
Revision e8158dc4

Added by Nicolas CHARLES about 12 years ago

Refs #2337 : rename in the documentation the pt/pi/cr

View differences:

00_introduction/12_configuration_management.txt
====
include::../glossary/policy-template.txt[]
include::../glossary/technique.txt[]
include::../glossary/policy-instance.txt[]
include::../glossary/directive.txt[]
include::../glossary/configuration-rule.txt[]
include::../glossary/rule.txt[]
include::../glossary/applied-policy.txt[]
====
As illustrated in this summary diagram, the configuration rules are linking the
As illustrated in this summary diagram, the rules are linking the
functions of inventory management and configuration management.
["graphviz", "concepts.png"]
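Review bot: the sentence directly above the ["graphviz", "concepts.png"] block is renamed to "the rules are linking", but the diagram source itself is not touched in this change, so the rendered concepts.png will keep showing the old Policy Template / Policy Instance / Configuration Rule labels next to renamed prose; update the graphviz node labels in the same commit. Also, the three old glossary includes (policy-template.txt, policy-instance.txt, configuration-rule.txt) are interleaved with the three new ones (technique.txt, directive.txt, rule.txt) in this block; make sure only the new three survive, since the old glossary files are removed further down in this diff.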
00_introduction/21_architecture_nodes.txt
It is possible to use Rudder on other platforms than the ones listed here.
However, we haven't tested the application on them, and can't currently supply
any packages for them. Moreover, the Policy Templates are likely to fail. If you
any packages for them. Moreover, the Techniques are likely to fail. If you
wish to try Rudder on other systems, please contact us.
====
00_introduction/22_architecture_root_server.txt
application server. It depends on a compatible Java Runtime Environment. It can
be either 'Oracle Java JRE' or 'OpenJDK 7 JRE'.
+rudder-policy-templates+::
+rudder-techniquess+::
Package for the Policy Templates. They are installed in
+/opt/rudder/share/policy-templates+. At runtime, the Policy Templates are
Package for the Techniques. They are installed in
+/opt/rudder/configuration-repository/techniques+. At runtime, the Techniques are
copied into a 'git' repository in +/var/rudder+. Therefore, the package depends
on the +git+ package.
......
The package is not a dependency, but its installation is recommended. The
running Policy Templates Library is maintained as a git repository in
+/var/rudder/policy-templates+. It can be useful to have git installed on the
+/var/rudder/configuration-repository/techniques+. It can be useful to have git installed on the
system for maintenance purpose.
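Review bot: the new package label +rudder-techniquess+:: has a doubled "s" (presumably +rudder-techniques+). The paths in this file also disagree with each other: the package paragraph now says the Techniques are installed in +/opt/rudder/configuration-repository/techniques+ and are then "copied into a 'git' repository in +/var/rudder+", while the git paragraph below says the running library lives in +/var/rudder/configuration-repository/techniques+. Before this change the package installed to +/opt/rudder/share/policy-templates+ and the git working copy lived under +/var/rudder+, so either the package path should become something under +/opt/rudder/share/+ (whatever the package really ships) or the "copied into a git repository" sentence needs rewording; as written, the reader cannot tell which directory is the package payload and which is the live git repository.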
00_introduction/30_architecture_network.txt
====
include::../glossary/big-red-button.txt[]
// include::../glossary/big-red-button.txt[]
include::../glossary/cfengine-nova.txt[]
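Review bot: commenting out the big-red-button.txt include is unrelated to the pt/pi/cr rename and leaves a dead include line plus an orphaned glossary/big-red-button.txt file; either drop both in a separate commit or keep the include active.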
10_install_server/20_installed_files.txt
+/var/rudder/cfengine-community+:: Data for CFEngine Community are stored here.
+/var/rudder/policy-templates+:: Policy Templates are stored here.
+/var/rudder/configuration-repository/techniques+:: Policy Templates are stored here.
+/var/cfengine+:: Data for CFEngine Nova are stored here.
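Review bot: the path on the +/var/rudder/configuration-repository/techniques+ line was renamed but its description still reads "Policy Templates are stored here."; change it to "Techniques are stored here." to match the rest of the rename.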
20_usage/10_web_interface.txt
==== Configuration Management
In the Configuration Management section, you can select the Policy Templates,
configure the Policy Instances and manage the Configuration Rules.
In the Configuration Management section, you can select the Techniques,
configure the Directives and manage the Rules.
.Configuration Management menu
22_configuration_management/31_policy_templates.txt
=== Policy Templates
==== Concepts
A Policy Template defines a set of operations and configurations to reach the
desired behaviour. This includes the initial set-up, but also a regular check on
the parameters, and automatic repairs (when possible).
All the Policy Templates are built with the possibility to change only part of a
service configuration: each parameter may be either active, either set on the
"Don't change" value, that will let the default values or in place. This allows
for a progressive deployment of the configuration management.
Finally, the Policy Templates will generate a set of reports which are sent to
the Rudder Root Server, which will let you analyse the percentage of compliance
of your policies, and soon, detailed reports on their application.
==== Manage the Policy Templates
The Policy Templates shipped with Rudder are presented in a library that you can
reorganize in *Administration > Policy Template Library Management*. The library
is organized in two parts: the available Policy Templates, and the selection
made by the user.
include::../glossary/reference-policy-template-library.txt[]
include::../glossary/user-policy-template-library.txt[]
[TIP]
====
The current version of Rudder has only an handful of *Policy Templates*. We are
aware that it considerably limits the use of the application, but we choose to
hold back other Policy Templates that did not, from our point of view, have the
sufficient quality. In the future, there will be some upgrades including more
Policy Templates.
====
[WARNING]
====
The creation of new Policy Templates is not covered by the Web interface. This
is an advanced task which is currently not covered by this guide.
====
==== Available Policy Templates
22_configuration_management/31_techniques.txt
=== Techniques
==== Concepts
A Technique defines a set of operations and configurations to reach the
desired behaviour. This includes the initial set-up, but also a regular check on
the parameters, and automatic repairs (when possible).
All the Techniques are built with the possibility to change only part of a
service configuration: each parameter may be either active, either set on the
"Don't change" value, that will let the default values or in place. This allows
for a progressive deployment of the configuration management.
Finally, the Techniques will generate a set of reports which are sent to
the Rudder Root Server, which will let you analyse the percentage of compliance
of your policies, and soon, detailed reports on their application.
==== Manage the Techniquess
The Techniques shipped with Rudder are presented in a library that you can
reorganize in *Configuration > Techniques*. The library
is organized in two parts: the available Techniques, and the selection
made by the user.
include::../glossary/technique-library.txt[]
include::../glossary/active-techniques.txt[]
[TIP]
====
The current version of Rudder has only an handful of *Techniques*. We are
aware that it considerably limits the use of the application, but we choose to
hold back other Techniques that did not, from our point of view, have the
sufficient quality. In the future, there will be some upgrades including more
Techniques.
====
[WARNING]
====
The creation of new Techniques is not covered by the Web interface. This
is an advanced task which is currently not covered by this guide.
====
==== Available Techniques
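Review bot: the heading "==== Manage the Techniquess" has a doubled "s". Since 31_techniques.txt is a fresh copy of 31_policy_templates.txt, this is also the moment to fix the grammar that was copied over unchanged: "only an handful" should be "only a handful", and "each parameter may be either active, either set on the "Don't change" value, that will let the default values or in place" should read something like "each parameter is either active or set to the "Don't change" value, which leaves the current value in place". The menu path also changed from *Administration > Policy Template Library Management* to *Configuration > Techniques*; confirm that this matches the web interface of the release the guide documents.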
22_configuration_management/32_list_of_policy_templates.txt
// FIXME: this list should be generated from PT source code see
// https://redmine.normation.com/issues/1621 when it is done, uncomment following
// line and delete uneeded paragraphs: include::../temp/available_pt.txt
===== Application management
Apache 2 HTTP server:: This Policy Template will configure the Apache HTTP
server and ensure it is running. It will ensure the "apache2" package is
installed (via the appropriate packaging tool for each OS), ensure the service
is running and start it if not and ensure the service is configured to run on
initial system startup. Configuration will create a rudder vhost file.
APT package manager configuration:: Configure the apt-get and aptitude tools on
GNU/Linux Debian and Ubuntu, especially the source repositories.
OpenVPN client:: This Policy Template will configure the OpenVPN client service
and ensure it is running. It will ensure the "openvpn" package is installed (via
the appropriate packaging tool for each OS), ensure the service is running and
start it if not and ensure the service is configured to run on initial system
startup. Configuration will create a rudder.conf file. As of this version, only
the PSK peer identification method is supported, please use the "Download File"
Policy Template to distribute the secret key.
Package management for Debian / Ubuntu / APT based systems:: Install, update or
delete packages, automatically and consistently on GNU/Linux Debian and Ubuntu.
Package management for RHEL / CentOS / RPM based systems:: Install, update or
delete packages, automatically and consistently on GNU/Linux CentOS and RedHat.
===== Distributing files
Copy a file:: Copy a file on the machine
Distribute ssh keys:: Distribute ssh keys on servers
Download a file:: Download a file for a standard URL (HTTP/FTP), and set
permissions on the downloaded file.
===== File state configuration
Set the permissions of files:: Set the permissions of files
===== System settings: Miscellaneous
Time settings:: Set up the time zone, the NTP server, and the frequency of time
synchronisation to the hardware clock. Also ensures that the NTP service is
installed and started.
===== System settings: Networking
Hosts settings:: Configure the contents of the hosts filed on any operating
system (Linux and Windows).
IPv4 routing management:: Control IPv4 routing on any system (Linux and
Windows), with four possible actions: add, delete (changes will be made), check
presence or check absence (a warning may be returned, but no changes will be
made) for a given route.
Name resolution:: Set up the IP address of the DNS server name, and the default
search domain.
NFS Server:: Configure a NFS server
===== System settings: Process
Process Management:: Enforce defined parameters on system processes
===== System settings: Remote access
OpenSSH server:: Install and set up the SSH service on Linux nodes. Many
parameters are available.
===== System settings: User management
Group management:: This Policy Template manages the target host(s) groups. It
will ensure that the defined groups are present on the system.
Sudo utility configuration:: This Policy Template configures the sudo utility.
It will ensure that the defined rights for given users and groups are correctly
defined.
User management:: Control users on any system (Linux and Windows), including
passwords, with four possible actions: add, delete (changes will be made), check
presence or check absence (a warning may be returned, but no changes will be
made) for a given user.
22_configuration_management/32_list_of_techniques.txt
// FIXME: this list should be generated from PT source code see
// https://redmine.normation.com/issues/1621 when it is done, uncomment following
// line and delete uneeded paragraphs: include::../temp/available_pt.txt
===== Application management
Apache 2 HTTP server:: This Policy Template will configure the Apache HTTP
server and ensure it is running. It will ensure the "apache2" package is
installed (via the appropriate packaging tool for each OS), ensure the service
is running and start it if not and ensure the service is configured to run on
initial system startup. Configuration will create a rudder vhost file.
APT package manager configuration:: Configure the apt-get and aptitude tools on
GNU/Linux Debian and Ubuntu, especially the source repositories.
OpenVPN client:: This Policy Template will configure the OpenVPN client service
and ensure it is running. It will ensure the "openvpn" package is installed (via
the appropriate packaging tool for each OS), ensure the service is running and
start it if not and ensure the service is configured to run on initial system
startup. Configuration will create a rudder.conf file. As of this version, only
the PSK peer identification method is supported, please use the "Download File"
Policy Template to distribute the secret key.
Package management for Debian / Ubuntu / APT based systems:: Install, update or
delete packages, automatically and consistently on GNU/Linux Debian and Ubuntu.
Package management for RHEL / CentOS / RPM based systems:: Install, update or
delete packages, automatically and consistently on GNU/Linux CentOS and RedHat.
===== Distributing files
Copy a file:: Copy a file on the machine
Distribute ssh keys:: Distribute ssh keys on servers
Download a file:: Download a file for a standard URL (HTTP/FTP), and set
permissions on the downloaded file.
===== File state configuration
Set the permissions of files:: Set the permissions of files
===== System settings: Miscellaneous
Time settings:: Set up the time zone, the NTP server, and the frequency of time
synchronisation to the hardware clock. Also ensures that the NTP service is
installed and started.
===== System settings: Networking
Hosts settings:: Configure the contents of the hosts filed on any operating
system (Linux and Windows).
IPv4 routing management:: Control IPv4 routing on any system (Linux and
Windows), with four possible actions: add, delete (changes will be made), check
presence or check absence (a warning may be returned, but no changes will be
made) for a given route.
Name resolution:: Set up the IP address of the DNS server name, and the default
search domain.
NFS Server:: Configure a NFS server
===== System settings: Process
Process Management:: Enforce defined parameters on system processes
===== System settings: Remote access
OpenSSH server:: Install and set up the SSH service on Linux nodes. Many
parameters are available.
===== System settings: User management
Group management:: This Policy Template manages the target host(s) groups. It
will ensure that the defined groups are present on the system.
Sudo utility configuration:: This Policy Template configures the sudo utility.
It will ensure that the defined rights for given users and groups are correctly
defined.
User management:: Control users on any system (Linux and Windows), including
passwords, with four possible actions: add, delete (changes will be made), check
presence or check absence (a warning may be returned, but no changes will be
made) for a given user.
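Review bot: the rename is incomplete inside the new 32_list_of_techniques.txt: "This Policy Template will configure the Apache HTTP server", "This Policy Template will configure the OpenVPN client service", "please use the "Download File" Policy Template", "This Policy Template manages the target host(s) groups" and "This Policy Template configures the sudo utility" all still say Policy Template, and the FIXME comment still refers to "PT source code" and available_pt.txt. Two smaller fixes while the text is open: "hosts filed" should be "hosts file", and "Download a file for a standard URL" should be "from a standard URL". One caveat worth documenting next to the OpenVPN entry: the "Download a file" Technique it recommends for distributing the PSK fetches over HTTP/FTP, so unless the URL is an HTTPS endpoint on a trusted server the pre-shared key crosses the network in cleartext; the text should say so, and should point out that the permission option of that Technique must be used so the downloaded key is readable by root only.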
22_configuration_management/33_directives.txt
=== Directives
Once you have selected and organized your Techniques, you can create your
configurations in the *Configuration Management > Directives* section.
include::../glossary/directive.txt[]
The screen is divided in three parts:
- on the left, your list of Techniques and Directives,
- on the right the description of the selected Technique or Directive.
- at the bottom, the configuration items of the selected Directive.
Click on the name of a Technique to show its description.
Click on the name of a Directive to see the Directive Summary containing the
description of the Technique its derived from, and the configuration items
of the Directive.
.Create a Directive for Name resolution
====
Use the Technique 'Name resolution' to create a new Directive called
+Google DNS Servers+, and shortly described as 'Use Google DNS Server'. Check in
the options 'Set nameservers' and 'Set DNS search suffix'. Set the value of the
variable 'DNS resolver' to +8.8.8.8+ and of 'Domain search suffix' according to
your organization, like +rudder-project.org+.
====
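Review bot: "the description of the Technique its derived from" should be "it is derived from"; the rest of the renamed text in 33_directives.txt is consistent, and "Click on the name of a Technique to show its description." reads better than the sentence it replaces.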
22_configuration_management/33_policy_instances.txt
=== Policy Instances
Once you have selected and organized your Policy Templates, you can create your
configurations in the *Configuration Management > Policy Instances* section.
include::../glossary/policy-instance.txt[]
The screen is divided in three parts:
- on the left, your list of Policy Templates and Policy Instances,
- on the right the description of the selected Policy Template or Policy
Instance.
- at the bottom, the configuration items of the selected Policy Instance.
Click on the name of a Policy Template or to see its description.
Click on the name of a Policy Instance to see the Policy Summary containing the
description of the Policy Template its derived from, and the configuration items
of the Policy Instance.
.Create a Policy Instance for Name resolution
====
Use the Policy Template 'Name resolution' to create a new Policy Instance called
+Google DNS Servers+, and shortly described as 'Use Google DNS Server'. Check in
the options 'Set nameservers' and 'Set DNS search suffix'. Set the value of the
variable 'DNS resolver' to +8.8.8.8+ and of 'Domain search suffix' according to
your organization, like +rudder-project.org+.
====
22_configuration_management/34_configuration_rules.txt
=== Configuration rules
include::../glossary/configuration-rule.txt[]
When a Configuration Rule is created or modified, the promises for the target nodes are generated. Rudder computes all the promises each nodes must have, and makes them available for the nodes. This process can take up to several minutes, depending on the number of managed nodes and the Policy Server configuration. During this time, the "Regenerate now" button is replaced by a moving bar and a message stating "Generating configuration rules".
You can also press the "Regenerate now" button on the top of the interface if you feel the generated promises should be modified (for instance, if you changed the configuration of Rudder)
22_configuration_management/34_rules.txt
=== rules
include::../glossary/rule.txt[]
When a Rule is created or modified, the promises for the target nodes are generated. Rudder computes all the promises each nodes must have, and makes them available for the nodes. This process can take up to several minutes, depending on the number of managed nodes and the Policy Server configuration. During this time, the "Regenerate now" button is replaced by a moving bar and a message stating "Generating rules".
You can also press the "Regenerate now" button on the top of the interface if you feel the generated promises should be modified (for instance, if you changed the configuration of Rudder)
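Review bot: the heading "=== rules" is lowercase while the sibling sections are "=== Techniques" and "=== Directives"; use "=== Rules". The quoted UI message also changed from "Generating configuration rules" to "Generating rules"; confirm the web interface string was renamed in the application as well, otherwise the guide quotes a message the user never sees. Minor grammar carried over from the old file: "each nodes must have" should be "each node must have".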
22_configuration_management/35_compliance.txt
=== Compliance
A Policy Instance contains one or multiple components. Each component generates
A Directive contains one or multiple components. Each component generates
one ore multiple reports, based on the number of keys in this component. For
example, for a Sudoers Policy Instance, each user is a key. These states are
example, for a Sudoers Directive, each user is a key. These states are
available in reports:
Success::
......
Applying::
When a Policy Instance is applied, Rudder waits during 10 minutes for a report.
During this period, the Policy Instance is said 'Applying'.
When a Directive is applied, Rudder waits during 10 minutes for a report.
During this period, the Directive is said 'Applying'.
No answer::
The system didn't sent any reports. Rudder waited for 10 minutes and no report
was received.
A Policy Instance has gained conformity on a Node is every reports for each
A Directive has gained conformity on a Node is every reports for each
components, for each key, are in 'Success' state. This is the only condition.
Based on these facts, the compliance of a Configuration Rule is calculated like
Based on these facts, the compliance of a Rule is calculated like
this :
Number of Nodes for which conformity is reached for every Policy Instance of the
Configuration Rule / Total number of Nodes on which the Configuration Rule has
Number of Nodes for which conformity is reached for every Directive of the
Rule / Total number of Nodes on which the Rule has
been applied
.Reports
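Review bot: "A Directive has gained conformity on a Node is every reports for each components, for each key, are in 'Success' state" should read "A Directive is compliant on a Node if every report, for each component and each key, is in the 'Success' state". The unchanged line above ("one ore multiple reports") also has a typo ("one or multiple"). The compliance formula is split awkwardly across the renamed lines; putting it on one line (number of Nodes on which every Directive of the Rule is compliant, divided by the number of Nodes the Rule is applied to) would keep it readable in the rendered output.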
23_administration/20_policy_server.txt
==== Configure allowed networks
Here you can configure the networks from which nodes are allowed to connect to
Rudder policy server to get their updated configuration rules.
Rudder policy server to get their updated rules.
You can add as many network as you want, the expected format is:
+networkip/mask+, for example +42.42.0.0/16+.
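Review bot: "You can add as many network as you want" should be "as many networks as you want". Since this list is the access control deciding which hosts may fetch rules from the policy server, the renamed sentence is the right place to add that the ranges should be kept as narrow as the node population allows, rather than illustrating it only with a /16 such as +42.42.0.0/16+.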
3_usecases/0_usecases_intro.txt
Why not create policies for emergency situations in advance? You can then put
your IT infrastructure in "panic" mode in just a few clicks.
For example, using the provided Policy Templates, you could create a Name
resolution policy to use your own internal DNS servers for normal situations,
and a second, alternative policy, to use Google's public DNS servers, in case
For example, using the provided Techniques, you could create a Name
resolution Directive to use your own internal DNS servers for normal situations,
and a second, alternative Directive, to use Google's public DNS servers, in case
your internal DNS servers are no longer available.
=== Standardizing configurations
4_advanced_usage/25_server_rest_api.txt
+http://localhost/api/archives/archive/directives+::
Export policy library (categories, user polity templates, policy instantes).
Export policy library (categories, active techniques, directives).
+http://localhost/api/archives/archive/rules+::
Export configuration rules
Export rules
+http://localhost/api/archives/archive/full+::
4_advanced_usage/40_nodes_communication_workflow.txt
to send reports regularly to the server. Supported system log providers are:
+syslogd+, +rsyslogd+ and +syslog-ng+.
===== Apply Policy Instances
===== Apply Directives
Apply other policies and write reports locally.
......
. Inventory has changed;
. Policy Template has changed;
. Technique has changed;
. Policy Instance has changed;
. Directive has changed;
. Group of Node has changed;
. Configuration Rule has changed;
. Rule has changed;
. Regeneration was forced by the user.
glossary/active-techniques.txt
Active Techniques::
This is an organized list of the Techniques selected and modified by the
user. By default this list is the same as the Technique Libraryy.
Techniques can be disabled or deleted, and then activated again with a
simple drag and drop. Categories can be reorganised according to the desired
taxonomy. A Technique can appear only once in the Active Techniques list.
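Review bot: "Technique Libraryy" has a doubled "y". The same entry mixes "organized" and "reorganised"; pick one spelling.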
glossary/configuration-rule.txt
Configuration Rule::
It is the application of a policy to a group of nodes. It is the glue between
both Asset Management and Configuration Management parts of the application.
glossary/directive.txt
Directive::
This is an instance of a Technique, which allows to set values for the
parameters of the latter. Each Directive can have an unique name. A Directive
should be completed with a short and a long description, and a
collection of parameters for the variables defined by the Technique.
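Review bot: "Each Directive can have an unique name" should be "a unique name", and "which allows to set values" should be "which allows setting values"; both problems were copied from policy-instance.txt, which this file replaces.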
glossary/policy-instance.txt
Policy Instance::
This is an instance of a Policy Template, which allows to set values for the
parameters of the latter. Each Policy Instance can have an unique name. A Policy
Instance should be completed with a short and a long description, and a
collection of parameters for the variables defined by the Policy Template.
glossary/policy-template.txt
Policy Template::
This is a configuration skeleton, adapted to a function or a particular service
(eg DNS resolver configuration). This skeleton includes the configuration logic
for this function or service, and can be set according to a list of variables
(in the same example: IP addresses of DNS servers, the default search box, ...)
glossary/reference-policy-template-library.txt
Reference Policy Template Library::
This is an organized list of every available Policy Templates. This list can't
be modified: every changes made by an user will be applied to the User Policy
Template Library.
glossary/rule.txt
Rule::
It is the application of one or more directives to a group of nodes. It is the glue between
both Asset Management and Configuration Management parts of the application.
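Review bot: "one or more directives" is lowercase where every other glossary entry capitalises the defined terms (Directive, Technique, Rule); use "Directives" here for consistency with the glossary.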
glossary/technique-library.txt
Technique Library::
This is an organized list of every available Techniques. This list can't
be modified: every changes made by an user will be applied to the Active
Techniques.
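Review bot: "every available Techniques" should be "all available Techniques", and "every changes made by an user" should be "every change made by a user"; both were carried over from reference-policy-template-library.txt.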
glossary/technique.txt
Technique::
This is a configuration skeleton, adapted to a function or a particular service
(eg DNS resolver configuration). This skeleton includes the configuration logic
for this function or service, and can be set according to a list of variables
(in the same example: IP addresses of DNS servers, the default search box, ...)
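Review bot: "the default search box" in the example should almost certainly be "the default search domain"; the Name resolution entry and the Directive example elsewhere in this diff call it the "default search domain" / "Domain search suffix". The line was copied unchanged from policy-template.txt, so this is the moment to fix it.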
glossary/user-policy-template-library.txt
User Policy Template Library::
This is an organized list of the Policy Templates selected and modified by the
user. By default this list is the same as the Reference Policy Template Library.
Policy Templates can be disabled or deleted, and then activated again with a
simple drag and drop. Categories can be reorganised according to the desired
taxonomy. A Policy Template can appear only once in the Library.
