Forum: CFEngine Help
Subject: Re: Policy Servers
Author: lauwersw
Link to topic: https://cfengine.com/forum/read.php?3,24302,24304#msg-24304

tjavo87 Wrote:
> - Do we need to bootstrap to both policy servers?

I wouldn't know why: bootstrapping is just making sure that you have some initial code to run with. That code should be identical, independent of the bootstrap server it comes from. So no.

> - I created a variable that defines multiple
> policy servers (slist) and used that during
> secure_cp. Is this a correct approach?

That can be one approach, but it won't load-balance; it will try every server in that list in order until one answers. Here's an example on load balancing: https://cfengine.com/forum/read.php?3,22618,22640

> - If we have multiple policy servers, how to be
> sure the client/servers have both keys?

You can either distribute the keys upfront (outside of cfengine), or you have to use "trustkey", as explained in the docs http://cfengine.com/manuals/cf3-reference.html#Key-exchange . With trustkey => "true" the keys will be automatically exchanged upon first contact. So even if a client always communicated with server1, upon failure of server1 it can connect to server2, exchange keys and keep on working from server2.

> - How to keep the policy servers in sync with each
> other?

I recommend putting all your cfengine files in source control and regularly updating all policy servers from there. They should always have identical code that way. Theoretically you could also have a number of "slave" policy servers syncing from one "master" policy server, but that's definitely less robust.
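
Added example, not part of the original post: a CFEngine 3 policy sketch of the two key-handling options described above, using a server list that is tried in order. The host names, bundle and body names, and the /var/cfengine paths are assumptions chosen for illustration.

```cf3
body common control
{
      bundlesequence => { "update_policy" };
}

bundle common g
{
  vars:
      # Hypothetical host names. The list is tried in order until one
      # server answers; this gives failover, not load balancing.
      "policy_servers" slist => { "policy1.example.com", "policy2.example.com" };
}

# Option 1: accept an unknown server key on first contact, so a client
# that only ever talked to policy1 can still fail over to policy2.
body copy_from failover_cp_trust(from)
{
      source   => "$(from)";
      servers  => { @(g.policy_servers) };
      compare  => "digest";
      encrypt  => "true";
      verify   => "true";
      trustkey => "true";
}

# Option 2: the public keys of both servers were distributed upfront
# (outside of CFEngine), so unknown keys are never accepted.
body copy_from failover_cp_pinned(from)
{
      source   => "$(from)";
      servers  => { @(g.policy_servers) };
      compare  => "digest";
      encrypt  => "true";
      verify   => "true";
      trustkey => "false";
}

bundle agent update_policy
{
  files:
      # Assumed default locations for inputs and masterfiles.
      "/var/cfengine/inputs"
        copy_from    => failover_cp_pinned("/var/cfengine/masterfiles"),
        depth_search => recurse_all;
}

body depth_search recurse_all
{
      depth => "inf";
}
```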