Table of Contents

controls/cf_serverd.cf

Table of Contents

This is where body server control is defined. body server control is where various settings related to cf-serverd can be tuned.

server bundles

access_rules

Prototype: access_rules

Implementation:

bundle server access_rules()
{
  access:

    any::

      "$(def.dir_masterfiles)/"
      handle => "server_access_grant_access_policy",
      shortcut => "masterfiles",
      comment => "Grant access to the policy updates",
      if => isdir( "$(def.dir_masterfiles)/" ),
      admit => { @(def.acl) };

      "$(def.dir_bin)/"
      handle => "server_access_grant_access_binary",
      comment => "Grant access to binary for cf-runagent",
      if => isdir( "$(def.dir_bin)/" ),
      admit => { @(def.acl) };

      "$(def.dir_data)/"
      handle => "server_access_grant_access_data",
      shortcut => "data",
      comment => "Grant access to data directory",
      if => isdir( "$(def.dir_data)/" ),
      admit => { @(def.acl) };

      "$(def.dir_modules)/"
      handle => "server_access_grant_access_modules",
      shortcut => "modules",
      comment => "Grant access to modules directory",
      if => isdir( "$(def.dir_modules)/" ),
      admit => { @(def.acl) };

      "$(def.dir_plugins)/"
      handle => "server_access_grant_access_plugins",
      comment => "Grant access to plugins directory",
      if => isdir( "$(def.dir_plugins)/" ),
      admit => { @(def.acl) };

      "$(def.dir_templates)/"
      handle => "server_access_grant_access_templates",
      shortcut => "templates",
      comment => "Grant access to templates directory",
      if => isdir( "$(def.dir_templates)/" ),
      admit => { @(def.acl) };

    policy_server|am_policy_hub::

      "$(def.dir_master_software_updates)/" -> { "ENT-4953" }
        handle => "server_access_grant_access_master_software_updates",
        shortcut => "master_software_updates",
        comment => "Grant access for hosts to download cfengine packages for self upgrade",
        if => isdir( "$(sys.workdir)/master_software_updates" ),
        admit => { @(def.acl) };

      enterprise_edition.policy_server::
        "collect_calls"
          resource_type => "query",
          admit_ips => { @(def.mpf_access_rules_collect_calls_admit_ips) };

    !windows::
      "$(def.cf_runagent_shell)"
      handle => "server_access_grant_access_shell_cmd",
      comment => "Grant access to shell for cfruncommand",
      admit => { @(def.policy_servers) };

    policy_server.enable_cfengine_enterprise_hub_ha::
      "$(sys.workdir)/ppkeys/"
      handle => "server_access_grant_access_ppkeys_hubs",
      comment => "Grant access to ppkeys for HA hubs",
      if => isdir( "$(sys.workdir)/ppkeys/" ),
      admit => { @(def.policy_servers) };

      # Allow slave hub to synchronize cf_robot and appsettings, application
      # config config, ldap config settings, and ldap api config settings.
      # Files are containing configuration that must be the same on all hubs.
      "$(sys.workdir)/httpd/htdocs/application/config/cf_robot.php"
      handle => "server_access_grant_access_cf_robot",
      comment => "Grant access to cf_robot file for HA hubs",
      admit => { @(def.policy_servers) };

      "$(sys.workdir)/httpd/htdocs/application/config/appsettings.php"
      handle => "server_access_grant_access_appsettings",
      comment => "Grant access to appsettings for HA hubs",
      admit => { @(def.policy_servers) };

      "$(sys.workdir)/httpd/htdocs/application/config/config.php" -> { "ENT-4944" }
      handle => "server_access_grant_access_application_config_config_php",
      comment => "Grant access to application config for HA hubs",
      admit => { @(def.policy_servers) };


      "$(sys.workdir)/httpd/htdocs/ldap/config/settings.php" -> { "ENT-4944" }
      handle => "server_access_grant_access_ldap_config_settings_php",
      comment => "Grant access to ldap config settings for HA hubs",
      admit => { @(def.policy_servers) };


      "$(sys.workdir)/httpd/htdocs/api/config/config.php" -> { "ENT-4944" }
      handle => "server_access_grant_access_api_config_settings_php",
      comment => "Grant access to LDAP api config for HA hubs",
      admit => { @(def.policy_servers) };

      # Allow access to notification_scripts directory so passive hub
      # will be able to synchronize its content. Once passive hub will
      # be promoted to act as a master all the custom scripts will be
      # accessible.
      "/opt/cfengine/notification_scripts/"
      handle => "server_access_grant_access_notification scripts",
      comment => "Grant access to notification scripts",
      if => isdir( "/opt/cfengine/notification_scripts/" ),
      admit => { @(def.policy_servers) };

      # When HA is enabled clients are updating active hub IP address
      # using data stored in master_hub.dat file.
      "$(ha_def.master_hub_location)"
      handle => "server_access_grant_access_policy_server_dat",
      comment => "Grant access to policy_server.dat",
      admit => { @(def.acl) };

      # Hubs keys working in HA configuration are stored in ppkeys_hubs directory.
      # In order to perform failover while active hub is down clients needs to
      # have all hubs keys. This gives ability to connect to slave hub promoted to active role
      # once active is down.
      "$(ha_def.hubs_keys_location)/"
      handle => "server_access_grant_access_to_clients",
      comment => "Grant access to hubs' keys to clients",
      if => isdir("$(ha_def.hubs_keys_location)/"),
      admit => { @(def.acl) };

    windows::
      "c:\program files\cfengine\bin\cf-agent.exe"
      handle => "server_access_grant_access_agent",
      comment => "Grant access to the agent (for cf-runagent)",
      admit   => { @(def.policy_servers) };

  roles:

      # Use roles to allow specific remote cf-runagent users to
      # define certain soft-classes when running cf-agent on this host

      ".*" authorize => { "root" };

}

server bodies

control

Prototype: control

Implementation:

body server control
{
      # List of ciphers the server accepts. For Syntax help see man page
      # for "openssl ciphers". Default is "AES256-GCM-SHA384:AES256-SHA"
      #allowciphers          => "AES256-GCM-SHA384:AES256-SHA";

      # List of hosts that may connect (change the ACL in def.cf)
      allowconnects         => { "127.0.0.1" , "::1", @(def.acl) };

      # Out of them, which ones should be allowed to have more than one
      # connection established at the same time?
      allowallconnects      => { "127.0.0.1" , "::1", @(def.acl) };

      # Out of the hosts in allowconnects, trust new keys only from the
      # following ones.  SEE COMMENTS IN def.cf
      trustkeysfrom         => { @(def.trustkeysfrom) };

      ## List of the hosts not using the latest protocol that we'll accept connections from
      ## (absence of this option or empty list means allow none)
      allowlegacyconnects   => { @(def.control_server_allowlegacyconnects) };

      # Maximum number of concurrent connections.
      # Suggested value >= total number of hosts
      maxconnections        => "$(def.control_server_maxconnections)";

      # Allow connections from nodes which are out-of-sync
      denybadclocks         => "false";

    enterprise_edition.client_initiated_reporting_enabled::

      # How often cf-serverd should try to establish a reverse tunnel for report
      # collection

      call_collect_interval => "$(def.control_server_call_collect_interval)";

      # The time in seconds that a collect-call tunnel will remain open for hub
      # to complete report transfer.
        collect_window => "$(def.control_server_collect_window)";

    # The MPF provides different variables for configuring which users are
    # allowed to initiate execution via cf-runagent.
    !policy_server::
      allowusers => { @(def.control_server_allowusers_non_policy_server) };

    policy_server::
        allowusers => { @(def.control_server_allowusers_policy_server) };

    windows::
      cfruncommand => "$(sys.cf_agent) -I -D cf_runagent_initiated -f \"$(sys.update_policy_path)\"  &
                       $(sys.cf_agent) -I -D cf_runagent_initiated";

    !windows.!cfengine_3_7::

      # In 3.10 the quotation is properly closed when EOF is reached. It is left
      # open so that arguments (like -K and --remote-bundles) can be appended.
      # 3.10.x does not automatically append -I -Dcfruncommand

        cfruncommand => "$(def.cf_runagent_shell) -c \'
                           $(sys.cf_agent) -I -D cf_runagent_initiated -f $(sys.update_policy_path)  ;
                           $(sys.cf_agent) -I -D cf_runagent_initiated";

    !windows.cfengine_3_7::

      # 3.7.x does not properly close open quotes when EOF is reached preventing
      # policy execution, so we must provide a trailing quote for cfruncommand.

      # 3.7.x Automatically appends -I -Dcfruncommand to the cfruncommand. This
      # results in an error about not being allowed to specify inputs for remote
      # execution from the update policy. In order to preserve the ability for
      # policy to know its execution provenance we define a different class
      # `cf_runagent_initiated` that does not elicit the error.

        cfruncommand => "$(def.cf_runagent_shell) -c \'
                           $(sys.cf_agent) -I -D cf_runagent_initiated -f $(sys.update_policy_path)  ;
                           $(sys.cf_agent) -I -D cf_runagent_initiated\'";

      # Bind to all interfaces including ipv6
      # Adding this on windows will force ipv6 only
      bindtointerface => "::";

}