On 12/23/2010 07:22 PM, Nicolas Charles wrote:
> Ha, I must have misunderstood something
> You should have a policy server, with a whole set of promises, which
> accept the connection for a client (and possibly trust its key)
> On the client, you should do the cf-runagent to accept the policy server key
> Or you could also copy the key, using the former key file name
> (root-ip.of.the.machine.pub), to the /var/cfengine/ppkeys

I have the policy server; what I am talking about is the minimum required to bootstrap a client. I have a failsafe.cf that does not have trustkey => "true"; in the body copy_from that copies the policy down, including promises.cf.

failsafe.cf can't copy the policy down without having the server's key. I can't get the key with cf-runagent unless I have the promises.cf (which I can't get without running failsafe.cf). See what I mean?

I'm new to cfengine and this confuses me. An automatic trust relationship between server and client seems like a bad idea. I like trust one way, then interactive the other seems ok. Of course it doesn't mass scale for spinning 1k new nodes today, but that isn't my typical use case. My typical is to provision one or two servers every so often.

-- 
Nick Anderson <n...@cmdln.org>
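
The out-of-band key copy suggested in the quoted message, written out as an added shell example that is not part of the original thread and not CFEngine's own tooling. The function name `install_server_key`, its arguments and the SHA-256 pinning step are assumptions; the `root-<ip>.pub` file name form and the `/var/cfengine/ppkeys` directory are the ones given in the thread, and whether a given CFEngine version expects that name is not confirmed here.

```shell
#!/bin/sh
# Added example (not from the thread): install a policy server's public key
# on a new client only after its digest matches one obtained out of band.
# Assumed names: install_server_key and its arguments are hypothetical.
# The file name form root-<ip>.pub is the one quoted in the thread.
#
# Usage: install_server_key KEYFILE SERVER_IP EXPECTED_SHA256 [PPKEYS_DIR]
# Returns 0 installed, 1 digest mismatch, 2 bad input/IO, 3 key conflict.
install_server_key() {
    keyfile=$1 server_ip=$2 expected=$3
    ppkeys=${4:-/var/cfengine/ppkeys}

    # Only address characters may reach the file name (no "/" etc.).
    case $server_ip in
        ''|*[!0-9A-Fa-f.:]*) echo "bad server address" >&2; return 2 ;;
    esac
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 2; }

    # Compare the digest of the file as received with the pinned value.
    actual=$(sha256sum "$keyfile" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch, key not installed" >&2
        return 1
    fi

    dest="$ppkeys/root-$server_ip.pub"
    # Never silently replace a different key that is already trusted.
    if [ -e "$dest" ] && ! cmp -s "$keyfile" "$dest"; then
        echo "$dest holds a different key, refusing to overwrite" >&2
        return 3
    fi

    mkdir -p "$ppkeys" || return 2
    # mktemp creates the file mode 0600; mv makes the install atomic.
    tmp=$(mktemp "$ppkeys/.newkey.XXXXXX") || return 2
    cp "$keyfile" "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
}
```

The expected digest has to come from a channel other than the one that delivered the key file (for example, read off the policy server's console), otherwise the check adds nothing over automatic trust.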