# $Id$
#
# Bootstrap policy (cfengine 2 update.conf style). Do little here, just
# enough to bootstrap configuration of the main agent and other essentials:
# pull the policy inputs from the policy host, refresh the local copies of
# the cfengine binaries, lock down the work directory and make sure a host
# key pair exists.
#
# Breaking this file means fixes would need to be manually copied out to
# clients!

classes:

  # Cannot assume the installer has properly generated the host key pair.
  # have_ppkeys is set only when the private key file exists; when it is
  # not set, the shellcommands section at the bottom runs cfkey.
  have_ppkeys = ( FileExists(/var/cfengine/ppkeys/localhost.priv) )

control:

  # NOTE(review): copy comes before shellcommands here, so on a host that
  # has no key pair yet the remote copy is attempted before cfkey runs --
  # confirm this is the intended bootstrap order.
  actionsequence = ( directories files copy shellcommands processes tidy )

  # Use ExecResult(/var/cfengine/scripts/get-domainname) instead of a
  # static domain if the site uses multiple Top Level Domain names (e.g.
  # both example.com and example.org). Sites with NIS could use the
  # "domainname" command instead of a custom script that parses the
  # hostname.
  domain = ( example.org )

  # NOTE IP addresses are used because DNS might be broken or blocked.
  # List two servers in case one is down or unreachable. These server IPs
  # could vary depending on whether the host is in a development or
  # production realm (multiple update.conf used in different realms), or
  # the master_cfinput directory can vary between development and
  # production hosts via custom class definitions in this file (single
  # update.conf used across all realms).
  policyhost = ( 192.0.2.11:192.0.2.12 )
  master_cfinput = ( /var/cfengine/inputs )
  workdir = ( /var/cfengine )

  Syslog = ( off )

  # Spread out and delay too-frequent updates.
  SplayTime = ( 2 )
  IfElapsed = ( 5 )

  # Per-platform location of the installed binaries and the name of the
  # administrative group used for ownership below.
  linux::
    cf_install_dir = ( /usr/sbin )
    zerogroup = ( root )

  solaris::
    cf_install_dir = ( /usr/local/sbin )
    zerogroup = ( root )

  compiled_on_cygwin::
    cf_install_dir = ( /usr/sbin )
    zerogroup = ( Administrators )

copy:

  any::

    # Pull the policy inputs from the policy host. Files land owner-only
    # (mode=600), are compared by checksum and the transfer is encrypted.
    #
    # NOTE(review): trustkey=true accepts the server's public key on trust
    # when the client has none stored. Left enabled permanently, a client
    # without a stored key will trust whichever host answers on the policy
    # host address. Consider pre-distributing the server public key into
    # ${workdir}/ppkeys and limiting trustkey=true to initial bootstrap --
    # confirm against the site's enrollment procedure.
    ${master_cfinput}/ dest=${workdir}/inputs
      backup=false
      recurse=inf
      owner=root
      group=${zerogroup}
      mode=600
      type=checksum
      server=${policyhost}
      trustkey=true
      encrypt=true

    # The entries below carry no server= attribute, so they appear to be
    # local copies from the install directory into ${workdir}/bin.
    # The daemon copies (cfservd, cfexecd, cfenvd) define cf_file_update
    # when a copy takes place; the processes section keys off that class.
    # cfagent and cfkey are not daemons and define nothing.
    ${cf_install_dir}/cfagent dest=${workdir}/bin/cfagent
      owner=root
      group=${zerogroup}
      mode=755
      backup=false
      type=checksum

    ${cf_install_dir}/cfservd dest=${workdir}/bin/cfservd
      owner=root
      group=${zerogroup}
      mode=755
      backup=false
      type=checksum
      define=cf_file_update

    ${cf_install_dir}/cfexecd dest=${workdir}/bin/cfexecd
      owner=root
      group=${zerogroup}
      mode=755
      backup=false
      type=checksum
      define=cf_file_update

    ${cf_install_dir}/cfenvd dest=${workdir}/bin/cfenvd
      owner=root
      group=${zerogroup}
      mode=755
      backup=false
      type=checksum
      define=cf_file_update

    ${cf_install_dir}/cfkey dest=${workdir}/bin/cfkey
      owner=root
      group=${zerogroup}
      mode=755
      backup=false
      type=checksum

# Fix permissions on the cfengine area to prevent unauthorized users from
# poking around. r=0 limits this to ${workdir} itself; the subdirectories
# are handled in the directories section.
files:

  any::
    ${workdir} mode=750 owner=root group=${zerogroup} action=fixdirs r=0

# Ensure that the proper directories exist.
directories:

  any::
    ${workdir}/inputs mode=750 owner=root group=${zerogroup}
    # modules holds code the agent executes, hence owner-only access.
    ${workdir}/modules mode=700 owner=root group=${zerogroup}
    ${workdir}/outputs mode=750 owner=root group=${zerogroup}

tidy:

  any::
    # Expire old run output; ifelapsed=777 keeps this from running on
    # every pass.
    ${workdir}/outputs pattern=* age=7 ifelapsed=777
    # TODO need to trim *.runlog and *.log files under ${workdir}

processes:

  # Only when a daemon binary was just replaced (cf_file_update defined by
  # the copy section) and not on cygwin.
  cf_file_update.!compiled_on_cygwin::
    # TODO will this only restart the process on systems already running it?
    # No; need to test matches=1, or try an elsedefine to restart things.
    "cfenvd" signal=term restart "${workdir}/bin/cfenvd -H"
    "cfexecd$" signal=term restart "${workdir}/bin/cfexecd"
    # No restart given for cfservd: cfexecd should relaunch it if needed
    # on the host in question.
    "cfservd$" signal=term

shellcommands:

  # Generate the host key pair when the private key is missing.
  !have_ppkeys::
    ${workdir}/bin/cfkey