User story #3889

closed

Configure node-server communication security options from administration web interface

Added by Olivier Mauras over 12 years ago. Updated about 12 years ago.

Status: Released
Priority: 2
Category: Web - Maintenance

Description

By default, cf-serverd refuses connections from clients that have too big a time difference (I don't know how much exactly). This has proven to be problematic for us in the past on two points:

1/ Infrastructure doesn't care if the machine BIOS has a correct date before provisioning the server - the Rudder part of postinstall will fail
2/ We have subsidiaries all around the world with -9 to +7 time shifts - the Rudder part of postinstall will fail

If an option could be added in the interface it would be nice.


Subtasks 3 (0 open, 3 closed)

  • User story #4216: Add "denybadclocks" system variable and make it configurable in UI (Released, Nicolas CHARLES)
  • User story #4218: Add "DENYBADCLOCKS" and "SKIPIDENTIFY" system variable specification (Released, Nicolas CHARLES)
  • User story #4226: Add the CFEngine logic to use DENYBADCLOCKS and SKIPIDENTIFY (Released, Vincent MEMBRÉ)

Related issues 1 (0 open, 1 closed)

  • Related to Rudder - Bug #4640: Changing server security settings should trigger a promise generation (Released, François ARMAND)

Updated by Matthieu CERDA over 12 years ago #1

  • Assignee set to François ARMAND
  • Priority changed from N/A to 3
  • Target version set to 2.7.1

OK, bug acknowledged.

FAR, do you think this would be possible?

Updated by François ARMAND over 12 years ago #2

  • Assignee changed from François ARMAND to Nicolas CHARLES

Well, adding an option is always possible, but:

  • it won't go in 2.7.1
  • the real problem is not to add an option in the UI, but to know what the option has to do. For now, the UI doesn't do anything to cf-serverd, so it would be interesting to look at that first.

Nicolas, do you have some idea about what is needed to accomplish the goal (allowing cf-serverd to accept nodes with a big time shift compared to the server)?

Updated by Nicolas CHARLES over 12 years ago #3

Yeah, that I know.
In the body server control (which is in the common system technique), we need to add

 denybadclocks => "false";

So we could have a Rudder system variable that is true by default, and we could change it to false via the UI (or config file?)
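
Added illustration, not part of the ticket thread or of Rudder's system techniques: a CFEngine policy fragment showing where the `denybadclocks` setting from comment #3 lives, with the default beside the relaxed value. The bundle name `node_server_security` and the class `relax_clock_check` are hypothetical, and the address range is a constructed example.

```cfengine3
# Added illustration; not taken from Rudder's system techniques.
# The bundle name and the class "relax_clock_check" are hypothetical.

bundle common node_server_security
{
  classes:
      # "!any" is never true, so the class stays undefined and the default
      # applies. Replace it with "any" (or a real condition) to relax the
      # clock check on this policy server.
      "relax_clock_check" expression => "!any";
}

body server control
{
  !relax_clock_check::
      # CFEngine default: cf-serverd refuses clients whose clock is too far
      # from its own (the CFEngine reference documents this as more than
      # one hour).
      denybadclocks => "true";

  relax_clock_check::
      # Accept clients regardless of clock difference. The setting applies
      # to every client of this cf-serverd, not to selected nodes.
      denybadclocks => "false";

  any::
      # Constructed example range (RFC 5737). With the clock check off,
      # the connection ACL and key trust are what still filter clients,
      # so keep this list narrow.
      allowconnects => { "192.0.2.0/24" };
}
```
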

Updated by François ARMAND over 12 years ago #4

OK, in the UI seems great.

I propose to try to add that in 2.8, and perhaps we could just document a workaround explaining that in the doc (for versions earlier than the one where the feature will go)?

Updated by Nicolas CHARLES over 12 years ago #5

  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE

Yes, it makes sense to add it only in 2.8. What do you think about it, Jon?

Updated by Jonathan CLARKE over 12 years ago #6

  • Status changed from New to 8
  • Assignee changed from Jonathan CLARKE to François ARMAND

Nicolas CHARLES wrote:

Yes, it makes sense to add it only in 2.8. What do you think about it, Jon?

Absolutely! Let's do it.

Updated by Nicolas PERRON over 12 years ago #7

  • Target version changed from 2.7.1 to 2.8.0~beta1

Updated by Nicolas PERRON over 12 years ago #8

  • Target version changed from 2.8.0~beta1 to 2.8.0~rc1

Updated by Vincent MEMBRÉ over 12 years ago #9

  • Target version changed from 2.8.0~rc1 to Ideas (not version specific)

This will not be done in 2.8.0, and is postponed to a later version.

Updated by Nicolas CHARLES about 12 years ago #10

Now that we have tools to change config in the UI, it would be easier than before.

Updated by Jonathan CLARKE about 12 years ago #11

Nicolas CHARLES wrote:

Now that we have tools to change config in the UI, it would be easier than before.

In a similar manner, we should also add an option for the CFEngine configuration parameter to ignore reverse DNS lookups.

Updated by François ARMAND about 12 years ago #12

  • Status changed from 8 to 13

Updated by Jonathan CLARKE about 12 years ago #13

  • Subject changed from Allow disabling cf-serverd "denybadclocks" option to Allow configuring cf-serverd "denybadclocks" and "skipverify" options

Updated by Jonathan CLARKE about 12 years ago #14

  • Subject changed from Allow configuring cf-serverd "denybadclocks" and "skipverify" options to Allow configuring cf-serverd "denybadclocks" option
  • Target version changed from Ideas (not version specific) to 2.9.0~rc1

Updated by Vincent MEMBRÉ about 12 years ago #15

  • Category changed from System techniques to Web - Maintenance

Updated by Vincent MEMBRÉ about 12 years ago #16

  • Subject changed from Allow configuring cf-serverd "denybadclocks" option to Configure CFEngine security options from administration web interface

Updated by Vincent MEMBRÉ about 12 years ago #17

  • Subject changed from Configure CFEngine security options from administration web interface to Configure node-server communication security options from administration web interface

Updated by Matthieu CERDA about 12 years ago #18

  • Status changed from 13 to Pending release

Updated by Vincent MEMBRÉ about 12 years ago #19

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.9.0~rc1, which was released on Friday 13/12/2013.
Check out:
