* [PVE-User] Problem with ssh sessions
@ 2023-07-25 8:12 Fabian Abplanalp
From: Fabian Abplanalp @ 2023-07-25 8:12 UTC
To: PVE User List
Hi there
The sessions are opened by a Nagios server for various tests, which
means there is always a clean exit status, otherwise the tests would not
work.
However, the same happens with sessions opened manually.
The sessions run over a ProxyCommand/JumpHost with Proxmox 8.0.3/Debian
12.1 to the VMs (All Debian 11) over the internal bridge.
Nagios -> Proxmox -> VM hosts
Since the sshd remain on the Proxmox and the VM hosts, they also eat up
all the memory over time.
On the VM host:
user@vm:~$ ps -ALf | grep nagios
[...]
root 196819 732 196819 0 1 09:17 ? 00:00:00 sshd: nagios [priv]
nagios 196825 196819 196825 0 1 09:17 ? 00:00:00 sshd: nagios@notty
[...]
user@proxmox:~# ps -ALf | grep nagios
[...]
nagios 617299 1 617299 0 1 09:17 ? 00:00:00 nc 10.0.0.80 22
nagios 617300 1 617300 0 1 09:17 ? 00:00:00 nc 10.0.0.25 22
[...]
With loginctl the sessions are still listed:
root@vm:~# loginctl
[...]
18112 6000 nagios
18113 6000 nagios
[...]
root@proxmox:~# loginctl
[...]
129729 6000 nagios
129730 6000 nagios
[...]
It even records on the proxmox that the session has been closed:
root@proxmox:~# loginctl session-status 129538
129538 - nagios (6000)
Since: Tue 2023-07-25 09:17:03 CEST; 24min ago
Leader: 617115
Remote: 84.xx.xx.xx
Service: sshd; type tty; class user
State: closing
Unit: session-129538.scope
└─617299 nc 10.0.0.80 22
Jul 25 09:17:03 proxmox systemd[1]: Started session-129538.scope -
Session 129538 of User nagios.
Jul 25 09:17:04 proxmox sshd[617273]: Received disconnect from
84.xx.xx.xx port 8152:11: disconnected by user
Jul 25 09:17:04 proxmox sshd[617273]: Disconnected from user nagios
84.xx.xx.xx port 8152
Jul 25 09:17:04 proxmox sshd[617115]: pam_unix(sshd:session): session
closed for user nagios
...in contrast on the VMs:
root@vm:~# loginctl session-status 18084
18084 - nagios (6000)
Since: Tue 2023-07-25 09:17:04 CEST; 25min ago
Leader: 196819 (sshd)
Remote: 10.0.0.11
Service: sshd; type tty; class user
State: active
Unit: session-18084.scope
├─196819 sshd: nagios [priv].
└─196825 sshd: nagios@notty
Jul 25 09:17:04 webserver systemd[1]: Started session 18084 of user nagios.
If I kill the sessions on the Proxmox/Jumphost, they also disappear on
the VMs.
The irritating thing is that this problem did not exist before with
Debian 11.7 and KVM/qemu, the VMs did not change.
Any Ideas?
BR,
Fabian
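
The `loginctl session-status` output in the message above can be checked mechanically: logind keeps a session in the `closing` state for as long as processes remain in its scope, so a closing session with non-leader processes marks a leftover ProxyCommand helper. This is an added example, not part of the original post; the function names are hypothetical and the sample is the proxmox output quoted above.

```python
import re

# Sample input: the proxmox `loginctl session-status` output quoted in the post.
SAMPLE = """\
129538 - nagios (6000)
Since: Tue 2023-07-25 09:17:03 CEST; 24min ago
Leader: 617115
Remote: 84.xx.xx.xx
Service: sshd; type tty; class user
State: closing
Unit: session-129538.scope
└─617299 nc 10.0.0.80 22
Jul 25 09:17:04 proxmox sshd[617115]: pam_unix(sshd:session): session closed for user nagios
"""

FIELD = re.compile(r"^\s*(Since|Leader|Remote|Service|State|Unit):\s*(.*)$")
# A process line in the scope tree: optional indentation, a branch glyph, PID, command.
PROC = re.compile(r"^\s*[│\s]*[├└]─(\d+)\s+(.+)$")


def parse_session_status(text):
    """Parse one `loginctl session-status` block into a dict."""
    lines = text.strip().splitlines()
    head = re.match(r"^(\d+) - (\S+) \((\d+)\)", lines[0])
    info = {"id": head.group(1), "user": head.group(2), "procs": []}
    for line in lines[1:]:
        if m := FIELD.match(line):
            info[m.group(1).lower()] = m.group(2).strip()
        elif m := PROC.match(line):
            info["procs"].append((int(m.group(1)), m.group(2).strip()))
        # anything else (journal excerpts) is ignored
    return info


def leftover_processes(info):
    """Non-leader processes still held in a session that logind reports as closing."""
    if info.get("state") != "closing":
        return []
    leader = int(info["leader"].split()[0])  # "196819 (sshd)" -> 196819
    return [(pid, cmd) for pid, cmd in info["procs"] if pid != leader]


if __name__ == "__main__":
    for pid, cmd in leftover_processes(parse_session_status(SAMPLE)):
        print(f"session 129538 kept open by PID {pid}: {cmd}")
```
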
Date: Tue, 25 Jul 2023 10:40:57 +0000
From: "Alwin Antreich" <alwin@antreich.com>
Subject: Re: [PVE-User] DeviceMapper devices get filtered by Proxmox
To: uwe.sauter.de@gmail.com, "Proxmox VE user list"
<pve-user@lists.proxmox.com>
Hi Uwe,
July 25, 2023 9:24 AM, "Uwe Sauter" <uwe.sauter.de@gmail.com> wrote:
> So, I've been looking further into this and indeed, there seem to be very strict filters regarding
> the block device names that Proxmox allows to be used.
>
> /usr/share/perl5/PVE/Diskmanage.pm
>
> # whitelisting following devices
> # - hdX ide block device
> # - sdX scsi/sata block device
> # - vdX virtIO block device
> # - xvdX: xen virtual block device
> # - nvmeXnY: nvme devices
> # - cciss!cXnY cciss devices
> print Dumper($dev);
> return if $dev !~ m/^(h|s|x?v)d[a-z]+$/ &&
>     $dev !~ m/^nvme\d+n\d+$/ &&
>     $dev !~ m/^cciss\!c\d+d\d+$/;
>
> I don't understand all the consequences of allowing ALL ^dm-\d+$ devices but with proper filtering
> it should be possible to allow multipath devices (and given that there might be udev rules that
> create additional symlinks below /dev, each device's name should be resolved to its canonical name
> before checking).
It is also a matter of ceph support [0]. Aside from the extra complexity, using the amount of HDDs is not a good use-case for virtualization. And HDDs definitely need the DB/WAL on a separate device (60x disks -> 5x NVMe).
Best to set it up with ceph-volume directly. See the forum post [1] for the experience of other users.
Cheers,
Alwin
[0] https://docs.ceph.com/en/latest/ceph-volume/lvm/prepare/#multipath-support
[1] https://forum.proxmox.com/threads/ceph-with-multipath.70813/
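
The quoted mail suggests resolving each device name to its canonical name before applying the name filter. The sketch below shows why the order matters, using the three patterns from the Diskmanage.pm excerpt. It is an added example, not Proxmox code: the function names, the optional `dm-N` pattern and the fake `/dev` tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Patterns taken from the Diskmanage.pm excerpt quoted above.
ALLOWED = [
    re.compile(r"^(h|s|x?v)d[a-z]+$"),
    re.compile(r"^nvme\d+n\d+$"),
    re.compile(r"^cciss!c\d+d\d+$"),
]
# Assumption for this example only: the dm-N pattern floated in the quoted mail.
DM = re.compile(r"^dm-\d+$")


def canonical_name(path):
    """Resolve every symlink first, then return the final path component."""
    return os.path.basename(os.path.realpath(path))


def is_allowed(path, allow_dm=False):
    """Apply the allowlist to the canonical name, never to the name as given."""
    name = canonical_name(path)
    if any(p.fullmatch(name) for p in ALLOWED):
        return True
    return allow_dm and bool(DM.fullmatch(name))


def build_fake_dev(root):
    """Constructed stand-in for /dev: plain files plus udev-style symlinks."""
    for name in ("sda", "dm-0", "loop0"):
        open(os.path.join(root, name), "w").close()
    os.makedirs(os.path.join(root, "mapper"))
    os.makedirs(os.path.join(root, "disk", "by-id"))
    os.symlink("../dm-0", os.path.join(root, "mapper", "mpatha"))
    os.symlink("../../sda", os.path.join(root, "disk", "by-id", "wwn-example"))
    # A link whose own name passes the filter but whose target does not.
    os.symlink("../loop0", os.path.join(root, "mapper", "sdz"))
    return root


if __name__ == "__main__":
    dev = build_fake_dev(tempfile.mkdtemp())
    for rel in ("disk/by-id/wwn-example", "mapper/sdz", "mapper/mpatha"):
        p = os.path.join(dev, rel)
        print(rel, "->", canonical_name(p), is_allowed(p), is_allowed(p, allow_dm=True))
```

A name match on `dm-N` alone also admits LVM and dm-crypt volumes, since they use the same device-mapper naming, so a real filter for multipath would need a further check on what the device is.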