Skip to content

make ocf-create.conf readable only by root #1217

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

make ocf-create.conf readable only by root #1217

wants to merge 1 commit into from

Conversation

nikhiljha
Copy link
Member

No description provided.

@ocfjenkins
Copy link

ocfjenkins bot commented Dec 10, 2021

Errored hosts (1)

Changed hosts (1)

Unaffected hosts (76)

Errored hosts
error for tornado.ocf.berkeley.edu 
W, [2021-12-09T16:06:45.354177 #22345]  WARN -- : Puppet command failed: STDOUT:
STDERR:
  Warning: The function 'hiera_include' is deprecated in favor of using 'lookup'. See https://puppet.com/docs/puppet/7.3/deprecated_language.html
     (file & line not available)
  Warning: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/hieradata/os/bullseye.yaml: file does not contain a valid yaml hash
  Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
  Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
  Error: Could not call 'find' on 'catalog': Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
  Error: Could not call 'find' on 'catalog': Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
  Error: Try 'puppet help catalog compile' for usage
W, [2021-12-09T16:06:45.354649 #22345]  WARN -- : Failed build_catalog for origin/master validation: OctocatalogDiff::Errors::CatalogError Catalog failed: Warning: The function 'hiera_include' is deprecated in favor of using 'lookup'. See https://puppet.com/docs/puppet/7.3/deprecated_language.html
   (file & line not available)
Warning: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/hieradata/os/bullseye.yaml: file does not contain a valid yaml hash
Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
Error: Could not call 'find' on 'catalog': Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
Error: Could not call 'find' on 'catalog': Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
Error: Try 'puppet help catalog compile' for usage

#<Thread:0x0000564ce6bdd358@/usr/lib/ruby/2.5.0/open3.rb:264 run> terminated with exception (report_on_exception is true):
/usr/lib/ruby/2.5.0/open3.rb:264:in `read': stream closed in another thread (IOError)
	from /usr/lib/ruby/2.5.0/open3.rb:264:in `block (2 levels) in capture3'
#<Thread:0x0000564ce6bdd218@/usr/lib/ruby/2.5.0/open3.rb:265 run> terminated with exception (report_on_exception is true):
/usr/lib/ruby/2.5.0/open3.rb:265:in `read': stream closed in another thread (IOError)
	from /usr/lib/ruby/2.5.0/open3.rb:265:in `block (2 levels) in capture3'
/usr/lib/ruby/vendor_ruby/octocatalog-diff/util/catalogs.rb:259:in `catalog_validator': Catalog failed: Warning: The function 'hiera_include' is deprecated in favor of using 'lookup'. See https://puppet.com/docs/puppet/7.3/deprecated_language.html (OctocatalogDiff::Errors::CatalogError)
   (file & line not available)
Warning: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/hieradata/os/bullseye.yaml: file does not contain a valid yaml hash
Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
Error: Could not call 'find' on 'catalog': Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
Error: Could not call 'find' on 'catalog': Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/X11/xorg.conf] is already declared at (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_desktop/manifests/drivers.pp, line: 13); cannot redeclare (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44) (file: /tmp/ocd-ipc-20211209-22200-1xabcdw/ocd-builddir-20211209-22345-go914b/environments/production/modules/ocf_tv/manifests/init.pp, line: 44, column: 3) on node tornado.ocf.berkeley.edu
Error: Try 'puppet help catalog compile' for usage
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/parallel.rb:39:in `call'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/parallel.rb:39:in `validate'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/parallel.rb:202:in `execute_task'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/parallel.rb:119:in `block (2 levels) in run_tasks_parallel'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/parallel.rb:117:in `fork'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/parallel.rb:117:in `block in run_tasks_parallel'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/parallel.rb:114:in `each'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/parallel.rb:114:in `each_with_index'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/parallel.rb:114:in `run_tasks_parallel'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/parallel.rb:94:in `run_tasks'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/catalogs.rb:92:in `build_catalog_parallelizer'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/util/catalogs.rb:29:in `catalogs'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/api/v1/catalog-diff.rb:34:in `catalog_diff'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/api/v1.rb:19:in `catalog_diff'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/cli.rb:151:in `run_octocatalog_diff'
	from /usr/lib/ruby/vendor_ruby/octocatalog-diff/cli.rb:125:in `cli'
	from /usr/bin/octocatalog-diff:34:in `<main>'
Changed hosts
diff for supernova.ocf.berkeley.edu 
*******************************************
  File[/etc/ocf-create/ocf-create.conf] =>
   parameters =>
     group =>
      - ocfstaff
      + ocfroot
*******************************************
Unaffected hosts 
acid.ocf.berkeley.edu
afterhours.ocf.berkeley.edu
anthrax.ocf.berkeley.edu
arsenic.ocf.berkeley.edu
asteroid.ocf.berkeley.edu
autocrat.ocf.berkeley.edu
avalanche.ocf.berkeley.edu
bedbugs.ocf.berkeley.edu
bigbang.ocf.berkeley.edu
blackout.ocf.berkeley.edu
blight.ocf.berkeley.edu
blizzard.ocf.berkeley.edu
chaos.ocf.berkeley.edu
corruption.ocf.berkeley.edu
coup.ocf.berkeley.edu
cyanide.ocf.berkeley.edu
cyclone.ocf.berkeley.edu
dataloss.ocf.berkeley.edu
deadlock.ocf.berkeley.edu
death.ocf.berkeley.edu
dementors.ocf.berkeley.edu
democracy.ocf.berkeley.edu
destruction.ocf.berkeley.edu
drought.ocf.berkeley.edu
eruption.ocf.berkeley.edu
fallingrocks.ocf.berkeley.edu
falsevacuum.ocf.berkeley.edu
famine.ocf.berkeley.edu
fire.ocf.berkeley.edu
firestorm.ocf.berkeley.edu
firewhirl.ocf.berkeley.edu
flood.ocf.berkeley.edu
fraud.ocf.berkeley.edu
fukushima.ocf.berkeley.edu
gridlock.ocf.berkeley.edu
hailstorm.ocf.berkeley.edu
headcrash.ocf.berkeley.edu
heatwave.ocf.berkeley.edu
hellfire.ocf.berkeley.edu
hozer-74.ocf.berkeley.edu
hurricane.ocf.berkeley.edu
invasion.ocf.berkeley.edu
jaws.ocf.berkeley.edu
lethe.ocf.berkeley.edu
lightning.ocf.berkeley.edu
lockdown.ocf.berkeley.edu
madcow.ocf.berkeley.edu
maelstrom.ocf.berkeley.edu
meteorstorm.ocf.berkeley.edu
nuke.ocf.berkeley.edu
outbreak.ocf.berkeley.edu
pandemic.ocf.berkeley.edu
panic.ocf.berkeley.edu
pestilence.ocf.berkeley.edu
pileup.ocf.berkeley.edu
plague.ocf.berkeley.edu
pox.ocf.berkeley.edu
reaper.ocf.berkeley.edu
riptide.ocf.berkeley.edu
scurvy.ocf.berkeley.edu
segfault.ocf.berkeley.edu
sinkhole.ocf.berkeley.edu
solarflare.ocf.berkeley.edu
surge.ocf.berkeley.edu
tempest.ocf.berkeley.edu
thunder.ocf.berkeley.edu
tsunami.ocf.berkeley.edu
typhoon.ocf.berkeley.edu
vampires.ocf.berkeley.edu
venom.ocf.berkeley.edu
volcano.ocf.berkeley.edu
war.ocf.berkeley.edu
whiteout.ocf.berkeley.edu
wildfire.ocf.berkeley.edu
worm.ocf.berkeley.edu
y2k.ocf.berkeley.edu

Jenkins

ethanwu10
ethanwu10 reviewed Dec 15, 2021
View reviewed changes
modules/ocf_admin/manifests/create.pp
'/etc/ocf-create/ocf-create.conf':
group => ocfstaff,
group => ocfroot,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

approve still needs the file to read the celery connection info; did you intend for approve to become root-only?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, it seems the proper solution for this is to separate out celery.broker and celery.backend to a separate config file... is it worth the effort at this point when we're planning to redo secrets management for create when it gets moved into newk8s?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think approve is mostly used by rootstaff anyway, so this is probably a good idea?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you're going to make approve root-only, don't forget to update the docs. I can think of https://www.ocf.berkeley.edu/docs/staff/scripts/approve/ and https://www.ocf.berkeley.edu/docs/staff/powers/ as pages that mention this.

@ocfjenkins
Copy link

ocfjenkins bot commented Apr 11, 2023

Errored hosts (6)

Changed hosts (1)

Unaffected hosts (67)

WARNING: Output is too long for a comment, posted to a gist instead: https://gist.github.com/ocfbot/2b5d9b7512fe0bc5f2ea697113858021

Jenkins

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dkess dkess dkess left review comments

@ethanwu10 ethanwu10 ethanwu10 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nikhiljha @dkess @ethanwu10