Bug #5238

closed

CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writable permissions

Added by Nicolas PERRON almost 8 years ago. Updated over 7 years ago.

Status:
Released
Priority:
1
Category:
Web - Config management
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:

Description

The folders /var/rudder/ncf/{local,common} are populated by CFEngine and it is there that the MetaTechniques are searched by CFEngine.
If MetaTechniques are realized and used in a Rule before /var/rudder/ncf/local is populated:

$ /var/rudder/cfengine-community/bin/cf-agent -KI
2014-07-08T09:54:10+0000    error: Bundle 'MyTech' listed in the bundlesequence is not a defined bundle
2014-07-08T09:54:10+0000    error: Fatal CFEngine error: Errors in promise bundles: could not verify bundlesequence
2014-07-08T09:54:10+0000    error: Policy failed validation with command '"/var/rudder/cfengine-community/bin/cf-promises" -c "/var/rudder/cfengine-community/inputs/promises.cf"'

This error prevents cf-execd from being launched, and the cron /etc/cron.d/rudder-agent does not seem to be able to fix it:

[...]
Jul  8 09:55:01 server /USR/SBIN/CRON[15153]: (root) CMD (. /etc/profile; if [ -e /opt/rudder/bin/check-rudder-agent ]; then /opt/rudder/bin/check-rudder-agent; else if [ ! -e /opt/rudder/etc/disable-agent -a `ps -efww | grep -E "(cf-execd|cf-agent)" | grep -E "/var/rudder/cfengine-community/bin/(cf-execd|cf-agent)" | grep -v grep | wc -l` -eq 0 ]; then /var/rudder/cfengine-community/bin/cf-agent -f failsafe.cf >/dev/null 2>&1 && /var/rudder/cfengine-community/bin/cf-agent >/dev/null 2>&1; if [ $? != 0 ]; then if [ -f /opt/rudder/etc/rudder-restart-message.txt ]; then cat /opt/rudder/etc/rudder-restart-message.txt; else echo "Rudder agent was unable to restart on $(hostname)."; fi; fi; fi; fi)
Jul  8 09:55:01 server cf3[15183]: File /var/rudder/cfengine-community/inputs/failsafe.cf (owner 0) is writable by others (security exception)
Jul  8 09:55:29 server cf3[15198]: Policy failed validation with command '"/var/rudder/cfengine-community/bin/cf-promises" -c "/var/rudder/cfengine-community/inputs/promises.cf"'
[...]

Nevertheless, the simple command "/var/rudder/cfengine-community/bin/cf-agent -f failsafe.cf" fixed the problem. The cron should do the same.


Subtasks 1 (0 open, 1 closed)

Bug #5246: Remove group permission on promises after they have been generated (Released, François ARMAND, 2014-07-09)
Actions #1

Updated by Nicolas PERRON almost 8 years ago

  • Subject changed from Adding a MetaTechnique into a Rule before /var/rudder/ncf/ has been populated lead to broken promises to Adding a MetaTechnique into a Rule before /var/rudder/ncf/local has been populated lead to broken promises
Actions #2

Updated by Nicolas PERRON almost 8 years ago

In fact, the problem is more insidious than that.

The umask of Jetty has been changed to be ncf compliant (group must be able to write files generated by Rudder). However, this is not CFEngine compliant, since every promise read by CFEngine in non-interactive mode must not be writable by 'group' or 'other'.
Then, on the server, the agent cannot be launched automatically unless we recursively adjust the promises under /var/rudder/cfengine-community/.

Actions #3

Updated by Nicolas PERRON almost 8 years ago

  • Subject changed from Adding a MetaTechnique into a Rule before /var/rudder/ncf/local has been populated lead to broken promises to CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have writables permissions
  • Assignee changed from Nicolas PERRON to Vincent MEMBRÉ

The solution seems to be:
Add specific permissions on files generated by Rudder under folder /var/rudder/cfengine/inputs/.

The mode can be 640 (rw-r-----) for files, but the folders should be executable in order to be searchable.

Actions #4

Updated by Nicolas PERRON almost 8 years ago

Nicolas PERRON wrote:

The solution seems to be:
Add specific permissions on files generated by Rudder under folder /var/rudder/cfengine/inputs/.

The mode can be 640 (rw-r-----) for files, but the folders should be executable in order to be searchable.

In fact, we've got a promise (common/1.0/internal_security.cf) to ensure that files are all 600 (rw-------) in /var/rudder/cfengine/inputs/.
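
As an added check for the condition CFEngine rejects above (this is example code, not Rudder's or ncf's own internal_security.cf): one shell function lists every group- or other-writable entry under an inputs directory, and another tightens the tree to the 600/700 modes discussed in this thread. It is exercised on a constructed temporary tree; the file names and contents used there are assumptions.

```shell
#!/bin/sh
# List every file or directory under $1 that is writable by group or other.
# Any hit is what makes cf-agent log "... is writable by others (security
# exception)" and refuse to run in non-interactive mode.
insecure_inputs() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# Exit 0 when the tree is clean, 1 when at least one insecure entry exists.
check_inputs() {
    [ -z "$(insecure_inputs "$1")" ]
}

# Tighten the tree: 600 for files, 700 for directories so they remain
# searchable (assumes the tree is owned by the user running cf-agent, root).
fix_inputs() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Constructed stand-in for /var/rudder/cfengine-community/inputs: one file and
# one directory left group-writable, as a umask of 002 would leave them.
demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/common/1.0"
    printf 'bundle agent x {}\n' > "$tmp/promises.cf"
    printf 'bundle agent y {}\n' > "$tmp/common/1.0/internal_security.cf"
    chmod 664 "$tmp/promises.cf"                       # group writable
    chmod 600 "$tmp/common/1.0/internal_security.cf"   # already fine
    chmod 775 "$tmp/common"                            # group writable dir
    echo "$tmp"
}
```

Run `check_inputs /var/rudder/cfengine-community/inputs` from cron or a monitoring check to catch the regression before cf-agent does.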

Actions #5

Updated by Vincent MEMBRÉ almost 8 years ago

  • Status changed from New to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to François ARMAND
  • Pull Request set to https://github.com/Normation/cf-clerk/pull/48
Actions #6

Updated by Vincent MEMBRÉ almost 8 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100

Applied in changeset clerk:commit:59bec00f4c55132d0f6fdc7b671e65807e993e1a.

Actions #7

Updated by François ARMAND almost 8 years ago

Applied in changeset clerk:commit:3e6977387923a26627e155dc90ef9cef1aa8de14.

Actions #8

Updated by Vincent MEMBRÉ almost 8 years ago

  • Category set to 14
Actions #9

Updated by Nicolas PERRON almost 8 years ago

  • Subject changed from CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have writables permissions to CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writables permissions
Actions #10

Updated by Vincent MEMBRÉ almost 8 years ago

  • Subject changed from CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writables permissions to CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writable permissions
Actions #11

Updated by Vincent MEMBRÉ almost 8 years ago

This was reverted and is now fixed by #5246.

Actions #12

Updated by Vincent MEMBRÉ almost 8 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.0~rc2 (announcement, changelog), which was released today.

Actions #13

Updated by Benoît PECCATTE over 7 years ago

  • Category changed from 14 to Web - Config management