Bug #5087

closed

Authorized networks in splitted environment, does not allow inventory sending

Added by Lionel Le Folgoc over 10 years ago. Updated over 10 years ago.

Status: Released
Priority: 2
Assignee: Jonathan CLARKE
Category: System techniques

Description

Hi,

I'm trying to set up a rudder server with 4 components (cf. #5080 too):
server-1: rudder-front
server-2: rudder-ldap + rudder-inventory-endpoint
server-3: rudder-db
server-4: rudder-webapp + rudder-techniques + CFEngine server

However, server-[123] cannot submit their inventory to server-4:

Jun 19 09:22:17 localhost rudder[7020]: /default/doInventory/methods/'any'/default/sendInventory/files/'/var/rudder/inventories'[0]: Finished command related to promiser '/var/rudder/inventories' -- an error occurred, returned 22
Jun 19 09:22:17 localhost rudder[7020]: /default/doInventory/methods/'any'/default/sendInventory/files/'/var/rudder/inventories'[0]: Transformer '/var/rudder/inventories/rudderfronttest-2014-06-18-08-32-01.ocs.gz' => '/usr/bin/curl -f -s --proxy '' --user rudder:rudder -T /var/rudder/inventories/rudderfronttest-2014-06-18-08-32-01.ocs.gz http://192.168.42.203/inventories/' returned error
Jun 19 09:22:17 localhost rudder[7020]: R: @@Inventory@@result_error@@inventory-all@@inventory-all@@00@@inventory@@None@@2014-06-19 13:21:32+00:00##556486fd-eb4a-4972-940b-5f5b8434a652@#Could not send the inventory

Running manually the curl command indeed returns a 403 Forbidden error.

The file /opt/rudder/etc/rudder-networks.conf only contains:

Deny from all

which could explain the error obtained.

I compared with a monolithic rudder installation, and the file is:

Allow from 127.0.0.0/8
Allow from %%POLICY_SERVER_ALLOWED_NETWORKS%%

And if I replace the content of the file on server-4 with this one, inventories can be sent.

So it would seem that /opt/rudder/bin/init does not correctly set up the trusted networks when the roles are shared among several servers?

Thanks.


Related issues 1 (0 open, 1 closed)

Has duplicate Rudder - Bug #5118: In splitted architecture, some checks mandatory on the Webapp are not performed (Rejected, Nicolas CHARLES, 2014-06-23)

Actions #1

Updated by Jonathan CLARKE over 10 years ago

  • Category set to System techniques
  • Assignee set to Jonathan CLARKE
  • Priority changed from N/A to 2
  • Target version set to 2.11.0~beta2

I haven't been able to reproduce this. However, I think it may be related to #5089, because the /opt/rudder/etc/rudder-networks.conf file is actually set up by CFEngine (via our initial-promises) and they only edit that file on a server with UUID=root...

I will reconfirm with a fresh installation on RHEL6.

Actions #2

Updated by Jonathan CLARKE over 10 years ago

  • Status changed from New to 8
  • Assignee changed from Jonathan CLARKE to Nicolas CHARLES

We have figured out where this comes from: the bundle that sets up allowed networks was only called on relay servers and on full (monolithic) installations of the Rudder server. This condition should be changed to be on relay servers, full (monolithic) installs and nodes with the rudder-webapp role.

Actions #3

Updated by Nicolas CHARLES over 10 years ago

  • Status changed from 8 to Pending technical review
  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/423
Actions #4

Updated by Nicolas CHARLES over 10 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100

Applied in changeset policy-templates:commit:de2a75b4c96015947ec7062e34beabc3c62575aa.

Actions #5

Updated by Jonathan CLARKE over 10 years ago

Applied in changeset policy-templates:commit:9c3f0cc63583029a99e3f442ee3630663b98417f.

Actions #6

Updated by Vincent MEMBRÉ over 10 years ago

  • Subject changed from 403 on inventory submission to Authorized networks in splitted environment, does not allow inventory sending
Actions #7

Updated by Vincent MEMBRÉ over 10 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.0~beta2 (announcement, changelog), which was released today.
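
A check for the two file states quoted in the report (only "Deny from all", and the template with %%POLICY_SERVER_ALLOWED_NETWORKS%% still unexpanded), as an added example that is not part of the ticket or of Rudder's own code. It assumes the file is included under Apache 2.2 "Order allow,deny" semantics; the 192.168.42.0/24 network and the client addresses are constructed sample values.

```python
import ipaddress

# Constructed samples modelled on the two files quoted in the report.
BROKEN = "Deny from all\n"
UNEXPANDED = "Allow from 127.0.0.0/8\nAllow from %%POLICY_SERVER_ALLOWED_NETWORKS%%\n"
EXPANDED = "Allow from 127.0.0.0/8\nAllow from 192.168.42.0/24\n"  # assumed network


def parse_networks(text):
    """Return (allow, deny, problems) from 'Allow from' / 'Deny from' lines."""
    allow, deny, problems = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if len(words) < 3 or words[0].lower() not in ("allow", "deny") or words[1].lower() != "from":
            problems.append(f"line {lineno}: unrecognised directive: {line}")
            continue
        target = allow if words[0].lower() == "allow" else deny
        for spec in words[2:]:
            if "%%" in spec:  # template variable that was never substituted
                problems.append(f"line {lineno}: unexpanded placeholder {spec}")
            elif spec.lower() == "all":
                target += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
            else:
                try:
                    target.append(ipaddress.ip_network(spec, strict=False))
                except ValueError:  # hostnames, partial IPs, env= are not modelled here
                    problems.append(f"line {lineno}: unsupported spec {spec}")
    if not allow:
        problems.append("no usable 'Allow from' entry: every request is refused")
    return allow, deny, problems


def is_admitted(text, client_ip):
    """Assumed 'Order allow,deny': some Allow must match and no Deny may match."""
    allow, deny, _ = parse_networks(text)
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allow) and not any(ip in net for net in deny)


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("unexpanded", UNEXPANDED), ("expanded", EXPANDED)):
        print(name, is_admitted(text, "192.168.42.201"), parse_networks(text)[2])
```

Run against the real /opt/rudder/etc/rudder-networks.conf on the node holding the rudder-webapp role, a non-empty problems list explains a 403 on inventory upload before any curl test is needed.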
