"Method 'methodname' failed in some repairs" for package verify bundle when package is not installed

[Ivan Kurnosov]

In the process of migrating from 3.5.x to 3.6.x I noticed that if a bundle invokes another bundle (using methods promise) which contains:

packages:

    "apache2"

        package_policy => "verify",

        package_method => apt_get_permissive;

then cf-agent outputs an error to stderr and puts the same message to outputs (OUTER and INNER are names of outer and inner bundles correspondingly):

2014-12-15T17:22:51+1300    error: /default/OUTER/methods/'INNER'[0]: Method 'INNER' failed in some repairs

This is what I see in a verbose log:

2014-12-15T17:22:51+1300  verbose: /default/OUTER/methods/'INNER'/default/INNER: Promises not kept in 'INNER' = 1
....
2014-12-15T17:22:51+1300  verbose: /default/OUTER: Promises not kept in 'OUTER' = 2

I find it barely expected. Could  anyone please tell if it's an expected behaviour or a bug.

If the former - how would one use "verify" for not installed packages?

[Neil Watson]

Have you confirmed via the shell that verify works? RPM verify md5sums
all files from the RPM, including the config files, so service rpms
rarely verify because people change the configs.

--
Neil H Watson
Sr. Partner, Architecture and Infrastructure
CFEngine reporting: https://github.com/evolvethinking/delta_reporting
CFEngine policy: https://github.com/evolvethinking/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3
CFEngine support: http://evolvethinking.com

[Ivan Kurnosov]

I'm not sure what I need to check - apt-get by itself works as expected so does cfengine 3.5.x

1. It's apt-get

2. The package is not installed. Verification fails for any not installed package

3. The verification fails only if a promise invoked from another promise

--
You received this message because you are subscribed to a topic in the Google Groups "help-cfengine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/help-cfengine/hZSTkfC7j0M/unsubscribe.
To unsubscribe from this group and all its topics, send an email to help-cfengine+unsubscribe@googlegroups.com.
To post to this group, send email to help-c...@googlegroups.com.
Visit this group at http://groups.google.com/group/help-cfengine.
For more options, visit https://groups.google.com/d/optout.

--

With best regards, Ivan Kurnosov

[Ivan Kurnosov]

So here is the complete example:

outer.cf:

body common control
{
    inputs => { "$(sys.local_libdir)/stdlib.cf", "inner.cf" };
    bundlesequence => { "outer" };
}
bundle agent outer
{
methods:
    "inner" usebundle => inner;
#packages:
#    "postgresql"
#        package_policy => "verify",
#        package_method => apt_get_permissive;
reports:
    "outer";
}

inner.cf

bundle agent inner
{
packages:
    "postgresql"

        package_policy => "verify",
        package_method => apt_get_permissive;
}

Running with verify check uncommented in `outer:

$ cf-agent -KIf ./outer.cf
2014-12-16T09:05:04+1300     info: /default/outer/packages/'postgresql'[0]: Package 'postgresql' cannot be verified -- no match
R: outer

Running with nested verify check:

cf-agent -KIf ./outer.cf
2014-12-16T09:05:44+1300     info: /default/outer/methods/'inner'/default/inner/packages/'postgresql'[0]: Package 'postgresql' cannot be verified -- no match
2014-12-16T09:05:44+1300    error: /default/outer/methods/'inner'[0]: Method 'inner' failed in some repairs
R: outer

 apt-get is fine:

apt-cache policy postgresql
postgresql:
  Installed: (none)
  Candidate: 9.1+129ubuntu1
  Version table:
     9.1+129ubuntu1 0
        500 http://nz.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
     9.1+129 0
        500 http://nz.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

Version installed: cfengine-community-3.6.3-1, official debian package, x64.

For me this behaviour looks wrong, since now one cannot check if a package was installed or not

[Ivan Kurnosov]

So guys, no one uses `verify` at all? :-S

--
You received this message because you are subscribed to a topic in the Google Groups "help-cfengine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/help-cfengine/hZSTkfC7j0M/unsubscribe.

To unsubscribe from this group and all its topics, send an email to help-cfengin...@googlegroups.com.

To post to this group, send email to help-c...@googlegroups.com.
Visit this group at http://groups.google.com/group/help-cfengine.
For more options, visit https://groups.google.com/d/optout.

[Neil Watson]

On Fri, Dec 19, 2014 at 03:26:11PM +1300, Ivan Kurnosov wrote:
> So guys, no one uses `verify` at all? :-S

Once, but it's not practical. In your example, postgres is verified, but
I'd very likely alter its configuration which would cause the verify to
fail.

It's more common for me to promise that the package is installed and the
service is configured and running.

[Ivan Kurnosov]

Neil,

not only that - now every not kept promise causes that error (details here: https://dev.cfengine.com/issues/6885 )

Plus I find it very practical:

say a vulnerability was found in some library and you want to upgrade it everywhere. You did not and do not to install a library explicitly, you just want to upgrade it everywhere it was installed as a dependency (and you don't know where it was)

--
You received this message because you are subscribed to a topic in the Google Groups "help-cfengine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/help-cfengine/hZSTkfC7j0M/unsubscribe.

To unsubscribe from this group and all its topics, send an email to help-cfengine+unsubscribe@googlegroups.com.

To post to this group, send email to help-c...@googlegroups.com.
Visit this group at http://groups.google.com/group/help-cfengine.
For more options, visit https://groups.google.com/d/optout.

[Neil Watson]

On Sat, Dec 20, 2014 at 08:50:15AM +1300, Ivan Kurnosov wrote:
> not only that - now every not kept promise causes that error (details

> here: [1]https://dev.cfengine.com/issues/6885 )

> Plus I find it very practical:
> say a vulnerability was found in some library and you want to upgrade it
> everywhere. You did not and do not to install a library explicitly, you
> just want to upgrade it everywhere it was installed as a dependency (and
> you don't know where it was)

CFEngine is no substitute for a central package manager like Spacewalk
or Landscape. The ability to easily audit hosts and schedule upgrades
out classes CFEngine at this time. But, CFEngine can help you configure
all your hosts to work with said package manager.

[Ivan Kurnosov]

Well, it's not anymore. It was capable of in <= v3.5.x.

And it was just one example. Another example:

you want to configure collectd to gather some metrics which depend on a set of packages installed on machines (this is a real use case). And those packages are not installed directly but by dependencies, so you practically don't know where they are. So what I've been doing for years up to v3.5.x - I've checked if a package is installed then applied the corresponding collectd config. I cannot do like that with 3.6.x

What I also cannot understand is inconsistency: why nested not kept promise triggers a fault, while the top-level one does not.

--
You received this message because you are subscribed to a topic in the Google Groups "help-cfengine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/help-cfengine/hZSTkfC7j0M/unsubscribe.
To unsubscribe from this group and all its topics, send an email to help-cfengine+unsubscribe@googlegroups.com.
To post to this group, send email to help-c...@googlegroups.com.
Visit this group at http://groups.google.com/group/help-cfengine.
For more options, visit https://groups.google.com/d/optout.