How to get cf-runagent to work on centos7?

Leo Liu

Oct 13, 2014, 10:23:48 PM
to help-c...@googlegroups.com
I failed to run cf-runagent on centos7:

!! unspecified server refusal please see verbose server output ....

and the verbose server output is:

2014-10-14T10:08:24+0100 verbose: New connection (from 127.0.0.1, sd 7), spawning new thread...
2014-10-14T10:08:24+0100 info: 127.0.0.1> Accepting connection
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> Setting socket timeout to 600 seconds.
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> Peeked CAUTH in TCP stream, considering the protocol as Classic
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> Peer's identity is: MD5=36d114f3687b81915e7dc86421c4e86c
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> A public key was already known from localhost/127.0.0.1 - no trust required
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> The public key identity was confirmed as root@localhost
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> Authentication of client localhost/127.0.0.1 achieved
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> User root granted connection privileges
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> Filename /bin/sh is resolved to /usr/bin/bash
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> Found a matching rule in access list (/usr/bin/bash in /usr/bin/bash)
2014-10-14T10:08:24+0100 info: 127.0.0.1> Host localhost denied access to /bin/sh
2014-10-14T10:08:24+0100 info: 127.0.0.1> REFUSAL due to denied access to requested object
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> REFUSAL to (user=root,ip=127.0.0.1) of request: EXEC
2014-10-14T10:08:24+0100 info: 127.0.0.1> Closed connection, terminating thread

Ideas?

Leo
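
Added example, not part of the original thread and not CFEngine project code: a small Python triage script that groups verbose cf-serverd lines like those in the post above by peer and reports the connections that ended in a REFUSAL, together with the requested object, its resolved path and the matched access rule. It assumes one connection at a time per peer IP; the function and field names are made up for illustration.

```python
import re

# Log lines copied from the verbose server output in the post above.
SAMPLE = """\
2014-10-14T10:08:24+0100 verbose: New connection (from 127.0.0.1, sd 7), spawning new thread...
2014-10-14T10:08:24+0100 info: 127.0.0.1> Accepting connection
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> Peer's identity is: MD5=36d114f3687b81915e7dc86421c4e86c
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> User root granted connection privileges
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> Filename /bin/sh is resolved to /usr/bin/bash
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> Found a matching rule in access list (/usr/bin/bash in /usr/bin/bash)
2014-10-14T10:08:24+0100 info: 127.0.0.1> Host localhost denied access to /bin/sh
2014-10-14T10:08:24+0100 info: 127.0.0.1> REFUSAL due to denied access to requested object
2014-10-14T10:08:24+0100 verbose: 127.0.0.1> REFUSAL to (user=root,ip=127.0.0.1) of request: EXEC
2014-10-14T10:08:24+0100 info: 127.0.0.1> Closed connection, terminating thread
"""

# "<timestamp> <level>: <peer>> <message>"
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+): (?P<peer>\S+)> (?P<msg>.*)$")
FIELDS = {  # hypothetical field names -> message patterns seen in the log above
    "identity": re.compile(r"Peer's identity is: (\S+)"),
    "user": re.compile(r"User (\S+) granted connection privileges"),
    "resolved": re.compile(r"Filename (\S+) is resolved to (\S+)"),
    "rule": re.compile(r"Found a matching rule in access list \((\S+) in (\S+)\)"),
    "denied": re.compile(r"Host (\S+) denied access to (\S+)"),
    "request": re.compile(r"REFUSAL to \(user=(\S+),ip=(\S+)\) of request: (\S+)"),
}

def refusals(text):
    """Return one dict per connection that ended in a REFUSAL."""
    open_conns, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a "peer>" prefix, e.g. "New connection"
        peer, msg = m["peer"], m["msg"]
        if msg.startswith("Accepting connection"):
            open_conns[peer] = {"peer": peer, "start": m["ts"], "refused": False}
        conn = open_conns.get(peer)
        if conn is None:
            continue  # log started mid-connection; nothing to attach to
        for name, rx in FIELDS.items():
            hit = rx.search(msg)
            if hit:  # single-group patterns store a string, others a tuple
                conn[name] = hit.group(1) if rx.groups == 1 else hit.groups()
        conn["refused"] = conn["refused"] or msg.startswith("REFUSAL")
        if msg.startswith("Closed connection"):
            done.append(open_conns.pop(peer))
    return [c for c in done if c["refused"]]
```
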

Neil Watson

Oct 14, 2014, 8:32:34 AM
to help-c...@googlegroups.com
On Tue, Oct 14, 2014 at 10:23:29AM +0800, Leo Liu wrote:
>and the verbose server output is:
>
> 2014-10-14T10:08:24+0100 verbose: New connection (from 127.0.0.1, sd 7), spawning new thread...
> 2014-10-14T10:08:24+0100 info: 127.0.0.1> Accepting connection

I don't think the loopback address should be used. Cf-runagent should
talk to the proper IP address of the host. The server should also be
bootstrapped to its proper IP and not loopback.

--
Neil H Watson
Sr. Partner, Architecture and Infrastructure
CFEngine reporting: https://github.com/evolvethinking/delta_reporting
CFEngine policy: https://github.com/evolvethinking/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3
CFEngine support: http://evolvethinking.com

Leo Liu

Oct 14, 2014, 9:46:12 AM
to help-c...@googlegroups.com
On 2014-10-14 08:32 -0400, Neil Watson wrote:
> I don't think the loopback address should be used. Cf-runagent should
> talk to the proper IP address of the host. The server should also be
> bootstrapped to its proper IP and not loopback.

Thanks. Does this mean that we need to change controls/cf_runagent.cf
to include the IPs of all managed computers?

Leo

Neil Watson

Oct 14, 2014, 9:49:05 AM
to help-c...@googlegroups.com
On Tue, Oct 14, 2014 at 09:45:53PM +0800, Leo Liu wrote:
>Thanks. Does this mean that we need to change controls/cf_runagent.cf
>to include the IPs of all managed computers?

I submit to you that you probably don't want to use the runagent. It's
not a practical tool. Please tell us your use case and we'll help you.