Can't stat file


Kevin Armstrong

Oct 4, 2015, 3:20:17 PM
to help-c...@googlegroups.com

Hello,

When I execute my policy setupsudo.cf, I receive these two lines that I cannot resolve: 
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Server returned error: Unspecified server refusal (see verbose server output)
2015-10-04T10:56:33-0700     info: /default/sudoers/files/'/tmp/sudoers'[0]: Can't stat file '/tmp/mydir/myfile' on '192.168.1.228' in files.copy_from promise

I've provided an output of the command and its verbose output below. And just below that, I've provided the policy file I'm executing. I've tried googling the problem but didn't locate anything relevant to my issue. Thanks


[root@cfe-m promises] #  cf-agent -f ./setupsudo.cf
2015-10-04T10:56:33-0700  verbose: body agent control, verbose => 'true', sets new log level to 'verbose'
2015-10-04T10:56:33-0700  verbose: Using bundlesequence =>  {'sudoers'}
2015-10-04T10:56:33-0700  verbose: /default/sudoers: Evaluating bundle pass 1
2015-10-04T10:56:33-0700  verbose: /default/sudoers/vars: Evaluating promise 'master_location'
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files: Evaluating promise '/tmp/sudoers'
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Comment 'Make sure the sudo configuration is secure and up to date'
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: File '/tmp/sudoers' copy_from '/tmp/mydir/myfile'
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: GetIdleConnectionToServer: no existing connection to '192.168.1.228' is established.
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Connecting to host 192.168.1.228 (address 192.168.1.228), port 5308
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Waiting to connect...
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Setting socket timeout to 30 seconds.
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Connected to host 192.168.1.228 address 192.168.1.228 port 5308
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: .....................[.h.a.i.l.].................................
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Strong authentication of server '192.168.1.228' connection confirmed
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Public key identity of host '192.168.1.228' is: MD5=5db9c555aaba613fa6092953e49d3e09
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Server returned error: Unspecified server refusal (see verbose server output)
2015-10-04T10:56:33-0700     info: /default/sudoers/files/'/tmp/sudoers'[0]: Can't stat file '/tmp/mydir/myfile' on '192.168.1.228' in files.copy_from promise
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files: Connection to 192.168.1.228 is closed
2015-10-04T10:56:33-0700  verbose: /default/sudoers: Evaluating bundle pass 2
2015-10-04T10:56:33-0700  verbose: /default/sudoers/vars: Evaluating promise 'master_location'
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files: Evaluating promise '/tmp/sudoers'
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Comment 'Make sure the sudo configuration is secure and up to date'
2015-10-04T10:56:33-0700  verbose: /default/sudoers: Evaluating bundle pass 3
2015-10-04T10:56:33-0700  verbose: /default/sudoers/vars: Evaluating promise 'master_location'
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files: Evaluating promise '/tmp/sudoers'
2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Comment 'Make sure the sudo configuration is secure and up to date'
2015-10-04T10:56:33-0700  verbose: /default/sudoers: Bundle Accounting Summary for 'sudoers'
2015-10-04T10:56:33-0700  verbose: /default/sudoers: Promises kept in 'sudoers' = 0
2015-10-04T10:56:33-0700  verbose: /default/sudoers: Promises not kept in 'sudoers' = 1
2015-10-04T10:56:33-0700  verbose: /default/sudoers: Promises repaired in 'sudoers' = 0
2015-10-04T10:56:33-0700  verbose: /default/sudoers: Aggregate compliance (promises kept/repaired) for bundle 'sudoers' = 0.0%
2015-10-04T10:56:33-0700  verbose: No lock purging scheduled
2015-10-04T10:56:33-0700  verbose: Logging total compliance, total 'Outcome of version (not specified) (agent-0): Promises observed to be kept 85.71%, Promises repaired 0.00%, Promises not repaired 14.29%'








body common control
{
bundlesequence => { "sudoers" };
inputs => { "$(sys.libdir)/stdlib.cf" };
}

body agent control
{
   verbose => "true";
}


bundle agent sudoers
{

# Define the master location of the sudoers file
vars:

  "master_location" string => "/tmp/mydir";


# Copy the master sudoers file to /tmp/sudoers
files:

  "/tmp/sudoers"  # change to /etc/sudoers to use in production

     comment => "Make sure the sudo configuration is secure and up to date",
       perms => mog("440","root","root"),
   copy_from => secure_cp("$(master_location)/myfile","$(sys.policy_hub)");
}







Aleksey Tsalolikhin

Oct 4, 2015, 4:33:47 PM
to Kevin Armstrong, help-cfengine
Hi, Kevin.  Sounds like the remote cf-serverd refused access.  Do you have access to the remote server?  If so, how about killing the cf-serverd process (note: if this is a busy cf-serverd, you may want to find a time when it has the least load, as terminating cf-serverd may corrupt policy transfers that are in progress -- cf-serverd does not yet gracefully drain all connections while shutting down) so that you can restart it with: /var/cfengine/bin/cf-serverd -Fv   (-F means stay in the foreground / do not daemonize, and -v is verbose)

For security reasons, cf-serverd will not say over the network WHY it refused to serve the file (possible reasons are: it does not trust the remote server, or the directory has not been shared with an "access" promise) but if you run it in verbose mode, you will see why.

Yours,
Aleksey
 




--
Aleksey Tsalolikhin
CFEngine Training & Consulting
Vertical Sysadmin, Inc.

Natxo Asenjo

Oct 6, 2015, 12:13:06 PM
to help-cfengine

Hi Kevin,

On Sun, Oct 4, 2015 at 9:20 PM, Kevin Armstrong <kevinra...@gmail.com> wrote:

> Hello,
>
> When I execute my policy setupsudo.cf, I receive these two lines that I cannot resolve:
> 2015-10-04T10:56:33-0700  verbose: /default/sudoers/files/'/tmp/sudoers'[0]: Server returned error: Unspecified server refusal (see verbose server output)
> 2015-10-04T10:56:33-0700     info: /default/sudoers/files/'/tmp/sudoers'[0]: Can't stat file '/tmp/mydir/myfile' on '192.168.1.228' in files.copy_from promise
> vars:


Yesterday I had a similar problem. I wanted to remote copy files from the policy hub in the folder /repo/; the default configuration of cf-serverd does not include this directory, so it is blocked.

I changed this:

   added local /repo dir acl

diff --git a/controls/3.7/cf_serverd.cf b/controls/3.7/cf_serverd.cf
index 47442a8..37b099d 100644
--- a/controls/3.7/cf_serverd.cf
+++ b/controls/3.7/cf_serverd.cf
@@ -62,6 +62,10 @@ bundle server access_rules()
   access:
 
     any::
+     "/repo"
+      handle => "local files",
+      comment => "Grant access to the local files /repo ",
+      admit => { @(def.acl) };
 
       "$(def.dir_masterfiles)"
       handle => "server_access_grant_access_policy",
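
Review bot: `admit => { @(def.acl) }` on the added "/repo" promise opens the whole directory to every host in def.acl. If /repo holds files that only some clients should read, name those hosts explicitly in admit, or promise the specific subdirectories or files instead of the top-level path.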

and now I can serve files from /repo. Maybe this helps.

--
regards,
natxo

--
Regards,
natxo

Nick Anderson

Oct 6, 2015, 1:47:12 PM
to Natxo Asenjo, help-cfengine
On 10/06/2015 11:13 AM, Natxo Asenjo wrote:
> I changed this:
>
> added local /repo dir acl
>
> diff --git a/controls/3.7/cf_serverd.cf <http://cf_serverd.cf>
> b/controls/3.7/cf_serverd.cf <http://cf_serverd.cf>
> index 47442a8..37b099d 100644
> --- a/controls/3.7/cf_serverd.cf <http://cf_serverd.cf>
> +++ b/controls/3.7/cf_serverd.cf <http://cf_serverd.cf>
> @@ -62,6 +62,10 @@ bundle server access_rules()
> access:
>
> any::
> + "/repo"
> + handle => "local files",
> + comment => "Grant access to the local files /repo ",
> + admit => { @(def.acl) };
>
> "$(def.dir_masterfiles)"
> handle => "server_access_grant_access_policy",
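
Review bot: the handle on the added promise, "local files", contains a space and does not follow the naming of the neighbouring handle `server_access_grant_access_policy`. A name in the same style, for example server_access_grant_access_repo, keeps the handles consistent and easier to search for in logs; the comment string also carries a trailing space before its closing quote.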
>
> and now I can serve files from /repo. Maybe this helps.

Please note you do not HAVE to modify that policy in order to introduce
a new access rule. Access type promises are valid in any server bundle.

So instead of modifying controls/VER/cf_serverd.cf you can simply
introduce your own.

for example:

bundle server my_custom_acces_rules
{
  access:

    any::
      "/repo"
        handle => "local files",
        comment => "Grant access to the local files /repo ",
        admit => { @(def.acl) };
}

Then as long as whatever file you decide to place that file in gets
added to inputs, it will be picked up by serverd.
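
Applied to the original question, the same approach looks like the policy below. This is an added example, not policy posted in the thread: the bundle name and handle are hypothetical, `/tmp/mydir/myfile` is the source path from Kevin's policy, and `def.acl` is assumed to be defined as in the masterfiles policy quoted above.

```cfengine
# Added example (not from the thread). Place it in a file that is listed in
# inputs on the policy hub, so that cf-serverd loads the bundle.
bundle server sudoers_source_access   # hypothetical bundle name
{
  access:

    any::

      # Share only the one file the clients copy, not all of /tmp/mydir.
      "/tmp/mydir/myfile"
        handle      => "server_access_grant_sudoers_source",  # hypothetical handle
        comment     => "Let managed hosts fetch the master sudoers file",
        # def.acl is assumed to hold the hosts or networks allowed to copy
        # from this hub; replace it with an explicit list to narrow access.
        admit       => { @(def.acl) },
        # The client copies with secure_cp, which sets encrypt => "true";
        # serve the file only when the connection is encrypted.
        ifencrypted => "true";
}
```

cf-serverd has to be restarted before the new rule applies; running it with -Fv as suggested earlier in the thread shows whether the request for the file is now admitted.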

Neil Watson

Oct 6, 2015, 4:34:56 PM
to help-cfengine
In addition to Nick's suggestion, EFL also has a server bundle that
reads a user defined json file.

https://github.com/evolvethinking/evolve_cfengine_freelib/blob/master/HOWTO.md#cf-serverd-acls

--
Neil H Watson
Sr. Partner, Architecture and Infrastructure
CFEngine reporting: https://github.com/evolvethinking/delta_reporting
CFEngine policy: https://github.com/evolvethinking/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3
CFEngine support: http://evolvethinking.com

Aleksey Tsalolikhin

Oct 8, 2015, 12:12:15 AM
to Kevin Armstrong, help-cfengine
You are welcome, Kevin!  Well done!

On Wed, Oct 7, 2015 at 2:49 PM, Kevin Armstrong <kevinra...@gmail.com> wrote:
> Thank you for the reply, Aleksey. Running cf-serverd in verbose mode provided me with details as to why I was receiving the error. Nick's answer and bundle snippet resolved my issue as well. Thanks guys!