Project

General

Profile

Actions

Bug #5238

closed

CFEngine is unable to run automatically on Rudder Server 2.11.0.rc1 since its generated promises have group writable permissions

Added by Nicolas PERRON over 10 years ago. Updated over 9 years ago.

Status:
Released
Priority:
1 (highest)
Category:
Web - Config management
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
Name check:
Fix check:
Regression:

Description

The folders /var/rudder/ncf/{local,common} are populated by CFEngine and it is there that the MetaTechniques are searched by CFEngine.
If MetaTechniques are realized and used in a Rule before that /var/rudder/ncf/local is populated:

$ /var/rudder/cfengine-community/bin/cf-agent -KI
2014-07-08T09:54:10+0000    error: Bundle 'MyTech' listed in the bundlesequence is not a defined bundle
2014-07-08T09:54:10+0000    error: Fatal CFEngine error: Errors in promise bundles: could not verify bundlesequence
2014-07-08T09:54:10+0000    error: Policy failed validation with command '"/var/rudder/cfengine-community/bin/cf-promises" -c "/var/rudder/cfengine-community/inputs/promises.cf"'

This error prevent cf-execd to be launched and the cron /etc/cron.d/rudder-agent does not seem to be able to fix it:

[...]
Jul  8 09:55:01 server /USR/SBIN/CRON[15153]: (root) CMD (. /etc/profile; if [ -e /opt/rudder/bin/check-rudder-agent ]; then /opt/rudder/bin/check-rudder-agent; else if [ ! -e /opt/rudder/etc/disable-agent -a `ps -efww | grep -E "(cf-execd|cf-agent)" | grep -E "/var/rudder/cfengine-community/bin/(cf-execd|cf-agent)" | grep -v grep | wc -l` -eq 0 ]; then /var/rudder/cfengine-community/bin/cf-agent -f failsafe.cf >/dev/null 2>&1 && /var/rudder/cfengine-community/bin/cf-agent >/dev/null 2>&1; if [ $? != 0 ]; then if [ -f /opt/rudder/etc/rudder-restart-message.txt ]; then cat /opt/rudder/etc/rudder-restart-message.txt; else echo "Rudder agent was unable to restart on $(hostname)."; fi; fi; fi; fi)
Jul  8 09:55:01 server cf3[15183]: File /var/rudder/cfengine-community/inputs/failsafe.cf (owner 0) is writable by others (security exception)
Jul  8 09:55:29 server cf3[15198]: Policy failed validation with command '"/var/rudder/cfengine-community/bin/cf-promises" -c "/var/rudder/cfengine-community/inputs/promises.cf"'
[...]

Nevertheless, the simple command "/var/rudder/cfengine-community/bin/cf-agent -f failsafe.cf" fixed the problem. The cron should do the same


Subtasks 1 (0 open1 closed)

Bug #5246: Remove group permission on promises after they have been generatedReleasedFrançois ARMAND2014-07-09Actions
Actions

Also available in: Atom PDF