trigger action on policy server after a bootstrap

[kagehisa]

Hi everyone!
I'm new to cfengine and in the middle of the process of moving our base machine configuration away from ansible to cfengine.
Although ansible works fine for the initial setup of a machine I would like an agent based system to make sure the basic configuration on all my machines is and stays the way I defined it.
At the moment I'm making sure all hosts are getting the credentials to access our vault. cf-secret seems to be the perfect tool for the job and I already implemented the copy process of the encrypted vault tokens to the respective clients. The only thing that is missing is the actual run of cf-secret after a new system bootstrapped itself to the policy server. Which brings me to my actual question:

Is there a way to run a certain action on the policy server after a client performed the bootstrapping process?

It would be easy to fall back to ansible for this step but I would like it if there is a way for cfengine to perform this step on its own.

Sorry if this seems basic to most of you but I couldn't find a starting point to dig further for this problem.

Thanks for reading this far and I hope someone could give me a hint where to look for further information to answer my question.

[basvandervlies]

@kagehisa After succesful bootstrapping a policy run is done. I do not know you setup, but can you detect that the vault is copied or is local present. IF the class is set (VAUlT_FILE_IS_PRESENT). You can run cf-secret command if this class has been set. I suppose it has to run only once.

[kagehisa]

Thank you for your answer. Hmm ok just as an example:

• 1 policy server that holds the "master" file with the token
• 1 client (more later on)

If I understood correctly cfengine will perform a policy run on the policy server and the client, as soon as the client performed a successful bootstrap.
So I would define a class that identifies if the unencoded "master" file exists on my policy server and write a policy that performs three steps:

1. encode token file if the respective class is set (I hope the terminology is right)
2. copy (pull) the encoded token from the policy server
3. decrypt the encrypted token if it exists

I always forget that the policy server is also bootstrapped to itself unlike with ansible so steps 2 and 3 should be done on the policy server as well.

Would this be a feasible way of doing it?

[basvandervlies]

You want the file with the token be copied to a client when client is bootstrapped? When a client is bootstrapped a policy run is only done on the client. The file is the same for all clients?

What I would do it define in cf-serverd a shortcut:

bundle server access_rules()                                                                             
{                                                                                                        
    access:
      policy_server::                                                                    
            "<token_dir>"                                                                                           
                shortcut => "vault_dir",                                                               
                admit_ips => { "@(def.acl)" };    

then you can copy this file in you cfengine masterfiles:

files:
  any::
        "/tmp/token_file"                                                           
                  copy_from => secure_cp("vault_dir/token_file", "$(sys.policy_hub)"),                                                                                                                                                           
                  classes => results("token_file");

commands:
     "cf-secret command"
        if =>  "token_file_repaired";

This is just an example

[kagehisa]

You want the file with the token be copied to a client when client is bootstrapped?

Yes, because the bootstrap is when the key exchange is done and the policy hub "learns" the public key of the host. With this key I intended to encrypt the token file for the newly bootstrapped host.

When a client is bootstrapped a policy run is only done on the client. The file is the same for all clients?

The file is the same (for now), so the access rule might be the most feasible solution.

My original idea was like this.
On the policy hub:

• have unencrypted file with the token as content (only accessible by the policy hub)
• when a host bootstraps to the policy hub us the hosts pub_key to encrypt the token file and save it as token_$(key_id).encrypted in an accessible folder (but I'm not sure how to get the host keys of newly bootstrapped hosts or even trigger this rule)

On the client:

• after bootdtrap copy the file token_$(key_id).encrypted from the policy hub
• decrypt the file whenever the token is needed (or do this once and store its content in a variable)

But thank you! Your example would also work, I would just need to make sure the file gets encrypted on the client and the original discarded.

[basvandervlies]

I am just reading how cf-secret works. You need the pub-lkey of the client . So how I see it you bootstrap a new client. In the bootstrap process the key-pair is generated.

Then on the policy_server you need a process that detects the new key and then generate a token file encrypted with the pub key. You can protect the file so that only that client can fetch this file and use a the vault_file shortcut

            "/data/cfengine3/vault//key/$(connection.key).json"                                
                comment => "vault",                                              
                shortcut => "vault_file",                                                  
                admit_keys => { "$(connection.key)" };

When the file is present the host will fetch it with a run and you can continue. If not wait for the file to be generated.. It all depends on your workflow.

[kagehisa]

Yes that's what I'm trying to do, the only real issue for me atm. is this step:

Then on the policy_server you need a process that detects the new key

I still don't know much aubout what cfengine provides to do this, so if there is a better way of doing it I'm always happy for suggestions. For now I would loop over the content in /var/cfengine/ppkeys and for each key I would check if there is a corresponding file with the keyID in its name. If not create it with cf-secret.

[basvandervlies]

@kagehisa yes that is a solution. At our organization we use static keys. So when a machine is installed during the installation process the cfengine keys are copied. You need some kind of key management. It can also be dynamaically as you do and then you need something on the policy server to detect the new key

all the keys for the clients are in /var/cfengine/ppkeys on the policy server. maybe you can watch that for changes. Or if the ip/hostname stays the same you can just have a process spawned that uses cf-secret -H <ip|hostname> if this succeeds then a client has been bootstrapped and the file has been generated and the client will pick it up. cf-key -s shows the keys and ypu can loop over this command