Forum: Cfengine Help
Subject: Re: Connection reset by peer
Author: mwlarsen
Link to topic: https://cfengine.com/forum/read.php?3,17728,17749#msg-17749

Just for grins I added "localhost.localdomain" to the admit lines in bundle 
server access_rules():

bundle server access_rules()
{
access:

  "/var/cfengine/bin/cf-runagent"

    admit   => { "127.0.0.1" , "10.2.1.219" , "10.2.1.220" , "localhost.localdomain" };

  "/var/cfengine/bin/cf-agent"

    admit   => { "127.0.0.1" , "10.2.1.219" , "10.2.1.220" , "localhost.localdomain" };

roles:

  ".*"  authorize => { "autotest" };
}

and retried cf-runagent -i. The result was:

cf3 Received:  on socket 4
cf3 Allowing 127.0.0.1 to connect without (re)checking ID
cf3 Non-verified Host ID is localhost.localdomain (Using skipverify)
cf3 Non-verified User ID seems to be root (Using skipverify)
cf3 LastSaw host localhost.localdomain now
cf3 Received:  on socket 4
cf3 Loaded /var/cfengine/ppkeys/root-127.0.0.1.pub
cf3 A public key was already known from localhost.localdomain/::ffff:127.0.0.1 - no trust required
cf3 Adding IP ::ffff:127.0.0.1 to SkipVerify - no need to check this if we have a key
cf3 The public key identity was confirmed as r...@localhost.localdomain
cf3 Strong authentication of client localhost.localdomain/::ffff:127.0.0.1 achieved
cf3  -> Receiving session key from client (size=256)...
cf3 Received:  on socket 4
cf3 User root granted connection privileges
cf3 Found a matching rule in access list (/var/cfengine/bin/cf-agent in /var/cfengine/bin/cf-agent)
cf3 No root privileges granted
cf3 Host localhost.localdomain granted access to /var/cfengine/bin/cf-agent
cf3 Examining command string:
cf3 Executing command /var/cfengine/bin/cf-agent -f failsafe.cf && /var/cfengine/bin/cf-agent --inform

Command line output from the cf-runagent terminal was:

# cf-runagent -i
cf3  -> Unexpected argument with no preceding option: &&
cf3  ->  -> Object /var/cfengine/inputs/promises.cf.txt had permission 644, changed it to 600
cf3  ->  -> Object /var/cfengine/inputs/promises.cf.html had permission 644, changed it to 600
cf3  ->  -> Updated /var/cfengine/inputs/promises.cf.txt from source /var/cfengine/masterfiles/promises.cf.txt on localhost
cf3  ->  -> Updated /var/cfengine/inputs/promises.cf.html from source /var/cfengine/masterfiles/promises.cf.html on localhost
cf3  !!

So it looks like it was successful, although it definitely didn't poll me to 
accept the key from the other system. Does this look like it's functioning 
correctly? Why did I have to add "localhost.localdomain" to the admit lines? 
That doesn't seem like a "best practice" to me. Why did it refuse to grant root 
privileges, but appear to function? Also, what might be the issue with the 
cf-runagent output line in bold? Thanks!
