Bug #19650

Updated by François ARMAND about 3 years ago

It needs to take into account all changes in system techniques, and it also needs to remove @all_servers_with_role@ and @all_servers_without_role@; 
 otherwise we get errors in the logs about ruleTargets: 

 <pre> 
 /var/log/rudder/webapp/2021_08_02.stderrout.log:[2021-08-02 11:50:48+0200] WARN    com.normation.rudder.repository.ldap.RoLDAPNodeGroupRepository - Error when mapping entry with DN 'ruleTarget=special:all_servers_with_role,groupCategoryId=SystemGroups,groupCategoryId=GroupRoot,ou=Rudder,cn=rudder-configuration' from node groups library, that entry will be ignored; cause was: UnexpectedObject: Can not unserialize target, 'special:all_servers_with_role' does not match any known target format 
 /var/log/rudder/webapp/2021_08_02.stderrout.log:[2021-08-02 11:50:47+0200] WARN    com.normation.rudder.repository.ldap.RoLDAPNodeGroupRepository - Error when mapping entry with DN 'ruleTarget=special:all_nodes_without_role,groupCategoryId=SystemGroups,groupCategoryId=GroupRoot,ou=Rudder,cn=rudder-configuration' from node groups library, that entry will be ignored; cause was: UnexpectedObject: Can not unserialize target, 'special:all_nodes_without_role' does not match any known target format 
 </pre> 

 The migration will be handled by the webapp.  
 Things to migrate: 

 - allowed networks from directive to their setting 
 - all system techniques & related objects 
 - remove old group linked to roles 

 For each one, we do it in a "create new config, validate it's ok, delete old config" fashion.  
 The first two steps are linked because we can't delete allowed networks in the common directive before the end of step 2. 

 The third is simpler (just deletion). 

 An error in that migration must lead to a coredump, a big error message and actionable info for the poor ops.  

 Here comes a summary of all renaming and related migration for config objects:  

 <pre> 
 Techniques: we don't migrate them, but we need to check that we have these ones loaded: 
 =========== 
 - common (applies on all nodes, be it root, a relay, or a simple node. Manage inventory, agent config and runs, etc) 
 - server-common (applies on policy servers, same naming scheme as dsc-common. Manage policy distribution, etc) 
 - rudder-service-apache 
 - rudder-service-postgresql 
 - rudder-service-relayd 
 - rudder-service-slapd 
 - rudder-service-webapp 

 If dsc plugin present: 
 - dsc-common  

 Directives: this is the target result: 
 =========== 
 Conventions: 
 - postfix by all if applied to all nodes 
 - each time the directive is specific to a policy server, postfix with its id 
 - commons depend upon the policy server of the node it is applied to, so postfix with "hasPolicyServer-${policyserverid}" 

 Example for root:  
 inventory/inventory-all 
 common/common-hasPolicyServer-root 
 server-common/server-common-root 
 rudder-service-apache/rudder-service-apache-root 
 rudder-service-postgresql/rudder-service-postgresql-root 
 rudder-service-relayd/rudder-service-relayd-root 
 rudder-service-slapd/rudder-service-slapd-root 
 rudder-service-webapp/rudder-service-webapp-root 

 And for relays: 
 server-common/server-common-$relayid 
 rudder-service-apache/rudder-service-apache-$relayid 
 rudder-service-relayd/rudder-service-relayd-$relayid 

 For DSC: 
 dsc-common/dsc-common-all => ok 

 We will get information from the following directives:  
 - common 
 - distributPolicy 
 - inventory 
 - dsc-common 



 Groups: target is: 
 ======= 

 - nodeGroupId=all-nodes-with-cfengine-agent  
 - nodeGroupId=all-nodes-with-dsc-agent       
 - nodeGroupId=hasPolicyServer-root           
 - ruleTarget=policyServer:root             

 (and for relay, same with $relayid) 

 So here, there is nothing to change. 

 Rules: 
 ====== 
 (convention: "-" for directives, "*" for groups) 

 inventory-all 
 - inventory-all 
 * group:all-nodes-with-cfengine-agent 

 => nothing to change 

 hasPolicyServer-root 
 - common-hasPolicyServer-root 
 * group:hasPolicyServer-root 

 => change directive from common-root to common-hasPolicyServer-root 

 root-DP => rename to policy-server-root + change all directives to match: 
 - server-common-root 
 - rudder-service-apache-root 
 - rudder-service-postgresql-root 
 - rudder-service-relayd-root 
 - rudder-service-slapd-root 
 - rudder-service-webapp-root 
 * policyServer:root 

 For relays:  
 ${relayId}-distributePolicy => policy-server-$relayid and change directives 
 - server-common-$relayid 
 - rudder-service-apache-$relayid 
 - rudder-service-relayd-$relayid 
 * policyServer:$relayid 



 DSC (keep it like in 6.2): 

 dsc-agent-all 
 - dsc-common-all 
 * group:all-nodes-with-dsc-agent 


 Server roles 
 ============ 
 Remove active techniques + directives "server-roles" 
 Remove rule "server-roles" 

 </pre> 
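
Added example (not part of the ticket or of Rudder's code): a Python check that parses the RoLDAPNodeGroupRepository warnings quoted above and reports which stale ruleTarget entries were still being logged after the migration ran. The function names, the `migrated_at` cutoff and the last two sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Matches the RoLDAPNodeGroupRepository warning format quoted in the ticket.
WARN_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+WARN\s+\S*RoLDAPNodeGroupRepository - "
    r"Error when mapping entry with DN '(?P<dn>[^']+)'.*"
    r"Can not unserialize target, '(?P<target>[^']+)' "
    r"does not match any known target format"
)

def parse_ts(text):
    """Parse the log timestamp, e.g. '2021-08-02 11:50:48+0200'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S%z")

def stale_rule_targets(lines):
    """Map each unparseable target to its DN, hit count and latest timestamp."""
    found = {}
    for line in lines:
        m = WARN_RE.search(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        entry = found.setdefault(m["target"], {"dn": m["dn"], "count": 0, "last_seen": ts})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], ts)
    return found

def still_failing(found, migrated_at):
    """Targets still logged after the (assumed) migration time: cleanup incomplete."""
    return sorted(t for t, e in found.items() if e["last_seen"] > migrated_at)

# Sample input: the first two lines follow the ticket's log excerpt,
# the last two are constructed for this example.
_PREFIX = "/var/log/rudder/webapp/2021_08_02.stderrout.log:"
_WARN = ("[{ts}] WARN    com.normation.rudder.repository.ldap.RoLDAPNodeGroupRepository - "
         "Error when mapping entry with DN 'ruleTarget={t},groupCategoryId=SystemGroups,"
         "groupCategoryId=GroupRoot,ou=Rudder,cn=rudder-configuration' from node groups library, "
         "that entry will be ignored; cause was: UnexpectedObject: Can not unserialize target, "
         "'{t}' does not match any known target format")
SAMPLE = [
    _PREFIX + _WARN.format(ts="2021-08-02 11:50:48+0200", t="special:all_servers_with_role"),
    _PREFIX + _WARN.format(ts="2021-08-02 11:50:47+0200", t="special:all_nodes_without_role"),
    _PREFIX + _WARN.format(ts="2021-08-02 12:10:03+0200", t="special:all_servers_with_role"),
    _PREFIX + "[2021-08-02 12:10:04+0200] INFO    application - unrelated line",
]

if __name__ == "__main__":
    report = stale_rule_targets(SAMPLE)
    for target, e in sorted(report.items()):
        print(f"{target}  {e['count']}x  last={e['last_seen'].isoformat()}  dn={e['dn']}")
    print("still failing:", still_failing(report, parse_ts("2021-08-02 12:00:00+0200")))
```

An empty result from `still_failing` for a cutoff taken after the webapp restart means none of the old role-linked targets are being read from LDAP any more.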

