promises.cf


$(sys.inputdir)/promises.cf is the default policy run by the agent. It is responsible for specifying additional policy files that should be included as part of the policy and the order in which to run bundles.

Policy

common bundles

inventory

Prototype: inventory

Description: Set up inventory inputs

This bundle creates the inputs for inventory bundles.

Inventory bundles are simply common bundles loaded before anything else in promises.cf

Tested to work properly against 3.5.x

Implementation:

bundle common inventory
{
  # Picks the inventory policy files ("inputs") and the inventory bundles
  # ("bundles") for this host according to its platform class. promises.cf
  # reads the two lists as @(inventory.inputs) and @(inventory.bundles).
  classes:
      # True on any platform that has no dedicated branch under vars: below.
      "other_unix_os" expression => "!(windows|macos|linux|freebsd|aix)";
      # Linux families with their own inventory file; any other Linux host
      # falls through to the generic linux.!specific_linux_os branch.
      "specific_linux_os" expression => "redhat|debian|suse|sles";

  vars:
      # This list is intended to grow as needed
      # Every branch keeps the same framing: inventory/any.cf first and
      # inventory/os.cf last, with inventory_control, inventory_any and
      # inventory_autorun leading the bundle list and inventory_os closing it.
      # NOTE(review): each path listed here becomes a policy input of the
      # agent, so the files under inventory/ need the same write protection
      # as promises.cf itself.
    debian::
      "inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/debian.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_debian", "inventory_os" };
    redhat::
      "inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/redhat.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_redhat", "inventory_os" };
    suse|sles::
      "inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/suse.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_suse", "inventory_os" };
    windows::
      "inputs" slist => { "inventory/any.cf", "inventory/windows.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_windows", "inventory_os" };
    macos::
      "inputs" slist => { "inventory/any.cf", "inventory/macos.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_macos", "inventory_os" };
    freebsd::
      "inputs" slist => { "inventory/any.cf", "inventory/freebsd.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_freebsd", "inventory_os" };
      # Generic Linux: no distribution-specific file, only linux.cf and lsb.cf.
    linux.!specific_linux_os::
      "inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_os" };
      # AIX is the only branch that combines generic.cf with a platform file.
    aix::
      "inputs" slist => { "inventory/any.cf", "inventory/generic.cf", "inventory/aix.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_generic", "inventory_aix", "inventory_os" };
    other_unix_os::
      "inputs" slist => { "inventory/any.cf", "inventory/generic.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_generic", "inventory_os" };

  reports:
      # Only emitted when the verbose_mode class is set; names the inventory
      # files selected above, which helps when auditing what a host loads.
    verbose_mode::
      "$(this.bundle): loading inventory module '$(inputs)'";
}

cfe_internal_inputs

Prototype: cfe_internal_inputs

Description: Include internal self management policies

Implementation:

bundle common cfe_internal_inputs
{
  # Builds the list of CFEngine self-management policy files. Each file is
  # stored as one element of the array "input"; the final "inputs" list is
  # derived from that array and is read by promises.cf as
  # @(cfe_internal_inputs.inputs).
  vars:
      # Loaded on every host, regardless of edition.
    any::

      "input[cfe_internal_management]"
        string => "cfe_internal/CFE_cfengine.cf",
        comment => "This policy activates internal management policies
                    for both core and enterprise";

      "input[core_main]"
        string => "cfe_internal/core/main.cf",
        comment => "This policy activates other core policies";

      "input[core_limit_robot_agents]"
        string => "cfe_internal/core/limit_robot_agents.cf",
        comment => "The policy here ensures that we don't have too many
                    cf-monitord or cf-execd processes";

      "input[core_log_rotation]"
        string => "cfe_internal/core/log_rotation.cf",
        comment => "This policy ensures that various cfengine log files
                    do not grow without bound and fill up the disk";

      "input[core_host_info_report]"
        string => "cfe_internal/core/host_info_report.cf",
        comment => "This policy produces a text based host info report
                    and serves as a functional example of using mustache templates";

      "input[cfengine_internal_core_watchdog]"
        string => "cfe_internal/core/watchdog/watchdog.cf",
        comment => "This policy configures external watchdogs to ensure that
                    cf-execd is always running.";

      # Added only on Enterprise hosts that are classified as the policy
      # server / hub.
    enterprise_edition.(policy_server|am_policy_hub)::

      "input[enterprise_hub_specific]"
        string => "cfe_internal/enterprise/CFE_hub_specific.cf",
        comment => "Policy relating to CFEngine Enterprise Hub, for example
                    software updates, webserver configuration, and alerts";

# The promise between @if and @endif is only seen by binaries of version
# 3.12 or newer.
@if minimum_version(3.12)
      "input[enterprise_hub_federation]"
        string => "cfe_internal/enterprise/federation/federation.cf",
        comment => "Policy relating to CFEngine Federated Reporting";
@endif

      # Added on every Enterprise host, hub or not.
    enterprise_edition::

      "input[enterprise_knowledge]"
        string => "cfe_internal/enterprise/CFE_knowledge.cf",
        comment => "Settings mostly releated to CFEngine Enteprise Mission Portal";

      "input[enterprise_main]"
        string => "cfe_internal/enterprise/main.cf",
        comment => "This policy activates other enterprise specific policies";

      # File-change monitoring is registered only under enterprise_edition, so
      # a host without that class does not load file_change.cf from this list.
      "input[change_management]"
        string => "cfe_internal/enterprise/file_change.cf",
        comment => "This policy monitors critical system files for change";

      "input[enterprise_mission_portal]"
        string => "cfe_internal/enterprise/mission_portal.cf",
        comment => "This policy manages Mission Portal related configurations.";

      # Flatten whatever array elements were defined above into one list.
      # NOTE(review): presumably the order of the values returned here is not
      # guaranteed — confirm before relying on load order between these files.
    any::
      "inputs" slist => getvalues("input");
}

cfengine_stdlib

Prototype: cfengine_stdlib

Description: Include the standard library

Implementation:

bundle common cfengine_stdlib
{
  # Chooses which standard-library file(s) to load, depending on the binary
  # version and platform. The result is read by promises.cf as
  # @(cfengine_stdlib.inputs).
  # NOTE(review): "inputs" is assigned in several contexts that can match at
  # the same time (for example !cfengine_3_7 and a windows context);
  # presumably the later matching assignment is the one that takes effect —
  # confirm against the agent version in use.
  vars:

    !cfengine_3_7::
      # CFEngine 3.6 can include through a secondary file
      # CFEngine version 3.6 and prior use the split library to avoid syntax
      # errors introduced by new functionality. For example new functions.
      # This also works for 3.8 because local_libdir should be set to lib
      # instead of lib/3.8
      "inputs" slist => { "$(sys.local_libdir)/stdlib.cf" };


      # As part of ENT-2719 3.12.2 introduced package_method attributes for
      # specifying the interpreter and specifying the module path. These
      # attributes are not known in previous versions and must not be seen by
      # the parser or they will be seen as syntax errors. A cleaner way to do
      # this using the minimum_version macro is possible, but that would break
      # masterfiles compatibility in 3.12 with 3.7 binaries since 3.7 binaries
      # do not support major.minor.patch with minimum_version, only major.minor.
      # NOTE(review): the ticket id in this comment (ENT-2719) differs from the
      # one in the file name loaded below (packages-ENT-3719.cf) — confirm
      # which of the two is correct.

      # Windows on 3.12.2 and later 3.12 patch releases: 3.12.0 and 3.12.1 are
      # excluded by class because they do not know the new attributes.
    windows.cfengine_3_12.!(cfengine_3_12_0|cfengine_3_12_1)::
      "inputs" slist => { "$(sys.local_libdir)/stdlib.cf",
                          "$(sys.local_libdir)/packages-ENT-3719.cf" };
# Same pair of files for Windows on 3.14 and newer; the macro keeps these
# lines away from older parsers.
@if minimum_version(3.14)
    windows::
      "inputs" slist => { "$(sys.local_libdir)/stdlib.cf",
                          "$(sys.local_libdir)/packages-ENT-3719.cf" };
@endif

    cfengine_3_7::
      # CFEngine 3.7 has local_libdir set to $(sys.inputdir)/lib/3.7, but with
      # the @if macro support we can re-unify the split library for 3.7+ so we
      # specify the unified lib relative to local_libdir.
      "inputs" slist => { "$(sys.local_libdir)/../stdlib.cf" };


  reports:
      # Only emitted when the verbose_mode class is set; shows the library
      # path(s) that were selected above.
    verbose_mode::
      "$(this.bundle): defining inputs='$(inputs)'";
}

cfengine_controls

Prototype: cfengine_controls

Description: Include various agent control policies

Implementation:

bundle common cfengine_controls
{
  # Collects the control-body policy files for the individual CFEngine
  # components. promises.cf reads two results from here:
  # @(cfengine_controls.def_inputs) and @(cfengine_controls.inputs).
  vars:

      # Kept as an explicit, ordered list (not part of the "input" array)
      # because these two files have to be parsed before everything else;
      # promises.cf places this list first in its inputs.
      "def_inputs"
        slist => {
                   "controls/def.cf",
                   "controls/def_inputs.cf",
                 },
        comment => "We strictly order the def inputs because they should be parsed first";


      # One array element per component control file.
      "input[cf_agent]"
        string => "controls/cf_agent.cf",
        comment => "Agent control options";

      "input[cf_execd]"
        string => "controls/cf_execd.cf",
        comment => "Executor (scheduler) control options";

      "input[cf_monitord]"
        string => "controls/cf_monitord.cf",
        comment => "Monitor/Measurement control options";

      # NOTE(review): cf_serverd.cf and cf_runagent.cf configure the server
      # and remote activation requests; presumably this is where connection
      # and access settings live — include both files in any access review.
      "input[cf_serverd]"
        string => "controls/cf_serverd.cf",
        comment => "Server control options";

      "input[cf_runagent]"
        string => "controls/cf_runagent.cf",
        comment => "Runagent (remote activation request) control options";

      # Hub and reporting controls are added only on Enterprise hosts.
    enterprise_edition::

      "input[cf_hub]" -> { "CFEngine Enterprise" }
        string => "controls/cf_hub.cf",
        comment => "Hub (agent report collection) control options";

      "input[reports]" -> { "CFEngine Enterprise" }
        string => "controls/reports.cf",
        comment => "Report collection options";

    any::

      # Flatten the array elements defined above into the list that
      # promises.cf includes.
      "inputs" slist => getvalues(input);

  reports:
      # Emitted only when DEBUG or DEBUG_cfengine_controls is defined.
    DEBUG|DEBUG_cfengine_controls::
      "DEBUG $(this.bundle)";
        "$(const.t)defining inputs='$(inputs)'";
}

services_autorun

Prototype: services_autorun

Description: Include autorun policy and discover autorun bundles if enabled

Implementation:

bundle common services_autorun
{
  # Enables or disables the autorun mechanism depending on the
  # services_autorun class. Defines three lists: "inputs" (the autorun
  # library file), "found_inputs" (policy files discovered on disk) and
  # "bundles" (what promises.cf appends to the bundlesequence through
  # @(services_autorun.bundles)).
  vars:
    !cfengine_3_7.services_autorun::
      # 3.8+ can use local_libdir and will use the common lib as it supports the
      # @if macro
      "inputs" slist => { "$(sys.local_libdir)/autorun.cf" };
      # Lists every entry of services/autorun (next to this file) whose name
      # matches .*\.cf. promises.cf does not reference found_inputs directly;
      # presumably autorun.cf loads these files — confirm there.
      # NOTE(review): with services_autorun set, a .cf file placed in that
      # directory becomes candidate policy without being named anywhere, so
      # write access to services/autorun should be restricted and audited
      # like write access to promises.cf itself.
      "found_inputs" slist => lsdir("$(this.promise_dirname)/services/autorun", ".*\.cf", "true");
      "bundles" slist => { "autorun" }; # run loaded bundles

    cfengine_3_7.services_autorun::
      # We have to point 3.7 at the unified library because sys.local_libdir in
      # 3.7 binaries it is set to a version specific path. However since 3.7
      # knows about the @if macro it is safe to share the same policy as 3.8+
      "inputs" slist => { "$(sys.local_libdir)/../autorun.cf" };
      # Same directory discovery as in the 3.8+ branch above; the same
      # write-access caveat applies.
      "found_inputs" slist => lsdir("$(this.promise_dirname)/services/autorun", ".*\.cf", "true");
      "bundles" slist => { "autorun" }; # run loaded bundles

    !services_autorun::
      # If services_autorun is not enabled, then we should not extend inputs
      # automatically.
      # Both lists are left empty, so nothing from services/autorun is
      # discovered or added by this bundle in this state.
      "inputs" slist => { };
      "found_inputs" slist => {};
      "bundles" slist => { "services_autorun" }; # run self

  reports:
      # Emitted only when DEBUG or DEBUG_services_autorun is defined. The last
      # report names each discovered file, which is the quickest way to see
      # what autorun picked up on a host.
    DEBUG|DEBUG_services_autorun::
      "DEBUG $(this.bundle): Services Autorun Disabled"
        ifvarclass => "!services_autorun";

      "DEBUG $(this.bundle): Services Autorun Enabled"
        ifvarclass => "services_autorun";

      "DEBUG $(this.bundle): adding input='$(inputs)'"
        ifvarclass => isvariable("inputs");

      "DEBUG $(this.bundle): adding input='$(found_inputs)'"
        ifvarclass => isvariable("found_inputs");
}

common bodies

control

Prototype: control

Description: Control options common to all agents

Implementation:

body common control
{
      # Top-level control body: fixes the order in which bundles run
      # (bundlesequence), the policy files that are loaded (inputs), and the
      # package-module defaults per platform.

      # Order matters here. Entries written as @(bundle.list) are expanded
      # from lists defined in other bundles, so the effective sequence depends
      # on those lists as well as on this file.
      bundlesequence => {
                        # Common bundle first (Best Practice)
                          inventory_control,
                          @(inventory.bundles),
                          def,
                          @(cfengine_enterprise_hub_ha.classification_bundles),

                          # Design Center
                          cfsketch_run,

                          # autorun system
                          services_autorun,
                          @(services_autorun.bundles),

                         # Agent bundle
                          cfe_internal_management,   # See cfe_internal/CFE_cfengine.cf
                          main,
                          @(cfengine_enterprise_hub_ha.management_bundles),
                          # NOTE(review): def.bundlesequence_end is defined
                          # outside this file; whatever it lists runs last.
                          @(def.bundlesequence_end),

      };

      # Policy files to load. Only two paths are literal
      # ("sketches/meta/api-runfile.cf" and "services/main.cf"); everything
      # else comes from lists built in the bundles named in each entry.
      inputs => {
                 # File definition for global variables and classes
                  @(cfengine_controls.def_inputs),

                # Inventory policy
                  @(inventory.inputs),

                 # Design Center
                  "sketches/meta/api-runfile.cf",
                  @(cfsketch_g.inputs),

                 # CFEngine internal policy for the management of CFEngine itself
                  @(cfe_internal_inputs.inputs),

                 # Control body for all CFEngine robot agents
                  @(cfengine_controls.inputs),

                 # COPBL/Custom libraries.  Eventually this should use wildcards.
                  @(cfengine_stdlib.inputs),

                  # autorun system
                  @(services_autorun.inputs),

                  "services/main.cf",
      };

      # Identifies the policy release this file belongs to.
      version => "CFEngine Promises.cf 3.12.8a.ff51a7d2f";

      # From 3.7 onwards there is a new package promise implementation using package
      # modules in which you MUST provide package modules used to generate
      # software inventory reports. You can also provide global default package module
      # instead of specifying it in all package promises.
      # Defining the class disable_inventory_package_refresh switches
      # package_inventory off in the two branches that test for it.
    (debian).!disable_inventory_package_refresh::
          package_inventory => { $(package_module_knowledge.platform_default) };

      # We only define package_inventory on redhat like systems that have a
      # python version that works with the package module.
    (redhat|centos|suse|sles|opensuse|amazon_linux).cfe_yum_package_module_supported.!disable_inventory_package_refresh::
        package_inventory => { $(package_module_knowledge.platform_default) };

      # Default package module for package promises on these platforms.
      # centos is named in the package_inventory context above but not here.
    (debian|redhat|suse|sles|opensuse|amazon_linux)::
          package_module => $(package_module_knowledge.platform_default);

      # CFEngine 3.12.2+ and 3.14+ have new package module on Windows
    windows.cfengine_3_12.!(cfengine_3_12_0|cfengine_3_12_1)::
          package_inventory => { $(package_module_knowledge.platform_default) };
          package_module => $(package_module_knowledge.platform_default);
@if minimum_version(3.14)
    windows::
          package_inventory => { $(package_module_knowledge.platform_default) };
          package_module => $(package_module_knowledge.platform_default);
@endif

      # Alpine gets a default package module but no package_inventory.
    alpinelinux::
          package_module => $(package_module_knowledge.platform_default);


      # Both values come from variables in the def bundle.
      # NOTE(review): when these resolve to true, a bundle or input file that
      # is absent is presumably skipped rather than treated as an error, so a
      # policy that should be enforced could silently not run — confirm the
      # values set in def and alert on missing policy files separately.
    any::
        ignore_missing_bundles => "$(def.control_common_ignore_missing_bundles)";
        ignore_missing_inputs => "$(def.control_common_ignore_missing_inputs)";


}