Best Practices for Managing Laptops?


James T.

Mar 17, 2014, 1:37:21 PM
to help-c...@googlegroups.com
We would like to begin managing our portable (laptop) systems with CFEngine 3 Community Edition. We have been managing our desktops and servers this way for years and have been extremely happy with it, but nearly all of those systems are on the wired corporate network at all times. My question is what is the best way to deal with laptop systems that will be frequently changing networks and coming into/out of sleep mode. I have been simulating the case where the policy hub is not reachable by using iptables rules on our development policy server. With the policy hub unreachable, running cf-agent (by hand) now takes over a minute (versus ~ 1 second) and the client records 'Unable to establish any connection with server' in syslog, the outputs directory and in an e-mail to the cfengine admin. I can live with the increase in execution time, but am not sure what to do about the logging. I like the logging in the outputs directory (and e-mail) when a report is triggered or a shell command produces some output, but I don't want to be notified when a copy fails because the policy hub is unreachable. Is there a way to silently fail during a remote copy or are there any other best practices for managing systems that are frequently off network?

Thank you for any thoughts or suggestions.
Jim



Neil Watson

Mar 17, 2014, 2:16:09 PM
to help-c...@googlegroups.com
Greetings,

I do not recommend using the email feature in cf-execd. I view it as a
spammer. Better to rely on good reporting like a simple lastseen report,
or cf-key -s, or CFEngine Enterprise, or Rudder, or Delta Reporting.

IIRC, the server should accept a key from a laptop even it if changes
networks, provided that the server's own access promises allow the
laptop's IP address to pass.

I use CFEngine on my laptop and I've never noticed any problems when
on other networks. If the agent can't reach the server, I know it will
when I get home again.

--
Neil H Watson
Reporting with Cfengine Community http://evolvethinking.com/products/delta-reporting/
http://evolvethinking.com/evolve-thinkings-free-cfengine-library/
VIM and Cfengine https://github.com/neilhwatson/vim_cf3

Marco Marongiu

Mar 17, 2014, 2:20:38 PM
to help-c...@googlegroups.com
Hi Jim

I manage my laptop with CFEngine, but I don't poll a remote hub. I have
suggestions though :)

The first and simplest: write a module that tries to open a socket to
$(sys.policy_hub):5308; run it as early as possible. If it doesn't
succeed, make it raise a class that is listed among the abortclasses, so
that the agent won't try running.

This has the downside of hitting the hub's cf-serverd twice per cycle,
so you may be better off trying to connect to another service that can
handle the traffic better -- e.g.: you could install an http server
somewhere in the same network segment as the hub, only to answer to
these "call-home" requests -- all you need is a socket to be opened and
closed immediately.

But this still has the downside that the agent will abort completely,
thus won't apply any promise, not even those that don't depend on the
hub reachability. That can still be fixed: instead of having the
aforementioned class among the abortclasses, use it to condition the
execution of any remote action -- this requires you to modify all the
policies where remote actions are performed, possibly including
update.cf, but it works.

Writing a module that checks if a socket is reachable is easy. In my
bashrc, I have a function called socktest that does exactly that using Perl:

> function socktest {
> for SOCK in $*
> do
> export SOCK
> perl -MIO::Socket::INET -le 'my ($host,$port) = split(/:/,$ENV{SOCK}) ; my $sock = IO::Socket::INET->new(PeerHost => $host, PeerPort => $port, Timeout => 3) ; print qq{$host:$port }, defined $sock? q{OK} : q{KO}'
> done
> }

I don't expect it to be terribly difficult to do in other languages, or
to make a module out of this one liner.

Another possible approach is to use a location detection system. I wrote
about that more than one year ago, the post is aged and definitely needs
cleaning, but it could be a starting point: http://wp.me/p3wWVC-aZ

Basically, you could try and detect the locations where you are supposed
to be able to reach the hub, and act accordingly. A least sophisticated
system, yet effective, would be relying on a class that is defined when
you are in a location that you know, and you'll use that to allow remote
actions to happen:

classes:
  "hub_is_reachable"
    or => { iprange("1.2.3.0/24"), iprange("10.20.30.0/24"), iprange("11.22.0.0/16") };

...

files:
  "/etc/something"
    copy_from => remote_cp(...),
    ifvarclass => "hub_is_reachable";

# or

  some_class.hub_is_reachable::
    "/etc/something"
      copy_from => remote_cp(...);

HTH, ciao!
-- bronto
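A module that does what Marco describes, written here as an added example rather than code from the thread or from CFEngine itself: it tries a TCP connect to $(sys.policy_hub):5308 with a three-second timeout and prints the result in the CFEngine module protocol, where a line starting with "+" defines a class and a line of the form "=name=value" defines a variable. The class names, the placeholder host name and the policy glue in the docstring are my own choices; the glue assumes the script is installed under $(sys.workdir)/modules and run from a commands promise with module => "true".

```python
#!/usr/bin/env python3
"""Hub reachability probe, usable as a CFEngine module (added example).

Policy glue (assumed, not from the thread): run this early in the bundlesequence.

  bundle agent hub_probe
  {
    commands:
      "$(sys.workdir)/modules/hub_probe.py $(sys.policy_hub)"
        module => "true";
  }

Afterwards guard remote copies with `hub_is_reachable::` (the approach that keeps
the rest of the run going), or list `hub_is_unreachable` in abortclasses to stop
the whole agent run as in Marco's first suggestion.
"""
import socket
import sys

HUB_PORT = 5308          # default cf-serverd port
PROBE_TIMEOUT = 3.0      # seconds; keeps an off-network run short


def probe_tcp(host, port, timeout=PROBE_TIMEOUT):
    """Return True when a TCP handshake to host:port completes within timeout.

    Any socket error (refused, unreachable, DNS failure, timeout) counts as
    'not reachable'; we never want this probe itself to abort the agent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def module_output(host, port=HUB_PORT, timeout=PROBE_TIMEOUT):
    """Lines this module prints for cf-agent: one class plus a variable."""
    if probe_tcp(host, port, timeout):
        lines = ["+hub_is_reachable"]
    else:
        lines = ["+hub_is_unreachable"]
    lines.append(f"=hub_probe_target={host}:{port}")
    return lines


def self_check():
    """Exercise both outcomes against a throw-away listener on loopback.

    Returns (lines_while_listening, lines_after_close). A closed loopback port
    answers with a connection refusal, so the second probe fails fast.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # ephemeral port chosen by the kernel
    listener.listen(1)
    port = listener.getsockname()[1]
    up = module_output("127.0.0.1", port)
    listener.close()
    down = module_output("127.0.0.1", port)
    return up, down


if __name__ == "__main__":
    # "policyhub.example.com" is a constructed placeholder, not a real hub.
    target = sys.argv[1] if len(sys.argv) > 1 else "policyhub.example.com"
    print("\n".join(module_output(target)))
```

The probe still opens one connection to cf-serverd per run, which is the "twice per cycle" cost Marco points out; pointing the first argument at a lightweight listener on the hub's network segment instead leaves the module unchanged and takes that load off cf-serverd.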

James T.

Mar 17, 2014, 10:07:23 PM
to help-c...@googlegroups.com
Thank you both for your useful suggestions. I need to do some more testing/tweaking, but I think this will get things working the way I want them to.

The BSD Dreamer

Mar 18, 2014, 7:56:53 PM
to help-c...@googlegroups.com

I've been mulling how to manage my laptop, though I haven't gotten around to trying anything yet.  I have yet to make much headway in bringing any of my legacy Ubuntu systems into CFE, so should get those going before I work on the mobile one.

But, I think all my contact with policy server is down to one agent bundle ... maybe two.

My thinking was to look at the IP autoclasses to decide where it is to decide if it should even try to contact my policy server.  Though I've been wondering how bad would it be to expose my policy server to the Internet?   Though I might limit it to from certain IPs.  Or if an ssh tunnel is a possibility.

But, then there are other questions....is it reasonable to enforce policies the same way on a laptop as with a desktop.

Since a laptop changes networks....so my regular resolv.conf promise wouldn't make sense when it's not on my home network.  (though that's a bad example as on a laptop the dhcp client is going to be making changes to it, and I should allow it.)  Plus there'll probably be occasions in the field where I need to manually change something or fix something.

Though I have dabbled in something like that.  Like promise that a user's .cshrc file is the latest version, unless the user has made modifications to it.  But, doing that for all files on a host would get really messy (or perhaps I need to rethink how I'm doing this when it's more than a handful of files.)

-- 
  Name: Lawrence "The Dreamer" Chen    Call: W0LKC
 Snail: 1530 College Ave, A5          Email: bea...@tardisi.com
        Manhattan, KS 66502-2768       Blog: http://lawrencechen.net

Diego Zamboni

Mar 19, 2014, 2:59:11 AM
to The BSD Dreamer, Diego Zamboni, help-c...@googlegroups.com
Hi Lawrence,

I think it makes perfect sense to manage a laptop using CFEngine. Of course, you may be managing a different (though overlapping) set of things than on a server. Some examples off the top of my head:

- the network configuration might be better left to your DHCP client, but you can use CFEngine to install and configure the DHCP settings

- you can use CFEngine to manage configurations according to the location of your laptop. For example, if there are certain things that you want to do at home and others at work, you can use the network address hard classes (or any other classes that allow you to tell where the machine is at the moment) to trigger them. For example:

192_168_12::    # home network
    some promises;
9_4_8:: # work network
    some other promises;

Of course, if you are using private address ranges, you have to take care about false positives. There's a Design Center sketch that allows you to do this by verifying IP addresses against known MAC addresses (to prevent false positives): https://github.com/cfengine/design-center/tree/master/sketches/utilities/ipverify

- If you need to make manual changes for some reason and need CFEngine to stay off your back, you can build this into your policies as well - the most common way of doing it is to touch a "flag file" which CFEngine policy checks for existence, and if it's there, CFEngine aborts. There's also a sketch for that: https://github.com/cfengine/design-center/tree/master/sketches/utilities/abortclasses

Hope this helps,
--Diego



Nick Anderson

Mar 19, 2014, 3:13:30 AM
to Diego Zamboni, help-c...@googlegroups.com, The BSD Dreamer


On Mar 19, 2014 6:59 AM, "Diego Zamboni" <diego....@cfengine.com> wrote:

> Of course, if you are using private address ranges, you have to take care about false positives. There's a Design Center sketch that allows you to do this by verifying IP addresses against known MAC addresses (to prevent false positives): https://github.com/cfengine/design-center/tree/master/sketches/utilities/ipverify

Time zone changes have been annoying me recently. I've been pondering writing some geoip lookup. Maybe I could coordinate something from my phone and some kind of sync service like Dropbox.

> - If you need to make manual changes for some reason and need CFEngine to stay off your back, you can build this into your policies as well - the most common way of doing it is to touch a "flag file" which CFEngine policy checks for existence, and if it's there, CFEngine aborts. There's also a sketch for that: https://github.com/cfengine/design-center/tree/master/sketches/utilities/abortclasses

This one is lovingly referred to as "/COWBOY" mode.

Brian Bennett

Mar 19, 2014, 4:30:19 AM
to Nick Anderson, Diego Zamboni, help-c...@googlegroups.com, The BSD Dreamer
On Mar 19, 2014, at 12:13 AM, Nick Anderson <ni...@cmdln.org> wrote:
> Time zone changes have been annoying me recently. I've been pondering writing some geoip lookup. Maybe I could coordinate something from my phone and some kind of sync service like Dropbox.

Like what? In my experience as long as the tzdata files are up to date there shouldn't be any problems.

Since I haven't experienced any tz issues I'm both curious and fascinated.


Brian Bennett
Looking for CFEngine training?
http://www.verticalsysadmin.com/

Marco Marongiu

Mar 19, 2014, 4:51:18 AM
to help-c...@googlegroups.com
On 03/19/2014 12:56 AM, The BSD Dreamer wrote:
> Since a laptop changes networks....so my regular resolv.conf promise
> wouldn't make sense when its not on my home network.

As in my example, you can have a "library" of the locations you know
(very easy with iprange()) and apply that promise only if you know where
you are, otherwise skip it.

> Though I have dabbled in something like that. Like promise that a
> user's .cshrc file is the latest version, unless the user has made
> modifications to it.

Recent OSs have support for a /etc/csh/login.d directory, so you may
always put your stuff there and let users override it in their configs.
And if you don't have that support it's really easy to add that.

ciao!
-- bronto

Marco Marongiu

Mar 19, 2014, 4:53:37 AM
to help-c...@googlegroups.com
On 03/19/2014 07:59 AM, Diego Zamboni wrote:
> the network configuration might be better left to your DHCP client, but
> you can use CFEngine to install and configure the DHCP settings

I actually use CFEngine to "supplement" the resolv.conf settings I get
on my laptop, depending on where I am, e.g. the search list, or even to
override domain name servers when a crappy ADSL router suggests that it
can handle my requests but I have a different opinion :)

Ciao!
-- M

Neil Watson

Mar 19, 2014, 7:47:48 AM
to help-c...@googlegroups.com
I use hardening policy on my laptop the most. It manages iptables,
ip6tables, file permissions, disables services, disables
crtl-alt-del/bcksp, among other things. Now I'm ready for the next
BlackHat.

The BSD Dreamer

Mar 19, 2014, 9:21:42 AM
to help-c...@googlegroups.com

I should find time to skim through these resources.... keep finding things that I wish we had done or didn't reinvent.

Don't know why it didn't occur to me to look to users outside of our organization for tools, ideas and help.  And, until after my last LISA.

On 2014-03-19 01:59, Diego Zamboni wrote:

> Of course, if you are using private address ranges, you have to take care about false positives. There's a Design Center sketch that allows you to do this by verifying IP addresses against known MAC addresses (to prevent false positives): https://github.com/cfengine/design-center/tree/master/sketches/utilities/ipverify

Probably easier than changing my home network to a private public address range (don't recall how I pulled off the last address change...to avoid collision when using VPN with previous employer, probably had a simpler home network then.)  Though someday I'll want to use current VPN from home network.

Once I get everything CFEngine'd, hoping it'll make it more possible to do...?

> - If you need to make manual changes for some reason and need CFEngine to stay off your back, you can build this into your policies as well - the most common way of doing it is to touch a "flag file" which CFEngine policy checks for existence, and if it's there, CFEngine aborts. There's also a sketch for that: https://github.com/cfengine/design-center/tree/master/sketches/utilities/abortclasses

This would be much better than our old way that completely disables CFEngine, or our new way that doesn't have a way to extend the window.

We don't have a lester to pester... though at one time we had 3 admins named Travis (now have none), two of which would more than likely be the one needing pestering for this... Though I could lose track of things if I got swamped (though I usually do it because it's doing something wrong, and I need more than 5 minutes to fix it. Or I'm making some semi-manual change...and regular agent runs are interfering with my manual runs (and vice-versa.)

What we do now is send messages to our loghost, since most of us kept an eye on the kern log...though now it's full of failed CPU fans that we won't fix. Though I try to still check it once in a while, so I can see a host complaining every 10 minutes that my co-worker had made a mistake in a firewall change....last month. (and that the user that requested the change, hasn't noticed that they still don't have access...) Or a failed disk or power supply that we have to fix.

I had looked at CFEngine pestering us through Nagios, but seems I'm the only one that pays attention to pages, and I want to get less noise...

But, we'll probably always have two James's....we had one retire, so later another one transferred in....

The BSD Dreamer

Mar 19, 2014, 9:43:04 AM
to help-c...@googlegroups.com
On 2014-03-19 03:30, Brian Bennett wrote:
> On Mar 19, 2014, at 12:13 AM, Nick Anderson <ni...@cmdln.org> wrote:
>> Time zone changes have been annoying me recently. I've been pondering
>> writing some geoip lookup. Maybe I could coordinate something from my phone
>> and some kind of sync service like Dropbox.
>
> Like what? In my experience as long as the tzdata files are up to date there
> shouldn't be any problems.
>
> Since I haven't experienced any tz issues I'm both curious and fascinated.
>

This could be a cool thing to do....I'm always forgetting to change the
timezone on my laptop when I travel into a different one, until it makes me
late for something. And, then it takes a while to remember to change it back
when I'm home.

Pretty sure my (Wifi only) Android tablet switched automatically....or maybe
I didn't pay any attention to its clock...while playing games on it.

Nick Anderson

Mar 19, 2014, 1:12:19 PM
to The BSD Dreamer, help-c...@googlegroups.com

>> Like what? In my experience as long as the tzdata files are up to date there
>> shouldn't be any problems.
>

> This could be a cool thing to do....I'm always forgetting to change the timezone on my laptop when I travel into a different one, until it makes me late for something

That's exactly it. My phone changes automatically, and I want the same for my laptop.

Brian Bennett

Mar 19, 2014, 4:09:09 PM
to Nick Anderson, The BSD Dreamer, help-c...@googlegroups.com
Ah, that kind. It actually doesn't sound too hard. I might take a crack at it if I can get some spare time. Maxmind has a freely available GeoIP lookup database with binaries. The free one isn't very granular, but it would be close enough to map to the correct time zone.

-- 
Brian
--

Shane McEwan

Mar 20, 2014, 6:13:50 AM
to help-c...@googlegroups.com
On 19/03/14 20:09, Brian Bennett wrote:
> Ah, that kind. It actually doesn't sound too hard. I might take a crack
> at it if I can get some spare time. Maxmind has a freely available GeoIP
> lookup database with binaries. The free one isn't very granular, but it
> would be close enough to map to the correct time zone.

I believe the Maxmind databases already have timezone information in
them so it should be very simple to pull that out and use it to set the
system timezone.

Shane.