disabling CFEngine


elim...@gmail.com

Mar 15, 2021, 11:09:08 AM
to help-cfengine
Hi all, 

Hope you are doing well. I have a question for you. We need to disable CFEngine across multiple servers temporarily while we work something out. I have a colleague who used an ansible script to call systemctl disable cfengine3 on these servers. That was Friday. Today, he logged into some of those servers and found CFEngine running again. Is there something else we need to do in order to make sure it remains disabled until we re-enable it intentionally?

Sincerely,
Eli

Nick Anderson

Mar 15, 2021, 11:37:10 AM
to elim...@gmail.com, help-cfengine

elim…@gmail.com <elim...@gmail.com> writes:

> Hi all,
>
> Hope you are doing well. I have a question for you. We need to disable CFEngine across multiple servers temporarily while we work something out. I have a colleague who used an ansible script to call systemctl disable cfengine3 on these servers. That was Friday. Today, he logged into some of those servers and found CFEngine running again. Is there something else we need to do in order to make sure it remains disabled until we re-enable it intentionally?

Perhaps you have a watchdog enabled?

https://docs.cfengine.com/docs/3.15/reference-masterfiles-policy-framework.html#enable-external-watchdog
https://docs.cfengine.com/docs/3.15/reference-masterfiles-policy-framework-cfe_internal-core-watchdog.html

You could disable individual binaries by moving them out of the way or even move the entirety of /var/cfengine.

I believe you could also disable and/or mask individual cfengine services like cf-execd.

systemctl disable cf-execd; systemctl mask cf-execd

Steven Kreuzer

Mar 15, 2021, 11:50:49 AM
to Nick Anderson, elim...@gmail.com, help-cfengine
At a previous gig I added an agent which was the first to run and would check for the existence of a file. If found, it would define a class which was contained in the abortclasses slist. This allows you to "pause" execution by causing a cf-agent run to exit before doing anything, without having to muck with systemd or the binaries.

See https://steven.kreuzer.cx/aborting-cfagent-execution/ for an example of how you can implement this.

--
You received this message because you are subscribed to the Google Groups "help-cfengine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to help-cfengin...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/help-cfengine/87zgz41l97.fsf%40northern.tech.
--
Nick Anderson | Doer of Things | (+1) 785-550-1767 | https://northern.tech


elim...@gmail.com

Mar 15, 2021, 11:55:50 AM
to help-cfengine
Thanks! We have not enabled a watchdog, but we did remember that there is more than one systemd service, so we disabled cf-execd, cf-monitord, cf-serverd, and cfengine3 :)

Thanks again,
Sincerely,
Eli
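
A check for the state described in the posts above, as an added example that is not part of the original thread: it stops, disables and masks the four units named here, then reports anything that could still run. The SYSTEMCTL and PGREP variables, the CFE_PROCS list and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Unit names are the four mentioned in this thread.
CFE_UNITS="cfengine3 cf-execd cf-monitord cf-serverd"
# Daemon process names (assumed here to match the unit names).
CFE_PROCS="cf-execd cf-monitord cf-serverd"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"   # overridable, e.g. for testing
PGREP="${PGREP:-pgrep}"

# Stop, disable and mask every unit. "disable" alone only removes the
# enablement symlinks: it does not stop a running daemon, and the unit
# can still be started by hand or by another unit. "mask" blocks starts.
pause_cfengine() {
    for u in $CFE_UNITS; do
        "$SYSTEMCTL" disable --now "$u" || true
        "$SYSTEMCTL" mask "$u" || return 1
    done
}

# Print one line per finding; return 1 if anything could still run.
check_paused() {
    rc=0
    for u in $CFE_UNITS; do
        enabled=$("$SYSTEMCTL" is-enabled "$u" 2>/dev/null) || true
        active=$("$SYSTEMCTL" is-active "$u" 2>/dev/null) || true
        case "${enabled:-not-found}" in
            masked|not-found) ;;
            *) echo "$u: unit file state is '$enabled', not masked"; rc=1 ;;
        esac
        if [ "$active" = "active" ]; then
            echo "$u: still active"; rc=1
        fi
    done
    # Catch daemons started outside systemd (for example by a cron watchdog).
    for p in $CFE_PROCS; do
        if "$PGREP" -x "$p" >/dev/null 2>&1; then
            echo "$p: process running"; rc=1
        fi
    done
    return $rc
}
```

Run pause_cfengine as root once, then check_paused on a schedule or from the same Ansible play; undo the change with systemctl unmask followed by enabling the units again.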

Aleksey Tsalolikhin

Mar 17, 2021, 9:10:03 AM
to help-cfengine
Nice. That reminds me, we did something similar with flag files --
except rather than aborting the run (which would mean stale inventory
for Enterprise reporting), the agent would skip the configuration
bundles (system management promises) but would still evaluate the
_inventory_ promises.

Later on we got fancy and had different flag files to disable
different aspects of system configuration -- still with the "global"
flag file to disable all system configuration.

There is "abortbundleclasses" as well.
https://docs.cfengine.com/docs/3.12/examples-example-snippets-promise-patterns-example_aborting_execution.html

Nick Anderson

Mar 17, 2021, 9:40:07 AM
to Aleksey Tsalolikhin, help-cfengine

Aleksey Tsalolikhin <ale...@verticalsysadmin.com> writes:

> Nice. That reminds me, we did something similar with flag files -- except rather than aborting the run (which would mean stale inventory for Enterprise reporting), the agent would skip the configuration bundles (system management promises) but would still evaluate the inventory promises.

For what it's worth, that was a bug that has been fixed. The agent was aborting immediately, but we fixed that to write out the reporting data before seppuku.

Aleksey Tsalolikhin

Mar 19, 2021, 7:42:44 AM
to Nick Anderson, help-cfengine
Nice!

That's one of the things I love about CFEngine, it just keeps getting better.

--
Founder
Vertical Sysadmin, Inc.
Achieve real learning.