core.trust_password is reset when leaving a cluster
21 views
Skip to first unread message
Felix Gläske
Jun 7, 2021, 2:41:47 AM6/7/21
to lxc-users
When I remove a node from a cluster via "lxc cluster remove nodeX" the nodes config setting for "trust_password" is reset/unset.
The issue is that, I can not access the lxd rest api anymore after that operation and therefor loose my ability to remotely control the lxd node.
I'm not sure if this is a bug or a feature.
Stéphane Graber
Jun 7, 2021, 4:09:51 PM6/7/21
to Felix Gläske, lxc-users
So this is intended. When a cluster node is removed, it's effectively wiped.
Removing the cluster node first checks that all instances and volumes
are gone from it (it will refuse to remove otherwise), it then wipes
any remaining local references to storage pools and networks, the
server certificate is then removed from the trusted store in the
cluster and the server instructed to remove the certificate and
restart using its own local certificate. Lastly the database available
to the remote cluster server is stripped of just about everything
except the records that were specific to that node (like its address).
This means that the trust store is completely wiped as is config like
core.trust_password (which you only use on initial join, the
certificate in the trust store being gone is what's actually
preventing you access).
> --
> You received this message because you are subscribed to the Google Groups "lxc-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to lxc-users+...@lists.linuxcontainers.org.
> To view this discussion on the web visit https://groups.google.com/a/lists.linuxcontainers.org/d/msgid/lxc-users/5c66895a-b2d5-4500-b165-bec2f2d506ddn%40lists.linuxcontainers.org.
Removing the cluster node first checks that all instances and volumes
are gone from it (it will refuse to remove otherwise), it then wipes
any remaining local references to storage pools and networks, the
server certificate is then removed from the trusted store in the
cluster and the server instructed to remove the certificate and
restart using its own local certificate. Lastly the database available
to the remote cluster server is stripped of just about everything
except the records that were specific to that node (like its address).
This means that the trust store is completely wiped as is config like
core.trust_password (which you only use on initial join, the
certificate in the trust store being gone is what's actually
preventing you access).
> You received this message because you are subscribed to the Google Groups "lxc-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to lxc-users+...@lists.linuxcontainers.org.
> To view this discussion on the web visit https://groups.google.com/a/lists.linuxcontainers.org/d/msgid/lxc-users/5c66895a-b2d5-4500-b165-bec2f2d506ddn%40lists.linuxcontainers.org.
Reply all
Reply to author
Forward
0 new messages