diff --git a/.CFVERSION b/.CFVERSION index 6075c9a9ff..ac3a4bd51e 100644 --- a/.CFVERSION +++ b/.CFVERSION @@ -1 +1 @@ -3.21.0 +3.21.9 diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000000..b082519997 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,5 @@ +name: "CFEngine cpp CodeQL config" + +queries: + - uses: cfengine/core/.github/codeql/cpp-queries/bool-type-mismatch-return.ql@master + - uses: cfengine/core/.github/codeql/cpp-queries/missing-argument-null-check.ql@master diff --git a/.lgtm/cpp-queries/bool-type-mismatch-return.c b/.github/codeql/cpp-queries/bool-type-mismatch-return.c similarity index 100% rename from .lgtm/cpp-queries/bool-type-mismatch-return.c rename to .github/codeql/cpp-queries/bool-type-mismatch-return.c diff --git a/.lgtm/cpp-queries/bool-type-mismatch-return.qhelp b/.github/codeql/cpp-queries/bool-type-mismatch-return.qhelp similarity index 100% rename from .lgtm/cpp-queries/bool-type-mismatch-return.qhelp rename to .github/codeql/cpp-queries/bool-type-mismatch-return.qhelp diff --git a/.lgtm/cpp-queries/bool-type-mismatch-return.ql b/.github/codeql/cpp-queries/bool-type-mismatch-return.ql similarity index 100% rename from .lgtm/cpp-queries/bool-type-mismatch-return.ql rename to .github/codeql/cpp-queries/bool-type-mismatch-return.ql diff --git a/.lgtm/cpp-queries/missing-argument-null-check.c b/.github/codeql/cpp-queries/missing-argument-null-check.c similarity index 100% rename from .lgtm/cpp-queries/missing-argument-null-check.c rename to .github/codeql/cpp-queries/missing-argument-null-check.c diff --git a/.lgtm/cpp-queries/missing-argument-null-check.qhelp b/.github/codeql/cpp-queries/missing-argument-null-check.qhelp similarity index 100% rename from .lgtm/cpp-queries/missing-argument-null-check.qhelp rename to .github/codeql/cpp-queries/missing-argument-null-check.qhelp diff --git a/.lgtm/cpp-queries/missing-argument-null-check.ql b/.github/codeql/cpp-queries/missing-argument-null-check.ql similarity index 100% rename from .lgtm/cpp-queries/missing-argument-null-check.ql rename to .github/codeql/cpp-queries/missing-argument-null-check.ql diff --git a/.github/codeql/cpp-queries/qlpack.yml b/.github/codeql/cpp-queries/qlpack.yml new file mode 100644 index 0000000000..3be7e4e80c --- /dev/null +++ b/.github/codeql/cpp-queries/qlpack.yml @@ -0,0 +1,4 @@ +name: cfengine/codeql-cpp-queries +version: 1.0.0 +dependencies: + codeql/cpp-all: ~0.5.4 diff --git a/.github/workflows/acceptance_tests.yml b/.github/workflows/acceptance_tests.yml index 9eac099968..b3a7c9aa24 100644 --- a/.github/workflows/acceptance_tests.yml +++ b/.github/workflows/acceptance_tests.yml @@ -5,7 +5,7 @@ on: jobs: acceptance_tests: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v3 with: diff --git a/.github/workflows/asan_unit_tests.yml b/.github/workflows/asan_unit_tests.yml index aae0a8fdcf..e6e2b9572e 100644 --- a/.github/workflows/asan_unit_tests.yml +++ b/.github/workflows/asan_unit_tests.yml @@ -5,9 +5,9 @@ on: jobs: asan_unit_tests: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: recursive - name: Install dependencies @@ -17,4 +17,4 @@ jobs: - name: Compile and link (make) run: make -j8 CFLAGS="-Werror -Wall -fsanitize=address" LDFLAGS="-fsanitize=address" - name: Run unit tests - run: make -C tests/unit CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" check + run: ASAN_OPTIONS=detect_odr_violation=0 LSAN_OPTIONS="suppressions=../../.github/workflows/suppr.txt" make -C tests/unit CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" check diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5d0993c0dd..9e4b3ad451 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,18 +4,13 @@ on: # run this workflow on pull_request activity # this includes opening and pushing more commits pull_request: - branches: [ master, 3.18.x, 3.15.x ] - - # run this workflow on push/merge activity - # pull_request activity won't detect changes - # in the upstream branch before we merge - push: - branches: [ master, 3.18.x, 3.15.x ] - + branches: [ master, 3.21.x, 3.18.x ] jobs: unit_tests: uses: ./.github/workflows/unit_tests.yml + shellcheck_tests: + uses: ./.github/workflows/shellcheck.yml asan_unit_tests: needs: unit_tests uses: ./.github/workflows/asan_unit_tests.yml @@ -25,6 +20,9 @@ jobs: macos_unit_tests: needs: unit_tests uses: ./.github/workflows/macos_unit_tests.yml - cifuzz_tests: + valgrind_check: + needs: unit_tests + uses: ./.github/workflows/job-valgrind-check.yml + static_check: needs: unit_tests - uses: ./.github/workflows/cifuzz.yml + uses: ./.github/workflows/job-static-check.yml diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml deleted file mode 100644 index 05d8f63f46..0000000000 --- a/.github/workflows/cifuzz.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: CIFuzz -on: - workflow_call -jobs: - Fuzzing: - runs-on: ubuntu-latest - steps: - - name: Build Fuzzers - id: build - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master - with: - oss-fuzz-project-name: 'cfengine' - dry-run: false - - name: Run Fuzzers - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master - with: - oss-fuzz-project-name: 'cfengine' - fuzz-seconds: 600 - dry-run: false - - name: Upload Crash - uses: actions/upload-artifact@v1 - if: failure() && steps.build.outcome == 'success' - with: - name: artifacts - path: ./out/artifacts diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..dfe8dd437e --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,53 @@ +name: "CodeQL" + +on: + push: + branches: [ "master", "3.15.x", "3.18.x", "3.21.x"] + pull_request: + branches: [ "master", "3.15.x", "3.18.x", "3.21.x"] + schedule: + - cron: "40 18 * * 6" + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ python, cpp ] + + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + queries: +security-and-quality + config-file: .github/codeql/codeql-config.yml + + - name: Autobuild (Python) + if: ${{ matrix.language == 'python' }} + uses: github/codeql-action/autobuild@v2 + + - name: Install dependencies (C) + if: ${{ matrix.language == 'cpp' }} + run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl libpcre3-dev + + - name: Build (C) + if: ${{ matrix.language == 'cpp' }} + run: ./autogen.sh && make + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/job-static-check.yml b/.github/workflows/job-static-check.yml new file mode 100644 index 0000000000..295aaf1d33 --- /dev/null +++ b/.github/workflows/job-static-check.yml @@ -0,0 +1,53 @@ +name: Static Check + +on: + workflow_call + +jobs: + static_check: + runs-on: ubuntu-latest + steps: + - name: Checkout Together Action + uses: actions/checkout@v3 + with: + repository: cfengine/together-javascript-action + ref: main + ssh-key: ${{ secrets.GH_ACTIONS_SSH_DEPLOY_KEY_TOGETHER_REPO }} + ssh-known-hosts: github.com + + - name: Action step + uses: ./ + id: together + with: + myToken: ${{ secrets.GITHUB_TOKEN }} + + - name: Checkout Core + uses: actions/checkout@v3 + with: + submodules: recursive + path: core + + - name: Checkout Buildscripts + uses: actions/checkout@v3 + with: + repository: cfengine/buildscripts + submodules: recursive + path: buildscripts + ref: ${{steps.together.outputs.buildscripts || github.base_ref}} + + - name: Checkout Masterfiles + uses: actions/checkout@v3 + with: + repository: cfengine/masterfiles + submodules: recursive + path: masterfiles + ref: ${{steps.together.outputs.masterfiles || github.base_ref}} + + - name: Prepare Environment + run: | + sudo apt-get update && \ + sudo apt-get install -y buildah + + - name: Run The Test + working-directory: ./core + run: ./tests/static-check/run.sh diff --git a/.github/workflows/job-valgrind-check.yml b/.github/workflows/job-valgrind-check.yml new file mode 100644 index 0000000000..3fb2c39239 --- /dev/null +++ b/.github/workflows/job-valgrind-check.yml @@ -0,0 +1,40 @@ +name: Valgrind Check + +on: + workflow_call + +jobs: + valgrind_check: + runs-on: ubuntu-latest + steps: + - name: Checkout Together Action + uses: actions/checkout@v3 + with: + repository: cfengine/together-javascript-action + ref: main + ssh-key: ${{ secrets.GH_ACTIONS_SSH_DEPLOY_KEY_TOGETHER_REPO }} + ssh-known-hosts: github.com + + - name: Action step + uses: ./ + id: together + with: + myToken: ${{ secrets.GITHUB_TOKEN }} + + - name: Checkout Core + uses: actions/checkout@v3 + with: + submodules: recursive + path: core + + - name: Checkout Masterfiles + uses: actions/checkout@v3 + with: + repository: cfengine/masterfiles + submodules: recursive + path: masterfiles + ref: ${{steps.together.outputs.masterfiles || github.base_ref}} + + - name: Run The Test + working-directory: ./core/tests/valgrind-check + run: sudo bash run.sh diff --git a/.github/workflows/macos_unit_tests.yml b/.github/workflows/macos_unit_tests.yml index 7e624a6510..86de8343cb 100644 --- a/.github/workflows/macos_unit_tests.yml +++ b/.github/workflows/macos_unit_tests.yml @@ -7,14 +7,22 @@ jobs: macos_unit_tests: runs-on: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: recursive - name: Install dependencies - run: brew install lmdb automake openssl@1.1 pcre + run: brew install lmdb automake openssl pcre autoconf libtool + - name: Check tools + run: command -v libtool && command -v automake && command -v autoconf + - name: Check tools versions + run: libtool -V && automake --version && autoconf --version - name: Run autotools / configure - run: ./autogen.sh --enable-debug --with-openssl="$(brew --prefix openssl@1.1)" + run: > + LDFLAGS="-L`brew --prefix lmdb`/lib -L`brew --prefix openssl`/lib -L`brew --prefix pcre`/lib" + CPPFLAGS="-I`brew --prefix lmdb`/include -I`brew --prefix openssl`/include -I`brew --prefix pcre`/include" + PATH="/opt/homebrew/opt/libtool/libexec/gnubin:$PATH" + ./autogen.sh --enable-debug - name: Compile and link - run: make -j8 CFLAGS="-Werror -Wall" + run: MACOSX_DEPLOYMENT_TARGET=15.4 make -j8 CFLAGS="-Werror -Wall" - name: Run unit tests run: make -C tests/unit check diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml new file mode 100644 index 0000000000..8f84f184f4 --- /dev/null +++ b/.github/workflows/shellcheck.yml @@ -0,0 +1,18 @@ +on: + workflow_call + +jobs: + unit_tests: + name: Run shellcheck on shell scripts + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v3 + with: + submodules: recursive + - name: Install dependencies + run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl shellcheck + - name: Run autotools / configure + run: ./autogen.sh --enable-debug + - name: Run shellcheck +# todo: add more places to run shellcheck besides misc/cf-support + run: make -C misc check diff --git a/.github/workflows/suppr.txt b/.github/workflows/suppr.txt new file mode 100644 index 0000000000..24b14962d3 --- /dev/null +++ b/.github/workflows/suppr.txt @@ -0,0 +1 @@ +leak:crypto diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index 99c2f0525e..9aa0412391 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -4,7 +4,7 @@ on: jobs: unit_tests: name: Run Unit Tests - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v3 with: diff --git a/.gitignore b/.gitignore index 2125c0e47a..805a2f0f0e 100644 --- a/.gitignore +++ b/.gitignore @@ -187,4 +187,5 @@ __pycache__ # SELinux policy build artifacts misc/selinux/cfengine-enterprise.pp misc/selinux/cfengine-enterprise.if +misc/selinux/cfengine-enterprise.te misc/selinux/tmp diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 4dcfc5ef5e..0000000000 --- a/.travis.yml +++ /dev/null @@ -1,59 +0,0 @@ -language: c -os: linux -dist: xenial - -# This is an addon for uploading artifacts to s3: -# https://docs.travis-ci.com/user/uploading-artifacts/ -# Env vars: ARTIFACTS_BUCKET ARTIFACTS_SECRET ARTIFACTS_BUCKET -# If you are logged in and have permission, you can see here: -# https://s3.console.aws.amazon.com/s3/buckets/cfengine-travis-artifacts?region=us-east-1 -addons: - artifacts: - paths: - - artifacts/ - -# Build on pushes only to given branches -branches: - only: - - master - - 3.12.x - - 3.15.x - - 3.18.x - -env: - global: - - CI_NODE_TOTAL=6 - # Quickest to build, fast performing, debugable builds. - - CFLAGS="-g1 -O1" - # upload log files, tarballs etc artifacts from the build. - - ARTIFACTS_BUCKET=cfengine-travis-artifacts - # 2 cores according to: https://docs.travis-ci.com/user/ci-environment/ - - MAKEFLAGS=-j3 - -# Parallel jobs listed here; fastest jobs should come first to give -# feedback ASAP. For more info read this: -# https://docs.travis-ci.com/user/multi-os/ -jobs: - fast_finish: true # Build will succeed once all linux jobs succeed - include: - - env: JOB_TYPE=compile_and_unit_test_asan - - env: JOB_TYPE=valgrind_health_check - - env: JOB_TYPE=compile_and_unit_test COVERAGE=no - compiler: clang - - env: JOB_TYPE=acceptance_tests_common - # The unsafe acceptance tests don't work with SIMFS which is the default - # filesystem in Travis; so change OS to Trusty, which uses ext4. - - env: JOB_TYPE=acceptance_tests_unsafe_serial_network_etc - - env: JOB_TYPE=serverd_multi_versions COVERAGE=no - -before_install: - - chmod ug+x ./travis-scripts/* - - ./travis-scripts/before_install.sh - -script: ./travis-scripts/script.sh - -after_success: ./travis-scripts/after_success.sh - -before_deploy: ./travis-scripts/before_deploy.sh - -after_script: ./travis-scripts/after_script.sh diff --git a/ChangeLog b/ChangeLog index 4d07306787..4b29b92dd0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,186 @@ +3.21.8: + - Added sysvinit cf-php-fpm service script for Mission Portal + (ENT-13234) + - Atomic permissions during file copy. + Temporary file is now set to promised permissions before replacing it + with original during remote copy from. (ENT-13163) + - Fixed bug where remote file copy always preserves source perms. + Remote file copy with the 'copy_from' attribute now only preserves + source file permissions if the 'preserve' attribute in 'body copy_from' + is true. Otherwise it will use the permissions of the destination file + if it already exists and default permissions if it does not. (ENT-11988) + - Fixed cf-support usage of coredumpctl matching (ENT-13272) + - Fixed move_obstructions support when using content, and edit_template (CFE-4591) + - Fixed handling of promise locking with edit line + Fixed bug where rendered files can result in erroneously empty files + as a result of promise locking. (ENT-9980) + - Removed useless output from cfengine3 init script (ENT-13234) + +3.21.7: + - Fixed issue where rhel >8 packages would not have correct openssl + dependency version (ENT-12587) + - Added http_port and getattr selinux permissions as needed for selinux + policy on rhel-8 and rhel-9 (ENT-12954) + - Fixed bug in parsing process_select for Windows (ENT-12751) + - Added "acknowledged" field to lastseen DB (ENT-11838) + - Adjusted cf-support for exotic UNIX platforms (ENT-9786) + - Adjusted cf-support to not fail if core dumps are available and gdb is missing + (ENT-9786) + - Fixed bug causing LMDB database corruption + - Fixed incorrect exit code handling in cf-runagent (ENT-12712) + - Fixed possible segfault when backing up LMDB databases + - In case of LMDB migration failures, the respective database file is + moved to the side, and a fresh database is created. + - Made cf-support use coredumpctl for core analysis only when configured in kerenl.core_pattern + (ENT-9985) + - cf-agent now creates backup before LMDB migration + - Re-enabled DB migration support for LMDB + - SELinux: Allow cf-serverd to set its own limits (ENT-12446) + +3.21.6: + - Fixed multiple issues in cfengine-enterprise SELinux policy which could + cause AVC denials / warnings for various CFEngine components. + (ENT-12466, ENT-12446) + - Added logging CFEngine component related SELinux denials in cf-support + (ENT-12137) + - Agent now also ignores interfaces listed in ignore_interfaces.rx when + looking for IPv6 interface info. Variables such as + 'default:sys.hardware_mac[]' will no longer be defined for + ignored interfaces. (ENT-11840) + - Atomic copy_from in files promise + Changes to 'files' promise in 'copy_from' attribute: + - The new file (i.e., '.cfnew') is now created with correct + permission during remote copy. Previously it would be created with + default permissions. + - The destination file (i.e., '') is no longer deleted on + backup during file copy. Previously it would be renamed to + '.cfsaved', causing the original file to dissappear. Now an + actual copy of the original file with the same permissions is created + instead. + As a result, there will no longer be a brief moment where the original + file is inaccessible. (ENT-11988) + - Fixed bug in double expansion of foreign list variables with namespaces + (ENT-11923) + - Fixed package promises with only promisers and no other attributes + (CFE-4315, CFE-4398, CFE-4408) + - Fixed packagesmatching() function segfaulting on Windows platform + (ENT-11900) + - Trailing newline on insert_tree promisers no longer removes ending tag for select_xpath + (CFE-3806) + - commands promises with exit codes not matching any + _returncodes attributes from classes body now log an + error message not just an info message (CFE-4429, ENT-12103) + +3.21.5: + - Added warning log message when OS is not recognized (CFE-4342) + - Adjusted package module inventory to include quotes around fields when needed + (CFE-4341) + - Added 'sys.os_name_human' and 'sys.os_version_major'. Additionally + changed value of 'sys.flavor' from 'AmazonLinux' to 'amazon_linux_2', so + that it is similar to other supported Linux distros. This change was + necessary, due to the fact that the 'sys.os_version_major' variable is + derived from it. However, the 'AmazonLinux' class previously derived + from 'sys.flavor' is still defined for backwards compatibility. + (ENT-10817) + - CFEngine processes no longer suffer from the "Invalid argument" issues when + working with LMDB (ENT-11543) + - Changed cf-apache systemd unit to reload configuration gracefully + (ENT-11526) + - Changed cf-execd's sleep behavior so it attempts to wake up at the beginning of every minute + (ENT-11765) + - Modified package promise default. If platform_default is present use that package module. + (CFE-4315) + - Ownership of symlinks is now handled properly (ENT-11235) + - cf-agent has two new options --no-augments and --no-host-specific-data to skip + loading augments (def.json or def_preferred.json) and host-specific data + (host_specific.json), respectively (ENT-10792) + - Fixed bug where 'default:sys.fqhost' contained many spaces when domain is + set in body common control (CFE-4053) + - depth_search acting on a non-directory promiser now handles such + file as if the promise didn't use depth_search, issuing a warning (ENT-8996) + +3.21.4: + - 'cf-check diagnose' now shows DB usage and a hint if rotation is required + - 'cf-check repair' now rotates DB files with high usage (>95%) (CFE-3374) + - 'cf-check repair' now supports the '--test-write' option to check if DBs can + be written to as part of identifying DBs that need repairing (CFE-3375) + - /usr/bin/getent is now attempted to be used if /bin/getent doesn't exist + (CFE-4256) + - CFEngine locks are now purged dynamically based on the local locks DB + usage/size ranging from no purging (<=25% usage) to purging of locks older + than 1 week (>75% usage) (CFE-2136, ENT-5898, ENT-8201) + - Fixed infinite loop on error bug while reading interface exception file + - Fixed inventoried policy release id when masterfiles-stage.sh deploys with + cfbs (ENT-10832) + - Full LMDB files are now handled gracefully by moving them aside and using + new empty LMDB files (ENT-8201) + - Improved locale override in masterfiles stage scripts (ENT-10753) + - Moved ignore_interfaces.rx to $(sys.workdir) Moved expected location of + ignore_interfaces.rx from $(sys.inputdir) to $(sys.workdir). If the file is + found in $(sys.inputdir) but not in $(sys.workdir), we will still process it + for backwards compatibility, but issue a warning prompting the user to move + it to the appropriate location. (ENT-9402) + - Only CFEngine processes are now killed as expired lock owners (CFE-3982) + - SELinux no longer blocks CFEngine deamons in reading security parameters + from /proc/sys/kernel (ENT-9684) + - cf-hub is now allowed to use the TLS kernel module on SELinux-enabled + systems (ENT-9727) + - cf_lock.lmdb is no longer restored from backup on every boot (CFE-3982) + - Fixed cf-support call to cf-promises to collect all classes and vars + (CFE-4300) + - SELinux no longer breaks exporting large reports as PDF (ENT-11154) + +3.21.3: + - Fixed and improved postgresql server state handling in package installer + scriptlets (ENT-10647) + - Cached policy function results now take into account number of arguments + and function name (CFE-4244) + - Improved the syntax description for validjson() (ENT-9759) + - Modified classesmatching() function to search parent bundles with inherit + => true (ENT-5850) + - packagesmatching() and packageupdatesmatching() now look for the software + inventory databases in the state directory and use them if found. This + change enables the usage of these functions in standalone policy files + without the demand for specifying the default package inventory attribute + in body common control. However, you still need the default package + inventory attribute specified in the policy framework for the software + inventory databases to exist in the first place and to be maintained. + (ENT-9083) + +3.21.2: + - The CF3_WITH_LIBRARY and AC_CHECK_HEADERS were moved to outside of the check for with-libxml2=no (CFE-4023) + - configure.ac: Enabled use of pkg-config to find libxml2 (CFE-4014) + - Added --help option to cf-support and aligned output with other + components (ENT-9740) + - Added classes and vars to cf-support (CFE-4160) + - Added condition to runalerts service to require stamp directory + (ENT-9711) + - Added mctp_socket class to selinux policy (ENT-10206) + - Added native core dump handling in cf-support for solaris (ENT-9786) + - Added needed selinux class lockdown for latest rhel-9 hosts + (ENT-9685) + - Adjusted cf-support for exotic/legacy POSIX systems (ENT-9340) + - Adjusted cf-support for hpux mktemp command (ENT-9786) + - Instead of creating the directories with the default file + permissions, then change them to the desired state; directories are + now created with the desired set of permissions (CFE-4114) + - Enabled install-time selinux policy compiling (ENT-9685) + - Fixed debug module expand logging for scalars (CFE-4122) + - Fixed syntax description of validjson() (ENT-9759) + - Prevented cf-support from searching more than 1 level for core files + (ENT-9981) + - Started checking status of all cf- prefixed systemd services in cf-support + (ENT-9804) + - validjson() no longer accepts trailing bogus data (CFE-4080) + - Variables & classes modules are now automatically tagged with 'source=module' and 'derived_from=' (ENT-7725) + +3.21.1: + - This release contains fixes to CVE-2023-26560, a security vulnerability in the + CFEngine Enterprise Hub / Mission Portal. Beyond this, there were no other changes. + For more information about the vulnerability and release see our blog; + https://cfengine.com/blog/2023/cve-2023-26560/ + https://cfengine.com/blog/2023/cfengine-3-18-4-and-3-21-1-released/ + 3.21.0: - Added cf-support utility for generating support information (ENT-9037) @@ -263,7 +446,7 @@ interpreters results in an error (CFE-3572) - Value of the 'files_single_copy' body control attribute is now logged in verbose logging mode (CFE-3622) - - variables and classes defined in cmdb cannot be re-defined in + - Variables and classes defined in cmdb cannot be re-defined in augments (ENT-7079) - Verbose log now contains comments associated with 'vars' and 'classes' promises (CFE-2442, CFE-2443) @@ -495,7 +678,7 @@ - IPv6 addresses are now added to policy variable sys.ip_addresses (CFE-682) - IPv6 addresses now respect ignored_interfaces.rx (CFE-3156) - - hostname now allowed in bindtoaddress (CFE-3190) + - Hostname now allowed in bindtoaddress (CFE-3190) - Fixed issue when removing comments from files in various policy functions This also fixes many erroneous occurences of the error message mentioning: @@ -563,7 +746,7 @@ - Added a new utility to contrib: cf-remote cf-remote is a python + fabric tool to log in to remote hosts you have ssh access to. It can be used to download, transfer, - and install cfengine packages as well as bootstrapping etc. + and install CFEngine packages as well as bootstrapping etc. At this point, cf-remote is not packaged with CFEngine, but can be installed separately from: https://github.com/cfengine/cf-remote @@ -759,17 +942,17 @@ use string comparison to find matches. The documentation is clear; arguments should be regexes (so you have to escape special characters). - bundle agent main - { - vars: - "myvar" - string => "example", - meta => {"os[linux]"}; - "matches" - slist => variablesmatching(".*", "os\[linux\]"); - reports: - "Match: $(matches)"; - } + bundle agent main + { + vars: + "myvar" + string => "example", + meta => {"os[linux]"}; + "matches" + slist => variablesmatching(".*", "os\[linux\]"); + reports: + "Match: $(matches)"; + } The above example is correct. If you don't escape the brackets like above, it will no longer work. (You probably shouldn't use brackets in tags anyway). @@ -783,7 +966,7 @@ (CFE-2817) - Fixed issue with cf-agent intermittently hanging on windows sometimes (ENT-3756) - - change GIT_BRANCH to GIT_REFSPEC and remove Design Center vars + - Change GIT_BRANCH to GIT_REFSPEC and remove Design Center vars (ENT-4023) - os-release file is now used for hard classes and sys.flavor on all linuxes This will improve platform detection on newer operating systems where @@ -794,14 +977,14 @@ special variable sys.flavor will also be set by determining major version from VERSION_ID. Example os-release file: - ID=coreos - VERSION_ID=1185.3.0 + ID=coreos + VERSION_ID=1185.3.0 For the example above, sys.flavor will be coreos_1185 and 4 hard classes will be set; coreos_1185_3_0, coreos_1185_3, coreos_1185, and coreos. For backwards compatibility, older distribution specific logic is still executed and may overwrite sys.flavor and define hard classes as before. - - refactor use of atexit to use custom cleanup function instead. On Windows + - Refactor use of atexit to use custom cleanup function instead. On Windows atexit() unloads DLLs before and/or during atexit functions being called which causes bad behavior. (ENT-3756) @@ -986,7 +1169,7 @@ example to enable all log modules, run: cf-agent -d --log-modules=all - Add: edit_line contains_literal_string to stdlib - - add variablesmatching_as_data() function paralleling variablesmatching() + - Add variablesmatching_as_data() function paralleling variablesmatching() (Redmine #7885) - Allow specifying agent maxconnections via def.json (CFE-2461) - Add getuserinfo() function @@ -1000,29 +1183,29 @@ This speeds up enormously the execution of policies that included long slists or JSON containers, that in the past didn't even terminate. Change: "cf_null" string literal was changed to not be something - special, and it's now a string that can be used anywhere, like - in slists or part of bundlesequence etc. + special, and it's now a string that can be used anywhere, like + in slists or part of bundlesequence etc. NOTE: Old policy should be grep'ed for "cf_null" and in case such - occurences were handled specially, they should be reworked. + occurences were handled specially, they should be reworked. Change: "--empty-list--" is now never printed by format(), - an empty list is now printed as "{ }". + an empty list is now printed as "{ }". Change: Order of pre-evaluation was slightly changed, A new "vars" pass - at the beginning of pre-evaluation was added. It used to be - classes-vars, but it was changed to vars-classes-vars. As a - result some classes or variables might be evaluated at a - different time than before. As always try to write policy code that works no matter what the - order of execution is. - One way is to always *guard* the execution of functions to avoid - bogus function results. For example the following will avoid - running execresult() bevore the file has been created: - execresult("cmd /path/to/filename") if => fileexists("/path/to/filename"); + at the beginning of pre-evaluation was added. It used to be + classes-vars, but it was changed to vars-classes-vars. As a + result some classes or variables might be evaluated at a + different time than before. As always try to write policy code that works no matter what the + order of execution is. + One way is to always *guard* the execution of functions to avoid + bogus function results. For example the following will avoid + running execresult() bevore the file has been created: + execresult("cmd /path/to/filename") if => fileexists("/path/to/filename"); C internals: NULL Rlist is now perfectly valid, in fact it is the only - way to denote an empty Rlist. + way to denote an empty Rlist. C internals: Since a slist variable can be NULL, API of - EvalContextVariableGet() changed: The way to detect if a - variable is found, is not to check return value for NULL, - but to check returned *type* for CF_DATA_TYPE_NONE. - Fixed what I could find as wrong API uses. (CFE-2162) + EvalContextVariableGet() changed: The way to detect if a + variable is found, is not to check return value for NULL, + but to check returned *type* for CF_DATA_TYPE_NONE. + Fixed what I could find as wrong API uses. (CFE-2162) - Allow arbitrary service policies (CFE-2402) - Behaviour change: cf-execd: Do not append -Dfrom_cfexecd to exec_command . (CFE-2386) @@ -1040,7 +1223,7 @@ (CFE-2429) - Change: Switch processes restart_class logging to verbose - Change: Log level for keeping verbatim JSON to DEBUG (CFE-2141) - - Change: Require network before cfengine services (CFE-2435) + - Change: Require network before CFEngine services (CFE-2435) - Behaviour change: getvalues(inexistent_var) returns an empty list. Restores 3.7.x and earlier behaviour. (CFE-2479) - Behaviour change: when used with CFEngine 3.10.0 or greater, @@ -1059,7 +1242,7 @@ (CFE-2519) Bug fixes: - - fix files promise not setting ACL properly on directories. (CFE-616) + - Fix files promise not setting ACL properly on directories. (CFE-616) - Upgrade CFEngine dependencies to the following versions: - lixml2 2.9.4 - OpenSSL 1.0.2j @@ -1076,12 +1259,12 @@ - Fix bug which caused empty emails to be sent from cf-execd if there was no previous output log and the new log was fully filtered by email filters. (ENT-2739) - - allow ifelse(FALSE, $(x), "something else") to work. (CFE-2260) + - Allow ifelse(FALSE, $(x), "something else") to work. (CFE-2260) - Fix connection cache, reuse connections when possible. (CFE-2447) - Fix rare bug that would sometimes prevent redis-server from launching. - Fix bug in files promise when multiple owners are promised but first one doesn't exist, and improve logging . (CFE-2432) - - define kept outcome with action warn if edit_line is as expected + - Define kept outcome with action warn if edit_line is as expected (CFE-2424) - Example using getvariablemetatags() and getclassmetatags() to get a specific tag key - Remove 2k limit on strings length when writing JSON policies @@ -1091,7 +1274,7 @@ - Allow editing fields in lines longer than 4k (CFE-2438) - Don't send empty emails for logs where everything is filtered. (ENT-2739) - - allow maplist(), maparray(), and mapdata() to evaluate function calls during iteration + - Allow maplist(), maparray(), and mapdata() to evaluate function calls during iteration (ARCHIVE-1619) - insert_lines is no longer implicitly matching EOF as end of the region if 'select_end' pattern is not matched . (CFE-2263) @@ -1115,8 +1298,8 @@ - Be less verbose if a network interface doesn't have a MAC address. (CFE-1995) - Fix: CFEngine choking on standard services (CFE-2806) - - fix insert_lines related memory corruption (CFE-2520) - - fix cf-serverd crash when reporting corrupted data. (ENT-3023) + - Fix insert_lines related memory corruption (CFE-2520) + - Fix cf-serverd crash when reporting corrupted data. (ENT-3023) - Fix ability to manage INI sections with metachars for manage_variable_values_ini and set_variable_values_ini (CFE-2519) - Fix apt_get package module incorrectly using interactive mode. @@ -1142,7 +1325,7 @@ - See documentation for more details. (Jira CFE-1991) - sys.ip2iface: new reverse mapping variable from IP to interface name - Namespaced classes can now be specified on the command line. - - namespaces can now be passed to cf-runagent -D and --remote-bundles + - Namespaces can now be passed to cf-runagent -D and --remote-bundles (Redmine #7856) - Add 'cf-full' and 'json-full' to cf-promises '-p' option. They generate output based on the entire policy. The existing 'cf' @@ -1164,7 +1347,7 @@ useful. A corresponding $(def.jq) variable has also been added with a default path to this tool. See documentation for mapdata() for more information and examples. (Jira CFE-2071) - - behaviour change: "true" is always defined and "false" is never defined in a context expression. + - Behaviour change: "true" is always defined and "false" is never defined in a context expression. - Add: nimclient package module for AIX This module provides basic functionality for using nimclient as a means to ensure packages are either present or absent. It does not support @@ -1258,8 +1441,8 @@ defined, it will be used by all promises of type unless another body is explicitly used. - cf-serverd no longer appends "-I -Dcfruncommand" to - cfruncommand, this has to be done manually in masterfiles - body server control. (Redmine #7732) + cfruncommand, this has to be done manually in masterfiles + body server control. (Redmine #7732) - eval() function arguments mode and options are now optional. - sort() function argument mode is now optional. @@ -1349,7 +1532,7 @@ started" messages in the log, most notably in long running cf-agent runs (longer than one minute). (Redmine #7933) - TTY detection should be more reliable. (Redmine #7606) - - cf-promises -p cf now produces valid cfengine code (Redmine #7956) + - cf-promises -p cf now produces valid CFEngine code (Redmine #7956) - Fix ps options for FreeBSD to check processes only in current host and not in jails - cf-runagent now properly supports multiple -D or -s arguments (Redmine #7191) @@ -1380,7 +1563,7 @@ attributes is different between the mount points. - Fix classes being set because of hash collision in the implementation. (Redmine #7912) - - fix build failure on FreeBSD 7.1 (Redmine #7415) + - Fix build failure on FreeBSD 7.1 (Redmine #7415) - Improve logging when managing setuid/setgid - Reduce verbosity of apt_get package module (Redmine #7485) - packagesmatching() and packageupdatesmatching() should work @@ -1417,7 +1600,7 @@ hub can execute package promises. (Redmine #7602) - Fix: CFEngine choking on standard services (Jira CFE-2086) - Fix: cf-upgrade on SUSE - - Fix: Stop cfengine choking on systemctl output (Jira CFE-2806) + - Fix: Stop CFEngine choking on systemctl output (Jira CFE-2806) - storage: Properly initialize the list of current mounts (Jira CFE-1803) - Fix bug which caused empty emails to be sent from cf-execd @@ -1471,7 +1654,7 @@ - Installing packages containing version numbers using yum now works correctly. (Redmine #7825) - Fix ps options for FreeBSD to check processes only in current host and not in jails - - fix build failure on FreeBSD 7.1 (Redmine #7415) + - Fix build failure on FreeBSD 7.1 (Redmine #7415) - Show errors regarding failure to copy extended attributes when doing a local file copy. Errors could happen when copying across two different mount points where the support for extended @@ -1525,7 +1708,7 @@ inherit from, plus any arguments it accepts. For example: body classes myclasses { - inherit_from => classes_generic("myname"); + inherit_from => classes_generic("myname"); } (Redmine #4309) - Add url_get() function. (Redmine #6480) @@ -1592,7 +1775,7 @@ - Redmine #6027 Directories should no more be changed randomly into files. (Redmine #6027) - Improve cf-serverd's lock contention because of getpwnam() - call. (Redmine #7643) (Redmine #7643) + call. (Redmine #7643) (Redmine #7643) - action_policy "warn" now correctly produces warnings instead of various other verbosity levels. (Redmine #7274) - If there is an error saving a mustache template file @@ -1657,7 +1840,7 @@ - Redis 2.8.24 - rsync 3.1.2 PHP was kept at 5.6.17 because of problems with the 5.6.19 version. - - parse def.json vars, classes, and inputs in C (Redmine #7453) + - Parse def.json vars, classes, and inputs in C (Redmine #7453) - Namespaced classes can now be specified on the command line. - getvalues() will now return a list also for data containers, and will descend recursively into the containers. (Redmine #7116) @@ -1697,7 +1880,7 @@ (Redmine #7274) - Fix classes being set because of hash collision in the implementation. (Redmine #7912) - - fix build failure on FreeBSD 7.1 (Redmine #7415) + - Fix build failure on FreeBSD 7.1 (Redmine #7415) - Installing packages containing version numbers using yum now works correctly. (Redmine #7825) @@ -1721,7 +1904,7 @@ - Redis 2.8.24 - rsync 3.1.2 PHP was kept at 5.6.17 because of problems with the 5.6.19 version. - - parse def.json vars, classes, and inputs in C (Redmine #7453) + - Parse def.json vars, classes, and inputs in C (Redmine #7453) - Namespaced classes can now be specified on the command line. - getvalues() will now return a list also for data containers, and will descend recursively into the containers. (Redmine #7116) @@ -1761,7 +1944,7 @@ (Redmine #7274) - Fix classes being set because of hash collision in the implementation. (Redmine #7912) - - fix build failure on FreeBSD 7.1 (Redmine #7415) + - Fix build failure on FreeBSD 7.1 (Redmine #7415) - Installing packages containing version numbers using yum now works correctly. (Redmine #7825) @@ -1854,23 +2037,22 @@ - New package promise implementation. The syntax is much simpler, to try it out, check out the syntax: packages: - "mypackage" - policy => "absent/present", - - # Optional, default taken from common control - package_module => apt_get, + "mypackage" + policy => "absent/present", - # Optional, will only match exact version. May be - # "latest". - version => "32.0", + # Optional, default taken from common control + package_module => apt_get, - # Optional. - architecture => "x86_64"; + # Optional, will only match exact version. May be + # "latest". + version => "32.0", + # Optional. + architecture => "x86_64"; - Full systemd support for all relevant platforms - New classes to determine whether certain features are enabled: - * feature_yaml - * feature_xml + * feature_yaml + * feature_xml For the official CFEngine packages, these are always enabled, but packages from other sources may be built without the support. - New readdata() support for generic data input (CSV, YAML, JSON, or auto) @@ -1895,7 +2077,7 @@ same data structure will produce the same JSON every time. - New "@if minimum_version(x.x)" syntax in order to hide future language improvements from versions that don't understand them. - - compile time option (--with-statedir) to + - Compile time option (--with-statedir) to override the default state/ directory path. - Fix error messages/ handling in process signalling which no longer allowed any signals to fail silently @@ -1907,7 +2089,7 @@ - In a services promise, if the service_method bundle is not specified, it defaults to the promiser string (canonified) with "service_" as a prefix. The bundle must be in the same namespace as the promise. - - inline JSON in policy files: surrounding with parsejson() is now + - Inline JSON in policy files: surrounding with parsejson() is now optional *when creating a new data container*. - New data_expand() function to interpolate variables in a data container. - Add configurable network bandwidth limit for all outgoing @@ -2092,72 +2274,72 @@ 3.6.3 New features: - - support for HP-UX 11.23 and later - - experimental support for Red Hat Enterprise Linux 7 + - Support for HP-UX 11.23 and later + - Experimental support for Red Hat Enterprise Linux 7 Bug fixes: - - fix getindices on multi-dimensional arrays (Redmine #6779) - - fix mustache template method to run in dryrun mode (Redmine #6739) - - set mailto and mailfrom settings for execd in def.cf (Redmine #6702) - - fix conflation of multi-index entries in arrays (Redmine #6674) - - fix promise locking when transferring using update.cf (Redmine #6623) - - update JSON parser to return an error on truncation (Redmine #6608) - - fix sys.hardware_addresses not expanded (Redmine #6603) - - fix opening database txn /var/cfengine/cf_lastseen.lmdb: + - Fix getindices on multi-dimensional arrays (Redmine #6779) + - Fix mustache template method to run in dryrun mode (Redmine #6739) + - Set mailto and mailfrom settings for execd in def.cf (Redmine #6702) + - Fix conflation of multi-index entries in arrays (Redmine #6674) + - Fix promise locking when transferring using update.cf (Redmine #6623) + - Update JSON parser to return an error on truncation (Redmine #6608) + - Fix sys.hardware_addresses not expanded (Redmine #6603) + - Fix opening database txn /var/cfengine/cf_lastseen.lmdb: MDB_READERS_FULL when running cf-keys --show-hosts (Redmine #6602) - - fix segfault (Null pointer dereference) when select_end in + - Fix segfault (Null pointer dereference) when select_end in delete_lines never matches (Redmine #6589) - - fix max_file_size => "0" not disabling or allowing any size + - Fix max_file_size => "0" not disabling or allowing any size (Redmine #6588) - - fix ifvarclass, with iteration over list, failing when deleting + - Fix ifvarclass, with iteration over list, failing when deleting files with time condition (Redmine #6577) - - fix classes defined with "or" constraint are never set if any value + - Fix classes defined with "or" constraint are never set if any value doesn't evaluate to a scalar (Redmine #6569) - - update "mailfrom" default in default policy (Redmine #6567) - - fix logrotate ambiguity of filename (Redmine #6563) - - fix parsing JSON files (Redmine #6549) - - reduce write count activity to /var partition (Redmine #6523) - - fix files delete attribute incorrectly triggering promise_kept + - Update "mailfrom" default in default policy (Redmine #6567) + - Fix logrotate ambiguity of filename (Redmine #6563) + - Fix parsing JSON files (Redmine #6549) + - Reduce write count activity to /var partition (Redmine #6523) + - Fix files delete attribute incorrectly triggering promise_kept (Redmine #6509) - - update services bundle output related to chkconfig when run in + - Update services bundle output related to chkconfig when run in inform mode. (Redmine #6492) - - fix Solaris serverd tests (Redmine #6406) - - fix broken bechaviour of merging arrays with readstringarray + - Fix Solaris serverd tests (Redmine #6406) + - Fix broken bechaviour of merging arrays with readstringarray (Redmine #6369) - - fix ifelapsed bug with bundle nesting (Redmine #6334) - - fix handling cf_null in bundlesequence (Redmine #6119) - - fix maparray reading whole input array when using subarray + - Fix ifelapsed bug with bundle nesting (Redmine #6334) + - Fix handling cf_null in bundlesequence (Redmine #6119) + - Fix maparray reading whole input array when using subarray (Redmine #6033) - - fix directories being randomly changed to files (Redmine #6027) - - update defaults promise type to work with classes (Redmine #5748) + - Fix directories being randomly changed to files (Redmine #6027) + - Update defaults promise type to work with classes (Redmine #5748) - systemd integration in services promises (Redmine #5415) - - fix touch attribute ignoring action = warn_only (Redmine #3172) - - fix 4KB string limit in functions readfile, string_downcase, + - Fix touch attribute ignoring action = warn_only (Redmine #3172) + - Fix 4KB string limit in functions readfile, string_downcase, string_head, string_reverse, string_length, string_tail, string_upcase (Redmine #2912) 3.6.2 Bug fixes: - - don't regenerate software_packages.csv every time (Redmine #6441) - - improve verbose message for package_list_command - - fix missing log output on AIX (Redmine #6434) - - assorted fixes to dirname() esp on Windows (Redmine #4716) - - fix package manager detection - - fix build issues on FreeBSD - - allow copying of dead symbolic links (Redmine #6175) - - preserve order in readstringarrayidx (Redmine #6466) - - fix passing of unexpanded variable references to arrays + - Don't regenerate software_packages.csv every time (Redmine #6441) + - Improve verbose message for package_list_command + - Fix missing log output on AIX (Redmine #6434) + - Assorted fixes to dirname() esp on Windows (Redmine #4716) + - Fix package manager detection + - Fix build issues on FreeBSD + - Allow copying of dead symbolic links (Redmine #6175) + - Preserve order in readstringarrayidx (Redmine #6466) + - Fix passing of unexpanded variable references to arrays (Redmine #5893) - - use entries for new {admin,deny}_{ips,hostnames} constraints in + - Use entries for new {admin,deny}_{ips,hostnames} constraints in the relevant legacy lists (Redmine #6542) - - cope with ps's numeric fields overflowing to the right - - interpret failing function calls in ifvarclass as class not set + - Cope with ps's numeric fields overflowing to the right + - Interpret failing function calls in ifvarclass as class not set (Redmine #6327) - - remove unexpanded lists when extending lists (Redmine #6541) - - infer start-time of a process from elapsed when needed + - Remove unexpanded lists when extending lists (Redmine #6541) + - Infer start-time of a process from elapsed when needed (Redmine #4094) - - fix input range definition for laterthan() function (Redmine #6530) - - don't add trailing delimiter when join()'ing lists ending with a + - Fix input range definition for laterthan() function (Redmine #6530) + - Don't add trailing delimiter when join()'ing lists ending with a null-value (Redmine #6552) - 9999999999 (ten 9s) or higher has been historically used as an upper bound in CFEngine code and policy but because of overflow on 32-bit @@ -2176,7 +2358,7 @@ Changes: - Short-circuit evaluation of classes promises if class is already set (Redmine #5241) - - fix to assume all non-specified return codes are failed in commands promises (Redmine #5986) + - Fix to assume all non-specified return codes are failed in commands promises (Redmine #5986) - cf-serverd logs reconfiguration message to NOTICE (was INFO) so that it's always logged in syslog Bug fixes: @@ -2206,23 +2388,23 @@ Changes: - Changes to logging output - - add process name and pid in syslog message (GitHub #789) - - cf-serverd logging levels are now more standardised: - - INFO logs only failures - - VERBOSE logs successful requests as well - - DEBUG logs actual protocol traffic. - - cf-serverd now logs the relevant client IP address on - each message. - - Logging contexts to local database (cf_classes.tcdb) has been deprecated. - - 'usebundle' promisees are logged for all the bundle promises - - output from 'reports' promises has nothing prefixed except 'R: ' - - a log line with stack path is generated when the promise type evaluated changes + - Add process name and pid in syslog message (GitHub #789) + - cf-serverd logging levels are now more standardised: + - INFO logs only failures + - VERBOSE logs successful requests as well + - DEBUG logs actual protocol traffic. + - cf-serverd now logs the relevant client IP address on + each message. + - Logging contexts to local database (cf_classes.tcdb) has been deprecated. + - 'usebundle' promisees are logged for all the bundle promises + - output from 'reports' promises has nothing prefixed except 'R: ' + - a log line with stack path is generated when the promise type evaluated changes - LMDB (symas.com/mdb) is the default database for local data storage : use version 0.9.9 or later cf-agent --self-diagnostics (-x) is only implemented for TCDB, not for LMDB - port argument in readtcp() and selectservers() may be a service name (e.g. "http", "pop3"). - Enable source file in agent copy_from promises to be a relative path. - - file "changes" reporting now reports with log level "notice", instead of "error". + - file "changes" reporting now reports with log level "notice", instead of "error". - process_results default to AND'ing of set attributes if not specified (Redmine #3224) - interface is now canonified in sys.hardware_mac[interface] to align with sys.ipv4[interface] (Redmine #3418) @@ -2230,182 +2412,182 @@ - Linux flavor "SUSE" now correctly spelled with all uppercase in variables and class names (Redmine #3734). The "suse" lowercase version is also provided for convenience (Redmine #5417). - $(this.promise_filename) and $(..._dirname) variables are now absolute paths. (Redmine #3839) - - including the same file multiple times in 'body control inputs' is not an error + - Including the same file multiple times in 'body control inputs' is not an error - portnumber in body copy_from now supports service names like "cfengine", "pop3" etc, check /etc/services for more. - The failsafe.cf policy, run on bootstrap and in some other unusual cases, has been extracted from C code into libpromises/failsafe.cf - masterfiles - - cf_promises_validated is now in JSON format - - timestamp key is timestamp (sec since unix epoch) of last time validated - - the masterfiles now come from https://github.com/cfengine/masterfiles and are - not in the core repository + - cf_promises_validated is now in JSON format + - timestamp key is timestamp (sec since unix epoch) of last time validated + - the masterfiles now come from https://github.com/cfengine/masterfiles and are + not in the core repository - cf-serverd calls cf-agent with -Dcfruncommand when executing cf-runagent requests - - Mark as removed: promise_notkept_log_include, promise_notkept_log_exclude, promise_repaired_log_include, - promise_repaired_log_exclude, classes_include, classes_exclude, variables_include, - variables_exclude attributes from report_data_select body (syntax is valid but not functional). - They have been replaced by the following attributes: promise_handle_include, - promise_handle_exclude, metatags_include, metatags_exclude. + - Mark as removed: promise_notkept_log_include, promise_notkept_log_exclude, promise_repaired_log_include, + promise_repaired_log_exclude, classes_include, classes_exclude, variables_include, + variables_exclude attributes from report_data_select body (syntax is valid but not functional). + They have been replaced by the following attributes: promise_handle_include, + promise_handle_exclude, metatags_include, metatags_exclude. New features: - New promise type "users" for managing local user accounts. - TLS authentication and fully encrypted network protocol. Additions specific to the new type of connections: - - New attribute "allowlegacyconnects" in body server control, - which enables serving policy via non-latest cfengine protocol, - to the given list of hosts. If the option is absent, it - defaults to allow all hosts. To refuse non-TLS connections, - specify an empty list. - - New attribute "protocol_version" in body copy_from, and body - common control, which defines the preferred protocol for - outgoing connections.. Allowed values at the moment: "0" or - "undefined", "classic" or "1", "latest" or "2". By leaving the - copy_from option as undefined the common control option is - used, and if both are undefined then classic protocol is used - by default. - - The new networking protocol uses TLS for authentication, - after which all dialog is encrypted within the established - TLS session. cf-serverd is still able to speak the legacy - protocol with old agents. - - The 'skipverify' option in 'body server control' is - deprecated and only left for compatibility; it does - nothing - - cf-serverd does not hang up the connection if some request - fails, so that the client can add more requests. - - For the connections using the new protocol, all of the - paths in bundle server access_rules now differentiate - between a directory and a file using the trailing - slash. If the path exists then this is auto-detected and - trailing slash appended automatically. You have to append - a trailing slash manually to an inexistent or symbolic - path (e.g. "/path/to/$(connection.ip)/") to force - recursive access. + - New attribute "allowlegacyconnects" in body server control, + which enables serving policy via non-latest CFEngine protocol, + to the given list of hosts. If the option is absent, it + defaults to allow all hosts. To refuse non-TLS connections, + specify an empty list. + - New attribute "protocol_version" in body copy_from, and body + common control, which defines the preferred protocol for + outgoing connections.. Allowed values at the moment: "0" or + "undefined", "classic" or "1", "latest" or "2". By leaving the + copy_from option as undefined the common control option is + used, and if both are undefined then classic protocol is used + by default. + - The new networking protocol uses TLS for authentication, + after which all dialog is encrypted within the established + TLS session. cf-serverd is still able to speak the legacy + protocol with old agents. + - The 'skipverify' option in 'body server control' is + deprecated and only left for compatibility; it does + nothing + - cf-serverd does not hang up the connection if some request + fails, so that the client can add more requests. + - For the connections using the new protocol, all of the + paths in bundle server access_rules now differentiate + between a directory and a file using the trailing + slash. If the path exists then this is auto-detected and + trailing slash appended automatically. You have to append + a trailing slash manually to an inexistent or symbolic + path (e.g. "/path/to/$(connection.ip)/") to force + recursive access. - New in 'access' promises for 'bundle server access_rules' - - Attributes "admit_ips", "admit_hostnames", "admit_keys", - "deny_ips", "deny_hostnames", "deny_keys" - - "admit_keys" and "deny_keys" add the new functionality - of controlling access according to host identity, - regardless of the connecting IP. - - For these new attributes, regular expressions - are not allowed, only CIDR notation for "admit/deny_ips", exact - "SHA=..." strings for "admit/deny_keys", and exact hostnames - (e.g. "cfengine.com") or subdomains (starting with dot, - e.g. ".cfengine.com") for "admit/deny"_hostnames. Same rules - apply to 'deny_*' attributes. - - These new constraints and the paths in access_rules, can contain - special variables "$(connection.ip)", "$(connection.hostname)", - "$(connection.key)", which are expanded dynamically for every - received connection. - - For connections using the new protocol, "admit" and "deny" - constraints in bundle server access_rules are being phased - out, preferred attributes are now "admit_ips", "deny_ips", - "admit_hostnames", "deny_hostnames", "admit_keys", - "deny_keys". - - New "shortcut" attribute in bundle server access_rules used to - dynamically expand non-absolute request paths. + - Attributes "admit_ips", "admit_hostnames", "admit_keys", + "deny_ips", "deny_hostnames", "deny_keys" + - "admit_keys" and "deny_keys" add the new functionality + of controlling access according to host identity, + regardless of the connecting IP. + - For these new attributes, regular expressions + are not allowed, only CIDR notation for "admit/deny_ips", exact + "SHA=..." strings for "admit/deny_keys", and exact hostnames + (e.g. "cfengine.com") or subdomains (starting with dot, + e.g. ".cfengine.com") for "admit/deny"_hostnames. Same rules + apply to 'deny_*' attributes. + - These new constraints and the paths in access_rules, can contain + special variables "$(connection.ip)", "$(connection.hostname)", + "$(connection.key)", which are expanded dynamically for every + received connection. + - For connections using the new protocol, "admit" and "deny" + constraints in bundle server access_rules are being phased + out, preferred attributes are now "admit_ips", "deny_ips", + "admit_hostnames", "deny_hostnames", "admit_keys", + "deny_keys". + - New "shortcut" attribute in bundle server access_rules used to + dynamically expand non-absolute request paths. - masterfiles - - standard library split: lib/3.5 (compatibility) and lib/3.6 (mainline) - - many standard library bundles and bodies, especially packages- and file-related, - were revised and fixed - - supports both Community and Enterprise - - new 'inventory/' structure to provide OS, dmidecode, LSB, etc. system inventory - (configured mainly in def.cf) - - cf_promises_release_id contains the policy release ID which is the GIT HEAD SHA - if available or hash of tree - - a bunch'o'bundles to make starting with CFEngine easier: - - file-related: file_mustache, file_mustache_jsonstring, file_tidy, dir_sync, file_copy, - file_link, file_hardlink, file_empty, file_make - - packages-related: package_absent, package_present, package_latest, - package_specific_present, package_specific_absent, package_specific_latest, package_specific - - XML-related: xml_insert_tree_nopath, xml_insert_tree, xml_set_value, xml_set_attribute - - VCS-related: git_init, git_add, git_checkout, git_checkout_new_branch, - git_clean, git_stash, git_stash_and_clean, git_commit, git - - process-related: process_kill - - other: cmerge, url_ping, logrotate, prunedir + - standard library split: lib/3.5 (compatibility) and lib/3.6 (mainline) + - many standard library bundles and bodies, especially packages- and file-related, + were revised and fixed + - supports both Community and Enterprise + - new 'inventory/' structure to provide OS, dmidecode, LSB, etc. system inventory + (configured mainly in def.cf) + - cf_promises_release_id contains the policy release ID which is the GIT HEAD SHA + if available or hash of tree + - a bunch'o'bundles to make starting with CFEngine easier: + - file-related: file_mustache, file_mustache_jsonstring, file_tidy, dir_sync, file_copy, + file_link, file_hardlink, file_empty, file_make + - packages-related: package_absent, package_present, package_latest, + package_specific_present, package_specific_absent, package_specific_latest, package_specific + - XML-related: xml_insert_tree_nopath, xml_insert_tree, xml_set_value, xml_set_attribute + - VCS-related: git_init, git_add, git_checkout, git_checkout_new_branch, + git_clean, git_stash, git_stash_and_clean, git_commit, git + - process-related: process_kill + - other: cmerge, url_ping, logrotate, prunedir - New command line options for agent binaries - - New options to cf-promises - - '--show-classes' and '--show-vars' - - '--eval-functions' controls whether cf-promises should evaluate functions - - Colorized output for agent binaries with command line option '--color' - (auto-enabled if you set CFENGINE_COLOR=1) + - New options to cf-promises + - '--show-classes' and '--show-vars' + - '--eval-functions' controls whether cf-promises should evaluate functions + - Colorized output for agent binaries with command line option '--color' + (auto-enabled if you set CFENGINE_COLOR=1) - New language features - - New variable type 'data' for handling of structured data (ie JSON), - including supporting functions: - - 'data_readstringarray' - read a delimited file into a data map - - 'data_readstringarrayidx' - read a delimited file into a data array - - 'datastate' - create a data variable with currently set classes and variables - - 'datatype' - determine the type of the top element of a container - - 'format' - %S can be used to serialize 'data' containers into a string - - 'mergedata' - merge two data containers, slists/ilists/rlists, or "classic" - arrays into a data container - - 'parsejson' - create a data container from a JSON string - - 'readjson' - create a data container from a file that contains JSON - - 'storejson' - serialize a data container into a string - - Most functions operating on lists can also operate on data containers - - pass a data container to a bundle with the @(container) notation - - the module protocol accepts JSON for data containers with the '%' sigil + - New variable type 'data' for handling of structured data (ie JSON), + including supporting functions: + - 'data_readstringarray' - read a delimited file into a data map + - 'data_readstringarrayidx' - read a delimited file into a data array + - 'datastate' - create a data variable with currently set classes and variables + - 'datatype' - determine the type of the top element of a container + - 'format' - %S can be used to serialize 'data' containers into a string + - 'mergedata' - merge two data containers, slists/ilists/rlists, or "classic" + arrays into a data container + - 'parsejson' - create a data container from a JSON string + - 'readjson' - create a data container from a file that contains JSON + - 'storejson' - serialize a data container into a string + - Most functions operating on lists can also operate on data containers + - pass a data container to a bundle with the @(container) notation + - the module protocol accepts JSON for data containers with the '%' sigil - Tagging of classes and variables allows annotating of language construct with meta data; supporting functionality: - - The module protocol in 'commands' promises has been extended to allow setting - of tags of created variables and classes, and the context of created variables - - 'getclassmetatags' - returns list of meta tags for a class - - 'getvariablemetatags' - returns list of meta tags for a variable + - The module protocol in 'commands' promises has been extended to allow setting + of tags of created variables and classes, and the context of created variables + - 'getclassmetatags' - returns list of meta tags for a class + - 'getvariablemetatags' - returns list of meta tags for a variable - 'body file control' has an 'inputs' attribute to include library files and other dependencies - bundlesequences can be built with bundlesmatching() based on bundle name and tags - New attributes in existing promise types and bodies - - New option 'preserve_all_lines' for insert_type in insert_lines promises - - Caching of expensive system functions to avoid multiple executions of - execresult() etc, can be controlled via cache_system_functions attribute in - body common control - - New option 'mailsubject' in body executor control allows defining the subject - in emails sent by CFEngine - - Support for Mustache templates in 'files' promises; use 'template_method' and - 'template_data' attributes. Without 'template_data' specified, uses datastate(). + - New option 'preserve_all_lines' for insert_type in insert_lines promises + - Caching of expensive system functions to avoid multiple executions of + execresult() etc, can be controlled via cache_system_functions attribute in + body common control + - New option 'mailsubject' in body executor control allows defining the subject + in emails sent by CFEngine + - Support for Mustache templates in 'files' promises; use 'template_method' and + 'template_data' attributes. Without 'template_data' specified, uses datastate(). - New and improved functions - - 'bundlesmatching' - returns list of defined bundles matching a regex and tags - - 'canonifyuniquely' - converts a string into a unique, legal class name - - 'classesmatching' - returns list of set classes matching a regex and tags - - 'eval' - evaluates mathematical expressions; knows SI k, m, g quantifiers, e.g. "100k" - - 'findfiles' - list files matching a search pattern; use "**" for recursive searches - - 'makerule' - evaluates whether a target file needs to be rebuilt from sources - - 'max', 'min' - returns maximum and minimum of the numbers in a container or list - (sorted by a 'sort' method) - - 'mean' - returns the mean of the numbers in a container or list - - 'nth' - learned to look up by key in a data container holding a map - - 'packagesmatching' - returns a filtered list of installed packages. - - 'readfile' - learned to read system files of unknown size like those in /proc - - 'sort' - can sort lexicographically, numerically (int or real), by IP, or by MAC - - 'string_downcase', 'string_upcase' - returns the lower-/upper-case version of a - string - - 'string_head', 'string_tail' - returns the beginning/end of a string - - 'string_length' - returns the length of a string - - 'string_reverse' - reverses a string - - 'string_split' - improved implementation, deprecates 'splitstring' - - 'variablesmatching' - returns a list of variables matching a regex and tags - - 'variance' - returns the variance of numbers in a list or container + - 'bundlesmatching' - returns list of defined bundles matching a regex and tags + - 'canonifyuniquely' - converts a string into a unique, legal class name + - 'classesmatching' - returns list of set classes matching a regex and tags + - 'eval' - evaluates mathematical expressions; knows SI k, m, g quantifiers, e.g. "100k" + - 'findfiles' - list files matching a search pattern; use "**" for recursive searches + - 'makerule' - evaluates whether a target file needs to be rebuilt from sources + - 'max', 'min' - returns maximum and minimum of the numbers in a container or list + (sorted by a 'sort' method) + - 'mean' - returns the mean of the numbers in a container or list + - 'nth' - learned to look up by key in a data container holding a map + - 'packagesmatching' - returns a filtered list of installed packages. + - 'readfile' - learned to read system files of unknown size like those in /proc + - 'sort' - can sort lexicographically, numerically (int or real), by IP, or by MAC + - 'string_downcase', 'string_upcase' - returns the lower-/upper-case version of a + string + - 'string_head', 'string_tail' - returns the beginning/end of a string + - 'string_length' - returns the length of a string + - 'string_reverse' - reverses a string + - 'string_split' - improved implementation, deprecates 'splitstring' + - 'variablesmatching' - returns a list of variables matching a regex and tags + - 'variance' - returns the variance of numbers in a list or container - New hard classes - - Introduced alias 'policy_server' for context 'am_policy_hub' (the latter will - be deprecated) - - all the time-based classes have GMT equivalents + - Introduced alias 'policy_server' for context 'am_policy_hub' (the latter will + be deprecated) + - all the time-based classes have GMT equivalents - New variables - - 'sys.bindir' - the location of the CFEngine binaries - - 'sys.failsafe_policy_path' - the location of the failsafe policy file - - 'sys.inputdir' - the directory where CFEngine searches for policy files - - 'sys.key_digest' - the digest of the host's cryptographic key - - 'sys.libdir', 'sys.local_libdir' - the location of the CFEngine libraries - - 'sys.logdir' - the directory where the CFEngine log files are saved - - 'sys.masterdir' - the location of masterfiles on the policy server - - 'sys.piddir' - the directory where the daemon pid files are saved - - 'sys.sysday' - the number of days since the beginning of the UNIX epoch - - 'sys.systime' - the number of seconds since the beginning of the UNIX epoch - - 'sys.update_policy_path' - the name of the update policy file - - 'sys.uptime' - the number of minutes the host has been online - - 'this.promise_dirname' - the name of the file in which the current promise - is defined - - 'this.promiser_uid' - the ID of the user running cf-agent - - 'this.promiser_gid' - the group ID of the user running cf-agent - - 'this.promiser_ppid' - the ID of the parent process running cf-agent + - 'sys.bindir' - the location of the CFEngine binaries + - 'sys.failsafe_policy_path' - the location of the failsafe policy file + - 'sys.inputdir' - the directory where CFEngine searches for policy files + - 'sys.key_digest' - the digest of the host's cryptographic key + - 'sys.libdir', 'sys.local_libdir' - the location of the CFEngine libraries + - 'sys.logdir' - the directory where the CFEngine log files are saved + - 'sys.masterdir' - the location of masterfiles on the policy server + - 'sys.piddir' - the directory where the daemon pid files are saved + - 'sys.sysday' - the number of days since the beginning of the UNIX epoch + - 'sys.systime' - the number of seconds since the beginning of the UNIX epoch + - 'sys.update_policy_path' - the name of the update policy file + - 'sys.uptime' - the number of minutes the host has been online + - 'this.promise_dirname' - the name of the file in which the current promise + is defined + - 'this.promiser_uid' - the ID of the user running cf-agent + - 'this.promiser_gid' - the group ID of the user running cf-agent + - 'this.promiser_ppid' - the ID of the parent process running cf-agent Deprecations: - 'splitstring' - deprecated by 'string_split' @@ -2413,349 +2595,299 @@ - 'skipverify' Bug fixes: for a complete list of fixed bugs, see Redmine at https://cfengine.com/dev - - various fixes in evaluation and variable resolution + - Various fixes in evaluation and variable resolution - Improve performance of list iteration (Redmine #1875) - Removed limitation of input length to internal buffer sizes - - directories ending with "/" are not ignored - - lsdir() always return a list now, never a scalar + - directories ending with "/" are not ignored + - lsdir() always return a list now, never a scalar - 'abortclasses' fixed to work in common bundles and other cases - - namespaced 'edit_line' bundles now work (Redmine#3781) - - lists are interpolated in correct order (Redmine#3122) + - Namespaced 'edit_line' bundles now work (Redmine#3781) + - Lists are interpolated in correct order (Redmine#3122) - cf-serverd reloads policies properly when they change - - lots of leaks (memory and file descriptor) fixed + - Lots of leaks (memory and file descriptor) fixed 3.5.3 - Changes: - - Improved security checks of symlink ownership. A symlink created by a user pointing - to resources owned by a different user will no longer be followed. - - Changed the way package versions are compared in package promises. (Redmine #3314) - In previous versions the comparison was inconsistent. This has been fixed, but may - also lead to behavior changes in certain cases. In CFEngine 3.5.3, the comparison - works as follows: - - For instance: - apache-2.2.31 ">=" "2.2.0" - will result in the package being installed. - - Bug fixes: - - fix cf-monitord crash due to incorrect array initialization (Redmine #3180) - - fix cf-serverd stat()'ing the file tree every second (Redmine #3479) - - correctly populate sys.hardware_addresses variable (Redmine #2936) - - add support for Debian's GNU/kfreebsd to build system (Redmine #3500) - - fix possible stack corruption in guest_environments promises (Redmine #3552) - - work-around hostname trunctation in HP-UX's uname (Redmine #3517) - - fix body copy purging of empty directories (Redmine #3429) - - make discovery and loading of avahi libraries more robust - - compile and packaging fixes for HP-UX, AIX and Solaris - - fix fatal error in lsdir() when directory doesn't exist (Redmine #3273) - - fix epoch calculation for stime inrange calculation (Redmine #2921) + Changes: + - Improved security checks of symlink ownership. A symlink created by a user pointing + to resources owned by a different user will no longer be followed. + - Changed the way package versions are compared in package promises. (Redmine #3314) + In previous versions the comparison was inconsistent. This has been fixed, but may + also lead to behavior changes in certain cases. In CFEngine 3.5.3, the comparison + works as follows: + + For instance: + apache-2.2.31 ">=" "2.2.0" + will result in the package being installed. + + Bug fixes: + - Fix cf-monitord crash due to incorrect array initialization (Redmine #3180) + - Fix cf-serverd stat()'ing the file tree every second (Redmine #3479) + - Correctly populate sys.hardware_addresses variable (Redmine #2936) + - Add support for Debian's GNU/kfreebsd to build system (Redmine #3500) + - Fix possible stack corruption in guest_environments promises (Redmine #3552) + - Work-around hostname trunctation in HP-UX's uname (Redmine #3517) + - Fix body copy purging of empty directories (Redmine #3429) + - Make discovery and loading of avahi libraries more robust + - Compile and packaging fixes for HP-UX, AIX and Solaris + - Fix fatal error in lsdir() when directory doesn't exist (Redmine #3273) + - Fix epoch calculation for stime inrange calculation (Redmine #2921) 3.5.2 - Bug fixes: - - fix delayed abortclasses checking (Redmine #2316, #3114, #3003) - - fix maplist arguments bug (Redmine #3256) - - fix segfaults in cf-pomises (Redmine #3173, 3194) - - fix build on Solaris 10/SmartOS (Redmine #3097) - - sanitize characters from /etc/issue in sys.flavor for Debian (Redmine #2988) - - Fix segfault when dealing with files or data > 4K (Redmine #2912, 2698) - - Don't truncate keys to 126 characters in getindices (Redmine #2626) - - files created via log_* actions now have mode 600 (Redmine #1578) - - fix wrong log message when a promise is ignored due to 'ifvarclass' not matching - - fix lifetime of persistent classes (Redmine #3259) - - fix segfault when process_select body had no process_result attribute - Default to AND'ed expression of all specified attributes (Redmine #3224) - - include system message in output when acl promises fail - - fix invocation of standard_services bundle and corresponding promise compliance (Redmine #2869) + Bug fixes: + - Fix delayed abortclasses checking (Redmine #2316, #3114, #3003) + - Fix maplist arguments bug (Redmine #3256) + - Fix segfaults in cf-pomises (Redmine #3173, 3194) + - Fix build on Solaris 10/SmartOS (Redmine #3097) + - Sanitize characters from /etc/issue in sys.flavor for Debian (Redmine #2988) + - Fix segfault when dealing with files or data > 4K (Redmine #2912, 2698) + - Don't truncate keys to 126 characters in getindices (Redmine #2626) + - Files created via log_* actions now have mode 600 (Redmine #1578) + - Fix wrong log message when a promise is ignored due to 'ifvarclass' not matching + - Fix lifetime of persistent classes (Redmine #3259) + - Fix segfault when process_select body had no process_result attribute + Default to AND'ed expression of all specified attributes (Redmine #3224) + - Include system message in output when acl promises fail + - Fix invocation of standard_services bundle and corresponding promise compliance (Redmine #2869) 3.5.1 - Changes: - - file changes are logged with log level Notice, not Error - - the CFEngine Standard Library in masterfiles/libraries is now split into - promise-type specific policy files, and lives in a version-specific directory. - This should have no impact on current code, but allows more granular include of - needed stdlib elements (Redmine #3044) - - Bug fixes: - - fix recursive copying of files (Redmine #2965) - - respect classes in templates (Redmine ##2928) - - fix timestamps on Windows (Redmine #2933) - - fix non-root cf-agent flooding syslog (Redmine #2980) - - fix email flood from cf-execd due to timestamps in agent output (Redmine #3011) - - Preserve security context when editing or copying local files (Redmine #2728) - - fix path for sys.crontab on redhat systems (Redmine #2553) - - prevent incorrect "insert_lines promise uses the same select_line_matching anchor" warning (Redmine #2778) - - Fix regression of setting VIPADDRESS to 127.0.0.1 (Redmine #3010) - - Fix "changes" promise not receiving status when file is missing (Redmine #2820) - - Fix symlinks being destroyed when editing them (Redmine #2363) - - Fix missing "promise kept" status for the last line in a file (Redmine #2943) + Changes: + - File changes are logged with log level Notice, not Error + - The CFEngine Standard Library in masterfiles/libraries is now split into + promise-type specific policy files, and lives in a version-specific directory. + This should have no impact on current code, but allows more granular include of + needed stdlib elements (Redmine #3044) + + Bug fixes: + - Fix recursive copying of files (Redmine #2965) + - Respect classes in templates (Redmine ##2928) + - Fix timestamps on Windows (Redmine #2933) + - Fix non-root cf-agent flooding syslog (Redmine #2980) + - Fix email flood from cf-execd due to timestamps in agent output (Redmine #3011) + - Preserve security context when editing or copying local files (Redmine #2728) + - Fix path for sys.crontab on redhat systems (Redmine #2553) + - Prevent incorrect "insert_lines promise uses the same select_line_matching anchor" warning (Redmine #2778) + - Fix regression of setting VIPADDRESS to 127.0.0.1 (Redmine #3010) + - Fix "changes" promise not receiving status when file is missing (Redmine #2820) + - Fix symlinks being destroyed when editing them (Redmine #2363) + - Fix missing "promise kept" status for the last line in a file (Redmine #2943) 3.5.0 - New features: - - classes promises now take an optional scope constraint. - - new built-in functions: every, none, some, nth, sublist, uniq, filter - - every - - none - - some - - nth - - sublist - - uniq - - filter - - classesmatching - - strftime - - filestat - - ifelse - - maparray - - format - - cf-promises flag --parse-tree is replaced by --policy-output-format=, requiring the + New features: + - classes promises now take an optional scope constraint. + - New built-in functions: every, none, some, nth, sublist, uniq, filter + - every + - none + - some + - nth + - sublist + - uniq + - filter + - classesmatching + - strftime + - filestat + - ifelse + - maparray + - format + - cf-promises flag --parse-tree is replaced by --policy-output-format=, requiring the user to specify the output format (none, cf, json) - - cf-promises allows partial check of policy (without body common control) without integrity check; + - cf-promises allows partial check of policy (without body common control) without integrity check; --full-check enforces integrity check - - agent binaries support JSON input format (.json file as generated by cf-promises) - - cf-key: new options --trust-key/-t and --print-digest/-p - - Class "failsafe_fallback" is defined in failsafe.cf when main policy contains errors and - failsafe is run because of this - - add scope attribute for body classes (Redmine #2013) - - Better diagnostics of parsing errors - - Error messages from parser now show the context of error - - new cf-agent option: --self-diagnostics - - new output format, and --legacy-output - - warnings for cf-promises. - - Enable zeroconf-discovery of policy hubs for automatic bootstrapping - if Avahi is present - - Support for sys.cpus on more platforms than Linux & HPUX - - Changes: - - parser no longer allows ',' after promiser or promisee. must be either ';' or lval - - Make parser output in GCC compatible format the only supported format - (remove --gcc-brief-format flag) - - - Silence license warnings in Enterprise Free25 installations - - action_policy => "warn" causes not_kept classes to be set on promise needing repair. - - command line option version (-V) now prints a shorter parsable version without graphic - - implicit execution of server and common bundles taking arguments is skipped in cf-serverd. - - WARNING: option --policy-server removed, require option to --bootstrap instead - - process promises don't log if processes are out of range unless you - run in verbose mode - - reports promises are now allowed in any context (Redmine #2005) - - cf-report has been removed - - cf-execd: --once implies --no-fork - - Version info removed from mail subject in the emails sent by cf-execd. - The subject will only contain "[fqname/ipaddress]" instead of "communnity/nova [fqname/ipaddress]" - Please change your email filters accordingly if necessary. - - "outputs" promise type is retired. Their semantics was not clear, and the functionality - is better suited for control body setting, not a promise. - - Tokyo Cabinet databases are now automatically checked for - correctness during opening. It should prevent a number of issues - with corrupted TC databases causing binaries to hang. - - Improved ACL handling on Windows, which led to some syntax changes. We now consistently - use the term "default" to describe ACLs that can be inherited by child objects. These - keywords have received new names: - acl_directory_inherit -> acl_default - specify_inherit_aces -> specify_default_aces - The old keywords are deprecated, but still valid. In addition, a new keyword - "acl_inherit" controls inheritance behavior on Windows. This feature does not exist on - Unix platforms. (Redmine #1832) - - Networking code is moved from libpromises to its own library, - libcfnet. Work has begun on making the API more sane and thread-safe. - Lots of legacy code was removed. - - Add getaddrinfo() replacement in libcompat (borrowed from PostgreSQL). - - Replace old deprecated and non thread-safe resolver calls with - getaddrinfo() and getnameinfo(). - - Hostname2IPString(), IPString2Hostname() are now thread-safe, and are - returning error when resolution fails. - - Running cf-execd --once now implies --no-fork, and also does not wait - for splaytime to pass. - - execresult(), returnszero() and commands promises no longer requires the first word - word to be an absolute path when using the shell. (Part of Redmine #2143) - - commands promises useshell attribute now accepts "noshell" and "useshell" values. Boolean - values are accepted but deprecated. (Part of Redmine #2143) - - returnszero() now correctly sets the class name in this scenario (Part of - Redmine #2143): - classes: - "commandfailed" not => returnszero("/bin/nosuchcommand", "noshell"); - - Bugfixes: - - bundles are allowed to be empty (Redmine #2411) - - Fixed '.' and '-' not being accepted by a commands module. (Redmine #2384) - - Correct parsing of list variables by a command module. (Redmine #2239) - - Fixed issue with package management and warn. (Redmine #1831) - - Fixed JSON crash. (Redmine #2151) - - Improved error checking when using fgets(). (Redmine #2451) - - Fixed error message when deleting nonexistent files. (Redmine #2448) - - Honor warn-only when purging from local directory. (Redmine #2162) - - Make sure "restart" and "reload" are recognized keywords in packages. (Redmine #2468) - - Allocate memory dynamically to avoid out-of-buffer or out-of-hash - situations - - fix edit_xml update of existing attributes (Redmine #2034) - - use failsafe policy from compile-time specified workdir (Redmine #1991) - - ifvarclass checked from classes promises in common bundles - - do not wait for splaytime when executing only once - - disable xml editing functionality when libxml2 doesn't provide necessary APIs (Redmine #1937) - - Out-of-tree builds should work again, fixed a bunch of related bugs. - - Fixed race condition in file editing. (Redmine #2545) - - Fixed memory leak in cf-serverd and others (Redmine #1758) - -3.4.5 (Bugfix and Stability release) - - Bugfixes: - - - make qualified arrays expand correcty (Redmine #1998, Mantis #1128) - - - correct possible errors in tcdb files when opening - - - avoid possible db corruption when mixing read/write and cursor operations - - - Allow umask value of 002 (Redmine #2496) - -3.4.4 (Bugfix and Stability release) - - Bugfixes: - - - prevent possible crash when archiving files (GitHub #316) - - - don't create symlinks to cf-know in update policy - - - don't enable xml support if libxml2 is too old (Redmine #1937) - -3.4.3 (Bugfix and Stability release) + - Agent binaries support JSON input format (.json file as generated by cf-promises) + - cf-key: new options --trust-key/-t and --print-digest/-p + - Class "failsafe_fallback" is defined in failsafe.cf when main policy contains errors and + failsafe is run because of this + - Add scope attribute for body classes (Redmine #2013) + - Better diagnostics of parsing errors + - Error messages from parser now show the context of error + - New cf-agent option: --self-diagnostics + - New output format, and --legacy-output + - Warnings for cf-promises. + - Enable zeroconf-discovery of policy hubs for automatic bootstrapping + if Avahi is present + - Support for sys.cpus on more platforms than Linux & HPUX - Bugfixes: - - - Don't flood error messages when processes are out of defined range - - - prevent segmentation fault in cf-monitord -x (Redmine #2021) - - - when copying files, use same file mode as source file, rather than 0600 (Redmine #1804) - - - include xpath in messages generated by edit_xml operations (Redmine #2057) - -3.4.2 (Bugfix and Stability release) - - Bugfixes: - - - Fixes to policies in masterfiles (see masterfiles/Changelog for details) - - - Fixes for OpenBSD (GitHub #278) - - - Do not canonify values specified in abortbundleclasses/abortclasses (Redmine #1786) - - - Fix build issues on NetBSD, SLES 12.2 + Changes: + - Parser no longer allows ',' after promiser or promisee. must be either ';' or lval + - Make parser output in GCC compatible format the only supported format + (remove --gcc-brief-format flag) + + - Silence license warnings in Enterprise Free25 installations + - action_policy => "warn" causes not_kept classes to be set on promise needing repair. + - Command line option version (-V) now prints a shorter parsable version without graphic + - Implicit execution of server and common bundles taking arguments is skipped in cf-serverd. + - WARNING: option --policy-server removed, require option to --bootstrap instead + - process promises don't log if processes are out of range unless you + run in verbose mode + - reports promises are now allowed in any context (Redmine #2005) + - cf-report has been removed + - cf-execd: --once implies --no-fork + - Version info removed from mail subject in the emails sent by cf-execd. + The subject will only contain "[fqname/ipaddress]" instead of "communnity/nova [fqname/ipaddress]" + Please change your email filters accordingly if necessary. + - "outputs" promise type is retired. Their semantics was not clear, and the functionality + is better suited for control body setting, not a promise. + - Tokyo Cabinet databases are now automatically checked for + correctness during opening. It should prevent a number of issues + with corrupted TC databases causing binaries to hang. + - Improved ACL handling on Windows, which led to some syntax changes. We now consistently + use the term "default" to describe ACLs that can be inherited by child objects. These + keywords have received new names: + acl_directory_inherit -> acl_default + specify_inherit_aces -> specify_default_aces + The old keywords are deprecated, but still valid. In addition, a new keyword + "acl_inherit" controls inheritance behavior on Windows. This feature does not exist on + Unix platforms. (Redmine #1832) + - Networking code is moved from libpromises to its own library, + libcfnet. Work has begun on making the API more sane and thread-safe. + Lots of legacy code was removed. + - Add getaddrinfo() replacement in libcompat (borrowed from PostgreSQL). + - Replace old deprecated and non thread-safe resolver calls with + getaddrinfo() and getnameinfo(). + - Hostname2IPString(), IPString2Hostname() are now thread-safe, and are + returning error when resolution fails. + - Running cf-execd --once now implies --no-fork, and also does not wait + for splaytime to pass. + - execresult(), returnszero() and commands promises no longer requires the first word + word to be an absolute path when using the shell. (Part of Redmine #2143) + - commands promises useshell attribute now accepts "noshell" and "useshell" values. Boolean + values are accepted but deprecated. (Part of Redmine #2143) + - returnszero() now correctly sets the class name in this scenario (Part of + Redmine #2143): + classes: + "commandfailed" not => returnszero("/bin/nosuchcommand", "noshell"); - - Improve error message when libxml2 support is not compiled (Redmine #1799) + Bugfixes: + - Bundles are allowed to be empty (Redmine #2411) + - Fixed '.' and '-' not being accepted by a commands module. (Redmine #2384) + - Correct parsing of list variables by a command module. (Redmine #2239) + - Fixed issue with package management and warn. (Redmine #1831) + - Fixed JSON crash. (Redmine #2151) + - Improved error checking when using fgets(). (Redmine #2451) + - Fixed error message when deleting nonexistent files. (Redmine #2448) + - Honor warn-only when purging from local directory. (Redmine #2162) + - Make sure "restart" and "reload" are recognized keywords in packages. (Redmine #2468) + - Allocate memory dynamically to avoid out-of-buffer or out-of-hash + situations + - Fix edit_xml update of existing attributes (Redmine #2034) + - Use failsafe policy from compile-time specified workdir (Redmine #1991) + - ifvarclass checked from classes promises in common bundles + - Do not wait for splaytime when executing only once + - Disable xml editing functionality when libxml2 doesn't provide necessary APIs (Redmine #1937) + - Out-of-tree builds should work again, fixed a bunch of related bugs. + - Fixed race condition in file editing. (Redmine #2545) + - Fixed memory leak in cf-serverd and others (Redmine #1758) + +3.4.5: (Bugfix and stability release) - - fix potential segmentation fault when trimming network socket data (GitHub #233) + Bugfixes: + - Make qualified arrays expand correcty (Redmine #1998, Mantis #1128) + - Correct possible errors in tcdb files when opening + - Avoid possible db corruption when mixing read/write and cursor operations + - Allow umask value of 002 (Redmine #2496) - - fix potential segmentation fault when address-lookups in lastseen db failed (GitHub #233) +3.4.4: (Bugfix and stability release) - - execute background promise serially when max_children was reached, rather - than skipping them (GitHub #233) + Bugfixes: + - Prevent possible crash when archiving files (GitHub #316) + - Don't create symlinks to cf-know in update policy + - Don't enable xml support if libxml2 is too old (Redmine #1937) - - fix segmentation fault in cf-promises when invoked with --reports (Redmine #1931) +3.4.3: (Bugfix and stability release) - - fix compilation with Sun Studio 12 (Redmine #1901) + Bugfixes: + - Don't flood error messages when processes are out of defined range + - Prevent segmentation fault in cf-monitord -x (Redmine #2021) + - When copying files, use same file mode as source file, rather than 0600 (Redmine #1804) + - Include xpath in messages generated by edit_xml operations (Redmine #2057) - - silence type-pun warning when building on HP-UX (GitHub #287) +3.4.2: (Bugfix and stability release) -3.4.1 (Bugfix and Stability release) + Bugfixes: + - Fixes to policies in masterfiles (see masterfiles/Changelog for details) + - Fixes for OpenBSD (GitHub #278) + - Do not canonify values specified in abortbundleclasses/abortclasses (Redmine #1786) + - Fix build issues on NetBSD, SLES 12.2 + - Improve error message when libxml2 support is not compiled (Redmine #1799) + - Fix potential segmentation fault when trimming network socket data (GitHub #233) + - Fix potential segmentation fault when address-lookups in lastseen db failed (GitHub #233) + - Execute background promise serially when max_children was reached, rather + than skipping them (GitHub #233) + - Fix segmentation fault in cf-promises when invoked with --reports (Redmine #1931) + - Fix compilation with Sun Studio 12 (Redmine #1901) + - Silence type-pun warning when building on HP-UX (GitHub #287) + +3.4.1: (Bugfix and stability release) New feature/behavior: - - cf-execd terminates agent processes that are not responsive for a configurable amount of time (see agent_expireafter in body executor control), defaulting to 1 week Bugfixes: - - - fix regression of classmatch() failing with hard classes (Redmine #1834) - - - create promise-defined and persistent classes in correct + - Fix regression of classmatch() failing with hard classes (Redmine #1834) + - Create promise-defined and persistent classes in correct namespace (Redmine #1836) - - - several fixes to namespace support - - - fix several crash bugs caused by buffer overflow and race + - Several fixes to namespace support + - Fix several crash bugs caused by buffer overflow and race conditions in cf-serverd - - - regenerate time classes in cf-execd for each run (Redmine #1838) - + - Regenerate time classes in cf-execd for each run (Redmine #1838) - edit_xml: fix select_xpath implementation and update documentation NOTE: code that uses select_xpath_region needs to be changed to select_xpath - - edit_xml: make sure that text-modification functions don't overwrite child nodes - - edit_xml: improve error logging 3.4.0 New features: - - Added rpmvercmp utility to compare versions of RPM packages for accurate sorting of RPM packages for packages promises. - - Implement network timeout on server side to avoid keeping stale connections for hours. - - XML editing capabilities. See the documentation for edit_xml body. Note the new dependency: libxml2. - - Implement inheritance of local classes by bundles called using "usebundle". By default classes are not inherited. See the examples/unit_inherit.cf for an example. - - Moved from Nova/Enterprise: - POSIX ACL support, - "outputs" promise type, - remote syslog support. - - packages_default_arch_command hook in packages promises, to specify default architecture of the packages on the system. - - packages_version_less_command / packages_version_equal_command hooks in packages promises, to specify external command for native package manager versions comparison - - agent_expireafter in body executor control allows you to set a timeout on all cf-agent runs, to enforce a threshold on the number of concurrent agents - - Running in Solaris zone is now detected and classes "zone" and "zone_" are created in this case. - - VirtualBox support added to guest_environment promises. - - guest_environment promises are supported under OS X. - - The "depends_on" attribute is now active, for the partal ordering of promises. If a promise depends on another (referred by handle) it will only be considered if the depends_on list is either kept or repaired already. ** WARNING: When upgrading, make sure that any existing use - of depends_on does not make some promises being - unintentionally ignored. This can happen if you are - currently referring to non-existent or never-run handles - in depends_on attributes. - + of depends_on does not make some promises being + unintentionally ignored. This can happen if you are + currently referring to non-existent or never-run handles + in depends_on attributes. - methods return values, initial implementation - - New format for cf-key -s, includes timestamp of last connection - - cf-promises --parse-tree option to parse policy file and dump it in JSON format - - Namespaces support for bundles and bodies. See the examples/unit_namespace*.cf for the usage. - - Default arguments for bundles. See the examples/unit_defaults.cf - - Metadata promise type. See the examples/unit_meta.cf New semantics: - - Methods promises now return the status of promises kept within them. If any promise was not kept, the method is not kept, else if any promise is repaired, the method was repaired @@ -2763,14 +2895,12 @@ - Remote variable access in namespaces by $(namespace:bundle.variable) Changed functionality: - - cf-execd -F switch no longer implies 'run once'. New -O/--once option is added to achieve this behaviour. This makes cf-execd easier to run from systemd, launchd and other supervision systems. Misc: - - Support for the following outdated platforms and corresponding classes has been removed. De facto those platforms were unsupported for a long time, as CFEngine codebase uses C99 @@ -2789,59 +2919,45 @@ - NeXTSTEP (nextstep) - GNU Hurd (gnu) - NEC UX/4800 (ux4800) - - (Old news) Since 3.3.0 the layout of CFEngine Community packages has changed slightly. cf-* binaries have been moved to /var/cfengine/bin, due to the following reasons: - - - cf-* binaries are linked to libraries installed to - /var/cfengine/lib, so placing binaries in /usr/local/sbin does not - increase reliability of the CFEngine, - - - keeping whole CFEngine under single prefix (/var/cfengine) - makes packaging simpler, - - - it matches the layout of CFEngine Enterprise packages. - - Please adjust your policies (the recommended ways to deal with - the move are either to adjust $PATH to include /var/cfengine or to - create symlinks in /usr/local/sbin in case you are relying on - binaries to be available in $PATH). - + - cf-* binaries are linked to libraries installed to + /var/cfengine/lib, so placing binaries in /usr/local/sbin does not + increase reliability of the CFEngine, + - keeping whole CFEngine under single prefix (/var/cfengine) + makes packaging simpler, + - it matches the layout of CFEngine Enterprise packages. + + Please adjust your policies (the recommended ways to deal with + the move are either to adjust $PATH to include /var/cfengine or to + create symlinks in /usr/local/sbin in case you are relying on + binaries to be available in $PATH). - Workdir location is properly changed if --prefix or --enable-fhs options are supplied to configure (Mantis #1195). - - Added check for broken libmysqlclient implementations (Mantis #1217). - - Standard library is updated from COPBL repository. - - cf-know is no longer built in Community releases. The only functionality useful in Community, namely the reference manual generation, is provided by new compile-time cf-gendoc tool. + - Filename (for storing filechanges) changed + from file_change.log -> file_changes.log (in /var/cfengine/state) - - Filename (for storing filechanges) changed - from file_change.log -> file_changes.log (in /var/cfengine/state) - - New format for storing file changes introduced: - [timestamp,filename,,Message] - - N = New file found - C = Content Changed - S = Stats changed - R = File removed + New format for storing file changes introduced: + [timestamp,filename,,Message] + N = New file found + C = Content Changed + S = Stats changed + R = File removed - Acceptance test suite passes on Mac OS X. - - Changed some port numbers to replace old services with imap(s) - - archlinux hard class on Arch Linux. - - Detect BSD Make and automatically switch to GNU Make during build. Bugfixes: - - cfruncommand for cf-execd is an arbitrary shell command now (Mantis #1268). - Fixed broken "daily" splayclasses (Mantis #1307). - Allow filenames up to 4096 bytes in network transfers (Redmine #1199). @@ -2864,73 +2980,64 @@ https://cfengine.com/bugtracker/changelog_page.php (old bug tracker) and https://cfengine.com/dev/projects/core/versions/34 (new bug tracker) -3.3.9 (Bugfix and Stability release) +3.3.9: (Bugfix and stability release) Bugfixes: - - Do not lose hard classes in cf-serverd during policy reload (Mantis #1218). - Implement receive network timeout in cf-serverd. Prevents overloading cf-serverd with stale connections. -3.3.8 (Bugfix and Stability release) +3.3.8: (Bugfix and stability release) Versions 3.3.6, 3.3.7 were internal and weren't released. Bugfixes: - - Propery set sys.domain variable if hostname is fully-qualified. - Fixed several small memory leaks. - Make network timeout for network reads configurable. Previously it was hardcoded to be 30 seconds, which was not enough for cf-runagent invoking cf-agent on big policies (Mantis #1028). -3.3.5 (Bugfix and Stability release) +3.3.5: (Bugfix and stability release) Bugfixes: - - Fixed cf-execd memory leak on hosts with cf-monitord running. - Robustify against wrongly-sized entires in embedded databases. Standard library: - - Bugfixes from upstream COPBL repository. - standard_services bundle from upstream COPBL repository. -3.3.4 (Bugfix and Stability release) +3.3.4: (Bugfix and stability release) Evaluation of policies: - - Fix wrong classes set after installation of several packages using packages promises (Mantis #829). - Fix segfault using edit_template on existing file (Mantis #1155). Misc: - - Fix memory leak during re-read of network interfaces' information in cf-execd/cf-serverd. -3.3.3 (Bugfix and Stability release) +3.3.3: (Bugfix and stability release) Evaluation of policies: - - Zero-length files are valid for readfile() and similar functions (Mantis #1136). - Unchoke agent in case it encounters symlinks in form ./foo (Similar to Mantis #1117). Misc: - - Fix generation of reference manual on machines with umask more relaxed than 022. - Use statvfs(3) on OpenBSD to obtain filesystem information (Mantis #1135). -3.3.2 (Bugfix and Stability release) +3.3.2: (Bugfix and stability release) Evaluation of policies: - - Do not segfault if file copy was interrupted due to network connectivity or server going away (Mantis #1089). - Do not segfault if log_failed attribute is present in body, but @@ -2943,14 +3050,12 @@ (Mantis #890, #1066). Base policy: - - Properly set permissions on files for /var/cfengine/lib on HP-UX (Mantis #1114). - Standard library (cfengine_stdlib.cf) is synced with COPBL repository. Misc: - - Do not create huge file in case corrupted TokyoCabinet database is detected (Mantis #1106). - Fix file descriptor leak on error paths, may have caused crashes @@ -2963,40 +3068,35 @@ on HP-UX (Mantis #1109). - Fix compilation on Solaris 11 (Mantis #1091). -3.3.1 (Bugfix and Stability release) +3.3.1: (Bugfix and stability release) Evaluation of policies: - - Do not cut off name of bundle in variables interpolation (Mantis #975). - Do not segfault in function evaluation guarded by ifvaclass clause (Mantis #1084, #864). - Do not segfault if "classes" promise does not declare any value to be evaluated (Mantis #1074). - Do not segfault in database promises if there is no - database_operation provided (Mantis #1046). + database_operation provided (Mantis #1046). Built-in functions: - - Fix countclassesmatching() function which was misbehaving trying - to match classes starting with alphanumeric symbol (Mantis #1073). + to match classes starting with alphanumeric symbol (Mantis #1073). - Fix diskfree() to return kilobytes, as described in documentation (Mantis #980, #955). - Fix hostsseen() function to avoid treating all hosts as not - being seen since 1970 (Mantis #886). + being seen since 1970 (Mantis #886). - Do not output misleading error message if readtcp() is unable to connect (Mantis #1085). Command-line interface: - - -d option previously reqired an argument, though help message disagreed (Mantis #1053). - Disable --parse-tree option, not ready for the release (Mantis #1063). - Acept -h as a --help option. - Ensure that cf-execd might be started right after being shut down. Misc: - - Plug file descriptor leak after failed file copy (Mantis #990). - Fix unsafe admit rules in default promises.cf (Mantis #1040). - Fix splaytime to match documentation: it is specified in minutes, not seconds (Mantis #1099). Packaging: - - Fix owner/group of initscript and profile.d snippet in RPM builds (Mantis #1061, #1058). - Fix location of libvirt socket CFEngine uses to connect to libvirtd (Mantis #1072). - Install CoreBase to /var/cfengine/masterfiles during installation (Mantis #1075). @@ -3040,7 +3140,6 @@ - mac_:: - discovered MAC addresses Changes: - - Major cleanup of database handling code. Should radically decrease amount of database issues experienced under heavy load. @@ -3053,10 +3152,8 @@ For the older systems QDBM, which relies only on C89, is a better replacement, and deemed to be as portable, as Berkeley DB. - - Change of lastseen database schema. Should radically decrease I/O contention on lasteen database. - - Automatic reload of policies by cf-execd. - Documentation is generated during build, PDF and HTML files are retired from repository. @@ -3071,506 +3168,258 @@ - See the full list of bugfixes at https://cfengine.com/bugtracker/changelog_page.php -3.2.4 (Bugfix and Stability release) - - Fixed failure in network transfer in case of misbehaving peer - - A few tiny memory leaks on error paths fixed - -3.2.3 (Bugfix and Stability release) +3.2.4: (Bugfix and stability release) + - Fixed failure in network transfer in case of misbehaving peer + - A few tiny memory leaks on error paths fixed - A few tiny memory leaks fixed - - Improved performance of cf-serverd under heavy load with - TokyoCabinet database - - Full list of issues fixed is available on - https://cfengine.com/bugtracker/changelog_page.php - -3.2.2 (Bugfix and Stability release) - - Enabled compilation in "large files" mode under AIX - - Alleviated problem with broken file transfers over unstable - Internet links. - - Full list of issues fixed is available on - https://cfengine.com/bugtracker/changelog_page.php - -3.2.1 (Bugfix and Stability release) - - Fixed compilation under HP-UX and Solaris +3.2.3: (Bugfix and stability release) + - A few tiny memory leaks fixed + - Improved performance of cf-serverd under heavy load with + TokyoCabinet database + - Full list of issues fixed is available on + https://cfengine.com/bugtracker/changelog_page.php - Enabled compilation using HP ANSI C compiler +3.2.2: (Bugfix and stability release) + - Enabled compilation in "large files" mode under AIX + - Alleviated problem with broken file transfers over unstable + internet links. + - Full list of issues fixed is available on + https://cfengine.com/bugtracker/changelog_page.php - Full list of issues fixed is available on - https://cfengine.com/bugtracker/changelog_page.php +3.2.1: (Bugfix and stability release) + - Fixed compilation under HP-UX and Solaris + - Enabled compilation using HP ANSI C compiler + - Full list of issues fixed is available on + - https://cfengine.com/bugtracker/changelog_page.php -3.2.0 +3.2.0: New bootstrap method with single-command bootstrapping: - cf-agent --bootstrap --policy-server 123.456.789.123 - Associated policy template files are added, partially maintained by CFEngine - - Bug fixes for file-editing, package versioning, and embedded - database corruption (We recommend using TokyoCabinet instead of - BerkeleyDB if building from source). - - Improved upgrade path for Nova. - - Patches for improved run-agent concurrency - - Reorganization of documentation and community resources - - 100% on regression test suite on 3 operating systems - (Ubuntu, Debian, SuSE on x86-64 hardware) - - Support for multiple release environments - - package_policy update and addupdate now check if user-supplied - version is larger than currently installed - updates only if so - - Help text of cf-report -r corrected - a list of key hashes is - required, not ip addresses. - - New Emacs mode for CFEngine policy files (thanks to Ted Zlatanov!) - - Warnings are on edit_line changes can now give greater degree of information - without spamming promise logs - - Class expressions parser accepts '||' as an alias for '|' again. - - Invalidation of package list cache on installation/removal of - packages. - - New option cf-key -r to remove host key by IP or hostname. - - Added detection of network interfaces which belong to BSD jails. - - Improve robustness of multi-threaded code, in particular fix - problems with spurious access denials in server and losing of - authentication rules after policy reload. - - cf-promises accepts option -b matching cf-agent, which causes it - to do not complain about missing bundlesequence. - - New functions and(), not(), or() and concat() to ease use of - ifvarclass() clause. - - Full list of issues fixed is available on - https://cfengine.com/bugtracker/changelog_page.php - -3.1.5 - New class parser, '||' is no longer allowed in expressions (use '|'). - - Class setting in the promise types insert_lines, delete_lines, - replace_patterns, field_edits, vars, classes is restored. - - suspiciousnames implemented. - - New function getvalues(). - - New functions parse{read,int,string}array to match read{read,int,string}array. - - Testsuite added to check for core functionality. - - Syslog prefix is fixed to say 'cf3' instead of 'community'. - -3.1.4 (Bugfix and Stability release) - - Some urgent patches to 3.1.3. - Class validation parse bug fixed. - Global zone handling error for solaris fixed. - Package architectures handled correctly (bug #456). - Reading and writing of key name "root-.pub" eliminated (bug #442, #453). - cf-serverd crash because of race condition on SERVER_KEYSEEN fixed. - Lock purging to avoid remnant complexity explosion (bug #430). - Some copyright notices added that got lost. - -3.1.3 (Stability release) - - Major memory leaks in cf-monitord, cf-execd, cf-serverd fixed (bug #427). - The daemons now show no growth even with very complex policies. - - cf-serverd crash due to race condition in DeleteScope() fixed (bug #406). - - Added 30 second timeout on recv() on Linux. - - package_noverify_returncode implemented (bug #256). - - A flexible mechanism for setting classes based on return codes of - commands has been introduced. Allows for setting promise kept, - repaired or failed based on any return codes. This is currently - implemented for commands-promises, package-manager commands and - transformer in files. In classes body, see attributes - kept_returncodes, repaired_returncodes, failed_returncodes (bug - #248, #329). - - New function ip2host - reverse DNS lookup (bug #146). - -3.1.2 (Scalability/efficiency release) - - Big efficiency improvements by caching output from - cf-promises. Can also be used for much more efficient policy - deployment (only pull if changed). - - Caching state of ps command for greater efficiency. Reloaded for each bundle. - - Index class lookup improves efficiency of class evaluation for huge configurations. - - Fixed issue where certain promiser strings got corrupted. - - Minor memory access issues fixed. - - Iterator bug introduced in 3.1.0 fixed - -3.1.1 (Bugfix release) - - Memory leaks in server tracked down and fixed. - List expansion bug (one list items not executed) fixed. - Security issue introduced by change of runcommand shell policy fixed. If users defined a runcommand for cf-runagent/cf-serverd communication, possible to execute commands. - cf-key -s command for showing key hash/IP address identity pairs - -3.1.0 - Change in storage of public keys. Cfengine now hashes the public key and uses this - as the keyname. Keys will be converted automatically. - - The old dynamic addresses lists are deprecated. - Caching of dns and key information for greater server speed. - Change in last-seen format reflects the public key usage. - - New package policy addupdate - installs package if not there and - updates it otherwise. - - Support for package_changes => "bulk" in file repository as well. - - New special function readstringarrayidx, similar to readstringarray, - but uses integer indices. Very useful if first row elements are - not good identifiers (e.g. contains spaces, non-unique, etc.). - - Change two log formats to use time() instead of date() - - filechanges - - total compliance - - Change from using md5 to sha256 as default digest for commercial version, - community retains md5 for compat. - - Commands not returning 0 in commands-promises are flagged - as repair_failed. - - Adjustable timeout on connect(). Defaults to 10 seconds, adjustable - with default_timeout in agent control. - - Redesign of the knowledge map infrastructure. - - Now possible to use variables to call methods, e.g - - methods: - - "name $(list)" usebundle => $(list)("abc"); - - See reference manual notes - - Changes to normal ordering to optimize execution. - - Increased stability by always initializing Attribute and Promise - structures. - - When running cf-promises in dry-run mode (-n), the user does not need - to put binaries in WORKDIR/bin. For example, non-privileged users can verify root - policies. - - Source control revision added in version string if run in verbose mode - (e.g. "cf-promises -vV"). This needs some refining, uses revision of a header now. - - New semantics in return values of list functions. Null values are now allowed - and there is no iteration over empty lists. The value "cf_null" is reserved for - use as a null iterator. - -3.0.5p1 - Showing paths allowed/denied access to when cf-serverd is run in verbose mode. - Bug in server fixed for dynamic addresses. - File handle closure bugfix - too many open databases. - Seg fault in mount files fix. - Twin used in cf-execd without checking. - Check_root set wrong directory permissions at source not destination. - Error message degraded in body definition. - Undefined body not warned as error. - Various build enahncements. - Package_list_update called only once per manager, and fixed crash. - Version number bug in packages. - -3.0.5 - Encryption problems fixed - client key buffer was uninitialized. - - Classes-promisers are now automatically canonified when class - strings are defined, to simplifying the use of variables in classes. - - New scalars sys.cf_version and sys.nova_version that hold Cfengine version information. - - Attribute package_delete_convention added, to allow customizable - package name in delete command during update. - - package_list_update_ifelapsed limit added. - - Private variable $(firstrepo) is available in package_name_convention - and package_delete_convention in order to expand the full path to - a package, which is required by some managers. - - Some of the threading code is rewritten and made more robust. This includes - synchronizing access to the lastseen database from the server. - - Bad initialization of BSD flags fixed - Multiple variable expansion issues in control fixed for server and agent - Allow ignore_missing_bundles to affect methods: bundles too - Run agent trust dialogue fixed - - Bug in CPU monitoring, increasing time scale caused linear decay - of CPU measurement. - - Bug in Setuid log storage, fix. - - Hooks added for new Nova virtualization promises. - - Multithreading mutex failed to collide during cfservd leading to dropped authentication under heavy load. - - -3.0.4 - Class cancellation in promises to create better class feedback, - allows emulation of switch/case semantics etc - - Value of SA measurement promises - - Special function getenv() which returns the contents of an - environment variable (on all platforms). - New function translatepath for generic Windows - New function escape() to escape literals as regular expressions (like SQL) - New function host2ip for caching IP address lookup - New function regextract for setting variables with backreferences - - New variables for the components $(sys.cf_agent), $(sys.cf_know) etc - pointing to the binaries. - - More robust integrated database implementation; closing all - handles when receiving signals, self-healing on corruption. - - Package installation on localhost without a manager like yum completed, - multiple repositories searched, and universal methods. - - Numerous bugfixes - - -3.0.3 - sha256 .. new hashes in openssl included in syntax tree. - - End of line autocropping in readfile (hopefully intelligent) - - hashmatch function incorrectly implemented - old debugging code left behind. Fix. - - sys.crontab variable - - Unknown user is now interpretated as "same user", so that we give cfengine a chance to - fix - - Unregistered addresses no longer report "(Non registered IP)", but return as the address - itself when doing reverse lookups. - -3.0.2 - IMPORTANT: Change in normal ordering of editing. replace comes - after insert lines Much testing and minor bug fixing - - Memory leaks fixed - Many hooks added for Nova enterprise extensions. - - promise_output reports now placed in WORKDIR/reports directory - - Initialization correction and self-correx in monitord - - Many new body constraints added. - - Code readied for enterprise version Nova. - - -b option can override the bundlesequence (must not contain parameters yet) - - collapse_destination_dir option added to copy so that files can be - aggregated from subdirectories into a single destination. - - Preparation for release: - unit_accessed_before.cf x - unit_accumulated_time.cf x - unit_acl.cf x - unit_acl_generic.cf x - unit_ago.cf x - unit_arrays.cf x - unit_backreferences_files.cf x - unit_badpromise.cf x - unit_badtype.cf x - unit_bsdflags.cf x - unit_cf2_integration.cf x - unit_changedbefore.cf x - unit_change_detect.cf x - unit_chdir.cf x - unit_classes_global.cf x - unit_classmatch.cf x - unit_classvar_convergence.cf x - unit_compare.cf x - unit_controlclasses.cf x - unit_control_expand.cf x - unit_copy.cf x - unit_copy_edit.cf x - unit_copylinks.cf x - unit_createdb.cf x - unit_create_filedir.cf x - unit_definitions.cf x - unit_deletelines.cf x - unit_disable_and_rotate_files.cf x - unit_dollar.cf x - unit_edit_column_files.cf x - unit_edit_comment_lines.cf x - unit_edit_deletenotmatch.cf x - unit_edit_insert_lines.cf x - unit_edit_insert_lines_silly.cf x - unit_edit_replace_string.cf x - unit_edit_sectioned_file.cf x - unit_edit_setvar.cf x - unit_edit_triggerclass.cf x - unit-env.cf x - unit_epimenides.cf x - unit_exec_args.cf x - unit_execd.cf x - unit_exec_in_sequence.cf x - unit_execresult.cf x - unit_expand.cf x - unit_failsafe.cf x - unit_file_change_detection.cf x - unit_fileexists.cf x - unit_file_owner_list_template.cf x - unit_fileperms.cf x - unit_filesexist2.cf x - unit_filesexist.cf x - unit_getgid.cf x - unit_getindices.cf x - unit_getregistry.cf x - unit_getuid.cf x - unit_global_list_expansion_2.cf x - unit_global_list_expansion.cf x - unit_groupexists.cf x - unit_hash.cf x - unit_hashcomment.cf x - unit_hashmatch.cf x - unit_helloworld.cf x - unit_hostrange.cf x - unit_intarray.cf x - unit_iprange.cf x - unit_irange.cf x - unit_isdir.cf x - unit_islink.cf x - unit_isnewerthan.cf x - unit_isplain.cf x - unit_isvariable.cf x - unit_iteration.cf x - unit_knowledge_txt.cf x - unit_lastnode.cf x - unit_ldap.cf x - unit_linking.cf x - unit_literal_server.cf x - unit_locate_files_and_compress.cf x - unit_log_private.cf x - unit_loops.cf x - unit_measurements.cf x - unit_method.cf x - unit_method_validate.cf x - unit_module_exec_2.cf - unit_module_exec.cf - unit_mount_fs.cf x - unit_neighbourhood_watch.cf x - unit_null_config.cf x - unit_occurrences.cf x - unit_ordering.cf x - unit_package_apt.cf x - unit_package_hash.cf x - unit_package_rpm.cf x - unit_package_yum.cf x - unit_package_zypper.cf x - unit_parallel_exec.cf x - unit_pathtype.cf x - unit_pattern_and_edit.cf x - unit_peers.cf x - unit_postfix.cf x - unit_process_kill.cf x - unit_process_matching2.cf x - unit_process_matching.cf x - unit_process_signalling.cf x - unit_readlist.cf x - unit_readtcp.cf x - unit_regarray.cf x - unit_registry.cf x - unit_regline.cf x - unit_reglist.cf x - unit_remove_deadlinks.cf x - unit_rename.cf x - unit_report_state.cf x - unit_reporttofile.cf x - unit_returnszero.cf x - unit_select_mode.cf x - unit_select_region.cf x - unit_selectservers.cf x - unit_select_size.cf x - unit_server_copy_localhost.cf x - unit_server_copy_remote.cf x - unit_server_copy_purge.cf x - unit_splitstring.cf x - unit_sql.cf x - unit_storage.cf x - unit_strcmp.cf x - unit_stringarray.cf x - unit_syslog.cf x - unit_template.cf x - unit_tidy_all_files.cf x - unit_user_edit.cf x - unit_user_edit_method.cf x - unit_userexists.cf x - unit_varclass.cf x - unit_vars.cf x - unit_warnifline.cf x - unit_webserver.cf x - - -3.0.1 - First standalone release, independent of cfengine 2 - Purge old definitions and check consistency. - - NB: changed search_mode to be a list of matching values - - Reporting rationalized in cf-promises with -r only to avoid - leaving output files everywhere. - - Hooks added for upcoming commercial additions to cfengine. - - Added classify() and hostinnetgroup() functions - Added additional change management options for change detection - - Package management added - generic mechanisms. - - Limits on backgrounding added to avoid resource contention during cfengine runs. - Image type added to cf-know. - - New classes for quartly shifts: Morning,Afternoon,Evening,Night - - Bug fixes in editfiles - line insertion for multiple line objects - - Change the name of the variables and context from the monitord for - better separation of data, and shorter names. sys -> mon - average -> av, stddev -> dev - - canonical name for windows changed from "nt" to "windows", also version names - added "vista","xp" etc.. - - License notices updated for dual license editions. - -3.0.0 - First release of cfengine 3. Known omissions: - - no support for ACLs - - no support for packages - - no support for interface configuration - These will be added in the next release. + - Bug fixes for file-editing, package versioning, and embedded + database corruption (We recommend using TokyoCabinet instead of + BerkeleyDB if building from source). + - Improved upgrade path for Nova. + - Patches for improved run-agent concurrency + - Reorganization of documentation and community resources + - 100% on regression test suite on 3 operating systems + (Ubuntu, Debian, SuSE on x86-64 hardware) + - Support for multiple release environments + - package_policy update and addupdate now check if user-supplied + version is larger than currently installed - updates only if so + - Help text of cf-report -r corrected - a list of key hashes is + required, not ip addresses. + - New Emacs mode for CFEngine policy files (thanks to Ted Zlatanov!) + - Warnings are on edit_line changes can now give greater degree of information + without spamming promise logs + - Class expressions parser accepts '||' as an alias for '|' again. + - Invalidation of package list cache on installation/removal of + packages. + - New option cf-key -r to remove host key by IP or hostname. + - Added detection of network interfaces which belong to BSD jails. + - Improve robustness of multi-threaded code, in particular fix + problems with spurious access denials in server and losing of + authentication rules after policy reload. + - cf-promises accepts option -b matching cf-agent, which causes it + to do not complain about missing bundlesequence. + - New functions and(), not(), or() and concat() to ease use of + ifvarclass() clause. + - Full list of issues fixed is available on + https://cfengine.com/bugtracker/changelog_page.php + +3.1.5: + - New class parser, '||' is no longer allowed in expressions (use '|'). + - Class setting in the promise types insert_lines, delete_lines, + replace_patterns, field_edits, vars, classes is restored. + - suspiciousnames implemented. + - New function getvalues(). + - New functions parse{read,int,string}array to match read{read,int,string}array. + - Testsuite added to check for core functionality. + - Syslog prefix is fixed to say 'cf3' instead of 'community'. + +3.1.4: (Bugfix and stability release) + - Some urgent patches to 3.1.3. + - Class validation parse bug fixed. + - Global zone handling error for solaris fixed. + - Package architectures handled correctly (bug #456). + - Reading and writing of key name "root-.pub" eliminated (bug #442, #453). + - cf-serverd crash because of race condition on SERVER_KEYSEEN fixed. + - Lock purging to avoid remnant complexity explosion (bug #430). + - Some copyright notices added that got lost. + +3.1.3: (Stability release) + - Major memory leaks in cf-monitord, cf-execd, cf-serverd fixed (bug #427). + The daemons now show no growth even with very complex policies. + - cf-serverd crash due to race condition in DeleteScope() fixed (bug #406). + - Added 30 second timeout on recv() on Linux. + - package_noverify_returncode implemented (bug #256). + - A flexible mechanism for setting classes based on return codes of + commands has been introduced. Allows for setting promise kept, + repaired or failed based on any return codes. This is currently + implemented for commands-promises, package-manager commands and + transformer in files. In classes body, see attributes + kept_returncodes, repaired_returncodes, failed_returncodes (bug + #248, #329). + - New function ip2host - reverse DNS lookup (bug #146). + +3.1.2: (Scalability/efficiency release) + - Big efficiency improvements by caching output from + cf-promises. Can also be used for much more efficient policy + deployment (only pull if changed). + - Caching state of ps command for greater efficiency. Reloaded for each bundle. + - Index class lookup improves efficiency of class evaluation for huge configurations. + - Fixed issue where certain promiser strings got corrupted. + - Minor memory access issues fixed. + - Iterator bug introduced in 3.1.0 fixed + +3.1.1: (Bugfix release) + - Memory leaks in server tracked down and fixed. + - List expansion bug (one list items not executed) fixed. + - Security issue introduced by change of runcommand shell policy fixed. If users defined a runcommand for cf-runagent/cf-serverd communication, possible to execute commands. + - cf-key -s command for showing key hash/IP address identity pairs + +3.1.0: + - Change in storage of public keys. Cfengine now hashes the public key and uses this + as the keyname. Keys will be converted automatically. + - The old dynamic addresses lists are deprecated. + Caching of dns and key information for greater server speed. + Change in last-seen format reflects the public key usage. + - New package policy addupdate - installs package if not there and + updates it otherwise. + - Support for package_changes => "bulk" in file repository as well. + - New special function readstringarrayidx, similar to readstringarray, + but uses integer indices. Very useful if first row elements are + not good identifiers (e.g. contains spaces, non-unique, etc.). + - Change two log formats to use time() instead of date() + - filechanges + - total compliance + - Change from using md5 to sha256 as default digest for commercial version, + community retains md5 for compat. + - Commands not returning 0 in commands-promises are flagged + as repair_failed. + - Adjustable timeout on connect(). Defaults to 10 seconds, adjustable + with default_timeout in agent control. + - Redesign of the knowledge map infrastructure. + - Now possible to use variables to call methods, e.g + methods: + "name $(list)" usebundle => $(list)("abc"); + See reference manual notes + - Changes to normal ordering to optimize execution. + - Increased stability by always initializing Attribute and Promise + structures. + - When running cf-promises in dry-run mode (-n), the user does not need + to put binaries in WORKDIR/bin. For example, non-privileged users can verify root + policies. + - Source control revision added in version string if run in verbose mode + (e.g. "cf-promises -vV"). This needs some refining, uses revision of a header now. + - New semantics in return values of list functions. Null values are now allowed + and there is no iteration over empty lists. The value "cf_null" is reserved for + use as a null iterator. + +3.0.5p1: + - Showing paths allowed/denied access to when cf-serverd is run in verbose mode. + - Bug in server fixed for dynamic addresses. + - File handle closure bugfix - too many open databases. + - Seg fault in mount files fix. + - Twin used in cf-execd without checking. + - Check_root set wrong directory permissions at source not destination. + - Error message degraded in body definition. + - Undefined body not warned as error. + - Various build enahncements. + - Package_list_update called only once per manager, and fixed crash. + - Version number bug in packages. + +3.0.5: + - Encryption problems fixed - client key buffer was uninitialized. + - Classes-promisers are now automatically canonified when class + strings are defined, to simplifying the use of variables in classes. + - New scalars sys.cf_version and sys.nova_version that hold Cfengine version information. + - Attribute package_delete_convention added, to allow customizable + package name in delete command during update. + - package_list_update_ifelapsed limit added. + - Private variable $(firstrepo) is available in package_name_convention + and package_delete_convention in order to expand the full path to + a package, which is required by some managers. + - Some of the threading code is rewritten and made more robust. This includes + synchronizing access to the lastseen database from the server. + - Bad initialization of BSD flags fixed + - Multiple variable expansion issues in control fixed for server and agent + - Allow ignore_missing_bundles to affect methods: bundles too + - Run agent trust dialogue fixed + - Bug in CPU monitoring, increasing time scale caused linear decay + of CPU measurement. + - Bug in Setuid log storage, fix. + - Hooks added for new Nova virtualization promises. + - Multithreading mutex failed to collide during cfservd leading to dropped authentication under heavy load. + + +3.0.4: + - Class cancellation in promises to create better class feedback, + allows emulation of switch/case semantics etc + - Value of SA measurement promises + - Special function getenv() which returns the contents of an + environment variable (on all platforms). + - New function translatepath for generic Windows + - New function escape() to escape literals as regular expressions (like SQL) + - New function host2ip for caching IP address lookup + - New function regextract for setting variables with backreferences + - New variables for the components $(sys.cf_agent), $(sys.cf_know) etc + pointing to the binaries. + - More robust integrated database implementation; closing all + handles when receiving signals, self-healing on corruption. + - Package installation on localhost without a manager like yum completed, + multiple repositories searched, and universal methods. + - Numerous bugfixes + + +3.0.3: + - sha256 .. new hashes in openssl included in syntax tree. + - End of line autocropping in readfile (hopefully intelligent) + - hashmatch function incorrectly implemented - old debugging code left behind. Fix. + - sys.crontab variable + - Unknown user is now interpretated as "same user", so that we give CFEngine a chance to + fix + - Unregistered addresses no longer report "(Non registered IP)", but return as the address + itself when doing reverse lookups. + +3.0.2: + - IMPORTANT: Change in normal ordering of editing. replace comes + after insert lines Much testing and minor bug fixing + - Memory leaks fixed + - Many hooks added for Nova enterprise extensions. + - promise_output reports now placed in WORKDIR/reports directory + - Initialization correction and self-correx in monitord + - Many new body constraints added. + - Code readied for enterprise version Nova. + - -b option can override the bundlesequence (must not contain parameters yet) + - collapse_destination_dir option added to copy so that files can be + aggregated from subdirectories into a single destination. + +3.0.1: + - First standalone release, independent of CFEngine 2 + Purge old definitions and check consistency. + - NB: changed search_mode to be a list of matching values + - Reporting rationalized in cf-promises with -r only to avoid + leaving output files everywhere. + - Hooks added for upcoming commercial additions to CFEngine. + - Added classify() and hostinnetgroup() functions + - Added additional change management options for change detection + - Package management added - generic mechanisms. + - Limits on backgrounding added to avoid resource contention during CFEngine runs. + - Image type added to cf-know. + - New classes for quartly shifts: Morning,Afternoon,Evening,Night + - Bug fixes in editfiles - line insertion for multiple line objects + - Change the name of the variables and context from the monitord for + better separation of data, and shorter names. sys -> mon + average -> av, stddev -> dev + - Canonical name for windows changed from "nt" to "windows", also version names + added "vista","xp" etc.. + - License notices updated for dual license editions. + +3.0.0: + - First release of CFEngine 3. Known omissions: + - no support for ACLs + - no support for packages + - no support for interface configuration + - These will be added in the next release. diff --git a/INSTALL b/INSTALL index f78f8f7ed8..7e2a19bde3 100644 --- a/INSTALL +++ b/INSTALL @@ -112,17 +112,35 @@ Here we have examples of command lines for various systems to install dependenci needed to build. The version and date checked are noted in parenthesis. Please submit PRs with updates to this information. -* RedHat/CentOS (rhel-8/rhel-9/centos-7 2022-11-15) +* RedHat/CentOS (rhel-9 2023-10-09) -Note that first you will need to install epel-release (https://fedoraproject.org/wiki/EPEL) for lmdb-devel to be available. +On CentOS: +sudo yum install epel-release && sudo yum update -$ sudo yum install -y gcc gdb make git libtool autoconf automake byacc flex openssl-devel pcre-devel lmdb-devel pam-devel flex-devel libyaml-devel +Or on RHEL, replacing the version number with yours: +sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms && sudo yum update + +sudo yum install -y gcc gdb make git libtool autoconf automake byacc flex openssl-devel pcre-devel lmdb-devel pam-devel flex-devel libyaml-devel fakeroot libxml2-devel For SELinux support you will need selinux-policy-devel package and specify `--with-selinux-policy` to `autogen.sh` or `configure` -* Debian (Raspbian 10 2021-07-02) +* Debian (Debian 12 2023-10-09) + +sudo apt-get install -y build-essential git libtool autoconf automake bison flex libssl-dev libpcre-dev libbison-dev libacl1 libacl1-dev lmdb-utils liblmdb-dev libpam0g-dev libtool libyaml-dev libxml2-dev + +* NetBSD (9.3 2024-03-01) -$ sudo apt-get install -y build-essential git libtool autoconf automake bison flex libssl-dev libpcre3-dev libbison-dev libacl1 libacl1-dev lmdb-utils liblmdb-dev libpam0g-dev libtool libyaml-dev +doas pkgin install automake autoconf bison pcre m4 libtool lmdb gmake +LDFLAGS=-L/usr/pkg/lib CPPFLAGS=-I/usr/pkg/include ./autogen.sh --enable-debug --without-systemd-service --without-systemd-socket +gmake -j8 +doas /usr/pkg/bin/gmake install + +* OpenBSD (7.4 2024-02-15) + +pkg_add git automake-1.16.5 autoconf-2.71 bison pcre m4 libtool lmdb gmake +MAKE=/usr/local/bin/gmake LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include AUTOMAKE_VERSION=1.16 AUTOCONF_VERSION=2.71 ./autogen.sh --enable-debug +gmake -j8 +doas gmake install * FreeBSD (12.1 2020-04-07) @@ -130,19 +148,21 @@ See docs/BSD.md * SUSE (Tumbleweed 2020-02-02) -$ sudo zypper install gdb gcc make lmdb autoconf automake libtool git python3 pcre-devel libopenssl-devel pam-devel +sudo zypper install gdb gcc make lmdb autoconf automake libtool git python3 pcre-devel libopenssl-devel pam-devel * AlpineOS (3.11.3 x86_64 2020-04-13) -$ sudo apk add alpine-sdk lmdb-dev openssl-dev bison flex-dev acl-dev pcre-dev autoconf automake libtool git python3 gdb -$ ./autogen.sh --without-pam +sudo apk add alpine-sdk lmdb-dev openssl-dev bison flex-dev acl-dev pcre-dev autoconf automake libtool git python3 gdb +./autogen.sh --without-pam + +Note that in order for process promises to work you must install the procps package for a "proper" ps command instead of busybox. * Termux (2020-04-24) -$ pkg install build-essential git autoconf automake bison flex liblmdb openssl pcre libacl libyaml -$ ./autogen.sh --without-pam +pkg install build-essential git autoconf automake bison flex liblmdb openssl pcre libacl libyaml +./autogen.sh --without-pam * OSX (2021-10-20) -brew install openssl@1.1 lmdb autoconf automake libtool bison flex pcre m4 gcc make -./autogen.sh --enable-debug --with-openssl="$(brew --prefix openssl@1.1)" +brew install openssl lmdb autoconf automake libtool bison flex pcre m4 gcc make +./autogen.sh --enable-debug diff --git a/README.md b/README.md index 38b16dcff5..deefb86546 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,5 @@ [![Gitter chat](https://badges.gitter.im/cfengine/core.png)](https://gitter.im/cfengine/core) -[![Language grade: C](https://img.shields.io/lgtm/grade/cpp/g/cfengine/core.svg?logo=lgtm&logoWidth=18&label=code%20quality)](https://lgtm.com/projects/g/cfengine/core/) - # CFEngine 3 CFEngine 3 is a popular open source configuration management system. Its primary @@ -44,6 +42,13 @@ stated otherwise in the copyright notice inside the particular file. ## Example Usage +In order to use the built cf-agent in the source tree you must add a $HOME/.cfagent/bin/cf-promises file: + +$ pwd +/core +$ echo "cd $(pwd); cf-promises/cf-promises \"\$@\"" > ~/.cfagent/bin/cf-promises + + ### Hello World The following code demonstrates simple CFEngine output through a reports promise. @@ -65,6 +70,13 @@ The following policy code may be executed with cf-agent (the main CFEngine binar $ cf-agent/cf-agent hello.cf R: Hello, world + +## Debugging + +As this project uses autotools you must use libtool to run gdb/lldb/debuggers + +./libtool --mode=execute ./cf-agent/cf-agent + ## Contributing Please see the [CONTRIBUTING.md](https://github.com/cfengine/core/blob/master/CONTRIBUTING.md) file. diff --git a/cf-agent/cf-agent.c b/cf-agent/cf-agent.c index 145bdd5cbe..5b210668b5 100644 --- a/cf-agent/cf-agent.c +++ b/cf-agent/cf-agent.c @@ -203,6 +203,8 @@ static const struct option OPTIONS[] = /* Only long option for the rest */ {"ignore-preferred-augments", no_argument, 0, 0}, {"log-modules", required_argument, 0, 0}, + {"no-augments", no_argument, 0, 0}, + {"no-host-specific-data", no_argument, 0, 0}, {"show-evaluated-classes", optional_argument, 0, 0 }, {"show-evaluated-vars", optional_argument, 0, 0 }, {"skip-bootstrap-policy-run", no_argument, 0, 0 }, @@ -235,6 +237,8 @@ static const char *const HINTS[] = "Log timestamps on each line of log output", "Ignore def_preferred.json file in favor of def.json", "Enable even more detailed debug logging for specific areas of the implementation. Use together with '-d'. Use --log-modules=help for a list of available modules", + "Do not load augments (def.json)", + "Do not load host-specific data (host_specific.json)", "Show *final* evaluated classes, including those defined in common bundles in policy. Optionally can take a regular expression.", "Show *final* evaluated variables, including those defined without dependency to user-defined classes in policy. Optionally can take a regular expression.", "Do not run policy as the last step of the bootstrap process", @@ -680,6 +684,14 @@ static GenericAgentConfig *CheckOpts(int argc, char **argv) DoCleanupAndExit(EXIT_FAILURE); } } + else if (StringEqual(option_name, "no-augments")) + { + config->agent_specific.common.no_augments = true; + } + else if (StringEqual(option_name, "no-host-specific-data")) + { + config->agent_specific.common.no_host_specific = true; + } else if (StringEqual(option_name, "show-evaluated-classes")) { if (optarg == NULL) diff --git a/cf-agent/cf_sql.c b/cf-agent/cf_sql.c index 6bf2a46956..f2782fb06e 100644 --- a/cf-agent/cf_sql.c +++ b/cf-agent/cf_sql.c @@ -384,7 +384,7 @@ void CfCloseDB(CfdbConn *cfdb) /*****************************************************************************/ -void CfVoidQueryDB(CfdbConn *cfdb, char *query) +void CfVoidQueryDB(CfdbConn *cfdb, const char *query) { if (!cfdb->connected) { @@ -398,7 +398,7 @@ void CfVoidQueryDB(CfdbConn *cfdb, char *query) /*****************************************************************************/ -void CfNewQueryDB(CfdbConn *cfdb, char *query) +void CfNewQueryDB(CfdbConn *cfdb, const char *query) { cfdb->result = false; cfdb->row = 0; diff --git a/cf-agent/cf_sql.h b/cf-agent/cf_sql.h index 5b2779fe46..e126107437 100644 --- a/cf-agent/cf_sql.h +++ b/cf-agent/cf_sql.h @@ -42,8 +42,8 @@ typedef struct void CfConnectDB(CfdbConn *cfdb, DatabaseType dbtype, char *remotehost, char *dbuser, char *passwd, char *db); void CfCloseDB(CfdbConn *cfdb); -void CfVoidQueryDB(CfdbConn *cfdb, char *query); -void CfNewQueryDB(CfdbConn *cfdb, char *query); +void CfVoidQueryDB(CfdbConn *cfdb, const char *query); +void CfNewQueryDB(CfdbConn *cfdb, const char *query); char **CfFetchRow(CfdbConn *cfdb); char *CfFetchColumn(CfdbConn *cfdb, int col); void CfDeleteQuery(CfdbConn *cfdb); diff --git a/cf-agent/files_edit.c b/cf-agent/files_edit.c index 64b43f3bb1..cd0e1997b3 100644 --- a/cf-agent/files_edit.c +++ b/cf-agent/files_edit.c @@ -33,6 +33,7 @@ #include #include #include +#include /*****************************************************************************/ @@ -102,9 +103,9 @@ EditContext *NewEditContext(char *filename, const Attributes *a) /*****************************************************************************/ void FinishEditContext(EvalContext *ctx, EditContext *ec, const Attributes *a, const Promise *pp, - PromiseResult *result) + PromiseResult *result, bool save_file) { - if ((*result != PROMISE_RESULT_NOOP) && (*result != PROMISE_RESULT_CHANGE)) + if (!save_file || ((*result != PROMISE_RESULT_NOOP) && (*result != PROMISE_RESULT_CHANGE))) { // Failure or skipped. Don't update the file. goto end; diff --git a/cf-agent/files_edit.h b/cf-agent/files_edit.h index e4c8341356..425d21b215 100644 --- a/cf-agent/files_edit.h +++ b/cf-agent/files_edit.h @@ -57,7 +57,7 @@ typedef struct EditContext *NewEditContext(char *filename, const Attributes *a); void FinishEditContext(EvalContext *ctx, EditContext *ec, const Attributes *a, const Promise *pp, - PromiseResult *result); + PromiseResult *result, bool save_file); #ifdef HAVE_LIBXML2 bool LoadFileAsXmlDoc(xmlDocPtr *doc, const char *file, EditDefaults ed, bool only_checks); diff --git a/cf-agent/nfs.c b/cf-agent/nfs.c index 73c8005243..c7602fa4b6 100644 --- a/cf-agent/nfs.c +++ b/cf-agent/nfs.c @@ -468,29 +468,62 @@ int VerifyInFstab(EvalContext *ctx, char *name, const Attributes *a, const Promi mountpt = name; fstype = a->mount.mount_type; + char device[CF_BUFSIZE]; + if (StringEqual(fstype, "cifs") || StringEqual(fstype, "panfs")) + { + NDEBUG_UNUSED int ret = snprintf(device, sizeof(device), "%s%s", host, rmountpt); + assert(ret >= 0 && ret < CF_BUFSIZE); + } + else + { + NDEBUG_UNUSED int ret = snprintf(device, sizeof(device), "%s:%s", host, rmountpt); + assert(ret >= 0 && ret < CF_BUFSIZE); + } + #if defined(__QNX__) || defined(__QNXNTO__) - snprintf(fstab, CF_BUFSIZE, "%s:%s \t %s %s\t%s 0 0", host, rmountpt, mountpt, fstype, opts); + // QNX documents 4 fstab fields : https://www.qnx.com/developers/docs/7.1/index.html#com.qnx.doc.neutrino.utilities/topic/f/fstab.html + // specialdevice mountpoint type mountoptions + // TODO Remove DUMP and PASS options used here (unsupported)? + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s %s\t%s 0 0", device, mountpt, fstype, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(_CRAY) char fstype_upper[CF_BUFSIZE]; strlcpy(fstype_upper, fstype, CF_BUFSIZE); ToUpperStrInplace(fstype_upper); - snprintf(fstab, CF_BUFSIZE, "%s:%s \t %s %s\t%s", host, rmountpt, mountpt, fstype_upper, opts); + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s %s\t%s", device, mountpt, fstype_upper, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); break; #elif defined(__hpux) - snprintf(fstab, CF_BUFSIZE, "%s:%s %s \t %s \t %s 0 0", host, rmountpt, mountpt, fstype, opts); + // HP-UX documents 7 fstab fields: https://nixdoc.net/man-pages/HP-UX/man4/fstab.4.html + // deviceSpecialFile directory type options backupFrequency passNumber comment + // TODO Bring promise comment in as the 7th comment field # promise comment (stripped of newlines) + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s %s \t %s \t %s 0 0", device, mountpt, fstype, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(_AIX) - snprintf(fstab, CF_BUFSIZE, - "%s:\n\tdev\t= %s\n\ttype\t= %s\n\tvfs\t= %s\n\tnodename\t= %s\n\tmount\t= true\n\toptions\t= %s\n\taccount\t= false\n", - mountpt, rmountpt, fstype, fstype, host, opts); + // AIX uses /etc/filesystems: https://www.ibm.com/docs/en/aix/7.2.0?topic=files-filesystems-file + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, + "%s:\n\tdev\t= %s\n\ttype\t= %s\n\tvfs\t= %s\n\tnodename\t= %s\n\tmount\t= true\n\toptions\t= %s\n\taccount\t= false\n", + mountpt, rmountpt, fstype, fstype, host, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__linux__) - snprintf(fstab, CF_BUFSIZE, "%s:%s \t %s \t %s \t %s", host, rmountpt, mountpt, fstype, opts); + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s \t %s \t %s", device, mountpt, fstype, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__NetBSD__) || defined(__OpenBSD__) || defined(__DragonFly__) || defined(__FreeBSD__) || defined(__APPLE__) - snprintf(fstab, CF_BUFSIZE, "%s:%s \t %s \t %s \t %s 0 0", host, rmountpt, mountpt, fstype, opts); + // BSDs document 6 fstab fields https://man.freebsd.org/cgi/man.cgi?fstab(5) + // Device Mountpoint FStype Options Dump Pass + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s \t %s \t %s \t %s 0 0", device, mountpt, fstype, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__sun) || defined(sco) || defined(__SCO_DS) - snprintf(fstab, CF_BUFSIZE, "%s:%s - %s %s - yes %s", host, rmountpt, mountpt, fstype, opts); + // SunOS uses /etc/fstab and documents 7 fields: https://docs.oracle.com/cd/E19455-01/805-6331/fsadm-59727/index.html + // deviceToMount deviceToFsck mountPoint FStype fsckPass automount? mountOptions + // - is used for deviceToFsck for read-only and network based file systems + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "%s - %s %s - yes %s", device, mountpt, fstype, opts); + assert(ret >= 0 && ret < CF_BUFSIZE); #elif defined(__CYGWIN__) - snprintf(fstab, CF_BUFSIZE, "/bin/mount %s:%s %s", host, rmountpt, mountpt); + // https://cygwin.com/cygwin-ug-net/using.html#mount-table + NDEBUG_UNUSED int ret = snprintf(fstab, CF_BUFSIZE, "/bin/mount %s %s", device, mountpt); + assert(ret >= 0 && ret < CF_BUFSIZE); #else #error "Could not determine format of fstab entry on this platform." #endif @@ -503,7 +536,7 @@ int VerifyInFstab(EvalContext *ctx, char *name, const Attributes *a, const Promi { AppendItem(&FSTABLIST, fstab, NULL); FSTAB_EDITS++; - cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_CHANGE, pp, a, "Adding file system '%s:%s' to '%s'", host, rmountpt, + cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_CHANGE, pp, a, "Adding file system entry '%s' to '%s'", fstab, VFSTAB[VSYSTEMHARDCLASS]); *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE); changes += 1; diff --git a/cf-agent/package_module.c b/cf-agent/package_module.c index 2f7039d7ba..7ec7809e1c 100644 --- a/cf-agent/package_module.c +++ b/cf-agent/package_module.c @@ -39,6 +39,7 @@ #include #include /* RecordPkgOperationInChroot() */ #include /* CHROOT_PKG_OPERATION_* */ +#include /* safely write csv entries */ #define INVENTORY_LIST_BUFFER_SIZE 100 * 80 /* 100 entries with 80 characters * per line */ @@ -658,7 +659,8 @@ int UpdatePackagesDB(Rlist *data, const char *pm_name, UpdateType type) { CleanDB(db_cached); - Buffer *inventory_data = BufferNewWithCapacity(INVENTORY_LIST_BUFFER_SIZE); + Writer *idw = StringWriter(); + CsvWriter *idcw = CsvWriterOpen(idw); const char *package_data[3] = {NULL, NULL, NULL}; @@ -676,9 +678,10 @@ int UpdatePackagesDB(Rlist *data, const char *pm_name, UpdateType type) package_data[1], package_data[2], type); - BufferAppendF(inventory_data, "%s,%s,%s\n", - package_data[0], package_data[1], - package_data[2]); + CsvWriterField(idcw, package_data[0]); + CsvWriterField(idcw, package_data[1]); + CsvWriterField(idcw, package_data[2]); + CsvWriterNewRecord(idcw); } else { @@ -726,8 +729,10 @@ int UpdatePackagesDB(Rlist *data, const char *pm_name, UpdateType type) WritePackageDataToDB(db_cached, package_data[0], package_data[1], package_data[2], type); - BufferAppendF(inventory_data, "%s,%s,%s\n", package_data[0], - package_data[1], package_data[2]); + CsvWriterField(idcw, package_data[0]); + CsvWriterField(idcw, package_data[1]); + CsvWriterField(idcw, package_data[2]); + CsvWriterNewRecord(idcw); } else if (package_data[0] || package_data[1] || package_data[2]) { @@ -739,7 +744,14 @@ int UpdatePackagesDB(Rlist *data, const char *pm_name, UpdateType type) } char *inventory_key = ""; - char *inventory_list = BufferClose(inventory_data); + CsvWriterClose(idcw); + char *inventory_list = StringWriterClose(idw); + + // Legacy: the lines are expected to be separated by newlines, not CRLF + const size_t buf_size = strlen(inventory_list); + NDEBUG_UNUSED const ssize_t num_repl = + StringReplace(inventory_list, buf_size, "\r\n", "\n"); + assert(num_repl >= 0); /* We can have empty list of installed software or available updates. */ if (inventory_list == NULL) diff --git a/cf-agent/retcode.c b/cf-agent/retcode.c index 190b4c2a28..33b2e74d11 100644 --- a/cf-agent/retcode.c +++ b/cf-agent/retcode.c @@ -86,7 +86,7 @@ bool VerifyCommandRetcode(EvalContext *ctx, int retcode, const Attributes *a, co if (!matched) { - cfPS(ctx, info_or_verbose, PROMISE_RESULT_FAIL, pp, a, + cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "Command related to promiser '%s' returned code '%d' not defined as promise kept, not kept or repaired; setting to failed", pp->promiser, retcode); *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL); diff --git a/cf-agent/verify_databases.c b/cf-agent/verify_databases.c index 65980b731f..b18ff93138 100644 --- a/cf-agent/verify_databases.c +++ b/cf-agent/verify_databases.c @@ -743,48 +743,50 @@ static int TableExists(CfdbConn *cfdb, char *name) static bool CreateTableColumns(CfdbConn *cfdb, char *table, Rlist *columns) { - char entry[CF_MAXVARSIZE], query[CF_BUFSIZE]; int i, *size_table, *done; char **name_table, **type_table; int no_of_cols = RlistLen(columns); - Log(LOG_LEVEL_ERR, "Trying to create table '%s'", table); + Log(LOG_LEVEL_VERBOSE, "Trying to create table '%s'", table); if (!NewSQLColumns(table, columns, &name_table, &type_table, &size_table, &done)) { return false; } - if (no_of_cols > 0) + if (no_of_cols <= 0) { - snprintf(query, CF_BUFSIZE - 1, "create table %s(", table); - - for (i = 0; i < no_of_cols; i++) - { - Log(LOG_LEVEL_VERBOSE, "Forming column template %s %s %d", name_table[i], type_table[i], - size_table[i]);; + Log(LOG_LEVEL_ERR, "Attempted to create table '%s' without any columns", table); + return false; + } - if (size_table[i] > 0) - { - snprintf(entry, CF_MAXVARSIZE - 1, "%s %s(%d)", name_table[i], type_table[i], size_table[i]); - } - else - { - snprintf(entry, CF_MAXVARSIZE - 1, "%s %s", name_table[i], type_table[i]); - } + Buffer *query = BufferNew(); + BufferPrintf(query, "create table %s(", table); - strcat(query, entry); + for (i = 0; i < no_of_cols; i++) + { + Log(LOG_LEVEL_VERBOSE, "Forming column template %s %s %d", name_table[i], type_table[i], + size_table[i]);; - if (i < no_of_cols - 1) - { - strcat(query, ","); - } + if (size_table[i] > 0) + { + BufferAppendF(query, "%s %s(%d)", name_table[i], type_table[i], size_table[i]); + } + else + { + BufferAppendF(query, "%s %s", name_table[i], type_table[i]); } - strcat(query, ")"); + if (i < no_of_cols - 1) + { + BufferAppendChar(query, ','); + } } - CfVoidQueryDB(cfdb, query); + BufferAppendChar(query, ')'); + + CfVoidQueryDB(cfdb, BufferData(query)); + BufferDestroy(query); DeleteSQLColumns(name_table, type_table, size_table, done, no_of_cols); return true; } diff --git a/cf-agent/verify_files.c b/cf-agent/verify_files.c index a83fdb97cf..d1e3c076e5 100644 --- a/cf-agent/verify_files.c +++ b/cf-agent/verify_files.c @@ -59,6 +59,7 @@ #include #include #include /* PrepareChangesChroot(), RecordFileChangedInChroot() */ +#include static PromiseResult FindFilePromiserObjects(EvalContext *ctx, const Promise *pp); static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promise *pp); @@ -446,16 +447,11 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi } else { - if (!S_ISDIR(osb.st_mode)) + if (!S_ISDIR(osb.st_mode) && a.havedepthsearch) { - if (a.havedepthsearch) - { - /* TODO: PROMISE_RESULT_DENIED */ - Log(LOG_LEVEL_DEBUG, - "depth_search (recursion) is promised for a base object '%s' that is not a directory", - path); - goto exit; - } + Log(LOG_LEVEL_WARNING, + "depth_search (recursion) is promised for a base object '%s' that is not a directory", + path); } exists = true; @@ -535,6 +531,20 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi result = PromiseResultUpdate(result, ScheduleLinkOperation(ctx, path, a.link.source, &a, pp)); } + if (a.haveedit || a.content || a.edit_template_string) + { + if (exists || link) + { + if (!HandleFileObstruction(ctx, changes_path, &oslb, &a, pp, &result)) + { + goto exit; + } + // After moving, it no longer exists at the original path + exists = (lstat(changes_path, &oslb) != -1); + link = false; + } + } + /* Phase 3a - direct content */ if (a.content) @@ -599,9 +609,9 @@ static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, const Promi // Once more in case a file has been created as a result of editing or copying - exists = (stat(changes_path, &osb) != -1); + exists = (lstat(changes_path, &osb) != -1); - if (exists && (S_ISREG(osb.st_mode)) + if (exists && (S_ISREG(osb.st_mode) || S_ISLNK(osb.st_mode)) && (!a.haveselect || SelectLeaf(ctx, path, &osb, &(a.select)))) { VerifyFileLeaf(ctx, path, &osb, &a, pp, &result); @@ -739,7 +749,8 @@ static PromiseResult RenderTemplateCFEngine(EvalContext *ctx, const Rlist *bundle_args, const Attributes *attr, EditContext *edcontext, - bool file_exists) + bool file_exists, + bool *save_file) { assert(edcontext != NULL); assert(attr != NULL); @@ -752,7 +763,7 @@ static PromiseResult RenderTemplateCFEngine(EvalContext *ctx, { if (!file_exists && !CfCreateFile(ctx, edcontext->changes_filename, pp, attr, &result)) - { + { RecordFailure(ctx, pp, attr, "Failed to create file '%s' for rendering cfengine template '%s'", edcontext->filename, attr->edit_template); @@ -764,7 +775,7 @@ static PromiseResult RenderTemplateCFEngine(EvalContext *ctx, EvalContextStackPushBundleFrame(ctx, bp, bundle_args, a.edits.inherit); BundleResolve(ctx, bp); - ScheduleEditLineOperations(ctx, bp, &a, pp, edcontext); + *save_file = ScheduleEditLineOperations(ctx, bp, &a, pp, edcontext); EvalContextStackPopFrame(ctx); @@ -864,7 +875,7 @@ static PromiseResult RenderTemplateMustache(EvalContext *ctx, if (!file_exists && !CfCreateFile(ctx, edcontext->changes_filename, pp, attr, &result)) - { + { RecordFailure(ctx, pp, attr, "Failed to create file '%s' for rendering mustache template '%s'", edcontext->filename, message); @@ -975,6 +986,7 @@ PromiseResult ScheduleEditOperation(EvalContext *ctx, char *filename, Rlist *args = NULL; char edit_bundle_name[CF_BUFSIZE], lockname[CF_BUFSIZE]; CfLock thislock; + bool save_file = true; snprintf(lockname, CF_BUFSIZE - 1, "fileedit-%s", filename); thislock = AcquireLock(ctx, lockname, VUQNAME, CFSTARTTIME, a->transaction.ifelapsed, a->transaction.expireafter, pp, false); @@ -1077,7 +1089,8 @@ PromiseResult ScheduleEditOperation(EvalContext *ctx, char *filename, PromiseResult render_result = RenderTemplateCFEngine(ctx, pp, args, a, edcontext, - file_exists); + file_exists, + &save_file); result = PromiseResultUpdate(result, render_result); } } @@ -1109,7 +1122,7 @@ PromiseResult ScheduleEditOperation(EvalContext *ctx, char *filename, } exit: - FinishEditContext(ctx, edcontext, a, pp, &result); + FinishEditContext(ctx, edcontext, a, pp, &result, save_file); YieldCurrentLock(thislock); if (result == PROMISE_RESULT_CHANGE) { diff --git a/cf-agent/verify_files_utils.c b/cf-agent/verify_files_utils.c index 067ce96287..8882164f6d 100644 --- a/cf-agent/verify_files_utils.c +++ b/cf-agent/verify_files_utils.c @@ -22,6 +22,9 @@ included file COSL.txt. */ +#include +#include +#include #include #include @@ -69,6 +72,7 @@ #include /* GetGroupName(), GetUserName() */ #include +#include "cf3.defs.h" #define CF_RECURSION_LIMIT 100 @@ -341,8 +345,8 @@ static PromiseResult CfCopyFile(EvalContext *ctx, char *sourcefile, else { bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, &attr, &result, - destfile, true, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, &attr, &result, destfile, + true, &dir_created, DEFAULTMODE)) { return result; } @@ -757,8 +761,9 @@ static PromiseResult SourceSearchAndCopy(EvalContext *ctx, const char *from, cha struct stat tostat; bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, attr, &result, - newto, attr->move_obstructions, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, attr, &result, newto, + attr->move_obstructions, &dir_created, + DEFAULTMODE)) { return result; } @@ -1550,8 +1555,32 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con return false; } + /* Use perms from source file if preserve is true, otherwise use perms + * of destination file if it exists, otherwise use default perms. */ + mode_t mode; + if (attr->copy.preserve) + { + mode = sstat->st_mode; + } + else if (dest_exists) + { + mode = dest_stat.st_mode; + } + else + { + mode = CF_PERMS_DEFAULT; + } + mode &= 0777; /* Never preserve SUID bit */ + + /* If perms are promised for this file, use those instead */ + if ((attr->perms.plus != CF_SAMEMODE) && (attr->perms.minus != CF_SAMEMODE)) + { + mode |= attr->perms.plus; + mode &= ~(attr->perms.minus); + } + if (!CopyRegularFileNet(source, ToChangesPath(new), - sstat->st_size, attr->copy.encrypt, conn)) + sstat->st_size, attr->copy.encrypt, conn, mode)) { RecordFailure(ctx, pp, attr, "Failed to copy file '%s' from '%s'", source, conn->remoteip); @@ -1711,7 +1740,7 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con } } - if (rename(dest, changes_backup) == 0) + if (CopyRegularFileDisk(dest, changes_backup)) { RecordChange(ctx, pp, attr, "Backed up '%s' as '%s'", dest, backup); *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE); @@ -2701,6 +2730,57 @@ static PromiseResult VerifyFileAttributes(EvalContext *ctx, const char *file, co return result; } +bool HandleFileObstruction(EvalContext *ctx, const char *path, const struct stat *sb, const Attributes *attr, const Promise *pp, PromiseResult *result) +{ + // Tell static analysis tools that these pointers do not need to be checked for NULL before dereferencing + assert(sb != NULL); + assert(attr != NULL); + + const mode_t st_mode = sb->st_mode; + const bool move_obstructions = attr->move_obstructions; + + // If path exists, but is not a regular file, it's an obstruction + if (!S_ISREG(st_mode)) + { + if (move_obstructions) + { + if (MakingChanges(ctx, pp, attr, result, "Moving obstructing file '%s'", path)) + { + char backup[CF_BUFSIZE]; + int ret = snprintf(backup, sizeof(backup), "%s.cf-moved", path); + if (ret < 0 || (size_t) ret >= sizeof(backup)) + { + RecordFailure(ctx, pp, attr, "Could not move obstruction '%s': Path too long", + path); + *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL); + return false; + } + + if (rename(path, backup) == -1) + { + RecordFailure(ctx, pp, attr, "Could not move obstruction '%s' to '%s'. (rename: %s)", + path, backup, GetErrorStr()); + *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL); + return false; + } + else + { + RecordChange(ctx, pp, attr, "Moved obstructing path '%s' to '%s'", path, backup); + *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE); + return true; + } + } + } + else if (!S_ISLNK(st_mode)) + { + RecordFailure(ctx, pp, attr, "Path '%s' is not a regular file and move_obstructions is not set", path); + *result = PromiseResultUpdate(*result, PROMISE_RESULT_FAIL); + return false; + } + } + return true; +} + bool DepthSearch(EvalContext *ctx, char *name, const struct stat *sb, int rlevel, const Attributes *attr, const Promise *pp, dev_t rootdevice, PromiseResult *result) { @@ -3154,8 +3234,9 @@ static PromiseResult CopyFileSources(EvalContext *ctx, char *destination, const PromiseResult result = PROMISE_RESULT_NOOP; bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, attr, &result, - vbuff, attr->move_obstructions, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, attr, &result, vbuff, + attr->move_obstructions, &dir_created, + DEFAULTMODE)) { BufferDestroy(source_buf); return result; @@ -4339,15 +4420,30 @@ bool CfCreateFile(EvalContext *ctx, char *file, const Promise *pp, const Attribu if (MakingChanges(ctx, pp, attr, result, "create directory '%s'", file)) { + mode_t filemode = DEFAULTMODE; + if (PromiseGetConstraintAsRval(pp, "mode", RVAL_TYPE_SCALAR) == NULL) + { + Log(LOG_LEVEL_VERBOSE, + "No mode was set, choosing directory default %04jo", + (uintmax_t) filemode); + } + else + { + filemode = attr->perms.plus & ~(attr->perms.minus); + } + bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, - file, attr->move_obstructions, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, file, + attr->move_obstructions, + &dir_created, filemode)) { return false; } if (dir_created) { - RecordChange(ctx, pp, attr, "Created directory '%s'", file); + RecordChange(ctx, pp, attr, + "Created directory '%s', mode %04jo", file, + (uintmax_t) filemode); *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE); } } @@ -4370,8 +4466,9 @@ bool CfCreateFile(EvalContext *ctx, char *file, const Promise *pp, const Attribu } bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, - file, attr->move_obstructions, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, file, + attr->move_obstructions, + &dir_created, DEFAULTMODE)) { return false; } @@ -4423,8 +4520,9 @@ bool CfCreateFile(EvalContext *ctx, char *file, const Promise *pp, const Attribu } bool dir_created = false; - if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, - file, attr->move_obstructions, &dir_created)) + if (!MakeParentDirectoryForPromise(ctx, pp, attr, result, file, + attr->move_obstructions, + &dir_created, DEFAULTMODE)) { return false; } diff --git a/cf-agent/verify_files_utils.h b/cf-agent/verify_files_utils.h index 7f294c45e0..fdbb8bd8b3 100644 --- a/cf-agent/verify_files_utils.h +++ b/cf-agent/verify_files_utils.h @@ -35,6 +35,7 @@ extern StringSet *SINGLE_COPY_CACHE; void SetFileAutoDefineList(const Rlist *auto_define_list); void VerifyFileLeaf(EvalContext *ctx, char *path, const struct stat *sb, const Attributes *attr, const Promise *pp, PromiseResult *result); +bool HandleFileObstruction(EvalContext *ctx, const char *path, const struct stat *sb, const Attributes *attr, const Promise *pp, PromiseResult *result); bool DepthSearch(EvalContext *ctx, char *name, const struct stat *sb, int rlevel, const Attributes *attr, const Promise *pp, dev_t rootdevice, PromiseResult *result); bool CfCreateFile(EvalContext *ctx, char *file, const Promise *pp, const Attributes *attr, PromiseResult *result_out); void SetSearchDevice(struct stat *sb, const Promise *pp); diff --git a/cf-agent/verify_methods.c b/cf-agent/verify_methods.c index 39d32ab72f..7ca2865c36 100644 --- a/cf-agent/verify_methods.c +++ b/cf-agent/verify_methods.c @@ -95,10 +95,8 @@ PromiseResult VerifyMethod(EvalContext *ctx, const Rval call, const Attributes * const FnCall *fp = RvalFnCallValue(call); ExpandScalar(ctx, PromiseGetBundle(pp)->ns, PromiseGetBundle(pp)->name, fp->name, method_name); args = fp->args; - int arg_index = 0; while (args) { - ++arg_index; args = args->next; } args = fp->args; diff --git a/cf-agent/verify_packages.c b/cf-agent/verify_packages.c index 376815e334..c8592e6fe5 100644 --- a/cf-agent/verify_packages.c +++ b/cf-agent/verify_packages.c @@ -54,6 +54,7 @@ #include #include #include +#include /* Called structure: @@ -115,7 +116,7 @@ static PromiseResult VerifyPromisedPatch(EvalContext *ctx, const Attributes *a, static char *GetDefaultArch(const char *command); -static bool ExecPackageCommand(EvalContext *ctx, char *command, int verify, int setCmdClasses, const Attributes *a, const Promise *pp, PromiseResult *result); +static bool ExecPackageCommand(EvalContext *ctx, const char *command, int verify, int setCmdClasses, const Attributes *a, const Promise *pp, PromiseResult *result); static bool PrependPatchItem(EvalContext *ctx, PackageItem ** list, char *item, PackageItem * chklist, const char *default_arch, const Attributes *a, const Promise *pp); static bool PrependMultiLinePackageItem(EvalContext *ctx, PackageItem ** list, char *item, int reset, const char *default_arch, const Attributes *a, const Promise *pp); @@ -189,21 +190,17 @@ PromiseResult VerifyPackagesPromise(EvalContext *ctx, const Promise *pp) switch (package_promise_type) { case PACKAGE_PROMISE_TYPE_NEW: - Log(LOG_LEVEL_VERBOSE, "Using new package promise."); + Log(LOG_LEVEL_VERBOSE, "Using v2 package promises (package_module)"); result = HandleNewPackagePromiseType(ctx, pp, &a); break; case PACKAGE_PROMISE_TYPE_OLD: - Log(LOG_LEVEL_VERBOSE, - "Using old package promise. Please note that this old " - "implementation is being phased out. The old " - "implementation will continue to work, but forward development " - "will be directed toward the new implementation."); + Log(LOG_LEVEL_VERBOSE, "Using v1 package promises (package_method)"); result = HandleOldPackagePromiseType(ctx, pp, &a); - /* Update new package promise cache in case we have mixed old and new + /* Update v2 package promise cache in case we have mixed v2 and v1 * package promises in policy. */ if (result == PROMISE_RESULT_CHANGE || result == PROMISE_RESULT_FAIL) { @@ -212,15 +209,15 @@ PromiseResult VerifyPackagesPromise(EvalContext *ctx, const Promise *pp) break; case PACKAGE_PROMISE_TYPE_NEW_ERROR: cfPS_HELPER_0ARG(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, &a, - "New package promise failed sanity check."); + "v2 package promise (package_method) failed sanity check."); break; case PACKAGE_PROMISE_TYPE_OLD_ERROR: cfPS_HELPER_0ARG(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, &a, - "Old package promise failed sanity check."); + "v1 package promise (package_method) failed sanity check."); break; case PACKAGE_PROMISE_TYPE_MIXED: cfPS_HELPER_0ARG(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, &a, - "Mixed old and new package promise attributes inside " + "Mixed v1 and v2 package promise attributes inside " "one package promise."); break; default: @@ -2582,35 +2579,9 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa continue; } - size_t estimated_size = 0; - - for (const PackageItem *pi = pm->pack_list; pi != NULL; pi = pi->next) - { - size_t size = strlen(pi->name) + strlen(" "); - - switch (pm->policy) - { - case PACKAGE_ACTION_POLICY_INDIVIDUAL: - - if (size > estimated_size) - { - estimated_size = size + CF_MAXVARSIZE; - } - break; - - case PACKAGE_ACTION_POLICY_BULK: - - estimated_size += size + CF_MAXVARSIZE; - break; - - default: - break; - } - } - const Promise *const pp = pm->pack_list->pp; Attributes a = GetPackageAttributes(ctx, pp); - char *command_string = NULL; + Buffer *command_buffer = BufferNew(); switch (action) { @@ -2621,14 +2592,12 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa if (a.packages.package_add_command == NULL) { ProgrammingError("Package add command undefined"); + BufferDestroy(command_buffer); return false; } Log(LOG_LEVEL_INFO, "Installing %-.39s...", pp->promiser); - - estimated_size += strlen(a.packages.package_add_command) + 2; - command_string = xmalloc(estimated_size); - strcpy(command_string, a.packages.package_add_command); + BufferAppendString(command_buffer, a.packages.package_add_command); break; case PACKAGE_ACTION_DELETE: @@ -2638,14 +2607,12 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa if (a.packages.package_delete_command == NULL) { ProgrammingError("Package delete command undefined"); + BufferDestroy(command_buffer); return false; } Log(LOG_LEVEL_INFO, "Deleting %-.39s...", pp->promiser); - - estimated_size += strlen(a.packages.package_delete_command) + 2; - command_string = xmalloc(estimated_size); - strcpy(command_string, a.packages.package_delete_command); + BufferAppendString(command_buffer, a.packages.package_delete_command); break; case PACKAGE_ACTION_UPDATE: @@ -2655,14 +2622,12 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa if (a.packages.package_update_command == NULL) { ProgrammingError("Package update command undefined"); + BufferDestroy(command_buffer); return false; } Log(LOG_LEVEL_INFO, "Updating %-.39s...", pp->promiser); - - estimated_size += strlen(a.packages.package_update_command) + 2; - command_string = xcalloc(1, estimated_size); - strcpy(command_string, a.packages.package_update_command); + BufferAppendString(command_buffer, a.packages.package_update_command); break; case PACKAGE_ACTION_VERIFY: @@ -2672,33 +2637,32 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa if (a.packages.package_verify_command == NULL) { ProgrammingError("Package verify command undefined"); + BufferDestroy(command_buffer); return false; } - estimated_size += strlen(a.packages.package_verify_command) + 2; - command_string = xmalloc(estimated_size); - strcpy(command_string, a.packages.package_verify_command); + BufferAppendString(command_buffer, a.packages.package_verify_command); verify = true; break; default: ProgrammingError("Unknown action attempted"); + BufferDestroy(command_buffer); return false; } /* if the command ends with $ then we assume the package manager does not accept package names */ - - if (*(command_string + strlen(command_string) - 1) == '$') + if (BufferData(command_buffer)[BufferSize(command_buffer) - 1] == '$') { - *(command_string + strlen(command_string) - 1) = '\0'; + BufferTrimToMaxLength(command_buffer, BufferSize(command_buffer) - 1); Log(LOG_LEVEL_VERBOSE, "Command does not allow arguments"); PromiseResult result = PROMISE_RESULT_NOOP; EvalContextStackPushPromiseFrame(ctx, pp); if (EvalContextStackPushPromiseIterationFrame(ctx, NULL)) { - if (ExecPackageCommand(ctx, command_string, verify, true, &a, pp, &result)) + if (ExecPackageCommand(ctx, BufferData(command_buffer), verify, true, &a, pp, &result)) { Log(LOG_LEVEL_VERBOSE, "Package schedule execution ok (outcome cannot be promised by cf-agent)"); } @@ -2715,9 +2679,9 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa } else { - strcat(command_string, " "); + BufferAppendChar(command_buffer, ' '); - Log(LOG_LEVEL_VERBOSE, "Command prefix '%s'", command_string); + Log(LOG_LEVEL_VERBOSE, "Command prefix '%s'", BufferData(command_buffer)); if (pm->policy == PACKAGE_ACTION_POLICY_INDIVIDUAL) { @@ -2727,15 +2691,14 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa const Promise *const ppi = pi->pp; Attributes a = GetPackageAttributes(ctx, ppi); - const size_t command_len = strlen(command_string); - char *offset = command_string + command_len; + const size_t offset = BufferSize(command_buffer); if ((a.packages.package_file_repositories) && ((action == PACKAGE_ACTION_ADD) || (action == PACKAGE_ACTION_UPDATE))) { const char *sp = PrefixLocalRepository(a.packages.package_file_repositories, pi->name); if (sp != NULL) { - strlcat(offset, sp, estimated_size - command_len); + BufferAppendString(command_buffer, sp); } else { @@ -2744,14 +2707,26 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa } else { - strcat(offset, pi->name); + if (a.packages.package_commands_useshell) + { + /* Put single quotes around package name and escape + * any pre-existing single quotes to prevent shell + * injection. */ + char *escaped = EscapeCharCopy(pi->name, '\'', '\\'); + BufferAppendF(command_buffer, "'%s'", escaped); + free(escaped); + } + else + { + BufferAppendString(command_buffer, pi->name); + } } PromiseResult result = PROMISE_RESULT_NOOP; EvalContextStackPushPromiseFrame(ctx, ppi); if (EvalContextStackPushPromiseIterationFrame(ctx, NULL)) { - bool ok = ExecPackageCommand(ctx, command_string, verify, true, &a, ppi, &result); + bool ok = ExecPackageCommand(ctx, BufferData(command_buffer), verify, true, &a, ppi, &result); if (StringEqual(pi->name, PACKAGE_IGNORED_CFE_INTERNAL)) { @@ -2774,7 +2749,7 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa EvalContextLogPromiseIterationOutcome(ctx, ppi, result); - *offset = '\0'; + BufferTrimToMaxLength(command_buffer, offset); } } else if (pm->policy == PACKAGE_ACTION_POLICY_BULK) @@ -2783,9 +2758,6 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa { if (pi->name) { - const size_t command_len = strlen(command_string); - char *offset = command_string + command_len; - if (a.packages.package_file_repositories && (action == PACKAGE_ACTION_ADD || action == PACKAGE_ACTION_UPDATE)) @@ -2793,7 +2765,7 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa const char *sp = PrefixLocalRepository(a.packages.package_file_repositories, pi->name); if (sp != NULL) { - strlcpy(offset, sp, estimated_size - command_len); + BufferAppendString(command_buffer, sp); } else { @@ -2802,10 +2774,21 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa } else { - strcpy(offset, pi->name); + if (a.packages.package_commands_useshell) + { + /* Put single quotes around package name and escape + * any pre-existing single quotes to prevent shell + * injection. */ + char *escaped = EscapeCharCopy(pi->name, '\'', '\\'); + BufferAppendF(command_buffer, "'%s'", escaped); + free(escaped); + } + else + { + BufferAppendString(command_buffer, pi->name); + } } - - strcat(command_string, " "); + BufferAppendChar(command_buffer, ' '); } } @@ -2813,7 +2796,7 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa EvalContextStackPushPromiseFrame(ctx, pp); if (EvalContextStackPushPromiseIterationFrame(ctx, NULL)) { - bool ok = ExecPackageCommand(ctx, command_string, verify, true, &a, pp, &result); + bool ok = ExecPackageCommand(ctx, BufferData(command_buffer), verify, true, &a, pp, &result); for (const PackageItem *pi = pm->pack_list; pi != NULL; pi = pi->next) { @@ -2841,10 +2824,7 @@ static bool ExecuteSchedule(EvalContext *ctx, const PackageManager *schedule, Pa } } - if (command_string) - { - free(command_string); - } + BufferDestroy(command_buffer); } /* We have performed some modification operation on packages, our cache is invalid */ @@ -3249,14 +3229,14 @@ const char *PrefixLocalRepository(const Rlist *repositories, const char *package return NULL; } -bool ExecPackageCommand(EvalContext *ctx, char *command, int verify, int setCmdClasses, const Attributes *a, +bool ExecPackageCommand(EvalContext *ctx, const char *command, int verify, int setCmdClasses, const Attributes *a, const Promise *pp, PromiseResult *result) { assert(a != NULL); assert(pp != NULL); // Dereferenced by cfPS macros bool retval = true; - char *cmd; + const char *cmd; FILE *pfp; int packmanRetval = 0; diff --git a/cf-agent/verify_users_pam.c b/cf-agent/verify_users_pam.c index f44db5ea56..eaf91419de 100644 --- a/cf-agent/verify_users_pam.c +++ b/cf-agent/verify_users_pam.c @@ -420,7 +420,7 @@ static bool ChangePasswordHashUsingChpasswd(const char *puser, const char *passw int status; const char *cmd_str = CHPASSWD " -e"; Log(LOG_LEVEL_VERBOSE, "Changing password hash for user '%s'. (command: '%s')", puser, cmd_str); - FILE *cmd = cf_popen_sh(cmd_str, "w"); + FILE *cmd = cf_popen(cmd_str, "w", true); if (!cmd) { Log(LOG_LEVEL_ERR, "Could not launch password changing command '%s': %s.", cmd_str, GetErrorStr()); @@ -600,7 +600,9 @@ static bool ChangePasswordHashUsingLckpwdf(const char *puser, const char *passwo } fclose(edit_fd); + edit_fd = NULL; // mark as NULL so we don't close it later fclose(passwd_fd); + passwd_fd = NULL; // mark as NULL so we don't close it later if (!CopyFilePermissionsDisk(passwd_file, edit_file)) { @@ -620,10 +622,16 @@ static bool ChangePasswordHashUsingLckpwdf(const char *puser, const char *passwo goto unlock_passwd; close_both: - fclose(edit_fd); + if (edit_fd != NULL) + { + fclose(edit_fd); + } unlink(edit_file); close_passwd_fd: - fclose(passwd_fd); + if (passwd_fd != NULL) + { + fclose(passwd_fd); + } unlock_passwd: ulckpwdf(); @@ -642,14 +650,22 @@ static bool ExecuteUserCommand(const char *puser, const char *cmd, size_t sizeof return false; } - Log(LOG_LEVEL_VERBOSE, "%s user '%s'. (command: '%s')", cap_action_msg, puser, cmd); + Log(LOG_LEVEL_VERBOSE, "ExecuteUserCommand: %s user '%s'.", cap_action_msg, puser); - int status = system(cmd); - if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + FILE *fptr = cf_popen(cmd, "w", true); + if (!fptr) { - Log(LOG_LEVEL_ERR, "Command returned error while %s user '%s'. (Command line: '%s')", action_msg, puser, cmd); + Log(LOG_LEVEL_ERR, "ExecuteUserCommand: returned error while %s user '%s'.", action_msg, puser); return false; } + + int status = cf_pclose(fptr); + if (status) + { + Log(LOG_LEVEL_ERR, "ExecuteUserCommand: returned non-zero status: %i\n", status); + return false; + } + return true; } @@ -664,7 +680,7 @@ static bool ChangePasswordHashUsingChpass(const char *puser, const char *passwor StringAppend(cmd, "\' ", sizeof(cmd)); StringAppend(cmd, puser, sizeof(cmd)); - Log(LOG_LEVEL_VERBOSE, "Changing password hash for user '%s'. (command: '%s')", puser, cmd); + Log(LOG_LEVEL_VERBOSE, "Changing password hash for user '%s' using chpass.", puser); return ExecuteUserCommand(puser, cmd, sizeof(cmd), "changing", "Changing"); } @@ -992,13 +1008,13 @@ static bool EqualGid(const char *key, const struct group *entry) { assert(entry != NULL); - unsigned long gid; + unsigned long gid; int ret = StringToUlong(key, &gid); if (ret != 0) { LogStringToLongError(key, "EqualGid", ret); return false; - } + } return (gid == entry->gr_gid); } @@ -1145,16 +1161,16 @@ static void TransformGidsToGroups(StringSet **list) StringSetDestroy(old_list); } -static bool VerifyIfUserNeedsModifs(const char *puser, const User *u, +static bool VerifyIfUserNeedsModifs(const char *puser, const User *u, const struct passwd *passwd_info, - uint32_t *changemap, - StringSet *groups_to_set, + uint32_t *changemap, + StringSet *groups_to_set, StringSet *current_secondary_groups) { assert(u != NULL); assert(passwd_info != NULL); - if (u->description != NULL && + if (u->description != NULL && !StringEqual(u->description, passwd_info->pw_gecos)) { CFUSR_SETBIT(*changemap, i_comment); @@ -1204,17 +1220,17 @@ static bool VerifyIfUserNeedsModifs(const char *puser, const User *u, if (SafeStringLength(u->group_primary) != 0) { - bool group_could_be_gid = (strlen(u->group_primary) == + bool group_could_be_gid = (strlen(u->group_primary) == strspn(u->group_primary, "0123456789")); // We try name first, even if it looks like a gid. Only fall back to gid. errno = 0; - struct group *group_info = GetGrEntry(u->group_primary, + struct group *group_info = GetGrEntry(u->group_primary, &EqualGroupName); if (group_info == NULL && errno != 0) { - Log(LOG_LEVEL_ERR, - "Could not obtain information about group '%s': %s", + Log(LOG_LEVEL_ERR, + "Could not obtain information about group '%s': %s", u->group_primary, GetErrorStr()); CFUSR_SETBIT(*changemap, i_group); } @@ -1226,7 +1242,7 @@ static bool VerifyIfUserNeedsModifs(const char *puser, const User *u, int ret = StringToUlong(u->group_primary, &gid); if (ret != 0) { - LogStringToLongError(u->group_primary, + LogStringToLongError(u->group_primary, "VerifyIfUserNeedsModifs", ret); CFUSR_SETBIT(*changemap, i_group); } diff --git a/cf-check/backup.c b/cf-check/backup.c index f37936a57b..221ae9259a 100644 --- a/cf-check/backup.c +++ b/cf-check/backup.c @@ -70,8 +70,9 @@ const char *create_backup_dir() return NULL; } - const int n = - snprintf(backup_dir, PATH_MAX, "%s%jd/", backup_root, (intmax_t)ts); + int n = + snprintf(backup_dir, PATH_MAX - 1, // trailing slash for later + "%s%jd-XXXXXX", backup_root, (intmax_t)ts); if (n >= PATH_MAX) { Log(LOG_LEVEL_ERR, @@ -81,7 +82,7 @@ const char *create_backup_dir() return NULL; } - if (mkdir(backup_dir, 0700) != 0) + if (mkdtemp(backup_dir) == NULL) { Log(LOG_LEVEL_ERR, "Could not create directory '%s' (%s)", @@ -90,6 +91,10 @@ const char *create_backup_dir() return NULL; } + // Add trailing forward slash + backup_dir[n++] = FILE_SEPARATOR; + backup_dir[n] = '\0'; + return backup_dir; } @@ -102,6 +107,11 @@ int backup_files_copy(Seq *filenames) assert_or_return(length > 0, 1); const char *backup_dir = create_backup_dir(); + if (backup_dir == NULL) + { + // Error already logged + return -1; + } Log(LOG_LEVEL_INFO, "Backing up to '%s'", backup_dir); diff --git a/cf-check/db_structs.h b/cf-check/db_structs.h index 0ca3d23a08..17ba14e73b 100644 --- a/cf-check/db_structs.h +++ b/cf-check/db_structs.h @@ -17,6 +17,7 @@ // Struct used for quality entries in /var/cfengine/state/cf_lastseen.lmdb: typedef struct { + bool acknowledged; time_t lastseen; QPoint Q; } KeyHostSeen; // Keep in sync with lastseen.h diff --git a/cf-check/diagnose.c b/cf-check/diagnose.c index 7689bca611..529a177499 100644 --- a/cf-check/diagnose.c +++ b/cf-check/diagnose.c @@ -39,6 +39,11 @@ size_t diagnose_files( #include #include +/* NOTE: Must be in sync with LMDB_MAXSIZE in libpromises/dbm_lmdb.c. */ +#ifndef LMDB_MAXSIZE +#define LMDB_MAXSIZE 104857600 +#endif + #define CF_CHECK_CREATE_STRING(name) \ #name, @@ -276,6 +281,7 @@ static int diagnose(const char *path, bool temporary_redirect, bool validate) return errno; } assert(f_result == stdout); + fclose(f_result); ret = lmdump(LMDUMP_VALUES_ASCII, path); } return lmdb_errno_to_cf_check_code(ret); @@ -524,6 +530,25 @@ static char *follow_symlink(const char *path) return xstrdup(target_buf); } +bool lmdb_file_needs_rotation(const char *file, int *usage) +{ + struct stat sb; + if (stat(file, &sb) == 0) + { + int usage_pct = (((float) sb.st_size) / LMDB_MAXSIZE) * 100; + if (usage != NULL) + { + *usage = usage_pct; + } + return (usage_pct >= 95); + } + else + { + Log(LOG_LEVEL_ERR, "Failed to stat() '%s' when checking usage: %s", file, GetErrorStr()); + return false; + } +} + /** * @param[in] filenames DB files to diagnose/check * @param[out] corrupt place to store the resulting sequence of corrupted @@ -590,18 +615,26 @@ size_t diagnose_files( if (symlink_target != NULL) { + int usage; + bool needs_rotation = lmdb_file_needs_rotation(symlink_target, &usage); Log(LOG_LEVEL_INFO, - "Status of '%s' -> '%s': %s\n", + "Status of '%s' -> '%s': %s [%d%% usage%s]\n", symlink, symlink_target, - CF_CHECK_STRING(r)); + CF_CHECK_STRING(r), + usage, + needs_rotation ? ", needs rotation" : ""); } else { + int usage; + bool needs_rotation = lmdb_file_needs_rotation(filename, &usage); Log(LOG_LEVEL_INFO, - "Status of '%s': %s\n", + "Status of '%s': %s [%d%% usage%s]\n", filename, - CF_CHECK_STRING(r)); + CF_CHECK_STRING(r), + usage, + needs_rotation ? ", needs rotation" : ""); } diff --git a/cf-check/diagnose.h b/cf-check/diagnose.h index 4bb01c7dde..5f6204b251 100644 --- a/cf-check/diagnose.h +++ b/cf-check/diagnose.h @@ -85,6 +85,8 @@ int lmdb_errno_to_cf_check_code(int r); int signal_to_cf_check_code(int sig); void report_mdb_error(const char *db_file, const char *op, int rc); +bool lmdb_file_needs_rotation(const char *file, int *usage); + size_t diagnose_files( const Seq *filenames, Seq **corrupt, bool foreground, bool validate, bool test_write); int diagnose_main(int argc, const char *const *argv); diff --git a/cf-check/dump.c b/cf-check/dump.c index d059612b46..6ded3c8bbd 100644 --- a/cf-check/dump.c +++ b/cf-check/dump.c @@ -103,9 +103,11 @@ static void print_struct_lastseen_quality( else { // TODO: improve names of struct members in QPoint and KeyHostSeen - const KeyHostSeen *const quality = value.mv_data; - const time_t lastseen = quality->lastseen; - const QPoint Q = quality->Q; + KeyHostSeen quality; + memcpy(&quality, value.mv_data, sizeof(quality)); + const time_t lastseen = quality.lastseen; + const QPoint Q = quality.Q; + bool acknowledged = quality.acknowledged; JsonElement *q_json = JsonObjectCreate(4); JsonObjectAppendReal(q_json, "q", Q.q); @@ -114,6 +116,7 @@ static void print_struct_lastseen_quality( JsonObjectAppendReal(q_json, "dq", Q.dq); JsonElement *top_json = JsonObjectCreate(2); + JsonObjectAppendBool(top_json, "acknowledged", acknowledged); JsonObjectAppendInteger(top_json, "lastseen", lastseen); JsonObjectAppendObject(top_json, "Q", q_json); @@ -136,10 +139,11 @@ static void print_struct_lock_data( else { // TODO: improve names of struct members in LockData - const LockData *const lock = value.mv_data; - const pid_t pid = lock->pid; - const time_t time = lock->time; - const time_t process_start_time = lock->process_start_time; + LockData lock; + memcpy(&lock, value.mv_data, sizeof(lock)); + const pid_t pid = lock.pid; + const time_t time = lock.time; + const time_t process_start_time = lock.process_start_time; JsonElement *json = JsonObjectCreate(3); JsonObjectAppendInteger(json, "pid", pid); @@ -168,8 +172,9 @@ static void print_struct_averages( { // TODO: clean up Averages char **obnames = NULL; - const Averages *const averages = value.mv_data; - const time_t last_seen = averages->last_seen; + Averages averages; + memcpy(&averages, value.mv_data, sizeof(averages)); + const time_t last_seen = averages.last_seen; obnames = GetObservableNames(tskey_filename); JsonElement *all_observables = JsonObjectCreate(CF_OBSERVABLES); @@ -178,7 +183,7 @@ static void print_struct_averages( { char *name = obnames[i]; JsonElement *observable = JsonObjectCreate(4); - QPoint Q = averages->Q[i]; + QPoint Q = averages.Q[i]; JsonObjectAppendReal(observable, "q", Q.q); JsonObjectAppendReal(observable, "expect", Q.expect); @@ -216,7 +221,11 @@ static void print_struct_persistent_class( } else { - const PersistentClassInfo *const class_info = value.mv_data; + /* Make a copy to ensure proper alignment. We cannot just copy data to a + * local PersistentClassInfo variable because it contains a + * variable-length string at the end (see the struct definition). */ + PersistentClassInfo *class_info = xmalloc(value.mv_size); + memcpy(class_info, value.mv_data, value.mv_size); const unsigned int expires = class_info->expires; const PersistentClassPolicy policy = class_info->policy; const char *policy_str; @@ -250,6 +259,7 @@ static void print_struct_persistent_class( // String is not terminated, abort or fall back to default: debug_abort_if_reached(); print_json_string(value.mv_data, value.mv_size, strip_strings); + free(class_info); return; } @@ -264,6 +274,7 @@ static void print_struct_persistent_class( JsonWriteCompact(w, top_json); FileWriterDetach(w); JsonDestroy(top_json); + free(class_info); } } @@ -277,49 +288,55 @@ static void print_struct_or_string( { if (structs) { - if (StringEndsWith(file, "cf_lastseen.lmdb") + if (StringContains(file, "cf_lastseen.lmdb") && StringStartsWith(key.mv_data, "q")) { print_struct_lastseen_quality(value, strip_strings); } - else if (StringEndsWith(file, "cf_lock.lmdb")) + else if (StringContains(file, "cf_lock.lmdb")) { print_struct_lock_data(value, strip_strings); } - else if (StringEndsWith(file, "cf_observations.lmdb")) + else if (StringContains(file, "cf_observations.lmdb")) { if (StringEqual(key.mv_data, "DATABASE_AGE")) { assert(sizeof(double) == value.mv_size); - const double *const age = value.mv_data; - printf("%f", *age); + double age; + memcpy(&age, value.mv_data, sizeof(age)); + printf("%f", age); } else { print_struct_averages(value, strip_strings, tskey_filename); } } - else if (StringEndsWith(file, "history.lmdb")) + else if (StringEqual(file, "history.lmdb") || + StringEndsWith(file, FILE_SEPARATOR_STR"history.lmdb") || + StringEqual(file, "history.lmdb.backup") || + StringEndsWith(file, FILE_SEPARATOR_STR"history.lmdb.backup")) { print_struct_averages(value, strip_strings, tskey_filename); } - else if (StringEndsWith(file, "cf_state.lmdb")) + else if (StringContains(file, "cf_state.lmdb")) { print_struct_persistent_class(value, strip_strings); } - else if (StringEndsWith(file, "nova_agent_execution.lmdb")) + else if (StringContains(file, "nova_agent_execution.lmdb")) { if (StringEqual(key.mv_data, "delta_gavr")) { assert(sizeof(double) == value.mv_size); - const double *const average = value.mv_data; - printf("%f", *average); + double average; + memcpy(&average, value.mv_data, sizeof(average)); + printf("%f", average); } else if (StringEqual(key.mv_data, "last_exec")) { assert(sizeof(time_t) == value.mv_size); - const time_t *const last_exec = value.mv_data; - printf("%ju", (uintmax_t) (*last_exec)); + time_t last_exec; + memcpy(&last_exec, value.mv_data, sizeof(last_exec)); + printf("%ju", (uintmax_t) (last_exec)); } else { diff --git a/cf-check/repair.c b/cf-check/repair.c index d2ad3409d6..bf2c784c16 100644 --- a/cf-check/repair.c +++ b/cf-check/repair.c @@ -38,7 +38,9 @@ static void print_usage(void) { printf("Usage: cf-check repair [-f] [FILE ...]\n"); printf("Example: cf-check repair /var/cfengine/state/cf_lastseen.lmdb\n"); - printf("Options: -f|--force repair LMDB files that look OK "); + printf("Options:\n" + "-f|--force repair LMDB files that look OK\n" + "-w|--test-write test writing when checking files\n"); } int remove_files(Seq *files) @@ -80,7 +82,7 @@ int remove_files(Seq *files) return failures; } -static bool record_repair_timestamp(int fd_tstamp) +static bool record_timestamp(int fd_tstamp) { time_t this_timestamp = time(NULL); lseek(fd_tstamp, 0, SEEK_SET); @@ -158,7 +160,7 @@ int repair_lmdb_file(const char *file, int fd_tstamp) } else { - if (!record_repair_timestamp(fd_tstamp)) + if (!record_timestamp(fd_tstamp)) { Log(LOG_LEVEL_ERR, "Failed to write the timestamp of repair of the '%s' file", file); @@ -178,7 +180,7 @@ int repair_lmdb_file(const char *file, int fd_tstamp) } else { - if (!record_repair_timestamp(fd_tstamp)) + if (!record_timestamp(fd_tstamp)) { Log(LOG_LEVEL_ERR, "Failed to write the timestamp of repair of the '%s' file", file); @@ -200,7 +202,7 @@ int repair_lmdb_file(const char *file, int fd_tstamp) ret = -1; goto cleanup; } - if (!record_repair_timestamp(fd_tstamp)) + if (!record_timestamp(fd_tstamp)) { Log(LOG_LEVEL_ERR, "Failed to write the timestamp of repair of the '%s' file", file); @@ -217,7 +219,71 @@ int repair_lmdb_file(const char *file, int fd_tstamp) return ret; } -int repair_lmdb_files(Seq *files, bool force) +/** + * @param file LMDB file to rotate + * @param fd_tstamp An open FD to the repair timestamp file or -1 + * + * @note If #fd_tstamp != -1 then it is expected to be open and with file locks + * taken care of. If #fd_tstamp == -1, this function opens the rotation + * timestamp file on its own and takes care of the file locks. + */ +int rotate_lmdb_file(const char *file, int fd_tstamp) +{ + int ret; + FileLock lock = EMPTY_FILE_LOCK; + if (fd_tstamp == -1) + { + char *tstamp_file = StringFormat("%s.rotated", file); + int lock_ret = ExclusiveFileLockPath(&lock, tstamp_file, true); /* wait=true */ + free(tstamp_file); + if (lock_ret < 0) + { + /* Should never happen because we tried to wait for the lock. */ + Log(LOG_LEVEL_ERR, + "Failed to acquire lock for the '%s' DB repair timestamp file", + file); + ret = -1; + goto cleanup; + } + fd_tstamp = lock.fd; + } + + time_t now = time(NULL); + { + char *rotated_file = StringFormat("%s.rotated_%jd", file, (intmax_t) now); + ret = rename(file, rotated_file); + free(rotated_file); + } + if (ret != 0) + { + Log(LOG_LEVEL_ERR, + "Failed to rotate the '%s' DB file (%s), will be removed instead", + file, GetErrorStr()); + ret = unlink(file); + if (ret != 0) + { + Log(LOG_LEVEL_ERR, "Failed to remove the '%s' DB file: %s", + file, GetErrorStr()); + } + } + if (ret == 0) + { + if (!record_timestamp(fd_tstamp)) + { + Log(LOG_LEVEL_ERR, "Failed to write the timestamp of rotation of the '%s' DB file", + file); + } + } + + cleanup: + if (lock.fd != -1) + { + ExclusiveFileUnlock(&lock, true); /* close=true */ + } + return ret; +} + +static int repair_lmdb_files(Seq *files, bool force, bool test_write) { assert(files != NULL); assert(SeqLength(files) > 0); @@ -229,7 +295,7 @@ int repair_lmdb_files(Seq *files, bool force) } else { - const int corruptions = diagnose_files(files, &corrupt, false, false, false); + const int corruptions = diagnose_files(files, &corrupt, false, false, test_write); if (corruptions != 0) { assert(corrupt != NULL); @@ -256,6 +322,14 @@ int repair_lmdb_files(Seq *files, bool force) { ret++; } + int usage; + if (lmdb_file_needs_rotation(file, &usage)) + { + if (rotate_lmdb_file(file, -1) != -1) + { + Log(LOG_LEVEL_INFO, "Rotated '%s' DB with %d%% usage", file, usage); + } + } } if (!force) @@ -278,15 +352,19 @@ int repair_lmdb_files(Seq *files, bool force) int repair_main(int argc, const char *const *const argv) { - size_t offset = 1; bool force = false; - if (argc > 1 && argv[1] != NULL && argv[1][0] == '-') + bool test_write = false; + int i = 1; + for (; (i < argc) && (argv[i] != NULL) && (argv[i][0] == '-'); i++) { - if (StringMatchesOption(argv[1], "--force", "-f")) + if (StringMatchesOption(argv[i], "--force", "-f")) { - offset++; force = true; } + else if (StringMatchesOption(argv[i], "--test-write", "-w")) + { + test_write = true; + } else { print_usage(); @@ -294,13 +372,18 @@ int repair_main(int argc, const char *const *const argv) return 1; } } + if (force && test_write) + { + Log(LOG_LEVEL_WARNING, "Ignoring --test-write due to --force skipping DB checks"); + } + size_t offset = i; Seq *files = argv_to_lmdb_files(argc, argv, offset); if (files == NULL || SeqLength(files) == 0) { Log(LOG_LEVEL_ERR, "No database files to repair"); return 1; } - const int ret = repair_lmdb_files(files, force); + const int ret = repair_lmdb_files(files, force, test_write); SeqDestroy(files); return ret; } @@ -325,7 +408,7 @@ int repair_lmdb_default(bool force) Log(LOG_LEVEL_INFO, "Skipping local database repair, no lmdb files"); return 0; } - const int ret = repair_lmdb_files(files, force); + const int ret = repair_lmdb_files(files, force, false); SeqDestroy(files); if (ret != 0) diff --git a/cf-check/repair.h b/cf-check/repair.h index f911af5d5f..9a1e1423bb 100644 --- a/cf-check/repair.h +++ b/cf-check/repair.h @@ -6,5 +6,6 @@ int repair_main(int argc, const char *const *argv); int repair_lmdb_default(bool force); int repair_lmdb_file(const char *file, int fd_tstamp); +int rotate_lmdb_file(const char *file, int fd_tstamp); #endif diff --git a/cf-check/validate.c b/cf-check/validate.c index 0b1b70309d..185444f1fe 100644 --- a/cf-check/validate.c +++ b/cf-check/validate.c @@ -301,9 +301,10 @@ static void UpdateValidatorLastseen( const char direction = key_string[1]; if (direction == 'i' || direction == 'o') { - const KeyHostSeen *const data = value.mv_data; + KeyHostSeen data; + memcpy(&data, value.mv_data, sizeof(data)); - const time_t lastseen = data->lastseen; + const time_t lastseen = data.lastseen; const time_t current = time(NULL); Log(LOG_LEVEL_DEBUG, @@ -353,8 +354,9 @@ static void UpdateValidatorLock( const char *key_string = key.mv_data; - const LockData *const lock = value.mv_data; - const time_t lock_time = lock->time; + LockData lock; + memcpy(&lock, value.mv_data, sizeof(lock)); + const time_t lock_time = lock.time; const time_t current = time(NULL); Log(LOG_LEVEL_DEBUG, diff --git a/cf-execd/cf-execd.c b/cf-execd/cf-execd.c index 1c294ab377..29c37835a0 100644 --- a/cf-execd/cf-execd.c +++ b/cf-execd/cf-execd.c @@ -424,6 +424,23 @@ void ThisAgentInit(void) umask(077); } +// Return 2 to 62 seconds depending on how much time is left until the next +// minute starts. Since cf-execd wakes up "every minute" to evaluate its +// schedule, we want to do this at the start of the minute, to avoid +// accidentally skipping any runs if things are slow. +// +// Why +2? Why not 0 to 60? Not a very good reason, but: +// Sleep at least 2 seconds to avoid 2 agent runs very close together +// Target waking up at :02 seconds, to reduce the chances of waking +// up at :59 in the previous minute, and unintentionally having 2 +// agent runs in the same minute +static inline time_t GetPulseTime() +{ + const time_t current_second = (time(NULL) % CFPULSETIME); + const time_t remaining_seconds = CFPULSETIME - current_second; + return remaining_seconds + 2; +} + /*****************************************************************************/ @@ -524,6 +541,7 @@ static bool HandleRequestsOrSleep(time_t seconds, const char *reason, return false; } +// Non-windows version of main loop: static void CFExecdMainLoop(EvalContext *ctx, Policy **policy, GenericAgentConfig *config, ExecdConfig **execd_config, ExecConfig **exec_config, int runagent_socket) @@ -554,7 +572,7 @@ static void CFExecdMainLoop(EvalContext *ctx, Policy **policy, GenericAgentConfi } } /* 1 Minute resolution is enough */ - terminate = HandleRequestsOrSleep(CFPULSETIME, "pulse time", runagent_socket, + terminate = HandleRequestsOrSleep(GetPulseTime(), "pulse time", runagent_socket, (*execd_config)->local_run_command); if (terminate) { @@ -621,19 +639,7 @@ static int SetupRunagentSocket(const ExecdConfig *execd_config) if (GetRunagentSocketInfo(&sock_info)) { sock_info.sun_family = AF_LOCAL; - - bool created; - MakeParentDirectory(sock_info.sun_path, true, &created); - - /* Make sure the permissions are correct if the directory was created - * (note: this code doesn't run on Windows). */ - if (created) - { - char *last_slash = strrchr(sock_info.sun_path, '/'); - *last_slash = '\0'; - chmod(sock_info.sun_path, (mode_t) 0750); - *last_slash = '/'; - } + MakeParentDirectoryPerms(sock_info.sun_path, true, NULL, (mode_t) 0700); /* Remove potential left-overs from old processes. */ unlink(sock_info.sun_path); @@ -657,6 +663,7 @@ static int SetupRunagentSocket(const ExecdConfig *execd_config) } else { + safe_chmod(sock_info.sun_path, (mode_t) 0600); ret = listen(runagent_socket, CF_EXECD_RUNAGENT_SOCKET_LISTEN_QUEUE); assert(ret == 0); if (ret == -1) @@ -700,6 +707,7 @@ static inline unsigned int MaybeSleepLog(LogLevel level, const char *msg_format, return sleep(seconds); } +// Windows version of main loop: static void CFExecdMainLoop(EvalContext *ctx, Policy **policy, GenericAgentConfig *config, ExecdConfig **execd_config, ExecConfig **exec_config, ARG_UNUSED int runagent_socket) @@ -725,8 +733,8 @@ static void CFExecdMainLoop(EvalContext *ctx, Policy **policy, GenericAgentConfi LocalExec(*exec_config); } } - /* 1 Minute resolution is enough */ - MaybeSleepLog(LOG_LEVEL_VERBOSE, "Sleeping for pulse time %u seconds...", CFPULSETIME); + // This is not just a log message, it maybe sleeps and maybe logs something: + MaybeSleepLog(LOG_LEVEL_VERBOSE, "Sleeping for pulse time %u seconds...", GetPulseTime()); } } #endif /* ! __MINGW32__ */ diff --git a/cf-net/cf-net.c b/cf-net/cf-net.c index 87d61724fe..840ec56e5c 100644 --- a/cf-net/cf-net.c +++ b/cf-net/cf-net.c @@ -156,7 +156,7 @@ static const char *command_strings[] = // INIT: static void CFNetSetDefault(CFNetOptions *opts); -static void CFNetInit(); +static void CFNetInit(const char *min_tls_version, const char *allow_ciphers); static void CFNetOptionsClear(CFNetOptions *opts); // MAIN LOGIC: diff --git a/cf-runagent/cf-runagent.c b/cf-runagent/cf-runagent.c index af7f1ec417..715bb0fbae 100644 --- a/cf-runagent/cf-runagent.c +++ b/cf-runagent/cf-runagent.c @@ -256,7 +256,7 @@ int main(int argc, char *argv[]) if (fork() == 0) /* child process */ { int remote_exit_code = HailServer(ctx, config, RlistScalarValue(rp)); - DoCleanupAndExit(remote_exit_code > 0 ? remote_exit_code : CF_RA_EXIT_CODE_OTHER_ERR); + DoCleanupAndExit(remote_exit_code >= 0 ? remote_exit_code : CF_RA_EXIT_CODE_OTHER_ERR); } else /* parent process */ { diff --git a/cf-serverd/server_common.c b/cf-serverd/server_common.c index a4fc8e5a77..06ae1b9b10 100644 --- a/cf-serverd/server_common.c +++ b/cf-serverd/server_common.c @@ -704,6 +704,7 @@ int StatFile(ServerConnectionState *conn, char *sendbuffer, char *ofilename) /* the simplest way to transfer the data is to convert them into */ /* plain text and interpret them on the other side. */ { + assert(conn != NULL); Stat cfst; struct stat statbuf, statlinkbuf; char linkbuf[CF_BUFSIZE], filename[CF_BUFSIZE - 128]; @@ -846,10 +847,17 @@ int StatFile(ServerConnectionState *conn, char *sendbuffer, char *ofilename) memset(sendbuffer, 0, CF_MSGSIZE); + // +3 because we need to prepend 'OK:' to the path + if (strlen(linkbuf)+3 > CF_MSGSIZE) { + NDEBUG_UNUSED int ret = snprintf(sendbuffer, CF_MSGSIZE, "BAD: Symlink resolves to a path too long (%ld) to send over the protocol.", strlen(linkbuf)+3); + assert(ret > 0 && ret < CF_MSGSIZE); + SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE); + return -1; + } if (cfst.cf_readlink != NULL) { - strcpy(sendbuffer, "OK:"); - strcat(sendbuffer, cfst.cf_readlink); + NDEBUG_UNUSED int ret = snprintf(sendbuffer, CF_MSGSIZE, "OK:%s", linkbuf); + assert(ret > 0 && ret < CF_MSGSIZE); } else { diff --git a/configure.ac b/configure.ac index e189b10f4c..932e22f18b 100644 --- a/configure.ac +++ b/configure.ac @@ -207,12 +207,12 @@ AS_IF([test x"$enable_fhs" = xyes], [ prefix=/var/cfengine case "$target_os" in mingw*) - WORKDIR=$(cmd /c "echo %PROGRAMFILES%\\Cfengine" | sed 's/\\/\\\\/g') + WORKDIR=$(wine cmd.exe /c "echo %PROGRAMFILES%\\Cfengine" 2>/dev/null | sed 's/\\/\\\\/g') MASTERDIR=default INPUTDIR=default DATADIR=default - LOGDIR=$(cmd /c "echo %PROGRAMFILES%\\Cfengine" | sed 's/\\/\\\\/g') - PIDDIR=$(cmd /c "echo %PROGRAMFILES%\\Cfengine" | sed 's/\\/\\\\/g') + LOGDIR=$(wine cmd.exe /c "echo %PROGRAMFILES%\\Cfengine" 2>/dev/null | sed 's/\\/\\\\/g') + PIDDIR=$(wine cmd.exe /c "echo %PROGRAMFILES%\\Cfengine" 2>/dev/null | sed 's/\\/\\\\/g') STATEDIR=default ;; *) @@ -455,10 +455,10 @@ if test x"$with_openssl" = xno ; then AC_MSG_ERROR([This release of CFEngine requires OpenSSL >= 0.9.7]) fi -if test -d /usr/local/Cellar/openssl/ && \ +if test -d /usr/local/Cellar/ && \ test -d /usr/local/opt/openssl/ && \ test "x$with_openssl" = "xyes" ; then - with_openssl="/usr/local/opt/openssl" + with_openssl=$(brew --prefix openssl) echo "OS X Homebrew detected" echo "Defaulting to: --with-openssl=$with_openssl" fi @@ -514,19 +514,6 @@ CF3_WITH_LIBRARY(pcre, [ AC_MSG_ERROR(Cannot find PCRE))]) ]) -dnl systemd-socket activation - -AC_ARG_WITH([systemd-socket], [AS_HELP_STRING([--with-systemd-socket[[=PATH]]], [support systemd socket activation])], [], [with_systemd_socket=check]) - - -if test "x$with_systemd_socket" != xno -then - CF3_WITH_LIBRARY(systemd_socket, [ - AC_CHECK_LIB(systemd, sd_listen_fds, [], [if test "x$with_systemd_socket" != xcheck; then AC_MSG_ERROR(Cannot find systemd library); fi]) - AC_CHECK_LIB(systemd, sd_notify_barrier, [AC_DEFINE([HAVE_SD_NOTIFY_BARRIER],[1],[sd_notify_barrier on recent systemd])]) - AC_CHECK_HEADERS(systemd/sd-daemon.h, [], [if test "x$with_systemd_socket" != xcheck; then AC_MSG_ERROR(Cannot find systemd headers); fi]) - ]) -fi dnl libvirt @@ -659,19 +646,20 @@ if test "x$with_libxml2" != "xno"; then LIBXML2_CPPFLAGS=-I$with_libxml2/include/libxml2 fi fi -fi -CF3_WITH_LIBRARY(libxml2, - [AC_CHECK_LIB(xml2, xmlFirstElementChild, - [], - [if test "x$with_libxml2" != xcheck; then - AC_MSG_ERROR(Cannot find libxml2); fi] - ) - AC_CHECK_HEADERS([libxml/xmlwriter.h], [break], + CF3_WITH_LIBRARY(libxml2, + [AC_CHECK_LIB(xml2, xmlFirstElementChild, + [], [if test "x$with_libxml2" != xcheck; then AC_MSG_ERROR(Cannot find libxml2); fi] - )] -) + ) + AC_CHECK_HEADERS([libxml/xmlwriter.h], [break], + [if test "x$with_libxml2" != xcheck; then + AC_MSG_ERROR(Cannot find libxml2); fi] + )] + ) + +fi AM_CONDITIONAL([HAVE_LIBXML2], [test "x$with_libxml2" != xno && @@ -1638,6 +1626,22 @@ else fi AC_SUBST([OS_ENVIRONMENT_PATH]) +dnl systemd-socket activation + +AC_ARG_WITH([systemd-socket], [AS_HELP_STRING([--with-systemd-socket[[=PATH]]], [support systemd socket activation])], [], [with_systemd_socket=check]) + +dnl ######################################################################## +dnl systemd socket feature, only available if systemd init scripts requested +dnl ######################################################################## +if test "x$with_systemd_service" != xno && test "x$with_systemd_socket" != xno +then + CF3_WITH_LIBRARY(systemd_socket, [ + AC_CHECK_LIB(systemd, sd_listen_fds, [], [if test "x$with_systemd_socket" != xcheck; then AC_MSG_ERROR(Cannot find systemd library); fi]) + AC_CHECK_LIB(systemd, sd_notify_barrier, [AC_DEFINE([HAVE_SD_NOTIFY_BARRIER],[1],[sd_notify_barrier on recent systemd])]) + AC_CHECK_HEADERS(systemd/sd-daemon.h, [], [if test "x$with_systemd_socket" != xcheck; then AC_MSG_ERROR(Cannot find systemd headers); fi]) + ]) +fi + dnl ##################################################################### dnl SELinux policy build and installation dnl ##################################################################### @@ -1647,6 +1651,13 @@ AC_ARG_WITH(selinux-policy, [], [with_selinux_policy=no]) AM_CONDITIONAL([WITH_SELINUX], [test "x$with_selinux_policy" != "xno"]) +if test "x$with_selinux_policy" != "xno"; then + platform_id=$(sed -r -e '/PLATFORM_ID/!d;s/PLATFORM_ID="platform:(@<:@^"@:>@+)"/\1/' < /etc/os-release) + if test -f ${srcdir}/misc/selinux/cfengine-enterprise.te.$platform_id; then + PLATFORM_SELINUX_POLICIES=cfengine-enterprise.te.$platform_id + AC_SUBST(PLATFORM_SELINUX_POLICIES) + fi +fi dnl ##################################################################### dnl Hostname and Version stuff @@ -1843,6 +1854,7 @@ fi if test "x$with_selinux_policy" != "xno"; then AC_MSG_RESULT([-> SELinux policy: enabled]) + AC_MSG_RESULT([-> SELinux platform policies: $PLATFORM_SELINUX_POLICIES]) else AC_MSG_RESULT([-> SELinux policy: disabled]) fi diff --git a/contrib/masterfiles-stage/common.sh b/contrib/masterfiles-stage/common.sh index 30b401be39..27e9306f2c 100755 --- a/contrib/masterfiles-stage/common.sh +++ b/contrib/masterfiles-stage/common.sh @@ -190,7 +190,16 @@ git_cfbs_deploy_refspec() { # (See long comment at end of function def.) # The chipmunk in cfbs output breaks things without this or similar - export LANG=en_US.utf-8 + # The chipmunk in cfbs output breaks things without this or similar + if [ -f "/etc/locale.conf" ]; then + source "/etc/locale.conf" + export LC_ALL="$LANG" # retrieved from locale.conf + else + _LOCALE=$(locale -a | grep -i utf | head -1) + if [ -n "$_LOCALE" ]; then + export LC_ALL="$_LOCALE" + fi + fi # Ensure absolute pathname is given [ "${1:0:1}" = / ] || @@ -218,12 +227,12 @@ git_cfbs_deploy_refspec() { _start_wrkdir=$(pwd) # Switch to the staging directory and build with cfbs cd "${temp_stage}" - cfbs build || error_exit "cfbs build failed" + CFBS_GLOBAL_DIR="/opt/cfengine/build/cfbs_global" cfbs build || error_exit "cfbs build failed" # Switch back to the original working dir cd "${_start_wrkdir}" # Grab HEAD so it can be used to populate cf_promises_release_id - mkdir -p "${temp_stage}/.git" - cp "${local_mirrored_repo}/HEAD" "${temp_stage}/.git/" + mkdir -p "${temp_stage}/out/masterfiles/.git" + cp "${local_mirrored_repo}/HEAD" "${temp_stage}/out/masterfiles/.git/" ########################## 3. SET PERMISSIONS ON POLICY SET chown -R root:root "${temp_stage}" || error_exit "Unable to chown '${temp_stage}'" diff --git a/examples/getusers.cf b/examples/getusers.cf index 97119aa92c..faa37a0450 100644 --- a/examples/getusers.cf +++ b/examples/getusers.cf @@ -29,6 +29,25 @@ body common control bundle agent example { vars: + + # The getusers function takes two filtering arguments: exclude_names and + # exclude_ids, both a comma separated list of usernames and user IDs + # respectively. + + # To get users with a uid 1000 and greater we generate a list of uids from + # 0 to 999 and convert it into a comma separated string used to filter the + # list of users. + + "users_with_uid_gt_999" + slist => getusers( "", join( ",", expandrange( "[0-999]", 1 ) ) ); + + # Here we get a list of users except usernames nfsnobody and vagrant as + # well as any users with uid 8 or 9 + + "users_except_nfsnobody_and_vagrant_and_uid_8_and_9" + slist => getusers( "nfsnobody,vagrant", "8,9" ); + + # Here we get a list of all users by not filtering any "allusers" slist => getusers("",""); "root_list" slist => { "root" }; # this will get just the root users out of the full user list diff --git a/examples/nth-key.cf b/examples/nth-key.cf new file mode 100644 index 0000000000..e9363c9e17 --- /dev/null +++ b/examples/nth-key.cf @@ -0,0 +1,20 @@ +#+begin_src cfengine3 +bundle agent main +{ + vars: + "d" data => '{ "key1": "dvalue1", "key2": "dvalue2" }'; + "a[key1]" string => "value1"; + "a[key2]" string => "value2"; + + reports: + "$(with)" with => nth( a, "key1" ); + "$(with)" with => nth( d, "key1" ); +} +#+end_src +############################################################################### +#+begin_src example_output +#@ ``` +#@ R: value1 +#@ R: dvalue1 +#@ ``` +#+end_src diff --git a/examples/peerleader.cf b/examples/peerleader.cf index fdc4eb2a52..e2f5a4e184 100644 --- a/examples/peerleader.cf +++ b/examples/peerleader.cf @@ -25,7 +25,8 @@ #@ echo beta >> /tmp/cfe_hostlist #@ echo gamma >> /tmp/cfe_hostlist #@ echo "Set HOSTNAME appropriately beforehand" -#@ echo "$(hostname -f)" | tr 'A-Z' 'a-z' >> /tmp/cfe_hostlist +#@ touch $CFENGINE_TEST_OVERRIDE_WORKDIR/inputs/promises.cf # to enable cf-promises to run +#@ bash -c "${CF_PROMISES} --show-vars=sys.fqhost | grep fqhost | awk '{print \$2}' | tr 'A-Z' 'a-z' 2>&1 >> /tmp/cfe_hostlist" #@ echo "Delta Delta Delta may I help ya help ya help ya" #@ echo delta1 >> /tmp/cfe_hostlist #@ echo delta2 >> /tmp/cfe_hostlist diff --git a/examples/peerleaders.cf b/examples/peerleaders.cf index fdc4eb2a52..e2f5a4e184 100644 --- a/examples/peerleaders.cf +++ b/examples/peerleaders.cf @@ -25,7 +25,8 @@ #@ echo beta >> /tmp/cfe_hostlist #@ echo gamma >> /tmp/cfe_hostlist #@ echo "Set HOSTNAME appropriately beforehand" -#@ echo "$(hostname -f)" | tr 'A-Z' 'a-z' >> /tmp/cfe_hostlist +#@ touch $CFENGINE_TEST_OVERRIDE_WORKDIR/inputs/promises.cf # to enable cf-promises to run +#@ bash -c "${CF_PROMISES} --show-vars=sys.fqhost | grep fqhost | awk '{print \$2}' | tr 'A-Z' 'a-z' 2>&1 >> /tmp/cfe_hostlist" #@ echo "Delta Delta Delta may I help ya help ya help ya" #@ echo delta1 >> /tmp/cfe_hostlist #@ echo delta2 >> /tmp/cfe_hostlist diff --git a/examples/peers.cf b/examples/peers.cf index fdc4eb2a52..e2f5a4e184 100644 --- a/examples/peers.cf +++ b/examples/peers.cf @@ -25,7 +25,8 @@ #@ echo beta >> /tmp/cfe_hostlist #@ echo gamma >> /tmp/cfe_hostlist #@ echo "Set HOSTNAME appropriately beforehand" -#@ echo "$(hostname -f)" | tr 'A-Z' 'a-z' >> /tmp/cfe_hostlist +#@ touch $CFENGINE_TEST_OVERRIDE_WORKDIR/inputs/promises.cf # to enable cf-promises to run +#@ bash -c "${CF_PROMISES} --show-vars=sys.fqhost | grep fqhost | awk '{print \$2}' | tr 'A-Z' 'a-z' 2>&1 >> /tmp/cfe_hostlist" #@ echo "Delta Delta Delta may I help ya help ya help ya" #@ echo delta1 >> /tmp/cfe_hostlist #@ echo delta2 >> /tmp/cfe_hostlist diff --git a/examples/services_default_service_bundle.cf b/examples/services_default_service_bundle.cf index 7182d20f8d..2adeafc400 100644 --- a/examples/services_default_service_bundle.cf +++ b/examples/services_default_service_bundle.cf @@ -9,7 +9,7 @@ bundle agent main body service_method my_custom_service { - service_type => "generic"; + service_bundle => service_my_custom_service($(this.promiser), $(this.service_policy)); } bundle agent service_my_custom_service(service, state) @@ -25,5 +25,3 @@ bundle agent service_my_custom_service(service, state) #@ ``` #+end_src - - diff --git a/libcfnet/client_code.c b/libcfnet/client_code.c index afaef5a2d5..032eebcf83 100644 --- a/libcfnet/client_code.c +++ b/libcfnet/client_code.c @@ -572,7 +572,7 @@ bool CompareHashNet(const char *file1, const char *file2, bool encrypt, AgentCon static bool EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, AgentConnection *conn) { - int blocksize = 2048, n_read = 0, plainlen, more = true, finlen, cnt = 0; + int blocksize = 2048, n_read = 0, plainlen, more = true, finlen; int tosend, cipherlen = 0; char *buf, in[CF_BUFSIZE], out[CF_BUFSIZE], workbuf[CF_BUFSIZE], cfchangedstr[265]; unsigned char iv[32] = @@ -658,7 +658,6 @@ static bool EncryptCopyRegularFileNet(const char *source, const char *dest, off_ return false; } - cnt++; /* If the first thing we get is an error message, break. */ @@ -752,7 +751,7 @@ static void FlushFileStream(int sd, int toget) /* TODO finalise socket or TLS session in all cases that this function fails * and the transaction protocol is out of sync. */ bool CopyRegularFileNet(const char *source, const char *dest, off_t size, - bool encrypt, AgentConnection *conn) + bool encrypt, AgentConnection *conn, mode_t mode) { char *buf, workbuf[CF_BUFSIZE], cfchangedstr[265]; const int buf_size = 2048; @@ -776,7 +775,7 @@ bool CopyRegularFileNet(const char *source, const char *dest, off_t size, unlink(dest); /* To avoid link attacks */ - int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, CF_PERMS_DEFAULT); + int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, mode); if (dd == -1) { Log(LOG_LEVEL_ERR, diff --git a/libcfnet/client_code.h b/libcfnet/client_code.h index f0d560088f..ba32d4acdb 100644 --- a/libcfnet/client_code.h +++ b/libcfnet/client_code.h @@ -48,7 +48,7 @@ void DisconnectServer(AgentConnection *conn); bool CompareHashNet(const char *file1, const char *file2, bool encrypt, AgentConnection *conn); bool CopyRegularFileNet(const char *source, const char *dest, off_t size, - bool encrypt, AgentConnection *conn); + bool encrypt, AgentConnection *conn, mode_t mode); Item *RemoteDirList(const char *dirname, bool encrypt, AgentConnection *conn); int TLSConnectCallCollect(ConnectionInfo *conn_info, const char *username); diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c index e94073058c..d8fbcda45d 100644 --- a/libenv/sysinfo.c +++ b/libenv/sysinfo.c @@ -1180,8 +1180,9 @@ static void OSReleaseParse(EvalContext *ctx, const char *file_path) { alias = "redhat"; } - else if (StringEqual(os_release_id, "opensuse") || - StringEqual(os_release_id, "sles")) + else if (StringEqual(os_release_id, "opensuse") || + StringEqual(os_release_id, "sles") || + StringEqual(os_release_id, "sled")) { alias = "suse"; } @@ -2659,7 +2660,7 @@ static void Linux_Amazon_Version(EvalContext *ctx) { char buffer[CF_BUFSIZE]; - // Amazon Linux AMI release 2016.09 + // Amazon Linux release 2 (Karoo) if (ReadLine("/etc/system-release", buffer, sizeof(buffer))) { @@ -2670,7 +2671,7 @@ static void Linux_Amazon_Version(EvalContext *ctx) ",derived-from-file=/etc/system-release"); char version[128]; - if (sscanf(buffer, "%*s %*s %*s %*s %127s", version) == 1) + if (sscanf(buffer, "%*s %*s %*s %127s", version) == 1) { char class[CF_MAXVARSIZE]; @@ -2679,8 +2680,16 @@ static void Linux_Amazon_Version(EvalContext *ctx) EvalContextClassPutHard(ctx, class, "inventory,attribute_name=none,source=agent" ",derived-from-file=/etc/system-release"); + SetFlavor(ctx, class); } - SetFlavor(ctx, "AmazonLinux"); + else + { + SetFlavor(ctx, "amazon_linux"); + } + // We set this class for backwards compatibility + EvalContextClassPutHard(ctx, "AmazonLinux", + "inventory,attribute_name=none,source=agent," + "derived-from=sys.flavor"); } } } @@ -3475,11 +3484,19 @@ static void SysOSNameHuman(EvalContext *ctx) "Solaris", CF_DATA_TYPE_STRING, "source=agent,derived-from=solaris"); } + else if (EvalContextClassGet(ctx, NULL, "amazon_linux") != NULL) + { + EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, lval, + "Amazon", CF_DATA_TYPE_STRING, + "source=agent,derived-from=amazon_linux"); + } else { EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, lval, "Unknown", CF_DATA_TYPE_STRING, "source=agent"); + Log(LOG_LEVEL_WARNING, + "Operating System not properly recognized, setting sys.os_name_human to \"Unknown\", please submit a bug report for us to fix this"); } } @@ -3487,13 +3504,13 @@ static void SysOSNameHuman(EvalContext *ctx) /** * Find next integer from string in place. Leading zero's are included. - * + * * @param [in] str string to extract next integer from * @param [out] num pointer to start of next integer or %NULL if no integer * number was found - * + * * @return pointer to the remaining string in `str` or %NULL if no remainder - * + * * @note `str` will be mutated */ static char *FindNextInteger(char *str, char **num) @@ -3561,8 +3578,8 @@ static void SysOsVersionMajor(EvalContext *ctx) } else { - EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, - "os_version_major", major, + EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, + "os_version_major", major, CF_DATA_TYPE_STRING, "source=agent,derived-from=flavor"); } diff --git a/libenv/unix_iface.c b/libenv/unix_iface.c index 0d8724a2ad..67af0cd936 100644 --- a/libenv/unix_iface.c +++ b/libenv/unix_iface.c @@ -713,7 +713,7 @@ static void FindV6InterfacesInfo(EvalContext *ctx, Rlist **interfaces, Rlist **h // We know there was more data, at least a colon: assert(src_length == bytes_to_copy); - const size_t dst_length = src_length - 1; + NDEBUG_UNUSED const size_t dst_length = src_length - 1; // We copied everything up to, but not including, the colon: assert(ifconfig_line[dst_length] == ':'); @@ -721,6 +721,11 @@ static void FindV6InterfacesInfo(EvalContext *ctx, Rlist **interfaces, Rlist **h } } + if (IgnoreInterface(current_interface)) + { + // Ignore interfaces listed in ignore_interfaces.rx + continue; + } const char *const stripped_ifconfig_line = TrimWhitespace(ifconfig_line); @@ -836,24 +841,70 @@ static void FindV6InterfacesInfo(EvalContext *ctx, Rlist **interfaces, Rlist **h static void InitIgnoreInterfaces() { FILE *fin; - char filename[CF_BUFSIZE],regex[256]; + char filename[CF_BUFSIZE], regex[256]; + + int ret = snprintf( + filename, + sizeof(filename), + "%s%c%s", + GetWorkDir(), + FILE_SEPARATOR, + CF_IGNORE_INTERFACES); + assert(ret >= 0 && (size_t) ret < sizeof(filename)); + + if ((fin = fopen(filename, "r")) == NULL) + { + Log((errno == ENOENT) ? LOG_LEVEL_VERBOSE : LOG_LEVEL_ERR, + "Failed to open interface exception file %s: %s", + filename, + GetErrorStr()); - snprintf(filename, sizeof(filename), "%s%c%s", GetInputDir(), FILE_SEPARATOR, CF_IGNORE_INTERFACES); + /* LEGACY: The 'ignore_interfaces.rx' file was previously located in + * $(sys.inputdir). Consequently, if the file is found in this + * directory but not in $(sys.workdir), we will still process it, but + * issue a warning. */ + ret = snprintf( + filename, + sizeof(filename), + "%s%c%s", + GetInputDir(), + FILE_SEPARATOR, + CF_IGNORE_INTERFACES); + assert(ret >= 0 && (size_t) ret < sizeof(filename)); + + if ((fin = fopen(filename, "r")) == NULL) + { + Log((errno == ENOENT) ? LOG_LEVEL_VERBOSE : LOG_LEVEL_ERR, + "Failed to open interface exception file %s: %s", + filename, + GetErrorStr()); + return; + } - if ((fin = fopen(filename,"r")) == NULL) - { - Log(LOG_LEVEL_VERBOSE, "No interface exception file %s",filename); - return; + Log(LOG_LEVEL_WARNING, + "Found interface exception file %s in %s but it should be in %s. " + "Please consider moving it to the appropriate location.", + CF_IGNORE_INTERFACES, + GetInputDir(), + GetWorkDir()); } while (!feof(fin)) { regex[0] = '\0'; - int scanCount = fscanf(fin,"%255s",regex); + int scanCount = fscanf(fin, "%255s", regex); + if (ferror(fin) != 0) + { + Log(LOG_LEVEL_ERR, + "Failed to read interface exception file %s: %s", + filename, + GetErrorStr()); + break; + } if (scanCount != 0 && *regex != '\0') { - RlistPrependScalarIdemp(&IGNORE_INTERFACES, regex); + RlistPrependScalarIdemp(&IGNORE_INTERFACES, regex); } } diff --git a/libntech b/libntech index 522ec6b324..1d9ceb62cf 160000 --- a/libntech +++ b/libntech @@ -1 +1 @@ -Subproject commit 522ec6b3240a332884d0f67059268edd8cf30cba +Subproject commit 1d9ceb62cf4cf64875199bd1454c74b8f124001f diff --git a/libpromises/attributes.c b/libpromises/attributes.c index dba903d60f..af61c16be2 100644 --- a/libpromises/attributes.c +++ b/libpromises/attributes.c @@ -1158,10 +1158,15 @@ Packages GetPackageConstraints(const EvalContext *ctx, const Promise *pp) if (bodies_and_args != NULL && SeqLength(bodies_and_args) > 0) { + Log(LOG_LEVEL_VERBOSE, "Package promise had no package_method attribute so it's being assigned a value of 'generic' as default."); const Body *bp = SeqAt(bodies_and_args, 0); // guaranteed to be non-NULL CopyBodyConstraintsToPromise((EvalContext*)ctx, (Promise*)pp, bp); has_generic_package_method = true; } + else + { + Log(LOG_LEVEL_VERBOSE, "Package promise had no package_method attibute and policy had no 'generic' package_method body so will use v2 package modules."); + } SeqDestroy(bodies_and_args); } @@ -1251,10 +1256,31 @@ NewPackages GetNewPackageConstraints(const EvalContext *ctx, const Promise *pp) p.package_options = PromiseGetConstraintAsList(ctx, "options", pp); p.is_empty = (memcmp(&p, &empty, sizeof(NewPackages)) == 0); + + bool have_policy = PromiseBundleOrBodyConstraintExists(ctx, "policy", pp); + bool have_package_policy = PromiseBundleOrBodyConstraintExists(ctx, "package_policy", pp); + if (!have_policy && !have_package_policy) + { + Log(LOG_LEVEL_DEBUG, "Package promise has no policy or package_policy attribute. Checking if default:control_common.package_module is defined to default the policy attribute to 'present' and force use of v2 package promise (package_module)."); + + const void *ret = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_PACKAGE_MODULE); + PackageModuleBody *package_module = GetPackageModuleFromContext(ctx, ret); + + if (package_module != NULL) + { + Log(LOG_LEVEL_DEBUG, "Package promise had no policy or package_policy attribute and default:control_common.package_module is defined so defaulting to v2 package promise (package_module) and setting 'policy' attribute to 'present' and 'package_module' to %s.", package_module->name); + PromiseAppendConstraint((Promise*)pp, "policy", (Rval) {xstrdup("present"), RVAL_TYPE_SCALAR }, false); + PromiseAppendConstraint((Promise*)pp, "package_module_name", (Rval) {xstrdup(package_module->name), RVAL_TYPE_SCALAR }, false); + } + else + { + Log(LOG_LEVEL_VERBOSE, "Package promise had no policy or package_policy attribute and default:control_common.package_module is undefined so will use v1 package promise (package_method)."); + } + } p.package_policy = GetNewPackagePolicy(PromiseGetConstraintAsRval(pp, "policy", RVAL_TYPE_SCALAR), new_packages_actions); - /* We can have only policy specified in new package promise definition. */ + /* We can have only policy specified in v2 package promise (package_module) definition. */ if (p.package_policy != NEW_PACKAGE_ACTION_NONE) { p.is_empty = false; diff --git a/libpromises/cmdb.c b/libpromises/cmdb.c index ddab5b2763..2e17fb9c9a 100644 --- a/libpromises/cmdb.c +++ b/libpromises/cmdb.c @@ -407,19 +407,40 @@ static bool ReadCMDBClasses(EvalContext *ctx, JsonElement *classes) bool ret = AddCMDBClass(ctx, key, default_tags, NULL); if (!ret) { - /* Details should have been logged already. */ - Log(LOG_LEVEL_ERR, "Failed to add CMDB class '%s'", key); + /* It does not have to be and error, it could be a result of + * the class already existing. Anyways, details about + * potential errors should have been logged already. */ + Log(LOG_LEVEL_DEBUG, "Did not add CMDB class '%s'", key); } } else if (JsonGetContainerType(data) == JSON_CONTAINER_TYPE_ARRAY && JsonArrayContainsOnlyPrimitives(data)) { - if ((JsonLength(data) != 1) || - (!StringEqual(JsonPrimitiveGetAsString(JsonArrayGet(data, 0)), "any::"))) + switch (JsonLength(data)) { + case 0: Log(LOG_LEVEL_ERR, - "Invalid class specification '%s' in CMDB data, only '[\"any::\"]' allowed", - JsonPrimitiveGetAsString(JsonArrayGet(data, 0))); + "Empty class specification '[]' in CMDB data not allowed, only '[\"any::\"]'"); + continue;; + case 1: + if (!StringEqual(JsonPrimitiveGetAsString(JsonArrayGet(data, 0)), "any::")) + { + Log(LOG_LEVEL_ERR, + "Invalid class specification '[\"%s\"]' in CMDB data, only '[\"any::\"]' allowed", + JsonPrimitiveGetAsString(JsonArrayGet(data, 0))); + continue; + } + // All good :) + break; + default: + { + Writer *const str = StringWriter(); + JsonWriteCompact(str, data); + Log(LOG_LEVEL_ERR, + "Too many elements in class specification '%s' in CMDB data, only '[\"any::\"]' allowed", + StringWriterData(str)); + WriterClose(str); + } continue; } StringSet *default_tags = StringSetNew(); @@ -427,8 +448,10 @@ static bool ReadCMDBClasses(EvalContext *ctx, JsonElement *classes) bool ret = AddCMDBClass(ctx, key, default_tags, NULL); if (!ret) { - /* Details should have been logged already. */ - Log(LOG_LEVEL_ERR, "Failed to add CMDB class '%s'", key); + /* It does not have to be and error, it could be a result of + * the class already existing. Anyways, details about + * potential errors should have been logged already. */ + Log(LOG_LEVEL_DEBUG, "Did not add CMDB class '%s'", key); } } else if (JsonGetContainerType(data) == JSON_CONTAINER_TYPE_OBJECT) @@ -465,8 +488,10 @@ static bool ReadCMDBClasses(EvalContext *ctx, JsonElement *classes) bool ret = AddCMDBClass(ctx, key, tags, comment); if (!ret) { - /* Details should have been logged already. */ - Log(LOG_LEVEL_ERR, "Failed to add CMDB class '%s'", key); + /* It does not have to be and error, it could be a result of + * the class already existing. Anyways, details about + * potential errors should have been logged already. */ + Log(LOG_LEVEL_DEBUG, "Did not add CMDB class '%s'", key); } } else diff --git a/libpromises/crypto.c b/libpromises/crypto.c index 5ba5a74a74..c9416286e9 100644 --- a/libpromises/crypto.c +++ b/libpromises/crypto.c @@ -63,6 +63,11 @@ static void CleanupOpenSSLThreadLocks(void); static bool crypto_initialized = false; /* GLOBAL_X */ +#if OPENSSL_VERSION_NUMBER > 0x30000000 +static OSSL_PROVIDER *legacy_provider = NULL; +static OSSL_PROVIDER *default_provider = NULL; +#endif + const char *CryptoLastErrorString() { const char *errmsg = ERR_reason_error_string(ERR_get_error()); @@ -114,6 +119,20 @@ void CryptoDeInitialize() EVP_cleanup(); CleanupOpenSSLThreadLocks(); ERR_free_strings(); + +#if OPENSSL_VERSION_NUMBER > 0x30000000 + if (legacy_provider != NULL) + { + OSSL_PROVIDER_unload(legacy_provider); + legacy_provider = NULL; + } + if (default_provider != NULL) + { + OSSL_PROVIDER_unload(default_provider); + default_provider = NULL; + } +#endif + crypto_initialized = false; } } @@ -869,11 +888,13 @@ static void SetupOpenSSLThreadLocks(void) } #ifndef __MINGW32__ +#if OPENSSL_VERSION_NUMBER < 0x10100000 CRYPTO_set_id_callback((unsigned long (*)())ThreadId_callback); #endif - // This is a no-op macro for OpenSSL >= 1.1.0 - // The callback function is not used (or defined) then +#endif +#if OPENSSL_VERSION_NUMBER < 0x10100000 CRYPTO_set_locking_callback((void (*)())OpenSSLLock_callback); +#endif } static void CleanupOpenSSLThreadLocks(void) @@ -881,7 +902,9 @@ static void CleanupOpenSSLThreadLocks(void) const int numLocks = CRYPTO_num_locks(); CRYPTO_set_locking_callback(NULL); #ifndef __MINGW32__ +#if OPENSSL_VERSION_NUMBER < 0x10100000 CRYPTO_set_id_callback(NULL); +#endif #endif for (int i = 0; i < numLocks; i++) diff --git a/libpromises/dbm_api.c b/libpromises/dbm_api.c index 0b6365c214..4ecd61416a 100644 --- a/libpromises/dbm_api.c +++ b/libpromises/dbm_api.c @@ -168,6 +168,42 @@ char *DBIdToSubPath(dbid id, const char *subdb_name) return native_filename; } +Seq *SearchExistingSubDBNames(const dbid id) +{ + // On Windows, GetStateDir() used in DBIdToSubPath() has backslashes + // GlobFileList() won't work with backslashes in 3.21.x so workaround this issue +#ifdef _WIN32 + char *const broken_pattern = DBIdToSubPath(id, "*"); + char *const glob_pattern = SearchAndReplace(broken_pattern, "\\", "/"); + free(broken_pattern); +#else + char *const glob_pattern = DBIdToSubPath(id, "*"); +#endif + StringSet *const db_paths = GlobFileList(glob_pattern); + free(glob_pattern); + + Seq *const db_names = SeqNew(StringSetSize(db_paths), free); + StringSetIterator iter = StringSetIteratorInit(db_paths); + const char *db_path; + + // Start after the '$(sys.statedir)/packages_installed_' part of the path + const size_t from = strlen(GetStateDir()) + 1 + + strlen(DB_PATHS_STATEDIR[id]) + 1; + + // End before the '.lmdb' part of the path + const size_t chop = from + 1 + strlen(DBPrivGetFileExtension()); + + while ((db_path = StringSetIteratorNext(&iter)) != NULL) + { + char *const db_name = SafeStringNDuplicate(db_path + from, + strlen(db_path) - chop); + SeqAppend(db_names, db_name); + } + + StringSetDestroy(db_paths); + return db_names; +} + char *DBIdToPath(dbid id) { assert(DB_PATHS_STATEDIR[id] != NULL); @@ -397,17 +433,23 @@ bool OpenDBInstance(DBHandle **dbp, dbid id, DBHandle *handle) } } - DBPathUnLock(&lock); - } - - if (handle->priv) - { - if (!DBMigrate(handle, id)) + if (handle->priv != NULL) { - DBPrivCloseDB(handle->priv); - handle->priv = NULL; - handle->open_tstamp = -1; + if (!DBMigrate(handle, id)) + { + /* Migration failed. The best we can do is to move the + * broken DB to the side and start fresh. */ + DBPrivCloseDB(handle->priv); + DBPathMoveBroken(handle->filename); + handle->priv = DBPrivOpenDB(handle->filename, id); + if (handle->priv == DB_PRIV_DATABASE_BROKEN) + { + handle->priv = NULL; + } + } } + + DBPathUnLock(&lock); } } @@ -497,8 +539,14 @@ void CloseDB(DBHandle *handle) handle->refcount--; if (handle->refcount == 0) { + FileLock lock = EMPTY_FILE_LOCK; + bool locked = DBPathLock(&lock, handle->filename); DBPrivCloseDB(handle->priv); handle->open_tstamp = -1; + if (locked) + { + DBPathUnLock(&lock); + } } } @@ -520,6 +568,12 @@ bool CleanDB(DBHandle *handle) return ret; } +int GetDBUsagePercentage(const DBHandle *handle) +{ + assert(handle != NULL); + return DBPrivGetDBUsagePercentage(handle->filename); +} + /** * Freezes the DB so that it is never touched by this process again. In * particular, new OpenDB() calls are ignored and CloseAllDBExit() also ignores diff --git a/libpromises/dbm_api.h b/libpromises/dbm_api.h index fe5ed6a9dd..e3d735e80a 100644 --- a/libpromises/dbm_api.h +++ b/libpromises/dbm_api.h @@ -29,6 +29,7 @@ #define EC_CORRUPTION_REPAIR_FAILED 121 #include +#include #include // Only append to the end, keep in sync with DB_PATHS_STATEDIR array @@ -77,6 +78,7 @@ void CloseDB(CF_DB *dbp); DBHandle *GetDBHandleFromFilename(const char *db_file_name); time_t GetDBOpenTimestamp(const DBHandle *handle); +int GetDBUsagePercentage(const DBHandle *handle); bool HasKeyDB(CF_DB *dbp, const char *key, int key_size); int ValueSizeDB(CF_DB *dbp, const char *key, int key_size); @@ -106,6 +108,7 @@ bool DeleteDBCursor(CF_DBC *dbcp); char *DBIdToPath(dbid id); char *DBIdToSubPath(dbid id, const char *subdb_name); +Seq *SearchExistingSubDBNames(dbid id); StringMap *LoadDatabaseToStringMap(dbid database_id); diff --git a/libpromises/dbm_lmdb.c b/libpromises/dbm_lmdb.c index 9475643744..ae613fca2d 100644 --- a/libpromises/dbm_lmdb.c +++ b/libpromises/dbm_lmdb.c @@ -69,6 +69,7 @@ struct DBCursorPriv_ MDB_cursor *mc; MDB_val delkey; void *curkv; + size_t curks; bool pending_delete; }; @@ -79,13 +80,18 @@ static int DB_MAX_READERS = -1; /******************************************************************************/ static void HandleLMDBCorruption(MDB_env *env, const char *msg); +static void HandleFullLMDB(MDB_env *env); -static inline void CheckLMDBCorrupted(int rc, MDB_env *env) +static inline void CheckLMDBUsable(int rc, MDB_env *env) { if (rc == MDB_CORRUPTED) { HandleLMDBCorruption(env, ""); } + else if (rc == MDB_MAP_FULL) + { + HandleFullLMDB(env); + } } static int GetReadTransaction(DBPriv *const db, DBTxn **const txn) @@ -134,7 +140,7 @@ static int GetWriteTransaction(DBPriv *const db, DBTxn **const txn) if (db_txn->txn != NULL && !db_txn->rw_txn) { rc = mdb_txn_commit(db_txn->txn); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != MDB_SUCCESS) { Log(LOG_LEVEL_ERR, "Unable to close read-only transaction in '%s': %s", @@ -146,7 +152,7 @@ static int GetWriteTransaction(DBPriv *const db, DBTxn **const txn) if (db_txn->txn == NULL) { rc = mdb_txn_begin(db->env, NULL, 0, &db_txn->txn); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc == MDB_SUCCESS) { db_txn->rw_txn = true; @@ -197,6 +203,7 @@ const char *DBPrivGetFileExtension(void) return "lmdb"; } +/* NOTE: Must be in sync with LMDB_MAXSIZE in cf-check/diagnose.c. */ #ifndef LMDB_MAXSIZE #define LMDB_MAXSIZE 104857600 #endif @@ -280,6 +287,43 @@ static bool RepairedAfterOpen(const char *lmdb_file, int fd_tstamp) return false; } +/** + * @warning Expects @fd_stamp to be locked. + */ +static bool RotatedAfterOpen(const char *lmdb_file, int fd_tstamp) +{ + time_t rotated_tstamp = -1; + ssize_t n_read = read(fd_tstamp, &rotated_tstamp, sizeof(time_t)); + lseek(fd_tstamp, 0, SEEK_SET); + + if (n_read < 0) + { + Log(LOG_LEVEL_ERR, "Failed to read %s: %s", lmdb_file, GetErrorStr()); + } + else if (n_read == 0) + { + /* EOF (empty file) => never rotated */ + Log(LOG_LEVEL_VERBOSE, "DB '%s' never rotated before", lmdb_file); + } + else if ((size_t) n_read < sizeof(time_t)) + { + /* error */ + Log(LOG_LEVEL_ERR, "Failed to read the timestamp of rotation of the '%s' DB", + lmdb_file); + } + else + { + /* read the timestamp => Check if the LMDB file was rotated after + * we opened it last time. */ + DBHandle *handle = GetDBHandleFromFilename(lmdb_file); + if (rotated_tstamp > GetDBOpenTimestamp(handle)) + { + return true; + } + } + return false; +} + static void HandleLMDBCorruption(MDB_env *env, const char *msg) { const char *lmdb_file = mdb_env_get_userctx(env); @@ -490,6 +534,220 @@ static void HandleLMDBCorruption(MDB_env *env, const char *msg) #endif /* __MINGW32__ */ } +/** + * A modified clone of HandleLMDBCorruption() for handling full LMDBs. It's not + * easy and nice to share much code between the two functions, unfortunately. + */ +static void HandleFullLMDB(MDB_env *env) +{ + const char *lmdb_file = mdb_env_get_userctx(env); + Log(LOG_LEVEL_CRIT, "'%s' DB full!", lmdb_file); + + /* Freeze the DB ASAP. This also makes the call to exit() safe regarding + * this particular DB because exit handlers will ignore it. */ + DBHandle *handle = GetDBHandleFromFilename(lmdb_file); + FreezeDB(handle); + +#ifdef _WIN32 + /* Not much we can do on Windows because there is no fork() and file locking + * is also not so nice. */ + Log(LOG_LEVEL_WARNING, "Moving the full DB file '%s' aside", + lmdb_file); + time_t now = time(NULL); + char *rotated_file = StringFormat("%s.rotated.%jd", lmdb_file, (intmax_t) now); + if (rename(lmdb_file, rotated_file) != 0) + { + free(rotated_file); + Log(LOG_LEVEL_CRIT, + "Failed to move the full DB file '%s' aside (%s), will be removed instead", + lmdb_file, GetErrorStr()); + if (unlink(lmdb_file) != 0) + { + Log(LOG_LEVEL_CRIT, "Failed to remove the full DB file '%s': %s", + lmdb_file, GetErrorStr()); + } + exit(EC_CORRUPTION_REPAIR_FAILED); + } + free(rotated_file); + exit(EC_CORRUPTION_REPAIRED); +#else + /* To avoid two processes acting on the same corrupted file at once, file + * locks are involved. Looking at OpenDBInstance() and DBPathLock() + * in libpromises/db_api.c might also be useful.*/ + + /* Only allow one thread at a time to handle a full or corrupted DB. File + * locks are *process* specific so threads could step on each others + * toes. */ + ThreadLock(cft_db_corruption_lock); + + char *tstamp_file = StringFormat("%s.rotated", lmdb_file); + char *db_lock_file = StringFormat("%s.lock", lmdb_file); + + int fd_tstamp = safe_open(tstamp_file, O_CREAT|O_RDWR); + if (fd_tstamp == -1) + { + Log(LOG_LEVEL_CRIT, "Failed to open the '%s' DB rotation timestamp file", + lmdb_file); + ThreadUnlock(cft_db_corruption_lock); + free(db_lock_file); + free(tstamp_file); + + exit(EC_CORRUPTION_REPAIR_FAILED); + } + FileLock tstamp_lock = { .fd = fd_tstamp }; + + int fd_db_lock = safe_open(db_lock_file, O_CREAT|O_RDWR); + if (fd_db_lock == -1) + { + Log(LOG_LEVEL_CRIT, "Failed to open the '%s' DB lock file", + lmdb_file); + ThreadUnlock(cft_db_corruption_lock); + close(fd_tstamp); + free(db_lock_file); + free(tstamp_file); + + exit(EC_CORRUPTION_REPAIR_FAILED); + } + FileLock db_lock = { .fd = fd_db_lock }; + + int ret; + bool handle_rotation = true; + + /* Make sure we are not holding the DB's lock (potentially needed by some + * other process for the repair or rotation) to avoid deadlocks. */ + Log(LOG_LEVEL_DEBUG, "Releasing lock on the '%s' DB", lmdb_file); + ExclusiveFileUnlock(&db_lock, false); /* close=false */ + + ret = SharedFileLock(&tstamp_lock, true); + if (ret == 0) + { + if (RotatedAfterOpen(lmdb_file, fd_tstamp)) + { + /* The corruption has already been handled. This process should just + * die because we have no way to return to the point where it would + * just open the new (repaired or rotated) LMDB file. */ + handle_rotation = false; + } + SharedFileUnlock(&tstamp_lock, false); + } + else + { + /* should never happen (we tried to wait), but if it does, just log an + * error and keep going */ + Log(LOG_LEVEL_ERR, + "Failed to get shared lock for the rotation timestamp of the '%s' DB", + lmdb_file); + } + + if (!handle_rotation) + { + /* Just clean after ourselves and terminate the process. */ + ThreadUnlock(cft_db_corruption_lock); + close(fd_db_lock); + close(fd_tstamp); + free(db_lock_file); + free(tstamp_file); + + exit(EC_CORRUPTION_REPAIRED); + } + + /* HERE is a window for some other process to do the rotation between when we + * checked the timestamp using the shared lock above and the attempt to get + * the exclusive lock right below. However, this is detected by checking the + * contents of the timestamp file again below, while holding the EXCLUSIVE + * lock. */ + + ret = ExclusiveFileLock(&tstamp_lock, true); + if (ret != 0) + { + /* should never happen (we tried to wait), but if it does, just + * terminate because doing the rotation without the lock could be + * disasterous */ + Log(LOG_LEVEL_ERR, + "Failed to get shared lock for the rotation timestamp of the '%s' DB", + lmdb_file); + + ThreadUnlock(cft_db_corruption_lock); + close(fd_db_lock); + close(fd_tstamp); + free(db_lock_file); + free(tstamp_file); + + exit(EC_CORRUPTION_REPAIR_FAILED); + } + + /* Cleared to resolve the corruption. */ + + /* 1. Acquire the lock for the DB to prevent more processes trying to use + * it while it is corrupted (wait till the lock is available). */ + while (ExclusiveFileLock(&db_lock, false) == -1) + { + /* busy wait to do the logging */ + Log(LOG_LEVEL_INFO, "Waiting for the lock on the '%s' DB", + lmdb_file); + sleep(1); + } + + /* 2. Check the last rotation timestamp again (see the big "HERE..." comment + * above) */ + if (RotatedAfterOpen(lmdb_file, fd_tstamp)) + { + /* Some other process rotated the DB since we checked last time, + * nothing more to do here. */ + ThreadUnlock(cft_db_corruption_lock); + close(fd_db_lock); /* releases locks */ + close(fd_tstamp); /* releases locks */ + free(db_lock_file); + free(tstamp_file); + + exit(EC_CORRUPTION_REPAIRED); + } + + /* 3. Rotate the DB or at least move it out of the way. */ + ret = rotate_lmdb_file(lmdb_file, fd_tstamp); + bool rotation_successful = (ret == 0); + if (rotation_successful) + { + Log(LOG_LEVEL_NOTICE, "DB '%s' successfully rotated", lmdb_file); + } + else + { + Log(LOG_LEVEL_CRIT, "Failed to rotate '%s' DB", lmdb_file); + } + + /* 4. Make the rotated DB available for others. Also release the locks + * in the opposite order in which they were acquired to avoid + * deadlocks. */ + if (ExclusiveFileUnlock(&db_lock, true) != 0) + { + Log(LOG_LEVEL_ERR, "Failed to release the acquired lock for '%s'", + db_lock_file); + } + + /* 5. Signal that the rotation is done (also closes fd_tstamp). */ + if (ExclusiveFileUnlock(&tstamp_lock, true) != 0) + { + Log(LOG_LEVEL_ERR, "Failed to release the acquired lock for '%s'", + tstamp_file); + } + + ThreadUnlock(cft_db_corruption_lock); + free(db_lock_file); + free(tstamp_file); + /* fd_db_lock and fd_tstamp are already closed by the calls to + * ExclusiveFileUnlock above. */ + + if (rotation_successful) + { + exit(EC_CORRUPTION_REPAIRED); + } + else + { + exit(EC_CORRUPTION_REPAIR_FAILED); + } +#endif /* _WIN32 */ +} + DBPriv *DBPrivOpenDB(const char *const dbpath, const dbid id) { DBPriv *const db = xcalloc(1, sizeof(DBPriv)); @@ -603,7 +861,7 @@ DBPriv *DBPrivOpenDB(const char *const dbpath, const dbid id) int attempts = N_LMDB_EINVAL_RETRIES; while ((rc != 0) && (attempts-- > 0)) { - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != EINVAL) { Log(LOG_LEVEL_ERR, "Could not open database txn %s: %s", @@ -624,7 +882,7 @@ DBPriv *DBPrivOpenDB(const char *const dbpath, const dbid id) goto err; } rc = mdb_open(txn, NULL, 0, &db->dbi); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc) { Log(LOG_LEVEL_ERR, "Could not open database dbi %s: %s", @@ -633,7 +891,7 @@ DBPriv *DBPrivOpenDB(const char *const dbpath, const dbid id) goto err; } rc = mdb_txn_commit(txn); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc) { Log(LOG_LEVEL_ERR, "Could not commit database dbi %s: %s", @@ -700,6 +958,18 @@ bool DBPrivClean(DBPriv *db) return (mdb_drop(txn->txn, db->dbi, EMPTY_DB) != 0); } +int DBPrivGetDBUsagePercentage(const char *db_path) +{ + struct stat sb; + int ret = stat(db_path, &sb); + if (ret == -1) + { + Log(LOG_LEVEL_ERR, "Failed to get size of '%s': %s", db_path, GetErrorStr()); + return -1; + } + return (int) ((((float) sb.st_size) / LMDB_MAXSIZE) * 100); +} + void DBPrivCommit(DBPriv *db) { assert(db != NULL); @@ -709,7 +979,7 @@ void DBPrivCommit(DBPriv *db) { assert(!db_txn->cursor_open); const int rc = mdb_txn_commit(db_txn->txn); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != MDB_SUCCESS) { Log(LOG_LEVEL_ERR, "Could not commit database transaction to '%s': %s", @@ -735,7 +1005,7 @@ bool DBPrivHasKey(DBPriv *db, const void *key, int key_size) mkey.mv_data = (void *) key; mkey.mv_size = key_size; rc = mdb_get(txn->txn, db->dbi, &mkey, &data); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != 0 && rc != MDB_NOTFOUND) { Log(LOG_LEVEL_ERR, "Could not read database entry from '%s': %s", @@ -764,7 +1034,7 @@ int DBPrivGetValueSize(DBPriv *const db, const void *const key, const int key_si mkey.mv_data = (void *) key; mkey.mv_size = key_size; rc = mdb_get(txn->txn, db->dbi, &mkey, &data); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc && rc != MDB_NOTFOUND) { Log(LOG_LEVEL_ERR, "Could not read database entry from '%s': %s", @@ -800,7 +1070,7 @@ bool DBPrivRead( mkey.mv_data = (void *) key; mkey.mv_size = key_size; rc = mdb_get(txn->txn, db->dbi, &mkey, &data); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc == MDB_SUCCESS) { if (dest_size > data.mv_size) @@ -842,7 +1112,7 @@ bool DBPrivWrite( data.mv_data = (void *)value; data.mv_size = value_size; rc = mdb_put(txn->txn, db->dbi, &mkey, &data, 0); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != MDB_SUCCESS) { Log(LOG_LEVEL_ERR, "Could not write database entry to '%s': %s", @@ -873,7 +1143,7 @@ bool DBPrivOverwrite(DBPriv *db, const char *key, int key_size, const void *valu mkey.mv_data = (void *) key; mkey.mv_size = key_size; rc = mdb_get(txn->txn, db->dbi, &mkey, &orig_data); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if ((rc != MDB_SUCCESS) && (rc != MDB_NOTFOUND)) { Log(LOG_LEVEL_ERR, "Could not read database entry from '%s': %s", @@ -914,7 +1184,7 @@ bool DBPrivOverwrite(DBPriv *db, const char *key, int key_size, const void *valu new_data.mv_data = (void *)value; new_data.mv_size = value_size; rc = mdb_put(txn->txn, db->dbi, &mkey, &new_data, 0); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc != MDB_SUCCESS) { Log(LOG_LEVEL_ERR, "Could not write database entry to '%s': %s", @@ -940,7 +1210,7 @@ bool DBPrivDelete(DBPriv *const db, const void *const key, const int key_size) mkey.mv_data = (void *) key; mkey.mv_size = key_size; rc = mdb_del(txn->txn, db->dbi, &mkey, NULL); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc == MDB_NOTFOUND) { Log(LOG_LEVEL_DEBUG, "Entry not found in '%s': %s", @@ -969,7 +1239,7 @@ DBCursorPriv *DBPrivOpenCursor(DBPriv *const db) { assert(!txn->cursor_open); rc = mdb_cursor_open(txn->txn, db->dbi, &mc); - CheckLMDBCorrupted(rc, db->env); + CheckLMDBUsable(rc, db->env); if (rc == MDB_SUCCESS) { cursor = xcalloc(1, sizeof(DBCursorPriv)); @@ -1009,7 +1279,7 @@ bool DBPrivAdvanceCursor( } int rc = mdb_cursor_get(cursor->mc, &mkey, &data, MDB_NEXT); - CheckLMDBCorrupted(rc, cursor->db->env); + CheckLMDBUsable(rc, cursor->db->env); if (rc == MDB_SUCCESS) { // Align second buffer to 64-bit boundary, to avoid alignment errors on @@ -1021,6 +1291,7 @@ bool DBPrivAdvanceCursor( } cursor->curkv = xmalloc(keybuf_size + data.mv_size); memcpy(cursor->curkv, mkey.mv_data, mkey.mv_size); + cursor->curks = mkey.mv_size; *key = cursor->curkv; *key_size = mkey.mv_size; *value_size = data.mv_size; @@ -1048,7 +1319,7 @@ bool DBPrivAdvanceCursor( { mkey.mv_data = *key; rc = mdb_cursor_get(cursor->mc, &mkey, NULL, MDB_SET); - CheckLMDBCorrupted(rc, cursor->db->env); + CheckLMDBUsable(rc, cursor->db->env); // TODO: Should the return value be checked? } cursor->pending_delete = false; @@ -1061,7 +1332,7 @@ bool DBPrivDeleteCursorEntry(DBCursorPriv *const cursor) assert(cursor != NULL); int rc = mdb_cursor_get(cursor->mc, &cursor->delkey, NULL, MDB_GET_CURRENT); - CheckLMDBCorrupted(rc, cursor->db->env); + CheckLMDBUsable(rc, cursor->db->env); if (rc == MDB_SUCCESS) { cursor->pending_delete = true; @@ -1086,10 +1357,10 @@ bool DBPrivWriteCursorEntry( { MDB_val curkey; curkey.mv_data = cursor->curkv; - curkey.mv_size = sizeof(cursor->curkv); + curkey.mv_size = cursor->curks; rc = mdb_cursor_put(cursor->mc, &curkey, &data, MDB_CURRENT); - CheckLMDBCorrupted(rc, cursor->db->env); + CheckLMDBUsable(rc, cursor->db->env); if (rc != MDB_SUCCESS) { Log(LOG_LEVEL_ERR, "Could not write cursor entry to '%s': %s", diff --git a/libpromises/dbm_migration.c b/libpromises/dbm_migration.c index b494636e83..b146765eac 100644 --- a/libpromises/dbm_migration.c +++ b/libpromises/dbm_migration.c @@ -26,11 +26,12 @@ #include #include +#include extern const DBMigrationFunction dbm_migration_plan_lastseen[]; -#ifdef LMDB +#ifndef LMDB bool DBMigrate(ARG_UNUSED DBHandle *db, ARG_UNUSED dbid id) { return true; @@ -64,6 +65,11 @@ bool DBMigrate(DBHandle *db, dbid id) { if (step_version == DBVersion(db)) { + Seq *seq = SeqNew(1, free); + SeqAppend(seq, DBIdToPath(id)); + backup_files_copy(seq); + SeqDestroy(seq); + if (!(*step)(db)) { return false; diff --git a/libpromises/dbm_migration_lastseen.c b/libpromises/dbm_migration_lastseen.c index df867be410..68dcee28f8 100644 --- a/libpromises/dbm_migration_lastseen.c +++ b/libpromises/dbm_migration_lastseen.c @@ -26,6 +26,7 @@ #include #include +#include typedef struct { @@ -34,6 +35,12 @@ typedef struct double var; } QPoint0; +typedef struct +{ + time_t lastseen; + QPoint Q; // Average time between connections (rolling weighted average) +} KeyHostSeen1; + #define QPOINT0_OFFSET 128 /* @@ -48,142 +55,95 @@ typedef struct static bool LastseenMigrationVersion0(DBHandle *db) { - bool errors = false; - DBCursor *cursor; + /* For some reason DB migration for LMDB was disabled in 2014 (in commit + * 8611970bfa33be7b3cf0724eb684833e08582850). Unfortunately there is no + * mention as to why this was done. Maybe it was not working? + * + * However, we're re-enabling it now (10 years later). Since this + * migration function has not been active for the last 10 years, the + * safest thing is to remove the migration logic, and only update the + * version number. + * + * If you have not upgraded CFEngine in the last 10 years, this will be + * the least of your problems. + */ + return WriteDB(db, "version", "1", sizeof("1")); +} +static bool LastseenMigrationVersion1(DBHandle *db) +{ + DBCursor *cursor; if (!NewDBCursor(db, &cursor)) { + Log(LOG_LEVEL_ERR, + "Unable to create database cursor during lastseen migration"); return false; } char *key; void *value; - int ksize, vsize; + int key_size, value_size; - while (NextDB(cursor, &key, &ksize, &value, &vsize)) + // Iterate through all key-value pairs + while (NextDB(cursor, &key, &key_size, &value, &value_size)) { - if (ksize == 0) + if (key_size == 0) { - Log(LOG_LEVEL_INFO, "LastseenMigrationVersion0: Database structure error -- zero-length key."); + Log(LOG_LEVEL_WARNING, + "Found zero-length key during lastseen migration"); continue; } - /* Only look for old [+-]kH -> IP entries */ - if ((key[0] != '+') && (key[0] != '-')) + // Only look for old KeyHostSeen entries + if (key[0] != 'q') { - /* Warn about completely unexpected keys */ - - if ((key[0] != 'q') && (key[0] != 'k') && (key[0] != 'a')) + // Warn about completely unexpected keys + if ((key[0] != 'k') && (key[0] != 'a') && !StringEqualN(key, "version", key_size)) { - Log(LOG_LEVEL_INFO, "LastseenMigrationVersion0: Malformed key found '%s'", key); + Log(LOG_LEVEL_WARNING, + "Found unexpected key '%s' during lastseen migration. " + "Only expecting 'version' or 'k', 'a' and 'q[i|o]' prefixed keys.", + key); } - - continue; - } - - bool incoming = key[0] == '-'; - const char *hostkey = key + 1; - - /* Only migrate sane data */ - if (vsize != QPOINT0_OFFSET + sizeof(QPoint0)) - { - Log(LOG_LEVEL_INFO, - "LastseenMigrationVersion0: invalid value size for key '%s', entry is deleted", - key); - DBCursorDeleteEntry(cursor); - continue; - } - - /* Properly align the data */ - const char *old_data_address = (const char *) value; - QPoint0 old_data_q; - memcpy(&old_data_q, (const char *) value + QPOINT0_OFFSET, - sizeof(QPoint0)); - - char hostkey_key[CF_BUFSIZE]; - snprintf(hostkey_key, CF_BUFSIZE, "k%s", hostkey); - - if (!WriteDB(db, hostkey_key, old_data_address, strlen(old_data_address) + 1)) - { - Log(LOG_LEVEL_INFO, "Unable to write version 1 lastseen entry for '%s'", key); - errors = true; - continue; - } - - char address_key[CF_BUFSIZE]; - snprintf(address_key, CF_BUFSIZE, "a%s", old_data_address); - - if (!WriteDB(db, address_key, hostkey, strlen(hostkey) + 1)) - { - Log(LOG_LEVEL_INFO, "Unable to write version 1 reverse lastseen entry for '%s'", key); - errors = true; - continue; - } - - char quality_key[CF_BUFSIZE]; - snprintf(quality_key, CF_BUFSIZE, "q%c%s", incoming ? 'i' : 'o', hostkey); - - /* - Ignore malformed connection quality data - */ - - if ((!isfinite(old_data_q.q)) - || (old_data_q.q < 0) - || (!isfinite(old_data_q.expect)) - || (!isfinite(old_data_q.var))) - { - Log(LOG_LEVEL_INFO, "Ignoring malformed connection quality data for '%s'", key); - DBCursorDeleteEntry(cursor); continue; } - KeyHostSeen data = { - .lastseen = (time_t)old_data_q.q, - .Q = { - /* - Previously .q wasn't stored in database, but was calculated - every time as a difference between previous timestamp and a - new timestamp. Given we don't have this information during - the database upgrade, just assume that last reading is an - average one. - */ - .q = old_data_q.expect, - .dq = 0, - .expect = old_data_q.expect, - .var = old_data_q.var, - } + KeyHostSeen1 *old_value = value; + KeyHostSeen new_value = { + .acknowledged = true, // We don't know, assume yes + .lastseen = old_value->lastseen, + .Q = old_value->Q, }; - if (!WriteDB(db, quality_key, &data, sizeof(data))) - { - Log(LOG_LEVEL_INFO, "Unable to write version 1 connection quality key for '%s'", key); - errors = true; - continue; - } - - if (!DBCursorDeleteEntry(cursor)) + // This will overwrite the entry + if (!DBCursorWriteEntry(cursor, &new_value, sizeof(new_value))) { - Log(LOG_LEVEL_INFO, "Unable to delete version 0 lastseen entry for '%s'", key); - errors = true; + Log(LOG_LEVEL_ERR, + "Unable to write version 2 of entry for key '%s' during lastseen migration.", + key); + return false; } } - if (DeleteDBCursor(cursor) == false) + if (!DeleteDBCursor(cursor)) { - Log(LOG_LEVEL_ERR, "LastseenMigrationVersion0: Unable to close cursor"); - errors = true; + Log(LOG_LEVEL_ERR, "Unable to close cursor during lastseen migration"); + return false; } - if ((!errors) && (!WriteDB(db, "version", "1", sizeof("1")))) + if (!WriteDB(db, "version", "2", sizeof("2"))) { - errors = true; + Log(LOG_LEVEL_ERR, "Failed to update version number during lastseen migration"); + return false; } - return !errors; + Log(LOG_LEVEL_INFO, "Migrated lastseen database from version 1 to 2"); + return true; } const DBMigrationFunction dbm_migration_plan_lastseen[] = { LastseenMigrationVersion0, + LastseenMigrationVersion1, NULL }; diff --git a/libpromises/dbm_priv.h b/libpromises/dbm_priv.h index b3d6edf77b..c36a6a6988 100644 --- a/libpromises/dbm_priv.h +++ b/libpromises/dbm_priv.h @@ -54,6 +54,8 @@ void DBPrivCloseDB(DBPriv *hdbp); void DBPrivCommit(DBPriv *hdbp); bool DBPrivClean(DBPriv *hdbp); +int DBPrivGetDBUsagePercentage(const char *db_path); + bool DBPrivHasKey(DBPriv *db, const void *key, int key_size); int DBPrivGetValueSize(DBPriv *db, const void *key, int key_size); diff --git a/libpromises/dbm_quick.c b/libpromises/dbm_quick.c index 424e8c3337..c907499df5 100644 --- a/libpromises/dbm_quick.c +++ b/libpromises/dbm_quick.c @@ -206,6 +206,12 @@ bool DBPrivClean(DBPriv *db) return true; } +int DBPrivGetDBUsagePercentage(ARG_UNUSED const char *db_path) +{ + Log(LOG_LEVEL_WARNING, "Cannot determine usage of a QuickDB database"); + return -1; +} + bool DBPrivRead(DBPriv *db, const void *key, int key_size, void *dest, size_t dest_size) { if (!Lock(db)) diff --git a/libpromises/dbm_tokyocab.c b/libpromises/dbm_tokyocab.c index 56f8876f2a..667fdc39ef 100644 --- a/libpromises/dbm_tokyocab.c +++ b/libpromises/dbm_tokyocab.c @@ -245,6 +245,12 @@ bool DBPrivClean(DBPriv *db) return true; } +int DBPrivGetDBUsagePercentage(ARG_UNUSED const char *db_path) +{ + Log(LOG_LEVEL_WARNING, "Cannot determine usage of a TokyoCabinet database"); + return -1; +} + bool DBPrivHasKey(DBPriv *db, const void *key, int key_size) { // FIXME: distinguish between "entry not found" and "error occurred" diff --git a/libpromises/eval_context.c b/libpromises/eval_context.c index 695ff8d045..de7f1b7d7a 100644 --- a/libpromises/eval_context.c +++ b/libpromises/eval_context.c @@ -2832,12 +2832,20 @@ bool EvalContextFunctionCacheGet(const EvalContext *ctx, const FnCall *fp ARG_UNUSED, const Rlist *args, Rval *rval_out) { + assert(fp != NULL); + assert(fp->name != NULL); + assert(ctx != NULL); + if (!(ctx->eval_options & EVAL_OPTION_CACHE_SYSTEM_FUNCTIONS)) { return false; } - Rval *rval = FuncCacheMapGet(ctx->function_cache, args); + // The cache key is made of the function name and all args values + Rlist *args_copy = RlistCopy(args); + Rlist *key = RlistPrepend(&args_copy, fp->name, RVAL_TYPE_SCALAR); + Rval *rval = FuncCacheMapGet(ctx->function_cache, key); + RlistDestroy(key); if (rval) { if (rval_out) @@ -2856,6 +2864,10 @@ void EvalContextFunctionCachePut(EvalContext *ctx, const FnCall *fp ARG_UNUSED, const Rlist *args, const Rval *rval) { + assert(fp != NULL); + assert(fp->name != NULL); + assert(ctx != NULL); + if (!(ctx->eval_options & EVAL_OPTION_CACHE_SYSTEM_FUNCTIONS)) { return; @@ -2863,7 +2875,11 @@ void EvalContextFunctionCachePut(EvalContext *ctx, Rval *rval_copy = xmalloc(sizeof(Rval)); *rval_copy = RvalCopy(*rval); - FuncCacheMapInsert(ctx->function_cache, RlistCopy(args), rval_copy); + + Rlist *args_copy = RlistCopy(args); + Rlist *key = RlistPrepend(&args_copy, fp->name, RVAL_TYPE_SCALAR); + + FuncCacheMapInsert(ctx->function_cache, key, rval_copy); } /* cfPS and associated machinery */ @@ -3484,6 +3500,65 @@ bool EvalContextIsIgnoringLocks(const EvalContext *ctx) return ctx->ignore_locks; } +StringSet *ClassesMatchingLocalRecursive( + const EvalContext *ctx, + const char *regex, + const Rlist *tags, + bool first_only, + size_t stack_index) +{ + assert(ctx != NULL); + StackFrame *frame = SeqAt(ctx->stack, stack_index); + StringSet *matches; + if (frame->type == STACK_FRAME_TYPE_BUNDLE) + { + ClassTableIterator *iter = ClassTableIteratorNew( + frame->data.bundle.classes, + frame->data.bundle.owner->ns, + false, + true); // from EvalContextClassTableIteratorNewLocal() + matches = ClassesMatching(ctx, iter, regex, tags, first_only); + ClassTableIteratorDestroy(iter); + } + else + { + matches = StringSetNew(); // empty for passing up the recursion chain + } + + if (stack_index > 0 && frame->inherits_previous) + { + StringSet *parent_matches = ClassesMatchingLocalRecursive( + ctx, regex, tags, first_only, stack_index - 1); + StringSetJoin(matches, parent_matches, xstrdup); + StringSetDestroy(parent_matches); + } + + return matches; +} + +StringSet *ClassesMatchingLocal( + const EvalContext *ctx, + const char *regex, + const Rlist *tags, + bool first_only) +{ + assert(ctx != NULL); + return ClassesMatchingLocalRecursive( + ctx, regex, tags, first_only, SeqLength(ctx->stack) - 1); +} + +StringSet *ClassesMatchingGlobal( + const EvalContext *ctx, + const char *regex, + const Rlist *tags, + bool first_only) +{ + ClassTableIterator *iter = + EvalContextClassTableIteratorNewGlobal(ctx, NULL, true, true); + StringSet *matches = ClassesMatching(ctx, iter, regex, tags, first_only); + ClassTableIteratorDestroy(iter); + return matches; +} StringSet *ClassesMatching(const EvalContext *ctx, ClassTableIterator *iter, const char* regex, const Rlist *tags, bool first_only) { StringSet *matching = StringSetNew(); diff --git a/libpromises/eval_context.h b/libpromises/eval_context.h index f5e72d5250..01b16788ba 100644 --- a/libpromises/eval_context.h +++ b/libpromises/eval_context.h @@ -249,7 +249,8 @@ static inline bool IsDefinedClass(const EvalContext *ctx, const char *context) return (CheckClassExpression(ctx, context) == EXPRESSION_VALUE_TRUE); } StringSet *ClassesMatching(const EvalContext *ctx, ClassTableIterator *iter, const char* regex, const Rlist *tags, bool first_only); - +StringSet *ClassesMatchingGlobal(const EvalContext *ctx, const char* regex, const Rlist *tags, bool first_only); +StringSet *ClassesMatchingLocal(const EvalContext *ctx, const char* regex, const Rlist *tags, bool first_only); bool EvalProcessResult(const char *process_result, StringSet *proc_attr); bool EvalFileResult(const char *file_result, StringSet *leaf_attr); diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c index 52c4c544bc..852d7fde43 100644 --- a/libpromises/evalfunction.c +++ b/libpromises/evalfunction.c @@ -22,6 +22,7 @@ included file COSL.txt. */ +#include #include #include @@ -1329,6 +1330,7 @@ static FnCallResult FnCallIfElse(EvalContext *ctx, static FnCallResult FnCallClassesMatching(EvalContext *ctx, ARG_UNUSED const Policy *policy, const FnCall *fp, const Rlist *finalargs) { + assert(finalargs != NULL); bool count_only = false; bool check_only = false; unsigned count = 0; @@ -1367,8 +1369,7 @@ static FnCallResult FnCallClassesMatching(EvalContext *ctx, ARG_UNUSED const Pol Rlist *matches = NULL; { - ClassTableIterator *iter = EvalContextClassTableIteratorNewGlobal(ctx, NULL, true, true); - StringSet *global_matches = ClassesMatching(ctx, iter, RlistScalarValue(finalargs), finalargs->next, check_only); + StringSet *global_matches = ClassesMatchingGlobal(ctx, RlistScalarValue(finalargs), finalargs->next, check_only); StringSetIterator it = StringSetIteratorInit(global_matches); const char *element = NULL; @@ -1385,7 +1386,6 @@ static FnCallResult FnCallClassesMatching(EvalContext *ctx, ARG_UNUSED const Pol } StringSetDestroy(global_matches); - ClassTableIteratorDestroy(iter); } if (check_only && count >= 1) @@ -1394,8 +1394,7 @@ static FnCallResult FnCallClassesMatching(EvalContext *ctx, ARG_UNUSED const Pol } { - ClassTableIterator *iter = EvalContextClassTableIteratorNewLocal(ctx); - StringSet *local_matches = ClassesMatching(ctx, iter, RlistScalarValue(finalargs), finalargs->next, check_only); + StringSet *local_matches = ClassesMatchingLocal(ctx, RlistScalarValue(finalargs), finalargs->next, check_only); StringSetIterator it = StringSetIteratorInit(local_matches); const char *element = NULL; @@ -1412,7 +1411,6 @@ static FnCallResult FnCallClassesMatching(EvalContext *ctx, ARG_UNUSED const Pol } StringSetDestroy(local_matches); - ClassTableIteratorDestroy(iter); } if (check_only) @@ -1810,7 +1808,7 @@ static bool GetLegacyPackagesMatching(pcre *matcher, JsonElement *json, const bo "Cannot open the %s packages inventory '%s' - " "This is not necessarily an error. " "Either the inventory policy has not been included, " - "or it has not had time to have an effect yet or you are using" + "or it has not had time to have an effect yet or you are using " "new package promise and check for legacy promise is made." "A future call may still succeed. (fopen: %s)", installed_mode ? "installed" : "available", @@ -1956,6 +1954,24 @@ static FnCallResult FnCallPackagesMatching(ARG_UNUSED EvalContext *ctx, ARG_UNUS Rlist *default_inventory = GetDefaultInventoryFromContext(ctx); + bool inventory_allocated = false; + if (default_inventory == NULL) + { + // Did not find default inventory from context, try looking for + // existing LMDB databases in the state directory + dbid database = (installed_mode ? dbid_packages_installed + : dbid_packages_updates); + Seq *const seq = SearchExistingSubDBNames(database); + const size_t length = SeqLength(seq); + for (size_t i = 0; i < length; i++) + { + const char *const db_name = SeqAt(seq, i); + RlistAppendString(&default_inventory, db_name); + inventory_allocated = true; + } + SeqDestroy(seq); + } + if (!default_inventory) { // Legacy package promise @@ -1983,10 +1999,18 @@ static FnCallResult FnCallPackagesMatching(ARG_UNUSED EvalContext *ctx, ARG_UNUS Log(LOG_LEVEL_DEBUG, "No valid package module inventory found"); pcre_free(matcher); JsonDestroy(json); + if (inventory_allocated) + { + RlistDestroy(default_inventory); + } return FnFailure(); } } + if (inventory_allocated) + { + RlistDestroy(default_inventory); + } pcre_free(matcher); if (ret == false) @@ -3644,7 +3668,6 @@ static FnCallResult FnCallMapData(EvalContext *ctx, ARG_UNUSED const Policy *pol { const JsonElement *e2; JsonIterator iter2 = JsonIteratorInit(e); - int position = 0; while ((e2 = JsonIteratorNextValueByType(&iter2, JSON_ELEMENT_TYPE_PRIMITIVE, true)) != NULL) { char *key = (char*) JsonGetPropertyAsString(e2); @@ -3697,7 +3720,6 @@ static FnCallResult FnCallMapData(EvalContext *ctx, ARG_UNUSED const Policy *pol EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_THIS, "k[1]"); } EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_THIS, "v"); - position++; } } break; @@ -5676,6 +5698,14 @@ static FnCallResult FnCallFormat(EvalContext *ctx, ARG_UNUSED const Policy *poli static FnCallResult FnCallIPRange(EvalContext *ctx, ARG_UNUSED const Policy *policy, const FnCall *fp, const Rlist *finalargs) { + assert(fp != NULL); + + if (finalargs == NULL) + { + Log(LOG_LEVEL_ERR, "Function '%s' requires at least one argument", fp->name); + return FnFailure(); + } + const char *range = RlistScalarValue(finalargs); const Rlist *ifaces = finalargs->next; @@ -5740,6 +5770,14 @@ static FnCallResult FnCallIsIpInSubnet(ARG_UNUSED EvalContext *ctx, ARG_UNUSED const Policy *policy, const FnCall *fp, const Rlist *finalargs) { + assert(fp != NULL); + + if (finalargs == NULL) + { + Log(LOG_LEVEL_ERR, "Function '%s' requires at least one argument", fp->name); + return FnFailure(); + } + const char *range = RlistScalarValue(finalargs); const Rlist *ips = finalargs->next; @@ -6857,6 +6895,12 @@ static FnCallResult FnCallEval(EvalContext *ctx, ARG_UNUSED const Policy *policy static FnCallResult FnCallReadFile(ARG_UNUSED EvalContext *ctx, ARG_UNUSED const Policy *policy, ARG_UNUSED const FnCall *fp, const Rlist *finalargs) { + if (finalargs == NULL) + { + Log(LOG_LEVEL_ERR, "Function 'readfile' requires at least one argument"); + return FnFailure(); + } + char *filename = RlistScalarValue(finalargs); const Rlist *next = finalargs->next; // max_size argument, default to inf: long maxsize = next ? IntFromString(RlistScalarValue(next)) : IntFromString("inf"); @@ -7089,7 +7133,7 @@ static FnCallResult ValidateDataGeneric(const char *const fname, } JsonElement *json = NULL; - JsonParseError err = JsonParse(&data, &json); + JsonParseError err = JsonParseAll(&data, &json); if (err != JSON_PARSE_OK) { Log(LOG_LEVEL_VERBOSE, "%s: %s", fname, JsonParseErrorToString(err)); @@ -8611,6 +8655,9 @@ void ModuleProtocol(EvalContext *ctx, const char *command, const char *line, int { assert(tags); + StringSetAdd(tags, xstrdup("source=module")); + StringSetAddF(tags, "derived_from=%s", command); + // see the sscanf() limit below if(context_size < 51) { @@ -8673,6 +8720,7 @@ void ModuleProtocol(EvalContext *ctx, const char *command, const char *line, int StringSetAddSplit(tags, content, ','); StringSetAdd(tags, xstrdup("source=module")); + StringSetAddF(tags, "derived_from=%s", command); } else if (sscanf(line + 1, "persistence=%ld", persistence) == 1) { @@ -9534,7 +9582,7 @@ static const FnCallArg READFILE_ARGS[] = static const FnCallArg VALIDDATATYPE_ARGS[] = { - {CF_ANYSTRING, CF_DATA_TYPE_STRING, "Data to validate"}, + {CF_ANYSTRING, CF_DATA_TYPE_STRING, "String to validate as JSON"}, {NULL, CF_DATA_TYPE_NONE, NULL} }; @@ -9589,7 +9637,7 @@ static const FnCallArg READDATA_ARGS[] = static const FnCallArg VALIDDATA_ARGS[] = { - {CF_ANYSTRING, CF_DATA_TYPE_STRING, "Data to validate"}, + {CF_ANYSTRING, CF_DATA_TYPE_STRING, "String to validate as JSON"}, {"JSON", CF_DATA_TYPE_OPTION, "Type of data to validate"}, {NULL, CF_DATA_TYPE_NONE, NULL} }; diff --git a/libpromises/expand.c b/libpromises/expand.c index 6a92ab9b72..6485ee20b3 100644 --- a/libpromises/expand.c +++ b/libpromises/expand.c @@ -607,8 +607,10 @@ char *ExpandScalar(const EvalContext *ctx, const char *ns, const char *scope, BufferDestroy(current_item); - LogDebug(LOG_MOD_EXPAND, "ExpandScalar( %s : %s . %s ) => %s", - SAFENULL(ns), SAFENULL(scope), string, BufferData(out)); + LogDebug(LOG_MOD_EXPAND, + "Expanded scalar '%s' to '%s' using %s namespace and %s scope.", + string, BufferData(out), (ns == NULL) ? "current" : ns, + (scope == NULL) ? "current" : scope); return out_belongs_to_us ? BufferClose(out) : BufferGet(out); } @@ -943,19 +945,26 @@ static void ResolveControlBody(EvalContext *ctx, GenericAgentConfig *config, Log(LOG_LEVEL_VERBOSE, "SET domain = %s", VDOMAIN); EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_SYS, "domain"); - EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_SYS, "fqhost"); - - // We don't expect hostname or domain name longer than 255, - // warnings are printed in sysinfo.c. - // Here we support up to 511 bytes, just in case, because we can: - snprintf(VFQNAME, CF_MAXVARSIZE, "%511s.%511s", VUQNAME, VDOMAIN); - EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "fqhost", - VFQNAME, CF_DATA_TYPE_STRING, - "inventory,source=agent,attribute_name=Host name"); EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "domain", VDOMAIN, CF_DATA_TYPE_STRING, "source=agent"); EvalContextClassPutHard(ctx, VDOMAIN, "source=agent"); + + int ret = snprintf(VFQNAME, CF_MAXVARSIZE, "%s.%s", VUQNAME, VDOMAIN); + assert(ret >= 0 && ret < CF_MAXVARSIZE); + if (ret < 0 || ret >= CF_MAXVARSIZE) + { + Log(LOG_LEVEL_ERR, + "Failed to update variable default:sys.fqhost to include domain name: " + "Maximum variable size was exceeded (%d >= %d)", ret, CF_MAXVARSIZE); + } + else + { + EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_SYS, "fqhost"); + EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "fqhost", + VFQNAME, CF_DATA_TYPE_STRING, + "inventory,source=agent,attribute_name=Host name"); + } } if (strcmp(lval, CFG_CONTROLBODY[COMMON_CONTROL_IGNORE_MISSING_INPUTS].lval) == 0) diff --git a/libpromises/files_lib.c b/libpromises/files_lib.c index 689b82571f..a380ea4660 100644 --- a/libpromises/files_lib.c +++ b/libpromises/files_lib.c @@ -120,11 +120,15 @@ bool MakeParentInternalDirectory(const char *parentandchild, bool force, bool *c parentandchild, force, true, created, DEFAULTMODE); } -bool MakeParentDirectoryForPromise(EvalContext *ctx, const Promise *pp, const Attributes *attr, - PromiseResult *result, const char *parentandchild, - bool force, bool *created) +bool MakeParentDirectoryForPromise(EvalContext *ctx, const Promise *pp, + const Attributes *attr, + PromiseResult *result, + const char *parentandchild, + bool force, bool *created, + const mode_t perms_mode) { - return MakeParentDirectoryImpl(ctx, pp, attr, result, parentandchild, force, false, created, DEFAULTMODE); + return MakeParentDirectoryImpl(ctx, pp, attr, result, parentandchild, + force, false, created, perms_mode); } static bool MakeParentDirectoryImpl(EvalContext *ctx, const Promise *pp, const Attributes *attr, diff --git a/libpromises/files_lib.h b/libpromises/files_lib.h index 718358e440..bff4b85a5a 100644 --- a/libpromises/files_lib.h +++ b/libpromises/files_lib.h @@ -52,9 +52,12 @@ bool MakeParentInternalDirectory(const char *parentandchild, bool force, bool *c * @warning This function will not behave right on Windows if the path * contains double (back)slashes! **/ -bool MakeParentDirectoryForPromise(EvalContext *ctx, const Promise *pp, const Attributes *attr, - PromiseResult *result, const char *parentandchild, - bool force, bool *created); +bool MakeParentDirectoryForPromise(EvalContext *ctx, const Promise *pp, + const Attributes *attr, + PromiseResult *result, + const char *parentandchild, + bool force, bool *created, + mode_t perms_mode); void RotateFiles(const char *name, int number); void CreateEmptyFile(char *name); diff --git a/libpromises/files_links.c b/libpromises/files_links.c index d032f1018b..2f6d5da076 100644 --- a/libpromises/files_links.c +++ b/libpromises/files_links.c @@ -137,9 +137,9 @@ PromiseResult VerifyLink(EvalContext *ctx, char *destination, const char *source } bool dir_created = false; - if (MakeParentDirectoryForPromise(ctx, pp, attr, &result, - destination, attr->move_obstructions, - &dir_created)) + if (MakeParentDirectoryForPromise(ctx, pp, attr, &result, destination, + attr->move_obstructions, + &dir_created, DEFAULTMODE)) { if (dir_created) { diff --git a/libpromises/fncall.c b/libpromises/fncall.c index e504b57e77..6782dc6589 100644 --- a/libpromises/fncall.c +++ b/libpromises/fncall.c @@ -228,7 +228,7 @@ void FnCallWrite(Writer *writer, const FnCall *call) switch (rp->val.type) { case RVAL_TYPE_SCALAR: - ScalarWrite(writer, RlistScalarValue(rp), true); + ScalarWrite(writer, RlistScalarValue(rp), true, false); break; case RVAL_TYPE_FNCALL: diff --git a/libpromises/generic_agent.c b/libpromises/generic_agent.c index 47d4721328..2c3af5608f 100644 --- a/libpromises/generic_agent.c +++ b/libpromises/generic_agent.c @@ -942,6 +942,8 @@ static void AddPolicyEntryVariables (EvalContext *ctx, const GenericAgentConfig void GenericAgentDiscoverContext(EvalContext *ctx, GenericAgentConfig *config, const char *program_name) { + assert(config != NULL); + strcpy(VPREFIX, ""); if (program_name != NULL) { @@ -1080,14 +1082,17 @@ void GenericAgentDiscoverContext(EvalContext *ctx, GenericAgentConfig *config, } /* Load CMDB data *before* augments. */ - if (!LoadCMDBData(ctx)) + if (!config->agent_specific.common.no_host_specific && !LoadCMDBData(ctx)) { Log(LOG_LEVEL_ERR, "Failed to load CMDB data"); } - /* load augments here so that they can make use of the classes added above - * (especially 'am_policy_hub' and 'policy_server') */ - LoadAugments(ctx, config); + if (!config->agent_specific.common.no_augments) + { + /* load augments here so that they can make use of the classes added above + * (especially 'am_policy_hub' and 'policy_server') */ + LoadAugments(ctx, config); + } } static bool IsPolicyPrecheckNeeded(GenericAgentConfig *config, bool force_validation) @@ -2518,6 +2523,9 @@ GenericAgentConfig *GenericAgentConfigNewDefault(AgentType agent_type, bool tty_ /* Log classes */ config->agent_specific.agent.report_class_log = false; + config->agent_specific.common.no_augments = false; + config->agent_specific.common.no_host_specific = false; + switch (agent_type) { case AGENT_TYPE_COMMON: diff --git a/libpromises/generic_agent.h b/libpromises/generic_agent.h index 2e334fe745..6238751720 100644 --- a/libpromises/generic_agent.h +++ b/libpromises/generic_agent.h @@ -80,6 +80,8 @@ typedef struct bool eval_functions; char *show_classes; char *show_variables; + bool no_augments; + bool no_host_specific; } common; struct { diff --git a/libpromises/iteration.c b/libpromises/iteration.c index 3fba1ed20f..8bcb77f8c8 100644 --- a/libpromises/iteration.c +++ b/libpromises/iteration.c @@ -100,9 +100,6 @@ typedef struct { * field never changes after Wheel initialisation. */ char *varname_unexp; - /* Number of dependencies of varname_unexp */ - // const size_t deps; - /* On each iteration of the wheels, the unexpanded string is * re-expanded, so the following is refilled, again and again. */ char *varname_exp; @@ -527,7 +524,6 @@ static char *ProcessVar(PromiseIterator *iterctx, const EvalContext *evalctx, s_end = s + s_max; } char *next_var = s + FindDollarParen(s, s_max); - size_t deps = 0; while (next_var < s_end) /* does it have nested variables? */ { @@ -552,7 +548,6 @@ static char *ProcessVar(PromiseIterator *iterctx, const EvalContext *evalctx, else /* inner variable processed correctly */ { /* This variable depends on inner expansions. */ - deps++; /* We are sure (subvar_end+1) is not out of bounds. */ char *s_next = subvar_end + 1; const size_t s_next_len = strlen(s_next); @@ -789,6 +784,108 @@ static Seq *IterableToSeq(const void *v, DataType t) } } +/* During initialization of the iteration engine, lists from foreign bundles are + * mangled in order to avoid overwriting the values in that bundle. However, the + * iteration engine has no way of knowing that some variables like + * $($(parent_bundle).lst) is a list during initialization. Hence, while + * crunching the wheels, this hack makes sure foreign variables are mangled when + * ever they expand into a list. + * + * How does it work? It looks for a '.' in both #iterctx->pp->promiser and + * #varname, where the left side of #varname is a bundle name and the right side + * of #iterctx->pp->promiser begins with the right side of #varname. If all of + * the constraints are fulfilled it swaps the '.' with '#' in both variables. + * Furthermore, if the variable also contains a namespace, it will mangle ':' + * with '*'. + * + * See ticket ENT-9491 & ENT-11923 for more info. + */ +static void WheelMangleAfterExpandingToList(const PromiseIterator *iterctx, + EvalContext *evalctx, char *varname) +{ + assert(iterctx != NULL); + assert(iterctx->pp != NULL); + assert(iterctx->pp->promiser != NULL); + + const StringSet *scopes = EvalContextGetBundleNames(evalctx); + + // In case there is a namespace + char *unexp_namespace_token = iterctx->pp->promiser; + while ((unexp_namespace_token = strchr(unexp_namespace_token, CF_NS)) != NULL) + { + char *exp_namespace_token = varname; + while ((exp_namespace_token = strchr(exp_namespace_token, CF_NS)) != NULL) + { + char *unexp_scope_token = iterctx->pp->promiser; + while ((unexp_scope_token = strchr(unexp_scope_token, '.')) != NULL) + { + char *exp_scope_token = varname; + while ((exp_scope_token = strchr(exp_scope_token, '.')) != NULL) + { + if (exp_scope_token < exp_namespace_token) + { + // A scope token cannot come before a namespace token + continue; + } + + *exp_scope_token = '\0'; + const char *exp_scope = exp_namespace_token + 1; + const char *unexp_name = unexp_scope_token + 1; + const char *exp_name = exp_scope_token + 1; + + if (StringStartsWith(unexp_name, exp_name) && + StringSetContains(scopes, exp_scope)) + { + *unexp_namespace_token = CF_MANGLED_NS; + *exp_namespace_token = CF_MANGLED_NS; + *unexp_scope_token = CF_MANGLED_SCOPE; + *exp_scope_token = CF_MANGLED_SCOPE; + + // We are done! + return; + } + + // Put things back the way they were + *exp_scope_token = '.'; + exp_scope_token += 1; + } + unexp_scope_token += 1; + } + exp_namespace_token += 1; + } + unexp_namespace_token += 1; + } + + // In case there is no namespace + char *unexp_scope_token = iterctx->pp->promiser; + while ((unexp_scope_token = strchr(unexp_scope_token, '.')) != NULL) + { + char *exp_scope_token = varname; + while ((exp_scope_token = strchr(exp_scope_token, '.')) != NULL) + { + *exp_scope_token = '\0'; + const char *exp_scope = varname; + const char *unexp_name = unexp_scope_token + 1 ; + const char *exp_name = exp_scope_token + 1; + + if (StringStartsWith(unexp_name, exp_name) && + StringSetContains(scopes, exp_scope)) + { + *unexp_scope_token = CF_MANGLED_SCOPE; + *exp_scope_token = CF_MANGLED_SCOPE; + + // We are done! + return; + } + + // Put things back the way they were + *exp_scope_token = '.'; + exp_scope_token += 1; + } + unexp_scope_token += 1; + } +} + /** * For each of the wheels to the right of wheel_idx (including this one) * @@ -804,6 +901,11 @@ static void ExpandAndPutWheelVariablesAfter( EvalContext *evalctx, size_t wheel_idx) { + assert(iterctx != NULL); + assert(iterctx->wheels != NULL); + assert(iterctx->pp != NULL); + assert(iterctx->pp->promiser != NULL); + /* Buffer to store the expanded wheel variable name, for each wheel. */ Buffer *tmpbuf = BufferNew(); @@ -864,6 +966,12 @@ static void ExpandAndPutWheelVariablesAfter( assert(SeqLength(wheel->values) > 0); assert( SeqAt(wheel->values, 0) != NULL); + if (!IsMangled(varname)) + { + WheelMangleAfterExpandingToList(iterctx, evalctx, + (char *) varname); + } + /* Put the first value of the iterable. */ IterListElementVariablePut(evalctx, varname, value_type, SeqAt(wheel->values, 0)); diff --git a/libpromises/lastseen.c b/libpromises/lastseen.c index 495fa418cb..2f333cce48 100644 --- a/libpromises/lastseen.c +++ b/libpromises/lastseen.c @@ -121,7 +121,10 @@ void UpdateLastSawHost(const char *hostkey, const char *address, char quality_key[CF_BUFSIZE]; snprintf(quality_key, CF_BUFSIZE, "q%c%s", incoming ? 'i' : 'o', hostkey); - KeyHostSeen newq = { .lastseen = timestamp }; + KeyHostSeen newq = { + .acknowledged = false, + .lastseen = timestamp, + }; KeyHostSeen q; if (ReadDB(db, quality_key, &q, sizeof(q))) @@ -763,3 +766,54 @@ int RemoveKeysFromLastSeen(const char *input, bool must_be_coherent, return 0; } + +static bool OnlyRewriteIfChanged(KeyHostSeen *entry, ARG_UNUSED size_t size, KeyHostSeen *new) +{ + assert(entry != NULL); + assert(new != NULL); + + if (entry->acknowledged) + { + return false; + } + + new->acknowledged = true; + new->lastseen = entry->lastseen; + new->Q = entry->Q; + + return true; +} + +bool LastSeenHostAcknowledge(const char *host_key, bool incoming) +{ + DBHandle *db = NULL; + if (!OpenDB(&db, dbid_lastseen)) + { + Log(LOG_LEVEL_ERR, "Unable to open lastseen DB"); + return false; + } + + // Update quality-of-connection entry + char key[CF_BUFSIZE]; + NDEBUG_UNUSED int ret = snprintf(key, CF_BUFSIZE, "q%c%s", incoming ? 'i' : 'o', host_key); + assert(ret > 0 && ret < CF_BUFSIZE); + + KeyHostSeen value; + value.lastseen = 0; /* To distinguish between entry not found and error */ + if (OverwriteDB(db, key, &value, sizeof(value), (OverwriteCondition)OnlyRewriteIfChanged, &value)) + { + Log(LOG_LEVEL_DEBUG, "Acknowledged observation of key '%s' to lastseen DB", key); + } + else if (value.lastseen != 0 /* was found */ && + !value.acknowledged /* should update */) + { + /* In this case, the entry was found and should have been updated. + * However, false was returned. Hence, this must be due to error. */ + Log(LOG_LEVEL_ERR, "Unable to overwrite key '%s' to lastseen DB", key); + CloseDB(db); + return false; + } + + CloseDB(db); + return true; +} diff --git a/libpromises/lastseen.h b/libpromises/lastseen.h index 8c0a7caf9e..b8b4f28bd9 100644 --- a/libpromises/lastseen.h +++ b/libpromises/lastseen.h @@ -29,6 +29,7 @@ typedef struct { + bool acknowledged; // True when acknowledged by cf-hub, false when updated time_t lastseen; QPoint Q; // Average time between connections (rolling weighted average) } KeyHostSeen; @@ -62,4 +63,12 @@ bool IsLastSeenCoherent(void); int RemoveKeysFromLastSeen(const char *input, bool must_be_coherent, char *equivalent, size_t equivalent_size); +/** + * @brief Acknowledge that lastseen host entry is observed. + * @param host_key The host key of the lastseen entry. + * @param incoming Whether it is an incoming or outgoing entry. + * @return true if host entry was successfully acknowledged, otherwise false. + */ +bool LastSeenHostAcknowledge(const char *host_key, bool incoming); + #endif diff --git a/libpromises/locks.c b/libpromises/locks.c index e891de9ce0..1460add4ff 100644 --- a/libpromises/locks.c +++ b/libpromises/locks.c @@ -50,7 +50,6 @@ #endif #define CFLOGSIZE 1048576 /* Size of lock-log before rotation */ -#define CF_LOCKHORIZON ((time_t)(SECONDS_PER_WEEK * 4)) #define CF_MAXLOCKNUM 8192 #define CF_CRITIAL_SECTION "CF_CRITICAL_SECTION" @@ -62,6 +61,20 @@ #define LOG_LOCK_OP(__lock, __lock_sum, __lock_data) \ log_lock("Performing", __FUNCTION__, __lock, __lock_sum, __lock_data) +/** + * Map the locks DB usage percentage to the lock horizon interval (how old locks + * we want to keep). + */ +#define N_LOCK_HORIZON_USAGE_INTERVALS 4 /* 0-25, 26-50,... */ +static const time_t LOCK_HORIZON_USAGE_INTERVALS[N_LOCK_HORIZON_USAGE_INTERVALS] = { + 0, /* plenty of space, no cleanup needed (0 is a special + * value) */ + 4 * SECONDS_PER_WEEK, /* used to be the fixed value */ + 2 * SECONDS_PER_WEEK, /* a bit more aggressive, but still reasonable */ + SECONDS_PER_WEEK, /* as far as we want to go to avoid making long locks + * unreliable and practically non-functional */ +}; + typedef struct CfLockStack_ { char lock[CF_BUFSIZE]; char last[CF_BUFSIZE]; @@ -72,7 +85,7 @@ static CfLockStack *LOCK_STACK = NULL; static void PushLock(char *lock, char *last) { - CfLockStack *new_lock = malloc(sizeof(CfLockStack)); + CfLockStack *new_lock = xmalloc(sizeof(CfLockStack)); strlcpy(new_lock->lock, lock, CF_BUFSIZE); strlcpy(new_lock->last, last, CF_BUFSIZE); @@ -95,46 +108,10 @@ static void CopyLockDatabaseAtomically(const char *from, const char *to, const char *from_pretty_name, const char *to_pretty_name); -static void RestoreLockDatabase(void); - -static void VerifyThatDatabaseIsNotCorrupt_once(void) -{ - int uptime = GetUptimeSeconds(time(NULL)); - if (uptime <= 0) - { - Log(LOG_LEVEL_VERBOSE, - "Not able to determine uptime when verifying lock database. " - "Will assume the database is in order."); - return; - } - - char *db_path = DBIdToPath(dbid_locks); - struct stat statbuf; - if (stat(db_path, &statbuf) == 0) - { - if (statbuf.st_mtime < time(NULL) - uptime) - { - // We have rebooted since the database was last updated. - // Restore it from our backup. - RestoreLockDatabase(); - } - } - - free(db_path); -} - -static void VerifyThatDatabaseIsNotCorrupt(void) -{ - static pthread_once_t uptime_verified = PTHREAD_ONCE_INIT; - pthread_once(&uptime_verified, &VerifyThatDatabaseIsNotCorrupt_once); -} - CF_DB *OpenLock() { CF_DB *dbp; - VerifyThatDatabaseIsNotCorrupt(); - if (!OpenDB(&dbp, dbid_locks)) { return NULL; @@ -554,6 +531,63 @@ static void PromiseTypeString(char *dst, size_t dst_size, const Promise *pp) } } +/** + * A helper best-effort function to prevent us from killing non CFEngine + * processes with matching PID-start_time combinations **when/where it's easy to + * check**. + */ +static bool IsCfengineLockHolder(pid_t pid) +{ + char procfile[PATH_MAX]; + snprintf(procfile, PATH_MAX, "/proc/%ju/comm", (uintmax_t) pid); + int f = open(procfile, O_RDONLY); + /* On platforms where /proc doesn't exist, we would have to do a more + complicated check probably not worth it in this helper best-effort + function. */ + if (f == -1) + { + /* assume true where we cannot check */ + return true; + } + + /* more than any possible CFEngine lock holder's name */ + char command[32] = {0}; + ssize_t n_read = FullRead(f, command, sizeof(command)); + close(f); + if ((n_read <= 1) || (n_read == sizeof(command))) + { + Log(LOG_LEVEL_VERBOSE, "Failed to get command for process %ju", (uintmax_t) pid); + /* assume true where we cannot check */ + return true; + } + if (command[n_read - 1] == '\n') + { + command[n_read - 1] = '\0'; + } + + /* potential CFEngine lock holders (others like cf-net, cf-key,... are not + * supposed/expected to be lock holders) */ + const char *const cfengine_procs[] = { + "cf-promises", + "lt-cf-agent", /* when running from a build with 'libtool --mode=execute' */ + "cf-agent", + "cf-execd", + "cf-serverd", + "cf-monitord", + "cf-hub", + NULL + }; + for (size_t i = 0; cfengine_procs[i] != NULL; i++) + { + if (StringEqual(cfengine_procs[i], command)) + { + return true; + } + } + Log(LOG_LEVEL_DEBUG, "'%s' not considered a CFEngine process", command); + return false; +} + static bool KillLockHolder(const char *lock) { bool ret; @@ -587,6 +621,13 @@ static bool KillLockHolder(const char *lock) CloseLock(dbp); + if (!IsCfengineLockHolder(lock_data.pid)) { + Log(LOG_LEVEL_VERBOSE, + "Lock holder with PID %ju was replaced by a non CFEngine process, ignoring request to kill it", + (uintmax_t) lock_data.pid); + return true; + } + if (GracefulTerminate(lock_data.pid, lock_data.process_start_time)) { Log(LOG_LEVEL_INFO, @@ -1074,11 +1115,10 @@ void GetLockName(char *lockname, const char *locktype, } } -static void RestoreLockDatabase(void) +void RestoreLockDatabase(void) { // We don't do any locking here (since we can't trust the database), but - // this should be right after bootup, so we should be the only one. - // Worst case someone else will just copy the same file to the same + // worst case someone else will just copy the same file to the same // location. char *db_path = DBIdToPath(dbid_locks); char *db_path_backup; @@ -1170,66 +1210,85 @@ void BackupLockDatabase(void) void PurgeLocks(void) { - CF_DBC *dbcp; - char *key; - int ksize, vsize; - LockData lock_horizon; - LockData *entry = NULL; + DBHandle *db = OpenLock(); + if (db == NULL) + { + return; + } + time_t now = time(NULL); - CF_DB *dbp = OpenLock(); - if (dbp == NULL) + int usage_pct = GetDBUsagePercentage(db); + if (usage_pct == -1) + { + /* error already logged */ + /* no usage info, assume 50% */ + usage_pct = 50; + } + + unsigned short interval_idx = MIN(usage_pct / (100 / N_LOCK_HORIZON_USAGE_INTERVALS), + N_LOCK_HORIZON_USAGE_INTERVALS - 1); + const time_t lock_horizon_interval = LOCK_HORIZON_USAGE_INTERVALS[interval_idx]; + if (lock_horizon_interval == 0) { + Log(LOG_LEVEL_VERBOSE, "No lock purging needed (lock DB usage: %d %%)", usage_pct); + CloseLock(db); return; } + const time_t purge_horizon = now - lock_horizon_interval; + LockData lock_horizon; memset(&lock_horizon, 0, sizeof(lock_horizon)); - - if (ReadDB(dbp, "lock_horizon", &lock_horizon, sizeof(lock_horizon))) + if (ReadDB(db, "lock_horizon", &lock_horizon, sizeof(lock_horizon))) { - if (now - lock_horizon.time < SECONDS_PER_WEEK * 4) + if (lock_horizon.time > purge_horizon) { Log(LOG_LEVEL_VERBOSE, "No lock purging scheduled"); - CloseLock(dbp); + CloseLock(db); return; } } - Log(LOG_LEVEL_VERBOSE, "Looking for stale locks to purge"); + Log(LOG_LEVEL_VERBOSE, + "Looking for stale locks (older than %jd seconds) to purge", + (intmax_t) lock_horizon_interval); - if (!NewDBCursor(dbp, &dbcp)) + DBCursor *cursor; + if (!NewDBCursor(db, &cursor)) { char *db_path = DBIdToPath(dbid_locks); Log(LOG_LEVEL_ERR, "Unable to get cursor for locks database '%s'", db_path); free(db_path); - CloseLock(dbp); + CloseLock(db); return; } - while (NextDB(dbcp, &key, &ksize, (void **)&entry, &vsize)) + char *key; + int ksize, vsize; + LockData *entry = NULL; + while (NextDB(cursor, &key, &ksize, (void **)&entry, &vsize)) { #ifdef LMDB LOG_LOCK_OP("", key, entry); #endif - if (STARTSWITH(key, "last.internal_bundle.track_license.handle")) + if (StringStartsWith(key, "last.internal_bundle.track_license.handle")) { continue; } - if (now - entry->time > (time_t) CF_LOCKHORIZON) + if (entry->time < purge_horizon) { Log(LOG_LEVEL_VERBOSE, "Purging lock (%jd s elapsed): %s", (intmax_t) (now - entry->time), key); - DBCursorDeleteEntry(dbcp); + DBCursorDeleteEntry(cursor); } } + DeleteDBCursor(cursor); Log(LOG_LEVEL_DEBUG, "Finished purging locks"); lock_horizon.time = now; - DeleteDBCursor(dbcp); - - WriteDB(dbp, "lock_horizon", &lock_horizon, sizeof(lock_horizon)); - CloseLock(dbp); + WriteDB(db, "lock_horizon", &lock_horizon, sizeof(lock_horizon)); + CloseLock(db); } diff --git a/libpromises/locks.h b/libpromises/locks.h index 28186d50a7..b46da61d52 100644 --- a/libpromises/locks.h +++ b/libpromises/locks.h @@ -38,6 +38,7 @@ void GetLockName(char *lockname, const char *locktype, const char *base, const Rlist *params); void PurgeLocks(void); void BackupLockDatabase(void); +void RestoreLockDatabase(void); // Used in enterprise/nova code: CF_DB *OpenLock(); diff --git a/libpromises/policy.c b/libpromises/policy.c index 3ef14360f0..c8f140b634 100644 --- a/libpromises/policy.c +++ b/libpromises/policy.c @@ -2107,7 +2107,7 @@ void BundleToString(Writer *writer, Bundle *bundle) } IndentPrint(writer, 2); - ScalarWrite(writer, pp->promiser, true); + ScalarWrite(writer, pp->promiser, true, false); /* FIX: add support * diff --git a/libpromises/processes_select.c b/libpromises/processes_select.c index f41843c052..1fd80aa4cc 100644 --- a/libpromises/processes_select.c +++ b/libpromises/processes_select.c @@ -718,6 +718,17 @@ static bool SplitProcLine(const char *line, Take these two examples: +Windows: + User field can contain spaces. E.g.: + + USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND + NETWORK SERVICE 540 0.0 0.3 5092 11180 ? ? Apr28 00:00 C:\\Windows\\system32\\svchost.exe -k RPCSS -p + etc. + + There is really no good way to do this with the current parsing logic. We + know that the next field will be a PID, so we can parse until we find a + number. + AIX: USER PID PPID PGID %CPU %MEM VSZ NI S STIME TIME COMMAND root 1 0 0 0.0 0.0 784 20 A Nov 28 00:00:00 /etc/init @@ -831,6 +842,7 @@ Solaris 9: bool cmd = (strcmp(names[field], "CMD") == 0 || strcmp(names[field], "COMMAND") == 0); bool stime = !cmd && (strcmp(names[field], "STIME") == 0); + bool is_user_field = StringEqual(names[field], "USER"); // Equal boolean results, either both must be true, or both must be // false. IOW we must either both be at the last field, and it must be @@ -921,6 +933,41 @@ Solaris 9: last++; } } + else if (is_user_field) + { + bool done = false; + while (!done) + { + while (line[last] != '\0' && !isspace(line[last])) + { + last++; + } + + /* On windows the USER field can contain spaces. We know that + * the next field will be PID. Hence, we seek past the spaces + * to see if the next thing is a number. If this is not the + * case, we assume it is still the USER field. This is not + * bulletproof. However, this parser never was. */ + int seek_past = last; + while (line[seek_past] != '\0' && isspace(line[seek_past])) + { + seek_past++; + } + + if (line[seek_past] == '\0') + { + done = true; + } + else if (isdigit(line[seek_past])) + { + done = true; + } + else + { + last = seek_past; + } + } + } else { // Generic fields diff --git a/libpromises/rlist.c b/libpromises/rlist.c index 8f44f5168b..27703dd786 100644 --- a/libpromises/rlist.c +++ b/libpromises/rlist.c @@ -373,13 +373,14 @@ Rval RvalNewRewriter(const void *item, RvalType type, JsonElement *map) Buffer *format = BufferNew(); StringCopy(item, buffer_from, max_size); + buffer_to[0] = '\0'; for (int iteration = 0; iteration < 10; iteration++) { bool replacement_made = false; int var_start = -1; char closing_brace = 0; - for (int c = 0; c < buffer_from[c]; c++) + for (int c = 0; buffer_from[c] != '\0'; c++) { if (buffer_from[c] == '$') { @@ -402,6 +403,7 @@ Rval RvalNewRewriter(const void *item, RvalType type, JsonElement *map) { char saved = buffer_from[c]; buffer_from[c] = '\0'; + const char *repl = JsonObjectGetAsString(map, buffer_from + var_start + 2); buffer_from[c] = saved; @@ -433,7 +435,15 @@ Rval RvalNewRewriter(const void *item, RvalType type, JsonElement *map) } } - char *ret = xstrdup(buffer_to); + char* ret; + if (buffer_to[0] == '\0') { + // If nothing has been written to buffer_to, we pass the input verbatim. + // This function only evaluates body parameters, but the body can also reference the global + // context. + ret = xstrdup(buffer_from); + } else { + ret = xstrdup(buffer_to); + } BufferDestroy(format); free(buffer_to); @@ -1339,7 +1349,7 @@ void RlistWrite(Writer *writer, const Rlist *list) WriterWriteChar(writer, '}'); } -void ScalarWrite(Writer *writer, const char *s, bool quote) +void ScalarWrite(Writer *writer, const char *s, bool quote, bool raw) { if (quote) { @@ -1347,7 +1357,7 @@ void ScalarWrite(Writer *writer, const char *s, bool quote) } for (; *s; s++) { - if (*s == '"') + if (*s == '"' && !raw) { WriterWriteChar(writer, '\\'); } @@ -1359,7 +1369,7 @@ void ScalarWrite(Writer *writer, const char *s, bool quote) } } -static void RvalWriteParts(Writer *writer, const void* item, RvalType type, bool quote) +static void RvalWriteParts(Writer *writer, const void* item, RvalType type, bool quote, bool raw) { if (item == NULL) { @@ -1369,7 +1379,7 @@ static void RvalWriteParts(Writer *writer, const void* item, RvalType type, bool switch (type) { case RVAL_TYPE_SCALAR: - ScalarWrite(writer, item, quote); + ScalarWrite(writer, item, quote, raw); break; case RVAL_TYPE_LIST: @@ -1392,12 +1402,17 @@ static void RvalWriteParts(Writer *writer, const void* item, RvalType type, bool void RvalWrite(Writer *writer, Rval rval) { - RvalWriteParts(writer, rval.item, rval.type, false); + RvalWriteParts(writer, rval.item, rval.type, false, false); } void RvalWriteQuoted(Writer *writer, Rval rval) { - RvalWriteParts(writer, rval.item, rval.type, true); + RvalWriteParts(writer, rval.item, rval.type, true, false); +} + +void RvalWriteRaw(Writer *writer, Rval rval) +{ + RvalWriteParts(writer, rval.item, rval.type, false, true); } char *RvalToString(Rval rval) @@ -1652,8 +1667,8 @@ bool RlistEqual(const Rlist *list1, const Rlist *list2) assert(rp1->val.item == NULL && rp2->val.item == NULL); } } - - return true; + // return false if lengths are different + return (rp1 == NULL && rp2 == NULL); } bool RlistEqual_untyped(const void *list1, const void *list2) diff --git a/libpromises/rlist.h b/libpromises/rlist.h index 1d5798da4a..8ce2a1858c 100644 --- a/libpromises/rlist.h +++ b/libpromises/rlist.h @@ -65,6 +65,7 @@ char *RvalToString(Rval rval); char *RlistToString(const Rlist *rlist); void RvalWrite(Writer *writer, Rval rval); void RvalWriteQuoted(Writer *writer, Rval rval); +void RvalWriteRaw(Writer *writer, Rval rval); unsigned RvalHash(Rval rval, unsigned seed); Rlist *RlistCopy(const Rlist *list); @@ -109,7 +110,7 @@ void RlistWrite(Writer *writer, const Rlist *list); Rlist *RlistLast(Rlist *start); void RlistFilter(Rlist **list, bool (*KeepPredicate)(void *item, void *predicate_data), void *predicate_user_data, void (*DestroyItem)(void *item)); void RlistReverse(Rlist **list); -void ScalarWrite(Writer *w, const char *s, bool quote); +void ScalarWrite(Writer *w, const char *s, bool quote, bool raw); void RlistFlatten(EvalContext *ctx, Rlist **list); bool RlistEqual (const Rlist *list1, const Rlist *list2); bool RlistEqual_untyped(const void *list1, const void *list2); diff --git a/libpromises/sort.c b/libpromises/sort.c index 371f7e9420..6c5d142995 100644 --- a/libpromises/sort.c +++ b/libpromises/sort.c @@ -203,7 +203,7 @@ static bool RlistCustomItemLess(void *lhs_, void *rhs_, void *ctx) { Rlist *lhs = lhs_; Rlist *rhs = rhs_; - bool (*cmp)() = ctx; + bool (*cmp)(void *a, void *b) = ctx; return (*cmp)(lhs->val.item, rhs->val.item); } diff --git a/libpromises/storage_tools.c b/libpromises/storage_tools.c index 5e44dc0341..1edd3052f8 100644 --- a/libpromises/storage_tools.c +++ b/libpromises/storage_tools.c @@ -22,6 +22,8 @@ included file COSL.txt. */ +#include + #include #ifdef HAVE_SYS_STATFS_H diff --git a/libpromises/unix.c b/libpromises/unix.c index 9985291854..5b56a98d60 100644 --- a/libpromises/unix.c +++ b/libpromises/unix.c @@ -246,8 +246,19 @@ static bool GetUserGroupInfoFromGetent(const char *type, const char *query, char *name, size_t name_size, uintmax_t *id, LogLevel error_log_level) { + struct stat sb; + char* getent_bin; + if (stat("/bin/getent", &sb) == 0) + { + getent_bin = "/bin/getent"; + } + else + { + getent_bin = "/usr/bin/getent"; + } + char buf[CF_BUFSIZE]; - NDEBUG_UNUSED int print_ret = snprintf(buf, sizeof(buf), "/bin/getent %s %s", type, query); + NDEBUG_UNUSED int print_ret = snprintf(buf, sizeof(buf), "%s %s %s", getent_bin, type, query); assert(print_ret < sizeof(buf)); FILE *out = cf_popen(buf, "r", OUTPUT_SELECT_STDOUT); diff --git a/m4/cf3_with_library.m4 b/m4/cf3_with_library.m4 index ee47d7d11d..dde7181dfb 100644 --- a/m4/cf3_with_library.m4 +++ b/m4/cf3_with_library.m4 @@ -84,7 +84,8 @@ AC_DEFUN([CF3_WITH_LIBRARY], if test "x$with_[$1]" != xyes && test "x$with_[$1]" != xcheck && test "x$with_[$1]" != x/usr && - test "x$with_[$1]" != x/ + test "x$with_[$1]" != x/ && + test -n "$with_[$1]" then ULN[]_LDFLAGS="$ULN[]_LDFLAGS -R$with_[$1]/lib" fi diff --git a/misc/Makefile.am b/misc/Makefile.am index ef2460fbd8..5fb39a2adc 100644 --- a/misc/Makefile.am +++ b/misc/Makefile.am @@ -36,3 +36,11 @@ install-data-hook: endif dist_bin_SCRIPTS = cf-support + +check-local: + @if command -v shellcheck 2>/dev/null; then \ + shellcheck --version; \ + shellcheck cf-support; \ + else \ + echo "Install shellcheck to check cf-support script."; \ + fi diff --git a/misc/cf-support b/misc/cf-support index b8b92c7655..9c5e82eee5 100755 --- a/misc/cf-support +++ b/misc/cf-support @@ -1,12 +1,25 @@ -#!/usr/bin/env bash +#!/usr/bin/env sh +# this script works with plain old POSIX sh so have to allow legacy subshell `command` instead of using $(command) +# shellcheck disable=SC2006 -export WORKDIR=/var/cfengine -export BINDIR="$WORKDIR/bin" -export non_interactive=0 +# be double-certain that we have needed PATH entries regardless of execution environment +PATH=/usr/contrib/bin:$PATH; export PATH # hpux +PATH=/usr/sbin:$PATH; export PATH # solaris +PATH=/usr/bin:$PATH; export PATH # sol10sparc has showrev in /usr/bin -if [ $# -gt 1 ]; then - echo "usage: $(basename "$0") [--yes]" - echo ' --yes - Non-interactive use. Assume no ticket number and assume include masterfiles.' +WORKDIR=/var/cfengine; export WORKDIR +BINDIR="$WORKDIR/bin"; export BINDIR +non_interactive=0; export non_interactive + +if [ $# -gt 1 ] || [ "$1" = "--help" ] || [ "$1" = "-h" ]; then + echo "usage: `basename "$0"` [OPTIONS]" + echo '' + echo 'Options:' + echo ' --yes, -y - Non-interactive use. Assume no ticket number and assume include masterfiles.' + echo ' --help, -h - Print the help message' + echo '' + echo 'Website: http://www.cfengine.com' + echo 'This software is Copyright (C) 2008,2010-present Northern.tech AS.' exit 1 fi @@ -36,7 +49,7 @@ if [ "$1" = "-M" ]; then e COSL.txt. .TH CF-SUPPORT 8 "2022-08-10" "CFEngine" "System Administrator" .SH NAME -cf-support \- create tarball of information to submit for support tickets. +cf-support \\- create tarball of information to submit for support tickets. .SH SYNOPSIS .B cf-support .RI [ OPTION ] @@ -47,7 +60,7 @@ cf-support gathers various details about the system and creates a tarball in the .IP "--yes" Non-interactive use. Assume no ticket number and assume include masterfiles. .SH CFENGINE -CFEngine provides automated configuration management of large-scale computer systems. A system administrator describes the desired state of a system using CFEngine policy code. The program \fBcf-agent\fR reads policy code and attempts to bring the current system state to the desired state described. Policy code is downloaded by \fBcf-agent\fR from a \fBcf-serverd\fR daemon. The daemon \fBcf-execd\fR is responsible for running \fBcf-agent\fR periodically. +CFEngine provides automated configuration management of large-scale computer systems. A system administrator describes the desired state of a system using CFEngine policy code. The program \\fBcf-agent\\fR reads policy code and attempts to bring the current system state to the desired state described. Policy code is downloaded by \\fBcf-agent\\fR from a \\fBcf-serverd\\fR daemon. The daemon \\fBcf-execd\\fR is responsible for running \\fBcf-agent\\fR periodically. .br Documentation for CFEngine is available at https://docs.cfengine.com/. .SH PROMISE THEORY @@ -80,7 +93,9 @@ fi [ "$1" = "--yes" ] || [ "$1" = "-y" ] && non_interactive=1 -if [ "$EUID" -ne 0 ]; then +# POSIX friendly version of bash $EUID +euid=`id | sed -n 's/uid=\([0-9]*\).*/\1/p'` +if [ "$euid" -ne 0 ]; then echo "$0 must be run as root" exit 1 fi @@ -91,25 +106,66 @@ if ! command -v gzip >/dev/null; then fi if [ $non_interactive -eq 0 ]; then - read -rp "If you have it, please enter your support case number: " case_number + printf "If you have it, please enter your support case number: " + read -r case_number fi case_number="${case_number:-NA}" -timestamp=$(date +%F-%H%M) -collection="cfengine_support_case_$case_number-$(hostname -f)-$timestamp" +timestamp=`date +%Y-%m-%d-%H%M` +collection="cfengine_support_case_$case_number-`hostname`-$timestamp" + +make_temp_dir() +{ + if command -v mktemp >/dev/null && [ "$OS" != "hpux" ]; then + mktemp -d + else + # shellcheck disable=SC2021 + # ^^ legacy/POSIX requires square brackets + _tmp="/tmp/`LC_CTYPE=C tr -dc "[A-Z][a-z][0-9]" /dev/null`" + mkdir "$_tmp" + echo "$_tmp" + fi +} + -tmpdir="$(mktemp -d)/$collection" +# determine operating system flavor +if command -v swlist 2>/dev/null; then + OS="hpux" +elif command -v oslevel 2>/dev/null; then + OS=aix +elif [ -f /etc/release ]; then + OS=solaris + OS_VERSION=$(uname -r) +elif [ -f /etc/redhat-release ] || [ -f /etc/os-release ] || [ -f /etc/lsb-release ]; then + OS=linux +elif command -v system_profiler 2>/dev/null; then + OS=macos +else + echo "unable to determine operating system, will try generic unix commands." + OS=unix +fi + +tmpdir="`make_temp_dir`/$collection" export tmpdir mkdir -p "$tmpdir" echo "Analyzing CFEngine core dumps" _core_log="$tmpdir"/core-dump.log -if command -v coredumpctl >/dev/null; then +if command -v sysctl >/dev/null; then + _sysctl_kernel_core_pattern="$(sysctl -n kernel.core_pattern)" +else + _sysctl_kernel_core_pattern="" +fi +if expr "$_sysctl_kernel_core_pattern" : ".*/systemd-coredump.*" > /dev/null 2>&1; then + echo "Found systemd-coredump used in sysctl kernel.core_pattern \"$_sysctl_kernel_core_pattern\"" echo "Using coredumpctl to analyze CFEngine core dumps" - coredumpctl info /var/cfengine/bin/cf-* 2>/dev/null >> "$_core_log" + find /var/cfengine -type f -executable | while IFS='' read -r line + do + coredumpctl info "$line" 2>/dev/null >> "$_core_log" || true + done elif command -v apport-unpack >/dev/null; then echo "Using apport-unpack to analyze CFEngine core dumps" # each crash report has a line with ExecutablePath: which tells us if it is a CFEngine core dump - crash_reports=$(grep -H "ExecutablePath: /var/cfengine/bin" /var/crash/* | sed "s/:ExecutablePath.*$//") + crash_reports=`grep -H "ExecutablePath: /var/cfengine/bin" /var/crash/* | sed "s/:ExecutablePath.*$//"` if [ -n "$crash_reports" ]; then if ! command -v gdb >/dev/null; then echo "CFEngine related core dumps were found but gdb is not installed. Please install gdb and retry the cf-support command." @@ -117,9 +173,9 @@ elif command -v apport-unpack >/dev/null; then fi # process crash reports with tmp dirs and all for report in $crash_reports; do - tmp=$(mktemp -d) + tmp=`make_temp_dir` apport-unpack "$report" "$tmp" - exe=$(cat "$tmp/ExecutablePath") + exe=`cat "$tmp/ExecutablePath"` # print out report up to the embedded core dump file # --null-data separate lines by NUL characters sed --null-data 's/CoreDump:.*$//' "$report" >> "$_core_log" @@ -129,35 +185,45 @@ elif command -v apport-unpack >/dev/null; then fi else if [ "$non_interactive" -eq 0 ]; then - read -r -p "Analyze coredumps found under /var/cfengine/bin? [Y//n]: " response + printf "Analyze coredumps found under /var/cfengine/bin? [Y//n]: " + read -r response fi response=${response:-/var/cfengine/bin} if [ "$response" != "n" ]; then # file command on core files results in lines like the following which we parse for cf-* binaries # core: ELF 64-bit LSB core file, x86-64, version 1 (SYSV), SVR4-style, from '/var/cfengine/bin/cf-key', real uid: 0, effective uid: 0, realgid: 0, effective gid: 0, execfn: '/var/cfengine/bin/cf-key', platform: 'x86_64' - cf_core_files=$(find "$response" -name 'core*' -type f -exec file {} \; 2>/dev/null | grep "core file" | grep "cf-" | cut -d' ' -f1 | sed 's/:$//') + cf_core_files=`find "$response/." \( -name . -o -prune \) -name 'core*' -type f -exec file {} \; 2>/dev/null | grep "core file" | grep "cf-" | cut -d' ' -f1 | sed 's/:$//'` if [ -n "$cf_core_files" ]; then - if ! command -v gdb >/dev/null; then - echo "Please install gdb. This is required in order to analyze core dumps." - exit 1 + if [ "$OS" != "solaris" ]; then + if ! command -v gdb >/dev/null; then + echo "Please install gdb. This is required in order to analyze core dumps." + echo "Core dumps needing to be analyzed will be listed below:" + fi fi for core_file in $cf_core_files; do file "$core_file" >> "$_core_log" - execfn=$(file "$core_file" | sed 's/,/\n/g' | grep execfn | cut -d: -f2 | sed "s/[' ]//g") - exe="$(realpath "$execfn")" - gdb "$exe" --core="$core_file" -batch -ex "thread apply all bt full" >> "$_core_log" 2>&1 + if [ "$OS" = "solaris" ]; then + pstack "$core_file" >> "$_core_log" 2>&1 + elif command -v gdb >/dev/null; then + execfn=`file "$core_file" | sed 's/,/\n/g' | grep execfn | cut -d: -f2 | sed "s/[' ]//g"` + exe="`realpath "$execfn"`" + gdb "$exe" --core="$core_file" -batch -ex "thread apply all bt full" >> "$_core_log" 2>&1 + else + # shellcheck disable=SC2012 + ls -l "$core_file" | tee "$_core_log" + fi done fi fi fi -export info_file="$tmpdir/system-info.txt" +info_file="$tmpdir/system-info.txt" +export info_file -function file_add +file_add() { - local filename - filename="$(basename "$1")" + filename="`basename "$1"`" if [ -f "$1" ]; then cp "$1" "$tmpdir"/"$filename" echo "Added file $1" @@ -165,12 +231,10 @@ function file_add echo "$1 file not found" >> "$info_file" fi } -export -f file_add -function gzip_add +gzip_add() { - local filename - filename="$(basename "$1")" + filename="`basename "$1"`" if [ -f "$1" ]; then gzip -c "$1" > "$tmpdir"/"$filename".gz echo "Added compressed copy of file $1" @@ -178,64 +242,171 @@ function gzip_add echo "$1 file not found" >> "$info_file" fi } -export -f gzip_add -function log_cmd +log_cmd() { - echo "=== $1 ===" >> "$info_file" - eval "$1" >> "$info_file" 2>&1 || true - echo >> "$info_file" # one newline for easier to read output - echo "Captured output of command $1" + cmd="`echo "$1" | awk '{print $1}'`" + if command -v "$cmd" 2>/dev/null >/dev/null; then + echo "** $1" >> "$info_file" + sh -c "$1" >> "$info_file" 2>&1 || true + echo >> "$info_file" # one newline for easier to read output + echo "Captured output of command $1" + else + echo "Command not found: $cmd" + fi } -export -f log_cmd -log_cmd "hostname -f" +# first, collect basic information about the system log_cmd "uname -a" -[ -f "/etc/os-release" ] && log_cmd "cat /etc/os-release" log_cmd "$BINDIR/cf-promises -V" -log_cmd "free -m" -log_cmd "df -h" -log_cmd "ps auwwx" -log_cmd "top -b -H -c -n1" -log_cmd "netstat -ie" -log_cmd "ifconfig" + +if [ "$OS" = "solaris" ]; then + log_cmd "prtconf" # system configuration, memory size, peripherals + log_cmd "psrinfo -v" # verbose information about each processor, on-line since, type, speed + if [ "$OS_VERSION" = "5.10" ]; then + log_cmd "showrev" # hostname, hostid, release, kernel architecture, application architecutre, kernel version + fi + log_cmd "vmstat" # equivalent of free -h + log_cmd "zonename" # either global, or a named zone + if command -v zonestat 2>/dev/null; then + log_cmd "zonestat 1 1" # get information about memory/cpu in this zone + fi +elif [ "$OS" = "hpux" ]; then + if [ -x /opt/ignite/bin/print_manifest ]; then + log_cmd "/opt/ignite/bin/print_manifest" # contains info provided by other commands below + else + log_cmd "swlist" # list of bundles installed, includes HPUX-OE base os version + log_cmd "model" # type of machine + # machinfo provides cpu, speed, memory, firmware, platform, id, serial, OS, nodename/hostname, release, sysname + if command -v machinfo 2>/dev/null; then + log_cmd "machinfo" + fi + fi + # regardless, report status of interfaces/volumes and memory + log_cmd "dmesg" # not syslog related like on linux +elif [ "$OS" = "aix" ]; then + log_cmd "prtconf" # model, type, cpus, speed, memory, firmware, network info, volume groups, peripherals/resources + log_cmd "oslevel -s" # OS version +else # linux and "generic" unices like macos/bsds? + log_cmd "lscpu" + log_cmd "free -m" + log_cmd "hostname" + [ -f "/etc/os-release" ] && log_cmd "cat /etc/os-release" +fi + +# filesystems and usage +if [ "$OS" != "solaris" ] && [ "$OS" != "aix" ]; then + file_add "/etc/fstab" +fi +log_cmd "mount" +if [ "$OS" != "hpux" ] && [ "$OS" != "aix" ]; then + log_cmd "df -h" +else + log_cmd "df -g" # only needed on hpux/aix, -h is not available +fi + +# processes +# shellcheck disable=SC2166 +# ^^ allow grouping in test expression +if [ "$OS" = "hpux" ] || [ \( "$OS" = "solaris" -a "$OS_VERSION" = "5.10" \) ]; then + ps -efl >processes.log 2>&1 +else + ps auwwx >processes.log 2>&1 +fi + +# top procs +if [ "$OS" = "hpux" ]; then + # use -f option to force -d1 and include no console codes + top -f /tmp/top.log + file_add /tmp/top.log + rm /tmp/top.log +elif [ "$OS" = "aix" ] || [ "$OS" = "solaris" ]; then + log_cmd "ps aux | head -1; ps aux | sed '1d' | sort -rn +2 | head -10" +else + log_cmd "top -b -H -c -n1" +fi + +# network interfaces +if [ "$OS" = "hpux" ] || [ "$OS" = "solaris" ] || [ "$OS" = "aix" ]; then + log_cmd "netstat -in" +else + log_cmd "netstat -ie" +fi +if [ "$OS" = "aix" ] || [ "$OS" = "solaris" ]; then + log_cmd "ifconfig -a" +elif [ "$OS" = "hpux" ]; then + lanscan -p | while read -r lan + do + log_cmd "ifconfig lan${lan}" + done 2>/dev/null +else + log_cmd "ifconfig" +fi + +# open file handles if command -v lsof 2>/dev/null >/dev/null; then lsof > "$tmpdir/lsof.txt" echo "Captured output of command lsof" fi -log_cmd "mount" -file_add "/etc/fstab" + +# CFEngine specific log_cmd "$BINDIR/cf-key -p $WORKDIR/ppkeys/localhost.pub" log_cmd "grep 'version =' $WORKDIR/inputs/promises.cf" -log_cmd "$BINDIR/cf-key -s" +log_cmd "$BINDIR/cf-key -s -n" log_cmd "$BINDIR/cf-check diagnose" +$BINDIR/cf-promises --show-classes --show-vars > "$tmpdir/classes-and-vars.txt" 2>&1 +$BINDIR/cf-agent --no-lock --file update.cf --show-evaluated-classes --show-evaluated-vars > "$tmpdir/update-evaluated-classes-and-vars.txt" 2>&1 +$BINDIR/cf-agent --no-lock --file promises.cf --show-evaluated-classes --show-evaluated-vars > "$tmpdir/promises-evaluated-classes-and-vars.txt" 2>&1 + if command -v systemctl >/dev/null; then log_cmd "systemctl status cfengine3" -else + log_cmd "systemctl status cf-*" +elif [ -x /etc/init.d/cfengine3 ]; then log_cmd "/etc/init.d/cfengine3 status" +else + echo "No way to check on cfengine service status" fi for f in /var/log/CFEngine-Install*; do gzip_add "$f" done + +# system log [ -f /var/log/messages ] && syslog_cmd="cat /var/log/messages" [ -f /var/log/syslog ] && syslog_cmd="cat /var/log/syslog" -[ "$(command -v journalctl >/dev/null)" ] && syslog_cmd="journalctl" +command -v journalctl >/dev/null && syslog_cmd="journalctl" [ -z "$syslog_cmd" ] && syslog_cmd="dmesg" +if [ "$OS" = "solaris" ]; then + syslog_cmd="cat /var/adm/messages*" +fi _syslog_filtered="$tmpdir"/syslog-filtered-for-cfengine.log.gz -$syslog_cmd | grep -E 'cf-|CFEngine' | gzip -c > "$_syslog_filtered" || true + +if [ "$OS" = "aix" ]; then + syslog_cmd="errpt -a" + # error report can reference cfengine, reports are delimitted by bars of `-` characters + echo "r !errpt -a +g/cfengine/?---?,/---/p" | ed > "$_syslog_filtered" || true +else + $syslog_cmd | sed -n '/[Cc][Ff][Ee-]/p' | gzip -c > "$_syslog_filtered" || true +fi echo "Captured output of $syslog_cmd filtered for cf-|CFEngine" +# cf- component related SELinux denials +if command -v ausearch >/dev/null; then + ausearch -m avc -su cfengine > "$tmpdir"/ausearch-cfengine-avcs.log +fi + gzip_add $WORKDIR/outputs/previous file_add $WORKDIR/policy_server.dat if [ -f $WORKDIR/share/cf-support-nova-hub.sh ]; then # shellcheck source=/dev/null - source $WORKDIR/share/cf-support-nova-hub.sh + . $WORKDIR/share/cf-support-nova-hub.sh fi # Here we create the tarball one directory up # to preserve a top-level of $collection in the tarball. # This gives a nice context of timestamp, hostname and support ticket # if provided. (see $collection definition above) -tar czf "$collection.tar.gz" --directory "$tmpdir/../" . && rm -rf "$tmpdir" +tar cvf - -C "$tmpdir"/.. "$collection" | gzip > "$collection.tar.gz" +rm -rf "$tmpdir" echo "Please send $collection.tar.gz to CFEngine support staff." diff --git a/misc/init.d/cf-php-fpm.in b/misc/init.d/cf-php-fpm.in new file mode 100644 index 0000000000..7d217655a2 --- /dev/null +++ b/misc/init.d/cf-php-fpm.in @@ -0,0 +1,35 @@ +#! /bin/sh +# copied from /etc/init.d/procps written by Elrond +# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing. +if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then + set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script +fi +### BEGIN INIT INFO +# Provides: cf-php-fpm +# Required-Start: +# Required-Stop: +# Should-Start: +# X-Start-Before: +# Default-Start: S +# Default-Stop: +# Short-Description: Start CFEngine Mission Portal php-fpm service +# Description: CFEngine Enterprise PHP FastCGI Process Manager +### END INIT INFO + +# shellcheck disable=SC2034 +DESC=cf-php-fpm +PREFIX=${CFTEST_PREFIX:-@workdir@} +DAEMON=$PREFIX/httpd/php/sbin/php-fpm +PIDFILE=$PREFIX/httpd/php-fpm.pid + +do_start_cmd() { + STATUS=0 + "$DAEMON" --pid "$PIDFILE" --force-stderr || STATUS="$?" + return $STATUS +} + +do_stop_cmd() { + if [ -f "$PIDFILE" ]; then + kill -9 "-$(cat "$PIDFILE")" + fi +} diff --git a/misc/init.d/cfengine3.in b/misc/init.d/cfengine3.in index 6017e7e212..bb320630a8 100644 --- a/misc/init.d/cfengine3.in +++ b/misc/init.d/cfengine3.in @@ -150,7 +150,7 @@ fi CURRENT_PS_UID=__none__ INSIDE_CONTAINER=-1 -if ps --help 2>/dev/null | egrep -e '--cols\b' > /dev/null || ps --help output 2>/dev/null | egrep -e '--cols\b'; then +if ps --help 2>/dev/null | egrep -e '--cols\b' > /dev/null || ps --help output 2>/dev/null | egrep -e '--cols\b' > /dev/null; then # There is a bug in SUSE which means that ps output will be truncated even # when piped to grep, if the terminal size is small. However using --cols # will override it. NOTE: On Suse 12 and 15, `ps` mentions `--cols` only diff --git a/misc/selinux/Makefile.am b/misc/selinux/Makefile.am index 8598e7667b..870b866b30 100644 --- a/misc/selinux/Makefile.am +++ b/misc/selinux/Makefile.am @@ -1,9 +1,14 @@ if WITH_SELINUX +cfengine-enterprise.te: cfengine-enterprise.te.all $(PLATFORM_SELINUX_POLICIES) + cat cfengine-enterprise.te.all $(PLATFORM_SELINUX_POLICIES) > cfengine-enterprise.te + cfengine-enterprise.pp: cfengine-enterprise.te cfengine-enterprise.fc $(MAKE) -f /usr/share/selinux/devel/Makefile -j1 selinuxdir = $(prefix)/selinux selinux_DATA = cfengine-enterprise.pp +selinux_DATA += cfengine-enterprise.te +selinux_DATA += cfengine-enterprise.fc clean-local: rm -rf tmp @@ -11,6 +16,7 @@ endif # explicit DISTFILES are required for these files to be part of a 'make dist' # tarball even without running './configure --with-selinux-policy' -DISTFILES = Makefile.in Makefile.am cfengine-enterprise.te cfengine-enterprise.fc +DISTFILES = Makefile.in Makefile.am cfengine-enterprise.fc cfengine-enterprise.te.all +DISTFILES += cfengine-enterprise.te.el9 -CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if +CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te diff --git a/misc/selinux/cfengine-enterprise.te b/misc/selinux/cfengine-enterprise.te.all similarity index 80% rename from misc/selinux/cfengine-enterprise.te rename to misc/selinux/cfengine-enterprise.te.all index 37b721b6e4..154e5e9c7f 100644 --- a/misc/selinux/cfengine-enterprise.te +++ b/misc/selinux/cfengine-enterprise.te.all @@ -34,6 +34,7 @@ require { type proc_t; type proc_net_t; type proc_xen_t; + type proc_security_t; type cfengine_serverd_exec_t; type http_port_t; type ldap_port_t; @@ -52,6 +53,7 @@ require { type hugetlbfs_t; type init_exec_t; type init_var_run_t; + type ifconfig_t; type ifconfig_exec_t; type journalctl_exec_t; type cfengine_execd_t; @@ -89,83 +91,9 @@ require { type ssh_exec_t; type ssh_home_t; type rpm_script_t; - class tcp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown name_connect accept listen name_bind node_bind }; - class udp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown node_bind }; - class sock_file { create write getattr setattr unlink }; - class rawip_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class packet_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class unix_stream_socket { create ioctl read getattr lock write setattr append bind connect connectto getopt setopt shutdown }; - class unix_dgram_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown sendto }; - class appletalk_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_route_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown nlmsg_read getopt }; - class netlink_firewall_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_tcpdiag_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_nflog_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_xfrm_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_selinux_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_audit_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_ip6fw_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_dnrt_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_kobject_uevent_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class tun_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_iscsi_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_fib_lookup_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_connector_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_netfilter_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_generic_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_scsitransport_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_rdma_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netlink_crypto_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class sctp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class icmp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class ax25_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class ipx_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class netrom_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class atmpvc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class x25_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class xdp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class rose_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class decnet_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class atmsvc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class rds_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class irda_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class pppox_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class llc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class can_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class tipc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class bluetooth_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class iucv_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class rxrpc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class isdn_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class phonet_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class ieee802154_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class caif_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class alg_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class nfc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class vsock_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class kcm_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class qipcrtr_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class smc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class bridge_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class dccp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class ib_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class mpls_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }; - class process { setrlimit transition dyntransition execstack execheap execmem signull siginh getattr }; - class file { execute execute_no_trans getattr ioctl map open read unlink write entrypoint lock link rename append setattr create relabelfrom relabelto watch watch_reads }; - class fifo_file { create open getattr setattr read write append rename link unlink ioctl lock relabelfrom relabelto }; - class dir { getattr read search open write add_name remove_name lock ioctl create setattr rmdir }; - class filesystem getattr; - class lnk_file { create getattr read unlink }; - class capability { dac_read_search sys_module chown dac_read_search dac_override fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace kill net_bind_service }; - class cap_userns sys_ptrace; - class capability2 { mac_admin mac_override block_suspend syslog wake_alarm }; - class association { sendto recvfrom setcontext polmatch }; - class security setsecparam; - class service { start stop status reload enable disable }; - class memprotect mmap_zero; - class peer recv; - class chr_file { getattr }; + type fsadm_exec_t; + type lvm_exec_t; + all_kernel_class_perms } @@ -206,6 +134,10 @@ allow cfengine_execd_t cfengine_var_lib_t:file execute; # allow cf-execd to execute cf-promises allow cfengine_execd_t cfengine_var_lib_t:file execute_no_trans; +# allow cf-promises run by cf-execd to getattr everywhere and read symlinks +files_getattr_all_dirs(cfengine_execd_t) +files_getattr_all_files(cfengine_execd_t) +files_read_all_symlinks(cfengine_execd_t) # TODO: this should not be needed allow cfengine_execd_t ssh_port_t:tcp_socket name_connect; @@ -223,6 +155,7 @@ allow cfengine_execd_t cfengine_reactor_exec_t:file getattr; allow cfengine_execd_t cfengine_var_lib_t:sock_file { create unlink getattr setattr }; allow cfengine_execd_t self:capability sys_ptrace; +allow cfengine_execd_t self:cap_userns sys_ptrace; allow cfengine_execd_t crontab_exec_t:file getattr; allow cfengine_execd_t dmidecode_exec_t:file getattr; @@ -235,6 +168,8 @@ allow cfengine_execd_t init_t:unix_stream_socket connectto; allow cfengine_execd_t journalctl_exec_t:file getattr; allow cfengine_execd_t ping_exec_t:file getattr; allow cfengine_execd_t proc_net_t:file { getattr open read }; +allow cfengine_execd_t proc_net_t:lnk_file { getattr read }; +allow cfengine_execd_t proc_security_t:file { getattr open read }; allow cfengine_execd_t rpm_exec_t:file getattr; allow cfengine_execd_t rpm_var_lib_t:dir search; allow cfengine_execd_t rpm_var_lib_t:file open; @@ -261,6 +196,10 @@ allow cfengine_monitord_t cfengine_var_lib_t:file execute; # allow cf-monitord to execute cf-promises allow cfengine_monitord_t cfengine_var_lib_t:file execute_no_trans; +# allow cf-promises run by cf-monitord to getattr everywhere and read symlinks +files_getattr_all_dirs(cfengine_monitord_t) +files_getattr_all_files(cfengine_monitord_t) +files_read_all_symlinks(cfengine_monitord_t) allow cfengine_monitord_t cfengine_execd_exec_t:file getattr; allow cfengine_monitord_t cfengine_serverd_exec_t:file getattr; @@ -269,6 +208,9 @@ allow cfengine_monitord_t cfengine_hub_exec_t:file getattr; allow cfengine_monitord_t cfengine_reactor_exec_t:file getattr; allow cfengine_monitord_t var_log_t:file { open read }; +# cf-monitord collects arbitrary system data so needs complete access to filesystems and files +fs_unconfined(cfengine_monitord_t) +files_unconfined(cfengine_monitord_t) allow cfengine_monitord_t self:capability { dac_override dac_read_search sys_ptrace }; allow cfengine_monitord_t self:cap_userns sys_ptrace; @@ -291,6 +233,8 @@ allow cfengine_monitord_t tty_device_t:chr_file getattr; allow cfengine_monitord_t user_devpts_t:chr_file getattr; allow cfengine_monitord_t sysctl_t:dir read; allow cfengine_monitord_t ssh_exec_t:file getattr; +allow cfengine_monitord_t proc_net_t:file { getattr open read }; +allow cfengine_monitord_t proc_security_t:file { getattr open read }; # TODO: this should not be needed allow cfengine_monitord_t proc_xen_t:dir search; @@ -308,13 +252,20 @@ allow cfengine_serverd_t cfengine_var_lib_t:file execute; # allow cf-serverd to execute cf-promises allow cfengine_serverd_t cfengine_var_lib_t:file execute_no_trans; +# allow cf-promises run by cf-serverd to getattr everywhere and read symlinks +files_getattr_all_dirs(cfengine_serverd_t) +files_getattr_all_files(cfengine_serverd_t) +files_read_all_symlinks(cfengine_serverd_t) # allow cf-serverd to connect to the CFEngine port and to write into a local socket (in case of # call-collect on hosts and the hub itself, respectively) allow cfengine_serverd_t unreserved_port_t:tcp_socket name_connect; -allow cfengine_serverd_t cfengine_var_lib_t:sock_file write; +allow cfengine_serverd_t cfengine_var_lib_t:sock_file { getattr write }; allow cfengine_serverd_t cfengine_hub_t:unix_stream_socket connectto; +# allow cf-serverd to set its own limits, e.g. def.control_server_maxconnections +allow cfengine_serverd_t self:capability sys_resource; + # TODO: this should not be needed allow cfengine_serverd_t ssh_port_t:tcp_socket name_connect; allow cfengine_serverd_t proc_xen_t:dir search; @@ -336,6 +287,8 @@ allow cfengine_serverd_t init_t:file { getattr open read }; allow cfengine_serverd_t journalctl_exec_t:file getattr; allow cfengine_serverd_t ping_exec_t:file getattr; allow cfengine_serverd_t proc_net_t:file { getattr open read }; +allow cfengine_serverd_t proc_net_t:lnk_file { getattr read }; +allow cfengine_serverd_t proc_security_t:file { getattr open read }; allow cfengine_serverd_t rpm_exec_t:file getattr; allow cfengine_serverd_t self:process setrlimit; allow cfengine_serverd_t self:tcp_socket { accept listen }; @@ -354,6 +307,8 @@ type cfengine_hub_t; typeattribute cfengine_hub_t domain; role system_r types cfengine_hub_t; +# cf-hub uses setuid/setgid to initiate scheduled reports as cfapache:cfpostgres +allow cfengine_hub_t self:capability { setgid setuid }; # /var/cfengine/bin/cf-hub has the 'cfengine_hub_exec_t' context which is an # entrypoint for the 'cfengine_hub_t' domain type cfengine_hub_exec_t; @@ -370,6 +325,10 @@ allow init_t cfengine_hub_t:process siginh; allow cfengine_hub_t cfengine_hub_exec_t:file entrypoint; allow cfengine_hub_t cfengine_hub_exec_t:file { ioctl read getattr lock map execute open }; +# the following file permissions for cf-hub are not needed if masterfiles includes fixes from ENT-12954 making inventory and paths standard library bundles agent instead of common. +allow cfengine_hub_t fsadm_exec_t:file getattr; +allow cfengine_hub_t lvm_exec_t:file getattr; + # allow cf-hub to use/execute libpromises.so allow cfengine_hub_t cfengine_var_lib_t:file map; allow cfengine_hub_t cfengine_var_lib_t:file execute; @@ -389,7 +348,7 @@ allow cfengine_hub_t cfengine_postgres_t:unix_stream_socket connectto; allow cfengine_hub_t unreserved_port_t:tcp_socket name_connect; allow cfengine_hub_t cfengine_log_t:dir getattr; -allow cfengine_hub_t cfengine_var_lib_t:dir { add_name getattr open read search write remove_name }; +allow cfengine_hub_t cfengine_var_lib_t:dir { add_name create getattr open read search write remove_name }; allow cfengine_hub_t cfengine_var_lib_t:file { create ioctl lock write unlink append setattr }; allow cfengine_hub_t cfengine_var_lib_t:lnk_file { getattr read }; allow cfengine_hub_t cfengine_var_lib_t:sock_file { create unlink }; @@ -413,7 +372,7 @@ allow cfengine_hub_t sendmail_exec_t:file { execute execute_no_trans open read } allow cfengine_hub_t bin_t:file map; allow cfengine_hub_t bin_t:file { execute execute_no_trans }; -allow cfengine_hub_t cert_t:dir search; +allow cfengine_hub_t cert_t:dir { getattr open read search }; allow cfengine_hub_t cert_t:file { getattr open read }; allow cfengine_hub_t crontab_exec_t:file getattr; allow cfengine_hub_t devlog_t:lnk_file read; @@ -433,13 +392,15 @@ allow cfengine_hub_t net_conf_t:file { getattr open read }; allow cfengine_hub_t passwd_file_t:file { getattr open read }; allow cfengine_hub_t ping_exec_t:file getattr; allow cfengine_hub_t proc_net_t:file { getattr open read }; +allow cfengine_hub_t proc_net_t:lnk_file { getattr read }; +allow cfengine_hub_t proc_security_t:file { getattr open read }; allow cfengine_hub_t proc_t:dir read; allow cfengine_hub_t rpm_exec_t:file getattr; allow cfengine_hub_t self:capability { dac_override chown dac_read_search }; allow cfengine_hub_t self:process { execmem setrlimit }; allow cfengine_hub_t self:tcp_socket { connect create getopt setopt read write }; allow cfengine_hub_t self:udp_socket { connect create getattr ioctl setopt read write }; -allow cfengine_hub_t self:netlink_route_socket { create getopt setopt bind getattr nlmsg_read }; +allow cfengine_hub_t self:netlink_route_socket { create getopt setopt bind getattr nlmsg_read read write }; allow cfengine_hub_t self:unix_dgram_socket { create connect read write }; allow cfengine_hub_t semanage_exec_t:file getattr; allow cfengine_hub_t shadow_t:file getattr; @@ -462,8 +423,13 @@ allow cfengine_hub_t var_t:dir read; allow cfengine_hub_t ssh_exec_t:file getattr; allow cfengine_hub_t tmp_t:dir read; +# Use of the TLS kernel module +allow cfengine_hub_t kernel_t:system module_request; + # TODO: these should not be needed -allow cfengine_hub_t ifconfig_exec_t:file { execute execute_no_trans open read getattr map }; +# this is a macro invocation, the file has to be processed with +# make -f /usr/share/selinux/devel/Makefile +sysnet_domtrans_ifconfig(cfengine_hub_t) allow cfengine_hub_t shell_exec_t:file map; allow cfengine_hub_t shell_exec_t:file { execute execute_no_trans }; allow cfengine_hub_t proc_xen_t:dir search; @@ -492,12 +458,14 @@ allow cfengine_postgres_t cfengine_postgres_exec_t:file { ioctl read getattr loc # TODO: Why are 'map', 'execute' and 'execute_no_trans' needed for postgres? allow cfengine_postgres_t cfengine_var_lib_t:file map; -allow cfengine_postgres_t cfengine_var_lib_t:file { create execute execute_no_trans getattr link open read rename unlink write }; - +allow cfengine_postgres_t cfengine_var_lib_t:file { create execute execute_no_trans getattr link open read rename unlink write rename }; +allow cfengine_postgres_t cfengine_var_lib_t:lnk_file read; allow cfengine_postgres_t cfengine_var_lib_t:dir { add_name getattr open create read remove_name search write }; allow cfengine_postgres_t postgresql_port_t:tcp_socket name_bind; +allow cfengine_postgres_t cert_t:dir { getattr open read search }; +allow cfengine_postgres_t cert_t:file { getattr open read }; allow cfengine_postgres_t hugetlbfs_t:file map; allow cfengine_postgres_t hugetlbfs_t:file { read write }; allow cfengine_postgres_t init_t:unix_stream_socket { getattr ioctl read write }; # pg_ctl, systemd, PAM? @@ -510,6 +478,7 @@ allow cfengine_postgres_t proc_t:file { getattr open read }; allow cfengine_postgres_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow cfengine_postgres_t self:tcp_socket { bind create listen setopt read write }; allow cfengine_postgres_t self:udp_socket { bind connect create getattr getopt read write }; +allow cfengine_postgres_t self:unix_stream_socket connectto; allow cfengine_postgres_t sssd_public_t:dir search; allow cfengine_postgres_t sssd_public_t:file map; allow cfengine_postgres_t sssd_public_t:file { getattr open read }; @@ -517,7 +486,7 @@ allow cfengine_postgres_t sssd_var_lib_t:sock_file write; allow cfengine_postgres_t sssd_var_lib_t:dir search; allow cfengine_postgres_t sssd_t:unix_stream_socket connectto; allow cfengine_postgres_t tmp_t:dir { add_name write remove_name }; -allow cfengine_postgres_t tmp_t:file { create write unlink }; +allow cfengine_postgres_t tmp_t:file { create open write unlink }; allow cfengine_postgres_t tmp_t:sock_file { create setattr unlink write }; allow cfengine_postgres_t tmpfs_t:dir { add_name write remove_name }; allow cfengine_postgres_t tmpfs_t:file { create open read write map unlink getattr }; @@ -529,7 +498,7 @@ allow cfengine_postgres_t passwd_file_t:file { open read getattr }; # Needed for systemd to be able to check PostgreSQL's PID file allow init_t cfengine_var_lib_t:dir { read remove_name write }; -allow init_t cfengine_var_lib_t:file { getattr open read unlink }; +allow init_t cfengine_var_lib_t:file { getattr open read unlink ioctl }; # TODO: these should not be needed allow cfengine_postgres_t shell_exec_t:file map; @@ -557,7 +526,7 @@ allow init_t cfengine_httpd_t:process siginh; allow cfengine_httpd_t cfengine_httpd_exec_t:file entrypoint; allow cfengine_httpd_t cfengine_httpd_exec_t:file { ioctl read getattr lock map execute open }; -allow cfengine_httpd_t cert_t:dir search; +allow cfengine_httpd_t cert_t:dir { getattr open read search }; allow cfengine_httpd_t cert_t:file { getattr open read }; allow cfengine_httpd_t cert_t:lnk_file read; allow cfengine_httpd_t cfengine_httpd_exec_t:file execute_no_trans; @@ -614,7 +583,7 @@ allow cfengine_httpd_t sssd_var_lib_t:dir search; allow cfengine_httpd_t sssd_var_lib_t:sock_file write; allow cfengine_httpd_t syslogd_var_run_t:dir search; allow cfengine_httpd_t tmp_t:sock_file write; -allow cfengine_httpd_t tmp_t:file { create setattr unlink write rename }; +allow cfengine_httpd_t tmp_t:file { create setattr unlink write rename open }; allow cfengine_httpd_t tmp_t:dir { add_name remove_name write read }; allow cfengine_httpd_t var_t:dir read; @@ -634,6 +603,14 @@ allow cfengine_httpd_t system_dbusd_var_run_t:dir search; allow cfengine_httpd_t system_dbusd_var_run_t:sock_file write; allow init_t cfengine_httpd_t:dbus send_msg; +# allow httpd to run 'ps' and thus gather information about all running processes on the system +# this is a macro invocation, the file has to be processed with +# make -f /usr/share/selinux/devel/Makefile +ps_process_pattern(cfengine_httpd_t, domain) +allow cfengine_httpd_t bin_t:file { map execute execute_no_trans }; +allow cfengine_httpd_t proc_t:dir read; +allow cfengine_httpd_t proc_t:file { open read }; + # TODO: these should not be needed allow cfengine_httpd_t passwd_file_t:file { getattr open read }; allow cfengine_httpd_t shell_exec_t:file map; @@ -685,6 +662,8 @@ allow cfengine_apachectl_t proc_t:file { open read }; # this is a macro invocation, the file has to be processed with # make -f /usr/share/selinux/devel/Makefile ps_process_pattern(cfengine_apachectl_t, domain) +# ps_process_pattern() above doesn't include needed sys_ptrace capability for apachectl to run 'ps' +allow cfengine_apachectl_t self:cap_userns sys_ptrace; #============= cfengine_reactor_t ============== type cfengine_reactor_t; @@ -744,14 +723,14 @@ allow cfengine_reactor_t fs_t:filesystem getattr; allow cfengine_reactor_t shell_exec_t:file map; allow cfengine_reactor_t shell_exec_t:file { execute execute_no_trans }; -allow cfengine_reactor_t cert_t:dir search; +allow cfengine_reactor_t cert_t:dir { getattr open read search }; allow cfengine_reactor_t cert_t:file { getattr open read }; allow cfengine_reactor_t cert_t:lnk_file read; allow cfengine_reactor_t http_port_t:tcp_socket name_connect; allow cfengine_reactor_t net_conf_t:file { getattr open read }; allow cfengine_reactor_t self:capability { chown fsetid }; -allow cfengine_reactor_t self:netlink_route_socket { bind create getattr nlmsg_read }; +allow cfengine_reactor_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow cfengine_reactor_t self:tcp_socket { create ioctl read getattr write setattr append connect getopt setopt shutdown name_connect }; allow cfengine_reactor_t self:udp_socket { create ioctl read getattr write setattr append connect getopt setopt shutdown }; allow cfengine_reactor_t self:unix_stream_socket connectto; @@ -817,14 +796,18 @@ allow cfengine_cfbs_t cfengine_reactor_t:fifo_file { getattr ioctl read write }; allow cfengine_cfbs_t bin_t:file { map execute }; -allow cfengine_cfbs_t cert_t:dir search; +# cfbs runs some commands in a shell +allow cfengine_cfbs_t shell_exec_t:file map; +allow cfengine_cfbs_t shell_exec_t:file { execute execute_no_trans }; + +allow cfengine_cfbs_t cert_t:dir { getattr open read search }; allow cfengine_cfbs_t cert_t:file { getattr open read }; allow cfengine_cfbs_t cert_t:lnk_file read; allow cfengine_cfbs_t http_port_t:tcp_socket name_connect; allow cfengine_cfbs_t net_conf_t:file { getattr open read }; allow cfengine_cfbs_t passwd_file_t:file { getattr open read }; allow cfengine_cfbs_t self:capability dac_override; -allow cfengine_cfbs_t self:netlink_route_socket { bind create getattr nlmsg_read }; +allow cfengine_cfbs_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow cfengine_cfbs_t self:tcp_socket { create ioctl read getattr write setattr append connect getopt setopt shutdown name_connect }; allow cfengine_cfbs_t self:udp_socket { create ioctl read getattr write setattr append connect getopt setopt shutdown }; allow cfengine_cfbs_t sssd_public_t:dir search; diff --git a/misc/selinux/cfengine-enterprise.te.el9 b/misc/selinux/cfengine-enterprise.te.el9 new file mode 100644 index 0000000000..813a7f26b2 --- /dev/null +++ b/misc/selinux/cfengine-enterprise.te.el9 @@ -0,0 +1,14 @@ +require { + type systemd_userdbd_runtime_t; + type http_port_t; +} + +# PAM module for dynamic users +allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search }; +allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write; +allow cfengine_httpd_t kernel_t:unix_stream_socket connectto; + +# selinux-policy 38.1.45 requires the following http_port permissions whereas 3.14.3 does not. +# these permissions are not be needed if changes from ENT-12954 to masterfiles policy move inventory from common to an agent bundle are in place. +allow cfengine_serverd_t http_port_t:tcp_socket name_connect; +allow cfengine_execd_t http_port_t:tcp_socket name_connect; diff --git a/misc/systemd/cf-apache.service.in b/misc/systemd/cf-apache.service.in index 5b4373ec24..e0acc7a75c 100644 --- a/misc/systemd/cf-apache.service.in +++ b/misc/systemd/cf-apache.service.in @@ -10,6 +10,7 @@ PartOf=cfengine3.service Type=forking ExecStart=@workdir@/httpd/bin/apachectl start ExecStop=@workdir@/httpd/bin/apachectl stop +ExecReload=@workdir@/httpd/bin/apachectl graceful PIDFile=@workdir@/httpd/httpd.pid Restart=always RestartSec=10 @@ -17,4 +18,3 @@ UMask=0177 [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-execd.service.in b/misc/systemd/cf-execd.service.in index 95567bcfe0..66f1e235e3 100644 --- a/misc/systemd/cf-execd.service.in +++ b/misc/systemd/cf-execd.service.in @@ -14,4 +14,3 @@ KillMode=process [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-hub.service.in b/misc/systemd/cf-hub.service.in index 1c8c62aa46..a6027ce206 100644 --- a/misc/systemd/cf-hub.service.in +++ b/misc/systemd/cf-hub.service.in @@ -17,4 +17,3 @@ RestartSec=10 [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-monitord.service.in b/misc/systemd/cf-monitord.service.in index 7ceb1e78d6..351090d6e6 100644 --- a/misc/systemd/cf-monitord.service.in +++ b/misc/systemd/cf-monitord.service.in @@ -13,4 +13,3 @@ RestartSec=10 [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-postgres.service.in b/misc/systemd/cf-postgres.service.in index 609c90c4fa..393efad1ee 100644 --- a/misc/systemd/cf-postgres.service.in +++ b/misc/systemd/cf-postgres.service.in @@ -33,4 +33,3 @@ ExecReload=@bindir@/pg_ctl -w -D ${PGDATA} -l /var/log/postgresql.log reload -m [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-reactor.service.in b/misc/systemd/cf-reactor.service.in index e50248258f..9e751abec5 100644 --- a/misc/systemd/cf-reactor.service.in +++ b/misc/systemd/cf-reactor.service.in @@ -17,4 +17,3 @@ RestartSec=10 [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service diff --git a/misc/systemd/cf-runalerts.service.in b/misc/systemd/cf-runalerts.service.in index 989614c8d4..e87f199347 100644 --- a/misc/systemd/cf-runalerts.service.in +++ b/misc/systemd/cf-runalerts.service.in @@ -3,6 +3,7 @@ Description=CFEngine Enterprise SQL Alerts After=syslog.target ConditionPathExists=@bindir@/runalerts.php ConditionFileIsExecutable=@workdir@/httpd/php/bin/php +ConditionPathIsDirectory=@workdir@/httpd/php/runalerts-stamp PartOf=cfengine3.service After=cf-postgres.service @@ -19,5 +20,4 @@ RestartSec=10 [Install] WantedBy=multi-user.target -WantedBy=cfengine3.service WantedBy=cf-postgres.service diff --git a/misc/systemd/cf-serverd.service.in b/misc/systemd/cf-serverd.service.in index 50fb00b15f..03945f8fea 100644 --- a/misc/systemd/cf-serverd.service.in +++ b/misc/systemd/cf-serverd.service.in @@ -15,4 +15,3 @@ RestartSec=10 [Install] WantedBy=network-online.target -WantedBy=cfengine3.service diff --git a/tests/acceptance/00_basics/02_switches/dry_run_perms_doesnt_lie.cf b/tests/acceptance/00_basics/02_switches/dry_run_perms_doesnt_lie.cf index 3b7c5aa3bb..6755819227 100644 --- a/tests/acceptance/00_basics/02_switches/dry_run_perms_doesnt_lie.cf +++ b/tests/acceptance/00_basics/02_switches/dry_run_perms_doesnt_lie.cf @@ -19,6 +19,13 @@ bundle agent init running with dry-run."; } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/00_basics/03_bodies/dynamic_inputs_findfiles.cf b/tests/acceptance/00_basics/03_bodies/dynamic_inputs_findfiles.cf index 0b3cb8f34e..753e93cec3 100644 --- a/tests/acceptance/00_basics/03_bodies/dynamic_inputs_findfiles.cf +++ b/tests/acceptance/00_basics/03_bodies/dynamic_inputs_findfiles.cf @@ -36,9 +36,6 @@ bundle agent init bundle agent test { - meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4730" }; } bundle agent check diff --git a/tests/acceptance/00_basics/03_bodies/dynamic_inputs_maplist.cf b/tests/acceptance/00_basics/03_bodies/dynamic_inputs_maplist.cf index d35bf53646..f41108d1e6 100644 --- a/tests/acceptance/00_basics/03_bodies/dynamic_inputs_maplist.cf +++ b/tests/acceptance/00_basics/03_bodies/dynamic_inputs_maplist.cf @@ -37,9 +37,6 @@ bundle agent init bundle agent test { - meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4730" }; } bundle agent check diff --git a/tests/acceptance/00_basics/03_bodies/inherit_from_with_global_var.cf b/tests/acceptance/00_basics/03_bodies/inherit_from_with_global_var.cf new file mode 100644 index 0000000000..c9dec4f368 --- /dev/null +++ b/tests/acceptance/00_basics/03_bodies/inherit_from_with_global_var.cf @@ -0,0 +1,55 @@ +####################################################### +# +# Test that bodies can inherit attributes containing global variables +# +####################################################### + +body common control +{ + inputs => { "../../default.cf.sub" }; + bundlesequence => { default("$(this.promise_filename)") }; + version => "1.0"; +} + +####################################################### + + +bundle agent init +{ + vars: + "class" string => "_pass"; +} + +####################################################### + +body classes parent(p) +{ + promise_kept => { "${init.class}" }; +} + +body classes static(p) +{ + inherit_from => parent(p); +} + +bundle agent test { + meta: + "description" -> { "CFE-4254" } + string => "Test that bodies can inherit attributes containing global variables"; + + vars: + "test" string => "test", + classes => static("placeholder"); +} + +####################################################### + +bundle agent check +{ + methods: + _pass:: + "pass" usebundle => dcs_pass("$(this.promise_filename)"); + + !_pass:: + "pass" usebundle => dcs_fail("$(this.promise_filename)"); +} diff --git a/tests/acceptance/00_basics/04_bundles/dynamic_bundlesequence/dynamic_inputs_based_on_list_variable_dependent_on_class.cf b/tests/acceptance/00_basics/04_bundles/dynamic_bundlesequence/dynamic_inputs_based_on_list_variable_dependent_on_class.cf index d0ddd43db4..24a5516ed8 100644 --- a/tests/acceptance/00_basics/04_bundles/dynamic_bundlesequence/dynamic_inputs_based_on_list_variable_dependent_on_class.cf +++ b/tests/acceptance/00_basics/04_bundles/dynamic_bundlesequence/dynamic_inputs_based_on_list_variable_dependent_on_class.cf @@ -13,9 +13,11 @@ bundle common inventory !this_is_true:: "inputs" slist => { }; "bundles" slist => { "bad" }; - this_is_true:: + this_is_true.!windows:: "inputs" slist => { "$(this.promise_filename).sub" }; "bundles" slist => { "good" }; + windows:: + "bundles" slist => { "skip" }; } bundle agent bad @@ -23,3 +25,9 @@ bundle agent bad reports: "$(this.promise_filename) FAIL"; } + +bundle agent skip +{ + reports: + "$(this.promise_filename) Skip/unsupported"; +} diff --git a/tests/acceptance/00_basics/04_bundles/namespaced.cf b/tests/acceptance/00_basics/04_bundles/namespaced.cf index cc79f0eb34..6a10660840 100644 --- a/tests/acceptance/00_basics/04_bundles/namespaced.cf +++ b/tests/acceptance/00_basics/04_bundles/namespaced.cf @@ -16,6 +16,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; } bundle agent check diff --git a/tests/acceptance/00_basics/def.json/bad-json.cf b/tests/acceptance/00_basics/def.json/bad-json.cf index f89435572c..2eb0c23bf9 100644 --- a/tests/acceptance/00_basics/def.json/bad-json.cf +++ b/tests/acceptance/00_basics/def.json/bad-json.cf @@ -10,8 +10,12 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + methods: - "" usebundle => file_copy("$(this.promise_filename).json", "$(sys.inputdir)/def.json"); + "" usebundle => file_copy("$(this.promise_filename).json", "$(sys.inputdir)$(const.dirsep)def.json"); } ####################################################### @@ -22,5 +26,5 @@ bundle agent check "command" string => "$(sys.cf_promises) -v|$(G.grep) JSON"; methods: - "" usebundle => dcs_passif_output(".*Could not parse JSON file $(sys.inputdir)/def.json.*", "", $(command), $(this.promise_filename)); + "" usebundle => dcs_passif_output(".*Could not parse JSON file $(sys.inputdir)$(const.dirsep)def.json.*", "", $(command), $(this.promise_filename)); } diff --git a/tests/acceptance/00_basics/def.json/state.cf b/tests/acceptance/00_basics/def.json/state.cf index d7eeeccab1..5fee065ed2 100644 --- a/tests/acceptance/00_basics/def.json/state.cf +++ b/tests/acceptance/00_basics/def.json/state.cf @@ -8,6 +8,12 @@ body common control ####################################################### +bundle agent test +{ +} + +####################################################### + bundle agent check { methods: diff --git a/tests/acceptance/00_basics/macros/if_triple.cf b/tests/acceptance/00_basics/macros/if_triple.cf index 9577f54a99..0d4a252e61 100644 --- a/tests/acceptance/00_basics/macros/if_triple.cf +++ b/tests/acceptance/00_basics/macros/if_triple.cf @@ -1,7 +1,6 @@ ###################################################### # # Test that @if works with patch level -# ##################################################### body common control @@ -13,7 +12,7 @@ body common control bundle agent init { files: - "$(G.testdir)/test.cf" + "$(G.testdir)$(const.dirsep)test.cf" create => "true", edit_template => "$(this.promise_filename).sub.template", template_method => "mustache"; @@ -22,9 +21,15 @@ bundle agent init bundle agent check { methods: - "check" usebundle => dcs_passif_output(".*$(G.testdir)/test.cf Pass.*", + # Note: dcs_passif_output expects first argument to be regexp. + # To convert Windows-style path (with backslashes) to a regex which will match this path, + # we need to convert all backslashes to double-backslashes. + # In the command below, each backslash is escaped twice: + # once for regex, and once for CFEngine string parser. + "check" usebundle => dcs_passif_output(regex_replace(".*$(G.testdir)$(const.dirsep)test.cf Pass.*", + "\\\\", "\\\\\\\\", "g"), ".*FAIL.*", - "$(sys.cf_agent) -D AUTO -Kf $(G.testdir)/test.cf", + "$(sys.cf_agent) -D AUTO -Kf $(G.testdir)$(const.dirsep)test.cf", $(this.promise_filename)); } diff --git a/tests/acceptance/01_vars/01_basic/double_expansion_list.cf b/tests/acceptance/01_vars/01_basic/double_expansion_list.cf new file mode 100755 index 0000000000..34fd0a5d36 --- /dev/null +++ b/tests/acceptance/01_vars/01_basic/double_expansion_list.cf @@ -0,0 +1,68 @@ +############################################################################## +# +# Test double expansion of list from remote bundle (ENT-9491) +# +############################################################################## + +body common control +{ + bundlesequence => { "check" }; +} + +bundle agent test(parent_bundle) +{ + meta: + "description" -> { "ENT-9491", "CFE-1644" } + string => "Test double expansion of list from remote bundle"; + + reports: + "$($(parent_bundle).str)" + comment => "Double expansion of remote string works prior to fix", + bundle_return_value_index => "foo"; + + "$($(parent_bundle).lst)" + comment => "But double expansion of remote list does not work prior to fix", + bundle_return_value_index => "bar"; + + "$(check.lst)" + comment => "Single expansion of remote list works prior to fix", + bundle_return_value_index => "baz"; + + "$($(parent_bundle)#lst)" + comment => "We force mangle the variable, it works, but should this be possible?", + bundle_return_value_index => "qux"; + +} + +bundle agent check +{ + vars: + "str" + string => "EXPANDED"; + "lst" + slist => { "EXPANDED" }; + + methods: + "holder" + usebundle => test("$(this.bundle)"), + useresult => "ret"; + + reports: + "$(this.promise_filename) Pass" + if => and(strcmp("$(ret[foo])", "EXPANDED"), + strcmp("$(ret[bar])", "EXPANDED"), + strcmp("$(ret[baz])", "EXPANDED"), + strcmp("$(ret[qux])", "EXPANDED")); + + "$(this.promise_filename) FAIL" + unless => and(strcmp("$(ret[foo])", "EXPANDED"), + strcmp("$(ret[bar])", "EXPANDED"), + strcmp("$(ret[qux])", "EXPANDED"), + strcmp("$(ret[baz])", "EXPANDED")); + + DEBUG:: + "$(const.dollar)($(const.dollar)(parent_bundle).str) => $(ret[foo])"; + "$(const.dollar)($(const.dollar)(parent_bundle).lst) => $(ret[bar])"; + "$(const.dollar)(check.lst) => $(ret[baz])"; + "$(const.dollar)($(const.dollar)(parent_bundle)#lst) => $(ret[qux])"; +} diff --git a/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf b/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf new file mode 100755 index 0000000000..3553442985 --- /dev/null +++ b/tests/acceptance/01_vars/01_basic/double_expansion_list_namespace.cf @@ -0,0 +1,65 @@ +############################################################################## +# +# Test double expansion of list from remote bundle with namespace (ENT-11923) +# +############################################################################## + +body common control +{ + bundlesequence => { "bogus:check" }; +} + +bundle agent test(parent_namespace, parent_bundle) +{ + meta: + "description" -> { "ENT-11923" } + string => "Test double expansion of list from remote bundle with namespace"; + + reports: + "$($(parent_namespace):$(parent_bundle).str)" + comment => "Double expansion of remote string works prior to fix", + bundle_return_value_index => "foo"; + + "$($(parent_namespace):$(parent_bundle).lst)" + comment => "But double expansion of remote list does not work prior to fix", + bundle_return_value_index => "bar"; + + "$(bogus:check.lst)" + comment => "Single expansion of remote list works prior to fix", + bundle_return_value_index => "baz"; +} + +body file control +{ + namespace => "bogus"; +} + +bundle agent check +{ + vars: + "str" + string => "EXPANDED"; + "lst" + slist => { "EXPANDED" }; + + methods: + "holder" + usebundle => default:test("$(this.namespace)", "$(this.bundle)"), + useresult => "ret"; + + reports: + "$(this.promise_filename) Pass" + if => and(strcmp("$(ret[foo])", "EXPANDED"), + strcmp("$(ret[bar])", "EXPANDED"), + strcmp("$(ret[baz])", "EXPANDED")); + + "$(this.promise_filename) FAIL" + unless => and(strcmp("$(ret[foo])", "EXPANDED"), + strcmp("$(ret[bar])", "EXPANDED"), + strcmp("$(ret[baz])", "EXPANDED")); + + default:DEBUG:: + "$(const.dollar)($(const.dollar)(parent_namespace):$(const.dollar)(parent_bundle).str) => $(ret[foo])"; + "$(const.dollar)($(const.dollar)(parent_namespace):$(const.dollar)(parent_bundle).lst) => $(ret[bar])"; + "$(const.dollar)(default:check.lst) => $(ret[baz])"; +} diff --git a/tests/acceptance/01_vars/01_basic/fqhost_domain.cf b/tests/acceptance/01_vars/01_basic/fqhost_domain.cf new file mode 100644 index 0000000000..7fbc61785d --- /dev/null +++ b/tests/acceptance/01_vars/01_basic/fqhost_domain.cf @@ -0,0 +1,33 @@ +############################################################## +# +# Test default:sys.fqhost with domain CFE-4053 +# +############################################################## + +body common control +{ + domain => "cfengine.com"; + bundlesequence => { "check" }; +} + +bundle agent __main__ +{ + methods: + "check"; +} + +############################################################## + +bundle agent check +{ + reports: + DEBUG:: + "$(sys.fqhost), $(sys.uqhost).cfengine.com"; + + any:: + "$(this.promise_filename) Pass" + if => strcmp( "$(sys.fqhost)", "$(sys.uqhost).cfengine.com" ); + + "$(this.promise_filename) FAIL" + unless => strcmp( "$(sys.fqhost)", "$(sys.uqhost).cfengine.com" ); +} diff --git a/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/1/main.cf b/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/1/main.cf index aa880882f8..f7e36e8ead 100644 --- a/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/1/main.cf +++ b/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/1/main.cf @@ -13,6 +13,13 @@ bundle agent __main__ "bundlesequence" usebundle => default("$(this.promise_filename)"); } +bundle agent init +{ + commands: + windows:: + "$(G.dos2unix) $(this.promise_dirname)/expected_output.txt" -> { "ENT-10433" }; +} + bundle agent test { meta: diff --git a/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/2/main.cf b/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/2/main.cf index 1099dedeff..4dd235b4c9 100644 --- a/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/2/main.cf +++ b/tests/acceptance/01_vars/01_basic/namespaces/bundle_qualified_refs/2/main.cf @@ -13,6 +13,13 @@ bundle agent __main__ "bundlesequence" usebundle => default("$(this.promise_filename)"); } +bundle agent init +{ + commands: + windows:: + "$(G.dos2unix) $(this.promise_dirname)/expected_output.txt" -> { "ENT-10433" }; +} + bundle agent test { meta: diff --git a/tests/acceptance/01_vars/01_basic/os_name_human.cf b/tests/acceptance/01_vars/01_basic/os_name_human.cf index 48fd404b64..f4d98afe93 100755 --- a/tests/acceptance/01_vars/01_basic/os_name_human.cf +++ b/tests/acceptance/01_vars/01_basic/os_name_human.cf @@ -48,6 +48,8 @@ bundle agent test "expected" string => "macOS"; solaris:: "expected" string => "Solaris"; + amazon_linux:: + "expected" string => "Amazon"; } bundle agent check diff --git a/tests/acceptance/01_vars/01_basic/sysvars.cf b/tests/acceptance/01_vars/01_basic/sysvars.cf index 0062b8ec5d..4758b01c3c 100644 --- a/tests/acceptance/01_vars/01_basic/sysvars.cf +++ b/tests/acceptance/01_vars/01_basic/sysvars.cf @@ -32,6 +32,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; } ####################################################### diff --git a/tests/acceptance/01_vars/02_functions/cache_name.cf b/tests/acceptance/01_vars/02_functions/cache_name.cf new file mode 100644 index 0000000000..abbace9238 --- /dev/null +++ b/tests/acceptance/01_vars/02_functions/cache_name.cf @@ -0,0 +1,51 @@ +####################################################### +# +# Test that the function result cache checks function name +# +####################################################### + +body common control +{ + inputs => { "../../default.cf.sub" }; + bundlesequence => { default("$(this.promise_filename)") }; + version => "1.0"; +} + +####################################################### + + +bundle agent init +{ + vars: + "agent_regex" string => ".*cf-agent.*"; +} + +####################################################### + +bundle common test +{ + meta: + "description" -> { "CFE-4244" } + string => "Test that the function result cache checks function name"; + + vars: + "res1" data => findprocesses("${init.agent_regex}"); + + classes: + # must not reuse result from previous line + # is reused, produces a type error + "_pass" expression => processexists("${init.agent_regex}"); +} + + +####################################################### + +bundle agent check +{ + methods: + _pass:: + "pass" usebundle => dcs_pass("$(this.promise_filename)"); + + !_pass:: + "pass" usebundle => dcs_fail("$(this.promise_filename)"); +} diff --git a/tests/acceptance/01_vars/02_functions/execresult.cf b/tests/acceptance/01_vars/02_functions/execresult.cf index abe2e965ea..d4a64917fd 100644 --- a/tests/acceptance/01_vars/02_functions/execresult.cf +++ b/tests/acceptance/01_vars/02_functions/execresult.cf @@ -29,6 +29,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "dummy" string => "dummy"; } diff --git a/tests/acceptance/01_vars/02_functions/execresult_action_immediate.cf b/tests/acceptance/01_vars/02_functions/execresult_action_immediate.cf index f273355efa..91a4301b44 100644 --- a/tests/acceptance/01_vars/02_functions/execresult_action_immediate.cf +++ b/tests/acceptance/01_vars/02_functions/execresult_action_immediate.cf @@ -26,6 +26,8 @@ bundle agent test meta: "description" -> {"ENT-7478"} string => "If 'ifelapsed => 0' is used, execresult() should run the given command every time"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; methods: "foo" usebundle => check_date("foo"); diff --git a/tests/acceptance/01_vars/02_functions/execresult_select.cf b/tests/acceptance/01_vars/02_functions/execresult_select.cf index c1f0566693..4f3edda5a2 100644 --- a/tests/acceptance/01_vars/02_functions/execresult_select.cf +++ b/tests/acceptance/01_vars/02_functions/execresult_select.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3108" } string => "Test that you can select stderr/stdout in execresult"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "result_with_stdout_stderr" diff --git a/tests/acceptance/01_vars/02_functions/execresult_stderr.cf b/tests/acceptance/01_vars/02_functions/execresult_stderr.cf index 42a3675a26..d006607268 100644 --- a/tests/acceptance/01_vars/02_functions/execresult_stderr.cf +++ b/tests/acceptance/01_vars/02_functions/execresult_stderr.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3103" } string => "Test that execresult captures both stdout and stderr"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "result_with_stdout_stderr" diff --git a/tests/acceptance/01_vars/02_functions/findfiles.cf b/tests/acceptance/01_vars/02_functions/findfiles.cf index 585f34aba1..749caf0864 100644 --- a/tests/acceptance/01_vars/02_functions/findfiles.cf +++ b/tests/acceptance/01_vars/02_functions/findfiles.cf @@ -41,7 +41,7 @@ bundle agent test { meta: "test_suppress_fail" string => "windows", - meta => { "redmine4730" }; + meta => { "redmine4730,ENT-2145" }; vars: "patterns[a]" string => "$(G.testdir)/?"; diff --git a/tests/acceptance/01_vars/02_functions/findfiles_up.cf b/tests/acceptance/01_vars/02_functions/findfiles_up.cf index 269b8a3e04..c89b8dc18d 100755 --- a/tests/acceptance/01_vars/02_functions/findfiles_up.cf +++ b/tests/acceptance/01_vars/02_functions/findfiles_up.cf @@ -78,6 +78,8 @@ bundle agent test meta: "description" -> { "CFE-3577" } string => "Test for expected results from policy function search_up"; + "test_skip_needs_work" string => "windows", + meta => { "ENT-10250" }; methods: "Test 0" diff --git a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf index 01e0561ec1..27342861ab 100644 --- a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf +++ b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_array.cf @@ -37,10 +37,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "!any", - meta => { "redmine7116" }; - vars: "values_data_1" slist => getindices("init.data[bar]"); "values_data_2" slist => getindices("init.data[zebra][lion]"); diff --git a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf index 677b5a2d35..6fc8f93606 100644 --- a/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf +++ b/tests/acceptance/01_vars/02_functions/getindices_returns_expected_list_from_datacontainer.cf @@ -30,10 +30,6 @@ bundle agent init bundle agent test { - meta: - "test_soft_fail" string => "!any", - meta => { "redmine7116" }; - vars: # expected: one, two "values_data" slist => getindices("init.data[bar]"); diff --git a/tests/acceptance/01_vars/02_functions/getuserinfo.cf b/tests/acceptance/01_vars/02_functions/getuserinfo.cf index 36c1d55308..829610105e 100644 --- a/tests/acceptance/01_vars/02_functions/getuserinfo.cf +++ b/tests/acceptance/01_vars/02_functions/getuserinfo.cf @@ -13,6 +13,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: # this is pretty much all we can test across platforms "info_root" string => nth(getuserinfo("root"), "username"); diff --git a/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf b/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf index 86db569bcb..cdcc1fe67a 100644 --- a/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf +++ b/tests/acceptance/01_vars/02_functions/nth_datacontainer.cf @@ -25,7 +25,6 @@ bundle agent init bundle common test_common { vars: - "data" data => readjson("$(this.promise_filename).json", "100k"); "datastr" string => format("%S", data); diff --git a/tests/acceptance/01_vars/02_functions/readdata.cf b/tests/acceptance/01_vars/02_functions/readdata.cf index 588d2369b9..0485a19ea7 100644 --- a/tests/acceptance/01_vars/02_functions/readdata.cf +++ b/tests/acceptance/01_vars/02_functions/readdata.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10252" }; + vars: "explicit_csv" data => readdata("$(this.promise_filename).csv", "CSV"); "explicit_env" data => readdata("$(this.promise_filename).env", "ENV"); diff --git a/tests/acceptance/01_vars/02_functions/shuffle-exact.cf b/tests/acceptance/01_vars/02_functions/shuffle-exact.cf index a2c9b921b2..bc54c104f2 100644 --- a/tests/acceptance/01_vars/02_functions/shuffle-exact.cf +++ b/tests/acceptance/01_vars/02_functions/shuffle-exact.cf @@ -32,8 +32,8 @@ bundle agent test # for some reason, shuffle() produces different results on 64bit RHEL 4 # and Debian 4 than everywhere else "test_soft_fail" - string => "(centos_4|centos_5|debian_4).64_bit", - meta => { "CFE-2301" }; + string => "((centos_4|centos_5|debian_4).64_bit)|windows", + meta => { "CFE-2301,ENT-10254" }; vars: "lists" slist => { "a", "b" }; "seeds" slist => { "skruf", "cormorant", "dollhouse" }; diff --git a/tests/acceptance/01_vars/02_functions/sort.cf b/tests/acceptance/01_vars/02_functions/sort.cf index ebf2e48339..ae10bb3c4b 100644 --- a/tests/acceptance/01_vars/02_functions/sort.cf +++ b/tests/acceptance/01_vars/02_functions/sort.cf @@ -61,8 +61,10 @@ bundle agent init bundle agent test { meta: - "test_soft_fail" string => "hpux|sunos_5_9|windows", + "test_soft_fail" string => "hpux|sunos_5_9", meta => { "redmine4934", "redmine5107" }; + "test_flakey_fail" string => "windows", + meta => { "ENT-10254" }; vars: diff --git a/tests/acceptance/01_vars/02_functions/strftime.cf b/tests/acceptance/01_vars/02_functions/strftime.cf index e4ec61da24..0beb211a2e 100644 --- a/tests/acceptance/01_vars/02_functions/strftime.cf +++ b/tests/acceptance/01_vars/02_functions/strftime.cf @@ -50,6 +50,10 @@ bundle edit_line init_insert bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10253" }; + vars: "vals" slist => { strftime('gmtime', '%F %T', 100000000), diff --git a/tests/acceptance/01_vars/02_functions/url_get_local.cf b/tests/acceptance/01_vars/02_functions/url_get_local.cf index 9c2dcb2ae1..907c00bffe 100644 --- a/tests/acceptance/01_vars/02_functions/url_get_local.cf +++ b/tests/acceptance/01_vars/02_functions/url_get_local.cf @@ -33,6 +33,8 @@ bundle agent test { meta: "test_skip_unsupported" string => "!feature_curl"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "kept" data => mergedata( diff --git a/tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf b/tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf new file mode 100644 index 0000000000..e1f6686f0e --- /dev/null +++ b/tests/acceptance/01_vars/02_functions/validjson_trailing_bogus_data.cf @@ -0,0 +1,56 @@ +############################################################################## +# +# Test validjson() evaluates to !any:: when there is trailing bogus data after +# termination for JSON object. +# +############################################################################## + +body common control +{ + bundlesequence => { "test", "check" }; + version => "1.0"; +} + +############################################################################## + +bundle agent test +{ + meta: + "description" -> { "CFE-4080" } + string => "Test validjson() with trailing bogus data"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; +} + +############################################################################## + +bundle agent check +{ + classes: + "ok" + and => { + not(validjson('""a')), + validjson('""'), + not(validjson('{}b')), + validjson('{}'), + not(validjson('[]c')), + not(validjson('{}}')), + not(validjson('{"d": "e"}}')), + not(validjson('[]]')), + not(validjson('[[]]]')), + not(validjson('[[[]]]]')), + not(validjson(' []]')), + not(validjson('"some": [ "json" ] }')), + not(validjson('{ "some": [ "json" ] } [')), + not(validjson('["some", "json"]!')), + not(validjson(' ["some", "json"]a')), + not(validjson('["some", "json"] {"foo": "var"} ')), + validjson('{"test": [1, 2, 3]}'), + }; + + reports: + ok:: + "$(this.promise_filename) Pass"; + !ok:: + "$(this.promise_filename) FAIL"; +} diff --git a/tests/acceptance/01_vars/04_containers/execresult_and_as_data.cf b/tests/acceptance/01_vars/04_containers/execresult_and_as_data.cf new file mode 100644 index 0000000000..8404a26236 --- /dev/null +++ b/tests/acceptance/01_vars/04_containers/execresult_and_as_data.cf @@ -0,0 +1,41 @@ +####################################################### +# +# Test the ability to call the same command with execresult and execresult_as_data +# +####################################################### + +body common control +{ + inputs => { "../../default.cf.sub" }; + bundlesequence => { default("$(this.promise_filename)") }; + version => "1.0"; +} + +####################################################### + + +bundle agent init +{ +} + +####################################################### + +bundle agent test +{ + vars: + !windows:: + "res1" string => execresult("echo test", "useshell"); + "res2" data => execresult_as_data("echo test", "useshell", "stdout"); + windows:: + "res1" string => execresult("echo test", "powershell"); + "res2" data => execresult_as_data("echo test", "powershell", "stdout"); +} + + +####################################################### + +bundle agent check +{ + methods: + "any" usebundle => dcs_check_strcmp("${test.res1}", "${test.res2[output]}", "$(this.promise_filename)", "no"); +} diff --git a/tests/acceptance/01_vars/04_containers/iterate_over_data_container_with_nulls.cf b/tests/acceptance/01_vars/04_containers/iterate_over_data_container_with_nulls.cf index 5b6bdec183..795bd02e1e 100644 --- a/tests/acceptance/01_vars/04_containers/iterate_over_data_container_with_nulls.cf +++ b/tests/acceptance/01_vars/04_containers/iterate_over_data_container_with_nulls.cf @@ -7,6 +7,9 @@ body common control bundle agent init { + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected" -> { "ENT-10433" }; files: "$(G.testdir)/actual.txt" diff --git a/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_dynamic.cf b/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_dynamic.cf index ed2a131f78..f910fa561f 100644 --- a/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_dynamic.cf +++ b/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_dynamic.cf @@ -31,6 +31,10 @@ bundle agent init vars: "autorun" slist => bundlesmatching(".*", "autorun"); + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected" -> { "ENT-10433" }; + files: "$(G.testfile)" edit_line => empty; diff --git a/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_static.cf b/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_static.cf index 8f4bd66d61..b60b96afbb 100644 --- a/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_static.cf +++ b/tests/acceptance/01_vars/04_containers/multiple_cmerge_variable_static.cf @@ -12,6 +12,10 @@ bundle agent init vars: "autorun" slist => bundlesmatching(".*", "autorun"); + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected" -> { "ENT-10433" }; + files: "$(G.testfile)" edit_line => empty; diff --git a/tests/acceptance/01_vars/04_containers/pass_variable_container.cf b/tests/acceptance/01_vars/04_containers/pass_variable_container.cf index fd55182721..40727d8a3f 100644 --- a/tests/acceptance/01_vars/04_containers/pass_variable_container.cf +++ b/tests/acceptance/01_vars/04_containers/pass_variable_container.cf @@ -18,6 +18,10 @@ bundle agent init meta: "tags" slist => { "find" }; + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected" -> { "ENT-10433" }; + vars: # We want to be sure we can reference this data subsequently "d" data => parsejson( '{ diff --git a/tests/acceptance/01_vars/04_containers/pass_variable_container_index.cf b/tests/acceptance/01_vars/04_containers/pass_variable_container_index.cf index cd9f642688..35bfe052ca 100644 --- a/tests/acceptance/01_vars/04_containers/pass_variable_container_index.cf +++ b/tests/acceptance/01_vars/04_containers/pass_variable_container_index.cf @@ -17,6 +17,10 @@ bundle agent init { meta: "tags" slist => { "find" }; + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected" -> { "ENT-10433" }; + } bundle agent test diff --git a/tests/acceptance/01_vars/deep_delayed_expansion/main.cf b/tests/acceptance/01_vars/deep_delayed_expansion/main.cf index 3f134b4c31..86f99bcbe2 100644 --- a/tests/acceptance/01_vars/deep_delayed_expansion/main.cf +++ b/tests/acceptance/01_vars/deep_delayed_expansion/main.cf @@ -8,6 +8,8 @@ bundle agent test { meta: "description" string => "Test that variables containing other variales are de-referenced"; + "test_soft_fail" string => "windows", + meta => { "ENT-10256" }; } bundle agent check diff --git a/tests/acceptance/02_classes/01_basic/variable_class_expressions_with_if.cf b/tests/acceptance/02_classes/01_basic/variable_class_expressions_with_if.cf index 6015526242..d22cc90389 100644 --- a/tests/acceptance/02_classes/01_basic/variable_class_expressions_with_if.cf +++ b/tests/acceptance/02_classes/01_basic/variable_class_expressions_with_if.cf @@ -71,7 +71,7 @@ bundle agent test commands: - "/bin/true" + "$(G.true)" handle => "delay", comment => "This is a benign promise that is used to delay detection of failure classes until after normal order begins."; diff --git a/tests/acceptance/02_classes/02_functions/classesmatching_inherit.cf b/tests/acceptance/02_classes/02_functions/classesmatching_inherit.cf new file mode 100644 index 0000000000..add7db3e85 --- /dev/null +++ b/tests/acceptance/02_classes/02_functions/classesmatching_inherit.cf @@ -0,0 +1,38 @@ +bundle agent __main__ +{ + classes: + "defined_in_parent" expression => "cfengine"; + + methods: + "ENT-5850" + usebundle => ENT_5850, + inherit => "true"; +} + +bundle agent ENT_5850 +{ + vars: + "c_matching" + slist => classesmatching(".*"); + "c_matching_defined_in_parent" + slist => classesmatching("defined_in_parent"); + + classes: + "defined_here" expression => "cfengine"; + + reports: + "$(this.promise_filename) Pass" + if => some( "defined_in_parent", c_matching); + + "$(this.promise_filename) FAIL $(this.promise_filename)$(const.n)Could not find class 'defined_in_parent' in classesmatching() but it's defined" + if => and( not( some( "defined_in_parent", c_matching) ), + defined_in_parent + ); + + "Classes found by classesmatching() starting with 'defined' $(with)" + with => join( ", ", classesmatching("defined.*") ); + + "'defined_here' is defined" if => "defined_here"; + "'defined_in_parent' is defined" if => "defined_in_parent"; + "Running CFEngine: $(sys.cf_version)"; +} diff --git a/tests/acceptance/02_classes/02_functions/classesmatching_inherit_2.cf b/tests/acceptance/02_classes/02_functions/classesmatching_inherit_2.cf new file mode 100644 index 0000000000..a493934021 --- /dev/null +++ b/tests/acceptance/02_classes/02_functions/classesmatching_inherit_2.cf @@ -0,0 +1,65 @@ +bundle agent common +{ + vars: + "logfile" string => "$(this.promise_dirname)$(const.dirsep)defined_classes.log"; +} + +bundle agent __main__ +{ + classes: "defined_in_main"; + methods: + "init"; + "first" inherit => "true"; + "check"; +} + +bundle agent init +{ + files: + "$(common.logfile)" + delete => tidy; +} + +bundle agent first +{ + classes: "defined_in_first"; + methods: "second" inherit => "true"; +} + +bundle agent second +{ + classes: "defined_in_second"; + methods: "third" inherit => "true"; +} + +bundle agent third +{ + vars: + "defined_classes" slist => classesmatching("defined.*"); + + reports: + "defined_classes: $(defined_classes)" + report_to_file => "$(common.logfile)"; +} + +bundle agent check +{ + vars: + "expected" string => concat("defined_classes: defined_in_main$(const.n)", + "defined_classes: defined_in_first$(const.n)", + "defined_classes: defined_in_second$(const.n)"); + "actual" string => readfile("$(common.logfile)", inf); + + reports: + "$(this.promise_filename) Pass" + if => strcmp($(expected), $(actual)); + + "$(this.promise_filename) FAIL" + if => not(strcmp($(expected), $(actual))); +} + +body delete tidy +{ + dirlinks => "delete"; + rmdirs => "true"; +} diff --git a/tests/acceptance/02_classes/03_os/powershell.cf b/tests/acceptance/02_classes/03_os/powershell.cf index be2c89d6d7..9599a3b818 100644 --- a/tests/acceptance/02_classes/03_os/powershell.cf +++ b/tests/acceptance/02_classes/03_os/powershell.cf @@ -23,6 +23,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; vars: "dummy" string => "dummy"; } diff --git a/tests/acceptance/05_processes/01_matching/inverse_ttime_inverse_found.cf b/tests/acceptance/05_processes/01_matching/inverse_ttime_inverse_found.cf index f7896b9e47..49a79b08c0 100644 --- a/tests/acceptance/05_processes/01_matching/inverse_ttime_inverse_found.cf +++ b/tests/acceptance/05_processes/01_matching/inverse_ttime_inverse_found.cf @@ -25,9 +25,6 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4747" }; - "test_flakey_fail" string => "aix_7_1", meta => { "CFE-3313" }; diff --git a/tests/acceptance/05_processes/01_matching/owner.cf b/tests/acceptance/05_processes/01_matching/owner.cf index 7ea23b8123..c0b842c747 100644 --- a/tests/acceptance/05_processes/01_matching/owner.cf +++ b/tests/acceptance/05_processes/01_matching/owner.cf @@ -24,6 +24,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; + vars: "ok_list" slist => { "pass_root_1", "pass_root_2", "pass_nouser_3", "pass_nouser_4", diff --git a/tests/acceptance/05_processes/01_matching/process_select_fncalls.cf b/tests/acceptance/05_processes/01_matching/process_select_fncalls.cf index b1dc7c9697..6815f2028c 100644 --- a/tests/acceptance/05_processes/01_matching/process_select_fncalls.cf +++ b/tests/acceptance/05_processes/01_matching/process_select_fncalls.cf @@ -12,6 +12,9 @@ bundle agent test meta: "description" -> { "CFE-1968" } string => "Test that process_select body can have (failing) function calls"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; + vars: "canonified_uid" string => canonify(getuid("nosuchuser")); diff --git a/tests/acceptance/05_processes/01_matching/timed/stime.cf b/tests/acceptance/05_processes/01_matching/timed/stime.cf index fb6e3bd741..e1d0af8854 100644 --- a/tests/acceptance/05_processes/01_matching/timed/stime.cf +++ b/tests/acceptance/05_processes/01_matching/timed/stime.cf @@ -12,6 +12,8 @@ bundle agent init # Adding the test case revealed that these platforms do not work, but we # don't know why. "test_skip_needs_work" string => "solaris|hpux"; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; vars: # Random, but unique string for this test case. diff --git a/tests/acceptance/05_processes/process_stop.cf b/tests/acceptance/05_processes/process_stop.cf index 9094a44d48..b4935cbd01 100644 --- a/tests/acceptance/05_processes/process_stop.cf +++ b/tests/acceptance/05_processes/process_stop.cf @@ -9,6 +9,8 @@ bundle agent test meta: "description" -> { "ENT-4988" } string => "Test some basic expectations when using process_stop in processes type promises"; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; processes: diff --git a/tests/acceptance/07_packages/001.cf b/tests/acceptance/07_packages/001.cf index b35e0228d3..a0a1e55c04 100644 --- a/tests/acceptance/07_packages/001.cf +++ b/tests/acceptance/07_packages/001.cf @@ -39,6 +39,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; "version" string => "1.0i"; diff --git a/tests/acceptance/07_packages/002.cf b/tests/acceptance/07_packages/002.cf index 3b6cc4fd54..983f5eb156 100644 --- a/tests/acceptance/07_packages/002.cf +++ b/tests/acceptance/07_packages/002.cf @@ -39,6 +39,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; "version" string => "1.0i"; diff --git a/tests/acceptance/07_packages/003.cf b/tests/acceptance/07_packages/003.cf index c8cd82da4f..1497178bdb 100644 --- a/tests/acceptance/07_packages/003.cf +++ b/tests/acceptance/07_packages/003.cf @@ -39,6 +39,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; diff --git a/tests/acceptance/07_packages/004.cf b/tests/acceptance/07_packages/004.cf index 31adeeb8b9..4baf261f30 100644 --- a/tests/acceptance/07_packages/004.cf +++ b/tests/acceptance/07_packages/004.cf @@ -41,6 +41,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; diff --git a/tests/acceptance/07_packages/005.cf b/tests/acceptance/07_packages/005.cf index 48720bab52..9147b167d2 100644 --- a/tests/acceptance/07_packages/005.cf +++ b/tests/acceptance/07_packages/005.cf @@ -41,6 +41,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; diff --git a/tests/acceptance/07_packages/006.cf b/tests/acceptance/07_packages/006.cf index fc86899025..8d171f03fc 100644 --- a/tests/acceptance/07_packages/006.cf +++ b/tests/acceptance/07_packages/006.cf @@ -41,6 +41,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "name" string => "imagisoft"; diff --git a/tests/acceptance/07_packages/default_package_module.cf b/tests/acceptance/07_packages/default_package_module.cf new file mode 100644 index 0000000000..d06e1382ce --- /dev/null +++ b/tests/acceptance/07_packages/default_package_module.cf @@ -0,0 +1,48 @@ +# Based on 07_package/package_module_path.cf + +body common control +{ + inputs => { "../default.cf.sub" }; + bundlesequence => { default("$(this.promise_filename)") }; + package_module => test_module; # important! part of this specific test +} + +bundle agent init +{ + files: + "$(sys.workdir)/modules/packages/." + create => "true"; + "$(sys.workdir)/modules/packages/test_module_script.sh" + copy_from => local_cp("$(this.promise_filename).module"), + perms => m("ugo+x"); +} + +body package_module test_module +{ + query_installed_ifelapsed => "60"; + query_updates_ifelapsed => "14400"; + default_options => { "$(G.testfile)" }; + module_path => "$(sys.workdir)/modules/packages/test_module_script.sh"; +} + +bundle agent test +{ + meta: + "description" + string => "Test that a package with no attributes uses a configured common control package_module", + meta => { "CFE-4408" }; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; + + packages: + "first_pkg"; + "second_pkg"; +} + +bundle agent check +{ + methods: + "any" usebundle => dcs_check_diff($(G.testfile), + "$(this.promise_filename).expected", + $(this.promise_filename)); +} diff --git a/tests/acceptance/07_packages/default_package_module.cf.expected b/tests/acceptance/07_packages/default_package_module.cf.expected new file mode 100644 index 0000000000..835519d05b --- /dev/null +++ b/tests/acceptance/07_packages/default_package_module.cf.expected @@ -0,0 +1,6 @@ +Name=first_pkg +Version=1.0 +Architecture=generic +Name=second_pkg +Version=1.0 +Architecture=generic diff --git a/tests/acceptance/07_packages/default_package_module.cf.module b/tests/acceptance/07_packages/default_package_module.cf.module new file mode 100644 index 0000000000..4d185fe7f6 --- /dev/null +++ b/tests/acceptance/07_packages/default_package_module.cf.module @@ -0,0 +1,69 @@ +#!/bin/sh + +set -e + +remove_prefix() +{ + echo "$1" | sed "s/$2//" +} + +case "$1" in + supports-api-version) + echo 1 + ;; + get-package-data) + while read line; do + case "$line" in + File=*) + echo PackageType=repo + echo Name=`remove_prefix "${line}" "File="` + ;; + *) + true + ;; + esac + done + ;; + list-installed) + while read line; do + case "$line" in + options=*) + OUTPUT=`remove_prefix "${line}" "options="` + ;; + *) + exit 1 + ;; + esac + done + if [ -f "$OUTPUT" ]; then + cat "$OUTPUT" + fi + ;; + list-*) + # Drain input. + cat > /dev/null + ;; + repo-install) + while read line; do + case "$line" in + options=*) + OUTPUT=`remove_prefix "${line}" "options="` + ;; + Name=*) + NAME=`remove_prefix "${line}" "Name="` + ;; + *) + exit 1 + ;; + esac + done + echo "Name=$NAME" >> "$OUTPUT" + echo "Version=1.0" >> "$OUTPUT" + echo "Architecture=generic" >> "$OUTPUT" + ;; + *) + exit 1 + ;; +esac + +exit 0 diff --git a/tests/acceptance/07_packages/package_module_interpreter.cf b/tests/acceptance/07_packages/package_module_interpreter.cf index 64b80a68a9..86ef4c5259 100644 --- a/tests/acceptance/07_packages/package_module_interpreter.cf +++ b/tests/acceptance/07_packages/package_module_interpreter.cf @@ -20,7 +20,7 @@ body package_module test_module query_installed_ifelapsed => "60"; query_updates_ifelapsed => "14400"; default_options => { "$(G.testfile)" }; - interpreter => "/bin/sh"; # NOTE: no hashbang in the test_module script + interpreter => "$(G.sh)"; # /bin/sh; NOTE: no hashbang in the test_module script } bundle agent test @@ -29,6 +29,8 @@ bundle agent test "description" string => "Test that the interpreter for the package module script can be set", meta => { "CFE-2880" }; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; packages: "first_pkg" diff --git a/tests/acceptance/07_packages/package_module_path.cf b/tests/acceptance/07_packages/package_module_path.cf index 7b5e082c83..7590bd64fb 100644 --- a/tests/acceptance/07_packages/package_module_path.cf +++ b/tests/acceptance/07_packages/package_module_path.cf @@ -30,6 +30,8 @@ bundle agent test "description" string => "Test that the interpreter for the package module script can be set", meta => { "CFE-2880" }; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; packages: "first_pkg" diff --git a/tests/acceptance/07_packages/packages_command.cf b/tests/acceptance/07_packages/packages_command.cf new file mode 100644 index 0000000000..4bece4865f --- /dev/null +++ b/tests/acceptance/07_packages/packages_command.cf @@ -0,0 +1,92 @@ +####################################################### +# +# See ticket ENT-13536 for info +# +####################################################### + +body common control +{ + inputs => { "../default.cf.sub" }; + bundlesequence => { "G", "g", default("$(this.promise_filename)") }; + version => "1.0"; + cache_system_functions => "false"; +} + +body package_method mock +{ + package_changes => "individual"; + package_list_command => "$(g.pm) --list-installed"; + + package_list_name_regex => "^[^:]*"; + package_list_version_regex => ":(?<=:).*(?=:)"; + package_list_arch_regex => "[^:]\w+$"; + package_installed_regex => "^[^:]*"; + + package_add_command => "$(g.pm) --add "; + package_update_command => "$(g.pm) --update "; + package_delete_command => "$(g.pm) --delete "; + package_verify_command => "$(g.pm) --verify "; +} + +bundle common g +{ + classes: + "mpm_declared" not => strcmp(getenv("MOCK_PACKAGE_MANAGER", "65535"), ""); + + vars: + mpm_declared:: + "pm" string => getenv("MOCK_PACKAGE_MANAGER", "65535"); + + !mpm_declared:: + "pm" string => "$(G.mock_package_manager)"; +} + +####################################################### + +bundle agent init +{ + commands: + "$(g.pm) --clear-installed"; + "$(g.pm) --clear-available"; + "$(g.pm) --populate-available imagisoft:1.0i:teapot"; + + files: + "$(G.testfile)" + delete => tidy; +} + +####################################################### + +bundle agent test +{ + meta: + "test_skip_unsupported" string => "windows", + meta => { "ENT-10215" }; + + vars: + "name" string => "imagisoft"; + "version" string => "1.0i"; + "arch" string => "teapot"; + + packages: + "imagisoft; echo 'Hello CFEngine' > '$(G.testfile)';" + package_policy => "add", + package_method => mock; +} + +####################################################### + +bundle agent check +{ + reports: + "$(this.promise_filename) $(with)" + with => ifelse(fileexists("$(G.testfile)"), "FAIL", "Pass"); +} + +####################################################### + +bundle agent clean +{ + methods: + "init"; +} diff --git a/tests/acceptance/07_packages/repositories.cf b/tests/acceptance/07_packages/repositories.cf index 0691813510..13f6802c12 100644 --- a/tests/acceptance/07_packages/repositories.cf +++ b/tests/acceptance/07_packages/repositories.cf @@ -15,16 +15,18 @@ bundle agent init # Due to shell rules, windows includes certain characters on certain commands, # while Unix does not. windows:: + "single_quote" string => "'"; "q" string => '"'; "s" string => ' '; !windows:: + "single_quote" string => ''; "q" string => ''; "s" string => ''; methods: "make" usebundle => file_make("$(G.testfile).expected", " -$(s)filerepo DELETE delete-exact-version-2.2.3.i386.rpm +$(s)filerepo DELETE $(single_quote)delete-exact-version-2.2.3.i386.rpm$(single_quote) $(s)filerepo ADD $(q)$(G.cwd)$(d).$(d)07_packages$(d)test_repository$(d)install-greaterthan-version-2.2.3.i386.rpm$(q) $(s)filerepo ADD $(q)$(G.cwd)$(d).$(d)07_packages$(d)test_repository$(d)install-greaterorequal-version-2.2.3.i386.rpm$(q) $(s)filerepo ADD $(q)$(G.cwd)$(d).$(d)07_packages$(d)test_repository$(d)install-lessthan-version-2.2.3.i386.rpm$(q) diff --git a/tests/acceptance/08_commands/01_modules/long-module-lines.cf b/tests/acceptance/08_commands/01_modules/long-module-lines.cf index f6e523d157..b0535649a3 100644 --- a/tests/acceptance/08_commands/01_modules/long-module-lines.cf +++ b/tests/acceptance/08_commands/01_modules/long-module-lines.cf @@ -26,8 +26,8 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", - meta => { "redmine1884" }; + "test_soft_fail" string => "windows", + meta => { "ENT-1623" }; commands: "$(init.script_name)" module => "true"; diff --git a/tests/acceptance/08_commands/01_modules/module-array-allows-at.cf b/tests/acceptance/08_commands/01_modules/module-array-allows-at.cf index 88cad6a819..d3fa859c39 100644 --- a/tests/acceptance/08_commands/01_modules/module-array-allows-at.cf +++ b/tests/acceptance/08_commands/01_modules/module-array-allows-at.cf @@ -10,6 +10,8 @@ bundle agent test meta: "description" -> { "CFE-3099" } string => "Test that arrays defined by modules can contain @ just like classic arrays."; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; commands: diff --git a/tests/acceptance/08_commands/01_modules/module-array-allows-slash.cf b/tests/acceptance/08_commands/01_modules/module-array-allows-slash.cf index 2c3283b369..dfe1a565ed 100644 --- a/tests/acceptance/08_commands/01_modules/module-array-allows-slash.cf +++ b/tests/acceptance/08_commands/01_modules/module-array-allows-slash.cf @@ -10,6 +10,8 @@ bundle agent test meta: "description" -> { "CFE-2768" } string => "Test that arrays defined by modules can contain slashes just like classic arrays."; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; commands: diff --git a/tests/acceptance/08_commands/01_modules/module-array-indexing.cf b/tests/acceptance/08_commands/01_modules/module-array-indexing.cf index 7af352dc1e..9082c2e564 100644 --- a/tests/acceptance/08_commands/01_modules/module-array-indexing.cf +++ b/tests/acceptance/08_commands/01_modules/module-array-indexing.cf @@ -14,9 +14,6 @@ body common control bundle agent test { - meta: - "test_suppress_fail" string => "windows"; - commands: "$(G.cat) $(this.promise_filename).txt" module => "true"; diff --git a/tests/acceptance/08_commands/01_modules/module_file_test.cf b/tests/acceptance/08_commands/01_modules/module_file_test.cf index 955f868a1c..958dd7868e 100644 --- a/tests/acceptance/08_commands/01_modules/module_file_test.cf +++ b/tests/acceptance/08_commands/01_modules/module_file_test.cf @@ -26,6 +26,8 @@ bundle agent test meta: "description" string => "Test module file protocol"; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; commands: any:: diff --git a/tests/acceptance/08_commands/01_modules/set-persistent-class.cf b/tests/acceptance/08_commands/01_modules/set-persistent-class.cf index e3c5b0b0fe..07de575b34 100644 --- a/tests/acceptance/08_commands/01_modules/set-persistent-class.cf +++ b/tests/acceptance/08_commands/01_modules/set-persistent-class.cf @@ -12,6 +12,13 @@ body common control version => "1.0"; } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/08_commands/01_modules/set-tags.cf b/tests/acceptance/08_commands/01_modules/set-tags.cf index 73e474dc9a..530c1c84d4 100644 --- a/tests/acceptance/08_commands/01_modules/set-tags.cf +++ b/tests/acceptance/08_commands/01_modules/set-tags.cf @@ -24,6 +24,9 @@ bundle common init bundle agent test { + meta: + "test_flakey_fail" string => "windows", + meta => { "ENT-10257" }; commands: "$(G.cat) $(init.script_name)" contain => in_shell, @@ -62,10 +65,10 @@ bundle agent check "jtags2" string => join(",", "tags2"); "jtags3" string => join(",", "tags3"); - "etags0" string => "xyz,abc=def,,??what is this??,source=module"; - "etags1" string => "xyz,abc=def,,??what is this??,source=module"; - "etags2" string => "1,2,3,source=module"; - "etags3" string => "a,b,c,source=module"; + "etags0" string => "xyz,abc=def,,\?\?what is this\?\?,source=module,derived_from=.*"; + "etags1" string => "xyz,abc=def,,\?\?what is this\?\?,source=module,derived_from=.*"; + "etags2" string => "1,2,3,source=module,derived_from=.*"; + "etags3" string => "a,b,c,source=module,derived_from=.*"; classes: @@ -76,10 +79,10 @@ bundle agent check "var3ok" expression => strcmp("${this.joined3}" , "${this.actual3}"); "var4ok" expression => strcmp("hello there" , "${xyz.myvar}"); - "tags0ok" expression => strcmp($(jtags0), $(etags0)); - "tags1ok" expression => strcmp($(jtags1), $(etags1)); - "tags2ok" expression => strcmp($(jtags2), $(etags2)); - "tags3ok" expression => strcmp($(jtags3), $(etags3)); + "tags0ok" expression => regcmp($(etags0), $(jtags0)); + "tags1ok" expression => regcmp($(etags1), $(jtags1)); + "tags2ok" expression => regcmp($(etags2), $(jtags2)); + "tags3ok" expression => regcmp($(etags3), $(jtags3)); "ok" and => { "myclass", "var0ok", "var1ok", "var2ok", "var3ok", "var4ok", "tags0ok", "tags1ok", "tags2ok", "tags3ok", }; @@ -88,15 +91,15 @@ bundle agent check DEBUG:: "xyzvars = $(xyzvars)"; - "tags0ok => strcmp('$(jtags0)', '$(etags0)')" if => "tags0ok"; - "tags1ok => strcmp('$(jtags1)', '$(etags1)')" if => "tags1ok"; - "tags2ok => strcmp('$(jtags2)', '$(etags2)')" if => "tags2ok"; - "tags3ok => strcmp('$(jtags3)', '$(etags3)')" if => "tags3ok"; + "tags0ok => regcmp('$(etags0)', '$(jtags0)')" if => "tags0ok"; + "tags1ok => regcmp('$(etags1)', '$(jtags1)')" if => "tags1ok"; + "tags2ok => regcmp('$(etags2)', '$(jtags2)')" if => "tags2ok"; + "tags3ok => regcmp('$(etags3)', '$(jtags3)')" if => "tags3ok"; - "tags0 NOT ok => strcmp('$(jtags0)', '$(etags0)')" if => "!tags0ok"; - "tags1 NOT ok => strcmp('$(jtags1)', '$(etags1)')" if => "!tags1ok"; - "tags2 NOT ok => strcmp('$(jtags2)', '$(etags2)')" if => "!tags2ok"; - "tags3 NOT ok => strcmp('$(jtags3)', '$(etags3)')" if => "!tags3ok"; + "tags0 NOT ok => regcmp('$(etags0)', '$(jtags0)')" if => "!tags0ok"; + "tags1 NOT ok => regcmp('$(etags1)', '$(jtags1)')" if => "!tags1ok"; + "tags2 NOT ok => regcmp('$(etags2)', '$(jtags2)')" if => "!tags2ok"; + "tags3 NOT ok => regcmp('$(etags3)', '$(jtags3)')" if => "!tags3ok"; ok:: "$(this.promise_filename) Pass"; diff --git a/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf b/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf index 4b7b931d01..79746b5d24 100644 --- a/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf +++ b/tests/acceptance/08_commands/01_modules/vars-from-module-have-source-and-derived_from-tags.cf @@ -11,14 +11,11 @@ bundle agent test "description" -> { "ENT-7725" } string => "Test that vars defined by modules without explicit tags still have automatic tags identifying the source"; - "test_skip_unsupported" + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }, comment => "The subtest policy uses /bin/echo"; - "test_soft_fail" - string => "any", - meta => { "ENT-7725" }; - commands: "/bin/echo" args => "=my_var_from_module= my val from module", @@ -34,12 +31,12 @@ bundle agent check reports: # Every variable should have a source=SOMETHING tag - "Pass $(this.promise_filename)" + "$(this.promise_filename) Pass" if => and( reglist( @(my_var_from_module_tags), "source=.*" ), reglist( @(my_var_from_module_tags), "derived_from=.*" ) ); - "FAIL $(this.promise_filename)" + "$(this.promise_filename) FAIL" unless => and( reglist( @(my_var_from_module_tags), "source=.*" ), reglist( @(my_var_from_module_tags), "derived_from=.*" ) diff --git a/tests/acceptance/08_commands/02_syntax/arglist.cf b/tests/acceptance/08_commands/02_syntax/arglist.cf index 0417377bea..7ac630f5fb 100644 --- a/tests/acceptance/08_commands/02_syntax/arglist.cf +++ b/tests/acceptance/08_commands/02_syntax/arglist.cf @@ -15,6 +15,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; commands: "$(G.echo)" arglist => { "=abc=2'3\"4" }, module => "true"; # this will generate the command `echo =def=567 =ghi=8'9"a` diff --git a/tests/acceptance/08_commands/03_shells/shelltypes.cf b/tests/acceptance/08_commands/03_shells/shelltypes.cf index 28ef5f2187..2e5f28255a 100644 --- a/tests/acceptance/08_commands/03_shells/shelltypes.cf +++ b/tests/acceptance/08_commands/03_shells/shelltypes.cf @@ -34,6 +34,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; classes: "$(init.shelltypes)" expression => regcmp(".*(Succeeded|Powershell is only supported on Windows).*", execresult("$(sys.cf_agent) -D $(init.shelltypes) -Kf $(init.origtestdir)$(const.dirsep)tryshell.cf.sub", "noshell")); diff --git a/tests/acceptance/09_services/custom.cf b/tests/acceptance/09_services/custom.cf index dce6d60fe1..0830031e72 100644 --- a/tests/acceptance/09_services/custom.cf +++ b/tests/acceptance/09_services/custom.cf @@ -24,7 +24,7 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "CFE-2402" }; services: diff --git a/tests/acceptance/09_services/disable.cf b/tests/acceptance/09_services/disable.cf index a717a6e106..ad8d97aa1d 100644 --- a/tests/acceptance/09_services/disable.cf +++ b/tests/acceptance/09_services/disable.cf @@ -24,7 +24,7 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "CFE-2402" }; services: diff --git a/tests/acceptance/09_services/enable.cf b/tests/acceptance/09_services/enable.cf index 1a3424539f..86445a1963 100644 --- a/tests/acceptance/09_services/enable.cf +++ b/tests/acceptance/09_services/enable.cf @@ -24,7 +24,7 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", + "test_soft_fail" string => "windows", meta => { "CFE-2402" }; services: diff --git a/tests/acceptance/09_services/outcomes.cf b/tests/acceptance/09_services/outcomes.cf index 5ae95e23ef..fca336d67a 100644 --- a/tests/acceptance/09_services/outcomes.cf +++ b/tests/acceptance/09_services/outcomes.cf @@ -6,6 +6,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-2161" }; + vars: "services" slist => { "single" }; "policies" slist => { "enable", "disable", "start", "stop", "restart", "reload", "custom" }; diff --git a/tests/acceptance/09_services/reload.cf b/tests/acceptance/09_services/reload.cf index 968ddb764e..058b011fa8 100644 --- a/tests/acceptance/09_services/reload.cf +++ b/tests/acceptance/09_services/reload.cf @@ -24,8 +24,8 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4772" }; + "test_soft_fail" string => "windows", + meta => { "redmine4772,ENT-2161" }; services: "myservice" diff --git a/tests/acceptance/09_services/restart.cf b/tests/acceptance/09_services/restart.cf index c479139d96..167557cd91 100644 --- a/tests/acceptance/09_services/restart.cf +++ b/tests/acceptance/09_services/restart.cf @@ -24,8 +24,8 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4772" }; + "test_soft_fail" string => "windows", + meta => { "redmine4772,ENT-2161" }; services: "myservice" diff --git a/tests/acceptance/09_services/service_cannot_be_resolved.cf b/tests/acceptance/09_services/service_cannot_be_resolved.cf index 0e3a4b5573..48161dd1d9 100644 --- a/tests/acceptance/09_services/service_cannot_be_resolved.cf +++ b/tests/acceptance/09_services/service_cannot_be_resolved.cf @@ -20,8 +20,8 @@ bundle agent init bundle common test { meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4772" }; + "test_soft_fail" string => "windows", + meta => { "redmine4772,ENT-2161" }; classes: "resolution_warning" expression => returnszero("$(command) Service | $(G.grep) 'cannot be resolved' 2>&1", "useshell"); diff --git a/tests/acceptance/09_services/standard_services-from-non-default-namespace.cf b/tests/acceptance/09_services/standard_services-from-non-default-namespace.cf index 49708a868a..015b0a2ced 100644 --- a/tests/acceptance/09_services/standard_services-from-non-default-namespace.cf +++ b/tests/acceptance/09_services/standard_services-from-non-default-namespace.cf @@ -13,6 +13,9 @@ bundle agent test "description" -> { "ENT-5406" } string => "Test that standard_services can be used from non-default namespace"; + "test_soft_fail" string => "windows", + meta => { "ENT-2161" }; + methods: "Test" usebundle => ENT_5406:ns_test; } diff --git a/tests/acceptance/09_services/start.cf b/tests/acceptance/09_services/start.cf index 8b9df08b53..9a9d9b7b86 100644 --- a/tests/acceptance/09_services/start.cf +++ b/tests/acceptance/09_services/start.cf @@ -24,8 +24,8 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4772" }; + "test_soft_fail" string => "windows", + meta => { "redmine4772,ENT-2161" }; services: "myservice" diff --git a/tests/acceptance/09_services/stop.cf b/tests/acceptance/09_services/stop.cf index 8b3608fa3d..212be2b2ff 100644 --- a/tests/acceptance/09_services/stop.cf +++ b/tests/acceptance/09_services/stop.cf @@ -24,8 +24,8 @@ bundle agent init bundle agent test { meta: - "test_suppress_fail" string => "windows", - meta => { "redmine4772" }; + "test_soft_fail" string => "windows", + meta => { "redmine4772,ENT-2161" }; services: "myservice" diff --git a/tests/acceptance/10_files/01_create/cfengine_create_by_default.cf b/tests/acceptance/10_files/01_create/cfengine_create_by_default.cf index d1c57eca62..7c0ac6e174 100644 --- a/tests/acceptance/10_files/01_create/cfengine_create_by_default.cf +++ b/tests/acceptance/10_files/01_create/cfengine_create_by_default.cf @@ -48,6 +48,9 @@ bundle agent test "description" -> { "CFE-3955" } string => "template_method cfengine creates promiser by default"; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: # File should be created by default and rendered with content "$(G.testfile).test_1" diff --git a/tests/acceptance/10_files/01_create/perms-mode.cf b/tests/acceptance/10_files/01_create/perms-mode.cf index 5cd6205cfa..d86cdb8594 100644 --- a/tests/acceptance/10_files/01_create/perms-mode.cf +++ b/tests/acceptance/10_files/01_create/perms-mode.cf @@ -15,6 +15,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + vars: freebsd|solaris:: "modes" slist => { "1", "333", "100", "200", "777", "o=x", "ugo=wx", "u=x", "u=w", "ugo=rwx" }; diff --git a/tests/acceptance/10_files/02_maintain/016.cf b/tests/acceptance/10_files/02_maintain/016.cf index 2c8c6ee3bf..3bacebe06d 100644 --- a/tests/acceptance/10_files/02_maintain/016.cf +++ b/tests/acceptance/10_files/02_maintain/016.cf @@ -35,6 +35,10 @@ body contain shell bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: "$(G.testdir)/destfile" copy_from => cp_2_file("$(G.testdir)/afile"); diff --git a/tests/acceptance/10_files/02_maintain/changes_depth_search.cf b/tests/acceptance/10_files/02_maintain/changes_depth_search.cf index 99d4724057..61de4fcd03 100644 --- a/tests/acceptance/10_files/02_maintain/changes_depth_search.cf +++ b/tests/acceptance/10_files/02_maintain/changes_depth_search.cf @@ -89,6 +89,10 @@ subfile.same,N,New file found"); bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + commands: "$(sys.cf_agent) -Dpass1 -Kf $(this.promise_filename).sub"; "$(sys.cf_agent) -Dpass2 -Kf $(this.promise_filename).sub"; diff --git a/tests/acceptance/10_files/02_maintain/changes_depth_search_last_file.cf b/tests/acceptance/10_files/02_maintain/changes_depth_search_last_file.cf index 3ffb4f8e6e..02b7b474ba 100644 --- a/tests/acceptance/10_files/02_maintain/changes_depth_search_last_file.cf +++ b/tests/acceptance/10_files/02_maintain/changes_depth_search_last_file.cf @@ -27,6 +27,10 @@ file,R,File removed"); bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + commands: "$(sys.cf_agent) -Dpass1 -Kf $(this.promise_filename).sub"; "$(sys.cf_agent) -Dpass2 -Kf $(this.promise_filename).sub"; diff --git a/tests/acceptance/10_files/02_maintain/changes_update_hashes.cf b/tests/acceptance/10_files/02_maintain/changes_update_hashes.cf index 574c5e2cd7..a2f9479a79 100644 --- a/tests/acceptance/10_files/02_maintain/changes_update_hashes.cf +++ b/tests/acceptance/10_files/02_maintain/changes_update_hashes.cf @@ -35,6 +35,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + files: "$(G.testfile).update.updated" edit_line => insert_text; diff --git a/tests/acceptance/10_files/02_maintain/fifos.cf b/tests/acceptance/10_files/02_maintain/fifos.cf index 7b47bd07e4..7e1fe09ab1 100644 --- a/tests/acceptance/10_files/02_maintain/fifos.cf +++ b/tests/acceptance/10_files/02_maintain/fifos.cf @@ -10,9 +10,6 @@ body common control bundle agent init { - meta: - "test_skip_unsupported" string => "!has_mkfifo"; - vars: "test_fifo" string => "$(G.testfile).fifo"; @@ -22,6 +19,9 @@ bundle agent init bundle agent test { + meta: + "test_skip_unsupported" string => "!has_mkfifo|windows"; + files: "$(init.test_fifo)" create => "false", diff --git a/tests/acceptance/10_files/04_match/match_scope.cf b/tests/acceptance/10_files/04_match/match_scope.cf index 146c979c03..5ce45b60fc 100644 --- a/tests/acceptance/10_files/04_match/match_scope.cf +++ b/tests/acceptance/10_files/04_match/match_scope.cf @@ -31,6 +31,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + vars: "foo" string => "foo"; diff --git a/tests/acceptance/10_files/08_field_edits/file_content.cf b/tests/acceptance/10_files/08_field_edits/file_content.cf index 592d23bb80..8f2e9f5978 100644 --- a/tests/acceptance/10_files/08_field_edits/file_content.cf +++ b/tests/acceptance/10_files/08_field_edits/file_content.cf @@ -44,6 +44,10 @@ body edit_defaults init_empty bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + files: "$(G.testfile).actual.singleline" create => "true", diff --git a/tests/acceptance/10_files/09_insert_lines/block_insert_duplicate.cf b/tests/acceptance/10_files/09_insert_lines/block_insert_duplicate.cf index 25630e880d..7187a58b34 100644 --- a/tests/acceptance/10_files/09_insert_lines/block_insert_duplicate.cf +++ b/tests/acceptance/10_files/09_insert_lines/block_insert_duplicate.cf @@ -43,6 +43,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + files: "$(G.testfile).actual" create => "true", diff --git a/tests/acceptance/10_files/09_insert_lines/crlf-in-cftemplate.cf b/tests/acceptance/10_files/09_insert_lines/crlf-in-cftemplate.cf index 681cdecb5c..2df2c6c3a3 100644 --- a/tests/acceptance/10_files/09_insert_lines/crlf-in-cftemplate.cf +++ b/tests/acceptance/10_files/09_insert_lines/crlf-in-cftemplate.cf @@ -39,6 +39,10 @@ body copy_from copy_file(file) bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: "$(G.testdir)/$(init.filelist)" edit_template => "$(init.datadir)/$(init.filelist).cftemplate", diff --git a/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line-insert-file.cf b/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line-insert-file.cf index df014570d6..33b35afad4 100644 --- a/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line-insert-file.cf +++ b/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line-insert-file.cf @@ -39,6 +39,10 @@ body copy_from copy_file(file) bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: "$(G.testdir)/$(init.filelist)" edit_line => insert_line; diff --git a/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line.cf b/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line.cf index ba5f8d13a4..4981106520 100644 --- a/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line.cf +++ b/tests/acceptance/10_files/09_insert_lines/crlf-in-edit_line.cf @@ -39,6 +39,10 @@ body copy_from copy_file(file) bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: "$(G.testdir)/$(init.filelist)" edit_line => insert_line; diff --git a/tests/acceptance/10_files/09_insert_lines/crlf-in-mustache.cf b/tests/acceptance/10_files/09_insert_lines/crlf-in-mustache.cf index f3a94ab560..cd00b69c5e 100644 --- a/tests/acceptance/10_files/09_insert_lines/crlf-in-mustache.cf +++ b/tests/acceptance/10_files/09_insert_lines/crlf-in-mustache.cf @@ -39,6 +39,10 @@ body copy_from copy_file(file) bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: "$(G.testdir)/$(init.filelist)" edit_template => "$(init.datadir)/$(init.filelist).mustache", diff --git a/tests/acceptance/10_files/10_links/owner-mismatch-link-and-target.cf b/tests/acceptance/10_files/10_links/owner-mismatch-link-and-target.cf index 5625a4b7c4..1202fab036 100755 --- a/tests/acceptance/10_files/10_links/owner-mismatch-link-and-target.cf +++ b/tests/acceptance/10_files/10_links/owner-mismatch-link-and-target.cf @@ -28,13 +28,7 @@ bundle agent test "description" -> { "CFE-3116" } string => "Test that promising ownership of symlinks is not confused by target"; - "test_soft_fail" - string => "any", - meta => { "CFE-3116" }; - - # this test isn't super comprehensive, once the issue is fixed, it will - # need to be skipped on various platforms, at least windows. - # "test_skip_unsupported" string => "windows"; + "test_skip_unsupported" string => "windows"; files: "/tmp/symlink" diff --git a/tests/acceptance/10_files/11_xml_edits/CFE-3806.cf b/tests/acceptance/10_files/11_xml_edits/CFE-3806.cf index 4e5946f94a..0c1ea77478 100644 --- a/tests/acceptance/10_files/11_xml_edits/CFE-3806.cf +++ b/tests/acceptance/10_files/11_xml_edits/CFE-3806.cf @@ -29,10 +29,6 @@ bundle agent test "description" -> { "CFE-3806" } string => "Test that trailing newline on insert_tree promisers do not remove ending tag for select_xpath"; - "test_soft_fail" - string => "any", - meta => { "CFE-3860" }; - files: "$(G.testfile)-1.xml" diff --git a/tests/acceptance/10_files/11_xml_edits/build_xpath_001.cf b/tests/acceptance/10_files/11_xml_edits/build_xpath_001.cf index 3c39ccdc77..f66a8468c8 100644 --- a/tests/acceptance/10_files/11_xml_edits/build_xpath_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/build_xpath_001.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "xpath" string => "/Server/Service/Engine/Host[ @name=\"cfe_host\" | Alias = cfe_alias ]"; diff --git a/tests/acceptance/10_files/11_xml_edits/build_xpath_002.cf b/tests/acceptance/10_files/11_xml_edits/build_xpath_002.cf index c3a935e7bb..c16317aaa1 100644 --- a/tests/acceptance/10_files/11_xml_edits/build_xpath_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/build_xpath_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "xpath" string => "/Server/Service/Engine/Host[ Alias = cfe_alias | @name=\"cfe_host\" ]"; diff --git a/tests/acceptance/10_files/11_xml_edits/build_xpath_003.cf b/tests/acceptance/10_files/11_xml_edits/build_xpath_003.cf index d4388c2085..9f4e653f15 100644 --- a/tests/acceptance/10_files/11_xml_edits/build_xpath_003.cf +++ b/tests/acceptance/10_files/11_xml_edits/build_xpath_003.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "xpath" string => "/Server/Service/Engine/OneFish/TwoFish/RedFish/BlueFish/Host[ Alias = cfe_alias | @name=\"cfe_host\" ]"; diff --git a/tests/acceptance/10_files/11_xml_edits/delete_attribute_001.cf b/tests/acceptance/10_files/11_xml_edits/delete_attribute_001.cf index 263420a8ce..ee4d2742e3 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_attribute_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_attribute_001.cf @@ -61,6 +61,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "attribute_name" string => "topping"; diff --git a/tests/acceptance/10_files/11_xml_edits/delete_attribute_002.cf b/tests/acceptance/10_files/11_xml_edits/delete_attribute_002.cf index 11d0db2b92..e40fec30ff 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_attribute_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_attribute_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "attribute_name" string => "type"; diff --git a/tests/acceptance/10_files/11_xml_edits/delete_text_001.cf b/tests/acceptance/10_files/11_xml_edits/delete_text_001.cf index 566a8bbf58..3c57480ff4 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_text_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_text_001.cf @@ -59,6 +59,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Hot Potatoes!!!"; diff --git a/tests/acceptance/10_files/11_xml_edits/delete_text_002.cf b/tests/acceptance/10_files/11_xml_edits/delete_text_002.cf index c24b79fcfd..e6bb71b1d8 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_text_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_text_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Nemo"; diff --git a/tests/acceptance/10_files/11_xml_edits/delete_tree_001.cf b/tests/acceptance/10_files/11_xml_edits/delete_tree_001.cf index daef9a93b4..7d219b608f 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_tree_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_tree_001.cf @@ -78,6 +78,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "tree" string => " diff --git a/tests/acceptance/10_files/11_xml_edits/delete_tree_002.cf b/tests/acceptance/10_files/11_xml_edits/delete_tree_002.cf index df413c0711..e677aba6c7 100644 --- a/tests/acceptance/10_files/11_xml_edits/delete_tree_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/delete_tree_002.cf @@ -52,6 +52,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "tree" string => " "windows", + meta => { "ENT-10215" }; + vars: "host" string => " "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Hot Potatoes!!!"; diff --git a/tests/acceptance/10_files/11_xml_edits/insert_text_002.cf b/tests/acceptance/10_files/11_xml_edits/insert_text_002.cf index 5cd86d4c77..655bab0658 100644 --- a/tests/acceptance/10_files/11_xml_edits/insert_text_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/insert_text_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Nemo"; diff --git a/tests/acceptance/10_files/11_xml_edits/insert_tree_001.cf b/tests/acceptance/10_files/11_xml_edits/insert_tree_001.cf index 2fca31c18c..8c71f3b706 100644 --- a/tests/acceptance/10_files/11_xml_edits/insert_tree_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/insert_tree_001.cf @@ -78,6 +78,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "tree" string => " diff --git a/tests/acceptance/10_files/11_xml_edits/insert_tree_003.cf b/tests/acceptance/10_files/11_xml_edits/insert_tree_003.cf index 9ea96177af..f80f8cb340 100644 --- a/tests/acceptance/10_files/11_xml_edits/insert_tree_003.cf +++ b/tests/acceptance/10_files/11_xml_edits/insert_tree_003.cf @@ -52,6 +52,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "content" string => " "windows", + meta => { "ENT-10215" }; + vars: "attribute_name" string => "topping"; diff --git a/tests/acceptance/10_files/11_xml_edits/set_attribute_002.cf b/tests/acceptance/10_files/11_xml_edits/set_attribute_002.cf index ca92b33833..2c0347fcec 100644 --- a/tests/acceptance/10_files/11_xml_edits/set_attribute_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/set_attribute_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "attribute_name" string => "type"; diff --git a/tests/acceptance/10_files/11_xml_edits/set_attribute_003.cf b/tests/acceptance/10_files/11_xml_edits/set_attribute_003.cf index c25ba69d10..14b342a244 100644 --- a/tests/acceptance/10_files/11_xml_edits/set_attribute_003.cf +++ b/tests/acceptance/10_files/11_xml_edits/set_attribute_003.cf @@ -61,6 +61,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "attribute_name" string => "topping"; diff --git a/tests/acceptance/10_files/11_xml_edits/set_text_001.cf b/tests/acceptance/10_files/11_xml_edits/set_text_001.cf index 139e748c69..6f9ac85802 100644 --- a/tests/acceptance/10_files/11_xml_edits/set_text_001.cf +++ b/tests/acceptance/10_files/11_xml_edits/set_text_001.cf @@ -60,6 +60,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Hot Potatoes!!!"; diff --git a/tests/acceptance/10_files/11_xml_edits/set_text_002.cf b/tests/acceptance/10_files/11_xml_edits/set_text_002.cf index f75c6d2954..291ecb9c1f 100644 --- a/tests/acceptance/10_files/11_xml_edits/set_text_002.cf +++ b/tests/acceptance/10_files/11_xml_edits/set_text_002.cf @@ -47,6 +47,10 @@ body edit_defaults init_empty ####################################################### bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + vars: "text" string => "Nemo"; diff --git a/tests/acceptance/10_files/FIM/monitoring_symlinks_does_not_constantly_report_change.cf b/tests/acceptance/10_files/FIM/monitoring_symlinks_does_not_constantly_report_change.cf index dde6fe9a95..fe1b5d5cd0 100644 --- a/tests/acceptance/10_files/FIM/monitoring_symlinks_does_not_constantly_report_change.cf +++ b/tests/acceptance/10_files/FIM/monitoring_symlinks_does_not_constantly_report_change.cf @@ -25,7 +25,7 @@ bundle agent test test there"; "test_soft_fail" - string => "any", + string => "!windows", meta => { "redmine7692" }; } diff --git a/tests/acceptance/10_files/copy_from_preserve_false.cf b/tests/acceptance/10_files/copy_from_preserve_false.cf index 5b30fbbe71..70a7375919 100644 --- a/tests/acceptance/10_files/copy_from_preserve_false.cf +++ b/tests/acceptance/10_files/copy_from_preserve_false.cf @@ -38,6 +38,9 @@ bundle agent test string => "Test that preserve false in body copy_from doesn't modify permissions of the promised file"; + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + files: # We promise that the target is a copy of the source file Since preserve diff --git a/tests/acceptance/10_files/files_with_spaces.cf b/tests/acceptance/10_files/files_with_spaces.cf index 93db9c2592..01124151da 100644 --- a/tests/acceptance/10_files/files_with_spaces.cf +++ b/tests/acceptance/10_files/files_with_spaces.cf @@ -21,10 +21,6 @@ bundle agent test "description" string => "Test that file paths with spaces can be created without special treatment"; - "test_soft_fail" - string => "windows", - meta => { "redmine7934" }; - vars: "file[1]" string => "file with space.txt"; "file[2]" string => "path with/a space.txt"; diff --git a/tests/acceptance/10_files/move_obstructions-promiser-is-symlink.cf b/tests/acceptance/10_files/move_obstructions-promiser-is-symlink.cf new file mode 100644 index 0000000000..8e07372895 --- /dev/null +++ b/tests/acceptance/10_files/move_obstructions-promiser-is-symlink.cf @@ -0,0 +1,206 @@ + +############################################################################## +# +# Test that move_obstructions works consistently for various types of files +# promises targeting a specific file where the promiser is a symlink +# - copy_from +# +############################################################################## + +body file control +{ + inputs => { "../default.cf.sub" }; +} + +############################################################################## +bundle agent __main__ +{ + methods: + "init"; + "test"; + "check"; + "cleanup"; +} + +bundle agent cleanup +{ + vars: + "potential_files_to_delete" + slist => { + # The files we tested + "@(init.test_files)", + "$(init.orig_ln_target_filename)", + # .cfsaved files get created as copy_from replaces files + maplist( "$(this).cfsaved", @(init.test_files) ), + # The special case source file to copy from + maplist( "$(this).source", @(init.test_files) ), + }; + + files: + "$(potential_files_to_delete)" + delete => tidy, + if => fileexists( "$(this.promiser)" ); +} + +bundle agent init +{ + vars: + # Create test files that will serve as obstructions + "test_files" slist => { + "$(G.testdir)/copy_from", + "$(G.testdir)/content", + "$(G.testdir)/edit_template_string_inline_mustache", + "$(G.testdir)/edit_template_cfengine", + "$(G.testdir)/edit_template_mustache", + #"$(G.testdir)/edit_line", + }; + + "orig_ln_target_filename" + string => "$(G.testdir)/orig_ln_target"; + + "orig_ln_target_content" + string => "This content originally lived in a symlink target"; + + files: + # Here we initialize a file which will be a symlinks target + "$(orig_ln_target_filename)" + create => "true", + content => "$(orig_ln_target_content)"; + + # Here we have a symlink that we will be targeting with a content files promise + "$(test_files)" + create => "true", + move_obstructions => "true", + link_from => ln_s( "$(G.testdir)/orig_ln_target" ); + + reports: + DEBUG:: + "$(test_files) initalized" + if => and( fileexists( "$(test_files)" ), + islink( $(test_files) ) ); +} + +body link_from ln_s(x) +{ + link_type => "symlink"; + source => "$(x)"; + when_no_source => "force"; +} +############################################################################## + +bundle agent test +{ + meta: + "description" + string => concat( + "Test move_obstructions with content, edit_template,", + " and edit_template_string" + ); + + files: + # Test move_obstructions with copy_from + # This isn't in init because it's specific to copy_from needing to have a source file. + "$(G.testdir)/copy_from.source" + content => "$(check.expected_content)", + if => fileexists( "$(G.testdir)/copy_from" ); + + "$(G.testdir)/copy_from" + move_obstructions => "true", + copy_from => local_dcp("$(G.testdir)/copy_from.source"), + if => fileexists( "$(this.promiser)" ); + + "$(G.testdir)/edit_template_cfengine" + move_obstructions => "true", + template_method => "cfengine", + edit_template => "$(G.testdir)/copy_from.source", + if => fileexists( "$(this.promiser)" ); + + "$(G.testdir)/edit_template_mustache" + move_obstructions => "true", + template_method => "mustache", + edit_template => "$(G.testdir)/copy_from.source", + if => fileexists( "$(this.promiser)" ); + + # Test move_obstructions with content attribute + "$(G.testdir)/content" + move_obstructions => "true", + content => "$(check.expected_content)", + if => fileexists( "$(this.promiser)" ); + + # Test move_obstructions with template_method inline_mustache + "$(G.testdir)/edit_template_string_inline_mustache" + move_obstructions => "true", + template_method => "inline_mustache", + edit_template_string => "$(check.expected_content)", + if => fileexists( "$(this.promiser)" ); + + # # Test move_obstructions with edit_line + # "$(G.testdir)/edit_line" + # move_obstructions => "true", + # edit_line => insert_lines("$(check.expected_content)"), + # if => fileexists( "$(this.promiser)" ); + +} + +############################################################################## + +bundle agent check +{ + vars: + "expected_content" string => "This is content promised targeting a symlink."; + "num_test_files" int => length( @(init.test_files) ); + + # We check the promised: + # - for each test file + # - content + # - type + + "num_expected_test_ok_classes" + int => int( eval( "$(num_test_files)*2", math, infix) ); + + classes: + "DEBUG" expression => "any"; + "all_test_files_exist" + expression => filesexist( @(init.test_files) ); + + all_test_files_exist:: + # Once we verified that all the test files exist we can check all the expectations + + # These class strings will be canonified as classes, they are tagged for easy identification + + "$(init.test_files) type as expected" + meta => { "test_ok_class" }, + if => isplain( "$(init.test_files)" ); + + "$(init.test_files) content as expected" + meta => { "test_ok_class" }, + if => strcmp( readfile("$(init.test_files)"), + "$(expected_content)"); + + "overall_success" + expression => strcmp( length( classesmatching( ".*", "test_ok_class" ) ), + "$(num_expected_test_ok_classes)" ); + + reports: + !all_test_files_exist:: + "The test does not appear to have been initialized, the expected test files are missing $(with)" + with => concat( "(", join( ",", @(init.test_files) ), ")" ); + + DEBUG:: + + "Number of test files: $(num_test_files)"; + + "Number of expected test ok classes to pass: $(num_expected_test_ok_classes)"; + + "$(with) test_ok_classes:" + with => length( classesmatching( ".*", "test_ok_class" ) ); + + "$(with)" + with => join( "$(const.n)", classesmatching( ".*", "test_ok_class" ) ); + + overall_success:: + "$(this.promise_filename) Pass"; + + !overall_success:: + "$(this.promise_filename) FAIL"; +} diff --git a/tests/acceptance/10_files/templating/edit_template_string/mustache_edit_template_string_vs_string_mustache.cf b/tests/acceptance/10_files/templating/edit_template_string/mustache_edit_template_string_vs_string_mustache.cf index 3b5ddaa88c..510a706865 100644 --- a/tests/acceptance/10_files/templating/edit_template_string/mustache_edit_template_string_vs_string_mustache.cf +++ b/tests/acceptance/10_files/templating/edit_template_string/mustache_edit_template_string_vs_string_mustache.cf @@ -22,6 +22,9 @@ bundle agent test string => "Test that there is no difference when rendering the same mustache template with edit_template and edit_template_string"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + vars: "pghbadirectives" data => '[ diff --git a/tests/acceptance/10_files/templating/mustache_expect_list_find_string.cf b/tests/acceptance/10_files/templating/mustache_expect_list_find_string.cf index fc7a8701f7..69e115abb8 100644 --- a/tests/acceptance/10_files/templating/mustache_expect_list_find_string.cf +++ b/tests/acceptance/10_files/templating/mustache_expect_list_find_string.cf @@ -48,6 +48,10 @@ bundle agent init_filestat(n, f) bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; + methods: "mustache good" usebundle => file_mustache_jsonstring($(template), '{"mykeys": ["template expects list of strings"]}', diff --git a/tests/acceptance/10_files/this_promiser.cf b/tests/acceptance/10_files/this_promiser.cf index 5b3e62253a..c56ebc84ae 100644 --- a/tests/acceptance/10_files/this_promiser.cf +++ b/tests/acceptance/10_files/this_promiser.cf @@ -55,6 +55,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10257" }; commands: "$(G.true)" classes => promiser0_generic; @@ -154,7 +157,7 @@ body file_select by_exec_cmd # Redmine #3530 { leaf_name => {"ba"}; - exec_program => "/bin/ls $(this.promiser)"; + exec_program => "$(G.ls) $(this.promiser)"; file_result => "leaf_name.exec_program"; } diff --git a/tests/acceptance/14_reports/00_output/report_printfile_from_bot.cf b/tests/acceptance/14_reports/00_output/report_printfile_from_bot.cf index 4956118b88..7f140f924a 100644 --- a/tests/acceptance/14_reports/00_output/report_printfile_from_bot.cf +++ b/tests/acceptance/14_reports/00_output/report_printfile_from_bot.cf @@ -22,6 +22,8 @@ bundle agent check classes: "passed" expression => strcmp("$(test.expected)", "$(test.actual)"); reports: + windows:: + "$(this.promise_filename) SFAIL/ENT-10433"; DEBUG:: "Expected: '$(test.expected)'"; "Found: '$(test.actual)'"; diff --git a/tests/acceptance/14_reports/00_output/report_printfile_from_top.cf b/tests/acceptance/14_reports/00_output/report_printfile_from_top.cf index 66a9ec34f3..f0c0c3adf0 100644 --- a/tests/acceptance/14_reports/00_output/report_printfile_from_top.cf +++ b/tests/acceptance/14_reports/00_output/report_printfile_from_top.cf @@ -22,6 +22,8 @@ bundle agent check classes: "passed" expression => strcmp("$(test.expected)", "$(test.actual)"); reports: + windows:: + "$(this.promise_filename) SFAIL/ENT-10433"; DEBUG:: "Expected: '$(test.expected)'"; "Found: '$(test.actual)'"; diff --git a/tests/acceptance/14_reports/00_output/unresolved_vars.cf b/tests/acceptance/14_reports/00_output/unresolved_vars.cf index 6cd0ede62b..475b773ac4 100644 --- a/tests/acceptance/14_reports/00_output/unresolved_vars.cf +++ b/tests/acceptance/14_reports/00_output/unresolved_vars.cf @@ -34,6 +34,9 @@ bundle agent test "description" -> { "CFE-3776" } string => "Test that reports with unresolved variables are only emitted during the last pass of evaluation"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + commands: "$(sys.cf_agent) -Kf $(this.promise_filename).sub > $(G.testfile).actual" contain => shell; diff --git a/tests/acceptance/14_reports/00_output/unresolved_with.cf b/tests/acceptance/14_reports/00_output/unresolved_with.cf index 6965f5e9df..ba6ff0480b 100644 --- a/tests/acceptance/14_reports/00_output/unresolved_with.cf +++ b/tests/acceptance/14_reports/00_output/unresolved_with.cf @@ -26,6 +26,9 @@ bundle agent test "description" -> { "CFE-3776" } string => "Test that with reports its content during the last pass even when that content has unresolved variables "; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; + commands: "$(sys.cf_agent) -Kf $(this.promise_filename).sub > $(G.testfile).actual" contain => shell; diff --git a/tests/acceptance/16_cf-serverd/serial/007.cf b/tests/acceptance/16_cf-serverd/serial/007.cf index b9d298dc7f..1e8a9090d2 100644 --- a/tests/acceptance/16_cf-serverd/serial/007.cf +++ b/tests/acceptance/16_cf-serverd/serial/007.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/008.cf b/tests/acceptance/16_cf-serverd/serial/008.cf index b9d298dc7f..1e8a9090d2 100644 --- a/tests/acceptance/16_cf-serverd/serial/008.cf +++ b/tests/acceptance/16_cf-serverd/serial/008.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/010.cf b/tests/acceptance/16_cf-serverd/serial/010.cf index b9d298dc7f..1e8a9090d2 100644 --- a/tests/acceptance/16_cf-serverd/serial/010.cf +++ b/tests/acceptance/16_cf-serverd/serial/010.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/011.cf b/tests/acceptance/16_cf-serverd/serial/011.cf index b9d298dc7f..1e8a9090d2 100644 --- a/tests/acceptance/16_cf-serverd/serial/011.cf +++ b/tests/acceptance/16_cf-serverd/serial/011.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_ciphers_success.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_ciphers_success.cf index 21678b3bde..9585f5cbd1 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_ciphers_success.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_ciphers_success.cf @@ -7,6 +7,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different.cf index 7ae9a7c2ee..9882be5491 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: "any" usebundle => file_make("$(G.testdir)/source_file", "Source and Destination are DIFFERENT_A"); diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip.cf index 1c5c42b703..f327f6ca7f 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: "any" usebundle => file_make("$(G.testdir)/127.0.0.1.txt", "Source and Destination are different_A"); diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip_and_shortcut.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip_and_shortcut.cf index 731721978b..f327f6ca7f 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip_and_shortcut.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_ip_and_shortcut.cf @@ -8,6 +8,9 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; methods: "any" usebundle => file_make("$(G.testdir)/127.0.0.1.txt", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_shortcut.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_shortcut.cf index 1c504c8422..139a1e35ba 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_shortcut.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_digest_different_expand_shortcut.cf @@ -7,6 +7,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_encrypted_md5_zero_length_file.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_encrypted_md5_zero_length_file.cf index 5e2d54e74b..b99eaa6243 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_encrypted_md5_zero_length_file.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_encrypted_md5_zero_length_file.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_empty("$(G.testdir)/source_file"); diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_expand_ip_directory.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_expand_ip_directory.cf index f43712bf14..c79ff63c7e 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_expand_ip_directory.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_expand_ip_directory.cf @@ -15,6 +15,10 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: "any" usebundle => file_make("$(G.testdir)/127.0.0.1_DIR1/ADMIT_FILE", "ADMIT_FILE A CONTENTS"); diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed-classic_protocol.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed-classic_protocol.cf index a600670708..f3e45f0131 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed-classic_protocol.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed-classic_protocol.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed.cf index a600670708..f3e45f0131 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_inexistent_file_connection_closed.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_md5_zero_length_file.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_md5_zero_length_file.cf index 5e2d54e74b..b99eaa6243 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_md5_zero_length_file.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_md5_zero_length_file.cf @@ -8,6 +8,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_empty("$(G.testdir)/source_file"); diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_fail.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_fail.cf index 33473895eb..f580826488 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_fail.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_fail.cf @@ -13,6 +13,9 @@ bundle agent test "description" -> {"ENT-4617"} string => "Test that requiring TLS 1.3 works fine"; + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_success.cf b/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_success.cf index aa41db3bae..867d21ad96 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_success.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_from_tls_1_3_success.cf @@ -13,6 +13,8 @@ bundle agent test "description" -> {"ENT-4617"} string => "Test that CFEngine connections over TLS 1.3 work fine"; + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; methods: # source file "any" usebundle => file_make("$(G.testdir)/source_file", diff --git a/tests/acceptance/16_cf-serverd/serial/copy_missing_ok.cf b/tests/acceptance/16_cf-serverd/serial/copy_missing_ok.cf index 4cd3aac5c6..9ae428b473 100644 --- a/tests/acceptance/16_cf-serverd/serial/copy_missing_ok.cf +++ b/tests/acceptance/16_cf-serverd/serial/copy_missing_ok.cf @@ -7,6 +7,10 @@ body common control bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10401" }; + methods: # ensure destination files are not there "any" usebundle => dcs_fini("$(G.testdir)/dir"); diff --git a/tests/acceptance/16_cf-serverd/serial/simple_copy_from_admit_localhost.cf b/tests/acceptance/16_cf-serverd/serial/simple_copy_from_admit_localhost.cf index 19ab47de62..9dcb42bba0 100644 --- a/tests/acceptance/16_cf-serverd/serial/simple_copy_from_admit_localhost.cf +++ b/tests/acceptance/16_cf-serverd/serial/simple_copy_from_admit_localhost.cf @@ -17,7 +17,7 @@ bundle agent test # 'admit => { "localhost" };' and 'admit_hostnames => { "localhost" };' # are not enough to allow access for this test. # Test fails on SLES / OpenSUSE 15, pending investigation. - "test_skip_unsupported" string => "(ubuntu_20|ubuntu_22|sles_15|opensuse_leap_15)", + "test_skip_unsupported" string => "(ubuntu_20|ubuntu_22|debian_12|sles_15|opensuse_leap_15)", meta => { "ENT-2480", "ENT-7362", "ENT-9055" }; methods: diff --git a/tests/acceptance/16_cf-serverd/serial/simple_copy_from_deny_localhost.cf b/tests/acceptance/16_cf-serverd/serial/simple_copy_from_deny_localhost.cf index 89f117256a..6adaeadd97 100644 --- a/tests/acceptance/16_cf-serverd/serial/simple_copy_from_deny_localhost.cf +++ b/tests/acceptance/16_cf-serverd/serial/simple_copy_from_deny_localhost.cf @@ -17,7 +17,7 @@ bundle agent test # 'deny => { "localhost" };' and 'deny_hostnames => { "localhost" };' # are not enough to deny access for this test. # Test fails on SLES / OpenSUSE 15, pending investigation. - "test_skip_unsupported" string => "(ubuntu_20|ubuntu_22|sles_15|opensuse_leap_15)", + "test_skip_unsupported" string => "(ubuntu_20|ubuntu_22|debian_12|sles_15|opensuse_leap_15)", meta => { "ENT-2480", "ENT-7362", "ENT-9055" }; methods: diff --git a/tests/acceptance/17_users/unsafe/user_command.cf b/tests/acceptance/17_users/unsafe/user_command.cf new file mode 100644 index 0000000000..946f20ce35 --- /dev/null +++ b/tests/acceptance/17_users/unsafe/user_command.cf @@ -0,0 +1,61 @@ +############################################################################## +# +# See ticket ENT-13535 for info. +# +############################################################################## + +body common control +{ + bundlesequence => { "init", "test", "check", "clean" }; +} + +body delete tidy +{ + dirlinks => "delete"; + rmdirs => "true"; +} + +############################################################################## + +bundle agent init +{ + users: + "test_user" + policy => "absent"; + + files: + "/tmp/some-random-file.txt" + delete => tidy; +} + +############################################################################## + +bundle agent test +{ + meta: + "description" -> { "ENT-13535" } + string => "See ticket ENT-13535 for info"; + "test_skip_unsupported" + string => "windows", + comment => "Not applicable for Windows since it uses a C API"; + + users: + linux:: + "test_user; echo 'Hello CFEngine' > /tmp/some-random-file.txt" + policy => "present"; +} + +############################################################################## + +bundle agent check +{ + reports: + "$(this.promise_filename) $(with)" + with => ifelse(fileexists("/tmp/some-random-file.txt"), "FAIL", "Pass"); +} + +bundle agent clean +{ + methods: + "init"; +} diff --git a/tests/acceptance/21_methods/call_methods_using_array_expansion.cf b/tests/acceptance/21_methods/call_methods_using_array_expansion.cf index dbddadbaea..dfa945a782 100644 --- a/tests/acceptance/21_methods/call_methods_using_array_expansion.cf +++ b/tests/acceptance/21_methods/call_methods_using_array_expansion.cf @@ -13,6 +13,10 @@ body common control bundle agent init { + commands: + windows:: + "$(G.dos2unix) $(this.promise_filename).expected.txt" -> { "ENT-10433" }; + files: "$(G.testdir)/reports.txt" delete => tidy; diff --git a/tests/acceptance/22_cf-runagent/serial/bundles_all_allowed_regex_disallowed_admitted.cf b/tests/acceptance/22_cf-runagent/serial/bundles_all_allowed_regex_disallowed_admitted.cf index 8bc0b49463..84a92cb499 100644 --- a/tests/acceptance/22_cf-runagent/serial/bundles_all_allowed_regex_disallowed_admitted.cf +++ b/tests/acceptance/22_cf-runagent/serial/bundles_all_allowed_regex_disallowed_admitted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/cfruncommand_argv0_quoted.cf b/tests/acceptance/22_cf-runagent/serial/cfruncommand_argv0_quoted.cf index 4ffbb09f35..83901b0d19 100644 --- a/tests/acceptance/22_cf-runagent/serial/cfruncommand_argv0_quoted.cf +++ b/tests/acceptance/22_cf-runagent/serial/cfruncommand_argv0_quoted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/cfruncommand_open.cf b/tests/acceptance/22_cf-runagent/serial/cfruncommand_open.cf index 1abdc628e6..ea6acae5c3 100644 --- a/tests/acceptance/22_cf-runagent/serial/cfruncommand_open.cf +++ b/tests/acceptance/22_cf-runagent/serial/cfruncommand_open.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_admitted_1.cf index 6fe4422f51..66cc006c40 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_bundle2_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_bundle2_admitted_1.cf index c4f18222bb..d9f0ab8898 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_bundle2_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle1_bundle2_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle2_admitted.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle2_admitted.cf index eaa2daae37..421913028a 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle2_admitted.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-B_bundle2_admitted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_ns1_role2_-B_ns2_bundle2_admitted.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_ns1_role2_-B_ns2_bundle2_admitted.cf index 1c038f3575..9c2b39bf4d 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_ns1_role2_-B_ns2_bundle2_admitted.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_ns1_role2_-B_ns2_bundle2_admitted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1-B_bundle1_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1-B_bundle1_admitted_1.cf index 18de7a3704..cbaa462bcd 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1-B_bundle1_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1-B_bundle1_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_-D_role2_admitted.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_-D_role2_admitted.cf index c20bc3453d..2182a5ca01 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_-D_role2_admitted.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_-D_role2_admitted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_1.cf index 8ba30680a1..4f4fd72db2 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_2.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_2.cf index c01aeeecb5..0b0cb1f4f2 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_2.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_2.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_3.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_3.cf index 202358fd10..070d03b888 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_3.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_admitted_3.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_1.cf index 3cf9662b30..bd587cb715 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_2.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_2.cf index d64ea86453..3314a10f09 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_2.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role1_role2_admitted_2.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_-B_bundle2_admitted.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_-B_bundle2_admitted.cf index 3e372725c4..0cc93ef624 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_-B_bundle2_admitted.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_-B_bundle2_admitted.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_1.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_1.cf index 2d7ee1f0fc..e8ec9e91cf 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_1.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_1.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_2.cf b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_2.cf index 37f964e00c..6b9724740a 100644 --- a/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_2.cf +++ b/tests/acceptance/22_cf-runagent/serial/runagent_-D_role2_admitted_2.cf @@ -24,6 +24,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10404" }; vars: "runagent_cf" string => "$(this.promise_dirname)/empty_config.runagent.cf.sub"; diff --git a/tests/acceptance/24_cmd_line_arguments/parsed_policy.cf b/tests/acceptance/24_cmd_line_arguments/parsed_policy.cf index d74f7d8a80..d073ded8f5 100644 --- a/tests/acceptance/24_cmd_line_arguments/parsed_policy.cf +++ b/tests/acceptance/24_cmd_line_arguments/parsed_policy.cf @@ -21,6 +21,9 @@ bundle agent init bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; vars: "arg_list" slist => { "none", "cf", "json", "cf-full", "json-full" }; diff --git a/tests/acceptance/25_cf-execd/mail_1st_run_empty_new_log.cf b/tests/acceptance/25_cf-execd/mail_1st_run_empty_new_log.cf index 423ef8170e..accdd80788 100644 --- a/tests/acceptance/25_cf-execd/mail_1st_run_empty_new_log.cf +++ b/tests/acceptance/25_cf-execd/mail_1st_run_empty_new_log.cf @@ -28,6 +28,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { methods: diff --git a/tests/acceptance/25_cf-execd/mail_empty_old_and_new_log.cf b/tests/acceptance/25_cf-execd/mail_empty_old_and_new_log.cf index 9c48deb1ad..627a891db7 100644 --- a/tests/acceptance/25_cf-execd/mail_empty_old_and_new_log.cf +++ b/tests/acceptance/25_cf-execd/mail_empty_old_and_new_log.cf @@ -33,6 +33,13 @@ bundle agent init link_from => linkfrom("$(sys.workdir)/outputs/old.log", "symlink"); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { methods: diff --git a/tests/acceptance/25_cf-execd/mail_exclude_filter.cf b/tests/acceptance/25_cf-execd/mail_exclude_filter.cf index 41f35b3dee..62e868752d 100644 --- a/tests/acceptance/25_cf-execd/mail_exclude_filter.cf +++ b/tests/acceptance/25_cf-execd/mail_exclude_filter.cf @@ -25,6 +25,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/25_cf-execd/mail_include_and_exclude_filters.cf b/tests/acceptance/25_cf-execd/mail_include_and_exclude_filters.cf index 6023b6a474..26ecb478d3 100644 --- a/tests/acceptance/25_cf-execd/mail_include_and_exclude_filters.cf +++ b/tests/acceptance/25_cf-execd/mail_include_and_exclude_filters.cf @@ -34,6 +34,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/25_cf-execd/mail_include_filter.cf b/tests/acceptance/25_cf-execd/mail_include_filter.cf index b97e96c452..b5532d33da 100644 --- a/tests/acceptance/25_cf-execd/mail_include_filter.cf +++ b/tests/acceptance/25_cf-execd/mail_include_filter.cf @@ -25,6 +25,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/25_cf-execd/mail_no_filter.cf b/tests/acceptance/25_cf-execd/mail_no_filter.cf index 633e64f22d..c26b9bd775 100644 --- a/tests/acceptance/25_cf-execd/mail_no_filter.cf +++ b/tests/acceptance/25_cf-execd/mail_no_filter.cf @@ -22,6 +22,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { vars: diff --git a/tests/acceptance/25_cf-execd/mailfilter_1st_run_everything_filtered.cf b/tests/acceptance/25_cf-execd/mailfilter_1st_run_everything_filtered.cf index 346f8927fb..4dec4da34e 100644 --- a/tests/acceptance/25_cf-execd/mailfilter_1st_run_everything_filtered.cf +++ b/tests/acceptance/25_cf-execd/mailfilter_1st_run_everything_filtered.cf @@ -32,6 +32,13 @@ bundle agent init @(excludes)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { methods: diff --git a/tests/acceptance/25_cf-execd/mailfilter_empty_old_log_everything_filtered.cf b/tests/acceptance/25_cf-execd/mailfilter_empty_old_log_everything_filtered.cf index 8b19d6207f..bd01a2f260 100644 --- a/tests/acceptance/25_cf-execd/mailfilter_empty_old_log_everything_filtered.cf +++ b/tests/acceptance/25_cf-execd/mailfilter_empty_old_log_everything_filtered.cf @@ -38,6 +38,13 @@ bundle agent init link_from => linkfrom("$(sys.workdir)/outputs/old.log", "symlink"); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { methods: diff --git a/tests/acceptance/25_cf-execd/slow/dies_in_time.cf b/tests/acceptance/25_cf-execd/slow/dies_in_time.cf index 758ca963f5..e95942b2f6 100644 --- a/tests/acceptance/25_cf-execd/slow/dies_in_time.cf +++ b/tests/acceptance/25_cf-execd/slow/dies_in_time.cf @@ -74,6 +74,10 @@ echo DONE > $(G.testdir)/exec_command.status bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; + commands: "$(sys.cf_execd) -f $(this.promise_dirname)/kill_myself.execd.srv" diff --git a/tests/acceptance/25_cf-execd/timed/mailfilter_repeated_runs.cf b/tests/acceptance/25_cf-execd/timed/mailfilter_repeated_runs.cf index 29b611e793..1bcd8181b2 100644 --- a/tests/acceptance/25_cf-execd/timed/mailfilter_repeated_runs.cf +++ b/tests/acceptance/25_cf-execd/timed/mailfilter_repeated_runs.cf @@ -107,6 +107,13 @@ bundle agent init "any" usebundle => run_cf_execd(@(expected5), @(unexpected)); } +bundle agent test +{ + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10215" }; +} + bundle agent check { methods: diff --git a/tests/acceptance/26_cf-net/serial/cf-net_connect.cf b/tests/acceptance/26_cf-net/serial/cf-net_connect.cf index f5b0521ce5..033183ac17 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_connect.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_connect.cf @@ -34,6 +34,8 @@ bundle agent test contain => myshell; meta: "description" string => "Connect and authenticate with cf-serverd"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/26_cf-net/serial/cf-net_get.cf b/tests/acceptance/26_cf-net/serial/cf-net_get.cf index 12511dde21..3d0d78ee18 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_get.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_get.cf @@ -34,6 +34,9 @@ bundle agent test contain => myshell; meta: "description" string => "STAT+GET policy file from cf-serverd"; + "test_skip_needs_work" string => "windows", + comment => "for some reason, softfailing this test is not enough", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/26_cf-net/serial/cf-net_help.cf b/tests/acceptance/26_cf-net/serial/cf-net_help.cf index db8c487748..ebfbe74a8e 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_help.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_help.cf @@ -29,6 +29,8 @@ bundle agent test contain => myshell; meta: "description" string => "Argument parsing and help output"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/26_cf-net/serial/cf-net_stat.cf b/tests/acceptance/26_cf-net/serial/cf-net_stat.cf index 8d9c2f0c30..2fdb01740e 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_stat.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_stat.cf @@ -38,6 +38,8 @@ bundle agent test contain => myshell; meta: "description" string => "Stat a regular file (this policy file)"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/26_cf-net/serial/cf-net_stat_deny.cf b/tests/acceptance/26_cf-net/serial/cf-net_stat_deny.cf index 6f4d18d3ec..ecea92f941 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_stat_deny.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_stat_deny.cf @@ -38,6 +38,8 @@ bundle agent test contain => myshell; meta: "description" string => "Attempt to stat file without permission"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/26_cf-net/serial/cf-net_stat_dir.cf b/tests/acceptance/26_cf-net/serial/cf-net_stat_dir.cf index 80f1d5563a..685beb317c 100644 --- a/tests/acceptance/26_cf-net/serial/cf-net_stat_dir.cf +++ b/tests/acceptance/26_cf-net/serial/cf-net_stat_dir.cf @@ -38,6 +38,8 @@ bundle agent test contain => myshell; meta: "description" string => "Stat a directory"; + "test_soft_fail" string => "windows", + meta => { "ENT-10254" }; } bundle agent check diff --git a/tests/acceptance/27_cf-secret/decrypt.cf b/tests/acceptance/27_cf-secret/decrypt.cf index 1dbca5ce79..0baf3c522c 100644 --- a/tests/acceptance/27_cf-secret/decrypt.cf +++ b/tests/acceptance/27_cf-secret/decrypt.cf @@ -10,6 +10,8 @@ bundle agent test meta: "description" string => "Test that cf-secret can still decrypt content encrypted at the time of initial implementation"; + "test_soft_fail" string => "windows", + meta => { "ENT-10405" }; commands: "$(sys.cf_secret)" diff --git a/tests/acceptance/27_cf-secret/encrypt-decrypt-args.cf b/tests/acceptance/27_cf-secret/encrypt-decrypt-args.cf index d1979688cf..1a3208686e 100644 --- a/tests/acceptance/27_cf-secret/encrypt-decrypt-args.cf +++ b/tests/acceptance/27_cf-secret/encrypt-decrypt-args.cf @@ -21,6 +21,8 @@ bundle agent test "description" string => "Test cf-secret with different arguments/order"; + "test_soft_fail" string => "windows", + meta => { "ENT-10405" }; vars: "text" string => "This secret sauce should be encrypted and decrypted."; diff --git a/tests/acceptance/27_cf-secret/encrypt-decrypt.cf b/tests/acceptance/27_cf-secret/encrypt-decrypt.cf index 25fb244d8d..57a77623f5 100644 --- a/tests/acceptance/27_cf-secret/encrypt-decrypt.cf +++ b/tests/acceptance/27_cf-secret/encrypt-decrypt.cf @@ -21,6 +21,8 @@ bundle agent test "description" string => "Test that cf-secret basic key based encryption and decryption work"; + "test_soft_fail" string => "windows", + meta => { "ENT-10405" }; vars: "text" diff --git a/tests/acceptance/27_cf-secret/encrypt-no-key.cf b/tests/acceptance/27_cf-secret/encrypt-no-key.cf index ddc1ba9f93..ce84d42363 100644 --- a/tests/acceptance/27_cf-secret/encrypt-no-key.cf +++ b/tests/acceptance/27_cf-secret/encrypt-no-key.cf @@ -47,6 +47,9 @@ bundle agent test "description" -> { "CFE-3874" } string => "Test that encrypting with no host- / key argument defaults to encrypting for localhost."; + "test_soft_fail" string => "windows", + meta => { "ENT-10405" }; + commands: # Encrypt test file "$(sys.cf_secret)" diff --git a/tests/acceptance/28_inform_testing/01_files/copy_from01.cf.expected b/tests/acceptance/28_inform_testing/01_files/copy_from01.cf.expected index f08b81ddb5..b3203bcadb 100644 --- a/tests/acceptance/28_inform_testing/01_files/copy_from01.cf.expected +++ b/tests/acceptance/28_inform_testing/01_files/copy_from01.cf.expected @@ -1,4 +1,4 @@ - info: Created directory '/tmp/TEST.destination/subdir/.' + info: Created directory '/tmp/TEST.destination/subdir/.', mode 0700 info: Copied file '/tmp/TEST.source/file-perms-644' to '/tmp/TEST.destination/file-perms-644.cfnew' (permissions preserved) info: Moved '/tmp/TEST.destination/file-perms-644.cfnew' to '/tmp/TEST.destination/file-perms-644' info: Object '/tmp/TEST.destination/file-perms-644' had permissions 0600, changed it to 0644 diff --git a/tests/acceptance/28_inform_testing/01_files/copy_from02.cf.expected b/tests/acceptance/28_inform_testing/01_files/copy_from02.cf.expected index c37c43374e..39c5c0b160 100644 --- a/tests/acceptance/28_inform_testing/01_files/copy_from02.cf.expected +++ b/tests/acceptance/28_inform_testing/01_files/copy_from02.cf.expected @@ -1,4 +1,4 @@ - info: Created directory '/tmp/TEST.destination/subdir/.' + info: Created directory '/tmp/TEST.destination/subdir/.', mode 0700 info: Copied file '/tmp/TEST.source/file-perms-644' to '/tmp/TEST.destination/file-perms-644.cfnew' (mode '600') info: Moved '/tmp/TEST.destination/file-perms-644.cfnew' to '/tmp/TEST.destination/file-perms-644' info: Updated file '/tmp/TEST.destination/file-perms-644' from 'localhost:/tmp/TEST.source/file-perms-644' diff --git a/tests/acceptance/28_inform_testing/common.cf.sub b/tests/acceptance/28_inform_testing/common.cf.sub index 4a6ed12b57..2d031bf945 100644 --- a/tests/acceptance/28_inform_testing/common.cf.sub +++ b/tests/acceptance/28_inform_testing/common.cf.sub @@ -50,6 +50,10 @@ body delete init_delete bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10406" }, + if => not( strcmp( "insert_lines_noop.cf", "$(sys.policy_entry_basename)" ) ); vars: "cf_agent" string => ifelse(isvariable("sys.cf_agent"), "$(sys.cf_agent)", "/var/cfengine/bin/cf-agent"); "filter_list" slist => { " -e '/filestat bailing/d' ", diff --git a/tests/acceptance/29_simulate_mode/diff_mode.cf b/tests/acceptance/29_simulate_mode/diff_mode.cf index 494f17be78..1d031b2e80 100644 --- a/tests/acceptance/29_simulate_mode/diff_mode.cf +++ b/tests/acceptance/29_simulate_mode/diff_mode.cf @@ -19,9 +19,10 @@ bundle agent init bundle agent test { meta: - "test_soft_fail" string => "(solaris|aix|hpux)", - meta => { "ENT-6540" }; + "test_soft_fail" string => "(solaris|aix|hpux|windows)", + meta => { "ENT-6540,ENT-10254" }; # ENT-6540 exotics fail to delete chroot + # ENT-10254 tests fail on Windows due to CRLF "description" -> { "ENT-5302" } string => "Test that files promises in --simulate=diff mode produce proper output and only make changes in chroot"; diff --git a/tests/acceptance/29_simulate_mode/manifest_full_mode.cf b/tests/acceptance/29_simulate_mode/manifest_full_mode.cf index 84991051b1..c4906d5406 100644 --- a/tests/acceptance/29_simulate_mode/manifest_full_mode.cf +++ b/tests/acceptance/29_simulate_mode/manifest_full_mode.cf @@ -19,9 +19,10 @@ bundle agent init bundle agent test { meta: - "test_soft_fail" string => "(solaris|aix|hpux)", - meta => { "ENT-6540" }; + "test_soft_fail" string => "(solaris|aix|hpux|windows)", + meta => { "ENT-6540,ENT-10254" }; # ENT-6540 exotics fail to delete chroot + # ENT-10254 tests fail on Windows due to CRLF "description" -> { "ENT-5301" } string => "Test that files promises in --simulate=manifest-full mode produce proper output and only make changes in chroot"; diff --git a/tests/acceptance/29_simulate_mode/manifest_mode.cf b/tests/acceptance/29_simulate_mode/manifest_mode.cf index 841e76513c..dda53e7f42 100644 --- a/tests/acceptance/29_simulate_mode/manifest_mode.cf +++ b/tests/acceptance/29_simulate_mode/manifest_mode.cf @@ -19,9 +19,10 @@ bundle agent init bundle agent test { meta: - "test_soft_fail" string => "(solaris|aix|hpux)", - meta => { "ENT-6540" }; + "test_soft_fail" string => "(solaris|aix|hpux|windows)", + meta => { "ENT-6540,ENT-10254" }; # ENT-6540 exotics fail to delete chroot + # ENT-10254 tests fail on Windows due to CRLF "description" -> { "ENT-5301" } string => "Test that files promises in --simulate=manifest mode produce proper output and only make changes in chroot"; diff --git a/tests/acceptance/30_custom_promise_types/01_basic_module.cf b/tests/acceptance/30_custom_promise_types/01_basic_module.cf index e19c9a535b..812c362b7f 100644 --- a/tests/acceptance/30_custom_promise_types/01_basic_module.cf +++ b/tests/acceptance/30_custom_promise_types/01_basic_module.cf @@ -43,6 +43,9 @@ bundle agent test meta: "description" -> { "CFE-3443" } string => "Test that you can add a promise module and evaluate a custom promise"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; + vars: "test_string" diff --git a/tests/acceptance/30_custom_promise_types/02_if.cf b/tests/acceptance/30_custom_promise_types/02_if.cf index a54b9664a1..6c3ae9c0e9 100644 --- a/tests/acceptance/30_custom_promise_types/02_if.cf +++ b/tests/acceptance/30_custom_promise_types/02_if.cf @@ -58,6 +58,8 @@ bundle agent test meta: "description" -> { "CFE-3391" } string => "Test that custom promises work with if attribute"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "false_variable" diff --git a/tests/acceptance/30_custom_promise_types/05_meta_attr.cf b/tests/acceptance/30_custom_promise_types/05_meta_attr.cf index 4426b031ef..7e38995dce 100644 --- a/tests/acceptance/30_custom_promise_types/05_meta_attr.cf +++ b/tests/acceptance/30_custom_promise_types/05_meta_attr.cf @@ -45,6 +45,8 @@ bundle agent test meta: "description" -> { "CFE-3440" } string => "Test that you can use a meta attribute with a custom promise"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "test_string" diff --git a/tests/acceptance/30_custom_promise_types/11_unless.cf b/tests/acceptance/30_custom_promise_types/11_unless.cf index d845fde90b..8ca6cdf629 100644 --- a/tests/acceptance/30_custom_promise_types/11_unless.cf +++ b/tests/acceptance/30_custom_promise_types/11_unless.cf @@ -58,6 +58,8 @@ bundle agent test meta: "description" -> { "CFE-3431" } string => "Test that custom promises work with unless attribute"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "false_variable" diff --git a/tests/acceptance/30_custom_promise_types/12_multiple_promises.cf b/tests/acceptance/30_custom_promise_types/12_multiple_promises.cf index 7683de71d9..17fea8d49b 100644 --- a/tests/acceptance/30_custom_promise_types/12_multiple_promises.cf +++ b/tests/acceptance/30_custom_promise_types/12_multiple_promises.cf @@ -51,6 +51,8 @@ bundle agent test meta: "description" -> { "CFE-3443" } string => "Test that you can evaluate multiple custom promises of the same type"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "test_string" diff --git a/tests/acceptance/30_custom_promise_types/13_binary_path.cf b/tests/acceptance/30_custom_promise_types/13_binary_path.cf index ea1ba96939..bf85e2bb73 100644 --- a/tests/acceptance/30_custom_promise_types/13_binary_path.cf +++ b/tests/acceptance/30_custom_promise_types/13_binary_path.cf @@ -12,6 +12,9 @@ promise agent binary bundle agent test { + meta: + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; binary: "foobar" classes => if_ok("binary_ok"); diff --git a/tests/acceptance/30_custom_promise_types/14_multiple_promise_types_same_module.cf b/tests/acceptance/30_custom_promise_types/14_multiple_promise_types_same_module.cf index 19525601cf..bc8e134598 100644 --- a/tests/acceptance/30_custom_promise_types/14_multiple_promise_types_same_module.cf +++ b/tests/acceptance/30_custom_promise_types/14_multiple_promise_types_same_module.cf @@ -57,6 +57,8 @@ bundle agent test meta: "description" -> { "CFE-3443" } string => "Test that you can use the same custom module for two promise types"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "test_string" diff --git a/tests/acceptance/30_custom_promise_types/15_conflicting_interpreters.cf b/tests/acceptance/30_custom_promise_types/15_conflicting_interpreters.cf index 09781d7c84..410a7d76c0 100644 --- a/tests/acceptance/30_custom_promise_types/15_conflicting_interpreters.cf +++ b/tests/acceptance/30_custom_promise_types/15_conflicting_interpreters.cf @@ -58,6 +58,8 @@ bundle agent test meta: "description" -> { "CFE-3443" } string => "Test that you cannot use a promise module with two different interpreters"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; vars: "test_string" diff --git a/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf b/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf index b64c1a3f4e..8ad75fd22f 100644 --- a/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf +++ b/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf @@ -38,6 +38,8 @@ bundle agent test meta: "description" -> { "CFE-3723" } string => "Test that input from cf-agent to promise module matches expected data"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; example: cfengine:: diff --git a/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf.expected b/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf.expected index 25d30cdbfe..d06f1bc7c9 100644 --- a/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf.expected +++ b/tests/acceptance/30_custom_promise_types/22_what_module_gets.cf.expected @@ -4,7 +4,7 @@ operation=validate_promise log_level=info promise_type=example promiser=Promiser -line_number=44 +line_number=46 filename=./30_custom_promise_types/22_what_module_gets.cf attribute_attributeName=attributeValue @@ -12,7 +12,7 @@ operation=evaluate_promise log_level=info promise_type=example promiser=Promiser -line_number=44 +line_number=46 filename=./30_custom_promise_types/22_what_module_gets.cf attribute_attributeName=attributeValue diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_supported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_supported.cf index ed6aff3067..dbcdbd4f5c 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_supported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_supported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that dry-run can be used with custom promise modules supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_unsupported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_unsupported.cf index 3d0fdbf645..01cb2f2431 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_unsupported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/dryrun_unsupported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that --dry-run produces errors when used with custom promise modules not supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_fake_supported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_fake_supported.cf index e6ff2c80f2..7a0ba4207f 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_fake_supported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_fake_supported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that a bug in a module is reported if it advertises action_policy feature, but doesn't properly implement it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_supported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_supported.cf index 5030fb32e5..9472c4d3a3 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_supported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_supported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that action_policy can be used with custom promise modules supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_unsupported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_unsupported.cf index 18f8620447..52b33ccc1d 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_unsupported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/explicit_warn_unsupported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that action_policy produces errors when used with custom promise modules not supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_supported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_supported.cf index 7cf0b12c15..b8dd3d28ba 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_supported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_supported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that --simulate can be used with custom promise modules supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_unsupported.cf b/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_unsupported.cf index cfbf87327e..1232467af5 100644 --- a/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_unsupported.cf +++ b/tests/acceptance/30_custom_promise_types/23_action_policy/simulate_unsupported.cf @@ -18,6 +18,8 @@ bundle agent test meta: "description" -> { "CFE-3433" } string => "Test that --simulate produces errors when used with custom promise modules not supporting it"; + "test_soft_fail" string => "windows", + meta => { "ENT-10217" }; } bundle agent check diff --git a/tests/acceptance/31_tickets/ENT-8788/1/main.cf b/tests/acceptance/31_tickets/ENT-8788/1/main.cf index aebde408fc..d02bf2652b 100644 --- a/tests/acceptance/31_tickets/ENT-8788/1/main.cf +++ b/tests/acceptance/31_tickets/ENT-8788/1/main.cf @@ -11,6 +11,16 @@ bundle agent __main__ "bundlesequence" usebundle => default("$(this.promise_filename)"); } +bundle agent init +{ + vars: + "original_file" string => "$(this.promise_dirname)/start.xml.txt"; + "test_file" string => "$(sys.workdir)/start.xml.test"; + files: + "$(test_file)" + copy_from => local_cp("${original_file}"); +} + bundle agent test { meta: @@ -19,11 +29,10 @@ bundle agent test meta => { "ENT-8788" }; vars: - "test_file" string => "$(this.promise_dirname)/start.xml.txt"; "new_content_file" string => "$(this.promise_dirname)/newcontent.xml.txt"; files: - "$(test_file)" + "$(init.test_file)" create => "false", edit_defaults => size("500k"), edit_line => insert_file_as_block_relative_to_first_or_last_line( @@ -38,7 +47,7 @@ bundle agent check { methods: - "Pass/Fail" usebundle => dcs_check_diff($(test.test_file), + "Pass/Fail" usebundle => dcs_check_diff($(init.test_file), "$(this.promise_dirname)/desired-result.xml.txt", $(this.promise_filename)); } diff --git a/tests/acceptance/31_tickets/ENT-8788/2/main.cf b/tests/acceptance/31_tickets/ENT-8788/2/main.cf index 0f5226643e..0dd281f65b 100644 --- a/tests/acceptance/31_tickets/ENT-8788/2/main.cf +++ b/tests/acceptance/31_tickets/ENT-8788/2/main.cf @@ -11,6 +11,16 @@ bundle agent __main__ "bundlesequence" usebundle => default("$(this.promise_filename)"); } +bundle agent init +{ + vars: + "original_file" string => "$(this.promise_dirname)/start.xml.txt"; + "test_file" string => "$(sys.workdir)/start.xml.test"; + files: + "$(test_file)" + copy_from => local_cp("${original_file}"); +} + bundle agent test { meta: @@ -19,11 +29,10 @@ bundle agent test meta => { "ENT-8788" }; vars: - "test_file" string => "$(this.promise_dirname)/start.xml.txt"; "new_content_file" string => "$(this.promise_dirname)/newcontent.xml.txt"; files: - "$(test_file)" + "$(init.test_file)" create => "false", edit_defaults => size("500k"), edit_line => insert_file_as_block_relative_to_first_or_last_line( @@ -38,7 +47,7 @@ bundle agent check { methods: - "Pass/Fail" usebundle => dcs_check_diff($(test.test_file), + "Pass/Fail" usebundle => dcs_check_diff($(init.test_file), "$(this.promise_dirname)/desired-result.xml.txt", $(this.promise_filename)); } diff --git a/tests/acceptance/dcs.cf.sub b/tests/acceptance/dcs.cf.sub index a12db971d5..15bba3cd3d 100644 --- a/tests/acceptance/dcs.cf.sub +++ b/tests/acceptance/dcs.cf.sub @@ -24,6 +24,7 @@ bundle common G # General commands. "cmds" slist => { "date", "dd", + "dos2unix", "diff", "cat", "colordiff", @@ -83,27 +84,24 @@ bundle common G "paths[usr_local_bin]" string => "/usr/local/bin"; "paths[usr_contrib_bin]" string => "/usr/contrib/bin"; windows:: - "paths[mingw_msys_1_0_bin]" string => "c:\\mingw\\msys\\1.0\\bin"; - "paths[msys_1_0_bin]" string => "c:\\msys\\1.0\\bin"; - "paths[msys_bin]" string => "c:\\msys\\bin"; - "paths[pstools]" string => "c:\\PSTools"; - "paths[strawberry_perl_bin]" string => "c:\\strawberry\\perl\\bin"; + "paths[msys64_usr_bin]" string => "c:\\msys64\\usr\\bin"; + "paths[temp_msys64_usr_bin]" string => "d:\\a\\_temp\\msys64\\usr\\bin"; "paths[tool_wrappers]" string => "$(this.promise_dirname)\\tool_wrappers"; any:: "paths_indices" slist => getindices("paths"); # dereferenced path of the executable - "deref_paths[$(paths[$(paths_indices)])][$(cmds)]" string => + "deref_paths[$(paths[$(paths_indices)])][$(cmds)$(exeext)]" string => filestat("$(paths[$(paths_indices)])$(const.dirsep)$(cmds)$(exeext)", "linktarget"); classes: # General commands. "$(paths_indices)_$(cmds)$(exeext)" expression => - fileexists("$(deref_paths[$(paths[$(paths_indices)])][$(cmds)])"); + fileexists("$(deref_paths[$(paths[$(paths_indices)])][$(cmds)$(exeext)])"); "has_$(cmds)" expression => - fileexists("$(deref_paths[$(paths[$(paths_indices)])][$(cmds)])"), + fileexists("$(deref_paths[$(paths[$(paths_indices)])][$(cmds)$(exeext)])"), scope => "namespace"; # Special cases. diff --git a/tests/acceptance/plucked.cf.sub b/tests/acceptance/plucked.cf.sub index 297b6715a3..042642e5fe 100644 --- a/tests/acceptance/plucked.cf.sub +++ b/tests/acceptance/plucked.cf.sub @@ -667,16 +667,16 @@ bundle edit_line set_variable_values_ini(tab, sectionName) # If the line is there, but commented out, first uncomment it "#+\s*$(index)\s*=.*" - select_region => INI_section("$(sectionName)"), - edit_field => col("=","1","$(index)","set"), - ifvarclass => "edit_$(cindex[$(index)])"; + select_region => INI_section(escape("$(sectionName)")), + edit_field => col("\s*=\s*","1","$(index)","set"), + if => "edit_$(cindex[$(index)])"; # match a line starting like the key something - "$(index)\s*=.*" - edit_field => col("=","2","$($(tab)[$(sectionName)][$(index)])","set"), - select_region => INI_section("$(sectionName)"), + "\s*$(index)\s*=.*" + edit_field => col("\s*=\s*","2","$($(tab)[$(sectionName)][$(index)])","set"), + select_region => INI_section(escape("$(sectionName)")), classes => results("bundle", "set_variable_values_ini_not_$(cindex[$(index)])"), - ifvarclass => "edit_$(cindex[$(index)])"; + if => "edit_$(cindex[$(index)])"; insert_lines: "[$(sectionName)]" @@ -684,8 +684,8 @@ bundle edit_line set_variable_values_ini(tab, sectionName) comment => "Insert lines"; "$(index)=$($(tab)[$(sectionName)][$(index)])" - select_region => INI_section("$(sectionName)"), - ifvarclass => "!(set_variable_values_ini_not_$(cindex[$(index)])_kept|set_variable_values_ini_not_$(cindex[$(index)])_repaired).edit_$(cindex[$(index)])"; + select_region => INI_section(escape("$(sectionName)")), + if => "!(set_variable_values_ini_not_$(cindex[$(index)])_kept|set_variable_values_ini_not_$(cindex[$(index)])_repaired).edit_$(cindex[$(index)])"; } diff --git a/tests/acceptance/testall b/tests/acceptance/testall index 9d4fb2d594..aac5305646 100755 --- a/tests/acceptance/testall +++ b/tests/acceptance/testall @@ -431,7 +431,10 @@ runtest() { $LN_CMD "$CF_NET" "$WORKDIR/bin" $LN_CMD "$CF_CHECK" "$WORKDIR/bin" $LN_CMD "$CF_RUNAGENT" "$WORKDIR/bin" - $LN_CMD "$RPMVERCMP" "$WORKDIR/bin" + if [ "$NEED_RPMVERCMP" = "yes" ] + then + $LN_CMD "$RPMVERCMP" "$WORKDIR/bin" + fi $LN_CMD "$DIFF" "$WORKDIR/bin" fi for inc in $INCLUDE_IN_WORKDIR @@ -454,7 +457,7 @@ runtest() { fi if uname | grep MINGW > /dev/null then - PLATFORM_WORKDIR="$(echo $WORKDIR | sed -e 's%^/\([a-cA-Z]\)/%\1:/%' | sed -e 's%/%\\%g')" + PLATFORM_WORKDIR="$(echo $WORKDIR | sed -e 's%^/\([a-zA-Z]\)/%\1:/%' | sed -e 's%/%\\%g')" DS="\\" else PLATFORM_WORKDIR="$WORKDIR" @@ -730,6 +733,13 @@ export CFENGINE_TEST_OVERRIDE_WORKDIR TEMP CFENGINE_TEST_OVERRIDE_EXTENSION_LIBR ;; esac done + if [ "$GITHUB_ACTIONS" = "true" ] && [ "$RUNNER_OS" = "Windows" ] + then + # on Github Actions Windows runners, `rm -rf` moves files into /d/d/ directory. + # To clean this "Recycle bin", we delete this directory. + # Otherwise, runner promptly run out of disk space. + rm -rf /d/d/ + fi fi if [ -z "$QUIET" ] diff --git a/tests/acceptance/tool_wrappers/template.bat b/tests/acceptance/tool_wrappers/template.bat index b7a310d004..5beff82862 100644 --- a/tests/acceptance/tool_wrappers/template.bat +++ b/tests/acceptance/tool_wrappers/template.bat @@ -1,6 +1,5 @@ @echo off -if exist c:\mingw\msys\1.0\bin\sh.exe c:\mingw\msys\1.0\bin\sh.exe -c "%*" & goto end -if exist c:\msys\1.0\bin\sh.exe c:\msys\1.0\bin\sh.exe -c "%*" & goto end -if exist c:\msys\bin\sh.exe c:\msys\bin\sh.exe -c "%*" & goto end +if exist c:\msys64\usr\bin\sh.exe c:\msys64\usr\bin\sh.exe -c "%*" & goto end +if exist d:\a\_temp\msys64\usr\bin\sh.exe d:\a\_temp\msys64\usr\bin\sh.exe -c "%*" & goto end :end diff --git a/tests/load/run_lastseen_threaded_load.sh b/tests/load/run_lastseen_threaded_load.sh index aebcf21a91..64293cbb9a 100755 --- a/tests/load/run_lastseen_threaded_load.sh +++ b/tests/load/run_lastseen_threaded_load.sh @@ -1,10 +1,11 @@ #!/bin/sh -if [ "x$label" = "xPACKAGES_x86_64_solaris_10" ] ; -then - echo "Skipping lastseen_threaded_load on $label" +for skip_label in PACKAGES_x86_64_solaris_10 PACKAGES_ia64_hpux_11.23; do + if [ "$label" = "$skip_label" ]; then + echo "Skipping $0 on label $skip_label" exit 0; -fi + fi +done echo "Starting run_lastseen_threaded_load.sh test" diff --git a/tests/static-check/run.sh b/tests/static-check/run.sh index 168dc77d06..1a8d92cda8 100755 --- a/tests/static-check/run.sh +++ b/tests/static-check/run.sh @@ -1,6 +1,8 @@ #!/bin/bash +# Note that this container build requires about 700MB minimum RAM for dnf to operate +# use debian-12+ or rhel-8+, debian-11 buildah seems to fail setting up networking/dns for the container so dnf doesn't work (CFE-4295) -set -e +set -eE # include E so that create_image() failures bubble up to the surface trap "echo FAILURE" ERR if [ -z "$STATIC_CHECKS_FEDORA_VERSION" ]; then diff --git a/tests/static-check/run_checks.sh b/tests/static-check/run_checks.sh index 5cfe1d15d1..3803ccda07 100755 --- a/tests/static-check/run_checks.sh +++ b/tests/static-check/run_checks.sh @@ -3,34 +3,48 @@ set -x n_procs="$(getconf _NPROCESSORS_ONLN)" +use_procs=$((n_procs/2)) function check_with_gcc() { + # previous runs may have cached configuration based on a different CC rm -f config.cache make clean - ./configure -C --enable-debug CC=gcc - local gcc_exceptions="-Wno-sign-compare" - make -j -l${n_procs} --keep-going CFLAGS="-Werror -Wall -Wextra $gcc_exceptions" + # here --config-cache enables lots of checks in subdir libntech to re-use checks made in core + ./configure --config-cache --enable-debug CC=gcc + local gcc_exceptions="-Wno-sign-compare -Wno-enum-int-mismatch" + make -j -l${use_procs} --keep-going CFLAGS="-Werror -Wall -Wextra $gcc_exceptions" } function check_with_clang() { + # previous runs may have cached configuration based on a different CC rm -f config.cache make clean - ./configure -C --enable-debug CC=clang - make -j -l${n_procs} --keep-going CFLAGS="-Werror -Wall -Wextra -Wno-sign-compare" + # here --config-cache enables lots of checks in subdir libntech to re-use checks made in core + ./configure --config-cache --enable-debug CC=clang + make -j -l${use_procs} --keep-going CFLAGS="-Werror -Wall -Wextra -Wno-sign-compare" } function check_with_cppcheck() { + # previous runs may have cached configuration based on a different CC rm -f config.cache - ./configure -C --enable-debug + make clean + # here --config-cache enables lots of checks in subdir libntech to re-use checks made in core + ./configure --config-cache --enable-debug + make -C libpromises/ bootstrap.inc # needed by libpromises/bootstrap.c + + # print out cppcheck version for comparisons over time in case of regressions due to newer versions + cppcheck --version # cppcheck options: # -I -- include paths # -i -- ignored files/folders + # --include= -- force including a file, e.g. config.h # Identified issues are printed to stderr - cppcheck --quiet -j${n_procs} --error-exitcode=1 ./ \ + cppcheck --quiet -j${use_procs} --error-exitcode=1 ./ \ --suppressions-list=tests/static-check/cppcheck_suppressions.txt \ + --include=config.h \ -I cf-serverd/ -I libpromises/ -I libcfnet/ -I libntech/libutils/ \ - -i 3rdparty -i .lgtm -i libntech/.lgtm -i tests -i libpromises/cf3lex.c \ + -i 3rdparty -i .github/codeql -i libntech/.lgtm -i tests -i libpromises/cf3lex.c \ 2>&1 1>/dev/null } @@ -38,6 +52,13 @@ cd "$(dirname $0)"/../../ failure=0 failures="" + +# in jenkins the workdir is already autogen'd +# in github it is not, so do that work here +if [ ! -f configure ]; then + NO_CONFIGURE=1 ./autogen.sh --enable-debug +fi + check_with_gcc || { failures="${failures}FAIL: GCC check failed\n"; failure=1; } check_with_clang || { failures="${failures}FAIL: Clang check failed\n"; failure=1; } check_with_cppcheck || { failures="${failures}FAIL: cppcheck failed\n"; failure=1; } diff --git a/tests/unit/Makefile.am b/tests/unit/Makefile.am index 6a72dce240..90f65ec67c 100644 --- a/tests/unit/Makefile.am +++ b/tests/unit/Makefile.am @@ -106,6 +106,7 @@ libdb_la_LIBADD = libstr.la ../../libntech/libutils/libutils.la libdb_la_CFLAGS = $(AM_CFLAGS) check_PROGRAMS = \ + processes_select_test \ arg_split_test \ assoc_test \ item_test \ @@ -201,6 +202,10 @@ if HPUX XFAIL_TESTS = mon_load_test # Redmine #3569 endif + +processes_select_test_SOURCES = processes_select_test.c +processes_select_test_LDADD = libtest.la ../../libpromises/libpromises.la + # # OS X uses real system calls instead of our stubs unless this option is used # diff --git a/tests/unit/lastseen_test.c b/tests/unit/lastseen_test.c index 0344a2e59b..0cd28a31c7 100644 --- a/tests/unit/lastseen_test.c +++ b/tests/unit/lastseen_test.c @@ -70,6 +70,7 @@ static void test_newentry(void) KeyHostSeen q; assert_int_equal(ReadDB(db, "qiSHA-12345", &q, sizeof(q)), true); + assert_false(q.acknowledged); assert_int_equal(q.lastseen, 666); assert_double_close(q.Q.q, 0.0); assert_double_close(q.Q.dq, 0.0); @@ -102,6 +103,7 @@ static void test_update(void) KeyHostSeen q; assert_int_equal(ReadDB(db, "qiSHA-12345", &q, sizeof(q)), true); + assert_false(q.acknowledged); assert_int_equal(q.lastseen, 1110); assert_double_close(q.Q.q, 555.0); assert_double_close(q.Q.dq, 555.0); diff --git a/tests/unit/processes_select_test.c b/tests/unit/processes_select_test.c new file mode 100644 index 0000000000..f9cfbb805e --- /dev/null +++ b/tests/unit/processes_select_test.c @@ -0,0 +1,45 @@ +#include + +#include +#include +#include + +static void test_SplitProcLine_windows(void) +{ + + char buf[CF_BUFSIZE]; + snprintf(buf, sizeof(buf), "%-20s %5s %s %s %8s %8s %-3s %s %s %5s %s", + "USER", "PID", "%CPU", "%MEM", "VSZ", "RSS", "TTY", "STAT", "START", "TIME", "COMMAND"); + + char *names[CF_PROCCOLS] = {0}; + int start[CF_PROCCOLS]; + int end[CF_PROCCOLS]; + + GetProcessColumnNames(buf, names, start, end); + + const char *const proc_line = "NETWORK SERVICE 540 0.0 0.3 5092 11180 ? ? Apr28 00:00 C:\\Windows\\system32\\svchost.exe -k RPCSS -p"; + time_t pstime = time(NULL); + + char *column[CF_PROCCOLS] = {0}; + + bool ret = SplitProcLine(proc_line, pstime, names, start, end, PCA_AllColumnsPresent, column); + assert_true(ret); + assert_string_equal(column[0], "NETWORK SERVICE"); + + for (int i = 0; i < CF_PROCCOLS; i++) + { + free(names[i]); + free(column[i]); + } +} + +int main() +{ + PRINT_TEST_BANNER(); + const UnitTest tests[] = + { + unit_test(test_SplitProcLine_windows), + }; + + return run_tests(tests); +} diff --git a/tests/unit/rlist_test.c b/tests/unit/rlist_test.c index 32fb4e4a99..5064fe08a7 100644 --- a/tests/unit/rlist_test.c +++ b/tests/unit/rlist_test.c @@ -31,6 +31,23 @@ static void test_length(void) RlistDestroy(list); } +static void test_equality(void) +{ + Rlist *list1 = RlistFromSplitString("a,b,c", ','); + Rlist *list2 = RlistFromSplitString("a,b,c", ','); + Rlist *list3 = RlistFromSplitString("z,b,c", ','); + Rlist *list4 = RlistFromSplitString("a,b,c,d", ','); + + assert_true(RlistEqual(list1, list2)); + assert_false(RlistEqual(list1, list3)); + assert_false(RlistEqual(list1, list4)); + + RlistDestroy(list1); + RlistDestroy(list2); + RlistDestroy(list3); + RlistDestroy(list4); +} + static void test_prepend_scalar_idempotent(void) { Rlist *list = NULL; @@ -713,6 +730,36 @@ static void test_regex_split_overlapping_delimiters() RlistDestroy(list); } +static void test_rval_write() +{ + Rval rval = { "\"Hello World!\"", RVAL_TYPE_SCALAR }; + Writer *writer = StringWriter(); + RvalWrite(writer, rval); + const char *actual = StringWriterData(writer); + assert_string_equal(actual, "\\\"Hello World!\\\""); + WriterClose(writer); +} + +static void test_rval_write_quoted() +{ + Rval rval = { "\"Hello World!\"", RVAL_TYPE_SCALAR }; + Writer *writer = StringWriter(); + RvalWriteQuoted(writer, rval); + const char *actual = StringWriterData(writer); + assert_string_equal(actual, "\"\\\"Hello World!\\\"\""); + WriterClose(writer); +} + +static void test_rval_write_raw() +{ + Rval rval = { "\"Hello World!\"", RVAL_TYPE_SCALAR }; + Writer *writer = StringWriter(); + RvalWriteRaw(writer, rval); + const char *actual = StringWriterData(writer); + assert_string_equal(actual, "\"Hello World!\""); + WriterClose(writer); +} + int main() { PRINT_TEST_BANNER(); @@ -720,6 +767,7 @@ int main() { unit_test(test_prepend_scalar_idempotent), unit_test(test_length), + unit_test(test_equality), unit_test(test_copy), unit_test(test_rval_to_scalar), unit_test(test_rval_to_scalar2), @@ -744,7 +792,10 @@ int main() unit_test(test_regex_split_no_match), unit_test(test_regex_split_adjacent_separators), unit_test(test_regex_split_real_regex), - unit_test(test_regex_split_overlapping_delimiters) + unit_test(test_regex_split_overlapping_delimiters), + unit_test(test_rval_write), + unit_test(test_rval_write_quoted), + unit_test(test_rval_write_raw), }; return run_tests(tests); diff --git a/tests/valgrind-check/Containerfile b/tests/valgrind-check/Containerfile index 287d2dee4c..6e7ad4942b 100644 --- a/tests/valgrind-check/Containerfile +++ b/tests/valgrind-check/Containerfile @@ -1,7 +1,6 @@ FROM ubuntu:20.04 AS build -RUN DEBIAN_FRONTEND=noninteractive apt-get update -y -RUN DEBIAN_FRONTEND=noninteractive apt-get install -y libssl-dev libxml2-dev libpam0g-dev liblmdb-dev libacl1-dev libpcre3 libpcre3-dev -RUN DEBIAN_FRONTEND=noninteractive apt-get install -y python git flex bison byacc automake make autoconf libtool valgrind +RUN DEBIAN_FRONTEND=noninteractive apt-get update -y --fix-missing && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y libssl-dev libxml2-dev libpam0g-dev liblmdb-dev libacl1-dev libpcre3 libpcre3-dev python git flex bison byacc automake make autoconf libtool valgrind curl COPY masterfiles masterfiles COPY core core WORKDIR core diff --git a/tests/valgrind-check/valgrind.sh b/tests/valgrind-check/valgrind.sh index 534309751f..dfd334196b 100644 --- a/tests/valgrind-check/valgrind.sh +++ b/tests/valgrind-check/valgrind.sh @@ -58,13 +58,21 @@ function check_masterfiles_and_inputs { set -e set -x +# In case things go wrong and this hangs, let's make sure things get properly +# cleaned up from here rather than relying on the outer environment doing the +# cleanup. In case this runs in a container, it could be a big +# difference. Especially in a case of an SPC. +{ sleep 30m && kill -9 $$; } & +auto_destruct_pid=$! +trap "kill $auto_destruct_pid" EXIT + # Assume we are in core directory if [ -f ./configure ] ; then ./configure -C --enable-debug else ./autogen.sh -C --enable-debug fi -make +make -j -l $(getconf _NPROCESSORS_ONLN) make install cd ../masterfiles @@ -102,15 +110,25 @@ print_ps echo "Starting cf-serverd with valgrind in background:" valgrind $VG_OPTS --log-file=serverd.txt /var/cfengine/bin/cf-serverd --no-fork 2>&1 > serverd_output.txt & server_pid="$!" -sleep 20 echo "Starting cf-execd with valgrind in background:" valgrind $VG_OPTS --log-file=execd.txt /var/cfengine/bin/cf-execd --no-fork 2>&1 > execd_output.txt & exec_pid="$!" -sleep 10 print_ps +# cf-serverd running under valgrind can be really slow to start, let's give it +# some time before we move on and potentially hit the wall if it's actually +# malfunctioning +tries=12 # max 2 minutes +while /var/cfengine/bin/cf-net -H $BOOTSTRAP_IP connect | grep Failed; do + tries=$((tries - 1)) + if [ $tries -le 0 ]; then + break; + fi + sleep 10 +done + echo "Running cf-net:" valgrind $VG_OPTS /var/cfengine/bin/cf-net GET /var/cfengine/masterfiles/promises.cf 2>&1 | tee get.txt check_valgrind_output get.txt diff --git a/travis-scripts/after_script.sh b/travis-scripts/after_script.sh deleted file mode 100755 index 512ea2cabb..0000000000 --- a/travis-scripts/after_script.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh -set +e -cd $TRAVIS_BUILD_DIR || return 1 -mkdir artifacts -test "x$DIST_TARBALL" != x && cp "$DIST_TARBALL" artifacts/ -mv config.log artifacts/ 2>/dev/null -mv tests/acceptance/summary.log artifacts/ 2>/dev/null -mv tests/acceptance/test.log artifacts/ 2>/dev/null -mv tests/acceptance/workdir artifacts/ 2>/dev/null -mv serverd-multi-versions-logs artifacts/ 2>/dev/null - -VERSION=$(expr "$DIST_TARBALL" : "cfengine-\(.*\).tar.gz") -VERSION=${VERSION:-master} -test "$TRAVIS_PULL_REQUEST" = "false" && BRANCH_OR_PULL_REQUEST=$TRAVIS_BRANCH || BRANCH_OR_PULL_REQUEST=PULL_$TRAVIS_PULL_REQUEST - -filename=cfengine-$VERSION-$BRANCH_OR_PULL_REQUEST-$JOB_TYPE.artifacts.zip -zip -q -r $filename artifacts/ - -echo ===== uploading $filename to file.io ===== -curl -F "file=@$filename" https://file.io -echo 'Note that file.io DELETES file from their servers after first download,' -echo "so don't delete it from your machine if you still need it!" - -cd - >/dev/null diff --git a/travis-scripts/after_success.sh b/travis-scripts/after_success.sh deleted file mode 100755 index 1a2485251c..0000000000 --- a/travis-scripts/after_success.sh +++ /dev/null @@ -1 +0,0 @@ -#!/bin/sh diff --git a/travis-scripts/before_install.sh b/travis-scripts/before_install.sh deleted file mode 100755 index 4d0833b30a..0000000000 --- a/travis-scripts/before_install.sh +++ /dev/null @@ -1,41 +0,0 @@ -#!/bin/sh -set -e -if [ "$TRAVIS_OS_NAME" = osx ] -then - set +e - rvm get stable - brew update - brew install lmdb - brew install make - brew install autoconf - brew install automake - brew install openssl - # brew install gcc@7 || brew link --overwrite gcc@7 - set -e - # gcc-7 --version - #brew install python - #brew install libxml2 - #brew install fakeroot -else - sudo rm -vf /etc/apt/sources.list.d/*riak* - sudo apt-get --quiet update - # Needed to build - sudo apt-get install -y libssl-dev libpam0g-dev - sudo apt-get install -y liblmdb-dev - # Needed to test - sudo apt-get install -y fakeroot - # Optional - sudo apt-get install -y libxml2-dev libacl1-dev - # Code coverage dependency: - sudo apt-get install -y lcov - # Ensure traditional yacc compatibility - sudo apt-get purge -y bison - sudo apt-get autoremove -y - sudo apt-get install -y byacc - sudo apt-get -qy install curl - - if [ "$JOB_TYPE" = valgrind_health_check ] - then - sudo apt-get install -y valgrind - fi -fi diff --git a/travis-scripts/script.sh b/travis-scripts/script.sh deleted file mode 100755 index 981a60fbd7..0000000000 --- a/travis-scripts/script.sh +++ /dev/null @@ -1,88 +0,0 @@ -#!/bin/sh -set -e -set -x - -cd $TRAVIS_BUILD_DIR || exit 1 - -if [ "$JOB_TYPE" = valgrind_health_check ] -then - sudo bash travis-scripts/valgrind.sh - exit -fi - -INSTDIR=$HOME/cf_install - -# if [ "$JOB_TYPE" = style_check ] -# then -# # sh tests/misc/style_check.sh -# exit 0 -# fi - -# Fetch the tags from upstream even if we are on a -# foreign clone. Needed for determine-version.sh to work. -git remote add upstream https://github.com/cfengine/core.git \ - && git fetch --no-recurse-submodules upstream 'refs/tags/*:refs/tags/*' - -if [ "$TRAVIS_OS_NAME" = osx ] -then - ./autogen.sh --enable-debug --with-openssl="$(brew --prefix openssl)" --prefix=$INSTDIR --bindir=$INSTDIR/var/cfengine/bin - gmake --version - gmake CFLAGS="-Werror -Wall" - # Tests are disabled on OS X, because they started hanging in travis, - # for no apparent reason. - # gmake --debug -C tests/unit check - exit -else - NO_CONFIGURE=1 ./autogen.sh - ./configure --enable-debug --prefix=$INSTDIR --with-systemd-service --bindir=$INSTDIR/var/cfengine/bin \ - `[ "x$COVERAGE" != xno ] && echo --enable-coverage` -fi - -make dist - -DIST_TARBALL=`echo cfengine-*.tar.gz` -export DIST_TARBALL - -if [ "$JOB_TYPE" = compile_only ] -then - make CFLAGS="-Werror" -k -elif [ "$JOB_TYPE" = compile_and_unit_test ] -then - make CFLAGS="-Wall -Wextra -Werror -Wno-sign-compare" - make -C tests/unit check - make -C tests/load check - exit -elif [ "$JOB_TYPE" = compile_and_unit_test_asan ] -then - make CFLAGS="-Werror -Wall -fsanitize=address" LDFLAGS="-fsanitize=address" - make -C tests/unit CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" check - make -C tests/load CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" check - exit -else - make -fi - -cd tests/acceptance || exit 1 -chmod -R go-w . - -if [ "$JOB_TYPE" = acceptance_tests_common ] -then - ./testall --printlog --tests=common,errorlog - exit -fi - -# WARNING: the following job runs the selected tests as root! -# We are chmod'ing in the end so that code coverage data is readable from user -if [ "$JOB_TYPE" = acceptance_tests_unsafe_serial_network_etc ] -then - ./testall --gainroot=sudo --tests=timed,slow,errorexit,libxml2,libcurl,serial,network,unsafe - exit -fi - -if [ "$JOB_TYPE" = serverd_multi_versions ] -then - cd ../.. - set +e - tests/acceptance/serverd-multi-versions.sh - exit -fi diff --git a/travis-scripts/valgrind.sh b/travis-scripts/valgrind.sh deleted file mode 100644 index a36b1ce975..0000000000 --- a/travis-scripts/valgrind.sh +++ /dev/null @@ -1,244 +0,0 @@ -#!/usr/bin/env bash -set -e - -if [ -d /var/cfengine ]; then - rm -rf /var/cfengine -fi - -# Test assumes we start in core or masterfiles directory -cd ../ - -if [ ! -d core ]; then - echo "Cloning core (master)" - git clone --recursive https://github.com/cfengine/core.git -fi - -if [ ! -d masterfiles ]; then - echo "Cloning masterfiles (master)" - git clone --recursive https://github.com/cfengine/masterfiles.git -fi - -echo "Checking for systemctl" -systemctl --version - -cd core/ -echo "Building CFEngine core" -set +e -git fetch --unshallow 2>&1 >> /dev/null -git remote add upstream https://github.com/cfengine/core.git \ - && git fetch upstream 'refs/tags/*:refs/tags/*' 2>&1 >> /dev/null -set -e - -./autogen.sh --enable-debug --with-systemd-service -make - -echo "Installing CFEngine core" -make install -cd ../ - -cd masterfiles/ -./autogen.sh -echo "Installing CFEngine masterfiles" -make install - -systemctl daemon-reload - -function print_ps { - set +e - echo "CFEngine processes:" - ps aux | grep [c]f- - - echo "Valgrind processes:" - ps aux | grep [v]algrind - set -e -} - -function no_errors { - set +e - grep -i "error" $1 - grep -i "error" $1 && exit 1 - set -e -} - -function check_daemon_output { - echo "Examining $1:" - no_errors $1 -} - -function check_output { - set -e - if [ ! -f "$1" ]; then - echo "$1 does not exists!" - exit 1 - fi - echo "Looking for problems in $1:" - grep -i "ERROR SUMMARY: 0 errors" "$1" - cat $1 | sed -e "/ 0 errors/d" -e "/and suppressed error/d" -e "/a memory error detector/d" -e "/This database contains unknown binary data/d" > filtered.txt - no_errors filtered.txt - set +e - grep -i "at 0x" filtered.txt - grep -i "at 0x" filtered.txt && exit 1 - grep -i "by 0x" filtered.txt - grep -i "by 0x" filtered.txt && exit 1 - grep -i "Failed to connect" filtered.txt - grep -i "Failed to connect" filtered.txt && exit 1 - set -e -} - -function check_serverd_valgrind_output { - if [ ! -f "$1" ]; then - echo "$1 does not exists!" - exit 1 - fi - set -e - echo "Serverd has 1 expected valgrind error in travis because of old glibc" - echo "Because of this we use special assertions on output" - echo "Looking for problems in $1:" - grep -i "definitely lost" $1 - grep -i "indirectly lost" $1 - grep -i "ERROR SUMMARY" $1 - grep -i "definitely lost: 0 bytes in 0 blocks" $1 - grep -i "indirectly lost: 0 bytes in 0 blocks" $1 - grep -i "ERROR SUMMARY: 0 errors" "$1" - - cat $1 | sed -e "/ERROR SUMMARY/d" -e "/and suppressed error/d" -e "/a memory error detector/d" > filtered.txt - - no_errors filtered.txt - set +e - grep -i "at 0x" filtered.txt - grep -i "at 0x" filtered.txt && exit 1 - grep -i "by 0x" filtered.txt - grep -i "by 0x" filtered.txt && exit 1 - set -e -} - -function check_masterfiles_and_inputs { - set -e - echo "Comparing promises.cf from inputs and masterfiles:" - diff /var/cfengine/inputs/promises.cf /var/cfengine/masterfiles/promises.cf -} - -/var/cfengine/bin/cf-agent --version - -VG_OPTS="--leak-check=full --track-origins=yes --error-exitcode=1" -BOOTSTRAP_IP="$(ifconfig | grep -A1 Ethernet | sed '2!d;s/.*addr:\([0-9.]*\).*/\1/')" - -valgrind $VG_OPTS /var/cfengine/bin/cf-key 2>&1 | tee cf-key.txt -check_output cf-key.txt -valgrind $VG_OPTS /var/cfengine/bin/cf-agent -B $BOOTSTRAP_IP 2>&1 | tee bootstrap.txt -check_output bootstrap.txt - -# Validate all databases here, because later, we cannot validate -# cf_lastseen.lmdb: -echo "Running cf-check diagnose --validate on all databases:" -valgrind $VG_OPTS /var/cfengine/bin/cf-check diagnose --validate 2>&1 | tee cf_check_validate_all.txt -check_output cf_check_validate_all.txt - -check_masterfiles_and_inputs - -print_ps - -echo "Stopping service to relaunch under valgrind" -systemctl stop cfengine3 -sleep 10 -print_ps - -# The IP we bootstrapped to cannot actually be used for communication. -# This ensures that cf-serverd binds to loopback interface, and cf-net -# connects to it: -echo "127.0.0.1" > /var/cfengine/policy_server.dat - -echo "Starting cf-serverd with valgrind in background:" -valgrind $VG_OPTS --log-file=serverd.txt /var/cfengine/bin/cf-serverd --no-fork 2>&1 > serverd_output.txt & -server_pid="$!" -sleep 20 - -echo "Starting cf-execd with valgrind in background:" -valgrind $VG_OPTS --log-file=execd.txt /var/cfengine/bin/cf-execd --no-fork 2>&1 > execd_output.txt & -exec_pid="$!" -sleep 10 - -print_ps - -echo "Running cf-net:" -valgrind $VG_OPTS /var/cfengine/bin/cf-net GET /var/cfengine/masterfiles/promises.cf 2>&1 | tee get.txt -check_output get.txt - -echo "Checking promises.cf diff (from cf-net GET):" -diff ./promises.cf /var/cfengine/masterfiles/promises.cf - -echo "Running update.cf:" -valgrind $VG_OPTS /var/cfengine/bin/cf-agent -K -f update.cf 2>&1 | tee update.txt -check_output update.txt -check_masterfiles_and_inputs -echo "Running update.cf without local copy:" -valgrind $VG_OPTS /var/cfengine/bin/cf-agent -K -f update.cf -D mpf_skip_local_copy_optimization 2>&1 | tee update2.txt -check_output update2.txt -check_masterfiles_and_inputs -echo "Running promises.cf:" -valgrind $VG_OPTS /var/cfengine/bin/cf-agent -K -f promises.cf 2>&1 | tee promises.txt -check_output promises.txt - -# Dump all databases, use grep to filter the JSON lines -# (optional whitespace then double quote or curly brackets). -# Some of the databases have strings containing "error" -# which check_output greps for. -echo "Running cf-check dump:" -valgrind $VG_OPTS /var/cfengine/bin/cf-check dump 2>&1 | grep -E '\s*[{}"]' --invert-match | tee cf_check_dump.txt -check_output cf_check_dump.txt - -echo "Running cf-check diagnose on all databases" -valgrind $VG_OPTS /var/cfengine/bin/cf-check diagnose 2>&1 | tee cf_check_diagnose.txt -check_output cf_check_diagnose.txt - -# Because of the hack with bootstrap IP / policy_server.dat above -# lastseen would not pass validation: -echo "Running cf-check diagnose --validate on all databases except cf_lastseen.lmdb:" -find /var/cfengine/state -name '*.lmdb' ! -name 'cf_lastseen.lmdb' -exec \ - valgrind $VG_OPTS /var/cfengine/bin/cf-check diagnose --validate {} + 2>&1 \ - | tee cf_check_validate_no_lastseen.txt -check_output cf_check_validate_no_lastseen.txt - -echo "Checking that bootstrap ID doesn't change" -/var/cfengine/bin/cf-agent --show-evaluated-vars | grep bootstrap_id > id_a -/var/cfengine/bin/cf-agent -K --show-evaluated-vars | grep bootstrap_id > id_b -cat id_a -diff id_a id_b - -echo "Checking that bootstrap ID has expected length" -[ `cat id_a | awk '{print $2}' | wc -c` -eq 41 ] - -print_ps - -echo "Checking that serverd and execd PIDs are still correct/alive:" -ps -p $exec_pid -ps -p $server_pid - -echo "Killing valgrind cf-execd" -kill $exec_pid -echo "Killing valgrind cf-serverd" -kill $server_pid -sleep 30 - -echo "Output from cf-execd in valgrind:" -cat execd.txt -check_output execd.txt -check_daemon_output execd_output.txt - -echo "Output from cf-serverd in valgrind:" -cat serverd.txt -check_serverd_valgrind_output serverd.txt -check_daemon_output serverd_output.txt - -echo "Stopping cfengine3 service" -systemctl stop cfengine3 - -echo "Done killing" -sleep 10 -print_ps - -echo "Check that bootstrap was successful" -grep "This host assumes the role of policy server" bootstrap.txt -grep "completed successfully!" bootstrap.txt - -echo "valgrind_health_check successful! (valgrind.sh)"