
lxd/certificates: Improve token handling when clustered

Open simondeziel opened this issue 1 year ago • 1 comments

From https://github.com/lxc/incus/pull/565

I have an Incus cluster which is reachable through a VIP managed by Keepalived. The core.https_address of each node is set to listen on the VIP (net.ipv4.ip_nonlocal_bind=1 on each node). To add a remote client I followed this procedure:

From one of the nodes (not the one with the VIP), I created a token using incus config trust add <client_name>. On the client, I created a new remote using incus remote add <remote_name>.

But unfortunately it failed with a cryptic error message: Error: Failed to create certificate: Bad certificate add operation data. If I create the token on the node with the VIP, everything is OK.

Digging through the code I discovered that the problem is due to the token operation retrieval. The code assumes that the token operation is a local operation, but in fact the operation can be a remote one: in my case, the token was created on one node, but the token processing was done on the node with the VIP. This PR fixes this issue.

simondeziel avatar Feb 29 '24 23:02 simondeziel
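
A minimal model of the lookup problem described in the post above, added here as an illustration; it is not code from the PR, LXD or Incus. The Member type, its in-memory ops map and both Redeem functions are hypothetical, and the token value is constructed.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Member is a hypothetical cluster member holding its own pending token operations.
type Member struct {
	Name string
	ops  map[string]string // client name -> token secret (constructed model)
}

var ErrNoOperation = errors.New("no matching token operation")

// consume checks the secret in constant time and deletes the operation on
// success, so a token stays single-use.
func (m *Member) consume(client, secret string) error {
	want, ok := m.ops[client]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(secret)) != 1 {
		return ErrNoOperation
	}
	delete(m.ops, client)
	return nil
}

// RedeemLocal searches only the member that received the request, which is
// the assumption the post says breaks behind a VIP.
func RedeemLocal(receiver *Member, client, secret string) error {
	return receiver.consume(client, secret)
}

// RedeemClustered searches every member and consumes the token on the member
// that created it, so a replay fails no matter which member is asked.
func RedeemClustered(members []*Member, client, secret string) error {
	for _, m := range members {
		if m.consume(client, secret) == nil {
			return nil
		}
	}
	return ErrNoOperation
}

func main() {
	creator := &Member{Name: "node1", ops: map[string]string{"laptop": "constructed-secret"}}
	vip := &Member{Name: "node2", ops: map[string]string{}}
	all := []*Member{creator, vip}
	fmt.Println("local:", RedeemLocal(vip, "laptop", "constructed-secret"))
	fmt.Println("clustered:", RedeemClustered(all, "laptop", "constructed-secret"))
	fmt.Println("replay:", RedeemClustered(all, "laptop", "constructed-secret"))
}
```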

The commit message does not explain what improvements are being made so hard to review I'm afraid.

Added description and link to original PR.

tomponline avatar Mar 01 '24 09:03 tomponline

Feels like a niche edge case and I don't fully understand the Go code and the warnings from revive so I'd be inclined to simply close this.

simondeziel avatar Mar 07 '24 14:03 simondeziel

static analysis failing too

tomponline avatar Apr 05 '24 07:04 tomponline