Bug 1316308

Summary: oidentd started from xinetd as a non-root user with loaded nf_conntrack kernel module fails to initialize: Error initializing core
Product: [Fedora] Fedora
Reporter: Darrien Lambert <dkocher>
Component: oidentd
Assignee: Petr Pisar <ppisar>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 22
CC: matthias, ppisar
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard:
Fixed In Version: oidentd-2.0.8-20.fc25 oidentd-2.0.8-19.fc23 oidentd-2.0.8-17.fc22 oidentd-2.0.8-20.fc24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-21 23:53:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
- Log core_init() failures (flags: none)
- Skip opening conntracking table if masquerading is not requested (flags: none)

Description Darrien Lambert 2016-03-09 23:11:31 UTC
Description of problem:
-----------------------
oidentd can't start after recent update (oidentd-2.0.8-16.fc22.x86_64).
Works with previous version (oidentd-2.0.8-15.fc22.x86_64)

Version-Release number of selected component (if applicable): oidentd-2.0.8-16.fc22.x86_64


How reproducible:
-----------------
Always.


Steps to Reproduce:
-------------------
1. Install an update oidentd-2.0.8-16.fc22.x86_64.
2. Perform ident query (http://www.anta.net/misc/telnet-troubleshooting/ident.shtml)


Actual results:
---------------
1.
2. Connection drops. There is an error in messages:
 oidentd[1942]: Error initializing core


Expected results:
-----------------
1.
2. Standard response from ident server. 

Additional info:
----------------
It seems this is related to the recent request https://bugzilla.redhat.com/show_bug.cgi?id=1305491
It enabled masquerade support for oidentd. When oidentd starts it calls core_init() and if it was compiled with MASQ_SUPPORT it looks for these files:

#define MASQFILE	"/proc/net/ip_masquerade"
#define CONNTRACK	"/proc/net/ip_conntrack"

They are missing on my workstation and therefore oidentd fails to start.

Comment 1 Petr Pisar 2016-03-11 07:01:26 UTC
Could you provide more details about your workstation? Is the queried port non-local? I.e. is the queried connection masqueraded and originating on a different host that is masqueraded? Does the error message appear on starting oidentd or on the query? Is there another oidentd error message? Does your system have the /proc/net/nf_conntrack file?

I tried it on a host that is not a router and that does not masquerade any traffic, thus does not have any network translation kernel modules loaded, and it works for me. The oidentd server provides a response and does not log any error.

Comment 2 Darrien Lambert 2016-03-11 07:25:15 UTC
This workstation is a router and NAT translator in fact. The queried port is local, but it does not matter. The error appears on starting oidentd during the query, since it is running under xinetd. Take a look at core_init(): it tries to open those files, which could be missing on a server.

$ ll /proc/net/ip*
-r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ip6_flowlabel
-r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ip6_mr_cache
-r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ip6_mr_vif
-r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip6_tables_matches
-r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip6_tables_names
-r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip6_tables_targets
-r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ip_mr_cache
-r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ip_mr_vif
-r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip_tables_matches
-r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip_tables_names
-r--r-----. 1 root root 0 Mar 11 10:21 /proc/net/ip_tables_targets
-r--r--r--. 1 root root 0 Mar 11 10:21 /proc/net/ipv6_route

Comment 3 Petr Pisar 2016-03-11 08:07:50 UTC
The core_init() tries to open one of these three files in this order:

/proc/net/ip_masquerade
/proc/net/ip_conntrack
/proc/net/nf_conntrack

The only case when core_init() returns an error, so that "Error initializing core" is logged, is when opening the files fails for a reason other than the file not existing. It survives if the files do not exist.

I suspect the issue is an SELinux policy that does not allow oidentd spawned from xinetd to open /proc/net/nf_conntrack. This is the file that should exist on your host when the nf_conntrack kernel module is loaded. The other two files actually do not exist on Fedora.

There is a mistake in the core_init() logging. It does not report the opening failures into the log as an error. It reports them only when oidentd is compiled with debugging enabled.

Do you encounter the "Error initializing core" bug if you use the oidentd daemon (systemctl start oidentd) instead of the one-shot xinetd service?

Comment 4 Darrien Lambert 2016-03-11 08:28:47 UTC
You're right, it only fails to start under xinetd. I don't see any SELinux errors though.

Comment 5 Petr Pisar 2016-03-11 08:36:32 UTC
I tried an xinetd service and it works for me. What does your xinetd configuration file for oidentd look like? This is mine:

# cat /etc/xinetd.d/auth-stream 
service auth
{
        disable                 = no
        port                    = 113
        socket_type             = stream
        protocol                = tcp
        wait                    = no
        user                    = root
        server                  = /usr/sbin/oidentd
        server_args             = --stdio -u nobody -g nobody
}

Could you trace the oidentd executed by xinetd using the strace command? Like this (the 17941 argument is the PID of xinetd):

# strace -f -p 17941 -e open
strace: Process 17941 attached
strace: Process 17955 attached
[pid 17955] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 0
[pid 17955] open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 0
[pid 17955] open("/etc/group", O_RDONLY|O_CLOEXEC) = 0
[pid 17955] open("/etc/hosts.allow", O_RDONLY) = 0
[pid 17955] open("/etc/hosts.deny", O_RDONLY) = 0
[pid 17955] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid 17955] open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
[pid 17955] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
[pid 17955] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid 17955] open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
[pid 17955] open("/etc/services", O_RDONLY|O_CLOEXEC) = 3
[pid 17955] open("/etc/services", O_RDONLY|O_CLOEXEC) = 3
[pid 17955] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 17955] open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
[pid 17955] open("/etc/oidentd.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 17955] open("/proc/net/ip_masquerade", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 17955] open("/proc/net/ip_conntrack", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 17955] open("/proc/net/nf_conntrack", O_RDONLY) = 4
[pid 17955] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 6
[pid 17955] open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 6
[pid 17955] open("/etc/group", O_RDONLY|O_CLOEXEC) = 6
[pid 17955] open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 6
[pid 17955] open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 6
[pid 17955] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 6
[pid 17955] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
[pid 17955] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 6
[pid 17955] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=17955, si_uid=99, si_status=0, si_utime=0, si_stime=1} ---
^Cstrace: Process 17941 detached

Comment 6 Darrien Lambert 2016-03-11 08:43:49 UTC
Oh I know why. I run it as non-privileged user:

  user = nobody

and file permissions are:

-r--r-----. 1 root root 0 Mar 11 11:38 /proc/net/nf_conntrack


On the other hand, I did not want masq support for oidentd, otherwise I'd specify the "-m" option. I think it should not try reading the nf_conntrack file if the masq option was not specified.
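
The failure mode worked out in comments 3 through 6, as an added example that is not oidentd's own code: a fallback over the three candidate table paths that treats a missing file as survivable but any other open() failure (here EACCES, because the process runs as nobody and /proc/net/nf_conntrack is mode 0640 root:root) as fatal, together with the two fixes the attachments describe, logging the reason for the failure and not opening the table at all unless masquerading was requested. The path list is the one quoted in comment 3; the opener callback, the result enum, the scenario() helper and the fake filesystem that models the reporter's router are constructed for this example.

```c
/* Added example (not oidentd's code): core_init()-style lookup of a
 * connection-tracking table with the two fixes discussed in this bug. */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Lookup order oidentd tries, as listed in comment 3. */
static const char *const conntrack_paths[] = {
    "/proc/net/ip_masquerade",
    "/proc/net/ip_conntrack",
    "/proc/net/nf_conntrack",
    NULL
};

/* Opener abstraction (assumed, not oidentd's API) so the logic can be
 * exercised against a fake filesystem; a real build passes real_open(). */
typedef int (*opener_fn)(const char *path);

static int real_open(const char *path)
{
    return open(path, O_RDONLY);
}

/* Outcomes of find_conntrack_table(). */
enum ct_result {
    CT_SKIPPED   = 0,  /* masquerading not requested: table never needed */
    CT_OPENED    = 1,  /* *fd_out holds an open descriptor */
    CT_NOT_FOUND = 2,  /* every candidate is absent (ENOENT): survivable */
    CT_ERROR     = 3   /* an open() failed for another reason, e.g. EACCES */
};

static enum ct_result find_conntrack_table(bool masq_requested,
                                           opener_fn opener, int *fd_out)
{
    *fd_out = -1;
    if (!masq_requested)
        return CT_SKIPPED;       /* fix 2: do not open what is never read */

    for (const char *const *p = conntrack_paths; *p != NULL; p++) {
        int fd = opener(*p);
        if (fd >= 0) {
            *fd_out = fd;
            return CT_OPENED;
        }
        if (errno == ENOENT)
            continue;            /* absent file: try the next candidate */
        /* fix 1: say why initialization failed, not only that it did */
        fprintf(stderr, "cannot open %s: %s\n", *p, strerror(errno));
        return CT_ERROR;
    }
    return CT_NOT_FOUND;
}

/* Constructed fake of the reporter's router: the two legacy files do not
 * exist on Fedora, and nf_conntrack is 0640 root:root, so a non-root
 * opener gets EACCES while root gets a readable descriptor. */
static bool fake_is_root = false;

static int fake_open(const char *path)
{
    if (strcmp(path, "/proc/net/nf_conntrack") == 0) {
        if (fake_is_root)
            return open("/dev/null", O_RDONLY);  /* stand-in for the table */
        errno = EACCES;
        return -1;
    }
    errno = ENOENT;
    return -1;
}

/* Run one configuration against the fake filesystem and report the outcome. */
static enum ct_result scenario(bool masq_requested, bool as_root)
{
    int fd;
    fake_is_root = as_root;
    enum ct_result r = find_conntrack_table(masq_requested, fake_open, &fd);
    if (fd >= 0)
        close(fd);
    return r;
}

int main(void)
{
    /* xinetd running oidentd as nobody without -m: the reported failure,
     * now skipped because the table is never needed */
    printf("nobody, no -m : %d\n", scenario(false, false));
    /* nobody with -m: still an error, but now logged with its reason */
    printf("nobody, -m    : %d\n", scenario(true, false));
    /* root with -m: the table opens */
    printf("root, -m      : %d\n", scenario(true, true));
    return 0;
}
```

Run as root the first scenario is the pre-fix behaviour that made the xinetd service drop the connection; with the fix it returns CT_SKIPPED, which is also the least-privilege outcome, since a process that does not need the connection-tracking table gets no descriptor to it.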

Comment 7 Petr Pisar 2016-03-11 10:02:46 UTC
Created attachment 1135170 [details]
Log core_init() failures

Comment 8 Petr Pisar 2016-03-11 10:03:24 UTC
Created attachment 1135171 [details]
Skip opening conntracking table if masquerading is not requested

Comment 9 Petr Pisar 2016-03-11 10:05:43 UTC
I will apply these two patches and submit a new update. I hope it will fix your issue.

Comment 10 Fedora Update System 2016-03-11 10:24:49 UTC
oidentd-2.0.8-20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a99a162ce1

Comment 11 Fedora Update System 2016-03-11 10:25:02 UTC
oidentd-2.0.8-19.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6aba35f43f

Comment 12 Fedora Update System 2016-03-11 10:27:37 UTC
oidentd-2.0.8-17.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-07b5dc88a6

Comment 13 Fedora Update System 2016-03-11 19:25:31 UTC
oidentd-2.0.8-20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-a99a162ce1

Comment 14 Fedora Update System 2016-03-12 16:53:02 UTC
oidentd-2.0.8-17.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-07b5dc88a6

Comment 15 Fedora Update System 2016-03-12 17:25:08 UTC
oidentd-2.0.8-19.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6aba35f43f

Comment 16 Fedora Update System 2016-03-21 23:53:57 UTC
oidentd-2.0.8-19.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2016-03-22 06:19:24 UTC
oidentd-2.0.8-17.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-03-26 18:12:18 UTC
oidentd-2.0.8-20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.