* [pve-devel] [RFC common/manger] use appropriate wildcard address for pveproxy/spiceproxy
@ 2021-04-29 13:37 Stoiko Ivanov
2021-04-29 13:37 ` [pve-devel] [RFC common 1/1] tools: add get_wildcard_address Stoiko Ivanov
2021-04-29 13:37 ` [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use Stoiko Ivanov
0 siblings, 2 replies; 4+ messages in thread
From: Stoiko Ivanov @ 2021-04-29 13:37 UTC (permalink / raw)
To: pve-devel
The following patchset tries to address the small regression reported in our
forums [0,1], resulting from defaulting to '::' as listen-address in
pveproxy/spiceproxy.
The issue also affects proxmox-backup-proxy in PBS - and should this approach
be accepted I'll try to port it over to PBS as well.
(ftr: pmgproxy was not affected, since the patch for pmg-api was not applied)
In all cases the issue is only exhibited if ipv6 is diabled via kernel
commandline [2], not via sysctl [3].
* The patchset keeps the fix for pveproxy not starting if the /etc/hosts entry
is not matching with a configured IP-address (I noticed and was pleasantly
surprised while testing a v6only host and forgetting to set the entry)
I tested it in the following scenarios:
* ipv6 disabled via kernel commandline (listen on 0.0.0.0)
* ipv6 disabled via sysctl (listen on 0.0.0.0)
* no settings dual-stacked (listen on *)
* no settings v6 only (listen on *)
AFAICT listening on :: as long as possible is the best option, since it
makes the service available on all address-families (doing away, with
having a v4 only /etc/hosts entry, but a DNS AAAA record pointing to
the node for external access).
Took a quick look at how sshd [4,5] handles this (in the assumption that
they have to get it as right as possible), but it listens on multiple
sockets, something which I'd like to avoid for our proxy-daemons.
Sending as RFC, because whenever I come near getaddrinfo/getnameinfo I'm
certain to miss quite a few common cases.
[0] https://forum.proxmox.com/threads/connection-refused-595-nach-update-auf-pve-6-4.88347/#post-387034
[1] https://forum.proxmox.com/threads/ipv6-komplett-deaktivieren.88210/#post-387116
[2] https://www.kernel.org/doc/html/latest/networking/ipv6.html
[3] https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
[4] https://github.com/openssh/openssh-portable/blob/master/servconf.c
[5] https://github.com/openssh/openssh-portable/blob/master/sshd.c
pve-common:
Stoiko Ivanov (1):
tools: add get_wildcard_address
src/PVE/Tools.pm | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
pve-manager:
Stoiko Ivanov (1):
proxy: fix wildcard address use
PVE/Service/pveproxy.pm | 2 +-
PVE/Service/spiceproxy.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--
2.20.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [pve-devel] [RFC common 1/1] tools: add get_wildcard_address
2021-04-29 13:37 [pve-devel] [RFC common/manger] use appropriate wildcard address for pveproxy/spiceproxy Stoiko Ivanov
@ 2021-04-29 13:37 ` Stoiko Ivanov
2021-04-29 13:37 ` [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use Stoiko Ivanov
1 sibling, 0 replies; 4+ messages in thread
From: Stoiko Ivanov @ 2021-04-29 13:37 UTC (permalink / raw)
To: pve-devel
the get_wildcard_address sub returns the appropriate wildcard address:
* '::' if the hosts has any v6 address (including link-local scoped)
configured (i.e. default behavior without any modification to sysctl
or kernel commandline)
* '0.0.0.0' if ipv6 is disabled via sysctl or kernel commandline
This should ensure the best behaviour for listening sockets in
dual-stacked environments:
* binding to '::' allows to connect via both v6 and v4 addresses (the
latter are treated as v4-mapped-v6 addresses (::ffff:192.0.2.1))
* the current unconditional bind to '::' fails if AF_INET6 is not
supported via kernel commandline setting [0].
* the previous approach of finding the family based on the node-name
getaddrinfo result leads to the service only being available on v4
despite having a working v6 address configured, in case it's
/etc/hosts entry points only to the v4 address.
[0] on linux passing ipv6.disable=1 on the kernel commandline removes
support for AF_INET6 sockets (setting the net.ipv6.conf.*.disable_ipv6
sysctls keeps support)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PVE/Tools.pm | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index 16ae3d2..fb520ce 100644
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -4,8 +4,8 @@ use strict;
use warnings;
use POSIX qw(EINTR EEXIST EOPNOTSUPP);
use IO::Socket::IP;
-use Socket qw(AF_INET AF_INET6 AI_ALL AI_V4MAPPED AI_CANONNAME SOCK_DGRAM
- IPPROTO_TCP);
+use Socket qw(AF_INET AF_INET6 AI_ALL AI_V4MAPPED AI_CANONNAME AI_PASSIVE
+ AI_ADDRCONFIG NI_NUMERICHOST NI_NUMERICSERV SOCK_DGRAM IPPROTO_TCP);
use IO::Select;
use File::Basename;
use File::Path qw(make_path);
@@ -1405,6 +1405,24 @@ sub get_host_address_family {
return $res[0]->{family};
}
+# returns "::" if the host supports AF_INET6 else "0.0.0.0"
+sub get_wildcard_address {
+ my %hints = (
+ flags => AI_PASSIVE|AI_ADDRCONFIG,
+ );
+ my ($err, @res) = Socket::getaddrinfo('', '0', \%hints);
+ die "failed to get address info for wildcard address: $err\n" if $err;
+
+ my $sockaddr = $res[0]->{addr};
+ if (my @v6support = grep {$_->{family} eq AF_INET6} @res) {;
+ $sockaddr = $v6support[0]->{addr};
+ }
+ my $host;
+ ($err, $host) = Socket::getnameinfo($sockaddr, NI_NUMERICHOST|NI_NUMERICSERV);
+ die "failed to get name info for wildcard address: $err\n" if $err;
+ return $host;
+}
+
# get the fully qualified domain name of a host
# same logic as hostname(1): The FQDN is the name getaddrinfo(3) returns,
# given a nodename as a parameter
--
2.20.1
^ permalink raw reply [flat|nested] 4+ messages in thread* [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use
2021-04-29 13:37 [pve-devel] [RFC common/manger] use appropriate wildcard address for pveproxy/spiceproxy Stoiko Ivanov
2021-04-29 13:37 ` [pve-devel] [RFC common 1/1] tools: add get_wildcard_address Stoiko Ivanov
@ 2021-04-29 13:37 ` Stoiko Ivanov
2021-04-30 7:12 ` Wolfgang Bumiller
1 sibling, 1 reply; 4+ messages in thread
From: Stoiko Ivanov @ 2021-04-29 13:37 UTC (permalink / raw)
To: pve-devel
This patch fixes a regression for hosts disabling ipv6 via kernel
commandline ('ipv6.disable=1')introduced in commit
fc087ec2b924dc9c72d3bf80face8a1731c15405
by hardcoding the address to '::', pveproxy and spiceproxy failed to
start with:
'unable to create socket - Address family not supported by protocol'
Disabling IPv6 via sysctl did not exhibit these problems.
This patch depends on the commit in pve-common and needs a versioned
dependency bump on libpve-common-perl.
With this patch the listening addresses are (`ss -tlnp |grep 8006` output)
* disabled via kernel cmdline: '0.0.0.0:8006'
* disabled via sysctl net.ipv6.conf.all.disable_ipv6=1: '0.0.0.0:8006'
* else: '*:8006'
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
PVE/Service/pveproxy.pm | 2 +-
PVE/Service/spiceproxy.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index 4ecd442a..742c0a9a 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -69,7 +69,7 @@ sub init {
my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
die "unable to open lock file '${accept_lock_fn}' - $!\n";
- my $listen_ip = $proxyconf->{LISTEN_IP} // "::0";
+ my $listen_ip = $proxyconf->{LISTEN_IP} // PVE::Tools::get_wildcard_address();
my $socket = $self->create_reusable_socket(8006, $listen_ip);
my $dirs = {};
diff --git a/PVE/Service/spiceproxy.pm b/PVE/Service/spiceproxy.pm
index 24be0ed7..34882ca4 100755
--- a/PVE/Service/spiceproxy.pm
+++ b/PVE/Service/spiceproxy.pm
@@ -39,7 +39,7 @@ sub init {
my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
die "unable to open lock file '${accept_lock_fn}' - $!\n";
- my $listen_ip = $proxyconf->{LISTEN_IP} // "::0";
+ my $listen_ip = $proxyconf->{LISTEN_IP} // PVE::Tools::get_wildcard_address();
my $socket = $self->create_reusable_socket(3128, $listen_ip);
$self->{server_config} = {
--
2.20.1
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use
2021-04-29 13:37 ` [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use Stoiko Ivanov
@ 2021-04-30 7:12 ` Wolfgang Bumiller
0 siblings, 0 replies; 4+ messages in thread
From: Wolfgang Bumiller @ 2021-04-30 7:12 UTC (permalink / raw)
To: Stoiko Ivanov; +Cc: pve-devel
On Thu, Apr 29, 2021 at 03:37:02PM +0200, Stoiko Ivanov wrote:
> This patch fixes a regression for hosts disabling ipv6 via kernel
> commandline ('ipv6.disable=1')introduced in commit
> fc087ec2b924dc9c72d3bf80face8a1731c15405
>
> by hardcoding the address to '::', pveproxy and spiceproxy failed to
> start with:
> 'unable to create socket - Address family not supported by protocol'
>
> Disabling IPv6 via sysctl did not exhibit these problems.
>
> This patch depends on the commit in pve-common and needs a versioned
> dependency bump on libpve-common-perl.
>
> With this patch the listening addresses are (`ss -tlnp |grep 8006` output)
> * disabled via kernel cmdline: '0.0.0.0:8006'
> * disabled via sysctl net.ipv6.conf.all.disable_ipv6=1: '0.0.0.0:8006'
> * else: '*:8006'
>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> PVE/Service/pveproxy.pm | 2 +-
> PVE/Service/spiceproxy.pm | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> index 4ecd442a..742c0a9a 100755
> --- a/PVE/Service/pveproxy.pm
> +++ b/PVE/Service/pveproxy.pm
> @@ -69,7 +69,7 @@ sub init {
> my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
> die "unable to open lock file '${accept_lock_fn}' - $!\n";
>
> - my $listen_ip = $proxyconf->{LISTEN_IP} // "::0";
> + my $listen_ip = $proxyconf->{LISTEN_IP} // PVE::Tools::get_wildcard_address();
> my $socket = $self->create_reusable_socket(8006, $listen_ip);
^ This passes `Domain => PF_INET6`. That makes no sense given that I can
literally give it an IPv4 :S
It also actually uses getaddrinfo in the background, however, the
commmit forcing this to be 0 explains:
perl's IO::Socket::IP passes AI_ADDRCONFIG if no GetAddrInfoFlags are passed,
which is often useful but also causes it to error when explicitly trying to
bind to 127.0.0.1 when there are no _other_ IPv4 addresses present.
In this case however, we don't do that, so maybe instead of ending up using
`getaddrinfo` twice, we should just make this an optional parameter?
I'm hoping passing `undef` as host, the proper port and `AI_ADDRCONFIG |
AI_PASSIVE` here should do the same?
We also don't use `$listen_ip` for anything else either, so we don't need it
explicitly ;-)
>
> my $dirs = {};
> diff --git a/PVE/Service/spiceproxy.pm b/PVE/Service/spiceproxy.pm
> index 24be0ed7..34882ca4 100755
> --- a/PVE/Service/spiceproxy.pm
> +++ b/PVE/Service/spiceproxy.pm
> @@ -39,7 +39,7 @@ sub init {
> my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
> die "unable to open lock file '${accept_lock_fn}' - $!\n";
>
> - my $listen_ip = $proxyconf->{LISTEN_IP} // "::0";
> + my $listen_ip = $proxyconf->{LISTEN_IP} // PVE::Tools::get_wildcard_address();
> my $socket = $self->create_reusable_socket(3128, $listen_ip);
>
> $self->{server_config} = {
> --
> 2.20.1
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-04-30 7:19 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-29 13:37 [pve-devel] [RFC common/manger] use appropriate wildcard address for pveproxy/spiceproxy Stoiko Ivanov
2021-04-29 13:37 ` [pve-devel] [RFC common 1/1] tools: add get_wildcard_address Stoiko Ivanov
2021-04-29 13:37 ` [pve-devel] [RFC manager 1/1] proxy: fix wildcard address use Stoiko Ivanov
2021-04-30 7:12 ` Wolfgang Bumiller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox