Adding new subnet to cf_serverd.cf fails

jab2805

Aug 21, 2016, 2:50:20 AM
to help-cfengine
Hi all,


Been trying to add a new subnet to the cf_serverd.cf file for my new dc.

I'm running:

cf-agent  -V
CFEngine Core 3.5.3


I'm trying to add subnet 10.133 and it is failing. Subnets 10.130 and 10.131 work perfectly.


When I run a bootstrap I get the following error:


 cf-agent  --bootstrap  10.131.72.50
2016-08-21T06:45:45+0000    error: Couldn't receceive. (recv: Connection reset by peer)
2016-08-21T06:45:45+0000    error: Protocol transaction broken off (1). (ReceiveTransaction: Connection reset by peer)
2016-08-21T06:45:45+0000    error: Authentication dialogue with '10.131.72.50' failed
2016-08-21T06:45:45+0000    error: Unable to establish any connection with server.
2016-08-21T06:45:45+0000   notice: R: This autonomous node assumes the role of voluntary client
2016-08-21T06:45:45+0000   notice: R: Failed to copy policy from policy server at 10.131.72.50:/var/cfengine/masterfiles
       Please check
       * cf-serverd is running on 10.131.72.50
       * network connectivity to 10.131.72.50 on port 5308
       * masterfiles 'body server control' - in particular allowconnects, trustkeysfrom and skipverify
       * masterfiles 'bundle server' -> access: -> masterfiles -> admit/deny
       It is often useful to restart cf-serverd in verbose mode (cf-serverd -v) on 10.131.72.50 to diagnose connection issues.
       When updating masterfiles, wait (usually 5 minutes) for files to propagate to inputs on 10.131.72.50 before retrying.
2016-08-21T06:45:45+0000   notice: R: Did not start the scheduler
2016-08-21T06:45:45+0000    error: Bootstrapping failed, no input file at '/var/cfengine/inputs/promises.cf' after bootstrap

Port check looks good from the server:

 nc -v -4   10.131.72.50 5308
Connection to 10.131.72.50 5308 port [tcp/cfengine] succeeded!


On the server I ran:
 

# /var/cfengine/bin/cf-serverd -v
...
2016-08-21T06:47:22+0000  verbose: Obtained IP address of '10.133.150.69' on socket 7 from accept
2016-08-21T06:47:22+0000    error: Not allowing connection from non-authorized IP '10.133.150.69'
2016-08-21T06:47:23+0000  verbose: Accepting a connection
2016-08-21T06:47:23+0000  verbose: Obtained IP address of '10.133.150.69' on socket 7 from accept
2016-08-21T06:47:23+0000    error: Not allowing connection from non-authorized IP '10.133.150.69'
...


My config file is below:
  
cf_serverd.cf
###############################################################################
# This part is for cf-serverd
#
# Server controls are mainly about determining access policy for the connection
# protocol: i.e. access to the server itself.
# Access to specific files must be granted in addition.
###############################################################################

body server control

{

 denybadclocks         => "false";
 allowconnects         => { "127.0.0.1" , "::1", @(def.acl) };
 allowallconnects      => { "127.0.0.1" ,  "::1", @(def.acl) };
 trustkeysfrom         => { "127.0.0.1" ,  "::1", @(def.acl) };

 skipverify            => { ".*\.$(def.domain)", "127.0.0.1" , "::1", @(def.acl) };

 allowusers            => { "root" };
 maxconnections        => "100";

 !windows::
  cfruncommand => "$(sys.cf_twin) -f $(sys.workdir)/inputs/update.cf ; $(sys.cf_agent)";

}

###############################################################################

bundle server access_rules()

{

 access:

  any::

   "$(def.dir_masterfiles)"
       handle => "server_access_rule_grant_access_policy",
      comment => "Grant access to the policy updates",
        admit => { ".*\.$(def.domain)", @(def.acl) };

   "$(def.dir_bin)"
       handle => "server_access_grant_access_binary",
      comment => "Grant access to binary for cf-runagent",
      admit   => { ".*$(def.domain)", @(def.acl) };

   "$(def.dir_modules)"
       handle => "server_access_grant_access_modules",
      comment => "Grant access to modules directory",
      admit   => { ".*$(def.domain)", @(def.acl) };

# Uncomment the promise below to allow cf-runagent to
# access cf-agent on Windows machines
#      
#  "c:\program files\cfengine\bin\cf-agent.exe"
#
#    handle => "server_access_rule_grant_access_cfagent_windows",
#    comment => "Grant access to the agent (for cf-runagent)",
#    admit   => { ".*\.$(def.domain)", @(def.acl) };



#

   "${g.repo}"                   admit => { "10.131\..*" };
   "${g.inputs}"                 admit => { "10.131\..*" };
   "${g.modules}"                admit => { "10.131\..*" };
   "${g.binaries}"               admit => { "10.131\..*" };
   "${g.libraries}"              admit => { "10.131\..*" };
   "/var/cfengine/failsafe"      admit => { "10.131\..*" };

   # The init scripts
   "/etc/init.d/cf-execd"        admit => { "10.131\..*" };
   "/usr/sbin/cf-execd"          admit => { "10.131\..*" };


#access 10.133


   "${g.repo}"                   admit => { "10.133\..*" };
   "${g.inputs}"                 admit => { "10.133\..*" };
   "${g.modules}"                admit => { "10.133\..*" };
   "${g.binaries}"               admit => { "10.133\..*" };
   "${g.libraries}"              admit => { "10.133\..*" };
   "/var/cfengine/failsafe"      admit => { "10.133\..*" };

   # The init scripts
   "/etc/init.d/cf-execd"        admit => { "10.133\..*" };
   "/usr/sbin/cf-execd"          admit => { "10.133\..*" };

#access 10.130

   "${g.repo}"                   admit => { "10.130\..*" };
   "${g.inputs}"                 admit => { "10.130\..*" };
   "${g.modules}"                admit => { "10.130\..*" };
   "${g.binaries}"               admit => { "10.130\..*" };
   "${g.libraries}"              admit => { "10.130\..*" };
   "/var/cfengine/failsafe"      admit => { "10.130\..*" };




   # The init scripts
   "/etc/init.d/cf-execd"        admit => { "10.130\..*" };
   "/usr/sbin/cf-execd"          admit => { "10.130\..*" };



 roles:

# Use roles to allow specific remote cf-runagent users to
# define certain soft-classes when running cf-agent on this host       

  cfengine_3::

   ".*"  authorize => { "root" };

}

Nick Anderson

Aug 22, 2016, 9:22:13 AM
to help-c...@googlegroups.com
On 08/21/2016 01:50 AM, jab2805 wrote:


> Hi all, Been trying to add a new subnet to the
> cf_serverd.cf file for my new dc. I'm running: cf-agent
> -V CFEngine Core 3.5.3 I'm trying to add subnet 10.133
> it failing. Subnets 10.130 and 10.131 work perfectly.

You seem to be re-defining the acl promise for each of your paths. I
see that you define the access promise `${g.repo}' with an admit value
of `10.133.*'.

"${g.repo}" admit => { "10.133\..*" };

Subsequently you are re-defining an access promise for the same path,
but with a different match.

#access 10.130
"${g.repo}" admit => { "10.130\..*" };

If you move your `10.133' definitions to the end of that bundle then
they should work (but your other acls won't).

Note that the `admit' access promise attribute can take a *list*.

So you can do:

,----
| vars:
| "subnets" slist => { "10.130\..*", "10.131\..*", "10.133\..*" };
|
| "${g.repo}" admit => { @(subnets) };
`----

Also note, *you are not required to use `bundle server access_rules'*.
You can define your own ACLs in your own server bundle instead.

,----
| bundle server my_special_access_rules
| {
|
| vars:
| "subnets" slist => { "10.130\..*", "10.131\..*", "10.133\..*" };
|
| access:
|
| "${g.repo}" admit => { @(subnets) };
| "${g.inputs}" admit => { @(subnets) };
| "${g.modules}" admit => { @(subnets) };
| "${g.binaries}" admit => { @(subnets) };
| "${g.libraries}" admit => { @(subnets) };
| "/var/cfengine/failsafe" admit => { @(subnets) };
|
| }
`----

Also note, that there are other admit options available after you
upgrade to 3.6 or later with the new protocol.

[https://docs.cfengine.com/lts/reference-promise-types-access.html]




jab2805

Aug 22, 2016, 10:13:44 AM
to help-cfengine
I made the suggested edits but it is still not working. I can see my changed file in the inputs and tried a new bootstrap that still fails. Hmmm...




Edits: 

[root@XXXXX controls]# cat /var/cfengine/inputs/controls/cf_serverd.cf
###############################################################################
# This part is for cf-serverd
#
# Server controls are mainly about determining access policy for the connection 
# protocol: i.e. access to the server itself. 
# Access to specific files must be granted in addition. 
###############################################################################

body server control

{

 denybadclocks         => "false";
 allowconnects         => { "127.0.0.1" , "::1", @(def.acl) };
 allowallconnects      => { "127.0.0.1" ,  "::1", @(def.acl) };
 trustkeysfrom         => { "127.0.0.1" , "10.133.150.69" , "::1", @(def.acl) };

 skipverify            => { ".*\.$(def.domain)", "127.0.0.1" , "::1", @(def.acl) };

 allowusers            => { "root" };
 maxconnections        => "100";

 !windows::
  cfruncommand => "$(sys.cf_twin) -f $(sys.workdir)/inputs/update.cf ; $(sys.cf_agent)";

}

###############################################################################

bundle server access_rules()

{


vars:

    "subnets" slist => { "10.130\..*", "10.131\..*", "10.133\..*" }; 
 access:

  any::

   "$(def.dir_masterfiles)"
       handle => "server_access_rule_grant_access_policy",
      comment => "Grant access to the policy updates",
        admit => { ".*\.$(def.domain)", @(def.acl) };

   "$(def.dir_bin)"
       handle => "server_access_grant_access_binary",
      comment => "Grant access to binary for cf-runagent",
      admit   => { ".*$(def.domain)", @(def.acl) };

   "$(def.dir_modules)"
       handle => "server_access_grant_access_modules",
      comment => "Grant access to modules directory",
      admit   => { ".*$(def.domain)", @(def.acl) };


   "${g.repo}"                   admit => { @(subnets)  };
   "${g.inputs}"                 admit => { @(subnets)  };
   "${g.modules}"                admit => { @(subnets)  };
   "${g.binaries}"               admit => { @(subnets)  };
   "${g.libraries}"              admit => { @(subnets)  };
   "/var/cfengine/failsafe"      admit => { @(subnets)  };

   # The init scripts
   "/etc/init.d/cf-execd"        admit => { @(subnets) };
   "/usr/sbin/cf-execd"          admit => { @(subnets) };


 roles:

  

  cfengine_3::

   ".*"  authorize => { "root" };

}


From startup of the new config:
---

2016-08-22T14:05:24+0000  verbose: Summarize control promises
2016-08-22T14:05:24+0000  verbose: Granted access to paths :
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/masterfiles' (encrypt=0)
2016-08-22T14:05:24+0000  verbose: Admit: '10.131.72.50/16' root=
2016-08-22T14:05:24+0000  verbose: Admit: '.*\.example.com' root=
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/bin' (encrypt=0)
2016-08-22T14:05:24+0000  verbose: Admit: '10.131.72.50/16' root=
2016-08-22T14:05:24+0000  verbose: Admit: '.*example.com' root=
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/modules' (encrypt=0)
2016-08-22T14:05:24+0000  verbose: Admit: '10.133\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.131\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.130\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.131.72.50/16' root=
2016-08-22T14:05:24+0000  verbose: Admit: '.*example.com' root=
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/master' (encrypt=0)
2016-08-22T14:05:24+0000  verbose: Admit: '10.133\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.131\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.130\..*' root=
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/inputs' (encrypt=0)
2016-08-22T14:05:24+0000  verbose: Admit: '10.133\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.131\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.130\..*' root=
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/sbin' (encrypt=0)
2016-08-22T14:05:24+0000  verbose: Admit: '10.133\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.131\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.130\..*' root=
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/lib' (encrypt=0)
2016-08-22T14:05:24+0000  verbose: Admit: '10.133\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.131\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.130\..*' root=
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/failsafe' (encrypt=0)
2016-08-22T14:05:24+0000  verbose: Admit: '10.133\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.131\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.130\..*' root=
2016-08-22T14:05:24+0000  verbose: Path '/etc/init.d/cf-execd' (encrypt=0)
2016-08-22T14:05:24+0000  verbose: Admit: '10.133\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.131\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.130\..*' root=
2016-08-22T14:05:24+0000  verbose: Path '/usr/sbin/cf-execd' (encrypt=0)
2016-08-22T14:05:24+0000  verbose: Admit: '10.133\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.131\..*' root=
2016-08-22T14:05:24+0000  verbose: Admit: '10.130\..*' root=
2016-08-22T14:05:24+0000  verbose: Denied access to paths :
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/masterfiles'
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/bin'
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/modules'
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/master'
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/inputs'
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/sbin'
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/lib'
2016-08-22T14:05:24+0000  verbose: Path '/var/cfengine/failsafe'
2016-08-22T14:05:24+0000  verbose: Path '/etc/init.d/cf-execd'
2016-08-22T14:05:24+0000  verbose: Path '/usr/sbin/cf-execd'
2016-08-22T14:05:24+0000  verbose: Granted access to literal/variable/query data :
2016-08-22T14:05:24+0000  verbose: Denied access to literal/variable/query data:


Access issues: 
---
2016-08-22T14:09:04+0000  verbose: Obtained IP address of '10.133.150.48' on socket 7 from accept
2016-08-22T14:09:04+0000    error: Not allowing connection from non-authorized IP '10.133.150.48'
2016-08-22T14:09:05+0000  verbose: Accepting a connection
2016-08-22T14:09:05+0000  verbose: Obtained IP address of '10.133.150.48' on socket 7 from accept
2016-08-22T14:09:05+0000    error: Not allowing connection from non-authorized IP '10.133.150.48'

Nick Anderson

Aug 22, 2016, 10:15:54 AM
to help-c...@googlegroups.com
On 08/22/2016 09:13 AM, jab2805 wrote:
> I made the suggest edits but it still not working. I can see my
> changed file in the inputs and tried a new bootstrap that still fails.
> Hmmm...

Did you re-start cf-serverd on the hub after making the changes?


jab2805

Aug 22, 2016, 2:02:59 PM
to help-cfengine
Yes I did. I killed it with a -9 and restarted it with the -v option for debugging.



Nick Anderson

Aug 22, 2016, 2:19:14 PM
to jab2805, help-cfengine
On 08/22/2016 01:02 PM, jab2805 wrote:
> Yes I did I killed it with a -9 and restarted it with -v option for
> debugging.

Can you attach the full output from cf-serverd -Fv?

There should be an access summary reported after the policy has been
evaluated.





jab2805

Aug 23, 2016, 12:43:51 PM
to help-cfengine


I think this is it. Strange, why is it still not allowing the host?

016-08-23T16:35:11+0000  verbose: Summarize control promises
2016-08-23T16:35:11+0000  verbose: Granted access to paths :
2016-08-23T16:35:11+0000  verbose: Path '/var/cfengine/masterfiles' (encrypt=0)
2016-08-23T16:35:11+0000  verbose: Admit: '10.131.72.50/16' root=
2016-08-23T16:35:11+0000  verbose: Admit: '.*\.example.com' root=
2016-08-23T16:35:11+0000  verbose: Path '/var/cfengine/bin' (encrypt=0)
2016-08-23T16:35:11+0000  verbose: Admit: '10.131.72.50/16' root=
2016-08-23T16:35:11+0000  verbose: Admit: '.*example.com' root=
2016-08-23T16:35:11+0000  verbose: Path '/var/cfengine/modules' (encrypt=0)
2016-08-23T16:35:11+0000  verbose: Admit: '10.133\..*' root=
2016-08-23T16:35:11+0000  verbose: Admit: '10.131\..*' root=
2016-08-23T16:35:11+0000  verbose: Admit: '10.130\..*' root=
2016-08-23T16:35:11+0000  verbose: Admit: '10.131.72.50/16' root=
2016-08-23T16:35:11+0000  verbose: Admit: '.*example.com' root=
2016-08-23T16:35:11+0000  verbose: Path '/var/cfengine/master' (encrypt=0)
2016-08-23T16:35:11+0000  verbose: Admit: '10.133\..*' root=
2016-08-23T16:35:11+0000  verbose: Admit: '10.131\..*' root=
2016-08-23T16:35:11+0000  verbose: Admit: '10.130\..*' root=
2016-08-23T16:35:11+0000  verbose: Path '/var/cfengine/inputs' (encrypt=0)
2016-08-23T16:35:11+0000  verbose: Admit: '10.133\..*' root=
2016-08-23T16:35:11+0000  verbose: Admit: '10.131\..*' root=
2016-08-23T16:35:11+0000  verbose: Admit: '10.130\..*' root=
2016-08-23T16:35:11+0000  verbose: Path '/var/cfengine/sbin' (encrypt=0)




Messages from cf-serverd -v

----

2016-08-23T16:42:10+0000  verbose: New connection...(from 10.131.72.167:sd 7)
2016-08-23T16:42:10+0000  verbose: Spawning new thread...
2016-08-23T16:42:10+0000  verbose: Accepting a connection
2016-08-23T16:42:10+0000  verbose: Obtained IP address of '10.131.72.167' on socket 7 from accept
2016-08-23T16:42:10+0000     info: Accepting connection from '10.131.72.167'
2016-08-23T16:42:10+0000  verbose: New connection...(from 10.131.72.167:sd 7)
2016-08-23T16:42:10+0000  verbose: Spawning new thread...
2016-08-23T16:42:12+0000  verbose: Accepting a connection

2016-08-23T16:42:12+0000  verbose: Obtained IP address of '10.133.150.94' on socket 7 from accept
2016-08-23T16:42:12+0000    error: Not allowing connection from non-authorized IP '10.133.150.94'
2016-08-23T16:42:13+0000  verbose: Accepting a connection
2016-08-23T16:42:13+0000  verbose: Obtained IP address of '10.133.150.103' on socket 7 from accept
2016-08-23T16:42:13+0000    error: Not allowing connection from non-authorized IP '10.133.150.103'
2016-08-23T16:42:14+0000  verbose: Accepting a connection

2016-08-23T16:42:14+0000  verbose: Obtained IP address of '10.133.150.94' on socket 7 from accept
2016-08-23T16:42:14+0000    error: Not allowing connection from non-authorized IP '10.133.150.94'
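An added triage sketch, not part of the thread and not CFEngine code: it reads the access summary and the rejection lines that `cf-serverd -v` printed above and reports, for each rejected client, which path admit lists already cover it. The function names are hypothetical, and treating each entry as either a CIDR block or an anchored regex is this sketch's simplified model of how the entries match.

```python
import ipaddress
import re

# Lines excerpted from the cf-serverd -v output posted in this thread.
SAMPLE_LOG = r"""
2016-08-23T16:35:11+0000  verbose: Path '/var/cfengine/masterfiles' (encrypt=0)
2016-08-23T16:35:11+0000  verbose: Admit: '10.131.72.50/16' root=
2016-08-23T16:35:11+0000  verbose: Admit: '.*\.example.com' root=
2016-08-23T16:35:11+0000  verbose: Path '/var/cfengine/inputs' (encrypt=0)
2016-08-23T16:35:11+0000  verbose: Admit: '10.133\..*' root=
2016-08-23T16:35:11+0000  verbose: Admit: '10.131\..*' root=
2016-08-23T16:35:11+0000  verbose: Admit: '10.130\..*' root=
2016-08-23T16:42:10+0000     info: Accepting connection from '10.131.72.167'
2016-08-23T16:42:12+0000    error: Not allowing connection from non-authorized IP '10.133.150.94'
2016-08-23T16:42:13+0000    error: Not allowing connection from non-authorized IP '10.133.150.103'
"""

PATH_RE = re.compile(r"verbose: Path '([^']+)' \(encrypt=")
ADMIT_RE = re.compile(r"verbose: Admit: '([^']+)'")
REJECT_RE = re.compile(r"Not allowing connection from non-authorized IP '([^']+)'")


def parse(log):
    """Return ({path: [admit entries]}, [rejected client IPs]) from verbose output."""
    admits, rejected, current = {}, [], None
    for line in log.splitlines():
        if m := PATH_RE.search(line):
            current = m.group(1)
            admits.setdefault(current, [])
        elif (m := ADMIT_RE.search(line)) and current is not None:
            admits[current].append(m.group(1))
        elif m := REJECT_RE.search(line):
            if m.group(1) not in rejected:
                rejected.append(m.group(1))
    return admits, rejected


def entry_matches(entry, ip):
    """True if one ACL entry covers ip (assumed model: CIDR, else anchored regex)."""
    if "/" in entry:
        try:
            # '10.131.72.50/16' carries host bits, so normalise with strict=False.
            return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            pass  # not a CIDR after all; fall through to the regex test
    try:
        return re.fullmatch(entry, ip) is not None
    except re.error:
        return False


def triage(log):
    """For each rejected IP, split the granted paths by whether an admit entry covers it."""
    admits, rejected = parse(log)
    report = {}
    for ip in rejected:
        covered = [p for p, entries in admits.items()
                   if any(entry_matches(e, ip) for e in entries)]
        report[ip] = {
            "admitted_by": covered,
            "not_admitted_by": [p for p in admits if p not in covered],
        }
    return report


if __name__ == "__main__":
    for ip, result in triage(SAMPLE_LOG).items():
        print(ip, result)
```

A client that is rejected while the path admit lists already cover it points away from the `access:` promises and toward the connection-level lists in `body server control`, which the bootstrap hint in the first post also names. In the posted config those lists expand `@(def.acl)`, and the only value the summary shows coming from it is `10.131.72.50/16`.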






Neil Watson

Aug 23, 2016, 12:55:22 PM
to help-cfengine
Version 3.5* of cf-serverd does not properly log client connections.
You'll never find the results in the logs. I suggest you upgrade to the
LTS version 3.7.


--
Neil H Watson @neil_h_watson
CFEngine reporting: https://github.com/neilhwatson/delta_reporting
CFEngine policy: https://github.com/neilhwatson/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3

Aleksey Tsalolikhin

Aug 23, 2016, 1:59:18 PM
to help-cfengine, Jeffrey Brewster
Hi Jeffrey,

There are  a lot of performance improvements in cf-serverd 3.7.2 or higher compared to 3.5 and 3.6.  If you can, I second Neil's suggestion to upgrade your cf-serverd's.  Can you?

Best,
-at







--
Aleksey Tsalolikhin
Founder and Chief Trainer

Neil Watson

Aug 23, 2016, 2:03:49 PM
to help-cfengine
On Tue, Aug 23, 2016 at 10:58:55AM -0700, Aleksey Tsalolikhin wrote:
> Hi Jeffrey,
> There are  a lot of performance improvements in cf-serverd 3.7.2 or
> higher compared to 3.5 and 3.6.  If you can, I second Neil's suggestion
> to upgrade your cf-serverd's.  Can you?

One caveat to 3.7.* is bug 2447, but I'm hoping CFEngine Inc. will
confirm a 3.7.5 release in the very near future.

https://tracker.mender.io/browse/CFEngine-2447

Aleksey Tsalolikhin

Aug 23, 2016, 2:38:29 PM
to Neil Watson, help-cfengine

Neil Watson

Aug 23, 2016, 2:40:30 PM
to help-cfengine
Darn vim abbreviation ;)

On Tue, Aug 23, 2016 at 11:38:27AM -0700, Aleksey Tsalolikhin wrote:
> https://tracker.mender.io/browse/CFE-2447
>
> On Aug 23, 2016 11:03 AM, "Neil Watson" <cfen...@watson-wilson.ca> wrote:
>
> > On Tue, Aug 23, 2016 at 10:58:55AM -0700, Aleksey Tsalolikhin wrote:
> >
> > > Hi Jeffrey,
> > > There are a lot of performance improvements in cf-serverd 3.7.2 or
> > > higher compared to 3.5 and 3.6. If you can, I second Neil's suggestion
> > > to upgrade your cf-serverd's. Can you?
> >
> > One caveat to 3.7.* is bug 2447, but I'm hoping CFEngine Inc. will
> > confirm a 3.7.5 release in the very near future.
> >
> > https://tracker.mender.io/browse/CFEngine-2447

jab2805

Aug 23, 2016, 2:57:33 PM
to help-cfengine

Sorry, I can't upgrade now; we are moving to a new datacenter.

This was working fine with two other subnets, hmmm...



jab2805

Aug 23, 2016, 3:00:12 PM
to help-cfengine
 


Maybe a certain part of the rule set is hanging around. I restarted cfengine a few times.



Neil Watson

Aug 23, 2016, 3:03:32 PM
to help-cfengine
On Tue, Aug 23, 2016 at 11:57:33AM -0700, jab2805 wrote:
>
>
> Sorry I can't upgrade now we are moving to a new datacenter.

At least try testing your rules set on a 3.7.4 test host. The better
logging may reveal the error.

jab2805

Aug 23, 2016, 3:05:03 PM
to help-cfengine


Could this be the issue? I ran a verbose bootstrap. It looks like it can't find the key.

 cf-agent -v --bootstrap  10.131.72.50  |


2016-08-23T19:03:13+0000  verbose: Connect to '10.131.72.50' = '10.131.72.50' on port '5308'
2016-08-23T19:03:13+0000  verbose: skipidentify was promised, so we are trusting and simply announcing the identity as 'va-cms-01-ran-prod.private.linksynergy.com' for this host
2016-08-23T19:03:13+0000  verbose: Did not find new key format '/var/cfengine/ppkeys/root-.pub'
2016-08-23T19:03:13+0000  verbose: Trying old style '/var/cfengine/ppkeys/root-10.131.72.50.pub'
2016-08-23T19:03:13+0000    error: Challenge response from server '10.131.72.50/10.131.72.50' was incorrect
2016-08-23T19:03:13+0000    error: Authentication dialogue with '10.131.72.50' failed
2016-08-23T19:03:13+0000     info: Unable to establish connection with 10.131.72.50
2016-08-23T19:03:13+0000    error: Unable to establish any connection with server.
2016-08-23T19:03:13+0000     info: /cfe_internal_update/files/'$(sys#workdir)/inputs': No suitable server responded to hail
2016-08-23T19:03:13+0000     info: Promise belongs to bundle 'cfe_internal_update' in file '/var/cfengine/inputs/failsafe.cf' near line 49



Aleksey Tsalolikhin

Aug 23, 2016, 6:33:23 PM
to jab2805, help-cfengine

Great, you are making progress!

Looks like a trust issue.

Do you already have a key for this IP in /var/cfengine/ppkeys?
