From 4a38e5585877944dde203131ae157446e697b330 Mon Sep 17 00:00:00 2001 From: Felix Dallidet Date: Wed, 17 Mar 2021 15:55:59 +0100 Subject: [PATCH] Fixes #19037: Refactor the system techniques by component --- .../system/rudderRelay/1.0/apache/main.cf | 30 +++++++ .../rudder_system_apache_networks_check.cf | 57 +++++++++++++ ...rudder_system_apache_password_check_dav.cf | 60 ++++++++++++++ .../1.0/common/reload_rudder_services.cf | 53 +++++++++++++ .../1.0/common/rudder_system_disclaimer.cf | 9 +++ .../system/rudderRelay/1.0/metadata.xml | 52 ++++++++++++ .../system/rudderRelay/1.0/relayd/relayd.cf | 25 ++++++ .../rudderRelay/1.0/relayd/relayd.conf.tpl | 79 +++++++++++++++++++ 8 files changed, 365 insertions(+) create mode 100644 techniques/system/rudderRelay/1.0/apache/main.cf create mode 100644 techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf create mode 100644 techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf create mode 100644 techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf create mode 100644 techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf create mode 100644 techniques/system/rudderRelay/1.0/metadata.xml create mode 100644 techniques/system/rudderRelay/1.0/relayd/relayd.cf create mode 100644 techniques/system/rudderRelay/1.0/relayd/relayd.conf.tpl diff --git a/techniques/system/rudderRelay/1.0/apache/main.cf b/techniques/system/rudderRelay/1.0/apache/main.cf new file mode 100644 index 000000000..f0f9a62b6 --- /dev/null +++ b/techniques/system/rudderRelay/1.0/apache/main.cf 
@@ -0,0 +1,30 @@
+bundle agent rudder_system_apache_configuration {
+ vars:
+ "apache_service" string => "apache2";
+ redhat::
+ "apache_service" string => "httpd";
+
+ classes:
+ "pass3" expression => "pass2";
+ "pass2" expression => "pass1";
+ "pass1" expression => "any";
+ methods:
+ pass3::
+ "any" usebundle => enable_reporting;
+ # Force allowed networks
+ "any" usebundle => _method_reporting_context("Apache allowed networks", "None");
+ "any" usebundle => rudder_system_apache_networks_check;
+
+ # Force webdav user/password
+ "any" usebundle => rudder_system_apache_password_check_dav;
+
+ # Check that apache is running and enabled
+ "any" usebundle => _method_reporting_context("Apache service started", "None");
+ "any" usebundle => service_started("${apache_service}");
+
+ "any" usebundle => _method_reporting_context("Apache service enabled", "None");
+ "any" usebundle => service_enabled("${apache_service}");
+
+ # Configure relayd
+ "any" usebundle => rudder_system_relayd_configuration;
+}
diff --git a/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf
new file mode 100644
index 000000000..0b44777f2
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf
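Review bot: Nothing in this bundle calls `reload_rudder_services`, while the ACL and htpasswd bundles it invokes only raise the namespace class `system_restart_apache`; unless another technique performs the reload, a rewritten `rudder-networks-24.conf` is not picked up by Apache and a network removed from the allowed list keeps access until some unrelated reload happens. Add `"any" usebundle => reload_rudder_services;` as the last `pass3::` method, after `rudder_system_relayd_configuration`, so the restart classes set earlier in the same pass are consumed here. The `# Configure relayd` step sits in an Apache-named bundle; if it is placed here so its restart class is set before the shared reload, a comment saying so (e.g. `# relayd is configured from here so its restart class is raised before the common reload`) would save the next reader a search.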
@@ -0,0 +1,57 @@ +bundle agent rudder_system_apache_networks_check { + vars: + "policy_server_ip" string => host2ip("${server_info.policy_server}"); + server_ip_found:: + "policy_server_acl" slist => { "127.0.0.0/8", "::1", "${policy_server_ip}" }; + !server_ip_found:: + "policy_server_acl" slist => { "127.0.0.0/8", "::1" }; + + any:: + "defacl" slist => filter("0.0.0.0/0", "def.acl", "false", "true", "99999"); + "nodes_acl_24" slist => maplist("Require ip ${this}", "defacl"); + "nodes_generate_24" string => join("${const.n}","nodes_acl_24"); + + "allowed_network_file" string => "${g.rudder_base}/etc/rudder-networks-24.conf"; + "remote_run_file" string => "${g.rudder_base}/etc/rudder-networks-policy-server-24.conf"; + + "allowed_network_prefix" string => canonify("file_content_${allowed_network_file}"); + "remote_run_prefix" string => canonify("file_content_${remote_run_file}"); + + + server_ip_found:: + "remote_run_acl" string => "Require local${const.n}Require ip ${policy_server_ip}"; + !server_ip_found:: + "remote_run_acl" string => "Require local"; + + + has_all_granted:: + "allowed_network_acl" string => "Require all granted"; + !has_all_granted:: + "allowed_network_acl" string => "${nodes_generate_24}"; + + classes: + "pass3" expression => "pass2"; + "pass2" expression => "pass1"; + "pass1" expression => "any"; + + "has_all_granted" expression => some("0.0.0.0/0", "def.acl"); + "server_ip_found" expression => regcmp("^[0-9.]+$|^[0-9a-fA-F:]+:[0-9a-fA-F:]+$", "${policy_server_ip}"); + + # Restart apache at the end of the technique if needed + "system_restart_apache" expression => "${allowed_network_prefix}_repaired|${remote_run_prefix}_repaired", + scope => "namespace"; + + methods: + pass3:: + # Allowed networks + "any" usebundle => _method_reporting_context("Apache allowed networks permissions", "None"); + "any" usebundle => permissions("${allowed_network_file}", "600", "root", "0"); + "any" usebundle => _method_reporting_context("Apache allowed networks 
configuration", "None"); + "any" usebundle => file_content("${allowed_network_file}", "${allowed_network_acl}", "true"); + + # Remote run + "any" usebundle => _method_reporting_context("Apache allowed remote run permissions", "None"); + "any" usebundle => permissions("${remote_run_file}", "600", "root", "0"); + "any" usebundle => _method_reporting_context("Apache allowed remote run configuration", "None"); + "any" usebundle => file_content("${remote_run_file}", "${remote_run_acl}", "true"); +} diff --git a/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf new file mode 100644 index 000000000..e996e8271 --- /dev/null +++ b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf 
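Review bot: When `def.acl` contains no `0.0.0.0/0`, `allowed_network_acl` is exactly `nodes_generate_24`, so an empty `def.acl` writes an empty `rudder-networks-24.conf`; if Apache includes that file inside a `<RequireAny>` block (not visible here), the empty block is rejected at config check, the reload fails and the previous ACL stays in force. Make the empty-list case explicit: add `"nodes_acl_present" expression => isgreaterthan(length("defacl"), "0");` to `classes:`, narrow the existing context to `!has_all_granted.nodes_acl_present::`, and add a `!has_all_granted.!nodes_acl_present::` context defining `"allowed_network_acl" string => "Require local";`. The `has_all_granted` branch writes `Require all granted`, which opens the relay's inventory and report endpoints to any source; a comment noting that this is the deliberate meaning of `0.0.0.0/0` in the allowed networks belongs next to it. `policy_server_acl` is defined in both class branches but never referenced (`remote_run_acl` carries the same content), so it can be dropped.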
@@ -0,0 +1,60 @@
+# This file contains bundles to manage password between all components of a
+# Rudder server (OpenLDAP, PostgreSQL, Apache WebDAV and web interface)
+
+# It is currently only used on root servers where all components are installed
+# on one host. It may be extended in the future to support changing passwords
+# across multiple hosts.
+
+bundle agent rudder_system_apache_password_check_dav {
+
+ vars:
+ debian::
+ "webdav_check_wwwgroup" string => "www-data";
+
+ redhat::
+ "webdav_check_wwwgroup" string => "apache";
+
+ !debian.!redhat::
+ "webdav_check_wwwgroup" string => "www";
+
+ SuSE::
+ "htpasswd_bin" string => "/usr/bin/htpasswd2";
+
+ !SuSE::
+ "htpasswd_bin" string => "/usr/bin/htpasswd";
+
+ any::
+ "no" int => getfields("RUDDER_WEBDAV_PASSWORD:.*","${g.rudder_base}/etc/rudder-passwords.conf",":","dav_password");
+ "technique_name" string => "server-roles";
+ "report_string" string => "Apache WebDAV user and password";
+
+ "webdav_pwd_cmd" string => "${htpasswd_bin} -b ${g.rudder_base}/etc/htpasswd-webdav ${g.davuser} ${g.davpw}";
+ "args" slist => { "${webdav_pwd_cmd}" };
+ "pwd_class_prefix" string => canonify("command_execution_${webdav_pwd_cmd}");
+
+ classes:
+
+ "dav_cant_connect" not => returnszero("${g.rudder_curl} --tlsv1.2 --proxy '' ${g.rudder_verify_certs_option} --silent --fail --output /dev/null --user ${g.davuser}:${g.davpw} --upload-file ${g.rudder_base}/etc/uuid.hive https://localhost/inventory-updates/uuid.hive","noshell");
+
+ any::
+ "pass3" expression => "pass2";
+ "pass2" expression => "pass1";
+ "pass1" expression => "any";
+
+ "system_restart_apache" expression => "${pwd_class_prefix}_repaired",
+ scope => "namespace";
+
+ methods:
+ "any" usebundle => _method_reporting_context("Apache webdav permissions", "None");
+ "any" usebundle => permissions("${g.rudder_base}/etc/htpasswd-webdav", "640", "root", "${webdav_check_wwwgroup}");
+
+ "any" usebundle => _method_reporting_context("Apache webdav password", "None");
+
+ dav_cant_connect::
+ "any" usebundle => command_execution("${webdav_pwd_cmd}");
+ !dav_cant_connect::
+ "any" usebundle => _classes_success("${pwd_class_prefix}");
+ any::
+ "any" usebundle => _log_v3("Setting Apache webdav password", "${webdav_pwd_cmd}", "${pwd_class_prefix}", "${pwd_class_prefix}", @{args});
+
+}
diff --git a/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf b/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf
new file mode 100644
index 000000000..82b93e32c
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf
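Review bot: `webdav_pwd_cmd` embeds `${g.davpw}` and is then passed as the second argument of `_log_v3` (the value that, in other techniques, ends up as the reported component key), as the only element of `@{args}`, and through `canonify()` into `pwd_class_prefix`, so the WebDAV password is written into agent reports sent to the server and into a CFEngine class name that appears in verbose output. Keep the real command for `command_execution` and the outcome classes, but log and report a redacted copy, copying the outcome classes onto the redacted prefix (ncf's `_classes_copy`, or the equivalent helper available in the ncf version in use); the `-b` form also leaves the password in the process list for the duration of the run, which is pre-existing and not fixable without a stdin-based `htpasswd -i`. The header comment still says this file "is currently only used on root servers", which is no longer true now that it ships in the relay technique and should be updated.

```cfengine
    "webdav_pwd_cmd"      string => "${htpasswd_bin} -b ${g.rudder_base}/etc/htpasswd-webdav ${g.davuser} ${g.davpw}";
    # Redacted copy used for everything that is reported or turned into a class name
    "webdav_pwd_cmd_log"  string => "${htpasswd_bin} -b ${g.rudder_base}/etc/htpasswd-webdav ${g.davuser} ***";
    "args"                slist  => { "${webdav_pwd_cmd_log}" };
    "pwd_real_prefix"     string => canonify("command_execution_${webdav_pwd_cmd}");
    "pwd_class_prefix"    string => canonify("command_execution_${webdav_pwd_cmd_log}");

# … unchanged: classes, permissions and reporting context …

    dav_cant_connect::
      "any" usebundle => command_execution("${webdav_pwd_cmd}");
      "any" usebundle => _classes_copy("${pwd_real_prefix}", "${pwd_class_prefix}");
```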
@@ -0,0 +1,53 @@ +bundle agent reload_rudder_services { + vars: + "jetty_service_name" string => "rudder-jetty"; + "apache_service_name" string => "apache2"; + "relayd_service_name" string => "rudder-relayd"; + redhat:: + "apache_service_name" string => "httpd"; + + any:: + "jetty_prefix" string => canonify("service_restart_${jetty_service_name}"); + "apache_prefix" string => canonify("service_restart_${apache_service_name}"); + "relayd_prefix" string => canonify("service_restart_${relayd_service_name}"); + + "prefixes" slist => { "${jetty_prefix}", + "${apache_prefix}", + "${relayd_prefix}" + }; + + "technique_name" string => "server_roles"; + "component_name" string => "reload rudder services"; + + classes: + "pass3" expression => "pass2"; + "pass2" expression => "pass1"; + "pass1" expression => "any"; + + pass3:: + "result_error" expression => "${prefixes}_error"; + pass3.!result_error:: + "result_repaired" expression => "${prefixes}_repaired"; + pass3.!result_error.!result_repaired:: + "result_na" expression => "any"; + + methods: + "restart_jetty_password" usebundle => disable_reporting; + "restart_jetty_password" usebundle => _method_reporting_context("Reload rudder services", "None"); + rudder_system_restart_jetty:: + "restart_jetty_password" usebundle => service_restart("${jetty_service_name}"); + rudder_system_restart_apache:: + "restart_jetty_password" usebundle => service_reload("${apache_service}"); + rudder_system_restart_relayd:: + "restart_jetty_password" usebundle => service_reload("${relayd_service}"); + pass3:: + "restart_jetty_password" usebundle => enable_reporting; + + # Reporting + "report_error" usebundle => rudder_common_report("${technique_name}", "result_error", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"), + ifvarclass => "result_error"; + "report_repaired" usebundle => rudder_common_report("${technique_name}", "result_error", "${server_roles_common.directiveId}", "${component_name}", "None", 
"${report_string}"), + ifvarclass => "result_repaired"; + "report_na" usebundle => rudder_common_report("${technique_name}", "result_na", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"), + ifvarclass => "result_na"; +} diff --git a/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf b/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf new file mode 100644 index 000000000..22d49794b --- /dev/null +++ b/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf @@ -0,0 +1,9 @@ +bundle agent rudder_system_disclaimer { + vars: + "disclaim" slist => { "@{p.managed_files}" }; + + files: + "${disclaim}" + edit_line => insert_rudder_disclaimer, + comment => "Insert a disclaimer into Rudder"; +} diff --git a/techniques/system/rudderRelay/1.0/metadata.xml b/techniques/system/rudderRelay/1.0/metadata.xml new file mode 100644 index 000000000..d23c1a04b --- /dev/null +++ b/techniques/system/rudderRelay/1.0/metadata.xml @@ -0,0 +1,52 @@ + + Configure the relay components + true + + + + true + + + true + + + true + + + true + + + true + + + true + + + systemRelay/1.0/relayd/relayd.conf.tpl + false + + + + + rudder_system_apache_configuration + + + + RUDDER_SERVER_ROLES + + + +
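Review bot: The Apache and relayd reloads in this bundle can never fire: `service_reload("${apache_service}")` and `service_reload("${relayd_service}")` reference variables that are not defined here (the bundle defines `apache_service_name` and `relayd_service_name`), and they are guarded by `rudder_system_restart_apache` / `rudder_system_restart_relayd` while the other files in this patch raise `system_restart_apache` and `system_restart_relayd`, so ACL, htpasswd and relayd config changes are never applied to the running daemons. `report_repaired` also passes `"result_error"` as the result class, so a successful reload is reported as an error, and `${report_string}` is not defined in this bundle. The rewritten method section below fixes the class names, the variable names and the repaired report.

```cfengine
  methods:
    "restart_jetty_password" usebundle => disable_reporting;
    "restart_jetty_password" usebundle => _method_reporting_context("Reload rudder services", "None");
    rudder_system_restart_jetty::
      "restart_jetty_password" usebundle => service_restart("${jetty_service_name}");
    system_restart_apache::
      "restart_jetty_password" usebundle => service_reload("${apache_service_name}");
    system_restart_relayd::
      "restart_jetty_password" usebundle => service_reload("${relayd_service_name}");
    pass3::
      "restart_jetty_password" usebundle => enable_reporting;

    # … unchanged: report_error …
    "report_repaired" usebundle => rudder_common_report("${technique_name}", "result_repaired", "${server_roles_common.directiveId}", "${component_name}", "None", "${component_name}"),
                      ifvarclass => "result_repaired";
    # … unchanged: report_na …
```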
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/techniques/system/rudderRelay/1.0/relayd/relayd.cf b/techniques/system/rudderRelay/1.0/relayd/relayd.cf
new file mode 100644
index 000000000..4a5561df0
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/relayd/relayd.cf
@@ -0,0 +1,25 @@
+bundle agent rudder_system_relayd_configuration {
+ vars:
+ "config_dir" string => "${g.rudder_base}/etc/relayd";
+ "config_file" string => "${config_dir}/main.conf2";
+ "relayd_service" string => "rudder-relayd";
+
+ "config_class_prefix" string => canonify("file_from_template_${config_file}");
+
+ methods:
+ "any" usebundle => _method_reporting_context("Relayd configuration permissions", "None");
+ "any" usebundle => permissions_recursive("${config_dir}", "640", "root", "rudder");
+
+ "any" usebundle => _method_reporting_context("Relayd configuration", "None");
+ "any" usebundle => file_from_template_mustache("${this.promise_dirname}/relayd.conf.tpl", "${config_file}");
+
+ "any" usebundle => _method_reporting_context("Relayd service started", "None");
+ "any" usebundle => service_started("${relayd_service}");
+
+ "any" usebundle => _method_reporting_context("Relayd service enabled", "None");
+ "any" usebundle => service_enabled("${relayd_service}");
+
+ # Restart relayd at the end of the technique if needed
+ "system_restart_relayd" expression => "${config_class_prefix}_repaired",
+ scope => "namespace";
+}
diff --git a/techniques/system/rudderRelay/1.0/relayd/relayd.conf.tpl b/techniques/system/rudderRelay/1.0/relayd/relayd.conf.tpl
new file mode 100644
index 000000000..153390f21
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/relayd/relayd.conf.tpl
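Review bot: The template entry reads `systemRelay/1.0/relayd/relayd.conf.tpl` while every file in this patch lives under `techniques/system/rudderRelay/1.0/`; if this list is what Rudder uses to ship the technique's files to nodes, the relayd template will not be distributed and `rudder_system_relayd_configuration` will fail to find `${this.promise_dirname}/relayd.conf.tpl`. It should read `rudderRelay/1.0/relayd/relayd.conf.tpl`, or whatever the resolved technique path is. Most of this hunk's markup was stripped in this rendering, so the surrounding elements cannot be checked here.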
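Review bot: `"system_restart_relayd" expression => …` is a classes promise but appears under `methods:` with no `classes:` promise-type line before it, so this bundle does not parse and the relayd restart class is never raised. `permissions_recursive("${config_dir}", "640", …)` also applies mode 640 to the directory itself, which removes the execute bit group `rudder` needs to traverse it, and the permissions step runs before `file_from_template_mustache` creates `main.conf2`, so on first run the file holding the database and upstream passwords is created with whatever the umask gives until the next agent run. Render the template first, then set 750 on directories and 640 on the file, and move the restart class under its own `classes:` section.

```cfengine
  methods:
    "any" usebundle => _method_reporting_context("Relayd configuration", "None");
    "any" usebundle => file_from_template_mustache("${this.promise_dirname}/relayd.conf.tpl", "${config_file}");

    # Tighten modes after the file exists; directories keep the execute bit so they stay traversable
    "any" usebundle => _method_reporting_context("Relayd configuration permissions", "None");
    "any" usebundle => permissions_dirs("${config_dir}", "750", "root", "rudder");
    "any" usebundle => permissions("${config_file}", "640", "root", "rudder");

    # … unchanged: service_started / service_enabled …

  classes:
    # Restart relayd at the end of the technique if the rendered config changed
    "system_restart_relayd" expression => "${config_class_prefix}_repaired",
                            scope      => "namespace";
```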
@@ -0,0 +1,79 @@
+# Format is TOML 0.5 (https://github.com/toml-lang/toml/blob/v0.5.0/README.md)
+
+[general]
+
+nodes_list_file = "{{{vars.g.rudder_var}}}/lib/relay/nodeslist.json"
+nodes_certs_file = "{{{vars.g.rudder_var}}}/lib/ssl/allnodescerts.pem"
+node_id = "{{{vars.g.uuid}}}"
+listen = "127.0.0.1:3030"
+
+# Use the number of CPUs
+#core_threads = "4"
+blocking_threads = 100
+
+[processing.inventory]
+directory = "{{{vars.g.rudder_var}}}/inventories"
+{{#classes.root_server}}
+output = "disabled"
+{{/classes.root_server}}
+{{^classes.root_server}}
+output = "upstream"
+{{/classes.root_server}}
+
+[processing.inventory.catchup]
+frequency = 10
+limit = 50
+
+[processing.inventory.cleanup]
+frequency = "10min"
+retention = "1day"
+
+[processing.reporting]
+directory = "{{{vars.g.rudder_var}}}/reports"
+{{#classes.root_server}}
+output = "database"
+{{/classes.root_server}}
+{{^classes.root_server}}
+output = "upstream"
+{{/classes.root_server}}
+skip_event_types = []
+
+[processing.reporting.catchup]
+frequency = 10
+limit = 0
+
+[processing.reporting.cleanup]
+frequency = "10min"
+retention = "1day"
+
+[output.database]
+{{#classes.root_server}}
+url = "postgres://{{{vars.rudder_postgresql.db_user}}}@{{{vars.rudder_postgresql.host}}}/{{{vars.rudder_postgresql.db_name}}}"
+password = "{{{vars.rudder_postgresql.db_pass}}}"
+{{/classes.root_server}}
+{{^classes.root_server}}
+url = "postgres://user@host/rudder"
+password = "password"
+{{/classes.root_server}}
+max_pool_size = 10
+
+[output.upstream]
+url = "https://{{{vars.server_info.policy_server}}}"
+user = "{{{vars.g.davuser}}}"
+password = "{{{vars.g.davpw}}}"
+{{#classes.rudder_verify_certs}}
+verify_certificates = true
+{{/classes.rudder_verify_certs}}
+{{^classes.rudder_verify_certs}}
+verify_certificates = false
+{{/classes.rudder_verify_certs}}
+
+[remote_run]
+command = "{{{vars.g.rudder_base}}}/bin/rudder"
+use_sudo = true
+
+[shared_files]
+path = "{{{vars.g.rudder_var}}}/shared-files/"
+
+[shared_folder]
+path = "{{{vars.g.shared_files}}}/"
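Review bot: `password = "{{{vars.rudder_postgresql.db_pass}}}"` and `password = "{{{vars.g.davpw}}}"` are interpolated raw into TOML basic strings; the triple braces correctly disable HTML escaping, but nothing escapes `"` or `\`, so a generated password containing either produces an unparseable file or a silently truncated secret and relayd fails to start or to authenticate upstream. Either escape those characters before they reach the template or document the constraint on the generator, e.g. above `[output.database]`: `# passwords are inserted verbatim into TOML basic strings: they must not contain " or \`. The `verify_certificates = false` fallback when `rudder_verify_certs` is unset means upstream TLS is accepted without peer verification; since this file is what an operator will read when debugging, a comment on that branch naming the class that enables verification would make the trade-off visible.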