<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Le 13/07/2018 à 11:30, GALLET Tristan a écrit :<br>
<blockquote type="cite"
cite="mid:VI1PR0402MB35344F08785394523D27A4EEFE580@VI1PR0402MB3534.eurprd04.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hello everybody,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ve just migrated from Rudder 4.2 to
4.3.2. (not 4.3.3, Debian has not yet this version in the
repository).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Server and client are on Debian 8.11, all
updates from today.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">After upgrade, clients can not update their
policies :<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">From a client :<o:p></o:p></p>
<p class="MsoNormal"><b>rudder agent update<o:p></o:p></b></p>
<p class="MsoNormal"><b>R:
*********************************************************************************<o:p></o:p></b></p>
<p class="MsoNormal"><b>* rudder-agent could not get an updated
configuration from the policy server. *<o:p></o:p></b></p>
<p class="MsoNormal"><b>* This can be caused
by: *<o:p></o:p></b></p>
<p class="MsoNormal"><b>* * an agent key that has been
changed *<o:p></o:p></b></p>
<p class="MsoNormal"><b>* * if this node is not accepted or
deleted node on the Rudder root server *<o:p></o:p></b></p>
<p class="MsoNormal"><b>* * if this node has changed policy
server without sending a new inventory *<o:p></o:p></b></p>
<p class="MsoNormal"><b>* Any existing configuration policy will
continue to be applied without change. *<o:p></o:p></b></p>
<p class="MsoNormal"><b>*********************************************************************************<o:p></o:p></b></p>
<p class="MsoNormal"><b>ok: Rudder agent promises were updated.<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">From the serveur :<o:p></o:p></p>
<p class="MsoNormal">rudder server debug 10.X.X.X<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Logs from server :<o:p></o:p></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Setting
IDENTITY: USERNAME=root<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Received
public key compares equal to the one we have stored<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
MD5=70b5b4d90fa8c1176cd2c1a00deb9884: Client is TRUSTED,
public key MATCHES stored one.<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: STAT
/var/rudder/share/02dfe0b6-fee5-491a-96bb-95ecf27b07bb/rules/cfengine-community/rudder_promises_generated<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: STAT
/var/rudder/share/02dfe0b6-fee5-491a-96bb-95ecf27b07bb/rules/cfengine-community/rudder_promises_generated<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder info: 10.X.X.X> access
denied to STAT:
/var/rudder/share/02dfe0b6-fee5-491a-96bb-95ecf27b07bb/rules/cfengine-community/rudder_promises_generated<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> REFUSAL to
user='root' of request: SYNCH 1531473776 STAT
/var/rudder/share/02dfe0b6-fee5-491a-96bb-95ecf27b07bb/rules/cfengine-community/rudder_promises_generated<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: STAT /usr/share/ncf/tree/ncf_hash_file<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: STAT /usr/share/ncf/tree/ncf_hash_file<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: MD5 /usr/share/ncf/tree/ncf_hash_file<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: MD5 /usr/share/ncf/tree/ncf_hash_file<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: STAT
/var/rudder/configuration-repository/ncf/ncf_hash_file<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: STAT
/var/rudder/configuration-repository/ncf/ncf_hash_file<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: MD5
/var/rudder/configuration-repository/ncf/ncf_hash_file<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: MD5
/var/rudder/configuration-repository/ncf/ncf_hash_file<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: STAT /var/rudder/tools/rudder_tools_updated<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: STAT /var/rudder/tools/rudder_tools_updated<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: MD5 /var/rudder/tools/rudder_tools_updated<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: MD5 /var/rudder/tools/rudder_tools_updated<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Remote
peer terminated TLS session (SSL_read)<o:p></o:p></b></p>
<p class="MsoNormal"><b>rudder info: 10.X.X.X> Closing
connection, terminating thread<o:p></o:p></b></p>
<p class="MsoNormal"><b><o:p> </o:p></b></p>
<p class="MsoNormal">DNS is ok, server and client resolve each
other.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Is there something to do after migration ?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:FR"
lang="FR">Cordialement,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:FR"
lang="FR"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:FR"
lang="FR">Tristan</span><br>
</p>
</div>
</blockquote>
<br>
Hi Tristan,<br>
<br>
Thank you very much for the detailed explanation and debug logs, it
is very useful. I'm sorry for the delay in the answer, the mail was
caught in a moderation zone :/<br>
<br>
Normally, there shouldn't be anything to do after an upgrade, so you
are hitting a bug.<br>
We've encountered a very rare bug where inventories or keys could be
lost during an upgrade, due to cache issue - it may be related to
that. Can you do the following:<br>
<br>
<ul>
<li>On the failing node, can you run</li>
</ul>
rudder agent inventory<br>
<br>
<ul>
<li>then, on the server Rudder, run:</li>
</ul>
rudder agent inventory && rudder agent run<br>
to be sure that the Rudder server inventory is there and up to date.<br>
<br>
<ul>
<li>trigger a full policies generation, by clicking on "Status" in
the menu bar of Rudder, then "Regenerate all policies"</li>
</ul>
<br>
<ul>
<li>then, on the node, once the policy generation is finished, run</li>
</ul>
rudder agent run -u<br>
<br>
If it doesn't work, we'll have to investigate further: did you have
any error during the upgrade ? Do you have any "ERROR" in you
/var/log/rudder/webapp folder, post-upgrade ? <br>
Does the file
/var/rudder/share/02dfe0b6-fee5-491a-96bb-95ecf27b07bb/rules/cfengine-community/rudder_promises_generated
exist on the server ?<br>
<br>
Thank you,<br>
Nicolas<br>
<br>
<br>
</body>
</html>