Forum: Cfengine Help
Subject: Need help troubleshooting Remote Access key exchange
Author: regan99
Link to topic: https://cfengine.com/forum/read.php?3,21233,21233#msg-21233
Hi,
I've been having a tough time getting two machines (one policy server, one
client) to exchange keys and allow cf-runagent to work correctly. I based my
setup on the instructions given in Section 7 of the Cfengine3 Tutorial, but
things are not behaving the way the documentation says. Is there any better
documentation available for setting up remote access? In particular,
understanding the complete options available to the cf-key command, and
understanding all of the components needed in the server control and server
access_rules bundles would be extremely helpful.
And for those who may be interested in helping me troubleshoot directly, here's
what I have going on:
The bundle configs in promises.cf... I'm listing the one from the client, but
the policy server's is identical, except it allows the entire Class C IP
netblock 192.168.52.0/24 (these are just VMs running on my PC):
#
# Body to control cf-runagent execution
#
body runagent control
{
  trustkey => "true";
  hosts => { "127.0.0.1", "192.168.52.140" };

  RUNAGENT_WEB_SERVERS::
    hosts => { "web1", "web2", "web3" };
}

#
# Body to control cf-serverd execution
#
body server control
{
  # Which hosts are permitted/trusted to connect to cf-serverd
  allowallconnects => { "127.0.0.1", "192.168.52.140" };
  trustkeysfrom => { "127.0.0.1", "192.168.52.140" };

  # Control access on a per-user basis
  allowusers => { "root" };

  # The command to be executed by cf-runagent (through cf-serverd)
  cfruncommand => "$(sys.workdir)/bin/cf-execd -FK -f runagent.cf";
}

#
# Access rules for cf-serverd
#
bundle server access_rules()
{
  # What part of the system is available to be run via cf-runcommand. If you execute
  # programs other than cfengine programs, you will need to specify the path for
  # those programs here.
  access:
    "$(sys.workdir)/bin" admit => { "127.0.0.1", "192.168.52.140" };

  # Here you can control in detail which users can define what classes (which
  # may be used to control execution). You can use this to restrict what bundles
  # can be executed by different users, by controlling bundle execution with
  # classes and then only allowing users to define classes for bundles they are
  # authorized to run.
  roles:
    ".*" authorize => { "root" };
}
And here is the output when I run 'cf-runagent -v -H 192.168.52.140' on the
client:
community> Initiate variable convergence...
community> -> Checking common class promises...
community> -> Checking common class promises...
community> SET trustkey = 1
community> -> Matched IP 192.168.52.140 to key MD5=044aab4cdce604d9d767b5772699c26e
community>
...........................................................................
community> * Hailing 192.168.52.140 : 5308, with options "" (serial)
community>
...........................................................................
community> No existing connection to 192.168.52.140 is established...
community> Set cfengine port number to 5308 = 5308
community> Set connection timeout to 10
community> -> Connect to 192.168.52.140 = 192.168.52.140 on port 5308
community> -> Matched IP 192.168.52.140 to key MD5=044aab4cdce604d9d767b5772699c26e
community> -> Going to secondary storage for key
community> .....................[.h.a.i.l.].................................
community> Strong authentication of server=192.168.52.140 connection confirmed
community> -> Public key identity of host "192.168.52.140" is "MD5=044aab4cdce604d9d767b5772699c26e"
community> -> Last saw 192.168.52.140 (+MD5=044aab4cdce604d9d767b5772699c26e) first time now
community> -> Going to secondary storage for key
community> !! Unspecified server refusal (see verbose server output)
community> Couldn't recv
community> !!! System error for recv: "Connection reset by peer"
community> -> Writing last-seen observations
community> -> Last-seen record for -MD5=09e1e924604de306fd8b23f57527e40c expired after 318.5 > 168.0 hours
community> -> Last-seen record for -MD5=7d1032521c7eb1c496b83129c51d29f7 expired after 264.8 > 168.0 hours
community> -> Last saw +MD5=044aab4cdce604d9d767b5772699c26e (alias 192.168.52.140) at Mon Mar 21 17:10:31 2011 (noexpiry 0.3 <= 168.0)
Has anybody had this same problem? And if so, how did you solve it? Thanks!
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
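As an added triage aid, not part of the original post or of CFEngine itself: the script below reads the verbose cf-runagent output quoted above (embedded as a constructed excerpt with the wrapped lines re-joined) and reduces it to the facts that matter for key-exchange troubleshooting: which key digest the client expected for the IP, which one the server presented, whether the authenticated handshake completed, and whether the refusal happened after it. The message patterns are taken from the log lines in the post; the field names and findings text are this example's own.

```python
import re

# Constructed sample input: an excerpt of the cf-runagent -v session quoted in
# the post, with the wrapped lines re-joined.
SAMPLE_LOG = """\
community> SET trustkey = 1
community> -> Matched IP 192.168.52.140 to key MD5=044aab4cdce604d9d767b5772699c26e
community> -> Connect to 192.168.52.140 = 192.168.52.140 on port 5308
community> Strong authentication of server=192.168.52.140 connection confirmed
community> -> Public key identity of host "192.168.52.140" is "MD5=044aab4cdce604d9d767b5772699c26e"
community> -> Last saw 192.168.52.140 (+MD5=044aab4cdce604d9d767b5772699c26e) first time now
community> !! Unspecified server refusal (see verbose server output)
community> !!! System error for recv: "Connection reset by peer"
"""

# (report field, pattern). Fields in FLAGS are booleans; the others take group 1.
PATTERNS = [
    ("trustkey", re.compile(r"SET trustkey = 1")),
    ("host", re.compile(r"Matched IP (\S+) to key MD5=")),
    ("expected_key", re.compile(r"Matched IP \S+ to key (MD5=[0-9a-f]{32})")),
    ("authenticated", re.compile(r"Strong authentication of server=\S+ connection confirmed")),
    ("presented_key", re.compile(r'Public key identity of host "[^"]+" is "(MD5=[0-9a-f]{32})"')),
    ("first_seen", re.compile(r"Last saw \S+ \(\+MD5=[0-9a-f]{32}\) first time now")),
    ("refused", re.compile(r"!! Unspecified server refusal")),
]
FLAGS = {"trustkey", "authenticated", "first_seen", "refused"}

def analyse_runagent_log(text):
    """Summarise one cf-runagent -v session: keys involved, handshake outcome,
    and whether the server's refusal came after authentication succeeded."""
    r = {"host": None, "expected_key": None, "presented_key": None,
         "trustkey": False, "authenticated": False, "first_seen": False,
         "refused": False, "findings": []}
    for line in text.splitlines():
        for field, pat in PATTERNS:
            m = pat.search(line)
            if m:
                r[field] = True if field in FLAGS else m.group(1)
    if r["expected_key"] and r["presented_key"] and r["expected_key"] != r["presented_key"]:
        r["findings"].append("server presented a key that differs from the one cached for this IP")
    if r["trustkey"]:
        r["findings"].append("trustkey is on: an unknown server key would be accepted on first contact")
    if r["first_seen"]:
        r["findings"].append("no prior last-seen record for this host")
    if r["authenticated"] and r["refused"]:
        r["findings"].append("key exchange succeeded; the refusal came afterwards, "
                             "so look at cf-serverd's verbose output for the reason")
    elif not r["authenticated"]:
        r["findings"].append("authenticated handshake did not complete")
    return r

if __name__ == "__main__":
    for key, value in analyse_runagent_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```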