Redundant VPC - cloud-init can no longer retrieve passwords from VPC router password server

[Jayd603]

Existing templates no longer work with password reset or initial password set.

VPC Router log
Nov 19 17:46:54 systemvm passwd_server_ip.py: serve_password: password saved for VM IP 10.207.2.196

ok great, but then on the VM

2025-11-19 17:47:23,191 - performance.py[DEBUG]: Getting password took 0.007 seconds
2025-11-19 17:47:23,191 - log_util.py[DEBUG]: Failed to fetch password from virtual router 10.207.5.244

root@pw-test:/var/log# wget --header 'DomU_Request: send_my_password' 10.207.5.244:8080
--2025-11-19 18:41:52--  http://10.207.5.244:8080/
Connecting to 10.207.5.244:8080... failed: Connection refused.

However: using the gateway IP works!

wget --header 'DomU_Request: send_my_password' 10.207.0.1:8080

NOTES:
This is with a redundant VPC network with source NAT and it appears to make it so cloud-init cannot fetch from the router interface IPs, only the gateway IP of the VPC.

In the VPC router:
tcp 0 0 10.207.0.1:8080 0.0.0.0:* LISTEN

so it is not listening on .244 at all - the iptables rules look correct however.

cloud-password-server@10.207.0.1\x2c10.207.11.141.service loaded active running Cloud password server

Looks like it is trying to start it with multiple addresses but it's only accepting the first argument.

[weizhouapache]

this issue seems to be caused by #11879

[weizhouapache]

@Jayd603
can you test with the change in #12161 in the VPC VR, and reload/restart dnsmasq service ?

[Jayd603]

@Jayd603 can you test with the change in #12161 in the VPC VR, and reload/restart dnsmasq service ?

This appears to have resolved the issue. Thank you.

The password server is still only listening on the gateway IP but seemingly trying to listen on the non-VirtualIP, so not sure if that needs cleanup/fixes or not.

root@r-94-VM:~# systemctl | grep password-serv
  cloud-password-server@10.207.0.1\x2c10.207.5.97.service                                   loaded active running   Cloud password server on 10.207.0.1,10.207.5.97

[weizhouapache]

@Jayd603 can you test with the change in #12161 in the VPC VR, and reload/restart dnsmasq service ?

This appears to have resolved the issue. Thank you.

The password server is still only listening on the gateway IP but seemingly trying to listen on the non-VirtualIP, so not sure if that needs cleanup/fixes or not.

root@r-94-VM:~# systemctl | grep password-serv
  cloud-password-server@10.207.0.1\x2c10.207.5.97.service                                   loaded active running   Cloud password server on 10.207.0.1,10.207.5.97

@Jayd603
it is expected

cloud-init tries to get password from data-server (VPC VR gateway IP, 10.207.5.1). If data-server is not found, fall back to VR guest IP (10.207.5.97)
With #12161, the data-server works, no need to listen on the VR guest IP.
actually VR guest IPs are not stable, when VPC is restarted with cleanup, the RVRs get different guest IPs.