Hi,

This is my finding about using hostnames and dynamic IPs in cf3. I have been pounding the configuration with all possible variations. If someone can prove me wrong and show me how to get it to work I would be most happy. Please note that I'm not using trunk from SVN; I'm using 3.0.3.

- To get the server to save the keyfiles with hostnames I need to specify dynamicaddresses with something that excludes the IP address. Otherwise it will resort to saving it with the IP. Hostnamekeys must be true. The documentation on this is weak.
- Trustkeysfrom will not accept any regexps on hostname. Only regexps on IP work. I want to use this to make the clients conform to a specific name template before I accept them. It can probably be solved in a different way.
- Allowconnects will not accept any regexps on hostname. Only regexps on IP work. Not really a problem but a fact.

This is my working setup:
----
body server control
{
  allowconnects => { "10\..*" };
  hostnamekeys => "true";
  trustkeysfrom => { "10.*" };
  dynamicaddresses => { ".*\.net" };
}
----

If I use hostname regexps on allowconnects, the configuration messages look ok:
----
cf3 Cfengine - 3.0.3patch1 (C) Cfengine AS 2008-
cf3 ------------------------------------------------------------------------
cf3 Host name is: seldlx0007
cf3 Operating System Type is linux
cf3 Operating System Release is 2.6.31-19-generic-pae
cf3 Architecture = i686
cf3 Using internal soft-class linux for host asflx0007
cf3 The time is now Wed Mar 3 02:13:20 2010
cf3 ------------------------------------------------------------------------
cf3 # Extended system discovery is only available in version Nova and above
cf3 Additional hard class defined as: 32_bit
cf3 Additional hard class defined as: linux_2_6_31_19_generic_pae
cf3 Additional hard class defined as: linux_i686
cf3 Additional hard class defined as: linux_i686_2_6_31_19_generic_pae
cf3 GNU autoconf class from compile time: compiled_on_linux_gnu
cf3 Address given by nameserver: 127.0.1.1
cf3 Interface 1: lo
cf3 Interface 2: eth0
cf3 Trying to locate my IPv6 address
cf3 Found IPv6 address fe80::223:7dff:fe1b:a87e
cf3 Looking for environment from cf-monitor...
cf3 Unable to detect environment from cfMonitord
cf3 This appears to be a debian system.
cf3 Looking for Debian version...
cf3 No Debian version number found.
cf3 This system seems to have the aptitude package system
cf3 This appears to be a LSB compliant system.
cf3 Reference time set to Wed Mar 3 02:13:20 2010
cf3 > Parsing file /var/cfengine/inputs/promises.cf
cf3 Initiate variable convergence...
cf3 > Parsing file /var/cfengine/inputs/update.cf
cf3 > Parsing file /var/cfengine/inputs/site.cf
cf3 > Parsing file /var/cfengine/inputs/library.cf
cf3 > Parsing file /var/cfengine/inputs/main.cf
cf3 Initiate variable convergence...
cf3 -> Checking common class promises...
cf3 ?> defining additional global class one
cf3 # Knowledge map reporting feature is only available in version Nova and above
cf3 -> Defined hard classes = { linux asflx0007_domain_net domain_net net asflx0007 32_bit linux_2_6_31_19_generic_pae i686 linux_i686 linux_i686_2_6_31_19_generic_pae linux_i686_2_6_31_19_generic_pae__56_Ubuntu_SMP_Thu_Jan_28_02_29_51_UTC_2010 compiled_on_linux_gnu net_iface_lo net_iface_eth0 10_123_64_235 ipv4_10_123_64_235 ipv4_10_123_64 ipv4_10_123 ipv4_10 fe80__223_7dff_fe1b_a87e any cfengine_3_0_3patch1 cfengine_3_0 cfengine_3 debian have_aptitude lsb_compliant ubuntu ubuntu_karmic ubuntu_9_10 ubuntu_9 Wednesday Hr02 Night Min13 Min10_15 Q1 Hr02_Q1 Day3 March Yr2010 Lcycle_0 GMT_Hr17 one }
cf3 -> Negated Classes = { }
cf3 Initiate variable convergence...
cf3 -> Checking common class promises...
cf3 ?> defining additional global class one
cf3 Initiate control variable convergence...
cf3 SET Allowing connections from ...
cf3 SET Trust keys from ...
cf3 SET Dynamic addresses from ...
cf3 Skipping whole promise, as context is SuSE
cf3 ?> defining additional global class one
----

Server side:
cf3 Not allowing connection from non-authorized IP 10.123.31.15

Client side:
cf3 LastSaw host listlx0007.domain.net now
cf3 Loaded /var/cfengine/ppkeys/root-10.123.64.235.pub
cf3 Couldn't send
cf3 !!! System error for send: "Broken pipe"
cf3 Couldn't send
cf3 !!! System error for send: "Broken pipe"
cf3 Couldn't send
cf3 !!! System error for send: "Broken pipe"
cf3 Challenge response from server asflx0007.domain.net/10.123.64.235 was incorrect!

Best regards,
Emil Assarsson
emil.assars...@sonyericsson.com
Phone: +46 (0)10 8017422

-----Original Message-----
From: Mark Burgess [mailto:mark.burg...@iu.hio.no]
Sent: Monday, 1 March 2010 16:12
To: Assarsson, Emil
Cc: help-cfengine@cfengine.org
Subject: Re: Can't use host name regexps with trustkeysfrom

Try running the server with -v to see the reason for the failure. Regexes are allowed in trustkeys.

Assarsson, Emil wrote:
> Hi,
>
> It seems like I can't use hostnames with (for example) trustkeysfrom:
> ----
> body server control
> {
>   trustkeysfrom => { '.*\.domain\.net' };
>   dynamicaddresses => { '10\..*' };
>   allowconnects => { '10\..*' };
>   hostnamekeys => "true";
> }
> ----
> I get a "!! Authentication dialogue with cfserver.domain.net failed" when I run "cf-agent -vK". The error occurs on the agent side. No key gets saved on the server. From what I understand of the reference this should be possible. I'm running cfengine 3.0.3 patch 1.
>
> If I use this it works fine:
> ----
> body server control
> {
>   trustkeysfrom => { '10\..*' };
>   dynamicaddresses => { '10\..*' };
>   allowconnects => { '10\..*' };
>   hostnamekeys => "true";
> }
> ----
>
> I guess there is a problem with the name resolution inside cfengine. Do I need to configure anything special to make it work? I can run getent hosts on both IP and name without any problem on both sides. Dig works fine too.
>
> Best regards
> Operational Services LUX Application Platforms within BI Enterprise Services
>
> Emil Assarsson
> Sony Ericsson Mobile Communications AB
> Nya Vattentornet, SE-221 88 Lund, Sweden
> e-Mail: emil.assars...@sonyericsson.com
> Phone: +46 (0)10 8017422
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine

--
Mark Burgess
-------------------------------------------------
Professor of Network and System Administration
Oslo University College, Norway
Personal Web: http://www.iu.hio.no/~mark
Office Telf : +47 22453272
-------------------------------------------------
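The behaviour the thread reports (allowconnects and trustkeysfrom matched against the peer IP only, so a hostname regex never matches; the key file named by hostname only when dynamicaddresses does not match the IP) can be modelled to reason about what a given `body server control` will admit. The following is an added example written for this page, not CFEngine code and not the poster's or Mark Burgess's; the function names are mine, the sample peer values are constructed from the hosts in the thread, and it assumes CFEngine 3 regexes are anchored whole-string matches (modelled with `re.fullmatch`). It also checks a point visible in the working setup: `"10.*"` with an unescaped dot admits far more than `"10\..*"` does.

```python
import re

# Constructed sample peer, using the host names and addresses from the thread.
PEER_IP = "10.123.31.15"
PEER_HOST = "listlx0007.domain.net"


def matches_any(value, patterns):
    """Anchored regex match of one string against a list of ACL patterns.

    Assumption: CFEngine 3 access-control regexes match the whole string,
    so re.fullmatch is used rather than re.search.
    """
    return any(re.fullmatch(p, value) for p in patterns)


def server_admits(peer_ip, peer_host, allowconnects, trustkeysfrom, key_on_file):
    """Model of the admission decisions reported for cf-serverd 3.0.3.

    Per the thread, both ACLs are compared against the peer IP; peer_host is
    deliberately not consulted, which is why a hostname regex never matches.
    Returns one of: "denied", "accepted-known-key", "trusted-new-key",
    "untrusted-new-key" (the last is the "Authentication dialogue failed" case).
    """
    if not matches_any(peer_ip, allowconnects):
        return "denied"  # server logs "Not allowing connection from non-authorized IP"
    if key_on_file:
        return "accepted-known-key"
    if matches_any(peer_ip, trustkeysfrom):
        return "trusted-new-key"
    return "untrusted-new-key"


def key_file_name(peer_ip, peer_host, hostnamekeys, dynamicaddresses):
    """Model of the ppkeys file name as the post reports it: with
    hostnamekeys => "true" the hostname is used only when the peer IP does
    NOT match dynamicaddresses; otherwise the IP is used."""
    if hostnamekeys and not matches_any(peer_ip, dynamicaddresses):
        return f"root-{peer_host}.pub"
    return f"root-{peer_ip}.pub"


def overmatched(pattern, candidates):
    """Which of the candidate peer addresses a single ACL pattern accepts.
    Useful for auditing how wide a trustkeysfrom entry really is."""
    return [c for c in candidates if re.fullmatch(pattern, c)]


if __name__ == "__main__":
    # The two configurations from the original message.
    hostname_acl = {"allowconnects": [r"10\..*"], "trustkeysfrom": [r".*\.domain\.net"]}
    ip_acl = {"allowconnects": [r"10\..*"], "trustkeysfrom": [r"10\..*"]}
    for label, acl in (("hostname regex", hostname_acl), ("IP regex", ip_acl)):
        result = server_admits(PEER_IP, PEER_HOST, acl["allowconnects"],
                               acl["trustkeysfrom"], key_on_file=False)
        print(f"{label:14s} -> {result}")

    # Key file naming under the poster's working setup versus the original one.
    print(key_file_name(PEER_IP, PEER_HOST, True, [r".*\.net"]))
    print(key_file_name(PEER_IP, PEER_HOST, True, [r"10\..*"]))

    # Scope check on the working setup's trustkeysfrom entry (constructed candidates).
    candidates = ["10.0.0.1", "100.64.0.1", "105.0.0.1", "192.168.1.10"]
    print("10.*   accepts", overmatched(r"10.*", candidates))
    print("10\\..* accepts", overmatched(r"10\..*", candidates))
```

Run as a script it prints the admission result for both configurations from the thread (the hostname regex ends in an untrusted new key, the IP regex in a trusted one), the key file name each dynamicaddresses setting produces, and the address list each trustkeysfrom spelling would accept; the last shows that `"10.*"` also accepts addresses outside 10.0.0.0/8, so `"10\..*"` is the tighter choice for a trust-on-first-use window.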