Re: "Stateless Linux" project

Josh England wrote:

LCFG does indeed sound like a highly capable configuration deployment
engine (how does it compare with cfengine, in your opinion?).

They are very similar in terms of what happens - central configuration is "enacted" in some way on the clients via a number of agents. But their methods and models differ somewhat.


LCFG (there are others that can explain cfengine better) for example is entirely declarative in terms of the central database. Nothing procedural is encoded in the profile for a machine, as doing so means having to deal with ordering of configuration changes (A->a->B->b->C vs A->C, where upper = states and lower = transitional procedures). It's left to the agents to work out the procedures, making disconnected operation simpler (it doesn't matter if a laptop misses the update from A to B as A->B->C "should" give you the same as A->C). Procedural models often mean that all the intermediary transformations have to be applied.

One thing that is particularly powerful about LCFG is the idea of spanning maps. Client configuration descriptions can export collections of information into a global namespace that other components can then subscribe to. For example, in the client config for the web server I'd put:

firewall.holes 80 443

.. then because the schema for the firewall component says that the "holes" property is to be a member of a spanning map, on the firewall host itself the firewall component automatically gathers the information and opens the holes. The definition of the "hole" though is in the same config file as the configuration for the web server.

This can be extended to:

# In a file called i-want-to-be-a-web-server.h
apache.port 80
firewall.holes <%apache.port%> # reference to above.

.. then in the source profile for each member of a web cluster:

#include <i-want-to-be-a-web-server.h>

As soon as I write the file packets fly all over the place and a few seconds later the firewall has holes to all the machines in the cluster on port 80. Edit i-want-to-be-a-web-server.h to add 443, write it and again a few seconds later you have those holes too. If we add an extra gateway firewall for redundancy it can be told to subscribe to that particular map and add the holes too.

We can do the same for which rpms are installed on machines. One minute a lab full of machines could be a Fedora minimal install, a few mins later they are all members of a Beowulf cluster, software installed and configuration applied (assuming you've prepared the config template earlier obviously). Uninclude the header file for being in the Beowulf and a few mins later again they are back to being Fedora minimal installs.

Part of the research effort here is to extend this idea so that the description is even more abstract. I.e. be able to take a group of machines and write the equivalent of:

"I want a workgroup setup with a file server, web server, firewall and special laptop to control the bluetooth light in the fishtank."

The configuration engine should then go off and work out which machine the printer is connected to, which one is the laptop and just make it all happen (I did say research effort!).

Carwyn
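
The spanning-map behaviour described in the message above, as a toy model added here (it is not LCFG code and not part of the original post): the firewall's hole list is recomputed from the current client profiles, so editing the header or un-including it changes the rules without any stored intermediate steps. The host names, function names and the choice to add 443 on the `apache.port` line are assumptions; only the `key value`, `<%key%>` and `#include <file>` syntax comes from the message.

```python
import re

# Constructed sample sources, using only the syntax shown in the message.
HEADERS = {
    "i-want-to-be-a-web-server.h":
        "apache.port 80\n"
        "firewall.holes <%apache.port%> # reference to above.\n",
}
# Hypothetical host names; lab1 does not include the web-server header.
PROFILES = {
    "web1": "#include <i-want-to-be-a-web-server.h>\n",
    "web2": "#include <i-want-to-be-a-web-server.h>\n",
    "lab1": "",
}

def compile_profile(source, headers):
    """Expand includes, resolve <%key%> references; return {key: [values]}."""
    lines, resources = [], {}
    for line in source.splitlines():
        inc = re.match(r"#include <(.+)>", line)
        lines.extend(headers[inc.group(1)].splitlines() if inc else [line])
    for line in lines:
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        # A reference is replaced by the values of a key defined earlier.
        value = re.sub(r"<%(.+?)%>",
                       lambda ref: " ".join(resources[ref.group(1)]), value)
        resources[key] = value.split()
    return resources

def spanning_map(profiles, headers, key):
    """What a subscriber to `key` sees: each exporting host and its values."""
    exported = {}
    for host, source in profiles.items():
        values = compile_profile(source, headers).get(key)
        if values:
            exported[host] = values
    return exported

def firewall_rules(profiles, headers):
    """Desired firewall state as (host, port) pairs, derived from profiles only."""
    holes = spanning_map(profiles, headers, "firewall.holes")
    return sorted((h, int(p)) for h, ports in holes.items() for p in ports)

if __name__ == "__main__":
    print(firewall_rules(PROFILES, HEADERS))
    # Un-including the header on web2 removes its holes on the next compile.
    print(firewall_rules(dict(PROFILES, web2=""), HEADERS))
```

Because the rule set is a pure function of the sources, comparing its output before and after a header edit shows exactly which holes that edit opens or closes.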


