CFEngine is designed to be comprehensive and to let you model nearly any aspect of system configuration. There are tens of promise types and hundreds of unique promise attributes to enable modeling the desired configuration. The purpose of this Appendix is to facilitate learning and to serve as reference.
To make this sea of options navigable, this Appendix lists the promise types and attributes affecting the agent (the part of CFEngine that actually makes changes to your system) in a short format (name and synopsis only).
For full details, please consult the Promise Types and Attributes section of the CFEngine documentation.
Don’t let the complexity of hundreds of promise attributes scare you: CFEngine 3 is designed to address the challenges of Knowledge Management, including complexity, and allows you to summarize and abstract the underlying details, to the extent of writing Webserver("on") to configure a web server.
But if you need to configure your web server in a special way, the details below will enable you to do so. Have fun getting under the hood of your system configuration and getting greasy to the elbows!
- Scope of the class set by this promise (namespace or bundle)
- Combine class sources with AND
- Generate a probabilistic class distribution (from strategies in CFEngine 2)
- Evaluate a string expression of classes in normal form
- Combine class sources with inclusive OR
- Make the class persistent (cached) to avoid re-evaluation; time in minutes
- Evaluate the negation of a string expression in normal form
- Select one of the named list of classes to define, based on host identity
- Combine class sources with XOR
- If this regular expression matches the current value of the variable, replace it with the default
- A scalar string
- A list of scalar strings
- A list of scalar strings
- Regular expression to keep selected hosts from the friends report list
- Real number threshold [0,1] of intermittency about current peers; report above it
- Integer time threshold in hours since current peers were last seen; report absence
- Path name of the file that is to be sent to standard output
- Integer maximum number of lines to print from the selected file
- The path and filename to which output should be appended
- The promiser is to be interpreted as a value that the caller can accept as a result for this bundle; in other words, a return value with the array index defined by this attribute
- List of services whose status should be reported to standard output
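The following policy is an added illustration of the classes, defaults and reports attributes listed above; it is not taken from the book or from the CFEngine distribution. The bundle names, the report file path, the role class webserver and the two canary classes are constructed for the example; policy_server is the class CFEngine sets on the hub, and fileexists() is a built-in function that returns a class.

```cfengine3
bundle agent site
{
  methods:
    # an empty argument lets the defaults: section of the callee fill it in
    "audit" usebundle => classify_and_report("");
}

bundle agent classify_and_report(level)
{
  defaults:
    # if the parameter matches the regex (here: the empty string) use "baseline"
    "level" string => "baseline", if_match_regex => "";

  classes:
    # evaluate a class expression; fileexists() yields a class
    "have_shadow"  expression => fileexists("/etc/shadow");

    # inclusive OR of two role classes
    "exposed_host" or => { "policy_server", "webserver" };

    # persistent class: once "Monday" is seen it stays defined for 1440 minutes
    "audit_due"    expression  => "Monday",
                   persistence => "1440";

    # define exactly one of the listed classes, chosen by host identity
    "canary"       select_class => { "canary_a", "canary_b" };

  reports:
    exposed_host::
      "$(sys.fqhost) has an exposed role; audit level $(level)"
        report_to_file => "/var/cfengine/reports/exposed.txt";

    !have_shadow::
      "WARNING: /etc/shadow is missing on $(sys.fqhost)";

    audit_due.canary_a::
      "First lines of the login banner:"
        printfile => head("/etc/issue", "5");
}

body printfile head(file, lines)
{
  file_to_print   => "$(file)";
  number_of_lines => "$(lines)";
}
```

Output of reports promises ends up wherever cf-agent output goes (cf-execd mail, log files), so printfile should only ever be pointed at files whose contents you are happy to see copied there; a banner file is fine, /etc/shadow or a private key is not.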
- Whether to repair, or only report on, non-kept promises
- True/false switch for detailed audit records of this promise
- True/false switch for parallelizing the promise repair
- Number of minutes before a repair action is interrupted and retried
- Number of minutes before the next allowed assessment of the promise
- A message to be written to the log when a promise verification leads to a repair
- The reporting level sent to syslog
- Filename of a file to which log_string will be saved (one attribute each for the kept, repaired and failed outcomes); if undefined, the message goes to the system logger
- The priority level of the log message, as interpreted by a syslog server
- If set, performance will be measured and recorded under this identifier
- The reporting level for standard output for this promise
- A real number value attributed to keeping this promise
- A real number value attributed to repairing this promise
- A real number value (possibly negative) attributed to not keeping this promise
- Scope of the class set by this promise (namespace or bundle)
- A list of classes to be defined globally (one attribute each for the outcomes: promise kept, promise repaired, repair failed, repair denied, repair timed out)
- A list of classes to be cancelled if the promise is kept
- A list of classes to be cancelled if the promise is repaired
- A list of classes to be cancelled if the promise is not kept for any reason
- A list of return codes indicating a kept command-related promise
- A list of return codes indicating a repaired command-related promise
- A list of return codes indicating a failed command-related promise
- A number of minutes the specified classes should remain active
- Whether a persistent class restarts its counter when rediscovered
- A comment about this promise’s real intention that follows through the program
- A list of promise handles that this promise builds on or depends on (for knowledge management)
- A unique id-tag string for referring to this promise as a promisee elsewhere
- Extended classes ANDed with the context
- Promise metadata, e.g. author, revision date, version
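As an added example (not from the book or the CFEngine project) of the common attributes above, the policy below attaches an action body, a classes body, a handle and a comment to a single files promise. The bundle and body names and the class prefix are constructed; the file path is the usual location of the OpenSSH server configuration.

```cfengine3
bundle agent sshd_config_perms
{
  files:
    "/etc/ssh/sshd_config"
      handle  => "sshd_config_perms_file",
      comment => "sshd_config must be readable by root only",
      perms   => root_only,
      action  => fix_and_log("sshd_config permissions repaired"),
      classes => outcome_classes("sshd_config_perms");

  reports:
    sshd_config_perms_repaired::
      "Fixed permissions on /etc/ssh/sshd_config on $(sys.fqhost)";
    sshd_config_perms_failed::
      "Could NOT fix permissions on /etc/ssh/sshd_config on $(sys.fqhost)";
}

body perms root_only
{
  mode   => "0600";
  owners => { "root" };
  groups => { "root" };
}

body action fix_and_log(msg)
{
  action_policy => "fix";        # "warn" would only report the drift
  log_string    => "$(msg)";
  log_level     => "inform";
  log_priority  => "warning";    # syslog priority of the log message
  ifelapsed     => "60";         # do not re-check more than once an hour
  expireafter   => "5";          # interrupt a stuck repair after 5 minutes
  audit         => "false";
}

body classes outcome_classes(prefix)
{
  promise_kept     => { "$(prefix)_kept" };
  promise_repaired => { "$(prefix)_repaired" };
  repair_failed    => { "$(prefix)_failed" };
  repair_denied    => { "$(prefix)_failed" };
  repair_timeout   => { "$(prefix)_failed" };
  persist_time     => "10";      # keep the outcome classes for 10 minutes
  timer_policy     => "reset";   # restart the timer when the outcome recurs
}
```

Because the outcome classes persist for ten minutes, a later bundle or a cf-execd run can still react to the repair; mapping denied and timed-out repairs onto the same _failed class keeps the reporting simple without hiding the failure.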
- Alternative string of arguments for the command (concatenated with the promiser string)
- true/false: embed the command in a shell environment
- The umask value for the child process
- The user name or id under which to run the process
- The group name or id under which to run the process
- Timeout in seconds for command completion
- Directory to set as the current/base directory for the process
- Directory of the root sandbox (chroot) for the process
- true/false: preview the command when running in dry-run mode (with -n)
- true/false: discard all output from the command
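An added example (mine, not the book’s or the project’s) of a commands promise with a contain body built from the attributes above. The script path and its arguments are assumptions, as is the convention that it exits 1 when it rotated something; the point is that the child runs without a shell, as an unprivileged user, with a restrictive umask and a timeout.

```cfengine3
bundle agent rotate_app_logs
{
  commands:
    # assumed local script; the promiser is the executable, args are appended
    "/usr/local/bin/rotate-logs"
      args    => "--dir /var/log/app --keep 7",
      contain => least_privilege("app", "app", "/var/log/app"),
      classes => exit_codes("rotate_logs");

  reports:
    rotate_logs_failed::
      "rotate-logs exited with a failure code on $(sys.fqhost)";
}

body contain least_privilege(user, group, dir)
{
  # no shell: the argument string is not re-parsed, so shell metacharacters
  # that end up in args cannot inject extra commands
  useshell     => "false";
  exec_owner   => "$(user)";
  exec_group   => "$(group)";
  umask        => "077";    # files created by the child are private to $(user)
  chdir        => "$(dir)";
  exec_timeout => "120";    # kill the child after two minutes
  no_output    => "false";
  preview      => "false";  # keep false: the command must not run during a -n dry run
}

body classes exit_codes(prefix)
{
  kept_returncodes     => { "0" };        # nothing to rotate
  repaired_returncodes => { "1" };        # rotated something (constructed convention)
  failed_returncodes   => { "2", "3" };   # errors defined by the script
  repair_failed        => { "$(prefix)_failed" };
}
```

Only use useshell => "true" when the command genuinely needs shell features (pipes, globbing), and then never build the argument string from data the agent read off the managed host.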
- User name for the database connection
- Clear-text password for the database connection
- Hostname or address for the database connection; blank means localhost
- The dialect of the database server
- The name of an existing database to connect to in order to create/manage other databases
- The type of database that is to be manipulated
- The nature of the promise: to be or not to be
- A list of column definitions to be promised by SQL databases
- An ordered list of row values to be promised by SQL databases
- A list of regular expressions to ignore in key/value verification
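An added example (not from the book or CFEngine itself) of a databases promise with a database_server body. The database, table, column definitions and the password file path are constructed. Because the password attribute is clear text, the example reads it from a root-owned file with readfile() instead of embedding it in the policy, which is distributed to every host that can fetch it.

```cfengine3
bundle agent app_database
{
  vars:
    # assumed: a root-owned, mode 0600 file holding only the password,
    # with no trailing newline (readfile returns the content verbatim)
    "dbpass" string => readfile("/etc/cfengine/app_db_password", 256);

  databases:
    # promiser "database/table": the users table in appdb must exist with these columns
    "appdb/users"
      database_operation => "create",
      database_type      => "sql",
      database_columns   => { "uid,int,11", "name,varchar,64" },
      database_server    => mysql_on_localhost("cfengine", "$(dbpass)");
}

body database_server mysql_on_localhost(user, pass)
{
  db_server_owner         => "$(user)";
  db_server_password      => "$(pass)";
  db_server_host          => "";        # blank means localhost
  db_server_type          => "mysql";
  db_server_connection_db => "mysql";   # existing db used to create/manage others
}
```

The database account used here should have no more rights than the promise needs (creating and altering the managed tables); it should not be the server’s administrative account.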
- A class indicating which physical node will execute this guest machine
- The IP addresses of the environment’s network interfaces
- The hostname of the virtual environment
- The hostname of the virtual network
- Number of virtual CPUs in the environment
- Amount of primary storage (RAM) in the virtual environment (KB)
- Amount of secondary storage (disk) in the virtual environment (MB)
- The path to an image with which to baseline the virtual environment
- A string containing a technology-specific set of promises for the virtual instance
- The desired dynamical state of the specified environment
- Virtual environment type
- Native settings for access control entries
- Access control list type for the affected file system
- The default access control list for the affected file system (acl_default)
- Editing method for the access control list
- Access control list type for the affected file system
- Native settings for access control entries
- Native settings for default access control entries (specify_default_aces)
- Controls inheritance behaviour on Windows
- Hash files for change detection
- Specify criteria for change warnings
- Update hash values immediately after a change warning
- Generate reports summarizing the major differences between individual text files
- Reference source file from which to copy
- List of servers, in order of preference, from which to copy
- true/false: place files from subdirectories into the root destination directory during copy
- Menu option policy for comparing source and image file attributes
- Menu option policy for file backup/version control
- true/false: use an encrypted data stream to connect to the remote host
- true/false: check permissions on the root directory when using depth_search
- List of patterns matching files that should be copied instead of linked
- Integer range of file sizes that may be copied
- Menu option for default finder type on Mac OS X
- List of patterns matching files that should be replaced with symbolic links
- Menu option for the type of links to use when copying
- true/false: force copy update always
- force_ipv4: true/false: force use of IPv4 on an IPv6-enabled network
- Port number to connect to on the server host
- true/false: whether to preserve file permissions on the copied file
- true/false: purge files on the client that do not match files on the server when a depth_search is used
- true/false: whether to preserve time stamps on the copied file
- Connection timeout, in seconds
- true/false: trust public keys from the remote server if previously unknown
- true/false: compare file types before copying and require a match
- true/false: verify the transferred file by hashing after copy (resource penalty)
- true/false: whether to create a non-existing file
- Menu option policy for dealing with symbolic links to directories during deletion
- true/false: whether to delete empty directories during recursive deletion
- Maximum depth level for the search
- List of regexes of directory names NOT to include in the depth search
- true/false: include the start/root directory in the search results
- List of regexes of directory names to include in the depth search
- true/false: remove links that point to nowhere
- true/false: traverse symbolic links to directories
- true/false: exclude directories that are on different devices
- Menu option for backup policy on edit changes
- Baseline memory model of the file to zero/empty before commencing the promised edits
- If true, the sub-bundle inherits the private classes of its parent
- Do not edit files bigger than this number of bytes
- Join together lines that end with a backslash, up to a 4kB limit
- How many backups to store if the rotate edit_backup strategy is selected; defaults to 1
- Specifies the name of an edit_line bundle
- The name of a special CFEngine template file to expand
- Specifies the name of an edit_xml bundle
- List of regexes that match an acceptable name
- List of pathnames to match an acceptable target
- A list of mode masks for acceptable file permissions
- Integer range of file sizes
- List of acceptable user names or ids for the file, or regexes to match
- List of acceptable group names or ids for the file, or regexes to match
- String of BSD file system flags expected to be set
- Range of change times (ctime) for acceptable files
- Range of modification times (mtime) for acceptable files
- Range of access times (atime) for acceptable files
- Matches the file if this regular expression matches any full line returned by the command
- Execute this command on each file and match if the exit status is zero
- List of acceptable file types from menu choices
- List of regular expressions to match file objects
- Logical expression combining classes defined by the file search criteria
- A set of patterns that should be copied and synchronized instead of linked
- true/false: whether to link all of the directory’s children to source originals
- The type of link used to alias the file
- The source file to which the link should point
- Policy for overriding existing files when linking directories of children
- Behaviour when the source file to link to does not exist
- true/false: whether to move obstructions to file-object creation
- Menu option for interpreting the promiser file object
- List of menu options for BSD file system flags to set
- List of acceptable groups or group ids; the first is the change target
- File permissions (like POSIX chmod)
- List of acceptable owners or user ids; the first is the change target
- true/false: add the execute flag for directories if the read flag is set
- true/false: automatically rename and remove permissions
- The permissions to set when a file is disabled
- The suffix to add to files when disabling (.cfdisabled)
- The desired name for the current file
- Maximum number of file rotations to keep
- Name of a repository for versioning
- true/false: whether to touch time stamps on the file
- Command (with full path) used to transform the current file (no shell wrapper used)
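The policy below is an added example (not from the book or the CFEngine project) that ties together the copy_from, depth_search, file_select, perms and changes attributes listed above. The source directory on the hub, the bundle and body names and the class names are constructed; $(sys.policy_hub) is the CFEngine variable holding the hub’s address, and checksum_alert is the class cf-agent raises when a monitored hash changes.

```cfengine3
bundle agent sync_sudoers_d
{
  files:
    # pull the directory from the hub, enforce owner/mode, purge local strays
    "/etc/sudoers.d/."
      copy_from    => hub_cp("/srv/cfengine/dist/sudoers.d", "$(sys.policy_hub)"),
      depth_search => recurse_local("1"),
      file_select  => plain_files,
      perms        => mog("0440", "root", "root"),
      classes      => if_repaired("sudoers_d_changed");

    # tripwire-style: record a sha256 of the main sudoers file and report changes
    "/etc/sudoers"
      changes => detect_content_change;

  reports:
    sudoers_d_changed::
      "sudoers.d was brought back in line with the hub on $(sys.fqhost)";
    checksum_alert::
      "WARNING: a hashed file changed outside of policy on $(sys.fqhost)";
}

body copy_from hub_cp(from, server)
{
  source      => "$(from)";
  servers     => { "$(server)" };
  compare     => "digest";     # compare by hash, not by mtime
  encrypt     => "true";       # encrypted data stream to the server
  trustkey    => "false";      # never auto-trust a previously unknown server key
  verify      => "true";       # re-hash the file after transfer
  preserve    => "false";      # we set our own perms below
  purge       => "true";       # delete local files absent on the server
  type_check  => "true";
  portnumber  => "5308";
  timeout     => "30";
  copy_backup => "timestamp";
}

body depth_search recurse_local(d)
{
  depth           => "$(d)";
  traverse_links  => "false";  # do not follow symlinks into other trees
  xdev            => "true";   # stay on this device
  include_basedir => "false";
}

body file_select plain_files
{
  file_types  => { "plain" };
  file_result => "file_types";
}

body perms mog(mode, user, group)
{
  mode   => "$(mode)";
  owners => { "$(user)" };
  groups => { "$(group)" };
}

body changes detect_content_change
{
  hash           => "sha256";
  report_changes => "all";     # report both content and attribute changes
  update_hashes  => "yes";     # accept the new baseline once reported
}

body classes if_repaired(x)
{
  promise_repaired => { "$(x)" };
}
```

trustkey => "false" means the hub’s key must already be in the client’s key store (from bootstrap); a copy that fails because of an unknown key is the desired outcome, not something to paper over with trustkey => "true" in production policy. With update_hashes => "yes" the first report of a change also becomes the new baseline, so the reports promise above is the only record of it; set it to "no" if you want the alert repeated until an operator updates the hash.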
- Restrict the edit_line promise to a specific region of the file
- Whether to include the start delimiter of the section
- Whether to include the end delimiter of the section
- Regular expression matching the start of the edit region
- Regular expression matching the end of the edit region, searched from the start
- Delete the line if it starts with a string in the list
- Delete the line if it does NOT start with a string in the list
- Delete the line if it fully matches a regex in the list
- Delete the line if it does NOT fully match a regex in the list
- Delete the line if a regex in the list matches a line fragment
- Delete the line if a regex in the list does NOT match a line fragment
- true/false: negate the match criterion
- Expand any unexpanded variables
- Type of object the promiser string refers to
- Insert the line if it starts with a string in the list
- Insert the line if it does NOT start with a string in the list
- Insert the line if it fully matches a regex in the list
- Insert the line if it does NOT fully match a regex in the list
- Insert the line if a regex in the list matches a line fragment
- Insert the line if a regex in the list does NOT match a line fragment
- Menu option: point the cursor before or after the matched line
- Menu option: choose the first or last occurrence of the match in the file
- Regular expression for matching the file line location
- Criteria for matching and recognizing existing lines
- true/false: allow blank fields in a line (do not purge them)
- true/false: add new fields at the end of the line if necessary to complete the edit
- Menu option policy for editing subfields
- The regular expression used to separate fields in a line
- Set the field value to a fixed value
- Integer index of the field to edit (fields are numbered from 1 by default)
- If set, field numbering starts from 0
- Character separator for subfields inside the selected field
- Menu option: replace all occurrences or just the first (NB: the latter is non-convergent)
- Value used to replace regular expression matches in the search
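The following added example (not part of the original appendix or the CFEngine distribution) exercises the edit_defaults, delete_select, insert_lines, replace_with and edit_field attributes above on two files. The sshd settings chosen, the wheel member name and the bundle and body names are constructed for the illustration; the edit_field body follows the shape CFEngine’s standard library uses.

```cfengine3
bundle agent harden_sshd_and_wheel
{
  files:
    "/etc/ssh/sshd_config"
      edit_line     => sshd_settings,
      edit_defaults => backup_and_cap("200000");

    "/etc/group"
      edit_line     => wheel_members("alice"),
      edit_defaults => backup_and_cap("200000");
}

bundle edit_line sshd_settings
{
  vars:
    "wanted" slist => { "PermitRootLogin no",
                        "PasswordAuthentication no",
                        "X11Forwarding no" };

  delete_lines:
    # remove any setting of a managed key whose full line is not in the wanted list;
    # the wanted lines survive, so delete + insert converges in one pass
    "^\s*(PermitRootLogin|PasswordAuthentication|X11Forwarding)\s+.*$"
      delete_select => lines_not_in(@(wanted));

  insert_lines:
    # idempotent: each wanted line is appended only if absent
    "$(wanted)";

  replace_patterns:
    # uncomment a commented-out default in place (all occurrences: convergent)
    "^#\s*Protocol\s+.*$"
      replace_with => value("Protocol 2");
}

bundle edit_line wheel_members(user)
{
  field_edits:
    # /etc/group line "wheel:x:10:root"; field 4 is the member list
    "wheel:.*"
      edit_field => col(":", "4", "$(user)", "alphanum");
}

body edit_defaults backup_and_cap(size)
{
  edit_backup               => "timestamp";   # keep a dated copy before editing
  max_file_size             => "$(size)";     # refuse to edit unexpectedly large files
  empty_file_before_editing => "false";
}

body delete_select lines_not_in(l)
{
  delete_if_not_match_from_list => { @(l) };
}

body replace_with value(x)
{
  replace_value => "$(x)";
  occurrences   => "all";
}

body edit_field col(split, col, newval, method)
{
  field_separator    => "$(split)";
  select_field       => "$(col)";
  value_separator    => ",";
  field_value        => "$(newval)";
  field_operation    => "$(method)";   # "alphanum": add if missing, keep the list sorted
  extend_fields      => "true";
  allow_blank_fields => "true";
}
```

Order inside an edit_line bundle is fixed (delete_lines, then field_edits, insert_lines and replace_patterns), which is what makes the delete-then-insert idiom above safe: a conflicting "PermitRootLogin yes" is removed and the wanted line is inserted in the same pass, and on the next run nothing changes.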
- Build an XPath within the XML file
- Select the XPath node in the XML file to edit
- Value of the attribute to be inserted into the XPath node of the XML file
- The remaining edit_xml promise types take no attributes of their own beyond the promiser and the common attributes.
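An added example (not from the book or CFEngine) of an edit_xml bundle using select_xpath and attribute_value. The file path is the usual Tomcat server.xml location, and the edit disables the shutdown port by setting it to -1; the bundle names are constructed.

```cfengine3
bundle agent tomcat_server_xml
{
  files:
    "/etc/tomcat/server.xml"
      edit_xml => disable_shutdown_port;
}

bundle edit_xml disable_shutdown_port
{
  set_attribute:
    # promiser is the attribute name; select_xpath picks the node it lives on
    "port"
      attribute_value => "-1",
      select_xpath    => "/Server";
}
```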
- Select the architecture for package selection
- Command to install a package on the system
- Regular expression with one backreference to extract the package architecture string
- Menu option: whether to group packages into a single aggregate command
- Command to remove a package from the system
- How the package manager expects the package to be referred to in the deletion part of a package update, e.g. $(name)
- A list of machine-local directories to search for packages
- Regular expression which matches packages that are already installed
- Command to detect the default package architecture
- Regular expression with one backreference to extract
- Command to obtain a list of available packages
- Regular expression with one backreference to extract the package name string
- Command to update the list of available packages (if any)
- The ifelapsed locking time between updates of the package list
- Regular expression with one backreference to extract the package version string
- How the package manager expects the package to be referred to, e.g. $(name).$(arch)
- Regular expression with one backreference to extract the package name string
- Regular expression to match verification failure output
- Integer return code indicating package verification failure
- Regular expression with one backreference to extract the update architecture string
- Command to update to the latest patch release of an installed package
- Regular expression which matches packages that are already installed
- Command to obtain a list of available patches or updates
- Regular expression with one backreference to extract the update name string
- Regular expression with one backreference to extract the update version string
- Command to update a currently installed package to the latest version
- Command to verify the correctness of an installed package
- Regular expression with one backreference to extract the package version string
- Regular expression which matches the start of a new package in multiline output
- Whether to use a shell for commands in this body
- Command to check whether the first supplied package version is less than the second one
- Command to check whether the first supplied package version is equal to the second one
- Criteria for package installation/upgrade on the current system
- A criterion for the first acceptable match relative to "package_version"
- Version reference point for determining the promised version
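An added example (not from the book or the CFEngine project) of packages promises with a package_method body for yum/rpm systems, using the attributes above. The body mirrors the shape of the yum_rpm method in CFEngine’s standard library; the package names and the version threshold are constructed for the illustration and do not refer to any particular advisory.

```cfengine3
bundle agent baseline_packages
{
  packages:
    # keep openssh-server at or above a chosen version (constructed threshold)
    "openssh-server"
      package_policy  => "update",
      package_select  => ">=",
      package_version => "7.4",
      package_method  => yum_rpm_example;

    # remove an obsolete clear-text service
    "telnet-server"
      package_policy  => "delete",
      package_method  => yum_rpm_example;
}

body package_method yum_rpm_example
{
  package_changes            => "bulk";   # one aggregate yum command per policy
  package_list_command       => "/bin/rpm -qa --qf '%{name} %{version}-%{release} %{arch}\n'";
  package_list_name_regex    => "^(\S+?)\s\S+?\s\S+$";
  package_list_version_regex => "^\S+?\s(\S+?)\s\S+$";
  package_list_arch_regex    => "^\S+?\s\S+?\s(\S+)$";
  package_installed_regex    => ".*";     # every line of rpm -qa is an installed package
  package_name_convention    => "$(name)";
  package_add_command        => "/usr/bin/yum -y install";
  package_update_command     => "/usr/bin/yum -y update";
  package_delete_command     => "/bin/rpm -e --nodeps";
  package_verify_command     => "/bin/rpm -V";
  package_noverify_returncode => "1";     # rpm -V exits non-zero when files differ
  package_list_update_command   => "/usr/bin/yum check-update";
  package_list_update_ifelapsed => "240"; # refresh the cache at most every four hours
}
```

The commands in a package_method body run as root on every managed host, so they belong in the policy, with full paths, and never in an attribute derived from data the agent collected on the host.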
- List of classes to define if the number of matches is in range
- Integer range for the acceptable number of matches for this process
- List of classes to define if the number of matches is out of range
- Regular expression matching the command/cmd field of a process
- Range of integers matching the process id of a process
- Range of integers matching the parent group id of a process
- Range of integers matching the parent process id of a process
- Range of integers matching the priority field (PRI/NI) of a process
- List of regexes matching the user of a process
- Boolean class expression returning the logical combination of classes set by a process selection test
- Range of integers matching the resident memory size of a process, in kilobytes
- Range of integers matching the start time of a process
- Range of integers matching the total elapsed time of a process
- Regular expression matching the tty field of a process
- Range of integers matching the threads (NLWP) field of a process
- Range of integers matching the virtual memory size of a process, in kilobytes
- A command used to stop a running process
- A class to be defined globally if the process is not running, so that a commands: rule can be referred to in order to restart the process
- A list of menu options representing signals to be sent to a process
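An added example (not from the book or CFEngine) using the process attributes above: a process_count body that defines classes when sshd is not running, a restart via a commands promise, and a process_select body that singles out processes by owner for signalling. The init script path, the class names and the command pattern for the unwanted process are constructed.

```cfengine3
bundle agent process_hygiene
{
  processes:
    # at least one sshd must be running; define sshd_down otherwise
    "sshd"
      process_count => check_range("sshd", "1", "inf");

    # terminate anything matching the pattern that is NOT owned by root
    # (constructed pattern; adapt to whatever is unwanted on your hosts)
    ".*unwanted-miner.*"
      process_select => not_owned_by_root,
      signals        => { "term", "kill" };

  commands:
    sshd_down::
      "/etc/init.d/ssh start";      # assumed init script path
}

body process_count check_range(cls, min, max)
{
  match_range         => irange("$(min)", "$(max)");
  in_range_define     => { "$(cls)_up" };
  out_of_range_define => { "$(cls)_down" };
}

body process_select not_owned_by_root
{
  process_owner  => { "root" };
  process_result => "!process_owner";   # negate the owner test
}
```

Signals are delivered in list order on one pass, so "term" followed by "kill" gives the process no time to exit cleanly; if you want a grace period, send "term" alone and let the next agent run send "kill" to whatever survived.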
- Policy for the CFEngine service status
- A list of services on which the named service abstraction depends
- Parameters for starting the service as a command
- Should the service be started automatically by the OS
- Name of a bundle describing how to handle a service
- Service abstraction type
- Menu option for specifying how to handle dependencies and dependent services
- true/false: add or remove entries to the file system table ("fstab")
- Protocol type of the remote file system
- Path of the remote file system to mount
- Hostname or IP of the remote file system server
- List of option strings to add to the file system table ("fstab")
- true/false: unmount a previously mounted filesystem
- true/false: verify storage that is mounted from a foreign system on this host
- Absolute or percentage minimum disk space that should be available before warning
- Minimum size in bytes that should be used on a sensible-looking storage device
- Minimum number of files that should be defined on a sensible-looking storage device
- true/false: generate a pseudo-periodic disk change arrival distribution
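An added example (not the book’s or CFEngine’s) of a storage promise with mount and volume bodies built from the attributes above. The NFS server name, export path and mount point are constructed; the mount options chosen keep setuid binaries and device nodes on a remote export from being honoured locally.

```cfengine3
bundle agent home_storage
{
  storage:
    "/home"
      mount  => nfs_nosuid("nfs.example.com", "/export/home"),
      volume => watch_space("10%");
}

body mount nfs_nosuid(server, export)
{
  mount_type    => "nfs";
  mount_server  => "$(server)";
  mount_source  => "$(export)";
  mount_options => { "rw", "nosuid", "nodev", "hard", "intr" };
  edit_fstab    => "true";    # make the mount persistent across reboots
  unmount       => "false";
}

body volume watch_space(free)
{
  check_foreign  => "false";  # do not police filesystems mounted from elsewhere
  freespace      => "$(free)";
  sensible_size  => "10000";  # below this the device is probably not really mounted
  sensible_count => "2";
  scan_arrivals  => "false";
}
```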
Control promise attributes supplement the built-in “control” promises. Control promises affect the runtime behavior of CFEngine.
Control attributes of type “common” apply to all parts of CFEngine, e.g. monitor, server, executor, agent, etc. We include them here because they can affect the agent.
- Contains promise bundles to verify, in a specific order.
- Contains regular expressions that match promisees/topics considered to be organizational goals.
- Determines whether to ignore missing bundles.
- If any input files do not exist, ignore and continue.
- The inputs slist contains additional filenames to parse for promises.
- The version string contains the scalar version identifier of the configuration.
- Number of minutes after which last-seen entries are purged.
- The string prefix for standard output.
- The domain string specifies the domain name for this host.
- The require_comments menu option policy warns about promises that do not have comment documentation.
- site_classes contains classes that will represent geographical site locations for hosts. These should be defined elsewhere in the configuration in a classes promise.
- syslog_host contains the name or address of a host to which syslog messages should be sent directly by UDP.
- The value of syslog_port represents the port number of a UDP syslog service.
- The fips_mode menu option policy determines whether to activate full FIPS mode restrictions.
Agent control promise attributes apply to the agent control promise which affects the behavior of the agent only.
- A list of classes which, if defined, lead to termination of cf-agent
- A list of classes which, if defined, lead to termination of the current bundle
- A list of classes to be defined always in the current context
- A list of user names allowed to execute cf-agent
- The syslog facility for cf-agent
- Generate an allclasses.txt report
- true/false flag to determine whether configurations will always be checked before executing, or only after updates
- Use this interface for outgoing connections
- true/false: whether stored hashes are updated when a change is detected in the source
- LD_LIBRARY_PATH for child processes
- The persistence time for the checksum_alert class
- ctime or mtime differ
- All talk and no action mode
- Integer limit on the maximum binary file size to be edited
- Integer limit on the maximum text file size to be edited
- List of environment variables to be inherited by children
- Global default for the time before on-going promise repairs are interrupted
- List of filenames to be watched for multiple-source conflicts
- List of filenames to define classes if copied
- true/false: label ppkeys by hostname, not IP address
- Global default for the time that must elapse before a promise will be rechecked
- true/false: set the inform level default
- This option is deprecated, does nothing and is kept for backward compatibility
- Maximum number of background tasks that should be allowed concurrently
- Maximum number of outgoing connections to cf-serverd
- true/false: mount any filesystems promised
- true/false: warn about filenames with no alphanumeric content
- The character used to canonize pathnames in the file repository
- Reload the process table before verifying the bundles named in this list (lazy evaluation)
- Path to the default file repository
- true/false: check whether input files are writable by unauthorized users
- Minimum number of files a mounted filesystem is expected to have
- Minimum number of bytes a mounted filesystem is expected to have
- Do not send IP/name during server connection because address resolution is broken
- List of names to warn about if found during any file search
- true/false: switches on tracking of promise valuation
- List of allowed timezones this machine must comply with
- Maximum time a network connection should attempt to connect
- true/false: switches on verbose standard output
- Switch to a private namespace to protect the current file from duplicate definitions
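The following control bodies are an added example (not from the book or the CFEngine distribution) covering the common control, agent control and file control attributes listed in the three tables above. Every host name, path, bundle name and class name in it is constructed; the attribute names and value types are the ones the tables describe. In a real policy the file control body goes at the top of the file whose promises it should place in the namespace.

```cfengine3
body file control
{
  namespace => "site";   # promises after this line belong to the "site" namespace
}

body common control
{
  bundlesequence         => { "site" };                   # constructed bundle name
  inputs                 => { "cfengine_stdlib.cf", "site.cf" };
  version                => "site-policy 1.0";
  domain                 => "example.com";
  ignore_missing_bundles => "false";   # fail loudly rather than silently skipping
  ignore_missing_inputs  => "false";
  require_comments       => "true";    # warn about promises without a comment
  syslog_host            => "loghost.example.com";
  syslog_port            => "514";
  fips_mode              => "true";    # restrict hashing to FIPS-approved algorithms
}

body agent control
{
  agentaccess        => { "root" };              # only root may run cf-agent
  abortclasses       => { "abort_agent" };       # constructed kill-switch classes
  abortbundleclasses => { "abort_bundle" };
  agentfacility      => "LOG_LOCAL1";
  secureinput        => "true";                  # refuse inputs writable by others
  suspiciousnames    => { ".mo", "lrk3", "rootkit" };   # constructed list of names to flag
  files_single_copy  => { ".*" };                # warn when two sources copy to one file
  environment        => { "LANG=C", "PATH=/usr/bin:/bin" };
  hashupdates        => "false";                 # keep alerting until the stored hash is updated
  checksum_alert_time => "60";                   # checksum_alert persists for an hour
  ifelapsed          => "1";
  expireafter        => "5";
  default_timeout    => "10";
  maxconnections     => "30";
  default_repository => "/var/cfengine/repository";
  editfilesize       => "100000";
  editbinaryfilesize => "100000";
  timezone           => { "UTC" };
  refresh_processes  => { "process_hygiene" };   # assumed bundle that inspects processes
  inform             => "false";
  verbose            => "false";
}
```

secureinput and agentaccess are the two settings here with the most direct security effect: the first makes cf-agent refuse policy files that a non-root user could have modified, the second limits who can start an agent run at all. Both only help if the policy files themselves are root-owned and not group- or world-writable.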