Forum: Cfengine Help
Subject: Need help troubleshooting Remote Access key exchange
Author: regan99
Link to topic: https://cfengine.com/forum/read.php?3,21233,21233#msg-21233

Hi,

I've been having a tough time getting two machines (one policy server, one 
client) to exchange keys and allow cf-runagent to work correctly. I based my 
setup on the instructions given in Section 7 of the Cfengine3 Tutorial, but 
things are not behaving the way the documentation says. Is there any better 
documentation available for setting up remote access? In particular, 
understanding the complete options available to the cf-key command, and 
understanding all of the components needed in the server control and server 
access_rules bundles would be extremely helpful.

And for those who may be interested in helping me troubleshoot directly, here's 
what I have going on:

The bundle configs in promises.cf... I'm listing the one from the client, but 
the policy server's is identical, except it allows the entire Class C IP 
netblock 192.168.52.0/24 (these are just VMs running on my PC):


#
# Body to control cf-runagent execution
#
body runagent control
{
    trustkey => "true";
    hosts    => { "127.0.0.1", "192.168.52.140" };
RUNAGENT_WEB_SERVERS::
    hosts    => { "web1", "web2", "web3" };
}

#
# Body to control cf-serverd execution
#
body server control
{
    # Which hosts are permitted/trusted to connect to cf-serverd
    allowallconnects    => { "127.0.0.1", "192.168.52.140" };
    trustkeysfrom       => { "127.0.0.1", "192.168.52.140" };

    # Control access on a per user basis
    allowusers          => { "root" };

    # The command to be executed by cf-runagent (through cf-serverd)
    cfruncommand        => "$(sys.workdir)/bin/cf-execd -FK -f runagent.cf";
}

#
# Access rules for cf-serverd
#
bundle server access_rules() {

# Which part of the system is available to be run via cfruncommand. If you
# execute programs other than cfengine programs, you will need to specify the
# path for those programs here.
access:

    "$(sys.workdir)/bin" admit => { "127.0.0.1", "192.168.52.140" };

# Here you can control in details which users can define what classes (which
# may be used to control execution). You can use this to restrict what bundles
# can be executed by different users, by controlling bundle execution with
# classes and then only allowing users to define classes for bundles they are
# authorized to run.
roles:

    ".*" authorize => { "root" };

}


And here is the output when I run 'cf-runagent -v -H 192.168.52.140' on the 
client:


community> Initiate variable convergence...
community>  -> Checking common class promises...
community>  -> Checking common class promises...
community> SET trustkey = 1
community>  -> Matched IP 192.168.52.140 to key MD5=044aab4cdce604d9d767b5772699c26e
community> 
...........................................................................
community>  * Hailing 192.168.52.140 : 5308, with options "" (serial)
community> 
...........................................................................
community> No existing connection to 192.168.52.140 is established...
community> Set cfengine port number to 5308 = 5308
community> Set connection timeout to 10
community>  -> Connect to 192.168.52.140 = 192.168.52.140 on port 5308
community>  -> Matched IP 192.168.52.140 to key MD5=044aab4cdce604d9d767b5772699c26e
community>  -> Going to secondary storage for key
community> .....................[.h.a.i.l.].................................
community> Strong authentication of server=192.168.52.140 connection confirmed
community>  -> Public key identity of host "192.168.52.140" is "MD5=044aab4cdce604d9d767b5772699c26e"
community>  -> Last saw 192.168.52.140 (+MD5=044aab4cdce604d9d767b5772699c26e) first time now
community>  -> Going to secondary storage for key
community>  !!  Unspecified server refusal (see verbose server output)
community> Couldn't recv
community>  !!! System error for recv: "Connection reset by peer"
community>  -> Writing last-seen observations
community>  -> Last-seen record for -MD5=09e1e924604de306fd8b23f57527e40c expired after 318.5 > 168.0 hours
community>  -> Last-seen record for -MD5=7d1032521c7eb1c496b83129c51d29f7 expired after 264.8 > 168.0 hours
community>  -> Last saw +MD5=044aab4cdce604d9d767b5772699c26e (alias 192.168.52.140) at Mon Mar 21 17:10:31 2011 (noexpiry 0.3 <= 168.0)


Has anybody had this same problem? And if so, how did you solve it? Thanks!

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
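As an added example (not from the original post and not CFEngine's own code), here is a small Python parser that reduces the verbose cf-runagent output quoted above to the key-exchange events that matter and reports at which stage the run failed, so the fix is looked for on the right host. The sample input is a constructed copy of the post's log with the wrapped lines joined; the analyse and verdict function names are my own.

```python
import re

# Constructed sample input: the cf-runagent -v output quoted in the post,
# with wrapped lines joined. Real input would be the command's stdout.
SAMPLE = """\
community> SET trustkey = 1
community>  -> Matched IP 192.168.52.140 to key MD5=044aab4cdce604d9d767b5772699c26e
community>  -> Connect to 192.168.52.140 = 192.168.52.140 on port 5308
community> Strong authentication of server=192.168.52.140 connection confirmed
community>  -> Last saw 192.168.52.140 (+MD5=044aab4cdce604d9d767b5772699c26e) first time now
community>  !!  Unspecified server refusal (see verbose server output)
community>  !!! System error for recv: "Connection reset by peer"
community>  -> Last-seen record for -MD5=09e1e924604de306fd8b23f57527e40c expired after 318.5 > 168.0 hours
"""

KEY_RE = re.compile(r"MD5=([0-9a-f]{32})")
EXPIRED_RE = re.compile(r"Last-seen record for -?MD5=([0-9a-f]{32}) expired after ([\d.]+) > ([\d.]+) hours")

def analyse(output):
    """Collect the key-exchange events from cf-runagent -v output."""
    s = {"trustkey": False, "server_key": None, "authenticated": False,
         "first_contact": False, "refused": False, "expired": []}
    for line in output.splitlines():
        if "SET trustkey = 1" in line:
            s["trustkey"] = True          # trust on first use: the first key seen is accepted
        elif "Matched IP" in line:
            m = KEY_RE.search(line)       # fingerprint the client already holds for the server
            if m:
                s["server_key"] = m.group(1)
        elif "Strong authentication of server" in line:
            s["authenticated"] = True     # client verified the server's key
        elif "first time now" in line:
            s["first_contact"] = True     # no prior last-seen record for this host
        elif "server refusal" in line:
            s["refused"] = True           # cf-serverd rejected the request after the handshake
        else:
            m = EXPIRED_RE.search(line)   # stale last-seen records being purged
            if m:
                s["expired"].append((m.group(1), float(m.group(2))))
    return s

def verdict(s):
    """Name the stage that failed, which decides where to look next."""
    if not s["authenticated"]:
        return "key exchange failed: client could not authenticate the server key"
    if s["refused"]:
        return ("server key authenticated, refusal came from cf-serverd afterwards: "
                "check the server's verbose log and its server control / access_rules")
    return "ok"
```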
