Managing Windows with CFEngine and Perl

How to manage Windows XP desktop systems under CFEngine. Together with Perl and sufficient application of force, CFEngine can manage user accounts, printer configuration, local group policy edits, and software installation. Additional infrastructure management pieces for the site in question included:

• Authenticate Windows to Unix Kerberos Servers.
   
• Automate installations with Unattended.
   
• module:policy - modify local group policy by CFEngine class. The source code for module:policy is available by request.
   
• module:print - print queue configuration.
   
• module:users - user account management.

The work documented here was done primarily by Alex Dioso to support Windows XP Professional desktop systems in the department of Genome Sciences.

Also consider WPKG for software management on Windows.

Initial Setup

CFEngine on Windows requires:

• cygwin - required to compile and run CFEngine.
   
• ActiveState Perl - required for Perl modules such as Win32::OLE and Win32::TieRegistry used by various scripts (user and printer management, software installation).
   
• Custom *.msi installer for CFEngine. Use Advanced Installer or similar to build *.msi packages. Visual Studio can build packages, but the process is long and difficult.

Install these via Unattended to automate host setup. Another option: use nLite to create a custom Windows installation CD, or create install images if the supported hardware has been standardized (via Norton Ghost or similar).

Other concerns:

• CFEngine must be patched, to workaround the special meaning of : in Windows filenames versus CFEngine’s requirement for a colon in module names.

Files on the (Unix) CFEngine server (and the recommended supporting version control repository) will still have : in their names. On Windows systems with the above patch applied, the : will be converted to + when copied to or used on Windows.

• Hosts used the Dynamic Host Configuration Protocol (DHCP) to obtain network configuration information; the CFEngine interfaces and other network configuration actions were not explored.

Configuration

CFEngine configuration tips and example for Windows. These notes rely on CFEngine Classes for class naming conventions and how the configuration files use import.

Configuration Tips

• Variables

In update.conf and cfagent.conf, consider setting the following variables. cf_install_dir varies by platform, as does the “default group for the superuser account”.

control:
compiled_on_cygwin::
cf_install_dir = ( /usr/sbin )
zerogroup = ( Administrators )

• Create windows class.

Consider shortening the long compiled_on_cygwin class to windows:

classes:
compiled_on_cygwin::
windows = ( compiled_on_cygwin )

Also create classes for different releases and revisions of Windows, to allow actions to target only Windows XP, or Windows XP service pack 1. These classes may require FileExists calls or shell scripts to set.

• Trailing slash required on copy sources.

Ensure directories copied (for example in update.conf) have a trailing slash after the source directory path:

copy:
any::
# note the trailing slash:
/var/cfengine/inputs/
dest=${workdir}/inputs backup=false recurse=inf
type=checksum encrypt=true
server=cfengine.example.org

• awk.exe buggy under cygwin: replace with gawk.exe.

copy:
compiled_on_cygwin::
/usr/bin/gawk.exe
dest=/usr/bin/awk.exe
owner=root group=${zerogroup} mode=700
recurse=1
backup=false
server=localhost
type=checksum

Example Configuration

Configuration example adapted from the main cf.windows configuration file. cfagent.conf, when read by cfagent, imports the cf.windows file after parsing other configuration files.

• cfagent.conf

import:
any::
# main config, groups (classes) definitions, site-wide actions
cf.main
cf.groups
cf.site

# contains application-specific imports
cf.applications

compiled_on_cygwin::
cf.windows

• cf.windows - example configuration for CFEngine on Windows.
   
• desktop-base.inf - security policy file, referenced in cf.windows.

Running

CFEngine should be run by two different methods, to ensure CFEngine will still run should one method fails. Scheduled tasks were found to randomly corrupt themselves.

Use schedule_cfexecd.pl and the statements in the cf.windows configuration file to run cfexecd as a Windows service.

Installing Software

The install_software.pl script can install software. See the cf.windows configuration file for examples.

To create *.msi installers, use either Visual Studio (long and difficult) or the freeware software Advanced Installer.

Modify Local Policy

Copying *.reg files based on CFEngine classes, then applying these files may be sufficient. Other tasks may require a script to make the necessary modifications, such as vscan_whitelist.pl.

lgp_edit.pl in conjunction with module:policy is another method. The source code for module:policy is available by request.

Utilities

• cmdwrap.pl - command wrapper, runs *.pl files under ActiveState Perl. Used by various other scripts listed on this page.
   
• fork_cmd.pl - Forks a command under cygwin.
   
• fork_dos_cmd.pl - Forks a DOS command, adds Perl or cscript if needed.
   
• get_software_version.pl - Get the highest version of all software that matches the argument (sometimes).
   
• install_software.pl - software installation script.
   
• lanmac.pl - return Medium Access Control (MAC) address of first network connection.
   
• lgp_edit.pl - Interface to modify the Local Group Policy.
   
• lpadmin.pl - Printer definition management script. Used by module:print.
   
• schedule_cfexecd.pl - Run cfexecd as Windows service.
   
• sys_shell.pl - Open a cmd window as System.
   
• useradmin.pl - Manage users on windows. Used by module:users.
   
• vscan_whitelist.pl - add or remove a program from VirusScan whitelist.