neilhwatson / evolve_cfengine_freelib Goto Github PK

Requirements:

1. Promise Dockerfile and supporting files from cf-serverd.
2. If above promise is repaired then 'force' both image build and container restart. Use --restart=unless-stopped for run and --rm=true for images.
3. If promise 1 is kept then ensure defined image is present and container is running.

How to do the last promise the least invasive way given CFEngine has not docker aware parts? Commands must be used.

Data required:

1. File src on cf-serverd.
2. File destination on agent host.
3. Image and container name.
4. Image tag (maybe)
5. Docker capabilities.
6. Volumes (nice to have)

Possible checks:

1. docker images -q pcf_dns:latest
2. docker ps -q --filter=name=pcf_dns

Keep docker images current by checking existing images and build new ones from Dockerfiles if current ones are old or missing.

Getting info from Docker API

1. Get creation time of image with given RepoTag:
   curl -s --unix-socket /run/docker.sock http://docker/images/json|jq '.[] | select( .RepoTags[] == "my_tag:latest" )|.Created''

Compare time against Dockerfile and support files' ctime. Invoke new build if Created is older.

Replace CSV data with JSON data.

Move from arrays to data containers where possible.

Testing has been good, time to make it official.

A bundle to kill process that are long running, consuming too much memory, or not permitted by security. Consider not using CSV for this an all new bundles.

Parameters:

1. Class
2. Process command regex
3. Process_owner regex list
4. Minimum rsize in kilobytes
5. Minimum elapsed process time in minutes
6. Minimum number of processes

Because number of processes is not in a process select body, it will be tricky to combine. Will probably need three process promises.

Disabling these in el_sysctl_conf bundle.

A set of bundles for passive host auditing by setting classes. Combine them with the test bundle for TAP output.

1. Is process running?
2. Is rpm installed?
3. Is sysctl value set?
4. Is systctl value in conf file?
5. Does file have correct hash sum?
6. Is service enabled for boot start?
7. Is service disabled for boot start?
8. Are file permissions correct?

Expected input:
class, class to set, test

Or class to set should be base class and prefix it with ok or not_ok based on pass or fail.

Lists from efl_global_slists will not work if you attempt to de-reference them. See https://dev.cfengine.com/issues/6866

Workarounds:

You must call the lists directly, or do not use efl_global_slists and build them directly in policy like this:

bundle common list_backup
{
  vars:
     "policy_servers" slist => { "${sys.policy_hub}" };
     "localhost"      slist => { "localhost" };
}

May improve performance for 3.6 clients until all bundles are replaced with readjson.

On hold until CFE bug 7372 is resolved: https://dev.cfengine.com/issues/7372

In progress

Not sure if I'm doing something wrong, but with cfengine-community 3.7.2, I see this in the logs:

'''
2016-03-31T05:43:28.256199-04:00 myserver [20596]: CFEngine(server) Trying to evaluate unsupported/obsolete promise type meta in server bundle efl_server_csv
2016-03-31T05:43:28.256764-04:00 myserver [20596]: CFEngine(server) Trying to evaluate unsupported/obsolete promise type meta in server bundle efl_server_json
'''

Is meta really deprecated, or should I file a bug with cfengine to have this message removed?

Just read a JSON, but how to shuffle lists?

promise outcome not logged , only below line in /var/cfengine/delta_reporting/log/promises
BEGIN 2017-06-12T05:37:32-0500
copied evolve_freelib.cf and efl_common.cf to masterfiles/lib/EFL
and efl.cf to masterfiles/services/autorun
followed install document and created efl_data and other required files.

also how we can debug logging promise outcome.

cfengine 3.7.0

error: A variable seems to have been used for the name of the method. In this case, the promiser also needs to contain the unique name of the method
error: A method attempted to use a bundle '${d[0][bundle]}' that was apparently not defined
error: Method 'efl_bug2638' failed in some repairs
error: A variable seems to have been used for the name of the method. In this case, the promiser also needs to contain the unique name of the method
error: A method attempted to use a bundle '${d[1][bundle]}' that was apparently not defined
error: Method 'efl_bug2638' failed in some repairs
error: A variable seems to have been used for the name of the method. In this case, the promiser also needs to contain the unique name of the method
error: A method attempted to use a bundle '${d[2][bundle]}' that was apparently not defined
error: Method 'efl_bug2638' failed in some repairs
error: Method 'efl_main' failed in some repairs
error: Method 'efl_run' failed in some repairs

Ideally use existing edit_template bundle an detect template file by its extension.

The directory structure seems to have changed considerable in CFE 3.5, so some of the README steps differ. I've managed to load the elf library and run the efl_main bundle, but now I"m getting the following error :

# cf-agent -I -K
2014-01-13T15:46:16+0530   notice: R: --> I'm a policy hub.
2014-01-13T15:46:16+0530   notice: R: Hello World!
2014-01-13T15:46:16+0530     info: M '"/var/cfengine/modules/return_index.pl" efl_main 1': 2014-01-13T15:46:16+0530   error: Couldn't run '/var/cfengine/modules/return_index.pl'. (execv: No such file or directory)

Do you know why the return_index.pl module is not being detected? The file is present and set to executable in that directory :

# cd modules/
# pwd
/var/cfengine/modules
# ls -al
total 12
drwx------.  2 root root 4096 Jan 13 15:24 .
drwxr-xr-x. 13 root root 4096 Jan 13 14:55 ..
-rwxr-xr-x.  1 root root  630 Jan 13 15:24 return_index.pl

promises.cf :

body common control
{
 bundlesequence => {
                 # Common bundles first for best practice 
                    def,

                 # Design Center
                    cfsketch_run,

                 # Agent bundles from here
                    main,
                    edit_motd,
                    efl_main("/var/cfengine/inputs/bundle.txt"),
 };

 inputs => {

         # Global common bundles
            "def.cf",

         # Control body for all agents
            "controls/cf_agent.cf",
            "controls/cf_execd.cf",
            "controls/cf_monitord.cf",
            "controls/cf_runagent.cf",
            "controls/cf_serverd.cf",

         # COPBL/Custom libraries.  Eventually this should use wildcards.
             @(cfengine_stdlib.inputs),

         # Design Center
             # MARKER FOR CF-SKETCH INPUT INSERTION
             "cf-sketch-runfile.cf",

         # User services from here
            "services/init_msg.cf",
            "lib/3.5/evolve_freelib.cf",
            "edit_motd.cf",
};

 version => "Community Promises.cf 3.4.0";

}

Add Delta Hardening data with both 3.5 and 3.6 branches.

Is this possible? Can I provide a wild card to user and group?