cfe_internal/update/update_processes.cf
common bodies
cfe_internal_process_knowledge
Prototype: cfe_internal_process_knowledge
Implementation:
bundle common cfe_internal_process_knowledge
{
vars:
!windows::
"bindir" string => "$(sys.bindir)",
comment => "Use a system variable";
}
agent bundles
cfe_internal_update_processes
Prototype: cfe_internal_update_processes
Description: Determine which cfengine components should be managed, and what their state should be.
By default all the relevant services will run on each host. For example all hosts will run cf-execd, cf-serverd, and cf-monitord. Individual services can be disabled:
If persistent_disable_COMPONENT ( persistent_disable_cf_serverd, persistent_disable_cf_monitord) is defined the service will be disabled.
If the component is found in def.agents_to_be_disabled it will be disabled.
Implementation:
bundle agent cfe_internal_update_processes
{
classes:
"systemd_supervised"
scope => "bundle",
expression => "systemd",
comment => "As of 3.10 the runalerts service is supervised by systemd
when available. Prior to 3.10 the service is supervised
directly by CFEngine policy.";
vars:
any::
# By default the core components are expected to be running in all cases.
"agent[cf_execd]" string => "cf-execd";
"agent[cf_serverd]" string => "cf-serverd";
"agent[cf_monitord]" string => "cf-monitord";
policy_server.enterprise_edition::
"agent[cf_hub]"
string => "cf-hub",
comment => "cf-hub is only relevant on Enterprise hubs";
systemd::
# On systemd hosts the cfengine3 service acts as an umbrella for other
# services.
"agent[cfengine3]"
string => "cfengine3",
comment => "systemd hosts use the cfengine3 service as an umbrella.
systemd_supervised hosts additionally have individual units
for each managed service.";
systemd_supervised.enterprise_edition.policy_server::
# Only enterprise systemd supervised hosts these additional service
# definitions for each component.
"agent[cf_postgres]" string => "cf-postgres";
"agent[cf_runalerts]" string => "cf-runalerts";
"agent[cf_apache]" string => "cf-apache";
cfredis_in_enterprise::
# TODO Remove from MPF after 3.12 EOL
"agent[cf_redis_server]" -> { "ENT-2797" }
string => "cf-redis-server";
cfconsumer_in_enterprise::
# TODO Remove from MPF after 3.12 EOL
"agent[cf_consumer]" -> { "ENT-2797" }
string => "cf-consumer";
any::
# We get a consolidated list of all agents for the executing host.
"all_agents" slist => getvalues( agent );
# We use def.agents_to_be_disabled if it exists, otherwise we default to
# no agents being disabled.
"agents_to_be_disabled"
comment => "CFE processes that should not be enabled",
handle => "cfe_internal_update_processes_vars_agents_to_be_disabled",
slist => { @(def.agents_to_be_disabled) },
ifvarclass => isvariable( "def.agents_to_be_disabled" );
"agents_to_be_disabled"
comment => "The default agents that should not be enabled.",
handle => "cfe_internal_update_processes_vars_default_agents_to_be_disabled",
slist => { },
ifvarclass => not( isvariable("def.agents_to_be_disabled") );
# An agent is disabled if there is a persistently defined disablement
# class OR if the agent is found in a list of agents to be specifically
# disabled.
"disable[$(all_agents)]"
string => "$(all_agents)",
ifvarclass => or( canonify( "persistent_disable_$(all_agents)" ),
some( "$(all_agents)", agents_to_be_disabled ));
systemd_supervised.policy_server.enterprise.hub_passive|(ha_replication_only_node.!failover_to_repliacation_node_enabled)::
# We want the enterprise components cf-runalerts, and cf-hub to be
# disabled if running on a passive hub or replication only hub.
"disabled[cf_runalerts]" string => "cf-runalerts";
"disabled[cf_hub]" string => "cf-hub";
any::
# First we get the consolidated list of agents to be disabled.
"agents_to_be_disabled" slist => getvalues( disabled );
# Any agent that is not explicitly disabled should be enabled.
"agents_to_be_enabled" slist => difference( all_agents, agents_to_be_disabled );
methods:
systemd.!systemd_supervised::
"CFENGINE systemd service"
usebundle => maintain_cfe_systemd,
comment => "Call a bundle to maintain CFEngine with systemd",
handle => "cfe_internal_update_processes_methods_maintain_systemd";
systemd_supervised::
# By default when running under systemd supervision, cfengine will not
# continue to make sure that the units are enabled or running. To enable
# this internal management please uncomment the following.
# "CFEngine systemd Unit Definitions"
# usebundle => cfe_internal_systemd_unit_files;
# "CFEngine systemd Unit States"
# usebundle => cfe_internal_systemd_service_unit_state;
am_policy_hub.enterprise.!systemd_supervised::
"TAKING CARE CFE HUB PROCESSES"
usebundle => maintain_cfe_hub_process,
comment => "Call a bundle to maintian HUB processes",
handle => "cfe_internal_update_processes_methods_maintain_hub";
!windows.!systemd_supervised::
"DISABLING CFE AGENTS"
usebundle => disable_cfengine_agents("$(agents_to_be_disabled)"),
comment => "Call a bundle to disable CFEngine given processes",
handle => "cfe_internal_update_processes_methods_disabling_cfe_agents";
"CHECKING FOR PERSISTENTLY DISABLED CFE AGENTS"
usebundle => disable_cfengine_agents($(all_agents)),
ifvarclass => canonify("persistent_disable_$(all_agents)"),
comment => "Call a bundle to disable CFEngine given processes if persistent_disable_x is set",
handle => "cfe_internal_update_processes_methods_maybe_disabling_cfe_agents";
"ENABLING CFE AGENTS"
usebundle => enable_cfengine_agents("$(agents_to_be_enabled)"),
comment => "Call a bundle to enable CFEngine given processes",
handle => "cfe_internal_update_processes_methods_enabling_cfe_agents";
windows::
"CFENGINE on Windows"
usebundle => maintain_cfe_windows,
comment => "Call a bundle to maintain CFEngine on Windows",
handle => "cfe_internal_update_processes_methods_maintain_windows";
}
maintain_cfe_hub_process
Prototype: maintain_cfe_hub_process
Implementation:
bundle agent maintain_cfe_hub_process
{
vars:
am_policy_hub::
"file_check" string => translatepath("$(cfe_internal_update_policy_cpv.inputs_dir)/promises.cf"),
comment => "Path to a policy file",
handle => "cfe_internal_maintain_cfe_hub_process_vars_file_check";
#
classes:
am_policy_hub::
"files_ok" expression => fileexists("$(file_check)"),
comment => "Check for $(sys.workdir)/inputs/promises.cf",
handle => "cfe_internal_maintain_cfe_hub_process_classes_files_ok";
am_policy_hub.enable_cfengine_enterprise_hub_ha::
"ha_run_hub_process"
or => { "!ha_replication_only_node",
"ha_replication_only_node.failover_to_replication_node_enabled" };
"ha_kill_hub_process"
or => { "ha_replication_only_node.!failover_to_replication_node_enabled" };
#
processes:
am_policy_hub::
"$(cfe_internal_process_knowledge.bindir)/vacuumdb"
restart_class => "no_vacuumdb",
comment => "Monitor vacuumdb process",
handle => "cfe_internal_maintain_cfe_hub_process_processes_check_vacuumdb",
ifvarclass => "nova|enterprise";
am_policy_hub.cfredis_in_enterprise::
# TODO Remove from MPF after 3.12 EOL
"$(cfe_internal_process_knowledge.bindir)/redis-server" -> { "ENT-2797" }
restart_class => "start_redis_server",
comment => "Monitor redis-server process",
handle => "cfe_internal_maintain_cfe_hub_process_processes_redis",
ifvarclass => "nova|enterprise";
am_policy_hub.cfconsumer_in_enterprise::
"$(cfe_internal_process_knowledge.bindir)/cf-consumer" -> { "ENT-2797" }
restart_class => "start_cf_consumer",
comment => "Monitor cf-consumer process",
handle => "cfe_internal_maintain_cfe_hub_process_processes_cf_consumer",
ifvarclass => "(nova|enterprise).no_vacuumdb";
am_policy_hub.!enable_cfengine_enterprise_hub_ha::
"$(cfe_internal_process_knowledge.bindir)/postgres"
restart_class => "start_postgres_server",
comment => "Monitor postgres process",
handle => "cfe_internal_maintain_cfe_hub_process_processes_postgres",
ifvarclass => "nova|enterprise";
am_policy_hub.!enable_cfengine_enterprise_hub_ha.files_ok.!windows|ha_run_hub_process::
"cf-hub" restart_class => "start_hub",
comment => "Monitor cf-hub process",
handle => "cfe_internal_maintain_cfe_hub_process_processes_cf_hub",
ifvarclass => and( "(nova|enterprise).no_vacuumdb",
"!persistent_disable_cf_hub" ); # Don't start it if it's persistently disabled
am_policy_hub.ha_kill_hub_process::
"cf-hub" signals => { "term" },
comment => "Terminate cf-hub on backup HA node outside cluster",
handle => "cfe_internal_kill_hub_process_on_inactive_ha_node";
#
files:
"/var/log/postgresql.log"
comment => "Ensure postgres.log file is there with right permissions",
handle => "cfe_internal_maintain_cfe_hub_process_files_create_postgresql_log",
create => "true",
perms => u_mo("0600","cfpostgres");
#
commands:
!windows.am_policy_hub.start_redis_server.cfredis_in_enterprise::
# TODO Remove from MPF after 3.12 EOL
"$(cfe_internal_process_knowledge.bindir)/redis-server $(cfe_internal_update_policy_cpv.redis_conf_file)" -> { "ENT-2797" }
contain => u_in_dir("/"),
comment => "Start redis process",
classes => u_kept_successful_command,
handle => "cfe_internal_maintain_cfe_hub_process_commands_start_redis";
!windows.am_policy_hub.!enable_cfengine_enterprise_hub_ha.start_postgres_server::
"$(cfe_internal_process_knowledge.bindir)/pg_ctl -D $(cfe_internal_update_policy_cpv.postgresdb_dir) -l $(cfe_internal_update_policy_cpv.postgresdb_log) start"
contain => u_postgres,
comment => "Start postgres process",
classes => u_kept_successful_command,
handle => "cfe_internal_maintain_cfe_hub_process_commands_start_postgres";
!windows.am_policy_hub.start_cf_consumer.cfconsumer_in_enterprise::
# TODO Remove from MPF after 3.12 EOL
"$(cfe_internal_process_knowledge.bindir)/cf-consumer"
comment => "Start cf-consumer process",
classes => u_kept_successful_command,
handle => "cfe_internal_maintain_cfe_hub_process_commands_start_cf-consumer";
!windows.am_policy_hub.start_hub::
"$(sys.cf_hub)"
comment => "Start cf-hub process",
classes => u_kept_successful_command,
handle => "cfe_internal_maintain_cfe_hub_process_commands_start_cf_hub";
}
disable_cfengine_agents
Prototype: disable_cfengine_agents(process)
Arguments:
process
: string, used to set promise attributestring
ofvars
promiser cprocess: string, used to set promise attributeexpression
: string, used to set promise attributeexpression
ofclasses
promiser disable_$(cprocess), used as promiser of typeprocesses
Implementation:
bundle agent disable_cfengine_agents(process)
{
vars:
!windows::
"cprocess" string => canonify("$(process)"),
comment => "Canonify a given process",
handle => "cfe_internal_disable_cfengine_agents_vars_cprocess";
#
classes:
!windows::
"disable_$(cprocess)" expression => strcmp("$(process)","$(process)"),
comment => "Create a class to disable a given process",
handle => "cfe_internal_disable_cfengine_agents_classes_disable_process";
#
processes:
!windows::
"$(cfe_internal_process_knowledge.bindir)/$(process)"
signals => { "term" },
comment => "Terminate $(process)",
handle => "cfe_internal_disable_cfengine_agents_processes_terminate_process",
ifvarclass => "disable_$(cprocess)";
}
enable_cfengine_agents
Prototype: enable_cfengine_agents(process)
Arguments:
process
: string, used to set promise attributestring
ofvars
promiser cprocess ofclasses
promiser enable_$(cprocess), used as promiser of typeprocesses
ofcommands
promiser $(sys.$(cprocess)), used as promiser of typereports
, used as promiser of typereports
, used as promiser of typereports
Implementation:
bundle agent enable_cfengine_agents(process)
{
vars:
!windows::
"cprocess" string => canonify("$(process)"),
comment => "Canonify a given process",
handle => "cfe_internal_enable_cfengine_agents_vars_cprocess";
classes:
!windows::
"enable_$(cprocess)" expression => "!persistent_disable_$(cprocess)",
comment => "Create a class to enable a given process",
handle => "cfe_internal_enable_cfengine_agents_classes_enable_process";
#
processes:
!windows::
"$(cfe_internal_process_knowledge.bindir)/$(process)"
restart_class => "restart_$(cprocess)",
comment => "Create a class to restart a process",
handle => "cfe_internal_enable_cfengine_agents_processes_restart_process",
ifvarclass => "enable_$(cprocess)";
#
commands:
!windows::
"$(sys.$(cprocess))"
comment => "Restart a process",
handle => "cfe_internal_enable_cfengine_agents_commands_restart_process",
classes => u_kept_successful_command,
ifvarclass => and( "restart_$(cprocess)",
isvariable( "sys.$(cprocess)" ) );
reports:
"The process $(process) is persistently disabled. Run with '-Dclear_persistent_disable_$(cprocess)' to re-enable it."
ifvarclass => and( "persistent_disable_$(cprocess)",
isvariable( "sys.$(cprocess)" ));
"The process $(process) has been re-enabled. Run with '-Dset_persistent_disable_$(cprocess)' to disable it persistently again."
ifvarclass => and( "clear_persistent_disable_$(cprocess)",
isvariable( "sys.$(cprocess)" )),
classes => u_clear_always("persistent_disable_$(cprocess)");
"The process $(process) has been disabled persistently. Run with '-Dclear_persistent_disable_$(cprocess)' to re-enable it."
ifvarclass => "set_persistent_disable_$(cprocess)",
classes => u_always_forever("persistent_disable_$(cprocess)");
}
maintain_cfe_windows
Prototype: maintain_cfe_windows
Implementation:
bundle agent maintain_cfe_windows
{
vars:
windows::
"file_check" string => translatepath("$(cfe_internal_update_policy_cpv.inputs_dir)/promises.cf"),
comment => "Path to a policy file",
handle => "cfe_internal_maintain_cfe_windows_vars_file_check";
#
classes:
windows::
"files_ok" expression => fileexists("$(file_check)"),
comment => "Check for /var/cfengine/masterfiles/promises.cf",
handle => "cfe_internal_maintain_cfe_windows_classes_files_ok";
#
processes:
files_ok::
"cf-serverd" restart_class => "start_server",
comment => "Monitor cf-serverd process",
handle => "cfe_internal_maintain_cfe_windows_processes_cf_serverd";
"cf-monitord" restart_class => "start_monitor",
comment => "Monitor cf-monitord process",
handle => "cfe_internal_maintain_cfe_windows_processes_cf_monitord";
#
services:
files_ok.windows::
"CfengineNovaExec"
service_policy => "start",
service_method => u_bootstart,
comment => "Start the executor windows service now and at boot time",
handle => "cfe_internal_maintain_cfe_windows_services_windows_executor";
#
commands:
start_server::
"$(sys.cf_serverd)"
action => u_ifwin_bg,
comment => "Start cf-serverd process",
classes => u_kept_successful_command,
handle => "cfe_internal_maintain_cfe_windows_commands_start_cf_serverd";
start_monitor|restart_monitor::
"$(sys.cf_monitord)"
action => u_ifwin_bg,
comment => "Start cf-monitord process",
classes => u_kept_successful_command,
handle => "cfe_internal_maintain_cfe_windows_commands_start_cf_monitord";
}
maintain_cfe_systemd
Prototype: maintain_cfe_systemd
Implementation:
bundle agent maintain_cfe_systemd
{
classes:
systemd::
"restart_cfe"
not => returnszero("/bin/systemctl -q is-active cfengine3", "noshell"),
comment => "Check running status of CFEngine using systemd",
handle => "cfe_internal_maintain_cfe_systemd_classes_restart_cfe";
commands:
restart_cfe::
"/bin/systemctl -q start cfengine3"
comment => "Start CFEngine using systemd",
handle => "cfe_internal_maintain_cfe_systemd_commands_start_cfe";
}
classes bodies
u_clear_always
Prototype: u_clear_always(theclass)
Arguments:
theclass
Implementation:
body classes u_clear_always(theclass)
{
cancel_kept => { $(theclass) };
cancel_notkept => { $(theclass) };
cancel_repaired => { $(theclass) };
}
u_always_forever
Prototype: u_always_forever(theclass)
Arguments:
theclass
Implementation:
body classes u_always_forever(theclass)
{
promise_kept => { $(theclass) };
promise_repaired => { $(theclass) };
repair_failed => { $(theclass) };
repair_denied => { $(theclass) };
repair_timeout => { $(theclass) };
persist_time => 999999999;
scope => "namespace";
}