Re: [SAGE] cfengine install help?
On Mon, 12 Apr 2004, Mark C. Langston wrote:
> Hi all -
Hi Mark, hope this helps.
> 1) I know I need to manually execute cfenvd and cfkey on each client.
> Must I transfer /var/cfengine/inputs/* manually as well?
All you need is update.conf, included with your distribution.
update.conf always runs first thing upon cfagent invocation, and
therefore ought to include something like:
## BEGIN update.conf
control:
    actionsequence = ( copy )
    master_cfinput = ( /local/cfengine2/inputs )
    workdir        = ( /var/cfengine )
    policyhost     = ( masterserver.domain.com )

copy:
    $(master_cfinput)  dest=$(workdir)/inputs
                       recurse=10
                       server=$(policyhost)
                       trustkey=true
## END update.conf
Your mail suggested you have post-installation-type actions in
update.conf, which is OK, but those things are doable in normal
config files too, whereas update.conf is the only place it makes
sense to download the latest copy of the inputs directory.
> 2) According to what little I can find about it, cfengine 2.x is
> supposed to take care of the key transfer between client and host
> automagically.
The public-key transfer happens automatically, like an SSL session key
gets generated automatically. Whether each side decides to allow the
other's key to do anything useful depends on the trust settings.
> The client accepts the host's public key (per the
> directive in cfagent.conf, and per the permissions in cfservd.conf), but
> cfagent always gives "cfengine:: Server returned error: Host
> authentication failed. " when attempting to transfer files from server
> to client. It's very much not a name resolution error, cfservd is
> running on the server, and the pub/priv keys have been generated on both
> the server and client in question.
This is likely due to confusion in cfservd.conf on the server.
Here's mine, with caveats post-fix.
## BEGIN cfservd.conf
groups:
    # these are hostnames (==always-defined classes) of the servers, for
    # conditional
    cfservers = ( masterserver testserver )

control:
    domain = ( domain.com )

    any::
        IfElapsed = ( 1 )
        # These are the IPs of masterserver/testserver - enables 'cfrun'
        TrustKeysFrom = ( 10.0.0.20 10.0.0.30 )

    cfservers::
        MaxConnections = ( 100 )
        # NB security warning - this is a big convenience tradeoff!
        TrustKeysFrom = ( 10.0.0.0/8 )
        DynamicAddresses = ( 10.0.0.0/8 )
        DenyBadClocks = ( false )

admit:   # or grant:
    cfservers::
        /export/home/local/cfengine2/dist    *
        /export/home/local/cfengine2/inputs  *
    any::
        /   masterserver.domain.com testserver.domain.com
## END cfservd.conf
The convenience tradeoff here is that you don't need to out-of-band slurp
keys from the clients back up to the master servers in order for cfengine
to work. The security you trade is that your servers no longer care who
talks to them. This may or may not matter to you; there was a big thread
about this in Feb 2004 on the list, originally titled "Bootstrapping".
Google Groups: http://snipurl.com/5nw9
If you choose not to TrustKeysFrom your client IPs on the server, you'll
have to get the pubkey from the client's 'cfkey' run back into the
server somehow.
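Added example (not from Eric's mail, and not part of cfengine itself): a small
POSIX sh helper for the "somehow" above, i.e. the out-of-band step that the
blanket TrustKeysFrom line skips. It takes a copy of a client's cfkey-generated
public key and installs it on the policy server under the name cfservd looks
for, so that one client is admitted without trusting an entire /8. It assumes
cfengine 2's key layout as I recall it, which the mail does not state: cfkey
writes the client's own key as $(workdir)/ppkeys/localhost.pub in "RSA PUBLIC
KEY" PEM form, and cfservd looks up a peer's key as
$(workdir)/ppkeys/root-<client-ip>.pub. The sample key material in the usage
line is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the mail or the cfengine project: install a client's
# cfkey-generated public key on the policy server so cfservd will admit that
# client without a blanket TrustKeysFrom.
#
# Assumptions (cfengine 2 conventions as recalled, not stated in the mail):
#   - cfkey writes the client key as $(workdir)/ppkeys/localhost.pub,
#     PEM-armoured as "RSA PUBLIC KEY"
#   - cfservd looks a peer up as $(workdir)/ppkeys/root-<client-ip>.pub

PPKEYS_DIR="${PPKEYS_DIR:-/var/cfengine/ppkeys}"

# valid_ipv4 <string>: true for a dotted quad with four octets in 0..255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i == "" || $i > 255) exit 1 }'
}

# looks_like_cfkey_pub <file>: first and last lines carry the PEM armour cfkey writes
looks_like_cfkey_pub() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN RSA PUBLIC KEY-----$' || return 1
    tail -n 1 "$1" | grep -q '^-----END RSA PUBLIC KEY-----$'
}

# install_client_key <client-ip> <copy of the client's localhost.pub>
# Returns 0 when installed (or when the identical key is already there),
# 1 on bad input, 2 when a different key is already stored for that IP.
install_client_key() {
    ip="$1"; keyfile="$2"
    valid_ipv4 "$ip" || { echo "install_client_key: bad IPv4 address '$ip'" >&2; return 1; }
    looks_like_cfkey_pub "$keyfile" || { echo "install_client_key: '$keyfile' is not a cfkey public key" >&2; return 1; }
    dest="$PPKEYS_DIR/root-$ip.pub"
    if [ -e "$dest" ]; then
        # A quietly replaced key is exactly what blanket trust would hide,
        # so refuse unless the key on disk is already this one.
        cmp -s "$keyfile" "$dest" && return 0
        echo "install_client_key: different key already stored for $ip at $dest; refusing to overwrite" >&2
        return 2
    fi
    mkdir -p "$PPKEYS_DIR" || return 1
    (umask 077 && cp "$keyfile" "$dest") || return 1
    chmod 0600 "$dest"
}

# Run directly:
#   PPKEYS_DIR=/var/cfengine/ppkeys sh install_client_key.sh 10.0.0.5 /tmp/client-localhost.pub
# (10.0.0.5 and the file name are placeholders; sourcing the file without
# arguments only defines the functions.)
if [ "$#" -ge 2 ]; then
    install_client_key "$1" "$2"
fi
```

Copy localhost.pub off the client by whatever channel you already trust (scp,
a ticket, a USB key), then run the helper on the master as root. Because it
refuses to overwrite a differing key, a client that has been reinstalled and
re-run cfkey shows up as a loud failure rather than a silent swap, which is
the property the /8 shortcut gives away.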
> 3. What I'm not grokking is how the clients periodically pull config
> changes from the server and execute them, and otherwise execute the
> stuff in the existing configs.
See 1. above -- this is what update.conf is for.
--
Eric Sorenson - EXPLOSIVE Networking - http://explosive.net