Project

General

Profile

Bug #8450

High Availability Sync / xmlrpc.php removes "remote system username" on backup cluster member

Added by Alex S 11 months ago. Updated 11 months ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
XmlRPC
Target version:
Start date:
04/10/2018
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.4.3
Affected Architecture:

Description

Two-member cluster:
- Primary: upgraded from 2.4.2-p1 to 2.4.3 using the GUI
- Backup: issue occurs both after an upgrade from 2.4.2-p1 to 2.4.3 using the GUI, as well as after a 2.4.3 clean install + configuration restore.

The php-fpm process running on the backup firewall removes the local user account ("xmlrpcsync") defined for configuration sync.

php-fpm 243 /xmlrpc.php: Removing user: xmlrpcsync

In addition, the "admins" group on the backup firewall is removed as well.

The behaviour is consistent on two pfSense two-node clusters running 2.4.3.

Primary FW - Configuration Synchronization Settings (XMLRPC Sync).png (30.7 KB) Primary FW - Configuration Synchronization Settings (XMLRPC Sync).png Configuration Synchronization settings on the primary firewall Alex S, 04/11/2018 12:19 AM
Secondary FW - Log excerpt - xmlrpc.php removing user.png (2.87 KB) Secondary FW - Log excerpt - xmlrpc.php removing user.png General system log entry depicting the removal of the configuration sync account Alex S, 04/11/2018 12:19 AM
Secondary FW - Users - After sync.png (6.89 KB) Secondary FW - Users - After sync.png User accounts on the backup firewall before configuration sync Alex S, 04/11/2018 12:19 AM
Secondary FW - Users - Before sync.png (8.92 KB) Secondary FW - Users - Before sync.png User accounts on the backup firewall after configuration sync Alex S, 04/11/2018 12:19 AM

Associated revisions

Revision ff13ca0d (diff)
Added by Jim Pingle 11 months ago

Only alter users/groups via XMLRPC when the primary is set to do so. Fixes #8450

(cherry picked from commit be4693a1e79d89cfc6ea797fcb7fb56b5052c26d)

Revision d3cc158c (diff)
Added by Jim Pingle 11 months ago

Only alter users/groups via XMLRPC when the primary is set to do so. Fixes #8450

History

#1 Updated by Chris Linstruth 11 months ago

Does the xmlrpcsync user exist on the primary?

I use a custom user (xmlrpc) for this and it survived the upgrade, as well as countless 2.4.3-DEV/BETA/RC upgrades so there might be something peculiar about your config.

I would suggest hashing this out on the forum and if a specific set of steps to duplicate can be found, post them. There has to be more to it than simply upgrading.

#2 Updated by Alex S 11 months ago

No, the xmlrpcsync user does not exist on the primary. However, since the "user manager users and groups" checkbox is not checked on the "configuration synchronisation settings" page, this should not be relevant to this particular scenario, right? FYI, I have created a test user and a test group on the primary, and - as expected - these are not created on the secondary.

Furthermore, the fact that the "admins" group was also removed, and that this behaviour can be duplicated on a fresh install with its configuration restored on two different clusters, has made me believe that this looks like a bug.

I will do some additional checks and report back.

#3 Updated by Chris Linstruth 11 months ago

OK now we're getting somewhere. I can confirm that there is something to look at here regarding syncing users from the primary to the secondary when the sync users box is unchecked on the primary. I saw the same as you. The admins group and xmlrpcsync user were deleted on the secondary.

It is unrelated to the upgrade though as simply disabling the sync user manager checkbox and forcing a config sync seems to trigger this when both nodes are already 2.4.3.

#4 Updated by Jim Pingle 11 months ago

  • Priority changed from Normal to High
  • Target version set to 2.4.4

#5 Updated by Jim Thompson 11 months ago

  • Assignee set to Jim Pingle

#6 Updated by Jim Pingle 11 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#7 Updated by Jim Pingle 11 months ago

  • Target version changed from 2.4.4 to 2.4.3_1

#8 Updated by Paighton Bisconer 11 months ago

Tested on 2.4.4.a.20180507.0753, confirmed resolved.

#9 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF