[ https://issues.apache.org/jira/browse/CLOUDSTACK-4184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13737669#comment-13737669 ]
Chiradeep Vittal commented on CLOUDSTACK-4184: ---------------------------------------------- #1. if you add fork to the TCP_LISTEN option of SOCAT, then it will fork a process for each connection, allowing more parallelism #2. There is a bug in serve_password.sh (see below) #3. You can also add 'su=nobody' to the TCP4_LISTEN option to increase the security of the procedure (after all we are blindly accepting strings from potentially untrusted vm)
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/passwd_server_ip b/patches/systemvm/debian/config/opt/cloud/bin/passwd_server_ip
index 8d62dff..4622860 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/passwd_server_ip
+++ b/patches/systemvm/debian/config/opt/cloud/bin/passwd_server_ip
@@ -20,7 +20,7 @@ addr=$1;
 while [ "$ENABLED" == "1" ]
 do
- socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=$addr SYSTEM:"/opt/cloud/bin/serve_password.sh \"\$SOCAT_PEERADDR\""
+ socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,su=nobody,fork,crnl,bind=$addr SYSTEM:"/opt/cloud/bin/serve_password.sh \"\$SOCAT_PEERADDR\""
 rc=$?
 if [ $rc -ne 0 ]
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/serve_password.sh b/patches/systemvm/debian/config/opt/cloud/bin/serve_password.sh
index b829b54..a3a2732 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/serve_password.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/serve_password.sh
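Review bot: In passwd_server_ip's socat line, `su=nobody` is meant to run the forked serve_password.sh child unprivileged, but the trace on this page shows that script reading `/var/cache/cloud/passwords` (the `grep -i 10.1.1.143= /var/cache/cloud/passwords` step) under a socat that runs as root, so unless that file is made readable by `nobody` (and writable, if the script updates it after serving) every request will come back empty — the same symptom the report describes. Grant that access through a dedicated group or user rather than making the file world-readable, since it holds every guest's plaintext password. `fork` with no child limit also lets a single guest open unbounded concurrent connections, each spawning a shell; if the systemvm's socat supports it, `max-children=<limit>` bounds this. `bind=$addr` should be quoted (`bind="$addr"`) to match the quoting fix made in serve_password.sh. The while loop's body continues past the hunk.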
@@ -62,7 +62,7 @@ do
 break
 fi
- request=$(echo $input | grep "DomU_Request:" | cut -d: -f2 | sed 's/^[ \t]*//')
+ request=$(echo "$input" | grep "DomU_Request:" | cut -d: -f2 | sed 's/^[ \t]*//')
 if [ "$request" != "" ]
 then
> VM password reset works inconsistently > -------------------------------------- > > Key: CLOUDSTACK-4184 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-4184 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Virtual Router > Affects Versions: 4.2.0 > Reporter: Jayapal Reddy > Assignee: Jayapal Reddy > Priority: Blocker > Fix For: 4.2.0 > > Attachments: cloud-set-guest-password, pass4.pcap, pass.pcap, > passwords, test.log, test.log > > > 1. When password reset fails for one vm then password reset is not working > then on. > 2. In router the password entries are made properly. > 3. serve password script is giving the password correctly but the vm did not > recieved it > Here are the logs: > === serve_password.sh debug logs > + PASSWD_FILE=/var/cache/cloud/passwords > + ip=10.1.1.143 > + logger -t cloud 'serve_password called to service a request for 10.1.1.143.' 
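Review bot: In serve_password.sh's `request=` line, quoting `$input` stops the glob expansion the trace on this page shows (`echo Accept: */*` expanding into a directory listing), but `echo` still interprets a peer-supplied line that begins with `-n` or `-e`, so use printf instead: `request=$(printf '%s\n' "$input" | grep "DomU_Request:" | cut -d: -f2 | sed 's/^[ \t]*//')`. Because `$input` comes from the guest VM, the `read input` that feeds this loop (outside the hunk, visible in the trace as `+ read input`) should be `read -r input` so backslashes are not interpreted. The `grep` also matches `DomU_Request:` anywhere in the header line rather than only as the header name, which is harmless here because only an exact `send_my_password` is acted on, but a `case "$input" in DomU_Request:*)` match would make that intent explicit and avoid four forks per header. The enclosing `while read` loop starts and ends outside the hunk.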
> + read input > + '[' 'GET / HTTP/1.0' == '' ']' > ++ sed 's/^[ \t]*//' > ++ cut -d: -f2 > ++ grep DomU_Request: > ++ echo GET / HTTP/1.0 > + request= > + '[' '' '!=' '' ']' > + read input > + '[' 'User-Agent: Wget/1.11.4 Red Hat modified' == '' ']' > ++ sed 's/^[ \t]*//' > ++ cut -d: -f2 > ++ grep DomU_Request: > ++ echo User-Agent: Wget/1.11.4 Red Hat modified > + request= > + '[' '' '!=' '' ']' > + read input > + '[' 'Accept: */*' == '' ']' > ++ sed 's/^[ \t]*//' > ++ cut -d: -f2 > ++ grep DomU_Request: > ++ echo Accept: redundant_router/arping_gateways.sh.templ > redundant_router/backup.sh.templ redundant_router/check_bumpup.sh > redundant_router/check_heartbeat.sh.templ > redundant_router/checkrouter.sh.templ redundant_router/conntrackd.conf.templ > redundant_router/disable_pubip.sh redundant_router/enable_pubip.sh.templ > redundant_router/fault.sh.templ redundant_router/heartbeat.sh.templ > redundant_router/keepalived.conf.templ redundant_router/master.sh.templ > redundant_router/primary-backup.sh.templ redundant_router/services.sh > + request= > + '[' '' '!=' '' ']' > + read input > + '[' 'Host: 10.1.1.1:8080' == '' ']' > ++ sed 's/^[ \t]*//' > ++ cut -d: -f2 > ++ grep DomU_Request: > ++ echo Host: 10.1.1.1:8080 > + request= > + '[' '' '!=' '' ']' > + read input > + '[' 'Connection: Keep-Alive' == '' ']' > ++ sed 's/^[ \t]*//' > ++ cut -d: -f2 > ++ grep DomU_Request: > ++ echo Connection: Keep-Alive > + request= > + '[' '' '!=' '' ']' > + read input > + '[' 'DomU_Request: send_my_password' == '' ']' > ++ sed 's/^[ \t]*//' > ++ cut -d: -f2 > ++ grep DomU_Request: > ++ echo DomU_Request: send_my_password > + request=send_my_password > + '[' send_my_password '!=' '' ']' > + break > + '[' send_my_password == send_my_password ']' > ++ get_value /var/cache/cloud/passwords 10.1.1.143 > ++ local filename=/var/cache/cloud/passwords > ++ local keyname=10.1.1.143 > ++ cut -d= -f2 > ++ grep -i 10.1.1.143= /var/cache/cloud/passwords > + password=bG9wrskhw > + '[' 
bG9wrskhw == '' ']' > + logger -t cloud 'serve_password sent a password to 10.1.1.143.' > + echo bG9wrskhw > bG9wrskhw > + unlock_exit 0 passwdlock 1 > + releaseLockFile passwdlock 1 > + __LOCKDIR=/tmp > + __LOCKFILE='/tmp/*-29091-passwdlock.lock' > + __locked=1 > + '[' 1 == 1 ']' > + rm /tmp/1375947770244011718-29091-passwdlock.lock > + exit 0 > ^C > root@r-36-QA:~# ps aux | grep socat > root 29139 0.0 0.8 4788 1024 pts/0 S 07:42 0:00 socat -lf > /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=10.1.1.1 > SYSTEM:/opt/cloud/bin/serve_password.sh "$SOCAT_PEERADDR" > root 29141 0.0 0.6 3796 804 pts/0 S+ 07:43 0:00 grep socat > root@r-36-QA:~# > ====== Guest vm cloud-set-guest-password script logs > PASSWORD_SERVER_IP=10.1.1.1 > + '[' -n 10.1.1.1 ']' > + logger -t cloud 'Found password server IP 10.1.1.1 in > /var/lib/dhclient/dhclient-eth0.leases' > + logger -t cloud 'Sending request to password server at 10.1.1.1' > ++ wget -q -t 3 -T 20 -O - --header 'DomU_Request: send_my_password' > 10.1.1.1:8080 > + password= > ++ echo > ++ tr -d '\r' > + password= > + '[' 0 -eq 0 ']' > + logger -t cloud 'Got response from server at 10.1.1.1' > + case $password in > + logger -t cloud 'Password server at 10.1.1.1 did not have any password for > the VM' > + continue > + for DHCP_FILE in '$DHCP_FOLDERS' > + '[' -f '/var/lib/dhcp3/*' ']' > + '[' 0 == 0 ']' > + '[' 0 == 1 ']' > + logger -t cloud 'Did not need to change password.' > + exit 0 > [root@v3 init.d]# -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira