A couple more questions...
From: Tracy R Reed
Subject: A couple more questions...
Date: Wed, 13 Nov 2002 13:14:29 -0800
User-agent: Mutt/1.2.5i
Thanks to those who helped me with my last query. The problem with
authenticating was mainly due to the fact that our architecture involves a
lot of NAT, so machines did not appear to cfservd to be coming from the IP
they claimed they were coming from. I had to add nearly all of our
netblocks to SkipVerify. Not good for security, I know. But it seems to be
the only way out. I also found a lot of machines which had been
reinstalled and thus had the public key changed, so I had to delete that
from the cache on cfservd, not to mention a wide variety of client
misconfigurations.

So now that I think I have all of the clients configured correctly, I am
running into what might be performance issues. Sometimes the clients take
a long time to get authenticated. cfagent is started every 5 minutes from
cron on the client machines. Is this too often? The server is coughing up
a lot of:

Nov 13 01:02:32 cfmaster cfmaster.mydomain.com[9423]: Denying repeated connection from 1.2.3.4
Nov 13 01:06:23 cfmaster cfmaster.mydomain.com[25083]: Host authorization/authentication failed or access denied

And occasionally I get this:

Nov 13 06:09:11 cfmaster cfservd[17286]: Server seems to be paralyzed. DOS attack? Committing apoptosis...

When the clients take a long time authenticating I think other cfagent
processes are getting started (every 5 minutes) and they produce these
errors:

cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was incorrect!
cfengine:cfclient: Authentication dialogue with cfmaster failed
cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was incorrect!
cfengine:cfclient: Authentication dialogue with cfmaster failed
cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was incorrect!
cfengine:cfclient: Authentication dialogue with cfmaster failed
cfengine:cfclient: Received signal 13 (SIGPIPE) while doing [lock.cfagent_conf.cfclient.tidy._var_cfengine_inputs]
cfengine:cfclient: Logical start time Tue Nov 12 21:38:10 2002
cfengine:cfclient: This sub-task started really at Tue Nov 12 21:38:10 2002
cfengine:cfclient: Received signal 13 (SIGPIPE) while doing [lock.cfagent_conf.cfclient.tidy._var_cfengine_inputs]
cfengine:cfclient: Logical start time Tue Nov 12 21:38:10 2002
cfengine:cfclient: This sub-task started really at Tue Nov 12 21:38:10 2002
cfengine:cfclient: Received signal 13 (SIGPIPE) while doing [lock.cfagent_conf.cfclient.tidy._var_cfengine_inputs]
cfengine:cfclient: Logical start time Tue Nov 12 21:38:10 2002
cfengine:cfclient: This sub-task started really at Tue Nov 12 21:38:10 2002
cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was incorrect!
cfengine:cfclient: Authentication dialogue with cfmaster failed

Once I was debugging cfservd and ctrl-z'd it to look at some output and
forgot to resume and a whole lot of machines ended up with a bunch of
cfagent processes running on them. Shouldn't it do some sort of locking
and not try to run if a cfagent is already running?

Today I have received 5146 emails from 903 hosts that are having this
problem. Suggestions?

--
Tracy Reed http://www.ultraviolet.org
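
One way to keep cron-started runs from stacking up on a client while an earlier run is still waiting on the server, and to spread a fleet's connections across the cron interval. This is an added example, not part of the original post and not cfengine's own locking; `LOCKDIR`, `splay_seconds` and `run_once` are hypothetical names, and it assumes the lock's parent directory is writable only by the account that runs the agent.

```shell
#!/bin/sh
# Added example, not cfengine code. LOCKDIR, splay_seconds and run_once are
# hypothetical names; the command to guard is passed as arguments.
# Assumption: LOCKDIR's parent is writable only by the account that runs the
# agent, so another local user cannot pre-create the lock and block runs.
LOCKDIR="${LOCKDIR:-/var/run/agent-run.lock}"

# Per-host delay in [0, max) derived from the host name, so hosts sharing one
# cron schedule do not all open connections in the same second.
splay_seconds() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $((sum % $2))
}

# Run "$@" unless an earlier run still holds the lock.
# Returns 75 (EX_TEMPFAIL) when skipped, otherwise the command's exit status.
run_once() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        holder=$(cat "$LOCKDIR/pid" 2>/dev/null)
        # No pid recorded yet, or the holder is alive: skip this run.
        if [ -z "$holder" ] || kill -0 "$holder" 2>/dev/null; then
            return 75
        fi
        # Holder is gone (killed or crashed): take over the stale lock.
        rm -rf "$LOCKDIR"
        mkdir "$LOCKDIR" 2>/dev/null || return 75
    fi
    echo "$$" > "$LOCKDIR/pid"
    "$@"
    status=$?
    rm -rf "$LOCKDIR"
    return "$status"
}

# Invoked from cron with the agent command as arguments.
if [ "$#" -gt 0 ]; then
    sleep "$(splay_seconds "$(uname -n)" 60)"
    run_once "$@"
    exit $?
fi
```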