Bug #10605
closed
Sharing files with "root" does not work
Severity: Major - prevents use of part of Rudder | no simple workaround
User visibility: Operational - other Techniques | Technique editor | Rudder settings
Effort required: Small
Priority: 56
Description
Use case:
Share locally generated SSH host keys from all Nodes to the Root server.
Error:
The Root server tries to retrieve the files via cf-agent instead of accessing them directly on the FS (since it's its own policy server), and it appears to not trust itself, because it does not have localhost.pub named by the root-MD=${HASH}.pub format:
rudder verbose: P: BEGIN promise 'promise_sharedfile_from_node_cf_50' of type "files" (pass 1)
rudder verbose: P: Promiser/affected object: '/var/rudder/configuration-repository/sha'
rudder verbose: P: From parameterized bundle: sharedfile_from_node( {"752da888-c98b-46a9-81b5-0be9ce22322a","service_hostkey_rsa","/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub"})
rudder verbose: P: Base context class: any
rudder verbose: P: Stack path: /default/rudder_directives/methods/'Process SSH Keys/Process_Service_SSH_keys'/default/Process_Service_SSH_keys/methods/'method_call'/default/sharedfile_from_node/files/'/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub'[1]
rudder verbose: File '/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub' copy_from '/var/rudder/shared-files/root/files/752da888-c98b-46a9-81b5-0be9ce22322a/service_hostkey_rsa'
rudder verbose: FindIdle: no existing connection to '127.0.0.1' is established.
rudder verbose: Connecting to host 127.0.0.1, port 5309 as address 127.0.0.1
rudder verbose: Waiting to connect...
rudder verbose: Setting socket timeout to 30 seconds.
rudder verbose: Connected to host 127.0.0.1 address 127.0.0.1 port 5309 (socket descriptor 4)
rudder verbose: TLS version negotiated: TLSv1.2; Cipher: AES256-GCM-SHA384,TLSv1/SSLv3
rudder verbose: TLS session established, checking trust...
rudder verbose: Did not find new key format '/var/rudder/cfengine-community/ppkeys/root-MD5=16340f76b8daa8d895e9633742ca7f50.pub'
rudder verbose: Trying old style '/var/rudder/cfengine-community/ppkeys/root-127.0.0.1.pub'
rudder verbose: Received key 'MD5=16340f76b8daa8d895e9633742ca7f50' not found in ppkeys
error: TRUST FAILED, server presented untrusted key: MD5=16340f76b8daa8d895e9633742ca7f50
rudder verbose: Connection to 127.0.0.1 is closed
rudder info: Unable to establish connection to '127.0.0.1'
error: No suitable server found
rudder verbose: C: + promise outcome class 'repair_failed_sharedfile_from_node_service_hostkey_rsa'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_failed'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_ok'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_error'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_kept'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_repaired'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_reached'
rudder info: Promise belongs to bundle 'sharedfile_from_node' in file '/var/rudder/ncf/common/30_generic_methods/sharedfile_from_node.cf' near line 50
rudder verbose: A: Promise NOT KEPT!
I can confirm that symlinking the localhost.pub to the missing by-MD5-Name does solve the issue:
-rw------- 1 root root 1743 Apr 5 16:28 localhost.priv
-rw------- 1 root root 426 Apr 5 16:28 localhost.pub
lrwxrwxrwx 1 root root 13 Apr 18 12:09 root-MD5=16340f76b8daa8d895e9633742ca7f50.pub -> localhost.pub
Agent run now shows repaired:
E| repaired Process_Service_SSH_keys Sharedfile from node service_hostkey_e| Retrieving service_hostkey_ed25519 from 752da888-c98b-46a9-81b5-0be9ce22322a into /var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_ed25519.pub was repaired
E| repaired Process_Service_SSH_keys Sharedfile from node service_hostkey_r| Retrieving service_hostkey_rsa from 752da888-c98b-46a9-81b5-0be9ce22322a into /var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub was repaired
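The trust failure in the log above can be triaged with a short script. This is an added example, not part of the original report or of Rudder's code: it pulls each TRUST FAILED event out of verbose agent output and reports which of the key file names the agent looked for are absent from ppkeys. The function names and the sample log (assembled from lines in the report) are assumptions; the script only reports and does not decide which key to trust.

```python
import re
from pathlib import Path

# Constructed sample, assembled from lines of the verbose agent output in the report.
SAMPLE_LOG = """\
rudder verbose: Connecting to host 127.0.0.1, port 5309 as address 127.0.0.1
rudder verbose: TLS session established, checking trust...
rudder verbose: Did not find new key format '/var/rudder/cfengine-community/ppkeys/root-MD5=16340f76b8daa8d895e9633742ca7f50.pub'
rudder verbose: Trying old style '/var/rudder/cfengine-community/ppkeys/root-127.0.0.1.pub'
   error: TRUST FAILED, server presented untrusted key: MD5=16340f76b8daa8d895e9633742ca7f50
rudder verbose: Connection to 127.0.0.1 is closed
"""

CONNECT = re.compile(r"Connecting to host (\S+?), port (\d+)")
TRIED = re.compile(r"(?:Did not find new key format|Trying old style) '([^']+)'")
FAILED = re.compile(r"TRUST FAILED, server presented untrusted key: (\S+)")


def find_trust_failures(log_text):
    """Return one record per TRUST FAILED line: host, port, digest, key files tried."""
    failures, host, port, tried = [], None, None, []
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            # A new connection attempt starts a fresh list of tried key files.
            host, port, tried = m.group(1), int(m.group(2)), []
        elif m := TRIED.search(line):
            tried.append(m.group(1))
        elif m := FAILED.search(line):
            failures.append({"host": host, "port": port,
                             "digest": m.group(1), "tried": list(tried)})
    return failures


def check_ppkeys(failure, ppkeys_dir):
    """Report which tried key file names are absent from ppkeys_dir, and what is there."""
    ppkeys = Path(ppkeys_dir)
    missing = [Path(p).name for p in failure["tried"]
               if not (ppkeys / Path(p).name).exists()]
    present = sorted(p.name for p in ppkeys.glob("*.pub"))
    return {"missing": missing, "present": present}


if __name__ == "__main__":
    for f in find_trust_failures(SAMPLE_LOG):
        print(f["host"], f["port"], f["digest"])
        print(check_ppkeys(f, "/var/rudder/cfengine-community/ppkeys"))
```

Reading the real ppkeys directory requires sufficient privileges on the server; a key file listed under "present" is only a candidate and should be confirmed to be the server's own key before it is linked under the digest-based name.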