Project

General

Profile

Actions

Question #6467

closed

User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance

User story #2882: Rudder should be SELinux compliant

What are the webdav directories used for ?

Added by Benoît PECCATTE over 9 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
5 (lowest)
Category:
System techniques
Target version:
-
Regression:

Description

We have different webdav directories:
- /var/rudder/inventories/incoming mapped to http://rudder/inventories
- /var/rudder/inventories/accepted-nodes-updates mapped to http://rudder/inventory-updates

It seems from the sendInventoryToCmdb bundle that both are checked to send to the ldap endpoint.

From the sendInventory bundle, it seems that only the second one is used by the fusion agent.

Side question, why is there a motd file in /var/rudder/inventories/accepted-nodes-updates ?

Actions #1

Updated by Matthieu CERDA over 9 years ago

  • Category set to System techniques
  • Status changed from New to Discussion
  • Assignee changed from Matthieu CERDA to Benoît PECCATTE
  • Priority changed from N/A to 5 (lowest)
So:
  1. /var/rudder/inventories/incoming: This directory is intended to accept node inventories sent from "unknown yet" machines (e.g. initial promises), with a default DAV user/password
  2. /var/rudder/inventories/accepted-nodes-updates: This directory accepts inventories from registered nodes (that have the Rudder installation DAV password in their promises)

The idea was to have an unsecured endpoint (for nodes not accepted yet), and a secured one for registered nodes. For now, no differenciation is made between the two, but in the future we would have liked to have a sort of different trust between the two...

At this moment though, those are considered equally.

The motd file is used by the rudder server itself, as a way to "probe" if the webdav setup is correct in the server-roles Techniques:
  • "Is the WebDAV endpoint using the correct password? meaning: Can I send something (my own motd) to this endpoint using the configured password ?"
  • If no, update the htpasswd file with the correct password
Actions #2

Updated by Benoît PECCATTE over 9 years ago

  • Status changed from Discussion to Resolved

Thank you!

Actions

Also available in: Atom PDF