Bootstrapping
Frequently asked questions around bootstrapping, the process of starting CFEngine for the first time, and connecting the agents to the correct policy server.
Why did bootstrap fail?
When I bootstrap a host, I get errors:
No suitable server found for '<path>'No suitable server responded to hailAuthentication dialogue with '<IP>' failedProtocol transaction broken off (1). (ReceiveTransaction: Connection reset by peer)Couldn't receive. (recv: Connection reset by peer)Failed to establish TLS connection: underlying network error ()Failed to establish TLS connection: underlying network error (Connection reset by peer)
These types of errors typically indicate a problem with access.
To troubleshoot these types of errors review cf-serverd summary of access promises. allowconnects in body server control and trustkeysfrom in body server control should also be reviewed.
cf-serverd summary of access promises
cf-serverd provides a summary of access promises in verbose logs. Use this to see if cf-serverd is allowing access to the client.
Run cf-serverd with verbose logging and inspect the summary of access promises:
cf-serverd -v | awk '/=== BEGIN summary of access promises ===/,/=== END summary of access promises ===/'
Example Output:
verbose: === BEGIN summary of access promises ===
verbose: Host IPs allowed connection access (allowconnects):
verbose: IP: 192.168.56.2/16
verbose: IP: ::1
verbose: IP: 127.0.0.1
verbose: Host IPs denied connection access (denyconnects):
verbose: Host IPs allowed multiple connection access (allowallconnects):
verbose: IP: 192.168.56.2/16
verbose: IP: ::1
verbose: IP: 127.0.0.1
verbose: Host IPs whose keys we shall establish trust to (trustkeysfrom):
verbose: IP: 0.0.0.0/0
verbose: Host IPs allowed legacy connections (allowlegacyconnects):
verbose: Users from whom we accept cf-runagent connections (allowusers):
verbose: Access control lists:
verbose: Path: /usr/bin/bash
verbose: admit_ips: 192.168.56.2
verbose: Path: /var/cfengine/bin/
verbose: admit_ips: 192.168.56.2/16
verbose: Path: /var/cfengine/cmdb/$(connection.key)/
verbose: admit_keys: $(connection.key)
verbose: Path: /var/cfengine/data/
verbose: admit_ips: 192.168.56.2/16
verbose: Path: /var/cfengine/master_software_updates/
verbose: admit_ips: 192.168.56.2/16
verbose: Path: /var/cfengine/masterfiles/
verbose: admit_ips: 192.168.56.2/16
verbose: Path: /var/cfengine/masterfiles/.no-distrib/
verbose: deny_ips: 0.0.0.0/0
verbose: Path: /var/cfengine/modules/
verbose: admit_ips: 192.168.56.2/16
verbose: Query: collect_calls
verbose: admit_ips: 192.168.56.2/16
verbose: Query: delta
verbose: admit_ips: 127.0.0.1
verbose: admit_ips: 192.168.56.2
verbose: admit_ips: ::1
verbose: Query: full
verbose: admit_ips: 127.0.0.1
verbose: admit_ips: 192.168.56.2
verbose: admit_ips: ::1
verbose: Query: rebase
verbose: admit_ips: 127.0.0.1
verbose: admit_ips: 192.168.56.2
verbose: admit_ips: ::1
verbose: Role: .*
verbose: Access control lists for the classic network protocol:
verbose: Path: /var/cfengine/masterfiles
verbose: admit: 192.168.56.2/16
verbose: Path: /var/cfengine/bin
verbose: admit: 192.168.56.2/16
verbose: Path: /var/cfengine/data
verbose: admit: 192.168.56.2/16
verbose: Path: /var/cfengine/modules
verbose: admit: 192.168.56.2/16
verbose: Path: /var/cfengine/master_software_updates
verbose: admit: 192.168.56.2/16
verbose: Path: /usr/bin/bash
verbose: admit: 192.168.56.2
verbose: Path: /var/cfengine/masterfiles/.no-distrib
verbose: deny: 0.0.0.0/0
verbose: Object: collect_calls
verbose: Admit '192.168.56.2/16' root=
verbose: Object: delta
verbose: Admit '192.168.56.2' root=
verbose: Admit '::1' root=
verbose: Admit '127.0.0.1' root=
verbose: Object: rebase
verbose: Admit '192.168.56.2' root=
verbose: Admit '::1' root=
verbose: Admit '127.0.0.1' root=
verbose: Object: full
verbose: Admit '192.168.56.2' root=
verbose: Admit '::1' root=
verbose: Admit '127.0.0.1' root=
verbose: Object collect_calls
verbose: Object delta
verbose: Object rebase
verbose: Object full
verbose: === END summary of access promises ===
Notes:
If the summary of access promises looks correct, it may be that
cf-serverdhas not reloaded with a new access rule.Try stopping
cf-serverdand starting it in the foreground with verbose logging (cf-serverd --no-fork --log-level verbose) and look for logs related to the client that was failing.
allowconnects in body server control
In order for a host to communicate it must be within an IP range that is allowed to connect to the server.
cf-serverd logs errors when a host not in allow connects tries to communicate.
Remote host '<ip>' not in allowconnects, denying connection
Notes:
def.aclin the Masterfiles Policy Framework is included in this list by default.
See also: def.acl, def.trustkeysfrom
trustkeysfrom in body server control
This defines networks from which a host will automatically trust hosts. If you do not use automatic trust establishment you must arrange trust separately. The Secure bootstrap guide details a step-by-step procedure to securely bootstrap hosts.
cf-serverd logs verbose and notice messages relating to un-trusted clients trying to connect:
notice: 192.168.56.4> TRUST FAILED, peer presented an untrusted key, dropping connection!verbose: 192.168.56.4> Did not find new key format '/var/cfengine/ppkeys/root-SHA=85f8a23d6738599e03951e6930e661bcd9bb3ae12f32486c9795cc9baa7d5b4e.pub'verbose: 192.168.56.4> Trying old style '/var/cfengine/ppkeys/root-192.168.56.4.pub'verbose: 192.168.56.4> Received key 'SHA=85f8a23d6738599e03951e6930e661bcd9bb3ae12f32486c9795cc9baa7d5b4e' not found in ppkeys
See also: def.acl, def.trustkeysfrom
Chat
Ask a question on Github
Mailing list