From: Carsten Aulbert <carsten.aulbert-l1a6w7hxd2yELgA04lAiVw@public.gmane.org>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: linux-nfs@vger.kernel.org,
Henning Fehrmann
<henning.fehrmann-l1a6w7hxd2yELgA04lAiVw@public.gmane.org>,
Steffen Grunewald
<steffen.grunewald-l1a6w7hxd2yELgA04lAiVw@public.gmane.org>
Subject: Re: Massive NFS problems on large cluster with large number of mounts
Date: Thu, 17 Jul 2008 07:53:27 +0200 [thread overview]
Message-ID: <487EDE57.4070100@aei.mpg.de> (raw)
In-Reply-To: <20080716190658.GF20298@fieldses.org>
Hi all,
J. Bruce Fields wrote:
>> Changing /proc/sys/sunrpc/max_resvport to 1023 again resolves this
>> issue, however defeats the purpose for the initial problem. I still need
>> to look into the code for hte portmapper, but is it easily possible that
>> the portmapper would accept nfsd requests from "insecure" ports also?
>> Since e are (mostly) in a controlled environment that should not pose a
>> problem.
>>
>> Anyone with an idea?
>
> The immediate problem seems like a kernel bug to me--it seems to me that
> the calls to local daemons should be ignoring {min_,max}_resvport. (Or
> is there some way the daemons can still know that those calls come from
> the local kernel?)
I just found this in the Makefile for the portmapper:
# To disable tcp-wrapper style access control, comment out the following
# macro definitions. Access control can also be turned off by providing
# no access control tables. The local system, since it runs the portmap
# daemon, is always treated as an authorized host.
HOSTS_ACCESS= -DHOSTS_ACCESS
#WRAP_LIB = $(WRAP_DIR)/libwrap.a
WRAP_LIB = -lwrap
# Comment out if your RPC library does not allocate privileged ports for
# requests from processes with root privilege, or the new portmap will
# always reject requests to register/unregister services on privileged
# ports. You can find out by running "rpcinfo -p"; if all mountd and NIS
# daemons use a port >= 1024 you should probably disable the next line.
CHECK_PORT = -DCHECK_PORT
I'll try to head down the road of not checking for the ports anymore -
on exposed ports I could block the listening daemons from the outside
world by iptables. Not nice, but probably a solution (and yet another
custom package for us).
Anyone who knows a good reason not to walk this route?
Cheers
Carsten
next prev parent reply other threads:[~2008-07-17 5:53 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-07-01 8:19 Massive NFS problems on large cluster with large number of mounts Carsten Aulbert
[not found] ` <4869E8AB.4060905-l1a6w7hxd2yELgA04lAiVw@public.gmane.org>
2008-07-01 18:22 ` J. Bruce Fields
2008-07-01 18:26 ` J. Bruce Fields
2008-07-02 14:00 ` Carsten Aulbert
[not found] ` <486B89F5.9000109-l1a6w7hxd2yELgA04lAiVw@public.gmane.org>
2008-07-02 20:31 ` J. Bruce Fields
2008-07-02 21:04 ` Trond Myklebust
2008-07-02 21:08 ` J. Bruce Fields
2008-07-03 5:31 ` Carsten Aulbert
[not found] ` <486C642B.3020100-l1a6w7hxd2yELgA04lAiVw@public.gmane.org>
2008-07-03 12:35 ` Carsten Aulbert
2008-07-16 9:49 ` Carsten Aulbert
[not found] ` <487DC43F.8040408-l1a6w7hxd2yELgA04lAiVw@public.gmane.org>
2008-07-16 19:06 ` J. Bruce Fields
2008-07-17 5:53 ` Carsten Aulbert [this message]
[not found] ` <487EDE57.4070100-l1a6w7hxd2yELgA04lAiVw@public.gmane.org>
2008-07-17 14:27 ` J. Bruce Fields
2008-07-17 14:47 ` Chuck Lever
[not found] ` <76bd70e30807170747r31af3280icf0bd3fdbde17bac-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-07-17 14:48 ` J. Bruce Fields
2008-07-17 15:11 ` Chuck Lever
[not found] ` <76bd70e30807170811s78175c0ep3a52da7c0ef95fc6-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-07-28 20:55 ` Chuck Lever
[not found] ` <76bd70e30807281355t4890a9b2q6960d79552538f60-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-07-29 11:32 ` Jeff Layton
[not found] ` <20080729073203.546a4269-RtJpwOs3+0O+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2008-07-29 17:43 ` Mike Mackovitch
2008-07-30 17:53 ` J. Bruce Fields
2008-07-30 19:33 ` Chuck Lever
[not found] ` <76bd70e30807301233t73f92775tbdeb3f8efbb34a4f-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-07-30 22:01 ` Chuck Lever
[not found] ` <76bd70e30807301501p5c0ba3c6i38fee02a1e606e31-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-08-15 20:34 ` Chuck Lever
[not found] ` <76bd70e30808151334i19822280j67a08b92b17582ba-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-08-15 20:47 ` Trond Myklebust
2008-08-15 21:04 ` Trond Myklebust
2008-08-15 21:39 ` Chuck Lever
2008-07-30 22:13 ` J. Bruce Fields
2008-07-31 16:35 ` Chuck Lever
2008-07-17 15:35 ` Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=487EDE57.4070100@aei.mpg.de \
--to=carsten.aulbert-l1a6w7hxd2yelga04laivw@public.gmane.org \
--cc=bfields@fieldses.org \
--cc=henning.fehrmann-l1a6w7hxd2yELgA04lAiVw@public.gmane.org \
--cc=linux-nfs@vger.kernel.org \
--cc=steffen.grunewald-l1a6w7hxd2yELgA04lAiVw@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.