From: Jason Gunthorpe <jgg@ziepe.ca>
To: Mark Haywood <mark.haywood@oracle.com>
Cc: linux-rdma@vger.kernel.org
Subject: Re: bacm address config file no longer generated by service
Date: Mon, 22 Jan 2024 14:35:12 -0400 [thread overview]
Message-ID: <20240122183512.GQ50608@ziepe.ca> (raw)
In-Reply-To: <1ad5dadb-f6c6-40cf-83cf-f269233d8cfd@oracle.com>
On Thu, Jan 18, 2024 at 04:54:16PM -0500, Mark Haywood wrote:
> I see that the ibacm address configuration file,
> /etc/rdma/ibacm_addr.cfg, is no longer generated by the ibacm service.
> This change in behavior occurred as a result of service hardening
> implemented by patch https://github.com/linux-rdma/rdma-core/commit/c719619aaa0ec2651edc4e5dee9f5ff81208b185.
>
> The patch hardened the ibacm service by adding the following options to
> ibacm.service:
>
> > ProtectSystem=full
> > ProtectHome=true
> > ProtectHostname=true
> > ProtectKernelLogs=true
>
> ProtectSystem=full setting makes /etc read-only for processes invoked by
> the ibacm service.
>
> As a result, the code that generates the address configuration file (if
> it does not exist) fails:
>
> static FILE *acm_open_addr_file(void)
> {
> FILE *f;
>
> if ((f = fopen(addr_file, "r")))
> return f;
>
> acm_log(0, "notice - generating %s file\n", addr_file);
> if (!(f = popen(acme, "r"))) {
> acm_log(0, "ERROR - cannot generate %s\n", addr_file);
> return NULL;
> }
>
> pclose(f);
> return fopen(addr_file, "r");
> }
>
> The popen() code above is supposed to generate the file if it does not
> exist (i.e., fails the first fopen()). The popen() now fails as a result
> of the ProtectSystem option setting.
>
> ibacm(8) does say "If the address file cannot be found, the ibacm
> service will attempt to create one using default values."
>
> I guess my question is simply was this change in behavior expected? Are
> admins expected to run ib_acme to generate the address configuration
> file prior to starting the ibacm service?
I don't think it is intentional, but it seems like the right course of
action to me.
daemons should not write to /etc/. There are many good reasons for
that.
> Is the popen() code in acm_open_addr_file() being left in place in case
> an admin decides to remove the ProtectSystem option from the
> ibacm.service file?
No, I think it was just missed
Jason
prev parent reply other threads:[~2024-01-22 18:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-18 21:54 bacm address config file no longer generated by service Mark Haywood
2024-01-19 15:04 ` ibacm address config file is " Mark Haywood
2024-01-22 18:35 ` Jason Gunthorpe [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240122183512.GQ50608@ziepe.ca \
--to=jgg@ziepe.ca \
--cc=linux-rdma@vger.kernel.org \
--cc=mark.haywood@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox