Forum: Cfengine Help
Subject: REFUSAL of request from connecting host: (SYNCH
Author: bglomm
Link to topic: https://cfengine.com/forum/read.php?3,17872,17872#msg-17872
Hello,

I'm a "re-newbie" to cfengine; in 2005 I worked with cfengine2. Now I'm quite impressed with the new style and power. Although I happily managed to edit files, I'm struggling with the key feature, COPYING files... (even those for the update)

I would like to have my masterfiles in /srv/cfengine/masterfiles/inputs on my test server "ping0server", and in the update those files should be copied to /var/lib/cfengine/inputs, which is where cfengine lives in the Debian world... This should also work on the server itself, but I tried it with another client and ran into the same problem: the server refuses access to the masterfile directory (yes! it exists and is populated with my "masterfiles", which are at the moment a copy of the set in /var/lib/cfengine/inputs with just a commented-out tag to verify a successful update). I looked in every corner I could think of (logfiles, the debug output), but I can't see a mistake... Does anybody have a hint for me???

TIA
Bernhard

Here is what I do and get... I want to focus just on my server first, so I started cf-serverd, then cf-agent, and checked the output:

So with cf-serverd running and "waiting at incoming select..." I started:

:~# cf-agent -vKI

I got

...snipp...
cf3 -> Handling file existence constraints on /var/lib/cfengine/inputs/failsafe.cf
cf3 -> File permissions on /var/lib/cfengine/inputs/failsafe.cf as promised
cf3 -> Copy file /var/lib/cfengine/inputs from /srv/cfengine/masterfiles/inputs check
cf3 No existing connection to 10.0.6.116 is established...
cf3 Set cfengine port number to 5308 = 5308
cf3 -> Connect to 10.0.6.116 = 10.0.6.116 on port 5308
cf3 LastSaw host 10.0.6.116 now
cf3 skipidentify was promised, so we are trusting and simply announcing the identity as (ping0server.kinemathek.de) for this host
cf3 Loaded /var/lib/cfengine3/ppkeys/root-10.0.6.116.pub
cf3 .....................[.h.a.i.l.].................................
cf3 Strong authentication of server=10.0.6.116 connection confirmed
cf3 Server returned error: Unspecified server refusal (see verbose server output)
cf3 Can't stat /srv/cfengine/masterfiles/inputs in files.copyfrom promise
...snapp...

while having cf-serverd started before with

:~# cf-serverd -v -IF --no-lock

I got

...snipp...
cf3
cf3 Summarize control promises
cf3 -> Host IPs allowed connection access :
cf3 .... IP: 10.*
cf3 Host IPs denied connection access :
cf3 Host IPs allowed multiple connection access :
cf3 .... IP: 10.*
cf3 Host IPs from whom we shall accept public keys on trust :
cf3 .... IP: 10.*
cf3 Users from whom we accept connections :
cf3 .... USERS: root
cf3 Host IPs from NAT which we don't verify :
cf3 .... IP: 10.*
cf3 Dynamical Host IPs (e.g. DHCP) whose bindings could vary over time :
cf3 Listening for connections ...
cf3 -> No new promises found
cf3 -> Waiting at incoming select...
cf3 -> Accepting a connection
cf3 Accepting connection from "10.0.6.116"
cf3 New connection...(from 10.0.6.116/4)
cf3 Spawning new thread...
cf3 -> No new promises found
cf3 -> Waiting at incoming select...
cf3 Received: on socket 4
cf3 Allowing 10.0.6.116 to connect without (re)checking ID
cf3 Non-verified Host ID is ping0server.kinemathek.de (Using skipverify)
cf3 Non-verified User ID seems to be root (Using skipverify)
cf3 LastSaw host ping0server.kinemathek.de now
cf3 Received: on socket 4
cf3 Loaded /var/lib/cfengine3/ppkeys/root-10.0.6.116.pub
cf3 A public key was already known from ping0server.kinemathek.de/10.0.6.116 - no trust required
cf3 Adding IP 10.0.6.116 to SkipVerify - no need to check this if we have a key
cf3 The public key identity was confirmed as [email protected]
cf3 Strong authentication of client ping0server.kinemathek.de/10.0.6.116 achieved
cf3 -> Receiving session key from client (size=256)...
cf3 Received: on socket 4
cf3 Host ping0server.kinemathek.de denied access to /srv/cfengine/masterfiles/inputs
cf3 Access control in sync
cf3 From (host=ping0server.kinemathek.de,user=root,ip=10.0.6.116)
cf3 REFUSAL of request from connecting host: (SYNCH 1281452209 STAT /srv/cfengine/masterfiles/inputs)
...snapp...

Configuration:
The system is Debian squeeze, up to date as of today (2010-aug-10). I installed cfengine3 from the repository, so the cfengine version is "core community version 3.0.5". ipaddr=10.0.6.116/8, test configuration.

Here are the relevant (as far as I understand) config files:

#######################################################
#######################################################
#
# promises.cf
#
#######################################################
body common control
{
  version => "0.2";
  bundlesequence => { "update", "server", "executor", "garbage_collection", "main", "cfengine", "maintain_sshd_config" };
  inputs => { "cf-serverd.cf", "update.cf", "cf-execd.cf", "cfengine_stdlib.cf", "library.cf", "variables.cf", "site.cf", "zone_1.cf" };
  require_comments => "true";
}
#######################################################
bundle agent globalset
{
vars:
  #"masterfiles" string => "/srv/cfengine";
  #"inputs" string => "$(masterfiles)/masterfiles/inputs";
  "inputs" string => "/srv/cfengine/masterfiles/inputs";
  "workdir" string => "/var/lib/cfengine";
  "cfmaster" string => "10.0.6.116";
}
#######################################################
body agent control
{
  # if default runtime is 5 mins we need this for long jobs
  ifelapsed => "1";
  skipidentify => "true";
}
#######################################################
body monitor control
{
  forgetrate => "0.7";
  histograms => "true";
}
#######################################################
#######################################################

#######################################################
#######################################################
#
# failsafe.cf
#
#######################################################
body common control
{
  bundlesequence => { "update" };
  inputs => { "update.cf" };
}
######################################################
######################################################

#########################################################
#########################################################
#
# update.cf
#
#########################################################
bundle agent update
{
vars:
  #"masterfiles" string => "/srv/cfengine";
  #"inputs" string => "${masterfiles}/masterfiles/inputs";
  "inputs" string => "/srv/cfengine/masterfiles/inputs";
  "cfmaster" string => "10.0.6.116";

files:
  "/var/lib/cfengine3/."
    comment => "Make sure the cfengine dir exist with correct rights",
    perms => u_p("0700"),
    create => "true";

  "/var/lib/cfengine3/bin/."
    comment => "Make sure the cfengines bin dir exist with correct rights",
    perms => u_p("0700"),
    create => "true";

  "/var/lib/cfengine3/ppkeys/."
    comment => "Make sure the cfengines ppkeys dir exist with correct rights",
    perms => u_p("0700"),
    create => "true";

  "/var/lib/cfengine/inputs"
    comment => "Copy new policies from the cfmaster server",
    perms => u_p("0600"),
    copy_from => mycopy("${inputs}"),
    depth_search => udepth("9"),
    action => immediate;
}
#########################################################
body depth_search udepth(d)
{
  depth => "${d}";
}
#########################################################
body perms u_p(p)
{
  mode => "${p}";
  owners => { "root" };
  groups => { "root" };
}
#########################################################
body copy_from mycopy(from)
{
  source => "${from}";
  servers => { "${cfmaster}" };
  compare => "digest";
  verify => "true";
  purge => "true";
  trustkey => "true";
}
#########################################################
#########################################################

#######################################################
#######################################################
#
# cf-serverd.cf
#
#######################################################
body server control
{
  skipverify => { "10.*" };
  allowconnects => { "10.*" };
  allowallconnects => { "10.*" };
  trustkeysfrom => { "10.*" };
  bindtointerface => "10.0.6.116";
  serverfacility => LOG_USER;
  maxconnections => "10";
  logallconnections => "true";
  allowusers => { "root" };
  port => "5308";
  cfruncommand => "/usr/sbin/cf-agent -f failsafe.cf && /usr/sbin/cf-agent";
}
#######################################################
bundle agent server
{
processes:
  "cf-serverd"
    restart_class => "start_cf_serverd",
    comment => "bundle agent server check if cf-server is running";

commands:
  start_cf_serverd::
    "/usr/sbin/cf-serverd",
      comment => "bundle agent server restarted the cf-server";
}
#######################################################
bundle server access_rules
{
access:
  "${globalset.inputs}/"
    admit => { "10.*" },
    comment => "Access rules to the masterfiles. All hosts on subnet are allowed";

  "/usr/sbin/cf-agent"
    admit => { "${globalset.cfmaster}" },
    comment => "Access rules for cf-agent. Only the cfmaster is allowed";

roles:
  ".*"
    authorize => { "root" },
    comment => "It must be root who maintains cfengine";
}
#######################################################
body runagent control
{
  hosts => { "${globalset.cfmaster}" };
}
#######################################################
#######################################################

_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
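Editor's added example, not part of bglomm's post and not code shipped with CFEngine: a cf-serverd.cf in the same shape as the one above, written the way a practitioner would harden it. Two points it demonstrates. First, cf-serverd evaluates only common and server bundles, so a variable declared in a "bundle agent" (like globalset.inputs above) is not expanded when the server builds its access table; the path is therefore declared in a "bundle common". Second, skipverify, allowconnects and trustkeysfrom set to 10.* accept connections and unknown public keys from an entire /8, which is trust-on-first-use for every host in that range; the lists here are narrowed to one client subnet. The host 10.0.6.116, the subnet 10.0.6.0/24, the paths and the bundle name "g" are assumptions. The ifencrypted constraint only works if the client's copy_from body also sets encrypt => "true" (the mycopy body above does not).

```cfengine
#######################################################
#
# cf-serverd.cf (editor's example; paths, hosts and subnet are assumptions)
#
#######################################################
# cf-serverd reads common and server bundles only, so shared
# variables that the access rules need must live in a bundle common.
bundle common g
{
vars:
  "masterfiles" string => "/srv/cfengine/masterfiles/inputs";
  "cfmaster"    string => "10.0.6.116";
}
#######################################################
body server control
{
  # Which hosts may open a connection at all, and how many at once.
  allowconnects     => { "10.0.6.0/24" };
  allowallconnects  => { "10.0.6.0/24" };

  # Hosts whose public key is accepted on trust the first time they connect.
  # Keep this to the subnet being bootstrapped, and empty it once every
  # client's key is present in ppkeys/ so later keys are not auto-trusted.
  trustkeysfrom     => { "10.0.6.0/24" };

  # No skipverify: cf-serverd cross-checks the peer's forward and reverse DNS.

  allowusers        => { "root" };
  bindtointerface   => "$(g.cfmaster)";
  port              => "5308";
  maxconnections    => "10";
  logallconnections => "true";
  serverfacility    => LOG_USER;
  cfruncommand      => "/usr/sbin/cf-agent -f failsafe.cf && /usr/sbin/cf-agent";
}
#######################################################
bundle server access_rules
{
access:
  # Literal path is what appears in the client's STAT request; no trailing slash.
  "$(g.masterfiles)"
    admit       => { "10.0.6.0/24" },
    ifencrypted => "true",
    comment     => "Policy distribution: clients on the admin subnet only";

  "/usr/sbin/cf-agent"
    admit   => { "$(g.cfmaster)" },
    comment => "cf-runagent may only be driven from the policy server";

roles:
  ".*"
    authorize => { "root" },
    comment   => "Only root may trigger remote agent runs";
}
#######################################################
body runagent control
{
  hosts => { "$(g.cfmaster)" };
}
```

To check the result, start the server as in the post (cf-serverd -v -IF --no-lock) and read the "Summarize control promises" block: the allowed and trusted IP lists should now show the subnet rather than 10.*, and a client request for /srv/cfengine/masterfiles/inputs should no longer produce the "denied access to ..." and "REFUSAL of request" lines.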
