From: Petr Vorel <pvorel@suse.cz>
To: NeilBrown <neilb@suse.de>
Cc: Steve Dickson <steved@redhat.com>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH 3/4] Listen on an AF_UNIX abstract address if supported.
Date: Mon, 4 Mar 2024 19:42:29 +0100
Message-ID: <20240304184229.GC3408054@pevik>
In-Reply-To: <20240225235628.12473-4-neilb@suse.de>
Hi Neil, Steve,
> As RPC is primarily a network service it is best, on Linux, to use
> network namespaces to isolate it. However contacting rpcbind via an
> AF_UNIX socket allows escape from the network namespace.
> If clients could use an abstract address, that would ensure clients
> contact an rpcbind in the same network namespace.
> systemd can pass in a listening abstract socket by providing an '@'
> prefix. However with libtirpc 1.3.3 or earlier attempting this will
> fail as the library mistakenly determines that the socket is not bound.
> This generates unsightly error messages.
> So it is best not to request the abstract address when it is not likely
> to work.
> A patch to fix this also proposes adding a define for
> _PATH_RPCBINDSOCK_ABSTRACT to the header files. We can check for this
> and only include the new ListenStream when that define is present.
> Signed-off-by: NeilBrown <neilb@suse.de>
> ---
> configure.ac | 13 ++++++++++++-
> systemd/{rpcbind.socket => rpcbind.socket.in} | 1 +
> 2 files changed, 13 insertions(+), 1 deletion(-)
> rename systemd/{rpcbind.socket => rpcbind.socket.in} (88%)
NOTE: now systemd/rpcbind.socket should be in .gitignore.
The rest LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
> diff --git a/configure.ac b/configure.ac
> index c2069a2b3b0e..573e4fdf3a3e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -50,6 +50,17 @@ AC_SUBST([nss_modules], [$with_nss_modules])
> PKG_CHECK_MODULES([TIRPC], [libtirpc])
> +CPPFLAGS=$TIRPC_CFLAGS
> +AC_MSG_CHECKING([for abstract socket support in libtirpc])
> +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
> +#include <rpc/rpc.h>
> +],[
> +char *path = _PATH_RPCBINDSOCK_ABSTRACT;
> +])], [have_abstract=yes], [have_abstract=no])
> +CPPFLAGS=
> +AC_MSG_RESULT([$have_abstract])
> +AM_CONDITIONAL(ABSTRACT, [ test "x$have_abstract" = "xyes" ])
> +
> PKG_PROG_PKG_CONFIG
> AC_ARG_WITH([systemdsystemunitdir],
> AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),
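Review bot: The probe overwrites CPPFLAGS with `CPPFLAGS=$TIRPC_CFLAGS` and then clears it with `CPPFLAGS=`, so any CPPFLAGS the builder passed to configure is lost for every check that runs after this one. Save the previous value before the test, append $TIRPC_CFLAGS to it for the duration of AC_COMPILE_IFELSE, and restore the saved value afterwards instead of assigning an empty string. The test also only proves that _PATH_RPCBINDSOCK_ABSTRACT is defined in the headers at build time; a one-line comment above AC_MSG_CHECKING saying that the define is used as a marker for a libtirpc that handles an already-bound abstract socket would record why a compile check is considered enough.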
> @@ -76,4 +87,4 @@ AC_CHECK_HEADERS([nss.h])
> AC_SUBST([_sbindir])
> AC_CONFIG_COMMANDS_PRE([eval eval _sbindir=$sbindir])
> -AC_OUTPUT([Makefile systemd/rpcbind.service])
> +AC_OUTPUT([Makefile systemd/rpcbind.service systemd/rpcbind.socket])
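Review bot: systemd/rpcbind.socket becomes a configure output in this AC_OUTPUT line, but the diffstat lists only configure.ac and the rename, so nothing in the patch tells git that the file is now a build product. Add systemd/rpcbind.socket to .gitignore in the same change, so that an in-tree build does not leave an untracked unit file that can be committed by accident alongside rpcbind.socket.in.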
> diff --git a/systemd/rpcbind.socket b/systemd/rpcbind.socket.in
> similarity index 88%
> rename from systemd/rpcbind.socket
> rename to systemd/rpcbind.socket.in
> index 3b1a93694c21..5dd09a143e16 100644
> --- a/systemd/rpcbind.socket
> +++ b/systemd/rpcbind.socket.in
> @@ -6,6 +6,7 @@ Before=rpcbind.target
> [Socket]
> ListenStream=/run/rpcbind.sock
> +@ABSTRACT_TRUE@ListenStream=@/run/rpcbind.sock
> # RPC netconfig can't handle ipv6/ipv4 dual sockets
> BindIPv6Only=ipv6-only
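Review bot: The unchanged `ListenStream=/run/rpcbind.sock` line stays in the unit, so the pathname socket is still reachable from any network namespace that shares the filesystem, and the isolation described in the commit message only applies to clients that connect to the abstract address. A comment above the new `@ABSTRACT_TRUE@ListenStream=@/run/rpcbind.sock` line should say that the leading '@' selects the abstract namespace and that the pathname socket is kept for existing clients. The address is also written out literally here while configure only tests that _PATH_RPCBINDSOCK_ABSTRACT exists, so the unit and the library can disagree if the define ever has a different value; substituting the address from configure, or at least noting the dependency in the comment, would keep them in step. When the conditional is false the line is emitted as `#ListenStream=@/run/rpcbind.sock`, which is harmless but worth mentioning in that comment so the installed unit is not misread.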