Bug #6687

closed

User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance

Architecture #6355: Agent should sign their inventory using their private key

bundle sendInventoryToCmdb tries to send .sign files to the endpoint

Added by Alexis Mousset almost 9 years ago. Updated almost 9 years ago.

Status: Released
Priority: N/A
Category: Techniques

Description

webapp logs:

[2015-06-01 15:28:20] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs.sign'
[2015-06-01 15:28:20] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to parse inventory <- Can't parse the input inventory, aborting <- Cannot parse uploaded file as an XML Fusion Inventory report
[2015-06-01 15:28:20] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Exception was: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
[2015-06-01 15:28:20] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs'
[2015-06-01 15:28:20] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs' parsed in 44 milliseconds, now checking signature
[2015-06-01 15:28:20] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Reject inventory 'agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs' for Node 'e0854638-aa77-4d89-b3e6-b49877d5f0d7' because signature is missing,  you can go back to unsigned state by running the following command '/opt/rudder/bin/rudder-keys reset-status e0854638-aa77-4d89-b3e6-b49877d5f0d7'

The missing signature seems to happen because the .sign file is moved into the failed directory.

agent logs:

2015-06-01T15:28:20+0000    error: /default/sendInventoryToCmdb/files/'/var/rudder/inventories/accepted-nodes-updates'[0]: Finished command related to promiser '/var/rudder/inventories/accepted-nodes-updates' -- an error occurred, returned 22
2015-06-01T15:28:20+0000    error: /default/sendInventoryToCmdb/files/'/var/rudder/inventories/accepted-nodes-updates'[0]: Transformer '/var/rudder/inventories/accepted-nodes-updates/agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs.sign' => '/var/rudder/tools/send-clean.sh http://localhost:8080/endpoint/upload/ /var/rudder/inventories/accepted-nodes-updates/agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs.sign /var/rudder/inventories/received/ /var/rudder/inventories/failed/' returned error
2015-06-01T15:28:20+0000    error: /default/sendInventoryToCmdb/files/'/var/rudder/inventories/accepted-nodes-updates'[0]: Finished command related to promiser '/var/rudder/inventories/accepted-nodes-updates' -- an error occurred, returned 22
2015-06-01T15:28:20+0000    error: /default/sendInventoryToCmdb/files/'/var/rudder/inventories/accepted-nodes-updates'[0]: Transformer '/var/rudder/inventories/accepted-nodes-updates/agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs' => '/var/rudder/tools/send-clean.sh http://localhost:8080/endpoint/upload/ /var/rudder/inventories/accepted-nodes-updates/agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs /var/rudder/inventories/received/ /var/rudder/inventories/failed/' returned error

The problem seems to be in:

      "${g.rudder_inventories}/incoming" 
        transformer => "${g.rudder_tools}/send-clean.sh &CMDBENDPOINT& ${this.promiser} ${g.rudder_inventories}/received/ ${g.rudder_inventories}/failed/",
        depth_search => recurse_visible(1),
        file_select => all_files,
        classes => rudder_common_classes("rudder_inventory_processing"),
        comment => "Processing a local inventory";

We should select only .ocs files in the file_select.
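
The failure sequence described in this report, as an added example that is not part of the original ticket and is not Rudder's code: a simplified shell model in which `fake_send`, `process_incoming`, `make_fixture` and the `node1` files are hypothetical stand-ins. It compares handing every file to the transformer with handing it only `*.ocs` files.

```shell
#!/bin/sh
# Added example: simplified model, not Rudder's send-clean.sh or endpoint.
# All file names and contents below are constructed.

# Stand-in for the upload step: accept a file only if it starts like XML and
# its detached signature sits beside it; otherwise move it to the failed dir.
fake_send() {  # fake_send FILE RECEIVED_DIR FAILED_DIR
    if head -n 1 "$1" | grep -q '^<?xml' && [ -f "$1.sign" ]; then
        mv "$1" "$1.sign" "$2"/
    else
        mv "$1" "$3"/
        return 22   # same exit status as in the agent logs above
    fi
}

# Run the transformer over the selected files; print how many were rejected.
# $1 = incoming dir, $2 = find name pattern ('*' models all_files).
process_incoming() {
    dir=$1; pattern=$2; failed=0
    mkdir -p "$dir/received" "$dir/failed"
    # sort -r puts x.ocs.sign before x.ocs, the order seen in the logs above
    for f in $(find "$dir" -maxdepth 1 -type f -name "$pattern" | sort -r); do
        [ -f "$f" ] || continue          # already moved with its inventory
        fake_send "$f" "$dir/received" "$dir/failed" || failed=$((failed + 1))
    done
    echo "$failed"
}

# Build a constructed incoming directory holding one signed inventory.
make_fixture() {
    d=$(mktemp -d)
    printf '<?xml version="1.0"?><REQUEST/>\n' > "$d/node1.ocs"
    printf 'constructed-signature-bytes\n' > "$d/node1.ocs.sign"
    echo "$d"
}

demo() {  # prints "<rejections with all files> <rejections with *.ocs only>"
    a=$(make_fixture); b=$(make_fixture)
    all=$(process_incoming "$a" '*')
    ocs=$(process_incoming "$b" '*.ocs')
    rm -rf "$a" "$b"
    echo "$all $ocs"
}
```

With every file selected, the signature is rejected as non-XML and moved away, so the inventory that follows is rejected as unsigned; with only `*.ocs` selected, the inventory and its signature are accepted together.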


Subtasks: 1 (0 open, 1 closed)

Bug #6692: Syntax error in site.cf (Released, Matthieu CERDA, 2015-06-03)

#1

Updated by Alexis Mousset almost 9 years ago

  • Assignee changed from Alexis Mousset to Benoît PECCATTE
#2

Updated by Alexis Mousset almost 9 years ago

  • Assignee changed from Benoît PECCATTE to Vincent MEMBRÉ
#3

Updated by Vincent MEMBRÉ almost 9 years ago

  • Status changed from New to In progress
#4

Updated by Vincent MEMBRÉ almost 9 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/678
#5

Updated by Vincent MEMBRÉ almost 9 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
#7

Updated by Vincent MEMBRÉ almost 9 years ago

  • Parent task set to #6355
#8

Updated by Vincent MEMBRÉ almost 9 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.0~beta1, which was released today.
