From e7fe6c1dcaa905bddcb27e23706e842df0da43a1 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Tue, 13 Mar 2018 17:57:11 +0100
Subject: Moved to a more traditional update.cf mechanism without overwriting the builtin failsafe.cf
---
 update.cf | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 131 insertions(+), 3 deletions(-)
(limited to 'update.cf')
diff --git a/update.cf b/update.cf
index 94cd97a..7f0d6ff 100644
--- a/update.cf
+++ b/update.cf
@@ -4,7 +4,135 @@ body common control
 bundlesequence => { main, };
- inputs => {
- "failsafe.cf",
- };
+ inputs => {};
+}
+
+bundle agent main
+{
+ vars:
+ any::
+ "input_name_patterns" slist => {
+ "authorized_keys",
+ "cf_promises_release_id",
+ ".*templates.*",
+ ".*\.cf",
+ ".*\.dat",
+ ".*\.txt",
+ ".*\.cfg",
+ ".*\.conf",
+ ".*\.json",
+ ".*\.mustache",
+ ".*\.pl",
+ ".*\.py",
+ ".*\.rb",
+ ".*\.sh",
+ ".*\.yaml",
+ };
+ files:
+ !am_policy_hub::
+ "$(sys.inputdir)/cf_promises_validated"
+ copy_from => secure_cp("$(sys.masterdir)/cf_promises_validated"),
+ action => immediate,
+ classes => if_repaired("validated_updates_ready");
+ "$(sys.workdir)/modules"
+ copy_from => secure_cp("modules"),
+ depth_search => recurse("inf"),
+ perms => m("755"),
+ action => immediate,
+ file_select => exclude_vcs_files;
+ am_policy_hub::
+ "$(sys.masterdir)/."
+ perms => m(700),
+ depth_search => recurse_basedir("inf"),
+ action => immediate;
+ am_policy_hub|validated_updates_ready::
+ "$(sys.inputdir)"
+ copy_from => secure_cp("$(sys.masterdir)"),
+ depth_search => recurse("inf"),
+ file_select => input_files,
+ action => immediate,
+ classes => results("bundle", "update_inputs");
+ update_inputs_not_kept::
+ "$(sys.inputdir)/cf_promises_validated"
+ delete => tidy;
+}
+
+body file_select exclude_vcs_files
+{
+ leaf_name => { "\.git.*" };
+ file_result => "!leaf_name";
+}
+
+body file_select input_files
+{
+ leaf_name => { @(main.input_name_patterns) };
+ file_result => "leaf_name";
+}
+
+body perms m(mode)
+{
+ mode => "$(mode)";
+}
+
+body copy_from secure_cp(from)
+{
+ any::
+ source => "$(from)";
+ compare => "digest";
+ encrypt => "true";
+ verify => "true";
+ !am_policy_hub::
+ servers => { "$(sys.policy_hub)" };
+ portnumber => "$(sys.policy_hub_port)";
 }
+
+body action immediate
+{
+ ifelapsed => "0";
+}
+
+body classes if_repaired(x)
+{
+ promise_repaired => { "$(x)" };
+}
+
+body depth_search recurse(d)
+{
+ depth => "$(d)";
+ xdev => "true";
+}
+
+body depth_search recurse_basedir(d)
+{
+ include_basedir => "true";
+ depth => "$(d)";
+ exclude_dirs => { "\.svn", "\.git", "git-core" };
+}
+
+body delete tidy
+{
+ dirlinks => "delete";
+ rmdirs => "true";
+}
+
+body classes results(scope, class_prefix)
+{
+ scope => "$(scope)";
+
+ promise_kept => { "$(class_prefix)_reached",
+ "$(class_prefix)_kept" };
+ promise_repaired => { "$(class_prefix)_reached",
+ "$(class_prefix)_repaired" };
+ repair_failed => { "$(class_prefix)_reached",
+ "$(class_prefix)_error",
+ "$(class_prefix)_not_kept",
+ "$(class_prefix)_failed" };
+ repair_denied => { "$(class_prefix)_reached",
+ "$(class_prefix)_error",
+ "$(class_prefix)_not_kept",
+ "$(class_prefix)_denied" };
+ repair_timeout => { "$(class_prefix)_reached",
+ "$(class_prefix)_error",
+ "$(class_prefix)_not_kept",
+ "$(class_prefix)_timeout" };
+}
\ No newline at end of file
--
cgit v1.2.3
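Review bot: The new `secure_cp` body turns on `encrypt`, `verify` and `compare => "digest"`, but nothing in the file says what authenticates `$(sys.policy_hub)` on the `!am_policy_hub::` path; since no `trustkey` attribute is set (the safe default), every client copy depends on the hub key already being trusted from bootstrap, and that deserves a comment above the body, e.g. `# Hub key must already be trusted (bootstrap-time exchange); keep trustkey unset here.` The `perms` calls in `bundle agent main` are inconsistently quoted — `m(700)` on `"$(sys.masterdir)/."` versus `m("755")` on the modules copy — and `m("700")` matches how the body uses `"$(mode)"`. Note also that `m(700)` with `recurse_basedir("inf")` is applied to every regular file under masterdir as well as to directories, so each policy file becomes owner-executable; I cannot tell from the hunk whether that bit is intended or whether the goal is only to hide masterdir from other users, so a one-line comment stating the intent would help the next reader.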