From: Petr Vorel <pvorel@suse.cz>
To: NeilBrown <neilb@suse.de>
Cc: Steve Dickson <steved@redhat.com>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH 3/4] Listen on an AF_UNIX abstract address if supported.
Date: Mon, 4 Mar 2024 19:42:29 +0100 [thread overview]
Message-ID: <20240304184229.GC3408054@pevik> (raw)
In-Reply-To: <20240225235628.12473-4-neilb@suse.de>
Hi Neil, Steve,
> As RPC is primarily a network service it is best, on Linux, to use
> network namespaces to isolate it. However contacting rpcbind via an
> AF_UNIX socket allows escape from the network namespace.
> If clients could use an abstract address, that would ensure clients
> contact an rpcbind in the same network namespace.
> systemd can pass in a listening abstract socket by providing an '@'
> prefix. However with libtirpc 1.3.3 or earlier attempting this will
> fail as the library mistakenly determines that the socket is not bound.
> This generates unsightly error messages.
> So it is best not to request the abstract address when it is not likely
> to work.
> A patch to fix this also proposes adding a define for
> _PATH_RPCBINDSOCK_ABSTRACT to the header files. We can check for this
> and only include the new ListenStream when that define is present.
> Signed-off-by: NeilBrown <neilb@suse.de>
> ---
> configure.ac | 13 ++++++++++++-
> systemd/{rpcbind.socket => rpcbind.socket.in} | 1 +
> 2 files changed, 13 insertions(+), 1 deletion(-)
> rename systemd/{rpcbind.socket => rpcbind.socket.in} (88%)
NOTE: now systemd/rpcbind.socket should be in .gitignore.
The rest LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
> diff --git a/configure.ac b/configure.ac
> index c2069a2b3b0e..573e4fdf3a3e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -50,6 +50,17 @@ AC_SUBST([nss_modules], [$with_nss_modules])
> PKG_CHECK_MODULES([TIRPC], [libtirpc])
> +CPPFLAGS=$TIRPC_CFLAGS
> +AC_MSG_CHECKING([for abstract socket support in libtirpc])
> +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
> +#include <rpc/rpc.h>
> +],[
> +char *path = _PATH_RPCBINDSOCK_ABSTRACT;
> +])], [have_abstract=yes], [have_abstract=no])
> +CPPFLAGS=
> +AC_MSG_RESULT([$have_abstract])
> +AM_CONDITIONAL(ABSTRACT, [ test "x$have_abstract" = "xyes" ])
> +
> PKG_PROG_PKG_CONFIG
> AC_ARG_WITH([systemdsystemunitdir],
> AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),
> @@ -76,4 +87,4 @@ AC_CHECK_HEADERS([nss.h])
> AC_SUBST([_sbindir])
> AC_CONFIG_COMMANDS_PRE([eval eval _sbindir=$sbindir])
> -AC_OUTPUT([Makefile systemd/rpcbind.service])
> +AC_OUTPUT([Makefile systemd/rpcbind.service systemd/rpcbind.socket])
> diff --git a/systemd/rpcbind.socket b/systemd/rpcbind.socket.in
> similarity index 88%
> rename from systemd/rpcbind.socket
> rename to systemd/rpcbind.socket.in
> index 3b1a93694c21..5dd09a143e16 100644
> --- a/systemd/rpcbind.socket
> +++ b/systemd/rpcbind.socket.in
> @@ -6,6 +6,7 @@ Before=rpcbind.target
> [Socket]
> ListenStream=/run/rpcbind.sock
> +@ABSTRACT_TRUE@ListenStream=@/run/rpcbind.sock
> # RPC netconfig can't handle ipv6/ipv4 dual sockets
> BindIPv6Only=ipv6-only
next prev parent reply other threads:[~2024-03-04 18:42 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-25 23:53 [PATCH 0/4 rpcbind] Supprt abstract addresses and disable broadcast NeilBrown
2024-02-25 23:53 ` [PATCH 1/4] manpage: describe use of extra port for broadcast rpc NeilBrown
2024-02-25 23:53 ` [PATCH 2/4] rpcbind: allow broadcast RPC to be disabled NeilBrown
2024-03-04 18:32 ` Petr Vorel
2024-03-04 18:42 ` Roland Mainz
2024-02-25 23:53 ` [PATCH 3/4] Listen on an AF_UNIX abstract address if supported NeilBrown
2024-03-04 18:42 ` Petr Vorel [this message]
2024-02-25 23:53 ` [PATCH 4/4] rpcinfo: try connecting using abstract address NeilBrown
2024-03-04 18:58 ` Petr Vorel
2024-03-04 16:51 ` [PATCH 0/4 rpcbind] Supprt abstract addresses and disable broadcast Steve Dickson
2024-03-04 18:29 ` Petr Vorel
2024-03-04 20:32 ` Steve Dickson
2024-03-11 1:47 ` NeilBrown
2024-03-18 20:35 ` Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240304184229.GC3408054@pevik \
--to=pvorel@suse.cz \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).