diff --git a/dev/configuration.properties b/dev/configuration.properties
index 0e68111..66d95e6 100644
--- a/dev/configuration.properties
+++ b/dev/configuration.properties
@@ -3,12 +3,12 @@
#####################################################################################
#
# This file is part of Rudder.
-#
+#
# Rudder is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
-#
+#
# In accordance with the terms of section 7 (7. Additional Terms.) of
# the GNU General Public License version 3, the copyright holders add
# the following Additional permissions:
@@ -21,12 +21,12 @@
# documentation that, without modification of the Source Code, enables
# supplementary functions or services in addition to those offered by
# the Software.
-#
+#
# Rudder is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
-#
+#
# You should have received a copy of the GNU General Public License
# along with Rudder. If not, see .
@@ -34,27 +34,18 @@
#####################################################################################
##
-# Default configuration file for the application.
+# Default configuration file for the application.
# You can define the location of the file by
# setting "rudder.configFile" JVM property,
# for example:
# java .... -Drudder.configFile=/opt/rudder/etc/rudder-web.conf
##
+bin.emergency.stop=/opt/rudder/bin/cfe-red-button.sh
-###########################
+##########################
# Application information ###########################################################
-###########################
-
-#
-#define that property if you are behind a proxy
-#or anything that make the URL served by the
-#servlet container be different than the public one
-#note: if defined, must not end with /
-#let blank to use default value
-#
-## This property is no more use since Rudder 2.4
-#base.url=
+##########################
#
# Directory used to store locks about
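Review bot: `bin.emergency.stop=/opt/rudder/bin/cfe-red-button.sh` is added at the top of the file with no comment at all, squeezed in before the "Application information" banner, while the copy it replaces in the DEPRECATED section of this same diff carried both a description ("path to the script/binary that allows emergency orchestrator stop") and a deprecation notice. Since the value is an executable path the server presumably runs, the reader needs to know what it does and whether it is still invoked; keep the description next to it, e.g. `# Emergency stop: path to the script/binary run to stop the orchestrator.` If the property is in fact still unused, say so here, or leave it in the deprecated section rather than promoting it silently.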
@@ -75,7 +66,7 @@ rudder.endpoint.cmdb=http://localhost:8080/endpoint/upload/
rudder.server.relay.api=https://localhost/rudder/relay-api
#
-# The port used by the rsyslog server on the Rudder root server.
+# The port used by the rsyslog server on the Rudder root server.
# Default port number is 514, but in some cases this may need to be changed.
# For example, on Ubuntu version >= 12.04 rsyslog runs as a non-root user,
# so using port 514 is not permitted, thus we must use a port higher than 1024.
@@ -83,9 +74,9 @@ rudder.server.relay.api=https://localhost/rudder/relay-api
#
rudder.syslog.port=514
-###################
+##################
# LDAP properties ###################################################################
-###################
+##################
#
# LDAP directory connection information
@@ -93,17 +84,17 @@ rudder.syslog.port=514
ldap.host=localhost
ldap.port=1389
ldap.authdn=cn=manager,cn=rudder-configuration
+ldap.maxPoolSize=2
#
-# Password used to connect to the OpenLDAP server.
-# On a standard Rudder installation, the password is managed in
+# Password used to connect to the OpenLDAP server.
+# On a standard Rudder installation, the password is managed in
# "/opt/rudder/etc/rudder-passwords.conf" and the value below
-# will be overriden.
+# will be overriden.
#
ldap.authpw=secret
-
###########################
-# SQL database properties ###########################################################
+# SQL database properties ##########################################################
###########################
#
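Review bot: `ldap.maxPoolSize=2` is inserted with no explanation and lands between `ldap.authdn` and the comment block that documents `ldap.authpw`, so it reads as part of the password documentation. Give it its own comment stating what is pooled and why 2 is the default, e.g. `# Max number of pooled connections to the OpenLDAP server (default: 2)`, and place it after `ldap.authpw` as `rudder.jdbc.maxPoolSize` sits after the JDBC password. Whether raising it is safe depends on the directory's connection limit, which this file does not show, so a pointer to that constraint would help operators.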
@@ -114,18 +105,18 @@ rudder.jdbc.driver=org.postgresql.Driver
rudder.jdbc.url=jdbc:postgresql://localhost:15432/rudder
rudder.jdbc.username=rudder
#
-# Password used to connect to the PostgreSQL server.
-# On a standard Rudder installation, the password is managed in
+# Password used to connect to the PostgreSQL server.
+# On a standard Rudder installation, the password is managed in
# "/opt/rudder/etc/rudder-passwords.conf" and the value below
-# will be overriden.
+# will be overriden.
#
rudder.jdbc.password=Normation
rudder.jdbc.maxPoolSize=25
-###########################
+#############################
# Automatic reports cleaning ###########################################################
-###########################
+#############################
#
# Automatic reports cleaning
@@ -141,11 +132,35 @@ rudder.jdbc.maxPoolSize=25
# If the archive TTL is greater than the delete TTL then archiving will be disabled
# as there will be no reports to archive (they would be deleted first).
#
-# Defaults: archive after 4 days, delete after 90 days.
+# Reports need between 500 and 900 kB per Directive per Node per Day, while
+# archived reports need 150 kB per Directive per Node per Day (but archived data
+# are not available in the web interface, they are just here for auditability)
+#
+# Defaults: archive disabled, delete after 4 days.
#
rudder.batch.reportscleaner.archive.TTL=4
-rudder.batch.reportscleaner.delete.TTL=90
+rudder.batch.reportscleaner.delete.TTL=4
+
+# Report with level "log" (log_info, log_warn, etc) are not kept more than a couple of runs.
+# They are used for debugging purpose, and so have a limited interest span (but can consume a lot
+# of DB space).
+# The TTL is given as a number of run to keep (the max run period of all nodes will be used),
+# with the format: Nx (with N a positive integer); or by a number of minutes: N (with N a positive integer).
+# The value is only updated date when rudder starts.
+rudder.batch.reportsCleaner.deleteLogReport.TTL=2x
+
+#
+# Automatic compliance levels cleaning.
+# This allows you to define the periode of time during which
+# compliance level data for nodes, by run, up to directive
+# granularity are kept.
+# The tables grow at ~150kB / node / directive / day
+# (ie, for 100 nodes, with 15 rules having each of them 10 directives,
+# you need ~65GB for a month back of data).
+# There is no archive state for compliance levels.
+#
+rudder.batch.reportscleaner.compliancelevels.delete.TTL=8
#
# Schedule option for automatic cleaning
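Review bot: The new default comment says "archive disabled, delete after 4 days", but `rudder.batch.reportscleaner.archive.TTL=4` is now equal to `rudder.batch.reportscleaner.delete.TTL=4`, and the rule stated a few lines above disables archiving only when the archive TTL is greater than the delete TTL; with equal values the outcome depends on whether the code compares with > or >=, which the file does not show, so either document the equal case explicitly or pick values that satisfy the stated rule. Separately, the new key `rudder.batch.reportsCleaner.deleteLogReport.TTL` uses camel-case `reportsCleaner` while every sibling key uses `reportscleaner`; property keys are case-sensitive, so confirm this matches the key the code reads or align it. `# The value is only updated date when rudder starts.` should read `# The value is only read when Rudder starts.`, and `periode` → `period`.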
@@ -176,10 +191,74 @@ rudder.batch.databasecleaner.runtime.hour=0
# Default : sunday
rudder.batch.databasecleaner.runtime.day=sunday
+#########################
+# Inventories processing ###########################################################
+#########################
-#####################
+#
+# Inventories are processed throught a file watcher
+# (inotify) which react to new
+# inventories put in ${inventories.root.directory}/incoming.
+# You can [start, stop, restart] the watcher with POST to API
+# /api/latest/inventories/watcher/[start, stop, restart].
+#
+inventories.root.directory=/var/rudder/inventories
+
+# 'inventories.watcher.waitForSignatureDuration' is the time
+# in seconds the watcher will wait for the signature file
+# in case there is only an inventory file before sending
+# only inventory to backend.
+inventories.watcher.waitForSignatureDuration=10
+
+#
+# Max number of inventories waiting to be processed internally.
+# For a rough estimation, you can consider that an inventory in queue
+# takes 5 MB, so to handle 50 (default), the application will
+# need around 250 MB of spare memory.
+#
+waiting.inventory.queue.size=50
+
+#
+# You may want to limit the number of inventory files parsed in parallele.
+# The goal is to avoid parsing hundreds of XML in parallel when we prefer
+# to totally parse some (and then the others) and send them to backend.
+# You can specify a positive integer or a string formated "Nx" where
+# "N" is an Int and x means "number of available core".
+# A safe default is "0.5x"
+inventory.parse.parallelization=0.5x
+
+#
+# You can keep exhaustive information about LDAP base modification
+# happening in relation to inventory processing. It is mostly used
+# for debug.
+# You can enable that log by setting the following logger in
+# /opt/rudder/etc/logback.xml file to "trace" level (default "off"):
+#
+#
+ldif.tracelog.rootdir=/var/rudder/inventories/debug
+
+#
+# Automatic inventories cleaning
+# This allows you to schedule the purge of deleted inventoried
+#
+#
+# TTL defines for how long an inventory stays in "Deleted Inventories" once deleted
+# before it is purged (in days). There is no functional value of keeping these deleted inventories
+# A negative value disable the automatic purging of deleted inventories.
+#
+# Check is made every interval hours
+#
+# Defaults: purge after being deleted for 7 days, check runs every 24 hours.
+#
+
+# TTL in days
+rudder.batch.purge.inventories.delete.TTL=7
+# Interval in hours
+rudder.batch.purge.inventories.delete.interval=24
+
+####################
# Webdav properties #################################################################
-#####################
+####################
#
# Authentication information for the webdav server used to
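Review bot: The `inventory.parse.parallelization` comment says the `Nx` form takes an Int for N, yet the default set two lines below is `0.5x`, so either the documentation or the default is wrong; state the accepted form, e.g. `# "N" is a positive number (decimals such as 0.5 are accepted) and x means "number of available cores"`, if decimals really are accepted. `inventories.watcher.waitForSignatureDuration` also needs a sentence on what happens to an inventory forwarded without its signature after the 10 s wait — whether the backend rejects it or accepts it under some policy is the security-relevant detail an operator needs, and the hunk does not say. Minor: `throught`, `parallele`, `formated` and `inventoried` are typos.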
@@ -188,26 +267,26 @@ rudder.batch.databasecleaner.runtime.day=sunday
rudder.webdav.user=rudder
rudder.webdav.password=rudder
-####################################
+###################################
# CFEngine and promises properties ##################################################
-####################################
+###################################
#
-# Port used by the community edition of CFEngine agent to
+# Port used by the community edition of CFEngine agent to
# contact the server (that's the server port).
#
rudder.community.port=5309
#
-# Path to where CFEngine Enterprise (ex Nova) licenses are stored.
+# Path to where CFEngine Enterprise (ex Nova) licenses are stored.
#
rudder.dir.licensesFolder=/opt/rudder/etc/licenses
#
-# Directories used to write nodes promises.
+# Directories used to write nodes promises.
# - promises generated for a node with id UUID go in ***/var/rudder/share/UUID***
# For now, that property can not be modified, because there is no simple
-# way of doing that and letting node knowing where to go look for there promises.
+# way of doing that and letting node knowing where to go look for there promises.
# - promises generated for CFEngine community server go into ***/var/rudder/cfengine-community/inputs***
# - promises generated for CFEngine Nova server go into ***/var/cfengine/inputs***
# - 'rudder.dir.backup' is the directory path where previous configuration of each node are stored
@@ -224,41 +303,41 @@ rudder.dir.shared.files.folder=/var/rudder/configuration-repository/shared-files
#
# Debug Node Configuration parameters
-#
-# Node Configurations are all the parameters (global parameters,
+#
+# Node Configurations are all the parameters (global parameters,
# applied rules/directives with their parameters, node information, etc)
# contextualized for the node. They are the resources used to actually
-# generate promises for THAT node.
+# generate promises for THAT node.
#
# By default, these information are only used internally by Rudder and
-# are not available to the user. But they may be needed in some cases,
-# for debugging.
+# are not available to the user. But they may be needed in some cases,
+# for debugging.
#
# This option allows to define the directory where the node configurations
-# (in JSON format) will go.
-#
-# To enable the writing of node configurations, enable the logger
+# (in JSON format) will go.
+#
+# To enable the writing of node configurations, enable the logger
# named "rudder.debug.nodeconfiguration" in logback.xml
#
rudder.debug.nodeconfiguration.path=/var/log/rudder/nodeConfigurations
############################################
-# Technique library and its Git properties ##########################################
+# Technique library and its Git properties #########################################
############################################
#
-# The path of the root directory of the Technique library.
-# It MUST be the same directory of ${rudder.dir.gitRoot}
+# The path of the root directory of the Technique library.
+# It MUST be the same directory of ${rudder.dir.gitRoot}
# or one of its sub-directories
#
rudder.dir.techniques=/var/rudder/configuration-repository/techniques
#
-# The directory containing tools used by Rudder or nodes.
+# The directory containing tools used by Rudder or nodes.
# You should configure the path of that directory to be
# the "tools" subdirectory of "rudder-technique" local
-# clone of git repository
+# clone of git repository
# (see property rudder.git.rudder-technique)
#
rudder.dir.dependencies=/var/rudder/tools
@@ -274,10 +353,10 @@ rudder.batch.techniqueLibrary.updateInterval=5
#
# Configure the refs path to use for the git repository for
-# the Technique Reference Library.
+# the Technique Reference Library.
# The default is to use "refs/heads/master" (the local master
-# branch).
-# You have to use the full ref path.
+# branch).
+# You have to use the full ref path.
#
rudder.techniqueLibrary.git.refs.path=refs/heads/master
@@ -288,26 +367,26 @@ rudder.techniqueLibrary.git.refs.path=refs/heads/master
#
# Configuration repository is the place where all Group/Directive/Rules
-# configured by the user are historized.
+# configured by the user are historized.
#
#
-# The full path to the directory containing the
+# The full path to the directory containing the
# .git, directives, groups and rules directories.
#
rudder.dir.gitRoot=/var/rudder/configuration-repository
#
-# If true, an archive of Rules, groups,
+# If true, an archive of Rules, groups,
# Directives and Active Techniques are recorded
# to the rudder.dir.gitRoot directory specified above
# and a git commit is performed when any of these items is modified.
# Boolean, defaults to true.
-#
+#
rudder.autoArchiveItems=true
###############################
-# Dynamic group configuration #######################################################
+# Dynamic group configuration ######################################################
###############################
#
@@ -319,23 +398,23 @@ rudder.batch.dyngroup.updateInterval=5
##########################
-# REST API configuration ############################################################
+# REST API configuration ###########################################################
##########################
#
# Boolean, defaults to true
# If true, REST API urls v1 won't require
-# to be authenticated to be accessed.
-# The reason to have default=true for that is
-# that in that use case, the authorization and
+# to be authenticated to be accessed.
+# The reason to have default=true for that is
+# that in that use case, the authorization and
# authentication part for the REST API
# will be done by a third party software, like Apache
#
# If false, these API will need to be authenticated
-# with a valid token managed in the
-# "Administration => API Accounts" screen of Rudder
+# with a valid token managed in the
+# "Administration => API Accounts" screen of Rudder
# web application.
-#
+#
# API affected by that property:
# - /api/status
# - /api/techniqueLibrary/reload
@@ -344,7 +423,7 @@ rudder.batch.dyngroup.updateInterval=5
# - /api/archives/*
#
# DEPRECATED: use of authentication token will become
-# mandatory for all API URLs.
+# mandatory for all API URLs.
#
rudder.rest.allowNonAuthenticatedUser=true
@@ -356,10 +435,10 @@ rudder.rest.allowNonAuthenticatedUser=true
# Inventory historization root directory
#
# The directory used as root directory to store LDIF dump
-# of historized inventories.
-# It must be synchronise with the property of the same name in
-# the "inventory endpoint" web application (inventory-web.properties),
-# which is the application actually writing the files.
+# of historized inventories.
+# It must be synchronise with the property of the same name in
+# the "inventory endpoint" web application (inventory-web.properties),
+# which is the application actually writing the files.
#
# This historized inventories are used in the node acceptation
# screen, to keep information about the state of the node
@@ -371,9 +450,9 @@ history.inventories.rootdir=/var/rudder/inventories/historical
# Non compliant reports logger #################################################
###############################
-# Rudder can log a line for each 5 minute period when configuration policy is
+# Rudder can log a line for each 5 minute period when configuration policy is
# not correctly applied (in error or repaired).
-#
+#
# Default path is /var/log/rudder/compliance/non-compliant-reports.log, and can
# be changed in /opt/rudder/etc/logback.xml.
#
@@ -387,21 +466,30 @@ history.inventories.rootdir=/var/rudder/inventories/historical
rudder.batch.reports.logInterval=1
#########################
-# Store Agent Run Times #############################################################
+# Store Agent Run Times ############################################################
#########################
-# Maximum Days of reports handled (default : 5)
+# Maximum catchup on reports at start (default : 30 minutes)
#
# To avoid handling too much reports at one time, the "Store Agent Run Times" process
-# will only take reports after X days from the last one processed.
+# will only take reports from catchup time from now
# This is mainly used on the first Run, when the process has to catch on old reports,
# and build execution history.
-# This value is expressed in days.
+# Set by two fields, maxDays in days, and maxMinutes in minuts
+
+rudder.batch.storeAgentRunTimes.maxDays=0
+rudder.batch.storeAgentRunTimes.maxMinutes=30
+
+# Maximum batch size of report handled (default: 5 minutes)
+#
+# To avoid handling too much reports at one time, the "Store Agent Run Times" process
+# will work on chunk of maxBatchSize minutes.
+# This is mainly used to avoid using too much memory at once, and ease database
-rudder.batch.storeAgentRunTimes.maxDays=5
+rudder.batch.storeAgentRunTimes.maxBatchSize=5
# Delay before to launch of the reports executions actor (default : 5)
-#
+#
# This value determine the frequency of the reports executions actor.
# This needs to be run very often so you should keep it as low as possible.
# Having a low delay will means that agent executions are almost synchronized with now.
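Review bot: The comment for `rudder.batch.storeAgentRunTimes.maxBatchSize` stops mid-sentence at `and ease database`; finish it, presumably `# This is mainly used to avoid using too much memory at once, and to ease database load.` — what was intended is not visible, so confirm. `minuts` → `minutes`. The new `maxDays`/`maxMinutes` pair should also say how the two combine into the catch-up window (presumably summed), since the comment only lists them.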
@@ -410,88 +498,28 @@ rudder.batch.storeAgentRunTimes.maxDays=5
rudder.batch.storeAgentRunTimes.updateInterval=5
-###########################
-# Rudder Authentication #############################################################
-###########################
+#########################
+# Rudder Authentication ###############################################################
+#########################
#
# Rudder has a root admin account, with full rights on the
-# application, and whose authentication is independant from
-# the authentication provider chosen (file, LDAP, etc).
+# application, and whose authentication is independant from
+# the authentication provider chosen (file, LDAP, etc).
# By default, the accound is disabled (either by letting the
-# the login or the password empty, or by commenting it).
+# the login or the password empty, or by commenting it).
#
#rudder.auth.admin.login=rootadmin
#rudder.auth.admin.password=secret
#
-# By default, both authentication and authorization are handle in the rudder-users.xml
-# file. But you may want to rely on your existing entreprise Active Directory or LDAP
-# to take care of the authentication part.
-# To choose the scheme to use, either use 'file' or 'ldap' for the rudder.auth.type
-# parameter.
-# You can also use a comma separated list of authentication provider to use,
-# like 'ldap, file' in which case each one will be tested in turned for authentication.
-#
-# When set to 'ldap', passwords in rudder-users.xml are ignored and the
-# authentication is delegated to the LDAP server configured below.
-# By convention, when LDAP authentication is enable, 'password' field in
-# rudder-users.xml are set to 'LDAP'
-#
-# Comma separated list of authentication providers. Default provider are
-# 'file', 'ldap'.
+# Both authentication and authorization are handle in the rudder-users.xml
+# file. You can use plugins to add other authentication backends to connect to
+# your existing entreprise Active Directory or LDAP directory.
#
rudder.auth.provider=file
-
-# The following parameters allow to configure the LDAP authentication provider.
-# The LDAP authentication procedure is a typical bind/search/rebind, in which
-# an application connection (bind) is used to search (search) for an user entry
-# given some base and filter parameters, and then, a bind (rebind) is tried on
-# that entry with the credential provided by the user.
-# That allows to seperate the user DN (especially RDN) from the search criteria.
-#
-# Be careful, the authorization is still done in the rudder-user.xml, what means
-# that each user should have access to Rudder MUST have a line in that file.
-# Without that line, the user can have a successful LDAP authentication, but
-# won't be able to do or see anything in Rudder (safe logout).
-#
-
-#
-# Connection URL to the LDAP server, in the form:
-# ldap://hostname:port/base_dn
-#
-rudder.auth.ldap.connection.url=ldap://ldap.mycorp.com:389/dc=mycorp,dc=com
-
-#
-# Bind DN used by Rudder to do the search
-# LDAP dn, no default value.
-#
-rudder.auth.ldap.connection.bind.dn=cn=admin,dc=mycorp,dc=com
-
-#
-# Bind password used by Rudder to do the search.
-# String, no default value.
-#
-rudder.auth.ldap.connection.bind.password=secret
-
-#
-# Search base and filter to use to find the user.
-# The search base can be left empty.
-# In the filter, {0} denotes the value provided as
-# login by the user.
-#
-rudder.auth.ldap.searchbase=ou=People
-rudder.auth.ldap.filter=(&(uid={0})(objectclass=person))
-
-#
-# An AD example would be:
-#
-#rudder.auth.ldap.searchbase=
-#rudder.auth.ldap.filter=(&(sAMAccountName={0})(objectclass=user))
-
-
###########################
# Rudder roles definition #############################################################
###########################
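Review bot: The rewritten authentication comment drops the caveat the removed LDAP text carried: that authorization stays in rudder-users.xml, so a user who authenticates through an external backend but has no entry there gets nothing (safe logout). If that still holds with the plugin backends this text now points to, it is worth a sentence here, e.g. `# Whatever backend authenticates the user, authorizations are still read from rudder-users.xml; a user without an entry there cannot do or see anything.` The removed text also documented a comma-separated provider list for `rudder.auth.provider`; say whether that form is still accepted. Grammar: `are handle` → `are handled`, `entreprise` → `enterprise`, `independant` → `independent`.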
@@ -533,12 +561,12 @@ rudder.server-roles.cfengine-mission-portal=autodetect
# Server side Hooks #############################################################
####################
-# This property contains the comma separated list of suffixes that will be checked
-# before running a hook under /opt/rudder/etc/hooks.d.
+# This property contains the comma separated list of suffixes that will be checked
+# before running a hook under /opt/rudder/etc/hooks.d.
# If an executable file has one of the following suffixes, it
-# will be IGNORED and the corresponding hook skipped. Non executable files are
-# always ignored, with or without any of these suffixes.
-#
+# will be IGNORED and the corresponding hook skipped. Non executable files are
+# always ignored, with or without any of these suffixes.
+#
# Spaces are trimmed. Case is not relevant (both .disabled and .DISABLED will be ignored)
rudder.hooks.ignore-suffixes= .swp, ~, .bak, \
@@ -548,60 +576,58 @@ rudder.hooks.ignore-suffixes= .swp, ~, .bak, \
.ucf-old , .ucf-dist , .ucf-new ,\
.rpmnew , .rpmsave , .rpmorig
+########################
+# Relayd reload command ########################################################
+########################
-#########################
-# DEPRECATED properties #############################################################
-#########################
-
-
+# We have to way to identify nodes: by key of by certificated. When certificates,
+# we update a file used by relayd at: /var/rudder/lib/ssl/allnodescerts.pem
+# After change, we need to notify relayd to reload that file. This is the reload
+# command.
#
-# Command line tools used to check the validity of generated promises
-# DEPRECATED: these commands aren't used anymore. This task is now managed by hook:
-# /opt/rudder/etc/hooks.d/policy-generation-node-ready/10-cf-promise-check
-#
-#rudder.community.checkpromises.command=/var/rudder/cfengine-community/bin/cf-promises
-#rudder.nova.checkpromises.command=/bin/true
+rudder.relayd.reload=/opt/rudder/bin/rudder relay reload -p
+
+###################
+# Fatal exceptions #############################################################
+###################
#
-# Command to force the server to reload its promises
-# This will be run every time promises are regenerated on the root server
-# DEPRECATED: that command isn't used anymore. This task is now managed by hook:
-# /opt/rudder/etc/hooks.d/policy-generation-finished/50-reload-policy-file-server
+# This is a list of unhandled exception that should cause rudder to stop.
+# When they happen, something went clearly wrong and even if rudder continues
+# to work, it is most likely in an inconsistant state, so people should know
+# it and not discover it at random when something else start go crazy.
+# Subclasses of java.lang.Error always lead to termination.
#
-#rudder.cfengine.reload.server.command=/opt/rudder/bin/rudder-reload-cf-serverd
+rudder.jvm.fatal.exceptions=
+########################
+# DEPRECATED properties #############################################################
+########################
#
-# A list of properties actually used in Rudder, but for features disable in the UI.
+# A list of properties actually used in Rudder, but for features disable in the UI.
#
#
# Upload directory
# The directory where new uploaded files are stored
-# DEPRECATED: not used any more in Rudder UI.
+# DEPRECATED: not used any more in Rudder UI.
#
upload.root.directory=/var/rudder/files/
#
# The directory used to put uploaded files shared between
-# several nodes.
+# several nodes.
# A symlink from the file to the relevant node promise directory
# will be created on each node needing the file in place
# of copying it.
# DEPRECATED: not used anymore in Rudder UI
rudder.dir.uploaded.file.sharing=/var/rudder/files/
-#
-# Emergency stop
-# path to the script/binary that allows emergency orchestrator stop
-# DEPRECATED: feature no more available in Rudder UI.
-#
-bin.emergency.stop=/opt/rudder/bin/cfe-red-button.sh
-
#
# LDAP DIT configuration
#
-# You must not modify the following properties, used to
+# You must not modify the following properties, used to
# configure the internal structure of the LDAP Directory.
# DEPRECATED: Changing these values will result in a non-working Rudder server
#
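Review bot: The header comment for `rudder.relayd.reload` is garbled — `We have to way to identify nodes: by key of by certificated. When certificates,` — and should read `# We have two ways to identify nodes: by key or by certificate. When certificates are used,`. Because the value `/opt/rudder/bin/rudder relay reload -p` contains spaces and an option, the comment should also say how it is executed (split into arguments or handed to a shell), since that decides whether the path may contain spaces or shell metacharacters; the hunk does not show which. `rudder.jvm.fatal.exceptions=` gives no format for its list; presumably a comma-separated set of fully qualified class names, which the comment should state. `inconsistant` → `inconsistent`.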
diff --git a/vagrant.rb b/vagrant.rb
index 61db1b0..6fc7345 100644
--- a/vagrant.rb
+++ b/vagrant.rb
@@ -388,6 +388,7 @@ def configure(config, os, pf_name, pf_id, host_name, host_id,
server_config.vm.network :forwarded_port, guest: 5432, host: 15432
server_config.vm.synced_folder "/var/rudder/share", "/var/rudder/share", :create => true
+ server_config.vm.synced_folder "/var/rudder/inventories", "/var/rudder/inventories", :create => true, :owner => "root", :group => "root"
server_config.vm.synced_folder "/var/rudder/cfengine-community/inputs", "/var/rudder/cfengine-community/inputs", :create => true, :owner => "root", :group => "root"
end
server_config.vm.network :private_network, ip: ip