
Revision 6fc4569d

Added by Alexis Mousset over 6 years ago

Fixes #9502: Drop old protocol and acl for agents


techniques/system/common/1.0/cf-served.st
policy_server|role_rudder_relay_promises_only::
"${def.dir_masterfiles}"
handle => "grant_access_policy",
comment => "Grant access to the policy updates",
handle => "grant_access_policy",
comment => "Grant access to the policy updates",
maproot => { @{def.acl} },
admit => { @{def.acl} };
admit_ips => { @{def.acl} };
"${g.rudder_tools}"
maproot => { @{def.acl} },
admit => { @{def.acl} };
admit_ips => { @{def.acl} };
&if(MANAGED_NODES_NAME)&
"${g.rudder_ncf_origin_common}"
maproot => { @{def.acl} },
admit => { @{def.acl} };
admit_ips => { @{def.acl} };
"${g.rudder_ncf_origin_local}"
maproot => { @{def.acl} },
admit => { @{def.acl} };
admit_ips => { @{def.acl} };
# Deny access to 50_techniques folder
"${g.rudder_ncf_origin_local}/50_techniques"
deny => { ".*" };
deny_ips => { "0.0.0.0/0" };
&if(SHARED_FILES_FOLDER)&
"&SHARED_FILES_FOLDER&"
comment => "Grant access to the share files",
comment => "Grant access to the share files",
maproot => { @{def.acl} },
admit => { @{def.acl} };
admit_ips => { @{def.acl} };
&endif&
......
comment => "Grant ${query_types} reporting query for the hub on the policy server",
resource_type => "query",
report_data_select => rudder_data_select_policy_hub,
admit => { ${def.policy_server}, @{sys.ip_addresses} }; # an enterprise policy server needs to be able to contact itself
admit_ips => { host2ip("${def.policy_server}"), @{sys.ip_addresses} }; # an enterprise policy server needs to be able to contact itself
&endif&
any::
&if(SKIPIDENTIFY)&
&MANAGED_NODES_NAME, MANAGED_NODES_ID, MANAGED_NODES_KEY: {host, uuid, key |
"/var/rudder/share/&uuid&/"
maproot => { string_downcase(escape("&host&")) },
admit => { string_downcase(escape("&host&")) },
admit_keys => { "&key&" };
"/var/rudder/shared-files/&uuid&/"
maproot => { string_downcase(escape("&host&")) },
admit => { string_downcase(escape("&host&")) },
admit_keys => { "&key&" };
} &
&else&
&MANAGED_NODES_NAME, MANAGED_NODES_ID, MANAGED_NODES_KEY : {host, uuid, key |
"/var/rudder/share/&uuid&/"
maproot => { host2ip("&host&"), string_downcase(escape("&host&")) },
admit => { host2ip("&host&"), string_downcase(escape("&host&")) },
maproot => { @{def.acl} },
admit_keys => { "&key&" };
"/var/rudder/shared-files/&uuid&/"
maproot => { host2ip("&host&"), string_downcase(escape("&host&")) },
admit => { host2ip("&host&"), string_downcase(escape("&host&")) },
maproot => { @{def.acl} },
admit_keys => { "&key&" };
} &
&endif&
&endif&
......
# Using ${sys.cf_agent} fails, as cf-serverd cannot canonize its path
windows::
"${sys.workdir}\bin\cf-agent.exe"
admit => { host2ip("${server_info.cfserved}"), string_downcase(escape("${server_info.cfserved}")) };
admit_ips => { host2ip("${server_info.cfserved}") };
!windows::
"${g.rudder_command}" comment => "Grant access to rudder agent command for cfruncommand",
admit => { host2ip("${server_info.cfserved}"), string_downcase(escape("${server_info.cfserved}")) };
admit_ips => { host2ip("${server_info.cfserved}") };
&if(NOVA)&
enterprise_edition::
......
comment => "Grant ${query_types} reporting query for the hub on the hosts",
resource_type => "query",
report_data_select => rudder_data_select_host,
admit => { ${def.policy_server}, @{sys.ip_addresses} };
admit_ips => { host2ip("${def.policy_server}"), @{sys.ip_addresses} };
&endif&
roles:
......
policy_server::
"acl" slist => {
"127.0.0.0/8" , "::1",
"127.0.0.0/8" , "::1",
&if(AUTHORIZED_NETWORKS)&
host2ip("${def.policy_server}"), # the policy server can connect to a relay
&AUTHORIZED_NETWORKS:{net|"&net&",}&
host2ip("${def.policy_server}"), # the policy server can connect to a relay
&AUTHORIZED_NETWORKS:{net|"&net&",}&
&endif&
};
!policy_server::
"acl" slist => {
"${def.policy_server}", host2ip("${def.policy_server}")
host2ip("${def.policy_server}")
};
}
......
body server control
{
&if(SKIPIDENTIFY)&
trustkeysfrom => {
@{def.acl} ,
&if(MANAGED_NODES_NAME)&
&MANAGED_NODES_NAME: {
"&it&"};separator=", "&
&endif&
}; #trustkey allows the exchange of keys
allowconnects => {
@{def.acl} ,
&if(MANAGED_NODES_NAME)&
&MANAGED_NODES_NAME: {
"&it&"};separator=", "&
&endif&
};
allowallconnects => {
@{def.acl} ,
&if(MANAGED_NODES_NAME)&
&MANAGED_NODES_NAME: {
"&it&"};separator=", "&
&endif&
};
&else&
trustkeysfrom => {
@{def.acl} ,
&if(MANAGED_NODES_NAME)&
&MANAGED_NODES_NAME: {
host2ip("&it&"), "&it&"};separator=", "&
&endif&
}; #trustkey allows the exchange of keys
allowconnects => {
@{def.acl} ,
&if(MANAGED_NODES_NAME)&
&MANAGED_NODES_NAME: {
host2ip("&it&"), "&it&"};separator=", "&
&endif&
};
allowallconnects => {
@{def.acl} ,
&if(MANAGED_NODES_NAME)&
&MANAGED_NODES_NAME: {
host2ip("&it&"), "&it&"};separator=", "&
&endif&
};
&endif&
maxconnections => "1000";
logallconnections => "true";
allowlegacyconnects => {
host2ip("${def.policy_server}"), # the policy server can connect
&if(AUTHORIZED_NETWORKS)&
&AUTHORIZED_NETWORKS:{net|"&net&",}&
&endif&
};
# Disallow old protocol
allowlegacyconnects => {};
windows::
cfruncommand => "${sys.cf_agent} -I -D cfruncommand -f \"failsafe.cf\" \&
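Review bot: The deny that now guards `${g.rudder_ncf_origin_local}/50_techniques`, `deny_ips => { "0.0.0.0/0" };`, only covers IPv4 clients, whereas the `deny => { ".*" }` it appears to replace matched any connecting host; since the `acl` list still carries `"::1"` and `AUTHORIZED_NETWORKS` may contain IPv6 ranges, an IPv6 client admitted to the parent `${g.rudder_ncf_origin_local}` path via `admit_ips => { @{def.acl} }` would no longer be caught by the deny. If `deny_ips` accepts IPv6 CIDR in this CFEngine version, `deny_ips => { "0.0.0.0/0", "::/0" };` closes that gap. A related point: the cfruncommand grants on `${g.rudder_command}` and `${sys.workdir}\bin\cf-agent.exe` now rest solely on `admit_ips => { host2ip("${server_info.cfserved}") }`, i.e. on a DNS resolution of the server name, while the per-node `/var/rudder/share/&uuid&/` paths moved to `admit_keys`; pinning the policy server's key there as well would tie that remote-execution trigger to identity rather than address. The old/new side of each line is inferred from the commit title because this page dropped the diff markers, and `bundle server access_rules` / `body server control` both extend beyond the hunks shown.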
techniques/system/common/1.0/failsafe.st
protocol_version => "2";
}
body agent control {
skipidentify => "&SKIPIDENTIFY&";
}
bundle common g
{
vars:
techniques/system/common/1.0/metadata.xml
<NAME>MANAGED_NODES_KEY</NAME>
<NAME>MANAGED_NODES_ADMIN</NAME>
<NAME>DENYBADCLOCKS</NAME>
<NAME>SKIPIDENTIFY</NAME>
<NAME>AGENT_RUN_INTERVAL</NAME>
<NAME>AGENT_RUN_SPLAYTIME</NAME>
<NAME>AGENT_RUN_SCHEDULE</NAME>
techniques/system/common/1.0/promises.st
agentfacility => "LOG_LOCAL6";
skipidentify => "&SKIPIDENTIFY&";
# Repository where to put the copy of modified files
default_repository => "${g.rudder_var}/modified-files";
variables.json
"SHARED_FILES_FOLDER": "/var/rudder/configuration-repository/shared-files",
"SEND_METRICS": "no",
"RUDDER_SERVER_ROLES": "rudder-ldap:localhost\nrudder-inventory-endpoint:localhost\nrudder-db:localhost\nrudder-web:localhost\nrudder-relay-top:localhost",
"SKIPIDENTIFY": "true",
"CFENGINE_OUTPUTS_TTL": "7",
"MODIFIED_FILES_TTL": "30",
"SKIPIDENTIFY": "true",
