I am following the "Troubleshooting remote connections" section in the manual.
1. I've set skipverify on the server:

    body server control
    {
    allowconnects => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    allowallconnects => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    trustkeysfrom => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    skipverify => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    # Make updates and runs happen in one
    cfruncommand => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent";
    allowusers => { "root" };
    }

1b. I've set skipidentify on the client:

    body agent control
    {
    skipidentify => "true";
    }

2. I've granted access to my client in the server body:

    body server control
    {
    allowconnects => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" }; # I've xxx'ed out my IP
    allowallconnects => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    trustkeysfrom => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    skipverify => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    # Make updates and runs happen in one
    cfruncommand => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent";
    allowusers => { "root" };
    }

3. both sides have keys. I just ran cf-key on both and got:

    A key file already exists at /var/cfengine/ppkeys/localhost.pub

4. I am not using secure copy. (though I've tried it both ways)

    body copy_from mycopy(from,server)
    {
    source => "$(from)";
    servers => { "$(server)" };
    compare => "digest";
    encrypt => "true";
    trustkey => "true"; # trust the server's public key
    }

5. I've tried debugging mode -d1 on cf-serverd. As the manual suggests, I tried -d2. I got 200,047 lines of output in -d2.

Here's the bit right before the refusal:

    Delete lval = package_add_command,s
    DeleteRvalItem(s)/usr/bin/aptitude --assume-yes install
    AccessControl, match(/var/cfengine/masterfiles/DATE,ve.cfengine.com) encrypt request=1
    cf-serverd access list is empty, no files are visible
    Access control error
    Transaction Send[t 59][Packed text]
    Attempting to send 67 bytes
    Delete lval = package_list_update_command,s
    DeleteRvalItem(s)/usr/bin/aptitude update
    Delete lval = package_delete_command,s
    DeleteRvalItem(s)/usr/bin/aptitude --assume-yes remove
    Delete lval = package_update_command,s
    DeleteRvalItem(s)/usr/bin/aptitude --assume-yes install
    SendSocketStream, sent 67
    Delete lval = package_add_command,s
    DeleteRvalItem(s)/usr/bin/apt-get --yes install
    From (host=ve.cfengine.com,user=root,ip=::ffff:xxx.xxx.xxx.xxx)
    Delete lval = package_list_update_command,s
    DeleteRvalItem(s)/usr/bin/apt-get update
    Delete lval = package_delete_command,s
    DeleteRvalItem(s)/usr/bin/apt-get --yes remove
    Delete lval = package_update_command,s
    DeleteRvalItem(s)/usr/bin/apt-get --yes install
    REFUSAL of request from connecting host: (SGET 48 2048)
    Terminating thread...
    ***Closing socket 5 from ::ffff:xxx.xxx.xxx.xxx

Here is the server configuration:

    bundle server access_rules()
    {
    access:
      "/var/cfengine/masterfiles"
        admit => { "127.0.0.1", "xxx.xxx.xxx.xxx" };

    roles:
      ".*" authorize => { "root" };
    }

    body server control
    {
    allowconnects => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    allowallconnects => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    trustkeysfrom => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    skipverify => { "127.0.0.1" , "::1", "xxx.xxx.xxx.xxx" };
    # Make updates and runs happen in one
    cfruncommand => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent";
    allowusers => { "root" };
    }

My client configuration is:

    #########################################################
    body agent control
    {
    skipidentify => "true";
    }
    #########################################################
    bundle agent updatefrom2
    {
    vars:
      "master_location" string => "/var/cfengine/masterfiles";

    files:
      "/var/cfengine/inputs"
        perms => u_p("600"),
        copy_from => mycopy("$(master_location)","cfengine02"),
        depth_search => recurse("inf"),
        action => immediate;
    }
    ############################################
    body perms u_p(p)
    {
    mode => "$(p)";
    }
    #########################################################
    body copy_from mycopy(from,server)
    {
    source => "$(from)";
    servers => { "$(server)" };
    compare => "digest";
    encrypt => "true";
    trustkey => "true"; # trust the server's public key
    }

So what's the next step?

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
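
Added example, not part of the original post and not CFEngine code: a small Python filter for a large cf-serverd -d2 log that drops the interleaved "Delete lval" / "DeleteRvalItem" lines and reports, for each REFUSAL, the access-control lines that preceded it. The sample lines are constructed from the excerpt in the post; the function name refusals, the record layout and the 10-line context window are assumptions, and the pattern also accepts the ">From" form that mbox-stored mail uses for a line starting with "From ".

```python
import re
from collections import deque

# Constructed sample: lines from the post's debug excerpt, one message per line.
SAMPLE = """\
Delete lval = package_add_command,s
DeleteRvalItem(s)/usr/bin/aptitude --assume-yes install
AccessControl, match(/var/cfengine/masterfiles/DATE,ve.cfengine.com) encrypt request=1
cf-serverd access list is empty, no files are visible
Access control error
From (host=ve.cfengine.com,user=root,ip=::ffff:xxx.xxx.xxx.xxx)
DeleteRvalItem(s)/usr/bin/apt-get --yes install
REFUSAL of request from connecting host: (SGET 48 2048)
"""

# Policy-teardown messages that are interleaved with the request handling.
NOISE = re.compile(r"^(Delete lval = |DeleteRvalItem\()")
MATCH = re.compile(r"^AccessControl, match\((?P<path>[^,]+),(?P<host>[^)]+)\)")
FROM = re.compile(r"^>?From \(host=(?P<host>[^,]+),user=(?P<user>[^,]+),ip=(?P<ip>[^)]+)\)")
REFUSAL = re.compile(r"^REFUSAL of request from connecting host: \((?P<req>[^)]*)\)")


def refusals(lines, context=10):
    """Return one record per REFUSAL with the access-control lines before it."""
    window, found = deque(maxlen=context), []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or NOISE.match(line):
            continue
        refused = REFUSAL.match(line)
        if not refused:
            window.append(line)  # keep recent non-noise lines as context
            continue
        rec = {"line": number, "request": refused["req"], "notes": []}
        for prev in window:
            hit = MATCH.match(prev) or FROM.match(prev)
            if hit:
                rec.update(hit.groupdict())  # path/host or host/user/ip
            elif "access" in prev.lower():
                rec["notes"].append(prev)    # free-text access messages
        found.append(rec)
        window.clear()
    return found


if __name__ == "__main__":
    for rec in refusals(SAMPLE.splitlines()):
        print(rec)
```

On a real log, pass the open file object instead of SAMPLE.splitlines().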