Bug #4442

cf-serverd looks up reverse DNS for ALL nodes at start up

Added by Christophe Nowicki about 6 years ago. Updated about 6 years ago.

Status: Released
Priority: N/A
Category: Performance and scalability
Target version:
Pull Request:
Severity:
User visibility:
Effort required:
Priority:

Description

Hi,

The /var/rudder/cfengine-community/inputs/common/1.0/cf-served.cf file is managed by Rudder.

Every directory in "/var/rudder/share/*UUID*" is protected like this:

any::
   "/var/rudder/share/*UUID*"
   maproot => { host2ip("HOSTNAME"), escape("HOSTNAME") },
   admit => { host2ip("HOSTNAME"), escape("HOSTNAME") };

When the cf-serverd process starts up, it will look up the reverse DNS for HOSTNAME.

  • If you have only 10 hosts, it doesn't matter;
  • If you have 100 hosts, you are flooding the DNS server;
  • If you have 50k hosts, you are benchmarking DNS root servers ;-)

If the DNS server is down or the HOSTNAME is wrong, the cf-serverd process will never start.

Could the host2ip("HOSTNAME") be replaced by the node IP address from the inventory, in order to avoid DNS lookups at startup?

Best Regards,


Related issues

Related to Rudder - Bug #4429: duplicated IP addresses across nodes are not accepted, preventing to handle NAT (Released, 2014-01-31, Nicolas CHARLES)
Has duplicate Rudder - Bug #3912: (Unecessary) Use of host-to-ip cause major slowdown of cf-promises on the rudder server when used with many nodes (Rejected, 2013-09-06, Nicolas CHARLES)

#1

Updated by François ARMAND about 6 years ago

  • Project changed from Techniques to Rudder
  • Category set to System techniques
  • Assignee set to Nicolas CHARLES

I believe Nicolas could be the best to talk about that.

#2

Updated by Nicolas CHARLES about 6 years ago

It might be, but would it work on NATed system, where the IP address known by the node is not the one seen by the server?

#3

Updated by Nicolas CHARLES about 6 years ago

The issue with using only the published IP is that it will fail on NAT systems.

However, while trying to find a solution for NAT systems, I realized we could simply rely on the hostname (and no host2ip), as long as we add, on the client side:

body agent control
{
  # Do not rely on address resolution when the agent identifies itself to the server.
  skipidentify => "true";
}

What it does is tell it not to trust the name resolution, and to trust only the hostname:
https://cfengine.com/archive/manuals/cf3-Reference#skipidentify-in-agent

It still allows proper ACLs based on hostname (host1 won't be able to access resources shared only with host2), and completely removes the need for host2ip.
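As an added illustration (not the page's own snippet and not the code of the linked PR), here is what a cf-serverd access rule looks like with the host2ip() lookup and with the hostname-only form the comment above describes, plus the matching client-side body. The UUID and hostname are placeholders; as with any CFEngine admit list, these lines authorise by name, while the node is authenticated by its key.

```cfengine3
# Server side (cf-serverd policy). One rule of this shape exists per managed
# node, so anything evaluated at parse time is multiplied by the node count.
bundle server access_rules
{
  access:
    any::
      "/var/rudder/share/NODE-UUID-PLACEHOLDER"
        # Before the fix: host2ip() is evaluated when the policy is read, so
        # cf-serverd performs one DNS lookup per node at startup and does not
        # start at all if the name does not resolve.
        # maproot => { host2ip("node1.example.org"), escape("node1.example.org") },
        # admit   => { host2ip("node1.example.org"), escape("node1.example.org") };

        # After the fix: only the escaped hostname (admit entries are regexes,
        # so the dots must be escaped). No lookup happens at startup; a node
        # whose name does not match is simply denied at connection time.
        maproot => { escape("node1.example.org") },
        admit   => { escape("node1.example.org") };
}

# Client side (every node): do not rely on address resolution when the agent
# identifies itself to the server, so hostname-based rules keep working behind NAT.
body agent control
{
  skipidentify => "true";
}
```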

#4

Updated by Nicolas CHARLES about 6 years ago

  • Status changed from New to In progress
  • Target version set to 2.10.0~beta1

#5

Updated by Nicolas CHARLES about 6 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE

PR is there
https://github.com/Normation/rudder-techniques/pull/303

What it does is that if skipidentify is defined (a configuration parameter on the web interface), then it does not use host2ip.
The client side was already handled (except for initial promises).

#6

Updated by Nicolas CHARLES about 6 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100

Applied in changeset policy-templates:commit:e1f24ddb642344abe0d04da599ff01d98cea1b7b.

#7

Updated by Jonathan CLARKE about 6 years ago

Applied in changeset policy-templates:commit:d1333e2fbe07559383f4bef85062ea5a7eda9afc.

#8

Updated by Vincent MEMBRÉ about 6 years ago

  • Tracker changed from Bug to User story
  • Subject changed from "cf-served look up reverse DNS for ALL nodes at startup" to "At cf-serverd startup, use each node ip instead of resolving their hostname by reverse look up"

#9

Updated by Vincent MEMBRÉ about 6 years ago

  • Tracker changed from User story to Bug

#10

Updated by Vincent MEMBRÉ about 6 years ago

  • Subject changed from "At cf-serverd startup, use each node ip instead of resolving their hostname by reverse look up" to "cf-serverd looks up reverse DNS for ALL nodes at startup"

#11

Updated by Vincent MEMBRÉ about 6 years ago

  • Subject changed from "cf-serverd looks up reverse DNS for ALL nodes at startup" to "cf-serverd looks up reverse DNS for ALL nodes at start up"

#12

Updated by Vincent MEMBRÉ about 6 years ago

  • Category changed from System techniques to Performance and scalability

#13

Updated by Vincent MEMBRÉ about 6 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.10.0~beta1, which was released today.
Check out:

The release announcement: http://www.rudder-project.org/pipermail/rudder-announce/2014-March/000084.html
The full ChangeLog: http://www.rudder-project.org/foswiki/bin/view/System/Documentation:ChangeLog210
Download information: https://www.rudder-project.org/site/get-rudder/downloads/
