CCM is a small-scale Configuration Management system designed to meet users where they are - enabling experimentation, R&D, and exploration without the overhead of full-system management while still following sound Configuration Management principles.
We focus on great UX, immediate feedback, and interactive use with minimal friction.
Small and Focused
Embraces the popular package-config-service style of Configuration Management.
Focused on the needs of a single application or unit of software.
Minimal design for easy adoption, experimentation, and integration with tools like LLMs.
Loves Snowflakes
Brings true Configuration Management principles to ad-hoc systems, enabling use cases where traditional CM fails.
Use management bundles in an à la carte fashion to quickly bring experimental infrastructure to a known state.
External Data
Rich, Hierarchical Data and Facts accessible in the command line, scripts, and manifests.
Democratizes and opens the data that drives systems management to the rest of your stack.
No Dependencies
Zero-dependency binaries, statically linked and fast.
Easy deployment in any environment without the overhead-cost of traditional CM.
Embraces a Just Works philosophy with no, or minimal, configuration.
Optional Networking
Optional Network infrastructure needed only when your needs expand.
Choose from simple webservers to clustered, reliable, Object and Key-Value stores using technology you already know.
Everywhere
Great at the CLI, shell scripts, YAML manifests, Choria Agents, and Go applications.
Scales from a single IoT Raspberry Pi 3 to millions of nodes.
Integrates easily with other software via SDK or Unix-like APIs.
Shell Example
Here we do a package-config-service style deployment using a shell script. The script is safe to run multiple times as the CCM commands are all idempotent.
When run, this will create a session in a temporary directory and manage the resources. If the file resource changes after initial deployment, the service will restart.
We support dynamic data on the CLI, ccm will read .env files and .hiera files and feed that into the runtime data. Using this even shell scripts can easily gain access to rich data.
Here we define the inputs in data and the Hiera hierarchy along with OS-specific overrides. The data is referenced in the manifest using the {{ Data.package_name }} syntax.
Status
This is a new project seeking contributors and early adopters.
Currently, only archive, exec, file, service, scaffold and package resources are implemented, with support limited to dnf, apt and systemd.
The CLI and shell interaction have reached a mature state. Next, we’re exploring network-related features and deeper monitoring integration.
Subsections of Introduction
Resources
Resources describe the desired state of your infrastructure. Each resource represents something to manage and is backed by a provider that implements platform-specific management logic.
Every resource has a type, a unique name, and resource-specific properties.
Resource Types
Archive - Download, extract and copy files from tar.gz and zip archives
Here we install zsh on all linux machines unless they are running inside a docker container.
The following table shows how the two conditions interact:
if
unless
Resource Managed?
(not set)
(not set)
Yes
true
(not set)
Yes
false
(not set)
No
(not set)
true
No
(not set)
false
Yes
true
true
No
true
false
Yes
false
true
No
false
false
No
About Names
Resources can be specified like:
/etc/motd:
ensure: present
This sets name to /etc/motd, in the following paragraphs we will refer to this as name.
Subsections of Resources
Archive
The archive resource downloads and extracts archives from HTTP/HTTPS URLs. It supports tar.gz, tgz, tar, and zip formats.
Note
The archive file path (name) must have the same archive type extension as the URL. For example, if the URL ends in .tar.gz, the name must also end in .tar.gz.
This downloads the archive, extracts it to /opt/app, and removes the archive file after extraction. Future runs skip the download if /opt/app/bin/app exists.
Ensure Values
Value
Description
present
The archive must be downloaded
absent
The archive file must not exist
Properties
Property
Description
name
Absolute path where the archive will be saved
url
HTTP/HTTPS URL to download the archive from
checksum
Expected SHA256 checksum of the downloaded file
extract_parent
Directory to extract the archive contents into
creates
File path; if this file exists, the archive is not downloaded or extracted
cleanup
Remove the archive file after successful extraction (requires extract_parent and creates)
owner
Owner of the downloaded archive file (username)
group
Group of the downloaded archive file (group name)
username
Username for HTTP Basic Authentication
password
Password for HTTP Basic Authentication
headers
Additional HTTP headers to send with the request (map of header name to value)
provider
Force a specific provider (http only)
Authentication
The archive resource supports two authentication methods:
The archive resource is idempotent through multiple mechanisms:
Checksum verification: If a checksum is provided and the existing file matches, no download occurs.
Creates file: If creates is specified and that file exists, neither download nor extraction occurs.
File existence: If the archive file exists with matching checksum and owner/group, no changes are made.
For best idempotency, always specify either checksum or creates (or both).
Cleanup Behavior
When cleanup: true is set:
The archive file is deleted after successful extraction
The extract_parent property is required
The creates property is required to track extraction state across runs
Supported Archive Formats
Extension
Extraction Tool
.tar.gz, .tgz
tar -xzf
.tar
tar -xf
.zip
unzip
Note
The extraction tools (tar, unzip) must be available in the system PATH.
Exec
The exec resource executes commands to bring the system into the desired state. It is idempotent when used with the creates property or refreshonly mode.
Warning
Specify commands with their full path, or use the path property to set the search path.
The shell provider passes the entire command string to /bin/sh -c, so shell quoting rules apply. The posix provider parses arguments using shell-like quoting but does not invoke a shell.
Properties
Property
Description
name
The command to execute (used as the resource identifier)
command
Alternative command to run instead of name
cwd
Working directory for command execution
environment (array)
Environment variables in KEY=VALUE format
path
Search path for executables as a colon-separated list (e.g., /usr/bin:/bin)
returns (array)
Exit codes indicating success (default: [0])
timeout
Maximum execution time (e.g., 30s, 5m); command is killed if exceeded
creates
File path; if this file exists, the command does not run
refreshonly (boolean)
Only run when notified by a subscribed resource
subscribe (array)
Resources to subscribe to for refresh notifications (type#name or type#alias)
logoutput (boolean)
Log the command output
provider
Force a specific provider (posix or shell)
File
The file resource manages files and directories, including their content, ownership, and permissions.
The APT provider preserves existing configuration files during package installation and upgrades. When a package is upgraded and the maintainer has provided a new version of a configuration file, the existing file is kept (--force-confold behavior).
Packages in a partially installed or config-files state (removed but configuration remains) are treated as absent. Reinstalling such packages will preserve the existing configuration files.
Note
The provider will not run apt update before installing a package. Use an exec resource to update the package index if necessary.
The provider runs non-interactively and suppresses prompts from apt-listbugs and apt-listchanges.
Scaffold
The scaffold resource renders files from a source template directory to a target directory. Templates have access to facts and Hiera data, enabling dynamic configuration generation from directory structures.
Warning
Target paths must be absolute and canonical (no . or .. components).
This renders templates from the templates/app directory into /etc/app using the Jet template engine, removing any files in the target not present in the source.
Tip
This is implemented using the github.com/choria-io/scaffold Go library, you can use this in your own projects or use the included scaffold CLI tool.
Ensure Values
Value
Description
present
Target directory must exist with rendered template files
absent
Managed files must be removed; target directory removed if empty
Properties
Property
Description
name
Absolute path to the target directory
source
Source template directory path (relative to working directory or absolute)
engine
Template engine: go or jet (default: jet)
skip_empty
Do not create empty files in rendered output
left_delimiter
Custom left template delimiter
right_delimiter
Custom right template delimiter
purge
Remove files in target not present in source
post
Post-processing commands: glob pattern to command mapping
provider
Force a specific provider (choria only)
Template Engines
Two template engines are supported:
Engine
Library
Default Delimiters
Description
go
Go text/template
{{ / }}
Standard Go templates
jet
Jet templating
[[ / ]]
Jet template language
The engine defaults to jet if not specified. Delimiters can be customized via left_delimiter and right_delimiter.
The post property defines commands to run on rendered files. Each entry is a map where the key is a glob pattern matched against the file’s basename and the value is a command to execute. Use {} in the command as a placeholder for the file’s full path; if omitted, the path is appended as the last argument.
Post-processing runs immediately after each file is rendered. Files skipped due to skip_empty are not post-processed.
Purge Behavior
When purge: true is set, files in the target directory that are not present in the source template directory are deleted during rendering. In noop mode, these deletions are logged but not performed.
When purge is disabled (the default), files not present in the source are tracked but not removed. They do not affect idempotency checks for ensure: present, meaning the resource is considered stable even if extra files exist in the target.
Removal Behavior
When ensure: absent, only managed files (changed and stable) are removed. Files not belonging to the scaffold (purged files) are left untouched. After removing managed files and empty subdirectories, the target directory itself is removed on a best-effort basis — it is only deleted if empty. If unrelated files remain, the directory is preserved and no error is raised.
Idempotency
The scaffold resource determines idempotency by rendering templates in noop mode and comparing results against the target directory.
For ensure: present:
Changed files: Files that would be created or modified. Any changed files make the resource unstable.
Stable files: Files whose content matches the rendered output. At least one stable file must exist for the resource to be considered stable.
Purged files: Files in the target not present in the source. These only affect stability when purge is enabled.
For ensure: absent, the status check filters Changed and Stable lists to only include files that actually exist on disk. This means after a successful removal, the scaffold is considered absent even if the target directory still exists with unrelated files. Purged files never affect the absent stability check.
Source Resolution
The source property is resolved relative to the manager’s working directory when it is a relative path. URL sources (with a scheme) are passed through unchanged. This allows manifests bundled with template directories to use relative paths.
Template Environment
Templates receive the full template environment, which provides access to:
facts - System facts for the managed node
data - Hiera-resolved configuration data
Template helper functions
Creating Scaffolds
A scaffold source is a directory tree where every file is a template. The directory structure is mirrored directly into the target, so the source layout becomes the output layout.
The Jet engine is the default because its [[ / ]] delimiters avoid conflicts with configuration files that use curly braces (YAML, JSON, systemd units). Use the Go engine when you need access to Sprig functions.
Partials
Files inside a _partials directory are reusable template fragments. They are rendered on demand using the render function but are excluded from the output.
This is useful for shared headers, repeated configuration blocks, or any content used across multiple files.
Two functions are available in both template engines:
render evaluates another template file from the source directory and returns its output as a string. The partial is rendered using the same engine and data as the calling template.
[[ render("_partials/database.conf", .) ]]
{{ render "_partials/database.conf" . }}
write creates an additional file in the target directory from within a template. This is useful for dynamically generating files based on data — for example, creating one configuration file per service.
[[ write("extra.conf", "generated content") ]]
{{ write "extra.conf" "generated content" }}
Sprig Functions
When using the Go template engine, all Sprig template functions are available. These provide string manipulation, math, date formatting, list operations, and more:
# Go engine example with Sprig functions
hostname: {{ .facts.hostname | upper }}
packages: {{ join ", " .data.packages }}
generated: {{ now | date "2006-01-02" }}
Example Scaffold
A complete scaffold for an application configuration:
log_level = info
log_file = /var/log/myapp/web01.log
[server]
bind = 0.0.0.0
port = 8080
workers = 4
Service
The service resource manages system services. Services have two independent properties: whether they are running and whether they are enabled to start at boot.
Warning
Use real service names, not virtual names or aliases.
Services can subscribe to other resources and restart when those resources change.
If ensure is not specified, it defaults to running.
Properties
Property
Description
name
Service name
ensure
Desired state (running or stopped; default: running)
enable (boolean)
Enable the service to start at boot
subscribe (array)
Resources to watch; restart the service when they change (type#name or type#alias)
provider
Force a specific provider (systemd only)
Hierarchical Data
The Choria Hierarchical Data Resolver is a small data resolver inspired by Hiera. It evaluates a YAML or JSON document alongside a set of facts to produce a final data map.
The resolver supports first and deep merge strategies and relies on expression-based string interpolation for hierarchy entries. It is optimized for single files that hold both hierarchy and data, rather than the multi-file approach common in Hiera.
Type-preserving lookups (returns typed data, not just strings)
Command-line tool with built-in system facts
Go library for embedding
Usage
Here’s an annotated example:
hierarchy:
# Lookup and override order - facts are resolved in expressions# Use GJSON path syntax for nested facts: {{ lookup('facts.host.info.hostname') }}order:
- env:{{ lookup('facts.env') }} - role:{{ lookup('facts.role') }} - host:{{ lookup('facts.hostname') }}merge: deep # "deep" merges all matches; "first" stops at first match# Base data - hierarchy results are merged into thisdata:
log_level: INFOpackages:
- ca-certificatesweb:
listen_port: 80tls: false# Override sections keyed by hierarchy order entriesoverrides:
env:prod:
log_level: WARNrole:web:
packages:
- nginxweb:
listen_port: 443tls: truehost:web01:
log_level: TRACE
The templating here is identical to that in the Template documentation, except only the lookup() function is available (no file access functions).
Default Hierarchy
If no hierarchy section is provided, the resolver uses a default hierarchy of ["default"].
CLI Example
The ccm hiera command resolves hierarchy files with facts. It is designed to be a generally usable tool, with flexible options for providing facts.
Facts can come from multiple sources, which are merged together:
System facts (-S or --system-facts):
# View system facts
$ ccm hiera facts -S
# Resolve using system facts
$ ccm hiera parse data.json -S
Environment variables as facts (-E or --env-facts):
ccm hiera parse data.json -E
Facts file (--facts FILE):
ccm hiera parse data.json --facts facts.yaml
Command-line facts (key=value pairs):
ccm hiera parse data.json env=prod role=web
All fact sources can be combined. Command-line facts take highest precedence.
Data in NATS
NATS is a lightweight messaging system that supports Key-Value stores. Hierarchy data can be stored in NATS and used with ccm ensure and ccm hiera commands.
To use NATS as a hierarchy store, configure a NATS context for authentication:
Running ccm ensure package '{{ lookup("data.package_name") }}' installs httpd on RHEL-based systems and apache2 on Debian-based systems.
Note
See the Hiera section for details on configuring Hiera data in NATS.
Environment
The shell environment and variables defined in ./.env can be accessed in two ways:
# Direct accesshome_dir: "{{ Environ.HOME }}"# Via lookup (with default value)my_var: "{{ lookup('environ.MY_VAR', 'default') }}"
The .env file uses standard KEY=value format, one variable per line.
Shell Usage
CCM is designed as a CLI-first tool. Each resource type has its own subcommand under ccm ensure, with required inputs as arguments and optional settings as flags.
The ccm ensure commands are idempotent, making them safe to run multiple times in shell scripts.
Use ccm --help and ccm <command> --help to explore available commands and options.
Managing a Single Resource
Managing a single resource is straightforward.
ccm ensure package zsh 5.8
This ensures the package zsh is installed at version 5.8.
To view the current state of a resource:
ccm status package zsh
Managing Multiple Resources
When managing multiple resources in a script, create a session first. The session records the outcome of each resource, enabling features like refreshing a service when a file changes.
CCM gathers system facts that can be used in templates and conditions:
# Show all facts as JSON
$ ccm facts
# Show facts as YAML
$ ccm facts --yaml
# Query specific facts using gjson syntax
$ ccm facts host.info.platformFamily
Resolving Hiera Data
The ccm hiera command helps debug and test Hiera data resolution:
# Resolve a Hiera file with system facts
$ ccm hiera parse data.yaml -S
# Resolve with custom facts
$ ccm hiera parse data.yaml os=linux env=production
# Query a specific key from the result
$ ccm hiera parse data.yaml --query packages
Subsections of Shell Usage
JSON API
CCM provides a STDIN/STDOUT API for managing resources programmatically. This enables integration with external languages, allowing you to build DSLs in Ruby, Perl, Python, or any language that can execute processes and handle JSON or YAML.
Overview
The API uses a simple request/response pattern:
Send a request to ccm ensure api pipe via STDIN
Receive a response on STDOUT
Both JSON and YAML formats are supported for requests. The response format is always JSON, but can be explicitly set to YAML using --yaml.
Command
ccm ensure api pipe [--yaml] [--noop] [--facts <file>] [--data <file>]
Flag
Description
--yaml
Output response in YAML format instead of JSON
--noop
Dry-run mode; report what would change without making changes
--facts <file>
Load additional facts from a YAML file
--data <file>
Load Hiera-style data from a YAML file
Request Format
Requests must include a protocol identifier, resource type, and properties.
For detailed information about each resource type and its properties, see the Resource Documentation
CLI Plugins
CCM supports extending the CLI with custom commands using App Builder. This allows you to create organization-specific workflows that integrate with the ccm command.
Plugin Locations
CCM searches for plugins in two directories:
Location
Purpose
/etc/choria/ccm/plugins/
System-wide plugins
$XDG_CONFIG_HOME/choria/ccm/plugins/
User plugins (typically ~/.config/choria/ccm/plugins/)
Plugins in the user directory override system plugins with the same name.
Plugin File Format
Plugin files must be named <command>-plugin.yaml. The filename determines the command name:
For complete App Builder documentation including all command types, templating features, and advanced options, see the App Builder documentation.
Since version 0.13.0 of App Builder it has a transform and a command that can invoke CCM Manifests, this combines well with flags, arguments and form wizards to create custom UI’s that manage your infrastructure.
YAML Manifests
A manifest is a YAML file that combines data, hierarchy configuration, and resources in a single file.
Manifests support template expressions but not procedural logic. Think of them as declarative configuration similar to multi-resource shell scripts.
CCM Studio
An experimental visual editor for manifests is available at CCM Studio.
Apply the manifest with ccm apply. The first run makes changes; subsequent runs are stable:
$ ccm apply manifest.yaml
INFO Creating new session record resources=1
WARN package#httpd changed ensure=latest runtime=3.560699287s provider=dnf
$ ccm apply manifest.yaml
INFO Creating new session record resources=1
INFO package#httpd stable ensure=latest runtime=293.448824ms provider=dnf
To preview the fully resolved manifest without applying it:
The first two files inherit the defaults values. The /app/bin/app file overrides just the mode. The /etc/motd file is a separate resource block, so defaults do not apply.
Templating
Manifests support template expressions like {{ lookup("key") }} for adjusting values. These expressions cannot generate new resources; they only modify values in valid YAML.
Available Variables
Templates have access to:
Variable
Description
Facts
System facts
Data
Resolved Hiera data
Environ
Environment variables
Generating Resources with Jet Templates
To dynamically generate resources from data, use Jet Templates.
If the required resource fails, the dependent resource is skipped.
Dry Run (Noop Mode)
Preview changes without applying them:
ccm apply manifest.yaml --noop
Note
Noop mode cannot always detect cascading effects. If one resource change would affect a later resource, that dependency may not be reflected in the dry run.
Health Check Only Mode
Run only health checks without applying resources:
ccm apply manifest.yaml --monitor-only
This is useful for verifying system state without making changes.
Manifests in NATS Object Store
Manifests can be stored in NATS Object Stores, avoiding the need to distribute files locally.
$ tar -C /tmp/manifest/ -cvzf /tmp/manifest.tgz .
$ nats obj put CCM manifest.tgz --context ccm
Apply the manifest:
$ ccm apply obj://CCM/manifest.tgz --context ccm
INFO Using manifest from Object Store in temporary directory bucket=CCM file=manifest.tgz
INFO file#/etc/motd stable ensure=present runtime=0s provider=posix
Manifests on Web Servers
Store gzipped tar archives on a web server and apply them directly:
$ ccm apply https://example.net/manifest.tar.gz
INFO Executing manifest manifest=https://example.net/manifest.tar.gz resources=1
INFO file#/etc/motd stable ensure=present runtime=0s provider=posix
Facts from these sources are merged with system facts, with command-line facts taking precedence.
Agent
For certain use cases, it is useful to run YAML Manifests continuously. For example, you might not want to manage your dotfiles automatically (allowing for local modifications), but you do want to keep Docker up to date.
The CCM Agent runs manifests continuously, loading them from local files, Object Storage, or HTTP(S) URLs, with Key-Value data overlaid.
In time, the Agent will become a key part of a service registry system, allowing for continuous monitoring of managed resources and sharing that state into a registry—enabling other nodes to use file resources to create configurations that combine knowledge of all nodes.
Run Modes
The agent supports two modes of operation that combine to be efficient and fast-reacting:
Full manifest apply: Manages the complete state of every resource
Health check mode: Runs only Monitoring checks, which can trigger a full manifest apply as remediation
By enabling both modes, you can run health checks very frequently (even at 10- or 20-second intervals) while keeping full Configuration Management runs less frequent (every few hours).
Enabling both modes is optional but recommended. We also recommend adding health checks to your key resources.
Supported Manifest and Data Sources
Manifest Sources
Manifests can be loaded from:
Local file: /path/to/manifest.yaml
Object Storage: obj://bucket/key.tar.gz
HTTP(S): https://example.com/manifest.tar.gz (supports Basic Auth via URL credentials)
Remote sources (Object Storage and HTTP) must be .tar.gz archives containing a manifest.yaml file, templates and file sources.
External Data Sources
For Hiera data resolution, the agent supports:
Local file: file:///path/to/data.yaml
Key-Value store: kv://bucket/key
HTTP(S): https://example.com/data.yaml
Logical Flow
The agent continuously runs and manages manifests as follows:
At startup, the agent fetches data and gathers facts
Starts a worker for each manifest source
Each worker starts watchers to download and manage the manifest (polling every 30 seconds for remote sources)
Triggers workers at the configured interval for a full apply
Each run updates facts (minimum 2-minute interval) and data
Applies each manifest serially
Triggers workers at the configured health check interval
Health check runs do not update facts or data
Runs health checks for each manifest serially
If any health checks are critical (not warning), the agent triggers a full apply for that worker
In the background, object stores and HTTP sources are watched for changes. Updates trigger immediate apply runs with exponential backoff retry on failures.
Prometheus Metrics
When monitor_port is configured, the agent exposes Prometheus metrics on /metrics. These metrics can be used to monitor agent health, track resource states and events, and observe health check statuses.
Agent Metrics
Metric
Type
Labels
Description
choria_ccm_agent_apply_duration_seconds
Summary
manifest
Time taken to apply manifests
choria_ccm_agent_healthcheck_duration_seconds
Summary
manifests
Time taken for health check runs
choria_ccm_agent_healthcheck_remediations_count
Counter
manifest
Health checks that triggered remediation
choria_ccm_agent_data_resolve_duration_seconds
Summary
-
Time taken to resolve external data
choria_ccm_agent_data_resolve_error_count
Counter
url
Data resolution failures
choria_ccm_agent_facts_resolve_duration_seconds
Summary
-
Time taken to resolve facts
choria_ccm_agent_facts_resolve_error_count
Counter
-
Facts resolution failures
choria_ccm_agent_manifest_fetch_count
Counter
manifest
Remote manifest fetches
choria_ccm_agent_manifest_fetch_error_count
Counter
manifest
Remote manifest fetch failures
Resource Metrics
Metric
Type
Labels
Description
choria_ccm_manifest_apply_duration_seconds
Summary
source
Time taken to apply an entire manifest
choria_ccm_resource_apply_duration_seconds
Summary
type, provider, name
Time taken to apply a resource
choria_ccm_resource_state_total_count
Counter
type, name
Total resources processed
choria_ccm_resource_state_stable_count
Counter
type, name
Resources in stable state
choria_ccm_resource_state_changed_count
Counter
type, name
Resources that changed
choria_ccm_resource_state_refreshed_count
Counter
type, name
Resources that were refreshed
choria_ccm_resource_state_failed_count
Counter
type, name
Resources that failed
choria_ccm_resource_state_error_count
Counter
type, name
Resources with errors
choria_ccm_resource_state_skipped_count
Counter
type, name
Resources that were skipped
choria_ccm_resource_state_noop_count
Counter
type, name
Resources in noop mode
Health Check Metrics
Metric
Type
Labels
Description
choria_ccm_healthcheck_duration_seconds
Summary
type, name, check
Time taken for health checks
choria_ccm_healthcheck_status_count
Counter
type, name, status, check
Health check results by status
Facts Metrics
Metric
Type
Labels
Description
choria_ccm_facts_gather_duration_seconds
Summary
-
Time taken to gather system facts
Configuration
The agent is included in the ccm binary. To use it, create a configuration file and enable the systemd service.
The configuration file is located at /etc/choria/ccm/config.yaml:
# CCM Agent Configuration Example# Time between scheduled manifest apply runs.# Must be at least 30s. Defaults to 5m.interval: 5m# Time between health check runs.# When set, health checks run independently of apply runs and can trigger# remediation applies when critical issues are detected.# Omit to disable periodic health checks.health_check_interval: 1m# List of manifest sources to apply. Each source creates a separate worker.# Supported formats:# - Local file: /path/to/manifest.yaml# - Object store: obj://bucket/key.tar.gz# - HTTP(S): https://example.com/manifest.tar.gz# - HTTP with Basic Auth: https://user:pass@example.com/manifest.tar.gz# Remote sources must be .tar.gz archives containing a manifest.yaml file.manifests:
- /etc/choria/ccm/manifests/base.yaml - obj://ccm-manifests/app.tar.gz - https://config.example.com/manifests/web.tar.gz# Logging level: debug, info, warn, errorlog_level: info# NATS context for authentication. Defaults to 'CCM'.nats_context: CCM# Optional URL for external Hiera data resolution.# Supported formats: file://, kv://, http(s)://# The resolved data is merged into the manifest data context.external_data_url: kv://ccm-data/common# Directory for caching remote manifest sources.# Defaults to /etc/choria/ccm/source.cache_dir: /etc/choria/ccm/source# Port for Prometheus metrics endpoint (/metrics).# Set to 0 or omit to disable.monitor_port: 9100
After configuring, start the service:
ccm ensure service ccm-agent running --enable
Monitoring
By default, CCM verifies resource health using the resource’s native state. For example, if a service should be running and systemd reports it as running, CCM considers it healthy.
For deeper validation, all resources support custom health checks. These checks run after a resource is managed and can verify that the resource is functioning correctly, not just present.
Each health check must specify either command or goss_rules – they are mutually exclusive. The format is auto-detected based on which field is set (nagios for command, goss for goss_rules), but can be overridden explicitly.
Nagios Format
Health checks using command follow Nagios plugin conventions for exit codes:
The CLI supports a single health check per resource. For multiple health checks, use a manifest.
This example verifies that the web server responds with content containing “Acme Inc”. If the check fails, it retries up to 5 times with 1 second between attempts.
Goss Format
Health checks using goss_rules embed Goss validation rules directly in the manifest. This allows you to validate system state – running services, listening ports, file contents, HTTP responses, and more – without writing external check scripts.
The check result is OK when all Goss rules pass, or CRITICAL when any rule fails. See the Goss documentation for the full list of supported resource types and matchers.
This validates that the httpd service is running and enabled, port 80 is listening, and the web server responds with a 200 status containing “Acme Inc”.
Templates in Goss Rules
Goss rules are processed through CCM’s own template engine before evaluation. This means you can use the standard {{ }} expression syntax with access to Facts, Data, and Environ, as well as the lookup(), template(), and jet() functions. See the Data section for full details on template syntax.
CCM resolves templates before passing rules to Goss. Goss’s own template variables are not used.
Agent Integration
When running the Agent with health_check_interval configured, health checks run independently of full manifest applies. If any health check returns a CRITICAL status, the agent triggers a remediation apply for that manifest.
Design Documents
Design documents provide detailed implementation guidance for CCM’s resource types, providers, and internal components. They are intended for developers contributing to CCM or those seeking to understand specific implementation details.
For end-user documentation on how to use resources, see Resources.
Note
These design documents are largely written with AI assistance and reviewed before publication.
Contents
Each design document covers:
Purpose and scope: What the component does and its responsibilities
Architecture: How the component fits into CCM’s overall design
Implementation details: Key data structures, interfaces, and algorithms
Provider contracts: Requirements for implementing new providers
Multiple actions are joined with “. " (e.g., “Would have downloaded. Would have extracted”).
Desired State Validation
After applying changes (in non-noop mode), the type verifies the archive reached the desired state by calling Status() again and checking all conditions. If validation fails, ErrDesiredStateFailed is returned.
Subsections of Archive Type
HTTP Provider
This document describes the implementation details of the HTTP archive provider for downloading and extracting archives from HTTP/HTTPS URLs.
Provider Selection
The HTTP provider is selected when:
The URL scheme is http or https
The archive file extension is supported (.tar.gz, .tgz, .tar, .zip)
The required extraction tool (tar or unzip) is available in PATH
The IsManageable() function checks these conditions and returns a priority of 1 if all are met.
Operations
Download
Process:
Parse the URL and add Basic Auth credentials if username/password provided
Create HTTP request with custom headers (if specified)
Execute GET request via util.HttpGetResponse()
Verify HTTP 200 status code
Create temporary file in the same directory as the target
Check if creates file exists, return current state
Execute
Run the command, return exit code
Status Response
The Status method returns an ExecState containing:
typeExecStatestruct {
CommonResourceStateExitCode*int// Exit code from last execution (nil if not run)CreatesSatisfiedbool// Whether creates file exists}
The Ensure field in CommonResourceState is set to:
present if the creates file exists
absent if the creates file does not exist (or not specified)
Subscribe takes precedence over other idempotency checks - if a subscribed resource changed, the command executes regardless of creates file existence.
Exit Code Validation
By default, exit code 0 indicates success. The returns property customizes acceptable codes:
This document describes the implementation details of the Posix exec provider for executing commands without a shell.
Provider Selection
The Posix provider is the default exec provider. It is always available and returns priority 1 for all exec resources unless a different provider is explicitly requested via the provider property.
To use the shell provider instead, specify provider: shell in the resource properties.
Comparison with Shell Provider
Feature
Posix
Shell
Shell invocation
No
Yes (/bin/sh -c)
Pipes (|)
Not supported
Supported
Redirections (>, <)
Not supported
Supported
Shell builtins (cd, export)
Not supported
Supported
Glob expansion
Not supported
Supported
Command substitution ($(...))
Not supported
Supported
Argument parsing
shellquote.Split()
Passed as single string
Security
Lower attack surface
Shell injection possible
When to use Posix (default):
Simple commands with arguments
When shell features are not needed
For better security (no shell injection risk)
When to use Shell:
Commands with pipes, redirections, or shell builtins
Complex command strings
When shell expansion is required
Operations
Execute
Process:
Determine command source (Command property or Name if Command is empty)
Parse command string into words using shellquote.Split()
Extract command (first word) and arguments (remaining words)
Execute via CommandRunner.ExecuteWithOptions()
Optionally log output line-by-line if LogOutput is enabled
Command Parsing:
The command string is parsed using github.com/kballard/go-shellquote, which handles:
Syntax
Example
Result
Simple words
echo hello world
["echo", "hello", "world"]
Single quotes
echo 'hello world'
["echo", "hello world"]
Double quotes
echo "hello world"
["echo", "hello world"]
Escaped spaces
echo hello\ world
["echo", "hello world"]
Mixed quoting
echo "it's a test"
["echo", "it's a test"]
Execution Options:
Option
Source
Description
Command
First word after parsing
Executable path or name
Args
Remaining words
Command arguments
Cwd
properties.Cwd
Working directory
Environment
properties.Environment
Additional env vars (KEY=VALUE format)
Path
properties.Path
Search path for executables
Timeout
properties.ParsedTimeout
Maximum execution time
Output Logging:
When LogOutput: true is set and a user logger is provided:
The model validates exec properties before execution:
Property
Validation
name
Must be parseable by shellquote (balanced quotes)
timeout
Must be valid duration format (e.g., 30s, 5m)
subscribe
Each entry must be type#name format
path
Each directory must be absolute (start with /)
environment
Each entry must be KEY=VALUE format with non-empty key and value
Platform Support
The Posix provider works on all platforms supported by Go’s os/exec package. It does not use any platform-specific system calls directly.
The command runner (model.CommandRunner) handles the actual process execution, which may have platform-specific implementations.
Security Considerations
No Shell Injection
Unlike the shell provider, the posix provider does not invoke a shell. Arguments are passed directly to the executable, preventing shell injection attacks:
# Safe with posix provider - $USER is passed literally, not expanded- exec:
- /bin/echo $USER:
provider: posix # Default# Potentially dangerous with shell provider - $USER is expanded- exec:
- /bin/echo $USER:
provider: shell
Path Validation
The path property only accepts absolute directory paths, preventing path traversal via relative paths.
Environment Validation
Environment variables must have non-empty keys and values, preventing injection of empty or malformed entries.
Shell Provider
This document describes the implementation details of the Shell exec provider for executing commands via /bin/sh.
Provider Selection
The Shell provider is selected when provider: shell is explicitly specified in the resource properties. It has a lower priority (99) than the Posix provider (1), so it is never automatically selected.
Availability: The provider checks for the existence of /bin/sh via util.FileExists(). If /bin/sh does not exist, the provider is not available.
Comparison with Posix Provider
Feature
Shell
Posix
Shell invocation
Yes (/bin/sh -c)
No
Pipes (|)
Supported
Not supported
Redirections (>, <, >>)
Supported
Not supported
Shell builtins (cd, export, source)
Supported
Not supported
Glob expansion (*.txt, ?)
Supported
Not supported
Command substitution ($(...), `...`)
Supported
Not supported
Variable expansion ($VAR, ${VAR})
Supported
Not supported
Logical operators (&&, ||)
Supported
Not supported
Argument parsing
Passed as single string
shellquote.Split()
Security
Shell injection possible
Lower attack surface
When to use Shell:
Commands with pipes: cat file.txt | grep pattern | sort
Commands with redirections: echo "data" > /tmp/file
Commands with shell builtins: cd /tmp && pwd
Commands with variable expansion: echo $HOME
Complex one-liners with logical operators
When to use Posix (default):
Simple commands with arguments
When shell features are not needed
For better security (no shell injection risk)
Operations
Execute
Process:
Determine command source (Command property or Name if Command is empty)
Validate command is not empty
Execute via CommandRunner.ExecuteWithOptions() with /bin/sh -c "<command>"
Optionally log output line-by-line if LogOutput is enabled
Execution Method:
The entire command string is passed to the shell as a single argument:
/bin/sh -c "<entire command string>"
This allows the shell to interpret all shell syntax, including:
Pipes and redirections
Variable expansion
Glob patterns
Command substitution
Logical operators
Execution Options:
Option
Value
Description
Command
/bin/sh
Shell executable path
Args
["-c", "<command>"]
Shell flag and command string
Cwd
properties.Cwd
Working directory
Environment
properties.Environment
Additional env vars (KEY=VALUE format)
Path
properties.Path
Search path for executables
Timeout
properties.ParsedTimeout
Maximum execution time
Output Logging:
When LogOutput: true is set and a user logger is provided:
This allows manifests bundled with their source files to use relative paths.
Noop Mode
In noop mode, the file type:
Queries current state normally
Computes content checksums
Logs what actions would be taken
Sets appropriate NoopMessage:
“Would have created the file”
“Would have created directory”
“Would have removed the file”
Reports Changed: true if changes would occur
Does not call provider Store/CreateDirectory methods
Does not remove files
Desired State Validation
After applying changes (in non-noop mode), the type verifies the file reached the desired state by calling Status() again and checking all attributes match. If validation fails, ErrDesiredStateFailed is returned.
Subsections of File Type
Posix Provider
This document describes the implementation details of the Posix file provider for managing files and directories on Unix-like systems.
Provider Selection
The Posix provider is the default and only file provider. It is always available and returns priority 1 for all file resources.
Operations
Store (Create/Update File)
Process:
Verify parent directory exists
Parse file mode from octal string
Open source file if source property is set
Create temporary file in the same directory as target
Set file permissions on temp file
Write content (from source file or contents property)
This allows manifests to use relative paths for source files bundled with the manifest.
Platform Support
The Posix provider uses Unix-specific system calls:
Operation
System Call
Get file owner/group
syscall.Stat_t (UID/GID from stat)
Set ownership
os.Chown() → chown(2)
Set permissions
os.Chmod() → chmod(2)
The provider has separate implementations for Unix and Windows (file_unix.go, file_windows.go in internal/util), with Windows returning errors for ownership operations.
Security Considerations
Atomic Writes
Files are written atomically via temp file + rename. This prevents:
Partial file reads during write
Corruption if process is interrupted
Race conditions with concurrent readers
Permission Ordering
Permissions and ownership are set on the temp file before rename:
Chmod - Set permissions
Write content
Chown - Set ownership
Rename to target
This ensures the file never exists at the target path with incorrect permissions.
Path Validation
File paths must be absolute and clean (no . or .. components):
iffilepath.Clean(p.Name) !=p.Name {
returnfmt.Errorf("file path must be absolute")
}
Required Properties
Owner, group, and mode are required properties and cannot be empty, preventing accidental creation of files with default/inherited permissions.
Package Type
This document describes the design of the package resource type for managing software packages.
Overview
The package resource manages software packages with two aspects:
Existence: Whether the package is installed or absent
Version: The specific version installed (when applicable)
Provider Interface
Package providers must implement the PackageProvider interface:
┌─────────────────────────────────────────┐
│ Get current state via Status() │
└─────────────────┬───────────────────────┘
│
▼
┌─────────────────────────────────────────┐
│ Is ensure = "latest"? │
└─────────────────┬───────────────────────┘
Yes │ No
▼ │
┌─────────────────────┐ │
│ Is package absent? │ │
└─────────────┬───────┘ │
Yes │ No │
▼ ▼ │
┌────────┐ ┌────────┐
│Install │ │Upgrade │
│latest │ │latest │
└────────┘ └────────┘
│
▼
┌─────────────────────────┐
│ Is desired state met? │
└─────────────┬───────────┘
Yes │ No
▼ │
┌───────────┐ │
│ No change │ ▼
└───────────┘ (Phase 2)
Phase 2: Handle Ensure Values
┌─────────────────────────┐
│ What is desired ensure? │
└─────────────┬───────────┘
│
┌───────────────────────┼───────────────────────┐
│ absent │ present │ <version>
▼ ▼ ▼
┌────────────┐ ┌───────────────┐ ┌───────────────┐
│ Uninstall │ │ Is absent? │ │ Is absent? │
└────────────┘ └───────┬───────┘ └───────┬───────┘
Yes │ No Yes │ No
▼ ▼ ▼ ▼
┌────────┐ ┌────────┐ ┌────────┐ ┌────────────┐
│Install │ │No │ │Install │ │Compare │
│ │ │change │ │version │ │versions │
└────────┘ └────────┘ └────────┘ └─────┬──────┘
│
┌────────────────┼────────────────┐
│ current < │ current = │ current >
▼ ▼ ▼
┌───────────┐ ┌───────────┐ ┌───────────┐
│ Upgrade │ │ No change │ │ Downgrade │
└───────────┘ └───────────┘ └───────────┘
Version Comparison
The VersionCmp method compares two version strings:
Return Value
Meaning
-1
versionA < versionB (upgrade needed)
0
versionA == versionB (no change)
1
versionA > versionB (downgrade needed)
Version comparison is delegated to the provider, allowing platform-specific version parsing (e.g., RPM epoch handling, Debian revision suffixes).
Idempotency
The package resource is idempotent through state comparison:
Decision Table
Desired
Current State
Action
ensure: present
installed (any version)
None
ensure: present
absent
Install
ensure: absent
absent
None
ensure: absent
installed
Uninstall
ensure: latest
absent
Install latest
ensure: latest
installed
Upgrade (always runs)
ensure: <version>
same version
None
ensure: <version>
older version
Upgrade
ensure: <version>
newer version
Downgrade
ensure: <version>
absent
Install
Special Case: ensure: latest
When ensure: latest is used:
The package manager determines what “latest” means
Upgrade is always called when the package exists (package manager is idempotent)
The type cannot verify if “latest” was achieved (package managers may report stale data)
Desired state validation only checks that the package is not absent
Package Name Validation
Package names are validated to prevent injection attacks:
Allowed Characters:
Alphanumeric (a-z, A-Z, 0-9)
Period (.), underscore (_), plus (+)
Colon (:), tilde (~), hyphen (-)
Rejected:
Shell metacharacters (;, |, &, $, etc.)
Whitespace
Quotes and backticks
Path separators
Version strings (when ensure is a version) are also validated for dangerous characters.
Noop Mode
In noop mode, the package type:
Queries current state normally
Computes version comparison
Logs what actions would be taken
Sets appropriate NoopMessage:
“Would have installed latest”
“Would have upgraded to latest”
“Would have installed version X”
“Would have upgraded to X”
“Would have downgraded to X”
“Would have uninstalled”
Reports Changed: true if changes would occur
Does not call provider Install/Upgrade/Downgrade/Uninstall methods
Desired State Validation
After applying changes (in non-noop mode), the type verifies the package reached the desired state:
func (t*Type) isDesiredState(properties, state) bool {
switchproperties.Ensure {
case"present":
// Any installed version is acceptablereturnstate.Ensure!="absent"case"absent":
returnstate.Ensure=="absent"case"latest":
// Cannot verify "latest", just check not absentreturnstate.Ensure!="absent"default:
// Specific version must matchreturnVersionCmp(state.Ensure, properties.Ensure, false) ==0 }
}
If the desired state is not reached, an ErrDesiredStateFailed error is returned.
Subsections of Package Type
APT Provider
This document describes the implementation details of the APT package provider for Debian-based systems.
Environment
All commands are executed with the following environment variables to ensure non-interactive operation:
Variable
Value
Purpose
DEBIAN_FRONTEND
noninteractive
Prevents dpkg from prompting for user input
APT_LISTBUGS_FRONTEND
none
Suppresses apt-listbugs prompts
APT_LISTCHANGES_FRONTEND
none
Suppresses apt-listchanges prompts
Concurrency
A global package lock (model.PackageGlobalLock) is held during all command executions to prevent concurrent apt/dpkg operations within the same process. This prevents lock contention on /var/lib/dpkg/lock.
Helper methods: LessThan, GreaterThan, Equal, etc.
DNF Provider
This document describes the implementation details of the DNF package provider for RHEL/Fedora-based systems.
Concurrency
A global package lock (model.PackageGlobalLock) is held during all command executions to prevent concurrent dnf/rpm operations within the same process. This prevents lock contention on the RPM database.
Target directory must exist with rendered template files
absent
Managed files must be removed from the target
Template Engines
Two template engines are supported:
Engine
Library
Default Delimiters
Description
go
Go text/template
{{ / }}
Standard Go templates
jet
Jet templating
[[ / ]]
Jet template language
The engine defaults to jet if not specified. Delimiters can be customized via left_delimiter and right_delimiter properties.
Properties
Property
Type
Required
Description
source
string
Yes
Source template directory path or URL
engine
string
No
Template engine: go or jet (default: jet)
skip_empty
bool
No
Skip empty files in rendered output
left_delimiter
string
No
Custom left template delimiter
right_delimiter
string
No
Custom right template delimiter
purge
bool
No
Remove files in target not present in source
post
[]map[string]string
No
Post-processing: glob pattern to command mapping
# Render configuration templates using Jet engine- scaffold:
- /etc/app:
ensure: presentsource: templates/appengine: jetpurge: true# Render with Go templates and custom delimiters- scaffold:
- /etc/myservice:
ensure: presentsource: templates/myserviceengine: goleft_delimiter: "<<"right_delimiter: ">>"# With post-processing commands- scaffold:
- /opt/app:
ensure: presentsource: templates/apppost:
- "*.go": "go fmt {}"
Apply Logic
┌─────────────────────────────────────────┐
│ Get current state via Status() │
└─────────────────┬───────────────────────┘
│
▼
┌─────────────────────────────────────────┐
│ Is current state desired state? │
└─────────────────┬───────────────────────┘
Yes │ No
▼ │
┌───────────┐ │
│ No change │ │
└───────────┘ │
▼
┌─────────────────────────┐
│ What is desired ensure? │
└─────────────┬───────────┘
│
┌───────────────┴───────────────┐
│ absent │ present
▼ ▼
┌───────────┐ ┌───────────┐
│ Noop? │ │ Noop? │
└─────┬─────┘ └─────┬─────┘
Yes │ No Yes │ No
▼ │ ▼ │
┌────────────┐│ ┌────────────┐│
│ Set noop ││ │ Set noop ││
│ message ││ │ message ││
└────────────┘│ └────────────┘│
▼ ▼
┌───────────────┐ ┌─────────────────────┐
│ Remove all │ │ Scaffold │
│ managed files │ │ (render templates) │
│ and empty dirs│ │ │
└───────────────┘ └─────────────────────┘
Idempotency
The scaffold resource determines idempotency by rendering templates in noop mode and comparing results against the target directory.
State Checks
Ensure absent: Target must not exist, or no managed files remain on disk (Changed and Stable lists empty). Purged files (files not belonging to the scaffold) do not affect this check.
Ensure present: The Changed list must be empty, and the Purged list must be empty when purge is enabled (all files are stable). When purge is disabled, purged files do not affect stability.
Decision Table
For ensure: absent, purged files never affect stability since they don’t belong to the scaffold. For ensure: present, purged files only affect stability when purge is enabled.
When ensure: absent, the Status method filters Changed and Stable lists to only include files that actually exist on disk, so the state reflects reality after removal rather than what the scaffold would create.
Desired
Target Exists
Changed Files
Purged Files
Purge Enabled
Stable?
absent
No
N/A
N/A
N/A
Yes
absent
Yes
None
Any
N/A
Yes (no managed files on disk)
absent
Yes
Some
Any
N/A
No (managed files remain)
present
Yes
None
None
Any
Yes
present
Yes
None
Some
No
Yes (purged files ignored)
present
Yes
None
Some
Yes
No (purge needed)
present
Yes
Some
Any
Any
No (render needed)
present
No
N/A
N/A
Any
No (target missing)
Source Resolution
The source property is resolved relative to the manager’s working directory when it is a relative path:
This allows manifests bundled with template directories to use relative paths. URL sources (with a scheme) are passed through unchanged.
Path Validation
Target paths (the resource name) must be:
Absolute (start with /)
Canonical (no . or .. components, filepath.Clean(path) == path)
Post-Processing
The post property defines commands to run on rendered files. Each entry is a map where the key is a glob pattern matched against the file’s basename and the value is a command to execute. Use {} as a placeholder for the file’s full path; if omitted, the path is appended as the last argument.
Post-processing runs immediately after each file is rendered. Validation ensures neither keys nor values are empty.
Noop Mode
In noop mode, the scaffold type queries the current state via Status() and reports what would change without modifying the filesystem. Neither Scaffold() nor Remove() are called.
For ensure: present, the affected count is the number of changed files plus purged files (when purge is enabled). For ensure: absent, the affected count is the number of changed and stable files plus purged files (when purge is enabled).
Desired
Affected Count
Message
present
Changed + Purged (if purge enabled)
Would have changed N scaffold files
absent
Changed + Stable + Purged (if purge enabled)
Would have removed N scaffold files
Changed is set to true only when the affected count is greater than zero. When the resource is already in the desired state, Changed is false and NoopMessage is empty.
Desired State Validation
After applying changes (in non-noop mode), the type verifies the scaffold reached the desired state by checking the changed and purged file lists. If validation fails, ErrDesiredStateFailed is returned.
Subsections of Scaffold Type
Choria Provider
This document describes the implementation details of the Choria scaffold provider for rendering template directories using the choria-io/scaffold library.
Provider Selection
The Choria provider is the default and only scaffold provider. It is always available and returns priority 1 for all scaffold resources.
Operations
Scaffold (Render Templates)
Process:
Check if target directory exists
Configure scaffold with source, target, engine, delimiters, post-processing, and skip_empty settings
Create scaffold instance using the appropriate engine (scaffold.New() for Go, scaffold.NewJet() for Jet)
Call Render() (real mode) or RenderNoop() (noop mode)
Categorize results into changed, stable, and purged file lists
Scaffold Configuration:
Config Field
Source Property
Description
TargetDirectory
Name
Target directory for rendered files
SourceDirectory
Source
Source template directory
MergeTargetDirectory
(always true)
Merge into existing target directory
Post
Post
Post-processing commands
SkipEmpty
SkipEmpty
Skip empty rendered files
CustomLeftDelimiter
LeftDelimiter
Custom template left delimiter
CustomRightDelimiter
RightDelimiter
Custom template right delimiter
Engine Selection:
Engine
Constructor
Default Delimiters
go
scaffold.New()
{{ / }}
jet
scaffold.NewJet()
[[ / ]]
Result Categorization:
Scaffold Action
Metadata List
Description
FileActionEqual
Stable
File content unchanged
FileActionAdd
Changed
New file created
FileActionUpdate
Changed
Existing file modified
FileActionRemove
Purged
File removed from target
File paths in the metadata lists are absolute paths, constructed by joining the target directory with the relative path from the scaffold result.
Purge Behavior:
When purge is enabled and a file has FileActionRemove, the provider deletes the file from disk during Scaffold(). In noop mode, the removal is logged but not performed. When purge is disabled, purged files are only tracked in metadata and not removed.
Status
Process:
Perform a dry-run render (noop mode) to determine what the scaffold would do
When ensure is absent, filter Changed and Stable lists to only include files that actually exist on disk
The noop render reports what would happen if the scaffold were applied. For ensure: present, this is the desired output — it shows what needs to change. For ensure: absent, the raw render output is misleading after removal (it would show files to be added), so the lists are filtered to reflect what managed files actually remain on disk.
State Detection:
Target Directory
Ensure Value
Metadata
Exists
present
Changed, stable, and purged file lists from render
Exists
absent
Changed and stable filtered to files on disk, purged from render
Does not exist
Any
Empty metadata, TargetExists: false
Remove
Process:
Collect managed files from the state’s Changed and Stable lists (purged files are not removed as they don’t belong to the scaffold)
Stop when no more empty directories can be removed
Best-effort removal of the target directory (only succeeds if empty)
File Removal Order:
Files are collected from two metadata lists:
Changed - Files that were added or modified
Stable - Files that were unchanged
Purged files are not removed because they are unrelated to the scaffold and may belong to other processes.
Directory Cleanup:
For each removed file:
Track its parent directory
Repeat:
For each tracked directory:
Skip if it is the target directory itself
Skip if not empty
Remove the directory
Track its parent directory
Until no more directories removed
Best-effort: remove the target directory (fails silently if not empty)
The target directory is removed if empty after all managed files and subdirectories are cleaned up. If unrelated files remain (purged files), the directory is preserved.
Error Handling:
Condition
Behavior
Non-absolute file path
Return error immediately
File removal fails
Log error, continue with remaining files
Directory removal fails
Log error, continue with remaining directories
File does not exist
Silently skip (os.IsNotExist check)
Target directory removal fails
Log at debug level, no error returned
Template Environment
Templates receive the full templates.Env environment, which provides access to:
facts - System facts for the managed node
data - Hiera-resolved configuration data
Template helper functions
This allows templates to generate host-specific configurations based on facts and hierarchical data.
Logging
The provider wraps the CCM logger in a scaffold-compatible interface:
This adapter translates the scaffold library’s Debugf/Infof calls to CCM’s structured logging.
Platform Support
The Choria provider is platform-independent. It uses the choria-io/scaffold library for template rendering, which operates on standard filesystem operations. No platform-specific system calls are used.
Service Type
This document describes the design of the service resource type for managing system services.
Overview
The service resource manages system services with two independent dimensions:
Running state: Whether the service is currently running or stopped
Enabled state: Whether the service starts automatically at boot
These are managed independently, allowing combinations like “running but disabled” or “stopped but enabled”.
Provider Interface
Service providers must implement the ServiceProvider interface:
The Status method returns a ServiceState containing:
typeServiceStatestruct {
CommonResourceStateMetadata*ServiceMetadata}
typeServiceMetadatastruct {
Namestring// Service nameProviderstring// Provider name (e.g., "systemd")Enabledbool// Whether service starts at bootRunningbool// Whether service is currently running}
The Ensure field in CommonResourceState is set to:
If the desired state is not reached, an ErrDesiredStateFailed error is returned.
Service Name Validation
Service names are validated to prevent injection attacks:
Allowed Characters:
Alphanumeric (a-z, A-Z, 0-9)
Period (.), underscore (_), plus (+)
Colon (:), tilde (~), hyphen (-)
Rejected:
Shell metacharacters (;, |, &, etc.)
Whitespace
Path separators
Noop Mode
In noop mode, the service type:
Queries current state normally
Logs what actions would be taken
Sets appropriate NoopMessage (e.g., “Would have started”, “Would have enabled”)
Reports Changed: true if changes would occur
Does not call provider Start/Stop/Restart/Enable/Disable methods
Subsections of Service Type
Systemd Provider
This document describes the implementation details of the Systemd service provider for managing system services via systemctl.
Provider Selection
The Systemd provider is selected when systemctl is found in the system PATH. The provider checks for the executable using util.ExecutableInPath("systemctl").
Availability Check:
Searches PATH for systemctl
Returns priority 1 if found
Returns unavailable if not found
Concurrency
A global service lock (model.ServiceGlobalLock) is held during all systemctl command executions to prevent concurrent systemd operations within the same process. This prevents race conditions when multiple service resources are managed simultaneously.
The provider performs a systemctl daemon-reload once per provider instance before any service operations. This ensures systemd picks up any unit file changes made by other resources (e.g., file resources managing unit files).
Integration points - Factory functions and registry
CLI commands - User-facing command line interface
JSON schemas - Validation for manifests and API requests
Documentation - User and design documentation
CCM Studio - Web-based manifest designer
File Checklist
File
Action
Purpose
model/resource_<type>.go
Create
Properties, state, metadata structs
model/resource_<type>_test.go
Create
Property validation tests
model/resource.go
Modify
Add case to factory function
resources/<type>/<type>.go
Create
Provider interface definition
resources/<type>/type.go
Create
Resource type implementation
resources/<type>/type_test.go
Create
Resource type tests
resources/<type>/provider_mock_test.go
Generate
Mock provider for tests
resources/<type>/<provider>/factory.go
Create
Provider factory
resources/<type>/<provider>/<provider>.go
Create
Provider implementation
resources/<type>/<provider>/<provider>_test.go
Create
Provider tests
resources/resources.go
Modify
Add case to NewResourceFromProperties
cmd/ensure_<type>.go
Create
CLI command handler
cmd/ensure.go
Modify
Register CLI command
internal/fs/schemas/manifest.json
Modify
Add resource schema definitions
internal/fs/schemas/resource_ensure_request.json
Modify
Add API request schema
docs/content/resources/<type>.md
Create
User documentation
docs/content/design/<type>/_index.md
Create
Design documentation
docs/content/design/<type>/<provider>.md
Create
Provider documentation
Step 1: Model Definitions
Create model/resource_<type>.go with the following components.
Constants
const (
// ResourceStatus<Type>Protocol is the protocol identifier for <type> resource stateResourceStatus<Type>Protocol = "io.choria.ccm.v1.resource.<type>.state"// <Type>TypeName is the type name for <type> resources <Type>TypeName = "<type>")
Properties Struct
The properties struct must satisfy model.ResourceProperties:
type <Type>Metadatastruct {
Namestring`json:"name" yaml:"name"`Providerstring`json:"provider,omitempty" yaml:"provider,omitempty"`// Add fields describing current system state}
type <Type>Statestruct {
CommonResourceStateMetadata*<Type>Metadata`json:"metadata,omitempty"`}
Embedding *base.Base provides implementations for Apply(), Healthcheck(), Type(), Name(), Properties(), and NewTransactionEvent(). The type must implement:
See resources/archive/type.go for a complete constructor example.
ApplyResource Method
The ApplyResource method (part of base.EmbeddedResource) contains the core logic. It should follow this pattern:
Get initial state via provider.Status()
Check if already in desired state (implement isDesiredState() helper)
If stable, call t.FinalizeState() and return early
Apply changes, respecting t.mgr.NoopMode()
Get final state and verify desired state was achieved
Call t.FinalizeState() with appropriate flags
See resources/archive/type.go:ApplyResource() for a complete example.
Provider Selection Methods
The SelectProvider() method should use registry.FindSuitableProvider() to select an appropriate provider. See resources/archive/type.go for the standard implementation pattern.
if !noop {
// Make actual changest.log.Info("Applying changes")
err = p.SomeAction(ctx, properties)
} else {
t.log.Info("Skipping changes as noop")
noopMessage = "Would have applied changes"}
Error Handling
Use sentinel errors from model/errors.go:
var (
ErrResourceInvalid = errors.New("resource invalid")
ErrProviderNotFound = errors.New("provider not found")
ErrNoSuitableProvider = errors.New("no suitable provider")
ErrDesiredStateFailed = errors.New("desired state not achieved")
)
Wrap errors with context:
err:=os.Remove(path)
iferr!=nil {
returnfmt.Errorf("could not remove file: %w", err)
}
Template Resolution
The ResolveTemplates method (part of model.ResourceProperties) should resolve all user-facing string fields using templates.ResolveTemplateString(). Always call the embedded CommonResourceProperties.ResolveTemplates(env) first.
Provider Selection
Providers declare manageability via IsManageable on the factory (see model.ProviderFactory in Step 3). Multiple providers can match; the one with highest priority is selected.
Documentation
Create user documentation in docs/content/resources/<type>.md covering:
Overview and use cases
Ensure states table
Properties table with descriptions
Usage examples (manifest, CLI, API)
Create design documentation in docs/content/design/<type>/_index.md covering:
Provider interface specification
State checking logic
Apply logic flowchart
Create provider documentation in docs/content/design/<type>/<provider>.md covering:
Provider selection criteria
Platform requirements
Implementation details
CCM Studio
CCM Studio is a web-based manifest designer. After adding a new resource type, update CCM Studio to support it:
Note
CCM Studio is a closed-source project. The maintainers will complete this step.
Add the new resource type to the resource palette
Create property editors for type-specific fields
Add validation matching the JSON schema definitions
Update any resource type documentation or help text