Bug #12248

closed

Base bundle apache_acl fails when SSL cert is symlinked

Added by Janos Mattyasovszky about 6 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
N/A
Assignee:
-
Category:
System techniques
Target version:
-
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
User visibility:
Operational - other Techniques | Technique editor | Rudder settings
Effort required:
Priority:
0
Name check:
Fix check:
Regression:

Description

Getting an issue with "rudder agent run" after having installed 4.3.0.rc1 on sles12sp3:

E| error         DistributePolicy          Configure apache ACL                         Apache ACLs could not be edited
rudder  verbose: P: BEGIN promise 'promise_rudder_system_directives_cf_74' of type "methods" (pass 1)
rudder  verbose: P:    Promiser/affected object: 'distributePolicy/Distribute Policy'
rudder  verbose: P:    From parameterized bundle: rudder_system_directives( {"DistributePolicy","result_success","root-DP@@root-distributePolicy@@0","Send inventories to Rudder server","None","No inventory to send",""})
rudder  verbose: P:    Base context class: any
rudder  verbose: P:    Stack path: /default/rudder_system_directives/methods/'distributePolicy/Distribute Policy'[1]
rudder  verbose: B: *****************************************************************
rudder  verbose: B: BEGIN bundle apache_acl
rudder  verbose: B: *****************************************************************
rudder  verbose: V: .........................................................
rudder  verbose: V: BEGIN variables (pass 1)
rudder  verbose: V:     Computing value of 'destination'
rudder  verbose: V:     Computing value of 'ssl_ca_file'
rudder  verbose: V:     Computing value of 'ssl_ca_size'
rudder  verbose: V:     Computing value of 'apache_service'
rudder  verbose: C: .........................................................
rudder  verbose: C: BEGIN classes / conditions (pass 1)
rudder  verbose: C:     +  Private class: empty_ssl_ca
rudder  verbose: C:     +  Private class: pass1
rudder  verbose: Skipping promise 'src_ca_file' because 'if'/'ifvarclass' is not defined
rudder  verbose: V: .........................................................
rudder  verbose: V: BEGIN variables (pass 2)
rudder  verbose: V:     Computing value of 'destination'
rudder  verbose: V:     Computing value of 'ssl_ca_file'
rudder  verbose: V:     Computing value of 'ssl_ca_size'
rudder  verbose: Skipping promise 'src_ca_file' because 'if'/'ifvarclass' is not defined
rudder  verbose: V:     Computing value of 'src_ca_file'
rudder  verbose: V:     Computing value of 'apache_service'
rudder  verbose: C: .........................................................
rudder  verbose: C: BEGIN classes / conditions (pass 2)
rudder  verbose: C:     +  Private class: pass2
rudder  verbose: Skipping promise 'src_ca_file' because 'if'/'ifvarclass' is not defined
rudder  verbose: Using the default body: files_action
rudder  verbose: P: .........................................................
rudder  verbose: P: BEGIN promise 'promise_apache_acl_cf_48' of type "files" (pass 2)
rudder  verbose: P:    Promiser/affected object: '/opt/rudder/etc/ssl/ca.cert'
rudder  verbose: P:    From parameterized bundle: apache_acl( {"DistributePolicy","result_success","root-DP@@root-distributePolicy@@0","Send inventories to Rudder server","None","No inventory to send",""})
rudder  verbose: P:    Base context class: pass2
rudder  verbose: P:    Stack path: /default/rudder_system_directives/methods/'distributePolicy/Distribute Policy'/default/apache_acl/files/'/opt/rudder/etc/ssl/ca.cert'[1]
rudder  verbose: P:
rudder  verbose: P:    Comment:  Writing rudder apache ACL
rudder  verbose: Additional promise info: source path '/var/rudder/cfengine-community/inputs/distributePolicy/1.0/apache-acl.cf' at line 48 comment 'Writing rudder apache ACL'
rudder  verbose: File '/opt/rudder/etc/ssl/ca.cert' exists as promised
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_kept'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_ok'
rudder  verbose: Handling file existence constraints on '/opt/rudder/etc/ssl/ca.cert'
rudder  verbose: Additional promise info: source path '/var/rudder/cfengine-community/inputs/distributePolicy/1.0/apache-acl.cf' at line 48 comment 'Writing rudder apache ACL'
rudder  verbose: File permissions on '/opt/rudder/etc/ssl/ca.cert' as promised
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_kept'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_ok'
rudder  verbose: Additional promise info: source path '/var/rudder/cfengine-community/inputs/distributePolicy/1.0/apache-acl.cf' at line 48 comment 'Writing rudder apache ACL'
rudder  verbose: Basedir '/opt/rudder/etc/ssl/ca.cert' not promising anything
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_kept'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_ok'
rudder  verbose: File '/opt/rudder/etc/ssl/ca.cert' copy_from '/opt/rudder/etc/ssl/rudder.crt'
rudder  verbose: Destination file '/opt/rudder/etc/ssl/ca.cert' already exists
rudder  verbose: Checksum comparison replaced by ctime: files not regular
rudder  verbose: Image file '/opt/rudder/etc/ssl/ca.cert' has a wrong digest/checksum, should be copy of '/opt/rudder/etc/ssl/rudder.crt'
rudder  verbose: Checking link from '/opt/rudder/etc/ssl/ca.cert' to 'sles12sp3.fqdn.crt'
   error: Object '/opt/rudder/etc/ssl/ca.cert' exists and is obstructing our promise
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_failed'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_error'
   error: Unable to create link '/opt/rudder/etc/ssl/ca.cert' -> './sles12sp3.fqdn.crt', failed to move obstruction
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_failed'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_error'
rudder  verbose: Handling file existence constraints on '/opt/rudder/etc/ssl/ca.cert'
rudder  verbose: Handling file existence constraints on '/opt/rudder/etc/ssl/ca.cert'
rudder  verbose: Additional promise info: source path '/var/rudder/cfengine-community/inputs/distributePolicy/1.0/apache-acl.cf' at line 48 comment 'Writing rudder apache ACL'
rudder  verbose: File permissions on '/opt/rudder/etc/ssl/ca.cert' as promised
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_kept'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_ok'
rudder  verbose: A: Promise was KEPT
rudder  verbose: P: END files promise (/opt/rudder/etc/ssl/ca.cert)

I am not even sure what this file tries to accomplish after looking at it...

Actions #1

Updated by Benoît PECCATTE about 6 years ago

This is indeed weird: this file tries to fill the ca.cert from rudder.crt, which can only work if the user has not touched Rudder's certificate.

We need to handle this case at postinstall and not in promises: copy rudder.crt to ca.cert only if it doesn't exist.
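
The postinstall behaviour proposed in the comment above, written out as an added example (this is not Rudder's packaging code): seed ca.cert from rudder.crt only when nothing exists at the destination, treating a symlink, even a dangling one, as an administrator's choice to preserve. The function name `seed_ca_cert`, the status strings and the 0644 mode are assumptions.

```shell
#!/bin/sh
# Added illustration; not Rudder's postinstall script.
# seed_ca_cert SRC DST: copy SRC to DST only when DST is absent.
# Prints "seeded" or "kept" and returns 0; returns 1 if SRC is unusable.
seed_ca_cert() {
    src=$1
    dst=$2

    # -e follows symlinks, so a dangling symlink needs the extra -L test.
    # Either way an administrator has already put something at DST
    # (for example a link to a site certificate): leave it untouched.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        echo "kept"
        return 0
    fi

    # Nothing to seed from: report it instead of creating an empty CA file.
    if [ ! -s "$src" ]; then
        echo "missing-source"
        return 1
    fi

    # Copy to a temporary name in the same directory, then rename, so
    # Apache never reads a half-written CA file.
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    # 0644 is an assumed mode: a CA certificate is public material.
    if cp "$src" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dst"; then
        echo "seeded"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Paths taken from the log in this ticket; only runs when asked to.
if [ "${1:-}" = "--run" ]; then
    seed_ca_cert /opt/rudder/etc/ssl/rudder.crt /opt/rudder/etc/ssl/ca.cert
fi
```
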

Actions #2

Updated by Benoît PECCATTE almost 6 years ago

  • User visibility changed from Getting started - demo | first install | level 1 Techniques to Operational - other Techniques | Technique editor | Rudder settings
  • Priority changed from 50 to 32

Actions #3

Updated by Alexis Mousset about 2 years ago

  • Status changed from New to Resolved
  • Priority changed from 32 to 0

Fixed in 7.0, the users can now manage their own certificates.
