There’s an often misunderstood feature of XCP-ng that allows system admins to limit access to a particular VM.
Its name? Allowed IPs.
On one hand, it seems obvious. On deeper examination, it’s really not.
You see, the allowed IPs are attached to a particular Virtual Interface (VIF), each with its own virtual MAC address, UUID, and numerous other system identifiers and parameters.
One of those parameters – and this is the confusing part – is the locking mode of that VIF.
From the UI, it’s not clear that the IP is associated with the locking mode. In fact, there’s another parameter in between (traffic rules).
To further confuse things, locking mode is automatically engaged when you save an IP in the Allowed IPs field.
I’m unsure of why, but once locking mode has engaged, even a request from an allowed IP seems to not be able to update the Allowed IPs list. It’s possible that to use multiple IPs, you have to configure an alias in the pool – but I haven’t tested this, it’s just from reading documentation.
If you’re not on the allowed IP, you can no longer access the UI. Fortunately, access restriction is only for the web UI. The CLI is still accessible. So here’s how to clear the lock:
First, get a list of your VM UUIDs:
xe vm-list
Find the UUID for XOA. Then get a list for VIF UUIDs and match the VM UUID:
xe vif-list
Copy the VIF UUID and issue this command:
xe vif-param-set uuid=<VIF UUID> locking-mode=unlocked
There you have it. Your web UI should now once again be accessible.