controls/update_def.cf

Table of Contents

This is where most common variables and classes are defined for the update policy. Note its variable scope can be augmented with def.json.

common bodies

update_def

Prototype: update_def

Implementation:

bundle common update_def
{
  classes:
    !feature_def_json_preparse::
      "have_augments_file" expression => fileexists($(augments_file)), scope => "bundle";
      "have_augments_classes" expression => isvariable("augments[classes]"), scope => "bundle";

    have_augments_classes.!feature_def_json_preparse::
      "$(augments_classes_data_keys)"
        expression => classmatch("$(augments[classes][$(augments_classes_data_keys)])"),
        meta => { "augments_class", "derived_from=$(augments_file)" };
    any::
      "sys_policy_hub_port_exists" expression => isvariable("sys.policy_hub_port");
  vars:
      "current_version" string => "3.11.1a.2ee5566";

    !feature_def_json_preparse::
      "augments_file" string => "$(this.promise_dirname)/../../def.json";

      "defvars" slist => variablesmatching("default:update_def\..*", "defvar");

    have_augments_file.!feature_def_json_preparse::
      "augments" data => readjson($(augments_file), 100k), ifvarclass => "have_augments_file";

      "override_vars" slist => getindices("augments[vars]");
      "override_data_$(override_vars)" data => mergedata("augments[vars][$(override_vars)]");
      "override_data_s_$(override_vars)" string => format("%S", "override_data_$(override_vars)");

    have_augments_classes.!feature_def_json_preparse::
      "augments_classes_data" data => mergedata("augments[classes]");
      "augments_classes_data_keys" slist => getindices("augments_classes_data");

    any::
      # Begin change

      # When parsing the augments_file from policy, we set input_name_patterns
      # based on the data extracted from within policy
      "input_name_patterns"
        slist => getvalues("override_data_input_name_patterns"),
        comment => "JSON-sourced filename patterns to match when updating the policy
                    (see update/update_policy.cf)",
        handle => "common_def_json_vars_input_name_patterns_without_feature_def_json_preparse",
        ifvarclass => and(isvariable("override_data_input_name_patterns"), "!feature_def_json_preparse"),
        meta => { "defvar" };

      # Default the input name patterns, if we don't find it defined in def
      # (from the augments_file).
      "input_name_patterns"
        slist => { ".*\.cf",".*\.dat",".*\.txt", ".*\.conf", ".*\.mustache",
                   ".*\.sh", ".*\.pl", ".*\.py", ".*\.rb",
                   "cf_promises_release_id", ".*\.json", ".*\.yaml" },
        comment => "Filename patterns to match when updating the policy
                    (see update/update_policy.cf)",
        handle => "common_def_vars_input_name_patterns_policy_default",
        ifvarclass => and(and(not(isvariable("override_data_acl")),
                          not(isvariable("input_name_patterns"))),
                          not(isvariable("def.input_name_patterns"))),
        meta => { "defvar" };

      # define based on data in def (which comes from augments file), if
      # present and input_name_patterns is not yet defined.).
      "input_name_patterns"
        slist => { @(def.input_name_patterns) },
        comment => "Filename patterns to match when updating the policy
                    (see update/update_policy.cf)",
        handle => "common_def_vars_input_name_patterns_from_def_with_feature_def_json_preparse",
        ifvarclass => and( isvariable("def.input_name_patterns"),
                           not(isvariable("input_name_patterns"))),
        meta => { "defvar" };

      # the permissions for your masterfiles, which will propagate to inputs
      "masterfiles_perms_mode" string => "0600",
      handle => "common_def_vars_masterfiles_perms_mode",
      meta => { "defvar" };

      "dc_scripts" string => "$(sys.workdir)/httpd/htdocs/api/dc-scripts",
      comment => "Directory where design center scripts are located on Enterprise Hub";

      "DCWORKFLOW" string => "/opt/cfengine",
      comment => "Directory where DC Workflow related things are stored";

      "masterfiles_staging" string => "$(DCWORKFLOW)/masterfiles_staging",
      comment => "Directory where Mission Portal Design Center
                  activations are staged for commit to upstream repository";

      "local_masterfiles_git" string => "$(DCWORKFLOW)/masterfiles.git",
      comment => "Local bare git repository, serves as OOTB upstream repo";

      "cf_git" string => "$(sys.workdir)/bin/git",
      comment => "Path to git binary installed with CFEngine Enterprise";

      "cf_apache_user" string => "cfapache",
      comment => "User that CFEngine Enterprise webserver runs as",
      handle => "common_def_vars_cf_cfapache_user";

      "cf_apache_group" string => "cfapache",
      comment => "Group that CFEngine Enterprise webserver runs as",
      handle => "common_def_vars_cf_cfapache_group";

    # enable_cfengine_enterprise_hub_ha is defined below
    # Disabled by default

    enable_cfengine_enterprise_hub_ha::
      "standby_servers" slist => filter("$(sys.policy_hub)", "ha_def.ips", false, true, 10);
      "policy_servers" slist => { "$(sys.policy_hub)", "@(standby_servers)" };

    !enable_cfengine_enterprise_hub_ha::
      "policy_servers" slist => {"$(sys.policy_hub)"};

  classes:

      # Trigger binary upgrade from policy hub
      # Disable by default
      "trigger_upgrade" or => {
                               "!any",
                              };

      # Update masterfiles from Git
      # Enabled for enterprise users by default
      # you can also request it from the command line with
      # -Dcfengine_internal_masterfiles_update

      # NOTE THAT ENABLING THIS BY DEFAULT *WILL* OVERWRITE THE HUB'S $(sys.workdir)/masterfiles

      #"cfengine_internal_masterfiles_update" expression => "enterprise.!(cfengine_3_4|cfengine_3_5)";
      "cfengine_internal_masterfiles_update" expression => "!any";

      # Transfer policies and binaries with encryption
      # you can also request it from the command line with
      # -Dcfengine_internal_encrypt_transfers

      # NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf

      "cfengine_internal_encrypt_transfers" expression => "!any";

      # Purge policies that don't exist on the server side.
      # you can also request it from the command line with
      # -Dcfengine_internal_purge_policies

      # NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf

      "cfengine_internal_purge_policies" expression => "!any";

      # Preserve permissions of the policy server's masterfiles.
      # you can also request it from the command line with
      # -Dcfengine_internal_preserve_permissions

      # NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf

      "cfengine_internal_preserve_permissions" expression => "!any";

      # Disable checking of cf_promises_validated before updating clients.
      # Disabling checking of cf_promises_validated ensures that remote agents
      # will **always** scan all of masterfiles for any changes and update
      # accordingly. This is not recommended as it both removes a safety
      # mechanism that checks for policy to be valid before allowing clients to
      # download updates, and the increased load on the hub will affect
      # scalability. Consider using time_based, select_class, or dist based classes
      # instead of any to retain some of the benefits. **DISABLE WITH CAUTION**

      "cfengine_internal_disable_cf_promises_validated"
        expression => "!any",
        comment => "When cf_promises_validated is disabled remote agents will
                   always scan all of masterfiles for changes. Disabling this
                   is not recommended as it will increase the load on the policy
                   server and increases the possibility for remote agents to
                   receive broken policy.";

      # Enable CFEngine Enterprise HA Policy
      "enable_cfengine_enterprise_hub_ha" expression => "!any";
      #"enable_cfengine_enterprise_hub_ha" expression => "enterprise_edition";

      # Enable failover to node which is outside cluster
      #"failover_to_replication_node_enabled" expression => "enterprise_edition";

  reports:
    DEBUG|DEBUG_update_def::
      "DEBUG: $(this.bundle)";
      "$(const.t) override request $(override_vars) to '$(override_data_s_$(override_vars))'; new value '$($(override_vars))'"
        ifvarclass => isvariable("override_data_$(override_vars)");

      "$(const.t) defined class role/byname $(extra_roles[byname][$(roles_byname_keys)]) because of classmatch('$(roles_byname_keys)')"
        ifvarclass => "$(extra_roles[byname][$(roles_byname_keys)])";

      "$(const.t) defined class role/byrole $(roles_byrole_keys) because of classmatch('$(extra_roles[byrole][$(roles_byrole_keys)])')"
        ifvarclass => "$(roles_byrole_keys)";

      "$(const.t) $(defvars) = $($(defvars))";
      "DEBUG $(this.bundle): Agent parsed augments_file"
        ifvarclass => "have_augments_file.feature_def_json_preparse";
      "DEBUG $(this.bundle): Policy parsed augments_file"
        ifvarclass => "have_augments_file.!feature_def_json_preparse";
      "DEBUG $(this.bundle): input_name_pattern = '$(input_name_patterns)'";
}