Rudder 3.1 “Frigate” was released 9th July 2015.
The main changes are:
- Improvements on security: inventories are now signed and sent over HTTPS, a basic SELinux policy is now provided
- New features in the API: compliance, rule and group categories, complex queries on nodes
- Some UI improvements: compliance of each Node in Nodes list, a new filter box in Directive/Group tree in Rule details
- Rule and directive execution sorting is now possible!
- New commands in rudder cli
- A new init script to rule them all
The main focus of Rudder 3.1 is security.
Inventories sent from 3.1 agents are signed by default using their private key. On 3.1 servers, the public key will be displayed is the pending Nodes list, and once accepted, all inventories updates have to be signed with the same key to be accepted by the server. An icon in Node details will indicate the status of inventory signing, next to “Display Node Key”.
- A black icon indicates the inventory is not signed (expected behavior with pre-3.1 agents)
- A green icon indicates that only signed inventories will be accepted
Inventories sent over HTTPS
When using Rudder 3.1 on your policy servers, HTTPS is used to send inventories from nodes to policy server. This implies that port 80 is not needed anymore, but port 443 must now be opened.
Reporting on UDP
The other big network change is the ability to use UDP to send reports to servers (only TCP was used before 3.1), to avoid breaking things in case of networking problems. UDP is even the default for new installations. To change the protocol used for reporting, go to Administration -> Settings.
Compliance in Nodes list
The compliance of each node is now displayed in nodes list (and node search result) to easily identify problems.
A filter box in Directive/Group tree in Rule configuration
When the groups and directives number increases, it can be difficult to navigate to a particular one. There is now a search bar to get instant access to the group or directive you’re looking for.
New features in Rudder API
You can now:
- Get compliance
- Manage rule and group categories
- Make complex queries on nodes
The documentation is available at https://www.rudder-project.org/rudder-api-doc/.
Rules and directives ordering
Since 3.1.1, it is possible to order rules and directives execution. How? Use the name of the directive as order. That means faster convergence for complex configuration with inter-dependencies. First, the rules are ordered alphabetically, and within each rule, directives are also sorted alphabetically. The best way use that feature is to add a numeric prefix at the beginning of the rules or directives names (like “002. Install packages”).
New init script
We added a new init script, simple called rudder, deployed with rudder-agent. It is now the only script set to start at boot, and will take care of starting other services if needed.
For example, on a Rudder server:
rudder agent check
Check is rudder agent is working properly (configuration, processes, promises).
rudder agent info
Displays a summary of agent information, useful to debug problems:
rudder remote run <nodeId>
Triggers the execution of a remote agent from its policy server. You can use it to deploy quickly a policy update on your nodes, without having to wait for the agent run.
New supported OS
Rudder agent now runs on SLES 12.
- The underlying CFEngine is updated to the latest available version, 3.6.5, with a bunch of bugfixes.
- Users running Rudder server on Ubuntu 14.04 experienced recurrent problems with reports logging. This is caused by a bug is the rsyslog version distributed in Ubuntu 14.04. We now provide a fixed rsyslog package in our repositories, and upgrading to Rudder 3.1.1 should install the package as a dependency.
- A lot of other bugfixes, all are listed in the changelog
Versioning and Upgrades
Rudder 3.1 only supports direct upgrade from 2.11 and 3.0. If you are running 2.10 or older, you have to upgrade to 2.11 or 3.0 before upgrading to 3.1. Remember that, as usual, you have to upgrade the techniques manually to benefit from improvement and bugfixes in techniques.
Rudder 3.0 is now an old-latest version, and will thus be maintained until 9th October 2015. If you are currently running 3.0 you should plan to upgrade to 3.1 before this date. Rudder 3.1 will be maintained at least 3 months after the next major Rudder release.
Since Rudder 2.11 was marked as ESR, Rudder 2.10 support will end the 5th December 2015. If you are currently running 2.10 you should plan to upgrade to 2.11, the last ESR, before this date. Rudder 2.11 will be maintained at least 6 months after the next ESR.