help-cfengine

Re: cfrun vs. cfservd


From: Marion Hakanson
Subject: Re: cfrun vs. cfservd
Date: Thu, 20 Feb 2003 16:11:44 -0800

> I want to configure a small number of hosts as fileservers, and then
> configure one or two hosts as fortress servers which can contact any host
> on the network and run cfagent.
> 
> I specifically don't want any host to have the ability to initiate cfagent
> on any other host, and I specifically don't want to enable every host to
> be a fileserver.
> 
> Is there a conflict between these two types of functionality, or is there
> a way to get around it that I'm not seeing?

You can use the "admit:" section to control each of these roles.  In your
case, the entry for the local cfagent command would only allow access for
your one or two "fortress" servers.  Thus any other machine that tried
a "cfrun" would be denied access to the remote cfagent command(s).

Similarly, the entry for your file repository would be used to open up
access on your fileserver hosts, but on the bulk of the systems, there
would be no access (the files wouldn't be there anyway).  For example:

##############################

classes:
  fileserver = ( fileser1 fileser2 fileser3 fileser4 )

control:
  cfrunCommand = /var/cfengine/bin/cfagent
  master_configs = /var/local/master_configs
  AllowUsers = ( root )         # This is always required.

admit:
  # This controls which remote hosts can invoke cfagent here
  #  remotely via their cfrun command.
  $(cfrunCommand)       cfrun1.your.domain cfrun2.your.domain

  # This controls who has access to files served by this host.
  #   Only a fileserver should have anything to serve up.
  fileserver::
    $(master_configs)   *.your.domain *.other.domain

##############################



Another way of doing this is by defining "AllowConnectionsFrom" differently,
depending on whether the machine is a fileserver or not.  In this case, the
"admit" section can be simpler & rely on the connection restrictions alone.
Here's an example of that approach:

##############################

classes:
  fileserver = ( fileser1 fileser2 fileser3 fileser4 )
  
control:
  cfrunCommand = /var/cfengine/bin/cfagent
  master_configs = /var/local/master_configs
  AllowUsers = ( root )         # This is always required.
  ip_of_cfrun1 = ( 192.168.39.1 )
  ip_of_cfrun2 = ( 192.168.39.2 )

  # Make new installs easier.
  # A future release may allow hostnames in the below.
  TrustKeysFrom = ( "$(ip_of_cfrun1)" "$(ip_of_cfrun2)" )

  fileserver::
    # This should include $(ip_of_cfrun1) and $(ip_of_cfrun2).
    AllowConnectionsFrom = ( 192.168.39.* 192.168.45.* )

  !fileserver::
    # A future release may allow hostnames in the below.
    AllowConnectionsFrom = ( "$(ip_of_cfrun1)" "$(ip_of_cfrun2)" )


admit:
  # This controls which remote hosts can invoke cfagent here
  #  remotely via their cfrun command.
  #   Allow in anyone who can connect.
  $(cfrunCommand)       *

  # This controls who has access to files served by this host.
  #   Only a fileserver should have anything to serve up.
  #   Allow in anyone who can connect.
  fileserver::
    $(master_configs)   *

##############################



Of course, you could do both, but then you'd change the list in one
section and forget to change it in the other section, and waste a bunch
of time and hair trying to figure out what went wrong.  That error message
to the effect of "did you forget the domain name?" isn't very helpful (:-).



> Also, although the docs for cfrun claim that cfrun.hosts should be in
> CFINPUTS, I can't get it to see the file anywhere except in the CWD I'm
> running cfrun from.

Me too, for 2.0.5pre2.  Haven't yet tried 2.0.5.  I also have trouble
with the "-f cfagent.conf" option to the "cfrun" command, but haven't
had the time to track it down yet.

Regards,

-- 
Marion Hakanson <hakanson@cse.ogi.edu>
CSE Computing Facilities
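The two gates described above (AllowConnectionsFrom at connection time, then the admit: line for the cfagent path) and the warning about the two lists drifting apart, as an added consistency check that is not part of the original post or of cfengine itself: it parses a constructed cfservd.conf fragment with hypothetical hostnames and IPs, evaluates the class guards as a fileserver and as a non-fileserver host would, and reports any fortress host that one gate lets through and the other blocks.

```python
import fnmatch
import re
# Constructed cfservd.conf fragment (hypothetical hosts/IPs) in the style of the post's second
# example. The !fileserver:: branch has "forgotten" cfrun2 while admit: still lists it.
CONF = """
control:
  cfrunCommand = /var/cfengine/bin/cfagent
  ip_of_cfrun1 = ( 192.168.39.1 )
  ip_of_cfrun2 = ( 192.168.39.2 )
  fileserver::
    AllowConnectionsFrom = ( 192.168.39.* 192.168.45.* )
  !fileserver::
    AllowConnectionsFrom = ( "$(ip_of_cfrun1)" )
admit:
  $(cfrunCommand)  cfrun1.your.domain cfrun2.your.domain
"""
FORTRESS = [("cfrun1.your.domain", "192.168.39.1"), ("cfrun2.your.domain", "192.168.39.2")]

def parse(text, classes):
    """Return (control vars, admit map) as a host holding these classes sees them."""
    classes = set(classes) | {"any"}
    ctl, admit, section, active = {}, {}, None, True
    for line in filter(None, (r.split("#")[0].strip() for r in text.splitlines())):
        if line.endswith("::"):                  # class guard: fileserver:: / !fileserver::
            cls = line[:-2]
            active = cls[1:] not in classes if cls.startswith("!") else cls in classes
        elif line.endswith(":"):                 # section header, resets the guard
            section, active = line[:-1], True
        elif active and section == "control":    # key = value  or  key = ( list )
            key, val = (s.strip() for s in line.split("=", 1))
            ctl[key] = val.strip("()").replace('"', "").split()
        elif active and section == "admit":      # path  host-pattern ...
            path, *hosts = line.split()
            admit[path] = hosts
    def sub(s):  # expand $(var) from this host's control values
        return re.sub(r"\$\((\w+)\)", lambda m: " ".join(ctl.get(m.group(1), [m.group(0)])), s)
    return ({k: sub(" ".join(v)).split() for k, v in ctl.items()},
            {sub(p): [sub(h) for h in hs] for p, hs in admit.items()})

def check_fortress(text, classes, fortress):
    """Map each (name, ip) to (passes AllowConnectionsFrom, passes admit:); globbing ~ cfengine wildcards."""
    ctl, admit = parse(text, classes)
    conn = ctl.get("AllowConnectionsFrom", ["*"])
    agent = admit.get(ctl["cfrunCommand"][0], [])
    return {name: (any(fnmatch.fnmatchcase(ip, p) for p in conn),
                   any(fnmatch.fnmatchcase(name, p) for p in agent)) for name, ip in fortress}

if __name__ == "__main__":
    for cls in ({"fileserver"}, set()):  # both branches; a (True, False)/(False, True) pair is the mismatch
        print(cls or "!fileserver", check_fortress(CONF, cls, FORTRESS))
```

On the non-fileserver branch cfrun2 is admitted by admit: but never reaches it, because AllowConnectionsFrom rejects its IP first, which is exactly the silent failure the post warns about.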