In my cfe setup, the clients send me email every time the output changes (which I think is fairly common in smaller installations). I always have a report in a policy, so if it kicks in on a client to make a change, I get an email receipt, very nice.
However, this feature is plagued by the spurious "Challenge response... incorrect!" messages that keep on coming at irregular intervals; this spams my inbox. I had hoped that this would go away with community cfe v3.2.0b3, but the messages are still there.

Below are some examples showing variations of the error message when no policy has kicked in (1 and 2), confirmation emails when something did change (3, 4 - note that in 4, you have the error, but the policy is still carried out), along with the server and update policy I use.

Is there something wrong in my setup or is this a bug in cfe? How can I get rid of this?

- Erlend

Example 1:

    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 172
     !! Authentication dialogue with 10.0.1.230 failed

Example 2:

    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 134
     !! Authentication dialogue with 10.0.1.230 failed
    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 141
     !! Authentication dialogue with 10.0.1.230 failed
    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 151
     !! Authentication dialogue with 10.0.1.230 failed
    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 158
     !! Authentication dialogue with 10.0.1.230 failed
    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 165
     !! Authentication dialogue with 10.0.1.230 failed
    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 172
     !! Authentication dialogue with 10.0.1.230 failed

Example 3:

    R: my_common_bashrc: updated /etc/bashrc

Example 4:

    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 151
     !! Authentication dialogue with 10.0.1.230 failed
    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 158
     !! Authentication dialogue with 10.0.1.230 failed
    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 165
     !! Authentication dialogue with 10.0.1.230 failed
    Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
    I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 172
     !! Authentication dialogue with 10.0.1.230 failed
    R: my_common_bashrc: updated /etc/bashrc

The server policy:

    root@m5000# cat -n cf-serverd.cf

    #------------------------------------------------------------------------
    #controls for the cf-serverd process
    body server control {
      #trustkeysfrom => { "10.0.1.0/24" };
      trustkeysfrom => { "10.0.1.*" };
      allowconnects => { "10.0.1.*" };
      allowusers => { "root" };
      maxconnections => "100";
      logallconnections => "true";
    }

    #------------------------------------------------------------------------
    body executor control {
      splaytime => "4"; #rule of thumb: 1+clientcount/50
      mailto => "sys...@some.domain.com";
      smtpserver => "mail.some.domain.com";
      mailmaxlines => "1000";
      #make policy updates apply in first run
      exec_command => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent";
    }

    #------------------------------------------------------------------------
    #access rules for the cf-serverd process
    bundle server access_rules {
      access:
        "/export/cfengine/master"
          admit => { "10.0.1.*" };
        "/export/cfengine/depot"
          admit => { "10.0.1.*" };
        "/usr/local/sbin"
          admit => { "10.0.1.*" };
    }

The update policy:

    root@m5000# cat -n update.cf
    #------------------------------------------------------------------------
    bundle agent update{
      vars:
        "policyserver" string => "10.0.1.230";
        "policyfiles" string => "/export/cfengine/master";
        "cf3binaries" string => "/export/cfengine/depot/cfebin";

      files:

        #---------------------------------------------------------------------
        #get policy files from policy server
        "${sys.workdir}/inputs"
          handle => "update_policy_files",
          copy_from => getfiles("${policyserver}", "${policyfiles}"),
          depth_search => recurse;

        #---------------------------------------------------------------------
        #get cf3 binaries from policy server
        "/var/cfengine/bin"
          handle => "cf3_update_binaries",
          #perms => u_p("700"),
          copy_from => getfiles("${policyserver}","${cf3binaries}"),
          depth_search => recurse,
          action => "immediate";
    }

    #------------------------------------------------------------------------
    #define body of the getfiles "subroutine"
    body copy_from getfiles(server, path) {
      servers => { "${server}" };
      encrypt => "true";
      trustkey => "true";
      source => "${path}";
      compare => "digest";
      preserve => "true";
      verify => "true";
      #purge => "true"; #can in some cases remove cfe binaries completely
    }

    #------------------------------------------------------------------------
    body depth_search recurse {
      depth => "inf";
    }
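An added example, not part of the original post and not CFEngine code: a Python sketch that sorts the body of one such notification mail into authentication failures (counted per server, policy file and line) and `R:` report lines, so mails that carry only handshake failures can be told apart from mails that report a change. The function name `triage`, the verdict strings and the sample bodies are assumptions constructed from the wording of the examples above.

```python
import re
from collections import Counter

# Message shapes copied from the examples in the post; whitespace between the
# three parts of a failure is matched loosely because mail wrapping varies.
EVENT = re.compile(
    r"(?:!!\s*)?Challenge response from server (?P<host>[^/\s]+)/(?P<ip>\S+) was incorrect!\s*"
    r"I: Made in version '(?P<ver>[^']*)' of '(?P<file>[^']+)' near line (?P<line>\d+)\s*"
    r"(?:!!\s*)?Authentication dialogue with (?P<peer>\S+) failed"
)
REPORT = re.compile(r"^[ \t]*R: (?P<text>.+)$", re.M)


def triage(mail_body):
    """Sort one notification mail into auth failures, reports and leftovers."""
    failures = Counter(
        (m["peer"], m["file"], int(m["line"])) for m in EVENT.finditer(mail_body)
    )
    reports = [m["text"].strip() for m in REPORT.finditer(mail_body)]
    # Text matching neither pattern is kept, so nothing is silently dropped.
    rest = REPORT.sub("", EVENT.sub("", mail_body))
    unknown = [ln.strip() for ln in rest.splitlines() if ln.strip()]
    if reports:
        verdict = "change-reported"
    elif failures and not unknown:
        verdict = "auth-failures-only"
    else:
        verdict = "needs-review"
    return {"verdict": verdict, "failures": failures,
            "reports": reports, "unknown": unknown}


# Constructed samples: Example 1, and a shortened form of Example 4.
SAMPLE_NOISE = """\
Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 172
 !! Authentication dialogue with 10.0.1.230 failed
"""
SAMPLE_CHANGE = (SAMPLE_NOISE.replace("line 172", "line 165") + SAMPLE_NOISE
                 + "R: my_common_bashrc: updated /etc/bashrc\n")

if __name__ == "__main__":
    for body in (SAMPLE_NOISE, SAMPLE_CHANGE):
        result = triage(body)
        print(result["verdict"], dict(result["failures"]), result["reports"])
```

The verdict only sorts the mail; it does not explain or remove the failed authentication itself.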