abort_bundle_classes are not working...somewhat


Xander Cage

Sep 7, 2020, 6:14:19 AM9/7/20
to help-c...@googlegroups.com
hi,

i am defining abort bundle classes via augments...


"classes": {
               
"services_autorun": ["any"],
               
"control_agent_abortbundleclasses": ["ITSV_BUNDLE_ABORT.*"],
               
"control_agent_abortclasses": ["ITSV_ABORT.*"],
               
"cfengine_internal_disable_agent_email": ["any"],
               
"cfengine_internal_purge_policies": [ "any" ],
               
"mpf_augments_control_enabled": [ "any" ]
       
},

then using it in policy...

#!/var/cfengine/bin/cf-agent -KI


#
# control bundle
#

# Control bundle: hands off to the openssh upgrade precheck on every host
# except the policy hub.
bundle agent  b0031_control_upgrade_openssh
{
    meta:

        # NOTE(review): the tag value is "itsv_DISABLED"; presumably a site
        # convention for bundles that are only started by hand (-b) - confirm.
        "tags"  slist => { "itsv_DISABLED" };

    methods:

      # Skip the policy hub itself.
      !am_policy_hub::

        "call_upgrade_openssh"       usebundle      => precheck_upgrade_openssh,
                                     comment        => "test if we should upgrade openssh fileset and do it ..",
                                     # Runs only when the class SPARE_DAILY is defined.
                                     ifvarclass     => and ("SPARE_DAILY"),
                                     # NOTE(review): if_elapsed_day is defined elsewhere; presumably it
                                     # limits this promise to one run per day - confirm.
                                     action         => if_elapsed_day;
}

# Pre-flight checks for the openssh upgrade: calls the openssl prerequisite
# check and the "is this openssh level one we upgrade" check, then reports
# that the upgrade point has been reached. The actual upgrade call is
# commented out at the end of the bundle.
bundle agent precheck_upgrade_openssh
{
    vars:

        # Both values are handed to the check bundles, which pass them to regcmp().
        # NOTE(review): the dots are unescaped, so each "." matches any character;
        # escaping them would pin the checks to the literal version strings.
        "base_version_regex"            string  => "7.1.102.(.*)|7.5.102(.*)",
                                        comment => "only this version(s) will be upgraded (regex)";

        "openssl_prereqs_regex"         string  => "1.0.2.2100",
                                        comment => "needed openssl versions";

    methods:

        "check_prerequs"        usebundle  => check_openssl_prerequs($(openssl_prereqs_regex)),
                                comment    => "check versions before running the whole upgrade machinery";

        "check_openssh_version" usebundle  => check_openssh_upgrade_needed($(base_version_regex)),
                                comment    => "only certain (down-level) versions need to be upgraded";

      # NOTE(review): this guard is the last line of the methods section and is
      # followed directly by the "reports:" header. Confirm that it still applies
      # to the report below; a class guard normally belongs inside the
      # promise-type section it is meant to guard.
      DO_UPGRADE::

    reports:

        "reached the point of no return..";

        # NOTE(review): DO_UPGRADE is defined by check_openssh_upgrade_needed alone,
        # so nothing in this bundle ties the upgrade to the outcome of the openssl
        # check. The run shown in this thread prints both "openssh update canceled.."
        # and "reached the point of no return..". The ITSV_BUNDLE_ABORT_* classes are
        # defined inside the check bundles; verify that an abort there also stops
        # this calling bundle, or guard the upgrade on an explicit "check passed"
        # class so that a missing abort configuration fails closed.

        #"do_openssh_upgrade"
        #usebundle  => upgrade_openssh;
}

# Performs the openssh upgrade: mounts the software share, installs the
# filesets from it, unmounts the share and restarts sshd.
bundle agent upgrade_openssh
{
    vars:

        # Directory on the mounted share that holds the filesets to install.
        "update_dir_openssh"   string  => "/software/openssh/latest";

    methods:

        # if_else is defined elsewhere; presumably it sets MOUNT_OK on success and
        # ITSV_ABORT on failure - confirm. ITSV_ABORT matches the "ITSV_ABORT.*"
        # pattern that the thread configures for abortclasses.
        "mount_software"        usebundle  => mount_nfs_share("nimmsag_a", "/software", "/software", "soft,ro"),
                                comment    => "mount nimmsag:/software /software",
                                classes    => if_else("MOUNT_OK", "ITSV_ABORT");

        # NOTE(review): this promise is not guarded by MOUNT_OK, so skipping the
        # install after a failed mount depends entirely on the abort class taking
        # effect. The meaning of " -Y" and 1200 depends on update_all, which is
        # not shown here.
        # NOTE(review): nothing in this bundle verifies the filesets before they
        # are installed; unless update_all does so, the NFS export is the only
        # trust anchor for what ends up as the host's sshd.
        "update_openssh"        usebundle  => update_all($(update_dir_openssh), " -Y", 1200),
                                comment    => "update openssh filesets",
                                classes    => if_else("UPDATE_OK", "ITSV_ABORT");

        # NOTE(review): if ITSV_ABORT stops the agent after a failed update, these
        # two clean-up promises presumably do not run, leaving the share mounted
        # and sshd in whatever state the update left it - confirm.
        "umount_software"       usebundle  => umount_nfs_share("nimmsag_a", "/software"),
                                comment    => "cleanup after installation";

        "restart_sshd"          usebundle  => restart_sshd,
                                comment    => "start only the ones we stopped ..";

    reports:

      MOUNT_OK::
        "[/software] mount ok ..";

      UPDATE_OK::
        "[openssh] update ok ..";

      any::
        "finished  ..";
}

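# Checks the installed openssl.base level against the required one.
#
# needed_versions: regular expression that the installed version string is
#                  compared with via regcmp().
#
# Defines ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED when the version does not
# match, and the namespace-scoped class OPENSSL_CHECK_OK when it does.
bundle agent check_openssl_prerequs(needed_versions)
{
    classes:

        # No scope is given for this class; the verbose output in this thread
        # lists it as a "Private class". Its name matches the
        # "ITSV_BUNDLE_ABORT.*" pattern configured for abortbundleclasses.
        "ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED"     not        => regcmp("$(needed_versions)", "$(lpp_info_openssl[1])"),
                                                     comment    => "openssl prereq check ..";

        # Fixed: this promise compared against $(version), which is neither a
        # parameter nor a variable of this bundle (the parameter is
        # needed_versions). It now tests the same expression as the abort class
        # above, so exactly one of the two classes describes the outcome.
        "OPENSSL_CHECK_OK"      expression => regcmp("$(needed_versions)", "$(lpp_info_openssl[1])"),
                                scope      => "namespace",
                                comment    => "go on ..";

    methods:

        # The result of get_lpp_info is stored in the array lpp_info_openssl;
        # element [1] is what the classes promises above compare against.
        "get_openssl_version_info" usebundle => get_lpp_info("openssl.base"),
                                   useresult => "lpp_info_openssl";

    reports:

        "$(lpp_info_openssl[1]) version found .. $(needed_versions) needed ..";

      OPENSSL_CHECK_OK::
        "openssl check was ok..";

      ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED::
        "openssh update canceled..";
}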

# Decides whether the installed openssh.base.server level is one that should
# be upgraded.
#
# version: regular expression that the installed version string is compared
#          with via regcmp().
#
# Defines ITSV_BUNDLE_ABORT_CANCEL_UPGRADE when the installed version does not
# match, and the namespace-scoped class DO_UPGRADE when it does.
bundle agent check_openssh_upgrade_needed(version)
{
    classes:

        # No scope is given for this class. Its name matches the
        # "ITSV_BUNDLE_ABORT.*" pattern configured for abortbundleclasses.
        "ITSV_BUNDLE_ABORT_CANCEL_UPGRADE"  not        => regcmp("$(version)", "$(lpp_info_openssh[1])"),
                                            comment    => "abort if its not an downgrade version ..";

        # Namespace scope makes DO_UPGRADE visible to the calling bundle.
        # NOTE(review): this class depends only on the openssh version; it does
        # not reflect the result of the openssl prerequisite check.
        "DO_UPGRADE"      expression => regcmp("$(version)", "$(lpp_info_openssh[1])"),
                          scope      => "namespace",
                          comment    => "do it ..";

    methods:

        # The result of get_lpp_info is stored in the array lpp_info_openssh;
        # element [1] is what the classes promises above compare against.
        "get_openssh_version_info" usebundle => get_lpp_info("openssh.base.server"),
                                   useresult => "lpp_info_openssh";

    reports:

        "$(lpp_info_openssh[1]) version found .. $(version) needed ..";

      ITSV_BUNDLE_ABORT_CANCEL_UPGRADE::
        "openssh update not needed..";
}


but the abort is never happening...

root@aixtestha2c2: /var/cfengine/inputs/itsv # /var/cfengine/bin/cf-agent -KI -D SPARE_DAILY -b b0031_control_upgrade_openssh
    info
: Using command line specified bundlesequence
R
: [/usr/lib/objrepos:openssl.base:1.0.2.1801::COMMITTED:I:Open Secure Socket Layer:] reported by lslpp ..
R
: 1.0.2.1801 version found .. 1.0.2.2100 needed ..
R
: openssh update canceled..
R
: [/usr/lib/objrepos:openssh.base.server:7.5.102.1801::COMMITTED:I:Open Secure Shell Server:] reported by lslpp ..
R
: 7.5.102.1801 version found .. 7.1.102.(.*)|7.5.102(.*) needed ..
R
: reached the point of no return..


verbose snippet:
root@aixtestha2c2: /var/cfengine/inputs/itsv # /var/cfengine/bin/cf-agent -KIv -D SPARE_DAILY -b b0031_control_upgrade_openssh | grep -i abort
 verbose
: Setting abort classes from ...
 verbose
: C:     +  Private class: ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED
 verbose
: P:    Base context class: ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED



what am i doing wrong here?

Xander Cage

Sep 7, 2020, 7:52:47 AM9/7/20
to help-cfengine
i found out that the abort settings need to be defined under "vars" in the augments file (def.json), not under "classes", very confusing.


root@aixtestha2c2: /var/cfengine/inputs # /var/cfengine/bin/cf-promises --show-vars | grep -i abort
default:control_agent.abortclasses        {"cfengine_3_3","cfengine_3_4"}                             source=promise
default:def.control_agent_abortbundleclasses  {"ITSV_BUNDLE_ABORT.*"}                                     source=augments_file
default:def.control_agent_abortclasses    {"ITSV_ABORT.*"}                                            source=augments_file
default:mpf_augments_control.agent_controls {"default:def.control_agent_abortbundleclasses":["ITSV_BUNDLE_ABORT.*"],"default:def.control_agent_abortclasses":["ITSV_ABORT.*"],"default:def.control_agent_maxconnections":"30"} source=promise
default:mpf_augments_control.agent_controls_state {\"default:def.control_agent_abortbundleclasses\":[\"ITSV_BUNDLE_ABORT.*\"],\"default:def.control_agent_abortclasses\":[\"ITSV_ABORT.*\"],\"default:def.control_agent_maxconnections\":\"30\"} source=promise


the abort in the policy still not working.

root@aixtestha2c2: /var/cfengine/inputs # /var/cfengine/bin/cf-agent -KIv -D SPARE_DAILY -b b0031_control_upgrade_openssh | grep -i abort
 verbose
: Installing augments slist variable 'def.control_agent_abortbundleclasses' from file '/var/cfengine/inputs/def.json'
 verbose
: Installing augments slist variable 'def.control_agent_abortclasses' from file '/var/cfengine/inputs/def.json'

Vratislav Podzimek

Sep 8, 2020, 5:37:37 AM9/8/20
to help-c...@googlegroups.com
On Mon, 2020-09-07 at 04:52 -0700, Xander Cage wrote:
> i found out that the abort stuff need to be defined as vars not as classes, very confusing.
>
>
> root@aixtestha2c2: /var/cfengine/inputs # /var/cfengine/bin/cf-promises --show-vars | grep -i abort
> default:control_agent.abortclasses {"cfengine_3_3","cfengine_3_4"} source=promise
> default:def.control_agent_abortbundleclasses {"ITSV_BUNDLE_ABORT.*"} source=augments_file
> default:def.control_agent_abortclasses {"ITSV_ABORT.*"} source=augments_file
> default:mpf_augments_control.agent_controls {"default:def.control_agent_abortbundleclasses":["ITSV_BUNDLE_ABORT.*"],"default:def.control_agent_abortclasses":["ITSV_ABORT.*"],"default:def.control_agent_maxconnections":"30"} source=promise
> default:mpf_augments_control.agent_controls_state {\"default:def.control_agent_abortbundleclasses\":[\"ITSV_BUNDLE_ABORT.*\"],\"default:def.control_agent_abortclasses\":[\"ITSV_ABORT.*\"],\"default:def.control_agent_maxconnections\":\"30\"} source=promise
>
>
> the abort in the policy still not working.
>
> root@aixtestha2c2: /var/cfengine/inputs # /var/cfengine/bin/cf-agent -KIv -D SPARE_DAILY -b b0031_control_upgrade_openssh | grep -i abort
> verbose: Installing augments slist variable 'def.control_agent_abortbundleclasses' from file '/var/cfengine/inputs/def.json'
> verbose: Installing augments slist variable 'def.control_agent_abortclasses' from file '/var/cfengine/inputs/def.json'
> verbose: Setting abort classes from ...
> verbose: C: + Private class: ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED
> verbose: P: Base context class: ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED

Can you share the full verbose output from the agent? The above looks good and the bundle should be
aborted. Regarding the 'abortclasses', I think the problem could be with the scope of the result
classes.

--
Vratislav

Xander Cage

Sep 10, 2020, 8:31:46 AM9/10/20
to help-cfengine

i tested with an example policy, to reduce clutter...

root@aixbuildhostng: /var/cfengine/inputs/itsv # cat abort_test.cf


# Minimal reproduction for abortbundleclasses: defines a class whose name
# matches "ITSV_BUNDLE_ABORT.*" when a user name in the list is not exactly
# four lower-case letters.
bundle agent b0040abort_test
{
    meta:

        "tags"  slist => { "itsv" };

    vars:

        "userlist" slist => { "mark", "john", "thomas" };  # contains one invalid entry ("thomas" has six letters)

    classes:

        # The promise is evaluated for each element of userlist. The class
        # ITSV_BUNDLE_ABORT_INVALID_USER is set if a user name does not consist of
        # exactly four un-capitalized letters; with a working abortbundleclasses
        # configuration the bundle is aborted as soon as it is set.
        "ITSV_BUNDLE_ABORT_INVALID_USER" not => regcmp("[a-z][a-z][a-z][a-z]","$(userlist)");

    reports:

      # Reached only for as long as the abort class is not defined.
      !ITSV_BUNDLE_ABORT_INVALID_USER::

        "User name $(userlist) is valid at 4 letters";
}


root@aixbuildhostng: /var/cfengine/inputs/itsv # /var/cfengine/bin/cf-promises --show-vars | grep ITSV_BUNDLE_ABORT
default:def.control_agent_abortbundleclasses  {"ITSV_BUNDLE_ABORT.*"}                                     source=augments_file
default:mpf_augments_control.agent_controls {"default:def.control_agent_abortbundleclasses":["ITSV_BUNDLE_ABORT.*"],"default:def.control_agent_abortclasses":["ITSV_ABORT.*"],"default:def.control_agent_maxconnections":"30"} source=promise
default:mpf_augments_control.agent_controls_state {\"default:def.control_agent_abortbundleclasses\":[\"ITSV_BUNDLE_ABORT.*\"],\"default:def.control_agent_abortclasses\":[\"ITSV_ABORT.*\"],\"default:def.control_agent_maxconnections\":\"30\"} source=promise


 verbose: ----------------------------------------------------------------
 verbose
:  Begin policy/promise evaluation
 verbose
: ----------------------------------------------------------------
    info
: Using command line specified bundlesequence
 verbose
: Using bundlesequence =>  {"b0040abort_test"}
 verbose
: B: *****************************************************************
 verbose
: B: BEGIN bundle b0040abort_test
 verbose
: B: *****************************************************************
 verbose
: V:     Computing value of 'tags'
 verbose
: A: Promise was KEPT
 verbose
: P: END meta promise (tags)
 verbose
: V: .........................................................
 verbose
: V: BEGIN variables (pass 1)
 verbose
: V:     Computing value of 'userlist'
 verbose
: C: .........................................................
 verbose
: C: BEGIN classes / conditions (pass 1)
 verbose
: C:     +  Private class: ITSV_BUNDLE_ABORT_INVALID_USER
 verbose
: V:     Computing value of 'tags'
 verbose
: A: Promise was KEPT
 verbose
: P: END meta promise (tags)
 verbose
: V: .........................................................
 verbose
: V: BEGIN variables (pass 2)
 verbose
: V:     Computing value of 'userlist'
 verbose
: C: .........................................................
 verbose
: C: BEGIN classes / conditions (pass 2)
 verbose
: V:     Computing value of 'tags'
 verbose
: A: Promise was KEPT
 verbose
: P: END meta promise (tags)
 verbose
: V: .........................................................
 verbose
: V: BEGIN variables (pass 3)
 verbose
: V:     Computing value of 'userlist'
 verbose
: C: .........................................................
 verbose
: C: BEGIN classes / conditions (pass 3)
 verbose
: A: ...................................................
 verbose
: A: Bundle Accounting Summary for 'b0040abort_test' in namespace default
 verbose
: A: Promises kept in 'b0040abort_test' = 6
 verbose
: A: Promises not kept in 'b0040abort_test' = 0
 verbose
: A: Promises repaired in 'b0040abort_test' = 0
 verbose
: A: Aggregate compliance (promises kept/repaired) for bundle 'b0040abort_test' = 100.0%
 verbose
: A: ...................................................
 verbose
: B: *****************************************************************
 verbose
: B: END bundle b0040abort_test
 verbose
: B: *****************************************************************
 verbose
: No lock purging scheduled
 verbose
: Logging total compliance, total 'Outcome of version CFEngine Promises.cf 3.12.2 (agent-0): Promises observed to be kept 100.00%, Promises repaired 0.00%, Promises not repaired 0.00%'


still no bundle abort...

Nick Anderson

Sep 10, 2020, 12:52:14 PM9/10/20
to Xander Cage, help-cfengine

Xander Cage writes:

i tested with an example policy, to reduce clutter… still no bundle abort…

Hi Christian,

From your original post, I can see that you are running 3.12.2.

verbose: Logging total compliance, total 'Outcome of version CFEngine Promises.cf 3.12.2 (agent-0): Promises observed to be kept 100.00%, Promises repaired 0.00%, Promises not repaired 0.00%'

Are you running the MPF from 3.12.2 as well?

I see that augments support for abortbundleclasses and abortclasses was added in 3.12.3. https://github.com/cfengine/masterfiles/commit/e2c4c1c57e51edcb46e80aa906048daea0b75192

What if you pull in controls/cf_agent.cf and controls/def.cf from 3.12.3?

https://github.com/cfengine/masterfiles/blob/3.12.3/controls/cf_agent.cf https://github.com/cfengine/masterfiles/blob/3.12.3/controls/def.cf

Does it work then?

– Nick Anderson | Doer of Things | (+1) 785-550-1767 | https://northern.tech

Xander Cage

Sep 11, 2020, 7:13:07 AM9/11/20
to help-cfengine
hi nick,

you are absolutely right, after upgrading mpf to 3.12.5 everything works fine...

verbose: ----------------------------------------------------------------
 verbose
:  Begin policy/promise evaluation
 verbose
: ----------------------------------------------------------------
    info
: Using command line specified bundlesequence
 verbose
: Using bundlesequence =>  {"b0040abort_test"}
 verbose
: B: *****************************************************************
 verbose
: B: BEGIN bundle b0040abort_test
 verbose
: B: *****************************************************************
 verbose
: V:     Computing value of 'tags'
 verbose
: A: Promise was KEPT
 verbose
: P: END meta promise (tags)
 verbose
: V: .........................................................
 verbose
: V: BEGIN variables (pass 1)
 verbose
: V:     Computing value of 'userlist'
 verbose
: C: .........................................................
 verbose
: C: BEGIN classes / conditions (pass 1)
 verbose
: C:     +  Private class:
ITSV_BUNDLE_ABORT_INVALID_USER
   error
: Bundle 'b0040abort_test' aborted on defined class 'ITSV_BUNDLE_ABORT_INVALID_USER'

 verbose
: A: ...................................................
 verbose
: A: Bundle Accounting Summary for 'b0040abort_test' in namespace default

 verbose
: A: Promises kept in 'b0040abort_test' = 2

 verbose
: A: Promises not kept in 'b0040abort_test' = 0
 verbose
: A: Promises repaired in 'b0040abort_test' = 0
 verbose
: A: Aggregate compliance (promises kept/repaired) for bundle 'b0040abort_test' = 100.0%
 verbose
: A: ...................................................
 verbose
: B: *****************************************************************
 verbose
: B: END bundle b0040abort_test
 verbose
: B: *****************************************************************
 verbose
: No lock
purging scheduled
 verbose
: Logging total compliance, total 'Outcome of version CFEngine Promises.cf 3.12.5 (agent-0): Promises observed to be kept 100.00%, Promises repaired 0.00%, Promises not repaired 0.00%'


thank you...

chris

Xander Cage

Sep 11, 2020, 7:56:37 AM9/11/20
to help-c...@googlegroups.com
i noticed one more little thing.. since the upgrade to the new mpf version this error is printed:

verbose: C: BEGIN classes / conditions (pass 1)

   error
: Unable to parse class expression 'ITSV_BUNDLE_ABORT.*'
 verbose
: C:     +  Private class: percent_of_runs
   error
: Unable to parse class expression 'ITSV_BUNDLE_ABORT.*'

 verbose
: V:     Computing value of 'tags'
 verbose
: A: Promise was KEPT
 verbose
: P: END meta promise (tags)


first i thought this is caused by the downlevel binary, but 3.12.5 makes no difference. seems that the wildcard class expression in def.json is not playing very well. ('ITSV_BUNDLE_ABORT.*')

Nick Anderson

Sep 11, 2020, 9:38:52 AM9/11/20
to help-cfengine
Yes, I encountered the same error yesterday. If you use specific classes and not regular expressions it should work without emitting the errors about being unable to parse the class expression.

I filed an issue for it yesterday: https://tracker.mender.io/browse/CFE-3411