
Revision bacecb87

Added by Alexis Mousset over 6 years ago

Fixes #11370: Deprecate techniques that have a more recent version and remove deprecated ones


maintained-techniques
# Any missing or extra technique versions will cause tests to fail.
applications/apacheReverseProxy/2.0
applications/apacheServer/3.0
applications/aptPackageInstallation/4.0
applications/aptPackageManagerSettings/3.0
applications/aptPackageManagerSettings/3.1
applications/openvpnClient/3.0
applications/packageManagement/1.0
applications/packageManagement/1.1
applications/repoGpgKeyManagement/1.0
applications/rpmPackageInstallation/7.0
applications/zmdPackageManagerSettings/3.0
applications/zypperPackageManagerRepositories/1.0
applications/zypperPackageManagerSetup/1.0
fileConfiguration/fileManagement/4.0
fileConfiguration/fileSecurity/filesPermissions/2.1
fileDistribution/checkGenericFileContent/7.0
fileDistribution/copyGitFile/2.0
fileDistribution/copyGitFile/2.1
fileDistribution/downloadFile/3.0
fileDistribution/fileTemplate/1.0
fileDistribution/manageKeyValueFile/1.0
fileDistribution/manageKeyValueFile/1.1
jobScheduling/jobScheduler/1.0
jobScheduling/jobScheduler/2.0
system/common/1.0
system/distributePolicy/1.0
system/inventory/1.0
system/server-roles/1.0
systemSettings/misc/clockConfiguration/3.0
systemSettings/misc/clockConfiguration/3.1
systemSettings/misc/genericCommandVariableDefinition/3.0
systemSettings/misc/genericVariableDefinition/2.0
systemSettings/misc/partitionSizeMonitoring/3.0
systemSettings/misc/setVars/1.0
systemSettings/misc/variableFromJsonFile/1.0
systemSettings/misc/variableFromJsonFile/2.0
systemSettings/networking/dnsConfiguration/3.0
systemSettings/networking/hostsConfiguration/2.0
......
systemSettings/networking/routingManagement/2.0
systemSettings/process/servicesManagement/3.0
systemSettings/process/services/1.0
systemSettings/remoteAccess/sshConfiguration/4.0
systemSettings/remoteAccess/sshConfiguration/5.0
systemSettings/remoteAccess/sshKeyDistribution/3.0
systemSettings/security/fileAlterationMonitoring/2.0
systemSettings/security/fileAlterationMonitoring/2.1
systemSettings/systemManagement/cronManagement/3.0
systemSettings/systemManagement/cronManagement/3.1
systemSettings/systemManagement/fstabConfiguration/4.0
systemSettings/systemManagement/motdConfiguration/3.1
systemSettings/systemManagement/motdConfiguration/3.2
systemSettings/userManagement/groupManagement/5.0
systemSettings/userManagement/sudoParameters/3.0
systemSettings/userManagement/sudoParameters/3.1
systemSettings/userManagement/userManagement/6.0
systemSettings/userManagement/userManagement/7.0
systemSettings/userManagement/userManagement/7.1
systemSettings/userManagement/userManagement/8.0
techniques/applications/aptPackageInstallation/4.0/aptPackageInstallation.st
#####################################################################################
# Copyright 2011 Normation SAS
#####################################################################################
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, Version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#####################################################################################
##########################################################################
# Installs requested packages by OS #
# #
# - APT_PACKAGE_DEBLIST --> The OS dependant packages to install #
# #
# - APT_PACKAGE_DEBACTION --> The action to be made on these packages #
# #
##########################################################################
bundle agent check_apt_package_installation
{
vars:
&APT_PACKAGE_DEBLIST:{name |"apt_package[&i&]" string => "&name&";
}&
&APT_PACKAGE_DEBACTION:{action |"apt_action[&i&]" string => "&action&";
}&
&APT_PACKAGE_ALLOW_UNTRUSTED:{untrusted |"apt_allow_untrusted[&i&]" string => "&untrusted&";
}&
&APT_PACKAGE_VERSION_DEFINITION:{definition |"apt_version_definition[&i&]" string => "&definition&";
}&
&APT_PACKAGE_VERSION_CRITERION:{version_criterion |"apt_version_criterion[&i&]" string => "&version_criterion&";
}&
&APT_PACKAGE_VERSION:{version |"apt_version[&i&]" string => "&version&";
}&
&TRACKINGKEY:{piuuid |"apt_policy_instance_uuid[&i&]" string => "&piuuid&";
}&
# "debian_packagelist" slist => {&APT_PACKAGE_DEBLIST: { "&it&" };separator=", "&};
"index_aptpkg" slist => getindices("apt_package");
classes:
"${index_aptpkg}_package_version_defined" not => strcmp("${apt_version_definition[${index_aptpkg}]}", "default");
any::
"pass3" expression => "pass2";
"pass2" expression => "pass1";
"pass1" expression => "any";
packages:
debian::
"${apt_package[${index_aptpkg}]}"
package_policy => "${apt_action[${index_aptpkg}]}",
package_method => apt_nobulk("30", "${apt_allow_untrusted[${index_aptpkg}]}"),
classes => kept_if_else("debian_install_kept_${apt_package[${index_aptpkg}]}", "debian_installed_${apt_package[${index_aptpkg}]}", "debian_install_failed_${apt_package[${index_aptpkg}]}"),
ifvarclass => "!${index_aptpkg}_package_version_defined",
comment => "Handling ${apt_package[${index_aptpkg}]} using apt_nobulk, policy : ${apt_action[${index_aptpkg}]}";
"${apt_package[${index_aptpkg}]}"
package_policy => "${apt_action[${index_aptpkg}]}",
package_method => apt_nobulk_version("30", "${apt_allow_untrusted[${index_aptpkg}]}"),
package_select => "${apt_version_criterion[${index_aptpkg}]}",
package_version => "${apt_version[${index_aptpkg}]}",
classes => kept_if_else("debian_install_kept_${apt_package[${index_aptpkg}]}", "debian_installed_${apt_package[${index_aptpkg}]}", "debian_install_failed_${apt_package[${index_aptpkg}]}"),
ifvarclass => "${index_aptpkg}_package_version_defined",
comment => "Handling ${apt_package[${index_aptpkg}]} using apt_nobulk, policy : ${apt_action[${index_aptpkg}]}";
methods:
pass3.debian::
"any" usebundle => rudder_common_report("packageInstallation", "result_repaired", "${apt_policy_instance_uuid[${index_aptpkg}]}", "Debian/Ubuntu packages", "${apt_package[${index_aptpkg}]}", "Performed repair action for deb package ${apt_package[${index_aptpkg}]} with policy: ${apt_action[${index_aptpkg}]}"),
ifvarclass => canonify("debian_installed_${apt_package[${index_aptpkg}]}");
"any" usebundle => rudder_common_report("packageInstallation", "result_error", "${apt_policy_instance_uuid[${index_aptpkg}]}", "Debian/Ubuntu packages", "${apt_package[${index_aptpkg}]}", "Error taking action for deb package ${apt_package[${index_aptpkg}]} with policy: ${apt_action[${index_aptpkg}]}"),
ifvarclass => canonify("debian_install_failed_${apt_package[${index_aptpkg}]}");
"any" usebundle => rudder_common_report("packageInstallation", "result_success", "${apt_policy_instance_uuid[${index_aptpkg}]}", "Debian/Ubuntu packages", "${apt_package[${index_aptpkg}]}", "No action required for deb package ${apt_package[${index_aptpkg}]} with policy: ${apt_action[${index_aptpkg}]}"),
ifvarclass => canonify("debian_install_kept_${apt_package[${index_aptpkg}]}");
}
body package_method apt_nobulk(apt_pkg_timeout, allow_untrusted)
{
any::
# make correct version comparisons
package_version_less_command => "${rudder_debian_knowledge.dpkg_compare_less}";
package_version_equal_command => "${rudder_debian_knowledge.dpkg_compare_equal}";
debian::
package_changes => "individual";
package_list_update_ifelapsed => "${apt_pkg_timeout}";
package_list_command => "/usr/bin/dpkg -l";
package_list_name_regex => ".i\s+([^\s:]+).*";
package_list_version_regex => ".i\s+[^\s]+\s+([^\s]+).*";
package_installed_regex => ".i.*"; # packages that have been uninstalled may be listed
package_name_convention => "${name}";
package_add_command => "/usr/bin/env DEBIAN_FRONTEND=noninteractive LC_ALL=C /usr/bin/apt-get -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef -o APT::Get::AutomaticRemove=false -o Apt::Get::AllowUnauthenticated=${allow_untrusted} --yes install";
package_list_update_command => "/usr/bin/apt-get update";
package_delete_command => "/usr/bin/env DEBIAN_FRONTEND=noninteractive LC_ALL=C /usr/bin/apt-get -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef -o APT::Get::AutomaticRemove=false --yes -q remove";
package_update_command => "/usr/bin/env DEBIAN_FRONTEND=noninteractive LC_ALL=C /usr/bin/apt-get -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef -o APT::Get::AutomaticRemove=false -o Apt::Get::AllowUnauthenticated=${allow_untrusted} --yes install";
package_verify_command => "/usr/bin/dpkg -s";
package_noverify_returncode => "1";
}
body package_method apt_nobulk_version(apt_pkg_timeout, allow_untrusted)
{
any::
# make correct version comparisons
package_version_less_command => "${rudder_debian_knowledge.dpkg_compare_less}";
package_version_equal_command => "${rudder_debian_knowledge.dpkg_compare_equal}";
debian::
package_changes => "individual";
package_list_update_ifelapsed => "${apt_pkg_timeout}";
package_list_command => "/usr/bin/dpkg -l";
package_list_name_regex => ".i\s+([^\s:]+).*";
package_list_version_regex => ".i\s+[^\s]+\s+([^\s]+).*";
package_installed_regex => ".i.*"; # packages that have been uninstalled may be listed
package_name_convention => "${name}=${version}";
package_add_command => "/usr/bin/env DEBIAN_FRONTEND=noninteractive LC_ALL=C /usr/bin/apt-get -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef -o APT::Get::AutomaticRemove=false -o Apt::Get::AllowUnauthenticated=${allow_untrusted} --yes install";
package_list_update_command => "/usr/bin/apt-get update";
package_delete_command => "/usr/bin/env DEBIAN_FRONTEND=noninteractive LC_ALL=C /usr/bin/apt-get -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef -o APT::Get::AutomaticRemove=false --yes -q remove";
package_update_command => "/usr/bin/env DEBIAN_FRONTEND=noninteractive LC_ALL=C /usr/bin/apt-get -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef -o APT::Get::AutomaticRemove=false -o Apt::Get::AllowUnauthenticated=${allow_untrusted} --yes install";
package_verify_command => "/usr/bin/dpkg -s";
package_noverify_returncode => "1";
}
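Review bot: Nothing in `check_apt_package_installation` reports when signature checking is switched off for a package: `apt_allow_untrusted[...]` goes straight into `-o Apt::Get::AllowUnauthenticated=${allow_untrusted}` in the add and update commands of `apt_nobulk` and `apt_nobulk_version`, and the three `rudder_common_report` calls read the same either way. A class defined next to the existing `_package_version_defined` one, `"${index_aptpkg}_untrusted_allowed" expression => strcmp("${apt_allow_untrusted[${index_aptpkg}]}", "true");`, could guard an extra `log_info` report under `pass3.debian::` that names the package, so unsigned installs show up in compliance data. The header comment lists only `APT_PACKAGE_DEBLIST` and `APT_PACKAGE_DEBACTION`; the allow-untrusted variable and the three version variables deserve a line each, and the `comment` on the second packages promise says `apt_nobulk` where it uses `apt_nobulk_version`. The rendered page has lost its +/- column, so this applies only if the file remains on the new side of the commit.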
techniques/applications/aptPackageInstallation/4.0/changelog
-- Benoit PECCATTE <benoit.peccatte@normation.com> Tue Sep 9 08:52:55 CEST 2014
* Version 3.0
** Rewrite with normal ordering and {}
-- BenoƮt Peccatte <benoit.peccatte@normation.com> Fri Oct 17 14:10:43 CEST 2014
* Version 4.0
** Use rudder_common_report instead of reports:
techniques/applications/aptPackageInstallation/4.0/metadata.xml
<!--
Copyright 2011 Normation SAS
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, Version 3.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
-->
<TECHNIQUE name="Packages (Debian/Ubuntu/APT)">
<DESCRIPTION>This technique operates on individual packages.
It will ensure that the defined packages are installed, up-to-date or removed using the APT package manager.</DESCRIPTION>
<DEPRECATED>This technique is deprecated, use "Package Management" instead.</DEPRECATED>
<MULTIINSTANCE>true</MULTIINSTANCE>
<BUNDLES>
<NAME>check_apt_package_installation</NAME>
</BUNDLES>
<TMLS>
<TML name="aptPackageInstallation"/>
</TMLS>
<TRACKINGVARIABLE>
<SAMESIZEAS>APT_PACKAGE_DEBLIST</SAMESIZEAS>
</TRACKINGVARIABLE>
<SECTIONS>
<SECTION name="Debian/Ubuntu packages" multivalued="true" component="true" componentKey="APT_PACKAGE_DEBLIST">
<!-- debian like related Section , index 1-->
<INPUT>
<NAME>APT_PACKAGE_DEBLIST</NAME>
<DESCRIPTION>Package name</DESCRIPTION>
</INPUT>
<SELECT1>
<NAME>APT_PACKAGE_ALLOW_UNTRUSTED</NAME>
<DESCRIPTION>Allow untrusted package installation</DESCRIPTION>
<LONGDESCRIPTION>Allow the installation of unsigned / wrongly signed packages. This option should be used with care and only on some very special cases</LONGDESCRIPTION>
<ITEM>
<LABEL>No</LABEL>
<VALUE>false</VALUE>
</ITEM>
<ITEM>
<LABEL>Yes</LABEL>
<VALUE>true</VALUE>
</ITEM>
<CONSTRAINT>
<DEFAULT>false</DEFAULT>
</CONSTRAINT>
</SELECT1>
<SELECT1>
<NAME>APT_PACKAGE_DEBACTION</NAME>
<DESCRIPTION>Action to perform on this package</DESCRIPTION>
<ITEM>
<LABEL>Install only (don't update)</LABEL>
<VALUE>add</VALUE>
</ITEM>
<ITEM>
<LABEL>Update only (don't install)</LABEL>
<VALUE>update</VALUE>
</ITEM>
<!--<ITEM> # CURRENTLY BROKEN IN CFENGINE #
<LABEL>Install and update automatically</LABEL>
<VALUE>addupdate</VALUE>
</ITEM>-->
<ITEM>
<LABEL>Remove</LABEL>
<VALUE>delete</VALUE>
</ITEM>
<CONSTRAINT>
<DEFAULT>add</DEFAULT>
</CONSTRAINT>
</SELECT1>
<SECTION name="Package version" component="false">
<SELECT1>
<NAME>APT_PACKAGE_VERSION_DEFINITION</NAME>
<DESCRIPTION>Define package version to install</DESCRIPTION>
<ITEM>
<LABEL>Use package manager default version</LABEL>
<VALUE>default</VALUE>
</ITEM>
<ITEM>
<LABEL>Define version criteria below</LABEL>
<VALUE>specific</VALUE>
</ITEM>
<CONSTRAINT>
<DEFAULT>default</DEFAULT>
</CONSTRAINT>
</SELECT1>
<SELECT1>
<NAME>APT_PACKAGE_VERSION_CRITERION</NAME>
<DESCRIPTION>Package version match</DESCRIPTION>
<ITEM>
<LABEL><![CDATA[==]]> This exact version only</LABEL>
<VALUE><![CDATA[==]]></VALUE>
</ITEM>
<ITEM>
<LABEL><![CDATA[!=]]> Anything but this version</LABEL>
<VALUE><![CDATA[!=]]></VALUE>
</ITEM>
<ITEM>
<LABEL><![CDATA[>=]]> This version or any later one</LABEL>
<VALUE><![CDATA[>=]]></VALUE>
</ITEM>
<ITEM>
<LABEL><![CDATA[<=]]> This version or any earlier one</LABEL>
<VALUE><![CDATA[<=]]></VALUE>
</ITEM>
<ITEM>
<LABEL><![CDATA[>]]> Any later version</LABEL>
<VALUE><![CDATA[>]]></VALUE>
</ITEM>
<ITEM>
<LABEL><![CDATA[<]]> Any earlier version</LABEL>
<VALUE><![CDATA[<]]></VALUE>
</ITEM>
<CONSTRAINT>
<DEFAULT>==</DEFAULT>
</CONSTRAINT>
</SELECT1>
<INPUT>
<NAME>APT_PACKAGE_VERSION</NAME>
<DESCRIPTION>Package version number</DESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</INPUT>
</SECTION>
</SECTION>
</SECTIONS>
</TECHNIQUE>
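Review bot: `APT_PACKAGE_DEBLIST` and `APT_PACKAGE_VERSION` are free-text inputs with no format constraint, yet this technique's template turns them into the `${name}` / `${name}=${version}` argument of the `apt-get ... install` and `remove` command lines. A value containing whitespace or starting with `-` would be read by apt-get as extra arguments rather than one package name; whether a shell also interprets it depends on the package method's shell setting, which the page does not show. A regex constraint keeping the name to the Debian package-name alphabet, for example `[a-z0-9][a-z0-9+.-]+`, and the version to `[A-Za-z0-9.+:~-]*`, would hold both fields to a single token. The LONGDESCRIPTION of `APT_PACKAGE_ALLOW_UNTRUSTED` could also state plainly that "Yes" disables APT signature verification for that package's install and update commands. The +/- column is lost on this page, so this applies only if the file stays in the tree.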
techniques/applications/aptPackageManagerSettings/3.0/aptPackageManagerSettings.st
#####################################################################################
# Copyright 2011-2012 Normation SAS
#####################################################################################
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, Version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#####################################################################################
######################################################
# Configures the APT Package Manager #
######################################################
bundle agent check_apt_settings
{
vars:
debian_4::
"apt_detected_distro" string => "etch";
debian_5::
"apt_detected_distro" string => "lenny";
debian_6::
"apt_detected_distro" string => "squeeze";
debian_7::
"apt_detected_distro" string => "wheezy";
debian_8::
"apt_detected_distro" string => "jessie";
debian_9::
"apt_detected_distro" string => "stretch";
debian_10::
"apt_detected_distro" string => "buster";
ubuntu_karmic|ubuntu_9_10::
"apt_detected_distro" string => "karmic";
ubuntu_lucid|ubuntu_10_4::
"apt_detected_distro" string => "lucid";
ubuntu_maverick|ubuntu_10_10::
"apt_detected_distro" string => "maverick";
ubuntu_natty|ubuntu_11_4::
"apt_detected_distro" string => "natty";
ubuntu_oneiric|ubuntu_11_10::
"apt_detected_distro" string => "oneiric";
ubuntu_precise|ubuntu_12_4::
"apt_detected_distro" string => "precise";
ubuntu_quantal|ubuntu_12_10::
"apt_detected_distro" string => "quantal";
ubuntu_raring|ubuntu_13_4::
"apt_detected_distro" string => "raring";
ubuntu_saucy|ubuntu_13_10::
"apt_detected_distro" string => "saucy";
ubuntu_trusty|ubuntu_14_4::
"apt_detected_distro" string => "trusty";
ubuntu_utopic|ubuntu_14_10::
"apt_detected_distro" string => "utopic";
ubuntu_vivid|ubuntu_15_4::
"apt_detected_distro" string => "vivid";
ubuntu_willy|ubuntu_15_10::
"apt_detected_distro" string => "willy";
ubuntu_xenial|ubuntu_16_4::
"apt_detected_distro" string => "xenial";
ubuntu_yakkety|ubuntu_16_10::
"apt_detected_distro" string => "yakkety";
ubuntu_zesty|ubuntu_17_4::
"apt_detected_distro" string => "zesty";
ubuntu_artful|ubuntu_17_10::
"apt_detected_distro" string => "artful";
apt_installrecommends_edit::
"aptconf[APT::Install-Recommends]" string => "&APT_INSTALLRECOMMENDS&";
apt_installsuggests_edit::
"aptconf[APT::Install-Suggests]" string => "&APT_INSTALLSUGGESTS&";
any::
&if (APT_HTTPPROXY_URL)&
"aptconf[Acquire::http::Proxy]" string => "\"&APT_HTTPPROXY_URL&\";";
&endif&
&if (APT_FTPPROXY_URL)&
"aptconf[Acquire::ftp::Proxy]" string => "\"&APT_FTPPROXY_URL&\";";
&endif&
&APT_URL:{apt_url |"apt_url[&i&]" string => "&apt_url&";
}&
&APT_COMPONENT_MAIN, APT_COMPONENT_CONTRIB, APT_COMPONENT_NON_FREE, APT_COMPONENT_RESTRICTED, APT_COMPONENT_UNIVERSE, APT_COMPONENT_MULTIVERSE:{main, contrib, nonfree, restricted, universe, multiverse |"apt_components[&i&]" string => "&main& &contrib& &nonfree& &restricted& &universe& &multiverse&";
}&
&APT_DISTRIBUTION, APT_DISTRO_AUTODETECT:{apt_distro, apt_autodetect |"apt_distro[&i&]" string => "&if (apt_autodetect)&${apt_detected_distro}&else&&apt_distro&&endif&";
}&
classes:
# Repositories edition ?
"apt_repositories_edit" not => strcmp("&APT_ADDREPOSITORIES&","false");
# Disable repositories ?
"apt_disablerepositories" not => strcmp("&APT_DISABLEREPOSITORIES&","false");
# InstallRecommends edition ?
"apt_installrecommends_edit" not => strcmp("&APT_INSTALLRECOMMENDS&","dontchange");
# InstallSuggests edition ?
"apt_installsuggests_edit" not => strcmp("&APT_INSTALLSUGGESTS&","dontchange");
any::
"pass3" expression => "pass2";
"pass2" expression => "pass1";
"pass1" expression => "any";
files:
debian.apt_repositories_edit::
"/etc/apt/sources.list.d/rudder-apt.list"
create => "true",
perms => m("644"),
edit_line => set_apt_config_values_tier1("check_apt_settings.apt_url", "check_apt_settings.apt_distro", "check_apt_settings.apt_components"),
edit_defaults => empty_backup,
classes => kept_if_else("apt_tier1_kept", "apt_tier1_validated", "apt_tier1_failed");
debian::
"/etc/apt/apt.conf.d/99rudder"
create => "true",
perms => m("644"),
edit_defaults => empty_backup,
edit_line => set_apt_config_values_tier2("check_apt_settings.aptconf"),
classes => kept_if_else("apt_tier2_kept", "apt_tier2_validated", "apt_tier2_failed");
debian.apt_disablerepositories.(apt_tier1_validated|apt_tier1_kept)::
"/etc/apt/sources.list"
create => "true",
perms => m("644"),
edit_defaults => noempty_backup,
edit_line => comment_lines_matching("^[^#].*$","#"),
classes => kept_if_else("apt_disabled_kept", "apt_disabled_validated", "apt_disabled_failed");
"/etc/apt/sources.list.d/.*"
edit_line => comment_lines_matching("^[^#].*$","#"),
edit_defaults => noempty_backup,
file_select => not_rudderaptlist,
classes => kept_if_else("apt_disabled_kept", "apt_disabled_validated", "apt_disabled_failed");
methods:
# SUCCESS if:
## Do not need to edit repositories or repositories good = ((apt_tier1_kept|!apt_repositories_edit).!apt_tier1_validated)
## and
## APT Config good = (apt_tier2_kept.!apt_tier2_validated)
## and
## No need to disable other repositories (not require or already disabled) = ((!apt_disablerepositories|(apt_disabled_kept|!apt_repositories_edit)).!apt_disabled_validated)
## and
## No error = !(apt_tier1_failed|apt_tier2_failed|apt_disabled_failed)
pass3.(((apt_tier1_kept|!apt_repositories_edit).!apt_tier1_validated).(apt_tier2_kept.!apt_tier2_validated).((!apt_disablerepositories|(apt_disabled_kept|!apt_repositories_edit)).!apt_disabled_validated).!(apt_tier1_failed|apt_tier2_failed|apt_disabled_failed))::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "result_success", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT settings were all already correct");
# REPAIRED if:
## Need to edit repositories and no error= apt_tier1_validated
## or
## Need to edit APT config and no error = apt_tier2_validated
## or
## Need to disable other repositories and no error= apt_disabled_validated
## and
## No error = !(apt_tier1_failed|apt_tier2_failed|apt_disabled_failed)
pass3.((apt_tier1_validated|apt_tier2_validated|apt_disabled_validated).(!apt_tier1_failed|!apt_tier2_failed|!apt_disabled_failed))::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "result_repaired", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "Some APT settings were reset");
# Clear package caches, same class as for repaired reporting
"force_package_list_update" usebundle => file_remove("/var/rudder/cfengine-community/state/software_update_timestamp_apt-get");
pass3.apt_tier1_kept::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "log_info", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT repositories already correct");
pass3.apt_tier2_kept::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "log_info", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT configuration parameters already correct");
pass3.apt_tier1_validated::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "log_repaired", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT repositories have been reset");
pass3.apt_tier2_validated::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "log_repaired", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT configuration parameters have been reset");
pass3.apt_tier1_failed::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "result_error", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT repositories could not be edited");
pass3.apt_tier2_failed::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "result_error", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT configuration could not be set");
pass3.apt_disablerepositories::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "log_info", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT repository purge has been requested");
pass3.apt_disabled_validated::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "log_repaired", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT repositories deactivation is done");
pass3.apt_disabled_failed::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "result_error", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT repositories deactivation is failed");
pass3.(!debian)::
"any" usebundle => rudder_common_report("aptPackageManagerSettings", "result_error", "&TRACKINGKEY&", "aptPackageManagerSettings", "None", "APT cannot be configured on non Debian OSes");
}
bundle edit_line set_apt_config_values_tier1(apt_url, apt_distro, apt_components)
{
vars:
"apt_index" slist => getindices("${apt_url}");
insert_lines:
"${rudder_parameters.rudder_file_edit_header}"
location => start,
insert_type => "preserve_block";
"deb ${${apt_url}[${apt_index}]} ${${apt_distro}[${apt_index}]} ${${apt_components}[${apt_index}]}";
}
bundle edit_line set_apt_config_values_tier2(tab)
# Sets the RHS of configuration items in the file of the form
# LHS RHS
# If the line is commented out with #, it gets uncommented first.
# Adds a new line if none exists.
# The argument is an associative array containing v[LHS]="rhs"
# Based on set_variable_values from cfengine_stdlib.cf, modified to
# use whitespace as separator, and to handle commented-out lines.
{
vars:
"index" slist => getindices("${tab}");
# Be careful if the index string contains funny chars
"cindex[${index}]" string => canonify("${index}");
field_edits:
# If the line is there, but commented out, first uncomment it
"#+${index}\s+.*"
edit_field => col("\s+","1","${index}","set");
# match a line starting like the key something
"${index}\s+.*"
edit_field => col("\s+","2","${${tab}[${index}]}","set"),
classes => if_ok("not_${cindex[${index}]}");
insert_lines:
"// ### File managed by Rudder, edit with care ###"
location => start;
"${index} ${${tab}[${index}]}"
ifvarclass => "!not_${cindex[${index}]}";
}
body file_select not_rudderaptlist
{
leaf_name => { "^[^rudder.*?\.list].*" };
file_result => "leaf_name";
}
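Review bot: `not_rudderaptlist` does not single out `rudder-apt.list`: `"^[^rudder.*?\.list].*"` is a character class, so it skips every file whose name begins with one of the characters `r u d e l i s t . * ?`. With "disable all other repositories" ticked, files under `/etc/apt/sources.list.d/` whose names start with those characters are left uncommented, so the node can keep installing from repositories the directive was meant to turn off. A negative lookahead expresses the intent: `leaf_name => { "^(?!rudder-apt\.list$).*" };`. Separately, the REPAIRED guard uses `(!apt_tier1_failed|!apt_tier2_failed|!apt_disabled_failed)` where its own comment says `!(apt_tier1_failed|apt_tier2_failed|apt_disabled_failed)`, so a repaired result is still reported when one step failed. The +/- column is lost on this page, so both points apply only if this file, or the same code in a newer version, stays in the tree.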
techniques/applications/aptPackageManagerSettings/3.0/changelog
-- Benoit PECCATTE <benoit.peccatte@normation.com> Tue Sep 9 08:52:55 CEST 2014
* Version 2.0
** Rewrite with normal ordering and {}
-- BenoƮt Peccatte <benoit.peccatte@normation.com> Fri Oct 17 14:10:43 CEST 2014
* Version 3.0
** Use rudder_common_report instead of reports:
techniques/applications/aptPackageManagerSettings/3.0/metadata.xml
<!--
Copyright 2011 Normation SAS
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, Version 3.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
-->
<!--
This is the APT Package Manager Configuration PT.
Compatibility : Debian like
It is intended to set a bunch of options commonly
appreciated by administrators on the APT package
manager, and eventually enforce them.
-->
<TECHNIQUE name="APT package manager configuration">
<DESCRIPTION>This technique configure the APT package manager.</DESCRIPTION>
<DEPRECATED>This version is deprecated, use 3.1 instead.</DEPRECATED>
<BUNDLES>
<NAME>check_apt_settings</NAME>
</BUNDLES>
<TMLS>
<TML name="aptPackageManagerSettings"/>
</TMLS>
<SECTIONS>
<!-- General settings Section , index 1-->
<SECTION name="General settings">
<SELECT1>
<NAME>APT_INSTALLRECOMMENDS</NAME>
<DESCRIPTION>Install 'recommended' packages automatically</DESCRIPTION>
<ITEM>
<VALUE>dontchange</VALUE>
<LABEL>Don't change</LABEL>
</ITEM>
<ITEM>
<VALUE>\"1\";</VALUE>
<LABEL>Yes</LABEL>
</ITEM>
<ITEM>
<VALUE>\"0\";</VALUE>
<LABEL>No</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT>dontchange</DEFAULT>
</CONSTRAINT>
</SELECT1>
<SELECT1>
<NAME>APT_INSTALLSUGGESTS</NAME>
<DESCRIPTION>Install 'suggested' packages automatically</DESCRIPTION>
<ITEM>
<VALUE>dontchange</VALUE>
<LABEL>Don't change</LABEL>
</ITEM>
<ITEM>
<VALUE>\"1\";</VALUE>
<LABEL>Yes</LABEL>
</ITEM>
<ITEM>
<VALUE>\"0\";</VALUE>
<LABEL>No</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT>dontchange</DEFAULT>
</CONSTRAINT>
</SELECT1>
</SECTION>
<!-- Proxy settings Section , index 10-->
<SECTION name="Proxy settings" displayPriority="low">
<INPUT>
<NAME>APT_HTTPPROXY_URL</NAME>
<DESCRIPTION>HTTP proxy URL</DESCRIPTION>
<LONGDESCRIPTION>The URL should be in the following format: http://[user:password@]server[:port]/</LONGDESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>APT_FTPPROXY_URL</NAME>
<DESCRIPTION>FTP proxy URL</DESCRIPTION>
<LONGDESCRIPTION>The URL should be in the following format: ftp://[user:password@]server[:port]/</LONGDESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</INPUT>
</SECTION>
<!-- Repository settings Section , index 20 -->
<SECTION name="Repository settings">
<INPUT>
<NAME>APT_ADDREPOSITORIES</NAME>
<DESCRIPTION>Also add the following package repositories</DESCRIPTION>
<LONGDESCRIPTION>Tick this box if you want to add/edit the package repositories apt uses.</LONGDESCRIPTION>
<CONSTRAINT>
<TYPE>boolean</TYPE>
<DEFAULT>false</DEFAULT>
</CONSTRAINT>
</INPUT>
<SECTION name="Repository" multivalued="true" displayPriority="low">
<INPUT>
<NAME>APT_URL</NAME>
<DESCRIPTION>Repository URL</DESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>APT_DISTRO_AUTODETECT</NAME>
<DESCRIPTION>Automatically detect the distribution</DESCRIPTION>
<LONGDESCRIPTION>Tick this box to use the distribution's name (ie, squeeze, lenny, lucid, ...) as the "path" on this repository. This is the default usage for apt repositories, but you may want to specify a different name (ie, squeeze-backports, stable, ...)</LONGDESCRIPTION>
<CONSTRAINT>
<TYPE>boolean</TYPE>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>APT_DISTRIBUTION</NAME>
<DESCRIPTION>Distribution</DESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</INPUT>
<SELECT1>
<NAME>APT_COMPONENT_MAIN</NAME>
<DESCRIPTION>Use main</DESCRIPTION>
<ITEM>
<VALUE>main</VALUE>
<LABEL>Yes</LABEL>
</ITEM>
<ITEM>
<VALUE></VALUE>
<LABEL>No</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT>main</DEFAULT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</SELECT1>
<SELECT1>
<NAME>APT_COMPONENT_CONTRIB</NAME>
<DESCRIPTION>Use contrib</DESCRIPTION>
<ITEM>
<VALUE>contrib</VALUE>
<LABEL>Yes</LABEL>
</ITEM>
<ITEM>
<VALUE></VALUE>
<LABEL>No</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT></DEFAULT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</SELECT1>
<SELECT1>
<NAME>APT_COMPONENT_NON_FREE</NAME>
<DESCRIPTION>Use non-free</DESCRIPTION>
<ITEM>
<VALUE>non-free</VALUE>
<LABEL>Yes</LABEL>
</ITEM>
<ITEM>
<VALUE></VALUE>
<LABEL>No</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT></DEFAULT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</SELECT1>
<SELECT1>
<NAME>APT_COMPONENT_RESTRICTED</NAME>
<DESCRIPTION>Use restricted</DESCRIPTION>
<ITEM>
<VALUE>restricted</VALUE>
<LABEL>Yes</LABEL>
</ITEM>
<ITEM>
<VALUE></VALUE>
<LABEL>No</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT></DEFAULT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</SELECT1>
<SELECT1>
<NAME>APT_COMPONENT_UNIVERSE</NAME>
<DESCRIPTION>Use universe</DESCRIPTION>
<ITEM>
<VALUE>universe</VALUE>
<LABEL>Yes</LABEL>
</ITEM>
<ITEM>
<VALUE></VALUE>
<LABEL>No</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT></DEFAULT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</SELECT1>
<SELECT1>
<NAME>APT_COMPONENT_MULTIVERSE</NAME>
<DESCRIPTION>Use multiverse</DESCRIPTION>
<ITEM>
<VALUE>multiverse</VALUE>
<LABEL>Yes</LABEL>
</ITEM>
<ITEM>
<VALUE></VALUE>
<LABEL>No</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT></DEFAULT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</SELECT1>
</SECTION>
<INPUT>
<NAME>APT_DISABLEREPOSITORIES</NAME>
<DESCRIPTION>Disable all other repositories than these (potentially dangerous)</DESCRIPTION>
<LONGDESCRIPTION>If you tick this box, Rudder will remove all repositories defined in apt's settings, and only add in the ones above. Use with caution!</LONGDESCRIPTION>
<CONSTRAINT>
<TYPE>boolean</TYPE>
<DEFAULT>false</DEFAULT>
</CONSTRAINT>
</INPUT>
</SECTION>
</SECTIONS>
</TECHNIQUE>
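Review bot: The proxy LONGDESCRIPTIONs invite `user:password@` in `APT_HTTPPROXY_URL` and `APT_FTPPROXY_URL`, and this technique's template writes those values into `/etc/apt/apt.conf.d/99rudder` with `perms => m("644")`, so any local account on the node can read the proxy password. Either the description should say so, e.g. `Credentials embedded in this URL are stored in a world-readable file on the node`, or the file should get a tighter mode after checking that unprivileged apt commands on the target releases still work. The DESCRIPTION also has a small slip: `This technique configure` should read `configures`. The +/- column is lost on this page, so this applies only if the file stays in the tree.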
techniques/applications/openvpnClient/3.0/changelog
-- Benoit PECCATTE <benoit.peccatte@normation.com> Tue Sep 9 08:52:55 CEST 2014
* Version 2.0
** Rewrite with normal ordering and {}
-- BenoƮt Peccatte <benoit.peccatte@normation.com> Fri Oct 17 14:10:43 CEST 2014
* Version 3.0
** Use rudder_common_report instead of reports:
techniques/applications/openvpnClient/3.0/metadata.xml
<!--
Copyright 2011 Normation SAS
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, Version 3.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
-->
<TECHNIQUE name="VPN client (OpenVPN)">
<DESCRIPTION>This technique will configure the OpenVPN client service and ensure it is running.
It will ensure the "openvpn" package is installed (via the appropriate packaging tool for each OS), ensure the service is running and start it if not and ensure the service is configured to run on initial system startup.
Configuration will create a rudder.conf file.
As of this version, only the PSK peer identification method is supported, please use the "Download File" Technique to distribute the secret key.
</DESCRIPTION>
<DEPRECATED>This technique is deprecated</DEPRECATED>
<BUNDLES>
<NAME>check_openvpn_installation</NAME>
<NAME>check_openvpn_client_configuration</NAME>
</BUNDLES>
<TMLS>
<TML name="openvpnClientConfiguration"/>
<TML name="openvpnInstall"/>
</TMLS>
<TRACKINGVARIABLE>
<SAMESIZEAS>OVPN_CLIENT_REMOTE_SERVER</SAMESIZEAS>
</TRACKINGVARIABLE>
<SECTIONS>
<SECTION name="OpenVPN install" component="true" />
<SECTION name="OpenVPN configuration" component="true" />
<!-- general Section , index 1-->
<SECTION name="General settings">
<INPUT>
<NAME>OVPN_CLIENT_AUTOSTART</NAME>
<DESCRIPTION>Start OpenVPN automatically on boot</DESCRIPTION>
<CONSTRAINT>
<TYPE>boolean</TYPE>
<DEFAULT>true</DEFAULT>
</CONSTRAINT>
</INPUT>
<SELECT1>
<NAME>OVPN_CLIENT_KEYMODE</NAME>
<DESCRIPTION>Which peer authentication method is desired</DESCRIPTION>
<LONGDESCRIPTION>The keys for the choosed method should be present for openvpn to function</LONGDESCRIPTION>
<ITEM>
<VALUE>psk</VALUE>
<LABEL>Pre-shared key</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT>psk</DEFAULT>
</CONSTRAINT>
</SELECT1>
<INPUT>
<NAME>OVPN_CLIENT_PSKFILE</NAME>
<DESCRIPTION>Which file should be used as psk shared
secret</DESCRIPTION>
<CONSTRAINT>
<DEFAULT>/etc/openvpn/secret.key</DEFAULT>
</CONSTRAINT>
</INPUT>
<SELECT1>
<NAME>OVPN_CLIENT_TUNTAP</NAME>
<DESCRIPTION>TUN/TAP virtual network device type</DESCRIPTION>
<ITEM>
<VALUE>tun</VALUE>
<LABEL>Routed mode (tun)</LABEL>
</ITEM>
<ITEM>
<VALUE>tap</VALUE>
<LABEL>Bridged mode (tap)</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT>tun</DEFAULT>
</CONSTRAINT>
</SELECT1>
</SECTION>
<SECTION name="Remote server settings" multivalued="true">
<INPUT>
<NAME>OVPN_CLIENT_REMOTE_SERVER</NAME>
<DESCRIPTION>Remote host name or IP address to connect to</DESCRIPTION>
<CONSTRAINT>
<TYPE>string</TYPE>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>OVPN_CLIENT_REMOTE_PORT</NAME>
<DESCRIPTION>Remote port to connect to</DESCRIPTION>
<CONSTRAINT>
<TYPE>string</TYPE>
<DEFAULT>1194</DEFAULT>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>OVPN_CLIENT_REMOTE_RANDOMIZE</NAME>
<DESCRIPTION>Randomize the remotes usage (basic load-balancing measure)</DESCRIPTION>
<CONSTRAINT>
<TYPE>boolean</TYPE>
<DEFAULT>false</DEFAULT>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>OVPN_CLIENT_REMOTE_AUTH</NAME>
<DESCRIPTION>Authenticate with server using username/password (ENABLE WITH CERTIFICATE MODE ONLY)</DESCRIPTION>
<CONSTRAINT>
<TYPE>boolean</TYPE>
<DEFAULT>false</DEFAULT>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>OVPN_CLIENT_REMOTE_USER</NAME>
<DESCRIPTION>Remote user</DESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
</CONSTRAINT>
</INPUT>
<INPUT>
<NAME>OVPN_CLIENT_REMOTE_PASSWORD</NAME>
<DESCRIPTION>Remote password</DESCRIPTION>
<CONSTRAINT>
<MAYBEEMPTY>true</MAYBEEMPTY>
<TYPE>password</TYPE>
<PASSWORDHASH>plain</PASSWORDHASH>
</CONSTRAINT>
</INPUT>
<SELECT1>
<NAME>OVPN_CLIENT_REMOTE_PROTOCOL</NAME>
<DESCRIPTION>Which protocol should be used to communicate with the server</DESCRIPTION>
<ITEM>
<VALUE>tcp</VALUE>
<LABEL>TCP</LABEL>
</ITEM>
<ITEM>
<VALUE>udp</VALUE>
<LABEL>UDP</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT>udp</DEFAULT>
</CONSTRAINT>
</SELECT1>
<INPUT>
<NAME>OVPN_CLIENT_REMOTE_KEEPTRYING</NAME>
<DESCRIPTION>Keep trying indefinitely to resolve the host name of the OpenVPN server</DESCRIPTION>
<CONSTRAINT>
<TYPE>boolean</TYPE>
<DEFAULT>true</DEFAULT>
</CONSTRAINT>
</INPUT>
</SECTION>
<SECTION name="Logging settings">
<!-- logging settings Section , index 20 -->
<SELECT1>
<NAME>OVPN_CLIENT_LOGGING_TARGET</NAME>
<DESCRIPTION>Log destination</DESCRIPTION>
<ITEM>
<VALUE>file</VALUE>
<LABEL>File</LABEL>
</ITEM>
<ITEM>
<VALUE>syslog</VALUE>
<LABEL>Syslog</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT>syslog</DEFAULT>
</CONSTRAINT>
</SELECT1>
<INPUT>
<NAME>OVPN_CLIENT_LOGGING_FILE</NAME>
<DESCRIPTION>Output logging messages to this file, including output to stdout/stderr which is generated by called scripts</DESCRIPTION>
<CONSTRAINT>
<DEFAULT>/var/log/openvpn-rudder.log</DEFAULT>
</CONSTRAINT>
</INPUT>
<SELECT1>
<NAME>OVPN_CLIENT_LOGGING_BEHAVIOR</NAME>
<DESCRIPTION>Log file behavior on restart</DESCRIPTION>
<ITEM>
<VALUE>append</VALUE>
<LABEL>Append</LABEL>
</ITEM>
<ITEM>
<VALUE>truncate</VALUE>
<LABEL>Truncate</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT>append</DEFAULT>
</CONSTRAINT>
</SELECT1>
<SELECT1>
<NAME>OVPN_CLIENT_LOGGING_VERBOSITY</NAME>
<DESCRIPTION>Log verbosity</DESCRIPTION>
<ITEM>
<VALUE>0</VALUE>
<LABEL>0 (No output except fatal errors)</LABEL>
</ITEM>
<ITEM>
<VALUE>1</VALUE>
<LABEL>1</LABEL>
</ITEM>
<ITEM>
<VALUE>2</VALUE>
<LABEL>2</LABEL>
</ITEM>
<ITEM>
<VALUE>3</VALUE>
<LABEL>3 (Recommended)</LABEL>
</ITEM>
<ITEM>
<VALUE>4</VALUE>
<LABEL>4</LABEL>
</ITEM>
<ITEM>
<VALUE>5</VALUE>
<LABEL>5 (Output R and W characters for each packet read and write)</LABEL>
</ITEM>
<ITEM>
<VALUE>6</VALUE>
<LABEL>6 (WARNING : As of this value, logging becomes HIGHLY verbose)</LABEL>
</ITEM>
<ITEM>
<VALUE>7</VALUE>
<LABEL>7</LABEL>
</ITEM>
<ITEM>
<VALUE>8</VALUE>
<LABEL>8</LABEL>
</ITEM>
<ITEM>
<VALUE>9</VALUE>
<LABEL>9</LABEL>
</ITEM>
<ITEM>
<VALUE>10</VALUE>
<LABEL>10</LABEL>
</ITEM>
<ITEM>
<VALUE>11</VALUE>
<LABEL>11</LABEL>
</ITEM>
<CONSTRAINT>
<DEFAULT>3</DEFAULT>
</CONSTRAINT>
</SELECT1>
</SECTION>
</SECTIONS>
</TECHNIQUE>
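Review bot: The password input declared here as `OVPN_CLIENT_REMOTE_PASSWORD` is not the name the template further down the page reads: openvpnClientConfiguration.st passes `&OVPN_CLIENT_REMOTE_PASS&` to `set_openvpn_config_values_keyring`, so the password entered in the form would presumably never reach /etc/openvpn/keyring.pwd. The same kind of mismatch affects `OVPN_CLIENT_LOGGING_BEHAVIOR`, whose items are `append` and `truncate` while the template tests `strcmp("&OVPN_CLIENT_LOGGING_BEHAVIOR&","true")`, so the `log-append` branch can never be selected. The page does not show which side of the diff these lines are on; if the technique stays in the tree, the template should read `&OVPN_CLIENT_REMOTE_PASSWORD&` and compare the logging behavior against `"append"`. Separately, `<PASSWORDHASH>plain</PASSWORDHASH>` keeps the credential in clear text, and the `OVPN_CLIENT_REMOTE_AUTH` description says to enable it in certificate mode only although `OVPN_CLIENT_KEYMODE` offers only `psk`. A comment next to the password constraint would document the first point, for example `<!-- stored in clear: written as-is to keyring.pwd (mode 600, owner root) for auth-user-pass -->`.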
techniques/applications/openvpnClient/3.0/openvpnClientConfiguration.st
#####################################################################################
# Copyright 2011 Normation SAS
#####################################################################################
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, Version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#####################################################################################
bundle agent check_openvpn_client_configuration
{
vars:
&OVPN_CLIENT_REMOTE_SERVER, OVPN_CLIENT_REMOTE_PORT:{server, port |"ovpn_client_remote[&i&]" string => "&server& &port&";
}&
"ovpn_client[dev]" string => "&OVPN_CLIENT_TUNTAP&";
"ovpn_client[proto]" string => "&OVPN_CLIENT_REMOTE_PROTOCOL&";
"ovpn_client[script-security]" string => "2";
"ovpn_client[verb]" string => "&OVPN_CLIENT_LOGGING_VERBOSITY&";
ovpn_client_pskmode::
"ovpn_client[secret]" string => "&OVPN_CLIENT_PSKFILE&";
ovpn_client_randomize::
"ovpn_client[remote-random]" string => "";
ovpn_client_pwauth::
"ovpn_client[auth-user-pass]" string => "/etc/openvpn/keyring.pwd";
ovpn_client_keepretrying::
"ovpn_client[resolv-retry]" string => "infinite";
ovpn_client_logtofile.ovpn_client_appendfile::
"ovpn_client[log-append]" string => "&OVPN_CLIENT_LOGGING_FILE&";
ovpn_client_logtofile.!ovpn_client_appendfile::
"ovpn_client[log]" string => "&OVPN_CLIENT_LOGGING_FILE&";
classes:
# Security : if not there, OpenVPN too, so don't bother anymore
"openvpn_bin_present" expression => fileexists("/usr/sbin/openvpn");
# Autostart ?
"ovpn_client_autostart" expression => strcmp("&OVPN_CLIENT_AUTOSTART&","true");
# PSK mode ?
"ovpn_client_pskmode" expression => strcmp("&OVPN_CLIENT_KEYMODE&","psk");
# Randomize remotes ?
"ovpn_client_randomize" expression => strcmp("&OVPN_CLIENT_REMOTE_RANDOMIZE&","true");
# Use user/password ?
"ovpn_client_pwauth" expression => strcmp("&OVPN_CLIENT_REMOTE_AUTH&","true");
# Do not use user/password ?
"ovpn_client_nopwauth" expression => strcmp("&OVPN_CLIENT_REMOTE_AUTH&","false");
# Log to file ?
"ovpn_client_logtofile" expression => strcmp("&OVPN_CLIENT_LOGGING_TARGET&","file");
# Append logs ?
"ovpn_client_appendfile" expression => strcmp("&OVPN_CLIENT_LOGGING_BEHAVIOR&","true");
# Keep retrying connection ?
"ovpn_client_keepretrying" expression => strcmp("&OVPN_CLIENT_REMOTE_KEEPTRYING&","true");
any::
"pass3" expression => "pass2";
"pass2" expression => "pass1";
"pass1" expression => "any";
files:
(debian|redhat|SuSE)::
"/etc/openvpn/rudder.conf"
create => "true",
perms => m("644"),
edit_line => set_openvpn_config_values_tier1("check_openvpn_client_configuration.ovpn_client_remote"),
edit_defaults => noempty_backup,
classes => kept_if_else("openvpn_tier1_kept", "openvpn_tier1_validated", "openvpn_tier1_failed");
"/etc/openvpn/rudder.conf"
create => "true",
perms => m("644"),
edit_line => set_openvpn_config_values_tier2("check_openvpn_client_configuration.ovpn_client"),
edit_defaults => noempty_backup,
classes => kept_if_else("openvpn_tier2_kept", "openvpn_tier2_validated", "openvpn_tier2_failed");
ovpn_client_pwauth::
"/etc/openvpn/keyring.pwd"
create => "true",
edit_defaults => noempty_backup,
perms => mog("600", "root", "0"),
edit_line => set_openvpn_config_values_keyring("&OVPN_CLIENT_REMOTE_USER&", "&OVPN_CLIENT_REMOTE_PASS&"),
edit_defaults => noempty_backup,
classes => kept_if_else("openvpn_keyring_kept", "openvpn_keyring_validated", "openvpn_keyring_failed");
methods:
openvpn_bin_present.ovpn_client_autostart::
"autostart_openvpn" usebundle => service_ensure_started_at_boot("openvpn");
ovpn_client_autostart.(openvpn_tier1_validated|openvpn_tier2_validated|openvpn_keyring_validated|openvpn_down)::
"restart_openvpn" usebundle => service_restart("openvpn");
pass3.openvpn_tier1_kept::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "log_info", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN remotes list edition not needed");
pass3.openvpn_tier2_kept::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "log_info", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN general configuration is OK");
pass3.openvpn_keyring_kept::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "log_info", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN password keyring present");
pass3.openvpn_tier1_validated::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "log_repaired", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN remotes list edition done");
pass3.openvpn_tier2_validated::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "log_repaired", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN general configuration done");
pass3.openvpn_keyring_validated::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "log_repaired", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN keyring written");
pass3.openvpn_tier1_failed::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "result_error", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN remotes list edition failed");
pass3.openvpn_tier2_failed::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "result_error", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN general configuration failed");
pass3.openvpn_keyring_failed::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "result_error", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN keyring could not be written");
pass3.(ovpn_client_nopwauth.((openvpn_tier1_validated.openvpn_tier2_validated)|(openvpn_tier1_kept.openvpn_tier2_kept)))::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "result_success", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN configuration is set correctly");
pass3.(ovpn_client_pwauth.((openvpn_tier1_validated.openvpn_tier2_validated.openvpn_keyring_validated)|(openvpn_tier1_kept.openvpn_tier2_kept.openvpn_keyring_kept)))::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "result_success", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN configuration is set correctly");
pass3.((openvpn_tier1_validated.openvpn_tier2_validated.openvpn_keyring_validated)|(openvpn_tier1_kept.openvpn_tier2_kept.openvpn_keyring_kept))::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "result_success", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN configuration is set correctly"),
ifvarclass => canonify("ovpn_client_pwauth");
pass3.ovpn_client_autostart.service_ensure_started_at_boot_openvpn_repaired::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "log_repaired", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN is now starting on boot");
pass3.ovpn_client_autostart.service_ensure_started_at_boot_openvpn_not_ok::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "result_error", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN could not be set to start on boot");
pass3.ovpn_client_autostart.service_ensure_started_at_boot_openvpn_ok::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "log_info", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN already set to start on boot");
pass3.service_restart_openvpn_ok::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "log_repaired", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN restarted");
pass3.service_restart_openvpn_not_ok::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "result_error", "&TRACKINGKEY&", "OpenVPN configuration", "None", "Could not restart OpenVPN");
pass3.(!openvpn_bin_present)::
"any" usebundle => rudder_common_report("openvpnClientConfiguration", "result_error", "&TRACKINGKEY&", "OpenVPN configuration", "None", "OpenVPN binary is not present. Something is wrong (installation failure?)");
processes:
ovpn_client_autostart::
"/usr/sbin/openvpn"
restart_class => "openvpn_down",
comment => "Ensuring openvpn is up";
}
bundle edit_line set_openvpn_config_values_tier1(remotes)
{
vars:
"remotes_index" slist => getindices("${remotes}");
delete_lines:
"remote\ .*";
insert_lines:
"remote ${${remotes}[${remotes_index}]}";
}
bundle edit_line set_openvpn_config_values_tier2(tab)
# Sets the RHS of configuration items in the file of the form
# LHS RHS
# If the line is commented out with #, it gets uncommented first.
# Adds a new line if none exists.
# The argument is an associative array containing v[LHS]="rhs"
# Based on set_variable_values from cfengine_stdlib.cf, modified to
# use whitespace as separator, and to handle commented-out lines.
{
vars:
"index" slist => getindices("${tab}");
# Be careful if the index string contains funny chars
"cindex[${index}]" string => canonify("${index}");
field_edits:
# If the line is there, but commented out, first uncomment it
"#+${index}\s+.*"
edit_field => col("\s+","1","${index}","set");
# match a line starting like the key something
"${index}\s+.*"
edit_field => col("\s+","2","${${tab}[${index}]}","set"),
classes => if_ok("not_${cindex[${index}]}");
insert_lines:
"${rudder_parameters.rudder_file_edit_header}"
location => start,
insert_type => "preserve_block";
... This diff was truncated because it exceeds the maximum size that can be displayed.
