Bug #17770

closed

SELinux perms on relay forbid to retrieve files from shared-folder (Windows DSC)

Added by Bas B almost 4 years ago. Updated almost 2 years ago.

Status: Released
Priority: N/A
Category: Relay server or API
Target version:
Severity: Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility: Operational - other Techniques | Rudder settings | Plugins
Effort required:
Priority: 70
Name check: To do
Fix check: Checked
Regression:

Description

Hello Rudder,

I'm currently testing a distributed setup with multiple DSC agents/Relays in different networks, but I'm unable to retrieve files from the Relay's shared-folder. Adding new nodes and updating the inventory through the relays is working as expected. I also didn't experience problems with controls which don't require file copies from the shared-folder. This problem is currently blocking us.

Error from the DSC-agent:
```
An unknown error occured while checking if file C:\Program Files\Rudder\DSC-Controls\winserver16-19_windows_defender.zip should be updated from shared folder (file:controls/windows/server2016-2019/windows_defender/winserver16-19_windows_defender.zip)
Log level informations:\ncurl.exe exited with error code 22 when executing:
&"C:\Program Files\Rudder\bin\curl.exe" --location --insecure --tlsv1.2 --silent --fail --noproxy xxxx-rudder.xxxx-xxx.com --cert "C:\Program Files\Rudder\etc\ssl\localhost.cert:Rudder-dsc passphrase" --key
"C:\Program Files\Rudder\etc\ssl\localhost.priv" "--output" "C:\Program Files\Rudder\DSC-Controls\winserver16-19_windows_defender.zip" "--dump-header" "-"
"https://xxxx-rudder.xxxx-xxx.com/rudder/relay-api/shared-folder/controls/windows/server2016-2019/windows_defender/winserver16-19_windows_defender.zip"
```

From the Relay's Apache2 Access Log:
```
10.1.XX.XX - 36c35124-0810-45xd-897e-ad3b3bfe9635 [17/Jun/2020:13:15:10 +0000] "GET /rudder/relay-api/shared-folder/controls/windows/server2016-2019/windows_defender/winserver16-19_windows_defender.zip HTTP/1.1" 404 - "-" "curl/7.69.1"
```

What I also noticed:
- The shared-files are correctly synchronized from the Rudder Root Server to the Relay;
- This problem doesn't occur when the DSC-node is getting the files directly from the Rudder Root Server.

What I tried so far:
- Completely redeployed the relay (6.0.6), and freshly added to the Rudder Root Server (6.0.6);
- Tried multiple Windows DSC agent versions: 6.0-1.17, 6.0-1.18, 6.1-1.19-SNAPSHOT without result.

Thanks! Bas
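
A triage sketch for the symptom reported above, added here as an example and not taken from the report or from Rudder's code: it reads relay access-log lines in the format shown, and for each refused shared-folder request checks whether the file is actually on the relay's disk. A file that is present but still answered with 404 points at permissions (ACLs, SELinux labels) rather than synchronization. The `shared_root` argument is an assumed placeholder for the relay's shared-files directory, which the report does not name, and the 403 case goes beyond the 404 shown in the report.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# URL prefix taken from the access log line in the report.
PREFIX = "/rudder/relay-api/shared-folder/"

# Log layout as in the report: client, "-", node id (authenticated user),
# [timestamp], "request line", status, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<node>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(log_lines, shared_root):
    """Classify refused shared-folder GETs by whether the file is on disk."""
    root = Path(shared_root).resolve()  # shared_root: assumed placeholder path
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or not m["path"].startswith(PREFIX):
            continue
        if m["status"] not in ("403", "404"):
            continue
        rel = unquote(m["path"][len(PREFIX):].split("?", 1)[0])
        target = (root / rel).resolve()
        if root not in target.parents:
            verdict = "outside-root"         # never follow log data out of the tree
        elif target.is_file():
            verdict = "present-but-refused"  # synced; check ACLs / SELinux next
        else:
            verdict = "missing-on-relay"     # sync problem, not permissions
        findings.append((m["node"], rel, m["status"], verdict))
    return findings

def demo():
    # Constructed sample data: a.zip exists on disk, b.zip does not.
    tail = ' HTTP/1.1" {} - "-" "curl/7.69.1"'
    with tempfile.TemporaryDirectory() as root:
        present = Path(root, "controls/windows/a.zip")
        present.parent.mkdir(parents=True)
        present.write_bytes(b"PK")
        head = '10.0.0.5 - {} [17/Jun/2020:13:15:10 +0000] "GET ' + PREFIX
        log = [
            head.format("node-1") + "controls/windows/a.zip" + tail.format(404),
            head.format("node-2") + "controls/windows/b.zip" + tail.format(404),
            head.format("node-3") + "controls/windows/a.zip" + tail.format(200),
        ]
        return triage(log, root)
```
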


Related issues: 1 (0 open, 1 closed)

Related to Rudder - Bug #17802: shared-files acls are incorrect on relays, preventing the windows nodes from downloading them (Released, Alexis Mousset)