promises.cf

Table of Contents

$(sys.inputdir)/promises.cf is the default policy run by the agent. It is responsible for specifying additional policy files that should be included as part of the policy and the order in which to run bundles.

Policy

common bodies

control

Prototype: control

Description: Control options common to all agents

Implementation:

body common control
{

      bundlesequence => {
                          # Common bundle first (Best Practice)
                          inventory_control,
                          @(inventory.bundles),
                          def,
                          @(cfengine_enterprise_hub_ha.classification_bundles),

                          # Custom classification
                          @(def.bundlesequence_classification),

                          # autorun system
                          services_autorun,
                          @(services_autorun.bundles),

                          # Agent bundle
                          cfe_internal_management,   # See cfe_internal/CFE_cfengine.cf
                          main,
                          @(cfengine_enterprise_hub_ha.management_bundles),
                          @(def.bundlesequence_end),

      };

      inputs => {
                  # User policy init, for example for defining custom promise types:
                  "services/init.cf",

                  # File definition for global variables and classes
                  @(cfengine_controls.def_inputs),

                  # Inventory policy
                  @(inventory.inputs),

                  # CFEngine internal policy for the management of CFEngine itself
                  @(cfe_internal_inputs.inputs),

                  # Control body for all CFEngine robot agents
                  @(cfengine_controls.inputs),

                  # COPBL/Custom libraries.  Eventually this should use wildcards.
                  @(cfengine_stdlib.inputs),

                  # autorun system
                  @(services_autorun.inputs),

                  "services/main.cf",
      };

      version => "CFEngine Promises.cf 3.18.9a.98de4cfcc";

      # From 3.7 onwards there is a new package promise implementation using package
      # modules in which you MUST provide package modules used to generate
      # software inventory reports. You can also provide global default package module
      # instead of specifying it in all package promises.
    (debian).!disable_inventory_package_refresh::
          package_inventory => { $(package_module_knowledge.platform_default), @(default:package_module_knowledge.additional_inventory) };

      # We only define package_inventory on redhat like systems that have a
      # python version that works with the package module.
    (redhat|centos|suse|sles|opensuse|amazon_linux).cfe_python_for_package_modules_supported.!disable_inventory_package_refresh::
        package_inventory => { $(package_module_knowledge.platform_default), @(default:package_module_knowledge.additional_inventory)};

    aix.!disable_inventory_package_refresh::
      package_inventory => { $(package_module_knowledge.platform_default), @(default:package_module_knowledge.additional_inventory) };

    freebsd.!disable_inventory_package_refresh::
          package_inventory => { $(package_module_knowledge.platform_default), @(default:package_module_knowledge.additional_inventory) };

    aix::
      package_module => $(package_module_knowledge.platform_default);


    (debian|redhat|suse|sles|opensuse|amazon_linux|freebsd)::
          package_module => $(package_module_knowledge.platform_default);

      # CFEngine 3.12.2+ and 3.14+ have new package module on Windows
    windows.cfengine_3_12.!(cfengine_3_12_0|cfengine_3_12_1)::
          package_inventory => { $(package_module_knowledge.platform_default) };
          package_module => $(package_module_knowledge.platform_default);
@if minimum_version(3.14)
    windows::
          package_inventory => { $(package_module_knowledge.platform_default), @(default:package_module_knowledge.additional_inventory) };
          package_module => $(package_module_knowledge.platform_default);
@endif
    termux::
          package_module => $(package_module_knowledge.platform_default);

    alpinelinux::
          package_module => $(package_module_knowledge.platform_default);


    any::
        ignore_missing_bundles => "$(def.control_common_ignore_missing_bundles)";
        ignore_missing_inputs => "$(def.control_common_ignore_missing_inputs)";


      # The number of minutes after which last-seen entries are purged from cf_lastseen.lmdb
        lastseenexpireafter => "$(def.control_common_lastseenexpireafter)";

    control_common_tls_min_version_defined::
        tls_min_version => "$(default:def.control_common_tls_min_version)"; # See also: allowtlsversion in body server control

    control_common_tls_ciphers_defined::
        tls_ciphers => "$(default:def.control_common_tls_ciphers)"; # See also: allowciphers in body server control

}

common bodies

inventory

Prototype: inventory

Description: Set up inventory inputs

This bundle creates the inputs for inventory bundles.

Inventory bundles are simply common bundles loaded before anything else in promises.cf

Implementation:

bundle common inventory
{
  classes:
      "other_unix_os" expression => "!(windows|macos|linux|freebsd|aix)";
      "specific_linux_os" expression => "redhat|debian|suse|sles";

  vars:
      # This list is intended to grow as needed
    debian::
      "inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/debian.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_debian", "inventory_os" };
    redhat::
      "inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/redhat.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_redhat", "inventory_os" };
    suse|sles::
      "inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/suse.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_suse", "inventory_os" };
    windows::
      "inputs" slist => { "inventory/any.cf", "inventory/windows.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_windows", "inventory_os" };
    macos::
      "inputs" slist => { "inventory/any.cf", "inventory/macos.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_macos", "inventory_os" };
    freebsd::
      "inputs" slist => { "inventory/any.cf", "inventory/freebsd.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_freebsd", "inventory_os" };
    linux.!specific_linux_os::
      "inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_os" };
    aix::
      "inputs" slist => { "inventory/any.cf", "inventory/generic.cf", "inventory/aix.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_generic", "inventory_aix", "inventory_os" };
    other_unix_os::
      "inputs" slist => { "inventory/any.cf", "inventory/generic.cf", "inventory/os.cf" };
      "bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_generic", "inventory_os" };

  reports:
    verbose_mode::
      "$(this.bundle): loading inventory module '$(inputs)'";
}

cfe_internal_inputs

Prototype: cfe_internal_inputs

Description: Include internal self management policies

Implementation:

bundle common cfe_internal_inputs
{
  vars:
    any::

      "input[cfe_internal_management]"
        string => "cfe_internal/CFE_cfengine.cf",
        comment => "This policy activates internal management policies
                    for both core and enterprise";

      "input[core_main]"
        string => "cfe_internal/core/main.cf",
        comment => "This policy activates other core policies";

      "input[core_limit_robot_agents]"
        string => "cfe_internal/core/limit_robot_agents.cf",
        comment => "The policy here ensures that we don't have too many
                    cf-monitord or cf-execd processes";

      "input[core_log_rotation]"
        string => "cfe_internal/core/log_rotation.cf",
        comment => "This policy ensures that various cfengine log files
                    do not grow without bound and fill up the disk";

      "input[core_host_info_report]"
        string => "cfe_internal/core/host_info_report.cf",
        comment => "This policy produces a text based host info report
                    and serves as a functional example of using mustache templates";

      "input[cfengine_internal_core_watchdog]"
        string => "cfe_internal/core/watchdog/watchdog.cf",
        comment => "This policy configures external watchdogs to ensure that
                    cf-execd is always running.";

    enterprise_edition.(policy_server|am_policy_hub)::

      "input[enterprise_hub_specific]"
        string => "cfe_internal/enterprise/CFE_hub_specific.cf",
        comment => "Policy relating to CFEngine Enterprise Hub, for example
                    software updates, webserver configuration, and alerts";

@if minimum_version(3.12.0)
      "input[enterprise_hub_federation]"
        string => "cfe_internal/enterprise/federation/federation.cf",
        comment => "Policy relating to CFEngine Federated Reporting";
@endif

    enterprise_edition::

      "input[enterprise_knowledge]"
        string => "cfe_internal/enterprise/CFE_knowledge.cf",
        comment => "Settings mostly releated to CFEngine Enteprise Mission Portal";

      "input[enterprise_main]"
        string => "cfe_internal/enterprise/main.cf",
        comment => "This policy activates other enterprise specific policies";

      "input[change_management]"
        string => "cfe_internal/enterprise/file_change.cf",
        comment => "This policy monitors critical system files for change";

      "input[enterprise_mission_portal]"
        string => "cfe_internal/enterprise/mission_portal.cf",
        comment => "This policy manages Mission Portal related configurations.";

    any::
      "inputs" slist => getvalues("input");
}

cfengine_stdlib

Prototype: cfengine_stdlib

Description: Include the standard library

Implementation:

bundle common cfengine_stdlib
{
  vars:

    any::
      "inputs" slist => { "$(sys.local_libdir)/stdlib.cf" };


      # As part of ENT-2719 3.12.2 introduced package_method attributes for
      # specifying the interpreter and specifying the module path. These
      # attributes are not known in previous versions and must not be seen by
      # the parser or they will be seen as syntax errors. A cleaner way to do
      # this using the minimum_version macro is possible, but that would break
      # masterfiles compatibility in 3.12 with 3.7 binaries since 3.7 binaries
      # do not support major.minor.patch with minimum_version, only major.minor.

    windows.cfengine_3_12.!(cfengine_3_12_0|cfengine_3_12_1)::
      "inputs" slist => { "$(sys.local_libdir)/stdlib.cf",
                          "$(sys.local_libdir)/packages-ENT-3719.cf" };
@if minimum_version(3.14)
    windows::
      "inputs" slist => { "$(sys.local_libdir)/stdlib.cf",
                          "$(sys.local_libdir)/packages-ENT-3719.cf" };
@endif

  reports:
    verbose_mode::
      "$(this.bundle): defining inputs='$(inputs)'";
}

cfengine_controls

Prototype: cfengine_controls

Description: Include various agent control policies

Implementation:

bundle common cfengine_controls
{
  vars:

      "def_inputs"
        slist => {
                   "controls/def.cf",
                   "controls/def_inputs.cf",
                 },
        comment => "We strictly order the def inputs because they should be parsed first";


      "input[cf_agent]"
        string => "controls/cf_agent.cf",
        comment => "Agent control options";

      "input[cf_execd]"
        string => "controls/cf_execd.cf",
        comment => "Executor (scheduler) control options";

      "input[cf_monitord]"
        string => "controls/cf_monitord.cf",
        comment => "Monitor/Measurement control options";

      "input[cf_serverd]"
        string => "controls/cf_serverd.cf",
        comment => "Server control options";

      "input[cf_runagent]"
        string => "controls/cf_runagent.cf",
        comment => "Runagent (remote activation request) control options";

    enterprise_edition::

      "input[cf_hub]" -> { "CFEngine Enterprise" }
        string => "controls/cf_hub.cf",
        comment => "Hub (agent report collection) control options";

      "input[reports]" -> { "CFEngine Enterprise" }
        string => "controls/reports.cf",
        comment => "Report collection options";

    any::

      "inputs" slist => getvalues(input);

  reports:
    DEBUG|DEBUG_cfengine_controls::
      "DEBUG $(this.bundle)";
        "$(const.t)defining inputs='$(inputs)'";
}

services_autorun

Prototype: services_autorun

Description: Include autorun policy and discover autorun bundles if enabled

Files inside directories listed in def.mpf_extra_autorun_inputs will be added to inputs automatically.

Implementation:

bundle common services_autorun
{
  vars:
    services_autorun|services_autorun_inputs::
      "_default_autorun_input_dir"
        string => "$(this.promise_dirname)/services/autorun";
      "_default_autorun_inputs"
        slist => lsdir( "$(_default_autorun_input_dir)", ".*\.cf", "true");

      "_extra_autorun_input_dirs"
        slist => { @(def.mpf_extra_autorun_inputs) },
        if => isvariable( "def.mpf_extra_autorun_inputs" );

      "_extra_autorun_inputs[$(_extra_autorun_input_dirs)]"
        slist => lsdir("$(_extra_autorun_input_dirs)/.", ".*\.cf", "true"),
        if => isdir( $(_extra_autorun_input_dirs) );

      "found_inputs" slist => { @(_default_autorun_inputs),
                                sort( getvalues(_extra_autorun_inputs), "lex") };

    !(services_autorun|services_autorun_inputs|services_autorun_bundles)::
      # If services_autorun is not enabled, then we should not extend inputs
      # automatically.
      "inputs" slist => { };
      "found_inputs" slist => {};
      "bundles" slist => { "services_autorun" }; # run self

    services_autorun|services_autorun_inputs|services_autorun_bundles::
      "inputs" slist => { "$(sys.local_libdir)/autorun.cf" };
      "bundles" slist => { "autorun" }; # run loaded bundles

  reports:
    DEBUG|DEBUG_services_autorun::
      "DEBUG $(this.bundle): Services Autorun Disabled"
        if => "!(services_autorun|services_autorun_bundles|services_autorun_inputs)";

      "DEBUG $(this.bundle): Services Autorun Enabled"
        if => "services_autorun";

      "DEBUG $(this.bundle): Services Autorun Bundles Enabled"
        if => "services_autorun_bundles";

      "DEBUG $(this.bundle): Services Autorun Inputs Enabled"
        if => "services_autorun_inputs";

      "DEBUG $(this.bundle): Services Autorun (Bundles & Inputs) Enabled"
        if => "services_autorun_inputs.services_autorun_bundles";

      "DEBUG $(this.bundle): adding input='$(inputs)'"
        if => isvariable("inputs");

      "DEBUG $(this.bundle): adding input='$(found_inputs)'"
        if => isvariable("found_inputs");
}