From 5021b2fbb696b09b5cd93d1e32bd2d06d3e52d57 Mon Sep 17 00:00:00 2001
From: Slavek Kabrda
Date: Thu, 15 Feb 2024 11:53:03 +0100
Subject: [PATCH 01/10] Pin rspec to < 3.13.0 to ensure it works with chefspec
---
 Gemfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Gemfile b/Gemfile
index 27d5b563..f0a4390b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,6 +3,7 @@ source 'https://rubygems.org'
 chef_version = ENV.fetch('CHEF_VERSION', '14.10.9')
 gem 'rake'
+gem 'rspec', '~> 3.12.0'
 gem 'chef', "= #{chef_version}"
 gem 'cucumber-core', '~> 3.2.1'
 gem 'yaml'
From 112c9f3793606a210d08c52c4c2f07bf8be72b1e Mon Sep 17 00:00:00 2001
From: Slavek Kabrda
Date: Thu, 15 Feb 2024 11:59:44 +0100
Subject: [PATCH 02/10] Pin rspec-expectations to 3.12.3
---
 Gemfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Gemfile b/Gemfile
index f0a4390b..75503355 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,6 +3,7 @@ source 'https://rubygems.org'
 chef_version = ENV.fetch('CHEF_VERSION', '14.10.9')
 gem 'rake'
+gem 'rspec-expectations', '= 3.12.3'
 gem 'rspec', '~> 3.12.0'
 gem 'chef', "= #{chef_version}"
 gem 'cucumber-core', '~> 3.2.1'
From 3cbebf5bcecf80aab1f1ab75f939a6e29c924bb9 Mon Sep 17 00:00:00 2001
From: Slavek Kabrda
Date: Thu, 15 Feb 2024 12:03:02 +0100
Subject: [PATCH 03/10] Fix spec on Ruby 2.4.3
---
 Gemfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile b/Gemfile
index 75503355..edcb649b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,7 +3,7 @@ source 'https://rubygems.org'
 chef_version = ENV.fetch('CHEF_VERSION', '14.10.9')
 gem 'rake'
-gem 'rspec-expectations', '= 3.12.3'
+gem 'rspec-expectations', '< 3.12.4'
 gem 'rspec', '~> 3.12.0'
 gem 'chef', "= #{chef_version}"
 gem 'cucumber-core', '~> 3.2.1'
From edfa31e2a6df3c6235ab400e1cacaf48c3abb4f5 Mon Sep 17 00:00:00 2001
From: Slavek Kabrda
Date: Thu, 15 Feb 2024 12:05:27 +0100
Subject: [PATCH 04/10] maybe now?
---
 Gemfile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Gemfile b/Gemfile
index edcb649b..a2874d78 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,7 +4,6 @@ chef_version = ENV.fetch('CHEF_VERSION', '14.10.9')
 gem 'rake'
 gem 'rspec-expectations', '< 3.12.4'
-gem 'rspec', '~> 3.12.0'
 gem 'chef', "= #{chef_version}"
 gem 'cucumber-core', '~> 3.2.1'
 gem 'yaml'
From b7191e042fd310d1ddf8c04b59be3e9994922c93 Mon Sep 17 00:00:00 2001
From: Slavek Kabrda
Date: Thu, 15 Feb 2024 12:38:36 +0100
Subject: [PATCH 05/10] Fix error on Ruby 3.0.x
---
 Gemfile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Gemfile b/Gemfile
index a2874d78..b5550bf5 100644
--- a/Gemfile
+++ b/Gemfile
@@ -20,6 +20,10 @@ gem 'rbnacl', '~> 4.0.2'
 gem 'rbnacl-libsodium', '~> 1.0.16'
 gem 'bcrypt_pbkdf', '>= 1.0', '< 2.0'
+if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
+ gem 'uri', '= 0.10.1'
+end
+
 if RUBY_VERSION < '2.4'
 gem 'json', '~> 2.4.1'
 end
From 8d0d64c2f69f6aafefefb45ef729b773dfcf019f Mon Sep 17 00:00:00 2001
From: Slavek Kabrda
Date: Thu, 15 Feb 2024 13:24:25 +0100
Subject: [PATCH 06/10] Fix error caused by new https://omnitruck.chef.io/install.sh
---
 kitchen.docker.yml | 31 ++++---------------------------
 1 file changed, 4 insertions(+), 27 deletions(-)
diff --git a/kitchen.docker.yml b/kitchen.docker.yml
index 40b3da76..acc03b95 100644
--- a/kitchen.docker.yml
+++ b/kitchen.docker.yml
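Review bot: In the PATCH 05 Gemfile hunk, `gem 'uri', '= 0.10.1'` is an exact pin with no comment saying which error it works around, and an `=` constraint also keeps Bundler from picking up any later 0.10.x patch release, bug and security fixes included. If the error being fixed allows it, `gem 'uri', '~> 0.10.1'` stays on the same minor line while admitting patch releases. Either way a comment such as `# Ruby 3.0.x: <error being worked around>; drop once Ruby 3.0 is no longer tested` would tell the next maintainer when the pin can go. The guard compares `RUBY_VERSION` as strings, which matches the existing `RUBY_VERSION < '2.4'` block but is lexicographic; `Gem::Version.new(RUBY_VERSION)` avoids surprises with two-digit components.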
@@ -15,39 +15,16 @@ platforms: # and http://support.ntp.org/bin/view/Support/KnownOsIssues#Section_9.2.4.2.5.3. # - name: ubuntu-12.04 - - name: ubuntu-14.04 - driver_config: - require_chef_omnibus: 14.12 - - name: centos-6.6 - driver_config: - require_chef_omnibus: 14.12 - image: 'datadog/docker-library:chef_kitchen_systemd_centos_6' - run_command: /root/start.sh - attributes: - datadog: - service_provider: Systemd - - name: centos-7.7 - driver_config: - require_chef_omnibus: 14.12 - image: 'datadog/docker-library:chef_kitchen_systemd_centos_7' - run_command: /root/start.sh - - name: centos-7.7 - driver_config: - require_chef_omnibus: 16.5 - image: 'datadog/docker-library:chef_kitchen_systemd_centos_7' - run_command: /root/start.sh - - name: debian-8.11 - driver_config: - require_chef_omnibus: 14.12 - # The Debian 8 (Jessie) GPG key expired on Sat Nov 19 2022 21:01:13 GMT+0000. - # This Docker image uses gpgv wrapper that ignores key expiration date but checks package signatures. - image: 'datadog/docker-library:chef_kitchen_apt_debian_8' - name: rocky-8 driver_config: platform: rhel # kitchen-docker doesn't recognize rocky otherwise require_chef_omnibus: 16.17.4 image: 'datadog/docker-library:chef_kitchen_systemd_rocky_8' run_command: /root/start.sh + # workaround https://github.com/chef/chef/issues/14034 which has been + # fixed, but only for fresh Chef versions (>= 18) + provision_command: + - echo "CentOS Linux release 8" > /etc/redhat-release suites: <% From 3c4c675481e44f51712728f4035cbb6eed9b2144 Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Thu, 15 Feb 2024 13:41:51 +0100 Subject: [PATCH 07/10] Re-add mistakenly removed kitchen configs --- kitchen.docker.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/kitchen.docker.yml b/kitchen.docker.yml index acc03b95..6d2b5e3f 100644 --- a/kitchen.docker.yml +++ b/kitchen.docker.yml 
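Review bot: The new `provision_command` on the rocky-8 platform overwrites `/etc/redhat-release` with a CentOS string, so from that point the container no longer identifies itself as Rocky through that file; anything in the cookbook or the Chef installer that branches on the distribution name is presumably exercised as CentOS 8 in this suite. The added comment explains why the workaround exists but not this side effect. I would extend it with `# NOTE: makes the container report as CentOS 8; remove once require_chef_omnibus is >= 18` so the loss of Rocky-specific coverage is a recorded decision rather than an accident.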
@@ -15,6 +15,33 @@ platforms: # and http://support.ntp.org/bin/view/Support/KnownOsIssues#Section_9.2.4.2.5.3. # - name: ubuntu-12.04 + - name: ubuntu-14.04 + driver_config: + require_chef_omnibus: 14.12 + - name: centos-6.6 + driver_config: + require_chef_omnibus: 14.12 + image: 'datadog/docker-library:chef_kitchen_systemd_centos_6' + run_command: /root/start.sh + attributes: + datadog: + service_provider: Systemd + - name: centos-7.7 + driver_config: + require_chef_omnibus: 14.12 + image: 'datadog/docker-library:chef_kitchen_systemd_centos_7' + run_command: /root/start.sh + - name: centos-7.7 + driver_config: + require_chef_omnibus: 16.5 + image: 'datadog/docker-library:chef_kitchen_systemd_centos_7' + run_command: /root/start.sh + - name: debian-8.11 + driver_config: + require_chef_omnibus: 14.12 + # The Debian 8 (Jessie) GPG key expired on Sat Nov 19 2022 21:01:13 GMT+0000. + # This Docker image uses gpgv wrapper that ignores key expiration date but checks package signatures. + image: 'datadog/docker-library:chef_kitchen_apt_debian_8' - name: rocky-8 driver_config: platform: rhel # kitchen-docker doesn't recognize rocky otherwise From e938d47aa88a596deea92c5ad1070c4c6edcfc1e Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Fri, 16 Feb 2024 08:36:42 +0100 Subject: [PATCH 08/10] Only set up security agent on supported releases --- recipes/dd-agent.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/recipes/dd-agent.rb b/recipes/dd-agent.rb index 3079d33e..97c0b852 100644 --- a/recipes/dd-agent.rb +++ b/recipes/dd-agent.rb 
@@ -159,6 +159,7 @@ def template_vars
 system_probe_managed = node['datadog']['system_probe']['manage_config']
 agent_version_greater_than_6_11 = agent_major_version > 5 && (agent_minor_version.nil? || agent_minor_version > 11) || agent_major_version > 6
 agent_version_greater_than_6_26 = agent_major_version > 5 && (agent_minor_version.nil? || agent_minor_version > 26)
+agent_version_greater_than_6_49 = agent_major_version > 5 && (agent_minor_version.nil? || agent_minor_version > 49)
 # System probe requires at least agent 6.12 on Linux or 6.27 on Windows, before that it was called the network-tracer or unsupported.
 system_probe_supported = (agent_version_greater_than_6_11 && !is_windows) || (agent_version_greater_than_6_26 && is_windows)
@@ -166,8 +167,11 @@ def template_vars
 # system-probe is a dependency of the agent on Linux or Windows
 include_recipe '::system-probe' if system_probe_managed && system_probe_supported
+# Security Agent requires at least agent 6.27 on Linux or 6.50 on Windows, before that it was unsupported.
+security_agent_supported = (agent_version_greater_than_6_26 && !is_windows) || (agent_version_greater_than_6_49 && is_windows)
+
 # security-agent is a dependency of the agent on Linux or Windows
-include_recipe '::security-agent'
+include_recipe '::security-agent' && security_agent_supported
 # Installation metadata to let know the agent about installation method and its version
 include_recipe '::install_info'
From 15fff5cf9405d17d1feb984b5bd58d4eb828123d Mon Sep 17 00:00:00 2001
From: Slavek Kabrda
Date: Fri, 16 Feb 2024 09:43:24 +0100
Subject: [PATCH 09/10] Only include the security-agent recipe when supported and configured
---
 recipes/dd-agent.rb | 3 ++-
 recipes/security-agent.rb | 10 +++-------
 2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/recipes/dd-agent.rb b/recipes/dd-agent.rb
index 97c0b852..73b5073c 100644
--- a/recipes/dd-agent.rb
+++ b/recipes/dd-agent.rb
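Review bot: `agent_version_greater_than_6_49` in the first hunk checks only `agent_major_version > 5` and then the minor number, so a later major version with a low minor would be reported as older than 6.50 and the security agent skipped on Windows without any message. The existing `agent_version_greater_than_6_26` has the same shape, while `agent_version_greater_than_6_11` carries an explicit `|| agent_major_version > 6` branch. If agent 6 and 7 share minor numbering, as these checks seem to assume, a comment saying so plus an upper-major escape such as `|| agent_major_version > 7` would make the intent explicit. It is also worth stating in the comment that a nil minor version is treated as supported.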
@@ -168,10 +168,11 @@ def template_vars include_recipe '::system-probe' if system_probe_managed && system_probe_supported # Security Agent requires at least agent 6.27 on Linux or 6.50 on Windows, before that it was unsupported. +security_agent_managed = node['datadog']['security_agent']['cws']['enabled'] || (!is_windows && node['datadog']['security_agent']['cspm']['enabled']) security_agent_supported = (agent_version_greater_than_6_26 && !is_windows) || (agent_version_greater_than_6_49 && is_windows) # security-agent is a dependency of the agent on Linux or Windows -include_recipe '::security-agent' && security_agent_supported +include_recipe '::security-agent' if security_agent_managed && security_agent_supported # Installation metadata to let know the agent about installation method and its version include_recipe '::install_info' diff --git a/recipes/security-agent.rb b/recipes/security-agent.rb index 983e731c..d4f3b887 100644 --- a/recipes/security-agent.rb +++ b/recipes/security-agent.rb @@ -20,8 +20,7 @@ is_windows = platform_family?('windows') # Set the correct agent startup action -security_agent_enabled = node['datadog']['security_agent']['cws']['enabled'] || (!is_windows && node['datadog']['security_agent']['cspm']['enabled']) -security_agent_start = security_agent_enabled && node['datadog']['agent_start'] && node['datadog']['agent_enable'] ? :start : :stop +security_agent_start = node['datadog']['agent_start'] && node['datadog']['agent_enable'] ? :start : :stop # # Configures security-agent agent @@ -64,10 +63,7 @@ mode '640' end - notifies :restart, 'service[datadog-agent-security]', :delayed if security_agent_enabled - - # Security agent is not enabled and the file doesn't exists, don't create it - not_if { !security_agent_enabled && !security_agent_config_file_exists } + notifies :restart, 'service[datadog-agent-security]', :delayed end # Common configuration 
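Review bot: With `include_recipe '::security-agent' if security_agent_managed && security_agent_supported`, a node that had CWS or CSPM enabled and later sets both to false no longer runs the security-agent recipe at all, so as far as these hunks show nothing re-renders security-agent.yaml or stops `datadog-agent-security` on that node. Before this commit the recipe always ran and chose `:stop` when neither feature was enabled (the removed `security_agent_enabled` lines in recipes/security-agent.rb). If leaving the previous state in place is intended, say so in the comment above the include; otherwise keep a disable path, for example by still including the recipe when the config file already exists. `security_agent_managed` is also derived from the `enabled` attributes rather than a `manage_config` attribute like `system_probe_managed`, so the name suggests a different contract than the code implements. The diffstat lists only the two recipe files, so the new gate appears to have no spec coverage in this commit.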
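Review bot: After the removal of `security_agent_enabled` in the recipes/security-agent.rb hunks (@@ -20,8, @@ -64,10 and @@ -86,5), this recipe no longer checks whether CWS or CSPM is enabled: `security_agent_start` depends only on `agent_start` and `agent_enable`, and the template always notifies a restart. A run list or wrapper cookbook that includes the recipe directly, rather than through dd-agent.rb, would therefore get the config written and the service started regardless of the `enabled` attributes or the agent version. A header comment stating the new precondition, e.g. `# Only include via dd-agent.rb, which checks that CWS/CSPM is enabled and the agent version supports it`, would make that contract visible. The template and service blocks these hunks touch start and end outside the visible lines.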
@@ -86,5 +82,5 @@ else supports :restart => true, :status => true, :start => true, :stop => true end - subscribes :restart, "template[#{security_agent_config_file}]", :delayed if security_agent_enabled + subscribes :restart, "template[#{security_agent_config_file}]", :delayed end \ No newline at end of file From 40eb8a42cb06baf4336de1237b57aa983cc8ad25 Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Fri, 16 Feb 2024 09:46:49 +0100 Subject: [PATCH 10/10] Remove useless variable --- recipes/security-agent.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/recipes/security-agent.rb b/recipes/security-agent.rb index d4f3b887..7f4564f6 100644 --- a/recipes/security-agent.rb +++ b/recipes/security-agent.rb @@ -30,7 +30,6 @@ else '/etc/datadog-agent/security-agent.yaml' end -security_agent_config_file_exists = ::File.exist?(security_agent_config_file) template security_agent_config_file do runtime_security_extra_config = {}