CFEngine Community / CFE-3578

Files promise for permissions on an immutable file results in kept and not_kept

    Details

    • Type: Bug
    • Status: Done
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.18.0
    • Component/s: None
    • Labels:
      None
    • Story Points:
      3

      Description

      When I promised permissions for an immutable file I got both kept and not_kept results. I did not expect to get a kept result since I did not have create => "true"; attached. If create => "true" was attached, then I would have expected to also have a kept result because the file did indeed already exist.

      bundle agent main
      {
        files:
      
            "/tmp/immutable"
              perms => mode( 777 ),
              classes => results("bundle", "my_id_immutable_file_perms"),
              handle => "modify_immutable_file";
      
        reports:
          "$(with)" with => join( "$(const.n)", classesmatching( "my_id.*" ) );
      }
      body perms mode( m )
      {
        mode => "$(m)";
      }
      
      body classes results(scope, class_prefix)
      # @brief Define classes prefixed with `class_prefix` and suffixed with
      # appropriate outcomes: _kept, _repaired, _not_kept, _error, _failed,
      # _denied, _timeout, _reached
      #
      # @param scope The scope in which the class should be defined (`bundle` or `namespace`)
      # @param class_prefix The prefix for the classes defined
      #
      # This body can be applied to any promise and sets global
      # (`namespace`) or local (`bundle`) classes based on its outcome. For
      # instance, with `class_prefix` set to `abc`:
      #
      # * if the promise is to change a file's owner to `nick` and the file
      # was already owned by `nick`, the classes `abc_reached` and
      # `abc_kept` will be set.
      #
      # * if the promise is to change a file's owner to `nick` and the file
      # was owned by `adam` and the change succeeded, the classes
      # `abc_reached` and `abc_repaired` will be set.
      #
      # This body is a simpler, more consistent version of the body
      # `scoped_classes_generic`, which see. The key difference is that
      # fewer classes are defined, and only for outcomes that we can know.
      # For example this body does not define "OK/not OK" outcome classes,
      # since a promise can be both kept and failed at the same time.
      #
      # It's important to understand that promises may do multiple things,
      # so a promise is not simply "OK" or "not OK." The best way to
      # understand what will happen when your specific promises get this
      # body is to test it in all the possible combinations.
      #
      # **Suffix Notes:**
      #
      # * `_reached` indicates the promise was tried. Any outcome will result
      #   in a class with this suffix being defined.
      #
      # * `_kept` indicates some aspect of the promise was kept
      #
      # * `_repaired` indicates some aspect of the promise was repaired
      #
      # * `_not_kept` indicates some aspect of the promise was not kept.
      #   error, failed, denied and timeout outcomes will result in a class
      #   with this suffix being defined
      #
      # * `_error` indicates the promise repair encountered an error
      #
      # * `_failed` indicates the promise failed
      #
      # * `_denied` indicates the promise repair was denied
      #
      # * `_timeout` indicates the promise timed out
      #
      # **Example:**
      #
      # ```cf3
      # bundle agent example
      # {
      #   commands:
      #     "/bin/true"
      #       classes => results("bundle", "my_class_prefix");
      #
      #   reports:
      #     my_class_prefix_kept::
      #       "My promise was kept";
      #
      #     my_class_prefix_repaired::
      #       "My promise was repaired";
      # }
      # ```
      #
      # **See also:** `scope`, `scoped_classes_generic`, `classes_generic`
      {
        scope => "$(scope)";
      
        promise_kept => { "$(class_prefix)_reached",
                          "$(class_prefix)_kept" };
      
        promise_repaired => { "$(class_prefix)_reached",
                              "$(class_prefix)_repaired" };
      
        repair_failed => { "$(class_prefix)_reached",
                           "$(class_prefix)_error",
                           "$(class_prefix)_not_kept",
                           "$(class_prefix)_failed" };
      
        repair_denied => { "$(class_prefix)_reached",
                           "$(class_prefix)_error",
                           "$(class_prefix)_not_kept",
                           "$(class_prefix)_denied" };
      
        repair_timeout => { "$(class_prefix)_reached",
                            "$(class_prefix)_error",
                            "$(class_prefix)_not_kept",
                            "$(class_prefix)_timeout" };
      }
      
      root@nickanderson-ThinkPad-W550s:/tmp# chattr -i immutable; rm immutable; touch immutable; chattr +i immutable; cf-agent -Kf ./immutable.cf
         error: Failed to change permissions of '/tmp/immutable'. (chmod: Operation not permitted)
         error: Failed to change permissions of '/tmp/immutable'. (chmod: Operation not permitted)
      R: my_id_immutable_file_perms_failed
      my_id_immutable_file_perms_not_kept
      my_id_immutable_file_perms_error
      my_id_immutable_file_perms_kept
      my_id_immutable_file_perms_reached
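
The following Python check is an added example, not part of the original report or of CFEngine itself. It transcribes the outcome-to-class mapping of the `results` body above and uses it to infer, from the classes the agent reported, which outcomes fired for the one promise, flagging the kept/not_kept combination shown in the output. The function names are hypothetical; the sample output is copied from the report.

```python
import re

# Outcome -> class suffixes, transcribed from the `results` classes body above.
RESULTS_BODY = {
    "promise_kept":     {"reached", "kept"},
    "promise_repaired": {"reached", "repaired"},
    "repair_failed":    {"reached", "error", "not_kept", "failed"},
    "repair_denied":    {"reached", "error", "not_kept", "denied"},
    "repair_timeout":   {"reached", "error", "not_kept", "timeout"},
}
# Suffixes defined by exactly one outcome identify that outcome unambiguously.
UNIQUE = {s: o for o, ss in RESULTS_BODY.items() for s in ss
          if sum(s in v for v in RESULTS_BODY.values()) == 1}

# Sample input: the agent output quoted in the report.
SAMPLE_OUTPUT = """\
   error: Failed to change permissions of '/tmp/immutable'. (chmod: Operation not permitted)
   error: Failed to change permissions of '/tmp/immutable'. (chmod: Operation not permitted)
R: my_id_immutable_file_perms_failed
my_id_immutable_file_perms_not_kept
my_id_immutable_file_perms_error
my_id_immutable_file_perms_kept
my_id_immutable_file_perms_reached
"""

def suffixes(output, prefix):
    """Collect the suffix of every `<prefix>_<suffix>` class named in the output."""
    pattern = re.compile(r"\b" + re.escape(prefix) + r"_([a-z_]+)\b")
    return set(pattern.findall(output))

def fired_outcomes(found):
    """Infer which outcomes of the body fired from the suffixes that were defined."""
    return sorted(UNIQUE[s] for s in found if s in UNIQUE)

def explained(found):
    """True when the fired outcomes account for every suffix seen, and no more."""
    union = set()
    for outcome in fired_outcomes(found):
        union |= RESULTS_BODY[outcome]
    return union == found

def contradictory(found):
    """True when one promise reports both kept and not_kept in the same run."""
    return {"kept", "not_kept"} <= found

if __name__ == "__main__":
    seen = suffixes(SAMPLE_OUTPUT, "my_id_immutable_file_perms")
    print(fired_outcomes(seen), "contradictory:", contradictory(seen))
```
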
      

              People

              Assignee:
              vpodzime Vratislav Podzimek
              Reporter:
              a10042 Nick Anderson
