processes
Process promises refer to items in the system process table, i.e., a command in some state of execution (with a Process Control Block). Promiser objects are patterns that are unanchored, meaning that they match parts of command lines in the system process table.

    processes:

      "regex contained in process line"

        process_select => process_filter_body,
        restart_class => "activation class for process",
        ..;

Note: CFEngine uses the output from the ps command to inspect running processes, and these formats differ between platforms. You can see how CFEngine views the process table for your platform by inspecting cf_otherprocs, cf_procs, and cf_rootprocs, which can be found in $(sys.workdir)/state/ (typically /var/cfengine/state).
This is an example showing how to restart a splunk process owned by root:

    bundle agent example
    {
      processes:

        "splunkd"
          process_select => by_owner("root"),
          handle => "example_splunk_stop_gracefully",
          process_stop => "/opt/splunkforwarder/bin/splunk stop",
          comment => "Find splunkd processes owned by root. Stop it gracefully with the internal splunk binary.";

        "splunkd"
          restart_class => "splunk_not_running",
          comment => "Set splunk_not_running class if we cant find any root owned splunkd processes so that we can restart it using a commands promise";

      commands:

        splunk_not_running::

          "/opt/splunkforwarder/bin/splunk"
            args => "--accept-license --answer-yes --no-prompt start";
    }

This example shows using process_select and process_count to define a class when a process has been running for longer than a day.

    bundle agent main
    {
      processes:

        "init"
          process_count => any_count("booted_over_1_day_ago"),
          process_select => days_older_than(1),
          comment => "Define a class indicating we found an init process running for more than 1 day.";

      reports:

        booted_over_1_day_ago::
          "This system was booted over 1 days ago since there is an init process that is older than 1 day.";

        !booted_over_1_day_ago::
          "This system has been rebooted recently as the init process has been running for less than a day";
    }

    body process_count any_count(cl)
    {
      match_range => "0,0";
      out_of_range_define => { "$(cl)" };
    }

    body process_select days_older_than(d)
    {
      stime_range => irange(ago(0,0,"$(d)",0,0,0),now);
      process_result => "!stime";
    }

This policy can be found in /var/cfengine/share/doc/examples/processes_define_class_based_on_process_runtime.cf and downloaded directly from GitHub.
Take care not to oversimplify your patterns, as they may match unexpected processes. For example, on many systems, the process pattern "^cp" may not match any processes, even though "cp" is running. This is because the process table entry may list "/bin/cp". However, the process pattern "cp" will also match a process containing "scp" (the PCRE pattern anchors "\b" and "\B" may prove very useful to you).
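A quick way to vet a promiser pattern before attaching signals or process_stop to it, as an added example that is not part of the CFEngine documentation. It assumes the pattern is searched unanchored against the command line, uses Python's re module (which agrees with PCRE for these constructs), and runs on constructed sample command lines; the last pattern tried, `(^|/)cp(\s|$)`, is a hypothetical tighter alternative.

```python
import re

# Constructed sample of command lines as they might appear in the process table.
SAMPLE_COMMANDS = [
    "/bin/cp -r /srv/data /backup",
    "cp notes.txt notes.bak",
    "scp backup.tar host:/tmp",
    "vi /home/ops/cp.log",
]
# The processes the policy author actually means to select: the two cp runs.
INTENDED = SAMPLE_COMMANDS[:2]


def selected(pattern, commands=SAMPLE_COMMANDS):
    """Commands an unanchored pattern selects (search, not full match)."""
    rx = re.compile(pattern)
    return [c for c in commands if rx.search(c)]


def audit(pattern, intended=INTENDED, commands=SAMPLE_COMMANDS):
    """Report intended processes the pattern misses and extra ones it catches."""
    hit = set(selected(pattern, commands))
    want = set(intended)
    return {"missed": sorted(want - hit), "unexpected": sorted(hit - want)}


if __name__ == "__main__":
    # "cp" over-matches, "^cp" misses /bin/cp, "\bcp\b" still catches an
    # argument named cp.log, and the path-aware pattern selects only cp itself.
    for pattern in ["cp", "^cp", r"\bcp\b", r"(^|/)cp(\s|$)"]:
        print(f"{pattern!r:20} {audit(pattern)}")
```

Running the same audit against the real command lines recorded in cf_procs on a host shows whether a pattern would signal anything other than the intended process.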
process_stop should only be used for commands that stop processes. To start or restart a process, you should set a class to activate and then use a commands promise together with that class.

    processes:

      "/path/executable"
        restart_class => "restart_me";

    commands:

      restart_me::

        "/path/executable" ... ;

Notes:
- CFEngine will not allow you to signal processes 1-4 or the agent process itself for fear of bringing down the system.
- Process promises depend on the ps native tool, which by default truncates lines at 128 columns on HP-UX. It is recommended to edit the file /etc/default/ps and increase the DEFAULT_CMD_LINE_WIDTH setting to 1024 to guarantee that process promises will work smoothly on that platform.
Attributes
Common attributes
Common attributes are available to all promise types. Full details for common attributes can be found in the Common promise attributes section of the Promise types page. The common attributes are as follows:
action
classes
comment
depends_on
handle
if
unless
meta
with
process_count
Type: body process_count
See also: Common body attributes
in_range_define
Description: List of classes to define if the matches are in range
Classes are defined if the processes that are found in the process table satisfy the promised process count, in other words if the promise about the number of processes matching the other criteria is kept.
Type: slist
Allowed input range: (arbitrary string)
Example:

    body process_count example
    {
      in_range_define => { "class1", "class2" };
    }

match_range
Description: Integer range for acceptable number of matches for this process
This is a numerical range for the number of occurrences of the process in the process table. As long as it falls within the specified limits, the promise is considered kept.
Type: irange[int,int]
Allowed input range: 0,99999999999
Example:

    body process_count example
    {
      match_range => irange("10","50");
    }

out_of_range_define
Description: List of classes to define if the matches are out of range
Classes to activate remedial promises conditional on this promise failure to be kept.
Type: slist
Allowed input range: (arbitrary string)
Example:

    body process_count example(s)
    {
      out_of_range_define => { "process_anomaly", "anomaly_$(s)" };
    }

process_select
Type: body process_select
See also: Common body attributes
command
Description: Regular expression matching the command/cmd field of a process
Note: For historical reasons, this attribute is identical to the match performed by using the promiser, except that the regular expression is anchored.
This expression should match the entire COMMAND field of the process table, not just a fragment. This field is usually the last field on the line, so it starts with the first non-space character and ends with the end of line.
Type: string
Allowed input range: (arbitrary string)
Example:

    body process_select example
    {
      command => "cf-.*";
      process_result => "command";
    }

pid
Description: Range of integers matching the process id of a process
Type: irange[int,int]
Allowed input range: 0,99999999999
Example:

    body process_select example
    {
      pid => irange("1","10");
      process_result => "pid";
    }

See also: Function: irange()
pgid
Description: Range of integers matching the parent group id of a process
Type: irange[int,int]
Allowed input range: 0,99999999999
Example:

    body process_select example
    {
      pgid => irange("1","10");
      process_result => "pgid";
    }

See also: Function: irange()
ppid
Description: Range of integers matching the parent process id of a process
Type: irange[int,int]
Allowed input range: 0,99999999999
Example:

    body process_select example
    {
      ppid => irange("407","511");
      process_result => "ppid";
    }

See also: Function: irange()
priority
Description: Range of integers matching the priority field (PRI/NI) of a process
Type: irange[int,int]
Allowed input range: -20,+20
Example:

    body process_select example
    {
      priority => irange("-5","0");
    }

See also: Function: irange()
process_owner
Description: List of regexes matching the user of a process
The regular expressions should match a legal user name on the system. The regex is anchored, meaning it must match the entire name.
Type: slist
Allowed input range: (arbitrary string)
Example:

    bundle agent main
    {
      processes:

        # Any /usr/local/web/tomcat-logviewer processes not
        # running as buildsrv should be killed on sight.
        "/usr/local/web/tomcat-logviewer" -> { "security" }
          process_select => not_running_as("buildsrv"),
          signals => { "kill" },
          comment => "It is against the security policy for this service to run under the wrong user id.";
    }

    body process_select not_running_as(owner)
    {
      process_owner => { $(owner) };
      process_result => "!process_owner";
    }

    info: Signalled 'kill' (9) to process 7211 (root 7211 7199 7211 0.0 0.1 100908 0 596 1 15:26 00:06 00:00:00 /usr/local/web/tomcat-logviewer 500)

This policy can be found in /var/cfengine/share/doc/examples/kill_process_running_wrong_user.cf and downloaded directly from GitHub.
process_result
Description: Boolean class expression with the logical combination of process selection criteria
A logical combination of the process selection classifiers. The syntax is the same as that for class expressions. If process_result is not specified, then all set attributes in the process_select body are AND'ed together.
Type: string
Allowed input range: [(process_owner|pid|ppid||pgid|rsize|vsize|status|command|ttime|stime|tty|priority|threads)[|!.]*]*
Example:

    body process_select proc_finder(p)
    {
      process_owner => { "avahi", "bin" };
      command => "$(p)";
      pid => irange("100","199");
      vsize => irange("0","1000");
      process_result => "command.(process_owner|vsize).!pid";
    }

See also: file_result
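To check how a process_result string combines the individual criteria before it gates a kill signal, the following added example (not CFEngine's own evaluator, and not part of the original documentation) models the class-expression semantics in Python: `!` binds tightest, then `.` or `&` (AND), then `|` (OR), with parentheses for grouping. The `matched` argument is an assumed input: the set of criterion names that one process satisfied.

```python
import re

TOKEN = re.compile(r"\s*([a-z_]+|[()!.&|])")

def tokenize(expr):
    """Split a process_result string into criterion names and operators."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {expr!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def evaluate(expr, matched):
    """Evaluate expr for one process; matched = criteria that process met."""
    tokens, i = tokenize(expr), 0

    def peek():
        return tokens[i] if i < len(tokens) else None
    def take():
        nonlocal i
        if i >= len(tokens):
            raise ValueError(f"unexpected end of expression: {expr!r}")
        i += 1
        return tokens[i - 1]

    def parse_or():                      # lowest precedence: a|b
        value = parse_and()
        while peek() == "|":
            take()
            value = parse_and() or value
        return value

    def parse_and():                     # a.b or a&b
        value = parse_unary()
        while peek() in (".", "&"):
            take()
            value = parse_unary() and value
        return value

    def parse_unary():                   # !a, (a), or a bare criterion name
        tok = take()
        if tok == "!":
            return not parse_unary()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return value
        if not tok.isidentifier():
            raise ValueError(f"unexpected {tok!r} in {expr!r}")
        return tok in matched

    result = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing input in {expr!r}")
    return result
```

For the proc_finder body above, a process that matches the command and vsize criteria but has a pid inside 100-199 is not selected, because the `!pid` term is false.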
rsize
Description: Range of integers matching the resident memory size of a process, in kilobytes
Type: irange[int,int]
Allowed input range: 0,99999999999
Example:

    body process_select example
    {
      rsize => irange("4000","8000");
    }

See also: Function: irange()
status
Description: Regular expression matching the status field of a process
For instance, characters in the set NRSsl+... Windows processes do not have status fields.
Type: string
Allowed input range: (arbitrary string)
Example:

    body process_select example
    {
      status => "Z";
    }

stime_range
Description: Range of integers matching the start time of a process
The calculation of time from process table entries is sensitive to Daylight Savings Time (Summer/Winter Time) so calculations could be an hour off. This is for now a bug to be fixed.
Type: irange[int,int]
Allowed input range: 0,2147483647
Example:

    body process_select example
    {
      stime_range => irange(ago(0,0,0,1,0,0),now);
    }

See also: Function: irange()
ttime_range
Description: Range of integers matching the total elapsed time of a process.
This is total accumulated time for a process.
Type: irange[int,int]
Allowed input range: 0,2147483647
Example:

    body process_select example
    {
      ttime_range => irange(0,accumulated(0,1,0,0,0,0));
    }

See also: Function: irange()
tty
Description: Regular expression matching the tty field of a process
Windows processes are not regarded as attached to any terminal, so they all have tty '?'.
Type: string
Allowed input range: (arbitrary string)
Example:

    body process_select example
    {
      tty => "pts/[0-9]+";
    }

threads
Description: Range of integers matching the threads (NLWP) field of a process
Type: irange[int,int]
Allowed input range: 0,99999999999
Example:

    body process_select example
    {
      threads => irange(1,5);
    }

See also: Function: irange()
vsize
Description: Range of integers matching the virtual memory size of a process, in kilobytes.
On Windows, the virtual memory size is the amount of memory that cannot be shared with other processes. In Task Manager, this is called Commit Size (Windows 2008), or VM Size (Windows XP).
Type: irange[int,int]
Allowed input range: 0,99999999999
Example:

    body process_select example
    {
      vsize => irange("4000","9000");
    }

See also: Function: irange()
process_stop
Description: A command used to stop a running process
As an alternative to sending a termination or kill signal to a process, one may call a 'stop script' to perform a graceful shutdown.
Type: string
Allowed input range: "?(/.*)
Example:

    processes:

      "snmpd"
        process_stop => "/etc/init.d/snmp stop";

restart_class
Description: A class to be defined globally if the process is not running, so that a command: rule can be referred to restart the process
This is a signal to restart a process that should be running, if it is not running. Processes are signaled first and then restarted later, at the end of bundle execution, after all possible corrective actions have been made that could influence their execution.
Windows does not support having processes start themselves in the background the way Unix daemons usually do, i.e., by forking off a child process. Therefore, it may be useful to specify an action body that sets background to true in a commands promise that is invoked by the class set by restart_class. See the commands promise type for more information.
Type: string
Allowed input range: [a-zA-Z0-9_$(){}\[\].:]+
Example:

    processes:

      "cf-serverd"
        restart_class => "start_cfserverd";

    commands:

      start_cfserverd::

        "/var/cfengine/bin/cf-serverd";

signals
Description: A list of names of signals to be sent to a process or sleeps between signals.
Signals from the given list are sent to the process in a sequence. Special strings of the form Ns or just N, where N is a positive integer, can be used to add sleeps between the signals. On Windows, only the kill signal is supported, which terminates the process.
Type: (slist)
Allowed input range:

    hup
    int
    trap
    kill
    pipe
    cont
    abrt
    stop
    quit
    term
    child
    usr1
    usr2
    bus
    segv
    [0-9]+s?

Example:

    processes:

      cfservd_out_of_control::

        "cfservd"
          signals => { "stop", "term" },
          restart_class => "start_cfserv";

      any::

        "snmpd"
          signals => { "term", "5s", "kill" };

History:
- 3.18.2, 3.20.0 Added ability to sleep between signals using Ns