1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
|
# Failsafe file
# - Always ensured to run the update bundle. Do not modify. Ever.
# Failsafe imports and promises
body agent control {
any::
abortclasses => { "no_ppkeys_ABORT_kept" }; # Bootstrapping can't continue without keys
ifelapsed => "0"; # Make sure that running failsafe many times in a row does not change functionality
}
bundle agent main {
methods:
any::
"Check Keys"
usebundle => failsafe_checkkeys,
comment => "Without a valid keypair we aren't going to be able to establish trust";
"Copy binaries"
usebundle => failsafe_copy_binaries,
comment => "Not all distributions populate /var/cfengine/bin";
"Fetch Inputs"
usebundle => failsafe_update,
comment => "We need to fetch policy from upstream if we are bootstrapping or if we are performing failsafe recovery.";
"Report"
usebundle => failsafe_report,
comment => "It's important to let the user know what happened as the result of the bootstrap or failsafe operation.";
}
bundle agent failsafe_checkkeys
{
classes:
any::
"have_ppkeys" expression => fileexists("$(sys.workdir)/ppkeys/localhost.pub");
reports:
!have_ppkeys::
"No public/private key pair is loaded, please create one by running \"cf-key\"" classes => failsafe_results("namespace", "no_ppkeys_ABORT");
}
bundle agent failsafe_copy_binaries
{
vars:
freebsd::
"binaries" slist => {
"cf-agent",
"cf-execd",
"cf-key",
"cf-monitord",
"cf-promises",
"cf-runagent",
"cf-serverd",
"cf-upgrade",
};
files:
freebsd::
"$(sys.bindir)/$(binaries)"
copy_from => failsafe_cp("/usr/local/sbin/$(binaries)"),
action => failsafe_u_immediate,
classes => failsafe_results("namespace", "copy_binaries");
reports:
copy_binaries_repaired::
"cf-engine binaries updated";
}
bundle agent failsafe_update {
vars:
any::
# A policy server cannot use the shortcut feature to resolve
# masterfiles since cf-serverd is potentially not yet up and
# running.
# The unqualified path is used for non policy servers so that
# the policy server can use a shortcut to decide on behalf of
# the client which policy to serve by default. This is useful
# when running binaires from mixed sources (for example CFEngine
# produced binaries vs packages from the debian repository).
"masterfiles_dir_remote" string => ifelse( "policy_server", $(sys.masterdir), "masterfiles" );
classes:
systemd::
"cfengine3_service_running" expression => returnszero("/bin/systemctl status cfengine3", "noshell");
files:
any::
"$(sys.inputdir)"
copy_from => failsafe_scp("$(masterfiles_dir_remote)"),
depth_search => failsafe_recurse("inf"),
action => failsafe_u_immediate,
file_select => failsafe_exclude_vcs_files,
classes => failsafe_results("namespace", "inputdir_update");
inputdir_update_error::
"$(sys.inputdir)"
copy_from => failsafe_scp("$(sys.masterdir)"),
depth_search => failsafe_recurse("inf"),
file_select => failsafe_exclude_vcs_files,
classes => failsafe_results("namespace", "inputdir_update"),
comment => "If we failed to fetch policy we try again using the legacy default in case we are fetching policy
from a hub that is not serving masterfiles via a shortcut.";
!am_policy_hub::
"$(sys.workdir)/modules"
copy_from => failsafe_scp("modules"),
depth_search => failsafe_recurse("inf"),
perms => failsafe_u_m("755"),
action => failsafe_u_immediate,
file_select => failsafe_exclude_vcs_files,
classes => failsafe_results("namespace", "modulesdir_update");
processes:
!(windows|systemd)::
"cf-serverd" restart_class => "cf_serverd_not_running";
!systemd.inputdir_update_repaired::
"cf-execd" restart_class => "cf_execd_not_running";
commands:
cf_execd_not_running::
"$(sys.cf_execd)" classes => failsafe_results("namespace", "cf_execd_running");
cf_serverd_not_running::
"$(sys.cf_serverd)" classes => failsafe_results("namespace", "cf_serverd_running");
systemd.(!cfengine3_service_running|inputdir_update_repaired)::
"/bin/systemctl restart cfengine3"
contain => failsafe_noshell_and_silent,
classes => failsafe_results("namespace", "systemctl_restart_cfengine3");
}
bundle agent failsafe_report {
classes:
any::
"have_promises_cf" expression => fileexists("$(sys.inputdir)/promises.cf");
reports:
# !bootstrap_mode::
# "Built-in failsafe policy triggered";
bootstrap_mode::
"Bootstrapping from host '$(sys.policy_hub)' via built-in policy '$(this.promise_filename)'";
bootstrap_mode.policy_server::
"This host assumes the role of policy server";
bootstrap_mode.!policy_server::
"This autonomous node assumes the role of voluntary client";
# inputdir_update_repaired::
# "Updated local policy from policy server";
inputdir_update_repaired.!have_promises_cf::
"Failed to copy policy from policy server at $(sys.policy_hub):$(sys.masterdir)
Please check
* cf-serverd is running on $(sys.policy_hub)
* CFEngine version on the policy hub is 3.6.0 or latest - otherwise you need to tweak the protocol_version setting
* network connectivity to $(sys.policy_hub) on port $(sys.policy_hub_port)
* masterfiles 'body server control' - in particular allowconnects, trustkeysfrom and skipverify
* masterfiles 'bundle server' -> access: -> masterfiles -> admit/deny
It is often useful to restart cf-serverd in verbose mode (cf-serverd -v) on $(sys.policy_hub) to diagnose connection issues.
When updating masterfiles, wait (usually 5 minutes) for files to propagate to inputs on $(sys.policy_hub) before retrying.";
bootstrap_mode.systemctl_restart_cfengine3_repaired::
"Restarted systemd unit cfengine3";
systemctl_restart_cfengine3_error::
"Error restarting systemd unit cfengine3";
cf_serverd_running_repaired::
"Started the server";
cf_serverd_running_failed::
"Failed to start the server";
cf_execd_running_repaired::
"Started the scheduler";
cf_execd_running_failed::
"Failed to start the scheduler";
}
############################################
body copy_from failsafe_cp(from)
{
any::
source => "$(from)";
compare => "digest";
encrypt => "true";
verify => "true";
copy_backup => "false";
purge => "true";
}
############################################
body copy_from failsafe_scp(from)
{
any::
source => "$(from)";
compare => "digest";
encrypt => "true";
verify => "true";
copy_backup => "false";
purge => "true";
# This class is always set when bootstrapping. You can deactivate
# this class with --trust-server=no when bootstrapping
trust_server::
trustkey => "true";
!policy_server::
servers => { "$(sys.policy_hub)" };
portnumber => "$(sys.policy_hub_port)";
}
############################################
body depth_search failsafe_recurse(d)
{
depth => "$(d)";
exclude_dirs => { "\.svn", "\.git" };
}
############################################
body file_select failsafe_exclude_vcs_files
{
leaf_name => { "\.git.*", "\.mailmap" };
file_result => "!leaf_name";
}
############################################
body classes failsafe_results(scope, class_prefix)
# @brief Define classes prefixed with `class_prefix` and suffixed with
# appropriate outcomes: _kept, _repaired, _not_kept, _error, _failed,
# _denied, _timeout, _reached
#
# @param scope The scope in which the class should be defined (`bundle` or `namespace`)
# @param class_prefix The prefix for the classes defined
{
scope => "$(scope)";
promise_kept => { "$(class_prefix)_reached",
"$(class_prefix)_kept" };
promise_repaired => { "$(class_prefix)_reached",
"$(class_prefix)_repaired" };
repair_failed => { "$(class_prefix)_reached",
"$(class_prefix)_error",
"$(class_prefix)_not_kept",
"$(class_prefix)_failed" };
repair_denied => { "$(class_prefix)_reached",
"$(class_prefix)_error",
"$(class_prefix)_not_kept",
"$(class_prefix)_denied" };
repair_timeout => { "$(class_prefix)_reached",
"$(class_prefix)_error",
"$(class_prefix)_not_kept",
"$(class_prefix)_timeout" };
}
body contain failsafe_noshell_and_silent
{
useshell => "noshell";
no_output => true;
}
body perms failsafe_u_m(p)
{
mode => "$(p)";
}
body action failsafe_u_immediate
{
ifelapsed => "0";
}
|
