always repaired status when copying an entire directory

Jeroen van den Haspel

Apr 19, 2017, 6:40:08 AM
to help-cfengine
All,

When doing something like:
files:

      "$(target)/"
      comment              => "Copy files in directory",
      create               => "true",
      perms                => mog("${perms2use}","${user2use}","${group2use}"),
      action               => immediate_dlc,
      copy_from            => cp_dlc("${source}/"),
      depth_search         => recurse("1"),
      classes              => if_repaired("status_files_copy");

The class status_files_copy will always be set. Even if the files are already there and nothing is copied.

Any idea how to deal with that?

Regards,
Jeroen.


Aleksey Tsalolikhin

Apr 19, 2017, 7:33:14 AM
to Jeroen van den Haspel, help-cfengine
Is CFEngine actually changing anything? E.g. perms? Could we see the "cf-agent -I" output?

--
You received this message because you are subscribed to the Google Groups "help-cfengine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to help-cfengine+unsubscribe@googlegroups.com.
To post to this group, send email to help-c...@googlegroups.com.
Visit this group at https://groups.google.com/group/help-cfengine.
For more options, visit https://groups.google.com/d/optout.

Jeroen van den Haspel

Apr 19, 2017, 8:08:49 AM
to Aleksey Tsalolikhin, help-cfengine
Hi Aleksey,

Thanks. That pointed me in the right direction!
In another policy a single file was copied to the same target directory but with different permissions. And because I am copying an entire directory apparently the permission of the already existing file also gets changed.
I expected that the permissions only would be set on the copied files, not on files already in the target directory.

Thanks for your help.

Regards,
Jeroen.




Aleksey Tsalolikhin

Apr 19, 2017, 10:38:10 AM
to Jeroen van den Haspel, help-cfengine
Right. :)

You are welcome!

Nick Anderson breaks a compound promise like this up into multiple promises: one to copy, another to set perms.  So you can see exactly what got repaired. He's a smart one! :-)

Ted Zlatanov

Apr 19, 2017, 10:43:10 AM
to help-c...@googlegroups.com
On Wed, 19 Apr 2017 14:08:48 +0200 Jeroen van den Haspel <jvdh...@gmail.com> wrote:

JvdH> In another policy a single file was copied to the same target directory but
JvdH> with different permissions. And because I am copying an entire directory
JvdH> apparently the permission of the already existing file also gets changed.
JvdH> I expected that the permissions only would be set on the copied files, not
JvdH> on files already in the target directory.

I mentioned previously that it would be useful to see all the outcomes
of a vector promise like that, so you don't have to dig in the logs or
guess, and so you can utilize the outcomes in other promises.

https://groups.google.com/d/msg/help-cfengine/5Cd81gYXYl4/aG8i-Hd1CAAJ

Ted

Neil H. Watson

Apr 19, 2017, 10:44:13 AM
to help-cfengine
"It's common to promise file permissions and content in a single
promise, but what if the promiser file is sshd_config? If you have a
follow up promise to restart sshd if sshd_config changes that restart
will be triggered even by a permission only repair. Separate these into
two promises to avoid this disruptive behaviour."

http://watson-wilson.ca/blog/2014/07/18/cfengine-best-practices-part-2/

--
Neil H Watson @neil_h_watson
CFEngine reporting: https://github.com/neilhwatson/delta_reporting
CFEngine policy: https://github.com/neilhwatson/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3

Nick Anderson

Apr 19, 2017, 10:46:38 AM
to Jeroen van den Haspel, nick.a...@cfengine.com, help-cfengine

Jeroen van den Haspel <jvdh...@gmail.com> writes:

> All,
>
> When doing something like:
> files:
>
>       "$(target)/"
>       comment              => "Copy files in directory",
>       create               => "true",
>       perms                => mog("${perms2use}","${user2use}","${group2use}"),
>       action               => immediate_dlc,
>       copy_from            => cp_dlc("${source}/"),
>       depth_search         => recurse("1"),
>       classes              => if_repaired("status_files_copy");
>
> The class status_files_copy will always be set. Even if the files are
> already there and nothing is copied.
>
> Any idea how to deal with that?

I really prefer to use the results classes body because it gives me classes
for each outcome a promise has, and because I can scope the classes to the
bundle instead of namespace scoped where the classes can be seen by other
bundles.

For example:

bundle agent main
{
  commands:
    "/bin/true"
      classes => results("bundle", "true");

  vars:
    "found_classes" slist => classesmatching("true_.*");

  reports:
    "CFEngine $(sys.cf_version)";

    "Found class '$(found_classes)'";
}

R: CFEngine 3.10.1
R: Found class 'true_repaired'
R: Found class 'true_reached'

And when iterating over a list, you can define classes for each iterable.

bundle agent main
{
  vars:
    "l" slist => { "one", "two", "three" };

  commands:
    "/bin/echo $(l)"
      classes => results("bundle", "echo_$(l)" );

    "/bin/false $(l)"
      classes => results("bundle", "false_$(l)" );
  vars:
    "found_classes" slist => classesmatching("(echo|false).*");

  reports:
    "CFEngine $(sys.cf_version)";

    "Found class '$(found_classes)'";
}

  notice: Q: ".../bin/echo one": one
  notice: Q: ".../bin/echo two": two
  notice: Q: ".../bin/echo three": three
   error: Finished command related to promiser '/bin/false one' -- an error occurred, returned 1
   error: Finished command related to promiser '/bin/false two' -- an error occurred, returned 1
   error: Finished command related to promiser '/bin/false three' -- an error occurred, returned 1
R: CFEngine 3.10.1
R: Found class 'false_two_reached'
R: Found class 'echo_two_repaired'
R: Found class 'false_three_error'
R: Found class 'false_one_reached'
R: Found class 'false_two_error'
R: Found class 'false_one_error'
R: Found class 'false_two_failed'
R: Found class 'false_two_not_kept'
R: Found class 'false_one_failed'
R: Found class 'false_one_not_kept'
R: Found class 'echo_one_reached'
R: Found class 'false_three_reached'
R: Found class 'echo_one_repaired'
R: Found class 'echo_two_reached'
R: Found class 'echo_three_repaired'
R: Found class 'false_three_not_kept'
R: Found class 'echo_three_reached'
R: Found class 'false_three_failed'

Hope this helps.


Nick Anderson
Doer of things, CFEngine

Enrico Scholz

Apr 19, 2017, 5:56:56 PM
to help-c...@googlegroups.com
Jeroen van den Haspel <jvdh...@gmail.com> writes:

> In another policy a single file was copied to the same target directory but
> with different permissions. And because I am copying an entire directory
> apparently the permission of the already existing file also gets changed.
> I expected that the permissions only would be set on the copied files, not
> on files already in the target directory.

yes; changing perms of completely unrelated files while doing a recursive
copy is a broken design decision of CFengine3 :(

The https://github.com/ensc/cfengine3/commits/3.10/copy-no-perms branch
fixes it.


Enrico

Jeroen van den Haspel

Apr 21, 2017, 3:05:15 AM
to Nick Anderson, help-cfengine
Thanks Nick, that's also a good option.

As I am only interested if something was ok (e.g. not changed), changed or raised an error, I created a body class.

body classes ok_changed_error(x)
# @brief Define the class `x` if the promise is kept, could be repaired or is not kept and cannot be repaired
# @param x The name of the class that should be defined
# @param x will be extended with _ok, _changed or _error
{
      promise_kept     => { "$(x)_ok" };
      promise_repaired => { "$(x)_changed" };
      repair_failed    => { "$(x)_error" };
      repair_denied    => { "$(x)_error" };
      repair_timeout   => { "$(x)_error" };
}


So that will be like:
      classes              => ok_changed_error("status");

And after that I can use these classes like:
status_ok::
  do something

status_changed::
    do something else

status_error::
    do something else 2

As far as I know only promise_kept, promise_repaired, repair_failed, repair_denied and repair_timeout are possible. Right?

Regards,
Jeroen.


Nick Anderson

Apr 21, 2017, 9:56:32 AM
to help-cfengine, nick.a...@cfengine.com
Here are the docs for the results body.


The classes body attributes available are:

promise_kept promise_repaired repair_failed repair_denied repair_timeout
scope

Remember that promises can have multiple outcomes. But you can build an expression based on them to get what you want.

For example, maybe I want to do something ONLY if there have been no repairs, when things are perfect already:

prefix_kept.!(prefix_repaired|prefix_error)::

Jeroen van den Haspel

Apr 24, 2017, 2:14:30 AM
to Nick Anderson, help-cfengine
That's indeed similar to what I do: prefix_ok.!prefix_changed.!prefix_error::

Is it possible to do prefix_kept.!(prefix_repaired|prefix_error) within a body class?
So the outcome gives a "real" "unchanged" status?




Nick Anderson

Apr 24, 2017, 9:28:12 AM
to Jeroen van den Haspel, help-cfengine

Jeroen van den Haspel <jvdh...@gmail.com> writes:

> That's indeed similar to what I do:
> prefix_ok.!prefix_changed.!prefix_error::
>
> Is it possible to do prefix_kept.!(prefix_repaired|prefix_error) within a
> body class?
> So the outcome gives a "real" "unchanged" status?

No, there is no way to do that inside the classes body.

process_select bodies have process_result and file_select bodies have the
file_result which allows you to construct an expression to describe the
characteristic of a process or file that should match.
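
An added example, not part of any post in this thread: the split suggested above (one promise for content, one for permissions), with the "unchanged" status derived in a classes promise because it cannot be built inside a classes body. It assumes the stock stdlib.cf bodies local_dcp, recurse, mog and results; the paths, mode, owner and the copy/perms class prefixes are constructed for illustration.

```cf3
body file control
{
      inputs => { "$(sys.libdir)/stdlib.cf" };
}

bundle agent main
{
  vars:
      # Constructed values for illustration; both directories are assumed to exist.
      "source" string => "/var/tmp/example_src";
      "target" string => "/var/tmp/example_dst";

  files:
      # Promise 1: content only. There is no perms attribute here, so
      # copy_repaired means file content was actually copied.
      "$(target)/"
        copy_from    => local_dcp("$(source)/"),
        depth_search => recurse("1"),
        classes      => results("bundle", "copy");

      # Promise 2: permissions only. This still touches every file in the
      # directory, but its repairs are reported under their own prefix.
      "$(target)/"
        perms        => mog("0644", "root", "root"),
        depth_search => recurse("1"),
        classes      => results("bundle", "perms");

  classes:
      # A recursive promise can be kept for some files and repaired for
      # others, so copy_kept alone does not mean "nothing changed".
      # This only becomes true on a later pass, once copy_kept is defined.
      "copy_unchanged"
        expression => "copy_kept.!(copy_repaired|copy_error)";

  reports:
    copy_repaired::
      "File content was copied into $(target)";
    perms_repaired::
      "Permissions were corrected in $(target)";
    copy_unchanged::
      "No file content changed in $(target)";
}
```

A follow-up promise such as a service restart can then be guarded by copy_repaired alone, so a permission-only repair does not trigger it.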
