From f40479bd763c0f60967ec5cd7141caa213544d5d Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 8 Oct 2024 18:29:01 +0200 Subject: [PATCH 1/4] Atomic copy_from in files promise Changes to `files` promise in `copy_from` attribute: - The new file (i.e., `.cfnew`) is now created with correct permission during remote copy. Previously it would be created with default permissions. - The destination file (i.e., ``) is no longer deleted on backup during file copy. Previously it would be renamed to `.cfsaved`, causing the original file to dissappear. Now an actual copy of the original file with the same permissions is created instead. As a result, there will no longer be a brief moment where the original file is inaccessible. Ticket: ENT-11988 Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit 224ccc33652c2c97923ab97a29317f6c930671e1) --- cf-agent/verify_files_utils.c | 4 ++-- libcfnet/client_code.c | 4 ++-- libcfnet/client_code.h | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cf-agent/verify_files_utils.c b/cf-agent/verify_files_utils.c index db18da5091..22ee22a18a 100644 --- a/cf-agent/verify_files_utils.c +++ b/cf-agent/verify_files_utils.c @@ -1552,7 +1552,7 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con } if (!CopyRegularFileNet(source, ToChangesPath(new), - sstat->st_size, attr->copy.encrypt, conn)) + sstat->st_size, attr->copy.encrypt, conn, sstat->st_mode)) { RecordFailure(ctx, pp, attr, "Failed to copy file '%s' from '%s'", source, conn->remoteip); @@ -1712,7 +1712,7 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con } } - if (rename(dest, changes_backup) == 0) + if (CopyRegularFileDisk(dest, changes_backup)) { RecordChange(ctx, pp, attr, "Backed up '%s' as '%s'", dest, backup); *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE); diff --git a/libcfnet/client_code.c b/libcfnet/client_code.c index f31463c385..7dccb88324 100644 --- a/libcfnet/client_code.c +++ b/libcfnet/client_code.c @@ -750,7 +750,7 @@ static void FlushFileStream(int sd, int toget) /* TODO finalise socket or TLS session in all cases that this function fails * and the transaction protocol is out of sync. */ bool CopyRegularFileNet(const char *source, const char *dest, off_t size, - bool encrypt, AgentConnection *conn) + bool encrypt, AgentConnection *conn, mode_t mode) { char *buf, workbuf[CF_BUFSIZE], cfchangedstr[265]; const int buf_size = 2048; @@ -774,7 +774,7 @@ bool CopyRegularFileNet(const char *source, const char *dest, off_t size, unlink(dest); /* To avoid link attacks */ - int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, CF_PERMS_DEFAULT); + int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, mode); if (dd == -1) { Log(LOG_LEVEL_ERR, diff --git a/libcfnet/client_code.h b/libcfnet/client_code.h index d926541721..4aaaa5ff4c 100644 --- a/libcfnet/client_code.h +++ b/libcfnet/client_code.h @@ -48,7 +48,7 @@ void DisconnectServer(AgentConnection *conn); bool CompareHashNet(const char *file1, const char *file2, bool encrypt, AgentConnection *conn); bool CopyRegularFileNet(const char *source, const char *dest, off_t size, - bool encrypt, AgentConnection *conn); + bool encrypt, AgentConnection *conn, mode_t mode); Item *RemoteDirList(const char *dirname, bool encrypt, AgentConnection *conn); int TLSConnectCallCollect(ConnectionInfo *conn_info, const char *username); From b12c41151eb63619c1db2528663ad041bfbad737 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Thu, 12 Sep 2024 16:42:00 +0200 Subject: [PATCH 2/4] Workaround cppcheck ignoring `-i libpromises/cf3lex.c` When running cppcheck in static checks, we use `-i libpromises/cf3lex.c` in order to make cppcheck ignore the generated cf3lex.c file. However, the new version of cppcheck ignores this option and fails on issues found in the file. However, we don't want this file or any other generated files except for bootstrap.inc which contains the bootstrap policy. So we can run `make clean` and `make -C libpromise/ boostrap.inc` before running cppcheck to get a cleaner environment. (cherry picked from commit e9cfa4105cf5718a4bbfcb06adc737437d9bd3fa) Signed-off-by: Lars Erik Wik --- tests/static-check/run_checks.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/static-check/run_checks.sh b/tests/static-check/run_checks.sh index c5cd3120d5..5b5fcce3df 100755 --- a/tests/static-check/run_checks.sh +++ b/tests/static-check/run_checks.sh @@ -21,6 +21,8 @@ function check_with_clang() { function check_with_cppcheck() { rm -f config.cache + make clean + make -C libpromises/ bootstrap.inc # needed by libpromises/bootstrap.c ./configure -C --enable-debug # cppcheck options: From d8510d3fab8bf1fd8346deb45a8e9f151740b625 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 6 Aug 2024 17:54:26 +0200 Subject: [PATCH 3/4] Fixed failure to install cf-remote ``` error: externally-managed-environment ``` Since this is a container, it should be OK to potentially break system packages. Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 0195e21b735ccf0da8d889ecf34919689641d6db) --- .github/workflows/windows_acceptance_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/windows_acceptance_tests.yml b/.github/workflows/windows_acceptance_tests.yml index 06e9cefd25..fc29bb95ae 100644 --- a/.github/workflows/windows_acceptance_tests.yml +++ b/.github/workflows/windows_acceptance_tests.yml @@ -24,7 +24,7 @@ jobs: uses: actions/checkout@v3 - name: install cf-remote - run: pip install cf-remote + run: pip install cf-remote --break-system-packages # Note that msiexec can't install packages when running under msys; # But cf-remote currently can't run under powershell From ce81cada94ef89ed8654755b24a02c5a09cb4a8c Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 11 Oct 2024 13:47:08 +0200 Subject: [PATCH 4/4] Fixed error in static checks libncurses5 was not available in the noble repository, but maybe libncurses6 will work. ``` E: Unable to locate package libncurses5 ``` Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 4d1944adc423ac19a99cb37d83f1a461909d4c53) --- .github/workflows/job-static-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/job-static-check.yml b/.github/workflows/job-static-check.yml index a86a5836f8..63d63116d7 100644 --- a/.github/workflows/job-static-check.yml +++ b/.github/workflows/job-static-check.yml @@ -38,7 +38,7 @@ jobs: - name: Prepare Environment run: | sudo apt-get update && \ - sudo apt-get install -y dpkg-dev debhelper g++ libncurses5 pkg-config \ + sudo apt-get install -y dpkg-dev debhelper g++ libncurses6 pkg-config \ build-essential libpam0g-dev fakeroot gcc make autoconf buildah \ liblmdb-dev libacl1-dev libcurl4-openssl-dev libyaml-dev libxml2-dev \ libssl-dev libpcre2-dev