Of CFEngine and CentOS 7

By Paul Heinlein | Sep 6, 2014

All the cool DevOps kids are using Puppet and Chef for configuration management these days, but I’m still sticking with CFEngine, which has served me well since the late 1990s.

CentOS doesn’t have a native cfengine package, so I’ve used the EPEL cfengine package on CentOS 6 machines for some time now. There’s currently no such package for CentOS 7, however, so I’ve relied instead on the one found in the Fedora 20 package set.

On CentOS 7, the Fedora package works fine when running the pull utility, cf-agent, but it fails when trying to launch cf-serverd.

It appears the SELinux policy that ships with CentOS 7 (and Fedora 19) doesn’t allow cf-serverd to bind to its normal port, 5308/tcp. One solution on CentOS 7 and Fedora 19 is to tell SELinux to be permissive with binaries assigned the type cfengine_serverd_t:

semanage permissive -a cfengine_serverd_t

That’s not a good long-term solution, but at least I can manage my CentOS 7 and Fedora 19 machines centrally with cfengine until the package or policy gets fixed.
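A permissive domain still logs the denials it no longer enforces, so the audit log can confirm exactly what the policy blocks for cf-serverd. The script below is an added example, not part of the original post: the function names `avc_summary` and `sample_audit_log` are hypothetical, the log lines are constructed, and `example_port_t` is a placeholder target type.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one source domain.
# Reads audit.log-style lines on stdin and prints unique lines of the form
# "<permissions> <target class> <target type> <source port or ->".
avc_summary() {
    awk -v dom="$1" '
        /avc: +denied/ {
            perms = ""; stype = ""; ttype = ""; tclass = ""; port = "-"
            # Denied permissions sit between braces: { name_bind }
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
                gsub(/ +/, ",", perms)
            }
            for (i = 1; i <= NF; i++) {
                # Contexts are user:role:type:level, so the type is field 3.
                if ($i ~ /^scontext=/)      { split($i, c, ":"); stype = c[3] }
                else if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
                else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
                else if ($i ~ /^src=/)      { port = substr($i, 5) }
            }
            if (stype == dom) print perms, tclass, ttype, port
        }
    ' | sort -u
}

# Constructed sample records; example_port_t is a placeholder, read the
# real target type from your own log.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1410000001.101:201): avc:  denied  { name_bind } for  pid=2301 comm="cf-serverd" src=5308 scontext=system_u:system_r:cfengine_serverd_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1410000001.101:201): arch=c000003e syscall=49 success=no exit=-13 comm="cf-serverd"
type=AVC msg=audit(1410000061.417:214): avc:  denied  { name_bind } for  pid=2355 comm="cf-serverd" src=5308 scontext=system_u:system_r:cfengine_serverd_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1410000090.020:230): avc:  denied  { read } for  pid=2400 comm="httpd" name="notes" dev="dm-0" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Run against the sample; on a real host pipe in
#   ausearch -m avc -c cf-serverd --raw
sample_audit_log | avc_summary cfengine_serverd_t
```

Once the package or policy covers every line this reports, `semanage permissive -d cfengine_serverd_t` puts the domain back into enforcing mode.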