Rudder

The password should be distributed as part of the policies (and is in clear text on the server in /opt/rudder/etc/rudder-passwords.conf, named "RUDDER_WEBDAV_PASSWORD").

This may happen because no policy update happened since server upgrade, is it possible? Does rudder agent update succeed on the nodes?

Could you also try restarting the apache service on the server and test again? Could be a missing restart in postinst.

Hello,

Restarting apache does not help unfortunately, the problem is still here.

I think your point about policies could be a good idea, I do not have the passwords file on the node, and agent update does nothing about it:

# ls /opt/rudder/etc/rudder-passwords.conf
/opt/rudder/etc/rudder-passwords.conf: Aucun fichier ou dossier de ce type
# rudder agent update
ok: Rudder agent promises were updated.
# ls /opt/rudder/etc/rudder-passwords.conf
/opt/rudder/etc/rudder-passwords.conf: Aucun fichier ou dossier de ce type

However, I have indeed the file on the rudder server, but the agent on the server node does not work with the same error, even if the file is here :-/

The agent still use the rudder:rudder credentials:

# ls /opt/rudder/etc/rudder-passwords.conf
/opt/rudder/etc/rudder-passwords.conf
# rudder agent inventory
Rudder agent 6.0.5-debian9
Node uuid: root
Start execution with config [20200426-114025-f46d2b21]

   error: Finished command related to promiser '/var/rudder/inventories/rudder-root.ocs\..*' -- an error occurred, returned 22
   error: Transformer '/var/rudder/inventories/rudder-root.ocs.gz' => '/opt/rudder/bin/curl --tlsv1.2 --location --insecure --fail --silent --proxy '' --user rudder:rudder --upload-file /var/rudder/inventories/rudder-root.ocs.gz https://192.168.201.173/inventory-updates/' returned error
   error: Finished command related to promiser '/var/rudder/inventories/rudder-root.ocs\..*' -- an error occurred, returned 22

Just to be sure I have fully rebooted the server (in case some other restart could have been missed), but it does not help.

I have copy/paste the passwords file manually to the node and restarted rudder services (rudder-agent and rudder-cf-serverd.service) but the inventory still use rudder:rudder

There is something odd 😅

/opt/rudder/etc/rudder-passwords.conf is only supposed to exist on the root server.

Agents have the password in their policies:

grep DAVPASSWORD /var/rudder/cfengine-community/inputs/rudder.json

And it should match the passord in /opt/rudder/etc/rudder-passwords.conf (that should also be the one in htpasswd file).

What do you have in the node's policies?

Thanks for the help!

Indeed, I have this file, and it contains "rudder" as password:

# grep DAVPASSWORD /var/rudder/cfengine-community/inputs/rudder.json
  "DAVPASSWORD":"rudder",

This is the same on the agent node, the server node, and even on old 5.0.17 nodes 🤔

Not upgraded nodes have this file with rudder as password too, and they indeed have the error to send inventory, I hadn'nt noticed that Oo

I am sure it worked before the server update to 6.0, as my compliance reports for all nodes were complete.

So it's perhaps a problem with the server and not with the agent as I first guess.

I have followed the doc from https://docs.rudder.io/reference/6.0/installation/upgrade/debian.html

And ran "rudder server upgrade-techniques -o" on the server. Not sure if it impacts policies thought.

If I run "rudder agent update" then "rudder agent run" on node, there is a repair for the policy:

E| repaired      Common                    Update                                       Policy or configuration library were updated

But the webdav password is still "rudder".

In fact, each time I run "rudder agent update" (with or without -f), this promise is Repaired, is this normal?

Victor Héry wrote in #note-8:

But the webdav password is still "rudder".

Ok, so it's the problem here. The following commands:

• grep "rudder.webdav.password" /opt/rudder/etc/rudder-web.properties
• grep "DAV_PASSWORD" /opt/rudder/etc/rudder-passwords.conf

should return the same password value. I think they are different and rudder-web.properties contains rudder instead of the actual password, which cases the problem. In this case you can manually update rudder-web.properties to check if it fixes the problem.

In fact, each time I run "rudder agent update" (with or without -f), this promise is Repaired, is this normal?

The "repaired" state persists for 5 minutes after the actual repair, so it's probably normal.

I confirm that both command return the same password, and it's the good one.

I have tried to set manually this password on the node in /var/rudder/cfengine-community/inputs/rudder.json to see if it works, and restart rudder services.

But, when I run rudder agent update then rudder agent run, the file is modified back to "rudder" as password.

So it seems there is something somewhere that think this password is rudder, even if the server files are corrects 😅

I am sorry, this seems a tricky one :-/

Not sure if it could help, but all these nodes came from debian 6 and rudder 4.
I have regularly updated them to now debian 9 and rudder 5.0.17/6.0.3, perhaps a post-inst script on one previous version could have been missed?

Does

grep davpw /var/rudder/cfengine-community/inputs/common/1.0/common.cf

(on the node) return "rudder" too?

Silly question, but is the generation status in the webapp green?

Yes, it returns rudder on all nodes (5 and 6 nodes):

# grep davpw /var/rudder/cfengine-community/inputs/common/1.0/common.cf
    "davpw"                 string => "rudder";

In the web interface, all regarding rudder policy are green:

However, there is an error, I think regarding the inventory problem, but not sure:

All nodes have this error message, but the compliance are green

Could you try the "Regenrate all policies" in the generation status menu? Maybe a cache problem in the web application.

Wow, it works!

After regeneration of the policies, the password is ok!

And after running rudder agent update on nodes, the password is also ok in /var/rudder/cfengine-community/inputs/common/1.0/common.cf and /var/rudder/cfengine-community/inputs/rudder.json

And, rudder agent inventory works!

Do you know if there is a way to do that regeneration with the cli, when upgrading from 5 to 6?

Anyway, thanks a lot for the help 🙏

Good I will keep this trick somewhere :-D

Regarding the cause of the problem, I have still a backup (while not rotated yet) of the 5.0.17 server, if you want I may restore and do some tests, do not hesitate to tell me if you have commands or verification to tests!

Simply triggering a policy generation at webapp start would solve the issue
It would check if any variable changed, and if so regenerate