Bug #17770 (closed)

SELinux perms on relay forbid to retrieve files from shared-folder (Windows DSC)

Added by Bas B over 4 years ago. Updated over 2 years ago.

Status: Released
Priority: N/A
Category: Relay server or API
Severity: Major - prevents use of part of Rudder | no simple workaround
User visibility: Operational - other Techniques | Rudder settings | Plugins
Priority (computed): 70
Name check: To do
Fix check: Checked
Description

Hello Rudder,

I'm currently testing a distributed setup with multiple DSC agents/Relays in different networks, but I'm unable to retrieve files from the Relay's shared-folder. Adding new nodes and updating the inventory through the relays is working as expected. I also didn't experience problems with controls that don't require file copies from the shared-folder. This problem is currently blocking us.

Error from the DSC-agent:
```
An unknown error occured while checking if file C:\Program Files\Rudder\DSC-Controls\winserver16-19_windows_defender.zip should be updated from shared folder (file:controls/windows/server2016-2019/windows_defender/winserver16-19_windows_defender.zip)
Log level informations:
curl.exe exited with error code 22 when executing:
&"C:\Program Files\Rudder\bin\curl.exe" --location --insecure --tlsv1.2 --silent --fail --noproxy xxxx-rudder.xxxx-xxx.com --cert "C:\Program Files\Rudder\etc\ssl\localhost.cert:Rudder-dsc passphrase" --key
"C:\Program Files\Rudder\etc\ssl\localhost.priv" "--output" "C:\Program Files\Rudder\DSC-Controls\winserver16-19_windows_defender.zip" "--dump-header" "-"
"https://xxxx-rudder.xxxx-xxx.com/rudder/relay-api/shared-folder/controls/windows/server2016-2019/windows_defender/winserver16-19_windows_defender.zip"
```

From the Relay's Apache2 Access Log:
```
10.1.XX.XX - 36c35124-0810-45xd-897e-ad3b3bfe9635 [17/Jun/2020:13:15:10 +0000] "GET /rudder/relay-api/shared-folder/controls/windows/server2016-2019/windows_defender/winserver16-19_windows_defender.zip HTTP/1.1" 404 - "-" "curl/7.69.1"
```

What I also noticed:
- The shared-files are correctly synchronized from the Rudder Root Server to the Relay;
- This problem doesn't occur when the DSC-node is getting the files directly from the Rudder Root Server.

What I tried so far:
- Completely redeployed the relay (6.0.6), and freshly added it to the Rudder Root Server (6.0.6);
- Tried multiple Windows DSC agent versions: 6.0-1.17, 6.0-1.18, 6.1-1.19-SNAPSHOT without result.

Thanks! Bas


Related issues (1: 0 open, 1 closed)

Related to Rudder - Bug #17802: shared-files acls are incorrect on relays, preventing the windows nodes from downloading them (Released, Alexis Mousset)
Actions #1

Updated by Félix DALLIDET over 4 years ago

Hi, I was able to reproduce the issue. It is most likely a permissions issue.
My guess is that the shared-files folder located on the relays under "/var/rudder/configuration-repository/shared-files" is in root:root when it should instead be
root:rudder 750.

There are 2 issues here:
  1. The packaging does not set the rights correctly at package install
  2. The system technique on the relay which synchronize the files under the shared-files folder synchronize them in 600 root:root instead of 640 root:rudder for files
    and 750 root:rudder for folders.

Can you check the acl on your relay? If they are incorrect, can you try to set them manually to validate that we are seeing the same issue, for instance by running:

```
chown -R root:rudder /var/rudder/configuration-repository/shared-files
chmod -R 640 /var/rudder/configuration-repository/shared-files
# +X adds the execute bit only on directories (and files already executable)
chmod -R +X /var/rudder/configuration-repository/shared-files
```

and test a windows agent under this relay to see if the shared-files methods are working.

I only tested this on relay synchronized using the "classic" method, if you are using the rsync one, or a customized one, please verify that it is correct.
You can see your relay synchronization method in the Rudder server settings webpage.

Actions #2

Updated by Félix DALLIDET over 4 years ago

  • Target version set to 6.0.7
Actions #3

Updated by Bas B over 4 years ago

Félix DALLIDET wrote in #note-1:

Hi, I was able to reproduce the issue. It is most likely a permissions issue.
My guess is that the shared-files folder located on the relays under "/var/rudder/configuration-repository/shared-files" is in root:root when it should instead be
root:rudder 750.

There are 2 issues here:
  1. The packaging does not set the rights correctly at package install
  2. The system technique on the relay which synchronize the files under the shared-files folder synchronize them in 600 root:root instead of 640 root:rudder for files
    and 750 root:rudder for folders.

Can you check the acl on your relay? If they are incorrect, can you try to set them manually to validate that we are seeing the same issue, for instance by running:

[...]

and test a windows agent under this relay to see if the shared-files methods are working.

I only tested this on relay synchronized using the "classic" method, if you are using the rsync one, or a customized one, please verify that it is correct.
You can see your relay synchronization method in the Rudder server settings webpage.

I changed the following permissions on the Relay so they are the same compared to the Rudder Root Server, and it works now:

```
chown -R root:rudder /var/rudder/configuration-repository/shared-files
chown -R root:rudder /var/rudder/configuration-repository/ncf
find /var/rudder/configuration-repository/shared-files -type f -exec chmod 644 {} + -o -type d -exec chmod 755 {} +
chmod 770 /var/rudder/configuration-repository/shared-files
chmod 770 /var/rudder/configuration-repository/ncf
chmod -R 664 /var/rudder/configuration-repository/ncf/30_generic_methods
chmod 660 /var/rudder/configuration-repository/ncf/*
chmod 775 /var/rudder/configuration-repository/ncf/30_generic_methods
```

Disabling SELinux is also a requirement to make this work on CentOS 7. It would be nice to update the file attributes, so SELinux can be left enabled.

Thanks! Bas

Actions #4

Updated by Félix DALLIDET over 4 years ago

  • Tags set to Sponsored
  • User visibility set to Operational - other Techniques | Rudder settings | Plugins
  • Priority changed from 0 to 84

Hi Bas,
Thanks for the feedback, we will try to patch the acl and SELinux issue on the next minor.

Actions #5

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 6.0.7 to 6.0.8
Actions #6

Updated by Félix DALLIDET over 4 years ago

  • Related to Bug #17802: shared-files acls are incorrect on relays, preventing the windows nodes from downloading them added
Actions #7

Updated by Félix DALLIDET over 4 years ago

The acl fix should be available in 6.0.7 but the SELinux one will only be available on a later minor.

Actions #9

Updated by François ARMAND over 4 years ago

  • Subject changed from Unable to retrieve files from the Rudder Relay shared-folder (Windows DSC) to SELinux perms on relay forbid to retrieve files from shared-folder (Windows DSC)
Actions #10

Updated by François ARMAND over 4 years ago

  • Assignee set to Alexis Mousset
Actions #11

Updated by Alexis Mousset over 4 years ago

I think we are missing a restorecon in relay postinst, I'll try to reproduce.

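The two causes discussed in this thread (wrong modes/group on the synchronized shared-files tree in #1, and the missing SELinux relabel in #11) can be checked and repaired together from the relay. The script below is an added example and is not Rudder's own code nor the packaging fix linked above. It assumes the path and group name quoted in the thread (/var/rudder/configuration-repository/shared-files, group "rudder") and the target layout Félix gives in #1: files 640 root:rudder, directories 750 root:rudder. It only calls chown when run as root and only calls restorecon when SELinux is actually enabled.

```sh
#!/bin/sh
# Added example, not Rudder's own code: audit and repair the ownership, modes
# and SELinux labels of a relay's shared-files tree so the relay API, which
# runs under the "rudder" group, can serve the files to nodes.
# Expected layout, as stated in the thread: files 640 root:rudder,
# directories 750 root:rudder. Path and group name are assumptions taken
# from the thread.

SHARED_FILES=/var/rudder/configuration-repository/shared-files
RUDDER_GROUP=rudder

# audit_shared_files DIR [GROUP]
# Prints every path whose mode or group differs from the expected values.
# Returns 1 if anything was found, 0 when the tree is clean.
audit_shared_files() {
    dir=$1
    group=${2:-$RUDDER_GROUP}
    # Three alternatives joined with -o; find prints any entry matching one.
    bad=$(find "$dir" \( -type d ! -perm 750 \) -o \( -type f ! -perm 640 \) -o ! -group "$group")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_shared_files DIR [GROUP]
# Applies the expected modes, fixes group ownership when running as root,
# and relabels the tree if SELinux is enabled (the step the relay postinst
# was missing according to #11).
fix_shared_files() {
    dir=$1
    group=${2:-$RUDDER_GROUP}
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "root:$group" "$dir"
    fi
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        restorecon -R "$dir"
    fi
}

# Usage on the relay, as root:  sh fix-shared-files.sh [DIR [GROUP]]
# With arguments the script audits the tree and repairs it only when needed.
if [ $# -gt 0 ]; then
    audit_shared_files "$1" "${2:-$RUDDER_GROUP}" || fix_shared_files "$1" "${2:-$RUDDER_GROUP}"
fi
```

After running it, re-check the Apache access log on the relay: the GET against /rudder/relay-api/shared-folder/... should return 200 instead of the 404 shown in the description. If it still fails with SELinux enforcing, `ls -Z` on the tree and `ausearch -m avc` will show whether the labels, rather than the modes, are still the blocker.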
Actions #12

Updated by Alexis Mousset over 4 years ago

  • Status changed from New to In progress
Actions #13

Updated by Alexis Mousset over 4 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/2326
Actions #14

Updated by Alexis Mousset over 4 years ago

  • Status changed from Pending technical review to Pending release
Actions #15

Updated by Vincent MEMBRÉ over 4 years ago

  • Priority changed from 84 to 82
  • Fix check changed from To do to Checked
Actions #16

Updated by Vincent MEMBRÉ over 4 years ago

  • Status changed from Pending release to Released
  • Priority changed from 82 to 81

This bug has been fixed in Rudder 6.0.8 and 6.1.4 which were released today.

Actions #17

Updated by Alexis Mousset over 2 years ago

  • Priority changed from 81 to 70