Bug #5156
closedUnable to delete keys with cf-key
Description
Hi again,
We have a node that we reinstalled several times (so its inventory was sent several times with a different key/uuid), but never accepted into rudder (so it shouldn't matter, right?).
# cf-key -s | grep 114\.210 Incoming 10.210.114.210 - Tue Jun 3 14:16:06 2014 MD5=f6d73dbcca3722f5884426cd556a0e3d Incoming 10.210.114.210 - Tue Jun 10 15:36:13 2014 MD5=df54cbe64ceafd0caf5e554f2a065421 Incoming 10.210.114.210 - Wed Jun 11 12:36:23 2014 MD5=df5abf05c8a167c9154ce06cb97c2be6 Incoming 10.210.114.210 - Thu Jun 26 18:25:57 2014 MD5=150d297bddd11677115e8ad17d6f1df0
I wanted to kill them all(tm)(r):
# cf-key -r 10.210.114.210 # echo $? 0
So far so good. :)
# cf-key -s | grep 114\.210 Incoming 10.210.114.210 - Tue Jun 3 14:16:06 2014 MD5=f6d73dbcca3722f5884426cd556a0e3d Incoming 10.210.114.210 - Tue Jun 10 15:36:13 2014 MD5=df54cbe64ceafd0caf5e554f2a065421 Incoming 10.210.114.210 - Wed Jun 11 12:36:23 2014 MD5=df5abf05c8a167c9154ce06cb97c2be6
Okay, so the newest one was deleted, I retried:
# cf-key -r 10.210.114.210 2014-06-26T18:31:27+0200 error: No keys for host '10.210.114.210' were found # echo $? 1
So I've basically ghost keys I can't delete, and I think it's breaking stuff, because if I reinstall this system and accept it into rudder, it is not able to communicate with rudder.
Thanks.
Updated by Jonathan CLARKE almost 10 years ago
- Status changed from New to Discussion
- Assignee set to Lionel Le Folgoc
Hi Lionel,
I think you are confusing the actual keys on disk (in cfengine-community/ppkeys directory) and the lastseen database. cf-key's "-s" option shows a list of the date/time all hosts (a host = an IP address or hostname + a key) were seen connecting to cf-serverd.
The cf-key "-r" option does attempt to remove a host's key, but only one, and it's implementation is very clear that it will only do this if it finds the lastseen database to be "coherant". I assume that cf-key considers your lastseen database to not be coherant, since it contains several entries, with several different keys for one host.
I suggest you use "cf-key -x" instead. This should remove all keys for a given hostname/IP address. Can you test and confirm is this works for you?
Updated by Lionel Le Folgoc almost 10 years ago
Jonathan CLARKE wrote:
Hi Lionel,
I think you are confusing the actual keys on disk (in cfengine-community/ppkeys directory) and the lastseen database. cf-key's "-s" option shows a list of the date/time all hosts (a host = an IP address or hostname + a key) were seen connecting to cf-serverd.
I've no idea what I'm doing, probably. :)
I've a node accepted in webui that can't communicate with rudder and I'm trying to figure out why. The assumption "ip uniquely identifies a node" that cf-key does(?) seemed to me a possible reason for the failure.
The cf-key "-r" option does attempt to remove a host's key, but only one, and it's implementation is very clear that it will only do this if it finds the lastseen database to be "coherant". I assume that cf-key considers your lastseen database to not be coherant, since it contains several entries, with several different keys for one host.
I suggest you use "cf-key -x" instead. This should remove all keys for a given hostname/IP address. Can you test and confirm is this works for you?
" --remove-keys , -r value - Remove keys for specified hostname/IP"
So not very obvious, especially with the "key_S_", but that's minor (and probably not related to rudder). ;-)
Anyway, it's cfengine 3.5.3 (from a "monolithic" rudder 2.10 installation) which doesn't have the "-x" flag.
I'll go back debugging that once I've made the distributed rudder server work, so no problem for now.
Updated by Lionel Le Folgoc almost 10 years ago
I guess it was caused by skipidentify = false with old 2.9 agents (same as #5100). So feel free to close this issue, it seems I can't do it myself. Thanks.
Updated by Jonathan CLARKE almost 10 years ago
- Status changed from Discussion to Rejected
Lionel Le Folgoc wrote:
I guess it was caused by skipidentify = false with old 2.9 agents (same as #5100). So feel free to close this issue, it seems I can't do it myself. Thanks.
OK, thanks for confirming.