Fixes #16024: Make a plugin from the current openSCAP technique
Showing 10 changed files with 921 additions and 0 deletions.
@@ -0,0 +1,27 @@ | ||
Copyright 2011 Normation SAS | ||
|
||
This program is free software: you can redistribute it and/or modify | ||
it under the terms of the GNU General Public License as published by | ||
the Free Software Foundation, either version 3 of the License, or | ||
(at your option) any later version. | ||
|
||
In accordance with the terms of section 7 (7. Additional Terms.) of | ||
the GNU General Public License version 3, the copyright holders add | ||
the following Additional permissions: | ||
Notwithstanding to the terms of section 5 (5. Conveying Modified Source | ||
Versions) and 6 (6. Conveying Non-Source Forms.) of the GNU General | ||
Public License version 3, when you create a Related Module, this | ||
Related Module is not considered as a part of the work and may be | ||
distributed under the license agreement of your choice. | ||
A "Related Module" means a set of sources files including their | ||
documentation that, without modification of the Source Code, enables | ||
supplementary functions or services in addition to those offered by | ||
the Software. | ||
|
||
This program is distributed in the hope that it will be useful, | ||
but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
GNU General Public License for more details. | ||
|
||
You should have received a copy of the GNU General Public License | ||
along with this program. If not, see <http://www.gnu.org/licenses/>. |
@@ -0,0 +1,18 @@ | ||
FILES = ncf techniques | ||
SCRIPTS = postinst prerm | ||
|
||
TECHNIQUES=$(shell ls -1 configuration-repository/ncf/50_techniques) | ||
|
||
include ../makefiles/common-plugin.mk | ||
|
||
target/ncf: | ||
cp -a configuration-repository/ncf target | ||
|
||
target/techniques: | ||
cp -a configuration-repository/techniques target | ||
mkdir -p target/techniques/ncf_techniques | ||
for technique in "$(TECHNIQUES)"; \ | ||
do \ | ||
cd target && mkdir -p techniques/ansible_report/$$technique && cd -; \ | ||
cd target/techniques/ncf_techniques && ln -rs ../ansible_report/$$technique $$techniques && cd -; \ | ||
done; |
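Review bot: the loop in the `target/techniques` rule quotes its word list, `for technique in "$(TECHNIQUES)"`, so the shell iterates once over a single string holding every technique name instead of once per technique; drop the quotes. In the same loop, `ln -rs ../ansible_report/$$technique $$techniques` references `techniques`, which is not defined anywhere in the Makefile (the loop variable is `technique`), so the link name expands to nothing and `ln` only does the right thing because it falls back to the source basename. Use `$$technique` for the link name so the intent is explicit.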
@@ -0,0 +1,89 @@ | ||
# Rudder plugin: ansible_report | ||
|
||
This project is part of Rudder - IT infrastructure Automation and Compliance. | ||
See: http://rudder.io for more information. | ||
|
||
See repository main README for information about licensing, contribution, and | ||
other general information. | ||
|
||
|
||
// Everything after this line goes into Rudder documentation | ||
// ====doc==== | ||
[ansible_report-plugin] | ||
= ansible_report | ||
|
||
This plugin distributes a technique to run Ansible jobs from Rudder and reports their results. | ||
|
||
Ansible is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments. | ||
This Rudder technique aims to integrate the execution and reporting of an Ansible agent in the Rudder one. | ||
|
||
Basically, when assigning a directive declined from this technique to a node, it will: | ||
|
||
* Make sure the Ansible package is installed | ||
* Download a playbook from your Rudder Server to the node | ||
* Execute this playbook from the target node | ||
* Report back the execution to the Rudder Server | ||
|
||
== Usage | ||
|
||
Make sure that the target node has SSH access to every Ansible targetted hosts. | ||
The technique takes two arguments: | ||
|
||
* `PathPlaybookServer` Relative path (relative to `/var/rudder/configuration-repository/shared-files/`) to the playbook that will be downloaded on your executioner. | ||
* `PathPlaybookAgent` Absolute path where to put the playbook on the node. | ||
|
||
NOTE: To trigger periodic playbooks execution you can use the `Schedule Simple Stateless` generic method. | ||
|
||
There is also an Ansible plugin available to use the Rudder inventory, groups and node properties in your Ansible playbooks. | ||
|
||
To get more information about it, see the https://docs.rudder.io/reference/5.0/administration/integration.html[dedicated documentation] | ||
|
||
==== Reference | ||
|
||
Ansible playbooks can configure and orchestrate steps of any manual ordered process and they can launch tasks synchronously or asynchronously. | ||
|
||
An example of a basic playbook to check the status of services and report the hostname of the target: | ||
|
||
---- | ||
--- | ||
- name: run the playbook tasks on the localhost and check service status | ||
hosts: 127.0.0.1 | ||
connection: local | ||
become: | ||
tasks: | ||
- name: print out the hostname of target | ||
command: hostname | ||
- name: checking service status | ||
command: systemctl status "{{ item }}" | ||
with_items: | ||
- apache2 | ||
- sshd | ||
---- | ||
|
||
At runtime, the technique will store the Ansible output in a local temporary file under `/var/rudder/tmp/ansible_report`. It will then be reported in a classic Rudder report to be available in the Rudder interface by using the generic method `File report content`. | ||
The execution is done through the `Command execution result` generic method to differentiate the repaired/kept cases. If the Ansible runner did make a change on the system, it will report a repaired, else, a kept report. | ||
|
||
An example of Ansible runner output | ||
|
||
---- | ||
PLAY [run the playbook tasks on the localhost and check service status] ******** | ||
TASK [setup] ******************************************************************* | ||
ok: [127.0.0.1] | ||
TASK [print out the hostname of target] **************************************** | ||
changed: [127.0.0.1] | ||
TASK [checking service status] ************************************************* | ||
changed: [127.0.0.1] => (item=apache2) | ||
changed: [127.0.0.1] => (item=sshd) | ||
PLAY RECAP ********************************************************************* | ||
127.0.0.1 : ok=3 changed=2 unreachable=0 failed=0 | ||
---- | ||
|
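Review bot: in the example playbook `become:` has no value, so a reader copying it cannot tell whether privilege escalation is intended; either write `become: yes` or drop the key. The Reference section also only documents the repaired/kept outcomes ("If the Ansible runner did make a change on the system, it will report a repaired, else, a kept report"); a sentence on what a failed or unreachable task produces would help operators interpret the report. Minor: "targetted" -> "targeted", and "executioner" reads oddly, "executing node" matches the wording used above.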
@@ -0,0 +1,29 @@ | ||
# | ||
# This file defines the release information about the plugin like | ||
# its version and its ABI compability. | ||
# | ||
# So version are not managed in pom.xml (safe for parent-pom version, | ||
# which can't be a parameter, and must be equals to rudder-branch here) | ||
# | ||
|
||
# Unique identifier of the plugin | ||
plugin-name=ansible_report | ||
# the full name is derived from rudder-plugin-name | ||
plugin-fullname=rudder-plugin-${plugin-name} | ||
|
||
# Human readable short/title descrption (used for one line text) | ||
plugin-title-description="""This plugin distributes a technique to run Ansible jobs from Rudder and reports their results.""" | ||
|
||
# WEB, HTML description. | ||
plugin-web-description=<p>This plugin distributes a technique to run Ansible jobs from Rudder and reports their results.</p> | ||
|
||
# Plugin version. It is build as follow: A.B-x.y(.z) with: | ||
# - A.B: Rudder major.minor | ||
# - x.y(.z): plugin major.minor.micro. Micro should be omitted. When omitted, z is assumed to be 0. | ||
# For the build, we split the information between two properties, rudder branch and plugin version, | ||
# which must be concaneted with "-" to build the plugin version. | ||
plugin-branch=0.1 | ||
|
||
# rudder branch comes from parent | ||
plugin-version=${rudder-branch}-${plugin-branch} | ||
|
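Review bot: the comment on `plugin-fullname` says it is "derived from rudder-plugin-name", but the property actually used is `${plugin-name}`; align the comment with the real key. Typos in the comments: "compability" -> "compatibility", "So version are not managed" -> "So versions are not managed", "descrption" -> "description", "concaneted" -> "concatenated".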
22 changes: 22 additions & 0 deletions
ansible-report/configuration-repository/ncf/50_techniques/ansible_report/ansible_report.cf
@@ -0,0 +1,22 @@ | ||
# @name ansible report | ||
# @description This technique install and deploy an Ansible Playbook on a target node and execute it. Its result will be reported in details in a Rudder report. | ||
# @version 1.0 | ||
# @parameter {"id": "dd26d25f-4315-41e6-9387-8df289710de4", "name": "PathPlaybookAgent", "constraints": {"allow_whitespace_string": false, "allow_empty_string": false, "max_length": 16384}} | ||
# @parameter {"id": "0ca6b218-2dd1-44e6-a216-88e7bdf2a5ef", "name": "PathPlaybookServer", "constraints": {"allow_whitespace_string": false, "allow_empty_string": false, "max_length": 16384}} | ||
|
||
bundle agent ansible_report(PathPlaybookAgent, PathPlaybookServer) | ||
{ | ||
methods: | ||
"Package present_context_${report_data.directive_id}_0" usebundle => _method_reporting_context("Package present", "ansible"); | ||
"Package present" usebundle => package_present("ansible", "", "", ""), | ||
ifvarclass => concat("any"); | ||
"File copy from Rudder shared folder_context_${report_data.directive_id}_1" usebundle => _method_reporting_context("File copy from Rudder shared folder", "${PathPlaybookAgent}"); | ||
"File copy from Rudder shared folder" usebundle => file_from_shared_folder("${PathPlaybookServer}", "${PathPlaybookAgent}", "sha256"), | ||
ifvarclass => concat("any"); | ||
"Command execution result_context_${report_data.directive_id}_2" usebundle => _method_reporting_context("Command execution result", "ansible-playbook ${PathPlaybookAgent} | tee /var/rudder/tmp/ansible_report | ${paths.grep} -qE \"changed=[1-9][0-9]*\""); | ||
"Command execution result" usebundle => command_execution_result("ansible-playbook ${PathPlaybookAgent} | tee /var/rudder/tmp/ansible_report | ${paths.grep} -qE \"changed=[1-9][0-9]*\"", "1", "0"), | ||
ifvarclass => concat("any"); | ||
"File report content_context_${report_data.directive_id}_3" usebundle => _method_reporting_context("File report content", "/var/rudder/tmp/ansible_report"); | ||
"File report content" usebundle => file_report_content("/var/rudder/tmp/ansible_report", "", ""), | ||
ifvarclass => concat("any"); | ||
} |
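Review bot: the `command_execution_result` call runs `ansible-playbook ${PathPlaybookAgent} | tee /var/rudder/tmp/ansible_report | grep -qE "changed=[1-9][0-9]*"` through a shell, so the outcome the technique reports is grep's exit status, not ansible-playbook's: a run whose PLAY RECAP shows failed or unreachable hosts but `changed=0` is reported as kept, and a run with both changes and failures is reported as repaired, because `failed=` and `unreachable=` are never examined. Consider matching on `failed=0 unreachable=0` as well (or using `set -o pipefail` and mapping a non-zero ansible-playbook status to an error) so broken runs surface as errors in Rudder. `${PathPlaybookAgent}` is also interpolated unquoted into that command line while the parameter constraints only reject empty and whitespace strings, so any shell metacharacter in the path is interpreted by the shell; quote the path in both the command and the reporting context. Finally, `/var/rudder/tmp/ansible_report` is a fixed file shared by every directive built from this technique, so two directives applied to the same node overwrite each other's output; deriving the filename from `${report_data.directive_id}` avoids that.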
22 changes: 22 additions & 0 deletions
ansible-report/configuration-repository/techniques/ansible_report/category.xml
@@ -0,0 +1,22 @@ | ||
<!-- | ||
Copyright 2019 Normation SAS | ||
This program is free software: you can redistribute it and/or modify | ||
it under the terms of the GNU General Public License as published by | ||
the Free Software Foundation, Version 3. | ||
This program is distributed in the hope that it will be useful, | ||
but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
GNU General Public License for more details. | ||
You should have received a copy of the GNU General Public License | ||
along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
--> | ||
|
||
<xml> | ||
<name>Ansible-report</name> | ||
<description> | ||
Contains techniques from the Ansible-report plugin. | ||
</description> | ||
</xml> |
@@ -0,0 +1,10 @@ | ||
{ | ||
"type": "plugin", | ||
"name": "${plugin-id}", | ||
"version": "${plugin-version}", | ||
"build-date": "${maven.build.timestamp}", | ||
"build-commit": "${commit-id}", | ||
"content": { | ||
"files.txz": "/var/rudder/configuration-repository" | ||
} | ||
} |
@@ -0,0 +1,16 @@ | ||
#!/bin/bash | ||
set -x | ||
|
||
# Import Ansible Technique | ||
FOLDERS="ncf/50_techniques/ansible_report techniques/ansible_report techniques/ncf_techniques" | ||
cd /var/rudder/configuration-repository/ | ||
git reset | ||
for folder in $FOLDERS | ||
do | ||
chown -R ncf-api-venv:rudder $folder | ||
chmod 664 -R $folder | ||
chmod -R +X $folder | ||
git add $folder | ||
done | ||
git commit -m "Ansible-report plugin installation" | ||
rudder server reload-techniques |
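Review bot: the script enables `set -x` but not `set -e`, and the `cd /var/rudder/configuration-repository/` is unchecked, so if the cd fails every following `chown -R`, `chmod`, `git reset`, `git add` and `git commit` runs against whatever the current directory happens to be; add `set -e` and `cd ... || exit 1`. `FOLDERS` also lists the whole `techniques/ncf_techniques` directory, so the `chown -R ncf-api-venv:rudder` and `git add` apply to every entry in it, including ones belonging to other plugins, whereas this plugin only contributes `techniques/ncf_techniques/ansible_report`; narrow the entry to that path. Note too that `git reset` discards anything another process had staged in the configuration repository before this script ran.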
@@ -0,0 +1,14 @@ | ||
#!/bin/bash | ||
set -x | ||
|
||
# Import Ansible Technique | ||
FOLDERS="ncf/50_techniques/ansible_report techniques/ansible_report" | ||
cd /var/rudder/configuration-repository/ | ||
git reset | ||
for folder in $FOLDERS | ||
do | ||
git rm -R $folder | ||
done | ||
git commit -m "Ansible-report plugin uninstallation" | ||
rudder server reload-techniques | ||
|
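Review bot: `git rm -R $folder` uses an uppercase `-R`; `git rm` recurses with lowercase `-r`, so as written the command is rejected as an unknown option and nothing is staged for removal before the commit. `FOLDERS` also omits the `techniques/ncf_techniques` entry that postinst adds, so the `techniques/ncf_techniques/ansible_report` symlink created by the Makefile is left dangling after uninstall. The same `set -e` and checked-`cd` point raised on postinst applies here.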