Fresh install not working. Bootstrap fails for any agent.


Mike Brugnoni

Feb 20, 2015, 4:27:08 PM
to help-c...@googlegroups.com
My company is interested in using CFEngine and I'm trying to demo it in our lab. I have a fresh CFEngine policy server installed on Redhat. It bootstrapped successfully but the Mission Portal page is not available. Also, on a new fresh agent install, the bootstrap fails with the error below. I've done nothing except a fresh install at this point. Any help appreciated.

```
2015-02-20T16:21:57EST    error: /default/cfe_internal_update/files/'/var/cfengine/inputs'[0]: No suitable server responded to hail
R: This autonomous node assumes the role of voluntary client
R: Failed to copy policy from policy server at xxx:/var/cfengine/masterfiles
       Please check
       * cf-serverd is running on xxx
       * network connectivity to xxx on port 5308
       * masterfiles 'body server control' - in particular allowconnects, trustkeysfrom and skipverify
       * masterfiles 'bundle server' -> access: -> masterfiles -> admit/deny
       It is often useful to restart cf-serverd in verbose mode (cf-serverd -v) on xxx to diagnose connection issues.
       When updating masterfiles, wait (usually 5 minutes) for files to propagate to inputs on xxx before retrying.
R: Did not start the scheduler
2015-02-20T16:22:30EST   notice: /default/cfe_internal_call_update/commands/'"/var/cfengine/bin/cf-agent" -f update.cf'[0]: Q: ".../cf-agent" -f u": 2015-02-20T16:21:58EST    error: There is no readable input file at '/var/cfengine/inputs/update.cf'. (stat: No such file or directory)
Q: ".../cf-agent" -f u": 2015-02-20T16:21:58EST    error: CFEngine was not able to get confirmation of promises from cf-promises, so going to failsafe
Q: ".../cf-agent" -f u": 2015-02-20T16:22:28EST    error: /default/cfe_internal_update/files/'/var/cfengine/inputs'[0]: No suitable server responded to hail
Q: ".../cf-agent" -f u": R: Failed to copy policy from policy server at xxx:/var/cfengine/masterfiles
Q: ".../cf-agent" -f u":        Please check
Q: ".../cf-agent" -f u":        * cf-serverd is running on xxx
Q: ".../cf-agent" -f u":        * network connectivity to xxx on port 5308
Q: ".../cf-agent" -f u":        * masterfiles 'body server control' - in particular allowconnects, trustkeysfrom and skipverify
Q: ".../cf-agent" -f u":        * masterfiles 'bundle server' -> access: -> masterfiles -> admit/deny
Q: ".../cf-agent" -f u":        It is often useful to restart cf-serverd in verbose mode (cf-serverd -v) on xxx to diagnose connection issues.
Q: ".../cf-agent" -f u":        When updating masterfiles, wait (usually 5 minutes) for files to propagate to inputs on xxx before retrying.
Q: ".../cf-agent" -f u": R: Did not start the scheduler
Q: ".../cf-agent" -f u": 2015-02-20T16:22:30EST   notice: /default/cfe_internal_call_update/commands/'"/var/cfengine/bin/cf-agent" -f update.cf'[0]: Q: ".../cf-agent" -f u": 2015-02-20T16:22:30EST    error: There is no readable input file at '/var/cfengine/inputs/update.cf'. (stat: No such file or directory)
Q: ".../cf-agent" -f u": Q: ".../cf-agent" -f u": 2015-02-20T16:22:30EST    error: CFEngine was not able to get confirmation of promises from cf-promises, so going to failsafe

2015-02-20T16:22:30EST    error: Bootstrapping failed, no input file at '/var/cfengine/inputs/promises.cf' after bootstrap
```

Neil Watson

Feb 20, 2015, 4:39:45 PM
to help-c...@googlegroups.com
In client server issues step up the OSI.

Can the agent host connect to the server host on tcp port 5308?
'nc -v <server> 5308' to test.

The client and server authenticate each other via key pairs. Does each
trust the other or have the keys been copied by hand?

The server authorizes the agent to copy files (think of the server as a
file server) by consulting the server's access promises. Details for
this, and trust above, are usually in the def.cf file.

To test it all, stop cf-serverd on the server and run it as cf-serverd -vF
and you'll see the output. That will show you the access rules the
server knows and when you bootstrap an agent you'll see the server
accept or reject connections. In the case of rejection a reason may be
given.

--
Neil H Watson
Sr. Partner, Architecture and Infrastructure
CFEngine reporting: https://github.com/evolvethinking/delta_reporting
CFEngine policy: https://github.com/evolvethinking/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3
CFEngine support: http://evolvethinking.com

kanika shridhar

Feb 22, 2015, 2:29:59 AM
to help-c...@googlegroups.com, cfen...@watson-wilson.ca
I also had a similar issue some time back. The reason was that I already had some ppa_keys present on my client before bootstrapping; removing them helped me.

Aleksey Tsalolikhin

Feb 22, 2015, 7:08:58 AM
to Mike Brugnoni, help-c...@googlegroups.com
On Fri, Feb 20, 2015 at 1:27 PM, Mike Brugnoni <z33...@gmail.com> wrote:
> My company is interested in using CFEngine and I'm trying to demo it in our lab. I have a fresh CFEngine policy server installed on Redhat. It bootstrapped successfully but the Mission Portal page is not available.

Hi, Mike. 

What happens when you try to bring up the Mission Portal page?
 
> Also, on a new fresh agent install, the bootstrap fails with the error below. I've done nothing except a fresh install at this point. Any help appreciated.
>
> 2015-02-20T16:21:57EST    error: /default/cfe_internal_update/files/'/var/cfengine/inputs'[0]: No suitable server responded to hail
> R: This autonomous node assumes the role of voluntary client
> R: Failed to copy policy from policy server at xxx:/var/cfengine/masterfiles
>        Please check
>        * cf-serverd is running on xxx

You can confirm the above with "ps -ef | grep cf-serverd" on the policy server.
 
>        * network connectivity to xxx on port 5308
 
As Neil wrote, you can confirm this with 'nc -v <server> 5308' on the agent.  (From your message, I wasn't sure if the agent and the policy server are on the same server in your lab.)

Best,
Aleksey Tsalolikhin

Mike Brugnoni

Feb 23, 2015, 9:31:17 AM
to help-c...@googlegroups.com, cfen...@watson-wilson.ca
I don't have nc installed but using telnet I am not able to connect on that port.

I did not set up any sort of authentication keys. Did I miss something in the documentation or is this documented elsewhere? I was following the main guide.

Thanks,
Mike

Mike Brugnoni

Feb 23, 2015, 9:33:41 AM
to help-c...@googlegroups.com, z33...@gmail.com
Nothing happens. The page just times out.

I do see the cf-serverd processes running.

I don't have nc installed but using telnet I am not able to connect on that port.

Neil mentioned key authentication though. I did not see that documented in the guide so maybe this is what I am missing?

Thanks,
Mike

Neil Watson

Feb 23, 2015, 9:44:31 AM
to help-c...@googlegroups.com
On Mon, Feb 23, 2015 at 06:33:41AM -0800, Mike Brugnoni wrote:
> Nothing happens. The page just times out.
> I do see the cf-serverd processes running.

There's the problem. The hub must be running cf-serverd which is a file
server listening on port 5308. The agent host must be able to connect to
that port.

Configure and start cf-serverd then bootstrap the server to itself.

Mike Brugnoni

Feb 23, 2015, 9:50:27 AM
to help-c...@googlegroups.com, cfen...@watson-wilson.ca
Are there additional steps not documented at https://docs.cfengine.com/latest/guide-installation-and-configuration-general-installation.html that I am missing before performing the bootstrap? Based on this, it just says to install and then bootstrap.

Neil Watson

Feb 23, 2015, 10:00:51 AM
to help-c...@googlegroups.com
If cf-serverd and cf-execd are not running on the host then something
went wrong with your installation and bootstrap. Go back and try again.
Look for errors.

Nick Anderson

Feb 23, 2015, 10:01:33 AM
to help-c...@googlegroups.com
Usually that’s all you have to do. When you install the hub package
Mission Portal should be running right away. You should see a
process that looks something like this:

```
cfapache 1667 0.0 3.0 344376 15116 ? S Feb22 0:01
/var/cfengine/httpd/bin/httpd -k start
```

You still have to bootstrap the server to itself after installing the
package.

```
cf-agent --bootstrap <ip>
```

Which packages did you install?

Mike Brugnoni

Feb 23, 2015, 10:03:17 AM
to help-c...@googlegroups.com, cfen...@watson-wilson.ca
Those processes are indeed running.

Mike Brugnoni

Feb 23, 2015, 10:05:07 AM
to help-c...@googlegroups.com
The bootstrap to the server itself was successful. I installed cfengine-nova-hub-3.6.4-1.x86_64.rpm.

Neil Watson

Feb 23, 2015, 10:12:42 AM
to help-c...@googlegroups.com
On Mon, Feb 23, 2015 at 06:33:41AM -0800, Mike Brugnoni wrote:
>
>
> Nothing happens. The page just times out.
> I do see the cf-serverd processes running.
> I don't have nc installed but using telnet I am not able to connect on
> that port.

Firewall. Double check with tcpdump.

Nick Anderson

Feb 23, 2015, 10:13:29 AM
to Mike Brugnoni, help-c...@googlegroups.com
On 02/23/2015 09:05 AM, Mike Brugnoni wrote:
> The bootstrap to the server itself was successful. I
> installed cfengine-nova-hub-3.6.4-1.x86_64.rpm.


You can look through some of the logs
/var/cfengine/httpd/logs
/var/cfengine/httpd/htdocs/application/logs

Do you have a firewall running that is blocking the ports? `iptables -L`

Mike Brugnoni

Feb 23, 2015, 10:21:15 AM
to help-c...@googlegroups.com, z33...@gmail.com
Thank you! There was no firewall between the servers and I had SELinux disabled, but firewalld was still running from the default RHEL install and was blocking the port. Should be all set now. Thanks again.

Nick Anderson

Feb 23, 2015, 10:23:41 AM
to help-c...@googlegroups.com
Yay

David Ramirez

Oct 22, 2015, 1:35:11 PM
to help-c...@googlegroups.com

In my case:
The first bootstrap attempt was blocked by a firewall. It fails, but a
'failsafe.cf' file is left over under /var/cfengine/inputs in the client.
Once the firewall obstacle was removed, the bootstrap kept failing (actually
producing the error text above which is printed by the failsafe.cf policy).
Removing that failsafe.cf file cleared the way for the bootstrap to succeed.
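
The two failure modes this thread ends on (hub port 5308 blocked by firewalld, then a leftover failsafe.cf on the agent) as an agent-side triage script. This is an added example, not part of any post above or of CFEngine itself; the function names, the `PORT`/`WORKDIR` variables and the leftover-file heuristic are assumptions.

```bash
#!/usr/bin/env bash
# Added example: agent-side triage for a failed CFEngine bootstrap.
# Assumptions: port 5308 and work dir /var/cfengine (both taken from the
# thread); function names and messages are made up for this sketch.
PORT="${PORT:-5308}"
WORKDIR="${WORKDIR:-/var/cfengine}"

# 0 if a TCP connection to host $1 port $2 succeeds within 3 seconds.
# Uses bash's /dev/tcp, so neither nc nor telnet has to be installed.
port_open() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# 0 if a failed bootstrap left failsafe.cf behind without promises.cf
# (heuristic for the leftover-file case reported in the thread).
stale_failsafe() {
    [ -f "$1/inputs/failsafe.cf" ] && [ ! -f "$1/inputs/promises.cf" ]
}

# Print one diagnosis for hub $1.
# Returns 0 = ok, 1 = port unreachable, 2 = leftover failsafe.cf.
triage() {
    if ! port_open "$1" "$PORT"; then
        echo "blocked: no TCP connection to $1:$PORT"
        echo "  on the hub: firewall-cmd --state; firewall-cmd --query-port=$PORT/tcp"
        echo "  to allow:   firewall-cmd --permanent --add-port=$PORT/tcp && firewall-cmd --reload"
        return 1
    fi
    if stale_failsafe "$WORKDIR"; then
        echo "stale: $WORKDIR/inputs/failsafe.cf left from an earlier failed bootstrap"
        return 2
    fi
    echo "ok: $1:$PORT reachable, no leftover failsafe.cf"
}

# Run only when a hub address is given: ./triage.sh <hub>
if [ -n "${1:-}" ]; then
    triage "$1"
fi
```

Opening only 5308/tcp on the hub keeps firewalld enforcing everything else, which is a narrower change than stopping the service.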
