Return-Path: X-Original-To: apmail-cloudstack-issues-archive@www.apache.org Delivered-To: apmail-cloudstack-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 09E0919586 for ; Thu, 21 Apr 2016 12:49:26 +0000 (UTC) Received: (qmail 39781 invoked by uid 500); 21 Apr 2016 12:49:25 -0000 Delivered-To: apmail-cloudstack-issues-archive@cloudstack.apache.org Received: (qmail 39742 invoked by uid 500); 21 Apr 2016 12:49:25 -0000 Mailing-List: contact issues-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list issues@cloudstack.apache.org Received: (qmail 39625 invoked by uid 500); 21 Apr 2016 12:49:25 -0000 Delivered-To: apmail-incubator-cloudstack-issues@incubator.apache.org Received: (qmail 39620 invoked by uid 99); 21 Apr 2016 12:49:25 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 21 Apr 2016 12:49:25 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id 9070A2C1F68 for ; Thu, 21 Apr 2016 12:49:25 +0000 (UTC) Date: Thu, 21 Apr 2016 12:49:25 +0000 (UTC) From: "Wei Zhou (JIRA)" To: cloudstack-issues@incubator.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (CLOUDSTACK-9360) Set guest password not working with redundant routers MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/CLOUDSTACK-9360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15251844#comment-15251844 ] Wei Zhou commented on CLOUDSTACK-9360: -------------------------------------- this is because the parameter of passwd_server_ip is None, not guest ip. you can test this change. {code} diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py index a0b4c6e..6968bb8 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py @@ -76,6 +76,8 @@ class CsPasswdSvc(): proc = CsProcess(["Password Service"]) pid = proc.grep("passwd_server_ip %s" % self.ip) proc.kill(pid) + pid = proc.grep("passwd_server_ip.py %s" % self.ip) + proc.kill(pid) pid = proc.grep("8080,reuseaddr,fork,crnl,bind=%s" % self.ip) proc.kill(pid) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py index c8d7425..bd5c7b3 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py @@ -243,9 +243,16 @@ class CsRedundant(object): CsHelper.service("xl2tpd", "stop") CsHelper.service("dnsmasq", "stop") - ips = [ip for ip in self.address.get_ips() if ip.needs_vrrp()] - for ip in ips: - CsPasswdSvc(ip.get_gateway()).stop() + if self.config.is_vpc(): + ads = [o for o in self.address.get_ips() if o.needs_vrrp()] + for o in ads: + CsPasswdSvc(o.get_gateway()).stop() + CsPasswdSvc(o.get_ip()).stop() + else: + interfaces = [interface for interface in self.address.get_ips() if interface.is_guest()] + for interface in interfaces: + CsPasswdSvc(interface.get_ip()).stop() + CsPasswdSvc(self.cl.get_guest_gw()).stop() self.cl.set_fault_state() self.cl.save() @@ -276,9 +283,17 @@ class CsRedundant(object): CsHelper.service("ipsec", "stop") CsHelper.service("xl2tpd", "stop") - ips = [ip for ip in self.address.get_ips() if ip.needs_vrrp()] - for ip in ips: - CsPasswdSvc(ip.get_gateway()).stop() + if self.config.is_vpc(): + ads = [o for o in self.address.get_ips() if o.needs_vrrp()] + for o in ads: + CsPasswdSvc(o.get_gateway()).stop() + CsPasswdSvc(o.get_ip()).stop() + else: + interfaces = [interface for interface in self.address.get_ips() if interface.is_guest()] + for interface in interfaces: + CsPasswdSvc(interface.get_ip()).stop() + CsPasswdSvc(self.cl.get_guest_gw()).stop() + CsHelper.service("dnsmasq", "stop") self.cl.set_master_state(False) @@ -308,9 +323,16 @@ class CsRedundant(object): CsHelper.execute("%s -B" % cmd) CsHelper.service("ipsec", "restart") CsHelper.service("xl2tpd", "restart") - ads = [o for o in self.address.get_ips() if o.needs_vrrp()] - for o in ads: - CsPasswdSvc(o.get_gateway()).restart() + if self.config.is_vpc(): + ads = [o for o in self.address.get_ips() if o.needs_vrrp()] + for o in ads: + CsPasswdSvc(o.get_gateway()).restart() + CsPasswdSvc(o.get_ip()).restart() + else: + interfaces = [interface for interface in self.address.get_ips() if interface.is_guest()] + for interface in interfaces: + CsPasswdSvc(interface.get_ip()).restart() + CsPasswdSvc(self.cl.get_guest_gw()).restart() CsHelper.service("dnsmasq", "restart") self.cl.set_master_state(True) {code} > Set guest password not working with redundant routers > ----------------------------------------------------- > > Key: CLOUDSTACK-9360 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9360 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the default.) > Components: Management Server, VPC > Affects Versions: 4.8.0 > Environment: Two CentOS7 MGMT Servers, redundant router vms > Reporter: Thomas > Priority: Critical > > We got a problem with the set guest password function. > When you spawn a redundant router (VPC or not) the VMs don`t set their password correctly. > We broke it down to the /opt/cloud/bin/passwd_server_ip.py script which checks the Client IP for the save password function on the routerVM: > --- > if clientAddress not in ['localhost', '127.0.0.1', listeningAddress]: > syslog.syslog('serve_password: non-localhost IP trying to save password: %s' % clientAddress) > self.send_response(403) > return > --- > In the logs we see: > -- > Apr 21 09:02:01 r-80-VM passwd_server_ip.py: serve_password: non-localhost IP trying to save password: 10.0.0.236 > -- > The routerVMs eth2 config: > -- > 4: eth2: mtu 1500 qdisc pfifo_fast state UP qlen 1000 > link/ether 02:00:2c:d7:00:08 brd ff:ff:ff:ff:ff:ff > inet 10.0.0.236/24 brd 10.0.0.255 scope global eth2 > inet 10.0.0.1/24 brd 10.0.0.255 scope global secondary eth2 > -- > So what happens: > The management server triggers the router vm to store a new password for a new spawned or password reseting guest vm. > The router vm then tries locally to connect to the password python server with it`s primary eth2 ip, in our example: 10.0.0.236 > The python password server then checks the client IP via: > if clientAddress not in ['localhost', '127.0.0.1', listeningAddress]: > and exists with: serve_password: non-localhost IP trying to save password: 10.0.0.236 > cause the listeningAddress is filled with: 10.0.0.1 > How to fix > First possibility: > Configure the 10.0.0.1 IP as primary IP => maybe not possible cause its managed by keepalived > Second possibilty: > Adjust the password server if check and check also for the ip 10.0.0.236. > I tried to implement this with a subprocess and grep in /var/cache/cloud/processed/guest_network.json.* or with a os command and ip a | grep eth2 | grep -v mtu | cut -d ' ' -f 6 | cut -d '/' -f 1 > Maybe someone could support here? -- This message was sent by Atlassian JIRA (v6.3.4#6332)