    Eric Renfro
    @erenfro
    Hmmm. I really am entranced by the idea of rudder though. Like even the ability to continue to operate even if the rudder server is down for whatever reason.
    norbertoaquino
    @norbertoaquino
    I worked with cfengine2 and cfengine3 for almost 10 years. cfengine is very complex. Rudder facilitates administration and maintains the desired state. The best tool in my opinion!!!
    Eric Renfro
    @erenfro
    It definitely is interesting to see cfengine used in such a different way than I had. :)
    I'm coming from having knowledge with cfengine1/2, puppet, saltstack, chef, ansible, and now, looking at rudder to replace my current saltstack implementation.
    And, my first task, to begin making this possible, is to create techniques/directives to setup a usable CFSSL Certificate Authority that will be used to generate and maintain an internal CA for things like Consul & Vault LOL
    Which saltstack's x509 module has been completely broken for this for going on 2 years now. :/
    Alexis Mousset
    @amousset
    We really only use CFEngine as an agent platform for the configuration we generate, and Rudder has very different workflows and configuration modelization so the CFEngine layer should be pretty transparent for the users. For the next major release (7.0) we're working on our own DSL that will make this even more visible: we'll have a high-level configuration language that will be compiled/transpiled for different configuration backends (for now, CFEngine and Windows DSC). This way we'll continue to benefit from CFEngine strengths (lightweight and portable) while providing a flexible and consistent interface, with improved static checks for reliability.
    Eric Renfro
    @erenfro
    Hmmmm.. What I'm trying to figure out now is how to simply... create a file, like at the moment, a static systemd service unit file, then after that a configuration file that's templated. And I notice in Techniques, File from template with type, needs a source file on the target node?!?
    Yeah, Alexis. It's pretty ingenious really: utilize what's viable and available, while making your own interfacing to make a standard construct, mostly similar and sane.
    I hated cfengine, but it has/had its place in the world as pretty much the first config management system in Unix & Linux.
    Alexis Mousset
    @amousset
    Methods are low-level building blocks, and templating indeed takes a local source file that you have to deploy somehow. There is one built-in way for files belonging to a technique: technique resources. Any file added as a resource is deployed on all nodes where the technique is applied, and the resource has a special variable containing its local path, which you can use in the technique.
    Eric Renfro
    @erenfro
    Hmmmm...
    Alexis Mousset
    @amousset
    For simple static file deployment you could:
    • Use File content method and provide the content directly
    • Use a technique resource and upload the file
    • Use the global shared-files directory and use a File from Rudder server method to copy it
    Eric Renfro
    @erenfro
    Ahhh that makes sense. Little different. But that’s expected.
    I’m creating a Technique to install, configure, and deploy cfssl, service unit to run the multirootca service, and create and check the root CA and Intermediate CA for use in cfssl automation.
    Which will be used to have the Consul certificates on every server maintained and updated appropriately.
    If I can get all that to work, AND get at least Consul similarly installed and working with templated automated configurations, then I will be pretty well sold on Rudder. :)
    Eric Renfro
    @erenfro
    So template files would ultimately be either deployed by the shared-files method, which all nodes get, or provided to individual nodes as static, then processed as a template by another step?
    So templated files would be deployed by one of these methods?
    • Static file direct to node, then processed as template.
    • shared-files (all servers get it) and processed as template.
    Something like that?
    Alexis Mousset
    @amousset
    Template files can be:
    • A technique resource that is automatically deployed everywhere the technique is applied. You can directly use the templating method with the ${resources_dir}/RESOURCE_NAME as source
    • A file in the global shared-files; in this case you need to use a File from Rudder server method to download it to a tmp location in the technique before applying the templating method with the tmp path as source
    • If it's very short and simple, you could even use the File content method that allows specifying the file content directly in the Web interface, in the method form. Then you can use the templating method over the target file of the File content method
    Eric Renfro
    @erenfro
    Well, this is a good start. Partly thanks to the fact cfssl is actually in debian repos, but, just the sheer simplicity of creating this Technique so far. :)
    Of course, the next viable question is: how does one actually develop and maintain this not just via the web UI, but versioned in one's own git repo, or at least backed up in some way?
    Eric Renfro
    @erenfro
    I see the backup docs. Hehe
    Alexis Mousset
    @amousset
    Yes, all config is actually stored in a very standard git repo
    Eric Renfro
    @erenfro
    Oh, snap!
    Yeah, in the /var/rudder/configuration-repository. Very nice!
    So, yeah, I can easily automate the process of backing this up too, to my borgbackup repository on a regular basis.
    Eric Renfro
    @erenfro
    So, I added a file as a resource to the Technique. Where is the ${resources_dir} on Linux generally?
    (and can you actually use ${resources_dir} in the source in the technique?)
    Alexis Mousset
    @amousset
    yes you can use it directly
    it's /var/rudder/cfengine-community/inputs/TECHNIQUE_ID/resources on the nodes
    Eric Renfro
    @erenfro
    Ahhhh, nice
    Eric Renfro
    @erenfro
    Huh, interesting. As a curiosity, I found the File key-value in INI section. And so I created three items to generate an INI from static KV pairs. But, it only created the Section, not the key=value items at all.
    2020-10-30T16:12:59+00:00    error: The promised column edit '#+\s*config\s*=.*' could not select an edit region in '/var/lib/cfssl/server/multiroot-profile.ini'
    2020-10-30T16:12:59+00:00    error: The promised column edit 'config\s*=.*' could not select an edit region in '/var/lib/cfssl/server/multiroot-profile.ini'
    2020-10-30T16:12:59+00:00    error: The promised line insertion 'config=/var/lib/cfssl/certs/config.json' could not select an edit region in '/var/lib/cfssl/server/multiroot-profile.ini'
    2020-10-30T16:12:59+00:00    error: The promised column edit '#+\s*config\s*=.*' could not select an edit region in '/var/lib/cfssl/server/multiroot-profile.ini'
    2020-10-30T16:12:59+00:00    error: The promised column edit 'config\s*=.*' could not select an edit region in '/var/lib/cfssl/server/multiroot-profile.ini'
    2020-10-30T16:12:59+00:00    error: The promised line insertion 'config=/var/lib/cfssl/certs/config.json' could not select an edit region in '/var/lib/cfssl/server/multiroot-profile.ini'
    2020-10-30T16:12:59+00:00    error: The promised column edit '#+\s*config\s*=.*' could not select an edit region in '/var/lib/cfssl/server/multiroot-profile.ini'
    2020-10-30T16:12:59+00:00    error: The promised column edit 'config\s*=.*' could not select an edit region in '/var/lib/cfssl/server/multiroot-profile.ini'
    2020-10-30T16:12:59+00:00    error: The promised line insertion 'config=/var/lib/cfssl/certs/config.json' could not select an edit region in '/var/lib/cfssl/server/multiroot-profile.ini'
    E| compliant     CFSSL                     File key-value in INI se| /var/lib/cfssl/se| Set line key=value in section default into /var/lib/cfssl/server/multiroot-profile.ini was correct
    Alexis Mousset
    @amousset
    cc @Fdall I think you worked on something similar lately, may be a known bug that will be fixed soon
    Eric Renfro
    @erenfro
    heh, finding bugs again. :)
    Nicolas Charles
    @ncharles
    @erenfro PR is there Normation/rudder-techniques#1642
    Eric Renfro
    @erenfro
    Heh, wow that's a lot of little changes for one thing. :)
    Eric Renfro
    @erenfro
    I don't suppose it would be possible to have rudder actually do a command, which makes a file, and take that file that was created and put it into the rudder resource files for that technique, or something to that effect?
    Eric Renfro
    @erenfro
    Hmmm... I suppose it's likely possible because this particular thing is being setup on the same server as rudder server is running on. heh
    Eric Renfro
    @erenfro
    @ncharles Hmmm... How do I test that manually? I tried simply replacing the files (with taking a backup of them prior), but it still gives the same errors, so far.
    Ahhhh, there we go.
    I had to remove it from the rule and re-add it, saving between to force it to update.
    But, then, somehow, it doesn't again..
    Alexis Mousset
    @amousset
    @erenfro When editing policy files in /var/rudder/cfengine-community/inputs/ they are replaced at the next policy update. To fix the problem you need to modify the source file in:
    /var/rudder/configuration-repository/techniques
    Then commit and reload with:
    cd /var/rudder/configuration-repository
    git add <CHANGED FILES>
    git commit -m "MYCHANGES"
    rudder server reload-techniques
    Eric Renfro
    @erenfro
    Trying that now, thank you!
    I don't suppose there's a way to have rudder interactively run things on agents, or are they more on an agent-poll basis?
    Like, with salt, just as an example, you can use salt 'targets' cmd.run 'command to run' and do so immediately on matching targeted hosts.
    Eric Renfro
    @erenfro
    Well, there we go! Now I'm almost at 100% compliance, except with one of my custom techniques to install cfssl stuff for the internal certificate authority. For some reason..... when two techniques try to ensure a package is installed, one of them fails.
    Eric Renfro
    @erenfro
    Well, suddenly all my hosts have triangles with exclamation marks, and show 100% red non-compliance (missing reports 100%).