Bug #17770
Status: closed
SELinux perms on relay forbid to retrieve files from shared-folder (Windows DSC)
Description
Hello Rudder,
I'm currently testing a distributed setup with multiple DSC agents/Relays in different networks, but I'm unable to retrieve files from the Relay's shared-folder. Adding new nodes and updating the inventory through the relays is working as expected. I also didn't experience problems with controls which don't require file copies from the shared-folder. This problem is currently blocking us.
Error from the DSC-agent:
```
An unknown error occured while checking if file C:\Program Files\Rudder\DSC-Controls\winserver16-19_windows_defender.zip should be updated from shared folder (file:controls/windows/server2016-2019/windows_defender/winserver16-19_windows_defender.zip)
Log level informations:
curl.exe exited with error code 22 when executing:
&"C:\Program Files\Rudder\bin\curl.exe" --location --insecure --tlsv1.2 --silent --fail --noproxy xxxx-rudder.xxxx-xxx.com --cert "C:\Program Files\Rudder\etc\ssl\localhost.cert:Rudder-dsc passphrase" --key
"C:\Program Files\Rudder\etc\ssl\localhost.priv" "--output" "C:\Program Files\Rudder\DSC-Controls\winserver16-19_windows_defender.zip" "--dump-header" "-"
"https://xxxx-rudder.xxxx-xxx.com/rudder/relay-api/shared-folder/controls/windows/server2016-2019/windows_defender/winserver16-19_windows_defender.zip"
```
From the Relay's Apache2 Access Log:
```
10.1.XX.XX - 36c35124-0810-45xd-897e-ad3b3bfe9635 [17/Jun/2020:13:15:10 +0000] "GET /rudder/relay-api/shared-folder/controls/windows/server2016-2019/windows_defender/winserver16-19_windows_defender.zip HTTP/1.1" 404 - "-" "curl/7.69.1"
```
What I also noticed:
- The shared-files are correctly synchronized from the Rudder Root Server to the Relay;
- This problem doesn't occur when the DSC-node is getting the files directly from the Rudder Root Server.
What I tried so far:
- Completely redeployed the relay (6.0.6), and freshly added it to the Rudder Root Server (6.0.6);
- Tried multiple Windows DSC agent versions: 6.0-1.17, 6.0-1.18, 6.1-1.19-SNAPSHOT without result.
Thanks! Bas
Updated by Félix DALLIDET over 4 years ago
Hi, I was able to reproduce the issue. It is most likely a permissions issue.
My guess is that the shared-files folder located on the relays under "/var/rudder/configuration-repository/shared-files" is in root:root when it should instead be root:rudder 750.
- The packaging does not set the rights correctly at package install
- The system technique on the relay which synchronizes the files under the shared-files folder synchronizes them in 600 root:root instead of 640 root:rudder for files and 750 root:rudder for folders.
Can you check the acl on your relay? If they are incorrect, can you try to set them manually to validate that we are seeing the same issue, for instance by running:
```
chown -R root:rudder /var/rudder/configuration-repository/shared-files
chmod -R 640 /var/rudder/configuration-repository/shared-files
chmod -R +X /var/rudder/configuration-repository/shared-files
```
and test a windows agent under this relay to see if the shared-files methods are working.
I only tested this on relay synchronized using the "classic" method, if you are using the rsync one, or a customized one, please verify that it is correct.
You can see your relay synchronization method in the Rudder server settings webpage.
Updated by Bas B over 4 years ago
Félix DALLIDET wrote in #note-1:
> Hi, I was able to reproduce the issue. It is most likely a permissions issue.
> There are 2 issues here:
> My guess is that the shared-files folder located on the relays under "/var/rudder/configuration-repository/shared-files" is in root:root when it should instead be root:rudder 750.
> - The packaging does not set the rights correctly at package install
> - The system technique on the relay which synchronizes the files under the shared-files folder synchronizes them in 600 root:root instead of 640 root:rudder for files and 750 root:rudder for folders.
> Can you check the acl on your relay? If they are incorrect, can you try to set them manually to validate that we are seeing the same issue, for instance by running:
> [...]
> and test a windows agent under this relay to see if the shared-files methods are working.
> I only tested this on relay synchronized using the "classic" method, if you are using the rsync one, or a customized one, please verify that it is correct.
> You can see your relay synchronization method in the Rudder server settings webpage.
I changed the following permissions on the Relay so they are the same compared to the Rudder Root Server, and it works now:
```
chown -R root:rudder /var/rudder/configuration-repository/shared-files
chown -R root:rudder /var/rudder/configuration-repository/ncf
find /var/rudder/configuration-repository/shared-files -type f -exec chmod 644 {} + -o -type d -exec chmod 755 {} +
chmod 770 /var/rudder/configuration-repository/shared-files
chmod 770 /var/rudder/configuration-repository/ncf
chmod -R 664 /var/rudder/configuration-repository/ncf/30_generic_methods
chmod 660 /var/rudder/configuration-repository/ncf/*
chmod 775 /var/rudder/configuration-repository/ncf/30_generic_methods
```
Disabling SELinux is also a requirement to make this work for CentOS7. It would be nice to update the file attributes, so SELinux can be left enabled.
Thanks! Bas
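To turn the manual check and repair from Félix's note and Bas's reply above into something repeatable, here is an added example script (it is not Rudder project code and not from either poster). It audits a shared-files tree against the expected root:rudder ownership, 640 for files and 750 for directories, repairs deviations, and adds the SELinux relabel step that the thread later identifies as missing from the relay postinst. The function names are assumptions, as is the use of GNU coreutils (`stat -c`) on the relay.

```shell
#!/bin/sh
# Added example (not Rudder project code): audit a relay's shared-files tree
# against the ownership and modes given in the notes above (root:rudder,
# 640 for files, 750 for directories), repair it, and relabel it for SELinux.
# Assumes GNU coreutils (stat -c, chmod, chown) and find, as on CentOS 7.

# audit_shared_files DIR OWNER GROUP FILEMODE DIRMODE
# Prints one line per entry whose "owner:group mode" differs from what is
# expected; prints nothing when the tree is consistent.
audit_shared_files() {
    dir=$1; owner=$2; group=$3; fmode=$4; dmode=$5
    find "$dir" -print | while IFS= read -r entry; do
        actual=$(stat -c '%U:%G %a' "$entry")          # e.g. "root:root 600"
        if [ -d "$entry" ]; then
            want="$owner:$group $dmode"
        else
            want="$owner:$group $fmode"
        fi
        [ "$actual" = "$want" ] || printf '%s: is %s, want %s\n' "$entry" "$actual" "$want"
    done
}

# fix_shared_files DIR OWNER GROUP
# Applies the ownership and modes from the notes. Directories and files are
# handled separately with find, so directories keep their search bit and
# files never gain execute bits.
fix_shared_files() {
    dir=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$dir"
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# relabel_shared_files DIR
# Restores the SELinux file context from policy (the restorecon step the
# thread notes as missing from the relay postinst). No-op where SELinux
# tooling is absent.
relabel_shared_files() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$1"
    else
        echo "restorecon not found; skipping SELinux relabel of $1"
    fi
}

# Usage on a relay (run as root):
#   audit_shared_files   /var/rudder/configuration-repository/shared-files root rudder 640 750
#   fix_shared_files     /var/rudder/configuration-repository/shared-files root rudder
#   relabel_shared_files /var/rudder/configuration-repository/shared-files
```

Run the audit first and keep its output: an empty result after the fix confirms the modes, while a remaining 404 from the relay-api with correct modes points at the SELinux label rather than the DAC permissions, which is what `ls -Z` and the relabel step are for.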
Updated by Félix DALLIDET over 4 years ago
- Tag list set to Sponsored
- User visibility set to Operational - other Techniques | Rudder settings | Plugins
- Priority changed from 0 to 84
Hi Bas,
Thanks for the feedback, we will try to patch the acl and SELinux issue on the next minor.
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 6.0.7 to 6.0.8
Updated by Félix DALLIDET over 4 years ago
- Related to Bug #17802: shared-files acls are incorrect on relays, preventing the windows nodes from downloading them added
Updated by Félix DALLIDET over 4 years ago
The acl fix should be available in 6.0.7 but the SELinux one will only be available on a later minor.
Updated by François ARMAND over 4 years ago
- Subject changed from Unable to retrieve files from the Rudder Relay shared-folder (Windows DSC) to SELinux perms on relay forbid to retrieve files from shared-folder (Windows DSC)
Updated by Alexis Mousset over 4 years ago
I think we are missing a restorecon in relay postinst, I'll try to reproduce.
Updated by Alexis Mousset over 4 years ago
- Status changed from New to In progress
Updated by Alexis Mousset over 4 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Vincent MEMBRÉ
- Pull Request set to https://github.com/Normation/rudder-packages/pull/2326
Updated by Alexis Mousset over 4 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-packages|fcee74eedd0c2fa0a31aee0b55c9b0ba98832d7a.
Updated by Vincent MEMBRÉ about 4 years ago
- Priority changed from 84 to 82
- Fix check changed from To do to Checked
Updated by Vincent MEMBRÉ about 4 years ago
- Status changed from Pending release to Released
- Priority changed from 82 to 81
This bug has been fixed in Rudder 6.0.8 and 6.1.4 which were released today.