Show posts tagged:
feature-friday

Feature Friday Feature Friday #20: Macros

Did you know CFEngine has Macros? They were first introduced in CFEngine 3.7 (back in 2015), and more have been introduced since then. Macros are convenient for preventing the parsing of a section of the policy. It is handy for protecting older binaries from getting tripped up on newer syntax the agent does not understand. Let’s take a look. Currently there are 8 macros. minimum_version - Prevent the section of policy from being parsed unless the agent meets a minimum version. maximum_version - Prevent the section of policy from being parsed when the agent exceeds a maximum version. at_version - Prevents the section of policy from being parsed unless the agent is of a specific version. between_versions - Prevents a section of policy from being parsed unless the agent is between (inclusive) a minimum and maximum version. before_version - Prevents a section of policy from being parsed unless the agent is below a specified version (not inclusive). after_version - Prevents a section of policy from being parsed unless the agent is above a specified version (not inclusive). else - Allows the agent to parse a section of policy only if the preceding macro is not applicable. feature - Prevents a section of policy from being parsed based on feature availability. You can find examples of use within the Masterfiles Policy Framework. For example, body action fresh_systemd_state uses the minimum_version macro to control the setting of ifelapsed => "0" to versions 3.18.1 and higher since versions below might produce a warning.

Posted by Nick Anderson
July 26, 2024

Feature Friday #19: What variables and classes are defined?

Do you know how to quickly see what variables and classes are defined? Often, while developing CFEngine policy it’s convenient to emit a variable value or a report based on the presence of a class. For example: bundle agent main { reports: "Unqualified hostname = '$(sys.uqhost)'"; linux:: "I am running on linux"; } In some cases, this is because you are exploring what classes are available. In other cases, it might be DEBUG-related reports helping you understand how a variable is resolved during policy evaluation. Often, you can get this information without writing CFEngine policy to emit it by using the --show-vars or --show-classes options to cf-promises.

Posted by Nick Anderson
July 19, 2024

Feature Friday #18: Augments - def.json

Ever want to get some data into CFEngine? Have you heard about the def.json Augments file?1 Augments are JSON data files that allow you to define classes and variables very early during agent initialization, before policy. Augments are practical in a variety of ways. Perhaps most notably for overriding policy defaults. Let’s look at a simple example. Here we have a policy /tmp/feature-friday/18-0.cf /tmp/feature-friday/18-0.cf bundle agent main { reports: "MyVariable $(with) defined '$(MyVariable)'" with => ifelse( isvariable( MyVariable ), "is", "is not" ); } Running it, we can see that MyVariable isn’t defined

Posted by Nick Anderson
July 12, 2024

Feature Friday #17: Tags for inventory and reporting

Let’s talk about tags and how they can be useful for Inventory and Reporting. If you have been following along with the Feature Friday series you already heard about using tags to find currently defined classes, variables and bundles, but they are also very useful for reporting. In CFEngine Enterprise the inventory and attribute_name tags are special. A variable or class tagged with inventory becomes visible in the Inventory subsystem in Mission Portal with the name given in the attribute_name tag.

Posted by Nick Anderson
July 5, 2024

Feature Friday #16: host info report

Did you know the Masterfiles Policy Framework (MPF) ships with a host info report? That’s right, you can simply run cf-agent --bundlesequence host_info_report and a report will be generated. command cf-agent --bundlesequence host_info_report output R: Host info report generated and available at '/var/cfengine/reports/host_info_report.txt' It’s packed with information about the specific host. Let’s peek: command head -n 9 /var/cfengine/reports/host_info_report.txt output # Host Information Generated: Fri Feb 23 19:54:13 2024 ## Identity Fully Qualified Hostname: hub.example.com Host ID: SHA=41ebb680d136f82c57af6ee1a7b938c093fe8d773bf320213eae1c476dad4fb0 ## CFEngine Version: CFEngine Enterprise 3.21.4 Here are the section headers:

Posted by Nick Anderson
June 28, 2024

Feature Friday #15: bundlesmatching()

Did you know bundles can have tags too? That’s right! You can tag a bundle by defining tags as a meta promise on a bundle. For example: bundle agent example_bundle_tag { meta: "tags" slist => { "tag_1", "tag_2" }; } You’ve likely encountered bundles tagged with autorun. These tags trigger automatic execution of bundles in lexical order whenever the services_autorun class is defined. However, you’re not limited to autorun. You can create custom tags to suite your specific needs. Perhaps you want to tag bundles associated with a particular compliance framework or identify the primary developer/team responsible for maintenance.

Posted by Nick Anderson
June 21, 2024

Feature Friday #14: variablesmatching() & variablesmatching_as_data()

Did you know you can find variables by name and tag? Like the ability to find currently defined classes (as described in Feature Friday #13: classesmatching()) that match a name or tag, you can find variables by name and tag. It’s a nifty capability. variablesmatching() returns a list of variable names that match the name and tag criteria.1 variablesmatching_as_data() returns a data container of the matching variables along with their values2.

Posted by Nick Anderson
June 14, 2024

Feature Friday #13: classesmatching()

Did you know you can find classes by name and tag? classesmatching() dynamically sources information from the current state. For example, let’s say you have classes representing a system’s role. Furthermore, let’s say that we want a host to only have a single role class defined. Finally, if we have more than one role class defined, then we don’t want to proceed. To achieve this without classesmatching(), we might have a policy file that looks like this (/tmp/feature-friday-13/tags-on-classes-0.cf)

Posted by Nick Anderson
June 7, 2024

Feature Friday #12: special variables

Are you familiar with CFEngines special variables? Probably you are familiar with sys variables like sys.fqhost (the fully qualified host name) and sys.policy_hub (the IP address of the machine the host is bootstrapped to) but I want to highlight a few other special variables you may not be so familiar with. sys Sys variables are derived from the system discovery done by the agent as it initializes. sys.os_release - A data structure derived from /etc/os-release /etc/os-release, introduced by systemd provides a nice record of the current distributions release information.1 CFEngine prefers information from this file for determining system classification like the definition of the redhat and debian classes. The file can also be extended with custom keys, like I have done on my system to set NORTHERN_TECH_OWNER=Nick Anderson. Since files information is exposed as a data container in this sys variable it can be useful for influencing policy behavior, like selecting additional Augments to load.2

Posted by Nick Anderson
May 31, 2024

Feature Friday #11: namespaces

Did you know that CFEngine has namespaces? Let’s see how they can facilitate policy sharing while avoiding “duplicate definitions of bundle” errors. Most of the Masterfiles Policy Framework (MPF) and policy examples for CFEngine use the default namespace. However, body file control allows you to specify a namespace that applies for the rest of the file or until it’s set again by another body file control. Let’s consider a contrived example. Say we have two policy files (policy-1.cf, policy-2.cf) for different services. In each policy file, we want to have a bundle where we store settings related to that policy. Traditionally this would be handled by using some bundle naming convention, so we might have bundle agent policy_1_settings and bundle agent policy_2_settings. Using namespaces you can keep your bundle names brief and use different namespaces to avoid “duplicate definitions of bundle” errors.

Posted by Nick Anderson
May 24, 2024