Actions
Anomalie #1115
fermécontroller.vm.april-int openvpn est tombé
Difficulté:
3 Moyen
Description
openvpn ne fonctionne plus sur controller.vm.april-int. Il est relancé. Un effet de bord est que toutes les instances openstack ne ping plus 192.168.0.0/16. Sur nagios.vm.april-int par exemple:
root@nagios:~# ip r
default via 10.145.4.4 dev eth0
10.145.4.0/24 dev eth0 proto kernel scope link src 10.145.4.9
192.168.0.0/16 via 192.168.4.1 dev eth0 src 192.168.4.5
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.5
root@nagios:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether fa:16:3e:1a:bb:7b brd ff:ff:ff:ff:ff:ff
inet 10.145.4.9/24 brd 10.145.4.255 scope global eth0
inet 192.168.4.5/24 scope global eth0
inet6 fe80::f816:3eff:fe1a:bb7b/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
malgré tout c'est 10.145.4.4 qui est utilisé pour router 192.168.2.12 au lieu de 192.168.4.1
root@nagios:~# ip r get 192.168.2.12
192.168.2.12 via 10.145.4.4 dev eth0 src 192.168.4.5
cache <redirected> ipid 0x8c6f
ce qui est probablement un effet de bord du fait que la route vers 192.168.2.12 a échoué pendant la panne du VPN et que la route par défaut a été utilisée a la place. Pour rétablir la situation il suffit de flusher le cache:
root@nagios:~# ip r flush cache
root@nagios:~# ip r get 192.168.2.12 from 192.168.4.5
192.168.2.12 from 192.168.4.5 via 192.168.4.1 dev eth0
cache ipid 0x8c6f
Actions
#1
Mis à jour par Loïc Dachary il y a environ 12 ans
Pour reproduire le problème:
ssh root@controller.vm.april-int
root@controller:~# ip r
default via 10.145.4.4 dev eth0
10.145.4.0/24 dev eth0 proto kernel scope link src 10.145.4.5
192.168.0.0/24 via 192.168.0.21 dev tun0 src 192.168.4.1
192.168.0.21 dev tun0 proto kernel scope link src 192.168.0.22
192.168.1.0/24 via 192.168.0.21 dev tun0
192.168.2.0/24 via 192.168.0.21 dev tun0
192.168.3.0/24 via 192.168.0.21 dev tun0
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.1
192.168.5.0/24 via 192.168.0.21 dev tun0
root@controller:~# ip r show cache 192.168.42.42
root@controller:~#
root@controller:~# ping -c1 192.168.42.42
PING 192.168.42.42 (192.168.42.42) 56(84) bytes of data.
From 212.27.40.57 icmp_seq=1 Packet filtered
--- 192.168.42.42 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
root@controller:~# ip r show cache 192.168.42.42
192.168.42.42 via 10.145.4.4 dev eth0 src 10.145.4.5
cache
192.168.42.42 from 10.145.4.5 via 10.145.4.4 dev eth0
cache
Actions
#2
Mis à jour par Loïc Dachary il y a environ 12 ans
- Statut changé de En cours de traitement à Résolu
commit 54aa1c40732654736401962f0775e94b10456169
Author: Loic Dachary <loic@dachary.org>
Date: Mon Dec 17 09:55:23 2012 +0000
flush all routes when the VPN goes up to discard incorrect cached routes https://agir.april.org/issues/1115
diff --git a/.etckeeper b/.etckeeper
index ba2ed97..c69f180 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -441,6 +441,8 @@ maybe chmod 0644 './openvpn/keys/ca.crt'
maybe chmod 0644 './openvpn/keys/yopo.crt'
maybe chmod 0644 './openvpn/keys/yopo.csr'
maybe chmod 0600 './openvpn/keys/yopo.key'
+maybe chgrp staff './openvpn/route-flush'
+maybe chmod 0755 './openvpn/route-flush'
maybe chmod 0755 './openvpn/update-resolv-conf'
maybe chmod 0755 './opt'
maybe chmod 0644 './os-release'
diff --git a/openvpn/client.conf b/openvpn/client.conf
index 743a6fa..168f74a 100644
--- a/openvpn/client.conf
+++ b/openvpn/client.conf
@@ -133,4 +133,6 @@ mute 20
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
-
+script-security 2
+# for more information https://agir.april.org/issues/1115
+up /etc/openvpn/route-flush
diff --git a/openvpn/route-flush b/openvpn/route-flush
new file mode 100755
index 0000000..384dc57
--- /dev/null
+++ b/openvpn/route-flush
@@ -0,0 +1,2 @@
+#!/bin/bash
+/sbin/ip route flush cache
Actions
#4
Mis à jour par Loïc Dachary il y a environ 12 ans
Si le controller envoie des ICMP redirect c'est pas bon. On tente de le desactiver mais il envoie encore des redirect.
root@controller:~# tcpdump -i eth0 host jenkins.vm.april-int tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 11:38:05.968852 IP 192.168.4.3 > 192.168.20.238: ICMP echo request, id 22377, seq 1, length 64 11:38:05.968899 IP 192.168.4.1 > 192.168.4.3: ICMP redirect 192.168.20.238 to host 10.145.4.4, length 92 11:38:05.968926 IP 192.168.4.3 > 192.168.20.238: ICMP echo request, id 22377, seq 1, length 64 11:38:10.977876 ARP, Request who-has 192.168.4.3 tell 192.168.4.1, length 28 11:38:10.978251 ARP, Reply 192.168.4.3 is-at fa:16:3e:54:fc:2f (oui Unknown), length 28 ^C 5 packets captured 9 packets received by filter 0 packets dropped by kernel root@controller:~# sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects = 0
Actions
#5
Mis à jour par Loïc Dachary il y a environ 12 ans
http://dachary.org/?p=1704 flushing OpenVPN routes to prevent temporary incorrect routing
Actions