Fixes #19037: Refactor the system techniques by component

techniques/system/rudderRelay/1.0/apache/main.cf

@@ -0,0 +1,30 @@
+bundle agent rudder_system_apache_configuration {
+  vars:
+      "apache_service"   string => "apache2";
+    redhat::
+      "apache_service"   string => "httpd";
+
+  classes:
+      "pass3" expression => "pass2";
+      "pass2" expression => "pass1";
+      "pass1" expression => "any";
+  methods:
+    pass3::
+      "any" usebundle => enable_reporting;
+      # Force allowed networks
+      "any" usebundle => _method_reporting_context("Apache allowed networks", "None");
+      "any" usebundle => rudder_system_apache_networks_check;
+
+      # Force webdav user/password
+      "any" usebundle => rudder_system_apache_password_check_dav;
+
+      # Check that apache is running and enabled
+      "any" usebundle => _method_reporting_context("Apache service started", "None");
+      "any" usebundle => service_started("${apache_service}");
+
+      "any" usebundle => _method_reporting_context("Apache service enabled", "None");
+      "any" usebundle => service_enabled("${apache_service}");
+
+      # Configure relayd
+      "any" usebundle => rudder_system_relayd_configuration;
+}

techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf

@@ -0,0 +1,57 @@
+bundle agent rudder_system_apache_networks_check {
+  vars:
+      "policy_server_ip"     string => host2ip("${server_info.policy_server}");
+    server_ip_found::
+      "policy_server_acl"    slist => { "127.0.0.0/8", "::1",  "${policy_server_ip}" };
+    !server_ip_found::
+      "policy_server_acl"    slist => { "127.0.0.0/8", "::1" };
+
+    any::
+      "defacl"               slist => filter("0.0.0.0/0", "def.acl", "false", "true", "99999");
+      "nodes_acl_24"         slist => maplist("Require ip ${this}", "defacl");
+      "nodes_generate_24"    string => join("${const.n}","nodes_acl_24");
+
+      "allowed_network_file" string => "${g.rudder_base}/etc/rudder-networks-24.conf";
+      "remote_run_file"      string => "${g.rudder_base}/etc/rudder-networks-policy-server-24.conf";
+
+      "allowed_network_prefix" string => canonify("file_content_${allowed_network_file}");
+      "remote_run_prefix" string => canonify("file_content_${remote_run_file}");
+
+
+    server_ip_found::
+      "remote_run_acl"       string => "Require local${const.n}Require ip ${policy_server_ip}";
+    !server_ip_found::
+      "remote_run_acl"       string => "Require local";
+
+
+    has_all_granted::
+      "allowed_network_acl"          string => "Require all granted";
+    !has_all_granted::
+      "allowed_network_acl"          string => "${nodes_generate_24}";
+
+  classes:
+      "pass3" expression => "pass2";
+      "pass2" expression => "pass1";
+      "pass1" expression => "any";
+
+      "has_all_granted" expression => some("0.0.0.0/0", "def.acl");
+      "server_ip_found" expression => regcmp("^[0-9.]+$|^[0-9a-fA-F:]+:[0-9a-fA-F:]+$", "${policy_server_ip}");
+
+      # Restart apache at the end of the technique if needed
+      "system_restart_apache" expression => "${allowed_network_prefix}_repaired|${remote_run_prefix}_repaired",
+                                   scope => "namespace";
+
+  methods:
+    pass3::
+      # Allowed networks
+      "any" usebundle => _method_reporting_context("Apache allowed networks permissions", "None");
+      "any" usebundle => permissions("${allowed_network_file}", "600", "root", "0");
+      "any" usebundle => _method_reporting_context("Apache allowed networks configuration", "None");
+      "any" usebundle => file_content("${allowed_network_file}", "${allowed_network_acl}", "true");
+
+      # Remote run
+      "any" usebundle => _method_reporting_context("Apache allowed remote run permissions", "None");
+      "any" usebundle => permissions("${remote_run_file}", "600", "root", "0");
+      "any" usebundle => _method_reporting_context("Apache allowed remote run configuration", "None");
+      "any" usebundle => file_content("${remote_run_file}", "${remote_run_acl}", "true");
+}

techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf

@@ -0,0 +1,60 @@
+# This file contains bundles to manage password between all components of a
+# Rudder server (OpenLDAP, PostgreSQL, Apache WebDAV and web interface)
+
+# It is currently only used on root servers where all components are installed
+# on one host. It may be extended in the future to support changing passwords
+# across multiple hosts.
+
+bundle agent rudder_system_apache_password_check_dav {
+
+  vars:
+    debian::
+      "webdav_check_wwwgroup" string => "www-data";
+
+    redhat::
+      "webdav_check_wwwgroup" string => "apache";
+
+    !debian.!redhat::
+      "webdav_check_wwwgroup" string => "www";
+
+    SuSE::
+      "htpasswd_bin"          string => "/usr/bin/htpasswd2";
+
+    !SuSE::
+      "htpasswd_bin"          string => "/usr/bin/htpasswd";
+
+    any::
+     "no"                        int => getfields("RUDDER_WEBDAV_PASSWORD:.*","${g.rudder_base}/etc/rudder-passwords.conf",":","dav_password");
+     "technique_name"         string => "server-roles";
+     "report_string"          string => "Apache WebDAV user and password";
+
+      "webdav_pwd_cmd"        string => "${htpasswd_bin} -b ${g.rudder_base}/etc/htpasswd-webdav ${g.davuser} ${g.davpw}";
+      "args"                  slist  => { "${webdav_pwd_cmd}" };
+      "pwd_class_prefix"      string => canonify("command_execution_${webdav_pwd_cmd}");
+
+  classes:
+
+      "dav_cant_connect" not => returnszero("${g.rudder_curl} --tlsv1.2 --proxy '' ${g.rudder_verify_certs_option} --silent --fail --output /dev/null --user ${g.davuser}:${g.davpw} --upload-file ${g.rudder_base}/etc/uuid.hive https://localhost/inventory-updates/uuid.hive","noshell");
+
+    any::
+      "pass3" expression => "pass2";
+      "pass2" expression => "pass1";
+      "pass1" expression => "any";
+
+      "system_restart_apache" expression => "${pwd_class_prefix}_repaired",
+                                   scope => "namespace";
+
+  methods:
+      "any" usebundle => _method_reporting_context("Apache webdav permissions", "None");
+      "any" usebundle => permissions("${g.rudder_base}/etc/htpasswd-webdav", "640", "root", "${webdav_check_wwwgroup}");
+
+      "any" usebundle => _method_reporting_context("Apache webdav password", "None");
+
+    dav_cant_connect::
+      "any" usebundle => command_execution("${webdav_pwd_cmd}");
+    !dav_cant_connect::
+      "any" usebundle => _classes_success("${pwd_class_prefix}");
+    any::
+      "any" usebundle => _log_v3("Setting Apache webdav password", "${webdav_pwd_cmd}", "${pwd_class_prefix}", "${pwd_class_prefix}", @{args});
+
+}

techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf

@@ -0,0 +1,53 @@
+bundle agent reload_rudder_services {
+  vars:
+      "jetty_service_name"  string => "rudder-jetty";
+      "apache_service_name" string => "apache2";
+      "relayd_service_name" string => "rudder-relayd";
+    redhat::
+      "apache_service_name" string => "httpd";
+
+    any::
+      "jetty_prefix"         string => canonify("service_restart_${jetty_service_name}");
+      "apache_prefix"         string => canonify("service_restart_${apache_service_name}");
+      "relayd_prefix"         string => canonify("service_restart_${relayd_service_name}");
+
+      "prefixes"              slist => { "${jetty_prefix}",
+                                         "${apache_prefix}",
+                                         "${relayd_prefix}"
+                                       };
+
+      "technique_name"      string => "server_roles";
+      "component_name"      string => "reload rudder services";
+
+  classes:
+      "pass3" expression => "pass2";
+      "pass2" expression => "pass1";
+      "pass1" expression => "any";
+
+    pass3::
+      "result_error"    expression => "${prefixes}_error";
+    pass3.!result_error::
+      "result_repaired" expression => "${prefixes}_repaired";
+    pass3.!result_error.!result_repaired::
+      "result_na"  expression => "any";
+
+  methods:
+      "restart_jetty_password" usebundle => disable_reporting;
+      "restart_jetty_password" usebundle => _method_reporting_context("Reload rudder services", "None");
+    rudder_system_restart_jetty::
+      "restart_jetty_password" usebundle => service_restart("${jetty_service_name}");
+    rudder_system_restart_apache::
+      "restart_jetty_password" usebundle => service_reload("${apache_service}");
+    rudder_system_restart_relayd::
+      "restart_jetty_password" usebundle => service_reload("${relayd_service}");
+    pass3::
+      "restart_jetty_password" usebundle => enable_reporting;
+
+      # Reporting
+      "report_error"   usebundle  => rudder_common_report("${technique_name}", "result_error", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"),
+                       ifvarclass => "result_error";
+      "report_repaired" usebundle => rudder_common_report("${technique_name}", "result_error", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"),
+                       ifvarclass => "result_repaired";
+      "report_na"      usebundle  => rudder_common_report("${technique_name}", "result_na",    "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"),
+                       ifvarclass => "result_na";
+}

techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf

@@ -0,0 +1,9 @@
+bundle agent rudder_system_disclaimer {
+  vars:
+      "disclaim" slist => { "@{p.managed_files}" };
+
+  files:
+      "${disclaim}"
+        edit_line => insert_rudder_disclaimer,
+        comment => "Insert a disclaimer into Rudder";
+}

techniques/system/rudderRelay/1.0/metadata.xml

@@ -0,0 +1,52 @@
+<TECHNIQUE name="Relay server">
+  <DESCRIPTION>Configure the relay components</DESCRIPTION>
+  <SYSTEM>true</SYSTEM>
+
+  <FILES>
+    <FILE name="common/reload_rudder_services.cf">
+      <INCLUDED>true</INCLUDED>
+    </FILE>
+    <FILE name="common/rudder_system_disclaimer.cf">
+      <INCLUDED>true</INCLUDED>
+    </FILE>
+    <FILE name="apache/main.cf">
+      <INCLUDED>true</INCLUDED>
+    </FILE>
+    <FILE name="apache/rudder_system_apache_networks_check.cf">
+      <INCLUDED>true</INCLUDED>
+    </FILE>
+    <FILE name="apache/rudder_system_apache_password_check_dav.cf">
+      <INCLUDED>true</INCLUDED>
+    </FILE>
+    <FILE name="relayd/relayd.cf">
+      <INCLUDED>true</INCLUDED>
+    </FILE>
+    <FILE name="relayd/relayd.conf.tpl">
+      <OUTPATH>systemRelay/1.0/relayd/relayd.conf.tpl</OUTPATH>
+      <INCLUDED>false</INCLUDED>
+    </FILE>
+  </FILES>
+
+  <BUNDLES>
+    <NAME>rudder_system_apache_configuration</NAME>
+  </BUNDLES>
+
+  <SYSTEMVARS>
+    <NAME>RUDDER_SERVER_ROLES</NAME>
+  </SYSTEMVARS>
+
+  <SECTIONS>
+    <SECTION name="Apache service started" component="true"/>
+    <SECTION name="Apache service enabled" component="true"/>
+    <SECTION name="Apache allowed networks permissions" component="true"/>
+    <SECTION name="Apache allowed networks configuration" component="true"/>
+    <SECTION name="Apache allowed remote run permissions" component="true"/>
+    <SECTION name="Apache allowed remote run configuration" component="true"/>
+    <SECTION name="Apache webdav password" component="true"/>
+    <SECTION name="Apache webdav permissions" component="true"/>
+    <SECTION name="Relayd configuration permissions" component="true"/>
+    <SECTION name="Relayd configuration" component="true"/>
+    <SECTION name="Relayd service started" component="true"/>
+    <SECTION name="Relayd service enabled" component="true"/>
+  </SECTIONS>
+</TECHNIQUE>

techniques/system/rudderRelay/1.0/relayd/relayd.cf

@@ -0,0 +1,25 @@
+bundle agent rudder_system_relayd_configuration {
+  vars:
+      "config_dir"         string => "${g.rudder_base}/etc/relayd";
+      "config_file"        string => "${config_dir}/main.conf2";
+      "relayd_service"     string => "rudder-relayd";
+
+      "config_class_prefix" string => canonify("file_from_template_${config_file}");
+
+  methods:
+      "any" usebundle => _method_reporting_context("Relayd configuration permissions", "None");
+      "any" usebundle => permissions_recursive("${config_dir}", "640", "root", "rudder");
+
+      "any" usebundle => _method_reporting_context("Relayd configuration", "None");
+      "any" usebundle => file_from_template_mustache("${this.promise_dirname}/relayd.conf.tpl", "${config_file}");
+
+      "any" usebundle => _method_reporting_context("Relayd service started", "None");
+      "any" usebundle => service_started("${relayd_service}");
+
+      "any" usebundle => _method_reporting_context("Relayd service enabled", "None");
+      "any" usebundle => service_enabled("${relayd_service}");
+
+      # Restart relayd at the end of the technique if needed
+      "system_restart_relayd" expression => "${config_class_prefix}_repaired",
+                                   scope => "namespace";
+}

techniques/system/rudderRelay/1.0/relayd/relayd.conf.tpl

@@ -0,0 +1,79 @@
+# Format is TOML 0.5 (https://github.com/toml-lang/toml/blob/v0.5.0/README.md)
+
+[general]
+
+nodes_list_file = "{{{vars.g.rudder_var}}}/lib/relay/nodeslist.json"
+nodes_certs_file = "{{{vars.g.rudder_var}}}/lib/ssl/allnodescerts.pem"
+node_id = "{{{vars.g.uuid}}}"
+listen = "127.0.0.1:3030"
+
+# Use the number of CPUs
+#core_threads = "4"
+blocking_threads = 100
+
+[processing.inventory]
+directory = "{{{vars.g.rudder_var}}}/inventories"
+{{#classes.root_server}}
+output = "disabled"
+{{/classes.root_server}}
+{{^classes.root_server}}
+output = "upstream"
+{{/classes.root_server}}
+
+[processing.inventory.catchup]
+frequency = 10
+limit = 50
+
+[processing.inventory.cleanup]
+frequency = "10min"
+retention = "1day"
+
+[processing.reporting]
+directory = "{{{vars.g.rudder_var}}}/reports"
+{{#classes.root_server}}
+output = "database"
+{{/classes.root_server}}
+{{^classes.root_server}}
+output = "upstream"
+{{/classes.root_server}}
+skip_event_types = []
+
+[processing.reporting.catchup]
+frequency = 10
+limit = 0
+
+[processing.reporting.cleanup]
+frequency = "10min"
+retention = "1day"
+
+[output.database]
+{{#classes.root_server}}
+url = "postgres://{{{vars.rudder_postgresql.db_user}}}@{{{vars.rudder_postgresql.host}}}/{{{vars.rudder_postgresql.db_name}}}"
+password = "{{{vars.rudder_postgresql.db_pass}}}"
+{{/classes.root_server}}
+{{^classes.root_server}}
+url = "postgres://user@host/rudder"
+password = "password"
+{{/classes.root_server}}
+max_pool_size = 10
+
+[output.upstream]
+url = "https://{{{vars.server_info.policy_server}}}"
+user = "{{{vars.g.davuser}}}"
+password = "{{{vars.g.davpw}}}"
+{{#classes.rudder_verify_certs}}
+verify_certificates = true
+{{/classes.rudder_verify_certs}}
+{{^classes.rudder_verify_certs}}
+verify_certificates = false
+{{/classes.rudder_verify_certs}}
+
+[remote_run]
+command = "{{{vars.g.rudder_base}}}/bin/rudder"
+use_sudo = true
+
+[shared_files]
+path = "{{{vars.g.rudder_var}}}/shared-files/"
+
+[shared_folder]
+path = "{{{vars.g.shared_files}}}/"