Design Documents

Design documents provide detailed implementation guidance for CCM’s resource types, providers, and internal components. They are intended for developers contributing to CCM or those seeking to understand specific implementation details.

For end-user documentation on how to use resources, see Resources.

Note

These design documents are largely written with AI assistance and reviewed before publication.

Each design document covers:

Purpose and scope: What the component does and its responsibilities
Architecture: How the component fits into CCM’s overall design
Implementation details: Key data structures, interfaces, and algorithms
Provider contracts: Requirements for implementing new providers
Testing considerations: How to test the component

Available Documents

Document	Description
Archive	Archive resource for downloading and extracting archives
Exec	Exec resource for command execution
File	File resource for managing files and directories
Package	Package resource for system package management
Scaffold	Scaffold resource for template directory rendering
Service	Service resource for system service management
New Type	How to add a new resource type to CCM

Archive Type

This document describes the design of the archive resource type for downloading and extracting archives.

Overview

The archive resource manages remote archives with three phases:

Download: Fetch archive from a URL to local filesystem
Extract: Unpack archive contents to a target directory
Cleanup: Optionally remove the archive file after extraction

These phases are conditional based on current state and configuration.

Provider Interface

Archive providers must implement the ArchiveProvider interface:

type ArchiveProvider interface {
    model.Provider

    Download(ctx context.Context, properties *model.ArchiveResourceProperties, log model.Logger) error
    Extract(ctx context.Context, properties *model.ArchiveResourceProperties, log model.Logger) error
    Status(ctx context.Context, properties *model.ArchiveResourceProperties) (*model.ArchiveState, error)
}

Method Responsibilities

Method	Responsibility
`Status`	Query archive file existence, checksum, attributes, and creates file
`Download`	Fetch archive from URL, verify checksum, set ownership
`Extract`	Unpack archive contents to extract parent directory

Status Response

The Status method returns an ArchiveState containing:

type ArchiveState struct {
    CommonResourceState
    Metadata *ArchiveMetadata
}

type ArchiveMetadata struct {
    Name          string    // Archive file path
    Checksum      string    // SHA256 hash of archive
    ArchiveExists bool      // Whether archive file exists
    CreatesExists bool      // Whether creates marker file exists
    Owner         string    // Archive file owner
    Group         string    // Archive file group
    MTime         time.Time // Modification time
    Size          int64     // File size in bytes
    Provider      string    // Provider name (e.g., "http")
}

The Ensure field in CommonResourceState is set to:

present if the archive file exists
absent if the archive file does not exist

Available Providers

Provider	Source	Documentation
`http`	HTTP/HTTPS URLs	HTTP

Ensure States

Value	Description
`present`	Archive must be downloaded (and optionally extracted)
`absent`	Archive file must not exist

Supported Archive Formats

Extension	Description
`.tar.gz`, `.tgz`	Gzip-compressed tar archive
`.tar`	Uncompressed tar archive
`.zip`	ZIP archive

The URL and local file name must have matching archive type extensions.

Apply Logic

┌─────────────────────────────────────────┐
│ Get current state via Status()          │
└─────────────────┬───────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────┐
│ Is current state desired state?         │
└─────────────────┬───────────────────────┘
              Yes │         No
                  ▼         │
          ┌───────────┐     │
          │ No change │     │
          └───────────┘     │
                            ▼
              ┌─────────────────────────┐
              │ What is desired ensure? │
              └─────────────┬───────────┘
                            │
            ┌───────────────┴───────────────┐
            │ absent                        │ present
            ▼                               ▼
    ┌───────────────┐             ┌─────────────────────┐
    │ Remove archive│             │ Download needed?    │
    │ file          │             │ (checksum mismatch  │
    └───────────────┘             │  or file missing)   │
                                  └─────────┬───────────┘
                                        Yes │         No
                                            ▼         │
                                    ┌───────────┐     │
                                    │ Download  │     │
                                    └─────┬─────┘     │
                                          │           │
                                          ▼           ▼
                                  ┌─────────────────────────┐
                                  │ Extract needed?         │
                                  │ (extract_parent set AND │
                                  │  (download occurred OR  │
                                  │   creates file missing))│
                                  └─────────┬───────────────┘
                                        Yes │         No
                                            ▼         │
                                    ┌───────────┐     │
                                    │ Extract   │     │
                                    └─────┬─────┘     │
                                          │           │
                                          ▼           ▼
                                  ┌─────────────────────────┐
                                  │ Cleanup enabled?        │
                                  └─────────┬───────────────┘
                                        Yes │         No
                                            ▼         ▼
                                    ┌───────────┐ ┌───────┐
                                    │ Remove    │ │ Done  │
                                    │ archive   │ └───────┘
                                    └───────────┘

Idempotency

The archive resource uses multiple checks for idempotency:

State Checks (in order)

Ensure absent: Archive file must not exist
Creates file: If creates is set, the marker file must exist
Archive existence: If cleanup: false, archive must exist
Owner/Group: Archive file attributes must match
Checksum: If specified, archive checksum must match

Decision Table

Condition	Stable?
`ensure: absent` + archive missing	Yes
`ensure: absent` + archive exists	No (remove)
`creates` file exists	Yes (skip all)
`creates` file missing	No (extract needed)
`cleanup: false` + archive missing	No (download needed)
Archive checksum mismatch	No (re-download needed)
Archive owner/group mismatch	No (re-download needed)

Creates Property

The creates property provides idempotency for extraction:

- archive:
    - /tmp/app.tar.gz:
        url: https://example.com/app.tar.gz
        extract_parent: /opt/app
        creates: /opt/app/bin/app
        owner: root
        group: root

Behavior:

If /opt/app/bin/app exists, skip download and extraction
Useful when extracted files indicate successful prior extraction
Prevents re-extraction on every run

Cleanup Property

The cleanup property removes the archive after extraction:

- archive:
    - /tmp/app.tar.gz:
        url: https://example.com/app.tar.gz
        extract_parent: /opt/app
        creates: /opt/app/bin/app
        cleanup: true
        owner: root
        group: root

Requirements:

extract_parent must be set (cleanup only makes sense with extraction)
creates must be set to track extraction state

Behavior:

After successful extraction, remove the archive file
On subsequent runs, creates file prevents re-download

Checksum Verification

When checksum is specified:

- archive:
    - /tmp/app.tar.gz:
        url: https://example.com/app.tar.gz
        checksum: "a1b2c3d4..."
        owner: root
        group: root

Behavior:

Downloaded file is verified against SHA256 checksum
Existing file checksum is compared to detect changes
Checksum mismatch triggers re-download
Download fails if fetched content doesn’t match

Authentication

Archives support two authentication methods:

Basic Authentication

- archive:
    - /tmp/app.tar.gz:
        url: https://private.example.com/app.tar.gz
        username: deploy
        password: "{{ lookup('data.password') }}"
        owner: root
        group: root

Custom Headers

- archive:
    - /tmp/app.tar.gz:
        url: https://api.example.com/releases/app.tar.gz
        headers:
          Authorization: "Bearer {{ lookup('data.token') }}"
        owner: root
        group: root

Required Properties

Property	Required	Description
`url`	Yes	Source URL for download
`owner`	Yes	Username that owns the archive file
`group`	Yes	Group that owns the archive file

URL Validation

URLs are validated during resource creation:

Must be valid URL format
Scheme must be http or https
Path must end with supported archive extension
Extension must match the name property extension

Noop Mode

In noop mode, the archive type:

Queries current state normally
Computes what actions would be taken
Sets appropriate NoopMessage:
- “Would have downloaded”
- “Would have extracted”
- “Would have cleaned up”
- “Would have removed”
Reports Changed: true if changes would occur
Does not call provider Download/Extract methods
Does not remove files

Multiple actions are joined with “. " (e.g., “Would have downloaded. Would have extracted”).

Desired State Validation

After applying changes (in non-noop mode), the type verifies the archive reached the desired state by calling Status() again and checking all conditions. If validation fails, ErrDesiredStateFailed is returned.

HTTP Provider

This document describes the implementation details of the HTTP archive provider for downloading and extracting archives from HTTP/HTTPS URLs.

Provider Selection

The HTTP provider is selected when:

The URL scheme is http or https
The archive file extension is supported (.tar.gz, .tgz, .tar, .zip)
The required extraction tool (tar or unzip) is available in PATH

The IsManageable() function checks these conditions and returns a priority of 1 if all are met.

Operations

Download

Process:

Parse the URL and add Basic Auth credentials if username/password provided
Create HTTP request with custom headers (if specified)
Execute GET request via util.HttpGetResponse()
Verify HTTP 200 status code
Create temporary file in the same directory as the target
Set ownership on temp file before writing content
Copy response body to temp file
Verify checksum if provided
Atomic rename temp file to target path

Atomic Write Pattern:

[parent dir]/archive-name-* (temp file)
    ↓ write content
    ↓ set owner/group
    ↓ verify checksum
    ↓ rename
[parent dir]/archive-name (final file)

The temp file is created in the same directory as the target to ensure os.Rename() is atomic (same filesystem).

Error Handling:

Condition	Behavior
HTTP non-200	Return error with status code
Write failure	Clean up temp file, return error
Checksum mismatch	Clean up temp file, return error with expected vs actual
Rename failure	Temp file cleaned up by defer

Authentication:

Method	Implementation
Basic Auth	URL userinfo is passed to `HttpGetResponse()` which sets `Authorization` header
Username/Password properties	Embedded in URL before request: `url.UserPassword(username, password)`
Custom Headers	Added to request via `http.Header.Add()`

Extract

Process:

Validate ExtractParent is set
Create ExtractParent directory if it doesn’t exist (mode 0755)
Determine archive type from file extension
Execute appropriate extraction command

Extraction Commands:

Extension	Command
`.tar.gz`, `.tgz`	`tar -xzf <archive> -C <extract_parent>`
`.tar`	`tar -xf <archive> -C <extract_parent>`
`.zip`	`unzip -d <extract_parent> <archive>`

Command Execution:

Commands are executed via model.CommandRunner.ExecuteWithOptions() with:

Option	Value
`Command`	`tar` or `unzip`
`Args`	Extraction flags and paths
`Cwd`	`ExtractParent` directory
`Timeout`	1 minute

Error Handling:

Condition	Behavior
Unsupported extension	Return “archive type not supported” error
Command not found	Runner returns error
Non-zero exit code	Return error with exit code and stderr

Status

Process:

Initialize state with EnsureAbsent default
Check if archive file exists via os.Stat()
If exists: set EnsurePresent, populate metadata (size, mtime, owner, group, checksum)
If Creates property set: check if creates file exists

Metadata Collected:

Field	Source
`Name`	From properties
`Provider`	“http”
`ArchiveExists`	`os.Stat()` success
`Size`	`FileInfo.Size()`
`MTime`	`FileInfo.ModTime()`
`Owner`	`util.GetFileOwner()` - resolves UID to username
`Group`	`util.GetFileOwner()` - resolves GID to group name
`Checksum`	`util.Sha256HashFile()`
`CreatesExists`	`os.Stat()` on `Creates` path

Idempotency

The provider supports idempotency through the type’s isDesiredState() function:

State Checks (in order)

Ensure Absent: If ensure: absent, archive must not exist
Creates File: If Creates set and file doesn’t exist → not stable
Archive Existence: If cleanup: false, archive must exist
Owner/Group: Must match properties
Checksum: If specified in properties, must match

Note: When cleanup: true, the creates property is required (enforced at validation time).

Decision Matrix

Archive Exists	Creates Exists	Checksum Match	Cleanup	Stable?
No	No	N/A	false	No (download needed)
Yes	No	Yes	false	No (extract needed)
Yes	Yes	Yes	false	Yes
No	Yes	N/A	true	Yes
Yes	Yes	Yes	true	No (cleanup needed)

Checksum Verification

Algorithm: SHA-256

Implementation:

sum, err := util.Sha256HashFile(tempFile)
if sum != properties.Checksum {
    return fmt.Errorf("checksum mismatch, expected %q got %q", properties.Checksum, sum)
}

Timing: Checksum is verified after download completes but before the atomic rename. This ensures:

Corrupted downloads are never placed at the target path
Temp file is cleaned up on mismatch
Clear error message with both expected and actual checksums

Security Considerations

Credential Handling

Credentials in URL are redacted in log messages via util.RedactUrlCredentials()
Basic Auth header is set by Go’s http.Request.SetBasicAuth(), not manually constructed

Archive Extraction

Extraction uses system tar/unzip commands
No path traversal protection beyond what the tools provide
ExtractParent must be an absolute path (validated in model)

Temporary Files

Created with os.CreateTemp() using pattern <archive-name>-*
Deferred removal ensures cleanup on all exit paths
Ownership set before content written

Platform Support

The provider is Unix-only due to:

Dependency on util.GetFileOwner() which uses syscall for UID/GID resolution
Dependency on util.ChownFile() for ownership management

Timeouts

Operation	Timeout	Configurable
HTTP Download	1 minute (default in `HttpGetResponse`)	No
Archive Extraction	1 minute	No

Large archives may require increased timeouts in future versions.

Exec Type

This document describes the design of the exec resource type for executing commands.

Overview

The exec resource executes commands with idempotency controls:

Creates: Skip execution if a file exists
Refresh Only: Only execute when triggered by a subscribed resource
Exit Codes: Validate success via configurable return codes

Provider Interface

Exec providers must implement the ExecProvider interface:

type ExecProvider interface {
    model.Provider

    Execute(ctx context.Context, properties *model.ExecResourceProperties, log model.Logger) (int, error)
    Status(ctx context.Context, properties *model.ExecResourceProperties) (*model.ExecState, error)
}

Method Responsibilities

Method	Responsibility
`Status`	Check if `creates` file exists, return current state
`Execute`	Run the command, return exit code

Status Response

The Status method returns an ExecState containing:

type ExecState struct {
    CommonResourceState

    ExitCode         *int // Exit code from last execution (nil if not run)
    CreatesSatisfied bool // Whether creates file exists
}

The Ensure field in CommonResourceState is set to:

present if the creates file exists
absent if the creates file does not exist (or not specified)

Available Providers

Provider	Execution Method	Documentation
`posix`	Direct exec (no shell)	Posix
`shell`	Via `/bin/sh -c`	Shell

Properties

Property	Type	Description
`command`	string	Command to run (defaults to `name` if not set)
`cwd`	string	Working directory for command execution
`environment`	[]string	Additional environment variables (`KEY=value`)
`path`	string	Search path for executables (colon-separated)
`returns`	[]int	Acceptable exit codes (default: `[0]`)
`timeout`	string	Maximum execution time (e.g., `30s`, `5m`)
`creates`	string	File path; skip execution if exists
`refresh_only`	bool	Only execute via subscribe refresh
`subscribe`	[]string	Resources to watch for changes (`type#name`)
`logoutput`	bool	Log command output

Apply Logic

┌─────────────────────────────────────────┐
│ Get current state via Status()          │
└─────────────────┬───────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────┐
│ Check for subscribe refresh             │
└─────────────────┬───────────────────────┘
                  │
    ┌─────────────┴─────────────┐
    │ Subscribed resource       │
    │ changed?                  │
    └─────────────┬─────────────┘
              Yes │         No
                  ▼         │
          ┌───────────┐     │
          │ Execute   │     │
          └───────────┘     │
                            ▼
              ┌─────────────────────────┐
              │ Is desired state met?   │
              │ (creates file exists OR │
              │  refresh_only is true)  │
              └─────────────┬───────────┘
                        Yes │         No
                            ▼         │
                    ┌───────────┐     │
                    │ Skip      │     │
                    └───────────┘     │
                                      ▼
                        ┌─────────────────────────┐
                        │ Is refresh_only = true? │
                        └─────────────┬───────────┘
                                  Yes │         No
                                      ▼         │
                              ┌───────────┐     │
                              │ Skip      │     │
                              └───────────┘     │
                                                ▼
                                        ┌───────────┐
                                        │ Execute   │
                                        └───────────┘

Idempotency

The exec resource provides idempotency through two mechanisms:

Creates Property

The creates property specifies a file that indicates successful prior execution:

- exec:
    - extract-archive:
        command: tar xzf /tmp/app.tar.gz -C /opt
        creates: /opt/app/bin/app

Behavior:

If /opt/app/bin/app exists, skip execution
Useful for one-time setup commands
Provider checks file existence via Status()

Refresh Only Property

The refresh_only property limits execution to subscribe refreshes:

- exec:
    - reload-nginx:
        command: systemctl reload nginx
        refresh_only: true
        subscribe:
          - file#/etc/nginx/nginx.conf

Behavior:

Command only runs when subscribed resource changes
Without a subscribe trigger, command is skipped
Useful for reload/restart commands

Decision Table

Condition	Action
Subscribe triggered	Execute
`creates` file exists	Skip
`refresh_only: true` + no trigger	Skip
`refresh_only: false` + no `creates`	Execute

Exec resources can subscribe to other resources and execute when they change:

- file:
    - /etc/app/config.yaml:
        ensure: present
        content: "..."

- exec:
    - reload-app:
        command: systemctl reload app
        refresh_only: true
        subscribe:
          - file#/etc/app/config.yaml

Subscribe takes precedence over other idempotency checks - if a subscribed resource changed, the command executes regardless of creates file existence.

Exit Code Validation

By default, exit code 0 indicates success. The returns property customizes acceptable codes:

- exec:
    - check-status:
        command: /usr/local/bin/check-health
        returns:
          - 0
          - 1
          - 2

Behavior:

Command succeeds if exit code is in returns list
Command fails if exit code is not in returns list
Used for desired state validation after execution

Noop Mode

In noop mode, the exec type:

Queries current state normally (checks creates file)
Evaluates subscribe triggers
Logs what actions would be taken
Sets appropriate NoopMessage:
- “Would have executed”
- “Would have executed via subscribe”
Reports Changed: true if execution would occur
Does not call provider Execute method

Desired State Validation

After execution (in non-noop mode), the type verifies success:

func (t *Type) isDesiredState(properties, status) bool {
    // Creates file check takes precedence
    if properties.Creates != "" && status.CreatesSatisfied {
        return true
    }

    // Refresh-only without execution is stable
    if status.ExitCode == nil && properties.RefreshOnly {
        return true
    }

    // Check exit code against acceptable returns
    returns := []int{0}
    if len(properties.Returns) > 0 {
        returns = properties.Returns
    }

    if status.ExitCode != nil {
        return slices.Contains(returns, *status.ExitCode)
    }

    return false
}

If the exit code is not in the acceptable returns list, an ErrDesiredStateFailed error is returned.

Command vs Name

The command property is optional. If not specified, the name is used as the command:

# These are equivalent:
- exec:
    - /usr/bin/myapp --config /etc/myapp.conf:

- exec:
    - run-myapp:
        command: /usr/bin/myapp --config /etc/myapp.conf

Using a descriptive name with explicit command is recommended for clarity.

Environment and Path

Commands can be configured with custom environment:

- exec:
    - build-app:
        command: make build
        cwd: /opt/app
        environment:
          - CC=gcc
          - CFLAGS=-O2
        path: /usr/local/bin:/usr/bin:/bin

Environment:

Added to the command’s environment
Format: KEY=value
Does not replace existing environment

Path:

Sets the PATH for executable lookup
Must be absolute directories
Colon-separated list

Posix Provider

This document describes the implementation details of the Posix exec provider for executing commands without a shell.

Provider Selection

The Posix provider is the default exec provider. It is always available and returns priority 1 for all exec resources unless a different provider is explicitly requested via the provider property.

To use the shell provider instead, specify provider: shell in the resource properties.

Comparison with Shell Provider

Feature	Posix	Shell
Shell invocation	No	Yes (`/bin/sh -c`)
Pipes (`\|`)	Not supported	Supported
Redirections (`>`, `<`)	Not supported	Supported
Shell builtins (`cd`, `export`)	Not supported	Supported
Glob expansion	Not supported	Supported
Command substitution (`$(...)`)	Not supported	Supported
Argument parsing	`shellquote.Split()`	Passed as single string
Security	Lower attack surface	Shell injection possible

When to use Posix (default):

Simple commands with arguments
When shell features are not needed
For better security (no shell injection risk)

When to use Shell:

Commands with pipes, redirections, or shell builtins
Complex command strings
When shell expansion is required

Operations

Execute

Process:

Determine command source (Command property or Name if Command is empty)
Parse command string into words using shellquote.Split()
Extract command (first word) and arguments (remaining words)
Execute via CommandRunner.ExecuteWithOptions()
Optionally log output line-by-line if LogOutput is enabled

Command Parsing:

The command string is parsed using github.com/kballard/go-shellquote, which handles:

Syntax	Example	Result
Simple words	`echo hello world`	`["echo", "hello", "world"]`
Single quotes	`echo 'hello world'`	`["echo", "hello world"]`
Double quotes	`echo "hello world"`	`["echo", "hello world"]`
Escaped spaces	`echo hello\ world`	`["echo", "hello world"]`
Mixed quoting	`echo "it's a test"`	`["echo", "it's a test"]`

Execution Options:

Option	Source	Description
`Command`	First word after parsing	Executable path or name
`Args`	Remaining words	Command arguments
`Cwd`	`properties.Cwd`	Working directory
`Environment`	`properties.Environment`	Additional env vars (`KEY=VALUE` format)
`Path`	`properties.Path`	Search path for executables
`Timeout`	`properties.ParsedTimeout`	Maximum execution time

Output Logging:

When LogOutput: true is set and a user logger is provided:

scanner := bufio.NewScanner(bytes.NewReader(stdout))
for scanner.Scan() {
    log.Info(scanner.Text())
}

Each line of stdout is logged as a separate Info message.

Error Handling:

Condition	Behavior
Empty command string	Return error: “no command specified”
Invalid shell quoting	Return parsing error (e.g., “Unterminated single quote”)
Runner not configured	Return error: “no command runner configured”
Command execution fails	Return error from runner
Non-zero exit code	Return exit code (not an error by itself)

Status

Process:

Create state with EnsurePresent (exec resources are always “present”)
Check if Creates file exists via util.FileExists()
Set CreatesSatisfied accordingly

State Fields:

Field	Value
`Protocol`	`io.choria.ccm.v1.resource.exec.state`
`ResourceType`	`exec`
`Name`	Resource name
`Ensure`	`present` (always)
`CreatesSatisfied`	`true` if `Creates` file exists

Idempotency

The exec resource achieves idempotency through multiple mechanisms:

Creates File

If creates is specified and the file exists, the command does not run:

- exec:
    - /usr/bin/tar -xzf app.tar.gz:
        creates: /opt/app/bin/app
        cwd: /opt

RefreshOnly Mode

When refreshonly: true, the command only runs when triggered by a subscribed resource:

- exec:
    - systemctl reload httpd:
        refreshonly: true
        subscribe:
          - file#/etc/httpd/conf/httpd.conf

Exit Code Validation

The returns property specifies acceptable exit codes (default: [0]):

- exec:
    - /opt/app/healthcheck:
        returns: [0, 1, 2]  # 0=healthy, 1=degraded, 2=warning

Decision Flow

┌─────────────────────────────────────────┐
│ Should resource be applied?             │
└─────────────────┬───────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────┐
│ Subscribe triggered?                     │
│ (subscribed resource changed)            │
└─────────────┬───────────────┬───────────┘
              │ Yes           │ No
              ▼               ▼
┌─────────────────┐   ┌───────────────────┐
│ Execute command │   │ Creates satisfied? │
└─────────────────┘   └─────────┬─────────┘
                                │
                      ┌─────────┴─────────┐
                      │ Yes               │ No
                      ▼                   ▼
              ┌───────────────┐   ┌───────────────────┐
              │ Skip (stable) │   │ RefreshOnly mode? │
              └───────────────┘   └─────────┬─────────┘
                                            │
                                  ┌─────────┴─────────┐
                                  │ Yes               │ No
                                  ▼                   ▼
                          ┌───────────────┐   ┌───────────────┐
                          │ Skip (stable) │   │ Execute       │
                          └───────────────┘   └───────────────┘

Properties Validation

The model validates exec properties before execution:

Property	Validation
`name`	Must be parseable by shellquote (balanced quotes)
`timeout`	Must be valid duration format (e.g., `30s`, `5m`)
`subscribe`	Each entry must be `type#name` format
`path`	Each directory must be absolute (start with `/`)
`environment`	Each entry must be `KEY=VALUE` format with non-empty key and value

Platform Support

The Posix provider works on all platforms supported by Go’s os/exec package. It does not use any platform-specific system calls directly.

The command runner (model.CommandRunner) handles the actual process execution, which may have platform-specific implementations.

Security Considerations

No Shell Injection

Unlike the shell provider, the posix provider does not invoke a shell. Arguments are passed directly to the executable, preventing shell injection attacks:

# Safe with posix provider - $USER is passed literally, not expanded
- exec:
    - /bin/echo $USER:
        provider: posix  # Default

# Potentially dangerous with shell provider - $USER is expanded
- exec:
    - /bin/echo $USER:
        provider: shell

Path Validation

The path property only accepts absolute directory paths, preventing path traversal via relative paths.

Environment Validation

Environment variables must have non-empty keys and values, preventing injection of empty or malformed entries.

Shell Provider

This document describes the implementation details of the Shell exec provider for executing commands via /bin/sh.

Provider Selection

The Shell provider is selected when provider: shell is explicitly specified in the resource properties. It has a lower priority (99) than the Posix provider (1), so it is never automatically selected.

Availability: The provider checks for the existence of /bin/sh via util.FileExists(). If /bin/sh does not exist, the provider is not available.

Comparison with Posix Provider

Feature	Shell	Posix
Shell invocation	Yes (`/bin/sh -c`)	No
Pipes (`\|`)	Supported	Not supported
Redirections (`>`, `<`, `>>`)	Supported	Not supported
Shell builtins (`cd`, `export`, `source`)	Supported	Not supported
Glob expansion (`*.txt`, `?`)	Supported	Not supported
Command substitution (`$(...)`, `...`)	Supported	Not supported
Variable expansion (`$VAR`, `${VAR}`)	Supported	Not supported
Logical operators (`&&`, `\|\|`)	Supported	Not supported
Argument parsing	Passed as single string	`shellquote.Split()`
Security	Shell injection possible	Lower attack surface

When to use Shell:

Commands with pipes: cat file.txt | grep pattern | sort
Commands with redirections: echo "data" > /tmp/file
Commands with shell builtins: cd /tmp && pwd
Commands with variable expansion: echo $HOME
Complex one-liners with logical operators

When to use Posix (default):

Simple commands with arguments
When shell features are not needed
For better security (no shell injection risk)

Operations

Execute

Process:

Determine command source (Command property or Name if Command is empty)
Validate command is not empty
Execute via CommandRunner.ExecuteWithOptions() with /bin/sh -c "<command>"
Optionally log output line-by-line if LogOutput is enabled

Execution Method:

The entire command string is passed to the shell as a single argument:

/bin/sh -c "<entire command string>"

This allows the shell to interpret all shell syntax, including:

Pipes and redirections
Variable expansion
Glob patterns
Command substitution
Logical operators

Execution Options:

Option	Value	Description
`Command`	`/bin/sh`	Shell executable path
`Args`	`["-c", "<command>"]`	Shell flag and command string
`Cwd`	`properties.Cwd`	Working directory
`Environment`	`properties.Environment`	Additional env vars (`KEY=VALUE` format)
`Path`	`properties.Path`	Search path for executables
`Timeout`	`properties.ParsedTimeout`	Maximum execution time

Output Logging:

When LogOutput: true is set and a user logger is provided:

scanner := bufio.NewScanner(bytes.NewReader(stdout))
for scanner.Scan() {
    log.Info(scanner.Text())
}

Each line of stdout is logged as a separate Info message.

Error Handling:

Condition	Behavior
Empty command string	Return error: “no command to execute”
Runner not configured	Return error: “no command runner configured”
Shell not found	Provider not available (checked at selection time)
Command execution fails	Return error from runner
Non-zero exit code	Return exit code (not an error by itself)

Status

Process:

Create state with EnsurePresent (exec resources are always “present”)
Check if Creates file exists via util.FileExists()
Set CreatesSatisfied accordingly

State Fields:

Field	Value
`Protocol`	`io.choria.ccm.v1.resource.exec.state`
`ResourceType`	`exec`
`Name`	Resource name
`Ensure`	`present` (always)
`CreatesSatisfied`	`true` if `Creates` file exists

Use Cases

Pipes and Filters

- exec:
    - filter-logs:
        command: cat /var/log/app.log | grep ERROR | tail -100 > /tmp/errors.txt
        provider: shell
        creates: /tmp/errors.txt

Conditional Execution

- exec:
    - ensure-running:
        command: pgrep myapp || /opt/myapp/bin/start
        provider: shell

Complex Scripts

- exec:
    - deploy-app:
        command: |
          cd /opt/app &&
          git pull origin main &&
          npm install &&
          npm run build &&
          systemctl restart app
        provider: shell
        timeout: 5m

Variable Expansion

- exec:
    - backup-home:
        command: tar -czf /backup/home-$(date +%Y%m%d).tar.gz $HOME
        provider: shell

Idempotency

The shell provider uses the same idempotency mechanisms as the posix provider:

Creates File

If creates is specified and the file exists, the command does not run:

- exec:
    - extract-archive:
        command: cd /opt && tar -xzf /tmp/app.tar.gz
        provider: shell
        creates: /opt/app/bin/app

RefreshOnly Mode

When refreshonly: true, the command only runs when triggered by a subscribed resource:

- exec:
    - reload-nginx:
        command: nginx -t && systemctl reload nginx
        provider: shell
        refreshonly: true
        subscribe:
          - file#/etc/nginx/nginx.conf

Exit Code Validation

The returns property specifies acceptable exit codes (default: [0]):

- exec:
    - check-service:
        command: systemctl is-active myapp || true
        provider: shell
        returns: [0]

Security Considerations

Shell Injection Risk

The shell provider passes the command string directly to /bin/sh, making it vulnerable to shell injection if user input is incorporated:

# DANGEROUS if filename comes from untrusted input
- exec:
    - process-file:
        command: cat {{ user_provided_filename }} | process
        provider: shell

Mitigations:

Validate and sanitize any templated values
Use the posix provider when shell features aren’t needed
Prefer explicit file paths over user-provided values

Environment Variable Exposure

Shell commands can access environment variables, including sensitive ones:

# $SECRET_KEY will be expanded by the shell
- exec:
    - use-secret:
        command: myapp --key=$SECRET_KEY
        provider: shell

Consider using the environment property to explicitly pass required variables rather than relying on inherited environment.

Command Logging

The full command string (including any expanded variables) may appear in logs. Avoid embedding secrets directly in commands:

# BAD - password visible in logs
- exec:
    - bad-example:
        command: mysql -p'secret123' -e 'SELECT 1'
        provider: shell

# BETTER - use environment variable
- exec:
    - better-example:
        command: mysql -p"$MYSQL_PWD" -e 'SELECT 1'
        provider: shell
        environment:
          - MYSQL_PWD={{ lookup('data.mysql_password') }}

Platform Support

The shell provider requires /bin/sh to be available. This is standard on:

Linux distributions
macOS
BSD variants
Most Unix-like systems

On Windows, the provider will not be available unless /bin/sh exists (e.g., via WSL or Cygwin).

Shell Compatibility

The provider uses /bin/sh, which is typically:

Linux: Often a symlink to bash, dash, or another POSIX-compliant shell
macOS: /bin/sh is bash (older) or zsh (newer) in POSIX mode
BSD: Usually ash or similar

For maximum portability, use POSIX shell syntax and avoid bash-specific features like:

Arrays (arr=(1 2 3))
[[ conditionals (use [ instead)
source (use . instead)
Process substitution (<(command))

File Type

This document describes the design of the file resource type for managing files and directories.

Overview

The file resource manages files and directories with three aspects:

Existence: Whether the file/directory exists or is absent
Content: The contents of a file (from inline content or source file)
Attributes: Owner, group, and permissions

Provider Interface

File providers must implement the FileProvider interface:

type FileProvider interface {
    model.Provider

    CreateDirectory(ctx context.Context, dir string, owner string, group string, mode string) error
    Store(ctx context.Context, file string, contents []byte, source string, owner string, group string, mode string) error
    Status(ctx context.Context, file string) (*model.FileState, error)
}

Method Responsibilities

Method	Responsibility
`Status`	Query current file state (existence, type, content hash, attributes)
`Store`	Create or update a file with content and attributes
`CreateDirectory`	Create a directory with attributes

Status Response

The Status method returns a FileState containing:

type FileState struct {
    CommonResourceState
    Metadata *FileMetadata
}

type FileMetadata struct {
    Name     string         // File path
    Checksum string         // SHA256 hash of contents (files only)
    Owner    string         // Owner username
    Group    string         // Group name
    Mode     string         // Permissions in octal (e.g., "0644")
    Provider string         // Provider name (e.g., "posix")
    MTime    time.Time      // Modification time
    Size     int64          // File size in bytes
    Extended map[string]any // Provider-specific metadata
}

The Ensure field in CommonResourceState is set to:

present if a regular file exists
directory if a directory exists
absent if the path does not exist

Available Providers

Provider	Platform	Documentation
`posix`	Unix/Linux	Posix

Ensure States

Value	Description
`present`	Path must be a regular file with specified content
`absent`	Path must not exist
`directory`	Path must be a directory

Content Sources

Files can receive content from two mutually exclusive sources:

Property	Description
`contents`	Inline string content (template-resolved)
`source`	Path to local file to copy from

# Inline content with template
- file:
    - /etc/motd:
        ensure: present
        content: |
          Welcome to {{ lookup('facts.hostname') }}
          Managed by CCM
        owner: root
        group: root
        mode: "0644"

# Copy from source file
- file:
    - /etc/app/config.yaml:
        ensure: present
        source: files/config.yaml
        owner: app
        group: app
        mode: "0640"

When using source, the path is relative to the manifest’s working directory if one is set.

Required Properties

Unlike some resources, file resources require explicit attributes:

Property	Required	Description
`owner`	Yes	Username that owns the file
`group`	Yes	Group that owns the file
`mode`	Yes	Permissions in octal notation

This prevents accidental creation of files with default or inherited permissions.

Apply Logic

┌─────────────────────────────────────────┐
│ Get current state via Status()          │
└─────────────────┬───────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────┐
│ Is current state desired state?         │
└─────────────────┬───────────────────────┘
              Yes │         No
                  ▼         │
          ┌───────────┐     │
          │ No change │     │
          └───────────┘     │
                            ▼
              ┌─────────────────────────┐
              │ What is desired ensure? │
              └─────────────┬───────────┘
                            │
    ┌───────────────────────┼───────────────────────┐
    │ absent                │ directory             │ present
    ▼                       ▼                       ▼
┌────────────┐      ┌───────────────┐      ┌───────────────┐
│ Remove     │      │ CreateDir     │      │ Store         │
│ (os.Remove)│      │               │      │               │
└────────────┘      └───────────────┘      └───────────────┘

Idempotency

The file resource checks multiple attributes for idempotency:

State Checks (in order)

Ensure match: Current type matches desired (present/absent/directory)
Content match: SHA256 checksum of contents matches (for ensure: present)
Owner match: Current owner matches desired
Group match: Current group matches desired
Mode match: Current permissions match desired

Decision Table

Desired	Current State	Action
`absent`	absent	None
`absent`	present/directory	Remove
`directory`	directory + matching attrs	None
`directory`	absent/present	CreateDirectory
`directory`	directory + wrong attrs	CreateDirectory (updates attrs)
`present`	present + matching all	None
`present`	absent	Store
`present`	present + wrong content	Store
`present`	present + wrong attrs	Store

Content Comparison

Content is compared using SHA256 checksums:

Source	Checksum Method
`contents` property	`Sha256HashBytes([]byte(contents))`
`source` property	`Sha256HashFile(adjustedPath)`
Existing file	`Sha256HashFile(filePath)`

Mode Validation

File modes are validated during resource creation:

Valid Formats:

"0644" - Standard octal
"644" - Without leading zero
"0o755" - With 0o prefix
"0O700" - With 0O prefix

Validation Rules:

Must be valid octal number (digits 0-7)
Must be ≤ 0777 (no setuid/setgid/sticky via mode)

Path Validation

File paths must be:

Absolute (start with /)
Clean (no . or .. components, filepath.Clean(path) == path)

if filepath.Clean(p.Name) != p.Name {
    return fmt.Errorf("file path must be absolute")
}

Working Directory

When a manifest has a working directory (e.g., extracted from an archive), the source property is resolved relative to it:

if properties.Source != "" && mgr.WorkingDirectory() != "" {
    source = filepath.Join(mgr.WorkingDirectory(), properties.Source)
}

This allows manifests bundled with their source files to use relative paths.

Noop Mode

In noop mode, the file type:

Queries current state normally
Computes content checksums
Logs what actions would be taken
Sets appropriate NoopMessage:
- “Would have created the file”
- “Would have created directory”
- “Would have removed the file”
Reports Changed: true if changes would occur
Does not call provider Store/CreateDirectory methods
Does not remove files

Desired State Validation

After applying changes (in non-noop mode), the type verifies the file reached the desired state by calling Status() again and checking all attributes match. If validation fails, ErrDesiredStateFailed is returned.

Posix Provider

This document describes the implementation details of the Posix file provider for managing files and directories on Unix-like systems.

Provider Selection

The Posix provider is the default and only file provider. It is always available and returns priority 1 for all file resources.

Operations

Store (Create/Update File)

Process:

Verify parent directory exists
Parse file mode from octal string
Open source file if source property is set
Create temporary file in the same directory as target
Set file permissions on temp file
Write content (from source file or contents property)
Set ownership (chown) on temp file
Close temp file
Atomic rename temp file to target path

Atomic Write Pattern:

[parent dir]/<basename>.* (temp file)
    ↓ chmod (set permissions)
    ↓ write content
    ↓ chown (set owner/group)
    ↓ close
    ↓ rename
[parent dir]/<basename> (final file)

The temp file is created in the same directory as the target to ensure os.Rename() is atomic (same filesystem).

Content Sources:

Property	Behavior
`contents`	Write string directly to file (template-resolved)
`source`	Copy from local file path (adjusted for working directory)

If both are empty, an empty file is created.

Error Handling:

Condition	Behavior
Parent directory doesn’t exist	Return error: “is not a directory”
Invalid mode format	Return error from `strconv.ParseUint`
Source file not found	Return error from `os.Open`
Permission denied	Return error from underlying syscall
Rename failure	Return error: “could not rename temporary file”

CreateDirectory

Process:

Parse file mode from octal string
Create directory and parents via os.MkdirAll()
Lookup numeric UID/GID from owner/group names
Set permissions via os.Chmod() (ensures correct mode even if umask affected MkdirAll)
Set ownership via os.Chown()

Command Sequence:

os.MkdirAll(dir, parsedMode)    // Create directory tree
os.Chmod(dir, parsedMode)        // Ensure correct permissions
os.Chown(dir, uid, gid)          // Set ownership

The explicit Chmod after MkdirAll is necessary because MkdirAll applies the process umask to the mode.

Status

Process:

Initialize state with default metadata
Call os.Stat() on file path
Based on result, populate state accordingly

State Detection:

`os.Stat()` Result	Ensure Value	Metadata
File exists	`present`	Size, mtime, owner, group, mode, checksum
Directory exists	`directory`	Size, mtime, owner, group, mode
`os.ErrNotExist`	`absent`	None
`os.ErrPermission`	`absent`	None (logged as warning)
Other error	(unchanged)	None (logged as warning)

Metadata Collection:

Field	Source
`Name`	From properties
`Provider`	“posix”
`Size`	`FileInfo.Size()`
`MTime`	`FileInfo.ModTime()`
`Owner`	`util.GetFileOwner()` - resolves UID to username
`Group`	`util.GetFileOwner()` - resolves GID to group name
`Mode`	`util.GetFileOwner()` - octal string (e.g., “0644”)
`Checksum`	`util.Sha256HashFile()` - SHA256 hash (files only)

Note: Checksum is only calculated for regular files, not directories.

Idempotency

The file resource achieves idempotency by comparing current state against desired state:

State Checks

The isDesiredState() function checks (in order):

Ensure value matches - present, absent, or directory
Content checksum matches - SHA256 of contents vs existing file (for files only)
Owner matches - Username comparison
Group matches - Group name comparison
Mode matches - Octal permission string comparison

Decision Flow

┌─────────────────────────────────────────┐
│ What is the desired ensure state?       │
└─────────────────┬───────────────────────┘
                  │
    ┌─────────────┼─────────────┬─────────────┐
    │ absent      │ directory   │ present     │
    ▼             ▼             ▼             │
┌───────────┐ ┌───────────┐ ┌───────────────┐ │
│ File      │ │ Directory │ │ File exists?  │ │
│ exists?   │ │ exists?   │ │ Content match?│ │
└─────┬─────┘ └─────┬─────┘ │ Owner match?  │ │
      │             │       │ Group match?  │ │
  Yes │ No      Yes │ No    │ Mode match?   │ │
      ▼             ▼       └───────┬───────┘ │
┌─────────┐ ┌───────────┐           │         │
│ Remove  │ │ Stable    │     All Yes│    No   │
│ file    │ │           │           ▼         ▼
└─────────┘ └───────────┘   ┌───────────┐ ┌───────────┐
                            │ Stable    │ │ Store     │
                            └───────────┘ └───────────┘

Content Comparison

For files with ensure: present:

Content Source	Checksum Calculation
`contents` property	`Sha256HashBytes([]byte(contents))`
`source` property	`Sha256HashFile(adjustedSourcePath)`

The source path is adjusted based on the manager’s working directory when set.

Mode Validation

File modes are validated during resource creation:

Strip optional 0o or 0O prefix
Parse as octal number (base 8)
Validate range: must be ≤ 0777

Valid Mode Examples:

Input	Parsed Value
`"0644"`	0o644
`"644"`	0o644
`"0o755"`	0o755
`"0O700"`	0o700

Invalid Mode Examples:

Input	Error
`"0888"`	Invalid octal digit
`"1777"`	Exceeds maximum (setuid/setgid not supported via mode)
`"rw-r--r--"`	Not octal format

Ownership Resolution

Owner and group names are resolved to numeric UID/GID via:

uid, gid, err := util.LookupOwnerGroup(owner, group)

This uses the system’s user database (/etc/passwd, /etc/group, or equivalent):

user.Lookup(owner) → UID
user.LookupGroup(group) → GID

Error Handling:

Condition	Behavior
User not found	Return error: “could not lookup user”
Group not found	Return error: “could not lookup group”
Invalid UID/GID format	Return error from `strconv.Atoi`

Working Directory Support

When a manager has a working directory set (e.g., from extracted manifest), the source property path is adjusted:

func (t *Type) adjustedSource(properties *model.FileResourceProperties) string {
    source := properties.Source
    if properties.Source != "" && t.mgr.WorkingDirectory() != "" {
        source = filepath.Join(t.mgr.WorkingDirectory(), properties.Source)
    }
    return source
}

This allows manifests to use relative paths for source files bundled with the manifest.

Platform Support

The Posix provider uses Unix-specific system calls:

Operation	System Call
Get file owner/group	`syscall.Stat_t` (UID/GID from stat)
Set ownership	`os.Chown()` → `chown(2)`
Set permissions	`os.Chmod()` → `chmod(2)`

The provider has separate implementations for Unix and Windows (file_unix.go, file_windows.go in internal/util), with Windows returning errors for ownership operations.

Security Considerations

Atomic Writes

Files are written atomically via temp file + rename. This prevents:

Partial file reads during write
Corruption if process is interrupted
Race conditions with concurrent readers

Permission Ordering

Permissions and ownership are set on the temp file before rename:

Chmod - Set permissions
Write content
Chown - Set ownership
Rename to target

This ensures the file never exists at the target path with incorrect permissions.

Path Validation

File paths must be absolute and clean (no . or .. components):

if filepath.Clean(p.Name) != p.Name {
    return fmt.Errorf("file path must be absolute")
}

Required Properties

Owner, group, and mode are required properties and cannot be empty, preventing accidental creation of files with default/inherited permissions.

Package Type

This document describes the design of the package resource type for managing software packages.

Overview

The package resource manages software packages with two aspects:

Existence: Whether the package is installed or absent
Version: The specific version installed (when applicable)

Provider Interface

Package providers must implement the PackageProvider interface:

type PackageProvider interface {
    model.Provider

    Install(ctx context.Context, pkg string, version string) error
    Upgrade(ctx context.Context, pkg string, version string) error
    Downgrade(ctx context.Context, pkg string, version string) error
    Uninstall(ctx context.Context, pkg string) error
    Status(ctx context.Context, pkg string) (*model.PackageState, error)
    VersionCmp(versionA, versionB string, ignoreTrailingZeroes bool) (int, error)
}

Method Responsibilities

Method	Responsibility
`Status`	Query current package state (installed version or absent)
`Install`	Install package at specified version (or latest if “latest”)
`Upgrade`	Upgrade package to specified version
`Downgrade`	Downgrade package to specified version
`Uninstall`	Remove the package
`VersionCmp`	Compare two version strings (-1, 0, 1)

Status Response

The Status method returns a PackageState containing:

type PackageState struct {
    CommonResourceState
    Metadata *PackageMetadata
}

type PackageMetadata struct {
    Name        string         // Package name
    Version     string         // Installed version
    Arch        string         // Architecture (e.g., "x86_64")
    License     string         // Package license
    URL         string         // Package URL
    Summary     string         // Short description
    Description string         // Full description
    Provider    string         // Provider name (e.g., "dnf")
    Extended    map[string]any // Provider-specific metadata
}

The Ensure field in CommonResourceState is set to:

The installed version string if the package is installed
absent if the package is not installed

Available Providers

Provider	Package Manager	Documentation
`dnf`	DNF (Fedora/RHEL)	DNF
`apt`	APT (Debian/Ubuntu)	APT

Ensure States

Value	Description
`present`	Package must be installed (any version)
`absent`	Package must not be installed
`latest`	Package must be upgraded to latest available
`<version>`	Package must be at specific version

# Install any version
- package:
    - vim:
        ensure: present

# Install latest version
- package:
    - vim:
        ensure: latest

# Install specific version
- package:
    - nginx:
        ensure: "1.24.0-1.el9"

# Remove package
- package:
    - telnet:
        ensure: absent

Apply Logic

Phase 1: Handle Special Cases

┌─────────────────────────────────────────┐
│ Get current state via Status()          │
└─────────────────┬───────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────┐
│ Is ensure = "latest"?                   │
└─────────────────┬───────────────────────┘
              Yes │         No
                  ▼         │
    ┌─────────────────────┐ │
    │ Is package absent?  │ │
    └─────────────┬───────┘ │
              Yes │     No  │
                  ▼     ▼   │
          ┌────────┐ ┌────────┐
          │Install │ │Upgrade │
          │latest  │ │latest  │
          └────────┘ └────────┘
                            │
                            ▼
              ┌─────────────────────────┐
              │ Is desired state met?   │
              └─────────────┬───────────┘
                        Yes │         No
                            ▼         │
                    ┌───────────┐     │
                    │ No change │     ▼
                    └───────────┘  (Phase 2)

Phase 2: Handle Ensure Values

              ┌─────────────────────────┐
              │ What is desired ensure? │
              └─────────────┬───────────┘
                            │
    ┌───────────────────────┼───────────────────────┐
    │ absent                │ present               │ <version>
    ▼                       ▼                       ▼
┌────────────┐      ┌───────────────┐      ┌───────────────┐
│ Uninstall  │      │ Is absent?    │      │ Is absent?    │
└────────────┘      └───────┬───────┘      └───────┬───────┘
                        Yes │     No           Yes │     No
                            ▼     ▼                ▼     ▼
                    ┌────────┐ ┌────────┐  ┌────────┐ ┌────────────┐
                    │Install │ │No      │  │Install │ │Compare     │
                    │        │ │change  │  │version │ │versions    │
                    └────────┘ └────────┘  └────────┘ └─────┬──────┘
                                                            │
                                           ┌────────────────┼────────────────┐
                                           │ current <      │ current =      │ current >
                                           ▼                ▼                ▼
                                   ┌───────────┐    ┌───────────┐    ┌───────────┐
                                   │ Upgrade   │    │ No change │    │ Downgrade │
                                   └───────────┘    └───────────┘    └───────────┘

Version Comparison

The VersionCmp method compares two version strings:

Return Value	Meaning
`-1`	versionA < versionB (upgrade needed)
`0`	versionA == versionB (no change)
`1`	versionA > versionB (downgrade needed)

Version comparison is delegated to the provider, allowing platform-specific version parsing (e.g., RPM epoch handling, Debian revision suffixes).

Idempotency

The package resource is idempotent through state comparison:

Decision Table

Desired	Current State	Action
`ensure: present`	installed (any version)	None
`ensure: present`	absent	Install
`ensure: absent`	absent	None
`ensure: absent`	installed	Uninstall
`ensure: latest`	absent	Install latest
`ensure: latest`	installed	Upgrade (always runs)
`ensure: <version>`	same version	None
`ensure: <version>`	older version	Upgrade
`ensure: <version>`	newer version	Downgrade
`ensure: <version>`	absent	Install

Special Case: `ensure: latest`

When ensure: latest is used:

The package manager determines what “latest” means
Upgrade is always called when the package exists (package manager is idempotent)
The type cannot verify if “latest” was achieved (package managers may report stale data)
Desired state validation only checks that the package is not absent

Package Name Validation

Package names are validated to prevent injection attacks:

Allowed Characters:

Alphanumeric (a-z, A-Z, 0-9)
Period (.), underscore (_), plus (+)
Colon (:), tilde (~), hyphen (-)

Rejected:

Shell metacharacters (;, |, &, $, etc.)
Whitespace
Quotes and backticks
Path separators

Version strings (when ensure is a version) are also validated for dangerous characters.

Noop Mode

In noop mode, the package type:

Queries current state normally
Computes version comparison
Logs what actions would be taken
Sets appropriate NoopMessage:
- “Would have installed latest”
- “Would have upgraded to latest”
- “Would have installed version X”
- “Would have upgraded to X”
- “Would have downgraded to X”
- “Would have uninstalled”
Reports Changed: true if changes would occur
Does not call provider Install/Upgrade/Downgrade/Uninstall methods

Desired State Validation

After applying changes (in non-noop mode), the type verifies the package reached the desired state:

func (t *Type) isDesiredState(properties, state) bool {
    switch properties.Ensure {
    case "present":
        // Any installed version is acceptable
        return state.Ensure != "absent"

    case "absent":
        return state.Ensure == "absent"

    case "latest":
        // Cannot verify "latest", just check not absent
        return state.Ensure != "absent"

    default:
        // Specific version must match
        return VersionCmp(state.Ensure, properties.Ensure, false) == 0
    }
}

If the desired state is not reached, an ErrDesiredStateFailed error is returned.

APT Provider

This document describes the implementation details of the APT package provider for Debian-based systems.

Environment

All commands are executed with the following environment variables to ensure non-interactive operation:

Variable	Value	Purpose
`DEBIAN_FRONTEND`	`noninteractive`	Prevents dpkg from prompting for user input
`APT_LISTBUGS_FRONTEND`	`none`	Suppresses apt-listbugs prompts
`APT_LISTCHANGES_FRONTEND`	`none`	Suppresses apt-listchanges prompts

Concurrency

A global package lock (model.PackageGlobalLock) is held during all command executions to prevent concurrent apt/dpkg operations within the same process. This prevents lock contention on /var/lib/dpkg/lock.

Operations

Status Check

Command:

dpkg-query -W -f='${Package} ${Version} ${Architecture} ${db:Status-Status}' <package>

Behavior:

Exit code 0 with installed status → Package is present, returns version info
Exit code non-zero OR status not installed → Package is absent

Package States: The db:Status-Status field can return various values. Only installed is treated as present:

Status	Treated As	Description
`installed`	Present	Package fully installed
`config-files`	Absent	Removed but config files remain
`half-installed`	Absent	Installation started but failed
`half-configured`	Absent	Configuration failed
`unpacked`	Absent	Unpacked but not configured
`not-installed`	Absent	Not installed

Treating non-installed states as absent allows apt-get install to repair broken installations.

Install

Ensure Present:

apt-get install -y -q -o DPkg::Options::=--force-confold <package>

Ensure Latest:

apt-cache policy <package>                    # Get candidate version
apt-get install -y -q -o DPkg::Options::=--force-confold <package>=<version>

Specific Version:

apt-get install -y -q -o DPkg::Options::=--force-confold --allow-downgrades <package>=<version>

Flags:

Flag	Purpose
`-y`	Assume yes to prompts
`-q`	Quiet output
`-o DPkg::Options::=--force-confold`	Keep existing config files on upgrade
`--allow-downgrades`	Allow installing older versions (specific version only)

Upgrade

Delegates to Install() with the target version. The --allow-downgrades flag is only added for specific version requests, not for latest.

Downgrade

Delegates to Install() with the target version. The --allow-downgrades flag enables this operation.

Uninstall

Command:

apt-get -q -y remove <package>

Note: Uses remove not purge, so configuration files are preserved. A subsequent install will find existing config files.

Latest Available Version

Command:

apt-cache policy <package>

Parsing: Extracts the Candidate: line from output.

Example output:

zsh:
  Installed: 5.9-8+b18
  Candidate: 5.9-8+b18
  Version table:
 *** 5.9-8+b18 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages
        100 /var/lib/dpkg/status

Version Comparison

Version comparison follows the Debian Policy Manual algorithm.

Version Format

[epoch:]upstream_version[-debian_revision]

Component	Required	Description
`epoch`	No	Integer, default 0. Higher epoch always wins.
`upstream_version`	Yes	The main version from upstream
`debian_revision`	No	Debian-specific revision

Examples:

1.0 → epoch=0, upstream=1.0, revision=""
1:2.0-3 → epoch=1, upstream=2.0, revision=3
2:1.0.0+git-20190109-0ubuntu2 → epoch=2, upstream=1.0.0+git-20190109, revision=0ubuntu2

Comparison Algorithm

Compare epochs numerically - Higher epoch wins regardless of other components
Compare upstream_version and debian_revision using the Debian string comparison:
The string is processed left-to-right in segments:
a. Tildes (~) - Compared first. More tildes = earlier version. Tilde sorts before everything, even empty string.
- 1.0~alpha < 1.0 (tilde before empty)
- 1.0~~ < 1.0~ (more tildes = earlier)
b. Letters (A-Za-z) - Compared lexically (ASCII order)
- Letters sort before non-letters
c. Non-letters (., +, -) - Compared lexically
d. Digits - Compared numerically (not lexically)
- 9 < 13 (numeric comparison)
These steps repeat until a difference is found or both strings are exhausted.

Comparison Examples

A	B	Result	Reason
`1.0`	`2.0`	A < B	Numeric comparison
`1:1.0`	`2.0`	A > B	Epoch 1 > epoch 0
`1.0~alpha`	`1.0`	A < B	Tilde sorts before empty
`1.0~alpha`	`1.0~beta`	A < B	Lexical: alpha < beta
`1.0.1`	`1.0.2`	A < B	Numeric: 1 < 2
`1.0-1`	`1.0-2`	A < B	Revision comparison
`1.0a`	`1.0-`	A < B	Letters sort before non-letters

Implementation

The version comparison is implemented in version.go, ported from Puppet’s Puppet::Util::Package::Version::Debian module. It provides:

ParseVersion(string) - Parse a version string into components
CompareVersionStrings(a, b) - Compare two version strings directly
Version.Compare(other) - Compare parsed versions (-1, 0, 1)
Helper methods: LessThan, GreaterThan, Equal, etc.

DNF Provider

This document describes the implementation details of the DNF package provider for RHEL/Fedora-based systems.

Concurrency

A global package lock (model.PackageGlobalLock) is held during all command executions to prevent concurrent dnf/rpm operations within the same process. This prevents lock contention on the RPM database.

Operations

Status Check

Command:

rpm -q <package> --queryformat '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}'

Query Format (NEVRA): The query format extracts the full NEVRA (Name, Epoch, Version, Release, Architecture):

Field	Description
`%{NAME}`	Package name
`%\|EPOCH?{%{EPOCH}}:{0}\|`	Epoch (0 if not set)
`%{VERSION}`	Upstream version
`%{RELEASE}`	Release/build number
`%{ARCH}`	Architecture (x86_64, noarch, etc.)

Example output:

zsh 0 5.8 9.el9 x86_64

Behavior:

Exit code 0 → Package is present, parses NEVRA components
Exit code non-zero → Package is absent

Returned Version Format: The version returned combines VERSION and RELEASE: 5.8-9.el9

The epoch and release are stored separately in the Extended metadata.

Install

Ensure Present or Latest:

dnf install -y <package>

Specific Version:

dnf install -y <package>-<version>

Flags:

Flag	Purpose
`-y`	Assume yes to all prompts

Note: DNF uses - (hyphen) to separate package name from version, unlike APT which uses =.

Upgrade

Delegates to Install(). DNF’s install command handles upgrades automatically when a newer version is available or specified.

Downgrade

Command:

dnf downgrade -y <package>-<version>

Note: Unlike upgrade, downgrade uses a dedicated DNF command rather than delegating to install.

Uninstall

Command:

dnf remove -y <package>

Version Format

RPM versions follow the EVR (Epoch:Version-Release) format:

[epoch:]version-release

Component	Required	Description
`epoch`	No	Integer, default 0. Higher epoch always wins.
`version`	Yes	Upstream version number
`release`	Yes	Distribution-specific release/build number

Examples:

5.8-9.el9 → epoch=0, version=5.8, release=9.el9
1:2.0-3.fc39 → epoch=1, version=2.0, release=3.fc39
0:1.0.0-1.el9 → epoch=0 (explicit), version=1.0.0, release=1.el9

Version Comparison

Version comparison uses a generic algorithm ported from Puppet, implemented in internal/util.VersionCmp().

Algorithm

The version string is tokenized into segments by splitting on -, ., digits, and non-digit sequences. Segments are compared left-to-right:

Hyphens (-) - A hyphen loses to any other character
Dots (.) - A dot loses to any non-hyphen character
Digit sequences - Compared numerically, except:
- Leading zeros trigger lexical comparison (01 vs 1 compared as strings)
Non-digit sequences - Compared lexically (case-insensitive)

If all segments match, falls back to whole-string comparison.

Trailing Zero Normalization

When ignoreTrailingZeroes is enabled, trailing .0 segments before the first - are removed:

1.0.0-rc1 → 1-rc1
2.0.0 → 2

This allows 1.0.0 to equal 1.0 when the flag is set.

Comparison Examples

A	B	Result	Reason
`1.0`	`2.0`	A < B	Numeric: 1 < 2
`1.10`	`1.9`	A > B	Numeric: 10 > 9
`1.0`	`1.0.1`	A < B	A exhausted first
`1.0-1`	`1.0-2`	A < B	Release comparison
`1.0a`	`1.0b`	A < B	Lexical: a < b
`01`	`1`	A < B	Leading zero: lexical comparison
`1.0.0`	`1.0`	A > B	Without normalization
`1.0.0`	`1.0`	A = B	With `ignoreTrailingZeroes=true`

Implementation

The version comparison is implemented in internal/util/util.go and provides:

VersionCmp(a, b, ignoreTrailingZeroes) - Compare two version strings
Returns -1 (a < b), 0 (a == b), or 1 (a > b)

Scaffold Type

This document describes the design of the scaffold resource type for rendering template directories into target directories.

Overview

The scaffold resource renders files from a source template directory to a target directory:

Rendering: Process templates using Go text/template or Jet engine
Synchronization: Detect changed, stable, and purgeable files
Cleanup: Optionally remove files in the target not present in the source

Templates have access to facts and data from Hiera, enabling dynamic configuration generation from directory structures.

Provider Interface

Scaffold providers must implement the ScaffoldProvider interface:

type ScaffoldProvider interface {
    model.Provider

    Remove(ctx context.Context, prop *model.ScaffoldResourceProperties, state *model.ScaffoldState) error
    Scaffold(ctx context.Context, env *templates.Env, prop *model.ScaffoldResourceProperties, noop bool) (*model.ScaffoldState, error)
    Status(ctx context.Context, env *templates.Env, prop *model.ScaffoldResourceProperties) (*model.ScaffoldState, error)
}

Method Responsibilities

Method	Responsibility
`Status`	Render in noop mode to determine current state of managed files
`Scaffold`	Render templates to target directory (or noop to preview changes)
`Remove`	Delete managed files (changed and stable) and clean up directories

Status Response

The Status method returns a ScaffoldState containing:

type ScaffoldState struct {
    CommonResourceState
    Metadata *ScaffoldMetadata
}

type ScaffoldMetadata struct {
    Name         string                 // Target directory
    Provider     string                 // Provider name (e.g., "choria")
    TargetExists bool                   // Whether target directory exists
    Changed      []string               // Files created or modified
    Purged       []string               // Files removed (not in source)
    Stable       []string               // Files unchanged
    Engine       ScaffoldResourceEngine // Template engine used
}

The Ensure field in CommonResourceState is set to:

present if the target directory exists
absent if the target directory does not exist

Available Providers

Provider	Engine Support	Documentation
`choria`	Go, Jet	Choria

Ensure States

Value	Description
`present`	Target directory must exist with rendered template files
`absent`	Managed files must be removed from the target

Template Engines

Two template engines are supported:

Engine	Library	Default Delimiters	Description
`go`	Go `text/template`	`{{` / `}}`	Standard Go templates
`jet`	Jet templating	`[[` / `]]`	Jet template language

The engine defaults to jet if not specified. Delimiters can be customized via left_delimiter and right_delimiter properties.

Properties

Property	Type	Required	Description
`source`	string	Yes	Source template directory path or URL
`engine`	string	No	Template engine: `go` or `jet` (default: `jet`)
`skip_empty`	bool	No	Skip empty files in rendered output
`left_delimiter`	string	No	Custom left template delimiter
`right_delimiter`	string	No	Custom right template delimiter
`purge`	bool	No	Remove files in target not present in source
`post`	[]map[string]string	No	Post-processing: glob pattern to command mapping

# Render configuration templates using Jet engine
- scaffold:
    - /etc/app:
        ensure: present
        source: templates/app
        engine: jet
        purge: true

# Render with Go templates and custom delimiters
- scaffold:
    - /etc/myservice:
        ensure: present
        source: templates/myservice
        engine: go
        left_delimiter: "<<"
        right_delimiter: ">>"

# With post-processing commands
- scaffold:
    - /opt/app:
        ensure: present
        source: templates/app
        post:
          - "*.go": "go fmt {}"

Apply Logic

┌─────────────────────────────────────────┐
│ Get current state via Status()          │
└─────────────────┬───────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────┐
│ Is current state desired state?         │
└─────────────────┬───────────────────────┘
              Yes │         No
                  ▼         │
          ┌───────────┐     │
          │ No change │     │
          └───────────┘     │
                            ▼
              ┌─────────────────────────┐
              │ What is desired ensure? │
              └─────────────┬───────────┘
                            │
            ┌───────────────┴───────────────┐
            │ absent                        │ present
            ▼                               ▼
      ┌───────────┐                   ┌───────────┐
      │ Noop?     │                   │ Noop?     │
      └─────┬─────┘                   └─────┬─────┘
        Yes │     No                    Yes │     No
            ▼     │                         ▼     │
    ┌────────────┐│                 ┌────────────┐│
    │ Set noop   ││                 │ Set noop   ││
    │ message    ││                 │ message    ││
    └────────────┘│                 └────────────┘│
                  ▼                               ▼
        ┌───────────────┐             ┌─────────────────────┐
        │ Remove all    │             │ Scaffold            │
        │ managed files │             │ (render templates)  │
        │ and empty dirs│             │                     │
        └───────────────┘             └─────────────────────┘

Idempotency

The scaffold resource determines idempotency by rendering templates in noop mode and comparing results against the target directory.

State Checks

Ensure absent: Target must not exist, or no managed files remain on disk (Changed and Stable lists empty). Purged files (files not belonging to the scaffold) do not affect this check.
Ensure present: The Changed list must be empty, and the Purged list must be empty when purge is enabled (all files are stable). When purge is disabled, purged files do not affect stability.

Decision Table

For ensure: absent, purged files never affect stability since they don’t belong to the scaffold. For ensure: present, purged files only affect stability when purge is enabled.

When ensure: absent, the Status method filters Changed and Stable lists to only include files that actually exist on disk, so the state reflects reality after removal rather than what the scaffold would create.

Desired	Target Exists	Changed Files	Purged Files	Purge Enabled	Stable?
`absent`	No	N/A	N/A	N/A	Yes
`absent`	Yes	None	Any	N/A	Yes (no managed files on disk)
`absent`	Yes	Some	Any	N/A	No (managed files remain)
`present`	Yes	None	None	Any	Yes
`present`	Yes	None	Some	No	Yes (purged files ignored)
`present`	Yes	None	Some	Yes	No (purge needed)
`present`	Yes	Some	Any	Any	No (render needed)
`present`	No	N/A	N/A	Any	No (target missing)

Source Resolution

The source property is resolved relative to the manager’s working directory when it is a relative path:

parsed, _ := url.Parse(properties.Source)
if parsed == nil || parsed.Scheme == "" {
    if !filepath.IsAbs(properties.Source) {
        t.prop.Source = filepath.Join(mgr.WorkingDirectory(), properties.Source)
    }
}

This allows manifests bundled with template directories to use relative paths. URL sources (with a scheme) are passed through unchanged.

Path Validation

Target paths (the resource name) must be:

Absolute (start with /)
Canonical (no . or .. components, filepath.Clean(path) == path)

Post-Processing

The post property defines commands to run on rendered files. Each entry is a map where the key is a glob pattern matched against the file’s basename and the value is a command to execute. Use {} as a placeholder for the file’s full path; if omitted, the path is appended as the last argument.

post:
  - "*.go": "go fmt {}"
  - "*.sh": "chmod +x {}"

Post-processing runs immediately after each file is rendered. Validation ensures neither keys nor values are empty.

Noop Mode

In noop mode, the scaffold type queries the current state via Status() and reports what would change without modifying the filesystem. Neither Scaffold() nor Remove() are called.

For ensure: present, the affected count is the number of changed files plus purged files (when purge is enabled). For ensure: absent, the affected count is the number of changed and stable files plus purged files (when purge is enabled).

Desired	Affected Count	Message
`present`	`Changed` + `Purged` (if purge enabled)	`Would have changed N scaffold files`
`absent`	`Changed` + `Stable` + `Purged` (if purge enabled)	`Would have removed N scaffold files`

Changed is set to true only when the affected count is greater than zero. When the resource is already in the desired state, Changed is false and NoopMessage is empty.

Desired State Validation

After applying changes (in non-noop mode), the type verifies the scaffold reached the desired state by checking the changed and purged file lists. If validation fails, ErrDesiredStateFailed is returned.

Choria Provider

This document describes the implementation details of the Choria scaffold provider for rendering template directories using the choria-io/scaffold library.

Provider Selection

The Choria provider is the default and only scaffold provider. It is always available and returns priority 1 for all scaffold resources.

Operations

Scaffold (Render Templates)

Process:

Check if target directory exists
Configure scaffold with source, target, engine, delimiters, post-processing, and skip_empty settings
Create scaffold instance using the appropriate engine (scaffold.New() for Go, scaffold.NewJet() for Jet)
Call Render() (real mode) or RenderNoop() (noop mode)
Categorize results into changed, stable, and purged file lists

Scaffold Configuration:

Config Field	Source Property	Description
`TargetDirectory`	`Name`	Target directory for rendered files
`SourceDirectory`	`Source`	Source template directory
`MergeTargetDirectory`	(always `true`)	Merge into existing target directory
`Post`	`Post`	Post-processing commands
`SkipEmpty`	`SkipEmpty`	Skip empty rendered files
`CustomLeftDelimiter`	`LeftDelimiter`	Custom template left delimiter
`CustomRightDelimiter`	`RightDelimiter`	Custom template right delimiter

Engine Selection:

Engine	Constructor	Default Delimiters
`go`	`scaffold.New()`	`{{` / `}}`
`jet`	`scaffold.NewJet()`	`[[` / `]]`

Result Categorization:

Scaffold Action	Metadata List	Description
`FileActionEqual`	`Stable`	File content unchanged
`FileActionAdd`	`Changed`	New file created
`FileActionUpdate`	`Changed`	Existing file modified
`FileActionRemove`	`Purged`	File removed from target

File paths in the metadata lists are absolute paths, constructed by joining the target directory with the relative path from the scaffold result.

Purge Behavior:

When purge is enabled and a file has FileActionRemove, the provider deletes the file from disk during Scaffold(). In noop mode, the removal is logged but not performed. When purge is disabled, purged files are only tracked in metadata and not removed.

Status

Process:

Perform a dry-run render (noop mode) to determine what the scaffold would do
When ensure is absent, filter Changed and Stable lists to only include files that actually exist on disk

The noop render reports what would happen if the scaffold were applied. For ensure: present, this is the desired output — it shows what needs to change. For ensure: absent, the raw render output is misleading after removal (it would show files to be added), so the lists are filtered to reflect what managed files actually remain on disk.

State Detection:

Target Directory	Ensure Value	Metadata
Exists	`present`	Changed, stable, and purged file lists from render
Exists	`absent`	Changed and stable filtered to files on disk, purged from render
Does not exist	Any	Empty metadata, `TargetExists: false`

Remove

Process:

Collect managed files from the state’s Changed and Stable lists (purged files are not removed as they don’t belong to the scaffold)
Remove each file individually
Track parent directories of removed files
Iteratively remove empty directories deepest-first
Stop when no more empty directories can be removed
Best-effort removal of the target directory (only succeeds if empty)

File Removal Order:

Files are collected from two metadata lists:

Changed - Files that were added or modified
Stable - Files that were unchanged

Purged files are not removed because they are unrelated to the scaffold and may belong to other processes.

Directory Cleanup:

For each removed file:
    Track its parent directory

Repeat:
    For each tracked directory:
        Skip if it is the target directory itself
        Skip if not empty
        Remove the directory
        Track its parent directory
Until no more directories removed

Best-effort: remove the target directory (fails silently if not empty)

The target directory is removed if empty after all managed files and subdirectories are cleaned up. If unrelated files remain (purged files), the directory is preserved.

Error Handling:

Condition	Behavior
Non-absolute file path	Return error immediately
File removal fails	Log error, continue with remaining files
Directory removal fails	Log error, continue with remaining directories
File does not exist	Silently skip (`os.IsNotExist` check)
Target directory removal fails	Log at debug level, no error returned

Template Environment

Templates receive the full templates.Env environment, which provides access to:

facts - System facts for the managed node
data - Hiera-resolved configuration data
Template helper functions

This allows templates to generate host-specific configurations based on facts and hierarchical data.

Logging

The provider wraps the CCM logger in a scaffold-compatible interface:

type logger struct {
    log model.Logger
}

func (l *logger) Debugf(format string, v ...any)
func (l *logger) Infof(format string, v ...any)

This adapter translates the scaffold library’s Debugf/Infof calls to CCM’s structured logging.

Platform Support

The Choria provider is platform-independent. It uses the choria-io/scaffold library for template rendering, which operates on standard filesystem operations. No platform-specific system calls are used.

Service Type

This document describes the design of the service resource type for managing system services.

Overview

The service resource manages system services with two independent dimensions:

Running state: Whether the service is currently running or stopped
Enabled state: Whether the service starts automatically at boot

These are managed independently, allowing combinations like “running but disabled” or “stopped but enabled”.

Provider Interface

Service providers must implement the ServiceProvider interface:

type ServiceProvider interface {
    model.Provider

    Enable(ctx context.Context, service string) error
    Disable(ctx context.Context, service string) error
    Start(ctx context.Context, service string) error
    Stop(ctx context.Context, service string) error
    Restart(ctx context.Context, service string) error
    Status(ctx context.Context, service string) (*model.ServiceState, error)
}

Method Responsibilities

Method	Responsibility
`Status`	Query current running and enabled state
`Start`	Start the service if not running
`Stop`	Stop the service if running
`Restart`	Stop and start the service (for refresh)
`Enable`	Configure service to start at boot
`Disable`	Configure service to not start at boot

Status Response

The Status method returns a ServiceState containing:

type ServiceState struct {
    CommonResourceState
    Metadata *ServiceMetadata
}

type ServiceMetadata struct {
    Name     string  // Service name
    Provider string  // Provider name (e.g., "systemd")
    Enabled  bool    // Whether service starts at boot
    Running  bool    // Whether service is currently running
}

The Ensure field in CommonResourceState is set to:

running if the service is active
stopped if the service is inactive

Available Providers

Provider	Init System	Documentation
`systemd`	systemd	Systemd

Ensure States

Value	Description
`running`	Service must be running (default)
`stopped`	Service must be stopped

If ensure is not specified, it defaults to running.

Enable Property

The enable property is a boolean pointer (*bool) with three possible states:

Value	Behavior
`true`	Enable service to start at boot
`false`	Disable service from starting at boot
`nil` (not set)	Leave boot configuration unchanged

This allows managing running state without affecting boot configuration:

# Start service but don't change boot config
- service:
    - myapp:
        ensure: running

# Start and enable at boot
- service:
    - myapp:
        ensure: running
        enable: true

# Stop and disable at boot
- service:
    - myapp:
        ensure: stopped
        enable: false

Apply Logic

The service type applies changes in two phases:

Phase 1: Running State

┌─────────────────────────────────────────┐
│ Check for subscribe refresh             │
└─────────────────┬───────────────────────┘
                  │
    ┌─────────────┴─────────────┐
    │ Subscribed resource       │
    │ changed?                  │
    └─────────────┬─────────────┘
              Yes │         │ No
                  ▼         │
    ┌─────────────────────┐ │
    │ ensure=running?     │ │
    │ already running?    │ │
    └─────────────┬───────┘ │
          Yes+Yes │         │
                  ▼         │
          ┌───────────┐     │
          │ Restart   │     │
          └───────────┘     │
                            ▼
              ┌─────────────────────────┐
              │ Compare ensure vs state │
              └─────────────┬───────────┘
                            │
    ┌───────────────────────┼───────────────────────┐
    │ ensure=stopped        │ ensure=running        │
    │ state=running         │ state=stopped         │
    ▼                       ▼                       │
┌────────┐            ┌────────┐                    │
│ Stop   │            │ Start  │                    │
└────────┘            └────────┘                    │
                                                    ▼
                                          ┌───────────────┐
                                          │ No change     │
                                          └───────────────┘

Phase 2: Enabled State

After running state is handled, enabled state is processed:

┌─────────────────────────────────────────┐
│ enable property set?                    │
└─────────────────┬───────────────────────┘
                  │
          nil     │     true/false
          ▼       │
  ┌───────────┐   │
  │ No change │   │
  └───────────┘   │
                  ▼
    ┌─────────────────────────────┐
    │ Compare enable vs enabled   │
    └─────────────┬───────────────┘
                  │
    ┌─────────────┼─────────────┐
    │ enable=true │ enable=false│
    │ !enabled    │ enabled     │
    ▼             ▼             │
┌────────┐  ┌─────────┐         │
│ Enable │  │ Disable │         │
└────────┘  └─────────┘         │
                                ▼
                      ┌───────────────┐
                      │ No change     │
                      └───────────────┘

Services can subscribe to other resources and restart when they change:

- service:
    - httpd:
        ensure: running
        subscribe:
          - file#/etc/httpd/conf/httpd.conf
          - package#httpd

Special Cases:

Condition	Behavior
`ensure: stopped`	Subscribe ignored (no restart)
Service not running + `ensure: running`	Start (not restart)
Service running + `ensure: running`	Restart

This prevents restarting stopped services and ensures a clean start when the service should be running but isn’t.

Idempotency

The service resource is idempotent through state comparison:

Desired	Current	Action
`ensure: running`	running	None
`ensure: running`	stopped	Start
`ensure: stopped`	stopped	None
`ensure: stopped`	running	Stop
`enable: true`	enabled	None
`enable: true`	disabled	Enable
`enable: false`	enabled	Disable
`enable: false`	disabled	None
`enable: nil`	any	None

Desired State Validation

After applying changes, the type verifies the service reached the desired state:

func (t *Type) isDesiredState(properties, state) bool {
    // Check running state
    if properties.Ensure != state.Ensure {
        return false
    }

    // Check enabled state (only if explicitly set)
    if properties.Enable != nil {
        if *properties.Enable != state.Metadata.Enabled {
            return false
        }
    }

    return true
}

If the desired state is not reached, an ErrDesiredStateFailed error is returned.

Service Name Validation

Service names are validated to prevent injection attacks:

Allowed Characters:

Alphanumeric (a-z, A-Z, 0-9)
Period (.), underscore (_), plus (+)
Colon (:), tilde (~), hyphen (-)

Rejected:

Shell metacharacters (;, |, &, etc.)
Whitespace
Path separators

Noop Mode

In noop mode, the service type:

Queries current state normally
Logs what actions would be taken
Sets appropriate NoopMessage (e.g., “Would have started”, “Would have enabled”)
Reports Changed: true if changes would occur
Does not call provider Start/Stop/Restart/Enable/Disable methods

Systemd Provider

This document describes the implementation details of the Systemd service provider for managing system services via systemctl.

Provider Selection

The Systemd provider is selected when systemctl is found in the system PATH. The provider checks for the executable using util.ExecutableInPath("systemctl").

Availability Check:

Searches PATH for systemctl
Returns priority 1 if found
Returns unavailable if not found

Concurrency

A global service lock (model.ServiceGlobalLock) is held during all systemctl command executions to prevent concurrent systemd operations within the same process. This prevents race conditions when multiple service resources are managed simultaneously.

func (p *Provider) execute(ctx context.Context, cmd string, args ...string) (...) {
    model.ServiceGlobalLock.Lock()
    defer model.ServiceGlobalLock.Unlock()
    return p.runner.Execute(ctx, cmd, args...)
}

Daemon Reload

The provider performs a systemctl daemon-reload once per provider instance before any service operations. This ensures systemd picks up any unit file changes made by other resources (e.g., file resources managing unit files).

func (p *Provider) maybeReload(ctx context.Context) error {
    p.mu.Lock()
    defer p.mu.Unlock()

    if p.didReload {
        return nil
    }

    _, _, _, err := p.execute(ctx, "systemctl", "daemon-reload")
    return err
}

The reload is performed only once, tracked by the didReload flag.

Operations

Status

Commands:

systemctl is-active --system <service>
systemctl is-enabled --system <service>

Active State Detection:

`is-active` Output	Interpreted As
`active`	Running
`inactive`	Stopped
`failed`	Stopped
`activating`	Stopped
Other	Error

Enabled State Detection:

`is-enabled` Output	Interpreted As
`enabled`	Enabled
`enabled-runtime`	Enabled
`alias`	Enabled
`static`	Enabled
`indirect`	Enabled
`generated`	Enabled
`transient`	Enabled
`linked`	Disabled
`linked-runtime`	Disabled
`masked`	Disabled
`masked-runtime`	Disabled
`disabled`	Disabled
`not-found`	Error: service not found

Returned State:

Field	Value
`Ensure`	`running` or `stopped` based on is-active
`Metadata.Enabled`	Boolean from is-enabled
`Metadata.Running`	Boolean from is-active
`Metadata.Provider`	“systemd”

Start

Command:

systemctl start --system <service>

Called when ensure: running and service is currently stopped.

Stop

Command:

systemctl stop --system <service>

Called when ensure: stopped and service is currently running.

Restart

Command:

systemctl restart --system <service>

Called when a subscribed resource has changed and the service should be refreshed.

Enable

Command:

systemctl enable --system <service>

Called when enable: true and service is currently disabled.

Disable

Command:

systemctl disable --system <service>

Called when enable: false and service is currently enabled.

Command Flags

All commands use the --system flag to explicitly target system-level units (as opposed to user-level units managed with --user).

Decision Flow

Ensure State (Running/Stopped)

┌─────────────────────────────────────────┐
│ Subscribe triggered?                     │
│ (subscribed resource changed)            │
└─────────────┬───────────────┬───────────┘
              │ Yes           │ No
              │               │
              │               ▼
              │       ┌───────────────────┐
              │       │ Ensure = stopped? │
              │       └─────────┬─────────┘
              │           Yes   │   No
              │           ▼     ▼
              │   ┌─────────┐ ┌───────────────────┐
              │   │ Running?│ │ Ensure = running? │
              │   └────┬────┘ └─────────┬─────────┘
              │    Yes │ No         Yes │   No
              │        ▼               ▼
              │   ┌────────┐    ┌─────────┐
              │   │ Stop   │    │ Running?│
              │   └────────┘    └────┬────┘
              │                  No  │ Yes
              │                      ▼
              │                 ┌────────┐
              │                 │ Start  │
              │                 └────────┘
              │
              ▼
      ┌───────────────────────────────┐
      │ Ensure = running?             │
      │ (only restart running services)│
      └───────────────┬───────────────┘
                  Yes │   No
                      ▼
              ┌─────────────┐
              │ Restart     │
              └─────────────┘

Subscribe Behavior Notes:

Restart only occurs if ensure: running
If service is stopped and ensure: running, it starts instead of restarting
Subscribe is ignored if ensure: stopped

Enable State

Enable/disable is processed independently after ensure state:

┌─────────────────────────────────────────┐
│ Enable property set?                     │
└─────────────┬───────────────┬───────────┘
              │ Yes           │ No (nil)
              │               │
              │               ▼
              │       ┌───────────────┐
              │       │ No change     │
              │       └───────────────┘
              ▼
      ┌───────────────────────────────┐
      │ Enable = true?                 │
      └───────────────┬───────────────┘
                  Yes │   No
                      ▼
      ┌───────────────────────────────┐
      │ Currently enabled?             │
      └───────────────┬───────────────┘
                  No  │ Yes
                      ▼
              ┌─────────────┐
              │ Enable      │
              └─────────────┘

      (Similar flow for disable when enable=false)

Idempotency

The service resource checks current state before making changes:

Desired State	Current State	Action
`running`	`running`	None
`running`	`stopped`	Start
`stopped`	`stopped`	None
`stopped`	`running`	Stop
`enable: true`	enabled	None
`enable: true`	disabled	Enable
`enable: false`	enabled	Disable
`enable: false`	disabled	None
`enable: nil`	any	None

Service Name Validation

Service names are validated to prevent shell injection:

Dangerous Characters Check:

if dangerousCharsRegex.MatchString(p.Name) {
    return fmt.Errorf("service name contains dangerous characters: %q", p.Name)
}

Allowed Characters:

Alphanumeric (a-z, A-Z, 0-9)
Period (.)
Underscore (_)
Plus (+)
Colon (:)
Tilde (~)
Hyphen (-)

Examples:

Name	Valid
`httpd`	Yes
`nginx.service`	Yes
`my-app_v2`	Yes
`app@instance`	No (@ not allowed)
`app; rm -rf /`	No (shell metacharacters)

Services can subscribe to other resources and restart when they change:

- file:
    - /etc/myapp/config.yaml:
        ensure: present
        content: "..."
        owner: root
        group: root
        mode: "0644"

- service:
    - myapp:
        ensure: running
        enable: true
        subscribe:
          - file#/etc/myapp/config.yaml

Behavior:

When the file resource changes, the service is restarted
Restart only occurs if ensure: running
If service was stopped and should be running, it starts (not restarts)

Error Handling

Condition	Behavior
`systemctl` not in PATH	Provider unavailable
Service not found	Error from `is-enabled`: “service not found”
Unknown `is-active` output	Error: “invalid systemctl is-active output”
Unknown `is-enabled` output	Error: “invalid systemctl is-enabled output”
Command execution failure	Error propagated from runner

Platform Support

The Systemd provider requires:

Linux with systemd as init system
systemctl command available in PATH

It does not support:

Non-systemd init systems (SysVinit, Upstart, OpenRC)
User-level units (uses --system flag)
Windows, macOS, or BSD systems

Adding a Type

This guide documents the process for adding a new resource type to CCM. It uses the archive type as a reference implementation.

Overview

Adding a new resource type requires changes across several packages:

Model definitions - Properties, state, and metadata structs
Resource type implementation - Core logic and provider interface
Provider implementation - Platform-specific operations
Integration points - Factory functions and registry
CLI commands - User-facing command line interface
JSON schemas - Validation for manifests and API requests
Documentation - User and design documentation
CCM Studio - Web-based manifest designer

File Checklist

File	Action	Purpose
`model/resource_<type>.go`	Create	Properties, state, metadata structs
`model/resource_<type>_test.go`	Create	Property validation tests
`model/resource.go`	Modify	Add case to factory function
`resources/<type>/<type>.go`	Create	Provider interface definition
`resources/<type>/type.go`	Create	Resource type implementation
`resources/<type>/type_test.go`	Create	Resource type tests
`resources/<type>/provider_mock_test.go`	Generate	Mock provider for tests
`resources/<type>/<provider>/factory.go`	Create	Provider factory
`resources/<type>/<provider>/<provider>.go`	Create	Provider implementation
`resources/<type>/<provider>/<provider>_test.go`	Create	Provider tests
`resources/resources.go`	Modify	Add case to `NewResourceFromProperties`
`cmd/ensure_<type>.go`	Create	CLI command handler
`cmd/ensure.go`	Modify	Register CLI command
`internal/fs/schemas/manifest.json`	Modify	Add resource schema definitions
`internal/fs/schemas/resource_ensure_request.json`	Modify	Add API request schema
`docs/content/resources/<type>.md`	Create	User documentation
`docs/content/design/<type>/_index.md`	Create	Design documentation
`docs/content/design/<type>/<provider>.md`	Create	Provider documentation

Step 1: Model Definitions

Create model/resource_<type>.go with the following components.

Constants

const (
    // ResourceStatus<Type>Protocol is the protocol identifier for <type> resource state
    ResourceStatus<Type>Protocol = "io.choria.ccm.v1.resource.<type>.state"

    // <Type>TypeName is the type name for <type> resources
    <Type>TypeName = "<type>"
)

Properties Struct

The properties struct must satisfy model.ResourceProperties:

type ResourceProperties interface {
    CommonProperties() *CommonResourceProperties
    Validate() error
    ResolveTemplates(*templates.Env) error
    ToYamlManifest() (yaml.RawMessage, error)
}

Structure:

type <Type>ResourceProperties struct {
    CommonResourceProperties `yaml:",inline"`

    // Add type-specific fields here
    Url      string `json:"url" yaml:"url"`
    Checksum string `json:"checksum,omitempty" yaml:"checksum,omitempty"`
    // ...
}

Key points:

Embed CommonResourceProperties with yaml:",inline" tag
Use JSON and YAML struct tags for serialization
In Validate(), call p.CommonResourceProperties.Validate() first, then add type-specific validation
In ResolveTemplates(), call p.CommonResourceProperties.ResolveTemplates(env) first, then resolve type-specific fields

State Struct

The state struct must satisfy model.ResourceState:

type ResourceState interface {
    CommonState() *CommonResourceState
}

Structure:

type <Type>Metadata struct {
    Name     string `json:"name" yaml:"name"`
    Provider string `json:"provider,omitempty" yaml:"provider,omitempty"`
    // Add fields describing current system state
}

type <Type>State struct {
    CommonResourceState
    Metadata *<Type>Metadata `json:"metadata,omitempty"`
}

Factory Function

Provide a factory function for YAML parsing:

func New<Type>ResourcePropertiesFromYaml(raw yaml.RawMessage) ([]ResourceProperties, error) {
    return parseProperties(raw, <Type>TypeName, func() ResourceProperties {
        return &<Type>ResourceProperties{}
    })
}

Step 2: Resource Type Implementation

Provider Interface (`resources/<type>/<type>.go`)

Define a type-specific provider interface that embeds model.Provider and adds type-specific methods:

package <type>resource

import (
    "context"

    "github.com/choria-io/ccm/model"
    "github.com/choria-io/ccm/resources/<type>/<provider>"
)

type <Type>Factory interface {
    model.ProviderFactory
}

func init() {
    <provider>.Register()
}

type <Type>Provider interface {
    model.Provider

    Status(ctx context.Context, properties *model.<Type>ResourceProperties) (*model.<Type>State, error)
    // Add provider-specific methods (e.g., Download, Extract for archive)
}

Type Implementation (`resources/<type>/type.go`)

The Type struct must satisfy both model.Resource and base.EmbeddedResource:

// model.Resource interface
type Resource interface {
    Type() string
    Name() string
    Provider() string
    Properties() ResourceProperties
    Apply(context.Context) (*TransactionEvent, error)
    Info(context.Context) (any, error)
    Healthcheck(ctx context.Context) (*TransactionEvent, error)
}

// base.EmbeddedResource interface
type EmbeddedResource interface {
    NewTransactionEvent() *model.TransactionEvent
    ApplyResource(ctx context.Context) (model.ResourceState, error)
    SelectProvider() (string, error)
    Type() string
}

Embedding *base.Base provides implementations for Apply(), Healthcheck(), Type(), Name(), Properties(), and NewTransactionEvent(). The type must implement:

ApplyResource() - core resource application logic
SelectProvider() - provider selection
Provider() - return current provider name
Info() - return resource information

Structure:

type Type struct {
    *base.Base

    prop     *model.<Type>ResourceProperties
    mgr      model.Manager
    log      model.Logger
    provider model.Provider
    facts    map[string]any
    data     map[string]any

    mu sync.Mutex
}

var _ model.Resource = (*Type)(nil)

See resources/archive/type.go for a complete constructor example.

ApplyResource Method

The ApplyResource method (part of base.EmbeddedResource) contains the core logic. It should follow this pattern:

Get initial state via provider.Status()
Check if already in desired state (implement isDesiredState() helper)
If stable, call t.FinalizeState() and return early
Apply changes, respecting t.mgr.NoopMode()
Get final state and verify desired state was achieved
Call t.FinalizeState() with appropriate flags

See resources/archive/type.go:ApplyResource() for a complete example.

Provider Selection Methods

The SelectProvider() method should use registry.FindSuitableProvider() to select an appropriate provider. See resources/archive/type.go for the standard implementation pattern.

Step 3: Provider Implementation

Factory (`resources/<type>/<provider>/factory.go`)

The factory must satisfy model.ProviderFactory:

type ProviderFactory interface {
    TypeName() string
    Name() string
    New(log Logger, runner CommandRunner) (Provider, error)
    IsManageable(facts map[string]any, properties ResourceProperties) (bool, int, error)
}

The IsManageable method returns:

bool - whether this provider can manage the resource
int - priority (higher wins when multiple providers match)
error - any error encountered

Structure:

package <provider>

import (
    "github.com/choria-io/ccm/internal/registry"
    "github.com/choria-io/ccm/model"
)

const ProviderName = "<provider>"

func Register() {
    registry.MustRegister(&factory{})
}

type factory struct{}

func (p *factory) TypeName() string { return model.<Type>TypeName }
func (p *factory) Name() string     { return ProviderName }
func (p *factory) New(log model.Logger, runner model.CommandRunner) (model.Provider, error) {
    return New<Provider>Provider(log, runner)
}
func (p *factory) IsManageable(facts map[string]any, prop model.ResourceProperties) (bool, int, error) {
    // Type assert and check if this provider can handle the resource
    return true, 1, nil
}

See resources/archive/http/factory.go for a complete example.

Provider Implementation (`resources/<type>/<provider>/<provider>.go`)

The provider must satisfy the type-specific provider interface defined in Step 2 (which embeds model.Provider):

type Provider interface {
    Name() string
}

Structure:

package <provider>

import (
    "context"

    "github.com/choria-io/ccm/model"
)

type <Provider>Provider struct {
    log    model.Logger
    runner model.CommandRunner
}

func New<Provider>Provider(log model.Logger, runner model.CommandRunner) (*<Provider>Provider, error) {
    return &<Provider>Provider{log: log, runner: runner}, nil
}

func (p *<Provider>Provider) Name() string {
    return ProviderName
}

func (p *<Provider>Provider) Status(ctx context.Context, properties *model.<Type>ResourceProperties) (*model.<Type>State, error) {
    state := &model.<Type>State{
        CommonResourceState: model.NewCommonResourceState(
            model.ResourceStatus<Type>Protocol,
            model.<Type>TypeName,
            properties.Name,
            model.EnsureAbsent,
        ),
        Metadata: &model.<Type>Metadata{
            Name:     properties.Name,
            Provider: ProviderName,
        },
    }

    // Query system state and populate metadata

    return state, nil
}

// Implement other type-specific provider methods...

See resources/archive/http/http.go for a complete example.

Step 4: Integration Points

Update `resources/resources.go`

Add the import and case statement:

import (
    // ...
    <type>resource "github.com/choria-io/ccm/resources/<type>"
)

func NewResourceFromProperties(ctx context.Context, mgr model.Manager, props model.ResourceProperties) (model.Resource, error) {
    switch rprop := props.(type) {
    // ... existing cases ...
    case *model.<Type>ResourceProperties:
        return <type>resource.New(ctx, mgr, *rprop)
    default:
        return nil, fmt.Errorf("unsupported resource property type %T", rprop)
    }
}

Update `model/resource.go`

Add the case to NewResourcePropertiesFromYaml:

func NewResourcePropertiesFromYaml(typeName string, rawProperties yaml.RawMessage, env *templates.Env) ([]ResourceProperties, error) {
    switch typeName {
    // ... existing cases ...
    case <Type>TypeName:
        props, err = New<Type>ResourcePropertiesFromYaml(rawProperties)
    default:
        return nil, fmt.Errorf("%w: %s %s", ErrResourceInvalid, ErrUnknownType, typeName)
    }
    // ...
}

Step 5: CLI Command

Create cmd/ensure_<type>.go:

package main

import (
    "github.com/choria-io/ccm/model"
    "github.com/choria-io/fisk"
)

type ensure<Type>Command struct {
    name string
    // Add command-specific fields for flags

    parent *ensureCommand
}

func registerEnsure<Type>Command(ccm *fisk.CmdClause, parent *ensureCommand) {
    cmd := &ensure<Type>Command{parent: parent}

    <type> := ccm.Command("<type>", "<Type> management").Action(cmd.<type>Action)
    <type>.Arg("name", "Resource name").Required().StringVar(&cmd.name)
    // Add type-specific flags

    parent.addCommonFlags(<type>)
}

func (c *ensure<Type>Command) <type>Action(_ *fisk.ParseContext) error {
    properties := model.<Type>ResourceProperties{
        CommonResourceProperties: model.CommonResourceProperties{
            Name:     c.name,
            Ensure:   model.EnsurePresent,
            Provider: c.parent.provider,
        },
        // Set type-specific properties from flags
    }

    return c.parent.commonEnsureResource(&properties)
}

Update cmd/ensure.go:

func registerEnsureCommand(ccm *fisk.Application) {
    // ... existing code ...
    registerEnsure<Type>Command(ens, cmd)
}

Step 6: JSON Schemas

Update `internal/fs/schemas/manifest.json`

Add to the $defs/resource properties:

"<type>": {
  "oneOf": [
    { "$ref": "#/$defs/<type>ResourceList" },
    { "$ref": "#/$defs/<type>ResourcePropertiesWithName" }
  ]
}

Add resource list definition:

"<type>ResourceList": {
  "type": "array",
  "description": "List of <type> resources to manage (named format)",
  "items": {
    "type": "object",
    "additionalProperties": {
      "$ref": "#/$defs/<type>ResourceProperties"
    },
    "minProperties": 1,
    "maxProperties": 1
  }
}

Add properties definitions:

"<type>ResourcePropertiesWithName": {
  "allOf": [
    { "$ref": "#/$defs/<type>ResourceProperties" },
    {
      "type": "object",
      "properties": {
        "name": {
          "type": "string",
          "description": "Resource name"
        }
      },
      "required": ["name"]
    }
  ]
},
"<type>ResourceProperties": {
  "type": "object",
  "properties": {
    "ensure": {
      "type": "string",
      "enum": ["present", "absent"]
    }
    // Add type-specific properties
  }
}

Update `internal/fs/schemas/resource_ensure_request.json`

Add to the type enum:

"enum": ["package", "service", "file", "exec", "archive", "<type>"]

Add to properties.oneOf:

{ "$ref": "#/$defs/<type>Properties" }

Add properties definition under $defs:

"<type>Properties": {
  "allOf": [
    { "$ref": "#/$defs/commonProperties" },
    {
      "type": "object",
      "properties": {
        "name": {
          "type": "string",
          "description": "Resource name"
        }
        // Add type-specific properties
      },
      "required": ["name"]
    }
  ]
}

Copy Schemas to Documentation Site

After updating the schema files in internal/fs/schemas/, copy them to docs/static/schemas/v1/ so they are available on the documentation website:

cp internal/fs/schemas/manifest.json docs/static/schemas/v1/manifest.json
cp internal/fs/schemas/resource_ensure_request.json docs/static/schemas/v1/resource_ensure_request.json

Step 7: Generate Mocks

Generate the provider mock for tests:

mockgen -write_generate_directive \
  -source resources/<type>/<type>.go \
  -destination resources/<type>/provider_mock_test.go \
  -package <type>resource

Or use the project command:

abt gen mocks

Step 8: Testing

Model Tests (`model/resource_<type>_test.go`)

Test property validation:

var _ = Describe("<Type>ResourceProperties", func() {
    Describe("Validate", func() {
        It("should require name", func() {
            p := &model.<Type>ResourceProperties{}
            p.Ensure = model.EnsurePresent
            Expect(p.Validate()).To(MatchError(model.ErrResourceNameRequired))
        })

        It("should validate ensure values", func() {
            p := &model.<Type>ResourceProperties{}
            p.Name = "test"
            p.Ensure = "invalid"
            Expect(p.Validate()).To(HaveOccurred())
        })
    })
})

Type Tests (`resources/<type>/type_test.go`)

Use the mock manager helper:

var _ = Describe("<Type> Type", func() {
    var mockctl *gomock.Controller

    BeforeEach(func() {
        mockctl = gomock.NewController(GinkgoT())
        registry.Clear()
        // Register mock factory
    })

    AfterEach(func() {
        mockctl.Finish()
    })

    Describe("Apply", func() {
        It("should handle present ensure state", func() {
            mgr, _ := modelmocks.NewManager(facts, data, false, mockctl)
            // Test implementation
        })
    })
})

Key Patterns

State Checking

Always check current state before making changes:

initialStatus, err := p.Status(ctx, t.prop)
if err != nil {
    return nil, err
}

isStable := t.isDesiredState(properties, initialStatus)
if isStable {
    // No changes needed
    t.FinalizeState(initialStatus, noop, "", false, true, false)
    return initialStatus, nil
}

Noop Mode

All resources must respect noop mode:

if !noop {
    // Make actual changes
    t.log.Info("Applying changes")
    err = p.SomeAction(ctx, properties)
} else {
    t.log.Info("Skipping changes as noop")
    noopMessage = "Would have applied changes"
}

Error Handling

Use sentinel errors from model/errors.go:

var (
    ErrResourceInvalid    = errors.New("resource invalid")
    ErrProviderNotFound   = errors.New("provider not found")
    ErrNoSuitableProvider = errors.New("no suitable provider")
    ErrDesiredStateFailed = errors.New("desired state not achieved")
)

Wrap errors with context:

err := os.Remove(path)
if err != nil {
    return fmt.Errorf("could not remove file: %w", err)
}

Template Resolution

The ResolveTemplates method (part of model.ResourceProperties) should resolve all user-facing string fields using templates.ResolveTemplateString(). Always call the embedded CommonResourceProperties.ResolveTemplates(env) first.

Provider Selection

Providers declare manageability via IsManageable on the factory (see model.ProviderFactory in Step 3). Multiple providers can match; the one with highest priority is selected.

Documentation

Create user documentation in docs/content/resources/<type>.md covering:

Overview and use cases
Ensure states table
Properties table with descriptions
Usage examples (manifest, CLI, API)

Create design documentation in docs/content/design/<type>/_index.md covering:

Provider interface specification
State checking logic
Apply logic flowchart

Create provider documentation in docs/content/design/<type>/<provider>.md covering:

Provider selection criteria
Platform requirements
Implementation details

CCM Studio

CCM Studio is a web-based manifest designer. After adding a new resource type, update CCM Studio to support it:

Note

CCM Studio is a closed-source project. The maintainers will complete this step.

Add the new resource type to the resource palette
Create property editors for type-specific fields
Add validation matching the JSON schema definitions
Update any resource type documentation or help text

Design Documents

Contents

Available Documents

Subsections of Design Documents

Archive Type

Overview

Provider Interface

Method Responsibilities

Status Response

Available Providers

Ensure States

Supported Archive Formats

Apply Logic

Idempotency

State Checks (in order)

Decision Table

Creates Property

Cleanup Property

Checksum Verification

Authentication

Basic Authentication

Custom Headers

Required Properties

URL Validation

Noop Mode

Desired State Validation

Subsections of Archive Type

HTTP Provider

Provider Selection

Operations

Download

Extract

Status

Idempotency

State Checks (in order)

Decision Matrix

Checksum Verification

Security Considerations

Credential Handling

Archive Extraction

Temporary Files

Platform Support

Timeouts

Exec Type

Overview

Provider Interface

Method Responsibilities

Status Response

Available Providers

Properties

Apply Logic

Idempotency

Creates Property

Refresh Only Property

Decision Table

Subscribe Behavior

Exit Code Validation

Noop Mode

Desired State Validation

Command vs Name

Environment and Path

Subsections of Exec Type

Posix Provider

Provider Selection

Comparison with Shell Provider

Operations

Execute

Status

Idempotency

Creates File

RefreshOnly Mode

Exit Code Validation

Decision Flow

Properties Validation

Platform Support

Security Considerations

No Shell Injection

Path Validation

Environment Validation

Shell Provider