My master policy servers have multiple VLAN interfaces. I want to be able to grab data off of clients, so my clients also run cf-serverd. I lock down which machines they’ll accept connections from by IP address. So, I define a single address that my clients will accept connections from.
This means that my master policy servers are required to connect to clients using a specific interface. It can’t use any VLAN interface it wants... I attempt to set this using bindtointerface. In my promises.cf on my master policy servers, I have the below...

bundle common g
{
  # Define some global variables
  vars:
    "global_nic" string => execresult("/usr/bin/getent hosts `/bin/hostname` | awk '{print $1}'", "useshell");
}

body agent control
{
  # Bind to the global NIC on all inbound / outbound network i/o
  bindtointerface => "$(g.global_nic)";
}

Executing the above command returns the IP address of the interface I want to bind to.

# /usr/bin/getent hosts `/bin/hostname` | awk '{print $1}'
172.17.50.245

So that maps to the following VLAN interface on the master policy server:

# ifconfig e1000g750001
e1000g750001: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 172.17.50.245 netmask ffffff00 broadcast 172.17.50.255
        ether 0:14:4f:8d:97:ad

I noticed that my clients were rejecting connections from the master policy server. Putting cf-serverd into verbose mode, I’m seeing this...

(Network information for the client)

# ifconfig nge2
nge2: flags=1040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4> mtu 1500 index 2
        inet 172.17.74.172 netmask ffffff00 broadcast 172.17.74.255
        groupname primary
        ether 0:21:28:a2:47:6

# /var/cfengine/bin/cf-serverd -v
...
cf3> Summarize control promises
cf3> Granted access to paths :
cf3> Path: /var/cfengine/outgoing (encrypt=1)
cf3> Admit: 172\.17\..* root=
cf3> 172\.17\..*,
cf3> Path: /var/cfengine/bin/cf-agent (encrypt=0)
cf3> Admit: 172\.17\..* root=
cf3> 172\.17\..*,
cf3> Denied access to paths :
cf3> Path: /var/cfengine/outgoing
cf3> Path: /var/cfengine/bin/cf-agent
cf3> -> Host IPs allowed connection access :
cf3> .... IP: 172.17.50.245
cf3> Host IPs denied connection access :
cf3> Host IPs allowed multiple connection access :
cf3> .... IP: 172.17.50.245
cf3> Users from whom we accept connections :
cf3> .... USERS: root
cf3> Host IPs from NAT which we don't verify :
cf3> Dynamical Host IPs (e.g. DHCP) whose bindings could vary over time :
cf3> Listening for connections ...
cf3> -> Accepting a connection
cf3> Not allowing connection from non-authorized IP 172.17.74.245

So, bindtointerface really isn’t working here. My master policy server connected to a client on a different VLAN interface than what I instructed it to bind to. Why? Because it had a VLAN interface on the same subnet as this client. I suppose the operating system is getting in the way here. It's trying to not send packets out the default gateway and route them. Instead, it's sending traffic out the interface where both machines are on the same VLAN. My master policy server has a VLAN interface on this same subnet.

# ifconfig e1000g774001
e1000g774001: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 26
        inet 172.17.74.245 netmask ffffff00 broadcast 172.17.74.255
        ether 0:14:4f:8d:97:ad

Anyways, short of defining every single VLAN address in cf-serverd, does anyone have / can think of any workarounds? I don’t want to have to modify cf-serverd.cf on every client and bounce the daemon every time a new VLAN is introduced on my master policy servers, but it seems that there’s no way that I can think of forcing outbound Cfengine traffic / requests through a single interface when other interfaces exist on the same subnet.

Thanks
Mike
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
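An added example, not code from the post or from CFEngine, that reproduces the failure the post describes before the daemon is touched: it parses the two master-server interfaces quoted above (Solaris ifconfig format with hex netmasks), applies the routing rule the post identifies as an assumed simplification (a directly connected subnet beats the default route, longest prefix wins), and checks the source address that results against a client's allowconnects list, modelled here as anchored regexes like the `Admit: 172\.17\..*` lines in the verbose output. Interface names and addresses are the post's; `egress_source`, `client_admits` and `check_client` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample input: the two master-policy-server VLAN interfaces quoted in the post,
# in Solaris ifconfig format (hex netmask). The client in the post lives on 172.17.74.0/24.
IFCONFIG_SAMPLE = """\
e1000g750001: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 172.17.50.245 netmask ffffff00 broadcast 172.17.50.255
e1000g774001: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 26
        inet 172.17.74.245 netmask ffffff00 broadcast 172.17.74.255
"""


def parse_ifconfig(text):
    """Return {interface name: IPv4Interface} from Solaris-style ifconfig output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():            # "name: flags=..." header line
            current = line.split(":", 1)[0]
        elif current and line.split()[:1] == ["inet"]:
            fields = line.split()
            addr = fields[fields.index("inet") + 1]
            # hex netmask (ffffff00) -> dotted quad (255.255.255.0)
            mask = ipaddress.IPv4Address(int(fields[fields.index("netmask") + 1], 16))
            ifaces[current] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def egress_source(ifaces, dest, default_iface):
    """Source address the kernel will use for dest under the assumed routing model:
    a directly connected subnet wins over the default route, longest prefix first."""
    dest = ipaddress.IPv4Address(dest)
    connected = [itf for itf in ifaces.values() if dest in itf.network]
    if not connected:
        return str(ifaces[default_iface].ip)
    return str(max(connected, key=lambda itf: itf.network.prefixlen).ip)


def client_admits(source_ip, allowconnects):
    """Simplified model of the client's cf-serverd allowconnects check:
    each entry is treated as an anchored regular expression."""
    return any(re.fullmatch(pattern, source_ip) for pattern in allowconnects)


def check_client(ifaces, client_ip, global_nic_iface, allowconnects):
    """Return (source address the master really uses, whether the client admits it)."""
    src = egress_source(ifaces, client_ip, global_nic_iface)
    return src, client_admits(src, allowconnects)


if __name__ == "__main__":
    ifaces = parse_ifconfig(IFCONFIG_SAMPLE)
    # The post's setup: the client admits only the master's global_nic address.
    print(check_client(ifaces, "172.17.74.172", "e1000g750001", ["172.17.50.245"]))
    # The workaround the post mentions: admit every master interface address.
    print(check_client(ifaces, "172.17.74.172", "e1000g750001", [str(i.ip) for i in ifaces.values()]))
```

Feeding a real `ifconfig -a` dump and the client's allowconnects list into `check_client` shows, per client, which master address will actually arrive and whether it would be rejected, so new VLANs can be checked before a rejected connection shows up in the verbose log.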