Forum: Cfengine Help Subject: Upgrading MPS to 3.1.4, cf-serverd starts refusing clients? Author: msvob...@linkedin.com Link to topic: https://cfengine.com/forum/read.php?3,20488,20488#msg-20488
I'm in the process of upgrading my infrastructure to 3.1.4, and ran into a weird issue once the MPS was updated. Here's my cf-serverd.cf for this specific MPS.

    body server control
    {
        hostnamekeys      => "true";
        allowconnects     => { "172.17.54.0/24" };
        allowallconnects  => { "172.17.54.0/24" };
        trustkeysfrom     => { "172.17.54.0/24" };
        logallconnections => "true";
        maxconnections    => "1000";
        bindtointerface   => "172.17.54.61";
        allowusers        => { "root" };
        cfruncommand      => "/var/cfengine/bin/cf-agent -f failsafe.cf && /var/cfengine/bin/cf-agent";
    }

    ###################################################################

    bundle server access_rules
    {
    access:
        # Admit clients to access /var/cfengine/masterfiles only under an encrypted session.
        # Allow clients to map as the root user -- being able to pull files from the master policy server
        # even if the file is not owned by root.
        # The specific VLANs which we accept traffic from are more restrictive above. If you're not in one of the VLANs
        # above, you won't get here.
        "${g.masterfiles}"
            admit       => { "172\.17\..*" },
            ifencrypted => "true",
            maproot     => { "172\.17\..*" };
    }

    ###################################################################

    body runagent control
    {
        hosts          => { "172.17.54.61" };
        port           => "5308";
        output_to_file => "true";
    }

When I execute from the client, it doesn't appear as if I've hit any error. The key exchange works fine. cf-serverd does start complaining about access rules?

    (client) # /var/cfengine/bin/cf-agent -I -K -f failsafe.cf

Running cf-serverd in verbose mode, here's what I see:

    community> -> Accepting a connection
    community> Accepting connection from "172.17.54.33"
    community> New connection...(from 172.17.54.33:sd 5)
    community> Spawning new thread...
    community> >> Detected change in /var/cfengine/inputs
    community> -> Quick search detected file changes
    community> -> New promises detected...
    community> -> Verifying the syntax of the inputs...
    community> Allowing 172.17.54.33 to connect without (re)checking ID
    community> Non-verified Host ID is ech3-pxy02.prod (Using skipverify)
    community> Non-verified User ID seems to be root (Using skipverify)
    community> -> Public key identity of host "172.17.54.33" is "MD5=e39d52a1de3739a50ee1c866b6e165bf"
    community> -> Last saw 172.17.54.33 (-MD5=e39d52a1de3739a50ee1c866b6e165bf) first time now
    community> -> Going to secondary storage for key
    community> -> Going to secondary storage for key
    community> A public key was already known from ech3-pxy02.prod/172.17.54.33 - no trust required
    community> Adding IP 172.17.54.33 to SkipVerify - no need to check this if we have a key
    community> The public key identity was confirmed as r...@ech3-pxy02.prod
    community> -> Strong authentication of client ech3-pxy02.prod/172.17.54.33 achieved
    community> -> Receiving session key from client (size=256)...
    community> Found a matching rule in access list (/var/cfengine/masterfiles/generic_cf-agent_policies in /var/cfengine/masterfiles)
    community> Mapping root privileges to access non-root files
    community> Host ech3-pxy02.prod granted access to /var/cfengine/masterfiles/generic_cf-agent_policies
    community> Found a matching rule in access list (/var/cfengine/masterfiles/generic_cf-agent_policies in /var/cfengine/masterfiles)
    community> Mapping root privileges to access non-root files
    ..... ... ..... .....
    community> cf-serverd access list is empty, no files are visible
    community> Access control in sync
    community> From (host=ech3-pxy02.prod,user=root,ip=172.17.54.33)
    community> REFUSAL of request from connecting host: (SYNCH 1296917313 STAT /var/cfengine/masterfiles/generic_cf-agent_policies/config-general/check_postfix_aliases)
    community> cf-serverd access list is empty, no files are visible
    community> Access control in sync
    community> From (host=ech3-pxy02.prod,user=root,ip=172.17.54.33)
    community> REFUSAL of request from connecting host: (SYNCH 1296917313 STAT /var/cfengine/masterfiles/generic_cf-agent_policies/config-general/cfengine_automated_execution)
    community> cf-serverd access list is empty, no files are visible
    community> Access control in sync
    community> From (host=ech3-pxy02.prod,user=root,ip=172.17.54.33)
    community> REFUSAL of request from connecting host: (SYNCH 1296917313 STAT /var/cfengine/masterfiles/generic_cf-agent_policies/config-general/check_postfix_master)

Anyone have a clue? Why is it complaining that the access list is empty and no files are visible? The cf-serverd.cf config up there works against 3.0.5p1. I've tried replacing "${g.masterfiles}" with /var/cfengine/masterfiles, thinking that the variable in the access rules was somehow breaking things, with no luck.

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
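A triage helper for verbose cf-serverd output of the kind quoted in the post above, added here as an example and not part of the original post or of CFEngine itself: it pulls each client's key fingerprint, the paths cf-serverd reports as granted, and the REFUSAL lines, then flags refusals for paths below a directory the same host was already granted, which separates an access-list problem from an authentication one. The sample log is constructed in the shape of the lines above; the regexes assume that exact message wording.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the verbose cf-serverd output quoted in the post above.
SAMPLE_LOG = """\
community> -> Public key identity of host "172.17.54.33" is "MD5=e39d52a1de3739a50ee1c866b6e165bf"
community> -> Strong authentication of client ech3-pxy02.prod/172.17.54.33 achieved
community> Host ech3-pxy02.prod granted access to /var/cfengine/masterfiles/generic_cf-agent_policies
community> cf-serverd access list is empty, no files are visible
community> From (host=ech3-pxy02.prod,user=root,ip=172.17.54.33)
community> REFUSAL of request from connecting host: (SYNCH 1296917313 STAT /var/cfengine/masterfiles/generic_cf-agent_policies/config-general/check_postfix_aliases)
community> From (host=ech3-pxy02.prod,user=root,ip=172.17.54.33)
community> REFUSAL of request from connecting host: (SYNCH 1296917313 STAT /var/cfengine/masterfiles/generic_cf-agent_policies/config-general/check_postfix_master)
"""

RE_KEY = re.compile(r'Public key identity of host "([^"]+)" is "([^"]+)"')
RE_GRANT = re.compile(r'Host (\S+) granted access to (\S+)')
RE_FROM = re.compile(r'From \(host=([^,]+),user=([^,]+),ip=([^)]+)\)')
RE_REFUSAL = re.compile(r'REFUSAL of request from connecting host: \((\S+) (\d+) (\S+) (\S+)\)')


def summarize(log_text):
    """Per-host key fingerprints, granted paths and refused (op, path) pairs from verbose output."""
    keys, granted, refused = {}, defaultdict(set), defaultdict(list)
    current = None  # (host, user, ip) from the most recent "From (...)" line
    for line in log_text.splitlines():
        if m := RE_KEY.search(line):
            keys[m.group(1)] = m.group(2)          # ip -> fingerprint presented by the client
        elif m := RE_GRANT.search(line):
            granted[m.group(1)].add(m.group(2))    # host -> paths cf-serverd said it granted
        elif m := RE_FROM.search(line):
            current = m.groups()                   # attribute following REFUSAL lines to this host
        elif m := RE_REFUSAL.search(line):
            host = current[0] if current else "unknown"
            refused[host].append((m.group(3), m.group(4)))   # (operation, path)
    return {"keys": keys, "granted": dict(granted), "refused": dict(refused)}


def refused_under_grant(summary):
    """Refusals whose path lies below a directory the same host was already granted."""
    hits = []
    for host, reqs in summary["refused"].items():
        prefixes = summary["granted"].get(host, set())
        for op, path in reqs:
            if any(path.startswith(p.rstrip("/") + "/") for p in prefixes):
                hits.append((host, op, path))
    return hits
```

Feed real output through `summarize()` and then `refused_under_grant()`; a non-empty result means the client authenticated and matched a rule, yet the per-file access check still failed, so the access list evaluation is where to look.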