RE: Cfengine daemons keep dying!!!

[Wheeler, John]

Apologies for completely mutating this thread, but just wanted to give
some feed back on the modification of the number of clients parameter
change in the cfservd.conf. This appears to have little impact. I did
not go through any statistical analysis of the emails sent, but based on
a rough sampling of ~70 hosts running cfengine, the change from the
default of 10 to 100 did not have any perceivable impact, with the
desired result of decreasing or eliminating these annoying "Challenge
respone... incorrect!" emails.

I have yet to try the other suggestion of binding to an interface. The
master host has many real interfaces but no virtual interfaces.

I'll try the binding trick and let you know.


> -----Original Message-----
> From: help-cfengine-bounces+jwheeler=eb.com@gnu.org
[mailto:help-cfengine-
> bounces+jwheeler=eb.com@gnu.org] On Behalf Of Chip Seraphine
> Sent: Wednesday, December 01, 2004 11:14 AM
> To: Brian Thomas
> Cc: Cfengine Mailing List Help
> Subject: Re: Cfengine daemons keep dying!!!
> 
> Same thing here-- happens several times a day on one host or another.
> Call it a little less than 1% of the time, figuring for the runs/day
and
> number of hosts.
> 
> I do see it happen much more often on some hosts than others, however,
> which is a bit odd.  I don't know if it is the host itself or just
when
> it happens to fire (splaytime is constant for a host if you don't
change
> the upper limit, as it is hashed from hostname and/or IP or
something).
> 
> I can never reproduce it when I run cfagent by hand.
> 
> Brian Thomas wrote:
> 
> >For what it's worth, this is also a relatively common problem for me
as
> >well, although for some reason this has faded significantly in the
past
> >few weeks. I just had it happen this morning though, randomly, on a
> >couple of systems.
> >
> >It also only appears to happen during copy, at random, and usually
does
> >not happen twice in a row.
> >
> >Brian
> >
> >
> >
> >>>However. The challenge response problems your talking about we
solve
> >>>the
> >>>following way:
> >>>
> >>>rm /var/cfengine/ppkeys/root-* on the servers. They will copied on
> >>>
> >>>
> >the
> >
> >
> >>>first request back when trustkey is yes. Also we have limited the
> >>>
> >>>
> >access
> >
> >
> >>>to the cfengine ports only from the local machines via a firewall.
> >>>
> >>>You have of course also delete the keys on the client side for some
> >>>
> >>>
> >rare
> >
> >
> >>>cases. (In case the server key has changed) or you had one of that
> >>>
> >>>
> >buggy
> >
> >
> >>>cfengine versions running (see archives for details).
> >>>
> >>>
> >>It's not a trust or re-key issue. The message:
> >>
> >>cfengine:--------: Challenge response from server
> >>
> >>
> >cfengine/10.xxx.xxx.xx
> >
> >
> >>was incorrect!
> >>cfengine:--------: Authentication dialogue with cfengine failed
> >>
> >>
> >>1. appears somewhat at random... but frequently ~2-3 times a day for
a
> >>given host.
> >>2. obviously only appears during a copy operation
> >>3. likely will not appear in the next run (about an hour later)
> >>
> >>
> >>to mark,
> >>Does it make sense that I'd get the message above if the server
> >>
> >>
> >couldn't
> >
> >
> >>fork a new child? I could just dig through the code, but thought I'd
> >>
> >>
> >try
> >
> >
> >>to be lazy first.
> >>
> >>thanks
> >>wheeler
> >>
> >>
> >
> >
> >_______________________________________________
> >Help-cfengine mailing list
> >Help-cfengine@gnu.org
> >http://lists.gnu.org/mailman/listinfo/help-cfengine
> >
> >
> >
> >
> >_______________________________________________
> >Help-cfengine mailing list
> >Help-cfengine@gnu.org
> >http://lists.gnu.org/mailman/listinfo/help-cfengine
> >
> >
> 
> 
> --
> 
> Chip Seraphine
> Unix Administrator
> TradeLink, LLC
> 312-264-2048
> chip@trdlnk.com
> 
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine