policy_server.dat IP to DNS


Markus Rexhepi-Lindberg

Oct 20, 2025, 9:12:59 AM
to help-cfengine
Hello,

We have a lot of servers that were bootstrapped quite some time ago, and they have the IP address instead of the DNS name of the policy server in their /var/cfengine/policy_server.dat file. Is there a recommended way to migrate these to use the DNS name instead? I was thinking that perhaps a simple bundle to update the file would suffice, but I wanted to check with the community first to find out if there is a better way.

BR/
Markus

Marco Marongiu

Oct 20, 2025, 9:17:26 AM
to help-c...@googlegroups.com

Hello Markus

I think the file by design contains the IP address, and not the hostname, to avoid a failure in name resolution affecting the client's ability to connect to the server and fetch policy updates. The documentation itself indicates that the file contains the IP of the policy server, not the name. See https://docs.cfengine.com/docs/3.24/overview-directory-structure.html#policy_server-dat

Ciao,
-- bronto

craig.c...@northern.tech

Oct 20, 2025, 11:07:03 AM
to Markus Rexhepi-Lindberg, help-cfengine
Hi Markus,
The policy_server.dat file will include what is given to cf-agent --bootstrap. As of CFEngine 3.11 and newer it is possible to use a hostname.

This commit added this ability: https://github.com/cfengine/core/commit/1a45d2043615c3627069b893759e9b7d275b9938

Using a hostname has benefits and drawbacks.
The benefit is that the DNS entry could change and you could avoid having to rebootstrap to a different IP address. The caveat here is that long-running processes like cf-serverd may need a restart in order to do the name to IP translation.
The drawback of using a hostname is that DNS may not work out, which certainly is not uncommon.

I do think that using an IP address is a bit more reliable.
Instead of manipulating that file you could instead re-bootstrap with a command like cf-agent --no-lock --inform --bootstrap <newip>.

Let us know what you think and how you proceed.

-Craig

Nick Anderson

Oct 20, 2025, 11:28:57 AM
to help-c...@googlegroups.com, Markus Rexhepi-Lindberg, craig.c...@northern.tech

> I do think that using an IP address is a bit more reliable. Instead of manipulating that file you could instead re-bootstrap with a command like cf-agent --no-lock --inform --bootstrap <newip>.

I typically advise against a re-bootstrap. It's a bit heavy-handed, and if it fails it can leave you in a worse position.

When you --bootstrap, the content in $(sys.input_dir) is wiped and completely re-seeded. If your bootstrap fails you will not have a full policy in inputs, whereas if you re-write policy_server.dat your existing policy will remain in place and the next time the agent starts it will resolve the new value for the policy server.
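A bundle of the kind Markus asked about, written as an added example (not code from anyone in the thread): it rewrites policy_server.dat in place, the approach Nick describes, rather than re-bootstrapping. The old IP 192.0.2.10, the new name hub.example.com and the bundle name are placeholders; the bodies empty, insert_lines and if_repaired are assumed to come from the CFEngine standard library.

```cfengine3
bundle agent migrate_policy_server_to_dns
{
  vars:
      # Placeholders: replace with the hub's real IP address and DNS name
      "old_ip"  string => "192.0.2.10";
      "new_hub" string => "hub.example.com";
      "dat"     string => "$(sys.workdir)/policy_server.dat";

  classes:
      # sys.policy_hub is read from policy_server.dat at agent start,
      # so only hosts still pointing at the old IP are touched
      "needs_migration" expression => strcmp("$(sys.policy_hub)", "$(old_ip)");

  files:
    needs_migration::
      "$(dat)"
        comment       => "Replace the hub IP with its DNS name; inputs stay intact",
        edit_defaults => empty,                      # drop the old single-line content
        edit_line     => insert_lines("$(new_hub)"), # write the new hostname
        classes       => if_repaired("policy_server_dat_updated");

  reports:
    policy_server_dat_updated::
      "Rewrote $(dat) from $(old_ip) to $(new_hub); takes effect at the next agent start";
}
```

The edit is idempotent: once policy_server.dat holds the DNS name, sys.policy_hub no longer matches old_ip and the files promise is skipped on later runs.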

Marco Marongiu

Oct 20, 2025, 4:38:29 PM
to help-c...@googlegroups.com


On 20/10/2025 17:06, craig.comstock via help-cfengine wrote:
> The policy_server.dat file will include what is given to cf-agent --bootstrap. As of CFEngine 3.11 and newer it is possible to use a hostname.

Then, I guess, an update of the documentation is in order ☺️

Ciao!
-- bronto
