-
Notifications
You must be signed in to change notification settings - Fork 261
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add support for CWS on Windows #907
Conversation
recipes/system-probe.rb
Outdated
@@ -22,7 +22,7 @@ | |||
# Set the correct agent startup action | |||
cws_enabled = node['datadog']['security_agent']['cws']['enabled'] | |||
sysprobe_enabled = if is_windows |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sysprobe_enabled = if is_windows | |
cws_enabled = node['datadog']['security_agent']['cws']['enabled'] | |
npm_enabled = node['datadog']['system_probe']['network_enabled'] | |
usm_enabled = node['datadog']['system_probe']['service_monitoring_enabled'] | |
sysprobe_enabled = node['datadog']['system_probe']['enabled'] | |
sysprobe_enabled = sysprobe_enabled || cws_enabled || npm_enabled || usm_enabled | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
my suggestion didn't work out as clearly as I'd hoped.
I'd replace the whole sysprobe_enabled = if is_windows...
block
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did something similar to what you suggested, I think it makes things easier anyway even if we still have a small if is_windows
a92f7c4
to
a233d8f
Compare
recipes/system-probe.rb
Outdated
end | ||
|
||
sysprobe_enabled ||= npm_enabled || cws_enabled | ||
unless is_windows |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Windows has USM; so on windows system probe should be enabled if usm is enabled.
(this is also somewhat outside the scope of what you're doing, because it's clear the USM support for windows is lacking in the chef recipe). So, I'm fine either way. But there's no underlying reason for the conditional at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah didn't know that, yeah the USM is checked here but not plugged anywhere after that. I will simplify further then
a233d8f
to
a654c73
Compare
a654c73
to
4a73c82
Compare
4628528
to
6233eab
Compare
6233eab
to
0617920
Compare
@@ -20,11 +20,17 @@ | |||
is_windows = platform_family?('windows') | |||
|
|||
# Set the correct agent startup action | |||
security_agent_enabled = !is_windows && node['datadog']['security_agent']['cws']['enabled'] || node['datadog']['security_agent']['cspm']['enabled'] | |||
security_agent_enabled = node['datadog']['security_agent']['cws']['enabled'] || (!is_windows && node['datadog']['security_agent']['cspm']['enabled']) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you enable cws
on windows, why do you change the condition on cspm
? Was it initially incorrect?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the original code was wrong, CSPM does not support windows for now. So I'm moving the is windows check to only apply to the CSPM part
@@ -65,14 +73,18 @@ | |||
# Common configuration | |||
service_provider = Chef::Datadog.service_provider(node) | |||
|
|||
service_name = 'datadog-agent-security' | |||
service_name = is_windows ? 'datadog-security-agent' : 'datadog-agent-security' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is probably not related to this PR, but why???
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no idea.. I'm just copying what has been done for system probe
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is the name of the service on linux datadog-security-agent
or datadog-agent-security
?
Right now, the name of the service (on windows) is datadog-security-agent
. Since we haven't shipped, we can make it datadog-agent-security
without breaking anything, and then it will match linux if that's desirable.
solo.resource_collection.insert( | ||
Chef::Resource::Service.new('datadog-agent', solo.run_context)) | ||
solo.resource_collection.insert( | ||
Chef::Resource::Service.new('datadog-agent-security', solo.run_context)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I believe line 76 in recipes/security-agent.rb
in windows the name changes, correct?
Chef::Resource::Service.new('datadog-agent-security', solo.run_context)) | |
Chef::Resource::Service.new('datadog-security-agent', solo.run_context)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think there is a difference between the "public name" of the service which changes on windows, and the name of the chef service which is common on both platforms
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved as is; but noted there are some options we might want to take since we haven't shipped anything yet.
|
||
# | ||
# Configures security-agent agent | ||
security_agent_config_file = '/etc/datadog-agent/security-agent.yaml' | ||
security_agent_config_file = | ||
if is_windows |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is probably OK for now, and is probably how we do it for system-probe.yaml, too.
But the root config dir is configurable on windows.
So, c:\programdata...
is the correct default. But in theory it could be changed. it's not clear if the chef recipe as a whole supports that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't support changing the PROJECTLOCATION
nor the APPLICATIONDATADIRECTORY
with Chef on Windows.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks. that's even better.
@@ -65,14 +73,18 @@ | |||
# Common configuration | |||
service_provider = Chef::Datadog.service_provider(node) | |||
|
|||
service_name = 'datadog-agent-security' | |||
service_name = is_windows ? 'datadog-security-agent' : 'datadog-agent-security' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is the name of the service on linux datadog-security-agent
or datadog-agent-security
?
Right now, the name of the service (on windows) is datadog-security-agent
. Since we haven't shipped, we can make it datadog-agent-security
without breaking anything, and then it will match linux if that's desirable.
This reverts commit 9c2c583.
What does this PR do?
This PR adds support for CWS on Windows. It also slightly cleans up the system probe recipe and adds a rspec test for this new support.
Motivation
Windows agent builders use chef to install the agent, since we want to enable CWS there, we need this new support.
Additional Notes
Possible Drawbacks / Trade-offs
Describe how to test/QA your changes
Use:
and check that CWS is actually enabled (this requires a custom agent build until 7.52 is released)
Reviewer's Checklist