User story #3889
closed
Configure node-server communication security options from administration web interface
Added by Olivier Mauras about 11 years ago.
Updated almost 11 years ago.
Category:
Web - Maintenance
Description
By default cf-serverd refuses connections from clients that have too big a time difference (I don't know how much exactly). This has proven to be problematic for us in the past for two reasons:
1/ Infrastructure doesn't care if the machine BIOS has a correct date before provisioning the server - the Rudder part of postinstall will fail
2/ We have subsidiaries all around the world with -9 to +7 time shifts - the Rudder part of postinstall will fail
If an option could be added in the interface it would be nice.
- Assignee set to François ARMAND
- Priority changed from N/A to 3
- Target version set to 2.7.1
OK, bug acknowledged.
FAR, do you think this would be possible?
- Assignee changed from François ARMAND to Nicolas CHARLES
Well, adding an option is always possible, but:
- it won't go in 2.7.1
- the real problem is not to add an option in the UI, but to know what the option has to do. For now, the UI doesn't do anything to cf-serverd, so it would be interesting to look at that first.
Nicolas, do you have some idea about what is needed to accomplish the goal (allowing cf-serverd to accept nodes with a big time shift compared to the server)?
Yeah, that I know
In the body server control (which is in the common system technique), we need to add
denybadclocks => "false";
So we could have a Rudder system variable, that by default is true, and we could change it to false via the UI (or config file ?)
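An added example, not from this ticket or from Rudder's code: a check that reads CFEngine policy text and reports whether `denybadclocks` has been turned off in `body server control`, so an administrator can confirm which servers run with the clock check relaxed. The sample policy and all function names are constructed for illustration.

```python
import re

# Constructed sample: a "body server control" with the clock check turned off.
SAMPLE_POLICY = '''
body server control
{
      allowconnects => { "192.0.2.0/24" };   # lists nest braces inside the body
      # denybadclocks => "true";             (commented out, must be ignored)
      denybadclocks => "false";
}
'''

def strip_comments(text):
    """Drop '#' comments, leaving '#' inside double-quoted strings alone."""
    out = []
    for line in text.splitlines():
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch == '#' and not in_quote:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def server_control_body(text):
    """Return the text inside the braces of 'body server control', or None."""
    m = re.search(r'\bbody\s+server\s+control\s*\{', text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)   # track nested list braces
        if depth == 0:
            return text[start:i]
    return None  # unbalanced braces: treat as not found

def audit_denybadclocks(policy):
    """Return 'disabled', 'enabled', 'default', 'variable:<ref>' or 'no-server-control'."""
    body = server_control_body(strip_comments(policy))
    if body is None:
        return "no-server-control"
    m = re.search(r'\bdenybadclocks\s*=>\s*"([^"]*)"', body)
    if not m:
        return "default"   # attribute absent: cf-serverd keeps its built-in default
    value = m.group(1).strip().lower()
    if value in ("false", "no", "off"):
        return "disabled"
    return "enabled" if value in ("true", "yes", "on") else "variable:" + value
```

A `variable:` result means the value comes from a policy variable, as proposed in the comment above, and has to be resolved from wherever that variable is defined.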
OK, in the UI seems great.
I propose to try to add that in 2.8, and perhaps we could just document a workaround explaining that in the doc (for versions earlier than the one where the feature will go)?
- Assignee changed from Nicolas CHARLES to Jonathan CLARKE
Yes, it makes sense to add it only in 2.8. What do you think about it, Jon?
- Status changed from New to 8
- Assignee changed from Jonathan CLARKE to François ARMAND
Nicolas CHARLES wrote:
Yes, it makes sense to add it only in 2.8. What do you think about it, Jon?
Absolutely! Let's do it.
- Target version changed from 2.7.1 to 2.8.0~beta1
- Target version changed from 2.8.0~beta1 to 2.8.0~rc1
- Target version changed from 2.8.0~rc1 to Ideas (not version specific)
This will not be done in 2.8.0, and is postponed to a later version.
Now that we have tools to change config in the UI, it would be easier than before
Nicolas CHARLES wrote:
Now that we have tools to change config in the UI, it would be easier than before
In a similar manner, we should also add an option for the CFEngine configuration parameter to ignore reverse DNS lookups.
- Status changed from 8 to 13
- Subject changed from Allow disabling cf-serverd "denybadclocks" option to Allow configuring cf-serverd "denybadclocks" and "skipverify" options
- Subject changed from Allow configuring cf-serverd "denybadclocks" and "skipverify" options to Allow configuring cf-serverd "denybadclocks" option
- Target version changed from Ideas (not version specific) to 2.9.0~rc1
- Category changed from System techniques to Web - Maintenance
- Subject changed from Allow configuring cf-serverd "denybadclocks" option to Configure CFEngine security options from administration web interface
- Subject changed from Configure CFEngine security options from administration web interface to Configure node-server communication security options from administration web interface
- Status changed from 13 to Pending release
- Status changed from Pending release to Released
This bug has been fixed in Rudder 2.9.0~rc1, which was released on Friday 13/12/2013.
Check out: