Project

General

Profile

Actions

Bug #4442

closed

cf-serverd looks up reverse DNS for ALL nodes at start up

Added by Christophe Nowicki almost 11 years ago. Updated over 10 years ago.

Status:
Released
Priority:
N/A
Assignee:
Jonathan CLARKE
Category:
Performance and scalability
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
Name check:
Fix check:
Regression:

Description

Hi,

The /var/rudder/cfengine-community/inputs/common/1.0/cf-served.cf file is managed by rudder.

Every directory in "/var/rudder/share/*UUID*" is protected like that :

any::
   "/var/rudder/share/*UUID*" 
   maproot => { host2ip("HOSTNAME"), escape("HOSTNAME") };
   admit => { host2ip("HOSTNAME"), escape("HOSTNAME") };

When the cf-served process startup it will look up for the reverse DNS for HOSTNAME.

  • If you have only 10 hosts, it doesn't matter ;
  • If you have 100 hosts, you are flooding the DNS server ;
  • If you have 50k hosts, you are benchmarking DNS root servers ;-) ;

If the DNS server is down or the HOSTNAME is wrong, the cf-served process will never start.

Could the host2ip("HOSTNAME") be replaced by the node ip address from the inventory in order to avoid DNS lookup at startup ?

Best Regards,


Related issues 2 (0 open2 closed)

Related to Rudder - Bug #4429: duplicated IP addresses across nodes are not accepted, preventing to handle NATReleasedNicolas CHARLES2014-01-31Actions
Has duplicate Rudder - Bug #3912: (Unecessary) Use of host-to-ip cause major slowdown of cf-promises on the rudder server when used with many nodesRejectedNicolas CHARLES2013-09-06Actions
Actions #1

Updated by François ARMAND almost 11 years ago

  • Project changed from 24 to Rudder
  • Category set to System techniques
  • Assignee set to Nicolas CHARLES

I believe Nicolas could be the best to talk about that.

Actions #2

Updated by Nicolas CHARLES almost 11 years ago

It might be, but would it work on NATed system, where the IP address known by the node is not the one seen by the server?

Actions #3

Updated by Nicolas CHARLES over 10 years ago

The issue with using only the published IP is that it will fail on NAT system

However, while trying to find a solution for NAT systems, i realized we could simply rely on the hostname (and no host2ip), as long as we add, on the client side

body agent control
{
skipidentify => "true";
}

what it does is that it tells not to trust the name resolution, and only trust the hostname
https://cfengine.com/archive/manuals/cf3-Reference#skipidentify-in-agent

it still allows for proper acls based on hostname (host1 won't be able to access to ressources shared only to host2), and removes completely the need of host2ip

Actions #4

Updated by Nicolas CHARLES over 10 years ago

  • Status changed from New to In progress
  • Target version set to 2.10.0~beta1
Actions #5

Updated by Nicolas CHARLES over 10 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE

PR is there
https://github.com/Normation/rudder-techniques/pull/303

what it does is that if the skip identify is defined (configuration parameter on the web interface) then it does not host2ip
the client side was already handled (except for initial promises)

Actions #6

Updated by Nicolas CHARLES over 10 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100

Applied in changeset policy-templates:commit:e1f24ddb642344abe0d04da599ff01d98cea1b7b.

Actions #7

Updated by Jonathan CLARKE over 10 years ago

Applied in changeset policy-templates:commit:d1333e2fbe07559383f4bef85062ea5a7eda9afc.

Actions #8

Updated by Vincent MEMBRÉ over 10 years ago

  • Tracker changed from Bug to User story
  • Subject changed from cf-served look up reverse DNS for ALL nodes at startup to At cf-serverd startup, use each node ip instead of resolving their hostname by reverse look up
Actions #9

Updated by Vincent MEMBRÉ over 10 years ago

  • Tracker changed from User story to Bug
Actions #10

Updated by Vincent MEMBRÉ over 10 years ago

  • Subject changed from At cf-serverd startup, use each node ip instead of resolving their hostname by reverse look up to cf-serverd looks up reverse DNS for ALL nodes at startup
Actions #11

Updated by Vincent MEMBRÉ over 10 years ago

  • Subject changed from cf-serverd looks up reverse DNS for ALL nodes at startup to cf-serverd looks up reverse DNS for ALL nodes at start up
Actions #12

Updated by Vincent MEMBRÉ over 10 years ago

  • Category changed from System techniques to Performance and scalability
Actions #13

Updated by Vincent MEMBRÉ over 10 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.10.0~beta1, which was released today.
Check out:

The release announcement: http://www.rudder-project.org/pipermail/rudder-announce/2014-March/000084.html
The full ChangeLog: http://www.rudder-project.org/foswiki/bin/view/System/Documentation:ChangeLog210
Download information: https://www.rudder-project.org/site/get-rudder/downloads/
Actions

Also available in: Atom PDF