ECS:由於節點上的 SSH 速率限制器導致節點鎖定失敗

摘要: 升級到 ECS 4.0 後,如果節點上的 SSH 速率限制器處於活動狀態,則鎖定節點的嘗試可能會失敗。這會導致節點狀態在 ECS Web UI 中顯示為「未知」或「鎖定」,而 SSH 存取仍然可用。套用與 SLES15 不相容的 SSH 速率限制器的 STIG 規則會導致此問題。

本文章適用於 本文章不適用於 本文無關於任何特定產品。 本文未識別所有產品版本。
查看其他資源

症狀

升級至 ECS 4.0 後觀察到問題。

節點狀態在 ECS Web UI

中顯示為「未知」或「鎖定」。CLI 鎖定命令無法執行。

儘管嘗試鎖定,節點的 SSH 存取仍然可用。

在 ECS Web UI 中,節點狀態顯示為「未知」或「鎖定」  

原因

使用 STIG 規則 (SLES-12-030040) 套用的 SSH 速率限制器會導致此問題。此規則與 SLES15 並不相容,且一旦套用,就無法使用 SLES12 STIG 架構還原。

以下命令顯示作業系統的相關資訊:

admin@node1:~> cat /etc/os-release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp4"
DOCUMENTATION_URL="https://documentation.suse.com/"

解析度

若要解決此問題,請從受影響的節點移除 SSH 速率限制器:

  1. 檢查 SSH 速率限制器: 
admin@node1:~> sudo iptables -L | grep limit  | grep ssh
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ssh ctstate NEW recent: CHECK seconds: 60 hit_count: 3 name: ssh side: source mask: 255.255.255.255 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROPr "
  1. 還原 STIG 規則:
admin@node1:~> cd /opt/emc/security/hardening/root/sbin; sudo ./revert-harden -i SLES-12-030040
Changes reverted: FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Changes reverted: TCP="ssh"
Restarting SuSEfirewall2.service ...
SuSEfirewall2.service restarted successfully.
Reverted STIG ID: SLES-12-030040 on /etc/sysconfig/SuSEfirewall2.d/services/sshd successfully
  1. 確認變更:
admin@node1:/opt/emc/security/hardening/root/sbin> sudo iptables -L | grep limit  | grep ssh
  1. 使用 WEB UI 或 CLI 鎖定節點:
admin@node1:~> sudo -i lockdown set lock
[lockdown] :Info: Suspend fabric agent firewall check
INFO: Parsing /opt/emc/nile/etc/conf/nan/emc-firewall-cfg
dev_ext: public - dev_int: private private.4 pslave-0 pslave-1
INFO: Updating /etc/sysconfig/SuSEfirewall2.d/services/emc-ecs-custom
INFO: Updating /etc/sysconfig/SuSEfirewall2
<38>Jun 25 10:34:47 SuSEfirewall2[32514]: Firewall rules unloaded.
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: using default zone 'ext' for interface docker0
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: using default zone 'ext' for interface public_mgmt
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: using default zone 'ext' for interface slave_0
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: using default zone 'ext' for interface slave_1
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: Firewall custom rules loaded from /opt/emc/nile/etc/conf/nan/nan_pbr_rules
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/all/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/default/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/docker0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/lo/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/private/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/pslave-0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/pslave-1/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/public/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/slave-0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:49 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/slave-1/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:49 SuSEfirewall2[32594]: Firewall rules successfully set
INFO: Updating /etc/sysconfig/SuSEfirewall2
<38>Jun 25 10:34:57 SuSEfirewall2[35003]: Firewall rules unloaded.
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: using default zone 'ext' for interface docker0
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: using default zone 'ext' for interface public_mgmt
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: using default zone 'ext' for interface slave_0
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: using default zone 'ext' for interface slave_1
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: Firewall custom rules loaded from /opt/emc/nile/etc/conf/nan/nan_pbr_rules
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/all/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/default/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/docker0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/lo/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/private/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:58 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/pslave-0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:58 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/pslave-1/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:58 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/public/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:58 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/slave-0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:58 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/slave-1/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:59 SuSEfirewall2[35084]: Firewall rules successfully set
locked
[lockdown] :Info: Resume fabric agent firewall check

其他資訊

此因應措施僅適用於先前已套用 SLES12 STIG 框架的 SLES15 節點。在套用或還原 STIG 規則之前,請確定相容性。

受影響的產品

ECS Appliance Gen 3, ECS Appliance Hardware Gen3 EX500, ECS Appliance Hardware Series

產品

ECS, ObjectScale, ECS Appliance Hardware Gen3 EX5000, ECS Appliance, ECS Appliance Hardware Gen3 EX300, ECS Appliance Hardware Gen3 EX3000, ECS Appliance Hardware Gen3 EXF900, ECS Appliance Software with Encryption , ECS Appliance Software without Encryption ...
文章屬性
文章編號: 000337531
文章類型: Solution
上次修改時間: 24 9月 2025
版本:  2
向其他 Dell 使用者尋求您問題的答案
支援服務
檢查您的裝置是否在支援服務的涵蓋範圍內。