Installing CFEngine on images

When you install CFEngine from a package, the packaged post-installation script generates a cryptographic identity for the host which is used to identify the host in CFEngine. CFEngine uses the host’s cryptographic identity to identify the host because IP addresses can change (e.g., when devices transition between mobile cells) and so can hostnames. A thumbprint of the public key serves as the host identifier.

The key pair is stored in /var/cfengine/ppkeys (private and public keys):

# ls /var/cfengine/ppkeys/localhost.p* -1
/var/cfengine/ppkeys/localhost.priv
/var/cfengine/ppkeys/localhost.pub
#

You can print the host id (thumbprint of public key) using cf-key -p:

# cf-key -p /var/cfengine/ppkeys/localhost.pub
SHA=e7442a534a682b5fade75d31087b1f9a9e802230f06f08f540460a541235e041
#

If you install CFEngine onto an image, that burns in the key pair, and then all hosts brought up with that image will have the same identity, which wreaks havoc with CFEngine reporting.

To handle this you have to:

a) Remove the key pair before burning the image (“rm /var/cfengine/ppkeys/localhost.p*”)
b) Generate a key pair on node initialization (by running “/var/cfengine/bin/cf-key”)

Or, rather than installing the package and then burning the image (i.e., “baking in” the keys), you can download, install and bootstrap CFEngine as part of the node initialization process (at “fry” time).
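The two steps above (strip the identity while baking, generate one at first boot) as a small POSIX shell script. This is an added example, not part of the original post or of CFEngine itself. It relies only on what the post states: the key pair lives in /var/cfengine/ppkeys as localhost.priv and localhost.pub, and running /var/cfengine/bin/cf-key with no options generates it. The directory and cf-key path are function parameters so the helpers can be exercised against a scratch directory; the defaults are the real locations.

```sh
#!/bin/sh
# Added example (not from the original post): helpers for the
# "strip keys when baking, generate keys at first boot" procedure.
# Paths are parameters so the functions can be exercised against a
# scratch directory; the defaults are the real CFEngine locations.

# Step a), run while preparing the image: delete the baked-in host
# identity so every instance launched from the image gets its own.
# Returns 0 only if no localhost key files remain.
strip_host_identity() {
    dir=${1:-/var/cfengine/ppkeys}
    rm -f "$dir/localhost.priv" "$dir/localhost.pub"
    [ ! -e "$dir/localhost.priv" ] && [ ! -e "$dir/localhost.pub" ]
}

# Step b), run at first boot: generate a key pair only if none exists.
# The check makes the script safe to rerun: regenerating on every boot
# would give the host a new identity each time, which is the same
# reporting problem in a different form.
# Returns 0 if both key files are present afterwards.
ensure_host_identity() {
    dir=${1:-/var/cfengine/ppkeys}
    cf_key=${2:-/var/cfengine/bin/cf-key}
    if [ -f "$dir/localhost.priv" ] && [ -f "$dir/localhost.pub" ]; then
        return 0
    fi
    # cf-key with no options generates localhost.priv/localhost.pub
    "$cf_key" >/dev/null || return 1
    [ -f "$dir/localhost.priv" ] && [ -f "$dir/localhost.pub" ]
}

# Image build:  sh this_script.sh bake
# First boot (e.g. from a one-shot init unit):  sh this_script.sh boot
# With no argument the script only defines the functions.
case "${1:-}" in
    bake) strip_host_identity ;;
    boot) ensure_host_identity && \
          /var/cfengine/bin/cf-key -p /var/cfengine/ppkeys/localhost.pub ;;
esac
```

The "boot" branch prints the freshly generated thumbprint with cf-key -p, which is handy to log at provisioning time so the identity each instance ends up with can later be matched against what the hub reports.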
