Bug #5238
Status: closed
CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writable permissions
Description
The folders /var/rudder/ncf/{local,common} are populated by CFEngine, and that is where CFEngine looks for the MetaTechniques.
If MetaTechniques are realized and used in a Rule before /var/rudder/ncf/local is populated:
$ /var/rudder/cfengine-community/bin/cf-agent -KI
2014-07-08T09:54:10+0000 error: Bundle 'MyTech' listed in the bundlesequence is not a defined bundle
2014-07-08T09:54:10+0000 error: Fatal CFEngine error: Errors in promise bundles: could not verify bundlesequence
2014-07-08T09:54:10+0000 error: Policy failed validation with command '"/var/rudder/cfengine-community/bin/cf-promises" -c "/var/rudder/cfengine-community/inputs/promises.cf"'
This error prevents cf-execd from being launched, and the cron job /etc/cron.d/rudder-agent does not seem to be able to fix it:
[...]
Jul 8 09:55:01 server /USR/SBIN/CRON[15153]: (root) CMD (. /etc/profile; if [ -e /opt/rudder/bin/check-rudder-agent ]; then /opt/rudder/bin/check-rudder-agent; else if [ ! -e /opt/rudder/etc/disable-agent -a `ps -efww | grep -E "(cf-execd|cf-agent)" | grep -E "/var/rudder/cfengine-community/bin/(cf-execd|cf-agent)" | grep -v grep | wc -l` -eq 0 ]; then /var/rudder/cfengine-community/bin/cf-agent -f failsafe.cf >/dev/null 2>&1 && /var/rudder/cfengine-community/bin/cf-agent >/dev/null 2>&1; if [ $? != 0 ]; then if [ -f /opt/rudder/etc/rudder-restart-message.txt ]; then cat /opt/rudder/etc/rudder-restart-message.txt; else echo "Rudder agent was unable to restart on $(hostname)."; fi; fi; fi; fi)
Jul 8 09:55:01 server cf3[15183]: File /var/rudder/cfengine-community/inputs/failsafe.cf (owner 0) is writable by others (security exception)
Jul 8 09:55:29 server cf3[15198]: Policy failed validation with command '"/var/rudder/cfengine-community/bin/cf-promises" -c "/var/rudder/cfengine-community/inputs/promises.cf"'
[...]
Nevertheless, the simple command "/var/rudder/cfengine-community/bin/cf-agent -f failsafe.cf" fixed the problem. The cron should do the same.
Updated by Nicolas PERRON over 10 years ago
- Subject changed from Adding a MetaTechnique into a Rule before /var/rudder/ncf/ has been populated lead to broken promises to Adding a MetaTechnique into a Rule before /var/rudder/ncf/local has been populated lead to broken promises
Updated by Nicolas PERRON over 10 years ago
In fact, the problem is more insidious than that.
The umask of Jetty has been changed to be ncf compliant (the group must be able to write files generated by Rudder). However, this is not CFEngine compliant, since every promise read by CFEngine in non-interactive mode should not be writable by 'group' or 'other'.
Then, on the server, the agent would not be able to be launched automatically unless we recursively adjust the promises in /var/rudder/cfengine-community/.
Updated by Nicolas PERRON over 10 years ago
- Subject changed from Adding a MetaTechnique into a Rule before /var/rudder/ncf/local has been populated lead to broken promises to CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have writables permissions
- Assignee changed from Nicolas PERRON to Vincent MEMBRÉ
The solution seems to be:
Add specific permissions on files generated by Rudder under folder /var/rudder/cfengine/inputs/.
The mode can be 640 (rw-r-----) for files, but the folders should be executable in order to be searchable.
Updated by Nicolas PERRON over 10 years ago
Nicolas PERRON wrote:
The solution seems to be:
Add specific permissions on files generated by Rudder under folder /var/rudder/cfengine/inputs/. The mode can be 640 (rw-r-----) for files, but the folders should be executable in order to be searchable.
In fact, we've got a promise (common/1.0/internal_security.cf) to ensure that all files are 600 (rw-------) in /var/rudder/cfengine/inputs/.
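The check that fails in the log above ("is writable by others (security exception)") and the tightening described in the last two comments can be reproduced outside CFEngine. The following is an added example, not code from this ticket, from Rudder, or from internal_security.cf: it walks an inputs-style tree, reports every entry whose group- or other-write bit is set, and can then apply the 600-for-files, executable-for-directories policy the comments describe. The function names and the constructed sample tree (built in a temporary directory with the group-writable modes a umask of 002 would produce) are assumptions of the example.

```python
import stat
import tempfile
from pathlib import Path

# The bits CFEngine objects to on policy inputs: write permission for group or other.
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def find_group_or_world_writable(root):
    """Return the paths (relative to root, sorted) of every file or directory
    under root whose mode grants write access to group or other, i.e. the
    condition CFEngine logs as '... is writable by others (security exception)'."""
    root = Path(root)
    offending = []
    for path in sorted(root.rglob("*")):
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue  # a symlink's own bits are not what CFEngine checks; skip it
        if mode & UNSAFE_WRITE_BITS:
            offending.append(str(path.relative_to(root)))
    return offending


def tighten_inputs_tree(root, file_mode=0o600, dir_mode=0o700):
    """Apply the policy the ticket converges on: regular files 600, directories
    keep their execute bit so they stay searchable (700 here, an assumption of
    the example). Returns how many entries were changed."""
    changed = 0
    for path in Path(root).rglob("*"):
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue
        wanted = dir_mode if stat.S_ISDIR(mode) else file_mode
        if stat.S_IMODE(mode) != wanted:
            path.chmod(wanted)  # chmod is not subject to umask, unlike file creation
            changed += 1
    return changed


def build_sample_tree():
    """Constructed sample data (not real Rudder output): a throwaway inputs/ tree
    whose files were written under a group-writable umask, as in the ticket."""
    root = Path(tempfile.mkdtemp(prefix="inputs-"))
    (root / "common" / "1.0").mkdir(parents=True)
    for rel, mode in [
        ("promises.cf", 0o664),                      # group-writable: rejected
        ("failsafe.cf", 0o664),                      # group-writable: rejected
        ("common/1.0/internal_security.cf", 0o640),  # already acceptable
    ]:
        target = root / rel
        target.write_text("# constructed placeholder promise file\n")
        target.chmod(mode)
    (root / "common").chmod(0o775)          # group-writable directory: rejected
    (root / "common" / "1.0").chmod(0o755)  # searchable, not group-writable
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("before:", find_group_or_world_writable(sample))
    print("changed:", tighten_inputs_tree(sample))
    print("after:", find_group_or_world_writable(sample))
```

Run as a script it prints the offending entries before and after tightening; the scan reports directories as well as files because a group-writable directory lets a group member replace a promise file even when the file itself is 600, which is why the comments insist on both the file mode and the directory bits.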
Updated by Vincent MEMBRÉ over 10 years ago
- Status changed from New to Pending technical review
- Assignee changed from Vincent MEMBRÉ to François ARMAND
- Pull Request set to https://github.com/Normation/cf-clerk/pull/48
Updated by Vincent MEMBRÉ over 10 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset clerk:commit:59bec00f4c55132d0f6fdc7b671e65807e993e1a.
Updated by François ARMAND over 10 years ago
Applied in changeset clerk:commit:3e6977387923a26627e155dc90ef9cef1aa8de14.
Updated by Nicolas PERRON over 10 years ago
- Subject changed from CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have writables permissions to CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writables permissions
Updated by Vincent MEMBRÉ over 10 years ago
- Subject changed from CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writables permissions to CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writable permissions
Updated by Vincent MEMBRÉ over 10 years ago
This was reverted and now fixed by #5246.
Updated by Vincent MEMBRÉ over 10 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 2.11.0~rc2 (announcement, changelog), which was released today.
- Download information: https://www.rudder-project.org/site/get-rudder/downloads/
Updated by Benoît PECCATTE almost 10 years ago
- Category changed from 14 to Web - Config management