Hi Guido,

On Wed 09 Aug 2023 13:17:03 CEST, Guido Berhoerster wrote:

On Thu, 20 Jul 2023 11:25:09 +0200 Guido Berhoerster <gu...@berhoerster.name> wrote:
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs'
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 121
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Errors encountered when actuating files promise '/var/lib/cfengine3/inputs'
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: error: ::1> SSL_write: underlying network error (Broken pipe)
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> SSL_write: underlying network error (Broken pipe)
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Connection was hung up!
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Connection was hung up!
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/modules'
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 130
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Errors encountered when actuating files promise '/var/lib/cfengine3/modules'
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: error: ::1> SSL_write: underlying network error (Broken pipe)
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> SSL_write: underlying network error (Broken pipe)
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Connection was hung up!
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Connection was hung up!
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: error: ::1> Connection was hung up while receiving line:
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Connection was hung up while receiving line:
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Client closed connection early! He probably does not trust our key...
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Client closed connection early! He probably does not trust our key...
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs'
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 144
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Comment is 'If we failed to fetch policy we try again using the legacy default in case we are fetching policy from a hub that is not serving mastefiles via a shortcut.'
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Errors encountered when actuating files promise '/var/lib/cfengine3/inputs'
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Method 'failsafe_cfe_internal_update' failed in some repairs
Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs/cf_promises_validated'
Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) Promise belongs to bundle 'cfe_internal_update_policy_cpv' in file '/var/lib/cfengine3/inputs/cfe_internal/update/update_policy.cf' near line 229
Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) Comment is 'Check whether a validation stamp is available for a new policy update to reduce the distributed load'


The untrusted server key issue can be fixed by following the procedure on
manually establishing trust described in
https://cfengine.com/blog/2015/securely-deploying-cfengine-on-untrusted-networks/#on-each-client-we-deploy

However, checking back on bullseye, this error does not show up because cf-execd
and other daemons are not running; the init script looks at
/etc/default/cfengine3, where by default everything is disabled.

So I suppose the solution is to simply not enable the systemd services by
default.

--
Guido Berhoerster

Indeed, cfengine3 for Debian Edu is only designed to be used for post-install adjustments, not for regular / continuous config management.

So, disabling the cfagent (cf-execd) service should be the way to go (we won't lose functionality compared to previous Debian Edu versions), the cf-agent run should happen only based on the local configuration files shipped by debian-edu-config.


Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
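
An added example, not part of the original thread: a small Python triage script for journal output like the log quoted above. It groups cf-agent TRUST FAILED events by the presented key digest and records which promise targets each failed fetch affected. The function and variable names are hypothetical; the sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict

TS = r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d"
# One syslog entry; entries may be run together on a single line, so the
# message is matched lazily up to the next timestamp or the end of input.
ENTRY = re.compile(
    rf"{TS} (?P<host>\S+) (?P<prog>cf-[a-z]+)\[(?P<pid>\d+)\]: "
    rf"(?P<msg>.*?)(?=\s*(?:{TS} \S+ cf-|$))",
    re.S,
)
TRUST = re.compile(r"TRUST FAILED, server presented untrusted key: (?P<digest>\S+)")
TARGET = re.compile(r"No suitable server found for '(?P<path>[^']+)'")

# Sample lines taken from the log quoted in the thread (first two run together).
SAMPLE = (
    "Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, "
    "server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277 "
    "Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) "
    "No suitable server found for '/var/lib/cfengine3/inputs'\n"
    "Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Connection was hung up!\n"
    "Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) TRUST FAILED, "
    "server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277\n"
    "Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) "
    "No suitable server found for '/var/lib/cfengine3/inputs/cf_promises_validated'\n"
)

def trust_failures(text):
    """Return {key digest: {"count": n, "targets": set of promise paths}}."""
    report = defaultdict(lambda: {"count": 0, "targets": set()})
    pending = {}  # (host, agent pid) -> digest of its latest trust failure
    for m in ENTRY.finditer(text):
        if m["prog"] != "cf-agent":
            continue  # cf-serverd lines only echo the hang-up
        key = (m["host"], m["pid"])
        if t := TRUST.search(m["msg"]):
            report[t["digest"]]["count"] += 1
            pending[key] = t["digest"]
        elif (n := TARGET.search(m["msg"])) and key in pending:
            # The agent names the path it could not fetch right after the failure.
            report[pending.pop(key)]["targets"].add(n["path"])
    return dict(report)

if __name__ == "__main__":
    for digest, info in trust_failures(SAMPLE).items():
        print(digest, info["count"], sorted(info["targets"]))
```

A single digest across all failures, as in this log, points at one untrusted server key rather than several different peers.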
