Forum: CFEngine Help
Subject: Re: Policy Servers
Author: tjavo87
Link to topic: https://cfengine.com/forum/read.php?3,24302,24306#msg-24306

lauwersw Wrote:
-------------------------------------------------------
> tjavo87 Wrote:
> > - Do we need to bootstrap to both policy
> > servers?
> 
> I wouldn't know why: bootstrapping is just making
> sure that you have some initial code to run with.
> That code should be identical, independent of the
> bootstrap server it comes from. So no.
>  
Now the bootstrap process is clear.

> 
> > - I created a variable that defines multiple
> > policy servers (slist) and used that during
> > secure_cp. Is this a correct approach?
> 
> That can be one approach, but it won't
> loadbalance, it will try every server in that list
> in order until one answers. Here's an example on
> loadbalancing:
> https://cfengine.com/forum/read.php?3,22618,22640
> 
> 
> > - If we have multiple policy servers, how to be
> > sure the client/servers have both keys?
> 
> You can either distribute the keys upfront
> (outside of cfengine), or you have to use
> "trustkey", as explained in the docs
> http://cfengine.com/manuals/cf3-reference.html#Key-exchange .
> With trustkey => "true" the keys will
> be automatically exchanged upon first contact. So
> even if a client always communicated with server1,
> upon failure of server1 it can connect to server2,
> exchange keys and keep on working from server2.
> 
That's clear. I've enabled the trustkey option in the cfengine_stdlib.cf under 
secure_cp.

> > - How to keep the policy servers in sync with
> > each other?
> 
> I recommend to put all your cfengine files in
> source control and regularly update all policy
> servers from there. They should always have
> identical code that way. Theoretically you could
> also have a number of "slave" policy servers
> syncing from one "master" policy server, but
> that's definitely less robust.

Thanx!

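The setup discussed in this thread (a list of policy servers tried in order, plus the trustkey choice) as an added example that is not part of the original posts or of the CFEngine standard library. The bundle and body names, the paths and the 192.0.2.x addresses are assumptions made for illustration.

```cf3
body common control
{
  bundlesequence => { "update_from_policy_servers" };
}

bundle agent update_from_policy_servers
{
  vars:
      # Constructed placeholder addresses for the two policy servers.
      "policy_servers" slist => { "192.0.2.10", "192.0.2.11" };

  files:
      # Every policy server is expected to serve identical masterfiles
      # (for example, both checked out from the same source control).
      "/var/cfengine/inputs"
        copy_from    => failover_cp("/var/cfengine/masterfiles",
                                    @(update_from_policy_servers.policy_servers),
                                    "false"),
        depth_search => recurse_all;
}

# Hypothetical body modelled on secure_cp, taking a server list and a
# trust setting instead of a single server.
body copy_from failover_cp(from, servers, trust)
{
  source   => "$(from)";
  # Failover, not load balancing: servers are tried in list order
  # until one answers.
  servers  => { @(servers) };
  compare  => "digest";
  encrypt  => "true";
  verify   => "true";
  # "true":  keys are exchanged automatically on first contact, so
  #          whichever host answers first at that address is trusted.
  # "false": only servers whose public keys were distributed upfront
  #          (outside of cfengine) are accepted.
  trustkey => "$(trust)";
}

body depth_search recurse_all
{
  depth => "inf";
}
```

Passing "true" as the third argument gives the automatic key exchange described in the thread; "false" fits the case where both servers' keys were distributed before the first run.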