1################################################################################
2#
3# DO NOT EDIT THIS FILE. All policy files prefixed with CFE_ and update_bins.cf
4# are maintained by CFEngine and its original state is required for internal
5# operations of CFEngine. If the file has been modified CFEngine's upgrades
6# may require manual intervention. Contact CFEngine support if additional
7# information and/or recommendation is needed.
8#
9################################################################################
10################################################################################
11#
12# update_processes
13#  - To enable/disable CFEngine based processes, use the slists below.
14################################################################################
15
bundle common cfe_internal_process_knowledge
# @brief Variables related to CFEngine's own processes used in other bundles
# TODO Retire this bundle. It's no longer useful now that the sys.bindir
# variable exists. Not clear why it's unset on windows.
#
# bindir is used as the path prefix of the process-table promisers in
# disable_cfengine_agents, enable_cfengine_agents and maintain_cfe_hub_process.
# It is only defined on !windows hosts, so any reference to it on Windows
# stays unexpanded; the bundles that use it are likewise guarded by !windows.
{
  vars:

    !windows::

      # Straight copy of the system variable; kept only for the existing
      # $(cfe_internal_process_knowledge.bindir) references.
      "bindir"      string => "$(sys.bindir)",
      comment => "Use a system variable";
}
27
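bundle agent cfe_internal_update_processes
# @brief Determine which cfengine components should be managed, and what their
# state should be.
#
# By default all the relevant services will run on each host. For example all
# hosts will run cf-execd, cf-serverd, and cf-monitord. Individual services can
# be disabled:
#
# * If persistent_disable_COMPONENT ( persistent_disable_cf_serverd,
#   persistent_disable_cf_monitord) is defined the service will be disabled.
#
# * If the component is found in def.agents_to_be_disabled it will be disabled.
#
# * To enable component management on hosts with systemd define the class
#    `mpf_enable_cfengine_systemd_component_management`.
#
# Security note: the persistent_disable_* classes (settable from the cf-agent
# command line via -Dset_persistent_disable_<component>, see
# enable_cfengine_agents) and def.agents_to_be_disabled are the only inputs
# that keep this policy from restarting a core component such as cf-serverd
# or cf-execd, and disable_cfengine_agents will actively TERM a component that
# lands in agents_to_be_disabled. Treat changes to either input as a change to
# who may switch off the agent infrastructure.
{
  classes:
      # systemd_supervised is bundle scoped and is simply an alias for the
      # systemd hard class. Since 3.14 it is therefore always defined when
      # systemd is (see the note on the systemd.!systemd_supervised method).
      "systemd_supervised"
        scope => "bundle",
        expression => "systemd",
        comment => "As of 3.10 the runalerts service is supervised by systemd
                    when available. Prior to 3.10 the service is supervised
                    directly by CFEngine policy.";

  reports:
      # Both notes only appear when the agent runs with -I (inform), on systemd
      # hosts where component management has NOT been switched on. They warn
      # that a disablement request will have no effect on such a host.
      inform.systemd_supervised.!mpf_enable_cfengine_systemd_component_management::
      "NOTE: You have defined a class to persistently disable a cfengine
             component on a systemd managed host, but you have not defined
             mpf_enable_cfengine_systemd_component_management in order to enable
             management"
        if => classmatch( "persistent_disable_cf_.*" );

      "NOTE: You have explicitly listed components that should be disabled in def.agents_to_be_disabled.
             This host is managed by systemd and requires the class
             mpf_enable_cfengine_systemd_component_management in order to enable
             active management"
        if => some( ".*", @(def.agents_to_be_disabled) );

  vars:

    any::

      # By default the core components are expected to be running in all cases.
      # The array keys are the canonified component names; persistent_disable_*
      # classes and the sys.* binary-path variables use the same canonified form.

      "agent[cf_execd]" string => "cf-execd";
      "agent[cf_serverd]" string => "cf-serverd";
      "agent[cf_monitord]" string => "cf-monitord";

    policy_server.enterprise_edition::

      "agent[cf_hub]"
        string => "cf-hub",
        comment => "cf-hub is only relevant on Enterprise hubs";

    systemd::

      # On systemd hosts the cfengine3 service acts as an umbrella for other
      # services.

      "agent[cfengine3]"
        string => "cfengine3",
        comment => "systemd hosts use the cfengine3 service as an umbrella.
                    systemd_supervised hosts additionally have individual units
                    for each managed service.";


    systemd_supervised.enterprise_edition.policy_server::

      # Only enterprise systemd-supervised hubs get these additional service
      # definitions for each component.

      "agent[cf_postgres]" string => "cf-postgres";
      "agent[cf_runalerts]" string => "cf-runalerts";
      "agent[cf_apache]"   string => "cf-apache";

    cfredis_in_enterprise::
      # TODO Remove from MPF after 3.12 EOL
      "agent[cf_redis_server]" -> { "ENT-2797" }
        string => "cf-redis-server";

    cfconsumer_in_enterprise::
      # TODO Remove from MPF after 3.12 EOL
      "agent[cf_consumer]" -> { "ENT-2797" }
        string => "cf-consumer";

    any::
      # We get a consolidated list of all agents for the executing host.
      "all_agents" slist => getvalues( agent );

      # We use def.agents_to_be_disabled if it exists, otherwise we default to
      # no agents being disabled.

      "agents_to_be_disabled"
        comment => "CFE processes that should not be enabled",
        handle => "cfe_internal_update_processes_vars_agents_to_be_disabled",
        slist => { @(def.agents_to_be_disabled) },
        if => isvariable( "def.agents_to_be_disabled" );

      "agents_to_be_disabled"
        comment => "The default agents that should not be enabled.",
        handle => "cfe_internal_update_processes_vars_default_agents_to_be_disabled",
        slist => { },
        if => not( isvariable("def.agents_to_be_disabled") );

      # An agent is disabled if there is a persistently defined disablement
      # class OR if the agent is found in a list of agents to be specifically
      # disabled.
      #
      # canonify() turns e.g. "cf-hub" into "cf_hub", so the class checked is
      # persistent_disable_cf_hub, matching what enable_cfengine_agents sets.

      "disabled[$(all_agents)]"
        string => "$(all_agents)",
        if => or( canonify( "persistent_disable_$(all_agents)" ),
                          some( "$(all_agents)", agents_to_be_disabled ));

    # The failover class is failover_to_replication_node_enabled -- the same
    # class maintain_cfe_hub_process uses for ha_run_hub_process /
    # ha_kill_hub_process. An earlier misspelling of it here meant a
    # replication-only node kept cf-hub and cf-runalerts disabled even after
    # failover to it had been enabled.
    #
    # NOTE(review): '.' binds tighter than '|' in class expressions, so the
    # ha_replication_only_node alternative is not limited to systemd_supervised
    # enterprise hubs; on non-systemd hubs it feeds disable_cfengine_agents in
    # addition to the ha_kill_hub_process promise in maintain_cfe_hub_process.
    # That looks intentional but should be confirmed before re-parenthesising.
    systemd_supervised.policy_server.enterprise.hub_passive|(ha_replication_only_node.!failover_to_replication_node_enabled)::

      # We want the enterprise components cf-runalerts, and cf-hub to be
      # disabled if running on a passive hub or replication only hub.

      "disabled[cf_runalerts]" string => "cf-runalerts";
      "disabled[cf_hub]" string => "cf-hub";

    any::

      # First we get the consolidated list of agents to be disabled.
      "agents_to_be_disabled" slist => getvalues( disabled );

      # Any agent that is not explicitly disabled should be enabled.
      "agents_to_be_enabled"  slist => difference( all_agents, agents_to_be_disabled );

  methods:

    systemd.!systemd_supervised::
      # TODO Remove from policy.
      # This makes sure the cfengine3 (umbrella) unit is active. It does not
      # make any assertions about individual components. Furthermore, since
      # commit 6a7fe6b3fa466e55b29eca75cd53ff8b2883ff0e (introduced in 3.14)
      # this policy won't be run because systemd_supervised is defined any time
      # systemd is defined.

      "CFENGINE systemd service"
      usebundle => maintain_cfe_systemd,
      comment => "Call a bundle to maintain CFEngine with systemd",
      handle => "cfe_internal_update_processes_methods_maintain_systemd";

    systemd_supervised.mpf_enable_cfengine_systemd_component_management::

      # On systemd hosts nothing below touches processes directly; unit files
      # and unit states are managed by these two bundles (defined elsewhere),
      # and only when the opt-in class is present.

      "CFEngine systemd Unit Definitions"
        usebundle => cfe_internal_systemd_unit_files;

      "CFEngine systemd Unit States"
        usebundle => cfe_internal_systemd_service_unit_state;

    am_policy_hub.enterprise.!systemd_supervised::

      "TAKING CARE CFE HUB PROCESSES"
      usebundle => maintain_cfe_hub_process,
      comment => "Call a bundle to maintian HUB processes",
      handle => "cfe_internal_update_processes_methods_maintain_hub";

    !windows.!systemd_supervised::

      # Non-systemd, non-Windows hosts: disable first, then enable whatever is
      # left. Each bundle is called once per list element.

      "DISABLING CFE AGENTS"
      usebundle => disable_cfengine_agents("$(agents_to_be_disabled)"),
      comment => "Call a bundle to disable CFEngine given processes",
      handle => "cfe_internal_update_processes_methods_disabling_cfe_agents";

      # Belt and braces: persistent_disable_* is already folded into
      # agents_to_be_disabled above, but this call catches a class that became
      # defined after that list was computed.
      "CHECKING FOR PERSISTENTLY DISABLED CFE AGENTS"
      usebundle => disable_cfengine_agents($(all_agents)),
      if => canonify("persistent_disable_$(all_agents)"),
      comment => "Call a bundle to disable CFEngine given processes if persistent_disable_x is set",
      handle => "cfe_internal_update_processes_methods_maybe_disabling_cfe_agents";

      "ENABLING CFE AGENTS"
      usebundle => enable_cfengine_agents("$(agents_to_be_enabled)"),
      comment => "Call a bundle to enable CFEngine given processes",
      handle => "cfe_internal_update_processes_methods_enabling_cfe_agents";

    windows::

      # NOTE(review): maintain_cfe_windows does not consult persistent_disable_*
      # or agents_to_be_disabled; on Windows those inputs have no effect.
      "CFENGINE on Windows"
      usebundle => maintain_cfe_windows,
      comment => "Call a bundle to maintain CFEngine on Windows",
      handle => "cfe_internal_update_processes_methods_maintain_windows";

}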
213
214#
215###############################################################################
216#
217
bundle agent maintain_cfe_hub_process
# @brief Ensure the proper processes are running on Enterprise hubs.
#
# Called from cfe_internal_update_processes only on
# am_policy_hub.enterprise.!systemd_supervised hosts, i.e. non-systemd hubs.
# It watches the hub's auxiliary daemons (vacuumdb, postgres, cf-hub and the
# legacy redis/cf-consumer pair) and starts whatever is missing, with HA
# handling deciding whether cf-hub should run or be terminated on this node.
{
  vars:

    am_policy_hub::

      # Presence of promises.cf under the inputs directory is used as the
      # "this hub has policy" sanity check before cf-hub is started.
      "file_check"  string => translatepath("$(cfe_internal_update_policy_cpv.inputs_dir)/promises.cf"),
      comment => "Path to a policy file",
      handle => "cfe_internal_maintain_cfe_hub_process_vars_file_check";

      #

  classes:

    am_policy_hub::

      # NOTE(review): the comment attribute mentions $(sys.workdir)/inputs, but
      # the path actually checked is $(file_check) above (inputs_dir based).
      "files_ok" expression => fileexists("$(file_check)"),
      comment => "Check for $(sys.workdir)/inputs/promises.cf",
      handle => "cfe_internal_maintain_cfe_hub_process_classes_files_ok";

    am_policy_hub.enable_cfengine_enterprise_hub_ha::
      # With HA enabled, cf-hub runs on the active node, and on a replication
      # only node solely once failover to it has been enabled; otherwise cf-hub
      # is killed (ha_kill_hub_process). The two classes are complementary.
      "ha_run_hub_process"
        or => { "!ha_replication_only_node",
                "ha_replication_only_node.failover_to_replication_node_enabled" };

      "ha_kill_hub_process"
        or => { "ha_replication_only_node.!failover_to_replication_node_enabled" };

      #

  processes:

    am_policy_hub::

      # Promisers below are regular expressions matched against the process
      # table, prefixed with the CFEngine bindir. restart_class is defined when
      # NO matching process is found, so no_vacuumdb means vacuumdb is not
      # running; cf-hub / cf-consumer are only started while that holds.
      "$(cfe_internal_process_knowledge.bindir)/vacuumdb"
      restart_class => "no_vacuumdb",
      comment => "Monitor vacuumdb process",
      handle => "cfe_internal_maintain_cfe_hub_process_processes_check_vacuumdb",
      if => "nova|enterprise";

   am_policy_hub.cfredis_in_enterprise::

      # TODO Remove from MPF after 3.12 EOL
      "$(cfe_internal_process_knowledge.bindir)/redis-server" -> { "ENT-2797" }
      restart_class => "start_redis_server",
      comment => "Monitor redis-server process",
      handle => "cfe_internal_maintain_cfe_hub_process_processes_redis",
      if => "nova|enterprise";

    am_policy_hub.cfconsumer_in_enterprise::
      "$(cfe_internal_process_knowledge.bindir)/cf-consumer" -> { "ENT-2797" }
      restart_class => "start_cf_consumer",
      comment => "Monitor cf-consumer process",
      handle => "cfe_internal_maintain_cfe_hub_process_processes_cf_consumer",
      if => "(nova|enterprise).no_vacuumdb";

   am_policy_hub.!enable_cfengine_enterprise_hub_ha::
      # postgres is only supervised here when HA is off; with HA enabled its
      # lifecycle is presumably owned by the HA stack (not visible in this file).
      "$(cfe_internal_process_knowledge.bindir)/postgres"
      restart_class => "start_postgres_server",
      comment => "Monitor postgres process",
      handle => "cfe_internal_maintain_cfe_hub_process_processes_postgres",
      if => "nova|enterprise";

    # '.' binds tighter than '|': this reads as
    # (non-HA hub with policy present, not windows) OR ha_run_hub_process.
    # With HA enabled the files_ok check is therefore not applied.
    am_policy_hub.!enable_cfengine_enterprise_hub_ha.files_ok.!windows|ha_run_hub_process::
      "cf-hub"      restart_class => "start_hub",
      comment => "Monitor cf-hub process",
      handle => "cfe_internal_maintain_cfe_hub_process_processes_cf_hub",
      if => and( "(nova|enterprise).no_vacuumdb",
                         "!persistent_disable_cf_hub" ); # Don't start it if it's persistently disabled

    am_policy_hub.ha_kill_hub_process::
      # Only SIGTERM is sent; there is no escalation to KILL, so a cf-hub that
      # ignores TERM will not be stopped by this promise.
      "cf-hub"      signals => { "term" },
      comment => "Terminate cf-hub on backup HA node outside cluster",
      handle => "cfe_internal_kill_hub_process_on_inactive_ha_node";

      #

  files:

      # No class context here (runs on every host reaching this bundle). The log
      # is created mode 0600 owned by cfpostgres so only the database user can
      # read it. NOTE(review): this path is hard coded while pg_ctl below logs to
      # $(cfe_internal_update_policy_cpv.postgresdb_log); confirm they agree.
      "/var/log/postgresql.log"
      comment => "Ensure postgres.log file is there with right permissions",
      handle => "cfe_internal_maintain_cfe_hub_process_files_create_postgresql_log",
      create => "true",
      perms => u_mo("0600","cfpostgres");

      #

  commands:

    !windows.am_policy_hub.start_redis_server.cfredis_in_enterprise::

      # TODO Remove from MPF after 3.12 EOL
      # Command line is built from two policy variables; both come from the MPF
      # (cfe_internal_update_policy_cpv), not from host-supplied data.
     "$(cfe_internal_process_knowledge.bindir)/redis-server $(cfe_internal_update_policy_cpv.redis_conf_file)" -> { "ENT-2797" }
      contain => u_in_dir("/"),
      comment => "Start redis process",
      classes => u_kept_successful_command,
      handle => "cfe_internal_maintain_cfe_hub_process_commands_start_redis";

    !windows.am_policy_hub.!enable_cfengine_enterprise_hub_ha.start_postgres_server::
     # u_postgres is a contain body defined elsewhere; presumably it runs
     # pg_ctl as the database user rather than as root -- confirm.
     "$(cfe_internal_process_knowledge.bindir)/pg_ctl -D $(cfe_internal_update_policy_cpv.postgresdb_dir) -l $(cfe_internal_update_policy_cpv.postgresdb_log) start"
      contain => u_postgres,
      comment => "Start postgres process",
      classes => u_kept_successful_command,
      handle => "cfe_internal_maintain_cfe_hub_process_commands_start_postgres";

    !windows.am_policy_hub.start_cf_consumer.cfconsumer_in_enterprise::
      # TODO Remove from MPF after 3.12 EOL

      # No contain body: runs with the agent's own privileges.
      "$(cfe_internal_process_knowledge.bindir)/cf-consumer"
      comment => "Start cf-consumer process",
      classes => u_kept_successful_command,
      handle => "cfe_internal_maintain_cfe_hub_process_commands_start_cf-consumer";

    !windows.am_policy_hub.start_hub::
      # sys.cf_hub is the agent-provided absolute path to the cf-hub binary.
      "$(sys.cf_hub)"
      comment => "Start cf-hub process",
      classes => u_kept_successful_command,
      handle => "cfe_internal_maintain_cfe_hub_process_commands_start_cf_hub";

}
339
340#
341###############################################################################
342#
343
bundle agent disable_cfengine_agents(process)
# @brief Ensure cfengine component is not running
# @param process The name of the cfengine component binary to ensure not running. [cf-agent, cf-serverd, cf-monitord, cf-hub]
#
# Called once per element of agents_to_be_disabled (and once per all_agents
# element whose persistent_disable_* class is set) from
# cfe_internal_update_processes on !windows.!systemd_supervised hosts. The
# whole bundle is a no-op on Windows.
{
  vars:

    !windows::

      # e.g. "cf-hub" -> "cf_hub", so the resulting class name is valid.
      "cprocess"    string => canonify("$(process)"),
      comment => "Canonify a given process",
      handle => "cfe_internal_disable_cfengine_agents_vars_cprocess";

      #

  classes:

    !windows::

      # strcmp of a string with itself is always true: this unconditionally
      # defines disable_<cprocess> for the processes promise below.
      "disable_$(cprocess)" expression => strcmp("$(process)","$(process)"),
      comment => "Create a class to disable a given process",
      handle => "cfe_internal_disable_cfengine_agents_classes_disable_process";

      #

  processes:

    !windows::

      # The promiser is a regular expression matched against the process table,
      # not an exact path; NOTE(review): the match is presumably unanchored, so a
      # name that is a prefix of another component's name could match both --
      # confirm. Only SIGTERM is sent, with no escalation to KILL.
      "$(cfe_internal_process_knowledge.bindir)/$(process)"
      signals => { "term" },
      comment => "Terminate $(process)",
      handle => "cfe_internal_disable_cfengine_agents_processes_terminate_process",
      if => "disable_$(cprocess)";

}
379
380#
381###############################################################################
382#
bundle agent enable_cfengine_agents(process)
# @brief Ensure cfengine component is running
# @param process The name of the cfengine component binary to ensure running. [cf-agent, cf-serverd, cf-monitord, cf-hub]
#
# Called once per element of agents_to_be_enabled from
# cfe_internal_update_processes on !windows.!systemd_supervised hosts. Besides
# restarting a missing component it also implements the persistent disable
# switch: running cf-agent with -Dset_persistent_disable_<cprocess> stores a
# namespace-scoped persistent class (see u_always_forever) that survives later
# agent runs, and -Dclear_persistent_disable_<cprocess> removes it. Because that
# switch stops a core daemon such as cf-serverd from being restarted, access to
# run cf-agent with -D on a host is effectively access to switch it off.
{
  vars:

    !windows::

      # e.g. "cf-serverd" -> "cf_serverd"; both the persistent_disable_* class
      # and the sys.cf_serverd binary-path variable use this form.
      "cprocess"  string => canonify("$(process)"),
      comment => "Canonify a given process",
      handle => "cfe_internal_enable_cfengine_agents_vars_cprocess";

  classes:

    !windows::

      # A persistently disabled component is never restarted by this bundle.
      "enable_$(cprocess)" expression => "!persistent_disable_$(cprocess)",
      comment => "Create a class to enable a given process",
      handle => "cfe_internal_enable_cfengine_agents_classes_enable_process";

      #

  processes:

    !windows::

      # restart_<cprocess> is defined only when no process matching
      # bindir/<process> is found in the process table.
      "$(cfe_internal_process_knowledge.bindir)/$(process)"
      restart_class => "restart_$(cprocess)",
      comment => "Create a class to restart a process",
      handle => "cfe_internal_enable_cfengine_agents_processes_restart_process",
      if => "enable_$(cprocess)";

      #

  commands:

    !windows::

      # The binary is located via the agent's own sys.<cprocess> variable rather
      # than a policy string; the isvariable guard skips components that have no
      # such variable (e.g. the cfengine3 umbrella name) instead of running an
      # unexpanded string.
      "$(sys.$(cprocess))"
      comment => "Restart a process",
      handle => "cfe_internal_enable_cfengine_agents_commands_restart_process",
      classes => u_kept_successful_command,
      if => and( "restart_$(cprocess)",
                         isvariable( "sys.$(cprocess)" ) );

  reports:
      # No class context: these run wherever the bundle is called. The set/clear
      # side effects only fire for the component this bundle was invoked with,
      # so e.g. -Dset_persistent_disable_cf_hub does nothing on a non-hub.
      "The process $(process) is persistently disabled.  Run with '-Dclear_persistent_disable_$(cprocess)' to re-enable it."
      if => and( "persistent_disable_$(cprocess)",
                         isvariable( "sys.$(cprocess)" ));

      # u_clear_always cancels the persistent class whatever the report outcome.
      "The process $(process) has been re-enabled.  Run with '-Dset_persistent_disable_$(cprocess)' to disable it persistently again."
      if => and( "clear_persistent_disable_$(cprocess)",
                         isvariable( "sys.$(cprocess)" )),
      classes => u_clear_always("persistent_disable_$(cprocess)");

      # NOTE(review): unlike the two reports above, this one is not guarded by
      # isvariable("sys.<cprocess>"), so the persistent class is set even for a
      # name this bundle could never restart. Harmless, but inconsistent.
      "The process $(process) has been disabled persistently.  Run with '-Dclear_persistent_disable_$(cprocess)' to re-enable it."
      if => "set_persistent_disable_$(cprocess)",
      classes => u_always_forever("persistent_disable_$(cprocess)");
}
442
443#
444###############################################################################
445#
446
bundle agent maintain_cfe_windows
# @brief Ensure cfengine components are running
#
# Windows counterpart of enable_cfengine_agents, called unconditionally on
# windows hosts. NOTE(review): it does not consult persistent_disable_* or
# def.agents_to_be_disabled -- cf-serverd and cf-monitord are always restarted
# once policy is present, and the executor service is always started.
{
  vars:

    windows::

      # Presence of promises.cf under the inputs directory gates everything
      # below (files_ok).
      "file_check"  string => translatepath("$(cfe_internal_update_policy_cpv.inputs_dir)/promises.cf"),
      comment => "Path to a policy file",
      handle => "cfe_internal_maintain_cfe_windows_vars_file_check";

      #

  classes:

    windows::

      # NOTE(review): the comment attribute names /var/cfengine/masterfiles, but
      # the path checked is $(file_check) above (inputs_dir based).
      "files_ok" expression => fileexists("$(file_check)"),
      comment => "Check for /var/cfengine/masterfiles/promises.cf",
      handle => "cfe_internal_maintain_cfe_windows_classes_files_ok";

      #

  processes:

    files_ok::

      # Bare names (no bindir prefix, unlike the !windows bundles); each is a
      # regex against the process table and the restart class is defined when
      # no match is found.
      "cf-serverd"  restart_class => "start_server",
      comment => "Monitor cf-serverd process",
      handle => "cfe_internal_maintain_cfe_windows_processes_cf_serverd";

      "cf-monitord" restart_class => "start_monitor",
      comment => "Monitor cf-monitord process",
      handle => "cfe_internal_maintain_cfe_windows_processes_cf_monitord";

      #

  services:

    files_ok.windows::

      # cf-execd is a Windows service here rather than a monitored process;
      # u_bootstart is a service_method body defined elsewhere.
      "CfengineNovaExec"
      service_policy => "start",
      service_method => u_bootstart,
      comment => "Start the executor windows service now and at boot time",
      handle => "cfe_internal_maintain_cfe_windows_services_windows_executor";

      #

  commands:

    start_server::

      # u_ifwin_bg is an action body defined elsewhere (presumably runs the
      # command in the background on Windows).
      "$(sys.cf_serverd)"
      action => u_ifwin_bg,
      comment => "Start cf-serverd process",
      classes => u_kept_successful_command,
      handle => "cfe_internal_maintain_cfe_windows_commands_start_cf_serverd";

    # NOTE(review): restart_monitor is not defined anywhere in this bundle; it
    # may be set by other policy, otherwise only start_monitor is effective.
    start_monitor|restart_monitor::

      "$(sys.cf_monitord)"
      action => u_ifwin_bg,
      comment => "Start cf-monitord process",
      classes => u_kept_successful_command,
      handle => "cfe_internal_maintain_cfe_windows_commands_start_cf_monitord";

}
515
bundle agent maintain_cfe_systemd
# @brief Ensure cfengine components are running
#
# Starts the cfengine3 umbrella unit if systemd reports it inactive. Per the
# TODO in cfe_internal_update_processes this bundle is effectively dead since
# 3.14 (systemd_supervised is always defined when systemd is), and it makes no
# statement about individual component units.
{
  classes:
    systemd::
      # Absolute path and "noshell": the command is exec'd directly, so nothing
      # here is subject to shell interpretation. NOTE(review): /bin/systemctl is
      # hard coded; on merged-/usr systems /bin is normally a symlink to
      # /usr/bin, but a distribution without that symlink would never define
      # restart_cfe.
      "restart_cfe"
      not => returnszero("/bin/systemctl -q is-active cfengine3", "noshell"),
      comment => "Check running status of CFEngine using systemd",
      handle => "cfe_internal_maintain_cfe_systemd_classes_restart_cfe";

  commands:
    restart_cfe::
      # No contain body: the commands promise default is also to run without a
      # shell, matching the check above.
      "/bin/systemctl -q start cfengine3"
      comment => "Start CFEngine using systemd",
      handle => "cfe_internal_maintain_cfe_systemd_commands_start_cfe";
}
532
body classes u_clear_always(theclass)
# @brief Undefine `theclass` as a result of the promise actuation, no matter the outcome (kept, notkept, repaired)
# @param theclass The class to cancel; used by enable_cfengine_agents to drop a
#   persistent_disable_<component> class set earlier by u_always_forever.
#   Cancelling is presumed to remove the class from the persistent store as
#   well as the current run -- the "-Dclear_persistent_disable_*" workflow
#   depends on that.
{
      cancel_kept => { $(theclass) };
      cancel_notkept => { $(theclass) };
      cancel_repaired => { $(theclass) };
}
540
body classes u_always_forever(theclass)
# @brief Define `theclass` for 999999999 minutes (1902 years) as a result of the promise actuation, no matter the outcome (kept, notkept, repaired)
# @param theclass The class to define persistently; used by
#   enable_cfengine_agents for persistent_disable_<component>.
#
# Every outcome attribute is listed so the class is set regardless of how the
# carrying promise ends. persist_time is in minutes, so in practice the class
# never expires on its own and must be cancelled explicitly (u_clear_always).
# scope "namespace" makes it visible outside the defining bundle, which is what
# lets cfe_internal_update_processes and maintain_cfe_hub_process test it.
{
      promise_kept => { $(theclass) };
      promise_repaired => { $(theclass) };
      repair_failed => { $(theclass) };
      repair_denied => { $(theclass) };
      repair_timeout => { $(theclass) };
      persist_time => 999999999;
      scope => "namespace";
}
552