Right permissions to stop VM with "fence_pve"

xtavras

Jun 29, 2015
Hi,

I'm testing the "fence_pve" [1] stonith agent right now. It works fine with the root@pam user, but not with a dedicated one.
I've created a new role "Stonith-role" with the "VM.PowerMgmt" and "VM.Audit" permissions and attached it to the hitman@pam user. I can log in with this user in the Proxmox GUI and stop/start the VM without problems, but using "fence_pve" I'm getting a timeout.


Code:
redis1:~# fence_pve --action=reboot --ip=192.168.122.6 --username=hitman@pam --password=secret --plug=100
Failed: Timed out waiting to power OFF

but "status" action actually works

Code:
redis1:~# fence_pve --action=status --ip=192.168.122.6 --username=hitman@pam --password=secret --plug=100
Status: ON

Does anybody know what's missing?


[1] https://www.mankier.com/8/fence_pve
 
Wireshark has built-in support for decrypting SSL. You only need to supply Wireshark with the corresponding SSL private and public keys/certificates and DH session key.
 
LnxBil, yes, I mentioned it with "without using MITM decryption", because as far as I know I need to run Wireshark live on the server to be able to do that (importing a tcpdump dump file will not work).
 
My co-worker has fixed the problem; I hope it will be merged here: https://github.com/ClusterLabs/fence-agents/pull/75

Here is the patch for "fence_pve":


fence_pve_disable_skiplock.patch

Code:
--- fence_pve    2016-05-25 10:25:27.794815427 +0200

+++ fence_pve.modified    2016-05-25 10:25:01.722815492 +0200
@@ -103,7 +103,10 @@
         conn.setopt(pycurl.COOKIE, options["auth"]["ticket"])
         conn.setopt(pycurl.HTTPHEADER, [options["auth"]["CSRF_token"]])
     if post is not None:
-        conn.setopt(pycurl.POSTFIELDS, urllib.urlencode(post))
+        if "skiplock" in post:
+            conn.setopt(conn.CUSTOMREQUEST, 'POST')
+        else:
+            conn.setopt(pycurl.POSTFIELDS, urllib.urlencode(post))
     conn.setopt(pycurl.WRITEFUNCTION, output_buffer.write)
     conn.setopt(pycurl.TIMEOUT, int(options["--shell-timeout"]))
     if options.has_key("--ssl") or options.has_key("--ssl-secure"):
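
Review bot: In the new `if "skiplock" in post:` branch the request is sent with `CUSTOMREQUEST` set to 'POST' and no `POSTFIELDS` at all, so every other key in `post` is silently dropped along with skiplock. If the intent is only to stop sending skiplock (which fits the thread: the call works as root@pam but times out for the dedicated user), it would be safer to leave that key out where the dict is built, or to filter it out here and still pass the remaining fields through `urllib.urlencode(post)`, falling back to `CUSTOMREQUEST` only when nothing is left to send. A short comment on why skiplock is special-cased would also help the next reader. Style point: the added line uses `conn.CUSTOMREQUEST` while the surrounding lines use the `pycurl.` constants; `pycurl.CUSTOMREQUEST` would match.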