controls/def.cf

Table of Contents

This is where most common variables and classes are defined. Note its variable scope can be augmented with def.json.

common bodies

def

Prototype: def

Implementation:

bundle common def
{
  classes:
    "_workaround_CFE_2333" -> { "https://tracker.mender.io/browse/CFE-2333" }
      or => { "cfengine_3_7_3", "cfengine_3_8_1", "cfengine_3_8_2" };

    # If the augments_file is parsed from C then we do not need ot do this work
    # from policy
    !(feature_def_json_preparse)|(_workaround_CFE_2333)::
      "have_augments_file" expression => fileexists($(augments_file)), scope => "bundle";
      "have_augments_classes" expression => isvariable("augments[classes]"), scope => "bundle";
      "have_augments_inputs" expression => isvariable("augments[inputs]"), scope => "bundle";

    have_augments_classes.!(feature_def_json_preparse)|(_workaround_CFE_2333)::
      "$(augments_classes_data_keys)"
        expression => classmatch("$(augments[classes][$(augments_classes_data_keys)])"),
        meta => { "augments_class", "derived_from=$(augments_file)" };

  vars:

    !(feature_def_json_preparse)|(_workaround_CFE_2333)::
      "augments_file" string => "$(this.promise_dirname)/../../def.json";

      "defvars" slist => variablesmatching("default:def\..*", "defvar");

    have_augments_file.!feature_def_json_preparse|(_workaround_CFE_2333)::
      "augments" data => readjson($(augments_file), 100k), ifvarclass => "have_augments_file";

      "augments_inputs" slist => getvalues("augments[inputs]");
      "override_vars" slist => getindices("augments[vars]");
      "override_data_$(override_vars)" data => mergedata("augments[vars][$(override_vars)]");
      "override_data_s_$(override_vars)" string => format("%S", "override_data_$(override_vars)");

    any::
      "augments_inputs"
        slist => {},
        ifvarclass => not( isvariable( "augments_inputs" ) ),
        comment => "It's important that we define this list, even if it's empty
                    or we get errors about the list being unresolved.";

    have_augments_classes.!(feature_def_json_preparse)|(_workaround_CFE_2333)::
      "augments_classes_data" data => mergedata("augments[classes]");
      "augments_classes_data_keys" slist => getindices("augments_classes_data");

    any::
      # Begin change

      # Your domain name, for use in access control
      # Note: this default may be inaccurate!
      "domain"
        string => "$(sys.domain)",
        comment => "Define a global domain for all hosts",
        handle => "common_def_vars_domain",
        ifvarclass => not(isvariable("domain"));

      # Mail settings used by body executor control found in controls/cf_execd.cf
      "mailto"
        string => "root@$(def.domain)",
        ifvarclass => not(isvariable("mailto"));

      "mailfrom"
        string => "root@$(sys.uqhost).$(def.domain)",
        ifvarclass => not(isvariable("mailfrom"));

      "smtpserver"
        string => "localhost",
        ifvarclass => not(isvariable("smtpserver"));

      # List here the IP masks that we grant access to on the server

      # Only define here if we are not capable of parsing augments from C
      "acl"
        slist => getvalues("override_data_acl"),
        comment => "JSON-sourced: Define an acl for the machines to be granted accesses",
        handle => "common_def_json_vars_acl",
        ifvarclass => and(isvariable("override_data_acl"), "!feature_def_json_preparse"),
        meta => { "defvar" };

      "acl"
        slist => {
                   # Allow everything in my own domain.

                   # Note that this:
                   # 1. requires def.domain to be correctly set
                   # 2. will cause a DNS lookup for every access
                   # ".*$(def.domain)",

                   # Assume /16 LAN clients to start with
                   "$(sys.policy_hub)/16",

                   # Uncomment below if HA is used
                   #"@(def.policy_servers)"

                   #  "2001:700:700:3.*",
                   #  "217.77.34.18",
                   #  "217.77.34.19",
        },
        comment => "Define an acl for the machines to be granted accesses",
        handle => "common_def_vars_acl",
        ifvarclass => and(not(isvariable("override_data_acl")), not(isvariable("acl"))),
        meta => { "defvar" };

      # Out of the hosts in allowconnects, trust new keys only from the
      # following ones.  This is open by default for bootstrapping.

      # Only define here if we are not capable of parsing augments from C
      "trustkeysfrom"
        slist => getvalues("override_data_trustkeysfrom"),
        comment => "JSON-sourced: define from which machines keys can be trusted",
        ifvarclass => and(isvariable("override_data_trustkeysfrom"), "!feature_def_json_preparse"),
        meta => { "defvar" };

      "trustkeysfrom"
        slist => {
                   # COMMENT THE NEXT LINE OUT AFTER ALL MACHINES HAVE BEEN BOOTSTRAPPED.
                   "0.0.0.0/0", # allow any IP
        },
        comment => "Define from which machines keys can be trusted",
        ifvarclass => and(not(isvariable("override_data_trustkeysfrom")),
                          not(isvariable("trustkeysfrom"))),
        meta => { "defvar" };

      ## List of the hosts not using the latest protocol that we'll accept connections from
      ## (absence of this option or empty list means allow none)
      "control_server_allowlegacyconnects"
        slist => {},
        ifvarclass => not( isvariable( "control_server_allowlegacyconnects" ) );


      # Agent Controls

      "control_agent_default_repository"
        string => ifelse( isvariable( "control_agent_default_repository"),
                          $(control_agent_default_repository),
                          "$(sys.workdir)/backups"),
        if => "mpf_control_agent_default_repository";

      "control_agent_maxconnections"
        int => "30",
        ifvarclass => not( isvariable( "control_agent_maxconnections" ) );

      # Because in some versions of cfengine bundlesequence in body common
      # control does not support does not support iteration over data containers
      # we must first pick out the bundles into a shallow container that we can
      # then get a regular list from using getvalues().

      "tbse" data => mergedata( "def.control_common_bundlesequence_end" );

      # Since we have @(def.bundlesequence_end) in body common control
      # bundlesequence we must have a list variable defined. It can be empty, but it
      # must be defined. If it is not defined the agent will error complaining
      # that '@(def.bundlesequence_end) is not a defined bundle.

      # As noted in CFE-2460 getvalues behaviour varies between versions. 3.7.x
      # getvalues will return an empty list when run on a non existant data
      # container.  On 3.9.1 it does not return an empty list.
      # So we initialize it as an empty list first to be safe.

      "bundlesequence_end" slist => {};
      "bundlesequence_end" slist => getvalues( tbse );
      # Agent controls

      "control_agent_files_single_copy"
        slist => { },
        ifvarclass => not( some( ".*", "control_agent_files_single_copy") ),
        comment => "Default files_single_copy to an empty list if it is not
                    defined. It is expected that users can override the default
                    by setting this value from the augments file (def.json).";

      "control_server_maxconnections"
        int => "200",
        ifvarclass => not( isvariable( "control_server_maxconnections" ) );


    debian::
      "environment_vars"
        handle => "common_def_vars_environment_vars",
        comment => "Environment variables of the agent process. The values
                    of environment variables are inherited by child commands.",
        slist => {
                   "DEBIAN_FRONTEND=noninteractive",
                  # "APT_LISTBUGS_FRONTEND=none",
                  # "APT_LISTCHANGES_FRONTEND=none",
                 };

      # End change #

    any::
      "dir_masterfiles" string => translatepath("$(sys.masterdir)"),
      comment => "Define masterfiles path",
      handle => "common_def_vars_dir_masterfiles";

      "dir_reports"     string => translatepath("$(sys.workdir)/reports"),
      comment => "Define reports path",
      handle => "common_def_vars_dir_reports";

      "dir_bin"         string => translatepath("$(sys.bindir)"),
      comment => "Define binary path",
      handle => "common_def_vars_dir_bin";

      "dir_modules"     string => translatepath("$(sys.workdir)/modules"),
      comment => "Define modules path",
      handle => "common_def_vars_dir_modules";

      "dir_plugins"     string => translatepath("$(sys.workdir)/plugins"),
      comment => "Define plugins path",
      handle => "common_def_vars_dir_plugins";

      "dir_templates"
        string => ifelse( isvariable( "def.dir_templates"),
                          $(def.dir_templates),
                          "$(sys.workdir)/templates"),
      comment => "Define templates path",
      handle => "common_def_vars_dir_templates";


      "cf_apache_user" string => "cfapache",
      comment => "User that CFEngine Enterprise webserver runs as",
      handle => "common_def_vars_cf_cfapache_user";

      "cf_apache_group" string => "cfapache",
      comment => "Group that CFEngine Enterprise webserver runs as",
      handle => "common_def_vars_cf_cfapache_group";

    policy_server|am_policy_hub::

      # Only hubs serve software updates

      "dir_master_software_updates" -> { "ENT-4953" }
        string => "$(sys.workdir)/master_software_updates",
        handle => "common_def_vars_dir_serve_master_software_updates",
        comment => "Path where software updates are served from the policy hub.
        This variable is overridable via augments as
        vars.dir_master_software_updates. All remote agents request this path
        via the master_software_updates shortcut.",
        if => not( isvariable( "def.dir_master_software_updates" ));

    solaris::
      "cf_runagent_shell"
        string  => "/usr/bin/sh",
        comment => "Define path to shell used by cf-runagent",
        handle  => "common_def_vars_solaris_cf_runagent_shell";

    !(windows|solaris)::
      "cf_runagent_shell"
        string  => "/bin/sh",
        comment => "Define path to shell used by cf-runagent",
        handle  => "common_def_vars_cf_runagent_shell";

    any::
      "base_log_files" slist =>
      {
        "$(sys.workdir)/cf3.$(sys.uqhost).runlog",
        "$(sys.workdir)/promise_summary.log",
      };

      "enterprise_log_files" slist =>
      {
        "$(sys.workdir)/cf_notkept.log",
        "$(sys.workdir)/cf_repair.log",
        "$(sys.workdir)/state/cf_value.log",
        "$(sys.workdir)/outputs/dc-scripts.log",
        "$(sys.workdir)/state/promise_log.jsonl",
        "$(sys.workdir)/state/classes.jsonl",
      };

      "hub_log_files" slist =>
      {
        "$(sys.workdir)/httpd/logs/access_log", # Mission Portal
        "$(sys.workdir)/httpd/logs/error_log", # Mission Portal
        "/var/log/postgresql.log",
      };

      "max_client_history_size" -> { "cf-hub", "CFEngine Enterprise" }
        int => "50M",
        unless => isvariable(max_client_history_size),
        comment => "The threshold of report diffs which will trigger purging of
                    diff files.";

    enterprise.!am_policy_hub::
      # CFEngine's own log files
      "cfe_log_files" slist => { @(base_log_files), @(enterprise_log_files) };

    enterprise.am_policy_hub::
      # CFEngine's own log files
      "cfe_log_files" slist => { @(base_log_files), @(enterprise_log_files), @(hub_log_files) };

    !enterprise::
      # CFEngine's own log files
      "cfe_log_files" slist => { @(base_log_files) };

  # Directories where logs are rotated and old files need to be purged.

    any::
      "log_dir[outputs]" string => "$(sys.workdir)/outputs";
      "log_dir[reports]" string => "$(sys.workdir)/reports";

    enterprise.am_policy_hub::
      "log_dir[application]" string => "$(sys.workdir)/httpd/htdocs/application/logs";

    any::
      "cfe_log_dirs" slist => getvalues( log_dir );

      "purge_scheduled_reports_older_than_days" -> { "ENT-4404" }
        string => "30",
        if => not( isvariable( purge_scheduled_reports_older_than_days ) ),
        comment => "This controls the maximum age of artifacts generated by the
                    asynchronous query API and scheduled reports.";

  # Enterprise HA Related configuration
  # enable_cfengine_enterprise_hub_ha is defined below
  # Disabled by default

    enable_cfengine_enterprise_hub_ha::
      "standby_servers" slist => filter("$(sys.policy_hub)", "ha_def.ips", false, true, 10);
      "policy_servers" slist => { "$(sys.policy_hub)", "@(standby_servers)" };

    !enable_cfengine_enterprise_hub_ha::
      "policy_servers" slist => {"$(sys.policy_hub)"};

    enterprise_edition.policy_server::
      "control_hub_exclude_hosts"
        slist => { "" },
        unless => isvariable(control_hub_exclude_hosts);

      "mpf_access_rules_collect_calls_admit_ips"
        slist => { @(def.acl) },
        unless => isvariable(mpf_access_rules_collect_calls_admit_ips);

    enterprise_edition.client_initiated_reporting_enabled::
      "control_server_call_collect_interval"
        string => "5",
        unless => isvariable(control_server_call_collect_interval);

    enterprise_edition.policy_server::
      "default_data_select_host_monitoring_include"
        comment => "Most people have monitoring systems, so instead of collecting data people won't use we save the work unless its requested.",
        slist => { },
        unless => isvariable( default_data_select_host_monitoring_include );

      "default_data_select_policy_hub_monitoring_include"
        comment => "Collect all the monitoring data from the hub itself. It can be useful in diagnostics.",
        slist => { ".*" },
        unless => isvariable( default_data_select_policy_hub_monitoring_include );

  classes:

      ### Enable special features policies. Set to "any" to enable.

      # Auto-load files in "services/autorun" and run bundles tagged "autorun".
      # Disabled by default!
      "services_autorun" -> { "jira:CFE-2135" }
        comment => "This class enables the automatic parsing running of bundles
                    tagged with 'autorun'. Evaluation limitations require that
                    this class is set at the beginning of the agent run, so it
                    must be defined in the augments file (def.json), or as an
                    option to the agent with --define or -D. Changing the
                    expression here will *NOT* work correctly. Setting the class
                    here will result in an error due to the autorun bundle not
                    being found.",
        expression => "!any";

      # Internal CFEngine log files rotation
      "cfengine_internal_rotate_logs" expression => "any";

      # Enable or disable agent email output (also see mailto, mailfrom and
      # smtpserver)
      "cfengine_internal_agent_email" expression => "any";
      "cfengine_internal_disable_agent_email" expression => "!any";



      # Enable or disable external watchdog to ensure cf-execd is running
      "cfe_internal_core_watchdog_enabled" expression => "!any";
      "cfe_internal_core_watchdog_disabled" expression => "!any";

      # Transfer policies and binaries with encryption
      # you can also request it from the command line with
      # -Dcfengine_internal_encrypt_transfers

      # NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN update.cf

      "cfengine_internal_encrypt_transfers" expression => "!any";

      # Purge policies that don't exist on the server side.
      # you can also request it from the command line with
      # -Dcfengine_internal_purge_policies

      # NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN update.cf

      "cfengine_internal_purge_policies" expression => "!any";

      # Preserve permissions of the policy server's masterfiles.
      # you can also request it from the command line with
      # -Dcfengine_internal_preserve_permissions

      # NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN update.cf

      "cfengine_internal_preserve_permissions" expression => "!any";

      # Allow the hub to edit sudoers in order for the Apache user to
      # run passwordless sudo cf-runagent. Enable this if you want the
      # Mission Portal to be able to troubleshoot failed Design Center
      # sketch activations on a host.
      "cfengine_internal_sudoers_editing_enable" expression => "!any";

      # Class defining which versions of cfengine are (not) supported
      # by this policy version.
      # Also note that this policy will only be run on enterprise policy_server
      "postgresql_maintenance_supported"
        expression => "(policy_server.enterprise.!enable_cfengine_enterprise_hub_ha)|(policy_server.enterprise.enable_cfengine_enterprise_hub_ha.hub_active)";

      # This class is for PosgreSQL maintenance
      # pre-defined to every Sunday at 2 a.m.
      # This can be changed later on.
      "postgresql_full_maintenance" expression => "postgresql_maintenance_supported.Sunday.Hr02.Min00_05";

      # Run vacuum job on database
      # pre-defined to every night except Sunday when full cleanup is executed.
      "postgresql_vacuum" expression => "postgresql_maintenance_supported.!Sunday.Hr02.Min00_05";

      # Enable CFEngine Enterprise HA Policy
      "enable_cfengine_enterprise_hub_ha" expression => "!any";
      #"enable_cfengine_enterprise_hub_ha" expression => "enterprise_edition";

      # Enable failover to node which is outside cluster
      #"failover_to_replication_node_enabled" expression => "enterprise_edition";

      # Enable cleanup of agent report diffs when they exceed
      # `def.max_client_history_size`
      "enable_cfe_internal_cleanup_agent_reports" -> { "cf-hub", "CFEngine Enterprise" }
        expression => "enterprise_edition",
        comment => "If reports are not collected for an extended period of time
                    the disk may fill up or cause additional collection
                    issues.";

  reports:
    DEBUG|DEBUG_def::
      "DEBUG: $(this.bundle)";

      "$(const.t) def.json was found at $(augments_file)"
        ifvarclass => fileexists( $(augments_file) );

      "$(const.t) override request $(override_vars) to '$(override_data_s_$(override_vars))'; new value '$($(override_vars))'"
      ifvarclass => isvariable("override_data_$(override_vars)");

      "$(const.t) defined class '$(augments_classes_data_keys)' because of classmatch('$(augments[classes][$(augments_classes_data_keys)])')"
      ifvarclass => "$(augments_classes_data_keys)";

      "$(const.t) $(defvars) = $($(defvars))";
      "DEBUG $(this.bundle): Agent parsed augments_file"
        ifvarclass => "have_augments_file.feature_def_json_preparse";
      "DEBUG $(this.bundle): Policy parsed augments_file"
        ifvarclass => "have_augments_file.!feature_def_json_preparse";
}

inventory_control

Prototype: inventory_control

Description: Inventory control bundle

This common bundle is for controlling whether some inventory bundles are disabled.

Implementation:

bundle common inventory_control
{
  vars:
      "lldpctl_exec" string => ifelse(fileexists("/usr/sbin/lldpctl"), "/usr/sbin/lldpctl",
                                     fileexists("/usr/local/bin/lldpctl"), "/usr/local/bin/lldpctl",
                                     "/usr/sbin/lldpctl");

      "lldpctl_json" string => "$(lldpctl_exec) -f json",
        unless => isvariable("def.lldpctl_json");
      "lldpctl_json" string => "$(def.lldpctl_json)",
        if => isvariable("def.lldpctl_json");

      "lsb_exec" string => "/usr/bin/lsb_release";
      "mtab" string => "/etc/mtab";
      "proc" string => "/proc";

  vars:

    freebsd::

      "dmidecoder" string => "/usr/local/sbin/dmidecode";

    !freebsd::

      "dmidecoder" string => "/usr/sbin/dmidecode";

  classes:
      # setting this disables all the inventory modules except package_refresh
      "disable_inventory" expression => "!any";

      # disable specific inventory modules below

      # by default disable the LSB inventory if the general inventory
      # is disabled or the binary is missing.  Note that the LSB
      # binary is typically not very fast.
      "disable_inventory_lsb" expression => "disable_inventory";
      "disable_inventory_lsb" not => fileexists($(lsb_exec));

      # by default disable the dmidecode inventory if the general
      # inventory is disabled or the binary does not exist.  Note that
      # typically this is a very fast binary.
      "disable_inventory_dmidecode" expression => "disable_inventory";
      "disable_inventory_dmidecode" not => fileexists($(dmidecoder));

      # by default disable the LLDP inventory if the general inventory
      # is disabled or the binary does not exist.  Note that typically
      # this is a reasonably fast binary but still may require network
      # I/O.
      "disable_inventory_LLDP" expression => "disable_inventory";
      "disable_inventory_LLDP" not => fileexists($(lldpctl_exec));

      # by default run the package inventory refresh every time, even
      # if disable_inventory is set
      "disable_inventory_package_refresh" expression => "!any";

      # by default disable the mtab inventory if the general inventory
      # is disabled or $(mtab) is missing.  Note that this is very
      # fast.
      "disable_inventory_mtab" expression => "disable_inventory";
      "disable_inventory_mtab" not => fileexists($(mtab));

      # by default disable the fstab inventory if the general
      # inventory is disabled or $(sys.fstab) is missing.  Note that
      # this is very fast.
      "disable_inventory_fstab" expression => "disable_inventory";
      "disable_inventory_fstab" not => fileexists($(sys.fstab));

      # by default disable the proc inventory if the general
      # inventory is disabled or /proc is missing.  Note that
      # this is typically fast.
      "disable_inventory_proc" expression => "disable_inventory|freebsd";
      "disable_inventory_proc" not => isdir($(proc));

      # by default don't run the CMDB integration every time, even if
      # disable_inventory is not set
      "disable_inventory_cmdb" expression => "any";

  reports:
    verbose_mode.disable_inventory::
      "$(this.bundle): All inventory modules disabled";
    verbose_mode.!disable_inventory_lsb::
      "$(this.bundle): LSB module enabled";
    verbose_mode.!disable_inventory_dmidecode::
      "$(this.bundle): dmidecode module enabled";
    verbose_mode.!disable_inventory_LLDP::
      "$(this.bundle): LLDP module enabled";
    verbose_mode.!disable_inventory_mtab::
      "$(this.bundle): mtab module enabled";
    verbose_mode.!disable_inventory_fstab::
      "$(this.bundle): fstab module enabled";
    verbose_mode.!disable_inventory_proc::
      "$(this.bundle): proc module enabled";
    verbose_mode.!disable_inventory_package_refresh::
      "$(this.bundle): package_refresh module enabled";
    verbose_mode.!disable_inventory_cmdb::
      "$(this.bundle): CMDB module enabled";
}