Project

General

Profile

Actions

User story #3889

closed

Configure node-server communication security options from administration web interface

Added by Olivier Mauras over 11 years ago. Updated about 11 years ago.

Status:
Released
Priority:
2
Category:
Web - Maintenance
Target version:
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

By default cf-serverd refuses connections from clients that have a too big time difference - Don't know how much exactly - this has proven to be problematic for us in the past for two points:

1/ Infrastructure doesn't care if the machine bios has a correct date before provisioning the server - the rudder part of postinstall will fail
2/ We have subsidiaries all around the world with -9 to +7 time shifts - the rudder part of postinstall will fail

If an option could be added in the interface it would be nice.


Subtasks 3 (0 open3 closed)

User story #4216: Add "denybadclocks" system variable and make it configurable in UIReleasedNicolas CHARLES2013-12-06Actions
User story #4218: Add "DENYBADCLOCKS" and "SKIPIDENTIFY" system variable specificationReleasedNicolas CHARLES2013-12-06Actions
User story #4226: Add the CFEngine logic to use DENYBADCLOCKS and SKIPIDENTIFYReleasedVincent MEMBRÉ2013-12-06Actions

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #4640: Changing server security settings should trigger a promise generationReleasedFrançois ARMAND2014-03-18Actions
Actions #1

Updated by Matthieu CERDA over 11 years ago

  • Assignee set to François ARMAND
  • Priority changed from N/A to 3
  • Target version set to 2.7.1

OK, bug acknowledged.

FAR, do you think this would be possible ?

Actions #2

Updated by François ARMAND over 11 years ago

  • Assignee changed from François ARMAND to Nicolas CHARLES

Well, adding an option is always possible, but:

  • it won't go in 2.7.1
  • the real problem is not to add an option in the UI, but to know what the option have to do. For now, the UI doesn't do anything to cf-served, so it would be intersting to look at that first.

Nicolas, do you have some idea about what is needed to accomplish the goal (allowing cf-served to accept node with big timeshit compared to server) ?

Actions #3

Updated by Nicolas CHARLES over 11 years ago

Yeah, that I know
In the body server control (which is in the common system technique), we need to add

 denybadclocks => "false";

So we could have a Rudder system variable, that by default is true, and we could change it to false via the UI (or config file ?)

Actions #4

Updated by François ARMAND over 11 years ago

OK, in the UI seems great.

I propose to try to add that on 2.8, and perhaps we could just document a workaround explaining that in the doc (for version inferior at the one where the feature will go)?

Actions #5

Updated by Nicolas CHARLES over 11 years ago

  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE

Yes, it make sense to add it only on 2.8. What do you think about it Jon ?

Actions #6

Updated by Jonathan CLARKE over 11 years ago

  • Status changed from New to 8
  • Assignee changed from Jonathan CLARKE to François ARMAND

Nicolas CHARLES wrote:

Yes, it make sense to add it only on 2.8. What do you think about it Jon ?

Absolutely! Let's do it.

Actions #7

Updated by Nicolas PERRON over 11 years ago

  • Target version changed from 2.7.1 to 2.8.0~beta1
Actions #8

Updated by Nicolas PERRON about 11 years ago

  • Target version changed from 2.8.0~beta1 to 2.8.0~rc1
Actions #9

Updated by Vincent MEMBRÉ about 11 years ago

  • Target version changed from 2.8.0~rc1 to Ideas (not version specific)

This will not be done in 2.8.0, and is postponed to a later version.

Actions #10

Updated by Nicolas CHARLES about 11 years ago

Now that we have tools to change config in the UI, it would be easier than before

Actions #11

Updated by Jonathan CLARKE about 11 years ago

Nicolas CHARLES wrote:

Now that we have tools to change config in the UI, it would be easier than before

In a similar manner, we should also add an option for the CFEngine configuration parameter to ignore reverse DNS lookups.

Actions #12

Updated by François ARMAND about 11 years ago

  • Status changed from 8 to 13
Actions #13

Updated by Jonathan CLARKE about 11 years ago

  • Subject changed from Allow disabling cf-serverd "denybadclocks" option to Allow configuring cf-serverd "denybadclocks" and "skipverify" options
Actions #14

Updated by Jonathan CLARKE about 11 years ago

  • Subject changed from Allow configuring cf-serverd "denybadclocks" and "skipverify" options to Allow configuring cf-serverd "denybadclocks" option
  • Target version changed from Ideas (not version specific) to 2.9.0~rc1
Actions #15

Updated by Vincent MEMBRÉ about 11 years ago

  • Category changed from System techniques to Web - Maintenance
Actions #16

Updated by Vincent MEMBRÉ about 11 years ago

  • Subject changed from Allow configuring cf-serverd "denybadclocks" option to Configure CFEngine security options from administration web interface
Actions #17

Updated by Vincent MEMBRÉ about 11 years ago

  • Subject changed from Configure CFEngine security options from administration web interface to Configure node-server communication security options from administration web interface
Actions #18

Updated by Matthieu CERDA about 11 years ago

  • Status changed from 13 to Pending release
Actions #19

Updated by Vincent MEMBRÉ about 11 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.9.0~rc1, which was released on Friday 13/12/2013.
Check out:

Actions

Also available in: Atom PDF