Update server, client report bootstrap is successful but no files
30 views
Skip to first unread message
Bob
Sep 20, 2016, 1:09:51 PM9/20/16
to help-c...@googlegroups.com
I updated my policy hub hardware, it was old and need to be replaced. I did not "clone" the disk, but copied the relevant files to the new system. Existing clients appear to work fine.
However, when I try to bootstrap a new client my policy files are not downloaded to the client as I expect they would be. Here's the output of the bootstrap command:
root@client:~# $ROOTCMD cf-agent -B 192.168.80.105
R: This autonomous node assumes the role of voluntary client
R: Updated local policy from policy server
R: Did not start the scheduler
R: You are running a hard-coded failsafe. Please use the following command instead.
"/var/lib/cfengine3/bin/cf-agent" -f /var/lib/cfengine3/inputs/update.cf
2016-09-20T09:51:54-0700 notice: Bootstrap to '192.168.80.105' completed successfully!
However, I have around 6 policy files and none of those are on the client and the other files are the default.
Also, before I bootstrap the client I install my own "failsafe.cf" and "update.cf" files. The "failsafe.cf" executes the "update" bundle from the "update.cf" file. The "update.cf" is supposed to recursively copy all the files to the client. I can attach the "update.cf" file if that would be helpful.
This is cfengine (community) 3.6.2 on Debian Jessie.
However, when I try to bootstrap a new client my policy files are not downloaded to the client as I expect they would be. Here's the output of the bootstrap command:
root@client:~# $ROOTCMD cf-agent -B 192.168.80.105
R: This autonomous node assumes the role of voluntary client
R: Updated local policy from policy server
R: Did not start the scheduler
R: You are running a hard-coded failsafe. Please use the following command instead.
"/var/lib/cfengine3/bin/cf-agent" -f /var/lib/cfengine3/inputs/update.cf
2016-09-20T09:51:54-0700 notice: Bootstrap to '192.168.80.105' completed successfully!
However, I have around 6 policy files and none of those are on the client and the other files are the default.
Also, before I bootstrap the client I install my own "failsafe.cf" and "update.cf" files. The "failsafe.cf" executes the "update" bundle from the "update.cf" file. The "update.cf" is supposed to recursively copy all the files to the client. I can attach the "update.cf" file if that would be helpful.
This is cfengine (community) 3.6.2 on Debian Jessie.
Neil Watson
Sep 20, 2016, 1:17:35 PM9/20/16
to help-cfengine
What did you copy from the old to the new hardware?
What does a verbose bootstrap tell you?
--
Neil H Watson @neil_h_watson
CFEngine reporting: https://github.com/neilhwatson/delta_reporting
CFEngine policy: https://github.com/neilhwatson/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3
What does a verbose bootstrap tell you?
--
Neil H Watson @neil_h_watson
CFEngine reporting: https://github.com/neilhwatson/delta_reporting
CFEngine policy: https://github.com/neilhwatson/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3
Bob
Sep 20, 2016, 1:45:48 PM9/20/16
to help-cfengine, cfen...@watson-wilson.ca
On Tuesday, September 20, 2016 at 10:17:35 AM UTC-7, Neil Watson wrote:
What did you copy from the old to the new hardware?
What does a verbose bootstrap tell you?
I copied everything in "files", "inputs", and "masterfiles". Here's the important section of the bootstrap in verbose mode, I think:
2016-09-20T10:35:18-0700 verbose: /default/cfe_internal_update/reports: Evaluating promise 'Failed to copy policy from policy server at $(sys.policy_hub):$(sys.masterdir)
Please check
* cf-serverd is running on $(sys.policy_hub)
* network connectivity to $(sys.policy_hub) on port 5308
* masterfiles 'body server control' - in particular allowconnects, trustkeysfrom and skipverify
* masterfiles 'bundle server' -> access: -> masterfiles -> admit/deny
It is often useful to restart cf-serverd in verbose mode (cf-serverd -v) on $(sys.policy_hub) to diagnose connection issues.
When updating masterfiles, wait (usually 5 minutes) for files to propagate to inputs on $(sys.policy_hub) before retrying.'
The /default/cfe_internal_update/reports section comes from the default "promises.cf" file, which is not my file.
If it wasn't clear before, I do install the "ppkey" file for the server onto the client before the bootstrap command.
Neil Watson
Sep 20, 2016, 1:52:27 PM9/20/16
to help-cfengine
The server's and its client hosts keys are in ppkeys, which you did not
copy. Really you should copy all of /var/cfengine, or be prepared to
rebootstrap every client :(
copy. Really you should copy all of /var/cfengine, or be prepared to
rebootstrap every client :(
Bob
Sep 20, 2016, 1:54:44 PM9/20/16
to help-cfengine, cfen...@watson-wilson.ca
I just resurrected the old server and the bootstrap process works as I expect. I must have missed something.
Bob
Sep 20, 2016, 2:08:10 PM9/20/16
to help-cfengine, cfen...@watson-wilson.ca
On Tuesday, September 20, 2016 at 10:52:27 AM UTC-7, Neil Watson wrote:
The server's and its client hosts keys are in ppkeys, which you did not
copy. Really you should copy all of /var/cfengine, or be prepared to
rebootstrap every client :(
Sorry, I did copy all the files under "ppkeys" from the old server to the new server. Existing clients appear to be working. I have verified this morning that existing clients are getting policy updates.
Aleksey Tsalolikhin
Sep 20, 2016, 3:43:22 PM9/20/16
to Bob, help-cfengine, Neil Watson
Hi Bob,
What version of CFEngine are you using?
What happens if you don't install your own failsafe.cf/update.cf and just use what's built into CFEngine? Nowadays when you bootstrap a host to a hub, it does the key exchange the recursive copy of policy files automatically.
If that doesn't work, could you please post the complete verbose output from the bootstrap?
Best,
Aleksey
ᐧ
ᐧ--
You received this message because you are subscribed to the Google Groups "help-cfengine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to help-cfengine+unsubscribe@googlegroups.com.
To post to this group, send email to help-c...@googlegroups.com.
Visit this group at https://groups.google.com/group/help-cfengine.
For more options, visit https://groups.google.com/d/optout.
Bob
Sep 20, 2016, 4:08:21 PM9/20/16
to help-cfengine, buha...@gmail.com, cfen...@watson-wilson.ca
On Tuesday, September 20, 2016 at 12:43:22 PM UTC-7, Aleksey Tsalolikhin wrote:
Hi Bob,What version of CFEngine are you using?What happens if you don't install your own failsafe.cf/update.cf and just use what's built into CFEngine? Nowadays when you bootstrap a host to a hub, it does the key exchange the recursive copy of policy files automatically.If that doesn't work, could you please post the complete verbose output from the bootstrap?Best,Aleksey
Unfortunately, I am the source of the problem. On my old server, /var/lib/cfengine3/masterfiles was a symbolic link to /srv/cfengine3/ and I did not do that on the new server. I eventually found my comment where I had discovered this before:
bundle server access_rules()
{
access:
"/srv/cfengine3/masterfiles"
comment => "Source files",
admit => { "@(globals.allowed_ip_addrs)" };
# This is a symbolic link to /srv/cfengine/masterfiles/inputs because
# cfengine 3.6 is hard wired with the below path when using failsafe.cf
"/var/lib/cfengine3/masterfiles"
comment => "Mirror of source files",
admit => { "@(globals.allowed_ip_addrs)" };
}
Once I figure that out, everything started working as expected. Thank you to everyone for helping.
Bas van der Vlies
Sep 20, 2016, 5:33:14 PM9/20/16
to Bob, help-cfengine, cfen...@watson-wilson.ca
--
Bas van der Vlies
Are you still using cfengine 3.6? For cfengine 3.7 and higher you can use the shortcut masterfiles in cf-serverd. With this shortcut you can specify where your location of the masterfiles is on the policy hub. Cfagent bootstrap also use this shortcut name. See
Aleksey Tsalolikhin
Sep 20, 2016, 7:55:05 PM9/20/16
to Bob, help-cfengine
Great! Thanks good sharing outcome. :)
--
Reply all
Reply to author
Forward
0 new messages