Forum: Cfengine Help
Subject: Re: question on bundle sequence vs. ifelapsed
Author: bglomm
Link to topic: https://cfengine.com/forum/read.php?3,19154,19163#msg-19163

Seva, thnx!

Well, here are the files with which I produced that effect...
DON'T run them on your system (without adjusting) :-/ they WILL log you out !!!


So: 
here I give only my first 4 bundles, the interesting ones... 

When I leave the bundle sequence like it is shown below, I get the described
effect that "cf-agent -vI" stops at the beginning of sdk_global_pkg_update with
"Nothing promised here  (23/240 minutes elapsed)", and "sdk_admin_access_config"
isn't reached (I expect it to be reached after 240 min??).

When I change the bundlesequence, putting "sdk_admin_access_config" before
"sdk_global_pkg_update", then my cfengine nicely checks if my sshd_config is up
to date each minute (or respectively each time cf-agent runs...).




### /srv/cfengine3/masterfiles/inputs/promises.cf
############################################
# (c) 2010 user1
############################################
#
# promises file
#

############################################

body common control {
    # Promises are expected to carry a comment attribute.
    require_comments => "true";
    version          => "0.01";

    # Bundles run in this order on every cf-agent invocation: the policy
    # update first, then the server bundle, the global classes, the package
    # list refresh and finally the host configuration bundles.
    bundlesequence => {
        "update",
        "server",
        "sdk_global",
        "sdk_global_pkg_update",
        "sdk_admin_access_config",
        "sdk_nagios_nrpe_config",
        "sdk_logwatch_config"
    };

    # Policy files parsed together with this one (order kept as is).
    inputs => {
        "update.cf",
        "server.cf",
        "cfengine_stdlib.cf",
        "library.cf",
        "sdk-global.cf",
        "sdk-admin_access.cf",
        "sdk-nagios.cf",
        "sdk-logwatch.cf"
    };
}

############################################

body agent control {
    # Agent-wide minimum interval (minutes) before a promise is re-evaluated;
    # the default of 5 minutes is too long for the short jobs in this policy.
    # This lock is independent of the package list refresh: the apt body in
    # cfengine_stdlib.cf carries its own package_list_update_ifelapsed of 240.
    ifelapsed => "1";
}

############################################

body monitor control {
    # cf-monitord settings: keep histograms of the observed values and
    # weight new samples with 0.7 against the running average.
    histograms => "true";
    forgetrate => "0.7";
}

############################################

body executor control {
    # cf-execd: spread scheduled runs over up to one minute and mail at most
    # 30 lines of agent output per run through the given relay.
    splaytime        => "1";
    mailmaxlines     => "30";
    mailto           => "us...@mymailaddress.some";
    smtpserver       => "10.0.0.2";
    executorfacility => "LOG_DAEMON";

    # The failsafe policy (update bundle only) runs first so a broken main
    # policy can still be replaced from the master; the main run is chained
    # behind it with && and therefore only happens when the failsafe succeeds.
    exec_command    => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && 
$(sys.workdir)/bin/cf-agent";
}

############################################

body reporter control {
    # cf-report: HTML output of performance, last-seen and monitor history
    # reports, written below the agent's work directory.
    report_output   => "html";
    build_directory => "$(sys.workdir)/reports";
    reports         => { "performance", "last_seen", "monitor_history" };
}

############################################

####################################################################################################################################

### /srv/cfengine3/masterfiles/inputs/failsafe.cf
############################################
# (c) 2010 user1
############################################
#
# Failsafe file
#

body common control {
    # Minimal policy used when the main policy cannot be parsed: only the
    # update bundle from update.cf is evaluated.
    version        => "0.01";
    inputs         => { "update.cf" };
    bundlesequence => { "update" };
}

############################################

####################################################################################################################################

### /srv/cfengine3/masterfiles/inputs/update.cf
############################################
# (c) 2010 user1
############################################
#
# update file
#

bundle agent update {
    vars:
        # Policy source on the master and the address it is fetched from.
        "masterfiles"   string => "/srv/cfengine3/masterfiles";
        "inputs"        string => "$(masterfiles)/inputs";
        "cfmaster"      string => "10.0.0.99";

    files:
        # Private working directories for the agent, root-only (0700).
        "/var/lib/cfengine3/."
            create      => "true",
            perms       => u_p("0700"),
            comment     => "Make sure the cfengine dir exist with correct 
rights";

        "/var/lib/cfengine3/bin/."
            create      => "true",
            perms       => u_p("0700"),
            comment     => "Make sure the cfengines bin dir exist with correct 
rights";

        "/var/lib/cfengine3/ppkeys/."
            create      => "true",
            perms       => u_p("0700"),
            comment     => "Make sure the cfengines ppkeys dir exist with 
correct rights",;

        # Pull the *.cf files one level deep from the master (see mycopy:
        # digest comparison, verification, purge of stale files, encrypted
        # transport) and keep them readable by root only.
        "/var/lib/cfengine3/inputs"
            copy_from       => mycopy("$(inputs)"),
            file_select     => update_selection,
            depth_search    => mrecurse("1"),
            perms           => u_p("0600"),
            action          => if_elapsed("1"),
            comment         => "Copy new policies from the cfmaster server";
}

############################################

body perms u_p(p) {
    # Mode p, owned by root:root.
    mode   => "$(p)";
    owners => { "root" };
    groups => { "root" };
}

body depth_search mrecurse(d) {
    # Recurse d levels below the promiser.
    depth => "$(d)";
}

body file_select update_selection {
    # Select only policy files, i.e. names ending in .cf.
    file_result => "leaf_name";
    leaf_name   => { ".*\.cf" };
}

############################################

body copy_from mycopy(from) {
    # Remote copy from the policy master: files are compared by digest,
    # verified after transfer, stale local files purged, transport encrypted.
    # NOTE(review): ${cfmaster} is not qualified with a bundle name; it
    # appears to rely on resolution in the calling bundle (update) - confirm.
    source  => "$(from)";
    servers => { "${cfmaster}" };
    compare => "digest";
    verify  => "true";
    purge   => "true";
    encrypt => "true";
}

############################################

####################################################################################################################################

### /srv/cfengine3/masterfiles/inputs/sdk-global.cf
########################################################
# (c)2010 user1
#
# This script sets the global classes for the sdk network
# Furthermore here is the place to execute frequent
# commands such as: checking for updates, harvesting
# volatile performance data (e.g. vnstat -h) etc.
#
########################################################
bundle common sdk_global {
    vars:
        # Host names of the two networks; the classes below are derived
        # from them and are used by the other bundles (e.g. the sshd port).
        "outhousesrv"   slist   =>  { "king", "kong" };
        "inhousesrv"    slist   =>  { "ping", "pong" };

    classes:
        # True when the local host name matches an entry of the list.
        "outhouse"      expression  =>  reglist("@(outhousesrv)","$(sys.host)");
        "inhouse"       expression  =>  reglist("@(inhousesrv)","$(sys.host)");
}


bundle agent sdk_global_pkg_update {
    packages:
        # Promising "apt" at version >= 0.0.1 is always kept, so the only
        # effect is the package list refresh of the apt method (apt-get /
        # aptitude update), which that body rate-limits to once per 240
        # minutes via package_list_update_ifelapsed - the source of the
        # "(n/240 minutes elapsed)" message in the agent output.
        "apt"
            package_method          => apt,
            package_select          => ">=",
            package_version         => "0.0.1",
            comment                 => "Get a regular update of available 
packages";
}

####################################################################################################################################

### /srv/cfengine3/masterfiles/inputs/sdk-admin_access.cf
########################################################
# (c)2010 user1
# This script handles the secure access configuration, including ssh key
# distribution and the sudo configuration, i.e. which users will be granted
# sudo and ssh access.
########################################################
bundle agent sdk_admin_access_config {
    # Manages admin access on a host: sshd_config settings, local admin
    # accounts (passwd/shadow/group), their authorized_keys, sudoers entries,
    # and removal of unknown accounts and home directories. A repaired sshd
    # setting raises the restart_sshd class, which restarts sshd at the end.
    #
    # NOTE(review): the variables below are used as arrays further down
    # (getindices("sshd_var_arr"), $(pubkey[$(all_admins)]), ...), but the
    # array keys ("name[key]") are missing in this rendering of the policy,
    # presumably stripped by the forum software. As printed, each line
    # re-assigns the same scalar; restore the keys (sshd option names, admin
    # user names) before using this bundle.
    #
    # NOTE: whenever the target value contains regex special characters we need
    # an escaped version of the string for the searching tasks
    vars:
        # sshd listen port: default for hosts in neither network, then the
        # per-network values (inhouse/outhouse come from bundle common sdk_global).
        !(outhouse|inhouse)&any::
            "sshd_var_arr"                      string => "22";

        inhouse::
            "sshd_var_arr"                      string => "22";

        outhouse::
            "sshd_var_arr"                      string => "1021";

        any::
            # Target file and the ownership/mode enforced on it.
            "sshd_conf"         string => "/etc/ssh/sshd_config";
            "mpermission"       string => "644";
            "muser"             string => "root";
            "mgroup"            string => "root";
            # Remaining sshd options (keys lost, see note above); the last one
            # restricts logins to the admin list via a space-separated value.
            "sshd_var_arr"                 string =>   "no";
            "sshd_var_arr"            string =>   "yes";
            "sshd_var_arr"          string =>   "no";
            "sshd_var_arr"                          string =>   "no";
            "sshd_var_arr" string =>   "no";
            "sshd_var_arr"                      string =>   join(" ", 
"all_admins");
            # Option names to iterate over when editing sshd_config.
            "ssh_vars"                                      slist  =>   
getindices("sshd_var_arr");

            # One public key per admin; the keys define the admin list below.
            "pubkey"     string =>   "ssh-rsa somesshkey== user1";
            "pubkey"     string =>   "ssh-rsa somesshkey== user2";
            "pubkey"     string =>   "ssh-rsa somesshkey== user3";
            "pubkey"     string =>   "ssh-rsa somesshkey== user4";
            "pubkey"     string =>   "ssh-rsa somesshkey== user5";

            # Regex-escaped copies for the search patterns.
            "s_pubkey"   string =>   escape("$(pubkey)");
            "s_pubkey"   string =>   escape("$(pubkey)");
            "s_pubkey"   string =>   escape("$(pubkey)");
            "s_pubkey"   string =>   escape("$(pubkey)");
            "s_pubkey"   string =>   escape("$(pubkey)");

            # Password hashes written verbatim into /etc/shadow below ("$1$" is
            # the MD5-crypt prefix). Every host receives the same hash, and the
            # hashes live in a policy file that is copied to all hosts; update.cf
            # limits exposure (inputs copied with mode 0600, encrypted transport)
            # but anyone who can read the masterfiles can read them.
            "passwd"     string =>   "$1$mypassword";
            "passwd"     string =>   "$1$mypassword";
            "passwd"     string =>   "$1$mypassword";
            "passwd"     string =>   "$1$mypassword";
            "passwd"     string =>   "$1$mypassword";

            "s_passwd"       string =>   escape("$(passwd)");
            "s_passwd"       string =>   escape("$(passwd)");
            "s_passwd"       string =>   escape("$(passwd)");
            "s_passwd"       string =>   escape("$(passwd)");
            "s_passwd"       string =>   escape("$(passwd)");

            # sudoers rule per admin; the first entry grants passwordless sudo.
            "sudoers"        string =>   "ALL=NOPASSWD: ALL";
            "sudoers"        string =>   "ALL=(ALL) ALL";
            "sudoers"        string =>   "ALL=(ALL) ALL";
            "sudoers"        string =>   "ALL=(ALL) ALL";
            "sudoers"        string =>   "ALL=(ALL) ALL";

            "s_sudoers"      string =>   escape("$(sudoers)");
            "s_sudoers"      string =>   escape("$(sudoers)");
            "s_sudoers"      string =>   escape("$(sudoers)");
            "s_sudoers"      string =>   escape("$(sudoers)");
            "s_sudoers"      string =>   escape("$(sudoers)");

            # uid (and gid) per admin account.
            "uid"            string =>   "1001";
            "uid"            string =>   "1002";
            "uid"            string =>   "1003";
            "uid"            string =>   "1004";
            "uid"            string =>   "1005";

            # The admin list is the set of keys of the pubkey array.
            "all_admins"            slist  =>   getindices("pubkey");

            # # # static list of users that shall be REMOVED if found on the 
            # system. keep the "dummy" in the list...
            "nonsystemusers_list"  slist  =>   { "dummy" };
files:
        any::
            # --- sshd_config -----------------------------------------------
            # NOTE(review): the comment strings of the next two promises still
            # mention /root/test/ and /home/${user}/ (stale); both edit ${sshd_conf}.
            "${sshd_conf}"
            comment         => "Secure existance and permissions on 
/root/test/${sshd_conf}",
            perms           => mog(${mpermission},${muser},${mgroup}),
            create          => "true";

            "${sshd_conf}"
            comment         => "set header line in /home/${user}/${sshd_conf}",
            action          => if_elapsed("1"),
            edit_line       => prepend_if_no_line("# (c) 2010 user1 
(cfengine3())");

            # For every option in ssh_vars: rewrite a line that has the option
            # with a different value, or append the option if it is missing.
            # Either repair raises restart_sshd.
            "${sshd_conf}"
            comment         => "replace all patterns in ${sshd_conf} that 
match, service will restarted if any value was repaired",
            edit_line       => 
repl_l("^\s*$(ssh_vars)\s+(?!$(sshd_var_arr[$(ssh_vars)])$).*","$(ssh_vars) 
$(sshd_var_arr[$(ssh_vars)])"),
            classes         => if_repaired("restart_sshd");

            "${sshd_conf}"
            comment         => "append value in ${sshd_conf} if the promised 
value \"$(ssh_vars) $(sshd_var_arr[$(ssh_vars)])\" isn't found",
            edit_line       => append_if_no_line("$(ssh_vars) 
$(sshd_var_arr[$(ssh_vars)])"),
            action          => if_elapsed("1"),
            classes         => if_repaired("restart_sshd");

            # AllowUsers is handled separately (if_elapsed("0"): checked on
            # every run). NOTE(review): as printed, $(sshd_var_arr) here is the
            # whole array rather than the AllowUsers entry - see key note above.
            "${sshd_conf}"
            comment         => "replace AllowUsers... since this is a list, we 
have to iterate about it",
            edit_line       => 
repl_l("\s*AllowUsers\s+(?!$(sshd_var_arr)$).*","AllowUsers $(sshd_var_arr)"),
            action          => if_elapsed("0"),
            classes         => if_repaired("restart_sshd");

            "${sshd_conf}"
            comment         => "append AllowUsers if it doesn't exist already",
            edit_line       => append_if_no_line("AllowUsers $(sshd_var_arr)"),
            action          => if_elapsed("0"),
            classes         => if_repaired("restart_sshd");

            # --- /etc/shadow -----------------------------------------------
            # Rewrites each admin's shadow entry with the policy hash and fixed
            # aging fields (last change day 14874, max 999999); entries that
            # already carry the hash are left alone.
            "/etc/shadow"
            comment         => "Repair broken shadow entries",
            perms           => mog("640", "root", "shadow"),
            action          => if_elapsed("1"),
            edit_line       => 
repl_l("^\s*$(all_admins)(?!:$(s_passwd[$(all_admins)]):14874:0:999999:7:::).*",
 "$(all_admins):$(passwd[$(all_admins)]):14874:0:999999:7:::");

            "/etc/shadow"
            comment         => "Add user to shadows if their not present yet",
            edit_line       => 
append_if_no_line("$(all_admins):$(passwd[$(all_admins)]):14874:0:999999:7:::");

            # Removal of unwanted accounts: only names listed in
            # nonsystemusers_list are deleted, from the live files and from the
            # "-" backup copies.
            "/etc/shadow"
            comment         => "obsolet users, i.e. users with uid 1000..9999 
who are not valid admins, will be removed",
            edit_line       => 
delete_lines_matching("^\s*$(nonsystemusers_list):.*");

            "/etc/shadow-"
            comment         => "obsolet users, i.e. users with uid 1000..9999 
who are not valid admins, will be removed",
            edit_line       => 
delete_lines_matching("^\s*$(nonsystemusers_list):.*");

            # --- /etc/passwd -----------------------------------------------
            # Admin entries: uid == gid, home /home/<name>, shell /bin/bash.
            "/etc/passwd"
            comment         => "Repair broken passwd entries",
            perms           => mog("644", "root", "root"),
            action          => if_elapsed("1"),
            edit_line       => 
repl_l("^\s*$(all_admins)(?!:x:$(uid[$(all_admins)]):$(uid[$(all_admins)])::/home/$(all_admins):/bin/bash).*",
 
"$(all_admins):x:$(uid[$(all_admins)]):$(uid[$(all_admins)])::/home/$(all_admins):/bin/bash");

            "/etc/passwd"
            comment         => "Add user to passwd if their not present yet",
            edit_line       => 
append_if_no_line("$(all_admins):x:$(uid[$(all_admins)]):$(uid[$(all_admins)])::/home/$(all_admins):/bin/bash");

            "/etc/passwd"
            comment         => "obsolet users, i.e. users with uid 1000..9999 
who are not valid admins, will be removed",
            edit_line       => 
delete_lines_matching("^\s*$(nonsystemusers_list):.*");

            "/etc/passwd-"
            comment         => "obsolet users, i.e. users with uid 1000..9999 
who are not valid admins, will be removed",
            edit_line       => 
delete_lines_matching("^\s*$(nonsystemusers_list):.*");

            # --- /etc/group ------------------------------------------------
            # One private group per admin with gid == uid.
 "/etc/group"
            comment         => "Repair broken group entries",
            perms           => mog("644", "root", "root"),
            action          => if_elapsed("1"),
            edit_line       => 
repl_l("^\s*$(all_admins)(?!:x:$(uid[$(all_admins)]):).*", 
"$(all_admins):x:$(uid[$(all_admins)]):");

            "/etc/group"
            comment         => "Add user to group if their not present yet",
            edit_line       => 
append_if_no_line("$(all_admins):x:$(uid[$(all_admins)]):");

            "/etc/group"
            comment         => "obsolet users, i.e. users with uid 1000..9999 
who are not valid admins, will be removed",
            edit_line       => 
delete_lines_matching("^\s*$(nonsystemusers_list):.*");

            "/etc/group-"
            comment         => "obsolet users, i.e. users with uid 1000..9999 
who are not valid admins, will be removed",
            edit_line       => 
delete_lines_matching("^\s*$(nonsystemusers_list):.*");

            # --- home directories and ssh keys -----------------------------
            "/home/$(all_admins)/."
            comment         => "Make sure target area exists.",
            perms           => mog("770","$(all_admins)","$(all_admins)"),
            create          => "true";

            "/home/$(all_admins)/.ssh/."
            comment         => "Make sure in target area exists .ssh/.",
            perms           => og("$(all_admins)","$(all_admins)"),
            create          => "true";

            # First pass drops every line that does not end with this admin's
            # (escaped) key, i.e. any other key in the file is removed; the
            # second pass appends the key if it is missing.
            "/home/$(all_admins)/.ssh/authorized_keys"
            comment         => "Edit the authorized keys into the user's 
personal keyring",
            create          =>  "true",
            edit_line       => 
delete_lines_matching(".*(?<!$(s_pubkey[$(all_admins)]))");

            "/home/$(all_admins)/.ssh/authorized_keys"
            comment         => "Edit the authorized keys into the user's 
personal keyring",
            perms           => mog("644", "$(all_admins)", "$(all_admins)"),
            action          => if_elapsed("1"),
            edit_line       => append_if_no_line("$(pubkey[$(all_admins)])");

            "/home/$(all_admins)/"
            comment         => "populate new accounts with standard ~/*.rc 
files (/etc/skel/*)",
            copy_from       => mlocal_cp("/etc/skel"),
            depth_search    => recurse("1"),
            perms           => mog("644", "$(all_admins)","$(all_admins)"),
            action          => if_elapsed("1");

            # Destructive: with recurse("inf") and the "!owner" selector this
            # deletes every file and directory anywhere under /home that is
            # not owned by one of the admins, not only foreign top-level
            # directories. Despite the comment string, no user account is
            # removed here; account removal is the nonsystemusers_list edits.
            "/home/"
            comment         => "All directorys in /home that don't belong to 
registrated admins will be removed, correspondiong users will be deleted too.",
            file_select     => otoexcl( "@(all_admins)" ),
            delete          => mdelete("delete", "true"),
            depth_search    => recurse("inf");

            # --- /etc/sudoers ----------------------------------------------
            # sudoers is edited in place without a syntax check; a malformed
            # line disables sudo entirely (visudo -c validates a file).
            "/etc/sudoers"
            comment         => "Add the admins to the sudoers file.",
            edit_line       => repl_l("^\s*$(all_admins) 
(?!$(s_sudoers[$(all_admins)])).*", "$(all_admins) $(sudoers[$(all_admins)])"),
            action          => if_elapsed("1");

            "/etc/sudoers"
            comment         => "Add the admins to the sudoers file.",
            edit_line       => append_if_no_line("$(all_admins) 
$(sudoers[$(all_admins)])"),
            action          => if_elapsed("1");

            "/etc/sudoers"
            comment         => "delete all lines in sudoers that are not valid 
admins and are not a comment",
            edit_line       => 
delete_lines_matching("^$(nonsystemusers_list)\s*{1,}.*"),
            action          => if_elapsed("1");

            # Comments out the %sudo group rule, so group-based sudo is off.
            "/etc/sudoers"
            comment         => "delete all lines in sudoers that are not valid 
admins and are not a comment",
            edit_line       => comment_lines_matching("^%sudo.*","#"),
            action          => if_elapsed("1");

            "/etc/sudoers"
            comment         => "Make sure /etc/sudoers always have 0440 ",
            perms           => mog("440", "root", "root");

            "/root/scripts/."
            comment         => "Here we keep some maintainance scripts",
            perms           => mog("0700", "root", "root"),
            create          => "true";

            "/root/logs/."
            comment         => "Here we keep the logs of the maintainance 
scripts",
            perms           => mog("0700", "root", "root"),
            create          => "true";

   commands:
       # Restart only when an sshd_config edit above was repaired. The config
       # is not validated first; if the edited file does not parse, the
       # restart fails and remote access may be lost (sshd -t checks a config
       # without restarting).
       restart_sshd::
           "/etc/init.d/ssh restart",
           comment => "if /etc/ssh/sshd_config was edited, sshd is restarted 
here.";

#   any::
#           "/bin/echo $(nonsystemusers_list)",
#           comment => "test";

#   reports:
#           "ssh vars are ${ssh_vars.{.*}}";
#           comment => "dito";
}

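bundle edit_line repl_l(x,y) {
    # Replace every line of the edited file matching regex x with y, and
    # report the repair. x is normally a pattern with a negative lookahead
    # that excludes lines already holding the wanted value, so the replace
    # only fires when a line with a wrong value exists.
    #
    # Parameters: x - regex selecting the lines to rewrite
    #             y - replacement text for the whole matched line
    classes:
            # Set when at least one line of the file matches x.
            "enforce"           expression      => regline("^$(x)$", "$(edit.filename)"),
            comment => "Report the repair of a line";

    replace_patterns:
             enforce::
                "$(x)"
                    replace_with    =>  value("$(y)"),
                    comment         =>  "Repaired value in key";

    reports:
            enforce::
                # Fix: the comment named $(y) (the replacement) as the file;
                # the edited file is $(edit.filename).
                "Repaired searching pattern \"$(x)\"    with    \"$(y)\"",
                comment =>  "Reporting the repair of a line in file $(edit.filename)";
}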

body edit_defaults edit_backup {
    # Keep a backup copy of files before editing them.
    edit_backup => "true";
}

body delete mdelete(dirlinks,rmdirs) {
    # dirlinks: how to treat links to directories; rmdirs: whether
    # directories themselves are removed.
    rmdirs   => "$(rmdirs)";
    dirlinks => "$(dirlinks)";
}

body file_select otoexcl(whomnot) {
    # Select files NOT owned by any of the given users (owner negated).
    file_result   => "!owner";
    search_owners => { @(whomnot) };
}

body copy_from mlocal_cp(source) {
    # Local copy with digest comparison and verification after the copy.
    verify  => "true";
    compare => "digest";
    source  => "$(source)";
}

####################################################################################################################################

### from cfengine_stdlib.cf
...
body package_method apt
{
    # Debian/Ubuntu packaging. The inventory comes from "dpkg -l"; every
    # entry dpkg reports as "ii" counts as installed.
    package_changes            => "bulk";
    package_list_command       => "/usr/bin/dpkg -l";
    package_list_name_regex    => "ii\s+([^\s]+).*";
    package_list_version_regex => "ii\s+[^\s]+\s+([^\s]+).*";
    package_installed_regex    => ".*";
    package_name_convention    => "$(name)";

    # aptitude when available, plain apt-get otherwise. The package list
    # refresh is rate-limited to once per 240 minutes by
    # package_list_update_ifelapsed, independent of the agent's ifelapsed;
    # this is the lock behind "(n/240 minutes elapsed)" in agent output.
    have_aptitude::
        package_add_command           => "/usr/bin/aptitude --assume-yes install";
        package_delete_command        => "/usr/bin/aptitude --assume-yes remove";
        package_update_command        => "/usr/bin/aptitude --assume-yes install";
        package_list_update_command   => "/usr/bin/aptitude update";
        package_list_update_ifelapsed => "240";

    !have_aptitude::
        package_add_command           => "/usr/bin/apt-get --yes install";
        package_delete_command        => "/usr/bin/apt-get --yes remove";
        package_update_command        => "/usr/bin/apt-get --yes install";
        package_list_update_command   => "/usr/bin/apt-get update";
        package_list_update_ifelapsed => "240";
}
