Bug 762989 (GLUSTER-1257)
| Summary: | Possibility of GlusterFS port clashes with reserved ports | | |
|---|---|---|---|
| Product: | [Community] GlusterFS | Reporter: | Sachidananda Urs <sac> |
| Component: | protocol | Assignee: | Raghavendra Bhat <rabhat> |
| Status: | CLOSED CURRENTRELEASE | | |
| Severity: | low | | |
| Priority: | high | | |
| Version: | mainline | CC: | amarts, botsch, gluster-bugs, jclift, jdarcy, joe, johnmark, josh, rodrigo, vijay, you |
| Target Milestone: | --- | Keywords: | Triaged |
| Hardware: | All | | |
| OS: | Linux | | |
| Fixed In Version: | glusterfs-3.4.0 | Doc Type: | Bug Fix |
| : | 852819 | | |
| Last Closed: | 2013-07-24 17:12:43 UTC | Type: | --- |
| Bug Blocks: | 852819, 952693 | | |
Description
Sachidananda Urs
2010-08-02 06:02:57 UTC
Please update the status of this bug, as it's been more than 6 months since it was filed (bug id < 2000). Please resolve it with the proper resolution if it's not valid anymore. If it's still valid and not critical, move it to 'enhancement' severity.

Planning to keep the 3.4.x branch as an "internal enhancements" release without any features. So moving these bugs to the 3.4.0 target milestone.

Don't know if I can close this. Reported by Keisuke Takahashi... have to test this though.

*** Bug 806504 has been marked as a duplicate of this bug. ***

*** Bug 765228 has been marked as a duplicate of this bug. ***

Paraphrasing David Coulson at the Gluster Users mailing list: Why does it not use ports within the /proc/sys/net/ipv4/ip_local_port_range?

With two servers, glusterfs (v3.3) started up listening on port 993, which kept dovecot from starting. Not good. Please fix.

I'm having similar issues, simple cluster of 3 replicating. 'glusterfs' takes over 995 and 993, going as low as 959 in my case. I'm confused why unused ephemeral ports aren't used instead of lower *more likely to be used* ports. Currently running glusterfs 3.3.0, I will update the packages to 3.3.1 and report any changes. I don't see anything in the release notes though.. somewhat worrisome. This bug was opened in..? 2010..

Can we change this to a feature request for a config option for those who can't give up ports below 1024?

As a general rule of thumb, ports under 1024 aka well-known-ports are reserved.. why does gluster want to use these? It's a bit confusing why the most used port range in the world would be chosen. But hey I'm not the developer, not my decision, thanks for a great piece of software either way!

Hi Jacob, that's because we don't have *complete* security in terms of trusting the client's connection. And if the process is using ports below 1024, that means only root can do that, which is in many cases good enough security. And that is the reason glusterfs uses the ports below 1024.
JMW, yes, with the patch posted above, it would make it configurable to ignore those ports.

CHANGE: http://review.gluster.org/4131 (socket,rdma: before binding to any port check if it is a reserved port) merged in master by Vijay Bellur (vbellur)

CHANGE: http://review.gluster.org/4264 (libglusterfs: fix unused-but-set-variable warning) merged in master by Anand Avati (avati)

Current behavior is:

* Check if the port is listed in /proc/sys/net/ipv4/ip_local_reserved_ports
* If it is, then don't bind to that port, check next...

In this case, if the sysadmin has forgotten to mention the list of well-known ports that he wishes to use for different applications like dovecot, ssl... our solution would not work for him and we end up binding to the reserved ports. We may have to document this behavior, so that the sysadmin remembers to add the reserved ports to the ip_local_reserved_ports file.

CHANGE: http://review.gluster.org/4426 (762989.t: fix a typo by grepping only the blocked port number from netstat o/p) merged in master by Anand Avati (avati)

CHANGE: http://review.gluster.org/4486 (tests/bugs/bug-762989.t: do not check the listening ports) merged in master by Anand Avati (avati)

CHANGE: http://review.gluster.org/4583 (libglusterfs: avoid the logging which says the port is invalid) merged in master by Anand Avati (avati)

REVIEW: http://review.gluster.org/4821 (libglusterfs: avoid the logging which says the port is invalid) posted (#1) for review on release-3.4 by Raghavendra Bhat (raghavendra)

The ideal solution (longer term, not right now) is to make GlusterFS firewall friendly, by listening on only one port for everything. Preferably reserving that port with IANA (www.iana.org) as well, for good measure.
COMMIT: http://review.gluster.org/4821 committed in release-3.4 by Vijay Bellur (vbellur)

------

commit 0762a610296dc0f9445f0c9f9261b449cadb0f0d
Author: Raghavendra Bhat <raghavendra>
Date: Tue Feb 26 18:34:53 2013 +0530

    libglusterfs: avoid the logging which says the port is invalid

    If the reserved ports file in proc contains just a newline, then do not proceed with ports checking and reserving.

    Change-Id: I776d0be1c3824dcd982f0685b171f2172b4e11e6
    BUG: 762989
    Signed-off-by: Raghavendra Bhat <raghavendra>
    Reviewed-on: http://review.gluster.org/4821
    Tested-by: Gluster Build System <jenkins.com>
    Reviewed-by: Vijay Bellur <vbellur>
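The reserved-port check described in the "Current behavior" comment, together with the newline-only case from the commit message, as an added example (not GlusterFS code): it parses the comma-and-range list format of /proc/sys/net/ipv4/ip_local_reserved_ports and picks a privileged port that is not listed. The names `parse_reserved` and `choose_port`, the downward scan from the ceiling, and the sample lists are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PORT 65535
static unsigned char reserved_map[MAX_PORT + 1];

/* Parse the kernel list syntax ("993,995,2049-2051\n") into a per-port map.
 * Returns entries marked, 0 for an empty or newline-only file, -1 if malformed. */
int parse_reserved(const char *text, unsigned char *map)
{
    int entries = 0;
    memset(map, 0, MAX_PORT + 1);
    for (;;) {
        char *end;
        while (isspace((unsigned char)*text) || *text == ',')
            text++;
        if (!*text)
            return entries;   /* "\n" alone ends here with 0 entries */
        long lo = strtol(text, &end, 10), hi = lo;
        if (end != text && *end == '-') {       /* range such as 1000-1023 */
            text = end + 1;
            hi = strtol(text, &end, 10);
        }
        if (end == text || lo < 0 || hi > MAX_PORT || lo > hi)
            return -1;
        for (long p = lo; p <= hi; p++)
            map[p] = 1;
        entries++;
        text = end;
    }
}

/* Assumed scan order: downward from ceiling - 1, skipping reserved ports.
 * Returns the chosen port, or -1 if the input is invalid or nothing is free. */
int choose_port(const char *reserved_text, int ceiling)
{
    if (ceiling > MAX_PORT + 1 || parse_reserved(reserved_text, reserved_map) < 0)
        return -1;
    for (int port = ceiling - 1; port > 0; port--)
        if (!reserved_map[port])
            return port;
    return -1;
}

int main(void)
{
    /* Constructed sample lists, not taken from a real host. */
    printf("%d %d\n", choose_port("993,995,1000-1023\n", 1024), choose_port("\n", 1024));
    return 0;
}
```

With the newline-only input nothing is skipped, so the first candidate below the ceiling is chosen; service ports are only avoided once the administrator has listed them in ip_local_reserved_ports.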