From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 07FC779797 for ; Wed, 5 May 2021 07:25:08 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id ED476101EC for ; Wed, 5 May 2021 07:25:07 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id D2AE8101DD for ; Wed, 5 May 2021 07:25:06 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A9A8442A04 for ; Wed, 5 May 2021 07:25:06 +0200 (CEST) Message-ID: <4d4d9ebc-fbd2-2c3c-20ed-80f65719a6db@proxmox.com> Date: Wed, 5 May 2021 07:25:05 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Thunderbird/89.0 Content-Language: en-US To: Proxmox VE development discussion , Stoiko Ivanov References: <20210504170032.8721-1-s.ivanov@proxmox.com> From: Thomas Lamprecht In-Reply-To: <20210504170032.8721-1-s.ivanov@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.006 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.001 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [anyevent.pm, spiceproxy.pm, utils.pm, proxmox.com, daemon.pm, pveproxy.pm] Subject: Re: [pve-devel] [PATCH common/manager/http-server/docs] v2] improve binding, docs and access-control for pveproxy/spiceproxy X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 May 2021 05:25:08 -0000 On 04.05.21 19:00, Stoiko Ivanov wrote: > v1 -> v2: > * incorporated Wolfgangs feedback regarding not checking for $@ but rather > for definedness of the socket > * added Oguz Tested-By tags (Thanks for testing!) to the common/manager/ > http-server patches but at least the changed common patch was not tested?! Please do not do that for patches you alter, makes no sense... > > original cover-letter for the v1: > this series is based on the RFC 'use appropriate wildcard address > for pveproxy/spiceproxy' I sent some time ago: > https://lists.proxmox.com/pipermail/pve-devel/2021-April/047988.html > > changes from the RFC: > * incorporate Wolfgang's excellent feedback - huge Thanks! > (or what I took away from it): > ** instead of calling getaddrinfo a few additional times and sifting through > the results simply doing in create_reusable_socket, what we want to do: > * if not listen-address is provided try to bind to '::' and only if this > fails (due to ipv6-disablement via kernel commandline), bind to '0.0.0.0' > ** the PF_INET6 parameter added to the IO::Socket::IP->new call was unnecessary > and misleading - I dropped it > * one of the original reporters of the bind-problems also created a thread in > our community forum about the acls (ALLOW_FROM/DENY_FROM) not working anymore > when set in /etc/default/pveproxy [0] - the patches for pve-http-server > address the issue (at least in my tests) > * the 'all' ACL entry only matched IPv4 addresses, the second patch for > pve-http-server changes this. > * added 3 documentation patches - mostly for the changed behavior, although > the disabling ipv6 section in pve-networking.adoc is meant as an RFC > (I just noticed that we have not official docs, and that too many HOWTOs > suggest disabling it via kernel-cmdline, which I consider problematic) > > > > [0] https://forum.proxmox.com/threads/my-pveproxy-file-doesnt-work.83228 > original cover-letter for the RFC for reference: > The following patchset tries to address the small regression reported in our > forums [0,1], resulting from defaulting to '::' as listen-address in > pveproxy/spiceproxy. > > The issue also affects proxmox-backup-proxy in PBS - and should this approach > be accepted I'll try to port it over to PBS as well. > (ftr: pmgproxy was not affected, since the patch for pmg-api was not applied) > > In all cases the issue is only exhibited if ipv6 is diabled via kernel > commandline [2], not via sysctl [3]. > > * The patchset keeps the fix for pveproxy not starting if the /etc/hosts entry > is not matching with a configured IP-address (I noticed and was pleasantly > surprised while testing a v6only host and forgetting to set the entry) > > I tested it in the following scenarios: > * ipv6 disabled via kernel commandline (listen on 0.0.0.0) > * ipv6 disabled via sysctl (listen on 0.0.0.0) > * no settings dual-stacked (listen on *) > * no settings v6 only (listen on *) > > AFAICT listening on :: as long as possible is the best option, since it > makes the service available on all address-families (doing away, with > having a v4 only /etc/hosts entry, but a DNS AAAA record pointing to > the node for external access). > > Took a quick look at how sshd [4,5] handles this (in the assumption that > they have to get it as right as possible), but it listens on multiple > sockets, something which I'd like to avoid for our proxy-daemons. > > Sending as RFC, because whenever I come near getaddrinfo/getnameinfo I'm > certain to miss quite a few common cases. > > [0] https://forum.proxmox.com/threads/connection-refused-595-nach-update-auf-pve-6-4.88347/#post-387034 > [1] https://forum.proxmox.com/threads/ipv6-komplett-deaktivieren.88210/#post-387116 > [2] https://www.kernel.org/doc/html/latest/networking/ipv6.html > [3] https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html > [4] https://github.com/openssh/openssh-portable/blob/master/servconf.c > [5] https://github.com/openssh/openssh-portable/blob/master/sshd.c > > > pve-common: > Stoiko Ivanov (2): > daemon: drop Domain parameter from create_reusable_socket > daemon: explicitly bind to wildcard address. > > src/PVE/Daemon.pm | 18 +++++++++++++----- > 1 file changed, 13 insertions(+), 5 deletions(-) > > pve-manager: > Stoiko Ivanov (1): > proxy: fix wildcard address use > > PVE/Service/pveproxy.pm | 2 +- > PVE/Service/spiceproxy.pm | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > pve-http-server: > Stoiko Ivanov (2): > access control: correctly match v4-mapped-v6 addresses > access control: also include ipv6 in 'all' > > PVE/APIServer/AnyEvent.pm | 2 ++ > PVE/APIServer/Utils.pm | 19 +++++++++++++++++-- > 2 files changed, 19 insertions(+), 2 deletions(-) > > pve-docs: > Stoiko Ivanov (3): > pveproxy: add note about bindv6only sysctl > pveproxy: update documentation on 'all' alias > network: shortly document disabling ipv6 support > > pve-network.adoc | 19 +++++++++++++++++++ > pveproxy.adoc | 12 +++++++++++- > 2 files changed, 30 insertions(+), 1 deletion(-) >