Here is my complete configuration, not just what I think are the relevant bits (thank you, Mark). Please note that when I swap out the 3.1.4 or 3.1.2 RPM for the 3.1.0 version (built from source), I get the expected behavior (I can copy files).
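1. Server configuration:
#######################################################
#
# promises.cf
#
# Policy entry point on the server host: one control body per CFEngine
# component (agent, monitor, executor, reporter, runagent, server).
#
#######################################################

body common control
{
  # Bundles are evaluated in this order. "update" is not defined in the files
  # shown here; presumably it lives in update.cf (listed in inputs) - confirm.
  bundlesequence => { "update", "garbage_collection", "main", "cfengine" };
  inputs => { "update.cf", "site.cf", "cfengine_stdlib.cf" };
}

#######################################################

body agent control
{
  # if default runtime is 5 mins we need this for long jobs
  # (minimum number of minutes before a promise is re-checked)
  ifelapsed => "15";
}

#######################################################

body monitor control
{
  forgetrate => "0.7";
  histograms => "true";
}

#######################################################

body executor control
{
  splaytime => "1";
  mailto => "cfengine_m...@example.org";
  smtpserver => "localhost";
  mailmaxlines => "30";

  # Instead of a separate update script, now do this:
  # run failsafe.cf first and the main policy only if that succeeds.
  exec_command => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent";
}

#######################################################

body reporter control
{
  reports => { "performance", "last_seen", "monitor_history" };
  build_directory => "$(sys.workdir)/reports";
  report_output => "html";
}

#######################################################

body runagent control
{
  # Hosts that cf-runagent contacts; only the local host is active here.
  hosts => {
    "127.0.0.1"
    # , "myhost.example.com:5308", ...
  };
}

#######################################################

body server control
{
  # Addresses that may connect to cf-serverd at all.
  allowconnects => { "127.0.0.1" , "::1", "205.186.156.208" };

  # Addresses that may hold more than one connection at a time.
  allowallconnects => { "127.0.0.1" , "::1", "205.186.156.208" };

  # Addresses whose previously unknown public keys are accepted on trust.
  # NOTE(review): this setting is meant for the initial key exchange. Once the
  # client's key is stored, emptying the list stops a different key presented
  # from the same address from being accepted automatically.
  trustkeysfrom => { "127.0.0.1" , "::1", "205.186.156.208" };

  # Addresses exempt from the server's DNS name/IP identity verification.
  # NOTE(review): combined with trustkeysfrom above, a first-time peer appears
  # to be checked by source address only - confirm that is intended once
  # bootstrap is finished.
  skipverify => { "127.0.0.1" , "::1", "205.186.156.208" };

  # Interface address the server listens on.
  bindtointerface => "205.186.147.195";

  # Make updates and runs happen in one
  # (this is the command executed for remote run requests)
  cfruncommand => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent";

  # Key identities (user names) allowed to make requests of this server.
  allowusers => { "root" };
}

and site.cf:

#######################################################
#
# Site specific promises
#
#######################################################

bundle common g
{
  vars:

    # Location of root's crontab, selected by platform class.
    SuSE::
      "crontab" string => "/var/spool/cron/tabs/root";

    redhat::
      "crontab" string => "/var/spool/cron/root";

    (!SuSE).(!redhat)::
      "crontab" string => "/var/spool/cron/crontabs/root";
}

#######################################################
# Start with cfengine itself
#######################################################

bundle agent cfengine
{
  classes:

    # Set only when both a cfengine 2 config file and its agent binary exist.
    "integrate_cfengine2" and => { fileexists("$(sys.workdir)/inputs/cfagent.conf"), fileexists("$(sys.workdir)/bin/cfagent") };

  vars:

    "cf2bits" slist => { "cfenvd", "cfservd", "cfexecd" };

  commands:

    # if_elapsed is not defined on this page; presumably it comes from
    # cfengine_stdlib.cf - confirm.
    integrate_cfengine2::
      "$(sys.workdir)/bin/cfagent" action => if_elapsed("240");

  files:

    # Warn about rules relating to cfengine 2 in inputs - could conflict
    # (warn_only: report the lines that would be deleted, change nothing)
    "$(sys.workdir)/inputs/.*"
      comment => "Check if there are still promises about cfengine 2 that need removing",
      edit_line => delete_lines_matching(".*$(cf2bits).*"),
      file_select => OldCf2Files,
      action => warn_only;

    # Check cf-execd and schedule is in crontab
    "$(g.crontab)"
      comment => "Add cfengine as a cron job, or check for cfengine 2 jobs to replace",
      create => "true",
      edit_line => upgrade_cfexecd;

  processes:

    # exec_fix is set by the upgrade_cfexecd edit_line bundle further down in
    # site.cf; cron gets a HUP so it re-reads the edited crontab.
    exec_fix::
      "cron" signals => { "hup" };
}

#######################################################
# General site issues can be in bundles like this one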
#######################################################

bundle agent main
{
  vars:

    "component" slist => { "cf-monitord", "cf-serverd" };

  # - - - - - - - - - - - - - - - - - - - - - - - -

  files:

    # NOTE(review): the resolver bundle used here rewrites the "search" line
    # of the resolver file to "search cfengine.com", which looks like a
    # stock example value - confirm it is wanted on this host.
    "$(sys.resolv)" # test on "/tmp/resolv.conf" #
      comment => "Edit the resolver file",
      create => "true",
      edit_line => resolver,
      edit_defaults => def;

    # Uncomment this to perform a change-detection scan
    # "/usr"
    #   changes => lay_trip_wire,
    #   depth_search => recurse("inf"),
    #   action => measure;

  processes:

    # Stop the cfengine 2 monitoring daemon.
    "cfenvd" signals => { "term" };

    # Uncomment this if/when you are ready to upgrade a cf2 server
    #
    # "cfservd" signals => { "term" };
    #
    # Now make sure the new parts are running, cf-serverd will fail if
    # the old server is still running
    # (a missing process defines the class start_<component>)
    "$(component)" restart_class => canonify("start_$(component)");

  # - - - - - - - - - - - - - - - - - - - - - - - -

  commands:

    # Start each component whose start_<component> class was set above.
    "$(sys.workdir)/bin/$(component)"
      ifvarclass => canonify("start_$(component)");
}

#######################################################
# Garbage collection issues
#######################################################

bundle agent garbage_collection
{
  files:

    # Recursively delete files under outputs selected by days_old("3").
    # tidy, days_old and recurse are not defined on this page; presumably
    # they come from cfengine_stdlib.cf - confirm.
    "$(sys.workdir)/outputs"
      delete => tidy,
      file_select => days_old("3"),
      depth_search => recurse("inf");
}

#######################################################

bundle edit_line resolver
{
  vars:

    "search" slist => { "search cfengine.com" };

  delete_lines:

    # Drop every existing line matching "search.*" ...
    "search.*";

  insert_lines:

    # ... and put the configured search line at the start of the file.
    "$(search)" location => start;
}

###########################################################

body file_select OldCf2Files
{
  # file_result negates the match: select files whose name is NOT one of
  # these patterns.
  leaf_name => { "promises.cf", "site.cf", "library.cf", "failsafe.cf", ".*.txt", ".*.html", ".*~", "#.*" };
  file_result => "!leaf_name";
}

###########################################################

body action measure
{
  # Only referenced by the commented-out /usr scan in bundle main.
  measurement_class => "Detect Changes in /usr";
  ifelapsed => "240";
  expireafter => "240";
}

#######################################################
# Anomaly monitoring
#######################################################

# This bundle is not listed in the bundlesequence of promises.cf shown
# earlier on this page, so it is presumably not evaluated - confirm.
bundle agent anomalies
{
  reports:

    rootprocs_high_dev2::
      "RootProc anomaly high 2 dev on $(mon.host) at $(mon.env_time) measured value $(mon.value_rootprocs) av $(mon.av_rootprocs) pm $(mon.dev_rootprocs)"
        showstate => { "rootprocs" };

    entropy_www_in_high&anomaly_hosts.www_in_high_anomaly::
      "HIGH ENTROPY Incoming www anomaly high anomaly dev!! on $(mon.host) at $(mon.env_time) - measured value $(mon.value_www_in) av $(mon.av_www_in) pm $(mon.dev_www_in)"
        showstate => { "incoming.www" };

    # NOTE(review): $(svalue_www_in), $(av_www_in) and $(dev_www_in) lack
    # the mon. scope used by the other reports here and would probably not
    # expand - confirm against $(mon.value_www_in) etc.
    entropy_www_in_low.anomaly_hosts.www_in_high_anomaly::
      "LOW ENTROPY Incoming www anomaly high anomaly dev!! on $(mon.host) at $(mon.env_time) - measured value $(svalue_www_in) av $(av_www_in) pm $(dev_www_in)"
        showstate => { "incoming.www" };

    entropy_tcpsyn_in_low.anomaly_hosts.tcpsyn_in_high_dev2::
      "Anomalous number of new TCP connections on $(mon.host) at $(mon.env_time) - measured value $(mon.value_tcpsyn_in) av $(mon.av_tcpsyn_in) pm $(mon.dev_tcpsyn_in)"
        showstate => { "incoming.tcpsyn" };

    # NOTE(review): $(av_dns_in) is also missing the mon. scope - confirm.
    entropy_dns_in_low.anomaly_hosts.dns_in_high_anomaly::
      "Anomalous (3dev) incoming DNS packets on $(mon.host) at $(mon.env_time) - measured value $(mon.value_dns_in) av $(av_dns_in) pm $(mon.dev_dns_in)"
        showstate => { "incoming.dns" };

    # NOTE(review): guarded by entropy_dns_in_low although the report is
    # about non-DNS UDP traffic - confirm the class expression.
    entropy_dns_in_low.anomaly_hosts.udp_in_high_dev2::
      "Anomalous (2dev) incoming (non-DNS) UDP traffic on $(mon.host) at $(mon.env_time) - measured value $(mon.value_udp_in) av $(mon.av_udp_in) pm $(mon.dev_udp_in)"
        showstate => { "incoming.udp" };

    anomaly_hosts.icmp_in_high_anomaly.!entropy_icmp_in_high::
      "Anomalous low entropy (3dev) incoming ICMP traffic on $(mon.host) at $(mon.env_time) - measured value $(mon.value_icmp_in) av $(mon.av_icmp_in) pm $(mon.dev_icmp_in)"
        showstate => { "incoming.icmp" };
}

#######################################################
# Server configuration
#######################################################

bundle server access_rules()
{
  access:

    # Hosts allowed to fetch files under masterfiles. 205.186.156.208 is the
    # address the client configuration on this page binds to.
    "/var/cfengine/masterfiles"
      admit => { "127.0.0.1", "205.186.156.208" };

  roles:

    # Lets the root key identity activate any class (".*") when requesting a
    # remote run. NOTE(review): a narrower pattern limits what a remote
    # request can switch on - confirm ".*" is needed.
    ".*" authorize => { "root" };
}
########################################################

bundle edit_line upgrade_cfexecd
{
  classes:

    # exec_fix is set when no line of the edited file mentions cf-execd.
    "exec_fix" not => regline(".*cf-execd.*","$(edit.filename)");

  insert_lines:

    # Schedule cf-execd every five minutes.
    exec_fix::
      "0,5,10,15,20,25,30,35,40,45,50,55 * * * * /var/cfengine/bin/cf-execd -F";

  replace_patterns:

    # Rename cfengine 2 "cfexecd" entries to the cfengine 3 binary name.
    "cfexecd" replace_with => value("cf-execd");

  reports:

    exec_fix::
      "Added a 5 minute schedule to crontabs";
}

#######################################################

body edit_defaults def
{
  # Edit in place, keep no backup copy, and refuse files larger than
  # max_file_size.
  empty_file_before_editing => "false";
  edit_backup => "false";
  max_file_size => "100000";
}

2. Client configuration:

body common control
{
  bundlesequence => { "updatefrom2" };
  inputs => { "cfengine_stdlib.cf" };
}

#########################################################

body agent control
{
  # Do not send this host's name/IP identity when connecting to a server.
  skipidentify => "true";

  # Source address for outgoing connections; it matches the address the
  # server configuration on this page admits.
  bindtointerface => "205.186.156.208";
}

#########################################################

bundle agent updatefrom2
{
  vars:

    "master_location" string => "/var/cfengine/masterfiles";

  files:

    # Recursively copy the server's masterfiles into the local inputs
    # directory, setting mode 600 via u_p. recurse and immediate are not
    # defined on this page; presumably they come from cfengine_stdlib.cf.
    "/var/cfengine/inputs"
      perms => u_p("600"),
      copy_from => mycopy("$(master_location)","cfengine02"),
      depth_search => recurse("inf"),
      action => immediate;
}

############################################

body perms u_p(p)
{
  mode => "$(p)";
}

#########################################################

body copy_from mycopy(from,server)
{
  source => "$(from)";
  servers => { "$(server)" };

  # Decide whether to copy by comparing file digests.
  compare => "digest";

  # Encrypt the file transfer.
  encrypt => "true";

  # Accept the server's public key if it is not yet known.
  # NOTE(review): needed for the first key exchange only; setting it to
  # "false" afterwards keeps an unknown key from being accepted silently.
  trustkey => "true"; # trust the server's public key
}

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine