Fixes for upgrade, see #21. Boot-start fixes for older Splunk UF vers…

…ions

CHANGELOG.md

@@ -1,6 +1,9 @@
-### 3.4.0
+### 3.4.1
 
-- Added package_source for Linux for repository-less environments
+- Added package_source for Linux in repository-less environments
+- Perform first-time-run after an upgrade
+- Fix boot-start for older Splunk UF versions
+- Add ssl3 to intermediate_compatibility due to SPL-141961 and SPL-141964
 
 ### 3.4.0
 

README.md

@@ -756,6 +756,8 @@ node 'some-server.internal.corp.tld' {
   - `intermediate`
   - `old`
 
+  Also see the Compatibility section below.
+
 #### `reuse_puppet_certs`
 
    Optional. By default the certificates signed by the Puppet CA will be reused. However if you want to do some quick testing with non-Puppetized nodes, set this to `false`, and make sure to point `sslcertpath => 'server.pem'` and `sslrootcapath => 'cacert.pem'` to the default Splunk testing certs.
@@ -902,10 +904,11 @@ node 'some-server.internal.corp.tld' {
 
 ## Compatibility
 
-Requires Splunk and Splunkforwarders >= 6.2.0.
-However, if you still have versions < 6.2 , pass `sslcompatibility => 'intermediate'`.
+Set sslcompatibility in these cases:
 
-If you have version >= 6.2.0 servers but with stock settings from a previous Splunk installation, also pass `sslcompatibility => 'intermediate'` in the universal forwarder declaration, otherwise the SSL connections to the deploymentserver will fail.
+* If you have older 6.0, 6.1, 6,2 or 6.3 releases that connect to Splunk 6.6 (see SPL-141961, SPL-141964)
+* If you have older 6.0, 6,1 releases that connect to Splunk 6.2, 6,3, 6,4 or 6,5
+* If you have 6.2, 6,3, 6.4 or 6.5 releases with default Splunk ssl settings that connect to Splunk managed by this module
 
 ## Changelog
 

TEST_COVERAGE.md

@@ -9,6 +9,7 @@
 | v3.3.0  |   24   |  43   |
 | v3.4.0  |   26   |  45   |
 | v3.4.1  |   27   |  45   |
+| v3.4.2  |   27   |  45   |
 
 ## By operating system:
 

manifests/certs/s2s.pp

@@ -78,6 +78,7 @@
       }
       -> exec { 'openssl dhparam':
         command   => "openssl dhparam -outform PEM -out ${splunk_home}/etc/auth/certs/dhparam.pem ${dhparamsize}",
+        user      => $splunk_os_user,
         path      => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', "${splunk_home}/bin"],
         creates   => [
           "${splunk_home}/etc/auth/certs/dhparam.pem",
@@ -104,7 +105,7 @@
         }
 
         # reuse certs from commercial Puppet
-        exec { 'openssl s2s ca commercial puppet':
+        -> exec { 'openssl s2s ca commercial puppet':
           command => "cat /etc/puppetlabs/puppet/ssl/certs/ca.pem > ${splunk_home}/etc/auth/${sslrootcapath}",
           path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', "${splunk_home}/bin"],
           creates => [ "${splunk_home}/etc/auth/${sslrootcapath}", ],
@@ -119,7 +120,7 @@
         }
 
         # reuse certs from Red Hat packaged Puppet
-        exec { 'openssl s2s ca redhat puppet':
+        -> exec { 'openssl s2s ca redhat puppet':
           command => "cat /var/lib/puppet/ssl/certs/ca.pem > ${splunk_home}/etc/auth/${sslrootcapath}",
           path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', "${splunk_home}/bin"],
           creates => [ "${splunk_home}/etc/auth/${sslrootcapath}", ],
@@ -132,6 +133,18 @@
           creates => [ "${splunk_home}/etc/auth/certs/s2s.pem", ],
           onlyif  => "/usr/bin/test -e /var/lib/puppet/ssl/private_keys/${::fqdn}.pem"
         }
+
+        # Fix permissions
+        -> file { "${splunk_home}/etc/auth/${sslrootcapath}":
+          owner => $splunk_os_user,
+          group => $splunk_os_group,
+          mode  => $splunk_file_mode,
+        }
+        -> file { "${splunk_home}/etc/auth/${sslcertpath}":
+          owner => $splunk_os_user,
+          group => $splunk_os_group,
+          mode  => $splunk_file_mode,
+        }
       }
     }
   }

manifests/first_time_run.pp

@@ -0,0 +1,23 @@
+# vim: ts=2 sw=2 et
+class splunk::first_time_run (
+  $package = $splunk::package,
+  $package_source = $splunk::package_source,
+  $splunk_home = $splunk::splunk_home,
+  $splunk_os_user = $splunk::real_splunk_os_user,
+  $version = $splunk::version
+) {
+  case $::osfamily {
+    /^[Ww]indows$/: {
+      # Do nothing
+    }
+    default: {
+      exec { 'splunk first time run':
+        command => "${splunk_home}/bin/splunk ftr -user ${splunk_os_user} --accept-license --answer-yes --no-prompt",
+        path    => ["${splunk_home}/bin", '/bin', '/sbin', '/usr/bin', '/usr/sbin'],
+        require => Package[$package],
+        user    => $splunk_os_user,
+        onlyif  => "/usr/bin/test -e ${splunk_home}/ftr"
+      }
+    }
+  }
+}

manifests/init.pp

@@ -131,6 +131,7 @@
   include splunk::distsearch
   include splunk::passwd
   include splunk::authentication
+  include splunk::first_time_run
   include splunk::service
 
   # make sure classes are properly ordered and contained
@@ -152,6 +153,7 @@
   -> Class['splunk::distsearch']
   -> Class['splunk::passwd']
   -> Class['splunk::authentication']
+  -> Class['splunk::first_time_run']
   -> Class['splunk::service']
   -> splunk::addsearchpeers { $searchpeers: }
   anchor { 'splunk_last': }

manifests/installed.pp

@@ -32,11 +32,19 @@
           ensure => $version,
         }
       }
-      exec { 'splunk enable boot-start etcetera':
-        command => "${splunk_home}/bin/splunk enable boot-start -user ${splunk_os_user} --accept-license --answer-yes --no-prompt",
+      exec { 'splunk initial run':
+        command => "${splunk_home}/bin/splunk version --accept-license --answer-yes --no-prompt",
         path    => ["${splunk_home}/bin", '/bin', '/sbin', '/usr/bin', '/usr/sbin'],
         require => Package[$package],
+        user    => $splunk_os_user,
         creates => "${splunk_home}/etc/system/local/server.conf",
+        notify  => Exec['splunk enable boot-start'],
+      }
+      exec { 'splunk enable boot-start':
+        command     => "${splunk_home}/bin/splunk enable boot-start -user ${splunk_os_user} --accept-license --answer-yes --no-prompt",
+        path        => ["${splunk_home}/bin", '/bin', '/sbin', '/usr/bin', '/usr/sbin'],
+        require     => Package[$package],
+        refreshonly => true,
       }
     }
   }

manifests/params.pp

@@ -16,7 +16,7 @@
   $ciphersuite_modern = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'
   $dhparamsize_modern = 2048
   $ecdhcurvename_modern = 'secp384r1'
-  $sslversions_intermediate = 'tls'
+  $sslversions_intermediate = '*,-ssl2'
   $ciphersuite_intermediate = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
   $dhparamsize_intermediate = 2048
   $ecdhcurvename_intermediate = 'secp384r1'

manifests/passwd.pp

@@ -7,30 +7,38 @@
   $splunk_dir_mode = $splunk::real_splunk_dir_mode,
   $splunk_file_mode = $splunk::real_splunk_file_mode
 ){
-  if $admin != undef {
-    $hash  = $admin[hash]
-    $fn    = $admin[fn]
-    $email = $admin[email]
-    file { "${splunk_home}/etc/passwd":
-      ensure  => present,
-      owner   => $splunk_os_user,
-      group   => $splunk_os_group,
-      mode    => $splunk_dir_mode,
-      content => ':admin:::',
-      replace => 'no',
+  case $::osfamily {
+    /^[Ww]indows$/: {
+      notify {'Setting admin password not supported on Windows':}
+      warning('Setting admin password not supported on Windows')
     }
-    -> exec { 'set admin passwd':
-      command => "sed -i -e 's#^:admin:.*$#:admin:${hash}::${fn}:admin:${email}::#g' ${splunk_home}/etc/passwd",
-      unless  => "grep -qe '^:admin:${hash}' ${splunk_home}/etc/passwd",
-      path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
-    }
-    -> file { "${splunk_home}/etc/.ui_login":
-      ensure  => present,
-      owner   => $splunk_os_user,
-      group   => $splunk_os_group,
-      mode    => $splunk_file_mode,
-      content => '',
-      replace => 'no',
+    default: {
+      if $admin != undef {
+        $hash  = $admin[hash]
+        $fn    = $admin[fn]
+        $email = $admin[email]
+        file { "${splunk_home}/etc/passwd":
+          ensure  => present,
+          owner   => $splunk_os_user,
+          group   => $splunk_os_group,
+          mode    => $splunk_dir_mode,
+          content => ':admin:::',
+          replace => 'no',
+        }
+        -> exec { 'set admin passwd':
+          command => "sed -i -e 's#^:admin:.*$#:admin:${hash}::${fn}:admin:${email}::#g' ${splunk_home}/etc/passwd",
+          unless  => "grep -qe '^:admin:${hash}' ${splunk_home}/etc/passwd",
+          path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
+        }
+        -> file { "${splunk_home}/etc/.ui_login":
+          ensure  => present,
+          owner   => $splunk_os_user,
+          group   => $splunk_os_group,
+          mode    => $splunk_file_mode,
+          content => '',
+          replace => 'no',
+        }
+      }
     }
   }
 }

manifests/splunk_launch.pp

@@ -6,6 +6,8 @@
 ){
   case $::osfamily {
     /^[Ww]indows$/: {
+      notify {'Setting splunk_os_user not supported on Windows':}
+      warning('Setting splunk_os_user not supported on Windows')
       # On Windows there is no Augeas
     }
     default: {