all lists on lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [RFC common/manger] use appropriate wildcard address for pveproxy/spiceproxy
@ 2021-04-29 13:37 Stoiko Ivanov
  2021-04-29 13:37 ` [pve-devel] [RFC common 1/1] tools: add get_wildcard_address Stoiko Ivanov
  2021-04-29 13:37 ` [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use Stoiko Ivanov
  0 siblings, 2 replies; 4+ messages in thread
From: Stoiko Ivanov @ 2021-04-29 13:37 UTC (permalink / raw)
  To: pve-devel

The following patchset tries to address the small regression reported in our
forums [0,1], resulting from defaulting to '::' as listen-address in
pveproxy/spiceproxy.

The issue also affects proxmox-backup-proxy in PBS - and should this approach
be accepted I'll try to port it over to PBS as well.
(ftr: pmgproxy was not affected, since the patch for pmg-api was not applied)

In all cases the issue is only exhibited if ipv6 is diabled via kernel
commandline [2], not via sysctl [3].

* The patchset keeps the fix for pveproxy not starting if the /etc/hosts entry
  is not matching with a configured IP-address (I noticed and was pleasantly
  surprised while testing a v6only host and forgetting to set the entry)

I tested it in the following scenarios:
* ipv6 disabled via kernel commandline (listen on 0.0.0.0)
* ipv6 disabled via sysctl (listen on 0.0.0.0)
* no settings dual-stacked (listen on *)
* no settings v6 only (listen on *)

AFAICT listening on :: as long as possible is the best option, since it
makes the service available on all address-families (doing away, with
having a v4 only /etc/hosts entry, but a DNS AAAA record pointing to
the node for external access).

Took a quick look at how sshd [4,5] handles this (in the assumption that
they have to get it as right as possible), but it listens on multiple
sockets, something which I'd like to avoid for our proxy-daemons.

Sending as RFC, because whenever I come near getaddrinfo/getnameinfo I'm
certain to miss quite a few common cases.

[0] https://forum.proxmox.com/threads/connection-refused-595-nach-update-auf-pve-6-4.88347/#post-387034
[1] https://forum.proxmox.com/threads/ipv6-komplett-deaktivieren.88210/#post-387116
[2] https://www.kernel.org/doc/html/latest/networking/ipv6.html
[3] https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
[4] https://github.com/openssh/openssh-portable/blob/master/servconf.c
[5] https://github.com/openssh/openssh-portable/blob/master/sshd.c

pve-common:
Stoiko Ivanov (1):
  tools: add get_wildcard_address

 src/PVE/Tools.pm | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

pve-manager:
Stoiko Ivanov (1):
  proxy: fix wildcard address use

 PVE/Service/pveproxy.pm   | 2 +-
 PVE/Service/spiceproxy.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

-- 
2.20.1





^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] [RFC common 1/1] tools: add get_wildcard_address
  2021-04-29 13:37 [pve-devel] [RFC common/manger] use appropriate wildcard address for pveproxy/spiceproxy Stoiko Ivanov
@ 2021-04-29 13:37 ` Stoiko Ivanov
  2021-04-29 13:37 ` [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use Stoiko Ivanov
  1 sibling, 0 replies; 4+ messages in thread
From: Stoiko Ivanov @ 2021-04-29 13:37 UTC (permalink / raw)
  To: pve-devel

the get_wildcard_address sub returns the appropriate wildcard address:
* '::' if the hosts has any v6 address (including link-local scoped)
  configured (i.e. default behavior without any modification to sysctl
  or kernel commandline)
* '0.0.0.0' if ipv6 is disabled via sysctl or kernel commandline

This should ensure the best behaviour for listening sockets in
dual-stacked environments:
* binding to '::' allows to connect via both v6 and v4 addresses (the
  latter are treated as v4-mapped-v6 addresses (::ffff:192.0.2.1))
* the current unconditional bind to '::' fails if AF_INET6 is not
  supported via kernel commandline setting [0].
* the previous approach of finding the family based on the node-name
  getaddrinfo result leads to the service only being available on v4
  despite having a working v6 address configured, in case it's
  /etc/hosts entry points only to the v4 address.

[0] on linux passing ipv6.disable=1 on the kernel commandline removes
support for AF_INET6 sockets (setting the net.ipv6.conf.*.disable_ipv6
sysctls keeps support)

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PVE/Tools.pm | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index 16ae3d2..fb520ce 100644
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -4,8 +4,8 @@ use strict;
 use warnings;
 use POSIX qw(EINTR EEXIST EOPNOTSUPP);
 use IO::Socket::IP;
-use Socket qw(AF_INET AF_INET6 AI_ALL AI_V4MAPPED AI_CANONNAME SOCK_DGRAM
-	      IPPROTO_TCP);
+use Socket qw(AF_INET AF_INET6 AI_ALL AI_V4MAPPED AI_CANONNAME AI_PASSIVE
+	    AI_ADDRCONFIG NI_NUMERICHOST NI_NUMERICSERV SOCK_DGRAM IPPROTO_TCP);
 use IO::Select;
 use File::Basename;
 use File::Path qw(make_path);
@@ -1405,6 +1405,24 @@ sub get_host_address_family {
     return $res[0]->{family};
 }
 
+# returns "::" if the host supports AF_INET6 else "0.0.0.0"
+sub get_wildcard_address {
+    my %hints = (
+	flags => AI_PASSIVE|AI_ADDRCONFIG,
+    );
+    my ($err, @res) = Socket::getaddrinfo('', '0', \%hints);
+    die "failed to get address info for wildcard address: $err\n" if $err;
+
+    my $sockaddr = $res[0]->{addr};
+    if (my @v6support = grep {$_->{family} eq AF_INET6} @res) {;
+	$sockaddr = $v6support[0]->{addr};
+    }
+    my $host;
+    ($err, $host) = Socket::getnameinfo($sockaddr, NI_NUMERICHOST|NI_NUMERICSERV);
+    die "failed to get name info for wildcard address: $err\n" if $err;
+    return $host;
+}
+
 # get the fully qualified domain name of a host
 # same logic as hostname(1): The FQDN is the name getaddrinfo(3) returns,
 # given a nodename as a parameter
-- 
2.20.1





^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use
  2021-04-29 13:37 [pve-devel] [RFC common/manger] use appropriate wildcard address for pveproxy/spiceproxy Stoiko Ivanov
  2021-04-29 13:37 ` [pve-devel] [RFC common 1/1] tools: add get_wildcard_address Stoiko Ivanov
@ 2021-04-29 13:37 ` Stoiko Ivanov
  2021-04-30  7:12   ` Wolfgang Bumiller
  1 sibling, 1 reply; 4+ messages in thread
From: Stoiko Ivanov @ 2021-04-29 13:37 UTC (permalink / raw)
  To: pve-devel

This patch fixes a regression for hosts disabling ipv6 via kernel
commandline ('ipv6.disable=1')introduced in commit
fc087ec2b924dc9c72d3bf80face8a1731c15405

by hardcoding the address to '::', pveproxy and spiceproxy failed to
start with:
'unable to create socket - Address family not supported by protocol'

Disabling IPv6 via sysctl did not exhibit these problems.

This patch depends on the commit in pve-common and needs a versioned
dependency bump on libpve-common-perl.

With this patch the listening addresses are (`ss -tlnp |grep 8006` output)
* disabled via kernel cmdline: '0.0.0.0:8006'
* disabled via sysctl net.ipv6.conf.all.disable_ipv6=1: '0.0.0.0:8006'
* else: '*:8006'

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 PVE/Service/pveproxy.pm   | 2 +-
 PVE/Service/spiceproxy.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index 4ecd442a..742c0a9a 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -69,7 +69,7 @@ sub init {
     my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
 	die "unable to open lock file '${accept_lock_fn}' - $!\n";
 
-    my $listen_ip = $proxyconf->{LISTEN_IP} // "::0";
+    my $listen_ip = $proxyconf->{LISTEN_IP} // PVE::Tools::get_wildcard_address();
     my $socket = $self->create_reusable_socket(8006, $listen_ip);
 
     my $dirs = {};
diff --git a/PVE/Service/spiceproxy.pm b/PVE/Service/spiceproxy.pm
index 24be0ed7..34882ca4 100755
--- a/PVE/Service/spiceproxy.pm
+++ b/PVE/Service/spiceproxy.pm
@@ -39,7 +39,7 @@ sub init {
     my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
 	die "unable to open lock file '${accept_lock_fn}' - $!\n";
 
-    my $listen_ip = $proxyconf->{LISTEN_IP} // "::0";
+    my $listen_ip = $proxyconf->{LISTEN_IP} // PVE::Tools::get_wildcard_address();
     my $socket = $self->create_reusable_socket(3128, $listen_ip);
 
     $self->{server_config} = {
-- 
2.20.1





^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use
  2021-04-29 13:37 ` [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use Stoiko Ivanov
@ 2021-04-30  7:12   ` Wolfgang Bumiller
  0 siblings, 0 replies; 4+ messages in thread
From: Wolfgang Bumiller @ 2021-04-30  7:12 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: pve-devel

On Thu, Apr 29, 2021 at 03:37:02PM +0200, Stoiko Ivanov wrote:
> This patch fixes a regression for hosts disabling ipv6 via kernel
> commandline ('ipv6.disable=1')introduced in commit
> fc087ec2b924dc9c72d3bf80face8a1731c15405
> 
> by hardcoding the address to '::', pveproxy and spiceproxy failed to
> start with:
> 'unable to create socket - Address family not supported by protocol'
> 
> Disabling IPv6 via sysctl did not exhibit these problems.
> 
> This patch depends on the commit in pve-common and needs a versioned
> dependency bump on libpve-common-perl.
> 
> With this patch the listening addresses are (`ss -tlnp |grep 8006` output)
> * disabled via kernel cmdline: '0.0.0.0:8006'
> * disabled via sysctl net.ipv6.conf.all.disable_ipv6=1: '0.0.0.0:8006'
> * else: '*:8006'
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  PVE/Service/pveproxy.pm   | 2 +-
>  PVE/Service/spiceproxy.pm | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> index 4ecd442a..742c0a9a 100755
> --- a/PVE/Service/pveproxy.pm
> +++ b/PVE/Service/pveproxy.pm
> @@ -69,7 +69,7 @@ sub init {
>      my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
>  	die "unable to open lock file '${accept_lock_fn}' - $!\n";
>  
> -    my $listen_ip = $proxyconf->{LISTEN_IP} // "::0";
> +    my $listen_ip = $proxyconf->{LISTEN_IP} // PVE::Tools::get_wildcard_address();
>      my $socket = $self->create_reusable_socket(8006, $listen_ip);

^ This passes `Domain => PF_INET6`. That makes no sense given that I can
literally give it an IPv4 :S

It also actually uses getaddrinfo in the background, however, the
commmit forcing this to be 0 explains:

    perl's IO::Socket::IP passes AI_ADDRCONFIG if no GetAddrInfoFlags are passed,
    which is often useful but also causes it to error when explicitly trying to
    bind to 127.0.0.1 when there are no _other_ IPv4 addresses present.

In this case however, we don't do that, so maybe instead of ending up using
`getaddrinfo` twice, we should just make this an optional parameter?
I'm hoping passing `undef` as host, the proper port and `AI_ADDRCONFIG |
AI_PASSIVE` here should do the same?

We also don't use `$listen_ip` for anything else either, so we don't need it
explicitly ;-)

>  
>      my $dirs = {};
> diff --git a/PVE/Service/spiceproxy.pm b/PVE/Service/spiceproxy.pm
> index 24be0ed7..34882ca4 100755
> --- a/PVE/Service/spiceproxy.pm
> +++ b/PVE/Service/spiceproxy.pm
> @@ -39,7 +39,7 @@ sub init {
>      my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
>  	die "unable to open lock file '${accept_lock_fn}' - $!\n";
>  
> -    my $listen_ip = $proxyconf->{LISTEN_IP} // "::0";
> +    my $listen_ip = $proxyconf->{LISTEN_IP} // PVE::Tools::get_wildcard_address();
>      my $socket = $self->create_reusable_socket(3128, $listen_ip);
>  
>      $self->{server_config} = {
> -- 
> 2.20.1




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-04-30  7:19 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-29 13:37 [pve-devel] [RFC common/manger] use appropriate wildcard address for pveproxy/spiceproxy Stoiko Ivanov
2021-04-29 13:37 ` [pve-devel] [RFC common 1/1] tools: add get_wildcard_address Stoiko Ivanov
2021-04-29 13:37 ` [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use Stoiko Ivanov
2021-04-30  7:12   ` Wolfgang Bumiller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal