I have been using Cfengine since 2007-02 to manage some aspects of our Linux servers. Cfengine (like any automation tool) has a steep learning curve. It is difficult to climb out of the hole and get things up and running.

In 2008 I came in contact with Puppet, a tool I actually prefer to bootstrap new machines after the initial setup.

But cfengine is very handy for taking care of a busy system. It is lightweight and fast and well suited to garbage collection or, for example, ensuring that a directory is present and has the proper ownership.

It's just the perfect solution for complex garbage collection setups where you have to deal with up to ~150,000 files in a single directory (I know, not the best solution) but cfengine will happily pick out every single file which has to be deleted by date.

Installation of cfengine

apt-get install cfengine2

Quite easy ;-)

Configuration of cfengine

That's a very complex task which depends mostly on your needs. I recommend reading the very good Tutorial of cfengine at This will give you an idea of what can be done.

Some examples:

        control:
                actionsequence = ( directories files tidy shellcommands )
                sysadm = ( admin@host )

        directories:
                # make sure the directory exists with this owner, group and mode
                /var/somedir/tmp          o=root g=root m=775

        files:
                # check permissions
                /path/to/dir    o=user g=grp m=664 r=inf action=fixall

        tidy:
                # Garbage Collection:
                /path/to/dir                   pattern=* r=inf age=8




Normally cfengine will not delete directories. If this option is set to `true' then cfengine will delete any directories which are empty. Non-empty directories will not be touched and no message will be given unless in verbose mode. Note that this option overrides the above option dirlinks, so that even links which point to empty directories will be removed. If this is set to `sub' then the topmost directory will not be removed, only sub-directories.


This value is used to set the type of time comparison made using age. The default is to compare access times (atime) or the last time the file was read. A comparison by modification time (mtime) uses the last time the contents of the file was changed. The ctime parameter is the last time the contents, owner or permissions of the file were changed. Note that on directories, mtime is always used for comparisons, since the very act of stat'ing alters atime and makes this comparison meaningless.

recurse=number/inf -or- r=number/inf

This specifier tells cfengine whether or not to recurse into subdirectories. If the value is zero, only the named file or directory is affected. If the value is 1, it will open at most one level of subdirectory and affect the files within this scope. If the value is inf then cfengine opens all subdirectories and files beginning from the specified filename.

Find the complete documentation at
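To preview which files a tidy rule would pick before letting cfagent delete anything, the selection rules quoted above (age compared against atime, mtime or ctime, plus the recurse depth) can be approximated in Python. This is an added example, not part of cfengine or of the original page; `tidy_candidates` and `demo` are made-up names, age is assumed to be in days, only regular files are listed, and skipping symlinks is a choice of this sketch.

```python
import fnmatch
import os
import tempfile
import time

DAY = 86400  # seconds per day; age= is assumed to be in days

def tidy_candidates(root, pattern="*", age=8, time_type="atime",
                    recurse=float("inf"), now=None):
    """List regular files under root older than `age` days. Deletes nothing."""
    if time_type not in ("atime", "mtime", "ctime"):
        raise ValueError("time_type must be atime, mtime or ctime")
    cutoff = (time.time() if now is None else now) - age * DAY
    hits = []

    def walk(directory, depth):
        with os.scandir(directory) as entries:
            for entry in entries:
                # Choice of this sketch: never follow symlinks, so the
                # preview stays inside the tree that was named.
                if entry.is_symlink():
                    continue
                if entry.is_dir(follow_symlinks=False):
                    # recurse=0: named directory only; 1: one level down; inf: all
                    if depth < recurse:
                        walk(entry.path, depth + 1)
                    continue
                if (not entry.is_file(follow_symlinks=False)
                        or not fnmatch.fnmatch(entry.name, pattern)):
                    continue
                stamp = getattr(entry.stat(follow_symlinks=False), "st_" + time_type)
                if stamp < cutoff:
                    hits.append(entry.path)

    walk(root, 0)
    return sorted(hits)

def demo():
    """Constructed sample: a file last modified 30 days ago but read just now."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.log")
        open(path, "w").close()
        now = time.time()
        os.utime(path, (now, now - 30 * DAY))  # (atime, mtime)
        by_atime = tidy_candidates(d, age=8, time_type="atime", now=now)
        by_mtime = tidy_candidates(d, age=8, time_type="mtime", now=now)
        return ([os.path.basename(p) for p in by_atime],
                [os.path.basename(p) for p in by_mtime])

if __name__ == "__main__":
    print(demo())
```

With the default atime comparison a file that is still being read is never aged out, and on filesystems mounted noatime or relatime access times are not refreshed on every read, so check which timestamp matches what you mean by "old" before enabling deletion.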

Useful hints

display all classes defined on your host in 'parse-only-verbose' mode:

cfagent -p -v

run cfagent by hand

# only display what would be done, without actually doing it
cfagent -nvK | less

# define a class to be true (e.g. for testing purposes)
# in this example show what is to be done at 3 a.m.
cfagent -nvK -D Hr03 | less

use a standalone config file to be run:

cfagent -vKf /path/to/file
networking/cfengine.txt · Last modified: 2014-06 by tb