################################################################################
#
#   DO NOT EDIT THIS FILE. All policy files prefixed with CFE_ and update_bins.cf
#   are maintained by CFEngine and its original state is required for internal
#   operations of CFEngine. If the file has been modified CFEngine's upgrades
#   may require manual intervention. Contact CFEngine support if additional
#   information and/or recommendation is needed.
#
################################################################################
################################################################################
#
#   update_bins
#     - CFEngine binary update (native packages)
#
################################################################################

bundle agent cfe_internal_update_bins
# @brief Update cfengine binaries
# TODO Redact this file, not in use. The policy here was migrated into
# standalone self upgrade, nothing includes this policy nor references its
# bundles
#
# Reading guide (derived from the promises below):
#  - vars:     paths, package names and architectures per platform
#  - packages: update $(novapkg) from the local software directory; only when
#              trigger_upgrade is set, the host is not the policy hub and the
#              agent is not in bootstrap_mode (none of these classes are
#              defined in this file)
#  - files:    create the helper scripts handed to cf-upgrade and copy new
#              packages from the policy server into $(local_software_dir)
{

  vars:

    enterprise::

      "cf_components"       slist => { "cf-key", "cf-monitord", "cf-promises",
                                       "cf-runagent", "cf-serverd", "cf-hub", },
      comment => "Define cfengine robot agents",
      handle => "cfe_internal_update_bins_vars_cf_components";

      "master_software_location" string => "/var/cfengine/master_software_updates",
      comment => "The Cfengine binary updates directory on the policy host",
      handle => "cfe_internal_update_bins_vars_master_software_location";

    !hpux::
      "package_dir"
      string => "$(sys.flavour)_$(sys.arch)",
      comment => "The directory within software updates to look for packages";

    hpux::
      "package_dir"
      string => "$(sys.class)_$(sys.arch)",
      comment => "The directory within software updates to look for packages.
                  On HPUX sys.flavor includes versions, so we use sys.class
                  instead.";

    enterprise::

      "local_software_dir" string => translatepath("$(sys.workdir)/software_updates/$(package_dir)"),
      comment => "Local directory containing binary updates for this host",
      handle => "cfe_internal_update_bins_vars_local_software_dir";

      "local_update_log_dir" string => translatepath("$(sys.workdir)/software_updates/update_log"),
      comment => "Local directory to store update log for this host",
      handle => "cfe_internal_update_bins_vars_local_update_log_dir";

    !windows.enterprise::

      # NOTE(review): backup_script, backup_file, install_script and (on
      # Solaris) admin_file are fixed, predictable names directly under /tmp.
      # The files: promises below create the scripts with mode 0755 and the
      # package_update_command in u_generic passes them to cf-upgrade. Where
      # /tmp is writable by other local users, a file or link already present
      # at one of these names is a concern. Confirm how the agent treats a
      # pre-existing object at these paths, and whether a directory writable
      # only by the agent's user can be used instead.

      # backup script for cf-upgrade
      # the script should have 2 conditions, BACKUP and RESTORE
      # BACKUP and RESTORE status is $(const.dollar)1 variable in the script
      # see more details at bundle edit_line u_backup_script

      "backup_script"   string => "/tmp/cf-upgrade_backup.sh";

      # a single compressed backup file for cf-upgrade
      # this backup_file is passed to backup_script as $(const.dollar)2 variable
      # cf-upgrade will extract this file if return signal of upgrade command is not 0

      "backup_file"     string => "/tmp/cfengine-nova-$(sys.cf_version).tar.gz";

      # install script for cf-upgrade
      # each distribution has its own way to upgrade a package
      # see more details at bundle edit_line u_install_script

      "install_script"  string => "/tmp/cf-upgrade_install.sh";

    (solarisx86|solaris).enterprise::

      # to automatically remove or install packages on Solaris
      # admin_file is a must to have to avoid pop-up interaction
      # see more details at bundle edit_line u_admin_file

      "admin_file"      string => "/tmp/cf-upgrade_admin_file";

    # The package name differs per platform; each variant is additionally
    # guarded by the nova_edition class.
    (solarisx86|solaris).enterprise::

      "novapkg"       string => "CFEcfengine-nova",
      comment => "Name convention of Nova package on Solaris",
      handle => "cfe_internal_update_bins_vars_novapkg_solaris",
      ifvarclass => "nova_edition";

    aix.enterprise::

      "novapkg"       string => "cfengine.cfengine-nova",
      comment => "Name convention of Nova package on AIX",
      handle => "cfe_internal_update_bins_vars_novapkg_aix",
      ifvarclass => "nova_edition";

    !(solarisx86|solaris|aix).enterprise::

      "novapkg"       string => "cfengine-nova",
      comment => "Name convention of Nova package for all but not Solaris",
      handle => "cfe_internal_update_bins_vars_novapkg_not_solaris_aix",
      ifvarclass => "nova_edition";

    # pkgarch feeds package_architectures in the packages: promises below.
    solaris.!sunos_i86pc.enterprise::

      "pkgarch"       string => "sparc",
      comment => "Name convention of package arch on Solaris",
      handle => "cfe_internal_update_bins_vars_pkgarch_solaris";

    solarisx86.enterprise::

      "pkgarch"       string => "i386",
      comment => "Name convention of package arch on Solaris",
      handle => "cfe_internal_update_bins_vars_pkgarch_solarisx86";

    redhat.i686.enterprise::

      "pkgarch"       string => "i386",
      comment => "Name convention of package arch on 32-bit RHEL",
      handle => "cfe_internal_update_bins_vars_pkgarch_redhat_32b";

    redhat.(x86_64|ppc64).enterprise::

      "pkgarch"       string => "$(sys.arch)",
      comment => "Name convention of package arch on RHEL x86_64 and ppc64",
      handle => "cfe_internal_update_bins_vars_pkgarch_redhat_x86_64_and_ppc64";

    (freebsd|netbsd|debian|aix).enterprise::

      "pkgarch"       string => "*",
      comment => "Name convention of package arch on *BSD/Debian",
      handle => "cfe_internal_update_bins_vars_pkgarch_bsd_debian_aix";

    !(solarisx86|solaris|freebsd|netbsd|debian|aix|redhat).enterprise::

      "pkgarch"       string => "$(sys.arch)",
      comment => "Name convention of package arch for other system except Solaris and *BSD",
      handle => "cfe_internal_update_bins_vars_pkgarch_not_solaris_bsd_debian_aix_redhat_32b";

      #

  classes:

      # Set when the per-platform local software directory already exists;
      # every packages: promise below requires it via ifvarclass.
      "have_software_dir" expression => fileexists($(local_software_dir));

      #

  packages:

    # The four promises below differ only in their platform guard, handle and
    # the suffix appended to $(update_def.current_version) ("-1" on Linux,
    # ".0" on AIX, none on Solaris and Windows). update_def is defined outside
    # this file. Each sets bin_update_success or bin_update_fail through
    # u_if_else, which is also not defined in this file.

    !am_policy_hub.linux.enterprise.trigger_upgrade.!bootstrap_mode::

      "$(novapkg)"
      comment => "Update Nova package to a newer version (package is there)",
      handle => "cfe_internal_update_bins_packages_nova_update_linux_pkg_there",
      package_policy => "update",
      package_select => "==",             # picks the newest Nova available
      package_architectures => { "$(pkgarch)" },
      package_version => "$(update_def.current_version)-1",
      package_method => u_generic( "$(local_software_dir)" ),
      ifvarclass => "nova_edition.have_software_dir",
      classes => u_if_else("bin_update_success", "bin_update_fail");

    !am_policy_hub.(solaris|solarisx86).enterprise.trigger_upgrade.!bootstrap_mode::

      "$(novapkg)"
      comment => "Update Nova package to a newer version (package is there)",
      handle => "cfe_internal_update_bins_packages_nova_update_solaris_pkg_there",
      package_policy => "update",
      package_select => "==",             # picks the newest Nova available
      package_architectures => { "$(pkgarch)" },
      package_version => "$(update_def.current_version)",
      package_method => u_generic( "$(local_software_dir)" ),
      ifvarclass => "nova_edition.have_software_dir",
      classes => u_if_else("bin_update_success", "bin_update_fail");

    !am_policy_hub.windows.enterprise.trigger_upgrade.!bootstrap_mode::

      "$(novapkg)"
      comment => "Update Nova package to a newer version (package is there)",
      handle => "cfe_internal_update_bins_packages_nova_update_windows_only_pkg_there",
      package_policy => "update",
      package_select => "==",             # picks the newest Nova available
      package_architectures => { "$(pkgarch)" },
      package_version => "$(update_def.current_version)",
      package_method => u_generic( "$(local_software_dir)" ),
      ifvarclass => "nova_edition.have_software_dir",
      classes => u_if_else("bin_update_success", "bin_update_fail");

    !am_policy_hub.aix.enterprise.trigger_upgrade.!bootstrap_mode::

      "$(novapkg)"
      comment => "Update Nova package to a newer version (package is there)",
      handle => "cfe_internal_update_bins_packages_nova_update_aix_only_pkg_there",
      package_policy => "update",
      package_select => "==",             # picks the newest Nova available
      package_architectures => { "$(pkgarch)" },
      package_version => "$(update_def.current_version).0",
      package_method => u_generic( "$(local_software_dir)" ),
      ifvarclass => "nova_edition.have_software_dir",
      classes => u_if_else("bin_update_success", "bin_update_fail");

      #

  files:

    enterprise::

      "$(local_update_log_dir)/$(sys.nova_version)_is_running"
      comment => "Create an empty file about a version that is running",
      handle => "cfe_internal_update_bins_files_version_is_running",
      create => "true";

    am_policy_hub.enterprise::

      "$(master_software_location)/cf-upgrade/linux.i386/."
      comment => "Prepare a directory for cf-upgrade",
      handle => "cfe_internal_update_bins_files_linux_i386",
      create => "true";

      "$(master_software_location)/cf-upgrade/linux.x86_64/."
      comment => "Prepare a directory for cf-upgrade",
      handle => "cfe_internal_update_bins_files_linux_x86_64",
      create => "true";

    !am_policy_hub.enterprise.trigger_upgrade::

      # The next three promises empty and rewrite their target on each run
      # (u_empty_no_backup) with the content from the matching edit_line
      # bundle. The targets are the /tmp paths defined under vars:.
      # u_m is not defined in this file; presumably it sets the file mode.

      "$(admin_file)"
      comment => "Create solaris admin_file to automate remove and install packages",
      handle => "cfe_internal_update_bins_files_solaris_admin_file",
      create => "true",
      edit_defaults => u_empty_no_backup,
      edit_line => u_admin_file,
      perms => u_m("0644"),
      ifvarclass => "solarisx86|solaris";

      "$(backup_script)"
      comment => "Create a backup script for cf-upgrade",
      handle => "cfe_internal_update_bins_files_backup_script",
      create => "true",
      ifvarclass => "!windows",
      edit_defaults => u_empty_no_backup,
      edit_line => u_backup_script,
      perms => u_m("0755");

      "$(install_script)"
      comment => "Create an install script for cf-upgrade",
      handle => "cfe_internal_update_bins_files_install_script",
      create => "true",
      ifvarclass => "!windows",
      edit_defaults => u_empty_no_backup,
      edit_line => u_install_script,
      perms => u_m("0755");

      "$(local_software_dir)/."
      create => "true",
      handle => "cfe_internal_update_bins_files_local_software_dir_presence",
      comment => "Ensure the local software directory exists for new binaries
                 to be downloaded to";

      # Package files are pulled from the policy server(s) with u_pcp (digest
      # comparison, purge of local files absent from the source). The packages
      # installed later are whatever this copy delivers; no signature or
      # checksum check of the package itself is visible in this file.
      "$(local_software_dir)"
      comment => "Copy binary updates from master source on policy server",
      handle => "cfe_internal_update_bins_files_pkg_copy",
      copy_from => u_pcp("$(master_software_location)/$(package_dir)", @(update_def.policy_servers)),
      depth_search => u_recurse("1"),       # Nova updates should be in root dir
      action => u_immediate,
      classes => u_if_repaired("bin_newpkg");

    bin_update_success.enterprise.trigger_upgrade::

      "$(local_update_log_dir)/upgraded_binary_from_$(sys.nova_version)"
      comment => "Create an empty file after successfully upgrade the binary",
      handle => "cfe_internal_update_bins_files_update_from_log",
      create => "true";

  reports:
    DEBUG|DEBUG_cfe_internal_update_bins::
      "DEBUG $(this.bundle): Evaluating binaries for upgrade using internal update mechanism"
      ifvarclass => "trigger_upgrade";

}

################################################################################

bundle edit_line u_admin_file
# @brief Admin file for automating solaris package installs
#
# Both variants set every check (partial, runlevel, idepend, rdepend, space,
# setuid, conflict, action) to "nocheck" so that package removal and install
# run without prompting. With the checks off, what gets installed is decided
# entirely by the package file copied from the policy server.
{
  insert_lines:

    sunos_5_8::

      "mail=
instance=unique
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=nocheck
conflict=nocheck
action=nocheck
basedir=default";

    solaris.!sunos_5_8::

      "mail=
instance=overwrite
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=nocheck
conflict=nocheck
action=nocheck
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
proxy=
basedir=default";

}

################################################################################

bundle edit_line u_backup_script
# @brief Script to execute before package upgrade
#
# The generated script takes the mode (BACKUP or RESTORE) as its first
# argument and the archive path as its second. $(const.dollar) emits a
# literal "$" so the shell, not CFEngine, expands the positional parameters.
#
# NOTE(review): the positional parameters are used unquoted, and RESTORE
# extracts the archive relative to whatever the current directory is when the
# script runs. Confirm what cf-upgrade passes and which directory it runs
# the script from.
{
  insert_lines:

    linux::

      "#!/bin/sh

if [ $(const.dollar)1 = \"BACKUP\" ]; then
 tar cfzS $(const.dollar)2 $(sys.workdir) > /dev/null
fi
if [ $(const.dollar)1 = \"RESTORE\" ]; then
 tar xfz $(const.dollar)2
fi";

    solarisx86|solaris::

      "#!/bin/sh

if [ $(const.dollar)1 = \"BACKUP\" ]; then
 tar cf $(const.dollar)2 $(sys.workdir);  gzip $(const.dollar)2
fi
if [ $(const.dollar)1 = \"RESTORE\" ]; then
 gunzip $(const.dollar)2.gz; tar xf $(const.dollar)2
fi";

}

################################################################################

bundle edit_line u_install_script
# @brief Script to upgrade package
#
# The generated script receives the package file as its first argument.
#
# NOTE(review): the Solaris variant ends with an unconditional "exit 0", so a
# failed pkgrm or pkgadd is not reflected in the exit status. The comment on
# backup_file in cfe_internal_update_bins says cf-upgrade restores the backup
# when the upgrade command returns non-zero; as written, that path would not
# be reached from this script. Confirm this is intended.
{
  insert_lines:

    redhat|suse|sles::

      "#!/bin/sh

/bin/rpm -U $(const.dollar)1";

    debian::

      "#!/bin/sh

/usr/bin/dpkg --force-confdef --force-confnew --install $(const.dollar)1 > /dev/null";

    solarisx86|solaris::

      "#!/bin/sh

pkgname=`pkginfo -d $(const.dollar)1 | awk '{print $(const.dollar)2}'`
/usr/sbin/pkgrm -n -a $(cfe_internal_update_bins.admin_file) $pkgname
/usr/sbin/pkgadd -n -a $(cfe_internal_update_bins.admin_file) -d $(const.dollar)1 all
$(sys.workdir)/bin/cf-execd || true
exit 0";

}

################################################################################

body edit_defaults u_empty_no_backup
# @brief Empty file before editing and create no backups
{
      # The target is rewritten from scratch on every edit and the previous
      # content is not kept.
      empty_file_before_editing => "true";
      edit_backup => "false";
}

################################################################################

body copy_from u_pcp(from,server)
# @brief Copy from `from` on `server` using digest comparison
# @param from Path on remote server to copy from
# @param server Remote host to copy from
{
      source      => "$(from)";
      compare     => "digest";
      # Unknown server keys are not accepted automatically during the copy.
      trustkey    => "false";
      # Local files that are not present at the source are removed.
      purge       => "true";

    # On the policy hub no servers list is set, so the copy is local.
    !am_policy_hub::

      servers => { "$(server)" };

    # Transfer encryption is opt-in: it is only enabled when this class is
    # defined (the class is not set anywhere in this file).
    cfengine_internal_encrypt_transfers::
      encrypt => "true";
}

################################################################################

bundle common u_common_knowledge
# @brief standalone common packages knowledge bundle
#
# This common bundle defines general things about platforms.
# @see common_knowledge
{
  vars:
      # Used as package_list_update_ifelapsed throughout u_generic;
      # 10080 is presumably minutes (7 days) - confirm against the
      # attribute's documented unit.
      "list_update_ifelapsed_now" string => "10080";
}

################################################################################

body package_method u_generic(repo)
# @brief Per-platform package method that installs from the local directory `repo`
# @param repo Directory holding the package files (package_file_repositories)
#
# On Debian, RPM-based Linux and Solaris the update command is cf-upgrade,
# driven by the backup/install scripts defined in cfe_internal_update_bins.
# Windows and AIX call the native installer directly; FreeBSD and NetBSD
# define no package_update_command here.
{

    debian::

      package_changes => "individual";
      package_list_command => "/usr/bin/dpkg -l";

      # package_list_update_command => "/usr/bin/apt-get update";
      package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";

      package_list_name_regex    => "ii\s+([^\s:]+).*";
      # package_list_version_regex => "ii\s+[^\s]+\s+([^\s]+).*";
      package_list_version_regex => "ii\s+[^\s]+\s+(\d+\.\d+((\.|-)\d+)+).*";

      package_installed_regex    => ".*"; # all reported are installed

      package_file_repositories  => { "$(repo)" };
      package_version_equal_command => "/usr/bin/dpkg --compare-versions '$(v1)' eq '$(v2)'";
      package_version_less_command => "/usr/bin/dpkg --compare-versions '$(v1)' lt '$(v2)'";


    debian.x86_64::
      package_name_convention    => "$(name)_$(version)_amd64.deb";

    debian.i686::
      package_name_convention    => "$(name)_$(version)_i386.deb";

    debian::
      package_add_command        => "/usr/bin/dpkg --force-confdef --force-confnew --install";
      package_delete_command     => "/usr/bin/dpkg --purge";

    debian::
      package_update_command =>  "$(sys.workdir)/bin/cf-upgrade -b $(cfe_internal_update_bins.backup_script) -s $(cfe_internal_update_bins.backup_file) -i $(cfe_internal_update_bins.install_script)";

    redhat|SuSE|suse|sles::

      package_changes => "individual";

      package_list_command => "/bin/rpm -qa --queryformat \"i | repos | %{name} | %{version}-%{release} | %{arch}\n\"";

      package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";

      package_list_name_regex    => "[^|]+\|[^|]+\|\s+([^\s|]+).*";
      package_list_version_regex => "[^|]+\|[^|]+\|[^|]+\|\s+([^\s|]+).*";
      package_list_arch_regex    => "[^|]+\|[^|]+\|[^|]+\|[^|]+\|\s+([^\s]+).*";

      package_installed_regex    => "i.*";

      package_file_repositories  => { "$(repo)" };

      package_name_convention    => "$(name)-$(version).$(arch).rpm";

      package_add_command        => "/bin/rpm -ivh ";
      package_delete_command     => "/bin/rpm -e --nodeps";
      package_verify_command     => "/bin/rpm -V";
      package_noverify_regex     => ".*[^\s].*";

      package_version_less_command => "$(sys.bindir)/rpmvercmp '$(v1)' lt '$(v2)'";
      package_version_equal_command => "$(sys.bindir)/rpmvercmp '$(v1)' eq '$(v2)'";

    (redhat|SuSE|suse|sles)::
      package_update_command =>  "$(sys.workdir)/bin/cf-upgrade -b $(cfe_internal_update_bins.backup_script) -s $(cfe_internal_update_bins.backup_file) -i $(cfe_internal_update_bins.install_script)";

    redhat.!redhat_4::
      package_list_update_command => "/usr/bin/yum --quiet check-update";
    redhat_4::
      package_list_update_command => "/usr/bin/yum check-update";
    SuSE|suse|sles::
      package_list_update_command => "/usr/bin/zypper list-updates";

    windows::

      package_changes => "individual";
      package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
      package_file_repositories  => { "$(repo)" };

      package_installed_regex    => ".*";

      package_name_convention    => "$(name)-$(version)-$(arch).msi";

      package_add_command        => "\"$(sys.winsysdir)\msiexec.exe\" /qn /i";
      package_update_command     => "\"$(sys.winsysdir)\msiexec.exe\" /qn /i";
      package_delete_command     => "\"$(sys.winsysdir)\msiexec.exe\" /qn /x";

    freebsd::

      package_changes => "individual";

      package_list_command => "/usr/sbin/pkg_info";

      package_list_update_command => "/usr/bin/true";
      package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";

      package_list_name_regex    => "^(\S+)-(\d+\.?)+";
      package_list_version_regex => "^\S+-((\d+\.?)+\_\d)";

      package_file_repositories  => { "$(repo)" };

      package_installed_regex    => ".*";

      package_name_convention    => "$(name)-$(version).tbz";
      package_delete_convention  => "$(name)-$(version)";

      package_add_command        => "/usr/sbin/pkg_add";
      package_delete_command     => "/usr/sbin/pkg_delete";

    netbsd::

      package_changes => "individual";

      package_list_command => "/usr/sbin/pkg_info";

      package_list_update_command => "/usr/bin/true";
      package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";

      package_list_name_regex    => "^(\S+)-(\d+\.?)+";
      # NOTE(review): "\nb" parses as a newline escape followed by "b" in
      # common regex dialects; the FreeBSD counterpart uses "\_". If a
      # literal "nb" revision suffix is intended, this pattern may never
      # match - confirm.
      package_list_version_regex => "^\S+-((\d+\.?)+\nb\d)";

      package_file_repositories  => { "$(repo)" };

      package_installed_regex    => ".*";

      package_name_convention    => "$(name)-$(version).tgz";
      package_delete_convention  => "$(name)-$(version)";

      package_add_command        => "/usr/sbin/pkg_add";
      package_delete_command     => "/usr/sbin/pkg_delete";

    solarisx86|solaris::

      package_changes => "individual";
      package_list_command => "/usr/bin/pkginfo -l";
      package_list_update_command => "/usr/bin/true";
      package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";

      package_multiline_start    => "\s*PKGINST:\s+[^\s]+";
      package_list_name_regex    => "\s*PKGINST:\s+([^\s]+)";
      package_list_version_regex => "\s*VERSION:\s+([^\s]+)";
      package_list_arch_regex    => "\s*ARCH:\s+([^\s]+)";

      package_file_repositories  => { "$(repo)" };

      package_installed_regex    => "\s*STATUS:\s*(completely|partially)\s+installed.*";
      package_name_convention    => "$(name)-$(version)-$(arch).pkg";
      package_delete_convention  => "$(name)";

      # Cfengine appends path to package and package name below, respectively
      # NOTE(review): add and delete use $(repo)/add_scr and
      # $(repo)/admin_file, which nothing in this file creates; the update
      # path below uses the admin file under /tmp instead. Since the repo
      # directory is copied from the policy server with purge enabled, these
      # two files would have to be provided there - confirm.
      package_add_command        => "/bin/sh $(repo)/add_scr $(repo)/admin_file";
      package_delete_command     => "/usr/sbin/pkgrm -n -a $(repo)/admin_file";
    (solarisx86|solaris)::
      package_update_command =>  "$(sys.workdir)/bin/cf-upgrade -b $(cfe_internal_update_bins.backup_script) -s $(cfe_internal_update_bins.backup_file) -i $(cfe_internal_update_bins.install_script)";

    aix::

      package_changes => "individual";

      package_list_update_command => "/usr/bin/true";
      package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";

      package_list_command       => "/usr/bin/lslpp -lc";
      package_list_name_regex    => "[^:]+:([^:]+):[^:]+:.*";
      package_list_version_regex => "[^:]+:[^:]+:([^:]+):.*";

      package_file_repositories  => { "$(repo)" };

      package_installed_regex    => "[^:]+:[^:]+:[^:]+:[^:]*:(COMMITTED|APPLIED):.*";

      package_name_convention    => "$(name)-$(version).bff";
      package_delete_convention  => "$(name)";

      # The .toc index in the repo is removed before geninstall runs;
      # the package name is hard-coded rather than taken from the promise.
      package_add_command        => "/usr/bin/rm -f $(repo)/.toc && /usr/sbin/geninstall -IqacgXNY -d $(repo) cfengine.cfengine-nova$";
      package_update_command     => "/usr/bin/rm -f $(repo)/.toc && /usr/sbin/geninstall -IqacgXNY -d $(repo) cfengine.cfengine-nova$";

      # package_add_command        => "/bin/sh -c /usr/sbin/inutoc $(repo) && /usr/sbin/installp -qacgXNYd $(repo) cfengine.cfengine-nova$";
      # package_update_command     => "/bin/sh -c /usr/sbin/inutoc $(repo) && /usr/sbin/installp -qacgXNYd $(repo) cfengine.cfengine-nova$";

      package_delete_command     => "/usr/sbin/installp -ug cfengine.cfengine-nova$";

}