Erlend,

To clarify: the application startup script adds an IP address to the network interface card on the host where it is started, so the host can be reached both by its assigned DNS entry and by the application IP. That address is mapped in the DNS to a well-known name for users to use. Of course, the same application shutdown script removes the IP address from the NIC.
Now, my understanding is that when cfengine first connects to a host by the application DNS name (with trustkey enabled), it really gets a copy of the host public key (localhost.pub) and stores it under the IP address of the application. Now let us assume the application is moved to a different host. The key authentication will obtain the localhost.pub of that new host and compare it to the key obtained the first time around. Of course these will not match, hence the key authentication error.

Well, at least, that is how I understand it. I could be wrong, and if I am, please do not hesitate to let me know; if not, what are my options to fix this?

Many thanks,
Marco

________________________________
From: help-cfengine-boun...@cfengine.org [mailto:help-cfengine-boun...@cfengine.org] On Behalf Of Erlend Leganger
Sent: Thursday, April 01, 2010 3:05 AM
To: help-cfengine@cfengine.org
Subject: Re: Question about keys and trust

On 31 March 2010 23:37, Lebel, Marco <marco.le...@domtar.com> wrote:

> I have applications that have IP addresses and DNS names associated with them. These applications can run on any number of physical hosts, but on only one at a time. Whenever I try to copy files across the network using cfengine, specifying the application DNS name, it works fine upon the first copy, when the key exchange happens, but if the application is later moved to another physical box then I get authentication failures.

What does "applications that have IP and DNS names associated with them" mean? Can these apps only run on hosts with certain IP or DNS names? And when you get authentication failures after moving the app to another box, are those failures from cfengine or from the app? Is it the app or cfengine that is the problem (I would guess your app, but can't really tell...)?

Does your cfengine work OK for other types of files (such as, for example, /etc/inet/ntp.conf, copying the file over from master to client if it doesn't exist or is different from the master)?

- Erlend
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
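The behaviour Marco describes above is trust-on-first-use key pinning keyed by the peer's IP address: the first connection records the peer's public key under that IP, and every later connection must present the same key. The following is an added example, written for this page and not cfengine's own code, that models that store and replays the failure (the application IP moves to a host with a different host key). It also shows the two outcomes the model allows: an operator forgetting the stale pin for that IP, or the application carrying its own key pair so every host that can run it presents the same key. The IP, host names and key bytes are constructed placeholders; `TrustStore`, `verify`, `forget` and `scenario` are names chosen for this example and do not correspond to cfengine's implementation.

```python
"""Trust-on-first-use (TOFU) key pinning keyed by peer IP.

Constructed simulation of the behaviour described in the thread; it is not
cfengine's code and makes no claim about cfengine's internals.
"""
import hashlib
from dataclasses import dataclass, field


def fingerprint(pubkey: bytes) -> str:
    """Short, stable identifier for a public key (hash of its bytes)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class KeyMismatch(Exception):
    """Raised when a peer presents a key other than the one pinned for it."""


@dataclass
class TrustStore:
    """TOFU store: first connection pins the key under the IP connected to;
    later connections to that IP must present the same key."""
    trust_on_first_use: bool = True             # models "trustkey" being enabled
    pinned: dict = field(default_factory=dict)  # {peer_ip: fingerprint}

    def verify(self, peer_ip: str, presented_pub: bytes) -> str:
        fp = fingerprint(presented_pub)
        known = self.pinned.get(peer_ip)
        if known is None:
            if not self.trust_on_first_use:
                raise KeyMismatch(f"no key pinned for {peer_ip} and trust disabled")
            self.pinned[peer_ip] = fp
            return "pinned"
        if known != fp:
            raise KeyMismatch(
                f"key for {peer_ip} changed: pinned {known}, presented {fp}")
        return "ok"

    def forget(self, peer_ip: str) -> None:
        """Deliberate operator action: drop a stale pin so the next connection re-pins."""
        self.pinned.pop(peer_ip, None)


# Constructed sample data: the application's service IP and two physical hosts,
# each with its own host key (only the public halves matter here).
APP_IP = "10.0.0.50"                                  # constructed
HOST_A_PUB = b"ssh-rsa host-a-public-key-bytes"       # constructed placeholder
HOST_B_PUB = b"ssh-rsa host-b-public-key-bytes"       # constructed placeholder
APP_SHARED_PUB = b"ssh-rsa app-shared-public-key"     # constructed placeholder


def scenario() -> dict:
    """Replay the failure and the two ways the model lets it be resolved."""
    results = {}

    # 1. First copy: the app lives on host A; its key is pinned under the app IP.
    store = TrustStore()
    results["first_connect"] = store.verify(APP_IP, HOST_A_PUB)

    # 2. App moves to host B: same IP, different host key -> mismatch.
    try:
        store.verify(APP_IP, HOST_B_PUB)
        results["after_move"] = "ok"
    except KeyMismatch as e:
        results["after_move"] = "mismatch"
        results["after_move_reason"] = str(e)

    # 3a. Within the model: forget the stale pin, then host B's key is pinned.
    store.forget(APP_IP)
    results["after_forget"] = store.verify(APP_IP, HOST_B_PUB)

    # 3b. Alternative within the model: the application has its own key pair
    #     that travels with the IP, so host A and host B present the same key.
    shared = TrustStore()
    shared.verify(APP_IP, APP_SHARED_PUB)          # pinned while on host A
    results["shared_key_after_move"] = shared.verify(APP_IP, APP_SHARED_PUB)

    # 4. The check still does its job: an unrelated key on that IP is rejected.
    try:
        shared.verify(APP_IP, HOST_B_PUB)
        results["unexpected_key"] = "ok"
    except KeyMismatch:
        results["unexpected_key"] = "mismatch"
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The caveat a practitioner would want: a changed key on a known IP is exactly the signal a TOFU scheme exists to raise, so whichever way the pin is reconciled after a planned move, it should be a deliberate, logged step rather than an automatic re-trust, otherwise the check no longer distinguishes a migration from an impersonating host.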