###############################################################################
#
# update.cf - Basic Update Policy
#
###############################################################################
body common control
# Top-level control body for the standalone update policy: lists, in
# evaluation order, the bundles the update run executes and the policy
# files that provide them. The order of bundlesequence is the order the
# bundles run, so ha_def and update_def (which define the vars/classes the
# cfe_internal_* bundles rely on) come first.
{
bundlesequence => {
"ha_def",
"update_def",
"cfe_internal_dc_workflow",
"cfe_internal_update_policy",
"cfe_internal_update_bins",
"cfe_internal_update_processes",
};
version => "update.cf 3.6.1";
# Relative to the agent's inputs directory (not shown here; presumably
# $(sys.inputdir) — confirm against the installed masterfiles layout).
inputs => {
"cfe_internal/ha/ha_def.cf",
"update/update_bins.cf",
"update/cfe_internal_dc_workflow.cf",
"update/cfe_internal_local_git_remote.cf",
"update/cfe_internal_update_from_repository.cf",
"update/update_policy.cf",
"update/update_processes.cf"
};
# Uncomment to connect to the hub using latest protocol.
# While this stays commented out the agent falls back to its built-in
# default protocol version for hub connections; the transport encryption
# class below (cfengine_internal_encrypt_transfers) is a separate setting.
#protocol_version => "latest";
}
#############################################################################
body agent control
# Agent-level settings that apply to every promise in this update policy.
{
# Minimum number of minutes before a promise is re-evaluated; "1" keeps the
# update run from re-checking the same promise within the same minute.
ifelapsed => "1";
# Do not send the agent's own IP/hostname identification when connecting to
# the server (the documented use case is environments where name resolution
# is unreliable); the server side still authenticates the connection by key.
skipidentify => "true";
}
#############################################################################
bundle common update_def
# Shared definitions for the update run: which files are pulled from the
# policy server, where they land and with what permissions, which servers
# are trusted as policy sources, and the feature-toggle classes consumed by
# update/update_policy.cf and the other update/* bundles. All toggles below
# are "!any" (never defined) here; they are turned on by editing the
# expression or with -D<classname> on the command line.
{
vars:
# Anchored regexes matched against file names when copying policy; a file
# on the server that matches none of these is not transferred. Note that
# script extensions (.sh/.pl/.py/.rb) are included, so executable content
# is distributed through the same channel as .cf policy.
"input_name_patterns" slist => { ".*\.cf",".*\.dat",".*\.txt", ".*\.conf", ".*\.mustache",
".*\.sh", ".*\.pl", ".*\.py", ".*\.rb",
"cf_promises_release_id", ".*\.json" },
comment => "Filename patterns to match when updating the policy (see update/update_policy.cf)",
handle => "common_def_vars_input_name_patterns";
# the permissions for your masterfiles, which will propagate to inputs
# 0600: readable and writable by the owning user only, no group/other
# access, so distributed policy is not world-readable on the client.
"masterfiles_perms_mode" string => "0600",
handle => "common_def_vars_masterfiles_perms_mode";
# Enterprise-only paths used by the Design Center workflow bundle
# (cfe_internal_dc_workflow); harmless on community agents where they
# simply do not exist.
"dc_scripts" string => "/var/cfengine/httpd/htdocs/api/dc-scripts",
comment => "Directory where design center scripts are located on Enterprise Hub";
"DCWORKFLOW" string => "/opt/cfengine",
comment => "Directory where DC Workflow related things are stored";
"masterfiles_staging" string => "$(DCWORKFLOW)/masterfiles_staging",
comment => "Directory where Mission Portal Design Center
activations are staged for commit to upstream repository";
"local_masterfiles_git" string => "$(DCWORKFLOW)/masterfiles.git",
comment => "Local bare git repository, serves as OOTB upstream repo";
"cf_git" string => "$(sys.workdir)/bin/git",
comment => "Path to git binary installed with CFEngine Enterprise";
"cf_apache_user" string => "cfapache",
comment => "User that CFEngine Enterprise webserver runs as",
handle => "common_def_vars_cf_cfapache_user";
"cf_apache_group" string => "cfapache",
comment => "Group that CFEngine Enterprise webserver runs as",
handle => "common_def_vars_cf_cfapache_group";
# ha_enabled is defined in WORKDIR/cfe_internal/ha/ha_def.cf
# Disabled by default
# policy_servers is the set of hosts the client will accept policy from
# (presumably the copy_from sources in update_policy.cf — confirm there).
# With HA on, every address in ha_def.ips is trusted alongside the primary
# hub, so that list should be reviewed with the same care as sys.policy_hub.
ha_enabled::
"policy_servers" slist => {"$(sys.policy_hub)", @(ha_def.ips)};
!ha_enabled::
"policy_servers" slist => {"$(sys.policy_hub)"};
classes:
# Trigger binary upgrade from policy hub
# Disable by default
"trigger_upgrade" or => {
"!any",
};
# Update masterfiles from Git
# Enabled for enterprise users by default
# you can also request it from the command line with
# -Dcfengine_internal_masterfiles_update
# NOTE THAT ENABLING THIS BY DEFAULT *WILL* OVERWRITE THE HUB'S /var/cfengine/masterfiles
# The commented expression below is the Enterprise default; this copy
# overrides it to "!any", so the git pull is off on every host.
#"cfengine_internal_masterfiles_update" expression => "enterprise.!(cfengine_3_4|cfengine_3_5)";
"cfengine_internal_masterfiles_update" expression => "!any";
# Transfer policies and binaries with encryption
# you can also request it from the command line with
# -Dcfengine_internal_encrypt_transfers
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
# As shipped here the class is never defined, so policy and binary copies
# from policy_servers are made without transport encryption; enabling it
# only in this file (and not in def.cf) leaves the main policy run
# inconsistent with the update run.
"cfengine_internal_encrypt_transfers" expression => "!any";
# Purge policies that don't exist on the server side.
# you can also request it from the command line with
# -Dcfengine_internal_purge_policies
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
# Off by default: files removed from masterfiles on the hub remain in the
# client's inputs until this is enabled.
"cfengine_internal_purge_policies" expression => "!any";
# Preserve permissions of the policy server's masterfiles.
# you can also request it from the command line with
# -Dcfengine_internal_preserve_permissions
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
# Off by default, so masterfiles_perms_mode above (0600) is applied to
# copied files instead of whatever mode they carry on the hub.
"cfengine_internal_preserve_permissions" expression => "!any";
# Disable checking of cf_promises_validated before updating clients.
# Disabling checking of cf_promises_validated ensures that remote agents
# will **always** scan all of masterfiles for any changes and update
# accordingly. This is not recommended as it both removes a safety
# mechanism that checks for policy to be valid before allowing clients to
# download updates, and the increased load on the hub will affect
# scalability. Consider using time_based, select_class, or dist based classes
# instead of any to retain some of the benefits. **DISABLE WITH CAUTION**
"cfengine_internal_disable_cf_promises_validated"
expression => "!any",
comment => "When cf_promises_validated is disabled remote agents will
always scan all of masterfiles for changes. Disabling this
is not recomended as it will increase the load on the policy
server and increases the possibility for remote agents to
recieve broken policy.";
}
body classes u_kept_successful_command
# @brief Set command to "kept" instead of "repaired" if it returns 0
# Classes body for commands: promises run as commands normally report
# "repaired" whenever they execute; with this body an exit status of 0 is
# reported as "kept" and an exit status of 1 as "failed". Exit statuses
# other than 0 and 1 are not listed, so they get the agent's default
# classification (presumably "repaired" — confirm for the CFEngine version
# in use).
{
kept_returncodes => { "0" };
failed_returncodes => { "1" };
}