Bug #4442
closed
cf-serverd looks up reverse DNS for ALL nodes at start up
Added by Christophe Nowicki almost 11 years ago.
Updated over 10 years ago.
Category: Performance and scalability
Description
Hi,
The /var/rudder/cfengine-community/inputs/common/1.0/cf-serverd.cf file is managed by Rudder.
Every directory in "/var/rudder/share/*UUID*" is protected like this:
any::
  "/var/rudder/share/*UUID*"
    maproot => { host2ip("HOSTNAME"), escape("HOSTNAME") };
    admit => { host2ip("HOSTNAME"), escape("HOSTNAME") };
When the cf-serverd process starts up, it looks up the reverse DNS for HOSTNAME.
- If you have only 10 hosts, it doesn't matter;
- If you have 100 hosts, you are flooding the DNS server;
- If you have 50k hosts, you are benchmarking the DNS root servers ;-)
If the DNS server is down or the HOSTNAME is wrong, the cf-serverd process will never start.
Could the host2ip("HOSTNAME") be replaced by the node IP address from the inventory in order to avoid DNS lookups at startup?
Best Regards,
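A startup pre-flight check for the situation described in this report, added here as an example and not part of Rudder or of the original post: it extracts every hostname that the generated maproot/admit rules would pass to host2ip() and reports the ones that do not resolve within a timeout, which are exactly the lookups that would keep cf-serverd from starting. The node names and UUIDs in the embedded sample are constructed.

```python
"""Pre-flight check (not part of Rudder): list the hostnames cf-serverd would have
to resolve via host2ip() at startup and flag those that cannot be resolved."""
import re
import socket
import threading
from typing import Callable, Dict, List, Optional

# Matches host2ip("...") as it appears in the maproot/admit rules quoted in the report.
HOST2IP_RE = re.compile(r'host2ip\("([^"]+)"\)')

# Constructed sample in the shape of the generated rules (UUIDs and names are made up).
SAMPLE_CF = '''
any::
  "/var/rudder/share/1111-aaaa"
    maproot => { host2ip("node1.example.org"), escape("node1.example.org") };
    admit   => { host2ip("node1.example.org"), escape("node1.example.org") };
  "/var/rudder/share/2222-bbbb"
    maproot => { host2ip("node2.example.org"), escape("node2.example.org") };
    admit   => { host2ip("node2.example.org"), escape("node2.example.org") };
'''

def hostnames_needing_lookup(policy_text: str) -> List[str]:
    """Distinct hostnames passed to host2ip(), in order of first appearance."""
    seen: Dict[str, None] = {}
    for name in HOST2IP_RE.findall(policy_text):
        seen.setdefault(name, None)
    return list(seen)

def default_resolver(name: str, timeout: float = 2.0) -> Optional[str]:
    """gethostbyname() bounded by a thread join: None means unresolvable or too slow."""
    found: List[str] = []
    def work() -> None:
        try:
            found.append(socket.gethostbyname(name))
        except OSError:
            pass
    worker = threading.Thread(target=work, daemon=True)
    worker.start()
    worker.join(timeout)
    return found[0] if found else None

def check_policy(policy_text: str,
                 resolver: Callable[[str], Optional[str]] = default_resolver) -> Dict[str, Optional[str]]:
    """Map each hostname to its address, or None when the lookup fails or times out."""
    return {name: resolver(name) for name in hostnames_needing_lookup(policy_text)}

def unresolvable(report: Dict[str, Optional[str]]) -> List[str]:
    """Hostnames whose failed lookup would block cf-serverd startup."""
    return [name for name, ip in report.items() if ip is None]
```

Run check_policy() on the text of the real cf-serverd.cf before restarting the server; a non-empty unresolvable() list means the restart would hang or fail on those names.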
- Project changed from 24 to Rudder
- Category set to System techniques
- Assignee set to Nicolas CHARLES
I believe Nicolas could be the best to talk about that.
It might be, but would it work on NATed system, where the IP address known by the node is not the one seen by the server?
The issue with using only the published IP is that it will fail on NAT systems.
However, while trying to find a solution for NAT systems, I realized we could simply rely on the hostname (and no host2ip), as long as we add, on the client side:
body agent control
{
  skipidentify => "true";
}
What it does is tell it not to trust the name resolution, and to only trust the hostname:
https://cfengine.com/archive/manuals/cf3-Reference#skipidentify-in-agent
It still allows for proper ACLs based on hostname (host1 won't be able to access resources shared only to host2), and completely removes the need for host2ip.
- Status changed from New to In progress
- Target version set to 2.10.0~beta1
- Status changed from In progress to Pending technical review
- Assignee changed from Nicolas CHARLES to Jonathan CLARKE
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset policy-templates:commit:e1f24ddb642344abe0d04da599ff01d98cea1b7b.
Applied in changeset policy-templates:commit:d1333e2fbe07559383f4bef85062ea5a7eda9afc.
- Tracker changed from Bug to User story
- Subject changed from cf-served look up reverse DNS for ALL nodes at startup to At cf-serverd startup, use each node ip instead of resolving their hostname by reverse look up
- Tracker changed from User story to Bug
- Subject changed from At cf-serverd startup, use each node ip instead of resolving their hostname by reverse look up to cf-serverd looks up reverse DNS for ALL nodes at startup
- Subject changed from cf-serverd looks up reverse DNS for ALL nodes at startup to cf-serverd looks up reverse DNS for ALL nodes at start up
- Category changed from System techniques to Performance and scalability
- Status changed from Pending release to Released