Bug #10605
Updated by Janos Mattyasovszky over 7 years ago
Use case: Share locally generated SSH host keys from all nodes to the root server.

Error: The root server tries to retrieve the files via cf-agent, and does not directly access them on the FS (since it's its own policy server), and it appears to not trust itself, because it does not have @localhost.pub@ named in the @root-MD5=${HASH}.pub@ format:

<pre>
rudder verbose: P: BEGIN promise 'promise_sharedfile_from_node_cf_50' of type "files" (pass 1)
rudder verbose: P: Promiser/affected object: '/var/rudder/configuration-repository/sha'
rudder verbose: P: From parameterized bundle: sharedfile_from_node( {"752da888-c98b-46a9-81b5-0be9ce22322a","service_hostkey_rsa","/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub"})
rudder verbose: P: Base context class: any
rudder verbose: P: Stack path: /default/rudder_directives/methods/'Process SSH Keys/Process_Service_SSH_keys'/default/Process_Service_SSH_keys/methods/'method_call'/default/sharedfile_from_node/files/'/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub'[1]
rudder verbose: File '/var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub' copy_from '/var/rudder/shared-files/root/files/752da888-c98b-46a9-81b5-0be9ce22322a/service_hostkey_rsa'
rudder verbose: FindIdle: no existing connection to '127.0.0.1' is established.
rudder verbose: Connecting to host 127.0.0.1, port 5309 as address 127.0.0.1
rudder verbose: Waiting to connect...
rudder verbose: Setting socket timeout to 30 seconds.
rudder verbose: Connected to host 127.0.0.1 address 127.0.0.1 port 5309 (socket descriptor 4)
rudder verbose: TLS version negotiated: TLSv1.2; Cipher: AES256-GCM-SHA384,TLSv1/SSLv3
rudder verbose: TLS session established, checking trust...
rudder verbose: Did not find new key format '/var/rudder/cfengine-community/ppkeys/root-MD5=16340f76b8daa8d895e9633742ca7f50.pub'
rudder verbose: Trying old style '/var/rudder/cfengine-community/ppkeys/root-127.0.0.1.pub'
rudder verbose: Received key 'MD5=16340f76b8daa8d895e9633742ca7f50' not found in ppkeys
error: TRUST FAILED, server presented untrusted key: MD5=16340f76b8daa8d895e9633742ca7f50
rudder verbose: Connection to 127.0.0.1 is closed
rudder info: Unable to establish connection to '127.0.0.1'
error: No suitable server found
rudder verbose: C: + promise outcome class 'repair_failed_sharedfile_from_node_service_hostkey_rsa'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_failed'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_ok'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_error'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_kept'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_not_repaired'
rudder verbose: C: + promise outcome class 'sharedfile_from_node_service_hostkey_rsa_reached'
rudder info: Promise belongs to bundle 'sharedfile_from_node' in file '/var/rudder/ncf/common/30_generic_methods/sharedfile_from_node.cf' near line 50
rudder verbose: A: Promise NOT KEPT!
</pre>

I can confirm that symlinking @localhost.pub@ to the missing by-MD5 name does solve the issue:

<pre>
-rw------- 1 root root 1743 Apr  5 16:28 localhost.priv
-rw------- 1 root root  426 Apr  5 16:28 localhost.pub
lrwxrwxrwx 1 root root   13 Apr 18 12:09 root-MD5=16340f76b8daa8d895e9633742ca7f50.pub -> localhost.pub
</pre>

The agent run now shows repaired:

<pre>
E| repaired    Process_Service_SSH_keys  Sharedfile from node service_hostkey_e| Retrieving service_hostkey_ed25519 from 752da888-c98b-46a9-81b5-0be9ce22322a into /var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_ed25519.pub was repaired
E| repaired    Process_Service_SSH_keys  Sharedfile from node service_hostkey_r| Retrieving service_hostkey_rsa from 752da888-c98b-46a9-81b5-0be9ce22322a into /var/rudder/configuration-repository/shared-files/hostkeys/752da888-c98b-46a9-81b5-0be9ce22322a.service_hostkey_rsa.pub was repaired
</pre>
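As an added check (not part of the bug report, and not Rudder's or CFEngine's own code), the following POSIX shell script pulls the key id out of the agent's TRUST FAILED line, tells you whether the ppkeys directory holds the @root-MD5=<hash>.pub@ entry cf-agent looks for with the same content as @localhost.pub@, and can create the symlink used as a workaround above. The ppkeys path is the one from the log; the sample log lines are constructed from it.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Rudder/CFEngine.
# Checks whether a Rudder root server trusts its own CFEngine key under the
# name cf-agent looks up when the policy server is 127.0.0.1, using the key
# id printed in the agent's verbose output.

# Directory from the report; override with PPKEYS_DIR=... for testing.
PPKEYS_DIR="${PPKEYS_DIR:-/var/rudder/cfengine-community/ppkeys}"

# Read agent output on stdin, print the MD5 key id from the first
# "TRUST FAILED" line (prints nothing if no such line is present).
untrusted_key_id() {
    sed -n 's/.*TRUST FAILED, server presented untrusted key: MD5=\([0-9a-f]*\).*/\1/p' | head -n 1
}

# Print the "new key format" filename cf-agent tried for key id $1.
expected_key_file() {
    printf '%s/root-MD5=%s.pub\n' "$PPKEYS_DIR" "$1"
}

# Succeed only if that file exists and holds the same key as localhost.pub,
# i.e. the server's own key is trusted under the name the agent looks for.
self_trust_ok() {
    f="$(expected_key_file "$1")"
    [ -f "$f" ] && cmp -s "$f" "$PPKEYS_DIR/localhost.pub"
}

# The workaround from the report: make the expected name point at localhost.pub.
link_self_key() {
    ln -s localhost.pub "$(expected_key_file "$1")"
}

# Constructed sample of the relevant lines from the report's verbose run.
SAMPLE_LOG='rudder verbose: TLS session established, checking trust...
rudder verbose: Received key '\''MD5=16340f76b8daa8d895e9633742ca7f50'\'' not found in ppkeys
error: TRUST FAILED, server presented untrusted key: MD5=16340f76b8daa8d895e9633742ca7f50'

# Usage: report the state for the key id found in the sample log.
key_id="$(printf '%s\n' "$SAMPLE_LOG" | untrusted_key_id)"
if [ -n "$key_id" ]; then
    if self_trust_ok "$key_id"; then
        echo "ok: $(expected_key_file "$key_id") matches localhost.pub"
    else
        echo "missing or mismatched: $(expected_key_file "$key_id")"
    fi
fi
```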