Forum: CFEngine Help
Subject: Need criticism regarding my service control bundle.
Author: juriskrumins
Link to topic: https://cfengine.com/forum/read.php?3,27588,27588#msg-27588

The purpose of the bundle is to maintain the full service lifecycle in the system, in this case for sshd: starting from the sshd configuration file (using the templates mechanism), followed by package installation, service auto-start control using the chkconfig utility, and an audit of sshd process existence in the system process table.
More generally, this can be used to manage any service, using this bundle as a starting point and tweaking it a bit for certain services.

So if anybody has the time and willingness to take a look with some level of criticism and maybe propose some changes, we can together make this bundle better and everybody can benefit from it.


[%CFEngine BEGIN %]
# sshd_config template rendered into place by the "sshd" bundle (edit_template).
# Each placeholder is a CFEngine variable reference resolved at render time, so
# every name used here must be defined in that bundle.
# NOTE(review): all five placeholders read "sshd.sshd" on this page, which looks
# like forum mangling of five distinct variable names (the bundle assigns five
# values: 2, yes, no, no, 6) - confirm the real names before deploying.
Protocol $(sshd.sshd)
SyslogFacility AUTHPRIV
# NOTE(review): PermitRootLogin comes from the bundle, where the page shows a
# "yes" value; restricting root login ("no") is the usual hardening choice -
# confirm intent.
PermitRootLogin $(sshd.sshd)
MaxAuthTries $(sshd.sshd)
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
# Locale-related environment variables the client may pass into the session.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding $(sshd.sshd)
UseDNS $(sshd.sshd)
Subsystem       sftp    /usr/libexec/openssh/sftp-server
[%CFEngine END %]



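bundle agent sshd
# Maintain the full sshd lifecycle on RedHat/CentOS hosts: render
# /etc/ssh/sshd_config from a template, install the OpenSSH packages, set the
# chkconfig autostart switch for every runlevel, and start or stop the daemon
# according to the current runlevel. A changed configuration is syntax-checked
# and then reloaded into the running daemon.
{
  vars:
     redhat|centos::
        "sshd_config_file" string => "/etc/ssh/sshd_config",
                           comment => "Default sshd service config file",
                           handle => "sshd_vars_sshd_config_file";

        "sshd_tmpl_file" string => "$(sys.workdir)/inputs/foo/templates/sshd.tmpl",
                           comment => "Sshd service config file template",
                           handle => "sshd_vars_sshd_tmpl_file";

        "packages" slist => { "openssh", "openssh-server", "openssh-clients" },
                comment => "Gerenal package list gets installed on every host arch specific",
                handle => "sshd_vars_packages";

        # /sbin/runlevel prints "<previous> <current>"; lastnode keeps the
        # current one. If it prints "unknown", neither the up nor the down
        # class below is defined and the services promises are skipped.
        "runlvl" string => lastnode(execresult("/sbin/runlevel","noshell")," "),
                comment => "Define current system runlevel",
                handle => "sshd_vars_runlvl";

        # Character classes matched (whole-string) against the runlevel digit.
        # The original "[2|3|4|5]" form was a character class that also
        # matched a literal "|"; the sets below are the intended ones.
        "up_runlvl" string => "[2-5]",
                comment => "Runlevel where service shoud be running.",
                handle => "sshd_vars_up_runlvl";

        "down_runlvl" string => "[016]",
                comment => "Runlevel where service shoudn't be running.",
                handle => "sshd_vars_down_runlvl";

        "svc_name"  string => "sshd",
                comment => "Define service name",
                handle => "sshd_vars_svc_name";

        # Desired chkconfig switch per runlevel; svc_lvl holds the keys so the
        # methods promise below calls chkconfig_svc_lvl once per runlevel.
        "chkcfg[0]" string => "off";
        "chkcfg[1]" string => "off";
        "chkcfg[2]" string => "on";
        "chkcfg[3]" string => "on";
        "chkcfg[4]" string => "on";
        "chkcfg[5]" string => "on";
        "chkcfg[6]" string => "off",
                comment => "Define service autostart configuration",
                handle => "sshd_vars_chkcfg";
        "svc_lvl"  slist => getindices("chkcfg");

     any::
        # NOTE(review): the five variables below all carry the same name
        # "sshd" on the page, which looks like forum mangling of five distinct
        # names that the template consumes (Protocol, PermitRootLogin,
        # MaxAuthTries, X11Forwarding, UseDNS placeholders). As written the
        # last assignment wins and every placeholder receives one value, so
        # the rendered sshd_config is invalid. Restore the distinct names
        # (matching the template) before use; the "yes" value presumably
        # feeds PermitRootLogin, where "no" is the usual hardening choice.
        "sshd"        string => "2";
        "sshd"   string => "yes";
        "sshd"          string => "no";
        "sshd" string => "no";
        "sshd"  string => "6";

  classes:
     redhat|centos::
        "up" expression => regcmp("$(up_runlvl)","$(runlvl)"),
                comment => "Define up class in case system is on certain runlevel",
                handle => "sshd_classes_up";

        "down" expression => regcmp("$(down_runlvl)","$(runlvl)"),
                comment => "Define down class in case system is on certain runlevel",
                handle => "sshd_classes_down";

  files:
     redhat|centos::
        # Config rendered from the template with root-only permissions; a
        # repaired (changed or newly created) file raises reload_sshd.
        "$(sshd_config_file)"
          handle    => "sshd_files_sshd_config_file",
          comment   => "Set sshd configuration",
          create    => "true",
          perms     => mog("0600","root","root"),
          edit_template => "$(sshd_tmpl_file)",
          classes   => if_repaired("reload_sshd");

  packages:
     redhat|centos::
        # Cache timeout 0: the installed-package list is refreshed on every
        # agent run.
        "$(packages)"
          package_policy => "add",
          package_architectures => { "$(sys.arch)" },
          package_method => yum_rpm_cachetimeout(0);

  methods:
     redhat|centos::
        # One call per runlevel key of chkcfg; rate-limited to once a minute.
        "any" usebundle => chkconfig_svc_lvl("$(svc_name)","$(svc_lvl)","$(chkcfg[$(svc_lvl)])"),
              action => if_elapsed(60);

  services:
     (redhat|centos).up::
        # The daemon is identified by a command matching ".*/sshd" with parent
        # pid 1 (the listener); per-connection children have another parent
        # and are not counted. The start command runs without a shell.
        "sshd"
          service_policy => "start",
          service_method => custom_service(".*/sshd","1","false");

     (redhat|centos).down::
        "sshd"
          service_policy => "stop",
          service_method => custom_service(".*/sshd","1","false");

  commands:
     (redhat|centos).reload_sshd::
        # Validate the rendered file before signalling the daemon: reloading
        # a broken configuration can take sshd down and lock out remote
        # access, whereas a failed check leaves the running daemon untouched
        # and fails this promise visibly. "&&" needs a shell, hence useshell.
        "/usr/sbin/sshd -t -f $(sshd_config_file) && /sbin/service sshd reload"
          handle  => "sshd_commands_sshd_reload",
          comment => "Reload sshd if the configuration file was modified",
          contain => useshell("true");
}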

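body package_method yum_rpm_cachetimeout(pkg_list_update_time)
# yum/rpm package method (derived from the stdlib yum_rpm body) with the
# package-list cache lifetime exposed as a parameter. The sshd bundle passes
# 0, which refreshes the rpm list on every agent run.
{
  # Install/remove all promised packages in one yum/rpm invocation.
  package_changes => "bulk";

  # One line per installed package: "<name> <version>-<release> <arch>".
  # The three *_regex attributes below parse exactly that layout, so the
  # query format must stay on a single line (the listing had it wrapped,
  # which would have put the arch on a second line and broken parsing).
  package_list_command => "/bin/rpm -qa --qf '%{name} %{version}-%{release} %{arch}\n'";
  package_list_name_regex    => "^(\S+?)\s\S+?\s\S+$";
  package_list_version_regex => "^\S+?\s(\S+?)\s\S+$";
  package_list_arch_regex    => "^\S+?\s\S+?\s(\S+)$";
  package_installed_regex => ".*";
  package_name_convention => "$(name)";

  # Minutes the cached package list is reused before package_list_command
  # is run again; caller-supplied, 0 forces a refresh on every run.
  package_list_update_ifelapsed => "$(pkg_list_update_time)";

  # Available updates from "yum check-update": "<name>.<arch> <version> <repo>"
  # per line; lines starting with "*" are yum status output, not packages.
  package_patch_list_command => "/usr/bin/yum check-update";
  package_patch_installed_regex => "^[^*]\s.*";
  package_patch_name_regex    => "([^.]+).*";
  package_patch_version_regex => "[^\s]\s+([^\s]+).*";
  package_patch_arch_regex    => "[^.]+\.([^\s]+).*";

  package_add_command    => "/usr/bin/yum -y install";
  package_update_command => "/usr/bin/yum -y update";
  # Removal bypasses dependency checks (--nodeps) and removes every matching
  # version (--allmatches); this can leave dependent packages broken, so use
  # "delete" policies with this body deliberately. Kept as in the stdlib body.
  package_delete_command => "/bin/rpm -e --nodeps --allmatches";
  package_verify_command => "/bin/rpm -V";
}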

body service_method custom_service(pattern,ppid,useshell)
# Delegate start/stop handling to the generic_services bundle, forwarding the
# promiser (service name) and the requested service_policy together with the
# caller's process pattern, expected parent pid and shell flag.
{
  service_bundle => generic_services("$(this.promiser)","$(this.service_policy)","$(pattern)","$(ppid)","$(useshell)");
}

bundle agent generic_services(service,state,proc_name,proc_ppid,useshell)
# Generic start/stop driver used by the custom_service service_method.
# "state" is the requested service_policy ("start" or "stop"); proc_name and
# proc_ppid select the daemon in the process table; useshell is handed to the
# contain body of the start command.
{
  vars:
     linux::
        # Start/stop commands and the process pattern are only defined on
        # linux; elsewhere the promises below stay unexpanded and are skipped.
        "startcommand[$(service)]" string => "/sbin/service $(service) start";
        "stopcommand[$(service)]"  string => "/sbin/service $(service) stop";
        "pattern[$(service)]"      string => "$(proc_name)";

  classes:
        "start" expression => strcmp("$(state)","start"),
                   comment => "Check if to start a service";
        "stop"  expression => strcmp("$(state)","stop"),
                   comment => "Check if to stop a service";

  processes:
     start::
        # start_service is defined when no process matching the pattern with
        # the given parent pid is found.
        "$(pattern[$(service)])"
                   comment => "Verify that the service appears in the process table",
                   process_select => proc_command_ppid("$(pattern[$(service)])","$(proc_ppid)"),
                   restart_class => "start_service";

     stop::
        # Matching processes get both the stop command and the term/kill signals.
        "$(pattern[$(service)])"
                   comment => "Verify that the service does not appear in the process",
                   process_select => proc_command_ppid("$(pattern[$(service)])","$(proc_ppid)"),
                   process_stop => "$(stopcommand[$(service)])",
                   signals => { "term","kill" };

  commands:
     start_service::
        # Only reached when the start:: processes promise found no daemon.
        "$(startcommand[$(service)])"
                   comment => "Execute command to restart the $(service) service",
                   contain => useshell("$(useshell)");
}

body contain useshell(boolean)
# Parameterised contain body: "true" runs the command through a shell (needed
# for shell operators such as "&&"), "false" executes it directly.
{
  useshell => "$(boolean)";
}

body process_select proc_command_ppid(command,ppid)
# Select processes whose command line matches the "command" regex and whose
# parent pid is exactly "ppid" (irange with identical bounds).
{
  command        => "$(command)";
  ppid           => irange("$(ppid)","$(ppid)");
  process_result => "command.ppid";
}

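bundle agent chkconfig_svc_lvl(svc,lvl,status)
# Set the chkconfig autostart switch of service "svc" for runlevel(s) "lvl"
# to "status"; the sshd bundle calls it once per runlevel. The arguments are
# interpolated into a command line executed without a shell, so they cannot
# introduce shell syntax, but they are still validated so that a malformed
# value never reaches chkconfig.
{
  vars:
        "service" string => "$(svc)",
                comment => "Get service name",
                handle => "chkconfig_svc_lvl_vars_service";

        "level" string => "$(lvl)",
                comment => "Get level for service name",
                handle => "chkconfig_svc_lvl_vars_levels";

        "switch" string => "$(status)",
                comment => "Get status for service name",
                handle => "chkconfig_svc_lvl_vars_switch";

        "chkconfig" string => "/sbin/chkconfig";

  classes:
        # Argument sanity (regcmp matches the whole string): runlevel digits
        # only, a plain service name, and one of the chkconfig switch keywords.
        # If any check fails the command below is simply not run.
        "chkcfg_level_ok"   expression => regcmp("[0-6]+","$(level)");
        "chkcfg_service_ok" expression => regcmp("[A-Za-z0-9._-]+","$(service)");
        "chkcfg_switch_ok"  expression => regcmp("on|off|reset|resetpriorities","$(switch)");

  commands:
   redhat|centos::
        # no_output discards chkconfig's stdout/stderr, so a failed invocation
        # is only visible through the promise outcome in the agent log.
        "$(chkconfig) --level $(level) $(service) $(switch)"
                comment => "Set service autostart switch",
                handle => "chkconfig_svc_lvl_commands_chkconfig",
                ifvarclass => "chkcfg_level_ok.chkcfg_service_ok.chkcfg_switch_ok",
                contain => no_output;
}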


Thanks in advance.
