That is totally OK as long as the documentation reflects the reality :-P

I can work with my current setup, but I would have saved some time if I hadn't 
had to spend time investigating quirks like this. I just hope that my 
input can save some time for the next one in line.

Best regards,
Emil Assarsson emil.assars...@sonyericsson.com
Phone: +46 (0)10 8017422

-----Original Message-----
From: Mark Burgess [mailto:mark.burg...@iu.hio.no] 
Sent: Wednesday, 3 March 2010 22:28
To: Assarsson, Emil
Cc: 'help-cfengine@cfengine.org'
Subject: Re: Can't use host name regexps with trustkeysfrom


I am thinking about how to respond to this. Principally, it is not a bug but a 
feature to force the use of IP addresses for the initial authentication. No 
matter whether you use DHCP or not, IP addresses are more secure than hostnames 
and your DHCP ranges are at least as stable as the names the machines end up with.

M

Assarsson, Emil wrote:
> Hi,
> 
> FYI: I submitted 3 bug reports about this.
> 
> Best regards,
> Emil Assarsson emil.assars...@sonyericsson.com
> Phone: +46 (0)10 8017422
> 
> -----Original Message-----
> From: Assarsson, Emil 
> Sent: Tuesday, 2 March 2010 18:27
> To: 'Mark Burgess'
> Cc: help-cfengine@cfengine.org
> Subject: RE: Can't use host name regexps with trustkeysfrom
> 
> Hi,
> 
> This is my finding about using hostnames and dynamic IPs in cf3. I have been 
> pounding the configuration with all possible variations. If someone can prove 
> me wrong and show me how to get it to work I would be most happy.
> Please note that I'm not using trunk from SVN; I'm using 3.0.3.
> 
> -
> To get the server to save the key files with hostnames I need to specify 
> dynamicaddresses with something that excludes the IP address. Otherwise 
> it will resort to saving it with the IP. Hostnamekeys must be true. The 
> documentation on this is weak.
> 
> -
> Trustkeysfrom will not accept any regexps on hostname. Only regexps on IP 
> work. I want to use this to make the clients conform to a specific name 
> template before I accept them. It can probably be solved in a different way.
> 
> -
> Allowconnects will not accept any regexps on hostname. Only regexps on IP 
> work. Not really a problem, but a fact.
> 
> 
> This is my working setup:
> ----
> body server control
> {
>   # These are regexes matched against the whole string: an unescaped "."
>   # matches any character, so "10.*" would also admit e.g. 100.x.x.x
>   allowconnects  => { "10\..*" };
>   hostnamekeys => "true";
>   trustkeysfrom => { "10\..*" };
>   dynamicaddresses => { ".*\.net" };
> }
> ----
> 
> 
> 
> If I use hostname regexps on allowconnects:
> 
> The configuration messages look OK:
> ----
> cf3 Cfengine - 3.0.3patch1 (C) Cfengine AS 2008-
> cf3 ------------------------------------------------------------------------
> cf3 Host name is: seldlx0007
> cf3 Operating System Type is linux
> cf3 Operating System Release is 2.6.31-19-generic-pae
> cf3 Architecture = i686
> cf3 Using internal soft-class linux for host asflx0007
> cf3 The time is now Wed Mar  3 02:13:20 2010
> cf3 ------------------------------------------------------------------------
> cf3 # Extended system discovery is only available in version Nova and above
> cf3 Additional hard class defined as: 32_bit
> cf3 Additional hard class defined as: linux_2_6_31_19_generic_pae
> cf3 Additional hard class defined as: linux_i686
> cf3 Additional hard class defined as: linux_i686_2_6_31_19_generic_pae
> cf3 GNU autoconf class from compile time: compiled_on_linux_gnu
> cf3 Address given by nameserver: 127.0.1.1
> cf3 Interface 1: lo
> cf3 Interface 2: eth0
> cf3 Trying to locate my IPv6 address
> cf3 Found IPv6 address fe80::223:7dff:fe1b:a87e
> cf3 Looking for environment from cf-monitor...
> cf3 Unable to detect environment from cfMonitord
> cf3 This appears to be a debian system.
> cf3 Looking for Debian version...
> cf3 No Debian version number found.
> cf3 This system seems to have the aptitude package system
> cf3 This appears to be a LSB compliant system.
> cf3 Reference time set to Wed Mar  3 02:13:20 2010
> cf3   > Parsing file /var/cfengine/inputs/promises.cf
> cf3 Initiate variable convergence...
> cf3   > Parsing file /var/cfengine/inputs/update.cf
> cf3   > Parsing file /var/cfengine/inputs/site.cf
> cf3   > Parsing file /var/cfengine/inputs/library.cf
> cf3   > Parsing file /var/cfengine/inputs/main.cf
> cf3 Initiate variable convergence...
> cf3  -> Checking common class promises...
> cf3  ?> defining additional global class one
> cf3 # Knowledge map reporting feature is only available in version Nova and above
> cf3  -> Defined hard classes = { linux asflx0007_domain_net domain_net net 
> asflx0007 32_bit linux_2_6_31_19_generic_pae i686 linux_i686 
> linux_i686_2_6_31_19_generic_pae 
> linux_i686_2_6_31_19_generic_pae__56_Ubuntu_SMP_Thu_Jan_28_02_29_51_UTC_2010 
> compiled_on_linux_gnu net_iface_lo net_iface_eth0 10_123_64_235 
> ipv4_10_123_64_235 ipv4_10_123_64 ipv4_10_123 ipv4_10 
> fe80__223_7dff_fe1b_a87e any cfengine_3_0_3patch1 cfengine_3_0 cfengine_3 
> debian have_aptitude lsb_compliant ubuntu ubuntu_karmic ubuntu_9_10 ubuntu_9 
> Wednesday Hr02 Night Min13 Min10_15 Q1 Hr02_Q1 Day3 March Yr2010 Lcycle_0 
> GMT_Hr17 one }
> cf3  -> Negated Classes = { }
> cf3 Initiate variable convergence...
> cf3  -> Checking common class promises...
> cf3  ?> defining additional global class one
> cf3 Initiate control variable convergence...
> cf3 SET Allowing connections from ...
> cf3 SET Trust keys from ...
> cf3 SET Dynamic addresses from ...
> cf3 Skipping whole promise, as context is SuSE
> cf3  ?> defining additional global class one
> ----
> 
> Server side:
> cf3 Not allowing connection from non-authorized IP 10.123.31.15
> 
> Client side:
> cf3 LastSaw host listlx0007.domain.net now
> cf3 Loaded /var/cfengine/ppkeys/root-10.123.64.235.pub
> cf3 Couldn't send
> cf3  !!! System error for send: "Broken pipe"
> cf3 Couldn't send
> cf3  !!! System error for send: "Broken pipe"
> cf3 Couldn't send
> cf3  !!! System error for send: "Broken pipe"
> cf3 Challenge response from server asflx0007.domain.net/10.123.64.235 was incorrect!
> 
> 
> 
> 
> Best regards,
> Emil Assarsson emil.assars...@sonyericsson.com
> Phone: +46 (0)10 8017422
> 
> 
> -----Original Message-----
> From: Mark Burgess [mailto:mark.burg...@iu.hio.no] 
> Sent: Monday, 1 March 2010 16:12
> To: Assarsson, Emil
> Cc: help-cfengine@cfengine.org
> Subject: Re: Can't use host name regexps with trustkeysfrom
> 
> 
> Try running the server with -v to see the reason for the failure. Regexes are 
> allowed in trustkeys
> 
> Assarsson, Emil wrote:
>> Hi,
>>
>> It seems like I can't use hostnames with (for example) trustkeysfrom:
>> ----
>> body server control
>> {
>>   trustkeysfrom => { '.*\.domain\.net' };
>>   dynamicaddresses => { '10\..*'};
>>   allowconnects  => { '10\..*' };
>>   hostnamekeys => "true";
>> }
>> ----
>> I get "!! Authentication dialogue with cfserver.domain.net failed" when I 
>> run "cf-agent -vK". The error occurs on the agent side. No key gets saved on 
>> the server.
>> From what I understand from the reference, this should be possible. I'm running 
>> cfengine 3.0.3 patch 1.
>>
>>
>> If I use this it works fine:
>> ----
>> body server control
>> {
>>   trustkeysfrom => { '10\..*' };
>>   dynamicaddresses => { '10\..*'};
>>   allowconnects  => { '10\..*' };
>>   hostnamekeys => "true";
>> }
>> ----
>>
>> I guess there is a problem with the name resolution inside cfengine. Do I 
>> need to configure anything special to make it work? I can run getent hosts 
>> on both IP and name without any problem on both sides. Dig works fine too.
>>
>>
>> Best regards
>> Operational Services LUX Application Platforms within BI Enterprise Services
>>
>> Emil Assarsson
>> Sony Ericsson Mobile Communications AB
>> Nya Vattentornet, SE-221 88 Lund, Sweden
>> e-Mail: emil.assars...@sonyericsson.com
>> Phone: +46 (0)10 8017422
>>
>>
>>
>> _______________________________________________
>> Help-cfengine mailing list
>> Help-cfengine@cfengine.org
>> https://cfengine.org/mailman/listinfo/help-cfengine
> 

-- 
Mark Burgess

-------------------------------------------------
Professor of Network and System Administration
Oslo University College, Norway

Personal Web: http://www.iu.hio.no/~mark
Office Telf : +47 22453272
-------------------------------------------------
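The trust decision discussed in this thread (allowconnects, trustkeysfrom, hostnamekeys, and why trusting by IP is safer than trusting by hostname) can be illustrated with a small model. What follows is an added example written for this page; it is not CFEngine's code and does not reproduce cf-serverd's actual implementation. It assumes three things, all labelled in the code: ACL regexes are matched against the whole peer address, as CFEngine anchors them; an already-stored key in ppkeys must match exactly regardless of trustkeysfrom (trust-on-first-use); and, to show what hostname-based trust would need in order to be safe, a reverse-DNS name is only used when it is forward-confirmed (the name resolves back to the connecting IP). The DNS records, hosts and keys are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed DNS data for this example (not real records).
# A rogue client in a DHCP range can often register its own PTR name, but
# it cannot make the forward zone point that name back at its address.
DNS_PTR = {
    "10.123.64.235": "asflx0007.domain.net",
    "10.123.31.15": "cfserver.domain.net",   # PTR lie: claims the server's name
}
DNS_A = {
    "asflx0007.domain.net": "10.123.64.235",
    "cfserver.domain.net": "10.123.64.1",
}


def forward_confirmed_name(ip: str) -> Optional[str]:
    """Reverse-resolve ip and accept the name only if it resolves back to ip."""
    name = DNS_PTR.get(ip)
    if name is None or DNS_A.get(name) != ip:
        return None
    return name


def matches_any(patterns: List[str], value: str) -> bool:
    """Assumption: ACL regexes are anchored, i.e. must match the whole string.
    Note that an unescaped '.' still matches any character, so "10.*" admits
    100.x.x.x as well as 10.x.x.x; "10\\..*" does not."""
    return any(re.fullmatch(p, value) for p in patterns)


@dataclass
class ServerControl:
    """The subset of body server control that matters for admission."""
    allowconnects: List[str]
    trustkeysfrom: List[str]
    hostnamekeys: bool = False
    # Simplified stand-in for /var/cfengine/ppkeys: file name -> public key
    ppkeys: Dict[str, str] = field(default_factory=dict)


def key_file(ctl: ServerControl, ip: str, name: Optional[str]) -> str:
    """With hostnamekeys the key is filed under the (confirmed) hostname,
    otherwise under the IP, mirroring the root-<ip>.pub names in the thread."""
    if ctl.hostnamekeys and name:
        return f"root-{name}.pub"
    return f"root-{ip}.pub"


def admit(ctl: ServerControl, ip: str, presented_key: str) -> str:
    """Return 'accepted', 'accepted+trusted', or a 'refused: ...' reason."""
    # 1. allowconnects is checked against the IP only (as observed in 3.0.3).
    if not matches_any(ctl.allowconnects, ip):
        return f"refused: {ip} not in allowconnects"

    name = forward_confirmed_name(ip)
    kid = key_file(ctl, ip, name)
    known = ctl.ppkeys.get(kid)

    # 2. A key we already hold must match exactly; trustkeysfrom no longer
    #    plays any role once a key is pinned (trust-on-first-use).
    if known is not None:
        if known == presented_key:
            return "accepted"
        return f"refused: key mismatch for {kid}"

    # 3. Unknown key: only auto-trust it if the peer matches trustkeysfrom.
    #    The IP is always tried; the hostname only if forward-confirmed, so
    #    a client-controlled PTR record cannot buy it a trusted key.
    if matches_any(ctl.trustkeysfrom, ip) or (
        name is not None and matches_any(ctl.trustkeysfrom, name)
    ):
        ctl.ppkeys[kid] = presented_key
        return "accepted+trusted"
    return f"refused: unknown key and {ip} not in trustkeysfrom"


if __name__ == "__main__":
    ctl = ServerControl(
        allowconnects=[r"10\..*"],
        trustkeysfrom=[r"10\.123\.64\..*", r".*\.domain\.net"],
        hostnamekeys=True,
    )
    for ip, key in [("10.123.64.235", "KEY-A"), ("10.123.64.235", "KEY-B"),
                    ("10.123.31.15", "KEY-C"), ("192.168.1.1", "KEY-D")]:
        print(ip, "->", admit(ctl, ip, key))
```

Running the block shows the three behaviours the thread touches on: the first contact from 10.123.64.235 is trusted and filed under its hostname, a later connection from the same address with a different key is refused even though the address still matches trustkeysfrom, and the client at 10.123.31.15 whose PTR record claims cfserver.domain.net is refused because that name does not resolve back to it, so the hostname regex never gets a chance to match.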