The MPF or Masterfiles Policy Framework is intended to provide a stable base policy for installations and upgrades, and is used by both CFEngine Enterprise and CFEngine community.
When you create a new cfbs project with cfbs init, one of the questions is related to the MPF:
Do you wish to build on top of the default policy set, masterfiles? (Recommended) [YES/y/no/n]:
Added module: masterfiles
The default commit message is 'Added module 'masterfiles'' - edit it? [yes/y/NO/n]
Committing using git:
[main f84d0d4] Added module 'masterfiles'
1 file changed, 16 insertions(+), 1 deletion(-)
Of particular interest to policy writers is the lib sub-directory:
This directory contains the standard library, also known as COPBL (the Community Open Promise Body Library). The bodies and bundles found here are contributed and maintained by the CFEngine community. They codify many common and useful patterns.
Let’s look through some of the helpful bits you can re-use in your policy!
cronjob
Maybe you want to easily add a job to a user's crontab? Use the cronjob agent bundle.
methods:
"cron" usebundle => cronjob("/bin/ls","mark","*","5,10");
in_shell
By default, commands promises do not execute a shell due to resource and security concerns.
Often though, we need to set up a pipeline of commands to achieve our goals.
In this case we have to instruct CFEngine to use a shell with the contain body useshell attribute.
Once a shell is involved, metacharacters in the command string are interpreted, so keep data from untrusted sources out of commands that use it.
Here we use a helper, in_shell, that saves us from writing the contain body ourselves.
commands:
"/bin/pwd | /bin/cat"
contain => in_shell;
warn_only
A wise strategy when writing policy is to make no changes at first and just see how things currently are.
The action attribute provides a way to achieve this.
The MPF has many helper action bodies.
Here we use warn_only, which warns once an hour if the promise needs to be repaired.
commands:
"something --destructive"
action => warn_only;
classes_generic
It is often helpful to use the result of one promise to decide to activate another promise.
There are many classes bodies in the MPF.
The classes_generic body defines many classes depending on the outcome of the promise.
commands:
"/bin/true"
classes => classes_generic("true");
This would define promise_repaired_true and promise_kept_true.
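The three helpers above combined in one stand-alone policy, as an added example that is not part of the original post or of the MPF itself. It assumes the standard library is installed at $(sys.libdir)/stdlib.cf; the bundle name, the class prefixes and the /tmp paths are constructed for illustration.

```cf3
# Added example, not MPF code. Assumes stdlib.cf lives in $(sys.libdir).
body file control
{
      inputs => { "$(sys.libdir)/stdlib.cf" };
}

bundle agent main
{
  vars:
      # Constructed sample value standing in for data that comes from elsewhere.
      "dir" string => "/tmp";

  commands:
      # No shell: the command is executed directly, so shell metacharacters
      # that might appear in $(dir) are passed as plain text, not interpreted.
      "/bin/ls $(dir)"
        classes => classes_generic("listing");

    listing_ok::
      # A pipeline needs a shell. The string is fixed, with no interpolated
      # data, and only runs once the promise above has succeeded.
      "/bin/pwd | /bin/cat"
        contain => in_shell,
        classes => classes_generic("pipeline");

    any::
      # warn_only: CFEngine warns that the command needs to run, runs nothing.
      # The path is a constructed placeholder.
      "/bin/rm -rf /tmp/example-scratch"
        action => warn_only;

  reports:
    listing_repaired::
      "ls exited 0; commands promises count that as repaired";
    pipeline_ok::
      "pipeline ran inside a shell via in_shell";
    listing_not_ok::
      "ls failed, so the pipeline was skipped";
}
```

Saved to a file and run with cf-agent -KIf on that file, the first two reports show which classes classes_generic defined, and the rm command only produces a warning.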
and so much more!
There are many other bundles and bodies for all the various promise types. Take a look through the documentation and find helpers for commands, files, paths and more.