From 4a38e5585877944dde203131ae157446e697b330 Mon Sep 17 00:00:00 2001 From: Felix Dallidet Date: Wed, 17 Mar 2021 15:55:59 +0100 Subject: [PATCH 1/4] Fixes #19037: Refactor the system techniques by component --- .../system/rudderRelay/1.0/apache/main.cf | 30 +++++++ .../rudder_system_apache_networks_check.cf | 57 +++++++++++++ ...rudder_system_apache_password_check_dav.cf | 60 ++++++++++++++ .../1.0/common/reload_rudder_services.cf | 53 +++++++++++++ .../1.0/common/rudder_system_disclaimer.cf | 9 +++ .../system/rudderRelay/1.0/metadata.xml | 52 ++++++++++++ .../system/rudderRelay/1.0/relayd/relayd.cf | 25 ++++++ .../rudderRelay/1.0/relayd/relayd.conf.tpl | 79 +++++++++++++++++++ 8 files changed, 365 insertions(+) create mode 100644 techniques/system/rudderRelay/1.0/apache/main.cf create mode 100644 techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf create mode 100644 techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf create mode 100644 techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf create mode 100644 techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf create mode 100644 techniques/system/rudderRelay/1.0/metadata.xml create mode 100644 techniques/system/rudderRelay/1.0/relayd/relayd.cf create mode 100644 techniques/system/rudderRelay/1.0/relayd/relayd.conf.tpl diff --git a/techniques/system/rudderRelay/1.0/apache/main.cf b/techniques/system/rudderRelay/1.0/apache/main.cf new file mode 100644 index 000000000..f0f9a62b6 --- /dev/null +++ b/techniques/system/rudderRelay/1.0/apache/main.cf 
@@ -0,0 +1,30 @@
+bundle agent rudder_system_apache_configuration {
+ vars:
+ "apache_service" string => "apache2";
+ redhat::
+ "apache_service" string => "httpd";
+
+ classes:
+ "pass3" expression => "pass2";
+ "pass2" expression => "pass1";
+ "pass1" expression => "any";
+ methods:
+ pass3::
+ "any" usebundle => enable_reporting;
+ # Force allowed networks
+ "any" usebundle => _method_reporting_context("Apache allowed networks", "None");
+ "any" usebundle => rudder_system_apache_networks_check;
+
+ # Force webdav user/password
+ "any" usebundle => rudder_system_apache_password_check_dav;
+
+ # Check that apache is running and enabled
+ "any" usebundle => _method_reporting_context("Apache service started", "None");
+ "any" usebundle => service_started("${apache_service}");
+
+ "any" usebundle => _method_reporting_context("Apache service enabled", "None");
+ "any" usebundle => service_enabled("${apache_service}");
+
+ # Configure relayd
+ "any" usebundle => rudder_system_relayd_configuration;
+}
diff --git a/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf
new file mode 100644
index 000000000..0b44777f2
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf
@@ -0,0 +1,57 @@
+bundle agent rudder_system_apache_networks_check {
+ vars:
+ "policy_server_ip" string => host2ip("${server_info.policy_server}");
+ server_ip_found::
+ "policy_server_acl" slist => { "127.0.0.0/8", "::1", "${policy_server_ip}" };
+ !server_ip_found::
+ "policy_server_acl" slist => { "127.0.0.0/8", "::1" };
+
+ any::
+ "defacl" slist => filter("0.0.0.0/0", "def.acl", "false", "true", "99999");
+ "nodes_acl_24" slist => maplist("Require ip ${this}", "defacl");
+ "nodes_generate_24" string => join("${const.n}","nodes_acl_24");
+
+ "allowed_network_file" string => "${g.rudder_base}/etc/rudder-networks-24.conf";
+ "remote_run_file" string => "${g.rudder_base}/etc/rudder-networks-policy-server-24.conf";
+
+ "allowed_network_prefix" string => canonify("file_content_${allowed_network_file}");
+ "remote_run_prefix" string => canonify("file_content_${remote_run_file}");
+
+
+ server_ip_found::
+ "remote_run_acl" string => "Require local${const.n}Require ip ${policy_server_ip}";
+ !server_ip_found::
+ "remote_run_acl" string => "Require local";
+
+
+ has_all_granted::
+ "allowed_network_acl" string => "Require all granted";
+ !has_all_granted::
+ "allowed_network_acl" string => "${nodes_generate_24}";
+
+ classes:
+ "pass3" expression => "pass2";
+ "pass2" expression => "pass1";
+ "pass1" expression => "any";
+
+ "has_all_granted" expression => some("0.0.0.0/0", "def.acl");
+ "server_ip_found" expression => regcmp("^[0-9.]+$|^[0-9a-fA-F:]+:[0-9a-fA-F:]+$", "${policy_server_ip}");
+
+ # Restart apache at the end of the technique if needed
+ "system_restart_apache" expression => "${allowed_network_prefix}_repaired|${remote_run_prefix}_repaired",
+ scope => "namespace";
+
+ methods:
+ pass3::
+ # Allowed networks
+ "any" usebundle => _method_reporting_context("Apache allowed networks permissions", "None");
+ "any" usebundle => permissions("${allowed_network_file}", "600", "root", "0");
+ "any" usebundle => _method_reporting_context("Apache allowed networks configuration", "None");
+ "any" usebundle => file_content("${allowed_network_file}", "${allowed_network_acl}", "true");
+
+ # Remote run
+ "any" usebundle => _method_reporting_context("Apache allowed remote run permissions", "None");
+ "any" usebundle => permissions("${remote_run_file}", "600", "root", "0");
+ "any" usebundle => _method_reporting_context("Apache allowed remote run configuration", "None");
+ "any" usebundle => file_content("${remote_run_file}", "${remote_run_acl}", "true");
+}
diff --git a/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf
new file mode 100644
index 000000000..e996e8271
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf
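Review bot: `has_all_granted` is computed with `some("0.0.0.0/0", "def.acl")`, whose first argument is a regex (each `.` is a wildcard), while `defacl` filters the same value literally (`is_regex` is `"false"`), so the two tests are not the same predicate; anchor and escape it: `"has_all_granted" expression => some("^0\.0\.0\.0/0$", "def.acl");`. That entry also turns `rudder-networks-24.conf` into `Require all granted`, which drops the Apache source-IP ACL on the policy and inventory endpoints entirely, and nothing in the hunk records that this is intended; a comment above the `has_all_granted::` branch such as `# 0.0.0.0/0 in the allowed networks disables the IP ACL; only the remote-run ACL below stays restricted` would help the next reader. `policy_server_acl` is assigned under both `server_ip_found::` and `!server_ip_found::` but never referenced and can be removed.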
@@ -0,0 +1,60 @@
+# This file contains bundles to manage password between all components of a
+# Rudder server (OpenLDAP, PostgreSQL, Apache WebDAV and web interface)
+
+# It is currently only used on root servers where all components are installed
+# on one host. It may be extended in the future to support changing passwords
+# across multiple hosts.
+
+bundle agent rudder_system_apache_password_check_dav {
+
+ vars:
+ debian::
+ "webdav_check_wwwgroup" string => "www-data";
+
+ redhat::
+ "webdav_check_wwwgroup" string => "apache";
+
+ !debian.!redhat::
+ "webdav_check_wwwgroup" string => "www";
+
+ SuSE::
+ "htpasswd_bin" string => "/usr/bin/htpasswd2";
+
+ !SuSE::
+ "htpasswd_bin" string => "/usr/bin/htpasswd";
+
+ any::
+ "no" int => getfields("RUDDER_WEBDAV_PASSWORD:.*","${g.rudder_base}/etc/rudder-passwords.conf",":","dav_password");
+ "technique_name" string => "server-roles";
+ "report_string" string => "Apache WebDAV user and password";
+
+ "webdav_pwd_cmd" string => "${htpasswd_bin} -b ${g.rudder_base}/etc/htpasswd-webdav ${g.davuser} ${g.davpw}";
+ "args" slist => { "${webdav_pwd_cmd}" };
+ "pwd_class_prefix" string => canonify("command_execution_${webdav_pwd_cmd}");
+
+ classes:
+
+ "dav_cant_connect" not => returnszero("${g.rudder_curl} --tlsv1.2 --proxy '' ${g.rudder_verify_certs_option} --silent --fail --output /dev/null --user ${g.davuser}:${g.davpw} --upload-file ${g.rudder_base}/etc/uuid.hive https://localhost/inventory-updates/uuid.hive","noshell");
+
+ any::
+ "pass3" expression => "pass2";
+ "pass2" expression => "pass1";
+ "pass1" expression => "any";
+
+ "system_restart_apache" expression => "${pwd_class_prefix}_repaired",
+ scope => "namespace";
+
+ methods:
+ "any" usebundle => _method_reporting_context("Apache webdav permissions", "None");
+ "any" usebundle => permissions("${g.rudder_base}/etc/htpasswd-webdav", "640", "root", "${webdav_check_wwwgroup}");
+
+ "any" usebundle => _method_reporting_context("Apache webdav password", "None");
+
+ dav_cant_connect::
+ "any" usebundle => command_execution("${webdav_pwd_cmd}");
+ !dav_cant_connect::
+ "any" usebundle => _classes_success("${pwd_class_prefix}");
+ any::
+ "any" usebundle => _log_v3("Setting Apache webdav password", "${webdav_pwd_cmd}", "${pwd_class_prefix}", "${pwd_class_prefix}", @{args});
+
+}
diff --git a/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf b/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf
new file mode 100644
index 000000000..82b93e32c
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf
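Review bot: The WebDAV password is placed on a command line twice in this hunk, in `webdav_pwd_cmd` (`htpasswd -b … ${g.davuser} ${g.davpw}`) and in the probe (`--user ${g.davuser}:${g.davpw}`), so it is visible in the process list to any local user while those commands run; `_log_v3` is also handed `${webdav_pwd_cmd}` as its class parameter, so the full command including the password probably ends up in the report message (to be confirmed against how `_log_v3` builds its message). Prefer `htpasswd -i` (password read from stdin, when the shipped Apache supports it) or a temporary file, feed curl the credentials through `--netrc-file` or `-K`, and give the log call a redacted string such as `"${htpasswd_bin} -b ${g.rudder_base}/etc/htpasswd-webdav ${g.davuser} ****"`. The `"no" int => getfields(…, "dav_password")` promise fills an array nothing in the bundle reads (the password comes from `g.davpw`), so it can be dropped.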
@@ -0,0 +1,53 @@
+bundle agent reload_rudder_services {
+ vars:
+ "jetty_service_name" string => "rudder-jetty";
+ "apache_service_name" string => "apache2";
+ "relayd_service_name" string => "rudder-relayd";
+ redhat::
+ "apache_service_name" string => "httpd";
+
+ any::
+ "jetty_prefix" string => canonify("service_restart_${jetty_service_name}");
+ "apache_prefix" string => canonify("service_restart_${apache_service_name}");
+ "relayd_prefix" string => canonify("service_restart_${relayd_service_name}");
+
+ "prefixes" slist => { "${jetty_prefix}",
+ "${apache_prefix}",
+ "${relayd_prefix}"
+ };
+
+ "technique_name" string => "server_roles";
+ "component_name" string => "reload rudder services";
+
+ classes:
+ "pass3" expression => "pass2";
+ "pass2" expression => "pass1";
+ "pass1" expression => "any";
+
+ pass3::
+ "result_error" expression => "${prefixes}_error";
+ pass3.!result_error::
+ "result_repaired" expression => "${prefixes}_repaired";
+ pass3.!result_error.!result_repaired::
+ "result_na" expression => "any";
+
+ methods:
+ "restart_jetty_password" usebundle => disable_reporting;
+ "restart_jetty_password" usebundle => _method_reporting_context("Reload rudder services", "None");
+ rudder_system_restart_jetty::
+ "restart_jetty_password" usebundle => service_restart("${jetty_service_name}");
+ rudder_system_restart_apache::
+ "restart_jetty_password" usebundle => service_reload("${apache_service}");
+ rudder_system_restart_relayd::
+ "restart_jetty_password" usebundle => service_reload("${relayd_service}");
+ pass3::
+ "restart_jetty_password" usebundle => enable_reporting;
+
+ # Reporting
+ "report_error" usebundle => rudder_common_report("${technique_name}", "result_error", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"),
+ ifvarclass => "result_error";
+ "report_repaired" usebundle => rudder_common_report("${technique_name}", "result_error", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"),
+ ifvarclass => "result_repaired";
+ "report_na" usebundle => rudder_common_report("${technique_name}", "result_na", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"),
+ ifvarclass => "result_na";
+}
diff --git a/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf b/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf
new file mode 100644
index 000000000..22d49794b
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf
@@ -0,0 +1,9 @@
+bundle agent rudder_system_disclaimer {
+ vars:
+ "disclaim" slist => { "@{p.managed_files}" };
+
+ files:
+ "${disclaim}"
+ edit_line => insert_rudder_disclaimer,
+ comment => "Insert a disclaimer into Rudder";
+}
diff --git a/techniques/system/rudderRelay/1.0/metadata.xml b/techniques/system/rudderRelay/1.0/metadata.xml
new file mode 100644
index 000000000..d23c1a04b
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/metadata.xml
@@ -0,0 +1,52 @@
+
+ Configure the relay components
+ true
+
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ true
+
+
+ systemRelay/1.0/relayd/relayd.conf.tpl
+ false
+
+
+
+
+ rudder_system_apache_configuration
+
+
+
+ RUDDER_SERVER_ROLES
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/techniques/system/rudderRelay/1.0/relayd/relayd.cf b/techniques/system/rudderRelay/1.0/relayd/relayd.cf
new file mode 100644
index 000000000..4a5561df0
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/relayd/relayd.cf
@@ -0,0 +1,25 @@
+bundle agent rudder_system_relayd_configuration {
+ vars:
+ "config_dir" string => "${g.rudder_base}/etc/relayd";
+ "config_file" string => "${config_dir}/main.conf2";
+ "relayd_service" string => "rudder-relayd";
+
+ "config_class_prefix" string => canonify("file_from_template_${config_file}");
+
+ methods:
+ "any" usebundle => _method_reporting_context("Relayd configuration permissions", "None");
+ "any" usebundle => permissions_recursive("${config_dir}", "640", "root", "rudder");
+
+ "any" usebundle => _method_reporting_context("Relayd configuration", "None");
+ "any" usebundle => file_from_template_mustache("${this.promise_dirname}/relayd.conf.tpl", "${config_file}");
+
+ "any" usebundle => _method_reporting_context("Relayd service started", "None");
+ "any" usebundle => service_started("${relayd_service}");
+
+ "any" usebundle => _method_reporting_context("Relayd service enabled", "None");
+ "any" usebundle => service_enabled("${relayd_service}");
+
+ # Restart relayd at the end of the technique if needed
+ "system_restart_relayd" expression => "${config_class_prefix}_repaired",
+ scope => "namespace";
+}
diff --git a/techniques/system/rudderRelay/1.0/relayd/relayd.conf.tpl b/techniques/system/rudderRelay/1.0/relayd/relayd.conf.tpl
new file mode 100644
index 000000000..153390f21
--- /dev/null
+++ b/techniques/system/rudderRelay/1.0/relayd/relayd.conf.tpl
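Review bot: `permissions_recursive("${config_dir}", "640", "root", "rudder")` will apply mode 0640 to the `etc/relayd` directory itself if the generic method recurses over directories as well as files (to be confirmed in the ncf implementation), and a directory without the execute bit cannot be traversed by the `rudder` group, which would stop `rudder-relayd` from opening the very file this bundle writes. Set the directory and file modes separately, e.g. `permissions_dirs("${config_dir}", "750", "root", "rudder")` followed by `permissions_files_recursive("${config_dir}", "640", "root", "rudder")` if those methods are available. `config_file` is `${config_dir}/main.conf2`, which looks like a test artefact; unless the service unit passes that path explicitly, relayd reads `main.conf` and the rendered template is never loaded, so the name deserves either a fix or a comment explaining it.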
@@ -0,0 +1,79 @@
+# Format is TOML 0.5 (https://github.com/toml-lang/toml/blob/v0.5.0/README.md)
+
+[general]
+
+nodes_list_file = "{{{vars.g.rudder_var}}}/lib/relay/nodeslist.json"
+nodes_certs_file = "{{{vars.g.rudder_var}}}/lib/ssl/allnodescerts.pem"
+node_id = "{{{vars.g.uuid}}}"
+listen = "127.0.0.1:3030"
+
+# Use the number of CPUs
+#core_threads = "4"
+blocking_threads = 100
+
+[processing.inventory]
+directory = "{{{vars.g.rudder_var}}}/inventories"
+{{#classes.root_server}}
+output = "disabled"
+{{/classes.root_server}}
+{{^classes.root_server}}
+output = "upstream"
+{{/classes.root_server}}
+
+[processing.inventory.catchup]
+frequency = 10
+limit = 50
+
+[processing.inventory.cleanup]
+frequency = "10min"
+retention = "1day"
+
+[processing.reporting]
+directory = "{{{vars.g.rudder_var}}}/reports"
+{{#classes.root_server}}
+output = "database"
+{{/classes.root_server}}
+{{^classes.root_server}}
+output = "upstream"
+{{/classes.root_server}}
+skip_event_types = []
+
+[processing.reporting.catchup]
+frequency = 10
+limit = 0
+
+[processing.reporting.cleanup]
+frequency = "10min"
+retention = "1day"
+
+[output.database]
+{{#classes.root_server}}
+url = "postgres://{{{vars.rudder_postgresql.db_user}}}@{{{vars.rudder_postgresql.host}}}/{{{vars.rudder_postgresql.db_name}}}"
+password = "{{{vars.rudder_postgresql.db_pass}}}"
+{{/classes.root_server}}
+{{^classes.root_server}}
+url = "postgres://user@host/rudder"
+password = "password"
+{{/classes.root_server}}
+max_pool_size = 10
+
+[output.upstream]
+url = "https://{{{vars.server_info.policy_server}}}"
+user = "{{{vars.g.davuser}}}"
+password = "{{{vars.g.davpw}}}"
+{{#classes.rudder_verify_certs}}
+verify_certificates = true
+{{/classes.rudder_verify_certs}}
+{{^classes.rudder_verify_certs}}
+verify_certificates = false
+{{/classes.rudder_verify_certs}}
+
+[remote_run]
+command = "{{{vars.g.rudder_base}}}/bin/rudder"
+use_sudo = true
+
+[shared_files]
+path = "{{{vars.g.rudder_var}}}/shared-files/"
+
+[shared_folder] +path = "{{{vars.g.shared_files}}}/" From 76516e6638b85ece0ad44c044bb1dade4e8c93af Mon Sep 17 00:00:00 2001 From: Felix Dallidet Date: Tue, 30 Mar 2021 16:26:49 +0200 Subject: [PATCH 2/4] fixup! Fixes #19037: Refactor the system techniques by component Fixes #19037: Refactor the system techniques by component --- .../system/rudderRelay/1.0/apache/main.cf | 18 ++---- .../rudder_system_apache_networks_check.cf | 57 ------------------- ...em_rudder_apache_networks_configuration.cf | 55 ++++++++++++++++++ ...tem_rudder_apache_webdav_configuration.cf} | 26 ++------- .../1.0/common/reload_rudder_services.cf | 6 +- .../1.0/common/rudder_system_disclaimer.cf | 9 --- .../system/rudderRelay/1.0/metadata.xml | 50 +++++++++------- .../system/rudderRelay/1.0/relayd/relayd.cf | 24 ++++---- 8 files changed, 113 insertions(+), 132 deletions(-) delete mode 100644 techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf create mode 100644 techniques/system/rudderRelay/1.0/apache/system_rudder_apache_networks_configuration.cf rename techniques/system/rudderRelay/1.0/apache/{rudder_system_apache_password_check_dav.cf => system_rudder_apache_webdav_configuration.cf} (65%) delete mode 100644 techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf diff --git a/techniques/system/rudderRelay/1.0/apache/main.cf b/techniques/system/rudderRelay/1.0/apache/main.cf index f0f9a62b6..ba126f080 100644 --- a/techniques/system/rudderRelay/1.0/apache/main.cf +++ b/techniques/system/rudderRelay/1.0/apache/main.cf 
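Review bot: `password = "{{{vars.g.davpw}}}"` and `password = "{{{vars.rudder_postgresql.db_pass}}}"` are interpolated verbatim inside TOML basic strings, so a password containing `"` or `\` yields a file relayd cannot parse (the daemon then fails to start with its new config); Mustache cannot TOML-escape, so the generator that produces these secrets has to be restricted to a safe alphabet, or the value escaped before it lands in `g.davpw`, and that constraint should be stated in a comment next to the two `password =` lines. The non-root branch writes literal placeholder credentials (`url = "postgres://user@host/rudder"`, `password = "password"`) on every relay, which is only harmless because `output = "upstream"` there; a comment such as `# placeholder, the database output is not used on relays` would prevent someone from "fixing" it. `verify_certificates = false` in the `{{^classes.rudder_verify_certs}}` branch means a relay accepts any certificate from its upstream, which is worth a comment naming the setting that turns verification on.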
@@ -1,30 +1,24 @@ -bundle agent rudder_system_apache_configuration { +bundle agent system_rudder_apache_configuration { vars: "apache_service" string => "apache2"; redhat:: "apache_service" string => "httpd"; - classes: - "pass3" expression => "pass2"; - "pass2" expression => "pass1"; - "pass1" expression => "any"; methods: - pass3:: "any" usebundle => enable_reporting; # Force allowed networks - "any" usebundle => _method_reporting_context("Apache allowed networks", "None"); - "any" usebundle => rudder_system_apache_networks_check; + "any" usebundle => system_rudder_apache_networks_configuration; # Force webdav user/password - "any" usebundle => rudder_system_apache_password_check_dav; + "any" usebundle => system_rudder_apache_webdav_configuration; # Check that apache is running and enabled - "any" usebundle => _method_reporting_context("Apache service started", "None"); + "any" usebundle => _method_reporting_context("Apache service", "Started"); "any" usebundle => service_started("${apache_service}"); - "any" usebundle => _method_reporting_context("Apache service enabled", "None"); + "any" usebundle => _method_reporting_context("Apache service", "Enabled"); "any" usebundle => service_enabled("${apache_service}"); # Configure relayd - "any" usebundle => rudder_system_relayd_configuration; + #"any" usebundle => rudder_system_relayd_configuration; } diff --git a/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf b/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf deleted file mode 100644 index 0b44777f2..000000000 --- a/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_networks_check.cf +++ /dev/null 
@@ -1,57 +0,0 @@ -bundle agent rudder_system_apache_networks_check { - vars: - "policy_server_ip" string => host2ip("${server_info.policy_server}"); - server_ip_found:: - "policy_server_acl" slist => { "127.0.0.0/8", "::1", "${policy_server_ip}" }; - !server_ip_found:: - "policy_server_acl" slist => { "127.0.0.0/8", "::1" }; - - any:: - "defacl" slist => filter("0.0.0.0/0", "def.acl", "false", "true", "99999"); - "nodes_acl_24" slist => maplist("Require ip ${this}", "defacl"); - "nodes_generate_24" string => join("${const.n}","nodes_acl_24"); - - "allowed_network_file" string => "${g.rudder_base}/etc/rudder-networks-24.conf"; - "remote_run_file" string => "${g.rudder_base}/etc/rudder-networks-policy-server-24.conf"; - - "allowed_network_prefix" string => canonify("file_content_${allowed_network_file}"); - "remote_run_prefix" string => canonify("file_content_${remote_run_file}"); - - - server_ip_found:: - "remote_run_acl" string => "Require local${const.n}Require ip ${policy_server_ip}"; - !server_ip_found:: - "remote_run_acl" string => "Require local"; - - - has_all_granted:: - "allowed_network_acl" string => "Require all granted"; - !has_all_granted:: - "allowed_network_acl" string => "${nodes_generate_24}"; - - classes: - "pass3" expression => "pass2"; - "pass2" expression => "pass1"; - "pass1" expression => "any"; - - "has_all_granted" expression => some("0.0.0.0/0", "def.acl"); - "server_ip_found" expression => regcmp("^[0-9.]+$|^[0-9a-fA-F:]+:[0-9a-fA-F:]+$", "${policy_server_ip}"); - - # Restart apache at the end of the technique if needed - "system_restart_apache" expression => "${allowed_network_prefix}_repaired|${remote_run_prefix}_repaired", - scope => "namespace"; - - methods: - pass3:: - # Allowed networks - "any" usebundle => _method_reporting_context("Apache allowed networks permissions", "None"); - "any" usebundle => permissions("${allowed_network_file}", "600", "root", "0"); - "any" usebundle => _method_reporting_context("Apache allowed networks 
configuration", "None"); - "any" usebundle => file_content("${allowed_network_file}", "${allowed_network_acl}", "true"); - - # Remote run - "any" usebundle => _method_reporting_context("Apache allowed remote run permissions", "None"); - "any" usebundle => permissions("${remote_run_file}", "600", "root", "0"); - "any" usebundle => _method_reporting_context("Apache allowed remote run configuration", "None"); - "any" usebundle => file_content("${remote_run_file}", "${remote_run_acl}", "true"); -} diff --git a/techniques/system/rudderRelay/1.0/apache/system_rudder_apache_networks_configuration.cf b/techniques/system/rudderRelay/1.0/apache/system_rudder_apache_networks_configuration.cf new file mode 100644 index 000000000..66abda205 --- /dev/null +++ b/techniques/system/rudderRelay/1.0/apache/system_rudder_apache_networks_configuration.cf 
@@ -0,0 +1,55 @@ +bundle agent system_rudder_apache_networks_configuration { + vars: + any:: + "component" string => "Apache configuration"; + "defacl" slist => filter("0.0.0.0/0", "def.acl", "false", "true", "99999"); + "nodes_acl_24" slist => maplist("Require ip ${this}", "defacl"); + "nodes_generate_24" string => join("${const.n}","nodes_acl_24"); + + "allowed_network_file" string => "${g.rudder_base}/etc/rudder-networks-24.conf"; + "remote_run_file" string => "${g.rudder_base}/etc/rudder-networks-policy-server-24.conf"; + + "allowed_network_prefix" string => canonify("file_content_${allowed_network_file}"); + "remote_run_prefix" string => canonify("file_content_${remote_run_file}"); + + "policy_server_ip" string => host2ip("${server_info.policy_server}"); + + + server_ip_found:: + "policy_server_acl" slist => { "127.0.0.0/8", "::1", "${policy_server_ip}" }; + !server_ip_found:: + "policy_server_acl" slist => { "127.0.0.0/8", "::1" }; + + + server_ip_found:: + "remote_run_acl" string => "Require local${const.n}Require ip ${policy_server_ip}"; + !server_ip_found:: + "remote_run_acl" string => "Require local"; + + + has_all_granted:: + "allowed_network_acl" string => "Require all granted"; + !has_all_granted:: + "allowed_network_acl" string => "${nodes_generate_24}"; + + classes: + "has_all_granted" expression => some("0.0.0.0/0", "def.acl"); + "server_ip_found" expression => regcmp("^[0-9.]+$|^[0-9a-fA-F:]+:[0-9a-fA-F:]+$", "${policy_server_ip}"); + + # Restart apache at the end of the technique if needed + "rudder_server_system_restart_apache" expression => "${allowed_network_prefix}_repaired|${remote_run_prefix}_repaired", + scope => "namespace"; + + methods: + # Allowed networks + "any" usebundle => _method_reporting_context("${component}", "Allowed networks permissions"); + "any" usebundle => permissions("${allowed_network_file}", "600", "root", "0"); + "any" usebundle => _method_reporting_context("${component}", "Allowed networks configuration"); + "any" 
usebundle => file_content("${allowed_network_file}", "${allowed_network_acl}", "true"); + + # Remote run + "any" usebundle => _method_reporting_context("${component}", "Remote run permissions"); + "any" usebundle => permissions("${remote_run_file}", "600", "root", "0"); + "any" usebundle => _method_reporting_context("${component}", "Remote run configuration"); + "any" usebundle => file_content("${remote_run_file}", "${remote_run_acl}", "true"); +} diff --git a/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf b/techniques/system/rudderRelay/1.0/apache/system_rudder_apache_webdav_configuration.cf similarity index 65% rename from techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf rename to techniques/system/rudderRelay/1.0/apache/system_rudder_apache_webdav_configuration.cf index e996e8271..bccc2d3c7 100644 --- a/techniques/system/rudderRelay/1.0/apache/rudder_system_apache_password_check_dav.cf +++ b/techniques/system/rudderRelay/1.0/apache/system_rudder_apache_webdav_configuration.cf @@ -1,12 +1,4 @@ -# This file contains bundles to manage password between all components of a -# Rudder server (OpenLDAP, PostgreSQL, Apache WebDAV and web interface) - -# It is currently only used on root servers where all components are installed -# on one host. It may be extended in the future to support changing passwords -# across multiple hosts. - -bundle agent rudder_system_apache_password_check_dav { - +bundle agent system_rudder_apache_webdav_configuration { vars: debian:: "webdav_check_wwwgroup" string => "www-data"; 
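Review bot: `policy_server_acl` is still assigned under both `server_ip_found::` and `!server_ip_found::` in the new `system_rudder_apache_networks_configuration` bundle but is never referenced, so it is dead code that suggests an ACL which is never enforced; remove it or use it to build `remote_run_acl`. When `host2ip("${server_info.policy_server}")` does not return an address, `server_ip_found` is false and the policy server is silently omitted from `rudder-networks-policy-server-24.conf`, which breaks remote-run from the root server with nothing in the reports; add a log line under `!server_ip_found::` in `methods:`, e.g. `"any" usebundle => log_rudder("Could not resolve policy server ${server_info.policy_server}, remote run restricted to local", ...)` using whichever logging method this technique already has in scope. The trailing `"true"` passed to `file_content` is positional and unexplained; a short comment saying it enforces exact file content would help.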
@@ -25,30 +17,24 @@ bundle agent rudder_system_apache_password_check_dav { any:: "no" int => getfields("RUDDER_WEBDAV_PASSWORD:.*","${g.rudder_base}/etc/rudder-passwords.conf",":","dav_password"); - "technique_name" string => "server-roles"; "report_string" string => "Apache WebDAV user and password"; "webdav_pwd_cmd" string => "${htpasswd_bin} -b ${g.rudder_base}/etc/htpasswd-webdav ${g.davuser} ${g.davpw}"; "args" slist => { "${webdav_pwd_cmd}" }; "pwd_class_prefix" string => canonify("command_execution_${webdav_pwd_cmd}"); + "component" string => "Apache configuration"; classes: - "dav_cant_connect" not => returnszero("${g.rudder_curl} --tlsv1.2 --proxy '' ${g.rudder_verify_certs_option} --silent --fail --output /dev/null --user ${g.davuser}:${g.davpw} --upload-file ${g.rudder_base}/etc/uuid.hive https://localhost/inventory-updates/uuid.hive","noshell"); - any:: - "pass3" expression => "pass2"; - "pass2" expression => "pass1"; - "pass1" expression => "any"; - - "system_restart_apache" expression => "${pwd_class_prefix}_repaired", - scope => "namespace"; + "rudder_server_system_restart_apache" expression => "${pwd_class_prefix}_repaired", + scope => "namespace"; methods: - "any" usebundle => _method_reporting_context("Apache webdav permissions", "None"); + "any" usebundle => _method_reporting_context("${component}", "Webdav permissions"); "any" usebundle => permissions("${g.rudder_base}/etc/htpasswd-webdav", "640", "root", "${webdav_check_wwwgroup}"); - "any" usebundle => _method_reporting_context("Apache webdav password", "None"); + "any" usebundle => _method_reporting_context("${component}", "Webdav configuration"); dav_cant_connect:: "any" usebundle => command_execution("${webdav_pwd_cmd}"); diff --git a/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf b/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf index 82b93e32c..de69a736c 100644 --- a/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf 
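Review bot: `dav_cant_connect` is raised whenever the probe upload in `returnszero(...)` fails for any reason — Apache not up yet, a TLS error against `https://localhost` when `${g.rudder_verify_certs_option}` enforces verification, a 5xx from the WebDAV handler — not only on an authentication failure, and in every such case the `dav_cant_connect::` branch rewrites `htpasswd-webdav`, reports the component as repaired and raises `rudder_server_system_restart_apache`, so a transient outage produces an htpasswd rewrite and an Apache reload on each run. Make the probe distinguish a `401` from other failures, for example by capturing `--write-out '%{http_code}'` into a variable and only setting the class when the code is `401`, and treat any other failure as an error for this component. The `_log_v3` call that consumes `${webdav_pwd_cmd}` lies outside this hunk.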
+++ b/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf @@ -34,11 +34,11 @@ bundle agent reload_rudder_services { methods: "restart_jetty_password" usebundle => disable_reporting; "restart_jetty_password" usebundle => _method_reporting_context("Reload rudder services", "None"); - rudder_system_restart_jetty:: + rudder_server_system_restart_jetty:: "restart_jetty_password" usebundle => service_restart("${jetty_service_name}"); - rudder_system_restart_apache:: + rudder_server_system_restart_apache:: "restart_jetty_password" usebundle => service_reload("${apache_service}"); - rudder_system_restart_relayd:: + rudder_server_system_restart_relayd:: "restart_jetty_password" usebundle => service_reload("${relayd_service}"); pass3:: "restart_jetty_password" usebundle => enable_reporting; diff --git a/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf b/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf deleted file mode 100644 index 22d49794b..000000000 --- a/techniques/system/rudderRelay/1.0/common/rudder_system_disclaimer.cf +++ /dev/null @@ -1,9 +0,0 @@ -bundle agent rudder_system_disclaimer { - vars: - "disclaim" slist => { "@{p.managed_files}" }; - - files: - "${disclaim}" - edit_line => insert_rudder_disclaimer, - comment => "Insert a disclaimer into Rudder"; -} diff --git a/techniques/system/rudderRelay/1.0/metadata.xml b/techniques/system/rudderRelay/1.0/metadata.xml index d23c1a04b..d1f11114a 100644 --- a/techniques/system/rudderRelay/1.0/metadata.xml +++ b/techniques/system/rudderRelay/1.0/metadata.xml @@ -1,4 +1,4 @@ - + Configure the relay components true @@ -6,29 +6,27 @@ true - - true - true - + true - + true true - systemRelay/1.0/relayd/relayd.conf.tpl + rudderRelay/1.0/relayd/relayd.conf.tpl false - rudder_system_apache_configuration + system_rudder_apache_configuration + system_rudder_relay_configuration @@ -36,17 +34,29 @@ -
-
-
-
-
-
-
-
-
-
-
-
+
+ + Enabled + Started + +
+
+ + Allowed networks permissions + Allowed networks configuration + Remote run permissions + Remote run configuration + Webdav configuration + Webdav permissions + +
+
+ + Configuration permissions + Configuration + Enabled + Started + +
diff --git a/techniques/system/rudderRelay/1.0/relayd/relayd.cf b/techniques/system/rudderRelay/1.0/relayd/relayd.cf index 4a5561df0..f5f143adb 100644 --- a/techniques/system/rudderRelay/1.0/relayd/relayd.cf +++ b/techniques/system/rudderRelay/1.0/relayd/relayd.cf 
@@ -1,25 +1,27 @@ -bundle agent rudder_system_relayd_configuration { +bundle agent system_rudder_relay_configuration { vars: - "config_dir" string => "${g.rudder_base}/etc/relayd"; - "config_file" string => "${config_dir}/main.conf2"; - "relayd_service" string => "rudder-relayd"; + "config_dir" string => "${g.rudder_base}/etc/relayd"; + "config_file" string => "${config_dir}/main.conf2"; + "relayd_service" string => "rudder-relayd"; "config_class_prefix" string => canonify("file_from_template_${config_file}"); + "component" string => "Rudder-relayd service"; + classes: + # Restart relayd at the end of the technique if needed + "system_restart_relayd" expression => "${config_class_prefix}_repaired", + scope => "namespace"; methods: - "any" usebundle => _method_reporting_context("Relayd configuration permissions", "None"); + "any" usebundle => _method_reporting_context("${component}", "Configuration permissions"); "any" usebundle => permissions_recursive("${config_dir}", "640", "root", "rudder"); - "any" usebundle => _method_reporting_context("Relayd configuration", "None"); + "any" usebundle => _method_reporting_context("${component}", "Configuration"); "any" usebundle => file_from_template_mustache("${this.promise_dirname}/relayd.conf.tpl", "${config_file}"); - "any" usebundle => _method_reporting_context("Relayd service started", "None"); + "any" usebundle => _method_reporting_context("${component}", "Started"); "any" usebundle => service_started("${relayd_service}"); - "any" usebundle => _method_reporting_context("Relayd service enabled", "None"); + "any" usebundle => _method_reporting_context("${component}", "Enabled"); "any" usebundle => service_enabled("${relayd_service}"); - # Restart relayd at the end of the technique if needed - "system_restart_relayd" expression => "${config_class_prefix}_repaired", - scope => "namespace"; } From 59d01cd9a70ec5a5f3ccf3876c42a258c9d59ed0 Mon Sep 17 00:00:00 2001 
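Review bot: The class raised here is `system_restart_relayd`, but `reload_rudder_services` (renamed in this same patch) now consumes `rudder_server_system_restart_relayd`, so a repaired `main.conf2` never triggers a relayd reload and the daemon keeps running with its previous configuration. Rename it to match: `"rudder_server_system_restart_relayd" expression => "${config_class_prefix}_repaired",`. The comment above the promise could also name the consumer, e.g. `# consumed by reload_rudder_services, which reloads rudder-relayd`, so the two names are kept in sync next time.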
From: Felix Dallidet Date: Tue, 30 Mar 2021 16:31:57 +0200 Subject: [PATCH 3/4] fixup! fixup! Fixes #19037: Refactor the system techniques by component Fixes #19037: Refactor the system techniques by component --- .../rudderRelay/1.0/common/reload_rudder_services.cf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf b/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf index de69a736c..b768a4c6c 100644 --- a/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf +++ b/techniques/system/rudderRelay/1.0/common/reload_rudder_services.cf @@ -32,16 +32,16 @@ bundle agent reload_rudder_services { "result_na" expression => "any"; methods: - "restart_jetty_password" usebundle => disable_reporting; - "restart_jetty_password" usebundle => _method_reporting_context("Reload rudder services", "None"); + "any" usebundle => disable_reporting; + "any" usebundle => _method_reporting_context("Reload rudder services", "None"); rudder_server_system_restart_jetty:: - "restart_jetty_password" usebundle => service_restart("${jetty_service_name}"); + "any" usebundle => service_restart("${jetty_service_name}"); rudder_server_system_restart_apache:: - "restart_jetty_password" usebundle => service_reload("${apache_service}"); + "any" usebundle => service_reload("${apache_service}"); rudder_server_system_restart_relayd:: - "restart_jetty_password" usebundle => service_reload("${relayd_service}"); + "any" usebundle => service_reload("${relayd_service}"); pass3:: - "restart_jetty_password" usebundle => enable_reporting; + "any" usebundle => enable_reporting; # Reporting "report_error" usebundle => rudder_common_report("${technique_name}", "result_error", "${server_roles_common.directiveId}", "${component_name}", "None", "${report_string}"), From 9107ce6454f97e31564dffb8b7dc178d0003c3e3 Mon Sep 17 00:00:00 2001 
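Review bot: The reload promises still reference `${apache_service}` and `${relayd_service}`, which this bundle does not define — its variables, declared at the top of the bundle outside this hunk, are `apache_service_name` and `relayd_service_name` — so CFEngine either skips the promise as unresolved or hands the literal string to `service_reload`, and because `disable_reporting` precedes them the failure is invisible. Change the two lines to `"any" usebundle => service_reload("${apache_service_name}");` and `"any" usebundle => service_reload("${relayd_service_name}");`. The bundle body continues past the end of this hunk.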
From: Felix Dallidet Date: Tue, 30 Mar 2021 16:32:23 +0200 Subject: [PATCH 4/4] fixup! fixup! fixup! Fixes #19037: Refactor the system techniques by component Fixes #19037: Refactor the system techniques by component --- techniques/system/rudderRelay/1.0/apache/main.cf | 3 --- 1 file changed, 3 deletions(-) diff --git a/techniques/system/rudderRelay/1.0/apache/main.cf b/techniques/system/rudderRelay/1.0/apache/main.cf index ba126f080..5a2c70c0a 100644 --- a/techniques/system/rudderRelay/1.0/apache/main.cf +++ b/techniques/system/rudderRelay/1.0/apache/main.cf @@ -18,7 +18,4 @@ bundle agent system_rudder_apache_configuration { "any" usebundle => _method_reporting_context("Apache service", "Enabled"); "any" usebundle => service_enabled("${apache_service}"); - - # Configure relayd - #"any" usebundle => rudder_system_relayd_configuration; }