Bug 919 - Throw an error if there's another host with the same IP in the subnet.
Product: OpenVZ
Classification: Unclassified
Component: vzctl
All Other Linux
: P2 normal
Assigned To: Igor Sukhih
Reported: 2008-06-20 10:56 EDT by Konstantin Pavlov
Modified: 2009-11-18 19:22 EST

Fail if there is another machine in the network with the same ip (764 bytes, patch)
2008-06-20 10:56 EDT, Konstantin Pavlov
patch (1.31 KB, patch)
2008-07-02 07:42 EDT, Konstantin Pavlov
Fail-if-there-s-another-host-with-the-same-IP-in-the-subnet (2.18 KB, patch)
2008-09-02 06:38 EDT, Konstantin Pavlov

Description Konstantin Pavlov 2008-06-20 10:56:20 EDT
Created attachment 659
Fail if there is another machine in the network with the same ip

vzctl displays a warning if there is a host in the same subnet with the same IP that's being assigned to CT.  This behaviour leads to DoS of another container/host, which is unacceptable in a production environment.  Proposed patch causes vzctl to produce an error instead of warning, leaving the container fully alive with no networking, that doesn't cause any impact on already working CT with the same IP.

refs http://bugzilla.openvz.org/show_bug.cgi?id=869
Comment 1 Dmitry V. Levin 2008-06-20 11:47:29 EDT
Suggested behavior may be desired or unwanted depending on network configuration.
For example, there is at least one ISP in Moscow where such behavior would be unacceptable.  That is, suggested change in behavior should be optional.
Comment 2 Konstantin Pavlov 2008-06-25 06:03:18 EDT
I fail to see how it could be unwanted, please elaborate.

Looking forward to hearing from bug assignee as well.
Comment 3 Konstantin Pavlov 2008-07-02 07:38:12 EDT
Ok, let's make it optional.

Here goes the updated patch.
Comment 4 Konstantin Pavlov 2008-07-02 07:42:49 EDT
Created attachment 669
Comment 5 Konstantin Pavlov 2008-07-30 09:55:56 EDT
uhm, would there be any comments?
Comment 6 Kir Kolyshkin 2008-08-20 11:13:06 EDT
Could you please redo the patch with

1. An appropriate addition to vz.conf(5) man page.
2. Default to "no" (maybe just comment it out in vz.conf)
3. "IP" in upper-case in a comment.

Comment 7 Konstantin Pavlov 2008-09-02 06:38:33 EDT
Created attachment 730

Updated patch with changes suggested by kir in c6.
Comment 8 Konstantin Pavlov 2008-10-24 10:52:44 EDT
Guys, I know you're busy and stuff, but please, take a look at this again one more time.
Comment 9 Kir Kolyshkin 2008-10-27 08:14:54 EDT
> +	[ "$ERROR_ON_ARPFAIL" = 'yes' ] && VZERROR=vzerror || VZERROR=vzwarning
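
Review bot: the test `[ "$ERROR_ON_ARPFAIL" = 'yes' ]` at the start of this line matches only the exact lowercase string, so a value such as "Yes" or "YES" silently selects vzwarning and the duplicate-IP check stays non-fatal with no indication that the setting was ignored. Either normalise the value before comparing or state in the vz.conf(5) text that only lowercase yes enables the error. The `&& ... || ...` chain is also correct only because the assignment after `&&` cannot fail; an explicit if/else would not depend on that.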

I see two problems in this line:

(1) name VZERROR is misleading, especially in case it is set to vzwarning

(2) you initialize a new global variable within a function

Will fix it myself.
Comment 10 Kir Kolyshkin 2008-10-27 10:35:04 EDT
Another problem -- patched vzarpipdetect() prints "ERROR" instead of "WARNING" if ERROR_ON_ARPFAIL is set, but still vps-net_add exits with 0 exit code, which means vzctl continues to set up this IP inside the container and does everything else -- the only part that is skipped is in the vps-net_add file after 'vzarpipdetect' line.

So I guess you need to call vzerror with the second argument of 1.

Could you please redo the patch, taking into account my today's comments?
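
The failure mode described in comment 10, as an added shell sketch that is not vzctl code and not part of the thread: a detector that only changes its message still returns 0, so the caller goes on to configure the address, while a detector that returns non-zero stops it. Apart from ERROR_ON_ARPFAIL, every name here (IPS_IN_USE, ip_in_use, detect_label_only, detect_fail_closed, add_ip) is hypothetical, and the in-use list is constructed sample data standing in for a real ARP probe.

```sh
#!/bin/sh
# Added example: hypothetical names throughout, except ERROR_ON_ARPFAIL.

# Constructed sample data standing in for the result of an ARP probe.
IPS_IN_USE="192.0.2.10 192.0.2.20"

ip_in_use() {
    case " $IPS_IN_USE " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Comment 10's failure mode: the label changes, the exit status does not.
detect_label_only() {
    if ip_in_use "$1"; then
        if [ "$ERROR_ON_ARPFAIL" = yes ]; then
            echo "ERROR: $1 is already in use on the subnet" >&2
        else
            echo "WARNING: $1 is already in use on the subnet" >&2
        fi
    fi
    return 0
}

# Corrected: a conflict is fatal (non-zero status) when the option is set.
detect_fail_closed() {
    ip_in_use "$1" || return 0
    if [ "$ERROR_ON_ARPFAIL" = yes ]; then
        echo "ERROR: $1 is already in use on the subnet" >&2
        return 1
    fi
    echo "WARNING: $1 is already in use on the subnet" >&2
    return 0
}

# Stand-in for the caller: it only looks at the detector's exit status.
add_ip() {    # $1 = detector function name, $2 = IP to assign
    if "$1" "$2"; then
        echo "configured $2"
    else
        echo "refused $2"
    fi
}

ERROR_ON_ARPFAIL=yes
for detector in detect_label_only detect_fail_closed; do
    echo "$detector: $(add_ip "$detector" 192.0.2.10 2>/dev/null)"
done
```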
Comment 11 Konstantin Pavlov 2008-10-27 10:36:43 EDT
Yes, but it will take some time as now I'm overburdened with other activities.
Comment 12 Kir Kolyshkin 2008-10-29 10:52:18 EDT
JFYI: I'm going to give new vzctl build to QA in one or two days; rush if you want this to be included into 3.0.23, otherwise let's target this for >= 3.0.24.
Comment 13 Kir Kolyshkin 2009-10-19 10:52:26 EDT
Going to release vzctl-3.0.24 in the near future; please work on this patch if you want it to be included.
Comment 14 Kir Kolyshkin 2009-11-08 18:24:44 EST
OK I have reworked the patch myself.

Committed to GIT:
(part 1) http://git.openvz.org/?p=vzctl;a=commit;h=692078b1026bd2523b2e4dce2c68e37cd5219aca
(part 2) http://git.openvz.org/?p=vzctl;a=commit;h=c8c2e8caae6481546c9ad81df945822cd0ec5d89

Will be available in vzctl >= 3.0.24
Comment 15 Konstantin Pavlov 2009-11-18 19:22:57 EST
Thanks, Kir! Keep up the good work.