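################################################################################
#
# DO NOT EDIT THIS FILE. All policy files prefixed with CFE_ and update_bins.cf
# are maintained by CFEngine and its original state is required for internal
# operations of CFEngine. If the file has been modified CFEngine's upgrades
# may require manual intervention. Contact CFEngine support if additional
# information and/or recommendation is needed.
#
################################################################################
################################################################################
#
# update_processes
# - To enable/disable CFEngine based processes, use the slists below.
################################################################################

bundle common cfe_internal_process_knowledge
# @brief Variables related to CFEngine's own processes used in other bundles
# TODO Retire this bundle. It is no longer useful now that sys.bindir exists.
# Not clear why bindir is left unset on windows.
{
  vars:

    !windows::

      "bindir" string => "$(sys.bindir)",
        comment => "Use a system variable";
}

bundle agent cfe_internal_update_processes
# @brief Determine which cfengine components should be managed, and what their
# state should be.
#
# By default all the relevant services will run on each host. For example all
# hosts will run cf-execd, cf-serverd, and cf-monitord. Individual services can
# be disabled:
#
# * If persistent_disable_COMPONENT ( persistent_disable_cf_serverd,
#   persistent_disable_cf_monitord) is defined the service will be disabled.
#
# * If the component is found in def.agents_to_be_disabled it will be disabled.
#
# * To enable component management on hosts with systemd define the class
#   `mpf_enable_cfengine_systemd_component_management`.
#
# Note that on systemd hosts WITHOUT that class defined, neither the systemd
# unit bundles nor the !systemd_supervised enable/disable bundles run, so
# component state is left to systemd; the reports below warn about this.
{
  classes:
      "systemd_supervised"
        scope => "bundle",
        expression => "systemd",
        comment => "As of 3.10 the runalerts service is supervised by systemd
                    when available. Prior to 3.10 the service is supervised
                    directly by CFEngine policy.";

  reports:
    inform.systemd_supervised.!mpf_enable_cfengine_systemd_component_management::
      "NOTE: You have defined a class to persistently disable a cfengine
       component on a systemd managed host, but you have not defined
       mpf_enable_cfengine_systemd_component_management in order to enable
       management"
        if => classmatch( "persistent_disable_cf_.*" );

      "NOTE: You have explicitly listed components that should be disabled in def.agents_to_be_disabled.
       This host is managed by systemd and requires the class
       mpf_enable_cfengine_systemd_component_management in order to enable
       active management"
        if => some( ".*", @(def.agents_to_be_disabled) );

  vars:

    any::

      # By default the core components are expected to be running in all cases.

      "agent[cf_execd]"    string => "cf-execd";
      "agent[cf_serverd]"  string => "cf-serverd";
      "agent[cf_monitord]" string => "cf-monitord";

    policy_server.enterprise_edition::

      "agent[cf_hub]"
        string => "cf-hub",
        comment => "cf-hub is only relevant on Enterprise hubs";

    systemd::

      # On systemd hosts the cfengine3 service acts as an umbrella for other
      # services.

      "agent[cfengine3]"
        string => "cfengine3",
        comment => "systemd hosts use the cfengine3 service as an umbrella.
                    systemd_supervised hosts additionally have individual units
                    for each managed service.";

    systemd_supervised.enterprise_edition.policy_server::

      # Only enterprise systemd supervised hubs have these additional service
      # definitions for each component.

      "agent[cf_postgres]"  string => "cf-postgres";
      "agent[cf_runalerts]" string => "cf-runalerts";
      "agent[cf_apache]"    string => "cf-apache";

    cfredis_in_enterprise::
      # TODO Remove from MPF after 3.12 EOL
      "agent[cf_redis_server]" -> { "ENT-2797" }
        string => "cf-redis-server";

    cfconsumer_in_enterprise::
      # TODO Remove from MPF after 3.12 EOL
      "agent[cf_consumer]" -> { "ENT-2797" }
        string => "cf-consumer";

    any::
      # We get a consolidated list of all agents for the executing host.
      "all_agents" slist => getvalues( agent );

      # We use def.agents_to_be_disabled if it exists, otherwise we default to
      # no agents being disabled. (This value is only an input to the
      # disabled[] array below; agents_to_be_disabled is re-assigned from that
      # array further down.)

      "agents_to_be_disabled"
        comment => "CFE processes that should not be enabled",
        handle => "cfe_internal_update_processes_vars_agents_to_be_disabled",
        slist => { @(def.agents_to_be_disabled) },
        if => isvariable( "def.agents_to_be_disabled" );

      "agents_to_be_disabled"
        comment => "The default agents that should not be enabled.",
        handle => "cfe_internal_update_processes_vars_default_agents_to_be_disabled",
        slist => { },
        if => not( isvariable("def.agents_to_be_disabled") );

      # An agent is disabled if there is a persistently defined disablement
      # class OR if the agent is found in a list of agents to be specifically
      # disabled.

      "disabled[$(all_agents)]"
        string => "$(all_agents)",
        if => or( canonify( "persistent_disable_$(all_agents)" ),
                  some( "$(all_agents)", agents_to_be_disabled ));

    # NOTE(review): "." binds tighter than "|" in class expressions, so this
    # reads as (systemd_supervised.policy_server.enterprise.hub_passive) |
    # (ha_replication_only_node.!failover_to_replication_node_enabled) --
    # confirm the second alternative is meant to apply on any host, not only
    # systemd_supervised enterprise policy servers.
    # The class in the second alternative must be spelled exactly as it is
    # defined in maintain_cfe_hub_process (failover_to_replication_node_enabled);
    # a misspelling makes the negation unconditionally true and disables cf-hub
    # on replication-only nodes even when failover is enabled.
    systemd_supervised.policy_server.enterprise.hub_passive|(ha_replication_only_node.!failover_to_replication_node_enabled)::

      # We want the enterprise components cf-runalerts, and cf-hub to be
      # disabled if running on a passive hub or replication only hub.

      "disabled[cf_runalerts]" string => "cf-runalerts";
      "disabled[cf_hub]"       string => "cf-hub";

    any::

      # First we get the consolidated list of agents to be disabled.
      "agents_to_be_disabled" slist => getvalues( disabled );

      # Any agent that is not explicitly disabled should be enabled.
      "agents_to_be_enabled" slist => difference( all_agents, agents_to_be_disabled );

  methods:

    systemd.!systemd_supervised::
      # TODO Remove from policy.
      # This makes sure the cfengine3 (umbrella) unit is active. It does not
      # make any assertions about individual components. Furthermore, since
      # commit 6a7fe6b3fa466e55b29eca75cd53ff8b2883ff0e (introduced in 3.14)
      # this policy won't be run because systemd_supervised is defined any time
      # systemd is defined.

      "CFENGINE systemd service"
        usebundle => maintain_cfe_systemd,
        comment => "Call a bundle to maintain CFEngine with systemd",
        handle => "cfe_internal_update_processes_methods_maintain_systemd";

    systemd_supervised.mpf_enable_cfengine_systemd_component_management::

      "CFEngine systemd Unit Definitions"
        usebundle => cfe_internal_systemd_unit_files;

      "CFEngine systemd Unit States"
        usebundle => cfe_internal_systemd_service_unit_state;

    am_policy_hub.enterprise.!systemd_supervised::

      "TAKING CARE CFE HUB PROCESSES"
        usebundle => maintain_cfe_hub_process,
        comment => "Call a bundle to maintain HUB processes",
        handle => "cfe_internal_update_processes_methods_maintain_hub";

    !windows.!systemd_supervised::

      "DISABLING CFE AGENTS"
        usebundle => disable_cfengine_agents("$(agents_to_be_disabled)"),
        comment => "Call a bundle to disable CFEngine given processes",
        handle => "cfe_internal_update_processes_methods_disabling_cfe_agents";

      # Iterates over every known agent and terminates it only when its
      # persistent_disable_<agent> class is set; the argument is quoted for
      # consistency with the other usebundle calls in this section.
      "CHECKING FOR PERSISTENTLY DISABLED CFE AGENTS"
        usebundle => disable_cfengine_agents("$(all_agents)"),
        if => canonify("persistent_disable_$(all_agents)"),
        comment => "Call a bundle to disable CFEngine given processes if persistent_disable_x is set",
        handle => "cfe_internal_update_processes_methods_maybe_disabling_cfe_agents";

      "ENABLING CFE AGENTS"
        usebundle => enable_cfengine_agents("$(agents_to_be_enabled)"),
        comment => "Call a bundle to enable CFEngine given processes",
        handle => "cfe_internal_update_processes_methods_enabling_cfe_agents";

    windows::

      "CFENGINE on Windows"
        usebundle => maintain_cfe_windows,
        comment => "Call a bundle to maintain CFEngine on Windows",
        handle => "cfe_internal_update_processes_methods_maintain_windows";

}

#
###############################################################################
#

bundle agent maintain_cfe_hub_process
# @brief Ensure the proper processes are running on Enterprise hubs.
#
# Only called from cfe_internal_update_processes under
# am_policy_hub.enterprise.!systemd_supervised, i.e. hubs that are not
# supervised by systemd. Every promise here except the postgresql.log file is
# additionally guarded by am_policy_hub.
{
  vars:

    am_policy_hub::

      "file_check" string => translatepath("$(cfe_internal_update_policy_cpv.inputs_dir)/promises.cf"),
        comment => "Path to a policy file",
        handle => "cfe_internal_maintain_cfe_hub_process_vars_file_check";

  #

  classes:

    am_policy_hub::

      "files_ok" expression => fileexists("$(file_check)"),
        comment => "Check for $(sys.workdir)/inputs/promises.cf",
        handle => "cfe_internal_maintain_cfe_hub_process_classes_files_ok";

    am_policy_hub.enable_cfengine_enterprise_hub_ha::
      # cf-hub runs on the active HA node, or on a replication-only node that
      # has been promoted via failover_to_replication_node_enabled.
      "ha_run_hub_process"
        or => { "!ha_replication_only_node",
                "ha_replication_only_node.failover_to_replication_node_enabled" };

      "ha_kill_hub_process"
        or => { "ha_replication_only_node.!failover_to_replication_node_enabled" };

  #

  processes:

    am_policy_hub::

      "$(cfe_internal_process_knowledge.bindir)/vacuumdb"
        restart_class => "no_vacuumdb",
        comment => "Monitor vacuumdb process",
        handle => "cfe_internal_maintain_cfe_hub_process_processes_check_vacuumdb",
        if => "nova|enterprise";

    am_policy_hub.cfredis_in_enterprise::

      # TODO Remove from MPF after 3.12 EOL
      "$(cfe_internal_process_knowledge.bindir)/redis-server" -> { "ENT-2797" }
        restart_class => "start_redis_server",
        comment => "Monitor redis-server process",
        handle => "cfe_internal_maintain_cfe_hub_process_processes_redis",
        if => "nova|enterprise";

    am_policy_hub.cfconsumer_in_enterprise::
      "$(cfe_internal_process_knowledge.bindir)/cf-consumer" -> { "ENT-2797" }
        restart_class => "start_cf_consumer",
        comment => "Monitor cf-consumer process",
        handle => "cfe_internal_maintain_cfe_hub_process_processes_cf_consumer",
        if => "(nova|enterprise).no_vacuumdb";

    am_policy_hub.!enable_cfengine_enterprise_hub_ha::
      "$(cfe_internal_process_knowledge.bindir)/postgres"
        restart_class => "start_postgres_server",
        comment => "Monitor postgres process",
        handle => "cfe_internal_maintain_cfe_hub_process_processes_postgres",
        if => "nova|enterprise";

    # NOTE(review): "." binds tighter than "|", so this is
    # (am_policy_hub.!enable_cfengine_enterprise_hub_ha.files_ok.!windows) |
    # ha_run_hub_process. ha_run_hub_process is only defined on HA hubs above,
    # so the two alternatives are the non-HA and the HA case respectively.
    am_policy_hub.!enable_cfengine_enterprise_hub_ha.files_ok.!windows|ha_run_hub_process::
      "cf-hub" restart_class => "start_hub",
        comment => "Monitor cf-hub process",
        handle => "cfe_internal_maintain_cfe_hub_process_processes_cf_hub",
        if => and( "(nova|enterprise).no_vacuumdb",
                   "!persistent_disable_cf_hub" ); # Don't start it if it's persistently disabled

    am_policy_hub.ha_kill_hub_process::
      "cf-hub" signals => { "term" },
        comment => "Terminate cf-hub on backup HA node outside cluster",
        handle => "cfe_internal_kill_hub_process_on_inactive_ha_node";

  #

  files:

      # Not class-guarded: relies on the caller only invoking this bundle on
      # hubs. Mode 0600 owned by cfpostgres keeps the log unreadable to other
      # local users.
      "/var/log/postgresql.log"
        comment => "Ensure postgres.log file is there with right permissions",
        handle => "cfe_internal_maintain_cfe_hub_process_files_create_postgresql_log",
        create => "true",
        perms => u_mo("0600","cfpostgres");

  #

  commands:

    !windows.am_policy_hub.start_redis_server.cfredis_in_enterprise::

      # TODO Remove from MPF after 3.12 EOL
      # NOTE(review): postgres below is started through u_postgres, whereas
      # redis-server only gets u_in_dir("/") and so inherits the agent's own
      # (typically root) privileges -- confirm that is intended.
      "$(cfe_internal_process_knowledge.bindir)/redis-server $(cfe_internal_update_policy_cpv.redis_conf_file)" -> { "ENT-2797" }
        contain => u_in_dir("/"),
        comment => "Start redis process",
        classes => u_kept_successful_command,
        handle => "cfe_internal_maintain_cfe_hub_process_commands_start_redis";

    !windows.am_policy_hub.!enable_cfengine_enterprise_hub_ha.start_postgres_server::
      "$(cfe_internal_process_knowledge.bindir)/pg_ctl -D $(cfe_internal_update_policy_cpv.postgresdb_dir) -l $(cfe_internal_update_policy_cpv.postgresdb_log) start"
        contain => u_postgres,
        comment => "Start postgres process",
        classes => u_kept_successful_command,
        handle => "cfe_internal_maintain_cfe_hub_process_commands_start_postgres";

    !windows.am_policy_hub.start_cf_consumer.cfconsumer_in_enterprise::
      # TODO Remove from MPF after 3.12 EOL

      "$(cfe_internal_process_knowledge.bindir)/cf-consumer"
        comment => "Start cf-consumer process",
        classes => u_kept_successful_command,
        handle => "cfe_internal_maintain_cfe_hub_process_commands_start_cf-consumer";

    !windows.am_policy_hub.start_hub::
      "$(sys.cf_hub)"
        comment => "Start cf-hub process",
        classes => u_kept_successful_command,
        handle => "cfe_internal_maintain_cfe_hub_process_commands_start_cf_hub";

}

#
###############################################################################
#

bundle agent disable_cfengine_agents(process)
# @brief Ensure cfengine component is not running
# @param process The name of the cfengine component binary to ensure not running. [cf-agent, cf-serverd, cf-monitord, cf-hub]
#
# Sends SIGTERM only; no escalation to SIGKILL is attempted.
{
  vars:

    !windows::

      "cprocess" string => canonify("$(process)"),
        comment => "Canonify a given process",
        handle => "cfe_internal_disable_cfengine_agents_vars_cprocess";

  #

  classes:

    !windows::

      # strcmp of a string with itself is always true; the class is therefore
      # defined whenever $(process) expands, and left undefined otherwise.
      "disable_$(cprocess)" expression => strcmp("$(process)","$(process)"),
        comment => "Create a class to disable a given process",
        handle => "cfe_internal_disable_cfengine_agents_classes_disable_process";

  #

  processes:

    !windows::

      "$(cfe_internal_process_knowledge.bindir)/$(process)"
        signals => { "term" },
        comment => "Terminate $(process)",
        handle => "cfe_internal_disable_cfengine_agents_processes_terminate_process",
        if => "disable_$(cprocess)";

}

#
###############################################################################
#
bundle agent enable_cfengine_agents(process)
# @brief Ensure cfengine component is running
# @param process The name of the cfengine component binary to ensure running. [cf-agent, cf-serverd, cf-monitord, cf-hub]
#
# A component is only (re)started when no persistent_disable_<component> class
# is set and sys.<component> (the binary path) is defined. The reports section
# also implements the set_/clear_persistent_disable_<component> toggles.
{
  vars:

    !windows::

      "cprocess" string => canonify("$(process)"),
        comment => "Canonify a given process",
        handle => "cfe_internal_enable_cfengine_agents_vars_cprocess";

  classes:

    !windows::

      "enable_$(cprocess)" expression => "!persistent_disable_$(cprocess)",
        comment => "Create a class to enable a given process",
        handle => "cfe_internal_enable_cfengine_agents_classes_enable_process";

  #

  processes:

    !windows::

      "$(cfe_internal_process_knowledge.bindir)/$(process)"
        restart_class => "restart_$(cprocess)",
        comment => "Create a class to restart a process",
        handle => "cfe_internal_enable_cfengine_agents_processes_restart_process",
        if => "enable_$(cprocess)";

  #

  commands:

    !windows::

      "$(sys.$(cprocess))"
        comment => "Restart a process",
        handle => "cfe_internal_enable_cfengine_agents_commands_restart_process",
        classes => u_kept_successful_command,
        if => and( "restart_$(cprocess)",
                   isvariable( "sys.$(cprocess)" ) );

  reports:
      "The process $(process) is persistently disabled. Run with '-Dclear_persistent_disable_$(cprocess)' to re-enable it."
        if => and( "persistent_disable_$(cprocess)",
                   isvariable( "sys.$(cprocess)" ));

      "The process $(process) has been re-enabled. Run with '-Dset_persistent_disable_$(cprocess)' to disable it persistently again."
        if => and( "clear_persistent_disable_$(cprocess)",
                   isvariable( "sys.$(cprocess)" )),
        classes => u_clear_always("persistent_disable_$(cprocess)");

      "The process $(process) has been disabled persistently. Run with '-Dclear_persistent_disable_$(cprocess)' to re-enable it."
        if => "set_persistent_disable_$(cprocess)",
        classes => u_always_forever("persistent_disable_$(cprocess)");
}

#
###############################################################################
#

bundle agent maintain_cfe_windows
# @brief Ensure cfengine components are running
{
  vars:

    windows::

      "file_check" string => translatepath("$(cfe_internal_update_policy_cpv.inputs_dir)/promises.cf"),
        comment => "Path to a policy file",
        handle => "cfe_internal_maintain_cfe_windows_vars_file_check";

  #

  classes:

    windows::

      "files_ok" expression => fileexists("$(file_check)"),
        comment => "Check for $(cfe_internal_update_policy_cpv.inputs_dir)/promises.cf",
        handle => "cfe_internal_maintain_cfe_windows_classes_files_ok";

  #

  processes:

    files_ok::

      "cf-serverd" restart_class => "start_server",
        comment => "Monitor cf-serverd process",
        handle => "cfe_internal_maintain_cfe_windows_processes_cf_serverd";

      "cf-monitord" restart_class => "start_monitor",
        comment => "Monitor cf-monitord process",
        handle => "cfe_internal_maintain_cfe_windows_processes_cf_monitord";

  #

  services:

    files_ok.windows::

      "CfengineNovaExec"
        service_policy => "start",
        service_method => u_bootstart,
        comment => "Start the executor windows service now and at boot time",
        handle => "cfe_internal_maintain_cfe_windows_services_windows_executor";

  #

  commands:

    start_server::

      "$(sys.cf_serverd)"
        action => u_ifwin_bg,
        comment => "Start cf-serverd process",
        classes => u_kept_successful_command,
        handle => "cfe_internal_maintain_cfe_windows_commands_start_cf_serverd";

    # NOTE(review): restart_monitor is not defined anywhere in this bundle
    # (the processes promise above sets start_monitor); kept for callers that
    # may define it externally -- confirm.
    start_monitor|restart_monitor::

      "$(sys.cf_monitord)"
        action => u_ifwin_bg,
        comment => "Start cf-monitord process",
        classes => u_kept_successful_command,
        handle => "cfe_internal_maintain_cfe_windows_commands_start_cf_monitord";

}

bundle agent maintain_cfe_systemd
# @brief Ensure cfengine components are running
#
# Only checks/starts the cfengine3 umbrella unit; makes no assertion about the
# individual component units.
{
  classes:
    systemd::
      # "noshell" avoids running the probe through /bin/sh.
      "restart_cfe"
        not => returnszero("/bin/systemctl -q is-active cfengine3", "noshell"),
        comment => "Check running status of CFEngine using systemd",
        handle => "cfe_internal_maintain_cfe_systemd_classes_restart_cfe";

  commands:
    restart_cfe::
      "/bin/systemctl -q start cfengine3"
        comment => "Start CFEngine using systemd",
        handle => "cfe_internal_maintain_cfe_systemd_commands_start_cfe";
}

body classes u_clear_always(theclass)
# @brief Undefine `theclass` as a result of the promise actuation, no matter the outcome (kept, notkept, repaired)
{
  cancel_kept => { $(theclass) };
  cancel_notkept => { $(theclass) };
  cancel_repaired => { $(theclass) };
}

body classes u_always_forever(theclass)
# @brief Define `theclass` for 999999999 minutes (about 1902 years) as a result of the promise actuation, no matter the outcome (kept, notkept, repaired)
{
  promise_kept => { $(theclass) };
  promise_repaired => { $(theclass) };
  repair_failed => { $(theclass) };
  repair_denied => { $(theclass) };
  repair_timeout => { $(theclass) };
  persist_time => 999999999;
  scope => "namespace";
}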