Modular policies with autorun and the augments_file

Posted by Nick Anderson
July 26, 2015

1, 2, 3.7 GO! CFEngine 3.7 was released just over a week ago, and one of the neat things in 3.7 is the new augments_file, also known as def.json or overrides. What’s so neat about it? It lets you define classes, variables and additional inputs without editing any of the files shipped in the masterfiles policy framework, which is going to make your future policy upgrades easier: there is nothing of yours to merge back into the upgraded framework files. I will be using the CFEngine Enterprise Vagrant Environment because it’s a really quick and easy way to stand up a test environment. Here is my fresh 3.7.1 environment.

Looks like my instances are ready to go

Show CFEngine Version

First I log in to the hub and become root.

vagrant ssh hub
sudo -i

I need some policy to add to inputs. I will integrate a policy that inventories SSH host key fingerprints.

# Add some additional policy that needs to be included in inputs.
# Pinning to a specific commit means the unpacked tree is exactly the one reviewed,
# not whatever the branch head happens to be when this runs again.
export COMMIT=e1b7b4646dbcecfe35cb3c7471401850a29909ac
wget https://github.com/nickanderson/cfengine-ssh/archive/$COMMIT.tar.gz -O /tmp/$COMMIT.tar.gz
tar -C /tmp -zxf /tmp/$COMMIT.tar.gz
rm -f /tmp/$COMMIT.tar.gz
# Place the policy under services/, alongside the rest of the site-specific policy.
mv /tmp/cfengine-ssh-$COMMIT /var/cfengine/masterfiles/services/ssh

Next I create my augments_file, /var/cfengine/masterfiles/def.json, with the following content.

{
  "classes":
  {
    "services_autorun": [ "any" ]
  },

  "inputs": [ "services/ssh/def.cf" ]
}

If you’re looking for a fuller example, see example_def.json in the masterfiles repository. With those few lines I have enabled the autorun feature and added my ssh policy to inputs without touching any files shipped in the masterfiles policy framework (minus that patch that is already upstream). Now I just need to make sure my bundles get activated. I do that by creating /var/cfengine/masterfiles/services/autorun/ssh.cf with the following content.

bundle agent ssh_autorun
{
  meta:
    # The "autorun" tag is what the autorun feature looks for when it
    # discovers bundles to run from services/autorun/.
    "tags" slist => { "autorun" };

  methods:
    # Every Linux host inventories its own host key fingerprints.
    linux::
      "SSH Host Key Fingerprint Inventory"
        usebundle => inventory_ssh_host_key_fingerprints;

    # Only the Enterprise hub has the fleet-wide data needed to spot
    # duplicate fingerprints, so this runs there and nowhere else.
    am_policy_hub.enterprise_edition::
      "Inventory Duplicate SSH Host Key Fingerprints"
        usebundle => inventory_duplicate_ssh_host_key_fingerprints;
}

Further Reading: Brian Bennett has a nice write up on how he uses autorun, and Bernt Jernberg also contributed a nice piece on how to use autorun with meta tags and hard classes.

Before deploying, I double-check that my policy still validates after the changes.

cf-promises -cf /var/cfengine/masterfiles/promises.cf
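cf-promises validates the .cf policy, but it does not tell you much about def.json itself: a typo in the JSON, an unknown top-level key, or an "inputs" entry pointing at a file that was never copied into masterfiles will all only show up as errors (or silently missing policy) on the agents. The small linter below is an added example, not code from the post or from CFEngine, that runs the checks I would want before the cf-promises step: the file parses as JSON, only the 3.7 augments keys "classes", "vars" and "inputs" are used (that key list is an assumption about 3.7, not something the post states), every class entry is a list of class expressions, and every input resolves to an existing file inside the masterfiles tree. The demo() function builds a throwaway masterfiles tree and lints a constructed good file and two constructed broken ones.

```python
"""Lint a CFEngine 3.7 augments file (def.json) before running cf-promises.

Added example, not code from the post or from the CFEngine project.
Assumption: the 3.7 augments file accepts the top-level keys "classes",
"vars" and "inputs"; adjust KNOWN_KEYS for other versions.
"""
import json
import os
import re
import tempfile

KNOWN_KEYS = {"classes", "vars", "inputs"}          # assumed 3.7 key set
IDENT = re.compile(r"^[A-Za-z0-9_]+$")              # a CFEngine class name
# A class expression: identifiers joined with . & | ! and parentheses.
CLASS_EXPR = re.compile(r"^[A-Za-z0-9_.&|!()\s]+$")


def lint_augments(def_json_text, masterfiles_dir):
    """Return a list of problem strings; an empty list means the file passed."""
    problems = []
    try:
        data = json.loads(def_json_text)
    except ValueError as exc:                       # JSONDecodeError subclasses ValueError
        return ["def.json is not valid JSON: %s" % exc]
    if not isinstance(data, dict):
        return ["def.json must be a JSON object at top level"]

    for key in sorted(set(data) - KNOWN_KEYS):
        problems.append("unknown top-level key %r (known: %s)"
                        % (key, ", ".join(sorted(KNOWN_KEYS))))

    classes = data.get("classes", {})
    if not isinstance(classes, dict):
        problems.append('"classes" must map class name -> list of class expressions')
    else:
        for name, exprs in classes.items():
            if not IDENT.match(name):
                problems.append("class name %r is not a valid identifier" % name)
            if not isinstance(exprs, list) or not exprs:
                problems.append("class %r must be a non-empty list of class expressions" % name)
                continue
            for expr in exprs:
                if not isinstance(expr, str) or not CLASS_EXPR.match(expr):
                    problems.append("class %r has an invalid class expression %r" % (name, expr))

    inputs = data.get("inputs", [])
    if not isinstance(inputs, list):
        problems.append('"inputs" must be a list of paths relative to masterfiles')
    else:
        for rel in inputs:
            if not isinstance(rel, str):
                problems.append("input %r is not a string" % (rel,))
                continue
            # Inputs are relative to the directory holding promises.cf; refuse
            # anything that would read outside the distributed masterfiles tree.
            if os.path.isabs(rel) or ".." in rel.split("/"):
                problems.append("input %r escapes the masterfiles tree" % rel)
                continue
            if not os.path.isfile(os.path.join(masterfiles_dir, rel)):
                problems.append("input %r does not exist under %s" % (rel, masterfiles_dir))
    return problems


def demo():
    """Lint one good and two broken def.json texts against a constructed
    masterfiles tree (sample data made up for this example)."""
    tree = tempfile.mkdtemp()
    os.makedirs(os.path.join(tree, "services", "ssh"))
    open(os.path.join(tree, "services", "ssh", "def.cf"), "w").close()

    good = '{"classes": {"services_autorun": ["any"]}, "inputs": ["services/ssh/def.cf"]}'
    # Wrong key name, class value not a list, one traversal and one missing input.
    bad = ('{"classes": {"services_autorun": "any"}, "input": ["services/ssh/def.cf"],'
           ' "inputs": ["../../etc/passwd", "services/missing.cf"]}')
    broken = '{"inputs": ["services/ssh/def.cf",]}'   # trailing comma: not JSON
    return lint_augments(good, tree), lint_augments(bad, tree), lint_augments(broken, tree)


if __name__ == "__main__":
    path = "/var/cfengine/masterfiles/def.json"
    with open(path) as fh:
        for problem in lint_augments(fh.read(), os.path.dirname(path)) or ["OK"]:
            print(problem)
```

Run it on the hub right before cf-promises; a non-empty report means the agents would have picked up a def.json that does not say what you think it says.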

After a few minutes I can see the new inventory attributes in Mission Portal.

It inventories each found host fingerprint as well as all of the known host key types.

Inventory SSH Host Fingerprint (DSA)