CFengine 3.17.0 and custom promise type


Bas van der Vlies
Dec 6, 2020, 11:40:21 AM
to help-cfengine
We are trying the custom promise type implementation. A colleague of mine (Dennis Staam) has written a custom promise type:
* certificate
* I forked it and adjusted some small things: https://github.com/basvandervlies/cfengine-custom-promises

It is just a check whether the certificate expires within "x" days. We use the cfengine library module from core.

When we run the code we get a segmentation fault:
```
17:34 r16n18.mona.surfsara.nl:~/bas/cfengine-custom-promises (main)
root# cf-agent -KI -f ./promise_test.cf
Traceback (most recent call last):
File "/var/cfengine/promises/certificate.py", line 62, in <module>
CertificatePromiseTypeModule().start()
File "/var/cfengine/promises/cfengine.py", line 83, in start
self._handle_request(request)
File "/var/cfengine/promises/cfengine.py", line 105, in _handle_request
self._handle_validate(promiser, attributes)
File "/var/cfengine/promises/cfengine.py", line 124, in _handle_validate
self.validate_promise(promiser, attributes)
File "/var/cfengine/promises/certificate.py", line 34, in validate_promise
raise ValidationError(f"Certificate path '{promiser}' must be absolute")
cfengine.ValidationError: Certificate path 'etc/certificate/certificate.pem' must be absolute
Segmentation fault
```

When we remove the error line, I get the message that the file does exist 3 times. Is this correct? I assumed we would only get
1 message. The same happens when the certificate expires in x days: we also get this message 3 times.




--
Bas van der Vlies
| Operations, Support & Development | SURFsara | Science Park 140 | 1098 XG Amsterdam
| T +31 (0) 20 800 1300 | bas.van...@surf.nl | www.surf.nl |




Marco Marongiu
Dec 6, 2020, 2:42:25 PM
to Bas van der Vlies, help-cfengine
Hi Bas

The line before segmentation fault hints that there is a missing / before etc, is that right?

As for the three messages, I guess it's because the promise fails and CFEngine tries it in all three passes. Does it make sense?

Ciao!
-- bronto



Bas van der Vlies
Dec 6, 2020, 4:06:38 PM
to Marco Marongiu, help-cfengine


> On 6 Dec 2020, at 20:42, Marco Marongiu <bront...@gmail.com> wrote:
>
> Hi Bas
>
> The line before segmentation fault hints that there is a missing / before etc, is that right?
>
Yes, that is the error message that I print in the promise validation phase. See the custom promise:
* https://github.com/basvandervlies/cfengine-custom-promises/blob/b62a57f707e2196a8ac83240a1fe66191bb9f8d5/modules/certificate.py#L34

But I did not expect that cf-agent would crash; I expected that it printed the message and then exited.


> As for the three messages, I guess it's because the promise fails and CFEngine tries it in all three passes. Does it make sense?
>
That makes sense, but with other promise types we also only get one error message and not three times the same message, e.g.:
```
bundle agent main
{
  commands:
    "cat /etc/group";
}
```

result:
```
error: Proposed executable file 'cat' doesn't exist
error: 'cat /etc/group' promises to be executable but isn’t
```

Ole Elgesem
Dec 10, 2020, 11:50:46 AM
to Bas van der Vlies, bas.van...@surfsara.nl, Marco Marongiu, help-cfengine
@bas.van...@surfsara.nl I did not test your module yet, but from looking at the output it looks familiar.

What happens is essentially:
1. The module hits some exception, causing it to not output correct protocol data
2. The agent tries parsing output from the module, but it's either empty, or contains some exception output or something similar
3. The agent prints some errors and crashes.

Sorry about that, we have fixed quite a few things since 3.17.0 already:


Can you try running with the latest master, both for the python library and the cf-agent binary? It would eliminate a lot of these error handling issues.

-Ole

Ole Elgesem
Dec 10, 2020, 12:40:16 PM
to Bas van der Vlies, bas.van...@surfsara.nl, help-cfengine
Just reposting what I wrote in IRC chat:

I posted a PR to make your module use the latest version of the python library:


I tested it, using a cf-agent compiled from the latest master, and it works well for me now.

To generate a cert, I used the command from this article:


FYI, the changes we made to cf-agent after 3.17 were only related to logging and error handling, so 3.17 should work as well, without crashing, as long as the module sends correct data.

-Ole Herman

Bas van der Vlies
Dec 11, 2020, 10:14:42 AM
to Ole Elgesem, Bas van der Vlies, help-cfengine
Thanks Ole,

It works as expected, and I also tested it with the class option ;-). Are the 3 messages that are printed still on the todo list?

Regards




Ole Elgesem
Dec 15, 2020, 1:39:05 PM
to Bas van der Vlies, Bas van der Vlies, help-cfengine
I assume you mean that error messages are printed 3 times when a promise is not kept. Yes, it's something I'd like to address, but I'm not sure what's the best way. It happens because the agent actually evaluates the promise 3 times. The promise is not kept, and retried in subsequent evaluation passes. AFAIK that is similar to how it works for built-in promises. There are at least 2 ways to address it: Deduplicate log messages (don't print errors already printed), or don't retry not kept custom promises with the same attributes.

I'll have to think about it some more to make up my mind. I created this ticket to track the issue:


-Ole

Marco Marongiu
Dec 15, 2020, 2:04:45 PM
to Ole Elgesem, Bas van der Vlies, Bas van der Vlies, help-cfengine
My 2 cents here: if the standard behaviour of CFEngine is to retry not-kept promises up to three times (and it is), that behaviour must be preserved with custom promises for consistency. That leaves only one solution, that is: deduplicate error messages. That would also be consistent with what other software does, e.g. in syslog when a message is repeated identical N times in a row, syslog will print it once and then say "last message repeated N times".

Ciao
-- bronto
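The two options on the table are deduplicating log messages or not retrying the promise. The added example below (not CFEngine code; hypothetical names dedup_consecutive, dedup_seen, SAMPLE_LOG) contrasts the two dedup flavours Marco and Ole mention over a constructed log: the syslog style collapses only runs of identical adjacent lines, while a "do not print what was already printed" filter also catches a repeat that lands after other output, as can happen when messages from other promises fall between the agent's evaluation passes.

```python
"""Added example: two ways to deduplicate repeated log lines. Not CFEngine code;
the log lines below are constructed for the demonstration."""

# Constructed log: the same not-kept error surfacing in each of three passes,
# with an unrelated line between the second and third occurrence.
SAMPLE_LOG = [
    "error: certificate expires in 26 days (threshold 30)",
    "error: certificate expires in 26 days (threshold 30)",
    "info: something else happened",
    "error: certificate expires in 26 days (threshold 30)",
]


def dedup_consecutive(lines):
    """syslog style: collapse runs of identical adjacent lines into the line
    plus a 'last message repeated N times' note."""
    out, prev, repeats = [], None, 0
    for line in lines:
        if line == prev:
            repeats += 1
            continue
        if repeats:
            out.append(f"last message repeated {repeats} times")
        out.append(line)
        prev, repeats = line, 0
    if repeats:
        out.append(f"last message repeated {repeats} times")
    return out


def dedup_seen(lines):
    """Suppress any line already printed in this run, adjacent or not."""
    seen, out = set(), []
    for line in lines:
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(dedup_consecutive(SAMPLE_LOG)))
    print("---")
    print("\n".join(dedup_seen(SAMPLE_LOG)))
```

On SAMPLE_LOG the syslog-style filter still prints the error twice (once with a repeat count, once after the interleaved line), whereas the seen-set filter prints it once; the trade-off is that the second approach hides a genuinely recurring condition unless the count is tracked separately.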


Ole Herman S. Elgesem
Dec 15, 2020, 6:58:37 PM
to Marco Marongiu, help-cfengine
> that behaviour must be preserved with custom promises for consistency

I don’t agree with this. Custom Promise Types are a new feature, so we can place some additional restrictions on them, without breaking backwards compatibility.

Of course consistency is good, but if breaking consistency means improving the experience for policy writers, module developers or new CFEngine users, it might be worth it. Another point is that it makes sense to impose a lot of restrictions in the beginning when introducing a new feature, and then gradually open it up (because you cannot really go the other way without breaking backwards compatibility).

Again, I’m on the fence here on what is better. I will think about it some more and talk to the other team members.

-Ole