Config Management

Configuration
Management
for
System
Administrators & DevOps
Contents
1 Introduction to Configuration Management 3
2 Abstraction, intention and state 55
3 Growing and planning 57
4 The same but different 59
Index 61
In conjunction with IT Masters & ITPA (IT Professionals Association) 1

Configuration Management for System Administrators & DevOps
Copyright notice
This work is
c 2016, 2017 Mike Ciavarella. All rights reserved.
You are granted a non-exclusive right to use any example code included in these notes without fee, payment
or notification. If your organisation does not permit such usage without fee, then I ask that you make a small
donation to your local adult literacy program in lieu of any fee. Alternatively, please consider donating some
unneeded computer hardware to a technology education program for under-privileged children.
Trademarks, Products, Disclosures

These notes make nominative reference to various trademarks, trade names, service marks, product names,
and other identifying marks. The marks remain the property of their respective owners. This specifically
includes, but is not limited to, instances where a formal mark identification is not applied in this text.
Use of such marks should not be considered endorsement, either positive or negative, of the organisation or
products described by the mark. You are solely responsible for determining suitability of any vendor or product
to meet your specific requirements.
The author receives no inducement or financial benefit from the mention of a product or product vendor, and
reserves the right to add, change, modify or replace mentions of vendors and/or products at their sole discretion
and without referral or notice.
On-site classes and workshops

Some organisations have provided feedback that it is difficult to send more than one or two staff at a time to
conferences where this class is delivered, due to overall cost, and, more importantly for system administration,
reduced coverage when larger numbers of staff are away from the office. To address this, the full version of
this short course is available for private, on-site training. On-site classes are typically delivered over 2-4 days,
using a different structure to the short-course or half-day conference format. The class schedule includes deeper
theory and examination of issues in the context of your organisation. Exercises are tailored to your organisation,
allowing students to quickly become productive in your specific environment.
The class content and delivery can also be tailored in other ways, such as:
Use of your organisations existing configurations and policy as example and exercise material (Subject
to Non-Disclosure Agreement).
For larger teams and to reduce impact on local workloads, running two interleaved classes over a week,
with a morning session and an afternoon session.
Attaching to other classes with topics such as Shell Programming (Introductory and Advanced), Founda-
tions of System Administration, and Documentation Techniques for System Administrators, etc.
If you would like to discuss this option further, please send a short e-mail outlining your requirements to:
training-onsite @ coffee net au.
Comments and feedback

This is a living document feedback and suggestions are welcome and can be sent to:
itpa2016-config @ coffee net au.
2 c 2017. M Ciavarella
7 @mxcia r1.2
Introduction to
Configuration
1
Management

Welcome System Lifecycles and Maturity Models System Administration activities Is this DevOps?
Course objectives
This course is a primer the purpose is to learn about the

issues and key features of configuration management.
The emphasis is on what and why more than how.
learn.itmasters.edu.au www.itpa.org.au
Course structure
Four weeks teaching, plus exam

Each week:
Webinar (45m) plus moderated Q&A (up to 45m)
Reading (1-2 articles; 90m)
Exercises (30m up; depends on you!)
Technology choices
Ansible for demonstration but NOT an Ansible class.

Linux as target platform but NOT a Linux class
Examples of other technology will be shown!
Basic coding skill assumed (loops, variables, types)
Warning!
Use/mention of products in this course is not an endorsement
or recommendation. Examples have been chosen to support
teaching objectives.
7 @mxcia r1.2
Course support
Webinar Q&A
Forums
Your experiences may be different and relevant to the
class - please share!
Remember!
The only stupid question is the question you didnt ask
(Attributed to Dr Paul Macready)
A few comments on learning styles and this course

Each person has their own way of learning effectively, and this often depends on many factors time of day,
experience with a subject, or even the group of people you are learning with. For some people, reading from
a book may be the best way to learn. Other people may find it easier to watch video tutorials and webinars, or
to watch how others perform a particular task. There is absolutely nothing wrong with any of these styles of
learning you need to find the style that works best for you.
My experience with teaching technical subjects to thousands of students with different skills and experience
is that a single learning style simply doesnt work all the time. A combination of styles and source material
is required, to cater for different students and different learning objectives. Teaching in this course takes the
following forms:
Webinar/lecture (aka broadcast aural knowledge) provided by a teacher

(myself) with extensive technical and educational experience.
Forum discussion providing interaction with your peers and instructor(s)
Question and answers in lecture and forums, to refine and clarify learnings
Hands-on exercises to explore and build technical skills
Additional reading aimed at providing further background.
How you make use of these resources will, ultimately, be the main factor in determining your learning
experience in this course. If you have limited time, then the best advice I can give you is to spend 1520
minutes reading the course notes for each week before listening to the webinar. At the very least this will start
you thinking about the content. Obviously attempting the hands-on work is important too, but if you have to
make a choice, then prepare before the webinar, You can always do the exercises later, when you have more
time. I hope this helps!
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Disclaimer
This class is held under the Chatham House Rule.
We may mention specific companies, products, etc. The intention in using

real-world examples like this is to provide concrete examples for education
purposes. Our experiences with any companies or products mentioned
may not be your experiences. Any trademarks used are the property of
their respective owners and used here as identifying marks.
The following notes are taken from the Wikipedia entry for Chatham House Rule, accessed 22 October 2006, from http:
//en.wikipedia.org/wiki/Chatham_House_Rule.
The Chatham House Rule (colloquial use: under Chatham House Rules) is a rule that governs the confi-
dentiality of the source of information received at a meeting. Since its refinement in 2002, the rule states:
When a meeting, or part thereof, is held under the Chatham House Rule, participants are free
to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that
of any other participant, may be revealed.
The rule originated in June 1927 at what is now best known as Chatham House (officially: The Royal
Institute of International Affairs) with the aim of guaranteeing anonymity to those speaking within its walls in
order that better international relations could be achieved. It is now used throughout the world as an aid to free
discussion. The original rule was refined in October 1992 and again in 2002.
Meetings, or parts of meetings, may be held on the record or under the Chatham House Rule. In the
latter case, the participants are understood to have agreed that it would be conducive to free discussion that they
should be subject to the rule for the relevant part of the meeting. The success of the rule may depend on its
being considered morally binding, particularly in circumstances where a failure to comply with the rule may
result in no sanction.
The Rule allows people to speak as individuals, and to express views that may not be those of their organi-
zations, and therefore it encourages free discussion. Speakers are then free to voice their own opinions, without
concern for their personal reputation or their official duties and affiliations.
The Chatham House Rule resolves a boundary problem faced by many communities of practice, in that it
permits acknowledgement of the community or conversation while protecting the freedom of interaction that is
necessary for the community to carry out its conversations.
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
A simple question
Where do servers come from?
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Basic lifecycle
Identify
Requirement
Procure
Physical Logical Operate

installation installation
Decommission
External image sources:

Computer wizard https://clipartfest.com/download/8f2b77fd0636ab7c493d3ff65cd887a4abdb1a63.html
Overworked programmer http://www.lessonsoffailure.com/wp-content/uploads/2010/04/overworked1.jpg
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Logical installation
1
Install operating system
2
Configure operating system (incl. security)
3
Apply operating system patches
4
Install application software
5
Configure application software
6
Do some testing
7
Do some integration, communicate
8
More testing
9
Ready for production!
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Operation
1
Operating system patching
2
Operating system upgrades
3
Operating system reconfiguration
4
Application patching
5
Application upgrades
6
Application reconfiguration
7
Diagnosis
8
Monitoring
9
More testing
10
etc.
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
A simple lifecycle (2)
Slide borders have been omitted here to make the diagram easier to read in your class notes.
Identify
Requirement
Proactive patching, O/S upgrades
Application upgrades
Procure
Oops
Operating
Physical Install Configure Integration Handover to
system Operate
installation Applications Applications Testing Operations
setup
Defect remediation
Functional Develop- (bug fixes) Fault
testing ment Diagnosis
Reactive patching, O/S upgrades
Happens somewhere other Decommission

than production. Right?
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

The cost of a single server
From notes:
Application $4000
Hardware $4000
Setup $1240 (about 25% of HW)
Operational budget 23 events over lifetime
Cost estimates for a single server

Lets try some very rough estimation, based on the following numbers; all figures in $AUD.
Staff paid at USD$60/hour; one (1) FTE = 8 hours from a single, suitably-skilled staff member.
H = $4000 Per-server hardware cost

A = $120 Per-purchase administration @0.25 FTE
P = $120 Per-server Physical install @0.25 FTE
L = $1000 Per-server Logical install @2.0 FTE
Note that the cost of application/site development is not considered, but is likely to be substantially more
than the cost of hardware in any case.
More interesting is what happens after installation:
w = $120 Per-activity cost @0.1 FTE

t = unknown # of work activities
t = (4000 1240)/120
= 23 Number of activities before ops cost >= H
. . . spread over the lifetime of the server.
What about the people cost?
In very simple terms:
One (1) sysadmin 2 servers/week setup only
Most time in Logical configuration
7 @mxcia r1.2
The cost of larger installations?
Economies of scale: Buy multiple servers at once

cheaper admin, bulk pricing
Automation
If servers are identical, clone to reduce logical setup
Write scripts to configure machines (automation)
Optimise processes
But where will this get us?
Things to think about:
What is the cost of a single change to one server? (Hint: cost is not just in dollars. . . )
What is the cost of a single change to multiple servers?
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Reasons to automate
Professional laziness
Repetition
Consistency
Assurance
Support Delegation
Complex tasks are easy to . . . get wrong
Cant avoid it. Think: scale
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Automation Lies
///// Fibs
////// Myths
Automation will reduce head count

Automation reduces need for high-end SysAdmins z
We dont need to automate because this is only
temporary/one-off
Its Windows we have to use the GUI
Everything needs to be automated
In the very specific case where you have large numbers of identical (i.e. homogeneous) servers, then au-
tomation certainly allows you to manage that server fleet with less staff. When it comes to fleets with varied
server configurations and applications (heterogeneous servers), its less clear on whether fewer staff will be
required. It turns out that that is a function of overall process maturity, which well talk about next. If youd
like to discuss hiring policy/philosophy for system staff, lets wait until the class is completed.
Relax, were not going to learn Windows scripting today. This bullet point is here to point out that systems
which are traditionally managed using GUIs can also have great scripting capability. Microsofts PowerShell
has some neat features that suit Windows environments, similarly AppleScript on OSX. Both PowerShell and
AppleScript have access to platform objects and standardised methods, which is a fancy way of saying that
they can deal with more than streams of characters (aka pipes). For the programmers among you, think:
marshalled objects (including collections of objects) being passed between processes. Event-driven scripts are
also possible. Neat!
z See next slide
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Targeting tasks
Not all tasks can (or should) be automated

Key questions:
1 What is the Return On Investment if I automate Task X?
2 What is the Cost of getting this wrong? z
3 What are you really trying to achieve?
z Automation doesnt remove the need to actually know what youre doing. An automation mistake has the
potential to be much more than Oops. Think about how youd stop a script running incorrectly on a single
server. Now imagine how youd stop that script running on 20 servers. . .
Think back to our opening question: Where do servers come from?
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Targeting tasks (2)
Example: Building a server once a year.

When would you automate?
What would you automate?
What resources would you spend?
Example: Standardised ntp.conf

Example: User account creation
Example: Is this server OK for production?
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

What is a maturity model?
A way to assess (measure) an organisations people,

processes and resource usage against a set of defined
practices and baselines.
Trying to answer questions:
Can we do better ? How? Where? Why?
What does better actually mean?
A model is a tool its not perfect
Depending on who you ask and the particular industry or field youre asking about, a maturity model can mean
very different things.
One simplistic way to start thinking about maturity models is to consider that any process is subject to
going wrong. What matters is how you respond to a problem. At one extreme, where you have no idea what
to do, you might Panic. At the other extreme, you know exactly how you are going to handle the problem
youre Prepared. Its pretty clear that its better to be Prepared, and the way to get there is by Planning.
Perfecting
PANIC!!!!! Planning Prepared
Low maturity Moderate maturity High maturity
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Maturity Models (2)

Ad-hoc demand and (typ- Typed commands based on user
ically) ad-hoc execution Ad-Hoc experience/expertise
Typed commands following docu-
Steps are docu-
Repeatible ment; some scripting/automation,
mented and followed possibly parameterised
Understand the environments.
Full system is well-defined. Defined Secondary parameters.
Infrastructure services support

Consistent, structured approach. Managed
automation.
Factor in performance and re-

Optimising
source utilisation.
The model shown here is almost identical to the Capability Maturity Model (CMM) originally developed in the
1980s by the Software Engineering Institute (https://sei.cmu.edu) at Carnegie Mellon University. Part
of the motivation in developing the CMM was to provide a way to objectively assess whether subcontractors
had a high likelihood of successfully delivering a software project. Analysis of previous software projects had
identified organisational and process attributes which were common to success (and failure). By mapping those
attributes to different levels, the hope was that a useful assessment model would result. The CMM has now
been replaced by the Capability Maturity Model Integrated (CMMI) but the same principles apply.
Note that its entirely possible to have different parts of an organisation and its processes at different levels.
For example, software development could be assessed at Defined and software release management could be
Ad-hoc.
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Maturity Models (3)

Slide borders have been omitted here to make the diagram easier to read in your class notes.
Ad-hoc Repeatible
Managed
Scripting
Manual Schedule
and Generalise
Commands and deploy
Doco
Tools for
Review &
specific
Analysis
problems
Optimising
Defined
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Maturity Models (4)
Moving from ad-hoc is hardest step
Consistency is critical for longevity and maintainability

Approaches to design, implementation, testing, deployment
Reduce number of tools/languages
Keep infrastructure similar
Infrastructure (read: API+policy) will be needed

eventually; plan early
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

System Administration Activities
Sysadmins work centres around configuration (settings,

files, software packages, status)
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Local settings
Setting
A setting is a value which specifies or determines the behavior
of a system (or a part of a system).
A setting may be changeable, but doesnt have to be.
Changing a setting may not have an immediate effect.
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Local settings (2)
Filesystem In configuration files

In databases (special case of files)
Implicitly within scripts
Network Stored externally and retrieved on-demand
Other Within flash/firmware
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Configuration files
Plain text
Semi-structured text e.g. ini, yaml files
Fully structured e.g. XML, JSON
Executable code
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Settings in databases
Canonical example: Windows Registry

Databases(!!)
Need to use specific tools to make changes
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Local settings stored externally
Examples: DHCP, some DNS record types

Cloud provider settings
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Common concerns
Security (Access control, Authorisation, Audit)

Syntax (correct structure)
Semantics (meaningful settings)
Activation
Reversion i.e. What to do when changes dont work
Verification and flow-on effects
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
The right way to change a setting?
Safe shouldnt break anything thats currently working

Generic process not limited to local files
Able to be automated
Able to be tracked/traced
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

The right way to change a setting? (2)
1
Pre-check: Its working now
2
Make a copy: Just in case
3
Make the change
4
Verify the change was made
5
Activate the change
Question: How would this process apply to dependent changes? What about co-dependent changes (e.g. a
multi-part change where all changes must be successful, or none, in order for the change to be successfully
applied)?
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
System Administration Activities
Domain Specific Language (DSL) to describe

configurations
Tools to implement these DSLs, distribute policies, etc.
A configuration here is a collection of all attributes which uniquely define a system at a point in time. This
includes, for example, configuration files, software installed, which processes are allowed or required to be
running, which processes should never be run, etc. The description of that configuration is given various names
by configuration management tools,with the names generally reflecting the particular approach taken by that
tool. For example:
CFE NGINE uses promise to describe desired/enforceable attributes, and policy to describe a collection of
promises
A NSIBLE uses playbooks which describe sequences of operations (tasks) grouped into roles.
P UPPET uses manifests to describe managed resources (including methods for management), and catalog for
a compiled collection of manifests to be applied to a target,
C HEF uses recipe files to hold descriptions of resources and resource management directives, cookbooks to
group recipes that are related, and roles to mark and group instantiations of cookbooks
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Configuration management tools (2)
Focus tends to be on system state, not operational tasks.

You can abstract some operational activities into config
management primitives
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
DSL Examples
Context is important!
The following examples are excerpts showing typical activities
in popular configuration management tools. These examples
will not work as-is.
Activities:
File owner/group and permissions, file contents
Service status
Software packages
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Example: File attributes, shell script
Issues: Platform specific; stat(1) required.

Reusable but brittle
Assumes POSIX-style filesystem
What about directories?
Please see following page for the shell script discussed in this slide. Typical usage would be to call this
from another shell script.
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
1 #!/bin/sh
2 # Test that a file exists, with given owner & group & permissions.
3 # Assumptions:
4 # * The stat command is present on your system
5 # * The owner and group given are alphanumeric, not UIDs
6 # * Permissions are given in octal, and exclude SUID/SGID
7 # * You have sufficient access to ALL directories above file
8
9 usage() {
10 echo Usage: checkfile file owner group perms
11 echo e.g. checkfile /etc/passwd root root 644
12 exit 1
13 }
14
15 case $# in
16 4) FILE="$1"
17 USER="$2"
18 GROUP="$3"
19 PERMS="$4"
20 ;;
21 *) usage()
22 ;;
23 esac
24
25 if [ ! test -e "${FILE}" ]; then
26 echo "${FILE} does not exist"
27 exit 11
28 fi
29
30 if [ ! test -f "${FILE}" ]; then

31 echo "${FILE} is not plain"
32 exit 11
33 fi
34
35 F_USER=stat -f %Su "${FILE}"

36 if [ z"${F_USER}" != z"${USER}" ]; then
37 echo "${FILE} not owned by user ${USER}"
38 exit 12
39 fi
40
41 F_GROUP=stat -f %Sg "${FILE}"

42 if [ z"${F_GROUP}" != z"${GROUP}" ]; then
43 echo "${FILE} not owned by group ${GROUP}"
44 exit 13
45 fi
46
47 F_PERMS=stat -f %p "${FILE}" | cut -c4-6

48 if [ z"${F_PERMS}" != z"${PERMS}" ]; then
49 echo "${FILE} different perms to ${PERMS}"
50 exit 14
51 fi
52
53 echo "${FILE} ok"

54 exit 0

Example: File attributes, CFEngine
bundle agent itpa_file_example

{
files:
"/var/run/hello-world.txt"
handle => "say_hello",
comment => "Hello ITPA short course!",
create => "true",
perms => mog("644", "mikec", "staff");
}
This example actually does more than the shell script on page 35, although some of the additions arent exactly
obvious:
If a target file doesnt exist, then it gets created. Adding this to the shell script is admittedly pretty easy.
but the CFE NGINE snippet can easily be extended to specify how to generate the contents of the new file
(see below for one way this can be done), or even to ensure that it has (or does not have) certain contents.
1 bundle agent itpa_file_example

2 {
3 files:
4 "/var/run/hello-world.txt"
5 handle => "say_hello",
6 comment => "Hello ITPA short course!",
7 create => "true",
8 perms => mog("644", "mikec", "staff"),
9 edit_line => replace_or_add("hello everyone");
10 }
This rule (or as CFE NGINE calls it, a files promise) has a name, and a description. The name is sim-
ilar to creating a dedicated shell script to check owner/group/permissions for each file of interest, and
consistently appears in log output.
If the promise detects that the given file doesnt conform, CFE NGINE will fix the file according to the
promise specification and log that a promise was repaired.
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Example: File attributes, Puppet
file { "/var/run/hello-world.txt":
ensure => "present",
mode => "644",
owner => "mikec",
group => "staff",
content => "hello everyone",
}
The P UPPET syntax is pretty straightforward. Although it resembles CFE NGINE, thats partly coincidence. The
big hint is the trailing comma that follows the last clause in this P UPPET file resource. The Ruby programmers
among you will recognise Ruby Hash syntax P UPPET is a DSL mainly implemented in Ruby.
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Example: File attributes, Chef
file /var/run/hello-world.txt do
owner mikec
group staff
mode 0644
content hello everyone!
end
Like Puppet, Chef makes heavy use of the Ruby programming language, but with a different approach. As
you can see in this example, individual attributes are specified by commands executed in a function (in this
case: the file function). This makes it very easy to leverage Ruby when a particular configuration item needs
something extra. The tradeoff is that more care is needed to keep separate code and data.
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Example: File attributes, Ansible
- name: Hello ITPA and ITMasters students

lineinfile: >
dest=/var/run/hello-world.txt
state=present
owner=mikec
group=staff
mode=0644
line=hello everyone
Our first A NSIBLE example! This particular snippet uses the A NSIBLE lineinfile module, which is specif-
ically designed to implement rules about line-based files. If you wanted a more fair comparison to the shell
script, that would use the A NSIBLE file module as shown below (additions and modifications to the slide
highlighted):
1 ---
2 - name: Hello ITPA and ITMasters students
3 file : >
4 dest=/var/run/hello-world.txt
5 state=file
6 owner=mikec
7 group=staff
8 mode=0644
9 # Removed: /line=hello/
////////////////// /everyone
///////////////
A NSIBLE configuration files use the YAML (Yet Another Markup Language) file format. This is a plain text
format, able to represent structured data. If you look at the last line above youll see an example of a YAML
comment. Like many other file formats, YAML uses the # (hash) to mark the start of a comment. A NSIBLE
will ignore anything after the # and you should make use of this to document all of your A NSIBLE plays.
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Example: File templates, Ansible (1)
---
- name: NTP | Create ntp.conf
template: >
src=ntp.conf.j2
dest=/etc/ntp.conf
owner=root
group=wheel
mode=0644
register: ntp_changed
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Example: File templates, Ansible (2)
<head><title>{{ title }}</title></head>

<body>
<ul>
{% for item in people %}
<li>{{ item.name }}</li>
{% endfor %}
</ul>
</body>
Full example:
Note that this is not related to the YML file on the previous slide; this example was chosen to illustrate
general Jinja2 syntax.
1 <html>
2 <head><title>{{ title }}</title></head>
3 <body>
4 <ul>
5 {% for item in people %}
6 <li>{{ item.name }}</li>
7 {% endfor %}
8 </ul>
9 </body>
10 </html>
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

File contents summary
Inline Given within policy

File copy From a known, good source
Edit Add/modify/delete a file in-place (e.g.
lineinfile)
Templates Expand a template, possibly with embedded
variables/logic
Command Run a command to generate; remember this was
done
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Example: Services, Ansible (1)
- name: NTP | Ensure ntpd is enabled

service: >
name=ntpd
enabled=yes
- name: NTP | Ensure ntpd is running

service: >
name=ntpd
state=started
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Example: Services, Ansible (2)
- name: ntpd restart

service: >
name=ntpd
state=restarted # Will always restart
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Services summary
Install/Remove Is the service installed?

Enable/disable Is the service enabled (e.g. at boot)
Start/Stop/Restart Current service state
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Example: Software, CFEngine
bundle agent manage_packages

{
packages:
"httpd"
policy => "present",
version => "latest",
package_module => yum;
"telnet"
policy => "absent",
package_module => yum;
}
1 bundle agent manage_packages

2 {
3 packages:
4
5 centos::
6 "httpd"
7 policy => "present",
8 version => "latest",
9 package_module => yum;
10
11 freebsd::
12 "apache2"
13 policy => "present",
14 version => "latest",
15 package_module => pkg;
16 }
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Example: Software, Ansible
- name: BASE | Install common packages

yum: name={{ item }} state=present
with_items:
- sudo
- bash
- name: BASE | Remove unwanted packages
yum: name={{ item }} state=absent
with_items:
- telnet
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Software summary
Packaging system Some platforms have multiple options for

packaging and/or installation method
Install/Remove Is the software installed?
Upgrade/Rollback Is automated upgrade/rollback
supported?
Start/Stop/Restart May be different to services
Enable/Disable Anything special needed to activate?
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Developer, System Administrator, or DevOps?
Discussion
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................

Homework for Week 1
Reading Two papers

Lab Set up Git account
Register for AWS free tier account and create
an EC2 instance
Install Python and Ansible locally (in a VM)
Forums Participate!
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
...............................................................................................
7 @mxcia r1.2
Week 1 Homework
Overview
This weeks exercises are aimed at:
1. Providing extra background about configuration management history and theory; and
2. Getting your personal machine set-up and ready for the hands-on part of the course.
Reading
This weeks reading list is a mix of history and basic background.
Before you start reading, review the questions below so that you have some idea of why you are reading
these particular articles. When you have a new question, write it down immediately so that you dont forget.
M Burgess. A Site Configuration Engine. Computing systems (MIT Press: Cambridge MA). 1995. Avail-
able at https://www.usenix.org/legacy/publications/compsystems/1995/sum_burgess.
pdf.
When reading this paper, concentrate on the features that the original version of the
r CFE NGINE language implemented, rather than the language itself (which has changed
a lot since those days).
The Wikipedia page on Group Policy; the general URL is at https://en.wikipedia.org/wiki/

Group_Policy. The version at https://en.wikipedia.org/w/index.php?title=Group_
Policy&oldid=770333152 is the version accessed on 19 Apri 2017.
Group Policy is not a complete configuration management system, but its interesting
r because of the features it does provide. You might want to do some additional reading
about Microsofts Active Directory.
v Promise Theory Basic Concepts (part 1). https://www.youtube.com/watch?v=2TPsB5WuZgk

Dealing with uncertainty is central to reliably configuring systems; this is a general (non-technical) video
that talks about Promise Theory a way to think about planning and intent, to achieve consistent out-
comes.
Questions
1. What are the benefits of separating system configuration from system control?
2. Where does the order of changes matter? Where does the order not matter?
3. What features of a Configuration Management system would be of most benefit to your site: software
distribution, file permissions, settings, rapid deployment, state consistency?
4. Why are you being asked to read papers describing systems that originated more than 15 years ago?

Exercise 1: Set up a Git account

This exercise is pretty easy. If you dont already have a personal Git account, register for a free plan at one of
the popular Git-as-a-serviceproviders:
GitLab https://gitlab.com/users/sign_in
BitBucket [ https://bitbucket.org/account/signup/
Github https://github.com/join
Youll need to have at least one free private repository available, and a basic understanding of how Git
works including:
How to create a new repository.
The difference between a repository, a workspace, and staging
How to add files to staging (git add)
How to commit files (git commit)
How to update a repository (git pull, git push, etc)
Tip: Some people will find it easier to use a text editor which has built-in support for Git, or a dedi-
cated Git client. I personally swap between Git Tower (https://www.git-tower.com/) and Source-
Tree (https://www.sourcetreeapp.com); both are available for Mac and Windows machines but
are paid software. You can also find a fairly comprehensive list of GUI clients, including free options, at
https://git-scm.com/downloads/guis. The same site includes a Git tutorial and documentation
that might be helpful.
7 @mxcia r1.2
Exercise 2: Create a Linux Virtual Machine (VM) and install Ansible
The objective of this exercise is to have a current version of Ansible and suitable Git repository available for
use in following weeks.
Create the VM
Using your preferred Virtulasation platform, and then install Ansible into your new VM (Virtual Machine). In
this exercise, you need to install Linux in a Virtual environment on your own machine,
1.
Install Python and Ansible
There are three reasons why this exercise is structured around installing Linux into your own
VM:
Isolation means that your class work is kept separate from your local machine you wont
(well, shouldnt) accidentally break anything and lose access to your local machine.
Gaining experience with installing Linux manually, assuming you havent already. Think of
3 this as learning how to do things the hard way so that you can better appreciate the
easy way.
Commonality of platforms. Not all students will be running a Unix-like platform, and this
means everyone has the same base, making it easier to provide support in forums
If youre comfortable using Python and working locally on your own machine, thats OK, but
please remember that youll be primary support for that environment.

Exercise 3: Create an AWS EC2 instance

Register for AWS free tier
Create an EC2 instance
7 @mxcia r1.2
Abstraction,
intention and state
2
To be released
7 @mxcia r1.2
Growing and
planning
3
To be released
7 @mxcia r1.2
The same but
different
4
To be released
7 @mxcia r1.2
Index
Active Directory (AD), 51 OSX, 15
Amazon Web Services (AWS), 54 OSX, 15
EC2, 54 AppleScript, 15
A NSIBLE, 31, 39
Ansible modules PowerShell, 15
file, 39 P UPPET, 31, 37
lineinfile, 39 Python, 50
API, 21
Scripting Languages
Apple
AppleScript, 15
OSX, 15
PowerShell, 15
AppleScript, 15
Python, 50
Application Programming Interface (API), 21
Templating language
Capability Maturity Model (CMM), 19
Jinja2, 41
Integrated (CMMI), 19
CFE NGINE, 31, 36, 37, 51 Windows
Chatham House Rule, The, 6 PowerShell, 15
C HEF, 31 Windows Server
Cloud services Active Directory, 51
Amazon Web Services (AWS), 54 Group Policy, 51
Configuration management
A NSIBLE, 31, 39 XML (eXtensible Markup Language), 25
CF ENGINE, 31, 36, 37, 51
C HEF, 31 YAML (Yet Another Markup Language), 25, 39
Git, 50, 52
P UPPET, 31, 37
Domain Specific Language (DSL), 31
EC2 (Amazon Web Services), 54
file Ansible module, 39

File formats
ini files, 25
Jinja2 j2 files, 41
xml files, 25
yaml files, 25, 39
Git, 50, 52
Group Policy, 51
Heterogeneous systems, 15
Homogeneous systems, 15
ini files, 25
Jinja2 templating language, 41
lineinfile Ansible module, 39
Microsoft
Active Directory, 51
Group Policy, 51
Operating systems

Config Management

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Config Management

Uploaded by

Copyright:

Available Formats

Configuration

In conjunction with IT Masters & ITPA (IT Professionals Association) 1

Trademarks, Products, Disclosures

On-site classes and workshops

training-onsite @ coffee net au.

Comments and feedback

itpa2016-config @ coffee net au.

In conjunction with IT Masters & ITPA (IT Professionals Association) 3

This course is a primer the purpose is to learn about the

The emphasis is on what and why more than how.

Four weeks teaching, plus exam

Ansible for demonstration but NOT an Ansible class.

A few comments on learning styles and this course

Webinar/lecture (aka broadcast aural knowledge) provided by a teacher

Forum discussion providing interaction with your peers and instructor(s)

Hands-on exercises to explore and build technical skills

Additional reading aimed at providing further background.

In conjunction with IT Masters & ITPA (IT Professionals Association) 5

This class is held under the Chatham House Rule.

We may mention specific companies, products, etc. The intention in using

Where do servers come from?

In conjunction with IT Masters & ITPA (IT Professionals Association) 7

Physical Logical Operate

External image sources:

Overworked programmer http://www.lessonsoffailure.com/wp-content/uploads/2010/04/overworked1.jpg

In conjunction with IT Masters & ITPA (IT Professionals Association) 9

Reactive patching, O/S upgrades

Happens somewhere other Decommission

In conjunction with IT Masters & ITPA (IT Professionals Association) 11

The cost of a single server

Cost estimates for a single server

H = $4000 Per-server hardware cost

More interesting is what happens after installation:

w = $120 Per-activity cost @0.1 FTE

. . . spread over the lifetime of the server.

What about the people cost?

In very simple terms:

One (1) sysadmin 2 servers/week setup only

Most time in Logical configuration

The cost of larger installations?

Economies of scale: Buy multiple servers at once

But where will this get us?

Things to think about:

What is the cost of a single change to multiple servers?

In conjunction with IT Masters & ITPA (IT Professionals Association) 13

Automation will reduce head count

In conjunction with IT Masters & ITPA (IT Professionals Association) 15

Not all tasks can (or should) be automated

Targeting tasks (2)

Example: Building a server once a year.

Example: Standardised ntp.conf

In conjunction with IT Masters & ITPA (IT Professionals Association) 17

What is a maturity model?

A way to assess (measure) an organisations people,

A model is a tool its not perfect

PANIC!!!!! Planning Prepared

Low maturity Moderate maturity High maturity

Maturity Models (2)

Infrastructure services support

Factor in performance and re-

In conjunction with IT Masters & ITPA (IT Professionals Association) 19

Maturity Models (3)

Maturity Models (4)