I've used cfengine in a production environment, and found it to be very
useful and powerful. I'll just list the features (pro and con) below.

PROS
----
* Distributed operations
* Well-supported and open-source leader in its field
* Widely-used
* Supports many "selection criteria" such as hour of day, hostname, IP
address, network, cfengine version, operating system, kernel version
* Battle-tested with environments numbering in thousands (including that
most hostile of environments, the college campus)
* Integrates well with other systems such as CVS, RCS, et al
* Works well in isolation as well as in distributed fashion - and can keep
system protected while server is offline
* Extremely flexible
* Comprehensive documentation
* Can replace cron entirely (if one has a notion to...)
* Can keep excess files from cluttering up /tmp or /var/tmp
* Can keep unwanted files or processes from appearing at all (such as
.rhosts, etc).
* Can "edit" files as well as maintain complete files
* Utilizes public-key encryption to identify clients (encrypted links
available)
* "Selection criteria" (classes) can be set programmatically by scripts
* Can be used in place of samhain or tripwire (and *reacts*!)
* Works well with NFS-mounted home directories
* Works under Windows as well
* Can manage processes - including "must be present" and "must *not* be
present" and more
* Active mailing list for support
* Can be used to configure new systems from startup (using a minimal
configuration)

CONS
----
* Documentation - comprehensive but can be hard to know where to start
with new installations
* Configuration is unlike anything you've ever seen
* The "editfiles" section of the configuration is also unlike anything
you've ever seen - and is different than any other configuration section
(looks a lot like a computer language without reasonable syntax)
* The customizability of the configuration can be overwhelming
* Doesn't necessarily "play nice" with file integrity checkers like
samhain or tripwire - i.e., if cfengine restores a file to its original
state or changes the permissions, samhain may flag it as being changed.
* Inclusion in configuration files ("include file") is
counter-intuitive: "included files" are actually concatenated to
currently scanned file
* "Regexes" in the EditFiles configuration section match the entire
line, not a substring (unless using proper EditFiles command)

Most of the down-side to cfengine revolves around the unique
configuration file syntax (and the EditFiles section most of all) and
the comprehensive documentation (which does not provide for an
oft-requested 1-2-3 steps to get started).

The latter problem will be solved with an upcoming book ;-)

--
David Douthitt
HP-UX, Unixware, Linux, FreeBSD
RHCE, SCSA, Linux+, LPIC-1
http://www.lulu.com/ssrat