Fixes #7341: Update the Techniques for relay-promises-only and cfengine-mission-portal

initial-promises/node-server/common/1.0/site.cf

@@ -185,12 +185,15 @@ bundle common g
     "curl_installed"                 expression => isexecutable("${rudder_curl}");
 
     # Roles
-    "rudder_server_roles_dir_exists" expression => isdir("${server_roles_path}");
-    "role_rudder_server_root"        expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-server-root");
-    "role_rudder_inventory_ldap"     expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-inventory-ldap");
-    "role_rudder_jetty"              expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-jetty");
-    "role_rudder_webapp"             expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-webapp");
-    "role_rudder_inventory_endpoint" expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-inventory-endpoint");
-    "role_rudder_reports"            expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-reports");
-    "role_rudder_relay_top"          expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-relay-top");
+    "rudder_server_roles_dir_exists"       expression => isdir("${server_roles_path}");
+    "role_rudder_server_root"              expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-server-root");
+    "role_rudder_inventory_ldap"           expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-inventory-ldap");
+    "role_rudder_jetty"                    expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-jetty");
+    "role_rudder_webapp"                   expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-webapp");
+    "role_rudder_inventory_endpoint"       expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-inventory-endpoint");
+    "role_rudder_reports"                  expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-reports");
+    "role_rudder_relay_top"                expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-relay-top");
+    "role_rudder_relay_promises_only"      expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-relay-promises-only");
+    "role_rudder_cfengine_mission_portal"  expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-cfengine-mission-portal");
+
 }

initial-promises/node-server/server-roles/1.0/component-check.cf

@@ -86,12 +86,12 @@ bundle agent root_component_check
 
     # Do this if this is the root_server  a relay server
 
-    root_server|policy_server::
+    root_server|(policy_server.!role_rudder_relay_promises_only)::
       "any" usebundle => root_networks_check;
       "any" usebundle => root_password_check_dav;
       "any" usebundle => generic_process_check_process("${service[apache][binary]}", "${service[apache][initscript]}", "${service[apache][name]}", "false", "${service[apache][check_on_relay_server]}");
 
-    !(root_server|policy_server)::
+    !(root_server|(policy_server.!role_rudder_relay_promises_only))::
       "any" usebundle => rudder_common_report("${technique_name}", "result_na", "server-roles@@server-roles-directive@@0",
           "Check allowed networks configuration", "None", "Checking the allowed networks configuration is unnecessary on this machine, skipping..."
         );

initial-promises/node-server/server-roles/logrotate.conf/rudder

@@ -4,7 +4,7 @@
 # It will automatically be updated by Rudder itself if a new component to be managed
 # is added to the machine.
 
-[%CFEngine role_rudder_server_root|policy_server:: %]
+[%CFEngine role_rudder_server_root|(policy_server.!role_rudder_relay_promises_only):: %]
 /var/log/rudder/apache2/*.log {
         daily
         missingok
@@ -19,7 +19,7 @@
         endscript
 }
 
-[%CFEngine !redhat.(role_rudder_server_root|policy_server):: %]
+[%CFEngine !redhat.(role_rudder_server_root|(policy_server.!role_rudder_relay_promises_only)):: %]
 /var/log/rudder/reports/*.log {
         daily
         missingok
@@ -34,7 +34,7 @@
         endscript
 }
 
-[%CFEngine redhat.(role_rudder_server_root|policy_server):: %]
+[%CFEngine redhat.(role_rudder_server_root|(policy_server.!role_rudder_relay_promises_only)):: %]
 /var/log/rudder/reports/*.log {
         daily
         missingok

techniques/system/common/1.0/cf-served.st

@@ -24,11 +24,17 @@
 
 bundle server access_rules
 {
+&if(NOVA)&
+  vars:
+    enterprise::
+      "query_types" slist => {"delta", "rebase", "full"};
+&endif&
+
   # Access rules are only defined on a policy server. Standard nodes should not share any files.
   access:
 
 &if(MANAGED_NODES_NAME)&
-    policy_server::
+    policy_server|role_rudder_relay_promises_only::
       &if(NOVA)&
       "&UUID&"
         handle        => "policy_server_uuid",
@@ -62,6 +68,16 @@ bundle server access_rules
 
       &endif&
 
+    &if(NOVA)&
+    role_rudder_cfengine_mission_portal::
+      "$(query_types)"
+        handle             => "server_access_grant_$(query_types)_for_hub",
+        comment            => "Grant $(query_types) reporting query for the hub on the policy server",
+        resource_type      => "query",
+        report_data_select => rudder_data_select_policy_hub,
+        admit              => { ${def.policy_server}, @{sys.ip_addresses} }; # an enterprise policy server needs to be able to contact itself
+    &endif&
+
 
     any::
   &if(SKIPIDENTIFY)&
@@ -86,6 +102,16 @@ bundle server access_rules
       "/var/rudder/cfengine-community/bin/cf-agent"
         admit   => { host2ip("${server_info.cfserved}"), string_downcase(escape("${server_info.cfserved}")) };
 
+  &if(NOVA)&
+      "$(query_types)"
+        handle => "server_access_grant_$(query_types)_for_hosts",
+        comment => "Grant $(query_types) reporting query for the hub on the hosts",
+        resource_type => "query",
+        report_data_select => rudder_data_select_host,
+        admit => { ${def.policy_server}, @{sys.ip_addresses} };
+  &endif&
+
+
   roles:
       # Allow user root to set any class
       ".*"  authorize => { "root" };
@@ -230,3 +256,28 @@ body runagent control
 }
 &endif&
 
+&if(NOVA)&
+body report_data_select rudder_data_select_host
+# @brief Data to collect from remote hosts by default
+#
+# By convention variables and classes known to be internal, (having no
+# reporting value) should be prefixed with an underscore. By default the policy
+# framework explicitly excludes these variables and classes from collection.
+{
+    metatags_include => { "inventory", "report" };
+    metatags_exclude => { "noreport" };
+    monitoring_include => { ".*" };
+}
+
+body report_data_select rudder_data_select_policy_hub
+# @brief Data to collect from policy servers by default
+#
+# By convention variables and classes known to be internal, (having no
+# reporting value) should be prefixed with an underscore. By default the policy
+# framework explicitly excludes these variables and classes from collection.
+{
+    metatags_include => { "inventory", "report" };
+    metatags_exclude => { "noreport" };
+    monitoring_include => { ".*" };
+}
+&endif&

techniques/system/common/1.0/site.st

@@ -202,15 +202,16 @@ bundle common g
     "curl_installed"                 expression => isexecutable("${rudder_curl}");
 
     # Roles
-    "rudder_server_roles_dir_exists" expression => isdir("${server_roles_path}");
-    "role_rudder_server_root"        expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-server-root");
-    "role_rudder_inventory_ldap"     expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-inventory-ldap");
-    "role_rudder_jetty"              expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-jetty");
-    "role_rudder_webapp"             expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-webapp");
-    "role_rudder_inventory_endpoint" expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-inventory-endpoint");
-    "role_rudder_reports"            expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-reports");
-    "role_rudder_relay_top"          expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-relay-top");
-
+    "rudder_server_roles_dir_exists"       expression => isdir("${server_roles_path}");
+    "role_rudder_server_root"              expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-server-root");
+    "role_rudder_inventory_ldap"           expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-inventory-ldap");
+    "role_rudder_jetty"                    expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-jetty");
+    "role_rudder_webapp"                   expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-webapp");
+    "role_rudder_inventory_endpoint"       expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-inventory-endpoint");
+    "role_rudder_reports"                  expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-reports");
+    "role_rudder_relay_top"                expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-relay-top");
+    "role_rudder_relay_promises_only"      expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-relay-promises-only");
+    "role_rudder_cfengine_mission_portal"  expression => fileexists("${rudder_base}/etc/server-roles.d/rudder-cfengine-mission-portal");
 }
 
 # defines the path to the ncf configuration file

techniques/system/distributePolicy/1.0/propagatePromises.st

@@ -65,7 +65,7 @@ bundle agent propagatePromises
         comment      => "Enforce the ncf configuration file",
         classes      => classes_generic("configure_ncf_config");
 
-    policy_server.!root_server::
+    (policy_server|role_rudder_relay_promises_only).!root_server::
 
       "${client_data}"  #that's a loop on each files in client_inputs
         copy_from    => remote("${server_info.cfserved}","${server_data}"),
@@ -201,7 +201,7 @@ bundle agent sendInventoryToCmdb
         classes => rudder_common_classes("rudder_inventory_processing"),
         comment => "Processing a local inventory";
 
-    policy_server.!(root_server|role_rudder_relay_top)::
+    policy_server.!(root_server|role_rudder_relay_top|role_rudder_relay_promises_only)::
 
       "${g.rudder_inventories}/incoming"
         transformer => "/usr/bin/curl -k -1 -f -s --proxy '' --user rudder:rudder -T ${this.promiser}  ${g.inventory_upload_protocol}://${server_info.cfserved}/inventories/",
@@ -217,7 +217,7 @@ bundle agent sendInventoryToCmdb
         classes => rudder_common_classes("rudder_inventory_relay"),
         comment => "Sending an inventory to the root server";
 
-    policy_server.!(root_server|role_rudder_relay_top).!rudder_inventory_relay_error::
+    policy_server.!(root_server|role_rudder_relay_top|role_rudder_relay_promises_only).!rudder_inventory_relay_error::
 
       "${g.rudder_inventories}/incoming"
         transformer => "/bin/rm -f ${this.promiser}",
@@ -241,7 +241,7 @@ bundle agent sendInventoryToCmdb
     pass3.rudder_inventory_processing_error::
       "any" usebundle => rudder_common_report("DistributePolicy", "result_error", "&TRACKINGKEY&", "Send inventories to CMDB", "None", "Some inventories failed to add successfully to Rudder");
 
-    pass3.((root_server|role_rudder_relay_top).!rudder_inventory_processing_repaired.!rudder_inventory_processing_error)::
+    pass3.((root_server|role_rudder_relay_top|role_rudder_relay_promises_only).!rudder_inventory_processing_repaired.!rudder_inventory_processing_error)::
       "any" usebundle => rudder_common_report("DistributePolicy", "result_success", "&TRACKINGKEY&", "Send inventories to CMDB", "None", "No inventory to send");
 
     pass3.(rudder_inventory_relay_repaired.!rudder_inventory_relay_error)::
@@ -250,7 +250,7 @@ bundle agent sendInventoryToCmdb
     pass3.rudder_inventory_relay_error::
       "any" usebundle => rudder_common_report("DistributePolicy", "result_error", "&TRACKINGKEY&", "Send inventories to CMDB", "None", "Cannot relay some inventories to the root server");
 
-    pass3.(policy_server.!(root_server|role_rudder_relay_top).!rudder_inventory_relay_repaired.!rudder_inventory_relay_error)::
+    pass3.(policy_server.!(root_server|role_rudder_relay_top|role_rudder_relay_promises_only).!rudder_inventory_relay_repaired.!rudder_inventory_relay_error)::
       "any" usebundle => rudder_common_report("DistributePolicy", "result_success", "&TRACKINGKEY&", "Send inventories to CMDB", "None", "No inventory to relay");
 
     pass3.(rudder_inventory_cleanup_repaired.!rudder_inventory_cleanup_error)::

techniques/system/distributePolicy/1.0/rsyslogConf.st

@@ -40,7 +40,7 @@ bundle agent install_rsyslogd {
 
   files:
 
-    policy_server.!reports_disabled::
+    policy_server.!reports_disabled.!role_rudder_relay_promises_only::
 
       "/etc/rsyslog.d/rudder.conf"
         create    => "true",
@@ -62,7 +62,7 @@ bundle agent install_rsyslogd {
         classes => classes_generic("rudder_rsyslog_historical_conf_purged"),
         comment => "Deleting historical rudder-agent.conf file if it is there";
 
-    policy_server.debian.!reports_disabled::
+    policy_server.debian.!reports_disabled.!role_rudder_relay_promises_only::
       "/etc/rsyslog.d/pgsql.conf"
         edit_line => comment_all(),
         edit_defaults => noempty_backup,
@@ -71,7 +71,7 @@ bundle agent install_rsyslogd {
 
   packages:
 
-    policy_server.!SuSE.!redhat.!reports_disabled::
+    policy_server.!SuSE.!redhat.!reports_disabled.!role_rudder_relay_promises_only::
       "rsyslog"
         package_policy  => "add",
         package_method  => generic,
@@ -84,7 +84,7 @@ bundle agent install_rsyslogd {
         classes => cf2_if_else("rsyslog_pgsql_installed", "cant_install_rsyslog_pgsql"),
         comment => "Installing rsyslog_pgsql using apt backports";
 
-    policy_server.!SuSE.redhat.!reports_disabled::
+    policy_server.!SuSE.redhat.!reports_disabled.!role_rudder_relay_promises_only::
       "rsyslog"
         package_policy  => "add",
         package_method  => rudder_yum,

techniques/system/server-roles/1.0/component-check.st

@@ -85,13 +85,13 @@ bundle agent root_component_check
         );
 
     # Do this if this is the root_server or a relay server
-    root_server|policy_server::
+    root_server|(policy_server.!role_rudder_relay_promises_only)::
       "any" usebundle => root_networks_check;
       "any" usebundle => root_password_check_dav;
       "any" usebundle => generic_process_check_process("${service[apache][binary]}", "${service[apache][service]}", "${service[apache][name]}", "false", "${service[apache][check_on_relay_server]}");
       "any" usebundle => generic_process_check_bootstart("${service[apache][binary]}", "${service[apache][service]}", "${service[apache][name]}");
 
-    !(root_server|policy_server)::
+    !(root_server|policy_server)|role_rudder_relay_promises_only::
       "any" usebundle => rudder_common_report("${technique_name}", "result_na", "&TRACKINGKEY&",
           "Check allowed networks configuration", "None", "Checking the allowed networks configuration is unnecessary on this machine, skipping..."
         );

techniques/system/server-roles/1.0/rudder-logrotate.st

@@ -4,7 +4,7 @@
 # It will automatically be updated by Rudder itself if a new component to be managed
 # is added to the machine.
 
-[%CFEngine role_rudder_server_root|policy_server:: %]
+[%CFEngine role_rudder_server_root|(policy_server.!role_rudder_relay_promises_only):: %]
 /var/log/rudder/apache2/*.log {
         daily
         missingok
@@ -19,7 +19,7 @@
         endscript
 }
 
-[%CFEngine !redhat.(role_rudder_server_root|policy_server):: %]
+[%CFEngine !redhat.(role_rudder_server_root|(policy_server.!role_rudder_relay_promises_only)):: %]
 /var/log/rudder/reports/*.log {
         daily
         missingok
@@ -34,7 +34,7 @@
         endscript
 }
 
-[%CFEngine redhat.(role_rudder_server_root|policy_server):: %]
+[%CFEngine redhat.(role_rudder_server_root|(policy_server.!role_rudder_relay_promises_only)):: %]
 /var/log/rudder/reports/*.log {
         daily
         missingok