Config-validator - Failed to load server failed to compile dependency code - rego_parse_error: rule name conflicts with built-in function #167
Comments
+Hemant Kunda ***@***.***>
…On Wed, Jul 21, 2021 at 1:30 AM Jose Roberto Almaraz < ***@***.***> wrote:
Hi,
We've been using the forseti policy-library as a base and built other
policies on top of it to work with Custom Governance.
We're currently evaluating if the same policies would work with Forseti
config-validator as a back-up option as Custom Governance is still a pre-GA
product and there are restrictions of running it in production.
I have copied the working policy library from Custom Governance to a new
modulerelease522 forseti installation and currently face the below error
when try to start the config-validator service.
Is there a way we can verify what version of OPA is being currently used
by config validator ?
Also, is there a way we can upgrade the OPA version used by Forseti
config-validator ?
We've been using and testing the policies with opa version 0.17.3 and
wonder if that might be the cause of the problem.
Thank you.
Jose
------------------------------
```
***@***.***:~/policy-library/policy-library$ sudo systemctl status config-validator
● config-validator.service - Config Validator API Server
Loaded: loaded (/lib/systemd/system/config-validator.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2021-07-21 00:25:29 UTC; 52min ago
Process: 28016 ExecStart=/home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath=/home/ubuntu/policy-library/policy-library/policies --policyLibraryPath=/home/ubuntu/policy-library/policy-libra
Main PID: 28016 (code=exited, status=1/FAILURE)
Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: Started Config Validator API Server.
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: 2021/07/21 00:25:29 Failed to load server failed to compile dependency code: 2 errors occurred:
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: /home/ubuntu/policy-library/policy-library/lib/common/labels.rego:21: rego_parse_error: rule name conflicts with built-in function
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: /home/ubuntu/policy-library/policy-library/lib/common/labels.rego:28: rego_parse_error: rule name conflicts with built-in function
Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: config-validator.service: Main process exited, code=exited, status=1/FAILURE
Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: config-validator.service: Failed with result 'exit-code'.
***@***.***:/policy-library/policy-library$ cat /lib/systemd/system/config-validator.service
[Unit]
Description=Config Validator API Server
[Service]
User=ubuntu
Environment="GOGC=1000"
ExecStart=/home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath='/home/ubuntu/policy-library/policy-library/policies' --policyLibraryPath='/home/ubuntu/policy-library/policy-library/lib' -port=50052
[Install]
WantedBy=multi-user.target
***@***.***:/policy-library/policy-library$ sudo /home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath='/home/ubuntu/policy-library/policy-library/policies' --policyLibraryPath='/home/ubuntu/policy-library/policy-library/lib' -port=50052
2021/07/21 01:18:28 Failed to load server failed to compile dependency code: 2 errors occurred:
/home/ubuntu/policy-library/policy-library/lib/common/labels.rego:21: rego_parse_error: rule name conflicts with built-in function
/home/ubuntu/policy-library/policy-library/lib/common/labels.rego:28: rego_parse_error: rule name conflicts with built-in function
```
|
Hi Jose! I believe you would be using OPA 0.17.2 if you didn't override any of the Terraform defaults listed here (specifically What version of Custom Governance are you currently using? CG 1.3.x should be using OPA 0.17.2 as well, while CG 1.4.x uses OPA 0.24.0. Can you attach |
Hi @hkundag , thanks for the reply. I didn't override any of the default Terraform tags apart from config_validator_enabled and the variables. We're using OPA 0.17.2 and Custom Governance 1.3.2. We have just also completed an upgrade from CG 1.3.2 to 1.4.2 and the policy library works well (we did have to change all their kind/names as there's a mandatory naming format where they should all start with a GCP or GKE prefix). We did extend some of the libraries and they work well on CG 1.3.2 and 1.4.2 and our goal is to measure the impact in case we temporarily need to use Forseti until CG becomes GA. Thanks! |
Forgot to mention, we're not using the forseti GKE deployment, but the regular GCE due to the same reason (beta/pre-GA versus GA). So, basically deployed the terraform-google-forseti/examples/install_simple with config_validator_enabled and configured the policy on the forseti-server VM. Cheers. |
Just to be totally clear, Config Validator is independent of Forseti. Custom Governance also uses Config Validator. Forseti also embeds Config Validator, but Forseti is not actively updated/maintained currently. Based on this line, it looks like Forseti is using a version of Config Validator from August 2020. At the time, Config Validator used OPA 0.17.2. |
Thanks for clarifying, @morgante! @jralmaraz I'm not able to reproduce those errors in the CV server unless I go pretty far back, to On a side note, OPA v0.17.2 is used on master in |
Thanks @hkundag . I will try a new installation from master branch, I used the 5.2.2 just because it was pointed in this doc: https://forsetisecurity.org/docs/latest/setup/install/index.html I tried that yesterday (replacing
I will keep you posted when I run the installation from master and updating the validator tag hash to a more recent one. Thanks again for all the feedback on this guys. |
I have re-provisioned the installation from the master branch and config-validator is able to compile our policies. Thanks for looking at this.
```
ubuntu@forseti-server-vm-6495cb00:~$ sudo systemctl status config-validator
Jul 22 02:48:52 forseti-server-vm-6495cb00 docker[30744]: }
```
|
Hi,
We've been using the forseti policy-library as a base and built other policies on top of it to work with Custom Governance.
We're currently evaluating if the same policies would work with Forseti config-validator as a back-up option as Custom Governance is still a pre-GA product and there are restrictions of running it in production.
I have copied the working policy library from Custom Governance to a new modulerelease522 forseti installation and currently face the below error when try to start the config-validator service.
Is there a way we can verify what version of OPA is being currently used by config validator ?
Also, is there a way we can upgrade the OPA version used by Forseti config-validator ?
We've been using and testing the policies with opa version 0.17.3 and wonder if that might be the cause of the problem.
Thank you.
Jose
```
ubuntu@forseti-server-vm-eb216d0f:~/policy-library/policy-library$ sudo systemctl status config-validator
● config-validator.service - Config Validator API Server
Loaded: loaded (/lib/systemd/system/config-validator.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2021-07-21 00:25:29 UTC; 52min ago
Process: 28016 ExecStart=/home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath=/home/ubuntu/policy-library/policy-library/policies --policyLibraryPath=/home/ubuntu/policy-library/policy-libra
Main PID: 28016 (code=exited, status=1/FAILURE)
Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: Started Config Validator API Server.
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: 2021/07/21 00:25:29 Failed to load server failed to compile dependency code: 2 errors occurred:
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: /home/ubuntu/policy-library/policy-library/lib/common/labels.rego:21: rego_parse_error: rule name conflicts with built-in function
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: /home/ubuntu/policy-library/policy-library/lib/common/labels.rego:28: rego_parse_error: rule name conflicts with built-in function
Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: config-validator.service: Main process exited, code=exited, status=1/FAILURE
Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: config-validator.service: Failed with result 'exit-code'.
ubuntu@forseti-server-vm-eb216d0f:~/policy-library/policy-library$ cat /lib/systemd/system/config-validator.service
[Unit]
Description=Config Validator API Server
[Service]
User=ubuntu
Environment="GOGC=1000"
ExecStart=/home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath='/home/ubuntu/policy-library/policy-library/policies' --policyLibraryPath='/home/ubuntu/policy-library/policy-library/lib' -port=50052
[Install]
WantedBy=multi-user.target
ubuntu@forseti-server-vm-eb216d0f:~/policy-library/policy-library$ sudo /home/ubuntu/forseti-security/external-dependencies/config-validator/ConfigValidatorRPCServer --policyPath='/home/ubuntu/policy-library/policy-library/policies' --policyLibraryPath='/home/ubuntu/policy-library/policy-library/lib' -port=50052
2021/07/21 01:18:28 Failed to load server failed to compile dependency code: 2 errors occurred:
/home/ubuntu/policy-library/policy-library/lib/common/labels.rego:21: rego_parse_error: rule name conflicts with built-in function
/home/ubuntu/policy-library/policy-library/lib/common/labels.rego:28: rego_parse_error: rule name conflicts with built-in function
```
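An added example, not part of the thread or of Config Validator's own code: a small Python parser that turns the failure output in the report above into file/line records and checks the parsed count against the "N errors occurred" header, which flags output cut short by `systemctl status`. The function and class names are hypothetical, and the sample lines are copied from the report.

```python
import re
from typing import NamedTuple

# Sample input: journal lines copied from the report above, unwrapped.
SAMPLE_JOURNAL = """\
Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: Started Config Validator API Server.
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: 2021/07/21 00:25:29 Failed to load server failed to compile dependency code: 2 errors occurred:
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: /home/ubuntu/policy-library/policy-library/lib/common/labels.rego:21: rego_parse_error: rule name conflicts with built-in function
Jul 21 00:25:29 forseti-server-vm-eb216d0f ConfigValidatorRPCServer[28016]: /home/ubuntu/policy-library/policy-library/lib/common/labels.rego:28: rego_parse_error: rule name conflicts with built-in function
Jul 21 00:25:29 forseti-server-vm-eb216d0f systemd[1]: config-validator.service: Main process exited, code=exited, status=1/FAILURE
"""

class RegoError(NamedTuple):  # hypothetical record type for this example
    path: str
    line: int
    code: str
    message: str

# journald prefix "Mon DD HH:MM:SS host unit[pid]: "; absent when the binary is run directly.
_PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ [^\s\[]+\[\d+\]: ")
_ERROR = re.compile(r"^(?P<path>/\S+\.rego):(?P<line>\d+): (?P<code>rego_\w+): (?P<msg>.+)$")
_COUNT = re.compile(r"(\d+) errors? occurred:")

def parse_compile_failure(text):
    """Return (declared_count, [RegoError, ...]) from journald or direct-run output."""
    declared, errors = None, []
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw.strip())
        count = _COUNT.search(line)
        if count:
            declared = int(count.group(1))
            continue
        m = _ERROR.match(line)
        if m:
            errors.append(RegoError(m["path"], int(m["line"]), m["code"], m["msg"]))
    return declared, errors

def summarize(text):
    """Group failing line numbers per file; complete is False if errors are missing."""
    declared, errors = parse_compile_failure(text)
    by_file = {}
    for err in errors:
        by_file.setdefault(err.path, []).append(err.line)
    return by_file, declared is not None and declared == len(errors)

if __name__ == "__main__":
    print(summarize(SAMPLE_JOURNAL))
```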