Bug #6687
User story #6589 (closed): Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance
Architecture #6355: Agent should sign their inventory using their private key
bundle sendInventoryToCmdb tries to send .sign files to the endpoint
Description
webapp logs:
[2015-06-01 15:28:20] INFO com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs.sign'
[2015-06-01 15:28:20] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to parse inventory <- Can't parse the input inventory, aborting <- Cannot parse uploaded file as an XML Fusion Inventory report
[2015-06-01 15:28:20] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Exception was: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
[2015-06-01 15:28:20] INFO com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs'
[2015-06-01 15:28:20] INFO com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs' parsed in 44 milliseconds, now checking signature
[2015-06-01 15:28:20] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Reject inventory 'agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs' for Node 'e0854638-aa77-4d89-b3e6-b49877d5f0d7' because signature is missing, you can go back to unsigned state by running the following command '/opt/rudder/bin/rudder-keys reset-status e0854638-aa77-4d89-b3e6-b49877d5f0d7'
The missing signature seems to happen because the .sign file is moved into the failed directory.
agent logs:
2015-06-01T15:28:20+0000 error: /default/sendInventoryToCmdb/files/'/var/rudder/inventories/accepted-nodes-updates'[0]: Finished command related to promiser '/var/rudder/inventories/accepted-nodes-updates' -- an error occurred, returned 22
2015-06-01T15:28:20+0000 error: /default/sendInventoryToCmdb/files/'/var/rudder/inventories/accepted-nodes-updates'[0]: Transformer '/var/rudder/inventories/accepted-nodes-updates/agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs.sign' => '/var/rudder/tools/send-clean.sh http://localhost:8080/endpoint/upload/ /var/rudder/inventories/accepted-nodes-updates/agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs.sign /var/rudder/inventories/received/ /var/rudder/inventories/failed/' returned error
2015-06-01T15:28:20+0000 error: /default/sendInventoryToCmdb/files/'/var/rudder/inventories/accepted-nodes-updates'[0]: Finished command related to promiser '/var/rudder/inventories/accepted-nodes-updates' -- an error occurred, returned 22
2015-06-01T15:28:20+0000 error: /default/sendInventoryToCmdb/files/'/var/rudder/inventories/accepted-nodes-updates'[0]: Transformer '/var/rudder/inventories/accepted-nodes-updates/agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs' => '/var/rudder/tools/send-clean.sh http://localhost:8080/endpoint/upload/ /var/rudder/inventories/accepted-nodes-updates/agent2-e0854638-aa77-4d89-b3e6-b49877d5f0d7.ocs /var/rudder/inventories/received/ /var/rudder/inventories/failed/' returned error
The problem seems to be in:
"${g.rudder_inventories}/incoming"
  transformer  => "${g.rudder_tools}/send-clean.sh &CMDBENDPOINT& ${this.promiser} ${g.rudder_inventories}/received/ ${g.rudder_inventories}/failed/",
  depth_search => recurse_visible(1),
  file_select  => all_files,
  classes      => rudder_common_classes("rudder_inventory_processing"),
  comment      => "Processing a local inventory";
We should select only .ocs files in the file_select.
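One way to express the proposed restriction, as an added illustration rather than the patch the project actually shipped: replace the `all_files` selector with a `file_select` body that matches only leaf names ending in `.ocs`, so the transformer is never invoked on the `.sign` companion file. The `ocs_files` body name is an assumption made for this example; `leaf_name` and `file_result` are standard CFEngine `file_select` attributes, and the surrounding promise is the one quoted above. The same selector would have to be applied to every promise that uses this transformer, including the one on `accepted-nodes-updates` seen in the agent logs.

```cfengine
# Added example (not Rudder's own patch): restrict the transformer to .ocs files.
bundle agent sendInventoryToCmdb
{
  files:
    "${g.rudder_inventories}/incoming"
      transformer  => "${g.rudder_tools}/send-clean.sh &CMDBENDPOINT& ${this.promiser} ${g.rudder_inventories}/received/ ${g.rudder_inventories}/failed/",
      depth_search => recurse_visible(1),
      # Assumed body name for this example; only inventory files are selected,
      # so the .sign file is no longer uploaded on its own and moved to failed/.
      file_select  => ocs_files,
      classes      => rudder_common_classes("rudder_inventory_processing"),
      comment      => "Processing a local inventory";
}

# Matches leaf names ending in ".ocs"; ".ocs.sign" does not match because
# the regex is anchored to the whole leaf name.
body file_select ocs_files
{
  leaf_name   => { ".*\.ocs" };
  file_result => "leaf_name";
}
```

With this selector the `.sign` file is only ever handled through its `.ocs` counterpart, so it is worth checking that `send-clean.sh` moves (or removes) the matching `.sign` file together with the inventory it uploads; otherwise the signature files would accumulate in the source directory after each run.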