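bundle agent cfe_internal_core_main
# @brief Entry point for CFEngine's internal housekeeping: hub state marker,
# agent process limits, log rotation, core watchdog and augments-driven
# component restarts.
{
  methods:

    !mpf_auto_am_policy_hub_state_disabled::

      # Only actuated while the marker file is absent. The called bundle
      # decides whether this host actually qualifies as a hub.
      "Verify policy hub state" -> { "CFE-3073" }
        usebundle => mpf_auto_am_policy_hub_state,
        if => not( fileexists( "$(sys.statedir)/am_policy_hub" ));

    any::

# NB! On a container host this may kill CFEngine processes inside containers.
# See https://dev.cfengine.com/issues/6906

    !mpf_disable_cfe_internal_limit_robot_agents::
      "Limit concurrent agents" -> { "CFE-1799" }
        usebundle => cfe_internal_limit_robot_agents,
        handle => "cfe_internal_management_limit_cfe_agents",
        comment => "Manage CFE processes";

    any::

      "any"
        usebundle => cfe_internal_log_rotation,
        handle => "cfe_internal_management_log_rotation",
        comment => "Rotate CFEngine logs so we don't fill the disk";

    cfe_internal_core_watchdog_disabled::

      "Disable Core Watchdog"
        usebundle => cfe_internal_core_watchdog("disabled");

    cfe_internal_core_watchdog_enabled::

      "Enable Core Watchdog"
        usebundle => cfe_internal_core_watchdog("enabled");

    mpf_augments_control_enabled::
      "mpf_augments_control"
        usebundle => mpf_augments_control;

}

bundle agent mpf_auto_am_policy_hub_state
# @brief Ensure that `$(sys.statedir)/am_policy_hub` file is present when expected
{
  files:

      # We think we are a policy hub if the policy server (the host you
      # bootstrapped to) resolves to an IP found on the host. This is intended
      # to prevent accidental removal of the am_policy_hub state file.
      #
      # some() takes a regular expression, so the policy server address is
      # passed through escape() to be compared literally; an unescaped "."
      # would match any character and could accept an address that is not
      # ours.

      "$(sys.statedir)/am_policy_hub"
        create => "true",
        if => some( escape( $(sys.policy_server) ), @(sys.ipaddresses) );

}

bundle agent mpf_augments_control
# @brief Restart CFEngine components when one of the control variables has changed.
#
# While the agent itself will reload its config upon notice of policy change
# this bundle specifically handles changes to variables used in the MPF which may
# come from external data sources which are unknown to the components themselves.
#
# Until a daemon is restarted it keeps running with the control values it was
# started with, so a changed def.control_* value is not in effect just because
# the state file below was repaired.
{

@if minimum_version(3.10)

  # This policy leverages variablesmatching_as_data() (available since
  # 3.10.0) and the -top- mustache extension (available since 3.9.0).

  vars:

      # Variables and their data which might necessitate a component restart
      "server_controls"   data => variablesmatching_as_data("default:def.control_server_.*");
      "executor_controls" data => variablesmatching_as_data("default:def.control_executor_.*");
      "monitor_controls"  data => variablesmatching_as_data("default:def.control_monitor_.*");
      "hub_controls"      data => variablesmatching_as_data("default:def.control_hub_.*");
      "runagent_controls" data => variablesmatching_as_data("default:def.control_runagent_.*");

      "common_controls"   data => variablesmatching_as_data("default:def.control_common_.*");
      "agent_controls"    data => variablesmatching_as_data("default:def.control_agent_.*");

      # Serialized data for tracking state
      "server_controls_state"   string => string_mustache("{{$-top-}}", server_controls);
      "executor_controls_state" string => string_mustache("{{$-top-}}", executor_controls);
      "monitor_controls_state"  string => string_mustache("{{$-top-}}", monitor_controls);
      "hub_controls_state"      string => string_mustache("{{$-top-}}", hub_controls);
      "runagent_controls_state" string => string_mustache("{{$-top-}}", runagent_controls);

      "common_controls_state"   string => string_mustache("{{$-top-}}", common_controls);
      "agent_controls_state"    string => string_mustache("{{$-top-}}", agent_controls);

  files:

      # Each state file holds exactly the serialized control data from the
      # last run: the file is emptied before editing, so the promise is only
      # repaired (and <prefix>_repaired only defined) when the data differs.
      #
      # NOTE(review): no perms body is set here, so the files get the agent's
      # default creation mode -- confirm that is what you want for the
      # control data stored in them.

      "$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_hub_controls"
        create => "true",
        edit_line => insert_lines( $(hub_controls_state) ),
        edit_defaults => empty,
        classes => results("bundle", "hub_controls" );

      "$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_server_controls"
        create => "true",
        edit_line => insert_lines( $(server_controls_state) ),
        edit_defaults => empty,
        classes => results("bundle", "server_controls" );

      "$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_monitor_controls"
        create => "true",
        edit_line => insert_lines( $(monitor_controls_state) ),
        edit_defaults => empty,
        classes => results("bundle", "monitor_controls" );

      "$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_executor_controls"
        create => "true",
        edit_line => insert_lines( $(executor_controls_state) ),
        edit_defaults => empty,
        classes => results("bundle", "executor_controls" );

      "$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_runagent_controls"
        create => "true",
        edit_line => insert_lines( $(runagent_controls_state) ),
        edit_defaults => empty,
        classes => results("bundle", "runagent_controls" );

      # Note a change in common controls is not expected to trigger any
      # component restart, it's simply tracked for completeness.

      "$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_common_controls"
        create => "true",
        edit_line => insert_lines( $(common_controls_state) ),
        edit_defaults => empty,
        classes => results("bundle", "common_controls" );

      # No need to restart cf-agent as it's not long running. We simply track
      # the details for completeness.

      "$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_agent_controls"
        create => "true",
        edit_line => insert_lines( $(agent_controls_state) ),
        edit_defaults => empty,
        classes => results("bundle", "agent_controls" );

  services:

    systemd::

      "cf-serverd"
        service_policy => "restart",
        if => "(server_controls_repaired|runagent_controls_repaired)";

      "cf-monitord"
        service_policy => "restart",
        if => "monitor_controls_repaired";

    systemd.enterprise_edition.(am_policy_hub|policy_server)::

      "cf-hub"
        service_policy => "restart",
        if => "hub_controls_repaired";


      # Well, this is dangerous we might kill our own agent
      # (the class defined by the executor state file is
      # executor_controls_repaired, so that is the name used here)
      # "cf-execd"
      #   service_policy => "restart",
      #   if => "(executor_controls_repaired|runagent_controls_repaired)";

  processes:

    !systemd::

      "cf-serverd"
        signals => { "term" },
        if => "(server_controls_repaired|runagent_controls_repaired)";

      "cf-monitord"
        signals => { "term" },
        if => "monitor_controls_repaired";

    # A class guard replaces the previous one, it does not nest under it, so
    # the non-systemd condition has to be repeated here. With a plain
    # "systemd" guard cf-hub would be signalled on systemd hosts (where the
    # services promise above already restarts it) and never on the
    # non-systemd hubs this section is meant for.
    !systemd.enterprise_edition.(am_policy_hub|policy_server)::

      "cf-hub"
        signals => { "term" },
        if => "hub_controls_repaired";


      # Well, this is dangerous we might kill our own agent
      # (the class defined by the executor state file is
      # executor_controls_repaired, so that is the name used here)
      # "cf-execd"
      #   signals => { "term" },
      #   if => "(executor_controls_repaired|runagent_controls_repaired)";

@endif

  # The promisers below are report messages. Without an explicit promise type
  # they would be read as part of the preceding processes: section (or, when
  # the @if block above is skipped, sit in the bundle with no promise type).
  reports:

    server_controls_repaired|runagent_controls_repaired::
      "Should restart cf-serverd because something in its data changed.";

    # cf-execd is not restarted automatically by this bundle (see the
    # commented-out promises above), so this message is the only notice that
    # it is still running with the previous control values.
    executor_controls_repaired|runagent_controls_repaired::
      "Should restart cf-execd because something in its data changed.";

    monitor_controls_repaired::
      "Should restart cf-monitord because something in its data changed.";

    hub_controls_repaired::
      "Should restart cf-hub because something in its data changed.";

    # These print the serialized control data itself into the agent output.
    DEBUG|DEBUG_mpf_augments_control::
      "DEBUG $(this.bundle): Common control $(common_controls_state)";
      "DEBUG $(this.bundle): Agent control $(agent_controls_state)";
      "DEBUG $(this.bundle): Executor control $(executor_controls_state)";
      "DEBUG $(this.bundle): Server control $(server_controls_state)";
}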