This example shows how to ensure services are started or stopped appropriately.

code
body file control
{
  inputs => { "$(sys.libdir)/services.cf", "$(sys.libdir)/commands.cf" };
}

bundle agent main
{
  vars:

    linux::
      "enable[ssh]"
        string => ifelse( "debian|ubuntu", "ssh", "sshd"),
        comment => "The name of the ssh service varies on different platforms.
                    Here we set the name of the service based on existing
                    classes and defaulting to `sshd`";

      "disable[apache]"
        string => ifelse( "debian|ubuntu", "apache2", "httpd" ),
        comment => "The name of the apache web service varies on different
                    platforms. Here we set the name of the service based on
                    existing classes and defaulting to `httpd`";

      "enable[cron]"
        string  => ifelse( "debian|ubuntu", "cron", "crond" ),
        comment => "The name of the cron service varies on different
                    platforms. Here we set the name of the service based on
                    existing classes and defaulting to `crond`";

      "disable[cups]"
        string => "cups",
        comment => "Printing services are not needed on most hosts.";

      "enabled" slist => getvalues( enable );
      "disabled" slist => getvalues( disable );

  services:

    linux::

      "$(enabled)" -> { "SysOps" }
        service_policy => "start",
        comment => "These services should be running because x, y or z.";

      "$(disabled)" -> { "SysOps" }
        service_policy => "stop",
        comment => "These services should not be running because x, y or z.";

    systemd::

      "sysstat"
        service_policy => "stop",
        comment => "Standard service handling for sysstat only works with
                    systemd. Other inits need cron entries managed.";
}

This policy can be found in /var/cfengine/share/doc/examples/services.cf and downloaded directly from github.

Note: Not all services behave in the standard way. Some services may require custom handling. For example it is not uncommon for some services to not provide correct return codes for status checks.

See also:

Example usage on systemd

We can see that before the policy run sysstat is inactive, apache2 is active, cups is active, ssh is active and cron is inactive.

command
systemctl is-active sysstat apache2 cups ssh cron
output
inactive
active
active
active
inactive

Now we run the policy to converge the system to the desired state.

command
cf-agent --no-lock --inform --file ./services.cf
output
info: Executing 'no timeout' ... '/bin/systemctl --no-ask-password --global --system -q stop apache2'
info: Completed execution of '/bin/systemctl --no-ask-password --global --system -q stop apache2'
info: Executing 'no timeout' ... '/bin/systemctl --no-ask-password --global --system -q stop cups'
info: Completed execution of '/bin/systemctl --no-ask-password --global --system -q stop cups'
info: Executing 'no timeout' ... '/bin/systemctl --no-ask-password --global --system -q start cron'
info: Completed execution of '/bin/systemctl --no-ask-password --global --system -q start cron'

After the policy run we can see that systat, apache2, and cups are inactive. ssh and cron are active as specified in the policy.

command
systemctl is-active sysstat apache2 cups ssh cron
output
inactive
inactive
inactive
active
active

Example usage with System V

We can see that before the policy run sysstat is not reporting status correctly , httpd is running, cups is running, sshd is running and crond is not running.

command
service sysstat status; echo $?
output
3
command
service httpd status; echo $?
output
httpd (pid  3740) is running...
0
command
service cups status; echo $?
output
cupsd (pid  3762) is running...
0
command
service sshd status; echo $?
output
openssh-daemon (pid  3794) is running...
0
command
service crond status; echo $?
output
crond is stopped
3

Now we run the policy to converge the system to the desired state.

command
cf-agent -KIf ./services.cf
output
info: Executing 'no timeout' ... '/etc/init.d/crond start'
info: Completed execution of '/etc/init.d/crond start'
info: Executing 'no timeout' ... '/etc/init.d/httpd stop'
info: Completed execution of '/etc/init.d/httpd stop'
info: Executing 'no timeout' ... '/etc/init.d/cups stop'
info: Completed execution of '/etc/init.d/cups stop'

After the policy run we can see that systat is still not reporting status correctly (some services do not respond to standard checks), apache2, and cups are inactive. ssh and cron are active as specified in the policy.

command
service sysstat status; echo $?
output
3
command
service httpd status; echo $?
output
httpd is stopped
3
command
service cups status; echo $?
output
cups is stopped
3
command
service sshd status; echo $?
output
openssh-daemon (pid  3794) is running...
0
command
service crond status; echo $?
output
crond (pid  3929) is running...
0