cf-agent floods logs with execv errors
57 views
Skip to first unread message
Xander Cage
Apr 16, 2024, 5:26:08 AMApr 16
to help-cfengine
Hi,
cf-agent complains about /usr/bin/getent not found. as this is an aix environment this
makes no sense. getent is a linux thing.
Apr 16 09:36:35 kug01132 user:err|error cf-agent[10617102]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:41:25 kug01132 user:err|error cf-agent[2556430]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:46:15 kug01132 user:err|error cf-agent[36569520]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:51:06 kug01132 user:err|error cf-agent[18416128]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:55:56 kug01132 user:err|error cf-agent[54067624]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:01:47 kug01132 user:err|error cf-agent[459462]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:06:37 kug01132 user:err|error cf-agent[20120026]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:11:27 kug01132 user:err|error cf-agent[58458376]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:16:17 kug01132 user:err|error cf-agent[58458558]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:21:07 kug01132 user:err|error cf-agent[17564104]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:25:57 kug01132 user:err|error cf-agent[43057456]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:31:48 kug01132 user:err|error cf-agent[23462412]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:36:37 kug01132 user:err|error cf-agent[4325842]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:41:28 kug01132 user:err|error cf-agent[52036014]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:46:18 kug01132 user:err|error cf-agent[18875116]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:51:09 kug01132 user:err|error cf-agent[43057622]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:55:58 kug01132 user:err|error cf-agent[46203222]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:41:25 kug01132 user:err|error cf-agent[2556430]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:46:15 kug01132 user:err|error cf-agent[36569520]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:51:06 kug01132 user:err|error cf-agent[18416128]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:55:56 kug01132 user:err|error cf-agent[54067624]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:01:47 kug01132 user:err|error cf-agent[459462]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:06:37 kug01132 user:err|error cf-agent[20120026]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:11:27 kug01132 user:err|error cf-agent[58458376]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:16:17 kug01132 user:err|error cf-agent[58458558]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:21:07 kug01132 user:err|error cf-agent[17564104]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:25:57 kug01132 user:err|error cf-agent[43057456]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:31:48 kug01132 user:err|error cf-agent[23462412]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:36:37 kug01132 user:err|error cf-agent[4325842]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:41:28 kug01132 user:err|error cf-agent[52036014]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:46:18 kug01132 user:err|error cf-agent[18875116]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:51:09 kug01132 user:err|error cf-agent[43057622]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:55:58 kug01132 user:err|error cf-agent[46203222]: CFEngine(agent) Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
needs to be fixed...
wbr
chris
Xander Cage
Apr 16, 2024, 6:12:48 AMApr 16
to help-cfengine
i was just informed the getent is not a linux specific thing but is part of posix . anyway, its not in aix so still a fix is necessary.
Xander Cage
Apr 16, 2024, 7:31:30 AMApr 16
to help-cfengine
a quick grep in the masterfiles showed two instances of a getent call...
root@nimvie: /var/cfengine/masterfiles # grep -r getent *
lib/paths.cf: "path[getent]" string => "/usr/bin/getent";
lib/vcs.cf: string => execresult("$(paths.getent) passwd $(repo_uid)", noshell),
lib/paths.cf: "path[getent]" string => "/usr/bin/getent";
lib/vcs.cf: string => execresult("$(paths.getent) passwd $(repo_uid)", noshell),
vcs.cf seemst to be the culprit...
Craig Comstock
Apr 16, 2024, 1:06:17 PMApr 16
to Xander Cage, help-cfengine
Thanks for the report Xander.
It does look like that bit of policy could use some refactoring to work on systems without getent.
Probably we could use the `getuserinfo()` policy function instead which includes the home_dir entry.
Let us know if you want to work on the fix.
I created a ticket:
-Craig
--
You received this message because you are subscribed to the Google Groups "help-cfengine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to help-cfengin...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/help-cfengine/ca18dddf-38ea-4027-9aec-9840369106dbn%40googlegroups.com.
 | Craig Comstock (he/him)
CFEngineer/Digger | CFEngine Kansas, USA |
   | Northern.tech | Securing the world's connected devices |
Message has been deleted
Nick Anderson
Apr 19, 2024, 10:04:03 AMApr 19
to Xander Cage, help-cfengine
Do you plan to open a pull request to refactor it to use getuserinfo()?
On Fri, Apr 19, 2024 at 8:48 AM Xander Cage <christia...@itsv.at> wrote:
getuserinfo function works in aix...root@aixtest01: /root/cfe_testbed # /var/cfengine/bin/cf-agent -KI -f ./getuserinfo.cf
R: I am '', root shell is '/usr/bin/ksh', and the agent was started by {"description":"","gid":0,"home_dir":"/root","shell":"/usr/bin/ksh","uid":0,"username":"root"}
To view this discussion on the web visit https://groups.google.com/d/msgid/help-cfengine/55df1c75-5450-4723-b6b4-998dd55828afn%40googlegroups.com.
Nick Anderson
Apr 19, 2024, 10:25:56 AMApr 19
to Xander Cage, help-cfengine
I think this will do it:
```
modified lib/vcs.cf
@@ -290,14 +290,10 @@ bundle agent git(repo_path, subcmd, args)
comment => "So that we don't mess up permissions, we will just execute
all commands as the current group of .git";
- # We get the passwd entry from the user that owns the repo so
- # that we can extract the home directory for later use.
- "repo_uid_passwd_ent"
- string => execresult("$(paths.getent) passwd $(repo_uid)", noshell),
- comment => "We need to extract the home directory of the repo
- owner so that it can be used to avoid errors from
- unprivledged execution trying to access the root
- users git config.";
+ # Data container with user info
+ # {"description":"Luke Skywalker","gid":1000,"home_dir":"/home/luke","shell":"/bin/bash","uid":1000,"username":"luke"}
+ "repo_userinfo"
+ data => getuserinfo( "$(repo_uid)" );
classes:
"am_root" expression => strcmp($(this.promiser_uid), "0");
@@ -311,24 +307,14 @@ bundle agent git(repo_path, subcmd, args)
not => strcmp($(this.promiser_uid), $(repo_uid)),
if => isvariable( repo_uid );
- am_root.need_to_drop::
- # This regular expression could be tightened up
- # Extract the home directory from the owner of the repository
- # into $(repo_uid_passwd[1])
- "extracted_repo_uid_home"
- expression => regextract( ".*:.*:\d+:\d+:.*:(.*):.*",
- $(repo_uid_passwd_ent),
- "repo_uid_passwd" ),
- if => isvariable("repo_uid_passwd_ent");
-
- commands:
+ commands:
am_root.need_to_drop::
# Because cfengine does not inherit the shell environment when
# executing commands, git will look for the root users git
# config and error when the executing user does not have
# access. So we need to set the home directory of the executing
# user.
- "$(paths.env) HOME=$(repo_uid_passwd[1]) $(oneliner)"
+ "$(paths.env) HOME=$(repo_userinfo[home_dir]) $(oneliner)"
args => "$(subcmd) $(args)",
classes => kept_successful_command,
contain => setuidgid_dir( $(repo_uid), $(repo_gid), $(repo_path) );
@@ -341,8 +327,8 @@ bundle agent git(repo_path, subcmd, args)
reports:
"DEBUG|DEBUG_$(this.bundle).am_root.need_to_drop"::
- "DEBUG $(this.bundle): with dropped privileges to uid '$(repo_uid)' and gid '$(repo_gid)', in directory '$(repo_path)', running Git command '$(paths.env) HOME=\"$(repo_uid_passwd[1])\" $(oneliner) $(subcmd) $(args)'"
- if => isvariable("repo_uid_passwd[1]");
+ "DEBUG $(this.bundle): with dropped privileges to uid '$(repo_uid)' and gid '$(repo_gid)', in directory '$(repo_path)', running Git command '$(paths.env) HOME=\"$(repo_userinfo[home_dir])\" $(oneliner) $(subcmd) $(args)'"
+ if => isvariable("repo_userinfo[home_dir]");
@@ -290,14 +290,10 @@ bundle agent git(repo_path, subcmd, args)
comment => "So that we don't mess up permissions, we will just execute
all commands as the current group of .git";
- # We get the passwd entry from the user that owns the repo so
- # that we can extract the home directory for later use.
- "repo_uid_passwd_ent"
- string => execresult("$(paths.getent) passwd $(repo_uid)", noshell),
- comment => "We need to extract the home directory of the repo
- owner so that it can be used to avoid errors from
- unprivledged execution trying to access the root
- users git config.";
+ # Data container with user info
+ # {"description":"Luke Skywalker","gid":1000,"home_dir":"/home/luke","shell":"/bin/bash","uid":1000,"username":"luke"}
+ "repo_userinfo"
+ data => getuserinfo( "$(repo_uid)" );
classes:
"am_root" expression => strcmp($(this.promiser_uid), "0");
@@ -311,24 +307,14 @@ bundle agent git(repo_path, subcmd, args)
not => strcmp($(this.promiser_uid), $(repo_uid)),
if => isvariable( repo_uid );
- am_root.need_to_drop::
- # This regular expression could be tightened up
- # Extract the home directory from the owner of the repository
- # into $(repo_uid_passwd[1])
- "extracted_repo_uid_home"
- expression => regextract( ".*:.*:\d+:\d+:.*:(.*):.*",
- $(repo_uid_passwd_ent),
- "repo_uid_passwd" ),
- if => isvariable("repo_uid_passwd_ent");
-
- commands:
+ commands:
am_root.need_to_drop::
# Because cfengine does not inherit the shell environment when
# executing commands, git will look for the root users git
# config and error when the executing user does not have
# access. So we need to set the home directory of the executing
# user.
- "$(paths.env) HOME=$(repo_uid_passwd[1]) $(oneliner)"
+ "$(paths.env) HOME=$(repo_userinfo[home_dir]) $(oneliner)"
args => "$(subcmd) $(args)",
classes => kept_successful_command,
contain => setuidgid_dir( $(repo_uid), $(repo_gid), $(repo_path) );
@@ -341,8 +327,8 @@ bundle agent git(repo_path, subcmd, args)
reports:
"DEBUG|DEBUG_$(this.bundle).am_root.need_to_drop"::
- "DEBUG $(this.bundle): with dropped privileges to uid '$(repo_uid)' and gid '$(repo_gid)', in directory '$(repo_path)', running Git command '$(paths.env) HOME=\"$(repo_uid_passwd[1])\" $(oneliner) $(subcmd) $(args)'"
- if => isvariable("repo_uid_passwd[1]");
+ "DEBUG $(this.bundle): with dropped privileges to uid '$(repo_uid)' and gid '$(repo_gid)', in directory '$(repo_path)', running Git command '$(paths.env) HOME=\"$(repo_userinfo[home_dir])\" $(oneliner) $(subcmd) $(args)'"
+ if => isvariable("repo_userinfo[home_dir]");
```
Care to test that out and open a pull request?
Message has been deleted
Message has been deleted
Message has been deleted
Message has been deleted
Nick Anderson
Apr 22, 2024, 10:31:16 AMApr 22
to help-cfengine
Xander,
I don't know why your messages are constantly held for moderation. I permanently approved them, but for whatever reason they show up as "deleted". Can you try to respond again?
Xander Cage
Apr 25, 2024, 10:11:34 AMApr 25
to help-cfengine
knock, knock...
Nick Anderson
Apr 25, 2024, 11:24:30 AMApr 25
to Xander Cage, help-cfengine
Hey it finally landed.
You received this message because you are subscribed to a topic in the Google Groups "help-cfengine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/help-cfengine/tkSCOPYIxBk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to help-cfengin...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/help-cfengine/d966f88a-6b85-4bf3-a188-fe82392cfb8dn%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages