controls/update_def.cf
Table of contents
This is where most common variables and classes are defined for the update
policy. Note its variable scope can be augmented with def.json
.
common bodies
update_def
Prototype: update_def
Description: Main default settings for update policy
Implementation:
code
bundle common update_def
{
classes:
any::
"sys_policy_hub_port_exists" expression => isvariable("sys.policy_hub_port");
vars:
any::
"current_version" string => "3.21.6a.737699ad7";
"current_release" string => "1";
# MPF Controls
# Because in some versions of cfengine bundlesequence in body common
# control does not support does not support iteration over data containers
# we must first pick out the bundles into a shallow container that we can
# then get a regular list from using getvalues().
"tbse" data => mergedata( "def.control_common_update_bundlesequence_end" );
# Since we have @(def.update_bundlesequence_end) in body common control
# bundlesequence we must have a list variable defined. It can be empty, but it
# must be defined. If it is not defined the agent will error complaining
# that '@(def.bundlesequence_end) is not a defined bundle.
# As noted in CFE-2460 getvalues behaviour varies between versions. 3.7.x
# getvalues will return an empty list when run on a non existant data
# container. On 3.9.1 it does not return an empty list.
# So we initialize it as an empty list first to be safe.
"bundlesequence_end" slist => {};
"bundlesequence_end" slist => getvalues( tbse );
"augments_inputs"
slist => {},
if => not( isvariable( "def.update_inputs" ) );
"augments_inputs"
slist => { @(def.update_inputs) },
if => isvariable( "def.update_inputs" );
# Default the input name patterns, if we don't find it defined in def
# (from the augments_file).
"input_name_patterns" -> { "CFE-3425" }
slist => { ".*\.cf",".*\.dat",".*\.txt", ".*\.conf", ".*\.mustache",
".*\.sh", ".*\.pl", ".*\.py", ".*\.rb", ".*\.sed", ".*\.awk",
"cf_promises_release_id", ".*\.json", ".*\.yaml", ".*\.csv",
".*\.ps1" },
comment => "Filename patterns to match when updating the policy
(see update/update_policy.cf)",
handle => "common_def_vars_input_name_patterns_policy_default",
if => and(and(not(isvariable("override_data_acl")),
not(isvariable("input_name_patterns"))),
not(isvariable("def.input_name_patterns"))),
meta => { "defvar" };
# define based on data in def (which comes from augments file), if
# present and input_name_patterns is not yet defined.).
"input_name_patterns"
slist => { @(def.input_name_patterns) },
comment => "Filename patterns to match when updating the policy
(see update/update_policy.cf)",
handle => "common_def_vars_input_name_patterns",
if => and( isvariable("def.input_name_patterns"),
not(isvariable("input_name_patterns"))),
meta => { "defvar" };
"input_name_patterns_extra" -> { "ENT-10480" }
slist => {},
comment => "Additional filename patterns to copy during policy update.",
if => not( isvariable( "input_name_patterns_extra" ) );
# the permissions for your masterfiles files (not dirs), which will propagate to inputs
"masterfiles_perms_mode_not_dir" -> { "CFE-951" }
string => "0600",
handle => "common_def_vars_masterfiles_perms_mode_not_dir",
meta => { "defvar" };
"masterfiles_perms_mode_dirs" -> { "CFE-951" }
string => "0700",
handle => "common_def_vars_masterfiles_perms_mode_dirs",
meta => { "defvar" };
"dc_scripts" string => "$(sys.workdir)/httpd/htdocs/api/dc-scripts",
comment => "Directory where VCS scripts are located on Enterprise Hub";
"DCWORKFLOW" string => "/opt/cfengine",
comment => "Directory where VCS related data things is stored";
"local_masterfiles_git" string => "$(DCWORKFLOW)/masterfiles.git",
comment => "Local bare git repository, serves as OOTB upstream repo";
"cf_git" string => "$(sys.workdir)/bin/git",
comment => "Path to git binary installed with CFEngine Enterprise";
"cf_apache_user" string => "cfapache",
comment => "User that CFEngine Enterprise webserver runs as",
handle => "common_def_vars_cf_cfapache_user";
"cf_apache_group" string => "cfapache",
comment => "Group that CFEngine Enterprise webserver runs as",
handle => "common_def_vars_cf_cfapache_group";
# Hubs get the explicit path because they perform local copies (especially
# during bootstrap) when cf-serverd may not be available. Else we use the
# "masterfiles" shortcut.
"mpf_update_policy_master_location" -> { "ENT-3692" }
string => ifelse( "am_policy_hub", "/var/cfengine/masterfiles",
"masterfiles");
# Here we allow the masterfiles location to be overridden via augments. If
# augments overides the value, use that. Note: Since hubs do not perform
# copies to themselves over cf-serverd, this should be a fully qualified
# path or special considerations must be made for hub bootstrapping.
"mpf_update_policy_master_location" -> { "ENT-3692" }
comment => "Directory where clients should get policy from.",
string => "$(def.mpf_update_policy_master_location)",
if => isvariable( "def.mpf_update_policy_master_location" );
# enable_cfengine_enterprise_hub_ha is defined below
# Disabled by default
# If we want to use the backup repository for update (because the class is
# defined) and if the location is not already configured (via Augments),
# set a default.
"control_agent_default_repository" -> { "ENT-10481" }
string => "$(sys.workdir)/backups",
if => and( "mpf_update_control_agent_default_repository",
not( isvariable( "control_agent_default_repository" ) ) );
enable_cfengine_enterprise_hub_ha::
"standby_servers" slist => filter("$(sys.policy_hub)", "ha_def.ips", false, true, 10);
"policy_servers" slist => { "$(sys.policy_hub)", "@(standby_servers)" };
!enable_cfengine_enterprise_hub_ha::
"policy_servers" slist => {"$(sys.policy_hub)"};
any::
"control_common_ignore_missing_bundles" -> { "CFE-2773" }
string => ifelse( strcmp( $(control_common_ignore_missing_bundles), "true" ),
"true",
"false");
"control_common_ignore_missing_inputs" -> { "CFE-2773" }
string => ifelse( strcmp( $(control_common_ignore_missing_inputs), "true" ),
"true",
"false");
"control_agent_agentfacility" -> { "ENT-10209" }
string => "",
if => not( isvariable ( "default:def.control_agent_agentfacility" ));
classes:
"control_agent_agentfacility_configured" -> { "ENT-10209" }
expression => regcmp( "LOG_(USER|DAEMON|LOCAL[0-7])",
$(control_agent_agentfacility) ),
comment => concat( "If default:def.control_agent_agentfacility is a",
" valid setting, we want to use it in body agent",
" control for setting agentfacility" );
"control_common_tls_min_version_defined" -> { "ENT-10198" }
expression => isvariable( "default:def.control_common_tls_min_version"),
comment => concat( "If default:def.control_common_tls_min_version is defined then",
" it's value will be used for the minimum version in outbound",
" connections. Else the binary default will be used.");
"control_common_tls_ciphers_defined" -> { "ENT-10198" }
expression => isvariable( "default:def.control_common_tls_ciphers"),
comment => concat( "If default:def.control_common_tls_ciphers is defined then",
" it's value will be used for the set of tls ciphers allowed",
" for outbound connections. Else the binary default will be used.");
# Trigger binary upgrade from policy hub
# Disable by default
"trigger_upgrade" or => {
"!any",
};
# Update masterfiles from Git
# Enabled for enterprise users by default
# you can also request it from the command line with
# -Dcfengine_internal_masterfiles_update
# NOTE THAT ENABLING THIS BY DEFAULT *WILL* OVERWRITE THE HUB'S $(sys.workdir)/masterfiles
#"cfengine_internal_masterfiles_update" expression => "enterprise.!(cfengine_3_4|cfengine_3_5)";
"cfengine_internal_masterfiles_update" expression => "!any";
# Transfer policies and binaries with encryption
# you can also request it from the command line with
# -Dcfengine_internal_encrypt_transfers
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
"cfengine_internal_encrypt_transfers" expression => "!any";
# Do not purge policies that don't exist on the server side.
# you can also request it from the command line with
# -Dcfengine_internal_purge_policies_disabled
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
"cfengine_internal_purge_policies_disabled" expression => "!any";
# Preserve permissions of the policy server's masterfiles.
# you can also request it from the command line with
# -Dcfengine_internal_preserve_permissions
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
"cfengine_internal_preserve_permissions" expression => "!any";
# Disable checking of cf_promises_validated before updating clients.
# Disabling checking of cf_promises_validated ensures that remote agents
# will **always** scan all of masterfiles for any changes and update
# accordingly. This is not recommended as it both removes a safety
# mechanism that checks for policy to be valid before allowing clients to
# download updates, and the increased load on the hub will affect
# scalability. Consider using time_based, select_class, or dist based classes
# instead of any to retain some of the benefits. **DISABLE WITH CAUTION**
"cfengine_internal_disable_cf_promises_validated"
expression => "!any",
comment => "When cf_promises_validated is disabled remote agents will
always scan all of masterfiles for changes. Disabling this
is not recommended as it will increase the load on the policy
server and increases the possibility for remote agents to
receive broken policy.";
# Enable CFEngine Enterprise HA Policy
"enable_cfengine_enterprise_hub_ha" expression => "!any";
#"enable_cfengine_enterprise_hub_ha" expression => "enterprise_edition";
# Enable failover to node which is outside cluster
#"failover_to_replication_node_enabled" expression => "enterprise_edition";
}