Bug #10605
closed
Sharing files with "root" does not work
Description
Usecase:
Share locally generated ssh hostkeys from all Nodes to the Root server.
Error:
The Root server tries to retrieve the files via cf-agent, and not directly access it on the FS (since it's its own policy server), and it appears to not trust itself, because it does not have localhost.pub named by the root-MD=${HASH}.pub format:
rudder verbose: P: BEGIN promise 'promise_sharedfile_from_node_cf_50' of type "files" (pass 1)
rudder verbose: P: Promiser/affected object: '/var/rudder/configuration-repository/sha'
rudder verbose: P: From parameterized bundle: sharedfile_from_node( {"752da888-c98b-46a9-81b5-0be9ce22322a","service_hostkey_rsa","/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub"})
rudder verbose: P: Base context class: any
rudder verbose: P: Stack path: /default/rudder_directives/methods/'Process SSH Keys/Process_Service_SSH_keys'/default/Process_Service_SSH_keys/methods/'method_call'/default/sharedfile_from_node/files/'/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub'[1]
rudder verbose: File '/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub' copy_from '/var/rudder/shared-files/root/files/752da888-c98b-46a9-81b5-0be9ce22322a/service_hostkey_rsa'
rudder verbose: FindIdle: no existing connection to '127.0.0.1' is established.
rudder verbose: Connecting to host 127.0.0.1, port 5309 as address 127.0.0.1
rudder verbose: Waiting to connect...
rudder verbose: Setting socket timeout to 30 seconds.
rudder verbose: Connected to host 127.0.0.1 address 127.0.0.1 port 5309 (socket descriptor 4)
rudder verbose: TLS version negotiated: TLSv1.2; Cipher: AES256-GCM-SHA384,TLSv1/SSLv3
rudder verbose: TLS session established, checking trust...
rudder verbose: Did not find new key format '/var/rudder/cfengine-community/ppkeys/root-MD5=16340f76b8daa8d895e9633742ca7f50.pub'
rudder verbose: Trying old style '/var/rudder/cfengine-community/ppkeys/root-127.0.0.1.pub'
rudder verbose: Received key 'MD5=16340f76b8daa8d895e9633742ca7f50' not found in ppkeys
error: TRUST FAILED, server presented untrusted key: MD5=16340f76b8daa8d895e9633742ca7f50
rudder verbose: Connection to 127.0.0.1 is closed
rudder info: Unable to establish connection to '127.0.0.1'
error: No suitable server found
rudder verbose: C: + promise outcome class 'repair_failed_sharedfile_from_node_service_hostkey_rsa'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_failed'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_ok'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_error'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_kept'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_repaired'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_reached'
rudder info: Promise belongs to bundle 'sharedfile_from_node' in file '/var/rudder/ncf/common/30_generic_methods/sharedfile_from_node.cf' near line 50
rudder verbose: A: Promise NOT KEPT!
I can confirm that symlinking the localhost.pub to the missing by-MD5-Name does solve the issue:
-rw------- 1 root root 1743 Apr 5 16:28 localhost.priv
-rw------- 1 root root 426 Apr 5 16:28 localhost.pub
lrwxrwxrwx 1 root root 13 Apr 18 12:09 root-MD5=16340f76b8daa8d895e9633742ca7f50.pub -> localhost.pub
Agent run now shows repaired:
E| repaired Process_Service_SSH_keys Sharedfile from node service_hostkey_e| Retrieving service_hostkey_ed25519 from 752da888-c98b-46a9-81b5-0be9ce22322a into /var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_ed25519.pub was repaired
E| repaired Process_Service_SSH_keys Sharedfile from node service_hostkey_r| Retrieving service_hostkey_rsa from 752da888-c98b-46a9-81b5-0be9ce22322a into /var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub was repaired
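The workaround from this report, as an added shell example that is not part of the original ticket or of Rudder's code: it pulls the rejected digest out of the agent's "TRUST FAILED" line and creates the root-<digest>.pub link only when that digest equals the digest of the server's own localhost.pub, which the operator supplies from an independent source. The function names and return codes are hypothetical; the sample log line and file names are the ones quoted above.

```sh
#!/bin/sh
# Added example, not Rudder code. Function names and return codes are hypothetical.

# Log line copied from the report above.
SAMPLE_LOG='error: TRUST FAILED, server presented untrusted key: MD5=16340f76b8daa8d895e9633742ca7f50'

# Read agent output on stdin, print the first rejected key digest (if any).
untrusted_digest() {
    sed -n 's/.*TRUST FAILED, server presented untrusted key: \(MD5=[0-9a-f]\{32\}\).*/\1/p' |
        head -n 1
}

# link_own_key PPKEYS_DIR PRESENTED_DIGEST OWN_DIGEST
# Creates PPKEYS_DIR/root-<digest>.pub -> localhost.pub, as in the report.
# OWN_DIGEST must come from the operator, computed from localhost.pub itself
# (assumption: e.g. with cf-key's print-digest option, if the agent build has
# it), never from the log, so that only the server's own key becomes trusted.
link_own_key() {
    dir=$1 presented=$2 own=$3
    [ -f "$dir/localhost.pub" ] || { echo "no localhost.pub in $dir" >&2; return 2; }
    # Reject anything that is not a well-formed digest before using it in a path.
    printf '%s\n' "$presented" | grep -Eq '^MD5=[0-9a-f]{32}$' ||
        { echo "malformed digest: $presented" >&2; return 4; }
    # Refuse to add trust for a key that is not the local one.
    [ "$presented" = "$own" ] ||
        { echo "presented key is not the local key, not linking" >&2; return 3; }
    target="$dir/root-$presented.pub"
    if [ -e "$target" ]; then
        return 0    # already present, nothing to do
    fi
    # Relative link, same shape as the listing in the report.
    ln -s localhost.pub "$target"
}
```

On a real server the first argument would be /var/rudder/cfengine-community/ppkeys, the directory named in the log above.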
Updated by Janos Mattyasovszky over 7 years ago
- Severity changed from Major - prevents use of part of Rudder | no simple workaround to Minor - inconvenience | misleading | easy workaround
- Found in version(s) 4.1.2 added
Workaround by using ln -s on localhost.pub.
Updated by François ARMAND over 7 years ago
- Related to Bug #10599: Impossible to search or build groups based on JSON values in node properties added
Updated by François ARMAND over 7 years ago
- Related to deleted (Bug #10599: Impossible to search or build groups based on JSON values in node properties)
Updated by François ARMAND over 7 years ago
- Related to Bug #10283: Impossible to share file from root server added
Updated by François ARMAND over 7 years ago
- Severity changed from Minor - inconvenience | misleading | easy workaround to Major - prevents use of part of Rudder | no simple workaround
- Effort required set to Small
- Priority changed from 0 to 44
Updated by Benoît PECCATTE over 6 years ago
- Assignee set to Benoît PECCATTE
- Priority changed from 61 to 56
This is probably solved, we should check it
Updated by Benoît PECCATTE over 6 years ago
- Status changed from New to Rejected
This now works, it is used by the centreon plugin successfully.
Updated by Alexis Mousset about 6 years ago
- Status changed from Rejected to New
Seen it again on 5.0.1, Ubuntu 18.04 with a fresh install.
Reopening. We need at least documentation to work around this issue.
Updated by Nicolas CHARLES about 6 years ago
- Status changed from New to In progress
- Assignee changed from Benoît PECCATTE to Nicolas CHARLES
Updated by Nicolas CHARLES about 6 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Nicolas CHARLES to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1348
Updated by Nicolas CHARLES about 6 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-techniques|ffb30b8661085c20581d32d79fa7eff56ab50fad.
Updated by Alexis Mousset about 6 years ago
- Related to Bug #13689: Technique "File download (Rudder server)" does not correctly copy symlink on rudder root server added
Updated by Vincent MEMBRÉ about 6 years ago
- Status changed from Pending release to Released