Bug 1316308
Summary: oidentd started from xinetd as a non-root user with loaded nf_conntrack kernel module fails to initialize: Error initializing core

Product: Fedora
Component: oidentd
Version: 22
Hardware: x86_64
OS: Unspecified
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Type: Bug
Doc Type: Bug Fix
Reporter: Darrien Lambert <dkocher>
Assignee: Petr Pisar <ppisar>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: matthias, ppisar
Fixed In Version: oidentd-2.0.8-20.fc25, oidentd-2.0.8-19.fc23, oidentd-2.0.8-17.fc22, oidentd-2.0.8-20.fc24
Last Closed: 2016-03-21 23:53:59 UTC

Description
Darrien Lambert
2016-03-09 23:11:31 UTC
Petr Pisar:
Could you provide more details about your workstation? Is the queried port non-local? I.e. is the queried connection masqueraded and originating on a different host that is masqueraded? Does the error message appear on starting oidentd or on the query? Is there another oidentd error message? Does your system have a /proc/net/nf_conntrack file? I tried it on a host that is not a router and that does not masquerade any traffic, thus does not have any network translation kernel modules loaded, and it works for me. The oidentd server provides a response and does not log any error.

Darrien Lambert:
This workstation is a router and NAT translator in fact. The queried port is local, but it does not matter. The error appears on starting oidentd during the query, since it is running under xinetd. Take a look at core_init(): it tries to open those files, which could be missing on a server.

    $ ll /proc/net/ip*
    -r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ip6_flowlabel
    -r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ip6_mr_cache
    -r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ip6_mr_vif
    -r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip6_tables_matches
    -r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip6_tables_names
    -r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip6_tables_targets
    -r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ip_mr_cache
    -r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ip_mr_vif
    -r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip_tables_matches
    -r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip_tables_names
    -r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip_tables_targets
    -r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ipv6_route

Petr Pisar:
core_init() tries to open one of these three files, in this order:

    /proc/net/ip_masquerade
    /proc/net/ip_conntrack
    /proc/net/nf_conntrack

The only case when core_init() returns an error, so that "Error initializing core" is logged, is when opening the files fails for a reason other than the file not existing. It survives if the files do not exist. I suspect the issue is SELinux policy that does not allow oidentd spawned from xinetd to open /proc/net/nf_conntrack. This is the file that should exist on your host when the nf_conntrack kernel module is loaded. The former two files actually do not exist on Fedora.

There is a mistake in the core_init() logging. It does not report the opening failures into the log as an error. It reports them only when oidentd is compiled with debugging enabled.

Do you encounter the "Error initializing core" bug if you use the oidentd daemon (systemctl start oidentd) instead of the one-shot xinetd service?

Darrien Lambert:
You're right, it only fails to start under xinetd. I don't see any SELinux errors though.

Petr Pisar:
I tried an xinetd service and it works for me. What does your xinetd configuration file for oidentd look like? This is mine:

    # cat /etc/xinetd.d/auth-stream
    service auth
    {
        disable     = no
        port        = 113
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        server      = /usr/sbin/oidentd
        server_args = --stdio -u nobody -g nobody
    }

Could you trace the oidentd executed by xinetd using the strace command? Like this (the 17941 argument is the PID of xinetd):

    # strace -f -p 17941 -e open
    strace: Process 17941 attached
    strace: Process 17955 attached
    [pid 17955] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 0
    [pid 17955] open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 0
    [pid 17955] open("/etc/group", O_RDONLY|O_CLOEXEC) = 0
    [pid 17955] open("/etc/hosts.allow", O_RDONLY) = 0
    [pid 17955] open("/etc/hosts.deny", O_RDONLY) = 0
    [pid 17955] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    [pid 17955] open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    [pid 17955] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
    [pid 17955] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    [pid 17955] open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
    [pid 17955] open("/etc/services", O_RDONLY|O_CLOEXEC) = 3
    [pid 17955] open("/etc/services", O_RDONLY|O_CLOEXEC) = 3
    [pid 17955] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    [pid 17955] open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
    [pid 17955] open("/etc/oidentd.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
    [pid 17955] open("/proc/net/ip_masquerade", O_RDONLY) = -1 ENOENT (No such file or directory)
    [pid 17955] open("/proc/net/ip_conntrack", O_RDONLY) = -1 ENOENT (No such file or directory)
    [pid 17955] open("/proc/net/nf_conntrack", O_RDONLY) = 4
    [pid 17955] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 6
    [pid 17955] open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 6
    [pid 17955] open("/etc/group", O_RDONLY|O_CLOEXEC) = 6
    [pid 17955] open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 6
    [pid 17955] open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 6
    [pid 17955] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 6
    [pid 17955] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
    [pid 17955] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 6
    [pid 17955] +++ exited with 0 +++
    --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=17955, si_uid=99, si_status=0, si_utime=0, si_stime=1} ---
    ^Cstrace: Process 17941 detached

Darrien Lambert:
Oh, I know why. I run it as a non-privileged user:

    user = nobody

and the file permissions are:

    -r--r-----. 1 root root 0 Mar 11 11:38 /proc/net/nf_conntrack

On the other hand, I did not want masq support for oidentd, otherwise I'd specify the "-m" option. I think it should not try reading the nf_conntrack file if the masq option was not specified.

Petr Pisar:
Created attachment 1135170 [details]
Log core_init() failures

Created attachment 1135171 [details]
Skip opening conntracking table if masquerading is not requested

I will apply these two patches and submit a new update. I hope it will fix your issue.

Fedora Update System:
oidentd-2.0.8-20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a99a162ce1

oidentd-2.0.8-19.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6aba35f43f

oidentd-2.0.8-17.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-07b5dc88a6

oidentd-2.0.8-20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-a99a162ce1

oidentd-2.0.8-17.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-07b5dc88a6

oidentd-2.0.8-19.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6aba35f43f

oidentd-2.0.8-19.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

oidentd-2.0.8-17.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

oidentd-2.0.8-20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
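The core_init() behaviour discussed in this thread, reconstructed as an added C example. This is not oidentd's source and not the attached patches; it is an illustration written for this page. Only the three table paths and their probe order come from the discussion; the function names, the status enum, the message buffer and the constructed scenario paths (/nonexistent/..., /dev/null/nf_conntrack, which fails with ENOTDIR and stands in for the EACCES a non-root process gets on a 0440 /proc/net/nf_conntrack) are assumptions made so the example runs offline regardless of the caller's uid. It shows the two defects the patches address side by side: an open failure other than ENOENT is reported with its errno instead of being silently swallowed, and the table is not opened at all unless masquerade support (-m) was requested.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Illustrative reconstruction, NOT oidentd's code. Paths and order are from the
 * bug discussion; everything else here is an assumption for the example. */

enum core_status { CORE_OK = 0, CORE_ERR = -1 };

/* Candidate connection-tracking tables, in the order core_init() tries them. */
static const char *const kConntrackTables[] = {
    "/proc/net/ip_masquerade",
    "/proc/net/ip_conntrack",
    "/proc/net/nf_conntrack",
    NULL,
};

/* Probe the candidate tables. ENOENT means "this kernel does not provide the
 * table" and is skipped; any other errno (EACCES for an unprivileged user,
 * ENOTDIR, ...) is fatal and is written to msg instead of being swallowed.
 * On CORE_OK, *fd_out is the open descriptor, or -1 when no table exists. */
static enum core_status open_conntrack_table(const char *const *paths, int *fd_out,
                                             int *errno_out, char *msg, size_t msglen)
{
    *fd_out = -1;
    *errno_out = 0;
    msg[0] = '\0';
    for (; *paths != NULL; ++paths) {
        int fd = open(*paths, O_RDONLY);
        if (fd >= 0) {
            *fd_out = fd;
            return CORE_OK;
        }
        if (errno == ENOENT)
            continue;                      /* absent on this kernel: try the next one */
        *errno_out = errno;
        snprintf(msg, msglen, "core_init: cannot open %s: %s", *paths, strerror(errno));
        return CORE_ERR;                   /* present but unopenable: report it */
    }
    return CORE_OK;                        /* no table at all: masq lookups unavailable */
}

/* Behaviour the reporter hit: the table is probed whether or not -m was given,
 * so an oidentd running as nobody fails on a root-only nf_conntrack. */
static enum core_status core_init_original(int masq_requested, const char *const *paths,
                                           int *fd_out, int *errno_out, char *msg, size_t msglen)
{
    (void)masq_requested;
    return open_conntrack_table(paths, fd_out, errno_out, msg, msglen);
}

/* Behaviour after the fix: a resource the daemon does not need is never opened,
 * so the permission problem cannot arise unless masquerade support is wanted. */
static enum core_status core_init_fixed(int masq_requested, const char *const *paths,
                                        int *fd_out, int *errno_out, char *msg, size_t msglen)
{
    if (!masq_requested) {
        *fd_out = -1;
        *errno_out = 0;
        msg[0] = '\0';
        return CORE_OK;
    }
    return open_conntrack_table(paths, fd_out, errno_out, msg, msglen);
}

/* Constructed scenarios (assumed paths, chosen to behave the same for any uid). */
static const char *const kMissingTables[]    = { "/nonexistent/ip_conntrack", "/nonexistent/nf_conntrack", NULL };
static const char *const kUnreadableTables[] = { "/nonexistent/ip_conntrack", "/dev/null/nf_conntrack", NULL }; /* ENOTDIR */
static const char *const kReadableTables[]   = { "/nonexistent/ip_conntrack", "/dev/null", NULL };

/* Run one scenario and return its status; the errno observed goes to *err. */
static int run_scenario(int fixed, int masq_requested, const char *const *paths, int *err)
{
    int fd = -1, e = 0;
    char msg[256];
    enum core_status st = fixed ? core_init_fixed(masq_requested, paths, &fd, &e, msg, sizeof msg)
                                : core_init_original(masq_requested, paths, &fd, &e, msg, sizeof msg);
    if (fd >= 0)
        close(fd);
    if (msg[0] != '\0')
        fprintf(stderr, "%s\n", msg);
    if (err != NULL)
        *err = e;
    return st;
}

/* Same scenario, but return the errno it produced (0 when nothing failed). */
static int scenario_errno(int fixed, int masq_requested, const char *const *paths)
{
    int e = 0;
    run_scenario(fixed, masq_requested, paths, &e);
    return e;
}

int main(void)
{
    printf("original, no -m, unreadable table: %d\n", run_scenario(0, 0, kUnreadableTables, NULL));
    printf("fixed,    no -m, unreadable table: %d\n", run_scenario(1, 0, kUnreadableTables, NULL));
    printf("fixed,    -m,    unreadable table: %d (errno %d)\n",
           run_scenario(1, 1, kUnreadableTables, NULL), scenario_errno(1, 1, kUnreadableTables));
    printf("fixed,    -m,    no table:         %d\n", run_scenario(1, 1, kMissingTables, NULL));
    printf("fixed,    -m,    readable table:   %d\n", run_scenario(1, 1, kReadableTables, NULL));
    printf("default probe order starts at %s\n", kConntrackTables[0]);
    return 0;
}
```

The first two lines of output are the whole bug: with the original logic a service started without -m still fails on a table it will never read, and the only trace of why is the errno that the message buffer now carries. The same check on a real host is what the strace in the thread shows: an open() on /proc/net/nf_conntrack returning EACCES for uid 99 rather than a descriptor.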