help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

cfengine in test lab....


From: Juha Ylitalo
Subject: cfengine in test lab....
Date: 17 Jun 2002 13:58:55 +0300

Environment:
  cfengine version is 2.0.2 on all hosts
  cfservd running on FreeBSD 4.5-RELEASE-p5
  cfagent running on Solaris 8

Question:
  Why does cfengine create /var/cfengine/ppkeys/root-a.b.c.d.pub files, 
when I have following lines in cfservd.conf?

  TrustKeysFrom = ( 10.21.165.2 10.21.165.5 10.21.165.6 10.21.165.8
10.21.165.11 )
  DynamicAddresses = ( 10.21.165.2 10.21.165.5-6 10.21.165.8
10.21.165.11 )

Or to phrase it otherwise. How should I change my configuration to
achieve following in product testing environment:
- I go to one of the boxes that is listed on TrustKeysFrom and
DynamicAddresses and give 'reboot "net - install"' as command, which
makes Solaris do network installation from JumpStart server.
- In postconf of that installation, it will install cfengine and copy
root-a.b.c.d.pub from cfservd and update.conf into /var/cfengine/ppkeys
- System reboots and as it comes up, it will run cfkey and start cfexecd
- cfexecd will install rest of the add-on software, create user accounts
and so on.

According to "cfservd -F -d", cfservd host seems to recognize my
cfagent/cfexec box as system, whose identity it should already know.
However, since Solaris box was just reinstalled with new key files,
those obviously won't match with the ones cfservd has in mind.
Network is isolated from all other networks with firewalls, but I would
still prefer solution, where I don't have to put systems private keys
into NFS mounted filesystem. 

P.S. This is related to the earlier problem, where I assumed that there
would be problem with ipranges in trustkeysfrom. So these problems would
indicate that problem is not in ipranges....

-- 
Juha Ylitalo       address@hidden           <work e-mail>
+358 40 562 6152   http://linux.nokia.com/~jylitalo/  <work www>
"Some tools are used, because its policy, others because they are good."



reply via email to

[Prev in Thread] Current Thread [Next in Thread]