Bugzilla – Bug 919
Throw an error if there's another host with the same IP in the subnet.
Last modified: 2009-11-18 19:22:57 EST
Created attachment 659 [details]
Fail if there is another machine in the network with the same IP
vzctl displays a warning if there is a host in the same subnet with the same IP that is being assigned to a CT. This behaviour leads to a DoS of another container/host, which is unacceptable in a production environment. The proposed patch causes vzctl to produce an error instead of a warning, leaving the container fully alive with no networking, which doesn't cause any impact on an already working CT with the same IP.
The suggested behavior may be desired or unwanted depending on the network configuration.
For example, there is at least one ISP in Moscow where such behavior would be unacceptable. That is, the suggested change in behavior should be optional.
I fail to see how it could be unwanted; please elaborate.
Looking forward to hearing from the bug assignee as well.
Ok, let's make it optional.
Here goes the updated patch.
Created attachment 669 [details]
Uhm, would there be any comments?
Could you please redo the patch with
1. An appropriate addition to vz.conf(5) man page.
2. Default to "no" (maybe just comment it out in vz.conf)
3. "IP" in upper-case in a comment.
Created attachment 730 [details]
Updated patch with changes suggested by kir in c6.
Guys, I know you're busy and stuff, but please, take a look at this again.
> + [ "$ERROR_ON_ARPFAIL" = 'yes' ] && VZERROR=vzerror || VZERROR=vzwarning
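Review bot: the `[ ... ] && VZERROR=vzerror || VZERROR=vzwarning` chain on this line only behaves as an if/else because a plain assignment never fails; if the left-hand branch is ever changed to a command that can return non-zero, the `|| VZERROR=vzwarning` fallback will also run and silently downgrade the error to a warning. Spell the intent out as `if [ "$ERROR_ON_ARPFAIL" = 'yes' ]; then ...; else ...; fi` inside the function, and give the variable a name that describes its role (the helper to report with) rather than one that reads as if it were always an error.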
I see two problems in this line:
(1) the name VZERROR is misleading, especially in case it is set to vzwarning
(2) you initialize a new global variable within a function
Will fix it myself.
Another problem -- patched vzarpipdetect() prints "ERROR" instead of "WARNING" if ERROR_ON_ARPFAIL is set, but still vps-net_add exits with 0 exit code, which means vzctl continues to set up this IP inside the container and does everything else -- the only part that is skipped is in the vps-net_add file after the 'vzarpipdetect' line.
So I guess you need to call vzerror with the second argument of 1.
Could you please redo the patch, taking into account my today's comments?
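The control flow under discussion (warn by default, fail the operation when ERROR_ON_ARPFAIL=yes, and make the failure visible to the caller through a non-zero exit status so the IP is never configured) as an added example. This is not vzctl's own code and not the patch from this bug: the `vzwarning`/`vzerror` helpers, the `arp_probe_stub` and its `ARP_TABLE_STUB` list, and the function names are assumptions constructed for illustration, standing in for the real arpsend(8) probe and the real helpers in vps-functions.

```shell
#!/bin/sh
# Added example, not vzctl's code. Models vzarpipdetect()/vps-net_add
# behaviour discussed in the bug: ERROR_ON_ARPFAIL decides whether a
# duplicate IP on the segment is a warning or a hard failure.

# Hypothetical stand-ins for vzctl's vzwarning/vzerror helpers (assumption).
# vzerror MSG [STATUS] reports and returns STATUS so the caller can abort;
# the real helper exits, which is why the patch needs the second argument.
vzwarning() { echo "WARNING: $1" >&2; }
vzerror()   { echo "ERROR: $1" >&2; return "${2:-0}"; }

# Constructed list of IPs already answered by other hosts on the segment.
# Simulation only; real vzctl probes the wire with arpsend(8).
ARP_TABLE_STUB="10.0.0.5 10.0.0.7"

# arp_probe_stub IP: 0 if another host answers for IP, 1 otherwise.
arp_probe_stub() {
    for seen in $ARP_TABLE_STUB; do
        [ "$seen" = "$1" ] && return 0
    done
    return 1
}

# vzarpipdetect_example "IP IP ...": returns 0 when there is no conflict,
# or when a conflict exists but ERROR_ON_ARPFAIL is not 'yes' (warn only);
# returns 1 when a conflict exists and ERROR_ON_ARPFAIL=yes.
# Uses local variables and an explicit if/else instead of the
# `[ ... ] && A || B` idiom and a global set inside the function.
vzarpipdetect_example() {
    local ip dup=""
    for ip in $1; do
        if arp_probe_stub "$ip"; then
            dup="$dup $ip"
        fi
    done
    [ -z "$dup" ] && return 0

    if [ "$ERROR_ON_ARPFAIL" = 'yes' ]; then
        # second argument 1: caller sees a failure and must stop
        vzerror "IP address(es) already in use:$dup" 1
        return $?
    else
        vzwarning "IP address(es) already in use:$dup"
        return 0
    fi
}

# Caller modelled on vps-net_add: the IP is configured only if the
# detection step succeeded, so a conflict never reaches the container.
vps_net_add_example() {
    vzarpipdetect_example "$1" || return 1
    echo "configured $1"
    return 0
}
```

With ERROR_ON_ARPFAIL unset or 'no' the function only warns and the caller proceeds, which is the pre-patch behaviour; with 'yes' the caller aborts before touching the container's networking, which is what the proposed option is for.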
Yes, but it will take some time as now I'm overburdened with other activities.
JFYI: I'm going to give a new vzctl build to QA in one or two days; rush if you want this to be included in 3.0.23, otherwise let's target this for >= 3.0.24.
Going to release vzctl-3.0.24 in the near future; please work on this patch if you want it to be included.
OK, I have reworked the patch myself.
Committed to GIT:
(part 1) http://git.openvz.org/?p=vzctl;a=commit;h=692078b1026bd2523b2e4dce2c68e37cd5219aca
(part 2) http://git.openvz.org/?p=vzctl;a=commit;h=c8c2e8caae6481546c9ad81df945822cd0ec5d89
Will be available in vzctl >= 3.0.24
Thanks, Kir! Keep up the good work.