Identifying duplicate ppkeys


Cory Coager

May 31, 2017, 12:11:00 PM5/31/17
to help-cfengine
I realize that every agent is supposed to have a unique ppkey when talking to the policy hub. The issue that some may have is when a server is cloned but someone forgets to recreate the ppkey. You are left with two or more duplicate ppkeys in your environment. When the agents talk to the hub to check in their reports, the hostname is overwritten from whatever the last agent checked in with that duplicate key.

The question I have is, has anyone developed a policy to identify when you have duplicate keys in your environment? I figure I could write a policy easy enough using the hostname as the key and the ppkey as the value. I wanted to ask before reinventing the wheel as I figure this is a common problem for some.

Nick Anderson

May 31, 2017, 12:24:59 PM5/31/17
to help-cfengine
Hi Cory,

Can you try this sql?

#+BEGIN_SRC sql
  SELECT VariablesLog.VariableValue AS "Host name",
         VariablesLog.HostKey AS "CFEngine ID",
         VariablesLog.ChangeTimeStamp AS "Change time"
  FROM VariablesLog
  WHERE VariablesLog.VariableName = 'fqhost'
  AND VariablesLog.ChangeOperation = 'CHANGE'
#+END_SRC

Cory Coager

May 31, 2017, 1:11:23 PM5/31/17
to help-cfengine
Looks like the where clause for VariablesLog.ChangeOperation = 'CHANGE' fails as all entries seem to have 'ADD' in this field.

Nick Anderson

May 31, 2017, 3:34:19 PM5/31/17
to help-cfengine
Hurm, how about this one.

SELECT VariablesLog.VariableValue AS "Host name",
       VariablesLog.HostKey AS "CFEngine ID",
       VariablesLog.ChangeTimeStamp AS "Change time",
       ChangeOperation
FROM VariablesLog
WHERE VariablesLog.VariableName = 'fqhost'
ORDER BY VariablesLog.VariableValue, VariablesLog.ChangeTimeStamp

Cory Coager

May 31, 2017, 3:53:16 PM5/31/17
to help-cfengine
That returns thousands of results...

mike.w...@verticalsysadmin.com

Jun 12, 2017, 12:39:12 PM6/12/17
to help-cfengine
I'm sure this could be polished, but here is the procedure and script I've used to handle this scenario (detection of duplicate CFEngine keys) in an enterprise-scale environment:

Put the following into a file called "detect_duplicate_keys.sh" on the CFEngine hub:

#!/bin/sh
# Author: unknown
# Every 10 seconds, snapshot the "Incoming" keys the hub knows about and diff
# against the previous snapshot. A key that is shared by several hosts keeps
# changing the IP it is reported with, so it shows up in the diff output.

tmpfile=/tmp/keys   # fixed path under /tmp; run this only on a hub where /tmp is trusted

while sleep 10
do
  # rotate the previous snapshot (there is none on the first pass)
  [ -f "$tmpfile"2 ] && mv -f "$tmpfile"2 "$tmpfile"1
  # extract "<ip>\t<key>" from each Incoming line, sorted by key
  cf-key -s |
    sed -n 's/^Incoming *\([0-9.]*\).*\(\(SHA\|MD5\)=[0-9a-f]*\)$/\1\t\2/p' |
    sort -k2 > "$tmpfile"2

  printf '%s: Number of Incoming hosts: %s Diff from previous:\n' "$(date)" "$(wc -l < "$tmpfile"2)"
  [ -f "$tmpfile"1 ] && diff "$tmpfile"1 "$tmpfile"2
done

Then, run the script with "nohup ./detect_duplicate_keys.sh &" for about an hour (you can do less, it's up to you).  Make sure the "keys1" and "keys2" files aren't still sitting in /tmp from a previous run of the script, first.  And also ensure "nohup.out" isn't already present in the current directory beforehand (because that's what you'll be appending to).

Run "sed -n 's/^> //p;s/^< //p' nohup.out | sort -u" after the script has been running a while.  You'll see a list of the unique IP addresses with duplicate CFEngine keys.  These are the hosts on which you need to wipe and reinstall CFEngine (or you could muck around with removing the existing key and regenerating a key on each of those hosts, but I wouldn't bother, personally).

Disclaimer: I may have made a typo in transcribing this; it wasn't copy-and-pasted.  However, if it works at all, it will work.  :)  (In other words if I haven't made a dumb typo that stops it from even running, then it will work as intended and as it did for me.)

Best,
--Mike Weilgart
Vertical Sysadmin, Inc.
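The same idea as Mike's script, as an added example rather than code from this thread or from CFEngine: instead of diffing consecutive snapshots by eye, collect several `cf-key -s` snapshots and report every key that was attributed to more than one IP. The `Incoming <ip> ... <SHA|MD5>=<hex>` line layout it parses is an assumption modelled on the sed expression above; the snapshots are constructed sample data.

```python
import re
from collections import defaultdict

# Assumed layout of the "Incoming" lines of `cf-key -s`: IP after the direction,
# key at the end of the line. Adjust the pattern if your hub prints columns differently.
LINE_RE = re.compile(r"^Incoming\s+(?P<ip>[0-9.]+).*\b(?P<key>(?:SHA|MD5)=[0-9a-f]+)$")


def parse_snapshot(text):
    """Return {key: ip} for the Incoming lines of one cf-key -s snapshot."""
    mapping = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mapping[m.group("key")] = m.group("ip")
    return mapping


def find_duplicate_keys(snapshots):
    """Aggregate snapshots taken over time and return {key: sorted IPs} for every
    key seen from more than one IP. A key unique to one host always shows the
    same IP; a key copied by cloning flips between the hosts that share it."""
    seen = defaultdict(set)
    for snap in snapshots:
        for key, ip in parse_snapshot(snap).items():
            seen[key].add(ip)
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) > 1}


# Constructed sample snapshots: SHA=aaaa1111 is presented by both 10.0.0.5 and 10.0.0.6.
SNAPSHOT_1 = """\
Direction IP        Name   Last connection           Key
Incoming  10.0.0.5  web01  Mon May 29 10:00:00 2017  SHA=aaaa1111
Incoming  10.0.0.7  db01   Mon May 29 10:00:00 2017  SHA=bbbb2222
"""
SNAPSHOT_2 = """\
Direction IP        Name   Last connection           Key
Incoming  10.0.0.6  web01  Mon May 29 10:00:10 2017  SHA=aaaa1111
Incoming  10.0.0.7  db01   Mon May 29 10:00:10 2017  SHA=bbbb2222
"""

if __name__ == "__main__":
    for key, ips in find_duplicate_keys([SNAPSHOT_1, SNAPSHOT_2]).items():
        print(f"{key} seen from {', '.join(ips)}")
```

On a real hub, feed it the output of repeated `cf-key -s` runs (for example the snapshot files the script above leaves in /tmp) instead of the constructed strings.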

Aleksey Tsalolikhin

Aug 3, 2017, 1:16:39 AM8/3/17
to help-cfengine
Hi Cory,

You can see https://github.com/cfengine/core/pull/2898 for my current solution to this problem.

This should work on both Enterprise and Community policy hubs.

I found checking cf-key output more productive than trying to solve this at the database level.

Thanks,
Aleksey

Aleksey Tsalolikhin

Aug 31, 2017, 11:05:41 PM8/31/17
to help-cfengine
And this pull request has been merged and is now available in master.  Thanks, Nick!

-- 
Achieve real learning.  Email trai...@verticalsysadmin.com.

