Bug #4442

closed

cf-serverd looks up reverse DNS for ALL nodes at start up

Added by Christophe Nowicki about 10 years ago. Updated about 10 years ago.

Status: Released
Priority: N/A
Category: Performance and scalability

Description

Hi,

The /var/rudder/cfengine-community/inputs/common/1.0/cf-serverd.cf file is managed by Rudder.

Every directory in "/var/rudder/share/*UUID*" is protected like this:

any::
   # one access promise is generated per node, with UUID and HOSTNAME substituted
   "/var/rudder/share/*UUID*"
     maproot => { host2ip("HOSTNAME"), escape("HOSTNAME") },
     admit   => { host2ip("HOSTNAME"), escape("HOSTNAME") };

When the cf-serverd process starts up, it will look up the reverse DNS for HOSTNAME.

  • If you have only 10 hosts, it doesn't matter;
  • If you have 100 hosts, you are flooding the DNS server;
  • If you have 50k hosts, you are benchmarking the DNS root servers ;-)

If the DNS server is down or the HOSTNAME is wrong, the cf-serverd process will never start.

Could host2ip("HOSTNAME") be replaced by the node's IP address from the inventory, in order to avoid the DNS lookup at startup?

Best Regards,


Related issues: 2 (0 open, 2 closed)

  • Related to Rudder - Bug #4429: duplicated IP addresses across nodes are not accepted, preventing to handle NAT (Released, Nicolas CHARLES, 2014-01-31)
  • Has duplicate Rudder - Bug #3912: (Unecessary) Use of host-to-ip cause major slowdown of cf-promises on the rudder server when used with many nodes (Rejected, Nicolas CHARLES, 2013-09-06)
#1

Updated by François ARMAND about 10 years ago

  • Project changed from 24 to Rudder
  • Category set to System techniques
  • Assignee set to Nicolas CHARLES

I believe Nicolas could be the best to talk about that.

#2

Updated by Nicolas CHARLES about 10 years ago

It might be, but would it work on NATed system, where the IP address known by the node is not the one seen by the server?

#3

Updated by Nicolas CHARLES about 10 years ago

The issue with using only the published IP is that it will fail on NAT systems.

However, while trying to find a solution for NAT systems, I realized we could simply rely on the hostname (and no host2ip), as long as we add, on the client side:

body agent control
{
  # do not verify the agent's identity through name resolution; use the hostname as-is
  skipidentify => "true";
}

What it does is tell the agent not to trust name resolution, and only to trust the hostname:
https://cfengine.com/archive/manuals/cf3-Reference#skipidentify-in-agent

It still allows for proper ACLs based on hostname (host1 won't be able to access resources shared only to host2), and completely removes the need for host2ip.
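As an added example (not code from this ticket or from Rudder), a small Python audit of a generated cf-serverd.cf: it reports which shares still pass a hostname through host2ip(), i.e. which names cf-serverd must resolve before it can finish starting (the problem in the description), versus shares that admit by escaped hostname only, as this comment proposes. The policy excerpt, share paths and hostnames are constructed sample data.

```python
import re

# Constructed excerpt of a generated cf-serverd.cf (sample data, not the real file):
# the first two shares use host2ip() and cost one DNS lookup each at startup; the
# third is written hostname-only, which is the scheme that relies on the agent
# setting skipidentify => "true".
SAMPLE_POLICY = '''
bundle server access_rules
{
  access:
    any::
      "/var/rudder/share/aaaa-1111"
        maproot => { host2ip("node1.example.org"), escape("node1.example.org") },
        admit   => { host2ip("node1.example.org"), escape("node1.example.org") };

      "/var/rudder/share/bbbb-2222"
        maproot => { host2ip("node2.example.org"), escape("node2.example.org") },
        admit   => { host2ip("node2.example.org"), escape("node2.example.org") };

      "/var/rudder/share/cccc-3333"
        maproot => { escape("node3.example.org") },
        admit   => { escape("node3.example.org") };
}
'''

# One access promise: the quoted share path, then its attributes up to the closing ';'.
PROMISE_RE = re.compile(r'"(?P<path>/var/rudder/share/[^"]+)"(?P<attrs>.*?);', re.DOTALL)
HOST2IP_RE = re.compile(r'host2ip\("([^"]+)"\)')
ESCAPE_RE = re.compile(r'escape\("([^"]+)"\)')


def audit_access_promises(policy):
    """Split shares into those whose ACL needs DNS at startup and those admitted by name only."""
    needs_dns = {}      # share path -> hostnames passed to host2ip()
    hostname_only = {}  # share path -> hostnames admitted through escape() alone
    for m in PROMISE_RE.finditer(policy):
        attrs = m.group("attrs")
        via_host2ip = sorted(set(HOST2IP_RE.findall(attrs)))
        if via_host2ip:
            needs_dns[m.group("path")] = via_host2ip
        else:
            hostname_only[m.group("path")] = sorted(set(ESCAPE_RE.findall(attrs)))
    return needs_dns, hostname_only


def startup_lookups(policy):
    """Distinct hostnames cf-serverd must resolve before the policy finishes loading."""
    needs_dns, _ = audit_access_promises(policy)
    return sorted({host for hosts in needs_dns.values() for host in hosts})
```

Running startup_lookups() over a real cf-serverd.cf gives the number of lookups a restart will issue, and therefore how many hostnames can block startup if they fail to resolve.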

#4

Updated by Nicolas CHARLES about 10 years ago

  • Status changed from New to In progress
  • Target version set to 2.10.0~beta1

#5

Updated by Nicolas CHARLES about 10 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE

PR is there:
https://github.com/Normation/rudder-techniques/pull/303

What it does is that if skip identify is defined (a configuration parameter on the web interface), then it does not use host2ip.
The client side was already handled (except for initial promises).

#6

Updated by Nicolas CHARLES about 10 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100

Applied in changeset policy-templates:commit:e1f24ddb642344abe0d04da599ff01d98cea1b7b.

#7

Updated by Jonathan CLARKE about 10 years ago

Applied in changeset policy-templates:commit:d1333e2fbe07559383f4bef85062ea5a7eda9afc.

#8

Updated by Vincent MEMBRÉ about 10 years ago

  • Tracker changed from Bug to User story
  • Subject changed from cf-served look up reverse DNS for ALL nodes at startup to At cf-serverd startup, use each node ip instead of resolving their hostname by reverse look up

#9

Updated by Vincent MEMBRÉ about 10 years ago

  • Tracker changed from User story to Bug

#10

Updated by Vincent MEMBRÉ about 10 years ago

  • Subject changed from At cf-serverd startup, use each node ip instead of resolving their hostname by reverse look up to cf-serverd looks up reverse DNS for ALL nodes at startup

#11

Updated by Vincent MEMBRÉ about 10 years ago

  • Subject changed from cf-serverd looks up reverse DNS for ALL nodes at startup to cf-serverd looks up reverse DNS for ALL nodes at start up

#12

Updated by Vincent MEMBRÉ about 10 years ago

  • Category changed from System techniques to Performance and scalability

#13

Updated by Vincent MEMBRÉ about 10 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.10.0~beta1, which was released today.
Check out:

  • The release announcement: http://www.rudder-project.org/pipermail/rudder-announce/2014-March/000084.html
  • The full ChangeLog: http://www.rudder-project.org/foswiki/bin/view/System/Documentation:ChangeLog210
  • Download information: https://www.rudder-project.org/site/get-rudder/downloads/