Bug 762989 (GLUSTER-1257) - Possibility of GlusterFS port clashes with reserved ports
Summary: Possibility of GlusterFS port clashes with reserved ports
Status: CLOSED CURRENTRELEASE
Alias: GLUSTER-1257
Product: GlusterFS
Classification: Community
Component: protocol
Version: mainline
Hardware: All
OS: Linux
high
low
Target Milestone: ---
Assignee: Raghavendra Bhat
QA Contact:
URL:
Whiteboard:
Keywords: Triaged
: GLUSTER-3496 806504 (view as bug list)
Depends On:
Blocks: 852819 952693
TreeView+ depends on / blocked
 
Reported: 2010-08-02 06:02 UTC by Sachidananda Urs
Modified: 2014-03-13 02:43 UTC (History)
11 users (show)

(edit)
Clone Of:
: 852819 (view as bug list)
(edit)
Last Closed: 2013-07-24 17:12:43 UTC


Attachments (Terms of Use)

Description Sachidananda Urs 2010-08-02 06:02:57 UTC
If the number of servers increase then there is a chance of GlusterFS port clashing with reserved ports.

For example if the servers increase more than 28 a pop3 over ssl daemon,
which uses 995 port, cannot start after GlusterFS client.

Comment 1 Amar Tumballi 2011-04-25 09:33:21 UTC
Please update the status of this bug as its been more than 6months since its filed (bug id < 2000)

Please resolve it with proper resolution if its not valid anymore. If its still valid and not critical, move it to 'enhancement' severity.

Comment 2 Amar Tumballi 2011-09-27 05:50:11 UTC
Planing to keep 3.4.x branch as "internal enhancements" release without any features. So moving these bugs to 3.4.0 target milestone.

Comment 3 Sachidananda Urs 2011-11-21 15:22:21 UTC
Don't know if I can close this. Reported by Keisuke Takahashi... have to test this though.

Comment 4 Amar Tumballi 2012-03-25 09:11:14 UTC
*** Bug 806504 has been marked as a duplicate of this bug. ***

Comment 5 Amar Tumballi 2012-03-25 09:12:28 UTC
*** Bug 765228 has been marked as a duplicate of this bug. ***

Comment 6 Rodrigo Severo 2012-06-04 15:33:04 UTC
Paraphasing David Coulson at Gluster Users mailing list:

Why does not use ports within the /proc/sys/net/ipv4/ip_local_port_range?

Comment 7 Dave Botsch 2012-07-11 19:44:50 UTC
With two servers, glusterfs (v3.3) started up listening on port 993, which kept dovecot from starting. Not good. Please fix.

Comment 8 Jacob Vallejo 2012-10-23 21:54:43 UTC
I'm having similar issues, simple cluster of 3 replicating. 'glusterfs' takes over 995 and 993, going as low as 959 in my case. I'm confused why unused ephemeral ports aren't used instead of lower *more likely to be used* ports. 
Currently running glusterfs 3.3.0, I will update the packages to 3.3.1 and report any changes. I don't see anything in the release notes though..somewhat worrisome. This bug was opened in..? 2010..

Comment 9 JMW 2012-10-24 17:04:51 UTC
Can we change this to a feature request for a config option for those who can't give up ports below 1024?

Comment 10 Jacob Vallejo 2012-10-24 19:52:36 UTC
As a general rule of thumb, ports under 1024 aka well-known-ports are reserved..why does gluster want to use these? Its a bit confusing why the most used port range in the world would be chosen. But hey I'm not the developer, not my decision, thanks for a great piece of software either way!

Comment 11 Amar Tumballi 2012-11-29 11:10:12 UTC
http://review.gluster.org/4131

Comment 12 Amar Tumballi 2012-11-29 11:12:15 UTC
Hi Jacob, thats because we don't have *complete* security interms of trusting the client's connection. And if the process is using ports below 1024, that means, only root can do that, which is in many cases a good enough security. And that is the reason glusterfs uses the ports below 1024.

JMW, yes, with the patch posted above, it would make it configurable to ignore those ports.

Comment 13 Vijay Bellur 2012-12-03 11:03:13 UTC
CHANGE: http://review.gluster.org/4131 (socket,rdma: before binding to any port check if it is a reserved port) merged in master by Vijay Bellur (vbellur@redhat.com)

Comment 14 Vijay Bellur 2012-12-04 09:42:01 UTC
CHANGE: http://review.gluster.org/4264 (libglusterfs: fix unused-but-set-variable warning) merged in master by Anand Avati (avati@redhat.com)

Comment 15 Sachidananda Urs 2012-12-20 09:51:13 UTC
Current behavior is:

* Check if the port is listed in /proc/sys/net/ipv4/ip_local_reserved_ports
* If it is, then don't bind to that port, check next...

In this case if the sysadmin has forgotten to mention the list of well known ports that he wishes to use for different applications like dovecot, ssl... our solution would not work for him and we end up binding to the reserved ports.

We may have to document this behavior, so that the sysadmin remembers to add the reserved ports to the ip_local_reserved_ports file.

Comment 16 Vijay Bellur 2013-01-30 18:40:55 UTC
CHANGE: http://review.gluster.org/4426 (762989.t: fix a typo by grepping only the blocked port number from netstat o/p) merged in master by Anand Avati (avati@redhat.com)

Comment 17 Vijay Bellur 2013-02-09 01:39:16 UTC
CHANGE: http://review.gluster.org/4486 (tests/bugs/bug-762989.t: do not check the listening ports) merged in master by Anand Avati (avati@redhat.com)

Comment 18 Vijay Bellur 2013-02-28 23:23:00 UTC
CHANGE: http://review.gluster.org/4583 (libglusterfs: avoid the logging which says the port is invalid) merged in master by Anand Avati (avati@redhat.com)

Comment 19 Anand Avati 2013-04-13 09:14:34 UTC
REVIEW: http://review.gluster.org/4821 (libglusterfs: avoid the logging which says the port is invalid) posted (#1) for review on release-3.4 by Raghavendra Bhat (raghavendra@redhat.com)

Comment 20 Justin Clift 2013-04-15 11:12:43 UTC
The ideal solution (longer term, not right now) is to make GlusterFS firewall friendly, by listening on only one port for everything.

Preferably reserving that port with IANA (www.iana.org) as well, for good measure.

Comment 21 Anand Avati 2013-05-09 03:10:53 UTC
COMMIT: http://review.gluster.org/4821 committed in release-3.4 by Vijay Bellur (vbellur@redhat.com) 
------
commit 0762a610296dc0f9445f0c9f9261b449cadb0f0d
Author: Raghavendra Bhat <raghavendra@redhat.com>
Date:   Tue Feb 26 18:34:53 2013 +0530

    libglusterfs: avoid the logging which says the port is invalid
    
    If the reserved ports file in proc contains just a newline, then
    do not proceed with ports checking and reserving.
    
    Change-Id: I776d0be1c3824dcd982f0685b171f2172b4e11e6
    BUG: 762989
    Signed-off-by: Raghavendra Bhat <raghavendra@redhat.com>
    Reviewed-on: http://review.gluster.org/4821
    Tested-by: Gluster Build System <jenkins@build.gluster.com>
    Reviewed-by: Vijay Bellur <vbellur@redhat.com>


Note You need to log in before you can comment on or make changes to this bug.