Bug 712239
Summary: | Timeout with yppush and iptables enabled pushing maps to NIS slave server
---|---
Product: | Red Hat Enterprise Linux 5
Reporter: | Jim Roland, RHCE <jroland>
Component: | ypserv
Assignee: | Honza Horak <hhorak>
Status: | CLOSED ERRATA
QA Contact: | qe-baseos-daemons
Severity: | high
Priority: | unspecified
Version: | 5.6
CC: | azelinka, baboo, ovasik, psklenar
Target Milestone: | rc
Keywords: | ManPageChange, Patch
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2012-02-21 05:53:43 UTC
Bug Blocks: | 863952

Description
Jim Roland, RHCE
2011-06-09 21:33:11 UTC
(In reply to comment #0)
> The only workaround I've been able to accomplish is to change the line in
> /var/yp/Makefile from:
> YPPUSH = $(YPSBINDIR)/yppush
> to:
> YPPUSH = $(YPSBINDIR)/yppush --port 838
> (838 is a port I have opened up in iptables on the master)
> After making this change, the push to the slave is flawless and does not
> timeout.

This solution looks good and afaik it's exactly the way others solve this issue. /var/yp/Makefile is a kind of config file, though a bit dubious (see bug #481780), and it is already not being replaced during update in RHEL-6 and Fedora. So, from my point of view it is legitimate to change your Makefile to correspond with your objections, exactly as you did. What is probably a flaw is a missing comment about this possibility, so the best fix would be to add the following comment into this Makefile:

    # yppush sends maps to slave servers and waits for their call-back on
    # a random port selected by a portmap by default. It is possible to specify
    # a fixed port as well as any other additional yppush arguments using
    # variable YPPUSH_ARGS.
    # e.g. YPPUSH_ARGS = --port 1002
    YPPUSH_ARGS =

..and then use this variable when running yppush:

    -YPPUSH = $(YPSBINDIR)/yppush
    +YPPUSH = $(YPSBINDIR)/yppush $(YPPUSH_ARGS)

The other way to solve this issue is to parse a config file (like you suggest), but I'm not sure if it is necessary. I'll consult both solutions with upstream.

I've consulted this issue with upstream and there is no better way to do this. Even implementing a new feature just for adding options to yppush would be overkill. Please, consider your /var/yp/Makefile as a config file and feel free to adjust it if you need, while this is exactly what others do in your situation. If you won't disagree I'm going to close this bug soon.

I will agree with the stipulation that the RH Knowledgebase docs (https://access.redhat.com/kb/docs/DOC-48333) be updated as to this information. I wasted 3 days figuring this out, delaying my project. Although I'm an RHCE, I'm not a developer/programmer.

This doc (https://access.redhat.com/kb/docs/DOC-9022) should also be updated since it contains port information for securing NIS, securing a server with iptables and having to specify ports is part of this problem/bug-report.

(In reply to comment #4)
> This doc (https://access.redhat.com/kb/docs/DOC-9022) should also be updated
> since it contains port information for securing NIS, securing a server with
> iptables and having to specify ports is part of this problem/bug-report.

Thanks for pointing me out, I've proposed to add a comment about how to add options to yppush in https://access.redhat.com/kb/docs/DOC-9022. It should be there in the foreseeable future.

A comment in /var/yp/Makefile has been added and yppush man page has been adjusted in Fedora:
http://lists.fedoraproject.org/pipermail/scm-commits/2011-June/614557.html

Created attachment 504683
proposed patch that adjust man page for yppush
It would be also good to adjust man page in RHEL, but it doesn't make sense to change Makefile, which is not going to be updated during package update. So the attached patch adjusts only yppush man page.
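
Review bot: In the Makefile change proposed in the first reply (the "# yppush sends maps ..." comment block above the new YPPUSH_ARGS variable), the comment explains that a fixed port can be set but not that this port must also be allowed through the firewall on the master, which is the reason for pinning it in this report. Suggest adding a line such as "# The fixed port must also be open in the firewall (e.g. iptables) on the master."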

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2012-0205.html

That problem is also/still present in recent versions of RHEL 6. The fix stays the same (yppush --port xxx). I believe that the fix can be applied to the recent version of ypserv.
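
A check for the configuration this thread converges on, as an added example that is not part of the original bug report or of ypserv: it reads the fixed yppush port from Makefile text and confirms that iptables-save output contains an INPUT ACCEPT rule for it. The function names and both sample inputs are constructed for illustration, and a rule for any protocol is accepted because the report does not state which one the call-back uses.

```shell
# Constructed sample inputs (not taken from the bug report).
MAKEFILE_SAMPLE='YPSBINDIR = /usr/sbin
# e.g. YPPUSH_ARGS = --port 1002
YPPUSH_ARGS = --port 838
YPPUSH = $(YPSBINDIR)/yppush $(YPPUSH_ARGS)'

RULES_SAMPLE='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 838 -j ACCEPT
-A INPUT -p udp -m udp --dport 838 -j ACCEPT
COMMIT'

# Print the first port pinned for yppush in Makefile text ($1), or nothing.
# Only uncommented YPPUSH / YPPUSH_ARGS assignments are considered.
yppush_port() {
  printf '%s\n' "$1" |
    sed -n -E 's/^[[:space:]]*YPPUSH(_ARGS)?[[:space:]]*=.*--port[[:space:]=]+([0-9]+).*/\2/p' |
    head -n 1
}

# Succeed if iptables-save text ($2) has an INPUT ACCEPT rule whose --dport
# is port $1 or a lo:hi range containing it (any protocol, see lead-in).
port_allowed() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
      for (i = 3; i < NF; i++) if ($i == "--dport") {
        n = split($(i + 1), r, ":")
        lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
        if (port + 0 >= lo && port + 0 <= hi) found = 1
      }
    }
    END { exit !found }'
}

# Classify a master: "random" (no fixed port, so the call-back port cannot be
# matched by a static rule), "pinned-blocked PORT" or "pinned-open PORT".
yppush_callback_status() {
  local port
  port=$(yppush_port "$1")
  if [ -z "$port" ]; then echo "random"
  elif port_allowed "$port" "$2"; then echo "pinned-open $port"
  else echo "pinned-blocked $port"
  fi
}

yppush_callback_status "$MAKEFILE_SAMPLE" "$RULES_SAMPLE"
```

On a real master the two arguments would be `"$(cat /var/yp/Makefile)"` and `"$(iptables-save)"`; rules that accept the traffic without naming a destination port are not recognised by this check.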