Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature (rhel7/httpd 2.4) : hardening apache and code refactoring #251

Merged
merged 10 commits into from
Feb 22, 2019

Conversation

k-hamza
Copy link

@k-hamza k-hamza commented Nov 20, 2018

Context
The main goal of the changes is to be able to enforce values of directives for hardening purpose, based on CIS Benchmarks apache document
The structure of pillars is modified into lists / dictionnaries so the content can be "easily" parsed and modified

The result is a complete rewrite of config and vhosts states

All changes are backward compatible, they are all new files added (with -ng suffix)

Summary of Changes

  • added apache_directives.py module to manage both content of server config and vhosts content
  • vhosts contents are in managed in dictionnaries and there is no more need to maintain templates by type of vhost
  • enforced values are in yaml file
  • default server configurations (for rhel7, http 2.4) are in yaml file
  • changed vhostdir variable to /etc/httpd/conf.d because of /etc/httpd/vhosts.d doesn't belong to the httpd-2.4 rhel7 rpm

Testing

  • Tested on rhel7 httpd 2.4

@aboe76 aboe76 requested a review from alxwr November 20, 2018 19:09
Copy link
Member

@aboe76 aboe76 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there are hard returns in modules-ng.sls I don't think you want those...

@k-hamza
Copy link
Author

k-hamza commented Nov 28, 2018

yes, you are right. Thanks !

@alxwr
Copy link
Member

alxwr commented Nov 28, 2018

@k-hamza I greatly appreciate your effort! Your code even solves some problems I came across. Thank you!
(The following is not a criticism of your work, but of the "ng" pattern in general.)

@aboe76 @whiteinge @javierbertoli @landergate
Is there a way not to use the "ng" pattern? In my opinion this leads into an maintenance mess.
To be honest I regard the "ng" pattern as some sort of redundant addition to Git. It's really a formula within a formula. Hard to understand, hard to maintain. In this case I can't easily see the changes, because everything is in a new file.

We already discussed this in saltstack-formulas/postfix-formula#83. (@ixs)

I suggest we start versioning this formula. (https://semver.org) Let's add a tag (i.e. 0.1.0) to mark the state before this PR and after that (depending on possible breaking of Pillar data) set 0.2.0 or 1.0.0.
People could reference the tags. Patches to old versions (if anyone wants to keep them) would go into branches like v0.1.0-master. From there they could be ported to other branches way easier than from one sub directory to another.

The only real disadvantage I can think of is having to write a migration guide from one version to the other.

If we really have to use the "ng" pattern, we should put everything into its very own namespace (read: directory) as the php-formula does.

In the hopes of providing constructive criticism,
alxwr


@aboe76 @k-hamza
I'll have to test the "ng" version of the formula on one of my machines. (Sadly I've got to finish other stuff first.)

@aboe76
Copy link
Member

aboe76 commented Nov 28, 2018

@alxwr I know about the issue, with "ng" formula's and I would like to split those too.

I don't think that semver and git branches are the solution, those are to "developer"-minded solutions and are hard for simple sysadmins to grasp or even create PR against.

I would like to suggest to create separate formula's:

php-formula\
  php\
  LICENSE
  README.rst
php-ng-formula
  php\
  LICENSE
  README.rst
apache-formula
  apache\
  LICENSE
  README.rst
apache-ng-formula
  apache\
  LICENSE
  README.rst

Only downside to this is if somebody wants to use both formula's on one saltmaster...

@javierbertoli
Copy link
Member

@alxwr, I completely dislike the ng solution mostly because, as you and @aboe76 mention, it follows a 'formula-in-formula' concept. But it has already crept into many formulas (from the top of my head, I rememeber it's present in apache, fail2ban, nginx, php...). It seems most of the times as the only solution to 'here's this big refactoring/update to the formula, it's a pain/impossible to make it backward compatible and there's no other proposed method in the formulas ecosystem to introduce these changes nicely' 😞

At this point, separating the formulas can be a solution, but I think that, sooner or later, somebody will again submit a 'formula-in-formula' 'ng-ng' PR, like 'apache-ng/ng' 😄

In the past, when writing Puppet & Chef, the Semver + Release Tags/Branches worked nice for me, but I again agree with @aboe76, it's not the easiest thing to learn how to use and interact for simple sysadmins (it took me a while to do it right 😋)

If we decide to do SemVer, we'll need to add proper documentation (perhaps in the template mentioning that:

  • The master branch will always point to the latest code and might be backward incompatible
  • Release tags should be used (ie, in gitfs), which might or might not be updated in time (that will depend on whoever pushes a PR)

etc, and try to enforce/maintain things that way whenever possible.

When I moved to Salt, I tried to read about the proposed method to maintain formulas, and found that Salt has a Salt Package Manager, but sincerely, never used it nor know if it is widely used.

My 2c.

@alxwr
Copy link
Member

alxwr commented Nov 29, 2018

@aboe76 @javierbertoli I hear your concerns regarding sysadmins. Those are my concerns too. :-)
In my opinion it's not too much to ask/force somebody to learn how Git branches work. (But I may be wrong.) This is state-of-the-art technology after all. Furthermore, ng/ is confusing too¹.

I'm not in favor of creating a new repository for every refactoring, because it's not easier to maintain for anyone.

I also was thinking about doing version control in sub directories like so: v1/apache/..., v2/apache/...
Current development would happen in the latest version directory. It's still a maintenance mess, but it seems better than ng/ng/ng/.../ng/.

The Formula File docs suggest the version format YYYYMM.release. This contains no assurance of compatibility anyways.
"We strongly recommend forking a formula repository into your own GitHub account to avoid unexpected changes to your infrastructure."
Since formulas never made a promise to be backwards compatible, nobody should use a potentially unstable master anyways.

Maybe we should give up on „be backwards compatible at any cost“.¹
In my view there are at least two effective options to kill an Open Source project.

a) Make it too hard to use.
b) Make it too hard to maintain.

I get that keeping backwards compatibility tries to avoid a), but it drives the formulas to b). (And furthermore: ng/ng/ng/ goes against a) again.)

Therefore, another proposal:

  • Use only the master branch.
  • Set tags before breaking changes happen. (or before PRs are merged)
  • Document breaking changes in a CHANGELOG.rst (including migration guidelines)
  • Let the formula fail early if we detect legacy Pillar data.
    (i.e. detect whether there is Pillar apache:sites)

Don't take me wrong. I'm not here to enforce my point of view. I'm just committed to keep usability high and maintenance cost low, because I want the formulas to succeed. In the end, I'll go with the developers' consensus. :-)


¹ Why do I have a strong opinion on this?
I held a one-day Salt workshop for sysadmins of several departments of a German corporation a few months ago. They really liked Salt and especially the formulas. They had two concerns regarding the formulas:

  • Sysadmin: How do I keep my system stable?
    Me: You fork/clone the formula's repository.
    Sysadmin: That's fine.
  • Sysadmin: Whats this ng/-stuff?
    Me: Those are major refactorings.
    Sysadmin: You should really get rid of legacy code, because this is really confusing. How would I know which one is current? (In German: „Ihr solltet diese alten Zöpfe abschneiden, das führt nur zu Verwirrung. Wie soll ich wissen, was aktueller Stand ist?“)

@ixs
Copy link
Contributor

ixs commented Nov 29, 2018

My 2cents as I got pinged. ;-)

It's good to see everybody agree that ng sucks and should not be used.
I really dislike the idea of forking off an ng change into a separate repository. This is mostly for the following two reasons:

  • Proliferation of formulas doing the same thing in different ways
  • Becomes a nightmare as soon as someone is doing a ng fork of the ng version. Look at amavis, amavis-ng, amavisd-new etc. as a terrible example.

But even in-repo -ng is terrible. I stumbled over the ng version of fail2ban the other day and while that version resolves a few bugs of the non-ng version, it was also not functional. Needed one or two patches first.
Does this mean noone was using -ng at all other than me?

At the end of the day, I think semver and controlled breakage is the sensible option.
And for the poor busy and overwhelmed sysadmin we can add some easy to understand documentation that explains how to update your formula and again suggest to use your own fork in order to control the rate of change.

@aboe76
Copy link
Member

aboe76 commented Nov 29, 2018

Ok, let's ask saltstack Organisation to make it clear what they have in mind with the formula's,
because there is something like spm https://docs.saltstack.com/en/latest/topics/spm/

And I too want the saltstack-formulas be as successful as it can be, because, one, I don't want a mess of multiple roles like ansible-galaxy and I don't want it to become another forge where you need to learn some pdk to submit...

@saltstack-formulas/core and @saltstack-formulas/moderators can we have some input on this so we can align all our efforts?

In case there no vhosts defined in pillar httpd will listen on port 80.
 Without this default it will not start
@javierbertoli
Copy link
Member

A valid question that relates to this discussion

@aboe76
Copy link
Member

aboe76 commented Dec 7, 2018

@javierbertoli yes it is, I was hoping to get the saltstack core team involved to maybe write something in saltstack docs on formulas and git tags...and how to use them, that way we can start teaching people on how to use them by letting them read the official saltstack docs.

@k-hamza
Copy link
Author

k-hamza commented Dec 8, 2018

I must say that I agree with you on "ng" pattern ... it is an "anti-pattern" of git usage

In the saltstack documentation I found this about formula versionning.

It seems that it is the "official answer" to the question, and it is mostly the same as the proposals above.
May be it would be usefull to report it on the template formula

What do you think about it ?

@noelmcloughlin
Copy link
Member

noelmcloughlin commented Dec 8, 2018

I'm think if there is any way to keep one-on-one relation between formula and implementation then we should aim for that. When rewriting the mongdb-formula recently I had this exact dilemma - how to improve without losing backwards compatibility - I eventually found a way to support old and new in same implementation by having a twin-track map.jinja

See section two for backwards-compat data structures:

In this pattern the first section is the current-preferred-implementation and the second section is a reconstruction of the depreciated dicts to keep backwards compatibility. In this way there is no need for two separate formulas for one piece of software. I will admit writing the SECOND section in map.jinja is challenging but advantage is that its transparent to end users. I'd advocate for some kind of similar approach - let map.jinja do the heavy lifting. Cheers.

@aboe76
Copy link
Member

aboe76 commented Dec 8, 2018

@k-hamza nice finds, in the documentation, let's make it so, I think the majority is for semver and tagging,
can you create a PR to document and link to the docs in the template formula.

@alxwr, @noelmcloughlin and @javierbertoli let's educate people and refer to the template-formula.

@aboe76
Copy link
Member

aboe76 commented Dec 8, 2018

@k-hamza maybe we can try this after we set some tags:
https://github.com/vaab/gitchangelog

@k-hamza
Copy link
Author

k-hamza commented Dec 10, 2018

can you create a PR to document and link to the docs in the template formula.

done : saltstack-formulas/template-formula#16

@k-hamza
Copy link
Author

k-hamza commented Feb 6, 2019

Hello team, hope you are doing well
@alxwr, did you have time to test or to look into the code ?
Thanks !

@alxwr
Copy link
Member

alxwr commented Feb 12, 2019

@k-hamza I'm trying hard to get some GitHub issues and PRs done. :-)
I'll give your code a try as soon as I can.

@alxwr
Copy link
Member

alxwr commented Feb 12, 2019

@k-hamza I (rather hastily) tested this on Ubuntu 18.04 by including all ng-states and running them against pillar.example. Other than minor distribution-related bugs this worked fine. I would merge it if it wasn't for the ng-stuff. :-)

@k-hamza @aboe76 @noelmcloughlin @javierbertoli we should now discuss a transition to apache-formula 2.0.
I'm against merging the PR in the ng-style. I propose we rather make this a good example of versioning a salt formula by using the means already established in https://github.com/saltstack-formulas/template-formula.

@myii Is saltstack-formulas/template-formula#21 sufficient to serve as a checklist for this transition?

@alxwr alxwr added the bump:major incompatible API changes; semver.org label Feb 12, 2019
Copy link
Member

@alxwr alxwr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd approve if it wasn't for the ng-pattern. :-)
We'll work that out.

@myii
Copy link
Member

myii commented Feb 12, 2019

@alxwr saltstack-formulas/template-formula#21 is still a WIP and does need more discussion (no-one has commented there yet for adjustments!). But if it helps with this process, then please feel free to use it by all means. As a member, you are able to edit the comment, in order to copy the Markdown directly. That will ease pasting and modifying it for any other formula.

@myii myii added bump:major incompatible API changes; semver.org and removed bump:major incompatible API changes; semver.org labels Feb 12, 2019
@myii
Copy link
Member

myii commented Feb 12, 2019

Sorry, I was checking for the other labels and I ended up removing the label by mistake! Reinstated, so nothing to see here!

@alxwr
Copy link
Member

alxwr commented Feb 12, 2019

minor note:
I'm looking forward to help with this PR, but I've already burnt through my GitHub time budget for this week. 😄

@myii
Copy link
Member

myii commented Feb 12, 2019

@alxwr Your efforts are appreciated. See you next week!

@noelmcloughlin
Copy link
Member

noelmcloughlin commented Feb 12, 2019

Nice PR @k-hamza I'm up to my neck in other formulae so cannot review.

@alxwr Regarding the ng pattern I have good idea how to smoothly transition away.

  1. Identify all ng-formulae.
  2. Assume ng is the primary content.
  3. Obsolete non-ng content but empower the non-ng API
  •    i.e.  update non-ng SLS files so they invoke `apache.ng.xxxx` states
    
  •    i.e.  delete apache/map.jinja and yaml files in non-ng formulae.
    
  •    i.e.  `apache.init`  points to `apache.ng.init` 
    
  •    i.e. update README and stop documenting ng API
    
  •    i.e. update pillar.example and stop documenting ng pillar data 
    

Note: we need to update the map.jinja so it can handle both ng and non-ng pillar data - this is possible I have experimented with this idea in mongoDB.

  1. In say 6 months time get rid of ng structure; the ng API has not be documented for 6 months so assume this is long enough for people to have re-adopted the non-ng API.

WDYT?

I hope focus can be on template-formulae before apache 2.0. There are some new concepts & ideas being discussed which I need to get up to speed with anyway. thanks.

@k-hamza
Copy link
Author

k-hamza commented Feb 18, 2019

I agree not to merge it in master branch.
I suggest that you create a "develop-v2.0.0" branch (name for example) where to merge this PR.
In the meantime, i will start cleaning the "ng-" stuff, so the merge will contain "clean" content that will need some little work in order to be a good example of versioning a salt formula.

@myii
Copy link
Member

myii commented Feb 18, 2019

@k-hamza Thanks for all of your hard work.

There have been quite a few developments over the last week or two and we're trying to revamp the way SaltStack-Formulas does things. One of the discussion points has been the ng concept. At the moment, it is still up for discussion how exactly this should be dealt with. For example:

  1. Using release tags, just bump the major version and merge into master.
  2. Use separate branches for different versions (as you have suggested).
  3. Use a separate repo for ng formulas.

A further issue is that we're working on how to integrate these formulas with SPM. That will also have an effect on the final decision.

So the takeaway is to keep track of developments before investing a portion of time into a specific option. Best ways to do that:

@alxwr
Copy link
Member

alxwr commented Feb 18, 2019

@k-hamza @aboe76 @myii I'm all for the "develop-v2.0.0" branch, as long as it will get merged into master at some point. :-) This gives us time to stabilize 2.0 while still having a stable master branch. Do you all agree?

@myii
Copy link
Member

myii commented Feb 18, 2019

@alxwr @k-hamza I prefer method 2 as well but I don't know what the repercussions are going to be.

One further point: we're close to providing a solution for automatically updating the changelog, FORMULA file, tags and releases for each PR merge. During this process, we've compared across all existing SaltStack Formulas to work out comparitive "starting" version numbers:

screenshot69

  • This is part of the spreadsheet, offering a rough outline of what we're proposing should be applied.

So if that is accepted, this apache-formula is currently v0.37.0. The new branch will then be develop-v1.0.0 accordingly. Please feel free to comment on this issue as well.

@k-hamza
Copy link
Author

k-hamza commented Feb 19, 2019

@alxwr @myii ok then, let's create develop-v1.0.0 branch so we can begin stabilize the code

@alxwr
Copy link
Member

alxwr commented Feb 20, 2019

@k-hamza @myii I just created the develop-v1.0.0 branch.

@aboe76
Copy link
Member

aboe76 commented Feb 20, 2019

@alxwr nice thanks for that,

@k-hamza shall I change the base branch of the PR to target develop-v1.0.0

this is possible with: https://github.blog/2016-08-15-change-the-base-branch-of-a-pull-request/

@k-hamza k-hamza changed the base branch from master to develop-v1.0.0 February 21, 2019 15:52
@k-hamza
Copy link
Author

k-hamza commented Feb 21, 2019

@aboe76 Thanks for this trick ! just changed the base branch of the PR now
@alxwr let me do some cleaning : remove all the "-ng" stuff

@aboe76 aboe76 merged commit 9662e8b into saltstack-formulas:develop-v1.0.0 Feb 22, 2019
@aboe76
Copy link
Member

aboe76 commented Feb 22, 2019

@k-hamza merged it,

@k-hamza
Copy link
Author

k-hamza commented Feb 25, 2019

Thanks for the merge

@k-hamza k-hamza deleted the hardening-refacto branch February 25, 2019 18:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bump:major incompatible API changes; semver.org
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants