I want CFEngine to shut down a service that I have blacklisted, and to notify me that it did so. It does this, but considers this as a promise kept rather than as a promise repaired. Why? It makes a change to the system in order to keep a promise, isn't that a repair?
Policy:

{{{
body common control
{
  inputs => { "/var/cfengine/inputs/cfengine_stdlib.cf" };
}

bundle agent example
{
processes:

  "cupsd"
    process_stop => "/etc/init.d/cups stop",
    comment => "We don't want print services on our Web servers.",
    classes => if_repaired("complain_loudly_about_cups");

commands:

  complain_loudly_about_cups::
    "/bin/echo send up a flare about CUPS";
}
}}}

When I run it (under 3.2.0) it shuts down CUPS but does not run the reporter/alerter command:

cf3> Observe process table with /bin/ps -eo user,pid,ppid,pgid,pcpu,pmem,vsz,pri,rss,nlwp,stime,time,args
cf3>
cf3> .........................................................
cf3> Promise handle:
cf3> Promise made by: cupsd
cf3>
cf3> Comment: We don't want print services on our Web servers.
cf3> .........................................................
cf3>
cf3> -> Found matching pid 11821 (root 11821 1 11821 0.0 0.0 78364 17 2612 1 21:30 00:00:00 cupsd)
Stopping cups: [ OK ]
cf3> -> No restart promised for cupsd
cf3>
cf3> =========================================================
cf3> commands in bundle example (1)
cf3> =========================================================
cf3>
cf3>
cf3> . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cf3> Skipping whole next promise (/bin/echo send up a flare about CUPS), as context complain_loudly_about_cups is not relevant
cf3> . . . . . . . . . . . . . . . . . . . . . . . . . . . .

So I changed my policy to use if_else() instead of if_repaired(), and now it works!
cfengine_stdlib.cf:

{{{
body classes if_repaired(x)
{
  promise_repaired => { "$(x)" };
}

##

body classes if_else(yes,no)
{
  promise_kept => { "$(yes)" };
  promise_repaired => { "$(yes)" };
  repair_failed => { "$(no)" };
  repair_denied => { "$(no)" };
  repair_timeout => { "$(no)" };
}
}}}

The working policy:

{{{
body common control
{
  inputs => { "/var/cfengine/inputs/cfengine_stdlib.cf" };
}

bundle agent example
{
processes:

  "cupsd"
    process_stop => "/etc/init.d/cups stop",
    comment => "We don't want print services on our Web servers.",
    classes => if_else("complain_loudly_about_cups","complain");

commands:

  complain_loudly_about_cups::
    "/bin/echo send up a flare about CUPS";

commands:

  complain::
    "/bin/echo Waaah!";
}
}}}

Is the processes promise in the first example a promise that the process won't be running? Or is it a promise to run a command if the process exists? And we do run a command, so the promise is kept?

Reference Manual states, about promise_kept:

  This class is set if no action was necessary by cf-agent because the promise concerned was already kept without further action required.

I want to make sure I understand how commands promises relate to promise_kept/promise_repaired. The behavior I am seeing is NOT what I expect, so I am confused. Could this point be clarified in the manual, please?

Aleksey
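
One way to see which outcome cf-agent assigns to the processes promise, as an added example that is not part of the original post or of cfengine_stdlib.cf: it sets a separate class for each outcome attribute used by if_else() above and reports the one that fired. The names outcome_probe, probe_cups and the cups_* classes are hypothetical.

```cfengine
# Added diagnostic example, not from the original post or the standard library.
body common control
{
  bundlesequence => { "probe_cups" };
}

# Hypothetical body name. The five attributes are the same ones that
# if_else() in cfengine_stdlib.cf uses, but each sets its own class.
body classes outcome_probe(p)
{
  promise_kept     => { "$(p)_kept" };
  promise_repaired => { "$(p)_repaired" };
  repair_failed    => { "$(p)_failed" };
  repair_denied    => { "$(p)_denied" };
  repair_timeout   => { "$(p)_timeout" };
}

bundle agent probe_cups
{
processes:

  # Same promise as in the post, with only the classes body swapped.
  "cupsd"
    process_stop => "/etc/init.d/cups stop",
    comment      => "We don't want print services on our Web servers.",
    classes      => outcome_probe("cups");

reports:

  # Exactly one of these contexts is expected to be defined per run.
  cups_kept::
    "cupsd promise outcome: kept";

  cups_repaired::
    "cupsd promise outcome: repaired";

  cups_failed|cups_denied|cups_timeout::
    "cupsd promise outcome: not kept";
}
```

Running it once with cupsd active and once with cupsd already stopped shows whether the agent distinguishes the two cases for this promise.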