Bug #15801

Rudder agent cannot copy the certificate if the user defined one that is a link to a file in a different mount point

Added by Nicolas CHARLES about 2 months ago. Updated about 1 month ago.

Status: Pending release
Priority: N/A
Category: System techniques
Target version:
Severity:
User visibility:
Effort required:
Priority: 0

Description

If a user sets a rudder.crt certificate as a link to a file in a different mount point, it won't be copied:

rudder    debug: Setting class: default:rudder_apache_acl_kept
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_ok'
rudder    debug: Setting class: default:rudder_apache_acl_ok
rudder    debug: Direct file reference '/opt/rudder/etc/ssl/ca.cert', no search implied
rudder    debug: Direct file reference '/opt/rudder/etc/ssl/ca.cert', no search implied
rudder  verbose: Handling file existence constraints on '/opt/rudder/etc/ssl/ca.cert'
rudder    debug: Modestring [PLUS = 600] [MINUS = 7177]
rudder    debug: File okay, newperm '600', stat '600'
rudder  verbose: Additional promise info: source path '/var/rudder/cfengine-community/inputs/distributePolicy/1.0/apache-acl.cf' at line 48 comment 'Writing rudder apache ACL'
rudder  verbose: File permissions on '/opt/rudder/etc/ssl/ca.cert' as promised
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_kept'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_ok'
rudder  verbose: Additional promise info: source path '/var/rudder/cfengine-community/inputs/distributePolicy/1.0/apache-acl.cf' at line 48 comment 'Writing rudder apache ACL'
rudder  verbose: Basedir '/opt/rudder/etc/ssl/ca.cert' not promising anything
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_kept'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_ok'
rudder  verbose: File '/opt/rudder/etc/ssl/ca.cert' copy_from '/opt/rudder/etc/ssl/rudder.crt'
rudder    debug: Trying to create a parent directory for: /opt/rudder/etc/ssl/ca.cert
rudder    debug: Directory for '/opt/rudder/etc/ssl/ca.cert' exists. Okay
rudder  verbose: Destination file '/opt/rudder/etc/ssl/ca.cert' already exists
rudder  verbose: Checksum comparison replaced by ctime: files not regular
rudder  verbose: Checking link from '/opt/rudder/etc/ssl/ca.cert' to '/etc/apache2/ssl.crt/my-certificate-file.crt'
rudder    debug: Trying to create a parent directory for: /opt/rudder/etc/ssl/ca.cert
rudder    debug: Directory for '/opt/rudder/etc/ssl/ca.cert' exists. Okay
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_failed'
rudder    debug: Setting class: default:rudder_apache_acl_failed
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_error'
rudder    debug: Setting class: default:rudder_apache_acl_error
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_failed'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_error'
rudder  verbose: Handling file existence constraints on '/opt/rudder/etc/ssl/ca.cert'
rudder    debug: Modestring [PLUS = 600] [MINUS = 7177]
rudder    debug: File okay, newperm '600', stat '600'
rudder  verbose: Additional promise info: source path '/var/rudder/cfengine-community/inputs/distributePolicy/1.0/apache-acl.cf' at line 48 comment 'Writing rudder apache ACL'
rudder  verbose: File permissions on '/opt/rudder/etc/ssl/ca.cert' as promised
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_kept'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_ok'

So the agent first creates the file, sets its permission, and finally realizes it's a copy - and doesn't copy as the file is there.
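
A triage helper for agent output like the log above, as an added example that is not part of the original ticket or of Rudder's code: it scans verbose output for copy_from promises whose outcome class ends in _failed or _error and reports the link target the agent checked. The sample lines are constructed from the shape of the log above, and treating the first outcome class after a copy_from line as that promise's result is an assumption.

```python
import re

# Constructed sample in the shape of the agent log quoted in this ticket;
# the /tmp/example lines are invented to show a copy that succeeds.
SAMPLE_LOG = """\
rudder  verbose: File '/opt/rudder/etc/ssl/ca.cert' copy_from '/opt/rudder/etc/ssl/rudder.crt'
rudder  verbose: Destination file '/opt/rudder/etc/ssl/ca.cert' already exists
rudder  verbose: Checksum comparison replaced by ctime: files not regular
rudder  verbose: Checking link from '/opt/rudder/etc/ssl/ca.cert' to '/etc/apache2/ssl.crt/my-certificate-file.crt'
rudder  verbose: C:    + promise outcome class 'rudder_apache_acl_failed'
rudder  verbose: File '/tmp/example/dst' copy_from '/tmp/example/src'
rudder  verbose: C:    + promise outcome class 'example_copy_ok'
"""

COPY = re.compile(r"verbose: File '([^']+)' copy_from '([^']+)'")
EXISTS = re.compile(r"verbose: Destination file '([^']+)' already exists")
LINK = re.compile(r"verbose: Checking link from '([^']+)' to '([^']+)'")
OUTCOME = re.compile(r"promise outcome class '([^']+)'")
FAILED = re.compile(r"_(failed|error)$")  # assumption: suffix marks a failed promise


def find_failed_copies(log_text):
    """Return one dict per copy_from promise whose first outcome class is a failure."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = COPY.search(line)
        if m:
            current = {"dest": m.group(1), "source": m.group(2),
                       "dest_existed": False, "link_target": None}
            continue
        if current is None:
            continue
        m = EXISTS.search(line)
        if m and m.group(1) == current["dest"]:
            current["dest_existed"] = True  # file was created before the copy ran
        m = LINK.search(line)
        if m and m.group(1) == current["dest"]:
            current["link_target"] = m.group(2)  # where the source link points
        m = OUTCOME.search(line)
        if m:
            if FAILED.search(m.group(1)):
                current["outcome"] = m.group(1)
                findings.append(current)
            current = None  # first outcome class closes this copy promise
    return findings


if __name__ == "__main__":
    for f in find_failed_copies(SAMPLE_LOG):
        print(f)
```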


Subtasks

Bug #15806: Agent should not try to set permission of certificate if it is a symbolic link (Pending release, Alexis MOUSSET)
Bug #15905: If "ca.cert" exists, you can't have link for "rudder.crt" (Pending release, Alexis MOUSSET)

Associated revisions

Revision 48170f6d (diff)
Added by Nicolas CHARLES about 2 months ago

Fixes #15801: Rudder agent cannot copy the certificate if the user defined one that is a link to a file in a different mount point

History

#1

Updated by Nicolas CHARLES about 2 months ago

Removing the create => "true" fixes the issue.

#2

Updated by Nicolas CHARLES about 2 months ago

  • Status changed from New to In progress
  • Assignee set to Nicolas CHARLES

#3

Updated by Nicolas CHARLES about 2 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1516

#4

Updated by Nicolas CHARLES about 2 months ago

  • Status changed from Pending technical review to Pending release

#9

Updated by Vincent MEMBRÉ about 1 month ago

This bug has been fixed in Rudder 5.0.14 which was released today.
