From 1eb007a41a1404c3793c774ce345571d0f88c7fd Mon Sep 17 00:00:00 2001
From: James Richardson
Date: Sat, 30 Jul 2011 09:48:15 -0400
Subject: [PATCH] Initial commit of Cfengine 3 configuration

---
 inputs/cf-execd.cf | 35 +++++++++++
 inputs/cf-report.cf | 11 ++++
 inputs/cf-serverd.cf | 51 ++++++++++++++++
 inputs/classes.cf | 14 +++++
 inputs/cleanup.cf | 18 ++++++
 inputs/failsafe.cf | 26 ++++++++
 inputs/library.cf | 167 +++++++++++++++++++++++++++++++++++++++++++++++++++
 inputs/promises.cf | 42 +++++++++++++
 inputs/update.cf | 82 +++++++++++++++++++++++++
 9 files changed, 446 insertions(+)
 create mode 100644 inputs/cf-execd.cf
 create mode 100644 inputs/cf-report.cf
 create mode 100644 inputs/cf-serverd.cf
 create mode 100644 inputs/classes.cf
 create mode 100644 inputs/cleanup.cf
 create mode 100644 inputs/failsafe.cf
 create mode 100644 inputs/library.cf
 create mode 100644 inputs/promises.cf
 create mode 100644 inputs/update.cf
diff --git a/inputs/cf-execd.cf b/inputs/cf-execd.cf
new file mode 100644
index 0000000..95440b1
--- /dev/null
+++ b/inputs/cf-execd.cf
@@ -0,0 +1,35 @@
+#####################################
+# #
+# cf-execd.cf - Cfengine 3 Executor #
+# #
+#####################################
+
+body executer control {
+ splaytime => "1";
+ mailto => "james@jamestechnotes.com";
+ mailfrom => "cfengine@lan0";
+ smtpserver => "mail.lan0";
+ executorfacilty => "LOG_DAEMON";
+}
+
+# Make sure that the server is running
+bundle agent executor {
+
+vars:
+
+ "init_d" string => "/etc/init.d";
+
+processes:
+
+
+ "cf-execd"
+
+ comment => "Make sure cf-execd runs on all hosts",
+ restart_class => "start_cfexecd";
+
+commands:
+
+ start_cfexecd::
+
+ "$(init_d)/cfengine3 start";
+}
diff --git a/inputs/cf-report.cf b/inputs/cf-report.cf
new file mode 100644
index 0000000..0d13453
--- /dev/null
+++ b/inputs/cf-report.cf
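Review bot: The control body for cf-execd is `body executor control`, so the `body executer control {` in this hunk is not recognised, and `executorfacilty` is likewise a misspelling of the `executorfacility` attribute. Both typos mean the splay, mail and syslog settings in that body never take effect; the fix is `body executor control {` and `executorfacility => "LOG_DAEMON";`. The executor bundle below it looks fine.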
@@ -0,0 +1,11 @@
+#####################################
+# #
+# cf-report.cf - Cfengine 3 Reports #
+# #
+#####################################
+
+body reporter control {
+ reports => { "performance", "last_seen", "monitor_history" };
+ build_diretory => { "$(sys.workdir)/reports";
+ report_output => "text";
+}
diff --git a/inputs/cf-serverd.cf b/inputs/cf-serverd.cf
new file mode 100644
index 0000000..d64d6bc
--- /dev/null
+++ b/inputs/cf-serverd.cf
@@ -0,0 +1,51 @@
+#####################################
+# #
+# cf-serverd.cf - Cfengine 3 Server #
+# #
+#####################################
+
+body server control {
+ allowconnects => { "10.0.0.0/24" };
+ maxconnections => "100";
+ logallconnections => "true";
+ cfruncommand => "$(sys.workdir)/bin/cf-agent";
+ allowusers => { "root" }
+}
+
+# Make sure that the server is running on the policy servers
+bundle agent server {
+
+vars:
+
+ "init_d" string => "/etc/init.d";
+
+processes:
+
+ policy_servers::
+
+ "cf-serverd"
+
+ comment => "Make sure cf-serverd run on the policy servers",
+ restart_class => "start_cfserverd";
+
+commands:
+
+ start_cfserverd::
+
+ "$(init_d)/cfengine3 start";
+}
+
+bundle server access_rules {
+
+access:
+
+ # Allow clients access to the input files
+ "$(g.inputfiles)"
+
+ admit => { "10.0.0.0/24" };
+
+ # Allow clients access to the masterfiles
+ "$(g.masterfiles)"
+
+ admit => { "10.0.0.0/24" };
+}
diff --git a/inputs/classes.cf b/inputs/classes.cf
new file mode 100644
index 0000000..95585cc
--- /dev/null
+++ b/inputs/classes.cf
@@ -0,0 +1,14 @@
+################################################
+# #
+# classes.cf - Cfengine 3 user-defined classes #
+# #
+################################################
+
+bundle common myclasses {
+
+classes:
+
+ "policy_servers" or => {
+ classify("$(g.policyhost)")
+ };
+}
diff --git a/inputs/cleanup.cf b/inputs/cleanup.cf
new file mode 100644
index 0000000..7d7c627
--- /dev/null
+++ b/inputs/cleanup.cf
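Review bot: `build_diretory => { "$(sys.workdir)/reports";` opens a list brace that is never closed and misspells the attribute, so cf-report cannot parse this control body; it should read `build_directory => "$(sys.workdir)/reports";`. The rest of the reporter body is consistent with the attribute names it uses.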
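Review bot: `allowusers => { "root" }` in `body server control` has no terminating semicolon, so the control body does not parse; `allowusers => { "root" };`. In `bundle server access_rules` the two admit promises hand out the whole policy tree to any address in 10.0.0.0/24 on the strength of the source IP alone; adding `ifencrypted => "true",` to each admit promise (paired with `encrypt => "true"` on the client copy body in update.cf) limits serving to encrypted sessions. No trustkeysfrom is configured, which is the stricter posture, but it means client keys must be exchanged out of band — a comment such as `# No automatic key trust: client keys are exchanged manually` on the control body would record that choice for the next maintainer.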
@@ -0,0 +1,18 @@
+###################################################
+# #
+# cleanup.cf - Cfengine 3 promises for tidying up #
+# #
+###################################################
+
+bundle agent cleanup {
+
+files:
+
+ # Cleanup old reports
+ "$(sys.workdir)/outputs"
+
+ comment => "Clean up reports older than 3 days",
+ delete => tidy,
+ file_select => days_old("14"),
+ depth_search => recurse("inf");
+}
diff --git a/inputs/failsafe.cf b/inputs/failsafe.cf
new file mode 100644
index 0000000..6945a6f
--- /dev/null
+++ b/inputs/failsafe.cf
@@ -0,0 +1,26 @@
+########################################
+# #
+# failsafe.cf - Failsafe configuration #
+# #
+########################################
+
+body common control {
+
+ # Update input files on the clients
+ !f_policy_servers::
+
+ bundlesequence => {"update" };
+
+ inputs => { "update.cf" };
+}
+
+bundle common failsafe_globals {
+
+vars:
+
+ "f_policyhost" string => "cfengine.lan0";
+
+classes:
+
+ "f_policy_servers" or => { classify("$(f_policyhost)") };
+}
diff --git a/inputs/library.cf b/inputs/library.cf
new file mode 100644
index 0000000..9ef7dcd
--- /dev/null
+++ b/inputs/library.cf
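Review bot: The promise comment says `Clean up reports older than 3 days` while the selector is `days_old("14")`, so the comment and the actual behaviour disagree; make them match, e.g. `comment => "Clean up reports older than 14 days",` or `file_select => days_old("3"),`, whichever is intended. Getting this right matters because `delete => tidy` (whose `rmdirs => "true"` is set in library.cf) removes directories as well as files under `$(sys.workdir)/outputs`, and the recursion is unbounded with `recurse("inf")`.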
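Review bot: `bundlesequence => {"update" };` is defined only under `!f_policy_servers::`, so a cf-agent run with failsafe.cf on the policy server itself is left with no bundlesequence at all. The update bundle in update.cf already separates the roles with its own `u_policy_servers` classes (policy servers only set permissions, clients copy), so the guard here adds nothing and the bundlesequence can be made unconditional. The spacing in `{"update" }` is also inconsistent with `{ "update.cf" }` two lines below.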
@@ -0,0 +1,167 @@
+# Copyright (C) Cfengine AS
+
+# This file is part of Cfengine 3 - written and maintained by Cfengine AS.
+
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; version 3.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+# To the extent this program is licensed as part of the Enterprise
+# versions of Cfengine, the applicable Commerical Open Source License
+# (COSL) may apply to this file if you as a licensee so wish it. See
+# included file COSL.txt.
+
+#
+# Just bodies and editbundles here
+#
+
+body perms p(user,mode)
+
+{
+owners => { "$(user)" };
+mode => "$(mode)";
+}
+
+############################################
+
+body depth_search recurse(d)
+
+{
+depth => "$(d)";
+}
+
+#########################################################
+
+body delete tidy
+
+{
+dirlinks => "delete"; #keep/tidy/delete
+rmdirs => "true"; #none/all/sub
+}
+
+#########################################################
+
+body file_select days_old(days)
+
+#
+# we can build old "include", "exclude", and "ignore"
+# from these as standard patterns - these bodies can
+# form a library of standard patterns
+#
+
+{
+mtime => irange(ago(1,0,0,0,0,0),ago(0,0,$(days),0,0,0));
+file_result => "mtime";
+}
+
+#########################################################
+
+body changes lay_trip_wire
+
+{
+hash => "best";
+report_changes => "content";
+update_hashes => "yes";
+}
+
+########################################################
+
+body action longjob
+{
+ifelapsed => "240"; # run only every 4 hours
+}
+
+#######################################################
+# For the library
+#######################################################
+
+body edit_defaults def
+{
+empty_file_before_editing => "false";
+edit_backup => "false";
+max_file_size => "100000";
+}
+
+########################################################
+
+body location start
+
+{
+# If not line to match, applies to whole text body
+before_after => "before";
+}
+
+########################################################
+
+bundle edit_line DeleteLinesMatching(regex)
+ {
+ delete_lines:
+
+ "$(regex)",
+ action => WarnOnly;
+
+ }
+
+########################################################
+
+body action WarnOnly
+{
+action_policy => "warn";
+ifelapsed => "60";
+}
+
+########################################################
+
+bundle edit_line upgrade_cfexecd
+ {
+ classes:
+
+ "exec_fix" not => regline(".*cf-execd.*","$(edit.filename)");
+
+ insert_lines:
+
+ exec_fix::
+
+ "0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/sbin/cf-execd -F";
+
+ replace_patterns:
+
+ "cfexecd" replace_with => With("cf-execd");
+
+ reports:
+
+ exec_fix::
+
+ "Added a 5 minute schedule to crontabs";
+ }
+
+########################################
+# Bodies
+########################################
+
+body replace_with With(x)
+
+{
+replace_value => "$(x)";
+occurrences => "all";
+}
+
+########################################
+
+body copy_from scp(from,server)
+
+{
+source => "$(from)";
+compare => "digest";
+encrypt => "true";
+verify => "true";
+}
diff --git a/inputs/promises.cf b/inputs/promises.cf
new file mode 100644
index 0000000..6d1ffeb
--- /dev/null
+++ b/inputs/promises.cf
@@ -0,0 +1,42 @@
+####################################################
+# #
+# promises.cf - Main Cfeinge 3 configuration file #
+# #
+####################################################
+
+body common control {
+
+ any::
+
+ bundlesequence => { @(g.bundlesequence) };
+
+ any::
+
+ inputs => {
+ "update.cf",
+ "library.cf",
+ "classes.cf",
+ "cf-execd.cf",
+ "cf-serverd.cf",
+ "cf-report.cf",
+ "cleanup.cf"
+ };
+
+ output_prefix => "cf3>";
+}
+
+# global vars
+bundle common g {
+
+vars:
+
+ "workdir" string => "/var/lib/cfengine3";
+ "masterfiles" string => "$(workdir)/masterfiles";
+ "inputfiles" string => "$(workdir)/inputs";
+ "policyhost" string => "cfengine.lan0";
+ "bundlesequence" slist => { "update", "executor", "server", "cleanup" };
+}
+
+body runagent control {
+ hosts => { "127.0.0.1", "10.0.0.0/24" };
+}
diff --git a/inputs/update.cf b/inputs/update.cf
new file mode 100644
index 0000000..34da5c2
--- /dev/null
+++ b/inputs/update.cf
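Review bot: The header comment misspells the product as `Cfeinge 3`; `# promises.cf - Main Cfengine 3 configuration file #`. The second `any::` before `inputs` is redundant, since the context is unchanged from the one above `bundlesequence`, and can simply be removed. In `body runagent control`, `hosts` mixes a single address with the network range `10.0.0.0/24`; I believe that list expects individual hostnames or addresses rather than CIDR notation, so please confirm the range entry is honoured there before relying on it.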
@@ -0,0 +1,82 @@
+#################################################
+# #
+# upate.cf - Promises for updating policy files #
+# #
+#################################################
+
+bundle agent update {
+
+vars:
+
+ "u_workdir" string => "/var/lib/cfengine3";
+ "u_policyhost" string => "cfengine.lan0";
+
+classes:
+
+ "u_policy_servers" or => { classify("$(u_policyhost)") };
+
+files:
+
+ "$(u_workdir)/."
+
+ comment => "Set proper permissions of the work directory",
+ create => "true",
+ perms => u_workdir_perms("0600");
+
+ u_policy_servers::
+
+ "$(u_workdir)/masterfiles/."
+
+ comment => "Set proper permissions of the $(u_workdir)/masterfiles directory",
+ create => "true",
+ perms => u_workdir_perms("0600"),
+ depth_search => u_recurse("inf");
+
+ "$(u_workdir)/inputs/."
+
+ comment => "Set permissions of input files on policy servers",
+ create => "true",
+ perms => u_workdir_perms("0600"),
+ depth_search => u_recurse("inf");
+
+ !u_policy_servers::
+
+ "$(u_workdir)/inputs/."
+
+ comment => "Update input files from policy server",
+ create => "true",
+ perms => u_workdir_perms("0600"),
+ depth_search => u_recurse("inf"),
+ copy_from => u_policy_copy("$(u_policyhost)");
+}
+
+#
+# u_workdir_perms
+#
+
+body perms u_workdir_perms(mode) {
+ mode => "$(mode)";
+ owners => { "root" };
+ groups => { "root" };
+}
+
+#
+# u_policy_copy
+#
+
+body copy_from u_policy_copy(server) {
+ source => "$(u_workdir)/inputs";
+ servers => { "$(u_policyhost)" };
+ compare => "digest";
+ purge => "true";
+ copy_backup => "false";
+}
+
+#
+# u_recurse
+#
+
+body depth_search u_recurse(d) {
+ depth => "${d)";
+ xdev => "true";
+}
--
2.11.4.GIT
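Review bot: `depth => "${d)";` in `body depth_search u_recurse` has mismatched brackets, so the `d` parameter is never expanded and the three `u_recurse("inf")` searches do not get the depth they ask for; `depth => "$(d)";`. `body copy_from u_policy_copy(server)` declares a `server` parameter but ignores it and hard-codes `$(u_policyhost)`; either use `servers => { "$(server)" };` or drop the parameter, and because this body is what fetches the policy itself over the network, add `encrypt => "true";` and `verify => "true";` as library.cf's `scp` body already does. The file intentionally repeats the workdir and policyhost values from bundle g in promises.cf; a comment such as `# Self-contained on purpose: failsafe.cf loads only update.cf, so bundle g is not available here` would stop a later cleanup from de-duplicating them. The header comment also reads `upate.cf`.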