Configure which hosts can participate in CFEngine infrastructure management

Posted by Craig Comstock
May 6, 2024

Two modules are available for this task: allow-all-hosts and allow-hosts.

The first module, allow-all-hosts, configures the most open setup: accept connections from any host. This is only recommended in network-restricted environments, such as a local machine's virtual-machine network or similar closed-off setups.

The second module, allow-hosts, uses cfbs module input to let you decide which hosts (specified by IP addresses and subnets) are allowed to connect to your hub, authenticate, fetch policy, and so on. This is by far the more common scenario.

By default the hub accepts requests from hosts on its own subnet, e.g. hub-ip/16.

Add the allow-hosts module

When you install allow-hosts in the Build app in Mission Portal you will see an input field to enter one or more allowed hosts.

[Screenshot: allow-hosts module added and editing an entry]

I add several IPs for hosts in my environment, including the hub itself, 192.168.1.196:

[Screenshot: list of IP addresses to allow to connect]

and then make sure I push and deploy the policy:

[Screenshot: Push and deploy button in the Mission Portal Build application]

Remove an IP and test

Next I remove one host's IP, 192.168.1.103, and test whether it can still connect and pull policy from the hub.

[Screenshot: list of IP addresses with 192.168.1.103 removed]

On that host, the ip a command shows the IP address:

command
ip a | grep 192
output
inet 192.168.1.103/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp3s0

If we try to fetch policy, we see that the hub rejects the connection:

command
cf-agent -KIf update.cf
output
error: Failed to establish TLS connection: underlying network error (Connection reset by peer)
 info: Unable to establish connection to '192.168.1.196'

Policy that has already been fetched will still be used, but updates will not be received.

When I add that IP address back in, it can fetch policy again as desired.
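Before pushing an edited allow-hosts list it is worth predicting which hosts will lose access, since a host that drops off the list keeps running its last policy silently. The following is an added example (not CFEngine's own code) that takes the list entries, the hub IP and the fleet's IPs and reports the hosts the hub would reject; it assumes entries are plain IP addresses or CIDR subnets and that an empty list falls back to the default hub-ip/16 described above.

```python
"""Pre-flight check of an allow-hosts list (added example, not CFEngine code)."""
import ipaddress


def effective_acl(entries, hub_ip):
    """Networks the hub will accept connections from.

    Assumption: with no entries the hub keeps its default of its own /16.
    """
    if not entries:
        return [ipaddress.ip_network(f"{hub_ip}/16", strict=False)]
    # strict=False lets a host address like 192.168.1.196 stand as a /32.
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def rejected_hosts(entries, hub_ip, hosts):
    """Hosts that would get 'Connection reset by peer' after the deploy."""
    acl = effective_acl(entries, hub_ip)
    rejected = []
    for host in hosts:
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in acl):
            rejected.append(host)
    return rejected


def hub_locked_out(entries, hub_ip):
    """True if the list omits the hub itself (the post adds the hub's own IP)."""
    return hub_ip in rejected_hosts(entries, hub_ip, [hub_ip])


if __name__ == "__main__":
    # Constructed sample: the hub from the post plus made-up fleet addresses,
    # with 192.168.1.103 removed from the allowed list as in the test above.
    hub = "192.168.1.196"
    allowed = ["192.168.1.196", "192.168.1.101", "192.168.1.102"]
    fleet = ["192.168.1.101", "192.168.1.102", "192.168.1.103", hub]
    print("would be rejected:", rejected_hosts(allowed, hub, fleet))
    print("hub locked out:", hub_locked_out(["192.168.1.101"], hub))
```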

Test with cf-net

An alternate way to test connectivity is to use the cf-net command:

command
cf-net -H 192.168.1.196 opendir /var/cfengine/data
output
...
host_specific.json

and if the IP is not included in the list of allowed IPs, you get:

command
cf-net -H 192.168.1.196 opendir /var/cfengine/data
output
error: Failed to establish TLS connection: underlying network error (Connection reset by peer)
Failed to connect to '192.168.1.196'

Questions?

If you have questions or need help, reach out on the mailing list or GitHub discussions. If you have a support contract, feel free to open a ticket in our support system.