Hi all,
Been trying to add a new subnet to the
cf_serverd.cf file for my new dc.
I'm running:
cf-agent -V
CFEngine Core 3.5.3
I'm trying to add subnet 10.133 and it is failing. Subnets 10.130 and 10.131 work perfectly.
When I run a bootstrap I get the following error:
cf-agent --bootstrap 10.131.72.50
2016-08-21T06:45:45+0000 error: Couldn't receceive. (recv: Connection reset by peer)
2016-08-21T06:45:45+0000 error: Protocol transaction broken off (1). (ReceiveTransaction: Connection reset by peer)
2016-08-21T06:45:45+0000 error: Authentication dialogue with '10.131.72.50' failed
2016-08-21T06:45:45+0000 error: Unable to establish any connection with server.
2016-08-21T06:45:45+0000 notice: R: This autonomous node assumes the role of voluntary client
2016-08-21T06:45:45+0000 notice: R: Failed to copy policy from policy server at 10.131.72.50:/var/cfengine/masterfiles
Please check
* cf-serverd is running on 10.131.72.50
* network connectivity to 10.131.72.50 on port 5308
* masterfiles 'body server control' - in particular allowconnects, trustkeysfrom and skipverify
* masterfiles 'bundle server' -> access: -> masterfiles -> admit/deny
It is often useful to restart cf-serverd in verbose mode (cf-serverd -v) on 10.131.72.50 to diagnose connection issues.
When updating masterfiles, wait (usually 5 minutes) for files to propagate to inputs on 10.131.72.50 before retrying.
2016-08-21T06:45:45+0000 notice: R: Did not start the scheduler
2016-08-21T06:45:45+0000 error: Bootstrapping failed, no input file at '/var/cfengine/inputs/promises.cf' after bootstrap
Port check looks good from the server:
nc -v -4 10.131.72.50 5308
Connection to 10.131.72.50 5308 port [tcp/cfengine] succeeded!
On the server I ran:
# /var/cfengine/bin/cf-serverd -v
...
2016-08-21T06:47:22+0000 verbose: Obtained IP address of '10.133.150.69' on socket 7 from accept
2016-08-21T06:47:22+0000 error: Not allowing connection from non-authorized IP '10.133.150.69'
2016-08-21T06:47:23+0000 verbose: Accepting a connection
2016-08-21T06:47:23+0000 verbose: Obtained IP address of '10.133.150.69' on socket 7 from accept
2016-08-21T06:47:23+0000 error: Not allowing connection from non-authorized IP '10.133.150.69'
...
My config file is below:
cf_serverd.cf
###############################################################################
# This part is for cf-serverd
#
# Server controls are mainly about determining access policy for the connection
# protocol: i.e. access to the server itself.
# Access to specific files must be granted in addition.
###############################################################################
body server control
{
denybadclocks => "false";
allowconnects => { "127.0.0.1" , "::1", @(def.acl) };
allowallconnects => { "127.0.0.1" , "::1", @(def.acl) };
trustkeysfrom => { "127.0.0.1" , "::1", @(def.acl) };
skipverify => { ".*\.$(def.domain)", "127.0.0.1" , "::1", @(def.acl) };
allowusers => { "root" };
maxconnections => "100";
!windows::
cfruncommand => "$(sys.cf_twin) -f $(sys.workdir)/inputs/update.cf ; $(sys.cf_agent)";
}
###############################################################################
bundle server access_rules()
{
access:
any::
"$(def.dir_masterfiles)"
handle => "server_access_rule_grant_access_policy",
comment => "Grant access to the policy updates",
admit => { ".*\.$(def.domain)", @(def.acl) };
"$(def.dir_bin)"
handle => "server_access_grant_access_binary",
comment => "Grant access to binary for cf-runagent",
admit => { ".*$(def.domain)", @(def.acl) };
"$(def.dir_modules)"
handle => "server_access_grant_access_modules",
comment => "Grant access to modules directory",
admit => { ".*$(def.domain)", @(def.acl) };
# Uncomment the promise below to allow cf-runagent to
# access cf-agent on Windows machines
#
# "c:\program files\cfengine\bin\cf-agent.exe"
#
# handle => "server_access_rule_grant_access_cfagent_windows",
# comment => "Grant access to the agent (for cf-runagent)",
# admit => { ".*\.$(def.domain)", @(def.acl) };
#
"${g.repo}" admit => { "10.131\..*" };
"${g.inputs}" admit => { "10.131\..*" };
"${g.modules}" admit => { "10.131\..*" };
"${g.binaries}" admit => { "10.131\..*" };
"${g.libraries}" admit => { "10.131\..*" };
"/var/cfengine/failsafe" admit => { "10.131\..*" };
# The init scripts
"/etc/init.d/cf-execd" admit => { "10.131\..*" };
"/usr/sbin/cf-execd" admit => { "10.131\..*" };
#access 10.133
"${g.repo}" admit => { "10.133\..*" };
"${g.inputs}" admit => { "10.133\..*" };
"${g.modules}" admit => { "10.133\..*" };
"${g.binaries}" admit => { "10.133\..*" };
"${g.libraries}" admit => { "10.133\..*" };
"/var/cfengine/failsafe" admit => { "10.133\..*" };
# The init scripts
"/etc/init.d/cf-execd" admit => { "10.133\..*" };
"/usr/sbin/cf-execd" admit => { "10.133\..*" };
#access 10.130
"${g.repo}" admit => { "10.130\..*" };
"${g.inputs}" admit => { "10.130\..*" };
"${g.modules}" admit => { "10.130\..*" };
"${g.binaries}" admit => { "10.130\..*" };
"${g.libraries}" admit => { "10.130\..*" };
"/var/cfengine/failsafe" admit => { "10.130\..*" };
# The init scripts
"/etc/init.d/cf-execd" admit => { "10.130\..*" };
"/usr/sbin/cf-execd" admit => { "10.130\..*" };
roles:
# Use roles to allow specific remote cf-runagent users to
# define certain soft-classes when running cf-agent on this host
cfengine_3::
".*" authorize => { "root" };
}
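Added example, not part of the original post: a small Python model of the two access layers the bootstrap error message lists, allowconnects in body server control (checked first, at connection time) and admit in bundle server access_rules (checked per path, only after the connection is accepted). The contents of def.acl, the domain and the path key are assumptions, since the post does not show def.cf.

```python
import re

# Constructed stand-in for @(def.acl), which lives in def.cf and is not shown
# in the post. Assumption: it lists the two working subnets but not 10.133.
DEF_ACL = [r"10\.130\..*", r"10\.131\..*"]

# allowconnects from the posted body server control, with @(def.acl) expanded.
ALLOWCONNECTS = ["127.0.0.1", "::1"] + DEF_ACL

# admit rules, reduced to one constructed path key for the policy directory.
# The 10.133 entry mirrors the "#access 10.133" block the poster added.
ADMIT = {
    "/var/cfengine/masterfiles": [r".*\.example\.com", *DEF_ACL, r"10\.133\..*"],
}


def cf_match(pattern: str, value: str) -> bool:
    """CFEngine anchors its regexes: "10.131\\..*" must match the whole
    address, which re.fullmatch reproduces (re.search would not)."""
    return re.fullmatch(pattern, value) is not None


def connection_allowed(client_ip: str, allowconnects=ALLOWCONNECTS) -> bool:
    """Layer 1: body server control / allowconnects. A client that fails
    here is dropped with 'Not allowing connection from non-authorized IP'
    before any access: promise is consulted."""
    return any(cf_match(p, client_ip) for p in allowconnects)


def path_admitted(client_ip: str, path: str, admit=ADMIT) -> bool:
    """Layer 2: bundle server access_rules / admit for one path."""
    return any(cf_match(p, client_ip) for p in admit.get(path, []))


def diagnose(client_ip: str, path: str, allowconnects=ALLOWCONNECTS) -> str:
    """Report which layer rejects a client, in the order cf-serverd applies them."""
    if not connection_allowed(client_ip, allowconnects):
        return "rejected by allowconnects"
    if not path_admitted(client_ip, path):
        return "rejected by admit"
    return "allowed"


if __name__ == "__main__":
    for ip in ("10.131.72.51", "10.133.150.69"):
        print(ip, diagnose(ip, "/var/cfengine/masterfiles"))
    # Widening the connection-level list is what lets the admit rules take effect.
    print("10.133.150.69", diagnose("10.133.150.69", "/var/cfengine/masterfiles",
                                    ALLOWCONNECTS + [r"10\.133\..*"]))
```

The admit entries for 10.133 are never reached while allowconnects (or the def.acl it expands) omits that subnet, which is consistent with the verbose cf-serverd log in the post.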