Rudder

As of now, I have a working shell script automating the password change. However, I got two questions:

• Do we want to make it usable with custom passwords ? (for now the script auto-generates passwords)
• Why does Rudder refuses to launch after this script has been run, throwing LDAP Invalid Credentials at my sorry face whereas using standard ldap utilities I can see that the password is perfectly fine in both the rudder-web.properties and the slapd.conf ? Is there a hardcoded password somewhere in the WebApp that I could not see ?

Testing procedure:

• PSQL:

psql -U rudder -d rudder -W -h localhost

• LDAP:

/opt/rudder/bin/ldapwhoami -h localhost -D "cn=Manager,cn=rudder-configuration" -x -W

Never mind, I did not take the inventory-web into account. It was the inventory webapp that was complaining !

Forget the second question !

• Implement logic in CFEngine to change each password in all appropriate places. This should be integrated in the distributePolicy Technique.
• Add a random password generation to the post-install script of appropriate packages.

To ensure we have a single definition point for all passwords, we will create a file /opt/rudder/etc/rudder-passwords.conf, with contents like this:

RUDDER_WEBDAV_USERNAME=rudder
RUDDER_WEBDAV_PASSWORD=secret
RUDDER_PSQL_USER=rudder
RUDDER_PSQL_PASSWORD=secret2
RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc...
RUDDER_OPENLDAP_BIND_PASSWORD=secret3

This file should be created by packaging, with particular caution to ensure that it is always mode 600. A check to this effect should also be added to the distributePolicy Technique.

The distributePolicy Technique can then read passwords from this file, and update them in the appropriate configuration files, restarting or reloading services when they are changed and if necessary.

Last but not least, there is one case that is trickier than the others: the WebDAV password will need to be read in by Rudder-webapp, from the rudder-web.properties file (this is important, it mustn't be read in directly from the rudder-passwords.conf files) and exported as a "special variable" for the distributePolicy Technique (like CMDBENDPOINT and CLIENTSFOLDERS). You'll need to ask a Rudder developer, probably Jean, to help you with this.

Well, I am sorry but using "=" is kind of difficult for one simple reason: "RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc..."

The equal sign is used both as a separator for the key and value and for the cn definition, which justs messes up the variable definition. But I am open to any other separator that might be used in the password file of course.

I'll look at the comments.

The Technique is nearly ready. There are just some more quirks to be addressed with the management of the postgresql password and I still have to use the code just commited by NCH to get the WebDAV password, but else we are good !

This task is FINALLY over ! yay !

See: http://www.rudder-project.org/redmine/projects/policy-templates/repository/revisions/f71438300b5575abdb70373f009dd3974ae05164

Nicolas, I do not agree with your commit commit:b16b897251fa8eab53148c48e1bcb016cfdc6e27 . You are using the internal endpoint URL to send a motd on ( thus creating a lot of useless error messages in the logs as the system motd is obviously and invalid inventory) and not the external URL ( Like http://localhost/inventories/ or http://<machine host name>/inventories/ ).

This is blocking me for the resolution of #2629, may we revert this ASAP ?

It is done! Thank you guys for being this fast to respond :D

Matthieu,

This last commit is really not DRY, you can't repeat the huge comment like that in two different files. A DRY approach would be to define the comment in the file installed by the package, then edit it using sed in rudder-init.sh.

Applied in changeset commit:0f2b65fe23ada13e8b0cf975c05dcbf2697b9d6e.

Thank you Matthieu.

Now please add documentation about this in rudder-doc!

Applied in changeset commit:4408586c94984665ac81a6491b071deb8ddd5ef6.

This all looks good to me now, thanks Matthieu!