From 9d45a8d6f1535ac70a296870ba082b94831d1398 Mon Sep 17 00:00:00 2001 From: Robert Frank Date: Wed, 30 Sep 2015 15:22:06 +0100 Subject: [PATCH 1/7] updated apache auth for perfsonar 3.5 fixed setm augeas directive added perfsonar version fact added new directories and locations that use auth --- lib/facter/perfsonar_version.rb | 7 ++ manifests/apache.pp | 109 +++++++++++++++----------------- 2 files changed, 59 insertions(+), 57 deletions(-) create mode 100644 lib/facter/perfsonar_version.rb
diff --git a/lib/facter/perfsonar_version.rb b/lib/facter/perfsonar_version.rb
new file mode 100644
index 0000000..db0a23c
--- /dev/null
+++ b/lib/facter/perfsonar_version.rb
@@ -0,0 +1,7 @@
+Facter.add(:perfsonar_version) do
+ confine :osfamily => 'RedHat'
+ setcode do
+ perfsonar = Facter::Util::Resolution::exec('/bin/rpm -q --qf "%{NAME} %{VERSION}\n" perl-perfSONAR_PS-Toolkit | grep "^perl-perfSONAR_PS-Toolkit "')
+ perfsonar.split(/ /)[1] if perfsonar
+ end
+end
diff --git a/manifests/apache.pp b/manifests/apache.pp
index 6ac6871..258f469 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
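Review bot: The fact resolves to nil until perl-perfSONAR_PS-Toolkit is installed, and the manifests in this series hand it straight to `versioncmp($perfsonar_version, '3.5')`; on Puppet 3 an undef fact is coerced to an empty string and the comparison silently takes the `default` arm, while a release that type-checks function arguments may refuse the call, so the fact's header should state that it is undefined on a first run and the call sites should guard it. The manifests also read it unqualified as `$perfsonar_version` while the sibling fact later in this series is written `$::perfsonar_systemenvironment`; top-scope facts should be spelled consistently as `$::perfsonar_version`. The `grep` stage appears to exist only to drop rpm's "is not installed" line from the output, which deserves a comment such as `# rpm -q prints an error line on stdout when the package is absent; the grep keeps only a real NAME VERSION line`.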
@@ -39,34 +39,32 @@ default => size($authdn), } if $have_auth > 0 { + # new web gui + $changes35 = versioncmp($perfsonar_version, '3.5') ? { + /^[01]$/ => [ + "rm Location[arg='\"/toolkit/auth\"']/directive[.='AuthShadow']", + "rm Location[arg='\"/toolkit/auth\"']/directive[.='AuthType']", + "rm Location[arg='\"/toolkit/auth\"']/directive[.='AuthName']", + "rm Location[arg='\"/toolkit/auth\"']/directive[.='Require']", + "setm Location[arg='\"/toolkit/auth\"'] directive[.='Include'] 'Include'", + "setm Location[arg='\"/toolkit/auth\"'] *[.='Include']/arg '${perfsonar::params::httpd_dir}/ssl_auth.conf'", + ], + default => [], + } + $changes34 = [ + "rm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')]/directive[.='AuthShadow']", + "rm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')]/directive[.='AuthType']", + "rm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')]/directive[.='AuthName']", + "rm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')]/directive[.='Require']", + "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] directive[.='Include'] 'Include'", + "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] *[.='Include']/arg '${perfsonar::params::httpd_dir}/ssl_auth.conf'", + ] + $auges_changes = concat($changes34, $changes35) augeas { 'set mod_ssl auth': incl => "${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf", lens => 'Httpd.lns', context => "/files/${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf", - changes => [ - "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthShadow']", - "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthType']", - "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthName']", - "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='Require']", - "set 
Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='Include'] 'Include'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='Include']/arg '${perfsonar::params::httpd_dir}/ssl_auth.conf'", - "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthShadow']", - "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthType']", - "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthName']", - "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='Require']", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='Include'] 'Include'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='Include']/arg '${perfsonar::params::httpd_dir}/ssl_auth.conf'", - # instead of the set commands above, the setm regex versions below should work as well (they do in augtool), - # but for some reason they produce an error when run by puppet ('Could not evaluate: missing string argument 2 for setm', no useful debug output either) - # the rm commands below work, but we shouldn't use them with the single set commands above because they can cause security problems - # e.g., if the original auth section is removed from an unexpected directory entry without adding the include - #"rm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')]/directive[.='AuthShadow']", - #"rm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')]/directive[.='AuthType']", - #"rm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')]/directive[.='AuthName']", - #"rm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')]/directive[.='Require']", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] directive[.='Include'] 'Include'", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='Include']/arg '${perfsonar::params::httpd_dir}/ssl_auth.conf'", - ], + changes => 
$auges_changes, notify => Service[$::perfsonar::params::httpd_service], require => [ Package[$::perfsonar::params::httpd_package], 
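Review bot: The Directory regexp `'\".*/web(-ng)?/root/admin(/.*)?\"?'` used by every rm/setm line requires a leading double quote but makes the trailing one optional, so an unquoted `<Directory /opt/...>` argument is matched by neither the rm nor the setm commands; that fails closed (the Basic-auth directives stay in place) but the certificate Include is then never installed and nothing in the run reports it. The leading `\"` looks like it was added to keep the quote count even for Puppet's augeas command tokenizer (the old commented `'.*/web/root/admin(/.*)?\"?'` form had a lone quote), and `'\"?.*/web(-ng)?/root/admin(/.*)?\"?'` keeps that balance while accepting both spellings. If a non-empty match set is expected on every supported version, an `onlyif => "match Directory[arg=~regexp('\"?.*/web(-ng)?/root/admin(/.*)?\"?')] size > 0"` would surface a non-match, otherwise a comment that unquoted arguments are deliberately ignored is the minimum. The same regexp and the misspelt `$auges_changes` (augeas) recur in the else-branch hunk at `@@ -83,6 +81,35 @@`. The `if $have_auth > 0` block begins before this hunk.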
@@ -83,6 +81,35 @@ require => Package[$::perfsonar::params::httpd_package], } } else { + $changes35 = versioncmp($perfsonar_version, '3.5') ? { + /^[01]$/ => [ + "rm Location[arg='\"/toolkit/auth\"']/*[.='Include']", + "setm Location[arg='\"/toolkit/auth\"'] directive[.='AuthShadow'] 'AuthShadow'", + "setm Location[arg='\"/toolkit/auth\"'] *[.='AuthShadow']/arg 'on'", + "setm Location[arg='\"/toolkit/auth\"'] directive[.='AuthType'] 'AuthType'", + "setm Location[arg='\"/toolkit/auth\"'] *[.='AuthType']/arg 'Basic'", + "setm Location[arg='\"/toolkit/auth\"'] directive[.='AuthName'] 'AuthName'", + "setm Location[arg='\"/toolkit/auth\"'] *[.='AuthName']/arg '\"Password Required\"'", + "setm Location[arg='\"/toolkit/auth\"'] directive[.='Require'] 'Require'", + "setm Location[arg='\"/toolkit/auth\"'] *[.='Require']/arg[1] 'group'", + "setm Location[arg='\"/toolkit/auth\"'] *[.='Require']/arg[2] 'psadmin'", + ], + default => [], + } + $changes34 = [ + # below should work, but the setm command suffers the same problem as the ones in the "if $have_auth > 0" block + "rm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')]/*[.='Include']", + "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] directive[.='AuthShadow'] 'AuthShadow'", + "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] *[.='AuthShadow']/arg 'on'", + "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] directive[.='AuthType'] 'AuthType'", + "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] *[.='AuthType']/arg 'Basic'", + "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] directive[.='AuthName'] 'AuthName'", + "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] *[.='AuthName']/arg '\"Password Required\"'", + "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] directive[.='Require'] 'Require'", + "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] *[.='Require']/arg[1] 'group'", + 
"setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] *[.='Require']/arg[2] 'psadmin'", + ] + $auges_changes = concat($changes34, $changes35) # restore apache user auth for perfsonar admin # this is problematic as it only restores the configuration file to the state that was known # to the author at the time of writing 
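Review bot: The comment placed at the head of `$changes34` (`# below should work, but the setm command suffers the same problem as the ones in the "if $have_auth > 0" block`) is stale: the setm lines under it are now live and the commit subject says the setm problem was fixed, so the comment now tells the reader these commands are broken. Either drop it or replace it with the actual cause, e.g. `# setm works here with the quote-balanced regexp; the earlier form with a lone quote failed under puppet`, as far as that is really what changed. The rm-before-setm ordering is worth keeping documented: the Include must only be removed from the node set that also receives the restored Auth directives. The `else` block continues past the end of this hunk.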
@@ -91,39 +118,7 @@ incl => "${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf", lens => 'Httpd.lns', context => "/files/${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf", - changes => [ - "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='Include']", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthShadow'] 'AuthShadow'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='AuthShadow']/arg 'on'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthType'] 'AuthType'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='AuthType']/arg 'Basic'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthName'] 'AuthName'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='AuthName']/arg '\"Password Required\"'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='Require'] 'Require'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='Require']/arg[1] 'group'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='Require']/arg[2] 'psadmin'", - "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='Include']", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthShadow'] 'AuthShadow'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='AuthShadow']/arg 'on'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthType'] 'AuthType'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='AuthType']/arg 'Basic'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthName'] 'AuthName'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='AuthName']/arg '\"Password Required\"'", - "set 
Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='Require'] 'Require'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='Require']/arg[1] 'group'", - "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='Require']/arg[2] 'psadmin'", - # below should work, but the setm command suffers the same problem as the ones in the "if $have_auth > 0" block - #"rm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')]/*[.='Include']", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] directive[.='AuthShadow'] 'AuthShadow'", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='AuthShadow']/arg 'on'", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] directive[.='AuthType'] 'AuthType'", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='AuthType']/arg 'Basic'", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] directive[.='AuthName'] 'AuthName'", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='AuthName']/arg '\"Password Required\"'", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] directive[.='Require'] 'Require'", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='Require']/arg[1] 'group'", - #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='Require']/arg[2] 'psadmin'", - ], + changes => $auges_changes, notify => Service[$::perfsonar::params::httpd_service], require => Package[$::perfsonar::params::httpd_package], } From 4295cd905c0968ffdbff29fc70ea070cf1d4fd84 Mon Sep 17 00:00:00 2001 From: Robert Frank Date: Fri, 2 Oct 2015 09:58:21 +0100 Subject: [PATCH 2/7] fixed dependency problems --- manifests/ls_cache_daemon/install.pp | 1 + manifests/ls_registration_daemon/install.pp | 1 + 2 files changed, 2 insertions(+) diff --git a/manifests/ls_cache_daemon/install.pp b/manifests/ls_cache_daemon/install.pp index ccf1be1..1325685 100644 
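Review bot: The deleted comment block carried the only written security rationale in this file — removing directives from a node set that does not also receive the replacement leaves that directory unprotected — and nothing in the new code records it. A one-line comment above `changes => $auges_changes,` such as `# rm and setm must use the identical match expression: directives removed without the replacement being set would leave the directory unprotected` preserves the reasoning without the obsolete setm-workaround discussion; the same applies to the first hunk of this commit. The rest of the hunk is a mechanical swap to the variable.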
--- a/manifests/ls_cache_daemon/install.pp
+++ b/manifests/ls_cache_daemon/install.pp
@@ -3,5 +3,6 @@
 ) inherits perfsonar::params {
 package { $::perfsonar::params::ls_cache_daemon_packages:
 ensure => $ensure,
+ before => File['/opt/perfsonar_ps/ls_cache_daemon/etc/ls_cache_daemon-logger.conf'],
 }
 }
diff --git a/manifests/ls_registration_daemon/install.pp b/manifests/ls_registration_daemon/install.pp
index 3da20c8..82c5d67 100644
--- a/manifests/ls_registration_daemon/install.pp
+++ b/manifests/ls_registration_daemon/install.pp
@@ -3,5 +3,6 @@
 ) inherits perfsonar::params {
 package { $::perfsonar::params::ls_registration_daemon_packages:
 ensure => $ensure,
+ before => File['/opt/perfsonar_ps/ls_registration_daemon/etc/ls_registration_daemon-logger.conf'],
 }
 }
From 1950616a46969bec9add1a94da604853bfbb43c8 Mon Sep 17 00:00:00 2001 From: Robert Frank Date: Fri, 2 Oct 2015 14:43:21 +0100 Subject: [PATCH 3/7] fixed apache configuration to work with PS >= 3.5 updated apache configuration to accommodate changes in Perfsonar 3.5 added patches to allow certificate authentication with Perfsonar 3.5 --- .../01_perfsonar_webservice_auth.patch.3.5.0 | 22 ++++ ..._perfsonar_webservice_pageauth.patch.3.5.0 | 120 ++++++++++++++++++ manifests/apache.pp | 8 ++ manifests/params.pp | 13 ++ manifests/patches.pp | 65 ++++++++++ 5 files changed, 228 insertions(+) create mode 100644 files/patches/01_perfsonar_webservice_auth.patch.3.5.0 create mode 100644 files/patches/02_perfsonar_webservice_pageauth.patch.3.5.0 create mode 100644 manifests/patches.pp
diff --git a/files/patches/01_perfsonar_webservice_auth.patch.3.5.0 b/files/patches/01_perfsonar_webservice_auth.patch.3.5.0
new file mode 100644
index 0000000..ff92bf6
--- /dev/null
+++ b/files/patches/01_perfsonar_webservice_auth.patch.3.5.0
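Review bot: The new `before => File['/opt/perfsonar_ps/ls_cache_daemon/etc/ls_cache_daemon-logger.conf']` (and its twin in the ls_registration_daemon hunk) names a File resource by a hard-coded absolute path that this class does not declare; if the class that declares it is not in the catalog the run aborts with a missing-relationship error instead of installing the package, and the path now lives in two places. If the logger config is declared by a sibling config class, a class-level ordering in the parent class (`Class['perfsonar::ls_cache_daemon::install'] -> Class['perfsonar::ls_cache_daemon::config']`) or a shared params variable for the path avoids the duplication. Whether such a config class exists is not visible in this series.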
@@ -0,0 +1,22 @@ +--- WebService/Auth.pm.org 2015-10-02 10:14:10.625379915 +0100 ++++ WebService/Auth.pm 2015-10-02 13:40:13.356715712 +0100 +@@ -1,3 +1,4 @@ ++# puppet perfsonar::patches applied patch: 01_perfsonar_webservice_auth.patch.3.5.0 + package perfSONAR_PS::NPToolkit::WebService::Auth; + use base 'Exporter'; + +@@ -8,10 +9,12 @@ + my $cgi = shift; + my $authenticated = 0; + return if (! defined $cgi); +- if( defined $cgi->auth_type() && $cgi->auth_type ne '' && defined $cgi->remote_user() ){ ++ my $auth_type = (defined $cgi->auth_type() && $cgi->auth_type ne '') ? $cgi->auth_type : ++ ((defined $ENV{SSL_CLIENT_VERIFY} && $ENV{SSL_CLIENT_VERIFY} eq 'SUCCESS') ? 'Certificate' : ''); ++ if( $auth_type ne '' && defined $cgi->remote_user() ){ + $authenticated = 1; + } +- return $authenticated; ++ return wantarray ? ($authenticated, $cgi->remote_user(), $auth_type) : $authenticated; + } + + sub unauthorized_output { diff --git a/files/patches/02_perfsonar_webservice_pageauth.patch.3.5.0 b/files/patches/02_perfsonar_webservice_pageauth.patch.3.5.0 new file mode 100644 index 0000000..4c3cb79 --- /dev/null +++ b/files/patches/02_perfsonar_webservice_pageauth.patch.3.5.0 
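Review bot: The certificate branch of the patched `is_authenticated` treats any client certificate that mod_ssl verified (`$ENV{SSL_CLIENT_VERIFY} eq 'SUCCESS'`) plus a defined REMOTE_USER as authenticated, and nothing in this function restricts which subjects are accepted; that is only safe as long as the per-subject `Require` decision stays in the Apache configuration (the ssl_auth.conf include set up elsewhere in this series), and the function should say so. A comment above the new `my $auth_type` line along the lines of `# Certificate auth: mod_ssl has already verified the chain; subject-level authorization (which DNs may log in) is enforced by Apache's Require directives, not here` keeps a future maintainer from treating this as the authorization check. `$cgi->auth_type` is now called three times in that one statement; caching it in a local is cosmetic but reads better. The enclosing `sub` begins before this hunk.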
@@ -0,0 +1,120 @@ +diff -Nur root.org/admin/host.cgi root/admin/host.cgi +--- root.org/admin/host.cgi 2015-10-02 10:23:09.329116608 +0100 ++++ root/admin/host.cgi 2015-10-02 14:02:50.149557766 +0100 +@@ -21,13 +21,8 @@ + my $cgi = CGI->new(); + + my $section = 'host'; +-my $remote_user = $cgi->remote_user(); +-my $auth_type = ''; + +-if($cgi->auth_type()){ +- $auth_type = $cgi->auth_type(); +-} +-my $authenticated = is_authenticated($cgi); ++my ($authenticated, $remote_user, $auth_type) = is_authenticated($cgi); + + if ( !$authenticated ) { + print unauthorized_output($cgi); +diff -Nur root.org/admin/index.cgi root/admin/index.cgi +--- root.org/admin/index.cgi 2015-10-02 10:23:09.330116611 +0100 ++++ root/admin/index.cgi 2015-10-02 14:02:42.739559216 +0100 +@@ -21,13 +21,8 @@ + my $cgi = CGI->new(); + + my $section = 'admin'; +-my $remote_user = $cgi->remote_user(); +-my $auth_type = ''; + +-if($cgi->auth_type()){ +- $auth_type = $cgi->auth_type(); +-} +-my $authenticated = is_authenticated($cgi); ++my ($authenticated, $remote_user, $auth_type) = is_authenticated($cgi); + + if ( !$authenticated ) { + print unauthorized_output($cgi); +diff -Nur root.org/admin/services.cgi root/admin/services.cgi +--- root.org/admin/services.cgi 2015-10-02 10:23:09.329116608 +0100 ++++ root/admin/services.cgi 2015-10-02 14:02:59.016556034 +0100 +@@ -21,20 +21,13 @@ + + my $section = 'services'; + +-my $authenticated = is_authenticated($cgi); ++my ($authenticated, $remote_user, $auth_type) = is_authenticated($cgi); + + if ( !$authenticated ) { + print unauthorized_output($cgi); + exit; + } + +-my $remote_user = $cgi->remote_user(); +-my $auth_type = ''; +- +-if($cgi->auth_type()) { +- $auth_type = $cgi->auth_type(); +-} +- + my $full_url = url( -path=>1, -query=>1); + my $https_url = $full_url; + #if (!$full_url =~ /^https/) { +diff -Nur root.org/admin/tests.cgi root/admin/tests.cgi +--- root.org/admin/tests.cgi 2015-10-02 10:23:09.330116611 +0100 ++++ root/admin/tests.cgi 2015-10-02 
14:03:05.606554727 +0100 +@@ -21,13 +21,8 @@ + my $cgi = CGI->new(); + + my $section = 'tests'; +-my $remote_user = $cgi->remote_user(); +-my $auth_type = ''; + +-if($cgi->auth_type()){ +- $auth_type = $cgi->auth_type(); +-} +-my $authenticated = is_authenticated($cgi); ++my ($authenticated, $remote_user, $auth_type) = is_authenticated($cgi); + + if ( !$authenticated ) { + print unauthorized_output($cgi); +diff -Nur root.org/index.cgi root/index.cgi +--- root.org/index.cgi 2015-10-02 10:23:09.329116608 +0100 ++++ root/index.cgi 2015-10-02 13:41:15.866709369 +0100 +@@ -1,4 +1,5 @@ + #!/usr/bin/perl ++# puppet perfsonar::patches applied patch: 02_perfsonar_webservice_pageauth.patch.3.5.0 + + use strict; + use warnings; +@@ -7,26 +8,20 @@ + use Template; + #use POSIX; + use Data::Dumper; +-#use FindBin qw($RealBin); + + # Set some variable to control the page layout + my $include_prefix = ''; + my $sidebar = 1; + +-#my $basedir = "$RealBin/../../.."; ++use FindBin qw($RealBin); ++my $basedir = "$RealBin/../.."; ++use lib "$RealBin/../../lib"; + +-#use lib "$RealBin/../../../../lib"; ++use perfSONAR_PS::NPToolkit::WebService::Auth qw( is_authenticated ); + + my $cgi = CGI->new(); + +-my $remote_user = $cgi->remote_user(); +-my $auth_type = ''; +- +-if($cgi->auth_type()){ +- $auth_type = $cgi->auth_type(); +-} +-my $authenticated = 0; +-$authenticated = 1 if ($auth_type ne ''); ++my ($authenticated, $remote_user, $auth_type) = is_authenticated($cgi); + + my $full_url = url( -path=>1, -query=>1); + my $https_url = $full_url; diff --git a/manifests/apache.pp b/manifests/apache.pp index 258f469..d6c4434 100644 --- a/manifests/apache.pp +++ b/manifests/apache.pp 
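Review bot: In the `root/index.cgi` hunk the new `use FindBin`, `use lib` and `use perfSONAR_PS::NPToolkit::WebService::Auth` statements are interleaved with runtime `my` assignments; `use` runs at compile time regardless of position, so placing them with the other `use` lines near the top of the file (directly under `use Data::Dumper;`) reads as intended and avoids the impression that `$basedir` feeds the `use lib` path. `my $basedir = "$RealBin/../..";` is un-commented but not referenced anywhere in this hunk; if it is unused elsewhere in the file it should stay commented out. The four admin/*.cgi hunks are consistent with the new list-context return of `is_authenticated` and need no change.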
@@ -30,6 +30,14 @@ "set *[.='SSLVerifyClient']/arg ${clientauth}", "set directive[.='SSLVerifyDepth'] 'SSLVerifyDepth'", "set *[.='SSLVerifyDepth']/arg ${verifydepth}", + # the changes below are required by the new web interface (perfsonar >= 3.5), + # but they won't hurt if they are present on older versions as well + "set directive[.='SSLUserName'] 'SSLUserName'", + "set *[.='SSLUserName']/arg 'SSL_CLIENT_S_DN_CN'", + "set directive[.='RewriteEngine'] 'RewriteEngine'", + "set *[.='RewriteEngine']/arg 'on'", + "set directive[.='RewriteOptions'] 'RewriteOptions'", + "set *[.='RewriteOptions']/arg 'Inherit'", ], notify => Service[$::perfsonar::params::httpd_service], require => Package[$::perfsonar::params::httpd_package], diff --git a/manifests/params.pp b/manifests/params.pp index 471c6ee..9cb6576 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -41,6 +41,9 @@ $ls_cache_daemon_lr_order = '04', $ls_cache_daemon_lr_options = [ 'weekly', 'compress', 'rotate 50', 'missingok', 'notifempty', 'postrotate', ' /sbin/service ls_cache_daemon restart > /dev/null 2>/dev/null || true', 'endscript' ], + $patchdir = '/usr/share/perfsonar_patches', + $patchpackage = 'patch', + $patchpackage_ensure = 'present', ) { # package list taken from centos6-netinstall.cfg (from the perfsonar netinstall cd) # system packages (already installed on standard installation) and 
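Review bot: `SSLUserName SSL_CLIENT_S_DN_CN` makes REMOTE_USER the bare CN of every client certificate the vhost verifies, and a CN is not unique across issuers; if the vhost trusts more than one CA, two certificates with the same CN map to the same user. Whether that matters depends on the ssl_auth.conf template (not in this series) matching on the full DN rather than on REMOTE_USER, so a comment on the new line is warranted either way, e.g. `# REMOTE_USER is only the certificate CN (for display and logging); authorization must match the full DN via Require`. `RewriteOptions Inherit` also pulls server-level rewrite rules into the SSL vhost; the comment above the block should state that this is intended rather than just harmless on older versions.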
@@ -58,6 +61,16 @@ 'cassandra20', # don't want to install SystemEnvironment because it keeps overwriting my configurations during updates # 'perl-perfSONAR_PS-Toolkit-SystemEnvironment', +# packages that are installed by perl-perfSONAR_PS-Toolkit-SystemEnvironment: +# perl-perfSONAR_PS-Toolkit-ntp +# configures ntp server (replaces existing config) +# perl-perfSONAR_PS-Toolkit-security +# configures iptables +# perl-perfSONAR_PS-Toolkit-service-watcher +# monitors status of services: mysql, httpd, cassandra, owamp, bwctl, npad, ndt, regular_testing, ls_registration_daemon, ls_cache_daemon, config_daemon +# according to /opt/perfsonar_ps/toolkit/lib/perfSONAR_PS/NPToolkit/Services/*.pm, the following services need regular restarts: OWAMP, RegularTesting +# perl-perfSONAR_PS-Toolkit-sysctl +# configures /etc/sysctl.conf (appends values) # don't want to install gcc and mysql, it's not required # 'gcc', # 'mysql-devel', diff --git a/manifests/patches.pp b/manifests/patches.pp new file mode 100644 index 0000000..f856ae6 --- /dev/null +++ b/manifests/patches.pp 
@@ -0,0 +1,65 @@ +class perfsonar::patches( + $patchdir = $perfsonar::params::patchdir, + $patchpackage = $perfsonar::params::patchpackage, + $patchpackage_ensure = $perfsonar::params::patchpackage_ensure, +) inherits perfsonar::params { + if $patchpackage { + package { $patchpackage: + ensure => $patchpackage_ensure, + # adding dependency here and not in the exec because it avoids possible + # dependency failures if $package is not set and this block is + # not executed + before => File[$patchdir], + } + } + case $perfsonar_version { + /^3\.5\.0/: { + $patches = { + '01_perfsonar_webservice_auth.patch.3.5.0' => { + path => '/opt/perfsonar_ps/toolkit/lib/perfSONAR_PS/NPToolkit/WebService', + strip => 1, + # file itself is part of perl-perfSONAR_PS-Toolkit-Library + # which is installed as a dependency of perl-perfSONAR_PS-Toolkit + # therefore we use the latter as a dependency for the patch + deps => [Package['perl-perfSONAR_PS-Toolkit']], + checkfile => 'Auth.pm', # relative to path + }, + '02_perfsonar_webservice_pageauth.patch.3.5.0' => { + path => '/opt/perfsonar_ps/toolkit/web-ng/root', + strip => 1, + deps => [Package['perl-perfSONAR_PS-Toolkit']], + checkfile => 'index.cgi', # relative to path + } + } + } + default: { + $patches = {} + } + } + if size(keys($patches)) > 0 { + file { $patchdir: + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0750', + } + create_resources('perfsonar_apply_patch', $patches) + } +} + +define perfsonar_apply_patch($path, $strip = 0, $deps = [], $checkfile) { + $patch = "${perfsonar::patches::patchdir}/${name}" + file { $patch: + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0640', + source => "puppet:///modules/${module_name}/patches/${name}", + require => File[$perfsonar::patches::patchdir], + } + exec { "exec test patch ${name}": + command => "/usr/bin/patch -d ${path} -N -t -p${strip} -i ${patch}", + require => concat($deps, File[$patch]), + unless => "/bin/grep -q '^# puppet 
perfsonar::patches applied patch: ${name}$' '${path}/${checkfile}'", + } +} From 0bbbc7c893c1af06813684e6f1a7ffd4450194b6 Mon Sep 17 00:00:00 2001 From: Robert Frank Date: Tue, 13 Oct 2015 14:37:52 +0100 Subject: [PATCH 4/7] fixed redirect issues and improvements fixed apache redirect to /toolkit (use global config and removed http only) improved structure of apache class --- manifests/apache.pp | 105 ++++++++++++++++++++++++++------------------ 1 file changed, 62 insertions(+), 43 deletions(-) diff --git a/manifests/apache.pp b/manifests/apache.pp index d6c4434..6a325d4 100644 --- a/manifests/apache.pp +++ b/manifests/apache.pp 
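Review bot: `package { $patchpackage: before => File[$patchdir] }` references `File[$patchdir]`, but that file is only declared inside `if size(keys($patches)) > 0`, and `$patches` is `{}` for every version other than 3.5.0; on such hosts the relationship points at a resource that is not in the catalog and the run fails. Declaring the six-line `file { $patchdir: ... }` resource unconditionally (outside the guard, leaving only `create_resources` inside it) fixes this and is harmless; the comment on `before` shows the reverse case was considered but not this one. Two smaller points: the define is named `perfsonar_apply_patch` rather than `perfsonar::apply_patch`, so it only resolves because it sits in the same file as the class, and the exact `/^3\.5\.0/` pin means a later 3.5.x rpm upgrade silently leaves the vendor files unpatched, at which point certificate users are presumably denied (fail closed) — worth a `# TODO: re-check patches for each 3.5.x release` comment on the `case`.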
@@ -5,23 +5,45 @@ $clientauth = $perfsonar::params::clientauth, $verifydepth = $perfsonar::params::verifydepth, $authdn = [], + $sslprotocol = 'all -SSLv2 -SSLv3', + $sslciphers = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4', ) inherits perfsonar::params { + # /opt/perfsonar_ps/toolkit/scripts/system_environment/disable_http_trace + # disables trace requests + file { "${perfsonar::params::conf_dir}/disable_trace.conf": + ensure => 'present', + owner => 'root', + group => 'root', + mode => '0644', + content => "TraceEnable Off\n", + notify => Service[$::perfsonar::params::httpd_service], + require => Package[$::perfsonar::params::httpd_package], + } file { "${perfsonar::params::conf_dir}/tk_redirect.conf": ensure => 'present', owner => 'root', group => 'root', mode => '0644', - content => "RedirectMatch 301 ^/$ http://${::fqdn}/toolkit/\n", + content => "RedirectMatch 301 ^/$ /toolkit/\n", notify => Service[$::perfsonar::params::httpd_service], require => Package[$::perfsonar::params::httpd_package], } + # remove the http only redirect from perfsonar apache configuration (introduced in 3.5) + # the global rule in tk_redirect covers both, http and https + $remove_redirect = versioncmp($perfsonar_version, '3.5') ? 
{ + /^[01]$/ => "rm VirtualHost/directive[.='RedirectMatch' and arg='^/$']", + default => [], + } + # the augeas lens uses an array for the ssl protocol values + # which means we need a separate set commmand for each value + $sslprotocol_changes = split(inline_template('<%= cmds = []; i=1; @sslprotocol.split(" ").each { |x| cmds.push("set directive[.=\"SSLProtocol\"]/arg[#{i}] \"#{x}\""); i+=1; }; cmds.join("\n") %>'), "\n") augeas { 'set mod_ssl params': incl => "${perfsonar::params::mod_dir}/ssl.conf", lens => 'Httpd.lns', context => "/files/${perfsonar::params::mod_dir}/ssl.conf/VirtualHost", - changes => [ + changes => concat([ "set *[.='SSLCertificateFile']/arg ${hostcert}", "set *[.='SSLCertificateKeyFile']/arg ${hostkey}", "set directive[.='SSLCACertificatePath'] 'SSLCACertificatePath'", # create node if not exist @@ -38,16 +60,25 @@ "set *[.='RewriteEngine']/arg 'on'", "set directive[.='RewriteOptions'] 'RewriteOptions'", "set *[.='RewriteOptions']/arg 'Inherit'", - ], + # update of ssl cipher options + "set directive[.='SSLHonorCipherOrder'] 'SSLHonorCipherOrder'", + "set directive[.='SSLHonorCipherOrder']/arg 'on'", + "set directive[.='SSLCipherSuite'] 'SSLCipherSuite'", + "set directive[.='SSLCipherSuite']/arg '${sslciphers}'", + # remove ssl protocol value, they will be set again by the merged sslprotocol_changes rules + # this is required to ensure only the passed values are present in the configuration + "rm directive[.='SSLProtocol']/arg", + ], $sslprotocol_changes), notify => Service[$::perfsonar::params::httpd_service], require => Package[$::perfsonar::params::httpd_package], } + $have_auth = $authdn ? { undef => 0, default => size($authdn), } if $have_auth > 0 { - # new web gui + # additions for new web gui $changes35 = versioncmp($perfsonar_version, '3.5') ? { /^[01]$/ => [ "rm Location[arg='\"/toolkit/auth\"']/directive[.='AuthShadow']", 
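Review bot: `$sslprotocol_changes` only emits `set directive[.="SSLProtocol"]/arg[N] ...` commands and omits the `set directive[.='SSLProtocol'] 'SSLProtocol'` create-if-missing step that the rest of this resource uses (see the `# create node if not exist` pattern in the context lines), so the `rm directive[.='SSLProtocol']/arg` in the second hunk followed by these sets relies on the stock ssl.conf already containing the directive; prepending `"set directive[.='SSLProtocol'] 'SSLProtocol'"` to the concatenated list keeps it consistent. The new `$sslprotocol = 'all -SSLv2 -SSLv3'` and `$sslciphers = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'` are class parameters, which is the right shape, but they should be documented as permissive defaults that a hardened site overrides with a TLS-1.2-only list and a stricter suite, e.g. `# permissive defaults for compatibility; override per site`. The inline_template splits `$sslprotocol` on whitespace and drops each token unescaped between double quotes, which is fine for the documented values but should be stated on the parameter. The `disable_trace.conf` addition is a sound default.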
@@ -67,28 +98,12 @@ "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] directive[.='Include'] 'Include'", "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] *[.='Include']/arg '${perfsonar::params::httpd_dir}/ssl_auth.conf'", ] - $auges_changes = concat($changes34, $changes35) - augeas { 'set mod_ssl auth': - incl => "${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf", - lens => 'Httpd.lns', - context => "/files/${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf", - changes => $auges_changes, - notify => Service[$::perfsonar::params::httpd_service], - require => [ - Package[$::perfsonar::params::httpd_package], - File["${perfsonar::params::httpd_dir}/ssl_auth.conf"], - ], - } - file { "${perfsonar::params::httpd_dir}/ssl_auth.conf": - ensure => 'present', - owner => 'root', - group => 'root', - mode => '0644', - content => template("${module_name}/ssl_auth.conf.erb"), - notify => Service[$::perfsonar::params::httpd_service], - require => Package[$::perfsonar::params::httpd_package], - } + $ssl_auth_ensure = 'present' } else { + # restore apache user auth for perfsonar admin + # this is problematic as it only restores the configuration file to the state that was known + # to the author at the time of writing + # it's safer to reinstall the configuration file from the rpm $changes35 = versioncmp($perfsonar_version, '3.5') ? { /^[01]$/ => [ "rm Location[arg='\"/toolkit/auth\"']/*[.='Include']", 
@@ -117,23 +132,27 @@ "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] *[.='Require']/arg[1] 'group'", "setm Directory[arg=~regexp('\".*/web(-ng)?/root/admin(/.*)?\"?')] *[.='Require']/arg[2] 'psadmin'", ] - $auges_changes = concat($changes34, $changes35) - # restore apache user auth for perfsonar admin - # this is problematic as it only restores the configuration file to the state that was known - # to the author at the time of writing - # it's safer to reinstall the configuration file from the rpm - augeas { 'restore mod_ssl auth': - incl => "${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf", - lens => 'Httpd.lns', - context => "/files/${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf", - changes => $auges_changes, - notify => Service[$::perfsonar::params::httpd_service], - require => Package[$::perfsonar::params::httpd_package], - } - file { "${perfsonar::params::httpd_dir}/ssl_auth.conf": - ensure => 'absent', - notify => Service[$::perfsonar::params::httpd_service], - require => Package[$::perfsonar::params::httpd_package], - } + $ssl_auth_ensure = 'absent' + } + file { "${perfsonar::params::httpd_dir}/ssl_auth.conf": + ensure => $ssl_auth_ensure, + owner => 'root', + group => 'root', + mode => '0644', + content => template("${module_name}/ssl_auth.conf.erb"), + notify => Service[$::perfsonar::params::httpd_service], + require => Package[$::perfsonar::params::httpd_package], + } + $auges_changes = concat($changes34, $changes35, $remove_redirect) + augeas { 'update perfsonar apache config': + incl => "${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf", + lens => 'Httpd.lns', + context => "/files/${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf", + changes => $auges_changes, + notify => Service[$::perfsonar::params::httpd_service], + require => [ + Package[$::perfsonar::params::httpd_package], + File["${perfsonar::params::httpd_dir}/ssl_auth.conf"], + ], } } 
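Review bot: `$remove_redirect` is a bare string in the `/^[01]$/` arm of its selector (first hunk of this commit) but an array in the `default` arm, and here it is passed as the third argument to `concat($changes34, $changes35, $remove_redirect)`; stdlib's `concat` historically required array arguments and only newer releases wrap scalars, so whether this compiles depends on the stdlib version in use. Wrapping the string, `/^[01]$/ => ["rm VirtualHost/directive[.='RedirectMatch' and arg='^/$']"],`, makes both arms arrays and removes the version dependence. The merged `ssl_auth.conf` file resource also evaluates `template(...)` when `$ssl_auth_ensure` is `'absent'`; harmless, but a comment noting that content is ignored in that case would stop someone from "fixing" it.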
From f98e0a1dd168516b94ab94429b61be0fca320ca6 Mon Sep 17 00:00:00 2001 From: Robert Frank Date: Tue, 13 Oct 2015 14:41:02 +0100 Subject: [PATCH 5/7] added cleanup class added a cleanup class which uninstalls unused packages in newer perfsonar versions (>= 3.5) after upgrading an existing installation --- lib/facter/perfsonar_systemenvironment.rb | 7 +++++++ manifests/cleanup.pp | 21 +++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 lib/facter/perfsonar_systemenvironment.rb create mode 100644 manifests/cleanup.pp
diff --git a/lib/facter/perfsonar_systemenvironment.rb b/lib/facter/perfsonar_systemenvironment.rb
new file mode 100644
index 0000000..3a64e5a
--- /dev/null
+++ b/lib/facter/perfsonar_systemenvironment.rb
@@ -0,0 +1,7 @@
+Facter.add(:perfsonar_systemenvironment) do
+ confine :osfamily => 'RedHat'
+ setcode do
+ ps_se = Facter::Util::Resolution::exec('/bin/rpm -q --qf "%{NAME}\n" perl-perfSONAR_PS-Toolkit-SystemEnvironment | grep "^perl-perfSONAR_PS-Toolkit-SystemEnvironment$"')
+ ps_se && !ps_se.empty? ? true : false
+ end
+end
diff --git a/manifests/cleanup.pp b/manifests/cleanup.pp
new file mode 100644
index 0000000..6279ea8
--- /dev/null
+++ b/manifests/cleanup.pp
@@ -0,0 +1,21 @@
+class perfsonar::cleanup(
+) {
+ if versioncmp($perfsonar_version, '3.5') >= 0 {
+ # php is not being used by perfsonar >= 3.5
+ # why keep iperf3 devel packages if not needed
+ package { [ 'php-xml', 'php-gd', 'iperf3-devel']:
+ ensure => 'absent',
+ }
+ if ! $::perfsonar_systemenvironment {
+ # don't remove the following packages if
+ # perl-perfSONAR_PS-Toolkit-SystemEnvironment is installed
+ # they are dependencies and can't be removed without removing
+ # perl-perfSONAR_PS-Toolkit-SystemEnvironment as well
+ package { [ 'php-common', 'perl-DBD-MySQL', ]:
+ ensure => 'absent',
+ }
+ # mysql server and client aren't needed in newer versions,
+ # but it's too risky to remove them automatically.
+ }
+ }
+}
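Review bot: `ps_se && !ps_se.empty? ? true : false` parses as `(ps_se && !ps_se.empty?) ? true : false`, which is already a boolean expression; the trailing ternary adds nothing and the precedence is easy to misread. `!ps_se.to_s.empty?` (nil becomes the empty string) or `!(ps_se.nil? || ps_se.empty?)` states the intent directly. `Facter::Util::Resolution::exec` uses `::` for a method call; the conventional spelling is `Facter::Util::Resolution.exec`.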
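Review bot: `if ! $::perfsonar_systemenvironment` tests a fact that the new facter script returns as a Ruby boolean, but on Puppet 3 with the default `stringify_facts` setting facts arrive as strings, and the string `'false'` is truthy in Puppet, so the inner `package { [ 'php-common', 'perl-DBD-MySQL', ]: ensure => 'absent' }` would never be evaluated on hosts without SystemEnvironment. `if ! str2bool("${::perfsonar_systemenvironment}")` (stdlib, which this module already uses for `concat`/`size`) behaves the same under both settings. The class also uses `versioncmp(...) >= 0` where apache.pp uses the `/^[01]$/` selector for the same test; either is fine, but one idiom across the module is easier to audit.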
From ac2a4e5f8a85a53b45aad294c0e926e869ecee4e Mon Sep 17 00:00:00 2001 From: Robert Frank Date: Wed, 14 Oct 2015 08:57:09 +0100 Subject: [PATCH 6/7] fixed dependency issue fixed dependency issue in patches.pp changed default directory where patch files are stored --- manifests/params.pp | 2 +- manifests/patches.pp | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 9cb6576..9c0d31e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -41,7 +41,7 @@ $ls_cache_daemon_lr_order = '04', $ls_cache_daemon_lr_options = [ 'weekly', 'compress', 'rotate 50', 'missingok', 'notifempty', 'postrotate', ' /sbin/service ls_cache_daemon restart > /dev/null 2>/dev/null || true', 'endscript' ], - $patchdir = '/usr/share/perfsonar_patches', + $patchdir = '/usr/local/share/perfsonar_patches', $patchpackage = 'patch', $patchpackage_ensure = 'present', ) { diff --git a/manifests/patches.pp b/manifests/patches.pp index f856ae6..877fc73 100644 --- a/manifests/patches.pp +++ b/manifests/patches.pp @@ -21,13 +21,13 @@ # file itself is part of perl-perfSONAR_PS-Toolkit-Library # which is installed as a dependency of perl-perfSONAR_PS-Toolkit # therefore we use the latter as a dependency for the patch - deps => [Package['perl-perfSONAR_PS-Toolkit']], + deps => Package['perl-perfSONAR_PS-Toolkit'], checkfile => 'Auth.pm', # relative to path }, '02_perfsonar_webservice_pageauth.patch.3.5.0' => { path => '/opt/perfsonar_ps/toolkit/web-ng/root', strip => 1, - deps => [Package['perl-perfSONAR_PS-Toolkit']], + deps => Package['perl-perfSONAR_PS-Toolkit'], checkfile => 'index.cgi', # relative to path } } 
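Review bot: `deps` now receives a bare `Package['perl-perfSONAR_PS-Toolkit']` reference while the define still defaults it to `$deps = []`, so the parameter is sometimes an array and sometimes a single reference; `require` accepts both, which is presumably why `concat` was dropped, but the define's signature should document it, e.g. `# $deps: resource reference, or array of references, applied before the patch`. The define's header and body lie outside this hunk.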
@@ -53,13 +53,15 @@ ensure => 'file', owner => 'root', group => 'root', - mode => '0640', + mode => '0640', source => "puppet:///modules/${module_name}/patches/${name}", require => File[$perfsonar::patches::patchdir], + before => Exec["exec test patch ${name}"], } exec { "exec test patch ${name}": command => "/usr/bin/patch -d ${path} -N -t -p${strip} -i ${patch}", - require => concat($deps, File[$patch]), + require => $deps, unless => "/bin/grep -q '^# puppet perfsonar::patches applied patch: ${name}$' '${path}/${checkfile}'", + notify => Service[$::perfsonar::params::httpd_service], } } From 69ef84f72631a6c113754b6ef557942568afd10c Mon Sep 17 00:00:00 2001 From: Robert Frank Date: Wed, 14 Oct 2015 13:46:41 +0100 Subject: [PATCH 7/7] fixed more dependency issues --- manifests/apache.pp | 6 +++++- manifests/params.pp | 34 ++++++++++++++++++---------------- manifests/patches.pp | 19 +++++++++++-------- 3 files changed, 34 insertions(+), 25 deletions(-) diff --git a/manifests/apache.pp b/manifests/apache.pp index 6a325d4..4447e78 100644 --- a/manifests/apache.pp +++ b/manifests/apache.pp @@ -31,6 +31,8 @@ } # remove the http only redirect from perfsonar apache configuration (introduced in 3.5) # the global rule in tk_redirect covers both, http and https + # all version dependent options require puppet to be installed (the fact queries which version is installed) + # they are not applied during the initial run which installs perfsonar, a second run is needed to apply those changes $remove_redirect = versioncmp($perfsonar_version, '3.5') ? { /^[01]$/ => "rm VirtualHost/directive[.='RedirectMatch' and arg='^/$']", default => [], 
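Review bot: The `patch` invocation in `exec test patch ${name}` runs with `-N -t` but without `--no-backup-if-mismatch`, so a hunk applied with fuzz leaves `<checkfile>.orig`, and a rejected hunk leaves `<checkfile>.rej`, next to `index.cgi` under `web-ng/root`; to Apache those are ordinary static files and, depending on the document-root configuration, would serve the toolkit's CGI source as plain text. Adding `--no-backup-if-mismatch` to the command keeps the web root clean, and because the exec already fails on a non-zero exit a rejected patch is still reported rather than hidden. For consistency with the `unless` line, which quotes its paths, quote the interpolated values in the command too: `command => "/usr/bin/patch -d '${path}' -N -t --no-backup-if-mismatch -p${strip} -i '${patch}'",`. The `perfsonar_apply_patch` define that contains this exec starts before the hunk.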
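Review bot: The added comment says the version-dependent options `require puppet to be installed`, but the fact it refers to queries the installed perfSONAR package, so this looks like a slip for perfSONAR; suggested wording: `# all version dependent options require perfsonar to be installed (the fact queries which version is installed),` followed by `# so they are not applied during the initial run that installs perfsonar; a second run is needed to apply them`. While here, `$perfsonar_version` in the `$remove_redirect` selector is an unqualified lookup whereas the rest of this file writes `$::perfsonar::params::…`; `$::perfsonar_version` makes it explicit that a fact is meant and rules out shadowing by a local variable of the same name. The enclosing class body starts before this hunk.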
@@ -70,7 +72,9 @@ "rm directive[.='SSLProtocol']/arg", ], $sslprotocol_changes), notify => Service[$::perfsonar::params::httpd_service], - require => Package[$::perfsonar::params::httpd_package], + # need to make sure mod_ssl is installed, it's not a dependency of apache, + # so can't depend on apache here (but apache depends on mod_ssl, obviously) + require => Package[$::perfsonar::params::modssl_package], } $have_auth = $authdn ? { diff --git a/manifests/params.pp b/manifests/params.pp index 9c0d31e..4141995 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -45,6 +45,22 @@ $patchpackage = 'patch', $patchpackage_ensure = 'present', ) { + # os specifics + case $::osfamily { + 'RedHat': { + $modssl_package = 'mod_ssl' + $httpd_package = 'httpd' + $httpd_service = 'httpd' + $httpd_hasrestart = true + $httpd_hasstatus = true + $httpd_dir = '/etc/httpd' + $mod_dir = "${httpd_dir}/conf.d" + $conf_dir = "${httpd_dir}/conf.d" + } + default: { + fail("osfamily ${::osfamily} is not supported") + } + } # package list taken from centos6-netinstall.cfg (from the perfsonar netinstall cd) # system packages (already installed on standard installation) and # packages that are dependencies of packages in this list have been removed from the original list @@ -52,13 +68,14 @@ $install_packages = [ 'perl-perfSONAR_PS-Toolkit', # installed as dependencies, but need them here to get the dependencies in puppet right - 'httpd', + $httpd_package, 'esmond', 'perl-perfSONAR_PS-SimpleLS-BootStrap-client', 'ndt-server', 'npad', 'nscd', 'cassandra20', + $modssl_package, # don't want to install SystemEnvironment because it keeps overwriting my configurations during updates # 'perl-perfSONAR_PS-Toolkit-SystemEnvironment', # packages that are installed by perl-perfSONAR_PS-Toolkit-SystemEnvironment: 
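Review bot: The parenthetical `(but apache depends on mod_ssl, obviously)` on the new `require` has the package relationship backwards: the `mod_ssl` RPM requires `httpd`, not the other way round, which is exactly why `require => Package[$::perfsonar::params::modssl_package]` is the right anchor here — installing mod_ssl pulls httpd in, and this augeas resource (which drops the `SSLProtocol` arguments and applies `$sslprotocol_changes`, presumably to mod_ssl's ssl.conf) must not run before that file exists. Suggested wording: `# mod_ssl is not a dependency of httpd, so Package['httpd'] alone does not guarantee the module (or its ssl.conf) is present;` followed by `# mod_ssl itself requires httpd, so depending on it covers both`. The augeas resource starts before this hunk.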
@@ -155,19 +172,4 @@ send_error_emails => 1, skip_redundant_tests => 1, } - # paths - case $::osfamily { - 'RedHat': { - $httpd_package = 'httpd' - $httpd_service = 'httpd' - $httpd_hasrestart = true - $httpd_hasstatus = true - $httpd_dir = '/etc/httpd' - $mod_dir = "${httpd_dir}/conf.d" - $conf_dir = "${httpd_dir}/conf.d" - } - default: { - fail("osfamily ${::osfamily} is not supported") - } - } } diff --git a/manifests/patches.pp b/manifests/patches.pp index 877fc73..87994aa 100644 --- a/manifests/patches.pp +++ b/manifests/patches.pp @@ -6,11 +6,10 @@ if $patchpackage { package { $patchpackage: ensure => $patchpackage_ensure, - # adding dependency here and not in the exec because it avoids possible - # dependency failures if $package is not set and this block is - # not executed - before => File[$patchdir], } + $patchpackage_require = Package[$patchpackage] + } else { + $patchpackage_require = undef } case $perfsonar_version { /^3\.5\.0/: { @@ -38,10 +37,14 @@ } if size(keys($patches)) > 0 { file { $patchdir: - ensure => 'directory', - owner => 'root', - group => 'root', - mode => '0750', + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0750', + # adding dependency here and not in the exec because it avoids possible + # dependency failures if $package is not set and this block is + # not executed + require => $patchpackage_require, } create_resources('perfsonar_apply_patch', $patches) }
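Review bot: The comment moved onto `file { $patchdir:` is now stale: it explains that the dependency lives here to avoid failures `if $package is not set and this block is not executed`, but after this commit the thing that prevents a dangling reference is the `$patchpackage_require = undef` fallback introduced in the first hunk of this file, and the variable it names is `$patchpackage`, not `$package`. Suggested replacement for the three comment lines: `# $patchpackage_require is undef when no patch package is managed,` and `# so this require never points at an undeclared resource`. The `if size(keys($patches)) > 0` block is complete within the hunk, but the `perfsonar::patches` class it belongs to starts before it.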