Install and uninstall packages based on conditions

Posted by Craig Comstock
July 1, 2024

For security reasons, you generally want to uninstall talk, samba, and apache2 in your infrastructure. However, on your webservers, which have the webserver CFEngine class defined, you might want Apache to be installed. With the conditional-installer module, you can put talk,samba,apache2 in the list of packages to uninstall. And in the list of packages to install, you can put apache2 with the condition webserver. Hence, the module will install apache2 on your webservers and uninstall it everywhere else. talk and samba, on the other hand, will be uninstalled everywhere. As always with CFEngine, if the state is already correct - i.e., packages that should be installed are already installed and packages that should not be installed are not installed - no actions will be performed.

When we use the Mission Portal Build application we can add this module and edit data to specify what we want to happen.

First, search for “conditional-installer,” click on the entry found from searching, and then the Edit button.

conditional-installer inputs edited

Notice that we specify data:webserver instead of just webserver. This is because we want to use host-specific data, which defaults to the namespace data.

After that, we can visit two hosts to add the webserver class:

adding webserver class to a Debian host adding webserver class to a RHEL 8 host

We can then test package removal by visiting x220 (my Debian host):

root@x220:~# apt install telnet
root@x220:~# command -v telnet
/usr/bin/telnet
root@x220:~# echo $?
0
root@x220:~# cf-agent -KI
   info: Successfully removed package 'telnet'
root@x220:~# command -v telnet
root@x220:~# echo $?
1

And then check on our webserver installations. First on Debian:

root@x220:~# apache2ctl -v
Server version: Apache/2.4.59 (Debian)
Server built:   2024-04-05T12:08:04

And on RHEL-8:

root@rhel8:~# httpd -v
Server version: Apache/2.4.37 (Red Hat Enterprise Linux)
Server built:   Feb 16 2024 04:23:20

Looks good! Now, you can proceed by specifying more packages to install and uninstall based on how you classify your hosts with CFEngine classes.

With our upcoming 3.24.0 release, our new Groups feature allows you to further refine how to specify vars and classes data on host records.

Groups app in Mission Portal showing Webservers group

Oops! Looks like I have 15 unkept promises, according to our Policy Analyzer. I better hop over there and get busy fixing those issues.

For a more detailed preview of this functionality, check out our latest The agent is in episode 38.

Questions?

If you have questions or need help, don’t hesitate to reach out on the mailing list or GitHub discussions. If you have a support contract, feel free to open a ticket in our support system.