Revision 5f5cd238
Added by Jonathan CLARKE about 7 years ago
.gitignore | ||
---|---|---|
scripts/technique-files
|
initial-promises/node-server/common/1.0/process_matching.cf | ||
---|---|---|
restart_cf.!windows::
|
||
"${sys.workdir}/bin/cf-execd" signals => { "${stop_signal}" };
|
||
|
||
# Note: cron will get restarted automatically by init (respawn directive in inittab)
|
||
# Note: cron will get restarted automatically by init (respawn directive in inittab)
|
||
aix.rudder_aix_crontab_insertion::
|
||
"^/usr/sbin/cron" signals => { "${stop_signal}" };
|
||
|
initial-promises/node-server/common/1.0/rudder_lib.cf | ||
---|---|---|
portnumber => "5309";
|
||
}
|
||
|
||
# This is an evolved version of copy_from scp that uses local copies if we are
|
||
# This is an evolved version of copy_from scp that uses local copies if we are
|
||
# running on a policy server instead of copying from a localhost remote blindly.
|
||
body copy_from rudder_copy_from(from, server,compare,trustkey,preserve,purge) {
|
||
|
initial-promises/node-server/common/1.0/site.cf | ||
---|---|---|
|
||
classes:
|
||
|
||
# Utilities
|
||
# Utilities
|
||
"gzip_installed" expression => isexecutable("${rudder_gzip}");
|
||
"curl_installed" expression => isexecutable("${rudder_curl}");
|
||
|
initial-promises/node-server/common/utilities/minicurl | ||
---|---|---|
my $program_version = "1.0";
|
||
my $program_description = "Perl HTTP, HTTP/S, FTP download and upload tool";
|
||
|
||
## Argument handling (Getopt)
|
||
## Argument handling (Getopt)
|
||
my ($get, $put, $httpstatus, $help, $debug, $version, $no_verify);
|
||
$get = $put = $httpstatus = $help = $debug = $version = $no_verify = 0;
|
||
|
||
... | ... | |
exit(1);
|
||
}
|
||
|
||
# Build the file basename
|
||
# Build the file basename
|
||
my $file_basename = basename($file);
|
||
|
||
# Create a HTTP Basic authentication string if applicable
|
||
... | ... | |
# Make sure we use SSLv3 at least while connecting to HTTP/S
|
||
$ENV{HTTPS_VERSION} = 3;
|
||
|
||
# Create a new LWP object
|
||
# Create a new LWP object
|
||
my $ua = LWP::UserAgent->new;
|
||
if($no_verify) {
|
||
|
||
... | ... | |
}
|
||
|
||
if ($put == 1) {
|
||
# PUT
|
||
# PUT
|
||
|
||
# Create a variable from the target file
|
||
# Create a variable from the target file
|
||
my $message;
|
||
open(my $fh, '<', $file) or die "ERROR: Unable to open file $file.\n";
|
||
{
|
||
... | ... | |
}
|
||
close($fh);
|
||
|
||
# Send the file using the PUT method
|
||
# Send the file using the PUT method
|
||
if ($authentication eq "") {
|
||
$response = $ua->request(PUT $url . $file_basename, Content => $message);
|
||
} else {
|
||
... | ... | |
|
||
} else {
|
||
|
||
# GET
|
||
# GET
|
||
|
||
# Get the file using the GET method
|
||
# Get the file using the GET method
|
||
if ($authentication eq "") {
|
||
$response = $ua->request(GET $url);
|
||
} else {
|
initial-promises/node-server/server-roles/1.0/component-check.cf | ||
---|---|---|
|
||
"index" slist => getindices("service");
|
||
|
||
# Reporting
|
||
# Reporting
|
||
"root_integrity_check" slist => { "Check configuration-repository folder", "Check configuration-repository GIT lock" };
|
||
"root_password_check_ldap" slist => { "Check LDAP in rudder-webapp.properties", "Check LDAP credentials" };
|
||
"root_password_check_psql" slist => { "Check SQL in rudder-webapp.properties", "Check SQL credentials" };
|
||
... | ... | |
|
||
# This is to be done only if the package rudder-server-root is present
|
||
role_rudder_server_root::
|
||
# Password management is expected to be done manually in case of a splitted/relayed installation for now.
|
||
# Password management is expected to be done manually in case of a splitted/relayed installation for now.
|
||
"any" usebundle => root_password_check_ldap;
|
||
"any" usebundle => root_password_check_psql;
|
||
"any" usebundle => root_password_check_file;
|
||
... | ... | |
"Check rudder-passwords.conf and pgpass files", "None", "Checking the password files is unnecessary on this machine, skipping..."
|
||
);
|
||
|
||
# Do this if this is the root_server a relay server
|
||
# Do this if this is the root_server a relay server
|
||
|
||
root_server|policy_server::
|
||
"any" usebundle => root_networks_check;
|
initial-promises/node-server/server-roles/1.0/service-check.cf | ||
---|---|---|
|
||
"forced_trigger_${canoname}" expression => strcmp("${force_restart}", "true");
|
||
|
||
# Raise this class if we are handling a process that should be checked even on
|
||
# relay servers.
|
||
# Raise this class if we are handling a process that should be checked even on
|
||
# relay servers.
|
||
"process_exception_on_relay" expression => strcmp("${check_on_relay_server}", "true");
|
||
|
||
processes:
|
initial-promises/rootServerInitialPromises/cfengine-nova/common/core-lib.cf | ||
---|---|---|
portnumber => "5309";
|
||
}
|
||
|
||
# This is an evolved version of copy_from scp that uses local copies if we are
|
||
# This is an evolved version of copy_from scp that uses local copies if we are
|
||
# running on a policy server instead of copying from a localhost remote blindly.
|
||
body copy_from rudder_copy_from(from, server,compare,trustkey,preserve,purge) {
|
||
|
initial-promises/rootServerInitialPromises/cfengine-nova/common/site.cf | ||
---|---|---|
|
||
classes:
|
||
|
||
# Utilities
|
||
# Utilities
|
||
"gzip_installed" expression => isexecutable("${rudder_gzip}");
|
||
|
||
# Roles
|
initial-promises/rootServerInitialPromises/cfengine-nova/distributePolicy/apacheCheck.cf | ||
---|---|---|
vars:
|
||
|
||
# I WANT to use this but there is no crypt support... yet
|
||
# "dav_password" string => hash("rudder","crypt");
|
||
# "dav_password" string => hash("rudder","crypt");
|
||
|
||
"dav_user[1]" string => "rudder";
|
||
"dav_password[1]" string => "PoBZbSkW/8bcE";
|
initial-promises/rootServerInitialPromises/cfengine-nova/distributePolicy/ldapCheck.cf | ||
---|---|---|
|
||
linux::
|
||
|
||
# slapd configuration
|
||
# slapd configuration
|
||
"@@DistributePolicy@@Success@@root-DP#@root-distributePolicy##${g.uuid}@#The Rudder OpenLDAP daemon password is OK"
|
||
ifvarclass => "rudder_ldap_slapd_password_ok.!rudder_ldap_slapd_password_changed.!rudder_ldap_slapd_password_failed";
|
||
|
||
... | ... | |
"@@DistributePolicy@@Error@@root-DP#@root-distributePolicy##${g.uuid}@#The Rudder OpenLDAP daemon password failed to update"
|
||
ifvarclass => "rudder_ldap_slapd_password_failed";
|
||
|
||
# properties configuration
|
||
# properties configuration
|
||
"@@DistributePolicy@@Success@@root-DP#@root-distributePolicy##${g.uuid}@#The Rudder LDAP properties files passwords are OK"
|
||
ifvarclass => "rudder_ldap_prop_password_ok.!rudder_ldap_prop_password_changed.!rudder_ldap_prop_password_failed";
|
||
|
scripts/check-techniques.sh | ||
---|---|---|
fi
|
||
done || EXIT=1
|
||
|
||
# Check that there is an empry line after each endif
|
||
# Check that there is an empty line after each endif
|
||
${REPOSITORY_PATH}/scripts/technique-files -l -f '*.cf' -f '*.st' "${REPOSITORY_PATH}" | while read filename
|
||
do
|
||
if grep -n -A1 "^[[:space:]]*&endif&[[:space:]]*$" "${filename}" | grep -E -B1 -- "^[[:digit:]]+-.+"; then
|
||
... | ... | |
fi
|
||
done || EXIT=1
|
||
|
||
# Check that there are non non-breaking spaces in files
|
||
# See http://www.rudder-project.org/redmine/issues/7622 - these cause regex failures.
|
||
${REPOSITORY_PATH}/scripts/technique-files -p "${REPOSITORY_PATH}" | while read filename
|
||
do
|
||
if grep -n -P '\xA0' "${filename}" > /dev/null; then
|
||
echo "Non-breakable space in ${filename}:"
|
||
echo "---------------------------------------------------------------------"
|
||
grep -Hn -P '\xA0' "${filename}"
|
||
grep -P '\xA0' "${filename}" | od -t x2c | grep -A1 --color -i a0
|
||
echo "---------------------------------------------------------------------"
|
||
exit 1
|
||
fi
|
||
done || EXIT=1
|
||
|
||
if [ ${EXIT} -eq 0 ]; then
|
||
echo "This repository seems clean"
|
||
else
|
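Review bot: The non-breaking-space check that appears to be added in the last part of this section matches with `grep -P '\xA0'`, whose meaning depends on the locale the script runs under: in a UTF-8 locale it matches U+00A0, while in the C locale it matches any byte 0xA0, including the second byte of other UTF-8 characters such as `à`. Because this script gates what enters the repository, pinning the locale and matching the encoded sequence would give the same verdict on every machine, e.g. `if LC_ALL=C grep -n -P '\xC2\xA0' "${filename}" > /dev/null; then`. This assumes the technique files are UTF-8, and the two later `grep -P` calls would need the same change. The loop header would also be safer as `while IFS= read -r filename`, so unusual file names reach grep unmodified. The comment above the loop should read `# Check that there are no non-breaking spaces in files`.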
techniques/applications/apacheReverseProxy/1.0/configuration.st | ||
---|---|---|
classes => rudder_common_classes("rudder_reverse_proxy_apache_configuration"),
|
||
comment => "Edit the Apache reverse proxy file";
|
||
|
||
# Class visibility forces us to use these bundles here.
|
||
# Class visibility forces us to use these bundles here.
|
||
methods:
|
||
|
||
# Modules edition
|
||
... | ... | |
usebundle => rudder_common_report("${internal_name}", "result_success", "${${params}[tracking_key]}", "SELinux parameters", "None", "No ${service_name} SELinux modification needed"),
|
||
ifvarclass => "!rudder_reverse_proxy_apache_selinux_adjust|rudder_reverse_proxy_apache_selinux_proxy_policy";
|
||
|
||
# Apache restart/reload
|
||
# Apache restart/reload
|
||
"any"
|
||
usebundle => rudder_common_report("${internal_name}", "log_info", "${${params}[tracking_key]}", "Daemon status", "None", "${service_name} has been restarted or reloaded"),
|
||
ifvarclass => "rudder_reverse_proxy_apache_restart_repaired|rudder_reverse_proxy_apache_reload_repaired";
|
techniques/applications/apacheReverseProxy/1.0/installation.st | ||
---|---|---|
methods:
|
||
"any" usebundle => rudder_common_reports_generic("${internal_name}", "rudder_reverse_proxy_apache_package", "${${params}[tracking_key]}", "Installation parameters", "None", "The ${service_name} package installation");
|
||
|
||
# Special case if no installation is needed
|
||
# Special case if no installation is needed
|
||
"any"
|
||
usebundle => rudder_common_report("${internal_name}", "result_success", "${${params}[tracking_key]}", "Installation parameters", "None", "${service_name} installation is not required. Skipping..."),
|
||
ifvarclass => "!rudder_reverse_proxy_apache_install_package";
|
techniques/applications/apacheReverseProxy/1.0/main.st | ||
---|---|---|
{
|
||
vars:
|
||
|
||
# Common declarations
|
||
# Common declarations
|
||
"rudder_reverse_proxy_apache_service_name"
|
||
string => "Apache (as a reverse proxy)";
|
||
"rudder_reverse_proxy_apache_internal_name"
|
||
string => "apacheReverseProxy";
|
||
|
||
# Parameters
|
||
# Parameters
|
||
"rudder_reverse_proxy_params[package_install]"
|
||
string => "&APACHE_REVERSE_PROXY_INSTALL&";
|
||
|
techniques/applications/apacheReverseProxy/2.0/configuration.st | ||
---|---|---|
classes => rudder_common_classes("rudder_reverse_proxy_apache_configuration"),
|
||
comment => "Edit the Apache reverse proxy file";
|
||
|
||
# Class visibility forces us to use these bundles here.
|
||
# Class visibility forces us to use these bundles here.
|
||
methods:
|
||
|
||
# Modules edition
|
||
... | ... | |
|
||
"apache_reload" usebundle => service_restart("httpd");
|
||
|
||
# Apache restart/reload reporting
|
||
# Apache restart/reload reporting
|
||
service_reload_apache2_ok|service_reload_httpd_ok|service_restart_apache2_ok|service_restart_httpd_ok::
|
||
"any" usebundle => rudder_common_report("${internal_name}", "log_info", "${${params}[tracking_key]}", "Daemon status", "None", "Apache has been restarted or reloaded");
|
||
|
techniques/applications/apacheReverseProxy/2.0/installation.st | ||
---|---|---|
methods:
|
||
"any" usebundle => rudder_common_reports_generic("${internal_name}", "rudder_reverse_proxy_apache_package", "${${params}[tracking_key]}", "Installation parameters", "None", "The ${service_name} package installation");
|
||
|
||
# Special case if no installation is needed
|
||
# Special case if no installation is needed
|
||
"any"
|
||
usebundle => rudder_common_report("${internal_name}", "result_success", "${${params}[tracking_key]}", "Installation parameters", "None", "${service_name} installation is not required. Skipping..."),
|
||
ifvarclass => "!rudder_reverse_proxy_apache_install_package";
|
techniques/applications/apacheReverseProxy/2.0/main.st | ||
---|---|---|
{
|
||
vars:
|
||
|
||
# Common declarations
|
||
# Common declarations
|
||
"rudder_reverse_proxy_apache_service_name"
|
||
string => "Apache (as a reverse proxy)";
|
||
"rudder_reverse_proxy_apache_internal_name"
|
||
string => "apacheReverseProxy";
|
||
|
||
# Parameters
|
||
# Parameters
|
||
"rudder_reverse_proxy_params[package_install]"
|
||
string => "&APACHE_REVERSE_PROXY_INSTALL&";
|
||
|
techniques/applications/apacheServer/1.0/apacheServerConfiguration.st | ||
---|---|---|
# Adjust SELinux ?
|
||
"apache_selinux_adjust" expression => strcmp("&APACHE_SELINUX&","true");
|
||
|
||
# Is the SELinux binary "chcon" present ?
|
||
# Is the SELinux binary "chcon" present ?
|
||
"selinux_bin_present" expression => fileexists("/usr/bin/chcon");
|
||
|
||
# Define if the list of module to verify has been specified by the user
|
techniques/applications/apacheServer/2.0/apacheServerConfiguration.st | ||
---|---|---|
# Adjust SELinux ?
|
||
"apache_selinux_adjust" expression => strcmp("&APACHE_SELINUX&","true");
|
||
|
||
# Is the SELinux binary "chcon" present ?
|
||
# Is the SELinux binary "chcon" present ?
|
||
"selinux_bin_present" expression => fileexists("/usr/bin/chcon");
|
||
|
||
# Define if the list of module to verify has been specified by the user
|
techniques/applications/apacheServer/3.0/apacheServerConfiguration.st | ||
---|---|---|
# Adjust SELinux ?
|
||
"apache_selinux_adjust" expression => strcmp("&APACHE_SELINUX&","true");
|
||
|
||
# Is the SELinux binary "chcon" present ?
|
||
# Is the SELinux binary "chcon" present ?
|
||
"selinux_bin_present" expression => fileexists("/usr/bin/chcon");
|
||
|
||
# Define if the list of module to verify has been specified by the user
|
techniques/applications/aptPackageInstallation/1.0/aptPackageInstallation.st | ||
---|---|---|
&TRACKINGKEY:{directiveId |"apt_directive_id[&i&]" string => "&directiveId&";
|
||
}&
|
||
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
|
||
"index_aptpkg" slist => getindices("apt_package");
|
||
|
techniques/applications/aptPackageInstallation/1.0/metadata.xml | ||
---|---|---|
<LABEL>Update only (don't install)</LABEL>
|
||
<VALUE>update</VALUE>
|
||
</ITEM>
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<LABEL>Install and update automatically</LABEL>
|
||
<VALUE>addupdate</VALUE>
|
||
</ITEM>-->
|
techniques/applications/aptPackageInstallation/1.1/aptPackageInstallation.st | ||
---|---|---|
&TRACKINGKEY:{piuuid |"apt_policy_instance_uuid[&i&]" string => "&piuuid&";
|
||
}&
|
||
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
|
||
"index_aptpkg" slist => getindices("apt_package");
|
||
|
techniques/applications/aptPackageInstallation/1.1/metadata.xml | ||
---|---|---|
<LABEL>Update only (don't install)</LABEL>
|
||
<VALUE>update</VALUE>
|
||
</ITEM>
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<LABEL>Install and update automatically</LABEL>
|
||
<VALUE>addupdate</VALUE>
|
||
</ITEM>-->
|
techniques/applications/aptPackageInstallation/1.2/aptPackageInstallation.st | ||
---|---|---|
&TRACKINGKEY:{piuuid |"apt_policy_instance_uuid[&i&]" string => "&piuuid&";
|
||
}&
|
||
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
|
||
"index_aptpkg" slist => getindices("apt_package");
|
||
|
techniques/applications/aptPackageInstallation/1.2/metadata.xml | ||
---|---|---|
<LABEL>Update only (don't install)</LABEL>
|
||
<VALUE>update</VALUE>
|
||
</ITEM>
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<LABEL>Install and update automatically</LABEL>
|
||
<VALUE>addupdate</VALUE>
|
||
</ITEM>-->
|
techniques/applications/aptPackageInstallation/2.0/aptPackageInstallation.st | ||
---|---|---|
&TRACKINGKEY:{piuuid |"apt_policy_instance_uuid[&i&]" string => "&piuuid&";
|
||
}&
|
||
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
|
||
"index_aptpkg" slist => getindices("apt_package");
|
||
|
techniques/applications/aptPackageInstallation/2.0/metadata.xml | ||
---|---|---|
<LABEL>Update only (don't install)</LABEL>
|
||
<VALUE>update</VALUE>
|
||
</ITEM>
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<LABEL>Install and update automatically</LABEL>
|
||
<VALUE>addupdate</VALUE>
|
||
</ITEM>-->
|
techniques/applications/aptPackageInstallation/3.0/aptPackageInstallation.st | ||
---|---|---|
&TRACKINGKEY:{piuuid |"apt_policy_instance_uuid[&i&]" string => "&piuuid&";
|
||
}&
|
||
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
|
||
"index_aptpkg" slist => getindices("apt_package");
|
||
|
techniques/applications/aptPackageInstallation/3.0/metadata.xml | ||
---|---|---|
<LABEL>Update only (don't install)</LABEL>
|
||
<VALUE>update</VALUE>
|
||
</ITEM>
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<LABEL>Install and update automatically</LABEL>
|
||
<VALUE>addupdate</VALUE>
|
||
</ITEM>-->
|
techniques/applications/aptPackageInstallation/4.0/aptPackageInstallation.st | ||
---|---|---|
&TRACKINGKEY:{piuuid |"apt_policy_instance_uuid[&i&]" string => "&piuuid&";
|
||
}&
|
||
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
|
||
|
||
"index_aptpkg" slist => getindices("apt_package");
|
||
|
techniques/applications/aptPackageInstallation/4.0/metadata.xml | ||
---|---|---|
<LABEL>Update only (don't install)</LABEL>
|
||
<VALUE>update</VALUE>
|
||
</ITEM>
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
|
||
<LABEL>Install and update automatically</LABEL>
|
||
<VALUE>addupdate</VALUE>
|
||
</ITEM>-->
|
techniques/applications/zypperPackageManagerRepositories/1.0/zypper-repositories-management.st | ||
---|---|---|
|
||
classes:
|
||
# Disable repositories if the value of the variable start by true
|
||
# Since variable is unique, it can contain only one value, however, it is repeated
|
||
# as many time as there are instance of the directive, rendering the strcmp unusable in this case
|
||
# Since variable is unique, it can contain only one value, however, it is repeated
|
||
# as many time as there are instance of the directive, rendering the strcmp unusable in this case
|
||
"zypper_disable_other_repositories" expression => regcmp("true.*", "&ZYPPER_REPO_DISABLE_OTHER_REPOSITORIES&");
|
||
|
||
files:
|
techniques/fileDistribution/copyGitFile/1.6/copyFileFromSharedFolder.st | ||
---|---|---|
|
||
# Error conditons
|
||
|
||
## The destination is not an existing directory
|
||
## The destination is not an existing directory
|
||
"@@copyFile@@result_error@@${copyfile[${index}][uuid]}@@Copy file@@${copyfile[${index}][name]}@@${g.execRun}##${g.uuid}@#The copy of the file failed: the destination (${copyfile[${index}][destination]}) is not stored in a valid directory"
|
||
ifvarclass => "copy_file_${index}_dest_notdir";
|
||
|
||
## File access denied
|
||
## File access denied
|
||
"@@copyFile@@result_error@@${copyfile[${index}][uuid]}@@Copy file@@${copyfile[${index}][name]}@@${g.execRun}##${g.uuid}@#The copy of the file failed: access to ${copyfile[${index}][name]} denied by the server"
|
||
ifvarclass => "copy_file_${index}_denied";
|
||
|
||
## User does not exist
|
||
## User does not exist
|
||
"@@copyFile@@result_error@@${copyfile[${index}][uuid]}@@Copy file@@${copyfile[${index}][name]}@@${g.execRun}##${g.uuid}@#The permissions could not be applied on the file: user \"${copyfile[${index}][owner]}\" not found"
|
||
ifvarclass => "copy_file_${index}_user_absent";
|
||
|
||
## Group does not exist
|
||
## Group does not exist
|
||
"@@copyFile@@result_error@@${copyfile[${index}][uuid]}@@Copy file@@${copyfile[${index}][name]}@@${g.execRun}##${g.uuid}@#The permissions could not be applied on the file: group \"${copyfile[${index}][group]}\" not found"
|
||
ifvarclass => "copy_file_${index}_group_absent";
|
||
|
||
## Generic failure
|
||
## Generic failure
|
||
"@@copyFile@@result_error@@${copyfile[${index}][uuid]}@@Copy file@@${copyfile[${index}][name]}@@${g.execRun}##${g.uuid}@#The content or permissions of the file(s) could not have been repaired (file not found?)"
|
||
ifvarclass => "copy_file_${index}_error.!copy_file_${index}_dest_notdir.!copy_file_${index}_denied.!copy_file_${index}_user_absent.!copy_file_${index}_group_absent";
|
||
|
techniques/fileDistribution/copyGitFile/1.7/copyFileFromSharedFolder.st | ||
---|---|---|
|
||
# Error conditons
|
||
|
||
## The destination is not an existing directory
|
||
## The destination is not an existing directory
|
||
"@@copyFile@@result_error@@${copyfile[${index}][uuid]}@@Copy file@@${copyfile[${index}][name]}@@${g.execRun}##${g.uuid}@#The copy of the file failed: the destination (${copyfile[${index}][destination]}) is not stored in a valid directory"
|
||
ifvarclass => "copy_file_${index}_dest_notdir";
|
||
|
||
## File access denied
|
||
## File access denied
|
||
"@@copyFile@@result_error@@${copyfile[${index}][uuid]}@@Copy file@@${copyfile[${index}][name]}@@${g.execRun}##${g.uuid}@#The copy of the file failed: access to ${copyfile[${index}][name]} denied by the server"
|
||
ifvarclass => "copy_file_${index}_denied";
|
||
|
||
## User does not exist
|
||
## User does not exist
|
||
"@@copyFile@@result_error@@${copyfile[${index}][uuid]}@@Copy file@@${copyfile[${index}][name]}@@${g.execRun}##${g.uuid}@#The permissions could not be applied on the file: user \"${copyfile[${index}][owner]}\" not found"
|
||
ifvarclass => "copy_file_${index}_user_absent";
|
||
|
||
## Group does not exist
|
||
## Group does not exist
|
||
"@@copyFile@@result_error@@${copyfile[${index}][uuid]}@@Copy file@@${copyfile[${index}][name]}@@${g.execRun}##${g.uuid}@#The permissions could not be applied on the file: group \"${copyfile[${index}][group]}\" not found"
|
||
ifvarclass => "copy_file_${index}_group_absent";
|
||
|
||
## Generic failure
|
||
## Generic failure
|
||
"@@copyFile@@result_error@@${copyfile[${index}][uuid]}@@Copy file@@${copyfile[${index}][name]}@@${g.execRun}##${g.uuid}@#The content or permissions of the file(s) could not have been repaired (file not found?)"
|
||
ifvarclass => "copy_file_${index}_error.!copy_file_${index}_dest_notdir.!copy_file_${index}_denied.!copy_file_${index}_user_absent.!copy_file_${index}_group_absent";
|
||
|
techniques/fileDistribution/copyGitFile/2.0/copyFileFromSharedFolder.st | ||
---|---|---|
|
||
# Error conditons
|
||
|
||
## The destination is not an existing directory or symbolic link
|
||
## The destination is not an existing directory or symbolic link
|
||
"any" usebundle => rudder_common_report("copyFile", "result_error", "${copyfile[${index}][uuid]}", "Copy file", "${copyfile[${index}][name]}", "The copy of the file failed: the destination (${copyfile[${index}][destination]}) is not stored in a valid directory"),
|
||
ifvarclass => "copy_file_${index}_dest_notdir.file_check_symlink_${canon_dirname_${index}}_failed";
|
||
|
||
## File access denied
|
||
## File access denied
|
||
"any" usebundle => rudder_common_report("copyFile", "result_error", "${copyfile[${index}][uuid]}", "Copy file", "${copyfile[${index}][name]}", "The copy of the file failed: access to ${copyfile[${index}][name]} denied by the server"),
|
||
ifvarclass => "copy_file_${index}_denied";
|
||
|
||
## User does not exist
|
||
## User does not exist
|
||
"any" usebundle => rudder_common_report("copyFile", "result_error", "${copyfile[${index}][uuid]}", "Copy file", "${copyfile[${index}][name]}", "The permissions could not be applied on the file: user \"${copyfile[${index}][owner]}\" not found"),
|
||
ifvarclass => "copy_file_${index}_user_absent";
|
||
|
||
## Group does not exist
|
||
## Group does not exist
|
||
"any" usebundle => rudder_common_report("copyFile", "result_error", "${copyfile[${index}][uuid]}", "Copy file", "${copyfile[${index}][name]}", "The permissions could not be applied on the file: group \"${copyfile[${index}][group]}\" not found"),
|
||
ifvarclass => "copy_file_${index}_group_absent";
|
||
|
||
## Generic failure
|
||
## Generic failure
|
||
"any" usebundle => rudder_common_report("copyFile", "result_error", "${copyfile[${index}][uuid]}", "Copy file", "${copyfile[${index}][name]}", "The content or permissions of the file(s) could not have been repaired (file not found?)"),
|
||
ifvarclass => "copy_file_${index}_error.!copy_file_${index}_dest_notdir.!copy_file_${index}_denied.!copy_file_${index}_user_absent.!copy_file_${index}_group_absent";
|
||
|
techniques/fileDistribution/copyGitFile/2.1/copyFileFromSharedFolder.st | ||
---|---|---|
|
||
# Error conditons
|
||
|
||
## The destination is not an existing directory or symbolic link
|
||
## The destination is not an existing directory or symbolic link
|
||
"any" usebundle => rudder_common_report("copyFile", "result_error", "${copyfile[${index}][uuid]}", "Copy file", "${copyfile[${index}][name]}", "The copy of the file failed: the destination (${copyfile[${index}][destination]}) is not stored in a valid directory"),
|
||
ifvarclass => "copy_file_${index}_dest_notdir.file_check_symlink_${canon_dirname_${index}}_failed";
|
||
|
||
## File access denied
|
||
## File access denied
|
||
"any" usebundle => rudder_common_report("copyFile", "result_error", "${copyfile[${index}][uuid]}", "Copy file", "${copyfile[${index}][name]}", "The copy of the file failed: access to ${copyfile[${index}][name]} denied by the server"),
|
||
ifvarclass => "copy_file_${index}_denied";
|
||
|
||
## User does not exist
|
||
## User does not exist
|
||
"any" usebundle => rudder_common_report("copyFile", "result_error", "${copyfile[${index}][uuid]}", "Copy file", "${copyfile[${index}][name]}", "The permissions could not be applied on the file: user \"${copyfile[${index}][owner]}\" not found"),
|
||
ifvarclass => "copy_file_${index}_user_absent";
|
||
|
||
## Group does not exist
|
||
## Group does not exist
|
||
"any" usebundle => rudder_common_report("copyFile", "result_error", "${copyfile[${index}][uuid]}", "Copy file", "${copyfile[${index}][name]}", "The permissions could not be applied on the file: group \"${copyfile[${index}][group]}\" not found"),
|
||
ifvarclass => "copy_file_${index}_group_absent";
|
||
|
||
## Generic failure
|
||
## Generic failure
|
||
"any" usebundle => rudder_common_report("copyFile", "result_error", "${copyfile[${index}][uuid]}", "Copy file", "${copyfile[${index}][name]}", "The content or permissions of the file(s) could not have been repaired (file not found?)"),
|
||
ifvarclass => "copy_file_${index}_error.!copy_file_${index}_dest_notdir.!copy_file_${index}_denied.!copy_file_${index}_user_absent.!copy_file_${index}_group_absent";
|
||
|
techniques/fileDistribution/downloadFile/3.0/downloadFile.st | ||
---|---|---|
|
||
vars:
|
||
|
||
# If curl is here, use it
|
||
# If curl is here, use it
|
||
!windows.curl_installed::
|
||
"download_command" string => "${g.rudder_curl} -L -f --proxy '' -o \"&DOWNLOADFILE_DESTINATION&\" &DOWNLOADFILE_SOURCE&";
|
||
|
||
... | ... | |
!windows.!curl_installed::
|
||
"download_command" string => "${g.minicurl} --get --file \"&DOWNLOADFILE_DESTINATION&\" --url &DOWNLOADFILE_SOURCE&";
|
||
|
||
# Windows always use curl
|
||
# Windows always use curl
|
||
windows::
|
||
"download_command" string => "\"${g.rudder_curl}\" -L -f --proxy '' -o \"&DOWNLOADFILE_DESTINATION&\" &DOWNLOADFILE_SOURCE&";
|
||
|
techniques/system/common/1.0/minicurl.st | ||
---|---|---|
my $program_version = "1.0";
|
||
my $program_description = "Perl HTTP, HTTP/S, FTP download and upload tool";
|
||
|
||
## Argument handling (Getopt)
|
||
## Argument handling (Getopt)
|
||
my ($get, $put, $httpstatus, $help, $debug, $version, $no_verify);
|
||
$get = $put = $httpstatus = $help = $debug = $version = $no_verify = 0;
|
||
|
||
... | ... | |
exit(1);
|
||
}
|
||
|
||
# Build the file basename
|
||
# Build the file basename
|
||
my $file_basename = basename($file);
|
||
|
||
# Create a HTTP Basic authentication string if applicable
|
||
... | ... | |
# Make sure we use SSLv3 at least while connecting to HTTP/S
|
||
$ENV{HTTPS_VERSION} = 3;
|
||
|
||
# Create a new LWP object
|
||
# Create a new LWP object
|
||
my $ua = LWP::UserAgent->new;
|
||
if($no_verify) {
|
||
|
||
... | ... | |
}
|
||
|
||
if ($put == 1) {
|
||
# PUT
|
||
# PUT
|
||
|
||
# Create a variable from the target file
|
||
# Create a variable from the target file
|
||
my $message;
|
||
open(my $fh, '<', $file) or die "ERROR: Unable to open file $file.\n";
|
||
{
|
||
... | ... | |
}
|
||
close($fh);
|
||
|
||
# Send the file using the PUT method
|
||
# Send the file using the PUT method
|
||
if ($authentication eq "") {
|
||
$response = $ua->request(PUT $url . $file_basename, Content => $message);
|
||
} else {
|
||
... | ... | |
|
||
} else {
|
||
|
||
# GET
|
||
# GET
|
||
|
||
# Get the file using the GET method
|
||
# Get the file using the GET method
|
||
if ($authentication eq "") {
|
||
$response = $ua->request(GET $url);
|
||
} else {
|
techniques/system/common/1.0/promises.st | ||
---|---|---|
pass3::
|
||
|
||
"any" usebundle => rudder_common_report("Common", "result_success", "&TRACKINGKEY&", "Process checking", "None", "There is an acceptable number of CFEngine processes running on the machine"),
|
||
# Here, I can not use the binaries variable as CFEngine will iterate and output two reports, breaking the reporting.
|
||
# Here, I can not use the binaries variable as CFEngine will iterate and output two reports, breaking the reporting.
|
||
ifvarclass => "!agent_has_gone_wild.!agent_has_gone_really_wild.!execd_has_gone_wild.!execd_has_gone_really_wild";
|
||
|
||
"any" usebundle => rudder_common_report("Common", "result_repaired", "&TRACKINGKEY&", "Process checking", "None", "Warning, more than ${process_term[${binaries}]} cf-${binaries} processes were detected. They have been sent a graceful termination signal."),
|
techniques/system/common/1.0/rudder_agent_nova_cron.st | ||
---|---|---|
# Don't forget to remove that file when you're done!
|
||
#
|
||
# If you want to report a specific message if the Rudder agent fails to restart, please create the
|
||
# /opt/rudder/etc/rudder-restart-message.txt file with your custom message inside. It will be sent by mail
|
||
# instead of the default one.
|
||
# /opt/rudder/etc/rudder-restart-message.txt file with your custom message inside. It will be sent by mail
|
||
# instead of the default one.
|
||
|
||
# Add a decent PATH to the environment before triggering anything
|
||
# Add a decent PATH to the environment before triggering anything
|
||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||
|
||
0,5,10,15,20,25,30,35,40,45,50,55 * * * * root . /etc/profile; if [ ! -e ${g.rudder_base}/etc/disable-agent -a `ps -efww | grep -E "(cf-execd|cf-agent)" | grep -E "${sys.workdir}/bin/(cf-execd|cf-agent)" | grep -v grep | wc -l` -eq 0 ]; then ${sys.workdir}/bin/cf-agent -f failsafe.cf >/dev/null 2>\&1 \&\& ${sys.workdir}/bin/cf-agent >/dev/null 2>\&1; if [ $? != 0 ]; then if [ -f /opt/rudder/etc/rudder-restart-message.txt ]; then cat /opt/rudder/etc/rudder-restart-message.txt; else echo "Rudder agent was unable to restart on ${hostname}."; fi; fi; fi
|
techniques/system/common/1.0/rudder_lib.st | ||
---|---|---|
portnumber => "&COMMUNITYPORT&";
|
||
}
|
||
|
||
# This is an evolved version of copy_from scp that uses local copies if we are
|
||
# This is an evolved version of copy_from scp that uses local copies if we are
|
||
# running on a policy server instead of copying from a localhost remote blindly.
|
||
body copy_from rudder_copy_from(from, server,compare,trustkey,preserve,purge) {
|
||
|
techniques/system/common/1.0/site.st | ||
---|---|---|
|
||
classes:
|
||
|
||
# Utilities
|
||
# Utilities
|
||
"gzip_installed" expression => isexecutable("${gzip}");
|
||
"curl_installed" expression => isexecutable("${rudder_curl}");
|
||
|
techniques/system/inventory/1.0/fusionAgent.st | ||
---|---|---|
comment => "Sending the inventory to the server";
|
||
|
||
&if(NOVA)&
|
||
# On windows, the this.promiser variable is not evaluated the same way. We are forced to duplicate this block
|
||
# On windows, the this.promiser variable is not evaluated the same way. We are forced to duplicate this block
|
||
windows::
|
||
"${g.rudder_inventories}"
|
||
transformer => "${download_command_prefix} \"${this.promiser}\" ${download_command_suffix}",
|
techniques/system/server-roles/1.0/component-check.st | ||
---|---|---|
|
||
"index" slist => getindices("service");
|
||
|
||
# Reporting
|
||
# Reporting
|
||
"root_integrity_check" slist => { "Check configuration-repository folder", "Check configuration-repository GIT lock" };
|
||
"root_password_check_ldap" slist => { "Check LDAP in rudder-webapp.properties", "Check LDAP credentials" };
|
||
"root_password_check_psql" slist => { "Check SQL in rudder-webapp.properties", "Check SQL credentials" };
|
||
... | ... | |
|
||
# This is to be done only if the package rudder-server-root is present
|
||
role_rudder_server_root::
|
||
# Password management is expected to be done manually in case of a splitted/relayed installation for now.
|
||
# Password management is expected to be done manually in case of a splitted/relayed installation for now.
|
||
"any" usebundle => root_password_check_ldap;
|
||
"any" usebundle => root_password_check_file;
|
||
"any" usebundle => root_password_check_psql;
|
||
... | ... | |
"Check rudder-passwords.conf and pgpass files", "None", "Checking the password files is unnecessary on this machine, skipping..."
|
||
);
|
||
|
||
# Do this if this is the root_server or a relay server
|
||
# Do this if this is the root_server or a relay server
|
||
root_server|policy_server::
|
||
"any" usebundle => root_networks_check;
|
||
"any" usebundle => root_password_check_dav;
|
techniques/systemSettings/misc/clockConfiguration/1.0/clockConfiguration.st | ||
---|---|---|
|
||
commands:
|
||
|
||
# Restart commands
|
||
# Restart commands
|
||
!windows.!redhat.(repaired_ntpconf|repaired_localtime|repaired_debiantz|repaired_susetz|ntpd_down)::
|
||
"/etc/init.d/ntp"
|
||
args => "restart",
|
||
... | ... | |
classes => cf2_if_else("ntp_win32time_started", "ntp_win32time_error"),
|
||
comment => "Restart the windows NTP service";
|
||
|
||
# HW clock sync command
|
||
# HW clock sync command
|
||
!windows::
|
||
"/sbin/hwclock"
|
||
args => "--systohc",
|
||
... | ... | |
|
||
files:
|
||
|
||
# Adjust ntp.conf (Add the servers)
|
||
# Adjust ntp.conf (Add the servers)
|
||
!windows.(ntp_config_file_exists|ntp_installed)::
|
||
"/etc/ntp.conf"
|
||
edit_line => setNtpServer("@{this.ntpServers}"),
|
||
... | ... | |
comment => "Updating the /etc/localtime file",
|
||
classes => kept_if_else("localtime_kept", "repaired_localtime", "not_repaired_localtime");
|
||
|
||
# Edit the distro dependant files to set the TZ on boot
|
||
# Edit the distro dependant files to set the TZ on boot
|
||
(redhat.!clock_timezone_noedit).clock_vardef::
|
||
"/etc/sysconfig/clock"
|
||
edit_line => EditCentOSTimezone("${linux_timezone}"),
|
techniques/systemSettings/misc/clockConfiguration/2.0/clockConfiguration.st | ||
---|---|---|
|
||
files:
|
||
|
||
# Adjust ntp.conf (Add the servers)
|
||
# Adjust ntp.conf (Add the servers)
|
||
!windows.(ntp_config_file_exists|ntp_installed)::
|
||
"/etc/ntp.conf"
|
||
edit_line => setNtpServer("@{this.ntpServers}"),
|
||
... | ... | |
comment => "Updating the /etc/localtime file",
|
||
classes => kept_if_else("localtime_kept", "repaired_localtime", "not_repaired_localtime");
|
||
|
||
# Edit the distro dependant files to set the TZ on boot
|
||
# Edit the distro dependant files to set the TZ on boot
|
||
(redhat.!clock_timezone_noedit).clock_vardef::
|
||
"/etc/sysconfig/clock"
|
||
edit_line => EditCentOSTimezone("${linux_timezone}"),
|
||
... | ... | |
|
||
commands:
|
||
|
||
# Restart commands
|
||
# Restart commands
|
||
!windows.!redhat.(repaired_ntpconf|repaired_localtime|repaired_debiantz|repaired_susetz|ntpd_down)::
|
||
"/etc/init.d/ntp"
|
||
args => "restart",
|
||
... | ... | |
classes => cf2_if_else("ntp_win32time_started", "ntp_win32time_error"),
|
||
comment => "Restart the windows NTP service";
|
||
|
||
# HW clock sync command
|
||
# HW clock sync command
|
||
!windows::
|
||
"/sbin/hwclock"
|
||
args => "--systohc",
|
techniques/systemSettings/misc/clockConfiguration/3.0/clockConfiguration.st | ||
---|---|---|
|
||
files:
|
||
|
||
# Adjust ntp.conf (Add the servers)
|
||
# Adjust ntp.conf (Add the servers)
|
||
!windows.(ntp_config_file_exists|ntp_installed)::
|
||
"/etc/ntp.conf"
|
||
edit_line => setNtpServer("@{this.ntpServers}"),
|
||
... | ... | |
comment => "Updating the /etc/localtime file",
|
||
classes => kept_if_else("localtime_kept", "repaired_localtime", "not_repaired_localtime");
|
||
|
||
# Edit the distro dependant files to set the TZ on boot
|
||
# Edit the distro dependant files to set the TZ on boot
|
||
(redhat.!clock_timezone_noedit).clock_vardef::
|
||
"/etc/sysconfig/clock"
|
||
edit_line => EditCentOSTimezone("${linux_timezone}"),
|
||
... | ... | |
|
||
pass2::
|
||
|
||
# Restart commands
|
||
# Restart commands
|
||
|
||
!windows.!redhat.(repaired_ntpconf|repaired_localtime|repaired_debiantz|repaired_susetz|ntpd_down)::
|
||
"restart_ntp" usebundle => service_restart("ntp");
|
||
... | ... | |
classes => cf2_if_else("ntp_win32time_started", "ntp_win32time_error"),
|
||
comment => "Restart the windows NTP service";
|
||
|
||
# HW clock sync command
|
||
# HW clock sync command
|
||
!windows.clock_hwclock_sync::
|
||
"/sbin/hwclock"
|
||
args => "--systohc",
|
techniques/systemSettings/misc/clockConfiguration/3.1/clockConfiguration.st | ||
---|---|---|
|
||
files:
|
||
|
||
# Adjust ntp.conf (Add the servers)
|
||
# Adjust ntp.conf (Add the servers)
|
||
!windows.(ntp_config_file_exists|ntp_installed)::
|
||
"/etc/ntp.conf"
|
||
edit_line => setNtpServer("@{this.ntpServers}"),
|
||
... | ... | |
comment => "Updating the /etc/localtime file",
|
||
classes => kept_if_else("localtime_kept", "repaired_localtime", "not_repaired_localtime");
|
||
|
||
# Edit the distro dependant files to set the TZ on boot
|
||
# Edit the distro dependant files to set the TZ on boot
|
||
redhat.!clock_timezone_noedit::
|
||
"/etc/sysconfig/clock"
|
||
edit_line => EditCentOSTimezone("${linux_timezone}"),
|
||
... | ... | |
|
||
commands:
|
||
|
||
# Restart commands
|
||
# Restart commands
|
||
!windows.!redhat.(repaired_ntpconf|repaired_localtime|repaired_debiantz|repaired_susetz|ntpd_down)::
|
||
"/etc/init.d/ntp"
|
||
args => "restart",
|
||
... | ... | |
classes => cf2_if_else("ntp_win32time_started", "ntp_win32time_error"),
|
||
comment => "Restart the windows NTP service";
|
||
|
||
# HW clock sync command
|
||
# HW clock sync command
|
||
!windows.clock_hwclock_sync::
|
||
"/sbin/hwclock"
|
||
args => "--systohc",
|
techniques/systemSettings/networking/hostsConfiguration/1.0/hostsConfiguration.st | ||
---|---|---|
#
|
||
# NOTE : I permitted the creation of the hosts file if absent, but on a purely
|
||
# functionnal side, its absence means a severe breakage of your IP stack. Be
|
||
# aware of this if a file creation is reported !
|
||
# aware of this if a file creation is reported !
|
||
#
|
||
|
||
bundle agent check_hosts_configuration
|
||
... | ... | |
"${sys.winsysdir}\drivers\etc\hosts"
|
||
|
||
create => "true",
|
||
# perms => m("644"),
|
||
# perms => m("644"),
|
||
&if (HOSTS_ENFORCE)&
|
||
edit_defaults => empty_backup,
|
||
&else&
|
techniques/systemSettings/networking/hostsConfiguration/1.1/hostsConfiguration.st | ||
---|---|---|
#
|
||
# NOTE : I permitted the creation of the hosts file if absent, but on a purely
|
||
# functionnal side, its absence means a severe breakage of your IP stack. Be
|
||
# aware of this if a file creation is reported !
|
||
# aware of this if a file creation is reported !
|
||
#
|
||
|
||
bundle agent check_hosts_configuration
|
||
... | ... | |
"${sys.winsysdir}\drivers\etc\hosts"
|
||
|
||
create => "true",
|
||
# perms => m("644"),
|
||
# perms => m("644"),
|
||
&if (HOSTS_ENFORCE)&
|
||
edit_defaults => empty_backup,
|
||
&else&
|
techniques/systemSettings/networking/hostsConfiguration/2.0/hostsConfiguration.st | ||
---|---|---|
#
|
||
# NOTE : I permitted the creation of the hosts file if absent, but on a purely
|
||
# functionnal side, its absence means a severe breakage of your IP stack. Be
|
||
# aware of this if a file creation is reported !
|
||
# aware of this if a file creation is reported !
|
||
#
|
||
|
||
bundle agent check_hosts_configuration
|
||
... | ... | |
"${sys.winsysdir}\drivers\etc\hosts"
|
||
|
||
create => "true",
|
||
# perms => m("644"),
|
||
# perms => m("644"),
|
||
&if (HOSTS_ENFORCE)&
|
||
edit_defaults => empty_backup,
|
||
&else&
|
techniques/systemSettings/remoteAccess/sshConfiguration/1.0/sshConfiguration.st | ||
---|---|---|
# If ssh is not installed, install it (linux)
|
||
# Change the server configuration, and restart the daemon
|
||
# if the configuration changed
|
||
# WARNING : You may inadvertently create conflict with processManagement !
|
||
# WARNING : You may inadvertently create conflict with processManagement !
|
||
# This promise restarts sshd if not there, which could be done by processManagement too.
|
||
# dontchange is a generic value to prohibit the edition of the value
|
||
|
techniques/systemSettings/remoteAccess/sshConfiguration/2.0/configuration.st | ||
---|---|---|
# If ssh is not installed, install it (linux)
|
||
# Change the server configuration, and restart the daemon
|
||
# if the configuration changed
|
||
# WARNING : You may inadvertently create conflict with processManagement !
|
||
# WARNING : You may inadvertently create conflict with processManagement !
|
||
# This promise restarts sshd if not there, which could be done by processManagement too.
|
||
# dontchange is a generic value to prohibit the edition of the value
|
||
#####################################################################################
|
||
... | ... | |
"rudder_openssh_server_startup_init_activation_command"
|
||
string => "/sbin/chkconfig --del sshd \&\& /sbin/chkconfig --add sshd";
|
||
|
||
# Class specific parameters
|
||
# Class specific parameters
|
||
rudder_openssh_server_address_family_edit.!(debian_3|redhat_3|redhat_4|centos_3|centos_4)::
|
||
"sshd[AddressFamily]"
|
||
string => "&OPENSSH_SERVER_ADDRESSFAMILY&";
|
||
... | ... | |
comment => "Insert the standard Rudder disclaimer in the OpenSSHd configuration file";
|
||
|
||
(debian|redhat|SuSE)::
|
||
# This promise will detect if there is a startup script for OpenSSH enabled on the system,
|
||
# and set a class if there is one indeed.
|
||
# This promise will detect if there is a startup script for OpenSSH enabled on the system,
|
||
# and set a class if there is one indeed.
|
||
"${rudder_openssh_server_startup_script_regex}"
|
||
create => "true",
|
||
action => WarnOnly,
|
techniques/systemSettings/remoteAccess/sshConfiguration/2.0/installation.st | ||
---|---|---|
string => "openssh";
|
||
|
||
packages:
|
||
# Install OpenSSH if needed, using generic installation.
|
||
# Install OpenSSH if needed, using generic installation.
|
||
(debian|redhat|SuSE)::
|
||
"${rudder_openssh_server_package_name}"
|
||
package_policy => "add",
|
techniques/systemSettings/remoteAccess/sshConfiguration/3.0/config.st | ||
---|---|---|
"rudder_openssh_server_config[edit_ports]"
|
||
string => "&OPENSSH_SERVER_PORTSEDIT&";
|
||
|
||
# Class specific parameters
|
||
# Class specific parameters
|
||
rudder_openssh_server_address_family_edit.!(debian_3|redhat_3|redhat_4|centos_3|centos_4)::
|
||
"rudder_openssh_server_config[config][AddressFamily]"
|
||
string => "&OPENSSH_SERVER_ADDRESSFAMILY&";
|
techniques/systemSettings/remoteAccess/sshConfiguration/3.0/installation.st | ||
---|---|---|
string => "openssh";
|
||
|
||
packages:
|
||
# Install OpenSSH if needed, using generic installation.
|
||
# Install OpenSSH if needed, using generic installation.
|
||
linux::
|
||
"${rudder_openssh_server_package_name}"
|
||
package_policy => "add",
|
techniques/systemSettings/remoteAccess/sshConfiguration/3.0/main.st | ||
---|---|---|
# If ssh is not installed, install it (linux)
|
||
# Change the server configuration, and restart the daemon
|
||
# if the configuration changed
|
||
# WARNING : You may inadvertently create conflict with processManagement !
|
||
# WARNING : You may inadvertently create conflict with processManagement !
|
||
# This promise restarts sshd if not there, which could be done by processManagement too.
|
||
# dontchange is a generic value to prohibit the edition of the value
|
||
#####################################################################################
|
||
... | ... | |
comment => "Insert the standard Rudder disclaimer in the OpenSSHd configuration file";
|
||
|
||
(debian|redhat|SuSE)::
|
||
# This promise will detect if there is a startup script for OpenSSH enabled on the system,
|
||
# and set a class if there is one indeed.
|
||
# This promise will detect if there is a startup script for OpenSSH enabled on the system,
|
||
# and set a class if there is one indeed.
|
||
"${rudder_openssh_server_startup_script_regex}"
|
||
create => "true",
|
||
action => WarnOnly,
|
techniques/systemSettings/remoteAccess/sshConfiguration/4.0/config.st | ||
---|---|---|
"rudder_openssh_server_config[edit_ports]"
|
||
string => "&OPENSSH_SERVER_PORTSEDIT&";
|
||
|
||
# Class specific parameters
|
||
# Class specific parameters
|
||
rudder_openssh_server_address_family_edit.!(debian_3|redhat_3|redhat_4|centos_3|centos_4)::
|
||
"rudder_openssh_server_config[config][AddressFamily]"
|
||
string => "&OPENSSH_SERVER_ADDRESSFAMILY&";
|
techniques/systemSettings/remoteAccess/sshConfiguration/4.0/installation.st | ||
---|---|---|
string => "openssh";
|
||
|
||
packages:
|
||
# Install OpenSSH if needed, using generic installation.
|
||
# Install OpenSSH if needed, using generic installation.
|
||
linux::
|
||
"${rudder_openssh_server_package_name}"
|
||
package_policy => "add",
|
techniques/systemSettings/remoteAccess/sshConfiguration/4.0/main.st | ||
---|---|---|
# If ssh is not installed, install it (linux)
|
||
# Change the server configuration, and restart the daemon
|
||
# if the configuration changed
|
||
# WARNING : You may inadvertently create conflict with processManagement !
|
||
# WARNING : You may inadvertently create conflict with processManagement !
|
||
# This promise restarts sshd if not there, which could be done by processManagement too.
|
||
# dontchange is a generic value to prohibit the edition of the value
|
||
#####################################################################################
|
||
... | ... | |
"rudder_openssh_server_startup_command"
|
||
string => "/usr/bin/stopsrc -s sshd \&\& until /usr/bin/lssrc -s sshd | ${paths.grep} -q inoperative; do ${paths.perl} -e 'select(undef,undef,undef,.25)'; done; /usr/bin/startsrc -s sshd";
|
||
|
||
# Here are the details about the arguments given to mkssys:
|
||
## -p: Specifies the absolute path to the subsystem executable program.
|
||
## -s: Specifies a name that uniquely identifies the subsystem.
|
||
# Here are the details about the arguments given to mkssys:
|
||
## -p: Specifies the absolute path to the subsystem executable program.
|
||
## -s: Specifies a name that uniquely identifies the subsystem.
|
||
## -G: Specifies that the subsystem belongs to the Group specified.
|
||
## -u: Specifies the user ID for the subsystem.
|
||
## -S: Specifies that the subsystem uses the signals communication method.
|
techniques/systemSettings/remoteAccess/sshConfiguration/5.0/config.st | ||
---|---|---|
"rudder_openssh_server_config[edit_addresses]"
|
||
string => "&OPENSSH_SERVER_ADDRESSESEDIT&";
|
||
|
||
# Class specific parameters
|
||
# Class specific parameters
|
||
rudder_openssh_server_address_family_edit.!(debian_3|redhat_3|redhat_4|centos_3|centos_4)::
|
||
"rudder_openssh_server_config[config][AddressFamily]"
|
||
string => "&OPENSSH_SERVER_ADDRESSFAMILY&";
|
techniques/systemSettings/remoteAccess/sshConfiguration/5.0/installation.st | ||
---|---|---|
string => "openssh";
|
||
|
||
packages:
|
||
# Install OpenSSH if needed, using generic installation.
|
||
# Install OpenSSH if needed, using generic installation.
|
||
linux::
|
||
"${rudder_openssh_server_package_name}"
|
||
package_policy => "add",
|
techniques/systemSettings/remoteAccess/sshConfiguration/5.0/main.st | ||
---|---|---|
# If ssh is not installed, install it (linux)
|
||
# Change the server configuration, and restart the daemon
|
||
# if the configuration changed
|
||
# WARNING : You may inadvertently create conflict with processManagement !
|
||
# WARNING : You may inadvertently create conflict with processManagement !
|
||
# This promise restarts sshd if not there, which could be done by processManagement too.
|
||
# dontchange is a generic value to prohibit the edition of the value
|
||
#####################################################################################
|
||
... | ... | |
"rudder_openssh_server_startup_command"
|
||
string => "/usr/bin/stopsrc -s sshd \&\& until /usr/bin/lssrc -s sshd | ${paths.grep} -q inoperative; do ${paths.perl} -e 'select(undef,undef,undef,.25)'; done; /usr/bin/startsrc -s sshd";
|
||
|
||
# Here are the details about the arguments given to mkssys:
|
||
## -p: Specifies the absolute path to the subsystem executable program.
|
||
## -s: Specifies a name that uniquely identifies the subsystem.
|
||
# Here are the details about the arguments given to mkssys:
|
||
## -p: Specifies the absolute path to the subsystem executable program.
|
||
## -s: Specifies a name that uniquely identifies the subsystem.
|
||
## -G: Specifies that the subsystem belongs to the Group specified.
|
||
## -u: Specifies the user ID for the subsystem.
|
||
## -S: Specifies that the subsystem uses the signals communication method.
|
techniques/systemSettings/remoteAccess/sshKeyDistribution/2.0/sshKeyDistribution.st | ||
---|---|---|
"homedir[${sshkey_distribution_index}]"
|
||
string => "${userarray_${sshkey_distribution_index}[${sshkey_distribution_name[${sshkey_distribution_index}]}][5]}";
|
||
|
||
# Only Linuxes (not Slackware), Solaris and FreeBSD support PAM/getent
|
||
# Only Linuxes (not Slackware), Solaris and FreeBSD support PAM/getent
|
||
(linux.!slackware)|solaris|freebsd::
|
||
|
||
"userdata_${sshkey_distribution_index}"
|
||
string => execresult("/usr/bin/getent passwd ${sshkey_distribution_name[${sshkey_distribution_index}]}", "noshell");
|
||
|
||
# On systems without PAM, directly read entries from /etc/passwd instead (compatibility)
|
||
# On systems without PAM, directly read entries from /etc/passwd instead (compatibility)
|
||
!((linux.!slackware)|solaris|freebsd)::
|
||
|
||
"userdata_${sshkey_distribution_index}"
|
techniques/systemSettings/remoteAccess/sshKeyDistribution/3.0/sshKeyDistribution.st | ||
---|---|---|
"homedir[${sshkey_distribution_index}]"
|
||
string => "${userarray_${sshkey_distribution_index}[${sshkey_distribution_name[${sshkey_distribution_index}]}][5]}";
|
||
|
||
# Only Linuxes (not Slackware), Solaris and FreeBSD support PAM/getent
|
||
# Only Linuxes (not Slackware), Solaris and FreeBSD support PAM/getent
|
||
(linux.!slackware)|solaris|freebsd::
|
||
|
||
"userdata_${sshkey_distribution_index}"
|
||
string => execresult("/usr/bin/getent passwd ${sshkey_distribution_name[${sshkey_distribution_index}]}", "noshell");
|
||
|
||
# On systems without PAM, directly read entries from /etc/passwd instead (compatibility)
|
||
# On systems without PAM, directly read entries from /etc/passwd instead (compatibility)
|
||
!((linux.!slackware)|solaris|freebsd)::
|
||
|
||
"userdata_${sshkey_distribution_index}"
|
techniques/systemSettings/systemManagement/motdConfiguration/2.0/main.st | ||
---|---|---|
"rudder_motd_absent" not => fileexists("/etc/motd");
|
||
|
||
files:
|
||
# Set every MOTD file to the wanted value
|
||
# Set every MOTD file to the wanted value
|
||
!windows::
|
||
"${rudder_motd_file}"
|
||
create => "true",
|
techniques/systemSettings/systemManagement/motdConfiguration/3.0/main.st | ||
---|---|---|
"rudder_motd_absent" not => fileexists("/etc/motd");
|
||
|
||
files:
|
||
# Set every MOTD file to the wanted value
|
||
# Set every MOTD file to the wanted value
|
||
!windows::
|
||
"${rudder_motd_file}"
|
||
create => "true",
|
techniques/systemSettings/systemManagement/motdConfiguration/3.1/main.st | ||
---|---|---|
"rudder_motd_absent" not => fileexists("/etc/motd");
|
||
|
||
files:
|
||
# Set every MOTD file to the wanted value
|
||
# Set every MOTD file to the wanted value
|
||
!windows::
|
||
"${rudder_motd_file}"
|
||
create => "true",
|
techniques/systemSettings/systemManagement/motdConfiguration/3.2/main.st | ||
---|---|---|
"pass1" expression => "any";
|
||
|
||
files:
|
||
# Set every MOTD file to the wanted value
|
||
# Set every MOTD file to the wanted value
|
||
pass2.!windows::
|
||
"${rudder_motd_issue_files}"
|
||
create => "true",
|
techniques/systemSettings/userManagement/userManagement/3.0/userManagement.st | ||
---|---|---|
|
||
aix::
|
||
|
||
# Only execute this on AIX to prevent costly executions on irrelevant OSes:
|
||
# Only execute this on AIX to prevent costly executions on irrelevant OSes:
|
||
# We only need this to update /etc/security/passwd, which is AIX specific.
|
||
"timestamp" string => execresult("/bin/date +%s", "noshell");
|
||
|
||
... | ... | |
classes => kept_if_else("usermanagement_user_password_ok_${usergroup_user_index}", "usermanagement_user_password_repaired_${usergroup_user_index}", "usermanagement_user_password_failed_${usergroup_user_index}"),
|
||
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
|
||
|
||
# AIX has a specific approach for passwords, needing a different approach (no tabular edition)
|
||
# AIX has a specific approach for passwords, needing a different approach (no tabular edition)
|
||
|
||
aix::
|
||
|
||
... | ... | |
classes => kept_if_else("usermanagement_user_password_ok_${usergroup_user_index}", "usermanagement_user_password_repaired_${usergroup_user_index}", "usermanagement_user_password_failed_${usergroup_user_index}"),
|
||
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
|
||
|
||
# If a password update is needed, also update the timestamp to avoid administrative headaches (password expiration/policies)
|
||
# If a password update is needed, also update the timestamp to avoid administrative headaches (password expiration/policies)
|
||
"/etc/security/passwd"
|
||
create => "false",
|
||
edit_line => rudder_change_aix_password_entry("${usergroup_user_login[${usergroup_user_index}]}", "lastupdate", "${timestamp}"),
|
techniques/systemSettings/userManagement/userManagement/4.0/userManagement.st | ||
---|---|---|
|
||
aix::
|
||
|
||
# Only execute this on AIX to prevent costly executions on irrelevant OSes:
|
||
# Only execute this on AIX to prevent costly executions on irrelevant OSes:
|
||
# We only need this to update /etc/security/passwd, which is AIX specific.
|
||
"timestamp" string => execresult("/bin/date +%s", "noshell");
|
||
|
||
... | ... | |
classes => kept_if_else("usermanagement_user_password_ok_${usergroup_user_index}", "usermanagement_user_password_repaired_${usergroup_user_index}", "usermanagement_user_password_failed_${usergroup_user_index}"),
|
||
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
|
||
|
||
# AIX has a specific approach for passwords, needing a different approach (no tabular edition)
|
||
# AIX has a specific approach for passwords, needing a different approach (no tabular edition)
|
||
|
||
aix::
|
||
|
||
... | ... | |
classes => kept_if_else("usermanagement_user_password_ok_${usergroup_user_index}", "usermanagement_user_password_repaired_${usergroup_user_index}", "usermanagement_user_password_failed_${usergroup_user_index}"),
|
||
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
|
||
|
||
# If a password update is needed, also update the timestamp to avoid administrative headaches (password expiration/policies)
|
||
# If a password update is needed, also update the timestamp to avoid administrative headaches (password expiration/policies)
|
||
"/etc/security/passwd"
|
||
create => "false",
|
||
edit_line => rudder_change_aix_password_entry("${usergroup_user_login[${usergroup_user_index}]}", "lastupdate", "${timestamp}"),
|
Fixes #7622: Technique files contain UTF-8 chars (especially spaces)