cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thomas (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-9360) Set guest password not working with redundant routers
Date Fri, 22 Apr 2016 10:10:12 GMT


Thomas commented on CLOUDSTACK-9360:

Hi Wei,

but there is also a logical mistake.
Lets assume that the client tries to get its password from the dhcp-server-identifier which
is the main IP from the VR for example:

The virtual router saved the password via: curl --header "DomU_Request: save_password" ""
-F "ip=" -F "password=NEWPW" -F "token=xxxxxxxxxxxxxxxxxxxxxxxxxxx"

So the password server with the was used. 
The password server with the looks in its password file: /var/cache/cloud/passwords-
and there is no new password for the client, cause its in the  /var/cache/cloud/passwords-

This could happen, so for me the better fix would be to remove the IP-Check for the DomU_Request:
save_password request, cause the token also will be checked, so it`s not a security risk.
The clients need to update their guest-set-password boot scripts and use the routers identifier
in their DHCP lease file for the password server connect.

What do you think?

> Set guest password not working with redundant routers
> -----------------------------------------------------
>                 Key: CLOUDSTACK-9360
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server, VPC
>    Affects Versions: 4.8.0
>         Environment: Two CentOS7 MGMT Servers, redundant router vms
>            Reporter: Thomas
>            Priority: Critical
> We got a problem with the set guest password function. 
> When you spawn a redundant router (VPC or not) the VMs don`t set their password correctly.
> We broke it down to the /opt/cloud/bin/ script which checks the Client
IP for the save password function on the routerVM:
> ---
> if clientAddress not in ['localhost', '', listeningAddress]:
>     syslog.syslog('serve_password: non-localhost IP trying to save password: %s' % clientAddress)
>     self.send_response(403)
>     return
> ---
> In the logs we see:
> --
> Apr 21 09:02:01 r-80-VM serve_password: non-localhost IP trying
to save password:
> --
> The routerVMs eth2 config:
> --
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen
>     link/ether 02:00:2c:d7:00:08 brd ff:ff:ff:ff:ff:ff
>     inet brd scope global eth2
>     inet brd scope global secondary eth2
> --
> So what happens:
> The management server triggers the router vm to store a new password for a new spawned
or password reseting guest vm.
> The router vm then tries locally to connect to the password python server with it`s primary
eth2 ip, in our example:
> The python password server then checks the client IP via:
> if clientAddress not in ['localhost', '', listeningAddress]:
> and exists with: serve_password: non-localhost IP trying to save password:
> cause the listeningAddress is filled with:
> How to fix
> First possibility:
> Configure the IP as primary IP => maybe not possible cause its managed by
> Second possibilty:
> Adjust the password server if check and check also for the ip
> I tried to implement this with a subprocess and grep in /var/cache/cloud/processed/guest_network.json.*
or with a os command and ip a | grep eth2 | grep -v mtu | cut -d ' ' -f 6 | cut -d '/' -f
> Maybe someone could support here?

This message was sent by Atlassian JIRA

View raw message