"classes": {
"services_autorun": ["any"],
"control_agent_abortbundleclasses": ["ITSV_BUNDLE_ABORT.*"],
"control_agent_abortclasses": ["ITSV_ABORT.*"],
"cfengine_internal_disable_agent_email": ["any"],
"cfengine_internal_purge_policies": [ "any" ],
"mpf_augments_control_enabled": [ "any" ]
},
#!/var/cfengine/bin/cf-agent -KI
#
# control bundle
#
# Entry-point bundle for the OpenSSH upgrade: on hosts that are not the policy
# hub it hands over to precheck_upgrade_openssh.
bundle agent b0031_control_upgrade_openssh
{
meta:
# NOTE(review): how the "itsv_DISABLED" tag is consumed is not visible here;
# presumably it keeps the bundle out of an automatic bundlesequence - confirm.
"tags" slist => { "itsv_DISABLED" };
methods:
# Class guard: the promise below is skipped wherever am_policy_hub is defined.
!am_policy_hub::
"call_upgrade_openssh" usebundle => precheck_upgrade_openssh,
comment => "test if we should upgrade openssh fileset and do it ..",
# Second guard: the SPARE_DAILY class must also be defined for this promise.
ifvarclass => and ("SPARE_DAILY"),
# if_elapsed_day is defined outside this file; presumably it limits the
# promise to one evaluation per day - confirm.
action => if_elapsed_day;
}
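# Gatekeeper bundle: runs the openssl prerequisite check and the openssh
# version check, then marks the point at which the upgrade would be started.
bundle agent precheck_upgrade_openssh
{
vars:
# NOTE(review): both strings are used as regcmp() patterns in the check
# bundles, so every unescaped "." matches any character, not only a dot.
"base_version_regex" string => "7.1.102.(.*)|7.5.102(.*)",
comment => "only this version(s) will be upgraded (regex)";
"openssl_prereqs_regex" string => "1.0.2.2100",
comment => "needed openssl versions";
methods:
"check_prerequs" usebundle => check_openssl_prerequs($(openssl_prereqs_regex)),
comment => "check versions before running the whole upgrade machinery";
"check_openssh_version" usebundle => check_openssh_upgrade_needed($(base_version_regex)),
comment => "only certain (down-level) versions need to be upgraded";
# NOTE(review): DO_UPGRADE is promised by check_openssh_upgrade_needed from the
# openssh level alone. A failed openssl prerequisite check does not feed into
# this guard: its abort class is raised inside check_openssl_prerequs and
# presumably ends only that bundle - confirm, and decide whether the upgrade
# should also require a positive openssl result before it is re-enabled.
DO_UPGRADE::
#"do_openssh_upgrade"
#usebundle => upgrade_openssh;
reports:
# A class guard ends at the next promise type, so it is stated again here;
# without it this report is printed whether or not DO_UPGRADE is defined.
DO_UPGRADE::
"reached the point of no return..";
}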
# Performs the upgrade itself: mounts the software share, updates the openssh
# filesets from it, unmounts the share and restarts sshd.
bundle agent upgrade_openssh
{
vars:
# Directory on the mounted share that is passed to update_all below.
"update_dir_openssh" string => "/software/openssh/latest";
methods:
# mount_nfs_share and if_else are defined outside this file. Presumably
# if_else defines MOUNT_OK on success and ITSV_ABORT on failure - confirm.
"mount_software" usebundle => mount_nfs_share("nimmsag_a", "/software", "/software", "soft,ro"),
comment => "mount nimmsag:/software /software",
classes => if_else("MOUNT_OK", "ITSV_ABORT");
# NOTE(review): this promise has no MOUNT_OK guard. Stopping after a failed
# mount depends entirely on ITSV_ABORT matching an abortclasses pattern that
# is really in effect. If the pattern never reaches body agent control, the
# update is still attempted; check control_agent.abortclasses with
# cf-promises --show-vars, or guard the promise with MOUNT_OK as well.
# NOTE(review): filesets are installed from an NFS path and no integrity or
# signature check is visible in this bundle - confirm update_all or the
# share provides one. The meaning of " -Y" and 1200 is not shown here.
"update_openssh" usebundle => update_all($(update_dir_openssh), " -Y", 1200),
comment => "update openssh filesets",
classes => if_else("UPDATE_OK", "ITSV_ABORT");
# NOTE(review): if the agent aborts on ITSV_ABORT, the unmount and the sshd
# restart below presumably do not run - confirm the host is left usable.
"umount_software" usebundle => umount_nfs_share("nimmsag_a", "/software"),
comment => "cleanup after installation";
"restart_sshd" usebundle => restart_sshd,
comment => "start only the ones we stopped ..";
reports:
# Progress messages, each guarded by the class of the step it reports on.
MOUNT_OK:: "[/software] mount ok ..";
UPDATE_OK:: "[openssh] update ok ..";
any:: "finished ..";
}
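# Compares the installed openssl.base level with the required one.
#   needed_versions - regular expression the installed level has to match
# Defines ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED (bundle scope) on a mismatch
# and OPENSSL_CHECK_OK (namespace scope) on a match.
bundle agent check_openssl_prerequs (needed_versions)
{
classes:
# The name is chosen to match an abortbundleclasses pattern such as
# "ITSV_BUNDLE_ABORT.*". The class is bundle-scoped, so it is not visible to
# the calling bundle.
"ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED" not => regcmp("$(needed_versions)", "$(lpp_info_openssl[1])"),
comment => "openssl prereq check ..";
# Fixed: this promise tested "$(version)", which is not a parameter or variable
# of this bundle, so the class could not reflect the openssl comparison.
"OPENSSL_CHECK_OK" expression => regcmp("$(needed_versions)", "$(lpp_info_openssl[1])"),
scope => "namespace",
comment => "go on ..";
methods:
# get_lpp_info is defined outside this file; its result is read as
# lpp_info_openssl[1] above (presumably the installed level - confirm).
"get_openssl_version_info" usebundle => get_lpp_info("openssl.base"),
useresult => "lpp_info_openssl";
reports:
"$(lpp_info_openssl[1]) version found .. $(needed_versions) needed ..";
OPENSSL_CHECK_OK:: "openssl check was ok..";
ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED:: "openssh update canceled..";
}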
# Decides whether the installed openssh.base.server level is one that should
# be upgraded.
#   version - regular expression describing the levels that get upgraded
# Defines DO_UPGRADE (namespace scope) on a match and
# ITSV_BUNDLE_ABORT_CANCEL_UPGRADE (bundle scope) otherwise.
bundle agent check_openssh_upgrade_needed (version)
{
classes:
# Same regcmp() as for DO_UPGRADE below, negated. The name is chosen to match
# an abortbundleclasses pattern such as "ITSV_BUNDLE_ABORT.*".
"ITSV_BUNDLE_ABORT_CANCEL_UPGRADE" not => regcmp("$(version)", "$(lpp_info_openssh[1])"),
comment => "abort if its not an downgrade version ..";
# Namespace scope makes DO_UPGRADE visible to the calling bundle.
# NOTE(review): this class depends only on the openssh level; the result of
# the openssl prerequisite check is not part of it.
"DO_UPGRADE" expression => regcmp("$(version)", "$(lpp_info_openssh[1])"),
scope => "namespace",
comment => "do it ..";
methods:
# get_lpp_info is defined outside this file; its result is read as
# lpp_info_openssh[1] above (presumably the installed level - confirm).
"get_openssh_version_info" usebundle => get_lpp_info("openssh.base.server"),
useresult => "lpp_info_openssh";
reports:
"$(lpp_info_openssh[1]) version found .. $(version) needed ..";
ITSV_BUNDLE_ABORT_CANCEL_UPGRADE:: "openssh update not needed..";
}
root@aixtestha2c2: /var/cfengine/inputs/itsv # /var/cfengine/bin/cf-agent -KI -D SPARE_DAILY -b b0031_control_upgrade_openssh
info: Using command line specified bundlesequence
R: [/usr/lib/objrepos:openssl.base:1.0.2.1801::COMMITTED:I:Open Secure Socket Layer:] reported by lslpp ..
R: 1.0.2.1801 version found .. 1.0.2.2100 needed ..
R: openssh update canceled..
R: [/usr/lib/objrepos:openssh.base.server:7.5.102.1801::COMMITTED:I:Open Secure Shell Server:] reported by lslpp ..
R: 7.5.102.1801 version found .. 7.1.102.(.*)|7.5.102(.*) needed ..
R: reached the point of no return..
root@aixtestha2c2: /var/cfengine/inputs/itsv # /var/cfengine/bin/cf-agent -KIv -D SPARE_DAILY -b b0031_control_upgrade_openssh | grep -i abort
verbose: Setting abort classes from ...
verbose: C: + Private class: ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED
verbose: P: Base context class: ITSV_BUNDLE_ABORT_OPENSSL_CHECK_FAILED
root@aixtestha2c2: /var/cfengine/inputs # /var/cfengine/bin/cf-promises --show-vars | grep -i abort
default:control_agent.abortclasses {"cfengine_3_3","cfengine_3_4"} source=promise
default:def.control_agent_abortbundleclasses {"ITSV_BUNDLE_ABORT.*"} source=augments_file
default:def.control_agent_abortclasses {"ITSV_ABORT.*"} source=augments_file
default:mpf_augments_control.agent_controls {"default:def.control_agent_abortbundleclasses":["ITSV_BUNDLE_ABORT.*"],"default:def.control_agent_abortclasses":["ITSV_ABORT.*"],"default:def.control_agent_maxconnections":"30"} source=promise
default:mpf_augments_control.agent_controls_state {\"default:def.control_agent_abortbundleclasses\":[\"ITSV_BUNDLE_ABORT.*\"],\"default:def.control_agent_abortclasses\":[\"ITSV_ABORT.*\"],\"default:def.control_agent_maxconnections\":\"30\"} source=promise
root@aixtestha2c2: /var/cfengine/inputs # /var/cfengine/bin/cf-agent -KIv -D SPARE_DAILY -b b0031_control_upgrade_openssh | grep -i abort
verbose: Installing augments slist variable 'def.control_agent_abortbundleclasses' from file '/var/cfengine/inputs/def.json'
verbose: Installing augments slist variable 'def.control_agent_abortclasses' from file '/var/cfengine/inputs/def.json'
root@aixbuildhostng: /var/cfengine/inputs/itsv # cat abort_test.cf
# Minimal test case for abortbundleclasses: defines a class whose name matches
# the "ITSV_BUNDLE_ABORT.*" pattern so that a bundle abort can be observed.
bundle agent b0040abort_test
{
meta:
"tags" slist => { "itsv" };
vars:
"userlist" slist => { "mark", "john", "thomas" }; # "thomas" is the entry that is not four letters long
classes:
"ITSV_BUNDLE_ABORT_INVALID_USER" not => regcmp("[a-z][a-z][a-z][a-z]","$(userlist)"); # Set when a user name does not consist of
# exactly four lower-case letters. With the abort pattern in effect, the
# bundle is expected to stop as soon as this class is defined.
reports:
# Only reached when the abort class is not defined.
# NOTE(review): the class is not per user, so once any entry fails this
# report is presumably suppressed for every user - confirm.
!ITSV_BUNDLE_ABORT_INVALID_USER::
"User name $(userlist) is valid at 4 letters";
}
root@aixbuildhostng: /var/cfengine/inputs/itsv # /var/cfengine/bin/cf-promises --show-vars | grep ITSV_BUNDLE_ABORT
default:def.control_agent_abortbundleclasses {"ITSV_BUNDLE_ABORT.*"} source=augments_file
default:mpf_augments_control.agent_controls {"default:def.control_agent_abortbundleclasses":["ITSV_BUNDLE_ABORT.*"],"default:def.control_agent_abortclasses":["ITSV_ABORT.*"],"default:def.control_agent_maxconnections":"30"} source=promise
default:mpf_augments_control.agent_controls_state {\"default:def.control_agent_abortbundleclasses\":[\"ITSV_BUNDLE_ABORT.*\"],\"default:def.control_agent_abortclasses\":[\"ITSV_ABORT.*\"],\"default:def.control_agent_maxconnections\":\"30\"} source=promise
verbose: ----------------------------------------------------------------
verbose: Begin policy/promise evaluation
verbose: ----------------------------------------------------------------
info: Using command line specified bundlesequence
verbose: Using bundlesequence => {"b0040abort_test"}
verbose: B: *****************************************************************
verbose: B: BEGIN bundle b0040abort_test
verbose: B: *****************************************************************
verbose: V: Computing value of 'tags'
verbose: A: Promise was KEPT
verbose: P: END meta promise (tags)
verbose: V: .........................................................
verbose: V: BEGIN variables (pass 1)
verbose: V: Computing value of 'userlist'
verbose: C: .........................................................
verbose: C: BEGIN classes / conditions (pass 1)
verbose: C: + Private class: ITSV_BUNDLE_ABORT_INVALID_USER
verbose: V: Computing value of 'tags'
verbose: A: Promise was KEPT
verbose: P: END meta promise (tags)
verbose: V: .........................................................
verbose: V: BEGIN variables (pass 2)
verbose: V: Computing value of 'userlist'
verbose: C: .........................................................
verbose: C: BEGIN classes / conditions (pass 2)
verbose: V: Computing value of 'tags'
verbose: A: Promise was KEPT
verbose: P: END meta promise (tags)
verbose: V: .........................................................
verbose: V: BEGIN variables (pass 3)
verbose: V: Computing value of 'userlist'
verbose: C: .........................................................
verbose: C: BEGIN classes / conditions (pass 3)
verbose: A: ...................................................
verbose: A: Bundle Accounting Summary for 'b0040abort_test' in namespace default
verbose: A: Promises kept in 'b0040abort_test' = 6
verbose: A: Promises not kept in 'b0040abort_test' = 0
verbose: A: Promises repaired in 'b0040abort_test' = 0
verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'b0040abort_test' = 100.0%
verbose: A: ...................................................
verbose: B: *****************************************************************
verbose: B: END bundle b0040abort_test
verbose: B: *****************************************************************
verbose: No lock purging scheduled
verbose: Logging total compliance, total 'Outcome of version CFEngine Promises.cf 3.12.2 (agent-0): Promises observed to be kept 100.00%, Promises repaired 0.00%, Promises not repaired 0.00%'
Xander Cage writes:
I tested with an example policy to reduce clutter… still no bundle abort…
Hi Christian,
From your original post, I can see that you are running 3.12.2.
verbose: Logging total compliance, total 'Outcome of version CFEngine Promises.cf 3.12.2 (agent-0): Promises observed to be kept 100.00%, Promises repaired 0.00%, Promises not repaired 0.00%'
Are you running the MPF from 3.12.2 as well?
I see that augments support for abortbundleclasses and abortclasses was added in 3.12.3. https://github.com/cfengine/masterfiles/commit/e2c4c1c57e51edcb46e80aa906048daea0b75192
What if you pull in controls/cf_agent.cf and controls/def.cf from 3.12.3?
https://github.com/cfengine/masterfiles/blob/3.12.3/controls/cf_agent.cf https://github.com/cfengine/masterfiles/blob/3.12.3/controls/def.cf
Does it work then?
– Nick Anderson | Doer of Things | (+1) 785-550-1767 | https://northern.tech
verbose: ----------------------------------------------------------------
verbose: Begin policy/promise evaluation
verbose: ----------------------------------------------------------------
info: Using command line specified bundlesequence
verbose: Using bundlesequence => {"b0040abort_test"}
verbose: B: *****************************************************************
verbose: B: BEGIN bundle b0040abort_test
verbose: B: *****************************************************************
verbose: V: Computing value of 'tags'
verbose: A: Promise was KEPT
verbose: P: END meta promise (tags)
verbose: V: .........................................................
verbose: V: BEGIN variables (pass 1)
verbose: V: Computing value of 'userlist'
verbose: C: .........................................................
verbose: C: BEGIN classes / conditions (pass 1)
verbose: C: + Private class: ITSV_BUNDLE_ABORT_INVALID_USER
error: Bundle 'b0040abort_test' aborted on defined class 'ITSV_BUNDLE_ABORT_INVALID_USER'
verbose: A: ...................................................
verbose: A: Bundle Accounting Summary for 'b0040abort_test' in namespace default
verbose: A: Promises kept in 'b0040abort_test' = 2
verbose: A: Promises not kept in 'b0040abort_test' = 0
verbose: A: Promises repaired in 'b0040abort_test' = 0
verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'b0040abort_test' = 100.0%
verbose: A: ...................................................
verbose: B: *****************************************************************
verbose: B: END bundle b0040abort_test
verbose: B: *****************************************************************
verbose: No lock purging scheduled
verbose: Logging total compliance, total 'Outcome of version CFEngine Promises.cf 3.12.5 (agent-0): Promises observed to be kept 100.00%, Promises repaired 0.00%, Promises not repaired 0.00%'
verbose: C: BEGIN classes / conditions (pass 1)
error: Unable to parse class expression 'ITSV_BUNDLE_ABORT.*'
verbose: C: + Private class: percent_of_runs
error: Unable to parse class expression 'ITSV_BUNDLE_ABORT.*'
verbose: V: Computing value of 'tags'
verbose: A: Promise was KEPT
verbose: P: END meta promise (tags)
'ITSV_BUNDLE_ABORT.*')