Search Engine: Elastic

Article ID: 8163, created on Mar 9, 2010, last review on Jan 12, 2018

  • Applies to:
  • Odin Business Automation Standard 4.5

Symptoms

Virtuozzo for Windows server is marked as 'Offline' in OBAS control panel at Top > Service Director > Virtuozzo Manager > Nodes. The server itself is working, all containers on it are working as well and they are available.

The problem is taking place after restarting the Service Container on the node. I.e. the node may be working well and may be shown as 'Available' in OAS. As soon as Service Container is restarted the whole node will be shown as 'Offline'. It is also impossible to connect to the Virtuozzo server using any tool which is working via Parallels Agent - Parallels Management Console, Parallels Infrastructure Manager.

If you try to reconnect the node in OBAS the resulting error is "An error occurred while copying the keys to the Hardware Node".

Recreating Service Container does help to solve the problem, however it will re-appear after some period of time (two weeks or more).

Cause

OBAS is working with Parallels Agent on Virtuozzo servers in so called compatibility mode. This means that OBAS is communicating with Agent which is working inside Service Container via SSH protocol using the user 'vzagent0'.

Thus, Service Container on every Virtuozzo server registered in PS must have SSH server running inside. Depending on the version it might be either "OpenSSHd" or "CYGWIN sshd". These services runs under corresponding system users - sshd_server or cyg_server.

Due to default Windows security policy users must change password periodically. If password is not changed after password expiration period passed Windows disables system user which is used to run SSH server. As a result if Service Container is restarted (or just SSH server inside Service Container is restarted) SSH service becomes stopped and OBAS cannot connect to Parallels Agent via XML API and the Virtuozzo server is being marked as 'Offline'.

Resolution

To solve the problem it is needed to make sure that password of system user 'sshd_server' or 'cyg_server' does not expire.

  1. Log into Virtuozzo server using RDP and run 'cmd'.

  2. Check if firewall is running inside Service Container and stop it:

    C:\> vzctl exec 1 sc query sharedaccess 
    SERVICE_NAME: sharedaccess
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
    Command 'exec' is successfully finished
    
    C:\> vzctl exec 1 sc stop sharedaccess  
    SERVICE_NAME: sharedaccess
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 1  STOPPED
                                    (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
    
    
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
    
    Command 'exec' is successfully finished
  3. Create temporary user (in the example below user "sct" with password Secure*Pass) in Service Container for RDP access and add it to the local group 'administrators':

    C:\> vzctl exec 1 net user sct Secure*Pass /add
    The command completed successfully.
    
    C:\> vzctl exec 1 net localgroup administrators sct /add
    The command completed successfully.
    
  4. Log into Service Container using RDP under the just created user.

  5. Being logged into the Service Container via RDP change password policy for the user sshd_server (or cyg_server) and start SSH service (if it is stopped):

    • click "Start" > right click on "My Computer" > "Manage"
    • select "Services and Applications" > "Services" and find 'CYGWIN sshd' or 'OpenSSHd' in the list of services. If it is stopped try to start it. You will get error like below:

      Could not start the CYGWIN sshd service on Local Computer.
      Error 1069: The service did not start due to a logon failure.
      
    • go to "System Tools" > "Local Users and Groups" > "Users" > right click on sshd_server (or cyg_server) > "Properties". Ensure that:

      checkbox "User must change password at next logon" is disabled
      checkbox "Password never expires" is set
      checkbox "Account is disabled" is disabled
      

    It is worth to set new password for the user as well (right click on it > "Set password").

    After that go back to "Services", select corresponding SSH service, rigth click on it "Properties" > "Log On" tab - set the same password here. Start the SSH service.

    Log off form Service Container.

  6. Start firewall in Service Container back and remove temporary user:

    C:\> vzctl exec 1 sc start sharedaccess
    SERVICE_NAME: sharedaccess
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 2  START_PENDING
                                    (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x7530
            PID                : 14284
            FLAGS              :
    Command 'exec' is successfully finished
    
    C:\> vzctl exec 1 net user sct /delete
    The command completed successfully.
    
  7. Repeat the steps above for each Virtuozzo for Windows server registered in OBAS.

Sure, one may use solution different to the described above, the main point is to make sure that password of system user which is used to run SSH service does not expire and SSH service is up and running.

Additional information

Configuring PVC 4.5 on Windows Server 2008 to work with PBA-S

Service Container on Windows 2008 refuses connections to 22 port

Running Virtuozzo Containers are shown with status Offline in PBA-S

caea8340e2d186a540518d08602aa065 400e18f6ede9f8be5575a475d2d6b0a6 0efe2234e2ce513f2186f26c68447702 624ca542e40215e6f1d39170d8e7ec75 70a5401e8b9354cd1d64d0346f2c4a3e

Email subscription for changes to this article
Save as PDF