groups
    #

    control:

       domain = ( tunelinux.pe.kr )
       AllowUsers = ( root )

     linux::

       cfrunCommand = ( "/var/cfengine/bin/cfagent" )

     any::

       # ChecksumDatabase = ( /tmp/testDATABASEcache )
       IfElapsed = ( 1 )
       MaxConnections = ( 30 )

       # access control
       Split = ( " " )
       hostlist = ( "111.112.137 222.239.157 66.600.5" )
       # hostlist = ( "111.112.137.162" )
       dirs = ( "inputs tune" )
       base = ( /usr/local/var/cfengine )

    #########################################################

    admit: # or grant:

       $(base)/$(dirs) $(hostlist)
       # /usr/local/var/cfengine/inputs *
       # /usr/local/var/cfengine/tune *

cfservd.conf is required by cfservd and sets who is allowed access.
Without the AllowUsers entry, cfrun did not run.
admit is the section that sets the access permissions.
6.2.3. update.conf

    #######################################################
    #
    # cf.update - for iu.hio.no
    #
    #######################################################

    ###
    #
    # BEGIN cf.update
    #
    ###

    #######################################################################
    #
    # This script distributes the configuration, a simple file so that,
    # if there are syntax errors in the main config, we can still
    # distribute a correct configuration to the machines afterwards, even
    # though the main config won't parse. It is read and run just before the
    # main configuration is parsed.
    #
    #######################################################################

    control:

       actionsequence = ( copy processes tidy ) # Keep this simple and constant

       domain = ( tunelinux.pe.kr ) # Needed for remote copy

       #
       # Which host/dir is the master for configuration roll-outs?
       #
       policyhost = ( cfengine.tunelinux.pe.kr )
       master_cfinput = ( /usr/local/var/cfengine/inputs )

       AddInstallable = ( new_cfenvd new_cfservd )

       #
       # Some convenient variables
       #
       workdir = ( /var/cfengine )

     linux::

       cf_install_dir = ( /usr/local/cfengine/sbin )

    ###################################################################
    #
    # Spread the load, make sure the servers get done first though
    #
    ###################################################################

     !AllBinaryServers::

       SplayTime = ( 1 )

    ############################################################################

    #
    # Make sure there is a local copy of the configuration and
    # the most important binaries in case we have no connectivity
    # e.g. for mobile stations or during DOS attacks
    #

    copy:

       $(master_cfinput) dest=$(workdir)/inputs
          r=inf
          mode=700
          type=binary
          exclude=*.lst
          exclude=*~
          exclude=#*
          server=$(policyhost)
          trustkey=true

    #####################################################################

    tidy:

       #
       # Cfexecd stores output in this directory.
       # Make sure we don't build up files and choke on our own words!
       #
       $(workdir)/outputs pattern=* age=7

    #####################################################################

    processes:

     new_cfservd::

       "cfservd" signal=term restart /usr/sbin/cfservd

     new_cfenvd::

       "cfenvd" signal=kill restart "/usr/sbin/cfenvd -H"

    ###
    #
    # END cf.update
    #
    ###

update.conf is the configuration that cfagent needs in order to reach the master server. The required files are fetched from the server and directory specified here.
6.3. Client configuration

    [root@localhost cfengine]# mkdir -p /var/cfengine/inputs
    [root@localhost cfengine]# mkdir -p /var/cfengine/bin
    [root@localhost cfengine]# cd /var/cfengine/bin
    [root@localhost cfengine]# scp cent.tunelinux.pe.kr:/usr/local/cfengine/sbin/* .
    [root@localhost cfengine]# scp cent.tunelinux.pe.kr:/usr/local/var/cfengine/inputs/update.conf /var/cfengine/inputs

    [root@localhost cfengine]# cfkey
    Making a key pair for cfengine, please wait, this could take a minute...
    Writing private key to /var/cfengine/ppkeys/localhost.priv
    Writing public key to /var/cfengine/ppkeys/localhost.pub

    [root@localhost cfengine]# scp /var/cfengine/ppkeys/localhost.pub cent.tunelinux.pe.kr:/var/cfengine/ppkeys/root-111.112.137.140.pub
    [root@mytest inputs]# ll /var/cfengine/ppkeys/
    합계 24
    drwx------ 2 root root 4096 10월 10 16:05 ./
    drwxr-xr-x 9 root root 4096 10월 19 13:58 ../
    -rw------- 1 root root 1743 10월 10 15:15 localhost.priv
    -rw------- 1 root root 426 10월 10 15:15 localhost.pub
    -rw------- 1 root root 426 10월 19 14:39 root-111.112.137.140.pub
    -rw------- 1 root root 426 10월 10 15:28 root-111.112.137.162.pub

    [root@mytest inputs]# cfagent -q -v   (the -q option runs immediately, without the delay)
6.4. Debugging

6.5. Directory structure
    [root@localhost cfengine]# tree -d /var/cfengine/
    /var/cfengine/
    |-- bin
    |-- inputs
    |-- modules
    |-- ppkeys
    |-- ppkeys1
    |-- rpc_in
    |-- rpc_out
    `-- state

6.6. cfrun

cfrun runs various commands remotely from the master server. It is a push model, in which the master triggers execution on each server.
Running this program requires a cfrun.hosts file; put it in /var/cfengine/inputs.
cfservd must also be running on each host. When cfservd runs on the master, its role is to let each client connect to it; when cfrun is used, the daemon must be running on each target computer.

    # cat cfrun.hosts
    domain=tunelinux.pe.kr
    cent.tunelinux.pe.kr
    cent2.tunelinux.pe.kr

When cfrun is run with no arguments, it automatically reads the cfrun.hosts file and runs cfagent on each system.
The screen output briefly shows only what was actually applied. In the run below, the /etc/crontab and /etc/security/access.conf files on cent2 had been modified on purpose.

    # cfrun
    cfrun(0): .......... [ Hailing cent.tunelinux.pe.kr ] ..........
    cfrun(0): .......... [ Hailing cent2.tunelinux.pe.kr ] ..........
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    cfengine:cent2: Saving edit changes to file /etc/crontab
    cfengine:cent2: Saving edit changes to file /etc/security/access.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7.1. Classes
    # cfagent -p -v | grep -i define
    Additional hard class defined as: 32_bit
    Additional hard class defined as: linux_2_6_9_42_0_3_EL
    Additional hard class defined as: linux_i686
    Additional hard class defined as: linux_i686_2_6_9_42_0_3_EL
    Additional hard class defined as: linux_i686_2_6_9_42_0_3_EL__1_Fri_Oct_6_05_59_54_CDT_2006
    Defined Classes = ( 222_112_137 222_112_137_162 32_bit DNSservers Day3 Friday Hr18 Hr18_Q2 INTRAservers MAILservers Min25_30 Min27 November Q2 WWWservers Yr2006 addr_ allservers any c1 call cent cent_tunelinux_pe_kr centos centos_4 centos_4_4 cfengine_2 cfengine_2_1 cfengine_2_1_21 cfengineservers compiled_on_linux_gnu dnsservers fe80__20c_29ff_fe14_2f08 i686 ipv4_222 ipv4_222_112 ipv4_222_112_137 ipv4_222_112_137_162 kr linux linux_2_6_9_42_0_3_EL linux_i686 linux_i686_2_6_9_42_0_3_EL linux_i686_2_6_9_42_0_3_EL__1_Fri_Oct_6_05_59_54_CDT_2006 net_iface_eth0 net_iface_lo pe_kr redhat tunelinux_pe_kr )

    c1 = ( cent.tunelinux.pe.kr )
    mailservers = ( '/usr/bin/test -d /var/qmail' )
    dnsservers = ( '/usr/bin/test -f /etc/named.conf' )
    cfengineservers = ( '/usr/bin/test -f /usr/sbin/cfagent' )
    yumservers = ( '/usr/bin/test -f /etc/yum.repos.d/CentOS-Base.repo' )
    allservers = ( c1 c2 mailservers dnsservers cfengineservers yumservers )

7.2. Caveats and issues encountered in use

    Nov 10 11:33:15 mirrot cfservd[9610]: Unable to lookup hostname (techlab.tunelinux.pe.kr) or cfengine service: Name or service not known

In this case IPRange is convenient: just specify the IP range. In this case it was fine even without registering the host in DNS.
8. References

Contributor: 문태준 (http://tunelinux.pe.kr http://database.sarang.net)