[rudder-dev] Having correct FQDN in (first) inventory
Francois Armand
francois.armand at normation.com
Thu Apr 7 15:33:25 CEST 2016
On 07/04/2016 15:08, Vincent Membré wrote:
> On 31/03/2016 12:37, Francois Armand wrote:
>> Hello,
>>
>> So, here goes for a summary of
>> http://www.rudder-project.org/redmine/issues/8022, "Node's
>> FQDN-Resolution is sometimes invalid" and related tickets.
>> The problem covers several sub-cases, which need to be addressed
>> systematically to achieve some result.
>> They are:
>>
>> * 1/ the node FQDN is used for identifying a node, and then manage
>> authentication and authorization to access its promises. If
>> Rudder server, CFEngine promise server, and the node don't agree
>> on it, the node can't get its promises. This is a hard problem
>> because:
>> o FQDN is fragile. It needs a perfectly up to date and shared
>> DNS environment. But "it's always a DNS problem", which gives
>> an idea.
>> o FQDN tools are notoriously broken, and don't always agree
>> about what is the FQDN of a host
>> o even in a perfectly working and up-to-date DNS env, there may
>> be a voluntary decision not to have the same FQDN from the
>> host and the server, as explained in #8022 ticket.
>> * 2/ if the node FQDN is not correct in the first sent inventory,
>> the node configuration is delayed by one day, because from the
>> node point of view, the inventory was correctly sent and so the
>> standard frequency for sending inventories is applied.
>>
>>
>> The long-term solution for 1/ is to use something other than FQDN to
>> identify the node - we have for example a UUID for that. The problem
>> here is that it is a hard limitation of the protocol used by
>> cf-serverd. So to use another identification scheme (and why not our
>> own authentication/authorization), we need to either patch cf-serverd
>> or use a different client-server protocol for promises transfer. Both
>> solutions are open, but are out of scope.
>>
>> Meanwhile, we can address at best 1/ and 2/
>>
>> *For 1/,* we need to prevent, as much as we can, giving a bad FQDN and,
>> in all cases, give the user a possibility to hook what he knows should
>> be the correct value.
>> - *Prevent more bad FQDN:*
>> => update perl version:
>> http://www.rudder-project.org/redmine/issues/8123
>> I didn't find anything else on that subject, compared to what we are
>> doing now.
>>
>> - *Let the user hook the correct value:*
>> => http://www.rudder-project.org/redmine/issues/8022#note-20
>> Here, we still need to specify the path convention for command and
>> file to look for the correct FQDN.
> I have some remarks/questions here:
>
> * If I understand correctly the process will be: Inventory is run on
> the Node, then inventory is modified to add data from commands / file
> ? or will this be used when running fusionInventory ?
The idea is to patch fusion inventory plugin for Rudder to use that logic.
>
> * In which entry will they be stored ? RUDDER/HOSTNAME? another one
Yes, RUDDER/HOSTNAME
>
> * Do we want to define Hostname only ? Would it not be better if the
> solution was much more adaptable and can modify any entry from the
> inventory ?
It's another ticket, #4670, linked in #8022. HOSTNAME (FQDN, really) is
different from the general use case (at least adding information into
inventory) because of the special importance of FQDN in CFEngine
server/agent identification protocol. So it is kind of ok to see #8022
as a bug in the existing versions, and #4670 (or an extension of it) as
a new feature going to next versions.
>
>
> About the path, I suggest we should put them under
> /var/rudder/inventories :
>
> * If we modify only hostname (RUDDER/HOSTNAME):
> o /var/rudder/inventories/hostname-command: Command to execute
> to get the correct hostname
> o /var/rudder/inventories/hostname-file: File containing the
> path to the file containing the correct hostname
>
No specific feeling on that... Any idea, other ?
> * If we want something more general:
> o /var/rudder/inventories/commands or
> /var/rudder/inventories/hooks.d : to put all commands/hooks
> o /var/rudder/inventories/mapping: a file mapping a Key in
> inventory to an action to do, ie:
> + RUDDER/HOSTNAME => get_fqdn.sh # Will run get_fqdn.sh
> (from hooks directory!) and put output into the correct tag
> + OPERATINGSYSTEM/OSVERSION => /some/path/to/file # Will
> read that file to fill the tag
>
> I hope I'm not going too far from the original idea ...
Let's add that in #4670 :)
Thanks,
>
>
>>
>> *For 2/,* we need to prevent the sending of inventory that will be
>> rejected by the server for sure.
>> => http://www.rudder-project.org/redmine/issues/8127
>>
>> Hope it helps sum up the whole solution.
>>
>> Cheers,
>>
>> --
>> ------------------------------------------------------------------------
>> *François ARMAND*
>> /Co-founder & CTO/
>> Normation <http://www.normation.com>
>> ------------------------------------------------------------------------
>> *87 rue de Turbigo, 75003 Paris, France*
>> Telephone: +33 (0)1 83 62 99 23
>> Mobile: +33 (0)6 63 37 60 55
>> ------------------------------------------------------------------------
>>
>>
>>
>> _______________________________________________
>> rudder-dev mailing list
>> rudder-dev at lists.rudder-project.org
>> http://www.rudder-project.org/mailman/listinfo/rudder-dev
>
>
> --
> ------------------------------------------------------------------------
> *Vincent Membré*
> /Developer / Release manager/
> Normation <http://www.normation.com>
> ------------------------------------------------------------------------
> *87, Rue de Turbigo, 75003 Paris, France*
> Phone: +33 (0)1 84 16 06 00
> Mobile: +33 (0)6 10 14 76 78
> ------------------------------------------------------------------------
>
>
>
--
------------------------------------------------------------------------
*François ARMAND*
/Co-founder & CTO/
Normation <http://www.normation.com>
------------------------------------------------------------------------
*87 rue de Turbigo, 75003 Paris, France*
Telephone: +33 (0)1 83 62 99 23
Mobile: +33 (0)6 63 37 60 55
------------------------------------------------------------------------
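
The override lookup discussed in this thread, as an added example that is not code from the thread or from the Rudder project: it reads the proposed `/var/rudder/inventories/hostname-command` and `hostname-file` entries and only returns a value that is a syntactically valid FQDN coming from a file other users cannot modify. Assumptions: `hostname-command` is a shell script run with `sh`, `hostname-file` holds the path of a file whose first line is the FQDN, the command takes precedence when both exist, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: hostname-command is a shell script run with sh,
# hostname-file holds the path of a file whose first line is the FQDN, and the
# command takes precedence when both exist.

# Succeeds only for a syntactically valid FQDN: at least two labels, each of
# 1-63 letters, digits or hyphens, no leading/trailing hyphen, 253 chars max.
is_valid_fqdn() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;  # bad character or empty label
        *.*) ;;                                     # has a domain part
        *) return 1 ;;                              # short name only
    esac
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        [ "${#label}" -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
}

# The agent runs as root, so an override source must be a regular file that is
# neither a symlink nor writable by group or others.
is_trusted() {
    [ -f "$1" ] && [ ! -L "$1" ] &&
        [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Prints the override FQDN found under directory $1 and returns 0; returns
# non-zero when no trusted source yields a valid FQDN (caller keeps its default
# detection, or holds the inventory back instead of sending a bad hostname).
resolve_fqdn_override() {
    dir=${1:-/var/rudder/inventories}
    value=
    if is_trusted "$dir/hostname-command"; then
        value=$(sh "$dir/hostname-command" 2>/dev/null | head -n 1)
    elif is_trusted "$dir/hostname-file"; then
        target=$(head -n 1 "$dir/hostname-file")
        is_trusted "$target" && value=$(head -n 1 "$target")
    fi
    is_valid_fqdn "$value" && printf '%s\n' "$value"
}
```

A non-zero return covers both cases raised in the thread: no override is configured, or the override would put a hostname into the inventory that the server is sure to reject.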