Forum: CFEngine Help
Subject: Inconsistent behavior when using delete: ".*"; or empty_file_before_editing default
Author: random
Link to topic: https://cfengine.com/forum/read.php?3,22912,22912#msg-22912
CFEngine 3.1.5
cf-execd -Fv via cron every 5 minutes, 3 minute splay
I've been able to reproduce this problem with verbose enabled. This is for
SSH.com style SSH, so it's a bit different than the openssh style keyring (of
course, that's not really the problem here...).
I am getting wildly inconsistent behavior from the bundle below. It looks like
there's a problem with creating an empty file in memory using either
delete_lines: ".*"; or with the empty_file_before_editing default (I tried them
both). This works the majority of the time but every now and then it will
modify the authorization file even though there have been no changes, not even
new inputs downloaded. When this happens it iterates over the list of users
passed to update_pubkey_authfile but stops inserting lines at a random point.
This results in a partially built authorization file that includes only a small
portion or none of the users specified.
Usually after this broken run the next run is fine and repairs the file
correctly. Then it could be good for several hours or broken again on the next
run.
In the logs I see:
cf3> Promise handle:
cf3> Promise made by: Key id_user23.pub
cf3> .........................................................
cf3>
cf3> -> Inserting the promised line "Key id_user23.pub" into
/opt/amber/.ssh2/authorization after locator
That's the last successful bit, after that the logs show:
cf3> .........................................................
cf3> Promise handle:
cf3> Promise made by: Key id_user27.pub
cf3> .........................................................
cf3>
cf3> XX Nothing promised here (4/5 minutes elapsed)
Subsequent iterations show:
cf3> -> This promise has already been verified
Here is the portion of the config that does the authorization file
modifications:
bundle agent public_keys {
  vars:
    "list1" string =>
      "id_user1.pub,id_user2.pub,id_user3.pub,id_user4.pub,id_user5.pub";
    "list2" string =>
      "id_user20.pub,id_user21.pub,id_user22.pub,id_user23.pub,id_user24.pub,id_user25.pub,id_user26.pub,id_user27.pub,id_user28.pub,id_user29.pub,id_user30.pub,id_user31.pub,id_user32.pub,id_user33.pub,id_user34.pub,id_user35.pub,id_user36.pub,id_user37.pub,id_user38.pub,id_user39.pub";

    host1|host2::
      # keyed by username so that getindices() and the array lookups
      # in the methods promise below resolve to one entry per user
      "homedir[remuser]" string => "/home/remuser";
      "members[remuser]" string => "$(list1),$(list2)";

    any::
      # get a list of all the users
      "local_users" slist => getindices("homedir");

  methods:
    any::
      "any" usebundle =>
        update_authorization("$(local_users)","$(homedir[$(local_users)])","$(members[$(local_users)])");
}

bundle agent update_authorization(user,homedir,members) {
  classes:
    "report" expression => "any";

  vars:
    "class_uid" string => canonify("$(user)_$(members)");

  files:
    "$(homedir)/.ssh2/authorization"
      edit_line => update_pubkey_authfile("$(members)"),
      edit_defaults => authfile,
      perms => mog("640", "$(user)", "users"),
      create => "true",
      classes => if_repaired("SSHAuthorization_$(class_uid)");

  reports:
    report::
      "Updated authorization file $(homedir)/.ssh2/authorization"
        ifvarclass => canonify("SSHAuthorization_$(class_uid)");
}

bundle edit_line update_pubkey_authfile(keylist) {
  vars:
    "keys" slist => splitstring("$(keylist)",",","100");

  # delete all the lines from the file. this happens in memory.
  #delete_lines:
  #  ".*";

  # add all the keys that should be here into the authorization file.
  # this happens in memory; if the md5 of the in-memory edits is different
  # from the file on the disk it is updated.
  insert_lines:
    "Key $(keys)";
}

body edit_defaults authfile {
  empty_file_before_editing => "true";
}
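The failure mode in this post is a file that is rewritten with only part of the key list. The following is an added example, not code from the post or from CFEngine: a small Python audit that rebuilds the expected authorization file from the same member lists the bundle uses, reports which "Key <name>" lines are missing from the file actually on disk, and scans cf-agent verbose output for the "Inserting the promised line" / "XX Nothing promised here" pattern quoted above. It assumes the SSH.com-style file format (one "Key <name>" line per key) and the exact log phrasing shown in the post; the file content and log excerpt it runs on are constructed here to mirror the post.

```python
"""Audit an SSH.com-style authorization file against the key list a CFEngine
edit_line bundle was meant to insert, and flag a run that stopped part-way.
Added example, not from the original post or from CFEngine."""
import re

# Same member lists as the bundle in the post, joined the way "members" is.
LIST1 = "id_user1.pub,id_user2.pub,id_user3.pub,id_user4.pub,id_user5.pub"
LIST2 = ",".join(f"id_user{n}.pub" for n in range(20, 40))
MEMBERS = f"{LIST1},{LIST2}"

# Log phrasing taken from the verbose output quoted in the post.
INSERT_RE = re.compile(r'Inserting the promised line "Key (\S+)" into (\S+)')
STALL_RE = re.compile(r"XX Nothing promised here")


def split_keys(keylist: str, max_pieces: int = 100) -> list[str]:
    """Mimic splitstring("$(keylist)", ",", "100"): at most max_pieces pieces."""
    return [k for k in keylist.split(",", max_pieces - 1) if k]


def render_authfile(keys) -> str:
    """The file the bundle should produce: one 'Key <name>' line per key."""
    return "".join(f"Key {k}\n" for k in keys)


def keys_in_file(text: str) -> list[str]:
    """Key names found on 'Key ...' lines of an authorization file."""
    return [m.group(1) for m in re.finditer(r"^Key\s+(\S+)\s*$", text, re.M)]


def missing_keys(expected, text: str) -> list[str]:
    """Expected keys (in order) that the on-disk file does not contain."""
    present = set(keys_in_file(text))
    return [k for k in expected if k not in present]


def inserted_in_log(log: str) -> tuple[list[str], bool]:
    """Keys the verbose log reports as inserted, and whether the run stalled."""
    inserted = [m.group(1) for m in INSERT_RE.finditer(log)]
    return inserted, bool(STALL_RE.search(log))


def audit(expected, file_text: str, log_text: str) -> dict:
    """Combine the file check and the log check into one verdict."""
    missing = missing_keys(expected, file_text)
    inserted, stalled = inserted_in_log(log_text)
    return {
        "expected": len(expected),
        "missing": missing,
        "inserted": inserted,
        "stalled": stalled,
        # a partial rewrite: keys are absent AND the agent gave up mid-list
        "partial": bool(missing) and stalled,
    }


# Constructed sample: the file on disk stops after id_user26.pub, and the log
# excerpt mirrors the lines quoted in the post.
EXPECTED = split_keys(MEMBERS)
SAMPLE_AUTHFILE = render_authfile(EXPECTED[:12])
SAMPLE_LOG = """\
cf3> Promise made by: Key id_user23.pub
cf3>  -> Inserting the promised line "Key id_user23.pub" into /opt/amber/.ssh2/authorization after locator
cf3> Promise made by: Key id_user27.pub
cf3> XX Nothing promised here (4/5 minutes elapsed)
"""

if __name__ == "__main__":
    result = audit(EXPECTED, SAMPLE_AUTHFILE, SAMPLE_LOG)
    print(f"expected {result['expected']} keys, missing {len(result['missing'])}")
    print("partial rewrite detected" if result["partial"] else "file complete")
```

Run over a healthy file (render_authfile(EXPECTED) and a log without the "XX Nothing promised" line) the audit reports no missing keys and partial == False; run over the constructed sample it lists id_user27.pub through id_user39.pub as missing and flags the run, which is the condition worth alerting on between cf-execd runs rather than waiting for the next run to repair the file.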
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine