On Wed, 2024-05-22 at 04:38 -0700, Markus Rexhepi-Lindberg wrote:
> It seems that the bootstrap fails AFAIK. For instance the `/var/cfengine/policy_server.dat` file does not get provisioned.
That looks like a bug we should fix. IMHO, the bootstrap run of cf-agent should
report errors, but it should do its best to actually finish the bootstrap
process.
Could you please file this at
https://northerntech.atlassian.net/jira/software/c/projects/CFE/issues ?
>
> I first run a bootstrap as I otherwise can't start cf-execd.
>
> Starting cf-execd without running a bootstrap first.
> ```
> # cf-execd
> error: There is no readable input file at '/var/cfengine/inputs/promises.cf'. (stat: No such file or directory)
> error: Failsafe condition triggered. Interactive session detected, skipping failsafe.cf execution.
> error: Error reading CFEngine policy. Exiting...
> ```
Yes, cf-execd is configured by policy so it needs to load the policy when it
starts.
>
> Running a bootstrap and then starting cf-execd.
> ```
> # cf-agent -B <redacted>
> notice: Bootstrap mode: implicitly trusting server, use --trust-server=no if server trust is already established
> notice: Trusting new key: MD5=<redacted>
> R: Bootstrapping from host '<redacted>' via built-in policy '/var/cfengine/inputs/failsafe.cf'
> R: This autonomous node assumes the role of voluntary client
> R: Updated local policy from policy server
> R: Triggered an initial run of the policy
> R: Restarted systemd unit cfengine3
> error: Bootstrapping failed, cf-execd is not running
> # cf-execd
> #
> ```
>
> After I have done this I attempt to run the policies.
> ```
> # cf-agent -KIC
> ...
> error: No suitable server found for '/var/cfengine/scripts/'
> ...
> ```
> I get errors suggesting that there is no suitable server to be found/used. The policies themselves seem to run fine though.
This is because the /var/cfengine/policy_server.dat file contains the information
about which server to contact for remote policy/data -- populated at the end of
the bootstrap process. Apparently only in case of a full successful bootstrap.
>
> If I run a bootstrap again as the last step.
> ```
> # cf-agent -B <redacted>
> notice: Bootstrap mode: implicitly trusting server, use --trust-server=no if server trust is already established
> R: Bootstrapping from host '<redacted>' via built-in policy '/var/cfengine/inputs/failsafe.cf'
> R: This autonomous node assumes the role of voluntary client
> R: Updated local policy from policy server
> R: Triggered an initial run of the policy
> notice: Bootstrap to '<redacted>' completed successfully!
> # ls -l /var/cfengine/policy_server.dat
> -rw------- 1 root root 26 May 22 13:35 /var/cfengine/policy_server.dat
> ```
> It goes through and the `/var/cfengine/policy_server.dat` file gets provisioned and I do not get "No suitable server ..." errors when running `cf-agent`.
Right. Like I wrote above, I believe the bootstrap process should be fixed to do
as much as it can and only report failures that happened on the way.
--
Vratislav