User story #3889
closedConfigure node-server communication security options from administration web interface
Description
By default cf-serverd refuses connections from clients that have a too big time difference - Don't know how much exactly - this has proven to be problematic for us in the past for two points:
1/ Infrastructure doesn't care if the machine bios has a correct date before provisioning the server - the rudder part of postinstall will fail
2/ We have subsidiaries all around the world with -9 to +7 time shifts - the rudder part of postinstall will fail
If an option could be added in the interface it would be nice.
Updated by Matthieu CERDA over 11 years ago
- Assignee set to François ARMAND
- Priority changed from N/A to 3
- Target version set to 2.7.1
OK, bug acknowledged.
FAR, do you think this would be possible ?
Updated by François ARMAND over 11 years ago
- Assignee changed from François ARMAND to Nicolas CHARLES
Well, adding an option is always possible, but:
- it won't go in 2.7.1
- the real problem is not to add an option in the UI, but to know what the option have to do. For now, the UI doesn't do anything to cf-served, so it would be intersting to look at that first.
Nicolas, do you have some idea about what is needed to accomplish the goal (allowing cf-served to accept node with big timeshit compared to server) ?
Updated by Nicolas CHARLES over 11 years ago
Yeah, that I know
In the body server control (which is in the common system technique), we need to add
denybadclocks => "false";
So we could have a Rudder system variable, that by default is true, and we could change it to false via the UI (or config file ?)
Updated by François ARMAND over 11 years ago
OK, in the UI seems great.
I propose to try to add that on 2.8, and perhaps we could just document a workaround explaining that in the doc (for version inferior at the one where the feature will go)?
Updated by Nicolas CHARLES over 11 years ago
- Assignee changed from Nicolas CHARLES to Jonathan CLARKE
Yes, it make sense to add it only on 2.8. What do you think about it Jon ?
Updated by Jonathan CLARKE over 11 years ago
- Status changed from New to 8
- Assignee changed from Jonathan CLARKE to François ARMAND
Nicolas CHARLES wrote:
Yes, it make sense to add it only on 2.8. What do you think about it Jon ?
Absolutely! Let's do it.
Updated by Nicolas PERRON over 11 years ago
- Target version changed from 2.7.1 to 2.8.0~beta1
Updated by Nicolas PERRON about 11 years ago
- Target version changed from 2.8.0~beta1 to 2.8.0~rc1
Updated by Vincent MEMBRÉ about 11 years ago
- Target version changed from 2.8.0~rc1 to Ideas (not version specific)
This will not be done in 2.8.0, and is postponed to a later version.
Updated by Nicolas CHARLES about 11 years ago
Now that we have tools to change config in the UI, it would be easier than before
Updated by Jonathan CLARKE about 11 years ago
Nicolas CHARLES wrote:
Now that we have tools to change config in the UI, it would be easier than before
In a similar manner, we should also add an option for the CFEngine configuration parameter to ignore reverse DNS lookups.
Updated by Jonathan CLARKE about 11 years ago
- Subject changed from Allow disabling cf-serverd "denybadclocks" option to Allow configuring cf-serverd "denybadclocks" and "skipverify" options
Updated by Jonathan CLARKE about 11 years ago
- Subject changed from Allow configuring cf-serverd "denybadclocks" and "skipverify" options to Allow configuring cf-serverd "denybadclocks" option
- Target version changed from Ideas (not version specific) to 2.9.0~rc1
Updated by Vincent MEMBRÉ about 11 years ago
- Category changed from System techniques to Web - Maintenance
Updated by Vincent MEMBRÉ about 11 years ago
- Subject changed from Allow configuring cf-serverd "denybadclocks" option to Configure CFEngine security options from administration web interface
Updated by Vincent MEMBRÉ about 11 years ago
- Subject changed from Configure CFEngine security options from administration web interface to Configure node-server communication security options from administration web interface
Updated by Matthieu CERDA about 11 years ago
- Status changed from 13 to Pending release
Updated by Vincent MEMBRÉ about 11 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 2.9.0~rc1, which was released on Friday 13/12/2013.
Check out:
- The release announcement: http://www.rudder-project.org/pipermail/rudder-announce/2013-December/000065.html
- The full ChangeLog: http://www.rudder-project.org/foswiki/bin/view/System/Documentation:ChangeLog29
- Download information: https://www.rudder-project.org/site/get-rudder/downloads/