Fixes #16024: Make a plugin from the current openSCAP technique

Normation · Oct 23, 2019 · f67952f · f67952f
1 parent ff71ebd
commit f67952f
Show file tree

Hide file tree

Showing 10 changed files with 921 additions and 0 deletions.
diff --git a/ansible-report/LICENSE b/ansible-report/LICENSE
diff --git a/ansible-report/LICENSE_EXCEPTION b/ansible-report/LICENSE_EXCEPTION
@@ -0,0 +1,27 @@
+Copyright 2011 Normation SAS
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+In accordance with the terms of section 7 (7. Additional Terms.) of
+the GNU General Public License version 3, the copyright holders add
+the following Additional permissions:
+Notwithstanding to the terms of section 5 (5. Conveying Modified Source
+Versions) and 6 (6. Conveying Non-Source Forms.) of the GNU General
+Public License version 3, when you create a Related Module, this
+Related Module is not considered as a part of the work and may be
+distributed under the license agreement of your choice.
+A "Related Module" means a set of sources files including their
+documentation that, without modification of the Source Code, enables
+supplementary functions or services in addition to those offered by
+the Software.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
diff --git a/ansible-report/Makefile b/ansible-report/Makefile
@@ -0,0 +1,18 @@
+FILES = ncf techniques
+SCRIPTS = postinst prerm
+
+TECHNIQUES=$(shell ls -1 configuration-repository/ncf/50_techniques)
+
+include ../makefiles/common-plugin.mk
+
+target/ncf:
+	cp -a configuration-repository/ncf target
+
+target/techniques:
+	cp -a configuration-repository/techniques target
+	mkdir -p target/techniques/ncf_techniques
+	for technique in "$(TECHNIQUES)";                                \
+	do                                                               \
+		cd target && mkdir -p techniques/ansible_report/$$technique && cd -;  \
+		cd target/techniques/ncf_techniques && ln -rs ../ansible_report/$$technique $$techniques  && cd -;   \
+	done;
diff --git a/ansible-report/README.asciidoc b/ansible-report/README.asciidoc
@@ -0,0 +1,89 @@
+# Rudder plugin: ansible_report
+
+This project is part of Rudder - IT infrastructure Automation and Compliance.
+See: http://rudder.io for more information.
+
+See repository main README for information about licensing, contribution, and
+other general information.
+
+
+// Everything after this line goes into Rudder documentation
+// ====doc====
+[ansible_report-plugin]
+= ansible_report
+
+This plugin distributes a technique to run Ansible jobs from Rudder and reports their results.
+
+Ansible is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments.
+This Rudder technique aims to integrate the execution and reporting of an Ansible agent in the Rudder one.
+
+Basically, when assigning a directive declined from this technique to a node, it will:
+
+* Make sure the Ansible package is installed
+* Download a playbook from your Rudder Server to the node
+* Execute this playbook from the target node
+* Report back the execution to the Rudder Server
+
+== Usage
+
+Make sure that the target node has SSH access to every Ansible targetted hosts.
+The technique takes two arguments:
+
+* `PathPlaybookServer` Relative path (relative to `/var/rudder/configuration-repository/shared-files/`) to the playbook that will be downloaded on your executioner.
+* `PathPlaybookAgent` Absolute path where to put the playbook on the node.
+
+NOTE: To trigger periodic playbooks execution you can use the `Schedule Simple Stateless` generic method.
+
+There is also an Ansible plugin available to use the Rudder inventory, groups and node properties in your Ansible playbooks.
+
+To get more information about it, see the https://docs.rudder.io/reference/5.0/administration/integration.html[dedicated documentation]
+
+==== Reference
+
+Ansible playbooks can configure and orchestrate steps of any manual ordered process and they can launch tasks synchronously or asynchronously.
+
+An example of a basic playbook to check the status of services and report the hostname of the target:
+
+----
+
+---
+- name: run the playbook tasks on the localhost and check service status
+  hosts: 127.0.0.1
+  connection: local
+  become:
+  tasks:
+
+  - name: print out the hostname of target
+    command: hostname
+  - name: checking service status
+    command: systemctl status "{{ item }}"
+    with_items:
+    - apache2
+    - sshd
+
+----
+
+At runtime, the technique will store the Ansible output in a local temporary file under `/var/rudder/tmp/ansible_report`. It will then be reported in a classic Rudder report to be available in the Rudder interface by using the generic method `File report content`.
+The execution is done through the `Command execution result` generic method to differentiate the repaired/kept cases. If the Ansible runner did make a change on the system, it will report a repaired, else, a kept report.
+
+An example of Ansible runner output
+
+----
+
+PLAY [run the playbook tasks on the localhost and check service status] ********
+
+TASK [setup] *******************************************************************
+ok: [127.0.0.1]
+
+TASK [print out the hostname of target] ****************************************
+changed: [127.0.0.1]
+
+TASK [checking service status] *************************************************
+changed: [127.0.0.1] => (item=apache2)
+changed: [127.0.0.1] => (item=sshd)
+
+PLAY RECAP *********************************************************************
+127.0.0.1                  : ok=3    changed=2    unreachable=0    failed=0
+
+----
+
diff --git a/ansible-report/build.conf b/ansible-report/build.conf
@@ -0,0 +1,29 @@
+#
+# This file defines the release information about the plugin like
+# its version and its ABI compability.
+#
+# So version are not managed in pom.xml (safe for parent-pom version,
+# which can't be a parameter, and must be equals to rudder-branch here)
+#
+
+# Unique identifier of the plugin
+plugin-name=ansible_report
+# the full name is derived from rudder-plugin-name
+plugin-fullname=rudder-plugin-${plugin-name}
+
+# Human readable short/title descrption (used for one line text)
+plugin-title-description="""This plugin distributes a technique to run Ansible jobs from Rudder and reports their results."""
+
+# WEB, HTML description.
+plugin-web-description=<p>This plugin distributes a technique to run Ansible jobs from Rudder and reports their results.</p>
+
+# Plugin version. It is build as follow: A.B-x.y(.z) with:
+# - A.B: Rudder major.minor
+# - x.y(.z): plugin major.minor.micro. Micro should be omitted. When omitted, z is assumed to be 0.
+# For the build, we split the information between two properties, rudder branch and plugin version,
+# which must be concaneted with "-" to build the plugin version.
+plugin-branch=0.1
+
+# rudder branch comes from parent
+plugin-version=${rudder-branch}-${plugin-branch}
+
diff --git a/ansible-report/configuration-repository/ncf/50_techniques/ansible_report/ansible_report.cf b/ansible-report/configuration-repository/ncf/50_techniques/ansible_report/ansible_report.cf
@@ -0,0 +1,22 @@
+# @name ansible report
+# @description This technique install and deploy an Ansible Playbook on a target node and execute it. Its result will be reported in details in a Rudder report.
+# @version 1.0
+# @parameter {"id": "dd26d25f-4315-41e6-9387-8df289710de4", "name": "PathPlaybookAgent", "constraints": {"allow_whitespace_string": false, "allow_empty_string": false, "max_length": 16384}}
+# @parameter {"id": "0ca6b218-2dd1-44e6-a216-88e7bdf2a5ef", "name": "PathPlaybookServer", "constraints": {"allow_whitespace_string": false, "allow_empty_string": false, "max_length": 16384}}
+
+bundle agent ansible_report(PathPlaybookAgent, PathPlaybookServer)
+{
+  methods:
+    "Package present_context_${report_data.directive_id}_0" usebundle => _method_reporting_context("Package present", "ansible");
+    "Package present" usebundle => package_present("ansible", "", "", ""),
+      ifvarclass => concat("any");
+    "File copy from Rudder shared folder_context_${report_data.directive_id}_1" usebundle => _method_reporting_context("File copy from Rudder shared folder", "${PathPlaybookAgent}");
+    "File copy from Rudder shared folder" usebundle => file_from_shared_folder("${PathPlaybookServer}", "${PathPlaybookAgent}", "sha256"),
+      ifvarclass => concat("any");
+    "Command execution result_context_${report_data.directive_id}_2" usebundle => _method_reporting_context("Command execution result", "ansible-playbook ${PathPlaybookAgent} | tee /var/rudder/tmp/ansible_report | ${paths.grep} -qE \"changed=[1-9][0-9]*\"");
+    "Command execution result" usebundle => command_execution_result("ansible-playbook ${PathPlaybookAgent} | tee /var/rudder/tmp/ansible_report | ${paths.grep} -qE \"changed=[1-9][0-9]*\"", "1", "0"),
+      ifvarclass => concat("any");
+    "File report content_context_${report_data.directive_id}_3" usebundle => _method_reporting_context("File report content", "/var/rudder/tmp/ansible_report");
+    "File report content" usebundle => file_report_content("/var/rudder/tmp/ansible_report", "", ""),
+      ifvarclass => concat("any");
+}
diff --git a/ansible-report/configuration-repository/techniques/ansible_report/category.xml b/ansible-report/configuration-repository/techniques/ansible_report/category.xml
@@ -0,0 +1,22 @@
+<!--
+Copyright 2019 Normation SAS
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, Version 3.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+-->
+
+<xml>
+    <name>Ansible-report</name>
+    <description>
+       Contains techniques from the Ansible-report plugin.
+    </description>
+</xml>
diff --git a/ansible-report/packaging/metadata b/ansible-report/packaging/metadata
@@ -0,0 +1,10 @@
+{
+  "type": "plugin",
+  "name": "${plugin-id}",
+  "version": "${plugin-version}",
+  "build-date": "${maven.build.timestamp}",
+  "build-commit": "${commit-id}",
+  "content": {
+    "files.txz": "/var/rudder/configuration-repository"
+  }
+}
diff --git a/ansible-report/packaging/postinst b/ansible-report/packaging/postinst
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -x
+
+# Import Ansible Technique
+FOLDERS="ncf/50_techniques/ansible_report techniques/ansible_report techniques/ncf_techniques"
+cd /var/rudder/configuration-repository/
+git reset
+for folder in $FOLDERS
+do
+  chown -R ncf-api-venv:rudder $folder
+  chmod 664 -R $folder
+  chmod -R +X $folder
+  git add $folder
+done
+git commit -m "Ansible-report plugin installation"
+rudder server reload-techniques
diff --git a/ansible-report/packaging/prerm b/ansible-report/packaging/prerm
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -x
+
+# Import Ansible Technique
+FOLDERS="ncf/50_techniques/ansible_report techniques/ansible_report"
+cd /var/rudder/configuration-repository/
+git reset
+for folder in $FOLDERS
+do
+  git rm -R $folder
+done
+git commit -m "Ansible-report plugin uninstallation"
+rudder server reload-techniques
+