[pve-devel] firewall : possible bug/race when cluster.fw is replicated and rules are updated ?

Alexandre DERUMIER aderumier at odiso.com
Tue Jan 8 22:19:49 CET 2019


>>or those cases i use something like (pseudocode - i use salt not puppet):
>>
>>- manage copy of file
>>- if file has changed trigger:
>>   - mv -v $managedfile $realfile
>>

>>Greets,
>>Stefan

Thanks Stefan, works fine indeed.

I really didn't known/remember that /etc/pve was not atomic without a move.
Maybe should we add a warning in documentation about this.


also, maybe for firewall, could we add a protection for cluster.fw (

sub update {
    my $code = sub {

        my $cluster_conf = load_clusterfw_conf();
+       return if !$cluster_conf

        my $cluster_options = $cluster_conf->{options};

        if (!$cluster_options->{enable}) {
            PVE::Firewall::remove_pvefw_chains();
            return;
        }


----- Mail original -----
De: "Stefan Priebe, Profihost AG" <s.priebe at profihost.ag>
À: "pve-devel" <pve-devel at pve.proxmox.com>, "aderumier" <aderumier at odiso.com>, "Thomas Lamprecht" <thomas at lamprecht.org>
Envoyé: Mardi 8 Janvier 2019 21:59:44
Objet: Re: [pve-devel] firewall : possible bug/race when cluster.fw is replicated and rules are updated ?

Hi Alexandre, 


Am 08.01.19 um 21:55 schrieb Alexandre DERUMIER: 
>>> But, file_set_contents - which save_clusterfw_conf uses - does this already[0], 
>>> so maybe this is the "high-level fuse rename isn't atomic" bug again... 
>>> May need to take a closer look tomorrow. 
> 
> mmm, ok. 
> 
> In my case, it was with a simple file copy (cp /tmp/cluster.fw /etc/pve/firewall/cluster.fw). (I manage cluster.fw through puppet for multiple cluster). 
> can reproduce it too with a simple vi edition. 
> 
> I think others users could trigger this too, if they use scripts to automate ipset (blacklist, ....). 
> 
> Maybe could it be better to only disable firewall when option is setup with "enabled:0", and if cluster.fw is missing, don't change any rules. 
> ²²² 


for those cases i use something like (pseudocode - i use salt not puppet): 

- manage copy of file 
- if file has changed trigger: 
- mv -v $managedfile $realfile 


Greets, 
Stefan 

> 
> 
> 
> ----- Mail original ----- 
> De: "Thomas Lamprecht" <thomas at lamprecht.org> 
> À: "pve-devel" <pve-devel at pve.proxmox.com>, "aderumier" <aderumier at odiso.com> 
> Envoyé: Mardi 8 Janvier 2019 20:58:51 
> Objet: Re: [pve-devel] firewall : possible bug/race when cluster.fw is replicated and rules are updated ? 
> 
> Hi, 
> 
> On 1/8/19 7:37 PM, Alexandre DERUMIER wrote: 
>> I'm able to reproduce with: 
>> --------------------------- 
>> on 1 host: 
>> 
>> cluster.fw: 
>> [OPTIONS] 
>> 
>> enable: 1 
>> policy_in: ACCEPT 
>> 
>> 
>> 
>> 
>> #!/usr/bin/perl 
>> 
>> use IO::File; 
>> use PVE::Firewall; 
>> use Data::Dumper; 
>> use Time::HiRes qw ( time alarm sleep usleep ); 
>> 
>> while(1){ 
>> 
>> $filename = "/etc/pve/firewall/cluster.fw"; 
>> 
>> if (my $fh = IO::File->new($filename, O_RDONLY)) { 
>> 
>> $cluster_conf = PVE::Firewall::parse_clusterfw_config($filename, $fh, $verbose); 
>> my $cluster_options = $cluster_conf->{options}; 
>> 
>> if (!$cluster_options->{enable}) { 
>> print Dumper($cluster_options); 
>> die "error\n"; 
>> } 
>> 
>> } 
>> usleep(100); 
>> }; 
>> 
>> 
>> the script is running fine. 
>> 
>> 
>> on another host, edit the file (simple open/write), 
>> then the script on first host, return 
>> 
>> $VAR1 = {}; 
>> error 
> 
> that is expected, AFAICT, a modify operation shouldn't be: 
> * read FILE -> modify -> write FILE 
> but rather: 
> * read FILE -> modify -> write FILE.TMP -> move FILE.TMP to FILE 
> if it's wanted that always a valid content is read. Else yes, you may have a small 
> time window where the file is truncated. 
> 
> But, file_set_contents - which save_clusterfw_conf uses - does this already[0], 
> so maybe this is the "high-level fuse rename isn't atomic" bug again... 
> May need to take a closer look tomorrow. 
> 
> [0]: https://git.proxmox.com/?p=pve-common.git;a=blob;f=src/PVE/Tools.pm;h=accf6539da94d2b5d5b6f4539310fe5c4d526c7e;hb=HEAD#l213 
> 
>> 
>> ----- Mail original ----- 
>> De: "aderumier" <aderumier at odiso.com> 
>> À: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Envoyé: Mardi 8 Janvier 2019 19:15:06 
>> Objet: [pve-devel] firewall : possible bug/race when cluster.fw is replicated and rules are updated ? 
>> 
>> Hi, 
>> I'm currently debugging a possible firewalling problem. 
>> I'm running some cephfs client in vm, firewalled by proxmox. 
>> cephfs client are really sensitive to network problem, and mainly with packets logss or dropped packets. 
>> 
>> I'm really not sure, but I have currently puppet updating my cluster.fw, at regular interval, 
>> and sometimes, I have all the vm on a specific host (or multiple hosts), at the same time, have a small disconnect (maybe some second). 
>> 
>> 
>> I would like to known, if cluster.fw replication is atomic in /etc/pve/ ? 
>> or if they are any chance, that during file replication, the firewall try to read the file, 
>> it could be empty ? 
>> 
>> 
>> I just wonder (I'm really really not sure) if I could trigger this: 
>> 
>> 
>> sub update { 
>> my $code = sub { 
>> 
>> my $cluster_conf = load_clusterfw_conf(); 
>> my $cluster_options = $cluster_conf->{options}; 
>> 
>> if (!$cluster_options->{enable}) { 
>> PVE::Firewall::remove_pvefw_chains(); 
>> return; 
>> } 
>> 
>> 
>> cluster.conf not readable/absent/.... , and remove_pvefw_chains called. 
>> then after some seconds, rules are applied again. 
>> 
>> 
>> I'm going to add some log to try to reproduce it. (BTW, it could be great to logs rules changed, maybe an audit log with a diff could be great) 
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>> 
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 




More information about the pve-devel mailing list