Forum: Cfengine Help
Subject: Re: OpenSSL errors on a 3.1.4 MPS
Author: msvob...@linkedin.com
Link to topic: https://cfengine.com/forum/read.php?3,20661,20663#msg-20663

I'm starting to think that the OpenSSL error was just a red herring here.  It 
seems to be some sort of issue that I'm hitting with cf-serverd trying to 
re-cache the output of cf-promises?  After it re-reads promises.cf, the access 
list goes empty, and the client is refused?


I disabled encryption, and still had issues performing network transfers.  
Looking at the verbose output on the client, I'm actually seeing some bits come 
over the wire.

# /var/cfengine/bin/cf-agent -I -K -f failsafe.cf -v
....
....
cf3 Skipping matched excluded directory 
/var/cfengine/masterfiles/generic_cf-agent_policies/.svn
cf3  -> Destination file "/var/cfengine/inputs/cfengine_automated_execution.cf" 
already exists
cf3  -> File /var/cfengine/inputs/cfengine_automated_execution.cf is an up to 
date copy of source
cf3  -> Destination file "/var/cfengine/inputs/verify_disk_health.cf" already 
exists
cf3  -> File /var/cfengine/inputs/verify_disk_health.cf is an up to date copy 
of source
cf3  -> Destination file "/var/cfengine/inputs/check_postfix_aliases.cf" 
already exists
cf3  -> File /var/cfengine/inputs/check_postfix_aliases.cf is an up to date 
copy of source
cf3  ->>  Entering /var/cfengine/inputs/config-solaris
cf3 decryption FAILED at final of 59: error:0606506D:digital envelope 
routines:EVP_DecryptFinal:wrong final block length
cf3  !! Transmission refused or failed statting 
/var/cfengine/masterfiles/generic_cf-agent_policies/config-solaris/+k?7?l-?T:?%??T?La?$F?yC1N)ɳ???1?0?&?дo???K????z?ut)
Got:
cf3  !! (Can't stat 
/var/cfengine/masterfiles/generic_cf-agent_policies/config-solaris/+k?7?l-?T:?%??T?La?$F?yC1N)ɳ???1?0?&?дo???K????z?ut))
cf3  !!! System error for cf_stat: "Not owner"
cf3 Couldn't send
cf3  !!! System error for send: "Broken pipe"
cf3 Transmission failed/refused talking to 
ech3-cfe-dmz-zone-v753.prod.linkedin.com:/var/cfengine/masterfiles/generic_cf-agent_policies/verify_hardware_health.cf
 in stat
cf3  !!! System reports error for send: "Broken pipe"


So, it actually worked looking at the policy 
/var/cfengine/inputs/check_postfix_aliases.cf.  Checking the verbose output of 
the server, I see it trying to re-read promises.cf.   So I guess I'm hitting a 
bug here from the caching mechanism of cf-promises?  





$ /var/cfengine/bin/cf-serverd -K -v
....
....
community> Found a matching rule in access list 
(/var/cfengine/masterfiles/generic_cf-agent_policies/cfengine_automated_execution.cf
 in /var/cfengine/masterfiles)
community> Host ech3-zrepo01.prod granted access to 
/var/cfengine/masterfiles/generic_cf-agent_policies/cfengine_automated_execution.cf
community> Found a matching rule in access list 
(/var/cfengine/masterfiles/generic_cf-agent_policies/verify_disk_health.cf in 
/var/cfengine/masterfiles)
community> Host ech3-zrepo01.prod granted access to 
/var/cfengine/masterfiles/generic_cf-agent_policies/verify_disk_health.cf
community> Found a matching rule in access list 
(/var/cfengine/masterfiles/generic_cf-agent_policies/check_postfix_aliases.cf 
in /var/cfengine/masterfiles)
community> Host ech3-zrepo01.prod granted access to 
/var/cfengine/masterfiles/generic_cf-agent_policies/check_postfix_aliases.cf
community> Found a matching rule in access list 
(/var/cfengine/masterfiles/generic_cf-agent_policies/config-solaris in 
/var/cfengine/masterfiles)
community> Host ech3-zrepo01.prod granted access to 
/var/cfengine/masterfiles/generic_cf-agent_policies/config-solaris
community>  -> Caching the state of validation
community> Rereading config files /var/cfengine/inputs/promises.cf..
community> Cfengine - 3.1.4 Copyright (C) Cfengine AS 2008,2010-
community> 
------------------------------------------------------------------------
community> Host name is: ech3-cfe-dmz-zone-v753.prod
community> Operating System Type is sunos
community> Operating System Release is 5.10
community> Architecture = i86pc
community> Using internal soft-class solarisx86 for host 
ech3-cfe-dmz-zone-v753.prod
community> The time is now Mon Feb 14 21:04:53 2011
community> 
------------------------------------------------------------------------
community> # Extended system discovery is only available in version Nova and 
above
community> Additional hard class defined as: 32_bit
community> Additional hard class defined as: sunos_5_10
community> Additional hard class defined as: sunos_i86pc
community> Additional hard class defined as: sunos_i86pc_5_10
community> Additional hard class defined as: i386
community> Additional hard class defined as: i86pc
community> GNU autoconf class from compile time: compiled_on_solaris2_10
community> Address given by nameserver: 172.17.53.69
community> Adding alias loghost..
community> Trying to locate my IPv6 address
community> Looking for environment from cf-monitord...
community> Unable to detect environment from cf-monitord
community> Reference time set to Mon Feb 14 21:04:53 2011
community>   > Parsing file /var/cfengine/inputs/promises.cf
community> Initiate variable convergence...
community>  -> Checking common class promises...
community> Executing and using module 
community> Activated classes: PROD
community> Activated classes: ECH3
community>  ?> defining additional global class no_site_env_defined
community>  ?> defining additional global class xaa_exists
community>   > Parsing file /var/cfengine/inputs/update.cf
community> Initiate variable convergence...
community>  -> Checking common class promises...
community> Executing and using module 
community> cf-serverd access list is empty, no files are visible
community> Access error
community> From (host=ech3-zrepo01.prod,user=root,ip=172.17.53.57)
community> REFUSAL of request from connecting host: (OPENDIR 
/var/cfengine/masterfiles/generic_cf-agent_policies/config-solaris)
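
The sequence visible in the server output above (grant, reread of promises.cf, empty access list, refusal) can be picked out of a long cf-serverd -v capture mechanically. The following script is an added example, not part of the original post and not CFEngine code; the sample is abridged from the output quoted above, and the function names and result field names are illustrative choices.

```python
import re

PREFIX = "community>"
GRANT = re.compile(r"Host (\S+) granted access to (\S+)")
FROM = re.compile(r"From \(host=([^,]+),user=[^,]+,ip=[^)]+\)")
REFUSAL = re.compile(r"REFUSAL of request from connecting host: \((\w+) (\S+)\)")

# Abridged from the cf-serverd -v output quoted in the post, mail wrapping kept.
SAMPLE = """\
community> Host ech3-zrepo01.prod granted access to
/var/cfengine/masterfiles/generic_cf-agent_policies/config-solaris
community>  -> Caching the state of validation
community> Rereading config files /var/cfengine/inputs/promises.cf..
community> cf-serverd access list is empty, no files are visible
community> Access error
community> From (host=ech3-zrepo01.prod,user=root,ip=172.17.53.57)
community> REFUSAL of request from connecting host: (OPENDIR
/var/cfengine/masterfiles/generic_cf-agent_policies/config-solaris)
"""

def unwrap(text):
    """Rejoin wrapped continuation lines onto their 'community>' record."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            records.append(line[len(PREFIX):].strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def analyze(text):
    """Return refusals, flagging those that follow a reload with an empty ACL."""
    granted, findings = set(), []
    reread = acl_empty = False
    host = None
    for rec in unwrap(text):
        if m := GRANT.search(rec):
            granted.add((m.group(1), m.group(2)))
        elif rec.startswith("Rereading config files"):
            reread, acl_empty = True, False
        elif "access list is empty" in rec:
            acl_empty = True
        elif m := FROM.search(rec):
            host = m.group(1)
        elif m := REFUSAL.search(rec):
            op, path = m.groups()
            findings.append({"host": host, "op": op, "path": path,
                             "granted_before": (host, path) in granted,
                             "empty_acl_after_reread": reread and acl_empty})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```

A refusal with both flags set is a path the server served to that host before the reload and denied afterwards, which separates a policy-reload problem from a genuinely missing access rule.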
