Bug #5371

closed

rudder-networks.conf doesn't allow v6 loopback

Added by Florian Heigl over 9 years ago. Updated about 7 years ago.

Status:
Rejected
Priority:
3
Assignee:
-
Category:
System integration
Target version:
-

Description

One tiny thing I noticed is there's no v6 ::1 entry in the rudder-networks.conf, noticed via some error from the local rudder-agent (permission denied):

rudders1:/opt/rudder # cat /opt/rudder/etc/rudder-networks.conf
Allow from 127.0.0.0/8
Allow from %%POLICY_SERVER_ALLOWED_NETWORKS%%

Adding ::1 here would be useful: v6 was chosen as the default transport in the OS without any manual preference setting. My lab network is even, sadly, v4 only.

(SLES 11SP3)

Actions #1

Updated by Matthieu CERDA over 9 years ago

  • Status changed from New to Discussion
  • Assignee set to Matthieu CERDA
  • Priority changed from N/A to 3

Hello Florian,

I can see that in the 2.10 system Techniques, the following statement is used to complete the allowed networks file:

    policy_server::
      "acl" slist => {
      "127.0.0.0/8" , "::1",
      "${def.policy_server}", # the policy server can connect to a relay
      &AUTHORIZED_NETWORKS:{net|"&net&",}&
    };

As far as I can tell (and reproduce :) ) the /opt/rudder/etc/rudder-networks.conf file from a 2.10 test machine contains:

Allow from 127.0.0.0/8
Allow from ::1
Allow from 127.0.0.1
Allow from 192.168.0.0/16
(...)

Can you please tell me which version of Rudder you are running, and whether you see the following block in /var/rudder/configuration-repository/techniques/system/common/1.0/cf-served.st on your Rudder server?

   # List here the IP masks that we grant access to on the server

&if(AUTHORIZED_NETWORKS)&
    policy_server::
      "acl" slist => {
      "127.0.0.0/8" , "::1",
      "${def.policy_server}", # the policy server can connect to a relay
      &AUTHORIZED_NETWORKS:{net|"&net&",}&
    };
&endif&

Thanks in advance !

Actions #2

Updated by Matthieu CERDA over 9 years ago

Note: according to #5370, if I assume you run Rudder 2.11.1, you should still have this block in your Techniques normally :)

Actions #3

Updated by Florian Heigl over 9 years ago

Hi,

That block is there. I don't understand why I then see a 127.0.0.0/8 but not ::1

&if(AUTHORIZED_NETWORKS)&
    policy_server::
      "acl" slist => {
      "127.0.0.0/8" , "::1",
      "${def.policy_server}", # the policy server can connect to a relay
      &AUTHORIZED_NETWORKS:{net|"&net&",}&
    };
&endif&

Unless, and that's what I'd assume, it's because the agent can never download this policy since it connects via v6 by default, but only the v4 loopback "allow" statement is there.
I think it'd need to deliver, before cfagent can run, a file that allows both loopback addresses.

Obviously I'll do a test with adding ::1 soon.
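The failure mode described in this comment, as an added illustration that is not part of the original ticket and not Rudder's own code: a small checker that parses an Apache-style "Allow from" list such as rudder-networks.conf and reports whether a client arriving over the IPv4 loopback and one arriving over the IPv6 loopback would be admitted. The two sample file contents are constructed from the ones pasted in this ticket (the initial file with only 127.0.0.0/8 plus the unexpanded %%POLICY_SERVER_ALLOWED_NETWORKS%% token, and the later autopopulated one). It only models IP addresses, CIDR masks and the keyword "all"; Apache also accepts partial dotted prefixes and (reverse-DNS) host names, which the checker simply reports as unresolved tokens.

```python
"""Check which client addresses an Apache-style 'Allow from' list admits.

Added example, not Rudder code. Sample configs below are constructed from
the files pasted in the ticket.
"""
import ipaddress
import re

# Constructed sample: the file as first reported (v4 loopback only, and a
# template placeholder that was never expanded).
REPORTED_CONF = """\
Allow from 127.0.0.0/8
Allow from %%POLICY_SERVER_ALLOWED_NETWORKS%%
"""

# Constructed sample: the autopopulated file from later in the ticket.
FIXED_CONF = """\
Allow from 127.0.0.0/8
Allow from 127.0.0.0/8 # <- idk why this
Allow from ::1
Allow from 127.0.0.1 # <- idk why this
Allow from 192.168.51.0/24 # <- lab net given in rudder-init.sh
"""

# 'Allow from A B C' with an optional trailing '# comment'.
ALLOW_RE = re.compile(r"^\s*Allow\s+from\s+(.+?)\s*(?:#.*)?$", re.IGNORECASE)


def parse_allow_list(text):
    """Return (networks, unresolved) from the 'Allow from' lines of text.

    networks:   ip_network objects for every IP/CIDR token ('all' expands to
                both 0.0.0.0/0 and ::/0).
    unresolved: tokens that are not IP literals (e.g. an unexpanded %%...%%
                placeholder). Apache would treat such a token as a partial
                domain name, so it never matches a bare client IP.
    """
    networks, unresolved = [], []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            if token.lower() == "all":
                networks += [ipaddress.ip_network("0.0.0.0/0"),
                             ipaddress.ip_network("::/0")]
                continue
            try:
                networks.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                unresolved.append(token)
    return networks, unresolved


def is_allowed(addr, networks):
    """True if addr lies inside any allowed network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


def loopback_report(text):
    """Would an agent connecting over each loopback address get through?"""
    networks, unresolved = parse_allow_list(text)
    return {
        "ipv4_loopback": is_allowed("127.0.0.1", networks),
        "ipv6_loopback": is_allowed("::1", networks),
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    for name, conf in (("reported", REPORTED_CONF), ("fixed", FIXED_CONF)):
        print(name, loopback_report(conf))
```

Running it against the first sample shows exactly the situation in the ticket: the v4 loopback is allowed, the v6 loopback is not, and the unexpanded placeholder is flagged as a token that can never match an address. A non-empty "unresolved" list on a production server is worth treating as a configuration error rather than a harmless leftover.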

Actions #4

Updated by Florian Heigl over 9 years ago

Hi,

Apparently the main culprit was on the server side:
the initial git commit -m "blah" in /var/rudder/configuration-repository was missing.
After this, the file got autopopulated:

rudders1:/opt/rudder/etc # cat rudder-networks.conf
Allow from 127.0.0.0/8
Allow from 127.0.0.0/8 # <- idk why this
Allow from ::1
Allow from 127.0.0.1 # <- idk why this
Allow from 192.168.51.0/24 # <- lab net given in rudder-init.sh

Actions #5

Updated by Matthieu CERDA over 9 years ago

Ah, you migrated the configuration-repository manually from one server to another?

Actions #6

Updated by Florian Heigl over 9 years ago

No, there was no migration involved.
It just didn't get committed after rudder-init.sh had run.

Actions #7

Updated by Benoît PECCATTE over 7 years ago

  • Assignee deleted (Matthieu CERDA)

Actions #8

Updated by Alexis Mousset about 7 years ago

  • Status changed from Discussion to Rejected

This is fixed, closing.
