Migration tool duplicates Redis keys of node

mrmarkuz · May 6, 2024, 9:46pm

I needed to correct a wrong value, my NS8 runs on Debian 12. It seems that reconnecting the migration tool in some cases (like wrong DNS settings) increases the last octet of the Wireguard VPN IP of the NS7 (10.5.4.10) but doesn’t adapt the “AllowedIPs” on NS8 correctly that still was set to 10.5.4.3.
Following steps helped:

Get the right Wireguard IP of NS7:

[root@testserver ~]# ip a s dev ns8
5: ns8: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.5.4.10/32 scope global ns8

Edit /etc/wireguard/wg0.conf on NS8 and change the AllowedIPs of the NS7 peer to the right one.

[Peer]
PublicKey = UjwxpNWsdRF/egLJDaJofb7fEYrUrH3pT3CxdS4Ws4o=
AllowedIPs = 10.5.4.10/32
Endpoint = 192.168.3.162:53080
PersistentKeepalive = 25

Restart wireguard service on NS8:

systemctl restart wg-quick@wg0

Here’s a similar issue, partly solved by changing the IP on NS7 to the allowed one on NS8 (other way round):

davidep · June 3, 2024, 3:10pm

Bug filed here

github.com/NethServer/dev

Migration tool duplicates Redis keys of node

opened 03:00PM - 03 Jun 24 UTC

DavidePrincipi

bug

If the ns8-join command of the migration tool fails, a duplicate Redis key is ge…nerated for each failed attempt. If many failed attempts were run, the Wireguard peer table is polluted by duplicates and the wg0 configuration breaks. **Steps to reproduce** - Create a cluster with a bad VPN host endpoint (explode the VPN advanced form to find it). For example, set `myhost.dom.test`. As consequence, the leader FQDN is not in DNS: it is a condition that despite the docs, is often forgot. - Join NS8 cluster with the IP address. E.g. `ns8-join --no-tlsverify <LEADER_IP> admin Nethesis,1234` - Leave the cluster, e.g. `ns8-leave` - Repeat leave/join steps 5 times **Expected behavior** Join fails. Only the last join attempt is left in the Redis DB, with the higher NODE_ID. **Actual behavior** After last join attempt in ns7: ``` [root@nscom2 ~]# config show wg-quick@ns8 wg-quick@ns8=service Address=10.5.4.7 RemoteEndpoint=rl1.dom.test:55820 RemoteKey=XXXXXXXX RemoteNetwork=10.5.4.0/24 status=enabled ``` Node keys from the first join attempt are still in place: ``` [root@rl1 ~]# redis-cli keys node/*/vpn 1) "node/7/vpn" 2) "node/5/vpn" 3) "node/4/vpn" 4) "node/6/vpn" 5) "node/3/vpn" 6) "node/2/vpn" 7) "node/1/vpn" ``` They overwrite the Wireguard "allowed ips" field, breaking the VPN configuration: ``` [root@rl1 ~]# wg interface: wg0 public key: pfd5Bm8HnII6ZC18Ojuhrn02sBen1fvDX29KroKARxs= private key: (hidden) listening port: 55820 peer: RKUWF/SLwotQJq5OfDxUFSoHhSZ0D7kwGMAocwX9FSI= allowed ips: 10.5.4.5/32 persistent keepalive: every 25 seconds ``` :warning: note IP 10.5.4.5, from a stale Redis node key. **Components** - core 2.8.1 - nethserver-ns8-migration-1.0.12-1.ns7.x86_64 **See also** https://community.nethserver.org/t/migration-tool-duplicates-redis-keys-of-node/23789 Thanks to @mrmarkuz

davidep · June 6, 2024, 3:13pm

Fix released in core 2.8.2 and migration tool 1.0.13

robb · June 6, 2024, 4:28pm

I’ll give it a go later this evening. Thnx for the effort.

robb · June 7, 2024, 10:05am

After updating the migration tool on NS7 to 1.0.13 I retried the connection and this time this was successful. I was presented with a list of possible applications to migrate.
To try the tool I migrated Mattermost and this went flawlessly.
I updated DNS record to the new server and was able to log in Mattermost on the new NS8 instance.
I will open a new support ticket for the other applications since that migration is offtopic in this thread