> You lost me after you said 'force policy updates'.
> This is not the Cfengine way.
"To force" is probably the wrong word. I want to notify agents that the policy definition was updated. I believe that notifying agents about policy updates and allowing them to obtain new versions of inputs by admin signal is better than periodic checks and scheduled updates in many cases. At least, it reduces the time lag between the time the policy was updated on a server and the time when it is applied by agents. Why is it not the Cfengine way? What is wrong with it?

> I did not quite catch the rest of your description.

Here is an example of the configuration I want to create.

* cfserv@localhost - runs a cf-serverd instance that acts as the policy distribution point.
* cftest@localhost, cftest1@localhost - are managed environments. Both agents are on the same host, so cftest@localhost uses port 5309 and cftest1@localhost uses port 5310.

I want to notify cftest@localhost and cftest1@localhost after a new version of the policy was deployed at cfserv@localhost. As I understand, I should run at cfserv@localhost the command:

    cf-runagent -H 127.0.0.1:5309,127.0.0.1:5310 -D updates_available

In return the cf-serverd instances in cftest and cftest1 should activate cf-agent with class updates_available.
Here is my promises.cf on the cftest*@localhost side:

    body common control
    {
      bundlesequence => { "main" };
    }

    bundle agent main
    {
      reports:
        updates_available::
          "Have updates for cftest";   # cftest1 in the other case
    }

    body server control
    {
      port => "5309";                  # 5310 in the other case
      allowconnects => { "127.0.0.1" };
      allowusers => { "cfserv", "root" };
      trustkeysfrom => { "127.0.0.1" };
      cfruncommand => "$(sys.cf_agent)";
    }

    bundle server main
    {
      access:
        "$(sys.workdir)/bin/cf-agent"
          admit => { "127.0.0.1" },
          maproot => { "127.0.0.1" };

      roles:
        "updates_available"
          authorize => { "cfserv" };
    }

On cfserv@localhost promises.cf looks like:

    body common control
    {
      bundlesequence => { "cf_null" };
    }

    body runagent control
    {
      trustkey => "true";
    }

In this configuration both agents are activated by cf-runagent, but it looks like cf-runagent updates agent keys on every run. Also it writes keys in files ppkeys/cfserv-*.pub, which I can't understand. Agents work from the cftest and cftest1 users. I want to avoid trustkey promises. I'm trying to remove the trustkey and trustkeysfrom promises from promises.cf. Instead I want to deploy public keys of peers to the ppkeys directory manually. Can you help me to choose proper file names for the keys?

If I first run cf-runagent with the trustkey promise in place it creates two .pub files in ppkeys. Then I comment trustkey out and run cf-runagent, but it fails with the error:

    !! Not authorized to trust the server=127.0.0.1's public key (trustkey=false)
    !! Authentication dialogue with 127.0.0.1 failed
    Unable to establish connection with 127.0.0.1
    !! Not authorized to trust the server=127.0.0.1's public key (trustkey=false)
    !! Authentication dialogue with 127.0.0.1 failed
    Unable to establish connection with 127.0.0.1

Probably I don't understand something in client-server authentication. Could you help me or direct me to some documentation on this subject?
Thank you,
Andrey Bondarenko

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
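As an added illustration (not part of Andrey's message and not CFEngine's own code), here is a small model of the trust-on-first-use behaviour behind the trustkey error quoted above: keys are accepted and stored only while trust is on, and afterwards a peer whose key file is missing on disk is refused. The "<user>-<ip>.pub" naming of the ppkeys files and the key contents are assumptions made for the example.

```python
from pathlib import Path
import tempfile


class TrustError(Exception):
    pass


def key_file(ppkeys: Path, user: str, ip: str) -> Path:
    # Assumed naming (not CFEngine's own code): one file per (user, IP) pair.
    return ppkeys / f"{user}-{ip}.pub"


def check_peer_key(ppkeys, user, ip, presented_key, trustkey=False):
    """Return "known" or "trusted" (newly stored), else raise TrustError.
    A stored key must match exactly: a changed key is refused whatever
    trustkey says. A file under a name the lookup does not use is unknown.
    """
    path = key_file(ppkeys, user, ip)
    if path.exists():
        if path.read_text() != presented_key:
            raise TrustError(f"key for {user}@{ip} changed; refusing")
        return "known"
    if not trustkey:
        # The case in the error output above: no stored key and trust is off.
        raise TrustError(
            f"Not authorized to trust {user}@{ip}'s public key (trustkey=false)")
    ppkeys.mkdir(parents=True, exist_ok=True)
    path.write_text(presented_key)
    return "trusted"


def demo():
    """Replay the sequence from the post: trust first, then switch trust off."""
    ppkeys = Path(tempfile.mkdtemp()) / "ppkeys"
    results = []
    # Constructed sample: two servers on one IP, told apart by the user each
    # runs as (cftest, cftest1). First run with trustkey on stores both keys.
    for user in ("cftest", "cftest1"):
        results.append(check_peer_key(ppkeys, user, "127.0.0.1",
                                      f"KEY-{user}", trustkey=True))
    # Second run with trustkey off: a stored, matching key is accepted...
    results.append(check_peer_key(ppkeys, "cftest1", "127.0.0.1", "KEY-cftest1"))
    # ...but a peer with no key file on disk is refused, as in the post.
    try:
        check_peer_key(ppkeys, "cftest2", "127.0.0.1", "KEY-cftest2")
    except TrustError as e:
        results.append(str(e))
    return results
```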