Actions
Bug #11633
closed
When upgrading from 4.1 to 4.2 on Centos 7, generated policy are invalid
Pull Request:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
Fix check:
Regression:
Description
I upgraded from 4.1 nightly to 4.2 nightly and generated policy are invalid
Indeed, group hasPolicyServer-root is empty
[2017-10-19 15:10:15] INFO com.normation.rudder.batch.UpdateDynamicGroups$LAUpdateDyngroupManager - Dynamic group hasPolicyServer-root: added node with id: nothing, removed: [ 81934fe2-dcf9-4f14-9ba0-896d4da807e5, 9ed9ed2e-dd31-4b11-9ac0-38476c9acd22, 0711c800-9b7b-4626-b0eb-1dcaeefaa200 ]
when creating the query in group:
Node Summary/Agent Type/=/ with either Any CFEngine based agent, or Rudder (cfengine community) doesn't find anything
Ldap does contain
agentName: {"agentType":"cfengine-community","version":"4.1.8.rc1.git2017101
90339-1.EL.7","securityToken":{"value":"-----BEGIN RSA PUBLIC KEY-----\nMII
BCgKCAQEAw5jMPmwGQe38ugsKbTGoIw5cNyJuLOsSv8v5S799IxNEjV/CcxXz\n5T4tO2Ve+v43
dEnKT8EBWdAB4T6pxtc62rVW8CGuDe1kj3VnXE1mtTI9+HZM/SCB\nBr5Zcz7OrxKgfFQa/Vilz
utHF9RB91aU+xWB0kXokKuHhq71d/xZZv5jazKxjNrU\n9kxOmUmXIMVyM/7ULrmluyJYJYYNzo
XAV0QKyA7RkjWYoZulEReWszMo0MglYXpo\nuR9FGqaxlMQIpxZNlG/xI8/MedhKGgsV8BnNQT/
gxPtRu2peIPjpp0xeQH2f90/0\n0LICETTuuDcd8SVgdjbdCKnkuMAqYyBqYwIDAQAB\n-----E
ND RSA PUBLIC KEY-----","type":"publicKey"}}
Updated by Nicolas CHARLES over 6 years ago
indeed, query is
[2017-10-19 15:33:18] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [898201587952] Start search for { returnType:'NodeReturnType' with 'And' criteria [node.agentName eq cfengine] }
[2017-10-19 15:33:18] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [898201587952] |- (final query) LDAPObjectType(ou=Nodes,ou=Accepted Inventories,ou=Inventories,cn=rudder-configuration,One,LDAPObjectTypeFilter((objectClass=*)),Some((|(agentName=*"agentType":"cfengine-community"*)(agentName=community)(agentName=*"agentType":"cfengine-nova"*)(agentName=nova))),DNJoin,Set())
[2017-10-19 15:33:18] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [898201587952] |--- SearchRequest(baseDN='ou=Nodes,ou=Accepted Inventories,ou=Inventories,cn=rudder-configuration', scope=ONE, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(&(objectClass=*)(|(agentName=*"agentType":"cfengine-community"*)(agentName=community)(agentName=*"agentType":"cfengine-nova"*)(agentName=nova)))', attrs={isSystem, serializedHeartbeatRunConfiguration, ram, policyServerId, description, machineId, osArchitectureType, osFullName, timezoneName, localAdministratorAccountName, osKernelVersion, windowsKey, container, componentSerialNumber, cn, osServicePack, serializedAgentRunInterval, windowsUserDomain, serializedNodeProperty, timezoneOffset, keyStatus, createTimestamp, agentName, windowsRegistrationCompany, osName, ipHostNumber, publicKey, isBroken, inventoryDate, policyMode, manufacturer, osVersion, nodeId, nodeHostname, rudderServerRole, objectClass, windowsId})
Updated by Nicolas CHARLES over 6 years ago
query has been updated at upgrade as
[2017-10-19 15:05:17] INFO bootchecks - Updating system configuration stored in entry 'nodeGroupId=hasPolicyServer-root,groupCategoryId=SystemGroups,groupCategoryId=GroupRoot,ou=Rudder,cn=rudder-configuration': LDIFModifyChangeRecord(dn='nodeGroupId=hasPolicyServer-root,groupCategoryId=SystemGroups,groupCategoryId=GroupRoot,ou=Rudder,cn=rudder-configuration', mods={LDAPModification(type=replace, attr=cn, values={'All classic Nodes managed by root policy server'}), LDAPModification(type=replace, attr=description, values={'All classic Nodes known by Rudder directly connected to the root server. This group exists only as internal purpose and should not be used to configure nodes.'}), LDAPModification(type=replace, attr=jsonNodeGroupQuery, values={'{"select":"nodeAndPolicyServer","composition":"And","where":[{"objectType":"node","attribute":"policyServerId","comparator":"eq","value":"root"},{"objectType":"node","attribute":"agentName","comparator":"eq","value":"cfengine"}]}'})})
[2017-10-19 15:05:17] INFO com.normation.rudder.services.policies.PromiseGenerationServiceImpl - Start policy generation, checking updated rules
[2017-10-19 15:05:17] INFO bootchecks - Updating system configuration stored in entry 'ruleId=inventory-all,ou=Rules,ou=Rudder,cn=rudder-configuration': LDIFModifyChangeRecord(dn='ruleId=inventory-all,ou=Rules,ou=Rudder,cn=rudder-configuration', mods={LDAPModification(type=replace, attr=ruleTarget, values={'group:all-nodes-with-cfengine-agent'})})
Updated by Nicolas CHARLES over 6 years ago
policy server has agentname
agentName: {"agentType":"cfengine-community","version":"4.1.8.rc1.git2017101
90339-1.EL.7","securityToken":{"value":"-----BEGIN RSA PUBLIC KEY-----\nMII
while node have
agentName: {"agentType":"Community","version":"3.1.24.rc1.git201710190736-1.
EL.7"}
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.1 to 4.2.2
Updated by Benoît PECCATTE over 6 years ago
- Is duplicate of Bug #11634: CFEngine agent are not more matched after parent-ticket correction added
Actions