forked from Normation/rudder-packages
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rudder-upgrade
executable file
·666 lines (580 loc) · 38.4 KB
/
rudder-upgrade
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
#!/bin/bash
set -e
#####################################################################################
# Copyright 2012 Normation SAS
#####################################################################################
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, Version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
################################################################################
#####################################################################################
# Upgrade script for Rudder
#####################################################################################
# Currently this script doesn't discriminate on versions, it just always runs
# all the tests and tries to upgrade what it can. It may in the future.
#
# This is mostly OK, because adding unused properties to the
# /opt/rudder/etc/rudder-web.properties configuration file is harmless. However,
# moving the policy-templates library would break Rudder, if this upgrade script
# were run on a version before 2.3.2.
#
# Upgrade checks currently implemented:
# - 2.3.2: Move /var/rudder/policy-templates to /var/rudder/configuration-repository/techniques
# - 2.3.2: Create and git init the shared-files directory under the configuration-repository
# - 2.3.2: Add "rudder.dir.shared.files.folder" configuration parameter to rudder-web.properties
# - 2.4.0: Add "rudder.autoArchiveItems" configuration parameter to rudder-web.properties
# - 2.4.0: Add "rudder.autoDeployOnModification" configuration parameter to rudder-web.properties
# - 2.4.0: Add "ldap.inventories.removed.basedn" configuration parameter to rudder-web.properties
# - 2.4.0: Migration DB schema to add a column to the SQL database for group type (static/dynamic)
# - 2.4.0: Migration DB schema to add a column to the SQL database for technique human name
# - 2.4.0: Migration DB schema to rename many columns and tables for the new naming scheme (PT->Technique, etc)
# - 2.4.0: Migration LDAP schema to rename many columns and tables for the new naming scheme (PT->Technique, etc)
# - 2.4.0: Migration LDAP schema to add new entries about removed inventories
# - 2.4.0: Migration LDAP convert cpuSpeed attributes to valid integers
# - 2.4.0: Migration LDAP add and modify entries about root server
# - 2.4.0: Move /var/rudder/configuration-repository/{policy-templates -> techniques}
# - 2.4.0: Rename the properties
# rudder.dir.policyPackages to rudder.dir.techniques
# rudder.batch.ptlib.updateInterval to rudder.batch.techniqueLibrary.updateInterval
# rudder.ptlib.git.refs.path to rudder.techniqueLibrary.git.refs.path
# - All versions: upgrade system Techniques automatically and reload the Techniqe library
# - 2.4.0: Force upgrade of the rsyslog configuration, otherwise Rudder won't get any reports
# - 2.4.0 : Migration DB schema to change the indexes in the SQL database to improve performances
# - 2.4.0 : Migration of rudder users from 2.3 to 2.4 (add roles)
# - 2.4.0 : Migration of Rudder logs for ops
# - All versions: Check that Rudder database is able to handle backslash
# - All versions: Migration of PT 'Set the permissions of files'
# - 2.4.0 : Disable base.url attribute in rudder-web.properties
# - 2.4.0 : Update logback.xml in order to have information about name historization
# - 2.4.1 : Add the group serialization table (GroupsNodesJoin) to the database
# - 2.5.0 : Add the automatic reports cleaning properties
# - 2.5.0 : Migration DB schema to add table to the SQL database to store error report logger state
# - 2.5.0 : Add "rudder.batch.reports.logInterval" configuration parameter to rudder-web.properties
# - 2.5.0 : Migration DB schema to add gitcommit table, to link a git commit to a modification
# - 2.5.0 : Migration DB schema to add modificationid column to eventLog table
# - 2.5.0 : Update logback.xml in order to have information about non compliant reports
# - 2.6.0 : Migration LDAP : Add "All Nodes" Group
#####################################################################################
# Some variables
VAR_RUDDER="/var/rudder"
PT_DIR="${VAR_RUDDER}/configuration-repository/techniques"
RUDDER_SHARE=/opt/rudder/share
RUDDER_UPGRADE_TOOLS=${RUDDER_SHARE}/upgrade-tools
LDAP_EXISTS=$(/opt/rudder/sbin/slapcat 2>/dev/null | grep "rudder-configuration" | wc -l)
LDAP_CREDENTIALS=`grep -E "^ldap.(authdn|authpw)=" /opt/rudder/etc/rudder-web.properties | wc -l`
if [ -f /opt/rudder/etc/rudder-web.properties -a ${LDAP_CREDENTIALS} -eq 2 ]; then
LDAP_USER=$(grep -E "^ldap.authdn=" /opt/rudder/etc/rudder-web.properties |cut -d "=" -f 2-)
LDAP_PASSWORD=$(grep -E "^ldap.authpw=" /opt/rudder/etc/rudder-web.properties |cut -d "=" -f 2-)
else
echo "WARNING: LDAP properties are missing in /opt/rudder/etc/rudder-web.properties"
if [ -f /opt/rudder/etc/openldap/slapd.conf ]; then
LDAP_USER=$(grep "^rootdn" /opt/rudder/etc/openldap/slapd.conf | sed "s/\w*\s*['\"]\?\([^\"']*\)['\"]\?$/\1/")
LDAP_PASSWORD=$(grep "^rootpw" /opt/rudder/etc/openldap/slapd.conf | sed "s/\w*\s*['\"]\?\([^\"']*\)['\"]\?$/\1/")
else
echo "ERROR: /opt/rudder/etc/openldap/slapd.conf doesn't exist"
exit 1
fi
fi
GIT_BRANCH_IS_SET=`grep -E "^rudder.(ptlib|techniqueLibrary).git.refs.path=" /opt/rudder/etc/rudder-web.properties | wc -l`
if [ ${GIT_BRANCH_IS_SET} -eq 1 ]; then
GIT_BRANCH=$(grep -E "^rudder.(ptlib|techniqueLibrary).git.refs.path=" /opt/rudder/etc/rudder-web.properties |cut -d "=" -f 2- | sed "s@\(refs/heads/\)\?\(refs/tags/\)\?\(refs/remote/origin/\)\?\(.*\)@\4@")
else
echo "The rudder.ptlib.git.refs.path attribute in rudder-web.properties does not seem to be set"
echo "Using 'master' by default"
GIT_BRANCH="master"
fi
# Helper function
# Function to check if a property exists in a configuration file and add it if not
# Parameters:
# - $1 = property name
# - $2 = value to add
function check_and_add_config_property {
PROPERTY_NAME=$1
PROPERTY_VALUE=$2
ATTRIBUTESET=`grep "^${PROPERTY_NAME}[ \t]*=" /opt/rudder/etc/rudder-web.properties | wc -l`
if [ ${ATTRIBUTESET} -eq 0 ]; then
echo "${PROPERTY_VALUE}" >> /opt/rudder/etc/rudder-web.properties
echo "New configuration property ${PROPERTY_NAME} added to /opt/rudder/etc/rudder-web.properties"
fi
}
# Before doing anything on git, set the branch to the Technique Reference Library branch
if [ -d /var/rudder/policy-templates/.git ];then
cd /var/rudder/policy-templates/ && git checkout ${GIT_BRANCH}
fi
if [ -d /var/rudder/configuration-repository/.git ];then
cd /var/rudder/configuration-repository/ && git checkout ${GIT_BRANCH}
fi
# Migrate from 2.3.0 format policy-template store (/var/rudder/policy-templates)
# to /var/rudder/configuration-repository/policy-templates
if [ -d /var/rudder/policy-templates -a ! -d /var/rudder/configuration-repository ]; then
echo "***** WARNING *****"
echo "The policy template store for Rudder has changed. It will be"
echo "automatically moved from /var/rudder/policy-templates to"
echo "/var/rudder/configuration-repository/policy-templates."
cd /var/rudder/policy-templates && git add . && git add -u && git commit -am "Committing all pending policy template changes for automatic migration of the policy template store to /var/rudder/configuration-repository/policy-templates" || true
mkdir -p /var/rudder/configuration-repository
mv /var/rudder/policy-templates/.git /var/rudder/configuration-repository/
mv /var/rudder/policy-templates /var/rudder/configuration-repository/
cd /var/rudder/configuration-repository/ && git add -u
cd /var/rudder/configuration-repository/ && git add policy-templates/
cd /var/rudder/configuration-repository/ && git commit -m "Move policy-templates into configuration-repository directory"
sed -i 's%^rudder.dir.policyPackages *= */var/rudder/policy-templates/\?$%rudder.dir.policyPackages=/var/rudder/configuration-repository/policy-templates%' /opt/rudder/etc/rudder-web.properties
echo "rudder.dir.gitRoot=/var/rudder/configuration-repository" >> /opt/rudder/etc/rudder-web.properties
echo "Automatic migration to /var/rudder/configuration-repository/policy-templates done."
fi
# Check default folder for shared-files exists
if [ ! -d /var/rudder/configuration-repository/shared-files ]; then
echo "/var/rudder/configuration-repository/shared-files doesn't exist!"
mkdir -p /var/rudder/configuration-repository/shared-files
# If this folder doesn't contain files, git won't commit it
# To simplify usage, we want that the user can add files simply
# So when he will add files into shared-files they will appears in git status
# So we force git to add the folder
CONTENT=`ls /var/rudder/configuration-repository/shared-files/ | wc -l`
if [ ${CONTENT} -eq 0 ]; then
touch /var/rudder/configuration-repository/shared-files/.placeholder
# Check if git init has been made, if not rudder will do it so we don't have to
if [ -d /var/rudder/configuration-repository/.git ]; then
cd /var/rudder/configuration-repository/ && git add shared-files/
cd /var/rudder/configuration-repository/ && git commit -m "Add default shared-files directory" shared-files/
fi
fi
echo "/var/rudder/configuration-repository/shared-files created"
fi
# Check shared-files folder is set in rudder-web.properties (added in 2.3.2)
check_and_add_config_property rudder.dir.shared.files.folder "##
# Shared folder
#
# Directory of the extra files the rudder root server will serve to the managed nodes
# If left empty, no extra files will be served
rudder.dir.shared.files.folder=/var/rudder/configuration-repository/shared-files"
# Check for configuration property added in 2.4
check_and_add_config_property rudder.autoArchiveItems "#
# Boolean, defaults to true.
# If true, an archive of rules, groups,
# directives and active techniques is recorded
# to the rudder.dir.gitRoot directory specified above
# and a git commit is performed when any of these items is modified.
#
rudder.autoArchiveItems=true"
# Check for configuration property added in 2.4
check_and_add_config_property rudder.autoDeployOnModification "#
# If true, when a directive, rule,
# group, node ... is modified, promises will be automatically
# regenerated. If false, only a manual request for deployment
# will trigger a deployment.
rudder.autoDeployOnModification=true"
# Check for configuration property added in 2.4
check_and_add_config_property rudder.rest.allowNonAuthenticatedUser "#
# Boolean, defaults to true
# If true, REST API urls under /api/... won't require
# to be authenticated to be use.
# The rational to have default=true for that is that the
# authorization/authentication part for the REST API
# will be done by a third party software, like Apache
#
rudder.rest.allowNonAuthenticatedUser=true"
# Check for configuration property added in 2.4
check_and_add_config_property ldap.inventories.removed.basedn "#
# Inventories information on removed inventories
ldap.inventories.removed.basedn=ou=Removed Inventories, ou=Inventories, cn=rudder-configuration
"
# Check for configuration property added in 2.4
check_and_add_config_property rudder.ui.changeMessage.enabled "#
# If true, in UI Rudder will prompt the user for a reason of the change.
# The message displayed to the user is based on the variable
# rudder.ui.changeMessage.explanation
# Based on the value of rudder.ui.changeMessage.mandatory, the user input
# can be mandatory or not
#
rudder.ui.changeMessage.enabled=true
"
# Check for configuration property added in 2.4
check_and_add_config_property rudder.ui.changeMessage.mandatory "#
# Boolean, defaults false
# If true, the user input will be mandatory (non empty reason message)
#
rudder.ui.changeMessage.mandatory=false
"
# Check for configuration property added in 2.4
check_and_add_config_property rudder.ui.changeMessage.explanation "#
# Text, defaults Please enter a message explaining the reason for this change.
# This variable defines the content of the message prompted to the user
# when he does modifications
#
rudder.ui.changeMessage.explanation=Please enter a message explaining the reason for this change.
"
# Check for configuration property added in 2.4
check_and_add_config_property rudder.webdav.user "#
# Authentication information for the webdav server used to
# receive Inventory Reports from nodes
#
rudder.webdav.user=rudder
"
# Check for configuration property added in 2.4
check_and_add_config_property rudder.webdav.password "
rudder.webdav.password=rudder
"
# Check for configuration property added in 2.4
check_and_add_config_property history.inventories.enable "#
# whether to historize inventory version as LDIF file or not
history.inventories.enable=true
"
# Check for configuration property added in 2.4
check_and_add_config_property rudder.syslog.port "#
# The port used by the rsyslog server on the Rudder root server.
# Default port number is 514, but in some cases this may need to be changed.
# For example, on Ubuntu version >= 12.04 rsyslog runs as a non-root user,
# so using port 514 is not permitted, thus we must use a port higher than 1024.
# (see: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/789174)
#
rudder.syslog.port=514
"
# Check for configuration property added in 2.5
check_and_add_config_property rudder.batch.reports.logInterval "###############################
# Non compliant reports logger #################################################
###############################
# Rudder can log a line for each 5 minute period when configuration policy is
# not correctly applied (in error or repaired).
#
# Default path is /var/log/rudder/compliance/non-compliant-reports.log, and can
# be changed in /opt/rudder/etc/logback.xml.
#
# See online documentation for more details.
#
# This log is generated by a job that runs at a regular interval, by default
# every minute. You can specify this interval (in minutes) below.
# A negative or 0 value disables the job, and won't log any non-compliant reports.
#
rudder.batch.reports.logInterval=1
"
# Upgrade database schema from 2.3 to 2.4 if necessary - first part: group type (static/dynamic)
RES=$(su - postgres -c "psql -t -d rudder -c \"select count(attname) from pg_attribute where attrelid = (select oid from pg_class where relname = 'groups') and attname = 'groupstatus'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.3-2.4-groups-isDynamic.sql > /dev/null
fi
# Upgrade database schema from 2.3 to 2.4 if necessary - second part: technique human name
RES1=$(su - postgres -c "psql -t -d rudder -c \"select count(attname) from pg_attribute where attrelid = (select oid from pg_class where relname = 'policyinstances') and attname = 'policytemplatehumanname'\"")
RES2=$(su - postgres -c "psql -t -d rudder -c \"select count(attname) from pg_attribute where attrelid = (select oid from pg_class where relname = 'directives') and attname = 'techniquehumanname'\"")
if [ $RES1 -eq 0 -a $RES2 -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.3-2.4-PT-history.sql > /dev/null
fi
# Upgrade database schema from 2.3 to 2.4 if necessary - third part: rename many tables and columns to match the new naming scheme (PT->Technique, PI->Directive, CR->Rule)
RES=$(su - postgres -c "psql -t -d rudder -c \"select count(attname) from pg_attribute where attrelid = (select oid from pg_class where relname = 'ruddersysevents') and attname = 'directiveid'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.3-2.4-PI-PT-CR-names-changed.sql > /dev/null
fi
# Upgrade database schema from 2.3 to 2.4 if necessary - fourth part: change the indexes of the databases to improve performance (caution, it might be slow on large databases)
RES=$(su - postgres -c "psql -t -d rudder -c \"select count(oid) from pg_class where lower(relname) = 'component_idx'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.3-2.4-index.sql > /dev/null
fi
# Upgrade database schema from 2.3 to 2.4 if necessary - fifth part: Add the MigrationEventLog table (and MigrationEventLogId sequence) so that we can trace EventLog migration status
RES=$(su - postgres -c "psql -t -d rudder -c \"select count(oid) from pg_class where lower(relname) = 'migrationeventlog'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.3-2.4-add-MigrationEventLog-table.sql > /dev/null
fi
# Upgrade database schema from 2.3 to 2.4 if necessary - sixth part: Check the presence of the reason column in the Evenlog table
RES=$(su - postgres -c "psql -t -d rudder -c \"select count(attname) from pg_attribute where attrelid = (select oid from pg_class where relname = 'eventlog') and attname = 'reason'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.3-2.4-add-EventLog-reason-column.sql > /dev/null
fi
# Upgrade database schema from 2.3 to 2.4 if necessary - seventh part: Check the lowest fileFormat version in the eventLog and update the date if necessary
RES=$(su - postgres -c "psql -t -d rudder -c \"select count(*) from (select xpath('/entry/*[@fileFormat=1]',data) AS x from eventlog) as Y where array_upper(x, 1) > 0;\"")
RES2=$(su - postgres -c "psql -t -d rudder -c \"select count(*) from (select xpath('/entry/addPending',data) AS x from eventlog) as Y where array_upper(x, 1) > 0;\"")
if [ $RES -ne 0 ] || [ $RES2 -ne 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.3-2.4-set-migration-needed-flag-for-EventLog.sql > /dev/null
fi
# Do the same for the fileFormat version 3
RES=$(su - postgres -c "psql -t -d rudder -c \"select count(*) from (select xpath('/entry/*[@fileFormat=2]',data) AS x from eventlog) as Y where array_upper(x, 1) > 0;\"")
RES2=$(su - postgres -c "psql -t -d rudder -c \"select count(*) from (select xpath('/entry/addPending',data) AS x from eventlog) as Y where array_upper(x, 1) > 0;\"")
if [ $RES -ne 0 ] || [ $RES2 -ne 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.4-2.4-set-migration-needed-flag-for-EventLog.sql > /dev/null
fi
# Upgrade database schema from 2.3 to 2.4 if necessary - eighth part: Check if archive of the eventlog exists and create it if necessary
RES=$(su - postgres -c "psql -d rudder -t -c \"select count(1) from pg_class where relname = 'archivedruddersysevents'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.3-2.4-archive.sql > /dev/null
fi
# Upgrade database schema from 2.3 to 2.4 if necessary - nineth part: Check if the archive of the eventlog contains indexes, and if not create them
RES=$(su - postgres -c "psql -d rudder -t -c \"select count(1) from pg_class where relname = 'executiontimestamp_archived_idx'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.3-2.4-index-archive.sql > /dev/null
fi
# Upgrade database schema from 2.4 to 2.5 if necessary - first part : Check if the rudder properties table is present, and create it if needed.
RES=$(su - postgres -c "psql -t -d rudder -c \"select count(oid) from pg_class where lower(relname) = 'rudderproperties'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.4-2.5-last-error-report-id.sql > /dev/null
fi
# Upgrade database schema from 2.4 to 2.5 if necessary - second part : Check if the git commit table is present, and create it if needed.
RES=$(su - postgres -c "psql -t -d rudder -c \"select count(oid) from pg_class where lower(relname) = 'gitcommit'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.4-2.5-git-commit.sql > /dev/null
fi
# Upgrade database schema from 2.4 to 2.5 if necessary - third part : Check if the modificationId column is present in event log table, and create it if needed.
RES=$(su - postgres -c "psql -t -d rudder -c \"select count(attname) from pg_attribute where attrelid = (select oid from pg_class where relname = 'eventlog') and attname = 'modificationid'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.4-2.5-add-modification-id-to-EventLog.sql > /dev/null
fi
# Upgrade LDAP schema from 2.3 to 2.4 if necessary: On RPM-like systems, we must upgrade the slapd.conf file manually
RES=$(grep isActivated /opt/rudder/etc/openldap/slapd.conf | wc -l)
if [ $RES -ne 0 -a -e /opt/rudder/etc/openldap/slapd.conf.rpmnew ]; then
echo "***** WARNING *****"
echo "Forcing upgrade of /opt/rudder/etc/openldap/slapd.conf"
BACKUP_SUFFIX="bak.`date +%Y%m%d%H%M%S`"
cp -a /opt/rudder/etc/openldap/slapd.conf /opt/rudder/etc/openldap/slapd.conf.${BACKUP_SUFFIX}
mv /opt/rudder/etc/openldap/slapd.conf.rpmnew /opt/rudder/etc/openldap/slapd.conf
echo "A backup is available in /opt/rudder/etc/openldap/slapd.conf.${BACKUP_SUFFIX}"
fi
# Upgrade LDAP schema from 2.3 to 2.4 if necessary: Add new entries about removed inventories
LDAP_TEST_REMOVED_INVENTORIES=$(/opt/rudder/sbin/slapcat 2>/dev/null | grep "dn: ou=Removed Inventories,ou=Inventories,cn=rudder-configuration" | wc -l)
if [ ${LDAP_TEST_REMOVED_INVENTORIES} -ne 1 -a ${LDAP_EXISTS} -ne 0 ]; then
echo "***** ATTENTION *****"
echo "The Rudder OpenLDAP schema is not up to date."
echo "Updating..."
/opt/rudder/bin/ldapadd -x -D ${LDAP_USER} -w ${LDAP_PASSWORD} -H ldap://localhost -f ${RUDDER_UPGRADE_TOOLS}/rudder-upgrade-LDAP-schema-2.3-2.4-add-entries.ldif
echo "...done"
fi
# Upgrade LDAP : convert cpuSpeed attributes to valid integers ( introduced in 2.4.0~beta2 update )
LDAP_CPUSPEED_IS_NOT_INTEGER=$(/opt/rudder/bin/ldapsearch -H ldap://localhost -x -w ${LDAP_PASSWORD} -D "${LDAP_USER}" -b cn=rudder-configuration -LLL "(cpuSpeed=*)" cpuSpeed |grep -E "^cpuSpeed: [0-9]+\.[0-9]+$"|wc -l)
if [ ${LDAP_CPUSPEED_IS_NOT_INTEGER} -ne 0 ]; then
/opt/rudder/bin/ldapsearch -H ldap://localhost -x -w ${LDAP_PASSWORD} -D ${LDAP_USER} -b cn=rudder-configuration -LLL "(cpuSpeed=*)" cpuSpeed| \
sed "s%\(cpuSpeed:.*\)%changetype: modify\nreplace: cpuSpeed\n\1%"| \
sed "s%cpuSpeed: \(.*\)\..*%cpuSpeed: \1%g"| \
/opt/rudder/bin/ldapmodify -H ldap://localhost -x -w ${LDAP_PASSWORD} -D ${LDAP_USER} >/dev/null 2>&1
echo "Some cpuSpeed attributes were converted to integers"
fi
## Change attribute from dn:ruleId=inventory-all,ou=Rules,ou=Rudder,cn=rudder-configuration
## Check if ruleTarget attribute contains all nodes or all execpt policy server and LDAP is setting up
CHECK_INVENTORY_TARGET=`/opt/rudder/bin/ldapsearch -H ldap://localhost -x -w ${LDAP_PASSWORD} -D ${LDAP_USER} -b "ruleId=inventory-all,ou=Rules,ou=Rudder,cn=rudder-configuration" -LLL "(ruleTarget=*)" | grep "^ruleTarget: special:all$" | wc -l`
if [ ${LDAP_EXISTS} -ne 0 -a ${CHECK_INVENTORY_TARGET} -ne 1 ]
then
echo "Change ruleTarget in dn:ruleId=inventory-all,ou=Rules,ou=Rudder,cn=rudder-configuration LDAP entry"
/opt/rudder/bin/ldapmodify -x -D ${LDAP_USER} -w ${LDAP_PASSWORD} -H ldap://localhost << EOF
dn: ruleId=inventory-all,ou=Rules,ou=Rudder,cn=rudder-configuration
changetype: modify
replace: ruleTarget
ruleTarget: special:all
EOF
fi
## Add group "All-Nodes"
## Check if the group "All-Nodes" exists
CHECK_ALLNODES_GROUP=`/opt/rudder/bin/ldapsearch -H ldap://localhost -x -w ${LDAP_PASSWORD} -D ${LDAP_USER} -b "groupCategoryId=GroupRoot,ou=Rudder,cn=rudder-configuration" -LLL "(nodeGroupId=All-Nodes)" | wc -l`
if [ ${LDAP_EXISTS} -ne 0 -a ${CHECK_ALLNODES_GROUP} -eq 0 ]
then
echo "Create node group \"All-Nodes\" dn:nodeGroupId=All-Nodes,groupCategoryId=GroupRoot,ou=Rudder,cn=rudder-configuration"
/opt/rudder/bin/ldapmodify -x -D ${LDAP_USER} -w ${LDAP_PASSWORD} -H ldap://localhost -f ${RUDDER_UPGRADE_TOOLS}/ldapMigration-2.5-2.6-Add-all-Nodes-Group.ldif
fi
# Migrate from old policy-template store in /var/rudder/configuration-repository/policy-templates
# to 2.4.0 in /var/rudder/configuration-repository/techniques
if [ -d /var/rudder/configuration-repository/policy-templates -a ! -d /var/rudder/configuration-repository/techniques ]; then
echo "***** ATTENTION *****"
echo "The policy template store for Rudder has been renamed. It will be"
echo "automatically moved from /var/rudder/configuration-repository/policy-templates to"
echo "/var/rudder/configuration-repository/techniques."
echo "Techniques are the new name for policy templates as of Rudder 2.4.0."
cd /var/rudder/configuration-repository/ && git commit -am "Committing all pending changes for automatic migration of the policy template store to /var/rudder/configuration-repository/techniques" || true
cd /var/rudder/configuration-repository/ && git mv /var/rudder/configuration-repository/policy-templates /var/rudder/configuration-repository/techniques > /dev/null
sed -i 's%^rudder.dir.policyPackages *= */var/rudder/configuration-repository/policy-templates/\?$%rudder.dir.policyPackages=/var/rudder/configuration-repository/techniques%' /opt/rudder/etc/rudder-web.properties
fi
if [ -d /var/rudder/configuration-repository/policy-templates ]; then
echo "WARNING: You have both /var/rudder/configuration-repository/policy-templates (obsolete) and /var/rudder/configuration-repository/techniques (new) folders"
fi
## Check that no policy.xml files are present
if [ -d /var/rudder/configuration-repository/techniques ]; then
PT_EXISTS=`find /var/rudder/configuration-repository/techniques -name policy.xml | wc -l`
if [ ${PT_EXISTS} -gt 0 ]; then
# Rename policy.xml files to metadata.xml and edit their content for renaming
find /var/rudder/configuration-repository/techniques -name policy.xml | while read oldfile
do
cd $(dirname "${oldfile}")
# Check that the files are already tracked by git
GIT_TRACKED=`git ls-files | grep "policy.xml" | wc -l`
if [ ${GIT_TRACKED} -eq 1 ]; then
## Rename the policy.xml to metadata.xml
git mv policy.xml metadata.xml > /dev/null
else
mv policy.xml metadata.xml
fi
# Edit metadata.xml to rename POLICY tag to TECHNIQUE
# Note for people reading the regex: look for <POLICY or </POLICY
sed -i "s%<\(/\)\?POLICY%<\1TECHNIQUE%" metadata.xml
# Try to add with git only tracked files
if [ ${GIT_TRACKED} -eq 1 ]; then git add metadata.xml > /dev/null; fi
done
# Commit all the lovely changes
cd /var/rudder/configuration-repository/ && git commit -m "Rename directory for policy-templates to techniques, rename policy.xml to metadata.xml and change names in metadata.xml" > /dev/null
echo "Automatic migration to /var/rudder/configuration-repository/techniques done."
fi
fi
# 2.4.0~alpha6: Rename the configuration-rules directory
# Note: this only applies to versions between 2.4.0~alpha1 and 2.4.0~alpha5
if [ -d /var/rudder/configuration-repository/configuration-rules -a ! -d /var/rudder/configuration-repository/rules ]; then
cd /var/rudder/configuration-repository/ && git commit -am "Committing all pending changes for automatic migration of the configuration-rules store to /var/rudder/configuration-repository/rules" || true
cd /var/rudder/configuration-repository/ && git mv /var/rudder/configuration-repository/configuration-rules /var/rudder/configuration-repository/rules > /dev/null
cd /var/rudder/configuration-repository/ && git commit -m "Rename directory for configuration-rules to rules" > /dev/null
fi
# 2.4.0~alpha6: Rename the policy-library directory and contents of some of the files
# Note: this only applies to versions between 2.4.0~alpha1 and 2.4.0~alpha5
if [ -d /var/rudder/configuration-repository/policy-library -a ! -d /var/rudder/configuration-repository/directives ]; then
cd /var/rudder/configuration-repository/ && git commit -am "Committing all pending changes for automatic migration of the policy-library store to /var/rudder/configuration-repository/directives" || true
cd /var/rudder/configuration-repository/ && git mv /var/rudder/configuration-repository/policy-library /var/rudder/configuration-repository/directives > /dev/null
# Rename userPolicyTemplateSettings.xml files to activeTechniqueSettings.xml and edit their content for renaming
find /var/rudder/configuration-repository/directives -name userPolicyTemplateSettings.xml | while read oldfile
do
cd $(dirname "${oldfile}")
# Rename the file
git mv userPolicyTemplateSettings.xml activeTechniqueSettings.xml
# Edit the file
sed -i "s%<\(/\)\?policyLibraryTemplate%<\1activeTechnique%" activeTechniqueSettings.xml
sed -i "s%<activeTechnique \+fileFormat=\"1.0\"%<activeTechnique fileFormat=\"2.0\"%" activeTechniqueSettings.xml
sed -i "s%<\(/\)\?policyTemplateName%<\1techniqueName%" activeTechniqueSettings.xml
git add activeTechniqueSettings.xml > /dev/null
done
cd /var/rudder/configuration-repository/ && git commit -m "Rename directory for policy-library to directives, rename userPolicyTemplateSettings.xml files to activeTechniqueSettings.xml and change some tags in activeTechniqueSettings.xml" > /dev/null
fi
# 2.4.0: Rename the properties that have changed in 2.4
sed -i 's/^rudder.dir.policyPackages *=/rudder.dir.techniques=/' /opt/rudder/etc/rudder-web.properties
sed -i 's/^rudder.batch.ptlib.updateInterval *=/rudder.batch.techniqueLibrary.updateInterval=/' /opt/rudder/etc/rudder-web.properties
sed -i 's/^rudder.ptlib.git.refs.path *=/rudder.techniqueLibrary.git.refs.path=/' /opt/rudder/etc/rudder-web.properties
# Upgrade system Techniques - always do this!
SRCTECHDIR=/opt/rudder/share/techniques/system/
TRGTECHDIR=/var/rudder/configuration-repository/techniques/system/
if [ -d ${SRCTECHDIR} -a -d ${TRGTECHDIR} ]; then
if ! diff -Naur /opt/rudder/share/techniques/system/ /var/rudder/configuration-repository/techniques/system/ > /dev/null; then
rsync --delete -rptgoq /opt/rudder/share/techniques/system/ /var/rudder/configuration-repository/techniques/system/
cd /var/rudder/configuration-repository/techniques/ && git add -A system/ && git commit -m "Upgrade system Techniques - automatically done by rudder-upgrade script"
# Check that the application is up before to call a Technique Library reload
CHECK_WEBAPP=`curl -s http://localhost/rudder/api/status`
if [ "z${CHECK_WEBAPP}" == "zOK" ]; then
echo "Reloading the Technique library... " && curl -s http://localhost/rudder/api/techniqueLibrary/reload && echo ""
else
echo "Rudder application is down, it might be reloading. Deferring restart."
fi
fi
fi
# 2.4.0: force upgrade of the rsyslog configuration for rudder
if [ -d ${TRGTECHDIR} ];then
mkdir -p /var/rudder/cfengine-community/inputs/distributePolicy/rsyslog.conf
cp -a /var/rudder/configuration-repository/techniques/system/distributePolicy/1.0/rudder.st /var/rudder/cfengine-community/inputs/distributePolicy/rsyslog.conf/rudder.conf
fi
# 2.4.0 : Migration of rudder users from 2.3 to 2.4 (add roles)
# Check if rudder-users.xml is from a Rudder 2.4 installation, a
# Rudder 2.3 migration or need to be migrated.
if [ -f /opt/rudder/etc/rudder-users.xml ]; then
NEWUSERS=`grep "<\!-- This file was originally made from Rudder 2.4 or later -->" /opt/rudder/etc/rudder-users.xml | wc -l`
MIGRATEDUSERS=`grep "<\!-- This file was migrated from 2.3 to 2.4 by adding the admin role to all users. Do not delete this line or it will happen again\! -->" /opt/rudder/etc/rudder-users.xml | wc -l`
if [ ${NEWUSERS} -eq 1 -o ${MIGRATEDUSERS} -eq 1 ]; then
echo "/opt/rudder/etc/rudder-users.xml is conform"
else
echo "/opt/rudder/etc/rudder-users.xml need to be migrated"
sed -i "/role=\".*\"/! s/\(^\s*<user name=\".*\"\s\+password=\".*\"\s\?\)\s*\(.*\/>\)$/\1 role=\"administrator\" \2/" /opt/rudder/etc/rudder-users.xml
echo >> /opt/rudder/etc/rudder-users.xml '<!-- This file was migrated from 2.3 to 2.4 by adding the admin role to all users. Do not delete this line or it will happen again! -->'
echo "/opt/rudder/etc/rudder-users.xml has been modified and is now conform"
fi
fi
# 2.4.0 : Migration of Rudder logs for ops
OLD_LOG_PATH="/var/log/rudder/webapp-opslog"
NEW_LOG_PATH="/var/log/rudder/core"
NEW_LOG_SET=`grep "${NEW_LOG_PATH}" /opt/rudder/etc/logback.xml | wc -l`
REGEXP_NEW_LOG_SET="s@^(\s*<property\s+name=\\\"OPSLOG_DIR\\\"\s+value=\\\").*(\\\"\s*\/>)@\1${NEW_LOG_PATH}\2@"
## Check if old log still exist . If so move it to the new path.
if [ -d ${OLD_LOG_PATH} ]; then
if [ ${NEW_LOG_SET} -eq 0 ]; then
## Set OPSLOG_DIR to /var/log/rudder/core
sed -r ${REGEXP_NEW_LOG_SET} -i /opt/rudder/etc/logback.xml
fi
## Check if new log already exist
if [ ! -d ${NEW_LOG_PATH} ];then
## Set OPSLOG_DIR to the new log path in logback.xml
mkdir -p ${NEW_LOG_PATH}
fi
ls -1 ${OLD_LOG_PATH} | xargs -I SRCFILES mv ${OLD_LOG_PATH}/SRCFILES ${NEW_LOG_PATH}/SRCFILES-migrated
rmdir ${OLD_LOG_PATH}
fi
# All versions: Check that Rudder database is able to handle backslash
CHECK_BACKSLASH=$(su - postgres -c "psql -t -d rudder -c \"select '\\foo';\"" 2> /dev/null | grep "foo" | wc -l)
if [ ${CHECK_BACKSLASH} -ne 1 ]; then
echo "Rudder database is not backslash compliant, then a modification will be made."
su - postgres -c "psql -t -d rudder -c \"alter database rudder set standard_conforming_strings=true;\""
echo "Done. PostgreSQL and Rudder will be restarted"
/etc/init.d/postgresql restart
/etc/init.d/jetty restart
fi
# All versions: Migration of PT 'Set the permissions of files' (Ensure that all actions below won't happen if migration has already made)
if [ ! -f ${PT_DIR}/fileConfiguration/fileSecurity/filesPermissions/1.0/metadata.xml -a -f ${PT_DIR}/fileConfiguration/security/filesPermissions/1.0/metadata.xml ]; then
## Commit all modifications before migration
cd ${PT_DIR} && git add . && git add -u && git commit -am "Committing all pending policy template changes for automatic migration of the policy template from ${PT_DIR}/fileConfiguration/security/ to ${PT_DIR}/fileConfiguration/fileSecurity/" || true
## Create right folder if it doesn't exist
if [ ! -d ${PT_DIR}/fileConfiguration/fileSecurity/ ]; then
mkdir -p "${PT_DIR}/fileConfiguration/fileSecurity"
echo "${PT_DIR}/fileConfiguration/fileSecurity has been created"
else
echo "${PT_DIR}/fileConfiguration/fileSecurity already exists"
fi
if [ -d ${PT_DIR}/fileConfiguration/security/ ]; then
## Check that filePermissions.st located in fileConfiguration/security/ is not duplicated and in the right folder
if [ -d ${PT_DIR}/fileConfiguration/security/filesPermissions/ ]; then
echo "The Policy Template 'Set the permissions of files' is not correctly located"
cd ${PT_DIR} && git mv fileConfiguration/security/* fileConfiguration/fileSecurity/
cd ${PT_DIR} && git commit -m "Correct Policy Template 'Set the permissions of files' location"
echo "The location of the Policy Template 'Set the permissions of files' is now correct"
fi
## Remove the folder which should contain no more files or folder
rm -rf ${PT_DIR}/fileConfiguration/security/ # Not using git since it can't manage folder without file
echo "${PT_DIR}/fileConfiguration/security/ has been removed"
fi
fi
# - 2.4.0 : Disable base.url attribute in rudder-web.properties
CHECK_BASEURL_ATTR=`grep "^\s*base.url" /opt/rudder/etc/rudder-web.properties | wc -l`
if [ ${CHECK_BASEURL_ATTR} -ge 1 ]; then
echo "Disabling base.url attribute in rudder-web.properties as it is no more used in Rudder 2.4"
sed -i "s@^\s*\(base\.url\s*=\s*.*\)\s*@#\1\t#This attribute has been disabled in Rudder 2.4@" /opt/rudder/etc/rudder-web.properties
echo "base.url attribute has been disabled"
fi
# - 2.4.0 : Update logback.xml in order to have information about name historization
if ! cat /opt/rudder/etc/logback.xml | perl -p0e 's/\n//g' | perl -p0e 's/<!--.(?:(?!-->).)*-->//g' | perl -p0e 's/> *</></g' | grep '<logger name="historization" level="info" additivity="false"><appender-ref ref="OPSLOG" /><appender-ref ref="STDOUT" /></logger>' > /dev/null
then
sed -i 's%^ *</configuration>% <logger name="historization" level="info" additivity="false">\n <appender-ref ref="OPSLOG" />\n <!-- comment the following appender if you dont want to have logs about report in both stdout and opslog -->\n <appender-ref ref="STDOUT" />\n </logger>\n </configuration>%' /opt/rudder/etc/logback.xml
fi
# - 2.5.0 : Update logback.xml in order to have information about non compliant reports
if ! cat /opt/rudder/etc/logback.xml | perl -p0e 's/\n//g' | perl -p0e 's/<!--.(?:(?!-->).)*-->//g' | perl -p0e 's/> *</></g' | grep -E '<property name="REPORT_DIR" value="[^"]+" />' > /dev/null
then
sed -i 's%^ *</configuration>% <!-- Here come non compliant reports logger -->\n\n <property name="REPORT_DIR" value="/var/log/rudder/compliance" />\n\n <!--\n A file log appender for exploitation logs about failure reports.\n -->\n <appender name="REPORTLOG" class="ch.qos.logback.core.FileAppender">\n <file>${REPORT_DIR}/non-compliant-reports.log</file>\n <append>true</append>\n <encoder>\n <pattern>\%msg\%n</pattern>\n </encoder>\n </appender>\n\n <logger name="non-compliant-reports" level="info" additivity="false">\n <appender-ref ref="REPORTLOG" />\n <!-- comment the following appender if you dont want to have logs about non compliant reports in both stdout and reportlog -->\n <appender-ref ref="STDOUT" />\n </logger>\n\n</configuration>%' /opt/rudder/etc/logback.xml
fi
# - 2.4.1 : Add the group serialization table (GroupsNodesJoin) to the database
RES=$(su - postgres -c "psql -d rudder -t -c \"select count(1) from pg_class where relname = 'groupsnodesjoin'\"")
if [ $RES -eq 0 ]; then
psql -q -U rudder -h localhost -d rudder -f ${RUDDER_UPGRADE_TOOLS}/dbMigration-2.4-2.5-group-serialisation.sql > /dev/null
fi
# - 2.5.0 : Add the automatic reports cleaning properties
# Check for configuration property added in 2.5
check_and_add_config_property rudder.batch.reportscleaner.archive.TTL "###########################
# Automatic reports cleaning ###########################################################
###########################
# Defaults: archive after 30 days, delete after 90 days.
rudder.batch.reportscleaner.archive.TTL=30
rudder.batch.reportscleaner.delete.TTL=90
# Default frequency: daily
rudder.batch.reportscleaner.frequency=daily
# Values : [0-59]
# Default : 0
rudder.batch.databasecleaner.runtime.minute=0
# Values : [0-23]
# Default : 0
rudder.batch.databasecleaner.runtime.hour=0
# Values : monday | tuesday | wednesday | thursday | friday | saturday | sunday
# Default : sunday
rudder.batch.databasecleaner.runtime.day=sunday"
# For every upgrade, we force the root server to run a new inventory on the next CFEngine run
touch /opt/rudder/etc/force_inventory