Fixes #19037: Refactor the system techniques by component
Showing
8 changed files
with
365 additions
and
0 deletions.
@@ -0,0 +1,30 @@ | ||
bundle agent rudder_system_apache_configuration { | ||
vars: | ||
"apache_service" string => "apache2"; | ||
redhat:: | ||
"apache_service" string => "httpd"; | ||
|
||
classes: | ||
"pass3" expression => "pass2"; | ||
"pass2" expression => "pass1"; | ||
"pass1" expression => "any"; | ||
methods: | ||
pass3:: | ||
"any" usebundle => enable_reporting; | ||
# Force allowed networks | ||
"any" usebundle => _method_reporting_context("Apache allowed networks", "None"); | ||
"any" usebundle => rudder_system_apache_networks_check; | ||
|
||
# Force webdav user/password | ||
"any" usebundle => rudder_system_apache_password_check_dav; | ||
|
||
# Check that apache is running and enabled | ||
"any" usebundle => _method_reporting_context("Apache service started", "None"); | ||
"any" usebundle => service_started("${apache_service}"); | ||
|
||
"any" usebundle => _method_reporting_context("Apache service enabled", "None"); | ||
"any" usebundle => service_enabled("${apache_service}"); | ||
|
||
# Configure relayd | ||
"any" usebundle => rudder_system_relayd_configuration; | ||
} |
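--- a/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf
+++ b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf
@@ -0,0 +1,57 @@
+bundle agent rudder_system_apache_networks_check {
+vars:
+"policy_server_ip" string => host2ip("${server_info.policy_server}");
+server_ip_found::
+"policy_server_acl" slist => { "127.0.0.0/8", "::1", "${policy_server_ip}" };
+!server_ip_found::
+"policy_server_acl" slist => { "127.0.0.0/8", "::1" };
+
+any::
+"defacl" slist => filter("0.0.0.0/0", "def.acl", "false", "true", "99999");
+"nodes_acl_24" slist => maplist("Require ip ${this}", "defacl");
+"nodes_generate_24" string => join("${const.n}","nodes_acl_24");
+
+"allowed_network_file" string => "${g.rudder_base}/etc/rudder-networks-24.conf";
+"remote_run_file" string => "${g.rudder_base}/etc/rudder-networks-policy-server-24.conf";
+
+"allowed_network_prefix" string => canonify("file_content_${allowed_network_file}");
+"remote_run_prefix" string => canonify("file_content_${remote_run_file}");
+
+
+server_ip_found::
+"remote_run_acl" string => "Require local${const.n}Require ip ${policy_server_ip}";
+!server_ip_found::
+"remote_run_acl" string => "Require local";
+
+
+has_all_granted::
+"allowed_network_acl" string => "Require all granted";
+!has_all_granted::
+"allowed_network_acl" string => "${nodes_generate_24}";
+
+classes:
+"pass3" expression => "pass2";
+"pass2" expression => "pass1";
+"pass1" expression => "any";
+
+"has_all_granted" expression => some("0.0.0.0/0", "def.acl");
+"server_ip_found" expression => regcmp("^[0-9.]+$|^[0-9a-fA-F:]+:[0-9a-fA-F:]+$", "${policy_server_ip}");
+
+# Restart apache at the end of the technique if needed
+"system_restart_apache" expression => "${allowed_network_prefix}_repaired|${remote_run_prefix}_repaired",
+scope => "namespace";
+
+methods:
+pass3::
+# Allowed networks
+"any" usebundle => _method_reporting_context("Apache allowed networks permissions", "None");
+"any" usebundle => permissions("${allowed_network_file}", "600", "root", "0");
+"any" usebundle => _method_reporting_context("Apache allowed networks configuration", "None");
+"any" usebundle => file_content("${allowed_network_file}", "${allowed_network_acl}", "true");
+
+# Remote run
+"any" usebundle => _method_reporting_context("Apache allowed remote run permissions", "None");
+"any" usebundle => permissions("${remote_run_file}", "600", "root", "0");
+"any" usebundle => _method_reporting_context("Apache allowed remote run configuration", "None");
+"any" usebundle => file_content("${remote_run_file}", "${remote_run_acl}", "true");
+}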
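Review bot: `policy_server_acl` (lines 67 and 69) is computed in both class branches but never referenced; the remote-run ACL is built independently as `remote_run_acl` on lines 89 and 91, so the list is dead code and should be removed or wired into the ACL it was meant to feed. When `def.acl` is empty, `nodes_generate_24` (line 75) joins to an empty string and line 123 then writes an empty allowed-networks file; whether Apache treats a `Require`-less include as deny-all or as a configuration error depends on how the file is included, which is not visible here, so a comment on line 99 stating the intended behaviour for an empty node list would help, e.g. `# Empty def.acl yields an empty file: no node network is allowed`.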
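--- a/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf
+++ b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf
@@ -0,0 +1,60 @@
+# This file contains bundles to manage password between all components of a
+# Rudder server (OpenLDAP, PostgreSQL, Apache WebDAV and web interface)
+
+# It is currently only used on root servers where all components are installed
+# on one host. It may be extended in the future to support changing passwords
+# across multiple hosts.
+
+bundle agent rudder_system_apache_password_check_dav {
+
+vars:
+debian::
+"webdav_check_wwwgroup" string => "www-data";
+
+redhat::
+"webdav_check_wwwgroup" string => "apache";
+
+!debian.!redhat::
+"webdav_check_wwwgroup" string => "www";
+
+SuSE::
+"htpasswd_bin" string => "/usr/bin/htpasswd2";
+
+!SuSE::
+"htpasswd_bin" string => "/usr/bin/htpasswd";
+
+any::
+"no" int => getfields("RUDDER_WEBDAV_PASSWORD:.*","${g.rudder_base}/etc/rudder-passwords.conf",":","dav_password");
+"technique_name" string => "server-roles";
+"report_string" string => "Apache WebDAV user and password";
+
+"webdav_pwd_cmd" string => "${htpasswd_bin} -b ${g.rudder_base}/etc/htpasswd-webdav ${g.davuser} ${g.davpw}";
+"args" slist => { "${webdav_pwd_cmd}" };
+"pwd_class_prefix" string => canonify("command_execution_${webdav_pwd_cmd}");
+
+classes:
+
+"dav_cant_connect" not => returnszero("${g.rudder_curl} --tlsv1.2 --proxy '' ${g.rudder_verify_certs_option} --silent --fail --output /dev/null --user ${g.davuser}:${g.davpw} --upload-file ${g.rudder_base}/etc/uuid.hive https://localhost/inventory-updates/uuid.hive","noshell");
+
+any::
+"pass3" expression => "pass2";
+"pass2" expression => "pass1";
+"pass1" expression => "any";
+
+"system_restart_apache" expression => "${pwd_class_prefix}_repaired",
+scope => "namespace";
+
+methods:
+"any" usebundle => _method_reporting_context("Apache webdav permissions", "None");
+"any" usebundle => permissions("${g.rudder_base}/etc/htpasswd-webdav", "640", "root", "${webdav_check_wwwgroup}");
+
+"any" usebundle => _method_reporting_context("Apache webdav password", "None");
+
+dav_cant_connect::
+"any" usebundle => command_execution("${webdav_pwd_cmd}");
+!dav_cant_connect::
+"any" usebundle => _classes_success("${pwd_class_prefix}");
+any::
+"any" usebundle => _log_v3("Setting Apache webdav password", "${webdav_pwd_cmd}", "${pwd_class_prefix}", "${pwd_class_prefix}", @{args});
+
+}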
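Review bot: The WebDAV password is pushed into the reporting path: `webdav_pwd_cmd` (line 179) embeds `${g.davpw}`, and that string is passed to `_log_v3` on line 213 both as the second argument (which appears to become the reported key) and inside `@{args}`, so the cleartext password lands in agent logs and reports instead of staying in the htpasswd file. The same string is the `command_execution` argument on line 209 and `returnszero` on line 187 passes `--user ${g.davuser}:${g.davpw}`, so the password is also visible on the process command line while those commands run; that exposure predates this refactor but is worth a comment. At minimum log a redacted description, e.g. `"any" usebundle => _log_v3("Setting Apache webdav password", "htpasswd for ${g.davuser}", "${pwd_class_prefix}", "${pwd_class_prefix}", @{args});` with `args` built from the same redacted string, and add above line 179 `# Contains ${g.davpw}: never pass webdav_pwd_cmd to logging or reporting`. The `no`/`dav_password` getfields result on line 174, `technique_name` and `report_string` are not referenced anywhere in this bundle and look like leftovers from the pre-refactor file.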
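--- a/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf
+++ b/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf
@@ -0,0 +1,53 @@
+bundle agent reload_rudder_services {
+vars:
+"jetty_service_name" string => "rudder-jetty";
+"apache_service_name" string => "apache2";
+"relayd_service_name" string => "rudder-relayd";
+redhat::
+"apache_service_name" string => "httpd";
+
+any::
+"jetty_prefix" string => canonify("service_restart_${jetty_service_name}");
+"apache_prefix" string => canonify("service_restart_${apache_service_name}");
+"relayd_prefix" string => canonify("service_restart_${relayd_service_name}");
+
+"prefixes" slist => { "${jetty_prefix}",
+"${apache_prefix}",
+"${relayd_prefix}"
+};
+
+"technique_name" string => "server_roles";
+"component_name" string => "reload rudder services";
+
+classes:
+"pass3" expression => "pass2";
+"pass2" expression => "pass1";
+"pass1" expression => "any";
+
+pass3::
+"result_error" expression => "${prefixes}_error";
+pass3.!result_error::
+"result_repaired" expression => "${prefixes}_repaired";
+pass3.!result_error.!result_repaired::
+"result_na" expression => "any";
+
+methods:
+"restart_jetty_password" usebundle => disable_reporting;
+"restart_jetty_password" usebundle => _method_reporting_context("Reload rudder services", "None");
+rudder_system_restart_jetty::
+"restart_jetty_password" usebundle => service_restart("${jetty_service_name}");
+rudder_system_restart_apache::
+"restart_jetty_password" usebundle => service_reload("${apache_service}");
+rudder_system_restart_relayd::
+"restart_jetty_password" usebundle => service_reload("${relayd_service}");
+pass3::
+"restart_jetty_password" usebundle => enable_reporting;
+
+# Reporting
+"report_error" usebundle => rudder_common_report("${technique_name}", "result_error", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"),
+ifvarclass => "result_error";
+"report_repaired" usebundle => rudder_common_report("${technique_name}", "result_error", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"),
+ifvarclass => "result_repaired";
+"report_na" usebundle => rudder_common_report("${technique_name}", "result_na", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"),
+ifvarclass => "result_na";
+}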
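Review bot: The reload guards on lines 269 and 271 are `rudder_system_restart_apache::` and `rudder_system_restart_relayd::`, but the namespace-scoped classes this commit defines are `system_restart_apache` (networks_check line 113, password_check_dav line 196) and `system_restart_relayd` (relayd configuration line 397); unless the longer names are defined outside this commit, the Apache and relayd reloads never fire and a changed allowed-networks ACL or relayd config is not applied to the running service. Lines 270 and 272 also expand `${apache_service}` and `${relayd_service}`, which this bundle does not define (it defines `apache_service_name` and `relayd_service_name` on lines 228-229), so even a matching class would reload an unexpanded name. Line 280 reports `result_repaired` with the `result_error` status string, and `${report_string}` on lines 278-283 is not set in this bundle (only `component_name` is); nothing on this page calls `reload_rudder_services`, so it probably also needs to be invoked from `rudder_system_apache_configuration` after the component bundles. Corrected reload promises below.
```cfengine3
methods:
# … unchanged: disable_reporting and reporting context …
rudder_system_restart_jetty::
"restart_jetty_password" usebundle => service_restart("${jetty_service_name}");
system_restart_apache::
"restart_jetty_password" usebundle => service_reload("${apache_service_name}");
system_restart_relayd::
"restart_jetty_password" usebundle => service_reload("${relayd_service_name}");
# … unchanged: enable_reporting and reporting (fix line 280 to pass "result_repaired") …
```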
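--- a/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf
+++ b/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf
@@ -0,0 +1,9 @@
+bundle agent rudder_system_disclaimer {
+vars:
+"disclaim" slist => { "@{p.managed_files}" };
+
+files:
+"${disclaim}"
+edit_line => insert_rudder_disclaimer,
+comment => "Insert a disclaimer into Rudder";
+}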
@@ -0,0 +1,52 @@ | ||
<TECHNIQUE name="Relay server"> | ||
<DESCRIPTION>Configure the relay components</DESCRIPTION> | ||
<SYSTEM>true</SYSTEM> | ||
|
||
<FILES> | ||
<FILE name="common/reload_rudder_services.cf"> | ||
<INCLUDED>true</INCLUDED> | ||
</FILE> | ||
<FILE name="common/rudder_system_disclaimer.cf"> | ||
<INCLUDED>true</INCLUDED> | ||
</FILE> | ||
<FILE name="apache/main.cf"> | ||
<INCLUDED>true</INCLUDED> | ||
</FILE> | ||
<FILE name="apache/rudder_system_apache_networks_check.cf"> | ||
<INCLUDED>true</INCLUDED> | ||
</FILE> | ||
<FILE name="apache/rudder_system_apache_password_check_dav.cf"> | ||
<INCLUDED>true</INCLUDED> | ||
</FILE> | ||
<FILE name="relayd/relayd.cf"> | ||
<INCLUDED>true</INCLUDED> | ||
</FILE> | ||
<FILE name="relayd/relayd.conf.tpl"> | ||
<OUTPATH>systemRelay/1.0/relayd/relayd.conf.tpl</OUTPATH> | ||
<INCLUDED>false</INCLUDED> | ||
</FILE> | ||
</FILES> | ||
|
||
<BUNDLES> | ||
<NAME>rudder_system_apache_configuration</NAME> | ||
</BUNDLES> | ||
|
||
<SYSTEMVARS> | ||
<NAME>RUDDER_SERVER_ROLES</NAME> | ||
</SYSTEMVARS> | ||
|
||
<SECTIONS> | ||
<SECTION name="Apache service started" component="true"/> | ||
<SECTION name="Apache service enabled" component="true"/> | ||
<SECTION name="Apache allowed networks permissions" component="true"/> | ||
<SECTION name="Apache allowed networks configuration" component="true"/> | ||
<SECTION name="Apache allowed remote run permissions" component="true"/> | ||
<SECTION name="Apache allowed remote run configuration" component="true"/> | ||
<SECTION name="Apache webdav password" component="true"/> | ||
<SECTION name="Apache webdav permissions" component="true"/> | ||
<SECTION name="Relayd configuration permissions" component="true"/> | ||
<SECTION name="Relayd configuration" component="true"/> | ||
<SECTION name="Relayd service started" component="true"/> | ||
<SECTION name="Relayd service enabled" component="true"/> | ||
</SECTIONS> | ||
</TECHNIQUE> |
@@ -0,0 +1,25 @@ | ||
bundle agent rudder_system_relayd_configuration { | ||
vars: | ||
"config_dir" string => "${g.rudder_base}/etc/relayd"; | ||
"config_file" string => "${config_dir}/main.conf2"; | ||
"relayd_service" string => "rudder-relayd"; | ||
|
||
"config_class_prefix" string => canonify("file_from_template_${config_file}"); | ||
|
||
methods: | ||
"any" usebundle => _method_reporting_context("Relayd configuration permissions", "None"); | ||
"any" usebundle => permissions_recursive("${config_dir}", "640", "root", "rudder"); | ||
|
||
"any" usebundle => _method_reporting_context("Relayd configuration", "None"); | ||
"any" usebundle => file_from_template_mustache("${this.promise_dirname}/relayd.conf.tpl", "${config_file}"); | ||
|
||
"any" usebundle => _method_reporting_context("Relayd service started", "None"); | ||
"any" usebundle => service_started("${relayd_service}"); | ||
|
||
"any" usebundle => _method_reporting_context("Relayd service enabled", "None"); | ||
"any" usebundle => service_enabled("${relayd_service}"); | ||
|
||
# Restart relayd at the end of the technique if needed | ||
"system_restart_relayd" expression => "${config_class_prefix}_repaired", | ||
scope => "namespace"; | ||
} |
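Review bot: The `system_restart_relayd` class promise on lines 397-398 sits under `methods:` (line 379) with no `classes:` header before it; `expression =>` is a classes-type constraint, so as written the bundle should fail to parse, and the fix is to insert `classes:` before the comment on line 396 (the sibling bundles in this commit, e.g. networks_check line 102, keep this in a separate `classes:` section). `"config_file"` on line 372 points at `${config_dir}/main.conf2`, which looks like a leftover test name; confirm it is the path relayd actually reads, otherwise the template on line 385 is rendered to a file nothing consumes while relayd keeps its previous configuration. Because the rendered file carries the database and WebDAV credentials from the template, the `640 root:rudder` mode on line 381 is the right level of restriction for the file, but `permissions_recursive` applies it to `${config_dir}` itself too, and a directory without the execute bit cannot be traversed by members of the `rudder` group; worth confirming relayd (if it runs as that group) can still open the file, or documenting the expectation in a comment on line 381.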
@@ -0,0 +1,79 @@ | ||
# Format is TOML 0.5 (https://github.com/toml-lang/toml/blob/v0.5.0/README.md) | ||
|
||
[general] | ||
|
||
nodes_list_file = "{{{vars.g.rudder_var}}}/lib/relay/nodeslist.json" | ||
nodes_certs_file = "{{{vars.g.rudder_var}}}/lib/ssl/allnodescerts.pem" | ||
node_id = "{{{vars.g.uuid}}}" | ||
listen = "127.0.0.1:3030" | ||
|
||
# Use the number of CPUs | ||
#core_threads = "4" | ||
blocking_threads = 100 | ||
|
||
[processing.inventory] | ||
directory = "{{{vars.g.rudder_var}}}/inventories" | ||
{{#classes.root_server}} | ||
output = "disabled" | ||
{{/classes.root_server}} | ||
{{^classes.root_server}} | ||
output = "upstream" | ||
{{/classes.root_server}} | ||
|
||
[processing.inventory.catchup] | ||
frequency = 10 | ||
limit = 50 | ||
|
||
[processing.inventory.cleanup] | ||
frequency = "10min" | ||
retention = "1day" | ||
|
||
[processing.reporting] | ||
directory = "{{{vars.g.rudder_var}}}/reports" | ||
{{#classes.root_server}} | ||
output = "database" | ||
{{/classes.root_server}} | ||
{{^classes.root_server}} | ||
output = "upstream" | ||
{{/classes.root_server}} | ||
skip_event_types = [] | ||
|
||
[processing.reporting.catchup] | ||
frequency = 10 | ||
limit = 0 | ||
|
||
[processing.reporting.cleanup] | ||
frequency = "10min" | ||
retention = "1day" | ||
|
||
[output.database] | ||
{{#classes.root_server}} | ||
url = "postgres://{{{vars.rudder_postgresql.db_user}}}@{{{vars.rudder_postgresql.host}}}/{{{vars.rudder_postgresql.db_name}}}" | ||
password = "{{{vars.rudder_postgresql.db_pass}}}" | ||
{{/classes.root_server}} | ||
{{^classes.root_server}} | ||
url = "postgres://user@host/rudder" | ||
password = "password" | ||
{{/classes.root_server}} | ||
max_pool_size = 10 | ||
|
||
[output.upstream] | ||
url = "https://{{{vars.server_info.policy_server}}}" | ||
user = "{{{vars.g.davuser}}}" | ||
password = "{{{vars.g.davpw}}}" | ||
{{#classes.rudder_verify_certs}} | ||
verify_certificates = true | ||
{{/classes.rudder_verify_certs}} | ||
{{^classes.rudder_verify_certs}} | ||
verify_certificates = false | ||
{{/classes.rudder_verify_certs}} | ||
|
||
[remote_run] | ||
command = "{{{vars.g.rudder_base}}}/bin/rudder" | ||
use_sudo = true | ||
|
||
[shared_files] | ||
path = "{{{vars.g.rudder_var}}}/shared-files/" | ||
|
||
[shared_folder] | ||
path = "{{{vars.g.shared_files}}}/" |
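Review bot: Lines 469-470 render `url = "postgres://user@host/rudder"` and `password = "password"` into the config of every relay that is not a root server, even though reporting output is `upstream` there (line 448) and the database section should be inert; a literal credential-shaped value in a deployed file trips secret scanners and misleads operators reading the file. Either mark them clearly, e.g. `# Placeholder: the database output is not used on non-root relays`, or, if relayd tolerates it, leave the `[output.database]` values out on non-root relays. The rendered file also contains `{{{vars.g.davpw}}}` (line 478) and `{{{vars.rudder_postgresql.db_pass}}}` (line 466), so file permissions are the only thing protecting those secrets; that dependency belongs in the template header, e.g. `# Rendered file contains credentials: permissions are enforced by rudder_system_relayd_configuration`. `verify_certificates = false` on line 483 is selected whenever the `rudder_verify_certs` class is absent, which is the expected Rudder behaviour but worth a one-line comment so a reviewer does not read it as a hard-coded default.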