Bug 1595170 - rpcbind sometimes uses port 749/UDP, which breaks Kerberos admin and FreeIPA
Summary: rpcbind sometimes uses port 749/UDP, which breaks Kerberos admin and FreeIPA
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rpcbind
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Steve Dickson
QA Contact: Yongcheng Yang
URL:
Whiteboard:
Depends On: 1592883
Blocks: 1644280
Reported: 2018-06-26 09:40 UTC by Christian Heimes
Modified: 2021-02-15 07:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1592883
Environment:
Last Closed: 2021-02-15 07:39:48 UTC
Target Upstream Version:
Embargoed:


Description Christian Heimes 2018-06-26 09:40:36 UTC
+++ This bug was initially created as a clone of Bug #1592883 +++

Description of problem:
rpcbind uses a random UDP port between about 600/UDP and 1023/UDP. Sometimes rpcbind happens to use a UDP port that is required for Kerberos. In that case, Kerberos fails to start. FreeIPA's CI is running into the issue every now and then.

Version-Release number of selected component (if applicable):
rpcbind-0.2.4-8.rc3.fc27.x86_64

How reproducible:
rarely

Steps to Reproduce:
1. restart rpcbind a lot until it eventually uses 749/udp

Actual results:
kadmin fails to start

Jun 19 13:12:13 master.ipa.test kadmind[16427](info): setting up network...
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: Address already in use - Cannot bind server socket on 0.0.0.0.749
Jun 19 13:12:13 master.ipa.test kadmind[16427](Error): Failed setting up a RPC socket (for 0.0.0.0.749)
kadmind: Address already in use - Error setting up network
Jun 19 13:13:13 master.ipa.test kadmind[17767](info): setting up network...
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: Address already in use - Cannot bind server socket on 0.0.0.0.749
Jun 19 13:13:13 master.ipa.test kadmind[17767](Error): Failed setting up a RPC socket (for 0.0.0.0.749)
kadmind: Address already in use - Error setting up network


Expected results:
rpcbind never takes a Kerberos port

Additional info:
rpcbind should be more careful when it selects a random UDP port. I suggest that rpcbind never uses a UDP port that has been reserved for a service in /etc/services, e.g. with getservbyport(port, "udp"). See https://linux.die.net/man/3/getservbyport

The issue affects F27, F28, rawhide, and RHEL 7. RHEL 6 had portreserve but it's no longer available in RHEL 7.
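The selection policy the report asks for, as an added example written for this page (it is not rpcbind's code and not a patch proposed on this bug): choose a port in the privileged UDP range but refuse any port that /etc/services already assigns to a UDP service, checked with getservbyport(3) exactly as suggested above. The 600-1023 range is the one the report describes; the function names, the injectable policy predicate, and the constructed reserved_kerberos_demo policy (88, 464 and 749, the three Kerberos UDP ports, of which only 749 appears on this page) are this example's own assumptions. Binding below 1024 needs CAP_NET_BIND_SERVICE, so main() demonstrates on an unprivileged range.

```c
/* Added example, not rpcbind's code: pick a UDP port in a privileged range
 * while refusing ports that /etc/services already assigns to a UDP service,
 * so the daemon never lands on kerberos-adm (749/udp) or similar. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Port policy predicate, injected so the selection logic can be exercised
 * without depending on what this machine's /etc/services contains. */
typedef int (*reserved_fn)(int port);

/* Real policy: reserved if /etc/services names a UDP service on this port.
 * getservbyport(3) takes the port in network byte order. */
int reserved_in_etc_services(int port)
{
    return getservbyport(htons((uint16_t)port), "udp") != NULL;
}

/* Constructed demo policy (assumption for this example): the Kerberos UDP
 * ports 88 (kerberos), 464 (kpasswd) and 749 (kerberos-adm, the one the
 * report collides on). */
int reserved_kerberos_demo(int port)
{
    return port == 88 || port == 464 || port == 749;
}

/* First port p in [lo, hi], walking from `start` and wrapping around once,
 * for which is_reserved(p) == 0.  Returns -1 for a bad range or when every
 * port in the range is reserved.  A `start` outside the range means lo. */
int next_unreserved_port(int lo, int hi, int start, reserved_fn is_reserved)
{
    if (lo < 1 || hi > 65535 || lo > hi)
        return -1;
    if (start < lo || start > hi)
        start = lo;
    int span = hi - lo + 1;
    for (int i = 0; i < span; i++) {
        int p = lo + (start - lo + i) % span;
        if (!is_reserved(p))
            return p;
    }
    return -1;
}

/* Bind a new UDP socket to an unreserved, currently free port in [lo, hi],
 * starting from a random offset like a bindresvport()-style picker does.
 * Ports the policy rejects are never tried; busy ports (EADDRINUSE) are
 * skipped.  Returns the fd and stores the port, or -1 with errno set. */
int bind_udp_unreserved(int lo, int hi, reserved_fn is_reserved, int *bound_port)
{
    if (lo < 1 || hi > 65535 || lo > hi) {
        errno = EINVAL;
        return -1;
    }
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int span = hi - lo + 1;
    int start = lo + rand() % span;
    int saved_errno = EADDRINUSE;   /* reported if nothing in range binds */
    for (int i = 0; i < span; i++) {
        int p = lo + (start - lo + i) % span;
        if (is_reserved(p))
            continue;               /* somebody else's port by contract */
        struct sockaddr_in sin;
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
        sin.sin_port = htons((uint16_t)p);
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0) {
            *bound_port = p;
            return fd;
        }
        saved_errno = errno;
        if (errno != EADDRINUSE)
            break;                  /* EACCES etc.: retrying will not help */
    }
    close(fd);
    errno = saved_errno;
    return -1;
}

int main(void)
{
    srand((unsigned)getpid());
    printf("749/udp reserved per /etc/services: %s\n",
           reserved_in_etc_services(749) ? "yes" : "no");
    /* As root the report's case would be bind_udp_unreserved(600, 1023, ...);
     * use an unprivileged range here so the demo runs without capabilities. */
    int port = -1;
    int fd = bind_udp_unreserved(40000, 40100, reserved_in_etc_services, &port);
    if (fd < 0) {
        perror("bind_udp_unreserved");
        return 1;
    }
    printf("bound UDP port %d\n", port);
    close(fd);
    return 0;
}
```

The policy is deliberately a predicate rather than a hard-coded list: the report's point is that /etc/services is the contract other daemons rely on, and the same predicate slot is where a configurable fixed port (comment 3's suggestion) or a deny-list would go. Note that skipping registered ports only avoids services the host knows by name; a port that is merely in use is still caught by the EADDRINUSE path.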

Comment 2 Yongcheng Yang 2018-08-14 01:41:03 UTC
Looks like we need to wait for the upstream fix first.

#####################################
# Wait when rpcbind port=749 assigned
#####################################
[root ~]# cur_port=0; target=749
[root ~]# while [ "$cur_port" -ne "$target" ]; do
>   systemctl reset-failed        # clear a previous failed state so the restart is allowed
>   systemctl restart rpcbind     # each start picks a new random privileged UDP port
>   sleep 1
>   # port of rpcbind's IPv4 UDP socket: second ':'-separated field, up to the first space
>   cur_port=$(netstat -apn4 | awk -F: '/rpcbind/ {print $2}' | cut -d' ' -f1)
>   cur_port=${cur_port:-0}       # keep the -ne test valid if netstat printed nothing
>   echo "current port is $cur_port"
> done
current port is 913
<...>
current port is 730
current port is 749
[root ~]# netstat --program --all --numeric-ports | grep -w rpcbind
udp        0      0 0.0.0.0:749             0.0.0.0:*                           35766/rpcbind       
udp6       0      0 [::]:749                [::]:*                              35766/rpcbind       
unix  2      [ ACC ]     STREAM     LISTENING     10945    1/systemd            /var/run/rpcbind.sock
[root ~]# rpm -q rpcbind
rpcbind-0.2.0-45.el7.x86_64

Comment 3 Marko Myllynen 2018-08-27 08:12:01 UTC
AIUI, 749/UDP is just an example; if the port is assigned at random, this could affect any other service using privileged UDP ports as well. It sounds like the port should be configurable so that it is possible to avoid these kinds of conflicts. Thanks.

Comment 4 Yongcheng Yang 2018-12-04 09:21:16 UTC
Will check it by hand based on comment #2 when it's fixed.

We may need rpcbind patch:

commit 2e9c289246c647e25649914bdb0d9400c66f486e (tag: pcbind-0_2_5-rc4)
Author: Steve Dickson <steved>
Date:   Wed Aug 15 10:22:36 2018 -0400

    rpcbind: Disable remote calls by default
    
    Added a new configuration flag --enable-rmtcalls
    which will be needed to enable the remote call
    functionality.
    
    This also stops rpcbind from opening up random
    listening ports.

Comment 6 Steve Dickson 2019-09-26 19:21:45 UTC
(In reply to Yongcheng Yang from comment #4)
> Will check it by hand based on comment #2 when it's fixed.
> 
> We may need rpcbind patch:
> 
> commit 2e9c289246c647e25649914bdb0d9400c66f486e (tag: pcbind-0_2_5-rc4)
> Author: Steve Dickson <steved>
> Date:   Wed Aug 15 10:22:36 2018 -0400
> 
>     rpcbind: Disable remote calls by default
>     
>     Added a new configuration flag --enable-rmtcalls
>     which will be needed to enable the remote call
>     functionality.
>     
>     This also stops rpcbind from opening up random
>     listening ports.

Yes, this is the patch... but... it turns out this patch breaks NIS when it broadcasts for the ypserver... I just turned the listening back on in Fedora for that reason.

Comment 9 RHEL Program Management 2021-02-15 07:39:48 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

