1The Masterfiles Policy Framework is the default policy 2that ships with both the CFEngine Enterprise and 3Community editions. The MPF includes policy to manage 4cfengine itself, the stdlib, and policy to inventory 5various aspects of the system. 6 7# Overview 8 9* `update.cf` - The update policy entry. 10* `promises.cf` - The main policy entry. 11* `lib/` - The standard library. 12* `inventory/` - Inventory policy. 13* `services` - User defined custom policy. 14* `services/main.cf` - Contains an empty bundle agent main where custom policy 15 can be integrated. 16* `services/autorun/` - Automatically included policy files. 17 18The MPF is continually updated. You can track its development 19on [github](https://github.com/cfengine/masterfiles/). 20 21# Configuration 22 23The most common controls reference variables in the ```def``` bundle in order to 24keep the modifications to the distributed policy contained within a single 25place. The recommended way to set classes and define variables in the ```def``` 26bundle is using an [augments file][Augments]. Keeping the modifications to the 27distributed policy set makes policy framework upgrades significantly easier. 28 29Note: If you need to make modification to a shipped file consider opening a pull 30request to expose the tunable into the ```def``` bundle. 31 32**Note:** `controls/def.cf` contains the defaults and settings for `promises.cf` 33and `controls/update_def.cf` contains the defaults and settings for `update.cf`. 34 35Since 3.7.8, 3.10.4, and 3.12.0 The class `cf_runagent_initated` is defined by 36default in the MPF for agent executions initiated by `cf-runagent` through 37`cf-serverd`. Previously the class `cfruncommand` was defined. See `body server 38control cfruncommand` in `controls/cf_serverd.cf`. 39 40## Update Policy (update.cf) 41 42Synchronizing clients with the policy server happens here, in 43`update.cf`. Its main job is to copy all the files on the policy 44server (usually the hub) under `$(sys.masterdir)` (usually 45`/var/cfengine/masterfiles`) to the local host into `$(sys.inputdir)` 46(usually `/var/cfengine/inputs`). 47 48This file should rarely if ever change. Should you ever change it (or 49when you upgrade CFEngine), take special care to ensure the old and 50the new CFEngine can parse and execute this file successfully. If not, 51you risk losing control of your system (that is, **if CFEngine cannot 52successfully execute `update.cf`, it has no mechanism for distributing 53new policy files**). 54 55By default, the policy defined in update.cf is executed at the 56beginning of a `cf-execd` scheduled agent run (see `schedule` and 57`exec_command` as defined in `body executor control` in 58`controls/cf_execd.cf`). When the update policy completes 59(regardless of success or failure) the policy defined in `promises.cf` 60is activated. 61 62This is a standalone policy file. You can actually run it with 63`cf-agent -KI -f ./update.cf` but if you don't understand what that 64command does, please hold off until you've gone through the CFEngine 65documentation. The contents of `update.cf` duplicate other things 66under `lib` sometimes, in order to be completely standalone. 67 68To repeat, when `update.cf` is broken, things go bonkers. CFEngine 69will try to run a backup `failsafe.cf` you can find in the C core 70under `libpromises/failsafe.cf` (that `.cf` file is written into the C 71code and can't be modified). If things get to that point, you probably 72have to look at why corrupted policies made it into production. 73 74As is typical for CFEngine, the policy and the configuration are mixed. In 75`controls/update_def.cf` you'll find some very useful settings. Keep referring 76to `controls/update_def.cf` as you read this. We are skipping the nonessential 77ones. 78 79### Configure upstream masterfiles location for policy update 80 81Want to get your policy from a place other than `/var/cfengine/masterfiles` on 82`sys.policy_hub`? 83 84With an augments like this: 85 86``` 87{ 88 "vars": { 89 "house": "Gryffindor", 90 "mpf_update_policy_master_location": "/srv/cfengine/$(sys.flavor)/$(def.house)" 91 } 92} 93``` 94 95A CentOS 7 host would copy policy from `/srv/cfengine/centos_6/Gryffindor` to 96`$(sys.inputdir)` (commonly `/var/cfengine/inputs`). 97 98**History:** 99 100- Introduced in 3.12.0. 101 102### Append to inputs used by update policy 103 104You can append to the inputs used by the update policy via augments by defining 105```vars.update_inputs```. The following example will add the policy file 106```my_updatebundle1.cf``` to the list of policy file inputs during the update policy. 107 108 109```json 110{ 111 "vars":{ 112 "update_inputs": [ "my_updatebundle1.cf" ] 113 } 114} 115``` 116 117### Append to the update bundlesequence 118 119You can specify bundles which should be run at the end of the default update 120policy bundlesequence by defining ```control_common_update_bundlesequence_end``` 121in the vars of an [augments file][Augments]. 122 123For example: 124 125```json 126{ 127 "vars":{ 128 "control_common_update_bundlesequence_end": [ "my_updatebundle1", "mybundle2" ] 129 } 130} 131``` 132 133**Notes:** 134 135* The order in which bundles are actuates is not guaranteed. 136* The agent will error if a named bundle is not part of inputs. 137 138### Specify the agent bundle used for policy update 139 140The MPF uses `cfe_internal_update_policy_cpv` to update inputs and modules on 141remote agents. When new policy is verified by the agent 142`/var/cfengine/masterfiles/cf_promises_validated` is updated with the current 143timestamp. This file is used by remote agents to avoid unnecessary inspection of 144all files each time the update policy is triggered. 145 146Override this bundle by setting `def.mpf_update_policy_bundle` via augments: 147 148``` 149{ 150 "vars": { 151 "mpf_update_policy_bundle": "MyCustomPolicyUpdateBundle" 152 } 153} 154``` 155 156**History:** 157 158- Introduced in 3.12.0 159 160#### ignore_missing_bundles 161 162This option allows you to ignore errors when a bundle specified in body common control bundlesequence is not found. 163 164This example illustrates enabling the option via augments. 165 166``` 167{ 168 "vars": { 169 "control_common_ignore_missing_bundles": "true" 170 } 171} 172``` 173 174**NOTE:** The same augments key is used for both `update.cf` and `promsies.cf` entries. 175 176**History:** 177 178- Introduced in 3.12.0 179 180#### ignore_missing_inputs 181 182This option allows you to ignore errors when a file specified in body common control inputs is not found. 183 184This example illustrates enabling the option via augments. 185 186``` 187{ 188 "vars": { 189 "control_common_ignore_missing_inputs": "true" 190 } 191} 192``` 193 194**NOTE:** The same augments key is used for both `update.cf` and `promsies.cf` entries. 195 196**History:** 197 198- Introduced in 3.12.0 199 200### Verify update transfers 201 202Enable additional verrification after file transfers during policy update by 203defining the class ```cfengine_internal_verify_update_transfers```. When this 204class is defined, the update policy will hash the transfered file and compare it 205against the hash given by the server 206 207This [augments file][Augments] will enable this behavior for all clients. 208 209``` 210{ 211 "classes": { 212 "cfengine_internal_verify_update_transfers": [ "any" ] 213 } 214} 215``` 216 217### Encrypted transfers 218 219**Note:** When using protocol version 2 or greater all communications are 220encapsulated within a TLS session. This configuration option is only relevant 221for clients using protocol version 1 (default for versions 3.6 and prior). 222 223To enable encryption during policy updates define the class 224```cfengine_internal_encrypt_transfers```. 225 226### Preserve permissions 227 228By default the MPF does not *enforce* permissions of *inputs*. When 229*masterfiles* are copied to *inputs*, new files are created with default 230restrictive permissions. If the class 231```cfengine_internal_preserve_permissions``` is defined the permissions of the 232policy server's masterfiles will be preserved when they are copied. 233 234### Enable CFEngine Enterprise HA 235 236When the ```enable_cfengine_enterprise_hub_ha``` class is defined the policy to 237manage High Availability of Enterprise Hubs is enabled. 238 239**Note:** This class is **not** defined by default. 240 241### Disable cf\_promises\_validated check 242 243For non policy hubs the default update policy only performs a full scan of 244masterfiles if ```cf_promises_validated``` is repaired. This repair indicates 245that the hub has validated new policy that the client needs to refresh. 246 247To disable this check define the 248```cfengine_internal_disable_cf_promises_validated``` class. 249 250It not recommended to disable this check as it both removes a safety mechanism 251that checks for policy to be valid before allowing clients to download updates, 252and the increased load on the hub will affect scalability. 253 254If you want to periodically perform a full scan consider adding custom policy to 255simply remove ```$(sys.inputdir)/cf_promises_validated```. This will cause the 256file to be repaired during the next update run triggering a full scan. 257 258### Disable automatically removing files not present upstream (SYNC masterfiles) 259 260By default, the MPF will keep inputdir in sync with masterfiles on the hub. If 261the class ```cfengine_internal_purge_policies_disabled``` is defined the update 262behavior will only keep files that exist on the remote up to date locally, files 263that exist locally that do not exist upstream will be left behind. Note, if this 264is disabled and a policy file that is dynamically loaded based on it's presence 265is renamed, duplicate definition errors may occur, preventing policy execution. 266 267This [augments file][Augments] will enable this behavior for all clients. 268 269``` 270{ 271 "classes": { 272 "cfengine_internal_purge_policies_disabled": [ "any" ] 273 } 274} 275``` 276 277**History:** 278 279- Introduced in 3.18.0, previously, the default behavior was opposite and the class `cfengine_internal_purge_policies` had to be enabled to keep inputs in sync with masterfiles. 280 281### Disable limiting robot agents 282 283By default the MPF (Masterfiles Policy Framework) contains active policy that is intended to remediate a pathological condition where multiple agent component daemons (like cf-execd) are running concurrently. 284 285Define the class ```mpf_disable_cfe_internal_limit_robot_agents``` to disable this automatic remediation. 286 287```json 288{ 289 "classes": { 290 "mpf_disable_cfe_internal_limit_robot_agents": [ "any" ] 291 } 292} 293``` 294 295**History:** 296 297- Introduced in 3.15.0, 3.12.3, 3.10.7 298 299### Automatically deploy masterfiles from Version Control 300 301On a CFEngine Enterprise Hub during the update policy if the class 302```cfengine_internal_masterfiles_update``` is defined masterfiles will be 303automatically deployed from an upstream version control repository using 304the 305[settings defined via Mission Portal][Best Practices#Version Control and Configuration Policy] or 306directly in ```/opt/cfengine/dc-scripts```. 307 308**Note:** Any policy in the distribution location (/var/cfengine/masterfiles) 309will be deleted the first time this tooling runs. Be wary of local modifications 310before enabling. 311 312### Policy Analyzer Exclude Files 313 314When the policy analyzer is enabled, a copy of the policy is made available for viewing from Mission Portal. To exclude files from this view you can define ```def.cfengine_enterprise_policy_analyzer_exclude_files``` as a list of regular expressions matching files that you do not want to be viewable from Policy Analyzer. 315 316This [augments file][Augments] will prevent any files named `please-no-copy` and any file names that contain `no-copy-me` from being copied and visible from Policy Analyzer. 317 318```json 319{ 320 "vars": { 321 "cfengine_enterprise_policy_analyzer_exclude_files": [ "please-no-copy", ".*no-copy-me.*" ] 322 }, 323} 324``` 325 326**History:** 327 328* Added in 3.19.0, 3.18.1 329 330### Policy Permissions 331 332By default the policy enforces permissions of ```0600``` meaning that inputs are 333only readable by their owner. If you are distributing scripts with your 334masterfiles, be sure there is a policy to ensure they are executable when you 335expect them to be. 336 337### Agent binary upgrades 338 339Remote agents can upgrade their own binaries using the built in binary upgrade 340policy. Packages must be placed in `/var/cfengine/master_software_updates` in 341the appropriate platform directory. Clients will automatically download and 342install packages when the ```trigger_upgrade``` class is defined during a run of 343`update.cf`. 344 345 346This [augments file][Augments] will defines `trigger_upgrade` on hosts with IPv4 addresses in 192.0.2.0/24 or 203.0.113.0/24 or hosts that have a cfengine 3.10 class not for cfengine 3.10.2. 347 348```json 349{ 350 "classes": { 351 "trigger_upgrade": [ 352 "ipv4_10_10_1", 353 "ipv4_10_10_2", 354 "cfengine_3_10_(?!2$)\\d+" 355 ] 356 } 357} 358``` 359 360**Notes:** 361 362- This policy is specific to CFEngine Enterprise. 363- The negative look ahead regular expression is useful because it automatically 364 turns off on hosts after they reach the target version. 365 366#### Configure path that software is served from for autonomous agent upgrades 367 368{% comment %}ENT-4953{% endcomment %} 369`def.master_software_updates` defines the path that cfengine policy servers 370share software updates from. Remote agents access this path via the 371`master_software_updates` *shortcut*. By default this path is 372`$(sys.workdir)/master_software_updates`. This path can be overridden via 373`vars.dir_master_software_updates` in augments. 374 375For example: 376 377```json 378{ 379 "vars": { 380 "dir_master_software_updates": "/srv/cfengine-software-updates/" 381 } 382} 383``` 384 385**History:** 386- Introduced 3.15.0, 3.12.3, 3.10.8 387 388#### Disable seeding binaries on hub 389 390By default when `trigger_upgrade` is defined on a hub, the hub will download 391packages for agents to use during self upgrade. This automatic download behavior 392is disabled when the class `mpf_disable_hub_masterfiles_software_update_seed` is 393defined. 394 395For example: 396 397```json 398{ 399 "classes": { 400 "mpf_disable_hub_masterfiles_software_update_seed": [ "policy_server::" ] 401 } 402} 403``` 404 405**History:** 406 407- Introduced 3.19.0, 3.18.1 408 409### Files considered for copy during policy updates 410 411The default update policy only copies files that match regular expressions 412listed in ```def.input_name_patterns```. 413 414This [augments file][Augments] ensures that only files ending in ```.cf```, ```.dat```, 415```.mustache```, ```.json```, ```.yaml``` and the file 416```cf_promises_release_id``` will be considered by the default update policy. 417 418``` 419{ 420 "vars": { 421 "input_name_patterns": [ ".*\\.cf", ".*\\.dat", ".*\\.txt", ".*\\.conf", 422 ".*\\.mustache", ".*\\.sh", ".*\\.pl", ".*\\.py", ".*\\.rb", 423 ".*\\.sed", ".*\\.awk", "cf_promises_release_id", ".*\\.json", 424 ".*\\.yaml", ".*\\.csv" ] 425 } 426} 427``` 428 429**Note:** This filter does **not** apply to bootstrap operations. During 430bootstrap the 431embedded 432[failsafe policy](https://github.com/cfengine/core/blob/master/libpromises/failsafe.cf) is 433used and it decides which files should be copied. 434 435### Configuring component management 436 437The Masterfiles Policy Framework ships with policy to manage the components of CFEngine. 438 439By default, for hosts without systemd, this policy defaults to ensuring that components are running. 440 441On systemd hosts, the policy to manage component units is disabled by default. 442 443#### Enable management of components on systemd hosts 444 445To allow the Masterfiles Policy Framework to actively manage cfengine systemd units and state define the `mpf_enable_cfengine_systemd_component_management`. 446 447This example illustrates enabling management of components on systemd hosts having a class matching `redhat_8` via augments. 448 449```json 450{ 451 "classes": { 452 "mpf_enable_cfengine_systemd_component_management": [ "redhat_8" ] 453 } 454} 455``` 456 457When enabled, the policy will render systemd unit files in `/etc/systemd/system` for managed services. Mustache templates for service units are in the *templates* directory in the root of the Masterfiles Policy Framework. 458 459When enabled, the policy will make sure that all units are enabled, unless they have been disabled by a persistent class or are explicitly listed as an agent to be disabled. 460 461#### Enable or disable CFEngine components 462 463##### Using persistent classes 464###### persistent\_disable\_*DAEMON* 465 466**Description:** Disable a CFEngine Enterprise daemon component persistently. 467 468`DAEMON` can be one of `cf_execd`, `cf_monitord` or `cf_serverd`. 469 470This will stop the AGENT from starting automatically. 471 472This [augments file][Augments] will ensure that `cf-monitord` is disabled on hosts that have 473`server1` or the `redhat` class defined. 474 475``` 476{ 477 "classes": { 478 "persistent_disable_cf_monitord": [ "server1", "redhat" ] 479 } 480} 481``` 482 483###### clear_persistent\_disable\_*DAEMON* 484 485**Description:** Re-enable a previously disabled CFEngine Enterprise daemon 486component. 487 488`DAEMON` can be one of `cf_execd`, `cf_monitord` or `cf_serverd`. 489 490This [augments file][Augments] will ensure that `cf-monitord` is not disabled on `redhat` 491hosts. 492 493``` 494{ 495 "classes": { 496 "clear_persistent_disable_cf_monitord": [ "redhat" ] 497 } 498} 499``` 500 501##### Using augments 502##### agents_to_be_disabled 503 504**Description:** list of agents to disable. 505 506This [augments file][Augments] is a way to specify that `cf-monitord` should be disabled on all hosts. 507 508``` 509{ 510 "vars": { 511 "agents_to_be_disabled": [ "cf-monitord" ] 512 } 513} 514``` 515 516## Main Policy (promises.cf) 517 518The following settings are defined in `controls/def.cf` can be set from an 519[augments file][Augments]. 520 521### dmidecode inventory 522 523When dmidecode is present, some key system attributes are inventoried. The 524inventoried attributes can be overridden by defining 525`def.cfe_autorun_inventory_demidecode[dmidefs]` via augments. dmidecode queries 526each key in dmidefs and tags the result with the value prefixed with 527`attribute_name=` Note, as the dmidefs are overridden, you must supply all 528desired inventory attributes. 529 530For example: 531 532```json 533{ 534 "vars": { 535 "cfe_autorun_inventory_dmidecode": { 536 "dmidefs": { 537 "bios-vendor": "BIOS vendor", 538 "bios-version": "BIOS version", 539 "system-serial-number": "System serial number", 540 "system-manufacturer": "System manufacturer", 541 "system-version": "System version", 542 "system-product-name": "System product name", 543 "bios-release-date": "BIOS release date", 544 "chassis-serial-number": "Chassis serial number", 545 "chassis-asset-tag": "Chassis asset tag", 546 "baseboard-asset-tag": "Baseboard asset tag" 547 } 548 } 549 } 550} 551``` 552 553**History:** 554- Introduced 3.13.0, 3.12.1, 3.10.5 555 556### mailto 557 558The address that `cf-execd` should email agent output to. 559 560### mailfrom 561 562The address that output mailed from `cf-execd` should come from. 563 564### smtpserver 565 566The SMTP server that `cf-execd` should use to send emails. 567 568### acl 569 570`def.acl` is a list of of network ranges that should be allowed to connect to cf-serverd. It is also used in the default access promises to allow hosts access to policy and modules that should be distributed. 571 572Here is an example setting the acl from augments: 573 574``` 575{ 576 "vars": { 577 "acl": [ "24.124.0.0/16", "192.168.33.0/24" ] 578 } 579} 580``` 581 582**See Also:** [Configure networks allowed to make collect calls (client initiated reporting)](#configure-networks-allowed-to-make-collect_calls-client-initiated-reporting) 583 584### ignore_missing_bundles 585 586This option allows you to ignore errors when a bundle specified in body common control bundlesequence is not found. 587 588This example illustrates enabling the option via augments. 589 590``` 591{ 592 "vars": { 593 "control_common_ignore_missing_bundles": "true" 594 } 595} 596``` 597 598**NOTE:** The same augments key is used for both `update.cf` and `promises.cf` entries. 599 600**History:** 601 602- Introduced in 3.12.0 603 604### ignore_missing_inputs 605 606This option allows you to ignore errors when a file specified in body common control inputs is not found. 607 608This example illustrates enabling the option via augments. 609 610``` 611{ 612 "vars": { 613 "control_common_ignore_missing_inputs": "true" 614 } 615} 616``` 617 618**NOTE:** The same augments key is used for both `update.cf` and `promises.cf` entries. 619 620**History:** 621 622- Introduced in 3.12.0 623 624### trustkeysfrom 625 626The list of network ranges that `cf-serverd` should trust keys from. This is 627should only be open on policy servers while new hosts are expected to be 628bootstrapped. It should be empty after your hosts have been bootstrapped to 629avoid unwanted hosts from being able to bootstrap. 630 631By default the MPF configures `cf-serverd` to trust keys from any host. This is 632convenient for simplified bootstrapping. After initial deployment it is 633recommended that this setting be reviewed and adjusted appropriately according 634to the needs of your infrastructure. 635 636The [augments][Augments] file (```def.json```) can be used to override the 637default setting. For example it can be restricted to ```127.0.0.1``` to prevent 638keys from any foreign host from being automatically accepted. 639 640``` 641{ 642 "vars": { 643 "trustkeysfrom": [ "127.0.0.1" ] 644 } 645} 646``` 647 648Prevent automatic trust for any host by specifying an empty value: 649 650``` 651{ 652 "vars": { 653 "trustkeysfrom": [ "" ] 654 } 655} 656``` 657### Append to inputs used by main policy 658 659The `inputs` key in augments can be used to add additional custom policy files. 660 661**See Also:** [Append to inputs used by update policy][Append to inputs used by update policy] 662 663**History:** 664 665* Introduced in CFEngine 3.7.3, 3.12.0 666 667### services\_autorun 668 669See the documentation in [services/autorun][mpf-services-autorun]. 670 671### postgresql\_full\_maintenance 672 673On CFEngine Enterprise policy hubs this class is defined by default on Sundays 674at 2am. To adjust when postgres maintenance operations run edit 675`controls/def.cf` directly. 676 677### postgresql\_vacuum 678 679On CFEngine Enterprise policy hubs this class is defined by default at 2am when 680```postgresql_maintenance_supported``` is defined except for Sundays. 681 682To adjust when postgres maintenance operations run edit `controls/def.cf` 683directly. 684 685### enable_cfengine_enterprise_hub_ha 686 687Set this class when you want to enable the CFEngine Enterprise HA policies. 688 689This class can be defined by an [augments file][Augments]. For example: 690 691``` 692{ 693 "classes" { 694 "enable_cfengine_enterprise_hub_ha": [ "hub001" ] 695 } 696} 697``` 698 699### enable\_cfe\_internal\_cleanup\_agent\_reports 700 701This class enables policy that cleans up report diffs when they exceed 702`def.max_client_history_size`. By default is is **off** unless a CFEngine 703Enterprise agent is detected. 704 705### Configure splaytime 706 707`splaytime` is the maximum number of minutes `exec_commad` should wait before executing. 708 709Note: `splaytime` should be less than the scheduled interval plus agent run time. So for example if your agent run time is over 1 minute and you are running the default execution schedule of 5 mintues your splay time should be set to 3. 710 711Configure it via augments by defining ```control_executor_splaytime```: 712 713``` 714{ 715 "vars": { 716 "control_executor_splaytime": "3" 717 } 718} 719``` 720 721### Configure agent expiration 722 723cf-agents spawned by cf-execd are killed after this number of minutes of not returning data. 724 725Example configuration via augments: 726 727``` 728{ 729 "vars": { 730 "control_executor_agent_expireafter": "15" 731 } 732} 733``` 734 735### Configure agent execution schedule 736 737The execution scheduled is expressesd as a list of classes. If any of the classes are defined when cf-execd wakes up then exec_command is triggered. By default this is set to a list of time based classes for every 5th minute. This results in a 5 minute execution schedule. 738 739Example configuration via augments: 740 741``` 742{ 743 "vars": { 744 "control_executor_schedule": [ "Min00", "Min30" ] 745 } 746} 747``` 748 749The above configuration would result in exec_command being triggered at the top and half hour and sleeping for up to `splaytime` before agent execution. 750 751### Configure cf-execd runagent socket users 752 753On Enterprise hubs, access to cf-execd sockets can be configured as a list of users who should be allowed by defining `vars.control_executor_runagent_socket_allow_users`. By default on Enterprise Hubs, `cfapache` is allowed to access runagent sockets. 754 755``` 756{ 757 "vars": { 758 "control_executor_runagent_socket_allow_users": [ "cfapache", "vpodzime" ] 759 } 760} 761``` 762 763**History:** 764 765* Added in CFEngine 3.18.0 766 767### Allow connections from the classic/legacy protocol 768 769By default since 3.9.0 `cf-serverd` disallows connections from the classic protocol by default. To allow clients using the legacy protocol (versions prior to 3.7.0 by default) define ```control_server_allowlegacyconnects``` as a list of networks. 770 771Example definition in augments file: 772 773``` 774{ 775 "vars": { 776 "control_server_allowlegacyconnects": [ "0.0.0.0/0" ] 777 } 778} 779``` 780 781### Configure users allowed to initate execution via cf-runagent 782 783cf-serverd only allows specified users to request unscheduled execution remotely via cf-runagent. 784 785By default the MPF allows `root` to request unscheduled execution of non policy servers and does not allow any users to request unscheduled execution from policy servers. 786 787To configure the list of users allowed to request unscheduled execution define `vars.control_server_allowusers`. 788 789``` 790{ 791 "vars": { 792 "control_server_allowusers": [ "root", "nickanderson", "cfapache" ], 793 } 794} 795``` 796 797It's possible to configure different users that are allowed for policy servers versus non policy servers via `vars.control_server_allowusers_non_policy_server` and `vars.control_server_allowusers_policy_server`. However, if `vars.control_server_allowusers` is defined, it has precedence. 798 799This example allows the users `hubmanager` and `cfoperator` to request unscheduled execution from policy servers and no users are allowed to request unscheduled runs from non policy servers. 800 801``` 802{ 803 "vars": { 804 "control_server_allowusers_non_policy_server": [ ], 805 "control_server_allowusers_policy_server": [ "hubmanager", "cfoperator" ] 806 } 807} 808``` 809 810**History:** 811 812- Added in 3.13.0, 3.12.1 813- Added `vars.control_server_allowusers` in 3.18.0 814 815**See Also:** [Configure hosts allowed to initate execution via cf-runagent][Configure hosts allowed to initate execution via cf-runagent] 816 817### Configure hosts allowed to initate execution via cf-runagent 818 819cf-serverd only allows specified hosts to request unscheduled execution remotely via `cf-runagent`. 820 821By default the MPF allows policy servers (as defined by `def.policy-servers`) to initiate agent runs via `cf-runagent`. 822 823 824To configure the list of hosts allowed to request unscheduled execution define `vars.mpf_admit_cf_runagnet_shell`. This example allows the IPv4 address `192.168.42.10`, the host `bastion.example.com`, and the host with identity `SHA=43c979e264924d0b4a2d3b568d71ab8c768ef63487670f2c51cd85e8cec63834` and policy servers the ability to initiate agent runs via `cf-runagent`. 825 826```json 827{ 828 "vars": { 829 "mpf_admit_cf_runagent_shell": [ "192.168.42.10", 830 "bastion.example.com", 831 "SHA=43c979e264924d0b4a2d3b568d71ab8c768ef63487670f2c51cd85e8cec63834", 832 "@(def.policy_servers)" 833 ] 834 } 835} 836``` 837 838**See Also:** [Configure users allowed to initate execution via cf-runagent][Configure users allowed to initate execution via cf-runagent] 839 840**History:** 841 842- Added in CFEngine 3.18.0 843 844### Configure retention for files in log directories 845 846By default the MPF rotates managed log files when they reach 1M in size. To configure this limit via augments define `vars.mpf_log_file_max_size`. 847 848For example: 849 850``` 851{ 852 "vars": { 853 "mpf_log_file_max_size": "10M" 854 } 855} 856``` 857 858By default the MPF keeps up to 10 rotated log files. To configure this limit via augments define `vars.mpf_log_file_retention`. 859 860For example: 861 862``` 863{ 864 "vars": { 865 "mpf_log_file_retention": "5" 866 } 867} 868``` 869 870By default the MPF retains log files in log directories (`outputs`, `reports` and application logs in Enterprise) for 30 days. This can be configured by setting `vars.mpf_log_dir_retention` via augments. 871 872For example: 873 874``` 875{ 876 "vars": { 877 "mpf_log_dir_retention": "7" 878 } 879} 880``` 881 882### Configure retention of assets generated by asynchronous query api or scheduled reports 883 884By default the MPF is configured to retain reports generated by the asynchronous query api and scheduled reports generated by CFEngine Enterprise. This can be configured by setting `vars.purge_scheduled_reports_older_than_days` via augments. 885 886```json 887{ 888 "vars": { 889 "purge_scheduled_reports_older_than_days": "30" 890 } 891} 892``` 893 894### Adjust the maximum amount of client side report data to retain (CFEngine Enterprise) 895 896Enterprise agents cache detailed information about each agent run locally. The 897data is purged when the data is reported to a hub. If the volume of data exceeds 898`def.max_client_history_size` then the client will purge the local data in order 899to keep report collection from timing out. 900 901The default 50M threshold can be configured using an [augments file][Augments], for example: 902 903``` 904{ 905 "vars": { 906 "max_client_history_size": "5M" 907 } 908} 909``` 910 911### Enterprise hub pull collection schedule 912 913By default Enterprise hubs initiate pull collection once every 5 minutes. This can be overridden in the MPF by defining `def.control_hub_hub_schedule` as a list of classes that should trigger collection when defined. 914 915Here we set the schedule to initiate pull collection once every 30 minutes via augments. 916 917```json 918{ 919 "vars": { 920 "control_hub_hub_schedule": [ "Min00", "Min30" ] 921 } 922} 923``` 924 925**History:** 926 927- MPF override introduced in 3.13.0, 3.12.2 928 929### Configure maximum age in hours of old reports for cf-hub to collect 930 931By default cf-hub instructs clients to expire reports older than 6 hours in order to prevent a build up of reports that could cause a condition where the client is never able to send all reports within the collection window. 932 933You can adjust this time by setting `vars.control_hub_client_history_timeout` 934 935For example: 936 937 938```json 939{ 940 "vars": { 941 "control_hub_client_history_timeout": "72" 942 } 943} 944``` 945 946**History:** 947 948- MPF override introduced in 3.13.0, 3.12.2 949 950### Exclude hosts from hub initiated report collection 951 952You may want to exclude some hosts like community agents, hosts behind NAT, and 953hosts using client initiated reporting from hub initiated report collection. To 954exclude hosts from hub initiated report collection define 955`def.control_hub_exclude_hosts` in an [augments file][Augments]. 956 957For example to completely disable hub initiated report collection: 958 959```json 960{ 961 "vars": { 962 "control_hub_exclude_hosts": [ "0.0.0.0/0" ] 963 } 964} 965``` 966 967**History:** 968 969- MPF override introduced in 3.13.0, 3.12.2 970 971### Change port used for enterprise report collection 972 973By default cf-hub collects reports by connecting to port 5308. You can change this default by setting `vars.control_hub_port` in augments. 974 975For example: 976 977```json 978{ 979 "vars": { 980 "control_hub_port": "8035" 981 } 982} 983``` 984 985**History:** 986 987- Added in 3.13.0, 3.12.2 988 989### Change hub to client connection timeout 990 991By default, cf-hub times out a connection after 30 seconds. 992This can be configured in augments. 993 994For example: 995 996```json 997{ 998 "vars": { 999 "control_hub_query_timeout": "10" 1000 } 1001} 1002``` 1003 1004**Note:** 1005 1006- A value of `"0"` will cause the default to be used. 1007 1008**History:** 1009 1010- Added in 3.15.0 1011 1012### Enable client initiated reporting 1013 1014In the default configuration for Enterprise report collection the hub 1015periodically polls agents that are bootstrapped to collect reports. Sometimes it 1016may be desirable or necessary for the client to initiate report collection. 1017 1018To enable client initiated reporting define the class 1019`client_initiated_reporting_enabled`. You may also want to configure the report 1020interval (how frequently an agent will try to report it's data to the hub) by default it is set to 5. The 1021reporting interval `def.control_server_call_collect_interval` and the class can 1022be defined in an [augments file][Augments]. 1023 1024For example: 1025 1026``` 1027{ 1028 "classes" { 1029 "client_initiated_reporting_enabled": [ "any" ] 1030 }, 1031 "vars": { 1032 "control_server_call_collect_interval": "1", 1033 } 1034} 1035``` 1036 1037### Configure client initiated reporting timeout 1038 1039By default cf-serverd holds an open connection for client initiated for 30 1040seconds. In some environments this value may need to be increased in order for 1041report collection to finish. Once the connection has been open for longer than 1042the specified seconds it is closed. 1043 1044The window of time can be controled by setting `def.control_server_collect_window`. 1045 1046For example, enable client initated reporting for all hosts with a 10 minute interval and hold the connection open for 90 seconds. 1047 1048``` 1049{ 1050 "classes" { 1051 "client_initiated_reporting_enabled": [ "any" ] 1052 }, 1053 "vars": { 1054 "control_server_collect_window": "90", 1055 "control_server_call_collect_interval": "10" 1056 } 1057} 1058``` 1059 1060**History:** 1061 1062- Added in 3.10.6, 3.12.2, 3.13.1 1063 1064### Configure MPF to automatically restart components on relevant data change 1065 1066While the agent itsef will reload its config upon notice of policy change this 1067bundle specifically handles changes to variables used in the MPF which may come 1068from external data sources which are unknown to the components themselves. 1069 1070Currently only `cf-serverd` and `cf-monitord` are handled. `cf-execd` is 1071**NOT** automatically restarted. 1072 1073To enable this functionality define the class **`mpf_augments_control_enabled`** 1074 1075```json 1076{ 1077 "classes":{ 1078 "mpf_augments_control_enabled": [ "any" ] 1079 } 1080} 1081``` 1082 1083**Notes:** In order for custom ACLs to leverage augments and support data based 1084restart you should use variables prefixed with ```control_server_```. 1085 1086For example changes to ```vars.control_server_my_access_rules``` 1087when ```mpf_augments_control_enabled``` is defined will result 1088in `cf-serverd` restarting. 1089 1090 1091```json 1092{ 1093 "classes": { 1094 "mpf_augments_control_enabled": [ "any" ] 1095 }, 1096 "vars": { 1097 "control_server_my_access_rules" : { 1098 "/var/repo/": { 1099 "admit": "def.acl" 1100 } 1101 } 1102 } 1103} 1104``` 1105 1106**History:** Added 3.11.0 1107 1108### Configure maxconnections for cf-serverd 1109 1110`maxconnections` in `body server control` configures the maximum number of 1111connections allowed by cf-serverd. Recommended to be set greater than the number 1112of hosts bootstrapped. 1113 1114This can be configured via [augments][Augments]: 1115 1116``` 1117{ 1118 "vars":{ 1119 "control_server_maxconnections": "1000" 1120 } 1121} 1122``` 1123 1124**History:** Added 3.11.0 1125 1126### Configure networks allowed to make collect_calls (client initiated reporting) 1127 1128By default the hub allows collect calls (client initiated reporting) from the 1129networks defined in `def.acl` To configure which networks are allowed to 1130initiate report collection define 1131`def.mpf_access_rules_collect_calls_admit_ips`. 1132 1133For example to allow client initiated reporting for hosts coming from 1134`24.124.0.0/16`: 1135 1136``` 1137{ 1138 "vars": { 1139 "mpf_access_rules_collect_calls_admit_ips": [ "24.124.0.0/16" ] 1140 } 1141} 1142``` 1143 1144**See Also:** [Generic acl](#acl) 1145 1146### Configure Enterprise Measurement/Monitoring Collection 1147 1148Metrics recorded by measurement promises in `cf-monitord` are only collected by 1149default for policy servers. In order to collect metrics for non policy servers 1150simply define `default_data_select_host_monitoring_include` via in an [augments file][Augments]. 1151 1152For example to collect all measurements for remote agents and only cpu and 1153memory related probes on policy servers: 1154 1155``` 1156{ 1157 "vars": { 1158 "default_data_select_host_monitoring_include": [ ".*" ], 1159 "default_data_select_policy_hub_monitoring_include": [ "mem_.*", "cpu.*" ] 1160 } 1161} 1162``` 1163 1164**History:** 1165 1166* Added in 3.10.2, 3.11.0 1167 1168### Configure Enterprise Mission Portal Docroot 1169 1170Primarily for developer conveniance, this setting allows you to easily disable the enforcement that the webapp consists of the packaged files in the docroot used for Mission Portal. 1171 1172 1173``` 1174{ 1175 "classes": { 1176 "mpf_disable_mission_portal_docroot_sync_from_share_gui": [ "any" ] 1177 } 1178} 1179``` 1180 1181### Bundlesequence 1182 1183#### Classification bundles before autorun 1184 1185You can specify a list of bundles which should be run before autorun policies (if enabled). 1186 1187```json 1188{ 1189 "vars":{ 1190 "control_common_bundlesequence_classification": [ "classification_one", "classification_two" ] 1191 }, 1192 1193 "inputs": [ "services/my_classificaton.cf" ] 1194} 1195``` 1196 1197**History:** 1198 1199* Added in CFEngine 3.18.0 1200 1201#### Append to the main bundlesequence 1202 1203You can specify bundles which should be run at the end of the default 1204bundlesequence by defining ```control_common_bundlesequence_end``` in the vars 1205of an [augments file][Augments]. 1206 1207For example: 1208 1209```json 1210{ 1211 "vars":{ 1212 "control_common_bundlesequence_end": [ "mybundle1", "mybundle2" ] 1213 }, 1214 1215 "inputs": [ "services/mybundles.cf" ] 1216} 1217``` 1218 1219**Notes:** 1220 1221* The order in which bundles are actuates is not guaranteed. 1222* The agent will error if a named bundle is not part of inputs. 1223 1224**History**: Added in 3.10.0 1225 1226### Configure `abortclasses` via augments 1227 1228Configure a list of regular expressions that result in cf-agent terminating 1229itself upon definition of a matching class. 1230 1231For example, abort execution if any class starting with ```error_``` or ```abort_``` is defined: 1232 1233``` 1234{ 1235 "vars":{ 1236 "control_agent_abortclasses": [ "error.*", "abort.**" ] 1237 } 1238} 1239``` 1240 1241**History**: Added in 3.15.0, 3.12.3 1242 1243### Configure `abortbundleclasses` via augments 1244 1245Configure a list of regular expressions that match classes which if defined lead 1246to termination of current bundle. 1247 1248If no list is defined, then a default of ```abortbundle``` is used. 1249 1250For example, abort execution if any class starting with ```bundle_error_``` or ```bundle_abort_``` is defined: 1251 1252``` 1253{ 1254 "vars":{ 1255 "control_agent_abortbundleclasses": [ "bundle_error.*", "bundle_abort.**" ] 1256 } 1257} 1258``` 1259 1260**History**: Added in 3.15.0, 3.12.3 1261 1262### Configure `files_single_copy` via augments 1263 1264Specify a list of regular expressions that when matched will prevent the agent 1265from performing subsequent copy operations on the same promiser. 1266 1267For example, to only allow any file to be copied a single time: 1268 1269``` 1270{ 1271 "vars":{ 1272 "control_agent_files_single_copy": [ ".*" ] 1273 } 1274 1275} 1276``` 1277 1278**History**: Added in 3.11.0, 3.10.2 1279 1280### Disable automatic policy hub detection 1281 1282During bootstrap, if the executing host finds the IP address of the target on 1283itself it automatically classifies the host as a policy server by ensuring the 1284`$(sys.statedir)/am_policy_hub` file exists. When this file exists, the 1285`am_policy_hub` and `policy_server` classes are defined. To help avoid 1286accidental declassification, the MPF contains policy to regularly check if the 1287host is bootstrapped to an IP found on itself, and if so, to ensure the proper 1288state file exists. 1289 1290To disable this check, define `mpf_auto_am_policy_hub_state_disabled`. 1291 1292For example, to define this class via augments, place the following in your def.json. 1293 1294``` 1295{ 1296 "classes":{ 1297 "mpf_auto_am_policy_hub_state_disabled": [ "any" ] 1298 } 1299 1300} 1301``` 1302 1303**History**: Added in 3.15.0, 3.12.3, 3.10.7 1304 1305### Configure default repository for file backups 1306 1307By default the agent creates a backup of a file before it is edited in the same 1308directory as the edited file. Defining the 1309`mpf_control_agent_default_repository` class will cause these backups to be 1310placed in `$(sys.workdir)/backups`. Customize the backup directory by setting 1311`def.control_agent_default_backup`. 1312 1313For example: 1314 1315``` 1316{ 1317 "classes": { 1318 "mpf_control_agent_default_repository": [ "any" ] 1319 }, 1320 1321 "vars": { 1322 "control_agent_default_repository": "/var/cfengine/edit_backups" 1323 } 1324} 1325``` 1326 1327**History**: Added in 3.10.1 1328 1329### Configure periodic package inventory refresh interval 1330 1331CFEngine refreshes software inventory when it makes changes via packages 1332promises. Additionally, by default, CFEngine refreshes it's 1333internal cache of packages installed (during each agent run) and package updates that 1334are available (once a day) according to the default package manager in order to 1335pick up changes made outside packages promises. 1336 1337```json 1338{ 1339 "vars": { 1340 "package_module_query_installed_ifelapsed": "5", 1341 "package_module_query_updates_ifelapsed": "60" 1342 } 1343} 1344``` 1345 1346WARNING: Be ware of setting `package_module_query_update_ifelapsed` too low, 1347especially with public repositories or you may be banned for abuse. 1348 1349**See also:** `packagesmatching()`, `packageupdatesmatching()` 1350 1351**History**: 1352 1353* Added in 3.15.0, 3.12.3 1354* 3.17.0 decreased `package_module_query_installed_ifelapsed` from `60` to `0` 1355 1356### Enable logging of Enterprise License utilization 1357 1358If the class `enable_log_cfengine_enterprise_license_utilization` is defined on 1359an enterprise hub license utilization will be logged by the hub in 1360`$(sys.workdir)/log/license_utilization.log` 1361 1362Example enabling the class from an [augments file][Augments]: 1363 1364``` 1365{ 1366 "classes": { 1367 "enable_log_cfengine_enterprise_license_utilization": [ "enterprise_edition" ] 1368 } 1369} 1370``` 1371 1372**History**: Added in 3.11, 3.10.2 1373 1374### Enable external watchdog 1375 1376**Note**: This feature is not enabled by default. 1377 1378If the class `cfe_internal_core_watchdog_enabled` is defined, the feature is 1379enabled and the watchdog will be active. If the class 1380`cfe_internal_core_watchdog_disabled` is defined, the feature is disabled and 1381the watchdog will not be active. 1382 1383```json 1384{ 1385 "classes": { 1386 "cfe_internal_core_watchdog_enabled": [ "aix::" ], 1387 "cfe_internal_core_watchdog_disabled": [ "!cfe_internal_core_watchdog_enabled::" ] 1388 } 1389} 1390``` 1391 1392**See Also:** [Watchdog documentation][cfe_internal/core/watchdog] 1393 1394### Modules 1395 1396Modules executed by the `usemodule()` function are expected to be found in 1397`$(sys.workdir)/modules` the modules are distributed to all remote agents by in 1398the default policy. 1399 1400### Templates 1401 1402For convenience the `templates` shortcut is provided and by default the path is 1403set to `$(sys.workdir/templates)` unless `$(def.template_dir)` is overridden via 1404[augments][Augments]. 1405 1406* **NOTE:** The templates directory is not currently managed by default policy. 1407 Unlike modules **templates are not distributed to all hosts by default**. 1408 1409Copy a template from the templates directory: 1410 1411```cf3 1412 files: 1413 1414 "$(def.dir_templates)/mytemplate.mustache" -> { "myservice" } 1415 copy_from => remote_dcp("templates/mytemplate.mustache", $(sys.policy_server) ), 1416 comment => "mytemplate is necessary in order to render myservice configuration file."; 1417``` 1418 1419Override the path for `$(def.dir_templates)` by setting `vars.dir_templates` in 1420the [augments file][Augments] (`def.json`): 1421 1422```json 1423{ 1424 "vars": { 1425 "dir_templates": "/var/cfengine/mytemplates" 1426 } 1427} 1428``` 1429 1430**Note:** When overriding the templates directory a change to the [augments][Augments] alone 1431will not cause `cf-serverd` to reload its configuration and update the access 1432control lists as necessary. `cf-serverd` will only automatically reload its 1433config when it notices a change in *policy*. 1434 1435**History**: Added in 3.11. 1436 1437## Recommendations 1438 1439The MPF includes policy that inspects the system and makes recommendations about 1440the configuration of the system. When `cfengine_recommendations_enabled` is 1441defined bundles tagged `cfengine_recommendation` are executed in lexical order. 1442`cfengine_recommendations_enabled` is defined by default when 1443`cfengine_recommendations_disabled` is **not** defined. 1444 1445To disable cfengine recommendations define `cfengine_recommendations_disabled`. 1446 1447This snippet disables recommendations via augments. 1448 1449``` 1450{ 1451 "classes": [ 1452 "cfengine_recommendations_disabled" 1453 ] 1454} 1455``` 1456 1457**History:** 1458 1459* Recommendations added in 3.12.1 1460