help-cfengine

Re: where is the best moment to populate the keys


From: Brian Youngstrom
Subject: Re: where is the best moment to populate the keys
Date: Thu, 30 May 2002 10:15:52 -0700

Buddy,

I'm still experimenting with cfengine v2.0.x, but I have come up with
something that may work for you.  

I distribute cfengine via rpm (we're a Red Hat shop).  As part of the
install, I create a file 'bootstrap' that contains:

control:
        actionsequence = ( resolve netconfig copy )
        sysadm         = ( my@email.addr )

resolve:
        1.2.3.4
        1.2.3.5

defaultroute:
        1_2_3::
                1.2.3.100
        1_2_4::
                1.2.4.100

copy:
        /master/cf/
                dest=/var/cfengine/inputs/
                trustkey=true     # accept the server's key on this first contact only
                server=cfmaster
                recurse=1
                owner=root
                group=wheel
                mode=400
                backup=false
                purge=true        # removes this bootstrap file once the real inputs arrive
                inform=false

I call this script during rpm install (in the %post) as 'cfagent -f
bootstrap' (after calling cfkey).  This contacts the master server,
trusting the key this time only.  The server stores the new host key,
the client stores the server key and copies the most recent cfengine
scripts, purging the bootstrap file.

I have each potential client listed in the cfenvd.conf TrustKeysFrom
directive.

One of my scripts is cf.update.  This file is:

control:
        actionsequence = ( copy )
        access         = ( root )
        sysadm         = ( my@email.addr )

copy:
        /master/cf/
                dest=/var/cfengine/inputs
                server=cfmaster   # no trustkey: the key stored at bootstrap must match
                recurse=1
                owner=root
                group=wheel
                mode=400
                type=mtime
                backup=false
                purge=true
                inform=false

Very similar to bootstrap, but does not trust the server key.  I call
this file by 'cfagent -f cf.update' before calling 'cfagent' to run the
body of my scripts.  I have had problems with update.conf when there is
a syntax error in some other file.  Seems that cfengine parses
update.conf and all other files before executing update.conf (at least
with v2.0.1).

So far, this scheme has worked well for me.  Seems to avoid the implicit
trust while still providing the strong authentication that is desired.

-Brian

On Wed, May 29, 2002 at 06:23:22PM -0600, Lumpkin, Buddy wrote:
> Mark,
> 
> How do you have cfengine generate and replicate keys? What would be a good
> (sane) practice that gets rid of the more manual burden of generating the
> keys manually?
> 
> I am about to set up our jumpstart server so that it copies over the cfengine
> binaries and a startup script under /etc/rc2.d. I would like it to do
> everything necessary to get keys in place and be properly bootstrapped and
> ready to run from then on.
> 
> My update.conf file makes sure that there is an entry in crontab that will
> run cfexecd so I'm covered there ...
> 
> --Buddy
> 

-- 
Brian Youngstrom
byoung@cs.washington.edu
University of Washington
Department of Computer Science & Engineering
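The bootstrap-then-update sequence Brian describes, as an added shell example that is not from the thread and not cfengine's own code: a hypothetical rpm %post helper that decides, from what is already in the ppkeys directory, whether the host still needs cfkey, the one-time key-trusting 'cfagent -f bootstrap' run, or the non-trusting 'cfagent -f cf.update' run. It assumes cfengine 2's key layout (localhost.priv/localhost.pub and one root-<ip>.pub per known peer under /var/cfengine/ppkeys) and uses a constructed placeholder address for cfmaster; the cfagent invocations are gated behind CF_POST_RUN=1 so the decision logic runs on a machine without cfengine installed.

```shell
#!/bin/sh
# Added example: a hypothetical rpm %post helper, not from the thread.
# Assumes cfengine 2's layout: keys in $WORKDIR/ppkeys (localhost.priv,
# localhost.pub, and one root-<ip>.pub per known peer), inputs in
# $WORKDIR/inputs. MASTER_IP is a constructed placeholder for cfmaster.

WORKDIR="${CF_WORKDIR:-/var/cfengine}"
MASTER_IP="${CF_MASTER_IP:-1.2.3.10}"

# Returns 0 if this host already has its own key pair (cfkey has been run).
local_key_present() {
    [ -f "$1/ppkeys/localhost.priv" ] && [ -f "$1/ppkeys/localhost.pub" ]
}

# Returns 0 if the master's public key is already stored locally.
server_key_present() {
    [ -f "$1/ppkeys/root-$2.pub" ]
}

# Print the next step for this host: keygen, bootstrap or update.
# The key-trusting bootstrap run is chosen only while no master key is
# stored, so a later run can never silently replace a known server key
# with whatever host answers as cfmaster.
choose_action() {
    if ! local_key_present "$1"; then
        echo keygen
    elif server_key_present "$1" "$2"; then
        echo update
    else
        echo bootstrap
    fi
}

# Run the chosen step. Only reached when CF_POST_RUN=1, so the decision
# logic above can be exercised without cfengine on the machine.
run_step() {
    case "$1" in
        keygen)    cfkey && cfagent -f bootstrap ;;   # make our key, then trust once
        bootstrap) cfagent -f bootstrap ;;            # trust the server key once
        update)    cfagent -f cf.update ;;            # stored key must match
    esac
}

if [ "${CF_POST_RUN:-0}" = 1 ]; then
    run_step "$(choose_action "$WORKDIR" "$MASTER_IP")"
fi
```

Pointing CF_WORKDIR at a scratch directory and calling choose_action by hand shows the three states in order: no local key, local key but no master key, both keys present. Only the middle state ever gets the trustkey=true run.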


