[ https://issues.apache.org/jira/browse/CLOUDSTACK-9360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rohit Yadav reassigned CLOUDSTACK-9360: --------------------------------------- Assignee: Rohit Yadav > Set guest password not working with redundant routers > ----------------------------------------------------- > > Key: CLOUDSTACK-9360 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9360 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Management Server, VPC > Affects Versions: 4.8.0 > Environment: Two CentOS7 MGMT Servers, redundant router vms > Reporter: Thomas > Assignee: Rohit Yadav > Priority: Critical > > We got a problem with the set guest password function. > When you spawn a redundant router (VPC or not) the VMs don`t set their > password correctly. > We broke it down to the /opt/cloud/bin/passwd_server_ip.py script which > checks the Client IP for the save password function on the routerVM: > --- > if clientAddress not in ['localhost', '127.0.0.1', listeningAddress]: > syslog.syslog('serve_password: non-localhost IP trying to save password: > %s' % clientAddress) > self.send_response(403) > return > --- > In the logs we see: > -- > Apr 21 09:02:01 r-80-VM passwd_server_ip.py: serve_password: non-localhost IP > trying to save password: 10.0.0.236 > -- > The routerVMs eth2 config: > -- > 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP > qlen 1000 > link/ether 02:00:2c:d7:00:08 brd ff:ff:ff:ff:ff:ff > inet 10.0.0.236/24 brd 10.0.0.255 scope global eth2 > inet 10.0.0.1/24 brd 10.0.0.255 scope global secondary eth2 > -- > So what happens: > The management server triggers the router vm to store a new password for a > new spawned or password reseting guest vm. > The router vm then tries locally to connect to the password python server > with it`s primary eth2 ip, in our example: 10.0.0.236 > The python password server then checks the client IP via: > if clientAddress not in ['localhost', '127.0.0.1', listeningAddress]: > and exists with: serve_password: non-localhost IP trying to save password: > 10.0.0.236 > cause the listeningAddress is filled with: 10.0.0.1 > How to fix > First possibility: > Configure the 10.0.0.1 IP as primary IP => maybe not possible cause its > managed by keepalived > Second possibilty: > Adjust the password server if check and check also for the ip 10.0.0.236. > I tried to implement this with a subprocess and grep in > /var/cache/cloud/processed/guest_network.json.* or with a os command and ip a > | grep eth2 | grep -v mtu | cut -d ' ' -f 6 | cut -d '/' -f 1 > Maybe someone could support here? -- This message was sent by Atlassian JIRA (v6.4.14#64029)