Project

General

Profile

Actions
Copy link

User story #3889

closed

Configure node-server communication security options from administration web interface

Added by Olivier Mauras over 10 years ago. Updated over 10 years ago.

Status:
Released
Priority:
2
Assignee:
François ARMAND
Category:
Web - Maintenance
Target version:
2.9.0~rc1
Pull Request:
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

By default cf-serverd refuses connections from clients that have a too big time difference - Don't know how much exactly - this has proven to be problematic for us in the past for two points:

1/ Infrastructure doesn't care if the machine bios has a correct date before provisioning the server - the rudder part of postinstall will fail
2/ We have subsidiaries all around the world with -9 to +7 time shifts - the rudder part of postinstall will fail

If an option could be added in the interface it would be nice.

Subtasks 3 (0 open3 closed)

User story #4216: Add "denybadclocks" system variable and make it configurable in UIReleasedNicolas CHARLES2013-12-06Actions
User story #4218: Add "DENYBADCLOCKS" and "SKIPIDENTIFY" system variable specificationReleasedNicolas CHARLES2013-12-06Actions
User story #4226: Add the CFEngine logic to use DENYBADCLOCKS and SKIPIDENTIFYReleasedVincent MEMBRÉ2013-12-06Actions

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #4640: Changing server security settings should trigger a promise generationReleasedFrançois ARMAND2014-03-18Actions
Actions
Copy link
 #1

Updated by Matthieu CERDA over 10 years ago

  • Assignee set to François ARMAND
  • Priority changed from N/A to 3
  • Target version set to 2.7.1

OK, bug acknowledged.

FAR, do you think this would be possible ?

Actions
Copy link
 #2

Updated by François ARMAND over 10 years ago

  • Assignee changed from François ARMAND to Nicolas CHARLES

Well, adding an option is always possible, but:

  • it won't go in 2.7.1
  • the real problem is not to add an option in the UI, but to know what the option have to do. For now, the UI doesn't do anything to cf-served, so it would be intersting to look at that first.

Nicolas, do you have some idea about what is needed to accomplish the goal (allowing cf-served to accept node with big timeshit compared to server) ?

Actions
Copy link
 #3

Updated by Nicolas CHARLES over 10 years ago

Yeah, that I know
In the body server control (which is in the common system technique), we need to add 

 denybadclocks => "false";

So we could have a Rudder system variable, that by default is true, and we could change it to false via the UI (or config file ?)

Actions
Copy link
 #4

Updated by François ARMAND over 10 years ago

OK, in the UI seems great.

I propose to try to add that on 2.8, and perhaps we could just document a workaround explaining that in the doc (for version inferior at the one where the feature will go)?

Actions
Copy link
 #5

Updated by Nicolas CHARLES over 10 years ago

  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE

Yes, it make sense to add it only on 2.8. What do you think about it Jon ?

Actions
Copy link
 #6

Updated by Jonathan CLARKE over 10 years ago

  • Status changed from New to 8
  • Assignee changed from Jonathan CLARKE to François ARMAND

Nicolas CHARLES wrote:

Yes, it make sense to add it only on 2.8. What do you think about it Jon ?

Absolutely! Let's do it.

Actions
Copy link
 #7

Updated by Nicolas PERRON over 10 years ago

  • Target version changed from 2.7.1 to 2.8.0~beta1
Actions
Copy link
 #8

Updated by Nicolas PERRON over 10 years ago

  • Target version changed from 2.8.0~beta1 to 2.8.0~rc1
Actions
Copy link
 #9

Updated by Vincent MEMBRÉ over 10 years ago

  • Target version changed from 2.8.0~rc1 to Ideas (not version specific)

This will not be done in 2.8.0, and is postponed to a later version.

Actions
Copy link
 #10

Updated by Nicolas CHARLES over 10 years ago

Now that we have tools to change config in the UI, it would be easier than before

Actions
Copy link
 #11

Updated by Jonathan CLARKE over 10 years ago

Nicolas CHARLES wrote:

Now that we have tools to change config in the UI, it would be easier than before

In a similar manner, we should also add an option for the CFEngine configuration parameter to ignore reverse DNS lookups.

Actions
Copy link
 #12

Updated by François ARMAND over 10 years ago

  • Status changed from 8 to 13
Actions
Copy link
 #13

Updated by Jonathan CLARKE over 10 years ago

  • Subject changed from Allow disabling cf-serverd "denybadclocks" option to Allow configuring cf-serverd "denybadclocks" and "skipverify" options
Actions
Copy link
 #14

Updated by Jonathan CLARKE over 10 years ago

  • Subject changed from Allow configuring cf-serverd "denybadclocks" and "skipverify" options to Allow configuring cf-serverd "denybadclocks" option
  • Target version changed from Ideas (not version specific) to 2.9.0~rc1
Actions
Copy link
 #15

Updated by Vincent MEMBRÉ over 10 years ago

  • Category changed from System techniques to Web - Maintenance
Actions
Copy link
 #16

Updated by Vincent MEMBRÉ over 10 years ago

  • Subject changed from Allow configuring cf-serverd "denybadclocks" option to Configure CFEngine security options from administration web interface
Actions
Copy link
 #17

Updated by Vincent MEMBRÉ over 10 years ago

  • Subject changed from Configure CFEngine security options from administration web interface to Configure node-server communication security options from administration web interface
Actions
Copy link
 #18

Updated by Matthieu CERDA over 10 years ago

  • Status changed from 13 to Pending release
Actions
Copy link
 #19

Updated by Vincent MEMBRÉ over 10 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.9.0~rc1, which was released on Friday 13/12/2013.
Check out:

Actions
Copy link

Also available in: Atom PDF