On 11/22/2011 04:55 AM, Vivek Varghese Cherian wrote:
> I would like to know how to replicate and apply a promise to
> _all_clients_  in the network from a single policy server and
> also how to classify various clients into groups and to apply policies
> selectively to the client groups.

You need a promise that copies the policy files from your policy hub to your
clients. Some people keep it in a separate update bundle; some put it in
failsafe.cf so that, even if a bad policy is pushed, the agent still tries to
fetch a fixed one. Either way the hub's cf-serverd has to grant the clients
access to the masterfiles directory and the clients have to trust the hub's
key, or the copy is refused.

On your policy hub, run the bootstrap against the hub's own IP address, e.g.

cf-agent -s 10.130.221.138 -B

This generates a default policy that you can read or use as a starting point
(move your existing policy out of the way first, since bootstrap replaces it).

I have attached my failsafe.cf, a message of the day bundle and one
bundle from my custom library.cf.

It's basically the boilerplate generated by the command above, with some
additions that generate and update the motd file with the last time the
policy was updated and the last time the policy was successfully executed.

I also attached an example motd that it generates.

I don't recommend you use my motd generation stuff. I like it, but it does
increase the complexity of failsafe.cf, and since failsafe.cf is the policy
that has to keep working when everything else is broken, you generally want
it to be as simple as possible.


As for applying a promise to all nodes, put it under the `any::` class context. To target groups, define your own classes (from hostnames, IP ranges, or a classification file the clients read) and put the group-specific promises under those class contexts.

Hope it helps.


-- 
Nick Anderson <n...@cmdln.org>
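# Publishes the policy-update time and the last-run time in /etc/motd.
#
# Uses the standard library bodies "empty" and "if_repaired"
# (cfengine_stdlib.cf).  Reads the $(sys.workdir)/last_update_report stamp
# written by the failsafe update bundle and writes its own
# $(sys.workdir)/last_success_exec stamp.
#
# NOTE(review): the "last successful execution" stamp only proves the agent
# reached this bundle; it does not check that earlier bundles in the
# bundlesequence repaired cleanly.  Put this bundle last in the sequence if
# that is the intended meaning.
bundle agent motd {
  vars:

   # Both stamps are read with cat.  If a stamp file does not exist yet the
   # variable holds cat's error text rather than a date.
   "last_update_report"
         string => execresult("/bin/cat $(sys.workdir)/last_update_report", "noshell"),
        comment => "DateTime of last policy update",
         handle => "motd_vars_last_update_report";

   "last_success_exec"
         string => execresult("/bin/cat $(sys.workdir)/last_success_exec", "noshell"),
        comment => "DateTime of last successful execution",
         handle => "motd_vars_last_success_exec";

   # Banner template; the $(var) references are expanded by
   # expand_templatestring.  /etc/motd is world-readable, so the CFEngine
   # version shown here is visible to every local user.
   "motd"
       comment => "Text for updating motd with the datetime policy was last validated as current",
        handle => "motd_vars_motd",
        string => "
   @@@    
   @@@               This server is managed by CFEngine. Manual edits may be
                     reverted.
 @ @@@ @             
 @ @@@ @             Policy Last Updated       : $(last_update_report)
 @ @@@ @             Last Successful Execution : $(last_success_exec)
 @     @
   @@@
   @ @
   @ @       CFEngine core community version $(sys.cf_version)
   @ @

";


  files:

   any::

        # "empty" truncates the file before editing, so this promise should
        # come out repaired on every run and define the class used below.
        "$(sys.workdir)/last_success_exec"
                  comment => "Record datetime of last successful execution",
                   handle => "motd_files_sys_workdir_last_successful_execution",
                edit_line => insert_lines("$(sys.date)"),
                   create => "true",
                  classes => if_repaired("recorded_last_success_exec"),
            edit_defaults => empty;


   recorded_last_success_exec:: # don't write motd until a datetime has been recorded for the current run

       "/etc/motd"
                 comment => "Update /etc/motd with last policy update time, this gives us a good self check point",
                  handle => "motd_files_etc_motd",
                  create => "true",
           edit_defaults => empty,
               edit_line => expand_templatestring("$(motd)");

}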

###############################################################################
#
#   failsafe.cf - Basic Failsafe Policy for Community
#
###############################################################################

# Failsafe entry point: pull policy first, then refresh the motd stamp.
body common control
{
 version        => "Community Failsafe.cf 1.0.0";
 bundlesequence => { "update", "motd" };
}

#############################################################################

# Agent settings for failsafe runs.
body agent control
{
 # Never skip a promise because it ran recently: every failsafe run must
 # try to update.
 ifelapsed    => "0";
 # Do not send our own IP/name when connecting to the hub; intended for
 # environments where address resolution is broken.
 skipidentify => "true";
}

#############################################################################

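# Failsafe copy of the motd bundle: records when policy was last updated and
# refreshes /etc/motd on the same run.  Self-contained (uses only the u_*
# bodies in this file) so it still parses when the main policy is broken.
bundle agent motd {
 vars:

   # Read with cat; a missing stamp file leaves cat's error text in the
   # variable instead of a date.
   "last_update_report" string => execresult("/bin/cat $(sys.workdir)/last_update_report", "noshell"),
                       comment => "DateTime of last policy update",
                        handle => "update_vars_last_update_report";

   # Nothing in failsafe.cf writes this stamp (the promise that did is
   # commented out in the update bundle); it comes from the motd bundle in
   # the main policy.
   "last_success_exec"  string => execresult("/bin/cat $(sys.workdir)/last_success_exec", "noshell"),
                       comment => "DateTime of last successful execution",
                        handle => "update_vars_last_success_exec";

   # Banner template, expanded by u_expand_templatestring.  /etc/motd is
   # world-readable, so the CFEngine version is shown to every local user.
   "motd"               string => "
   @@@    
   @@@               This server is managed by CFEngine. Manual edits may be
                     reverted.
 @ @@@ @             
 @ @@@ @             Policy Last Updated       : $(last_update_report)
 @ @@@ @             Last Successful Execution : $(last_success_exec)
 @     @
   @@@
   @ @
   @ @       CFEngine core community version $(sys.cf_version)
   @ @

",
                         comment => "Text for updating motd with the datetime policy was last validated as current",
                          handle => "update_vars_motd";
 files:

  # update_report is defined by the update bundle only on a run that actually
  # copied new policy, so both files below change only on such a run.
  update_report::

   "$(sys.workdir)/last_update_report"
           comment => "Record datetime of last time update",
            handle => "update_files_sys_workdir_last_update_report",
         edit_line => u_insert_lines("$(sys.date)"),
            create => "true",
     edit_defaults => u_empty;

   "/etc/motd"
                 comment => "Update /etc/motd with last policy update time, this gives us a good self check point",
                  handle => "update_files_etc_motd",
                  create => "true",
           edit_defaults => u_empty,
               edit_line => u_expand_templatestring("$(motd)");

}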

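# Failsafe update bundle: keeps the CFEngine daemons running, makes sure the
# host has a key pair, and pulls policy from the hub's masterfiles into
# inputs/.  Everything it depends on is defined in this file (the u_* bodies
# below) so that it still works when the main policy is broken.
bundle agent update
{
 vars:

   "inputs_dir"         string => translatepath("$(sys.workdir)/inputs"),
                       comment => "Directory containing Cfengine policies",
                        handle => "update_vars_inputs_dir";

   "ppkeys_file"        string => translatepath("$(sys.workdir)/ppkeys/localhost.pub"),
                       comment => "Path to public key file",
                        handle => "update_vars_ppkeys_file";

   "file_check"         string => translatepath("$(inputs_dir)/promises.cf"),
                       comment => "Path to a policy file",
                        handle => "update_vars_file_check";

   "master_location"    string => "/var/cfengine/masterfiles",
                       comment => "The master cfengine policy directory on the policy host",
                        handle => "update_vars_master_location";

 classes:

   # No public key means cf-key has never run on this host.
   "have_ppkeys"   expression => fileexists("$(ppkeys_file)"),
                      comment => "Check for /var/cfengine/ppkeys/localhost.pub",
                       handle => "update_classes_have_ppkeys";

   # Daemons are only (re)started once there is a policy for them to run.
   "files_ok"      expression => fileexists("$(file_check)"),
                      comment => "Check for /var/cfengine/inputs/promises.cf",
                       handle => "update_classes_files_ok";

#

 processes:

  files_ok::

   # NOTE(review): this keeps cf-serverd, a network-listening daemon, running
   # on every host, not only the hub.  Hosts that never serve files or get
   # triggered by cf-runagent could restrict this to am_policy_hub:: to
   # shrink their network exposure.
   "cf-serverd"  restart_class => "start_server",
                       comment => "Monitor cf-serverd process",
                        handle => "update_processes_cf_serverd";

   "cf-monitord" restart_class => "start_monitor",
                       comment => "Monitor cf-monitord process",
                        handle => "update_processes_cf_monitord";

  files_ok.!windows::

   "cf-execd"    restart_class => "start_exec",
                       comment => "Monitor cf-execd process",
                        handle => "update_processes_cf_execd";

#

 commands:

  start_server::

   "$(sys.cf_serverd)"
      comment => "Start cf-serverd process",
       handle => "update_commands_start_cf_serverd";

  start_monitor::

   "$(sys.cf_monitord)"
      comment => "Start cf-monitord process",
       handle => "update_commands_start_cf_monitord";

  !windows.start_exec::

   "$(sys.cf_execd)"
      comment => "Start cf-execd process",
       handle => "update_commands_start_cf_execd_not_windows";

  !have_ppkeys::

   # No comma between the promiser and its first attribute: a stray one is a
   # parse error, which in failsafe.cf would leave the host unable to update
   # at all.
   "$(sys.cf_key)"
      comment => "Generate cfengine encryption keys if necessary",
       handle => "update_commands_generate_keys";

#

 files:

  !am_policy_hub::  # policy hub should not alter inputs/ unnecessarily

   # Cheap mtime-compared fetch of the hub's validation stamp; only when it
   # changes do clients pull the whole policy tree below.
   "$(inputs_dir)/cf_promises_validated"
        comment => "Check whether a validation stamp is available for a new policy update to reduce the distributed load",
         handle => "check_valid_update",
      copy_from => u_dcp("$(master_location)/cf_promises_validated","$(sys.policy_hub)"),
         action => u_immediate,
        classes => u_if_repaired("validated_updates_ready");

  am_policy_hub|validated_updates_ready::  # policy hub should always put masterfiles in inputs in order to check new policy

   # Only leaves matching u_input_files (*.cf, *.dat, *.txt) are copied;
   # anything else under masterfiles never reaches the clients.
   # "grant_access_policy" is not a handle in this file (presumably the hub's
   # server access promise), so depends_on is documentary here.
   "$(inputs_dir)"
           comment => "Copy policy updates from master source on policy server if a new validation was acquired",
            handle => "update_files_inputs_dir",
         copy_from => u_rcp("$(master_location)","$(sys.policy_hub)"),
      depth_search => u_recurse("inf"),
      file_select  => u_input_files,
        depends_on => { "grant_access_policy", "check_valid_update" },
            action => u_immediate,
           classes => u_if_repaired("update_report");

  !windows::

   "$(sys.workdir)/bin"
           comment => "Make sure cfengine binaries have right file permissions",
            handle => "update_files_sys_workdir_bin",
             perms => u_m("755"),
      depth_search => u_recurse_basedir("inf"),
            action => u_immediate;

   "$(sys.workdir)/lib"
           comment => "Make sure cfengine libraries have right file permissions",
            handle => "update_files_sys_workdir_lib",
             perms => u_m("644"),
      depth_search => u_recurse_basedir("inf"),
            action => u_immediate;

   # Local copy (no network) of the cf-* binaries onto the PATH.
   "/usr/local/sbin"
           comment => "Ensure cfengine binaries were copied to /usr/local/sbin",
            handle => "update_files_usr_local_sbin",
             perms => u_m("755"),
         copy_from => u_cp_nobck("$(sys.workdir)/bin"),
       file_select => u_cf3_files,
      depth_search => u_recurse("1"),
            action => u_immediate;

  am_policy_hub::

   "$(master_location)/."
           comment => "Make sure masterfiles folder has right file permissions",
            handle => "update_files_sys_workdir_masterfiles",
             perms => u_m("644"),
      depth_search => u_recurse_basedir("inf"),
            action => u_immediate;


# Left disabled: the last_success_exec stamp is written by the motd bundle in
# the main policy, and u_reconstruct is not defined in this file.
#
#   "$(sys.workdir)/last_success_exec"
#           comment => "Record datetime of last successful execution",
#            handle => "update_files_sys_workdir_last_successful_execution",
#         edit_line => u_insert_lines("$(sys.date)"),
#            create => "true",
#     edit_defaults => u_reconstruct;

}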

#########################################################
# Self-contained bodies from the lib to avoid dependencies
#########################################################

# Insert the given template string into the edited file, expanding any
# $(var) references it contains.  Despite the name this takes a string,
# not a file.
bundle edit_line u_expand_templatestring(templatestring) {

  insert_lines:

    "$(templatestring)"
      expand_scalars => "true",
         insert_type => "string",
             comment => "Expand variables in the template string";
}


# Append each given line to the edited file unless it is already present.
bundle edit_line u_insert_lines(lines)
{
  insert_lines:

    "$(lines)" comment => "Append lines if they don't exist";
}


# Truncate the file before editing and keep no backup copy; refuses to edit
# files larger than max_file_size bytes.
body edit_defaults u_empty
{
  max_file_size             => "100000";
  edit_backup               => "false";
  empty_file_before_editing => "true";
}

# Set the octal mode $(p) on the promised files.
body perms u_m(p)
{
  mode => "$(p)";
}

#########################################################

# Select only the CFEngine binaries (leaf names starting with "cf-").
body file_select u_cf3_files
{
  file_result => "leaf_name";
  leaf_name   => { "cf-.*" };
}

#########################################################

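# Leaf-name filter for the policy copy.  CFEngine anchors these regexes, but
# the dot before each extension must be escaped: ".*.cf" also matched names
# such as "abcf", because an unescaped "." matches any character.
body file_select u_input_files
{
 leaf_name => { ".*\.cf", ".*\.dat", ".*\.txt" };
 file_result => "leaf_name";
}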

#########################################################

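# Digest-compared copy of the policy tree: from the hub's cf-serverd on
# clients, from the local masterfiles on the hub itself.
body copy_from u_rcp(from,server)
{
 source      => "$(from)";
 compare     => "digest";
 # Trust-on-first-use: the hub's key is accepted the first time it is seen
 # (and again if ppkeys/ is ever wiped).  Once cached, a mismatching key
 # should be refused -- confirm for your version.  Set this to "false" after
 # the hub key is distributed if first contact is not over a trusted network.
 trustkey    => "true";
 # Encrypt the transfer; without this the policy is sent in clear text.
 encrypt     => "true";

!am_policy_hub::

 servers => { "$(server)" };
}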

#########################################################

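# mtime-compared copy used for the single validation stamp, so clients can
# poll cheaply before pulling the whole tree.
body copy_from u_dcp(from,server)
{
 source      => "$(from)";
 compare     => "mtime";
 # Trust-on-first-use: the hub's key is accepted the first time it is seen
 # (and again if ppkeys/ is ever wiped).  Once cached, a mismatching key
 # should be refused -- confirm for your version.  Set this to "false" after
 # the hub key is distributed if first contact is not over a trusted network.
 trustkey    => "true";
 # Encrypt the transfer; without this the stamp is sent in clear text.
 encrypt     => "true";

!am_policy_hub::

 servers => { "$(server)" };
}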

#########################################################

# Local (no servers attribute, so no network) digest-compared copy that
# leaves no backup of the overwritten destination.
body copy_from u_cp_nobck(from)
{
  copy_backup => "false";
  compare     => "digest";
  source      => "$(from)";
}

#########################################################

# Act every run, ignoring the agent's default ifelapsed lock.
body action u_immediate
{
  ifelapsed => "0";
}

#########################################################

# Recurse $(d) levels below the promised directory (not the directory
# itself), skipping Subversion metadata directories.
body depth_search u_recurse(d)
{
  exclude_dirs => { "\.svn" };
  depth        => "$(d)";
}

#########################################################

# Like u_recurse, but the promised directory itself is included in the
# search (needed when the promise sets permissions on it).
body depth_search u_recurse_basedir(d)
{
  exclude_dirs    => { "\.svn" };
  depth           => "$(d)";
  include_basedir => "true";
}

#########################################################

# Define class $(x) only when the promise had to change something.
body classes u_if_repaired(x)
{
  promise_repaired => { "$(x)" };
}

#########################################################
# Library twin of u_expand_templatestring: insert the template string into
# the edited file with its $(var) references expanded.  It takes a string,
# not a file name.
bundle edit_line expand_templatestring(templatestring) {

  insert_lines:

    "$(templatestring)"
      expand_scalars => "true",
         insert_type => "string",
             comment => "Expand variables in the template string";
}

   @@@    
   @@@               This server is managed by CFEngine. Manual edits may be
                     reverted.
 @ @@@ @             
 @ @@@ @             Policy Last Updated       : Fri Nov 11 23:20:07 2011
 @ @@@ @             Last Successful Execution : Tue Nov 22 08:51:56 2011
 @     @
   @@@
   @ @
   @ @       CFEngine core community version 3.2.1
   @ @

