Bug 1595170

Summary: rpcbind sometimes uses port 749/UDP, which breaks Kerberos admin and FreeIPA
Product: Red Hat Enterprise Linux 7
Reporter: Christian Heimes <cheimes>
Component: rpcbind
Assignee: Steve Dickson <steved>
Status: CLOSED WONTFIX
QA Contact: Yongcheng Yang <yoyang>
Severity: unspecified
Priority: unspecified
Version: 7.6
CC: extras-qa, myllynen, rharwood, steved, xzhou, yoyang
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1592883
Clones: 1644280
Last Closed: 2021-02-15 07:39:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1592883
Bug Blocks: 1644280

Description Christian Heimes 2018-06-26 09:40:36 UTC
+++ This bug was initially created as a clone of Bug #1592883 +++

Description of problem:
rpcbind uses a random UDP port between about 600/UDP and 1023/UDP. Sometimes rpcbind happens to use a UDP port that is required for Kerberos. In that case, Kerberos fails to start. FreeIPA's CI is running into the issue every now and then.

Version-Release number of selected component (if applicable):
rpcbind-0.2.4-8.rc3.fc27.x86_64

How reproducible:
rarely

Steps to Reproduce:
1. restart rpcbind a lot until it eventually uses 749/udp

Actual results:
kadmin fails to start

Jun 19 13:12:13 master.ipa.test kadmind[16427](info): setting up network...
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: Address already in use - Cannot bind server socket on 0.0.0.0.749
Jun 19 13:12:13 master.ipa.test kadmind[16427](Error): Failed setting up a RPC socket (for 0.0.0.0.749)
kadmind: Address already in use - Error setting up network
Jun 19 13:13:13 master.ipa.test kadmind[17767](info): setting up network...
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: Address already in use - Cannot bind server socket on 0.0.0.0.749
Jun 19 13:13:13 master.ipa.test kadmind[17767](Error): Failed setting up a RPC socket (for 0.0.0.0.749)
kadmind: Address already in use - Error setting up network


Expected results:
rpcbind never takes a Kerberos port

Additional info:
rpcbind should be more careful when it selects a random UDP port. I suggest that rpcbind never uses a UDP port that has been reserved for a service in /etc/services, e.g. with getservbyport(port, "udp"). See https://linux.die.net/man/3/getservbyport

The issue affects F27, F28, rawhide, and RHEL 7. RHEL 6 had portreserve but it's no longer available in RHEL 7.
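The mitigation the report proposes (skip any UDP port that /etc/services reserves before binding) as an added example, not rpcbind's own code: a parser for the /etc/services line format run over a constructed sample table, the step-down port selection that avoids the reserved ports, and the same check against the host's live database via getservbyport(3), which is the call the report names.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* One bit per UDP port that a named service in the services table reserves. */
static unsigned char reserved_bit[65536 / 8];
int udp_reserved(int port) { return (reserved_bit[port / 8] >> (port % 8)) & 1; }

/* Parse text in /etc/services format ("name port/proto [aliases] # comment")
 * into reserved_bit. Returns how many udp entries were recorded. */
int load_services(const char *text)
{
    char line[256]; int count = 0;
    memset(reserved_bit, 0, sizeof reserved_bit);
    while (*text) {
        size_t n = strcspn(text, "\n");
        size_t m = n < sizeof line ? n : sizeof line - 1;  /* clip over-long lines */
        memcpy(line, text, m);
        line[m] = '\0';
        text += n + (text[n] == '\n');
        char *hash = strchr(line, '#');
        if (hash) *hash = '\0';                            /* strip trailing comment */
        char *name = strtok(line, " \t");
        char *spec = name ? strtok(NULL, " \t") : NULL;
        char *slash = spec ? strchr(spec, '/') : NULL;
        if (!slash || strcmp(slash + 1, "udp") != 0) continue;
        int port = atoi(spec);
        if (port <= 0 || port > 65535) continue;
        reserved_bit[port / 8] |= (unsigned char)(1u << (port % 8));
        count++;
    }
    return count;
}

/* What the report asks of rpcbind: starting from the port the random allocator
 * chose, step down to the nearest unreserved port; -1 if none >= lowest. */
int avoid_reserved(int candidate, int lowest)
{
    for (int p = candidate; p >= lowest; p--)
        if (!udp_reserved(p)) return p;
    return -1;
}
/* The same test against the host's live database, via getservbyport(3). */
int system_udp_reserved(int port) { return getservbyport(htons((unsigned short)port), "udp") != NULL; }

/* Constructed sample in /etc/services format, not copied from any host. */
const char *SAMPLE_SERVICES =
    "kerberos        88/udp      kerberos5 krb5 kdc   # Kerberos v5 KDC\n"
    "kerberos-adm    749/tcp                          # kadmin over tcp\n"
    "kerberos-adm    749/udp\n"
    "kerberos-iv     750/udp     kerberos4 kerberos-sec\n";
```

With the sample loaded, a candidate of 749 or 750 is steered to 748, while system_udp_reserved(749) depends on whether the host's own /etc/services lists 749/udp.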

Comment 2 Yongcheng Yang 2018-08-14 01:41:03 UTC
Looks like we need to wait for the upstream fix first.

#####################################
# Wait when rpcbind port=749 assigned
#####################################
[root ~]# cur_port=0; target=749; while [ "$cur_port" -ne "$target" ]; do systemctl reset-failed; systemctl restart rpcbind; sleep 1; cur_port=`netstat -apn4| awk -F: '/rpcbind/ {print $2}' | cut -d' ' -f1`; echo "current port is $cur_port"; done
current port is 913
<...>
current port is 730
current port is 749
[root ~]# netstat --program --all --numeric-ports | grep -w rpcbind
udp        0      0 0.0.0.0:749             0.0.0.0:*                           35766/rpcbind       
udp6       0      0 [::]:749                [::]:*                              35766/rpcbind       
unix  2      [ ACC ]     STREAM     LISTENING     10945    1/systemd            /var/run/rpcbind.sock
[root ~]# rpm -q rpcbind
rpcbind-0.2.0-45.el7.x86_64

Comment 3 Marko Myllynen 2018-08-27 08:12:01 UTC
AIUI, 749/UDP is just an example; if the port is assigned at random, this could affect any other service using privileged UDP ports as well. It sounds like the port should be configurable so that it is possible to avoid these kinds of conflicts. Thanks.

Comment 4 Yongcheng Yang 2018-12-04 09:21:16 UTC
Will check it by hand based on comment #2 when it's fixed.

We may need rpcbind patch:

commit 2e9c289246c647e25649914bdb0d9400c66f486e (tag: pcbind-0_2_5-rc4)
Author: Steve Dickson <steved>
Date:   Wed Aug 15 10:22:36 2018 -0400

    rpcbind: Disable remote calls by default
    
    Added a new configuration flag --enable-rmtcalls
    which will be needed to enable the remote call
    functionality.
    
    This also stops rpcbind from opening up random
    listening ports.

Comment 6 Steve Dickson 2019-09-26 19:21:45 UTC
(In reply to Yongcheng Yang from comment #4)
> Will check it by hand based on comment #2 when it's fixed.
> 
> We may need rpcbind patch:
> 
> commit 2e9c289246c647e25649914bdb0d9400c66f486e (tag: pcbind-0_2_5-rc4)
> Author: Steve Dickson <steved>
> Date:   Wed Aug 15 10:22:36 2018 -0400
> 
>     rpcbind: Disable remote calls by default
>     
>     Added a new configuration flag --enable-rmtcalls
>     which will be needed to enable the remote call
>     functionality.
>     
>     This also stops rpcbind from opening up random
>     listening ports.

Yes, this is the patch... but... it turns out this patch breaks NIS when it broadcasts for the ypserver... I just turned the listening back on in Fedora for that reason.

Comment 9 RHEL Program Management 2021-02-15 07:39:48 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.