Cfengine client not updating
Bootstrapping is done by running cf-agent on the managed server with the --bootstrap (-B) switch, with the IP address of the policy server as the argument. Running cf-agent with the --bootstrap (-B) switch is saying “yes” to the SSH-like question, “I haven’t seen the other server before, are you sure you want to accept its key and connect?” After exchanging keys (which are stored in /var/cfengine/ppkeys), the managed node records the hub’s address, and the hub records the managed node’s address, so that the managed node can download policy updates from the hub and the hub can download reports from the managed node.
The managed nodes pull policy from the policy server. The CFEngine component that handles inter-node communication is cf-serverd. That’s the part of CFEngine that listens on a TCP socket (cfengine/5308) for incoming connections.
I strongly recommend that you also install the containing the actions to be conducted upon each of the hosts we manage.
Each managed client will retrieve this rule file and then execute the rules locally.
This simplifies the description of the setup enormously; but it does weaken security.
    #
    tidy:
        /tmp pattern=* age=$(maxage) recurse=inf
        /home pattern=*~ age=$(maxage) recurse=inf

    directories:
        /tmp mode=1777 owner=root group=root

    resolve:
        "search my.flat"
        192.168.1.1
        "# Edit with cfengine"

    #
    # /etc/cfengine/- for the server
    control:
        domain = ( )
        TrustKeysFrom = ( 192.168.1.0/24 )
        AllowUsers = ( root )

      any::
        IfElapsed = ( 0 )
        ExpireAfter = ( 15 )
        MaxConnections = ( 50 )
        MultipleConnections = ( true )

    grant:
        # Grant access to all hosts in
        /var/lib/cfengine2/masterfiles/inputs *flat

    #
    # /etc/cfengine/- for the clients
    #
    control:
        actionsequence = ( copy )
        domain = ( )
        policyhost = ( flat )
        # smtpserver = ( smtp.)
        # sysadm = ( [email protected])
        master_cfinput = ( /var/lib/cfengine2/masterfiles/inputs )
        repository = ( /var/lib/cfengine2/outputs )

    #
    # Download the most recent 'cfagent.conf' file from the
    # server, and install it to /etc/cfengine
    #
    copy:
        $(master_cfinput)/ dest=/etc/cfengine/ mode=600
            server=$(policyhost) force=true trustkey=true

    #
    # /etc/cfengine/for the clients
    #
    control:
        domain = ( )
        AllowConnectionsFrom = ( 192.168.1.0/24 )
        TrustKeysFrom = ( 192.168.1.0/24 )
        cfrunCommand = ( "/usr/sbin/cfagent" )
        AllowUsers = ( root )
        LogAllConnections = ( true )
        IfElapsed = ( 1 )
        ExpireAfter = ( 15 )
        MaxConnections = ( 50 )
        MultipleConnections = ( true )

    grant:
        /usr/sbin/cfagent *flat

    [email protected]:~# ls -l /var/lib/cfengine2/ppkeys/
    total 12
    -rw------- 1 root root 1743 2005-08-22
    -rw------- 1 root root 426 2005-08-22
    -rw-r--r-- 1 root root 426 2005-08-22

    [email protected]:~# cfrun flat
    cfrun(0): ..........
    cfengine:: Update of image /etc/cfengine/from master /var/lib/cfengine2/masterfiles/inputs/on flat
    cfengine:: Moved /etc/cfengine/cfsaved to repository location /var/lib/cfengine2/outputs/_etc_cfengine_cfsaved
    cfengine:scratchy: Object /etc/gshadow had permission 0, changed it to 640

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I finally got cfengine going after reading the article, thanks.
However, due partly to misleading error messages and a lack of good discussion, this is a common stumbling point.
As the communication is key to getting something working, if you don't manage to get the keys set up correctly you'll not get anything working.
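An added example (not part of the original article or of cfengine itself): a small Python check that reads cfengine 2 style configuration text and reports the two settings in the files above that accept an unseen peer's key on trust, trustkey=true in a copy stanza and a multi-address TrustKeysFrom list. The sample text is constructed, and the function and variable names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, modelled on the client and server files shown above.
SAMPLE = """\
control:
   TrustKeysFrom = ( 192.168.1.0/24 )
   AllowUsers = ( root )
copy:
   $(master_cfinput)/ dest=/etc/cfengine/ mode=600
      server=$(policyhost) force=true trustkey=true
"""

TRUST_LIST_RE = re.compile(r"^\s*TrustKeysFrom\s*=\s*\(([^)]*)\)", re.M)
TRUSTKEY_RE = re.compile(r"\btrustkey\s*=\s*(true|on)\b", re.I)


def strip_comments(text):
    """Drop '#' comments so commented-out settings are not reported.
    Line count is preserved; '#' inside quoted strings is also cut,
    which does not affect the two settings checked here."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def audit_trust(text):
    """Return (setting, detail) findings about keys accepted on trust."""
    findings = []
    body = strip_comments(text)
    for values in TRUST_LIST_RE.findall(body):
        for item in values.split():
            try:
                net = ipaddress.ip_network(item, strict=False)
            except ValueError:
                # Hostname patterns and address ranges need a human look.
                findings.append(("TrustKeysFrom", f"{item}: review by hand"))
                continue
            if net.num_addresses > 1:
                findings.append(("TrustKeysFrom",
                                 f"{net}: {net.num_addresses} addresses trusted"))
    for match in TRUSTKEY_RE.finditer(body):
        line_no = body.count("\n", 0, match.start()) + 1
        findings.append(("trustkey", f"line {line_no}: key accepted unverified"))
    return findings


if __name__ == "__main__":
    for setting, detail in audit_trust(SAMPLE):
        print(f"{setting}: {detail}")
```
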