Bug #5087
closed
Authorized networks in splitted environment, does not allow inventory sending
Description
Hi,
I'm trying to set up a rudder server with 4 components (cf. #5080 too):
- server-1: rudder-front
- server-2: rudder-ldap + rudder-inventory-endpoint
- server-3: rudder-db
- server-4: rudder-webapp + rudder-techniques + CFEngine server
However, server-[123] cannot submit their inventory to server-4:
Jun 19 09:22:17 localhost rudder[7020]: /default/doInventory/methods/'any'/default/sendInventory/files/'/var/rudder/inventories'[0]: Finished command related to promiser '/var/rudder/inventories' -- an error occurred, returned 22
Jun 19 09:22:17 localhost rudder[7020]: /default/doInventory/methods/'any'/default/sendInventory/files/'/var/rudder/inventories'[0]: Transformer '/var/rudder/inventories/rudderfronttest-2014-06-18-08-32-01.ocs.gz' => '/usr/bin/curl -f -s --proxy '' --user rudder:rudder -T /var/rudder/inventories/rudderfronttest-2014-06-18-08-32-01.ocs.gz http://192.168.42.203/inventories/' returned error
Jun 19 09:22:17 localhost rudder[7020]: R: @@Inventory@@result_error@@inventory-all@@inventory-all@@00@@inventory@@None@@2014-06-19 13:21:32+00:00##556486fd-eb4a-4972-940b-5f5b8434a652@#Could not send the inventory
Running the curl command manually indeed returns a 403 Forbidden error.
The file /opt/rudder/etc/rudder-networks.conf only contains:
Deny from all
which could explain the error obtained.
I compared with a monolithic rudder installation, and the file is:
Allow from 127.0.0.0/8
Allow from %%POLICY_SERVER_ALLOWED_NETWORKS%%
And if I replace the content of the file on server-4 with this one, inventories can be sent.
So it would seem that /opt/rudder/bin/init does not correctly set up the trusted networks when the roles are shared among several servers?
Thanks.
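The access check behind the 403 described above, as an added example (not part of the original report and not Rudder's own code): it parses the `Allow from` / `Deny from` lines of a file such as /opt/rudder/etc/rudder-networks.conf and reports whether a node address would be admitted. Assumptions: the evaluation order is not shown in the report, so allow-list semantics are assumed; the network 192.168.42.0/24 and the node address 192.168.42.201 are constructed sample values.

```python
import ipaddress
import re

# Constructed samples. SPLIT_CONF is the content reported on server-4; in
# EXPANDED_CONF the placeholder is replaced by an assumed network.
SPLIT_CONF = "Deny from all\n"
TEMPLATE_CONF = "Allow from 127.0.0.0/8\nAllow from %%POLICY_SERVER_ALLOWED_NETWORKS%%\n"
EXPANDED_CONF = "Allow from 127.0.0.0/8\nAllow from 192.168.42.0/24\n"

DIRECTIVE = re.compile(r"^\s*(allow|deny)\s+from\s+(.+?)\s*$", re.IGNORECASE)


def parse(conf_text):
    """Return ({'allow': [...], 'deny': [...]}, unresolved_tokens)."""
    rules = {"allow": [], "deny": []}
    unresolved = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line.split("#", 1)[0])
        if not m:
            continue
        kind = m.group(1).lower()
        for token in m.group(2).split():  # one directive may list several networks
            if token.lower() == "all":
                rules[kind].append("all")
                continue
            try:
                rules[kind].append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                # Hostnames or an unexpanded %%...%% placeholder: report, do not guess.
                unresolved.append(token)
    return rules, unresolved


def matches(entries, addr):
    return any(e == "all" or addr in e for e in entries)


def inventory_allowed(conf_text, node_ip):
    """Assumed allow-list evaluation: admitted only if an Allow entry matches
    and no Deny entry does. Returns (allowed, unresolved_tokens)."""
    rules, unresolved = parse(conf_text)
    addr = ipaddress.ip_address(node_ip)
    allowed = matches(rules["allow"], addr) and not matches(rules["deny"], addr)
    return allowed, unresolved


if __name__ == "__main__":
    for name, conf in [("split", SPLIT_CONF), ("expanded", EXPANDED_CONF)]:
        print(name, inventory_allowed(conf, "192.168.42.201"))  # constructed node IP
```

Tokens that are neither `all` nor an IP/CIDR, such as an unexpanded `%%...%%` placeholder, are returned in the second element instead of being evaluated.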
Updated by Jonathan CLARKE over 10 years ago
- Category set to System techniques
- Assignee set to Jonathan CLARKE
- Priority changed from N/A to 2
- Target version set to 2.11.0~beta2
I haven't been able to reproduce this. However, I think it may be related to #5089, because the /opt/rudder/etc/rudder-networks.conf file is actually set up by CFEngine (via our initial-promises) and they only edit that file on a server with UUID=root...
I will reconfirm with a fresh installation on RHEL6.
Updated by Jonathan CLARKE over 10 years ago
- Status changed from New to 8
- Assignee changed from Jonathan CLARKE to Nicolas CHARLES
We have figured out where this comes from: the bundle that sets up allowed networks was only called on relay servers and on full (monolithic) installations of the Rudder server. This condition should be changed to be on relay servers, full (monolithic) installs and nodes with the rudder-webapp role.
Updated by Nicolas CHARLES over 10 years ago
- Status changed from 8 to Pending technical review
- Assignee changed from Nicolas CHARLES to Jonathan CLARKE
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/423
Updated by Nicolas CHARLES over 10 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset policy-templates:commit:de2a75b4c96015947ec7062e34beabc3c62575aa.
Updated by Jonathan CLARKE over 10 years ago
Applied in changeset policy-templates:commit:9c3f0cc63583029a99e3f442ee3630663b98417f.
Updated by Vincent MEMBRÉ over 10 years ago
- Subject changed from 403 on inventory submission to Authorized networks in splitted environment, does not allow inventory sending
Updated by Vincent MEMBRÉ over 10 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 2.11.0~beta2 (announcement, changelog), which was released today.
- Download information: https://www.rudder-project.org/site/get-rudder/downloads/