Rules¶
The Rules plugin resolves the following Abstract Configuration Entities:
- Service
- Package
- Path
- Action
- All SELinux entries
- POSIXUser
- POSIXGroup
to literal configuration entries suitable for the client drivers to consume.
For an entity specification to be included in the Literal configuration the name attribute from an Abstract Entity Tag (from Base or Bundler) must match the name attribute of an Entity tag in Rules, along with the appropriate group associations of course.
Each file in the Rules directory has a priority. This allows the same Entities to be served by multiple files. The priorities can be used to break ties in the case that multiple files serve data for the same Entity.
Usage of Groups in Rules¶
Groups are used by the Rules plugin, along with host metadata, for selecting the Configuration Entity entries to include in the clients literal configuration. They can be thought of as:
if client is a member of group1 then
assign to literal config
Nested groups are conjunctive (logical and).:
if client is a member of group1 and group2 then
assign to literal config
Group membership may be negated.
Tag Attributes in Rules¶
Running bcfg2-lint will check your configuration specification for
the presence of any mandatory attributes that are necessary for the
entry specified.
Rules Tag¶
Package Tag¶
- complexType PackageType¶
Concrete specification of a package to be installed. A package can be specified in one of two ways:
- A single Package tag that lists all of the attributes for the single instance of the package that should be installed.
- A Package tag with any number of
Instancechildren, each of which lists the attributes of an instance of the package that should be installed. In this case, the Package tag should only havenameandtype.
Note that many of the attributes listed below are specific to one or a few package drivers.
- Attributes:
Name Description Values Required Default namePackage name.stringYes None typeThe package type, which determines which client driver will handle installation of this package.apk|ips|macport|opencsw|pacman|deb|rpm|blast|encap|sysv|ebuild|yum|freebsdpkgYes None archThe architecture of the package to be installed.stringNo None bnameThe name of the package for installing (as opposed to the name when verifying) with the Blast and OpenCSW drivers.stringNo None filePackage file name. Several other attributes (name, version) can be automatically defined based on regular expressions defined in the Pkgmgr plugin, which is the only plugin with which this is useful.stringNo None multiarchComma-separated list of architectures of this package that should be installed. This is only used by the Pkgmgr plugin.stringNo None pkg_checksWhether or not to perform basic package checks (version, release, etc.) on this package with the YUM, YUM24, or RPM driver.true|falseNo None pkg_verifyWhether or not to perform full package verification (file integrity, etc.) on this package with the YUM, YUM24, or RPM driver.true|falseNo truereleaseThe release of the package to be installed.stringNo None simplefilePackage file name. No name parsing is performed, so no extra fields get set. This is only used for some edge cases with Pkgmgr.stringNo None srcsFilename creation rules for multiarch packages. This is only used by the Pkgmgr plugin.stringNo None verifyWhether or not to perform package verification. This is not supported by the YUM driver.true|falseNo falseverify_flagsFlags to pass to the package verification routines of the YUM, YUM24, or RPM driver.stringNo None versionThe version of the package to be installed. This should only be the version, i.e., not the release. Release should be specified in
release, and it is an error to append the release to this.This can also be one of two “special” values:
autowill select the newest version of the package available.anywill select any version of the package, and can be used to ensure that a package is installed without requiring any particular version.
stringNo None - Attribute groups:
- Child elements:
- element Instance¶
An Instance element describes a single instance of a package that may have several different versions, arches, etc., installed at once.
- Attributes:
Name Description Values Required Default archThe architecture of the package to be installed.stringNo None epochThe epoch of the package to be installed.integerNo None installed_actionIf this is set to any value other than “install”, package installation will be suppressed with the YUM24 and RPM drivers.stringNo installpkg_verifyWhether or not to perform full package verification (file integrity, etc.) on this package with the YUM, YUM24, or RPM driver.true|falseNo None releaseThe release of the package to be installed.stringNo None simplefilePackage file name. No name parsing is performed, so no extra fields get set. This is only used for manual maintenance ofgpg-pubkeypackages with the YUM, YUM24, or RPM driver.stringNo None verify_fail_actionIf this is set to any value other than “reinstall”, a package that fails package verification will not be reinstalled with the YUM24 and RPM drivers.stringNo None verify_flagsComma-separated list of flags to pass to the package verification routines of the YUM, YUM24, or RPM driver. Seeman rpmfor details on the flags.stringNo None versionThe version of the package to be installed. Seeversionfor details.stringNo None version_fail_actionIf this is set to any value other than “upgrade”, a package that has the incorrect version installed will not be fixed with the YUM24 and RPM drivers. Note that “upgrade” is misleading; if a package is installed that is newer than the desired version, it will not be downgraded if this attribute is set to anything other than “upgrade”.stringNo upgrade- Attribute groups:
- Element groups:
py:genshiElements
- group py:genshiElements¶
- Most Genshi templating directives can be used either as standalone elements or as attributes on existing elements. This element group defines the standalone tags.
- Elements:
- element py:with¶
-
- Attributes:
Name Description Values Required Default py:varsA semicolon-delimited list of variables to define and their values.stringYes None - Text content:
- Any
Any arbitrary child elements allowed
- element py:replace¶
-
- Attributes:
Name Description Values Required Default py:valueThe value to replace the contents with.stringYes None - Text content:
- Any
Any arbitrary child elements allowed
- element py:choose¶
-
- Attributes:
Name Description Values Required Default py:testIftestis set, the childpy:whendirectives are tested for equality to the value of the expression.stringNo None - Child elements:
- element py:when¶
The
whendirective is used insidepy:chooseTypeorchooseto handle a single specific condition.- Attributes:
Name Description Values Required Default py:testThe statement giving the value to teststringYes None - Text content:
Any
Any arbitrary child elements allowed
- element py:otherwise¶
-
- Text content:
Any
Any arbitrary child elements allowed
- Text content:
- Any
- element py:for¶
-
- Attributes:
Name Description Values Required Default py:eachThe loop iteratorstringYes None - Text content:
- Any
Any arbitrary child elements allowed
- element py:if¶
-
- Attributes:
Name Description Values Required Default py:testThe statement giving the value to teststringYes None - Text content:
- Any
Any arbitrary child elements allowed
- element py:match¶
-
- Attributes:
Name Description Values Required Default py:pathXPath expression to search for in the template.stringYes None py:bufferWhether the matched content should be buffered in memory. Buffering can improve performance a bit at the cost of needing more memory during rendering. Buffering is required for match templates that contain more than one invocation of theselect()function. If there is only one call, and the matched content can potentially be very long, consider disabling buffering to avoid excessive memory use.true|falseNo truepy:onceWhether the engine should stop looking for more matching elements after the first match. Use this on match templates that match elements that can only occur once in the stream, such as the <head> or <body> elements in an HTML template, or elements with a specific ID.true|falseNo falsepy:recursiveWhether the match template should be applied to its own output. Note that once implies non-recursive behavior, so this attribute only needs to be set for match templates that don’t also have once set.true|falseNo true- Text content:
- Any
Any arbitrary child elements allowed
Action Tag¶
- complexType ActionType¶
- Action entries are external shell commands that are executed either before bundle installation, after bundle installation or both.
- Attributes:
Name Description Values Required Default commandThe command to run.stringYes None nameThe freeform name of the action.stringYes None buildAlso execute the action in build mode.true|falseNo trueshellWhether the command string should be executeed within a shell. If enabled flow control and other shell-specific things can be used.true|falseNo None statusWhether or not to check the return code of the action. If this is “check”, then a non-zero return code will result in the entry being flagged as bad.ignore|checkNo None timingWhen the action is run. Actions with “pre” timing are run after important entries have been installed and before bundle entries are installed. Actions with “post” timing are run after bundle entries are installed.both|pre|postNo None whenIf the action is always run, or is only run when a bundle has been modified.modified|alwaysNo None - Attribute groups:
See also Actions.
Service Tag¶
- complexType ServiceType¶
- Concrete description of a service entry. Note that, due to the great proliferation of init systems, many of the attributes listed only apply to one or a few client tools.
- Attributes:
Name Description Values Required Default nameThe name of the service.stringYes None FMRIThe resource identifier for SMF services.stringNo None bootstatusWhether the service should start at boot. The default value corresponds to the value of the status attribute.on|offNo offinstallWhether or not to install the service initially. (New in 1.3; replaces “mode” attribute.)true|falseNo trueparametersParameters to pass to the service. Only meaningful for Upstart services.stringNo None restartWhether or not to restart the service when the bundle is modified. (New in 1.3; replaces “mode” attribute.)true|false|interactiveNo truesequenceOrder for service startup. Only meaningful for DebInit services.stringNo None statusWhether the service should be on or off when the bcfg2 client is run. This attribute may have different behavior depending on the characteristics of the client tool. If set to “ignore”, then the status of the service will not be checked.on|off|ignoreNo offtargetCommand to pass to the service management system when restarting a service.stringNo restarttypeDriver to use on the client to manage this service.chkconfig|deb|rc-update|smf|upstart|systemd|launchd|freebsdNo None - Attribute groups:
Service mode specification¶
New in version 1.3.0.
In the 1.3.0 release, the “mode” attribute has been replaced by a pair
of attributes, restart and
install, which control how a service is
handled more granularly than the old “mode” attribute. The old “mode”
attribute values are equivalent as follows:
| Mode attribute | Equivalent |
|---|---|
mode="default" |
restart="true" install="true" |
mode="interactive_only" |
restart="interactive" install="true" |
mode="supervised" |
restart="true" install="true" |
mode="manual" |
restart="false" install="false" |
The default is restart="true" install="true"
Previously, “supervised” could be used to start a service during the verification phase; this is no longer supported. Services that have been stopped on a client will be started during the install phase.
Path Tag¶
The Path tag has different values depending on the type attribute of the path specified in your configuration. Below is a set of tables which describe the attributes available for various Path types.
Note that secontext below expects a full context, not just the
type. For instance, “system_u:object_r:etc_t:s0”, not just
etc_t. You can also specify “__default__”, which will restore
the context of the file to the default set by policy. If a file has
no default context rule, and you don’t wish to set one, you can
specify secontext='' (i.e., an empty secontext), in which case
the client will not try to manage the SELinux context of the file at
all.
See SELinux for more information.
Attributes common to all Path tags:
- Attributes:
Name Description Values Required Default nameFull path.stringYes None typeType of path to manage.augeas|device|directory|file|hardlink|ignore|nonexistent|permissions|symlink|vcsNo None
augeas¶
Run Augeas commands. See Augeas for more details.
- Attributes:
Name Description Values Required Default groupGroup name or GID numberstringYes None modePermissions mode in octal format.nonNegativeIntegerYes None ownerOwner username or UID numberstringYes None lensThe Augeas lens to use when editing files in a non-standard (according to Augeas) location.tokenNo None secontextSELinux context for the path. This should be a full context, not just the type. E.g.,system_u:object_r:etc_t:s0, not justetc_t. You can also specify__default__, which will restore the context of the file to the default set by policy. See SELinux for more information.stringNo __default__
device¶
Manage devices.
- Attributes:
Name Description Values Required Default dev_typeType of device.block|char|fifoYes None groupGroup name or GID numberstringYes None modePermissions mode in octal format.nonNegativeIntegerYes None ownerOwner username or UID numberstringYes None majorMajor device number (blockandchardevices only).nonNegativeIntegerNo None minorMinor device number (blockandchardevices only).nonNegativeIntegerNo None secontextSELinux context for the path. This should be a full context, not just the type. E.g.,system_u:object_r:etc_t:s0, not justetc_t. You can also specify__default__, which will restore the context of the file to the default set by policy. See SELinux for more information.stringNo __default__
directory¶
Entry represents a directory. prune can be
set to remove all contents from the directory that are not explicitly
specified in Bcfg2.
- Attributes:
Name Description Values Required Default groupGroup name or GID numberstringYes None modePermissions mode in octal format.nonNegativeIntegerYes None ownerOwner username or UID numberstringYes None pruneRemove entries that are not in the Bcfg2 specification from the directory.true|falseNo None secontextSELinux context for the path. This should be a full context, not just the type. E.g.,system_u:object_r:etc_t:s0, not justetc_t. You can also specify__default__, which will restore the context of the file to the default set by policy. See SELinux for more information.stringNo __default__
file¶
Distribute an file with content explicitly specified in-line (i.e., as
opposed to using Cfg for this file).
If the file has no content, empty must be
set to true.
- Attributes:
Name Description Values Required Default groupGroup name or GID numberstringYes None modePermissions mode in octal format.nonNegativeIntegerYes None ownerOwner username or UID numberstringYes None emptyThe file entry has no content. This must be set as a safeguard against accidentally empty content.true|falseNo None secontextSELinux context for the path. This should be a full context, not just the type. E.g.,system_u:object_r:etc_t:s0, not justetc_t. You can also specify__default__, which will restore the context of the file to the default set by policy. See SELinux for more information.stringNo __default__- Text content:
- Any
hardlink¶
Manage a hard link.
- Attributes:
Name Description Values Required Default groupGroup name or GID numberstringYes None modePermissions mode in octal format.nonNegativeIntegerYes None ownerOwner username or UID numberstringYes None toFile to link tostringYes None secontextSELinux context for the path. This should be a full context, not just the type. E.g.,system_u:object_r:etc_t:s0, not justetc_t. You can also specify__default__, which will restore the context of the file to the default set by policy. See SELinux for more information.stringNo __default__
ignore¶
ignore lets you flag files that are distributed by system software
packages, but have been modified locally, to be ignored by package
verification routines. This is useful for, e.g., a package that
installs an initial version of a file and then modifies it
automatically.
- Attributes:
Name Description Values Required Default nameFull path.stringYes None
nonexistent¶
Remove the specified file or directory. If
recursive is set, remove the directory
recursively (i.e., rm -rf).
- Attributes:
Name Description Values Required Default recursiveRecursively remove files or set permissions, as appropriate.true|falseNo None
permissions¶
Merely set permissions on the specified path, which is presumed to already exist.
- Attributes:
Name Description Values Required Default groupGroup name or GID numberstringYes None modePermissions mode in octal format.nonNegativeIntegerYes None ownerOwner username or UID numberstringYes None recursiveRecursively remove files or set permissions, as appropriate.true|falseNo None secontextSELinux context for the path. This should be a full context, not just the type. E.g.,system_u:object_r:etc_t:s0, not justetc_t. You can also specify__default__, which will restore the context of the file to the default set by policy. See SELinux for more information.stringNo __default__
symlink¶
Manage symlinks.
- Attributes:
Name Description Values Required Default toFile to link tostringYes None
vcs¶
Check out the specified VCS repository to the given path.
ACLs¶
New in version 1.3.0.
ACLs on a Path entry are specified not by attributes on the tag but by
child <ACL> tags. For instance:
<Path name="/etc/foo" type="directory" owner="root" group="root"
mode="0775">
<ACL type="default" scope="user" user="foouser" perms="rw"/>
<ACL type="default" scope="group" group="users" perms="rx"/>
<ACL type="default" scope="other" perms="r"/>
</Path>
- element ACL¶
-
- Attributes:
Name Description Values Required Default permsPermissions for the ACL. This can either be a single octal digit (e.g.,
6would indicate read and write, but not execute), or a symbolic mode including ‘r’, ‘w’, and ‘x’. You can include ‘-‘ for operations that are not permitted, but it’s not required. I.e., all of the following are identical:perms="5" perms="rx" perms="r-x"
stringYes None typeACL typedefault|accessYes None groupGroup the ACL applies to (withscope=group).stringNo None scopeACL scope. This is omitted fortype=default.user|group|otherNo None userUser the ACL applies to (withscope=user).stringNo None - Attribute groups:
It is not currently possible to manually set an effective rights mask; the mask will be automatically calculated from the given ACLs when they are applied.
For directories either no default ACL entries or at least an entry for the owner, owning group and other must be defined.
Note that it is possible to set ACLs that demand different permissions
on a file than those specified in the perms attribute on the
Path tag. For instance:
<Path name="/etc/foo" mode="0644" group="root" owner="root">
<ACL type="access" scope="user" user="foouser" perms="rwx"/>
</Path>
In this case, we’ve specified permissions of 0644, but the
effective rights mask will be “rwx,” so setting the ACL will change
the permissions to 0674. When this happens, Bcfg2 will change the
permissions and set the ACLs on every run and the entry will be
eternally marked as bad.
SELinux Entries¶
New in version 1.3.0.
Note
In order to use these entries, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.
Below is a set of tables which describe the attributes available
for various SELinux types. The entry types (except for module)
correspond to semanage subcommands.
Note that the selinuxtype attribute takes only an SELinux type,
not a full context; e.g., “etc_t”, not
“system_u:object_r:etc_t:s0”.
As it can be very tedious to create a baseline of all existing SELinux
entries, you can use selinux_baseline.py located in the tools/
directory to do that for you.
See SELinux for more information.
SEBoolean Tag¶
SEPort Tag¶
- complexType SEPortType¶
- Concrete SELinux port entry
SEFcontext Tag¶
- complexType SEFcontextType¶
- Concrete SELinux file context (“fcontext”) entry
- Attributes:
Name Description Values Required Default nameRegular expression file specificationstringYes None selinuxtypeSELinux type to apply to files matching this specificationtokenYes None filetypeFile type to matchall|regular|directory|symlink|pipe|socket|block|charNo allmlsrangeSELinux MLS range to apply to files matching this specificationtokenNo None - Attribute groups:
SENode Tag¶
- complexType SENodeType¶
- Concrete SELinux node entry
- Attributes:
Name Description Values Required Default nameIP address and netmask of node<addr>/<netmask>. Netmask can be numeric (/16) or dotted-quad (/255.255.0.0).Yes None selinuxtypeSELinux type to apply to this nodetokenYes None mlsrangeSELinux MLS range to apply to this nodetokenNo None protoProtocolipv4|ipv6No None - Attribute groups:
SELogin Tag¶
SEUser Tag¶
- complexType SEUserType¶
- Concrete SELinux user entry
SEInterface Tag¶
- complexType SEInterfaceType¶
- Concrete SELinux interface entry
SEPermissive Tag¶
POSIXUser Tag¶
New in version 1.3.0.
Note
In order to use this, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.
- complexType POSIXUserType¶
- The POSIXUser tag allows you to create users on client machines.
- Attributes:
Name Description Values Required Default nameUsernametokenYes None gecosThis field is typically used to record general informationstringNo None groupName of the user’s primary group. If this is not set, the user’s primary group will be the same as the username.tokenNo None homeUser’s home directory. Default is/rootfor the root user,/home/<username>otherwise.stringNo None shellUser’s shellstringNo /bin/bashuidUser ID number. If this is not specified, each client is allowed to set the UID.integerNo None - Attribute groups:
- Child elements:
For example:
<POSIXUser name="daemon" home="/sbin" shell="/sbin/nologin"
gecos="daemon" uid="2" group="daemon">
<MemberOf group="lp"/>
<MemberOf group="adm"/>
<MemberOf group="bin/>
</POSIXUser>
The group specified will automatically be created if it does not
exist, even if there is no POSIXGroup tag
for it. If you need to specify a particular GID for the group, you
must specify that in a POSIXGroup tag.
If you with to change the default shell, you can do so with the Defaults plugin.
See POSIXUsers for more information on managing users and groups.
POSIXGroup Tag¶
New in version 1.3.0.
Note
In order to use this, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.
- complexType POSIXGroupType¶
- The POSIXGroup tag allows you to create groups on client machines.
See POSIXUsers for more information on managing users and groups.
Rules Directory¶
The Rules/ directory keeps the XML files that define what rules are available for a host. All the files in the directory are processed.
The names of the XML files have no special meaning to Bcfg2; they are simply named so it’s easy for the administrator to know what the contents hold. All Rules could be kept in a single file if so desired. Bcfg2 simply uses the Groups in the files and priorities to determine how to assign Rules to a host’s literal configuration.
<Rules priority="0">
<Path type='directory' group="root" name="/autonfs" owner="root" mode="0755"/>
<Path type='directory' group="utmp" name="/var/run/screen" owner="root" mode="0775"/>
<Path type='directory' group="root" name="/autonfs/stage" owner="root" mode="0755"/>
<Path type='directory' group="root" name="/exports" owner="root" mode="0755"/>
<Path type='directory' name="/etc/condor" owner="root" group="root" mode="0755"/>
<Path type='directory' name="/logs" group="wwwtrans" owner="root" mode="0775"/>
<Path type='directory' name="/mnt" group="root" owner="root" mode="0755"/>
<Path type='directory' name="/my" owner="root" group="root" mode="0755"/>
<Path type='directory' name="/my/bin" owner="root" group="root" mode="0755"/>
<Path type='directory' name="/nfs" owner="root" group="root" mode="0755"/>
<Path type='directory' name="/sandbox" mode="0777" owner="root" group="root"/>
<Path type='directory' name="/software" group="root" owner="root" mode="0755"/>
<Path type='permissions' mode="0555" group="audio" owner="root" name="/dev/dsp"/>
<Path type='permissions' mode="0555" group="audio" owner="root" name="/dev/mixer"/>
<Path type='symlink' name="/bin/whatami" to="/mcs/adm/bin/whatami"/>
<Path type='symlink' name="/chibahomes" to="/nfs/chiba-homefarm"/>
<Path type='symlink' name="/home" to="/nfs/mcs-homefarm"/>
<Path type='symlink' name="/homes" to="/home"/>
<Path type='symlink' name="/mcs" to="/nfs/mcs"/>
<Path type='symlink' name="/my/bin/bash" to="/bin/bash"/>
<Path type='symlink' name="/my/bin/tcsh" to="/bin/tcsh"/>
<Path type='symlink' name="/my/bin/zsh" to="/bin/zsh"/>
<Path type='symlink' name="/software/common" to="/nfs/software-common"/>
<Path type='symlink' name="/software/linux" to="/nfs/software-linux"/>
<Path type='symlink' name="/software/linux-debian_sarge" to="/nfs/linux-debian_sarge"/>
<Path type='symlink' name="/usr/bin/passwd" to="/usr/bin/yppasswd"/>
<Path type='symlink' name="/usr/bin/yppasswd" to="/mcs/bin/passwd"/>
<Path type='symlink' name="/usr/lib/libgd.so.1.8" to="/usr/lib/libgd.so.1.8.4"/>
<Path type='symlink' name="/usr/lib/libtermcap.so.2" to="/usr/lib/libtermcap.so"/>
<Path type='symlink' name="/usr/local/bin/perl" to="/usr/bin/perl"/>
<Path type='symlink' name="/usr/local/bin/perl5" to="/usr/bin/perl"/>
<Path type='symlink' name="/usr/local/bin/tcsh" to="/bin/tcsh"/>
<Service name='ntpd' status='on' type='chkconfig'/>
<Service name='haldaemon' status='on' type='chkconfig'/>
<Service name='messagebus' status='on' type='chkconfig'/>
<Service name='netfs' status='on' type='chkconfig'/>
<Service name='network' status='on' type='chkconfig'/>
<Service name='rawdevices' status='on' type='chkconfig'/>
<Service name='sshd' status='on' type='chkconfig'/>
<Service name='syslog' status='on' type='chkconfig'/>
<Service name='vmware-tools' status='on' type='chkconfig'/>
</Rules>
Using Regular Expressions in Rules¶
If you wish, you can configure the Rules plugin to support regular
expressions. This entails a small performance and memory usage
penalty. To do so, add the following setting to bcfg2.conf:
[rules]
regex = yes
With regular expressions enabled, you can use a regex in the name
attribute to match multiple abstract configuration entries.
Regular expressions are anchored at both ends, so <Service
name="bcfg2".../> will not match a Service named bcfg2-server;
you’d have to explicitly specify <Service name="bcfg2.*".../>.
Note that only one Rule can apply to any abstract entry, so you cannot specify multiple regexes to match the same rule.