Bug #15188
closedAllow disabling the agent without stopping cf-serverd
Description
we have found that if you disable the agent on the root server, this prevents cf-serverd from starting, which I would guess would be intended if there was only an agent on the machine.
However, being the root server, with cf-serverd not running this then means that no agents can connect to it for policy updates, when the intended action was to only stop the root server's agent from getting a policy update.
Some form of logic needs to be devised which means that cf-serverd is not stopped if it is the rudder root server.
the disabled cf-serverd persists across a reboot if the agent is still disabled. (ie /opt/rudder/etc/agent-disabled exists)
The only current workaround is to ensure the agent is never disabled on the root server (which we usually do as a matter of course for things like distro upgrades, to prevent a policy run reverting repository lists part way)
OS: Debian 9 (Stretch), so processes being started (or disabled) by systemd units.
Updated by Vincent MEMBRÉ over 5 years ago
- Target version set to 5.0.13
I think you're right and maybe only the agent should be disabled on root server ? (and also relay ??)
@Team, Would it be possible ?? what do you think of it ?
Updated by Alexis Mousset over 5 years ago
- Subject changed from cf-serverd not starting on root server to Allow disabling the agent without stopping cf-serverd
- Category changed from Server components to Agent
- Target version changed from 5.0.13 to 6.0.0~beta1
- User visibility set to Operational - other Techniques | Rudder settings | Plugins
- Priority changed from 0 to 26
Thank you for reporting this, there is indeed a problem with current agent and cf-serverd's service behaviour.
Current situation¶
- The
rudder-agent
service starts two daemons:cf-serverd
wich:- allows trigerring a remote-run on all nodes
- serves policy files from relays and root servers (which is definitely a server feature)
cf-execd
which regularly triggers an agent run
- disabling the agent also prevents both agent services (cf-execd and cf-serverd) from starting
- there is an option is disable command to also stop the agent service
Problems:
- Keeping a service running but preventing it from restarting makes not sense.
- It is unexpected that acting on the agent would break policy server, and worse that it is not possible to keep it working with a disabled agent.
- There is a clash between cf-serverd usages between simple nodes and servers. It is part of agent (package, service, etc). but also acts as a server component.
Short term changes¶
- Make cf-serverd (and cf-execd for consistency) ignore agent state:
- change policies to ignore disable flag
- change systemd unit to ignore disable flag
rudder agent stop
orrudder agent disable -s
will still stop cf-execd and cf-serverd
Long term changes¶
This would requires wider changes to Rudder.
We could run two separate cf-serverd daemons, one for remote-run and one as policy-server, probably on different ports. This would allow better service organization and avoid unexpected behaviour.
What do you think about this solution?
Updated by Alexis Mousset over 5 years ago
- Related to Architecture #15191: Separate remote-run server from policy server added
Updated by Alexis Mousset about 5 years ago
- Target version changed from 6.0.0~beta1 to 6.1.0~beta1
- Priority changed from 26 to 25
Updated by François ARMAND about 5 years ago
- Target version changed from 6.1.0~beta1 to 6.0.0
- Priority changed from 25 to 50
Updated by Benoît PECCATTE about 5 years ago
- Effort required set to Small
- Priority changed from 50 to 64
The short term version is small
Updated by Benoît PECCATTE about 5 years ago
- Status changed from New to In progress
- Assignee set to Benoît PECCATTE
Updated by Benoît PECCATTE about 5 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Benoît PECCATTE to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder-packages/pull/2146
Updated by Benoît PECCATTE about 5 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-packages|4ee1137ef4eb945490fb4589b24f39b671118f92.
Updated by Alexis Mousset about 5 years ago
- Status changed from Pending release to Released
- Priority changed from 64 to 63
This bug has been fixed in Rudder 6.0.0 which was released today.