copy file => Unspecified server refusal


jehan procaccia

Jul 11, 2013, 2:29:17 PM
to help-c...@googlegroups.com
I am moving from 2.X to 3.5 community edition, and I'm stuck with a very simple promise that fails to copy a file.
I created a masterfiles/cf-classes.cf containing the definition of a computer lab.

promises.cf
bundlesequence => {"def","cfsketch_run","main","cf-classes","disi_policies",};
inputs => {"def.cf",.... "cf-classes.cf", "cf-policies.cf",};

cf-classes.cf
bundle agent disi_classes
{
classes:
"lab_b01" or => { "b01_01", "b01_02" };
}

bundle agent disi_policies
{
files:
        lab_b01::
        "/etc/sssd/sssd.conf"
        copy_from => secure_cp("/var/cfengine/masterdisifiles/fedora19/sssd.conf","cfengine3"),
        perms => m("600");
}

/var/cfengine/bin/cf-agent -v -d

2013-07-11T18:29:18+0200    debug: Log for bundle 'disi_policies', 'lock.disi_policies.files.copy_from.source.servers.compare.encrypt.-b01-02._etc_sssd_sssd_conf_7419_MD5=b29ff62d2786a70cd4e683172632d87a'
2013-07-11T18:29:18+0200    debug: Direct file reference '/etc/sssd/sssd.conf', no search implied
2013-07-11T18:29:18+0200  verbose: Copy file '/etc/sssd/sssd.conf' from '/var/cfengine/masterdisifiles/fedora19/sssd.conf' check
2013-07-11T18:29:18+0200  verbose: GetIdleConnectionToServer: no existing connection to '157.159.21.144' is established...
2013-07-11T18:29:18+0200  verbose: Set cfengine port number to '5308' = 5308
2013-07-11T18:29:18+0200  verbose: Set connection timeout to 30
2013-07-11T18:29:18+0200  verbose: Connect to 'cfengine3.int-evry.fr' = '157.159.21.144' on port '5308'
2013-07-11T18:29:18+0200  verbose: skipidentify was promised, so we are trusting and simply announcing the identity as 'b01-02.int-evry.fr' for this host
2013-07-11T18:29:19+0200  verbose: .....................[.h.a.i.l.].................................
2013-07-11T18:29:19+0200  verbose: Strong authentication of server 'cfengine3' connection confirmed
2013-07-11T18:29:19+0200  verbose: Public key identity of host '157.159.21.144' is 'MD5=ba9cb6e2a6831b0a90e5ba594ae51041'
2013-07-11T18:29:19+0200  verbose: Server returned error ' Unspecified server refusal (see verbose server output)'
2013-07-11T18:29:19+0200     info: /disi_policies/files/'/etc/sssd/sssd.conf': Can't stat '/var/cfengine/masterdisifiles/fedora19/sssd.conf' in files.copyfrom promise
2013-07-11T18:29:19+0200  verbose: Existing connection just became free...
2013-07-11T18:29:19+0200    debug: Yielding lock 'lock.disi_policies.files.copy_from.source.servers.compare.encrypt.-b01-02._etc_sssd_sssd_conf_7419_MD5=b29ff62d2786a70cd4e683172632d87a'
2013-07-11T18:29:19+0200    debug:   Aggregate result '', scanning at '$(server)' (current delta '')
2013-07-11T18:29:19+0200    debug: Returning substring value 'server'
2013-07-11T18:29:19+0200    debug: Delta 'server'

Any idea what could be wrong?
Thanks.

Neil Watson

Jul 11, 2013, 2:41:05 PM
to help-c...@googlegroups.com
If you are running 3.5.0, you must move to 3.5.1. 3.5.0 has a copy
show-stopper bug. Either way, the output gives you a good hint. Check the
server's verbose output. Here's how:

On server host:
Kill running cf-serverd.
Run cf-serverd -vF > server.txt

On agent host:
Run agent to create problem.

On server host:
Kill cf-serverd and examine server.txt.

--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca

Khushil Dep

Jul 11, 2013, 3:31:19 PM
to jehan procaccia, help-c...@googlegroups.com

On 11 July 2013 19:29, jehan procaccia <jehan...@gmail.com> wrote:
2013-07-11T18:29:19+0200     info: /disi_policies/files/'/etc/sssd/sssd.conf': Can't stat '/var/cfengine/masterdisifiles/fedora19/sssd.conf' in files.copyfrom promise

Does this file exist in the policy hub? We see this too on 3.4.4 when files aren't present and to be honest the error message could be a bit more intelligent I think.

---
W. A. Khushil Dep - khush...@gmail.com -  07905 374 843
High Performance Web Platforms Architect & Engineer
@khushil

jehan procaccia

Jul 12, 2013, 2:31:09 AM
to help-c...@googlegroups.com

Yes, the file exists on the policy host

[root@cfengine3 cfengine]# ls -l /var/cfengine/masterdisifiles/fedora19/sssd.conf 
-rw------- 1 root root 4179 11 juil. 14:46 /var/cfengine/masterdisifiles/fedora19/sssd.conf

and the directory above is accessible too

[root@cfengine3 cfengine]# ls -ld /var/cfengine/masterdisifiles/
drwxr-xr-x 3 root root 4096 11 juil. 14:46 /var/cfengine/masterdisifiles/  # idem for fedora19 subdir


I also ran on the server
# cf-serverd -vF > server.txt

and the agent on the client still fails with the same error:

2013-07-12T08:21:05+0200  verbose: Copy file '/etc/sssd/sssd.conf' from '/var/cfengine/masterdisifiles/fedora19/sssd.conf' check
2013-07-12T08:21:05+0200  verbose: GetIdleConnectionToServer: no existing connection to '157.159.21.144' is established...
2013-07-12T08:21:05+0200  verbose: Set cfengine port number to '5308' = 5308
2013-07-12T08:21:05+0200  verbose: Set connection timeout to 30
2013-07-12T08:21:05+0200  verbose: Connect to 'cfengine3.int-evry.fr' = '157.159.21.144' on port '5308'
2013-07-12T08:21:05+0200  verbose: skipidentify was promised, so we are trusting and simply announcing the identity as 'b01-02.int-evry.fr' for this host
2013-07-12T08:21:05+0200  verbose: .....................[.h.a.i.l.].................................
2013-07-12T08:21:05+0200  verbose: Strong authentication of server 'cfengine3.int-evry.fr' connection confirmed
2013-07-12T08:21:05+0200  verbose: Public key identity of host '157.159.21.144' is 'MD5=ba9cb6e2a6831b0a90e5ba594ae51041'
2013-07-12T08:21:05+0200  verbose: Server returned error ' Unspecified server refusal (see verbose server output)'
2013-07-12T08:21:05+0200     info: /disi_policies/files/'/etc/sssd/sssd.conf': Can't stat '/var/cfengine/masterdisifiles/fedora19/sssd.conf' in files.copyfrom promise
2013-07-12T08:21:05+0200  verbose: Existing connection just became free...

server.txt ends with 

2013-07-12T08:20:57+0200  verbose: Setting cfruncommand to '"/var/cfengine/bin/cf-agent" -f /var/cfengine/inputs/update.cf ; "/var/cfengine/bin/cf-agent"'
2013-07-12T08:20:57+0200  verbose: Summarize control promises
2013-07-12T08:20:57+0200  verbose: Granted access to paths :
2013-07-12T08:20:57+0200  verbose: Path '/var/cfengine/masterfiles' (encrypt=0)
2013-07-12T08:20:57+0200  verbose: Admit: '157.159.21.144/16' root=
2013-07-12T08:20:57+0200  verbose: Admit: '.*\.example.com' root=
2013-07-12T08:20:57+0200  verbose: Path '/var/cfengine/bin' (encrypt=0)
2013-07-12T08:20:57+0200  verbose: Admit: '157.159.21.144/16' root=
2013-07-12T08:20:57+0200  verbose: Admit: '.*example.com' root=
2013-07-12T08:20:57+0200  verbose: Path '/var/cfengine/modules' (encrypt=0)
2013-07-12T08:20:57+0200  verbose: Admit: '157.159.21.144/16' root=
2013-07-12T08:20:57+0200  verbose: Admit: '.*example.com' root=
2013-07-12T08:20:57+0200  verbose: Denied access to paths :
2013-07-12T08:20:57+0200  verbose: Path '/var/cfengine/masterfiles'
2013-07-12T08:20:57+0200  verbose: Path '/var/cfengine/bin'
2013-07-12T08:20:57+0200  verbose: Path '/var/cfengine/modules'
2013-07-12T08:20:57+0200  verbose: Granted access to literal/variable/query data :
2013-07-12T08:20:57+0200  verbose: Denied access to literal/variable/query data:
2013-07-12T08:20:57+0200  verbose: Host IPs allowed connection access:
2013-07-12T08:20:57+0200  verbose: IP '127.0.0.1'
2013-07-12T08:20:57+0200  verbose: IP '::1'
2013-07-12T08:20:57+0200  verbose: IP '157.159.21.144/16'
2013-07-12T08:20:57+0200  verbose: Host IPs denied connection access:
2013-07-12T08:20:57+0200  verbose: Host IPs allowed multiple connection access:
2013-07-12T08:20:57+0200  verbose: IP '127.0.0.1'
2013-07-12T08:20:57+0200  verbose: IP '::1'
2013-07-12T08:20:57+0200  verbose: IP '157.159.21.144/16'
2013-07-12T08:20:57+0200  verbose: Host IPs from whom we shall accept public keys on trust:
2013-07-12T08:20:57+0200  verbose: IP '127.0.0.1'
2013-07-12T08:20:57+0200  verbose: IP '::1'
2013-07-12T08:20:57+0200  verbose: IP '157.159.21.144/16'
2013-07-12T08:20:57+0200  verbose: Users from whom we accept connections:
2013-07-12T08:20:57+0200  verbose: USERS 'root'
2013-07-12T08:20:57+0200  verbose: Host IPs from NAT which we don't verify:
2013-07-12T08:20:57+0200  verbose: IP '.*\.example.com'
2013-07-12T08:20:57+0200  verbose: IP '127.0.0.1'
2013-07-12T08:20:57+0200  verbose: IP '::1'
2013-07-12T08:20:57+0200  verbose: IP '157.159.21.144/16'
2013-07-12T08:20:57+0200   notice: Server is starting...
2013-07-12T08:20:57+0200     info: cf-serverd starting Fri Jul 12 08:20:57 2013
2013-07-12T08:20:57+0200  verbose: Listening for connections ...
2013-07-12T08:21:05+0200  verbose: Accepting a connection
2013-07-12T08:21:05+0200  verbose: Obtained IP address of '157.159.21.211' on socket 5 from accept
2013-07-12T08:21:05+0200     info: Accepting connection from '157.159.21.211'
2013-07-12T08:21:05+0200  verbose: New connection...(from 157.159.21.211:sd 5)
2013-07-12T08:21:05+0200  verbose: Spawning new thread...
2013-07-12T08:21:24+0200  verbose: Accepting a connection
2013-07-12T08:21:24+0200  verbose: Obtained IP address of '157.159.21.211' on socket 5 from accept
2013-07-12T08:21:24+0200     info: Accepting connection from '157.159.21.211'
2013-07-12T08:21:24+0200  verbose: New connection...(from 157.159.21.211:sd 5)
2013-07-12T08:21:24+0200  verbose: Spawning new thread...
2013-07-12T08:21:25+0200  verbose: Accepting a connection
2013-07-12T08:21:25+0200  verbose: Obtained IP address of '157.159.21.211' on socket 5 from accept
2013-07-12T08:21:25+0200     info: Accepting connection from '157.159.21.211'
2013-07-12T08:21:25+0200  verbose: New connection...(from 157.159.21.211:sd 5)
2013-07-12T08:21:25+0200  verbose: Spawning new thread...
2013-07-12T08:22:01+0200   notice: Cleaning up and exiting...

One remark: my subnet should be /24 and not /16 as stated above in '157.159.21.144/16' ... is it important?

Also, I read about DNS records of the server; does it matter if reverse and forward don't match?
Here my server is in domain cfengine.tem-tsp.eu although the PTR record in DNS for its IP points to domain cfengine.int-evry.fr!?
What if I change back to cfengine.int-evry.fr for hostname and forward ... would I need to re-generate the server ppkeys!?

Finally, I will probably upgrade to 3.5.1, but let me know if I can solve the problem without upgrading; I'm afraid to lose my configs ...

Thanks .

Neil Watson

Jul 12, 2013, 7:19:07 AM
to help-c...@googlegroups.com
The server output will show file downloads requested by the agent. Look
for the request that pertains to your failed download. That is not in
your last post.

jehan procaccia

Jul 12, 2013, 5:11:07 PM
to help-c...@googlegroups.com, cfen...@watson-wilson.ca
I thought the last portion of server.txt from my previous post was sufficient; I don't really know/see where the "downloads requested" are in that output:

2013-07-12T08:20:57+0200  verbose: Work directory is /var/cfengine
2013-07-12T08:20:57+0200  verbose: Looking for a source of entropy in '/var/cfengine/randseed'
2013-07-12T08:20:57+0200  verbose: Making sure that locks are private...
2013-07-12T08:20:57+0200  verbose: Checking integrity of the state database
2013-07-12T08:20:57+0200  verbose: Checking integrity of the module directory
2013-07-12T08:20:57+0200  verbose: Checking integrity of the PKI directory
2013-07-12T08:20:57+0200  verbose: Loaded private key at '/var/cfengine/ppkeys/localhost.priv'
...
...
2013-07-12T08:20:57+0200  verbose: Verifying the syntax of the inputs...
2013-07-12T08:20:57+0200  verbose: Checking policy with command '"/var/cfengine/bin/cf-promises" -c "/var/cfengine/inputs/promises.cf"'
...
2013-07-12T08:20:57+0200  verbose: Skipping whole promise, as context is debian
2013-07-12T08:20:57+0200  verbose: Setting denybadclocks to 'false'
2013-07-12T08:20:57+0200  verbose: Setting allowing connections from ...
2013-07-12T08:20:57+0200  verbose: Setting allowing multiple connections from ...
2013-07-12T08:20:57+0200  verbose: Setting trust keys from ...
2013-07-12T08:20:57+0200  verbose: Setting skip verify connections from ...
2013-07-12T08:20:57+0200  verbose: SET Allowing users ...
2013-07-12T08:20:57+0200  verbose: Setting maxconnections to 100

Is that output missing something?
I still don't see from it where things go wrong in copying the file; recall the client-side cfagent logs:
2013-07-12T08:21:05+0200  verbose: Copy file '/etc/sssd/sssd.conf' from '/var/cfengine/masterdisifiles/fedora19/sssd.conf' check
...
2013-07-12T08:21:05+0200  verbose: Server returned error ' Unspecified server refusal (see verbose server output)'
2013-07-12T08:21:05+0200     info: /disi_policies/files/'/etc/sssd/sssd.conf': Can't stat '/var/cfengine/masterdisifiles/fedora19/sssd.conf' in files.copyfrom promise

Could it be a problem of network mask (/16 vs /24)?
Or reverse / forward DNS name of the server not matching, as I read sometimes?
Or ownership/mode on the source file? I don't know why there's a "Can't stat '/var/cfengine/masterdisifiles/fedora19/sssd.conf" from cfagent.

Thanks .

jehan procaccia

Jul 15, 2013, 1:33:45 PM
to help-c...@googlegroups.com, cfen...@watson-wilson.ca
I just updated to 3.5.1 on both client and server; the problem still occurs => " Server returned error ' Unspecified server refusal".
From the server logs below, it is not clear to me if the IP address of the server itself is allowed/granted!? See bold lines, the server being at 157.159.21.144/24 (not /16!)

[root@cfengine3 ~]# cf-serverd -vF > server-3-5-1.txt
2013-07-15T19:18:58+0200  verbose: SET Allowing users ...
2013-07-15T19:18:58+0200  verbose: Setting maxconnections to 100
2013-07-15T19:18:58+0200  verbose: Setting cfruncommand to '"/var/cfengine/bin/cf-agent" -f /var/cfengine/inputs/update.cf ; "/var/cfengine/bin/cf-agent"'
2013-07-15T19:18:58+0200  verbose: Summarize control promises
2013-07-15T19:18:58+0200  verbose: Granted access to paths :
2013-07-15T19:18:58+0200  verbose: Path '/var/cfengine/masterfiles' (encrypt=0)
2013-07-15T19:18:58+0200  verbose: Admit: '157.159.21.144/16' root=
2013-07-15T19:18:58+0200  verbose: Admit: '.*\.example.com' root=
2013-07-15T19:18:58+0200  verbose: Path '/var/cfengine/bin' (encrypt=0)
2013-07-15T19:18:58+0200  verbose: Admit: '157.159.21.144/16' root=
2013-07-15T19:18:58+0200  verbose: Admit: '.*example.com' root=
2013-07-15T19:18:58+0200  verbose: Path '/var/cfengine/modules' (encrypt=0)
2013-07-15T19:18:58+0200  verbose: Admit: '157.159.21.144/16' root=
2013-07-15T19:18:58+0200  verbose: Admit: '.*example.com' root=
2013-07-15T19:18:58+0200  verbose: Denied access to paths :
2013-07-15T19:18:58+0200  verbose: Path '/var/cfengine/masterfiles'
2013-07-15T19:18:58+0200  verbose: Path '/var/cfengine/bin'
2013-07-15T19:18:58+0200  verbose: Path '/var/cfengine/modules'
2013-07-15T19:18:58+0200  verbose: Granted access to literal/variable/query data :
2013-07-15T19:18:58+0200  verbose: Denied access to literal/variable/query data:
2013-07-15T19:18:58+0200  verbose: Host IPs allowed connection access:
2013-07-15T19:18:58+0200  verbose: IP '127.0.0.1'
2013-07-15T19:18:58+0200  verbose: IP '::1'
2013-07-15T19:18:58+0200  verbose: IP '157.159.21.144/16'
2013-07-15T19:18:58+0200  verbose: Host IPs denied connection access:
2013-07-15T19:18:58+0200  verbose: Host IPs allowed multiple connection access:
2013-07-15T19:18:58+0200  verbose: IP '127.0.0.1'
2013-07-15T19:18:58+0200  verbose: IP '::1'
2013-07-15T19:18:58+0200  verbose: IP '157.159.21.144/16'
2013-07-15T19:18:58+0200  verbose: Host IPs from whom we shall accept public keys on trust:
2013-07-15T19:18:58+0200  verbose: IP '127.0.0.1'
2013-07-15T19:18:58+0200  verbose: IP '::1'
2013-07-15T19:18:58+0200  verbose: IP '157.159.21.144/16'
2013-07-15T19:18:58+0200  verbose: Users from whom we accept connections:
2013-07-15T19:18:58+0200  verbose: USERS 'root'
2013-07-15T19:18:58+0200  verbose: Host IPs from NAT which we don't verify:
2013-07-15T19:18:58+0200  verbose: IP '.*\.example.com'
2013-07-15T19:18:58+0200  verbose: IP '127.0.0.1'
2013-07-15T19:18:58+0200  verbose: IP '::1'
2013-07-15T19:18:58+0200  verbose: IP '157.159.21.144/16'
2013-07-15T19:18:58+0200   notice: Server is starting...
2013-07-15T19:18:58+0200     info: cf-serverd starting Mon Jul 15 19:18:58 2013
2013-07-15T19:18:58+0200  verbose: Listening for connections ...
2013-07-15T19:19:59+0200  verbose: Accepting a connection
2013-07-15T19:19:59+0200  verbose: Obtained IP address of '157.159.21.211' on socket 5 from accept
2013-07-15T19:19:59+0200     info: Accepting connection from '157.159.21.211'
2013-07-15T19:19:59+0200  verbose: New connection...(from 157.159.21.211:sd 5)
2013-07-15T19:19:59+0200  verbose: Spawning new thread...
2013-07-15T19:20:20+0200   notice: Cleaning up and exiting...

On the client side I still have

2013-07-15T19:19:59+0200  verbose: Copy file '/etc/sssd/sssd.conf' from '/var/cfengine/masterdisifiles/fedora19/sssd.conf' check
2013-07-15T19:19:59+0200  verbose: GetIdleConnectionToServer: no existing connection to '157.159.21.144' is established...
2013-07-15T19:19:59+0200  verbose: Set cfengine port number to '5308' = 5308
2013-07-15T19:19:59+0200  verbose: Set connection timeout to 30
2013-07-15T19:19:59+0200  verbose: Connect to 'cfengine.int-evry.fr' = '157.159.21.144' on port '5308'
2013-07-15T19:19:59+0200  verbose: skipidentify was promised, so we are trusting and simply announcing the identity as 'b01-02.int-evry.fr' for this host
2013-07-15T19:19:59+0200  verbose: .....................[.h.a.i.l.].................................
2013-07-15T19:19:59+0200  verbose: Strong authentication of server 'cfengine.int-evry.fr' connection confirmed
2013-07-15T19:19:59+0200  verbose: Public key identity of host '157.159.21.144' is 'MD5=ba9cb6e2a6831b0a90e5ba594ae51041'
2013-07-15T19:19:59+0200  verbose: Server returned error ' Unspecified server refusal (see verbose server output)'
2013-07-15T19:19:59+0200     info: /disi_policies/files/'/etc/sssd/sssd.conf': Can't stat '/var/cfengine/masterdisifiles/fedora19/sssd.conf' in files.copyfrom promise
2013-07-15T19:19:59+0200  verbose: Existing connection just became free...
2013-07-15T19:19:59+0200  verbose: Skipping next promise '/etc/sssd/sssd.conf', as context 'salle_b01' is not relevant
2013-07-15T19:19:59+0200  verbose: Skipping next promise '/etc/sssd/sssd.conf', as context 'salle_b01' is not relevant
2013-07-15T19:19:59+0200  verbose: Bundle Accounting Summary for 'disi_policies'

Could it be
1) IP/mask problem,
2) DNS, domain reverse/forward record of the server? client?
3) mode and chmod of the source file /var/cfengine/masterdisifiles/fedora19/sssd.conf
4) any other ideas? I am really stuck with that fundamental feature in cfengine to copy files! I really need it.

Thanks

Neil Watson

Jul 15, 2013, 2:11:30 PM
to help-c...@googlegroups.com
Retry the test, but run the server in legacy verbose mode. Sadly, the
new verbose mode does not show file downloads. I've opened a bug for
this. Try cf-serverd -vFl > server.txt

jehan procaccia

Jul 15, 2013, 6:18:34 PM
to help-c...@googlegroups.com, cfen...@watson-wilson.ca
OK, I ran the server in legacy output format mode, but still nothing very relevant to help me. Do you see something more in this log that can help?

[root@cfengine3 ~]# cf-serverd -vFl > server-3-5-1-legacy-mode.txt
...
cf3> Loaded private key at '/var/cfengine/ppkeys/localhost.priv'
cf3> Loaded public key '/var/cfengine/ppkeys/localhost.pub'
cf3> Setting cfengine default port to 5308, '5308'
cf3> Reference time set to 'Tue Jul 16 00:07:37 2013'
cf3> CFEngine Core 3.5.1
cf3> ------------------------------------------------------------------------
cf3> Host name is: cfengine.int-evry.fr
cf3> Operating System Type is linux
cf3> Operating System Release is 2.6.32-042stab076.5
cf3> Architecture = i686
cf3> Using internal soft-class linux for host cfengine.int-evry.fr
...
cf3> This agent is bootstrapped to '157.159.21.144'
...
cf3> Parsing file '/var/cfengine/inputs/cf-disi-classes.cf'
...
cf3> Parsing file '/var/cfengine/inputs/cf-disi-policies.cf'

cf3> Skipping whole promise, as context is debian
cf3>

cf3>    =========================================================
cf3>    classes in bundle paths (0)
cf3>    =========================================================
cf3>

cf3> *****************************************************************
cf3> BUNDLE cfsketch_g
cf3> *****************************************************************
cf3> ***********************************************************
cf3>  Server control promises..
cf3> ***********************************************************
cf3> Setting denybadclocks to 'false'
cf3> Setting allowing connections from ...
cf3> Setting allowing multiple connections from ...
cf3> Setting trust keys from ...
cf3> Setting skip verify connections from ...
cf3> SET Allowing users ...
cf3> Setting maxconnections to 100
cf3> Setting cfruncommand to '"/var/cfengine/bin/cf-agent" -f /var/cfengine/inputs/update.cf ; "/var/cfengine/bin/cf-agent"'
cf3> *****************************************************************
cf3> BUNDLE def
cf3> *****************************************************************
cf3> *****************************************************************
cf3> BUNDLE access_rules
cf3> *****************************************************************
cf3>

cf3>    =========================================================
cf3>    access in bundle access_rules (0)
cf3>    =========================================================
cf3>

cf3>

cf3>    =========================================================
cf3>    roles in bundle access_rules (0)
cf3>    =========================================================
cf3>

cf3> *****************************************************************
cf3> BUNDLE debian_knowledge
cf3> *****************************************************************
cf3> *****************************************************************
cf3> BUNDLE paths
cf3> *****************************************************************
cf3> *****************************************************************
cf3> BUNDLE cfsketch_g
cf3> *****************************************************************
cf3> Summarize control promises
cf3> Granted access to paths :
cf3> Path '/var/cfengine/masterfiles' (encrypt=0)
cf3> Admit: '157.159.21.144/16' root=
cf3> Admit: '.*\.example.com' root=
cf3> Path '/var/cfengine/bin' (encrypt=0)
cf3> Admit: '157.159.21.144/16' root=
cf3> Admit: '.*example.com' root=
cf3> Path '/var/cfengine/modules' (encrypt=0)
cf3> Admit: '157.159.21.144/16' root=
cf3> Admit: '.*example.com' root=
cf3> Denied access to paths :
cf3> Path '/var/cfengine/masterfiles'
cf3> Path '/var/cfengine/bin'
cf3> Path '/var/cfengine/modules'
cf3> Granted access to literal/variable/query data :
cf3> Denied access to literal/variable/query data:
cf3> Host IPs allowed connection access:
cf3> IP '127.0.0.1'
cf3> IP '::1'
cf3> Host IPs denied connection access:
cf3> Host IPs allowed multiple connection access:
cf3> IP '127.0.0.1'
cf3> IP '::1'
cf3> Host IPs from whom we shall accept public keys on trust:
cf3> IP '127.0.0.1'
cf3> IP '::1'
cf3> Users from whom we accept connections:
cf3> USERS 'root'
cf3> Host IPs from NAT which we don't verify:
cf3> IP '.*\.example.com'
cf3> IP '127.0.0.1'
cf3> IP '::1'
Server is starting...
cf-serverd starting Tue Jul 16 00:07:38 2013
cf3> Listening for connections ...
cf3> Accepting a connection
cf3> Obtained IP address of '157.159.21.211' on socket 5 from accept
Accepting connection from '157.159.21.211'
cf3> New connection...(from 157.159.21.211:sd 5)
cf3> Spawning new thread...
Cleaning up and exiting...

Apparently still no download logs :-(

For the record, my copy_files promise:

[root@cfengine3 masterfiles]# cat cf-disi-policies.cf
bundle agent disi_policies
{
files:

        salle_b01::

        "/etc/sssd/sssd.conf"
        copy_from => remote_cp("/var/cfengine/masterdisifiles/fedora19/sssd.conf","cfengine.int-evry.fr"),
        perms => m("600");

        b01_02::

        "/etc/sssd/sssd.conf"
        copy_from => secure_cp("/var/cfengine/masterdisifiles/fedora19/sssd.conf","cfengine.int-evry.fr"),
        perms => m("600");
}

thanks for your help .

Neil Watson

Jul 15, 2013, 9:04:17 PM
to help-c...@googlegroups.com
On Mon, Jul 15, 2013 at 03:18:34PM -0700, jehan procaccia wrote:
> cf3> IP '127.0.0.1'
> cf3> IP '::1'
> cf3> IP '157.159.21.144/16'
> Server is starting...
> cf-serverd starting Tue Jul 16 00:07:38 2013
> cf3> Listening for connections ...
> cf3> Accepting a connection
> cf3> Obtained IP address of '157.159.21.211' on socket 5 from accept
> Accepting connection from '157.159.21.211'
> cf3> New connection...(from 157.159.21.211:sd 5)
> cf3> Spawning new thread...
> Cleaning up and exiting...

Either you are cutting off this log, or the agent is contacting another
server. There must be more to the log if any agent contact is made. You
can confirm this using tcpdump on the server.

Neil Watson

Jul 15, 2013, 9:15:17 PM
to help-c...@googlegroups.com
Another thought is that the legacy verbose server output is also broken.
File requests are not being logged. In which case I'm not certain how
this can be debugged.

jehan procaccia

Jul 16, 2013, 5:10:45 AM
to help-c...@googlegroups.com, cfen...@watson-wilson.ca
I did copy all relevant logs, and the client does connect to that server,
but I finally found the source of my problem!
An access rule was missing... thanks to http://www.mail-archive.com/help-c...@cfengine.org/msg04947.html
Remember the source of my copy_file promise is (added _disi_ to distinguish it better):
 "/etc/sssd/sssd.conf"
        copy_from => secure_cp("/var/cfengine/master_disi_files/fedora19/sssd.conf","cfengine.int-evry.fr"),
I had created a /var/cfengine/master_disi_files to differentiate from cfengine's initial masterfiles, but didn't grant the corresponding access rule in masterfiles/controls/cf_serverd.cf,
so I added in cf_serverd.cf:
 # disi
   "$(def.dir_master_disi_files)"
       handle => "server_access_rule_grant_access_disi_policy",
      comment => "Grant access to the policy disi updates",
        admit => { ".*\.$(def.domain)", @(def.acl) };

with, in def.cf:
 "dir_master_disi_files" string => translatepath("$(sys.workdir)/master_disi_files"),
I also added in masterfiles/def.cf my full IP subnet /16 in the var "acl" slist, to be sure ...

Now the copy_file works fine ;-)

2013-07-16T10:46:47+0200  verbose: Skipping next promise '/etc/sssd/sssd.conf', as context 'salle_b01' is not relevant
2013-07-16T10:46:47+0200  verbose: Copy file '/etc/sssd/sssd.conf' from '/var/cfengine/master_disi_files/fedora19/sssd.conf' check
2013-07-16T10:46:47+0200  verbose: GetIdleConnectionToServer: no existing connection to '157.159.21.144' is established...
2013-07-16T10:46:47+0200  verbose: Set cfengine port number to '5308' = 5308
2013-07-16T10:46:47+0200  verbose: Set connection timeout to 30
2013-07-16T10:46:47+0200  verbose: Connect to 'cfengine3.int-evry.fr' = '157.159.21.144' on port '5308'
2013-07-16T10:46:47+0200  verbose: skipidentify was promised, so we are trusting and simply announcing the identity as 'b01-02.int-evry.fr' for this host
2013-07-16T10:46:47+0200  verbose: .....................[.h.a.i.l.].................................
2013-07-16T10:46:47+0200  verbose: Strong authentication of server 'cfengine.int-evry.fr' connection confirmed
2013-07-16T10:46:47+0200  verbose: Public key identity of host '157.159.21.144' is 'MD5=ba9cb6e2a6831b0a90e5ba594ae51041'
2013-07-16T10:46:48+0200  verbose: '/etc/sssd/sssd.conf' wasn't at destination (copying)
2013-07-16T10:46:48+0200     info: Copying from 'cfengine.int-evry.fr:/var/cfengine/master_disi_files/fedora19/sssd.conf'
2013-07-16T10:46:48+0200  verbose: Copy of regular file succeeded '/var/cfengine/master_disi_files/fedora19/sssd.conf' to '/etc/sssd/sssd.conf.cfnew'
2013-07-16T10:46:48+0200  verbose: Final verification of transmission ...
2013-07-16T10:46:48+0200  verbose: New file '/etc/sssd/sssd.conf.cfnew' transmitted correctly - verified
2013-07-16T10:46:48+0200  verbose: /disi_policies/files/'/etc/sssd/sssd.conf': Additional promise info: version 'Community Promises.cf 3.4.0' source path '/var/cfengine/inputs/cf-disi-policies.cf' at line 14
2013-07-16T10:46:48+0200  verbose: /disi_policies/files/'/etc/sssd/sssd.conf': File permissions on '/etc/sssd/sssd.conf' as promised
2013-07-16T10:46:48+0200  verbose: /disi_policies/files/'/etc/sssd/sssd.conf': Additional promise info: version 'Community Promises.cf 3.4.0' source path '/var/cfengine/inputs/cf-disi-policies.cf' at line 14
2013-07-16T10:46:48+0200  verbose: /disi_policies/files/'/etc/sssd/sssd.conf': Updated file from 'cfengine3.int-evry.fr:/var/cfengine/master_disi_files/fedora19/sssd.conf'
2013-07-16T10:46:48+0200  verbose: Existing connection just became free...
2013-07-16T10:46:48+0200  verbose: Handling file existence constraints on '/etc/sssd/sssd.conf'
2013-07-16T10:46:48+0200  verbose: /disi_policies/files/'/etc/sssd/sssd.conf': Additional promise info: version 'Community Promises.cf 3.4.0' source path '/var/cfengine/inputs/cf-disi-policies.cf' at line 14
2013-07-16T10:46:48+0200  verbose: /disi_policies/files/'/etc/sssd/sssd.conf': File permissions on '/etc/sssd/sssd.conf' as promised
2013-07-16T10:46:48+0200  verbose: Skipping next promise '/etc/sssd/sssd.conf', as context 'salle_b01' is not relevant

Back to our first debugging of cf_serverd, I still don't see more "downloads" logs though ...?

 cf-serverd -vFl > server-3-5-1-legacy-mode-masterfiles.txt

cf3> Summarize control promises
cf3> Granted access to paths :
cf3> Path '/var/cfengine/masterfiles' (encrypt=0)
cf3> Admit: '157.159.0.0/16' root=
cf3> Admit: '157.159.21.144/16' root=
cf3> Admit: '.*\.example.com' root=
cf3> Path '/var/cfengine/bin' (encrypt=0)
cf3> Admit: '157.159.0.0/16' root=
cf3> Admit: '157.159.21.144/16' root=
cf3> Admit: '.*example.com' root=
cf3> Path '/var/cfengine/modules' (encrypt=0)
cf3> Admit: '157.159.0.0/16' root=
cf3> Admit: '157.159.21.144/16' root=
cf3> Admit: '.*example.com' root=
cf3> Path '/var/cfengine/master_disi_files' (encrypt=0)
cf3> Admit: '157.159.0.0/16' root=
cf3> Admit: '157.159.21.144/16' root=
cf3> Admit: '.*\.example.com' root=
cf3> Denied access to paths :
cf3> Path '/var/cfengine/masterfiles'
cf3> Path '/var/cfengine/bin'
cf3> Path '/var/cfengine/modules'
cf3> Path '/var/cfengine/master_disi_files'
cf3> Granted access to literal/variable/query data :
cf3> Denied access to literal/variable/query data:
cf3> Host IPs allowed connection access:
cf3> IP '127.0.0.1'
cf3> IP '::1'
cf3> IP '157.159.0.0/16'
cf3> Host IPs denied connection access:
cf3> Host IPs allowed multiple connection access:
cf3> IP '127.0.0.1'
cf3> IP '::1'
cf3> IP '157.159.0.0/16'
cf3> Host IPs from whom we shall accept public keys on trust:
cf3> IP '127.0.0.1'
cf3> IP '::1'
cf3> IP '157.159.0.0/16'
cf3> Users from whom we accept connections:
cf3> USERS 'root'
cf3> Host IPs from NAT which we don't verify:
cf3> IP '.*\.example.com'
cf3> IP '127.0.0.1'
cf3> IP '::1'
cf3> IP '157.159.0.0/16'
Server is starting...
cf-serverd starting Tue Jul 16 10:46:42 2013
cf3> Listening for connections ...
cf3> Accepting a connection
cf3> Obtained IP address of '157.159.21.211' on socket 5 from accept
Accepting connection from '157.159.21.211'
cf3> New connection...(from 157.159.21.211:sd 5)
cf3> Spawning new thread...
Cleaning up and exiting...
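
The check that resolves this thread, written out as an added example (not part of the original posts and not CFEngine code): parse the "Granted access to paths" summary that `cf-serverd -v` prints at startup and test whether a `copy_from` source path is covered by an access rule that admits the client. The function names and the matching rules (CIDR range, otherwise an anchored regex on the host name) are simplifying assumptions; the sample log is constructed from the output quoted above.

```python
import ipaddress
import re

# Constructed sample: shortened from the cf-serverd startup summary in this thread.
SERVER_LOG = r"""
2013-07-12T08:20:57+0200  verbose: Granted access to paths :
2013-07-12T08:20:57+0200  verbose: Path '/var/cfengine/masterfiles' (encrypt=0)
2013-07-12T08:20:57+0200  verbose: Admit: '157.159.21.144/16' root=
2013-07-12T08:20:57+0200  verbose: Admit: '.*\.example.com' root=
2013-07-12T08:20:57+0200  verbose: Path '/var/cfengine/bin' (encrypt=0)
2013-07-12T08:20:57+0200  verbose: Admit: '157.159.21.144/16' root=
2013-07-12T08:20:57+0200  verbose: Denied access to paths :
2013-07-12T08:20:57+0200  verbose: Path '/var/cfengine/masterfiles'
"""

# These patterns ignore the line prefix, so the legacy "cf3> ..." format parses too.
PATH_RE = re.compile(r"Path '([^']+)'")
ADMIT_RE = re.compile(r"Admit: '([^']+)'")


def parse_granted_paths(log_text):
    """Return {path: [admit entries]} from the 'Granted access to paths' section."""
    grants, current, in_section = {}, None, False
    for line in log_text.splitlines():
        if "Granted access to paths" in line:
            in_section = True
            continue
        if in_section and "Denied access to paths" in line:
            break  # the deny summary lists the same paths; stop before it
        if not in_section:
            continue
        match = PATH_RE.search(line)
        if match:
            current = match.group(1)
            grants[current] = []
            continue
        match = ADMIT_RE.search(line)
        if match and current is not None:
            grants[current].append(match.group(1))
    return grants


def covering_rule(grants, requested):
    """Longest granted path equal to the requested path or a parent directory of it."""
    best = None
    for path in grants:
        base = path.rstrip("/")
        # Compare on a path-component boundary: '/var/cfengine/masterfiles'
        # must not cover '/var/cfengine/masterdisifiles/...'.
        if requested == base or requested.startswith(base + "/"):
            if best is None or len(base) > len(best.rstrip("/")):
                best = path
    return best


def admits(entry, client_ip, client_name=""):
    """True if one Admit entry matches the client (assumed matching rules)."""
    try:
        # strict=False accepts entries with host bits set, e.g. '157.159.21.144/16'
        network = ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(client_ip) in network
    except ValueError:
        # Not an address or range: treat the entry as a regex on the host name.
        return bool(client_name) and re.fullmatch(entry, client_name) is not None


def diagnose(log_text, requested, client_ip, client_name=""):
    """Classify a copy_from request as 'no-access-rule', 'client-not-admitted' or 'admitted'."""
    grants = parse_granted_paths(log_text)
    rule = covering_rule(grants, requested)
    if rule is None:
        return "no-access-rule"
    if any(admits(entry, client_ip, client_name) for entry in grants[rule]):
        return "admitted"
    return "client-not-admitted"


if __name__ == "__main__":
    src = "/var/cfengine/masterdisifiles/fedora19/sssd.conf"
    print(src, "->", diagnose(SERVER_LOG, src, "157.159.21.211", "b01-02.int-evry.fr"))
```

Run against the first capture in the thread, the requested source path falls under none of the three granted paths, which is the condition the client reports only as "Unspecified server refusal".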
