Completed
bpoulain 5 months ago • updated by Alexis Mousset 4 months ago 8

Hi,

I have installed Rudder Server 4.1 and only one agent on Debian 8 servers.

The server works normally (compliance is perfect). 

The agent seems to work normally ("rudder agent check" -> "Rudder agent check ran without errors", "rudder agent health" -> "OK") ... but the compliance report is never sent to the server. I suspect a certificate problem.

Can you help me?

Thank you.

GOOD, I'M SATISFIED
Satisfaction mark by bpoulain 4 months ago

Is it applying a policy you defined? Maybe it has not updated (what is the result of "rudder agent update"?)


What is the output of "rudder agent run"?


In the details of your Node, is the table in the "Technical Logs" tab empty?

Hi,


Yes, Technical Logs is empty.


Inventory is OK.


# rudder agent update
   error: No suitable server found
   error: No suitable server found
R: *********************************************************************************
* rudder-agent could not get an updated configuration from the policy server.   *
* This can be caused by:                                                        *
*   * an incorrect DNS resolution of this node                                  *
*   * an agent key that has been changed                                        *
*   * if this node is not accepted or deleted node on the Rudder root server    *
*   * if this node has changed policy server without sending a new inventory    *
* Any existing configuration policy will continue to be applied without change. *
*********************************************************************************
ok: Rudder agent promises were updated.


# rudder agent run
Rudder agent 4.1.1-wheezy0 (CFEngine Core 3.10.0)
Node uuid: 32de9fdd-a48e-42e1-acac-48774a63492d
Start execution with config [0]

M| State         Technique                 Component                 Key                Message
E| error         Common                    Update                                       Cannot update Rudder tools last updated file
E| error         Common                    Update                                       Cannot update node's policy
E| compliant     Common                    ncf Initialization                           The ncf initialization was correct
E| compliant     Common                    Security parameters                          The internal environment security is acceptable
E| compliant     Common                    Red Button                                   Red Button is not in effect, continuing as normal...
E| n/a           Common                    Process checking                             CFEngine proccesses check is done by the rudder-agent CRON job
E| compliant     Common                    CRON Daemon                                  Cron daemon status was correct
E| compliant     Inventory                 inventory                                    Next inventory scheduled between 00:00 and 06:00
E| compliant     Common                    Binaries update                              The CFEngine binaries in /var/rudder/cfengine-community/bin are up to date

## Summary #####################################################################
9 components verified in 2 directives
   => 9 components in Enforce mode
      -> 6 compliant
      -> 1 not-applicable
      -> 2 error
execution time: 1.04s
################################################################################


The node cannot update its policies; this is likely to be a DNS issue.


You can have more details on why it could not update by:


running on the server: rudder server debug <node_ip>


then running "rudder agent update" on your Node


You will have logs appearing on the server side (or not, if the node cannot contact the server at all, but nonetheless it will be interesting).


On a side note, we are likely to close this forum after we fix your issue. We prefer to focus questions from the community either on our Redmine / our IRC or on ServerFault (#rudder). I will gladly answer all your questions on those media :)



This is not a DNS issue. Server can resolve agent and agent can resolve server.


I have opened the TCP-5309 port on the firewall (between agent and server).


On the agent:

# rudder agent update
ok: Rudder agent promises were updated.


# rudder agent run
Rudder agent 4.1.1-wheezy0 (CFEngine Core 3.10.0)
Node uuid: 32de9fdd-a48e-42e1-acac-48774a63492d
Start execution with config [20170512-180841-96156606]

M| State         Technique                 Component                 Key                Message
E| compliant     Common                    Update                                       Rudder policy, tools and ncf instance are already up to date. No action required.
E| compliant     Common                    ncf Initialization                           The ncf initialization was correct
E| compliant     Common                    Security parameters                          The internal environment security is acceptable
E| compliant     Common                    Red Button                                   Red Button is not in effect, continuing as normal...
E| n/a           Common                    Process checking                             CFEngine proccesses check is done by the rudder-agent CRON job
E| compliant     Common                    CRON Daemon                                  Cron daemon status was correct
E| compliant     Common                    Log system for reports                       Logging system for report centralization is already correctly configured
E| compliant     Common                    Binaries update                              The CFEngine binaries in /var/rudder/cfengine-community/bin are up to date
E| compliant     Inventory                 inventory                                    Next inventory scheduled between 00:00 and 06:00
E| compliant     ntpConfiguration          Time synchronization (NT|                    ntp daemon installed, configured and running
E| compliant     ntpConfiguration          Time zone                                    Time zone edition disabled
E| compliant     ntpConfiguration          Hardware clock (RTC)                         The hardware clock has been synchronized with the NTP time

## Summary #####################################################################
12 components verified in 3 directives
   => 12 components in Enforce mode
      -> 11 compliant
      -> 1 not-applicable
execution time: 2.26s


################################################################################


On the server:

rudder server  debug -i <agentip>

...

rudder  verbose: Obtained IP address of '<agentip>' on socket 7 from accept
rudder  verbose: New connection (from <agentip>, sd 7), spawning new thread...
rudder     info: <agentip>> Accepting connection
rudder  verbose: <agentip>> Setting socket timeout to 600 seconds.
rudder  verbose: <agentip>> Peeked nothing important in TCP stream, considering the protocol as TLS
rudder  verbose: <agentip>> TLS version negotiated:  TLSv1.2; Cipher: AES256-GCM-SHA384,TLSv1/SSLv3
rudder  verbose: <agentip>> TLS session established, checking trust...
rudder  verbose: <agentip>> Setting IDENTITY: USERNAME=root
rudder  verbose: <agentip>> Received public key compares equal to the one we have stored
rudder  verbose: <agentip>> MD5=46f92002af5c85568a838845879e9128: Client is TRUSTED, public key MATCHES stored one.
rudder     info: <agentip>> Hostname (reverse looked up): AGENTRUDDER.DOMAIN
rudder  verbose: <agentip>>      Received:    STAT /var/rudder/share/32de9fdd-a48e-42e1-acac-48774a63492d/rules/cfengine-community/rudder_promises_generated
rudder  verbose: <agentip>> Translated to:    STAT /var/rudder/share/32de9fdd-a48e-42e1-acac-48774a63492d/rules/cfengine-community/rudder_promises_generated
rudder  verbose: <agentip>>      Received:     MD5 /var/rudder/share/32de9fdd-a48e-42e1-acac-48774a63492d/rules/cfengine-community/rudder_promises_generated
rudder  verbose: <agentip>> Translated to:     MD5 /var/rudder/share/32de9fdd-a48e-42e1-acac-48774a63492d/rules/cfengine-community/rudder_promises_generated
rudder  verbose: <agentip>>      Received:    STAT /usr/share/ncf/tree/ncf_hash_file
rudder  verbose: <agentip>> Translated to:    STAT /usr/share/ncf/tree/ncf_hash_file
rudder  verbose: <agentip>>      Received:     MD5 /usr/share/ncf/tree/ncf_hash_file
rudder  verbose: <agentip>> Translated to:     MD5 /usr/share/ncf/tree/ncf_hash_file
rudder  verbose: <agentip>>      Received:    STAT /var/rudder/configuration-repository/ncf/ncf_hash_file
rudder  verbose: <agentip>> Translated to:    STAT /var/rudder/configuration-repository/ncf/ncf_hash_file
rudder  verbose: <agentip>>      Received:     MD5 /var/rudder/configuration-repository/ncf/ncf_hash_file
rudder  verbose: <agentip>> Translated to:     MD5 /var/rudder/configuration-repository/ncf/ncf_hash_file
rudder  verbose: <agentip>>      Received:    STAT /var/rudder/tools/rudder_tools_updated
rudder  verbose: <agentip>> Translated to:    STAT /var/rudder/tools/rudder_tools_updated
rudder  verbose: <agentip>>      Received:     MD5 /var/rudder/tools/rudder_tools_updated
rudder  verbose: <agentip>> Translated to:     MD5 /var/rudder/tools/rudder_tools_updated
rudder  verbose: <agentip>> Remote peer terminated TLS session (SSL_read)
rudder     info: <agentip>> Closing connection, terminating thread


In LIST NODES, in LAST SEEN I have NEVER.

 

Ha, it seems to work now. Have you opened port 5309 right now? That would explain why it begins to work.


Other ports to open (especially the syslog one to send reporting, which may be missing): https://www.rudder-project.org/doc-4.1/rudder-installation-requirements.html#_mandatory_flows


From what I see, your node now correctly applies Rules (configuring ntp); it should send reports to the server via syslog (if they are received, they should appear in /var/log/rudder/reports/all.log prefixed by the IP/hostname of your node).

You can close this demand.


I have opened TCP-514 and TCP-5309 and TCP-443 ... and all is OK now.


Thank you.

Accepted

Great! For future issues or questions, https://serverfault.com/questions/ask?tags=rudder is more appropriate as this forum is there for Feature ideas.
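
Added example (not part of the thread and not Rudder's own tooling): a small shell helper that reads "rudder agent run" output and reports whether the Common/Update component failed, which is the symptom seen above while TCP 5309 was closed, plus a probe of the three TCP ports the poster ended up opening. The function names, the sample lines and the use of nc are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Rudder code. Input format taken from the runs in the thread.

# Read `rudder agent run` output on stdin and print one verdict:
#   policy-update-failed  Common/Update is in error: the node could not fetch
#                         its policy (here, TCP 5309 was closed)
#   other-errors          some other component is in error
#   clean                 no error lines; if the server still shows no
#                         reports, look at the reporting flow (syslog)
triage_agent_run() {
    awk -F'  +' '
        /^E[|] / {                       # report rows; columns split on 2+ spaces
            state = $1; sub(/^E[|] /, "", state)
            if (state != "error") next
            if ($2 == "Common" && $3 == "Update") update++
            else other++
        }
        END {
            if (update)     print "policy-update-failed"
            else if (other) print "other-errors"
            else            print "clean"
        }'
}

# Probe, from the node, the three TCP ports opened in the thread.
# $1 = policy server name (caller-supplied); relies on nc -z and -w.
check_flows() {
    for port in 5309 514 443; do
        if nc -z -w 3 "$1" "$port" 2>/dev/null; then
            echo "$port open"
        else
            echo "$port blocked"
        fi
    done
}

# Constructed samples shaped like the two runs in the thread.
sample_fail() {
    cat <<'EOF'
E| error         Common                    Update                                       Cannot update Rudder tools last updated file
E| compliant     Common                    CRON Daemon                                  Cron daemon status was correct
EOF
}
sample_ok() {
    cat <<'EOF'
E| compliant     Common                    Update                                       Rudder policy, tools and ncf instance are already up to date. No action required.
E| n/a           Common                    Process checking                             CFEngine proccesses check is done by the rudder-agent CRON job
EOF
}

sample_fail | triage_agent_run    # policy-update-failed
```

On a real node, pipe the live output through it (rudder agent run | triage_agent_run) and call check_flows with the policy server's name; a "clean" verdict with "LAST SEEN: NEVER" on the server points at the reporting flow rather than at policy download.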