[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: several questions on running cfengine

From: Andrew Stribblehill
Subject: Re: several questions on running cfengine
Date: Fri, 7 Mar 2003 00:24:04 +0000
User-agent: Mutt/1.5.3i

Quoting Eva Hocks <address@hidden> (2003-03-06 11:04:26 GMT):
> What is the difference to run cfagent or cfexecd?

cfexecd performs two roles: it wraps cfagent and squirrels away its
output, and by default it daemonises itself and runs cfagent hourly,
emailing the admin if there exists output and it is different from
the last run.

> While cfagent runs all right, cfexecd complains about:
>  b80n13: cfengine defines no system administrator address
>  b80n13: Need: sysadm = ( address@hidden ) in control

cfexecd asks cfagent for these things as par of its initialisation,
by calling 'cfagent -z'. It may not be necessary in your case to
define the sysadm or smtpserver variables if you don't plan to use
cfexecd as a daemon (you only invoke it with 'cfexecd -F').

> The CFINPUTS is in the root's .profile and cfagent finds it but cfexecd
> does not.

We could do with seeing the output from cfexecd to say what it can't

> Where are the run logs kept? There's nothing in /var/cfengine about the
> commands and results executed while cfagent ran.

$WORKDIR/outputs where $WORKDIR was defined as part of ./configure. I
forget what its default is -- possibly /var/cfengine. If there is no
symlink in there called 'previous' and you're running (I think) 2.0.4
or above, there was no output from cfagent.

> Running cfagent I get the following error:
> cfengine:b80n11: Server returned error:  Host authentication failed. Did
> you forget the domain name?
> The same setup ran yesterday. What changes the keys and how to keep them
> current on the server and client nodes? BTW I did not run the ppkey
> command manually, maybe some part of cfengine runs it?

If you have keys in $WORKDIR/ppkeys/ called and
localhost.priv, something has run ppkeys on your behalf. Check the
mtime and ctime for these files. They don't generally change,
especially without operator intervention.

If you don't have other <ip-address>.pub keys in this directory,
your host isn't trusting your server -- enable trust in a copy
directive for a while.

Likewise, if your server doesn't have <client's-ip>.pub in its ppkeys
directory, it hasn't trusted your client. I find that the best way to
introduce a client to a server is to set up cfservd.conf to trust the
server's IP address and to allow the 'root' user. Then from the
server, I run 'cfrun <client>' and allow it to trust the key. This is
then a one-shot trust at at time of my choosing.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]