Tag Archives: configuration management software

commando.io – manage servers

https://command.io is up for public beta now. It is a page from where you can manage your servers online in a pretty web interface.

It uses ssh – you need to allow commando.io’s server to ssh into your server. You can specify with which user, which port and then it uses an ssh key to log in.

When you sign up, first you get to choose your own subdomain, like awesome.commando.io and then add your user into there. The subdomain you get, let’s say awesome.commando.io is pointing to an IP. It is with this IP that commando is connecting to your server. So this should be firewalled.

First thing I noticed was that on a CentOS 6 the command you get to copy-paste does not account for that CentOS6 sets permissions to 775 by default when running mkdir ~/.ssh.
I sent a message to commando.io with the built-in messaging tool at 13th of November at 1223. 12 minutes later I had a reply, so quite quick at responding.

Also sent in a suggestion that they look into ssh-copy-id instead of making ~/.ssh and setting permissions manually :)

Real easy to add a recipe and then run it on a server.

I could not find any existing recipes, nor where there any links to a repository or community page where one could share recipes or even example recipes.

All in all:

  • It looks nice and mostly works.
  • Is it safe? Do I want to give access to a third party provider that doesn’t have any obvious information declaring their high intent of security.
  • Some things that would be nice:
    • scheduled executions
    • using states – puppet-like, to insure that something that was done in a recipe once is still the current state of the machine.
    • group import of servers

cfengine – what’s that about?


It’s a (old) software that is used to make sure that (for example) the same config files are used on all machines. There are several other CMSs, for example puppet. Wikipedia has a nice overview of them.

Let’s use the lustre   machines we set up in a previous post.

On cfengine.com there are many examples too.

Inside a policy you have a promise.


Installing on an RPM-based distribution is easy, cfengine has their own repository where the community edition is available.


Get the gpg-key, import it, set up the repository-file and install “cfengine-community”.

Check if “cfengine3” is set to start on boot.


A small example how to write a promise.

  • “cf-promise -f ” can be used to test that a promise is valid (syntax and more is OK)
  • “cf-agent -f” run the promise, so if we use the example in the link above it echoes a Hello World.



Client pulls policies from the server.

policy-server: mds –
client1: client1 –
client2: oss1 –

on the policy-server hit: “/var/cfengine/bin/cf-agent –bootstrap –policy-server”

open port 5308 on the policy-server.

After you see “-> Bootstrap to completed successfully” you can run the same cf-agent command on the client. This points it to use as the policy-server.

No need to open port on the clients.

On the policy-server add this to /var/cfengine/masterfiles/cftest1.cf:

bundle agent test
   comment => "Promise that a plain file exists with stated permissions",
    perms => mog("644", "root", "sys"),
   create => "true";

Then in /var/cfengine/masterfiles/promises.cf you can’t follow the guide verbatim, the promises.cf needs to look like this (really important to have “, ” as a separator between the bundles, notice the space after the “,”.

   body common control 
     bundlesequence => { "main", "test" };
             inputs => { 
            version => "Community Promises.cf 1.0.0";

After that you can run “cf-agent -Kv” on the client, and it will do what is promised in the cftest1.cf file!

Try to change ownership/permissions on the file, in a while it will have been changed back :)

In /var/cfengine/promise_summary.log you’ll see if it couldn’t keep a promise and if it corrected the mistake.

Distribute it

And to get oss1 the same file. Just run the good old “/var/cfengine/bin/cf-agent –bootstrap –policy-server” on it and eventually that file /tmp will pop up in there too. Nice!

Some useful stuff.

I’ll probably try out some more useful things in the near future.

Streamline resolv.conf settings, ip routes, config files for software like to make sure /etc/dcache/dcache.conf is the same on all pool servers or why not a kind of user database? Like for /etc/passwd? Check out the solutions on cfengine.com!