File: update_def.cf.in

bundle common update_def
# @brief Main default settings for update policy
#
# Defaults consumed by the update policy, i.e. the part of the MPF that fetches
# policy from the hub. Nearly everything here is a default that the augments
# file (the def.* / default:def.* variables referenced below) may override:
# extra inputs and bundles for the update run, the filename patterns copied from
# masterfiles, the permissions applied to the copied files, where clients fetch
# policy from, the policy-server list, and the classes that switch transfer
# behaviour (encryption, purge, permission preservation, cf_promises_validated).
#
# NOTE(review): the def.* variables used below are not defined in this file;
# they are expected to come from def.cf / augments.
{
  classes:
    any::
      # Set when the hub port is known, i.e. sys.policy_hub_port is defined.
      "sys_policy_hub_port_exists" expression => isvariable("sys.policy_hub_port");

  vars:
      # Version of the hub binary, parsed from
      # $(sys.statedir)$(const.dirsep)hub_cf_version.txt. The regex is anchored
      # at the start of the file and captures "major.minor.patch-release" into
      # the named keys major_minor_patch and release. The whole promise is
      # skipped when the file does not exist, so the container stays undefined
      # on hosts without it.
      "hub_binary_version" -> { "ENT-10664" }
        data => data_regextract(
                                 "^(?<major_minor_patch>\d+\.\d+\.\d+)-(?<release>\d+)",
                                 readfile("$(sys.statedir)$(const.dirsep)hub_cf_version.txt" ) ),
        if => fileexists( "$(sys.statedir)$(const.dirsep)hub_cf_version.txt" );

      # Convenience strings pulled out of hub_binary_version. When the version
      # file was absent there is nothing to expand; presumably the references
      # are then left as literal "$(hub_binary_version[...])" text, so consumers
      # should not assume a well-formed version string.
      "current_version" -> { "ENT-10664" }
        string => "$(hub_binary_version[major_minor_patch])";

      "current_release"
        string => "$(hub_binary_version[release])";

      # MPF Controls

      # Because in some versions of cfengine bundlesequence in body common
      # control does not support iteration over data containers we must first
      # pick out the bundles into a shallow container that we can then get a
      # regular list from using getvalues().

      # Copy of def.control_common_update_bundlesequence_end (from augments) as
      # a local data container; only the values are used below.
      "tbse" data => mergedata( "def.control_common_update_bundlesequence_end" );

      # Since we have @(def.update_bundlesequence_end) in body common control
      # bundlesequence we must have a list variable defined. It can be empty, but it
      # must be defined. If it is not defined the agent will error complaining
      # that '@(def.bundlesequence_end) is not a defined bundle.

      # As noted in CFE-2460 getvalues behaviour varies between versions. 3.7.x
      # getvalues will return an empty list when run on a non existent data
      # container.  On 3.9.1 it does not return an empty list.
      # So we initialize it as an empty list first to be safe.

      # Two promises on purpose: the first guarantees the list exists, the
      # second fills it from tbse when that container has values.
      "bundlesequence_end" slist => {};
      "bundlesequence_end" slist => getvalues( tbse );

      # Mutually exclusive promises (gated on isvariable) so that
      # augments_inputs is always defined: empty unless augments provides
      # def.update_inputs, otherwise a copy of that list.
      # NOTE(review): the name suggests this list is spliced into the update
      # run's inputs, meaning every file named via def.update_inputs is parsed
      # and executed as policy; treat that augments key as trusted configuration.
      # Confirm against the update control body.
      "augments_inputs"
        slist => {},
        if => not( isvariable( "def.update_inputs" ) );

      "augments_inputs"
        slist => { @(def.update_inputs) },
        if => isvariable( "def.update_inputs" );

      # Default the input name patterns, if we don't find it defined in def
      # (from the augments_file).
      #
      # These regexes select which files are copied from masterfiles during
      # update. Note the list deliberately includes script types (.sh, .pl,
      # .py, .rb, .ps1), so any matching file placed under masterfiles is
      # distributed to every client. The default applies only when
      # override_data_acl is not set, the variable is not already defined in
      # this bundle, and augments did not supply def.input_name_patterns.
      "input_name_patterns" -> { "CFE-3425" }
        slist => { ".*\.cf",".*\.dat",".*\.txt", ".*\.conf", ".*\.mustache",
                   ".*\.sh", ".*\.pl", ".*\.py", ".*\.rb", ".*\.sed", ".*\.awk",
                   "cf_promises_release_id", ".*\.json", ".*\.yaml", ".*\.csv",
                   ".*\.ps1" },
        comment => "Filename patterns to match when updating the policy
                    (see update/update_policy.cf)",
        handle => "common_def_vars_input_name_patterns_policy_default",
        if => and(and(not(isvariable("override_data_acl")),
                  not(isvariable("input_name_patterns"))),
                  not(isvariable("def.input_name_patterns"))),
        meta => { "defvar" };

      # Define based on data in def (which comes from augments file), if
      # present and input_name_patterns is not yet defined. This replaces the
      # default list entirely; use input_name_patterns_extra to add to it.
      "input_name_patterns"
        slist => { @(def.input_name_patterns) },
        comment => "Filename patterns to match when updating the policy
                    (see update/update_policy.cf)",
        handle => "common_def_vars_input_name_patterns",
        if => and( isvariable("def.input_name_patterns"),
                           not(isvariable("input_name_patterns"))),
        meta => { "defvar" };

      # Empty unless something (e.g. augments) already defined it; the
      # extension point for copying additional file types without replacing
      # the default pattern list.
      "input_name_patterns_extra" -> { "ENT-10480" }
        slist => {},
        comment => "Additional filename patterns to copy during policy update.",
        if => not( isvariable( "input_name_patterns_extra" ) );

      # the permissions for your masterfiles files (not dirs), which will propagate to inputs
      # Owner-only defaults (0600 for files, 0700 for directories); tagged
      # defvar like the other overridable defaults in this bundle.
      "masterfiles_perms_mode_not_dir" -> { "CFE-951" }
        string => "0600",
        handle => "common_def_vars_masterfiles_perms_mode_not_dir",
        meta => { "defvar" };

      "masterfiles_perms_mode_dirs" -> { "CFE-951" }
        string => "0700",
        handle => "common_def_vars_masterfiles_perms_mode_dirs",
        meta => { "defvar" };


      # Enterprise hub only: locations used by the VCS / design-center
      # workflow. DCWORKFLOW is a hard-coded /opt/cfengine; the others derive
      # from sys.workdir or DCWORKFLOW.
      "dc_scripts" string => "$(sys.workdir)/httpd/htdocs/api/dc-scripts",
      comment => "Directory where VCS scripts are located on Enterprise Hub";

      "DCWORKFLOW" string => "/opt/cfengine",
      comment => "Directory where VCS related data things is stored";

      "local_masterfiles_git" string => "$(DCWORKFLOW)/masterfiles.git",
      comment => "Local bare git repository, serves as OOTB upstream repo";

      "cf_git" string => "$(sys.workdir)/bin/git",
      comment => "Path to git binary installed with CFEngine Enterprise";

      # Account the Enterprise web server runs as; used for ownership of the
      # VCS-related files above (presumably, see the consumers of these vars).
      "cf_apache_user" string => "cfapache",
      comment => "User that CFEngine Enterprise webserver runs as",
      handle => "common_def_vars_cf_cfapache_user";

      "cf_apache_group" string => "cfapache",
      comment => "Group that CFEngine Enterprise webserver runs as",
      handle => "common_def_vars_cf_cfapache_group";


      # Hubs get the explicit path because they perform local copies (especially
      # during bootstrap) when cf-serverd may not be available. Else we use the
      # "masterfiles" shortcut.
      #
      # "@prefix@" is substituted at build time (this file is a .cf.in
      # template); on non-hubs the value is the cf-serverd shortcut name.

      "mpf_update_policy_master_location" -> { "ENT-3692" }
        string => ifelse( "am_policy_hub", "@prefix@/masterfiles",
                          "masterfiles");

      # Here we allow the masterfiles location to be overridden via augments. If
      # augments overrides the value, use that. Note: Since hubs do not perform
      # copies to themselves over cf-serverd, this should be a fully qualified
      # path or special considerations must be made for hub bootstrapping.

      "mpf_update_policy_master_location" -> { "ENT-3692" }
        comment => "Directory where clients should get policy from.",
        string => "$(def.mpf_update_policy_master_location)",
        if => isvariable( "def.mpf_update_policy_master_location" );

      # enable_cfengine_enterprise_hub_ha is defined below
      # Disabled by default

      # If we want to use the backup repository for update (because the class is
      # defined) and if the location is not already configured (via Augments),
      # set a default.
      #
      # The default lives under sys.workdir; only applied when the class
      # mpf_update_control_agent_default_repository is set and the variable is
      # not already defined.

      "control_agent_default_repository" -> { "ENT-10481" }
        string => "$(sys.workdir)/backups",
        if => and( "mpf_update_control_agent_default_repository",
                   not( isvariable( "control_agent_default_repository" ) ) );

    enable_cfengine_enterprise_hub_ha::
      # filter() with is_regex=false and invert=true: every entry of ha_def.ips
      # that is not exactly $(sys.policy_hub), at most 10 of them. Clients may
      # then fetch policy from the primary hub or any standby.
      "standby_servers" slist => filter("$(sys.policy_hub)", "ha_def.ips", false, true, 10);
      "policy_servers" slist => { "$(sys.policy_hub)", "@(standby_servers)" };

    !enable_cfengine_enterprise_hub_ha::
      # Without HA the only policy server is the bootstrapped hub.
      "policy_servers" slist => {"$(sys.policy_hub)"};

    any::

      # Normalised to the literal strings "true"/"false": only an exact "true"
      # (e.g. set via augments) enables ignoring missing bundles/inputs. Any
      # other value — presumably including the unexpanded reference when
      # nothing defined the variable — yields "false", so the default is to
      # fail loudly on missing bundles and inputs rather than skip them.
      "control_common_ignore_missing_bundles" -> { "CFE-2773" }
        string => ifelse( strcmp( $(control_common_ignore_missing_bundles), "true" ),
                          "true",
                          "false");

      "control_common_ignore_missing_inputs" -> { "CFE-2773" }
        string => ifelse( strcmp( $(control_common_ignore_missing_inputs), "true" ),
                          "true",
                          "false");

      # Empty string unless default:def.control_agent_agentfacility is defined.
      # NOTE(review): this guard tests the def-scoped variable, but the regcmp
      # in the classes section below reads the unqualified
      # $(control_agent_agentfacility), i.e. this bundle's scope. Confirm that
      # the def value actually reaches this variable (e.g. via augments);
      # otherwise the configured class can never be set.
      "control_agent_agentfacility" -> { "ENT-10209" }
        string => "",
        if => not( isvariable ( "default:def.control_agent_agentfacility" ));


  classes:

      # Allowlist validation of the syslog facility: the class is set only when
      # the value matches LOG_(USER|DAEMON|LOCAL[0-7]) as a whole (regcmp
      # matches the entire string), so body agent control can refuse any other
      # value coming from augments.
      "control_agent_agentfacility_configured" -> { "ENT-10209" }
        expression => regcmp( "LOG_(USER|DAEMON|LOCAL[0-7])",
                              $(control_agent_agentfacility) ),
        comment => concat( "If default:def.control_agent_agentfacility is a",
                           " valid setting, we want to use it in body agent",
                           " control for setting agentfacility" );


      # Security-relevant knobs: defining default:def.control_common_tls_min_version
      # / default:def.control_common_tls_ciphers (augments) is how an operator
      # pins the minimum TLS version and cipher set for outbound connections.
      # When undefined the binary defaults apply (see the comment attributes).
      "control_common_tls_min_version_defined" -> { "ENT-10198" }
        expression => isvariable( "default:def.control_common_tls_min_version"),
        comment => concat( "If default:def.control_common_tls_min_version is defined then",
                           " it's value will be used for the minimum version in outbound",
                           " connections. Else the binary default will be used.");

      "control_common_tls_ciphers_defined" -> { "ENT-10198" }
        expression => isvariable( "default:def.control_common_tls_ciphers"),
        comment => concat( "If default:def.control_common_tls_ciphers is defined then",
                           " it's value will be used for the set of tls ciphers allowed",
                           " for outbound connections. Else the binary default will be used.");

      # Trigger binary upgrade from policy hub
      # Disable by default (or-list containing only "!any" is never true)
      "trigger_upgrade" or => {
                               "!any",
                              };

      # Update masterfiles from Git
      # Enabled for enterprise users by default
      # you can also request it from the command line with
      # -Dcfengine_internal_masterfiles_update

      # NOTE THAT ENABLING THIS BY DEFAULT *WILL* OVERWRITE THE HUB'S $(sys.workdir)/masterfiles

      #"cfengine_internal_masterfiles_update" expression => "enterprise.!(cfengine_3_4|cfengine_3_5)";
      "cfengine_internal_masterfiles_update" expression => "!any";

      # Transfer policies and binaries with encryption
      # you can also request it from the command line with
      # -Dcfengine_internal_encrypt_transfers

      # NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
      #
      # NOTE(review): disabled here by default. With the TLS-based protocol
      # (3.6+) connections are encrypted regardless of this flag, which matters
      # for the classic protocol; confirm against the copy_from bodies in
      # update_policy.cf before treating this class as the transport control.

      "cfengine_internal_encrypt_transfers" expression => "!any";

      # Do not purge policies that don't exist on the server side.
      # you can also request it from the command line with
      # -Dcfengine_internal_purge_policies_disabled

      # NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
      #
      # Disabled by default, i.e. purging stays on: files removed from
      # masterfiles are also removed from the clients' inputs on update.

      "cfengine_internal_purge_policies_disabled" expression => "!any";

      # Preserve permissions of the policy server's masterfiles.
      # you can also request it from the command line with
      # -Dcfengine_internal_preserve_permissions

      # NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
      #
      # Disabled by default; the masterfiles_perms_mode_* comment above says
      # those modes propagate to inputs, so presumably this class switches to
      # keeping the hub-side permissions instead — confirm in update_policy.cf.

      "cfengine_internal_preserve_permissions" expression => "!any";

      # Disable checking of cf_promises_validated before updating clients.
      # Disabling checking of cf_promises_validated ensures that remote agents
      # will **always** scan all of masterfiles for any changes and update
      # accordingly. This is not recommended as it both removes a safety
      # mechanism that checks for policy to be valid before allowing clients to
      # download updates, and the increased load on the hub will affect
      # scalability. Consider using time_based, select_class, or dist based classes
      # instead of any to retain some of the benefits. **DISABLE WITH CAUTION**

      "cfengine_internal_disable_cf_promises_validated"
        expression => "!any",
        comment => "When cf_promises_validated is disabled remote agents will
                   always scan all of masterfiles for changes. Disabling this
                   is not recommended as it will increase the load on the policy
                   server and increases the possibility for remote agents to
                   receive broken policy.";

      # Enable CFEngine Enterprise HA Policy
      # Disabled by default; when set, policy_servers (vars above) also lists
      # the standby servers taken from ha_def.ips.
      "enable_cfengine_enterprise_hub_ha" expression => "!any";
      #"enable_cfengine_enterprise_hub_ha" expression => "enterprise_edition";

      # Enable failover to node which is outside cluster
      #"failover_to_replication_node_enabled" expression => "enterprise_edition";

}