CFEngine On CentOS

CFEngine is a policy manager that ensures each machine it is installed upon meets the policy system’s create for different groupings of machines. Can be configured to monitor, install, check, update, remove, create just about anything


Install CFEngine
Getting Started
CFEngine Reference Guide


CFEngine is a very powerful tool. You can make it do ANYTHING to a large number of machines. Proceed with caution, remember machines are stupid they will do EXACTLY what you tell them to do. Treat this tool with respect, start new promises with small groups before expanding cluster wide.


A sysadmin must create promises that define what a machine should be doing, what it should be running, what it should have installed, etc. I am just showing snippets of these as these are quite long as we have many promises, mostly for ensuring all of our services are up 24/7 and if they do fail start them with 5 minutes. Systems receive emails each time a promise does not meet the expected result(i.e. repeated failures to start a daemon, disk running out of room)

the two most important ones are, which tells the system which promises to keep

bundle common z01_promise_setup
    "bundles" slist     => {
   "promise_files" slist
                        => {

and, which tells CFEngine which machines fall into which class, machines can be in many classes or excluded from a class should the match a regex.

bundle common z02_global_classes


"mesosslaves" or => {


        "app" or => {

        "web" or => {


Promise Format

Below is the format of a promise to ensure all machines in the base group that are not centos_5 or Centos_4 machines have sssd running.

bundle agent w01_check_sssd
# tells it which group that can run this chech_sssd
        "w01checksssd" usebundle => check_sssd;


bundle agent check_sssd

        "grep_name" slist => { "sssd" }; # similar to ps fax | grep sssd
        "service" slist => { "sssd" }; # name of executable in /etc/init.d
        "init_scripts_path" string => "/etc/init.d";


        comment => "Check if the process for '$(service)'",
        restart_class => "restart_$(service)";


        "${init_scripts_path}/${service} start"
        comment => "Restarting the service",
        ifvarclass => "restart_${service}";

         "Heads up - the $(this.promise_filename) promise restarted $(service) on $(sys.fqhost). "      ;

        "$(service) is running on $(sys.fqhost).";



A user can have files/packages/libraries, etc that need distributed to each machine in the policy group.
first copy the file to mastercf:/var/cfengine/masterfile/myTemplates
from there I have it sub divided by the same groupings as in
rename it so it ends in a .txt .conf .cf or cfengine will ignore it.

then make a promise to distribute, example to copy the ssh message of the day to each machine.

bundle agent b21_manage_config

#all machine in the zedxinc domain are in "base"
    base::                                              # <1>
    "b21manageconf" usebundle
                        => b21_run ;


bundle agent b21_run

# notice the source dir is /var/cfengine/inputs and NOT /var/cfengine/masterfiles. When cfengine distributes policies to each machine that is bootstrapped to the master, the cf-agent can only execute local files in /var/cfengine/inputs.
    "source_dir" string
                        => "/var/cfengine/inputs/myTemplates" ;   # <2>

    "source_file" string
                        => "$(source_dir)/motd.txt" ;

#creates file and assigns permissions
    perms               => mog("640","root","root"),
    create              => "true",
    edit_defaults       => empty,
    edit_line           => expand_template("$(source_file)") ;    # <3>


  1. remember to always update each time you add a new promise or it will not be kept.


Checks consistency of policy file to ensure nothing is incorrect syntax wise. If there is a syntax issue ALL machines start complaining.

 $ cf-agent -f /var/cfengine/masterfiles/ 

Updates available policies for slave machines. copies to /var/cfengine/inputs

 $ cf-agent -IKf /var/cfengine/masterfiles/ 

Machines should check in every five minutes but if you are testing sometimes this is too slow.


Pull the latest promise update from the server on the agent machine:

 $ cf-agent -IKf /var/cfengine/inputs/

Immediately execute promises:

 $ cf-agent -IKf /var/cfengine/inputs/

Show how much of each promise is able to be kept on the agent machine

 $ cf-agent -vn


To install the agents on slave machines with cfengine’s install script.

 $ wget -O- | sudo bash
 $ cf-agent --bootstap 10.0.0.[CF]

For Private Networks

or for any local install that you wish to not go out to the internet to get the latest version for your servers

 $ rpm -Uvh
 $ cf-agent --bootstap 10.0.0.[CF]

The cfengine-community package is practically OS version agnostic and will install on CentOS 4,5,6, and 7 without any dependencies.