
Bug #10605

Updated by Janos Mattyasovszky over 7 years ago

Use case:

 Share locally generated ssh hostkeys from all Nodes to the Root server. 

 Error: 

 The Root server tries to retrieve the files via cf-agent and does not access them directly on the FS (since it is its own policy server), and it appears to not trust itself, because it does not have @localhost.pub@ named in the @root-MD5=${HASH}.pub@ format: 

 <pre> 
 rudder    verbose: P: BEGIN promise 'promise_sharedfile_from_node_cf_50' of type "files" (pass 1) 
 rudder    verbose: P:      Promiser/affected object: '/var/rudder/configuration-repository/sha' 
 rudder    verbose: P:      From parameterized bundle: sharedfile_from_node( {"752da888-c98b-46a9-81b5-0be9ce22322a","service_hostkey_rsa","/var/rudder/configurati 
 on-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub"}) 
 rudder    verbose: P:      Base context class: any 
 rudder    verbose: P:      Stack path: /default/rudder_directives/methods/'Process SSH Keys/Process_Service_SSH_keys'/default/Process_Service_SSH_keys/methods/'me 
 thod_call'/default/sharedfile_from_node/files/'/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey 
 _rsa.pub'[1] 
 rudder    verbose: File '/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub' copy_from '/var/rudder/shared-files/root/files/752da888-c98b-46a9-81b5-0be9ce22322a/service_hostkey_rsa' 
 rudder    verbose: FindIdle: no existing connection to '127.0.0.1' is established. 
 rudder    verbose: Connecting to host 127.0.0.1, port 5309 as address 127.0.0.1 
 rudder    verbose: Waiting to connect... 
 rudder    verbose: Setting socket timeout to 30 seconds. 
 rudder    verbose: Connected to host 127.0.0.1 address 127.0.0.1 port 5309 (socket descriptor 4) 
 rudder    verbose: TLS version negotiated:    TLSv1.2; Cipher: AES256-GCM-SHA384,TLSv1/SSLv3 
 rudder    verbose: TLS session established, checking trust... 
 rudder    verbose: Did not find new key format '/var/rudder/cfengine-community/ppkeys/root-MD5=16340f76b8daa8d895e9633742ca7f50.pub' 
 rudder    verbose: Trying old style '/var/rudder/cfengine-community/ppkeys/root-127.0.0.1.pub' 
 rudder    verbose: Received key 'MD5=16340f76b8daa8d895e9633742ca7f50' not found in ppkeys 
    error: TRUST FAILED, server presented untrusted key: MD5=16340f76b8daa8d895e9633742ca7f50 
 rudder    verbose: Connection to 127.0.0.1 is closed 
 rudder       info: Unable to establish connection to '127.0.0.1' 
    error: No suitable server found 
 rudder    verbose: C:      + promise outcome class 'repair_failed_sharedfile_from_node_service_hostkey_rsa' 
 rudder    verbose: C:      + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_failed' 
 rudder    verbose: C:      + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_ok' 
 rudder    verbose: C:      + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_error' 
 rudder    verbose: C:      + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_kept' 
 rudder    verbose: C:      + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_repaired' 
 rudder    verbose: C:      + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_reached' 
 rudder       info: Promise belongs to bundle 'sharedfile_from_node' in file '/var/rudder/ncf/common/30_generic_methods/sharedfile_from_node.cf' near line 50 
 rudder    verbose: A: Promise NOT KEPT! 
 </pre> 

 I can confirm that symlinking @localhost.pub@ to the missing by-MD5 name does solve the issue: 
 <pre> 
 -rw------- 1 root root 1743 Apr    5 16:28 localhost.priv 
 -rw------- 1 root root    426 Apr    5 16:28 localhost.pub 
 lrwxrwxrwx 1 root root     13 Apr 18 12:09 root-MD5=16340f76b8daa8d895e9633742ca7f50.pub -> localhost.pub 
 </pre> 

 Agent run now shows repaired: 
 <pre> 
 E| repaired        Process_Service_SSH_keys    Sharedfile from node        service_hostkey_e| Retrieving service_hostkey_ed25519 from 752da888-c98b-46a9-81b5-0be9ce22322a into /var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_ed25519.pub was repaired 
 E| repaired        Process_Service_SSH_keys    Sharedfile from node        service_hostkey_r| Retrieving service_hostkey_rsa from 752da888-c98b-46a9-81b5-0be9ce22322a into /var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub was repaired 
 </pre> 
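The trust failure in the verbose log above can be recognised mechanically, and the symlink workaround only makes sense for the case shown here: the root server connecting to its own cf-serverd on 127.0.0.1. The following is an added example, not code from the Rudder/ncf project or from the report; it assumes the cf-agent log line formats quoted above ("Connecting to host", "Did not find new key format", "TRUST FAILED") and the @root-MD5=<hash>.pub@ naming scheme, and the LOOPBACK set is our own assumption about which addresses mean "the server talking to itself".

```python
"""Detect cf-agent server-key trust failures in a verbose run log.

Added example; not code from the Rudder/ncf project or the bug reporter.
Assumes the log formats quoted in the report and the ppkeys naming scheme
root-MD5=<hash>.pub. LOOPBACK is an assumption: which addresses mean the
root server is connecting to its own cf-serverd.
"""
import os
import re
import tempfile
from dataclasses import dataclass

CONNECT_RE = re.compile(r"Connecting to host (\S+), port (\d+) as address (\S+)")
NEWKEY_RE = re.compile(r"Did not find new key format '([^']+)'")
TRUST_RE = re.compile(r"TRUST FAILED, server presented untrusted key: (MD5=[0-9a-f]{32})")

# Assumption: a connection to one of these is the server contacting itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass
class TrustFailure:
    host: str
    port: int
    digest: str            # e.g. "MD5=16340f76..."
    expected_path: str     # the root-MD5=<hash>.pub file cf-agent looked for

    def is_self_connection(self) -> bool:
        return self.host in LOOPBACK

    def expected_filename(self) -> str:
        return os.path.basename(self.expected_path)


def parse_trust_failures(lines):
    """Walk the log once; pair each TRUST FAILED line with the most recent
    connection attempt and the key path cf-agent reported as missing."""
    failures, host, port, expected = [], None, None, None
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            host, port, expected = m.group(1), int(m.group(2)), None
            continue
        m = NEWKEY_RE.search(line)
        if m:
            expected = m.group(1)
            continue
        m = TRUST_RE.search(line)
        if m and host is not None:
            failures.append(TrustFailure(host, port, m.group(1), expected))
    return failures


def suggested_action(f: TrustFailure) -> str:
    """The symlink workaround from the report only applies when the agent is
    connecting to itself: the 'untrusted' key is then its own localhost.pub.
    For any other host the presented fingerprint must be verified out of band;
    creating the file blindly would silently accept an unknown server key."""
    if f.is_self_connection():
        return f"self-connection: ln -s localhost.pub {f.expected_path}"
    return f"remote host {f.host}: verify {f.digest} out of band before trusting it"


def workaround_present(f: TrustFailure, ppkeys_dir: str) -> bool:
    """True when <ppkeys_dir>/root-MD5=<hash>.pub resolves to an existing file
    (a dangling symlink counts as absent, since os.path.exists follows links)."""
    return os.path.exists(os.path.join(ppkeys_dir, f.expected_filename()))


def simulate_workaround(f: TrustFailure):
    """Reproduce the reporter's fix in a scratch ppkeys directory and return
    (before, after) presence of the digest-named key file."""
    with tempfile.TemporaryDirectory() as ppkeys:
        with open(os.path.join(ppkeys, "localhost.pub"), "w") as fh:
            fh.write("constructed placeholder public key\n")
        before = workaround_present(f, ppkeys)
        os.symlink("localhost.pub", os.path.join(ppkeys, f.expected_filename()))
        after = workaround_present(f, ppkeys)
    return before, after


# Excerpt of the verbose log quoted in the report.
REPORT_LOG = [
    "rudder    verbose: Connecting to host 127.0.0.1, port 5309 as address 127.0.0.1",
    "rudder    verbose: TLS session established, checking trust...",
    "rudder    verbose: Did not find new key format '/var/rudder/cfengine-community/ppkeys/root-MD5=16340f76b8daa8d895e9633742ca7f50.pub'",
    "rudder    verbose: Trying old style '/var/rudder/cfengine-community/ppkeys/root-127.0.0.1.pub'",
    "rudder    verbose: Received key 'MD5=16340f76b8daa8d895e9633742ca7f50' not found in ppkeys",
    "   error: TRUST FAILED, server presented untrusted key: MD5=16340f76b8daa8d895e9633742ca7f50",
    "rudder    verbose: Connection to 127.0.0.1 is closed",
]

# Constructed sample: the same failure against a remote node (RFC 5737 test
# address, made-up digest), where the symlink workaround must NOT be applied.
REMOTE_LOG = [
    "rudder    verbose: Connecting to host 192.0.2.10, port 5309 as address 192.0.2.10",
    "rudder    verbose: Did not find new key format '/var/rudder/cfengine-community/ppkeys/root-MD5=0123456789abcdef0123456789abcdef.pub'",
    "   error: TRUST FAILED, server presented untrusted key: MD5=0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for f in parse_trust_failures(REPORT_LOG) + parse_trust_failures(REMOTE_LOG):
        print(f.host, f.digest, "->", suggested_action(f))
```

Before creating the link on a real server, confirm that the digest in the log really is the local key: `cf-key -p /var/rudder/cfengine-community/ppkeys/localhost.pub` prints the digest of that key file, and it must equal the `MD5=...` value the agent reported as untrusted. If it does not, the key the agent saw came from something other than the local cf-serverd and should not be trusted by creating the file.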
