Bug #13664
closed
Mustache templating in audit mode always considers destination compliant once it exists
Added by Alexis Mousset about 6 years ago.
Updated about 6 years ago.
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Operational - other Techniques | Technique editor | Rudder settings
Effort required:
Very Small
Description
We should compare the content of the file with the rendered template when in audit mode (as we do in enforce mode, but without actual destination changes). This is what is done by file_from_string_mustache and file_from_template_jinja2.
It seems (tested with 5.0 on Ubuntu 16.04) that this is not the case and that the agent skips content comparison and defines classes based on file existence only, which breaks mustache templated-files auditing.
rudder verbose: P: .........................................................
rudder verbose: P: BEGIN promise 'promise_file_from_template_type_cf_131' of type "files" (pass 1)
rudder verbose: P: Promiser/affected object: '/tmp/dst'
rudder verbose: P: From parameterized bundle: file_from_template_type( {"/tmp/tpl","/tmp/dst","mustache"})
rudder verbose: P: Base context class: any
rudder verbose: P: "if" class condition: !is_jinja2.template_exists
rudder verbose: P: Stack path: /default/rudder_directives/methods/'Global configuration for all nodes/Static website'/default/Static_website/methods/'method_call'/default/file_from_template_mustache/methods/'file template mustache type'/default/file_from_template_type/files/'/tmp/dst'[1]
rudder verbose: Using literal pathtype for '/tmp/dst'
rudder verbose: Additional promise info: source path '/var/rudder/ncf/common/30_generic_methods/file_from_template_type.cf' at line 131
rudder verbose: File '/tmp/dst' exists as promised
rudder verbose: C: + promise outcome class 'promise_kept_file_from_template__tmp_dst'
rudder verbose: C: + promise outcome class 'file_from_template__tmp_dst_kept'
rudder verbose: C: + promise outcome class 'file_from_template__tmp_dst_ok'
rudder verbose: C: + promise outcome class 'file_from_template__tmp_dst_not_repaired'
rudder verbose: C: + promise outcome class 'file_from_template__tmp_dst_reached'
rudder verbose: C: + promise outcome class 'promise_kept_file_from_template__tmp_tpl__tmp_dst_mustache'
rudder verbose: C: + promise outcome class 'file_from_template__tmp_tpl__tmp_dst_mustache_kept'
rudder verbose: C: + promise outcome class 'file_from_template__tmp_tpl__tmp_dst_mustache_ok'
rudder verbose: C: + promise outcome class 'file_from_template__tmp_tpl__tmp_dst_mustache_not_repaired'
rudder verbose: C: + promise outcome class 'file_from_template__tmp_tpl__tmp_dst_mustache_reached'
rudder verbose: Build file model from a blank slate (emptying)
rudder verbose: Rendering '/tmp/dst' using template '/tmp/tpl' with method 'mustache'
warning: Need to render '/tmp/dst' from mustache template '/tmp/tpl' but policy is dry-run
rudder verbose: Handling file existence constraints on '/tmp/dst'
rudder verbose: A: Promise NOT KEPT!
rudder verbose: P: END files promise (/tmp/dst)
rudder verbose: P: .........................................................
Looks like the file is rendered but the outcome class is not actually updated after the failed comparison.
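The symptom in the log above can be checked mechanically: a promise block that defines a `_kept` outcome class while also reporting a dry-run rendering warning or "Promise NOT KEPT!". The following is an added example, not part of the original report or of Rudder's code; the function name `false_compliant_promises` and the second promise block in the sample are constructed for illustration.

```python
import re

# Constructed sample: the first block is trimmed from the report's log; the second
# block ('promise_example_cf_10', '/tmp/ok') is made up as a consistent case.
SAMPLE = """\
rudder verbose: P: BEGIN promise 'promise_file_from_template_type_cf_131' of type "files" (pass 1)
rudder verbose: P: Promiser/affected object: '/tmp/dst'
rudder verbose: File '/tmp/dst' exists as promised
rudder verbose: C: + promise outcome class 'file_from_template__tmp_dst_kept'
warning: Need to render '/tmp/dst' from mustache template '/tmp/tpl' but policy is dry-run
rudder verbose: A: Promise NOT KEPT!
rudder verbose: P: END files promise (/tmp/dst)
rudder verbose: P: BEGIN promise 'promise_example_cf_10' of type "files" (pass 1)
rudder verbose: P: Promiser/affected object: '/tmp/ok'
rudder verbose: C: + promise outcome class 'file_from_template__tmp_ok_kept'
rudder verbose: P: END files promise (/tmp/ok)
"""

BEGIN = re.compile(r"P: BEGIN promise '([^']+)'")
PROMISER = re.compile(r"P: Promiser/affected object: '([^']+)'")
# Matches '<prefix>_kept' but not '<prefix>_not_kept'.
KEPT = re.compile(r"C: \+ promise outcome class '([^']+(?<!_not)_kept)'")
DRY_RUN = re.compile(r"warning: .*policy is dry-run")
NOT_KEPT = "A: Promise NOT KEPT!"
END = re.compile(r"P: END \w+ promise")

def false_compliant_promises(log_text):
    """Return promise blocks that define a kept class yet report non-compliance."""
    findings, cur = [], None
    for line in log_text.splitlines():
        if m := BEGIN.search(line):
            cur = {"handle": m.group(1), "promiser": None, "kept": [],
                   "not_kept": False, "dry_run": False}
        elif cur is None:
            continue  # ignore output outside any promise block
        elif m := PROMISER.search(line):
            cur["promiser"] = m.group(1)
        elif m := KEPT.search(line):
            cur["kept"].append(m.group(1))
        elif DRY_RUN.search(line):
            cur["dry_run"] = True
        elif NOT_KEPT in line:
            cur["not_kept"] = True
        elif END.search(line):
            if cur["kept"] and (cur["not_kept"] or cur["dry_run"]):
                findings.append(cur)  # kept class contradicts the audit result
            cur = None
    return findings

if __name__ == "__main__":
    for f in false_compliant_promises(SAMPLE):
        print(f"{f['promiser']}: {f['kept']} defined, but block reports non-compliance")
```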
- Effort required set to Very Small
- Priority changed from 76 to 104
- Status changed from New to In progress
- Assignee set to Alexis Mousset
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Nicolas CHARLES
- Pull Request set to https://github.com/Normation/rudder-packages/pull/1695
- Status changed from Pending technical review to Pending release
- Status changed from Pending release to Released