Bug #5238
closed
CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writable permissions
Added by Nicolas PERRON over 10 years ago.
Updated about 10 years ago.
Category:
Web - Config management
Description
The folders /var/rudder/ncf/{local,common} are populated by CFEngine and it is there that the MetaTechniques are searched by CFEngine.
If MetaTechniques are realized and used in a Rule before that /var/rudder/ncf/local is populated:
$ /var/rudder/cfengine-community/bin/cf-agent -KI
2014-07-08T09:54:10+0000 error: Bundle 'MyTech' listed in the bundlesequence is not a defined bundle
2014-07-08T09:54:10+0000 error: Fatal CFEngine error: Errors in promise bundles: could not verify bundlesequence
2014-07-08T09:54:10+0000 error: Policy failed validation with command '"/var/rudder/cfengine-community/bin/cf-promises" -c "/var/rudder/cfengine-community/inputs/promises.cf"'
This error prevent cf-execd to be launched and the cron /etc/cron.d/rudder-agent does not seem to be able to fix it:
[...]
Jul 8 09:55:01 server /USR/SBIN/CRON[15153]: (root) CMD (. /etc/profile; if [ -e /opt/rudder/bin/check-rudder-agent ]; then /opt/rudder/bin/check-rudder-agent; else if [ ! -e /opt/rudder/etc/disable-agent -a `ps -efww | grep -E "(cf-execd|cf-agent)" | grep -E "/var/rudder/cfengine-community/bin/(cf-execd|cf-agent)" | grep -v grep | wc -l` -eq 0 ]; then /var/rudder/cfengine-community/bin/cf-agent -f failsafe.cf >/dev/null 2>&1 && /var/rudder/cfengine-community/bin/cf-agent >/dev/null 2>&1; if [ $? != 0 ]; then if [ -f /opt/rudder/etc/rudder-restart-message.txt ]; then cat /opt/rudder/etc/rudder-restart-message.txt; else echo "Rudder agent was unable to restart on $(hostname)."; fi; fi; fi; fi)
Jul 8 09:55:01 server cf3[15183]: File /var/rudder/cfengine-community/inputs/failsafe.cf (owner 0) is writable by others (security exception)
Jul 8 09:55:29 server cf3[15198]: Policy failed validation with command '"/var/rudder/cfengine-community/bin/cf-promises" -c "/var/rudder/cfengine-community/inputs/promises.cf"'
[...]
Nevertheless, the simple command "/var/rudder/cfengine-community/bin/cf-agent -f failsafe.cf" fixed the problem. The cron should do the same
- Subject changed from Adding a MetaTechnique into a Rule before /var/rudder/ncf/ has been populated lead to broken promises to Adding a MetaTechnique into a Rule before /var/rudder/ncf/local has been populated lead to broken promises
In fact, the problem is more insidious than that.
The umask of Jetty has been changed to be ncf compliant (group must be able to write files generated by Rudder). However, this is not CFEngine compliant since every promises read by CFEngine in a non-interactive mode should not be writable by 'group' or 'other'.
Then, on the server, the agent would not be able to be launched automatically except if we adjust recursively the promises into /var/rudder/cfengine-community/
- Subject changed from Adding a MetaTechnique into a Rule before /var/rudder/ncf/local has been populated lead to broken promises to CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have writables permissions
- Assignee changed from Nicolas PERRON to Vincent MEMBRÉ
The solution seems to be:
Add specific permissions on files generated by Rudder under folder /var/rudder/cfengine/inputs/.
The mode can be 640 (rw-r-----) for files but the folders should be executables in order to be searchable.
Nicolas PERRON wrote:
The solution seems to be:
Add specific permissions on files generated by Rudder under folder /var/rudder/cfengine/inputs/.
The mode can be 640 (rw-r-----) for files but the folders should be executables in order to be searchable.
In fact, we've got a promise (common/1.0/internal_security.cf) to ensure that files are all 600 (rw------) in /var/rudder/cfengine/inputs/.
- Status changed from New to Pending technical review
- Assignee changed from Vincent MEMBRÉ to François ARMAND
- Pull Request set to https://github.com/Normation/cf-clerk/pull/48
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset clerk:commit:59bec00f4c55132d0f6fdc7b671e65807e993e1a.
Applied in changeset clerk:commit:3e6977387923a26627e155dc90ef9cef1aa8de14.
- Subject changed from CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have writables permissions to CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writables permissions
- Subject changed from CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writables permissions to CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writable permissions
This was reverted and now fixed by #5246
- Status changed from Pending release to Released
- Category changed from 14 to Web - Config management
Also available in: Atom
PDF
Updated by Nicolas PERRON 
Updated by 
Updated by 
Updated by