
Bug #10605

Sharing files with "root" does not work

Added by Janos Mattyasovszky over 1 year ago. Updated about 1 month ago.

Status: Released
Priority: N/A
Category: Techniques
Target version:
Severity: Major - prevents use of part of Rudder | no simple workaround
User visibility: Operational - other Techniques | Technique editor | Rudder settings
Effort required: Small
Priority: 56

Description

Use case:

Share locally generated ssh hostkeys from all Nodes to the Root server.

Error:

The Root server tries to retrieve the files via cf-agent rather than accessing them directly on the FS (since it's its own policy server), and it appears not to trust itself, because it does not have localhost.pub named in the root-MD=${HASH}.pub format:

rudder  verbose: P: BEGIN promise 'promise_sharedfile_from_node_cf_50' of type "files" (pass 1)
rudder  verbose: P:    Promiser/affected object: '/var/rudder/configuration-repository/sha'
rudder  verbose: P:    From parameterized bundle: sharedfile_from_node( {"752da888-c98b-46a9-81b5-0be9ce22322a","service_hostkey_rsa","/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub"})
rudder  verbose: P:    Base context class: any
rudder  verbose: P:    Stack path: /default/rudder_directives/methods/'Process SSH Keys/Process_Service_SSH_keys'/default/Process_Service_SSH_keys/methods/'method_call'/default/sharedfile_from_node/files/'/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub'[1]
rudder  verbose: File '/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub' copy_from '/var/rudder/shared-files/root/files/752da888-c98b-46a9-81b5-0be9ce22322a/service_hostkey_rsa'
rudder  verbose: FindIdle: no existing connection to '127.0.0.1' is established.
rudder  verbose: Connecting to host 127.0.0.1, port 5309 as address 127.0.0.1
rudder  verbose: Waiting to connect...
rudder  verbose: Setting socket timeout to 30 seconds.
rudder  verbose: Connected to host 127.0.0.1 address 127.0.0.1 port 5309 (socket descriptor 4)
rudder  verbose: TLS version negotiated:  TLSv1.2; Cipher: AES256-GCM-SHA384,TLSv1/SSLv3
rudder  verbose: TLS session established, checking trust...
rudder  verbose: Did not find new key format '/var/rudder/cfengine-community/ppkeys/root-MD5=16340f76b8daa8d895e9633742ca7f50.pub'
rudder  verbose: Trying old style '/var/rudder/cfengine-community/ppkeys/root-127.0.0.1.pub'
rudder  verbose: Received key 'MD5=16340f76b8daa8d895e9633742ca7f50' not found in ppkeys
   error: TRUST FAILED, server presented untrusted key: MD5=16340f76b8daa8d895e9633742ca7f50
rudder  verbose: Connection to 127.0.0.1 is closed
rudder     info: Unable to establish connection to '127.0.0.1'
   error: No suitable server found
rudder  verbose: C:    + promise outcome class 'repair_failed_sharedfile_from_node_service_hostkey_rsa'
rudder  verbose: C:    + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_failed'
rudder  verbose: C:    + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_ok'
rudder  verbose: C:    + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_error'
rudder  verbose: C:    + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_kept'
rudder  verbose: C:    + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_repaired'
rudder  verbose: C:    + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_reached'
rudder     info: Promise belongs to bundle 'sharedfile_from_node' in file '/var/rudder/ncf/common/30_generic_methods/sharedfile_from_node.cf' near line 50
rudder  verbose: A: Promise NOT KEPT!

I can confirm that symlinking localhost.pub to the missing by-MD5 name does solve the issue:

-rw------- 1 root root 1743 Apr  5 16:28 localhost.priv
-rw------- 1 root root  426 Apr  5 16:28 localhost.pub
lrwxrwxrwx 1 root root   13 Apr 18 12:09 root-MD5=16340f76b8daa8d895e9633742ca7f50.pub -> localhost.pub

Agent run now shows repaired:

E| repaired      Process_Service_SSH_keys  Sharedfile from node      service_hostkey_e| Retrieving service_hostkey_ed25519 from 752da888-c98b-46a9-81b5-0be9ce22322a into /var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_ed25519.pub was repaired
E| repaired      Process_Service_SSH_keys  Sharedfile from node      service_hostkey_r| Retrieving service_hostkey_rsa from 752da888-c98b-46a9-81b5-0be9ce22322a into /var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub was repaired
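
A diagnostic for the trust failure reported above, as an added example that is not part of the original report and not Rudder or CFEngine code: it pulls the rejected key digest out of verbose agent output and reports what the ppkeys directory holds under the two file names the log shows being tried. The function names and status strings are hypothetical, and the demo runs against a constructed temporary directory rather than /var/rudder/cfengine-community/ppkeys.

```shell
#!/bin/sh
# Added diagnostic sketch, not Rudder or CFEngine code.
# Function names and status strings are hypothetical.

# Two lines copied from the verbose output in the report above.
SAMPLE_LOG='rudder  verbose: TLS session established, checking trust...
   error: TRUST FAILED, server presented untrusted key: MD5=16340f76b8daa8d895e9633742ca7f50'

# Print each distinct key digest the agent refused (log on stdin).
untrusted_digests() {
    sed -n 's/.*TRUST FAILED, server presented untrusted key: \(MD5=[0-9a-f]*\).*/\1/p' | sort -u
}

# Describe what ppkeys holds for a digest, using the two names the log
# shows being tried: root-<digest>.pub, then old style root-<address>.pub.
ppkeys_status() {
    dir=$1; digest=$2; addr=${3:-127.0.0.1}
    new="$dir/root-$digest.pub"
    if [ -L "$new" ] && [ ! -e "$new" ]; then
        echo "dangling-link"
    elif [ -L "$new" ]; then
        echo "link:$(readlink "$new")"
    elif [ -f "$new" ]; then
        echo "file"
    elif [ -f "$dir/root-$addr.pub" ]; then
        echo "old-style-only"
    else
        echo "missing"
    fi
}

# Read agent output on stdin, print "<digest> <status>" per rejected key.
check_log() {
    untrusted_digests | while read -r digest; do
        echo "$digest $(ppkeys_status "$1" "$digest")"
    done
}

# Demo on a constructed directory standing in for the real ppkeys path.
demo=$(mktemp -d)
: > "$demo/localhost.pub"
printf '%s\n' "$SAMPLE_LOG" | check_log "$demo"    # key not yet known
ln -s localhost.pub "$demo/root-MD5=16340f76b8daa8d895e9633742ca7f50.pub"
printf '%s\n' "$SAMPLE_LOG" | check_log "$demo"    # after the symlink
rm -rf "$demo"
```

Before trusting a digest this way, compare it with the output of `cf-key --print-digest` on localhost.pub, so that the entry added to ppkeys is the server's own key and not whatever key happened to answer on port 5309.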


Subtasks

Bug #13761: Unexpected report caused by parent issue - Released - Alexis MOUSSET

Related issues

Related to Rudder - Bug #10283: Impossible to share file from root server - Rejected
Related to Rudder - Bug #13689: Technique "File download (Rudder server)" does not correctly copy symlink on rudder root server - Rejected

Associated revisions

Revision ffb30b86 (diff)
Added by Nicolas CHARLES about 2 months ago

Fixes #10605: Sharing files with "root" does not work

History

#1 Updated by Janos Mattyasovszky over 1 year ago

  • Description updated (diff)

#2 Updated by Janos Mattyasovszky over 1 year ago

  • Severity changed from Major - prevents use of part of Rudder | no simple workaround to Minor - inconvenience | misleading | easy workaround
  • Found in version (s) 4.1.2 added

Workaround by using ln -s on localhost.pub.

#3 Updated by François ARMAND over 1 year ago

  • Related to Bug #10599: Impossible to search or build groups based on JSON values in node properties added

#4 Updated by François ARMAND over 1 year ago

  • Related to deleted (Bug #10599: Impossible to search or build groups based on JSON values in node properties)

#5 Updated by François ARMAND over 1 year ago

  • Related to Bug #10283: Impossible to share file from root server added

#6 Updated by François ARMAND over 1 year ago

  • Severity changed from Minor - inconvenience | misleading | easy workaround to Major - prevents use of part of Rudder | no simple workaround
  • Effort required set to Small
  • Priority changed from 0 to 44

#7 Updated by Benoît PECCATTE over 1 year ago

  • Priority changed from 44 to 54

#8 Updated by Benoît PECCATTE about 1 year ago

  • Priority changed from 54 to 61

#9 Updated by Benoît PECCATTE 6 months ago

  • Assignee set to Benoît PECCATTE
  • Priority changed from 61 to 56

This is probably solved, we should check it

#10 Updated by Benoît PECCATTE 6 months ago

  • Status changed from New to Rejected

This now works, it is used by the centreon plugin successfully.

#11 Updated by Alexis MOUSSET about 2 months ago

  • Status changed from Rejected to New

Seen it again on 5.0.1, Ubuntu 18.04 with a fresh install.

Reopening. We need at least documentation to work around this issue.

#12 Updated by Nicolas CHARLES about 2 months ago

  • Target version set to 4.1.16

#13 Updated by Nicolas CHARLES about 2 months ago

  • Status changed from New to In progress
  • Assignee changed from Benoît PECCATTE to Nicolas CHARLES

#14 Updated by Nicolas CHARLES about 2 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Alexis MOUSSET
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1348

#15 Updated by Nicolas CHARLES about 2 months ago

  • Status changed from Pending technical review to Pending release

#16 Updated by Alexis MOUSSET about 2 months ago

  • Related to Bug #13689: Technique "File download (Rudder server)" does not correctly copy symlink on rudder root server added

#17 Updated by Vincent MEMBRÉ about 1 month ago

  • Status changed from Pending release to Released
This bug has been fixed in Rudder 4.1.16, 4.3.6 and 5.0.2 which were released today.
