cfengine-masterfiles-3.24.2/ 0000755 0000000 0000000 00000000000 15010704326 015670 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/test-driver 0000755 0000000 0000000 00000011040 15010704303 020055 0 ustar 00root root 0000000 0000000 #! /bin/sh
# test-driver - basic testsuite driver script.
scriptversion=2013-07-13.22; # UTC
# Copyright (C) 2011-2014 Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# This file is maintained in Automake, please report
# bugs to or send patches to
# .
# Make unconditional expansion of undefined variables an error. This
# helps a lot in preventing typo-related bugs.
set -u
# Print "<script>: <message>" followed by the usage text on stderr, then
# terminate with exit status 2.
usage_error ()
{
  {
    echo "$0: $*"
    print_usage
  } >&2
  exit 2
}
print_usage ()
{
cat <$log_file 2>&1
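# Capture the exit status of the command that ran immediately before this
# point; everything below classifies and records it.
estatus=$?

# When hard errors are disabled, exit status 99 is treated as an ordinary
# failure (status 1) for classification purposes.
if test "$enable_hard_errors" = no && test "$estatus" -eq 99; then
  tweaked_estatus=1
else
  tweaked_estatus=$estatus
fi

# Map "<status>:<expect_failure>" to a colour, a result keyword, and the
# recheck / copy-in-global-log flags written to the .trs file.
case $tweaked_estatus:$expect_failure in
  0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
  0:*)   col=$grn res=PASS  recheck=no  gcopy=no;;
  77:*)  col=$blu res=SKIP  recheck=no  gcopy=yes;;
  99:*)  col=$mgn res=ERROR recheck=yes gcopy=yes;;
  *:yes) col=$lgn res=XFAIL recheck=no  gcopy=yes;;
  *:*)   col=$red res=FAIL  recheck=yes gcopy=yes;;
esac

# Report the test outcome and exit status in the logs, so that one can
# know whether the test passed or failed simply by looking at the '.log'
# file, without the need of also peeking into the corresponding '.trs'
# file (automake bug#11814).
# The file names are quoted so that paths containing spaces or glob
# characters are written to as given.
echo "$res $test_name (exit status: $estatus)" >>"$log_file"

# Report outcome to console.
echo "${col}${res}${std}: $test_name"

# Register the test result, and other relevant metadata.
echo ":test-result: $res" > "$trs_file"
echo ":global-test-result: $res" >> "$trs_file"
echo ":recheck: $recheck" >> "$trs_file"
echo ":copy-in-global-log: $gcopy" >> "$trs_file"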
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
cfengine-masterfiles-3.24.2/templates/ 0000755 0000000 0000000 00000000000 15010704326 017666 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/templates/vercmp.ps1 0000644 0000000 0000000 00000001121 15010704240 021575 0 ustar 00root root 0000000 0000000 param([string]$version1,[string]$comparison,[string]$version2)
# Compare $version1 with $version2 using the operator named in $comparison.
# "lt" and "eq" are supported: the verdict is printed and the script exits
# with 0 when the comparison holds and 1 when it does not. Any other
# operator prints "PROGRAMMING ERROR" and exits with 3.
# The [System.Version] casts are only evaluated for a supported operator.
if ( "$comparison" -eq "lt" ) {
  if ([System.Version]"$version1" -lt [System.Version]"$version2") {
    "$version1 is less than $version2"
    exit 0
  }
  "$version1 is not less than $version2"
  exit 1
} elseif ( "$comparison" -eq "eq" ) {
  if ([System.Version]"$version1" -eq [System.Version]"$version2") {
    "$version1 is equal to $version2"
    exit 0
  }
  "$version1 is not equal to $version2"
  exit 1
} else {
  "PROGRAMMING ERROR"
  exit 3
}
cfengine-masterfiles-3.24.2/templates/cf-serverd.service.mustache 0000644 0000000 0000000 00000000670 15010704240 025116 0 ustar 00root root 0000000 0000000 [Unit]
Description=CFEngine Enterprise file server
After=syslog.target
After=network-online.target
ConditionPathExists={{{vars.sys.bindir}}}/cf-serverd
ConditionPathExists={{{vars.sys.workdir}}}/policy_server.dat
ConditionPathExists={{{vars.sys.default_policy_path}}}
PartOf=cfengine3.service
[Service]
Type=simple
ExecStart={{{vars.sys.bindir}}}/cf-serverd --no-fork
Restart=always
RestartSec=10
[Install]
WantedBy=network-online.target
cfengine-masterfiles-3.24.2/templates/cf-execd.service.mustache 0000644 0000000 0000000 00000000545 15010704240 024535 0 ustar 00root root 0000000 0000000 [Unit]
Description=CFEngine Execution Scheduler
After=syslog.target
ConditionPathExists={{{vars.sys.bindir}}}/cf-execd
ConditionPathExists={{{vars.sys.default_policy_path}}}
PartOf=cfengine3.service
[Service]
Type=simple
ExecStart={{{vars.sys.bindir}}}/cf-execd --no-fork
Restart=always
RestartSec=10
KillMode=process
[Install]
WantedBy=multi-user.target
cfengine-masterfiles-3.24.2/templates/cf-postgres.service.mustache 0000644 0000000 0000000 00000002276 15010704240 025316 0 ustar 00root root 0000000 0000000 [Unit]
Description=CFEngine Enterprise PostgreSQL Database
After=syslog.target
ConditionPathExists={{{vars.sys.bindir}}}/pg_ctl
PartOf=cfengine3.service
[Service]
Type=forking
WorkingDirectory=/tmp
User=cfpostgres
Restart=always
RestartSec=10
PIDFile={{{vars.sys.statedir}}}/pg/data/postmaster.pid
SyslogIdentifier=postgres
# Disable OOM kill on the postmaster
OOMScoreAdjust=-1000
# ... but allow it still to be effective for child processes
# (note that these settings are ignored by Postgres releases before 9.5)
Environment=PG_OOM_ADJUST_FILE=/proc/self/oom_score_adj
Environment=PG_OOM_ADJUST_VALUE=0
# Maximum number of seconds pg_ctl will wait for postgres to start. Note that
# PGSTARTTIMEOUT should be less than TimeoutSec value.
#Environment=PGSTARTTIMEOUT=270
Environment=PGDATA={{{vars.sys.statedir}}}/pg/data
ExecStart={{{vars.sys.bindir}}}/pg_ctl -w -D {{{vars.sys.statedir}}}/pg/data -l /var/log/postgresql.log start
ExecStop={{{vars.sys.bindir}}}/pg_ctl -w -D {{{vars.sys.statedir}}}/pg/data -l /var/log/postgresql.log stop -m fast
ExecReload={{{vars.sys.bindir}}}/pg_ctl -w -D {{{vars.sys.statedir}}}/pg/data -l /var/log/postgresql.log reload -m fast
[Install]
WantedBy=multi-user.target
cfengine-masterfiles-3.24.2/templates/cfengine_watchdog.mustache 0000644 0000000 0000000 00000000434 15010704240 025053 0 ustar 00root root 0000000 0000000 # This file is managed by CFEngine
# If cf-execd is executable and if no process matching cf-execd can be found then restart cf-execd
* * * * * root [ -x {{{vars.sys.cf_execd}}} ] && { {{{vars.paths.pgrep}}} cf-execd > /dev/null; if [ "$?" -eq 1 ]; then {{{vars.sys.cf_execd}}}; fi;}
cfengine-masterfiles-3.24.2/templates/federated_reporting/ 0000755 0000000 0000000 00000000000 15010704326 023702 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/templates/federated_reporting/transfer_distributed_cleanup_items.sh 0000644 0000000 0000000 00000003431 15010704240 033370 0 ustar 00root root 0000000 0000000 #!/bin/bash
#
# A script to pull items for fr_distributed_cleanup.py script from a given hub to local
#
# $@ -- one or more hub hostname/IP to pull items from
#
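set -e
# make sure a failure in any part of a pipe sequence is a failure
set -o pipefail

source "$(dirname "$0")/config.sh"
source "$(dirname "$0")/log.sh"

# check that we have all the variables we need
true "${CFE_FR_SSH?undefined}"
true "${CFE_FR_DISTRIBUTED_CLEANUP_DIR?undefined}"
true "${CFE_FR_TRANSPORTER?undefined}"
true "${CFE_FR_TRANSPORTER_ARGS?undefined}"
true "${CFE_FR_FEEDER_USERNAME?undefined}"

if [ $# = 0 ]; then
  log "Must provide at least one hub hostname/IP to $0, exiting!"
  exit 1
fi

# Names reported by remote hubs end up in local file names, so only plain
# hostname characters are accepted.
hostname_re='^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$'
hubs_cert="$CFE_FR_DISTRIBUTED_CLEANUP_DIR/hubs.cert"

# CFE_FR_SSH_ARGS and CFE_FR_TRANSPORTER_ARGS are whitespace-separated option
# lists and are therefore expanded unquoted on purpose. The hub arguments are
# iterated as "$@" so each one stays a single word.
for feeder in "$@"; do
  # Under 'set -e' a failing ssh call here still aborts the whole run.
  feeder_hostname=$("$CFE_FR_SSH" $CFE_FR_SSH_ARGS "$CFE_FR_FEEDER_USERNAME@${feeder}" hostname -f)

  # The remote side chooses this value; refuse anything that is not a plain
  # hostname, and refuse "hubs" because hubs.cert is the aggregated bundle
  # that this script generates itself.
  if [[ ! "$feeder_hostname" =~ $hostname_re ]] || [[ "$feeder_hostname" == "hubs" ]]; then
    log "Refusing unexpected hostname '$feeder_hostname' reported by hub $feeder"
    continue
  fi

  # Pull the public key first, then the certificate; report if either fails.
  if ! {
    "$CFE_FR_TRANSPORTER" $CFE_FR_TRANSPORTER_ARGS "$CFE_FR_FEEDER_USERNAME@${feeder}:/$CFE_FR_DISTRIBUTED_CLEANUP_DIR/${feeder_hostname}.pub" "$CFE_FR_DISTRIBUTED_CLEANUP_DIR/" &&
      "$CFE_FR_TRANSPORTER" $CFE_FR_TRANSPORTER_ARGS "$CFE_FR_FEEDER_USERNAME@${feeder}:/$CFE_FR_DISTRIBUTED_CLEANUP_DIR/${feeder_hostname}.cert" "$CFE_FR_DISTRIBUTED_CLEANUP_DIR/"
  }; then
    log "Failed to pull fr_distributed_cleanup items from hub $feeder"
  fi
done

# check that hubs.cert is the most recent *.cert file, if not then update it
# from the other cert files (all the hubs).
# The files are collected with a glob instead of parsing 'ls' output, so
# paths containing whitespace are handled and an empty directory does not
# leave sed reading from stdin.
hub_certs=()
rebuild_bundle=no
for cert in "$CFE_FR_DISTRIBUTED_CLEANUP_DIR"/*.cert; do
  [ -f "$cert" ] || continue # an unmatched glob stays literal
  if [ "$cert" = "$hubs_cert" ]; then
    continue
  fi
  hub_certs+=("$cert")
  # -nt is also true when hubs.cert does not exist yet
  if [ "$cert" -nt "$hubs_cert" ]; then
    rebuild_bundle=yes
  fi
done
if [ "$rebuild_bundle" = yes ]; then
  sed -sn 'p' "${hub_certs[@]}" > "$hubs_cert"
fi

for feeder in "$@"; do
  "$CFE_FR_TRANSPORTER" $CFE_FR_TRANSPORTER_ARGS "$hubs_cert" "$CFE_FR_FEEDER_USERNAME@${feeder}:/$CFE_FR_DISTRIBUTED_CLEANUP_DIR/" ||
    log "Failed to transfer superhub certificate to hub $feeder"
done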
cfengine-masterfiles-3.24.2/templates/federated_reporting/distributed_cleanup.py 0000755 0000000 0000000 00000040175 15010704240 030312 0 ustar 00root root 0000000 0000000 #!/usr/bin/env python3
"""
fr_distributed_cleanup.py - a script to remove hosts which have migrated to
other feeder hubs. To be run on Federated Reporting superhub
after each import of feeder data.
First, to setup, enable fr_distributed_cleanup by setting a class in augments (def.json).
This enables policy in cfe_internal/enterprise/federation/federation.cf
```json
{
"classes": {
"cfengine_mp_fr_enable_distributed_cleanup": [ "any::" ]
}
}
```
After the policy has run on superhub and feeders, run this script
to setup fr_distributed_cleanup role and account on all feeders and superhubs with
proper RBAC settings for normal operation.
You will be prompted for superhub admin credentials and then
admin credentials on each feeder.
"""
import argparse
import logging
import os
import socket
import string
import random
import subprocess
import sys
from getpass import getpass
from nova_api import NovaApi
from cfsecret import read_secret, write_secret
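WORKDIR = None
CFE_FR_TABLES = None

# get WORKDIR and CFE_FR_TABLES from config.sh
# The absolute path is used because bash's 'source' searches $PATH when the
# file name contains no slash, which is what a bare "config.sh" would be when
# this script is started from its own directory.
config_sh_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "config.sh")

# The path is passed to bash as a positional argument ($1) rather than being
# pasted into the command text, so spaces or shell metacharacters in the
# install path cannot change the command that runs.
cmd = [
    "/bin/bash",
    "-c",
    'source "$1"; echo $WORKDIR; echo $CFE_FR_TABLES',
    "bash",
    config_sh_path,
]
with subprocess.Popen(cmd, stdout=subprocess.PIPE) as proc:
    lines = proc.stdout.readlines()

# Two output lines are expected: WORKDIR, then the table names on one line.
# Fewer lines means config.sh could not be loaded.
if len(lines) >= 2:
    WORKDIR = lines[0].decode().strip()
    CFE_FR_TABLES = [table.strip() for table in lines[1].decode().split()]

if not WORKDIR or not CFE_FR_TABLES:
    print("Unable to get WORKDIR and CFE_FR_TABLES values from config.sh")
    sys.exit(1)

# Primary dir in which to place various needed files
DISTRIBUTED_CLEANUP_DIR = "/opt/cfengine/federation/cftransport/distributed_cleanup"

# collect cert files from /var/cfengine/httpd/ssl/certs on
# superhub and feeders and cat all together into hubs.cert
CERT_PATH = os.path.join(DISTRIBUTED_CLEANUP_DIR, "hubs.cert")

# Note: remove the file at DISTRIBUTED_CLEANUP_SECRET_PATH to reset everything.
# api calls will overwrite fr_distributed_cleanup user and role on superhub and all feeders.
DISTRIBUTED_CLEANUP_SECRET_PATH = os.path.join(
    WORKDIR, "state/fr_distributed_cleanup.cfsecret"
)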
def interactive_setup_feeder(hub, email, fr_distributed_cleanup_password, force_interactive=False):
    """Create the fr_distributed_cleanup role and user on one feeder hub.

    Prompts for the feeder's admin credentials, then uses them to create the
    role, grant it the "host.delete" permission and create the user with the
    given email and password. Any API response other than 201 prints a
    message and exits the process with status 1.

    hub -- dict describing the feeder; only hub["ui_name"] is read here
    email -- email address stored on the created user
    fr_distributed_cleanup_password -- password set on the created user
    force_interactive -- when true the credentials are read with input()
        (echoed) instead of getpass()
    """

    def abort(message):
        print(message)
        sys.exit(1)

    if not force_interactive:
        feeder_credentials = getpass(
            prompt="Enter admin credentials for {}: ".format(hub["ui_name"])
        )
    else:
        feeder_credentials = input("admin credentials for {}: ".format(hub["ui_name"]))
        print()  # output newline for easier reading

    feeder_hostname = hub["ui_name"]
    feeder_api = NovaApi(
        api_user="admin",
        api_password=feeder_credentials,
        cert_path=CERT_PATH,
        hostname=feeder_hostname,
    )

    # Step 1: the role itself.
    logger.info("Creating fr_distributed_cleanup role on %s", feeder_hostname)
    role_settings = {
        "description": "fr_distributed_cleanup Federated Host Cleanup role",
        "includeContext": "cfengine_3",
    }
    role_result = feeder_api.put("role", "fr_distributed_cleanup", role_settings)
    if role_result["status"] != 201:
        abort(
            "Problem creating fr_distributed_cleanup role on feeder. {}".format(role_result)
        )

    # Step 2: the only permission the role gets on a feeder is host deletion.
    permission_result = feeder_api.put_role_permissions(
        "fr_distributed_cleanup", ["host.delete"]
    )
    if permission_result["status"] != 201:
        abort("Unable to set RBAC permissions on role fr_distributed_cleanup")

    # Step 3: the user bound to that role.
    logger.info("Creating fr_distributed_cleanup user on %s", feeder_hostname)
    user_settings = {
        "description": "fr_distributed_cleanup Federated Host Cleanup user",
        "email": "{}".format(email),
        "password": "{}".format(fr_distributed_cleanup_password),
        "roles": ["fr_distributed_cleanup"],
    }
    user_result = feeder_api.put("user", "fr_distributed_cleanup", user_settings)
    if user_result["status"] != 201:
        abort(
            "Problem creating fr_distributed_cleanup user on {}. {}".format(
                feeder_hostname, user_result
            )
        )
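def interactive_setup(force_interactive=False):
    """Create the fr_distributed_cleanup role and user on the superhub and feeders.

    Generates a random 20-character password, prompts for the superhub admin
    password, verifies through the API that this host is a configured
    superhub with at least one attached feeder, creates the role and user on
    the superhub, runs interactive_setup_feeder() for every attached hub and
    finally stores the generated password at DISTRIBUTED_CLEANUP_SECRET_PATH.
    Any failed step prints a message and exits the process with status 1.

    force_interactive -- when true the admin password is read with input()
        (echoed) instead of getpass()
    """
    # The password protects an account that can delete hosts, so it is drawn
    # from the operating system's CSPRNG (random.SystemRandom) rather than
    # from the default Mersenne Twister generator, which is predictable.
    fr_distributed_cleanup_password = "".join(
        random.SystemRandom().choices(string.digits + string.ascii_letters, k=20)
    )

    if force_interactive:
        admin_pass = input("admin password for superhub {}: ".format(socket.getfqdn()))
        print()  # newline for easier reading
    else:
        admin_pass = getpass(
            prompt="Enter admin password for superhub {}: ".format(socket.getfqdn())
        )

    api = NovaApi(api_user="admin", api_password=admin_pass)

    # first confirm that this host is a superhub
    status = api.fr_hub_status()
    if (
        status["status"] == 200
        and status["role"] == "superhub"
        and status["configured"]
    ):
        logger.debug("This host is a superhub configured for Federated Reporting.")
    elif status["status"] == 401:
        print("admin credentials are incorrect, try again")
        sys.exit(1)
    else:
        print(
            "Check the status to ensure role is superhub and configured is True. {}".format(
                status
            )
        )
        sys.exit(1)

    feederResponse = api.fr_remote_hubs()
    if not feederResponse["hubs"]:
        print(
            "No attached feeders. Please attach at least one feeder hub before running this script."
        )
        sys.exit(1)

    email = input("Enter email for fr_distributed_cleanup accounts: ")
    print()  # newline for easier reading

    logger.info("Creating fr_distributed_cleanup role on superhub...")
    response = api.put(
        "role",
        "fr_distributed_cleanup",
        {
            "description": "fr_distributed_cleanup Federated Host Cleanup role",
            "includeContext": "cfengine_3",
        },
    )
    if response["status"] != 201:
        print(
            "Problem creating fr_distributed_cleanup role on superhub. {}".format(
                response
            )
        )
        sys.exit(1)

    # On the superhub the role only needs to run queries and read hub status.
    response = api.put_role_permissions(
        "fr_distributed_cleanup", ["query.post", "remoteHub.list", "hubStatus.get"]
    )
    if response["status"] != 201:
        print("Unable to set RBAC permissions on role fr_distributed_cleanup")
        sys.exit(1)

    logger.info("Creating fr_distributed_cleanup user on superhub")
    response = api.put(
        "user",
        "fr_distributed_cleanup",
        {
            "description": "fr_distributed_cleanup Federated Host Cleanup user",
            "email": "{}".format(email),
            "password": "{}".format(fr_distributed_cleanup_password),
            "roles": ["fr_distributed_cleanup"],
        },
    )
    if response["status"] != 201:
        print(
            "Problem creating fr_distributed_cleanup user on superhub. {}".format(
                response
            )
        )
        sys.exit(1)

    for hub in feederResponse["hubs"]:
        interactive_setup_feeder(
            hub, email, fr_distributed_cleanup_password, force_interactive=force_interactive
        )

    # The secret is only persisted once every hub has been set up.
    write_secret(DISTRIBUTED_CLEANUP_SECRET_PATH, fr_distributed_cleanup_password)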
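def _is_plain_hostkey(value):
    """Return True if value is a non-empty str of ASCII letters, digits and '=' only."""
    allowed = string.ascii_letters + string.digits + "="
    return isinstance(value, str) and value != "" and all(ch in allowed for ch in value)


def _is_plain_hub_id(value):
    """Return True if str(value) is a non-empty run of ASCII digits."""
    text = str(value)
    return text != "" and all(ch in string.digits for ch in text)


def main():
    """Delete hosts that have migrated away from each feeder hub.

    Must run as root. If no stored secret exists, interactive setup is run
    first (or the script exits when no tty is available and
    --force-interactive was not given). For every feeder that is switched on,
    the superhub is queried for hosts whose most recent incoming contact was
    with a different hub; those hosts are deleted through the feeder's API
    and then marked deleted / removed from the federated tables by piping
    SQL into psql.

    Host keys and hub ids are read from API responses and end up inside SQL
    text and URL paths, so each one is checked against a narrow character
    set before use and skipped (with a message) when it does not match.
    """
    if not os.geteuid() == 0:
        sys.exit("\n{} must be run as root".format(os.path.basename(__file__)))

    parser = argparse.ArgumentParser(
        description="Clean up migrating clients in Federated Reporting setup"
    )
    group = parser.add_mutually_exclusive_group()
    group.add_argument("--debug", action="store_true")
    group.add_argument("--inform", action="store_true")
    parser.add_argument(
        "--force-interactive",
        action="store_true",
        help="force interactive mode even when no tty, good for automation",
    )
    parser.add_argument("--setup-feeder", help="Setup a single feeder by hostname")
    args = parser.parse_args()

    global logger
    logger = logging.getLogger("fr_distributed_cleanup")
    ch = logging.StreamHandler()
    if args.debug:
        logger.setLevel(logging.DEBUG)
        ch.setLevel(logging.DEBUG)
    if args.inform:
        logger.setLevel(logging.INFO)
        ch.setLevel(logging.INFO)
    logger.addHandler(ch)

    if not os.path.exists(DISTRIBUTED_CLEANUP_SECRET_PATH):
        if sys.stdout.isatty() or args.force_interactive:
            interactive_setup(force_interactive=args.force_interactive)
        else:
            print(
                "{} requires manual setup, please run as root interactively.".format(
                    os.path.basename(__file__)
                )
            )
            sys.exit(1)

    fr_distributed_cleanup_password = read_secret(DISTRIBUTED_CLEANUP_SECRET_PATH)

    if args.setup_feeder:
        email = input("Enter email for fr_distributed_cleanup accounts: ")
        print()  # newline for easier reading
        feeder = {"ui_name": args.setup_feeder}
        interactive_setup_feeder(
            feeder,
            email,
            fr_distributed_cleanup_password,
            force_interactive=args.force_interactive,
        )

    api = NovaApi(
        api_user="fr_distributed_cleanup", api_password=fr_distributed_cleanup_password
    )  # defaults to localhost
    response = api.fr_hub_status()
    if not (
        response["status"] == 200
        and response["role"] == "superhub"
        and response["configured"]
    ):
        print(
            "{} can only be run on a properly configured superhub. ".format(os.path.basename(__file__)) +
            " {}".format(response)
        )
        sys.exit(1)

    hubs_response = api.fr_remote_hubs()
    if not hubs_response["hubs"]:
        # Only a notice: with no hubs the loop below has nothing to do.
        print(
            "No attached feeders. Please attach at least one feeder hub before running this script."
        )

    for hub in hubs_response["hubs"]:
        if hub["role"] != "feeder" or hub["target_state"] != "on":
            continue

        feeder_hostkey = hub["hostkey"]
        feeder_hostname = hub["ui_name"]
        feeder_api = NovaApi(
            api_user="fr_distributed_cleanup",
            api_password=fr_distributed_cleanup_password,
            cert_path=CERT_PATH,
            hostname=feeder_hostname,
        )
        try:
            response = feeder_api.status()
        except Exception as e:
            print("Could not connect to {}, error: {}".format(feeder_hostname, e))
            sys.exit(1)

        if response["status"] == 401 and sys.stdout.isatty():
            # auth error when running interactively
            # assume it's a new feeder and offer to set it up interactively
            hub_user = api.get("user", "fr_distributed_cleanup")
            if hub_user is None or 'email' not in hub_user:
                email = 'fr_distributed_cleanup@{}'.format(hub['ui_name'])
            else:
                email = hub_user['email']
            interactive_setup_feeder(hub, email, fr_distributed_cleanup_password)
        elif response["status"] != 200:
            print(
                "Unable to get status for feeder {}. Skipping".format(feeder_hostname)
            )
            continue

        # The host key is placed inside a quoted SQL literal below.
        # NOTE(review): host keys are expected to look like "SHA=<hex digits>";
        # confirm the accepted character set against real hubs.
        if not _is_plain_hostkey(feeder_hostkey):
            print(
                "Unexpected hostkey format for feeder {}. Skipping".format(feeder_hostname)
            )
            continue

        sql = "SELECT hub_id FROM __hubs WHERE hostkey = '{}'".format(feeder_hostkey)
        response = api.query(sql)
        if response["status"] != 200:
            print("Unable to query for feeder hub_id. Response was {}".format(response))
            continue

        # query API should return one row, [0], and one column, [0], in rows value
        rows = response.get("rows")
        if not rows or not rows[0]:
            print("Unable to query for feeder hub_id. Response was {}".format(response))
            continue
        feeder_hubid = rows[0][0]
        # hub_id is used unquoted in SQL and as part of a schema name below.
        if not _is_plain_hub_id(feeder_hubid):
            print("Unexpected hub_id for feeder {}. Skipping".format(feeder_hostname))
            continue

        sql = """
            SELECT DISTINCT hosts.hostkey
            FROM hosts
            WHERE hub_id = '{0}'
            AND EXISTS(
            SELECT 1 FROM lastseenhosts ls
            JOIN (
            SELECT hostkey, max(lastseentimestamp) as newesttimestamp
            FROM lastseenhosts
            WHERE lastseendirection = 'INCOMING'
            GROUP BY hostkey
            ) as newest
            ON ls.hostkey = newest.hostkey
            AND ls.lastseentimestamp = newest.newesttimestamp
            AND ls.hostkey = hosts.hostkey
            AND ls.hub_id != '{0}'
            )""".format(
            feeder_hubid
        )

        response = api.query(sql)
        if response["status"] != 200:
            print(
                "Unable to query for deletion candidates. Response was {}".format(
                    response
                )
            )
            sys.exit(1)
        logger.debug("Hosts to delete on %s are %s", hub["ui_name"], response["rows"])
        hosts_to_delete = response["rows"]
        if len(hosts_to_delete) == 0:
            logger.info("%s: No hosts to delete. No actions taken.", feeder_hostname)
            continue

        logger.debug(
            "%s host(s) to delete on feeder %s", len(hosts_to_delete), hub["ui_name"]
        )

        # build up a post-loop SQL statement to delete hosts locally from feeder schemas
        # change to feeder schema to make deletions easier/more direct without having to
        # specify hub_id in queries
        post_sql = "set schema 'hub_{}';\n".format(feeder_hubid)
        # psql's variable is ON_ERROR_STOP; written as "ON_ERROR STOP" it sets an
        # unrelated variable and psql keeps going after a failed statement.
        post_sql += "\\set ON_ERROR_STOP on\n"
        delete_sql = ""
        post_hostkeys = []
        for row in hosts_to_delete:
            # The query API returns rows which are lists of column values.
            # We only selected hostkey so will take the first value.
            host_to_delete = row[0]

            # This value goes into a URL path and later into SQL literals fed
            # to psql, so anything outside the host key character set is skipped.
            if not _is_plain_hostkey(host_to_delete):
                logger.warning(
                    "Skipping host with unexpected hostkey format on feeder %s: %r",
                    feeder_hostname,
                    host_to_delete,
                )
                continue

            response = feeder_api.delete("host", host_to_delete)
            # both 202 Accepted and 404 Not Found are acceptable responses
            if response["status"] not in [202, 404]:
                logger.warning(
                    "Delete %s on feeder %s got %s status code",
                    host_to_delete,
                    feeder_hostname,
                    response["status"],
                )
                continue
            # only add the host_to_delete if it was successfully deleted on the feeder
            post_hostkeys.append(host_to_delete)

        if len(post_hostkeys) == 0:
            logger.info(
                "No hosts on feeder %s need processing on superhub so skipping post processing",
                feeder_hostname,
            )
            continue

        # simulate the host api delete process by setting current_timestamp in deleted column
        # and delete from all federated tables similar to the clear_hosts_references() pgplsql function.
        post_sql += "INSERT INTO __hosts (hostkey,deleted) VALUES"
        deletes = []
        for hostkey in post_hostkeys:
            deletes.append("('{}', CURRENT_TIMESTAMP)".format(hostkey))

        delete_sql = ", ".join(deletes)
        delete_sql += (
            " ON CONFLICT (hostkey,hub_id) DO UPDATE SET deleted = excluded.deleted;\n"
        )
        clear_sql = "set schema 'public';\n"
        # Table names come from config.sh (CFE_FR_TABLES) and are used as-is.
        for table in CFE_FR_TABLES:
            # special case of partitioning, operating on parent table will work
            if "__promiselog_*" in table:
                table = "__promiselog"
            clear_sql += (
                "DELETE FROM {} WHERE hub_id = {} AND hostkey IN ({});\n".format(
                    table,
                    feeder_hubid,
                    ",".join(["'{}'".format(hk) for hk in post_hostkeys]),
                )
            )
        post_sql += delete_sql + clear_sql

        logger.debug("Running SQL:\n%s", post_sql)
        with subprocess.Popen(
            ["/var/cfengine/bin/psql", "cfdb"],
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
        ) as proc:
            logger.debug("got a proc, sending sql...")
            outs, errs = proc.communicate(input=post_sql.encode())
            if "ERROR" in errs.decode("utf-8"):
                print(
                    "Problem running post processing SQL. returncode was {}, stderr:\n{}\nstdout:\n{}".format(
                        proc.returncode, errs.decode("utf-8"), outs.decode("utf-8")
                    )
                )
                sys.exit(1)

            logger.debug(
                "Ran post processing SQL. returncode was %s, stderr:\n%s\nstdout:\n%s",
                proc.returncode,
                errs.decode("utf-8"),
                outs.decode("utf-8"),
            )

        if len(hosts_to_delete) != 0:
            logger.info(
                "%s: %s host deletions processed",
                hub["ui_name"],
                len(hosts_to_delete),
            )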
# This file is a script, not a library: refuse to be imported, otherwise run.
if __name__ != "__main__":
    raise ImportError("fr_distributed_cleanup.py must only be used as a script!")
main()
cfengine-masterfiles-3.24.2/templates/federated_reporting/config.sh.mustache 0000644 0000000 0000000 00000007257 15010704240 027321 0 ustar 00root root 0000000 0000000 # -*- mode: shell-script -*-
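# Configuration file that is meant to be sourced by bash scripts.
# Every rendered value is placed inside a double-quoted shell string, so any
# `$` or backquote in a value is interpreted by the shell when this file is sourced.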
DEFAULT_PREFIX="{{prefix}}"
DEFAULT_PREFIX="${DEFAULT_PREFIX:-/opt/cfengine/federation/}"
WORKDIR="{{workdir}}"
WORKDIR="${WORKDIR:-/var/cfengine/}"
# generic configuration
CFE_BIN_DIR="{{bindir}}"
CFE_BIN_DIR="${CFE_BIN_DIR:-/var/cfengine/bin}"
CFE_FR_SED_ARGS="{{sed_args}}" # no extra args by default
CFE_FR_AWK_ARGS="{{awk_args}}" # no extra args by default
CFE_VERSION="{{cf_version}}"
# specific feeder name
CFE_FR_FEEDER="{{feeder}}"
CFE_FR_FEEDER="${CFE_FR_FEEDER:-$(hostname)}"
# tables to dump and import
DEFAULT_TABLES="__agentstatus
__contexts
__hosts
__filechangeslog
__lastseenhosts
__software
__softwareupdates
__variables
__benchmarkslog
__contextslog
__promiseexecutions
__promiselog_*
__inventory
contextcache"
CFE_FR_TABLES="{{tables}}"
CFE_FR_TABLES="${CFE_FR_TABLES:-$DEFAULT_TABLES}"
# dump phase
CFE_FR_COMPRESSOR="{{compressor}}"
CFE_FR_COMPRESSOR="${CFE_FR_COMPRESSOR:-gzip}"
CFE_FR_COMPRESSOR_ARGS="{{compressor_args}}" # no extra args by default
CFE_FR_COMPRESSOR_EXT="{{compressor_ext}}"
CFE_FR_COMPRESSOR_EXT="${CFE_FR_COMPRESSOR_EXT:-gz}"
CFE_FR_DECOMPRESS_ARGS="{{decompress_args}}"
CFE_FR_DECOMPRESS_ARGS="${CFE_FR_DECOMPRESS_ARGS:--d -c}"
CFE_FR_DUMP_DIR="{{dump_dir}}"
CFE_FR_DUMP_DIR="${CFE_FR_DUMP_DIR:-$DEFAULT_PREFIX/fedhub/dump}"
CFE_FR_DUMP_FILTERS_DIR="{{dump_filters_dir}}"
CFE_FR_DUMP_FILTERS_DIR="${CFE_FR_DUMP_FILTERS_DIR:-$DEFAULT_PREFIX/fedhub/dump/filters}"
# transport phase
CFE_FR_FEEDER_USERNAME="{{feeder_username}}"
CFE_FR_FEEDER_USERNAME="${CFE_FR_FEEDER_USERNAME:-cftransport}"
CFE_FR_SUPERHUB_DROP_DIR="{{drop_dir}}"
CFE_FR_SUPERHUB_DROP_DIR="${CFE_FR_SUPERHUB_DROP_DIR:-$DEFAULT_PREFIX/$CFE_FR_FEEDER_USERNAME/destination}"
CFE_FR_SUPERHUB_IMPORT_DIR="{{import_dir}}"
CFE_FR_SUPERHUB_IMPORT_DIR="${CFE_FR_SUPERHUB_IMPORT_DIR:-$DEFAULT_PREFIX/superhub/import}"
CFE_FR_SUPERHUB_LOGIN="{{login}}"
CFE_FR_SUPERHUB_LOGIN="${CFE_FR_SUPERHUB_LOGIN:-cftransport@superhub}"
CFE_FR_SUPERHUB_HOSTKEYS="{{superhub_hostkeys}}"
CFE_FR_THIS_HOSTKEY="{{this_hostkey}}"
CFE_FR_TRANSPORT_DIR="{{transport_dir}}"
CFE_FR_TRANSPORT_DIR="${CFE_FR_TRANSPORT_DIR:-$DEFAULT_PREFIX/$CFE_FR_FEEDER_USERNAME/source}"
CFE_FR_TRANSPORTER="{{transporter}}"
CFE_FR_TRANSPORTER="${CFE_FR_TRANSPORTER:-/var/cfengine/bin/rsync}"
CFE_FR_TRANSPORTER_ARGS="{{transporter_args}}"
CFE_FR_TRANSPORTER_ARGS="${CFE_FR_TRANSPORTER_ARGS:--av --rsync-path=$CFE_BIN_DIR/rsync}"
CFE_FR_SSH="{{ssh}}"
CFE_FR_SSH="${CFE_FR_SSH:-ssh}"
CFE_FR_SSH_ARGS="{{ssh_args}}" # no extra args by default
# import phase
CFE_FR_EXTRACTOR="{{extractor}}"
CFE_FR_EXTRACTOR="${CFE_FR_EXTRACTOR:-zcat}"
CFE_FR_EXTRACTOR_ARGS="{{extractor_args}}" # no extra args by default
CFE_FR_IMPORT_NJOBS="{{n_jobs}}" # no explicit limit of jobs by default
# (will use all the CPUs available)
CFE_FR_IMPORT_FILTERS_DIR="{{import_filters_dir}}"
CFE_FR_IMPORT_FILTERS_DIR="${CFE_FR_IMPORT_FILTERS_DIR:-$DEFAULT_PREFIX/superhub/import/filters}"
CFE_FR_INVENTORY_REFRESH_CMD="{{inventory_refresh_cmd}}"
CFE_FR_DB_USER="{{db_user}}"
CFE_FR_DB_USER="${CFE_FR_DB_USER:-cfpostgres}"
CFE_FR_HANDLE_DUPLICATES="{{handle_duplicates}}" # default is no (don't handle duplicates as it adds to time to import)
CFE_FR_HANDLE_DUPLICATES="${CFE_FR_HANDLE_DUPLICATES:-no}"
CFE_FR_DEBUG_IMPORT="{{debug_import}}" # default is no (don't run imports with debug level logging)
CFE_FR_DEBUG_IMPORT="${CFE_FR_DEBUG_IMPORT:-no}"
# distributed_cleanup dir
CFE_FR_DISTRIBUTED_CLEANUP_DIR="{{distributed_cleanup_dir}}"
CFE_FR_DISTRIBUTED_CLEANUP_DIR="${CFE_FR_DISTRIBUTED_CLEANUP_DIR:-$DEFAULT_PREFIX/$CFE_FR_FEEDER_USERNAME/distributed_cleanup}"
cfengine-masterfiles-3.24.2/templates/federated_reporting/dump.sh 0000644 0000000 0000000 00000005154 15010704240 025203 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Abort on the first failing command, and treat a failure in any stage of a
# pipeline as a failure of the whole pipeline.
set -e -o pipefail

source "$(dirname "$0")/config.sh"
source "$(dirname "$0")/log.sh"

# Every variable below must be defined (it may be empty); the ${VAR?...}
# expansion makes the shell stop with an error if one is unset.
: "${CFE_BIN_DIR?undefined}"
: "${CFE_FR_DUMP_DIR?undefined}"
: "${CFE_FR_DUMP_FILTERS_DIR?undefined}"
: "${CFE_FR_SED_ARGS?undefined}"
: "${CFE_FR_TRANSPORT_DIR?undefined}"
: "${CFE_FR_COMPRESSOR?undefined}"
: "${CFE_FR_COMPRESSOR_ARGS?undefined}"
: "${CFE_FR_COMPRESSOR_EXT?undefined}"
: "${CFE_FR_FEEDER?undefined}"
: "${CFE_FR_TABLES?undefined}"
: "${CFE_FR_FEEDER_USERNAME?undefined}"
: "${CFE_FR_SUPERHUB_HOSTKEYS?undefined}"

# The dump and transport directories must exist; the transport directory
# belongs to the feeder transport user.
mkdir -p "$CFE_FR_DUMP_DIR"
mkdir -p "$CFE_FR_TRANSPORT_DIR"
chown "$CFE_FR_FEEDER_USERNAME" "$CFE_FR_TRANSPORT_DIR"

# The configured compressor has to be resolvable before any dump is started.
type "$CFE_FR_COMPRESSOR" >/dev/null || {
  log "Compressor $CFE_FR_COMPRESSOR not available!"
  exit 1
}
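#######################################
# Filter stdin through every *.sed script in the dump filters directory,
# applied in glob (sorted) order; copy stdin unchanged when there are none.
# Globals:   CFE_FR_DUMP_FILTERS_DIR (read), CFE_FR_SED_ARGS (read)
# Outputs:   filtered stream on stdout
#######################################
function sed_filters() {
  local -a script_args=()
  local script
  # A glob keeps each path as one word, so a filters directory containing
  # whitespace works; parsing 'ls' output would split such paths apart.
  for script in "$CFE_FR_DUMP_FILTERS_DIR"/*.sed; do
    [ -e "$script" ] || continue # an unmatched glob stays literal
    script_args+=(-f "$script")
  done
  if [ "${#script_args[@]}" -gt 0 ]; then
    # CFE_FR_SED_ARGS is an option list and is split into words on purpose.
    sed $CFE_FR_SED_ARGS "${script_args[@]}"
  else
    cat
  fi
}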
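#######################################
# Filter stdin through every *.awk script in the dump filters directory,
# loaded in glob (sorted) order; copy stdin unchanged when there are none.
# Globals:   CFE_FR_DUMP_FILTERS_DIR (read), CFE_FR_AWK_ARGS (read)
# Outputs:   filtered stream on stdout
#######################################
function awk_filters() {
  local -a script_args=()
  local script
  # A glob keeps each path as one word, so a filters directory containing
  # whitespace works; parsing 'ls' output would split such paths apart.
  for script in "$CFE_FR_DUMP_FILTERS_DIR"/*.awk; do
    [ -e "$script" ] || continue # an unmatched glob stays literal
    script_args+=(-f "$script")
  done
  if [ "${#script_args[@]}" -gt 0 ]; then
    # CFE_FR_AWK_ARGS is an option list and is split into words on purpose.
    awk $CFE_FR_AWK_ARGS "${script_args[@]}"
  else
    cat
  fi
}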
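failed=0
ts="$(date -Iseconds)" # ISO 8601 format that doesn't have spaces in it

# The braces around CFE_FR_FEEDER matter: "$CFE_FR_FEEDER_$ts" would expand a
# variable named CFE_FR_FEEDER_ (unset), dropping the feeder name from the
# in-progress file name.
in_progress_file="$CFE_FR_DUMP_DIR/${CFE_FR_FEEDER}_$ts.sql.$CFE_FR_COMPRESSOR_EXT.dumping"

# Build the "-t TABLE" arguments with globbing switched off, so that a
# pattern such as __promiselog_* reaches pg_dump literally instead of being
# matched against files in the current directory.
table_args=()
set -f
for table in $CFE_FR_TABLES; do
  table_args+=(-t "$table")
done
set +f

log "Dumping tables: $CFE_FR_TABLES"
# Dump -> sed filters -> awk filters -> compressor. With pipefail set, a
# failure in any stage marks the dump as failed.
{
  "$CFE_BIN_DIR"/pg_dump --serializable-deferrable --column-inserts --rows-per-insert=10000 --data-only "${table_args[@]}" cfdb
} | sed_filters | awk_filters |
  "$CFE_FR_COMPRESSOR" $CFE_FR_COMPRESSOR_ARGS > "$in_progress_file" || failed=1

if [ "$failed" != "0" ]; then
  log "Dumping tables: FAILED"
  # Record the failed attempt, then discard the partial dump.
  echo "$in_progress_file" >> "$CFE_FR_DUMP_DIR/failed"
  rm -f "$in_progress_file"
  exit 1
else
  log "Dumping tables: DONE"
  # Only a complete dump is moved into the transport directory.
  mv "$in_progress_file" "$CFE_FR_TRANSPORT_DIR/$CFE_FR_FEEDER.sql.$CFE_FR_COMPRESSOR_EXT"
  chown "$CFE_FR_FEEDER_USERNAME" "$CFE_FR_TRANSPORT_DIR/$CFE_FR_FEEDER.sql.$CFE_FR_COMPRESSOR_EXT"
fi

if [ -n "$CFE_FR_SUPERHUB_HOSTKEYS" ]; then
  log "Linking for superhub(s): $CFE_FR_SUPERHUB_HOSTKEYS"
  # CFE_FR_SUPERHUB_HOSTKEYS is a whitespace-separated list, split on purpose.
  for superhub_hostkey in $CFE_FR_SUPERHUB_HOSTKEYS; do
    mkdir -p "$CFE_FR_TRANSPORT_DIR/$superhub_hostkey"
    # Hard link, so each superhub directory holds the same dump file.
    ln -f "$CFE_FR_TRANSPORT_DIR/$CFE_FR_FEEDER.sql.$CFE_FR_COMPRESSOR_EXT" "$CFE_FR_TRANSPORT_DIR/$superhub_hostkey/"
    chown -R "$CFE_FR_FEEDER_USERNAME" "$CFE_FR_TRANSPORT_DIR/$superhub_hostkey"
  done
  log "Linking for superhub(s): DONE"
fi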
cfengine-masterfiles-3.24.2/templates/federated_reporting/nova_api.py 0000755 0000000 0000000 00000013604 15010704240 026052 0 ustar 00root root 0000000 0000000 """
NovaApi - module to interact with CFEngine Mission Portal Enterprise API
https://docs.cfengine.com/docs/3.18/enterprise-cfengine-guide-enterprise-api.html
Examples of usage:
```python
api = NovaApi() # defaults to CFE_ROBOT user and local hub certificate
print(api.fr_remote_hubs()) # should fail with message
api = NovaApi(api_user='admin', api_password='password')
response = api.fr_remote_hubs()
for hub in response['hubs']:
print(hub)
print(hub['ui_name'])
print(api.query("select * from hosts"))
print(api.query("select * from __hubs")["rows"])
print(api.status())
print(api.fr_hub_status())
print(api.get("user","admin"))
print(api.put('user',"yj",{"password":"quijibo"}))
print(api.put("role","yj",{}))
print(api.put_role_permissions("yj", ["query.post"]))
```
"""
import json
import os
import socket
import sys
import urllib3
# CFEngine work directory: taken from the WORKDIR environment variable when
# set, otherwise /var/cfengine.
_WORKDIR = os.environ.get("WORKDIR", "/var/cfengine")
# File that _get_robot_password() scans for the cf_robot_password entry.
_DEFAULT_SECRETS_PATH = "{}/httpd/secrets.ini".format(_WORKDIR)
class NovaApi:
def __init__(
self,
hostname=None,
api_user="CFE_ROBOT",
api_password=None,
cert_path=None,
ca_cert_dir=None,
):
self._hostname = hostname or str(socket.getfqdn())
self._api_user = api_user
if api_password is None:
self._api_password = self._get_robot_password()
else:
self._api_password = api_password
if cert_path is None:
self._cert_path = "{}/httpd/ssl/certs/{}.cert".format(
_WORKDIR, socket.getfqdn()
)
else:
self._cert_path = cert_path
if ca_cert_dir is None:
self._ca_cert_dir = os.environ.get("SSL_CERT_DIR")
else:
self._ca_cert_dir = ca_cert_dir
self._http = urllib3.PoolManager(
cert_reqs="CERT_REQUIRED",
ca_certs=self._cert_path,
ca_cert_dir=self._ca_cert_dir,
)
self._headers = urllib3.make_headers(
basic_auth="{}:{}".format(self._api_user, self._api_password)
)
self._headers["Content-Type"] = "application/json"
# urllib3 v2.0 removed SubjectAltNameWarning and instead throws an error if no SubjectAltName is present in a certificate
if hasattr(urllib3.exceptions, "SubjectAltNameWarning"):
# if urllib3 is < v2.0 then SubjectAltNameWarning will exist and should be silenced
if not sys.warnoptions:
import warnings
warnings.simplefilter(
"ignore", category=urllib3.exceptions.SubjectAltNameWarning
)
def __str__(self):
return str(self.__class__) + ":" + str(self.__dict__)
def _get_robot_password(self):
with open(_DEFAULT_SECRETS_PATH) as file:
for line in file:
if "cf_robot_password" in line:
tokens = line.split("=")
if len(tokens) == 2:
return tokens[1].strip()
raise Exception(
"Could not parse CFE_ROBOT password from {} file".format(
_DEFAULT_SECRETS_PATH
)
)
def _request(self, method, path, body=None):
url = "https://{}/api/{}".format(self._hostname, path)
if type(body) is not str:
payload = json.JSONEncoder().encode(body)
else:
payload = body
response = self._http.request(method, url, headers=self._headers, body=payload)
return self._build_response(response)
def _build_response(self, response):
if response.status != 200:
value = {}
message = response.data.decode("utf-8").strip()
if not message:
if response.status == 201:
message = "Created"
value["message"] = message
value["status"] = response.status
else:
data = json.loads(response.data.decode("utf-8"))
# some APIs like query API return a top-level data key which we want to skip for ease of use
if "data" in data:
# data response e.g. query API returns top-level key 'data'
# which has a value of a list with one entry containing
# the information.
# see https://docs.cfengine.com/docs/master/reference-enterprise-api-ref-query.html#execute-sql-query
value = data["data"][0]
value["meta"] = data["meta"]
else:
value = data if type(data) is dict else {}
value["status"] = response.status
return value
def query(self, sql):
    """POST an SQL statement to the "query" API endpoint.

    Newlines in `sql` are replaced by spaces and the result is stripped
    before it is placed into the JSON request body.
    """
    # NOTE(review): the SQL text is inserted into a JSON string literal by
    # plain formatting, so a double quote or backslash in `sql` changes the
    # JSON document instead of being escaped. Callers may already escape
    # their input for this; confirm before switching to a JSON encoder.
    flattened = sql.replace("\n", " ").strip()
    payload = '\n{{ "query": "{}" }}'.format(flattened)
    return self._request("POST", "query", body=payload)
def status(self):
    """GET the API root path and return the response dict."""
    root_path = ""
    return self._request("GET", root_path)
def fr_remote_hubs(self):
    """GET "fr/remote-hub" and reshape the response.

    Returns:
        {"hubs": [...], "status": ...} where "hubs" holds every dict-valued
        entry of the response, in response order, and "status" is copied
        from the response.
    """
    response = self._request("GET", "fr/remote-hub")
    hubs = []
    for entry in response.values():
        if type(entry) is dict:
            hubs.append(entry)
    return {"hubs": hubs, "status": response["status"]}
def fr_hub_status(self):
    """GET "fr/hub-status" and return the response dict."""
    endpoint = "fr/hub-status"
    return self._request("GET", endpoint)
def fr_enable_as_superhub(self):
    """POST to "fr/setup-hub/superhub" and return the response dict."""
    endpoint = "fr/setup-hub/superhub"
    return self._request("POST", endpoint)
def fr_enable_as_feeder(self):
    """POST to "fr/setup-hub/feeder" and return the response dict."""
    endpoint = "fr/setup-hub/feeder"
    return self._request("POST", endpoint)
def get(self, entity, identifier):
    """GET "<entity>/<identifier>" and return the response dict."""
    # NOTE(review): entity and identifier are joined into the path as given,
    # without URL-encoding; callers should pass URL-safe values.
    resource = "{entity}/{identifier}".format(entity=entity, identifier=identifier)
    return self._request("GET", resource)
def put(self, entity, identifier, data):
    """PUT `data` to "<entity>/<identifier>" and return the response dict."""
    resource = "{entity}/{identifier}".format(entity=entity, identifier=identifier)
    return self._request("PUT", resource, data)
def delete(self, entity, identifier):
    """Send DELETE for "<entity>/<identifier>" and return the response dict."""
    resource = "{entity}/{identifier}".format(entity=entity, identifier=identifier)
    return self._request("DELETE", resource)
def put_role_permissions(self, identifier, data):
    """PUT `data` to "role/<identifier>/permissions" and return the response dict."""
    resource = "role/{role}/permissions".format(role=identifier)
    return self._request("PUT", resource, data)
cfengine-masterfiles-3.24.2/templates/federated_reporting/transport.sh 0000644 0000000 0000000 00000007375 15010704240 026301 0 ustar 00root root 0000000 0000000 #!/bin/bash
#
# Transport dump files from the feeder hubs to the superhub.
#
# Can be run as:
# transport.sh
# On a feeder hub, pushes dump files to the superhub.
# transport.sh push
# The same as with no arguments.
# transport.sh pull FEEDER_HUB [FEEDER_HUB2...FEEDER_HUBn]
# On the superhub, pull dumps from the given feeder hubs (in parallel).
#
# Stop at the first failing command, and make sure a failure in any part of a
# pipe sequence is a failure of the whole pipeline.
set -e -o pipefail

# Configuration and helper libraries live next to this script.
source "$(dirname "$0")/config.sh"
source "$(dirname "$0")/log.sh"
source "$(dirname "$0")/parallel.sh"

# Check that we have all the variables we need; an unset one aborts the
# script with the message "undefined".
: "${CFE_FR_TRANSPORT_DIR?undefined}"
: "${CFE_FR_SUPERHUB_DROP_DIR?undefined}"
: "${CFE_FR_TRANSPORTER?undefined}"
: "${CFE_FR_TRANSPORTER_ARGS?undefined}"
: "${CFE_FR_COMPRESSOR_EXT?undefined}"
: "${CFE_FR_SUPERHUB_LOGIN?undefined}"

# The transporter must be resolvable before any file is touched.
type "$CFE_FR_TRANSPORTER" >/dev/null || {
  log "Transporter $CFE_FR_TRANSPORTER not available!"
  exit 1
}
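function push() {
  # Runs on the feeder hub, pushes dumps to the superhub.
  #
  # Globals (read): CFE_FR_TRANSPORT_DIR, CFE_FR_COMPRESSOR_EXT,
  #                 CFE_FR_TRANSPORTER, CFE_FR_TRANSPORTER_ARGS,
  #                 CFE_FR_SUPERHUB_LOGIN, CFE_FR_SUPERHUB_DROP_DIR
  # Returns: 0 if every dump was transported, 1 if any transfer failed.
  #          Exits the script with 0 when there is nothing to transport.
  local -a dump_files=()
  local dump_file failed
  local some_failed=0

  # Collect the dumps with a glob instead of parsing 'ls' output, so a path
  # containing whitespace or glob characters stays one item and cannot make
  # the 'mv' and 'rm -f' below act on a different file.
  for dump_file in "$CFE_FR_TRANSPORT_DIR/"*".sql.$CFE_FR_COMPRESSOR_EXT"; do
    if [ -e "$dump_file" ]; then
      dump_files+=("$dump_file")
    fi
  done
  if [ "${#dump_files[@]}" -eq 0 ]; then
    log "No files to transport."
    exit 0
  fi

  log "Transporting files: $(printf '%s\n' "${dump_files[@]}")"
  for dump_file in "${dump_files[@]}"; do
    failed=0
    # Rename first so a dump being transported is not picked up again or
    # overwritten while the transfer is running.
    mv "$dump_file" "$dump_file.transporting"
    # NOTE(review): CFE_FR_TRANSPORTER_ARGS is passed as one single argument
    # here, whereas pull_dumps_from.sh expands it unquoted into separate
    # words -- confirm which of the two is intended.
    "$CFE_FR_TRANSPORTER" "$CFE_FR_TRANSPORTER_ARGS" "$dump_file.transporting" "$CFE_FR_SUPERHUB_LOGIN:$CFE_FR_SUPERHUB_DROP_DIR/$(basename "$dump_file")" ||
      failed=1
    # The renamed dump is removed whether or not the transfer succeeded.
    rm -f "$dump_file.transporting"
    if [ "$failed" != 0 ]; then
      log "Transporting file $dump_file to $CFE_FR_SUPERHUB_LOGIN:$CFE_FR_SUPERHUB_DROP_DIR failed!"
      some_failed=1
    fi
  done

  if [ "$some_failed" != "0" ]; then
    log "Transporting files: FAILED"
    return 1
  else
    log "Transporting files: DONE"
    return 0
  fi
}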
function pull() {
  # Runs on the superhub, pulls dumps from the given feeder hubs in parallel.
  #
  # $@ -- feeder hubs to pull the dumps from
  # return -- 0 if pulling succeeded for all feeders, 1 otherwise
  #
  # NOTE(review): each feeder name is used as a relative directory name
  # ("$feeder/", "$feeder.failed") inside the work directory, so the names
  # are assumed to be plain hostnames/IPs without "/" -- confirm the caller
  # guarantees that.
  feeder_lines="$(printf "%s\n" "$@")"
  log "Pulling dumps from: $feeder_lines"
  chmod u+x "$(dirname "$0")/pull_dumps_from.sh"

  # Create and work inside a process specific sub-directory for WIP. A plain
  # mkdir (no -p) fails if the directory already exists.
  work_dir="$CFE_FR_SUPERHUB_DROP_DIR/$$"
  mkdir "$work_dir"

  # Determine the absolute path of the pull_dumps_from.sh script before the
  # working directory changes: an absolute $0 is used as-is, a relative one
  # is resolved against the current directory.
  case "$0" in
    /*) pull_dumps_path="$(dirname "$0")/pull_dumps_from.sh" ;;
    *) pull_dumps_path="$PWD/$(dirname "$0")/pull_dumps_from.sh" ;;
  esac

  pushd "$work_dir" >/dev/null
  failed=0
  echo "$feeder_lines" | run_in_parallel "$pull_dumps_path" - || failed=1

  if [ "$failed" = "0" ]; then
    log "Pulling dumps: DONE"
  else
    log "Pulling dumps: FAILED"
    # pull_dumps_from.sh leaves a "<feeder>.failed" marker for each failure.
    for feeder in "$@"; do
      if [ -f "$feeder.failed" ]; then
        log "Failed to pull dumps from: $feeder"
        rm -f "$feeder.failed"
      fi
    done
  fi

  # Move whatever was pulled into the drop dir, feeder by feeder.
  for feeder in "$@"; do
    ls "$feeder/"*".sql.$CFE_FR_COMPRESSOR_EXT" >/dev/null 2>/dev/null || {
      log "No dump files from $feeder"
      continue
    }
    mv "$feeder/"*".sql.$CFE_FR_COMPRESSOR_EXT" "$CFE_FR_SUPERHUB_DROP_DIR/"
    # the $feeder directory is not supposed to contain anything else
    rmdir "$feeder" || log "Failed to remove directory after $feeder"
  done

  popd >/dev/null
  rm -rf "$CFE_FR_SUPERHUB_DROP_DIR/$$"
  return $failed
}
# Command dispatch: no argument or "push" pushes; "pull" needs at least one
# feeder hub after it; anything else is rejected with exit status 1.
case $# in
  0)
    push
    ;;
  1)
    case "$1" in
      push)
        push
        ;;
      pull)
        log "No feeder hubs given to pull from"
        exit 1
        ;;
      *)
        log "Invalid command given to $0: $1"
        exit 1
        ;;
    esac
    ;;
  *)
    # more than one argument given
    case "$1" in
      pull)
        shift
        pull "$@"
        ;;
      *)
        log "Invalid command given to $0: $1"
        exit 1
        ;;
    esac
    ;;
esac
cfengine-masterfiles-3.24.2/templates/federated_reporting/log.sh.mustache 0000644 0000000 0000000 00000000756 15010704240 026632 0 ustar 00root root 0000000 0000000 # -*- mode: shell-script -*-
# A bash "library" providing logging functionality
# The {{...}} placeholders are filled in when this template is rendered. The
# rendered text lands inside double-quoted shell strings, so a value holding
# a double quote, "$" or a backtick would be interpreted by the shell when
# this file is sourced -- presumably the values come from trusted policy
# data; confirm.
# Command used to emit log messages; falls back to 'echo' when rendered empty.
CFE_LOGGER="{{logger}}"
CFE_LOGGER="${CFE_LOGGER:-echo}"
# NOTE(review): log() in this file never passes CFE_LOGGER_ARGS to the logger.
CFE_LOGGER_ARGS="{{logger_args}}" # no extra args by default
# Command whose output is used as the timestamp prefix; defaults to 'date'.
CFE_TIMESTAMP_CMD="{{timestamp_cmd}}" # use 'true' to disable explicit timestamps
CFE_TIMESTAMP_CMD="${CFE_TIMESTAMP_CMD:-date}"
function log() {
  # Emit one log message through $CFE_LOGGER.
  #
  # $1 -- message to log
  #
  # The output of $CFE_TIMESTAMP_CMD (expanded unquoted, so it may carry its
  # own arguments) is put in front of the message as "[timestamp] "; when the
  # command prints nothing, the message is logged without a prefix.
  ts="$($CFE_TIMESTAMP_CMD)"
  case "$ts" in
    "") "${CFE_LOGGER}" "$1" ;;
    *) "${CFE_LOGGER}" "[$ts] $1" ;;
  esac
}
cfengine-masterfiles-3.24.2/templates/federated_reporting/pull_dumps_from.sh 0000644 0000000 0000000 00000004001 15010704240 027433 0 ustar 00root root 0000000 0000000 #!/bin/bash
#
# A script to pull dumps from a given feeder hub to the $PWD/$feeder folder.
#
# $1 -- feeder hub hostname/IP to pull the dumps from
#
# Stop at the first failing command, and make sure a failure in any part of a
# pipe sequence is a failure of the whole pipeline.
set -e -o pipefail

source "$(dirname "$0")/config.sh"
source "$(dirname "$0")/log.sh"

# Check that we have all the variables we need; an unset one aborts the
# script with the message "undefined".
: "${CFE_FR_TRANSPORT_DIR?undefined}"
: "${CFE_FR_SUPERHUB_DROP_DIR?undefined}"
: "${CFE_FR_THIS_HOSTKEY?undefined}"
: "${CFE_FR_TRANSPORTER?undefined}"
: "${CFE_FR_TRANSPORTER_ARGS?undefined}"
: "${CFE_FR_SSH?undefined}"
: "${CFE_FR_SSH_ARGS?undefined}"
: "${CFE_FR_COMPRESSOR_EXT?undefined}"
: "${CFE_FR_FEEDER_USERNAME?undefined}"

if [ $# != 1 ]; then
  log "Invalid number of arguments ($#) given to $0, exiting!"
  exit 1
fi

# NOTE(review): $1 is used both as the remote host and as a local directory
# name that is later removed with 'rm -rf' on failure; it is assumed to be a
# plain hostname/IP without "/" -- confirm the caller guarantees that.
feeder="$1"
remote_login="$CFE_FR_FEEDER_USERNAME@${feeder}"
mkdir -p "$feeder"

# NOTE(review): the remote commands below are single strings that the remote
# shell parses again, with $REMOTE_DIR and the extension inserted unquoted.
# They rely on the configured paths containing no whitespace or shell
# metacharacters.

# Prefer the per-superhub dump directory; fall back to the shared one.
REMOTE_DIR="$CFE_FR_TRANSPORT_DIR/$CFE_FR_THIS_HOSTKEY"
if ! "$CFE_FR_SSH" $CFE_FR_SSH_ARGS "$remote_login" "test -d $REMOTE_DIR"; then
  REMOTE_DIR="$CFE_FR_TRANSPORT_DIR"
  log "Trying fallback dump directory $REMOTE_DIR. Upgrade masterfiles on feeder to enable multiple superhubs pulling from one feeder."
fi

if ! "$CFE_FR_SSH" $CFE_FR_SSH_ARGS "$remote_login" "test -e $REMOTE_DIR/*.sql.$CFE_FR_COMPRESSOR_EXT"; then
  log "No files to transport."
  exit 0
fi

# Move the files so that they don't get overwritten/deleted during the
# transport; the staging directory is named after this process' PID.
remote_staging="$REMOTE_DIR/$$.transporting"
"$CFE_FR_SSH" $CFE_FR_SSH_ARGS "$remote_login" "mkdir $remote_staging"
"$CFE_FR_SSH" $CFE_FR_SSH_ARGS "$remote_login" "mv $REMOTE_DIR/*.sql.$CFE_FR_COMPRESSOR_EXT $remote_staging/"

failed=0
"$CFE_FR_TRANSPORTER" $CFE_FR_TRANSPORTER_ARGS "${remote_login}:/$remote_staging/*.sql.$CFE_FR_COMPRESSOR_EXT" "$feeder/" ||
  failed=1

# The remote staging directory is removed whether or not the copy succeeded.
"$CFE_FR_SSH" $CFE_FR_SSH_ARGS "$remote_login" "rm -rf $remote_staging"

if [ "$failed" != "0" ]; then
  # Leave a marker for the caller and drop the partial download.
  touch "$feeder.failed"
  rm -rf "$feeder"
  exit 1
fi
cfengine-masterfiles-3.24.2/templates/federated_reporting/cfsecret.py 0000755 0000000 0000000 00000001070 15010704240 026046 0 ustar 00root root 0000000 0000000 import subprocess
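def write_secret(path, secret):
    """Encrypt `secret` with cf-secret and store the result at `path`.

    The secret is handed to cf-secret on stdin, so it does not show up in
    the process argument list.

    Raises:
        subprocess.CalledProcessError: if cf-secret exits with a non-zero
            status, so a secret that was not stored is not mistaken for a
            successful write. This matches read_secret(), which also raises
            on failure. The exception carries the command line and
            cf-secret's stderr, not the secret.
    """
    command = [
        "/var/cfengine/bin/cf-secret",
        "encrypt",
        "-H",
        "localhost",
        "-o",
        path,
        "-",
    ]
    proc = subprocess.Popen(
        command,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    _out, err = proc.communicate(input=secret.encode())
    if proc.returncode != 0:
        raise subprocess.CalledProcessError(proc.returncode, command, output=err)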
def read_secret(path):
    """Decrypt the cf-secret file at `path` and return its content.

    cf-secret writes the plaintext to stdout ("--output -"); the text is
    returned with surrounding whitespace stripped. A non-zero exit status
    raises subprocess.CalledProcessError (behaviour of check_output).
    """
    command = ["/var/cfengine/bin/cf-secret", "decrypt", path, "--output", "-"]
    plaintext = subprocess.check_output(command, universal_newlines=True)
    return plaintext.strip()
cfengine-masterfiles-3.24.2/templates/federated_reporting/import_file.sh 0000644 0000000 0000000 00000003234 15010704240 026544 0 ustar 00root root 0000000 0000000 #!/bin/bash
# A script to import a compressed SQL file
#
# $1 -- compressed SQL file to import
# Stop at the first failing command; a failure in any stage of a pipeline
# fails the whole pipeline.
set -e -o pipefail

source "$(dirname "$0")/config.sh"

# Check that we have all the variables we need; an unset one aborts the
# script with the message "undefined".
# NOTE(review): CFE_FR_AWK_ARGS is used by awk_filters() below but is not
# part of this check.
: "${CFE_BIN_DIR?undefined}"
: "${CFE_FR_IMPORT_FILTERS_DIR?undefined}"
: "${CFE_FR_SED_ARGS?undefined}"
: "${CFE_FR_EXTRACTOR?undefined}"
: "${CFE_FR_EXTRACTOR_ARGS?undefined}"
: "${CFE_FR_DB_USER?undefined}"
: "${CFE_FR_TABLES?undefined}"
: "${CFE_FR_COMPRESSOR?undefined}"
: "${CFE_FR_COMPRESSOR_ARGS?undefined}"
: "${CFE_FR_COMPRESSOR_EXT?undefined}"

# $1 -- compressed SQL file to import
file="$1"
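function sed_filters() {
  # Filter stdin through every *.sed script found in
  # $CFE_FR_IMPORT_FILTERS_DIR, applied in glob (sorted) order; with no
  # script present, stdin is copied to stdout unchanged.
  #
  # Globals (read): CFE_FR_IMPORT_FILTERS_DIR, CFE_FR_SED_ARGS
  local -a sed_opts=()
  local script

  # Build the -f options as an array from a glob instead of word-splitting
  # 'ls' output, so a filter path containing whitespace or glob characters
  # is passed to sed as exactly one file name.
  for script in "$CFE_FR_IMPORT_FILTERS_DIR/"*".sed"; do
    [ -e "$script" ] || continue
    sed_opts+=(-f "$script")
  done

  if [ "${#sed_opts[@]}" -gt 0 ]; then
    # CFE_FR_SED_ARGS is expanded unquoted on purpose: it may hold several
    # options.
    sed $CFE_FR_SED_ARGS "${sed_opts[@]}"
  else
    cat
  fi
}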
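function awk_filters() {
  # Filter stdin through every *.awk script found in
  # $CFE_FR_IMPORT_FILTERS_DIR, loaded in glob (sorted) order; with no
  # script present, stdin is copied to stdout unchanged.
  #
  # Globals (read): CFE_FR_IMPORT_FILTERS_DIR, CFE_FR_AWK_ARGS
  local -a awk_opts=()
  local script

  # Build the -f options as an array from a glob instead of word-splitting
  # 'ls' output, so a filter path containing whitespace or glob characters
  # is passed to awk as exactly one file name.
  for script in "$CFE_FR_IMPORT_FILTERS_DIR/"*".awk"; do
    [ -e "$script" ] || continue
    awk_opts+=(-f "$script")
  done

  if [ "${#awk_opts[@]}" -gt 0 ]; then
    # CFE_FR_AWK_ARGS is expanded unquoted on purpose: it may hold several
    # options.
    awk $CFE_FR_AWK_ARGS "${awk_opts[@]}"
  else
    cat
  fi
}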
hostkey=$(basename "$file" | cut -d. -f1)
table_whitelist=$(printf "'%s'," $CFE_FR_TABLES | sed -e 's/,$//')
mv "$file" "$file.importing"
{
cat<&1 | "$CFE_FR_COMPRESSOR" $CFE_FR_COMPRESSOR_ARGS >"$file.log.$CFE_FR_COMPRESSOR_EXT" && {
rm -f "$file.importing"
exit 0
} || {
mv "$file.importing" "$file.failed"
exit 1
}
cfengine-masterfiles-3.24.2/templates/federated_reporting/parallel.sh 0000644 0000000 0000000 00000005637 15010704240 026040 0 ustar 00root root 0000000 0000000 # A shell "library" providing a function to run a given command on multiple
# arguments in parallel.
#
# For best results, make sure 'parallel' is installed.
#
# Probe once, at source time, which helpers are available.

# 1 if 'parallel' can be resolved, 0 otherwise.
HAVE_PARALLEL=0
if type parallel >/dev/null 2>&1; then
  HAVE_PARALLEL=1
fi

# 1 if 'xargs' can be resolved, 0 otherwise.
HAVE_XARGS=0
if type xargs >/dev/null 2>&1; then
  HAVE_XARGS=1
fi

# Default number of job slots: the online CPU count from getconf, or the
# number of "processor" lines in /proc/cpuinfo when getconf is missing.
if type getconf >/dev/null 2>&1; then
  NCPUs="$(getconf _NPROCESSORS_ONLN)"
else
  NCPUs="$(grep processor /proc/cpuinfo | wc -l)"
fi
_run_using_parallel() {
  # Run "$1 <item>" for every input item using 'parallel'.
  #
  # $1 -- command to run
  # $2 -- file with one item per line, or "-" to read the items from STDIN
  # $3 -- OPTIONAL, maximum number of jobs (passed as -j<N>)
  # return -- the exit status of 'parallel'
  max_jobs=""
  [ $# -le 2 ] || max_jobs="-j$3"

  # $max_jobs is left unquoted so that an empty value adds no argument.
  case "$2" in
    -) parallel $max_jobs "$1 {}" ;;
    *) parallel $max_jobs "$1 {}" :::: "$2" ;;
  esac
  return $?
}
_run_using_xargs() {
  # Run "$1 <item>" for every input item using 'xargs -n1'.
  #
  # $1 -- command to run (must be an executable, not a shell function)
  # $2 -- file with one item per line, or "-" to read the items from STDIN
  # $3 -- OPTIONAL, maximum number of jobs (passed as -P<N>), defaults to
  #       $NCPUs
  # return -- the exit status of 'xargs'
  #
  # NOTE(review): xargs is invoked without a delimiter option, so it applies
  # its default input parsing (whitespace splitting, quote handling) to the
  # items rather than treating each line as one opaque argument.
  max_jobs="-P$NCPUs"
  if [ $# -gt 2 ]; then
    max_jobs="-P$3"
  fi

  case "$2" in
    -) xargs -n1 $max_jobs "$1" ;;
    *) xargs -n1 $max_jobs -a "$2" "$1" ;;
  esac
  return $?
}
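_run_using_for() {
  # Run "$1 <item>" for every input item as background jobs, keeping at most
  # the given number of jobs running at a time.
  #
  # $1 -- command (or shell function) to run
  # $2 -- file with one item per line, or "-" to read the items from STDIN
  # $3 -- OPTIONAL, maximum number of parallel jobs, defaults to $NCPUs
  # return -- 0 if every job exited with 0, 1 otherwise
  #
  # Every status returned by 'wait -n' is checked. Previously the status of
  # the first job reaped after the input was exhausted was overwritten before
  # it was looked at, so e.g. a single failing job was reported as success.
  #
  # NOTE: 'wait -n' returns 127 when there is no job left to wait for, so a
  # job that itself exits with 127 cannot be told apart from that case.
  local job_slots input_arg item exit_status
  local failure=0

  if [ $# -gt 2 ]; then
    job_slots="$3"
  else
    job_slots="$NCPUs"
  fi
  if [ "$2" = "-" ]; then
    input_arg="/dev/stdin"
  else
    input_arg="$2"
  fi

  # -r keeps backslashes in the items intact.
  while read -r item; do
    if [ "$job_slots" = 0 ]; then
      # All slots busy: wait for any one job to finish. The '||' form keeps
      # a failing job from aborting the caller under 'set -e'.
      exit_status=0
      wait -n || exit_status=$?
      if [ "$exit_status" != 0 ] && [ "$exit_status" != 127 ]; then
        failure=1
      fi
      job_slots=$((job_slots + 1))
    fi
    "$1" "$item" &
    job_slots=$((job_slots - 1))
  done < "$input_arg"

  # Wait for the remaining jobs one by one and check the exit statuses.
  while true; do
    exit_status=0
    wait -n || exit_status=$?
    if [ "$exit_status" = 127 ]; then
      break
    fi
    if [ "$exit_status" != 0 ]; then
      failure=1
    fi
  done
  return "$failure"
}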
run_in_parallel() {
  # Run the given command with the read arguments in parallel
  #
  # $1 -- command to run
  # $2 -- path to the file to read the argument items from,
  #       or "-" to load from STDIN
  # $3 -- OPTIONAL, maximum number of parallel jobs to run,
  #       defaults to the number of CPUs
  # return -- 0 if all runs of the command exited with 0, 1 otherwise
  #
  # Reads the arguments (one arg per line) and runs the given command in
  # parallel with them. One argument per command. Uses 'parallel', 'xargs' or
  # a for-loop with background jobs in respective order of preference.

  # We need to know if $1 is a function because 'xargs' doesn't support
  # functions at all and for 'parallel' we need to export the function.
  IS_A_FUNC=0
  if type "$1" | head -n1 | grep "$1 is a function" >/dev/null; then
    IS_A_FUNC=1
  fi

  if [ $HAVE_PARALLEL = 1 ]; then
    if [ $IS_A_FUNC = 1 ]; then
      export -f "$1"
    fi
    _run_using_parallel "$@"
    # Collapse any non-zero status to 1.
    return $(($? != 0))
  fi

  if [ $HAVE_XARGS = 1 ] && [ $IS_A_FUNC != 1 ]; then
    _run_using_xargs "$@"
    # Collapse any non-zero status to 1.
    return $(($? != 0))
  fi

  _run_using_for "$@"
  return $?
}
cfengine-masterfiles-3.24.2/templates/federated_reporting/psql_wrapper.sh.mustache 0000644 0000000 0000000 00000001502 15010704240 030556 0 ustar 00root root 0000000 0000000 #!/bin/bash
# run an arbitrary psql command as cfpostgres user
# expectation is that a line will be output with exit_code=
# this exit code will then be used to exit
# This design enables cfengine policy to run a commands promise
# that can be kept, repaired or failed depending on an exit
# code from psql since psql can't get different codes from scripts.
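# $1 -- database name
# $2 -- SQL string to run
# Exit status: 2 on wrong usage or when psql/su fails; otherwise the value
# printed by the SQL as "exit_code=<n>", or 0 when no such line is printed.
if [ $# -ne 2 ]; then
  echo "Usage: $0 [DBNAME] [SQL STRING]"
  exit 2
fi

# stderr of the command is collected in a private temporary file.
TMP=$(mktemp)
cd /tmp

# NOTE(review): $1 and $2 are placed inside the command string that the
# cfpostgres login shell parses again, so a double quote, "$" or backtick in
# either argument is interpreted by that shell. Both arguments must therefore
# come from trusted policy only; passing them without a second shell parse
# would remove that requirement.
OUT=$(su - cfpostgres --command "{{{vars.sys.bindir}}}/psql --quiet --tuples-only --no-align --no-psqlrc \"$1\" --command=\"$2\"" 2> "$TMP")
RETURN_CODE=$?
ERR=$(<"$TMP")

# Feed the output to awk quoted and line by line: an unquoted expansion would
# glob-expand characters such as "*" against /tmp and join all lines into
# one, which can corrupt the extracted exit code.
EXIT_CODE=$(printf '%s\n' "$OUT" | awk -F= '{ if ( /exit_code/ ) print $2}')
rm -f -- "$TMP"

if [ "$RETURN_CODE" -ne 0 ]; then
  echo "stdout: $OUT"
  echo "stderr: $ERR"
  exit 2 # failed
fi
exit "${EXIT_CODE:-0}"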
cfengine-masterfiles-3.24.2/templates/federated_reporting/10-base_filter.sed 0000644 0000000 0000000 00000002135 15010704240 027070 0 ustar 00root root 0000000 0000000 # remove the search_path settings because we want to stay in the newly created feeder schema
# (continuing the comment above) drop the dump's search_path reset line
/SELECT pg_catalog.set_config('search_path', '', false);/d;
# Prevent setval() entries from being replayed on the superhub
# e.g., SELECT pg_catalog.setval('__promiselog_id_seq', 44075, true);
#/^SELECT pg_catalog.setval/d;
# NOTE: don't need this anymore since we will be calling setval on the local schema copy of things
# Remove public. schema prefix so that import can go into the current schema (feeder schema)
# NOTE(review): this substitution is purely textual and applies to every
# occurrence on every line, so the text "public." inside a data value would
# be removed as well -- confirm that this cannot occur in the dumped tables.
s/public\.//g;
# Remove CREATE TYPE blocks (from the CREATE TYPE line up to the closing ");" line)
/CREATE TYPE.*/,/^);$/d
# don't reset the promiselog sequence value
/SELECT pg_catalog.setval('__promiselog_id_seq.*$/d
# enable more debug messages
s/client_min_messages = warning/client_min_messages = notice/
# Munge rows from __promiselog child tables (like __promiselog_KEPT_2017-01-01)
# to write them to parent table on import (and the database will take care
# of placing them in the appropriate child table). The first value of each
# row is replaced by DEFAULT.
/^INSERT INTO "__promiselog_/ {
s/^INSERT INTO "__promiselog_.[^"]*"/INSERT INTO __promiselog/;
s/VALUES [^,]*,/VALUES \(DEFAULT,/;
};
cfengine-masterfiles-3.24.2/templates/federated_reporting/import.sh 0000644 0000000 0000000 00000013652 15010704240 025552 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Stop at the first failing command, and make sure a failure in any part of a
# pipe sequence is a failure of the whole pipeline.
set -e -o pipefail

source "$(dirname "$0")/config.sh"
source "$(dirname "$0")/log.sh"
source "$(dirname "$0")/parallel.sh"

# Check that we have all the variables we need; an unset one aborts the
# script with the message "undefined".
: "${WORKDIR?undefined}"
: "${CFE_BIN_DIR?undefined}"
: "${CFE_FR_SUPERHUB_DROP_DIR?undefined}"
: "${CFE_FR_SUPERHUB_IMPORT_DIR?undefined}"
: "${CFE_FR_COMPRESSOR_EXT?undefined}"
: "${CFE_FR_EXTRACTOR?undefined}"
: "${CFE_FR_TABLES?undefined}"
: "${CFE_FR_INVENTORY_REFRESH_CMD?undefined}"
: "${CFE_FR_HANDLE_DUPLICATES?undefined}"

# The extractor must be resolvable before any file is touched.
type "$CFE_FR_EXTRACTOR" >/dev/null || {
  log "Extractor $CFE_FR_EXTRACTOR not available!"
  exit 1
}
# TODO: we should do some validation of the files here
# NOTE(review): until that validation exists, every file name matching
# *.sql.$CFE_FR_COMPRESSOR_EXT in the drop dir is accepted as-is. Later steps
# of this script derive the hostkey from the file name and place it inside
# SQL text, so the name is effectively input from whoever can write to the
# drop dir (presumably the feeder hubs' transport login -- confirm).
mkdir -p "$CFE_FR_SUPERHUB_IMPORT_DIR"
# Probe the drop dir for dump files; 'ls' fails when the glob matches nothing.
no_drop_files=0
ls -l "$CFE_FR_SUPERHUB_DROP_DIR/"*".sql.$CFE_FR_COMPRESSOR_EXT" >/dev/null 2>/dev/null ||
no_drop_files=1
if [ "$no_drop_files" != "0" ]; then
log "No files in drop dir."
else
log "Moving files from drop dir to import dir."
# A failed move is only logged; the script carries on with whatever is
# already in the import dir.
mv "$CFE_FR_SUPERHUB_DROP_DIR/"*".sql.$CFE_FR_COMPRESSOR_EXT" "$CFE_FR_SUPERHUB_IMPORT_DIR" ||
log "Failed to move files from drop dir to import dir."
fi
# List the dumps to import, one path per line; nothing to import is not an
# error.
dump_files="$(ls -1 "$CFE_FR_SUPERHUB_IMPORT_DIR/"*".sql.$CFE_FR_COMPRESSOR_EXT" 2>/dev/null)" ||
{
log "No files to import."
exit 0
}
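# Quoted, comma-separated list of the table names for use inside ARRAY[...].
table_whitelist=$(printf "'%s'," $CFE_FR_TABLES | sed -e 's/,$//')
failed=0
log "Setting up schemas for import"
declare -a hostkeys
# Dump files that pass the checks below, one path per line.
kept_dump_files=""
# Start with an empty log so the output of every feeder is kept, not only
# the output of the last one processed.
: > schema_setup.log
for file in $dump_files; do
  hostkey=$(basename "$file" | cut -d. -f1)
  # The hostkey comes from a file name found in the import dir and is placed
  # inside SQL text below and in later steps. Accept only names made of
  # letters, digits, "=", "_" and "-" so a crafted file name cannot change
  # the statements. (Assumes hostkeys look like SHA=<hex> -- confirm.)
  case "$hostkey" in
    "" | *[!A-Za-z0-9=_-]*)
      log "Unexpected characters in hostkey part of file name, skipping the dump file $file"
      continue
      ;;
  esac
  hostkeys+=("$hostkey")
  # '|| true' keeps a failing lookup from aborting the script under
  # 'set -e'; an empty result is handled as "feeder unknown".
  hub_id=$("$CFE_BIN_DIR"/psql --quiet --csv --tuples-only -U cfapache -d cfdb -c "SELECT hub_id FROM __hubs WHERE hostkey = '$hostkey';") || true
  if [ -z "$hub_id" ]; then
    log "No feeder with hostkey $hostkey found in cfdb.__hubs, skipping the dump file $file, consider deleting this file or re-adding the feeder to superhub"
    continue
  fi
  # Keep the file for the following steps. The list is rebuilt here rather
  # than edited with sed, so the file name is never used as part of a sed
  # program and the list stays one path per line.
  kept_dump_files="${kept_dump_files:+$kept_dump_files
}$file"
  "$CFE_BIN_DIR"/psql -U "$CFE_FR_DB_USER" -d cfdb --set "ON_ERROR_STOP=1" \
    -c "SELECT ensure_feeder_schema('$hostkey', ARRAY[$table_whitelist]);" \
    >> schema_setup.log 2>&1 || failed=1
done
dump_files="$kept_dump_files"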
# Report the outcome of the schema setup; on failure undo it and stop.
if [ "$failed" = "0" ]; then
log "Setting up schemas for import: DONE"
else
log "Setting up schemas for import: FAILED"
# remove any newly created schemas (revert the changes)
# NOTE(review): the hostkey is taken from the dump file name and placed
# inside the SQL text below; it needs to be a validated value.
for file in $dump_files; do
hostkey=$(basename "$file" | cut -d. -f1)
# best effort: a failing drop must not stop the revert of the other schemas
"$CFE_BIN_DIR"/psql -U $CFE_FR_DB_USER -d cfdb -c "SELECT drop_feeder_schema('$hostkey');" || true
done
echo "last 10 lines of schema_setup.log"
tail -n 10 schema_setup.log
exit 1
fi
# if we removed all the dump_files due to lack of __hubs table entry, just quit
if [ -z "$dump_files" ]; then
log "No dump files left to process."
exit 0
fi
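# make sure the script we are about to run is executable
chmod u+x "$(dirname "$0")/import_file.sh"
log "Importing files: $dump_files"
# CFE_FR_IMPORT_NJOBS is expanded unquoted on purpose: when it is empty or
# unset, no job limit argument is passed.
echo "$dump_files" | run_in_parallel "$(dirname "$0")/import_file.sh" - $CFE_FR_IMPORT_NJOBS ||
  failed=1
if [ "$failed" = "0" ]; then
  log "Importing files: DONE"
else
  log "Importing files: FAILED"
  for file in "$CFE_FR_SUPERHUB_IMPORT_DIR/"*".sql.$CFE_FR_COMPRESSOR_EXT.failed"; do
    # Without any *.failed marker the glob stays a literal pattern; skip it
    # instead of reading a non-existent log, which would abort the script
    # under 'set -e' with pipefail.
    [ -e "$file" ] || continue
    # Derive the hostkey before it is logged, so the message names the
    # feeder of this file and not the one of an earlier loop.
    hostkey=$(basename "$file" | cut -d. -f1)
    log "Failed to import file '${file%%.failed}'"
    log "Last lines of failure log ${file%%.failed}.log.$CFE_FR_COMPRESSOR_EXT"
    "$CFE_FR_COMPRESSOR" $CFE_FR_DECOMPRESS_ARGS "${file%%.failed}.log.$CFE_FR_COMPRESSOR_EXT" | tail ||
      log "Could not read failure log ${file%%.failed}.log.$CFE_FR_COMPRESSOR_EXT"
    # The hostkey comes from a file name and is placed inside SQL text, so
    # only names made of letters, digits, "=", "_" and "-" are used.
    # (Assumes hostkeys look like SHA=<hex> -- confirm.)
    case "$hostkey" in
      "" | *[!A-Za-z0-9=_-]*)
        log "Unexpected characters in hostkey part of file name, not dropping a schema for $file"
        continue
        ;;
    esac
    log "Revert changes by dropping $hostkey feeder schema"
    # (the original/in-use/previous schema is left intact)
    "$CFE_BIN_DIR"/psql -U "$CFE_FR_DB_USER" -d cfdb -c "SELECT drop_feeder_schema('$hostkey');" || true
  done
fi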
# Optional step: let the database handle hostkeys that appear in more than
# one imported feeder.
if [ "$CFE_FR_HANDLE_DUPLICATES" = "yes" ]; then
log "Handle Duplicate Hostkeys"
# Quoted, comma-separated list of the hostkeys collected during schema setup.
# NOTE(review): the hostkeys come from dump file names and are placed inside
# the SQL text below; they need to be validated values.
hostkey_list=$(printf "'%s'," ${hostkeys[*]} | sed -e 's/,$//')
"$CFE_BIN_DIR"/psql -U $CFE_FR_DB_USER -d cfdb --set "ON_ERROR_STOP=1" \
-c "SELECT handle_duplicate_hostkeys_in_import(ARRAY[$hostkey_list]);" \
> duplicates.log 2>&1 || failed=1
# NOTE(review): $failed may already be 1 from the import step above, in which
# case this step is reported as FAILED and the script exits even if the call
# itself succeeded -- confirm whether that is intended.
if [ "$failed" = "0" ]; then
log "Handle Duplicate Hostkeys: DONE"
else
log "Handle Duplicate Hostkeys: FAILED"
log "last 10 lines of duplicates.log"
tail -n 10 duplicates.log
exit 1
fi
fi
# Attach the freshly imported feeder schemas, one feeder at a time.
# one_failed tracks the current feeder, any_failed the whole loop.
one_failed=0
any_failed=0
log "Attaching schemas"
for file in $dump_files; do
# A "<file>.failed" marker means the import of this dump failed: skip the
# attach and just remove the marker.
if [ ! -f "${file}.failed" ]; then
# NOTE(review): the hostkey is taken from the dump file name and placed
# inside the SQL text below; it needs to be a validated value.
hostkey=$(basename "$file" | cut -d. -f1)
logfile="$WORKDIR"/outputs/"$hostkey"-schema-attach-$(date +%F-%T)-failure.log
# NOTE(review): $debug_import_arg is not set anywhere in this script; unless
# config.sh defines it, psql receives an empty extra argument -- confirm.
if [ "${CFE_FR_DEBUG_IMPORT}" = "yes" ]; then
"$CFE_BIN_DIR"/psql -U $CFE_FR_DB_USER -d cfdb --set "ON_ERROR_STOP=1" "$debug_import_arg" \
-c "SET client_min_messages TO DEBUG5" \
-c "SET SCHEMA 'public'; SELECT attach_feeder_schema('$hostkey', ARRAY[$table_whitelist]);" \
> "$logfile" 2>&1 || one_failed=1
else
"$CFE_BIN_DIR"/psql -U $CFE_FR_DB_USER -d cfdb --set "ON_ERROR_STOP=1" "$debug_import_arg" \
-c "SET SCHEMA 'public'; SELECT attach_feeder_schema('$hostkey', ARRAY[$table_whitelist]);" \
> "$logfile" 2>&1 || one_failed=1
fi
# The log file is kept only when the attach failed.
if [ "$one_failed" = "0" ]; then
rm -f "$logfile"
else
any_failed=1
log "Attaching schemas: FAILED for $hostkey, check $logfile for details"
log "last 10 lines of $logfile"
tail -n 10 "$logfile"
fi
one_failed=0
else
rm -f "${file}.failed"
fi
done
if [ "$any_failed" = "0" ]; then
log "Attaching schemas: DONE"
else
# attach_feeder_schema() makes sure the feeder's import schema is removed in
# case of failure
log "Attaching schemas: FAILED"
exit 1
fi
# Final step: run the configured inventory refresh command, if there is one.
# The command is expanded unquoted so that it may carry its own arguments.
if [ -n "$CFE_FR_INVENTORY_REFRESH_CMD" ]; then
  log "Refreshing inventory"
  if $CFE_FR_INVENTORY_REFRESH_CMD; then
    log "Refreshing inventory: DONE"
  else
    log "Refreshing inventory: FAILED"
    exit 1
  fi
fi
cfengine-masterfiles-3.24.2/templates/cfengine3.service.mustache 0000644 0000000 0000000 00000000347 15010704240 024720 0 ustar 00root root 0000000 0000000 [Unit]
Description=CFEngine 3 umbrella service
Documentation=https://docs.cfengine.com/
After=syslog.target
[Install]
WantedBy=multi-user.target
[Service]
Type=oneshot
ExecStart=/bin/true
ExecReload=/bin/true
RemainAfterExit=yes
cfengine-masterfiles-3.24.2/templates/host_info_report.mustache 0000644 0000000 0000000 00000003666 15010704240 025012 0 ustar 00root root 0000000 0000000 # Host Information
Generated: {{vars.sys.date}}
## Identity
Fully Qualified Hostname: {{vars.sys.fqhost}}
Host ID: {{vars.sys.key_digest}}
## CFEngine
Version: CFEngine {{#classes.enterprise}}Enterprise{{/classes.enterprise}} {{vars.sys.cf_version}}
Last Agent Run: {{vars.host_info_report_cfengine.last_agent_run}}
Policy Release ID: {{vars.host_info_report_cfengine.cf_promises_release_id.releaseId}}
Policy Last Updated: {{vars.host_info_report_cfengine.cf_promises_validated_timestamp_formatted}}
Bootstrapped to: {{vars.sys.policy_hub}}
## OS
Architecture: {{vars.sys.arch}}
Os: {{vars.sys.os}}
Release: {{vars.sys.release}}
Flavor: {{vars.sys.flavor}}
Version: {{vars.sys.version}}
Uptime: {{vars.sys.uptime}} minutes
## Hardware
No. CPUs: {{vars.sys.cpus}}
Total Memory: {{{vars.mon.value_mem_total}}} MB
Total Swap: {{{vars.mon.value_mem_swap}}} MB
Free Memory: {{{vars.mon.value_mem_free}}} MB
Free Swap: {{{vars.mon.value_mem_freeswap}}} MB
## Network
### Interfaces
{{#vars.host_info_report_cfengine.interface_info}}
* {{.}}
{{/vars.host_info_report_cfengine.interface_info}}
{{! Redmine:4506 https://cfengine.com/dev/issues/4506 }}
### IPv4 TCP Ports listening
{{#vars.mon.listening_tcp4_ports}}
* {{.}}
{{/vars.mon.listening_tcp4_ports}}
{{#classes.show_software}}
{{! Redmine:4507 https://cfengine.com/dev/issues/4507 }}
## Software
{{#vars.host_info_report_software.packages}}
[{{method}}] {{name}}: version {{version}}, arch {{arch}}
{{/vars.host_info_report_software.packages}}
{{/classes.show_software}}
## Policy
Information about the policy set on this host.
### Inventory
#### Variables tagged for inventory
{{%vars.host_info_report_inventory.inventory_vars}}
{{#classes.enterprise_edition}}
### Enterprise maintanance bundles available
{{#vars.cfe_internal_enterprise_maintenance.enterprise_maintenance_bundles}}
{{{.}}}
{{/vars.cfe_internal_enterprise_maintenance.enterprise_maintenance_bundles}}
{{/classes.enterprise_edition}}
cfengine-masterfiles-3.24.2/templates/json_multiline.mustache 0000644 0000000 0000000 00000000013 15010704240 024441 0 ustar 00root root 0000000 0000000 {{%-top-}}
cfengine-masterfiles-3.24.2/templates/cf-reactor.service.mustache 0000644 0000000 0000000 00000000712 15010704240 025100 0 ustar 00root root 0000000 0000000 [Unit]
Description=CFEngine Enterprise event reaction daemon
PartOf=cfengine3.service
ConditionPathExists={{{vars.sys.bindir}}}/cf-reactor
ConditionPathExists={{{vars.sys.default_policy_path}}}
After=syslog.target
After=network.target
Wants=cf-postgres.service
After=cf-postgres.service
[Service]
Type=simple
ExecStart={{{vars.sys.bindir}}}/cf-reactor --no-fork
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
WantedBy=cfengine3.service
cfengine-masterfiles-3.24.2/templates/cf-hub.service.mustache 0000644 0000000 0000000 00000000646 15010704240 024225 0 ustar 00root root 0000000 0000000 [Unit]
Description=CFEngine Enterprise Hub Report Collector
PartOf=cfengine3.service
ConditionPathExists={{{vars.sys.bindir}}}/cf-hub
ConditionPathExists={{{vars.sys.default_policy_path}}}
After=syslog.target
After=network.target
Wants=cf-postgres.service
After=cf-postgres.service
[Service]
Type=simple
ExecStart={{{vars.sys.bindir}}}/cf-hub --no-fork
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
cfengine-masterfiles-3.24.2/templates/cf-apache.service.mustache 0000644 0000000 0000000 00000001031 15010704240 024655 0 ustar 00root root 0000000 0000000 [Unit]
Description=CFEngine Enterprise Webserver
After=syslog.target
Wants=cf-postgres.service
After=cf-postgres.service
ConditionPathExists={{{vars.sys.workdir}}}/httpd/bin/apachectl
PartOf=cfengine3.service
[Service]
Type=forking
ExecStart={{{vars.sys.workdir}}}/httpd/bin/apachectl start
ExecStop={{{vars.sys.workdir}}}/httpd/bin/apachectl stop
ExecReload={{{vars.sys.workdir}}}/httpd/bin/apachectl graceful
PIDFile={{{vars.sys.workdir}}}/httpd/httpd.pid
Restart=always
RestartSec=10
UMask=0177
[Install]
WantedBy=multi-user.target
cfengine-masterfiles-3.24.2/templates/cf-monitord.service.mustache 0000644 0000000 0000000 00000000525 15010704240 025276 0 ustar 00root root 0000000 0000000 [Unit]
Description=CFEngine Monitor Daemon
After=syslog.target
ConditionPathExists={{{vars.sys.bindir}}}/cf-monitord
ConditionPathExists={{{vars.sys.default_policy_path}}}
PartOf=cfengine3.service
[Service]
Type=simple
ExecStart={{{vars.sys.bindir}}}/cf-monitord --no-fork
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
cfengine-masterfiles-3.24.2/templates/json_serial.mustache 0000644 0000000 0000000 00000000013 15010704240 023716 0 ustar 00root root 0000000 0000000 {{$-top-}}
cfengine-masterfiles-3.24.2/Makefile.am 0000644 0000000 0000000 00000002557 15010704240 017730 0 ustar 00root root 0000000 0000000 ACLOCAL_AMFLAGS = -I m4
SUBDIRS = \
tests/
# See configure.ac for MASTERFILES_INSTALL_TARGETS.
nobase_dist_masterfiles_DATA = @MASTERFILES_INSTALL_TARGETS@
masterfilesdir=$(prefix)/masterfiles
EXTRA_DIST = README.md inventory/README.md lib/README.md CONTRIBUTING.md LICENSE CFVERSION modules/promises
# Do not reveal usernames of the buildslave
TAR_OPTIONS = --owner=0 --group=0
export TAR_OPTIONS
# Store the permissions properly in the tarball for acceptance tests to succeed
dist-hook:
find $(distdir) -name '*.cf*' | xargs chmod go-w
tar-package:
pkgdir=`mktemp -d` && export pkgdir && \
origdir=`pwd` && export origdir && \
umask 0022 && chmod 755 $$pkgdir && \
$(MAKE) prefix=$$pkgdir install && \
( cd $$pkgdir && \
find . -name '*.cf*' | xargs -n1 chmod go-w && \
tardir=. && $(am__tar) | \
GZIP=$(GZIP_ENV) gzip -c \
> "$$origdir"/$(PACKAGE)-$(VERSION)-$(RELEASE).pkg.tar.gz \
) ; \
[ x$$pkgdir != x ] && rm -rf $$pkgdir
clean-local:
rm -rf build
non-priv-install:
mkdir -p "$$HOME/.cfagent/bin"
ln -sf $$(command -v cf-promises) "$$HOME/.cfagent/bin"
mkdir -p "$$HOME/.cfagent/inputs/lib"
rsync -avz ./lib/ "$$HOME/.cfagent/inputs/lib/"
[ ! -s "$$HOME/.cfagent/inputs/promises.cf" ] && echo "bundle agent main { reports: 'Hello, CFEngine!'; }" > "$$HOME/.cfagent/inputs/promises.cf"
cfengine-masterfiles-3.24.2/configure 0000755 0000000 0000000 00000401602 15010704303 017575 0 ustar 00root root 0000000 0000000 #! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for cfengine-masterfiles 3.24.2.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
#
#
# This configure script is free software; the Free Software Foundation
# gives unlimited permission to copy, distribute and modify it.
## -------------------- ##
## M4sh Initialization. ##
## -------------------- ##
# Be more Bourne compatible
DUALCASE=1; export DUALCASE # for MKS sh
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
emulate sh
NULLCMD=:
# Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
# is contrary to our usage. Disable this feature.
alias -g '${1+"$@"}'='"$@"'
setopt NO_GLOB_SUBST
else
case `(set -o) 2>/dev/null` in #(
*posix*) :
set -o posix ;; #(
*) :
;;
esac
fi
as_nl='
'
export as_nl
# Printing a long string crashes Solaris 7 /usr/bin/printf.
as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
# Prefer a ksh shell builtin over an external printf program on Solaris,
# but without wasting forks for bash or zsh.
if test -z "$BASH_VERSION$ZSH_VERSION" \
&& (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
as_echo='print -r --'
as_echo_n='print -rn --'
elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
as_echo='printf %s\n'
as_echo_n='printf %s'
else
if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
as_echo_n='/usr/ucb/echo -n'
else
as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
as_echo_n_body='eval
arg=$1;
case $arg in #(
*"$as_nl"*)
expr "X$arg" : "X\\(.*\\)$as_nl";
arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
esac;
expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
'
export as_echo_n_body
as_echo_n='sh -c $as_echo_n_body as_echo'
fi
export as_echo_body
as_echo='sh -c $as_echo_body as_echo'
fi
# The user is always right.
if test "${PATH_SEPARATOR+set}" != set; then
PATH_SEPARATOR=:
(PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
(PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
PATH_SEPARATOR=';'
}
fi
# IFS
# We need space, tab and new line, in precisely that order. Quoting is
# there to prevent editors from complaining about space-tab.
# (If _AS_PATH_WALK were called with IFS unset, it would disable word
# splitting by setting IFS to empty value.)
IFS=" "" $as_nl"
# Find who we are. Look in the path if we contain no directory separator.
as_myself=
case $0 in #((
*[\\/]* ) as_myself=$0 ;;
*) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
done
IFS=$as_save_IFS
;;
esac
# We did not find ourselves, most probably we were run as `sh COMMAND'
# in which case we are not to be found in the path.
if test "x$as_myself" = x; then
as_myself=$0
fi
if test ! -f "$as_myself"; then
$as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
exit 1
fi
# Unset variables that we do not need and which cause bugs (e.g. in
# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1"
# suppresses any "Segmentation fault" message there. '((' could
# trigger a bug in pdksh 5.2.14.
# BASH_ENV and ENV name startup files that a shell may source, so dropping
# them keeps files chosen by the caller's environment out of child shells.
# The unset is first tried in a subshell; the real unset runs only when that
# trial succeeds, and the trailing `|| :` keeps the loop status at zero.
for as_var in BASH_ENV ENV MAIL MAILPATH
do eval test x\${$as_var+set} = xset \
&& ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
done
# Fixed prompt strings replace whatever PS1/PS2/PS4 were inherited.
PS1='$ '
PS2='> '
PS4='+ '
# NLS nuisances.
# Both variables are set to C and exported, so child processes see them too.
LC_ALL=C
export LC_ALL
LANGUAGE=C
export LANGUAGE
# CDPATH.
# Unset only where a trial in a subshell shows the shell supports it.
(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
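# Re-execute this script under $CONFIG_SHELL when the caller supplied one.
# _as_can_reexec is exported as "no" before the exec and checked on entry, so
# the replacement shell does not re-execute again and loop forever.
# CONFIG_SHELL comes from the environment and is expanded unquoted: whoever
# sets it chooses the interpreter (and any leading arguments) for the whole
# run, so it has to be treated as trusted input.
if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
  _as_can_reexec=no; export _as_can_reexec;
  # We cannot yet assume a decent shell, so we have to provide a
  # neutralization value for shells without unset; and this also
  # works around shells that cannot unset nonexistent variables.
  # Preserve -v and -x to the replacement shell.
  BASH_ENV=/dev/null
  ENV=/dev/null
  (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
  case $- in # ((((
    *v*x* | *x*v* ) as_opts=-vx ;;
    *v* ) as_opts=-v ;;
    *x* ) as_opts=-x ;;
    * ) as_opts= ;;
  esac
  exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
  # Admittedly, this is quite paranoid, since all the known shells bail
  # out after a failed `exec'.
  $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
  # Plain exit, as in the second re-exec block of this file: as_fn_exit is
  # only defined further down and does not exist yet at this point.
  exit 255
fi
# We don't want this to propagate to other subprocesses.
{ _as_can_reexec=; unset _as_can_reexec;}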
# No CONFIG_SHELL was given: check whether the running shell is good enough
# and, if not, look for a better one and re-execute under it.
if test "x$CONFIG_SHELL" = x; then
# Prologue that is placed in front of every probe script fed to a candidate
# shell: it switches zsh to sh emulation or turns on POSIX mode if offered.
as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
emulate sh
NULLCMD=:
# Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
# is contrary to our usage. Disable this feature.
alias -g '\${1+\"\$@\"}'='\"\$@\"'
setopt NO_GLOB_SUBST
else
case \`(set -o) 2>/dev/null\` in #(
*posix*) :
set -o posix ;; #(
*) :
;;
esac
fi
"
# Mandatory checks: shell functions, their exit statuses, preservation of
# positional parameters across a function call, and `test -x`.
as_required="as_fn_return () { (exit \$1); }
as_fn_success () { as_fn_return 0; }
as_fn_failure () { as_fn_return 1; }
as_fn_ret_success () { return 0; }
as_fn_ret_failure () { return 1; }
exitcode=0
as_fn_success || { exitcode=1; echo as_fn_success failed.; }
as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
else
exitcode=1; echo positional parameters were not saved.
fi
test x\$exitcode = x0 || exit 1
test -x / || exit 1"
# Preferred check: $LINENO must expand to consecutive numbers on consecutive
# lines. The current $LINENO values are baked into the string as a reference.
as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1"
# Run the mandatory checks in a subshell of the current shell first.
if (eval "$as_required") 2>/dev/null; then :
as_have_required=yes
else
as_have_required=no
fi
if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :
else
# The current shell failed a check. Walk /bin, /usr/bin and then the
# caller's PATH; only absolute directories are considered (the `/*)` arm),
# so relative entries such as `.` are never searched for a shell.
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
as_found=false
for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
as_found=:
case $as_dir in #(
/*)
for as_base in sh bash ksh sh5; do
# Try only shells that exist, to save several forks.
as_shell=$as_dir/$as_base
if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
{ $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
CONFIG_SHELL=$as_shell as_have_required=yes
if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
break 2
fi
fi
done;;
esac
as_found=false
done
# Fallback when the loop did not break out early: try $SHELL from the
# environment, which only has to pass the mandatory checks.
$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
{ $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
CONFIG_SHELL=$SHELL as_have_required=yes
fi; }
IFS=$as_save_IFS
# A usable shell was found: export the choice and start over under it.
if test "x$CONFIG_SHELL" != x; then :
export CONFIG_SHELL
# We cannot yet assume a decent shell, so we have to provide a
# neutralization value for shells without unset; and this also
# works around shells that cannot unset nonexistent variables.
# Preserve -v and -x to the replacement shell.
BASH_ENV=/dev/null
ENV=/dev/null
(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
case $- in # ((((
*v*x* | *x*v* ) as_opts=-vx ;;
*v* ) as_opts=-v ;;
*x* ) as_opts=-x ;;
* ) as_opts= ;;
esac
exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
# Admittedly, this is quite paranoid, since all the known shells bail
# out after a failed `exec'.
$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
exit 255
fi
# Nothing passed even the mandatory checks: explain and give up.
if test x$as_have_required = xno; then :
$as_echo "$0: This script requires a shell more modern than all"
$as_echo "$0: the shells that I found on your system."
if test x${ZSH_VERSION+set} = xset ; then
$as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
$as_echo "$0: be upgraded to zsh 4.3.4 or later."
else
$as_echo "$0: Please tell bug-autoconf@gnu.org about your system,
$0: including any error possibly output before this
$0: message. Then install a modern shell, or manually run
$0: the script under such a shell if you do have one."
fi
exit 1
fi
fi
fi
# SHELL follows CONFIG_SHELL whenever that variable is set (even to an empty
# value) and falls back to /bin/sh only when it is unset.
if test "${CONFIG_SHELL+set}" = set; then
  SHELL=$CONFIG_SHELL
else
  SHELL=/bin/sh
fi
export SHELL
# Unset more variables known to interfere with behavior of common tools.
# Each one is assigned before the unset, so the unset never meets a
# variable that does not exist.
CLICOLOR_FORCE=
GREP_OPTIONS=
unset CLICOLOR_FORCE GREP_OPTIONS
## --------------------- ##
## M4sh Shell Functions. ##
## --------------------- ##
# as_fn_unset VAR
# ---------------
# Portably unset VAR.
as_fn_unset ()
{
  # Assign first so the variable exists; the unset then also succeeds in
  # shells that cannot unset a variable that was never set.
  # $1 is passed through eval unquoted: callers must supply a plain
  # variable name, never text taken from outside the script.
  eval $1=
  unset $1
}
as_unset=as_fn_unset
# as_fn_set_status STATUS
# -----------------------
# Set $? to STATUS, without forking.
as_fn_set_status ()
{
  # `return` runs in the current shell, so $? is set without a subshell.
  return $1
} # as_fn_set_status
# as_fn_exit STATUS
# -----------------
# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
as_fn_exit ()
{
  # errexit is switched off before $? is set to STATUS; the shell then
  # leaves through the explicit exit with that same STATUS.
  set +e
  as_fn_set_status $1
  exit $1
} # as_fn_exit
# as_fn_mkdir_p
# -------------
# Create "$as_dir" as a directory, including parents if necessary.
as_fn_mkdir_p ()
{
# Takes no arguments: the directory comes from the global as_dir. Also reads
# as_mkdir_p, as_dirname, as_expr and as_echo, and calls as_fn_error when
# the directory cannot be created.
# A name starting with '-' is prefixed with ./ so that it cannot be read as
# an option by the commands below.
case $as_dir in #(
-*) as_dir=./$as_dir;;
esac
# Fast paths: the directory already exists, or the command stored in
# as_mkdir_p succeeds. Otherwise build the missing chain by hand.
test -d "$as_dir" || eval $as_mkdir_p || {
as_dirs=
while :; do
# Quote the name for the eval at the end: every ' becomes '\'' so the
# whole path stays inside one pair of single quotes.
case $as_dir in #(
*\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
*) as_qdir=$as_dir;;
esac
# Prepend, so as_dirs ends up ordered from the outermost missing
# directory to the innermost one.
as_dirs="'$as_qdir' $as_dirs"
# Step to the parent: dirname, then expr, then a sed fallback.
as_dir=`$as_dirname -- "$as_dir" ||
$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$as_dir" : 'X\(//\)[^/]' \| \
X"$as_dir" : 'X\(//\)$' \| \
X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X"$as_dir" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
}
/^X\(\/\/\)[^/].*/{
s//\1/
q
}
/^X\(\/\/\)$/{
s//\1/
q
}
/^X\(\/\).*/{
s//\1/
q
}
s/.*/./; q'`
# Stop at the first ancestor that already exists.
test -d "$as_dir" && break
done
# The list is evaluated as shell text; the quoting above is what keeps each
# path a single word with no expansion.
test -z "$as_dirs" || eval "mkdir $as_dirs"
} || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
} # as_fn_mkdir_p
# as_fn_executable_p FILE
# -----------------------
# Test if FILE is an executable regular file.
as_fn_executable_p ()
{
  # A directory also passes `test -x`, so the regular-file check comes
  # first and decides whether the execute bit is looked at at all.
  if test -f "$1"; then
    test -x "$1"
  else
    return 1
  fi
} # as_fn_executable_p
# as_fn_append VAR VALUE
# ----------------------
# Append the text in VALUE to the end of the definition contained in VAR. Take
# advantage of any shell optimizations that allow amortized linear growth over
# repeated appends, instead of the typical quadratic growth present in naive
# implementations.
# Portable form: rebuild the variable from its old value followed by VALUE.
# $1 is evaluated as code, so it must be a plain variable name; \$2 is only
# expanded inside the eval, so VALUE itself is not re-parsed.
as_fn_append ()
{
  eval $1=\$$1\$2
}
# Where a trial in a subshell shows that += works, switch to that form.
if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then
  eval 'as_fn_append ()
  {
    eval $1+=\$2
  }'
fi # as_fn_append
# as_fn_arith ARG...
# ------------------
# Perform arithmetic evaluation on the ARGs, and store the result in the
# global $as_val. Take advantage of shells that can avoid forks. The arguments
# must be portable across $(()) and expr.
# Portable form: let expr do the arithmetic. expr exits with status 1 when
# the result is 0, which `|| test $? -eq 1` turns back into success.
as_fn_arith ()
{
  as_val=`expr "$@" || test $? -eq 1`
}
# Where a trial in a subshell shows that $(( )) works, use it instead. The
# definition is passed to eval as a string.
if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then
  eval 'as_fn_arith ()
  {
    as_val=$(( $* ))
  }'
fi # as_fn_arith
# as_fn_error STATUS ERROR [LINENO LOG_FD]
# ----------------------------------------
# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
# script with STATUS, using 1 if that was 0.
as_fn_error ()
{
  # A caller passing status 0 still gets a failing exit: 0 becomes 1.
  as_status=$1
  if test $as_status -eq 0; then
    as_status=1
  fi
  # With a log descriptor in $4, write a line-numbered copy of the message
  # there first; the line number is $3 unless as_lineno is already set.
  if test "$4"; then
    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
  fi
  # The message always goes to stderr, prefixed with the script name.
  $as_echo "$as_me: error: $2" >&2
  as_fn_exit $as_status
} # as_fn_error
# expr is used only if it supports matching with a capture group and
# returns the captured text unchanged (leading zeros kept).
as_expr=false
if expr a : '\(a\)' >/dev/null 2>&1; then
  if test "X`expr 00001 : '.*\(...\)'`" = X001; then
    as_expr=expr
  fi
fi
# basename is used only if it accepts `--` and maps / to /.
as_basename=false
if (basename -- /) >/dev/null 2>&1; then
  if test "X`basename -- / 2>&1`" = "X/"; then
    as_basename=basename
  fi
fi
# Same probe for dirname; the subshell keeps the scratch value of as_dir
# out of the current shell.
as_dirname=false
if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
  as_dirname=dirname
fi
# as_me: the last path component of $0, used as the prefix of diagnostics
# (see as_fn_error). Three methods are chained with ||: the command in
# as_basename, then the one in as_expr, then a sed script.
as_me=`$as_basename -- "$0" ||
$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
X"$0" : 'X\(//\)$' \| \
X"$0" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X/"$0" |
sed '/^.*\/\([^/][^/]*\)\/*$/{
s//\1/
q
}
/^X\/\(\/\/\)$/{
s//\1/
q
}
/^X\/\(\/\).*/{
s//\1/
q
}
s/.*/./; q'`
# Avoid depending upon Character Ranges.
# Every class is spelled out in full and the combined classes are built by
# concatenation, so no bracket range such as a-z is ever needed.
as_cr_digits='0123456789'
as_cr_letters='abcdefghijklmnopqrstuvwxyz'
as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
as_cr_Letters="${as_cr_letters}${as_cr_LETTERS}"
as_cr_alnum="${as_cr_Letters}${as_cr_digits}"
# Check that $LINENO expands to consecutive numbers on consecutive lines.
# If it does not, build a copy of this script in which every $LINENO is
# replaced by its literal line number, and source that copy instead.
as_lineno_1=$LINENO as_lineno_1a=$LINENO
as_lineno_2=$LINENO as_lineno_2a=$LINENO
eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
# Blame Lee E. McMahon (1931-1989) for sed's syntax. :-)
# The copy is written to "$as_me.lineno" in the current directory, made
# executable and then sourced below, so the current directory must not be
# writable by anyone who should not control what this script runs.
sed -n '
p
/[$]LINENO/=
' <$as_myself |
sed '
s/[$]LINENO.*/&-/
t lineno
b
:lineno
N
:loop
s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
t loop
s/-\n.*//
' >$as_me.lineno &&
chmod +x "$as_me.lineno" ||
{ $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
# If we had to re-execute with $CONFIG_SHELL, we're ensured to have
# already done that, so ensure we don't try to do so again and fall
# in an infinite loop. This has already happened in practice.
_as_can_reexec=no; export _as_can_reexec
# Don't try to exec as it changes $[0], causing all sort of problems
# (the dirname of $[0] is not the place where we might find the
# original and so on. Autoconf is especially sensitive to this).
. "./$as_me.lineno"
# Exit status is that of the last command.
exit
}
# Work out how to print text without a trailing newline. ECHO_N becomes
# '-n' when `echo -n x` does not echo the -n back; otherwise ECHO_C becomes
# '\c' when `echo 'xy\c'` prints just xy; ECHO_T is set in the other cases.
# NOTE(review): the comment below says ECHO_T is a single tab, but both
# ECHO_T literals read as a space in this copy - presumably extraction
# damage; confirm against the upstream file.
ECHO_C= ECHO_N= ECHO_T=
case `echo -n x` in #(((((
-n*)
case `echo 'xy\c'` in
*c*) ECHO_T=' ';; # ECHO_T is single tab character.
xy) ECHO_C='\c';;
*) echo `echo ksh88 bug on AIX 6.1` > /dev/null
ECHO_T=' ';;
esac;;
*)
ECHO_N='-n';;
esac
# Probe how files can be linked and record the command in as_ln_s:
# 'ln -s', plain 'ln', or 'cp -pR' as the fallback.
# The scratch names are built from the shell's process id ($$) and live in
# the current directory, so they are predictable; run this only in a build
# directory that other users cannot write to.
rm -f conf$$ conf$$.exe conf$$.file
if test -d conf$$.dir; then
rm -f conf$$.dir/conf$$.file
else
rm -f conf$$.dir
mkdir conf$$.dir 2>/dev/null
fi
if (echo >conf$$.file) 2>/dev/null; then
if ln -s conf$$.file conf$$ 2>/dev/null; then
as_ln_s='ln -s'
# ... but there are two gotchas:
# 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
# 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
# In both cases, we have to default to `cp -pR'.
ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
as_ln_s='cp -pR'
elif ln conf$$.file conf$$ 2>/dev/null; then
as_ln_s=ln
else
as_ln_s='cp -pR'
fi
else
as_ln_s='cp -pR'
fi
# Remove every scratch file and the scratch directory again.
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null
# as_mkdir_p holds the command as_fn_mkdir_p passes to eval: a real
# `mkdir -p` on "$as_dir" when the option works, otherwise `false`.
as_mkdir_p=false
if mkdir -p . 2>/dev/null; then
  as_mkdir_p='mkdir -p "$as_dir"'
else
  # A mkdir without -p support may have created a directory named "-p".
  test -d ./-p && rmdir ./-p
fi
# Command strings kept in variables: the executable test and the name of the
# function that checks for an executable regular file.
as_test_x='test -x'
as_executable_p=as_fn_executable_p
# Sed expression to map a string onto a valid CPP name.
# The as_cr_* classes are expanded now, while the string is assigned. The
# stored text starts with `eval`, presumably so that expanding the variable
# as a command re-parses the quoted sed script.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
# Sed expression to map a string onto a valid variable name.
# Every character outside [_A-Za-z0-9] becomes '_' ('*' and '+' become 'p').
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
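# The redirections on this line were lost in this copy: as printed,
# `exec 7<&0 &1` would put the exec in the background and then try to run a
# command named `1`. Restored to the form autoconf generates.
# Keep the caller's stdin reachable on fd 7 and read from /dev/null from
# here on (skipped when DJDIR is set).
test -n "$DJDIR" || exec 7<&0 </dev/null
# fd 6 carries progress messages; it starts as a copy of stdout and is
# pointed at /dev/null later when --silent is given.
exec 6>&1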
# Name of the host.
# First line printed by hostname, or by uname -n when hostname exits
# non-zero (its exit status is bogus on SVR3.2 and old GNU/Linux, so uname
# may run as well). Errors from both commands are discarded.
ac_hostname=`{ hostname || uname -n; } 2>/dev/null | sed 1q`
#
# Initializations.
#
# Starting values; the option loop and later checks overwrite them.
ac_default_prefix=/usr/local
ac_clean_files=
ac_config_libobj_dir=.
LIBOBJS=
cross_compiling=no
subdirs=
# MFLAGS and MAKEFLAGS are set to empty here, which discards any value
# inherited from the caller's environment.
MFLAGS=
MAKEFLAGS=
# Identity of this package.
# No bug-report address or URL is recorded for this package.
PACKAGE_NAME='cfengine-masterfiles'
PACKAGE_TARNAME='cfengine-masterfiles'
PACKAGE_VERSION='3.24.2'
PACKAGE_STRING='cfengine-masterfiles 3.24.2'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
ac_subst_vars='LTLIBOBJS
LIBOBJS
MASTERFILES_INSTALL_TARGETS
MASTERFILES_TESTS
HAVE_SHUNIT2_FALSE
HAVE_SHUNIT2_TRUE
HAVE_PKG_INSTALL_FALSE
HAVE_PKG_INSTALL_TRUE
ac_cv_shunit2
ac_cv_pkg_install
XNU_FALSE
XNU_TRUE
NETBSD_FALSE
NETBSD_TRUE
FREEBSD_FALSE
FREEBSD_TRUE
HPUX_FALSE
HPUX_TRUE
AIX_FALSE
AIX_TRUE
CYGWIN_FALSE
CYGWIN_TRUE
NT_FALSE
NT_TRUE
SOLARIS_FALSE
SOLARIS_TRUE
MACOSX_FALSE
MACOSX_TRUE
LINUX_FALSE
LINUX_TRUE
enterprise_dir
HAVE_ENTERPRISE_FALSE
HAVE_ENTERPRISE_TRUE
core_dir
HAVE_CORE_FALSE
HAVE_CORE_TRUE
MAINT
MAINTAINER_MODE_FALSE
MAINTAINER_MODE_TRUE
AM_BACKSLASH
AM_DEFAULT_VERBOSITY
AM_DEFAULT_V
AM_V
am__untar
am__tar
AMTAR
am__leading_dot
SET_MAKE
AWK
mkdir_p
MKDIR_P
INSTALL_STRIP_PROGRAM
STRIP
install_sh
MAKEINFO
AUTOHEADER
AUTOMAKE
AUTOCONF
ACLOCAL
VERSION
PACKAGE
CYGPATH_W
am__isrc
INSTALL_DATA
INSTALL_SCRIPT
INSTALL_PROGRAM
target_os
target_vendor
target_cpu
target
host_os
host_vendor
host_cpu
host
build_os
build_vendor
build_cpu
build
RELEASE
target_alias
host_alias
build_alias
LIBS
ECHO_T
ECHO_N
ECHO_C
DEFS
mandir
localedir
libdir
psdir
pdfdir
dvidir
htmldir
infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
datadir
datarootdir
libexecdir
sbindir
bindir
program_transform_name
prefix
exec_prefix
PACKAGE_URL
PACKAGE_BUGREPORT
PACKAGE_STRING
PACKAGE_VERSION
PACKAGE_TARNAME
PACKAGE_NAME
PATH_SEPARATOR
SHELL'
ac_subst_files=''
# Newline-separated list of the --enable-*/--with-* options this package
# knows. The option loop matches "enable_NAME" / "with_NAME" against it, with
# the surrounding newlines included, and records anything else as
# unrecognized.
ac_user_opts='
enable_option_checking
enable_silent_rules
enable_maintainer_mode
with_core
with_enterprise
'
# Newline-separated names of the "precious" variables of this package.
ac_precious_vars='build_alias
host_alias
target_alias'
# Initialize some variables set by options.
ac_init_help=
ac_init_version=false
ac_unrecognized_opts=
ac_unrecognized_sep=
# The variables have the same names as the options, with
# dashes changed to underlines.
cache_file=/dev/null
exec_prefix=NONE
no_create=
no_recursion=
prefix=NONE
program_prefix=NONE
program_suffix=NONE
program_transform_name=s,x,x,
silent=
site=
srcdir=
verbose=
x_includes=NONE
x_libraries=NONE
# Installation directory options.
# These are left unexpanded so users can "make install exec_prefix=/foo"
# and all the variables that are supposed to be based on exec_prefix
# by default will actually change.
# Use braces instead of parens because sh, perl, etc. also accept them.
# (The list follows the same order as the GNU Coding Standards.)
bindir='${exec_prefix}/bin'
sbindir='${exec_prefix}/sbin'
libexecdir='${exec_prefix}/libexec'
datarootdir='${prefix}/share'
datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
infodir='${datarootdir}/info'
htmldir='${docdir}'
dvidir='${docdir}'
pdfdir='${docdir}'
psdir='${docdir}'
libdir='${exec_prefix}/lib'
localedir='${datarootdir}/locale'
mandir='${datarootdir}/man'
# Command-line parsing. Each argument is either the value for the option
# named in ac_prev, an option of its own, a VAR=VALUE assignment, or a bare
# word that is taken as a host type.
# Several arms below assign through eval. In each of them the variable name
# is either a fixed string from this script or has been checked against a
# character allow-list first, and the value is referenced as \$ac_option or
# \$ac_optarg, so the value text itself is never re-parsed as shell code.
ac_prev=
ac_dashdash=
for ac_option
do
# If the previous option needs an argument, assign it.
# ac_prev is only ever set below to a literal variable name.
if test -n "$ac_prev"; then
eval $ac_prev=\$ac_option
ac_prev=
continue
fi
# ac_optarg: the text after the first '=', empty for a trailing '=', and
# "yes" when the argument has no '=' at all.
case $ac_option in
*=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
*=) ac_optarg= ;;
*) ac_optarg=yes ;;
esac
# Accept the important Cygnus configure options, so we can diagnose typos.
# After a bare "--", ac_dashdash is prefixed to every argument, so none of
# the option patterns below can match any more.
case $ac_dashdash$ac_option in
--)
ac_dashdash=yes ;;
-bindir | --bindir | --bindi | --bind | --bin | --bi)
ac_prev=bindir ;;
-bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
bindir=$ac_optarg ;;
-build | --build | --buil | --bui | --bu)
ac_prev=build_alias ;;
-build=* | --build=* | --buil=* | --bui=* | --bu=*)
build_alias=$ac_optarg ;;
-cache-file | --cache-file | --cache-fil | --cache-fi \
| --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
ac_prev=cache_file ;;
-cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
| --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
cache_file=$ac_optarg ;;
--config-cache | -C)
cache_file=config.cache ;;
-datadir | --datadir | --datadi | --datad)
ac_prev=datadir ;;
-datadir=* | --datadir=* | --datadi=* | --datad=*)
datadir=$ac_optarg ;;
-datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
| --dataroo | --dataro | --datar)
ac_prev=datarootdir ;;
-datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
| --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
datarootdir=$ac_optarg ;;
-disable-* | --disable-*)
ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
# Reject names that are not valid shell variable names.
# This check runs before the name reaches eval: only letters, digits and
# "-+._" pass, and "-+." are then rewritten to "_".
expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
as_fn_error $? "invalid feature name: $ac_useropt"
ac_useropt_orig=$ac_useropt
ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
case $ac_user_opts in
*"
"enable_$ac_useropt"
"*) ;;
*) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
ac_unrecognized_sep=', ';;
esac
eval enable_$ac_useropt=no ;;
-docdir | --docdir | --docdi | --doc | --do)
ac_prev=docdir ;;
-docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
docdir=$ac_optarg ;;
-dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
ac_prev=dvidir ;;
-dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
dvidir=$ac_optarg ;;
-enable-* | --enable-*)
ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
# Reject names that are not valid shell variable names.
expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
as_fn_error $? "invalid feature name: $ac_useropt"
ac_useropt_orig=$ac_useropt
ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
case $ac_user_opts in
*"
"enable_$ac_useropt"
"*) ;;
*) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
ac_unrecognized_sep=', ';;
esac
eval enable_$ac_useropt=\$ac_optarg ;;
-exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
| --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
| --exec | --exe | --ex)
ac_prev=exec_prefix ;;
-exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
| --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
| --exec=* | --exe=* | --ex=*)
exec_prefix=$ac_optarg ;;
-gas | --gas | --ga | --g)
# Obsolete; use --with-gas.
with_gas=yes ;;
-help | --help | --hel | --he | -h)
ac_init_help=long ;;
-help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
ac_init_help=recursive ;;
-help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
ac_init_help=short ;;
-host | --host | --hos | --ho)
ac_prev=host_alias ;;
-host=* | --host=* | --hos=* | --ho=*)
host_alias=$ac_optarg ;;
-htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
ac_prev=htmldir ;;
-htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
| --ht=*)
htmldir=$ac_optarg ;;
-includedir | --includedir | --includedi | --included | --include \
| --includ | --inclu | --incl | --inc)
ac_prev=includedir ;;
-includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
| --includ=* | --inclu=* | --incl=* | --inc=*)
includedir=$ac_optarg ;;
-infodir | --infodir | --infodi | --infod | --info | --inf)
ac_prev=infodir ;;
-infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
infodir=$ac_optarg ;;
-libdir | --libdir | --libdi | --libd)
ac_prev=libdir ;;
-libdir=* | --libdir=* | --libdi=* | --libd=*)
libdir=$ac_optarg ;;
-libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
| --libexe | --libex | --libe)
ac_prev=libexecdir ;;
-libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
| --libexe=* | --libex=* | --libe=*)
libexecdir=$ac_optarg ;;
-localedir | --localedir | --localedi | --localed | --locale)
ac_prev=localedir ;;
-localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
localedir=$ac_optarg ;;
-localstatedir | --localstatedir | --localstatedi | --localstated \
| --localstate | --localstat | --localsta | --localst | --locals)
ac_prev=localstatedir ;;
-localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
| --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
localstatedir=$ac_optarg ;;
-mandir | --mandir | --mandi | --mand | --man | --ma | --m)
ac_prev=mandir ;;
-mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
mandir=$ac_optarg ;;
-nfp | --nfp | --nf)
# Obsolete; use --without-fp.
with_fp=no ;;
-no-create | --no-create | --no-creat | --no-crea | --no-cre \
| --no-cr | --no-c | -n)
no_create=yes ;;
-no-recursion | --no-recursion | --no-recursio | --no-recursi \
| --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
no_recursion=yes ;;
-oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
| --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
| --oldin | --oldi | --old | --ol | --o)
ac_prev=oldincludedir ;;
-oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
| --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
| --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
oldincludedir=$ac_optarg ;;
-prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
ac_prev=prefix ;;
-prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
prefix=$ac_optarg ;;
-program-prefix | --program-prefix | --program-prefi | --program-pref \
| --program-pre | --program-pr | --program-p)
ac_prev=program_prefix ;;
-program-prefix=* | --program-prefix=* | --program-prefi=* \
| --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
program_prefix=$ac_optarg ;;
-program-suffix | --program-suffix | --program-suffi | --program-suff \
| --program-suf | --program-su | --program-s)
ac_prev=program_suffix ;;
-program-suffix=* | --program-suffix=* | --program-suffi=* \
| --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
program_suffix=$ac_optarg ;;
-program-transform-name | --program-transform-name \
| --program-transform-nam | --program-transform-na \
| --program-transform-n | --program-transform- \
| --program-transform | --program-transfor \
| --program-transfo | --program-transf \
| --program-trans | --program-tran \
| --progr-tra | --program-tr | --program-t)
ac_prev=program_transform_name ;;
-program-transform-name=* | --program-transform-name=* \
| --program-transform-nam=* | --program-transform-na=* \
| --program-transform-n=* | --program-transform-=* \
| --program-transform=* | --program-transfor=* \
| --program-transfo=* | --program-transf=* \
| --program-trans=* | --program-tran=* \
| --progr-tra=* | --program-tr=* | --program-t=*)
program_transform_name=$ac_optarg ;;
-pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
ac_prev=pdfdir ;;
-pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
pdfdir=$ac_optarg ;;
-psdir | --psdir | --psdi | --psd | --ps)
ac_prev=psdir ;;
-psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
psdir=$ac_optarg ;;
-q | -quiet | --quiet | --quie | --qui | --qu | --q \
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
| --sbi=* | --sb=*)
sbindir=$ac_optarg ;;
-sharedstatedir | --sharedstatedir | --sharedstatedi \
| --sharedstated | --sharedstate | --sharedstat | --sharedsta \
| --sharedst | --shareds | --shared | --share | --shar \
| --sha | --sh)
ac_prev=sharedstatedir ;;
-sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
| --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
| --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
| --sha=* | --sh=*)
sharedstatedir=$ac_optarg ;;
-site | --site | --sit)
ac_prev=site ;;
-site=* | --site=* | --sit=*)
site=$ac_optarg ;;
-srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
ac_prev=srcdir ;;
-srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
srcdir=$ac_optarg ;;
-sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
| --syscon | --sysco | --sysc | --sys | --sy)
ac_prev=sysconfdir ;;
-sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
| --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
sysconfdir=$ac_optarg ;;
-target | --target | --targe | --targ | --tar | --ta | --t)
ac_prev=target_alias ;;
-target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
target_alias=$ac_optarg ;;
-v | -verbose | --verbose | --verbos | --verbo | --verb)
verbose=yes ;;
-version | --version | --versio | --versi | --vers | -V)
ac_init_version=: ;;
-with-* | --with-*)
ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
# Reject names that are not valid shell variable names.
expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
as_fn_error $? "invalid package name: $ac_useropt"
ac_useropt_orig=$ac_useropt
ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
case $ac_user_opts in
*"
"with_$ac_useropt"
"*) ;;
*) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
ac_unrecognized_sep=', ';;
esac
eval with_$ac_useropt=\$ac_optarg ;;
-without-* | --without-*)
ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
# Reject names that are not valid shell variable names.
expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
as_fn_error $? "invalid package name: $ac_useropt"
ac_useropt_orig=$ac_useropt
ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
case $ac_user_opts in
*"
"with_$ac_useropt"
"*) ;;
*) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
ac_unrecognized_sep=', ';;
esac
eval with_$ac_useropt=no ;;
--x)
# Obsolete; use --with-x.
with_x=yes ;;
-x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
| --x-incl | --x-inc | --x-in | --x-i)
ac_prev=x_includes ;;
-x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
| --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
x_includes=$ac_optarg ;;
-x-libraries | --x-libraries | --x-librarie | --x-librari \
| --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
ac_prev=x_libraries ;;
-x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
| --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
x_libraries=$ac_optarg ;;
-*) as_fn_error $? "unrecognized option: \`$ac_option'
Try \`$0 --help' for more information"
;;
*=*)
ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
# Reject names that are not valid shell variable names.
# An empty name, a leading digit, or any character outside [_A-Za-z0-9] is
# fatal, so only a plain identifier reaches the eval and export below.
case $ac_envvar in #(
'' | [0-9]* | *[!_$as_cr_alnum]* )
as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
esac
eval $ac_envvar=\$ac_optarg
export $ac_envvar ;;
*)
# FIXME: should be removed in autoconf 3.0.
$as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
$as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
: "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}"
;;
esac
done
# A non-empty ac_prev at this point means the option loop above ended while
# an option that takes a separate value (e.g. --x-includes) was still waiting
# for that value.
if test -n "$ac_prev"; then
# Rebuild the user-visible option name for the message: the variable name
# stored in ac_prev uses '_' where the option uses '-'.
ac_option=--`echo $ac_prev | sed 's/_/-/g'`
as_fn_error $? "missing argument to $ac_option"
fi
# ac_unrecognized_opts holds the unknown options collected by the loop above
# (the visible arms add --with-*/--without-* names). enable_option_checking
# decides the reaction: "no" accepts them silently, "fatal" aborts, any other
# value only prints a warning on stderr.
if test -n "$ac_unrecognized_opts"; then
case $enable_option_checking in
no) ;;
fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
*) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
esac
fi
# Check all directory arguments for consistency.
# The variable names iterated here are a fixed literal list, so the evals
# below only ever build assignments to these known names.
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir runstatedir
do
# Indirect read: the escaped \$ leaves "$<name>" for eval to expand, so the
# user-supplied value is assigned as data and is not re-parsed as shell code.
eval ac_val=\$$ac_var
# Remove trailing slashes.
case $ac_val in
*/ )
# First alternative strips trailing slashes; the second keeps the value
# as-is when it consists only of slashes.
ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
eval $ac_var=\$ac_val;;
esac
# Be sure to have absolute directory names.
# Accepted: values starting with '/', '\' or '$', and drive-letter forms
# such as C:/ or C:\. NONE or an empty value is accepted only for the
# *prefix variables. Everything else falls through to the error below.
case $ac_val in
[\\/$]* | ?:[\\/]* ) continue;;
NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
esac
as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
done
# There might be people who depend on the old broken behavior: `$host'
# used to hold the argument of --host etc.
# FIXME: To remove some day.
build=$build_alias
host=$host_alias
target=$target_alias
# FIXME: To remove some day.
# Decide the cross-compilation state from the aliases alone: a host without a
# build gives "maybe"; a host that differs from the build gives "yes". In all
# other cases cross_compiling is left untouched here.
if test "x$host_alias" != x; then
if test "x$build_alias" = x; then
cross_compiling=maybe
elif test "x$build_alias" != "x$host_alias"; then
cross_compiling=yes
fi
fi
# Tool names are looked up with a "<host_alias>-" prefix when a host was given.
ac_tool_prefix=
test -n "$host_alias" && ac_tool_prefix=$host_alias-
# File descriptor 6 receives the "checking ..." progress messages (see the
# >&6 redirections further down); --silent points it at /dev/null.
test "$silent" = yes && exec 6>/dev/null
# Determine the working directory and verify that the name printed by pwd
# really refers to it: the `ls -di .' output (inode number and name) of the
# current directory is compared with the same listing taken after cd'ing to
# the reported name.
ac_pwd=`pwd` && test -n "$ac_pwd" &&
ac_ls_di=`ls -di .` &&
ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
as_fn_error $? "working directory cannot be determined"
test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
as_fn_error $? "pwd does not report name of working directory"
# Find the source files, if location was not specified.
if test -z "$srcdir"; then
ac_srcdir_defaulted=yes
# Try the directory containing this script, then the parent directory.
# The directory part of $as_myself is computed with $as_dirname; if that
# fails, the $as_expr expression is tried, and finally the sed script. The
# patterns distinguish "dir/name", a leading "//", and a leading "/"; when
# none matches the result is ".".
ac_confdir=`$as_dirname -- "$as_myself" ||
$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$as_myself" : 'X\(//\)[^/]' \| \
X"$as_myself" : 'X\(//\)$' \| \
X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X"$as_myself" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
}
/^X\(\/\/\)[^/].*/{
s//\1/
q
}
/^X\(\/\/\)$/{
s//\1/
q
}
/^X\(\/\).*/{
s//\1/
q
}
s/.*/./; q'`
srcdir=$ac_confdir
# $ac_unique_file is the marker file whose presence identifies the source
# tree; fall back to the parent directory when it is not readable here.
if test ! -r "$srcdir/$ac_unique_file"; then
srcdir=..
fi
else
ac_srcdir_defaulted=no
fi
# Whether srcdir was given or guessed, the marker file must be readable there.
if test ! -r "$srcdir/$ac_unique_file"; then
# Only for the message: list both locations that were tried.
test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
fi
ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
# Resolve srcdir to an absolute name in a subshell so that the cd does not
# change this script's own working directory.
ac_abs_confdir=`(
cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
pwd)`
# When building in place, set srcdir=.
if test "$ac_abs_confdir" = "$ac_pwd"; then
srcdir=.
fi
# Remove unnecessary trailing slashes from srcdir.
# Double slashes in file names in object file debugging info
# mess up M-x gdb in Emacs.
case $srcdir in
*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
esac
# Snapshot every "precious" variable as it stands now: whether it is set
# (the string "set" or empty, via ${VAR+set}) and its value. Two copies are
# kept, ac_env_* and ac_cv_env_*; further down the ac_cv_env_* copy is
# compared with the ac_env_* copy after the cache file has been loaded.
# The escaped \$ makes eval assign the value as data rather than re-parse it.
for ac_var in $ac_precious_vars; do
eval ac_env_${ac_var}_set=\${${ac_var}+set}
eval ac_env_${ac_var}_value=\$${ac_var}
eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
eval ac_cv_env_${ac_var}_value=\$${ac_var}
done
#
# Report the --help message.
#
# Only --help / --help=long prints this general part; the package-specific
# part that follows is printed for every help mode.
if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
# Unquoted here-document delimiter: $0 and $ac_default_prefix are expanded,
# while \` and \$ are escaped so that they print literally.
cat <<_ACEOF
\`configure' configures cfengine-masterfiles 3.24.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE. See below for descriptions of some of the useful variables.
Defaults for the options are specified in brackets.
Configuration:
-h, --help display this help and exit
--help=short display options specific to this package
--help=recursive display the short help of all the included packages
-V, --version display version information and exit
-q, --quiet, --silent do not print \`checking ...' messages
--cache-file=FILE cache test results in FILE [disabled]
-C, --config-cache alias for \`--cache-file=config.cache'
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or \`..']
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[$ac_default_prefix]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, \`make install' will install all the files in
\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify
an installation prefix other than \`$ac_default_prefix' using \`--prefix',
for instance \`--prefix=\$HOME'.
For better control, use the options below.
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
--datadir=DIR read-only architecture-independent data [DATAROOTDIR]
--infodir=DIR info documentation [DATAROOTDIR/info]
--localedir=DIR locale-dependent data [DATAROOTDIR/locale]
--mandir=DIR man documentation [DATAROOTDIR/man]
--docdir=DIR documentation root
[DATAROOTDIR/doc/cfengine-masterfiles]
--htmldir=DIR html documentation [DOCDIR]
--dvidir=DIR dvi documentation [DOCDIR]
--pdfdir=DIR pdf documentation [DOCDIR]
--psdir=DIR ps documentation [DOCDIR]
_ACEOF
# Quoted delimiter (\_ACEOF): the text below is printed verbatim, with no
# variable or command expansion.
cat <<\_ACEOF
Program names:
--program-prefix=PREFIX prepend PREFIX to installed program names
--program-suffix=SUFFIX append SUFFIX to installed program names
--program-transform-name=PROGRAM run sed PROGRAM on installed program names
System types:
--build=BUILD configure for building on BUILD [guessed]
--host=HOST cross-compile to build programs to run on HOST [BUILD]
--target=TARGET configure for building compilers for TARGET [HOST]
_ACEOF
fi
# Package-specific help, printed for every --help mode (long, short and
# recursive). The short and recursive modes get a title line first.
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of cfengine-masterfiles 3.24.2:";;
esac
# Quoted delimiter: printed verbatim, nothing is expanded.
cat <<\_ACEOF
Optional Features:
--disable-option-checking ignore unrecognized --enable/--with options
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-silent-rules less verbose build output (undo: "make V=1")
--disable-silent-rules verbose build output (undo: "make V=0")
--disable-maintainer-mode
disable make rules and dependencies not useful (and
sometimes confusing) to the casual installer
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-core= Build against core in directory . Defaults to
"../core". If not found there or if --with-core=no
then tests are disabled
--with-enterprise=
Build against enterprise in directory .
Defaults to "../enterprise"
Report bugs to the package provider.
_ACEOF
# Exit status of the cat above; it becomes the exit code of the help run
# unless the recursive pass below replaces it.
ac_status=$?
fi
# --help=recursive: visit every directory in $ac_subdirs_all and run the
# configure script found there with --help=recursive. Note that this executes
# those scripts through $SHELL, so the sub-package directories have to be as
# trusted as this script itself.
if test "$ac_init_help" = "recursive"; then
# If there are subdirs, report their specific --help.
# The leading ":" keeps the word list non-empty; it is skipped immediately.
for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
# Look for the directory relative to the build directory first, then
# relative to the source directory (which then becomes the working
# directory, with srcdir reset to ".").
test -d "$ac_dir" ||
{ cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
continue
ac_builddir=.
case "$ac_dir" in
.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
*)
ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
# A ".." for each directory in $ac_dir_suffix.
ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
case $ac_top_builddir_sub in
"") ac_top_builddir_sub=. ac_top_build_prefix= ;;
*) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
esac ;;
esac
ac_abs_top_builddir=$ac_pwd
ac_abs_builddir=$ac_pwd$ac_dir_suffix
# for backward compatibility:
ac_top_builddir=$ac_top_build_prefix
# Derive the source directory of the sub-package, as seen from inside
# $ac_dir, for the three possible forms of $srcdir.
case $srcdir in
.) # We are building in place.
ac_srcdir=.
ac_top_srcdir=$ac_top_builddir_sub
ac_abs_top_srcdir=$ac_pwd ;;
[\\/]* | ?:[\\/]* ) # Absolute name.
ac_srcdir=$srcdir$ac_dir_suffix;
ac_top_srcdir=$srcdir
ac_abs_top_srcdir=$srcdir ;;
*) # Relative name.
ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
ac_top_srcdir=$ac_top_build_prefix$srcdir
ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
esac
ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
# A directory that cannot be entered is skipped, but the failure is kept
# in ac_status.
cd "$ac_dir" || { ac_status=$?; continue; }
# Check for guested configure.
# configure.gnu takes precedence over configure when both exist.
if test -f "$ac_srcdir/configure.gnu"; then
echo &&
$SHELL "$ac_srcdir/configure.gnu" --help=recursive
elif test -f "$ac_srcdir/configure"; then
echo &&
$SHELL "$ac_srcdir/configure" --help=recursive
else
$as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
fi || ac_status=$?
# Return to the top build directory; stop the loop if that fails.
cd "$ac_pwd" || { ac_status=$?; break; }
done
fi
# Any help mode ends the run here, with the status collected above.
test -n "$ac_init_help" && exit $ac_status
# --version: ac_init_version holds a command name that is executed as the
# condition (presumably "false" or ":" / "true", set by the option loop —
# not visible here). Prints the version banner verbatim and exits.
if $ac_init_version; then
cat <<\_ACEOF
cfengine-masterfiles configure 3.24.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it.
_ACEOF
exit
fi
## ------------------------ ##
## Autoconf initialization. ##
## ------------------------ ##
# Start a fresh config.log in the current directory (">" truncates any
# previous one). The here-document is unquoted, so "$0 $@" below records the
# complete command line. Together with the host name, uname data and PATH
# entries written next, and the variable dump appended by the exit trap,
# config.log can therefore contain whatever was passed on the command line or
# exported in the environment; review it before attaching it to public bug
# reports or publishing it as a build artifact.
cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by cfengine-masterfiles $as_me 3.24.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
_ACEOF
# From here on file descriptor 5 appends to config.log.
exec 5>>config.log
{
# Each probe runs in a subshell with stderr discarded; a probe that is
# missing on this platform is reported as "unknown".
cat <<_ASUNAME
## --------- ##
## Platform. ##
## --------- ##
hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
uname -m = `(uname -m) 2>/dev/null || echo unknown`
uname -r = `(uname -r) 2>/dev/null || echo unknown`
uname -s = `(uname -s) 2>/dev/null || echo unknown`
uname -v = `(uname -v) 2>/dev/null || echo unknown`
/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown`
/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown`
/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown`
/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown`
/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown`
/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown`
/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown`
_ASUNAME
# Log every PATH entry, one per line. IFS is switched to the path separator
# only for the word splitting of $PATH and restored inside the loop body.
# An empty entry is logged as "." (the current directory).
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
$as_echo "PATH: $as_dir"
done
IFS=$as_save_IFS
} >&5
cat >&5 <<_ACEOF
## ----------- ##
## Core tests. ##
## ----------- ##
_ACEOF
# Keep a trace of the command line.
# Strip out --no-create and --no-recursion so they do not pile up.
# Strip out --silent because we don't want to record it for future runs.
# Also quote any args containing shell meta-characters.
# Make two passes to allow for proper duplicate-argument suppression.
#
# Result: ac_configure_args, a string of single-quoted words. Every argument
# is wrapped in '...' and an embedded apostrophe is rewritten as '\'' first,
# so that the stored text can be handed back to a shell without the argument
# contents being interpreted as shell syntax.
ac_configure_args=
ac_configure_args0=
ac_configure_args1=
ac_must_keep_next=false
for ac_pass in 1 2
do
# "for ac_arg" without "in" iterates over this script's positional
# parameters, i.e. the original command line.
for ac_arg
do
case $ac_arg in
-no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
-q | -quiet | --quiet | --quie | --qui | --qu | --q \
| -silent | --silent | --silen | --sile | --sil)
continue ;;
*\'*)
ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
esac
case $ac_pass in
# Pass 1 only collects the complete quoted list for later comparison.
1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
2)
# Pass 2: ac_configure_args1 is the list up to and including this word.
as_fn_append ac_configure_args1 " '$ac_arg'"
if test $ac_must_keep_next = true; then
ac_must_keep_next=false # Got value, back to normal.
else
case $ac_arg in
*=* | --config-cache | -C | -disable-* | --disable-* \
| -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
| -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
| -with-* | --with-* | -without-* | --without-* | --x)
# If the same word occurs again later in the full list (pass-1
# string), drop this occurrence so that only the last one is kept.
case "$ac_configure_args0 " in
"$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
esac
;;
# Any other dash option: keep the following word unconditionally
# (presumably the option's separate value).
-* ) ac_must_keep_next=true ;;
esac
fi
as_fn_append ac_configure_args " '$ac_arg'"
;;
esac
done
done
# The two helper lists are no longer needed.
{ ac_configure_args0=; unset ac_configure_args0;}
{ ac_configure_args1=; unset ac_configure_args1;}
# When interrupted or exit'd, cleanup temporary files, and complete
# config.log. We remove comments because anyway the quotes in there
# would cause problems or look ugly.
# WARNING: Use '\'' to represent an apostrophe within the trap.
# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
#
# What the exit trap (signal 0) does, in order:
#   1. saves the exit status;
#   2. appends to config.log (fd 5): every *_cv_* cache variable with its
#      value, every variable named in $ac_subst_vars and $ac_subst_files with
#      its value, the contents of confdefs.h, and the signal/exit status;
#      variables whose value contains a newline are cleared first, with a
#      warning for cache variables;
#   3. removes core files and the conftest*/confdefs*/conf<pid>* scratch files
#      plus $ac_clean_files from the current directory.
# Because of step 2, config.log ends up holding the values of the output
# variables (which may include anything passed in through the environment or
# the command line), so it deserves the same handling as the build
# environment itself. The rm in step 3 uses globs relative to the current
# directory and an unquoted $ac_clean_files.
trap 'exit_status=$?
# Save into config.log some information that might help in debugging.
{
echo
$as_echo "## ---------------- ##
## Cache variables. ##
## ---------------- ##"
echo
# The following way of writing the cache mishandles newlines in values,
(
for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
eval ac_val=\$$ac_var
case $ac_val in #(
*${as_nl}*)
case $ac_var in #(
*_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
esac
case $ac_var in #(
_ | IFS | as_nl) ;; #(
BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
*) { eval $ac_var=; unset $ac_var;} ;;
esac ;;
esac
done
(set) 2>&1 |
case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
*${as_nl}ac_space=\ *)
sed -n \
"s/'\''/'\''\\\\'\'''\''/g;
s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
;; #(
*)
sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
;;
esac |
sort
)
echo
$as_echo "## ----------------- ##
## Output variables. ##
## ----------------- ##"
echo
for ac_var in $ac_subst_vars
do
eval ac_val=\$$ac_var
case $ac_val in
*\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
esac
$as_echo "$ac_var='\''$ac_val'\''"
done | sort
echo
if test -n "$ac_subst_files"; then
$as_echo "## ------------------- ##
## File substitutions. ##
## ------------------- ##"
echo
for ac_var in $ac_subst_files
do
eval ac_val=\$$ac_var
case $ac_val in
*\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
esac
$as_echo "$ac_var='\''$ac_val'\''"
done | sort
echo
fi
if test -s confdefs.h; then
$as_echo "## ----------- ##
## confdefs.h. ##
## ----------- ##"
echo
cat confdefs.h
echo
fi
test "$ac_signal" != 0 &&
$as_echo "$as_me: caught signal $ac_signal"
$as_echo "$as_me: exit $exit_status"
} >&5
rm -f core *.core core.conftest.* &&
rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
exit $exit_status
' 0
# Signals 1, 2, 13 and 15 record their number in ac_signal and then exit with
# status 1 through as_fn_exit, which in turn runs the exit trap above. The
# signal number is spliced into the trap text when the trap is installed.
for ac_signal in 1 2 13 15; do
trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
done
# 0 means "no signal caught"; the exit trap tests for this value.
ac_signal=0
# confdefs.h avoids OS command line length limits that DEFS can exceed.
# Start from a clean slate: remove scratch files left by an earlier run, then
# create confdefs.h with a one-line header comment.
rm -f -r conftest* confdefs.h
$as_echo "/* confdefs.h */" > confdefs.h
# Predefined preprocessor variables.
# The here-documents are unquoted, so each PACKAGE_* shell variable is
# expanded and written between double quotes as-is; no escaping for C string
# syntax is applied here.
cat >>confdefs.h <<_ACEOF
#define PACKAGE_NAME "$PACKAGE_NAME"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define PACKAGE_VERSION "$PACKAGE_VERSION"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define PACKAGE_STRING "$PACKAGE_STRING"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define PACKAGE_URL "$PACKAGE_URL"
_ACEOF
# Let the site file select an alternate cache file if it wants to.
# Prefer an explicitly selected file to automatically selected ones.
#
# Trust note: every site file found below is dot-sourced, i.e. executed as
# shell code inside this configure process with the invoking user's
# privileges. The candidates are $CONFIG_SITE from the environment, or else
# share/config.site and etc/config.site under --prefix (or under the default
# prefix). When configure runs in CI or as a privileged user, keep CONFIG_SITE
# unset or pointing at a reviewed file, and make sure those prefix
# directories are not writable by less trusted accounts.
ac_site_file1=NONE
ac_site_file2=NONE
if test -n "$CONFIG_SITE"; then
# We do not want a PATH search for config.site.
# A value starting with "-" or containing no "/" is anchored with "./";
# a value that contains "/" is used unchanged.
case $CONFIG_SITE in #((
-*) ac_site_file1=./$CONFIG_SITE;;
*/*) ac_site_file1=$CONFIG_SITE;;
*) ac_site_file1=./$CONFIG_SITE;;
esac
elif test "x$prefix" != xNONE; then
ac_site_file1=$prefix/share/config.site
ac_site_file2=$prefix/etc/config.site
else
ac_site_file1=$ac_default_prefix/share/config.site
ac_site_file2=$ac_default_prefix/etc/config.site
fi
for ac_site_file in "$ac_site_file1" "$ac_site_file2"
do
test "x$ac_site_file" = xNONE && continue
# /dev/null is skipped explicitly; any other readable file is loaded.
if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
$as_echo "$as_me: loading site script $ac_site_file" >&6;}
# Copy the script text into config.log, each line prefixed with "| ", so
# the log shows exactly what was executed.
sed 's/^/| /' "$ac_site_file" >&5
. "$ac_site_file" \
|| { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "failed to load site script $ac_site_file
See \`config.log' for more details" "$LINENO" 5; }
fi
done
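# Load the results cache named by $cache_file (see --cache-file in the help
# text), or create it empty when it is not readable yet.
# Trust note: the cache is dot-sourced, so its contents are executed as shell
# code inside this process; it should only ever name a file that the invoking
# user controls.
if test -r "$cache_file"; then
# Some versions of bash will fail to source /dev/null (special files
# actually), so we avoid doing that. DJGPP emulates it as a regular file.
if test /dev/null != "$cache_file" && test -f "$cache_file"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
$as_echo "$as_me: loading cache $cache_file" >&6;}
# A relative name is anchored with "./" so that `.' reads it from the
# current directory instead of searching PATH for it.
case $cache_file in
[\\/]* | ?:[\\/]* ) . "$cache_file";;
*) . "./$cache_file";;
esac
fi
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
$as_echo "$as_me: creating cache $cache_file" >&6;}
# Create the empty cache. The name is quoted so that whitespace or glob
# characters in it cannot split or expand the redirection target.
>"$cache_file"
fi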
# Check that the precious variables saved in the cache have kept the same
# value.
# ac_cache_corrupted holds a command name: "false" while everything matches,
# ":" (always true) once a mismatch is found; it is executed as the condition
# of the final "if".
ac_cache_corrupted=false
for ac_var in $ac_precious_vars; do
# "old" is the ac_cv_env_* copy (as it stands after the cache load), "new"
# is the ac_env_* snapshot of the current environment.
eval ac_old_set=\$ac_cv_env_${ac_var}_set
eval ac_new_set=\$ac_env_${ac_var}_set
eval ac_old_val=\$ac_cv_env_${ac_var}_value
eval ac_new_val=\$ac_env_${ac_var}_value
case $ac_old_set,$ac_new_set in
set,)
{ $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
ac_cache_corrupted=: ;;
,set)
{ $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
ac_cache_corrupted=: ;;
,);;
*)
if test "x$ac_old_val" != "x$ac_new_val"; then
# differences in whitespace do not lead to failure.
# The unquoted expansions let the shell collapse runs of whitespace
# before the two values are compared again.
ac_old_val_w=`echo x $ac_old_val`
ac_new_val_w=`echo x $ac_new_val`
if test "$ac_old_val_w" != "$ac_new_val_w"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
ac_cache_corrupted=:
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
# Only whitespace differs: continue with the previous value.
eval $ac_var=\$ac_old_val
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5
$as_echo "$as_me: former value: \`$ac_old_val'" >&2;}
{ $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5
$as_echo "$as_me: current value: \`$ac_new_val'" >&2;}
fi;;
esac
# Pass precious variables to config.status.
# The VAR=value word is added to the recorded command line in the same
# single-quoted form as the other arguments (apostrophes become '\'').
if test "$ac_new_set" = set; then
case $ac_new_val in
*\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
*) ac_arg=$ac_var=$ac_new_val ;;
esac
case " $ac_configure_args " in
*" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy.
*) as_fn_append ac_configure_args " '$ac_arg'" ;;
esac
fi
done
# A mismatch between the cached and the current environment stops the run:
# cached test results may not be valid for the new settings.
if $ac_cache_corrupted; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
{ $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
fi
## -------------------- ##
## Main body of script. ##
## -------------------- ##
# Command templates for compile/link tests in C. They are single-quoted, so
# $CC, $CFLAGS etc. are stored unexpanded (presumably expanded when a test
# evaluates the template later; those uses are not visible here).
ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
cfengine_version=3.24.2
RELEASE=1
cfengine_release=1
# Locate the auxiliary build scripts: the first of $srcdir, $srcdir/.. and
# $srcdir/../.. that contains install-sh, install.sh or shtool becomes
# ac_aux_dir, and ac_install_sh is set to the matching install command.
ac_aux_dir=
for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
if test -f "$ac_dir/install-sh"; then
ac_aux_dir=$ac_dir
ac_install_sh="$ac_aux_dir/install-sh -c"
break
elif test -f "$ac_dir/install.sh"; then
ac_aux_dir=$ac_dir
ac_install_sh="$ac_aux_dir/install.sh -c"
break
elif test -f "$ac_dir/shtool"; then
ac_aux_dir=$ac_dir
ac_install_sh="$ac_aux_dir/shtool install -c"
break
fi
done
if test -z "$ac_aux_dir"; then
as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5
fi
# These three variables are undocumented and unsupported,
# and are intended to be withdrawn in a future Autoconf release.
# They can cause serious problems if a builder's source tree is in a directory
# whose full name contains unusual characters.
# (The path is embedded unquoted inside each command string, so it would be
# split or expanded again wherever the string is used as a command.)
ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var.
ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var.
ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
# Make sure we can run config.sub.
# "sun4" is only a probe argument; the output is discarded and just the exit
# status matters.
$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5
# Determine the canonical build system type (cpu-vendor-os).
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5
$as_echo_n "checking build system type... " >&6; }
# ${ac_cv_build+:} expands to ":" when the cache variable is already set,
# turning the condition into ": false" (true); otherwise the condition is
# "false" and the else branch computes the value.
if ${ac_cv_build+:} false; then :
$as_echo_n "(cached) " >&6
else
# Use --build if given, otherwise ask config.guess; the result is then
# canonicalized by config.sub.
ac_build_alias=$build_alias
test "x$ac_build_alias" = x &&
ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
test "x$ac_build_alias" = x &&
as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5
ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5
$as_echo "$ac_cv_build" >&6; }
# The canonical name must have at least three dash-separated fields.
case $ac_cv_build in
*-*-*) ;;
*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;;
esac
build=$ac_cv_build
# Split on "-": field 1 is the cpu, field 2 the vendor, the rest is the os.
# The leading "x" protects "set" from a value that starts with a dash.
ac_save_IFS=$IFS; IFS='-'
set x $ac_cv_build
shift
build_cpu=$1
build_vendor=$2
shift; shift
# Remember, the first character of IFS is used to create $*,
# except with old shells:
build_os=$*
IFS=$ac_save_IFS
# Old shells join $* with spaces instead; turn those back into dashes.
case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
# Determine the canonical host system type; it defaults to the build type
# when --host was not given.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5
$as_echo_n "checking host system type... " >&6; }
# True (cached) when ac_cv_host is already set, see ${var+:} idiom.
if ${ac_cv_host+:} false; then :
$as_echo_n "(cached) " >&6
else
if test "x$host_alias" = x; then
ac_cv_host=$ac_cv_build
else
ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5
$as_echo "$ac_cv_host" >&6; }
# The canonical name must have at least three dash-separated fields.
case $ac_cv_host in
*-*-*) ;;
*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;;
esac
host=$ac_cv_host
# Split on "-": field 1 is the cpu, field 2 the vendor, the rest is the os.
ac_save_IFS=$IFS; IFS='-'
set x $ac_cv_host
shift
host_cpu=$1
host_vendor=$2
shift; shift
# Remember, the first character of IFS is used to create $*,
# except with old shells:
host_os=$*
IFS=$ac_save_IFS
# Old shells join $* with spaces instead; turn those back into dashes.
case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
# Determine the canonical target system type; it defaults to the host type
# when --target was not given.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking target system type" >&5
$as_echo_n "checking target system type... " >&6; }
# True (cached) when ac_cv_target is already set, see ${var+:} idiom.
if ${ac_cv_target+:} false; then :
$as_echo_n "(cached) " >&6
else
if test "x$target_alias" = x; then
ac_cv_target=$ac_cv_host
else
ac_cv_target=`$SHELL "$ac_aux_dir/config.sub" $target_alias` ||
as_fn_error $? "$SHELL $ac_aux_dir/config.sub $target_alias failed" "$LINENO" 5
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_target" >&5
$as_echo "$ac_cv_target" >&6; }
# The canonical name must have at least three dash-separated fields.
case $ac_cv_target in
*-*-*) ;;
*) as_fn_error $? "invalid value of canonical target" "$LINENO" 5;;
esac
target=$ac_cv_target
# Split on "-": field 1 is the cpu, field 2 the vendor, the rest is the os.
ac_save_IFS=$IFS; IFS='-'
set x $ac_cv_target
shift
target_cpu=$1
target_vendor=$2
shift; shift
# Remember, the first character of IFS is used to create $*,
# except with old shells:
target_os=$*
IFS=$ac_save_IFS
# Old shells join $* with spaces instead; turn those back into dashes.
case $target_os in *\ *) target_os=`echo "$target_os" | sed 's/ /-/g'`;; esac
# The aliases save the names the user supplied, while $host etc.
# will get canonicalized.
# If a target was named and the three program-name settings still hold the
# values NONE, NONE and "s,x,x," (i.e. nothing was requested), installed
# program names get the target alias as prefix.
test -n "$target_alias" &&
test "$program_prefix$program_suffix$program_transform_name" = \
NONENONEs,x,x, &&
program_prefix=${target_alias}-
am__api_version='1.15'
# Find a good install program. We prefer a C program (faster),
# so one script is as good as another. But avoid the broken or
# incompatible versions:
# SysV /etc/install, /usr/sbin/install
# SunOS /usr/etc/install
# IRIX /sbin/install
# AIX /bin/install
# AmigaOS /C/install, which installs bootblocks on floppy discs
# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
# AFS /usr/afsws/bin/install, which mishandles nonexistent args
# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
# OS/2's system install, which has a completely different semantic
# ./install, which can be erroneously created by make from ./install.sh.
# Reject install programs that cannot install multiple files.
#
# Note that the search below does not just look at candidates: each
# executable named ginstall, scoinst or install found in a PATH directory is
# actually run against scratch files. PATH therefore has to contain only
# trusted directories when configure is executed; an empty PATH entry is
# treated as "." but "./" is excluded from the search by the case below.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5
$as_echo_n "checking for a BSD-compatible install... " >&6; }
# An INSTALL value supplied by the user is taken as-is, without any test.
if test -z "$INSTALL"; then
if ${ac_cv_path_install+:} false; then :
$as_echo_n "(cached) " >&6
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
# Account for people who put trailing slashes in PATH elements.
case $as_dir/ in #((
./ | .// | /[cC]/* | \
/etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \
/usr/ucb/* ) ;;
*)
# OSF1 and SCO ODT 3.0 have their own names for install.
# Don't use installbsd from OSF since it installs stuff as root
# by default.
for ac_prog in ginstall scoinst install; do
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
# Known-incompatible programs are recognized by a marker string
# inside the file and skipped without being run.
if test $ac_prog = install &&
grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
# AIX install. It has an incompatible calling convention.
:
elif test $ac_prog = install &&
grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
# program-specific install script used by HP pwplus--don't use.
:
else
# Functional test: install two files into a directory in one call;
# the sources must survive and both copies must be non-empty.
rm -rf conftest.one conftest.two conftest.dir
echo one > conftest.one
echo two > conftest.two
mkdir conftest.dir
if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" &&
test -s conftest.one && test -s conftest.two &&
test -s conftest.dir/conftest.one &&
test -s conftest.dir/conftest.two
then
ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
# Leave all three loops (extension, program name, PATH entry).
break 3
fi
fi
fi
done
done
;;
esac
done
IFS=$as_save_IFS
rm -rf conftest.one conftest.two conftest.dir
fi
if test "${ac_cv_path_install+set}" = set; then
INSTALL=$ac_cv_path_install
else
# As a last resort, use the slow shell script. Don't cache a
# value for INSTALL within a source directory, because that will
# break other packages using the cache if that directory is
# removed, or if the value is a relative name.
INSTALL=$ac_install_sh
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5
$as_echo "$INSTALL" >&6; }
# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
# It thinks the first close brace ends the variable substitution.
# The defaults are single-quoted: the literal text ${INSTALL} is stored, not
# its current value. Data files default to mode 644.
test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
# Sanity check of the build environment: directory names must be free of
# shell-significant characters and the system clock must not be behind the
# timestamps of the distributed files.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether build environment is sane" >&5
$as_echo_n "checking whether build environment is sane... " >&6; }
# Reject unsafe characters in $srcdir or the absolute working directory
# name. Accept space and tab only in the latter.
# Rejected in both: backslash, double quote, #, $, &, apostrophe, backquote
# and newline.
# NOTE(review): presumably because these names are later substituted into
# generated files and commands without further quoting — confirm against the
# Automake macro that emits this check.
am_lf='
'
case `pwd` in
*[\\\"\#\$\&\'\`$am_lf]*)
as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5;;
esac
case $srcdir in
*[\\\"\#\$\&\'\`$am_lf\ \ ]*)
as_fn_error $? "unsafe srcdir value: '$srcdir'" "$LINENO" 5;;
esac
# Do 'set' in a subshell so we don't clobber the current shell's
# arguments. Must try -L first in case configure is actually a
# symlink; some systems play weird games with the mod time of symlinks
# (eg FreeBSD returns the mod time of the symlink's containing
# directory).
# The check: a freshly written conftest.file must be listed before
# $srcdir/configure by "ls -t" (newest first). One retry after a one-second
# sleep is allowed; whether a sleep happened is recorded inside conftest.file.
if (
am_has_slept=no
for am_try in 1 2; do
echo "timestamp, slept: $am_has_slept" > conftest.file
set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null`
if test "$*" = "X"; then
# -L didn't work.
set X `ls -t "$srcdir/configure" conftest.file`
fi
if test "$*" != "X $srcdir/configure conftest.file" \
&& test "$*" != "X conftest.file $srcdir/configure"; then
# If neither matched, then we have a broken ls. This can happen
# if, for instance, CONFIG_SHELL is bash and it inherits a
# broken ls alias from the environment. This has actually
# happened. Such a system could not be considered "sane".
as_fn_error $? "ls -t appears to fail. Make sure there is not a broken
alias in your environment" "$LINENO" 5
fi
if test "$2" = conftest.file || test $am_try -eq 2; then
break
fi
# Just in case.
sleep 1
am_has_slept=yes
done
# Exit status of the subshell: success only if conftest.file is the newer one.
test "$2" = conftest.file
)
then
# Ok.
:
else
as_fn_error $? "newly created file is older than distributed files!
Check your system clock" "$LINENO" 5
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
# If we didn't sleep, we still need to ensure time stamps of config.status and
# generated files are strictly newer.
# The sleep runs in the background; its PID is kept in am_sleep_pid
# (presumably waited for later, outside the visible part of the script).
am_sleep_pid=
if grep 'slept: no' conftest.file >/dev/null 2>&1; then
( sleep 1 ) &
am_sleep_pid=$!
fi
rm -f conftest.file
# Fold --program-prefix and --program-suffix into program_transform_name, the
# sed program applied to installed program names (see the help text).
# NOTE(review): the prefix and suffix are pasted into the sed expressions
# unescaped, with "&" as delimiter; a value containing "&" or ";" would change
# the resulting sed program — confirm that callers only pass plain name
# fragments.
test "$program_prefix" != NONE &&
program_transform_name="s&^&$program_prefix&;$program_transform_name"
# Use a double $ so make ignores it.
test "$program_suffix" != NONE &&
program_transform_name="s&\$&$program_suffix&;$program_transform_name"
# Double any \ or $.
# By default was `s,x,x', remove it if useless.
ac_script='s/[\\$]/&&/g;s/;s,x,x,$//'
program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"`
# Expand $ac_aux_dir to an absolute path.
am_aux_dir=`cd "$ac_aux_dir" && pwd`
# MISSING is only given a default when it is not already set; a value
# inherited from the environment is kept unchanged. The default stores a
# literal ${SHELL} reference and quotes the path when it contains whitespace.
if test x"${MISSING+set}" != xset; then
case $am_aux_dir in
*\ * | *\ *)
MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
*)
MISSING="\${SHELL} $am_aux_dir/missing" ;;
esac
fi
# Use eval to expand $SHELL
# Because the whole string goes through eval, a MISSING value taken from the
# environment is executed here as shell code; keep it unset or set to a
# trusted command in automated builds.
if eval "$MISSING --is-lightweight"; then
am_missing_run="$MISSING "
else
am_missing_run=
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: 'missing' script is too old or missing" >&5
$as_echo "$as_me: WARNING: 'missing' script is too old or missing" >&2;}
fi
# Same scheme for install_sh: keep an inherited value, otherwise default to
# the install-sh script in the auxiliary directory, quoted if the path
# contains whitespace.
if test x"${install_sh+set}" != xset; then
case $am_aux_dir in
*\ * | *\ *)
install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;;
*)
install_sh="\${SHELL} $am_aux_dir/install-sh"
esac
fi
# Installed binaries are usually stripped using 'strip' when the user
# run "make install-strip". However 'strip' might not be the right
# tool to use in cross-compilation environments, therefore Automake
# will honor the 'STRIP' environment variable to overrule this program.
if test "$cross_compiling" != no; then
if test -n "$ac_tool_prefix"; then
# Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
set dummy ${ac_tool_prefix}strip; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_STRIP+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$STRIP"; then
ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_STRIP="${ac_tool_prefix}strip"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
STRIP=$ac_cv_prog_STRIP
if test -n "$STRIP"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5
$as_echo "$STRIP" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
fi
if test -z "$ac_cv_prog_STRIP"; then
ac_ct_STRIP=$STRIP
# Extract the first word of "strip", so it can be a program name with args.
set dummy strip; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_ac_ct_STRIP+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_ct_STRIP"; then
ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_ac_ct_STRIP="strip"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
if test -n "$ac_ct_STRIP"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5
$as_echo "$ac_ct_STRIP" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
if test "x$ac_ct_STRIP" = x; then
STRIP=":"
else
case $cross_compiling:$ac_tool_warned in
yes:)
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
ac_tool_warned=yes ;;
esac
STRIP=$ac_ct_STRIP
fi
else
STRIP="$ac_cv_prog_STRIP"
fi
fi
INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5
$as_echo_n "checking for a thread-safe mkdir -p... " >&6; }
if test -z "$MKDIR_P"; then
if ${ac_cv_path_mkdir+:} false; then :
$as_echo_n "(cached) " >&6
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_prog in mkdir gmkdir; do
for ac_exec_ext in '' $ac_executable_extensions; do
as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue
case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
'mkdir (GNU coreutils) '* | \
'mkdir (coreutils) '* | \
'mkdir (fileutils) '4.1*)
ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext
break 3;;
esac
done
done
done
IFS=$as_save_IFS
fi
test -d ./--version && rmdir ./--version
if test "${ac_cv_path_mkdir+set}" = set; then
MKDIR_P="$ac_cv_path_mkdir -p"
else
# As a last resort, use the slow shell script. Don't cache a
# value for MKDIR_P within a source directory, because that will
# break other packages using the cache if that directory is
# removed, or if the value is a relative name.
MKDIR_P="$ac_install_sh -d"
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5
$as_echo "$MKDIR_P" >&6; }
for ac_prog in gawk mawk nawk awk
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_AWK+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$AWK"; then
ac_cv_prog_AWK="$AWK" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_AWK="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
AWK=$ac_cv_prog_AWK
if test -n "$AWK"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5
$as_echo "$AWK" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
test -n "$AWK" && break
done
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5
$as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; }
set x ${MAKE-make}
ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then :
$as_echo_n "(cached) " >&6
else
cat >conftest.make <<\_ACEOF
SHELL = /bin/sh
all:
@echo '@@@%%%=$(MAKE)=@@@%%%'
_ACEOF
# GNU make sometimes prints "make[1]: Entering ...", which would confuse us.
case `${MAKE-make} -f conftest.make 2>/dev/null` in
*@@@%%%=?*=@@@%%%*)
eval ac_cv_prog_make_${ac_make}_set=yes;;
*)
eval ac_cv_prog_make_${ac_make}_set=no;;
esac
rm -f conftest.make
fi
if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
SET_MAKE=
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
SET_MAKE="MAKE=${MAKE-make}"
fi
rm -rf .tst 2>/dev/null
mkdir .tst 2>/dev/null
if test -d .tst; then
am__leading_dot=.
else
am__leading_dot=_
fi
rmdir .tst 2>/dev/null
# Check whether --enable-silent-rules was given.
if test "${enable_silent_rules+set}" = set; then :
enableval=$enable_silent_rules;
fi
case $enable_silent_rules in # (((
yes) AM_DEFAULT_VERBOSITY=0;;
no) AM_DEFAULT_VERBOSITY=1;;
*) AM_DEFAULT_VERBOSITY=1;;
esac
am_make=${MAKE-make}
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5
$as_echo_n "checking whether $am_make supports nested variables... " >&6; }
if ${am_cv_make_support_nested_variables+:} false; then :
$as_echo_n "(cached) " >&6
else
if $as_echo 'TRUE=$(BAR$(V))
BAR0=false
BAR1=true
V=1
am__doit:
@$(TRUE)
.PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then
am_cv_make_support_nested_variables=yes
else
am_cv_make_support_nested_variables=no
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5
$as_echo "$am_cv_make_support_nested_variables" >&6; }
if test $am_cv_make_support_nested_variables = yes; then
AM_V='$(V)'
AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)'
else
AM_V=$AM_DEFAULT_VERBOSITY
AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY
fi
AM_BACKSLASH='\'
if test "`cd $srcdir && pwd`" != "`pwd`"; then
# Use -I$(srcdir) only when $(srcdir) != ., so that make's output
# is not polluted with repeated "-I."
am__isrc=' -I$(srcdir)'
# test to see if srcdir already configured
if test -f $srcdir/config.status; then
as_fn_error $? "source directory already configured; run \"make distclean\" there first" "$LINENO" 5
fi
fi
# test whether we have cygpath
if test -z "$CYGPATH_W"; then
if (cygpath --version) >/dev/null 2>/dev/null; then
CYGPATH_W='cygpath -w'
else
CYGPATH_W=echo
fi
fi
# Define the identity of the package.
PACKAGE='cfengine-masterfiles'
VERSION='3.24.2'
cat >>confdefs.h <<_ACEOF
#define PACKAGE "$PACKAGE"
_ACEOF
cat >>confdefs.h <<_ACEOF
#define VERSION "$VERSION"
_ACEOF
# Some tools Automake needs.
ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"}
AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"}
AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"}
AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"}
MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
# For better backward compatibility. To be removed once Automake 1.9.x
# dies out for good. For more background, see:
#
#
mkdir_p='$(MKDIR_P)'
# We need awk for the "check" target (and possibly the TAP driver). The
# system "awk" is bad on some platforms.
# Always define AMTAR for backward compatibility. Yes, it's still used
# in the wild :-( We should find a proper way to deprecate it ...
AMTAR='$${TAR-tar}'
# We'll loop over all known methods to create a tar archive until one works.
_am_tools='gnutar plaintar pax cpio none'
# The POSIX 1988 'ustar' format is defined with fixed-size fields.
# There is notably a 21 bits limit for the UID and the GID. In fact,
# the 'pax' utility can hang on bigger UID/GID (see automake bug#8343
# and bug#13588).
am_max_uid=2097151 # 2^21 - 1
am_max_gid=$am_max_uid
# The $UID and $GID variables are not portable, so we need to resort
# to the POSIX-mandated id(1) utility. Errors in the 'id' calls
# below are definitely unexpected, so allow the users to see them
# (that is, avoid stderr redirection).
am_uid=`id -u || echo unknown`
am_gid=`id -g || echo unknown`
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether UID '$am_uid' is supported by ustar format" >&5
$as_echo_n "checking whether UID '$am_uid' is supported by ustar format... " >&6; }
if test $am_uid -le $am_max_uid; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
_am_tools=none
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether GID '$am_gid' is supported by ustar format" >&5
$as_echo_n "checking whether GID '$am_gid' is supported by ustar format... " >&6; }
if test $am_gid -le $am_max_gid; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
_am_tools=none
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to create a ustar tar archive" >&5
$as_echo_n "checking how to create a ustar tar archive... " >&6; }
# Go ahead even if we have the value already cached. We do so because we
# need to set the values for the 'am__tar' and 'am__untar' variables.
_am_tools=${am_cv_prog_tar_ustar-$_am_tools}
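# Try each candidate archiver in turn and stop at the first one that can
# round-trip a dummy directory through a ustar archive. Each arm sets
# am__tar (written with $$tardir), am__tar_ (the same command with $tardir,
# used for the probe below) and am__untar.
for _am_tool in $_am_tools; do
  case $_am_tool in
  gnutar)
    # Pick the first of tar/gnutar/gtar that answers --version.
    for _am_tar in tar gnutar gtar; do
      { echo "$as_me:$LINENO: $_am_tar --version" >&5
        ($_am_tar --version) >&5 2>&5
        ac_status=$?
        echo "$as_me:$LINENO: \$? = $ac_status" >&5
        (exit $ac_status); } && break
    done
    # Work around CFEngine redmine #6925 by using --hard-dereference.
    { echo "$as_me:$LINENO: $_am_tar --hard-dereference 2>&1 | grep 'unrecognized option'" >&5
      ($_am_tar --hard-dereference 2>&1 | grep 'unrecognized option') >&5 2>&5
      ac_status=$?
      echo "$as_me:$LINENO: \$? = $ac_status" >&5
      (exit $ac_status); }
    # Check if --hard-dereference is supported by this version of GNU Tar.
    # grep succeeding (status 0) means tar printed 'unrecognized option',
    # i.e. the flag is NOT supported.
    if test "$ac_status" -eq 0; then
      _am_gnutar_hard_dereference=false
      am__tar="$_am_tar --format=ustar -chf - "'"$$tardir"'
      am__tar_="$_am_tar --format=ustar -chf - "'"$tardir"'
    else
      _am_gnutar_hard_dereference=true
      am__tar="$_am_tar --format=ustar --hard-dereference -chf - "'"$$tardir"'
      am__tar_="$_am_tar --format=ustar --hard-dereference -chf - "'"$tardir"'
    fi
    am__untar="$_am_tar -xf -"
    ;;
  plaintar)
    # Must skip GNU tar: if it does not support --format= it doesn't create
    # ustar tarball either.
    (tar --version) >/dev/null 2>&1 && continue
    am__tar='tar chf - "$$tardir"'
    am__tar_='tar chf - "$tardir"'
    am__untar='tar xf -'
    ;;
  pax)
    am__tar='pax -L -x ustar -w "$$tardir"'
    am__tar_='pax -L -x ustar -w "$tardir"'
    am__untar='pax -r'
    ;;
  cpio)
    am__tar='find "$$tardir" -print | cpio -o -H ustar -L'
    am__tar_='find "$tardir" -print | cpio -o -H ustar -L'
    am__untar='cpio -i -H ustar -d'
    ;;
  none)
    am__tar=false
    am__tar_=false
    am__untar=false
    ;;
  esac
  # If the value was cached, stop now. We just wanted to have am__tar
  # and am__untar set.
  test -n "${am_cv_prog_tar_ustar}" && break
  # tar/untar a dummy directory, and stop if the command works.
  rm -rf conftest.dir
  mkdir conftest.dir
  echo GrepMe > conftest.dir/file
  { echo "$as_me:$LINENO: tardir=conftest.dir && eval $am__tar_ >conftest.tar" >&5
    (tardir=conftest.dir && eval $am__tar_ >conftest.tar) >&5 2>&5
    ac_status=$?
    echo "$as_me:$LINENO: \$? = $ac_status" >&5
    (exit $ac_status); }
  rm -rf conftest.dir
  if test -s conftest.tar; then
    # Unpack the archive written just above; every am__untar variant reads
    # the archive from stdin, so conftest.tar is fed in by redirection.
    { echo "$as_me:$LINENO: $am__untar <conftest.tar" >&5
      ($am__untar <conftest.tar) >&5 2>&5
      ac_status=$?
      echo "$as_me:$LINENO: \$? = $ac_status" >&5
      (exit $ac_status); }
    { echo "$as_me:$LINENO: cat conftest.dir/file" >&5
      (cat conftest.dir/file) >&5 2>&5
      ac_status=$?
      echo "$as_me:$LINENO: \$? = $ac_status" >&5
      (exit $ac_status); }
    # The round trip succeeded only if the marker text survived.
    grep GrepMe conftest.dir/file >/dev/null 2>&1 && break
  fi
done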
rm -rf conftest.dir
if ${am_cv_prog_tar_ustar+:} false; then :
$as_echo_n "(cached) " >&6
else
am_cv_prog_tar_ustar=$_am_tool
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_tar_ustar" >&5
$as_echo "$am_cv_prog_tar_ustar" >&6; }
if test $_am_tool = gnutar; then
# We've checked already, so we're just printing here
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if GNU tar supports --hard-dereference" >&5
$as_echo_n "checking if GNU tar supports --hard-dereference... " >&6; }
if test x$_am_gnutar_hard_dereference = xtrue; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
fi
# POSIX will say in a future version that running "rm -f" with no argument
# is OK; and we want to be able to make that assumption in our Makefile
# recipes. So use an aggressive probe to check that the usage we want is
# actually supported "in the wild" to an acceptable degree.
# See automake bug#10828.
# To make any issue more visible, cause the running configure to be aborted
# by default if the 'rm' program in use doesn't match our expectations; the
# user can still override this though.
if rm -f && rm -fr && rm -rf; then : OK; else
cat >&2 <<'END'
Oops!
Your 'rm' program seems unable to run without file operands specified
on the command line, even when the '-f' option is present. This is contrary
to the behaviour of most rm programs out there, and not conforming with
the upcoming POSIX standard:
Please tell bug-automake@gnu.org about your system, including the value
of your $PATH and any error possibly output before this message. This
can help us improve future automake versions.
END
if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then
echo 'Configuration will proceed anyway, since you have set the' >&2
echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2
echo >&2
else
cat >&2 <<'END'
Aborting the configuration process, to ensure you take notice of the issue.
You can download and install GNU coreutils to get an 'rm' implementation
that behaves properly: .
If you want to complete the configuration process using your problematic
'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
to "yes", and re-run configure.
END
as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable maintainer-specific portions of Makefiles" >&5
$as_echo_n "checking whether to enable maintainer-specific portions of Makefiles... " >&6; }
# Check whether --enable-maintainer-mode was given.
if test "${enable_maintainer_mode+set}" = set; then :
enableval=$enable_maintainer_mode; USE_MAINTAINER_MODE=$enableval
else
USE_MAINTAINER_MODE=yes
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $USE_MAINTAINER_MODE" >&5
$as_echo "$USE_MAINTAINER_MODE" >&6; }
if test $USE_MAINTAINER_MODE = yes; then
MAINTAINER_MODE_TRUE=
MAINTAINER_MODE_FALSE='#'
else
MAINTAINER_MODE_TRUE='#'
MAINTAINER_MODE_FALSE=
fi
MAINT=$MAINTAINER_MODE_TRUE
cat >>confdefs.h <<_ACEOF
#define ABS_TOP_SRCDIR "`cd -- "$srcdir"; pwd`"
_ACEOF
# Check whether --enable-silent-rules was given.
if test "${enable_silent_rules+set}" = set; then :
enableval=$enable_silent_rules;
fi
case $enable_silent_rules in # (((
yes) AM_DEFAULT_VERBOSITY=0;;
no) AM_DEFAULT_VERBOSITY=1;;
*) AM_DEFAULT_VERBOSITY=0;;
esac
am_make=${MAKE-make}
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5
$as_echo_n "checking whether $am_make supports nested variables... " >&6; }
if ${am_cv_make_support_nested_variables+:} false; then :
$as_echo_n "(cached) " >&6
else
if $as_echo 'TRUE=$(BAR$(V))
BAR0=false
BAR1=true
V=1
am__doit:
@$(TRUE)
.PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then
am_cv_make_support_nested_variables=yes
else
am_cv_make_support_nested_variables=no
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5
$as_echo "$am_cv_make_support_nested_variables" >&6; }
if test $am_cv_make_support_nested_variables = yes; then
AM_V='$(V)'
AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)'
else
AM_V=$AM_DEFAULT_VERBOSITY
AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY
fi
AM_BACKSLASH='\'
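# Check whether --with-core was given.
#
# Resolves core_dir (the CFEngine core source tree) and the HAVE_CORE
# conditional:
#   --with-core=no / --without-core  -> core_dir empty, HAVE_CORE false
#   --with-core=DIR                  -> DIR must contain libpromises/, else abort
#   option not given                 -> ../core next to the build dir, if present
# A relative core_dir is made absolute against the current directory.
if test "${with_core+set}" = set; then :
  withval=$with_core
  # POSIX test(1) spells string equality '='; '==' is an extension that
  # not every /bin/sh accepts, and a rejected operator would make the
  # "no" case fall through to the directory check below.
  if test "x$with_core" = "xno"; then :
    core_dir=
  else
    if test -d "$with_core/libpromises"; then :
      core_dir="$with_core"
    else
      as_fn_error $? "$with_core is not a valid core directory (--with-core=$with_core)" "$LINENO" 5
    fi
  fi
else
  # Quote the pwd output so a build directory containing whitespace is
  # still tested as one path.
  if test -d "`pwd`/../core/libpromises"
  then
    core_dir="`pwd`/../core"
  else
    core_dir=
  fi
fi
if test "x$core_dir" != x; then
  HAVE_CORE_TRUE=
  HAVE_CORE_FALSE='#'
else
  HAVE_CORE_TRUE='#'
  HAVE_CORE_FALSE=
fi
if test "x$core_dir" != x; then :
  case $core_dir in #(
  /*) :
    ;; #(
  *) :
    core_dir=`pwd`/$core_dir ;;
  esac
fi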
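# Check whether --with-enterprise was given.
#
# Resolves enterprise_dir and the HAVE_ENTERPRISE conditional:
#   --with-enterprise=no / --without-enterprise -> enterprise_dir empty
#   --with-enterprise=DIR                       -> DIR (made absolute)
#   option not given                            -> ../enterprise next to the build dir
# HAVE_ENTERPRISE is true only when the resolved directory contains
# libcfenterprise/.
if test "${with_enterprise+set}" = set; then :
  withval=$with_enterprise
  # POSIX test(1) spells string equality '='; '==' is an extension that
  # not every /bin/sh accepts.
  if test "x$with_enterprise" = "xno"; then :
    enterprise_dir=
  else
    enterprise_dir=$with_enterprise
  fi
else
  enterprise_dir=`pwd`/../enterprise
fi
# Only absolutize a non-empty value, as the core_dir handling does. An
# empty value would otherwise become "<cwd>/" and a libcfenterprise
# directory that happens to sit in the build dir would re-enable
# enterprise even though it was explicitly switched off.
if test "x$enterprise_dir" != x; then :
  case $enterprise_dir in #(
  /*) :
    ;; #(
  *) :
    enterprise_dir=`pwd`/$enterprise_dir ;;
  esac
fi
if test "x$enterprise_dir" != x && test -d "$enterprise_dir/libcfenterprise"; then
  HAVE_ENTERPRISE_TRUE=
  HAVE_ENTERPRISE_FALSE='#'
else
  HAVE_ENTERPRISE_TRUE='#'
  HAVE_ENTERPRISE_FALSE=
fi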
# Default the install prefix to /var/cfengine when --prefix was not given
# (configure represents "not given" as the literal NONE).
if test x"$prefix" = xNONE; then :
prefix=/var/cfengine
fi
# Fall back to ${exec_prefix}/bin when bindir is empty or unset.
bindir="${bindir:-${exec_prefix}/bin}"
_lcl_receval=""${bindir}""
# Expand bindir to a literal path. Inside a subshell (so the temporary
# prefix/exec_prefix defaults do not leak out), the value is re-evaluated
# until it stops changing, which resolves nested references such as
# ${exec_prefix} -> ${prefix} -> /var/cfengine.
# NOTE(review): the expansion goes through eval, so shell syntax embedded in
# the bindir, prefix or exec_prefix values (command substitution, stray
# double quotes) is interpreted here. Treat configure arguments as trusted
# input; wrappers that build the command line from external parameters
# should validate them first.
bindir=`(test "x$prefix" = xNONE && prefix="$ac_default_prefix"
test "x$exec_prefix" = xNONE && exec_prefix="${prefix}"
_lcl_receval_old=''
while test "$_lcl_receval_old" != "$_lcl_receval"; do
_lcl_receval_old="$_lcl_receval"
eval _lcl_receval="\"$_lcl_receval\""
done
echo "$_lcl_receval")`
bindir="${bindir}"
#
# Copyright 2024 Northern.tech AS
#
# This file is part of CFEngine 3 - written and maintained by Northern.tech AS.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
#
# To the extent this program is licensed as part of the Enterprise
# versions of CFEngine, the applicable Commercial Open Source License
# (COSL) may apply to this file if you as a licensee so wish it. See
# included file COSL.txt.
#
#
# OS kernels conditionals. Don't use those unless it is really needed (if code
# depends on the *kernel* feature, and even then -- some kernel features are
# shared by different kernels).
#
# Good example: use LINUX to select code which uses inotify and netlink sockets.
# Bad example: use LINUX to select code which parses output of coreutils' ps(1).
#
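# Set the <OS>_TRUE / <OS>_FALSE conditional pairs from $target_os.
# Exactly one of each pair is '#' (the disabled side) and the other is empty.
#
# The match is a case-sensitive substring test, done with case patterns
# rather than a pipeline through grep/egrep: no subprocess per check, no
# word splitting or globbing of an unquoted $target_os, and no dependence
# on egrep, which newer GNU grep releases flag as obsolescent on stderr.
case "${target_os}" in
*linux*) LINUX_TRUE= LINUX_FALSE='#' ;;
*) LINUX_TRUE='#' LINUX_FALSE= ;;
esac
case "${target_os}" in
*darwin*) MACOSX_TRUE= MACOSX_FALSE='#' ;;
*) MACOSX_TRUE='#' MACOSX_FALSE= ;;
esac
case "${target_os}" in
*solaris* | *sunos*) SOLARIS_TRUE= SOLARIS_FALSE='#' ;;
*) SOLARIS_TRUE='#' SOLARIS_FALSE= ;;
esac
# NT covers both Windows-hosted environments; CYGWIN is the narrower one.
case "${target_os}" in
*mingw* | *cygwin*) NT_TRUE= NT_FALSE='#' ;;
*) NT_TRUE='#' NT_FALSE= ;;
esac
case "${target_os}" in
*cygwin*) CYGWIN_TRUE= CYGWIN_FALSE='#' ;;
*) CYGWIN_TRUE='#' CYGWIN_FALSE= ;;
esac
case "${target_os}" in
*aix*) AIX_TRUE= AIX_FALSE='#' ;;
*) AIX_TRUE='#' AIX_FALSE= ;;
esac
case "${target_os}" in
*hpux* | *hp-ux*) HPUX_TRUE= HPUX_FALSE='#' ;;
*) HPUX_TRUE='#' HPUX_FALSE= ;;
esac
case "${target_os}" in
*freebsd*) FREEBSD_TRUE= FREEBSD_FALSE='#' ;;
*) FREEBSD_TRUE='#' FREEBSD_FALSE= ;;
esac
case "${target_os}" in
*netbsd*) NETBSD_TRUE= NETBSD_FALSE='#' ;;
*) NETBSD_TRUE='#' NETBSD_FALSE= ;;
esac
# XNU is keyed on the same darwin substring as MACOSX above.
case "${target_os}" in
*darwin*) XNU_TRUE= XNU_FALSE='#' ;;
*) XNU_TRUE='#' XNU_FALSE= ;;
esac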
# Extract the first word of "pkg_install", so it can be a program name with args.
set dummy pkg_install; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_ac_cv_pkg_install+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_cv_pkg_install"; then
ac_cv_prog_ac_cv_pkg_install="$ac_cv_pkg_install" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_ac_cv_pkg_install="yes"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
test -z "$ac_cv_prog_ac_cv_pkg_install" && ac_cv_prog_ac_cv_pkg_install="no"
fi
fi
ac_cv_pkg_install=$ac_cv_prog_ac_cv_pkg_install
if test -n "$ac_cv_pkg_install"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_pkg_install" >&5
$as_echo "$ac_cv_pkg_install" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
# Extract the first word of "shunit2", so it can be a program name with args.
set dummy shunit2; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_ac_cv_shunit2+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$ac_cv_shunit2"; then
ac_cv_prog_ac_cv_shunit2="$ac_cv_shunit2" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_ac_cv_shunit2="yes"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
test -z "$ac_cv_prog_ac_cv_shunit2" && ac_cv_prog_ac_cv_shunit2="no"
fi
fi
ac_cv_shunit2=$ac_cv_prog_ac_cv_shunit2
if test -n "$ac_cv_shunit2"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_shunit2" >&5
$as_echo "$ac_cv_shunit2" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
# Turn the two program probes into conditional pairs: the enabled side of
# each pair is empty, the disabled side is '#'. Anything other than the
# exact string "yes" (including an unset probe result) counts as absent.
case $ac_cv_pkg_install in
yes)
  HAVE_PKG_INSTALL_TRUE=
  HAVE_PKG_INSTALL_FALSE='#'
  ;;
*)
  HAVE_PKG_INSTALL_TRUE='#'
  HAVE_PKG_INSTALL_FALSE=
  ;;
esac
case $ac_cv_shunit2 in
yes)
  HAVE_SHUNIT2_TRUE=
  HAVE_SHUNIT2_FALSE='#'
  ;;
*)
  HAVE_SHUNIT2_TRUE='#'
  HAVE_SHUNIT2_FALSE=
  ;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
$as_echo "" >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: Summary:" >&5
$as_echo "Summary:" >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: Version -> $cfengine_version" >&5
$as_echo "Version -> $cfengine_version" >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: Release -> $cfengine_release" >&5
$as_echo "Release -> $cfengine_release" >&6; }
if test -z "$HAVE_CORE_TRUE"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: Core directory -> $core_dir" >&5
$as_echo "Core directory -> $core_dir" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: Core directory -> not set - tests are disabled" >&5
$as_echo "Core directory -> not set - tests are disabled" >&6; }
fi
if test -z "$HAVE_ENTERPRISE_TRUE"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: Enterprise directory -> $enterprise_dir" >&5
$as_echo "Enterprise directory -> $enterprise_dir" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: Enterprise directory -> not set - some tests are disabled" >&5
$as_echo "Enterprise directory -> not set - some tests are disabled" >&6; }
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: Install prefix -> $prefix" >&5
$as_echo "Install prefix -> $prefix" >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: bindir -> $bindir" >&5
$as_echo "bindir -> $bindir" >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
$as_echo "" >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: generating makefile targets" >&5
$as_echo "$as_me: generating makefile targets" >&6;}
# Do not try to unroll these for loops by putting the find commands directly in
# the assignments, it will overflow on the Solaris and HP-UX shells.
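# Collect the acceptance test policy files (paths relative to
# tests/acceptance/) into a space-separated list.
MASTERFILES_TESTS=''
for i in `cd "$srcdir/tests/acceptance/" && find . -name '*.cf*'`
do
  MASTERFILES_TESTS="$MASTERFILES_TESTS $i"
done

# Build the space-separated list of files to install.
MASTERFILES_INSTALL_TARGETS=
# Top-level *.cf files are listed through a scratch file so the loop body
# runs in this shell and its assignments survive. The scratch file uses the
# conftest.* naming this script uses for its other temporary files instead
# of a bare "tmp", which could overwrite an unrelated file of that name in
# the build directory. Removing it first means the redirect creates a
# fresh file rather than writing through a leftover file or symlink.
rm -f conftest.cflist
find "$srcdir" -maxdepth 1 -name '*.cf' > conftest.cflist
while IFS= read -r j
do
  # Only add those that don't have a corresponding .in file.
  # They will be added later.
  if ! test -f "$j.in"
  then
    MASTERFILES_INSTALL_TARGETS="$MASTERFILES_INSTALL_TARGETS $j"
  fi
done < conftest.cflist
rm -f conftest.cflist
for j in "$srcdir"/*.cf.in
do
  # An unmatched glob is left as the literal pattern; skip it rather than
  # adding a bogus "*.cf" target.
  test -f "$j" || continue
  # Add .in files, but without the .in suffix.
  MASTERFILES_INSTALL_TARGETS="$MASTERFILES_INSTALL_TARGETS `echo "$j" | sed -e 's/\.in$//'`"
done
for i in cfe_internal controls inventory lib services
do
  for j in `find "$srcdir/$i" -name '*.cf'`
  do
    # Only add those that don't have a corresponding .in file.
    # They will be added later.
    if ! test -f "$j.in"
    then
      MASTERFILES_INSTALL_TARGETS="$MASTERFILES_INSTALL_TARGETS $j"
    fi
  done
  for j in `find "$srcdir/$i" -name '*.cf.in'`
  do
    # Add .in files, but without the .in suffix.
    MASTERFILES_INSTALL_TARGETS="$MASTERFILES_INSTALL_TARGETS `echo "$j" | sed -e 's/\.in$//'`"
  done
done
# Non-policy payload: templates and helper scripts, matched by extension.
for i in templates cfe_internal modules/packages/vendored lib/templates
do
  for j in `find "$srcdir/$i" -name '*.mustache' -o -name '*.sh' -o -name '*.awk' -o -name '*.sed' -o -name '*.ps1' -o -name '*.py'`
  do
    MASTERFILES_INSTALL_TARGETS="$MASTERFILES_INSTALL_TARGETS $j"
  done
done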
ac_config_files="$ac_config_files Makefile controls/update_def.cf update.cf promises.cf standalone_self_upgrade.cf tests/Makefile tests/acceptance/Makefile tests/unit/Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
# tests run on this system so they can be shared between configure
# scripts and configure runs, see configure's option --config-cache.
# It is not useful on other systems. If it contains results you don't
# want to keep, you may remove or edit it.
#
# config.status only pays attention to the cache file if you give it
# the --recheck option to rerun configure.
#
# `ac_cv_env_foo' variables (set or unset) will be overridden when
# loading this file, other *unset* `ac_cv_foo' will be assigned the
# following values.
_ACEOF
# The following way of writing the cache mishandles newlines in values,
# but we know of no workaround that is simple, portable, and efficient.
# So, we kill variables containing newlines.
# Ultrix sh set writes to stderr and can't be redirected directly,
# and sets the high bit in the cache file unless we assign to the vars.
(
for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
eval ac_val=\$$ac_var
case $ac_val in #(
*${as_nl}*)
case $ac_var in #(
*_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
esac
case $ac_var in #(
_ | IFS | as_nl) ;; #(
BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
*) { eval $ac_var=; unset $ac_var;} ;;
esac ;;
esac
done
(set) 2>&1 |
case $as_nl`(ac_space=' '; set) 2>&1` in #(
*${as_nl}ac_space=\ *)
# `set' does not quote correctly, so add quotes: double-quote
# substitution turns \\\\ into \\, and sed turns \\ into \.
sed -n \
"s/'/'\\\\''/g;
s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
;; #(
*)
# `set' quotes correctly as required by POSIX, so do not add quotes.
sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
;;
esac |
sort
) |
sed '
/^ac_cv_env_/b end
t clear
:clear
s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
t end
s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
:end' >>confcache
if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
if test -w "$cache_file"; then
if test "x$cache_file" != "x/dev/null"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
$as_echo "$as_me: updating cache $cache_file" >&6;}
if test ! -f "$cache_file" || test -h "$cache_file"; then
cat confcache >"$cache_file"
else
case $cache_file in #(
*/* | ?:*)
mv -f confcache "$cache_file"$$ &&
mv -f "$cache_file"$$ "$cache_file" ;; #(
*)
mv -f confcache "$cache_file" ;;
esac
fi
fi
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
fi
fi
rm -f confcache
test "x$prefix" = xNONE && prefix=$ac_default_prefix
# Let make expand exec_prefix.
test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
# Transform confdefs.h into DEFS.
# Protect against shell expansion while executing Makefile rules.
# Protect against Makefile macro expansion.
#
# If the first sed substitution is executed (which looks for macros that
# take arguments), then branch to the quote section. Otherwise,
# look for a macro that doesn't take arguments.
ac_script='
:mline
/\\$/{
N
s,\\\n,,
b mline
}
t clear
:clear
s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g
t quote
s/^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)/-D\1=\2/g
t quote
b any
:quote
s/[ `~#$^&*(){}\\|;'\''"<>?]/\\&/g
s/\[/\\&/g
s/\]/\\&/g
s/\$/$$/g
H
:any
${
g
s/^\n//
s/\n/ /g
p
}
'
DEFS=`sed -n "$ac_script" confdefs.h`
ac_libobjs=
ac_ltlibobjs=
U=
for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
# 1. Remove the extension, and $U if already installed.
ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
# 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR
# will be set to the directory where LIBOBJS objects are built.
as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
done
LIBOBJS=$ac_libobjs
LTLIBOBJS=$ac_ltlibobjs
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking that generated files are newer than configure" >&5
$as_echo_n "checking that generated files are newer than configure... " >&6; }
if test -n "$am_sleep_pid"; then
# Hide warnings about reused PIDs.
wait $am_sleep_pid 2>/dev/null
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: done" >&5
$as_echo "done" >&6; }
if test -z "${MAINTAINER_MODE_TRUE}" && test -z "${MAINTAINER_MODE_FALSE}"; then
as_fn_error $? "conditional \"MAINTAINER_MODE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${HAVE_CORE_TRUE}" && test -z "${HAVE_CORE_FALSE}"; then
as_fn_error $? "conditional \"HAVE_CORE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${HAVE_ENTERPRISE_TRUE}" && test -z "${HAVE_ENTERPRISE_FALSE}"; then
as_fn_error $? "conditional \"HAVE_ENTERPRISE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${LINUX_TRUE}" && test -z "${LINUX_FALSE}"; then
as_fn_error $? "conditional \"LINUX\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${MACOSX_TRUE}" && test -z "${MACOSX_FALSE}"; then
as_fn_error $? "conditional \"MACOSX\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${SOLARIS_TRUE}" && test -z "${SOLARIS_FALSE}"; then
as_fn_error $? "conditional \"SOLARIS\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${NT_TRUE}" && test -z "${NT_FALSE}"; then
as_fn_error $? "conditional \"NT\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${CYGWIN_TRUE}" && test -z "${CYGWIN_FALSE}"; then
as_fn_error $? "conditional \"CYGWIN\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${AIX_TRUE}" && test -z "${AIX_FALSE}"; then
as_fn_error $? "conditional \"AIX\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${HPUX_TRUE}" && test -z "${HPUX_FALSE}"; then
as_fn_error $? "conditional \"HPUX\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${FREEBSD_TRUE}" && test -z "${FREEBSD_FALSE}"; then
as_fn_error $? "conditional \"FREEBSD\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${NETBSD_TRUE}" && test -z "${NETBSD_FALSE}"; then
as_fn_error $? "conditional \"NETBSD\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${XNU_TRUE}" && test -z "${XNU_FALSE}"; then
as_fn_error $? "conditional \"XNU\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${HAVE_PKG_INSTALL_TRUE}" && test -z "${HAVE_PKG_INSTALL_FALSE}"; then
as_fn_error $? "conditional \"HAVE_PKG_INSTALL\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
if test -z "${HAVE_SHUNIT2_TRUE}" && test -z "${HAVE_SHUNIT2_FALSE}"; then
as_fn_error $? "conditional \"HAVE_SHUNIT2\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
: "${CONFIG_STATUS=./config.status}"
ac_write_fail=0
ac_clean_files_save=$ac_clean_files
ac_clean_files="$ac_clean_files $CONFIG_STATUS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
as_write_fail=0
cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
#! $SHELL
# Generated by $as_me.
# Run this file to recreate the current configuration.
# Compiler output produced by configure, useful for debugging
# configure, is in config.log if it exists.
debug=false
ac_cs_recheck=false
ac_cs_silent=false
SHELL=\${CONFIG_SHELL-$SHELL}
export SHELL
_ASEOF
cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
## -------------------- ##
## M4sh Initialization. ##
## -------------------- ##
# Be more Bourne compatible
DUALCASE=1; export DUALCASE # for MKS sh
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
emulate sh
NULLCMD=:
# Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
# is contrary to our usage. Disable this feature.
alias -g '${1+"$@"}'='"$@"'
setopt NO_GLOB_SUBST
else
case `(set -o) 2>/dev/null` in #(
*posix*) :
set -o posix ;; #(
*) :
;;
esac
fi
as_nl='
'
export as_nl
# Printing a long string crashes Solaris 7 /usr/bin/printf.
as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
# Prefer a ksh shell builtin over an external printf program on Solaris,
# but without wasting forks for bash or zsh.
if test -z "$BASH_VERSION$ZSH_VERSION" \
&& (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
as_echo='print -r --'
as_echo_n='print -rn --'
elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
as_echo='printf %s\n'
as_echo_n='printf %s'
else
if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
as_echo_n='/usr/ucb/echo -n'
else
as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
as_echo_n_body='eval
arg=$1;
case $arg in #(
*"$as_nl"*)
expr "X$arg" : "X\\(.*\\)$as_nl";
arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
esac;
expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
'
export as_echo_n_body
as_echo_n='sh -c $as_echo_n_body as_echo'
fi
export as_echo_body
as_echo='sh -c $as_echo_body as_echo'
fi
# The user is always right.
if test "${PATH_SEPARATOR+set}" != set; then
PATH_SEPARATOR=:
(PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
(PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
PATH_SEPARATOR=';'
}
fi
# IFS
# We need space, tab and new line, in precisely that order. Quoting is
# there to prevent editors from complaining about space-tab.
# (If _AS_PATH_WALK were called with IFS unset, it would disable word
# splitting by setting IFS to empty value.)
IFS=" "" $as_nl"
# Find who we are. Look in the path if we contain no directory separator.
as_myself=
case $0 in #((
*[\\/]* ) as_myself=$0 ;;
*) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
done
IFS=$as_save_IFS
;;
esac
# We did not find ourselves, most probably we were run as `sh COMMAND'
# in which case we are not to be found in the path.
if test "x$as_myself" = x; then
as_myself=$0
fi
if test ! -f "$as_myself"; then
$as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
exit 1
fi
# Unset variables that we do not need and which cause bugs (e.g. in
# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1"
# suppresses any "Segmentation fault" message there. '((' could
# trigger a bug in pdksh 5.2.14.
for as_var in BASH_ENV ENV MAIL MAILPATH
do eval test x\${$as_var+set} = xset \
&& ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
done
PS1='$ '
PS2='> '
PS4='+ '
# NLS nuisances.
LC_ALL=C
export LC_ALL
LANGUAGE=C
export LANGUAGE
# CDPATH.
(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
# as_fn_error STATUS ERROR [LINENO LOG_FD]
# ----------------------------------------
# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
# script with STATUS, using 1 if that was 0.
as_fn_error ()
{
as_status=$1; test $as_status -eq 0 && as_status=1
if test "$4"; then
as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
$as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
fi
$as_echo "$as_me: error: $2" >&2
as_fn_exit $as_status
} # as_fn_error
# as_fn_set_status STATUS
# -----------------------
# Set $? to STATUS, without forking.
as_fn_set_status ()
{
return $1
} # as_fn_set_status
# as_fn_exit STATUS
# -----------------
# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
as_fn_exit ()
{
set +e
as_fn_set_status $1
exit $1
} # as_fn_exit
# as_fn_unset VAR
# ---------------
# Portably unset VAR.
as_fn_unset ()
{
{ eval $1=; unset $1;}
}
as_unset=as_fn_unset
# as_fn_append VAR VALUE
# ----------------------
# Append the text in VALUE to the end of the definition contained in VAR. Take
# advantage of any shell optimizations that allow amortized linear growth over
# repeated appends, instead of the typical quadratic growth present in naive
# implementations.
if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
eval 'as_fn_append ()
{
eval $1+=\$2
}'
else
as_fn_append ()
{
eval $1=\$$1\$2
}
fi # as_fn_append
# as_fn_arith ARG...
# ------------------
# Perform arithmetic evaluation on the ARGs, and store the result in the
# global $as_val. Take advantage of shells that can avoid forks. The arguments
# must be portable across $(()) and expr.
if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
eval 'as_fn_arith ()
{
as_val=$(( $* ))
}'
else
as_fn_arith ()
{
as_val=`expr "$@" || test $? -eq 1`
}
fi # as_fn_arith
if expr a : '\(a\)' >/dev/null 2>&1 &&
test "X`expr 00001 : '.*\(...\)'`" = X001; then
as_expr=expr
else
as_expr=false
fi
if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
as_basename=basename
else
as_basename=false
fi
if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
as_dirname=dirname
else
as_dirname=false
fi
as_me=`$as_basename -- "$0" ||
$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
X"$0" : 'X\(//\)$' \| \
X"$0" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X/"$0" |
sed '/^.*\/\([^/][^/]*\)\/*$/{
s//\1/
q
}
/^X\/\(\/\/\)$/{
s//\1/
q
}
/^X\/\(\/\).*/{
s//\1/
q
}
s/.*/./; q'`
# Avoid depending upon Character Ranges.
as_cr_letters='abcdefghijklmnopqrstuvwxyz'
as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
as_cr_Letters=$as_cr_letters$as_cr_LETTERS
as_cr_digits='0123456789'
as_cr_alnum=$as_cr_Letters$as_cr_digits
ECHO_C= ECHO_N= ECHO_T=
case `echo -n x` in #(((((
-n*)
case `echo 'xy\c'` in
*c*) ECHO_T=' ';; # ECHO_T is single tab character.
xy) ECHO_C='\c';;
*) echo `echo ksh88 bug on AIX 6.1` > /dev/null
ECHO_T=' ';;
esac;;
*)
ECHO_N='-n';;
esac
rm -f conf$$ conf$$.exe conf$$.file
if test -d conf$$.dir; then
rm -f conf$$.dir/conf$$.file
else
rm -f conf$$.dir
mkdir conf$$.dir 2>/dev/null
fi
if (echo >conf$$.file) 2>/dev/null; then
if ln -s conf$$.file conf$$ 2>/dev/null; then
as_ln_s='ln -s'
# ... but there are two gotchas:
# 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
# 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
# In both cases, we have to default to `cp -pR'.
ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
as_ln_s='cp -pR'
elif ln conf$$.file conf$$ 2>/dev/null; then
as_ln_s=ln
else
as_ln_s='cp -pR'
fi
else
as_ln_s='cp -pR'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null
# as_fn_mkdir_p
# -------------
# Create "$as_dir" as a directory, including parents if necessary.
as_fn_mkdir_p ()
{
case $as_dir in #(
-*) as_dir=./$as_dir;;
esac
test -d "$as_dir" || eval $as_mkdir_p || {
as_dirs=
while :; do
case $as_dir in #(
*\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
*) as_qdir=$as_dir;;
esac
as_dirs="'$as_qdir' $as_dirs"
as_dir=`$as_dirname -- "$as_dir" ||
$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$as_dir" : 'X\(//\)[^/]' \| \
X"$as_dir" : 'X\(//\)$' \| \
X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X"$as_dir" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
}
/^X\(\/\/\)[^/].*/{
s//\1/
q
}
/^X\(\/\/\)$/{
s//\1/
q
}
/^X\(\/\).*/{
s//\1/
q
}
s/.*/./; q'`
test -d "$as_dir" && break
done
test -z "$as_dirs" || eval "mkdir $as_dirs"
} || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
} # as_fn_mkdir_p
if mkdir -p . 2>/dev/null; then
as_mkdir_p='mkdir -p "$as_dir"'
else
test -d ./-p && rmdir ./-p
as_mkdir_p=false
fi
# as_fn_executable_p FILE
# -----------------------
# Test if FILE is an executable regular file.
as_fn_executable_p ()
{
test -f "$1" && test -x "$1"
} # as_fn_executable_p
as_test_x='test -x'
as_executable_p=as_fn_executable_p
# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
# Sed expression to map a string onto a valid variable name.
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
exec 6>&1
## ----------------------------------- ##
## Main body of $CONFIG_STATUS script. ##
## ----------------------------------- ##
_ASEOF
test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# Save the log message, to keep $0 and so on meaningful, and to
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by cfengine-masterfiles $as_me 3.24.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
CONFIG_HEADERS = $CONFIG_HEADERS
CONFIG_LINKS = $CONFIG_LINKS
CONFIG_COMMANDS = $CONFIG_COMMANDS
$ $0 $@
on `(hostname || uname -n) 2>/dev/null | sed 1q`
"
_ACEOF
# If the list of output files contains a newline, re-split it into words and
# join the words again with "$*" (the first character of IFS, a space when IFS
# has its usual value), so that it can be written further down as the
# one-line assignment config_files="...".  The dummy first word "x" keeps
# `set' from treating a leading "-" in the list as an option; it is dropped
# again by `shift'.
case $ac_config_files in *"
"*) set x $ac_config_files; shift; ac_config_files=$*;;
esac
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
# Files that config.status was made for.
config_files="$ac_config_files"
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
ac_cs_usage="\
\`$as_me' instantiates files and other configuration actions
from templates according to the current configuration. Unless the files
and actions are specified as TAGs, all are instantiated by default.
Usage: $0 [OPTION]... [TAG]...
-h, --help print this help, then exit
-V, --version print version number and configuration settings, then exit
--config print configuration, then exit
-q, --quiet, --silent
do not print progress messages
-d, --debug don't remove temporary files
--recheck update $as_me by reconfiguring in the same conditions
--file=FILE[:TEMPLATE]
instantiate the configuration file FILE
Configuration files:
$config_files
Report bugs to the package provider."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
cfengine-masterfiles config.status 3.24.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
Copyright (C) 2012 Free Software Foundation, Inc.
This config.status script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it."
ac_pwd='$ac_pwd'
srcdir='$srcdir'
INSTALL='$INSTALL'
MKDIR_P='$MKDIR_P'
AWK='$AWK'
test -n "\$AWK" || AWK=awk
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# The default lists apply if the user does not specify any file.
ac_need_defaults=:
while test $# != 0
do
case $1 in
--*=?*)
ac_option=`expr "X$1" : 'X\([^=]*\)='`
ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
ac_shift=:
;;
--*=)
ac_option=`expr "X$1" : 'X\([^=]*\)='`
ac_optarg=
ac_shift=:
;;
*)
ac_option=$1
ac_optarg=$2
ac_shift=shift
;;
esac
case $ac_option in
# Handling of the options.
-recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
ac_cs_recheck=: ;;
--version | --versio | --versi | --vers | --ver | --ve | --v | -V )
$as_echo "$ac_cs_version"; exit ;;
--config | --confi | --conf | --con | --co | --c )
$as_echo "$ac_cs_config"; exit ;;
--debug | --debu | --deb | --de | --d | -d )
debug=: ;;
--file | --fil | --fi | --f )
$ac_shift
case $ac_optarg in
*\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
'') as_fn_error $? "missing file argument" ;;
esac
as_fn_append CONFIG_FILES " '$ac_optarg'"
ac_need_defaults=false;;
--he | --h | --help | --hel | -h )
$as_echo "$ac_cs_usage"; exit ;;
-q | -quiet | --quiet | --quie | --qui | --qu | --q \
| -silent | --silent | --silen | --sile | --sil | --si | --s)
ac_cs_silent=: ;;
# This is an error.
-*) as_fn_error $? "unrecognized option: \`$1'
Try \`$0 --help' for more information." ;;
*) as_fn_append ac_config_targets " $1"
ac_need_defaults=false ;;
esac
shift
done
ac_configure_extra_args=
if $ac_cs_silent; then
exec 6>/dev/null
ac_configure_extra_args="$ac_configure_extra_args --silent"
fi
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
if \$ac_cs_recheck; then
set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
shift
\$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
CONFIG_SHELL='$SHELL'
export CONFIG_SHELL
exec "\$@"
fi
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
exec 5>>config.log
{
echo
sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
## Running $as_me. ##
_ASBOX
$as_echo "$ac_log"
} >&5
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# Handling of arguments.
for ac_config_target in $ac_config_targets
do
case $ac_config_target in
"Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
"controls/update_def.cf") CONFIG_FILES="$CONFIG_FILES controls/update_def.cf" ;;
"update.cf") CONFIG_FILES="$CONFIG_FILES update.cf" ;;
"promises.cf") CONFIG_FILES="$CONFIG_FILES promises.cf" ;;
"standalone_self_upgrade.cf") CONFIG_FILES="$CONFIG_FILES standalone_self_upgrade.cf" ;;
"tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;;
"tests/acceptance/Makefile") CONFIG_FILES="$CONFIG_FILES tests/acceptance/Makefile" ;;
"tests/unit/Makefile") CONFIG_FILES="$CONFIG_FILES tests/unit/Makefile" ;;
*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
esac
done
# If the user did not use the arguments to specify the items to instantiate,
# then the envvar interface is used. Set only those that are not.
# We use the long form for the default assignment because of an extremely
# bizarre bug on SunOS 4.1.3.
if $ac_need_defaults; then
test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
fi
# Have a temporary directory for convenience. Make it in the build tree
# simply because there is no reason against having it here, and in addition,
# creating and moving files from /tmp can sometimes cause problems.
# Hook for its removal unless debugging.
# Note that there is a small window in which the directory will not be cleaned:
# after its creation but before its name has been assigned to `$tmp'.
$debug ||
{
tmp= ac_tmp=
trap 'exit_status=$?
: "${ac_tmp:=$tmp}"
{ test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status
' 0
trap 'as_fn_exit 1' 1 2 13 15
}
# Create a (secure) tmp directory for tmp files.
{
tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
test -d "$tmp"
} ||
{
tmp=./conf$$-$RANDOM
(umask 077 && mkdir "$tmp")
} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
ac_tmp=$tmp
# Set up the scripts for CONFIG_FILES section.
# No need to generate them if there are no CONFIG_FILES.
# This happens for instance with `./config.status config.h'.
if test -n "$CONFIG_FILES"; then
ac_cr=`echo X | tr X '\015'`
# On cygwin, bash can eat \r inside `` if the user requested igncr.
# But we know of no other shell where ac_cr would be empty at this
# point, so we can use a bashism as a fallback.
if test "x$ac_cr" = x; then
eval ac_cr=\$\'\\r\'
fi
ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null`
if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
ac_cs_awk_cr='\\r'
else
ac_cs_awk_cr=$ac_cr
fi
echo 'BEGIN {' >"$ac_tmp/subs1.awk" &&
_ACEOF
# Build a throw-away helper, conf$$subs.sh, that consists of one here-document
# writing conf$$subs.awk.  For every name in $ac_subst_vars the sed call emits
# the literal text "NAME!$NAME$ac_delim"; $NAME and $ac_delim are expanded
# only when the helper is sourced in the loop below.
# NOTE(review): both helper files live in the current directory under a name
# derived from the process id, and conf$$subs.sh is sourced as shell code.
# This presumes the build directory is writable only by the user running
# configure -- confirm for shared build locations.
{
echo "cat >conf$$subs.awk <<_ACEOF" &&
echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
echo "_ACEOF"
} >conf$$subs.sh ||
as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
# Number of lines in $ac_subst_vars (grep -c '^' counts every line).
ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
# First candidate for the end-of-value marker.
ac_delim='%!_!# '
# At most six passes: five with ac_last_try=false, then a final one with ":".
# Each pass sources the helper to regenerate conf$$subs.awk and counts the
# lines that end in the current delimiter.  The loop stops when that count
# equals the number of variables; otherwise the delimiter is lengthened and
# the pass is repeated, and the last pass turns a mismatch into a fatal error.
# (Presumably a mismatch means some value itself ends a line with the
# delimiter text -- inferred from the counting, not stated in the code.)
for ac_last_try in false false false false false :; do
. ./conf$$subs.sh ||
as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
if test $ac_delim_n = $ac_delim_num; then
break
elif $ac_last_try; then
as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
else
ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
fi
done
# The helper script is no longer needed once conf$$subs.awk is final.
rm -f conf$$subs.sh
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK &&
_ACEOF
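# Turn conf$$subs.awk ("NAME!value<delim>" records) into awk assignments of
# the form S["NAME"]="value" and append them to config.status, inside the
# here-document that config.status later writes to $ac_tmp/subs1.awk.
#
# First sed: prints S["NAME"]= for each record, then the value as one or more
# double-quoted awk string pieces of at most 148 characters, escaping `"' and
# `\' and continuing a piece with a trailing backslash.
# Second sed: joins every line that does not start with `"' (the S["NAME"]=
# line) with the line that follows it.
#
# Fix: as listed, the command ended in "' >$CONFIG_STATUS", which gave sed no
# input file and truncated config.status instead of appending to it.  The
# input redirection from conf$$subs.awk, the joining sed stage and the
# appending ">>" are restored, matching every other write to $CONFIG_STATUS
# in this script and the "rm -f conf$$subs.awk" that follows.
sed -n '
h
s/^/S["/; s/!.*/"]=/
p
g
s/^[^!]*!//
:repl
t repl
s/'"$ac_delim"'$//
t delim
:nl
h
s/\(.\{148\}\)..*/\1/
t more1
s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
p
n
b repl
:more1
s/["\\]/\\&/g; s/^/"/; s/$/"\\/
p
g
s/.\{148\}//
t nl
:delim
h
s/\(.\{148\}\)..*/\1/
t more2
s/["\\]/\\&/g; s/^/"/; s/$/"/
p
b
:more2
s/["\\]/\\&/g; s/^/"/; s/$/"\\/
p
g
s/.\{148\}//
t delim
' <conf$$subs.awk | sed '
/^[^""]/{
  N
  s/\n//
}
' >>$CONFIG_STATUS || ac_write_fail=1
rm -f conf$$subs.awk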
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
_ACAWK
cat >>"\$ac_tmp/subs1.awk" <<_ACAWK &&
for (key in S) S_is_set[key] = 1
FS = ""
}
{
line = $ 0
nfields = split(line, field, "@")
substed = 0
len = length(field[1])
for (i = 2; i < nfields; i++) {
key = field[i]
keylen = length(key)
if (S_is_set[key]) {
value = S[key]
line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
len += length(value) + length(field[++i])
substed = 1
} else
len += 1 + keylen
}
print line
}
_ACAWK
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
else
cat
fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \
|| as_fn_error $? "could not setup config files machinery" "$LINENO" 5
_ACEOF
# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
# trailing colons and then remove the whole line if VPATH becomes empty
# (actually we leave an empty line to preserve line numbers).
#
# How the sed fragment works, for any line that starts with a VPATH
# assignment: the line is copied to the hold space (h), the "VPATH =" prefix
# is removed (s///), the value is wrapped in colons so that each entry can be
# matched as ":entry:", the three srcdir spellings are dropped, and the extra
# colons are stripped again.  x then swaps back to the original line, which
# is cut down to its "VPATH =" prefix; G appends the cleaned value and the
# joining newline is removed.  The last substitution blanks the line when
# nothing is left after the "=".
# ac_vpsub is only stored here; it is written into config.status later as the
# first part of ac_sed_extra.
if test "x$srcdir" = x.; then
ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{
h
s///
s/^/:/
s/[ ]*$/:/
s/:\$(srcdir):/:/g
s/:\${srcdir}:/:/g
s/:@srcdir@:/:/g
s/^:*//
s/:*$//
x
s/\(=[ ]*\).*/\1/
G
s/\n//
s/^[^=]*=[ ]*$//
}'
fi
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
fi # test -n "$CONFIG_FILES"
eval set X " :F $CONFIG_FILES "
shift
for ac_tag
do
case $ac_tag in
:[FHLC]) ac_mode=$ac_tag; continue;;
esac
case $ac_mode$ac_tag in
:[FHL]*:*);;
:L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;;
:[FH]-) ac_tag=-:-;;
:[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
esac
ac_save_IFS=$IFS
IFS=:
set x $ac_tag
IFS=$ac_save_IFS
shift
ac_file=$1
shift
case $ac_mode in
:L) ac_source=$1;;
:[FH])
ac_file_inputs=
for ac_f
do
case $ac_f in
-) ac_f="$ac_tmp/stdin";;
*) # Look for the file first in the build tree, then in the source tree
# (if the path is not absolute). The absolute path cannot be DOS-style,
# because $ac_f cannot contain `:'.
test -f "$ac_f" ||
case $ac_f in
[\\/$]*) false;;
*) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
esac ||
as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;;
esac
case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
as_fn_append ac_file_inputs " '$ac_f'"
done
# Let's still pretend it is `configure' which instantiates (i.e., don't
# use $as_me), people would be surprised to read:
# /* config.h. Generated by config.status. */
configure_input='Generated from '`
$as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
`' by configure.'
if test x"$ac_file" != x-; then
configure_input="$ac_file. $configure_input"
{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
$as_echo "$as_me: creating $ac_file" >&6;}
fi
# Neutralize special characters interpreted by sed in replacement strings.
case $configure_input in #(
*\&* | *\|* | *\\* )
ac_sed_conf_input=`$as_echo "$configure_input" |
sed 's/[\\\\&|]/\\\\&/g'`;; #(
*) ac_sed_conf_input=$configure_input;;
esac
case $ac_tag in
*:-:* | *:-) cat >"$ac_tmp/stdin" \
|| as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
esac
;;
esac
ac_dir=`$as_dirname -- "$ac_file" ||
$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$ac_file" : 'X\(//\)[^/]' \| \
X"$ac_file" : 'X\(//\)$' \| \
X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X"$ac_file" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
}
/^X\(\/\/\)[^/].*/{
s//\1/
q
}
/^X\(\/\/\)$/{
s//\1/
q
}
/^X\(\/\).*/{
s//\1/
q
}
s/.*/./; q'`
as_dir="$ac_dir"; as_fn_mkdir_p
ac_builddir=.
case "$ac_dir" in
.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
*)
ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
# A ".." for each directory in $ac_dir_suffix.
ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
case $ac_top_builddir_sub in
"") ac_top_builddir_sub=. ac_top_build_prefix= ;;
*) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
esac ;;
esac
ac_abs_top_builddir=$ac_pwd
ac_abs_builddir=$ac_pwd$ac_dir_suffix
# for backward compatibility:
ac_top_builddir=$ac_top_build_prefix
case $srcdir in
.) # We are building in place.
ac_srcdir=.
ac_top_srcdir=$ac_top_builddir_sub
ac_abs_top_srcdir=$ac_pwd ;;
[\\/]* | ?:[\\/]* ) # Absolute name.
ac_srcdir=$srcdir$ac_dir_suffix;
ac_top_srcdir=$srcdir
ac_abs_top_srcdir=$srcdir ;;
*) # Relative name.
ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
ac_top_srcdir=$ac_top_build_prefix$srcdir
ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
esac
ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
case $ac_mode in
:F)
#
# CONFIG_FILE
#
case $INSTALL in
[\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
*) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
esac
ac_MKDIR_P=$MKDIR_P
case $MKDIR_P in
[\\/$]* | ?:[\\/]* ) ;;
*/*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;;
esac
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# If the template does not know about datarootdir, expand it.
# FIXME: This hack should be removed a few years after 2.60.
ac_datarootdir_hack=; ac_datarootdir_seen=
ac_sed_dataroot='
/datarootdir/ {
p
q
}
/@datadir@/p
/@docdir@/p
/@infodir@/p
/@localedir@/p
/@mandir@/p'
case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
*datarootdir*) ac_datarootdir_seen=yes;;
*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_datarootdir_hack='
s&@datadir@&$datadir&g
s&@docdir@&$docdir&g
s&@infodir@&$infodir&g
s&@localedir@&$localedir&g
s&@mandir@&$mandir&g
s&\\\${datarootdir}&$datarootdir&g' ;;
esac
_ACEOF
# Neutralize VPATH when `$srcdir' = `.'.
# Shell code in configure.ac might set extrasub.
# FIXME: do we really want to maintain this feature?
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_sed_extra="$ac_vpsub
$extrasub
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
:t
/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
s|@configure_input@|$ac_sed_conf_input|;t t
s&@top_builddir@&$ac_top_builddir_sub&;t t
s&@top_build_prefix@&$ac_top_build_prefix&;t t
s&@srcdir@&$ac_srcdir&;t t
s&@abs_srcdir@&$ac_abs_srcdir&;t t
s&@top_srcdir@&$ac_top_srcdir&;t t
s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
s&@builddir@&$ac_builddir&;t t
s&@abs_builddir@&$ac_abs_builddir&;t t
s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
s&@INSTALL@&$ac_INSTALL&;t t
s&@MKDIR_P@&$ac_MKDIR_P&;t t
$ac_datarootdir_hack
"
eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \
>$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5
test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
{ ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } &&
{ ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \
"$ac_tmp/out"`; test -z "$ac_out"; } &&
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
which seems to be undefined. Please make sure it is defined" >&5
$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
which seems to be undefined. Please make sure it is defined" >&2;}
rm -f "$ac_tmp/stdin"
case $ac_file in
-) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";;
*) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";;
esac \
|| as_fn_error $? "could not create $ac_file" "$LINENO" 5
;;
esac
done # for ac_tag
as_fn_exit 0
_ACEOF
# config.status is complete: put back the clean-up list that was saved before
# $CONFIG_STATUS was added to it.
ac_clean_files=$ac_clean_files_save

# Any append to config.status that failed along the way is fatal.  The error
# call sits in the else branch so that $? is still the status of `test'.
if test $ac_write_fail = 0; then
  :
else
  as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
fi

# configure logs to config.log on descriptor 5 and config.status appends to
# the same file on its own.  On DOS the second open fails while configure
# still holds the file, and the output of config.status would be lost.
# Descriptor 5 is therefore pointed at /dev/null for the duration of the
# call, which closes config.log, and is reopened in append mode afterwards.
if test "$no_create" != yes; then
  ac_cs_success=:
  ac_config_status_args=
  if test "$silent" = yes; then
    ac_config_status_args="$ac_config_status_args --quiet"
  fi
  exec 5>/dev/null
  if $SHELL $CONFIG_STATUS $ac_config_status_args; then
    :
  else
    ac_cs_success=false
  fi
  exec 5>>config.log
  # Written with ||, not &&: with && a successful run would leave the if
  # with $? = 1 and make configure fail when this is its last instruction.
  $ac_cs_success || as_fn_exit 1
fi

# Report options that configure did not recognize, unless option checking
# was switched off.
if test -z "$ac_unrecognized_opts" || test "$enable_option_checking" = no; then
  :
else
  $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
  $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2
fi

# Closing banner: an empty line, the DONE message, an empty line.  Each one
# goes to the log (descriptor 5) as a "result:" entry and to descriptor 6.
for ac_msg in \
  "" \
  'DONE: Configuration done. Run "make install" to install CFEngine Masterfiles.' \
  ""
do
  $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_msg" >&5
  $as_echo "$ac_msg" >&6
done
cfengine-masterfiles-3.24.2/missing 0000755 0000000 0000000 00000015330 15010704303 017264 0 ustar 00root root 0000000 0000000 #! /bin/sh
# Common wrapper for a few potentially missing GNU programs.
scriptversion=2013-10-28.13; # UTC
# Copyright (C) 1996-2014 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard , 1996.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
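# Option handling for the wrapper itself.  At least one argument is required;
# a leading option is consumed here, anything else is taken to be the program
# to run.
# Fix: the help text ended in "Send bug reports to ." -- the address had been
# lost, so it is restored to the Automake bug list.
if test $# -eq 0; then
  echo 1>&2 "Try '$0 --help' for more information"
  exit 1
fi

case $1 in

  --is-lightweight)
    # Used by our autoconf macros to check whether the available missing
    # script is modern enough.
    exit 0
    ;;

  --run)
    # Back-compat with the calling convention used by older automake:
    # drop the flag and treat the remaining words as the command.
    shift
    ;;

  -h|--h|--he|--hel|--help)
    # The text is kept at column 0 because it is inside the quoted string.
    echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...
Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
to PROGRAM being missing or too old.
Options:
-h, --help display this help and exit
-v, --version output version information and exit
Supported PROGRAM values:
aclocal autoconf autoheader autom4te automake makeinfo
bison yacc flex lex help2man
Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
'g' are ignored when checking the name.
Send bug reports to <bug-automake@gnu.org>."
    exit $?
    ;;

  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
    echo "missing $scriptversion (GNU Automake)"
    exit $?
    ;;

  -*)
    # Any other word starting with a dash is rejected rather than executed.
    echo 1>&2 "$0: unknown '$1' option"
    echo 1>&2 "Try '$0 --help' for more information"
    exit 1
    ;;

esac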
# Run the wrapped command exactly as given and record how it ended.
"$@"
st=$?

# A clean exit needs no advice.
case $st in
  0) exit 0 ;;
esac

# When the first argument after the program name is '--version' or '--help',
# the call was most likely a probe for whether the program is present and
# works, so the failure status is handed back without any message.
if test "x$2" = x--version || test "x$2" = x--help; then
  exit $st
fi

# Only two statuses lead to advice:
#   63  - version mismatch, which often happens when an ancient version of a
#         tool is used on a file that requires a minimum version;
#   127 - the program was not found.
# Anything else means the program ran and failed on its own, so its status is
# passed through.
case $st in
  63) msg="probably too old" ;;
  127) msg="missing on your system" ;;
  *) exit $st ;;
esac
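# Project pages printed in the advice text below.  People follow these links
# to fetch build tools, so they point at HTTPS origins rather than plain
# HTTP; the flex entry uses the project's GitHub page, as current Automake
# releases of this script do.
perl_URL=https://www.perl.org/
flex_URL=https://github.com/westes/flex
gnu_software_URL=https://www.gnu.org/software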
# program_details PROGRAM
# -----------------------
# Print which GNU package PROGRAM belongs to and what that package needs in
# order to run.  Reads the globals gnu_software_URL and perl_URL.  Prints
# nothing for a PROGRAM outside the Automake and Autoconf families.
program_details ()
{
  case $1 in
    aclocal | automake)
      printf '%s\n' \
        "The '$1' program is part of the GNU Automake package:" \
        "<$gnu_software_URL/automake>" \
        "It also requires GNU Autoconf, GNU m4 and Perl in order to run:" \
        "<$gnu_software_URL/autoconf>" \
        "<$gnu_software_URL/m4/>" \
        "<$perl_URL>"
      ;;
    autoconf | autom4te | autoheader)
      printf '%s\n' \
        "The '$1' program is part of the GNU Autoconf package:" \
        "<$gnu_software_URL/autoconf/>" \
        "It also requires GNU m4 and Perl in order to run:" \
        "<$gnu_software_URL/m4/>" \
        "<$perl_URL>"
      ;;
  esac
}
# give_advice PROGRAM
# -------------------
# Print, on stdout, a short explanation of why PROGRAM was needed and where
# to get it.  The first line states that PROGRAM is $msg (a global set by the
# caller).  Also reads gnu_software_URL and flex_URL and calls
# program_details for the Autoconf and Automake tools.
give_advice ()
{
  # Name used for matching: a leading 'gnu-', 'gnu' or 'g' is removed, and
  # only the first of these that applies.
  normalized_program=`echo "$1" |
    sed -e 's/^gnu-//' -e t -e 's/^gnu//' -e t -e 's/^g//' -e t`

  printf '%s\n' "'$1' is $msg."

  configure_deps="'configure.ac' or m4 files included by 'configure.ac'"

  # The patterns end in '*' so that version suffixes still match.
  case $normalized_program in
    autoconf*)
      printf '%s\n' \
        "You should only need it if you modified 'configure.ac'," \
        "or m4 files included by it."
      program_details 'autoconf'
      ;;
    autoheader*)
      printf '%s\n' \
        "You should only need it if you modified 'acconfig.h' or" \
        "$configure_deps."
      program_details 'autoheader'
      ;;
    automake*)
      printf '%s\n' \
        "You should only need it if you modified 'Makefile.am' or" \
        "$configure_deps."
      program_details 'automake'
      ;;
    aclocal*)
      printf '%s\n' \
        "You should only need it if you modified 'acinclude.m4' or" \
        "$configure_deps."
      program_details 'aclocal'
      ;;
    autom4te*)
      printf '%s\n' \
        "You might have modified some maintainer files that require" \
        "the 'autom4te' program to be rebuilt."
      program_details 'autom4te'
      ;;
    bison* | yacc*)
      printf '%s\n' \
        "You should only need it if you modified a '.y' file." \
        "You may want to install the GNU Bison package:" \
        "<$gnu_software_URL/bison/>"
      ;;
    lex* | flex*)
      printf '%s\n' \
        "You should only need it if you modified a '.l' file." \
        "You may want to install the Fast Lexical Analyzer package:" \
        "<$flex_URL>"
      ;;
    help2man*)
      printf '%s\n' \
        "You should only need it if you modified a dependency of a man page." \
        "You may want to install the GNU Help2man package:" \
        "<$gnu_software_URL/help2man/>"
      ;;
    makeinfo*)
      printf '%s\n' \
        "You should only need it if you modified a '.texi' file, or" \
        "any other file indirectly affecting the aspect of the manual." \
        "You might want to install the Texinfo package:" \
        "<$gnu_software_URL/texinfo/>" \
        "The spurious makeinfo call might also be the consequence of" \
        "using a buggy 'make' (AIX, DU, IRIX), in which case you might" \
        "want to install GNU make:" \
        "<$gnu_software_URL/make/>"
      ;;
    *)
      printf '%s\n' \
        "You might have modified some files without having the proper" \
        "tools for further handling them. Check the 'README' file, it" \
        "often tells you about the needed prerequisites for installing" \
        "this package. You may also peek at any GNU archive site, in"
      # This line embeds the caller-supplied name; echo is kept for it so
      # that its output is unchanged.
      echo "case some other package contains this missing '$1' program."
      ;;
  esac
}
# Send the advice to stderr: the first line is prefixed with "WARNING: " and
# every following line with a space.
{
  give_advice "$1" |
    sed -e '1s/^/WARNING: /' -e '2,$s/^/ /'
} >&2

# Hand back the status of the wrapped program (expected to be 127 for a
# program that was not found, 63 for a version mismatch).
exit $st
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
cfengine-masterfiles-3.24.2/m4/ 0000755 0000000 0000000 00000000000 15010704326 016210 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/m4/adl_recursive_eval.m4 0000644 0000000 0000000 00000001167 15010704240 022310 0 ustar 00root root 0000000 0000000 dnl adl_RECURSIVE_EVAL(VALUE, RESULT)
dnl =================================
dnl Interpolate the VALUE in loop until it doesn't change,
dnl and set the result to $RESULT.
dnl WARNING: It's easy to get an infinite loop with some unsane input.
dnl Security note: VALUE is re-expanded with the shell eval builtin on every
dnl pass, inside double quotes, so any command substitution it contains is
dnl executed while configure runs. Pass only values that configure itself
dnl produced (directory variables built on prefix and exec_prefix), never
dnl text taken from an untrusted source.
dnl The loop runs in a subshell inside the command substitution, so the
dnl defaults assigned to prefix and exec_prefix stay local to this macro.
dnl A value whose expansion keeps changing never reaches a fixed point,
dnl and the loop then does not terminate.
AC_DEFUN([adl_RECURSIVE_EVAL],
[_lcl_receval="$1"
$2=`(test "x$prefix" = xNONE && prefix="$ac_default_prefix"
test "x$exec_prefix" = xNONE && exec_prefix="${prefix}"
_lcl_receval_old=''
while test "[$]_lcl_receval_old" != "[$]_lcl_receval"; do
_lcl_receval_old="[$]_lcl_receval"
eval _lcl_receval="\"[$]_lcl_receval\""
done
echo "[$]_lcl_receval")`])
cfengine-masterfiles-3.24.2/m4/cf3_platforms.m4 0000644 0000000 0000000 00000004076 15010704240 021216 0 ustar 00root root 0000000 0000000 #
# Copyright 2024 Northern.tech AS
#
# This file is part of CFEngine 3 - written and maintained by Northern.tech AS.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
#
# To the extent this program is licensed as part of the Enterprise
# versions of CFEngine, the applicable Commercial Open Source License
# (COSL) may apply to this file if you as a licensee so wish it. See
# included file COSL.txt.
#
#
# OS kernels conditionals. Don't use those unless it is really needed (if code
# depends on the *kernel* feature, and even then -- some kernel features are
# shared by different kernels).
#
# Good example: use LINUX to select code which uses inotify and netlink sockets.
# Bad example: use LINUX to select code which parses output of coreutils' ps(1).
#
# Each condition is a substring match on target_os: the test is true when
# grep or egrep prints a matching line. MACOSX and XNU use the same darwin
# test, and NT is also true for cygwin targets, where CYGWIN is true as well.
# NOTE(review): target_os is presumably set by AC_CANONICAL_TARGET before
# this file is expanded; confirm in configure.ac.
AM_CONDITIONAL([LINUX], [test -n "`echo ${target_os} | grep linux`"])
AM_CONDITIONAL([MACOSX], [test -n "`echo ${target_os} | grep darwin`"])
AM_CONDITIONAL([SOLARIS], [test -n "`(echo ${target_os} | egrep 'solaris|sunos')`"])
AM_CONDITIONAL([NT], [test -n "`(echo ${target_os} | egrep 'mingw|cygwin')`"])
AM_CONDITIONAL([CYGWIN], [test -n "`(echo ${target_os} | egrep 'cygwin')`"])
AM_CONDITIONAL([AIX], [test -n "`(echo ${target_os} | grep aix)`"])
AM_CONDITIONAL([HPUX], [test -n "`(echo ${target_os} | egrep 'hpux|hp-ux')`"])
AM_CONDITIONAL([FREEBSD], [test -n "`(echo ${target_os} | grep freebsd)`"])
AM_CONDITIONAL([NETBSD], [test -n "`(echo ${target_os} | grep netbsd)`"])
AM_CONDITIONAL([XNU], [test -n "`(echo ${target_os} | grep darwin)`"])
cfengine-masterfiles-3.24.2/m4/tar.m4 0000644 0000000 0000000 00000012351 15010704240 017235 0 ustar 00root root 0000000 0000000 # Check how to create a tarball. -*- Autoconf -*-
# Copyright (C) 2004-2015 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# _AM_PROG_TAR(FORMAT)
# --------------------
# Check how to create a tarball in format FORMAT.
# FORMAT should be one of 'v7', 'ustar', or 'pax'.
#
# Substitute a variable $(am__tar) that is a command
# writing to stdout a FORMAT-tarball containing the directory
# $tardir.
# tardir=directory && $(am__tar) > result.tar
#
# Substitute a variable $(am__untar) that extract such
# a tarball read from stdin.
# $(am__untar) < result.tar
#
# Review notes: every candidate archive command is built with the h flag or
# with -L, so symbolic links under tardir are followed and the link targets
# are what ends up in the tarball. The probe creates conftest.dir and
# conftest.tar in the current directory, removes conftest.dir again, and
# runs the candidate archive command through eval.
AC_DEFUN([_AM_PROG_TAR],
[# Always define AMTAR for backward compatibility. Yes, it's still used
# in the wild :-( We should find a proper way to deprecate it ...
AC_SUBST([AMTAR], ['$${TAR-tar}'])
# We'll loop over all known methods to create a tar archive until one works.
_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none'
m4_if([$1], [v7],
[am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'],
[m4_case([$1],
[ustar],
[# The POSIX 1988 'ustar' format is defined with fixed-size fields.
# There is notably a 21 bits limit for the UID and the GID. In fact,
# the 'pax' utility can hang on bigger UID/GID (see automake bug#8343
# and bug#13588).
am_max_uid=2097151 # 2^21 - 1
am_max_gid=$am_max_uid
# The $UID and $GID variables are not portable, so we need to resort
# to the POSIX-mandated id(1) utility. Errors in the 'id' calls
# below are definitely unexpected, so allow the users to see them
# (that is, avoid stderr redirection).
am_uid=`id -u || echo unknown`
am_gid=`id -g || echo unknown`
AC_MSG_CHECKING([whether UID '$am_uid' is supported by ustar format])
if test $am_uid -le $am_max_uid; then
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
_am_tools=none
fi
AC_MSG_CHECKING([whether GID '$am_gid' is supported by ustar format])
if test $am_gid -le $am_max_gid; then
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
_am_tools=none
fi],
[pax],
[],
[m4_fatal([Unknown tar format])])
AC_MSG_CHECKING([how to create a $1 tar archive])
# Go ahead even if we have the value already cached. We do so because we
# need to set the values for the 'am__tar' and 'am__untar' variables.
_am_tools=${am_cv_prog_tar_$1-$_am_tools}
for _am_tool in $_am_tools; do
case $_am_tool in
gnutar)
for _am_tar in tar gnutar gtar; do
AM_RUN_LOG([$_am_tar --version]) && break
done
# Work around CFEngine redmine #6925 by using --hard-dereference.
AM_RUN_LOG([$_am_tar --hard-dereference 2>&1 | grep 'unrecognized option'])
# Check if --hard-dereference is supported by this version of GNU Tar
# NOTE(review): ac_status is presumably the status AM_RUN_LOG recorded for
# the pipeline above, so 0 means grep found the error text and the flag is
# left out of the archive command.
if test "$ac_status" -eq 0; then
_am_gnutar_hard_dereference=false
am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"'
am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"'
else
_am_gnutar_hard_dereference=true
am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) --hard-dereference -chf - "'"$$tardir"'
am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) --hard-dereference -chf - "'"$tardir"'
fi
am__untar="$_am_tar -xf -"
;;
plaintar)
# Must skip GNU tar: if it does not support --format= it doesn't create
# ustar tarball either.
(tar --version) >/dev/null 2>&1 && continue
am__tar='tar chf - "$$tardir"'
am__tar_='tar chf - "$tardir"'
am__untar='tar xf -'
;;
pax)
am__tar='pax -L -x $1 -w "$$tardir"'
am__tar_='pax -L -x $1 -w "$tardir"'
am__untar='pax -r'
;;
cpio)
am__tar='find "$$tardir" -print | cpio -o -H $1 -L'
am__tar_='find "$tardir" -print | cpio -o -H $1 -L'
am__untar='cpio -i -H $1 -d'
;;
none)
am__tar=false
am__tar_=false
am__untar=false
;;
esac
# If the value was cached, stop now. We just wanted to have am__tar
# and am__untar set.
test -n "${am_cv_prog_tar_$1}" && break
# tar/untar a dummy directory, and stop if the command works.
rm -rf conftest.dir
mkdir conftest.dir
echo GrepMe > conftest.dir/file
# am__tar_ carries the same command as am__tar with a single dollar sign on
# tardir, the form the shell can evaluate here; am__tar doubles it.
AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar])
rm -rf conftest.dir
if test -s conftest.tar; then
AM_RUN_LOG([$am__untar /dev/null 2>&1 && break
fi
done
rm -rf conftest.dir
AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool])
AC_MSG_RESULT([$am_cv_prog_tar_$1])])
if test $_am_tool = gnutar; then
# We've checked already, so we're just printing here
AC_MSG_CHECKING([if GNU tar supports --hard-dereference])
if test x$_am_gnutar_hard_dereference = xtrue; then
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
fi
fi
AC_SUBST([am__tar])
AC_SUBST([am__untar])
]) # _AM_PROG_TAR
cfengine-masterfiles-3.24.2/README.md 0000644 0000000 0000000 00000006054 15010704240 017147 0 ustar 00root root 0000000 0000000 Looking for help?
* [Chat with us in #CFEngine:matrix.org](https://matrix.to/#/#CFEngine:matrix.org).
* Ask questions on [Github Discussions](https://github.com/cfengine/core/discussions/) or the mailing list [help-cfengine@googlegroups.com](https://groups.google.com/g/help-cfengine).
# CFEngine 3 masterfiles
CFEngine 3 is a popular open source configuration management system. Its primary
function is to provide automated configuration and maintenance of large-scale
computer systems.
The MPF or Masterfiles Policy Framework is intended to provide a stable base
for policy installations and upgrades, and is used by both CFEngine Enterprise and
CFEngine community in versions 3.6 and newer.
The
[documentation for the MPF](https://docs.cfengine.com/docs/master/reference-masterfiles-policy-framework.html) is
highly recommended.
## Installation
There are several methods available for installing the CFEngine Masterfiles
Policy Framework.
* From pkg tarball
* From git
* From source tarball
### From pkg tarball
If you have downloaded
a [package tarball from our website](https://cfengine.com/product/community/)
(not from github), you don't need to `autogen`, `configure` or `make` anything.
Instead simply unpack the tarball to the desired location using `tar`.
For example:
```
tar zxvf cfengine-masterfiles-MAJOR.MINOR.PATCH.pkg.tar.gz /var/cfengine/masterfiles
```
### From git
Clone this repository
```
git clone https://github.com/cfengine/masterfiles
```
If you have cloned the repository from github:
Run autogen and make to build masterfiles.
```
./autogen.sh
make
```
Optionally configure masterfiles to install to a different location (perhaps your
own version control checkout)
```
./configure --prefix=/tmp/cfengine/
make
```
```
make install
```
### From source tarball
If you have downloaded
a [release tarball from our website](https://cfengine.com/product/community/)
(not from github), you don't need to run `autogen.sh`. By default it installs in
`/var/cfengine/masterfiles` but you can override that easily:
```
./configure --prefix=/install/directory
make install
```
Note that the last directory component will always be called `masterfiles`.
## Host report
A very important piece of functionality, which you may want for your
own use but will certainly be helpful for debugging or submitting bugs
to CFEngine (core, masterfiles, or any other area) is the host report.
Run the host report like so: `cf-agent -b host_info_report`
You should see output like:
```
R: Host info report generated and available at '/var/cfengine/reports/host_info_report.txt'
```
Take a look at the resulting file; it has lots of useful information about the system.
## Contributing
Please see the [CONTRIBUTING.md](CONTRIBUTING.md) file.
The CFEngine masterfiles are under the MIT license, see [LICENSE](LICENSE)
# Authors
CFEngine was originally created by Mark Burgess with many contributions from
around the world. Thanks [everyone](https://github.com/cfengine/core/blob/master/AUTHORS)!
[CFEngine](https://cfengine.com) is sponsored by [Northern.tech AS](https://northern.tech)
cfengine-masterfiles-3.24.2/config.guess 0000755 0000000 0000000 00000125644 15010704303 020217 0 ustar 00root root 0000000 0000000 #! /bin/sh
# Attempt to guess a canonical system name.
# Copyright 1992-2016 Free Software Foundation, Inc.
timestamp='2016-10-02'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that
# program. This Exception is an additional permission under section 7
# of the GNU General Public License, version 3 ("GPLv3").
#
# Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
#
# You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
#
# Please send patches to .
# Base name of this script, used in the messages below.
me=`echo "$0" | sed -e 's,.*/,,'`
# Text printed for --help.
usage="\
Usage: $0 [OPTION]
Output the configuration name of the system \`$me' is run on.
Operation modes:
-h, --help print this help, then exit
-t, --time-stamp print date of last modification, then exit
-v, --version print version number, then exit
Report bugs and patches to ."
# Text printed for --version.
version="\
GNU config.guess ($timestamp)
Originally written by Per Bothner.
Copyright 1992-2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
# Suffix appended to the error messages below; it starts with a newline.
help="
Try \`$me --help' for more information."
# Parse command line
# Long options may be abbreviated (--time*, --h*). A lone "-" and any
# non-option word end the loop without being consumed, so the argument-count
# check after the loop rejects them; "--" is consumed before the loop ends.
while test $# -gt 0 ; do
case $1 in
--time-stamp | --time* | -t )
echo "$timestamp" ; exit ;;
--version | -v )
echo "$version" ; exit ;;
--help | --h* | -h )
echo "$usage"; exit ;;
-- ) # Stop option processing
shift; break ;;
- ) # Use stdin as input.
break ;;
-* )
echo "$me: invalid option $1$help" >&2
exit 1 ;;
* )
break ;;
esac
done
# Anything still left on the command line is an error.
if test $# != 0; then
echo "$me: too many arguments$help" >&2
exit 1
fi
# Exit with status 1 on signals 1, 2 and 15.
trap 'exit 1' 1 2 15
# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
# compiler to aid in system detection is discouraged as it requires
# temporary files to be created and, as you can see below, it is a
# headache to deal with in a portable fashion.
# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
# use `HOST_CC' if defined, but it is deprecated.
# Portable tmp directory creation inspired by the Autoconf team.
# Review notes on the snippet below. It is stored in a string and run later
# with an unquoted "eval $set_cc_for_build", which joins the lines with
# spaces, so no comment may be placed inside the string itself.
# - Temp directory: tried in order are mktemp -d under umask 077, then a
#   name built from $$ and $RANDOM, then the predictable name cg-$$ (with a
#   warning on stderr). Both fallbacks use plain mkdir, which fails when the
#   path already exists, so an existing directory is not adopted. If all
#   three attempts fail the script exits with status 1.
# - $tmp and $TMPDIR are expanded unquoted in the fallbacks, so a TMPDIR
#   containing whitespace or glob characters is not handled.
# - The compiler comes from the environment: CC_FOR_BUILD, then HOST_CC, then
#   CC. Only when all three are empty are cc, gcc, c89 and c99 probed.
#   Whatever the chosen variable names is executed, so the result is only as
#   trustworthy as the environment and PATH the script is run with.
# - The exit and signal traps remove the files listed in tmpfiles and then
#   the directory.
# - The snippet clears set_cc_for_build at its end, so later evals do nothing.
set_cc_for_build='
trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
: ${TMPDIR=/tmp} ;
{ tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
{ test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
{ tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
{ echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
dummy=$tmp/dummy ;
tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
case $CC_FOR_BUILD,$HOST_CC,$CC in
,,) echo "int x;" > $dummy.c ;
for c in cc gcc c89 c99 ; do
if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
CC_FOR_BUILD="$c"; break ;
fi ;
done ;
if test x"$CC_FOR_BUILD" = x ; then
CC_FOR_BUILD=no_compiler_found ;
fi
;;
,,*) CC_FOR_BUILD=$CC ;;
,*,*) CC_FOR_BUILD=$HOST_CC ;;
esac ; set_cc_for_build= ;'
# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
# (ghazi@noc.rutgers.edu 1994-08-24)
# The directory is appended, so entries already on PATH take precedence.
if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
PATH=$PATH:/.attbin ; export PATH
fi
# Collect the four uname fields that select a branch further down. Each
# probe runs in a subshell with stderr discarded and falls back to the
# literal "unknown" when the command fails.
UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
# On Linux and GNU systems, determine which C library the build compiler
# targets; LIBC stays at its default when the probe yields nothing.
case "${UNAME_SYSTEM}" in
Linux|GNU|GNU/*)
# If the system lacks a compiler, then just pick glibc.
# We could probably try harder.
LIBC=gnu
eval $set_cc_for_build
cat <<-EOF > $dummy.c
#include
#if defined(__UCLIBC__)
LIBC=uclibc
#elif defined(__dietlibc__)
LIBC=dietlibc
#else
LIBC=gnu
#endif
EOF
# The preprocessor output is filtered to lines starting with LIBC, stripped
# of spaces, and then evaluated as shell code. The result is only as
# trustworthy as the program named by CC_FOR_BUILD; its stderr is discarded.
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
;;
esac
# Note: order is significant - the case branches are not exclusive.
case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
*:NetBSD:*:*)
# NetBSD (nbsd) targets should (where applicable) match one or
# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
# *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
# switched to ELF, *-*-netbsd* would select the old
# object file format. This provides both forward
# compatibility and a consistent mechanism for selecting the
# object file format.
#
# Note: NetBSD doesn't particularly care about the vendor
# portion of the name. We always set it to "unknown".
sysctl="sysctl -n hw.machine_arch"
UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \
/sbin/$sysctl 2>/dev/null || \
/usr/sbin/$sysctl 2>/dev/null || \
echo unknown)`
case "${UNAME_MACHINE_ARCH}" in
armeb) machine=armeb-unknown ;;
arm*) machine=arm-unknown ;;
sh3el) machine=shl-unknown ;;
sh3eb) machine=sh-unknown ;;
sh5el) machine=sh5le-unknown ;;
earmv*)
arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'`
endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'`
machine=${arch}${endian}-unknown
;;
*) machine=${UNAME_MACHINE_ARCH}-unknown ;;
esac
# The Operating System including object format, if it has switched
# to ELF recently (or will in the future) and ABI.
case "${UNAME_MACHINE_ARCH}" in
earm*)
os=netbsdelf
;;
arm*|i386|m68k|ns32k|sh3*|sparc|vax)
eval $set_cc_for_build
if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ELF__
then
# Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
# Return netbsd for either. FIX?
os=netbsd
else
os=netbsdelf
fi
;;
*)
os=netbsd
;;
esac
# Determine ABI tags.
case "${UNAME_MACHINE_ARCH}" in
earm*)
expr='s/^earmv[0-9]/-eabi/;s/eb$//'
abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"`
;;
esac
# The OS release
# Debian GNU/NetBSD machines have a different userland, and
# thus, need a distinct triplet. However, they do not need
# kernel version information, so it can be replaced with a
# suitable tag, in the style of linux-gnu.
case "${UNAME_VERSION}" in
Debian*)
release='-gnu'
;;
*)
release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2`
;;
esac
# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
# contains redundant information, the shorter form:
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
echo "${machine}-${os}${release}${abi}"
exit ;;
*:Bitrig:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
exit ;;
*:OpenBSD:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
exit ;;
*:LibertyBSD:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
exit ;;
*:ekkoBSD:*:*)
echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
exit ;;
*:SolidBSD:*:*)
echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE}
exit ;;
macppc:MirBSD:*:*)
echo powerpc-unknown-mirbsd${UNAME_RELEASE}
exit ;;
*:MirBSD:*:*)
echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
exit ;;
*:Sortix:*:*)
echo ${UNAME_MACHINE}-unknown-sortix
exit ;;
alpha:OSF1:*:*)
case $UNAME_RELEASE in
*4.0)
UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
;;
*5.*)
UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
;;
esac
# According to Compaq, /usr/sbin/psrinfo has been available on
# OSF/1 and Tru64 systems produced since 1995. I hope that
# covers most systems running today. This code pipes the CPU
# types through head -n 1, so we only detect the type of CPU 0.
ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
case "$ALPHA_CPU_TYPE" in
"EV4 (21064)")
UNAME_MACHINE=alpha ;;
"EV4.5 (21064)")
UNAME_MACHINE=alpha ;;
"LCA4 (21066/21068)")
UNAME_MACHINE=alpha ;;
"EV5 (21164)")
UNAME_MACHINE=alphaev5 ;;
"EV5.6 (21164A)")
UNAME_MACHINE=alphaev56 ;;
"EV5.6 (21164PC)")
UNAME_MACHINE=alphapca56 ;;
"EV5.7 (21164PC)")
UNAME_MACHINE=alphapca57 ;;
"EV6 (21264)")
UNAME_MACHINE=alphaev6 ;;
"EV6.7 (21264A)")
UNAME_MACHINE=alphaev67 ;;
"EV6.8CB (21264C)")
UNAME_MACHINE=alphaev68 ;;
"EV6.8AL (21264B)")
UNAME_MACHINE=alphaev68 ;;
"EV6.8CX (21264D)")
UNAME_MACHINE=alphaev68 ;;
"EV6.9A (21264/EV69A)")
UNAME_MACHINE=alphaev69 ;;
"EV7 (21364)")
UNAME_MACHINE=alphaev7 ;;
"EV7.9 (21364A)")
UNAME_MACHINE=alphaev79 ;;
esac
# A Pn.n version is a patched version.
# A Vn.n version is a released version.
# A Tn.n version is a released field test version.
# A Xn.n version is an unreleased experimental baselevel.
# 1.2 uses "1.2" for uname -r.
echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
exitcode=$?
trap '' 0
exit $exitcode ;;
Alpha\ *:Windows_NT*:*)
# How do we know it's Interix rather than the generic POSIX subsystem?
# Should we change UNAME_MACHINE based on the output of uname instead
# of the specific Alpha model?
echo alpha-pc-interix
exit ;;
21064:Windows_NT:50:3)
echo alpha-dec-winnt3.5
exit ;;
Amiga*:UNIX_System_V:4.0:*)
echo m68k-unknown-sysv4
exit ;;
*:[Aa]miga[Oo][Ss]:*:*)
echo ${UNAME_MACHINE}-unknown-amigaos
exit ;;
*:[Mm]orph[Oo][Ss]:*:*)
echo ${UNAME_MACHINE}-unknown-morphos
exit ;;
*:OS/390:*:*)
echo i370-ibm-openedition
exit ;;
*:z/VM:*:*)
echo s390-ibm-zvmoe
exit ;;
*:OS400:*:*)
echo powerpc-ibm-os400
exit ;;
arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
echo arm-acorn-riscix${UNAME_RELEASE}
exit ;;
arm*:riscos:*:*|arm*:RISCOS:*:*)
echo arm-unknown-riscos
exit ;;
SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
echo hppa1.1-hitachi-hiuxmpp
exit ;;
Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
if test "`(/bin/universe) 2>/dev/null`" = att ; then
echo pyramid-pyramid-sysv3
else
echo pyramid-pyramid-bsd
fi
exit ;;
NILE*:*:*:dcosx)
echo pyramid-pyramid-svr4
exit ;;
DRS?6000:unix:4.0:6*)
echo sparc-icl-nx6
exit ;;
DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
case `/usr/bin/uname -p` in
sparc) echo sparc-icl-nx7; exit ;;
esac ;;
s390x:SunOS:*:*)
echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;;
sun4H:SunOS:5.*:*)
echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;;
sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;;
i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*)
echo i386-pc-auroraux${UNAME_RELEASE}
exit ;;
i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
eval $set_cc_for_build
SUN_ARCH=i386
# If there is a compiler, see if it is configured for 64-bit objects.
# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
# This test works for both compilers.
if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
SUN_ARCH=x86_64
fi
fi
echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;;
sun4*:SunOS:6*:*)
# According to config.sub, this is the proper way to canonicalize
# SunOS6. Hard to guess exactly what SunOS6 will be like, but
# it's likely to be more like Solaris than SunOS4.
echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;;
sun4*:SunOS:*:*)
case "`/usr/bin/arch -k`" in
Series*|S4*)
UNAME_RELEASE=`uname -v`
;;
esac
# Japanese Language versions have a version number like `4.1.3-JL'.
echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
exit ;;
sun3*:SunOS:*:*)
echo m68k-sun-sunos${UNAME_RELEASE}
exit ;;
sun*:*:4.2BSD:*)
UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3
case "`/bin/arch`" in
sun3)
echo m68k-sun-sunos${UNAME_RELEASE}
;;
sun4)
echo sparc-sun-sunos${UNAME_RELEASE}
;;
esac
exit ;;
aushp:SunOS:*:*)
echo sparc-auspex-sunos${UNAME_RELEASE}
exit ;;
# The situation for MiNT is a little confusing. The machine name
# can be virtually everything (everything which is not
# "atarist" or "atariste" at least should have a processor
# > m68000). The system name ranges from "MiNT" over "FreeMiNT"
# to the lowercase version "mint" (or "freemint"). Finally
# the system name "TOS" denotes a system which is actually not
# MiNT. But MiNT is downward compatible to TOS, so this should
# be no problem.
atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
echo m68k-atari-mint${UNAME_RELEASE}
exit ;;
atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
echo m68k-atari-mint${UNAME_RELEASE}
exit ;;
*falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
echo m68k-atari-mint${UNAME_RELEASE}
exit ;;
milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
echo m68k-milan-mint${UNAME_RELEASE}
exit ;;
hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
echo m68k-hades-mint${UNAME_RELEASE}
exit ;;
*:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
echo m68k-unknown-mint${UNAME_RELEASE}
exit ;;
m68k:machten:*:*)
echo m68k-apple-machten${UNAME_RELEASE}
exit ;;
powerpc:machten:*:*)
echo powerpc-apple-machten${UNAME_RELEASE}
exit ;;
RISC*:Mach:*:*)
echo mips-dec-mach_bsd4.3
exit ;;
RISC*:ULTRIX:*:*)
echo mips-dec-ultrix${UNAME_RELEASE}
exit ;;
VAX*:ULTRIX*:*:*)
echo vax-dec-ultrix${UNAME_RELEASE}
exit ;;
2020:CLIX:*:* | 2430:CLIX:*:*)
echo clipper-intergraph-clix${UNAME_RELEASE}
exit ;;
mips:*:*:UMIPS | mips:*:*:RISCos)
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#ifdef __cplusplus
#include /* for printf() prototype */
int main (int argc, char *argv[]) {
#else
int main (argc, argv) int argc; char *argv[]; {
#endif
#if defined (host_mips) && defined (MIPSEB)
#if defined (SYSTYPE_SYSV)
printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
#endif
#if defined (SYSTYPE_SVR4)
printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
#endif
#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
#endif
#endif
exit (-1);
}
EOF
$CC_FOR_BUILD -o $dummy $dummy.c &&
dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
SYSTEM_NAME=`$dummy $dummyarg` &&
{ echo "$SYSTEM_NAME"; exit; }
echo mips-mips-riscos${UNAME_RELEASE}
exit ;;
Motorola:PowerMAX_OS:*:*)
echo powerpc-motorola-powermax
exit ;;
Motorola:*:4.3:PL8-*)
echo powerpc-harris-powermax
exit ;;
Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
echo powerpc-harris-powermax
exit ;;
Night_Hawk:Power_UNIX:*:*)
echo powerpc-harris-powerunix
exit ;;
m88k:CX/UX:7*:*)
echo m88k-harris-cxux7
exit ;;
m88k:*:4*:R4*)
echo m88k-motorola-sysv4
exit ;;
m88k:*:3*:R3*)
echo m88k-motorola-sysv3
exit ;;
AViiON:dgux:*:*)
# DG/UX returns AViiON for all architectures
UNAME_PROCESSOR=`/usr/bin/uname -p`
if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
then
if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
[ ${TARGET_BINARY_INTERFACE}x = x ]
then
echo m88k-dg-dgux${UNAME_RELEASE}
else
echo m88k-dg-dguxbcs${UNAME_RELEASE}
fi
else
echo i586-dg-dgux${UNAME_RELEASE}
fi
exit ;;
M88*:DolphinOS:*:*) # DolphinOS (SVR3)
echo m88k-dolphin-sysv3
exit ;;
M88*:*:R3*:*)
# Delta 88k system running SVR3
echo m88k-motorola-sysv3
exit ;;
XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
echo m88k-tektronix-sysv3
exit ;;
Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
echo m68k-tektronix-bsd
exit ;;
*:IRIX*:*:*)
echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
exit ;;
????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
exit ;; # Note that: echo "'`uname -s`'" gives 'AIX '
i*86:AIX:*:*)
echo i386-ibm-aix
exit ;;
ia64:AIX:*:*)
if [ -x /usr/bin/oslevel ] ; then
IBM_REV=`/usr/bin/oslevel`
else
IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
fi
echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
exit ;;
*:AIX:2:3)
if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#include
main()
{
if (!__power_pc())
exit(1);
puts("powerpc-ibm-aix3.2.5");
exit(0);
}
EOF
if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
then
echo "$SYSTEM_NAME"
else
echo rs6000-ibm-aix3.2.5
fi
elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
echo rs6000-ibm-aix3.2.4
else
echo rs6000-ibm-aix3.2
fi
exit ;;
*:AIX:*:[4567])
IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
IBM_ARCH=rs6000
else
IBM_ARCH=powerpc
fi
if [ -x /usr/bin/lslpp ] ; then
IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc |
awk -F: '{ print $3 }' | sed s/[0-9]*$/0/`
else
IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
fi
echo ${IBM_ARCH}-ibm-aix${IBM_REV}
exit ;;
*:AIX:*:*)
echo rs6000-ibm-aix
exit ;;
ibmrt:4.4BSD:*|romp-ibm:BSD:*)
echo romp-ibm-bsd4.4
exit ;;
ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
exit ;; # report: romp-ibm BSD 4.3
*:BOSX:*:*)
echo rs6000-bull-bosx
exit ;;
DPX/2?00:B.O.S.:*:*)
echo m68k-bull-sysv3
exit ;;
9000/[34]??:4.3bsd:1.*:*)
echo m68k-hp-bsd
exit ;;
hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
echo m68k-hp-bsd4.4
exit ;;
9000/[34678]??:HP-UX:*:*)
HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
case "${UNAME_MACHINE}" in
9000/31? ) HP_ARCH=m68000 ;;
9000/[34]?? ) HP_ARCH=m68k ;;
9000/[678][0-9][0-9])
if [ -x /usr/bin/getconf ]; then
sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
case "${sc_cpu_version}" in
523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0
528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1
532) # CPU_PA_RISC2_0
case "${sc_kernel_bits}" in
32) HP_ARCH=hppa2.0n ;;
64) HP_ARCH=hppa2.0w ;;
'') HP_ARCH=hppa2.0 ;; # HP-UX 10.20
esac ;;
esac
fi
if [ "${HP_ARCH}" = "" ]; then
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#define _HPUX_SOURCE
#include
#include
int main ()
{
#if defined(_SC_KERNEL_BITS)
long bits = sysconf(_SC_KERNEL_BITS);
#endif
long cpu = sysconf (_SC_CPU_VERSION);
switch (cpu)
{
case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
case CPU_PA_RISC2_0:
#if defined(_SC_KERNEL_BITS)
switch (bits)
{
case 64: puts ("hppa2.0w"); break;
case 32: puts ("hppa2.0n"); break;
default: puts ("hppa2.0"); break;
} break;
#else /* !defined(_SC_KERNEL_BITS) */
puts ("hppa2.0"); break;
#endif
default: puts ("hppa1.0"); break;
}
exit (0);
}
EOF
(CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
test -z "$HP_ARCH" && HP_ARCH=hppa
fi ;;
esac
if [ ${HP_ARCH} = hppa2.0w ]
then
eval $set_cc_for_build
# hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
# 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler
# generating 64-bit code. GNU and HP use different nomenclature:
#
# $ CC_FOR_BUILD=cc ./config.guess
# => hppa2.0w-hp-hpux11.23
# $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
# => hppa64-hp-hpux11.23
if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) |
grep -q __LP64__
then
HP_ARCH=hppa2.0w
else
HP_ARCH=hppa64
fi
fi
echo ${HP_ARCH}-hp-hpux${HPUX_REV}
exit ;;
ia64:HP-UX:*:*)
HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
echo ia64-hp-hpux${HPUX_REV}
exit ;;
3050*:HI-UX:*:*)
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#include
int
main ()
{
long cpu = sysconf (_SC_CPU_VERSION);
/* The order matters, because CPU_IS_HP_MC68K erroneously returns
true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct
results, however. */
if (CPU_IS_PA_RISC (cpu))
{
switch (cpu)
{
case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
default: puts ("hppa-hitachi-hiuxwe2"); break;
}
}
else if (CPU_IS_HP_MC68K (cpu))
puts ("m68k-hitachi-hiuxwe2");
else puts ("unknown-hitachi-hiuxwe2");
exit (0);
}
EOF
$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
{ echo "$SYSTEM_NAME"; exit; }
echo unknown-hitachi-hiuxwe2
exit ;;
9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
echo hppa1.1-hp-bsd
exit ;;
9000/8??:4.3bsd:*:*)
echo hppa1.0-hp-bsd
exit ;;
*9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
echo hppa1.0-hp-mpeix
exit ;;
hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
echo hppa1.1-hp-osf
exit ;;
hp8??:OSF1:*:*)
echo hppa1.0-hp-osf
exit ;;
i*86:OSF1:*:*)
if [ -x /usr/sbin/sysversion ] ; then
echo ${UNAME_MACHINE}-unknown-osf1mk
else
echo ${UNAME_MACHINE}-unknown-osf1
fi
exit ;;
parisc*:Lites*:*:*)
echo hppa1.1-hp-lites
exit ;;
C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
echo c1-convex-bsd
exit ;;
C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
if getsysinfo -f scalar_acc
then echo c32-convex-bsd
else echo c2-convex-bsd
fi
exit ;;
C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
echo c34-convex-bsd
exit ;;
C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
echo c38-convex-bsd
exit ;;
C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
echo c4-convex-bsd
exit ;;
CRAY*Y-MP:*:*:*)
echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
CRAY*[A-Z]90:*:*:*)
echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
-e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
-e 's/\.[^.]*$/.X/'
exit ;;
CRAY*TS:*:*:*)
echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
CRAY*T3E:*:*:*)
echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
CRAY*SV1:*:*:*)
echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
*:UNICOS/mp:*:*)
echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
5000:UNIX_System_V:4.*:*)
FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
exit ;;
sparc*:BSD/OS:*:*)
echo sparc-unknown-bsdi${UNAME_RELEASE}
exit ;;
*:BSD/OS:*:*)
echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
exit ;;
*:FreeBSD:*:*)
UNAME_PROCESSOR=`/usr/bin/uname -p`
case ${UNAME_PROCESSOR} in
amd64)
echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
*)
echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
esac
exit ;;
i*:CYGWIN*:*)
echo ${UNAME_MACHINE}-pc-cygwin
exit ;;
*:MINGW64*:*)
echo ${UNAME_MACHINE}-pc-mingw64
exit ;;
*:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
exit ;;
*:MSYS*:*)
echo ${UNAME_MACHINE}-pc-msys
exit ;;
i*:windows32*:*)
# uname -m includes "-pc" on this system.
echo ${UNAME_MACHINE}-mingw32
exit ;;
i*:PW*:*)
echo ${UNAME_MACHINE}-pc-pw32
exit ;;
*:Interix*:*)
case ${UNAME_MACHINE} in
x86)
echo i586-pc-interix${UNAME_RELEASE}
exit ;;
authenticamd | genuineintel | EM64T)
echo x86_64-unknown-interix${UNAME_RELEASE}
exit ;;
IA64)
echo ia64-unknown-interix${UNAME_RELEASE}
exit ;;
esac ;;
[345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
echo i${UNAME_MACHINE}-pc-mks
exit ;;
8664:Windows_NT:*)
echo x86_64-pc-mks
exit ;;
i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
# How do we know it's Interix rather than the generic POSIX subsystem?
# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
# UNAME_MACHINE based on the output of uname instead of i386?
echo i586-pc-interix
exit ;;
i*:UWIN*:*)
echo ${UNAME_MACHINE}-pc-uwin
exit ;;
amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
echo x86_64-unknown-cygwin
exit ;;
p*:CYGWIN*:*)
echo powerpcle-unknown-cygwin
exit ;;
prep*:SunOS:5.*:*)
echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;;
*:GNU:*:*)
# the GNU system
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
exit ;;
*:GNU/*:*:*)
# other systems with GNU libc and userland
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
exit ;;
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
exit ;;
aarch64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
aarch64_be:Linux:*:*)
UNAME_MACHINE=aarch64_be
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
alpha:Linux:*:*)
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
EV5) UNAME_MACHINE=alphaev5 ;;
EV56) UNAME_MACHINE=alphaev56 ;;
PCA56) UNAME_MACHINE=alphapca56 ;;
PCA57) UNAME_MACHINE=alphapca56 ;;
EV6) UNAME_MACHINE=alphaev6 ;;
EV67) UNAME_MACHINE=alphaev67 ;;
EV68*) UNAME_MACHINE=alphaev68 ;;
esac
objdump --private-headers /bin/sh | grep -q ld.so.1
if test "$?" = 0 ; then LIBC=gnulibc1 ; fi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arc:Linux:*:* | arceb:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arm*:Linux:*:*)
eval $set_cc_for_build
if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_EABI__
then
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
else
if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_PCS_VFP
then
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
else
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
fi
fi
exit ;;
avr32*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
cris:Linux:*:*)
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
exit ;;
crisv32:Linux:*:*)
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
exit ;;
e2k:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
frv:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
hexagon:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
i*86:Linux:*:*)
echo ${UNAME_MACHINE}-pc-linux-${LIBC}
exit ;;
ia64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
k1om:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
m32r*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
m68*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
mips:Linux:*:* | mips64:Linux:*:*)
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#undef CPU
#undef ${UNAME_MACHINE}
#undef ${UNAME_MACHINE}el
#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
CPU=${UNAME_MACHINE}el
#else
#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
CPU=${UNAME_MACHINE}
#else
CPU=
#endif
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
;;
mips64el:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
openrisc*:Linux:*:*)
echo or1k-unknown-linux-${LIBC}
exit ;;
or32:Linux:*:* | or1k*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
padre:Linux:*:*)
echo sparc-unknown-linux-${LIBC}
exit ;;
parisc64:Linux:*:* | hppa64:Linux:*:*)
echo hppa64-unknown-linux-${LIBC}
exit ;;
parisc:Linux:*:* | hppa:Linux:*:*)
# Look for CPU level
case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
*) echo hppa-unknown-linux-${LIBC} ;;
esac
exit ;;
ppc64:Linux:*:*)
echo powerpc64-unknown-linux-${LIBC}
exit ;;
ppc:Linux:*:*)
echo powerpc-unknown-linux-${LIBC}
exit ;;
ppc64le:Linux:*:*)
echo powerpc64le-unknown-linux-${LIBC}
exit ;;
ppcle:Linux:*:*)
echo powerpcle-unknown-linux-${LIBC}
exit ;;
riscv32:Linux:*:* | riscv64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
s390:Linux:*:* | s390x:Linux:*:*)
echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
exit ;;
sh64*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
sh*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
sparc:Linux:*:* | sparc64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
tile*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
vax:Linux:*:*)
echo ${UNAME_MACHINE}-dec-linux-${LIBC}
exit ;;
x86_64:Linux:*:*)
echo ${UNAME_MACHINE}-pc-linux-${LIBC}
exit ;;
xtensa*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
i*86:DYNIX/ptx:4*:*)
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
# earlier versions are messed up and put the nodename in both
# sysname and nodename.
echo i386-sequent-sysv4
exit ;;
i*86:UNIX_SV:4.2MP:2.*)
# Unixware is an offshoot of SVR4, but it has its own version
# number series starting with 2...
# I am not positive that other SVR4 systems won't match this,
# I just have to hope. -- rms.
# Use sysv4.2uw... so that sysv4* matches it.
echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
exit ;;
i*86:OS/2:*:*)
# If we were able to find `uname', then EMX Unix compatibility
# is probably installed.
echo ${UNAME_MACHINE}-pc-os2-emx
exit ;;
i*86:XTS-300:*:STOP)
echo ${UNAME_MACHINE}-unknown-stop
exit ;;
i*86:atheos:*:*)
echo ${UNAME_MACHINE}-unknown-atheos
exit ;;
i*86:syllable:*:*)
echo ${UNAME_MACHINE}-pc-syllable
exit ;;
i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*)
echo i386-unknown-lynxos${UNAME_RELEASE}
exit ;;
i*86:*DOS:*:*)
echo ${UNAME_MACHINE}-pc-msdosdjgpp
exit ;;
i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
else
echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
fi
exit ;;
i*86:*:5:[678]*)
# UnixWare 7.x, OpenUNIX and OpenServer 6.
case `/bin/uname -X | grep "^Machine"` in
*486*) UNAME_MACHINE=i486 ;;
*Pentium) UNAME_MACHINE=i586 ;;
*Pent*|*Celeron) UNAME_MACHINE=i686 ;;
esac
echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
exit ;;
i*86:*:3.2:*)
if test -f /usr/options/cb.name; then
UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then
UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
&& UNAME_MACHINE=i586
(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
&& UNAME_MACHINE=i686
(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
&& UNAME_MACHINE=i686
echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
else
echo ${UNAME_MACHINE}-pc-sysv32
fi
exit ;;
pc:*:*:*)
# Left here for compatibility:
# uname -m prints for DJGPP always 'pc', but it prints nothing about
# the processor, so we play safe by assuming i586.
# Note: whatever this is, it MUST be the same as what config.sub
# prints for the "djgpp" host, or else GDB configure will decide that
# this is a cross-build.
echo i586-pc-msdosdjgpp
exit ;;
Intel:Mach:3*:*)
echo i386-pc-mach3
exit ;;
paragon:*:*:*)
echo i860-intel-osf1
exit ;;
i860:*:4.*:*) # i860-SVR4
if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
else # Add other i860-SVR4 vendors below as they are discovered.
echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4
fi
exit ;;
mini*:CTIX:SYS*5:*)
# "miniframe"
echo m68010-convergent-sysv
exit ;;
mc68k:UNIX:SYSTEM5:3.51m)
echo m68k-convergent-sysv
exit ;;
M680?0:D-NIX:5.3:*)
echo m68k-diab-dnix
exit ;;
M68*:*:R3V[5678]*:*)
test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
OS_REL=''
test -r /etc/.relid \
&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
&& { echo i486-ncr-sysv4.3${OS_REL}; exit; }
/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
&& { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
&& { echo i486-ncr-sysv4; exit; } ;;
NCR*:*:4.2:* | MPRAS*:*:4.2:*)
OS_REL='.3'
test -r /etc/.relid \
&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
&& { echo i486-ncr-sysv4.3${OS_REL}; exit; }
/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
&& { echo i586-ncr-sysv4.3${OS_REL}; exit; }
/bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \
&& { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
echo m68k-unknown-lynxos${UNAME_RELEASE}
exit ;;
mc68030:UNIX_System_V:4.*:*)
echo m68k-atari-sysv4
exit ;;
TSUNAMI:LynxOS:2.*:*)
echo sparc-unknown-lynxos${UNAME_RELEASE}
exit ;;
rs6000:LynxOS:2.*:*)
echo rs6000-unknown-lynxos${UNAME_RELEASE}
exit ;;
PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*)
echo powerpc-unknown-lynxos${UNAME_RELEASE}
exit ;;
SM[BE]S:UNIX_SV:*:*)
echo mips-dde-sysv${UNAME_RELEASE}
exit ;;
RM*:ReliantUNIX-*:*:*)
echo mips-sni-sysv4
exit ;;
RM*:SINIX-*:*:*)
echo mips-sni-sysv4
exit ;;
*:SINIX-*:*:*)
if uname -p 2>/dev/null >/dev/null ; then
UNAME_MACHINE=`(uname -p) 2>/dev/null`
echo ${UNAME_MACHINE}-sni-sysv4
else
echo ns32k-sni-sysv
fi
exit ;;
PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
# says
echo i586-unisys-sysv4
exit ;;
*:UNIX_System_V:4*:FTX*)
# From Gerald Hewes .
# How about differentiating between stratus architectures? -djm
echo hppa1.1-stratus-sysv4
exit ;;
*:*:*:FTX*)
# From seanf@swdc.stratus.com.
echo i860-stratus-sysv4
exit ;;
i*86:VOS:*:*)
# From Paul.Green@stratus.com.
echo ${UNAME_MACHINE}-stratus-vos
exit ;;
*:VOS:*:*)
# From Paul.Green@stratus.com.
echo hppa1.1-stratus-vos
exit ;;
mc68*:A/UX:*:*)
echo m68k-apple-aux${UNAME_RELEASE}
exit ;;
news*:NEWS-OS:6*:*)
echo mips-sony-newsos6
exit ;;
R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
if [ -d /usr/nec ]; then
echo mips-nec-sysv${UNAME_RELEASE}
else
echo mips-unknown-sysv${UNAME_RELEASE}
fi
exit ;;
BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
echo powerpc-be-beos
exit ;;
BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
echo powerpc-apple-beos
exit ;;
BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
echo i586-pc-beos
exit ;;
BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
echo i586-pc-haiku
exit ;;
x86_64:Haiku:*:*)
echo x86_64-unknown-haiku
exit ;;
SX-4:SUPER-UX:*:*)
echo sx4-nec-superux${UNAME_RELEASE}
exit ;;
SX-5:SUPER-UX:*:*)
echo sx5-nec-superux${UNAME_RELEASE}
exit ;;
SX-6:SUPER-UX:*:*)
echo sx6-nec-superux${UNAME_RELEASE}
exit ;;
SX-7:SUPER-UX:*:*)
echo sx7-nec-superux${UNAME_RELEASE}
exit ;;
SX-8:SUPER-UX:*:*)
echo sx8-nec-superux${UNAME_RELEASE}
exit ;;
SX-8R:SUPER-UX:*:*)
echo sx8r-nec-superux${UNAME_RELEASE}
exit ;;
SX-ACE:SUPER-UX:*:*)
echo sxace-nec-superux${UNAME_RELEASE}
exit ;;
Power*:Rhapsody:*:*)
echo powerpc-apple-rhapsody${UNAME_RELEASE}
exit ;;
*:Rhapsody:*:*)
echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
exit ;;
*:Darwin:*:*)
UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
eval $set_cc_for_build
if test "$UNAME_PROCESSOR" = unknown ; then
UNAME_PROCESSOR=powerpc
fi
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
case $UNAME_PROCESSOR in
i386) UNAME_PROCESSOR=x86_64 ;;
powerpc) UNAME_PROCESSOR=powerpc64 ;;
esac
fi
fi
elif test "$UNAME_PROCESSOR" = i386 ; then
# Avoid executing cc on OS X 10.9, as it ships with a stub
# that puts up a graphical alert prompting to install
# developer tools. Any system running Mac OS X 10.7 or
# later (Darwin 11 and later) is required to have a 64-bit
# processor. This is not true of the ARM version of Darwin
# that Apple uses in portable devices.
UNAME_PROCESSOR=x86_64
fi
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
exit ;;
*:procnto*:*:* | *:QNX:[0123456789]*:*)
UNAME_PROCESSOR=`uname -p`
if test "$UNAME_PROCESSOR" = x86; then
UNAME_PROCESSOR=i386
UNAME_MACHINE=pc
fi
echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
exit ;;
*:QNX:*:4*)
echo i386-pc-qnx
exit ;;
NEO-?:NONSTOP_KERNEL:*:*)
echo neo-tandem-nsk${UNAME_RELEASE}
exit ;;
NSE-*:NONSTOP_KERNEL:*:*)
echo nse-tandem-nsk${UNAME_RELEASE}
exit ;;
NSR-?:NONSTOP_KERNEL:*:*)
echo nsr-tandem-nsk${UNAME_RELEASE}
exit ;;
*:NonStop-UX:*:*)
echo mips-compaq-nonstopux
exit ;;
BS2000:POSIX*:*:*)
echo bs2000-siemens-sysv
exit ;;
DS/*:UNIX_System_V:*:*)
echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
exit ;;
*:Plan9:*:*)
# "uname -m" is not consistent, so use $cputype instead. 386
# is converted to i386 for consistency with other x86
# operating systems.
if test "$cputype" = 386; then
UNAME_MACHINE=i386
else
UNAME_MACHINE="$cputype"
fi
echo ${UNAME_MACHINE}-unknown-plan9
exit ;;
*:TOPS-10:*:*)
echo pdp10-unknown-tops10
exit ;;
*:TENEX:*:*)
echo pdp10-unknown-tenex
exit ;;
KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
echo pdp10-dec-tops20
exit ;;
XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
echo pdp10-xkl-tops20
exit ;;
*:TOPS-20:*:*)
echo pdp10-unknown-tops20
exit ;;
*:ITS:*:*)
echo pdp10-unknown-its
exit ;;
SEI:*:*:SEIUX)
echo mips-sei-seiux${UNAME_RELEASE}
exit ;;
*:DragonFly:*:*)
echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
exit ;;
*:*VMS:*:*)
UNAME_MACHINE=`(uname -p) 2>/dev/null`
case "${UNAME_MACHINE}" in
A*) echo alpha-dec-vms ; exit ;;
I*) echo ia64-dec-vms ; exit ;;
V*) echo vax-dec-vms ; exit ;;
esac ;;
*:XENIX:*:SysV)
echo i386-pc-xenix
exit ;;
i*86:skyos:*:*)
echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
exit ;;
i*86:rdos:*:*)
echo ${UNAME_MACHINE}-pc-rdos
exit ;;
i*86:AROS:*:*)
echo ${UNAME_MACHINE}-pc-aros
exit ;;
x86_64:VMkernel:*:*)
echo ${UNAME_MACHINE}-unknown-esx
exit ;;
amd64:Isilon\ OneFS:*:*)
echo x86_64-unknown-onefs
exit ;;
esac
# Fallback path: reached when no arm of the case statement above printed a
# system type and exited. Writes the uname values and the output of several
# platform helper tools to stderr as a diagnostic, then exits with status 1.
# NOTE(review): the here-document opener on the next line looks truncated in
# this copy (the text between `<` and `/dev/null` is missing) - compare with
# the upstream config.guess before running this file.
cat >&2 </dev/null || echo unknown`
uname -r = `(uname -r) 2>/dev/null || echo unknown`
uname -s = `(uname -s) 2>/dev/null || echo unknown`
uname -v = `(uname -v) 2>/dev/null || echo unknown`
/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
/bin/uname -X = `(/bin/uname -X) 2>/dev/null`
hostinfo = `(hostinfo) 2>/dev/null`
/bin/universe = `(/bin/universe) 2>/dev/null`
/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null`
/bin/arch = `(/bin/arch) 2>/dev/null`
/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null`
/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
UNAME_MACHINE = ${UNAME_MACHINE}
UNAME_RELEASE = ${UNAME_RELEASE}
UNAME_SYSTEM = ${UNAME_SYSTEM}
UNAME_VERSION = ${UNAME_VERSION}
EOF
exit 1
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "timestamp='"
# time-stamp-format: "%:y-%02m-%02d"
# time-stamp-end: "'"
# End:
cfengine-masterfiles-3.24.2/update.cf 0000644 0000000 0000000 00000021072 15010704326 017466 0 ustar 00root root 0000000 0000000 ###############################################################################
#
# update.cf - Basic Update Policy
#
###############################################################################
body common control
# @brief Common control attributes for all components
#
# Fixes the bundle evaluation order and the policy files loaded for the update
# policy, and sets TLS parameters only when the matching classes are defined.
{
# Bundles are evaluated in the order listed; the two @(...) entries splice in
# lists held in other bundles' variables.
bundlesequence => {
"update_def",
"u_cfengine_enterprise",
@(u_cfengine_enterprise.def),
"cfe_internal_dc_workflow",
"cfe_internal_update_policy",
"cfengine_internal_standalone_self_upgrade",
"cfe_internal_update_processes",
@(update_def.bundlesequence_end), # Define control_common_update_bundlesequence_end via augments
};
version => "update.cf 3.24.2";
# Policy files loaded in addition to this one.
# NOTE(review): @(update_def.augments_inputs) is defined outside this file;
# presumably it is fed from augments data - if so, write access to that data
# is the ability to load additional policy during update. Confirm.
inputs => {
"cfe_internal/update/lib.cf",
"cfe_internal/update/systemd_units.cf",
@(cfengine_update_controls.update_def_inputs),
"cfe_internal/update/cfe_internal_dc_workflow.cf",
"cfe_internal/update/cfe_internal_update_from_repository.cf",
"cfe_internal/update/update_policy.cf",
"cfe_internal/update/update_processes.cf",
@(update_def.augments_inputs)
};
any::
# Both values come from update_def variables set outside this file.
# NOTE(review): when they resolve to true a missing bundle or input file is
# presumably tolerated instead of failing the run - confirm they are only
# enabled deliberately.
ignore_missing_bundles => "$(update_def.control_common_ignore_missing_bundles)";
ignore_missing_inputs => "$(update_def.control_common_ignore_missing_inputs)";
# The two TLS attributes are set only under their *_defined classes; without
# those classes this body sets no TLS minimum or cipher list.
# NOTE(review): presumably the component's built-in defaults then apply -
# confirm they meet the site's minimum for agent-to-hub traffic.
control_common_tls_min_version_defined::
tls_min_version => "$(default:def.control_common_tls_min_version)"; # See also: allowtlsversion in body server control
control_common_tls_ciphers_defined::
tls_ciphers => "$(default:def.control_common_tls_ciphers)"; # See also: allowciphers in body server control
}
#############################################################################
bundle common cfengine_update_controls
# @brief Resolve other controls necessary for update
#
# Defines the fixed list of control files that body common control splices
# into its inputs via @(cfengine_update_controls.update_def_inputs).
{
vars:
# Static list: both paths are literals, nothing here is read from external data.
"update_def_inputs"
slist => {
"controls/update_def.cf",
"controls/update_def_inputs.cf",
};
reports:
# Emitted only when one of the DEBUG classes is defined.
DEBUG|DEBUG_cfengine_update_controls::
"DEBUG $(this.bundle): update def inputs='$(update_def_inputs)'";
}
bundle agent cfengine_internal_standalone_self_upgrade
# @brief Manage desired version state and execution of policy to reach the target version.
#
# Entry point named in the bundlesequence; it only delegates to the two
# bundles below, listed state clean-up first and upgrade execution second.
{
methods:
"cfengine_internal_standalone_self_upgrade_state_data";
"cfengine_internal_standalone_self_upgrade_execution";
}
bundle agent cfengine_internal_standalone_self_upgrade_state_data
# @brief Clear stale recorded desired version information from state
{
vars:
# The standalone upgrade policy file that sits next to this policy file.
"binary_upgrade_entry"
string => "$(this.promise_dirname)/standalone_self_upgrade.cf";
# NOTE(review): no variable named desired_pkg_data_path is defined in the
# cfengine_internal_standalone_self_upgrade_execution bundle as shown in this
# file; unless it is defined elsewhere the reference stays unexpanded and the
# delete promise below has no usable path. Confirm.
"desired_pkg_data_path" string =>
"$(cfengine_internal_standalone_self_upgrade_execution.desired_pkg_data_path)";
files:
# We consider the data stale if it's older than the policy that generated it
"$(desired_pkg_data_path)" -> { "ENT-4317" }
delete => u_tidy,
if => isnewerthan( $(binary_upgrade_entry) , $(desired_pkg_data_path) );
}
bundle agent cfengine_internal_standalone_self_upgrade_execution
# @brief Manage the version of CFEngine that is currently installed. This policy
# executes a stand alone policy as a sub agent. If systemd is found we assume
# that it is necessary to escape the current unit via systemd-run.
#
# If the running version matches either the desired version information in state
# or the version supplied from augments, then we skip running the standalone
# upgrade policy.
{
vars:
# Command prefix: a systemd-run invocation when either absolute path is
# executable, otherwise empty. Only fixed absolute paths are tried, so PATH
# is not consulted to locate systemd-run.
"exec_prefix"
string => ifelse( isexecutable("/bin/systemd-run"), "/bin/systemd-run --unit=cfengine-upgrade --scope ", # trailing space in commands important
isexecutable( "/usr/bin/systemd-run" ), "/usr/bin/systemd-run --unit=cfengine-upgrade --scope ",
"");
"local_update_log_dir"
string => translatepath("$(sys.workdir)/software_updates/update_log"),
comment => "This directory is used for logging the current version of cfengine running.";
# Parses the locally stored copy of the hub's version file. The pattern is
# anchored at the start and accepts only digits, dots and one hyphen.
# NOTE(review): the two "(?" groups carry no names in this copy, yet the class
# at_desired_version_by_hub_binary_version reads the key major_minor_patch;
# the group names look lost in extraction - restore them from upstream.
"hub_binary_version" -> { "ENT-10664" }
data => data_regextract(
"^(?\d+\.\d+\.\d+)-(?\d+)",
readfile("$(sys.statedir)$(const.dirsep)hub_cf_version.txt" ) ),
if => fileexists( "$(sys.statedir)$(const.dirsep)hub_cf_version.txt" );
classes:
# If we are running the version explicitly defined by the user
"at_desired_version_by_user_specification" -> { "ENT-3592" }
expression => strcmp( "$(def.cfengine_software_pkg_version)", "$(sys.cf_version)" );
# The hub-supplied version is used only in this string comparison; it is not
# interpolated into the command promise below.
"at_desired_version_by_hub_binary_version" -> { "ENT-10664" }
expression => strcmp( "$(hub_binary_version[major_minor_patch])", "$(sys.cf_version)" );
"at_desired_version"
or => { "at_desired_version_by_user_specification",
"at_desired_version_by_hub_binary_version" };
# Hub only: a marker file for the target version (the user-specified one when
# set, else the running version) counts as "already downloaded".
policy_server|am_policy_hub::
"downloaded_target_binaries"
expression => fileexists( "$(sys.workdir)/master_software_updates/$(def.cfengine_software_pkg_version)-downloaded.txt"),
if => isvariable( "def.cfengine_software_pkg_version");
"downloaded_target_binaries"
expression => fileexists( "$(sys.workdir)/master_software_updates/$(sys.cf_version_major).$(sys.cf_version_minor).$(sys.cf_version_patch)-downloaded.txt"),
if => not( isvariable( "def.cfengine_software_pkg_version") );
files:
# Non-hub hosts fetch the hub's version file. Its content feeds
# at_desired_version and therefore decides whether the upgrade command runs,
# so it is only as trustworthy as the connection to $(sys.policy_hub).
# NOTE(review): u_remote_dcp_missing_ok is defined outside this file - confirm
# which transport protections and failure handling it applies.
!(policy_server|am_policy_hub)::
"$(sys.statedir)/hub_cf_version.txt" -> { "ENT-10664", "handle:server_access_grant_access_state_cf_version" }
comment => concat( "We copy the hub binary version state locally",
" so that we can target the hubs binary",
" version as the default target version for",
" self upgrade." ),
handle => "cfe_internal_update_hub_cf_version",
copy_from => u_remote_dcp_missing_ok( "hub-cf_version", $(sys.policy_hub) );
policy_server|am_policy_hub::
"$(sys.statedir)/cf_version.txt" -> { "ENT-10664", "handle:server_access_grant_access_state_cf_version" }
comment => concat( "We record the hubs binary version in state and this",
" is shared with clients so that clients can target",
" the hubs binary version as the default target",
" version for self upgrade." ),
handle => "cfe_internal_update_state_cf_version",
content => "$(sys.cf_version_major).$(sys.cf_version_minor).$(sys.cf_version_patch)-$(sys.cf_version_release)";
enterprise_edition::
"$(local_update_log_dir)/$(sys.cf_version)_is_running" -> { "ENT-4352" }
comment => "This results in a record of the first time the enterprise
agent of a given version is seen to run on a host.",
handle => "cfe_internal_update_bins_files_version_is_running",
create => "true";
commands:
# Runs only when trigger_upgrade is set and none of: already at the desired
# version, the disable class, or (on a hub) target binaries already downloaded.
# The command goes through a shell (contain => in_shell) because of the ">"
# redirection. Every interpolated value is an agent-side variable
# (exec_prefix, sys.*, this.promise_dirname, const.dirsep); keep it that way -
# nothing read from hub_cf_version.txt or augments should be added to this
# string. The policy path and log path are double-quoted for the shell;
# $(exec_prefix) and $(sys.cf_agent) are not.
trigger_upgrade.!(at_desired_version|mpf_disable_hub_masterfiles_software_update_seed|downloaded_target_binaries)::
'$(exec_prefix)$(sys.cf_agent) --inform --timestamp --file "$(this.promise_dirname)$(const.dirsep)standalone_self_upgrade.cf" --define trigger_upgrade,update_cf_initiated >"$(sys.workdir)$(const.dirsep)outputs/standalone_self_upgrade_$(sys.cdate).log"'
handle => "standalone_self_upgrade",
contain => in_shell;
reports:
trigger_upgrade.(inform_mode|verbose_mode|DEBUG|DEBUG_cfengine_internal_standalone_self_upgrade)::
"Skipped self upgrade because we are running the desired version $(sys.cf_version)" -> { "ENT-3592" }
if => "at_desired_version";
}
body agent control
# @brief Agent controls for update
{
# Minimum number of minutes before the same promise is evaluated again.
ifelapsed => "1";
# NOTE(review): presumably stops the agent from sending its own name/address
# identification when connecting to a server - confirm against the reference.
skipidentify => "true";
# Syslog facility, set only when the class says one was configured.
control_agent_agentfacility_configured::
agentfacility => "$(default:update_def.control_agent_agentfacility)";
mpf_update_control_agent_default_repository::
# Location to backup files before they are edited by cfengine
# NOTE(review): backups can hold earlier contents of sensitive files; confirm
# the configured directory is readable only by the agent's user.
default_repository => "$(update_def.control_agent_default_repository)";
}
#############################################################################
body classes u_kept_successful_command
# @brief Set command to "kept" instead of "repaired" if it returns 0
#
# Only return codes 0 and 1 are classified here: 0 as kept, 1 as failed.
{
kept_returncodes => { "0" };
failed_returncodes => { "1" };
}
body contain in_shell
# @brief Run the promised command through a shell
#
# Used by the standalone_self_upgrade command promise in this file, whose
# command string relies on shell redirection. Because the whole command string
# is interpreted by a shell, promises using this body must build that string
# only from trusted, agent-controlled values.
{
useshell => "true";
}
cfengine-masterfiles-3.24.2/config.sub 0000755 0000000 0000000 00000106763 15010704303 017663 0 ustar 00root root 0000000 0000000 #! /bin/sh
# Configuration validation subroutine script.
# Copyright 1992-2016 Free Software Foundation, Inc.
timestamp='2016-11-04'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see .
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that
# program. This Exception is an additional permission under section 7
# of the GNU General Public License, version 3 ("GPLv3").
# Please send patches to .
#
# Configuration subroutine to validate and canonicalize a configuration type.
# Supply the specified configuration type as an argument.
# If it is invalid, we print an error message on stderr and exit with code 1.
# Otherwise, we print the canonical config type on stdout and succeed.
# You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
# This file is supposed to be the same for all GNU packages
# and recognize all the CPU types, system types and aliases
# that are meaningful with *any* GNU software.
# Each package is responsible for reporting which valid configurations
# it does not support. The user should be able to distinguish
# a failure to support a valid configuration from a meaningless
# configuration.
# The goal of this file is to map all the various variations of a given
# machine specification into a single specification in the form:
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
# or in some cases, the newer four-part form:
# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
# It is wrong to echo any other type of specification.
# Name this script was invoked as, with any leading directory part removed;
# used as the prefix of every diagnostic.
me=`echo "${0}" | sed -e 's,.*/,,'`

# Text printed for --version.
version="\
GNU config.sub (${timestamp})
Copyright 1992-2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."

# Hint appended to error messages; it begins with a newline so it lands on
# its own line after the message it follows.
help="
Try \`${me} --help' for more information."

# Text printed for --help.
usage="\
Usage: ${0} [OPTION] CPU-MFR-OPSYS or ALIAS
Canonicalize a configuration name.
Operation modes:
-h, --help print this help, then exit
-t, --time-stamp print date of last modification, then exit
-v, --version print version number, then exit
Report bugs and patches to ."
# Parse command line
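# Consume leading options. Informational options print their text and exit 0;
# the loop stops at the first operand, at "--" (which is shifted away) or at
# a lone "-". An operand containing "local" is echoed back unchanged and the
# script exits. Reads $timestamp, $version, $usage, $me and $help, which are
# set earlier in the script.
while test $# -gt 0 ; do
  case $1 in
    --time-stamp | --time* | -t )
      echo "$timestamp" ; exit ;;
    --version | -v )
      echo "$version" ; exit ;;
    --help | --h* | -h )
      echo "$usage"; exit ;;
    -- )     # Stop option processing
      shift; break ;;
    - )      # Use stdin as input.
      break ;;
    -* )
      # Diagnostics go to stderr, like the other error paths in this script,
      # so a caller capturing stdout never takes the error text for a
      # canonical configuration name.
      echo "$me: invalid option $1$help" >&2
      exit 1 ;;
    *local*)
      # First pass through any local machine types.
      # Quoted so the operand is echoed verbatim: no word splitting and no
      # filename expansion of a caller-supplied string.
      echo "$1"
      exit ;;
    * )
      break ;;
  esac
done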
# Exactly one operand must remain after option parsing; anything else is
# reported on stderr and ends the script with status 1.
if test $# -eq 0; then
  echo "$me: missing argument$help" >&2
  exit 1
elif test $# -gt 1; then
  echo "$me: too many arguments$help" >&2
  exit 1
fi
# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
# Here we must recognize all the valid KERNEL-OS combinations.
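# Split the operand into basic_machine (CPU or CPU-COMPANY) and os.
# The last two dash-separated fields are first tried as a KERNEL-OS pair; if
# they are not a known pair, only the last field is treated as the OS, and
# when the operand contains no dash at all os is left empty.
# Every expansion of the caller-supplied operand is quoted so that whitespace
# or glob characters in it cannot split the echo arguments, expand to file
# names, or break the [ ] comparison.
maybe_os=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
  nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
  linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
  knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
  kopensolaris*-gnu* | cloudabi*-eabi* | \
  storm-chaos* | os2-emx* | rtmk-nova*)
    os=-$maybe_os
    basic_machine=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
    ;;
  android-linux)
    # Accepted in this order on input, emitted as -linux-android.
    os=-linux-android
    basic_machine=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
    ;;
  *)
    basic_machine=`echo "$1" | sed 's/-[^-]*$//'`
    if [ "$basic_machine" != "$1" ]
    then os=`echo "$1" | sed 's/.*-/-/'`
    else os=; fi
    ;;
esac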
### Let's recognize common machines as not being operating systems so
### that things like config.sub decstation-3100 work. We also
### recognize some manufacturers as not being operating systems, so we
### can provide default operating systems below.
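# Correct the first split: some trailing fields are manufacturers or machine
# names rather than operating systems (os is cleared and the whole operand
# becomes basic_machine), and some OS spellings are normalised or imply a
# particular basic_machine.
# Expansions of the caller-supplied operand ($1) and of $os that are passed
# to echo are quoted so the text reaches sed verbatim, without word splitting
# or filename expansion.
case $os in
  -sun*os*)
    # Prevent following clause from handling this invalid input.
    ;;
  -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
  -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
  -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
  -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
  -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
  -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
  -apple | -axis | -knuth | -cray | -microblaze*)
    os=
    basic_machine=$1
    ;;
  -bluegene*)
    os=-cnk
    ;;
  -sim | -cisco | -oki | -wec | -winbond)
    os=
    basic_machine=$1
    ;;
  -scout)
    ;;
  -wrs)
    os=-vxworks
    basic_machine=$1
    ;;
  -chorusos*)
    os=-chorusos
    basic_machine=$1
    ;;
  -chorusrdb)
    os=-chorusrdb
    basic_machine=$1
    ;;
  -hiux*)
    os=-hiuxwe2
    ;;
  -sco6)
    os=-sco5v6
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
    ;;
  -sco5)
    os=-sco3.2v5
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
    ;;
  -sco4)
    os=-sco3.2v4
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
    ;;
  -sco3.2.[4-9]*)
    os=`echo "$os" | sed -e 's/sco3.2./sco3.2v/'`
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
    ;;
  -sco3.2v[4-9]*)
    # Don't forget version if it is 3.2v4 or newer.
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
    ;;
  -sco5v6*)
    # Don't forget version if it is 3.2v4 or newer.
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
    ;;
  -sco*)
    os=-sco3.2v2
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
    ;;
  -udk*)
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
    ;;
  -isc)
    os=-isc2.2
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
    ;;
  -clix*)
    basic_machine=clipper-intergraph
    ;;
  -isc*)
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
    ;;
  -lynx*178)
    os=-lynxos178
    ;;
  -lynx*5)
    os=-lynxos5
    ;;
  -lynx*)
    os=-lynxos
    ;;
  -ptx*)
    basic_machine=`echo "$1" | sed -e 's/86-.*/86-sequent/'`
    ;;
  -windowsnt*)
    os=`echo "$os" | sed -e 's/windowsnt/winnt/'`
    ;;
  -psos*)
    os=-psos
    ;;
  -mint | -mint[0-9]*)
    basic_machine=m68k-atari
    os=-mint
    ;;
esac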
# Decode aliases for certain CPU-COMPANY combinations.
case $basic_machine in
# Recognize the basic CPU types without company name.
# Some are omitted here because they have special meanings below.
1750a | 580 \
| a29k \
| aarch64 | aarch64_be \
| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
| am33_2.0 \
| arc | arceb \
| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
| avr | avr32 \
| ba \
| be32 | be64 \
| bfin \
| c4x | c8051 | clipper \
| d10v | d30v | dlx | dsp16xx \
| e2k | epiphany \
| fido | fr30 | frv | ft32 \
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
| hexagon \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
| k1om \
| le32 | le64 \
| lm32 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \
| maxq | mb | microblaze | microblazeel | mcore | mep | metag \
| mips | mipsbe | mipseb | mipsel | mipsle \
| mips16 \
| mips64 | mips64el \
| mips64octeon | mips64octeonel \
| mips64orion | mips64orionel \
| mips64r5900 | mips64r5900el \
| mips64vr | mips64vrel \
| mips64vr4100 | mips64vr4100el \
| mips64vr4300 | mips64vr4300el \
| mips64vr5000 | mips64vr5000el \
| mips64vr5900 | mips64vr5900el \
| mipsisa32 | mipsisa32el \
| mipsisa32r2 | mipsisa32r2el \
| mipsisa32r6 | mipsisa32r6el \
| mipsisa64 | mipsisa64el \
| mipsisa64r2 | mipsisa64r2el \
| mipsisa64r6 | mipsisa64r6el \
| mipsisa64sb1 | mipsisa64sb1el \
| mipsisa64sr71k | mipsisa64sr71kel \
| mipsr5900 | mipsr5900el \
| mipstx39 | mipstx39el \
| mn10200 | mn10300 \
| moxie \
| mt \
| msp430 \
| nds32 | nds32le | nds32be \
| nios | nios2 | nios2eb | nios2el \
| ns16k | ns32k \
| open8 | or1k | or1knd | or32 \
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \
| pru \
| pyramid \
| riscv32 | riscv64 \
| rl78 | rx \
| score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
| sh64 | sh64le \
| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
| spu \
| tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
| ubicom32 \
| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
| visium \
| we32k \
| x86 | xc16x | xstormy16 | xtensa \
| z8k | z80)
basic_machine=$basic_machine-unknown
;;
c54x)
basic_machine=tic54x-unknown
;;
c55x)
basic_machine=tic55x-unknown
;;
c6x)
basic_machine=tic6x-unknown
;;
leon|leon[3-9])
basic_machine=sparc-$basic_machine
;;
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
basic_machine=$basic_machine-unknown
os=-none
;;
m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
;;
ms1)
basic_machine=mt-unknown
;;
strongarm | thumb | xscale)
basic_machine=arm-unknown
;;
xgate)
basic_machine=$basic_machine-unknown
os=-none
;;
xscaleeb)
basic_machine=armeb-unknown
;;
xscaleel)
basic_machine=armel-unknown
;;
# We use `pc' rather than `unknown'
# because (1) that's what they normally are, and
# (2) the word "unknown" tends to confuse beginning users.
i*86 | x86_64)
basic_machine=$basic_machine-pc
;;
# Object if more than one company name word.
*-*-*)
echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
exit 1
;;
# Recognize the basic CPU types with company name.
580-* \
| a29k-* \
| aarch64-* | aarch64_be-* \
| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* | avr32-* \
| ba-* \
| be32-* | be64-* \
| bfin-* | bs2000-* \
| c[123]* | c30-* | [cjt]90-* | c4x-* \
| c8051-* | clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
| e2k-* | elxsi-* \
| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
| h8300-* | h8500-* \
| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
| hexagon-* \
| i*86-* | i860-* | i960-* | ia64-* \
| ip2k-* | iq2000-* \
| k1om-* \
| le32-* | le64-* \
| lm32-* \
| m32c-* | m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
| microblaze-* | microblazeel-* \
| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
| mips16-* \
| mips64-* | mips64el-* \
| mips64octeon-* | mips64octeonel-* \
| mips64orion-* | mips64orionel-* \
| mips64r5900-* | mips64r5900el-* \
| mips64vr-* | mips64vrel-* \
| mips64vr4100-* | mips64vr4100el-* \
| mips64vr4300-* | mips64vr4300el-* \
| mips64vr5000-* | mips64vr5000el-* \
| mips64vr5900-* | mips64vr5900el-* \
| mipsisa32-* | mipsisa32el-* \
| mipsisa32r2-* | mipsisa32r2el-* \
| mipsisa32r6-* | mipsisa32r6el-* \
| mipsisa64-* | mipsisa64el-* \
| mipsisa64r2-* | mipsisa64r2el-* \
| mipsisa64r6-* | mipsisa64r6el-* \
| mipsisa64sb1-* | mipsisa64sb1el-* \
| mipsisa64sr71k-* | mipsisa64sr71kel-* \
| mipsr5900-* | mipsr5900el-* \
| mipstx39-* | mipstx39el-* \
| mmix-* \
| mt-* \
| msp430-* \
| nds32-* | nds32le-* | nds32be-* \
| nios-* | nios2-* | nios2eb-* | nios2el-* \
| none-* | np1-* | ns16k-* | ns32k-* \
| open8-* \
| or1k*-* \
| orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
| pru-* \
| pyramid-* \
| riscv32-* | riscv64-* \
| rl78-* | romp-* | rs6000-* | rx-* \
| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
| sparclite-* \
| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \
| tahoe-* \
| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
| tile*-* \
| tron-* \
| ubicom32-* \
| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
| vax-* \
| visium-* \
| we32k-* \
| x86-* | x86_64-* | xc16x-* | xps100-* \
| xstormy16-* | xtensa*-* \
| ymp-* \
| z8k-* | z80-*)
;;
# Recognize the basic CPU types without company name, with glob match.
xtensa*)
basic_machine=$basic_machine-unknown
;;
# Recognize the various machine names and aliases which stand
# for a CPU type and a company and sometimes even an OS.
386bsd)
basic_machine=i386-unknown
os=-bsd
;;
3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
basic_machine=m68000-att
;;
3b*)
basic_machine=we32k-att
;;
a29khif)
basic_machine=a29k-amd
os=-udi
;;
abacus)
basic_machine=abacus-unknown
;;
adobe68k)
basic_machine=m68010-adobe
os=-scout
;;
alliant | fx80)
basic_machine=fx80-alliant
;;
altos | altos3068)
basic_machine=m68k-altos
;;
am29k)
basic_machine=a29k-none
os=-bsd
;;
amd64)
basic_machine=x86_64-pc
;;
amd64-*)
basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
amdahl)
basic_machine=580-amdahl
os=-sysv
;;
amiga | amiga-*)
basic_machine=m68k-unknown
;;
amigaos | amigados)
basic_machine=m68k-unknown
os=-amigaos
;;
amigaunix | amix)
basic_machine=m68k-unknown
os=-sysv4
;;
apollo68)
basic_machine=m68k-apollo
os=-sysv
;;
apollo68bsd)
basic_machine=m68k-apollo
os=-bsd
;;
aros)
basic_machine=i386-pc
os=-aros
;;
asmjs)
basic_machine=asmjs-unknown
;;
aux)
basic_machine=m68k-apple
os=-aux
;;
balance)
basic_machine=ns32k-sequent
os=-dynix
;;
blackfin)
basic_machine=bfin-unknown
os=-linux
;;
blackfin-*)
basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
os=-linux
;;
bluegene*)
basic_machine=powerpc-ibm
os=-cnk
;;
c54x-*)
basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
c55x-*)
basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
c6x-*)
basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
c90)
basic_machine=c90-cray
os=-unicos
;;
cegcc)
basic_machine=arm-unknown
os=-cegcc
;;
convex-c1)
basic_machine=c1-convex
os=-bsd
;;
convex-c2)
basic_machine=c2-convex
os=-bsd
;;
convex-c32)
basic_machine=c32-convex
os=-bsd
;;
convex-c34)
basic_machine=c34-convex
os=-bsd
;;
convex-c38)
basic_machine=c38-convex
os=-bsd
;;
cray | j90)
basic_machine=j90-cray
os=-unicos
;;
craynv)
basic_machine=craynv-cray
os=-unicosmp
;;
cr16 | cr16-*)
basic_machine=cr16-unknown
os=-elf
;;
crds | unos)
basic_machine=m68k-crds
;;
crisv32 | crisv32-* | etraxfs*)
basic_machine=crisv32-axis
;;
cris | cris-* | etrax*)
basic_machine=cris-axis
;;
crx)
basic_machine=crx-unknown
os=-elf
;;
da30 | da30-*)
basic_machine=m68k-da30
;;
decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
basic_machine=mips-dec
;;
decsystem10* | dec10*)
basic_machine=pdp10-dec
os=-tops10
;;
decsystem20* | dec20*)
basic_machine=pdp10-dec
os=-tops20
;;
delta | 3300 | motorola-3300 | motorola-delta \
| 3300-motorola | delta-motorola)
basic_machine=m68k-motorola
;;
delta88)
basic_machine=m88k-motorola
os=-sysv3
;;
dicos)
basic_machine=i686-pc
os=-dicos
;;
djgpp)
basic_machine=i586-pc
os=-msdosdjgpp
;;
dpx20 | dpx20-*)
basic_machine=rs6000-bull
os=-bosx
;;
dpx2* | dpx2*-bull)
basic_machine=m68k-bull
os=-sysv3
;;
e500v[12])
basic_machine=powerpc-unknown
os=$os"spe"
;;
e500v[12]-*)
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
os=$os"spe"
;;
ebmon29k)
basic_machine=a29k-amd
os=-ebmon
;;
elxsi)
basic_machine=elxsi-elxsi
os=-bsd
;;
encore | umax | mmax)
basic_machine=ns32k-encore
;;
es1800 | OSE68k | ose68k | ose | OSE)
basic_machine=m68k-ericsson
os=-ose
;;
fx2800)
basic_machine=i860-alliant
;;
genix)
basic_machine=ns32k-ns
;;
gmicro)
basic_machine=tron-gmicro
os=-sysv
;;
go32)
basic_machine=i386-pc
os=-go32
;;
h3050r* | hiux*)
basic_machine=hppa1.1-hitachi
os=-hiuxwe2
;;
h8300hms)
basic_machine=h8300-hitachi
os=-hms
;;
h8300xray)
basic_machine=h8300-hitachi
os=-xray
;;
h8500hms)
basic_machine=h8500-hitachi
os=-hms
;;
harris)
basic_machine=m88k-harris
os=-sysv3
;;
hp300-*)
basic_machine=m68k-hp
;;
hp300bsd)
basic_machine=m68k-hp
os=-bsd
;;
hp300hpux)
basic_machine=m68k-hp
os=-hpux
;;
hp3k9[0-9][0-9] | hp9[0-9][0-9])
basic_machine=hppa1.0-hp
;;
hp9k2[0-9][0-9] | hp9k31[0-9])
basic_machine=m68000-hp
;;
hp9k3[2-9][0-9])
basic_machine=m68k-hp
;;
hp9k6[0-9][0-9] | hp6[0-9][0-9])
basic_machine=hppa1.0-hp
;;
hp9k7[0-79][0-9] | hp7[0-79][0-9])
basic_machine=hppa1.1-hp
;;
hp9k78[0-9] | hp78[0-9])
# FIXME: really hppa2.0-hp
basic_machine=hppa1.1-hp
;;
hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
# FIXME: really hppa2.0-hp
basic_machine=hppa1.1-hp
;;
hp9k8[0-9][13679] | hp8[0-9][13679])
basic_machine=hppa1.1-hp
;;
hp9k8[0-9][0-9] | hp8[0-9][0-9])
basic_machine=hppa1.0-hp
;;
hppa-next)
os=-nextstep3
;;
hppaosf)
basic_machine=hppa1.1-hp
os=-osf
;;
hppro)
basic_machine=hppa1.1-hp
os=-proelf
;;
i370-ibm* | ibm*)
basic_machine=i370-ibm
;;
i*86v32)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv32
;;
i*86v4*)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv4
;;
i*86v)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv
;;
i*86sol2)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-solaris2
;;
i386mach)
basic_machine=i386-mach
os=-mach
;;
i386-vsta | vsta)
basic_machine=i386-unknown
os=-vsta
;;
iris | iris4d)
basic_machine=mips-sgi
case $os in
-irix*)
;;
*)
os=-irix4
;;
esac
;;
isi68 | isi)
basic_machine=m68k-isi
os=-sysv
;;
leon-*|leon[3-9]-*)
basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'`
;;
m68knommu)
basic_machine=m68k-unknown
os=-linux
;;
m68knommu-*)
basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'`
os=-linux
;;
m88k-omron*)
basic_machine=m88k-omron
;;
magnum | m3230)
basic_machine=mips-mips
os=-sysv
;;
merlin)
basic_machine=ns32k-utek
os=-sysv
;;
microblaze*)
basic_machine=microblaze-xilinx
;;
mingw64)
basic_machine=x86_64-pc
os=-mingw64
;;
mingw32)
basic_machine=i686-pc
os=-mingw32
;;
mingw32ce)
basic_machine=arm-unknown
os=-mingw32ce
;;
miniframe)
basic_machine=m68000-convergent
;;
*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
basic_machine=m68k-atari
os=-mint
;;
mips3*-*)
basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
;;
mips3*)
basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
;;
monitor)
basic_machine=m68k-rom68k
os=-coff
;;
morphos)
basic_machine=powerpc-unknown
os=-morphos
;;
moxiebox)
basic_machine=moxie-unknown
os=-moxiebox
;;
msdos)
basic_machine=i386-pc
os=-msdos
;;
ms1-*)
basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
;;
msys)
basic_machine=i686-pc
os=-msys
;;
mvs)
basic_machine=i370-ibm
os=-mvs
;;
nacl)
basic_machine=le32-unknown
os=-nacl
;;
ncr3000)
basic_machine=i486-ncr
os=-sysv4
;;
netbsd386)
basic_machine=i386-unknown
os=-netbsd
;;
netwinder)
basic_machine=armv4l-rebel
os=-linux
;;
news | news700 | news800 | news900)
basic_machine=m68k-sony
os=-newsos
;;
news1000)
basic_machine=m68030-sony
os=-newsos
;;
news-3600 | risc-news)
basic_machine=mips-sony
os=-newsos
;;
necv70)
basic_machine=v70-nec
os=-sysv
;;
next | m*-next )
basic_machine=m68k-next
case $os in
-nextstep* )
;;
-ns2*)
os=-nextstep2
;;
*)
os=-nextstep3
;;
esac
;;
nh3000)
basic_machine=m68k-harris
os=-cxux
;;
nh[45]000)
basic_machine=m88k-harris
os=-cxux
;;
nindy960)
basic_machine=i960-intel
os=-nindy
;;
mon960)
basic_machine=i960-intel
os=-mon960
;;
nonstopux)
basic_machine=mips-compaq
os=-nonstopux
;;
np1)
basic_machine=np1-gould
;;
neo-tandem)
basic_machine=neo-tandem
;;
nse-tandem)
basic_machine=nse-tandem
;;
nsr-tandem)
basic_machine=nsr-tandem
;;
op50n-* | op60c-*)
basic_machine=hppa1.1-oki
os=-proelf
;;
openrisc | openrisc-*)
basic_machine=or32-unknown
;;
os400)
basic_machine=powerpc-ibm
os=-os400
;;
OSE68000 | ose68000)
basic_machine=m68000-ericsson
os=-ose
;;
os68k)
basic_machine=m68k-none
os=-os68k
;;
pa-hitachi)
basic_machine=hppa1.1-hitachi
os=-hiuxwe2
;;
paragon)
basic_machine=i860-intel
os=-osf
;;
parisc)
basic_machine=hppa-unknown
os=-linux
;;
parisc-*)
basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'`
os=-linux
;;
pbd)
basic_machine=sparc-tti
;;
pbb)
basic_machine=m68k-tti
;;
pc532 | pc532-*)
basic_machine=ns32k-pc532
;;
pc98)
basic_machine=i386-pc
;;
pc98-*)
basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
pentium | p5 | k5 | k6 | nexgen | viac3)
basic_machine=i586-pc
;;
pentiumpro | p6 | 6x86 | athlon | athlon_*)
basic_machine=i686-pc
;;
pentiumii | pentium2 | pentiumiii | pentium3)
basic_machine=i686-pc
;;
pentium4)
basic_machine=i786-pc
;;
pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
pentiumpro-* | p6-* | 6x86-* | athlon-*)
basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
pentium4-*)
basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
pn)
basic_machine=pn-gould
;;
power) basic_machine=power-ibm
;;
ppc | ppcbe) basic_machine=powerpc-unknown
;;
ppc-* | ppcbe-*)
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
ppcle | powerpclittle)
basic_machine=powerpcle-unknown
;;
ppcle-* | powerpclittle-*)
basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
ppc64) basic_machine=powerpc64-unknown
;;
ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
ppc64le | powerpc64little)
basic_machine=powerpc64le-unknown
;;
ppc64le-* | powerpc64little-*)
basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
ps2)
basic_machine=i386-ibm
;;
pw32)
basic_machine=i586-unknown
os=-pw32
;;
rdos | rdos64)
basic_machine=x86_64-pc
os=-rdos
;;
rdos32)
basic_machine=i386-pc
os=-rdos
;;
rom68k)
basic_machine=m68k-rom68k
os=-coff
;;
rm[46]00)
basic_machine=mips-siemens
;;
rtpc | rtpc-*)
basic_machine=romp-ibm
;;
s390 | s390-*)
basic_machine=s390-ibm
;;
s390x | s390x-*)
basic_machine=s390x-ibm
;;
sa29200)
basic_machine=a29k-amd
os=-udi
;;
sb1)
basic_machine=mipsisa64sb1-unknown
;;
sb1el)
basic_machine=mipsisa64sb1el-unknown
;;
sde)
basic_machine=mipsisa32-sde
os=-elf
;;
sei)
basic_machine=mips-sei
os=-seiux
;;
sequent)
basic_machine=i386-sequent
;;
sh)
basic_machine=sh-hitachi
os=-hms
;;
sh5el)
basic_machine=sh5le-unknown
;;
sh64)
basic_machine=sh64-unknown
;;
sparclite-wrs | simso-wrs)
basic_machine=sparclite-wrs
os=-vxworks
;;
sps7)
basic_machine=m68k-bull
os=-sysv2
;;
spur)
basic_machine=spur-unknown
;;
st2000)
basic_machine=m68k-tandem
;;
stratus)
basic_machine=i860-stratus
os=-sysv4
;;
strongarm-* | thumb-*)
basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
sun2)
basic_machine=m68000-sun
;;
sun2os3)
basic_machine=m68000-sun
os=-sunos3
;;
sun2os4)
basic_machine=m68000-sun
os=-sunos4
;;
sun3os3)
basic_machine=m68k-sun
os=-sunos3
;;
sun3os4)
basic_machine=m68k-sun
os=-sunos4
;;
sun4os3)
basic_machine=sparc-sun
os=-sunos3
;;
sun4os4)
basic_machine=sparc-sun
os=-sunos4
;;
sun4sol2)
basic_machine=sparc-sun
os=-solaris2
;;
sun3 | sun3-*)
basic_machine=m68k-sun
;;
sun4)
basic_machine=sparc-sun
;;
sun386 | sun386i | roadrunner)
basic_machine=i386-sun
;;
sv1)
basic_machine=sv1-cray
os=-unicos
;;
symmetry)
basic_machine=i386-sequent
os=-dynix
;;
t3e)
basic_machine=alphaev5-cray
os=-unicos
;;
t90)
basic_machine=t90-cray
os=-unicos
;;
tile*)
basic_machine=$basic_machine-unknown
os=-linux-gnu
;;
tx39)
basic_machine=mipstx39-unknown
;;
tx39el)
basic_machine=mipstx39el-unknown
;;
toad1)
basic_machine=pdp10-xkl
os=-tops20
;;
tower | tower-32)
basic_machine=m68k-ncr
;;
tpf)
basic_machine=s390x-ibm
os=-tpf
;;
udi29k)
basic_machine=a29k-amd
os=-udi
;;
ultra3)
basic_machine=a29k-nyu
os=-sym1
;;
v810 | necv810)
basic_machine=v810-nec
os=-none
;;
vaxv)
basic_machine=vax-dec
os=-sysv
;;
vms)
basic_machine=vax-dec
os=-vms
;;
vpp*|vx|vx-*)
basic_machine=f301-fujitsu
;;
vxworks960)
basic_machine=i960-wrs
os=-vxworks
;;
vxworks68)
basic_machine=m68k-wrs
os=-vxworks
;;
vxworks29k)
basic_machine=a29k-wrs
os=-vxworks
;;
w65*)
basic_machine=w65-wdc
os=-none
;;
w89k-*)
basic_machine=hppa1.1-winbond
os=-proelf
;;
xbox)
basic_machine=i686-pc
os=-mingw32
;;
xps | xps100)
basic_machine=xps100-honeywell
;;
xscale-* | xscalee[bl]-*)
basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
;;
ymp)
basic_machine=ymp-cray
os=-unicos
;;
z8k-*-coff)
basic_machine=z8k-unknown
os=-sim
;;
z80-*-coff)
basic_machine=z80-unknown
os=-sim
;;
none)
basic_machine=none-none
os=-none
;;
# Here we handle the default manufacturer of certain CPU types. It is in
# some cases the only manufacturer, in others, it is the most popular.
w89k)
basic_machine=hppa1.1-winbond
;;
op50n)
basic_machine=hppa1.1-oki
;;
op60c)
basic_machine=hppa1.1-oki
;;
romp)
basic_machine=romp-ibm
;;
mmix)
basic_machine=mmix-knuth
;;
rs6000)
basic_machine=rs6000-ibm
;;
vax)
basic_machine=vax-dec
;;
pdp10)
# there are many clones, so DEC is not a safe bet
basic_machine=pdp10-unknown
;;
pdp11)
basic_machine=pdp11-dec
;;
we32k)
basic_machine=we32k-att
;;
sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele)
basic_machine=sh-unknown
;;
sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
basic_machine=sparc-sun
;;
cydra)
basic_machine=cydra-cydrome
;;
orion)
basic_machine=orion-highlevel
;;
orion105)
basic_machine=clipper-highlevel
;;
mac | mpw | mac-mpw)
basic_machine=m68k-apple
;;
pmac | pmac-mpw)
basic_machine=powerpc-apple
;;
*-unknown)
# Make sure to match an already-canonicalized machine name.
;;
*)
echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
exit 1
;;
esac
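# Here we canonicalize certain aliases for manufacturers.
# Only the manufacturer text is rewritten: everything from "digital" or
# "commodore" to the end of the string is replaced by the short form.
# $basic_machine is quoted so it reaches sed as a single unexpanded word.
case $basic_machine in
  *-digital*)
    basic_machine=`echo "$basic_machine" | sed 's/digital.*/dec/'`
    ;;
  *-commodore*)
    basic_machine=`echo "$basic_machine" | sed 's/commodore.*/cbm/'`
    ;;
  *)
    ;;
esac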
# Decode manufacturer-specific aliases for certain operating systems.
if [ x"$os" != x"" ]
then
case $os in
# First match some system type aliases
# that might get confused with valid system types.
# -solaris* is a basic system type, with this one exception.
-auroraux)
os=-auroraux
;;
-solaris1 | -solaris1.*)
os=`echo $os | sed -e 's|solaris1|sunos4|'`
;;
-solaris)
os=-solaris2
;;
-svr4*)
os=-sysv4
;;
-unixware*)
os=-sysv4.2uw
;;
-gnu/linux*)
os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
;;
# First accept the basic system types.
# The portable systems comes first.
# Each alternative MUST END IN A *, to match a version number.
# -sysv* is not here because it comes later, after sysvr4.
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
| -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
| -sym* | -kopensolaris* | -plan9* \
| -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
| -aos* | -aros* | -cloudabi* | -sortix* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
| -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -chorusos* | -chorusrdb* | -cegcc* \
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
| -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
| -onefs* | -tirtos* | -phoenix* | -fuchsia*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
case $basic_machine in
x86-* | i*86-*)
;;
*)
os=-nto$os
;;
esac
;;
-nto-qnx*)
;;
-nto*)
os=`echo $os | sed -e 's|nto|nto-qnx|'`
;;
-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
| -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
| -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
;;
-mac*)
os=`echo $os | sed -e 's|mac|macos|'`
;;
-linux-dietlibc)
os=-linux-dietlibc
;;
-linux*)
os=`echo $os | sed -e 's|linux|linux-gnu|'`
;;
-sunos5*)
os=`echo $os | sed -e 's|sunos5|solaris2|'`
;;
-sunos6*)
os=`echo $os | sed -e 's|sunos6|solaris3|'`
;;
-opened*)
os=-openedition
;;
-os400*)
os=-os400
;;
-wince*)
os=-wince
;;
-osfrose*)
os=-osfrose
;;
-osf*)
os=-osf
;;
-utek*)
os=-bsd
;;
-dynix*)
os=-bsd
;;
-acis*)
os=-aos
;;
-atheos*)
os=-atheos
;;
-syllable*)
os=-syllable
;;
-386bsd)
os=-bsd
;;
-ctix* | -uts*)
os=-sysv
;;
-nova*)
os=-rtmk-nova
;;
-ns2 )
os=-nextstep2
;;
-nsk*)
os=-nsk
;;
# Preserve the version number of sinix5.
-sinix5.*)
os=`echo $os | sed -e 's|sinix|sysv|'`
;;
-sinix*)
os=-sysv4
;;
-tpf*)
os=-tpf
;;
-triton*)
os=-sysv3
;;
-oss*)
os=-sysv3
;;
-svr4)
os=-sysv4
;;
-svr3)
os=-sysv3
;;
-sysvr4)
os=-sysv4
;;
# This must come after -sysvr4.
-sysv*)
;;
-ose*)
os=-ose
;;
-es1800*)
os=-ose
;;
-xenix)
os=-xenix
;;
-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
os=-mint
;;
-aros*)
os=-aros
;;
-zvmoe)
os=-zvmoe
;;
-dicos*)
os=-dicos
;;
-nacl*)
;;
-ios)
;;
-none)
;;
*)
# Get rid of the `-' at the beginning of $os.
os=`echo $os | sed 's/[^-]*-//'`
echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
exit 1
;;
esac
else
# Here we handle the default operating systems that come with various machines.
# The value should be what the vendor currently ships out the door with their
# machine or put another way, the most popular os provided with the machine.
# Note that if you're going to try to match "-MANUFACTURER" here (say,
# "-sun"), then you have to tell the case statement up towards the top
# that MANUFACTURER isn't an operating system. Otherwise, code above
# will signal an error saying that MANUFACTURER isn't an operating
# system, and we'll never get to this point.
case $basic_machine in
score-*)
os=-elf
;;
spu-*)
os=-elf
;;
*-acorn)
os=-riscix1.2
;;
arm*-rebel)
os=-linux
;;
arm*-semi)
os=-aout
;;
c4x-* | tic4x-*)
os=-coff
;;
c8051-*)
os=-elf
;;
hexagon-*)
os=-elf
;;
tic54x-*)
os=-coff
;;
tic55x-*)
os=-coff
;;
tic6x-*)
os=-coff
;;
# This must come before the *-dec entry.
pdp10-*)
os=-tops20
;;
pdp11-*)
os=-none
;;
*-dec | vax-*)
os=-ultrix4.2
;;
m68*-apollo)
os=-domain
;;
i386-sun)
os=-sunos4.0.2
;;
m68000-sun)
os=-sunos3
;;
m68*-cisco)
os=-aout
;;
mep-*)
os=-elf
;;
mips*-cisco)
os=-elf
;;
mips*-*)
os=-elf
;;
or32-*)
os=-coff
;;
*-tti) # must be before sparc entry or we get the wrong os.
os=-sysv3
;;
sparc-* | *-sun)
os=-sunos4.1.1
;;
*-be)
os=-beos
;;
*-haiku)
os=-haiku
;;
*-ibm)
os=-aix
;;
*-knuth)
os=-mmixware
;;
*-wec)
os=-proelf
;;
*-winbond)
os=-proelf
;;
*-oki)
os=-proelf
;;
*-hp)
os=-hpux
;;
*-hitachi)
os=-hiux
;;
i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
os=-sysv
;;
*-cbm)
os=-amigaos
;;
*-dg)
os=-dgux
;;
*-dolphin)
os=-sysv3
;;
m68k-ccur)
os=-rtu
;;
m88k-omron*)
os=-luna
;;
*-next )
os=-nextstep
;;
*-sequent)
os=-ptx
;;
*-crds)
os=-unos
;;
*-ns)
os=-genix
;;
i370-*)
os=-mvs
;;
*-next)
os=-nextstep3
;;
*-gould)
os=-sysv
;;
*-highlevel)
os=-bsd
;;
*-encore)
os=-bsd
;;
*-sgi)
os=-irix
;;
*-siemens)
os=-sysv4
;;
*-masscomp)
os=-rtu
;;
f30[01]-fujitsu | f700-fujitsu)
os=-uxpv
;;
*-rom68k)
os=-coff
;;
*-*bug)
os=-coff
;;
*-apple)
os=-macos
;;
*-atari*)
os=-mint
;;
*)
os=-none
;;
esac
fi
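# Here we handle the case where we know the os, and the CPU type, but not the
# manufacturer. We pick the logical manufacturer.
#
# When basic_machine still ends in "-unknown", the OS decides the vendor;
# an OS with no entry below leaves vendor=unknown, so the substitution is a
# no-op. $vendor only ever holds one of the fixed literals assigned here,
# which is why it can be interpolated into the sed expression.
vendor=unknown
case $basic_machine in
  *-unknown)
    case $os in
      -riscix*)
        vendor=acorn
        ;;
      -sunos*)
        vendor=sun
        ;;
      -cnk*|-aix*)
        vendor=ibm
        ;;
      -beos*)
        vendor=be
        ;;
      -hpux*)
        vendor=hp
        ;;
      -mpeix*)
        vendor=hp
        ;;
      -hiux*)
        vendor=hitachi
        ;;
      -unos*)
        vendor=crds
        ;;
      -dgux*)
        vendor=dg
        ;;
      -luna*)
        vendor=omron
        ;;
      -genix*)
        vendor=ns
        ;;
      -mvs* | -opened*)
        vendor=ibm
        ;;
      -os400*)
        vendor=ibm
        ;;
      -ptx*)
        vendor=sequent
        ;;
      -tpf*)
        vendor=ibm
        ;;
      -vxsim* | -vxworks* | -windiss*)
        vendor=wrs
        ;;
      -aux*)
        vendor=apple
        ;;
      -hms*)
        vendor=hitachi
        ;;
      -mpw* | -macos*)
        vendor=apple
        ;;
      -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
        vendor=atari
        ;;
      -vos*)
        vendor=stratus
        ;;
    esac
    basic_machine=`echo "$basic_machine" | sed "s/unknown/$vendor/"`
    ;;
esac

# Emit the canonical name. Quoted so the result is printed exactly as
# computed, with no word splitting or pathname expansion of its contents.
echo "$basic_machine$os"
exit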
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "timestamp='"
# time-stamp-format: "%:y-%02m-%02d"
# time-stamp-end: "'"
# End:
cfengine-masterfiles-3.24.2/cfe_internal/ 0000755 0000000 0000000 00000000000 15010704326 020321 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/cfe_internal/core/ 0000755 0000000 0000000 00000000000 15010704326 021251 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/cfe_internal/core/limit_robot_agents.cf 0000644 0000000 0000000 00000007474 15010704240 025456 0 ustar 00root root 0000000 0000000 ###############################################################################
#
# cfe_internal_limit_robot_agents
# - Kill and restart CFE processes for a given component if there are too many
#
###############################################################################
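bundle agent cfe_internal_limit_robot_agents
# @brief Remediate pathological case of duplicate cfengine daemons running concurrently
#
# Always runs the reap bundle. The spawn bundle runs only when one of the
# "more ... than expected" classes is set, i.e. after a surplus of daemons
# was detected.
{
  methods:

    any::

      "Ensure there are not more than expected cfengine daemons" -> { "CFE-3150" }
        usebundle => "cfe_internal_limit_robot_agents_reap";

    # These class names must match, character for character, the
    # out_of_range_define values of the check_execd and check_monitord
    # bodies in this file. A misspelt class is simply never set, so the
    # guard would silently stay false and daemons terminated by the reap
    # bundle would not be restarted from here.
    more_cf_execd_processes_than_expected|more_cf_monitord_processes_than_expected::

      # We only look to re-launch daemons if we found a pathological case. It's
      # important that these promises are in a separate bundle as we want to
      # refresh our observation of the process table to ensure they are indeed
      # not running.

      "Ensure expected cfengine daemons are running" -> { "CFE-3150" }
        usebundle => "cfe_internal_limit_robot_agents_spawn";
}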
bundle agent cfe_internal_limit_robot_agents_reap
# @brief Ensure that there are not more cfengine daemons running than there should be
#
# Counts the processes matching "bin/cf-monitord" using check_monitord("1").
# When the class more_cf_monitord_processes_than_expected is set, every
# matching process is sent term and then kill.
#
# NOTE(review): the promiser is a pattern applied to process-table entries and
# is presumably unanchored, so any command line that merely contains
# "bin/cf-monitord" would be counted and signalled -- confirm the matching
# rules, and tighten the pattern if unrelated processes could match.
{
processes:
!windows::
# Count only; the body defines the out-of-range class that guards the
# signalling promise below.
"bin/cf-monitord"
process_count => check_monitord("1"),
comment => "Check cf-monitord process if exceed the number",
handle => "cfe_internal_limit_robot_agents_processes_check_cf_monitord";
# Do not do this for cf-execd because it forks child processes to handle requests.
# Do not do this for cf-hub because cf-hub may have unlimited processes
# Do not do this for cf-agent because it is not unexpected to have
# concurrent agent runs, and the lifetime of an individual agent run can be controlled with
# [agent_expireafter][cf-execd#agent_expireafter] as defined in body executor control
#
more_cf_monitord_processes_than_expected::
# All matching processes are signalled, not just the surplus ones; restarting
# a single instance is left to the separate spawn bundle.
"bin/cf-monitord"
signals => { "term", "kill" },
comment => "When cf-monitord comes undone then kill all matching
process",
handle => "cfe_internal_limit_robot_agents_processes_kill_cf_monitord";
}
bundle agent cfe_internal_limit_robot_agents_spawn
# @brief Ensure that daemons are running after we have possibly reaped a pathological condition where more than the expected number of cfengine daemons was running
#
# Two steps: the processes promises define a "*_not_running" class for each
# daemon with no matching process, and the commands promises guarded by those
# classes start the daemon from its sys.* path.
{
processes:
!windows::
# restart_class names the class that requests a start of cf-execd.
"bin/cf-execd" -> { "CFE-2974" }
restart_class => "cf_execd_not_running",
comment => "If cf-execd isn't running, define a class so that it will be started",
handle => "cfe_internal_limit_robot_agents_processes_cf_execd_not_running";
# Same check for cf-monitord; termination of surplus daemons is kept in a
# different bundle (see the comment string below).
"bin/cf-monitord" -> { "CFE-2963" }
restart_class => "cf_monitord_not_running",
handle => "cfe_internal_limit_robot_agents_classify_cf_monitord_not_running",
comment => "We want cf-monitord to be running, but in order to avoid
non-convergent promises, this must be separated from the
promise to terminate misbehaving daemons";
commands:
# The binaries are started via the agent's own sys.cf_execd / sys.cf_monitord
# variables rather than a path written into the policy.
cf_execd_not_running::
"$(sys.cf_execd)"
comment => "Restart cf-execd process",
handle => "cfe_internal_limit_robot_agents_commands_restart_cf_execd";
cf_monitord_not_running::
"$(sys.cf_monitord)"
comment => "Restart cf-monitord process",
handle => "cfe_internal_limit_robot_agents_commands_restart_cf_monitord";
}
body process_count check_execd(n)
# @brief Accept between zero and `n` matching processes, and define a class when the count falls outside that range
{
      # Note this class is namespace scoped. Other bundles do use it
      out_of_range_define => { "more_cf_execd_processes_than_expected" };

      # Lower bound is fixed at 0; the caller supplies the upper bound.
      match_range => "0,$(n)";
}
body process_count check_monitord(n)
# @brief Accept between zero and `n` matching processes, and define a class when the count falls outside that range
{
      # Note this class is namespace scoped. Other bundles do use it
      out_of_range_define => { "more_cf_monitord_processes_than_expected" };

      # Lower bound is fixed at 0; the caller supplies the upper bound.
      match_range => "0,$(n)";
}
cfengine-masterfiles-3.24.2/cfe_internal/core/main.cf 0000644 0000000 0000000 00000015517 15010704240 022513 0 ustar 00root root 0000000 0000000 bundle agent cfe_internal_core_main
# @brief Entry point for core self-management: dispatches to the hub-state,
# daemon-limiting, log-rotation, watchdog and augments-control bundles, each
# behind its own class guard.
{
methods:
# Skipped when mpf_auto_am_policy_hub_state_disabled is defined, and only
# attempted while the am_policy_hub state file does not exist yet.
!mpf_auto_am_policy_hub_state_disabled::
"Verify policy hub state" -> { "CFE-3073" }
usebundle => mpf_auto_am_policy_hub_state,
if => not( fileexists( "$(sys.statedir)/am_policy_hub" ));
any::
# NB! On a container host this may kill CFEngine processes inside containers.
# See https://dev.cfengine.com/issues/6906
# Defining the class mpf_disable_cfe_internal_limit_robot_agents turns this
# promise off; hosts that run containers with their own CFEngine daemons are
# the case the warning above is about.
!mpf_disable_cfe_internal_limit_robot_agents::
"Limit concurrent agents" -> { "CFE-1799" }
usebundle => cfe_internal_limit_robot_agents,
handle => "cfe_internal_management_limit_cfe_agents",
comment => "Manage CFE processes";
any::
"any"
usebundle => cfe_internal_log_rotation,
handle => "cfe_internal_management_log_rotation",
comment => "Rotate CFEngine logs so we don't fill the disk";
# The watchdog bundle is called with "disabled" or "enabled" depending on
# which class is set; with neither class set it is not called from here.
cfe_internal_core_watchdog_disabled::
"Disable Core Watchdog"
usebundle => cfe_internal_core_watchdog("disabled");
cfe_internal_core_watchdog_enabled::
"Enable Core Watchdog"
usebundle => cfe_internal_core_watchdog("enabled");
mpf_augments_control_enabled::
"mpf_augments_control"
usebundle => mpf_augments_control;
}
bundle agent mpf_auto_am_policy_hub_state
# @brief Ensure that `$(sys.statedir)/am_policy_hub` file is present when expected
{
  files:

      # A host is treated as a policy hub when the policy server it
      # bootstrapped to matches one of its own IP addresses. Recreating the
      # state file in that case guards against its accidental removal.
      #
      # NOTE(review): the condition matches the escaped sys.policy_server
      # string against the entries of sys.ipaddresses; no name resolution is
      # visible here -- confirm what sys.policy_server holds when the host was
      # bootstrapped by hostname.
      "$(sys.statedir)/am_policy_hub"
        if => some( escape( $(sys.policy_server) ), @(sys.ipaddresses) ),
        create => "true";
}
bundle agent mpf_augments_control
# @brief Restart cfengine components when one of the control variables has changed.
#
# While the agent itself will reload its config upon notice of policy change
# this bundle specifically handles changes to variables used in the MPF which may
# come from external data sources which are unknown to the components themselves.
{
@if minimum_version(3.10)
# This policy leverages variablesmatching_as_data() (available since
# 3.10.0) and the -top- mustache extension (available since 3.9.0).
vars:
# Variables and their data which might necessitate a component restart
"server_controls" data => variablesmatching_as_data("default:def.control_server_.*");
"executor_controls" data => variablesmatching_as_data("default:def.control_executor_.*");
"monitor_controls" data => variablesmatching_as_data("default:def.control_monitor_.*");
"hub_controls" data => variablesmatching_as_data("default:def.control_hub_.*");
"runagent_controls" data => variablesmatching_as_data("default:def.control_runagent_.*");
"common_controls" data => variablesmatching_as_data("default:def.control_common_.*");
"agent_controls" data => variablesmatching_as_data("default:def.control_agent_.*");
# Serialized data for tracking state
"server_controls_state" string => string_mustache("{{$-top-}}", server_controls);
"executor_controls_state" string => string_mustache("{{$-top-}}", executor_controls);
"monitor_controls_state" string => string_mustache("{{$-top-}}", monitor_controls);
"hub_controls_state" string => string_mustache("{{$-top-}}", hub_controls);
"runagent_controls_state" string => string_mustache("{{$-top-}}", runagent_controls);
"common_controls_state" string => string_mustache("{{$-top-}}", common_controls);
"agent_controls_state" string => string_mustache("{{$-top-}}", agent_controls);
files:
"$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_hub_controls"
create => "true",
edit_line => insert_lines( $(hub_controls_state) ),
edit_defaults => empty,
classes => results("bundle", "hub_controls" );
"$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_server_controls"
create => "true",
edit_line => insert_lines( $(server_controls_state) ),
edit_defaults => empty,
classes => results("bundle", "server_controls" );
"$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_monitor_controls"
create => "true",
edit_line => insert_lines( $(monitor_controls_state) ),
edit_defaults => empty,
classes => results("bundle", "monitor_controls" );
"$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_executor_controls"
create => "true",
edit_line => insert_lines( $(executor_controls_state) ),
edit_defaults => empty,
classes => results("bundle", "executor_controls" );
"$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_runagent_controls"
create => "true",
edit_line => insert_lines( $(runagent_controls_state) ),
edit_defaults => empty,
classes => results("bundle", "runagent_controls" );
# Note a change in common controls is not expected to trigger any
# component restart, its simply tracked for completeness.
"$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_common_controls"
create => "true",
edit_line => insert_lines( $(common_controls_state) ),
edit_defaults => empty,
classes => results("bundle", "common_controls" );
# No need to restart cf-agent it as its not long running. We simply track the details for completeness.
"$(sys.workdir)$(const.dirsep)state$(const.dirsep)mpf_agent_controls"
create => "true",
edit_line => insert_lines( $(agent_controls_state) ),
edit_defaults => empty,
classes => results("bundle", "agent_controls" );
services:
systemd::
"cf-serverd"
service_policy => "restart",
if => "(server_controls_repaired|runagent_controls_repaired)";
"cf-monitord"
service_policy => "restart",
if => "monitor_controls_repaired";
systemd.enterprise_edition.(am_policy_hub|policy_server)::
"cf-hub"
service_policy => "restart",
if => "hub_controls_repaired";
# Well, this is dangerous we might kill our own agent
# "cf-execd"
# service_policy => "restart",
# if => "(execd_controls_repaired|runagent_controls_repaired)";
processes:
!systemd::
"cf-serverd"
signals => { "term" },
if => "(server_controls_repaired|runagent_controls_repaired)";
"cf-monitord"
signals => { "term" },
if => "monitor_controls_repaired";
systemd.enterprise_edition.(am_policy_hub|policy_server)::
"cf-hub"
signals => { "term" },
if => "hub_controls_repaired";
# Well, this is dangerous we might kill our own agent
# "cf-execd"
# signals => { "term" },
# if => "(execd_controls_repaired|runagent_controls_repaired)";
@endif
}
cfengine-masterfiles-3.24.2/cfe_internal/core/watchdog/ 0000755 0000000 0000000 00000000000 15010704326 023051 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/cfe_internal/core/watchdog/templates/ 0000755 0000000 0000000 00000000000 15010704326 025047 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/cfe_internal/core/watchdog/templates/watchdog-windows.ps1.mustache 0000644 0000000 0000000 00000003445 15010704240 032575 0 ustar 00root root 0000000 0000000 $LOGFILE="{{{logfile}}}"
# Watchdog body: when at least $long_running_cf_agent_count_threshold cf-agent
# processes have been running longer than $long_running_cf_agent_threshold_min
# minutes, log the process table, force-stop the old ones and log the table
# again. Processes are selected by name only (Get-Process cf-agent), so any
# process called cf-agent is in scope regardless of where its binary lives.
$long_running_cf_agent_threshold_min = 5
$long_running_cf_agent_count_threshold = 1

# Calculated column shared by the before/after process listings.
$elapsed_minutes_column = @{
    label      = "Elapsed Minutes"
    expression = { [System.Math]::Round(((Get-Date) - $_.StartTime).totalminutes) }
}

$long_running_cf_agent_count = @(
    Get-Process cf-agent -ErrorAction "silentlycontinue" |
        Where-Object { $_.StartTime -lt (Get-Date).AddMinutes(-$long_running_cf_agent_threshold_min) }
).count

If ($long_running_cf_agent_count -ge $long_running_cf_agent_count_threshold) {
    $DATESTAMP = Get-Date -Format "yyyy-MM-dd HH:mm"
    Write-Output "${DATESTAMP}: Count of long running cf-agent ($long_running_cf_agent_count) has met the threshold ($long_running_cf_agent_count_threshold) of long running agents, remediation triggered." |
        Tee-Object -FilePath "$LOGFILE" -Append
    Write-Output "${DATESTAMP}: Before remediation" |
        Tee-Object -FilePath "$LOGFILE" -Append
    Get-Process cf-agent -ErrorAction "silentlycontinue" |
        Format-Table -ErrorAction "silentlycontinue" Name, CommandLine, StartTime, $elapsed_minutes_column |
        Tee-Object -FilePath "$LOGFILE" -Append

    # -Force stops the selected processes without asking for confirmation.
    Get-Process cf-agent -ErrorAction "silentlycontinue" |
        Where-Object { $_.StartTime -lt (Get-Date).AddMinutes(-$long_running_cf_agent_threshold_min) } |
        Stop-Process -Force

    # Give the system a bit of time to kill all the processes
    Start-Sleep -Seconds 1

    $DATESTAMP = Get-Date -Format "yyyy-MM-dd HH:mm"
    $running_cf_agent_count = @(Get-Process cf-agent -ErrorAction "silentlycontinue").count
    Write-Output "${DATESTAMP}: Observed $running_cf_agent_count cf-agent processes after remediation" |
        Tee-Object -FilePath "$LOGFILE" -Append
    Get-Process cf-agent -ErrorAction "silentlycontinue" |
        Format-Table -ErrorAction "silentlycontinue" Name, CommandLine, StartTime, $elapsed_minutes_column |
        Tee-Object -FilePath "$LOGFILE" -Append
}
cfengine-masterfiles-3.24.2/cfe_internal/core/watchdog/templates/watchdog.mustache 0000644 0000000 0000000 00000036104 15010704240 030401 0 ustar 00root root 0000000 0000000 #!/usr/bin/sh
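# Only one watchdog may run at a time; the PID of the active instance is
# recorded in this file.
PIDFILE="/var/cfengine/watchdog.pid"
# On a fatal signal remove the collection directory and then stop. Without the
# explicit exit the shell resumes the script once the handler returns and
# carries on (including remediation) with its working directory deleted.
# Signal names are given without the SIG prefix, the form POSIX specifies
# for trap.
trap 'cleanup; exit 1' HUP INT QUIT ABRT TERM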
# Remove the artifact collection directory so that an interrupted or aborted
# run leaves nothing behind.
# Globals: COLLECTION_DIR (read)
# Returns: 0 when the directory does not exist, otherwise the status of rm
cleanup()
{
  # Nothing to do before the directory has been created (or when the
  # variable is still empty).
  [ -d "${COLLECTION_DIR}" ] || return 0
  rm -rf "${COLLECTION_DIR}"
}
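# Print how many running processes have a command line that starts with
# /var/cfengine/bin/cf-<suffix>, where <suffix> is $1 (empty counts every
# cf- binary). The [c] bracket keeps the pattern from matching a grep
# command line.
_count_cf_procs()
{
  ps -ef -o args | grep -c "^/var/cfengine/bin/[c]f-$1"
}

# Restart CFEngine through its init script, then verify that cf-execd,
# cf-serverd and cf-monitord are all running.
# Globals: COLLECTION_DIR, COLLECTION_REPORT, LOGFILE (read)
# Outputs: one line per missing daemon on stdout and in LOGFILE; a bullet per
#          missing daemon appended to COLLECTION_REPORT
# Returns: 0 when all three daemons are running; 1 otherwise, after stopping
#          the service again so the caller can retry from a clean state
all_cfengine_daemons_running()
{
  /etc/rc.d/init.d/cfengine3 restart > "${COLLECTION_DIR}/etc_rc_d_init_d_cfengine3_restart.$(date +%s).log" 2>&1
  sleep 3
  # Log if any expected daemon is not running. The counts are quoted so an
  # empty result is a clean test failure rather than a syntax error in [.
  for each in execd serverd monitord; do
    if [ "$(_count_cf_procs "${each}")" -lt 1 ]; then
      echo "- *cf-${each} is not running after service restart*" >> "${COLLECTION_REPORT}"
      echo "$(date) cf-${each} is not running after service restart" | tee -a "${LOGFILE}"
    fi
  done
  if [ "$(_count_cf_procs "")" -lt 1 ]; then
    echo "- *No cf- processes running after service restart*" >> "${COLLECTION_REPORT}"
    echo "$(date) No cf- processes running after service restart" | tee -a "${LOGFILE}"
  fi
  # Second pass decides the result: the first missing daemon stops the
  # service and reports failure.
  for each in execd serverd monitord; do
    if [ "$(_count_cf_procs "${each}")" -lt 1 ]; then
      /etc/rc.d/init.d/cfengine3 stop > "${COLLECTION_DIR}/etc_rc_d_init_d_cfengine3_stop.$(date +%s).log" 2>&1
      return 1
    fi
  done
  return 0
}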
# Watchdog events are logged here.
LOGFILE="/var/cfengine/watchdog.log"
echo "$(date) Initiating watchdog $$" >> ${LOGFILE}
# Single-instance guard: continue only if no other live watchdog owns the
# pidfile; every branch either records our own PID or aborts with status 1.
# NOTE(review): the check and the write of the pidfile are separate steps, so
# two watchdogs started at the same moment can both pass the guard - confirm
# the one-minute cron cadence makes that acceptable.
if [ -s $PIDFILE ]; then
# We have a pidfile
if ps -p $(cat $PIDFILE) > /dev/null 2>&1 ; then
# There is a process with the PID in the file, but is it stale?
if [ -d /proc ]; then
# We can know for sure if it's stale
# ls -t lists the most recently modified entry first: if the /proc entry of
# the process is newer than the pidfile, the PID now belongs to a process
# that started after the pidfile was written.
actual_process="/proc/$(cat "$PIDFILE")"
newer="$(ls -1dt "$PIDFILE" "$actual_process" | head -n 1)"
if [ "$actual_process" = "$newer" ]; then
# Pidfile is stale, ignore it
echo $$ > $PIDFILE
else
# Pidfile is definitely correct
echo "$(date) Aborting execution of watchdog $$, existing watchdog process $(cat $PIDFILE) running" >> ${LOGFILE}
exit 1
fi
else
# No /proc, pidfile shows a running process, we'll assume it's valid
echo "$(date) Aborting execution of watchdog $$, existing watchdog process $(cat $PIDFILE) running" >> ${LOGFILE}
exit 1
fi
else
# No current process matching pid in file
echo $$ > $PIDFILE
fi
else
# No pidfile at all
echo $$ > $PIDFILE
fi
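TMPDIR="/tmp"
mkdir -p "${TMPDIR}"
CFENGINE_WORKDIR="/var/cfengine"
CFENGINE_WORKDIR_COLLECTION=""
OUTPUTS_DIR="${CFENGINE_WORKDIR}/outputs"
ARCHIVE_DIR="/var/cfengine/watchdog-archives"
mkdir -p "${ARCHIVE_DIR}"
PATHOLOGY_COUNT=0
PATHOLOGY_THRESHOLD=0
# Collection Dir
# - We create a directory in order to collect artifacts about our observations
# - If there are enough pathology indicators found to warrant a report, the
# directory will be packaged for sending
# Portable mktemp: https://stackoverflow.com/questions/10224921/how-to-create-a-temporary-file-with-portable-shell-in-a-secure-way#comment86787877_10235393
# Adjusted, known to work on aix 7.1.0.0
if [ -r "/dev/urandom" ]; then
  RNDM="/dev/urandom"
else
  RNDM="/dev/random"
fi
length=7
random_hex=$(od -An -N${length} -tx1 "${RNDM}" | tr -d ' \t')
# Without random bytes the directory name would be the fixed string
# ".cfengine-watchdog" in a world-writable directory; refuse to continue.
if [ -z "${random_hex}" ]; then
  echo "$(date) Aborting watchdog $$, no random data from ${RNDM}" | tee -a "${LOGFILE}"
  exit 1
fi
safetemp="${random_hex}.cfengine-watchdog"
COLLECTION_DIR="${TMPDIR}/${safetemp}"
# The directory later receives core files and copies of the CFEngine state, so
# it is created owner-only. mkdir without -p fails when the path already
# exists, which keeps the script from adopting a directory or symlink that
# something else placed under that name.
mkdir -m 700 "${COLLECTION_DIR}" || {
  echo "$(date) Aborting watchdog $$, could not create private directory ${COLLECTION_DIR}" | tee -a "${LOGFILE}"
  # Forget the path: it was not created by this run and must not be removed.
  COLLECTION_DIR=""
  exit 1
}
COLLECTION_REPORT="${COLLECTION_DIR}/README.org"
echo "#+Title: CFEngine Watchdog Engineering Summary [$(date '+%Y-%m-%d %a')]" >> "${COLLECTION_REPORT}"
echo "* Pathologies" >> "${COLLECTION_REPORT}"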
# Free-space guard: the watchdog aborts rather than collect artifacts when
# either the archive directory or the temp directory reports a value below
# 500000 in the third column of the last `df -k` line.
# NOTE(review): the third `df -k` column is treated as free kilobytes, which
# presumably matches the AIX layout this script targets - confirm before
# reusing it on another platform.
ARCHIVE_DIR_FREEk=$(df -k ${ARCHIVE_DIR} | tail -n 1 | awk '{print $3}')
if [ "${ARCHIVE_DIR_FREEk}" -lt 500000 ]; then
echo "$(date) ${ARCHIVE_DIR} has less than 500MB free space, initiating watchdog archive cleanup" | tee -a ${LOGFILE}
# Archive dir has less than 500MB, cleanup leaving oldest and newest archives
# The first and last entries of the `ls` listing are kept; every entry in
# between is removed. The listing is split on whitespace.
files=$(ls ${ARCHIVE_DIR})
count=$(echo $files | wc -w)
_counter=0
for i in $files; do
if [ "${_counter}" -eq 0 ]; then
echo "Not deleting $i it's the oldest and may contain valuable information about the first event"
elif [ "${_counter}" -eq "$(( $count - 1))" ]; then
echo "Not deleting $i it's the most recent"
else
echo "Delete $i"
rm "${ARCHIVE_DIR}/$i"
fi
_counter=$((1 + ${_counter}))
done
# Measure again; give up if the cleanup did not free enough space.
ARCHIVE_DIR_FREEk=$(df -k ${ARCHIVE_DIR} | tail -n 1 | awk '{print $3}')
if [ "${ARCHIVE_DIR_FREEk}" -lt 500000 ]; then
echo "$(date) ${ARCHIVE_DIR} still has less than 500MB free space after cleaning up archives." | tee -a ${LOGFILE}
echo "$(date) Aborting watchdog $$" | tee -a ${LOGFILE}
cleanup
exit 1
fi
fi
# We check free space in tmp second (in case tmp is on same filesystem as archives, and archives get cleaned up)
TMPDIR_FREEk=$(df -k ${TMPDIR} | tail -n 1 | awk '{print $3}')
if [ "${TMPDIR_FREEk}" -lt 500000 ]; then
echo "$(date) ${TMPDIR} has less than 500MB free space" | tee -a ${LOGFILE}
echo "$(date) Aborting watchdog $$" | tee -a ${LOGFILE}
cleanup
exit 1
fi
# Detection phase: each pathology found below appends a line to the log and to
# the report and, except where noted, adds one to PATHOLOGY_COUNT.
# Pathology #1: cf-execd is not running.
# While not strictly a pathology, it is non-standard to run cf-agent without cf-execd.
ps -ef -o args | grep ^\/var\/cfengine\/bin\/[c]f-execd > "${COLLECTION_DIR}/ps_grep_cf-execd.txt"
_COUNT_CF_EXECD_PROCS="$(cat ${COLLECTION_DIR}/ps_grep_cf-execd.txt | wc -l)"
if [ "${_COUNT_CF_EXECD_PROCS}" -lt "1" ]; then
echo "$(date) Found cf-execd not running" >> ${LOGFILE}
echo "- cf-execd not running" >> ${COLLECTION_REPORT}
PATHOLOGY_COUNT=$((${PATHOLOGY_COUNT}+1))
fi
# Pathology #1.5: More than one cf-execd is running.
# The running minor version is read from the cf-promises variable dump.
/var/cfengine/bin/cf-promises --show-vars=default:sys.cf > "${COLLECTION_DIR}/cf-promises_--show-vars=default:sys.cf.txt"
CF_VERSION_MINOR_RUNNING="$(awk '/cf_version_minor / {print $2}' ${COLLECTION_DIR}/cf-promises_--show-vars=default:sys.cf.txt)"
# At 3.18.0 cf-execd began running cf-agent from a child process instead of a thread on POSIX systems (ENT-6182)
_COUNT_CF_EXECD_PROCS_THRESHOLD=1
# NOTE(review): if cf-promises produced no version, the numeric test below
# fails on an empty operand and the threshold silently stays at 1, which would
# flag a healthy 3.18+ host - confirm this fallback is wanted.
if [ "${CF_VERSION_MINOR_RUNNING}" -ge "18" ]; then
_COUNT_CF_EXECD_PROCS_THRESHOLD=2
fi
if [ "${_COUNT_CF_EXECD_PROCS}" -gt "${_COUNT_CF_EXECD_PROCS_THRESHOLD}" ]; then
echo "$(date) Found ${_COUNT_CF_EXECD_PROCS} cf-execd processes running" >> ${LOGFILE}
echo "- Found ${_COUNT_CF_EXECD_PROCS} cf-execd running" >> ${COLLECTION_REPORT}
PATHOLOGY_COUNT=$((${PATHOLOGY_COUNT}+1))
fi
# Pathology #2: cf-agent execution times exceed body executor control agent_expireafter
# cf-agent processes launched by cf-execd have not communicated back to cf-execd
# within $(agent_expireafter). This may be OK, but may also indicate that
# cf-agent is hung.
# Outputs could be empty because:
# - cf-execd hasn't executed cf-agent since purging outputs
# - cf-agent is not producing output (the expected normal state)
if [ "$(ls -A ${OUTPUTS_DIR})" ]; then
observation=$(find "${OUTPUTS_DIR}" ! -name previous | xargs grep "cf-execd: timeout waiting for output from agent")
if [ -n "$observation" ]; then
# NOTE(review): this adds 0 to the newline count while pathologies #3 and #4
# add 1 to the same `echo -n | wc -l` construct; where echo honours -n a
# single match would be reported as 0 occurrences - confirm which is meant.
count=$(expr 0 + $(echo -n "${observation}" | wc -l))
echo "$(date) Found ${count} occurrences of cf-execd terminating unresponsive cf-agent" >> ${LOGFILE}
echo "- ${count} cf-agent terminations" >> ${COLLECTION_REPORT}
PATHOLOGY_COUNT=$((${PATHOLOGY_COUNT}+1))
fi
fi
# Pathology #3: cf-agent process(s) running longer than expected
# While not strictly a pathology, this may indicate a hung agent
# On AIX, etime (and etimes) is displayed in human readable form
# e.g:
# USER PID ELAPSED COMMAND
# root 10551366 5-00:35:58 /var/cfengine/bin/cf-agent
# We have to convert that into seconds so that we can determine if it's been
# running longer than we expect, that's what the second awk command is for.
# The second awk splits the elapsed time on ":" - two fields are mm:ss, three
# fields are hh:mm:ss with an optional "days-" prefix on the hour - and prints
# the entries that exceed 300 seconds.
observation=$(ps -e -o user,pid,etime,args | awk 'FNR == 1 {next} /\/var\/cfengine\/bin\/cf-agent/ {print $3}' | awk 'BEGIN { FS = ":" } \
{
if (NF == 2) {
etimes = $1*60 + $2
} else if (NF == 3) {
split($1, a, "-");
if (a[2] != "" ) {
etimes = ((a[1]*24+a[2])*60 + $2) * 60 + $3;
} else {
etimes = ($1*60 + $2) * 60 + $3;
}
}
if (etimes > 300) {
print
}
}')
if [ ${#observation} -gt 0 ]; then
count=$(expr 1 + $(echo -n "${observation}" | wc -l))
echo "$(date) Found ${count} cf-agent processes running longer than 300s" >> ${LOGFILE}
echo "- ${count} cf-agent processes running longer than 300s" >> ${COLLECTION_REPORT}
PATHOLOGY_COUNT=$((${PATHOLOGY_COUNT}+1))
fi
# Pathology #4: High number of concurrent cf-agent processes
# While cf-agent is designed to be able to run concurrently, having many
# concurrent cf-agent processes may indicate an issue like an agent pile up
observation=$(ps -e -o pid,etime,args | awk '/\/var\/cfengine\/bin\/cf-agent/ {print}')
if [ ${#observation} -gt 0 ]; then
count=$(expr 1 + $(echo -n "${observation}" | wc -l))
# More than three concurrent agents counts as a symptom.
if [ ${count} -gt 3 ]; then
echo "$(date) Found ${count} concurrently running agents" >> ${LOGFILE}
echo "- ${count} concurrently running cf-agent processes" >> ${COLLECTION_REPORT}
PATHOLOGY_COUNT=$((${PATHOLOGY_COUNT}+1))
fi
fi
# Pathology #5: cf-check has encountered a critical issue
# This indicates that there are one or more integrity issues
# Unlike the checks above, this one records its finding but does not
# increment PATHOLOGY_COUNT, so on its own it never triggers remediation.
# NOTE(review): confirm that is intentional.
if [ -x /var/cfengine/bin/cf-check ]; then
observation=$(/var/cfengine/bin/cf-check diagnose /var/cfengine/state/*.lmdb)
if [ $? -ne 0 ]; then
echo "$(date) cf-check observed critical integrity issues" >> ${LOGFILE}
echo "- cf-check observed critical integrity issues" >> ${COLLECTION_REPORT}
echo " #+begin_example\n${observation}\n#+end_example" >> ${COLLECTION_REPORT}
fi
fi
# Remediation phase: when more symptoms were found than the threshold allows,
# collect evidence, kill the CFEngine processes, purge outputs and LMDB files,
# restart the service and archive everything that was collected.
if [ "${PATHOLOGY_COUNT}" -gt "${PATHOLOGY_THRESHOLD}" ]; then
echo "$(date) Found ${PATHOLOGY_COUNT} symptoms, threshold (${PATHOLOGY_THRESHOLD}) breached." | tee -a ${LOGFILE}
echo "* Observations" >> ${COLLECTION_REPORT}
# Snapshot of the process table and of the work directory before anything
# is changed.
ps auxwww > "${COLLECTION_DIR}/ps_auxwww.txt"
echo "- [[./ps_auxwww.txt][~ps auxwww~]]" >> ${COLLECTION_REPORT}
ps -elf > "${COLLECTION_DIR}/ps_-elf.txt"
echo "- [[./ps_-elf.txt][~ps -elf~]]" >> ${COLLECTION_REPORT}
find "${CFENGINE_WORKDIR}" >> "${COLLECTION_DIR}/find__var_cfengine.txt"
echo "- [[./find__var_cfengine.txt][=/var/cfengine= file list]] - Before remediation" >> ${COLLECTION_REPORT}
tar -c -f "${COLLECTION_DIR}/sys.workdir-before-remediation.tar" -C "${CFENGINE_WORKDIR}" state outputs
echo "- [[./sys.workdir-before-remediation.tar][=sys.workdir-before-remediation.tar=]] - CFEngine WORKDIR artifacts before remediation" >> ${COLLECTION_REPORT}
# NOTE(review): this filter is unanchored - every process whose `ps -efl` line
# contains "cf-" anywhere (user name, arguments, the grep itself) is core
# dumped and sent SIGKILL by the loop below. The detection code earlier in
# this script anchors on /var/cfengine/bin/; consider the same filter here.
ps -efl | grep cf- > "${COLLECTION_DIR}/cf-procs.txt"
echo "- [[./cf-procs.txt][~ps -efl | grep cf-~]]" >> ${COLLECTION_REPORT}
echo "$(date) Initiating apoptosis" | tee -a ${LOGFILE}
# For each captured process: write a core with gencore, record a dbx "where"
# backtrace in the report, then kill it.
# NOTE(review): fields 4 and 15 are presumably PID and command in the AIX
# `ps -efl` layout - verify; a different column layout would hand the wrong
# number to kill.
while IFS= read -r proc; do
_PID=$(echo $proc | awk '{print $4}')
_PROC=$(echo $proc | awk '{print $15}')
_PROCFILE=$(echo "$_PROC" | sed 's./._.g')
_COREFILE=$(printf "%s_%s.core" "$_PID" "$_PROCFILE")
_COREPATH=$(printf "%s/%s" "${COLLECTION_DIR}" "$_COREFILE")
_DBX_ERR_LOG=$(printf "%s/%s.dbx.err" "${COLLECTION_DIR}" "$_COREFILE")
gencore "$_PID" "$_COREPATH" > "${COLLECTION_DIR}/gencore-$_PID.output" 2>&1
echo "- [[./gencore-$_PID.output][output from gencore $_PID $_COREPATH]]" >> ${COLLECTION_REPORT}
echo "- [[./$_COREFILE][core from $_PID]]" >> ${COLLECTION_REPORT}
observation=$(echo "where" | dbx "$_PROC" "$_COREPATH" 2> "$_DBX_ERR_LOG")
echo " - backtrace:" >> ${COLLECTION_REPORT}
echo " #+begin_example\n${observation}\n#+end_example" >> ${COLLECTION_REPORT}
echo " - dbx stderr: [[./$(basename $_DBX_ERR_LOG)][dbx $_PROC $_COREPATH]]" >> ${COLLECTION_REPORT}
kill -s SIGKILL "$_PID" > "${COLLECTION_DIR}/kill_$_PID.txt" 2>&1
echo " - [[./kill_$_PID.txt][~kill -s SIGKILL $_PID~]]" >> ${COLLECTION_REPORT}
done < "${COLLECTION_DIR}/cf-procs.txt"
echo "- Purged outputs (don't want them to trigger pathology remediation more than once)" >> ${COLLECTION_REPORT}
for each in $(ls -A "${CFENGINE_WORKDIR}/outputs/"); do
rm "${CFENGINE_WORKDIR}/outputs/${each}"
done
# Switch to more intelligent cf-check repair in 3.12.3
echo "- Purged LMDBs" >> ${COLLECTION_REPORT}
for each in ${CFENGINE_WORKDIR}/state/*.lmdb*; do
rm "${each}"
done
tar -c -f "${COLLECTION_DIR}/sys.workdir-after-remediation.tar" -C "${CFENGINE_WORKDIR}" state outputs
echo "- [[./sys.workdir-after-remediation.tar][=sys.workdir-after-remediation.tar=]] - CFEngine WORKDIR artifacts after remediation" >> ${COLLECTION_REPORT}
####+begin_critical
# We will re-try up to 10 times to get all the daemons running
echo "$(date) Initiating anastasis" | tee -a ${LOGFILE}
for try in 1 2 3 4 5 6 7 8 9 10; do
echo "- Anastasis [[./remediation-re-start-try-${try}.log][try ${try}]]" >> ${COLLECTION_REPORT}
if all_cfengine_daemons_running > "${COLLECTION_DIR}/remediation-re-start-try-${try}.log"; then break; fi
if [ "${try}" -ne 10 ]; then
echo "Attempt $((1 + ${try})) of 10 in 10 seconds ..." >> ${LOGFILE}
sleep 10
else
echo "$(date) Failed to bring all services online after 10 retries, giving up" | tee -a ${LOGFILE}
echo "- Failed to bring all services online after 10 retries, giving up" >> ${COLLECTION_REPORT}
fi
done
####+end_critical
tar -c -f "${COLLECTION_DIR}/sys.workdir-after-restarting.tar" -C "${CFENGINE_WORKDIR}" state outputs
echo "- [[./sys.workdir-after-restarting.tar][=sys.workdir-after-restarting.tar=]] - CFEngine WORKDIR artifacts after restarting" >> ${COLLECTION_REPORT}
cp $0 ${COLLECTION_DIR}/watchdog
echo "- [[./watchdog][=watchdog=]] - The watchdog that generated this report" >> ${COLLECTION_REPORT}
# Package the artifacts together
# NOTE(review): the tarball is written next to the collection directory, i.e.
# directly in TMPDIR, with whatever umask cron provides, and keeps that mode
# after the move. It contains process cores and state copies - consider a
# restrictive mode, or building it inside ARCHIVE_DIR.
tar -c -f "${COLLECTION_DIR}.tar" -C "${COLLECTION_DIR}" .
gzip "${COLLECTION_DIR}.tar"
# The archive name is computed once for the move and again for the log line;
# the logged name differs from the real one if the second changes in between.
mv "${COLLECTION_DIR}.tar.gz" "${ARCHIVE_DIR}/$(date +%Y-%m-%d_%s).tar.gz"
echo "$(date) Collected artifacts stored in ${ARCHIVE_DIR}/$(date +%Y-%m-%d_%s).tar.gz" | tee -a ${LOGFILE}
elif [ "${PATHOLOGY_COUNT}" -gt 0 ]; then
echo "$(date) Found ${PATHOLOGY_COUNT} symptoms, threshold (${PATHOLOGY_THRESHOLD}) not breached." | tee -a ${LOGFILE}
else
echo "$(date) Found ${PATHOLOGY_COUNT} symptoms, threshold (${PATHOLOGY_THRESHOLD}) not breached, no remediation or collection performed" >> ${LOGFILE}
fi
echo "$(date) DONE watchdog $$" >> ${LOGFILE}
# Remove the collection directory; its contents were archived above when
# remediation ran.
cleanup
cfengine-masterfiles-3.24.2/cfe_internal/core/watchdog/watchdog.cf 0000644 0000000 0000000 00000020444 15010704240 025162 0 ustar 00root root 0000000 0000000 bundle agent cfe_internal_core_watchdog(state)
# @brief Configure external watchdog processes to keep cf-execd running
# @param state (enabled|disabled) The state to keep the watchdog configuration in
#
# Picks one platform implementation (cron.d, AIX crontab or Windows scheduled
# task) and passes `state` on to it.
{
meta:
"description"
string => "Configure external watchdog processes (like cron, or monit) to
make sure that cf-execd is always running";
vars:
# Read by the Windows implementation as cfe_internal_core_watchdog._logfile.
"_logfile" string => "$(sys.workdir)/watchdog.log";
classes:
# invalid_state is only consulted by the DEBUG report below; the methods
# promises are not guarded by it, so an unexpected value is still handed to
# the platform bundle.
"invalid_state"
not => regcmp("(enabled|disabled)", "$(state)");
"have_cron_d"
expression => isdir("/etc/cron.d");
"use_cfe_internal_core_watchdog_cron_d"
expression => "have_cron_d._stdlib_path_exists_pgrep";
# We use the aix specific watchdog implementation when it's aix and we are
# not using the cron.d implementation.
"use_cfe_internal_core_watchdog_aix"
expression => "!use_cfe_internal_core_watchdog_cron_d.aix";
"use_cfe_internal_core_watchdog_windows"
expression => "windows";
methods:
use_cfe_internal_core_watchdog_cron_d::
"any" usebundle => cfe_internal_core_watchdog_cron_d( $(state) );
use_cfe_internal_core_watchdog_aix::
"any" usebundle => cfe_internal_core_watchdog_aix( $(state) );
use_cfe_internal_core_watchdog_windows::
"any" usebundle => cfe_internal_core_watchdog_windows( $(state) );
reports:
DEBUG|DEBUG_cfe_internal_core_watchdog::
"DEBUG $(this.bundle): Watchdog '$(state)'";
"DEBUG $(this.bundle): Invalid state '$(state)' only enabled|disabled allowed"
if => "invalid_state";
# Reported when none of the three implementations applies to this host.
!(use_cfe_internal_core_watchdog_cron_d|use_cfe_internal_core_watchdog_aix|use_cfe_internal_core_watchdog_windows)::
"WARNING $(this.bundle): Currently only supports /etc/cron.d on systems that have pgrep in the the stdlib paths bundle, AIX and Windows hosts.";
}
bundle agent cfe_internal_core_watchdog_windows(state)
# @brief Manage watchdog state on windows
# @param state enabled|disabled
# - When enabled a scheduled task "CFEngine-watchdog" will be present and enabled
# - When disabled a scheduled task named "CFEngine-watchdog" will be absent.
#
# The task is registered to run as "System" at the highest run level every
# $(_taskfreq) minute(s) and starts PowerShell with `-ExecutionPolicy bypass`
# on $(_taskscript), so whoever can modify that script file can run code as
# SYSTEM.
{
vars:
windows::
# Anything other than enabled/disabled becomes "invalid", for which no class
# context below has promises.
"_requested_state" string => ifelse( regcmp( "enabled|disabled", $(state) ), "$(state)", "invalid");
"_taskname" string => "CFEngine-watchdog";
"_taskfreq" string => "1";
"_taskscript" string => "$(sys.bindir)$(const.dirsep)watchdog.ps1";
"_taskrun" string => "PowerShell";
"_taskrun_args" string => "-NoProfile -ExecutionPolicy bypass -File";
"_logfile" string => "$(cfe_internal_core_watchdog._logfile)";
# -NonInteractive?
"_cmd_task_schedule"
string => `$(sys.winsysdir)$(const.dirsep)schtasks.exe /create /tn "$(_taskname)" /tr "$(_taskrun) $(_taskrun_args) '$(_taskscript)'" /ru "System" /sc minute /mo $(_taskfreq) /rl highest /f`;
# We use XML output because it's the most portable output considering localization etc ...
"_cmd_task_query"
string => `schtasks /QUERY /TN "$(_taskname)" /XML 2> $(const.dollar)null`;
"_cmd_task_query_result"
string => execresult( $(_cmd_task_query), powershell);
# This regular expression is used to match against the XML output querying the task
# We escape _taskscript with \Q \E since it contains backslashes which we don't want to be expanded
# Only interval, command and arguments are compared; the account and run
# level of an existing task are not part of the match.
"_scheduled_task_regex"
string => concat(".*Interval.PT$(_taskfreq)M..Interval",
".*Command.$(_taskrun)..Command",
".*Arguments.$(_taskrun_args) .\Q$(_taskscript)\E...Arguments",
".*");
classes:
windows::
"_requested_state_$(_requested_state)";
_requested_state_enabled::
"_watchdog_present_correct"
expression => regcmp( $(_scheduled_task_regex), $(_cmd_task_query_result) );
_requested_state_disabled::
"_watchdog_absent_correct"
expression => not( returnszero( 'schtasks /QUERY /TN "$(_taskname)" 2> $(const.dollar)null', powershell ));
files:
# The script is rendered regardless of the requested state; disabling removes
# the scheduled task only, not this file.
# NOTE(review): no perms/acl attribute is set here - confirm that
# $(sys.bindir) is writable by administrators only, since the task runs this
# file as SYSTEM.
# NOTE(review): $(_logfile) is interpolated into a JSON string literal; a
# Windows path with backslashes may not survive parsejson() - verify.
"$(_taskscript)"
create => "true",
template_method => "mustache",
edit_template => "$(this.promise_dirname)/templates/watchdog-windows.ps1.mustache",
template_data => parsejson( '{"logfile": "$(_logfile)" }' );
commands:
_requested_state_disabled.!_watchdog_absent_correct::
`schtasks /DELETE /TN "$(_taskname)" /F`
action => immediate,
contain => powershell,
classes => results( "bundle", "win_watchdog_script");
_requested_state_enabled.!_watchdog_present_correct::
# /f in the command overwrites an existing task of the same name.
`$(_cmd_task_schedule)`
action => immediate,
contain => in_shell,
classes => results( "bundle", "win_watchdog_script");
reports:
verbose_mode::
"CFEngine-watchdog desired state '$(_requested_state)'";
"CFEngine-watchdog scheduled task state '$(_requested_state)' correct"
if => "_watchdog_present_correct|_watchdog_absent_correct";
verbose_mode.(!_watchdog_present_correct._requested_state_enabled)::
"CFEngine-watchdog scheduled task state incorrect";
`Should: $(_cmd_task_schedule)`;
(inform_mode|verbose_mode).win_watchdog_script_repaired::
"CFEngine-watchdog scheduled task repaired";
}
bundle agent cfe_internal_core_watchdog_aix(state)
# @brief Manage watchdog state on aix
# @param state enabled|disabled
# - When enabled a cron job will be present to start cf-execd if it's not running.
# - When disabled cron jobs ending with `# CFEngine watchdog` will not be present.
#
# The current crontab is dumped to a working copy in the state directory, the
# copy is edited, and it is loaded back with crontab(1) when it changed.
# Disabling removes the cron entry only; $(sys.bindir)/watchdog is left in
# place by this bundle.
{
classes:
any::
# Define a class for whatever the desired state is
# The class name is taken verbatim from the parameter; this bundle does not
# validate it.
"$(state)"
expression => "any";
vars:
"my_statedir" string => "$(sys.statedir)/MPF/$(this.bundle)";
commands:
# We need to know about the current crontab before making any changes
# Runs only once the state directory exists; the files promises below depend
# on this promise through its handle.
"/usr/bin/crontab -l > $(my_statedir)/root-crontab"
handle => "aix_crontab_get_state",
if => isdir( "$(my_statedir)" ),
contain => in_shell_and_silent;
files:
enabled::
# We need a place to track state for processing changes to cron entries
# with proper signaling.
# NOTE(review): no perms are set on this directory or on the root-crontab
# copy inside it. The copy is later installed as the crontab of the user
# running the agent, so anything able to write it between the edit and the
# load controls that crontab - confirm $(sys.statedir) is root-only.
"$(my_statedir)/."
create => "true";
# The watchdog script takes care of detecting conditions and launching
# necessary components.
# Mode 700 root:system: cron runs the script every minute, so it must not be
# writable by anyone else.
"$(sys.bindir)/watchdog"
create => "true",
template_method => "mustache",
perms => mog( "700", "root", "system" ),
edit_template => "$(this.promise_dirname)/templates/watchdog.mustache";
# When enabled we make sure there is a cron entry to execute the watchdog
# script.
# NOTE The text `# CFEngine watchdog` is used to locate the specific entry in cron when disabling
"$(my_statedir)/root-crontab"
create => "true",
edit_line => lines_present( "* * * * * $(sys.bindir)/watchdog >/dev/null 2>&1 # CFEngine watchdog"),
classes => results( "bundle", "root_crontab" ),
depends_on => { "aix_crontab_get_state" };
disabled::
# Every line ending in the marker text is removed, not just the exact entry
# written above.
"$(my_statedir)/root-crontab"
edit_line => delete_lines_matching(".*# CFEngine watchdog"),
classes => results( "bundle", "root_crontab" ),
depends_on => { "aix_crontab_get_state" };
commands:
root_crontab_repaired::
# We use crontab to load the desired entries so that crond will be
# signaled and the changes will be respected.
# This replaces the whole crontab with the working copy.
"/usr/bin/crontab $(my_statedir)/root-crontab";
}
bundle agent cfe_internal_core_watchdog_cron_d(state)
# @brief Use a cron job installed in /etc/cron.d to watch and make sure that
# cf-execd is always running.
# @param state (enabled|disabled) The state to keep the watchdog configuration
# in. Enabled manages the cron job, disabled removes it.
{
classes:
any::
# Define a class for whatever the desired state is
# The class name is taken verbatim from the parameter; this bundle does not
# validate it.
"$(state)"
expression => "any";
vars:
any::
# The template lives three directories above this policy file, under
# templates/.
"template"
string => "$(this.promise_dirname)/../../../templates/cfengine_watchdog.mustache";
"cron_d_watchdog" string => "/etc/cron.d/cfengine_watchdog";
files:
enabled::
# NOTE(review): neither promise sets perms, so the cron file gets the agent's
# default mode and owner - confirm those defaults keep a file in /etc/cron.d
# writable by root only.
"$(cron_d_watchdog)"
create => "true";
# Content is rendered from the mustache template; no template_data is given
# here.
"$(cron_d_watchdog)"
edit_template => "$(template)",
handle => "cfe_internal_core_watchdog_enable_cron_d_file_content",
template_method => "mustache";
disabled::
"$(cron_d_watchdog)"
delete => tidy;
}
cfengine-masterfiles-3.24.2/cfe_internal/core/deprecated/ 0000755 0000000 0000000 00000000000 15010704326 023351 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/cfe_internal/core/deprecated/cfengine_processes.cf 0000644 0000000 0000000 00000014351 15010704240 027526 0 ustar 00root root 0000000 0000000 ##################################################################
#
# cfe_internal_processes
# - restart CFE processes by specific time (not in service)
#
##################################################################
bundle agent cfe_internal_processes
# @brief Deprecated policy that signals the CFEngine daemons and restarts
# cf-execd when the class `restart_cf` is defined.
#
# Nothing in this bundle defines `restart_cf`; its only definition is commented
# out in the `classes:` section, so every `restart_cf::` promise stays inactive
# unless the class is set elsewhere.
{
vars:
# Process names that receive the stop signal. cf-execd is handled separately.
"cf_components" slist => {
"cf-key",
"cf-monitord",
"cf-promises",
"cf-runagent",
"cf-serverd",
"cf-hub"
},
comment => "Define all cfengine robot agents",
handle => "cfe_internal_processes_vars_cf_components";
windows::
"stop_signal" string => "kill",
comment => "Define a stop signal for Windows",
handle => "cfe_internal_processes_vars_stop_signal_windows";
!windows::
"stop_signal" string => "term",
comment => "Define a stop signal for *NIX",
handle => "cfe_internal_processes_vars_stop_signal_unix";
#
classes:
# NOTE: We do not restart by default, can be added if desired
# "restart_cf" expression => "Monday.Hr05.Min00_05"
# comment => "Define a class to restart cfengine processes",
# handle => "cfe_internal_processes_classes_restart_cf";
#
processes:
restart_cf::
# The promiser is matched against the process table, so any process whose
# entry matches one of these names is signalled.
"$(cf_components)"
signals => { "$(stop_signal)" },
comment => "Kill cfengine processes",
handle => "cfe_internal_processes_stop_cf_components";
restart_cf.!windows::
"cf-execd"
signals => { "$(stop_signal)" },
comment => "Kill cf-execd process on *NIX",
handle => "cfe_internal_processes_stop_cf_execd";
#
commands:
restart_cf.!windows::
# Start cf-execd again after it was signalled above.
# `kept_successful_command` is a body defined outside this bundle.
"$(sys.cf_execd)"
comment => "Restart cf-execd process",
classes => kept_successful_command,
handle => "cfe_internal_processes_commands_cf_execd";
#
services:
restart_cf.windows::
# On Windows the executor is restarted through its service: two promises on
# the same service name, first stop, then start.
"CfengineNovaExec"
service_policy => "stop",
comment => "Stop the executor service, part of scheduled restart",
handle => "cfe_internal_processes_services_stop_cf_execd_windows";
"CfengineNovaExec"
service_policy => "start",
comment => "Start the executor service, part of scheduled restart",
handle => "cfe_internal_processes_services_start_cf_execd_windows";
#
reports:
restart_cf::
"Reloaded configuration of all Cfengine components"
comment => "Alert restarting message",
handle => "cfe_internal_processes_reports";
}
##################################################################
#
# cfe_internal_enable
# - start CFE agents when booting (not in service)
#
##################################################################
bundle agent cfe_internal_enable
# @brief Deprecated policy that arranges for CFEngine to start at boot on
# FreeBSD, NetBSD and Linux (SysV-style rc links).
{
vars:
freebsd::
# Key/value consumed by the rc.conf edit below; the value keeps its quotes.
"rc_conf[cfengine_enable]" string => "\"YES\"",
comment => "Define a variable to start cfengine at boot time",
handle => "cfe_internal_enable_vars_rc_conf_freebsd";
netbsd::
"rc_conf[cfengine_enable]" string => "\"YES\"",
comment => "Define a variable to start cfengine at boot time",
handle => "cfe_internal_enable_vars_rc_conf_netbsd";
linux::
# Runlevel links: K11 in runlevels 1 and 6, S90 in runlevels 2-5.
"rc_files" slist => {
"/etc/rc1.d/K11cfengine3",
"/etc/rc2.d/S90cfengine3",
"/etc/rc3.d/S90cfengine3",
"/etc/rc4.d/S90cfengine3",
"/etc/rc5.d/S90cfengine3",
"/etc/rc6.d/K11cfengine3"
},
comment => "Define a list of rc files on Linux",
handle => "cfe_internal_enable_vars_rc_files";
#
files:
freebsd::
"/usr/local/etc/rc.d/cfengine3.sh"
comment => "Ensure that the cfengine rc.d script is executable",
handle => "cfe_internal_enable_files_cfengine3_sh_freebsd",
perms => mog("755", "root", "wheel");
# Adds $(sys.workdir)/lib to the runtime linker search path at boot.
# NOTE(review): this assumes $(sys.workdir)/lib is writable by root only,
# since libraries placed there are picked up system-wide -- confirm the
# directory permissions are managed elsewhere.
"/etc/rc.conf"
comment => "cfengine libraries should be enabled in rc.conf if appropriate",
handle => "cfe_internal_enable_files_rc_conf_freebsd_1",
edit_line => append_if_no_line("[ -e $(sys.workdir)/lib ] && /sbin/ldconfig -m $(sys.workdir)/lib");
# NOTE(review): the array is referenced as `cfengine_enable.rc_conf`, but
# the array defined above lives in this bundle (`cfe_internal_enable`).
# The reference looks stale; verify it resolves before reusing this policy.
"/etc/rc.conf"
comment => "cfengine should be enabled in rc.conf",
handle => "cfe_internal_enable_files_rc_conf_freebsd_2",
edit_line => set_variable_values("cfengine_enable.rc_conf");
netbsd::
"/usr/local/etc/rc.d/cfengine3.sh"
comment => "Ensure that the cfengine rc.d script is executable",
handle => "cfe_internal_enable_files_cfengine3_sh_netbsd",
perms => mog("755", "root", "wheel");
# Copies (does not move) the rc.d script into /etc/rc.d.
"/etc/rc.d/cfengine"
comment => "Move cfengine rc.d script to the correct location",
handle => "cfe_internal_enable_files_rc_d_netbsd",
copy_from => local_cp("/usr/local/etc/rc.d/cfengine3.sh");
# NOTE(review): same `cfengine_enable.rc_conf` reference as on FreeBSD.
"/etc/rc.conf"
comment => "cfengine should be enabled in rc.conf",
handle => "cfe_internal_enable_files_rc_conf_netbsd",
edit_line => set_variable_values("cfengine_enable.rc_conf");
linux::
# Every rc link points at the same init script.
"$(rc_files)"
comment => "Ensure that startup scripts are properly linked",
handle => "cfe_internal_enable_files_rc_files_linux",
link_from => ln_s("/etc/init.d/cfengine3");
}
##################################################################
#
# cfe_internal_build_software_report
# - force machines to have package promises to be able to generate
# software reports (not in service)
#
##################################################################
bundle agent cfe_internal_build_software_report
# @brief Deprecated policy that promises the `wget` package on Red Hat, Debian
# and SUSE hosts so that a packages promise exists for software reporting.
#
# The only package named is `wget`; the "from the list" wording in the promise
# comments does not correspond to any list in this bundle.
{
packages:
redhat::
"wget"
comment => "Install packages from the list",
handle => "cfe_internal_build_software_report_redhat",
package_policy => "add",
package_method => yum;
debian::
"wget"
comment => "Install packages from the list",
handle => "cfe_internal_build_software_report_debian",
package_policy => "add",
package_method => apt;
# Both spellings of the SUSE hard class are accepted.
(SuSE|suse)::
"wget"
comment => "Install packages from the list",
handle => "cfe_internal_build_software_report_suse",
package_policy => "add",
package_method => zypper;
}
cfengine-masterfiles-3.24.2/cfe_internal/core/host_info_report.cf 0000644 0000000 0000000 00000013441 15010704240 025144 0 ustar 00root root 0000000 0000000 bundle agent host_info_report
# @brief Generates a short high level summary of the executing host information
#
# The bundle only defines the template and output paths and then calls the
# collector bundles followed by the renderer.
#
# **Example:**
# `cf-agent -b host_info_report`
{
vars:
# The template name is derived from this bundle's name.
"host_info_report_template"
handle => "host_info_report_vars_host_info_report_template",
string => "$(this.promise_dirname)/../../templates/$(this.bundle).mustache",
comment => "Where the report template is found";
# The report is written below the agent's work directory.
"host_info_report_output"
handle => "host_info_report_vars_host_info_report_output",
string => "$(sys.workdir)/reports/$(this.bundle).txt",
comment => "Where the host info report should be generated";
methods:
# Package collection only runs when the class `show_software` is defined.
show_software::
"Software"
handle => "host_info_report_methods_software",
usebundle => host_info_report_software,
comment => "Collect information about software installed";
any::
"CFEngine"
handle => "host_info_report_methods_cfengine",
usebundle => host_info_report_cfengine,
comment => "Collect information about CFEngine";
# Rendering is listed last, after the collector bundles.
"Render"
usebundle => host_info_report_render_txt,
comment => "Render the host info report in plain text";
}
bundle agent host_info_report_software
# @brief Collect information about software installed
#
# Defines `packages` (every entry returned by packagesmatching) and
# `package_names`. With the class DEBUG set, both are also reported.
{
vars:
# All four patterns are ".*", so nothing is filtered out.
"packages"
data => packagesmatching(".*", ".*", ".*", ".*"),
comment => "Get information about all packages currently on system";
"package_names"
slist => getindices("packages[name]");
DEBUG::
# Serialized form of the whole data container, for the debug report.
"printable"
string => format("%S", packages);
reports:
DEBUG::
"$(printable)";
"$(package_names)";
}
bundle agent host_info_report_cfengine
# @brief Collect information about CFEngine
#
# Gathers interface flags and IPv4 addresses, the policy validation timestamp,
# the policy release id and the time of the previous agent run.
{
classes:
"have_masterdir_cf_promises_validated"
expression => fileexists("$(sys.masterdir)/cf_promises_validated"),
handle => "host_info_report_cfengine_classes_have_masterdir_cf_promises_validated",
comment => "We need to know if we have the files, because if we try to
read them when they don't exist we get error messages. Look
in masterdir because we are interested in the last time when
policy was changed and validated (indicating when a policy
release was received). ";
# NOTE(review): this handle says "masterdir" although the class checks
# $(sys.inputdir). Handles may be referenced elsewhere, so it is left as is.
"have_inputdir_cf_promises_release_id"
expression => fileexists("$(sys.inputdir)/cf_promises_release_id"),
handle => "host_info_report_cfengine_classes_have_masterdir_cf_promises_release_id",
comment => "We need to know if we have the files, because if we try to
read them when they don't exist we get error messages. Look
in inputdir because we are interested in the current policy
release id as determined on the policyserver, not as
calculated locally.";
vars:
# doesn't work :( # "interface_flags" slist => maparray("$(this.k): IP $(sys.ipv4[$(this.k)]), flags $(this.v)", "sys.interface_flags");
# Flags and addresses are rendered as separate "key: value" lines and then
# merged and sorted lexically.
"interface_flags" slist => maparray("$(this.k): $(this.v)", "sys.interface_flags");
"interface_ips" slist => maparray("$(this.k): IPv4 $(this.v)", "sys.ipv4");
"interface_info_unsorted" slist => { @(interface_flags), @(interface_ips) };
"interface_info" slist => sort(interface_info_unsorted, "lex");
any::
"cfengine_info_files"
handle => "host_info_report_vars_cfengine_info_files",
slist => { "cf_promises_validated", "cf_promises_release_id" },
comment => "These files are required for CFEngine related information,
and if we try to read them when they don't exist we get
ugly error messages";
have_masterdir_cf_promises_validated::
# The read is capped at 1K.
"cf_promises_validated"
data => readjson("$(sys.masterdir)/cf_promises_validated", 1K),
comment => "This contains information about the last time policy was
updated and subsequently validated, it indicates when
policy was last updated from the policy server.";
"cf_promises_validated_timestamp_formatted"
string => strftime("localtime", "%F %T %Z", $(cf_promises_validated[timestamp])),
comment => "It's useful to display when policy was last updated and
verified, in a human readable format.";
have_inputdir_cf_promises_release_id::
"cf_promises_release_id"
data => readjson("$(sys.inputdir)/cf_promises_release_id", 1K);
any::
# The mtime of outputs/previous is used as the time of the last agent run.
"last_agent_run"
string => strftime("localtime", "%F %T %Z", filestat("$(sys.workdir)/outputs/previous", "mtime"));
DEBUG::
"printable"
string => format("%S", cf_promises_release_id);
reports:
DEBUG::
"$(printable)";
reports:
DEBUG.have_masterdir_cf_promises_validated::
"I have cf_promises_validated";
DEBUG.have_inputdir_cf_promises_release_id::
"I have a policy release ID";
}
bundle agent host_info_report_inventory
# @brief Collect information about policy
#
# On agents that satisfy minimum_version(3.10) this defines `inventory_vars`,
# a data container of every variable tagged `inventory`. Older agents skip the
# promise, leaving the bundle empty.
{
vars:
@if minimum_version(3.10)
"inventory_vars" data => variablesmatching_as_data( ".*", "inventory" );
@endif
}
bundle agent host_info_report_render_txt
# @brief Generates a report with the collected information
#
# Renders the mustache template named in bundle `host_info_report` to the
# output path defined there, and reports whether rendering succeeded.
{
files:
# NOTE(review): no `perms` body is attached, so the report file keeps
# whatever mode and owner it is created with. The variables collected for the
# report include interface addresses and package data -- confirm the default
# mode is acceptable for that content.
"$(host_info_report.host_info_report_output)"
create => "true",
edit_template => "$(host_info_report.host_info_report_template)",
handle => "host_info_report_files_host_info_report_output",
classes => scoped_classes_generic("bundle", "host_info_report_output"),
template_method => "mustache";
reports:
# These classes are expected from scoped_classes_generic (defined outside
# this file) with the prefix given above.
host_info_report_output_repaired::
"Host info report generated and available at '$(host_info_report.host_info_report_output)'";
host_info_report_output_not_ok::
"There was a problem generating your host info report at '$(host_info_report.host_info_report_output)'";
}
cfengine-masterfiles-3.24.2/cfe_internal/core/log_rotation.cf 0000644 0000000 0000000 00000003540 15010704240 024260 0 ustar 00root root 0000000 0000000 ##################################################################
#
# cfe_internal_log_rotation
# - Rotate logs and clean up old files so the disk doesn't get full
#
##################################################################
bundle agent cfe_internal_log_rotation
# @brief Manage CFEngine log files so they don't fill up disks
# See def.cf to enable rotation
#
# All work is delegated to the `logrotate` and `prunedir` bundles (defined
# outside this file). Paths, size limit and retention values come from
# variables in the `def` bundle.
{
methods:
# Nothing happens unless this class is defined.
cfengine_internal_rotate_logs::
# CFEngine generates internal log files that need to be rotated.
# Have a look at def.cf to enable rotation of these files
"Rotate CFEngine log files"
handle => "cfe_internal_log_rotation_rotate_log_files",
usebundle => logrotate( @(def.cfe_log_files), $(def.mpf_log_file_max_size), $(def.mpf_log_file_retention) ),
comment => "To keep the disk from getting to full we want to rotate log
files when they reach $(def.mpf_log_file_max_size) in size.
So that we have some history , we keep
$(def.mpf_log_file_retention) versions.";
# Pruning removes old files permanently. If agent outputs serve as an audit
# trail, the retention value should cover that need.
"Prune old log files"
handle => "cfe_internal_log_rotation_prune_log_dirs",
usebundle => prunedir( @(def.cfe_log_dirs), $(def.mpf_log_dir_retention) ),
comment => "Scheduled activities like agent runs and reports can create
log files or reports that stack up over time. So that we
don't fill the disk, but have some historical information
available locally we purge log files older than
$(def.mpf_log_dir_retention) days.";
reports:
DEBUG|DEBUG_cfe_internal_log_rotation::
"DEBUG $(this.bundle): Check CFEngine log file for rotation '$(def.cfe_log_files)'";
"DEBUG $(this.bundle): Check CFEngine log directory for old logs in '$(def.cfe_log_dirs)' older than '$(def.mpf_log_dir_retention)' days";
}
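cfengine-masterfiles-3.24.2/cfe_internal/recommendations.cf 0000644 0000000 0000000 00000022173 15010704240 024022 0 ustar 00root root 0000000 0000000 bundle agent MPF_class_recommendations
# @brief Recommendations about classes that no longer have any effect in the
# Masterfiles Policy Framework
{
  meta:
    # Only tagged as a recommendation bundle on Enterprise policy hubs.
    (policy_server|am_policy_hub).enterprise_edition::
      "tags" slist => { "cfengine_recommends" };

  classes:
      # The `results` classes body defines suffixed classes
      # (`<prefix>_reached`, `<prefix>_kept`, ...), never the bare prefix, so
      # the `_reached` class is tested here as in the other recommendation
      # bundles in this file.
      "cfengine_recommendation_instruct_disablement"
        expression => "cfengine_recommendation_emitted_reached",
        scope => "namespace";

  reports:
      # Emitted only while the obsolete class is still being defined.
      "`cfengine_internal_purge_policies` no longer has any effect. Please use `cfengine_internal_purge_policies_disabled` instead, to choose where you want to disable purging or remove the class completely if you want purging enabled everywhere (the new default in 3.18+)." -> { "CFE-3662" }
        if => "cfengine_internal_purge_policies",
        classes => results( "bundle", "cfengine_recommendation_emitted");
}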
bundle agent federated_reporting_superhub_recommendations
# @brief Recommend installing GNU parallel on federated reporting superhubs
{
meta:
"tags" slist => { "cfengine_recommends" };
classes:
# Set once a recommendation has been reported in this bundle. The `results`
# body below defines the `_reached` suffix on any outcome.
"cfengine_recommendation_instruct_disablement"
expression => "cfengine_recommendation_emitted_reached",
scope => "namespace";
reports:
cfengine_enterprise_federation:am_superhub::
# Reported when no installed package matches the name "parallel".
"CFEngine recommends installing gnu parallel on federated reporting superhubs."
if => not(isgreaterthan(length(packagesmatching( "parallel", ".*", ".*", ".*")), 0 )),
classes => results( "bundle", "cfengine_recommendation_emitted");
}
@if minimum_version(3.21.4)
# The preferred location for ignore_interfaces.rx changed from
# $(sys.inputdir)/ignore_interfaces.rx to $(sys.workdir)/ignore_interfaces.rx in
# 3.23.0 and 3.21.4. Versions lower than 3.23.0 and 3.21.4 only look for the file in inputdir.
bundle agent ignore_interfaces_rx_reccomendations
# @brief Recommend completing migration of ignore_interfaces.rx from inputdir to workdir
#
# @description This bundle identifies the presence of ignore_interfaces.rx in
# inputdir and emits messages about its presence. Additionally, the file is
# automatically copied if the file is present in inputdir and the class
# default:mpf_auto_migrate_ignore_interfaces_rx_to_workdir is defined (not
# defined by default).
{
meta:
"tags" slist => { "cfengine_recommends" };
classes:
# True for 3.21.4 and later, except on 3.22.
# NOTE(review): the last two fragments of the comment below concatenate to
# "equalto"; a leading space is missing on "to 3.21.4.".
"ignore_interfaces_in_workdir_supported"
and => { cf_version_minimum( "3.21.4" ),
not( cf_version_at( "3.22" ) ) },
comment => concat( "CFEngine doesn't look for ignore_interfaces.rx in",
" workdir except for versions greater than or equal",
"to 3.21.4." );
"ignore_interfaces_in_workdir" -> { "ENT-9402" }
if => fileexists( "$(sys.workdir)/ignore_interfaces.rx" );
"ignore_interfaces_in_inputdir" -> { "ENT-9402" }
if => fileexists( "$(sys.inputdir)/ignore_interfaces.rx" );
"cfengine_recommendation_instruct_disablement"
expression => "cfengine_recommendation_emitted_reached",
scope => "namespace";
files:
# Automatic migration is opt-in: it needs the auto-migrate class and a file
# present in inputdir.
ignore_interfaces_in_workdir_supported.default:mpf_auto_migrate_ignore_interfaces_rx_to_workdir.ignore_interfaces_in_inputdir::
"$(sys.workdir)/ignore_interfaces.rx" -> { "ENT-9402" }
copy_from => local_dcp( "$(sys.inputdir)/ignore_interfaces.rx"),
comment => concat( "Excluding interfaces should be done outside of the",
" policy input directory so that it's easier to",
" ignore different interfaces on different hosts.");
ignore_interfaces_in_workdir_supported::
# `action => policy( "warn" )` means the agent only warns about the leftover
# file in inputdir and does not delete it.
"$(sys.inputdir)/ignore_interfaces.rx" -> { "ENT-9402" }
delete => tidy,
action => policy( "warn" ),
comment => concat( "Excluding interfaces should be done outside of the",
" policy input directory so that it's easier to",
" ignore different interfaces on different hosts.",
" This file should be deleted once it's been migrated",
" to sys.workdir");
reports:
# File exists only in inputdir: recommend migrating it.
ignore_interfaces_in_workdir_supported.(ignore_interfaces_in_inputdir.!default:mpf_auto_migrate_ignore_interfaces_rx_to_workdir_reports_disabled)::
"NOTICE: 'ignore_interfaces.rx' is present in '$(const.dollar)(sys.inputdir)' ('$(sys.inputdir)/ignore_interfaces.rx'). We recommend that it be removed and migrated to '$(const.dollar)(sys.workdir)' ('$(sys.workdir)/ignore_interfaces.rx')"
if => not( fileexists( "$(sys.workdir)/ignore_interfaces.rx" ) ),
classes => results( "bundle", "cfengine_recommendation_emitted");
# File exists in both places: compare the contents and report whether the
# two copies are identical.
ignore_interfaces_in_workdir_supported.(ignore_interfaces_in_workdir.ignore_interfaces_in_inputdir).!default:mpf_auto_migrate_ignore_interfaces_rx_to_workdir_reports_disabled::
"NOTICE: 'ignore_interfaces.rx' identical in '$(const.dollar)(sys.workdir)' and '$(const.dollar)(sys.inputdir)'. We recommend removing '$(const.dollar)(sys.inputdir)/ignore_interfaces.rx'"
if => strcmp( readfile( "$(sys.workdir)/ignore_interfaces.rx"),
readfile( "$(sys.inputdir)/ignore_interfaces.rx") ),
classes => results( "bundle", "cfengine_recommendation_emitted");
"NOTICE: 'ignore_interfaces.rx' in '$(const.dollar)(sys.workdir)' and '$(const.dollar)(sys.inputdir)' but not identical. We recommend verifying the desired content of '$(const.dollar)(sys.workdir)/ignore_interfaces.rx', correcting it if necessary and removing '$(const.dollar)(sys.inputdir)/ignore_interfaces.rx'"
if => not( strcmp( readfile( "$(sys.workdir)/ignore_interfaces.rx"),
readfile( "$(sys.inputdir)/ignore_interfaces.rx") ) ),
classes => results( "bundle", "cfengine_recommendation_emitted");
}
@endif
bundle agent postgresql_conf_recommendations
# @brief Recommendations about the configuration of postgresql.conf for CFEngine Enterprise Hubs
#
# Values are derived from MemTotal in /proc/meminfo. The files promise runs
# with `action => policy( "warn" )`, so postgresql.conf is never modified here;
# deviations are only reported.
{
meta:
(policy_server|am_policy_hub).enterprise_edition::
"tags" slist => { "cfengine_recommends" };
vars:
"pgsql_conf" string => "$(sys.statedir)/pg/data/postgresql.conf";
"mem_info_source" string => "/proc/meminfo";
# Each line is split on ":" or whitespace. Field [1] of the MemTotal row is
# used below as the amount of memory.
"mem_info_data"
data => data_readstringarray( $(mem_info_source), "", "(:|\s+)", inf, inf),
if => fileexists( $(mem_info_source) );
"upper" string => "67108864"; # 64 * 1024 * 1024 in KB
"lower" string => "3145728"; # 3 * 1024 * 1024 in KB
# NOTE(review): the threshold tested is `lower` (3 * 1024 * 1024 KB), while
# the promise comment speaks of "more than 2GB"; confirm which is intended.
"conf[maintenance_work_mem]"
string => "2GB",
if => isgreaterthan( "$(mem_info_data[MemTotal][1])", $(lower) ),
comment => "If we have more than 2GB of memory available then we set the
maintenance_work_memory to 2G to improve index creation, and
vacuuming. Else we leave the default value.";
# Fixed values once total memory exceeds `upper`.
"conf[shared_buffers]"
string => "16GB",
if => isgreaterthan( "$(mem_info_data[MemTotal][1])", $(upper) );
"conf[effective_cache_size]"
string => "11GB", # 70% of 16GB
if => isgreaterthan( "$(mem_info_data[MemTotal][1])", $(upper) );
# 25% of MemTotal, converted from KB to MB.
# NOTE(review): the format string is "%d0", not "%d" -- confirm the trailing
# "0" is intended.
"calculated_shared_buffers_MB"
string => format( "%d0",
eval( "$(mem_info_data[MemTotal][1]) * 25 / 100 / 1024", "math", "infix"));
# The calculated value is used only when maintenance_work_mem was not set
# above (memory not greater than `lower`) and no fixed value exists.
"conf[shared_buffers]"
string => concat( $(calculated_shared_buffers_MB), "MB"),
if => and(
not( isvariable( "conf[maintenance_work_mem]" ) ),
not( isvariable( "conf[shared_buffers]" )));
# 70% of MemTotal, converted from KB to MB (same "%d0" format as above).
"calculated_effective_cache_size_MB"
string => format( "%d0",
eval( "$(mem_info_data[MemTotal][1]) * 70 / 100 / 1024", "math", "infix"));
"conf[effective_cache_size]"
string => concat( $(calculated_effective_cache_size_MB), "MB"),
if => and(
not( isvariable( "conf[maintenance_work_mem]" ) ),
not( isvariable( "conf[effective_cache_size]" )));
classes:
"cfengine_recommendation_instruct_disablement"
expression => "cfengine_recommendation_emitted_reached",
scope => "namespace";
files:
# Warn-only comparison of postgresql.conf against the `conf` array.
"$(pgsql_conf)"
edit_line => set_line_based("$(this.bundle).conf", "=", "\s*=\s*", ".*", "\s*#\s*"),
classes => results( "bundle", "psql_conf_recommendations" ),
action => policy( "warn" ),
if => fileexists( $(pgsql_conf) );
reports:
# Reports are gated on the warn-only promise above being not kept.
psql_conf_recommendations_not_kept::
"CFEngine Recommended Settings:";
"You have less than $(lower)KB of total memory, please consider adding more memory."
if => islessthan( "$(mem_info_data[MemTotal][1])", $(lower) );
"shared_buffers = $(conf[shared_buffers])"
if => isvariable( "conf[shared_buffers]" ),
classes => results( "bundle", "cfengine_recommendation_emitted");
"effective_cache_size = $(conf[effective_cache_size])"
if => isvariable( "conf[effective_cache_size]" ),
classes => results( "bundle", "cfengine_recommendation_emitted");
"$(with)"
with => concat( "maintenance_work_mem = $(conf[maintenance_work_mem]);",
" If we have more than 2GB of memory available then",
" we set the maintenance_work_memory to 2G to improve",
" index creation, and vacuuming. Else we leave the default value." ),
if => isvariable( "conf[maintenance_work_mem]" ),
classes => results( "bundle", "cfengine_recommendation_emitted");
}
cfengine-masterfiles-3.24.2/cfe_internal/update/ 0000755 0000000 0000000 00000000000 15010704326 021603 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/cfe_internal/update/lib.cf 0000644 0000000 0000000 00000021570 15010704240 022663 0 ustar 00root root 0000000 0000000
### The following bodies were plucked from the standard library. They have been
### prefixed with =u_=.
body classes u_results(scope, class_prefix)
# @brief Define classes prefixed with `class_prefix` and suffixed with
# appropriate outcomes: _kept, _repaired, _not_kept, _error, _failed,
# _denied, _timeout, _reached
#
# @param scope The scope in which the class should be defined (`bundle` or `namespace`)
# @param class_prefix The prefix for the classes defined
#
# This body can be applied to any promise and sets global
# (`namespace`) or local (`bundle`) classes based on its outcome. For
# instance, with `class_prefix` set to `abc`:
#
# * if the promise is to change a file's owner to `nick` and the file
# was already owned by `nick`, the classes `abc_reached` and
# `abc_kept` will be set.
#
# * if the promise is to change a file's owner to `nick` and the file
# was owned by `adam` and the change succeeded, the classes
# `abc_reached` and `abc_repaired` will be set.
#
# This body is a simpler, more consistent version of the body
# `scoped_classes_generic`, which see. The key difference is that
# fewer classes are defined, and only for outcomes that we can know.
# For example this body does not define "OK/not OK" outcome classes,
# since a promise can be both kept and failed at the same time.
#
# It's important to understand that promises may do multiple things,
# so a promise is not simply "OK" or "not OK." The best way to
# understand what will happen when your specific promises get this
# body is to test it in all the possible combinations.
#
# Note that the bare `class_prefix` itself is never defined as a class;
# every class set by this body carries one of the suffixes below.
#
# **Suffix Notes:**
#
# * `_reached` indicates the promise was tried. Any outcome will result
# in a class with this suffix being defined.
#
# * `_kept` indicates some aspect of the promise was kept
#
# * `_repaired` indicates some aspect of the promise was repaired
#
# * `_not_kept` indicates some aspect of the promise was not kept.
# error, failed, denied and timeout outcomes will result in a class
# with this suffix being defined
#
# * `_error` indicates the promise repair encountered an error
#
# * `_failed` indicates the promise failed
#
# * `_denied` indicates the promise repair was denied
#
# * `_timeout` indicates the promise timed out
#
# **Example:**
#
# The example uses the standard library name `results`; in this file the same
# body is available as `u_results`.
#
# ```cf3
# bundle agent example
# {
# commands:
# "/bin/true"
# classes => results("bundle", "my_class_prefix");
#
# reports:
# my_class_prefix_kept::
# "My promise was kept";
#
# my_class_prefix_repaired::
# "My promise was repaired";
# }
# ```
#
# **See also:** `scope`, `scoped_classes_generic`, `classes_generic`
{
scope => "$(scope)";
promise_kept => { "$(class_prefix)_reached",
"$(class_prefix)_kept" };
promise_repaired => { "$(class_prefix)_reached",
"$(class_prefix)_repaired" };
# The three failure outcomes all add `_error` and `_not_kept` and differ only
# in the final, outcome-specific suffix.
repair_failed => { "$(class_prefix)_reached",
"$(class_prefix)_error",
"$(class_prefix)_not_kept",
"$(class_prefix)_failed" };
repair_denied => { "$(class_prefix)_reached",
"$(class_prefix)_error",
"$(class_prefix)_not_kept",
"$(class_prefix)_denied" };
repair_timeout => { "$(class_prefix)_reached",
"$(class_prefix)_error",
"$(class_prefix)_not_kept",
"$(class_prefix)_timeout" };
}
body depth_search u_cfe_internal_recurse(d)
# @brief Search for files recursively, descending at most `d` levels
# @param d Number of levels deep to traverse
#
# `xdev => "true"` excludes directories that live on a different device from
# the promiser, so the search stays on one file system.
{
      xdev => "true";
      depth => "$(d)";
}
body classes u_kept_successful_command_results(scope, class_prefix)
# @brief Treat a command that exits 0 as "kept" rather than "repaired", and
# define the outcome classes of `u_results` for it.
#
# @param scope The scope in which the class should be defined (`bundle` or `namespace`)
# @param class_prefix The prefix for the classes defined
#
# Only return codes 0 (kept) and 1 (failed) are listed in this body.
#
# **See also:** `scope`, `scoped_classes_generic`, `classes_generic`, `results`
{
      # Outcome class names come from u_results with the same arguments.
      inherit_from => u_results( "$(scope)", "$(class_prefix)" );

      failed_returncodes => { "1" };
      kept_returncodes => { "0" };
}
body service_method u_systemd_services
# @brief Service method for systemd-managed services: generic service type,
# no autostart policy, dependency chain ignored, no extra arguments.
{
      service_type => "generic";
      service_args => "";
      service_autostart_policy => "none";
      service_dependence_chain => "ignore";
}
bundle agent u_systemd_services(service,state)
# @brief Manage standard systemd services
# @param service The name of the service
# @param state The desired state the service should be in.
#
# The bundle queries the unit's properties with `systemctl show`, derives
# capability and request classes from the output, and then runs the matching
# systemctl sub-command. Both parameters are placed on the systemctl command
# line unchanged, so callers are expected to pass trusted unit names and
# actions.
{
vars:
# We explicitly guard for systemd to avoid unnecessary agent time in
# pre-eval
systemd::
# The systemctl path is fixed rather than looked up.
"systemctl" string => "/bin/systemctl";
"call_systemctl" string => "$(systemctl) --no-ask-password --global --system";
"systemd_properties" string => "-pLoadState,CanStop,UnitFileState,ActiveState,LoadState,CanStart,CanReload";
# execresult is called with "noshell", so $(service) is not interpreted by a
# shell. The output is split on newlines into at most 10 elements.
"systemd_service_info" slist => string_split(execresult("$(call_systemctl) $(systemd_properties) show $(service)", "noshell"), "\n", "10");
classes:
systemd::
# define a class named after the desired state
"$(state)" expression => "any";
"non_disabling" or => { "start", "stop", "restart", "reload" };
# A collection of classes to determine the capabilities of a given systemd
# service, then start, stop, etc. the service. Also supports a custom action
# for anything not supported
"service_enabled" expression => reglist(@(systemd_service_info), "UnitFileState=enabled");
"service_active" expression => reglist(@(systemd_service_info), "ActiveState=active");
"service_loaded" expression => reglist(@(systemd_service_info), "LoadState=loaded");
"service_notfound" expression => reglist(@(systemd_service_info), "LoadState=not-found");
"can_stop_service" expression => reglist(@(systemd_service_info), "CanStop=yes");
"can_start_service" expression => reglist(@(systemd_service_info), "CanStart=yes");
"can_reload_service" expression => reglist(@(systemd_service_info), "CanReload=yes");
"request_start" expression => strcmp("start", "$(state)");
"request_stop" expression => strcmp("stop", "$(state)");
"request_reload" expression => strcmp("reload", "$(state)");
"request_restart" expression => strcmp("restart", "$(state)");
# Any state other than the four above is passed straight to systemctl as the
# sub-command (see the `action_custom` command below).
"action_custom" expression => "!(request_start|request_stop|request_reload|request_restart)";
"action_start" expression => "request_start.!service_active.can_start_service";
"action_stop" expression => "request_stop.service_active.can_stop_service";
"action_reload" expression => "request_reload.service_active.can_reload_service";
"action_restart" or => {
"request_restart",
# Possibly undesirable... if a reload is
# requested, and the service "can't" be
# reloaded, then we restart it instead.
"request_reload.!can_reload_service.service_active",
};
# Starting a service implicitly enables it
"action_enable" expression => "request_start.!service_enabled";
# Respectively, stopping it implicitly disables it
"action_disable" expression => "request_stop.service_enabled";
commands:
systemd.service_loaded:: # note this class is defined in `inventory/linux.cf`
# conveniently, systemd states map to `services` states, except
# for `enable`
# No `contain` body is attached to these promises, so they run with the
# agent's default containment settings.
"$(call_systemctl) -q start $(service)" if => "action_start";
"$(call_systemctl) -q stop $(service)" if => "action_stop";
"$(call_systemctl) -q reload $(service)" if => "action_reload";
"$(call_systemctl) -q restart $(service)" if => "action_restart";
"$(call_systemctl) -q enable $(service)" if => "action_enable";
"$(call_systemctl) -q disable $(service)" if => "action_disable";
# Custom action for any of the non-standard systemd actions such as
# status, try-restart, isolate, et al.
"$(call_systemctl) $(state) $(service)" if => "action_custom";
reports:
DEBUG|DEBUG_u_systemd_service::
"DEBUG $(this.bundle): using systemd layer to $(state) $(service)";
"DEBUG $(this.bundle): Service $(service) unit file is not loaded; doing nothing"
if => "systemd.!service_loaded";
"DEBUG $(this.bundle): Could not find service: $(service)"
if => "systemd.service_notfound";
}
body perms u_mog(mode,user,group)
# @brief Set the file's mode, owner and group
# @param mode The new mode
# @param user The username of the new owner
# @param group The group name
#
# `rxdirs` is set twice on purpose: "true" for every agent, then overridden
# with "false" on agents that satisfy minimum_version(3.20). The order of the
# two assignments therefore matters.
{
owners => { "$(user)" };
groups => { "$(group)" };
mode => "$(mode)";
#+begin_ENT-951
# Remove after 3.20 is not supported
# On agents older than 3.20, rxdirs stays "true" and directories promised with
# this body may gain execute bits that are not part of `mode`.
rxdirs => "true";
@if minimum_version(3.20)
rxdirs => "false";
@endif
#+end
}
cfengine-masterfiles-3.24.2/cfe_internal/update/windows_unattended_upgrade.cf 0000644 0000000 0000000 00000010766 15010704240 027536 0 ustar 00root root 0000000 0000000 bundle agent windows_unattended_upgrade
# @brief This bundle creates two scripts: one to schedule a cfengine agent upgrade
# and one to actually perform the upgrade after the scripts are rendered the schedule script is run.
# If the requested version and release is already installed the scripts will be deleted.
#
# Security-relevant properties visible in this bundle:
# - the scheduling script is rendered at the root of the drive
#   (`$(const.dirsep)schedule_unattended_upgrade.ps1`) and executed by the agent
#   with `-ExecutionPolicy bypass`;
# - the scheduled task it registers runs the upgrade script as "System";
# - neither files promise sets permissions or ACLs on the rendered scripts.
# NOTE(review): confirm that only administrators can write to both script
# paths, since whatever they contain at execution time runs with full
# privileges.
{
classes:
windows::
# True when the running agent already matches the requested package version
# and release.
"_expected_version_installed" expression => and(
strcmp( $(sys.cf_version), $(cfengine_software.pkg_version) ),
strcmp( $(sys.cf_version_release), $(cfengine_software.pkg_release) )
);
vars:
windows::
"_schedule_upgrade_script"
string => "$(const.dirsep)schedule_unattended_upgrade.ps1",
comment => "sys.bindir has issues when used as execution path"; # TODO examine and fix/document specific issue(s)
"_upgrade_script_name" string => "unattended-upgrade.bat";
"_upgrade_script"
string => "$(sys.bindir)$(const.dirsep)$(_upgrade_script_name)";
"_scripts" slist => { "$(_schedule_upgrade_script)", "$(_upgrade_script)" };
# Minutes from "now" at which the scheduled task is set to start.
"_min_offset" string => "2";
files:
windows::
# /sigh/. In order to make a stable promise, we render a script that runs
# to create the scheduled task that runs another script to perform the
# upgrade outside of cf-agent. Since the command differs based on the time
# of day, the only way to have a stable promise is to promise a script
# where the time based difference is handled inside the script. One
# alternative would be to use inline subshell execution (iex)
#
# NOTE(review): unlike the upgrade script below, this promise has no
# `if => not( "_expected_version_installed" )` guard, so it appears the file
# is rendered and then removed again by the `$(_scripts)` promise on hosts
# that are already at the expected version -- confirm this is intended.
"$(_schedule_upgrade_script)"
create => "true",
edit_template_string => `
$scheduled_time_to_upgrade = (Get-Date).AddMinutes($(_min_offset)).ToString("HH:mm")
$schedule = "/SC ONCE"
$taskname = '/TN "CFEngine Agent Upgrade"'
$starttime = "/ST $scheduled_time_to_upgrade"
$taskrun = @"
"cmd /c '$(_upgrade_script)'"
"@
$schtasks = "$(sys.winsysdir)$(const.dirsep)schtasks.exe"
$username = '/RU "System"'
$force = "/F"
Invoke-Expression "$schtasks /Create $schedule $taskname /TR $taskrun $starttime $username $force"
`,
template_method => "inline_mustache",
template_data => '{}';
# The upgrade script stops the CFEngine daemons, runs the msiexec package
# module on the downloaded package, then tries to start the executor service
# again if it is not running. Its output goes to a log file under
# $(sys.workdir)/outputs.
"$(_upgrade_script)"
edit_template_string => `
set LOGFILE=$(sys.workdir)$(const.dirsep)outputs/standalone_self_upgrade_bat.log
call :SCRIPT > "%LOGFILE%" 2>&1
exit /B
:SCRIPT
REM kill all cf procs first so that installed can run
Taskkill /IM cf-execd.exe /F
Taskkill /IM cf-monitord.exe /F
Taskkill /IM cf-serverd.exe /F
Taskkill /IM cf-agent.exe /F
set bat="$(sys.workdir)$(const.dirsep)modules$(const.dirsep)packages$(const.dirsep)msiexec.bat"
echo File=$(cfengine_software.local_software_dir)$(const.dirsep)$(cfengine_package_names.my_pkg) | call %bat% file-install
@echo off
REM A failed install at this point can leave cf-execd not running leaving the host unable to try and self heal
REM We at least want to try and start cf-execd if it is not running
set TARGET_SERVICE=CfengineNovaExec
set SERVICE_STATE=
REM Surgically target third line, as some locales (such as Spanish) translate the output
for /F "skip=3 tokens=3" %%i in ('""%windir%\system32\sc.exe" query "%TARGET_SERVICE%" 2>nul"') do (
if not defined SERVICE_STATE set SERVICE_STATE=%%i
)
rem Process result
if not defined SERVICE_STATE (
echo ERROR: could not obtain service state!
) else (
REM NOTE: values correspond to "SERVICE_STATUS.dwCurrentState"
REM https://msdn.microsoft.com/en-us/library/windows/desktop/ms685996(v=vs.85).aspx
if not %SERVICE_STATE%==4 (
echo WARNING: service is not running, attempting to start
net start "%TARGET_SERVICE%"
) else (
echo INFORMATION: service is running
)
)
REM exit 0 so that scheduled task will not keep trying a failing situation
REM looking at package module logs of one failure should help in debugging
exit 0
`,
template_method => "inline_mustache",
template_data => '{}',
create => "true",
if => not( "_expected_version_installed" );
# Clean up both scripts once the expected version is installed.
"$(_scripts)"
delete => windows_unattended_upgrade_tidy,
if => "_expected_version_installed";
commands:
windows::
# Runs the scheduling script through the `powershell` contain body from the
# `windows_unattended_upgrade` namespace. Execution policy is bypassed for
# this invocation, so the script's integrity rests entirely on who can write
# to its path.
'powershell -NoProfile -ExecutionPolicy bypass -F $(_schedule_upgrade_script)'
if => not( "_expected_version_installed" ),
contain => windows_unattended_upgrade:powershell;
}
body delete windows_unattended_upgrade_tidy
# @brief Deletion settings used to tidy the rendered upgrade scripts
#
# Referenced by the files promise on "$(_scripts)", which only applies once
# the expected version is installed.
{
      # Empty directories encountered during the deletion are removed as well.
      rmdirs   => "true";

      # Links to directories are themselves deleted.
      dirlinks => "delete";
}
body file control
# Switches the namespace for the definitions that follow in this file. The
# commands promise above refers to the contain body defined below as
# "windows_unattended_upgrade:powershell".
{
      namespace => "windows_unattended_upgrade";
}
body contain powershell
# @brief Run the promised command through PowerShell instead of directly
#
# Commands using this body are interpreted by a shell, so any variable that is
# expanded into the command string must come from a trusted source.
{
      useshell => "powershell";
}
cfengine-masterfiles-3.24.2/cfe_internal/update/cfe_internal_dc_workflow.cf 0000644 0000000 0000000 00000001006 15010704240 027136 0 ustar 00root root 0000000 0000000 bundle agent cfe_internal_dc_workflow
# @brief Update default policy distribution point from upstream repository
#
# The single methods promise below is guarded by three classes that must all
# be set: am_policy_hub, enterprise and cfengine_internal_masterfiles_update.
{
methods:
am_policy_hub.enterprise.cfengine_internal_masterfiles_update::
# NOTE(review): cfe_internal_update_from_repository is defined outside this
# file. Presumably it replaces masterfiles with repository content, in which
# case write access to that repository is equivalent to write access to the
# policy served by this hub - confirm and restrict accordingly.
"Masterfiles from VCS"
usebundle => cfe_internal_update_from_repository,
handle => "cfe_internal_dc_workflow_methods_masterfiles_from_vcs",
action => u_immediate,
comment => "Update masterfiles from upstream VCS automatically
for best OOTB Enterprise experience";
}
cfengine-masterfiles-3.24.2/cfe_internal/update/systemd_units.cf 0000644 0000000 0000000 00000006371 15010704240 025031 0 ustar 00root root 0000000 0000000 bundle agent cfe_internal_systemd_unit_files
# @brief This bundle is responsible for ensuring the systemd units are in place
# with the proper content and permissions. Any time a unit is repaired systemd
# is reloaded and the repaired unit(s) are restarted. the
# cfe_internal_systemd_unit_state bundle is responsible for making sure the
# service units are in the appropriate state. So a service may be restarted
# because of a change, and subsequently stopped if the desired state was for it
# to not be running.
{
vars:
systemd::
# Absolute path, so the command promises below do not depend on PATH lookup.
"systemctl" string => "/bin/systemctl";
"unit_dir"
string => "/etc/systemd/system",
comment => "This is the directory where the systemd units should be
placed.";
"unit_template_dir"
string => "$(this.promise_dirname)/../../templates",
comment => "This is where the templates for the units exist. In the
templates dir in the root of masterfiles.";
# The list of units comes from another bundle (cfe_internal_update_processes),
# which is not visible in this file.
"service_units"
slist => { @(cfe_internal_update_processes.all_agents) },
handle => "systemd_core_units",
comment => "These are the services which should have systemd units on all systems.";
files:
systemd::
# One unit file per entry in service_units, rendered from the mustache
# template of the same name. The outcome is recorded in bundle-scoped classes
# prefixed cfe_systemd_service_unit_<unit>; the commands below test the
# "_repaired" variant of those classes.
# Mode 644 and root:root ownership keep the unit readable by everyone but
# writable by root only.
"$(unit_dir)/$(service_units).service"
create => "true",
edit_template => "$(unit_template_dir)/$(service_units).service.mustache",
template_method => "mustache",
classes => u_results( "bundle", "cfe_systemd_service_unit_$(service_units)" ),
perms => u_mog("644", "root", "root"),
comment => "We need to make each service units content is correct.";
commands:
systemd::
# Runs when any class matching cfe_systemd_service_unit_.*_repaired is set,
# i.e. when at least one unit file was changed above.
"$(systemctl)"
args => "daemon-reload --no-ask-password",
handle => "cfe_internal_systemd_unit_files_reload_when_changed",
if => classmatch("cfe_systemd_service_unit_.*_repaired"),
comment => "We need to reload the systemd configuration after any unit
is changed in order for systemd to recognize the change.";
# Restart is conditional on two things: this unit's file was repaired, and
# "systemctl --quiet is-active" currently returns zero for it. The probe is
# executed without a shell (noshell).
"$(systemctl)"
args => "restart $(service_units).service --no-ask-password",
handle => "cfe_internal_systemd_unit_restart_when_changed",
if => and(classify("cfe_systemd_service_unit_$(service_units)_repaired"),
returnszero("$(systemctl) --quiet is-active $(service_units)", noshell)),
comment => "We need to restart any units which have been changed in
order for the new configuration to be in effect. But we only
want to restart them if they are currently running.";
}
bundle agent cfe_internal_systemd_service_unit_state
# @brief Drive each CFEngine component unit to its desired running state
#
# The desired state is taken from two lists maintained by
# cfe_internal_update_processes: agents_to_be_enabled and
# agents_to_be_disabled. Every entry is handed to u_systemd_services together
# with the action to perform ("start" or "stop").
{
  vars:
      # Local copies of the two lists so they can be iterated below.
      "enabled"
        slist => { @(cfe_internal_update_processes.agents_to_be_enabled) };

      "disabled"
        slist => { @(cfe_internal_update_processes.agents_to_be_disabled) };

  methods:
      # Components that should not be running.
      "Disabled Components"
        usebundle => u_systemd_services( $(disabled), "stop");

      # Components that should be running.
      "Enabled Components"
        usebundle => u_systemd_services( $(enabled), "start" );
}
cfengine-masterfiles-3.24.2/cfe_internal/update/update_bins.cf 0000644 0000000 0000000 00000052337 15010704240 024417 0 ustar 00root root 0000000 0000000 ################################################################################
#
# DO NOT EDIT THIS FILE. All policy files prefixed with CFE_ and update_bins.cf
# are maintained by CFEngine and its original state is required for internal
# operations of CFEngine. If the file has been modified CFEngine's upgrades
# may require manual intervention. Contact CFEngine support if additional
# information and/or recommendation is needed.
#
################################################################################
################################################################################
#
# update_bins
# - CFEngine binary update (native packages)
#
################################################################################
bundle agent cfe_internal_update_bins
# @brief Update cfengine binaries
# TODO Redact this file, not in use. The policy here was migrated into
# standalone self upgrade, nothing includes this policy nor references its
# bundles
#
# Overview of what the promises below do:
# - vars: work out package name, package architecture and the local/remote
#   directories that hold package files, per platform.
# - packages: update the installed package from the local software directory
#   when the trigger_upgrade class is set (never on the hub, never while
#   bootstrapping).
# - files: write marker files, render the helper scripts used by cf-upgrade
#   and copy package files from the policy server.
{
vars:
enterprise::
"cf_components" slist => { "cf-key", "cf-monitord", "cf-promises",
"cf-runagent", "cf-serverd", "cf-hub", },
comment => "Define cfengine robot agents",
handle => "cfe_internal_update_bins_vars_cf_components";
"master_software_location" string => "/var/cfengine/master_software_updates",
comment => "The Cfengine binary updates directory on the policy host",
handle => "cfe_internal_update_bins_vars_master_software_location";
!hpux::
"package_dir"
string => "$(sys.flavour)_$(sys.arch)",
comment => "The directory within software updates to look for packages";
hpux::
"package_dir"
string => "$(sys.class)_$(sys.arch)",
comment => "The directory within software updates to look for packages.
On HPUX sys.flavor includes versions, so we use sys.class
instead.";
enterprise::
"local_software_dir" string => translatepath("$(sys.workdir)/software_updates/$(package_dir)"),
comment => "Local directory containing binary updates for this host",
handle => "cfe_internal_update_bins_vars_local_software_dir";
"local_update_log_dir" string => translatepath("$(sys.workdir)/software_updates/update_log"),
comment => "Local directory to store update log for this host",
handle => "cfe_internal_update_bins_vars_local_update_log_dir";
!windows.enterprise::
# NOTE(review): backup_script, backup_file and install_script (and admin_file
# further down) are fixed, predictable names under /tmp. The files promises
# in this bundle create the scripts with mode 0755 and body package_method
# u_generic passes them to cf-upgrade, so their content decides what runs
# during an upgrade. A directory that only the agent's user can write to
# (for example below $(sys.workdir)) would avoid relying on how a
# pre-existing file or link at these paths is treated - confirm before
# reusing this policy.
# backup script for cf-upgrade
# the script should have 2 conditions, BACKUP and RESTORE
# BACKUP and RESTORE status is $(const.dollar)1 variable in the script
# see more details at bundle edit_line u_backup_script
"backup_script" string => "/tmp/cf-upgrade_backup.sh";
# a single compressed backup file for cf-upgrade
# this backup_file is passed to backup_script as $(const.dollar)2 variable
# cf-upgrade will extract this file if return signal of upgrade command is not 0
"backup_file" string => "/tmp/cfengine-nova-$(sys.cf_version).tar.gz";
# install script for cf-upgrade
# each distribution has its own way to upgrade a package
# see more details at bundle edit_line u_install_script
"install_script" string => "/tmp/cf-upgrade_install.sh";
(solarisx86|solaris).enterprise::
# to automatically remove or install packages on Solaris
# admin_file is a must to have to avoid pop-up interaction
# see more details at bundle edit_line u_admin_file
"admin_file" string => "/tmp/cf-upgrade_admin_file";
# The three "novapkg" definitions below are split by platform but all set the
# same value, "cfengine-nova", and all require the nova_edition class.
(solarisx86|solaris).enterprise::
"novapkg" string => "cfengine-nova",
comment => "Name convention of Nova package on Solaris",
handle => "cfe_internal_update_bins_vars_novapkg_solaris",
if => "nova_edition";
aix.enterprise::
"novapkg" string => "cfengine-nova",
comment => "Name convention of Nova package on AIX",
handle => "cfe_internal_update_bins_vars_novapkg_aix",
if => "nova_edition";
!(solarisx86|solaris|aix).enterprise::
"novapkg" string => "cfengine-nova",
comment => "Name convention of Nova package for all but not Solaris",
handle => "cfe_internal_update_bins_vars_novapkg_not_solaris_aix",
if => "nova_edition";
# "pkgarch" is the architecture string expected in package file names; it is
# fed to package_architectures in the packages promises below.
solaris.!sunos_i86pc.enterprise::
"pkgarch" string => "sparc",
comment => "Name convention of package arch on Solaris",
handle => "cfe_internal_update_bins_vars_pkgarch_solaris";
solarisx86.enterprise::
"pkgarch" string => "i386",
comment => "Name convention of package arch on Solaris",
handle => "cfe_internal_update_bins_vars_pkgarch_solarisx86";
redhat.i686.enterprise::
"pkgarch" string => "i386",
comment => "Name convention of package arch on 32-bit RHEL",
handle => "cfe_internal_update_bins_vars_pkgarch_redhat_32b";
redhat.(x86_64|ppc64).enterprise::
"pkgarch" string => "$(sys.arch)",
comment => "Name convention of package arch on RHEL x86_64 and ppc64",
handle => "cfe_internal_update_bins_vars_pkgarch_redhat_x86_64_and_ppc64";
(freebsd|netbsd|debian|aix).enterprise::
"pkgarch" string => "*",
comment => "Name convention of package arch on *BSD/Debian",
handle => "cfe_internal_update_bins_vars_pkgarch_bsd_debian_aix";
!(solarisx86|solaris|freebsd|netbsd|debian|aix|redhat).enterprise::
"pkgarch" string => "$(sys.arch)",
comment => "Name convention of package arch for other system except Solaris and *BSD",
handle => "cfe_internal_update_bins_vars_pkgarch_not_solaris_bsd_debian_aix_redhat_32b";
#
classes:
# Set when the local package directory exists; the packages promises require it.
"have_software_dir" expression => fileexists($(local_software_dir));
#
packages:
# The four promises below differ only in the platform class and in how
# package_version is composed (version-release on linux, version on
# Solaris and Windows, version with ".0" appended on AIX). Each one sets
# bin_update_success or bin_update_fail through u_if_else.
# NOTE(review): the inline comment on package_select says "picks the newest",
# but the operator used is "==" together with an explicit package_version -
# confirm which of the two is intended.
!am_policy_hub.linux.enterprise.trigger_upgrade.!bootstrap_mode::
"$(novapkg)"
comment => "Update Nova package to a newer version (package is there)",
handle => "cfe_internal_update_bins_packages_nova_update_linux_pkg_there",
package_policy => "update",
package_select => "==", # picks the newest Nova available
package_architectures => { "$(pkgarch)" },
package_version => "$(update_def.current_version)-$(update_def.current_release)",
package_method => u_generic( "$(local_software_dir)" ),
if => "nova_edition.have_software_dir",
classes => u_if_else("bin_update_success", "bin_update_fail");
!am_policy_hub.(solaris|solarisx86).enterprise.trigger_upgrade.!bootstrap_mode::
"$(novapkg)"
comment => "Update Nova package to a newer version (package is there)",
handle => "cfe_internal_update_bins_packages_nova_update_solaris_pkg_there",
package_policy => "update",
package_select => "==", # picks the newest Nova available
package_architectures => { "$(pkgarch)" },
package_version => "$(update_def.current_version)",
package_method => u_generic( "$(local_software_dir)" ),
if => "nova_edition.have_software_dir",
classes => u_if_else("bin_update_success", "bin_update_fail");
!am_policy_hub.windows.enterprise.trigger_upgrade.!bootstrap_mode::
"$(novapkg)"
comment => "Update Nova package to a newer version (package is there)",
handle => "cfe_internal_update_bins_packages_nova_update_windows_only_pkg_there",
package_policy => "update",
package_select => "==", # picks the newest Nova available
package_architectures => { "$(pkgarch)" },
package_version => "$(update_def.current_version)",
package_method => u_generic( "$(local_software_dir)" ),
if => "nova_edition.have_software_dir",
classes => u_if_else("bin_update_success", "bin_update_fail");
!am_policy_hub.aix.enterprise.trigger_upgrade.!bootstrap_mode::
"$(novapkg)"
comment => "Update Nova package to a newer version (package is there)",
handle => "cfe_internal_update_bins_packages_nova_update_aix_only_pkg_there",
package_policy => "update",
package_select => "==", # picks the newest Nova available
package_architectures => { "$(pkgarch)" },
package_version => "$(update_def.current_version).0",
package_method => u_generic( "$(local_software_dir)" ),
if => "nova_edition.have_software_dir",
classes => u_if_else("bin_update_success", "bin_update_fail");
#
files:
enterprise::
"$(local_update_log_dir)/$(sys.nova_version)_is_running"
comment => "Create an empty file about a version that is running",
handle => "cfe_internal_update_bins_files_version_is_running",
create => "true";
am_policy_hub.enterprise::
"$(master_software_location)/cf-upgrade/linux.i386/."
comment => "Prepare a directory for cf-upgrade",
handle => "cfe_internal_update_bins_files_linux_i386",
create => "true";
"$(master_software_location)/cf-upgrade/linux.x86_64/."
comment => "Prepare a directory for cf-upgrade",
handle => "cfe_internal_update_bins_files_linux_x86_64",
create => "true";
!am_policy_hub.enterprise.trigger_upgrade::
# The next three promises render the helper files from scratch on every run
# (u_empty_no_backup empties the file before editing and keeps no backup).
# See the NOTE(review) on the /tmp paths in the vars section above.
"$(admin_file)"
comment => "Create solaris admin_file to automate remove and install packages",
handle => "cfe_internal_update_bins_files_solaris_admin_file",
create => "true",
edit_defaults => u_empty_no_backup,
edit_line => u_admin_file,
perms => u_m("0644"),
if => "solarisx86|solaris";
"$(backup_script)"
comment => "Create a backup script for cf-upgrade",
handle => "cfe_internal_update_bins_files_backup_script",
create => "true",
if => "!windows",
edit_defaults => u_empty_no_backup,
edit_line => u_backup_script,
perms => u_m("0755");
"$(install_script)"
comment => "Create an install script for cf-upgrade",
handle => "cfe_internal_update_bins_files_install_script",
create => "true",
if => "!windows",
edit_defaults => u_empty_no_backup,
edit_line => u_install_script,
perms => u_m("0755");
"$(local_software_dir)/."
create => "true",
handle => "cfe_internal_update_bins_files_local_software_dir_presence",
comment => "Ensure the local software directory exists for new binaries
to be downloaded to";
# Package files are pulled from the policy servers with body copy_from u_pcp
# (digest comparison, purge enabled), one directory level deep. The class
# bin_newpkg is set when something was copied.
"$(local_software_dir)/."
comment => "Copy binary updates from master source on policy server",
handle => "cfe_internal_update_bins_files_pkg_copy",
copy_from => u_pcp("$(master_software_location)/$(package_dir)", @(update_def.policy_servers)),
depth_search => u_recurse("1"), # Nova updates should be in root dir
action => u_immediate,
classes => u_if_repaired("bin_newpkg");
bin_update_success.enterprise.trigger_upgrade::
"$(local_update_log_dir)/upgraded_binary_from_$(sys.nova_version)"
comment => "Create an empty file after successfully upgrade the binary",
handle => "cfe_internal_update_bins_files_update_from_log",
create => "true";
reports:
DEBUG|DEBUG_cfe_internal_update_bins::
"DEBUG $(this.bundle): Evaluating binaries for upgrade using internal update mechanism"
if => "trigger_upgrade";
}
################################################################################
bundle edit_line u_admin_file
# @brief Admin file for automating solaris package installs
#
# Inserts one of two fixed blocks of key=value settings, chosen by the
# sunos_5_8 class. In both variants every check (partial, runlevel, idepend,
# rdepend, space, setuid, conflict, action) is set to "nocheck".
# NOTE(review): with setuid, conflict and dependency checks all disabled, the
# package tools are presumably expected not to ask for confirmation; the
# package file itself is then the only thing deciding what gets installed, so
# its origin should be trusted - confirm against the pkgadd documentation.
{
insert_lines:
# Variant for hosts with the sunos_5_8 class: instance=unique and no
# network, keystore or proxy settings.
sunos_5_8::
"mail=
instance=unique
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=nocheck
conflict=nocheck
action=nocheck
basedir=default";
# Variant for all other Solaris hosts: instance=overwrite plus network
# timeout/retry, authentication, keystore and proxy settings.
solaris.!sunos_5_8::
"mail=
instance=overwrite
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=nocheck
conflict=nocheck
action=nocheck
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
proxy=
basedir=default";
}
################################################################################
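bundle edit_line u_backup_script
# @brief Script to execute before package upgrade
#
# Renders a small /bin/sh script with two modes, selected by its first
# argument: BACKUP archives $(sys.workdir) into the file named by the second
# argument, RESTORE unpacks that archive again.
#
# The positional parameters are double-quoted inside the generated script so
# that an empty or missing argument, or a path containing whitespace, does not
# break the test expressions or get split into several words.
#
# The lines of each script are kept at column 0 because they are part of one
# multi-line string: any leading whitespace would end up in the rendered file.
{
  insert_lines:

    # GNU tar can compress in one step (z) and handle sparse files (S).
    linux::
      "#!/bin/sh
if [ \"$(const.dollar)1\" = \"BACKUP\" ]; then
tar cfzS \"$(const.dollar)2\" $(sys.workdir) > /dev/null
fi
if [ \"$(const.dollar)1\" = \"RESTORE\" ]; then
tar xfz \"$(const.dollar)2\"
fi";

    # Solaris: archive and compression are two separate steps.
    solarisx86|solaris::
      "#!/bin/sh
if [ \"$(const.dollar)1\" = \"BACKUP\" ]; then
tar cf \"$(const.dollar)2\" $(sys.workdir); gzip \"$(const.dollar)2\"
fi
if [ \"$(const.dollar)1\" = \"RESTORE\" ]; then
gunzip \"$(const.dollar)2.gz\"; tar xf \"$(const.dollar)2\"
fi";
}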
################################################################################
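bundle edit_line u_install_script
# @brief Script to upgrade package
#
# Renders a /bin/sh script that installs the package file passed as its first
# argument, using the native package tool of the platform.
#
# The first positional parameter is double-quoted inside the generated script
# so that a path containing whitespace or glob characters reaches the package
# tool as a single, unmodified argument.
#
# The lines of each script are kept at column 0 because they are part of one
# multi-line string: any leading whitespace would end up in the rendered file.
{
  insert_lines:

    redhat|suse|sles::
      "#!/bin/sh
/bin/rpm -U \"$(const.dollar)1\"";

    # Keeps the default answer for changed conffiles, falling back to the
    # packaged version (--force-confdef --force-confnew).
    debian::
      "#!/bin/sh
/usr/bin/dpkg --force-confdef --force-confnew --install \"$(const.dollar)1\" > /dev/null";

    # Solaris: remove the installed package, then add the new one, both
    # non-interactively with the admin file rendered by cfe_internal_update_bins.
    # Backticks are used for the command substitution because a dollar sign
    # followed by a parenthesis would be read as a CFEngine variable reference.
    # $pkgname is left unquoted as in the original script; pkginfo may print
    # more than one package name.
    # cf-execd is started afterwards and its failure is ignored; the script
    # always exits 0.
    solarisx86|solaris::
      "#!/bin/sh
pkgname=`pkginfo -d \"$(const.dollar)1\" | awk '{print $(const.dollar)2}'`
/usr/sbin/pkgrm -n -a $(cfe_internal_update_bins.admin_file) $pkgname
/usr/sbin/pkgadd -n -a $(cfe_internal_update_bins.admin_file) -d \"$(const.dollar)1\" all
$(sys.workdir)/bin/cf-execd || true
exit 0";
}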
################################################################################
body edit_defaults u_empty_no_backup
# @brief Start every edit from an empty file and keep no backup copy
#
# Used for files whose whole content is rendered by policy, so nothing that
# was in the file before the edit survives it.
{
      edit_backup               => "false";
      empty_file_before_editing => "true";
}
################################################################################
body copy_from u_pcp(from,server)
# @brief Digest-compared copy of `from`, fetched from `server` when not on the hub
# @param from Path on remote server to copy from
# @param server Remote host to copy from
{
      # What to copy and how a change is detected.
      source   => "$(from)";
      compare  => "digest";

      # Destination files that no longer exist at the source are removed.
      purge    => "true";

      # Public keys of servers that are not already known are not accepted
      # automatically.
      trustkey => "false";

    # The policy hub copies locally; every other host contacts `server`.
    !am_policy_hub::
      servers => { "$(server)" };

    # Transfer encryption is opt-in through this class.
    cfengine_internal_encrypt_transfers::
      encrypt => "true";
}
################################################################################
bundle common u_common_knowledge
# @brief standalone common packages knowledge bundle
#
# Holds general, platform-independent settings for the update policy.
# @see common_knowledge
{
  vars:
      # Read by body package_method u_generic as package_list_update_ifelapsed.
      # NOTE(review): 10080 would be seven days if the unit is minutes, as for
      # other ifelapsed settings - confirm.
      "list_update_ifelapsed_now"
        string => "10080";
}
################################################################################
body package_method u_generic(repo)
# @brief Per-platform package commands used to upgrade the CFEngine package
# @param repo Directory that holds the package files to install from
#
# Each platform section defines how to list installed packages, how to parse
# that listing, how package file names are composed and which commands add,
# update and delete a package.
#
# On debian, redhat/suse/sles and solaris the update command is cf-upgrade,
# called with the backup script, backup file and install script defined in
# bundle cfe_internal_update_bins. Those variables point at fixed paths under
# /tmp, so the integrity of those files matters for what runs during an
# upgrade.
# NOTE(review): the rpm, dpkg, msiexec and pkgadd invocations below install
# from local files in `repo`; whether the package tools verify signatures of
# those files is not configured here - confirm that `repo` is only writable by
# the agent's user.
{
debian::
package_changes => "individual";
package_list_command => "/usr/bin/dpkg -l";
# package_list_update_command => "/usr/bin/apt-get update";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
# Only lines starting with "ii" are parsed; the version pattern accepts
# dotted/dashed numeric versions only.
package_list_name_regex => "ii\s+([^\s:]+).*";
# package_list_version_regex => "ii\s+[^\s]+\s+([^\s]+).*";
package_list_version_regex => "ii\s+[^\s]+\s+(\d+\.\d+((\.|-)\d+)+).*";
package_installed_regex => ".*"; # all reported are installed
package_file_repositories => { "$(repo)" };
package_version_equal_command => "/usr/bin/dpkg --compare-versions '$(v1)' eq '$(v2)'";
package_version_less_command => "/usr/bin/dpkg --compare-versions '$(v1)' lt '$(v2)'";
debian.x86_64::
package_name_convention => "$(name)_$(version)_amd64.deb";
debian.i686::
package_name_convention => "$(name)_$(version)_i386.deb";
debian::
package_add_command => "/usr/bin/dpkg --force-confdef --force-confnew --install";
package_delete_command => "/usr/bin/dpkg --purge";
debian::
package_update_command => "$(sys.workdir)/bin/cf-upgrade -b $(cfe_internal_update_bins.backup_script) -s $(cfe_internal_update_bins.backup_file) -i $(cfe_internal_update_bins.install_script)";
redhat|SuSE|suse|sles::
package_changes => "individual";
# The query format prints pipe-separated fields; the regexes below pick the
# third (name), fourth (version-release) and fifth (arch) field.
package_list_command => "/bin/rpm -qa --queryformat \"i | repos | %{name} | %{version}-%{release} | %{arch}\n\"";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_list_name_regex => "[^|]+\|[^|]+\|\s+([^\s|]+).*";
package_list_version_regex => "[^|]+\|[^|]+\|[^|]+\|\s+([^\s|]+).*";
package_list_arch_regex => "[^|]+\|[^|]+\|[^|]+\|[^|]+\|\s+([^\s]+).*";
package_installed_regex => "i.*";
package_file_repositories => { "$(repo)" };
package_name_convention => "$(name)-$(version).$(arch).rpm";
package_add_command => "/bin/rpm -ivh ";
package_delete_command => "/bin/rpm -e --nodeps";
package_verify_command => "/bin/rpm -V";
package_noverify_regex => ".*[^\s].*";
package_version_less_command => "$(sys.bindir)/rpmvercmp '$(v1)' lt '$(v2)'";
package_version_equal_command => "$(sys.bindir)/rpmvercmp '$(v1)' eq '$(v2)'";
(redhat|SuSE|suse|sles)::
package_update_command => "$(sys.workdir)/bin/cf-upgrade -b $(cfe_internal_update_bins.backup_script) -s $(cfe_internal_update_bins.backup_file) -i $(cfe_internal_update_bins.install_script)";
redhat.!redhat_4::
package_list_update_command => "/usr/bin/yum --quiet check-update";
redhat_4::
package_list_update_command => "/usr/bin/yum check-update";
SuSE|suse|sles::
package_list_update_command => "/usr/bin/zypper list-updates";
windows::
package_changes => "individual";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_file_repositories => { "$(repo)" };
package_installed_regex => ".*";
package_name_convention => "$(name)-$(version)-$(arch).msi";
# msiexec is called by absolute path below $(sys.winsysdir), in quiet mode (/qn).
package_add_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /i";
package_update_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /i";
package_delete_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /x";
freebsd::
package_changes => "individual";
package_list_command => "/usr/sbin/pkg_info";
package_list_update_command => "/usr/bin/true";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_list_name_regex => "^(\S+)-(\d+\.?)+";
package_list_version_regex => "^\S+-((\d+\.?)+\_\d)";
package_file_repositories => { "$(repo)" };
package_installed_regex => ".*";
package_name_convention => "$(name)-$(version).tbz";
package_delete_convention => "$(name)-$(version)";
package_add_command => "/usr/sbin/pkg_add";
package_delete_command => "/usr/sbin/pkg_delete";
netbsd::
package_changes => "individual";
package_list_command => "/usr/sbin/pkg_info";
package_list_update_command => "/usr/bin/true";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_list_name_regex => "^(\S+)-(\d+\.?)+";
# NOTE(review): "\nb" in the pattern below reads as an escaped newline followed
# by "b"; a literal "nb" suffix may have been intended - confirm.
package_list_version_regex => "^\S+-((\d+\.?)+\nb\d)";
package_file_repositories => { "$(repo)" };
package_installed_regex => ".*";
package_name_convention => "$(name)-$(version).tgz";
package_delete_convention => "$(name)-$(version)";
package_add_command => "/usr/sbin/pkg_add";
package_delete_command => "/usr/sbin/pkg_delete";
solarisx86|solaris::
package_changes => "individual";
# pkginfo -l prints one multi-line record per package; a record starts at the
# PKGINST line and the other fields are picked from the following lines.
package_list_command => "/usr/bin/pkginfo -l";
package_list_update_command => "/usr/bin/true";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_multiline_start => "\s*PKGINST:\s+[^\s]+";
package_list_name_regex => "\s*PKGINST:\s+([^\s]+)";
package_list_version_regex => "\s*VERSION:\s+([^\s]+)";
package_list_arch_regex => "\s*ARCH:\s+([^\s]+)";
package_file_repositories => { "$(repo)" };
package_installed_regex => "\s*STATUS:\s*(completely|partially)\s+installed.*";
package_name_convention => "$(name)-$(version)-$(arch).pkg";
package_delete_convention => "$(name)";
# Cfengine appends path to package and package name below, respectively
# NOTE(review): add_scr and admin_file are read from `repo` here, while the
# update command below uses the admin file path from cfe_internal_update_bins.
package_add_command => "/bin/sh $(repo)/add_scr $(repo)/admin_file";
package_delete_command => "/usr/sbin/pkgrm -n -a $(repo)/admin_file";
(solarisx86|solaris)::
package_update_command => "$(sys.workdir)/bin/cf-upgrade -b $(cfe_internal_update_bins.backup_script) -s $(cfe_internal_update_bins.backup_file) -i $(cfe_internal_update_bins.install_script)";
aix::
package_changes => "individual";
package_list_update_command => "/usr/bin/true";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
# lslpp -lc prints colon-separated fields; name is the second field, version
# the third, and the state (COMMITTED or APPLIED) marks an installed package.
package_list_command => "/usr/bin/lslpp -lc";
package_list_name_regex => "[^:]+:([^:]+):[^:]+:.*";
package_list_version_regex => "[^:]+:[^:]+:([^:]+):.*";
package_file_repositories => { "$(repo)" };
package_installed_regex => "[^:]+:[^:]+:[^:]+:[^:]*:(COMMITTED|APPLIED):.*";
package_name_convention => "$(name)-$(version).bff";
package_delete_convention => "$(name)";
# The add and update commands first remove $(repo)/.toc, then run geninstall
# against the directory. These two commands contain "&&".
# NOTE(review): confirm the commands are executed through a shell, otherwise
# "&&" is passed to rm as an argument.
package_add_command => "/usr/bin/rm -f $(repo)/.toc && /usr/sbin/geninstall -IqacgXNY -d $(repo) cfengine-nova$";
package_update_command => "/usr/bin/rm -f $(repo)/.toc && /usr/sbin/geninstall -IqacgXNY -d $(repo) cfengine-nova$";
package_delete_command => "/usr/sbin/installp -ug cfengine-nova$";
}
cfengine-masterfiles-3.24.2/cfe_internal/update/update_policy.cf 0000644 0000000 0000000 00000102246 15010704240 024756 0 ustar 00root root 0000000 0000000 ################################################################################
#
# DO NOT EDIT THIS FILE. All policy files prefixed with CFE_ and update_bins.cf
# are maintained by CFEngine and its original state is required for internal
# operations of CFEngine. If the file has been modified CFEngine's upgrades
# may require manual intervention. Contact CFEngine support if additional
# information and/or recommendation is needed.
#
################################################################################
#########################################################
#
# update_policy
# - Cfengine policy update (masterfiles -> inputs)
#
#########################################################
bundle agent cfe_internal_update_policy
# @brief This bundle is responsible for activating the policy to update inputs.
# @description Users may define `def.mpf_update_policy_bundle` to override the
# default policy update bundle.
#
# The override only takes effect when a bundle with exactly that name is found
# by bundlesmatching(); otherwise the stock bundle cfe_internal_update_policy_cpv
# runs. The CMDB data update runs in every case.
{
classes:
# Define classes if we see a user is requesting a custom policy update bundle
"have_user_specified_update_bundle"
expression => isvariable( "def.mpf_update_policy_bundle" );
# Define classes if we are able to find the specific bundle they requested
# (otherwise we may get an error about undefined bundle)
"have_found_user_specified_update_bundle"
expression => some(".*", "found_matching_user_specified_bundle");
"missing_user_specified_update_bundle"
not => some(".*", "found_matching_user_specified_bundle");
vars:
# Only used in the report text below; the methods promise names the stock
# bundle directly.
"default_policy_update_bundle" string => "cfe_internal_update_policy_cpv";
# Look for a bundle that matches what the user wants
# The user-supplied name is placed between ^ and $ and used as a regular
# expression, so regex metacharacters in the name are interpreted, not
# matched literally.
"found_matching_user_specified_bundle"
slist => bundlesmatching( "^$(def.mpf_update_policy_bundle)$" );
methods:
# Use the user specified bundle when it's found
have_found_user_specified_update_bundle::
"User specified policy update bundle"
usebundle => $(found_matching_user_specified_bundle);
# Fall back to stock policy update bundle if we have not found one
# specified by user
!have_found_user_specified_update_bundle::
"Stock policy update"
usebundle => cfe_internal_update_policy_cpv;
any::
"CMDB data update" -> { "ENT-6788", "ENT-8847" }
usebundle => cfe_internal_update_cmdb,
action => u_immediate;
reports:
inform_mode|verbose_mode|DEBUG|DEBUG_cfe_internal_update_policy::
# Report a human readable way to understand the policy behavior
"User specified update bundle: $(def.mpf_update_policy_bundle)"
if => "have_user_specified_update_bundle";
"User specified update bundle MISSING! Falling back to $(default_policy_update_bundle)."
if => and( "have_user_specified_update_bundle",
"missing_user_specified_update_bundle" );
any::
# Warn, in every mode, when the configured name contains no ":" and
# therefore carries no namespace.
"WARNING User specified update bundle '$(def.mpf_update_policy_bundle)' does not specify a namespace. Please specify a namespace, e.g. 'default:$(def.mpf_update_policy_bundle)'."
if => and( not(regcmp( ".*:.*", $(def.mpf_update_policy_bundle) ) ),
"have_user_specified_update_bundle" );
}
bundle agent cfe_internal_setup_python_symlink(symlink_path)
# @brief Create the /var/cfengine/bin/python symlink pointing to some installed python (if any)
# @param symlink_path Path of the symlink to create, or to delete when no
# Python interpreter is found
#
# Candidates are searched in the directories of the agent's PATH environment
# variable, in this order of preference: python3/python2 (highest name
# first), then plain "python", then /usr/libexec/platform-python.
#
# NOTE(review): the interpreter is resolved from the PATH of the agent
# process, and the comment on the last files promise says the symlink is used
# for various modules. It is worth confirming that PATH only contains
# directories writable by trusted users, since the first match is what the
# symlink will point to.
{
vars:
# PATH is read with a limit of 1024 characters and split into at most 128
# entries on ":".
"path" string => getenv("PATH", 1024);
"path_folders" slist => splitstring("$(path)", ":", 128);
windows::
# NOTE(review): path_folders was split on ":", so no entry can still contain
# the ":" this pattern requires; on Windows the filtered list looks like it
# is always empty - confirm.
"abs_path_folders" -> {"CFE-2309"}
slist => filter("([A-Z]|//):.*", path_folders, "true", "false", 128),
comment => "findfiles() complains about relative directories";
!windows::
# Keep only absolute directories (those starting with "/").
"abs_path_folders" -> {"CFE-2309"}
slist => filter("/.*", path_folders, "true", "false", 128),
comment => "findfiles() complains about relative directories";
any::
"exact_version_globs" slist => maplist("$(this)/python[23]", @(abs_path_folders)),
comment => "Looking for Python 2 and/or Python 3 in the $PATH folders";
"generic_python_globs" slist => maplist("$(this)/python", @(abs_path_folders)),
comment => "Looking for the 'python' symlink/executable which can be any
version of Python (usually Python 2 for backwards compatibility)";
# One array entry per glob, holding the files that glob matched.
"python_exact[$(exact_version_globs)]" slist => findfiles("$(exact_version_globs)");
"python_generic[$(generic_python_globs)]" slist => findfiles("$(generic_python_globs)");
# Added to the candidate list unconditionally, without checking that the
# file exists.
"python_platform_fallback[/usr/libexec/platform-python]" -> { "CFE-3291" }
slist => { "/usr/libexec/platform-python" };
# The sort is lexical on the full path, then reversed.
"python_exact_sorted" slist => reverse(sort(getvalues(@(python_exact)), "lex")),
comment => "Prefer higher major versions of Python";
"pythons" slist => getvalues(mergedata(@(python_exact_sorted),
getvalues(@(python_generic)),
getvalues(@(python_platform_fallback)))),
comment => "Prefer exact versions over unknown";
# Left undefined when the candidate list is empty; the files promises below
# test for that with isvariable().
"python" string => nth(@(pythons), 0),
if => isgreaterthan(length(@(pythons)), 0),
comment => "Taking the first item from the list (sorted by preference)";
files:
# No interpreter found: remove the symlink.
"$(symlink_path)"
delete => u_tidy,
if => not(isvariable("python"));
# Interpreter found: point the symlink at it, replacing whatever is in the way.
"$(symlink_path)"
link_from => u_ln_s("$(python)"),
move_obstructions => "true",
if => isvariable("python");
# Removes a leftover $(sys.bindir)/python, but only if it is a symlink and
# sys.bindir is exactly /var/cfengine/bin.
"$(sys.bindir)/python" -> { "CFE-3512", "CFE-4146" }
delete => u_tidy,
if => and( islink( "$(sys.bindir)/python" ),
strcmp( "$(sys.bindir)", "/var/cfengine/bin")),
comment => concat( "We don't want to leave a python that is potentially in $PATH ",
"after having re-named our python symlink that is used for various ",
"modules. Additionally we want to be cautious that we don't delete ",
"system python symlinks in the event the binary was built for FHS.");
}
bundle agent cfe_internal_update_policy_cpv
# @brief Update inputs from masterfiles when cf_promises_validated changes
#
# @description This bundle updates inputdir, and modules. It uses the
# cf_promises_validated file as a gating mechanism to prevent
# unnecessary burden on the server from remote agents checking to
# see if each individual file needs an update.
# - The class `validated_updates_ready` is defined when `cf_promises_validated` is repaired
# - Executing `cf-agent -KIf update.cf --define validated_updates_ready` will
# cause the update policy to scan all files in masterfiles and modules
# for updates.
#
# Security-relevant behaviour visible in this bundle:
# - Every remote copy uses the `u_rcp` body (digest comparison,
#   `trustkey => "false"`, `purge => "true"` unless disabled by class).
# - Whatever is copied into `$(inputs_dir)/modules` is later installed by
#   `modules_presence` as root-owned executable files, so the integrity of the
#   modules directory on the policy server matters as much as the policy itself.
{
vars:
"inputs_dir" string => translatepath("$(sys.inputdir)"),
comment => "Directory containing CFEngine policies",
handle => "cfe_internal_update_policy_vars_inputs_dir";
"master_location" -> { "ENT-3692" }
string => "$(update_def.mpf_update_policy_master_location)",
comment => "The path to request updates from the policy server.",
handle => "cfe_internal_update_policy_vars_master_location";
windows::
# On Windows the modules source is a fixed path; it is not derived from
# $(master_location) as it is in the !windows branch below.
"modules_dir_source" string => "/var/cfengine/masterfiles/modules",
comment => "Directory containing CFEngine modules",
handle => "cfe_internal_update_policy_vars_modules_dir_windows";
!windows::
"modules_dir_source" string => translatepath("$(master_location)/modules"),
comment => "Directory containing CFEngine modules",
handle => "cfe_internal_update_policy_vars_modules_dir";
any::
"file_check" string => translatepath("$(inputs_dir)/promises.cf"),
comment => "Path to a policy file",
handle => "cfe_internal_update_vars_file_check";
"ppkeys_file" string => translatepath("$(sys.workdir)/ppkeys/localhost.pub"),
comment => "Path to public key file",
handle => "cfe_internal_update_policy_vars_ppkeys_file";
"postgresdb_dir" string => "$(sys.workdir)/state/pg/data",
comment => "Directory where Postgres database files will be stored on hub -",
handle => "cfe_internal_update_policy_postgresdb_dir";
"postgresdb_log" string => "/var/log/postgresql.log",
comment => "File where Postgres database files will be logging -",
handle => "cfe_internal_update_policy_postgresdb_log_file";
"python_symlink" -> { "CFE-2602", "CFE-3512" }
string => "$(sys.bindir)/cfengine-selected-python",
comment => "Symlink to Python we found (if any)",
handle => "cfe_internal_update_policy_python_symlink";
classes:
# Defining cfengine_internal_disable_cf_promises_validated bypasses the
# validation-stamp gate: every run then performs the full copy below.
"validated_updates_ready"
expression => "cfengine_internal_disable_cf_promises_validated",
comment => "If cf_promises_validated is disabled, then updates are
always considered validated.";
any::
# NOTE: $(file_check) is $(inputs_dir)/promises.cf (see vars above); the
# promise comment below mentions $(sys.masterdir) instead.
"local_files_ok" expression => fileexists("$(file_check)"),
comment => "Check for $(sys.masterdir)/promises.cf",
handle => "cfe_internal_update_classes_files_ok";
# create a global files_ok class
# The same class name is passed for both outcomes of u_if_else.
"cfe_internal_trigger" expression => "local_files_ok",
classes => u_if_else("files_ok", "files_ok");
files:
!am_policy_hub:: # policy hub should not alter inputs/ unnecessarily
# Fetch only the validation stamp; a repair of this one file is what
# triggers the full copy of inputs and modules below.
"$(inputs_dir)/cf_promises_validated"
comment => "Check whether a validation stamp is available for a new policy update to reduce the distributed load",
handle => "cfe_internal_update_policy_check_valid_update",
copy_from => u_rcp("$(master_location)/cf_promises_validated", @(update_def.policy_servers)),
action => u_immediate,
classes => u_if_repaired("validated_updates_ready");
am_policy_hub|validated_updates_ready:: # policy hub should always put masterfiles in inputs in order to check new policy
# Only names matching u_input_files are copied. move_obstructions lets the
# copy replace an object that is in the way of a file to be installed.
# u_results defines the update_inputs_* classes used further down.
"$(inputs_dir)"
comment => "Copy policy updates from master source on policy server if a new validation was acquired",
handle => "cfe_internal_update_policy_files_inputs_dir",
copy_from => u_rcp("$(master_location)", @(update_def.policy_servers)),
depth_search => u_infinite_client_policy,
file_select => u_input_files,
action => u_immediate,
classes => u_results("bundle", "update_inputs"),
move_obstructions => "true";
# Note that here we do not filter with `update_def.input_name_patterns` so
# that we copy any and all modules scripts.
# Consequence: every file the server offers under the modules source is
# accepted here, regardless of name or extension.
"$(inputs_dir)/modules"
comment => "Copy any files in modules from master source on policy server if a new validation was acquired",
handle => "cfe_internal_update_policy_files_modules_dir",
copy_from => u_rcp("$(modules_dir_source)", @(update_def.policy_servers)),
depth_search => u_recurse("inf"),
action => u_immediate;
update_inputs_not_kept::
# A failed or partial copy must not leave a fresh validation stamp behind:
# removing it forces the next run to fetch the stamp again and rescan.
"$(inputs_dir)/cf_promises_validated" -> { "CFE-2587" }
delete => u_tidy,
comment => "If there is any problem copying to $(inputs_dir) then purge
the cf_promises_validated file must be purged so that
subsequent agent runs will perform a full scan.";
!policy_server.enable_cfengine_enterprise_hub_ha::
# In an HA setup, non-hub hosts refresh policy_server.dat from the
# server's state/master_hub.dat.
"$(sys.workdir)/policy_server.dat"
comment => "Copy policy_server.dat file from server",
handle => "cfe_internal_update_ha_policy_server",
copy_from => u_rcp("$(sys.workdir)/state/master_hub.dat", @(update_def.policy_servers)),
action => u_immediate,
classes => u_if_repaired("replica_failover"); # not needed ?
am_policy_hub::
# Two passes over the master location on the hub: directories first, then
# everything that is not a directory, each with its own configured mode.
"$(master_location)/." -> { "CFE-951" }
comment => "Make sure masterfiles folder has right file permissions",
handle => "cfe_internal_update_policy_files_sys_workdir_masterfiles_dirs",
perms => u_m($(update_def.masterfiles_perms_mode_dirs)),
file_select => u_dirs,
depth_search => u_recurse_basedir("inf"),
action => u_immediate;
"$(master_location)/." -> { "CFE-951" }
comment => "Make sure masterfiles folder has right file permissions",
handle => "cfe_internal_update_policy_files_sys_workdir_masterfiles_not_dir",
perms => u_m($(update_def.masterfiles_perms_mode_not_dir)),
file_select => u_not_dir,
depth_search => u_recurse_basedir("inf"),
action => u_immediate;
methods:
debian|redhat|amazon_linux|suse|sles|opensuse::
# Only needed on distros with Python-based package modules
"setup_python_symlink" -> { "CFE-2602" }
usebundle => cfe_internal_setup_python_symlink("$(python_symlink)");
any::
# Install vendored and user provided modules to $(sys.workdir) from $(sys.inputdir)
"modules_presence";
}
bundle agent cfe_internal_update_cmdb
# @brief Keep the host's local cache of CMDB data current
#
# On Enterprise policy servers the per-host data files are generated here
# unless cf-reactor is installed (or policy-driven generation is explicitly
# requested). Hosts that support host specific data then pull their own data.
{
  classes:
      "have_cf_reactor"
        expression => fileexists("$(sys.bindir)/cf-reactor");

  methods:
    policy_server.enterprise_edition.(!have_cf_reactor|cmdb_data_files_updates_done_in_policy)::
      "cfe_internal_update_cmdb_data_distribution";

@if feature(host_specific_data_load)
    # The feature was introduced in 3.18.0; older agents cannot use the data.
    # Skipped while bootstrapping: on a hub bootstrapping to itself there is
    # no cf-serverd listening yet to serve the files.
    enterprise_edition.!(bootstrap_mode):: # ENT-6840
      "cfe_internal_update_cmdb_data_consumption" -> { "ENT-8847" }
        action => u_immediate;
@endif
}
bundle agent cfe_internal_update_cmdb_data_distribution
# @brief Ensure data is ready for agents to download
#
# @description Asks a local PHP script for host specific data changed since the
# last recorded timestamp, writes one JSON file per host under
# $(sys.workdir)/cmdb/ and stores the new timestamp for the next request.
#
# Review notes:
# - The timestamp read from the state file is interpolated into a command line
#   that is executed through a shell (`useshell`).
# - The keys of the `data` object in the response are used as directory names.
#   Both values deserve strict validation; see the inline notes.
{
classes:
"_have_cmdb_next_request_state_file" -> { "ENT-9933" }
expression => fileexists( "$(_cmdb_next_request_state_file)" );
vars:
!bootstrap_mode.(policy_server.enterprise_edition)::
# The API response for host specific data from cmdb tells us the timestamp of the last data change
# We store this timestamp and use it for the next request.
"_cmdb_next_request_state_file"
string => "$(sys.statedir)/cmdb_next_request_from.dat";
!bootstrap_mode.(policy_server.enterprise_edition._have_cmdb_next_request_state_file)::
# If we have the timestamp from a previous response we use it, else we start from 0
# NOTE(review): regline() succeeds when some line of the file matches, while
# readfile(..., inf) returns the file content, so this guard does not by
# itself prove the value is only digits. Confirm the state file can only be
# written by root, or validate the value that was actually read.
"_cmdb_previous_next_request_from"
string => readfile( $(_cmdb_next_request_state_file), inf ),
if => regline( "^\d+$", $(_cmdb_next_request_state_file) );
"_cmdb_previous_next_request_from"
string => "0",
unless => regline( "^\d+$", $(_cmdb_next_request_state_file) );
!bootstrap_mode.(policy_server.enterprise_edition)::
# We need a script to call that should return the API response
"_get_cmdb_data_bin" string => "$(sys.workdir)/httpd/htdocs/scripts/get_cmdb.php";
"_get_cmdb_data_cmd" string => "/var/cfengine/httpd/php/bin/php $(_get_cmdb_data_bin) $(_cmdb_previous_next_request_from)";
# We call the script and we pass it the timestamp from the prior call
# NOTE(review): the command uses no shell features (no pipes, globs or
# redirections are visible), so `noshell` looks sufficient and would remove
# shell interpretation of the interpolated timestamp - confirm before changing.
"_get_cmdb_data_response"
string => execresult( $(_get_cmdb_data_cmd), useshell ),
if => fileexists( $(_get_cmdb_data_bin) );
# Only parsed when the response is valid JSON; otherwise the data container
# stays undefined and the promises depending on it do not resolve.
"_get_cmdb_data_response_d"
data => parsejson('$(_get_cmdb_data_response)'),
if => validjson( '$(_get_cmdb_data_response)' );
# So that we can write a JSON file for each host we get the indices of data in the response
"_i" slist => getindices( "_get_cmdb_data_response_d[data]");
# We need to store the timestamp from the most recent change so that we can use that as a starting point for future requests.
"_next_request_from"
string => "$(_get_cmdb_data_response_d[meta][cmdb_epoch])";
files:
# "$(_get_cmdb_data_cmd)" perms => m( 700 );
@if minimum_version(3.18)
!bootstrap_mode.(policy_server.enterprise_edition)::
# This functionality is only present on 3.18.0+ Enterprise hubs, and this
# promise uses the /content/ attribute which was first introduced in
# 3.16.0.
# If the next request state file doesn't exist, we seed one with 0, the
# lowest epoch value possible, because we populate variables from this
# file's content.
"$(_cmdb_next_request_state_file)"
content => "0$(const.n)",
handle => "cmdb_data_change_next_seed",
if => and( not(fileexists("$(_cmdb_next_request_state_file)" )),
isvariable( "_cmdb_next_request_state_file" ));
@endif
# Write out the data for each host that had a data change
# NOTE(review): $(_i) comes from the keys of the API response and becomes a
# path component. This assumes the keys are plain host identifiers with no
# path separators - TODO confirm the API guarantees that, or check $(_i)
# against the expected key format before writing.
"$(sys.workdir)/cmdb/$(_i)/host_specific.json"
create => "true", # CFE-2329, ENT-4792
template_data => mergedata("_get_cmdb_data_response_d[data][$(_i)]" ), # mergedata() is necessary in order to pick out a substructure, parsejson() is insufficient because expanding a key results in iteration of /values/ under that key
template_method => "inline_mustache",
edit_template_string => string_mustache( "{{$-top-}}", "_get_cmdb_data_response_d[data][$(_i)]" ),
if => isgreaterthan( $(_next_request_from), $(_cmdb_previous_next_request_from) );
@if minimum_version(3.18)
# This functionality is only present on 3.18.0+ Enterprise hubs, and this
# promise uses the /content/ attribute which was first introduced in
# 3.16.0.
# Write out the last data change timestamp so we can use it as a starting point
"$(_cmdb_next_request_state_file)"
handle => "cmdb_data_change_next_update",
content => "$(_next_request_from)$(const.n)",
unless => strcmp( $(_next_request_from), $(_cmdb_previous_next_request_from) );
@endif
reports:
DEBUG|DEBUG_cfe_internal_update_cmdb_data_distribution::
"'$(_get_cmdb_data_cmd)' response indicates '$(sys.workdir)/cmdb/$(_i)/host_specific.json' needs refreshed"
if => and( isvariable( "_i" ),
isgreaterthan( $(_next_request_from), $(_cmdb_previous_next_request_from) ));
}
bundle agent cfe_internal_update_cmdb_data_consumption
# @brief Keep the locally cached CMDB data in sync with the policy hub
#
# First makes sure the cache directory exists, then mirrors the data offered
# by the hub into it using the `u_cmdb_data` copy_from body.
{
  files:
      # The cache directory has to exist before anything can be copied into it.
      "$(sys.workdir)/data/."
        comment => "If a host is to load data from the CMDB, it needs to have a directory where said data is cached.",
        create  => "true";

      # Recursive mirror of everything the hub offers for this host.
      "$(sys.workdir)/data/." -> { "ENT-6788", "ENT-8847" }
        comment      => "So that hosts have access to the most recent CMDB data, we make sure that it's up to date.",
        copy_from    => u_cmdb_data,
        file_select  => u_all,
        depth_search => u_recurse( inf ),
        action       => u_immediate;
}
#########################################################
# Self-contained bodies from the lib to avoid dependencies
#########################################################
body copy_from u_cmdb_data
# @brief Sync CMDB data from policy server
# Note: Not all hosts necessarily have CMDB data, hence `missing_ok`.
#
# The copy is compared by digest, keeps no backups and purges local files that
# the source no longer has. `trustkey` is "false", so an unknown server key is
# not accepted automatically by this copy.
# NOTE(review): `hub_cmdb` is a bare name rather than a path - presumably a
# shortcut resolved by the server; confirm against the server access rules.
{
      servers     => { "$(sys.policy_hub)" };
      source      => "hub_cmdb";
      compare     => "digest";
      trustkey    => "false";
      copy_backup => "false";
      purge       => "true";
@if minimum_version(3.12)
      missing_ok  => "true";
@endif
}
body perms u_m(p)
# @brief Ensure file mode is `p`
# @param p Desired file mode
#
# `rxdirs` is set to "true" and then set again to "false" inside the
# `minimum_version(3.20)` macro, so agents from 3.20 on are meant to apply the
# mode to directories exactly as given.
{
      mode   => "$(p)";

      #+begin_ENT-951
      # Remove after 3.20 is not supported
      rxdirs => "true";
@if minimum_version(3.20)
      rxdirs => "false";
@endif
      #+end
}
#########################################################
body perms u_mo(p,o)
# @brief Ensure file mode is `p` and owner is `o`
# @param p Desired file mode
# @param o Desired file owner (username or uid)
#
# The owner is not promised on Windows or Termux; only the mode applies there.
{
      mode   => "$(p)";

      #+begin_ENT-951
      # Remove after 3.20 is not supported
      rxdirs => "true";
@if minimum_version(3.20)
      rxdirs => "false";
@endif
      #+end

    !(windows|termux)::
      owners => { "$(o)" };
}
#########################################################
body perms u_shared_lib_perms
# @brief Shared library permissions
#
# Mode 0644 everywhere except HP-UX, where 0755 is used.
{
      #+begin_ENT-951
      # Remove after 3.20 is not supported
      rxdirs => "true";
@if minimum_version(3.20)
      rxdirs => "false";
@endif
      #+end

    !hpux::
      mode => "0644";

    hpux::
      mode => "0755"; # Mantis 1114, Redmine 1179
}
#########################################################
body file_select u_all
# @brief Select every file system entry, whatever its name
{
      file_result => "leaf_name";
      leaf_name   => { ".*" };
}
body file_select u_cf3_files
# @brief Select entries whose name starts with `cf-` (cfengine binaries)
{
      file_result => "leaf_name";
      leaf_name   => { "cf-.*" };
}
#########################################################
body file_select u_input_files
# @brief Select the files to include when updating inputs, by name pattern
#
# The patterns come from `update_def.input_name_patterns` plus
# `update_def.input_name_patterns_extra`; anything not matching one of them is
# left out of the inputs copy.
{
      file_result => "leaf_name";
      leaf_name   => {
                       @(update_def.input_name_patterns),
                       @(update_def.input_name_patterns_extra),
                     };
}
#########################################################
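body copy_from u_rcp(from,server)
# @brief Ensure file is a copy of `from` on `server` using digest comparison
# @param from The path to copy from
# @param server The remote host to copy from
#
# Defaults: digest comparison, `trustkey => "false"` (an unknown server key is
# not accepted automatically) and `purge => "true"` (local files missing from
# the source are removed). The class-guarded attributes below switch on
# encryption, permission preservation and transfer verification, or switch off
# purging.
{
      source   => "$(from)";
      compare  => "digest";
      trustkey => "false";
      purge    => "true"; # CFE-3662

      # CFE-2932 For testing, we want to be able to avoid this local copy optimization.
      # Without `servers` the copy is a local one, which is what the hub does by default.
      # The guard previously named only `mpf_skip_local_copy_optimizaton`
      # (misspelled), so defining the correctly spelled class used by the
      # portnumber guard below had no effect here. Both spellings are accepted so
      # that hosts already defining the old name behave as before.
    !am_policy_hub|mpf_skip_local_copy_optimization|mpf_skip_local_copy_optimizaton::
      servers => { "$(server)" };

      # NOTE(review): because of the leading `!am_policy_hub`, this guard never
      # applies on the hub, even when the local copy optimization is skipped -
      # confirm that is intended.
    !am_policy_hub.(sys_policy_hub_port_exists|mpf_skip_local_copy_optimization)::
      portnumber => "$(sys.policy_hub_port)";

    cfengine_internal_encrypt_transfers::
      encrypt => "true";

    cfengine_internal_purge_policies_disabled::
      purge => "false";

    cfengine_internal_preserve_permissions::
      preserve => "true";

    cfengine_internal_verify_update_transfers::
      verify => "true";
}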
#########################################################
body copy_from u_cp(from)
# @brief Ensure file is a copy of the local path `from`, compared by digest
# @param from The local path to copy from
{
      compare => "digest";
      source  => "$(from)";
}
#########################################################
body copy_from u_cp_nobck(from)
# @brief Copy from the local path `from` with digest comparison, keeping no backup
# @param from The local path to copy from
{
      copy_backup => "false";
      compare     => "digest";
      source      => "$(from)";
}
#########################################################
body copy_from u_cp_missing_ok(from)
# @brief Same as `u_cp`, but a missing source `from` is not an error
# @param from The local path to copy from
{
      inherit_from => u_cp($(from));
      missing_ok   => "true";
}
body copy_from u_remote_dcp_missing_ok(from,server)
# @brief Download a file from a remote server if it is available and differs
# from the local copy (digest comparison).
#
# @param from The location of the file on the remote server
# @param server The hostname or IP of the server from which to download
#
# Unlike `u_rcp`, this body sets no `trustkey` attribute of its own.
#
# **See Also:** `remote_dcp()`
{
      source     => "$(from)";
      servers    => { "$(server)" };
      compare    => "digest";
      missing_ok => "true";
}
#########################################################
body action u_immediate
# @brief Actuate the promise on every run: the minimum time between
# evaluations (`ifelapsed`) is zero
{
      ifelapsed => "0";
}
#########################################################
body depth_search u_recurse(d)
# @brief Search recursively for files up to `d` levels, skipping common
# version control directories
# @param d Maximum depth to search recursively
{
      exclude_dirs => { "\.svn", "\.git", "git-core" };
      depth        => "$(d)";
}
#########################################################
body depth_search u_infinite_client_policy
# @brief Search recursively without depth limit, skipping version control
# directories and `.no-distrib` directories
#
# Takes no parameters. Content under a `.no-distrib` directory is therefore
# never distributed to clients by promises using this body.
# Duplicated in embedded bootstrap/failsafe
{
      exclude_dirs => { "\.svn", "\.git", "git-core", "\.no-distrib" };
      depth        => "inf";
}
#########################################################
body depth_search u_recurse_basedir(d)
# @brief Search recursively for files up to `d` levels, skipping common
# version control directories and including the base directory itself
# @param d Maximum depth to search recursively
{
      depth           => "$(d)";
      include_basedir => "true";
      exclude_dirs    => { "\.svn", "\.git", "git-core" };
}
#########################################################
body classes u_if_repaired(x)
# @brief Define class `x` when the promise is repaired
# @param x Class to define if promise repaired
{
      promise_repaired => { "$(x)" };
}
#########################################################
body classes u_if_repaired_then_cancel(y)
# @brief Cancel class `y` if the promise is repaired
# @param y Class to undefine if promise repaired
{
      cancel_repaired => { "$(y)" };
}
#########################################################
body classes u_if_else(yes,no)
# @brief Define `yes` if the promise is repaired, and `no` if the repair
# fails, is denied or times out
# @param yes Class to define if promise repaired
# @param no Class to define if the promise could not be repaired
#
# A promise that is merely kept defines neither class (the `promise_kept`
# line is commented out).
{
      # promise_kept => { "$(yes)" };
      promise_repaired => { "$(yes)" };

      repair_failed    => { "$(no)" };
      repair_denied    => { "$(no)" };
      repair_timeout   => { "$(no)" };
}
#########################################################
body contain u_in_shell
# @brief Run command within shell environment
#
# The whole promiser string is handed to a shell, so commands promised with
# this body should not interpolate values that have not been validated.
{
      useshell => "true";
}
#########################################################
body contain u_in_shell_and_silent
# @brief Run command within shell environment, discarding its output
#
# As with `u_in_shell`, the promiser string is interpreted by a shell. With
# `no_output` set, the command's output is not available for troubleshooting.
{
      no_output => "true";
      useshell  => "true";
}
########################################################""
body contain u_postgres
# @brief Run command in a shell as the `cfpostgres` user and group
#
# The command runs from `/tmp` with its output suppressed. Running as
# `cfpostgres` keeps the database commands off the root account.
{
      exec_owner => "cfpostgres";
      exec_group => "cfpostgres";
      useshell   => "useshell";
      chdir      => "/tmp";
      no_output  => "true";
}
#########################################################
body action u_ifwin_bg
# @brief Run the promise in the background, but only when `windows` is defined
{
    windows::
      background => "true";
}
#########################################################
body service_method u_bootstart
# @brief Service method whose autostart policy is `boot_time`
{
      service_autostart_policy => "boot_time";
}
#########################################################
body contain u_in_dir(s)
# @brief Run command with `s` as its working directory
# @param s Path to change into before running command
{
      chdir => "$(s)";
}
#########################################################
body contain u_silent_in_dir(s)
# @brief Run command with `s` as its working directory, discarding its output
# @param s Path to change into before running command
{
      no_output => "true";
      chdir     => "$(s)";
}
#########################################################
body link_from u_ln_s(x)
# @brief Symlink to `x`, even if it does not exist
# @param x Path to symlink
#
# `when_no_source => "force"` creates the link although the target is absent,
# so the result can be a dangling symlink.
#@ **Example:**
#@ ```cf3
#@ bundle agent example u_ln_s {
#@ files:
#@ "$(symlink_path)"
#@ link_from => u_ln_s("$(python)"),
#@ move_obstructions => "true",
#@ if => isvariable("python");
#@ }
#@ ```
{
      source         => "$(x)";
      link_type      => "symlink";
      when_no_source => "force";
}
#########################################################
body delete u_tidy
# @brief Delete directories and symlinks
#
# Links to directories are deleted as links (`dirlinks => "delete"`) and
# directories are removed as well (`rmdirs => "true"`).
#@ **Example:**
#@ ```cf3
#@ bundle agent example u_tidy {
#@ files:
#@ "$(symlink_path)"
#@ delete => u_tidy,
#@ if => not(isvariable("python"));
#@ }
#@ ```
{
      rmdirs   => "true";
      dirlinks => "delete";
}
bundle agent modules_presence
# @brief Render vendored and user provided modules from $(sys.inputdir) to $(sys.workdir)
#
# @description This bundle manages the contents of $(sys.workdir)/modules by
# first dealing with package module scripts.
# Preference is given to user provided package module scripts in
# modules/packages directory. If a module there matches a mustache
# template in modules/packages/vendored directory then the user
# provided module will be installed.
#
# e.g. modules/packages/apt_get takes precedence over modules/packages/apt_get.mustache
#
# Any other files in the modules directory will be promised to
# be updated in $(sys.workdir)/modules, including any sub-directories.
#
# Security note: everything installed here ends up owned by root with execute
# permission (mode 755, or 500 for rendered custom templates), so any file that
# reaches the modules directory of the inputs becomes a root-owned executable.
{
vars:
# All three directories are resolved relative to this policy file.
"_vendored_dir" string => "$(this.promise_dirname)$(const.dirsep)..$(const.dirsep)..$(const.dirsep)modules$(const.dirsep)packages$(const.dirsep)vendored$(const.dirsep)";
"_override_dir" string => "$(this.promise_dirname)$(const.dirsep)..$(const.dirsep)..$(const.dirsep)modules$(const.dirsep)packages$(const.dirsep)";
"_custom_template_dir" string => "$(this.promise_dirname)$(const.dirsep)..$(const.dirsep)..$(const.dirsep)modules$(const.dirsep)mustache$(const.dirsep)";
"_vendored_paths" slist => findfiles("$(_vendored_dir)*.mustache");
"_custom_template_paths" slist => findfiles("$(_custom_template_dir)*.mustache"), if => isdir( "$(_custom_template_dir)" );
# Literal (non-regex), inverted filter: keep every path except the
# `vendored` directory entry itself.
"_package_paths" slist => filter("$(_override_dir)vendored", _package_paths_tmp, "false", "true", 999);
windows::
"_package_paths_tmp" slist => findfiles("$(_override_dir)*");
# \Q...\E quotes the directory so that it is matched literally.
"_vendored_modules" slist => maplist(regex_replace("$(this)", "\Q$(_vendored_dir)\E(.*).mustache", "$1", "g"), @(_vendored_paths));
"_override_modules" slist => maplist(regex_replace("$(this)", "\Q$(_override_dir)\E(.*)", "$1", "g"), @(_package_paths));
# replace single backslashes in a windows path with double-backslashes
# to avoid problems with things like `C:\Program Files` and `\promises`
# causing PCRE to try and interpret special escape sequences.
# NOTE(review): unlike the !windows regex below, this one excludes only
# packages/vendored, not the mustache directory; no _custom_template_modules
# list is defined for windows either - confirm this is intended.
"_not_vendored_modules_pathname_regex" string => regex_replace("$(sys.inputdir)$(const.dirsep)modules$(const.dirsep)(?!packages$(const.dirsep)vendored).*","\\\\","\\\\\\\\","g");
!windows::
"_package_paths_tmp" slist => findfiles("$(_override_dir)*");
# NOTE(review): here the directory paths are interpolated into the regex
# without \Q...\E, so regex metacharacters in the path are not quoted.
"_vendored_modules" slist => maplist(regex_replace("$(this)", "$(_vendored_dir)(.*).mustache", "$1", "g"), @(_vendored_paths));
"_override_modules" slist => maplist(regex_replace("$(this)", "$(_override_dir)(.*)", "$1", "g"), @(_package_paths));
"_custom_template_modules" slist => maplist(regex_replace("$(this)", "$(_custom_template_dir)(.*).mustache", "$1", "g"), @(_custom_template_paths));
# Matches everything under inputs/modules except packages/vendored and
# mustache/, which are handled by the dedicated promises below.
"_not_vendored_modules_pathname_regex" string => "$(sys.inputdir)/modules/(?!(packages/vendored|mustache/)).*";
classes:
# One class per module name; they decide below whether the vendored
# template is rendered or the user provided file is copied.
"override_vendored_module_$(_vendored_modules)" expression => fileexists("$(_override_dir)$(_vendored_modules)");
"override_module_$(_override_modules)" expression => fileexists("$(_override_dir)$(_override_modules)");
# NOTE: here we are using the .mustache extension only to
# ensure that the modules scripts are copied as part of
# update (see controls/update_def.cf input_name_patterns var.
files:
# Vendored package modules: rendered from their template unless a user
# provided module of the same name exists.
"$(sys.workdir)/modules/packages/$(_vendored_modules)"
create => "true",
perms => u_mo("755", "root"),
unless => canonify("override_vendored_module_$(_vendored_modules)"),
edit_template => "$(_vendored_dir)$(_vendored_modules).mustache",
template_method => "mustache";
# User provided package modules are copied as they are.
"$(sys.workdir)/modules/packages/$(_override_modules)"
copy_from => u_cp_missing_ok("$(_override_dir)$(_override_modules)"),
perms => u_mo("755", "root"),
if => or (
canonify("override_vendored_module_$(_override_modules)"),
canonify("override_module_$(_override_modules)"));
# Custom templated modules get the tightest mode: owner read/execute only.
"$(sys.workdir)/modules/$(_custom_template_modules)" -> { "ENT-10793" }
comment => "We want to render mustache templated modules",
handle => "cfe_internal_update_policy_files_custom_template_modules",
template_method => "mustache",
edit_template => "$(_custom_template_dir)$(_custom_template_modules).mustache",
perms => u_mo("500", "root"),
if => fileexists("$(_custom_template_dir)$(_custom_template_modules).mustache");
# Everything else under inputs/modules is mirrored recursively with mode 755.
"$(sys.workdir)/modules"
comment => "Copy any non-packages modules",
handle => "cfe_internal_update_policy_files_nonpackages_modules",
copy_from => u_cp("$(sys.inputdir)$(const.dirsep)modules"),
if => fileexists("$(sys.inputdir)$(const.dirsep)modules"),
depth_search => u_recurse("inf"),
perms => u_mo("755", "root"),
action => u_immediate,
file_select => not_vendored_modules("$(_not_vendored_modules_pathname_regex)");
reports:
DEBUG::
"_override_dir: $(_override_dir)";
"_package_paths_tmp: $(with)" with => storejson(_package_paths_tmp);
"_not_vendored_modules_pathname_regex: $(_not_vendored_modules_pathname_regex)";
"_vendored_modules: $(_vendored_modules)";
"_override_modules: $(_override_modules)";
"_vendored_dir: $(_vendored_dir)";
"_vendored_paths: $(_vendored_paths)";
"_override_dir: $(_override_dir)";
"_package_paths: $(_package_paths)";
"override_vendored_module_$(_vendored_modules)"
if => "override_vendored_module_$(_vendored_modules)";
"override_module_$(_override_modules)"
if => "override_module_$(_override_modules)";
"canonified: $(with)" with => canonify("override_vendored_module_$(_vendored_modules)");
}
body file_select not_vendored_modules(pathname)
# @brief Select files whose full path matches the regular expression `pathname`
# @param pathname Regular expression matched against the full path
{
      file_result => "path_name";
      path_name   => { "$(pathname)" };
}
#########################################################
body file_select u_dirs
# @brief Select directories only
{
      file_result => "file_types";
      file_types  => { "dir" };
}
body file_select u_not_dir
# @brief Select every entry that is not a directory
#
# Same `file_types` list as `u_dirs`; the result expression is negated.
{
      file_result => "!file_types";
      file_types  => { "dir" };
}
cfengine-masterfiles-3.24.2/cfe_internal/update/update_processes.cf 0000644 0000000 0000000 00000042234 15010704240 025465 0 ustar 00root root 0000000 0000000 ################################################################################
#
# DO NOT EDIT THIS FILE. All policy files prefixed with CFE_ and update_bins.cf
# are maintained by CFEngine and its original state is required for internal
# operations of CFEngine. If the file has been modified CFEngine's upgrades
# may require manual intervention. Contact CFEngine support if additional
# information and/or recommendation is needed.
#
################################################################################
################################################################################
#
# update_processes
# - To enable/disable CFEngine based processes, use the slists below.
################################################################################
bundle common cfe_internal_process_knowledge
# @brief Variables related to CFEngine's own processes used in other bundles
# TODO Redact use of this bundle. It's no longer useful now that bindir variable exists. Not clear why its unset on windows.
{
  vars:
    !windows::
      # Plain alias of $(sys.bindir); left undefined on Windows.
      "bindir"
        string  => "$(sys.bindir)",
        comment => "Use a system variable";
}
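bundle agent cfe_internal_update_processes
# @brief Determine which cfengine components should be managed, and what their
# state should be.
#
# By default all the relevant services will run on each host. For example all
# hosts will run cf-execd, cf-serverd, and cf-monitord. Individual services can
# be disabled:
#
# * If persistent_disable_COMPONENT ( persistent_disable_cf_serverd,
# persistent_disable_cf_monitord) is defined the service will be disabled.
#
# * If the component is found in def.agents_to_be_disabled it will be disabled.
#
# * To enable component management on hosts with systemd define the class
# `mpf_enable_cfengine_systemd_component_management`.
#
# Without that class nothing in this bundle enforces the disabled list on
# systemd hosts; the reports below only warn about it. A component you expect
# to be off (for example cf-serverd) may therefore still be running there.
{
classes:
# systemd_supervised mirrors the systemd class for the scope of this bundle.
"systemd_supervised"
scope => "bundle",
expression => "systemd";
reports:
inform.systemd_supervised.!mpf_enable_cfengine_systemd_component_management::
"NOTE: You have defined a class to persistently disable a cfengine
component on a systemd managed host, but you have not defined
mpf_enable_cfengine_systemd_component_management in order to enable
management"
if => classmatch( "persistent_disable_cf_.*" );
"NOTE: You have explicitly listed components that should be disabled in def.agents_to_be_disabled.
This host is managed by systemd and requires the class
mpf_enable_cfengine_systemd_component_management in order to enable
active management"
if => some( ".*", @(def.agents_to_be_disabled) );
vars:
any::
# By default the core components are expected to be running in all cases.
"agent[cf_execd]" string => "cf-execd";
"agent[cf_serverd]" string => "cf-serverd";
"agent[cf_monitord]" string => "cf-monitord";
policy_server.enterprise_edition::
"agent[cf_hub]"
string => "cf-hub",
comment => "cf-hub is only relevant on Enterprise hubs";
"agent[cf_reactor]"
string => "cf-reactor",
comment => "cf-reactor is only provided on Enterprise hubs";
systemd::
# On systemd hosts the cfengine3 service acts as an umbrella for other
# services.
"agent[cfengine3]"
string => "cfengine3",
comment => "systemd hosts use the cfengine3 service as an umbrella.
systemd_supervised hosts additionally have individual units
for each managed service.";
systemd_supervised.enterprise_edition.policy_server::
# Only enterprise systemd supervised hosts have these additional service
# definitions for each component.
"agent[cf_postgres]" string => "cf-postgres";
"agent[cf_apache]" string => "cf-apache";
any::
# We get a consolidated list of all agents for the executing host.
"all_agents" slist => getvalues( agent );
# We use def.agents_to_be_disabled if it exists, otherwise we default to
# no agents being disabled.
"agents_to_be_disabled"
comment => "CFE processes that should not be enabled",
handle => "cfe_internal_update_processes_vars_agents_to_be_disabled",
slist => { @(def.agents_to_be_disabled) },
if => isvariable( "def.agents_to_be_disabled" );
"agents_to_be_disabled"
comment => "The default agents that should not be enabled.",
handle => "cfe_internal_update_processes_vars_default_agents_to_be_disabled",
slist => { },
if => not( isvariable("def.agents_to_be_disabled") );
# An agent is disabled if there is a persistently defined disablement
# class OR if the agent is found in a list of agents to be specifically
# disabled.
"disabled[$(all_agents)]"
string => "$(all_agents)",
if => or( canonify( "persistent_disable_$(all_agents)" ),
some( "$(all_agents)", agents_to_be_disabled ));
# The class name used to be misspelled here as
# `failover_to_repliacation_node_enabled`. Nothing else in this file defines
# that name, so the negation was effectively always true and cf-hub was listed
# as disabled on every replication-only node, even with failover enabled. The
# spelling now matches the one used in maintain_cfe_hub_process.
# NOTE(review): `.` binds tighter than `|`, so the second alternative applies
# regardless of systemd_supervised/policy_server - confirm that is intended.
systemd_supervised.policy_server.enterprise.hub_passive|(ha_replication_only_node.!failover_to_replication_node_enabled)::
# We want the enterprise component cf-hub to be disabled if running on a
# passive hub or replication only hub.
"disabled[cf_hub]" string => "cf-hub";
any::
# First we get the consolidated list of agents to be disabled.
"agents_to_be_disabled" slist => getvalues( disabled );
# Any agent that is not explicitly disabled should be enabled.
"agents_to_be_enabled" slist => difference( all_agents, agents_to_be_disabled );
methods:
systemd.!systemd_supervised::
# TODO Remove from policy.
# This makes sure the cfengine3 (umbrella) unit is active. It does not
# make any assertions about individual components. Furthermore, since
# commit 6a7fe6b3fa466e55b29eca75cd53ff8b2883ff0e (introduced in 3.14)
# this policy won't be run because systemd_supervised is defined any time
# systemd is defined.
"CFENGINE systemd service"
usebundle => maintain_cfe_systemd,
comment => "Call a bundle to maintain CFEngine with systemd",
handle => "cfe_internal_update_processes_methods_maintain_systemd";
systemd_supervised.mpf_enable_cfengine_systemd_component_management::
"CFEngine systemd Unit Definitions"
usebundle => cfe_internal_systemd_unit_files;
"CFEngine systemd Unit States"
usebundle => cfe_internal_systemd_service_unit_state;
am_policy_hub.enterprise.!systemd_supervised::
"TAKING CARE CFE HUB PROCESSES"
usebundle => maintain_cfe_hub_process,
comment => "Call a bundle to maintian HUB processes",
handle => "cfe_internal_update_processes_methods_maintain_hub";
!windows.!systemd_supervised::
# Each of the three promises below iterates over its list, calling the
# target bundle once per component.
"DISABLING CFE AGENTS"
usebundle => disable_cfengine_agents("$(agents_to_be_disabled)"),
comment => "Call a bundle to disable CFEngine given processes",
handle => "cfe_internal_update_processes_methods_disabling_cfe_agents";
"CHECKING FOR PERSISTENTLY DISABLED CFE AGENTS"
usebundle => disable_cfengine_agents($(all_agents)),
if => canonify("persistent_disable_$(all_agents)"),
comment => "Call a bundle to disable CFEngine given processes if persistent_disable_x is set",
handle => "cfe_internal_update_processes_methods_maybe_disabling_cfe_agents";
"ENABLING CFE AGENTS"
usebundle => enable_cfengine_agents("$(agents_to_be_enabled)"),
comment => "Call a bundle to enable CFEngine given processes",
handle => "cfe_internal_update_processes_methods_enabling_cfe_agents";
windows::
"CFENGINE on Windows"
usebundle => maintain_cfe_windows,
comment => "Call a bundle to maintain CFEngine on Windows",
handle => "cfe_internal_update_processes_methods_maintain_windows";
}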
#
###############################################################################
#
bundle agent maintain_cfe_hub_process
# @brief Ensure the proper processes are running on Enterprise hubs.
#
# @description Watches for vacuumdb, postgres and cf-hub, starts postgres and
# cf-hub when they are missing, and terminates cf-hub on an HA replication-only
# node that has no failover enabled. Postgres is started through the
# `u_postgres` contain body, i.e. as the cfpostgres user rather than as root.
{
vars:
am_policy_hub::
"file_check" string => translatepath("$(cfe_internal_update_policy_cpv.inputs_dir)/promises.cf"),
comment => "Path to a policy file",
handle => "cfe_internal_maintain_cfe_hub_process_vars_file_check";
#
classes:
am_policy_hub::
"files_ok" expression => fileexists("$(file_check)"),
comment => "Check for $(sys.workdir)/inputs/promises.cf",
handle => "cfe_internal_maintain_cfe_hub_process_classes_files_ok";
am_policy_hub.enable_cfengine_enterprise_hub_ha::
# With HA enabled, cf-hub runs on every node except a replication-only node
# without failover; on that node it is terminated instead.
"ha_run_hub_process"
or => { "!ha_replication_only_node",
"ha_replication_only_node.failover_to_replication_node_enabled" };
"ha_kill_hub_process"
or => { "ha_replication_only_node.!failover_to_replication_node_enabled" };
#
processes:
am_policy_hub::
# restart_class is defined when no matching process is found, so
# no_vacuumdb means that vacuumdb is not running at the moment.
"$(cfe_internal_process_knowledge.bindir)/vacuumdb"
restart_class => "no_vacuumdb",
comment => "Monitor vacuumdb process",
handle => "cfe_internal_maintain_cfe_hub_process_processes_check_vacuumdb",
if => "nova|enterprise";
am_policy_hub.!enable_cfengine_enterprise_hub_ha::
"$(cfe_internal_process_knowledge.bindir)/postgres"
restart_class => "start_postgres_server",
comment => "Monitor postgres process",
handle => "cfe_internal_maintain_cfe_hub_process_processes_postgres",
if => "nova|enterprise";
am_policy_hub.!enable_cfengine_enterprise_hub_ha.files_ok.!windows|ha_run_hub_process::
# cf-hub is only (re)started while vacuumdb is not running and the
# component has not been persistently disabled.
"cf-hub" restart_class => "start_hub",
comment => "Monitor cf-hub process",
handle => "cfe_internal_maintain_cfe_hub_process_processes_cf_hub",
if => and( "(nova|enterprise).no_vacuumdb",
"!persistent_disable_cf_hub" ); # Don't start it if it's persistently disabled
am_policy_hub.ha_kill_hub_process::
"cf-hub" signals => { "term" },
comment => "Terminate cf-hub on backup HA node outside cluster",
handle => "cfe_internal_kill_hub_process_on_inactive_ha_node";
#
files:
# No class guard: this applies whenever the bundle is evaluated. Mode 0600
# with owner cfpostgres keeps the database log unreadable for other users.
# The path repeats the value of cfe_internal_update_policy_cpv.postgresdb_log.
"/var/log/postgresql.log"
comment => "Ensure postgres.log file is there with right permissions",
handle => "cfe_internal_maintain_cfe_hub_process_files_create_postgresql_log",
create => "true",
perms => u_mo("0600","cfpostgres");
#
commands:
!windows.am_policy_hub.!enable_cfengine_enterprise_hub_ha.start_postgres_server::
# Runs through a shell as cfpostgres (see u_postgres); the data directory and
# log path are the fixed values defined in cfe_internal_update_policy_cpv.
"$(cfe_internal_process_knowledge.bindir)/pg_ctl -D $(cfe_internal_update_policy_cpv.postgresdb_dir) -l $(cfe_internal_update_policy_cpv.postgresdb_log) start"
contain => u_postgres,
comment => "Start postgres process",
classes => u_kept_successful_command,
handle => "cfe_internal_maintain_cfe_hub_process_commands_start_postgres";
!windows.am_policy_hub.start_hub::
"$(sys.cf_hub)"
comment => "Start cf-hub process",
classes => u_kept_successful_command,
handle => "cfe_internal_maintain_cfe_hub_process_commands_start_cf_hub";
}
#
###############################################################################
#
bundle agent disable_cfengine_agents(process)
# @brief Ensure cfengine component is not running
# @param process The name of the cfengine component binary to ensure not running. [cf-agent, cf-serverd, cf-monitord, cf-hub]
#
# Every promise here is guarded by !windows, so the bundle does nothing on
# Windows hosts.
{
  vars:
    !windows::
      # Class-safe form of the process name, used to build the guard class.
      "cprocess"
        string => canonify("$(process)"),
        handle => "cfe_internal_disable_cfengine_agents_vars_cprocess",
        comment => "Canonify a given process";

  classes:
    !windows::
      # strcmp of a value with itself always matches once $(process) expands,
      # so this class is set unconditionally for the given process.
      "disable_$(cprocess)"
        expression => strcmp("$(process)","$(process)"),
        handle => "cfe_internal_disable_cfengine_agents_classes_disable_process",
        comment => "Create a class to disable a given process";

  processes:
    !windows::
      # The promiser is matched against the process table; matches get TERM.
      "$(cfe_internal_process_knowledge.bindir)/$(process)"
        signals => { "term" },
        handle => "cfe_internal_disable_cfengine_agents_processes_terminate_process",
        comment => "Terminate $(process)",
        if => "disable_$(cprocess)";
}
#
###############################################################################
#
bundle agent enable_cfengine_agents(process)
# @brief Ensure cfengine component is running
# @param process The name of the cfengine component binary to ensure running. [cf-agent, cf-serverd, cf-monitord, cf-hub]
#
# A component is left alone while persistent_disable_<component> is set. That
# class is set by running the agent with -Dset_persistent_disable_<component>
# and cancelled with -Dclear_persistent_disable_<component>; both are handled
# by the reports promises at the end of this bundle.
{
  vars:
    !windows::
      # Class-safe form of the process name; also the name of the sys variable
      # that holds the component's binary path (for example sys.cf_serverd).
      "cprocess"
        string => canonify("$(process)"),
        handle => "cfe_internal_enable_cfengine_agents_vars_cprocess",
        comment => "Canonify a given process";

  classes:
    !windows::
      "enable_$(cprocess)"
        expression => "!persistent_disable_$(cprocess)",
        handle => "cfe_internal_enable_cfengine_agents_classes_enable_process",
        comment => "Create a class to enable a given process";

  processes:
    !windows::
      # restart_class is raised when no matching process is found.
      "$(cfe_internal_process_knowledge.bindir)/$(process)"
        restart_class => "restart_$(cprocess)",
        handle => "cfe_internal_enable_cfengine_agents_processes_restart_process",
        comment => "Create a class to restart a process",
        if => "enable_$(cprocess)";

  commands:
    !windows::
      # The command is the value of sys.<cprocess>; the isvariable() guard
      # skips the promise when no such sys variable exists.
      "$(sys.$(cprocess))"
        classes => u_kept_successful_command,
        handle => "cfe_internal_enable_cfengine_agents_commands_restart_process",
        comment => "Restart a process",
        if => and( "restart_$(cprocess)",
                   isvariable( "sys.$(cprocess)" ) );

  reports:
      # No class guard here: unlike the sections above, these promises are not
      # limited to !windows.
      "The process $(process) is persistently disabled. Run with '-Dclear_persistent_disable_$(cprocess)' to re-enable it."
        if => and( "persistent_disable_$(cprocess)",
                   isvariable( "sys.$(cprocess)" ));

      # u_clear_always cancels the persistent class whatever the outcome.
      "The process $(process) has been re-enabled. Run with '-Dset_persistent_disable_$(cprocess)' to disable it persistently again."
        classes => u_clear_always("persistent_disable_$(cprocess)"),
        if => and( "clear_persistent_disable_$(cprocess)",
                   isvariable( "sys.$(cprocess)" ));

      # u_always_forever sets the class with a very long persist_time, so the
      # component stays disabled across agent runs until explicitly cleared.
      "The process $(process) has been disabled persistently. Run with '-Dclear_persistent_disable_$(cprocess)' to re-enable it."
        classes => u_always_forever("persistent_disable_$(cprocess)"),
        if => "set_persistent_disable_$(cprocess)";
}
#
###############################################################################
#
bundle agent maintain_cfe_windows
# @brief Ensure cfengine components are running
#
# Windows only: files_ok is defined only under the windows class, and every
# process and service promise depends on it.
{
  vars:
    windows::
      "file_check"
        string => translatepath("$(cfe_internal_update_policy_cpv.inputs_dir)/promises.cf"),
        handle => "cfe_internal_maintain_cfe_windows_vars_file_check",
        comment => "Path to a policy file";

  classes:
    windows::
      # NOTE(review): the promise comment names the masterfiles path, but the
      # file actually tested is promises.cf under inputs_dir (see file_check).
      "files_ok"
        expression => fileexists("$(file_check)"),
        handle => "cfe_internal_maintain_cfe_windows_classes_files_ok",
        comment => "Check for /var/cfengine/masterfiles/promises.cf";

  processes:
    files_ok::
      # restart_class is raised when no matching process is found.
      "cf-serverd"
        restart_class => "start_server",
        handle => "cfe_internal_maintain_cfe_windows_processes_cf_serverd",
        comment => "Monitor cf-serverd process";

      "cf-monitord"
        restart_class => "start_monitor",
        handle => "cfe_internal_maintain_cfe_windows_processes_cf_monitord",
        comment => "Monitor cf-monitord process";

  services:
    files_ok.windows::
      "CfengineNovaExec"
        service_policy => "start",
        service_method => u_bootstart,
        handle => "cfe_internal_maintain_cfe_windows_services_windows_executor",
        comment => "Start the executor windows service now and at boot time";

  commands:
    start_server::
      "$(sys.cf_serverd)"
        action => u_ifwin_bg,
        classes => u_kept_successful_command,
        handle => "cfe_internal_maintain_cfe_windows_commands_start_cf_serverd",
        comment => "Start cf-serverd process";

    # restart_monitor is not defined in this bundle; it would have to be set
    # elsewhere.
    start_monitor|restart_monitor::
      "$(sys.cf_monitord)"
        action => u_ifwin_bg,
        classes => u_kept_successful_command,
        handle => "cfe_internal_maintain_cfe_windows_commands_start_cf_monitord",
        comment => "Start cf-monitord process";
}
bundle agent maintain_cfe_systemd
# @brief Ensure cfengine components are running
#
# On systemd hosts, asks systemd whether the cfengine3 unit is active and
# starts it when it is not.
{
  classes:
    systemd::
      # systemctl is called by absolute path and with "noshell", so neither
      # PATH lookup nor shell interpretation is involved in the check.
      "restart_cfe"
        not => returnszero("/bin/systemctl -q is-active cfengine3", "noshell"),
        handle => "cfe_internal_maintain_cfe_systemd_classes_restart_cfe",
        comment => "Check running status of CFEngine using systemd";

  commands:
    restart_cfe::
      "/bin/systemctl -q start cfengine3"
        handle => "cfe_internal_maintain_cfe_systemd_commands_start_cfe",
        comment => "Start CFEngine using systemd";
}
body classes u_clear_always(theclass)
# @brief Undefine `theclass` as a result of the promise actuation, no matter the outcome (kept, notkept, repaired)
# @param theclass Name of the class to cancel
{
      cancel_kept     => { $(theclass) };
      cancel_notkept  => { $(theclass) };
      cancel_repaired => { $(theclass) };
}
body classes u_always_forever(theclass)
# @brief Define `theclass` for 999999999 minutes (1902 years) as a result of the promise actuation, no matter the outcome (kept, notkept, repaired)
# @param theclass Name of the class to define persistently
#
# The class is namespace-scoped and persistent, so it remains set on later
# agent runs until something cancels it.
{
      promise_kept     => { $(theclass) };
      promise_repaired => { $(theclass) };
      repair_failed    => { $(theclass) };
      repair_denied    => { $(theclass) };
      repair_timeout   => { $(theclass) };
      persist_time     => 999999999;
      scope            => "namespace";
}
cfengine-masterfiles-3.24.2/cfe_internal/update/cfe_internal_update_from_repository.cf 0000644 0000000 0000000 00000003212 15010704240 031423 0 ustar 00root root 0000000 0000000 bundle common cfe_internal_update_from_repository_file_control
# @brief Define inputs needed for updating *masterfiles*, the default policy distribution point with content from an upstream VCS
{
vars:
"inputs" slist => { "$(this.promise_dirname)/lib.cf" };
}
body file control
# @brief Include policy needed for updating *masterfiles*, the default policy distribution point with content from an upstream VCS
{
      # The list itself is built in the common bundle
      # cfe_internal_update_from_repository_file_control.
      inputs => { @(cfe_internal_update_from_repository_file_control.inputs) };
}
bundle agent cfe_internal_update_from_repository
# @brief Ensure *masterfiles*, the default policy is up to date
#
# Only acts on a policy hub that also has the
# cfengine_internal_masterfiles_update class set.
{
  methods:
    am_policy_hub.cfengine_internal_masterfiles_update::
      "Update staged masterfiles from VCS"
        usebundle => cfe_internal_masterfiles_stage,
        action => u_immediate,
        handle => "cfe_internal_update_from_repository_methods_masterfiles_fetch",
        comment => "Grab the latest updates from upstream VCS repo before deploying masterfiles";
}
bundle agent cfe_internal_masterfiles_stage
# @brief Run masterfiles-stage.sh to update the default distribution of masterfiles
#
# The script's outcome is recorded in bundle-scoped classes prefixed with
# masterfiles_deploy, which the reports below consume.
{
  commands:
      # NOTE(review): this executes a script from $(update_def.dc_scripts) with
      # the agent's privileges; that directory and the script presumably need
      # to be writable only by trusted accounts - confirm where they are
      # deployed.
      "$(update_def.dc_scripts)/masterfiles-stage.sh"
        action => u_immediate,
        classes => u_kept_successful_command_results("bundle", "masterfiles_deploy"),
        handle => "masterfiles_update_stage";

  reports:
    masterfiles_deploy_not_kept::
      "Masterfiles deployment failed, for more info see '$(sys.workdir)/outputs/dc-scripts.log'";

    (DEBUG|DEBUG_cfe_internal_masterfiles_stage).(masterfiles_deploy_kept|masterfiles_deploy_repaired)::
      "DEBUG $(this.bundle): Masterfiles deployed successfully";
}
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/ 0000755 0000000 0000000 00000000000 15010704326 022501 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/cfe_internal/enterprise/templates/ 0000755 0000000 0000000 00000000000 15010704326 024477 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/cfe_internal/enterprise/templates/httpd.conf.mustache 0000644 0000000 0000000 00000025352 15010704240 030303 0 ustar 00root root 0000000 0000000 # This file is rendered by CFEngine
# manual edits will be reverted.
ServerSignature Off
ServerTokens ProductOnly
ServerName {{{vars.sys.fqhost}}}
ServerRoot "{{{vars.sys.workdir}}}/httpd"
{{^classes.cfe_enterprise_disable_plain_http}}
# ENT-10411
# ENT-10646 - Listen 80 often causes IPv6 related errors, specifying ipv4 squashes them.
# Unclear why the same is not an issue for 443
# To enable listening on ipv6 add Listen [::]:80
Listen 0.0.0.0:80
{{/classes.cfe_enterprise_disable_plain_http}}
PidFile "{{{vars.mission_portal_apache_from_stage.httpd_pid_file}}}"
# Modules
# Note: Not all modules that are built are loaded.
# Find built modules in {{{vars.sys.workdir}}}/httpd/modules
# Our default log format uses features provided by these modules
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
# We use the Header directive which is provided by this module
LoadModule headers_module modules/mod_headers.so
# We use the BrowserMatch directive which is provided by this module
LoadModule setenvif_module modules/mod_setenvif.so
# Associates the requested filename's extensions with the file's behavior
# (handlers and filters) and content (mime-type, language, character set and
# encoding)
LoadModule mime_module modules/mod_mime.so
# Provides for "trailing slash" redirects and serving directory index files
LoadModule dir_module modules/mod_dir.so
# Used for mapping in some nicer URL names
# TODO Consider removal after 3.20 is EOL (used by transition in 3.16)
LoadModule alias_module modules/mod_alias.so
# Required for http->https redirection and handling indexes
LoadModule rewrite_module modules/mod_rewrite.so
# Required for secure access
LoadModule ssl_module modules/mod_ssl.so
# Required to drop privileges
LoadModule unixd_module modules/mod_unixd.so
# Required for use of Order and Require commands
LoadModule access_compat_module modules/mod_access_compat.so
# Required for SSL Session Caching
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
# Required to log into mission portal
LoadModule authz_core_module modules/mod_authz_core.so
# TRACE can be useful for debugging, but can be abused to perform Cross-Site
# Tracing (XST) attacks in order to obtain access to user cookies via
# malicious scripting on the client side.
TraceEnable off
# The 'HttpOnly' flag makes the cookie inaccessible to client-side scripts,
# preventing it from being stolen using malicious client side scripts. The
# absence of this flag increases the likelihood of an attacker being able to
# compromise the user's cookie via a malicious script. When the 'secure' flag is
# used, the cookie is only sent over an encrypted HTTPS channel, and not over
# unencrypted HTTP.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# This module should not be loaded, this is just an extra measure.
UserDir disabled
User cfapache
Group cfapache
# Server configuration
# ServerAdmin root@localhost
DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}"
Order deny,allow
Deny from all
Options FollowSymLinks
AllowOverride None
DirectoryIndex index.html index.php
Order allow,deny
Deny from all
Satisfy All
ErrorLog "logs/error_log"
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %{username}n %t \"%r\" %>s %b" common_with_apache_notes_username
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
CustomLog "logs/access_log" common_with_apache_notes_username
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# Include conf/extra/httpd-ssl.conf
# This content used to be included from an external file
# /var/cfengine/httpd/conf/extra/httpd-ssl.conf
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:{{{vars.sys.workdir}}}/httpd/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLSessionTickets Off
# OCSP stapling is an extension that aims to improve SSL negotiation
# performance while maintaining visitor privacy. Disabled because of
# issues with self-signed certs.
SSLUseStapling off
# SSLStaplingCache "shmcb:logs/stabling-cache(150000)"
# TLS Compression should be disabled to avoid CRIME
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
# SSLCompression off
# As part of security hardening we minimize the features provided by OpenSSL.
# Case in point, we build openssl 3 without support for compression. As such,
# we do not explicitly disable SSL Compression beginning with CFEngine
# Enterprise 3.21.0, as apache is then unable to validate the configuration.
# This is not explicitly enabled, to allow the requesting client the first
# choice of supported ciphers
# SSLHonorCipherOrder On
# We expect that openssl is upgraded with each release and that the most
# recent openssl version possible will be used and that it defines ciphers
# considered HIGH appropriately. We use HIGH to get a good balance between
# browser compatibility and security. Use ~{{vars.sys.workdir}}/openssl ciphers
# -v HIGH~ to see what ciphers are considered HIGH security.
# SSLCipherSuite HIGH
# A more secure setting might be:
# SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLCipherSuite {{{vars.def.cfe_enterprise_mission_portal_apache_sslciphersuite}}}
# The SSL protocol versions allowed
SSLProtocol {{{vars.def.cfe_enterprise_mission_portal_apache_sslprotocol}}}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}"
Alias "/api" "{{{vars.cfe_internal_hub_vars.docroot}}}/api"
Alias "/api/static" "{{{vars.cfe_internal_hub_vars.docroot}}}/api/static"
Alias "/ldap" "{{{vars.cfe_internal_hub_vars.docroot}}}/ldap"
ServerName {{{vars.sys.fqhost}}}:443
# ServerAdmin root@localhost
ErrorLog "{{{vars.cfe_internal_hub_vars.error_log}}}"
LogFormat "%h %l %{username}n %t \"%r\" %>s %b"
TransferLog "{{{vars.cfe_internal_hub_vars.access_log}}}"
SSLEngine on
SSLCertificateFile "{{{vars.cfe_internal_hub_vars.SSLCertificateFile}}}"
SSLCertificateKeyFile "{{{vars.cfe_internal_hub_vars.SSLCertificateKeyFile}}}"
{{#classes.cfe_enterprise_have_SSLCACertificateFile_defined}}
SSLCACertificateFile "{{{vars.cfe_internal_hub_vars.SSLCACertificateFile}}}"
{{/classes.cfe_enterprise_have_SSLCACertificateFile_defined}}
# Enable HTTP Strict Transport Security (HSTS) so that browsers which have
# reached this host over HTTPS do not fall back to plain HTTP content.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy \
"frame-ancestors 'self'; \
default-src 'self'; \
script-src 'self' 'unsafe-inline'; \
style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
object-src 'none'; \
frame-src 'self'; \
child-src 'self'; \
img-src 'self' data: blob: avatars.githubusercontent.com badges.gitter.im fonts.gstatic.com kiwiirc.com raw.githubusercontent.com raw.github.com; \
font-src 'self' data: fonts.googleapis.com fonts.gstatic.com; \
connect-src 'self' fonts.gstatic.com fonts.googleapis.com; \
manifest-src 'self'; \
base-uri 'self'; \
form-action 'self'; \
media-src 'self'; \
worker-src 'self' blob:;"
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
AllowOverride None
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "{{{vars.cfe_internal_hub_vars.ssl_request_log}}}" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LoadModule php{{{vars.cfe_internal_hub_vars.php_version}}}_module modules/libphp{{{vars.cfe_internal_hub_vars.php_version}}}.so
AddHandler php{{{vars.cfe_internal_hub_vars.php_version}}}-script .php
AddType application/x-httpd-php-source php{{{vars.cfe_internal_hub_vars.php_version}}}
Options -Indexes +FollowSymLinks +MultiViews
Order deny,allow
AllowOverride None
RewriteEngine On
{{^classes.cfe_enterprise_disable_http_redirect_to_https}}
# Force https with redirection
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
{{/classes.cfe_enterprise_disable_http_redirect_to_https}}
{{#classes.mission_portal_index_php_redirect_enabled}}
# redirect from `index.php/path` to `/path`
RewriteCond %{REQUEST_URI} !(.*)/api/(.*) [NC] #do not apply redirect to internal APIs for backward compatibility
RewriteCond %{THE_REQUEST} /index\.php/(.+)\sHTTP [NC]
RewriteRule ^ /%1 [NE,L,R]
{{/classes.mission_portal_index_php_redirect_enabled}}
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^(.*)$ /index.php/$1 [NC,L]
Order deny,allow
AllowOverride None
RewriteEngine On
RewriteRule ^static/(.+)$ static/$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ dispatch.php [QSA,L]
Order deny,allow
AllowOverride None
# What do we use mod_mime for?
AddType text/csv .csv
AddType application/pdf .pdf
AddType application/json .json
Order deny,allow
AllowOverride None
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
# What's in here that got a specific deny?
Deny from all
AllowOverride None
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/templates/runalerts.sh.mustache 0000644 0000000 0000000 00000000737 15010704240 030664 0 ustar 00root root 0000000 0000000 # Rendered by CFEngine
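#!/bin/bash
# Loop forever: refresh the runalerts_all stamp file, run the Mission Portal
# "runalerts" CLI task for alert type "all", then sleep for the configured
# interval.
#
# NOTE(review): in the rendered file the shebang above appears to follow the
# "# Rendered by CFEngine" line, so it would not be the first line and would
# not select the interpreter; confirm and move it to line 1 of the template.
#
# Paths are double-quoted so that a work directory or docroot containing
# whitespace or glob characters is passed as one argument. The numeric
# template values are left unquoted so an empty rendering still drops the
# argument as before.
while true; do
  touch "{{{vars.sys.workdir}}}/httpd/php/runalerts_all"
  if [ -f "{{{vars.sys.workdir}}}/httpd/php/runalerts_all" ]; then
    # Output is discarded; failures of the PHP task are not reported here.
    "{{{vars.sys.workdir}}}/httpd/php/bin/php" "{{{vars.cfe_internal_hub_vars.public_docroot}}}/index.php" cli_tasks runalerts {{{vars.cfe_internal_php_runalerts.all[limit]}}} {{{vars.cfe_internal_php_runalerts.all[running]}}} all >/dev/null 2>&1
  fi
  sleep {{{vars.cfe_internal_php_runalerts.sleep_time}}}
done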
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/templates/apachectl.mustache 0000644 0000000 0000000 00000012442 15010704240 030154 0 ustar 00root root 0000000 0000000 #!/bin/sh
#
# This is the CFEngine version of the apachectl script. It is more persistent
# and more resilient when killing httpd. The only change is special
# processing of "stop" inside "case $ACMD in". When asked to kill the httpd
# process, it does not just send a "kill" signal and happily quit, but first
# waits for it to be gone (by checking `ps p` output), and if it's not gone -
# kills the main httpd process and all its children (found via
# `pgrep --parent` or by parsing `ps -eo ppid,pid` output) by sending the
# `kill -9` signal to them. If process(es) exist even after that - it gives up
# with an error message.
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# Apache control script designed to allow an easy command line interface
# to controlling Apache. Written by Marc Slemko, 1997/08/23
#
# Modified by Northern.Tech to try harder in killing httpd process(es)
# and wait for them to be gone before returning to caller.
#
# The exit codes returned are:
# XXX this doc is no longer correct now that the interesting
# XXX functions are handled by httpd
# 0 - operation completed successfully
# 1 -
# 2 - usage error
# 3 - httpd could not be started
# 4 - httpd could not be stopped
# 5 - httpd could not be started during a restart
# 6 - httpd could not be restarted during a restart
# 7 - httpd could not be restarted during a graceful restart
# 8 - configuration syntax error
#
# When multiple arguments are given, only the error from the _last_
# one is reported. Run "apachectl help" for usage info
#
# First argument selects the action; the full argument list is also kept as a
# single flattened string for "httpd -k".
ACMD="$1"
ARGV="$@"

#
# |||||||||||||||||||| START CONFIGURATION SECTION ||||||||||||||||||||
# -------------------- --------------------
#
# Path to the httpd binary (options may be appended if necessary).
HTTPD='{{{cfengine_enterprise_mission_portal_httpd_dir}}}/bin/httpd'

#
# Source environment overrides shipped next to the binary, when present.
if [ -f {{{cfengine_enterprise_mission_portal_httpd_dir}}}/bin/envvars ]; then
  . {{{cfengine_enterprise_mission_portal_httpd_dir}}}/bin/envvars
fi

#
# Command that prints a formatted text version of the HTML at the URL given on
# the command line. Designed for lynx; other programs may work.
LYNX="lynx -dump"

#
# URL of the server's mod_status page. Without one, "status" and "fullstatus"
# will not work.
STATUSURL="http://localhost:80/server-status"

#
# Command that raises the per-process file descriptor limit: the soft limit is
# set to the current hard limit. Important for configurations that use many
# descriptors, such as mass vhosting or a multithreaded server.
ULIMIT_MAX_FILES="ulimit -S -n $(ulimit -H -n)"
# -------------------- --------------------
# |||||||||||||||||||| END CONFIGURATION SECTION ||||||||||||||||||||

# Apply the file descriptor limit unless the command was blanked out above.
if [ -n "$ULIMIT_MAX_FILES" ]; then
  $ULIMIT_MAX_FILES
fi

ERROR=0

# With no arguments at all, fall back to httpd's help output.
if [ -z "$ARGV" ]; then
  ARGV="-h"
fi
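# Dispatch on the requested action. ERROR carries the exit status of the last
# httpd invocation and becomes the script's exit status.
case $ACMD in
start|restart|graceful|graceful-stop)
    # HTTPD and ARGV are deliberately unquoted: HTTPD may carry options and
    # ARGV is the flattened argument string.
    $HTTPD -k $ARGV
    ERROR=$?
    ;;
stop)
    # Added by CFEngine
    PIDFILE='{{{cfengine_enterprise_mission_portal_httpd_dir}}}/httpd.pid'
    if [ ! -f "$PIDFILE" ] ; then
        PIDFILE='{{{cfengine_enterprise_mission_portal_httpd_dir}}}/logs/httpd.pid'
    fi
    if [ ! -f "$PIDFILE" ] ; then
        echo PID file not found, nothing to stop
        exit 2
    fi
    # Read the PID before asking httpd to stop; the file is not consulted
    # again afterwards.
    PID="$(cat "$PIDFILE")"
    $HTTPD -k $ARGV
    ERROR=$?
    # Everything below signals processes named by the PID file, so only accept
    # a single decimal number. Empty or malformed content ends the script with
    # httpd's status instead of reaching "kill -9" with arbitrary words.
    # NOTE(review): a stale PID file could still name an unrelated process
    # that reused the number; consider also checking that the process is httpd.
    case $PID in
    ''|*[!0-9]*)
        echo "PID file $PIDFILE does not hold a single numeric PID, not signalling anything" >&2
        exit $ERROR
        ;;
    esac
    # wait for pid to terminate, up to 5 seconds
    for _iteration in $(seq 50); do
        ps p "$PID" >/dev/null || exit $ERROR
        sleep 0.1
    done
    echo "process didn't finish gracefully, commencing murder"
    # collect all child processes
    if command -v pgrep >/dev/null; then
        PIDS="$PID $(pgrep --parent "$PID")"
    else
        # Compare the PPID column as a value; the PID is passed with -v rather
        # than spliced into the awk program text.
        PIDS="$PID $(ps -eo ppid,pid | awk -v parent="$PID" '$1 == parent { print $2 }')"
    fi
    # send KILL signal to all of them (PIDS is a space-separated list, so it
    # is intentionally left unquoted)
    kill -9 $PIDS
    # wait for them to terminate, up to 5 seconds
    for _iteration in $(seq 50); do
        ps p $PIDS >/dev/null || exit $ERROR
        sleep 0.1
    done
    # NOTE(review): on this path the script still exits with httpd's own
    # status, which may be 0 although processes survived; the header lists
    # 4 for "httpd could not be stopped".
    echo Failed to terminate processes
    ps p $PIDS
    ;;
startssl|sslstart|start-SSL)
    echo The startssl option is no longer supported.
    echo Please edit httpd.conf to include the SSL configuration settings
    echo and then use "apachectl start".
    ERROR=2
    ;;
configtest)
    $HTTPD -t
    ERROR=$?
    ;;
status)
    # Print the status page up to and including the first line ending in
    # "process".
    $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
    ;;
fullstatus)
    $LYNX $STATUSURL
    ;;
*)
    # Anything else is handed to httpd unchanged.
    $HTTPD "$@"
    ERROR=$?
    ;;
esac
exit $ERROR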
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/templates/runalerts.php.mustache 0000644 0000000 0000000 00000001343 15010704240 031033 0 ustar 00root root 0000000 0000000 #!{{{vars.sys.workdir}}}/httpd/php/bin/php
# Rendered by CFEngine
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/CFE_hub_specific.cf 0000644 0000000 0000000 00000074107 15010704240 026117 0 ustar 00root root 0000000 0000000 ##################################################################
#
# DO NOT EDIT THIS FILE. All policy files prefixed with CFE_ are maintained
# by CFEngine and its original state is required for internal operations of
# CFEngine. If the file has been modified CFEngine's upgrades may require
# manual intervention. Contact CFEngine support if additional information
# and/or recommendation is needed.
#
##################################################################
##################################################################
#
# cfe_internal_hub_vars
# - define a default location of Mission Portal WebGUI
#
##################################################################
@if minimum_version(3.12.0)
bundle common cfe_hub_specific_file_control
# @brief Define the extra policy files to load alongside this file
{
  vars:
      # Path is relative to the directory holding this policy file.
      "inputs"
        slist => { "$(this.promise_dirname)/federation/federation.cf" };
}
body file control
# @brief Load the inputs listed by cfe_hub_specific_file_control
{
      inputs => { @(cfe_hub_specific_file_control.inputs) };
}
@endif
bundle common cfe_internal_hub_vars
# @brief Set hub specific variables
#
# Holds the Mission Portal document roots, the TLS certificate/key locations
# and parameters, the httpd log paths and the detected PHP module version.
# All variables are defined only on a policy_server.
{
  classes:
      # Namespace-scoped class that is set when a variable named
      # SSLCACertificateFile is defined; no such variable is set in this
      # bundle's vars below.
      "cfe_enterprise_have_SSLCACertificateFile_defined" -> { "ENT-11421" }
        expression => isvariable( "SSLCACertificateFile" ),
        scope => "namespace";

  vars:
    policy_server::
      "docroot"
        string => "$(sys.workdir)/httpd/htdocs",
        handle => "cfe_internal_hub_vars_docroot",
        comment => "Root directory of Enterprise Web interface";

      # Prefer the "public" subdirectory when it exists, else the docroot.
      "public_docroot"
        string => ifelse( isdir("$(cfe_internal_hub_vars.docroot)/public"), "$(cfe_internal_hub_vars.docroot)/public",
                          $(cfe_internal_hub_vars.docroot)),
        comment => "Public root directory of Enterprise Web interface";

      # TODO Consider tagging these files for file integrity monitoring.
      # Certificate material is named after the host's fully qualified name;
      # the key, passphrase-protected key and CSR live under ssl/private.
      "SSLCertificateFile"
        string => "$(sys.workdir)/httpd/ssl/certs/$(sys.fqhost).cert";

      "SSLCertificateKeyFile"
        string => "$(sys.workdir)/httpd/ssl/private/$(sys.fqhost).key";

      "SSLCertificatePasswdKeyFile"
        string => "$(sys.workdir)/httpd/ssl/private/$(sys.fqhost).pass.key";

      "SSLCertificateSigningRequest"
        string => "$(sys.workdir)/httpd/ssl/private/$(sys.fqhost).csr";

      "SSLCnf"
        string => "$(sys.workdir)/ssl/openssl.cnf";

      "access_log" string => "$(sys.workdir)/httpd/logs/access_log";
      "error_log" string => "$(sys.workdir)/httpd/logs/error_log";
      "ssl_request_log" string => "$(sys.workdir)/httpd/logs/ssl_request_log";

      # Key size and validity period, stored as strings.
      "SSLCertificateKeySize" string => "4096";
      "SSLCertificateDaysValid" string => "3650";

      # Determine the version of PHP that is used
      # TODO Drop this after 3.18 is no longer supported. It's used for Mission Portals httpd configuration.
      # The first module file found decides the value; "UNKNOWN" triggers the
      # error report below.
      "php_version" -> { "ENT-7039" }
        string => ifelse(
                          fileexists( "$(sys.workdir)/httpd/modules/libphp.so" ), "", # ENT-7039 php 8+
                          fileexists( "$(sys.workdir)/httpd/modules/libphp7.so" ), "7",
                          fileexists( "$(sys.workdir)/httpd/modules/libphp5.so" ), "5",
                          "UNKNOWN" );

  reports:
    policy_server::
      "ERROR: $(this.bundle): Unable to determine correct PHP version."
        if => strcmp( $(php_version), "UNKNOWN" );
}
##################################################################
#
# cfe_internal_update_folders
# - create temp directories to make CFE silent (self-upgrading)
#
##################################################################
bundle agent cfe_internal_update_folders
# @brief Ensure that the directory structure exists on the hub for storing packages used in self upgrade
#
# One directory per platform/architecture name is created under
# $(sys.workdir)/master_software_updates.
{
  vars:
      "dirs"
        slist => {
                   "aix_5_powerpc", "aix_6_powerpc", "aix_6.1_powerpc", "aix_7_powerpc",
                   "ubuntu_8_i686", "ubuntu_8_x86_64",
                   "ubuntu_10_i686", "ubuntu_10_x86_64",
                   "ubuntu_11_i686", "ubuntu_11_x86_64",
                   "ubuntu_12_i686", "ubuntu_12_x86_64",
                   "ubuntu_13_i686", "ubuntu_13_x86_64",
                   "ubuntu_14_i686", "ubuntu_14_x86_64",
                   "ubuntu_16_i686", "ubuntu_16_x86_64",
                   "centos_5_i686", "centos_5_x86_64",
                   "centos_6_i686", "centos_6_x86_64",
                   "centos_7_i686", "centos_7_x86_64",
                   "redhat_4_i686", "redhat_4_x86_64",
                   "redhat_5_i686", "redhat_5_x86_64",
                   "redhat_6_i686", "redhat_6_x86_64",
                   "redhat_7_i686", "redhat_7_x86_64",
                   "SuSE_10_i686", "SuSE_10_x86_64",
                   "SuSE_11_i686", "SuSE_11_x86_64",
                   "debian_5_i686", "debian_5_x86_64",
                   "debian_6_i686", "debian_6_x86_64",
                   "debian_7_i686", "debian_7_x86_64",
                   "debian_8_i686", "debian_8_x86_64",
                   "windows_i686", "windows_x86_64",
                   "sunos_5.8_sun4u", "sunos_5.8_sun4v",
                   "sunos_5.9_sun4u", "sunos_5.9_sun4v",
                   "sunos_5.10_sun4u", "sunos_5.10_sun4v", "sunos_5.10_i86pc",
                   "hpux_ia64",
                 },
        handle => "cfe_internal_update_folders_vars_dirs",
        comment => "Define a list for $(sys.flavour)_$(sys.arch) directories";

  files:
      # The trailing "/." makes the promiser a directory; the promise iterates
      # over every entry of dirs.
      "$(sys.workdir)/master_software_updates/$(dirs)/."
        create => "true",
        handle => "cfe_internal_update_folders_files_create_dirs",
        comment => "Prepare binary upgrade folders for all distributions in our environment";
}
bundle agent cfe_internal_php_runalerts
# @brief Manage the runalerts service.
#
# - Bundle status need to be updated and displayed on MP. This bundle manages a
# small script which runs in a loop.
{
vars:
any::
"runalerts_types"
comment => "Runalerts is run for different types of alerts",
slist => { "all" };
"runalerts_script" string => "$(sys.bindir)/runalerts.php",
comment => "location of php runalerts script",
handle => "cfe_internal_php_runalerts_vars_runalerts_script";
# TODO Move runalerts stamp files into $(sys.statedir)
"runalerts_stampfiles_dir"
string => "$(sys.workdir)/httpd/php/runalerts-stamp",
comment => "location of runalerts stamp file directory",
handle => "cfe_internal_php_runalerts_var_runalerts_stampfiles_dir";
"sleep_time" string => "60",
comment => "how often that php_runalerts will run in every seconds",
handle => "cfe_internal_php_runalerts_vars_sleep_time";
"stale_time" string => "10",
comment => "if script does not function in minutes, restart the script",
handle => "cfe_internal_php_runalerts_vars_stale_time";
"all[name]" string => "all",
comment => "name of query type - all",
handle => "cfe_internal_php_runalerts_vars_all_name";
"all[limit]" string => "300",
comment => "query limit of sql",
handle => "cfe_internal_php_runalerts_vars_all_limit";
"all[running]" string => "20",
comment => "how many query at a time of sql",
handle => "cfe_internal_php_runalerts_vars_all_running";
classes:
"systemd_supervised"
scope => "bundle",
expression => "systemd",
comment => "As of 3.10 the runalerts service is supervised by systemd
when available. Prior to 3.10 the service is supervised
directly by CFEngine policy.";
files:
any::
"$(runalerts_script)"
comment => "The runalerts script is necessary for the proper functioning
of the CFEngine Enterprise alerts.",
handle => "cfe_internal_php_runalerts_files_php_runalerts_script",
create => "true",
perms => mog("0755","root","root"),
edit_template => "$(this.promise_dirname)/templates/runalerts.php.mustache",
classes => results( "bundle", "runalerts_script" ),
template_method => "mustache";
"$(runalerts_stampfiles_dir)/."
create => "true",
comment => "We provide a single directory where the runalerts process
should maintain its timestamp tracking.";
# This promise uses the side effect of cleaning up the timestamp files to
# realize when it's time to kill the runalerts script. However, in order
# to make sure that runalerts can write to the state files, we will also
# make sure they exist with specific perms. This extra churn is probably
# unnecessary.
"$(runalerts_stampfiles_dir)/runalerts_.*"
comment => "The runalerts process updates a timestamp for each type of
alert each time alerts are checked. Here we check for the
state files not being updated and kill off the runalerts
process so that it can be refreshed. ",
handle => "cfe_internal_php_runalerts_files_status_check",
delete => tidy,
file_select => mins_old("$(stale_time)"),
classes => results("bundle", "stale_runalerts_timestamp");
"$(runalerts_stampfiles_dir)/runalerts_$(runalerts_types)"
create => "true",
handle => "cfe_internal_php_runalerts_state_file_perms",
comment => "The runalerts timestamp files need to be owned by the apache
user or we won't be able to update the timestamps from the
runalerts service which is expected to be running as
$(def.cf_apache_user)",
perms => mog( "600", $(def.cf_apache_user), $(def.cf_apache_group) );
# Cleanup old runalerts script if it's still present
"$(sys.bindir)/runalerts.sh"
delete => tidy,
comment => "The runalerts loop was re-written in php to better work with
systemd service Type=simple.";
processes:
"$(sys.bindir)/runalerts.sh"
comment => "The old runalerts process should be killed if it's running
and replaced with the php version of the loop.",
signals => { "kill" };
# Make sure to kill script on non active hub(s), when the tracking timestamp
# is stale, or when the script has been repaired.
stale_runalerts_timestamp_repaired|passive_ha_hub|runalerts_script_repaired::
"$(runalerts_script)"
comment => "The runalerts process should be killed if it has failed to
update the timestamp files in $(stale_time) minutes or if it
is running on an standby HA hub.",
handle => "cfe_internal_php_runalerts_process_kill_php_runalerts_script",
signals => { "term" },
classes => if_repaired("run_script");
# We don't try to supervise the runalerts process on systemd hosts because
# there is a unit for that.
!systemd_supervised.active_hub::
"$(runalerts_script)"
comment => "When the runalerts service is not supervised by systemd we
need to check to see if the service is running so that we can
restart it when necessary.",
handle => "cfe_internal_php_runalerts_process_check_php_runalerts_script",
restart_class => "runalerts_process_not_running";
commands:
# Don't run the script on systemd hosts
!systemd_supervised.runalerts_process_not_running.active_hub::
"$(runalerts_script) > /dev/null < /dev/null 2>&1 &"
comment => "Runalerts is needed for proper functioning of Enterprise
dashboard alerts. It should only be run on the active hub to
avoid duplicate alerts. On systemd hosts the service is
supervised by it's own unit and the CFEngine policy does not
need to ensure it is running.",
handle => "cfe_internal_php_runalerts_commands_run_php_runalerts_script",
classes => kept_successful_command,
contain => run_as_cfapache,
action => cfe_internal_bg;
}
body contain run_as_cfapache
# @brief Run a command through a shell as the Mission Portal apache user and group
#
# The user and group come from `def.cf_apache_user` and `def.cf_apache_group`,
# both defined outside this chunk.
{
# NOTE(review): with a shell in use the promiser string is parsed by that
# shell, so only promisers built from policy-controlled values should use this
# body.
useshell => "true";
exec_owner => "$(def.cf_apache_user)";
exec_group => "$(def.cf_apache_group)";
}
#
body action cfe_internal_bg
# @brief Run the promise in the background
{
background => "true";
}
#
body file_select mins_old(mins)
# @brief Select files that are older than `mins` minutes old
# @param mins Age threshold in minutes
{
# The accepted mtime range runs from 0 up to `mins` minutes before now, so a
# file modified more recently than that is not selected.
mtime => irange(0,ago(0,0,0,0,"$(mins)",0));
file_result => "mtime";
}
bundle agent cfe_internal_truncate_events
#@brief cancel all the pending events once in a day
#
# Runs the Mission Portal `cli_tasks truncate_events` task with the PHP binary
# under $(sys.workdir)/httpd/php/bin. The command is only promised while both
# the Hr05 and Min00_05 classes are defined.
{
commands:
Hr05.Min00_05::
# The `silent` contain body is defined outside this chunk.
"$(sys.workdir)/httpd/php/bin/php $(cfe_internal_hub_vars.public_docroot)/index.php cli_tasks truncate_events"
contain => silent,
comment => "Truncate all the pending notifications if there is any",
handle => "cfe_internal_truncate_event_mp";
}
bundle agent cfe_internal_purge_scheduled_reports_older_than_days(days)
# @brief Clean up scheduled reports older than `days` days old
# @param days Age in days, passed to filetype_older_than() for plain files
#
# Three directories are swept recursively: the public docroot's tmp directory,
# the docroot's static directory and the docroot's api/static directory.
{
vars:
"tmp_directories_list" slist => {"$(cfe_internal_hub_vars.public_docroot)/tmp/.", "$(cfe_internal_hub_vars.docroot)/static/."};
files:
# One promise per list entry; the isdir() guard skips an entry whose directory
# is absent.
# NOTE(review): recurse() and tidy are defined outside this chunk. These
# directories are written by the web application, so confirm the depth search
# does not follow symbolic links out of the docroot before files are deleted.
"$(tmp_directories_list)"
handle => "cfe_internal_purge_scheduled_reports_files_docroot_tmp",
delete => tidy,
depth_search => recurse("inf"),
file_select => filetype_older_than("plain", $(days) ),
if => isdir( $(tmp_directories_list) ),
comment => "Mission Portals scheduled reports are written here. They need
to be purged after some time so that they do not fill the disk.";
# Unlike the promise above, this one carries no isdir() guard.
"$(cfe_internal_hub_vars.docroot)/api/static/." -> { "ENT-3558" }
handle => "cfe_internal_purge_scheduled_reports_files_docroot_api_static",
delete => tidy,
depth_search => recurse("inf"),
file_select => filetype_older_than("plain", $(days) ),
comment => "In some versions of Enterprise the async query api and
scheduled reports assets are deposited in this directory.
They need to be cleaned up as to not fill the disk.";
}
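bundle agent inventory_cfengine_enterprise_license_utilization
# @brief Inventory CFEngine Enterprise License Utilization
#
# The output of `cf-hub --show-license` is cached in a file under
# $(sys.statedir). That file is parsed into `parsed_license`, splitting each
# line on a colon followed by whitespace, and selected fields are published as
# inventory attributes. Everything in the bundle is compiled only on binaries
# of version 3.15.0 or newer.
{
@if minimum_version(3.15.0)
  classes:
    enterprise_edition::
      "have_cf_hub" expression => fileexists( $(cf_hub) );

  vars:
      # NOTE(review): the existence check uses this fixed path while the command
      # below runs $(sys.cf_hub); confirm both name the same binary on hosts
      # with a non-default work directory.
      "cf_hub" string => "/var/cfengine/bin/cf-hub";

    have_cf_hub::
      "cf_hub_show_license_output" string => '$(sys.statedir)/cf-hub-show-license.txt';

      # At most 10 entries and 500 bytes are read from the cached output.
      "parsed_license"
        data => data_readstringarray( $(cf_hub_show_license_output),
                                      "",
                                      ":\s+",
                                      10,
                                      500),
        if => fileexists( $(cf_hub_show_license_output) );

      "license_file"
        string => "$(parsed_license[License file])",
        meta => { "inventory", "attribute_name=CFEngine Enterprise license file" };

      # The guard names the same key that the value expands ("Company name"),
      # following the lower-case second word of the other keys read here. Only
      # the first field of the split value is kept.
      "license_owner" -> { "ENT-5337" }
        string => "$(with)",
        meta => { "inventory", "attribute_name=CFEngine Enterprise license owner" },
        with => nth( string_split( "$(parsed_license[Company name])", "\W", inf ), 0),
        if => isvariable( "parsed_license[Company name]" );

      # The Utilization value is split on non-word characters: field 0 is
      # published as the utilization and field 1 (see license_count) as the
      # number of licenses allocated.
      "license_utilization"
        string => "$(with)",
        meta => { "inventory", "attribute_name=CFEngine Enterprise license utilization" },
        with => nth( string_split( "$(parsed_license[Utilization])", "\W", inf ), 0),
        if => isvariable( "parsed_license[Utilization]" );

      "license_expiration"
        string => "$(parsed_license[Expiration date])",
        meta => { "inventory", "attribute_name=CFEngine Enterprise license expiration date" },
        if => isvariable( "parsed_license[Expiration date]" );

      "license_count"
        string => "$(with)",
        with => nth( string_split( "$(parsed_license[Utilization])", "\W", inf ), 1),
        meta => { "inventory", "attribute_name=CFEngine Enterprise licenses allocated" },
        if => isvariable( "parsed_license[Utilization]" );

      "license_status"
        string => "$(parsed_license[License status])",
        meta => { "inventory", "attribute_name=CFEngine Enterprise license status" },
        if => isvariable( "parsed_license[License status]" );

  commands:
    have_cf_hub::
      # Runs in a shell so that the ">" redirection in arglist writes the
      # command's output to the cache file read above.
      "$(sys.cf_hub) --show-license"
        arglist => { ">", $(cf_hub_show_license_output) },
        handle => "enterprise_hub_license_info_cache",
        contain => in_shell,
        inform => "false",
        classes => ENT_5279;
@endif
}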
body classes ENT_5279
# @brief Work around ENT-5279, cf-hub --show-license returns 1 when no license is installed
{
# By default only exit code 0 counts as the promise being kept.
kept_returncodes => { "0" };
# TODO: Redact when 3.15.x is no longer supported
# While the cfengine_3_15_0 class is defined, exit code 1 is also considered
# kept.
cfengine_3_15_0::
kept_returncodes => { "0", "1" };
}
bundle agent log_cfengine_enterprise_license_utilization
# @brief Log the number of hosts seen within the last 24 hours and the number of
# hosts reported to have the "cfengine" class. Note any hosts that has been
# successfully collected from is expected to have the "cfengine" class. This
# bundle will not be called unless the class
# `enable_log_cfengine_enterprise_license_utilization` is defined.
{
reports:
policy_server.enterprise_edition.DEBUG_log_cfengine_enterprise_license_utilization::
"Hosts reported: $(count_reporting)";
vars:
policy_server.enterprise_edition::
# NOTE(review): log_dir is promised to exist under files:, but the report below
# spells out $(sys.workdir)/log again instead of using this variable.
"log_dir" string => "$(sys.workdir)/log";
# The counts are only computed when no log line has been written during the
# current persistence window, or when the DEBUG class is set.
policy_server.enterprise_edition.enable_log_cfengine_enterprise_license_utilization.(DEBUG_log_cfengine_enterprise_license_utilization|!cfe_internal_logged_utilization)::
# Handed to cfe_internal_log_utilization() as the persist_time of the
# cfe_internal_logged_utilization class.
"log_frequency" int => "720";
# Using address for reporting hosts because hostseen() will incur
# undesirable reverse dns lookups if name is used
# The cfengine class is always reported, and a reliable way to find hosts
# that have reported.
"hosts_reporting" slist => hostswithclass("cfengine", "address");
"count_reporting" int => length(hosts_reporting);
# We are counting hosts seen within the last day.
"hosts_seen" slist => hostsseen("24", "lastseen", "address");
"count_seen" int => length(hosts_seen);
files:
policy_server.enterprise_edition::
"$(log_dir)/."
create => "true",
comment => "The log dir must exist in order to write to a file.";
reports:
policy_server.enterprise_edition.!cfe_internal_logged_utilization::
# Appending the line sets cfe_internal_logged_utilization through the classes
# body, which suppresses this promise until the class expires.
"$(sys.date), hosts_reporting=$(count_reporting), hosts_seen=$(count_seen)"
report_to_file => "$(sys.workdir)/log/license_utilization.log",
classes => cfe_internal_log_utilization($(log_frequency));
}
bundle agent cfe_internal_enterprise_HA_classes
# @brief Define the namespace-scoped classes `active_hub` and `passive_ha_hub`
#
# Both classes require `policy_server`. `active_hub` covers a hub without HA
# enabled as well as the active hub of an HA setup; `passive_ha_hub` covers a
# hub with HA enabled that does not have `hub_active` defined.
{
classes:
# NOTE The `hub_active` class is a hard class defined by the ha_plugin in
# the enterprise agent.
"active_hub"
expression => "policy_server.(!enable_cfengine_enterprise_hub_ha|(enable_cfengine_enterprise_hub_ha.hub_active))",
scope => "namespace",
comment => "This means this is a hub that is not in an HA setup or the active one in a HA setup";
# TODO Consider using `hub_passive` instead of `!hub_active`
"passive_ha_hub"
expression => "policy_server.(enable_cfengine_enterprise_hub_ha.!hub_active)",
scope => "namespace",
comment => "This means this is a passive hub in an HA setup";
}
bundle agent cfe_internal_enterprise_maintenance
# @brief Actuate bundles tagged with `enterprise_maintenance` in lexically sorted order
#
# The bundle name pattern is `.*`, so the tag is the only selection criterion:
# any bundle carrying it is actuated here on enterprise hosts.
{
vars:
enterprise_edition::
"enterprise_maintenance_bundles_unsorted"
slist => bundlesmatching(".*", "enterprise_maintenance");
"enterprise_maintenance_bundles"
slist => sort( enterprise_maintenance_bundles_unsorted,
lex);
"enterprise_maintenance_bundle_count"
int => length( enterprise_maintenance_bundles );
methods:
enterprise_edition::
# The HA classes are set first because several maintenance bundles are guarded
# by `active_hub`.
"HA classes"
usebundle => "cfe_internal_enterprise_HA_classes",
comment => "Set the HA-related classes for the maintenance bundles";
# Iterates over the sorted list; skipped entirely when the list is empty.
"Enterprise Maintenance"
usebundle => $(enterprise_maintenance_bundles),
if => isgreaterthan( $(enterprise_maintenance_bundle_count), 0 );
reports:
"DEBUG|DEBUG_$(this.bundle)"::
"DEBUG $(this.bundle): $(enterprise_maintenance_bundle_count) CFEngine Enterprise Maintenance Bundles"
if => isgreaterthan( $(enterprise_maintenance_bundle_count), 0 );
"DEBUG $(this.bundle): $(enterprise_maintenance_bundles) CFEngine Enterprise Maintenance Bundles"
if => isgreaterthan( $(enterprise_maintenance_bundle_count), 0 );
}
bundle agent cfe_internal_exported_report_location
# @brief Ensure that exported reports are in the correct directory
#
# Tagged `enterprise_maintenance` on enterprise policy hubs. Every file found
# under the public docroot's tmp directory whose name matches `.*\.(csv|pdf)`
# is handed to /bin/mv with the docroot's static directory as destination,
# provided that directory exists.
{
meta:
am_policy_hub.enterprise_edition::
"tags" slist => { "enterprise_maintenance" };
files:
am_policy_hub.enterprise_edition::
# NOTE(review): $(this.promiser) is placed into the transformer command line
# unquoted, and the source directory is written by the web application. Confirm
# how report file names are chosen (whitespace or a leading dash would change
# what mv receives) and whether the depth search can reach symbolic links here.
"$(cfe_internal_hub_vars.public_docroot)/tmp/." -> { "ENT-7465" }
depth_search => recurse( inf ),
file_select => by_name( '.*\.(csv|pdf)' ),
transformer => "/bin/mv $(this.promiser) $(cfe_internal_hub_vars.docroot)/static/",
if => isdir( "$(cfe_internal_hub_vars.docroot)/static/." ),
comment => "Generated reports (CSV and PDF) should be in the static directory if it exists.";
}
bundle agent cfe_internal_refresh_inventory_view
# @brief Refresh list of inventory variables every 5 minutes
# @note Beginning with 3.24.0 the inventory view refresh is handled by cf-reactor.
#
# The whole body sits inside `@if before_version(3.24.0)`, so on 3.24.0 and
# newer binaries the bundle is empty and carries no `enterprise_maintenance`
# tag.
# NOTE(review): the 5 minute cadence is not set in this bundle; presumably it
# follows from how often the maintenance bundles are actuated.
{
@if before_version(3.24.0)
meta:
(policy_server|am_policy_hub).enterprise_edition::
"tags" slist => { "enterprise_maintenance" };
commands:
(policy_server|am_policy_hub).enterprise_edition.active_hub::
# Only promised when the inventory API module directory exists.
"$(sys.workdir)/httpd/php/bin/php"
args => "$(cfe_internal_hub_vars.public_docroot)/index.php cli_tasks inventory_refresh",
contain => silent,
inform => "false",
comment => "This refreshes the variables shown in the Mission Portal Inventory.",
handle => "mpf_fresh_inventory_view",
if => isdir( "$(cfe_internal_hub_vars.docroot)/api/modules/inventory" );
@endif
}
bundle agent cfe_internal_refresh_hosts_view
# @brief Refresh hosts materialized view every 5 minutes
#
# NOTE(review): the 5 minute cadence is not set in this bundle; presumably it
# follows from how often the maintenance bundles are actuated.
{
meta:
(policy_server|am_policy_hub).enterprise_edition::
"tags" slist => { "enterprise_maintenance" };
commands:
(policy_server|am_policy_hub).enterprise_edition.active_hub::
# The task is only promised when Cli_tasks.php contains a line mentioning
# materialized_hosts_view_refresh, i.e. when the installed Mission Portal
# appears to provide it.
"$(sys.workdir)/httpd/php/bin/php" -> { "ENT-3482" }
args => "$(cfe_internal_hub_vars.public_docroot)/index.php cli_tasks materialized_hosts_view_refresh",
contain => silent,
@if minimum_version(3.15.0)
inform => "false",
@endif
comment => "This refreshes the hosts view. If the hosts view is not refreshed then it will contain stale data.",
handle => "mpf_fresh_hosts_view",
if => isgreaterthan(countlinesmatching(".*materialized_hosts_view_refresh.*", "$(cfe_internal_hub_vars.docroot)/application/controllers/Cli_tasks.php"), 0);
}
bundle agent cfe_internal_clear_last_seen_hosts_logs
# @brief Clear last seen hosts log every 5 minutes
# TODO Redact this bundle when 3.15 is no longer under standard support
# (December 31st 2022). The commands in the policy are scoped to run only on
# active enterprise hubs with =(cfengine_3_12|cfengine_3_13|cfengine_3_14)=.
# 3.15.0 was released while 3.12.x was still supported and this bundle should
# remain until 3.15.0 becomes EOL so that someone running 3.12.x could upgrade
# to 3.15.x policy while still running 3.12.x binaries and this bundle will
# continue to function as expected.
{
meta:
(policy_server|am_policy_hub).enterprise_edition::
"tags" slist => { "enterprise_maintenance" };
commands:
(policy_server|am_policy_hub).enterprise_edition.active_hub.(cfengine_3_12|cfengine_3_13|cfengine_3_14)::
# The task is only promised when Cli_tasks.php contains a line mentioning
# clearLastSeenHostsLogs.
"$(sys.workdir)/httpd/php/bin/php" -> { "ENT-3550" }
args => "$(cfe_internal_hub_vars.public_docroot)/index.php cli_tasks clearLastSeenHostsLogs",
contain => silent,
comment => "This clears the __lastseenhostslogs table. If the __lastseenhostslogs table is not cleared then it will contain unnecessary data.",
handle => "mpf_clear_lastseenhostslogs",
if => isgreaterthan(countlinesmatching(".*clearLastSeenHostsLogs.*", "$(cfe_internal_hub_vars.docroot)/application/controllers/Cli_tasks.php"), 0);
}
bundle agent cfe_internal_refresh_events_table
# @brief Refresh materialized view every 5 minutes
#
# Runs the Mission Portal `cli_tasks process_api_events` task on the active
# enterprise hub.
# NOTE(review): the 5 minute cadence is not set in this bundle; presumably it
# follows from how often the maintenance bundles are actuated.
{
meta:
(policy_server|am_policy_hub).enterprise_edition::
"tags" slist => { "enterprise_maintenance" };
commands:
(policy_server|am_policy_hub).enterprise_edition.active_hub::
# Only promised when the Event API resource file exists.
"$(sys.workdir)/httpd/php/bin/php"
args => "$(cfe_internal_hub_vars.public_docroot)/index.php cli_tasks process_api_events",
contain => silent,
@if minimum_version(3.15.0)
inform => "false",
@endif
comment => "This refreshes the events table. If the events table is not refreshed then it will contain stale data.",
handle => "mpf_fresh_events_table",
if => fileexists( "$(cfe_internal_hub_vars.docroot)/api/resource-v1/Event.php" );
}
bundle agent cfe_internal_update_health_failures
# @brief Update table that contains health diagnostics failures hosts
#
# Runs the Mission Portal `cli_tasks update_health_failures` task on the active
# enterprise hub as one of the `enterprise_maintenance` bundles.
{
meta:
(policy_server|am_policy_hub).enterprise_edition::
"tags" slist => { "enterprise_maintenance" };
commands:
(policy_server|am_policy_hub).enterprise_edition.active_hub::
# The task is only promised when Cli_tasks.php contains a line mentioning
# update_health_failures.
"$(sys.workdir)/httpd/php/bin/php" -> { "ENT-6228" }
args => "$(cfe_internal_hub_vars.public_docroot)/index.php cli_tasks update_health_failures",
contain => silent,
@if minimum_version(3.15.0)
inform => "false",
@endif
comment => "This updates health diagnostics failures table. If the table is not updated then it will contain stale data.",
handle => "mpf_update_health_failures",
if => isgreaterthan(countlinesmatching(".*update_health_failures.*", "$(cfe_internal_hub_vars.docroot)/application/controllers/Cli_tasks.php"), 0);
}
body classes cfe_internal_log_utilization(time)
# @brief Define persistent class for period of time to control log volume
# @param time Value used as the persist_time of the class
{
# The same namespace-scoped class is raised whether the promise was repaired or
# kept.
promise_repaired => { "cfe_internal_logged_utilization" };
promise_kept => { "cfe_internal_logged_utilization" };
scope => "namespace";
persist_time => "$(time)";
}
bundle agent cfe_internal_enterprise_policy_analyzer
# @brief Ensure published policy is available for use with policy analyzer
# @description This bundle runs as part of the enterprise_maintenance bundles. When `analyzer_flagfile` exists, this bundle ensures policy from `analyzer_source` is kept in sync with `analyzer_dir`.
{
meta:
(policy_server|am_policy_hub).enterprise_edition::
"tags" -> { "ENT-4192" }
slist => { "enterprise_maintenance" };
vars:
enterprise_edition.policy_server::
"analyzer_flagfile" string => "$(cfe_internal_hub_vars.docroot)/analyzer/pa.enabled";
"analyzer_base" string => "/opt/cfengine/analyzer";
"analyzer_dir" string => "$(analyzer_base)/policy/masterfiles";
"analyzer_source" string => "$(sys.masterdir)";
# NOTE(review): with this default every file under $(sys.masterdir) is copied
# to a tree readable by $(def.cf_apache_group). If policy or data files there
# hold credentials, list them in
# def.cfengine_enterprise_policy_analyzer_exclude_files.
"exclude_files" -> { "ENT-7684" }
slist => { "" },
unless => isvariable( "def.cfengine_enterprise_policy_analyzer_exclude_files" ),
comment => concat( "By default policy analyzer will get access to all files, ",
"that are part of the policy." );
"exclude_files" -> { "ENT-7684" }
slist => { "@(def.cfengine_enterprise_policy_analyzer_exclude_files)" },
if => isvariable( "def.cfengine_enterprise_policy_analyzer_exclude_files" ),
comment => concat( "A list of regular expressions matching file leaf names ",
"that should not be copied for access by policy analyzer." );
classes:
enterprise_edition.policy_server::
# The feature is switched on by the presence of the flag file alone.
"policy_analyzer_enabled" expression => fileexists( $(analyzer_flagfile) );
files:
enterprise_edition.policy_server::
# Mode 0470: read for the owner (root), read/write/execute for the apache
# group, nothing for others.
"$(cfe_internal_hub_vars.docroot)/analyzer/." -> { "CFE-951" }
create => "true",
handle => "cfe_internal_setup_knowledge_docroot_analyzer_dir",
perms => mog( "0470", "root", $(def.cf_apache_group) ),
comment => concat( "This directory holds the policy analyzer flag file ",
"that is written by Mission Portal when someone ",
"clicks to enable the feature. Thus, it needs to be ",
"readable, writeable and executable for the web ",
"server.");
policy_analyzer_enabled::
# analyzer_sync() purges files from the destination that are absent from the
# source.
"$(analyzer_dir)/."
create => "true",
handle => "policy_analyzer_sync_analyzer_source",
copy_from => analyzer_sync( $(analyzer_source) ),
depth_search => recurse_with_base( inf ),
file_select => default:ex_list( @(exclude_files) );
"$(analyzer_base)/." -> { "CFE-951" }
file_select => default:dirs,
depth_search => recurse_with_base( inf ),
perms => mog( "0450", "root", $(def.cf_apache_group) );
# NOTE(review): this promise selects non-directories, yet 0450 also grants the
# group execute on them; read access (0440) looks sufficient for copied policy
# files. Confirm before changing.
"$(analyzer_dir)/." -> { "CFE-951" }
file_select => default:not_dir,
depth_search => recurse_with_base( inf ),
perms => mog( "0450", "root", $(def.cf_apache_group) );
reports:
DEBUG|DEBUG_cfe_internal_enterprise_policy_analyzer::
"DEBUG Mission Portal Policy Analyzer enabled. Keeping '$(analyzer_dir)' in sync with '$(analyzer_source)'"
if => "policy_analyzer_enabled";
}
body copy_from analyzer_sync(path)
# @brief Keep promised files in sync with local `path`
# @param path Local source path to copy from
{
source => "$(path)";
# Files in the destination that do not exist in the source are removed.
purge => "true";
# Source ownership and permissions are not carried over.
preserve => "false";
# Files are compared by content digest.
compare => "digest";
}
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/mission_portal.cf 0000644 0000000 0000000 00000040333 15010704240 026053 0 ustar 00root root 0000000 0000000 bundle agent cfe_internal_enterprise_mission_portal
# @brief Manage Mission Portal configuration on the policy server
#
# On hosts with the `policy_server` class this actuates the Apache
# configuration bundle and then asks cfe_internal_webserver to keep the web
# server in the "on" state.
{
meta:
"description" string => "Manage mission portal configuration";
methods:
policy_server::
"Apache Configuration" -> { "CFEngine Enterprise", "Mission Portal" }
usebundle => cfe_internal_enterprise_mission_portal_apache;
"Apache Service" -> { "CFEngine Enterprise", "Mission Portal" }
usebundle => cfe_internal_webserver("on"),
handle => "cfe_internal_management_web_server",
comment => "Manage Apache Web server (on/off)";
}
bundle agent apachectl_patched_for_upgrade
# @brief Ensure that apachectl is patched so that it is able to re-start services
#
# @description This bundle addresses an issue where upgrades fail trying to stop
# httpd. Versions prior to 3.20.0, 3.18.2, and 3.15.6 need to have apachectl
# patched to make it wait for processes to shut down before exiting before
# upgrading binaries to 3.20.0, 3.18.2, or 3.15.6. CFEngine packages for
# versions after 3.20.0, 3.18.2, 3.15.6 ship with this patched apachectl which
# should make this bundle a no-op.
#
# TODO Redact when 3.21.0 is the oldest supported version
#
# NOTE The rendering of apachectl is done slightly differently for different
# versions of CFEngine. We need to maintain support for 3.15.x and many macros
# were not available at 3.15.0, so we use classes instead of macros.
#
# Versions prior to CFEngine 3.20.0 do not create files by default when managed
# by a template, if the file is absent but its presence was desired the use of
# create => "true" or some other machinery is necessary.
#
# When 3.15.0 (Currently oldest supported version) was released, 3.10.0 was supported.
{
vars:
"considered_versions"
slist => { "cfengine_3_10", "cfengine_3_11", "cfengine_3_12",
"cfengine_3_13", "cfengine_3_14", "cfengine_3_15",
"cfengine_3_16", "cfengine_3_17", "cfengine_3_18" };
classes:
# NOTE(review): the class named "..._automatically_created" is the one set on
# the listed versions 3.10 to 3.18, and its promise below omits create, while
# the header states that versions before 3.20.0 do not create templated files
# by default. The two class names look swapped relative to that description,
# and 3.19 is not in the list; confirm the intent.
"_running_cfengine_version_where_templated_files_automatically_created"
or => { @(considered_versions) };
"_running_cfengine_version_where_templated_files_NOT_automatically_created"
not => or( @(considered_versions) );
files:
# Both variants render the same template with the same data; they differ only
# in whether create => "true" is given.
_running_cfengine_version_where_templated_files_automatically_created::
"$(sys.workdir)/httpd/bin/apachectl"
edit_template => "$(this.promise_dirname)/templates/apachectl.mustache",
handle => "apachectl_content_pre_create_default_templated_files",
template_method => "mustache",
template_data => parsejson( '{ "cfengine_enterprise_mission_portal_httpd_dir": "$(sys.workdir)/httpd" }');
_running_cfengine_version_where_templated_files_NOT_automatically_created::
"$(sys.workdir)/httpd/bin/apachectl"
create => "true",
edit_template => "$(this.promise_dirname)/templates/apachectl.mustache",
handle => "apachectl_content_post_create_default_templated_files",
template_method => "mustache",
template_data => parsejson( '{ "cfengine_enterprise_mission_portal_httpd_dir": "$(sys.workdir)/httpd" }');
cfengine::
# The script is executed by root elsewhere in this file, so it is kept
# root-owned and writable only by its owner.
"$(sys.workdir)/httpd/bin/apachectl"
handle => "apachectl_perms",
perms => mog( "0755", "root", "root" );
}
bundle agent cfe_internal_enterprise_mission_portal_apache
# @brief Manage Apache instance that runs Mission Portal
#
# Renders httpd.conf from a mustache template into a staging file and passes
# both paths to mission_portal_apache_from_stage, which deploys the staged
# file to the live location.
{
vars:
policy_server.enterprise_edition::
"template"
string => "$(this.promise_dirname)/templates/httpd.conf.mustache",
comment => "The template used to render the apache config file.";
"config"
string => "$(sys.workdir)/httpd/conf/httpd.conf",
comment => "This is the location of the apache config file.";
"staged_config"
string => "$(config).staged",
comment => "This is the temporary file we will render the config and
valid against before deploying to the final $(config)
location.";
# TODO: Consider collecting the classes and variables used based on a tag
# to prepare a smaller subset of data
# The complete datastate() is handed to the template.
"data"
data => datastate();
methods:
# The methods below carry no class guard of their own, whereas the variables
# they use are only defined under policy_server.enterprise_edition.
"apachectl patched for resilient stop " -> { "ENT-8823" }
usebundle => apachectl_patched_for_upgrade;
# NOTE(review): no perms are promised for the staged file in this bundle, while
# the live config is set to mode 400 root:root in
# mission_portal_apache_from_stage. Confirm the staged copy ends up no more
# readable than the live file.
"Stage Apache Config"
usebundle => file_make_mustache( $(staged_config), $(template), @(data) ),
comment => "We render the config to a staging location so that it can be
validated before deploying the final apache config so that we
don't end up with a broken service.";
"Manage Final Apache Config"
usebundle => mission_portal_apache_from_stage( $(config), $(staged_config) );
reports:
DEBUG|DEBUG_cfe_internal_enterprise_mission_portal_apache::
"DEBUG $(this.bundle): Should stage '$(staged_config)' from '$(template)'.";
classes:
(policy_server|am_policy_hub).enterprise_edition::
# Set when config.php contains a line assigning an empty string to
# config['index_page'].
"mission_portal_index_php_redirect_enabled"
expression => isgreaterthan(countlinesmatching(".*config\['index_page'\] = \"\".*", "$(cfe_internal_hub_vars.docroot)/application/config/config.php"), 0),
comment => "We need to know if index_page config in Mission Portal
is empty to enable redirect from /index.php/path to /path
in httpd.conf";
}
bundle agent mission_portal_apache_from_stage(config, staged_config)
# @brief Make sure the live Apache config is based on a staged config that has
# been validated.
# @param config Path to the live config
# @param staged_config Path to the staged configuration
#
# **Example:**
#
# ```cf3
# bundle agent example
# {
# vars:
#
# "config"
# string => "$(sys.workdir)/httpd/conf/httpd.conf",
# comment => "This is the location of the apache config file.";
#
# "staged_config"
# string => "$(config).staged",
# comment => "This is the temporary file we will render the config and
# valid against before deploying to the final $(config)
# location.";
#
# methods:
#
# "Manage Final Apache Config"
# usebundle => mission_portal_apache_from_stage( $(config), $(staged_config) );
# }
#```
{
meta:
"description"
string => "Configure apache based on successfully staged config";
classes:
# Set when systemctl exists and reports the cf-apache unit as active; it
# selects between the commands: and services: sections below.
"systemd_supervised"
expression => returnszero("$(paths.systemctl) -q is-active cf-apache > /dev/null 2>&1", "useshell"),
if => fileexists( $(paths.systemctl) );
vars:
# Syntax check of the staged file with the bundled httpd binary.
# NOTE(review): $(staged_config) is interpolated unquoted into a string that is
# later run through a shell by returnszero(). The caller visible in this file
# builds the path from $(sys.workdir); any other caller must pass a trusted
# path.
"validate_config"
string => "$(sys.workdir)/httpd/bin/httpd -t -f $(staged_config)";
# The location of the apache pid file moved from httpd/logs/httpd.pid to
# httpd/httpd.pid in 3.15.5, 3.18.1 and, 3.19.0
"httpd_pid_file" -> { "ENT-7966" }
string => ifelse( classmatch( "cfengine_3_1[0-4]" ), "$(sys.workdir)/httpd/logs/httpd.pid",
classmatch( "cfengine_3_15_[0-4]" ), "$(sys.workdir)/httpd/logs/httpd.pid",
"cfengine_3_18_0", "$(sys.workdir)/httpd/logs/httpd.pid",
"$(sys.workdir)/httpd/httpd.pid" );
files:
"$(config)"
create => "true",
comment => "Without an apache config, Mission Mortal and Enterprise API
services will not work";
# The staged file is copied over the live one only if it passes the syntax
# check AND one of: apache was just stopped for a new staged config, no pid
# file exists, or the live config is newer than the staged one.
# The syntax check is re-run in each guard that uses it rather than evaluated
# once for the whole bundle.
"$(config)" -> { "ENT-9686" }
copy_from => local_dcp( $(staged_config) ),
handle => "cfapache_httpd_conf_from_staged",
if => and( or( "apache_stop_after_new_staged_config_repaired",
not( fileexists( "$(httpd_pid_file)" ) ),
isnewerthan( $(config), $(staged_config) ) ),
returnszero("$(validate_config) > /dev/null 2>&1 ", "useshell")),
classes => results("bundle", "mission_portal_apache_config"),
comment => "We make sure that the deployed config is a copy of the staged
config if the staged config passes a syntax check. We redirect
the output to keep policy runs clean and not generate lots of
unnecessary email.";
# Note: RPM package spec must align or the file will come up in rpm verification
# The live config is readable by root only.
"$(config)" -> { "ENT-11096" }
handle => "cfengine_mp_apache_config_ownership_perms",
perms => mog( "400", "root", "root");
commands:
!systemd_supervised::
# NOTE(review): $LD_LIBRARY_PATH is expanded by the shell in the three commands
# below. If it is unset or empty in the agent's environment the value ends in
# ':' and the dynamic loader reads an empty entry as the current working
# directory. Confirm the directory these commands run in is writable only by
# root, or build the value without the trailing entry.
"LD_LIBRARY_PATH=$(sys.workdir)/lib:$LD_LIBRARY_PATH $(sys.workdir)/httpd/bin/apachectl"
args => "stop",
if => and( returnszero("$(validate_config) > /dev/null 2>&1 ", "useshell"),
isnewerthan( $(staged_config), $(config) ),
fileexists( "$(httpd_pid_file)" ) ),
contain => in_shell,
classes => results( "bundle", "apache_stop_after_new_staged_config" ),
comment => concat( "We have to stop apache before trying to start with a",
"new config, or the new config could prevent apache from stopping.");
"LD_LIBRARY_PATH=$(sys.workdir)/lib:$LD_LIBRARY_PATH $(sys.workdir)/httpd/bin/apachectl"
args => "start",
if => and( "mission_portal_apache_config_repaired",
"apache_stop_after_new_staged_config_repaired"),
contain => in_shell,
comment => concat( "We start apache after the new valid config is in ",
"place only if we have stopped apache already.");
# Graceful reload when the config was replaced without a preceding stop.
"LD_LIBRARY_PATH=$(sys.workdir)/lib:$LD_LIBRARY_PATH $(sys.workdir)/httpd/bin/apachectl" -> { "ENT-9686" }
args => "graceful",
if => and( "mission_portal_apache_config_repaired",
not( "apache_stop_after_new_staged_config_repaired" ) ),
contain => in_shell,
comment => "We restart apache after the new valid config is in place";
services:
systemd_supervised::
# Same stop / start / restart sequence as above, expressed as service promises
# for the cf-apache unit. The stop guard here does not test for the pid file.
"cf-apache"
service_policy => "stop",
if => and( returnszero("$(validate_config) > /dev/null 2>&1 ", "useshell"),
isnewerthan( $(staged_config), $(config) ) ),
classes => results( "bundle", "apache_stop_after_new_staged_config" ),
comment => concat( "We have to stop apache before trying to start with a",
"new config, or the new config could prevent apache from stopping.");
"cf-apache"
service_policy => "start",
if => and( "mission_portal_apache_config_repaired",
"apache_stop_after_new_staged_config_repaired"),
comment => concat( "We start apache after the new valid config is in ",
"place only if we have stopped apache already.");
"cf-apache" -> { "ENT-9686" }
service_policy => "restart",
if => and( "mission_portal_apache_config_repaired",
not( "apache_stop_after_new_staged_config_repaired" ) ),
comment => "We restart apache after the new valid config is in place";
reports:
DEBUG|DEBUG_mission_portal_apache_from_stage::
"DEBUG $(this.bundle): '$(config)' should be a copy of '$(staged_config)' because it validates with '$(validate_config)'"
if => returnszero("$(validate_config) > /dev/null 2>&1 ", "useshell");
"DEBUG $(this.bundle): '$(config)' should *not* be a copy of '$(staged_config)' because it failed to validate with '$(validate_config)'"
if => not(returnszero("$(validate_config) > /dev/null 2>&1 ", "useshell"));
}
##################################################################
#
# cfe_internal_webserver(on/off)
#
##################################################################
bundle agent cfe_internal_webserver(state)
# @brief Start the Mission Portal httpd when it is expected to run but is not
# @param state "on" or "off"; only "on" leads to any promise in this bundle
{
meta:
"description" string => "Manage the Mission Portal webserver state";
classes:
"on" expression => strcmp("$(state)","on"),
comment => "Check if a keyword \"on\" is inputs",
handle => "cfe_internal_webserver_classes_on";
# The "off" class is defined but no promise in this bundle is guarded by it.
"off" expression => strcmp("$(state)","off"),
comment => "Check if a keyword \"off\" is inputs",
handle => "cfe_internal_webserver_classes_off";
#
processes:
am_policy_hub.on::
# start_cfe_httpd is raised when no process matches the httpd path.
".*$(sys.workdir)/httpd/bin/httpd.*"
restart_class => "start_cfe_httpd",
comment => "Check if CFE httpd process exists or not",
handle => "cfe_internal_webserver_processes_start_cfe_httpd";
#
commands:
start_cfe_httpd::
# NOTE(review): $LD_LIBRARY_PATH is expanded by the shell. If it is unset or
# empty in the agent's environment the value ends in ':' and the dynamic loader
# reads an empty entry as the current working directory. Confirm the directory
# this command runs in is writable only by root, or build the value without the
# trailing entry.
"LD_LIBRARY_PATH=$(sys.workdir)/lib:$LD_LIBRARY_PATH $(sys.workdir)/httpd/bin/apachectl start"
comment => "Start CFE httpd process if not exist",
classes => kept_successful_command,
handle => "cfe_internal_webserver_commands_start_cfe_httpd",
contain => in_shell;
}
bundle agent cfe_enterprise_selfsigned_cert
# @brief Generate a self signed certificate for Mission Portal
#
# By default this bundle will only regenerate a certificate if one of the
# necessary files is missing. To force certificate regeneration run with the
# class '_cfe_enterprise_selfsigned_cert_regenerate_certificate' defined.
{
meta:
"description"
string => "Generate a self signed SSL certificate for secure hub communications.";
vars:
policy_server::
# Paths, key size and validity period all come from cfe_internal_hub_vars,
# which is defined outside this chunk.
"SSLCertificateFile" string => "$(cfe_internal_hub_vars.SSLCertificateFile)";
"SSLCertificateKeyFile" string => "$(cfe_internal_hub_vars.SSLCertificateKeyFile)";
"SSLCertificatePasswdKeyFile" string => "$(cfe_internal_hub_vars.SSLCertificatePasswdKeyFile)";
"SSLCertificateKeySize" string => "$(cfe_internal_hub_vars.SSLCertificateKeySize)";
"SSLCertificateSigningRequest" string => "$(cfe_internal_hub_vars.SSLCertificateSigningRequest)";
"SSLCnf" string => "$(cfe_internal_hub_vars.SSLCnf)";
"SSLCertificateDaysValid" string => "$(cfe_internal_hub_vars.SSLCertificateDaysValid)";
"SSLCertificateFileSymlink" string => "$(sys.workdir)/ssl/cert.pem";
"openssl" string => "$(sys.workdir)/bin/openssl";
"_generated_files" slist => {
$(SSLCertificateFile),
$(SSLCertificateKeyFile),
$(SSLCertificatePasswdKeyFile),
$(SSLCertificateSigningRequest),
};
classes:
"_cfe_enterprise_selfsigned_cert_regenerate_certificate"
not => filesexist( @(_generated_files) ),
comment => "We only want to automatically regenerate the certificate if
one of the files does not exist.";
commands:
policy_server._cfe_enterprise_selfsigned_cert_regenerate_certificate::
# Generate an RSA key of $(SSLCertificateKeySize) bits. The passphrase is the
# fixed value "x" given on the command line; it is removed again in the next
# step, so it provides no protection for either key file.
# NOTE(review): the four steps carry no classes or guards linking them, so a
# later step is still attempted if an earlier one fails; confirm that is
# acceptable.
"$(openssl)"
args => "genrsa -passout pass:x -out $(SSLCertificatePasswdKeyFile) $(SSLCertificateKeySize)";
# Strip the passphrase from $(SSLCertificatePasswdKeyFile) and write the
# unencrypted key to $(SSLCertificateKeyFile)
"$(openssl)"
args => "rsa -passin pass:x -in $(SSLCertificatePasswdKeyFile) -out $(SSLCertificateKeyFile)";
# Generate a CSR in $(SSLCertificateSigningRequest) for CN=$(sys.fqhost) with
# the key in $(SSLCertificateKeyFile)
"$(openssl)"
args => 'req -utf8 -sha256 -nodes -new -subj "/CN=$(sys.fqhost)" -key $(SSLCertificateKeyFile) -out $(SSLCertificateSigningRequest) -config $(SSLCnf)';
# Self-sign the CSR with the same key to produce $(SSLCertificateFile)
"$(openssl)"
args => "x509 -req -days $(SSLCertificateDaysValid) -in $(SSLCertificateSigningRequest) -signkey $(SSLCertificateKeyFile) -out $(SSLCertificateFile)";
files:
# NOTE(review): the key files are written by openssl and their modes are
# promised separately here, so the private key relies on the agent's umask
# until these promises are evaluated. Confirm that umask keeps new files
# unreadable to group and others.
"$(SSLCertificateFile)" -> { "jira:ENT-760" }
perms => mog("644", "root", "root"),
comment => "The SSL Certificate File needs to be readable so that it can
be read by other services like Mission Portal.";
"$(SSLCertificateKeyFile)"
perms => mog("600", "root", "root"),
comment => "The SSL Certificate Key should only be readable by root.";
"$(SSLCertificatePasswdKeyFile)"
perms => mog("600", "root", "root"),
comment => "The SSL Certificate Key should only be readable by root.";
# No perms are promised for the signing request file.
"$(SSLCertificateFileSymlink)" -> { "jira:ENT-760" }
link_from => ln_s( $(SSLCertificateFile) ),
move_obstructions => "true",
comment => "Mission Portal reads the certificate from this stable
location, so it must always point to the current certificate.";
reports:
DEBUG|DEBUG_cfe_enterprise_selfsigned_cert::
"DEBUG $(this.bundle): Certificate Generation Requested"
if => "_cfe_enterprise_selfsigned_cert_regenerate_certificate";
"DEBUG $(this.bundle): No Certificate Generation Requested"
if => "!_cfe_enterprise_selfsigned_cert_regenerate_certificate";
}
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/ha/ 0000755 0000000 0000000 00000000000 15010704326 023071 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/cfe_internal/enterprise/ha/ha_def.cf 0000644 0000000 0000000 00000002337 15010704240 024611 0 ustar 00root root 0000000 0000000 bundle common ha_def
# @brief Common definitions for CFEngine Enterprise hub High Availability
#
# All variables are defined only while `enable_cfengine_enterprise_hub_ha` is
# set. The cluster description is read from ha_info.json next to this policy
# file; its top-level keys are used as the list of hub addresses.
{
vars:
enable_cfengine_enterprise_hub_ha::
"master_hub_location" string => "$(sys.statedir)/master_hub.dat";
"hubs_keys_location" string => "$(sys.workdir)/ppkeys_hubs";
"ppkeys_staging" string => "$(sys.workdir)/ppkeys_staging";
#The location of the config file can not be changed!
"config_file" string => "$(this.promise_dirname)/ha_info.json";
# At most 4k of the file is read.
"config" data => readjson("$(config_file)", "4k");
"ips" slist => getindices("config");
# The key file name is passed through escape() so that it can be used where a
# regular expression is expected.
"hub_sha[$(ips)]"
string => escape("root-SHA=$(config[$(ips)][sha]).pub"),
comment => "We need to construct an intermediary array so that we can
extract a combined list of all hub keys.";
"hub_shas"
slist => getvalues("hub_sha"),
comment => "We use the list of hub key files for restricting clients access only to those";
# An entry is created for every hub whose is_in_cluster value is "false"; only
# the array indices matter, the value is a placeholder.
"replication_only_node[$(ips)]"
string => "dummy", if => strcmp("$(config[$(ips)][is_in_cluster])", "false");
"replication_only_nodes"
slist => getindices("replication_only_node");
classes:
# NOTE(review): $(sys.policy_hub) is passed to some() as a regular expression
# without escape(), unlike hub_sha above, so the dots in an address match any
# character. Confirm this cannot match a different entry in the list.
"ha_replication_only_node" expression => some($(sys.policy_hub), replication_only_nodes);
reports:
verbose_mode::
"HA hub $(ips) $(config[$(ips)][sha])";
}
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/ha/ha.cf 0000644 0000000 0000000 00000011021 15010704240 023761 0 ustar 00root root 0000000 0000000 bundle agent ha_main
# @brief Entry point for hub-side HA policy; dispatches to the bundles below by class
{
classes:
enable_cfengine_enterprise_hub_ha::
# Set once sys.hub_active_ip is defined, i.e. the active hub's address is known.
"have_ha_hub_active_ip" expression => isvariable("sys.hub_active_ip");
methods:
policy_server.enterprise::
# Runs whether or not HA is enabled, because the called bundle also removes
# the marker file when HA is off.
"manage_mp_enable_cfengine_enterprise_hub_ha_file" usebundle => ha_manage_mp_status_file;
policy_server.enable_cfengine_enterprise_hub_ha.hub_active::
# NOTE(review): same promiser string as the promise above, although this one
# calls the notification scripts bundle.
"manage_mp_enable_cfengine_enterprise_hub_ha_file" usebundle => ha_manage_notification_scripts_dir;
policy_server.!hub_active.have_ha_hub_active_ip::
# Only a hub that is not active pulls configuration, and only when the active
# hub's IP is known.
"sync_config_data" usebundle => ha_hub_sync_config_data;
}
# The ha_enabled file, kept present only while the
# enable_cfengine_enterprise_hub_ha class is set, is used by Mission Portal
# (MP) as a first test to figure out if HA functionality is switched on or
# not. Based on existence of this file further actions are performed.
bundle agent ha_manage_mp_status_file
# @brief Create or remove the ha_enabled marker that Mission Portal checks
{
files:
policy_server.!enable_cfengine_enterprise_hub_ha::
# HA off: the marker must be absent.
"$(sys.workdir)/httpd/htdocs/ha_enabled" -> { "Mission Portal" }
delete => tidy,
handle => "cfengine_enterprise_ha_enabled_semaphore_absent",
comment => "If this file is present when HA is not enabled
Mission Portal will incorrectly report HA status.";
policy_server.enable_cfengine_enterprise_hub_ha::
# HA on: the marker exists, read-only (0440) for the web server user and group.
"$(sys.workdir)/httpd/htdocs/ha_enabled" -> { "Mission Portal", "ENT-4751" }
create => "true",
handle => "cfengine_enterprise_ha_enabled_semaphore_present",
perms => mog("0440",$(def.cf_apache_user),$(def.cf_apache_group)),
comment => "This file is read by mission portal to know that HA
is enabled. Without it the UI will not report the
correct HA status.";
}
bundle agent ha_manage_notification_scripts_dir
# @brief Make sure the Mission Portal notification scripts directory exists
{
files:
# NOTE(review): mode 770 with the web server group means any process running
# in that group can add or replace scripts in this directory. What executes
# those scripts, and as which user, is not visible in this file - confirm the
# consumer treats them as web-server-controlled content.
"/opt/cfengine/notification_scripts/." -> { "Mission Portal" }
create => "true",
perms => mog("770", "root", $(def.cf_apache_group)),
comment => "This directory is used by Mission Portal to store custom
user-defined scripts. Having HA set up we need to synchronize
content of this directory between active and passive hubs.
In case of no user-scripts being defined directory may not
exist on active hub.
To avoid policy synchronizing content of this directory
being not kept we are creating directory in advance.";
}
bundle agent ha_hub_sync_config_data
# @brief Keep passive hub configuration in sync with active hub
#
# Every files promise pulls from $(sys.hub_active_ip) through ha_no_backup_scp.
# NOTE(review): no perms are promised here for the copied files, which the
# comments below describe as authentication-related - confirm ownership and
# mode of the copies are enforced elsewhere.
{
vars:
# NOTE(review): htdocs already ends in "/", so paths built from it contain "//".
"htdocs" string => "$(sys.workdir)/httpd/htdocs/";
"application_config_path" string => "$(htdocs)/application/config/";
"application_config_files"
comment => "These files are from application/config and if not in sync
will cause various authentication errors",
slist => {
"cf_robot.php",
"appsettings.php",
"config.php", # ENT-4944
};
files:
# One promise per entry of application_config_files; source and destination
# use the same path.
"$(application_config_path)/$(application_config_files)"
copy_from => ha_no_backup_scp("$(application_config_path)/$(application_config_files)",
$(sys.hub_active_ip)),
comment => "Ensure application configuration files are in sync to avoid authentication issues",
handle => "ha_sync_application_config";
# Scripts are copied one level deep from the active hub. They are
# user-defined scripts, so the passive hub ends up holding whatever the
# active hub holds.
"/opt/cfengine/notification_scripts"
copy_from => ha_no_backup_scp("/opt/cfengine/notification_scripts",
$(sys.hub_active_ip)),
comment => "Copy MP notification scripts",
handle => "ha_copy_notification_scripts",
depth_search => recurse("1");
@if minimum_version(3.11)
# These configuration settings were introduced in CFEngine non-LTS 3.11
# Used macro as there is no class based way to do version X and greater
"$(htdocs)/ldap/config/settings.php" -> { "ENT-4944" }
copy_from => ha_no_backup_scp("$(htdocs)/ldap/config/settings.php",
$(sys.hub_active_ip)),
comment => "Ensure LDAP configuration files are in sync to avoid authentication issues",
handle => "ha_sync_ldap_config";
# NOTE(review): the comment string below says LDAP, but this promise copies
# the API configuration.
"$(htdocs)/api/config/config.php" -> { "ENT-4944" }
copy_from => ha_no_backup_scp("$(htdocs)/api/config/config.php",
$(sys.hub_active_ip)),
comment => "Ensure LDAP configuration files are in sync to avoid authentication issues",
handle => "ha_sync_api_config";
@endif
}
body copy_from ha_no_backup_scp(from,server)
# @brief Remote copy that compares by digest, keeps no backup and asks for an encrypted transfer
# @param from Path of the file or directory on the remote side
# @param server Host to copy from
{
      source      => "$(from)";
      servers     => { "$(server)" };
      # Content is compared by digest, so a changed file is re-copied even if
      # its timestamps look unchanged.
      compare     => "digest";
      # The files copied with this body are configuration and scripts; the
      # transfer is requested encrypted and no backup copy is kept.
      encrypt     => "true";
      copy_backup => "false";
}
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/ha/ha_update.cf 0000644 0000000 0000000 00000015400 15010704240 025330 0 ustar 00root root 0000000 0000000 bundle agent ha_update
# @brief Drive HA key and state synchronisation; every method requires the
# enable_cfengine_enterprise_hub_ha class
{
methods:
enable_cfengine_enterprise_hub_ha::
"Hubs have am_policy_hub marker"
usebundle => ha_hubs_have_am_policy_hub_marker,
comment => "All hubs should have the am_policy_hub marker. This bundle
ensures that standby hubs get this marker even though they are not
bootstrapped to themselves";
enable_cfengine_enterprise_hub_ha.am_policy_hub::
# Hubs: publish the hub public keys for clients, then collect client keys
# from the standby servers.
"share_keys" usebundle => ha_share_hub_keys;
"sync_hub_data" usebundle => ha_hub_sync;
enable_cfengine_enterprise_hub_ha.!am_policy_hub::
# Everything that is not a hub: fetch the master hub address and hub keys.
"sync_agent_data" usebundle => ha_agent_sync;
enable_cfengine_enterprise_hub_ha.hub_data_synced::
# hub_data_synced is raised by ha_hub_sync when its copy promise is repaired.
"manage_keys" usebundle => manage_hub_synced_data;
enable_cfengine_enterprise_hub_ha.ha_replication_only_node::
"syncronize_master_hub_dat" usebundle => sync_master_hub_dat;
}
bundle agent ha_hubs_have_am_policy_hub_marker
# @brief Ensure that all ha hub members have the am_policy_hub state marker
#
# Membership is decided purely from the addresses listed in ha_def.ips.
{
classes:
# We know we need the am_policy_hub marker if any of our ips are found in the ha definition
"ha_hub_member" expression => iprange( $(ha_def.ips) );
files:
ha_hub_member::
# Only creation is promised; no perms attribute is set on the marker.
"$(sys.statedir)/am_policy_hub" -> { "ENT-3328" }
create => "true",
comment => "This file is automatically created when bootstrapping to
self, but in a clustered environment standby hubs bootstrap to the
primary and this marker will not be automatically created.";
}
bundle agent ha_agent_sync
# @brief On non-hub hosts, fetch the master hub address and the public keys of all hubs
#
# Both promises copy from the servers in update_def.policy_servers using
# ha_update_ha_no_backup_scp.
{
files:
# The local policy_server.dat is overwritten with the hub's master_hub.dat.
"$(sys.workdir)/policy_server.dat"
copy_from => ha_update_ha_no_backup_scp("$(ha_def.master_hub_location)", @(update_def.policy_servers)),
handle => "ha_cfengine_node_update_master_ip",
comment => "Update master hub IP on CFEngine node. This is causing that clients will try
to contact active/master hub first.";
# Trust note: files selected by hub_all_keys are written into this host's
# ppkeys directory, so whatever the policy servers expose under
# ha_def.hubs_keys_location becomes a key this host holds for its hubs.
"$(sys.workdir)/ppkeys"
copy_from => ha_update_ha_no_backup_scp("$(ha_def.hubs_keys_location)", @(update_def.policy_servers)),
file_select => hub_all_keys,
depth_search => ha_update_ha_recurse("inf"),
handle => "ha_copy_hub_keys_to_nodes",
comment => "Download keys of all hubs working in HA cluster and store in client's ppkeys directory.
This is important for establishing trusted connection with standby hub(s) in
case of failover.";
}
bundle agent ha_share_hub_keys
# @brief On hubs, copy the hub public keys from ppkeys into the separate ppkeys_hubs directory
{
files:
# Local copy, one level deep, limited by hubs_keys_select to the key file
# names derived from ha_def.config. Keeping these in their own directory
# means clients are served hub keys only, not the whole ppkeys directory.
"$(ha_def.hubs_keys_location)"
copy_from => ha_update_no_backup_cp("$(sys.workdir)/ppkeys"),
file_select => hubs_keys_select,
handle => "ha_copy_hubs_keys",
depth_search => ha_update_recurse("1"),
comment => "Clients need to be able to download keys of all hubs working in
HA cluster. This is needed to establish trusted connection
with standby hubs in case of failover. In order to limit possibility
of copying wrong keys hub keys are copied to separate directory first
and only ppkeys_hubs is accessible by clients.";
}
bundle agent ha_hub_sync
# @brief Collect client public keys from the standby servers into the staging directory
{
vars:
# Names that must never be pulled from another hub: its own localhost key
# pair and the hub key files. ha_update_ex_list uses these as leaf_name
# patterns and selects everything that does NOT match.
"exclude_files" slist => {"localhost.priv", "localhost.pub", @(ha_def.hub_shas)};
files:
# Keys land in ppkeys_staging first, not in ppkeys. The hub_data_synced class
# is raised when this promise is repaired and triggers manage_hub_synced_data
# from ha_update.
"$(ha_def.ppkeys_staging)"
copy_from => ha_update_ha_no_backup_scp("$(sys.workdir)/ppkeys", @(update_def.standby_servers)),
file_select => ha_update_ex_list(@(exclude_files)),
handle => "ha_copy_client_keys_between_replica_set_servers",
depth_search => ha_update_recurse("1"),
classes => ha_update_if_repaired("hub_data_synced"),
comment => "Distribute all client keys between replica set servers. This is
important in case of failover. Once clients keys are synchronized
between all hubs working in HA cluster, clients will be able
to authenticate and establish connection with all hubs working in HA cluster.";
}
bundle agent manage_hub_synced_data
# @brief Manage trust of clients bootstrapped other hubs in cluster
#
# Ensures keys collected from other hubs are present in ppkeys so that the
# agents bootstrapped to other hubs are trusted.
#
# Two steps: remove any localhost.* files from the staging directory, then copy
# the remaining plain files into ppkeys. Copying a key into ppkeys is what
# grants that client trust on this hub.
{
files:
# Ensure that localhost.pub and localhost.priv are not in the directory of
# keys collected from standby hubs
"$(ha_def.ppkeys_staging)/localhost.*" -> { "ENT-3303" }
delete => ha_tidy,
handle => "manage_hub_synced_data_ppkeys_staging_localhost_absent",
comment => "We don't want localhost related key files from a standby
server to end up over-writing the active hubs key. That will
cause an identity crisis and trust issues.";
# Ensure that keys collected from standby hubs are present in this hubs
# ppkeys directory so that agents bootstrapped to standby hubs will be
# trusted.
# NOTE(review): this relies on the delete promise above being evaluated before
# the copy - presumably guaranteed by promise order within the section; confirm.
"$(sys.workdir)/ppkeys"
copy_from => ha_update_no_backup_cp("$(ha_def.ppkeys_staging)"),
file_select => ha_update_plain,
depth_search => ha_update_recurse("1"),
handle => "ha_copy_staged_client_keys",
comment => "Copy staged client keys to ppkeys. First client keys are copied
to ppkeys_staging directory and then to ppkeys. Only clients which
keys are copied to ppkeys will be able to authenticate and connect
to hub.";
}
bundle agent sync_master_hub_dat
# @brief Refresh the local master_hub.dat from the standby servers
#
# Source and destination are the same path, ha_def.master_hub_location; the
# copy goes through ha_update_ha_no_backup_scp.
{
  files:
      "$(ha_def.master_hub_location)"
        handle    => "ha_cfengine_hub_update_master_ip",
        comment   => "Update master hub IP on CFEngine node",
        copy_from => ha_update_ha_no_backup_scp("$(ha_def.master_hub_location)", @(update_def.standby_servers));
}
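body file_select hub_all_keys
# @brief Select files whose name ends in ".pub"
#
# leaf_name entries are regular expressions, so the dot before "pub" is
# escaped. Unescaped it matches any character, which would also select names
# such as "xpub". This body decides which files are copied into a client's
# ppkeys directory, so the pattern is kept as narrow as the intent.
{
      leaf_name   => { ".*\.pub" };
      file_result => "leaf_name";
}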
body file_select hubs_keys_select
# @brief Select the public key files of the standby hubs by file name
#
# The name is root-SHA=<sha>.pub, with <sha> taken from ha_def.config for each
# entry of update_def.standby_servers and passed through escape().
#
# NOTE(review): search_size is declared, but file_result names only leaf_name,
# so the 426-byte size test does not appear to take part in the selection.
# Confirm whether that is intended before relying on the size check.
{
      file_result => "leaf_name";
      leaf_name   => {escape("root-SHA=$(ha_def.config[$(update_def.standby_servers)][sha]).pub")};
      search_size => irange("426", "426");
}
body copy_from ha_update_ha_no_backup_scp(from,server)
# @brief Remote copy that compares by digest, keeps no backup and asks for an encrypted transfer
# @param from Path on the remote side
# @param server Host (or hosts, as passed by the caller) to copy from
#
# Used in this file for key material and the master hub address.
{
      source      => "$(from)";
      servers     => { "$(server)" };
      compare     => "digest";
      encrypt     => "true";
      copy_backup => "false";
}
body depth_search ha_update_ha_recurse(d)
# @brief Recurse `d` levels, skipping version control directories
# @param d Depth to descend
{
      exclude_dirs => { "\.svn", "\.git", "git-core" };
      depth        => "$(d)";
}
body depth_search ha_update_recurse(d)
# @brief Recurse `d` levels with xdev enabled
# @param d Depth to descend
{
      # xdev true keeps the search from descending onto other devices.
      xdev  => "true";
      depth => "$(d)";
}
body classes ha_update_if_repaired(x)
# @brief Define class `x` when the promise is repaired
# @param x Name of the class to define
{
      promise_repaired => { "$(x)" };
}
body file_select ha_update_ex_list(names)
# @brief Select every file whose name matches none of `names`
# @param names List of leaf name patterns to exclude
{
      # The "!" inverts the match: a file is selected when leaf_name fails.
      file_result => "!leaf_name";
      leaf_name   => { @(names)};
}
body file_select ha_update_plain
# @brief Select plain files only
{
      file_result => "file_types";
      file_types  => { "plain" };
}
body copy_from ha_update_no_backup_cp(from)
# @brief Copy from `from` without keeping a backup; no servers are set
# @param from Source path
{
      copy_backup => "false";
      source      => "$(from)";
}
body delete ha_tidy
# @brief Copy of body delete tidy from the standard library
#
# Deletes directory links and removes directories.
{
      rmdirs   => "true";
      dirlinks => "delete";
}
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/main.cf 0000644 0000000 0000000 00000007362 15010704240 023742 0 ustar 00root root 0000000 0000000 bundle agent cfe_internal_enterprise_main
# @brief Drive policy related to CFEngine Enterprise
#
# Each class context below gates a group of methods promises; the called
# bundles are defined in other files.
{
methods:
any::
# Runs on every host regardless of edition or role.
"security" -> { InfoSec }
usebundle => change_management,
comment => "Basic change management",
handle => "cfe_internal_enterprise_main_change_management";
enterprise_edition.(policy_server|am_policy_hub)::
# Hub-only maintenance.
"hub" usebundle => cfe_internal_update_folders,
handle => "cfe_internal_management_update_folders",
comment => "Create empty directories for CFE self-upgrade";
"hub" -> { "Mission Portal", "CFEngine Enterprise" }
usebundle => cfe_internal_purge_scheduled_reports_older_than_days( $(def.purge_scheduled_reports_older_than_days) ),
handle => "cfe_internal_management_purge_scheduled_reports_older_than_days",
comment => "So that we do not fill up the disk we need to purge scheduled
reports after some time.";
# Sets docroot, log and ssl directory permissions (cfe_internal_setup_knowledge).
"hub" usebundle => cfe_internal_setup_knowledge,
handle => "cfe_internal_management_setup_knowledge",
comment => "Manage CFE Knowledge Map";
"Enterprise Maintenance"
usebundle => cfe_internal_enterprise_maintenance;
# Only evaluated on versions before 3.24; per the comment string, cf-reactor
# runs alerts from 3.24.0 on.
"hub" usebundle => cfe_internal_php_runalerts,
handle => "cfe_internal_management_php_runalerts",
comment => concat("To run PHP runalerts to check bundle status on SQL and Sketch.",
" ENT-5432: must run after cfe_internal_enterprise_maintenance bundle",
" so that active_hub class is determined. Since version 3.24.0 running",
" alerts is part of cf-reactor"),
if => cf_version_before("3.24");
"Inventory Enterprise License Utilization" -> { "ENT-5089" }
usebundle => inventory_cfengine_enterprise_license_utilization;
enterprise_edition.(policy_server|am_policy_hub).enable_log_cfengine_enterprise_license_utilization::
"hub" -> { "ENT-3186" }
usebundle => log_cfengine_enterprise_license_utilization,
handle => "log_cfengine_enterprise_license_utilization",
comment => "Log license utilization information";
# As passive hub is supposed to run read-only PostgreSQL instance
# doing maintenance makes no sense and is not possible at all.
(enterprise_edition.(policy_server|am_policy_hub).!enable_cfengine_enterprise_hub_ha)||(enable_cfengine_enterprise_hub_ha.hub_active)::
"hub" usebundle => cfe_internal_hub_maintain,
handle => "cfe_internal_management_hub_maintain",
comment => "Start the hub maintenance process";
"hub" usebundle => cfe_internal_truncate_events,
handle => "cfe_internal_truncate_events",
comment => "To run CFE truncate to pending";
postgresql_full_maintenance|postgresql_monitoring_maintenance::
"hub" usebundle => cfe_internal_postgresql_maintenance,
handle => "cfe_internal_management_postgresql_maintenance",
action => measure_promise_time("cfe_internal_management_postgresql_maintenance"),
comment => "Run clean up on PostgreSQL database";
postgresql_vacuum::
"hub" usebundle => cfe_internal_postgresql_vacuum,
handle => "cfe_internal_management_postgresql_vacuum",
action => measure_promise_time("cfe_internal_management_postgresql_vacuum"),
comment => "Maintain PostgreSQL by executing vacuum";
enable_cfe_internal_cleanup_agent_reports::
"any" usebundle => cfe_internal_cleanup_agent_reports,
handle => "cfe_internal_management_cleanup_agent_reports",
comment => "Remove accumulated reports if they grow too large in size";
!windows::
# State directory and cf-execd socket permissions (cfe_internal_permissions).
"Permissions and Ownership"
usebundle => cfe_internal_permissions,
comment => "Specific expectations for permissions and ownership for cfengine itself";
}
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/CFE_knowledge.cf 0000644 0000000 0000000 00000073436 15010704240 025457 0 ustar 00root root 0000000 0000000 ##################################################################
#
# DO NOT EDIT THIS FILE. All policy files prefixed with CFE_ are maintained
# by CFEngine and its original state is required for internal operations of
# CFEngine. If the file has been modified CFEngine's upgrades may require
# manual intervention. Contact CFEngine support if additional information
# and/or recommendation is needed.
#
##################################################################
##################################################################
#
# cfe_internal_setup_knowledge
# - populate knowledge bank database (CFE Enterprise)
#
##################################################################
bundle agent cfe_internal_setup_knowledge
# @brief Policy related to enterprise hubs
#
# Mostly a list of files promises that fix ownership and mode for the Mission
# Portal docroot, web server logs, the ssl directory and the CFEngine workdir.
# Several paths are promised more than once with different file_select bodies,
# so that directories and plain files under the same tree get different modes.
{
classes:
#
# check when updates arrive, new compared to the database
#
"ENT_3572" -> { "ENT-3572" }
comment => "Hosts with this class need to be sure that the ssl directory
is readable and executable by other users",
or => {
"enterprise_3_7_3", "enterprise_3_7_4", "enterprise_3_7_5",
"enterprise_3_10_0"
};
vars:
"install_logs" -> {"ENT-4564"}
slist => findfiles("/var/log/CFEngine*Install.log"),
unless => "windows";
files:
!mpf_disable_mission_portal_docroot_sync_from_share_gui::
# The docroot is refreshed from share/GUI unless the class above disables it.
"$(cfe_internal_hub_vars.docroot)"
comment => "Copy the basic knowledge base configuration from the installation to doc root",
handle => "cfe_internal_setup_knowledge_files_doc_root_1",
copy_from => no_backup_cp_compare("$(sys.workdir)/share/GUI", "binary"),
depth_search => recurse("inf");
any::
# Installer logs are restricted to root.
"$(install_logs)" -> { "ENT-4506" }
perms => mog("0600", "root", "root" );
"$(cfe_internal_hub_vars.docroot)/." -> { "CFE-951" }
comment => "The top level docroot needs to be readable and executable by the web server.",
handle => "cfe_internal_setup_knowledge_dir_doc_root",
perms => mog("0550", "root", $(def.cf_apache_group) );
"$(sys.workdir)/httpd/php/." -> { "ENT-9703", "cfe_internal_setup_knowledge_dir_doc_root_runalerts_stamp" }
create => "true",
comment => "php directory needs to be accessible (execute) to cfapache",
handle => "cfe_internal_setup_knowledge_dir_doc_root_php",
perms => mog("0550", "root", $(def.cf_apache_group) );
"$(sys.workdir)/httpd/php/runalerts-stamp/." -> { "ENT-9703" }
create => "true",
comment => "runalerts-stamp directory needs to be accessible (execute) to cfapache",
handle => "cfe_internal_setup_knowledge_dir_doc_root_runalerts_stamp",
perms => mog("0550", "root", $(def.cf_apache_group) );
# vendor, themes and images below follow one pattern: directories 0550,
# everything else 0440, owner root, group the web server group.
"$(cfe_internal_hub_vars.docroot)/vendor/." -> { "CFE-951" }
comment => "The vendor directory and sub-directories contains dependencies from the code ignitor framework and the directories need to be searchable by the web server.",
handle => "cfe_internal_setup_knowledge_dir_doc_root_vendor_dirs",
depth_search => recurse_with_base("inf"),
file_select => dirs,
perms => mog("0550", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.docroot)/vendor/." -> { "CFE-951" }
comment => "The files in the vendor directory contain dependencies from the code ignitor framework and need to be readable by the web server.",
handle => "cfe_internal_setup_knowledge_dir_doc_root_vendor_not_dir",
depth_search => recurse_with_base("inf"),
file_select => not_dir,
perms => mog("0440", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.public_docroot)/themes/." -> { "CFE-951" }
comment => "The public docroot themes directory needs to be searchable by the web server so that it can find css and images to make Mission Portal look as expected.",
handle => "cfe_internal_setup_knowledge_dir_doc_root_public_themes_dirs",
depth_search => recurse_with_base("inf"),
file_select => dirs,
perms => mog("0550", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.public_docroot)/themes/." -> { "CFE-951" }
comment => "The public docroot themes directory needs to be searchable by the web server so that it can find css and images to make Mission Portal look as expected.",
handle => "cfe_internal_setup_knowledge_dir_doc_root_public_themes_not_dir",
depth_search => recurse_with_base("inf"),
file_select => not_dir,
perms => mog("0440", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.public_docroot)/."
comment => "The public dir in the docroot needs the to be executable by the webserver",
handle => "cfe_internal_setup_knowledge_dir_doc_root_public",
perms => mog("0550", "root", $(def.cf_apache_group) );
# NOTE(review): the comment string below repeats the directory text; this
# promise sets index.php to 0440, i.e. readable by the web server group and
# not executable.
"$(cfe_internal_hub_vars.public_docroot)/index.php"
comment => "The public dir in the docroot needs the to be executable by the webserver",
handle => "cfe_internal_setup_knowledge_dir_doc_root_public_index_php",
perms => mog("0440", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.public_docroot)/images/." -> { "CFE-951" }
comment => "The public docroot images directory needs to be searchable by the webserver so that Mission Portal can load images and look as expected.",
handle => "cfe_internal_setup_knowledge_dir_doc_root_public_images_dirs",
depth_search => recurse_with_base("inf"),
file_select => dirs,
perms => mog("0550", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.public_docroot)/images/." -> { "CFE-951" }
comment => "The public docroot images directory needs to be searchable by the webserver so that Mission Portal can load images and look as expected.",
handle => "cfe_internal_setup_knowledge_dir_doc_root_public_images_not_dir",
depth_search => recurse_with_base("inf"),
file_select => not_dir,
perms => mog("0440", "root", $(def.cf_apache_group) );
"$(sys.workdir)/httpd/."
comment => "httpd dir should be 755",
handle => "cfe_internal_setup_knowledge_dir_httpd",
perms => mog("755", "root", "root");
"$(cfe_internal_hub_vars.docroot)/.htaccess"
comment => "Correct up htaccess file in doc root",
handle => "cfe_internal_setup_knowledge_files_doc_root_htaccess",
copy_from => no_backup_cp("$(sys.workdir)/share/GUI/Apache-htaccess");
# NOTE(review): 0570 gives the web server group write access to the public
# scripts directory while the owner (root) has none. Files inside are set to
# 0440 by the next promise, but the group can still create or replace entries
# between agent runs - confirm the group write bit is required.
"$(cfe_internal_hub_vars.public_docroot)/scripts/." -> { "CFE-951" }
comment => "Ensure permissions for $(cfe_internal_hub_vars.public_docroot)/scripts",
handle => "cfe_internal_setup_knowledge_files_doc_root_scripts_dir",
create => "true",
perms => mog("0570", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.public_docroot)/scripts/." -> { "CFE-951" }
comment => "Ensure permissions for $(cfe_internal_hub_vars.public_docroot)/scripts",
handle => "cfe_internal_setup_knowledge_files_doc_root_scripts_not_dir",
create => "true",
file_select => not_dir,
depth_search => recurse_basedir("inf"),
perms => mog("0440", "root", $(def.cf_apache_group) );
# Writable areas for the web server follow: static, tmp and application/cache
# directories are 0770.
"$(cfe_internal_hub_vars.docroot)/static/." -> { "CFE-951" }
handle => "cfe_internal_setup_knowledge_files_doc_root_static_dir",
create => "true",
perms => mog("0770", "root", $(def.cf_apache_group)),
comment => "Ensure permissions for $(cfe_internal_hub_vars.docroot)/static.
This is where exported and scheduled reports generated by Mission Portal
(temp files to email)";
# Exported report files are readable and writable by the web server user only.
"$(cfe_internal_hub_vars.docroot)/static/." -> { "CFE-951", "ENT-11941" }
handle => "cfe_internal_setup_knowledge_files_doc_root_static_not_dir",
create => "true",
depth_search => recurse_basedir("inf"),
file_select => not_dir,
perms => mog("0600", "$(def.cf_apache_user)", "$(def.cf_apache_group)"),
comment => "Ensure permissions for $(cfe_internal_hub_vars.docroot)/static/*.
This is where exported and scheduled reports generated by Mission Portal (temp
files to download or email)";
"$(cfe_internal_hub_vars.public_docroot)/tmp/." -> { "CFE-951" }
handle => "cfe_internal_setup_knowledge_files_public_doc_root_tmp_dir",
create => "true",
depth_search => recurse_basedir("inf"),
file_select => dirs,
perms => mog("0770", $(def.cf_apache_user), $(def.cf_apache_group)),
comment => "Ensure permissions for $(cfe_internal_hub_vars.public_docroot)/tmp.
This is where css and js files generated by Mission Portal";
"$(cfe_internal_hub_vars.public_docroot)/tmp/." -> { "CFE-951" }
handle => "cfe_internal_setup_knowledge_files_public_doc_root_tmp_not_dir",
create => "true",
depth_search => recurse_basedir("inf"),
file_select => not_dir,
perms => mog("0440", $(def.cf_apache_user), $(def.cf_apache_group)),
comment => "Ensure permissions for $(cfe_internal_hub_vars.public_docroot)/tmp.
This is where css and js files generated by Mission Portal";
# Application code: nothing writable, group read (files) or read+search (dirs).
"$(cfe_internal_hub_vars.docroot)/application" -> { "CFE-951" }
comment => "No one should be able to write to the application, and only
the webserver needs access",
handle => "cfe_internal_setup_knowledge_files_all_not_dir_in_application",
depth_search => cfe_internal_docroot_application_perms,
file_select => not_dir,
perms => mog("0440", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.docroot)/application" -> { "CFE-951" }
comment => "No one should be able to write to the application, and only
the webserver needs access",
handle => "cfe_internal_setup_knowledge_files_all_dirs_in_application",
depth_search => cfe_internal_docroot_application_perms,
file_select => dirs,
perms => mog("0550", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.docroot)/application/cache/." -> { "ENT-11442" }
handle => "cfe_internal_setup_knowledge_files_doc_root_application_cache",
create => "true",
perms => mog("0770", $(def.cf_apache_user), $(def.cf_apache_group)),
comment => "This is where cache generated by Mission Portal is stored.";
"$(cfe_internal_hub_vars.docroot)/api/." -> { "ENT-4250" }
comment => "The api directory and it's subdirectories need to be
executable by cfapache",
perms => mog("0550", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.docroot)/api/." -> { "ENT-4250", "CFE-951" }
depth_search => recurse_ignore( "inf", "static" ),
file_select => dirs,
comment => "The api subdirectories need to be executable by cfapache,
but ignore static here, it needs to be writeable as well,
well take care of it separately",
perms => mog("0550", "root", $(def.cf_apache_group) );
# NOTE(review): the arguments of the two concat() calls below carry no
# separating space, so the resulting comment text presumably runs words
# together ("...need to beexecutable..."). Cosmetic only.
"$(cfe_internal_hub_vars.docroot)/ldap/." -> { "ENT-9693" }
comment => concat( "The ldap directory and it's subdirectories need to be",
"executable by cfapache" ),
depth_search => recurse( "inf" ),
file_select => cfe_internal_docroot_perms,
perms => mog("0550", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.docroot)/ldap/." -> { "ENT-9693" }
depth_search => recurse( "inf" ),
file_select => dirs,
comment => concat( "The ldap subdirectories need to be executable by cfapache",
"but ignore static here, it needs to be writeable as well,",
"well take care of it separately" ),
perms => mog("0550", "root", $(def.cf_apache_group) );
# API tree: files selected by cfe_internal_exclude_sh_pl_scripts are read-only
# (0440), files selected by cfe_internal_sh_pl_scripts are executable for
# root and the web server group (0550).
"$(cfe_internal_hub_vars.docroot)/api/." -> { "CFE-951" }
depth_search => recurse_basedir("inf"),
handle => "cfe_internal_setup_knowledge_files_doc_root_api",
file_select => cfe_internal_exclude_sh_pl_scripts,
perms => mog("0440", "root", $(def.cf_apache_group) ),
comment => "No one should be able to write to the application config code,
and only the webserver needs access to read the config.";
"$(cfe_internal_hub_vars.docroot)/api/."
depth_search => recurse_basedir("inf"),
handle => "cfe_internal_setup_knowledge_files_doc_root_api_scripts",
file_select => cfe_internal_sh_pl_scripts,
perms => mog("0550", "root", $(def.cf_apache_group) ),
comment => "The scripts need to be executable, but only by the
webserver and root users.";
"$(cfe_internal_hub_vars.docroot)/api/static/."
perms => mog("0770", "root", $(def.cf_apache_group) ),
comment => "This is where exported PDF and CSV reports from Mission
Portal are written, it be writeable by the webserver";
"$(cfe_internal_hub_vars.docroot)/api/static/." -> { "CFE-951" }
comment => "Exported reports only need to be readable by the webserver.",
handle => "cfe_internal_setup_knowledge_files_doc_root_api_static_not_dir",
depth_search => recurse("inf"),
file_select => cfe_internal_docroot_api_static_perms,
perms => mog("0440", "root", $(def.cf_apache_group) );
"$(cfe_internal_hub_vars.docroot)/api/static/." -> { "ENT-4551", "CFE-951" }
comment => ".status, .pid, and potentially .abort files need to be writeable so that the async query API will function properly",
handle => "cfe_internal_setup_knowledge_files_doc_root_api_static_async_query_status",
depth_search => recurse("inf"),
file_select => cfe_internal_docroot_api_static_async_query_status_status_perms,
perms => mog("0660", "root", $(def.cf_apache_group) );
# Web server logs: application logs belong to the web server user, the
# top-level log files to root, all 0600.
"$(sys.workdir)/httpd/logs/application/." -> { "ENT-7731", "ENT-2758", "ENT-8908", "CFE-951" }
comment => "Ensure permissions for $(sys.workdir)/httpd/logs/application/.",
handle => "cfe_internal_setup_knowledge_files_httpd_application_log_dir",
create => "true",
perms => mog("0750", $(def.cf_apache_user), $(def.cf_apache_group));
"$(sys.workdir)/httpd/logs/application/." -> { "ENT-7730" }
comment => "Ensure permissions for $(sys.workdir)/httpd/logs/application/.*",
handle => "cfe_internal_setup_knowledge_files_httpd_application_log_files",
file_select => plain,
depth_search => recurse( "inf" ),
perms => mog("0600", $(def.cf_apache_user), $(def.cf_apache_group));
"$(sys.workdir)/httpd/logs/." -> { "CFE-951" }
comment => "Ensure permissions for $(sys.workdir)/httpd/logs",
handle => "cfe_internal_setup_knowledge_files_httpd_logs_dir",
create => "true",
perms => mog("0750", $(def.cf_apache_user), $(def.cf_apache_group));
# NOTE(review): root is passed as a bare word in this promise; every other
# promise in the bundle quotes it.
"$(sys.workdir)/httpd/logs/." -> { "ENT-7730" }
comment => "Ensure permissions for $(sys.workdir)/httpd/logs",
handle => "cfe_internal_setup_knowledge_files_httpd_log_files",
file_select => plain,
depth_search => recurse_with_base( "0" ),
perms => mog("0600", root, root);
"/var/log/postgresql.log" -> { "ENT-7961" }
comment => "Ensure permissions for PostgreSQL log",
handle => "cfe_internal_setup_knowledge_files_postgresql_log_file",
perms => mog("0600", "cfpostgres", "cfpostgres");
# NOTE(review): both ssl/. promises set a directory mode without any execute
# bit (0440, or 0444 under ENT_3572), while the ENT_3572 class comment speaks
# of "readable and executable". Whether search permission is added to
# directories depends on how the mog perms body is defined, which is not
# visible here - confirm the effective mode on a hub.
"$(cfe_internal_hub_vars.docroot)/../ssl/."
perms => mog("0440", "root", "root" ),
if => not( "ENT_3572" );
"$(cfe_internal_hub_vars.docroot)/../ssl/." -> { "ENT-3572" }
perms => mog("0444", "root", "root" ),
if => "ENT_3572",
comment => "Exported be 0 bytes in some versions if the ssl directory is
not accessible to all users.";
# No file_select here: the private directory and everything below it become
# root:root 0440, so only root (owner and group) can read the keys.
"$(cfe_internal_hub_vars.docroot)/../ssl/private/."
depth_search => recurse_with_base("inf"),
perms => mog("0440", "root", "root"),
comment => "Private keys are secrets and should not be accessible by
anyone other than root.";
"$(cfe_internal_hub_vars.docroot)/../ssl/csr/."
depth_search => recurse_with_base("inf"),
perms => mog("0440", "root", "root"),
comment => "Certificate signing requests, while not secrets do not need to
be readable by others.";
# Certificates are public material and are world-readable (0444).
"$(cfe_internal_hub_vars.docroot)/../ssl/certs/." -> { "ENT-3050", "Mission Portal" }
depth_search => recurse_with_base("inf"),
perms => mog("0444", "root", "root"),
comment => "Certificates need to be read by any user wishing to validate
a request. For example Mission Portals api.";
"$(cfe_internal_hub_vars.docroot)/." -> { "CFE-951"}
depth_search => recurse_basedir("inf"),
handle => "cfe_internal_setup_knowledge_files_doc_root_htaccess_perms",
file_select => cfe_internal_htaccess,
perms => mog("0440", "root", $(def.cf_apache_group) ),
comment => ".htaccess files should only be readable by webserver.";
# The LDAP settings file is owned by and writable for the web server user, so
# its content is only as trustworthy as the web application that edits it.
"$(cfe_internal_hub_vars.docroot)/ldap/config/settings.ldap.php" -> { "ENT-3400" }
handle => "cfe_internal_setup_knowledge_files_ldap_config_settings_perms",
perms => mog("0600", $(def.cf_apache_user), $(def.cf_apache_group) ),
if => fileexists( "$(cfe_internal_hub_vars.docroot)/ldap/config/settings.ldap.php" ),
comment => "If the ldap settings are not writeable by
$(def.cf_apache_user) then users will not be able to change
ldap settings.";
# The pristine copy of the Mission Portal code is root-only (0400), applied
# recursively without a file_select.
"$(sys.workdir)/share/GUI/."
perms => mog("0400", "root", "root" ),
depth_search => recurse_basedir("inf"),
comment => "No Mission Portal code in share needs to be accessed by
anyone";
"$(sys.workdir)/." -> { "ENT-3299" }
perms => mog("755", "root", "root"),
comment => "Ensure that others (like cfpostgres and cfapache) are able
to enter and read from cfengines workdir";
"$(sys.workdir)/modules/."
perms => mog("755", "root", "root"),
comment => "The agent will complain if any other users (group or other)
have write access to the modules directory.";
# Upload area for custom action scripts, writable by the web server group.
# NOTE(review): what runs the uploaded scripts, and with which privileges, is
# not visible in this file - confirm they are not executed as root.
"/opt/cfengine/notification_scripts/." -> { "ENT-5070" }
create => "true",
perms => mog("770", "root", $(def.cf_apache_group) ),
comment => "If this directory is not present and writable by the
web-server, then Mission Portal users will be unable to
upload custom action scripts.";
}
bundle agent cfe_internal_permissions
# @brief Specific expectations for permissions and ownership of CFEngine with respect to the Enterprise Edition
#
# Covers the state directory, the PostgreSQL data directory below it and the
# cf-execd socket directory. The access control entries are built from user
# lists, one "user:<name>:<perms>:allow" entry per user.
{
vars:
# nonstandard directories in statedir
"_statedir_standard_perm_exceptions"
slist => { "pg", "cf-execd.sockets" };
# Derive the users that should be able to access cf-execd sockets
# NOTE(review): every user in def.control_executor_runagent_socket_allow_users
# ends up with rw on runagent.socket below, so that list is the access control
# for the socket - keep it as short as possible.
"_cf_execd_socket_allow_users"
slist => { @(def.control_executor_runagent_socket_allow_users) };
# Only defined on hubs; adds the database and web server users.
"_cf_statedir_allow_users"
slist => { "cfpostgres", "cfapache", @(def.control_executor_runagent_socket_allow_users) },
if => "enterprise_edition.(policy_server|am_policy_hub)";
# Derive the aces for users allowed to access cf-execd sockets
"_cf_execd_socket_dir_user_aces" -> { "ENT-6777" }
slist => maplist( "user:$(this):rx:allow", @(_cf_execd_socket_allow_users) );
"_cf_execd_socket_runagent_user_aces" -> { "ENT-6777" }
slist => maplist( "user:$(this):rw:allow", @(_cf_execd_socket_allow_users) );
"_cf_statedir_user_aces" -> { "ENT-6777" }
slist => maplist( "user:$(this):rx:allow", @(_cf_statedir_allow_users) );
files:
!(policy_server|am_policy_hub)::
# Hosts that are not hubs: one recursive pass for non-directories and one for
# directories, using perms bodies defined elsewhere.
"$(sys.statedir)/." -> { "ENT-4773", "CFE-951" }
handle => "state_dir_not_dir_perms",
perms => state_dir_system_owned_files(),
# Important to recurse across file system boundaries, as databases and or state are commonly on different filesystems
depth_search => recurse_with_base( inf ),
file_select => not_dir;
"$(sys.statedir)/." -> { "ENT-4773", "CFE-951" }
handle => "state_dir_dirs_perms",
perms => state_dir_system_owned_dirs(),
# Important to recurse across file system boundaries, as databases and or state are commonly on different filesystems
depth_search => recurse_with_base( inf ),
file_select => dirs;
enterprise_edition.(policy_server|am_policy_hub)::
# Hubs: the state directory itself is root:cfpostgres 0750 plus the ACL.
"$(sys.statedir)/." -> { "CFE-951" }
perms => mog("0750", "root", "cfpostgres"),
acl => cf_statedir_acl( @(_cf_statedir_user_aces) ),
comment => "The database user must be able to read the parent directory of the database or it won't be accessible";
# The recursive passes skip pg and cf-execd.sockets, which get their own
# promises further down.
"$(sys.statedir)/." -> { "CFE-951" }
perms => state_dir_system_owned_files(),
depth_search => recurse_except( inf, @(_statedir_standard_perm_exceptions) ),
file_select => not_dir,
comment => "The database user must be able to read the parent directory of the database or it won't be accessible";
"$(sys.statedir)/." -> { "CFE-951" }
perms => state_dir_system_owned_dirs(),
depth_search => recurse_except( inf, @(_statedir_standard_perm_exceptions) ),
file_select => dirs,
comment => "The database user must be able to read the parent directory of the database or it won't be accessible";
# Database files 0600 and directories 0700, owned by cfpostgres.
"$(sys.statedir)/pg/." -> { "CFE-951" }
perms => mog("0600", "cfpostgres", "cfpostgres"),
depth_search => recurse_with_base( inf ),
file_select => not_dir,
comment => "No one except for the database user needs to access where the db is installed.";
"$(sys.statedir)/pg/." -> { "CFE-951" }
perms => mog("0700", "cfpostgres", "cfpostgres"),
depth_search => recurse_with_base( inf ),
file_select => dirs,
comment => "No one except for the database user needs to access where the db is installed.";
# Socket directory: listed users get rx; the socket itself: listed users get rw.
# Both promises are skipped when the path does not exist yet.
"$(sys.statedir)/cf-execd.sockets/." -> { "ENT-6777" }
acl => cf_execd_socket_dir_acl( @(_cf_execd_socket_dir_user_aces) ),
if => isdir( "$(sys.statedir)/cf-execd.sockets" );
"$(sys.statedir)/cf-execd.sockets/runagent.socket" -> { "ENT-6777" }
acl => cf_execd_socket_runagent_acl( @(_cf_execd_socket_runagent_user_aces) ),
if => fileexists( "$(sys.statedir)/cf-execd.sockets/runagent.socket" );
}
body acl cf_statedir_acl( aces )
# @brief Describe ACL for state directory (sys.statedir)
# @param aces A list of additional access control rules that should be used
#
# * User is allowed read, write, execute
# * Group is allowed read, execute
# * Permissions described by @(aces)
# * Other is allowed nothing
#
# acl_method is "overwrite", so the list below is the complete ACL that is
# promised rather than an addition to whatever is already set.
#
# **Example:**
#
# ```
# bundle agent example
# {
# vars:
# "_cf_statedir_allow_users"
# slist => { "root", "cfpostgres", "cfapache" };
# "_cf_statedir_user_aces"
# slist => maplist( "user:$(this):rx:allow", @(_cf_statedir_allow_users) );
# files:
# "$(sys.statedir)/."
# acl => cf_statedir_acl( @(_cf_statedir_user_aces) );
# }
# ```
#
{
acl_method => "overwrite";
acl_type => "posix";
aces => { "user:*:rwx:allow",
"group:*:rx:allow",
@(aces),
"all:---:allow"
};
}
body acl cf_execd_socket_dir_acl( aces )
# @brief Describe ACL for cf-execd socket directory
# @param aces A list of additional access control rules that should be used
#
# * Owner is allowed read, write, execute
# * Group is allowed nothing
# * Permissions described by @(aces)
# * Other is allowed nothing
#
# `acl_method` is "overwrite", so the resulting ACL is the list below and
# nothing else: accounts that must reach the sockets in this directory have to
# be passed in via `aces`.
#
# **Example:**
#
# ```
# bundle agent example
# {
# vars:
# "_cf_execd_socket_allow_users"
# slist => { "cfapache" };
# "_cf_execd_socket_dir_user_aces"
# slist => maplist( "user:$(this):rx:allow", @(_cf_execd_socket_allow_users) );
# files:
# "$(sys.statedir)/cf-execd.sockets/."
# acl => cf_execd_socket_dir_acl( @(_cf_execd_socket_dir_user_aces) );
# }
# ```
#
{
# Replace the existing ACL instead of appending to it.
acl_method => "overwrite";
acl_type => "posix";
# Order: owning user, owning group (no access), the caller's extra entries,
# and last the entry that leaves everyone else without access.
aces => { "user:*:rwx:allow",
"group:*:---:allow",
@(aces),
"all:---:allow"
};
}
body acl cf_execd_socket_runagent_acl( aces )
# @brief Describe ACL for cf-execd runagent socket
# @param aces A list of additional access control rules that should be used
#
# * Owner is allowed read, write
# * Group is allowed nothing
# * Permissions described by @(aces)
# * Other is allowed nothing
#
# `acl_method` is "overwrite", so the resulting ACL is the list below and
# nothing else: accounts that may use the socket have to be passed in via
# `aces`.
#
# **Example:**
#
# ```
# bundle agent example
# {
# vars:
# "_cf_execd_socket_allow_users"
# slist => { "cfapache" };
# "_cf_execd_socket_runagent_user_aces"
# slist => maplist( "user:$(this):rx:allow", @(_cf_execd_socket_allow_users) );
# files:
# "$(sys.statedir)/cf-execd.sockets/runagent.socket"
# acl => cf_execd_socket_runagent_acl( @(_cf_execd_socket_runagent_user_aces) );
# }
# ```
#
# NOTE(review): the example grants `rx` while the owner entry below is `rw`;
# on Linux, connecting to a Unix socket needs write permission on it, so
# confirm which mode callers are expected to pass.
#
{
# Replace the existing ACL instead of appending to it.
acl_method => "overwrite";
acl_type => "posix";
# Order: owning user, owning group (no access), the caller's extra entries,
# and last the entry that leaves everyone else without access.
aces => { "user:*:rw:allow",
"group:*:---:allow",
@(aces),
"all:---:allow"
};
}
#############################################################################
body depth_search recurse_except( d, exceptions)
# @brief Recurse (across device boundaries) `d` levels, skipping the base
#        directory itself and every directory named in `exceptions`
# @param d Number of levels to descend
# @param exceptions List of directories to leave out of the search
{
      depth           => "$(d)";
      # The promiser directory is not part of the result set.
      include_basedir => "false";
      exclude_dirs    => { @(exceptions) };
}
############################################################################
body depth_search recurse_basedir(d)
# @brief Recurse `d` levels and include the base directory in the result
# @param d Number of levels to descend
{
      depth           => "$(d)";
      include_basedir => "true";
}
###########################################################################
body depth_search recurse_basedir_exclude(d)
# @brief Recurse `d` levels including the base directory, but do not descend
#        into directories named `static`
# @param d Number of levels to descend
{
      depth           => "$(d)";
      include_basedir => "true";
      exclude_dirs    => { "static" };
}
############################################################################
body file_select cfe_internal_docroot_perms
# @brief Select non-directory entries outside the docroot `vendor/` tree,
#        leaving out `.htaccess`, `settings.ldap.php` and `ha_enabled`
{
      # Names that are skipped:
      # - .htaccess files are going away
      # - settings.ldap.php permissions are handled explicitly in its own bundle
      # - ha_enabled permissions are handled explicitly by
      #   cfengine_enterprise_ha_enabled_semaphore_present
      leaf_name   => { "\.htaccess", "settings.ldap.php", "ha_enabled" };
      file_types  => { "dir" };
      path_name   => { "$(cfe_internal_hub_vars.docroot)/vendor/.*"};

      # An entry is selected only when none of the three criteria match.
      file_result => "!leaf_name.!file_types.!path_name";
}
############################################################################
body depth_search recurse_exclude(d)
# @brief Recurse `d` levels without descending into a fixed list of directories
# @param d Number of levels to descend
{
      depth        => "$(d)";
      exclude_dirs => {
                        "hub" ,
                        "graphs",
                        "scripts",
                        "tmp",
                        "static",
                        "logs",
                        "api",
                        "rest",
                        "application",
                        "dc-scripts"
                      };
}
############################################################################
body file_select cfe_internal_exclude_sh_pl_scripts
# @brief Select plain files whose names do not end in `.sh` or `.pl`
{
      file_types  => { "plain" };
      leaf_name   => { ".*\.sh",".*\.pl"};
      # Plain file AND name not matching either pattern.
      file_result => "!leaf_name.file_types";
}
############################################################################
body file_select cfe_internal_sh_pl_scripts
# @brief Select plain files whose names end in `.sh` or `.pl`
{
      file_types  => { "plain" };
      leaf_name   => { ".*\.sh",".*\.pl" };
      # Plain file AND name matching one of the patterns.
      file_result => "leaf_name.file_types";
}
############################################################################
body file_select cfe_internal_htaccess
# @brief Select entries named `.htaccess` that are not directories
{
      leaf_name   => { "\.htaccess" };
      file_types  => { "dir" };
      # Name matches AND the entry is not a directory.
      file_result => "leaf_name.!file_types";
}
############################################################################
body file_select cfe_internal_exclude_index_html
# @brief Select every entry whose name does not match `index.html`
{
      # The name is used as a pattern, so the dot is not escaped here.
      leaf_name   => { "index.html" };
      file_result => "!leaf_name";
}
############################################################################
body file_select cfe_internal_docroot_api_static_perms
# @brief Select non-directory entries, leaving out `.htaccess` and the
#        `.status`, `.pid` and `.abort` files of the async query mechanism
{
      # ENT-4551 - the async query mechanism's .status, .pid and (potentially)
      # .abort files have to stay writeable by the webserver. They are left
      # out here so this selection does not keep repairing them.
      leaf_name   => { "\.htaccess", "\.status", "\.pid", "\.abort" };
      file_types  => { "dir" };
      # Name matches none of the patterns AND the entry is not a directory.
      file_result => "!leaf_name.!file_types";
}
############################################################################
body file_select cfe_internal_docroot_api_static_async_query_status_status_perms
# @brief Select the `.status`, `.pid` and `.abort` files used by the
#        asynchronous query API, which need to be writeable
{
      # ENT-4551 - these files are written by the webserver on behalf of the
      # async query mechanism.
      leaf_name   => { "\.status", "\.pid", "\.abort" };
      file_types  => { "dir" };
      # Name matches one of the patterns AND the entry is not a directory.
      file_result => "leaf_name.!file_types";
}
############################################################################
body depth_search cfe_internal_docroot_application_perms
# @brief Recurse without a depth limit, not descending into `logs` or `cache`
{
      depth        => "inf";
      exclude_dirs => { "logs", "cache" };
}
############################################################################
body perms state_dir_system_owned_files
# @brief Permissions for system-owned files in the state directory: mode 0600,
# owner root (non-Windows), group chosen per platform
{
#+begin_ENT-951
# Remove after 3.20 is not supported
# rxdirs is set to "true" first and set again to "false" inside the macro
# block, which is only read by agents of version 3.20 or newer.
# NOTE(review): presumably the second assignment is the one that applies on
# 3.20+, so that directories get exactly the promised mode — confirm.
rxdirs => "true";
@if minimum_version(3.20)
rxdirs => "false";
@endif
#+end
# Owner read/write only; nothing for group and other.
mode => "0600";
!windows::
owners => { "root" };
# The group depends on the platform: wheel on the BSDs and darwin, system on
# AIX, sys on HP-UX, and root everywhere else.
freebsd|openbsd|netbsd|darwin::
groups => { "wheel" };
aix::
groups => { "system" };
hpux::
groups => { "sys" };
!(freebsd|openbsd|netbsd|darwin|aix|hpux)::
groups => { "root" };
}
body perms state_dir_system_owned_dirs
# @brief Directory counterpart of state_dir_system_owned_files: everything is
#        inherited from that body except the mode, which is 0700 here
{
      inherit_from => state_dir_system_owned_files;
      # Directories need the owner execute bit to be traversable.
      mode         => "0700";
}
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/federation/ 0000755 0000000 0000000 00000000000 15010704326 024621 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/cfe_internal/enterprise/federation/federation.cf 0000644 0000000 0000000 00000131112 15010704240 027245 0 ustar 00root root 0000000 0000000 # @brief This policy file handles Federated Reporting setup and ongoing operations.
#
# There are several augments which can be used to tune the behavior of this policy:
#
# - `cfengine_mp_fr_dependencies_auto_install` class
#
# If defined then all non-shipped dependencies needed for Federated Reporting will be installed.
#
# ```json
# {
# "classes": {
# "cfengine_mp_fr_dependencies_auto_install": [ "any::" ]
# }
# }
# ```
#
# - `cfengine_mp_fr_enable_distributed_cleanup` class
# If defined then the distributed_cleanup script is partially set up and enabled to run.
# Setup involves some manual steps detailed in templates/federated_reporting/distributed_cleanup.py.
# The script deletes hosts on feeder hubs when a different feeder has a more recent
# incoming communication (last seen database). Each feeder queries the superhub for
# last seen information from other feeders.
#
# ```json
# {
# "classes": {
# "cfengine_mp_fr_enable_distributed_cleanup": [ "any::" ]
# }
# }
# ```
body file control
# Bundles and bodies declared after this point in the file belong to the
# cfengine_enterprise_federation namespace; names from the standard library
# are referenced with the `default:` prefix.
{
      namespace => "cfengine_enterprise_federation";
}
bundle agent config
# @brief Read/parse config JSON, define variables and classes for use later
#
# The configuration is read from federation-config.json in the cfapache
# directory below $(federation_dir). Roles, transport modes, SSH user/host,
# SSH public keys and host key fingerprints from that file are turned into
# variables and namespace-scoped classes here.
# NOTE(review): the `pubkeys` and `fingerprints` lists built below are values
# taken straight from that JSON file; if they feed the transport user's SSH
# files, write access to the JSON file has to be treated like the ability to
# grant SSH access for that user — confirm who can write it.
{
vars:
enterprise_edition.(policy_server|am_policy_hub)::
"federation_dir" string => "/opt/cfengine/federation";
"bin_dir" string => "$(federation_dir)/bin";
"path" string => "$(federation_dir)/cfapache/federation-config.json";
"path_setup_status" string => "$(federation_dir)/cfapache/setup-status.json";
# Default only: skipped when dump_interval is already defined.
"dump_interval" -> { "ENT-4806", "ENT-10900" }
int => "20",
if => not( isvariable( "cfengine_enterprise_federation:config.dump_interval" ) ),
comment => "Dump data on the feeders every 20 minutes";
# TODO: don't hard-code cftransport user
"transport_user" -> { "ENT-4610" } string => "cftransport";
"transport_home"
string => "$(cfengine_enterprise_federation:config.federation_dir)/cftransport";
config_present::
# Parsed only once the config_present class (file exists) is set.
"data" data => readjson( $(path) );
classes:
enterprise_edition.(policy_server|am_policy_hub)::
"config_present"
expression => fileexists( $(path) );
config_present::
# "enabled" covers both the "on" and the "paused" target state.
"enabled" expression => or(strcmp("on", "$(data[target_state])"),
strcmp("paused", "$(data[target_state])")),
scope => "namespace";
"am_off" expression => strcmp("off", "$(data[target_state])"),
scope => "namespace";
"am_on" expression => strcmp("on", "$(data[target_state])"),
scope => "namespace";
# _stdlib_path_exists_getenforce and paths.getenforce are defined by masterfiles/lib/paths.cf
default:_stdlib_path_exists_getenforce::
# Set only when getenforce prints exactly "Enforcing".
"selinux_enabled"
expression => strcmp("Enforcing", execresult("$(default:paths.getenforce)", useshell)),
scope => "namespace";
vars:
enabled::
"role" string => "$(data[role])";
"remotes" slist => getindices( @(data[remote_hubs]) );
"login" string => ""; # default
# Replaced by ssh_user@ssh_host of a remote hub that passes both checks below.
# NOTE(review): this iterates over $(remotes); which remote ends up in
# "login" when several qualify is not evident from here — confirm.
"login"
string => "$(data[remote_hubs][$(remotes)][transport][ssh_user])@$(data[remote_hubs][$(remotes)][transport][ssh_host])",
if => and(
# To ensure we are using a remote hub that's actually enabled
strcmp( "on", "$(data[remote_hubs][$(remotes)][target_state])" ),
# To ensure the remote we are pushing to actually needs the data (is a superhub)
strcmp( "superhub", "$(data[remote_hubs][$(remotes)][role])" ));
am_superhub::
# Public keys of enabled pushing feeders need to be trusted (on a superhub)
"pubkey[$(remotes)]" string => "$(data[remote_hubs][$(remotes)][transport][ssh_pubkey])",
if => and( strcmp( "on", "$(data[remote_hubs][$(remotes)][target_state])" ),
strcmp( "feeder", "$(data[remote_hubs][$(remotes)][role])" ),
strcmp( "push_over_rsync", "$(data[remote_hubs][$(remotes)][transport][mode])"));
am_feeder::
# List of superhub hostkeys for use with dump process
"superhubs[$(remotes)]" string => "$(data[remote_hubs][$(remotes)][hostkey])",
if => and( strcmp( "on", "$(data[remote_hubs][$(remotes)][target_state])" ),
strcmp( "superhub", "$(data[remote_hubs][$(remotes)][role])" ),
strcmp( "pull_over_rsync", "$(data[remote_hubs][$(remotes)][transport][mode])"));
"superhub_hostkeys" string => join(" ", getvalues(superhubs));
# Public key(s) of enabled pulling superhub(s) need(s) to be trusted (on a feeder)
"pubkey[$(remotes)]" string => "$(data[remote_hubs][$(remotes)][transport][ssh_pubkey])",
if => and( strcmp( "on", "$(data[remote_hubs][$(remotes)][target_state])" ),
strcmp( "superhub", "$(data[remote_hubs][$(remotes)][role])" ),
strcmp( "pull_over_rsync", "$(data[remote_hubs][$(remotes)][transport][mode])"));
am_superhub|am_feeder::
"pubkeys" slist => getvalues( pubkey );
# Per ssh_host: the ssh_fingerprint value split on newlines.
"fingerprint[$(data[remote_hubs][$(remotes)][transport][ssh_host])]"
slist => string_split("$(data[remote_hubs][$(remotes)][transport][ssh_fingerprint])", "$(const.n)", "inf"),
# To ensure we are using a remote hub that's enabled
if => strcmp( "on", "$(data[remote_hubs][$(remotes)][target_state])" );
# One "<ssh_host> <fingerprint line>" string per entry.
"fingerprints" slist => maparray("$(this.k) $(this.v)", fingerprint);
"feeder[$(remotes)]" string => "$(data[remote_hubs][$(remotes)][hostkey])",
if => strcmp( "feeder", "$(data[remote_hubs][$(remotes)][role])" );
classes:
enabled::
# Knowing if feeder or superhub is based on explicit setting of role in
# path (federation-config.json)
"am_feeder"
expression => strcmp("feeder", "$(data[role])"),
scope => "namespace";
"am_superhub"
expression => strcmp("superhub", "$(data[role])"),
scope => "namespace";
"am_pusher"
and => {strcmp("superhub", "$(data[remote_hubs][$(remotes)][role])"),
strcmp("on", "$(data[remote_hubs][$(remotes)][target_state])"),
strcmp("push_over_rsync", "$(data[remote_hubs][$(remotes)][transport][mode])")},
comment => "Has an enabled remote superhub with push as transport method, should run push transport",
scope => "namespace";
"am_puller"
and => {"am_superhub",
strcmp("on", "$(data[remote_hubs][$(remotes)][target_state])"),
strcmp("pull_over_rsync", "$(data[remote_hubs][$(remotes)][transport][mode])")},
comment => "Superhub with some enabled remote hub with pull as transport method, should run pull transport",
scope => "namespace";
"am_transporter"
or => {"am_pusher", "am_puller"},
scope => "namespace";
"am_paused"
expression => strcmp("paused", "$(data[target_state])"),
scope => "namespace";
# Note: in order to see these debugs you must either define the default DEBUG class
# or the namespace prefixed class like:
# cf-agent -KI -DDEBUG
# or
# cf-agent -KI -Dcfengine_enterprise_federation:DEBUG_config
reports:
enabled.(default:DEBUG|DEBUG_config)::
"Federation enabled!";
am_superhub.(default:DEBUG|DEBUG_config)::
"I'm a superhub!";
am_feeder.(default:DEBUG|DEBUG_config)::
"I'm a feeder!";
am_pusher.(default:DEBUG|DEBUG_config)::
"I'm pushing dumps!";
am_puller.(default:DEBUG|DEBUG_config)::
"I'm pulling dumps!";
am_transporter.(default:DEBUG|DEBUG_config)::
"I'm a transporter!";
am_paused.(default:DEBUG|DEBUG_config)::
"I'm paused so won't do any import/dump";
}
bundle agent distributed_cleanup_dependencies
# @brief Check for the python3 and urllib3 dependencies of the distributed
#        cleanup utility (used with the cfengine_mp_fr_enable_distributed_cleanup class)
#
# Note: these requirements only matter on the superhub, which runs the
# distributed cleanup python script. Feeders only run the shell script and
# need no python dependencies.
{
  vars:
    # Package names per platform family.
    debian|ubuntu|redhat_9|rocky_9::
      "packages" slist => { "python3", "python3-urllib3" };

    redhat_8|centos_8::
      "packages" slist => { "python36", "python3-urllib3" };

    redhat_7|centos_7::
      "packages" slist => { "python3" };

  classes:
    # No package list exists for these platforms, so the interpreter and the
    # module are probed with shell commands instead.
    (redhat_6|centos_6)::
      "cfengine_mp_fr_distributed_cleanup_python3_installed"
        expression => returnszero(
                        "$(sys.bindir)/cfengine-selected-python --version | grep -q ' 3.'",
                        "useshell"
                      );

    (redhat_6|centos_6|redhat_7|centos_7)::
      "cfengine_mp_fr_distributed_cleanup_urllib3_installed"
        expression => returnszero(
                        "echo 'import urllib3' | $(sys.bindir)/cfengine-selected-python 2>/dev/null",
                        "useshell"
                      );

  packages:
    debian|ubuntu::
      # Warn only: nothing is installed on these platforms.
      "$(packages)"
        package_module => default:apt_get,
        policy         => "present",
        action         => default:policy ( "warn" ),
        classes        => default:results("bundle", "cfengine_mp_fr_distributed_cleanup_packages");

    redhat.!(centos_6|redhat_6)::
      # NOTE(review): unlike the apt_get promise above, this one carries no
      # warn-only action — confirm whether installing here is intended.
      "$(packages)"
        package_module => default:yum,
        policy         => "present",
        classes        => default:results("bundle", "cfengine_mp_fr_distributed_cleanup_packages");

  reports:
    (redhat_6|centos_6).!cfengine_mp_fr_distributed_cleanup_python3_installed::
      "error: python3 is required for distributed cleanup utility. On this platform it is recommened you install python3 from source (https://docs.python.org/3.10/using/unix.html#building-python)";

    (redhat_6|centos_6).!cfengine_mp_fr_distributed_cleanup_urllib3_installed::
      "error: python3 module urllib3 is required for distributed cleanup utility. On this platform it is recommend you install via pip3 after installing python3 from source";

    (redhat_7|centos_7).!cfengine_mp_fr_distributed_cleanup_urllib3_installed::
      "error: python3 module urllib3 is required for distributed cleanup utility. On this platform please install with the command `pip3 install urllib3`";
}
bundle agent semanage_installed
# @brief Promise the package that provides the semanage utility
#
# The package promise repairs ("fix") when semanage is already available or
# when the cfengine_mp_fr_dependencies_auto_install class is defined;
# otherwise it only warns.
{
  vars:
      # "fix" or "warn", handed to the action body of the packages promises.
      "semanage_action"
        string => ifelse(
                    "default:_stdlib_path_exists_semanage", "fix",
                    "default:cfengine_mp_fr_dependencies_auto_install", "fix",
                    "warn"
                  ),
        comment => "We only want to use semanage if it's available, or if we have
indicated it's ok to install it automatically. This variable
is subsequently used by a commands and packages promises to
warn or fix based.";

    # Name of the package that ships semanage on each platform.
    debian_6|debian_7|debian_8|ubuntu_12|ubuntu_14|ubuntu_16|rhel_5::
      "semanage_package" string => "policycoreutils";

    debian_9|debian_10|ubuntu_18|redhat_8|centos_8|redhat_9|rocky_9::
      "semanage_package" string => "policycoreutils-python-utils";

    redhat_6|centos_6|redhat_7|centos_7::
      "semanage_package" string => "policycoreutils-python";

  packages:
    debian|ubuntu::
      "$(semanage_package)"
        package_module => default:apt_get,
        policy         => "present",
        action         => default:policy ( $(semanage_action) );

    redhat::
      "$(semanage_package)"
        package_module => default:yum,
        policy         => "present",
        action         => default:policy ( $(semanage_action) );

  reports:
    default:DEBUG|DEBUG_semanage_installed::
      "paths.semanage = $(default:paths.semanage)";

    !default:_stdlib_path_exists_semanage.!default:cfengine_mp_fr_dependencies_auto_install::
      "semanage command is not available at $(default:paths.semanage). Will only install needed package if cfengine_mp_fr_dependencies_auto_install class is defined in augments(def.json) or with --define cf-agent option.";
}
bundle agent ssh_keygen(key_path)
# @brief Generate an SSH key pair at `key_path` unless that file already exists
# @param key_path Path of the private key file to create
#
# `-N ''` asks ssh-keygen for an empty passphrase, so the private key is
# stored unencrypted and is protected only by the ownership and mode of the
# file and its directory.
{
  commands:
      "/usr/bin/ssh-keygen"
        if     => not( fileexists( "$(key_path)" )),
        args   => "-N '' -f $(key_path)",
        handle => "ssh_keys_configured";
}
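bundle agent ssh_selinux_context(home, ssh_paths)
# @brief Ensure the `.ssh` directory below `home` and the SSH files in it carry
#        the ssh_home_t SELinux type
# @param home Home directory whose `.ssh` tree is checked
# @param ssh_paths Data container with the keys `auth_keys`, `priv_key`,
#        `pub_key` and `config`, each holding the path of one SSH file
#
# A file context rule for `$(home)/.ssh(/.*)?` is added with semanage when it
# is missing, and restorecon relabels the tree when any existing file lacks
# the ssh_home_t type.
{
  classes:
    default:_stdlib_path_exists_semanage::
      # Set when `semanage fcontext -l` lists no rule for the .ssh tree.
      "cftransport_fcontext_missing"
        expression => not(returnszero("$(default:paths.semanage) fcontext -l | grep '$(home)/.ssh(/.*)?'", "useshell")),
        if => fileexists("$(home)");

    any::
      # For all the files below it must be true that if they exist they need
      # to have the right context.
      # IOW, the following implication: if fileexists() then correct_context.
      # IOW, the following OR: not(fileexists()) or correct_context.
      # not( and()) means that if for one of the files the implication is false, we get a true.
      # NOTE(review): the first check tests for $(home) but inspects
      # $(home)/.ssh — confirm that .ssh always exists when $(home) does.
      "incorrect_ssh_context"
        expression => not( and(
                                or(
                                    not(fileexists("$(home)")),
                                    regcmp(".*[\s:]ssh_home_t[\s:].*",
                                           execresult("$(default:paths.ls) -dZ $(home)/.ssh", noshell))),
                                or(
                                    not(fileexists("$(ssh_paths[auth_keys])")),
                                    regcmp(".*[\s:]ssh_home_t[\s:].*",
                                           execresult("$(default:paths.ls) -Z $(ssh_paths[auth_keys])", noshell))),
                                or(
                                    not(fileexists("$(ssh_paths[priv_key])")),
                                    regcmp(".*[\s:]ssh_home_t[\s:].*",
                                           execresult("$(default:paths.ls) -Z $(ssh_paths[priv_key])", noshell))),
                                or(
                                    not(fileexists("$(ssh_paths[pub_key])")),
                                    regcmp(".*[\s:]ssh_home_t[\s:].*",
                                           execresult("$(default:paths.ls) -Z $(ssh_paths[pub_key])", noshell))),
                                or(
                                    not(fileexists("$(ssh_paths[config])")),
                                    regcmp(".*[\s:]ssh_home_t[\s:].*",
                                           execresult("$(default:paths.ls) -Z $(ssh_paths[config])", noshell)))
                              ));

  commands:
    # _stdlib_path_exists_ and paths. are defined in masterfiles/lib/paths.cf
    cftransport_fcontext_missing.default:_stdlib_path_exists_semanage::
      "$(default:paths.semanage) fcontext -a -t ssh_home_t '$(home)/.ssh(/.*)?'";

    incorrect_ssh_context.default:_stdlib_path_exists_restorecon::
      "$(default:paths.restorecon) -R -F $(home)/.ssh/";

  reports:
    incorrect_ssh_context.!default:_stdlib_path_exists_semanage::
      "need to fix incorrect ssh context for transport user but semanage path in $(sys.libdir)/paths.cf $(default:paths.semanage) does not resolve";

    # The class expression previously ended in an unmatched ")".
    incorrect_ssh_context.!default:_stdlib_path_exists_restorecon::
      "need to fix incorrect ssh context for transport user but restorecon path in $(sys.libdir)/paths.cf $(default:paths.restorecon) does not resolve";
}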
bundle agent transport_user
# @brief Manage transport user and permissions for remote SSH access
#
# Creates the account, its home tree and its SSH files, then renders
# authorized_keys and known_hosts from the `pubkeys` and `fingerprints` lists
# of the `config` bundle.
# NOTE(review): both lists come from federation-config.json, so whoever can
# write that file decides which keys may log in as this user — confirm the
# file's ownership and mode match that level of trust.
{
vars:
"user"
string => "$(cfengine_enterprise_federation:config.transport_user)";
"home"
string => "$(cfengine_enterprise_federation:config.transport_home)";
"ssh_key_name" string => "id_FR";
"ssh_priv_key" string => "$(home)/.ssh/$(ssh_key_name)";
"ssh_pub_key" string => "$(ssh_priv_key).pub";
"ssh_auth_keys" string => "$(home)/.ssh/authorized_keys";
"ssh_known_hosts" string => "$(home)/.ssh/known_hosts";
"ssh_config" string => "$(home)/.ssh/config";
# Directories (trailing "/.") and files that must exist.
"create_files"
slist => {
"$(home)/.",
"$(home)/.ssh/.",
"$(home)/source/.", # Dumps from feeders are taken from here
"$(home)/destination/.", # And dropped here on superhub
"$(ssh_auth_keys)",
"$(ssh_known_hosts)",
"$(ssh_config)"
};
# The same paths as a data container, passed to ssh_selinux_context below.
"ssh_paths" data => parsejson('{
"key_name": "id_FR",
"priv_key": "$(home)/.ssh/$(ssh_key_name)",
"pub_key": "$(ssh_priv_key).pub",
"auth_keys": "$(home)/.ssh/authorized_keys",
"known_hosts": "$(home)/.ssh/known_hosts",
"config": "$(home)/.ssh/config"
}');
users:
"$(user)"
policy => "present",
home_dir => "$(home)";
files:
"$(create_files)"
create => "true";
# Directories: mode 700, owner $(user), group root.
"$(home)/." -> { "CFE-951" }
depth_search => default:recurse_with_base("inf"),
file_select => default:dirs,
perms => default:mog( "700", $(user), "root" ),
comment => "The transport users home directory and children should be accessible only by the transport user itself.";
# Everything that is not a directory: mode 600, owner $(user), group root.
# This includes the private key and authorized_keys.
"$(home)/." -> { "CFE-951" }
depth_search => default:recurse_with_base("inf"),
file_select => default:not_dir,
perms => default:mog( "600", $(user), "root" ),
comment => "The files within the transport users home directory should be readable and writable by the transport user";
# One line per entry of config.pubkeys; the triple-brace tag writes each
# value without escaping.
# NOTE(review): values are written as given, so any per-key restriction
# (for example a forced command) would have to be part of the ssh_pubkey
# value itself — confirm.
"$(ssh_auth_keys)"
create => "true",
handle => "ssh_auth_keys_configured",
edit_template_string => "{{#-top-}}{{{.}}}$(const.n){{/-top-}}",
template_data => @(cfengine_enterprise_federation:config.pubkeys),
template_method => "inline_mustache";
# One line per entry of config.fingerprints; skipped while that list is
# not defined.
"$(ssh_known_hosts)"
create => "true",
handle => "ssh_known_hosts_configured",
edit_template_string => "{{#-top-}}{{{.}}}$(const.n){{/-top-}}",
template_data => @(cfengine_enterprise_federation:config.fingerprints),
template_method => "inline_mustache",
if => isvariable("cfengine_enterprise_federation:config.fingerprints");
# Point the SSH client at the federated reporting key.
"$(ssh_config)"
create => "true",
handle => "ssh_config_configured",
edit_line => default:insert_lines("IdentityFile $(ssh_priv_key)");
methods:
selinux_enabled::
"semanage_installed" usebundle => semanage_installed;
enabled.selinux_enabled::
# Ensure correct SElinux context
"ssh_selinux_context" usebundle => ssh_selinux_context("$(home)", @(ssh_paths));
enabled::
# Generate ssh keypair
"ssh_keygen" usebundle => ssh_keygen("$(ssh_priv_key)");
}
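bundle agent clean_when_off
# @brief cleanup changes made for federated reporting on a feeder
# NOTE: a superhub turned off by removing federation-config.json or setting
# federation_manage_files will always run regardless of off or not
# so as to be prepared for enablement via Mission Portal UI
#
# Removes the transport user and its home directory, the federation config
# and setup-status files, the rows of the remote_hubs and
# federated_reporting_settings tables, and the SELinux file context rule for
# the transport user's .ssh tree.
{
  vars:
      "user" string => "$(cfengine_enterprise_federation:transport_user.user)";
      "home" string => "$(cfengine_enterprise_federation:transport_user.home)";

      # Row counts gate the TRUNCATE commands below. The macro lines have to
      # stay at the start of the line.
@if minimum_version(3.15)
      "remote_hubs_table_row_count"
        string => execresult(`$(sys.bindir)/psql cfsettings --quiet --tuples-only --command "SELECT COUNT(*) FROM remote_hubs" 2>/dev/null`, useshell);
      "federated_reporting_settings_table_row_count"
        string => execresult(`$(sys.bindir)/psql cfsettings --quiet --tuples-only --command "SELECT COUNT(*) FROM federated_reporting_settings" 2>/dev/null`, useshell);
@endif

  users:
      "$(user)"
        policy => "absent";

  files:
      "$(cfengine_enterprise_federation:config.path_setup_status)" -> { "ENT-7233" }
        comment => "We must remove this file for Mission Portal to understand that the federation is not configured",
        delete => default:tidy;

      "$(cfengine_enterprise_federation:config.path)" -> { "ENT-7969" }
        comment => "We must remove this file for Mission Portal to understand that the federation is not configured",
        delete => default:tidy;

  methods:
      "rm_rf_cftransport_home_dir" usebundle => default:rm_rf("$(home)");

  classes:
    selinux_enabled.default:_stdlib_path_exists_semanage::
      "has_cftransport_fcontext" expression => returnszero("$(default:paths.semanage) fcontext -l | grep $(home)", "useshell");

      # The shell test needs a space before the closing "]"; without it the
      # test command fails on every run and the class can never be set.
      # NOTE(review): these two classes sit under the SELinux/semanage guard
      # and are not referenced in this bundle — confirm where they are meant
      # to be evaluated.
      "remote_hubs_table_empty" expression => returnszero(`[ $(const.dollar)($(sys.bindir)/psql cfsettings --quiet --tuples-only --command "SELECT COUNT(*) FROM remote_hubs") -eq "0" ]`, "useshell");
      "federated_reporting_settings_table_empty" expression => returnszero(`[ $(const.dollar)($(sys.bindir)/psql cfsettings --quiet --tuples-only --command "SELECT COUNT(*) FROM federated_reporting_settings") -eq "0" ]`, "useshell");

  commands:
      # Oh, the humanity! Where for art thou databases: promises for psql!
      `$(sys.bindir)/psql cfsettings --quiet --command "TRUNCATE TABLE remote_hubs"` -> { "ENT-7233" }
        if => isgreaterthan( "$(remote_hubs_table_row_count)", "0" );

      `$(sys.bindir)/psql cfsettings --quiet --command "TRUNCATE TABLE federated_reporting_settings"` -> { "ENT-7233" }
        if => isgreaterthan( "$(federated_reporting_settings_table_row_count)", "0" );

    # _stdlib_path_exists_ and paths. are defined in masterfiles/lib/paths.cf
    selinux_enabled.default:_stdlib_path_exists_semanage.has_cftransport_fcontext::
      "$(default:paths.semanage) fcontext -d '$(home)/.ssh(/.*)?'";
}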
bundle agent federation_manage_files
# @brief Manage files, directories and permissions in $(cfengine_enterprise_federation:config.federation_dir)
#
# By default the import process will not prohibit the inclusion of duplicate hostkey data from feeders.
# By defining the `cfengine_mp_fr_handle_duplicate_hostkeys` class in augments a step will be performed
# during import which will find the which feeder's data is most recent for each duplicate hostkey and
# use that data. Duplicate hostkey data will be moved to a `dup` schema for analysis.
#
# This class only applies to superhubs.
#
# ```json
# {
# "classes": {
# "cfengine_mp_fr_handle_duplicate_hostkeys": [ "any::" ]
# }
# }
# ```
{
vars:
"transport_user"
string => "$(cfengine_enterprise_federation:config.transport_user)";
"login" data => parsejson('{"login":"$(cfengine_enterprise_federation:config.login)"}');
"feeder_username" data => parsejson('{"feeder_username":"$(cfengine_enterprise_federation:config.transport_user)"}');
"superhub_hostkeys" string => ifelse( isvariable("cfengine_enterprise_federation:config.superhub_hostkeys"),
"$(cfengine_enterprise_federation:config.superhub_hostkeys)",
"" );
"this_hostkey" data => parsejson('{"this_hostkey":"$(default:sys.key_digest)"}');
"feeder" data => parsejson('{"feeder": "$(sys.key_digest)"}');
"cf_version" data => parsejson('{"cf_version":"$(sys.cf_version)"}');
"workdir" data => parsejson('{"workdir":"$(sys.workdir)"}');
"handle_duplicates_value" string => ifelse("default:cfengine_mp_fr_handle_duplicate_hostkeys", "yes", "no");
"handle_duplicates" data => parsejson('{"handle_duplicates":"$(handle_duplicates_value)"}');
"debug_import_value" string => ifelse("default:cfengine_mp_fr_debug_import", "yes", "no");
"debug_import" data => parsejson('{"debug_import":"$(debug_import_value)"}');
files:
enterprise_edition.(policy_server|am_policy_hub)::
# Both cfpache and $(transport_user) need permission so adding o+x here
"$(cfengine_enterprise_federation:config.federation_dir)/." -> { "CFE-951" }
create => "true",
perms => default:mog( "755", "root", "cfapache" );
"$(cfengine_enterprise_federation:config.federation_dir)/cfapache/."
create => "true",
perms => default:mog( "700", "cfapache", "root" );
"$(cfengine_enterprise_federation:config.federation_dir)/cfapache/." -> { "CFE-951" }
depth_search => default:recurse_with_base("inf"),
file_select => default:dirs,
perms => default:mog( "700", "cfapache", "root" ),
comment => "The cfapache home directory and children need to be accessible by the web-server";
"$(cfengine_enterprise_federation:config.federation_dir)/cfapache/." -> { "CFE-951" }
depth_search => default:recurse_with_base("inf"),
file_select => default:not_dir,
perms => default:mog( "600", "cfapache", "root" ),
comment => "Files within the cfapache home directory need to be readable and writable by the web server.";
enabled::
"$(cfengine_enterprise_federation:config.bin_dir)/." -> { "CFE-951" }
create => "true",
perms => default:mog( "0770", "root", "$(transport_user)" );
am_superhub::
"$(cfengine_enterprise_federation:config.federation_dir)/superhub/."
create => "true",
perms => default:mog( "770", "root", "$(transport_user)" );
"$(cfengine_enterprise_federation:config.federation_dir)/superhub/import/."
create => "true",
perms => default:mog( "600", "root", "root" );
"$(cfengine_enterprise_federation:config.federation_dir)/superhub/import/filters/."
create => "true",
perms => default:mog( "600", "root", "root" );
am_feeder::
"$(cfengine_enterprise_federation:config.federation_dir)/fedhub/."
create => "true",
perms => default:mog( "660", "root", "$(transport_user)" );
"$(cfengine_enterprise_federation:config.federation_dir)/fedhub/dump/."
create => "true",
perms => default:mog( "660", "root", "$(transport_user)" );
"$(cfengine_enterprise_federation:config.federation_dir)/fedhub/transport/."
create => "true",
perms => default:mog( "660", "root", "$(transport_user)" );
"$(cfengine_enterprise_federation:config.federation_dir)/fedhub/dump/filters/."
create => "true",
perms => default:mog( "600", "root", "root" );
am_feeder|am_transporter|am_superhub::
# TODO: Instrument augments
"$(cfengine_enterprise_federation:config.bin_dir)/config.sh"
create => "true",
template_method => "mustache",
edit_template => "$(this.promise_dirname)/../../../templates/federated_reporting/config.sh.mustache",
template_data => mergedata(@(login),
@(feeder_username),
@(feeder),
parsejson('{"superhub_hostkeys": "$(superhub_hostkeys)"}'),
@(debug_import),
@(this_hostkey),
@(cf_version),
@(handle_duplicates),
parsejson('{"inventory_refresh_cmd": ""}')),
perms => default:mog( "640", "root", "$(transport_user)" );
# TODO: Instrument augments
"$(cfengine_enterprise_federation:config.bin_dir)/log.sh"
create => "true",
template_method => "mustache",
edit_template => "$(this.promise_dirname)/../../../templates/federated_reporting/log.sh.mustache",
perms => default:mog( "640", "root", "$(transport_user)" );
"$(cfengine_enterprise_federation:config.bin_dir)/parallel.sh"
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/parallel.sh" ),
perms => default:mog( "640", "root", "$(transport_user)" );
"$(cfengine_enterprise_federation:config.bin_dir)/psql_wrapper.sh" -> { "ENT-4792"}
create => "true",
edit_template => "$(this.promise_dirname)/../../../templates/federated_reporting/psql_wrapper.sh.mustache",
template_method => "mustache",
perms => default:mog( "700", "root", "root" );
am_feeder::
"$(cfengine_enterprise_federation:config.bin_dir)/dump.sh"
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/dump.sh" ),
perms => default:mog( "700", "root", "root" );
am_transporter::
"$(cfengine_enterprise_federation:config.bin_dir)/transport.sh" -> { "CFE-951" }
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/transport.sh" ),
perms => default:mog( "500", "$(transport_user)", "root" );
am_puller::
"$(cfengine_enterprise_federation:config.bin_dir)/pull_dumps_from.sh"
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/pull_dumps_from.sh" ),
perms => default:mog( "500", "$(transport_user)", "root" );
am_superhub::
"$(cfengine_enterprise_federation:config.bin_dir)/import.sh"
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/import.sh" ),
perms => default:mog( "700", "root", "root" );
"$(cfengine_enterprise_federation:config.bin_dir)/import_file.sh"
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/import_file.sh" ),
perms => default:mog( "700", "root", "root" );
"$(cfengine_enterprise_federation:config.federation_dir)/superhub/import/filters/10-base_filter.sed"
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/10-base_filter.sed" ),
perms => default:mog( "600", "root", "root" );
am_superhub.default:cfengine_mp_fr_enable_distributed_cleanup::
"$(cfengine_enterprise_federation:config.bin_dir)/transfer_distributed_cleanup_items.sh"
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/transfer_distributed_cleanup_items.sh" ),
perms => default:mog( "500", "$(transport_user)", "root" );
"$(cfengine_enterprise_federation:config.bin_dir)/distributed_cleanup.py"
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/distributed_cleanup.py" ),
perms => default:mog( "500", "root", "root" );
"$(cfengine_enterprise_federation:config.bin_dir)/nova_api.py"
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/nova_api.py" ),
perms => default:mog( "500", "root", "root" );
"$(cfengine_enterprise_federation:config.bin_dir)/cfsecret.py"
copy_from => default:local_dcp( "$(this.promise_dirname)/../../../templates/federated_reporting/cfsecret.py" ),
perms => default:mog( "500", "root", "root" );
}
bundle agent postgres_config
# @brief Customize postgres config for superhub
# @variable cfengine_enterprise_federation:postgres_config.shared_buffers - Sets the amount of memory the database server uses for shared memory buffers.
# @variable cfengine_enterprise_federation:postgres_config.max_locks_per_transaction - Sets the maximum number of locks per transaction.
# @variable cfengine_enterprise_federation:postgres_config.log_lock_waits - Logs long lock waits.
# @variable cfengine_enterprise_federation:postgres_config.max_wal_size - Sets the WAL size that triggers a checkpoint.
# @variable cfengine_enterprise_federation:postgres_config.checkpoint_timeout - Sets the maximum time between automatic WAL checkpoints.
#
# Each setting takes the override variable when it is defined and otherwise the
# default given in the matching ifelse() below. Every promise in this bundle is
# guarded by am_superhub.
{
vars:
am_superhub::
# c[] is the key/value array handed to set_line_based in the files promise.
"c[shared_buffers]" -> { "ENT-8617" }
string => ifelse( isvariable( "cfengine_enterprise_federation:postgres_config.shared_buffers"),
$(cfengine_enterprise_federation:postgres_config.shared_buffers),
"1GB"),
comment => "Changing this setting requires restarting the database.";
"c[max_locks_per_transaction]" -> { "ENT-8617" }
string => ifelse( isvariable( "cfengine_enterprise_federation:postgres_config.max_locks_per_transaction"),
$(cfengine_enterprise_federation:postgres_config.max_locks_per_transaction),
"4000"),
comment => "Changing this setting requires restarting the database.";
"c[log_lock_waits]" -> { "ENT-8617" }
string => ifelse( isvariable( "cfengine_enterprise_federation:postgres_config.log_lock_waits"),
$(cfengine_enterprise_federation:postgres_config.log_lock_waits),
"on"),
comment => "Changing this setting requires restarting the database.";
"c[max_wal_size]" -> { "ENT-8617" }
string => ifelse( isvariable( "cfengine_enterprise_federation:postgres_config.max_wal_size"),
$(cfengine_enterprise_federation:postgres_config.max_wal_size),
"1GB");
"c[checkpoint_timeout]" -> { "ENT-8617" }
string => ifelse( isvariable( "cfengine_enterprise_federation:postgres_config.checkpoint_timeout"),
$(cfengine_enterprise_federation:postgres_config.checkpoint_timeout),
"5min");
files:
am_superhub::
# Edited only when the file already exists. The results body raises
# postgresql_conf_* classes; postgresql_conf_repaired triggers the restart
# promises below.
# NOTE(review): override values are written to postgresql.conf as given; no
# validation is visible in this bundle, so whoever can define the override
# variables controls these database settings. Confirm where they are set.
"$(sys.statedir)/pg/data/postgresql.conf"
edit_line => default:set_line_based( "$(this.namespace):$(this.bundle).c",
"=",
"\s*=\s*",
".*",
""),
classes => default:results( "bundle", "postgresql_conf" ),
if => fileexists( "$(sys.statedir)/pg/data/postgresql.conf" );
commands:
am_superhub.postgresql_conf_repaired.!systemd::
# smart mode tries to wait for operations to finish and clients to
# disconnect, fast mode terminates open connections gracefully
# Without systemd, pg_ctl runs as cfpostgres through a shell (see the
# cfpostgres_user body); the fast restart is attempted only when the smart
# restart returns non-zero.
"$(sys.bindir)/pg_ctl --pgdata $(sys.statedir)/pg/data --log /var/log/postgresql.log --wait --mode smart restart ||
$(sys.bindir)/pg_ctl --pgdata $(sys.statedir)/pg/data --log /var/log/postgresql.log --wait --mode fast restart"
contain => cfpostgres_user;
services:
am_superhub.postgresql_conf_repaired.systemd::
# With systemd, the restart goes through the cf-postgres service instead.
"cf-postgres"
service_method => default:standard_services,
service_policy => "restart";
}
body contain cfpostgres_user
# @brief Run a command through a shell as user and group cfpostgres
{
# A shell is required by the pg_ctl promise in postgres_config, whose command
# chains two invocations with `||`.
useshell => "useshell";
# Drop from the agent's privileges to the database account for the command.
exec_owner => "cfpostgres";
exec_group => "cfpostgres";
# Working directory for the command.
chdir => "/tmp";
# Command output is not suppressed.
no_output => "false";
}
bundle agent exported_data
# @brief Run script to dump pg data on feeder hub
# @note Since version 3.24.0, the inventory view is automatically refreshed by
# cf-reactor whenever inventory is updated. Hence, you can assume that the
# inventory is refreshed. However, there is one exception; if the previous
# refresh happened too recently, the following one will be delayed.
{
# On agents older than 3.24.0 the inventory view is refreshed explicitly and
# the dump waits for it through depends_on; the @if macros hide both pieces
# from newer agents.
@if before_version(3.24.0)
methods:
am_feeder.!am_paused::
"Refresh Inventory"
usebundle => "default:cfe_internal_refresh_inventory_view",
handle => "fr_inventory_refresh",
comment => "Use standard inventory refresh so that we don't run it twice";
@endif
commands:
am_feeder.!am_paused::
# dump.sh is installed elsewhere in this file with mode 700, root:root; it is
# run here through /bin/bash with no exec_owner set on this promise.
"/bin/bash"
arglist => {"$(cfengine_enterprise_federation:config.bin_dir)/dump.sh"},
contain => default:in_shell,
@if before_version(3.24.0)
depends_on => { "fr_inventory_refresh" },
@endif
comment => "Refresh Inventory must be completed before dumping data";
}
bundle agent data_transport
# @brief Run script to transport data from feeder to superhub
#
# Pushers run `transport.sh push`; pullers run `transport.sh pull` with the
# list of enabled remote hosts. All commands run as the transport user (see
# contain_transport_user) and are skipped while am_paused is set.
{
vars:
am_puller.!am_paused::
# local copies of the variables to make using them below sane
"remotes" slist => {@(cfengine_enterprise_federation:config.remotes)};
"data" data => @(cfengine_enterprise_federation:config.data);
# One entry per remote hub whose target_state is "on" and whose transport
# mode is "pull_over_rsync"; the value is that hub's ssh_host.
"enabled_pull_hosts[$(remotes)]"
string => "$(data[remote_hubs][$(remotes)][transport][ssh_host])",
if => and(strcmp("on", "$(data[remote_hubs][$(remotes)][target_state])"),
strcmp("pull_over_rsync", "$(data[remote_hubs][$(remotes)][transport][mode])"));
# Space-separated list of the enabled ssh_host values.
"pull_args" -> {"ENT-4499"}
string => join(" ", getvalues(@(enabled_pull_hosts)));
commands:
# NOTE(review): contain_transport_user sets useshell => "true", and each
# arglist below is a single string with $(pull_args) interpolated. The ssh_host
# values from the federation configuration therefore reach a shell command
# line unquoted; a value containing whitespace or shell metacharacters would
# be split or interpreted by the shell. Presumably the values are validated
# where the configuration is written -- confirm, or validate them here.
am_pusher.!am_paused::
"/bin/bash"
arglist => {"$(cfengine_enterprise_federation:config.bin_dir)/transport.sh push"},
contain => contain_transport_user;
am_puller.!am_paused::
"/bin/bash"
arglist => {"$(cfengine_enterprise_federation:config.bin_dir)/transport.sh pull $(pull_args)"},
contain => contain_transport_user;
am_puller.!am_paused.default:cfengine_mp_fr_enable_distributed_cleanup::
"/bin/bash"
arglist => {"$(cfengine_enterprise_federation:config.bin_dir)/transfer_distributed_cleanup_items.sh $(pull_args)"},
contain => contain_transport_user;
}
body contain contain_transport_user
# @brief Run a command through a shell as the federation transport user
{
# User and group are both the configured transport account, so the transport
# scripts do not run with the agent's own privileges.
exec_owner => "$(cfengine_enterprise_federation:config.transport_user)";
exec_group => "$(cfengine_enterprise_federation:config.transport_user)";
# Commands start in the transport user's home directory.
chdir => "$(cfengine_enterprise_federation:config.transport_home)";
# The command line is passed to a shell, so callers must not interpolate
# unvalidated values into it.
useshell => "true";
}
bundle agent imported_data
# @brief Run script to import dumps on superhub
#
# The commands promise has no class guard of its own; the only caller visible
# in this file (bundle entry) guards it with enabled.am_on.am_superhub.!am_paused.
{
commands:
# import.sh is installed elsewhere in this file with mode 700, root:root; no
# exec_owner is set on this promise.
"/bin/bash"
arglist => {"$(cfengine_enterprise_federation:config.bin_dir)/import.sh"},
contain => default:in_shell;
}
bundle agent superhub_schema
# @brief Run SQL script to ensure schema is migrated to superhub partitioned tables architecture
{
commands:
am_superhub::
# Calls superhub_schema() in database cfdb with this host's key digest.
# From 3.24 the statement is passed as a plain argument; for older agents the
# backtick-delimited string wraps the statement in literal double quotes.
# The promise outcome is derived from the wrapper's return code (see
# psql_wrapper_exit_codes).
"$(cfengine_enterprise_federation:config.bin_dir)/psql_wrapper.sh"
arglist => {
"cfdb",
@if minimum_version(3.24)
"select superhub_schema('$(sys.key_digest)');",
@else
`"select superhub_schema('$(sys.key_digest)');"`,
@endif
},
classes => psql_wrapper_exit_codes;
}
bundle agent ensure_feeders
# @brief Run SQL function to ensure that all configured feeder hubs are in __hubs table
{
vars:
am_superhub::
# Values of the configured feeder array.
"feeders" slist => getvalues( "cfengine_enterprise_federation:config.feeder");
# SQL array literal built by string concatenation: ARRAY['v1', 'v2', ...].
# NOTE(review): each value is placed between single quotes with no escaping
# visible here, so a value containing a single quote would alter the SQL
# statement. Presumably the values are validated where the federation
# configuration is written -- confirm, or validate/escape them before use.
"feeders_arg" string => concat( "ARRAY['", join( "', '", feeders ), "']");
commands:
am_superhub::
# Skipped when no feeders are configured. As in superhub_schema, agents older
# than 3.24 get the statement wrapped in literal double quotes.
"$(cfengine_enterprise_federation:config.bin_dir)/psql_wrapper.sh"
arglist => {
"cfdb",
@if minimum_version(3.24)
"select ensure_feeders($(feeders_arg));"
@else
`"select ensure_feeders($(feeders_arg));"`
@endif
},
classes => psql_wrapper_exit_codes,
if => isgreaterthan(length(feeders), 0);
}
body classes psql_wrapper_exit_codes
# @brief Map psql_wrapper.sh return codes to promise outcomes
#
# Presumably psql_wrapper.sh is written to return exactly these codes; verify
# against the psql_wrapper.sh.mustache template.
{
# 0: nothing had to change.
kept_returncodes => { "0" };
# 1: a change was made.
repaired_returncodes => { "1" };
# 2: the statement failed.
failed_returncodes => { "2" };
}
bundle agent entry
# @brief Conditionally runs all federated reporting bundles
#
# Ordering between the steps is expressed with handle/depends_on pairs. The
# classes enabled, am_on, am_off, am_superhub and am_paused are not defined in
# this bundle; presumably the config bundle defines them -- verify.
{
meta:
(policy_server|am_policy_hub).enterprise_edition::
"tags" -> { "ENT-4383" }
slist => { "enterprise_maintenance" };
classes:
# Both classes reflect whether the federation configuration file exists.
enterprise_edition.(policy_server|am_policy_hub)::
"config_exists"
expression => fileexists("$(cfengine_enterprise_federation:config.federation_dir)/cfapache/federation-config.json");
enterprise_edition.(policy_server|am_policy_hub)::
"config_not_exists"
expression => not(fileexists("$(cfengine_enterprise_federation:config.federation_dir)/cfapache/federation-config.json"));
methods:
config_exists::
"CFEngine Enterprise Federation Configuration"
handle => "config",
usebundle => config;
# Clean up when federation is off or was never configured on this hub.
am_policy_hub.(am_off|config_not_exists)::
"CFEngine Enterprise Federation Transport Off"
handle => "clean_when_off",
usebundle => clean_when_off,
if => cf_version_minimum("3.15");
enabled.am_on::
"CFEngine Enterprise Federation Transport User"
handle => "transport_user",
usebundle => transport_user;
# File management runs on every enterprise hub, regardless of enabled/am_on.
enterprise_edition.(policy_server|am_policy_hub)::
"federation_manage_files"
handle => "federation_manage_files",
usebundle => federation_manage_files;
enabled.am_on::
"CFEngine Enterprise Federation Postgres Configuration"
handle => "postgres_config",
usebundle => postgres_config;
"CFEngine Enterprise Federation Schema Migration"
handle => "superhub_schema",
depends_on => { "postgres_config" },
usebundle => superhub_schema;
"CFEngine Enterprise Federation Ensure Feeder Hubs in Database"
handle => "ensure_feeders",
depends_on => { "superhub_schema" },
usebundle => ensure_feeders;
"CFEngine Enterprise Federation Feeder Data Transport"
handle => "data_transport",
depends_on => { "transport_user" },
usebundle => data_transport;
# The export is rate limited by the configured dump interval.
"CFEngine Enterprise Federation Feeder Data Export"
usebundle => exported_data,
action => default:if_elapsed($(cfengine_enterprise_federation:config.dump_interval));
"Configuration Status"
usebundle => setup_status;
# imported_data has no class guard of its own; this context is its guard.
enabled.am_on.am_superhub.!am_paused::
"CFEngine Enterprise Federation Feeder Data Import"
handle => "imported_data",
depends_on => { "transport_user", "ensure_feeders" },
usebundle => imported_data;
am_policy_hub.default:cfengine_mp_fr_enable_distributed_cleanup::
"Distributed Cleanup Dependencies"
handle => "distributed_cleanup_dependencies",
if => "enabled.am_on.am_superhub.!am_paused",
usebundle => "distributed_cleanup_dependencies";
# Unlike its two siblings, this promise carries no `if` guard; it is held back
# only by its depends_on handles.
"Distributed Cleanup Setup"
handle => "distributed_cleanup_setup",
depends_on => { "transport_user", "data_transport" },
usebundle => "distributed_cleanup_setup";
"Distributed Federated Host Cleanup"
handle => "distributed_cleanup",
if => "enabled.am_on.am_superhub.!am_paused",
depends_on => { "imported_data", "distributed_cleanup_setup", "distributed_cleanup_dependencies" },
usebundle => distributed_cleanup_run;
reports:
!enterprise_edition::
"Federated reporting is only available in CFEngine Enterprise.";
enterprise_edition.!(policy_server|am_policy_hub)::
"Federated reporting is only available on the policy server / hub.";
}
bundle agent setup_status
# @brief Write the federation setup status file as JSON
#
# The file is written once the promises with handles config, transport_user,
# postgres_config and federation_manage_files have been satisfied and the
# transport user's SSH public key could be read.
{
vars:
"role" string => "$(cfengine_enterprise_federation:config.role)";
# Only defined when the public key file exists; the files promise below is
# conditional on this variable.
"ssh_pub_key"
string => readfile( "$(cfengine_enterprise_federation:transport_user.ssh_pub_key)" ),
if => fileexists( "$(cfengine_enterprise_federation:transport_user.ssh_pub_key)" );
"ssh_server_fingerprint"
# ssh-keyscan is used because it's more reliable/easy than trying to
# parse sshd config to find the file and then readfile():
# ssh-keyscan prints host public key lines, so despite the variable name the
# value holds "keytype key" lines rather than hash fingerprints. The sed
# call removes the "localhost " prefix, and sort fixes the line order.
# NOTE(review): ssh-keyscan, sed and sort are resolved through the shell's
# PATH and errors are discarded (2>/dev/null); presumably an empty result
# is acceptable here -- confirm.
string => execresult("ssh-keyscan localhost 2>/dev/null | sed 's/localhost //g' | sort", useshell);
classes:
"superhub_setup_status_complete"
expression => "any",
depends_on => {
"config",
"transport_user",
"postgres_config", # We are depending on a deep guard within this bundle
"federation_manage_files",
};
files:
superhub_setup_status_complete::
# Readable and writable by cfapache only. {{%-top-}} renders the whole
# template_data container as JSON.
# NOTE(review): the values are interpolated into the JSON text below without
# escaping, and the last member is followed by a comma, which strict JSON
# parsers reject -- confirm that the agent's parser accepts both.
"$(cfengine_enterprise_federation:config.path_setup_status)"
create => "true",
perms => default:mog( "600", "cfapache", "root" ),
template_method => "inline_mustache",
edit_template_string => "{{%-top-}}$(const.n)",
template_data => '{
"configured": true,
"role": "$(role)",
"hostkey": "$(sys.key_digest)",
"transport_ssh_public_key": "$(ssh_pub_key)",
"transport_ssh_server_fingerprint": "$(ssh_server_fingerprint)",
}',
if => isvariable( ssh_pub_key );
}
bundle agent distributed_cleanup_setup
# @brief Stage this hub's public key and certificate for distributed cleanup
#
# Only public material is copied: the hub's public key (localhost.pub) and its
# web server certificate. No private key is placed in the transport directory.
{
vars:
# NOTE(review): this path is hard-coded rather than derived from
# cfengine_enterprise_federation:config.federation_dir, which the rest of
# this file uses -- confirm the two always agree.
"distributed_cleanup_dir" string => "/opt/cfengine/federation/cftransport/distributed_cleanup";
files:
am_superhub|am_feeder::
# Directory accessible to the transport user only.
"${distributed_cleanup_dir}/."
perms => default:mog( "700", "$(cfengine_enterprise_federation:config.transport_user)", "root" ),
create => "true";
# Files are named after this host's fully qualified name and are readable by
# the transport user only.
"${distributed_cleanup_dir}/${sys.fqhost}.pub"
perms => default:mog( "600", "$(cfengine_enterprise_federation:config.transport_user)", "root" ),
copy_from => default:local_cp("${sys.workdir}/ppkeys/localhost.pub");
"${distributed_cleanup_dir}/${sys.fqhost}.cert"
perms => default:mog( "600", "$(cfengine_enterprise_federation:config.transport_user)", "root" ),
copy_from => default:local_cp("${sys.workdir}/httpd/ssl/certs/${sys.fqhost}.cert");
}
bundle agent distributed_cleanup_run
# @brief Run distributed_cleanup.py on the superhub
#
# Exactly one of the two commands applies, depending on whether
# default:def.DISTRIBUTED_CLEANUP_SSL_CERT_DIR is defined.
{
vars:
# Verbosity flag passed to the script: --debug in debug mode, --inform in
# inform mode, otherwise an empty string.
"_arglist" slist => { ifelse("debug_mode", "--debug",
"inform_mode", "--inform",
"") };
commands:
am_superhub.!am_paused.default:cfengine_mp_fr_enable_distributed_cleanup::
# Default certificate location: no contain body, so no shell is requested.
"$(sys.bindir)/cfengine-selected-python"
args => "$(cfengine_enterprise_federation:config.bin_dir)/distributed_cleanup.py",
arglist => { @(_arglist) },
unless => isvariable( "default:def.DISTRIBUTED_CLEANUP_SSL_CERT_DIR" );
# Custom certificate location: the variable is set through an environment
# assignment prefix, which is why this variant runs in a shell.
# NOTE(review): the directory value is interpolated unquoted into the shell
# command line; a value containing whitespace or shell metacharacters would
# be split or interpreted. Confirm the value is restricted to a plain path.
"SSL_CERT_DIR=$(default:def.DISTRIBUTED_CLEANUP_SSL_CERT_DIR) $(sys.bindir)/cfengine-selected-python" -> { "ENT-8477", "ENT-8464" }
args => "$(cfengine_enterprise_federation:config.bin_dir)/distributed_cleanup.py",
arglist => { @(_arglist) },
if => isvariable( "default:def.DISTRIBUTED_CLEANUP_SSL_CERT_DIR"),
contain => default:in_shell,
comment => "When custom SSL certificates are used from the non default location we need to let the script know where to find them.";
}
body file control
# @brief Switch back to the default namespace for the rest of this file
{
# The bundles above are referenced as cfengine_enterprise_federation:<name>;
# what follows (__main__) belongs to the default namespace.
namespace => "default";
}
bundle agent __main__
# @brief You can run this policy file from shell without specifying bundle
{
methods:
# Delegates to the federation entry bundle, which carries all class guards.
"entry" usebundle => cfengine_enterprise_federation:entry;
}
cfengine-masterfiles-3.24.2/cfe_internal/enterprise/file_change.cf 0000644 0000000 0000000 00000004536 15010704240 025242 0 ustar 00root root 0000000 0000000 #########################################################################
#
# file_change.cf - Change Management
#
# NOTE: Be careful with the amount of data that CFEngine is to watch.
# Large amounts can cause resource hogs and long-running agents.
#
#########################################################################
bundle agent change_management
# @brief Watch selected system files for unplanned changes (Linux only)
#
# Two watch lists are kept: files whose content diffs are reported, and files
# for which only the fact of a change is reported.
{
vars:
linux::
"watch_files_report_diffs"
slist => {
"/etc/passwd",
"/etc/group",
"/etc/services",
"$(sys.statedir)/pg/data/postgresql.conf",
},
comment => "These files will be watched for change, and diffs will be
reported back to mission portal if you are running CFEngine
Enterprise.";
# /etc/shadow is kept out of the diff list so that its entries never appear
# in reports; only a change notice is produced.
"watch_files_report_change"
slist => { "/etc/shadow" },
comment => "These files will be watched for change. No diffs will be
reported back to mission portal, only that the file did
change.";
files:
linux::
# Each promise iterates over its list and skips files that do not exist.
"$(watch_files_report_diffs)" -> { "InfoSec" }
changes => diff,
handle => "change_management_files_watch_files_report_diffs",
if => fileexists( $(watch_files_report_diffs) ),
comment => "Unplanned changes of these files may indicate a security
breach.";
# Change detection by SHA-256 content hash, without a diff.
"$(watch_files_report_change)" -> { "InfoSec" }
changes => detect_content_using("sha256"),
if => fileexists( $(watch_files_report_change) ),
comment => "Unplanned changes of these files may indicate a security
breach. (Diffs are not reported in case those with access
to this report should not have access to shadow entries.)";
#######################################################################
# Redundant cross monitoring for strong `tripwire' ...............
#######################################################################
# The promise below is disabled; it is kept as commented-out policy.
# "$(sys.workdir)/nw/$(neighbours)_checksum_digests.db"
# comment => "Watching our peers remote hash tables for changes - cross check",
# copy_from => remote_cp("$(sys.workdir)/checksum_digests.db","$(neighbours)"),
# action => neighbourwatch("File hash changes observed on $(neighbours) (neighbourhood watch)");
}
cfengine-masterfiles-3.24.2/cfe_internal/CFE_cfengine.cf 0000644 0000000 0000000 00000005172 15010704240 023066 0 ustar 00root root 0000000 0000000 ##################################################################
#
# DO NOT EDIT THIS FILE. All policy files prefixed with CFE_ are maintained
# by CFEngine and its original state is required for internal operations of
# CFEngine. If the file has been modified CFEngine's upgrades may require
# manual intervention. Contact CFEngine support if additional information
# and/or recommendation is needed.
#
##################################################################
##################################################################
#
# cfe_internal_management
# - manage internal CFE functionalities (any:: can be modified)
# - some agent bundles are in CFE_hub_specific.cf
#
##################################################################
bundle common cfe_internal_management_file_control
# @brief Define policy input dependencies
{
vars:
# Starts empty so that the list is defined before any input is registered.
"inputs" slist => { };
# recommendations.cf is only registered when recommendations are enabled.
cfengine_recommendations_enabled::
"input[cfengine_recommendations]"
string => "$(this.promise_dirname)/recommendations.cf";
any::
# Final list: the values of the input[] array.
"inputs" slist => getvalues( input );
}
body file control
# @brief Include policy input dependencies
{
# Inputs are loaded only when recommendations are enabled; the list comes from
# the common bundle cfe_internal_management_file_control.
cfengine_recommendations_enabled::
inputs => { @(cfe_internal_management_file_control.inputs) };
}
bundle agent cfe_internal_management
# @brief Actuate the appropriate set(s) of internal management policies
#
# The indices of policy[] are the names of the bundles to run; the values are
# not read in this bundle.
{
vars:
any::
"policy[cfe_internal_core_main]"
string => "cfe_internal_core_main",
comment => "Activate policies related to basic CFEngine operations";
enterprise_edition::
"policy[cfe_internal_enterprise_main]"
string => "cfe_internal_enterprise_main",
comment => "Activate policies related to CFEngine Enterprise operations";
# TODO: Scope this more tightly to mission portal role
# NOTE(review): unlike the two entries above, this one stores the descriptive
# text as the value and has no comment attribute. Only the index is used
# below, so the bundle name is still picked up; presumably the value was meant
# to be "cfe_internal_enterprise_mission_portal" with the text as comment.
enterprise_edition.policy_server::
"policy[cfe_internal_enterprise_mission_portal]"
string => "Activate policies related to CFEngine Enterprise Mission Portal";
any::
# Bundle names to actuate, taken from the array indices.
"bundles" slist => getindices(policy);
# All bundles tagged cfengine_recommends, in lexical order.
"recommendation_bundles"
slist => sort( bundlesmatching( ".*", "cfengine_recommends" ), lex);
methods:
#
# CFEngine internals
#
# Iterates over $(bundles), one bundle per element.
"CFEngine_Internals"
usebundle => "$(bundles)";
"CFEngine Recommendations"
usebundle => $(recommendation_bundles),
if => isvariable( recommendation_bundles );
reports:
DEBUG|DEBUG_cfe_internal_management::
"DEBUG $(this.bundle): Should actuate $(bundles)";
cfengine_recommendation_instruct_disablement::
"Note: All recommendations can be disabled by defining 'default:cfengine_recommendations_disabled'";
}
cfengine-masterfiles-3.24.2/promises.cf.in 0000644 0000000 0000000 00000040706 15010704240 020452 0 ustar 00root root 0000000 0000000 # All software in this repository except where explicitly marked otherwise is
# under the following license.
################################################################################
# MIT Public License
# http://www.opensource.org/licenses/MIT
# Copyright 2024 Northern.tech AS
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
################################################################################
################################################################################
# If you find CFEngine useful, please consider purchasing a commercial version
# of the software.
################################################################################
################################################################################
#
# promises.cf - Basic Policy for CFEngine
#
################################################################################
body common control
# @brief Control options common to all agents
#
# Sets the bundle sequence, the policy inputs, the package module defaults per
# platform, and the TLS settings shared by all agent binaries.
{
# Order matters: classification and inventory come before the bundles that
# act on their results.
bundlesequence => {
# Common bundle first (Best Practice)
inventory_control,
@(inventory.bundles),
def,
@(cfengine_enterprise_hub_ha.classification_bundles),
# Custom classification
@(def.bundlesequence_classification),
# autorun system
services_autorun,
@(services_autorun.bundles),
# Agent bundle
cfe_internal_management, # See cfe_internal/CFE_cfengine.cf
mpf_main,
@(cfengine_enterprise_hub_ha.management_bundles),
@(def.bundlesequence_end),
};
inputs => {
# User policy init, for example for defining custom promise types:
"services/init.cf",
# File definition for global variables and classes
@(cfengine_controls.def_inputs),
# Inventory policy
@(inventory.inputs),
# CFEngine internal policy for the management of CFEngine itself
@(cfe_internal_inputs.inputs),
# Control body for all CFEngine robot agents
@(cfengine_controls.inputs),
# COPBL/Custom libraries. Eventually this should use wildcards.
@(cfengine_stdlib.inputs),
# autorun system
@(services_autorun.inputs),
"services/main.cf",
};
# @VERSION@ is a placeholder; this file is a .in template (promises.cf.in).
version => "CFEngine Promises.cf @VERSION@";
# From 3.7 onwards there is a new package promise implementation using package
# modules in which you MUST provide package modules used to generate
# software inventory reports. You can also provide global default package module
# instead of specifying it in all package promises.
(debian).!disable_inventory_package_refresh::
package_inventory => { $(package_module_knowledge.platform_default), @(default:package_module_knowledge.additional_inventory) };
# We only define package_inventory on redhat like systems that have a
# python version that works with the package module.
(redhat|centos|suse|sles|opensuse|amazon_linux).cfe_python_for_package_modules_supported.!disable_inventory_package_refresh::
package_inventory => { $(package_module_knowledge.platform_default), @(default:package_module_knowledge.additional_inventory)};
aix.!disable_inventory_package_refresh::
package_inventory => { $(package_module_knowledge.platform_default), @(default:package_module_knowledge.additional_inventory) };
freebsd.!disable_inventory_package_refresh::
package_inventory => { $(package_module_knowledge.platform_default), @(default:package_module_knowledge.additional_inventory) };
aix::
package_module => $(package_module_knowledge.platform_default);
(debian|redhat|suse|sles|opensuse|amazon_linux|freebsd)::
package_module => $(package_module_knowledge.platform_default);
# On windows the inventory is set without the disable_inventory_package_refresh
# guard used on the other platforms.
windows::
package_inventory => { $(package_module_knowledge.platform_default), @(default:package_module_knowledge.additional_inventory) };
package_module => $(package_module_knowledge.platform_default);
termux::
package_module => $(package_module_knowledge.platform_default);
alpinelinux::
package_module => $(package_module_knowledge.platform_default);
any::
# Both switches come from def; when enabled, missing bundles or input files
# are tolerated instead of being treated as errors, so a missing policy file
# can go unnoticed.
ignore_missing_bundles => "$(def.control_common_ignore_missing_bundles)";
ignore_missing_inputs => "$(def.control_common_ignore_missing_inputs)";
# The number of minutes after which last-seen entries are purged from cf_lastseen.lmdb
lastseenexpireafter => "$(def.control_common_lastseenexpireafter)";
# The TLS floor and cipher list are set only when the matching *_defined class
# exists; otherwise no value is set here (presumably the binaries' built-in
# defaults apply -- verify for the version in use).
control_common_tls_min_version_defined::
tls_min_version => "$(default:def.control_common_tls_min_version)"; # See also: allowtlsversion in body server control
control_common_tls_ciphers_defined::
tls_ciphers => "$(default:def.control_common_tls_ciphers)"; # See also: allowciphers in body server control
}
bundle common inventory
# @brief Set up inventory inputs
#
# This bundle creates the inputs for inventory bundles.
#
# Inventory bundles are simply common bundles loaded before anything
# else in promises.cf
#
# For each platform, "inputs" lists the policy files to load and "bundles" the
# bundles to run from them; both are consumed by body common control.
{
classes:
# Fallback for platforms that have no dedicated branch below.
"other_unix_os" expression => "!(windows|macos|linux|freebsd|aix)";
# Linux families with their own inventory file.
"specific_linux_os" expression => "redhat|debian|suse|sles";
vars:
# This list is intended to grow as needed
debian::
"inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/debian.cf", "inventory/os.cf" };
"bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_debian", "inventory_os" };
redhat::
"inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/redhat.cf", "inventory/os.cf" };
"bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_redhat", "inventory_os" };
suse|sles::
"inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/suse.cf", "inventory/os.cf" };
"bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_suse", "inventory_os" };
windows::
"inputs" slist => { "inventory/any.cf", "inventory/windows.cf", "inventory/os.cf" };
"bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_windows", "inventory_os" };
macos::
"inputs" slist => { "inventory/any.cf", "inventory/macos.cf", "inventory/os.cf" };
"bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_macos", "inventory_os" };
freebsd::
"inputs" slist => { "inventory/any.cf", "inventory/freebsd.cf", "inventory/os.cf" };
"bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_freebsd", "inventory_os" };
# Any other Linux gets the generic Linux and LSB inventory only.
linux.!specific_linux_os::
"inputs" slist => { "inventory/any.cf", "inventory/linux.cf", "inventory/lsb.cf", "inventory/os.cf" };
"bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_linux", "inventory_lsb", "inventory_os" };
aix::
"inputs" slist => { "inventory/any.cf", "inventory/generic.cf", "inventory/aix.cf", "inventory/os.cf" };
"bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_generic", "inventory_aix", "inventory_os" };
other_unix_os::
"inputs" slist => { "inventory/any.cf", "inventory/generic.cf", "inventory/os.cf" };
"bundles" slist => { "inventory_control", "inventory_any", "inventory_autorun", "inventory_generic", "inventory_os" };
reports:
verbose_mode::
"$(this.bundle): loading inventory module '$(inputs)'";
}
#
bundle common cfe_internal_inputs
# @brief Include internal self management policies
#
# Registers policy files in the input[] array by role; "inputs" at the end is
# the list of all registered paths, consumed by body common control.
{
vars:
# Core policies, loaded on every host.
any::
"input[cfe_internal_management]"
string => "cfe_internal/CFE_cfengine.cf",
comment => "This policy activates internal management policies
for both core and enterprise";
"input[core_main]"
string => "cfe_internal/core/main.cf",
comment => "This policy activates other core policies";
"input[core_limit_robot_agents]"
string => "cfe_internal/core/limit_robot_agents.cf",
comment => "The policy here ensures that we don't have too many
cf-monitord or cf-execd processes";
"input[core_log_rotation]"
string => "cfe_internal/core/log_rotation.cf",
comment => "This policy ensures that various cfengine log files
do not grow without bound and fill up the disk";
"input[core_host_info_report]"
string => "cfe_internal/core/host_info_report.cf",
comment => "This policy produces a text based host info report
and serves as a functional example of using mustache templates";
"input[cfengine_internal_core_watchdog]"
string => "cfe_internal/core/watchdog/watchdog.cf",
comment => "This policy configures external watchdogs to ensure that
cf-execd is always running.";
# Hub-only policies; the federation policy is loaded only by enterprise hubs.
enterprise_edition.(policy_server|am_policy_hub)::
"input[enterprise_hub_specific]"
string => "cfe_internal/enterprise/CFE_hub_specific.cf",
comment => "Policy relating to CFEngine Enterprise Hub, for example
software updates, webserver configuration, and alerts";
# Hidden from agents older than 3.12.0 by the macro.
@if minimum_version(3.12.0)
"input[enterprise_hub_federation]"
string => "cfe_internal/enterprise/federation/federation.cf",
comment => "Policy relating to CFEngine Federated Reporting";
@endif
# Enterprise policies for all enterprise hosts, including the file change
# monitoring policy.
enterprise_edition::
"input[enterprise_knowledge]"
string => "cfe_internal/enterprise/CFE_knowledge.cf",
comment => "Settings mostly releated to CFEngine Enteprise Mission Portal";
"input[enterprise_main]"
string => "cfe_internal/enterprise/main.cf",
comment => "This policy activates other enterprise specific policies";
"input[change_management]"
string => "cfe_internal/enterprise/file_change.cf",
comment => "This policy monitors critical system files for change";
"input[enterprise_mission_portal]"
string => "cfe_internal/enterprise/mission_portal.cf",
comment => "This policy manages Mission Portal related configurations.";
any::
"inputs" slist => getvalues("input");
}
bundle common cfengine_stdlib
# @brief Include the standard library
#
# Defines "inputs": stdlib.cf everywhere, plus a packages library on the
# Windows versions selected below.
{
vars:
any::
"inputs" slist => { "$(sys.local_libdir)/stdlib.cf" };
# As part of ENT-2719 3.12.2 introduced package_method attributes for
# specifying the interpreter and specifying the module path. These
# attributes are not known in previous versions and must not be seen by
# the parser or they will be seen as syntax errors. A cleaner way to do
# this using the minimum_version macro is possible, but that would break
# masterfiles compatibility in 3.12 with 3.7 binaries since 3.7 binaries
# do not support major.minor.patch with minimum_version, only major.minor.
# NOTE(review): the comment above cites ENT-2719 while the file loaded below
# is packages-ENT-3719.cf -- confirm which ticket id is correct.
windows.cfengine_3_12.!(cfengine_3_12_0|cfengine_3_12_1)::
"inputs" slist => { "$(sys.local_libdir)/stdlib.cf",
"$(sys.local_libdir)/packages-ENT-3719.cf" };
# From 3.14 the macro is used, so every Windows agent gets the extra file.
@if minimum_version(3.14)
windows::
"inputs" slist => { "$(sys.local_libdir)/stdlib.cf",
"$(sys.local_libdir)/packages-ENT-3719.cf" };
@endif
reports:
verbose_mode::
"$(this.bundle): defining inputs='$(inputs)'";
}
bundle common cfengine_controls
# @brief Collect the control policy files for each CFEngine component
#
# `def_inputs` holds the def files in a fixed order; every other control file
# is registered in the `input` array and flattened into `inputs`.
{
  vars:
      # The two def files live in their own list so their order is explicit.
      "def_inputs"
        comment => "We strictly order the def inputs because they should be parsed first",
        slist => {
                   "controls/def.cf",
                   "controls/def_inputs.cf",
                 };

      # One array entry per component control file.
      "input[cf_agent]"
        comment => "Agent control options",
        string => "controls/cf_agent.cf";

      "input[cf_execd]"
        comment => "Executor (scheduler) control options",
        string => "controls/cf_execd.cf";

      "input[cf_monitord]"
        comment => "Monitor/Measurement control options",
        string => "controls/cf_monitord.cf";

      "input[cf_serverd]"
        comment => "Server control options",
        string => "controls/cf_serverd.cf";

      "input[cf_runagent]"
        comment => "Runagent (remote activation request) control options",
        string => "controls/cf_runagent.cf";

    enterprise_edition::
      # Registered only when the enterprise_edition class is set.
      "input[cf_hub]" -> { "CFEngine Enterprise" }
        comment => "Hub (agent report collection) control options",
        string => "controls/cf_hub.cf";

      "input[reports]" -> { "CFEngine Enterprise" }
        comment => "Report collection options",
        string => "controls/reports.cf";

    any::
      # Flatten the array values into the list the caller consumes.
      "inputs" slist => getvalues(input);

  reports:
    DEBUG|DEBUG_cfengine_controls::
      "DEBUG $(this.bundle)";
      "$(const.t)defining inputs='$(inputs)'";
}
bundle common services_autorun
# @brief Include autorun policy and discover autorun bundles if enabled
#
# Files inside directories listed in `def.mpf_extra_autorun_inputs` will be
# added to inputs automatically.
#
# NOTE(review): every file matching `.*\.cf` in the directories scanned below
# ends up in `found_inputs`. Presumably those files are then parsed as policy,
# so write access to these directories should be restricted to policy
# maintainers - confirm how `found_inputs` is consumed by the caller.
{
vars:
services_autorun|services_autorun_inputs::
# Default autorun directory, relative to the directory of this policy file.
"_default_autorun_input_dir"
string => "$(this.promise_dirname)/services/autorun";
# Full paths ("true" as third argument) of the *.cf files found there, sorted
# lexically.
"_default_autorun_inputs"
slist => sort( lsdir( "$(_default_autorun_input_dir)", ".*\.cf", "true"), lex);
# Optional additional directories, taken from def.mpf_extra_autorun_inputs
# only when that variable exists.
"_extra_autorun_input_dirs"
slist => { @(def.mpf_extra_autorun_inputs) },
if => isvariable( "def.mpf_extra_autorun_inputs" );
# One array entry per extra directory; entries are skipped for paths that are
# not directories.
"_extra_autorun_inputs[$(_extra_autorun_input_dirs)]"
slist => sort( lsdir("$(_extra_autorun_input_dirs)/.", ".*\.cf", "true"), lex),
if => isdir( $(_extra_autorun_input_dirs) );
# Default files first, then the files from the extra directories.
"found_inputs" slist => { @(_default_autorun_inputs),
sort( getvalues(_extra_autorun_inputs), "lex") };
!(services_autorun|services_autorun_inputs|services_autorun_bundles)::
# If services_autorun is not enabled, then we should not extend inputs
# automatically.
"inputs" slist => { };
"found_inputs" slist => {};
"bundles" slist => { "services_autorun" }; # run self
services_autorun|services_autorun_inputs|services_autorun_bundles::
# Any of the three classes loads autorun.cf and runs the `autorun` bundle.
"inputs" slist => { "$(sys.local_libdir)/autorun.cf" };
"bundles" slist => { "autorun" }; # run loaded bundles
reports:
DEBUG|DEBUG_services_autorun::
# Diagnostics only: which autorun classes are set and what was collected.
"DEBUG $(this.bundle): Services Autorun Disabled"
if => "!(services_autorun|services_autorun_bundles|services_autorun_inputs)";
"DEBUG $(this.bundle): Services Autorun Enabled"
if => "services_autorun";
"DEBUG $(this.bundle): Services Autorun Bundles Enabled"
if => "services_autorun_bundles";
"DEBUG $(this.bundle): Services Autorun Inputs Enabled"
if => "services_autorun_inputs";
"DEBUG $(this.bundle): Services Autorun (Bundles & Inputs) Enabled"
if => "services_autorun_inputs.services_autorun_bundles";
"DEBUG $(this.bundle): adding input='$(inputs)'"
if => isvariable("inputs");
"DEBUG $(this.bundle): adding input='$(found_inputs)'"
if => isvariable("found_inputs");
}
cfengine-masterfiles-3.24.2/standalone_self_upgrade.cf 0000644 0000000 0000000 00000126366 15010704326 023070 0 ustar 00root root 0000000 0000000 # This policy is designed to be run with an independent agent.
# WARNING: Including this policy into the inputs of another policy may result in
# duplicate definition of bundles.
# TODO remove windows_unattended_upgrade.cf when ENT-6823 allows us to use msiexec packages module
bundle common standalone_self_upgrade_file_control
# @brief List the extra policy file this standalone policy loads
{
  vars:
      # Path is assembled with const.dirsep relative to this file's directory;
      # it points at cfe_internal/update/windows_unattended_upgrade.cf.
      "inputs"
        slist => {
                   "$(this.promise_dirname)$(const.dirsep)cfe_internal$(const.dirsep)update$(const.dirsep)windows_unattended_upgrade.cf"
                 };
}
body file control
# @brief Load the inputs listed by bundle standalone_self_upgrade_file_control
{
      inputs => { @(standalone_self_upgrade_file_control.inputs) };
}
bundle common def_standalone_self_upgrade
# @brief Derive the classes that gate optional settings in the control bodies
# of this standalone policy (syslog facility, TLS minimum version, TLS ciphers)
{
vars:
# Local fallback: an empty string, defined only when
# default:def.control_agent_agentfacility does not exist.
"control_agent_agentfacility" -> { "ENT-10209" }
string => "",
if => not( isvariable ( "default:def.control_agent_agentfacility" ));
classes:
# NOTE(review): the expression tests the local variable
# $(control_agent_agentfacility), which above is only ever set to "" and only
# when the def variable is missing. As written it is unclear how a configured
# def value could reach this regcmp - confirm against the intended behavior.
"control_agent_agentfacility_configured" -> { "ENT-10209" }
expression => regcmp( "LOG_(USER|DAEMON|LOCAL[0-7])",
$(control_agent_agentfacility) ),
comment => concat( "If default:def.control_agent_agentfacility is a",
" valid setting, we want to use it in body agent",
" control for setting agentfacility" );
# Set when a minimum TLS version has been configured; body common control
# only emits tls_min_version under this class.
"control_common_tls_min_version_defined" -> { "ENT-10198" }
expression => isvariable( "default:def.control_common_tls_min_version"),
comment => concat( "If default:def.control_common_tls_min_version is defined then",
" its value will be used for the minimum version in outbound",
" connections. Else the binary default will be used.");
# Set when a cipher list has been configured; body common control only emits
# tls_ciphers under this class.
"control_common_tls_ciphers_defined" -> { "ENT-10198" }
expression => isvariable( "default:def.control_common_tls_ciphers"),
comment => concat( "If default:def.control_common_tls_ciphers is defined then",
" its value will be used for the set of tls ciphers allowed",
" for outbound connections. Else the binary default will be used.");
}
body agent control
# @brief Agent controls for standalone self upgrade
{
# Only set the syslog facility when bundle def_standalone_self_upgrade has
# defined the gating class.
# NOTE(review): the value is read from default:update_def.*, while the gating
# class and its comment refer to default:def.* - confirm which bundle is
# expected to hold the variable when this policy runs standalone.
control_agent_agentfacility_configured::
agentfacility => "$(default:update_def.control_agent_agentfacility)";
}
bundle agent main
# @brief This bundle drives the self upgrade. It actuates the appropriate
# bundles to download binaries to the hub for serving to clients, caching the
# software to remote clients, and managing the version of cfengine installed on
# non hubs.
{
classes:
# True when policy_server.dat is newer than the outputs directory; used below
# to skip the client-side upgrade steps.
"policy_server_dat_unstable"
expression => isnewerthan( "$(sys.workdir)/policy_server.dat", "$(sys.workdir)/outputs" ),
comment => "If $(sys.workdir)/policy_server.dat is newer than the
outputs directory, it can indicate that the current agent
execution is a result of bootstrap. For stability we want to
skip upgrades during bootstrap. The outputs directory should
be newer than the policy_server.dat on the next agent run
and allow upgrade then.";
reports:
"Running $(this.promise_filename)";
methods:
# Always evaluated first: selects package name, version, release, arch and
# directories.
"cfengine_software";
# Hub only, unless the seed is disabled by class: fetch packages for clients.
(am_policy_hub|policy_server).!mpf_disable_hub_masterfiles_software_update_seed::
"Master Software Repository Data"
usebundle => cfengine_master_software_content;
# Clients only, and not while policy_server_dat_unstable is set: refresh the
# local package cache, then converge the installed version.
!(am_policy_hub|policy_server|policy_server_dat_unstable)::
"Local Software Cache"
usebundle => cfengine_software_cached_locally;
"CFEngine Version"
usebundle => cfengine_software_version;
}
bundle common package_module_knowledge
# @brief Default package module per platform family
#
# `platform_default` is consumed by body common control in this file for
# package_inventory and package_module. It is left undefined on platforms not
# listed here.
{
  vars:
    debian|ubuntu::
      # Debian family hosts use the apt_get module.
      "platform_default"
        string => "apt_get";

    redhat|centos|amazon_linux::
      # Red Hat family hosts use the yum module.
      "platform_default"
        string => "yum";
}
bundle common u_common_knowledge
# @brief Platform-independent constants for the standalone packages policy
#
# Standalone counterpart of the regular knowledge bundle.
# @see common_knowledge
{
  vars:
      # presumably an ifelapsed interval in minutes (10080 = 7 * 24 * 60);
      # confirm against the package bodies that read it
      "list_update_ifelapsed_now"
        string => "10080";
}
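bundle agent cfengine_software
# @brief Variables to control the specifics in desired package selection
#
# Chooses the package name, version, release, architecture and the directory
# names used by the other bundles in this file. Most values can be overridden
# through `def.cfengine_software_pkg_*` variables. Several variables are
# defined more than once; the guarded definitions are listed from the most
# general to the most specific.
#
# NOTE(review): on clients the target version comes from
# `$(sys.statedir)/hub_cf_version.txt`, so that file's content decides which
# package gets installed - confirm it is only writable by the agent.
{
vars:
any::
# Extract the hub binary version info if it's available. Only expected to
# be available on a client.
# The named groups supply the keys read below as
# hub_binary_version[major_minor_patch] and hub_binary_version[release].
"hub_binary_version" -> { "ENT-10664" }
data => data_regextract(
"^(?<major_minor_patch>\d+\.\d+\.\d+)-(?<release>\d+)",
readfile("$(sys.statedir)$(const.dirsep)hub_cf_version.txt" ) ),
if => fileexists( "$(sys.statedir)$(const.dirsep)hub_cf_version.txt" );
# Default desired CFEngine software
"pkg_name" string => ifelse( isvariable( "def.cfengine_software_pkg_name" ), $(def.cfengine_software_pkg_name), "cfengine-nova");
# pkg_version candidates: the hub's own version, the hub version recorded on
# a client, then an explicit def override.
"pkg_version" -> { "ENT-10664" }
string => "$(sys.cf_version_major).$(sys.cf_version_minor).$(sys.cf_version_patch)",
if => "am_policy_hub|policy_server",
comment => "The hub will use its own version to seed client packages.";
"pkg_version" -> { "ENT-10664" }
string => "$(hub_binary_version[major_minor_patch])",
if => isvariable("hub_binary_version[major_minor_patch]"),
comment => "Use the hub binary version if available.";
"pkg_version"
string => "$(def.cfengine_software_pkg_version)",
if => isvariable( "def.cfengine_software_pkg_version" ),
comment => "If the target version is explicitly set, we want to use that.";
# pkg_release follows the same three sources as pkg_version.
"pkg_release" string => "$(sys.cf_version_release)", if => "am_policy_hub|policy_server";
"pkg_release" string => "$(hub_binary_version[release])", if => isvariable("hub_binary_version[release]");
"pkg_release" string => "$(def.cfengine_software_pkg_release)", if => isvariable("def.cfengine_software_pkg_release");
"pkg_arch" string => ifelse( isvariable( "def.cfengine_software_pkg_arch" ), $(def.cfengine_software_pkg_arch), "x86_64");
"package_dir" string => ifelse( isvariable( "def.cfengine_software_pkg_dir" ), $(def.cfengine_software_pkg_dir), "$(sys.flavour)_$(sys.arch)");
"pkg_edition_path" string => ifelse( isvariable( "def.cfengine_software_pkg_edition_path" ), $(def.cfengine_software_pkg_edition_path), "enterprise/Enterprise-$(pkg_version)/agent");
# Edition and platform specific adjustments follow.
community_edition::
"pkg_name" string => "cfengine-community";
"pkg_edition_path" string => "community_binaries/Community-$(pkg_version)";
aix::
"pkg_name" string => "cfengine-nova";
"pkg_arch" string => "default";
solaris|solarisx86::
"pkg_name" string => "cfengine-nova";
amzn_2::
"package_dir"
string => "amazon_2_$(pkg_arch)";
(debian|ubuntu).64_bit::
"pkg_arch"
string => "amd64",
comment => "On debian hosts it's the standard to use 'amd64' instead of
'x86_64' in package architectures.";
(debian|ubuntu).aarch64::
"pkg_arch"
string => "arm64",
comment => concat( "On debian hosts it's the CFEngine standard to use 'arm64' in",
"the package filename." );
"package_dir"
string => "$(sys.flavor)_arm_64";
(redhat|centos|suse|sles).32_bit::
"pkg_arch"
string => "i386",
comment => "i686 is the detected architecture, but the package is
compatible from i386 up.";
hpux::
"package_dir"
string => "$(sys.class)_$(sys.arch)",
comment => "The directory within software updates to look for packages.
On HPUX sys.flavor includes versions, so we use sys.class
instead.";
windows::
"package_dir" -> { "ENT-9010" }
string => "$(sys.class)_$(sys.arch)",
comment => concat( "The directory within software updates to look for ",
"packages. Since one package is built for each",
"supported architecture instead of each platform",
"version architecture we use sys.class and sys.arch.");
any::
# Local cache directory for the packages of this platform.
"local_software_dir"
string => translatepath( "$(sys.workdir)/software_updates/$(package_dir)" ),
comment => "So that we converge on the first pass we set this last as
package_dir may vary across platforms.";
reports:
DEBUG|DEBUG_cfengine_software::
"$(this.bundle) pkg_name = $(pkg_name)";
"$(this.bundle) pkg_version = $(pkg_version)";
"$(this.bundle) pkg_release = $(pkg_release)";
"$(this.bundle) pkg_arch = $(pkg_arch)";
"$(this.bundle) package_dir = $(package_dir)";
files:
windows::
# Render vercmp.ps1 into the bin directory from the template shipped next to
# this policy; the template receives an empty data container.
"$(sys.bindir)$(const.dirsep)vercmp.ps1"
create => "true",
template_method => "mustache",
edit_template => "$(this.promise_dirname)$(const.dirsep)/templates/vercmp.ps1",
template_data => mergedata( '{}' ),
comment => "We need to use specialized version comparison logic for unattended self upgrades.";
}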
bundle agent cfengine_software_cached_locally
# @brief Ensure that the internal local software mirror is up to date
#
# Copies the packages for this platform from the policy hub into the local
# cache directory. The packages in that directory are what the version bundles
# later install, so the integrity of the upgrade rests on this copy (see body
# copy_from u_dsync for the transfer settings).
{
reports:
inform_mode::
"Ensuring local software cache in $(local_software_dir) is up to date";
vars:
# Local aliases of the values chosen in bundle cfengine_software.
"local_software_dir"
string => "$(cfengine_software.local_software_dir)";
"package_dir"
string => "$(cfengine_software.package_dir)";
# Source path prefix handed to u_dsync as `from`.
"master_software_location" -> { "ENT-4953" }
string => "master_software_updates",
comment => "The Cfengine binary updates directory on the policy server",
handle => "cfe_internal_update_bins_vars_master_software_location";
files:
"$(local_software_dir)/."
create => "true",
comment => "Ensure the local software directory exists for new binaries
to be downloaded to";
# NOTE This is pegged to the single upstream policy hub, it won't fail
# over to a secondary for copying the binaries to update.
# Only plain files are selected, the search recurses without depth limit, and
# the class bin_newpkg is defined when the copy repairs anything. u_dsync sets
# purge, so local files absent from the source are removed.
"$(local_software_dir)/."
comment => "Copy binary updates from master source on policy server",
handle => "cfe_internal_update_bins_files_pkg_copy",
copy_from => u_dsync( "$(master_software_location)/$(package_dir)", $(sys.policy_hub) ),
file_select => plain,
depth_search => u_recurse_basedir(inf),
action => u_immediate,
classes => u_if_repaired("bin_newpkg");
}
bundle agent cfengine_software_version
# @brief Ensure the version of CFEngine installed is correct for supported
# platforms. Different platforms leverage different implementations for self
# upgrading.
{
classes:
# Platforms on which this policy attempts a self upgrade at all.
"__supported_platform" -> { "ENT-5045", "ENT-5152", "ENT-4094", "ENT-8247" }
or => {
"amazon_linux",
"redhat.!redhat_4",
"centos.!centos_4",
"debian",
"suse|opensuse",
"ubuntu",
"hpux",
"aix",
"windows", # ENT-4094
};
# Add "windows" to __new_implementation classes with ENT-6823
# Platforms handled by cfengine_software_version_packages2; the rest fall
# back to cfengine_software_version_packages1.
"__new_implementation"
or => { "amazon_linux", "redhat", "centos", "ubuntu", "debian", "suse", "opensuse" };
vars:
# Local aliases of the values chosen in bundle cfengine_software.
"pkg_name" string => "$(cfengine_software.pkg_name)";
"pkg_version" string => "$(cfengine_software.pkg_version)";
"pkg_release" string => "$(cfengine_software.pkg_release)";
# Running release, defaulting to "1" when sys.cf_version_release is not set.
"_cf_version_release" string => ifelse( isvariable( "sys.cf_version_release" ), "$(sys.cf_version_release)", "1" );
"pkg_arch" string => "$(cfengine_software.pkg_arch)";
"package_dir" string => "$(cfengine_software.package_dir)";
"local_software_dir" string => "$(cfengine_software.local_software_dir)";
methods:
__supported_platform.__new_implementation::
"Manage CFEngine Version"
usebundle => cfengine_software_version_packages2;
__supported_platform.!__new_implementation::
"Manage CFEngine Version"
usebundle => cfengine_software_version_packages1;
# TODO, remove this and cfe_internal/enterprise/windows_unattended_upgrade.cf
# when ENT-6823 allows us to use msiexec.bat packages module.
# Runs on Windows only when the desired version or release differs from the
# running one. It sits in the same class context as packages1 above, so on
# Windows both method promises are in scope.
"Windows Unattended Upgrade Workaround"
usebundle => windows_unattended_upgrade,
if => and(
"windows",
or(
not(strcmp("$(cfengine_software.pkg_version)", "$(sys.cf_version)")),
not(strcmp("$(cfengine_software.pkg_release)", "$(_cf_version_release)"))
)
);
reports:
!__supported_platform.inform_mode::
"$(this.bundle) $(package_dir) is not supported";
}
bundle agent cfengine_software_version_packages2
# @brief Install the cached CFEngine package file through a package module
#
# Each packages promise names a package file by path inside the local software
# cache. Nothing in this bundle inspects that file before handing it to the
# package module, so what gets installed is whatever the cache holds at that
# path.
{
  vars:
      # Local aliases of the values chosen in bundle cfengine_software.
      "pkg_name"           string => "$(cfengine_software.pkg_name)";
      "pkg_version"        string => "$(cfengine_software.pkg_version)";
      "pkg_release"        string => "$(cfengine_software.pkg_release)";
      "pkg_arch"           string => "$(cfengine_software.pkg_arch)";
      "package_dir"        string => "$(cfengine_software.package_dir)";
      "local_software_dir" string => "$(cfengine_software.local_software_dir)";

  packages:
    (amazon_linux|redhat|centos)::
      # rpm based hosts go through the yum module
      "$(local_software_dir)/$(cfengine_package_names.my_pkg)"
        comment => "Ensure the latest package is installed",
        package_module => yum,
        policy => "present";

    (debian|ubuntu)::
      # deb based hosts go through the apt_get module
      "$(local_software_dir)/$(cfengine_package_names.my_pkg)"
        comment => "Ensure the latest package is installed",
        package_module => apt_get,
        policy => "present";

    (opensuse|suse)::
      # SUSE hosts go through the zypper module
      "$(local_software_dir)/$(cfengine_package_names.my_pkg)"
        comment => "Ensure the latest package is installed",
        package_module => zypper,
        policy => "present";

      # TODO, uncomment the following to enable msiexec packages module (ENT-6823)
      # windows::
      # "$(local_software_dir)$(const.dirsep)$(cfengine_package_names.my_pkg)"
      # policy => "present",
      # package_module => msiexec,
      # comment => "Ensure the latest package is installed";

  reports:
    "DEBUG|DEBUG_$(this.bundle)"::
      "Running $(this.bundle)";
}
bundle agent cfengine_software_version_packages1
# @brief Ensure the correct version of software is installed using the legacy self update mechanism
#@ **Supported Platforms:**
#@ - RedHat|Centos|Suse (rpm)
#@ - Debian|Ubuntu (dpkg)
#@ - solarisx86|solaris (pkgadd)
#@ - windows (msiexec)
#@ - aix (installp)
#@ **Unsupported Platforms:** (but stubbed)
#@ - freebsd|netbsd (pkg_add)
{
classes:
# cf-upgrade helper files are only prepared on these platforms and never on a
# hub.
"cf_upgrade" expression => "(redhat|suse|sles|debian|solaris|solarisx86).!(am_policy_hub|policy_server)";
vars:
# NOTE These logs are not actively used or cleaned up by anything. Their
# use will be phased as platforms migrate to the new packages
# implementation for self upgrades.
"local_update_log_dir"
string => translatepath("$(sys.workdir)/software_updates/update_log"),
comment => "Local directory to store update log for this host.",
handle => "cfe_internal_update_bins_vars_local_update_log_dir";
"local_software_dir" string => "$(cfengine_software.local_software_dir)";
# Version string in the form the legacy package promise expects: the release
# is joined with "-" on linux and "." on windows, aix gets a ".0" suffix, and
# everything else uses the bare version.
"desired_version" -> { "ENT-4094" }
string => ifelse("linux", "$(cfengine_software.pkg_version)-$(cfengine_software.pkg_release)",
"windows", "$(cfengine_software.pkg_version).$(cfengine_software.pkg_release)", # ENT-4094
"aix", "$(cfengine_software.pkg_version).0",
$(cfengine_software.pkg_version) ),
comment => "The version attribute sometimes contains package release
information and sometimes does not. Here we construct the
version used in the package promise for the given
platform.";
cf_upgrade::
# We only use cf-upgrade for some platforms, the need for it has been
# deprecated by the new packages promise implementation.
# backup script for cf-upgrade
# the script should have 2 conditions, BACKUP and RESTORE
# BACKUP and RESTORE status is $(const.dollar)1 variable in the script
# see more details at bundle edit_line u_backup_script
# NOTE cf-upgrade wants to execute from /tmp by default. This is
# problematic for systems where /tmp is mounted with no-exec.
# NOTE(review): the script, archive and admin file below use fixed,
# predictable names under /tmp, and the scripts are written with mode 0755 by
# the files promises further down. On multi-user hosts confirm how /tmp is
# protected against pre-created files or links at these names, or whether
# cf-upgrade can be pointed at a directory only the agent can write.
"backup_script" string => "/tmp/cf-upgrade_backup.sh";
# a single compressed backup file for cf-upgrade
# this backup_file is passed to backup_script as $(const.dollar)2 variable
# cf-upgrade will extract this file if return signal of upgrade command is not 0
# NOTE(review): u_backup_script archives $(sys.workdir) into this file;
# presumably that includes the host's key material, so verify the
# permissions of the archive and that it is removed after the upgrade.
"backup_file" string => "/tmp/cfengine-nova-$(sys.cf_version).tar.gz";
# install script for cf-upgrade
# each distribution has its own way to upgrade a package
# see more details at bundle edit_line u_install_script
"install_script" string => "/tmp/cf-upgrade_install.sh";
(solarisx86|solaris).enterprise::
# to automatically remove or install packages on Solaris
# admin_file is a must to have to avoid pop-up interaction
# see more details at bundle edit_line u_admin_file
"admin_file" string => "/tmp/cf-upgrade_admin_file";
files:
# Remote enterprise agents (non policy hubs) that have `trigger_upgrade` defined
cf_upgrade.enterprise.trigger_upgrade::
# Each helper file is emptied before editing and fully rewritten from its
# edit_line bundle, without keeping a backup copy.
"$(backup_script)"
comment => "Create a backup script for cf-upgrade",
handle => "cfe_internal_update_bins_files_backup_script",
create => "true",
if => "!windows",
edit_defaults => u_empty_no_backup,
edit_line => u_backup_script,
perms => u_m("0755");
"$(install_script)"
comment => "Create an install script for cf-upgrade",
handle => "cfe_internal_update_bins_files_install_script",
create => "true",
if => "!windows",
edit_defaults => u_empty_no_backup,
edit_line => u_install_script,
perms => u_m("0755");
"$(admin_file)"
comment => "Create solaris admin_file to automate remove and install packages",
handle => "cfe_internal_update_bins_files_solaris_admin_file",
create => "true",
edit_defaults => u_empty_no_backup,
edit_line => u_admin_file,
perms => u_m("0644"),
if => "solarisx86|solaris";
packages:
# Only non policy hubs running are allowed to self upgrade
# We don't upgrade during bootstrap
!(am_policy_hub|policy_server|bootstrap_mode).enterprise_edition::
# Exact version match ("==") against desired_version, using packages from the
# local software cache; bin_update_success / bin_update_fail record the
# outcome.
"$(cfengine_software.pkg_name)"
comment => "Update Nova package to a newer version",
handle => "cfe_internal_update_bins_packages_nova_update",
package_policy => "update",
package_select => "==",
package_architectures => { "$(cfengine_software.pkg_arch)" },
package_version => "$(desired_version)",
package_method => u_generic( $(cfengine_software.local_software_dir) ),
classes => u_if_else("bin_update_success", "bin_update_fail");
reports:
"DEBUG|DEBUG_$(this.bundle)"::
"Running $(this.bundle)";
}
bundle common cfengine_package_names
# @brief Maps platforms to the package naming convention used by the self upgrade policy
#
# The `pkg` array is keyed by platform directory name (the same form as
# `cfengine_software.package_dir`) and holds the package file name for that
# platform. `my_pkg` is the entry for the executing host.
{
vars:
# Local aliases of the values chosen in bundle cfengine_software.
"pkg_name" string => "$(cfengine_software.pkg_name)";
"pkg_version" string => "$(cfengine_software.pkg_version)";
"pkg_release" string => "$(cfengine_software.pkg_release)";
"pkg_arch" string => "$(cfengine_software.pkg_arch)";
# Redhat/Centos/Oracle 5, SuSE 11 use the same package
"pkg[redhat_5_x86_64]" string => "$(pkg_name)-$(pkg_version)-$(pkg_release).el5.centos.x86_64.rpm";
"pkg[centos_5_x86_64]" string => "$(pkg[redhat_5_x86_64])";
"pkg[oracle_5_x86_64]" string => "$(pkg[redhat_5_x86_64])";
"pkg[SuSE_11_x86_64]" string => "$(pkg[redhat_5_x86_64])";
# 32bit RPMs
# One entry per combination of the _rpm_dists and _32bit_arches lists defined
# in bundle cfengine_master_software_content.
"pkg[$(cfengine_master_software_content._rpm_dists)_$(cfengine_master_software_content._32bit_arches)]" string => "$(pkg_name)-$(pkg_version)-$(pkg_release).el5.centos.i386.rpm";
# Redhat/Centos/Oracle 6, SuSE 12-15, Opensuse Leap 15 use the same package
"pkg[redhat_6_x86_64]" string => "$(pkg_name)-$(pkg_version)-$(pkg_release).el6.x86_64.rpm";
"pkg[centos_6_x86_64]" string => "$(pkg[redhat_6_x86_64])";
"pkg[oracle_6_x86_64]" string => "$(pkg[redhat_6_x86_64])";
"pkg[SuSE_12_x86_64]" string => "$(pkg[redhat_6_x86_64])";
"pkg[SuSE_15_x86_64]" string => "$(pkg[redhat_6_x86_64])";
"pkg[opensuse_leap_15_x86_64]" string => "$(pkg[redhat_6_x86_64])";
# Redhat/Centos/Oracle/Rocky 7/Amazon 2 use the same package
"pkg[redhat_7_x86_64]" string => "$(pkg_name)-$(pkg_version)-$(pkg_release).el7.x86_64.rpm";
"pkg[centos_7_x86_64]" string => "$(pkg[redhat_7_x86_64])";
"pkg[oracle_7_x86_64]" string => "$(pkg[redhat_7_x86_64])";
"pkg[rocky_7_x86_64]" string => "$(pkg[redhat_7_x86_64])";
"pkg[amazon_2_x86_64]" string => "$(pkg[redhat_7_x86_64])";
# Redhat/Centos/Oracle/Rocky 8 use the same package
"pkg[redhat_8_x86_64]" string => "$(pkg_name)-$(pkg_version)-$(pkg_release).el8.x86_64.rpm";
"pkg[centos_8_x86_64]" string => "$(pkg[redhat_8_x86_64])";
"pkg[oracle_8_x86_64]" string => "$(pkg[redhat_8_x86_64])";
"pkg[rocky_8_x86_64]" string => "$(pkg[redhat_8_x86_64])";
# Redhat/Centos/Oracle/Rocky 9 use the same package
"pkg[redhat_9_x86_64]" string => "$(pkg_name)-$(pkg_version)-$(pkg_release).el9.x86_64.rpm";
"pkg[centos_9_x86_64]" string => "$(pkg[redhat_9_x86_64])";
"pkg[oracle_9_x86_64]" string => "$(pkg[redhat_9_x86_64])";
"pkg[rocky_9_x86_64]" string => "$(pkg[redhat_9_x86_64])";
# 64bit Debian
"pkg[debian_7_x86_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).debian7_amd64.deb";
"pkg[debian_8_x86_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).debian8_amd64.deb";
"pkg[debian_9_x86_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).debian9_amd64.deb";
"pkg[debian_10_x86_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).debian10_amd64.deb";
"pkg[debian_11_x86_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).debian11_amd64.deb";
# 64bit Ubuntu
"pkg[ubuntu_14_x86_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).ubuntu14_amd64.deb";
"pkg[ubuntu_16_x86_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).ubuntu16_amd64.deb";
"pkg[ubuntu_18_x86_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).ubuntu18_amd64.deb";
"pkg[ubuntu_20_x86_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).ubuntu20_amd64.deb";
"pkg[ubuntu_22_x86_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).ubuntu22_amd64.deb";
# aarch64 Ubuntu
"pkg[ubuntu_22_arm_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).ubuntu22_arm64.deb";
# aarch64 Debian
"pkg[debian_11_arm_64]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).debian11_arm64.deb";
# 32bit DEBs
# One entry per combination of the _deb_dists and _32bit_arches lists defined
# in bundle cfengine_master_software_content.
"pkg[$(cfengine_master_software_content._deb_dists)_$(cfengine_master_software_content._32bit_arches)]" string => "$(pkg_name)_$(pkg_version)-$(pkg_release).debian7_i386.deb";
# Windows
"pkg[windows_x86_64]" string => "$(pkg_name)-$(pkg_version)-$(pkg_release)-x86_64.msi";
"pkg[windows_i686]" string => "$(pkg_name)-$(pkg_version)-$(pkg_release)-i686.msi";
# Looked up with the executing host's package_dir; stays unresolved when the
# array has no entry for that key.
"my_pkg"
string => "$(pkg[$(cfengine_software.package_dir)])",
comment => "The package name for the currently executing platform.";
reports:
"DEBUG|DEBUG_$(this.bundle)"::
"My Package: $(my_pkg)";
}
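bundle agent cfengine_master_software_content
# @brief When cfengine_master_software_content_state_present is defined the software
# will try be be automatically downloaded.
#
# For every platform key in the `dir` array this bundle creates a download
# directory under `$(download_dir)` and fetches the matching package from
# `$(base_url)` with curl when the file is not already present.
#
# NOTE(review): the download is the only step here; nothing in this bundle
# compares the fetched file with a published checksum or signature. The files
# are later served to clients and installed, so confirm where package
# authenticity is verified (for example by the platform package manager) or
# add a verification step before the marker file is written.
{
vars:
# Local aliases of the values chosen in bundle cfengine_software.
"pkg_name" string => "$(cfengine_software.pkg_name)";
"pkg_version" string => "$(cfengine_software.pkg_version)";
"pkg_release" string => "$(cfengine_software.pkg_release)";
"pkg_arch" string => "$(cfengine_software.pkg_arch)";
"package_dir" string => "$(cfengine_software.package_dir)";
"pkg_edition" string => "$(cfengine_software.pkg_edition_path)";
"base_url" string => "https://cfengine-package-repos.s3.amazonaws.com/$(pkg_edition)";
# Map platform/directory identifier to upstream package URLs
# Better to read in an external explicit data structure?
"_32bit_arches" slist => { "i386", "i586", "i686" };
# Redhat/Centos/Oracle 5 and SuSE 11 all use the same package
"dir[redhat_5_x86_64]" string => "agent_rpm_x86_64";
"dir[centos_5_x86_64]" string => "$(dir[redhat_5_x86_64])";
"dir[oracle_5_x86_64]" string => "$(dir[redhat_5_x86_64])";
"dir[SuSE_11_x86_64]" string => "$(dir[redhat_5_x86_64])";
# NOTE(review): the next three entries populate `pkg`, not `dir`, and refer to
# pkg[redhat_6_x86_64], which this bundle does not define. They look like a
# copy from bundle cfengine_package_names; as written, SuSE 12/15 and openSUSE
# Leap 15 get no `dir` entry and so no download directory - confirm intent.
"pkg[SuSE_12_x86_64]" string => "$(pkg[redhat_6_x86_64])";
"pkg[SuSE_15_x86_64]" string => "$(pkg[redhat_6_x86_64])";
"pkg[opensuse_leap_15_x86_64]" string => "$(pkg[redhat_6_x86_64])";
# All 32bit rpms use the same package
"_rpm_dists" slist => { "redhat_5", "redhat_6", "redhat_7",
"centos_5", "centos_6", "centos_7",
"SuSE_11", "SuSE_10" };
"dir[$(_rpm_dists)_$(_32bit_arches)]" string => "agent_rpm_i386";
# Redhat/Centos/Oracle 6 use the same package
"dir[redhat_6_x86_64]" string => "agent_rhel6_x86_64";
"dir[centos_6_x86_64]" string => "$(dir[redhat_6_x86_64])";
"dir[oracle_6_x86_64]" string => "$(dir[redhat_6_x86_64])";
# Redhat/Centos/Oracle/Rocky 7/Amazon 2 use the same package
"dir[redhat_7_x86_64]" string => "agent_rhel7_x86_64";
"dir[centos_7_x86_64]" string => "$(dir[redhat_7_x86_64])";
"dir[oracle_7_x86_64]" string => "$(dir[redhat_7_x86_64])";
"dir[rocky_7_x86_64]" string => "$(dir[redhat_7_x86_64])";
"dir[amazon_2_x86_64]" string => "$(dir[redhat_7_x86_64])";
# Redhat/Centos/Oracle/Rocky 8 use the same package
"dir[redhat_8_x86_64]" string => "agent_rhel8_x86_64";
"dir[centos_8_x86_64]" string => "$(dir[redhat_8_x86_64])";
"dir[oracle_8_x86_64]" string => "$(dir[redhat_8_x86_64])";
"dir[rocky_8_x86_64]" string => "$(dir[redhat_8_x86_64])";
# Redhat/Centos/Oracle/Rocky 9 use the same package
"dir[redhat_9_x86_64]" string => "agent_rhel9_x86_64";
"dir[centos_9_x86_64]" string => "$(dir[redhat_9_x86_64])";
"dir[oracle_9_x86_64]" string => "$(dir[redhat_9_x86_64])";
"dir[rocky_9_x86_64]" string => "$(dir[redhat_9_x86_64])";
# Debian
"dir[debian_7_x86_64]" string => "agent_deb_x86_64";
"dir[debian_8_x86_64]" string => "agent_debian8_x86_64";
"dir[debian_9_x86_64]" string => "agent_debian9_x86_64";
"dir[debian_10_x86_64]" string => "agent_debian10_x86_64";
"dir[debian_11_x86_64]" string => "agent_debian11_x86_64";
"dir[debian_11_arm_64]" string => "agent_debian11_arm_64";
# Ubuntu
"dir[ubuntu_14_x86_64]" string => "agent_ubuntu14_x86_64";
"dir[ubuntu_16_x86_64]" string => "agent_ubuntu16_x86_64";
"dir[ubuntu_18_x86_64]" string => "agent_ubuntu18_x86_64";
"dir[ubuntu_20_x86_64]" string => "agent_ubuntu20_x86_64";
"dir[ubuntu_22_x86_64]" string => "agent_ubuntu22_x86_64";
"dir[ubuntu_22_arm_64]" string => "agent_ubuntu22_arm_64";
# All 32bit debs use the same package
"_deb_dists" slist => { "debian_4", "debian_5", "debian_6",
"debian_7", "debian_8", "debian_9",
"debian_10", "ubuntu_14", "ubuntu_16",
"ubuntu_18" };
"dir[$(_deb_dists)_$(_32bit_arches)]" string => "agent_deb_i386";
# Windows
"dir[windows_x86_64]" string => "windows_x86_64";
"dir[windows_i686]" string => "windows_i686";
# Every platform key defined above; iterated by the promises below.
"platform_dir" slist => getindices( dir );
"download_dir" string => "$(sys.workdir)/master_software_updates";
files:
"$(download_dir)/$(platform_dir)/."
create => "true",
comment => "We need a place to download each packge we build";
# Marker listing the binary_downloaded_* classes set by the curl promise
# below; only written when at least one such class exists.
"$(download_dir)/$(cfengine_software.pkg_version)-downloaded.txt"
content => join( "\n", classesmatching( "binary_downloaded_.*" ) ),
if => isgreaterthan( length(classesmatching( "binary_downloaded_.*" )),
0 ),
comment => concat( "We place a marker of the files downloaded so that",
" the hub can skip the self upgrade policy after",
" download.");
commands:
# Fetch each package that we don't already have
# --fail makes curl exit non-zero on an HTTP error instead of saving the
# server's error page under the package file name, where the fileexists guard
# would then treat it as a finished download. The output path uses
# $(download_dir) so it always matches that guard and the directory created
# above, including on hosts whose work directory is not /var/cfengine.
"/usr/bin/curl"
args => "-s --fail $(base_url)/$(dir[$(platform_dir)])/$(cfengine_package_names.pkg[$(platform_dir)]) --output $(download_dir)/$(platform_dir)/$(cfengine_package_names.pkg[$(platform_dir)])",
if => not( fileexists( "$(download_dir)/$(platform_dir)/$(cfengine_package_names.pkg[$(platform_dir)])" ) ),
classes => u_if_else("binary_downloaded_$(platform_dir)","binary_not_downloaded");
reports:
DEBUG|DEBUG_cfengine_master_software_content::
"curl -s --fail $(base_url)/$(dir[$(platform_dir)])/$(cfengine_package_names.pkg[$(platform_dir)]) --output $(download_dir)/$(platform_dir)/$(cfengine_package_names.pkg[$(platform_dir)])";
}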
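bundle edit_line u_backup_script
# @brief Backup script used by cf-upgrade
#
# Writes a small /bin/sh script. Its first argument selects the mode (BACKUP or
# RESTORE) and its second argument is the archive path. The positional
# parameters are double-quoted in the generated script so that an empty or
# missing argument does not break the `[` test and an archive path containing
# whitespace stays a single word.
#
# NOTE(review): BACKUP archives all of $(sys.workdir); the archive location is
# chosen by the caller (a path under /tmp in bundle
# cfengine_software_version_packages1) - verify the archive's permissions.
{
insert_lines:
linux::
# GNU tar form: create or extract a gzip-compressed archive in one step.
"#!/bin/sh
if [ \"$(const.dollar)1\" = \"BACKUP\" ]; then
tar cfzS \"$(const.dollar)2\" $(sys.workdir) > /dev/null
fi
if [ \"$(const.dollar)1\" = \"RESTORE\" ]; then
tar xfz \"$(const.dollar)2\"
fi";
solarisx86|solaris::
# Solaris form: tar and gzip/gunzip run as separate steps.
"#!/bin/sh
if [ \"$(const.dollar)1\" = \"BACKUP\" ]; then
tar cf \"$(const.dollar)2\" $(sys.workdir); gzip \"$(const.dollar)2\"
fi
if [ \"$(const.dollar)1\" = \"RESTORE\" ]; then
gunzip \"$(const.dollar)2.gz\"; tar xf \"$(const.dollar)2\"
fi";
}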
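bundle edit_line u_install_script
# @brief Install script used by cf-upgrade
#
# Writes a small /bin/sh script whose first argument is the package file to
# install. The argument is double-quoted in the generated script so a path
# containing whitespace or glob characters is passed to the package tool as a
# single word.
{
insert_lines:
redhat|suse|sles::
# rpm based platforms: upgrade in place.
"#!/bin/sh
/bin/rpm -U \"$(const.dollar)1\"";
debian::
# dpkg: both --force-confdef and --force-confnew are passed so the install
# does not stop to ask about configuration files.
"#!/bin/sh
/usr/bin/dpkg --force-confdef --force-confnew --install \"$(const.dollar)1\" > /dev/null";
solarisx86|solaris::
# Solaris: read the package name from the package file, remove that package,
# add the new one using the unattended admin file, then start cf-execd. The
# script always exits 0.
"#!/bin/sh
pkgname=`pkginfo -d \"$(const.dollar)1\" | awk '{print $(const.dollar)2}'`
/usr/sbin/pkgrm -n -a $(cfengine_software_version_packages1.admin_file) $pkgname
/usr/sbin/pkgadd -n -a $(cfengine_software_version_packages1.admin_file) -d \"$(const.dollar)1\" all
$(sys.workdir)/bin/cf-execd || true
exit 0";
}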
bundle edit_line u_admin_file
# @brief Admin file specification to enable unattended installation
#
# The content is the admin file passed with `-a` to pkgrm and pkgadd by
# u_install_script. Every check listed is set to `nocheck`.
# NOTE(review): presumably this turns off the package tools' dependency,
# space, setuid and conflict checks so that no prompt appears - confirm that
# this is acceptable for the packages being installed.
{
insert_lines:
sunos_5_8::
# Shorter variant for sunos_5_8: no network or keystore settings, and
# instance=unique instead of overwrite.
"mail=
instance=unique
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=nocheck
conflict=nocheck
action=nocheck
basedir=default";
solaris.!sunos_5_8::
# All other Solaris releases.
"mail=
instance=overwrite
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=nocheck
conflict=nocheck
action=nocheck
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
proxy=
basedir=default";
}
body action u_immediate
# @brief Actuate the promise on every run instead of waiting for a lock to expire
{
      # zero elapsed time required between two actuations
      ifelapsed => "0";
}
body copy_from u_dsync(from,server)
# @brief Synchronize promiser with `from` on `server` using digest comparison. If host is a policy hub, then it skips the remote copy, preferring the local file path. For this reason, this body is not compatible with shortcuts defined by cf-serverd.
# @param from File path to copy from on remote server
# @param server Remote server to copy file from if executing host is not a policy server
{
# NOTE policy servers cheat and copy directly from the local file system.
# This works even if cf-serverd is down and it makes sense if your serving
# yourself.
source => "$(from)";
# Files are compared by content digest.
compare => "digest";
# A server key that is not already trusted is not accepted automatically.
trustkey => "false";
# Files in the destination that do not exist in the source are removed.
purge => "true";
# `servers` is only set on hosts that are not the policy hub, which is what
# makes the hub copy from its own file system.
!am_policy_hub::
servers => { "$(server)" };
# Encryption of the transfer is only requested when this class is set.
# NOTE(review): confirm whether the transport already protects the data when
# the class is absent.
cfengine_internal_encrypt_transfers::
encrypt => "true";
}
body classes u_if_repaired(x)
# @brief Set class `x` when the promise had to be repaired
# @param x Class name to define on a repaired outcome
{
      # no class is set for kept or failed outcomes
      promise_repaired => { "$(x)" };
}
body classes u_if_else(yes,no)
# @brief Define `yes` if promise results in a repair, `no` if promise is not kept (failed, denied, timeout)
# @param yes class to define if promise results in repair
# @param no class to define if promise is not kept (failed, denied, timeout)
{
# promise_kept is deliberately left disabled: a promise that was already
# kept defines neither `yes` nor `no`.
# promise_kept => { "$(yes)" };
promise_repaired => { "$(yes)" };
# All three not-kept outcomes map to the same `no` class.
repair_failed => { "$(no)" };
repair_denied => { "$(no)" };
repair_timeout => { "$(no)" };
}
body common control
# @brief Common control for standalone self upgrade
{
version => "CFEngine Standalone Self Upgrade 3.24.2";
# The TLS minimum version and cipher list are set only when the matching
# `*_defined` class exists; without it the attribute is left unset here.
# When hardening, set both this outbound side and the cf-serverd side named
# in the trailing comments, otherwise only one direction is restricted.
control_common_tls_min_version_defined::
tls_min_version => "$(default:def.control_common_tls_min_version)"; # See also: allowtlsversion in body server control
control_common_tls_ciphers_defined::
tls_ciphers => "$(default:def.control_common_tls_ciphers)"; # See also: allowciphers in body server control
(debian|ubuntu)::
package_inventory => { $(package_module_knowledge.platform_default) };
# We only define package_inventory on redhat like systems that have a
# python version that works with the package module.
(redhat|centos)::
package_inventory => { $(package_module_knowledge.platform_default) };
# Default package module for packages promises on these platform classes.
(debian|redhat)::
package_module => $(package_module_knowledge.platform_default);
}
body depth_search u_recurse_basedir(d)
# @brief Search recursively from (and including) the referenced directory to depth `d` excluding common version control paths
# @param d maximum depth to descend
{
# The starting directory itself is part of the search, not only its children.
include_basedir => "true";
depth => "$(d)";
# Version-control metadata directories are never descended into.
exclude_dirs => { "\.svn", "\.git", "git-core" };
}
body edit_defaults u_empty_no_backup
# @brief Do not create backups and ensure we are promising the entire content of
# the file.
{
# Start from an empty file so that only the promised lines remain.
empty_file_before_editing => "true";
# No backup copy of the previous content is kept; anything that was in the
# file before the edit cannot be recovered from a backup afterwards.
edit_backup => "false";
}
body file_select plain
# @brief Select plain, regular files
{
file_types => { "plain" };
# The selection result is exactly the file_types test above.
file_result => "file_types";
}
body package_method u_generic(repo)
# @brief Generic package_method capable of managing packages on multiple platforms.
# @param repo Local directory to look for packages in
#
# Each platform section sets the commands used to list, add, update, delete
# and compare packages. Package files are looked up in `repo`
# (package_file_repositories) and none of the add commands below passes an
# explicit signature-verification option, so what gets installed is only as
# trustworthy as the way `repo` is populated and who can write to it.
{
debian::
package_changes => "individual";
package_list_command => "/usr/bin/dpkg -l";
# package_list_update_command => "/usr/bin/apt-get update";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_list_name_regex => "ii\s+([^\s:]+).*";
# package_list_version_regex => "ii\s+[^\s]+\s+([^\s]+).*";
package_list_version_regex => "ii\s+[^\s]+\s+(\d+\.\d+((\.|-)\d+)+).*";
package_installed_regex => ".*"; # all reported are installed
package_file_repositories => { "$(repo)" };
# $(v1) and $(v2) are placed between single quotes in the command string.
# NOTE(review): confirm the version values can never contain a single quote.
package_version_equal_command => "/usr/bin/dpkg --compare-versions '$(v1)' eq '$(v2)'";
package_version_less_command => "/usr/bin/dpkg --compare-versions '$(v1)' lt '$(v2)'";
debian.x86_64::
package_name_convention => "$(name)_$(version)_amd64.deb";
debian.i686::
package_name_convention => "$(name)_$(version)_i386.deb";
debian::
# The --force-conf* options answer dpkg's configuration-file prompts
# non-interactively; locally modified conffiles may be replaced.
package_add_command => "/usr/bin/dpkg --force-confdef --force-confnew --install";
package_delete_command => "/usr/bin/dpkg --purge";
redhat|SuSE|suse|sles::
package_changes => "individual";
# The query format emits "i | repos | name | version-release | arch", which
# the name/version/arch regexes below pick apart by `|` position.
package_list_command => "/bin/rpm -qa --queryformat \"i | repos | %{name} | %{version}-%{release} | %{arch}\n\"";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_list_name_regex => "[^|]+\|[^|]+\|\s+([^\s|]+).*";
package_list_version_regex => "[^|]+\|[^|]+\|[^|]+\|\s+([^\s|]+).*";
package_list_arch_regex => "[^|]+\|[^|]+\|[^|]+\|[^|]+\|\s+([^\s]+).*";
package_installed_regex => "i.*";
package_file_repositories => { "$(repo)" };
package_name_convention => "$(name)-$(version).$(arch).rpm";
package_add_command => "/bin/rpm -ivh ";
# --nodeps removes the package without dependency checks.
package_delete_command => "/bin/rpm -e --nodeps";
package_verify_command => "/bin/rpm -V";
# Any non-blank output from the verify command counts as a failed verify.
package_noverify_regex => ".*[^\s].*";
package_version_less_command => "$(sys.bindir)/rpmvercmp '$(v1)' lt '$(v2)'";
package_version_equal_command => "$(sys.bindir)/rpmvercmp '$(v1)' eq '$(v2)'";
(redhat|SuSE|suse|sles|debian|solarisx86|solaris)::
# Updates are delegated to cf-upgrade, which is handed a backup script, a
# backup file and an install script taken from
# cfengine_software_version_packages1.
package_update_command => "$(sys.workdir)/bin/cf-upgrade -b $(cfengine_software_version_packages1.backup_script) -s $(cfengine_software_version_packages1.backup_file) -i $(cfengine_software_version_packages1.install_script)";
redhat.!redhat_4::
package_list_update_command => "/usr/bin/yum --quiet check-update";
redhat_4::
package_list_update_command => "/usr/bin/yum check-update";
SuSE|suse|sles::
package_list_update_command => "/usr/bin/zypper list-updates";
windows::
package_changes => "individual";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_file_repositories => { "$(repo)" };
package_installed_regex => ".*";
package_name_convention => "$(name)-$(version)-$(arch).msi";
# msiexec runs with /qn (no user interface) for add, update and delete.
package_add_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /i";
package_update_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /i";
package_delete_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /x";
# Version comparison is done by vercmp.ps1 from the CFEngine bin directory.
package_version_less_command => '$(sys.winsysdir)$(const.dirsep)WindowsPowerShell$(const.dirsep)v1.0$(const.dirsep)powershell.exe "$(sys.bindir)$(const.dirsep)vercmp.ps1" "$(v1)" "lt" "$(v2)"';
package_version_equal_command => '$(sys.winsysdir)$(const.dirsep)WindowsPowerShell$(const.dirsep)v1.0$(const.dirsep)powershell.exe "$(sys.bindir)$(const.dirsep)vercmp.ps1" "$(v1)" "eq" "$(v2)"';
freebsd::
package_changes => "individual";
package_list_command => "/usr/sbin/pkg_info";
# /usr/bin/true: there is no real "refresh package list" step here.
package_list_update_command => "/usr/bin/true";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_list_name_regex => "^(\S+)-(\d+\.?)+";
package_list_version_regex => "^\S+-((\d+\.?)+\_\d)";
package_file_repositories => { "$(repo)" };
package_installed_regex => ".*";
package_name_convention => "$(name)-$(version).tbz";
package_delete_convention => "$(name)-$(version)";
package_add_command => "/usr/sbin/pkg_add";
package_delete_command => "/usr/sbin/pkg_delete";
netbsd::
package_changes => "individual";
package_list_command => "/usr/sbin/pkg_info";
package_list_update_command => "/usr/bin/true";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_list_name_regex => "^(\S+)-(\d+\.?)+";
package_list_version_regex => "^\S+-((\d+\.?)+\nb\d)";
package_file_repositories => { "$(repo)" };
package_installed_regex => ".*";
package_name_convention => "$(name)-$(version).tgz";
package_delete_convention => "$(name)-$(version)";
package_add_command => "/usr/sbin/pkg_add";
package_delete_command => "/usr/sbin/pkg_delete";
solarisx86|solaris::
package_changes => "individual";
package_list_command => "/usr/bin/pkginfo -l";
package_list_update_command => "/usr/bin/true";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
# pkginfo -l prints one multi-line record per package; a PKGINST line starts
# a record and the regexes below read fields from within it.
package_multiline_start => "\s*PKGINST:\s+[^\s]+";
package_list_name_regex => "\s*PKGINST:\s+([^\s]+)";
package_list_version_regex => "\s*VERSION:\s+([^\s]+)";
package_list_arch_regex => "\s*ARCH:\s+([^\s]+)";
package_file_repositories => { "$(repo)" };
package_installed_regex => "\s*STATUS:\s*(completely|partially)\s+installed.*";
package_name_convention => "$(name)-$(version)-$(arch).pkg";
package_delete_convention => "$(name)";
# Cfengine appends path to package and package name below, respectively
# The add command runs the add_scr script found in $(repo) with /bin/sh, so
# $(repo) and the add_scr/admin_file inside it must be writable only by the
# account the agent runs as.
package_add_command => "/bin/sh $(repo)/add_scr $(repo)/admin_file";
package_delete_command => "/usr/sbin/pkgrm -n -a $(repo)/admin_file";
aix::
package_changes => "individual";
package_list_update_command => "/usr/bin/true";
package_list_update_ifelapsed => "$(u_common_knowledge.list_update_ifelapsed_now)";
package_list_command => "/usr/bin/lslpp -lc";
package_list_name_regex => "[^:]+:([^:]+):[^:]+:.*";
package_list_version_regex => "[^:]+:[^:]+:([^:]+):.*";
package_file_repositories => { "$(repo)" };
package_installed_regex => "[^:]+:[^:]+:[^:]+:[^:]*:(COMMITTED|APPLIED):.*";
package_name_convention => "$(name)-$(version).bff";
package_delete_convention => "$(name)";
# Redirecting the output to '/dev/null' below makes sure 'geninstall' has
# its stdout open even if the 'cf-agent' process that started it
# terminates (e.g. gets killed).
# NOTE(review): the trailing `$` on the three commands below presumably tells
# the agent not to append a package name to the command -- confirm.
package_add_command => "/usr/bin/rm -f $(repo)/.toc && /usr/sbin/geninstall -IacgXNY -d $(repo) cfengine-nova > /dev/null$";
package_update_command => "/usr/bin/rm -f $(repo)/.toc && /usr/sbin/geninstall -IacgXNY -d $(repo) cfengine-nova > /dev/null$";
package_delete_command => "/usr/sbin/installp -ug cfengine-nova$";
# Internal version comparison model doesn't work for W.X.Y.Z
package_version_less_command => "$(sys.bindir)/rpmvercmp '$(v1)' lt '$(v2)'";
package_version_equal_command => "$(sys.bindir)/rpmvercmp '$(v1)' eq '$(v2)'";
}
body package_module yum
# @brief Yum package module default settings
{
# Minimum intervals between refreshes of the installed-package and
# available-update caches.
query_installed_ifelapsed => "10";
query_updates_ifelapsed => "30";
# The interpreter attribute is only given to agents of version 3.12.2 or
# newer; the module is then run by the Python that CFEngine selected.
@if minimum_version(3.12.2)
interpreter => "$(sys.bindir)/cfengine-selected-python";
@endif
}
body package_module apt_get
# @brief apt_get package module default settings
{
# Minimum intervals between refreshes of the installed-package and
# available-update caches.
query_installed_ifelapsed => "10";
query_updates_ifelapsed => "30";
# The interpreter attribute is only given to agents of version 3.12.2 or
# newer; the module is then run by the Python that CFEngine selected.
@if minimum_version(3.12.2)
interpreter => "$(sys.bindir)/cfengine-selected-python";
@endif
}
body package_module zypper
# @brief zypper package module default settings
{
# Unlike the yum and apt_get bodies in this file, the installed-package
# query interval is "0" here.
query_installed_ifelapsed => "0";
query_updates_ifelapsed => "30";
#default_options => {};
# The interpreter attribute is only given to agents of version 3.12.2 or
# newer; the module is then run by the Python that CFEngine selected.
@if minimum_version(3.12.2)
interpreter => "$(sys.bindir)/cfengine-selected-python";
@endif
}
body package_module msiexec
# @brief msiexec package module default settings
{
query_installed_ifelapsed => "10";
query_updates_ifelapsed => "30";
# On agents of version 3.12.2 or newer the module is started through cmd.exe.
@if minimum_version(3.12.2)
interpreter => "$(sys.winsysdir)$(const.dirsep)cmd.exe /c ";
@endif
# The module is a batch file under the work directory. Because the agent
# executes it, modules/packages must be writable only by administrators.
module_path => "$(sys.workdir)$(const.dirsep)modules$(const.dirsep)packages$(const.dirsep)msiexec.bat";
}
body perms u_m(p)
# @brief Ensure mode is `p`
# @param p permissions
{
# Only the mode is promised; owner and group are not set by this body.
mode => "$(p)";
}
body copy_from local_dcp(from)
# @brief Copy a local file if the hash on the source file differs.
# @param from The path to the source file.
#
# **Example:**
#
# ```cf3
# bundle agent example
# {
# files:
# "/tmp/file.bak"
# copy_from => local_dcp("/tmp/file");
# }
# ```
#
# **See Also:** `local_cp()`, `remote_dcp()`
{
# No `servers` attribute is given, so the source path is read locally.
source => "$(from)";
# Copy only when the content digests of source and destination differ.
compare => "digest";
}
cfengine-masterfiles-3.24.2/services/ 0000755 0000000 0000000 00000000000 15010704326 017513 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/services/main.cf 0000644 0000000 0000000 00000000511 15010704240 020741 0 ustar 00root root 0000000 0000000 ###############################################################################
#
# bundle agent mpf_main
# - User/Site policy entry
#
###############################################################################
bundle agent mpf_main
# User Defined Service Catalogue
#
# Ships empty: the methods section below contains no promises until site
# policy is added to it.
{
methods:
# Activate your custom policies here
}
cfengine-masterfiles-3.24.2/services/autorun/ 0000755 0000000 0000000 00000000000 15010704326 021210 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/services/autorun/hello.cf 0000644 0000000 0000000 00000000270 15010704240 022617 0 ustar 00root root 0000000 0000000 bundle agent hello_world_autorun
{
meta:
"tags" slist => { "autorun" };
reports:
verbose_mode::
"$(this.bundle): Hello, this is an automatically loaded bundle";
}
cfengine-masterfiles-3.24.2/services/init.cf 0000644 0000000 0000000 00000001224 15010704240 020762 0 ustar 00root root 0000000 0000000 ################################################################################
#
# User policy init
# This file is added to inputs before autorun and main.cf policy files.
# Thus, it is parsed before other user-written policy.
# You should not put bundles and promises here.
# This is a good place to put promise blocks (promise type definitions).
# This is loaded very early, only use hard classes or classes from def.json here.
#
###############################################################################
# For example:
# promise agent git
# {
# path => "/var/cfengine/modules/promises/git_using_lib.py";
# interpreter => "/usr/bin/python3";
# }
cfengine-masterfiles-3.24.2/CONTRIBUTING.md 0000644 0000000 0000000 00000001451 15010704240 020115 0 ustar 00root root 0000000 0000000 # Contributing to the CFEngine masterfiles
* Follow the [Core contribution guidelines](https://github.com/cfengine/core/blob/master/CONTRIBUTING.md#how-to-contribute-to-cfengine)
  * Prefix commit subjects with the issue identifier
  * Don't forget to include a [ChangeLog Entry](https://github.com/cfengine/core/blob/master/CONTRIBUTING.md#changelog)
* Follow the [policy style guide](https://docs.cfengine.com/docs/latest/guide-writing-and-serving-policy-policy-style.html)
* Test thoroughly, provide [acceptance tests](https://github.com/cfengine/core/blob/master/tests/acceptance/README) to run in core or masterfiles using the [DCS framework](https://github.com/cfengine/core/blob/master/tests/acceptance/DCS.org)
* Document well. See [MPF.md](MPF.md)
* lurk for a bit
* don't be afraid to ask questions
cfengine-masterfiles-3.24.2/controls/ 0000755 0000000 0000000 00000000000 15010704326 017533 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/controls/update_def_inputs.cf 0000644 0000000 0000000 00000001211 15010704240 023535 0 ustar 00root root 0000000 0000000 bundle common u_cfengine_enterprise
# @brief Inputs specific to CFEngine Enterprise
{
vars:
enable_cfengine_enterprise_hub_ha::
"input[ha_update]"
string => "cfe_internal/enterprise/ha/ha_update.cf";
"input[ha_def]"
string => "cfe_internal/enterprise/ha/ha_def.cf";
"def"
slist => { "ha_def", "ha_update" };
"inputs" slist => getvalues(input);
!enable_cfengine_enterprise_hub_ha::
"inputs" slist => { };
"def" slist => { "$(this.bundle)" };
}
body file control
# @brief Include policy specific to CFEngine Enterprise
{
# The list comes from bundle common u_cfengine_enterprise: the two HA policy
# files when enable_cfengine_enterprise_hub_ha is defined, otherwise empty.
inputs => { @(u_cfengine_enterprise.inputs) };
}
cfengine-masterfiles-3.24.2/controls/def_inputs.cf 0000644 0000000 0000000 00000000102 15010704240 022171 0 ustar 00root root 0000000 0000000 body file control
{
inputs => { @(def.augments_inputs) };
}
cfengine-masterfiles-3.24.2/controls/update_def.cf.in 0000644 0000000 0000000 00000026421 15010704240 022552 0 ustar 00root root 0000000 0000000 bundle common update_def
# @brief Main default settings for update policy
{
classes:
any::
"sys_policy_hub_port_exists" expression => isvariable("sys.policy_hub_port");
vars:
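# Split the hub version recorded in the state directory into its
# "<major.minor.patch>-<release>" parts. The capture groups must be named:
# current_version and current_release below index the result by
# [major_minor_patch] and [release]. The page had lost the `<name>` part of
# both groups, which left an invalid pattern.
"hub_binary_version" -> { "ENT-10664" }
  data => data_regextract(
            "^(?<major_minor_patch>\d+\.\d+\.\d+)-(?<release>\d+)",
            readfile("$(sys.statedir)$(const.dirsep)hub_cf_version.txt" ) ),
  # Guarded so that a missing file leaves the variable undefined instead of
  # producing a read error.
  if => fileexists( "$(sys.statedir)$(const.dirsep)hub_cf_version.txt" );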
"current_version" -> { "ENT-10664" }
string => "$(hub_binary_version[major_minor_patch])";
"current_release"
string => "$(hub_binary_version[release])";
# MPF Controls
# Because in some versions of cfengine bundlesequence in body common
# control does not support iteration over data containers
# we must first pick out the bundles into a shallow container that we can
# then get a regular list from using getvalues().
"tbse" data => mergedata( "def.control_common_update_bundlesequence_end" );
# Since we have @(def.update_bundlesequence_end) in body common control
# bundlesequence we must have a list variable defined. It can be empty, but it
# must be defined. If it is not defined the agent will error, complaining
# that '@(def.bundlesequence_end)' is not a defined bundle.
# As noted in CFE-2460 getvalues behaviour varies between versions. 3.7.x
# getvalues will return an empty list when run on a non-existent data
# container. On 3.9.1 it does not return an empty list.
# So we initialize it as an empty list first to be safe.
"bundlesequence_end" slist => {};
"bundlesequence_end" slist => getvalues( tbse );
"augments_inputs"
slist => {},
if => not( isvariable( "def.update_inputs" ) );
"augments_inputs"
slist => { @(def.update_inputs) },
if => isvariable( "def.update_inputs" );
# Default the input name patterns, if we don't find it defined in def
# (from the augments_file).
"input_name_patterns" -> { "CFE-3425" }
slist => { ".*\.cf",".*\.dat",".*\.txt", ".*\.conf", ".*\.mustache",
".*\.sh", ".*\.pl", ".*\.py", ".*\.rb", ".*\.sed", ".*\.awk",
"cf_promises_release_id", ".*\.json", ".*\.yaml", ".*\.csv",
".*\.ps1" },
comment => "Filename patterns to match when updating the policy
(see update/update_policy.cf)",
handle => "common_def_vars_input_name_patterns_policy_default",
if => and(and(not(isvariable("override_data_acl")),
not(isvariable("input_name_patterns"))),
not(isvariable("def.input_name_patterns"))),
meta => { "defvar" };
# Define based on data in def (which comes from the augments file), if
# present and input_name_patterns is not yet defined.
"input_name_patterns"
slist => { @(def.input_name_patterns) },
comment => "Filename patterns to match when updating the policy
(see update/update_policy.cf)",
handle => "common_def_vars_input_name_patterns",
if => and( isvariable("def.input_name_patterns"),
not(isvariable("input_name_patterns"))),
meta => { "defvar" };
"input_name_patterns_extra" -> { "ENT-10480" }
slist => {},
comment => "Additional filename patterns to copy during policy update.",
if => not( isvariable( "input_name_patterns_extra" ) );
# the permissions for your masterfiles files (not dirs), which will propagate to inputs
"masterfiles_perms_mode_not_dir" -> { "CFE-951" }
string => "0600",
handle => "common_def_vars_masterfiles_perms_mode_not_dir",
meta => { "defvar" };
"masterfiles_perms_mode_dirs" -> { "CFE-951" }
string => "0700",
handle => "common_def_vars_masterfiles_perms_mode_dirs",
meta => { "defvar" };
"dc_scripts" string => "$(sys.workdir)/httpd/htdocs/api/dc-scripts",
comment => "Directory where VCS scripts are located on Enterprise Hub";
"DCWORKFLOW" string => "/opt/cfengine",
comment => "Directory where VCS related data things is stored";
"local_masterfiles_git" string => "$(DCWORKFLOW)/masterfiles.git",
comment => "Local bare git repository, serves as OOTB upstream repo";
"cf_git" string => "$(sys.workdir)/bin/git",
comment => "Path to git binary installed with CFEngine Enterprise";
"cf_apache_user" string => "cfapache",
comment => "User that CFEngine Enterprise webserver runs as",
handle => "common_def_vars_cf_cfapache_user";
"cf_apache_group" string => "cfapache",
comment => "Group that CFEngine Enterprise webserver runs as",
handle => "common_def_vars_cf_cfapache_group";
# Hubs get the explicit path because they perform local copies (especially
# during bootstrap) when cf-serverd may not be available. Else we use the
# "masterfiles" shortcut.
"mpf_update_policy_master_location" -> { "ENT-3692" }
string => ifelse( "am_policy_hub", "@prefix@/masterfiles",
"masterfiles");
# Here we allow the masterfiles location to be overridden via augments. If
# augments overrides the value, use that. Note: Since hubs do not perform
# copies to themselves over cf-serverd, this should be a fully qualified
# path or special considerations must be made for hub bootstrapping.
"mpf_update_policy_master_location" -> { "ENT-3692" }
comment => "Directory where clients should get policy from.",
string => "$(def.mpf_update_policy_master_location)",
if => isvariable( "def.mpf_update_policy_master_location" );
# enable_cfengine_enterprise_hub_ha is defined below
# Disabled by default
# If we want to use the backup repository for update (because the class is
# defined) and if the location is not already configured (via Augments),
# set a default.
"control_agent_default_repository" -> { "ENT-10481" }
string => "$(sys.workdir)/backups",
if => and( "mpf_update_control_agent_default_repository",
not( isvariable( "control_agent_default_repository" ) ) );
enable_cfengine_enterprise_hub_ha::
"standby_servers" slist => filter("$(sys.policy_hub)", "ha_def.ips", false, true, 10);
"policy_servers" slist => { "$(sys.policy_hub)", "@(standby_servers)" };
!enable_cfengine_enterprise_hub_ha::
"policy_servers" slist => {"$(sys.policy_hub)"};
any::
"control_common_ignore_missing_bundles" -> { "CFE-2773" }
string => ifelse( strcmp( $(control_common_ignore_missing_bundles), "true" ),
"true",
"false");
"control_common_ignore_missing_inputs" -> { "CFE-2773" }
string => ifelse( strcmp( $(control_common_ignore_missing_inputs), "true" ),
"true",
"false");
"control_agent_agentfacility" -> { "ENT-10209" }
string => "",
if => not( isvariable ( "default:def.control_agent_agentfacility" ));
classes:
"control_agent_agentfacility_configured" -> { "ENT-10209" }
expression => regcmp( "LOG_(USER|DAEMON|LOCAL[0-7])",
$(control_agent_agentfacility) ),
comment => concat( "If default:def.control_agent_agentfacility is a",
" valid setting, we want to use it in body agent",
" control for setting agentfacility" );
"control_common_tls_min_version_defined" -> { "ENT-10198" }
expression => isvariable( "default:def.control_common_tls_min_version"),
comment => concat( "If default:def.control_common_tls_min_version is defined then",
" it's value will be used for the minimum version in outbound",
" connections. Else the binary default will be used.");
"control_common_tls_ciphers_defined" -> { "ENT-10198" }
expression => isvariable( "default:def.control_common_tls_ciphers"),
comment => concat( "If default:def.control_common_tls_ciphers is defined then",
" it's value will be used for the set of tls ciphers allowed",
" for outbound connections. Else the binary default will be used.");
# Trigger binary upgrade from policy hub
# Disable by default
"trigger_upgrade" or => {
"!any",
};
# Update masterfiles from Git
# Enabled for enterprise users by default
# you can also request it from the command line with
# -Dcfengine_internal_masterfiles_update
# NOTE THAT ENABLING THIS BY DEFAULT *WILL* OVERWRITE THE HUB'S $(sys.workdir)/masterfiles
#"cfengine_internal_masterfiles_update" expression => "enterprise.!(cfengine_3_4|cfengine_3_5)";
"cfengine_internal_masterfiles_update" expression => "!any";
# Transfer policies and binaries with encryption
# you can also request it from the command line with
# -Dcfengine_internal_encrypt_transfers
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
"cfengine_internal_encrypt_transfers" expression => "!any";
# Do not purge policies that don't exist on the server side.
# you can also request it from the command line with
# -Dcfengine_internal_purge_policies_disabled
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
"cfengine_internal_purge_policies_disabled" expression => "!any";
# Preserve permissions of the policy server's masterfiles.
# you can also request it from the command line with
# -Dcfengine_internal_preserve_permissions
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
"cfengine_internal_preserve_permissions" expression => "!any";
# Disable checking of cf_promises_validated before updating clients.
# Disabling checking of cf_promises_validated ensures that remote agents
# will **always** scan all of masterfiles for any changes and update
# accordingly. This is not recommended as it both removes a safety
# mechanism that checks for policy to be valid before allowing clients to
# download updates, and the increased load on the hub will affect
# scalability. Consider using time_based, select_class, or dist based classes
# instead of any to retain some of the benefits. **DISABLE WITH CAUTION**
"cfengine_internal_disable_cf_promises_validated"
expression => "!any",
comment => "When cf_promises_validated is disabled remote agents will
always scan all of masterfiles for changes. Disabling this
is not recommended as it will increase the load on the policy
server and increases the possibility for remote agents to
receive broken policy.";
# Enable CFEngine Enterprise HA Policy
"enable_cfengine_enterprise_hub_ha" expression => "!any";
#"enable_cfengine_enterprise_hub_ha" expression => "enterprise_edition";
# Enable failover to node which is outside cluster
#"failover_to_replication_node_enabled" expression => "enterprise_edition";
}
cfengine-masterfiles-3.24.2/controls/cf_agent.cf 0000644 0000000 0000000 00000004337 15010704240 021615 0 ustar 00root root 0000000 0000000 ###############################################################################
#
# This part is for cf-agent
#
# Settings describing the details of the fixed behavioural promises made
# by cf-agent
#
###############################################################################
body agent control
# Control attributes for cf-agent. Most values come from variables in the
# `def` bundle; several attributes are applied only when a guard class is set.
{
# Global default for time that must elapse before promise will be rechecked.
# Don't keep any promises.
any::
# Minimum time (in minutes) which should have passed since the last time
# the promise was verified before it is checked again.
ifelapsed => "1";
# Do not send IP/name during server connection if address resolution is broken.
# Comment it out if you do NOT have a problem with DNS
skipidentify => "true";
# explicitly not supported (but they should break long before)
abortclasses => { "cfengine_3_3", "cfengine_3_4", @(def.control_agent_abortclasses) };
# The abortbundleclasses slist contains regular expressions that match
# classes which if defined lead to termination of current bundle.
abortbundleclasses => { @(def.control_agent_abortbundleclasses) };
# Maximum number of outgoing connections to a remote cf-serverd.
maxconnections => "$(def.control_agent_maxconnections)";
# Environment variables of the agent process.
# The values of environment variables are inherited by child commands
# EMPTY list is not valid for environment attribute Ref: CFE-3927. So, we
# do some validation on it so we can apply it selectively.
# Because every command the agent starts inherits these, variables that
# change program lookup or loading should come only from trusted policy data.
_control_agent_environment_vars_validated::
environment => { @(def.control_agent_environment_vars) };
_have_control_agent_files_single_copy::
# CFE-3622
# File patterns which allow a file to be copied over only a single time
# per agent run.
files_single_copy => { @(def.control_agent_files_single_copy) };
mpf_control_agent_default_repository::
# Location to backup files before they are edited by cfengine
# Backups keep the previous content of edited files, so this directory
# needs permissions at least as strict as the files it backs up.
default_repository => "$(def.control_agent_default_repository)";
# Environment variables based on Distro
# NOTE(review): the comment above does not describe the attribute that
# follows, which sets agentfacility when the guard class is defined.
control_agent_agentfacility_configured::
agentfacility => "$(default:def.control_agent_agentfacility)";
}
cfengine-masterfiles-3.24.2/controls/cf_hub.cf 0000644 0000000 0000000 00000002235 15010704240 021270 0 ustar 00root root 0000000 0000000 ###############################################################################
#
# This part is for cf-hub
#
# Settings describing the details of the fixed behavioural promises made
# by cf-monitord. The system defaults will be sufficient for most users.
#
###############################################################################
body hub control
# @brief Control attributes for `cf-hub`
{
# Everything below applies only on an Enterprise policy server.
enterprise_edition.policy_server::
# Hosts listed here are left out of report collection.
exclude_hosts => { @(def.control_hub_exclude_hosts) };
# exclude_hosts => { "192.168.12.21", "10.10", "10.12.*" };
# cf-hub initiates a pull collection round if one of the listed classes is defined.
hub_schedule => { @(def.control_hub_hub_schedule) };
# port => "5308";
# query_timeout is only given to binaries of version 3.15 or newer.
@if minimum_version(3.15)
query_timeout => "$(def.control_hub_query_timeout)";
@endif
# Hub will discard accumulated reports on the clients
# and download only information about current state of the client
# in case of not successfully downloading the reports for defined
# period of time. Default value is 6 hours.
# Was introduced in CFEngine 3.6.4
# client_history_timeout => 6; # [hours]
}
cfengine-masterfiles-3.24.2/controls/cf_monitord.cf 0000644 0000000 0000000 00000001264 15010704240 022346 0 ustar 00root root 0000000 0000000 ###############################################################################
#
# This part is for cf-monitord
#
# Settings describing the details of the fixed behavioural promises made
# by cf-monitord. The system defaults will be sufficient for most users.
# This configurability potential, however, will be a key to developing
# the integrated monitoring capabilities of CFEngine.
#
###############################################################################
body monitor control
# @brief Attributes controlling cf-monitord
{
any::
forgetrate => "0.7";
histograms => "true";
# Packet capture stays disabled: both tcpdump attributes are commented out.
# tcpdump => "false";
# tcpdumpcommand => "/usr/sbin/tcpdump -t -n -v";
}
cfengine-masterfiles-3.24.2/controls/cf_execd.cf 0000644 0000000 0000000 00000004741 15010704240 021606 0 ustar 00root root 0000000 0000000 ###############################################################################
# This part is for cf-execd
#
# These body settings determine the behaviour of cf-execd,
# including scheduling times and output capture to
# $(sys.workdir)/outputs and relay via email.
###############################################################################
body executor control
# @brief Settings that determine the behavior of `cf-execd`
# @variable `default:def.control_executor_mailmaxlines` - The maximum number of lines of output that `cf-execd` will email.
{
any::
splaytime => "$(def.control_executor_splaytime)"; # activity will be spread over this many time slices
agent_expireafter => "$(def.control_executor_agent_expireafter)";
# Only for binaries of version 3.18.0 or newer, and only when the guard class
# is set. Each user named here may use the runagent socket, so keep the list
# to accounts that are allowed to trigger agent runs.
@if minimum_version(3.18.0)
_have_control_executor_runagent_socket_allow_users::
runagent_socket_allow_users => { @(def.control_executor_runagent_socket_allow_users) };
@endif
# Mail settings apply only when agent email is enabled and not disabled.
# Agent output is what gets mailed, so the SMTP server and recipient should
# be ones permitted to see host-level details.
cfengine_internal_agent_email.!cfengine_internal_disable_agent_email::
mailto => "$(def.mailto)";
mailfrom => "$(def.mailfrom)";
smtpserver => "$(def.smtpserver)";
mailmaxlines => "$(default:def.control_executor_mailmaxlines)";
# Subject and include/exclude filters are each set only when their own
# `*_configured` class is defined in addition to the email classes.
control_executor_mailsubject_configured.cfengine_internal_agent_email.!cfengine_internal_disable_agent_email::
mailsubject => "$(default:def.control_executor_mailsubject)";
control_executor_mailfilter_exclude_configured.cfengine_internal_agent_email.!cfengine_internal_disable_agent_email::
mailfilter_exclude => { "@(default:def.control_executor_mailfilter_exclude)" };
control_executor_mailfilter_include_configured.cfengine_internal_agent_email.!cfengine_internal_disable_agent_email::
mailfilter_include => { "@(default:def.control_executor_mailfilter_include)" };
any::
# Default:
#
# schedule => { "Min00", "Min05", "Min10", "Min15", "Min20",
# "Min25", "Min30", "Min35", "Min40", "Min45",
# "Min50", "Min55" };
schedule => { @(def.control_executor_schedule_value) };
# The full path and command to the executable run by default (overriding builtin).
# Both variants run the agent twice: first on the update policy file, then
# on the default policy. They differ only in the command separator
# (`&` on windows, `;` elsewhere), so the second run happens even when the
# update run fails.
windows::
exec_command => "$(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated -f \"$(sys.update_policy_path)\" & $(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated";
!windows::
exec_command => "$(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated -f \"$(sys.update_policy_path)\" ; $(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated";
}
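cfengine-masterfiles-3.24.2/controls/update_def.cf 0000644 0000000 0000000 00000026426 15010704326 022157 0 ustar 00root root 0000000 0000000 bundle common update_def
# @brief Main default settings for update policy
#
# Defines the variables and classes that the update policy reads: the hub
# binary version, the bundles and inputs appended from augments, the filename
# patterns and permissions used when copying masterfiles, the location policy
# is fetched from, and the classes that switch optional update behaviour on.
# The optional behaviour classes at the end are all promised as "!any", so
# none of them is defined by this bundle; the comments name the -D class that
# requests each one from the command line.
{
classes:
any::
# Defined when the agent provides sys.policy_hub_port.
"sys_policy_hub_port_exists" expression => isvariable("sys.policy_hub_port");
vars:
# Version of the hub binaries, parsed from hub_cf_version.txt in the state
# directory when that file exists. The two named capture groups provide the
# major_minor_patch and release keys that the next two promises read.
"hub_binary_version" -> { "ENT-10664" }
data => data_regextract(
"^(?<major_minor_patch>\d+\.\d+\.\d+)-(?<release>\d+)",
readfile("$(sys.statedir)$(const.dirsep)hub_cf_version.txt" ) ),
if => fileexists( "$(sys.statedir)$(const.dirsep)hub_cf_version.txt" );
"current_version" -> { "ENT-10664" }
string => "$(hub_binary_version[major_minor_patch])";
"current_release"
string => "$(hub_binary_version[release])";
# MPF Controls
# Because in some versions of cfengine bundlesequence in body common
# control does not support iteration over data containers
# we must first pick out the bundles into a shallow container that we can
# then get a regular list from using getvalues().
"tbse" data => mergedata( "def.control_common_update_bundlesequence_end" );
# Since we have @(def.update_bundlesequence_end) in body common control
# bundlesequence we must have a list variable defined. It can be empty, but it
# must be defined. If it is not defined the agent will error complaining
# that '@(def.bundlesequence_end)' is not a defined bundle.
# As noted in CFE-2460 getvalues behaviour varies between versions. 3.7.x
# getvalues will return an empty list when run on a nonexistent data
# container. On 3.9.1 it does not return an empty list.
# So we initialize it as an empty list first to be safe.
"bundlesequence_end" slist => {};
"bundlesequence_end" slist => getvalues( tbse );
# Extra policy inputs named in augments (def.update_inputs); an empty list
# when augments does not define any.
"augments_inputs"
slist => {},
if => not( isvariable( "def.update_inputs" ) );
"augments_inputs"
slist => { @(def.update_inputs) },
if => isvariable( "def.update_inputs" );
# Default the input name patterns, if we don't find it defined in def
# (from the augments_file).
# These patterns decide which files are copied to every host that updates
# from this hub. The default list includes script types (.sh, .pl, .py, .rb,
# .ps1), so anything with such a name in masterfiles is distributed; keep
# overrides as narrow as the policy needs.
# NOTE(review): the guard also tests override_data_acl, a name that def.cf
# uses for the acl default and that looks unrelated to filename patterns -
# confirm it is intended here.
"input_name_patterns" -> { "CFE-3425" }
slist => { ".*\.cf",".*\.dat",".*\.txt", ".*\.conf", ".*\.mustache",
".*\.sh", ".*\.pl", ".*\.py", ".*\.rb", ".*\.sed", ".*\.awk",
"cf_promises_release_id", ".*\.json", ".*\.yaml", ".*\.csv",
".*\.ps1" },
comment => "Filename patterns to match when updating the policy
(see update/update_policy.cf)",
handle => "common_def_vars_input_name_patterns_policy_default",
if => and(and(not(isvariable("override_data_acl")),
not(isvariable("input_name_patterns"))),
not(isvariable("def.input_name_patterns"))),
meta => { "defvar" };
# Define based on data in def (which comes from the augments file), if
# present and input_name_patterns is not yet defined.
"input_name_patterns"
slist => { @(def.input_name_patterns) },
comment => "Filename patterns to match when updating the policy
(see update/update_policy.cf)",
handle => "common_def_vars_input_name_patterns",
if => and( isvariable("def.input_name_patterns"),
not(isvariable("input_name_patterns"))),
meta => { "defvar" };
"input_name_patterns_extra" -> { "ENT-10480" }
slist => {},
comment => "Additional filename patterns to copy during policy update.",
if => not( isvariable( "input_name_patterns_extra" ) );
# the permissions for your masterfiles files (not dirs), which will propagate to inputs
# 0600 for files and 0700 for directories give access to the owning account
# only; loosening either exposes policy, and any data shipped with it, to
# other local users.
"masterfiles_perms_mode_not_dir" -> { "CFE-951" }
string => "0600",
handle => "common_def_vars_masterfiles_perms_mode_not_dir",
meta => { "defvar" };
"masterfiles_perms_mode_dirs" -> { "CFE-951" }
string => "0700",
handle => "common_def_vars_masterfiles_perms_mode_dirs",
meta => { "defvar" };
# Fixed locations and accounts used by the Enterprise hub's VCS integration
# and web server.
"dc_scripts" string => "$(sys.workdir)/httpd/htdocs/api/dc-scripts",
comment => "Directory where VCS scripts are located on Enterprise Hub";
"DCWORKFLOW" string => "/opt/cfengine",
comment => "Directory where VCS related data things is stored";
"local_masterfiles_git" string => "$(DCWORKFLOW)/masterfiles.git",
comment => "Local bare git repository, serves as OOTB upstream repo";
"cf_git" string => "$(sys.workdir)/bin/git",
comment => "Path to git binary installed with CFEngine Enterprise";
"cf_apache_user" string => "cfapache",
comment => "User that CFEngine Enterprise webserver runs as",
handle => "common_def_vars_cf_cfapache_user";
"cf_apache_group" string => "cfapache",
comment => "Group that CFEngine Enterprise webserver runs as",
handle => "common_def_vars_cf_cfapache_group";
# Hubs get the explicit path because they perform local copies (especially
# during bootstrap) when cf-serverd may not be available. Else we use the
# "masterfiles" shortcut.
"mpf_update_policy_master_location" -> { "ENT-3692" }
string => ifelse( "am_policy_hub", "/var/cfengine/masterfiles",
"masterfiles");
# Here we allow the masterfiles location to be overridden via augments. If
# augments overrides the value, use that. Note: Since hubs do not perform
# copies to themselves over cf-serverd, this should be a fully qualified
# path or special considerations must be made for hub bootstrapping.
# Whoever can edit augments thereby chooses the directory that every client
# pulls its policy from.
"mpf_update_policy_master_location" -> { "ENT-3692" }
comment => "Directory where clients should get policy from.",
string => "$(def.mpf_update_policy_master_location)",
if => isvariable( "def.mpf_update_policy_master_location" );
# enable_cfengine_enterprise_hub_ha is defined below
# Disabled by default
# If we want to use the backup repository for update (because the class is
# defined) and if the location is not already configured (via Augments),
# set a default.
"control_agent_default_repository" -> { "ENT-10481" }
string => "$(sys.workdir)/backups",
if => and( "mpf_update_control_agent_default_repository",
not( isvariable( "control_agent_default_repository" ) ) );
# With HA enabled, standby_servers is every entry of ha_def.ips that is not
# the current policy hub (literal match, inverted, at most 10 entries) and
# policy_servers is the hub followed by those standbys. Without HA,
# policy_servers is the hub alone.
enable_cfengine_enterprise_hub_ha::
"standby_servers" slist => filter("$(sys.policy_hub)", "ha_def.ips", false, true, 10);
"policy_servers" slist => { "$(sys.policy_hub)", "@(standby_servers)" };
!enable_cfengine_enterprise_hub_ha::
"policy_servers" slist => {"$(sys.policy_hub)"};
any::
# Normalise both settings to the strings "true" or "false": anything other
# than exactly "true", including an undefined variable, becomes "false".
"control_common_ignore_missing_bundles" -> { "CFE-2773" }
string => ifelse( strcmp( $(control_common_ignore_missing_bundles), "true" ),
"true",
"false");
"control_common_ignore_missing_inputs" -> { "CFE-2773" }
string => ifelse( strcmp( $(control_common_ignore_missing_inputs), "true" ),
"true",
"false");
# Empty unless augments supplies default:def.control_agent_agentfacility.
"control_agent_agentfacility" -> { "ENT-10209" }
string => "",
if => not( isvariable ( "default:def.control_agent_agentfacility" ));
classes:
# The facility is used only when it is one of the listed syslog facility
# names; regcmp() has to match the whole string, so other values (and the
# empty default) leave this class undefined.
"control_agent_agentfacility_configured" -> { "ENT-10209" }
expression => regcmp( "LOG_(USER|DAEMON|LOCAL[0-7])",
$(control_agent_agentfacility) ),
comment => concat( "If default:def.control_agent_agentfacility is a",
" valid setting, we want to use it in body agent",
" control for setting agentfacility" );
# TLS settings for outbound connections. When neither variable is defined
# the binary's built-in minimum version and cipher list apply. These classes
# only record that a value exists; they do not check what the value is.
"control_common_tls_min_version_defined" -> { "ENT-10198" }
expression => isvariable( "default:def.control_common_tls_min_version"),
comment => concat( "If default:def.control_common_tls_min_version is defined then",
" it's value will be used for the minimum version in outbound",
" connections. Else the binary default will be used.");
"control_common_tls_ciphers_defined" -> { "ENT-10198" }
expression => isvariable( "default:def.control_common_tls_ciphers"),
comment => concat( "If default:def.control_common_tls_ciphers is defined then",
" it's value will be used for the set of tls ciphers allowed",
" for outbound connections. Else the binary default will be used.");
# Trigger binary upgrade from policy hub
# Disable by default
"trigger_upgrade" or => {
"!any",
};
# Update masterfiles from Git
# Enabled for enterprise users by default
# you can also request it from the command line with
# -Dcfengine_internal_masterfiles_update
# NOTE THAT ENABLING THIS BY DEFAULT *WILL* OVERWRITE THE HUB'S $(sys.workdir)/masterfiles
#"cfengine_internal_masterfiles_update" expression => "enterprise.!(cfengine_3_4|cfengine_3_5)";
"cfengine_internal_masterfiles_update" expression => "!any";
# Transfer policies and binaries with encryption
# you can also request it from the command line with
# -Dcfengine_internal_encrypt_transfers
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
"cfengine_internal_encrypt_transfers" expression => "!any";
# Do not purge policies that don't exist on the server side.
# you can also request it from the command line with
# -Dcfengine_internal_purge_policies_disabled
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
"cfengine_internal_purge_policies_disabled" expression => "!any";
# Preserve permissions of the policy server's masterfiles.
# you can also request it from the command line with
# -Dcfengine_internal_preserve_permissions
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN def.cf
"cfengine_internal_preserve_permissions" expression => "!any";
# Disable checking of cf_promises_validated before updating clients.
# Disabling checking of cf_promises_validated ensures that remote agents
# will **always** scan all of masterfiles for any changes and update
# accordingly. This is not recommended as it both removes a safety
# mechanism that checks for policy to be valid before allowing clients to
# download updates, and the increased load on the hub will affect
# scalability. Consider using time_based, select_class, or dist based classes
# instead of any to retain some of the benefits. **DISABLE WITH CAUTION**
"cfengine_internal_disable_cf_promises_validated"
expression => "!any",
comment => "When cf_promises_validated is disabled remote agents will
always scan all of masterfiles for changes. Disabling this
is not recommended as it will increase the load on the policy
server and increases the possibility for remote agents to
receive broken policy.";
# Enable CFEngine Enterprise HA Policy
"enable_cfengine_enterprise_hub_ha" expression => "!any";
#"enable_cfengine_enterprise_hub_ha" expression => "enterprise_edition";
# Enable failover to node which is outside cluster
#"failover_to_replication_node_enabled" expression => "enterprise_edition";
}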
cfengine-masterfiles-3.24.2/controls/def.cf 0000644 0000000 0000000 00000114365 15010704240 020610 0 ustar 00root root 0000000 0000000 ###############################################################################
#
# bundle common def
# - common/global variables and classes here
#
###############################################################################
bundle common def
# @brief Common settings for the Masterfiles Policy Framework
{
vars:
any::
"augments_inputs"
slist => {},
if => not( isvariable( "augments_inputs" ) ),
comment => "It's important that we define this list, even if it's empty
or we get errors about the list being unresolved.";
# Your domain name, for use in access control
# Note: this default may be inaccurate!
"domain"
string => "$(sys.domain)",
comment => "Define a global domain for all hosts",
handle => "common_def_vars_domain",
if => not(isvariable("domain"));
# Mail settings used by body executor control found in controls/cf_execd.cf
"mailto"
string => "root@$(def.domain)",
if => not(isvariable("mailto"));
"mailfrom"
string => "root@$(sys.uqhost).$(def.domain)",
if => not(isvariable("mailfrom"));
"smtpserver"
string => "localhost",
if => not(isvariable("smtpserver"));
"control_executor_mailmaxlines" -> { "ENT-9614" }
int => "30",
if => not( isvariable( "control_executor_mailmaxlines" ));
"control_executor_mailsubject" -> { "ENT-10210" }
string => "",
if => not( isvariable( "control_executor_mailsubject" ) );
"control_executor_mailfilter_exclude" -> { "ENT-10210" }
slist => {},
if => not( isvariable( "control_executor_mailfilter_exclude" ) );
"control_executor_mailfilter_include" -> { "ENT-10210" }
slist => {},
if => not( isvariable( "control_executor_mailfilter_include" ) );
# List here the IP masks that we grant access to on the server
"acl"
slist => {
# Allow everything in my own domain.
# Note that this:
# 1. requires def.domain to be correctly set
# 2. will cause a DNS lookup for every access
# ".*$(def.domain)",
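# Assume /16 LAN clients to start with: this admits every address in the
# policy hub's /16, so narrow it where that whole range is not trusted.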
"$(sys.policy_hub)/16",
# Uncomment below if HA is used
#"@(def.policy_servers)"
# "2001:700:700:3.*",
# "217.77.34.18",
# "217.77.34.19",
},
comment => "Define an acl for the machines to be granted accesses",
handle => "common_def_vars_acl",
if => and(not(isvariable("override_data_acl")), not(isvariable("acl"))),
meta => { "defvar" };
!disable_always_accept_policy_server_acl::
"acl_derived" -> { "ENT-10951" }
slist => {
@(def.acl),
"$(sys.policy_hub)"
},
comment => "Define an acl for the machines to be granted accesses";
disable_always_accept_policy_server_acl::
"acl_derived" -> { "ENT-10951" }
slist => {
@(def.acl)
},
comment => "Define an acl for the machines to be granted accesses";
any::
"control_server_allowconnects" -> { "ENT-10212" }
slist => { "127.0.0.1" , "::1", @(def.acl) },
if => not( isvariable( "control_server_allowconnects" ) ),
comment => concat( "We want to define the default setting for",
" allowconnects in body server control if not",
" already specified" );
!disable_always_accept_policy_server_allowconnects::
"control_server_allowconnects_derived" -> { "ENT-10951" }
slist => { "$(sys.policy_hub)", @(def.control_server_allowconnects) },
comment => concat( "We want to define the default setting for",
" allowconnects in body server control if not",
" already specified. Since not explicitly excluded",
" we want the policy server itself to be allowed." );
disable_always_accept_policy_server_allowconnects::
"control_server_allowconnects_derived" -> { "ENT-10951" }
slist => { @(def.control_server_allowconnects) },
comment => concat( "We want to define the default setting for",
" allowconnects in body server control if not",
" already specified. Since explicitly excluded",
" we don't automatically include the policy server itself." );
any::
"control_server_allowallconnects" -> { "ENT-10212" }
slist => { "127.0.0.1" , "::1", @(def.acl) },
if => not( isvariable( "control_server_allowallconnects" ) ),
comment => concat( "We want to define the default setting for",
" allowallconnects in body server control if not",
" already specified" );
!disable_always_accept_policy_server_allowallconnects::
"control_server_allowallconnects_derived" -> { "ENT-10951" }
slist => { @(def.control_server_allowallconnects), "$(sys.policy_hub)" },
comment => concat( "We want to define the default setting for",
" allowallconnects in body server control if not",
" already specified" );
disable_always_accept_policy_server_allowallconnects::
"control_server_allowallconnects_derived" -> { "ENT-10951" }
slist => { @(def.control_server_allowallconnects) },
comment => concat( "We want to define the default setting for",
" allowallconnects in body server control if not",
" already specified" );
any::
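# Out of the hosts in allowconnects, trust new keys only from the
# following ones. This is open to every address by default so that hosts can
# bootstrap; while it stays open, a key not seen before is accepted from any
# host that allowconnects admits, so restrict it once bootstrapping is done.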
"trustkeysfrom"
slist => {
# COMMENT THE NEXT LINE OUT AFTER ALL MACHINES HAVE BEEN BOOTSTRAPPED.
"0.0.0.0/0", # allow any IP
},
comment => "Define from which machines keys can be trusted",
if => and(not(isvariable("override_data_trustkeysfrom")),
not(isvariable("trustkeysfrom"))),
meta => { "defvar" };
## List of the hosts not using the latest protocol that we'll accept connections from
## (absence of this option or empty list means allow none)
"control_server_allowlegacyconnects"
slist => {},
if => not( isvariable( "control_server_allowlegacyconnects" ) );
# Users authorized to request executions via cf-runagent
"control_server_allowusers_non_policy_server"
slist => { "root" },
if => not( isvariable( "control_server_allowusers_non_policy_server" ) );
"control_server_allowusers_policy_server"
slist => {},
if => not( isvariable( "control_server_allowusers_policy_server" ) );
policy_server::
"control_server_allowusers" -> { "CFE-3544", "ENT-6666" }
handle => "def_control_server_allowusers_policy_server",
slist => { @(control_server_allowusers_policy_server) },
meta => { "inventory", "attribute_name=Allowed users for cf-runagent" },
if => not(isvariable("control_server_allowusers"));
!policy_server::
"control_server_allowusers" -> { "CFE-3544", "ENT-6666" }
handle => "def_control_server_allowusers_non_policy_server",
slist => { @(control_server_allowusers_non_policy_server) },
meta => { "inventory", "attribute_name=Allowed users for cf-runagent" },
if => not(isvariable("control_server_allowusers"));
# Executor controls
any::
"mpf_admit_cf_runagent_shell_selected" -> { "ENT-6673", "ENT-6666" }
handle => "mpf_admit_cf_runagent_shell_default",
if => not( isvariable( "mpf_admit_cf_runagent_shell" )),
slist => { @(def.policy_servers) },
meta => { "inventory", "attribute_name=Allowed hosts for cf-runagent", "derived-from=def.policy_servers" },
comment => concat( "By default we admit our policy servers to initiate",
"agent runs via cf-runagent");
"mpf_admit_cf_runagent_shell_selected" -> { "ENT-6673", "ENT-6666" }
handle => "mpf_admit_cf_runagent_shell_augments",
if => isvariable( "mpf_admit_cf_runagent_shell" ),
slist => { @(def.mpf_admit_cf_runagent_shell) },
meta => { "inventory", "attribute_name=Allowed hosts for cf-runagent", "derived-from=def.mpf_admit_cf_runagent_shell" },
comment => concat( "Users can override the default set of hosts that ",
"can initiate agent runs via cf-runagent.");
# Executor Controls
## Default splaytime to 4 unless it's already defined (via augments)
"control_executor_splaytime"
string => "4",
if => not( isvariable( "control_executor_splaytime" ) ),
comment => "Splaytime controls the number of minutes hosts execution
should be splayed over. This value should be less than the
number of minutes between scheduled executions";
## Default agent_expireafter to 120 unless it's already defined (via augments)
"control_executor_agent_expireafter" -> { "ENT-4208" }
string => "120",
if => not( isvariable( "control_executor_agent_expireafter" ) ),
comment => "This controls the number of minutes after no data has been
recieved by cf-execd from a cf-agent process before that
cf-agent process is killed.";
## Default schedule unless it's already defined (via augments)
"control_executor_schedule_value"
slist => {
"Min00", "Min05", "Min10", "Min15",
"Min20", "Min25", "Min30", "Min35",
"Min40", "Min45", "Min50", "Min55",
},
if => not( isvariable( control_executor_schedule) ),
comment => "This variable defines the list of classes that should
trigger exec_command if any of them are defined.";
# schedule can't use a data structure directly, so we must use an
# intermediary variable to convert it to a list
"control_executor_schedule_value"
slist => getvalues(control_executor_schedule),
if => not( isvariable( control_executor_schedule_value) ),
comment => "This variable defines the list of classes that should
trigger exec_command if any of them are defined.";
# Users allowed on sockets
# Set the users allowed by default, if not already set (e.g. via augments)
"control_executor_runagent_socket_allow_users"
slist => { "cfapache" },
unless => isvariable( $(this.promiser) ),
if => and( "enterprise_edition", "am_policy_hub");
# Agent Controls
"control_agent_abortclasses" -> { "ENT-4823" }
slist => { },
comment => "The control body has a variable, so a valid list must be defined or the agent will error",
if => not( isvariable( $(this.promiser) ));
"control_agent_agentfacility" -> { "ENT-10209" }
string => "",
if => not( isvariable ( $(this.promiser) ));
"control_agent_abortbundleclasses" -> { "ENT-4823" }
slist => { "abortbundle" },
comment => "The control body has a variable, so a valid list must be defined or the agent will error",
if => not( isvariable( $(this.promiser) ));
"control_agent_default_repository"
string => ifelse( isvariable( "control_agent_default_repository"),
$(control_agent_default_repository),
"$(sys.workdir)/backups"),
if => "mpf_control_agent_default_repository";
"control_agent_maxconnections"
int => "30",
if => not( isvariable( "control_agent_maxconnections" ) );
# Because in some versions of cfengine bundlesequence in body common
# control does not support iteration over data containers
# we must first pick out the bundles into a shallow container that we can
# then get a regular list from using getvalues().
"tbse" data => mergedata( "def.control_common_bundlesequence_end" );
"bundlesequence_end" slist => getvalues( tbse );
"tbse" data => mergedata( "def.control_common_bundlesequence_classification" );
"bundlesequence_classification" slist => getvalues( tbse );
"control_common_ignore_missing_bundles" -> { "CFE-2773" }
string => ifelse( strcmp( $(control_common_ignore_missing_bundles), "true" ),
"true",
"false");
"control_common_ignore_missing_inputs" -> { "CFE-2773" }
string => ifelse( strcmp( $(control_common_ignore_missing_inputs), "true" ),
"true",
"false");
"control_common_lastseenexpireafter" -> { "ENT-10414" }
string => "10080", # 10080 minutes is 1 week
if => not( isvariable( "default:def.control_common_lastseenexpireafter") ),
comment => concat( "Since lastseenexpireafter is not defined, we default to",
" the binary default of 10080 minutes (1 week)" );
# Agent controls
@if minimum_version(3.18.0)
# TODO When 3.18 is the oldest supported LTS, redact this macro and associated protections
"control_agent_files_single_copy" -> { "CFE-3622" }
slist => { },
if => not( isvariable( "control_agent_files_single_copy" ) ),
comment => "Default files_single_copy to an empty list if it is not
defined. It is expected that users can override the default
by setting this value from the augments file (def.json).";
@endif
"control_server_maxconnections"
int => "200",
if => not( isvariable( "control_server_maxconnections" ) );
#+begin_src def.control_agent_environment_vars
# This configures environment_vars in body agent control
# It's configurable without having to modify policy, so the default values
# are only applied if the variable is not already defined (via augments).
# Platform defaults are set first, and the global default is set last so
# that global default does not override a platform specific setting since
# the promises are only applied if the variable is not already defined
# which is reverse of what you might normally do in CFEngine since
# typically the last promise wins.
classes:
"disable_always_accept_policy_server_acl" -> { "ENT-10951" }
expression => "disable_always_accept_policy_server";
"disable_always_accept_policy_server_allowconnects" -> { "ENT-10951" }
expression => "disable_always_accept_policy_server";
"disable_always_accept_policy_server_allowallconnects" -> { "ENT-10951" }
expression => "disable_always_accept_policy_server";
"control_agent_agentfacility_configured" -> { "ENT-10209" }
expression => regcmp( "LOG_(USER|DAEMON|LOCAL[0-7])",
$(control_agent_agentfacility) ),
comment => concat( "If default:def.control_agent_agentfacility is a",
" valid setting, we want to use it in body agent",
" control for setting agentfacility" );
"_control_agent_environment_vars_validated" -> { "CFE-3927" }
and => {
# The variable must be defined
isvariable( "default:def.control_agent_environment_vars" ),
# The length of the variable must be greater than 0 (can't be an empty list)
isgreaterthan( length( "default:def.control_agent_environment_vars" ), 0),
# Each element of the list must be of the form KEY=VALUE
every( ".+=.+", "default:def.control_agent_environment_vars"),
# In 3.18 and greater we can validate the type of variable in use
@if minimum_version(3.18.0)
regcmp( "(policy slist|data array)", type( "default:def.control_agent_environment_vars", "true" ) ),
@endif
};
"control_executor_mailsubject_configured" -> { "ENT-10210" }
expression => regcmp( ".+", "$(control_executor_mailsubject)"),
comment => concat( "If default:def.control_executor_mailsubject is not",
" an empty string, we want to use it's value for",
" emails sent by cf-execd.");
"control_executor_mailfilter_exclude_configured" -> { "ENT-10210" }
expression => isgreaterthan( length( "control_executor_mailfilter_exclude" ), 0 ),
comment => concat( "If default:def.control_executor_mailfilter_exclude is not",
" an empty list, we want to use it's value for",
" stripping lines from emails sent by cf-execd.");
"control_executor_mailfilter_include_configured" -> { "ENT-10210" }
expression => isgreaterthan( length( "control_executor_mailfilter_include" ), 0 ),
comment => concat( "If default:def.control_executor_mailfilter_include is not",
" an empty list, we want to use it's value for",
" including lines from emails sent by cf-execd.");
"control_server_allowciphers_defined" -> { "ENT-10182" }
expression => isvariable( "default:def.control_server_allowciphers"),
comment => concat( "If default:def.control_server_allowciphers is defined then",
" it's value will be used for allowciphers in body server",
" control. Else the binary default will be used.");
"control_server_allowtlsversion_defined" -> { "ENT-10182" }
expression => isvariable( "default:def.control_server_allowtlsversion"),
comment => concat( "If default:def.control_server_allowtlsversion is defined then",
" it's value will be used for allowtlsversion in body server",
" control. Else the binary default will be used.");
vars:
debian::
"control_agent_environment_vars_default" -> { "CFE-3925" }
handle => "common_def_vars_debian_control_agent_environment_vars_default",
if => not( isvariable( "control_agent_environment_vars_default" ) ),
comment => "Set default environment variables for using Debian non-interactively",
slist => {
"DEBIAN_FRONTEND=noninteractive",
# "APT_LISTBUGS_FRONTEND=none",
# "APT_LISTCHANGES_FRONTEND=none",
};
any::
# Resolve the final state for environment vars if there is a default var
# or if there is a user extra and merge the defined entities
"control_agent_environment_vars" -> { "CFE-3925" }
slist => { @(def.control_agent_environment_vars_default),
@(def.control_agent_environment_vars_extra) },
policy => "ifdefined",
if => or( isvariable( "def.control_agent_environment_vars_default" ), # Protect against defining
isvariable( "def.control_agent_environment_vars_extra" )); # an empty variable
#+end_src Agent Environment Variables
any::
"dir_masterfiles" string => translatepath("$(sys.masterdir)"),
comment => "Define masterfiles path",
handle => "common_def_vars_dir_masterfiles";
"dir_reports" string => translatepath("$(sys.workdir)/reports"),
comment => "Define reports path",
handle => "common_def_vars_dir_reports";
"dir_bin" string => translatepath("$(sys.bindir)"),
comment => "Define binary path",
handle => "common_def_vars_dir_bin";
"dir_data"
string => ifelse( isvariable( "def.dir_data"),
$(def.dir_data),
"$(sys.workdir)/data"),
comment => "Define data path",
handle => "common_def_vars_dir_data";
"dir_modules" string => translatepath("$(sys.workdir)/modules"),
comment => "Define modules path",
handle => "common_def_vars_dir_modules";
# TODO: Remove after 3.15 is no longer supported (December 18th 2022)
"dir_plugins" -> { "CFE-3618" }
string => translatepath("$(sys.workdir)/plugins"),
comment => "Define plugins path",
handle => "common_def_vars_dir_plugins";
"dir_templates"
string => ifelse( isvariable( "def.dir_templates"),
$(def.dir_templates),
"$(sys.workdir)/templates"),
comment => "Define templates path",
handle => "common_def_vars_dir_templates";
"cf_apache_user" string => "cfapache",
comment => "User that CFEngine Enterprise webserver runs as",
handle => "common_def_vars_cf_cfapache_user";
"cf_apache_group" string => "cfapache",
comment => "Group that CFEngine Enterprise webserver runs as",
handle => "common_def_vars_cf_cfapache_group";
policy_server|am_policy_hub::
# Only hubs serve software updates
"dir_master_software_updates" -> { "ENT-4953" }
string => "$(sys.workdir)/master_software_updates",
handle => "common_def_vars_dir_serve_master_software_updates",
comment => "Path where software updates are served from the policy hub.
This variable is overridable via augments as
vars.dir_master_software_updates. All remote agents request this path
via the master_software_updates shortcut.",
if => not( isvariable( "def.dir_master_software_updates" ));
enterprise_edition.(policy_server|am_policy_hub)::
# Only enterprise hubs have Mission Portal
"cfe_enterprise_mission_portal_apache_sslprotocol" -> { "ENT-10412" }
string => "all -SSLv2 -SSLv3 -TLSv1", # We disable some versions of SSL
# as they are known to be insecure
if => not( isvariable( "default:def.cfe_enterprise_mission_portal_apache_sslprotocol" ) ),
comment => "The SSL protocol versions that are allowed by Apache for Mission Portal";
"cfe_enterprise_mission_portal_apache_sslciphersuite" -> { "ENT-11393" }
string => "HIGH",
if => not( isvariable( "default:def.cfe_enterprise_mission_portal_apache_sslciphersuite" ) ),
comment => "The SSL cipher suites that are allowed by Apache for Mission Portal";
solaris::
"cf_runagent_shell"
string => "/usr/bin/sh",
comment => "Define path to shell used by cf-runagent",
handle => "common_def_vars_solaris_cf_runagent_shell";
!(windows|solaris)::
"cf_runagent_shell"
string => "/bin/sh",
comment => "Define path to shell used by cf-runagent",
handle => "common_def_vars_cf_runagent_shell";
any::
"base_log_files" slist =>
{
"$(sys.workdir)/cf3.$(sys.uqhost).runlog",
"$(sys.workdir)/promise_summary.log",
};
"enterprise_log_files" slist =>
{
"$(sys.workdir)/cf_notkept.log",
"$(sys.workdir)/cf_repair.log",
"$(sys.workdir)/state/cf_value.log",
"$(sys.workdir)/outputs/dc-scripts.log",
"$(sys.workdir)/state/promise_log.jsonl",
"$(sys.workdir)/state/classes.jsonl",
};
"hub_log_files" slist =>
{
"$(cfe_internal_hub_vars.access_log)", # Mission Portal
"$(cfe_internal_hub_vars.error_log)", # Mission Portal
"$(cfe_internal_hub_vars.ssl_request_log)", # Mission Portal
"/var/log/postgresql.log", # PostgreSQL
};
"max_client_history_size" -> { "cf-hub", "CFEngine Enterprise" }
int => "50M",
unless => isvariable(max_client_history_size),
comment => "The threshold of report diffs which will trigger purging of
diff files.";
enterprise.!am_policy_hub::
# CFEngine's own log files
"cfe_log_files" slist => { @(base_log_files), @(enterprise_log_files) };
enterprise.am_policy_hub::
# CFEngine's own log files
"cfe_log_files" slist => { @(base_log_files), @(enterprise_log_files), @(hub_log_files) };
!enterprise::
# CFEngine's own log files
"cfe_log_files" slist => { @(base_log_files) };
# Directories where logs are rotated and old files need to be purged.
any::
"log_dir[outputs]" string => "$(sys.workdir)/outputs";
"log_dir[reports]" string => "$(sys.workdir)/reports";
# TODO ENT-6845 - move package module logs to $(sys.workdir)/log/something
windows::
"log_dir[package_logs]" string => "$(const.dirsep)cfengine_package_logs";
enterprise.am_policy_hub::
"log_dir[mission_portal]" string => "$(sys.workdir)/httpd/logs";
"log_dir[application]" string => "$(sys.workdir)/httpd/logs/application";
any::
"cfe_log_dirs" slist => getvalues( log_dir );
# MPF controls
"mpf_log_dir_retention"
string => "30",
if => not( isvariable ( mpf_log_dir_retention ) ),
comment => "The default log file retention in cfe_log_dirs is 30 days
unless it's already been defined (augments).";
"mpf_log_file_retention"
string => "10",
if => not( isvariable( mpf_log_file_retention) ),
comment => "This is the number of rotated versions of mpf log files to
save";
"mpf_log_file_max_size"
string => "1M",
if => not( isvariable( mpf_log_file_max_size) ),
comment => "When individual mpf log files reach this size they should be
rotated so that we don't fill up the disk";
"purge_scheduled_reports_older_than_days" -> { "ENT-4404" }
string => "30",
if => not( isvariable( purge_scheduled_reports_older_than_days ) ),
comment => "This controls the maximum age of artifacts generated by the
asynchronous query API and scheduled reports.";
"mpf_extra_autorun_inputs" -> { "CFE-3524" }
slist => {},
unless => isvariable( $(this.promiser) );
# Enterprise HA Related configuration
# enable_cfengine_enterprise_hub_ha is defined below
# Disabled by default
enable_cfengine_enterprise_hub_ha::
"standby_servers" slist => filter("$(sys.policy_hub)", "ha_def.ips", false, true, 10);
"policy_servers" slist => { "$(sys.policy_hub)", "@(standby_servers)" };
!enable_cfengine_enterprise_hub_ha::
"policy_servers" slist => {"$(sys.policy_hub)"};
enterprise_edition.policy_server::
"control_hub_exclude_hosts"
slist => { "" },
unless => isvariable(control_hub_exclude_hosts);
"control_hub_hub_schedule"
comment => "By default Enterprise hubs initiate pull collection once every 5 minutes.",
slist => { "Min00", "Min05", "Min10", "Min15", "Min20",
"Min25", "Min30", "Min35", "Min40", "Min45",
"Min50", "Min55" },
unless => isvariable(control_hub_hub_schedule);
"control_hub_query_timeout"
comment => "Configurable timeout for cf-hub outgoing connections",
string => "0", # 0 = default is set by cf-hub binary
unless => isvariable(control_hub_query_timeout);
"control_hub_port"
comment => "cf-hub performs pull collection on port 5308, unless
overridden by augments",
string => "5308",
unless => isvariable(control_hub_port);
"control_hub_client_history_timeout"
comment => "cf-hub instructs clients to discard reports older than this
many hours to avoid a condition where a build up of reports
causes a client to never be fully collected from",
string => "6",
unless => isvariable(control_hub_port);
"mpf_access_rules_collect_calls_admit_ips"
slist => { @(def.acl_derived) },
unless => isvariable(mpf_access_rules_collect_calls_admit_ips);
enterprise_edition.client_initiated_reporting_enabled::
"control_server_call_collect_interval"
string => "5",
unless => isvariable(control_server_call_collect_interval);
"control_server_collect_window" -> { "ENT-4102" }
string => "30",
unless => isvariable(control_server_collect_window);
enterprise_edition.policy_server::
"default_data_select_host_monitoring_include"
comment => "Most people have monitoring systems, so instead of collecting data people won't use we save the work unless its requested.",
slist => { },
unless => isvariable( default_data_select_host_monitoring_include );
"default_data_select_policy_hub_monitoring_include"
comment => "Collect all the monitoring data from the hub itself. It can be useful in diagnostics.",
slist => { ".*" },
unless => isvariable( default_data_select_policy_hub_monitoring_include );
classes:
"_have_control_agent_files_single_copy" -> { "CFE-3622"}
expression => isvariable( "def.control_agent_files_single_copy" );
"_have_control_executor_runagent_socket_allow_users"
expression => some( ".+", "def.control_executor_runagent_socket_allow_users" );
"cfengine_recommendations_enabled"
expression => "!cfengine_recommendations_disabled";
### Enable special features policies. Set to "any" to enable.
# Auto-load files in "services/autorun" and run bundles tagged "autorun".
# Disabled by default!
"services_autorun" -> { "jira:CFE-2135" }
comment => "This class enables the automatic parsing running of bundles
tagged with 'autorun'. Evaluation limitations require that
this class is set at the beginning of the agent run, so it
must be defined in the augments file (def.json), or as an
option to the agent with --define or -D. Changing the
expression here will *NOT* work correctly. Setting the class
here will result in an error due to the autorun bundle not
being found.",
expression => "!any";
# Internal CFEngine log files rotation
"cfengine_internal_rotate_logs" expression => "any";
# Enable or disable agent email output (also see mailto, mailfrom and
# smtpserver)
"cfengine_internal_agent_email" expression => "any";
"cfengine_internal_disable_agent_email" expression => "!any";
# Enable or disable external watchdog to ensure cf-execd is running
"cfe_internal_core_watchdog_enabled" expression => "!any";
"cfe_internal_core_watchdog_disabled" expression => "!any";
# Transfer policies and binaries with encryption
# you can also request it from the command line with
# -Dcfengine_internal_encrypt_transfers
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN update.cf
"cfengine_internal_encrypt_transfers" expression => "!any";
# Do not purge policies that don't exist on the server side.
# you can also request it from the command line with
# -Dcfengine_internal_purge_policies_disabled
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN update.cf
"cfengine_internal_purge_policies_disabled" expression => "!any";
# Preserve permissions of the policy server's masterfiles.
# you can also request it from the command line with
# -Dcfengine_internal_preserve_permissions
# NOTE THAT THIS CLASS ALSO NEEDS TO BE SET IN update.cf
"cfengine_internal_preserve_permissions" expression => "!any";
# Class defining which versions of cfengine are (not) supported
# by this policy version.
# Also note that this policy will only be run on enterprise policy_server
"postgresql_maintenance_supported"
expression => "(policy_server.enterprise.!enable_cfengine_enterprise_hub_ha)|(policy_server.enterprise.enable_cfengine_enterprise_hub_ha.hub_active)";
# This class is for PostgreSQL maintenance
# pre-defined to every Sunday at 2 a.m.
# This can be changed later on.
"postgresql_full_maintenance" expression => "postgresql_maintenance_supported.Sunday.Hr02.Min00_05";
# Run vacuum job on database
# pre-defined to every night except Sunday when full cleanup is executed.
"postgresql_vacuum" expression => "postgresql_maintenance_supported.!Sunday.Hr02.Min00_05";
# Enable CFEngine Enterprise HA Policy
"enable_cfengine_enterprise_hub_ha" expression => "!any";
#"enable_cfengine_enterprise_hub_ha" expression => "enterprise_edition";
# Enable failover to node which is outside cluster
#"failover_to_replication_node_enabled" expression => "enterprise_edition";
# Enable cleanup of agent report diffs when they exceed
# `def.max_client_history_size`
"enable_cfe_internal_cleanup_agent_reports" -> { "cf-hub", "CFEngine Enterprise" }
expression => "enterprise_edition",
comment => "If reports are not collected for an extended period of time
the disk may fill up or cause additional collection
issues.";
# Enable paths to POSIX tools instead of native tools when possible.
"mpf_stdlib_use_posix_utils" expression => "any";
enterprise_edition.(policy_server|am_policy_hub)::
"cfe_enterprise_disable_http_redirect_to_https"
scope => "namespace",
expression => "cfe_cfengine_enterprise_enable_plain_http";
"cfe_enterprise_disable_http_redirect_to_https"
expression => "cfe_enterprise_disable_plain_http",
comment => "If plain http is disabled, it makes no sense to redirect to it, so we disable that as well.";
reports:
"Warning: the 'cfe_cfengine_enterprise_enable_plain_http' class has been deprecated in favor of 'cfe_enterprise_disable_http_redirect_to_https', please adjust accordingly. The 'cfe_enterprise_disable_http_redirect_to_https' class has been set automatically."
if => "cfe_enterprise_disable_http_redirect_to_https.cfe_cfengine_enterprise_enable_plain_http";
"Warning: the 'cfe_cfengine_enterprise_enable_plain_http' class has been deprecated in favor of 'cfe_enterprise_disable_http_redirect_to_https', please adjust accordingly."
if => "cfe_cfengine_enterprise_enable_plain_http.!cfe_enterprise_disable_http_redirect_to_https";
}
bundle common inventory_control
# @brief Switches that enable or disable individual inventory modules
#
# Defines the paths the inventory modules probe, and the
# `disable_inventory*` classes that are derived from those paths and from
# the master switch `disable_inventory`.
{
  vars:
      # Fixed locations checked by the class promises below.
      "proc"     string => "/proc";
      "mtab"     string => "/etc/mtab";
      "lsb_exec" string => "/usr/bin/lsb_release";

      # Use the first lldpctl location that exists; fall back to
      # /usr/sbin/lldpctl when neither is present.
      "lldpctl_exec"
        string => ifelse( fileexists("/usr/sbin/lldpctl"), "/usr/sbin/lldpctl",
                          fileexists("/usr/local/bin/lldpctl"), "/usr/local/bin/lldpctl",
                          "/usr/sbin/lldpctl" );

      # When def.lldpctl_json is defined its value replaces the default
      # command line; otherwise the detected binary is used with `-f json`.
      # NOTE(review): this string is presumably executed by the LLDP
      # inventory bundle, so whoever can set def.lldpctl_json chooses the
      # command that runs - confirm against the consumer.
      "lldpctl_json"
        if => isvariable("def.lldpctl_json"),
        string => "$(def.lldpctl_json)";

      "lldpctl_json"
        unless => isvariable("def.lldpctl_json"),
        string => "$(lldpctl_exec) -f json";

    freebsd::
      "dmidecoder" string => "/usr/local/sbin/dmidecode";

    !freebsd::
      "dmidecoder" string => "/usr/sbin/dmidecode";

      # Only defined outside FreeBSD, because it shares this class context.
      "proc_device_tree" string => "/proc/device-tree";

  classes:
      # Master switch. Defining it disables every inventory module except
      # package_refresh. Never set here ("!any").
      "disable_inventory" expression => "!any";

      # Per-module switches follow. Each module is disabled when the
      # master switch is set or when the file it depends on is missing.

      # LSB: the lsb_release binary is typically not very fast.
      "disable_inventory_lsb" expression => "disable_inventory";
      "disable_inventory_lsb" not => fileexists($(lsb_exec));

      # A host exposing /proc/device-tree is expected not to have DMI
      # (and vice versa, as of 2022), so dmidecode is disabled for it.
      "have_proc_device_tree" expression => fileexists($(proc_device_tree));

      # dmidecode: typically a very fast binary.
      "disable_inventory_dmidecode" expression => "disable_inventory";
      "disable_inventory_dmidecode" expression => "have_proc_device_tree";
      "disable_inventory_dmidecode" not => fileexists($(dmidecoder));

      # LLDP: reasonably fast, but may still require network I/O.
      "disable_inventory_LLDP" expression => "disable_inventory";
      "disable_inventory_LLDP" not => fileexists($(lldpctl_exec));

      # Package inventory refresh runs every time, even when
      # disable_inventory is set.
      "disable_inventory_package_refresh" expression => "!any";

      # mtab: very fast; needs $(mtab).
      "disable_inventory_mtab" expression => "disable_inventory";
      "disable_inventory_mtab" not => fileexists($(mtab));

      # fstab: very fast; needs $(sys.fstab).
      "disable_inventory_fstab" expression => "disable_inventory";
      "disable_inventory_fstab" not => fileexists($(sys.fstab));

      # proc: typically fast; needs the /proc directory and is always
      # disabled on FreeBSD.
      "disable_inventory_proc" expression => "disable_inventory|freebsd";
      "disable_inventory_proc" not => isdir($(proc));

  reports:
    verbose_mode.disable_inventory::
      "$(this.bundle): All inventory modules disabled";

    verbose_mode.!disable_inventory_lsb::
      "$(this.bundle): LSB module enabled";

    verbose_mode.!disable_inventory_dmidecode::
      "$(this.bundle): dmidecode module enabled";

    verbose_mode.!disable_inventory_LLDP::
      "$(this.bundle): LLDP module enabled";

    verbose_mode.!disable_inventory_mtab::
      "$(this.bundle): mtab module enabled";

    verbose_mode.!disable_inventory_fstab::
      "$(this.bundle): fstab module enabled";

    verbose_mode.!disable_inventory_proc::
      "$(this.bundle): proc module enabled";

    verbose_mode.!disable_inventory_package_refresh::
      "$(this.bundle): package_refresh module enabled";

    DEBUG|DEBUG_def::
      "Executor Schedule: $(def.control_executor_schedule_value)";
}
cfengine-masterfiles-3.24.2/controls/cf_runagent.cf 0000644 0000000 0000000 00000001061 15010704240 022331 0 ustar 00root root 0000000 0000000 ###############################################################################
#
# This part is for cf-runagent
#
# Settings describing the details of the fixed behavioural promises made
# by cf-runagent. The most important parameter here is the list of hosts
# that the agent will poll for connections.
#
###############################################################################
body runagent control
# @brief Control attributes for cf-runagent
{
    any::
      # Hosts that cf-runagent contacts. Only the local host by default;
      # further entries take the form "myhost.example.com:5308".
      hosts => { "127.0.0.1" };
}
cfengine-masterfiles-3.24.2/controls/reports.cf 0000644 0000000 0000000 00000003121 15010704240 021533 0 ustar 00root root 0000000 0000000 # Reporting bodies
bundle server report_access_rules
# @brief Access rules for Enterprise report collection
#
# Grants the reporting query types to the hub. Hosts that are not the
# policy server admit only def.policy_servers; the policy server also
# admits the loopback addresses.
{
  vars:
    enterprise::
      # One access promise is made per query type listed here.
      "query_types" slist => { "delta", "rebase", "full" };

  access:
    !policy_server.enterprise::
      "$(query_types)"
        resource_type => "query",
        report_data_select => default_data_select_host,
        admit => { @(def.policy_servers) },
        handle => "report_access_grant_$(query_types)_for_hosts",
        comment => "Grant $(query_types) reporting query for the hub on the hosts";

    policy_server.enterprise::
      "$(query_types)"
        resource_type => "query",
        report_data_select => default_data_select_policy_hub,
        admit => { "127.0.0.1", "::1", @(def.policy_servers) },
        handle => "report_access_grant_$(query_types)_for_hub",
        comment => "Grant $(query_types) reporting query for the hub on the policy server";
}
body report_data_select default_data_select_host
# @brief Data authorized by non policy servers for collection by cf-hub
#
# Data tagged "inventory" or "report" is selected; the "noreport" tag or
# a promise handle matching "noreport_.*" excludes it.
{
      # Monitoring data is limited to what this list names.
      monitoring_include => { @(def.default_data_select_host_monitoring_include) };

      promise_handle_exclude => { "noreport_.*" };
      metatags_exclude => { "noreport" };
      metatags_include => { "inventory", "report" };
}
body report_data_select default_data_select_policy_hub
# @brief Data authorized by policy servers for collection by cf-hub
#
# Data tagged "inventory" or "report" is selected; the "noreport" tag or
# a promise handle matching "noreport_.*" excludes it.
{
      # Monitoring data is limited to what this list names.
      monitoring_include => { @(def.default_data_select_policy_hub_monitoring_include) };

      promise_handle_exclude => { "noreport_.*" };
      metatags_exclude => { "noreport" };
      metatags_include => { "inventory", "report" };
}
cfengine-masterfiles-3.24.2/controls/cf_serverd.cf 0000644 0000000 0000000 00000025056 15010704240 022172 0 ustar 00root root 0000000 0000000 ###############################################################################
# This part is for cf-serverd
#
# General IP access policy for the connection protocol
# i.e. access to the server itself.
# Access to specific files must be granted in addition.
###############################################################################
body server control
# @brief Control attributes for cf-serverd
#
# Sets who may connect to cf-serverd, whose keys are trusted, optional TLS
# restrictions, and the command run on behalf of cf-runagent. Most values
# come from variables in the def bundle, so the effective policy is decided
# there.
{
# List of hosts that may connect (change the ACL in def.cf)
allowconnects => { @(default:def.control_server_allowconnects_derived) };
# Out of them, which ones should be allowed to have more than one
# connection established at the same time?
allowallconnects => { @(default:def.control_server_allowallconnects_derived) };
# Out of the hosts in allowconnects, trust new keys only from the
# following ones. SEE COMMENTS IN def.cf
# A previously unseen key from a host in this list is accepted, so the
# list should be no wider than bootstrapping requires.
trustkeysfrom => { @(def.trustkeysfrom) };
## List of the hosts not using the latest protocol that we'll accept connections from
## (absence of this option or empty list means allow none)
allowlegacyconnects => { @(def.control_server_allowlegacyconnects) };
# Maximum number of concurrent connections.
# Suggested value >= total number of hosts
maxconnections => "$(def.control_server_maxconnections)";
# Allow connections from nodes which are out-of-sync
# With "false", a client whose clock differs from the server's is not
# refused on that ground.
denybadclocks => "false";
control_server_allowtlsversion_defined::
# Minimum required version of TLS. Set to "1.0" if you need clients
# running CFEngine in a version lower than 3.7.0 to connect.
# This attribute is only set when the class above is defined.
#
# Example:
# allowtlsversion => "1.0";
allowtlsversion => "$(default:def.control_server_allowtlsversion)"; # See also: tls_min_version in body common control
control_server_allowciphers_defined::
# List of ciphers the server accepts. For Syntax help see man page for
# "openssl-ciphers" (man:openssl-ciphers(1ssl)). The 'TLS_'-prefixed
# ciphers are for TLS 1.3 and later.
# This attribute is only set when the class above is defined.
#
# Example setting:
# allowciphers => "AES256-GCM-SHA384:AES256-SHA:TLS_AES_256_GCM_SHA384";
allowciphers => "$(default:def.control_server_allowciphers)"; # See also: tls_ciphers in body common control
enterprise_edition.client_initiated_reporting_enabled::
# How often cf-serverd should try to establish a reverse tunnel for report
# collection
call_collect_interval => "$(def.control_server_call_collect_interval)";
# The time in seconds that a collect-call tunnel will remain open for hub
# to complete report transfer.
collect_window => "$(def.control_server_collect_window)";
any::
# The remote user accounts which are allowed to initiate cf-agent via
# cf-runagent.
allowusers => { @(def.control_server_allowusers) };
windows::
# Runs the update policy and then the main policy. The update policy
# path is wrapped in escaped double quotes here.
cfruncommand => "$(sys.cf_agent) -I -D cf_runagent_initiated -f \"$(sys.update_policy_path)\" &
$(sys.cf_agent) -I -D cf_runagent_initiated";
!windows::
# In 3.10 the quotation is properly closed when EOF is reached. It is left
# open so that arguments (like -K and --remote-bundles) can be appended.
# 3.10.x does not automatically append -I -Dcfruncommand
# NOTE(review): unlike the windows variant, $(sys.update_policy_path) is
# not quoted inside the sh -c script, so a path containing whitespace or
# shell metacharacters would be word-split or interpreted by the shell -
# confirm the path can never contain such characters.
cfruncommand => "$(def.cf_runagent_shell) -c \'
$(sys.cf_agent) -I -D cf_runagent_initiated -f $(sys.update_policy_path) ;
$(sys.cf_agent) -I -D cf_runagent_initiated";
# Use bindtointerface to specify interface to bind to, the default is :: +
# 0.0.0.0/0 if IPV6 is supported or 0.0.0.0/0 if IPV6 is not supported. On
# Windows, binding to :: means only IPV6 connections will be accepted.
# !windows::
# bindtointerface => "::";
}
###############################################################################
bundle server mpf_default_access_rules()
# @brief Defines access to common resources
#
# Each access promise names a file, directory or query served by
# cf-serverd and the peers admitted to it. Most promises admit
# def.acl_derived; the HA-related ones admit def.policy_servers.
{
access:
any::
# Policy distribution point. Served only when the directory exists.
"$(def.dir_masterfiles)/"
handle => "server_access_grant_access_policy",
shortcut => "masterfiles",
comment => "Grant access to the policy updates",
if => isdir( "$(def.dir_masterfiles)/" ),
admit => { @(def.acl_derived) };
# Explicitly withhold the top-level .no-distrib path inside masterfiles.
# NOTE(review): the deny list holds only the IPv4 range 0.0.0.0/0 -
# confirm whether IPv6 peers need a matching entry.
"$(def.dir_masterfiles)/.no-distrib" -> { "ENT-8079" }
handle => "prevent_distribution_of_top_level_dot_no_distrib",
deny => { "0.0.0.0/0" };
"$(def.dir_bin)/"
handle => "server_access_grant_access_binary",
comment => "Grant access to binary for cf-runagent",
if => isdir( "$(def.dir_bin)/" ),
admit => { @(def.acl_derived) };
"$(def.dir_data)/"
handle => "server_access_grant_access_data",
shortcut => "data",
comment => "Grant access to data directory",
if => isdir( "$(def.dir_data)/" ),
admit => { @(def.acl_derived) };
"$(def.dir_modules)/"
handle => "server_access_grant_access_modules",
shortcut => "modules",
comment => "Grant access to modules directory",
if => isdir( "$(def.dir_modules)/" ),
admit => { @(def.acl_derived) };
# TODO: Remove after 3.15 is no longer supported (December 18th 2022)
"$(def.dir_plugins)/" -> { "CFE-3618" }
handle => "server_access_grant_access_plugins",
comment => "Grant access to plugins directory",
if => isdir( "$(def.dir_plugins)/" ),
admit => { @(def.acl_derived) };
"$(def.dir_templates)/"
handle => "server_access_grant_access_templates",
shortcut => "templates",
comment => "Grant access to templates directory",
if => isdir( "$(def.dir_templates)/" ),
admit => { @(def.acl_derived) };
policy_server|am_policy_hub::
# NOTE(review): the promiser uses $(def.dir_master_software_updates) but
# the guard tests $(sys.workdir)/master_software_updates; if the variable
# is overridden the guard checks a different directory - confirm intent.
"$(def.dir_master_software_updates)/" -> { "ENT-4953" }
handle => "server_access_grant_access_master_software_updates",
shortcut => "master_software_updates",
comment => "Grant access for hosts to download cfengine packages for self upgrade",
if => isdir( "$(sys.workdir)/master_software_updates" ),
admit => { @(def.acl_derived) };
"$(sys.statedir)/cf_version.txt" -> { "ENT-10664" }
handle => "server_access_grant_access_state_cf_version",
shortcut => "hub-cf_version",
comment => concat( "We want remote hosts to default their target binary",
" version to that of the hubs binary version, so we",
" need to share this state with remote clients." ),
admit => { @(def.acl_derived) };
enterprise_edition.policy_server::
# Client-initiated reporting: only the listed IPs may make collect calls.
"collect_calls"
resource_type => "query",
admit_ips => { @(def.mpf_access_rules_collect_calls_admit_ips) };
# Per-host CMDB data: the directory is named after the connecting host's
# key and only that same key is admitted to it.
"$(sys.workdir)/cmdb/$(connection.key)/" -> { "ENT-6788" }
handle => "server_access_grant_access_cmdb",
comment => "Grant access to host specific CMDB data",
shortcut => "hub_cmdb",
admit_keys => { $(connection.key) };
!windows::
# The shell named in cfruncommand must itself be accessible to the peers
# that are allowed to trigger cf-runagent.
"$(def.cf_runagent_shell)" -> { "ENT-6673" }
handle => "server_access_grant_access_shell_cmd",
comment => "Grant access to shell for cfruncommand",
admit => { @(def.mpf_admit_cf_runagent_shell_selected) };
policy_server.enable_cfengine_enterprise_hub_ha::
# NOTE(review): this serves the whole ppkeys directory to every address
# in def.policy_servers - confirm that list holds only the HA hubs.
"$(sys.workdir)/ppkeys/"
handle => "server_access_grant_access_ppkeys_hubs",
comment => "Grant access to ppkeys for HA hubs",
if => isdir( "$(sys.workdir)/ppkeys/" ),
admit => { @(def.policy_servers) };
# Allow the standby hub to synchronize cf_robot, appsettings, the
# application config, the LDAP config settings and the LDAP API config.
# These files hold configuration that must be the same on all hubs.
"$(sys.workdir)/httpd/htdocs/application/config/cf_robot.php"
handle => "server_access_grant_access_cf_robot",
comment => "Grant access to cf_robot file for HA hubs",
admit => { @(def.policy_servers) };
"$(sys.workdir)/httpd/htdocs/application/config/appsettings.php"
handle => "server_access_grant_access_appsettings",
comment => "Grant access to appsettings for HA hubs",
admit => { @(def.policy_servers) };
"$(sys.workdir)/httpd/htdocs/application/config/config.php" -> { "ENT-4944" }
handle => "server_access_grant_access_application_config_config_php",
comment => "Grant access to application config for HA hubs",
admit => { @(def.policy_servers) };
"$(sys.workdir)/httpd/htdocs/ldap/config/settings.php" -> { "ENT-4944" }
handle => "server_access_grant_access_ldap_config_settings_php",
comment => "Grant access to ldap config settings for HA hubs",
admit => { @(def.policy_servers) };
"$(sys.workdir)/httpd/htdocs/api/config/config.php" -> { "ENT-4944" }
handle => "server_access_grant_access_api_config_settings_php",
comment => "Grant access to LDAP api config for HA hubs",
admit => { @(def.policy_servers) };
# Allow access to the notification_scripts directory so that the passive
# hub can synchronize its content. Once the passive hub is promoted to
# active, all the custom scripts will be available on it.
# NOTE(review): this handle contains a space, unlike every other handle
# in this bundle - confirm it is intended.
"/opt/cfengine/notification_scripts/"
handle => "server_access_grant_access_notification scripts",
comment => "Grant access to notification scripts",
if => isdir( "/opt/cfengine/notification_scripts/" ),
admit => { @(def.policy_servers) };
# When HA is enabled, clients update the active hub IP address
# using data stored in the master_hub.dat file.
"$(ha_def.master_hub_location)"
handle => "server_access_grant_access_policy_server_dat",
comment => "Grant access to policy_server.dat",
admit => { @(def.acl_derived) };
# Keys of the hubs in an HA configuration are stored in the ppkeys_hubs
# directory. To fail over while the active hub is down, clients need the
# keys of all hubs, so that they can connect to a standby hub once it has
# been promoted to the active role.
"$(ha_def.hubs_keys_location)/"
handle => "server_access_grant_access_to_clients",
comment => "Grant access to hubs' keys to clients",
if => isdir("$(ha_def.hubs_keys_location)/"),
admit => { @(def.acl_derived) };
windows::
"c:\program files\cfengine\bin\cf-agent.exe"
handle => "server_access_grant_access_agent",
comment => "Grant access to the agent (for cf-runagent)",
admit => { @(def.policy_servers) };
roles:
# Use roles to allow specific remote cf-runagent users to
# define certain soft-classes when running cf-agent on this host
# The promiser is a regular expression over class names; ".*" matches
# every class, so the authorized user may define any class.
".*" authorize => { "root" };
}
cfengine-masterfiles-3.24.2/inventory/ 0000755 0000000 0000000 00000000000 15010704326 017725 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/inventory/any.cf 0000644 0000000 0000000 00000145340 15010704240 021030 0 ustar 00root root 0000000 0000000 bundle common inventory_any
# @brief Do inventory for any OS
#
# This common bundle is for any OS work not handled by specific
# bundles.
{
vars:
"release_data" string => "$(this.promise_dirname)/../cf_promises_release_id";
"data"
data => readjson( $(release_data), inf ),
if => fileexists( $(release_data) );
"id"
string => "$(data[releaseId])",
meta => { "inventory", "attribute_name=Policy Release Id" };
"policy_version" -> { "ENT-9806" }
string => "$(default:control_common.version)",
meta => { "inventory", "attribute_name=CFEngine policy version" };
reports:
"DEBUG|DEBUG_$(this.bundle)"::
"DEBUG $(this.bundle): Inventory Policy Release Id=$(id)";
}
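bundle agent inventory_autorun
# @brief Autorun some inventory bundles
#
# This agent bundle runs other "autorun" inventory agent bundles
# explicitly. It will use bundlesmatching() when CFEngine 3.5 and
# earlier are no longer supported.
#
# Each optional module runs unless its `disable_inventory_<module>` class
# is defined. The bundles under `any::` always run.
{
  methods:
    !disable_inventory_LLDP::
      "LLDP" usebundle => cfe_autorun_inventory_LLDP(),
        handle => "cfe_internal_autorun_inventory_LLDP";

    !disable_inventory_package_refresh::
      "packages_refresh" usebundle => cfe_autorun_inventory_packages(),
        handle => "cfe_internal_autorun_inventory_packages";

    !disable_inventory_policy_servers::
      "Inventory Policy Servers"
        handle => "cfe_internal_autorun_inventory_policy_servers",
        usebundle => cfe_autorun_inventory_policy_servers;

    !disable_inventory_proc::
      "proc" usebundle => cfe_autorun_inventory_proc(),
        handle => "cfe_internal_autorun_inventory_proc";

      "proc_cpuinfo" usebundle => cfe_autorun_inventory_proc_cpuinfo(),
        handle => "cfe_internal_autorun_inventory_proc_cpuinfo";

    !disable_inventory_cpuinfo::
      "cpuinfo" usebundle => cfe_autorun_inventory_cpuinfo(),
        handle => "cfe_internal_autorun_inventory_cpuinfo";

    !disable_inventory_fstab::
      "fstab" usebundle => cfe_autorun_inventory_fstab(),
        handle => "cfe_internal_autorun_inventory_fstab";

    !disable_inventory_mtab::
      "mtab" -> { "ENT-8338" }
        usebundle => cfe_autorun_inventory_mtab(),
        handle => "cfe_internal_autorun_inventory_mtab",
        action => default:immediate;

    !disable_inventory_dmidecode::
      "dmidecode" usebundle => cfe_autorun_inventory_dmidecode(),
        handle => "cfe_internal_autorun_inventory_dmidecode";

    !disable_inventory_aws::
      "aws" usebundle => cfe_autorun_inventory_aws(),
        handle => "cfe_internal_autorun_inventory_aws";

    # The EC2 metadata bundle must be skipped when either switch is set.
    # The parentheses matter: "!" binds tighter than "|", so the previous
    # expression "!a|b" ran this bundle whenever
    # disable_inventory_aws_ec2_metadata was defined.
    !(disable_inventory_aws|disable_inventory_aws_ec2_metadata)::
      "aws" usebundle => cfe_autorun_inventory_aws_ec2_metadata(),
        handle => "cfe_internal_autorun_inventory_ec2_metadata";

    !disable_inventory_setuid::
      "Inventory SetUID Files" -> { "ENT-4158" }
        usebundle => cfe_autorun_inventory_setuid(),
        handle => "cfe_internal_autorun_inventory_setuid";

    any::
      "listening ports" usebundle => cfe_autorun_inventory_listening_ports(),
        handle => "cfe_internal_autorun_listening_ports";

      "disk" usebundle => cfe_autorun_inventory_disk(),
        handle => "cfe_internal_autorun_disk";

      "memory" usebundle => cfe_autorun_inventory_memory(),
        handle => "cfe_internal_autorun_memory";

      "loadaverage" usebundle => cfe_autorun_inventory_loadaverage(),
        handle => "cfe_internal_autorun_loadaverage";

      "IP addresses" -> { "ENT-2552", "ENT-4987" }
        usebundle => cfe_autorun_inventory_ip_addresses,
        handle => "cfe_internal_autorun_ip_addresses";
}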
bundle agent cfe_autorun_inventory_listening_ports
# @brief Inventory the listening ports
#
# Publishes `mon.listening_ports`, sorted numerically, as the inventory
# attribute "Ports listening". It is always enabled by default, as it
# runs instantly and has no side effects.
{
  vars:
      # Skipped unless at least one element of the list is numeric.
      "ports" -> { "ENT-150" }
        if => some("[0-9]+", "mon.listening_ports"),
        slist => sort( "mon.listening_ports", "int"),
        meta => { "inventory", "attribute_name=Ports listening" },
        comment => "We only want to inventory the listening ports if we have
values that make sense.";
}
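bundle agent cfe_autorun_inventory_ip_addresses
# @brief Inventory IPv4 and IPv6 addresses
#
# The loopback addresses (127.0.0.1 and ::1) are filtered out, as they are
# likely not very interesting.
{
  vars:
      # Matches a dotted-quad IPv4 address with each octet in 0-255.
      "ipv4_regex" -> { "ENT-4987" }
        string => "\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b";

      "ipv4_loopback_regex" -> { "ENT-2552" }
        string => "127\.0\.0\.1",
        comment => "Addresses that match this regular expression will be filtered
from the inventory for ipv4 addresses";

      "ipv6_loopback_regex" -> { "ENT-4987" }
        string => "::1",
        comment => "Addresses that match this regular expression will be filtered
from the inventory for ipv6 addresses";

      # Strings are displayed more beautifully in Mission Portal than lists, so
      # we first generate the list of addresses to be inventoried and then do
      # inventory using an array.

      # Keep only the elements of sys.ip_addresses that match ipv4_regex.
      "ipv4_addresses"
        slist => sort( filter( $(ipv4_regex), "sys.ip_addresses", "true", "false", inf), lex ),
        if => not( isvariable( $(this.promiser) ));

      # Inverted filter: drop the elements that match the loopback regex.
      "ipv4_addresses_non_loopback" -> { "ENT-2552" }
        slist => sort( filter( $(ipv4_loopback_regex), "$(this.bundle).ipv4_addresses", "true", "true", inf)),
        if => not( isvariable( $(this.promiser) ));

      "ipv4[$(ipv4_addresses_non_loopback)]" -> { "ENT-2552" }
        string => "$(ipv4_addresses_non_loopback)",
        meta => { "inventory", "attribute_name=IPv4 addresses" };

      # sys.ip_addresses contains ipv4 and (as of 3.15.0) ipv6 addresses. We get
      # the ipv6 addresses indirectly, based on excluding the ipv4 addresses
      # (which we identify using a regular expression)
      "ipv6_addresses" -> { "ENT-4987" }
        slist => sort( difference( "sys.ip_addresses", "$(this.bundle).ipv4_addresses" ), lex),
        if => not( isvariable( $(this.promiser) ));

      # Fixed: this promise used to redefine ipv4_addresses_non_loopback from
      # the IPv4 list, which left ipv6_addresses_non_loopback undefined, so
      # the ipv6[] array below could never be populated from it.
      "ipv6_addresses_non_loopback" -> { "ENT-4987" }
        slist => sort( filter( $(ipv6_loopback_regex), "$(this.bundle).ipv6_addresses", "true", "true", inf)),
        if => not( isvariable( $(this.promiser) ));

      "ipv6[$(ipv6_addresses_non_loopback)]" -> { "ENT-4987" }
        string => "$(ipv6_addresses_non_loopback)",
        meta => { "inventory", "attribute_name=IPv6 addresses" };

  reports:
    # NOTE(review): this debug class is spelled "..._ipv4_addresses" while
    # the bundle is named "..._ip_addresses"; left unchanged so existing -D
    # options keep working.
    DEBUG|DEBUG_cfe_autorun_inventory_ipv4_addresses::
      "DEBUG $(this.bundle)";
      "$(const.t)Inventorying: '$(ipv4_addresses)'";
      "$(const.t)Inventorying: '$(ipv6_addresses)'";
}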
bundle agent cfe_autorun_inventory_disk
# @brief Inventory the disk (Enterprise only)
#
# Publishes `mon.value_diskfree` as the inventory attribute
# "Disk free (%)" when that monitoring value is defined.
{
  vars:
    enterprise::
      "free" -> { "ENT-5190" }
        if => isvariable( "mon.value_diskfree" ),
        meta => { "inventory", "attribute_name=Disk free (%)" },
        string => "$(mon.value_diskfree)";
}
bundle agent cfe_autorun_inventory_memory
# @brief Inventory the memory (Enterprise only)
#
# Defines "total" (inventory attribute "Memory size (MB)") and, on some
# platforms, "totalPhysical" and "free". The source differs per platform:
# wmic on Windows, lparstat on AIX, machinfo on HP-UX, and the mon.*
# monitoring values elsewhere.
{
vars:
@if minimum_version(3.11)
# The `with` attribute is necessary for this to work in a single promise.
enterprise_edition.windows::
# wmic returns "TotalVisibleMemorySize=10760224" so split on = and take
# the second item (0-based with nth())
# The value is then divided by 1024 and formatted as an integer.
# NOTE(review): wmic is invoked by bare name through the shell, so the
# binary that runs depends on the agent's search path - confirm that is
# acceptable or use an absolute path.
"total" -> { "ENT-4188" }
meta => { "inventory", "attribute_name=Memory size (MB)" },
string => format( "%d", eval("$(with)/1024", "math", "infix" )),
if => not( isvariable( "total" ) ),
with => nth( string_split( execresult("wmic OS get TotalVisibleMemorySize /format:list", useshell ),
"=", 2), 1);
# NOTE(review): the guard below tests "total", not "totalPhysical"; once
# the promise above has defined "total" this promise would be skipped -
# confirm whether the guard was meant to name "totalPhysical".
"totalPhysical" -> { "CFE-2896" }
meta => { "inventory", "attribute_name=Physical memory (MB)" },
string => format( "%d", eval("$(with)/1024", "math", "infix" )),
if => not( isvariable( "total" ) ),
with => nth( string_split( execresult("wmic ComputerSystem get TotalPhysicalMemory /format:list", useshell ),
"=", 2), 1);
# This is a volatile metric, perhaps not well suited for inventory
# (it is tagged "report" rather than "inventory").
"free"
meta => { "report" },
string => format( "%d", eval("$(with)/1024", "math", "infix" )),
if => not( isvariable( "free" ) ),
with => nth( string_split( execresult("wmic OS get FreePhysicalMemory /format:list", useshell ),
"=", 2), 1);
@endif
enterprise_edition.aix::
# Fourth field of the "Online Memory" line printed by lparstat -i.
"total" -> { "CFE-2797", "CFE-2803" }
string => execresult("/usr/bin/lparstat -i | awk '/Online Memory/ { print $4 }'", "useshell"),
meta => { "inventory", "attribute_name=Memory size (MB)" };
enterprise_edition.hpux::
# Third field of the line starting with "Memory =" printed by machinfo.
# NOTE(review): machinfo is invoked by bare name through the shell;
# see the note on wmic above.
"total" -> { "ENT-4188" }
string => execresult( "machinfo | awk '/^Memory =/ {print $3}'", useshell ),
meta => { "inventory", "attribute_name=Memory size (MB)" };
enterprise_edition.!(aix|windows|hpux)::
# All other platforms take the values from the monitoring variables,
# and only when those variables are defined.
"total" string => "$(mon.value_mem_total)",
meta => { "inventory", "attribute_name=Memory size (MB)" },
if => isvariable( "mon.value_mem_total" );
"free" string => "$(mon.value_mem_free)",
if => and( not( isvariable( "free" ) ),
isvariable( "mon.value_mem_free" )),
meta => { "report" };
}
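bundle agent cfe_autorun_inventory_setuid
# @brief Inventory setuid files and prune invalid entries from the setuid log
# @inventory Setuid files
# @inventory Root owned setuid files
# @inventory Setgid files
# @inventory Root owned setgid files
#
# The candidate list is read from the agent's per-host log
# `$(sys.workdir)/cfagent.<fqhost>.log`, one path per line. Every path is
# re-checked with filestat() on each run, so only files that carry the bit
# right now are inventoried; entries that carry neither bit are deleted from
# the log by the files promise below.
#
# Define the class `disable_inventory_setuid` to turn the bundle off.
{
vars:
!disable_inventory_setuid::
"candidates" slist => lsdir( "$(sys.workdir)", "cfagent\..*\.log", true );
# filestat(..., modeoct) for a regular file looks like "104755": "10" is the
# file type and the next octal digit holds the special bits (4 = setuid,
# 2 = setgid, 1 = sticky). regcmp() has to match the whole string.
"_reg_setuid_filestat_modeoct" string => "10(4|5|6|7)\d+";
"_reg_setgid_filestat_modeoct" string => "10(2|3|6|7)\d+";
"setuid_log_path"
comment => "We select the file that matches the downcased version of the
hostname since sys.fqhost always returns lower case",
string => "$(candidates)",
if => strcmp( "$(sys.workdir)/cfagent.$(sys.fqhost).log",
string_downcase($(candidates)));
"files" slist => readstringlist( $(setuid_log_path), "", "$(const.n)", inf, inf);
"setuid[$(files)]"
string => "$(files)",
meta => { "inventory", "attribute_name=Setuid files" },
if => regcmp( $(_reg_setuid_filestat_modeoct), filestat( $(files), modeoct ) );
"rootsetuid[$(files)]"
string => "$(files)",
meta => { "inventory", "attribute_name=Root owned setuid files" },
if => and( regcmp( $(_reg_setuid_filestat_modeoct), filestat( $(files), modeoct ) ),
regcmp( "0", filestat( $(files), uid ) ));
# The two setgid attributes must be selected with the setgid pattern. Using
# the setuid pattern here would list setuid-only files (104xxx) as setgid
# and leave setgid-only files (102xxx) out of the inventory altogether.
"setgid[$(files)]" -> { "ENT-6793" }
string => "$(files)",
meta => { "inventory", "attribute_name=Setgid files" },
if => regcmp( $(_reg_setgid_filestat_modeoct), filestat( $(files), modeoct ) );
# "Root owned" for setgid means group id 0, hence the gid lookup.
"rootsetgid[$(files)]" -> { "ENT-6793" }
string => "$(files)",
meta => { "inventory", "attribute_name=Root owned setgid files" },
if => and( regcmp( $(_reg_setgid_filestat_modeoct), filestat( $(files), modeoct ) ),
regcmp( "0", filestat( $(files), gid ) ));
files:
!disable_inventory_setuid::
# escape() turns the path into a literal pattern so that regex
# metacharacters in a file name cannot widen what gets deleted.
"$(setuid_log_path)"
comment => concat( "If the logged file is not currently setuid|setgid then we can",
"safely purge it from the list to avoid unnecessary work."),
edit_line => delete_lines_matching( escape( $(files) ) ),
if => not( regcmp( "($(_reg_setuid_filestat_modeoct))|($(_reg_setgid_filestat_modeoct))",
filestat( $(files), modeoct ) ) );
reports:
!disable_inventory_setuid.(DEBUG|DEBUG_cfe_autorun_inventory_setuid)::
"$(setuid_log_path) present"
if => fileexists( $(setuid_log_path) );
@if minimum_version(3.11)
"Previously logged (setuid|setgid) file: $(files) modeoct=$(with)"
with => filestat( $(files), modeoct );
"Should remove '$(files)' from '$(setuid_log_path)' because `filestat ($(files), modeoct )` returns '$(with)' which does not match '($(_reg_setuid_filestat_modeoct))|($(_reg_setgid_filestat_modeoct))' (setgid|setuid)"
comment => concat( "If the logged file is not currently set(uid&|gid) then we can",
"safely purge it from the list to avoid unnecessary work."),
with => filestat( $(files), modeoct ),
if => not( regcmp( "($(_reg_setuid_filestat_modeoct))|($(_reg_setgid_filestat_modeoct))",
filestat( $(files), modeoct ) ) );
# The `with` attribute was introduced in 3.11
"Inventory: setuid Files: $(files) modeoct=$(with)"
with => filestat( $(files), modeoct ),
if => regcmp( $(_reg_setuid_filestat_modeoct), filestat( $(files), modeoct ) );
"Inventory: root owned setuid Files: $(files) modeoct=$(with)"
with => filestat( $(files), modeoct ),
if => and( regcmp( $(_reg_setuid_filestat_modeoct), filestat( $(files), modeoct ) ),
regcmp( "0", filestat( $(files), uid ) ));
@endif
}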
bundle agent cfe_autorun_inventory_timezone
# @brief Inventory timezone and GMT offset
#
# Both attributes are formatted from the same timestamp so they cannot
# disagree across a DST change that happens between two now() calls.
{
vars:
# Single point in time shared by the two strftime() calls below.
"_now" int => now();
"timezone" -> { "ENT-6161" }
# %Z: time zone name or abbreviation in local time
string => strftime( localtime, "%Z", $(_now) ),
meta => { "inventory", "attribute_name=Timezone" };
"gmt_offset" -> { "ENT-6161" }
# %z: numeric offset from UTC in local time
string => strftime( localtime, "%z", $(_now) ),
meta => { "inventory", "attribute_name=Timezone GMT Offset" };
}
bundle agent cfe_autorun_inventory_loadaverage
# @brief Inventory the loadaverage (Enterprise only)
#
# Copies `mon.value_loadavg` into a variable tagged "report" (not
# "inventory"); skipped when the monitoring variable is not defined.
{
vars:
enterprise::
"value" -> { "ENT-5190" }
string => "$(mon.value_loadavg)",
meta => { "report" },
if => isvariable( "mon.value_loadavg" );
}
bundle agent cfe_autorun_inventory_proc
# @brief Do procfs inventory
#
# This bundle will parse these /proc files: consoles, cpuinfo,
# meminfo, modules, partitions, version, vmstat. There are
# some general patterns you can follow to extend it for other /proc
# items of interest.
#
# NOTE(review): the default `basefiles` list below holds only consoles,
# cpuinfo, modules, partitions and version; meminfo and vmstat are named
# above but no promise in this bundle reads them.
#
# Namespace-scoped classes `have_console_<name>` and `have_module_<name>` are
# defined from the first field of each line of the consoles and modules
# files, so other policy can test for a loaded kernel module by class.
# Reads are capped (see the last two arguments of each readstringarrayidx
# call), so a missing class on a host with a very long list is not proof
# that the module is absent.
#
# Contributions welcome. /proc/net and /proc/sys in general are of
# wide interest, if you're looking for something fun. For instance,
# the network interfaces could be extracted here without calling
# `ifconfig`.
{
vars:
# To override this set of base files, define default:cfe_autorun_inventory_proc.basefiles via augments.
# {
# "variables": {
# "default:cfe_autorun_inventory_proc.basefiles" : {
# "value": [ "consoles", "cpuinfo", "version" ],
# "comment": "We do not need the extra variables this produces since we get the info differently",
# "tags": [ "inventory", "attribute_name=My Inventory" ]
# }
# }
# }
"basefiles" -> { "CFE-4056" }
slist => { "consoles", "cpuinfo", "modules", "partitions", "version" },
unless => isvariable( "$(this.namespace):$(this.bundle).basefiles" );
# Map each base file name to its full path under the configured proc root.
"files[$(basefiles)]" string => "$(inventory_control.proc)/$(basefiles)";
_have_proc_consoles::
# Arguments: array name, file, comment regex, field separator, max entries,
# max bytes. The int receives the function's return value.
"console_count" int => readstringarrayidx("consoles",
"$(files[consoles])",
"\s*#[^\n]*",
"\s+",
500,
50000);
"console_idx" slist => getindices("consoles");
_have_proc_modules::
# Larger limits than the other files: 2500 entries / 250000 bytes.
"module_count" int => readstringarrayidx("modules",
"$(files[modules])",
"\s*#[^\n]*",
"\s+",
2500,
250000);
"module_idx" slist => getindices("modules");
_have_proc_cpuinfo::
# this will extract all the keys in one bunch, so you won't get
# detailed info for processor 0 for example
"cpuinfo_count" int => readstringarrayidx("cpuinfo_array",
"$(files[cpuinfo])",
"\s*#[^\n]*",
"\s*:\s*",
500,
50000);
"cpuinfo_idx" slist => getindices("cpuinfo_array");
# Re-key the parsed rows as cpuinfo[<field name>] = <value>.
"cpuinfo[$(cpuinfo_array[$(cpuinfo_idx)][0])]" string => "$(cpuinfo_array[$(cpuinfo_idx)][1])";
"cpuinfo_keys" slist => getindices("cpuinfo");
_have_proc_partitions::
# Lines starting with "major" (the header row) are treated as comments.
"partitions_count" int => readstringarrayidx("partitions_array",
"$(files[partitions])",
"major[^\n]*",
"\s+",
500,
50000);
"partitions_idx" slist => getindices("partitions_array");
# Column 4 becomes the key and column 3 the value; the report below prints
# them as partition name and block count.
"partitions[$(partitions_array[$(partitions_idx)][4])]" string => "$(partitions_array[$(partitions_idx)][3])";
"partitions_keys" slist => getindices("partitions");
_have_proc_version::
# At most 2048 bytes of the version file are read.
"version" string => readfile("$(files[version])", 2048);
classes:
"have_proc" expression => isdir($(inventory_control.proc));
have_proc::
# One bundle-local class per base file that exists, e.g. _have_proc_cpuinfo.
"_have_proc_$(basefiles)"
expression => fileexists("$(files[$(basefiles)])");
_have_proc_consoles::
"have_console_$(consoles[$(console_idx)][0])"
expression => "any",
scope => "namespace";
_have_proc_modules::
"have_module_$(modules[$(module_idx)][0])"
expression => "any",
scope => "namespace";
reports:
_have_proc_consoles.verbose_mode::
"$(this.bundle): we have console $(consoles[$(console_idx)][0])";
_have_proc_modules.verbose_mode::
"$(this.bundle): we have module $(modules[$(module_idx)][0])";
_have_proc_cpuinfo.verbose_mode::
"$(this.bundle): we have cpuinfo $(cpuinfo_keys) = $(cpuinfo[$(cpuinfo_keys)])";
_have_proc_partitions.verbose_mode::
"$(this.bundle): we have partitions $(partitions_keys) with $(partitions[$(partitions_keys)]) blocks";
_have_proc_version.verbose_mode::
"$(this.bundle): we have kernel version '$(version)'";
}
bundle agent cfe_autorun_inventory_proc_cpuinfo
# @brief Inventory cpu information from proc
#
# Works on the arrays produced by cfe_autorun_inventory_proc. The only
# inventory attribute defined here is "CPU sockets"; the other variables are
# intermediate values that cfe_autorun_inventory_cpuinfo publishes.
{
classes:
# True once the proc bundle has parsed cpuinfo in this agent run.
"_have_cpuinfo" expression => isvariable("default:cfe_autorun_inventory_proc.cpuinfo_idx");
# So that we don't inventory non dereferenced variables we check to see
# if we have the info first This is only necessary because its currently
# invalid to do isvariable on an array key that contains a space
# Ref: redmine#7088 https://dev.cfengine.com/issues/7088
"have_cpuinfo_cpu_cores" expression => strcmp("cpu cores", "$(default:cfe_autorun_inventory_proc.cpuinfo_array[$(default:cfe_autorun_inventory_proc.cpuinfo_idx)][0])");
"have_cpuinfo_model_name" expression => strcmp("model name", "$(default:cfe_autorun_inventory_proc.cpuinfo_array[$(default:cfe_autorun_inventory_proc.cpuinfo_idx)][0])");
"have_cpuinfo_hardware" expression => strcmp("Hardware", "$(default:cfe_autorun_inventory_proc.cpuinfo_array[$(default:cfe_autorun_inventory_proc.cpuinfo_idx)][0])");
"have_cpuinfo_revision" expression => strcmp("Revision", "$(default:cfe_autorun_inventory_proc.cpuinfo_array[$(default:cfe_autorun_inventory_proc.cpuinfo_idx)][0])");
vars:
_have_cpuinfo::
# Each value is copied only when the matching key was seen in cpuinfo.
"cpuinfo_physical_cores"
string => "$(default:cfe_autorun_inventory_proc.cpuinfo[cpu cores])",
if => "have_cpuinfo_cpu_cores";
"cpuinfo_cpu_model_name"
string => "$(default:cfe_autorun_inventory_proc.cpuinfo[model name])",
if => "have_cpuinfo_model_name";
"cpuinfo_hardware"
string => "$(default:cfe_autorun_inventory_proc.cpuinfo[Hardware])",
if => "have_cpuinfo_hardware";
"cpuinfo_revision"
string => "$(default:cfe_autorun_inventory_proc.cpuinfo[Revision])",
if => "have_cpuinfo_revision";
# We need to be able to count the number of unique physical id lines in
# the cpuinfo file in order to get a physical processor count.
# The file is re-read here line by line (split on newline), capped at
# 500 entries / 50000 bytes.
"cpuinfo_lines" slist => readstringlist(
"$(default:cfe_autorun_inventory_proc.files[cpuinfo])",
"\s*#[^\n]*",
"\n",
500,
50000);
"cpuinfo_processor_lines"
slist => grep("processor\s+:\s\d+", "cpuinfo_lines"),
comment => "The number of processor entries in $(default:cfe_autorun_inventory_proc.files[cpuinfo]). If no
'physical id' entries are found this is the processor count";
"cpuinfo_processor_lines_count"
int => length("cpuinfo_processor_lines");
"cpuinfo_physical_id_lines"
slist => grep("physical id.*", "cpuinfo_lines"),
comment => "This identifies which physical socket a logical core is on,
the count of the unique physical id lines tells you how
many physical sockets you have. THis would not be present
on systems that are not multicore.";
"cpuinfo_physical_id_lines_unique"
slist => unique("cpuinfo_physical_id_lines");
"cpuinfo_physical_id_lines_unique_count"
int => length("cpuinfo_physical_id_lines_unique");
# If we have physical id lines in cpu info use that for socket inventory,
# else we should use the number of processor lines. physical id lines
# seem to only be present when multiple cores are active.
"cpuinfo_physical_socket_inventory"
string => ifelse(isgreaterthan( length("cpuinfo_physical_id_lines"), 0 ), "$(cpuinfo_physical_id_lines_unique_count)",
"$(cpuinfo_processor_lines_count)"),
meta => { "inventory", "attribute_name=CPU sockets" };
reports:
DEBUG|DEBUG_cfe_autorun_inventory_proc::
"DEBUG $(this.bundle)";
"$(const.t)cpuinfo[$(default:cfe_autorun_inventory_proc.cpuinfo_array[$(default:cfe_autorun_inventory_proc.cpuinfo_idx)][0])] = $(default:cfe_autorun_inventory_proc.cpuinfo[$(default:cfe_autorun_inventory_proc.cpuinfo_array[$(default:cfe_autorun_inventory_proc.cpuinfo_idx)][0])])";
"$(const.t)CPU physical cores: '$(cpuinfo_physical_cores)'"
if => "have_cpuinfo_cpu_cores";
"$(const.t)CPU model name: '$(cpuinfo_cpu_model_name)'"
if => "have_cpuinfo_model_name";
"$(const.t)CPU Physical Sockets: '$(cpuinfo_physical_socket_inventory)'";
}
bundle agent cfe_autorun_inventory_cpuinfo
# @brief Inventory cpu information
#
# Publishes "CPU physical cores", "CPU model" and "System product name" from
# the values gathered by cfe_autorun_inventory_proc_cpuinfo, and falls back
# to dmidecode's processor-version for "CPU model" when /proc gave no model
# name. Each attribute carries a `derived-from=` tag naming its source.
{
classes:
"_have_proc_cpu_model_name" expression => isvariable("default:cfe_autorun_inventory_proc_cpuinfo.cpuinfo_cpu_model_name");
"_have_proc_hardware" expression => isvariable("default:cfe_autorun_inventory_proc_cpuinfo.cpuinfo_hardware");
"_have_proc_revision" expression => isvariable("default:cfe_autorun_inventory_proc_cpuinfo.cpuinfo_revision");
"_have_proc_cpu_physical_cores" expression => isvariable("default:cfe_autorun_inventory_proc_cpuinfo.cpuinfo_physical_cores");
# We only accept dmidecode values that don't look like cfengine variables,
# (starting with dollar), or that have an apparent empty value.
"_have_dmidecode_cpu_model_name"
not => regcmp("($(const.dollar)\(.*\)|^$)", "$(default:cfe_autorun_inventory_dmidecode.dmi[processor-version])");
vars:
_have_proc_cpu_physical_cores::
"cpuinfo_physical_cores"
string => "$(default:cfe_autorun_inventory_proc.cpuinfo[cpu cores])",
#if => "have_cpuinfo_cpu_cores",
meta => { "inventory", "attribute_name=CPU physical cores", "derived-from=$(default:cfe_autorun_inventory_proc.files[cpuinfo])" };
_have_proc_cpu_model_name::
"cpu_model"
string => "$(default:cfe_autorun_inventory_proc_cpuinfo.cpuinfo_cpu_model_name)",
meta => { "inventory", "attribute_name=CPU model", "derived-from=$(default:cfe_autorun_inventory_proc.files[cpuinfo])" };
_have_proc_hardware::
# The "Hardware" cpuinfo key is also published under "CPU model".
"cpu_model"
string => "$(default:cfe_autorun_inventory_proc_cpuinfo.cpuinfo_hardware)",
meta => { "inventory", "attribute_name=CPU model", "derived-from=$(default:cfe_autorun_inventory_proc.files[cpuinfo])" };
_have_proc_revision::
# The "Revision" cpuinfo key is published as the system product name.
"system_product_name"
string => "$(default:cfe_autorun_inventory_proc_cpuinfo.cpuinfo_revision)",
meta => { "inventory", "attribute_name=System product name", "derived-from=$(default:cfe_autorun_inventory_proc.files[cpuinfo])" };
_have_dmidecode_cpu_model_name.!_have_proc_cpu_model_name::
# dmidecode is used only when /proc did not provide a model name.
"cpu_model"
string => "$(default:cfe_autorun_inventory_dmidecode.dmi[processor-version])",
meta => { "inventory", "attribute_name=CPU model", "derived-from=$(inventory_control.dmidecoder) -s processor-version" };
reports:
DEBUG|DEBUG_cfe_autorun_inventory_cpuinfo::
"DEBUG $(this.bundle)";
"$(const.t) CPU model: $(cpu_model)";
"$(const.t) CPU physical cores: $(cpuinfo_physical_cores)";
}
bundle common cfe_autorun_inventory_aws
# @brief inventory AWS EC2 instances
#
# Provides:
# ec2_instance class based on Amazon markers in dmidecode's system-uuid, bios-version or bios-vendor
# (and, when readable, an "ec2" prefix in /sys/hypervisor/uuid)
#
# The class is a heuristic built from SMBIOS and sysfs strings reported by
# the platform; it is not an attestation. Elsewhere in this file it gates
# the HTTP requests to the instance metadata endpoint
# (cfe_autorun_inventory_aws_ec2_metadata_data), so a false positive means
# the agent sends requests to the link-local address on a non-EC2 host.
# Define `disable_inventory_aws` to switch the detection off.
{
classes:
!disable_inventory_aws::
"ec2_instance" -> { "CFE-2924" }
comment => "See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/identify_ec2_instances.html",
scope => "namespace",
expression => regcmp("^[eE][cC]2.*", "$(cfe_autorun_inventory_dmidecode.dmi[system-uuid])"),
if => isvariable("cfe_autorun_inventory_dmidecode.dmi[system-uuid]");
"ec2_instance" -> { "CFE-2924" }
expression => regcmp(".*[aA]mazon.*", "$(cfe_autorun_inventory_dmidecode.dmi[bios-version])"),
scope => "namespace",
if => isvariable("cfe_autorun_inventory_dmidecode.dmi[bios-version]");
"ec2_instance" -> { "CFE-2924" }
expression => regcmp(".*[aA]mazon.*", "$(cfe_autorun_inventory_dmidecode.dmi[bios-vendor])"),
scope => "namespace",
if => isvariable("cfe_autorun_inventory_dmidecode.dmi[bios-vendor]");
# Readability probe for /sys/hypervisor/uuid: agents from 3.22.0 use the
# isreadable() function, older agents fall back to running cat in a shell
# (constant command line, output discarded).
@if minimum_version(3.22.0)
"sys_hypervisor_uuid_readable" -> { "ENT-9931" }
expression => isreadable("/sys/hypervisor/uuid", 1);
@else
"sys_hypervisor_uuid_readable" -> { "ENT-9931" }
expression => returnszero("${paths.cat} /sys/hypervisor/uuid >/dev/null 2>&1", "useshell");
@endif
!disable_inventory_aws.sys_hypervisor_uuid_readable::
"ec2_instance" -> { "CFE-2924" }
expression => regline( "^ec2.*", "/sys/hypervisor/uuid" ),
scope => "namespace",
if => fileexists("/sys/hypervisor/uuid");
reports:
(DEBUG|DEBUG_inventory_aws)::
"DEBUG $(this.bundle)";
"$(const.t)+ec2_instance"
if => "ec2_instance";
}
bundle agent cfe_autorun_inventory_aws_ec2_metadata
# @brief Inventory ec2 metadata
#
# Entry point that runs three bundles in order: fetch the instance identity
# document, cache it on disk, then inventory from the cache. Nothing runs
# when `disable_inventory_aws` or `disable_inventory_aws_ec2_metadata` is
# defined.
{
methods:
!(disable_inventory_aws|disable_inventory_aws_ec2_metadata)::
"cfe_autorun_inventory_aws_ec2_metadata_data";
"cfe_autorun_inventory_aws_ec2_metadata_cache";
"cfe_aws_ec2_metadata_from_cache";
}
bundle agent cfe_autorun_inventory_aws_ec2_metadata_data
# @brief Retrieve metadata from AWS API, preferring IMDSV2
#
# Requests a session token with PUT, uses it to fetch the instance identity
# document, and falls back to an unauthenticated (IMDSv1) GET only when the
# IMDSv2 response is not valid JSON. All curl calls are run without a shell.
#
# Review notes:
# - The IMDSv1 fallback is unconditional policy; hosts where IMDSv1 is
#   disabled simply get no result from it, but the request is still sent.
# - curl is called with `-s` only. No --connect-timeout/--max-time is
#   passed, so how long an unanswered request blocks is left to curl's
#   defaults; consider bounding it.
# - The session token is placed on curl's command line, where it is visible
#   to local process listings for the lifetime of that curl process.
{
vars:
ec2_instance.!(disable_inventory_aws|disable_inventory_aws_ec2_metadata)::
# Link-local instance metadata endpoint (plain HTTP).
"base_url" string => "http://169.254.169.254/latest";
# Token lifetime requested: 21600 seconds.
"imdsv2_token_cmd" string => '$(paths.curl) -s -X PUT "$(base_url)/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"';
# Store the token for the imdsv2 query, and its result, just once.
"imdsv2_token"
string => execresult("$(imdsv2_token_cmd)", noshell, stdout),
if => not( isvariable( imdsv2_token ) );
"imdsv2_cmd" string => '$(paths.curl) -s -H "X-aws-ec2-metadata-token: $(imdsv2_token)" $(base_url)/dynamic/instance-identity/document';
"imdsv2_cmd_result"
string => execresult( "$(imdsv2_cmd)", noshell ),
if => not( isvariable( imdsv2_cmd_result ) );
# Store the result of the imdsv1 query just once (if it has not already
# been defined), and only if the imdsv2 result is not valid JSON.
"imdsv1_cmd" string => "$(paths.curl) -s $(base_url)/dynamic/instance-identity/document";
"imdsv1_cmd_result"
string => execresult( "$(imdsv1_cmd)", noshell ),
if => and( not( isvariable( imdsv1_cmd_result ) ),
not( validjson( "$(imdsv2_cmd_result)" ) ) );
}
bundle agent cfe_autorun_inventory_aws_ec2_metadata_cache
# @brief Cache ec2 metadata from http request
#
# Provides cache of ec2 instance metadata for inventory
#
# Only a response that parses as JSON is written, and the IMDSv2 result is
# preferred over the IMDSv1 one. When neither is valid the existing cache
# file is left as it is.
# NOTE(review): the files promises set no `perms`, so the mode of a newly
# created cache file is whatever the agent's defaults give; consider making
# it explicit.
{
vars:
"cache" string => "$(sys.statedir)/aws_ec2_metadata";
classes:
"imdsv1_result_valid" expression => validjson( "$(cfe_autorun_inventory_aws_ec2_metadata_data.imdsv1_cmd_result)" );
"imdsv2_result_valid" expression => validjson( "$(cfe_autorun_inventory_aws_ec2_metadata_data.imdsv2_cmd_result)" );
files:
# IMDSv1 data is used only when IMDSv2 gave nothing usable.
imdsv1_result_valid.!imdsv2_result_valid::
"$(cache)"
content => "$(cfe_autorun_inventory_aws_ec2_metadata_data.imdsv1_cmd_result)";
imdsv2_result_valid::
"$(cache)"
content => "$(cfe_autorun_inventory_aws_ec2_metadata_data.imdsv2_cmd_result)";
}
bundle agent cfe_aws_ec2_metadata_from_cache
# @brief Inventory ec2 metadata from cache
#
# Provides inventory for EC2 Region, EC2 Instance ID, EC2 Instance Type, EC2
# Image ID, and EC2 Availability Zone
#
# The values are read from the cache file written by
# cfe_autorun_inventory_aws_ec2_metadata_cache, not from a fresh request, so
# they are as current and as trustworthy as that file.
{
classes:
ec2_instance.!(disable_inventory_aws|disable_inventory_aws_ec2_metadata)::
"have_cached_instance_identity"
expression => fileexists( $(cfe_autorun_inventory_aws_ec2_metadata_cache.cache) );
vars:
have_cached_instance_identity.ec2_instance.!(disable_inventory_aws|disable_inventory_aws_ec2_metadata)::
# At most 100K of the cache file is parsed.
"data" data => readjson( $(cfe_autorun_inventory_aws_ec2_metadata_cache.cache), 100K);
"region" string => "$(data[region])", meta => { "inventory", "attribute_name=EC2 Region" };
"instanceId" string => "$(data[instanceId])", meta => { "inventory", "attribute_name=EC2 Instance ID" };
"instanceType" string => "$(data[instanceType])", meta => { "inventory", "attribute_name=EC2 Instance Type" };
"imageId" string => "$(data[imageId])", meta => { "inventory", "attribute_name=EC2 Image ID" };
"availabilityZone" string => "$(data[availabilityZone])", meta => { "inventory", "attribute_name=EC2 Availability Zone" };
reports:
DEBUG|DEBUG_inventory_ec2_metadata|DEBUG_inventory_ec2_metadata_from_cache::
"DEBUG $(this.bundle):";
"$(const.t)Inventory 'EC2 Region' = '$(region)'";
"$(const.t)Inventory 'EC2 Instance ID' = '$(instanceId)'";
"$(const.t)Inventory 'EC2 Instance Type' = '$(instanceType)'";
"$(const.t)Inventory 'EC2 Image ID' = '$(imageId)'";
"$(const.t)Inventory 'EC2 Availability Zone' = '$(availabilityZone)'";
}
bundle agent cfe_autorun_inventory_mtab
# @brief Do mtab inventory
# @inventory `File system` - File system in use by active mounts
# @inventory `Mount point` - Mount points that have active mounts
# @class `have_mount_FSTYPE_MOUNTPOINT` - Namespace scoped class for each file system mount point. For example: `have_mount_ext4__var` for a `ext4` file system mounted at `/var`
# @class `have_mount_FSTYPE` - if there is any mounted file system formatted with `ext4`
#
# The mtab format is simple: each line looks like this format:
# `/dev/sda1 / ext4 rw,noatime,data=ordered 0 0` (in order: `DEV
# MOUNTPOINT FSTYPE OPTIONS DUMP-FREQ PASS`). Some older Unices have
# a different format and it's really not portable, so enable this only
# if you know you want it. It's very handy if you want to check if a
# file system is mounted.
#
# Class names and inventory values are taken straight from fields 1 and 2 of
# each line of `$(inventory_control.mtab)`; the file is read without an
# entry or size limit (`inf, inf`).
{
vars:
have_mtab::
"mounts"
meta => { "noreport" },
data => data_readstringarrayidx( $(inventory_control.mtab),
"\s*#[^\n]*",
"\s+",
inf,
inf);
"mount_count"
int => length( mounts );
"idx" slist => getindices("mounts");
# Field 1 of each line is the mount point.
"inventory_mount_point[$(idx)]" -> { "ENT-8338" }
string => "$(mounts[$(idx)][1])",
meta => { "inventory", "attribute_name=Mount point" };
# Field 2 is the file system type; kept out of reports and only used to
# build the de-duplicated list below.
"inventory_mounted_fs[$(idx)]"
string => "$(mounts[$(idx)][2])",
meta => { "noreport" };
"slist_unique_fs_types"
slist => unique( sort( getvalues( inventory_mounted_fs ), lex ) );
"inventory_fs[$(slist_unique_fs_types)]" -> { "ENT-8338" }
string => "$(slist_unique_fs_types)",
meta => { "inventory", "attribute_name=File system" };
classes:
"have_mtab" expression => fileexists($(inventory_control.mtab));
# define classes like have_mount_ext4__var for a ext4 /var mount
"have_mount_$(mounts[$(idx)][2])_$(mounts[$(idx)][1])"
expression => "any",
scope => "namespace";
# define classes like have_mount_ext4 if there is a ext4 mount
"have_mount_$(mounts[$(idx)][2])"
expression => "any",
scope => "namespace";
reports:
verbose_mode::
"$(this.bundle): we have a $(mounts[$(idx)][2]) mount under $(mounts[$(idx)][1])";
}
bundle agent cfe_autorun_inventory_fstab
# @brief Do fstab inventory
#
# The fstab format is simple: each line looks like this format:
# `/dev/sda1 / auto noatime 0 1` (in order: `DEV MOUNTPOINT FSTYPE
# OPTIONS DUMP-FREQ PASS`). Note the FSTYPE is not known from the
# fstab.
#
# Solaris has 'MOUNTDEV FSCKDEV MOUNTPOINT FSTYPE PASS MOUNT-AD-BOOT
# OPTIONS' but is not supported here. Contributions welcome.
#
# This bundle defines namespace-scoped classes only; it sets no inventory
# attributes. The classes describe what `$(sys.fstab)` declares, not what is
# mounted at the moment.
{
vars:
have_fstab::
# Read is capped at 500 entries / 50000 bytes.
"mount_count" int => readstringarrayidx("mounts",
$(sys.fstab),
"\s*#[^\n]*",
"\s+",
500,
50000);
"idx" slist => getindices("mounts");
classes:
"have_fstab" expression => fileexists($(sys.fstab));
# define classes like have_fs_ext4__var for a ext4 /var entry
"have_fs_$(mounts[$(idx)][2])_$(mounts[$(idx)][1])"
expression => "any",
scope => "namespace";
# define classes like have_fs__var for a /var entry
"have_fs_$(mounts[$(idx)][1])"
expression => "any",
scope => "namespace";
# define classes like have_fs_ext4 if there is a ext4 entry
"have_fs_$(mounts[$(idx)][2])"
expression => "any",
scope => "namespace";
reports:
verbose_mode::
"$(this.bundle): we have a $(mounts[$(idx)][2]) fstab entry under $(mounts[$(idx)][1])";
}
bundle agent cfe_autorun_inventory_dmidecode
# @brief Do hardware related inventory
#
# This agent bundle reads dmi information from the sysfs and/or from dmidecode.
# Sysfs is preferred for most variables, but if no sysfs (e.g. on RHEL 5),
# or no sysfs equivalent to a dmidecode variable (e.g. system-version),
# then dmidecode is run to collect the info.
# For system-uuid, a parsed version of dmidecode is the preferred source.
#
# The variable names dmi[...] are all based on dmidecode string keywords.
#
# Information collected is:
# - BIOS vendor
# - BIOS version
# - System serial number
# - System manufacturer
# - System version
# - System product name
# - Physical memory (MB)
#
# On windows where powershell is available this bundle runs gwmi to inventory:
# - BIOS vendor
# - BIOS version
# - System serial number
# - System manufacturer
#
# Review note on command construction: several promises below build a shell
# command line from `$(inventory_control.dmidecoder)` and, for the generic
# `-s` lookups, from the keys of `dmidefs`. Those keys can be replaced from
# augments (`def.cfe_autorun_inventory_dmidecode[dmidefs]`), so anyone able
# to edit the augments data decides what text is appended after `-s`. Treat
# write access to augments with the same care as write access to policy.
{
vars:
any::
"sysfs_name_for"
comment => "The names in /sys/devices/virtual/dmi/id/ don't match
the strings to be passed to dmidecode, even though the
values do. We use the dmidecode string names for our
variables since that was the original source (i.e. for
backward compatibility with policies based on prior
versions of this code).",
# system-version has no equivalent in sysfs that I can find.
# Items after the line break aren't currently collected, but mapping is provided
# in case someone adds them to a custom dmidefs (so that they could be gotten
# from sysfs in that case).
data => parsejson('
{
"bios-vendor": "bios_vendor",
"bios-version": "bios_version",
"system-serial-number": "product_serial",
"system-manufacturer": "sys_vendor",
"system-product-name": "product_name",
"system-uuid": "product_uuid",
"baseboard-manufacturer": "board_vendor",
"baseboard-product-name": "board_name",
"baseboard-serial-number": "board_serial",
"baseboard-version": "board_version",
"bios-release-date": "bios_date",
"chassis-manufacturer": "chassis_vendor",
}');
vars:
any::
# The dmidefs variable controls which values are collected
# (and what are their inventory tags)
"dmidefs" data => parsejson('
{
"bios-vendor": "BIOS vendor",
"bios-version": "BIOS version",
"system-serial-number": "System serial number",
"system-manufacturer": "System manufacturer",
"system-version": "System version",
"system-product-name": "System product name",
"system-uuid": "System UUID",
}');
# We override dmidefs from augments when we can.
# The augments value replaces the default map above; it is not merged
# with it.
"dmidefs" -> { "CFE-2927" }
data => mergedata( "def.cfe_autorun_inventory_dmidecode[dmidefs]" ),
if => isvariable( "def.cfe_autorun_inventory_dmidecode[dmidefs]");
# other dmidecode variables you may want:
# baseboard-asset-tag
# baseboard-manufacturer
# baseboard-product-name
# baseboard-serial-number
# baseboard-version
# bios-release-date
# chassis-asset-tag
# chassis-manufacturer
# chassis-serial-number
# chassis-type
# chassis-version
# processor-family
# processor-frequency
# processor-manufacturer
#"processor-version": "CPU model" <- Collected by default, but not by iterating over the list
"dmivars" slist => getindices(dmidefs);
have_dmidecode::
"decoder" string => "$(inventory_control.dmidecoder)";
have_dmidecode._stdlib_path_exists_awk.!(redhat_4|redhat_3)::
# Awk script from https://kb.vmware.com/s/article/53609
# Edited only to add "-t1" (an improvement tested on RHEL 4/5/6/7 and FreeBSD)
# and to take out the "UUID: " prefix in the output.
# This works on a superset of systems where dmidecode -s system-uuid works,
# e.g. RHEL 5 with dmidecode-2.7-1.28.2.el5 where system-uuid is not one of the valid keywords;
# also, this returns the correct UUID on systems (such as VMWare VMs with hardware version 13)
# where dmidecode -s system-uuid shows the wrong UUID. Some such VMWare VMs also show the
# wrong UUID in sysfs, which is why we prefer the "dmidecode | awk" version to sysfs for UUID.
# (We still need to check sysfs for UUID to handle hosts without dmidecode such as CoreOS.)
# Only $(decoder) and $(paths.awk) are interpolated into this shell command.
"dmi[system-uuid]"
string => execresult(
"$(decoder) -u -t1 |
$(paths.awk) '
BEGIN { in1 = 0; hd = 0}
/, DMI type / { in1 = 0 }
/Strings:/ { hd = 0 }
{ if (hd == 2) { printf \"%s-%s\n\", $1 $2, $3 $4 $5 $6 $7 $8; hd = 0 } }
{ if (hd == 1) { printf \"%s-%s-%s-\", $9 $10 $11 $12, $13 $14, $15 $16; hd = 2 } }
/, DMI type 1,/ { in1 = 1 }
/Header and Data:/ { if (in1 != 0) { hd = 1 } }
'",
"useshell" ),
if => isvariable("dmidefs[system-uuid]"), # Only run this if system-uuid is marked for collection in dmidefs
meta => { "inventory", "attribute_name=$(dmidefs[system-uuid])" };
!disable_inventory_dmidecode.!windows::
# The reason disable_inventory_dmidecode is referenced here but not in the other context lines
# is because those vars depend on have_dmidecode which won't be set during pre-eval (and won't
# be set at all if this bundle isn't called). Without this guard here, we would attempt to
# read sysfs even if dmi inventory were turned off on the host via disable_inventory_dmidecode,
# which would be undesirable.
# The sysfs file name comes from the fixed sysfs_name_for map, never
# directly from a dmidefs key.
# NOTE(review): readfile() is called with a size of 0 - presumably "no
# limit"; confirm against the function reference.
"dmi[$(dmivars)]"
unless => isvariable("dmi[$(dmivars)]"), # This is just for system-uuid really, which we get from the awk script above by preference.
if => fileexists("/sys/devices/virtual/dmi/id/$(sysfs_name_for[$(dmivars)])"),
string => readfile("/sys/devices/virtual/dmi/id/$(sysfs_name_for[$(dmivars)])", 0),
meta => { "inventory", "attribute_name=$(dmidefs[$(dmivars)])" };
# Redhat 4 can support the -s option to dmidecode if
# kernel-utils-2.4-15.el4 or greater is installed.
have_dmidecode.!(redhat_4|redhat_3).!have_proc_device_tree::
# $(dmivars) (a dmidefs key, overridable from augments) is spliced into a
# command line that runs through a shell; see the review note in the bundle
# header.
"dmi[$(dmivars)]" string => execresult("$(decoder) -s $(dmivars)",
"useshell"),
unless => isvariable("dmi[$(dmivars)]"), # If already defined from sysfs, don't run dmidecode
meta => { "inventory", "attribute_name=$(dmidefs[$(dmivars)])" };
# We do not want to inventory the model name from here, as inventory for
# CPU info has been abstracted away from DMI so we just collect it
# manually.
"dmi[processor-version]" string => execresult("$(decoder) -s processor-version",
"useshell");
windows.powershell::
# Values captured by the regextract() calls in the classes section below.
"dmi[bios-vendor]" string => $(bios_array[1]),
meta => { "inventory", "attribute_name=BIOS vendor" };
"dmi[system-serial-number]" string => $(bios_array[2]),
meta => { "inventory", "attribute_name=System serial number" };
"dmi[bios-version]" string => $(bios_array[3]),
meta => { "inventory", "attribute_name=BIOS version" };
"dmi[system-version]" string => $(bios_array[4]),
meta => { "inventory", "attribute_name=System version" };
"dmi[processor-version]" string => $(processor_array[1]);
"split_pscomputername"
slist => string_split($(system_array[1]), "PSComputerName\s.*", 2),
comment => "Work around weird appearance of PSComputerName into System manufacturer";
"dmi[system-manufacturer]" string => nth(split_pscomputername, 0),
meta => { "inventory", "attribute_name=System manufacturer" };
classes:
"have_dmidecode" expression => fileexists($(inventory_control.dmidecoder));
windows.powershell::
# The WMI queries are constant strings; the capture groups accept only
# letters, digits and spaces (plus '-' for Version).
"bios_match" expression => regextract(".*Manufacturer\s+:\s([a-zA-Z0-9 ]+)\n.*SerialNumber\W+([a-zA-Z0-9 ]+).*SMBIOSBIOSVersion\W+([a-zA-Z0-9 ]+).*Version\W+([a-zA-Z0-9 -]+)",
execresult("gwmi -query 'SELECT SMBIOSBIOSVersion, Manufacturer, SerialNumber, Version FROM WIN32_BIOS'", "powershell"),
"bios_array");
"processor_match" expression => regextract(".*Name\W+(.*)",
execresult("gwmi -query 'SELECT Name FROM WIN32_PROCESSOR'", "powershell"),
"processor_array");
"system_match" expression => regextract(".*Manufacturer\W+(.*)",
execresult("gwmi -query 'SELECT Manufacturer FROM WIN32_COMPUTERSYSTEM'", "powershell"),
"system_array");
# BEGIN Inventory Total Physical Memory MB
# The value is computed by the commands promise below, stored in a file under
# $(sys.statedir), read back here (at most 100 bytes), and the file is
# removed once it is older than a day so that it gets regenerated.
vars:
"total_physical_memory_MB" -> { "CFE-2896" }
string => readfile( "$(sys.statedir)/inventory-$(this.bundle)-total-physical-memory-MB.txt", 100),
meta => { "inventory", "attribute_name=Physical memory (MB)" },
if => fileexists( "$(sys.statedir)/inventory-$(this.bundle)-total-physical-memory-MB.txt" );
commands:
have_dmidecode::
# Sums the "Size:" lines of DMI type 17 (memory device) records, converting
# GB to MB, and writes the total to the cache file via shell redirection.
"$(decoder) -t 17 | $(paths.awk) '/^\tSize:.*MB/ {a+=$2} /^\tSize:.*GB/ {b+=$2*1024} END {print a+b}' > '$(sys.statedir)/inventory-$(this.bundle)-total-physical-memory-MB.txt'" -> { "CFE-2896", "ENT-7714" }
contain => in_shell,
if => not( fileexists( "$(sys.statedir)/inventory-$(this.bundle)-total-physical-memory-MB.txt") );
files:
"$(sys.statedir)/inventory-$(this.bundle)-total-physical-memory-MB.txt" -> { "CFE-2896" }
delete => tidy,
file_select => older_than(0, 0, 1, 0, 0, 0),
comment => "Clear the cached value for total physical memory MB once a day.";
# END Inventory Total Physical Memory MB
reports:
DEBUG|DEBUG_cfe_autorun_inventory_dmidecode::
"DEBUG $(this.bundle): Obtained $(dmidefs[$(dmivars)]) = '$(dmi[$(dmivars)])'";
"DEBUG $(this.bundle): Obtained Physical memory (MB) = '$(total_physical_memory_MB)'";
}
bundle agent cfe_autorun_inventory_LLDP
# @brief Do LLDP-based inventory
#
# This agent bundle runs lldpctl to discover information. See
# http://vincentbernat.github.io/lldpd/ to run this yourself for
# testing, and your Friendly Network Admin may be of help too.
#
# The output of `inventory_control.lldpctl_json` is parsed as JSON into the
# data container `info`. The two `info` promises below have mutually
# exclusive guards, so at most one of them applies on a given host.
{
classes:
# Only attempt discovery when the configured lldpctl binary is present.
"lldpctl_exec_exists" expression => fileexists($(inventory_control.lldpctl_exec));
vars:
!disable_inventory_LLDP.lldpctl_exec_exists::
# TODO When CFE-3108 is DONE, migrate to capturing only stdout
# Default command (def.lldpctl_json not set): executed through a shell so
# that stderr can be discarded with `2>/dev/null`.
"info" -> { "CFE-3109", "CFE-3108" }
data => parsejson(execresult("$(inventory_control.lldpctl_json) 2>/dev/null", "useshell")),
if => not(isvariable("def.lldpctl_json")),
comment => "Not all versions of lldpctl support json, and because an
absent lldpd will result in an error on stderr resulting noisy logs and
failure to parse the json we redirect to dev null";
# Customized command (def.lldpctl_json set): executed with "noshell", so the
# operator-supplied string is not interpreted as shell syntax. No stderr
# redirection is applied on this path.
# NOTE(review): the guard tests def.lldpctl_json while the command that runs
# is inventory_control.lldpctl_json; presumably the latter is derived from
# the former in inventory_control -- confirm.
"info" -> { "CFE-3109" }
data => parsejson(execresult($(inventory_control.lldpctl_json), "noshell")),
if => isvariable("def.lldpctl_json"),
comment => "For safety, we do not run lldpctl in a shell if the path to
lldpctl is customized via augments";
}
bundle agent cfe_autorun_inventory_packages
# @brief Package inventory auto-refresh
#
# This bundle is for refreshing the package inventory. It runs on
# startup, unless disabled. Other package methods can be added below.
#
# Platforms in `use_package_module_for_inventory` get no packages promise
# from this bundle. AIX, Gentoo and every platform in neither list get a
# placeholder packages promise that uses a legacy package_method.
{
  classes:
      # Patch data counts as available on Community, or when the patches CSV
      # is present in the state directory.
      "have_patches"
        or => {
                "community_edition", # not in Community
                fileexists("$(sys.workdir)/state/software_patches_avail.csv")
              };

      # Inventory is complete when patch data and the packages CSV both exist.
      "have_inventory"
        and => {
                 "have_patches",
                 fileexists("$(sys.workdir)/state/software_packages.csv")
               };

      "use_package_module_for_inventory"
        or => { "redhat", "debian", "suse", "sles", "alpinelinux", "windows" };

      "use_package_method_for_inventory"
        or => { "gentoo", "aix" };

      # Anything not covered by the two classes above falls back to the
      # generic package_method.
      "use_package_method_generic_for_inventory"
        not => "use_package_module_for_inventory|use_package_method_for_inventory";

  vars:
      # if we have the patches, 7 days; otherwise keep trying
      "refresh"
        string => ifelse("have_inventory", "10080", "0");

  packages:
      # The legacy implementation (package_method) of the packages type promise
      # requires a packages promise to be triggered in order to generate package
      # inventory. The following promises ensure that package inventory data
      # exists. As package modules become available the package_methods should be
      # removed.
    aix::
      "cfe_internal_non_existing_package"
        action => if_elapsed_day,
        package_method => inventory_lslpp($(refresh)),
        package_policy => "add";

    gentoo::
      "cfe_internal_non_existing_package"
        action => if_elapsed_day,
        package_method => emerge,
        package_policy => "add";

    use_package_method_generic_for_inventory::
      "cfe_internal_non_existing_package"
        action => if_elapsed_day,
        package_method => generic,
        package_policy => "add";

  reports:
    DEBUG|DEBUG_cfe_autorun_inventory_packages::
      "DEBUG $(this.bundle): refresh interval is $(refresh)";

      "DEBUG $(this.bundle): we have the inventory files."
        if => "have_inventory";

      "DEBUG $(this.bundle): we don't have the inventory files."
        if => "!have_inventory";
}
bundle agent cfe_autorun_inventory_policy_servers
# @brief Inventory policy servers
#
# Publishes `sys.policy_hub` as "Primary Policy Server" and, when
# `def.policy_servers` has at least one element, a copy of that list as
# "Policy Servers". Nothing is defined when the class
# `disable_inventory_policy_servers` is set.
{
  vars:
    !disable_inventory_policy_servers::
      "_primary_policy_server" -> { "ENT-6212" }
        meta => { "inventory", "attribute_name=Primary Policy Server" },
        string => "$(sys.policy_hub)";

      # Guarded on list length so that no inventory attribute is defined
      # from an empty list.
      "_policy_servers" -> { "ENT-6212" }
        meta => { "inventory", "attribute_name=Policy Servers" },
        if => isgreaterthan( length( "def.policy_servers"), 0),
        slist => { @(def.policy_servers) };
}
body package_method inventory_lslpp(update_interval)
# @brief AIX lslpp installation method for inventory purposes only
# @param update_interval how often to update the package and patch list
#
# Only the list command does real work. The add, update, patch, delete,
# verify and list-update commands are all `/usr/bin/true`, so a promise using
# this body reads the installed-package list without changing any package.
{
      package_changes => "individual";
      package_name_convention => "$(name)-$(version).+";

      # Listing installed software
      package_list_command => "/usr/bin/lslpp -Lqc"; # list RPMs too
      package_list_update_command => "/usr/bin/true";
      package_list_update_ifelapsed => $(update_interval);

      # Parsing of the colon-separated list output
      package_list_version_regex => "[^:]+:[^:]+:([^:]+):.*";
      # Make sure version is not included in the name, that indicates RPM
      # packages, which we should ignore.
      package_list_name_regex => "[^:]+:(([^-:]|-[^0-9])+):.*";
      package_installed_regex => "[^:]+:(([^-:]|-[^0-9])+):[^:]+:[^:]+:.*";

      # No-op commands: this body never installs, updates or removes anything
      package_add_command => "/usr/bin/true";
      package_update_command => "/usr/bin/true";
      package_patch_command => "/usr/bin/true";
      package_delete_command => "/usr/bin/true";
      package_verify_command => "/usr/bin/true";
}
body classes inventory_scoped_classes_generic(scope, x)
# @brief Define `x` prefixed/suffixed with promise outcome
# **See also:** `scope`
#
# @param scope The scope in which the class should be defined
# @param x The unique part of the classes to be defined
#
# Copy of `scoped_classes_generic`, which see.
#
# Every outcome defines `$(x)_reached`. Kept and repaired outcomes define
# `$(x)_ok`; failed, denied and timed-out outcomes define `$(x)_not_ok`.
{
      scope => "$(scope)";

      promise_kept => {
                        "promise_kept_$(x)",
                        "$(x)_kept",
                        "$(x)_ok",
                        "$(x)_not_repaired",
                        "$(x)_reached"
                      };

      promise_repaired => {
                            "promise_repaired_$(x)",
                            "$(x)_repaired",
                            "$(x)_ok",
                            "$(x)_reached"
                          };

      repair_failed => {
                         "repair_failed_$(x)",
                         "$(x)_failed",
                         "$(x)_not_ok",
                         "$(x)_not_kept",
                         "$(x)_not_repaired",
                         "$(x)_reached"
                       };

      repair_denied => {
                         "repair_denied_$(x)",
                         "$(x)_denied",
                         "$(x)_not_ok",
                         "$(x)_not_kept",
                         "$(x)_not_repaired",
                         "$(x)_reached"
                       };

      repair_timeout => {
                          "repair_timeout_$(x)",
                          "$(x)_timeout",
                          "$(x)_not_ok",
                          "$(x)_not_kept",
                          "$(x)_not_repaired",
                          "$(x)_reached"
                        };
}
body contain inventory_in_shell
# @brief run command in shell
#
# Copy of `in_shell`, which see.
#
# A command promise using this body is handed to a shell, so every variable
# expanded into its command string is parsed as shell syntax. Use it only
# with values the policy author controls.
{
      useshell => "true"; # canonical "useshell" but this is backwards-compatible
}
cfengine-masterfiles-3.24.2/inventory/windows.cf 0000644 0000000 0000000 00000000174 15010704240 021726 0 ustar 00root root 0000000 0000000 bundle common inventory_windows
# @brief Windows inventory bundle
#
# This common bundle is for Windows inventory work.
#
# The bundle body is empty: it defines no variables or classes.
{
}
cfengine-masterfiles-3.24.2/inventory/README.md 0000644 0000000 0000000 00000024763 15010704240 021213 0 ustar 00root root 0000000 0000000 The CFEngine 3 inventory modules are pieces of CFEngine policy that are loaded
and used by `promises.cf` in order to *inventory* the system.
CFEngine Enterprise has specific functionality to show and use inventory data,
but users of the Community Version can use them as well locally on each host.
## How It Works
The inventory modules are called in `promises.cf`:
```
body common control
{
bundlesequence => {
# Common bundle first (Best Practice)
inventory_control,
@(inventory.bundles),
...
```
As you see, this calls the `inventory_control` bundle, and then each
bundle in the list `inventory.bundles`. That list is built in the
top-level common `inventory` bundle, which will load the right things
for some common cases. The `any.cf` inventory module is always loaded;
the rest are loaded if they are appropriate for the platform. For
instance, Debian systems will load `debian.cf` and `linux.cf` and
`lsb.cf` but may load others as needed.
The effect for users is that the right inventory modules will be
loaded and evaluated.
The `inventory_control` bundle lives in `def.cf` and defines what
inventory modules should be disabled. You can simply set
`disable_inventory` to avoid the whole system, or you can look for the
`disable_inventory_xyz` class to disable module `xyz`.
Any inventory module works the same way, by doing some discovery work
and then tagging its classes and variables with the `report` or
`inventory` tags. For example:
```
vars:
"ports" slist => { @(mon.listening_ports) },
meta => { "inventory", "attribute_name=Ports listening" };
```
This defines a reported attribute "Ports listening" which contains a
list of strings representing the listening ports. More on this in a
second.
## Your Very Own Inventory Module
The good news is, writing an inventory module is incredibly easy.
They are just CFEngine bundles. You can see a simple one that collects
the listening ports in `any.cf`:
```cf3
bundle agent cfe_autorun_inventory_listening_ports
# @brief Inventory the listening ports
#
# This bundle uses `mon.listening_ports` and is always enabled by
# default, as it runs instantly and has no side effects.
{
vars:
"ports" slist => { @(mon.listening_ports) },
meta => { "inventory", "attribute_name=Ports listening" };
}
```
Well, the slist copy is a CFEngine detail (we get the listening ports from the
monitoring daemon), so just assume that the data is correct. What's important is
the second line that starts with [`meta`](https://docs.cfengine.com/docs/master/reference-promise-types.html#meta).
That defines metadata for the promise that CFEngine will use to determine that
this data is indeed inventory data and should be reported to the CFEngine
Enterprise Hub.
That's it. Really. The comments are optional but nice to have. You don't have to
put your new bundle in a file under the `inventory` directory, either. The
variables and classes can be declared anywhere as long as they have the right
tags. So you can use the `services` directory or whatever else makes sense to
you.
# CFEngine Enterprise vs. Community
In CFEngine Enterprise, the reported data is aggregated in the hub and
reported across the whole host population.
In CFEngine Community, users can use the `classesmatching()` and
`variablesmatching()` functions to collect all the inventory variables
and classes and report them in other ways.
## Implementation Best Practice for CFEngine Enterprise
It is important that inventory variables and classes are continually
defined. Only inventory variables and classes defined during the last
reported run are available for use by the inventory reporting interface.
Inventory items that change frequently can create a burden on the
Enterprise reporting infrastructure. Generally, inventory attributes
should change infrequently.
If you wish to inventory attributes that change frequently or are expensive to
discover, consider implementing a sample interval and a caching mechanism.
# What Modules Are Available?
As soon as you use the `promises.cf` provided in the parent directory,
quite a few inventory modules will be enabled (if appropriate for your
system). Here's the list of modules and what they provide. Note they
are all enabled by code in `def.cf` as explained above.
## Package Inventory
* lives in: `any.cf`
* applies to: All systems
* runs: package modules in order to report on packages installed and patches
available
* disable: define the class ```disable_inventory_package_refresh```. Note this
also disables the default package inventory used by the new packages promise
implementation. This will cause the ```packagesmatching()``` and
```packageupdatesmatching()``` functions to rely on data supplied by the
legacy package promise implementation.
## LSB
* lives in: `lsb.cf`
* applies to: LSB systems (most Linux distributions, basically)
* runs: `lsb_release -a`
* sample data:
```
Distributor ID: Ubuntu
Description: Ubuntu 14.04 LTS
Release: 14.04
Codename: trusty
```
* provides:
* classes `lsb_$(os)`, `lsb_$(os)_$(release)`, `lsb_$(os)_$(codename)`
* variables: `inventory_lsb.os` (Distributor ID), `inventory_lsb.codename`, `inventory_lsb.release`, `inventory_lsb.flavor`, `inventory_lsb.description`
* sample output:
```
% cf-agent -KI -binventory_control,inventory_lsb
R: inventory_lsb: OS = Ubuntu, codename = trusty, release = 14.04, flavor = Ubuntu_14_04, description = Ubuntu 14.04 LTS
```
## SUSE
* lives in: `suse.cf`
* applies to: SUSE Linux
* provides classes: `suse_pure` and `suse_derived`
## Debian
* lives in: `debian.cf`
* applies to: Debian and its derivatives
* provides:
* variables: `inventory_debian.mint_release` and `inventory_debian.mint_codename`
* classes: `debian_pure`, `debian_derived`, `linuxmint`, `lmde`, `linuxmint_$(mint_release)`, `linuxmint_$(mint_codename)`, `$(mint_codename)`
## Red Hat
* lives in: `redhat.cf`
* applies to: Red Hat and its derivatives
* provides classes: `redhat_pure`, `redhat_derived`
## Windows
* lives in: `windows.cf`
## Mac OS X
* lives in: `macos.cf`
## Generic (unknown OS)
* lives in: `generic.cf` (see `any.cf` for generally applicable inventory modules)
## LLDP
* lives in: `any.cf`
* runs `inventory_control.lldpctl_exec` through a Perl filter
* provides variables: `cfe_autorun_inventory_LLDP.K` for each `K` returned by the LLDP executable
## mtab
* lives in: `any.cf`
* parses: `/etc/mtab`
* provides classes: `have_mount_FSTYPE` and `have_mount_FSTYPE_MOUNTPOINT`
* sample output (note this is verbose mode with `-v` because there's a lot of output):
```
% cf-agent -Kv -binventory_control,cfe_autorun_inventory_mtab|grep 'cfe_autorun_inventory_mtab: we have'
R: cfe_autorun_inventory_mtab: we have a ext4 mount under /
...
R: cfe_autorun_inventory_mtab: we have a cgroup mount under /sys/fs/cgroup/systemd
R: cfe_autorun_inventory_mtab: we have a tmpfs mount under /run/shm
```
## fstab
* lives in: `any.cf`
* parses: `sys.fstab`
* provides classes: `have_fs_FSTYPE` `have_fs_MOUNTPOINT` and `have_fs_FSTYPE_MOUNTPOINT`
* sample output (note this is verbose mode with `-v` because there's a LOT of output):
```
% cf-agent -Kv -binventory_control,cfe_autorun_inventory_fstab|grep 'cfe_autorun_inventory_fstab: we have'
R: cfe_autorun_inventory_fstab: we have a ext4 fstab entry under /
R: cfe_autorun_inventory_fstab: we have a cifs fstab entry under /backups/load
R: cfe_autorun_inventory_fstab: we have a auto fstab entry under /mnt/cdrom
```
## DMI decoding
* lives in: `any.cf`
* runs: `dmidecode`
* provides variables: `cfe_autorun_inventory_dmidecode.dmi[K]` for each key K in the `dmidecode` output
* sample output (sudo is needed to access the DMI):
```
% sudo /var/cfengine/bin/cf-agent -KI -binventory_control,cfe_autorun_inventory_dmidecode
R: cfe_autorun_inventory_dmidecode: Obtained BIOS vendor = 'Intel Corp.'
R: cfe_autorun_inventory_dmidecode: Obtained BIOS version = 'BLH6710H.86A.0146.2013.1555.1888'
R: cfe_autorun_inventory_dmidecode: Obtained System serial number = ''
R: cfe_autorun_inventory_dmidecode: Obtained System manufacturer = ''
R: cfe_autorun_inventory_dmidecode: Obtained System version = ''
R: cfe_autorun_inventory_dmidecode: Obtained CPU model = 'Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz'
```
## Listening ports
* lives in: `any.cf`
* provides variables: `cfe_autorun_inventory_listening_ports.ports` as a copy of `mon.listening_ports`
## Disk space
* lives in: `any.cf`
* provides variables: `cfe_autorun_inventory_disk.free` as a copy of `mon.value_diskfree`
## Available memory
* lives in: `any.cf`
* provides variables: `cfe_autorun_inventory_memory.free` as a copy of `mon.value_mem_free` and `cfe_autorun_inventory_memory.total` as a copy of `mon.value_mem_total`
## Load average
* lives in: `any.cf`
* provides variables: `cfe_autorun_inventory_loadaverage.value` as a copy of `mon.value_loadavg`
## procfs
* lives in: `any.cf`
* parses: `consoles`, `cpuinfo`, `modules`, `partitions`, `version`
* provides variables: `cfe_autorun_inventory_proc.console_count`, `cfe_autorun_inventory_proc.cpuinfo[K]` for each CPU info key, `cfe_autorun_inventory_proc.paritions[K]` for each partition key
* provides classes: `_have_console_CONSOLENAME`, `have_module_MODULENAME`
* sample output (note this is verbose mode with `-v` because there's a LOT of output):
```
% cf-agent -Kv -binventory_control,cfe_autorun_inventory_proc|grep 'cfe_autorun_inventory_proc: we have'
R: cfe_autorun_inventory_proc: we have console tty0
R: cfe_autorun_inventory_proc: we have module snd_seq_midi
...
R: cfe_autorun_inventory_proc: we have module ghash_clmulni_intel
R: cfe_autorun_inventory_proc: we have cpuinfo flags = fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid
...
R: cfe_autorun_inventory_proc: we have cpuinfo model name = Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
R: cfe_autorun_inventory_proc: we have partitions sr0 with 1048575 blocks
...
R: cfe_autorun_inventory_proc: we have partitions sda with 468851544 blocks
R: cfe_autorun_inventory_proc: we have kernel version 'Linux version 3.11.0-15-generic (buildd@roseapple) (gcc version 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu8) ) #25-Ubuntu SMP Thu Jan 30 17:22:01 UTC 2014'
```
cfengine-masterfiles-3.24.2/inventory/lsb.cf 0000644 0000000 0000000 00000005762 15010704240 021024 0 ustar 00root root 0000000 0000000 bundle agent inventory_lsb
# @brief LSB inventory bundle
#
# This agent bundle is for LSB inventory work.
#
# It runs `$(inventory_control.lsb_exec) -a` without a shell, parses the
# output into the `lsb` array, and derives variables and namespace-scoped
# classes from the parsed values.
{
classes:
# The LSB executable must exist before it is run.
"have_lsb" expression => fileexists($(lsb_exec));
# Set when $(dim), the result of parsestringarray() below, is a positive
# integer. Namespace scope makes the class visible outside this bundle.
"_inventory_lsb_found" expression => regcmp("^[1-9][0-9]*$", $(dim)),
scope => "namespace";
_inventory_lsb_found::
# Each class below waits (depends_on) for the variables it interpolates.
"lsb_$(os)" expression => "any",
comment => "LSB Distributor ID",
depends_on => { "inventory_lsb_os" },
scope => "namespace",
meta => { "inventory", "attribute_name=none" };
"lsb_$(os)_$(release)" expression => "any",
comment => "LSB Distributor ID and Release",
depends_on => { "inventory_lsb_os", "inventory_lsb_release" },
scope => "namespace",
meta => { "inventory", "attribute_name=none" };
"lsb_$(os)_$(codename)" expression => "any",
comment => "LSB Distributor ID and Codename",
depends_on => { "inventory_lsb_os", "inventory_lsb_codename" },
scope => "namespace",
meta => { "inventory", "attribute_name=none" };
vars:
"lsb_exec" string => "$(inventory_control.lsb_exec)";
have_lsb::
# Executed with "noshell"; the only argument is the fixed string "-a".
"data" string => execresult("$(lsb_exec) -a", "noshell");
# Arguments after the input string: comment regex, field separator regex,
# maximum entries (15) and maximum bytes (4095).
"dim" int => parsestringarray(
"lsb",
$(data),
"\s*#[^\n]*",
"\s*:\s+",
"15",
"4095"
);
_inventory_lsb_found::
"lsb_keys" slist => getindices("lsb");
# os, codename and flavor are passed through canonify(); release and
# description are kept exactly as parsed from the command output.
"os" string => canonify("$(lsb[Distributor ID][1])"),
handle => "inventory_lsb_os",
comment => "LSB-provided OS name",
meta => { "inventory", "attribute_name=none" };
"codename" string => canonify("$(lsb[Codename][1])"),
handle => "inventory_lsb_codename",
comment => "LSB-provided OS code name",
meta => { "inventory", "attribute_name=none" };
"release" string => "$(lsb[Release][1])",
handle => "inventory_lsb_release",
comment => "LSB-provided OS release",
meta => { "inventory", "attribute_name=none" };
"flavor" string => canonify("$(lsb[Distributor ID][1])_$(lsb[Release][1])"),
handle => "inventory_lsb_flavor",
comment => "LSB-provided OS flavor",
meta => { "inventory", "attribute_name=none" };
"description" string => "$(lsb[Description][1])",
handle => "inventory_lsb_description",
comment => "LSB-provided OS description",
meta => { "inventory", "attribute_name=none" };
reports:
(DEBUG|DEBUG_inventory_lsb)._inventory_lsb_found::
"DEBUG $(this.bundle): OS = $(os), codename = $(codename), release = $(release), flavor = $(flavor), description = $(description)";
"DEBUG $(this.bundle): got $(dim) LSB keys";
"DEBUG $(this.bundle): prepared LSB key $(lsb_keys) = '$(lsb[$(lsb_keys)][1])'";
(DEBUG|DEBUG_inventory_lsb).!_inventory_lsb_found::
"DEBUG $(this.bundle): LSB inventory not found";
}
cfengine-masterfiles-3.24.2/inventory/suse.cf 0000644 0000000 0000000 00000000650 15010704240 021212 0 ustar 00root root 0000000 0000000 bundle common inventory_suse
# @brief SUSE inventory bundle
#
# This common bundle is for SUSE Linux inventory work.
#
# Defines `suse_pure` and `suse_derived` from the classes `sles`, `sled` and
# `opensuse`, none of which are defined in this bundle.
{
classes:
# SLES or SLED, and not openSUSE.
"suse_pure" expression => "(sles|sled).!opensuse",
comment => "pure SUSE",
meta => { "inventory", "attribute_name=none" };
# openSUSE that is not already classified as pure SUSE.
"suse_derived" expression => "opensuse.!suse_pure",
comment => "derived from SUSE",
meta => { "inventory", "attribute_name=none" };
}
cfengine-masterfiles-3.24.2/inventory/linux.cf 0000644 0000000 0000000 00000010305 15010704240 021370 0 ustar 00root root 0000000 0000000 bundle common inventory_linux
# @brief Linux inventory
#
# This common bundle is for Linux inventory work.
#
# Provides:
# systemd class based on linktarget of /proc/1/cmdline
#
# It also inventories the device-tree model and serial number, the interface
# carrying the IPv4 default route, and the NFS servers seen in /proc/mounts.
{
vars:
# have_proc_device_tree is not defined in this bundle; presumably it is set
# elsewhere -- confirm.
have_proc_device_tree::
"_model_path" string => "/proc/device-tree/model";
"proc_device_tree_model" string => readfile("$(_model_path)"),
if => fileexists("$(_model_path)"),
comment => "Read model from $(_model_path) because it's not available from DMI",
meta => { "inventory", "attribute_name=System version" };
"_serial_number_path" string => "/proc/device-tree/serial-number";
"proc_device_tree_serial_number" string => readfile("$(_serial_number_path)"),
if => fileexists("$(_serial_number_path)"),
comment => "Read serial number from $(_serial_number_path) because it's not available from DMI",
meta => { "inventory", "attribute_name=System serial number" };
has_proc_1_cmdline::
# Reads at most 512 bytes and splits on a space into at most 2 parts.
# NOTE(review): Linux separates the arguments in /proc/<pid>/cmdline with
# NUL bytes; how readfile() presents them to string_split() is not visible
# here -- confirm the split behaves as intended.
"proc_1_cmdline_split" slist => string_split(readfile("/proc/1/cmdline", "512"), " ", "2"),
comment => "Read /proc/1/cmdline and split off arguments";
"proc_1_cmdline" string => nth("proc_1_cmdline_split", 0),
comment => "Get argv[0] of /proc/1/cmdline";
# this is the same as the original file for non-links
"proc_1_process" string => filestat($(proc_1_cmdline), "linktarget");
any::
# Parses /proc/net/route with "#..." as the comment regex and whitespace
# as the separator, limited to 40 entries and 4k bytes.
"proc_routes" data => data_readstringarrayidx("/proc/net/route",
"#[^\n]*","\s+",40,4k),
if => fileexists("/proc/net/route");
"routeidx" slist => getindices("proc_routes");
# Column 1 equal to "00000000" selects the default route; column 0 of that
# row is the interface name.
"dgw_ipv4_iface" string => "$(proc_routes[$(routeidx)][0])",
comment => "Name of the interface where default gateway is routed",
if => strcmp("$(proc_routes[$(routeidx)][1])", "00000000");
linux::
# NOTE(review): the grep pattern requires " nfs " with a space on both
# sides, so lines whose type field is e.g. "nfs4" do not match -- confirm
# that this is intended.
"nfs_servers" -> { "CFE-3259" }
comment => "NFS servers (to list hosts impacted by NFS outages)",
slist => maplist( regex_replace( $(this) , ":.*", "", "g"),
# NFS server is before the colon (:), that's all we want
# e.g., nfs.example.com:/vol/homedir/user1 /home/user1 ...
# ^^^^^^^^^^^^^^^
grep( ".* nfs .*",
readstringlist("/proc/mounts", "", "\n", inf, inf)
)
),
if => fileexists( "/proc/mounts" );
# One array entry per server, so each server is inventoried under
# "NFS Server".
"nfs_server[$(nfs_servers)]"
string => "$(nfs_servers)",
meta => { "inventory", "attribute_name=NFS Server" };
classes:
any::
"has_proc_1_cmdline" expression => fileexists("/proc/1/cmdline"),
comment => "Check if we can read /proc/1/cmdline";
"inventory_have_python_symlink" expression => fileexists("$(sys.bindir)/cfengine-selected-python");
has_proc_1_cmdline::
# Compares the last path component of the link target with "systemd".
"systemd" expression => strcmp(lastnode($(proc_1_process), "/"), "systemd"),
comment => "Check if (the link target of) /proc/1/cmdline is systemd";
inventory_have_python_symlink::
# Runs a shell pipeline (useshell). The only value expanded into the shell
# line is $(sys.bindir). The pipeline takes the second field of the
# "Python X.Y.Z" line and succeeds when X >= 3, or X == 2 and Y >= 4.
# Presumably an unparsable version makes the numeric tests fail, leaving
# the class undefined -- confirm.
"cfe_python_for_package_modules_supported" -> { "CFE-2602", "CFE-3512", "ENT-10248" }
comment => concat( "Here we see if the version of python found is",
" acceptable ( 3.x or 2.4 or greater ) for package",
" modules. We use this guard to prevent errors",
" related to missing python modules."),
expression => returnszero("$(sys.bindir)/cfengine-selected-python -V 2>&1 | grep ^Python | cut -d' ' -f 2 | ( IFS=. read v1 v2 v3 ; [ $v1 -ge 3 ] || [ $v1 -eq 2 -a $v2 -ge 4 ] )",
useshell);
}
bundle monitor measure_entropy_available
# @brief Measure amount of entropy available
#
# On Linux, samples /proc/sys/kernel/random/entropy_avail as an integer
# measurement with the handle `entropy_avail` and weekly history.
{
  measurements:
    linux::
      # A lack of entropy can cause agents to hang
      "/proc/sys/kernel/random/entropy_avail" -> { "ENT-6495", "ENT-6494" }
        comment => "Amount of entropy available",
        handle => "entropy_avail",
        if => fileexists( "/proc/sys/kernel/random/entropy_avail" ),
        stream_type => "file",
        match_value => single_value("\d+"),
        data_type => "int",
        units => "bits",
        history_type => "weekly";
}
cfengine-masterfiles-3.24.2/inventory/debian.cf 0000644 0000000 0000000 00000007220 15010704240 021455 0 ustar 00root root 0000000 0000000 bundle common inventory_debian
# @brief Debian inventory
#
# This common bundle is for Debian inventory work.
#
# It tells pure Debian apart from derivatives and, for Linux Mint, defines
# release and codename classes from /etc/linuxmint/info.
{
vars:
has_lsb_release::
# Read is capped at 256 bytes.
"lsb_release_info" string => readfile("/etc/lsb-release","256"),
comment => "Read more OS info" ;
has_etc_linuxmint_info::
# Read is capped at 1024 bytes.
"linuxmint_info" string => readfile("/etc/linuxmint/info","1024"),
comment => "Read Linux Mint specific info" ;
"lm_info_count"
int => parsestringarray("mint_info", # array to populate
"$(linuxmint_info)", # data to parse
"\s*#[^\n]*", # comments
"=", # split
100, # maxentries
2048) ; # maxbytes
"mint_release" string => "$(mint_info[RELEASE][1])" ;
"mint_codename" string => "$(mint_info[CODENAME][1])" ;
classes:
any::
# Bundle-scoped marker used as a guard further down, so that the classes
# depending on the parsed Mint data are defined after it.
"debian_derived_evaluated"
scope => "bundle",
or => { isvariable("sys.os_release"), "has_lsb_release", "has_etc_linuxmint_info" } ;
"linuxmint"
expression => "has_etc_linuxmint_info",
comment => "this is a Linux Mint system, of some sort",
meta => { "inventory", "attribute_name=none" } ;
has_lsb_release::
"linuxmint"
expression => regcmp("(?ms).*^DISTRIB_ID=LinuxMint$.*", "$(lsb_release_info)"),
comment => "this is a Linux Mint system, of some sort",
meta => { "inventory", "attribute_name=none" } ;
# lmde is detected from three sources: os-release NAME, lsb-release
# DISTRIB_DESCRIPTION and the Mint info file DESCRIPTION.
linuxmint::
"lmde"
expression => regcmp('.*LMDE.*', "$(sys.os_release[NAME])"),
comment => "this is a Linux Mint Debian Edition",
meta => { "inventory", "attribute_name=none", "derived-from=sys.os_release[NAME]" } ;
linuxmint.has_lsb_release::
"lmde"
expression => regcmp('(?ms).*^DISTRIB_DESCRIPTION="LMDE.*', "$(lsb_release_info)"),
comment => "this is a Linux Mint Debian Edition",
meta => { "inventory", "attribute_name=none", "derived-from=inventory_debian.lsb_release_info" } ;
has_etc_linuxmint_info::
"lmde"
expression => regcmp('(?ms).*^DESCRIPTION="LMDE.*',"$(linuxmint_info)"),
comment => "this is a Linux Mint Debian Edition",
meta => { "inventory", "attribute_name=none", "derived-from=inventory_debian.linuxmint_info" } ;
debian_derived_evaluated.has_etc_linuxmint_info.!lmde::
# These need to be evaluated only after debian_derived_evaluated is defined
# to ensure that the mint_info array has been evaluated as well.
# Failing to do that will create meaningless classes
# On non-LMDE Mint systems, this will create classes like, e.g.:
# linuxmint_14, nadia, linuxmint_nadia
# NOTE(review): the class names below come from the RELEASE and CODENAME
# values in /etc/linuxmint/info, and "$(mint_codename)" has no fixed prefix.
# The file content is therefore trusted to name classes; presumably it is
# writable by root only -- confirm.
"linuxmint_$(mint_release)" expression => "any",
meta => { "inventory", "attribute_name=none" } ;
"$(mint_codename)" expression => "any",
meta => { "inventory", "attribute_name=none" } ;
"linuxmint_$(mint_codename)" expression => "any",
meta => { "inventory", "attribute_name=none" } ;
debian_derived_evaluated::
"debian_pure" expression => "debian.!(ubuntu|linuxmint)",
comment => "pure Debian",
meta => { "inventory", "attribute_name=none" };
"debian_derived" expression => "debian.!debian_pure",
comment => "derived from Debian",
meta => { "inventory", "attribute_name=none" };
any::
# These two file checks are declared last but are used as guards above.
"has_lsb_release" expression => fileexists("/etc/lsb-release"),
comment => "Check if we can get more info from /etc/lsb-release";
"has_etc_linuxmint_info" expression => fileexists("/etc/linuxmint/info"),
comment => "If this is a Linux Mint system, this *could* be available";
}
cfengine-masterfiles-3.24.2/inventory/freebsd.cf 0000644 0000000 0000000 00000000174 15010704240 021646 0 ustar 00root root 0000000 0000000 bundle common inventory_freebsd
# @brief FreeBSD inventory bundle
#
# This common bundle is for FreeBSD inventory work.
#
# The bundle body is empty: it defines no variables or classes.
{
}
cfengine-masterfiles-3.24.2/inventory/macos.cf 0000644 0000000 0000000 00000000174 15010704240 021336 0 ustar 00root root 0000000 0000000 bundle common inventory_macos
# @brief Mac OS X inventory bundle
#
# This common bundle is for Mac OS X inventory work.
#
# The bundle body is empty: it defines no variables or classes.
{
}
cfengine-masterfiles-3.24.2/inventory/aix.cf 0000644 0000000 0000000 00000004273 15010704240 021021 0 ustar 00root root 0000000 0000000 bundle agent inventory_aix
# @brief AIX inventory bundle
#
# This agent bundle is for AIX inventory work.
{
methods:
# Delegates to the inventory_aix_oslevel bundle.
"oslevel"
usebundle => inventory_aix_oslevel;
}
bundle agent inventory_aix_oslevel
# @brief Inventory oslevel
# @description This policy inventories oslevel on aix. It caches the information
# for up to 1 day before re-discovering.
#
# The command output is written to cache files under $(sys.statedir), and the
# inventory variables are read back from those files.
{
vars:
# Use paths.oslevel when it is defined, otherwise the fixed default path.
"oslevel"
string => ifelse( isvariable( "paths.oslevel" ), $(paths.oslevel),
"/usr/bin/oslevel" );
commands:
aix::
# Both commands run in a shell (contain => in_shell) because their args
# carry a `>` redirection into the cache file. Each runs only while its
# cache file is absent.
"$(oslevel)"
handle => "cache_aix_oslevel_s",
args => "-s > $(sys.statedir)/aix-oslevel-s",
if => not( fileexists( "$(sys.statedir)/aix-oslevel-s" ) ),
contain => in_shell,
comment => "We cache the highest service pack reached to avoid
unnecessary command executions.";
"$(oslevel)"
handle => "cache_aix_oslevel_r",
args => "-r > $(sys.statedir)/aix-oslevel-r",
if => not( fileexists( "$(sys.statedir)/aix-oslevel-r" ) ),
contain => in_shell,
comment => "We cache the highest technology level reached to avoid
unnecessary command executions.";
files:
aix::
# Cache expiry: delete each cache file selected by days_old( 1 ), so the
# matching command above runs again.
"$(sys.statedir)/aix-oslevel-r"
handle => "cache_expire_aix_oslevel_r",
delete => tidy,
file_select => days_old( 1 ),
comment => "We regularly clear the cache to avoid stale data";
"$(sys.statedir)/aix-oslevel-s"
handle => "cache_expire_aix_oslevel_s",
delete => tidy,
file_select => days_old( 1 ),
comment => "We regularly clear the cache to avoid stale data";
vars:
aix::
# Inventory values are read from the cache files, capped at 1K each, and
# only when the file exists.
"oslevel_s"
string => readfile("$(sys.statedir)/aix-oslevel-s", 1K ),
if => fileexists("$(sys.statedir)/aix-oslevel-s"),
meta => { "inventory", "attribute_name=Highest Service Pack" };
"oslevel_r"
string => readfile("$(sys.statedir)/aix-oslevel-r", 1K),
if => fileexists("$(sys.statedir)/aix-oslevel-r"),
meta => { "inventory", "attribute_name=Highest Technology Level" };
reports:
DEBUG::
"Highest Service Pack: $(oslevel_s)";
"Highest Technology Level: $(oslevel_r)";
}
cfengine-masterfiles-3.24.2/inventory/os.cf 0000644 0000000 0000000 00000013372 15010704240 020661 0 ustar 00root root 0000000 0000000 bundle common inventory_os
# Defines the variable "description", tagged for inventory with
# attribute_name=OS. The variable is defined many times in this bundle;
# as the notes below say, the bundle relies on variable overwriting, so a
# definition further down takes priority over the ones above it. Do not
# reorder the promises without checking which value should win.
{
vars:
# NOTE TODO: This first part is the old implementation
# scroll down to the @if minimum_version part for the
# current implementation.
# This bundle uses variable overwriting, so the definitions further
# down are prioritized.
# Fall back to old LSB based implementation (Lowest priority):
_inventory_lsb_found::
"description" string => "$(inventory_lsb.os) $(inventory_lsb.release)",
meta => { "inventory", "attribute_name=OS" };
!_inventory_lsb_found.windows::
"description" string => "$(sys.release)",
meta => { "inventory", "attribute_name=OS" };
!_inventory_lsb_found.!windows::
"description" string => "$(sys.flavor) (LSB missing)",
meta => { "inventory", "attribute_name=OS" };
# Hard coded values for exceptions / platforms without os-release:
(redhat_5|redhat_6).redhat_pure::
# Drops every " release " from the LSB description, replacing it with a
# single space; only evaluated when inventory_lsb.description is defined.
"description" string => regex_replace("$(inventory_lsb.description)", " release ", " ", "g"),
if => isvariable("inventory_lsb.description"),
meta => { "inventory", "attribute_name=OS", "derived-from=inventory_lsb.description" };
centos_5::
"description" string => "CentOS Linux 5", # Matches format of os-release on 7+
meta => { "inventory", "attribute_name=OS", "derived-from=centos_5" };
centos_6::
"description" string => "CentOS Linux 6", # Matches format of os-release on 7+
meta => { "inventory", "attribute_name=OS", "derived-from=centos_6" };
# os-release PRETTY_NAME preferred whenever available (Highest priority):
any::
"description" string => "$(sys.os_release[PRETTY_NAME])",
if => isvariable("sys.os_release[PRETTY_NAME]"),
meta => { "inventory", "attribute_name=OS", "derived-from=sys.os_release" };
# TODO: Remove promises above this line once 3.15+ is what we care about
# New style for Inventory OS variable:
# As short and human-friendly as possible, and consistent across platforms(!)
# Examples: CentOS 7, Ubuntu 18, Debian 9, SUSE 12, etc.
# Everything up to the matching @endif is guarded by the
# minimum_version(3.15) macro.
@if minimum_version(3.15)
!_inventory_lsb_found.!windows::
"description" string => "$(sys.flavor) (LSB missing)",
meta => { "inventory", "attribute_name=OS" };
_inventory_lsb_found::
"description" string => "$(inventory_lsb.os) $(inventory_lsb.release)",
meta => { "inventory", "attribute_name=OS" };
windows::
# Shortens sys.release: "Windows Server" becomes "Windows", then
# "2012 R2" becomes "2012" (the inner string_replace runs first).
"description" string => string_replace(string_replace(
"$(sys.release)",
"Windows Server", "Windows"),
"2012 R2", "2012"),
meta => { "inventory", "attribute_name=OS" };
# os-release is preferred over LSB:
any::
# os-release PRETTY_NAME
# The nested string_replace calls are applied innermost first and shorten
# the distribution names listed below.
"description" string => string_replace(string_replace(string_replace(string_replace(
"$(sys.os_release[PRETTY_NAME])",
"Red Hat Enterprise Linux Server", "RHEL"),
"Debian GNU/Linux", "Debian"),
"CentOS Linux", "CentOS"),
"Rocky Linux", "Rocky"),
if => isvariable("sys.os_release[PRETTY_NAME]"),
meta => { "inventory", "attribute_name=OS", "derived-from=sys.os_release" };
# First element of VERSION_ID after splitting on a literal dot, i.e. the
# part before the first "."; only defined when VERSION_ID exists.
"major_version_from_os_release" string => nth(string_split("$(sys.os_release[VERSION_ID])", "\.", 2), 0),
if => isvariable("sys.os_release[VERSION_ID]");
# os-release NAME VERSION_ID - preferred when available
# Needs both NAME and the major version computed above. The longer
# "Red Hat Enterprise Linux Server" replacement is the innermost call and
# so runs before the shorter "Red Hat Enterprise Linux" one.
"description" string => string_replace(string_replace(string_replace(string_replace(string_replace(string_replace(
"$(sys.os_release[NAME]) $(major_version_from_os_release)",
"Red Hat Enterprise Linux Server", "RHEL"), # Seen on RHEL 7...
"Red Hat Enterprise Linux", "RHEL"), # On RHEL 8 they changed their mind
"Debian GNU/Linux", "Debian"),
"CentOS Linux", "CentOS"),
"Rocky Linux", "Rocky"),
"SLES", "SUSE"),
if => and(isvariable("sys.os_release[NAME]"),
isvariable("major_version_from_os_release")),
meta => { "inventory", "attribute_name=OS", "derived-from=sys.os_release" };
# Hard coded values for exceptions / platforms without os-release:
redhat_5.redhat_pure::
"description" string => "RHEL 5",
meta => { "inventory", "attribute_name=OS", "derived-from=redhat_5" };
redhat_6.redhat_pure::
"description" string => "RHEL 6",
meta => { "inventory", "attribute_name=OS", "derived-from=redhat_6" };
centos_5::
"description" string => "CentOS 5",
meta => { "inventory", "attribute_name=OS", "derived-from=centos_5" };
centos_6::
"description" string => "CentOS 6",
meta => { "inventory", "attribute_name=OS", "derived-from=centos_6" };
@endif
# TODO: Remove all of the logic above once 3.18 clients are expected everywhere
# Guarded by the minimum_version(3.18) macro. These definitions come last
# in the bundle, so where they apply they replace every value set above.
@if minimum_version(3.18)
any::
"description"
string => "$(sys.os_name_human) $(sys.os_version_major)",
meta => { "inventory", "attribute_name=OS" };
# The two platform-specific values below replace the generic one just
# defined; each promisee names what looks like a ticket id.
rocky::
"description" -> { "ENT-8292" }
string => "Rocky $(sys.os_version_major)",
meta => { "inventory", "attribute_name=OS" };
amzn_2::
"description" -> { "ENT-10817" }
string => "Amazon 2",
meta => { "inventory", "attribute_name=OS" };
any::
# Last definition in the bundle: use PRETTY_NAME only when
# sys.os_name_human is the literal string "Unknown" and PRETTY_NAME is
# defined.
"description"
string => "$(sys.os_release[PRETTY_NAME])",
if => and(
strcmp("$(sys.os_name_human)", "Unknown"),
isvariable("sys.os_release[PRETTY_NAME]")
),
meta => { "inventory", "attribute_name=OS", "derived-from=sys.os_release" };
@endif
}
cfengine-masterfiles-3.24.2/inventory/generic.cf 0000644 0000000 0000000 00000000250 15010704240 021643 0 ustar 00root root 0000000 0000000 bundle common inventory_generic
# @brief Generic (unknown OS) inventory
#
# This common bundle is for unknown operating systems, not handled by
# specific bundles.
#
# The bundle body is empty: it defines no variables or classes.
{
}
cfengine-masterfiles-3.24.2/inventory/redhat.cf 0000644 0000000 0000000 00000001620 15010704240 021500 0 ustar 00root root 0000000 0000000 bundle common inventory_redhat
# @brief Red Hat inventory bundle
#
# This common bundle is for Red Hat Linux inventory work.
#
# Classes defined here:
#   redhat_pure    - os-release ID is "rhel", or the host is in class redhat,
#                    in none of the listed derivative classes, and has no
#                    sys.os_release variable
#   redhat_derived - class redhat is set but redhat_pure is not
#   inventory_redhat_have_python_symlink
#                  - the file $(sys.bindir)/cfengine-selected-python exists
{
classes:
# "or" makes the class true when either list element is true. The second
# element compares the string returned by and() with "any", which is what
# and() returns when all of its arguments hold.
"redhat_pure" or => { strcmp( "$(sys.os_release[ID])" , "rhel" ), # Red Hat > 7 have /etc/os-release and the ID field is set to rhel
strcmp( "any", and( "redhat.!(centos|oracle|fedora|rocky|almalinux)", # Red Hat < 7 does not have /etc/os-release, and is pure if we don't find another known derivative
not( isvariable( "sys.os_release" ))))},
comment => "pure Red Hat",
meta => { "inventory", "attribute_name=none" };
"redhat_derived" expression => "redhat.!redhat_pure",
comment => "derived from Red Hat",
meta => { "inventory", "attribute_name=none" };
# Unlike the two classes above, this one carries no inventory meta tags.
"inventory_redhat_have_python_symlink" expression => fileexists("$(sys.bindir)/cfengine-selected-python");
}
cfengine-masterfiles-3.24.2/Makefile.in 0000644 0000000 0000000 00000070766 15010704303 017750 0 ustar 00root root 0000000 0000000 # Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
target_triplet = @target@
subdir = .
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/adl_recursive_eval.m4 \
$(top_srcdir)/m4/tar.m4 $(top_srcdir)/m4/cf3_platforms.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \
$(am__configure_deps) $(nobase_dist_masterfiles_DATA) \
$(am__DIST_COMMON)
am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
configure.lineno config.status.lineno
mkinstalldirs = $(install_sh) -d
CONFIG_CLEAN_FILES = controls/update_def.cf update.cf promises.cf \
standalone_self_upgrade.cf
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
install-data-recursive install-dvi-recursive \
install-exec-recursive install-html-recursive \
install-info-recursive install-pdf-recursive \
install-ps-recursive install-recursive installcheck-recursive \
installdirs-recursive pdf-recursive ps-recursive \
tags-recursive uninstall-recursive
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(masterfilesdir)"
DATA = $(nobase_dist_masterfiles_DATA)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
am__recursive_targets = \
$(RECURSIVE_TARGETS) \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/promises.cf.in \
$(srcdir)/standalone_self_upgrade.cf.in $(srcdir)/update.cf.in \
$(top_srcdir)/controls/update_def.cf.in config.guess \
config.sub install-sh missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
if test -d "$(distdir)"; then \
find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -rf "$(distdir)" \
|| { sleep 5 && rm -rf "$(distdir)"; }; \
else :; fi
am__post_remove_distdir = $(am__remove_distdir)
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
sed_rest='s,^[^/]*/*,,'; \
sed_last='s,^.*/\([^/]*\)$$,\1,'; \
sed_butlast='s,/*[^/]*$$,,'; \
while test -n "$$dir1"; do \
first=`echo "$$dir1" | sed -e "$$sed_first"`; \
if test "$$first" != "."; then \
if test "$$first" = ".."; then \
dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
else \
first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
if test "$$first2" = "$$first"; then \
dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
else \
dir2="../$$dir2"; \
fi; \
dir0="$$dir0"/"$$first"; \
fi; \
fi; \
dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
done; \
reldir="$$dir2"
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
DIST_TARGETS = dist-gzip
distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
distcleancheck_listfiles = find . -type f -print
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LTLIBOBJS = @LTLIBOBJS@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
MASTERFILES_INSTALL_TARGETS = @MASTERFILES_INSTALL_TARGETS@
MASTERFILES_TESTS = @MASTERFILES_TESTS@
MKDIR_P = @MKDIR_P@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
RELEASE = @RELEASE@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
STRIP = @STRIP@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_cv_pkg_install = @ac_cv_pkg_install@
ac_cv_shunit2 = @ac_cv_shunit2@
am__leading_dot = @am__leading_dot@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
core_dir = @core_dir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
enterprise_dir = @enterprise_dir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target = @target@
target_alias = @target_alias@
target_cpu = @target_cpu@
target_os = @target_os@
target_vendor = @target_vendor@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
# Flags handed to aclocal by the $(ACLOCAL_M4) rule.
ACLOCAL_AMFLAGS = -I m4
# Subdirectories the *-recursive targets descend into.
SUBDIRS = \
tests/
# See configure.ac for MASTERFILES_INSTALL_TARGETS.
nobase_dist_masterfiles_DATA = @MASTERFILES_INSTALL_TARGETS@
# Installation directory for the files listed above.
masterfilesdir = $(prefix)/masterfiles
# Extra files included in DISTFILES, i.e. shipped in the distribution.
EXTRA_DIST = README.md inventory/README.md lib/README.md CONTRIBUTING.md LICENSE CFVERSION modules/promises
# Do not reveal the user and group of the build host in the tarball.
# GNU tar reads default options from the TAR_OPTIONS environment variable
# (the variable is exported near the end of this file), so archive members
# are recorded with owner and group 0. Only ownership is normalised by these
# options; timestamps and permission bits are stored as found on disk.
TAR_OPTIONS = --owner=0 --group=0
all: all-recursive
.SUFFIXES:
am--refresh: Makefile
@:
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
echo ' cd $(srcdir) && $(AUTOMAKE) --foreign'; \
$(am__cd) $(srcdir) && $(AUTOMAKE) --foreign \
&& exit 0; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
echo ' $(SHELL) ./config.status'; \
$(SHELL) ./config.status;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
$(SHELL) ./config.status --recheck
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
$(am__cd) $(srcdir) && $(AUTOCONF)
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
$(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
$(am__aclocal_m4_deps):
controls/update_def.cf: $(top_builddir)/config.status $(top_srcdir)/controls/update_def.cf.in
cd $(top_builddir) && $(SHELL) ./config.status $@
update.cf: $(top_builddir)/config.status $(srcdir)/update.cf.in
cd $(top_builddir) && $(SHELL) ./config.status $@
promises.cf: $(top_builddir)/config.status $(srcdir)/promises.cf.in
cd $(top_builddir) && $(SHELL) ./config.status $@
standalone_self_upgrade.cf: $(top_builddir)/config.status $(srcdir)/standalone_self_upgrade.cf.in
cd $(top_builddir) && $(SHELL) ./config.status $@
install-nobase_dist_masterfilesDATA: $(nobase_dist_masterfiles_DATA)
@$(NORMAL_INSTALL)
@list='$(nobase_dist_masterfiles_DATA)'; test -n "$(masterfilesdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(masterfilesdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(masterfilesdir)" || exit 1; \
fi; \
$(am__nobase_list) | while read dir files; do \
xfiles=; for file in $$files; do \
if test -f "$$file"; then xfiles="$$xfiles $$file"; \
else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \
test -z "$$xfiles" || { \
test "x$$dir" = x. || { \
echo " $(MKDIR_P) '$(DESTDIR)$(masterfilesdir)/$$dir'"; \
$(MKDIR_P) "$(DESTDIR)$(masterfilesdir)/$$dir"; }; \
echo " $(INSTALL_DATA) $$xfiles '$(DESTDIR)$(masterfilesdir)/$$dir'"; \
$(INSTALL_DATA) $$xfiles "$(DESTDIR)$(masterfilesdir)/$$dir" || exit $$?; }; \
done
uninstall-nobase_dist_masterfilesDATA:
@$(NORMAL_UNINSTALL)
@list='$(nobase_dist_masterfiles_DATA)'; test -n "$(masterfilesdir)" || list=; \
$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
dir='$(DESTDIR)$(masterfilesdir)'; $(am__uninstall_files_from_dir)
# This directory's subdirectories are mostly independent; you can cd
# into them and run 'make' without going through this Makefile.
# To change the values of 'make' variables: instead of editing Makefiles,
# (1) if the variable is set in 'config.status', edit 'config.status'
# (which will cause the Makefiles to be regenerated when you run 'make');
# (2) otherwise, pass the desired values on the 'make' command line.
$(am__recursive_targets):
@fail=; \
if $(am__make_keepgoing); then \
failcom='fail=yes'; \
else \
failcom='exit 1'; \
fi; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done; \
if test "$$dot_seen" = "no"; then \
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-recursive
TAGS: tags
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
include_option=--etags-include; \
empty_fix=.; \
else \
include_option=--include; \
empty_fix=; \
fi; \
list='$(SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test ! -f $$subdir/TAGS || \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: ctags-recursive
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscope: cscope.files
test ! -s cscope.files \
|| $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS)
clean-cscope:
-rm -f cscope.files
cscope.files: clean-cscope cscopelist
cscopelist: cscopelist-recursive
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
distdir: $(DISTFILES)
$(am__remove_distdir)
test -d "$(distdir)" || mkdir "$(distdir)"
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
$(am__make_dryrun) \
|| test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
dir1=$$subdir; dir2="$(top_distdir)"; \
$(am__relativize); \
new_top_distdir=$$reldir; \
echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
($(am__cd) $$subdir && \
$(MAKE) $(AM_MAKEFLAGS) \
top_distdir="$$new_top_distdir" \
distdir="$$new_distdir" \
am__remove_distdir=: \
am__skip_length_check=: \
am__skip_mode_fix=: \
distdir) \
|| exit 1; \
fi; \
done
$(MAKE) $(AM_MAKEFLAGS) \
top_distdir="$(top_distdir)" distdir="$(distdir)" \
dist-hook
-test -n "$(am__skip_mode_fix)" \
|| find "$(distdir)" -type d ! -perm -755 \
-exec chmod u+rwx,go+rx {} \; -o \
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
|| chmod -R a+r "$(distdir)"
dist-gzip: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__post_remove_distdir)
dist-bzip2: distdir
tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
$(am__post_remove_distdir)
dist-lzip: distdir
tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
$(am__post_remove_distdir)
dist-xz: distdir
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)
dist-tarZ: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
$(am__post_remove_distdir)
dist-shar: distdir
@echo WARNING: "Support for shar distribution archives is" \
"deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
$(am__post_remove_distdir)
dist-zip: distdir
-rm -f $(distdir).zip
zip -rq $(distdir).zip $(distdir)
$(am__post_remove_distdir)
dist dist-all:
$(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:'
$(am__post_remove_distdir)
# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
# tarfile.
distcheck: dist
case '$(DIST_ARCHIVES)' in \
*.tar.gz*) \
GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
*.tar.bz2*) \
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lz*) \
lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
*.tar.xz*) \
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
*.tar.Z*) \
uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
*.shar.gz*) \
GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\
*.zip*) \
unzip $(distdir).zip ;;\
esac
chmod -R a-w $(distdir)
chmod u+w $(distdir)
mkdir $(distdir)/_build $(distdir)/_build/sub $(distdir)/_inst
chmod a-w $(distdir)
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build/sub \
&& ../../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=../.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
&& $(MAKE) $(AM_MAKEFLAGS) install \
&& $(MAKE) $(AM_MAKEFLAGS) installcheck \
&& $(MAKE) $(AM_MAKEFLAGS) uninstall \
&& $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
distuninstallcheck \
&& chmod -R a-w "$$dc_install_base" \
&& ({ \
(cd ../.. && umask 077 && mkdir "$$dc_destdir") \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
} || { rm -rf "$$dc_destdir"; exit 1; }) \
&& rm -rf "$$dc_destdir" \
&& $(MAKE) $(AM_MAKEFLAGS) dist \
&& rm -rf $(DIST_ARCHIVES) \
&& $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
&& cd "$$am__cwd" \
|| exit 1
$(am__post_remove_distdir)
@(echo "$(distdir) archives ready for distribution: "; \
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
distuninstallcheck:
@test -n '$(distuninstallcheck_dir)' || { \
echo 'ERROR: trying to run $@ with an empty' \
'$$(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
$(am__cd) '$(distuninstallcheck_dir)' || { \
echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left after uninstall:" ; \
if test -n "$(DESTDIR)"; then \
echo " (check DESTDIR support)"; \
fi ; \
$(distuninstallcheck_listfiles) ; \
exit 1; } >&2
distcleancheck: distclean
@if test '$(srcdir)' = . ; then \
echo "ERROR: distcleancheck can only run from a VPATH build" ; \
exit 1 ; \
fi
@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left in build directory after distclean:" ; \
$(distcleancheck_listfiles) ; \
exit 1; } >&2
check-am: all-am
check: check-recursive
all-am: Makefile $(DATA)
installdirs: installdirs-recursive
installdirs-am:
for dir in "$(DESTDIR)$(masterfilesdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-recursive
install-exec: install-exec-recursive
install-data: install-data-recursive
uninstall: uninstall-recursive
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-recursive
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-recursive
clean-am: clean-generic clean-local mostlyclean-am
distclean: distclean-recursive
-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-rm -f Makefile
distclean-am: clean-am distclean-generic distclean-tags
dvi: dvi-recursive
dvi-am:
html: html-recursive
html-am:
info: info-recursive
info-am:
install-data-am: install-nobase_dist_masterfilesDATA
install-dvi: install-dvi-recursive
install-dvi-am:
install-exec-am:
install-html: install-html-recursive
install-html-am:
install-info: install-info-recursive
install-info-am:
install-man:
install-pdf: install-pdf-recursive
install-pdf-am:
install-ps: install-ps-recursive
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-recursive
-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-rm -rf $(top_srcdir)/autom4te.cache
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-recursive
mostlyclean-am: mostlyclean-generic
pdf: pdf-recursive
pdf-am:
ps: ps-recursive
ps-am:
uninstall-am: uninstall-nobase_dist_masterfilesDATA
.MAKE: $(am__recursive_targets) install-am install-strip
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
am--refresh check check-am clean clean-cscope clean-generic \
clean-local cscope cscopelist-am ctags ctags-am dist dist-all \
dist-bzip2 dist-gzip dist-hook dist-lzip dist-shar dist-tarZ \
dist-xz dist-zip distcheck distclean distclean-generic \
distclean-tags distcleancheck distdir distuninstallcheck dvi \
dvi-am html html-am info info-am install install-am \
install-data install-data-am install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-info install-info-am install-man \
install-nobase_dist_masterfilesDATA install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs installdirs-am maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic pdf \
pdf-am ps ps-am tags tags-am uninstall uninstall-am \
uninstall-nobase_dist_masterfilesDATA
.PRECIOUS: Makefile
export TAR_OPTIONS
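# Store the permissions properly in the tarball for acceptance tests to succeed.
# Group/other write permission is removed from every *.cf* file in the dist tree.
# find hands the names to chmod itself (-exec ... {} +), so a file name
# containing whitespace cannot be split into a different path, and chmod is
# not invoked at all when nothing matches.
dist-hook:
	find $(distdir) -name '*.cf*' -exec chmod go-w {} +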
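# Build $(PACKAGE)-$(VERSION)-$(RELEASE).pkg.tar.gz from a staged install.
# The tree is installed into a fresh mktemp directory, *.cf* files lose
# group/other write permission, and the result is tarred and gzipped into the
# directory make was started from.
# The status of the install/archive step is kept in $$status and returned after
# the staging directory has been removed, so a failed build is no longer
# reported as success by the trailing cleanup command.
tar-package:
	pkgdir=`mktemp -d` || exit 1; export pkgdir; \
	origdir=`pwd` && export origdir && \
	umask 0022 && chmod 755 "$$pkgdir" && \
	$(MAKE) prefix="$$pkgdir" install && \
	( cd "$$pkgdir" && \
	  find . -name '*.cf*' -exec chmod go-w {} + && \
	  tardir=. && $(am__tar) | \
	    GZIP=$(GZIP_ENV) gzip -c \
	    > "$$origdir"/$(PACKAGE)-$(VERSION)-$(RELEASE).pkg.tar.gz \
	); \
	status=$$?; \
	rm -rf -- "$$pkgdir"; \
	exit $$status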
# Remove the local build directory; clean-am lists this target as a prerequisite.
clean-local:
rm -rf build
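# Set up an unprivileged, per-user CFEngine tree under $HOME/.cfagent:
# a link to cf-promises in bin/, a copy of ./lib in inputs/lib/, and a minimal
# promises.cf if none exists yet.
# - The cf-promises lookup is checked: with an empty result the unquoted form
#   called ln with a single operand, which creates a link in the current directory.
# - The last step uses "[ -s ] ||" so that an existing promises.cf leaves the
#   recipe line with status 0 instead of failing the target.
non-priv-install:
	mkdir -p "$$HOME/.cfagent/bin"
	cfp=$$(command -v cf-promises) || { echo "cf-promises not found in PATH" >&2; exit 1; }; \
	ln -sf "$$cfp" "$$HOME/.cfagent/bin"
	mkdir -p "$$HOME/.cfagent/inputs/lib"
	rsync -avz ./lib/ "$$HOME/.cfagent/inputs/lib/"
	[ -s "$$HOME/.cfagent/inputs/promises.cf" ] || echo "bundle agent main { reports: 'Hello, CFEngine!'; }" > "$$HOME/.cfagent/inputs/promises.cf"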
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
cfengine-masterfiles-3.24.2/modules/ 0000755 0000000 0000000 00000000000 15010704326 017340 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/modules/packages/ 0000755 0000000 0000000 00000000000 15010704326 021116 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/modules/packages/vendored/ 0000755 0000000 0000000 00000000000 15010704326 022724 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/modules/packages/vendored/msiexec-list.vbs.mustache 0000644 0000000 0000000 00000005704 15010704240 027657 0 ustar 00root root 0000000 0000000 ' Helper script to enumerate installed software (packages)
' Based on original work of Cory Coager at CDPHP
' This module reads the installed packages from the registry using WMI
' Prints one Name=/Version=/Architecture= record for every uninstall entry that
' has a display name, scanning the two uninstall keys listed in strKeys.
Const HKLM = &H80000002 'HKEY_LOCAL_MACHINE
strComputer = "."
' The native uninstall key and the WOW6432Node uninstall key
strKeys=Array("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\", "SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\")
strDisplayNameEntryA = "DisplayName"
strDisplayNameEntryB = "QuietDisplayName"
strInstallDateEntry = "InstallDate"
strDisplayVersionEntry = "DisplayVersion"
' Read registry using WMI
Set objReg = GetObject("winmgmts://" & strComputer & "/root/default:StdRegProv")
' Iterate through each uninstall registry key
For Each strKey in strKeys
' Enumerate the subkeys
' NOTE(review): if EnumKey yields no array (for example when the WOW6432Node key
' is absent), the For Each below would presumably raise an error - confirm.
objReg.EnumKey HKLM, strKey, arrSubkeys
' Iterate through each subkey
For Each strSubkey In arrSubkeys
strDisplayNameValue = ""
strInstallDateValue = ""
strDisplayVersionValue = ""
' Read the DisplayName
intRet1 = objReg.GetStringValue(HKLM, strKey & strSubkey, strDisplayNameEntryA , strDisplayNameValue)
If intRet1 <> 0 Then
' On failure, read the QuietDisplayName
intRet1 = objReg.GetStringValue(HKLM, strKey & strSubkey, strDisplayNameEntryB , strDisplayNameValue)
End If
' Check if key has a DisplayName, otherwise not valid
If intRet1 = 0 And strDisplayNameValue <> "" Then
' Read the InstallDate (the value is read but not printed below)
objReg.GetStringValue HKLM, strKey & strSubkey, strInstallDateEntry, strInstallDateValue
' Read the DisplayVersion
intRet2 = objReg.GetStringValue( HKLM, strKey & strSubkey, strDisplayVersionEntry, strDisplayVersionValue )
If intRet2 <> 0 Then
' DisplayVersion is missing, so try to fall back InstalledVersion
intRet2 = objReg.GetStringValue( HKLM, strKey & strSubKey, "InstalledVersion", strDisplayVersionValue )
End If
If intRet2 <> 0 Then
' DisplayVersion and InstalledVersion are missing, so try to fall back to a key of the same name as the node, i.e. AOMEI Backupper Server.
intRet2 = objReg.GetStringValue( HKLM, strKey & strDisplayNameValue, strDisplayNameValue, strDisplayVersionValue )
End If
' Print out the DisplayName
WScript.Echo "Name=" & strDisplayNameValue
' Print out the DisplayVersion
' Ensure that Version is set to something, else it can't be inserted into the database.
If intRet2 <> 0 Then
' Unable to find a version, set it to "unknown" so that it can be inserted into the database and not result in patch failure
WScript.Echo "Version=unknown"
Else
' Must have a legit version (printed in lower case)
WScript.Echo "Version=" & LCase(strDisplayVersionValue)
End If
' Print out the Architecture
' NOTE(review): both branches print amd64, so entries found under the
' WOW6432Node key are not distinguished in the inventory - confirm this is intended.
If InStr(strKey, "6432") = 0 Then
WScript.Echo "Architecture=amd64"
Else
WScript.Echo "Architecture=amd64"
End If
End If
Next
Next cfengine-masterfiles-3.24.2/modules/packages/vendored/freebsd_ports.mustache 0000755 0000000 0000000 00000004302 15010704240 027315 0 ustar 00root root 0000000 0000000 #!/bin/sh -e
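# Operation requested by the caller (first argument); dispatched at the end of
# the script.
command=$1

# The request arrives on stdin as KEY=VALUE lines; each becomes INPUT_KEY in the
# environment. The expansion is quoted so that a value containing whitespace
# stays part of this one assignment: unquoted, every further word of the line
# was handed to `export` as an additional name or NAME=VALUE pair of its own.
while read -r line; do
  export "INPUT_$line"
done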
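# Report how the promised package should be treated.
# Globals: INPUT_File (read, mandatory), name (written)
# Outputs: "PackageType=repo" and "Name=<INPUT_File>" on stdout
get_package_data() {
  name="${INPUT_File?File must be given to get-package-data}"
  echo PackageType=repo
  # Quoted, so whitespace and glob characters in the name are printed verbatim.
  printf 'Name=%s\n' "$name"
}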
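# List installed packages as Name=/Version=/Architecture= lines.
# Outputs: three lines per package on stdout; Architecture is always "none".
list_installed() {
  # Example pkg output:
  # sudo-1.8.14p3
  # Name : sudo
  # Version : 1.8.14p3
  # Installed on : Sun Aug 16 05:36:05 UTC 2015
  # Origin : security/sudo
  # Architecture : freebsd:10:x86:64
  #
  # After rewrite:
  # Name=sudo
  # Version=1.8.14p3
  # Architecture=none
  #
  # grep -E replaces the obsolescent egrep spelling; the pattern is unchanged.
  pkg info -f -a \
    | grep -E '^(Name|Version|Architecture)' \
    | sed -e 's/[ ]*:[ ]*/=/' -e 's/^Architecture=.*/Architecture=none/'
}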
# Build and install a port from the ports tree.
# Globals: INPUT_Name (read, mandatory), INPUT_Version (read, optional),
#          BATCH (exported as 1), name/version/PORT_PATH/available (written)
# Outputs: an ErrorMessage= line on stdout when the port is not found or the
#          requested version differs from the one the port would build;
#          make output goes to stderr.
# Exits 0 after printing an ErrorMessage.
repo_install() {
  name="${INPUT_Name?Name must be given to repo-install}"
  version="${INPUT_Version}"
  export BATCH=1

  # whereis is asked for the port directory; an empty answer means no such port.
  PORT_PATH=$(whereis -sq "$name")
  [ -n "$PORT_PATH" ] || {
    echo "ErrorMessage=Could not install $name, port does not exist"
    exit 0
  }
  cd "$PORT_PATH"

  # Only an explicitly requested version is compared with the port's PKGVERSION.
  if [ -n "$version" ]; then
    available=$(make -V PKGVERSION)
    [ "$available" = "$version" ] || {
      echo "ErrorMessage=Could not install $name $version, available version was $available"
      exit 0
    }
  fi

  make deinstall reinstall 1>&2
}
# Refresh the ports tree with portsnap (fetch, then update).
# Outputs: portsnap's stdout is sent to stderr, keeping this script's stdout
#          free for protocol lines.
update_ports_tree() {
  portsnap --interactive fetch update 1>&2
}
# List packages for which the local index holds a newer version.
# Outputs: Name=/Version=/Architecture=none lines on stdout.
list_updates_local() {
  # Example pkg output:
  # ca_root_nss-3.19.3 < needs updating (index has 3.20)
  #
  # After sed:
  # Name=ca_root_nss
  # Version=3.20
  # Architecture=none
  #
  # The sed program is kept in a variable; the backslash-newline pairs inside
  # the single quotes are the line breaks of the replacement text.
  rewrite='s/\([^ ]*\)-[^-]* .* \(.*\))/Name=\1\
Version=\2\
Architecture=none/'
  pkg version -v -l "<" | sed -e "$rewrite"
}
# Deinstall a port.
# Globals: INPUT_Name (read, mandatory), BATCH (exported as 1),
#          name/PORT_PATH (written)
# Outputs: an ErrorMessage= line on stdout when the port is not found;
#          make output goes to stderr.
# Exits 0 after printing an ErrorMessage.
remove() {
  name="${INPUT_Name?Name must be given to remove}"
  export BATCH=1

  PORT_PATH=$(whereis -sq "$name")
  [ -n "$PORT_PATH" ] || {
    echo "ErrorMessage=Could not remove $name, port does not exist"
    exit 0
  }

  cd "$PORT_PATH"
  make deinstall 1>&2
}
# Dispatch on the operation name taken from the first argument.
# list-updates refreshes the ports tree before listing; list-updates-local
# only reads what is already on disk.
case "$command" in
  supports-api-version) echo 1 ;;
  get-package-data) get_package_data ;;
  list-installed) list_installed ;;
  repo-install) repo_install ;;
  list-updates)
    update_ports_tree
    list_updates_local
    ;;
  list-updates-local) list_updates_local ;;
  remove) remove ;;
  *) echo "ErrorMessage=Invalid operation" ;;
esac
cfengine-masterfiles-3.24.2/modules/packages/vendored/msiexec.bat.mustache 0000644 0000000 0000000 00000011411 15010704240 026652 0 ustar 00root root 0000000 0000000 @echo off
setlocal ENABLEDELAYEDEXPANSION
rem Use real applications or testing stub for testing
rem NOTE(review): when CFENGINE_MSIEXEC_TEST is set in the environment, its value is
rem placed in front of the msiexec, wmic and cscript command lines used below, so it
rem decides which program is started. It should only ever be set by a test harness.
set MSIEXEC=msiexec
set WMIC=wmic
set CSCRIPT=cscript
if not "%CFENGINE_MSIEXEC_TEST%"=="" (
set MSIEXEC=%CFENGINE_MSIEXEC_TEST% msiexec
set WMIC=%CFENGINE_MSIEXEC_TEST% wmic
set CSCRIPT=%CFENGINE_MSIEXEC_TEST% cscript
)
rem choose a function to execute
rem The first argument is the operation name. Operations marked not implemented,
rem and any unknown operation, fall through to the final goto and print nothing.
if "%1"=="supports-api-version" echo 1
if "%1"=="get-package-data" goto :get_package_data_list
if "%1"=="list-installed" goto :list_installed
if "%1"=="list-updates" rem not implemented
if "%1"=="list-updates-local" rem not implemented
if "%1"=="repo-install" rem not implemented
if "%1"=="file-install" goto :file_install_list
if "%1"=="remove" goto :remove_list
goto :EOF
rem Reads all stdin lines, for each line which starts with
rem "File=" call the next function
rem NOTE(review): the text after File= is handed on inside double quotes. A value that
rem itself contains a double quote would presumably end that quoting early, so paths
rem are assumed to be free of quote characters - confirm.
:get_package_data_list
for /F "tokens=*" %%a in ('more') do (
rem Assign for-loop %%a variable to "normal" %_q% variable to extract substrings
rem via %name:~begin,length% expansion (negative value means length of string - value)
set "_q=%%a"
rem * Use "Delayed Expansion" of variables (surround them with ! instead of %)
if "!_q:~0,5!"=="File=" call :get_package_data_one "!_q:~5!"
)
goto :EOF
rem Choose one of two following functions to call based on whether file exists or not
rem Argument 1: the value that followed File=, in double quotes
:get_package_data_one
rem This function called with an argument in quotes, so:
rem use %1 when you need value in quotes,
rem use %~1 when you need without
rem A name that is not an existing path is reported as a repo package.
if not exist %1 call :get_package_data_repo %1
if exist %1 call :get_package_data_file %1
goto :EOF
rem Print package information for an existing file
rem Argument 1: path of the file, in double quotes
rem The file is handed to WiRunSQL.vbs, located next to this script, together with a
rem fixed SELECT on the Property table. Every output line of the first query is
rem printed as Name= and every output line of the second as Version=.
:get_package_data_file
echo PackageType=file
rem %~dp0 expands to drive and path of current script
rem TODO: if name is multi-line, print "Name=" only once
for /f "usebackq delims=" %%b in (`%CSCRIPT% /nologo "%~dp0\WiRunSQL.vbs" %1
"select Value from Property where Property = 'ProductName'"`
) do echo Name=%%b
for /f "usebackq delims=" %%b in (`%CSCRIPT% /nologo "%~dp0\WiRunSQL.vbs" %1
"select Value from Property where Property = 'ProductVersion'"`
) do echo Version=%%b
goto :EOF
rem If file does not exist - assume it's a repo
rem Argument 1: the package name in double quotes; it is printed without them.
:get_package_data_repo
echo PackageType=repo
echo Name=%~1
goto :EOF
rem Call vbs script to read installed software from registry
rem msiexec-list.vbs is looked up in the directory of this script; its output is
rem passed through unchanged.
:list_installed
%CSCRIPT% /nologo "%~dp0\msiexec-list.vbs"
goto :EOF
rem Reads all stdin lines, for each line which starts with "File=" call the next function
rem Lines that do not start with File= are ignored.
:file_install_list
for /F "tokens=*" %%a in ('more') do (
set "_q=%%a"
if "!_q:~0,5!"=="File=" call :file_install_one "!_q:~5!"
)
goto :EOF
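rem Install this file if it exists
rem Argument 1: path of the MSI file, in double quotes
rem Output: an ErrorMessage= line when the file is missing or msiexec reports failure
rem A verbose msiexec log is written to \cfengine_package_logs\ on the current drive.
rem NOTE(review): the log directory is created with whatever permissions mkdir applies
rem there; verbose installer logs can hold property values, so confirm who may read it.
:file_install_one
if not exist %1 (
  echo ErrorMessage=File %1 not found!
  goto :EOF
)
set log_dir="\cfengine_package_logs\"
if not exist %log_dir% (
  mkdir %log_dir%
)
for /F "delims=" %%i in (%1) do @set basename="%%~ni"
REM %log_dir:"=% replaces quotes with nothing, otherwise you get two double-quotes which causes failures
set log_file="%log_dir:"=%%basename:"=%_install.log"
%MSIEXEC% /quiet /passive /qn /norestart /l*vx %log_file% /i %1
rem The former test, if not errorlevel 0, is only true for negative exit codes, so a
rem failed installation was never reported. The exit code is captured and compared
rem explicitly. Code 3010 means the installation succeeded and a reboot is pending.
set "_rc=%ErrorLevel%"
if not "%_rc%"=="0" if not "%_rc%"=="3010" (
  echo ErrorMessage=msiexec.exe ErrorLevel was %_rc% for file %1 log at %log_file%
)
goto :EOF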
rem Reads all stdin lines, calls next function for each of them
rem The closing call to remove_one handles the last Name= block, which has no
rem following Name= line to trigger it.
:remove_list
for /F "tokens=*" %%a in ('more') do (
call :remove_line "%%a"
)
call :remove_one
goto :EOF
rem processes line of input, saves name and version, and calls
rem next function before new block (which starts with "Name=" line)
rem Argument 1: one input line in double quotes
rem Sets _name from a Name= line, clearing _ver, and _ver from a Version= line.
:remove_line
set "_q=%~1"
if "%_q:~0,5%"=="Name=" (
call :remove_one
set "_name=%_q:~5%"
set _ver=
)
if "%_q:~0,8%"=="Version=" (
set "_ver=%_q:~8%"
)
goto :EOF
rem Remove file or software stored in "%_name%" env variable, if it's set.
rem If such file does not exist - remove an installed program with such name
rem For an installed program the product is looked up with wmic by name, and by
rem version when one was given; each LocalPackage path returned is passed on to
rem remove_file.
rem NOTE(review): _name and _ver are inserted into the wmic where-clause between single
rem quotes without escaping. A value containing a quote character would change the
rem clause, so the caller is assumed to send plain product names - confirm.
:remove_one
if "%_name%"=="" goto :EOF
if exist "%_name%" (
call :remove_file "%_name%"
goto :EOF
)
if "%_ver%"=="" (
set "_condition=name='%_name%'"
) else (
set "_condition=name='%_name%' and version='%_ver%'"
)
rem Characters > and & chars in for expression must be escaped
for /f "delims=" %%a in (
'%WMIC% product where "%_condition%" get LocalPackage /value 2^>^&1'
) do (
set "_q=%%a"
if "!_q:~0,13!"=="LocalPackage=" call :remove_file "!_q:~13!"
)
goto :EOF
rem Remove software from MSI package which name is passed as argument
rem Argument 1: path of the MSI package, in double quotes
rem The exit code of msiexec is not examined here, so a failed removal produces no
rem ErrorMessage line.
:remove_file
%MSIEXEC% /quiet /passive /qn /norestart /x %1
rem TODO options, error checking
goto :EOF
cfengine-masterfiles-3.24.2/modules/packages/vendored/WiRunSQL.vbs.mustache 0000644 0000000 0000000 00000006206 15010704240 026673 0 ustar 00root root 0000000 0000000 ' Windows Installer utility to execute SQL statements against an installer database
' For use with Windows Scripting Host, CScript.exe or WScript.exe
' Copyright (c) Microsoft Corporation. All rights reserved.
' Demonstrates the script-driven database queries and updates
'
' Saved from https://github.com/Microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/sysmgmt/msi/scripts/WiRunSQL.vbs
' Distributed under MIT license
'
Option Explicit
' Open modes passed to Installer.OpenDatabase
Const msiOpenDatabaseModeReadOnly = 0
Const msiOpenDatabaseModeTransact = 1
' Argument 0 is the database path; every further argument is one SQL statement.
Dim argNum, argCount:argCount = Wscript.Arguments.Count
If (argCount < 2) Then
Wscript.Echo "Windows Installer utility to execute SQL queries against an installer database." &_
vbLf & " The 1st argument specifies the path to the MSI database, relative or full path" &_
vbLf & " Subsequent arguments specify SQL queries to execute - must be in double quotes" &_
vbLf & " SELECT queries will display the rows of the result list specified in the query" &_
vbLf & " Binary data columns selected by a query will not be displayed" &_
vblf &_
vblf & "Copyright (C) Microsoft Corporation. All rights reserved."
Wscript.Quit 1
End If
' Scan arguments for valid SQL keyword and to determine if any update operations
' A statement whose first word is found in the keyword list below switches the
' database to transact mode, and the Commit near the end then writes the changes
' to the MSI file. Callers that only need to read should pass SELECT statements only.
Dim openMode : openMode = msiOpenDatabaseModeReadOnly
For argNum = 1 To argCount - 1
Dim keyword : keyword = Wscript.Arguments(argNum)
Dim keywordLen : keywordLen = InStr(1, keyword, " ", vbTextCompare)
If (keywordLen) Then keyword = UCase(Left(keyword, keywordLen - 1))
' The test is a substring search in the list, not a comparison with each whole word.
If InStr(1, "UPDATE INSERT DELETE CREATE ALTER DROP", keyword, vbTextCompare) Then
openMode = msiOpenDatabaseModeTransact
ElseIf keyword <> "SELECT" Then
Fail "Invalid SQL statement type: " & keyword
End If
Next
' Connect to Windows installer object
' From here on errors do not stop the script; each step is followed by CheckError.
On Error Resume Next
Dim installer : Set installer = Nothing
Set installer = Wscript.CreateObject("WindowsInstaller.Installer") : CheckError
' Open database
Dim databasePath:databasePath = Wscript.Arguments(0)
Dim database : Set database = installer.OpenDatabase(databasePath, openMode) : CheckError
' Process SQL statements
Dim query, view, record, message, rowData, columnCount, delim, column
For argNum = 1 To argCount - 1
query = Wscript.Arguments(argNum)
Set view = database.OpenView(query) : CheckError
view.Execute : CheckError
If Ucase(Left(query, 6)) = "SELECT" Then
' Collect every fetched row: columns separated by a space, rows ended by a line feed
Do
Set record = view.Fetch
If record Is Nothing Then Exit Do
columnCount = record.FieldCount
rowData = Empty
delim = " "
For column = 1 To columnCount
If column = columnCount Then delim = vbLf
rowData = rowData & record.StringData(column) & delim
Next
message = message & rowData
Loop
End If
Next
If openMode = msiOpenDatabaseModeTransact Then database.Commit
If Not IsEmpty(message) Then Wscript.Echo message
Wscript.Quit 0
' Stop the script through Fail when the preceding statement set Err.
' The message holds the error source, the error number in hex and the description,
' followed by the installer's last error record when one is available.
Sub CheckError
Dim message, errRec
If Err = 0 Then Exit Sub
message = Err.Source & " " & Hex(Err) & ": " & Err.Description
If Not installer Is Nothing Then
Set errRec = installer.LastErrorRecord
If Not errRec Is Nothing Then message = message & vbLf & errRec.FormatText
End If
Fail message
End Sub
' Print the message and end the script with exit code 2.
Sub Fail(message)
Wscript.Echo message
Wscript.Quit 2
End Sub
cfengine-masterfiles-3.24.2/modules/packages/vendored/pkg.mustache 0000755 0000000 0000000 00000015310 15010704240 025236 0 ustar 00root root 0000000 0000000 #!/bin/sh
## Licensed under
## BSD License (2-clause)
## https://opensource.org/licenses/BSD-2-Clause
## Copyright (c) 2015, John D. "Trix" Farrar
## pkgng module for CFEngine 3.7+
# Test hook: when CFENGINE_TEST_PKGNG_MOCK is non-empty, `pkg` is aliased to
# ./mock_pkgng, a path relative to the current directory. The alias is set up
# before the functions that call pkg are defined further down.
# NOTE(review): the variable comes from the environment; outside the test suite
# it must be unset, otherwise a ./mock_pkgng in the working directory is run in
# place of the package manager.
if [ -n "$CFENGINE_TEST_PKGNG_MOCK" ]; then
alias pkg='./mock_pkgng'
fi
# Operation name given as the first argument
CMD="$1"
# Extra arguments for pkg, filled from "options=" input lines by read_options
PKG_OPTIONS=''
REPO=''
# Space-separated KEY=VALUE list accumulated by read_options
INPUTLIST=''
# Filter: rewrite a pkg ABI string read on stdin into a short architecture name.
# The trailing ABI suffix is replaced through the table below, then a leading
# "FreeBSD:<digits>:" (any letter case as listed in the pattern) is removed.
# A line is printed only when the final rule's $0 test is true for it.
mangle_arch() {
  awk '
    BEGIN {
      arch["x86:32"] = "i386"
      arch["x86:64"] = "amd64"
      arch["aarch64:64"] = "aarch64"
      arch["armv6:32:el:eabi:softfp"] = "armv6"
      arch["armv7:32:el:eabi:softfp"] = "armv7"
      arch["mips:32:eb:o32"] = "mips"
      arch["mips:64:eb:n64"] = "mips64"
      arch["powerpc:64:eb"] = "powerpc64"
    }
    {
      for (abi in arch) {
        suffix = ":" abi "$"
        sub(suffix, ":" arch[abi])
      }
      sub(/[Ff]ree[Bb][Ss][Dd]:[0-9]*:/, "")
    }
    $0'
}
# Report an error to the caller and stop.
# Arguments: the message words
# Outputs:   "ErrorMessage=<message>" on stdout
# Exits with status 1.
fatal() {
  printf '%s\n' "ErrorMessage=$*"
  exit 1
}
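# Split one KEY=VALUE line at its first "=" and print shell assignments for
# KEYWORD and VALUE; the callers run the output through eval.
# Arguments: $1 - the input line
# Outputs:   KEYWORD='...'; VALUE='...' on stdout
#
# Both strings are emitted in single quotes, with every embedded single quote
# written as '\''. The earlier double-quoted form let the shell expand $(...),
# backticks and $name inside the data at eval time, and a double quote in the
# data ended the string. With single quotes the data is assigned verbatim.
# A line without "=" yields the whole line for both KEYWORD and VALUE.
parse_line() {
  printf '%s\n' "$1" | awk '
    function shquote(s,   n, parts, k, out) {
      n = split(s, parts, "\047")
      out = parts[1]
      for (k = 2; k <= n; k++) {
        out = out "\047\\\047\047" parts[k]
      }
      return "\047" out "\047"
    }
    {
      i = index($0, "=")
      key = (i > 0) ? substr($0, 1, i - 1) : $0
      print "KEYWORD=" shquote(key) "; VALUE=" shquote(substr($0, i + 1))
    }' 2>/dev/null
}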
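# Read the request from stdin, one KEY=VALUE line at a time.
# Globals: PKG, NAM, TYP, REPO, PKG_OPTIONS, INPUTLIST, KEYWORD, VALUE, INPUT
#          (all written)
# Calls fatal for a key that is not part of the protocol.
#
# Each line is split at its first "=" with parameter expansion. The data is
# never passed to eval, so shell syntax inside a value is kept as plain text.
read_options() {
  while read -r INPUT ; do
    [ -n "${INPUT}" ] || continue
    KEYWORD="${INPUT%%=*}"
    VALUE="${INPUT#*=}"
    case "${KEYWORD}" in
      File)
        PKG="${VALUE}"
        ;;
      Name)
        NAM="${VALUE}"
        ;;
      Version|Architecture)
        # Do not store the value separately, as process_inputs()
        # will get it from $INPUTLIST
        ;;
      options)
        # The value is itself KEY=VALUE, e.g. options=repo=<name>.
        KEYWORD="${VALUE%%=*}"
        VALUE="${VALUE#*=}"
        case "${KEYWORD}" in
          repo|repository) REPO="-r ${VALUE}" ;;
          option) PKG_OPTIONS="${PKG_OPTIONS} -o ${VALUE}" ;;
        esac
        # Options are not added to INPUTLIST.
        continue
        ;;
      PackageType*)
        TYP="${VALUE}"
        ;;
      *)
        fatal "Invalid input: '${KEYWORD}'."
        ;;
    esac
    if [ -n "${KEYWORD}" ] && [ -n "${VALUE}" ] ; then
      if [ -n "${INPUTLIST}" ] ; then
        INPUTLIST="${INPUTLIST} ${KEYWORD}=${VALUE}"
      else
        INPUTLIST="${KEYWORD}=${VALUE}"
      fi
    fi
  done
}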
process_inputs() {
CMD="$1" ; shift
OPTIONS="$*"
for OPT in ${OPTIONS} ; do
eval `parse_line ${OPT}`
case "${KEYWORD}" in
File*)
if [ "${CMD}" = 'file-install' ] ; then
PKG="${PKG} ${VALUE}"
else
fatal "Bad Input: '${OPT}' (should be Name=...)."
fi
;;
Name*)
if [ "${CMD}" != 'file-install' ] ; then
PKG="${PKG} ${VALUE}"
else
fatal "Bad Input: '${OPT}' (should be File=...)"
fi
;;
Version*)
PKG="${PKG}-${VALUE}"
;;
Architecture*)
if [ -n "${VALUE}" ] &&
[ "${VALUE}" != "${ARCH}" ] ; then
fatal "Bad Input: Architecture ${VALUE} does not match ${ARCH}."
fi
;;
PackageType*)
TYP="${VALUE}"
;;
*)
fatal "Invalid input: '${INPUT}'."
;;
esac
done
}
# Run pkg with the options collected from the input in front of the given
# arguments. PKG_OPTIONS is expanded unquoted so that it splits into words.
# NOTE(review): the same splitting applies to whatever an "option" input line
# supplied, so such a value can contribute more than one word to the pkg
# command line - confirm the inputs are trusted policy data.
_pkg() {
pkg ${PKG_OPTIONS} "$@"
}
# Run "pkg query" with the given arguments and a format that prints
# Name=, Version= and Architecture= lines; the architecture is the value of ARCH.
_pkg_query() {
_pkg query "$@" "Name=%n\nVersion=%v\nArchitecture=${ARCH}"
}
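# Classify the promised package and print its protocol data.
# Globals: NAM, PKG (read; PKG defaults to NAM), TYP, PKGNAM, PKGVER (written)
# Outputs: PackageType=file plus the pkg query result for a path or URL,
#          PackageType=repo plus Name= otherwise; nothing when no package was given.
# Calls fatal when an absolute path does not exist.
#
# The ftp:// and file:// patterns now end in "*". Without it they matched only
# those exact strings, so such URLs were classified as repo packages.
# NOTE(review): https:// is not in the list and is treated as a repo name -
# confirm whether that is intended.
get_package_data() {
  if [ -n "${NAM}" ] && [ -z "${PKG}" ] ; then
    PKG="${NAM}"
  fi
  [ -n "${PKG}" ] || return 0

  case "${PKG}" in
    /*) # File Path. It's a file
      TYP='file'
      if [ ! -e "${PKG}" ] ; then
        fatal "No such file: '${PKG}'."
      fi
      ;;
    http://*|ftp://*|file://*) # URL, it's a file.
      TYP='file'
      ;;
    *)
      TYP='repo'
      ;;
  esac
  echo "PackageType=${TYP}"

  if [ "${TYP}" = 'repo' ] ; then
    # Split "<name>-<version>" into its two parts.
    PKGNAM=$(basename "${PKG}" | sed -r -e 's/^([A-Za-z0-9_-]+)-[0-9a-z.,_]+/\1/')
    PKGVER=$(basename "${PKG}" | sed -r -e 's/^[A-Za-z0-9_-]+-([0-9a-z.,_]+)/\1/' -e 's/\.(tgz|(tar\.)?gz|txz|zip)$//')
    # A "version" that does not start with a digit belongs to the name.
    if ! printf '%s\n' "${PKGVER}" | grep -Eq '^[0-9]' ; then
      if [ "${PKGNAM}" != "${PKGVER}" ] ; then
        PKGNAM="${PKGNAM}-${PKGVER}"
      fi
      PKGVER=''
    fi
    echo "Name=${PKGNAM}"
    # Returning version for PackageType=repo is not advised
    # https://docs.cfengine.com/latest/reference-standard-library-package_modules.html
    # if [ -n "${PKGVER}" ] ; then
    #   echo "Version=${PKGVER}"
    # fi
  else
    _pkg_query --file "${PKG}"
  fi
}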
# supports-api-version is answered without reading stdin; every other
# operation first reads its request through read_options.
if [ "${CMD}" = 'supports-api-version' ] ; then
echo '1'
exit 0
else
read_options
fi
# Architecture of this host as reported by "pkg config abi", shortened by mangle_arch
ARCH=$(_pkg config abi | mangle_arch)
case "${CMD}" in
get-package-data)
get_package_data
;;
list-installed)
_pkg_query -a
;;
list-updates-local|list-updates)
# The local variant passes -U to "pkg version".
if [ "${CMD}" = 'list-updates-local' ] ; then
LOCALUPDATE='-U'
else
LOCALUPDATE=''
fi
# Lines mentioning "repository"/"repositories" are skipped; for the rest the
# trailing -<version> is cut from field 1 and field 7 is printed as the version.
_pkg version ${LOCALUPDATE} -vl'<' | \
awk -v arch="${ARCH}" \
'/ repositor(y|ies) / { next; }
{
pkgname = $1;
pkgver = $7;
sub(/-[0-9_.,]*$/, "", pkgname);
sub(/\)/, "", pkgver);
print "Name=" pkgname;
print "Version=" pkgver;
print "Architecture=" arch;
}'
;;
repo-install|file-install|remove)
process_inputs "${CMD}" "${INPUTLIST}"
# REPO and PKG are expanded unquoted so that they split into separate arguments.
# NOTE(review): stdout and stderr of pkg are discarded, so the reason for a
# failure is not available to the caller or in any log written here.
case "${CMD}" in
repo-install)
_pkg install -qy ${REPO} ${PKG} 2>/dev/null >/dev/null
;;
file-install)
_pkg install -qy ${PKG} 2>/dev/null >/dev/null
;;
remove)
_pkg delete -Rqy ${PKG} 2>/dev/null >/dev/null
;;
esac
RC=$?
if [ ${RC} -ne 0 ] ; then
# NOTE(review): fatal exits with status 1, so the "exit $RC" below is never
# reached and the status of pkg is not propagated - confirm which is intended.
fatal "Package manager error"
exit $RC
fi
;;
*)
fatal "Command '${CMD}' is either not valid or not implemented."
;;
esac
cfengine-masterfiles-3.24.2/modules/packages/vendored/nimclient.mustache 0000755 0000000 0000000 00000014233 15010704240 026442 0 ustar 00root root 0000000 0000000 #!/bin/sh
## Licensed under:
## MIT Public License
## http://www.opensource.org/licenses/MIT
## Copyright (c) 2015, Nick Anderson
## nim package module for cfengine
## - Based on work done in pkgsrc module
## Installs packages using nimclient
## - Probably need to implement caching layer for nimclient, it can be slow
## and always requires remote connection
## Removes packages using installp
# /opt/local/bin and /opt/local/sbin are searched first for the commands that
# are called without a path below (lslpp, installp).
# NOTE(review): directories placed first in PATH take precedence for those
# lookups, so they should be writable by root only.
export PATH=/opt/local/bin:/opt/local/sbin:$PATH
# Trace level read by warn(): messages are printed only when it is above 0.
LEVEL=0
# Report an error to the caller and stop.
# Arguments: the message words
# Outputs:   "ErrorMessage=<message>" on stdout
# Exits with status 2.
fatal () {
  echo "ErrorMessage=$*"
  exit 2
}
# Print a trace message on stderr when LEVEL is above 0.
# Arguments: the message words
# Returns:   the status of the level test when nothing is printed
warn () {
  test $LEVEL -gt 0 && echo "[TRACE]: $*" 1>&2
}
# Print the package module API version implemented by this script.
supports_api_version () {
  printf '%s\n' 1
}
# Install ${Name} through nimclient.
# Globals: lpp_source, Name (read)
# nimclient needs to know which lpp_source to install from, so a missing
# lpp_source is a fatal error.
repo_install () {
  [ -n "$lpp_source" ] || fatal "Error installing '${Name}': No lpp_source defined."
  nimclient_install_package
}
# File based installation is not implemented: always ends with a fatal error.
file_install () {
# Must query the File to get the Name
# installp -d ${File} ${Name}
fatal "Error: File based installs not supported by nimclient"
}
# Remove the promised package; the work is done by remove_package, which is
# defined further down as either the real or the mock implementation.
remove () {
# This function should make sure the specified package gets removed
remove_package
}
list_installed () {
# This function should return the packages that are currently installed
# NAME=
# VERSION=
# ARCHITECTURE=
list_installed_packages | /usr/bin/grep -v "\s*#" | /usr/bin/awk -F':' '{print "Name=" $1 "\nVersion=" $3 "\nArchitecture=PPC"}'
}
# Placeholder: prints nothing and returns success, so no updates are reported.
list_updates () {
# This function should hit the network
# This function should return the list of package updates that are available
# NAME=
# VERSION=
# ARCHITECTURE=
# If you can't get a list of updates available, then you can't use
# version=latest and mission portal won't report updates available. If
# there is no valid cached list, AND it is unable to get a list it should
# return nothing
# if it is able to get a valid listing it should update the local cache and return that
# - expects the cache is kept up to date with the installed state
# - if you have an update and you set the version to latest, and it installs
# that package, that package should be removed from the cache
# - If you don't then mission portal may show that there are updates
# available that are actually already installed (until the cache gets
# refreshed)
# Since we don't yet know how to determine which packages have updates
# available we simply return true.
/usr/bin/true
}
# Placeholder: prints nothing and returns success, so no updates are reported.
list_updates_local () {
# This function should return the cached list of package updates available
# If there is no cache then it should return nothing
# This function should avoid hitting the network for listing
# returns same info as list_updates
# CFEngine determines which one to call based on if_elapsed
# see if showres can do offline listing, see if we can know which filesets are considered updates
# - only list the latest update
/usr/bin/true
}
# Report how the promised package should be treated.
# Globals: File (read)
# Outputs: "PackageType=repo" and "Name=<File>" on stdout
#
# NIM is only a REPO type install. Notes kept from the original for a possible
# file based install of bff or rpm packages:
#   - a "/" in $File would mark a 'file' install
#   - the package would have to match .bff or .rpm, otherwise
#     fatal "Unsupported Package Type"
#   - the package would then be queried for its base name and version, and
#     PackageType=file, Name, Version and Architecture would be printed
get_package_data () {
  # $File carries no path here, so it must name a package in an existing remote repo.
  printf '%s\n' "PackageType=repo" "Name=${File}"
}
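# Print Name=, Version= and Architecture= for one colon-separated record.
# Arguments: $1 - the record; field 2 is used as name, field 3 as version
# Globals:   name, version (written)
# If file based install support is added then this will need to be improved to
# handle that case.
#
# The record is passed to awk quoted, so whitespace and glob characters in it
# reach awk unchanged instead of being split and expanded by the shell.
parse_pkg_data () {
  name=$(printf '%s\n' "$1" | awk -F':' '{ print $2 }')
  version=$(printf '%s\n' "$1" | awk -F':' '{ print $3 }')
  echo "Name=$name"
  echo "Version=$version"
  # ARCH is useless on AIX?
  echo "Architecture=PPC"
}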
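# Cfengine passes data on STDIN. Absorb that and convert to shell variables.
#
# The lines were previously handed to eval as they came in, which runs any
# shell syntax contained in the data. They are now split at the first "=" and
# assigned as plain text: the key must be a valid variable name, and the value
# is never re-read by the shell.
# NOTE(review): any valid variable name is still accepted, as before. An
# allow-list (Name, File, Version, Architecture, options, lpp_source, ...)
# would be tighter - confirm which keys callers rely on.

# Assign VALUE to the shell variable KEY for one "KEY=VALUE" argument.
# Arguments without "=" or with a key that is not a variable name are ignored.
_assign_input() {
  case "$1" in
    *=*) ;;
    *) return 0 ;;
  esac
  _ai_key=${1%%=*}
  _ai_value=${1#*=}
  case "$_ai_key" in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 0 ;;
  esac
  # Only the validated name is expanded here; \$_ai_value is resolved by the
  # assignment itself, so the value's content is not parsed as code.
  eval "$_ai_key=\$_ai_value"
}

while IFS= read -r line; do
  _assign_input "$line"
  # options can be passed multiple times so we need to avoid clobbering
  # previous instances. What is wanted is a variable for each option value.
  # For example options => { "lpp_source=aix7783" }
  # comes through the protocol as options=lpp_source=aix7783
  # and here we define lpp_source=aix7783
  case "$line" in
    options=*) _assign_input "${line#options=}" ;;
  esac
done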
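# Set up mock environment if necessary
# This is not well developed as I don't have continuous access to aix and nim
# nor am I an expert
#
# The switch is set to false right here, so the real implementations in the
# else branch are the ones defined.
CFENGINE_TEST_NIMCLIENT_MOCK=false
if [ "$CFENGINE_TEST_NIMCLIENT_MOCK" = "true" ]; then
  list_installed_packages() {
    cat ../../tests/unit/mock_lslpp_Lc
  }
  nimclient_showres() {
    # This lists the AVAILABLE packages in the nim repo
    cat ../../tests/unit/mock_nimclient_showres
  }
  nimclient_install_package() {
    # Ugh, not sure what this should do to mock. I think that nimclient
    # return codes kind of suck, might need to parse the output?
    echo nimclient -o cust -a lpp_source=${lpp_source} -a filesets=\"${Name}\" >&2
  }
  remove_package() {
    echo installp -u "${Name}" >&2
  }
else
  # In the real commands every attribute is passed as one quoted word, so
  # whitespace in lpp_source or Name cannot add further arguments to nimclient.
  # The literal double quotes around the fileset list are kept as before.
  list_installed_packages() {
    lslpp -Lc
  }
  nimclient_showres() {
    /usr/sbin/nimclient -o showres -a "resource=${lpp_source}" -a installp_flags=L
  }
  nimclient_install_package() {
    /usr/sbin/nimclient -o cust -a "lpp_source=${lpp_source}" -a "filesets=\"${Name}\"" 1>&2
  }
  remove_package() {
    installp -u "${Name}" 1>&2
  }
fi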
# Dispatch on the operation name given as the first argument.
case "$1" in
  supports-api-version)
    supports_api_version
    ;;
  repo-install)
    repo_install
    ;;
  file-install)
    file_install
    ;;
  remove)
    remove
    ;;
  list-installed)
    list_installed
    ;;
  list-updates)
    list_updates
    ;;
  list-updates-local)
    list_updates_local
    ;;
  get-package-data)
    get_package_data
    ;;
  *)
    fatal "Invalid operation"
    ;;
esac
cfengine-masterfiles-3.24.2/modules/packages/vendored/zypper.mustache 0000755 0000000 0000000 00000040373 15010704240 026015 0 ustar 00root root 0000000 0000000 #!/usr/bin/python
# Note that the shebang above is ignored when run in policy
# See lib/packages.cf `package_module zypper` use of the
# `interpreter` attribute to use cfengine-selected-python.
#####################################################################################
# Copyright 2016 Normation SAS
#####################################################################################
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, Version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#
#####################################################################################
# This script is based on the CFEngine's masterfiles yum script:
# https://github.com/cfengine/masterfiles/blob/master/modules/packages/yum
# Licensed under:
# MIT Public License
# Copyright 2024 Northern.tech AS
import sys
import os
import subprocess
import re
from distutils.version import StrictVersion
# Paths of the rpm and zypper executables. When the CFENGINE_TEST_RPM_CMD or
# CFENGINE_TEST_ZYPPER_CMD environment variable is set, its value replaces the
# default absolute path.
# NOTE(review): the overrides are read from the environment unconditionally, so
# whoever controls the environment of this process selects the program that is
# run - they should only be set by the test suite.
rpm_cmd = os.environ.get('CFENGINE_TEST_RPM_CMD', "/bin/rpm")
rpm_quiet_option = ["--quiet"]
# Query format that makes rpm print one Name/Version/Architecture record per
# package; the epoch is prefixed to the version only when the package has one.
rpm_output_format = "Name=%{name}\nVersion=%|EPOCH?{%{epoch}:}:{}|%{version}-%{release}\nArchitecture=%{arch}\n"
zypper_cmd = os.environ.get('CFENGINE_TEST_ZYPPER_CMD', "/usr/bin/zypper")
zypper_options = ["--quiet", "-n"]
# Write-only handle on the null device, opened once at import time
NULLFILE = open(os.devnull, 'w')
# Caches for the two probe functions below: -1 means "not determined yet"
redirection_is_broken_cached = -1
zypper_supports_oldpackage_cached = -1
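def zypper_supports_oldpackage():
    """Return 1 if the installed zypper accepts ``--oldpackage``, else 0.

    The option is only supported from zypper 1.6.169 on. The version is read
    once from ``zypper -n --version`` and the answer is cached in the module
    global ``zypper_supports_oldpackage_cached``.

    The comparison is done on the leading dotted numbers of the version text.
    It no longer depends on ``distutils.version.StrictVersion``, which raises
    ValueError for version strings outside its strict format; a version that
    cannot be parsed now yields 0.
    NOTE(review): the file still imports StrictVersion from distutils at the
    top, and distutils is no longer shipped with Python 3.12 and later.
    """
    global zypper_supports_oldpackage_cached
    if zypper_supports_oldpackage_cached == -1:
        raw = subprocess.Popen([zypper_cmd, "-n", "--version"],
                               stdout=subprocess.PIPE).communicate()[0]
        # Expected form is "zypper <version>": keep what follows the first space.
        fields = raw.decode().split(" ", 1)
        version_text = fields[1].rstrip() if len(fields) > 1 else ""
        match = re.match(r"\d+(?:\.\d+)*", version_text)
        found = tuple(int(part) for part in match.group(0).split(".")) if match else ()
        zypper_supports_oldpackage_cached = 1 if found >= (1, 6, 169) else 0
    return zypper_supports_oldpackage_cached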
def redirection_is_broken():
    """Return 1 if redirecting through subprocess is unusable here, else 0.

    Older versions of Python have a bug where it is impossible to redirect
    stderr using subprocess, and any attempt at redirecting *anything*, not
    necessarily stderr, will result in it being closed instead. This is very
    bad, because RPM may then open its RPM database on file descriptor 2
    (stderr), and will cause it to output error messages directly into the
    database file. "stdout=subprocess.PIPE" does not have the bug.

    The probe re-runs this script with the "internal-test-stderr" argument and
    stdout redirected to stderr; a non-zero exit status marks redirection as
    broken. The result is cached in ``redirection_is_broken_cached``.
    """
    global redirection_is_broken_cached
    if redirection_is_broken_cached != -1:
        return redirection_is_broken_cached

    probe = [sys.executable, sys.argv[0], "internal-test-stderr"]
    probe_ok = subprocess.call(probe, stdout=sys.stderr) == 0
    redirection_is_broken_cached = 0 if probe_ok else 1
    return redirection_is_broken_cached
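def subprocess_Popen(cmd, stdout=None, stderr=None):
    """Start ``cmd`` with optional redirection and return the Popen object.

    When redirection works, nothing is redirected, or a pipe is requested, this
    is a plain ``subprocess.Popen`` call. Otherwise descriptors 1 and/or 2 of
    this process are temporarily pointed at the given file objects, the child
    is started without redirection arguments so that it inherits them, and the
    original descriptors are put back.

    The restore now runs in a ``finally`` block: if starting the child raises,
    this process no longer keeps its stdout/stderr pointing at the target file
    and the saved descriptors are closed.
    """
    if (not redirection_is_broken()
            or (stdout is None and stderr is None)
            or stdout == subprocess.PIPE
            or stderr == subprocess.PIPE):
        return subprocess.Popen(cmd, stdout=stdout, stderr=stderr)

    old_stdout_fd = -1
    old_stderr_fd = -1
    try:
        if stdout is not None:
            old_stdout_fd = os.dup(1)
            os.dup2(stdout.fileno(), 1)
        if stderr is not None:
            old_stderr_fd = os.dup(2)
            os.dup2(stderr.fileno(), 2)
        return subprocess.Popen(cmd)
    finally:
        if old_stdout_fd >= 0:
            os.dup2(old_stdout_fd, 1)
            os.close(old_stdout_fd)
        if old_stderr_fd >= 0:
            os.dup2(old_stderr_fd, 2)
            os.close(old_stderr_fd)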
def subprocess_call(cmd, stdout=None, stderr=None):
    """Run ``cmd`` to completion and return its exit status.

    If ``subprocess.PIPE`` is passed as ``stderr``, whatever the command wrote
    there is joined into one line and written to stdout as ``ErrorMessage=...``
    (without a trailing newline).
    """
    process = subprocess_Popen(cmd, stdout, stderr)
    _, captured_err = process.communicate()
    if stderr == subprocess.PIPE:
        err_lines = captured_err.decode().splitlines()
        if err_lines:
            sys.stdout.write("ErrorMessage=" + " ".join(err_lines))
            sys.stdout.flush()
    return process.returncode
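def get_package_data():
    """Classify the package named by the ``File=`` line on stdin.

    Returns 0 after printing the package data, 1 when no ``File=`` line was
    given or the package string contains ":" or ",".

    An absolute path is reported as ``PackageType=file`` and queried with rpm;
    anything else is reported as ``PackageType=repo`` with the string as name.

    The rejection message is now written as ``ErrorMessage=...``, the form used
    for error lines elsewhere in this file, and the last input line is no
    longer echoed in front of it.
    """
    pkg_string = ""
    for line in sys.stdin:
        if line.startswith("File="):
            pkg_string = line.split("=", 1)[1].rstrip()
            # Don't break, we need to exhaust stdin.

    if not pkg_string:
        return 1

    if pkg_string.startswith("/"):
        # Absolute file.
        sys.stdout.write("PackageType=file\n")
        sys.stdout.flush()
        subprocess_call([rpm_cmd, "--qf", rpm_output_format, "-qp", pkg_string], stderr=subprocess.PIPE)
        return 0

    if re.search("[:,]", pkg_string):
        # Contains an illegal symbol.
        sys.stdout.write("ErrorMessage=Package string with illegal format\n")
        return 1

    sys.stdout.write("PackageType=repo\n")
    sys.stdout.write("Name=" + pkg_string + "\n")
    return 0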
def list_installed():
    """Print every installed package in the rpm query format; returns 0.

    Whatever arrives on stdin is read and discarded first.
    """
    sys.stdin.readlines()  # Ignore everything.
    query = [rpm_cmd, "-qa", "--qf", rpm_output_format]
    subprocess_call(query)
    return 0
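def list_updates(online):
    """Print the updates zypper reports as Name/Version/Architecture lines.

    ``online`` false adds ``--no-refresh`` so that zypper works from what is
    already cached. Stdin is read and discarded. Always returns 0.

    The group names of the regular expression (name, version, arch) are
    restored; they are the names read through ``match.group`` below, and without
    them the pattern does not compile. The child process is also waited for
    once its output has been read.
    """
    # Ignore everything.
    sys.stdin.readlines()

    online_flag = [] if online else ["--no-refresh"]
    process = subprocess_Popen([zypper_cmd] + zypper_options + online_flag + ["list-updates"], stdout=subprocess.PIPE)

    # Zypper's output looks like:
    #
    # S | Repository        | Name         | Current Version                    | Available Version                              | Arch
    # --+-------------------+--------------+------------------------------------+------------------------------------------------+-------
    # v | Rudder repository | rudder-agent | 1398866025:3.2.6.release-1.SLES.11 | 1398866025:3.2.7.rc1.git201609190419-1.SLES.11 | x86_64
    #
    # Column 2 may contain special characters and is skipped, column 3 is the
    # package name, column 4 (old version) is ignored, column 5 is the version
    # available and column 6 the architecture.
    # The first char will always be "v" which means there is a new version
    # available on search outputs.
    row = re.compile(r"v\s+\|[^\|]+\|\s+(?P<name>\S+)\s+\|\s+\S+\s+\|\s+(?P<version>\S+)\s+\|\s+(?P<arch>\S+)\s*$")
    for line in (raw.decode() for raw in process.stdout):
        match = row.match(line)
        if match is not None:
            sys.stdout.write("Name=" + match.group("name") + "\n")
            sys.stdout.write("Version=" + match.group("version") + "\n")
            sys.stdout.write("Architecture=" + match.group("arch") + "\n")
    process.wait()
    return 0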
# Returns a pair:
# List 1: Contains arguments for a single command line.
# List 2: Contains arguments for multiple command lines (see comments in
# repo_install()).
def one_package_argument(name, arch, version, is_zypper_install):
    # Build the zypper argument(s) for one requested package.
    #
    # Each argument has the form name[.arch][=version]. The result is a pair
    # (single, multi): the arguments land in "multi" only when the package is
    # already installed and a version was requested, otherwise in "single".
    requested_archs = [arch] if arch else []
    already_installed = False

    if is_zypper_install:
        # Ask rpm which architectures of this package are installed.
        query = subprocess_Popen([rpm_cmd, "--qf", "%{arch}\n",
                                  "-q", name], stdout=subprocess.PIPE)
        installed_archs = [raw.decode().rstrip() for raw in query.stdout]
        query.wait()
        if query.returncode == 0 and installed_archs:
            already_installed = True
            if not arch:
                # No architecture was requested and we are installing:
                # operate on the installed ones rather than the platform
                # default.
                requested_archs += installed_archs

    suffix = "=" + version if version else ""

    if requested_archs:
        specs = [name + "." + one_arch + suffix for one_arch in requested_archs]
    else:
        specs = [name + suffix]

    if already_installed and version:
        return [], specs
    return specs, []
# Returns a pair:
# List 1: Contains arguments for a single command line.
# List 2: Contains arguments for multiple command lines (see comments in
# repo_install()). This is a list of lists, where the logic is:
# list
# | +---- package1:amd64 -+
# +- sublist ---+ +--- Do these together
# | +---- package1:i386 -+
# |
# |
# | +---- package2:amd64 -+
# +- sublist ---+ +--- And these together
# +---- package2:i386 -+
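def package_arguments_builder(is_zypper_install):
    # Turn the Name=/Version=/Architecture= request on stdin into zypper
    # arguments.
    #
    # Returns (single_cmd_args, multi_cmd_args): a flat list of arguments for
    # one command line, and a list of argument lists that are each run on
    # their own. Consecutive entries with the same name are merged into the
    # same sub-list.
    single_cmd_args = []  # List of arguments
    multi_cmd_args = []   # List of lists of arguments

    def flush(name, arch, version, old_name):
        # Convert one completed entry and file its arguments.
        single_list, multi_list = one_package_argument(name, arch, version, is_zypper_install)
        single_cmd_args.extend(single_list)
        if name == old_name and multi_cmd_args:
            # Packages that differ only by architecture should be processed
            # together. The emptiness check matters: when the earlier entry
            # of the same name produced no multi-command arguments (always
            # the case for removals) there is no sub-list to extend, and
            # indexing [-1] would raise IndexError.
            multi_cmd_args[-1] += multi_list
        elif multi_list:
            # Otherwise we process them individually.
            multi_cmd_args.append(multi_list)

    name = ""
    version = ""
    arch = ""
    old_name = ""
    for line in sys.stdin:
        if line.startswith("Name="):
            if name:
                # Each new "Name=" closes the previous entry.
                flush(name, arch, version, old_name)
                version = ""
                arch = ""
            old_name = name
            name = line.split("=", 1)[1].rstrip()
        elif line.startswith("Version="):
            version = line.split("=", 1)[1].rstrip()
        elif line.startswith("Architecture="):
            arch = line.split("=", 1)[1].rstrip()

    if name:
        # The last entry has no following "Name=" to close it.
        flush(name, arch, version, old_name)

    return single_cmd_args, multi_cmd_args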
def repo_install():
    # Install or change the version of the packages requested on stdin.
    #
    # package_arguments_builder() splits the request in two:
    #
    # * Arguments that fit on one command line (fresh installs, and existing
    #   packages with no version requested) go into a single
    #   "zypper install".
    # * Already-installed packages with an explicit version are handled one
    #   block at a time, because no single zypper command both upgrades and
    #   downgrades, versions cannot be compared reliably here, and zypper
    #   neither offers a dry run nor reports whether it succeeded. For each
    #   block:
    #     1. run "zypper update" on it;
    #     2. ask rpm whether every item of the block is now installed;
    #     3. if not, run "zypper install" (with --oldpackage when
    #        supported). This also covers adding a second architecture of a
    #        package that already has one installed.
    #   No check follows step 3; CFEngine verifies the end state itself.
    #
    # The cost is one zypper call plus a few calls per versioned package.
    #
    # Returning 0 does not mean everything succeeded; checking is expensive,
    # so that is left to CFEngine.
    #
    # NOTE(review): every call passes stderr=subprocess.PIPE and the pipe is
    # not read here. If subprocess_call only waits for the child, as it does
    # in the sibling yum module, a child that writes a lot to stderr could
    # block on a full pipe - confirm against subprocess_call's definition.

    def install_command(packages):
        command = [zypper_cmd] + zypper_options + ["install"]
        if zypper_supports_oldpackage():
            command += ["--oldpackage"]
        return command + packages

    single_cmd_args, multi_cmd_args = package_arguments_builder(True)

    if single_cmd_args:
        subprocess_call(install_command(single_cmd_args), stdout=NULLFILE, stderr=subprocess.PIPE)

    for block in multi_cmd_args:
        # Try to upgrade.
        subprocess_call([zypper_cmd] + zypper_options + ["update"] + block,
                        stdout=NULLFILE, stderr=subprocess.PIPE)

        # See if it succeeded: stop at the first item rpm does not know.
        upgraded = True
        for item in block:
            probe = [rpm_cmd] + rpm_quiet_option + ["-q", item]
            if subprocess_call(probe, stdout=NULLFILE, stderr=subprocess.PIPE) != 0:
                upgraded = False
                break
        if upgraded:
            continue

        # Try a plain install.
        subprocess_call(install_command(block), stdout=NULLFILE, stderr=subprocess.PIPE)

    return 0
def remove():
    # Remove the packages named on stdin with one "zypper remove" call.
    #
    # Returns that call's exit status, or 0 when nothing was requested.
    cmd_line = [zypper_cmd] + zypper_options + ["remove"]

    # For removals the second element of the pair is always empty, so only
    # the single-command arguments are used.
    packages, _unused_multi = package_arguments_builder(False)
    if not packages:
        return 0

    return subprocess_call(cmd_line + packages, stdout=NULLFILE, stderr=subprocess.PIPE)
def file_install():
    # Install every package file named by a "File=" line on stdin with a
    # single "rpm --force -U" call.
    #
    # The paths are passed to rpm exactly as received. Always returns 0;
    # rpm's exit status is not reported.
    cmd_line = [rpm_cmd] + rpm_quiet_option + ["--force", "-U"]

    files = [line.split("=", 1)[1].rstrip()
             for line in sys.stdin
             if line.startswith("File=")]

    if files:
        subprocess_call(cmd_line + files, stdout=NULLFILE, stderr=subprocess.PIPE)
    return 0
def main():
    # Dispatch on the operation named in argv[1] and return its exit status.
    # A missing or unknown operation returns 2.
    if len(sys.argv) < 2:
        sys.stderr.write("Need to provide argument\n")
        return 2

    operation = sys.argv[1]

    if operation == "internal-test-stderr":
        # fstat() raises OSError if stderr is closed.
        try:
            os.fstat(2)
        except OSError:
            return 1
        return 0

    if operation == "supports-api-version":
        sys.stdout.write("1\n")
        return 0

    handlers = {
        "get-package-data": get_package_data,
        "list-installed": list_installed,
        "list-updates": lambda: list_updates(True),
        "list-updates-local": lambda: list_updates(False),
        "repo-install": repo_install,
        "remove": remove,
        "file-install": file_install,
    }
    handler = handlers.get(operation)
    if handler is None:
        sys.stderr.write("Invalid operation\n")
        return 2
    return handler()
# Run the requested operation; its return value becomes the exit status.
sys.exit(main())
cfengine-masterfiles-3.24.2/modules/packages/vendored/snap.mustache 0000755 0000000 0000000 00000003271 15010704240 025421 0 ustar 00root root 0000000 0000000 #!/bin/bash -e
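#######################################
# Report the package type and name for the requested snap.
# Globals:   INPUT_File (read) - the script aborts with a message if unset
# Outputs:   PackageType= and Name= lines on stdout
#######################################
get_package_data() {
  local name="${INPUT_File?File must be given to get-package-data}"
  printf 'PackageType=repo\n'
  # Quoted so that whitespace and glob characters in the value are echoed
  # back exactly instead of being split or expanded by the shell.
  printf 'Name=%s\n' "$name"
}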
#######################################
# List installed snaps in the package module format.
# Outputs: one Name=/Version=/Architecture= triple per snap on stdout
#
# `snap list` prints a header followed by one row per snap:
#   Name         Version  Rev   Developer  Notes
#   core         16-2.30  3748  canonical  core
#   hello-world  6.3      27    canonical  -
#
# which becomes:
#   Name=core
#   Version=16-2.30
#   Architecture=none
#######################################
list_installed() {
  # NR > 1 skips the header row.
  snap list | awk '
    NR > 1 {
      print "Name=" $1
      print "Version=" $2
      print "Architecture=none"
    }'
}
#######################################
# Install the snap named in the request.
# Globals:   INPUT_Name (read) - the script aborts with a message if unset
# Outputs:   snap's own output, redirected to stderr
# Returns:   the exit status of `snap install`
#######################################
repo_install() {
  name="${INPUT_Name?Name must be given to repo-install}"
  # TODO: investigate channel, revision flags
  snap install "$name" 1>&2
}
#######################################
# Report available updates. Currently reports none.
# Returns: 0
#######################################
list_updates() {
  # Snaps are updated daily by default. At the time of writing the
  # auto-update cannot be disabled, only delayed.
  # TODO: Get example output showing updates from `snap refresh --list`
  return 0
}
#######################################
# Remove the snap named in the request.
# Globals:   INPUT_Name (read) - the script aborts with a message if unset
# Outputs:   snap's own output, redirected to stderr
# Returns:   the exit status of `snap remove`
#######################################
remove() {
  name="${INPUT_Name?Name must be given to remove}"
  snap remove "$name" 1>&2
}
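#######################################
# Read the request from stdin and run the requested operation.
# Arguments: $1 - operation name (e.g. get-package-data, repo-install)
# Inputs:    key=value lines on stdin; each becomes a variable INPUT_<key>
#            that the operation functions called from here can read
# Outputs:   the operation's protocol output, or an ErrorMessage= line for
#            an unknown operation
#######################################
main() {
  local operation=${1:-}
  local line

  # -r keeps backslashes in the input literal. The extra test picks up a
  # final line that has no trailing newline.
  while read -r line || [[ -n "$line" ]]; do
    # Each line is expected to be an assignment such as
    #   File=syncthing
    # Only lines whose key is a plain identifier are accepted, and the
    # argument to declare is quoted. Unquoted, a value containing spaces
    # would be split into further arguments and could define or override
    # unrelated variables (PATH, for instance) for the commands run below.
    if [[ "$line" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]]; then
      declare "INPUT_${line}"
    elif [[ -n "$line" ]]; then
      echo "Ignoring malformed input line" >&2
    fi
  done

  case "$operation" in
    supports-api-version)
      echo 1
      ;;
    get-package-data)
      get_package_data
      ;;
    list-installed)
      list_installed
      ;;
    repo-install)
      repo_install
      ;;
    list-updates)
      list_updates
      ;;
    list-updates-local)
      list_updates
      ;;
    remove)
      remove
      ;;
    *)
      echo "ErrorMessage=Invalid operation"
      ;;
  esac
}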
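# Pass the arguments through quoted so the operation name reaches main
# without word splitting or glob expansion.
main "$@"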
cfengine-masterfiles-3.24.2/modules/packages/vendored/pkgsrc.mustache 0000755 0000000 0000000 00000012604 15010704240 025751 0 ustar 00root root 0000000 0000000 #!/bin/sh
## Licensed under:
## MIT Public License
## http://www.opensource.org/licenses/MIT
## Copyright (c) 2015, Brian Bennett
## pkgsrc package module for cfengine
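# Set up mock environment if necessary.
# When CFENGINE_TEST_PKGSRC_MOCK is non-empty, pkgin and pkg_info resolve to
# ./mock_pkgin and ./mock_pkg_info, relative to the current directory. This
# is a test hook: the variable decides which programs this module runs, so
# it must not be settable by anything less trusted than the agent itself.
if [ -n "$CFENGINE_TEST_PKGSRC_MOCK" ]; then
    alias pkgin='./mock_pkgin'
    alias pkg_info='./mock_pkg_info'
fi
# /opt/local supports SmartOS
# /opt/pkg supports Mac OS X from Joyent, 2015Q2 or later
# /usr/pkg supports standard pkgsrc
# This should be sufficient to support all platforms supported by pkgsrc.
# pkgsrc bootstrapped manually to non-standard locations is not currently supported.
PATH=/opt/local/bin:/opt/local/sbin:/opt/pkg/bin:/opt/pkg/sbin:/usr/pkg/bin:/usr/pkg/sbin:$PATH
export PATH
# Assign first and export afterwards: the command output is then never
# word-split by shells that split the arguments of `export`.
MACHINE_ARCH=$(pkg_info -X pkg_install | grep MACHINE_ARCH | cut -d = -f 2)
export MACHINE_ARCH
PKG_ROOT=$(pkg_info -pq pkg_install | cut -d ' ' -f 2 | sort -u)
export PKG_ROOT
PKG_INSTALL_CONF="${PKG_ROOT}/etc/pkg_install.conf"
export PKG_INSTALL_CONF
# Trace level read by warn(); 0 keeps it silent.
LEVEL=0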
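# Report an error in the package module format and stop.
# Arguments: the message words; they are joined with single spaces
# Outputs:   one "ErrorMessage=<message>" line on stdout
# Exits:     with status 2
fatal () {
    # "$*" yields one string (mixing "$@" into a string is unspecified), and
    # printf avoids echo's shell-dependent handling of backslashes.
    printf 'ErrorMessage=%s\n' "$*"
    exit 2
}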
# Write a trace message to stderr when LEVEL is greater than 0.
# Arguments: the message words
# Returns:   non-zero when nothing was printed because LEVEL is not above 0
warn () {
    test $LEVEL -gt 0 || return
    echo "[TRACE]: $*" >&2
}
# Print the package module API version this script implements.
supports_api_version () {
    printf '%s\n' 1
}
# Install a package from the repository with pkgin.
# Globals: Name, Version (read); ver (written when Version is set)
# Outputs: pkgin's stdout is discarded; on failure an error is reported
#          through fatal, which ends the script
repo_install () {
    # pkgin wants "name-version", so a requested version is prefixed with a
    # dash.
    if [ -n "$Version" ]; then
        ver="-$Version"
    fi
    if ! pkgin -y in "${Name}${ver}" > /dev/null; then
        fatal "Error installing ${Name}${ver}"
    fi
}
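# Install a package file (or URL) with pkg_add.
# Globals: File, PKG_INSTALL_CONF (read)
# Outputs: pkg_add's stdout is discarded; on failure an ErrorMessage= line
#          is printed and the script exits through fatal
file_install () {
    # The specified config file might, for example, override signature
    # requirements:
    #   VERIFIED_INSTALLATION=never
    # so what PKG_INSTALL_CONF points at decides whether unsigned packages
    # are accepted here.
    if ! pkg_add -U -C "$PKG_INSTALL_CONF" "$File" > /dev/null; then
        # Report the failure the way repo_install does. A bare text line is
        # not a key=value protocol line, and returning success would hide
        # the failure from the caller.
        fatal "Error installing ${File}"
    fi
}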
# Remove a package with pkgin.
# Globals: Name, Version (read); ver (written when Version is set)
# Returns: the exit status of pkgin; its stdout is discarded
remove () {
    # pkgin wants "name-version", so a requested version is prefixed with a
    # dash.
    if [ -n "$Version" ]; then
        ver="-$Version"
    fi
    pkgin -y rm "${Name}${ver}" > /dev/null
}
# List installed packages: pkgin's parsable listing is handed to
# parse_pkg_data, which prints the protocol lines.
list_installed () {
    installed_pkgs=$(pkgin -p list)
    parse_pkg_data "$installed_pkgs"
}
# List available updates after refreshing the repository data.
# list-updates differs from list-updates-local, it seems, in that it is
# expected to refresh from the upstream repository first. pkgin's output
# for the refresh goes to stderr so it cannot mix with the protocol lines.
list_updates () {
    pkgin -f update 1>&2
    list_updates_local
}
# List available updates from the data pkgin already has: the parsable
# output of `pkgin -pl '<' ls` is handed to parse_pkg_data.
list_updates_local () {
    upgradable_pkgs=$(pkgin -pl '<' ls)
    parse_pkg_data "$upgradable_pkgs"
}
# Classify the requested package as a file or a repository package.
# Globals: File, Version (read)
# Outputs: PackageType= and Name= lines on stdout
get_package_data () {
    case "$File" in
        */*)
            # A / in $File means a 'file' install. This is reliable because
            # pkgsrc package names contain no / and because cfengine can't
            # install a PackageType=file from a relative path.
            #
            # The package is installed with pkg_add later, which also
            # supports arbitrary HTTP locations.
            echo "PackageType=file"
            # To appease cfengine, report the basename of the package.
            echo "Name=${File##*/}"
            ;;
        *)
            # Without a / it must be in an existing remote repo, because
            # cfengine can't install files from relative paths.
            echo "PackageType=repo"
            # Cfengine expects a *single* matching package, so sort and
            # return the most recent. A specified version may match
            # partially, in which case the latest is taken again. The intent
            # is to return nothing when name or version do not match.
            # There's possibly a bug here because PackageType=repo has
            # already been emitted by then.
            #
            # $File and $Version are interpolated into the grep patterns, so
            # regex metacharacters in them are matched as patterns, not as
            # literal text.
            parse_pkg_data "$(pkgin -pP avail | grep "^${File}-[0-9]" | grep "$Version;" | sort -n | tail -1)" | grep Name
            ;;
    esac
}
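# Convert pkgin's parsable output into Name=/Version=/Architecture= lines.
# Arguments: pkgin output, one "name-version;description" record per line
# Globals:   MACHINE_ARCH (read from the environment by awk)
# Outputs:   three protocol lines per input line on stdout
parse_pkg_data () {
    # This is a bit tricky.
    # pkgin is called with the parsable format and separates fields with ';'.
    # Name and version are joined with '-', but package names may contain
    # '-' as well, as in mozilla-rootcerts-1.0.20141117nb1.
    #
    # $1 is the name-version compound; the description in $2.. is discarded.
    # $1 is split on '-' into the array 'package' of length 'l'. The last
    # element is taken as the version, and the elements before it are joined
    # with dashes again to give the name. The machine architecture is
    # printed last.
    #
    # The loop bounds below were restored from this description; the loop
    # had lost its comparison operators.
    echo "$*" | awk -F';' '
    {
        separator="-"
        l=split($1,package,separator)
        version=package[l]
        printf("Name=")
        for (i=1;i<l;i++) {
            if (i>1) {
                printf("-")
            }
            printf("%s",package[i])
        }
        printf("\nVersion=%s\n",version)
        printf("Architecture=%s\n",ENVIRON["MACHINE_ARCH"])
    }'
}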
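# Cfengine passes data on STDIN as key=value lines. Absorb that and convert
# it to shell variables.
#
# The lines are not handed to eval as they are: that would run any shell
# syntax found in a package name, path or version. Instead the key must be a
# plain identifier and the value is assigned literally, with no expansion or
# quote removal.
#
# NOTE(review): any identifier is accepted as a key, so the sender can still
# set variables such as PATH or PKG_INSTALL_CONF. Restrict the keys if the
# protocol's attribute set is known to be closed.
set_input_var () {
    case "$1" in
        *=*) ;;
        *) return 1 ;;
    esac
    _siv_key=${1%%=*}
    _siv_value=${1#*=}
    case "$_siv_key" in
        '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    # Only the validated identifier is expanded into the evaluated text; the
    # value is reached through a variable reference and is never parsed as
    # shell code.
    eval "${_siv_key}=\${_siv_value}"
}
while IFS= read -r line; do
    set_input_var "$line"
    # options can be passed multiple times so we need to avoid clobbering
    # previous instances. Plus, what we really want is the assignment held
    # in the value of each option, so it is applied after every line.
    if [ -n "$options" ]; then
        set_input_var "$options"
    fi
done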
# Run the operation named by the first argument; anything else is reported
# through fatal.
operation=$1
case "$operation" in
    supports-api-version)
        supports_api_version
        ;;
    repo-install)
        repo_install
        ;;
    file-install)
        file_install
        ;;
    remove)
        remove
        ;;
    list-installed)
        list_installed
        ;;
    list-updates)
        list_updates
        ;;
    list-updates-local)
        list_updates_local
        ;;
    get-package-data)
        get_package_data
        ;;
    *)
        fatal "Invalid operation"
        ;;
esac
cfengine-masterfiles-3.24.2/modules/packages/vendored/yum.mustache 0000755 0000000 0000000 00000037417 15010704240 025303 0 ustar 00root root 0000000 0000000 #!/usr/bin/python
# Note that the shebang above is ignored when run in policy
# See lib/packages.cf `package_module yum` use of the
# `interpreter` attribute to use cfengine-selected-python.
import sys
import os
import subprocess
import re
# The rpm and yum binaries default to absolute paths. The CFENGINE_TEST_*
# environment variables replace them; since these commands are what the
# module runs to install and remove packages, the environment it is started
# with must be controlled by the agent.
rpm_cmd = os.environ.get("CFENGINE_TEST_RPM_CMD", "/bin/rpm")
rpm_quiet_option = ["--quiet"]
# Query format that makes rpm print the protocol's three lines per package.
rpm_output_format = (
"Name=%{name}\nVersion=%{epoch}:%{version}-%{release}\nArchitecture=%{arch}\n"
)
yum_cmd = os.environ.get("CFENGINE_TEST_YUM_CMD", "/usr/bin/yum")
# Extended at run time with "options=" values from the request.
yum_options = ["--quiet", "-y"]
# Sink for child output that should be discarded.
NULLFILE = open(os.devnull, "w")
# -1: not probed yet; afterwards 0 or 1, see redirection_is_broken().
redirection_is_broken_cached = -1
def redirection_is_broken():
    # Report (1 or 0) whether subprocess redirection closes stderr.
    #
    # Older versions of Python have a bug where stderr cannot be redirected
    # with subprocess, and an attempt to redirect *anything*, not necessarily
    # stderr, closes it instead. That is very bad: RPM may then open its
    # database on file descriptor 2 and write error messages straight into
    # the database file. "stdout=subprocess.PIPE" does not trigger the bug.
    #
    # The probe re-runs this script with "internal-test-stderr" while
    # redirecting stdout, and the answer is cached for later calls.
    global redirection_is_broken_cached
    if redirection_is_broken_cached != -1:
        return redirection_is_broken_cached

    probe = [sys.executable, sys.argv[0], "internal-test-stderr"]
    probe_status = subprocess.call(probe, stdout=sys.stderr)
    redirection_is_broken_cached = 0 if probe_status == 0 else 1
    return redirection_is_broken_cached
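def subprocess_Popen(cmd, stdout=None, stderr=None):
    # Start cmd like subprocess.Popen, working around broken redirection.
    #
    # cmd    -- argument list; no shell is involved
    # stdout -- None, subprocess.PIPE or an object with fileno()
    # stderr -- None, subprocess.PIPE or an object with fileno()
    #
    # When redirection works, nothing is redirected, or a pipe is requested
    # (pipes do not trigger the bug), this is plain subprocess.Popen.
    if (
        not redirection_is_broken()
        or (stdout is None and stderr is None)
        or stdout == subprocess.PIPE
        or stderr == subprocess.PIPE
    ):
        return subprocess.Popen(cmd, stdout=stdout, stderr=stderr)

    # Otherwise point our own descriptors 1 and 2 at the targets, let the
    # child inherit them, and put the originals back afterwards.
    old_stdout_fd = -1
    old_stderr_fd = -1
    try:
        if stdout is not None:
            old_stdout_fd = os.dup(1)
            os.dup2(stdout.fileno(), 1)
        if stderr is not None:
            old_stderr_fd = os.dup(2)
            os.dup2(stderr.fileno(), 2)
        return subprocess.Popen(cmd)
    finally:
        # Restore even when Popen raises (for example because the command is
        # missing). Otherwise this process would keep writing to the
        # redirected descriptors and leak the saved ones.
        if old_stdout_fd >= 0:
            os.dup2(old_stdout_fd, 1)
            os.close(old_stdout_fd)
        if old_stderr_fd >= 0:
            os.dup2(old_stderr_fd, 2)
            os.close(old_stderr_fd)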
def subprocess_call(cmd, stdout=None, stderr=None):
    # Run cmd through subprocess_Popen, wait for it and return its exit
    # status.
    return subprocess_Popen(cmd, stdout, stderr).wait()
def get_package_data():
    # Classify the package named by the last "File=" line on stdin.
    #
    # An absolute path is a package file, and rpm is asked for its metadata.
    # Any other string is a repository package name, unless it contains ':'
    # or ','. Returns 0 on success, 1 for a missing or illegal package
    # string, or rpm's exit status when the file query fails.
    pkg_string = ""
    last_line = ""
    # stdin is always read to the end, even after a match.
    for last_line in sys.stdin:
        if last_line.startswith("File="):
            pkg_string = last_line.split("=", 1)[1].rstrip()

    if not pkg_string:
        return 1

    if pkg_string.startswith("/"):
        # Absolute file.
        sys.stdout.write("PackageType=file\n")
        sys.stdout.flush()
        query = subprocess_Popen(
            [rpm_cmd, "--qf", rpm_output_format, "-qp", pkg_string],
            stdout=subprocess.PIPE,
        )
        (stdoutdata, _) = query.communicate()
        if query.returncode != 0:
            return query.returncode
        for row in stdoutdata.decode("utf-8").splitlines():
            # rpm prints "(none)" for a package without epoch; drop it.
            sys.stdout.write(row.replace("(none):", "") + "\n")
        return 0

    if re.search("[:,]", pkg_string):
        # Contains an illegal symbol.
        # NOTE(review): this echoes the last line read from stdin in front
        # of the message, and uses "ErrorMessage:" where other modules on
        # this page print "ErrorMessage=" - confirm what the agent expects.
        sys.stdout.write(last_line + "ErrorMessage: Package string with illegal format\n")
        return 1

    sys.stdout.write("PackageType=repo\n")
    sys.stdout.write("Name=" + pkg_string + "\n")
    return 0
def list_installed():
    # Print every installed RPM as Name=/Version=/Architecture= lines.
    #
    # Returns 0, or rpm's exit status when the query fails.

    # The request on stdin carries nothing needed here; drain it.
    sys.stdin.readlines()

    query = subprocess_Popen(
        [rpm_cmd, "-qa", "--qf", rpm_output_format], stdout=subprocess.PIPE
    )
    (stdoutdata, _) = query.communicate()
    if query.returncode != 0:
        return query.returncode

    for row in stdoutdata.decode("utf-8").splitlines():
        # rpm prints "(none)" for a package without epoch; drop it.
        sys.stdout.write(row.replace("(none):", "") + "\n")
    return 0
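def list_updates(online):
    # Print the packages "yum check-update" reports as updatable.
    #
    # online -- when false, yum is run with -C
    #
    # Returns 0 after printing updates; otherwise yum's exit status (0 when
    # there are no updates, 1 on error).
    global yum_options

    # "options=" values from the request are added to the yum command line:
    # values starting with "-" unchanged, enablerepo=/disablerepo= prefixed
    # with "--". Whoever writes the request therefore controls yum's options.
    for line in sys.stdin:
        line = line.strip()
        if line.startswith("options="):
            option = line[len("options="):]
            if option.startswith("-"):
                yum_options.append(option)
            elif option.startswith("enablerepo=") or option.startswith("disablerepo="):
                yum_options.append("--" + option)

    online_flag = []
    if not online:
        online_flag = ["-C"]

    process = subprocess_Popen(
        [yum_cmd] + yum_options + online_flag + ["check-update"], stdout=subprocess.PIPE
    )
    (stdoutdata, _) = process.communicate()

    # Return codes of `yum check-update`:
    #   0   no updates
    #   1   there was an error
    #   100 updates are available
    if process.returncode == 1 and not online:
        # An error while listing local updates: try again using the online
        # method, so that the cache is generated.
        process = subprocess_Popen(
            [yum_cmd] + yum_options + ["check-update"], stdout=subprocess.PIPE
        )
        (stdoutdata, _) = process.communicate()

    if process.returncode != 100:
        # Either there were no updates or an error happened; nothing to do.
        return process.returncode

    # The named groups were restored to match the group() calls below, in
    # the column order "name.arch  version  repository" - confirm against
    # real yum output.
    update_row = re.compile(
        r"^(?P<name>\S+)\.(?P<arch>[^.\s]+)\s+(?P<version>\S+)\s+\S+\s*$"
    )

    lastline = ""
    for line in stdoutdata.decode("utf-8").splitlines():
        # Combine multiline entries into one line. A line without at least
        # three space separated fields gets combined with the next line, if
        # that line starts with a space.
        if lastline and (len(line) == 0 or not line[0].isspace()):
            # Line does not start with a space. No combination.
            lastline = ""
        line = lastline + line

        if re.match(r"^\S+\s+\S+\s+\S+", line) is None:
            # Keep the line for the next round.
            lastline = line
            continue
        lastline = ""

        match = update_row.match(line)
        if match is not None:
            sys.stdout.write("Name=" + match.group("name") + "\n")
            sys.stdout.write("Version=" + match.group("version") + "\n")
            sys.stdout.write("Architecture=" + match.group("arch") + "\n")
    return 0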
# Returns a pair:
# List 1: Contains arguments for a single command line.
# List 2: Contains arguments for multiple command lines (see comments in
# repo_install()).
def one_package_argument(name, arch, version, is_yum_install):
    # Build the yum argument(s) for one requested package.
    #
    # Each argument has the form name[-version][.arch]. The result is a pair
    # (single, multi): the arguments land in "multi" only when the package is
    # already installed and a version was requested, otherwise in "single".
    requested_archs = [arch] if arch else []
    already_installed = False

    if is_yum_install:
        # Ask rpm which architectures of this package are installed.
        query = subprocess_Popen(
            [rpm_cmd, "--qf", "%{arch}\n", "-q", name], stdout=subprocess.PIPE
        )
        installed_archs = [raw.decode("utf-8").rstrip() for raw in query.stdout]
        query.wait()
        if query.returncode == 0 and installed_archs:
            already_installed = True
            if not arch:
                # No architecture was requested and we are installing:
                # operate on the installed ones rather than the platform
                # default.
                requested_archs += installed_archs

    suffix = "-" + version if version else ""

    if requested_archs:
        specs = [name + suffix + "." + one_arch for one_arch in requested_archs]
    else:
        specs = [name + suffix]

    if already_installed and version:
        return [], specs
    return specs, []
# Returns a pair:
# List 1: Contains arguments for a single command line.
# List 2: Contains arguments for multiple command lines (see comments in
# repo_install()). This is a list of lists, where the logic is:
# list
# | +---- package1:amd64 -+
# +- sublist ---+ +--- Do these together
# | +---- package1:i386 -+
# |
# |
# | +---- package2:amd64 -+
# +- sublist ---+ +--- And these together
# +---- package2:i386 -+
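def package_arguments_builder(is_yum_install):
    # Turn the request on stdin into yum arguments.
    #
    # Name=/Version=/Architecture= lines describe the packages. "options="
    # lines are appended to the module-level yum_options as a side effect.
    #
    # Returns (single_cmd_args, multi_cmd_args): a flat list of arguments for
    # one command line, and a list of argument lists that are each run on
    # their own. Consecutive entries with the same name are merged into the
    # same sub-list.
    single_cmd_args = []  # List of arguments
    multi_cmd_args = []   # List of lists of arguments

    def flush(name, arch, version, old_name):
        # Convert one completed entry and file its arguments.
        single_list, multi_list = one_package_argument(
            name, arch, version, is_yum_install
        )
        single_cmd_args.extend(single_list)
        if name == old_name and multi_cmd_args:
            # Packages that differ only by architecture should be processed
            # together. The emptiness check matters: when the earlier entry
            # of the same name produced no multi-command arguments (always
            # the case for removals) there is no sub-list to extend, and
            # indexing [-1] would raise IndexError.
            multi_cmd_args[-1] += multi_list
        elif multi_list:
            # Otherwise we process them individually.
            multi_cmd_args.append(multi_list)

    name = ""
    version = ""
    arch = ""
    old_name = ""
    for line in sys.stdin:
        line = line.strip()
        if line.startswith("options="):
            # Values starting with "-" are passed to yum unchanged, and
            # enablerepo=/disablerepo= get a "--" prefix. Whoever writes the
            # request therefore controls yum's options.
            option = line[len("options="):]
            if option.startswith("-"):
                yum_options.append(option)
            elif option.startswith("enablerepo=") or option.startswith("disablerepo="):
                yum_options.append("--" + option)
        if line.startswith("Name="):
            if name:
                # Each new "Name=" closes the previous entry.
                flush(name, arch, version, old_name)
                version = ""
                arch = ""
            old_name = name
            name = line.split("=", 1)[1].rstrip()
        elif line.startswith("Version="):
            version = line.split("=", 1)[1].rstrip()
        elif line.startswith("Architecture="):
            arch = line.split("=", 1)[1].rstrip()

    if name:
        # The last entry has no following "Name=" to close it.
        flush(name, arch, version, old_name)

    return single_cmd_args, multi_cmd_args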
def repo_install():
    # Install or change the version of the packages requested on stdin.
    #
    # package_arguments_builder() splits the request in two:
    #
    # * Arguments that fit on one command line (fresh installs, and existing
    #   packages with no version requested) go into a single "yum install".
    # * Already-installed packages with an explicit version are handled one
    #   block at a time, because:
    #     a) no one yum command does both; "install" and "upgrade" only
    #        upgrade, "downgrade" only downgrades;
    #     b) neither rpm nor yum says which of two versions is higher, and
    #        experience with the old package promise implementation says not
    #        to attempt that comparison here;
    #     c) yum has no dry-run mode;
    #     d) yum does not report whether the operation succeeded.
    #   For each block:
    #     1. try "yum upgrade", then ask rpm whether every item is installed;
    #     2. if not, try "yum downgrade" and ask again;
    #     3. if still not, run "yum install". This covers adding a second
    #        architecture of a package that already has one installed.
    #   No check follows step 3; CFEngine does the final check.
    #
    # This is considerably more expensive than the apt module, where one call
    # handles any number of packages. Worst case with yum:
    #     1 + 5 * number_of_packages
    # and more commonly:
    #     1 + 2 * number_of_packages
    # since many simultaneous downgrades are unlikely.
    #
    # Returns the status of the single "yum install" call (0 if it did not
    # run). 0 does not mean everything succeeded; checking is expensive, so
    # that is left to CFEngine.

    def all_installed(items):
        # rpm -q exits non-zero for an item that is not installed; stop at
        # the first such item.
        for item in items:
            probe = [rpm_cmd] + rpm_quiet_option + ["-q", item]
            if subprocess_call(probe, stdout=NULLFILE) != 0:
                return False
        return True

    single_cmd_args, multi_cmd_args = package_arguments_builder(True)

    ret = 0
    if single_cmd_args:
        ret = subprocess_call(
            [yum_cmd] + yum_options + ["install"] + single_cmd_args, stdout=NULLFILE
        )

    for block in multi_cmd_args:
        for action in ("upgrade", "downgrade"):
            subprocess_call([yum_cmd] + yum_options + [action] + block, stdout=NULLFILE)
            if all_installed(block):
                break
        else:
            # Neither upgrade nor downgrade got there: try a plain install.
            subprocess_call([yum_cmd] + yum_options + ["install"] + block, stdout=NULLFILE)

    return ret
def remove():
    # Remove the packages named on stdin with one "yum remove" call.
    #
    # Returns that call's exit status, or 0 when nothing was requested.
    #
    # NOTE(review): the command line is assembled before the request is
    # parsed, so "options=" lines in the request are appended to yum_options
    # too late to reach this call - confirm whether that is intended.
    cmd_line = [yum_cmd] + yum_options + ["remove"]

    # For removals the second element of the pair is always empty, so only
    # the single-command arguments are used.
    packages, _unused_multi = package_arguments_builder(False)
    if not packages:
        return 0

    return subprocess_call(cmd_line + packages, stdout=NULLFILE)
def file_install():
    # Install every package file named by a "File=" line on stdin with a
    # single "rpm --force -U" call.
    #
    # The paths are passed to rpm exactly as received. Returns rpm's exit
    # status, or 0 when no file was named.
    cmd_line = [rpm_cmd] + rpm_quiet_option + ["--force", "-U"]

    files = [line.split("=", 1)[1].rstrip()
             for line in sys.stdin
             if line.startswith("File=")]

    if not files:
        return 0
    return subprocess_call(cmd_line + files, stdout=NULLFILE)
def main():
    # Dispatch on the operation named in argv[1] and return its exit status.
    # A missing or unknown operation returns 2.
    if len(sys.argv) < 2:
        sys.stderr.write("Need to provide argument\n")
        return 2

    operation = sys.argv[1]

    if operation == "internal-test-stderr":
        # fstat() raises OSError if stderr is closed.
        try:
            os.fstat(2)
        except OSError:
            return 1
        return 0

    if operation == "supports-api-version":
        sys.stdout.write("1\n")
        return 0

    handlers = {
        "get-package-data": get_package_data,
        "list-installed": list_installed,
        "list-updates": lambda: list_updates(True),
        "list-updates-local": lambda: list_updates(False),
        "repo-install": repo_install,
        "remove": remove,
        "file-install": file_install,
    }
    handler = handlers.get(operation)
    if handler is None:
        sys.stderr.write("Invalid operation\n")
        return 2
    return handler()
# Run the requested operation; its return value becomes the exit status.
sys.exit(main())
cfengine-masterfiles-3.24.2/modules/packages/vendored/apt_get.mustache 0000755 0000000 0000000 00000034230 15010704240 026102 0 ustar 00root root 0000000 0000000 #!/usr/bin/python
# Note that the shebang above is ignored when run in policy
# See lib/packages.cf `package_module apt_get` use of the
# `interpreter` attribute to use cfengine-selected-python.
import sys
import os
import subprocess
import re
PY3 = sys.version_info > (3,)

# The dpkg and apt-get binaries default to absolute paths. The
# CFENGINE_TEST_* environment variables replace them; since these commands
# are what the module runs to install and remove packages, the environment it
# is started with must be controlled by the agent.
dpkg_options = ["--force-confold", "--force-confdef"]
dpkg_cmd = os.environ.get('CFENGINE_TEST_DPKG_CMD', "/usr/bin/dpkg")
dpkg_deb_cmd = os.environ.get('CFENGINE_TEST_DPKG_DEB_CMD', "/usr/bin/dpkg-deb")
dpkg_query_cmd = os.environ.get('CFENGINE_TEST_DPKG_QUERY_CMD', "/usr/bin/dpkg-query")

# Formats that make dpkg print the protocol's lines for each package.
dpkg_output_format = "Name=${Package}\nVersion=${Version}\nArchitecture=${Architecture}\n"
dpkg_status_format = "Status=${Status}\n" + dpkg_output_format

apt_get_cmd = os.environ.get('CFENGINE_TEST_APT_GET_CMD', "/usr/bin/apt-get")

# Some options only work with specific versions of apt, so the current
# version must be known in order to do the right thing. It is the second
# space-separated word on the first line of "apt-get -v".
apt_version = subprocess.Popen(
    [apt_get_cmd, '-v'],
    stdout=subprocess.PIPE,
    universal_newlines=True,
).communicate()[0]
apt_version = apt_version.splitlines()[0].split(' ')[1]

apt_get_options = [
    "-o", "Dpkg::Options::=--force-confold",
    "-o", "Dpkg::Options::=--force-confdef",
    "-y",
]

# Compare only the first two numbers of the version, so that versions like
# 1.1.1ubuntu2 work.
if [int(x) for x in apt_version.split(".")[0:2]] < [1, 1]:
    apt_get_options.append("--force-yes")
else:
    # The --force-yes option was deprecated in apt-get 1.1
    apt_get_options.extend([
        "--allow-downgrades",
        "--allow-remove-essential",
        "--allow-change-held-packages",
    ])

os.environ['DEBIAN_FRONTEND'] = "noninteractive"
os.environ['LC_ALL'] = "C"

# Sink for child output that should be discarded.
NULLFILE = open(os.devnull, 'w')

# -1: not probed yet; afterwards 0 or 1, see redirection_is_broken().
redirection_is_broken_cached = -1
def redirection_is_broken():
    # Report (1 or 0) whether subprocess redirection closes stderr.
    #
    # Older versions of Python have a bug where stderr cannot be redirected
    # with subprocess, and an attempt to redirect *anything*, not necessarily
    # stderr, closes it instead. That is very bad: a package tool may then
    # open its database on file descriptor 2 and write error messages
    # straight into it (the original note describes this for RPM).
    # "stdout=subprocess.PIPE" does not trigger the bug.
    #
    # The probe re-runs this script with "internal-test-stderr" while
    # redirecting stdout, and the answer is cached for later calls.
    global redirection_is_broken_cached
    if redirection_is_broken_cached != -1:
        return redirection_is_broken_cached

    probe = [sys.executable, sys.argv[0], "internal-test-stderr"]
    probe_status = subprocess.call(probe, stdout=sys.stderr)
    redirection_is_broken_cached = 0 if probe_status == 0 else 1
    return redirection_is_broken_cached
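def subprocess_Popen(cmd, stdout=None, stderr=None):
    # Start cmd like subprocess.Popen, working around broken redirection.
    #
    # cmd    -- argument list; no shell is involved
    # stdout -- None, subprocess.PIPE or an object with fileno()
    # stderr -- None, subprocess.PIPE or an object with fileno()
    #
    # When redirection works, nothing is redirected, or a pipe is requested
    # (pipes do not trigger the bug), this is plain subprocess.Popen.
    if ((not redirection_is_broken())
            or (stdout is None and stderr is None)
            or (stdout == subprocess.PIPE)
            or (stderr == subprocess.PIPE)):
        return subprocess.Popen(cmd, stdout=stdout, stderr=stderr)

    # Otherwise point our own descriptors 1 and 2 at the targets, let the
    # child inherit them, and put the originals back afterwards.
    old_stdout_fd = -1
    old_stderr_fd = -1
    try:
        if stdout is not None:
            old_stdout_fd = os.dup(1)
            os.dup2(stdout.fileno(), 1)
        if stderr is not None:
            old_stderr_fd = os.dup(2)
            os.dup2(stderr.fileno(), 2)
        return subprocess.Popen(cmd)
    finally:
        # Restore even when Popen raises (for example because the command is
        # missing). Otherwise this process would keep writing to the
        # redirected descriptors and leak the saved ones.
        if old_stdout_fd >= 0:
            os.dup2(old_stdout_fd, 1)
            os.close(old_stdout_fd)
        if old_stderr_fd >= 0:
            os.dup2(old_stderr_fd, 2)
            os.close(old_stderr_fd)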
def subprocess_call(cmd, stdout=None, stderr=None):
    # Run cmd through subprocess_Popen, wait for it and return its exit
    # status.
    return subprocess_Popen(cmd, stdout, stderr).wait()
def get_package_data():
    # Classify the package named by the last "File=" line on stdin.
    #
    # An absolute path is a package file, and dpkg-deb is asked for its
    # metadata. Any other string is a repository package name, unless it
    # contains ':' or ',' or an underscore followed by a digit (which looks
    # like an embedded version). Returns 0 on success, 1 for a missing or
    # illegal package string, or dpkg-deb's exit status for a file.
    pkg_string = ""
    last_line = ""
    # stdin is always read to the end, even after a match.
    for last_line in sys.stdin:
        if last_line.startswith("File="):
            pkg_string = last_line.split("=", 1)[1].rstrip()

    if not pkg_string:
        return 1

    if pkg_string.startswith("/"):
        # Absolute file.
        sys.stdout.write("PackageType=file\n")
        sys.stdout.flush()
        return subprocess_call([dpkg_deb_cmd, "--showformat", dpkg_output_format, "-W", pkg_string])

    if re.search("([:,]|_[0-9])", pkg_string):
        # Contains either a version number or an illegal symbol.
        # NOTE(review): this echoes the last line read from stdin in front
        # of the message, and uses "ErrorMessage:" where other modules on
        # this page print "ErrorMessage=" - confirm what the agent expects.
        sys.stdout.write(last_line + "ErrorMessage: Package string with illegal format\n")
        return 1

    sys.stdout.write("PackageType=repo\n")
    sys.stdout.write("Name=" + pkg_string + "\n")
    return 0
def list_installed():
    # Print Name=/Version=/Architecture= lines for installed packages.
    #
    # dpkg-query prints a Status= line ahead of each package's three lines.
    # They are passed on only when the status starts with "install" or
    # "hold" and its third word is installed, half-configured or
    # half-installed. Always returns 0.

    # The request on stdin carries nothing needed here; drain it.
    sys.stdin.readlines()

    process = subprocess_Popen([dpkg_query_cmd, "--showformat", dpkg_status_format, "-W"], stdout=subprocess.PIPE)

    counted_states = ("installed", "half-configured", "half-installed")
    emit = False
    for line in process.stdout:
        if PY3:
            line = line.decode("utf-8")
        line = line.rstrip("\n")

        if line.startswith("Status="):
            # Each Status= line decides the fate of the lines after it.
            wanted = line.startswith("Status=install") or line.startswith("Status=hold")
            emit = wanted and line.split()[2] in counted_states
        elif emit:
            sys.stdout.write(line + "\n")
    return 0
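def list_updates(online):
    """Print the packages for which apt-get would install a newer version.

    Stdin is drained and ignored.  When ``online`` is true, ``apt-get update``
    runs first and a non-zero exit status from it is returned immediately.
    Every ``Inst`` line of the simulated upgrade is printed as ``Name=``,
    ``Version=`` and ``Architecture=`` lines.  Returns 0 otherwise.
    """
    # Ignore everything.
    sys.stdin.readlines()

    if online:
        result = subprocess_call([apt_get_cmd] + apt_get_options + ["update"], stdout=NULLFILE)
        if result != 0:
            return result

    # The named groups are spelled out in full: the code below reads them as
    # "name", "version" and "arch", and a bare "(?P" is not a valid pattern.
    #
    # Example of lines that we try to match:
    #
    #   Inst php5-cli [5.3.10-1ubuntu3.17] (5.3.10-1ubuntu3.18 Ubuntu:12.04/precise-updates [amd64]) []
    #
    # Note architecture included in the name on this one:
    #   Inst php5-cli:i386 [5.3.10-1ubuntu3.17] (5.3.10-1ubuntu3.18 Ubuntu:12.04/precise-updates [i386]) []
    #
    # Note multiple repositories in this one:
    #   Inst linux-libc-dev [2.6.32-48squeeze4] (2.6.32-48squeeze6 Debian:6.0.10/oldstable, Debian-Security:6.0/oldoldstable [amd64])
    #
    # Another example (note the addition of jessie:jessie without a comma):
    #   Inst rudder-agent [4.1.0~rc1-jessie0] (4.1.0-jessie0 release/4.1.0-2 jessie:jessie [amd64])
    inst_line = re.compile(
        # name (an optional ":arch" suffix is skipped), old version in
        # brackets (ignored), then the new version
        r"^Inst\s+(?P<name>[^\s:]+)(?::\S+)?\s+\[[^]\s]+\]\s+\((?P<version>\S+)" +
        # repository(ies) (ignored), then the architecture, which might be
        # absent
        r"(?:\s+\S+)*?(\s+\[(?P<arch>[^]\s]+)\])?\).*")

    # We ignore held packages (--ignore-hold) so that all package updates
    # available are listed. This makes package update listing compatible with
    # debian 8 and higher's `apt list --upgradeable`
    process = subprocess_Popen([apt_get_cmd] + apt_get_options + ["--simulate", "--ignore-hold", "upgrade"], stdout=subprocess.PIPE)
    for line in process.stdout:
        if PY3:
            line = line.decode("utf-8")

        match = inst_line.match(line)
        if match is not None:
            sys.stdout.write("Name=" + match.group("name") + "\n")
            sys.stdout.write("Version=" + match.group("version") + "\n")
            arch = match.group("arch")
            if not arch:
                # No architecture on the line: fall back to the platform's.
                arch = get_platform_arch()
            sys.stdout.write("Architecture=" + arch + "\n")

    return 0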
def get_platform_arch():
    """Return the first line printed by ``dpkg --print-architecture``.

    Trailing whitespace is stripped.  Returns None when the command prints
    nothing.
    """
    query = subprocess_Popen([dpkg_cmd, "--print-architecture"], stdout=subprocess.PIPE)
    first = next(iter(query.stdout), None)
    if first is None:
        return None
    if PY3:
        first = first.decode("utf-8")
    return first.rstrip()
def one_package_argument(name, arch, version, is_apt_install):
    """Build the command-line spellings of one package.

    Returns a list of 2-tuples.  The first element is the spelling without
    ``:architecture`` whenever the architecture equals the platform's; the
    second element carries ``:architecture`` except when installing or when
    no architecture is known.  ``=version`` is appended to both when
    ``version`` is not empty.
    """
    native_arch = get_platform_arch()

    if arch:
        target_archs = [arch]
    else:
        # If we have existing architectures, operate on those, instead
        # of the platform default. stderr is suppressed to avoid
        # message pollution if the package is not installed.
        target_archs = []
        query = subprocess_Popen([dpkg_query_cmd, "--showformat", "${Architecture}=${Status}\n",
                                  "-W", name + ":*"],
                                 stdout=subprocess.PIPE, stderr=NULLFILE)
        for raw in query.stdout:
            text = raw.decode("utf-8") if PY3 else raw
            if "=" not in text:
                continue
            found_arch, status = text.split("=", 1)
            # The space before "installed" is important, because the status
            # can also be "not-installed".
            if status.find(" installed") >= 0:
                target_archs.append(found_arch)

    suffix = ""
    if version != "":
        suffix = "=" + version
    plain = name + suffix

    if not target_archs:
        return [(plain, plain)]

    pairs = []
    for cur_arch in target_archs:
        qualified = name + ':' + cur_arch + suffix
        if cur_arch != native_arch:
            # A package of a foreign architecture is always addressed with
            # the ':architecture' postfix.
            pairs.append((qualified, qualified))
        elif is_apt_install:
            # The entry is duplicated so that repo_install and remove can
            # treat every tuple the same way.
            pairs.append((plain, plain))
        else:
            # For some distributions with multi arch support the package name
            # must carry ':architecture' to remove a package of the native
            # architecture (Debian 7). dpkg implementations disagree on this:
            # on Ubuntu 12 only the bare name works and the postfix results
            # in an error. Both spellings are returned.
            pairs.append((plain, qualified))
    return pairs
def package_arguments_builder(is_apt_install):
    """Turn the request on stdin into a list of package argument tuples.

    Each ``Name=`` line starts a new package; ``Version=`` and
    ``Architecture=`` lines refine the package being collected.  Every
    non-empty ``options=`` value is appended to the module-level
    ``apt_get_options`` list as it is.

    NOTE(review): option values reach the apt-get command line unfiltered, so
    whoever writes the request controls apt-get's flags.  Confirm that this
    input only ever comes from trusted policy.
    """
    global apt_get_options

    name = version = arch = ""
    collected = []

    for line in sys.stdin:
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.rstrip()

        if key == "Name":
            if name:
                # Each new "Name=" triggers a new entry.
                collected.extend(one_package_argument(name, arch, version, is_apt_install))
                version = ""
                arch = ""
            name = value
        elif key == "Version":
            version = value
        elif key == "Architecture":
            arch = value
        elif key == "options":
            if value:
                apt_get_options.append(value)

    if name:
        collected.extend(one_package_argument(name, arch, version, is_apt_install))

    return collected
def repo_install():
    """Install the packages named on stdin with ``apt-get install``.

    Returns 0 when the request names no package, otherwise the exit status of
    apt-get.  The output of apt-get is sent to NULLFILE.
    """
    pairs = package_arguments_builder(True)
    cmd_line = [apt_get_cmd] + apt_get_options + ["install"]

    if not pairs:
        return 0

    # For 'repo_install' both elements of every tuple should be equal, so the
    # first elements are all that is needed.
    names = [pair[0] for pair in pairs]
    if names:
        return subprocess_call(cmd_line + names, stdout=NULLFILE)
    return 0
def remove():
    """Remove the packages named on stdin with ``apt-get remove``.

    Returns 0 when the request names no package, otherwise the exit status of
    the last apt-get call.  The output of apt-get is sent to NULLFILE.
    """
    pairs = package_arguments_builder(False)
    cmd_line = [apt_get_cmd] + apt_get_options + ["remove"]

    if not pairs:
        return 0

    # With multi arch support the first spelling carries no ':architecture'
    # suffix for packages of the native OS architecture; the second one does.
    plain_names = [pair[0] for pair in pairs]
    qualified_names = [pair[1] for pair in pairs]

    # As there seems to be no unified method to remove packages matching
    # native OS architecture, the bare package names are tried first and the
    # 'package_name:architecture' spelling only if that call fails.
    status = subprocess_call(cmd_line + plain_names, stdout=NULLFILE)
    if status != 0 and plain_names != qualified_names:
        status = subprocess_call(cmd_line + qualified_names, stdout=NULLFILE)
    return status
def file_install():
    """Install every file named by a ``File=`` line on stdin with ``dpkg -i``.

    Returns 0 when no ``File=`` line was given, otherwise the exit status of
    dpkg.  The output of dpkg is sent to NULLFILE.

    NOTE(review): the paths are appended to the dpkg command line as read.
    A value that begins with "-" would presumably be taken as an option;
    confirm that the caller only passes real paths.
    """
    base_cmd = [dpkg_cmd] + dpkg_options + ["-i"]

    paths = [line.split("=", 1)[1].rstrip()
             for line in sys.stdin
             if line.startswith("File=")]

    if not paths:
        return 0
    return subprocess_call(base_cmd + paths, stdout=NULLFILE)
def main():
    """Dispatch on the operation given as the first command-line argument.

    Returns the exit status for the process: 2 for a missing or unknown
    operation, otherwise whatever the selected operation returns.
    """
    if len(sys.argv) < 2:
        sys.stderr.write("Need to provide argument\n")
        return 2

    operation = sys.argv[1]

    if operation == "internal-test-stderr":
        # This will cause an exception if stderr is closed.
        try:
            os.fstat(2)
        except OSError:
            return 1
        return 0

    if operation == "supports-api-version":
        sys.stdout.write("1\n")
        return 0

    handlers = {
        "get-package-data": get_package_data,
        "list-installed": list_installed,
        "list-updates": lambda: list_updates(True),
        "list-updates-local": lambda: list_updates(False),
        "repo-install": repo_install,
        "remove": remove,
        "file-install": file_install,
    }
    handler = handlers.get(operation)
    if handler is None:
        sys.stderr.write("Invalid operation\n")
        return 2
    return handler()


sys.exit(main())
cfengine-masterfiles-3.24.2/modules/packages/vendored/slackpkg.mustache 0000755 0000000 0000000 00000012670 15010704240 026262 0 ustar 00root root 0000000 0000000 #!/bin/sh
# Operation requested by the caller (first command-line argument).
CMD=$1
# Architecture used when a request gives an empty Architecture value.
DEFARCH="$(uname -m)"
# Repository option and the space-joined KEY=VALUE request words; both start
# out empty.
REPO=
INPUTLIST=
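# Report an error to the caller as an ErrorMessage= line and exit with 1.
# Arguments: the words of the message.
# The message can contain text taken from the request, so it is printed with
# printf '%s': echo's treatment of backslashes differs between /bin/sh
# implementations, and an escape sequence in the message must not be turned
# into an extra output line.
fatal() {
  printf 'ErrorMessage=%s\n' "$*"
  exit 1
}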
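# Split one KEY=VALUE request line into the globals KEYWORD and VALUE.
# Arguments: $1 - the line.
# The split happens at the first '='.  The sed pair used before took the
# keyword up to the first '=' but the value after the last one, so a value
# that itself contains '=' lost everything before its last '='.
# A line without '=' yields the whole line in both variables, as before.
parse_line() {
  INPUTP="$1"
  KEYWORD=${INPUTP%%=*}
  VALUE=${INPUTP#*=}
  unset INPUTP
}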
# Read the request from stdin, one KEY=VALUE line at a time.
# Sets PKG, NAM, VER, ARCH, TYP and REPO from the recognised keywords and
# appends every accepted pair to the space-joined INPUTLIST.  An unknown
# keyword ends the script through fatal.
# NOTE(review): the options arm only looks at ${repository}, which nothing
# visible here assigns; confirm where it is meant to come from.
read_options() {
  while read -r INPUT ; do
    # Blank lines carry nothing to parse.
    [ -n "${INPUT}" ] || continue

    parse_line "${INPUT}"
    case "${KEYWORD}" in
      File)
        VER=''
        ARCH=''
        PKG="${VALUE}"
        ;;
      Name)
        VER=''
        ARCH=''
        NAM="${VALUE}"
        ;;
      Version)
        VER="${VALUE}"
        ;;
      Architecture)
        # ':=' also stores the default in VALUE, which is recorded below.
        ARCH=${VALUE:=${DEFARCH}}
        ;;
      options*)
        [ -z "${repository}" ] || REPO="-r ${repository}"
        # Option lines are never recorded in INPUTLIST.
        continue
        ;;
      PackageType*)
        TYP="${VALUE}"
        ;;
      *)
        fatal "Invalid input: '${KEYWORD}'."
        ;;
    esac

    if [ -z "${KEYWORD}" ] || [ -z "${VALUE}" ] ; then
      continue
    fi
    INPUTLIST="${INPUTLIST:+${INPUTLIST} }${KEYWORD}=${VALUE}"
  done
}
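# Build the package list PKG for an install or remove operation.
# Arguments: $1 - operation (repo-install, file-install or remove)
#            $2... - the space-joined KEY=VALUE words collected earlier
# Globals:   PKG, VER, TYP (written); DEFARCH (read)
# Ends the script through fatal on input that does not fit the operation.
process_inputs() {
  CMD="$1" ; shift
  OPTIONS="$*"
  # OPTIONS is split on whitespace on purpose: it is a list of KEY=VALUE
  # words.
  # NOTE(review): the unquoted expansion also applies filename globbing, so a
  # value containing '*' or '?' may be replaced by matching file names.
  for OPT in ${OPTIONS} ; do
    # parse_line is called directly.  It used to run inside a command
    # substitution whose (empty) output was handed to eval: the substitution
    # is a subshell, so KEYWORD and VALUE never changed here and every word
    # was judged by whatever the last parsed request line had left behind.
    parse_line "${OPT}"
    case "${KEYWORD}" in
      File*)
        if [ "${CMD}" = 'file-install' ] ; then
          PKG="${PKG} ${VALUE}"
        else
          fatal "Bad Input: '${OPT}' (should be Name=...)."
        fi
        VER=''
        ;;
      Name*)
        if [ "${CMD}" != 'file-install' ] ; then
          PKG="${PKG} ${VALUE}"
        else
          fatal "Bad Input: '${OPT}' (should be File=...)"
        fi
        VER=''
        ;;
      Version*)
        # The version is glued to the name added just before it.
        PKG="${PKG}-${VALUE}"
        ;;
      Architecture*)
        if [ -n "${VALUE}" ] &&
           [ "${VALUE}" != "${DEFARCH}" ] ; then
          fatal "Bad Input: Architecture ${VALUE} does not match ${DEFARCH}."
        fi
        ;;
      PackageType*)
        TYP="${VALUE}"
        ;;
      *)
        # Name the word that was rejected; INPUT is a leftover of the reading
        # loop and does not describe it.
        fatal "Invalid input: '${OPT}'."
        ;;
    esac
  done
}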
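# Classify the requested package and print its PackageType and Name (and,
# for files, the Version and Architecture taken from the file name).
# Globals: NAM, PKG (read; PKG falls back to NAM), TYP (written),
#          PKGNAM, PKGVER (read and written)
# NOTE(review): nothing visible here assigns PKGNAM or PKGVER, so the block
# that folds them together appears to work on empty values; confirm.
get_package_data() {
  if [ -n "${NAM}" ] && [ -z "${PKG}" ] ; then
    PKG="${NAM}"
  fi
  if [ -n "${PKG}" ] ; then
    case "${PKG}" in
      /*|./*) # File Path. It's a file
        TYP='file'
        if [ ! -e "${PKG}" ] ; then
          fatal "No such file: '${PKG}'."
        fi
        ;;
      # URL, it's a file.  Each scheme needs its trailing '*': without it
      # only the bare strings "ftp://" and "file://" matched, and real URLs
      # of those schemes were classified as repository packages.
      http://*|ftp://*|file://*)
        TYP='file'
        ;;
      *)
        TYP='repo'
        ;;
    esac
    echo "PackageType=${TYP}"
    if [ "${TYP}" = 'repo' ] ; then
      if [ -z "$(echo "${PKGVER}" | grep -E '^[0-9]')" ] ; then
        if [ "${PKGNAM}" != "${PKGVER}" ] ; then
          PKGNAM="${PKGNAM}-${PKGVER}"
        fi
        PKGVER=''
      fi
      # Returning version for PackageType=repo is not advised
      # https://docs.cfengine.com/latest/reference-standard-library-package_modules.html
      # if [ -n "${PKGVER}" ] ; then
      #   echo "Version=${PKGVER}"
      # fi
      # Expansions are quoted so that a value is printed as given instead of
      # being word-split and glob-expanded first.
      echo "Name=${PKG}"
    else
      echo "Name=$(echo "${PKG}" |sed -e 's/-[0-9].*$//' -e 's/[^/]+\(.*$\)/\1/' -e 's/.*\///')"
      echo "${PKG}" |sed -e 's/.*\///' -e 's/.*-\([_a-z0-9.?]\+\)-\(.*\)-.*/Version=\1\'$'\nArchitecture=\\2/'
    fi
  fi
}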
# Entry point: answer the API version query at once; for every other
# operation read the request from stdin first.
if [ "${CMD}" = 'supports-api-version' ] ; then
  echo '1'
  exit 0
else
  read_options
fi

case "${CMD}" in
  get-package-data)
    get_package_data
    ;;
  list-installed)
    # One file per installed package; the file name is rewritten into
    # Name=/Version=/Architecture= lines.
    ls -1 /var/log/packages/ |sed -e 's/\([^ ]\+\)-\([_a-zA-Z0-9.?]\+\)-\(.*\)-/Name=\1\'$'\nVersion=\\2\\nArchitecture=\\3/'
    ;;
  list-updates-local|list-updates)
    # Both operations run the same command; grep drops slackpkg's progress
    # and prompt lines.
    slackpkg -dialog=off -batch=on upgrade-all | sed -r 's!^(.+)-(.+)-(i[0-9]86|noarch|x86_64|x86|fw|npmjs)-(.*)$!Name=\1\nVersion=\2\nArchitecture=\3!g' | grep -vE "Total\ package|Do\ you\ wish\ to|Looking\ for|Checking\ local|^$"
    ;;
  repo-install|file-install|remove)
    process_inputs "${CMD}" "${INPUTLIST}"
    # ${PKG} is left unquoted so that the space-separated list becomes one
    # argument per package.
    # NOTE(review): the same expansion applies filename globbing and lets a
    # word that starts with '-' reach the tool as an option; confirm that
    # package names and paths are checked before this point.
    # All output of the tools is discarded; only the exit status is used.
    case "${CMD}" in
      repo-install)
        slackpkg -dialog=off -batch=on -default_answer=yes install ${PKG} 2>/dev/null >/dev/null
        ;;
      file-install)
        installpkg ${PKG} 2>/dev/null >/dev/null
        ;;
      remove)
        slackpkg -dialog=off -batch=on -default_answer=yes remove ${PKG} 2>/dev/null >/dev/null
        ;;
    esac
    # Status of the command run in the selected arm above.
    RC=$?
    if [ ${RC} -ne 0 ] ; then
      fatal "Package manager error"
      # Not reached: fatal exits with status 1, so the tool's own status is
      # never passed on.
      exit $RC
    fi
    ;;
  *)
    fatal "Command '${CMD}' is either not valid or not implemented."
    ;;
esac
cfengine-masterfiles-3.24.2/modules/packages/vendored/apk.mustache 0000755 0000000 0000000 00000004314 15010704240 025232 0 ustar 00root root 0000000 0000000 #!/bin/sh -e
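# Classify INPUT_File: a file that `apk verify` accepts is reported as a file
# package with the Name and Version taken from its file name; anything else
# is reported as a repository package name.
# Globals: INPUT_File (read, required); file, rc, name (written)
get_package_data() {
    file="${INPUT_File?File must be given to get-package-data}"
    # The script runs under -e; switch it off so that a failed verification
    # can be inspected instead of ending the script.
    set +e
    # $file is quoted everywhere below: unquoted, a value with spaces was
    # split into several arguments and glob characters were expanded.
    apk verify "$file" 2>/dev/null >/dev/null
    rc=$?
    set -e
    if [ 0 = $rc ]; then
        echo "PackageType=file"
        name=$(basename "$file")
        # The first '-' separates the name from the version; the ".apk"
        # suffix is split off so that awk sees it as a third field.
        echo "$name" | sed -e 's/-/ /' -e 's/.apk/ apk/' | awk '
        {
          printf("Name=%s\n",$1)
          printf("Version=%s\n",$2)
        }'
    else
        echo PackageType=repo
        echo "Name=$file"
    fi
}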
# Print every installed package as Name=, Version= and Architecture= lines.
list_installed() {
    # Example `apk list --installed` output:
    #   busybox-1.32.0-r3 x86_64 {busybox} (GPL-2.0-only) [installed]
    #
    # After rewrite:
    #   Name=busybox
    #   Version=1.32.0-r3
    #   Architecture=x86_64
    #
    # sed turns the first '-' that precedes a digit into a space, which makes
    # name, version and architecture the first three fields for awk.
    apk list --installed \
        | sed 's/-\([0-9]\)/ \1/' \
        | awk '{ print "Name=" $1; print "Version=" $2; print "Architecture=" $3 }'
}
# Install INPUT_Name from the repositories: the exact INPUT_Version when one
# is given, otherwise the newest version (an installed package is upgraded).
# All output of apk is discarded.
repo_install() {
    name="${INPUT_Name?Name must be given to repo-install}"
    version="${INPUT_Version}"
    if [ -z "${INPUT_Version}" ]; then
        apk add --upgrade "$name" >/dev/null 2>&1
    else
        apk add "$name=$version" >/dev/null 2>&1
    fi
}
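# Install the package file named by INPUT_File.  All output of apk is
# discarded.
file_install() {
    file="${INPUT_File?File must be given to file-install}"
    # Quoted so that the path reaches apk as one argument; unquoted, a path
    # with spaces was split and glob characters were expanded.
    apk add "$file" 2>/dev/null >/dev/null
}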
# Print every upgradable package as Name=, Version= and Architecture= lines.
list_updates() {
    # for some odd reason --upgradable does not work where -u does
    #
    # sed turns the first '-' that precedes a digit into a space, which makes
    # name, version and architecture the first three fields for awk.
    apk list -u \
        | sed 's/-\([0-9]\)/ \1/' \
        | awk '{ print "Name=" $1; print "Version=" $2; print "Architecture=" $3 }'
}
# Uninstall the package named by INPUT_Name.  All output of apk is discarded.
remove() {
    name="${INPUT_Name?Name must be given to remove}"
    apk del "$name" >/dev/null 2>&1
}
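# Read the request from stdin into INPUT_* environment variables, then run
# the operation named by the first argument.
main() {
    command=$1

    # Output may contain backslashes, and we don't want those to end up
    # escaping something, so we use -r with read.
    while read -r line; do
        # Note that line is a variable assignment, e.g.
        #   INPUT_File=syncthing
        # The word is quoted: unquoted, a line with spaces was split and
        # every further NAME=value word in it was exported as a variable of
        # its own, so a request line could set unrelated environment
        # variables such as PATH.
        export "INPUT_$line"
    done

    case $command in
        supports-api-version)
            echo 1
            ;;
        get-package-data)
            get_package_data
            ;;
        list-installed)
            list_installed
            ;;
        repo-install)
            repo_install
            ;;
        file-install)
            file_install
            ;;
        list-updates)
            list_updates
            ;;
        list-updates-local)
            list_updates
            ;;
        remove)
            remove
            ;;
        *)
            echo "ErrorMessage=Invalid operation"
    esac
}

main "$1"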
cfengine-masterfiles-3.24.2/modules/promises/ 0000755 0000000 0000000 00000000000 15010704240 021174 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/modules/promises/cfengine.sh 0000644 0000000 0000000 00000011247 15010704240 023313 0 ustar 00root root 0000000 0000000 #!/bin/false
#
# This file should be sourced, not run
# Print one log line of the promise protocol: log_<level>=<message>.
# Arguments: $1 - level, $2 - message
# Any other argument count is a bug in the calling module: it is reported as
# a critical log line and the process exits with 1.
log() {
    [ "$#" = 2 ] || {
        echo "log_critical=Error in promise module (log must be used with 2 arguments, level and message)"
        exit 1
    }
    level="$1"
    message="$2"
    echo "log_$level=$message"
}
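# Reset the global request and response state before the next request is
# read.
reset_state() {
    # Variables parsed directly from request:
    request_operation=""
    request_log_level=""
    request_promise_type=""
    request_promiser=""

    # Drop every attribute of the previous request.  The names are listed
    # from the shell's own variables: `env` shows exported variables only,
    # while the attributes are plain shell variables, so a listing based on
    # env left them in place and one promise's attributes stayed visible to
    # the next.
    for var in "${!request_attribute_@}"; do
        unset "$var"
    done

    # Variables to put into response:
    response_result=""

    # Other state:
    saw_unknown_key="no"
    saw_unknown_attribute="no"
    unknown_attribute_names=""
}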
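# Store one key=value line of a request in the matching global variable.
# Arguments: $1 - the line
# Globals:   request_* (written); required_attributes, optional_attributes
#            (read); saw_unknown_key, saw_unknown_attribute,
#            unknown_attribute_names (written)
handle_input_line() {
    # Split the line of input on the first '=' into 2 - key and value
    IFS='=' read -r key value <<< "$1"
    case "$key" in
        operation)
            request_operation="$value" ;;
        log_level)
            request_log_level="$value" ;;
        promise_type)
            request_promise_type="$value" ;;
        promiser)
            request_promiser="$value" ;;
        attribute_*)
            attribute_name=${key#"attribute_"}
            # The attribute name becomes part of a variable name, so it must
            # be made of letters, digits and '_' only.  Anything else is
            # recorded as an unknown attribute and is not stored: handing
            # such a name to eval would run it as shell code.
            case "$attribute_name" in
                ''|*[!A-Za-z0-9_]*)
                    saw_unknown_attribute="yes"
                    unknown_attribute_names="$unknown_attribute_names, $attribute_name"
                    return 0 ;;
            esac
            if ! expr " $required_attributes $optional_attributes " : ".* $attribute_name " >/dev/null; then
                saw_unknown_attribute="yes"
                unknown_attribute_names="$unknown_attribute_names, $attribute_name"
            fi
            # printf -v assigns the value without evaluating anything.
            printf -v "request_${key}" '%s' "$value" ;;
        *)
            saw_unknown_key="yes" ;;
    esac
}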
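# Read one request from stdin: every line up to the first empty line (or end
# of input) is passed to handle_input_line.
receive_request() {
    # IFS is emptied for the read so that the line arrives unchanged.  The
    # earlier value '$\n' was single-quoted, which makes it the three
    # characters '$', '\' and 'n' rather than a newline, so those characters
    # acted as field separators and could alter a line that ended in one.
    while IFS= read -r line; do
        if [ "x$line" = "x" ] ; then
            break
        fi
        handle_input_line "$line" # Parses a key=value pair
    done
}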
# Print the response to the current request: operation, result and result
# classes, followed by the empty line that ends a response.
write_response() {
    printf 'operation=%s\nresult=%s\nresult_classes=%s\n\n' \
        "$request_operation" "$response_result" "$response_classes"
}
# Handle a terminate request: run the module's do_terminate hook when it
# exists, answer with result "success" and exit with 0.
operation_terminate() {
    response_result="success"
    if type do_terminate >/dev/null 2>&1; then
        do_terminate
    fi
    write_response
    exit 0
}
# Handle a validate_promise request.
# The result is "invalid" when an unknown attribute was seen (unless the
# module sets all_attributes_are_valid to "yes") or when a required attribute
# is missing or empty; otherwise it is "valid".  The module's do_validate
# hook runs afterwards when it exists, and then the response is written.
operation_validate() {
    response_result="valid"

    if [ "$saw_unknown_attribute" != "no" ] && [ "$all_attributes_are_valid" != "yes" ]; then
        log error "Unknown attribute/s: ${unknown_attribute_names#, }"
        response_result="invalid"
    fi

    # An empty list of required attributes makes this loop a no-op.
    for attribute_name in $required_attributes; do
        # Note: ${!varname} syntax expands to the value of the variable whose
        #       name is saved in $varname. Example:
        #         var_1=something
        #         varname=var_1
        #         echo "${!varname}" # prints "something"
        varname="request_attribute_$attribute_name"
        if [ -z "${!varname}" ]; then
            log error "Attribute '$attribute_name' is missing or empty"
            response_result="invalid"
        fi
    done

    if type do_validate >/dev/null 2>&1; then
        do_validate
    fi
    write_response
}
# Handle an evaluate_promise request: run the module's do_evaluate hook when
# it exists and write the response.
operation_evaluate() {
    # The result stays "error" unless do_evaluate overrides it.
    response_result="error"
    if type do_evaluate >/dev/null 2>&1; then
        do_evaluate
    fi
    write_response
}
# Answer a request whose operation is not recognised: log an error line and
# respond with result "error".
operation_unknown() {
    log error "Promise module received unexpected operation: $request_operation"
    response_result="error"
    write_response
}
# Run the handler that belongs to the operation named in the request.
perform_operation() {
    if [ "$request_operation" = "validate_promise" ]; then
        operation_validate
    elif [ "$request_operation" = "evaluate_promise" ]; then
        operation_evaluate
    elif [ "$request_operation" = "terminate" ]; then
        operation_terminate
    else
        operation_unknown
    fi
}
# Process one request from the agent from start to finish.
handle_request() {
    # 1. Reset global variables
    reset_state
    response_classes=""
    # 2. Receive / parse an operation from agent
    receive_request
    # 3. Perform operation (validate, evaluate, terminate)
    perform_operation
}
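# Skip the protocol header: read and drop lines from stdin until (and
# including) the first empty line.
skip_header() {
    # IFS is emptied for the read so that the line arrives unchanged.  The
    # earlier value '$\n' was single-quoted, which makes it the three
    # characters '$', '\' and 'n' rather than a newline, so a line holding
    # only one of those characters could be taken for the empty line.
    while IFS= read -r line; do
        if [ "x$line" = "x" ] ; then
            return;
        fi
    done
}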
# Run the promise module: check the arguments, exchange protocol headers
# with the agent and then serve requests until one of them ends the process.
# Arguments: $1 - module name, $2 - module version (neither may contain a
#            space)
module_main() {
    # Check arguments provided by the caller.
    if [ "$#" != 2 ]; then
        exit 1
    fi
    if expr "$1$2" : ".* " >/dev/null; then
        exit 1
    fi

    module_name="$1"
    module_version="$2"

    # Skip the protocol header given by agent:
    skip_header

    # Write our header to request line based protocol:
    echo "$module_name $module_version v1 line_based"
    echo ""

    if type do_initialize >/dev/null 2>&1; then
        do_initialize
    fi

    # Loop indefinitely, handling requests:
    while :; do
        handle_request
    done

    # Should never get here.
}
cfengine-masterfiles-3.24.2/modules/promises/cfengine.py 0000644 0000000 0000000 00000037617 15010704240 023342 0 ustar 00root root 0000000 0000000 import sys
import json
import traceback
from copy import copy
from collections import OrderedDict
# Log level name -> rank; a lower rank is a more severe level.
_LOG_LEVELS = dict(
    (level, rank)
    for rank, level in enumerate(
        ("critical", "error", "warning", "notice", "info", "verbose", "debug")
    )
)
def _skip_until_empty_line(file):
    """Read and drop lines from ``file`` up to and including the first blank one.

    A line that holds only whitespace counts as blank.  Reading also stops at
    end of input.
    """
    while file.readline().strip():
        pass
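def _get_request(file, record_file=None):
    """Read one request from ``file`` and return it as parsed JSON.

    A request is one line of JSON followed by one separator line.  Both lines
    are copied to ``record_file`` (prefixed with "< ") when it is given.

    Returns None when the request line is empty, which is what reading at end
    of input produces.  The caller in this file already treats an empty
    request as "EOF reached"; parsing the empty string would raise a JSON
    error before that check could run.

    NOTE(review): the recording holds the request exactly as received,
    promiser and attribute values included.  Treat the record file as
    sensitive if policy can pass secrets in attributes.
    """
    line = file.readline()
    blank_line = file.readline()
    if record_file is not None:
        record_file.write("< " + line)
        record_file.write("< " + blank_line)

    payload = line.strip()
    if not payload:
        return None
    return json.loads(payload)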
def _put_response(data, file, record_file=None):
    """Write ``data`` to ``file`` as one line of JSON followed by an empty line.

    ``file`` is flushed afterwards.  The same JSON is copied to
    ``record_file`` (prefixed with "> ") when it is given.
    """
    encoded = json.dumps(data)
    file.write(encoded + "\n\n")
    file.flush()

    if record_file is None:
        return
    record_file.write("> " + encoded + "\n")
    record_file.write("> \n")
def _would_log(level_set, msg_level):
    """Tell whether a message of ``msg_level`` is shown at ``level_set``.

    A message is shown when its level ranks at or above the configured one in
    ``_LOG_LEVELS``.  A message level that is not in the table is always
    shown.
    """
    if msg_level in _LOG_LEVELS:
        return _LOG_LEVELS[msg_level] <= _LOG_LEVELS[level_set]
    # unknown level, assume it would be logged
    return True
def _cfengine_type(typing):
    """Return the CFEngine name for a Python type.

    ``typing`` is a type object such as ``str`` or ``list``.  A type without
    a CFEngine counterpart yields the text "Error in promise module".
    """
    if typing is str:
        label = "string"
    elif typing is int:
        label = "int"
    elif typing in (list, tuple):
        label = "slist"
    elif typing is dict:
        label = "data container"
    elif typing is bool:
        label = "true/false"
    else:
        label = "Error in promise module"
    return label
class AttributeObject(object):
    """Plain object whose instance attributes are the items of a dict."""

    def __init__(self, d):
        """Set one instance attribute for every key/value pair of ``d``."""
        for key, value in d.items():
            setattr(self, key, value)

    def __repr__(self):
        """Return ``ClassName(key=value, ...)`` built from the instance dict."""
        fields = ", ".join(
            "{}={!r}".format(key, value) for key, value in self.__dict__.items()
        )
        return "{}({})".format(self.__class__.__qualname__, fields)
class ValidationError(Exception):
    """Raised when a promise fails validation; ``message`` says why."""

    def __init__(self, message):
        self.message = message
class ProtocolError(Exception):
    """Raised when a request does not follow the promise module protocol."""

    def __init__(self, message):
        self.message = message
class Result:
    """Result strings a promise module sends back to the agent."""

    # Promise evaluation outcomes, can reveal "real" problems with system:
    KEPT = "kept"  # Satisfied already, no change
    REPAIRED = "repaired"  # Not satisfied before, but fixed
    NOT_KEPT = "not_kept"  # Not satisfied before, not fixed

    # Validation only, can reveal problems in CFEngine policy:
    VALID = "valid"  # Validation successful
    INVALID = "invalid"  # Validation failed, error in cfengine policy

    # Generic success / fail for init / terminate requests:
    SUCCESS = "success"
    FAILURE = "failure"

    # Unexpected, can reveal problems in promise module:
    ERROR = "error"  # Something went wrong in module / protocol
class PromiseModule:
def __init__(
self, name="default_module_name", version="0.0.1", record_file_path=None
):
self.name = name
self.version = version
# Note: The class doesn't expose any way to set protocol version
# or flags, because that should be abstracted away from the
# user (module author).
self._validator_attributes = OrderedDict()
self._result_classes = None
# File to record all the incoming and outgoing communication
self._record_file = open(record_file_path, "a") if record_file_path else None
def start(self, in_file=None, out_file=None):
self._in = in_file or sys.stdin
self._out = out_file or sys.stdout
first_line = self._in.readline()
if self._record_file is not None:
self._record_file.write("< " + first_line)
header = first_line.strip().split(" ")
name = header[0]
version = header[1]
protocol_version = header[2]
# flags = header[3:] -- unused for now
assert len(name) > 0 # cf-agent
assert version.startswith("3.") # 3.18.0
assert protocol_version[0] == "v" # v1
_skip_until_empty_line(self._in)
header_reply = "{name} {version} v1 json_based\n\n".format(
name=self.name, version=self.version
)
self._out.write(header_reply)
self._out.flush()
if self._record_file is not None:
self._record_file.write("> " + header_reply.strip() + "\n")
self._record_file.write(">\n")
while True:
self._response = {}
self._result = None
request = _get_request(self._in, self._record_file)
self._handle_request(request)
def _convert_types(self, promiser, attributes):
# Will only convert types if module has typing information:
if not self._has_validation_attributes:
return promiser, attributes
replacements = {}
for name, value in attributes.items():
if type(value) is not str:
# If something is not string, assume it is correct type
continue
if name not in self._validator_attributes:
# Unknown attribute, this will cause a validation error later
continue
# "true"/"false" -> True/False
if self._validator_attributes[name]["typing"] is bool:
if value == "true":
replacements[name] = True
elif value == "false":
replacements[name] = False
# "int" -> int()
elif self._validator_attributes[name]["typing"] is int:
try:
replacements[name] = int(value)
except ValueError:
pass
# Don't edit dict while iterating over it, after instead:
attributes.update(replacements)
return (promiser, attributes)
def _handle_request(self, request):
if not request:
sys.exit("Error: Empty/invalid request or EOF reached")
operation = request["operation"]
self._log_level = request.get("log_level", "info")
self._response["operation"] = operation
# Agent will never request log level critical
assert self._log_level in [
"error",
"warning",
"notice",
"info",
"verbose",
"debug",
]
if operation in ["validate_promise", "evaluate_promise"]:
promiser = request["promiser"]
attributes = request.get("attributes", {})
promiser, attributes = self._convert_types(promiser, attributes)
promiser, attributes = self.prepare_promiser_and_attributes(
promiser, attributes
)
self._response["promiser"] = promiser
self._response["attributes"] = attributes
if operation == "init":
self._handle_init()
elif operation == "validate_promise":
self._handle_validate(promiser, attributes, request)
elif operation == "evaluate_promise":
self._handle_evaluate(promiser, attributes, request)
elif operation == "terminate":
self._handle_terminate()
else:
self._log_level = None
raise ProtocolError(
"Unknown operation: '{operation}'".format(operation=operation)
)
self._log_level = None
def _add_result(self):
self._response["result"] = self._result
def _add_result_classes(self):
if self._result_classes:
self._response["result_classes"] = self._result_classes
def _add_traceback_to_response(self):
if self._log_level != "debug":
return
trace = traceback.format_exc()
logs = self._response.get("log", [])
logs.append({"level": "debug", "message": trace})
self._response["log"] = logs
def add_attribute(
self,
name,
typing,
default=None,
required=False,
default_to_promiser=False,
validator=None,
):
attribute = OrderedDict()
attribute["name"] = name
attribute["typing"] = typing
attribute["default"] = default
attribute["required"] = required
attribute["default_to_promiser"] = default_to_promiser
attribute["validator"] = validator
self._validator_attributes[name] = attribute
@property
def _has_validation_attributes(self):
return bool(self._validator_attributes)
def create_attribute_dict(self, promiser, attributes):
# Check for missing required attributes:
for name, attribute in self._validator_attributes.items():
if attribute["required"] and name not in attributes:
raise ValidationError(
"Missing required attribute '{name}'".format(name=name)
)
# Check for unknown attributes:
for name in attributes:
if name not in self._validator_attributes:
raise ValidationError("Unknown attribute '{name}'".format(name=name))
# Check typings and run custom validator callbacks:
for name, value in attributes.items():
expected = _cfengine_type(self._validator_attributes[name]["typing"])
found = _cfengine_type(type(value))
if found != expected:
raise ValidationError(
"Wrong type for attribute '{name}', requires '{expected}', not '{value}'({found})".format(
name=name, expected=expected, value=value, found=found
)
)
if self._validator_attributes[name]["validator"]:
# Can raise ValidationError:
self._validator_attributes[name]["validator"](value)
attribute_dict = OrderedDict()
# Copy attributes specified by user policy:
for key, value in attributes.items():
attribute_dict[key] = value
# Set defaults based on promise module validation hints:
for name, value in self._validator_attributes.items():
if value.get("default_to_promiser", False):
attribute_dict.setdefault(name, promiser)
elif value.get("default", None) is not None:
attribute_dict.setdefault(name, copy(value["default"]))
else:
attribute_dict.setdefault(name, None)
return attribute_dict
def create_attribute_object(self, promiser, attributes):
attribute_dict = self.create_attribute_dict(promiser, attributes)
return AttributeObject(attribute_dict)
def _validate_attributes(self, promiser, attributes):
if not self._has_validation_attributes:
# Can only validate attributes if module
# provided typings for attributes
return
self.create_attribute_object(promiser, attributes)
return # Only interested in exceptions, return None
def _handle_init(self):
self._result = self.protocol_init(None)
self._add_result()
_put_response(self._response, self._out, self._record_file)
def _handle_validate(self, promiser, attributes, request):
meta = {"promise_type": request.get("promise_type")}
try:
self.validate_attributes(promiser, attributes, meta)
returned = self.validate_promise(promiser, attributes, meta)
if returned is None:
# Good, expected
self._result = Result.VALID
else:
# Bad, validate method shouldn't return anything else
self.log_critical(
"Bug in promise module {name} - validate_promise() should not return anything".format(
name=self.name
)
)
self._result = Result.ERROR
except ValidationError as e:
message = str(e)
if "promise_type" in request:
message += " for {request_promise_type} promise with promiser '{promiser}'".format(
request_promise_type=request["promise_type"], promiser=promiser
)
else:
message += " for promise with promiser '{promiser}'".format(
promiser=promiser
)
if "filename" in request and "line_number" in request:
message += " ({request_filename}:{request_line_number})".format(
request_filename=request["filename"],
request_line_number=request["line_number"],
)
self.log_error(message)
self._result = Result.INVALID
except Exception as e:
self.log_critical(
"{error_type}: {error}".format(error_type=type(e).__name__, error=e)
)
self._add_traceback_to_response()
self._result = Result.ERROR
self._add_result()
_put_response(self._response, self._out, self._record_file)
def _handle_evaluate(self, promiser, attributes, request):
self._result_classes = None
meta = {"promise_type": request.get("promise_type")}
try:
results = self.evaluate_promise(promiser, attributes, meta)
# evaluate_promise should return either a result or a (result, result_classes) pair
if type(results) == str:
self._result = results
else:
assert len(results) == 2
self._result = results[0]
self._result_classes = results[1]
except Exception as e:
self.log_critical(
"{error_type}: {error}".format(error_type=type(e).__name__, error=e)
)
self._add_traceback_to_response()
self._result = Result.ERROR
self._add_result()
self._add_result_classes()
_put_response(self._response, self._out, self._record_file)
def _handle_terminate(self):
self._result = self.protocol_terminate()
self._add_result()
_put_response(self._response, self._out, self._record_file)
sys.exit(0)
def _log(self, level, message):
if self._log_level is not None and not _would_log(self._log_level, level):
return
# Message can be str or an object which implements __str__()
# for example an exception:
message = str(message).replace("\n", r"\n")
assert "\n" not in message
self._out.write("log_{level}={message}\n".format(level=level, message=message))
self._out.flush()
if self._record_file is not None:
self._record_file.write(
"log_{level}={message}\n".format(level=level, message=message)
)
def log_critical(self, message):
self._log("critical", message)
def log_error(self, message):
self._log("error", message)
def log_warning(self, message):
self._log("warning", message)
def log_notice(self, message):
self._log("notice", message)
def log_info(self, message):
self._log("info", message)
def log_verbose(self, message):
self._log("verbose", message)
def log_debug(self, message):
self._log("debug", message)
def _log_traceback(self):
trace = traceback.format_exc().split("\n")
for line in trace:
self.log_debug(line)
# Functions to override in subclass:
def protocol_init(self, version):
return Result.SUCCESS
def prepare_promiser_and_attributes(self, promiser, attributes):
"""Override if you want to modify promiser or attributes before validate or evaluate"""
return (promiser, attributes)
def validate_attributes(self, promiser, attributes, meta):
"""Override this if you want to prevent automatic validation"""
return self._validate_attributes(promiser, attributes)
def validate_promise(self, promiser, attributes, meta):
"""Must override this or use validation through self.add_attribute()"""
if not self._has_validation_attributes:
raise NotImplementedError("Promise module must implement validate_promise")
def evaluate_promise(self, promiser, attributes, meta):
raise NotImplementedError("Promise module must implement evaluate_promise")
def protocol_terminate(self):
    """Overridable hook; the base version returns Result.SUCCESS."""
    outcome = Result.SUCCESS
    return outcome
cfengine-masterfiles-3.24.2/install-sh 0000755 0000000 0000000 00000035463 15010704303 017702 0 ustar 00root root 0000000 0000000 #!/bin/sh
# install - install a program, script, or datafile
scriptversion=2014-09-12.12; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
# following copyright and license.
#
# Copyright (C) 1994 X Consortium
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name of the X Consortium shall not
# be used in advertising or otherwise to promote the sale, use or other deal-
# ings in this Software without prior written authorization from the X Consor-
# tium.
#
#
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.
# Word-splitting separators for the rest of the script: space, tab, newline.
# NOTE(review): `tab` is meant to hold a literal TAB character; confirm it
# survived the extraction of this listing.
tab=' '
nl='
'
IFS=" $tab$nl"
# Set DOITPROG to "echo" to test this script.
# With DOITPROG unset or empty, $doit expands to nothing and $doit_exec is
# "exec"; otherwise both hold the DOITPROG value.
doit=${DOITPROG-}
doit_exec=${doit:-exec}
# Put in absolute file names if you don't have them in your path;
# or use environment vars.
# These values are taken from the environment as-is and are expanded
# unquoted where the commands are run, so the environment decides which
# programs this script executes: run it only with an environment you control.
chgrpprog=${CHGRPPROG-chgrp}
chmodprog=${CHMODPROG-chmod}
chownprog=${CHOWNPROG-chown}
cmpprog=${CMPPROG-cmp}
cpprog=${CPPROG-cp}
mkdirprog=${MKDIRPROG-mkdir}
mvprog=${MVPROG-mv}
rmprog=${RMPROG-rm}
stripprog=${STRIPPROG-strip}
# Empty means "not probed yet"; set to ":" or "false" once mkdir -p has
# been tested.
posix_mkdir=
# Desired mode of installed file.
mode=0755
# Command strings; an empty value means the step is skipped.
chgrpcmd=
chmodcmd=$chmodprog
chowncmd=
mvcmd=$mvprog
rmcmd="$rmprog -f"
stripcmd=
# State filled in by option parsing and by the main loop.
src=
dst=
dir_arg=
dst_arg=
copy_on_change=false
is_target_a_directory=possibly
# Help text printed by --help.
usage="\
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
or: $0 [OPTION]... SRCFILES... DIRECTORY
or: $0 [OPTION]... -t DIRECTORY SRCFILES...
or: $0 [OPTION]... -d DIRECTORIES...
In the 1st form, copy SRCFILE to DSTFILE.
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
In the 4th, create DIRECTORIES.
Options:
--help display this help and exit.
--version display version info and exit.
-c (ignored)
-C install only if different (preserve the last data modification time)
-d create directories instead of installing files.
-g GROUP $chgrpprog installed files to GROUP.
-m MODE $chmodprog installed files to MODE.
-o USER $chownprog installed files to USER.
-s $stripprog installed files.
-t DIRECTORY install into DIRECTORY.
-T report an error if DSTFILE is a directory.
Environment variables override the default commands:
CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
RMPROG STRIPPROG
"
# Parse leading options. Parsing stops at "--" (which is consumed) or at the
# first argument that does not start with "-".
while test $# -ne 0; do
  case $1 in
    -c) ;;
    -C) copy_on_change=true;;
    -d) dir_arg=true;;
    # NOTE(review): the GROUP value is joined into a command string that is
    # later expanded unquoted, and unlike -m it is not checked for whitespace
    # or glob characters; pass plain group names only.
    -g) chgrpcmd="$chgrpprog $2"
      shift;;
    --help) echo "$usage"; exit $?;;
    # $mode is expanded unquoted later (for example in the chmod call), so a
    # value containing whitespace or the glob characters * ? [ is rejected.
    -m) mode=$2
      case $mode in
        *' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*)
          echo "$0: invalid mode: $mode" >&2
          exit 1;;
      esac
      shift;;
    # NOTE(review): same as -g, the USER value is not validated before being
    # placed in an unquoted command string.
    -o) chowncmd="$chownprog $2"
      shift;;
    -s) stripcmd=$stripprog;;
    -t)
      is_target_a_directory=always
      dst_arg=$2
      # Protect names problematic for 'test' and other utilities.
      case $dst_arg in
        -* | [=\(\)!]) dst_arg=./$dst_arg;;
      esac
      shift;;
    -T) is_target_a_directory=never;;
    --version) echo "$0 $scriptversion"; exit $?;;
    --) shift
      break;;
    -*) echo "$0: invalid option: $1" >&2
      exit 1;;
    *) break;;
  esac
  shift
done
# We allow the use of options -d and -T together, by making -d
# take the precedence; this is for compatibility with GNU install.
# -d combined with -t is an error.
if test -n "$dir_arg"; then
  if test -n "$dst_arg"; then
    echo "$0: target directory not allowed when installing a directory." >&2
    exit 1
  fi
fi
if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
  # When -d is used, all remaining arguments are directories to create.
  # When -t is used, the destination is already specified.
  # Otherwise, the last argument is the destination. Remove it from $@.
  # The loop rotates the argument list: each pass drops the first argument
  # and re-appends the previously held one, so at the end $dst_arg holds the
  # last argument and "$@" holds all the others in their original order.
  for arg
  do
    if test -n "$dst_arg"; then
      # $@ is not empty: it contains at least $arg.
      set fnord "$@" "$dst_arg"
      shift # fnord
    fi
    shift # arg
    dst_arg=$arg
    # Protect names problematic for 'test' and other utilities.
    case $dst_arg in
      -* | [=\(\)!]) dst_arg=./$dst_arg;;
    esac
  done
fi
if test $# -eq 0; then
  if test -z "$dir_arg"; then
    echo "$0: no input file specified." >&2
    exit 1
  fi
  # It's OK to call 'install-sh -d' without argument.
  # This can happen when creating conditional directories.
  exit 0
fi
# With several sources, or with -t, the destination must already be a
# directory.
if test -z "$dir_arg"; then
  if test $# -gt 1 || test "$is_target_a_directory" = always; then
    if test ! -d "$dst_arg"; then
      echo "$0: $dst_arg: Is not a directory." >&2
      exit 1
    fi
  fi
fi
# File-installation mode only: set up signal handling and work out the umask
# to use while copying to the temporary file.
if test -z "$dir_arg"; then
  # On signals 1, 2, 13 and 15 (conventionally HUP, INT, PIPE, TERM) exit
  # with 128 + the signal number. "(exit $ret)" runs first, presumably so
  # that an exit trap reading $? sees the same value.
  do_exit='(exit $ret); exit $ret'
  trap "ret=129; $do_exit" 1
  trap "ret=130; $do_exit" 2
  trap "ret=141; $do_exit" 13
  trap "ret=143; $do_exit" 15
  # Set umask so as not to create temps with too-generous modes.
  # However, 'strip' requires both read and write access to temps.
  case $mode in
    # Optimize common cases.
    *644) cp_umask=133;;
    *755) cp_umask=22;;
    *[0-7])
      # Numeric mode: the umask is 777 minus the last three digits of the
      # mode. When stripping, "% 200" leaves at most the execute bit in the
      # owner digit, so the temp file stays readable and writable by its
      # owner.
      if test -z "$stripcmd"; then
        u_plus_rw=
      else
        u_plus_rw='% 200'
      fi
      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
    *)
      # Symbolic mode: pass it to umask as-is, adding u+rw when stripping.
      if test -z "$stripcmd"; then
        u_plus_rw=
      else
        u_plus_rw=,u+rw
      fi
      cp_umask=$mode$u_plus_rw;;
  esac
fi
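# Main loop: handle each remaining argument in turn. With -d the argument is
# a directory to create; otherwise it is a source file that is copied to a
# temporary name next to the destination, adjusted (owner, group, strip,
# mode) and then renamed into place. Any failure exits with status 1.
for src
do
  # Protect names problematic for 'test' and other utilities.
  case $src in
    -* | [=\(\)!]) src=./$src;;
  esac

  if test -n "$dir_arg"; then
    dst=$src
    dstdir=$dst
    test -d "$dstdir"
    dstdir_status=$?
  else

    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
    # might cause directories to be created, which would be especially bad
    # if $src (and thus $dsttmp) contains '*'.
    if test ! -f "$src" && test ! -d "$src"; then
      echo "$0: $src does not exist." >&2
      exit 1
    fi

    if test -z "$dst_arg"; then
      echo "$0: no destination specified." >&2
      exit 1
    fi
    dst=$dst_arg

    # If destination is a directory, append the input filename; won't work
    # if double slashes aren't ignored.
    if test -d "$dst"; then
      if test "$is_target_a_directory" = never; then
        echo "$0: $dst_arg: Is a directory" >&2
        exit 1
      fi
      dstdir=$dst
      dst=$dstdir/`basename "$src"`
      dstdir_status=0
    else
      dstdir=`dirname "$dst"`
      test -d "$dstdir"
      dstdir_status=$?
    fi
  fi

  obsolete_mkdir_used=false

  # The destination directory does not exist yet: create it.
  if test $dstdir_status != 0; then
    case $posix_mkdir in
      '')
        # First time here: compute the umask for new directories and probe
        # whether "mkdir -p" (and "-m") behave as POSIX requires.
        # Create intermediate dirs using mode 755 as modified by the umask.
        # This is like FreeBSD 'install' as of 1997-10-28.
        umask=`umask`
        case $stripcmd.$umask in
          # Optimize common cases.
          *[2367][2367]) mkdir_umask=$umask;;
          .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;

          *[0-7])
            mkdir_umask=`expr $umask + 22 \
              - $umask % 100 % 40 + $umask % 20 \
              - $umask % 10 % 4 + $umask % 2
            `;;
          *) mkdir_umask=$umask,go-w;;
        esac

        # With -d, create the new directory with the user-specified mode.
        # Otherwise, rely on $mkdir_umask.
        if test -n "$dir_arg"; then
          mkdir_mode=-m$mode
        else
          mkdir_mode=
        fi

        posix_mkdir=false
        case $umask in
          *[123567][0-7][0-7])
            # POSIX mkdir -p sets u+wx bits regardless of umask, which
            # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
            ;;
          *)
            # $RANDOM is not portable (e.g. dash); use it when possible to
            # lower collision chance
            # The name is still guessable; the plain mkdir below (no -p) is
            # what makes the probe fail instead of reusing a directory that
            # somebody else created under that name.
            tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
            trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0

            # As "mkdir -p" follows symlinks and we work in /tmp possibly; so
            # create the $tmpdir first (and fail if unsuccessful) to make sure
            # that nobody tries to guess the $tmpdir name.
            if (umask $mkdir_umask &&
                $mkdirprog $mkdir_mode "$tmpdir" &&
                exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
            then
              if test -z "$dir_arg" || {
                   # Check for POSIX incompatibilities with -m.
                   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
                   # other-writable bit of parent directory when it shouldn't.
                   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
                   test_tmpdir="$tmpdir/a"
                   ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
                   case $ls_ld_tmpdir in
                     d????-?r-*) different_mode=700;;
                     d????-?--*) different_mode=755;;
                     *) false;;
                   esac &&
                   $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
                     ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
                     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
                   }
                 }
              then posix_mkdir=:
              fi
              rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
            else
              # Remove any dirs left behind by ancient mkdir implementations.
              rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
            fi
            trap '' 0;;
        esac;;
    esac

    if
      $posix_mkdir && (
        umask $mkdir_umask &&
        $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
      )
    then :
    else

      # The umask is ridiculous, or mkdir does not conform to POSIX,
      # or it failed possibly due to a race condition. Create the
      # directory the slow way, step by step, checking for races as we go.

      case $dstdir in
        /*) prefix='/';;
        [-=\(\)!]*) prefix='./';;
        *) prefix='';;
      esac

      # Split $dstdir on "/" into the positional parameters, with globbing
      # switched off so path components are taken literally.
      oIFS=$IFS
      IFS=/
      set -f
      set fnord $dstdir
      shift
      set +f
      IFS=$oIFS

      prefixes=

      for d
      do
        test X"$d" = X && continue

        prefix=$prefix$d
        if test -d "$prefix"; then
          prefixes=
        else
          if $posix_mkdir; then
            # Run umask as a command here. Writing "umask=..." would only
            # assign a shell variable and leave the process umask untouched,
            # so the directories would get the caller's (possibly more
            # permissive) umask instead of $mkdir_umask.
            (umask $mkdir_umask &&
             $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
            # Don't fail if two instances are running concurrently.
            test -d "$prefix" || exit 1
          else
            # Collect the missing prefixes as single-quoted words for the
            # eval below; embedded single quotes are escaped so each prefix
            # stays one literal argument.
            case $prefix in
              *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
              *) qprefix=$prefix;;
            esac
            prefixes="$prefixes '$qprefix'"
          fi
        fi
        prefix=$prefix/
      done

      if test -n "$prefixes"; then
        # Don't fail if two instances are running concurrently.
        (umask $mkdir_umask &&
         eval "\$doit_exec \$mkdirprog $prefixes") ||
          test -d "$dstdir" || exit 1
        obsolete_mkdir_used=true
      fi
    fi
  fi

  if test -n "$dir_arg"; then
    # Directory mode: apply owner, group and (when needed) mode to the
    # directory itself.
    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
  else

    # Make a couple of temp file names in the proper directory.
    # NOTE(review): the names depend only on the process id. If $dstdir is
    # writable by other users, a file or symlink created beforehand under
    # that name would be written to by the copy below; install into
    # directories that only trusted users can write.
    dsttmp=$dstdir/_inst.$$_
    rmtmp=$dstdir/_rm.$$_

    # Trap to clean up those temp files at exit.
    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0

    # Copy the file name to the temp name.
    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&

    # and set any options; do chmod last to preserve setuid bits.
    #
    # If any of these fail, we abort the whole thing. If we want to
    # ignore errors from any of these, just make sure not to ignore
    # errors from the above "$doit $cpprog $src $dsttmp" command.
    #
    { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
    { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
    { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&

    # If -C, don't bother to copy if it wouldn't change the file.
    # Fields 2, 4, 5 and 6 after the leading X are the mode string, owner,
    # group and size columns of the "ls -dlL" output; the contents are
    # compared with $cmpprog only when those already agree.
    if $copy_on_change &&
       old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
       new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
       set -f &&
       set X $old && old=:$2:$4:$5:$6 &&
       set X $new && new=:$2:$4:$5:$6 &&
       set +f &&
       test "$old" = "$new" &&
       $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
    then
      rm -f "$dsttmp"
    else
      # Rename the file to the real destination.
      $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||

      # The rename failed, perhaps because mv can't rename something else
      # to itself, or perhaps because mv is so ancient that it does not
      # support -f.
      {
        # Now remove or move aside any old file at destination location.
        # We try this two ways since rm can't unlink itself on some
        # systems and the destination file might be busy for other
        # reasons. In this case, the final cleanup might fail but the new
        # file should still install successfully.
        {
          test ! -f "$dst" ||
          $doit $rmcmd -f "$dst" 2>/dev/null ||
          { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
            { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
          } ||
          { echo "$0: cannot unlink or rename $dst" >&2
            (exit 1); exit 1
          }
        } &&

        # Now rename the file to the real destination.
        $doit $mvcmd "$dsttmp" "$dst"
      }
    fi || exit 1

    trap '' 0
  fi
done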
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
cfengine-masterfiles-3.24.2/tests/ 0000755 0000000 0000000 00000000000 15010704326 017032 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/tests/Makefile.am 0000644 0000000 0000000 00000000763 15010704240 021067 0 ustar 00root root 0000000 0000000 SUBDIRS = . unit
# The acceptance tests are added to the build only when HAVE_CORE is set.
if HAVE_CORE
SUBDIRS += acceptance
endif
# When /usr/bin/python is not executable, rewrite "/usr/bin/python" to
# "/usr/bin/python3" in every *.py, mock_* and test_* file under $(srcdir).
# The sed address matches only when the path is followed by end of line or a
# non-digit, so an existing "/usr/bin/python3" is left alone. "$$" is Make's
# escape for a literal "$".
# NOTE(review): the files are edited in place ("sed -ri"), so "make check"
# needs a writable source tree and leaves it modified; the -r and -i flags
# as used here are the GNU sed spelling.
fix-python-hashbang:
	test -x /usr/bin/python || find $(srcdir) \( -name '*.py' -o -name 'mock_*' -o -name 'test_*' \) -exec sed -ri '\~/usr/bin/python($$|[^0-9])~ s|/usr/bin/python|/usr/bin/python3|' '{}' \;
# fix-python-hashbang is in check-local here (masterfiles/tests) instead of where it is
# needed in masterfiles/tests/unit since there is no hook for pre-check there.
check-local: fix-python-hashbang
.PHONY: fix-python-hashbang
cfengine-masterfiles-3.24.2/tests/unit/ 0000755 0000000 0000000 00000000000 15010704326 020011 5 ustar 00root root 0000000 0000000 cfengine-masterfiles-3.24.2/tests/unit/mock_pkg_info 0000755 0000000 0000000 00000003413 15010704240 022540 0 ustar 00root root 0000000 0000000 #!/bin/sh -e
# Mock of pkg_info used by the unit tests: it answers the two invocations it
# knows with canned output and rejects every other argument list.
args="$*"
if [ "$args" = "-X pkg_install" ]; then
  # Canned build-information summary for the pkg_install package.
  cat <<'EOF'
CONFLICTS=audit-packages-[0-9]*
PKGNAME=pkg_install-20150508
COMMENT=Package management and administration tools for pkgsrc
SIZE_PKG=2707598
BUILD_DATE=2015-07-17 12:28:33 +0100
CATEGORIES=pkgtools
HOMEPAGE=http://www.pkgsrc.org/
LICENSE=modified-bsd
MACHINE_ARCH=x86_64
OPSYS=Darwin
OS_VERSION=13.4.0
PKGPATH=pkgtools/pkg_install
PKGTOOLS_VERSION=20091115
PKG_OPTIONS=inet6 openssl
REQUIRES=/usr/lib/libSystem.B.dylib
REQUIRES=/usr/lib/libbz2.1.0.dylib
REQUIRES=/usr/lib/libcrypto.0.9.8.dylib
REQUIRES=/usr/lib/liblzma.5.dylib
REQUIRES=/usr/lib/libssl.0.9.8.dylib
REQUIRES=/usr/lib/libz.1.dylib
DESCRIPTION=pkg_install contains the core package management and administration
DESCRIPTION=utilities for pkgsrc, a multi-platform source and binary package
DESCRIPTION=system developed and maintained by The NetBSD Project and volunteers
DESCRIPTION=from around the globe.
DESCRIPTION=
DESCRIPTION=The following tools are included:
DESCRIPTION=
DESCRIPTION=pkg_add install and upgrade binary packages
DESCRIPTION=pkg_admin perform various pkgsrc administrative tasks
DESCRIPTION=pkg_create create software package distributions
DESCRIPTION=pkg_delete delete installed packages
DESCRIPTION=pkg_info display information about installed or binary packages
DESCRIPTION=
DESCRIPTION=For the following tools compatibility wrappers are included:
DESCRIPTION=
DESCRIPTION=audit-packages audit installed packages for security vulnerabilities
DESCRIPTION=download-vulnerability-list download the latest vulnerabilities list
DESCRIPTION=
DESCRIPTION=Homepage:
DESCRIPTION=http://www.pkgsrc.org/
EOF
elif [ "$args" = "-pq pkg_install" ]; then
  # Canned reply for the "-pq" query.
  printf '%s\n' "@cwd /opt/local"
else
  # Any other argument list is treated as a test error.
  printf '%s\n' "Invalid call"
  exit 1
fi
cfengine-masterfiles-3.24.2/tests/unit/Makefile.am 0000644 0000000 0000000 00000001134 15010704240 022037 0 ustar 00root root 0000000 0000000 check_SCRIPTS =
# Test scripts are appended to check_SCRIPTS under the conditionals below;
# whatever ends up in the list is run by "make check" (TESTS) and shipped in
# the distribution (EXTRA_DIST).
# Depends on Python.
if LINUX
check_SCRIPTS += \
test_package_module_apt_get \
test_package_module_yum
endif
# The freebsd_ports test needs HAVE_SHUNIT2; the pkgsrc test additionally
# needs HAVE_PKG_INSTALL.
if HAVE_SHUNIT2
check_SCRIPTS += test_package_module_freebsd_ports
if HAVE_PKG_INSTALL
check_SCRIPTS += test_package_module_pkgsrc
endif
endif
# The pkg test is enabled only when both FREEBSD and HAVE_SHUNIT2 are set.
if FREEBSD
if HAVE_SHUNIT2
check_SCRIPTS += test_package_module_pkg
endif
endif
TESTS = $(check_SCRIPTS)
# The harness and the mock_* files are distributed but are not listed as
# tests themselves.
EXTRA_DIST = \
harness_freebsd_ports \
mock_apt_get \
mock_dpkg \
mock_dpkg_deb \
mock_dpkg_query \
mock_pkgin \
mock_pkg_info \
mock_freebsd_pkg \
mock_pkgng \
mock_rpm \
mock_yum
EXTRA_DIST += $(check_SCRIPTS)
cfengine-masterfiles-3.24.2/tests/unit/mock_freebsd_pkg 0000755 0000000 0000000 00000012106 15010704240 023216 0 ustar 00root root 0000000 0000000 #!/bin/sh -e
case "$*" in
"info -f -a")
cat <