Hi,
You are running into the same problems and questions I ran into with File Templates when creating a “/etc/issue” file on a system. I tried to address this in June of 2024 as a security issue via support ticket 206818. My observations:
I had found out that the code that drops the File Template onto a system basically blatantly does this:
chown root:morpheus-node “File Path”
chmod -R u+rwx,g+rwx,o+rx “File Path”
Which in the case of a file in /etc or other system folders is a very very bad thing and causes system daemons like SSH to complain or simply refuse to function as you experienced.
The response from support was:
I have been informed this is by design as the folder permissions need to be changed to allow the write into the folder.
To accomplish this into a folder like /etc I would suggest you add the file in a different location and then use a task to adjust the file permissions as needed and move the file to the desired folder.
I think this is not a proper response: The Morpheus Agent has the ability to execute commands as root (otherwise it couldn’t change the permissions of folder ‘/etc’ to begin with), so in the case of dropping File Templates it should be able to drop the file without the need to change permissions of any existing folders. The only permissions it would need to touch are those of non-existent folders it might need to create and the file itself. To my knowledge this part of the ticket is left unaddressed as the ticket was closed and this specific item was not set through to the development team for consideration of being fixed. Which reminds me to take this one up with our Account Manager.
In the same ticket I addressed the undocumented feature of being able to use “owner:group” and have the documentation and/or input hint be adjusted to show that format is permissible. This is supposedly a new case and with the Dev team. But I can’t see/track this specific new case. As of 7.0.6-2 the issue is still present.
A third item I tried to address in that ticket was that there is no way to set sane permissions on the file you are trying to create on the file. Which can be a security issue depending on the file being created and how long there is between the file being dumped on the system and a Task being run to fix the deficiencies in the File Template drop code. This is supposedly a new case as well and with the Dev team. But I can’t see/track this specific new case. As of 7.0.6-2 the issue is still present.
And lastly another item I tried to address regarding File Templates in this ticket (which was pulled out into a separate ticket 206885) was the fact the file contents all empty lines removed from the beginning and end of the file plus the final CR&LF stripped from what you enter in the Template input for the File Template. The response in ticket 206885 was:
After review of this by the development team it was determined to not be something that will be changed. String autotrim is system wide. A FILE template should not care about whitespace in general and trim is considered acceptable.
All these issues made the File Template feature unusable for dropping a file as simple as /etc/issue or /etc/motd on a UNIX system.
Two notes on your “Phase” question:
- You likely want to use “Provision” as the phase because “Pre-Provision” would attempt to drop the file on a still non-existent vm/server.
- There is a gotcha if you want to use ‘Post Provision’ as the phase: The Post-Provisioning phase is triggered for all nodes (aka vms, servers, or compute) of an Instance when a scale event occurs and the added node enters the Post-Provisioning Phase. I’m assuming that File Templates deployments only trigger on the newly added/deployed node but any ‘fix’ tasks needed because of the earlier discussed issues would be triggered on all nodes in an Instance. If this is the case, your fix Tasks need to be made re-entrant safe. Shameless plug for a vote: I opened a feature request to ‘fix’ this behavior by adding more Phases: Separate "Scale Up" Stage in Provisioning Workflow Needed
On your question regarding the file path: that, to my knowledge, should always be the full absolute path from the root.
-Yaron.