Bug #8450
closed
High Availability Sync / xmlrpc.php removes "remote system username" on backup cluster member
100%
Description
Two-member cluster:
- Primary: upgraded from 2.4.2-p1 to 2.4.3 using the GUI
- Backup: issue occurs both after an upgrade from 2.4.2-p1 to 2.4.3 using the GUI, as well as after a 2.4.3 clean install + configuration restore.
The php-fpm process running on the backup firewall removes the local user account ("xmlrpcsync") defined for configuration sync.
php-fpm 243 /xmlrpc.php: Removing user: xmlrpcsync
In addition, the "admins" group on the backup firewall is removed as well.
The behaviour is consistent on two pfSense two-node clusters running 2.4.3.
Files
| Primary FW - Configuration Synchronization Settings (XMLRPC Sync).png (30.7 KB) Primary FW - Configuration Synchronization Settings (XMLRPC Sync).png | Configuration Synchronization settings on the primary firewall | ||
| Secondary FW - Log excerpt - xmlrpc.php removing user.png (2.87 KB) Secondary FW - Log excerpt - xmlrpc.php removing user.png | General system log entry depicting the removal of the configuration sync account | ||
| Secondary FW - Users - After sync.png (6.89 KB) Secondary FW - Users - After sync.png | User accounts on the backup firewall before configuration sync | ||
| Secondary FW - Users - Before sync.png (8.92 KB) Secondary FW - Users - Before sync.png | User accounts on the backup firewall after configuration sync |
Updated by Chris Linstruth about 6 years ago
Does the xmlrpcsync user exist on the primary?
I use a custom user (xmlrpc) for this and it survived the upgrade, as well as countless 2.4.3-DEV/BETA/RC upgrades so there might be something peculiar about your config.
I would suggest hashing this out on the forum and if a specific set of steps to duplicate can be found, post them. There has to be more to it than simply upgrading.
Updated by Alex S about 6 years ago
No, the xmlrpcsync user does not exist on the primary. However, since the "user manager users and groups" checkbox is not checked on the "configuration synchronisation settings" page, this should not be relevant to this particular scenario, right? FYI, I have created a test user and a test group on the primary, and - as expected - these are not created on the secondary.
Furthermore, the fact that the "admins" group was also removed, and that this behaviour can be duplicated on a fresh install with its configuration restored on two different clusters, has made me believe that this looks like a bug.
I will do some additional checks and report back.
Updated by Chris Linstruth about 6 years ago
OK now we're getting somewhere. I can confirm that there is something to look at here regarding syncing users from the primary to the secondary when the sync users box is unchecked on the primary. I saw the same as you. The admins group and xmlrpcsync user were deleted on the secondary.
It is unrelated to the upgrade though as simply disabling the sync user manager checkbox and forcing a config sync seems to trigger this when both nodes are already 2.4.3.
Updated by Jim Pingle about 6 years ago
- Priority changed from Normal to High
- Target version set to 2.4.4
Updated by .png){kind=link}
Updated by Jim Pingle almost 6 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset ff13ca0dfe2e016cb21141f0dbd7cdad44e55a46.
Updated by Jim Pingle almost 6 years ago
- Target version changed from 2.4.4 to 2.4.3-p1
Updated by Paighton Bisconer almost 6 years ago
Tested on 2.4.4.a.20180507.0753, confirmed resolved.
Updated by Jim Pingle almost 6 years ago
- Status changed from Feedback to Resolved