#####################################################################################
# Copyright 2011 Normation SAS
#####################################################################################
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, Version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#####################################################################################
#
# Failsafe file
#
body common control
{
  # Failsafe run order: repair a possibly stale lock DB, make sure the agent
  # binaries and key pair exist, then run "update" to fetch fresh promises.
  bundlesequence => { "check_lock_db_problem", "init_files", "update" };
  # update.cf is the only extra input; the "update" bundle is expected to come
  # from it (not defined in this file).
  inputs => { "common/1.0/update.cf" };
  output_prefix => "rudder";
  # &...& directives are presumably expanded by the policy generator before
  # CFEngine parses this file; the license count is only emitted for Nova.
  &if(NOVA)&
  host_licenses_paid => "&LICENSESPAID&";
  &endif&
}
body agent control
{
  # we can not depend on DNS for mobile devices
  android::
    # skipidentify makes the agent skip the name/IP identification step when
    # address resolution is unreliable. NOTE(review): this relaxes one part of
    # the host identification on the policy-server connection for android
    # nodes only — confirm it is still intended and limited to that platform.
    skipidentify => "true";
}
bundle common g
{
  # Global variables shared by the failsafe bundles: node identity, install
  # layout per platform, and the timestamp used in report lines.
  vars:
    any::
      # Node identifier, substituted by the policy generator.
      "uuid" string => "&UUID&";
      # Patterns of repositories to exclude (not referenced in this file).
      "excludedreps" slist => { "\.X11", ".*kde.*", "\.svn", "perl" };
      "rudder_tools_origin" string => "/var/rudder/tools";
      "rudder_ncf_origin_common" string => "/usr/share/ncf/tree";
      "rudder_ncf_origin_local" string => "/var/rudder/configuration-repository/ncf";
    &if(NOVA)&
    windows::
      "rudder_base" string => "${sys.winprogdir}\Rudder";
      "rudder_var" string => "${sys.winprogdir}\Rudder\var";
      "rudder_bin" string => "${rudder_base}\bin";
      "rudder_sbin" string => "${rudder_base}\sbin";
      "rudder_tools" string => "${rudder_sbin}";
      "rudder_ncf" string => "${rudder_var}\ncf";
      # Report timestamp, produced by a helper script without going through a shell.
      "execRun" string => execresult("\"${g.rudder_sbin}\getDate.bat\"", "noshell");
    &endif&
    linux|cygwin::
      "rudder_base" string => "/opt/rudder";
      "rudder_var" string => "/var/rudder";
      "rudder_bin" string => "${rudder_base}/bin";
      "rudder_sbin" string => "${rudder_base}/sbin";
      # Same directory as rudder_sbin.
      "rudder_base_sbin" string => "${rudder_base}/sbin"; # folder where tools are installed
      "rudder_tools" string => "/var/rudder/tools";
      "rudder_ncf" string => "${rudder_var}/ncf";
      # Report timestamp in RFC 3339 form; date(1) prints the node's real UTC offset.
      "execRun" string => execresult("/bin/date --rfc-3339=second", "noshell");
    android::
      "rudder_base" string => "/data/rudder";
      "rudder_var" string => "/data/rudder";
      "rudder_sbin" string => "${rudder_base}/sbin";
      # Same directory as rudder_sbin.
      "rudder_base_sbin" string => "${rudder_base}/sbin"; # folder where tools are installed
      "rudder_tools" string => "${rudder_var}/tools";
      "rudder_ncf" string => "${rudder_var}/ncf";
      # NOTE(review): the UTC offset is hard-coded to +02:00 here, unlike the
      # linux branch above; report timestamps from android nodes in any other
      # zone will be skewed. Confirm whether the android date binary supports
      # a zone format specifier and use it if so.
      "execRun" string => execresult("/system/xbin/date \"+%Y-%m-%d %T+02:00\"", "noshell");
  # definition of the node roles (expanded by the policy generator)
  &NODEROLE&
}
bundle common rudder_roles
{
  # Role classes for the failsafe phase, derived from the node uuid.
  classes:
    # Abort if no uuid is defined
    # NOTE(review): ${g.uuid_file} is not defined in bundle g within this file.
    # Unless &NODEROLE& or update.cf provides it, the variable presumably stays
    # unexpanded and should_not_continue is never defined — confirm.
    "should_not_continue" not => fileexists("${g.uuid_file}");
    # Policy Server is a machine which delivers promises
    # In the failsafe phase this is the same test as root_server below: only
    # the node whose uuid is "root" is treated as a policy server here.
    "policy_server" expression => strcmp("root","${g.uuid}");
    # Root Server is the top policy server machine
    "root_server" expression => strcmp("root","${g.uuid}");
    # We are in the failsafe phase
    "failsafe" expression => "any";
}
############################################
# Make sure the agent binaries are in place (community edition) and generate a
# key pair if none is present.
bundle agent init_files
{
  vars:
    # Binaries copied into ${sys.workdir}/bin by the files promise below.
    "components" slist => { "cf-agent", "cf-serverd", "cf-execd", "cf-monitord", "cf-promises", "cf-runagent", "cf-key", "cf-hub" };
    nova_edition::
      "cfengine_install_path" string => "/usr/local";
    community_edition::
      "cfengine_install_path" string => "/opt/rudder";
  classes:
    # No private key yet: cf-key must be run before the agent can identify
    # itself to the policy server.
    "missing_key" not => fileexists("${sys.workdir}/ppkeys/localhost.priv");
  files:
    # NOTE(review): this context uses cfengine_community while the vars above
    # use community_edition; confirm both classes are defined on the same
    # agents, otherwise the copy silently never happens.
    cfengine_community.(linux|cygwin)::
      # Copy each binary from the install path when its digest differs,
      # restricted to the owner (mode 700), with no ifelapsed throttling.
      "${sys.workdir}/bin/${components}"
        perms => u_p("700"),
        copy_from => cp("${cfengine_install_path}/bin/${components}","localhost"),
        action => immediate;
  commands:
    # Run cf-key (no arguments) to generate the missing key pair; the binary
    # path differs per platform.
    cygwin.missing_key::
      "${sys.workdir}/bin/cf-key.exe";
    &if(NOVA)&
    windows.missing_key.!cygwin::
      "\"${sys.workdir}\bin\cf-key\"";
    &endif&
    linux.missing_key::
      "${sys.workdir}/bin/cf-key";
}
# This bundle will check the "last successful inputs update", and if it is older
# than 1 hour, remove cf_lock.db (and only this DB), to give CFEngine a chance
# to run properly again.
bundle agent check_lock_db_problem
{
  vars:
    # The lock DB file name depends on the CFEngine release.
    cfengine_3_0|cfengine_3_1|cfengine_3_2::
      "cf_lock_filename" string => "cf_lock.db";
    !(cfengine_3_0|cfengine_3_1|cfengine_3_2)::
      # NOTE(review): agents built with the LMDB backend name this file
      # differently; on such builds this bundle targets a file that does not
      # exist and a stale lock is never cleared — confirm against the CFEngine
      # version Rudder ships.
      "cf_lock_filename" string => "cf_lock.tcdb";
  files:
    # The aim of this promise is to create a class when this file is older
    # than one hour. The class can not be created without touching but in
    # order to not modifying the mtime we use warn_only.
    # warn_only also sets ifelapsed => "60": this promise is evaluated at most
    # once an hour, and between evaluations none of the three classes below is
    # defined, so the deletion promise cannot fire either. NOTE(review): that
    # elapsed-time lock is presumably stored in the very lock DB being repaired.
    "${sys.workdir}/last_successful_inputs_update"
      file_select => over_an_hour,
      touch => "true",
      action => warn_only,
      # success() is not defined in this file (presumably in update.cf).
      classes => success("last_successful_inputs_update_too_old", "last_successful_inputs_update_check_error", "last_successful_inputs_update_ok");
    # Remove the lock DB only when the marker file is stale. The tidy body also
    # allows directory removal, which is irrelevant for a single file.
    "${sys.workdir}/state/${cf_lock_filename}"
      delete => tidy,
      ifvarclass => "last_successful_inputs_update_too_old",
      classes => success("cf_lock_removed", "cf_lock_error_removing", "cf_lock_not_deleted");
  reports:
    # Rudder report lines; &TRACKINGKEY& is substituted by the policy generator.
    cf_lock_removed::
      "@@Common@@log_repaired@@&TRACKINGKEY&@@Update@@None@@${g.execRun}##${g.uuid}@#Promises had not been updated for over an hour, this could indicate a broken lockfile. cf_lock DB file was removed.";
    cf_lock_error_removing::
      "@@Common@@result_error@@&TRACKINGKEY&@@Update@@None@@${g.execRun}##${g.uuid}@#Promises have not been updated for over an hour, this could indicate a broken lockfile, but an error occured when trying to remove it";
}
body file_select over_an_hour()
{
  # Select file which are older than one hour
  # Use of positive mtime instead of negative one
  # In order to avoid corner effects
  # mtime matches the window [one hour ago, now]; the negated file_result
  # therefore selects files outside that window. Note that a file whose mtime
  # lies in the future (e.g. after clock skew) is selected as well.
  mtime => irange(ago(0,0,0,1,0,0), now);
  file_result => "!mtime";
}
# Recurse d levels into a directory (not referenced in this file).
body depth_search recurse(d)
{
  depth => "${d}";
}
# perms validation: set the file mode to p (e.g. "700" for owner-only access)
body perms u_p(p)
{
  mode => "${p}";
}
# server may be a list
# Copy `from` on `server` to the promiser, only when the content hash differs.
# NOTE(review): no transport attributes (encrypt, trustkey) are set here, so a
# remote copy through this body runs with the agent's defaults; in this file
# it is only called with "localhost" (init_files), which is presumably handled
# as a local copy.
body copy_from cp(from,server)
{
  servers => { "${server}" };
  source => "${from}";
  compare => "digest";
  community_edition::
    # Community agents use a non-default port, substituted by the policy generator.
    portnumber => "&COMMUNITYPORT&";
}
# Evaluate the promise on every run (no elapsed-time throttling).
body action immediate
{
  ifelapsed => "0";
}
# Recurse d levels, skipping the directories in list (not referenced in this file).
body depth_search recurse_ignore(d,list)
{
  depth => "${d}";
  exclude_dirs => { @{list} };
}
# Delete the promiser; links to directories are removed and directories may be
# removed too.
body delete tidy
{
  dirlinks => "delete";
  rmdirs => "true";
}
body action warn_only
{
  # Only report what would be changed; never apply the change.
  action_policy => "warn";
  # Re-evaluate the promise at most once every 60 minutes.
  ifelapsed => "60";
}