For the life of me, I can't get `cf-runagent` to work. I realize that it's somewhat deprecated, but as long as it's supported I want to grok it. I'm using community edition 3.3.1.
In promises.cf:

```
bundle server access_rules()
{
access:

  any::

    "$(def.dir_masterfiles)"
      handle => "server_access_grant_access_policy",
      comment => "Grant access to the policy updates",
      admit => { ".*\.$(def.domain)", @(def.acl) };

    "$(def.files)"
      handle => "grant_access_to_files",
      admit => { ".*\.$(def.domain)", @(def.acl) };

    "$(sys.workdir)/masterfiles"
      handle => "grant_access_to_cf_promises_validated",
      admit => { ".*\.$(def.domain)", @(def.acl) };

    "$(sys.cf_agent)"
      handle => "grant_access_to_cf_agent",
      admit => { "$(sys.policy_hub)" };

    "$(sys.cf_runagent)"
      handle => "grant_access_to_cf_runagent",
      admit => { "$(sys.policy_hub)" };

roles:

}
```

On my host I'm running `sudo /var/cfengine/bin/cf-serverd -Fv` and I get this:

```
cf3> Listening for connections ...
cf3> -> Accepting a connection
cf3> Accepting connection from "****:****:****:****:216:3eff:fed5:f13"
cf3> New connection...(from ****:****:****:****:216:3eff:fed5:f13:sd 4)
cf3> Spawning new thread...
cf3> Allowing ****:****:****:****:216:3eff:fed5:f13 to connect without (re)checking ID
cf3> Non-verified Host ID is ********.digitalelf.net (Using skipverify)
cf3> Non-verified User ID seems to be root (Using skipverify)
cf3> -> Public key identity of host "****:****:****:****:216:3eff:fed5:f13" is "MD5=6a95ec17f5e5574d68f3fc8902033eae"
cf3> A public key was already known from ********.digitalelf.net/****:****:****:****:216:3eff:fed5:f13 - no trust required
cf3> Adding IP ****:****:****:****:216:3eff:fed5:f13 to SkipVerify - no need to check this if we have a key
cf3> The public key identity was confirmed as root@********.digitalelf.net
cf3> -> Strong authentication of client ********.digitalelf.net/****:****:****:****:216:3eff:fed5:f13 achieved
cf3> -> Receiving session key from client (size=256)...
cf3> User root granted connection privileges
cf3> Filename /var/cfengine/bin/cf-agent is resolved to /var/cfengine/bin/cf-agent
cf3> Host ********.digitalelf.net denied access to /var/cfengine/bin/cf-agent
cf3> Server refusal due to denied access to requested object
cf3> From (host=********.digitalelf.net,user=root,ip=****:****:****:****:216:3eff:fed5:f13)
cf3> REFUSAL of request from connecting host: (EXEC )^C
```

I've already worked through several errors to get to this point but now I'm completely stuck. Haven't I granted access to that exact object that I am being denied access to? (And I assure you the IP listed is correctly $(sys.policy_hub). I tried changing `admit` to the hostname, the IP, @(def.acl), and ".*".)

Either I'm missing something that should be obvious, making this work is far harder than it should be, or this is a bug. Does anybody have a working example of this?