Tag Archives: cfengine

Book Review: Thinking in Promises

Posted on by
Reply

Mark Burgess is one of the smartest people I know, and the thought of reading his books was always a little bit daunting. Would I be able to understand what he was trying to tell me? I can’t speak for the other books, but Thinking in Promises is a very approachable introduction to Promise Theory. Although the approach is often academic, Burgess does an excellent job of keeping the reader engaged through a variety of examples, humor, and stick figure drawings.

Promise theory came from the work of Burgess and others in developing the computer configuration management tool CFEngine. However, the theory itself is broadly applicable to a variety of interactions. Promise theory lies somewhere between the vagueness of management buzzwords and the strict formality of mathematical language.

Contrary to Western norms, Promise Theory works from the bottom up, describing the intended state without consideration of the steps to get there. Promises are made by agents instead of being imposed by an outside actor. Thus, Promise Theory requires autonomy, making it a more apt modeling framework for interactions that involve humans.

Thinking in Promises starts by explaining the fundamental concept of a promise, and how promises are made, accepted, and evaluated. Following chapters expand on these concepts individually. The final chapters discuss systems of promises, which often involve one or more layers of proxies.

Burgess does an excellent job of making the concepts understandable by both technical and non-technical readers. Each chapter concludes with thought exercises intended to guide the reader toward a greater understanding. Most of the examples used in the chapters focus on non-computer interactions like getting a taxi ride.

The book does not promise to change the way I view the world, and it might be hyperbolic for me to say it did. Nonetheless, Thinking in Promises gave me an interesting lens through which to view both computer and human interactions. I recommend it to anyone looking for a way to model systems.

Thinking in Promises is scheduled to be released on July 17. It is published by O’Reilly Media.

A Cfengine learning experience

Posted on by
3

Note: This post refers to Cfengine 2. The difficulties I had may quite likely be a result of peculiarities in our environment or the limits of my own knowledge.

A few weeks ago, my friends at the University of Nebraska politely asked us to install host certificates on our Condor collectors and submitters so that flocking traffic between our two sites would be encrypted. It seemed like a reasonable request, so after getting certificates for 17-ish hosts from our CA, I set about trying to put them in place. I could have plopped them all in place easily enough using a for loop, but I decided it would make more sense to left Cfengine take care of it. This has the added advantage of making sure the certificate gets put in place automatically when a host gets reinstalled or upgraded.

I thought it would be nice if I tested my Cfengine changes locally first. I know just enough Cfengine to be dangerous, and I don’t want to spam the rest of the group with mail as I check in modifications over and over again. So after editing the input file on one of the servers, I ran cfagent -qvk. It didn’t work. The syntax looked correct, but nothing happened. After a bit, I asked my soon-to-be-boss for help.

It turned out that I didn’t quite get the meaning of the -k option. I always used it to run against the local cache of the input files, not realizing that it killed all copy actions. Had I looked at the documentation, I would have figured that out. Like I said, I know just enough to be dangerous.

I didn’t want to create a bunch of error email since some hosts wouldn’t be getting host certificates, so I went with a IfFileExists statement that I could use to define a group to use in the copy: stanza. So I committed what I thought to be the correct changes and tried running cfagent again. The certificates still weren’t being copied into place. Looking at the output, I saw that it couldn’t find the file. Nonsense. It’s right there on the Cfengine server.

As it turns out, that’s not where IfFileExists looks, it looks on the server running cfagent. The file, of course, doesn’t exist locally because Cfengine hasn’t yet copied it. Eventually I surrendered and defined a separate group in cf.groups to reference in the appropriate input file. This makes the process more manual than I would have liked, but it actually works.

Oh, except for one thing. In testing, I had been using $(hostname) in a shellcommand: to make sure that the input file was actually getting read. When I finally got the copy: stanza sorted out, the certificates still weren’t being copied out. The cfagent output said it couldn’t find ‘/masterfiles/tmpl/security/host-certs/$(hostname).pem’. As it turns out, I thought $(hostname) was a valid Cfengine variable. Instead, it was actually being passed to the shell command and being executed by the shell. The end result was indiscernible from what I intended in that case, but didn’t translate to the copy: stanza. The variable I wanted was $(fqhost).