incusd/certificates: Improve token handling when clustered #565
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: montag451 <[email protected]>
stgraber
reviewed
Feb 29, 2024
stgraber
approved these changes
Feb 29, 2024
|
Confirmed that the code path is safe, thanks! |
simondeziel
pushed a commit
to simondeziel/lxd
that referenced
this pull request
Mar 7, 2024
From lxc/incus#565: > I have an Incus cluster which is reachable through a VIP managed by > Keepalived. The `core.https_address` of each node is set to listen on the VIP > (`net.ipv4.ip_nonlocal_bind=1` on each node). To add a remote client I followed > this procedure: > > From one of the node (not the one with the VIP), I created a token using: > `incus config trust add <client_name>` > On the client I created a new remote using: > `incus remote add <remote_name> <token>` > > But unfortunately it failed with a cryptic error message `Error: Failed to > create certificate: Bad certificate add operation data.`. If I create the token > on the node with the VIP, everything is OK. > > Digging through the code I discovered that the problem is due to the token > operation retrieval. The code assume that the token operation is a local > operation but in fact the operation can be a remote one : in my case, the > token was created on one node, but the token processing was done on the node > with the VIP. This PR fixes this issue. Signed-off-by: montag451 <[email protected]> (cherry picked from commit e0de0664549cb6031088a88efde97261ef368d73) Signed-off-by: Simon Deziel <[email protected]> License: Apache-2.0
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi,
I have an Incus cluster which is reachable through a VIP managed by Keepalived. The
core.https_addressof each node is set to listen on the VIP (net.ipv4.ip_nonlocal_bind=1 on each node). To add a remote client I followed this procedure:incus config trust add <client_name>incus remote add <remote_name> <token>But unfortunately it failed with a cryptic error message
Error: Failed to create certificate: Bad certificate add operation data. If I create the token on the node with the VIP, everything is OK.Digging through the code I discovered that the problem is due to the token operation retrieval. The code assume that the token operation is a local operation but in fact the operation can be a remote one : in my case, the token was created on one node, but the token processing was done on the node with the VIP. This PR fixes this issue.