Bug #8159

closed

Do not backup modified promise files and encrypt ncf/local transfer

Added by Alexis MOUSSET about 5 years ago. Updated about 5 years ago.

Status: Released
Priority: N/A
Category: System techniques

Description

The update/propagate techniques use 6 different bodies with inconsistent parameters; we should improve this.

what from to body move_obstructions action: immediate encrypt compare preserve perms verify purge trustkey copy_backup
update
ncf/{common,local} root root copy_digest_without_perms x x digest x false
ncf/{common,local} policy_server node remote_unsecured_without_perms x x digest x x x true
rudder_promises_generated policy_server node remote x x x digest x x x true
inputs policy_server node remote x x x digest x x x true
tools policy_server node remote_unsecured x x mtime x x x x true
rudder_tools_updated policy_server node remote_unsecured x x mtime x x x x true
propagate promises
tools root root copy mtime x false
ncf.conf root root copy_digest digest x timestamp
tools root relay remote_unsecured mtime x x x x true
ncf/{common,local} root relay remote x digest x x x true
shared_files root relay remote x digest x x x true
masterfiles root relay remote x digest x x x true
techniques
file_copy_from_* * node ncf_{remote,local}_cp_method configurable true
copyGitFile* policy_server node rudder_copy_from x configurable x configurable timestamp

Related issues

Related to Rudder - Bug #8158: When a relay propagate promises, it seems he's doing backup of previous promises in the modified_files folder (Rejected, Alexis MOUSSET, 2016-04-07)
Related to Rudder - User story #7986: Make copying the tools encrypted again (Rejected, Benoît PECCATTE)
Related to ncf - Bug #8160: Remote file copies in ncf should be encrypted (Released, Nicolas CHARLES, 2016-04-07)
Related to Rudder - Architecture #6349: Change promises to use encrypted communication (Released, Nicolas CHARLES, 2015-03-05)
Related to Rudder - User story #8607: Document security level of Rudder content (Released, François ARMAND)
Actions #1

Updated by Alexis MOUSSET about 5 years ago

  • Related to Bug #8158: When a relay propagate promises, it seems he's doing backup of previous promises in the modified_files folder added
Actions #2

Updated by Alexis MOUSSET about 5 years ago

Actions #3

Updated by Alexis MOUSSET about 5 years ago

  • Description updated (diff)
  • Category set to System techniques
Actions #4

Updated by Alexis MOUSSET about 5 years ago

  • Description updated (diff)
Actions #5

Updated by Nicolas CHARLES about 5 years ago

I don't really know how to comment on this in a readable way, but:

In update
rudder_promises_generated, rudder_tools_updated need neither copy_backup nor encrypt (no secret there, no real value there)
ncf/{common,local} should need encrypt (secret there) but no copy_backup (the backup needs to be only on the rudder server)
inputs need encrypt, but no copy_backup

In propagate promises
ncf.conf needs neither encrypt nor copy_backup
ncf/{common,local} should need encrypt (secret there) but no copy_backup (the backup needs to be only on the rudder server)
shared_files need encrypt, but no copy_backup
masterfiles need encrypt, but no copy_backup

In techniques
file_copy_from_* should need copy_backup timestamp
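
Added example, not part of the ticket thread or of Rudder's code: a small Python check that applies the rule from the comment above (transfers carrying secrets need encrypt and no copy_backup) to CFEngine `body copy_from` definitions. The body names and policy text are constructed for illustration; attributes missing from a body fall back to the CFEngine defaults (encrypt false, copy_backup true).

```python
import re

# Constructed sample policy. Body names are hypothetical, not Rudder's own.
SAMPLE_POLICY = '''
body copy_from example_remote_plain(from, server)
{
  source      => "$(from)";
  servers     => { "$(server)" };
  copy_backup => "true";   # keeps a copy of every replaced file
}

body copy_from example_remote_secret(from, server)
{
  source      => "$(from)";
  servers     => { "$(server)" };
  compare     => "digest";
  encrypt     => "true";
  copy_backup => "false";
}
'''

# Assumes each body closes with "}" at the start of a line, as in the sample.
BODY_RE = re.compile(r'body\s+copy_from\s+(\w+)\s*(?:\([^)]*\))?\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'(\w+)\s*=>\s*"([^"]*)"\s*;')
# CFEngine defaults used when the attribute is omitted from the body.
DEFAULTS = {"encrypt": "false", "copy_backup": "true"}

def parse_copy_from_bodies(policy):
    """Return {body_name: {attribute: value}} for scalar attributes."""
    policy = re.sub(r'#[^\n]*', '', policy)   # drop comments
    bodies = {}
    for name, block in BODY_RE.findall(policy):
        attrs = dict(DEFAULTS)
        attrs.update(ATTR_RE.findall(block))
        bodies[name] = attrs
    return bodies

def audit_secret_transfer(policy):
    """Flag bodies that should not be used for files containing secrets."""
    findings = {}
    for name, attrs in parse_copy_from_bodies(policy).items():
        problems = []
        if attrs["encrypt"] != "true":
            problems.append("transfer not encrypted")
        if attrs["copy_backup"] != "false":
            problems.append("backup kept on receiver (copy_backup=%s)" % attrs["copy_backup"])
        if problems:
            findings[name] = problems
    return findings
```

Calling `audit_secret_transfer(SAMPLE_POLICY)` reports only `example_remote_plain`, for both the missing encryption and the retained backup.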

Actions #6

Updated by Alexis MOUSSET about 5 years ago

  • Related to Bug #8160: Remote file copies in ncf should be encrypted added
Actions #7

Updated by Alexis MOUSSET about 5 years ago

ncf/local copy is encrypted since 3.1 (#6349).

Actions #8

Updated by Alexis MOUSSET about 5 years ago

Actions #9

Updated by Alexis MOUSSET about 5 years ago

  • Assignee set to Alexis MOUSSET
  • Target version set to 2.11.20
Actions #10

Updated by Alexis MOUSSET about 5 years ago

  • Tracker changed from User story to Bug
  • Subject changed from Clean up copy_from bodies to Fix copy_from bodies for Rudder files
  • Reproduced set to No
Actions #11

Updated by Alexis MOUSSET about 5 years ago

  • Status changed from New to In progress
Actions #12

Updated by Alexis MOUSSET about 5 years ago

The PR gives:

what from to body move_obstructions action: immediate encrypt compare preserve perms verify purge trustkey copy_backup
update
ncf/{common,local} root root copy_digest_without_perms x x digest x false
ncf/common policy_server node remote_unsecured_without_perms x x digest x x x false
ncf/local policy_server node remote x x x digest x x x false
rudder_promises_generated policy_server node remote_unsecured_without_perms x x -x- digest x x x false
inputs policy_server node remote x x x digest x x x false
tools policy_server node remote_unsecured x x mtime x x x x false
rudder_tools_updated policy_server node remote_unsecured_without_perms x x digest -x- x x x false
propagate promises
tools root root copy mtime x false
ncf.conf root root copy_digest_without_perms digest -x- x false
tools root relay remote_unsecured mtime x x x x false
ncf/common root relay remote_unsecured_without_perms -x- digest x x x false
ncf/local root relay remote x digest x x x false
shared_files root relay remote x digest x x x false
masterfiles root relay remote x digest x x x false
techniques
file_copy_from_* * node ncf_{remote,local}_cp_method x configurable timestamp
copyGitFile* policy_server node rudder_copy_from x configurable x configurable timestamp
Actions #13

Updated by Alexis MOUSSET about 5 years ago

  • Description updated (diff)
Actions #14

Updated by Alexis MOUSSET about 5 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis MOUSSET to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/906
Actions #15

Updated by Nicolas CHARLES about 5 years ago

This is super clear.

Actions #16

Updated by Alexis MOUSSET about 5 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
Actions #17

Updated by Alexis MOUSSET about 5 years ago

  • Subject changed from Fix copy_from bodies for Rudder files to Do not backup modified promise files and encrypt ncf/local transfer
Actions #18

Updated by Vincent MEMBRÉ about 5 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.20, 3.0.15, 3.1.9 and 3.2.2 which were released today.

Actions #19

Updated by Alexis MOUSSET almost 5 years ago
