libtirpc-devel — TI-RPC development mailing list.

Re: [Libtirpc-devel] [PATCH rpcbind 1/1] rpcb_prot.x: Update _PATH_RPCBINDSOCK

[Steve D. <st...@re...>]

On 9/1/24 8:06 AM, Petr Vorel wrote:
> 2f9ce0c updated rpcb_prot.h, but rpcb_prot.x must be updated as well.
> 
> Fixes: 2f9ce0c ("Move rpcbind.sock to /run")
> Signed-off-by: Petr Vorel<pv...@su...>
Committed... (tag: libtirpc-1-3-6-rc2)

steved.
> ---
> Actually, tirpc/rpc/rpcb_prot.h should be generated by rpcgen, but I
> just updated the header.
> 
>   tirpc/rpc/rpcb_prot.x | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/tirpc/rpc/rpcb_prot.x b/tirpc/rpc/rpcb_prot.x
> index 472c11f..e0e6031 100644
> --- a/tirpc/rpc/rpcb_prot.x
> +++ b/tirpc/rpc/rpcb_prot.x
> @@ -410,8 +410,8 @@ program RPCBPROG {
>   %#define	RPCBVERS_3		RPCBVERS
>   %#define	RPCBVERS_4		RPCBVERS4
>   %
> -%#define	_PATH_RPCBINDSOCK	"/var/run/rpcbind.sock"
> -%#define	_PATH_RPCBINDSOCK_ABSTRACT "\0/run/rpcbind.sock"
> +%#define	_PATH_RPCBINDSOCK	"/run/rpcbind.sock"
> +%#define	_PATH_RPCBINDSOCK_ABSTRACT "\0" _PATH_RPCBINDSOCK
>   %
>   %#else		/* ndef _KERNEL */
>   %#ifdef __cplusplus
> -- 2.45.2
> 

[Libtirpc-devel] [PATCH rpcbind 1/1] rpcb_prot.x: Update _PATH_RPCBINDSOCK

[Petr V. <pv...@su...>]

2f9ce0c updated rpcb_prot.h, but rpcb_prot.x must be updated as well.

Fixes: 2f9ce0c ("Move rpcbind.sock to /run")
Signed-off-by: Petr Vorel <pv...@su...>
---
Actually, tirpc/rpc/rpcb_prot.h should be generated by rpcgen, but I
just updated the header.

 tirpc/rpc/rpcb_prot.x | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tirpc/rpc/rpcb_prot.x b/tirpc/rpc/rpcb_prot.x
index 472c11f..e0e6031 100644
--- a/tirpc/rpc/rpcb_prot.x
+++ b/tirpc/rpc/rpcb_prot.x
@@ -410,8 +410,8 @@ program RPCBPROG {
 %#define	RPCBVERS_3		RPCBVERS
 %#define	RPCBVERS_4		RPCBVERS4
 %
-%#define	_PATH_RPCBINDSOCK	"/var/run/rpcbind.sock"
-%#define	_PATH_RPCBINDSOCK_ABSTRACT "\0/run/rpcbind.sock"
+%#define	_PATH_RPCBINDSOCK	"/run/rpcbind.sock"
+%#define	_PATH_RPCBINDSOCK_ABSTRACT "\0" _PATH_RPCBINDSOCK
 %
 %#else		/* ndef _KERNEL */
 %#ifdef __cplusplus
-- 
2.45.2

Re: [Libtirpc-devel] [PATCH rpcbind 0/4] Update systemd/rpcbind.service.in

[Steve D. <st...@re...>]

On 8/22/24 8:23 PM, Petr Vorel wrote:
> Hi,
> 
> NOTE I'm not systemd expert, others may understand more.
> 
> But trying to upstream various hardenings options which we have been
> using since 2021. Adding EnvironmentFile I tested locally today.
> systemd-tmpfiles-setup.service should be also safe.
> 
> Kind regards,
> Petr
> 
> Josue Ortega (1):
>    man/rpcbind: Add Files section to manpage
> 
> Petr Vorel (3):
>    systemd/rpcbind.service.in: Add few default EnvironmentFile
>    systemd/rpcbind.service.in: Add various hardenings options
>    systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup
> 
>   man/rpcbind.8              |  8 ++++++++
>   systemd/rpcbind.service.in | 16 +++++++++++++++-
>   2 files changed, 23 insertions(+), 1 deletion(-)
> 
Committed... (tag: rpcbind-1_2_8-rc1)

steved.

Re: [Libtirpc-devel] [PATCH] Move rpbind's default configuration to /run verses /var/run

[Steve D. <st...@re...>]

On 8/31/24 11:44 AM, Steve Dickson wrote:
> Signed-off-by: Steve Dickson <st...@re...>
Committed... (tag: rpcbind-1_2_8-rc1)

steved.
> ---
>   configure.ac     | 4 ++--
>   man/rpcbind-fr.8 | 4 ++--
>   2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 8f4cef3..cbbc172 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -32,8 +32,8 @@ AC_ARG_ENABLE([rmtcalls],
>   AM_CONDITIONAL(RMTCALLS, test x$enable_rmtcalls = xyes)
>   
>   AC_ARG_WITH([statedir],
> -  AS_HELP_STRING([--with-statedir=ARG], [use ARG as state dir @<:@default=/var/run/rpcbind@:>@])
> -  ,, [with_statedir=/var/run/rpcbind])
> +  AS_HELP_STRING([--with-statedir=ARG], [use ARG as state dir @<:@default=/run/rpcbind@:>@])
> +  ,, [with_statedir=/run/rpcbind])
>   AC_SUBST([statedir], [$with_statedir])
>   
>   AC_ARG_WITH([rpcuser],
> diff --git a/man/rpcbind-fr.8 b/man/rpcbind-fr.8
> index 7db39e7..711acdd 100644
> --- a/man/rpcbind-fr.8
> +++ b/man/rpcbind-fr.8
> @@ -138,8 +138,8 @@ est red
>   .Xr rpcbind 3 ,
>   .Xr rpcinfo 8
>   .Sh FILES
> -.Bl -tag -width /var/run/rpcbind.sock -compact
> -.It Pa /var/run/rpcbind.sock
> +.Bl -tag -width /run/rpcbind.sock -compact
> +.It Pa /run/rpcbind.sock
>   .Sh TRADUCTION
>   Aurelien CHARBON (Sept 2003)
>   .El

Re: [Libtirpc-devel] [PATCH rpcbind 1/1] Move rpcbind.lock to /run

[Steve D. <st...@re...>]

On 8/30/24 1:39 PM, Petr Vorel wrote:
> From: Thomas Blume <tho...@su...>
> 
> Most of the distros have /var/run as symlink to /run.
> 
> Because /var may be a separate partition, and could even be mounted via
> NFS, having to look directly to /run help to avoid issues rpcbind
> startup early in boot when /var might not be available.
> 
> Reviewed-by: Petr Vorel <pv...@su...>
> Signed-off-by: Thomas Blume <tho...@su...>
> Signed-off-by: Petr Vorel <pv...@su...>
Committed... (tag: rpcbind-1_2_8-rc1)

steved.
> ---
> NOTE: I chose opensuse patch for the simplicity, instead of Debian
> patch, which unsets _PATH_RPCBINDSOCK (libtirpc).
> 
> I'll send a separate patch for libtirpc.
> 
> Kind regards,
> Petr
> 
>   src/rpcbind.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/rpcbind.c b/src/rpcbind.c
> index ecebe97..9887b82 100644
> --- a/src/rpcbind.c
> +++ b/src/rpcbind.c
> @@ -105,7 +105,7 @@ char *nss_modules = "files";
>   /* who to suid to if -s is given */
>   #define RUN_AS  "daemon"
>   
> -#define RPCBINDDLOCK "/var/run/rpcbind.lock"
> +#define RPCBINDDLOCK "/run/rpcbind.lock"
>   
>   int runasdaemon = 0;
>   int insecure = 0;

Re: [Libtirpc-devel] [PATCH libtirpc 1/1] Move rpcbind.sock to /run

[Steve D. <st...@re...>]

On 8/30/24 1:43 PM, Petr Vorel wrote:
> Most of the distros have /var/run as symlink to /run.
> 
> Because /var may be a separate partition, and could even be mounted via
> NFS, having to look directly to /run help to avoid issues rpcbind
> startup early in boot when /var might not be available.
> 
> Signed-off-by: Petr Vorel <pv...@su...>
Committed... (tag: libtirpc-1-3-6-rc1)

steved.

> ---
> Follow up for rpcbind patch which touches rpcbind.lock location.
> 
> Kind regards,
> Petr
> 
>   tirpc/rpc/rpcb_prot.h | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/tirpc/rpc/rpcb_prot.h b/tirpc/rpc/rpcb_prot.h
> index eb3a0c4..06138bc 100644
> --- a/tirpc/rpc/rpcb_prot.h
> +++ b/tirpc/rpc/rpcb_prot.h
> @@ -476,8 +476,8 @@ extern bool_t xdr_netbuf(XDR *, struct netbuf *);
>   #define RPCBVERS_3 RPCBVERS
>   #define RPCBVERS_4 RPCBVERS4
>   
> -#define _PATH_RPCBINDSOCK "/var/run/rpcbind.sock"
> -#define _PATH_RPCBINDSOCK_ABSTRACT "\0/run/rpcbind.sock"
> +#define _PATH_RPCBINDSOCK "/run/rpcbind.sock"
> +#define _PATH_RPCBINDSOCK_ABSTRACT "\0" _PATH_RPCBINDSOCK
>   
>   #else /* ndef _KERNEL */
>   #ifdef __cplusplus

[Libtirpc-devel] [PATCH] Move rpbind's default configuration to /run verses /var/run

[Steve D. <st...@re...>]

Signed-off-by: Steve Dickson <st...@re...>
---
 configure.ac     | 4 ++--
 man/rpcbind-fr.8 | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index 8f4cef3..cbbc172 100644
--- a/configure.ac
+++ b/configure.ac
@@ -32,8 +32,8 @@ AC_ARG_ENABLE([rmtcalls],
 AM_CONDITIONAL(RMTCALLS, test x$enable_rmtcalls = xyes)
 
 AC_ARG_WITH([statedir],
-  AS_HELP_STRING([--with-statedir=ARG], [use ARG as state dir @<:@default=/var/run/rpcbind@:>@])
-  ,, [with_statedir=/var/run/rpcbind])
+  AS_HELP_STRING([--with-statedir=ARG], [use ARG as state dir @<:@default=/run/rpcbind@:>@])
+  ,, [with_statedir=/run/rpcbind])
 AC_SUBST([statedir], [$with_statedir])
 
 AC_ARG_WITH([rpcuser],
diff --git a/man/rpcbind-fr.8 b/man/rpcbind-fr.8
index 7db39e7..711acdd 100644
--- a/man/rpcbind-fr.8
+++ b/man/rpcbind-fr.8
@@ -138,8 +138,8 @@ est red
 .Xr rpcbind 3 ,
 .Xr rpcinfo 8
 .Sh FILES
-.Bl -tag -width /var/run/rpcbind.sock -compact
-.It Pa /var/run/rpcbind.sock
+.Bl -tag -width /run/rpcbind.sock -compact
+.It Pa /run/rpcbind.sock
 .Sh TRADUCTION
 Aurelien CHARBON (Sept 2003)
 .El
-- 
2.46.0

[Libtirpc-devel] [PATCH libtirpc 1/1] Move rpcbind.sock to /run

[Petr V. <pv...@su...>]

Most of the distros have /var/run as symlink to /run.

Because /var may be a separate partition, and could even be mounted via
NFS, having to look directly to /run help to avoid issues rpcbind
startup early in boot when /var might not be available.

Signed-off-by: Petr Vorel <pv...@su...>
---
Follow up for rpcbind patch which touches rpcbind.lock location.

Kind regards,
Petr

 tirpc/rpc/rpcb_prot.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tirpc/rpc/rpcb_prot.h b/tirpc/rpc/rpcb_prot.h
index eb3a0c4..06138bc 100644
--- a/tirpc/rpc/rpcb_prot.h
+++ b/tirpc/rpc/rpcb_prot.h
@@ -476,8 +476,8 @@ extern bool_t xdr_netbuf(XDR *, struct netbuf *);
 #define RPCBVERS_3 RPCBVERS
 #define RPCBVERS_4 RPCBVERS4
 
-#define _PATH_RPCBINDSOCK "/var/run/rpcbind.sock"
-#define _PATH_RPCBINDSOCK_ABSTRACT "\0/run/rpcbind.sock"
+#define _PATH_RPCBINDSOCK "/run/rpcbind.sock"
+#define _PATH_RPCBINDSOCK_ABSTRACT "\0" _PATH_RPCBINDSOCK
 
 #else /* ndef _KERNEL */
 #ifdef __cplusplus
-- 
2.45.2

[Libtirpc-devel] [PATCH rpcbind 1/1] Move rpcbind.lock to /run

[Petr V. <pv...@su...>]

From: Thomas Blume <tho...@su...>

Most of the distros have /var/run as symlink to /run.

Because /var may be a separate partition, and could even be mounted via
NFS, having to look directly to /run help to avoid issues rpcbind
startup early in boot when /var might not be available.

Reviewed-by: Petr Vorel <pv...@su...>
Signed-off-by: Thomas Blume <tho...@su...>
Signed-off-by: Petr Vorel <pv...@su...>
---
NOTE: I chose opensuse patch for the simplicity, instead of Debian
patch, which unsets _PATH_RPCBINDSOCK (libtirpc).

I'll send a separate patch for libtirpc.

Kind regards,
Petr

 src/rpcbind.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/rpcbind.c b/src/rpcbind.c
index ecebe97..9887b82 100644
--- a/src/rpcbind.c
+++ b/src/rpcbind.c
@@ -105,7 +105,7 @@ char *nss_modules = "files";
 /* who to suid to if -s is given */
 #define RUN_AS  "daemon"
 
-#define RPCBINDDLOCK "/var/run/rpcbind.lock"
+#define RPCBINDDLOCK "/run/rpcbind.lock"
 
 int runasdaemon = 0;
 int insecure = 0;
-- 
2.45.2

Re: [Libtirpc-devel] [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup

[Petr V. <pv...@su...>]

Hi Steve,

> Hey!

> My apologies for taking so long to address these patches.
No problem, understand you're busy.

> On 8/22/24 9:01 PM, Petr Vorel wrote:
> > Hi Steve,

> > > Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora
> > > rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2]
> > > where /var/run/rpcbind.lock cannot be created due missing /var/run/
> > > directory. But the suggestion to add RequiresMountFor=... was
> > > implemented in ee569be ("Fix boot dependency in systemd service file").

> > > But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and
> > > /run/rpcbind.lock there is error on openSUSE Tumbleweed with rpcbind
> > > 1.2.6:

> > > rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system

> > > Adding systemd-tmpfiles-setup.service fixes it.

> > > NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but
> > > systemd-tmpfiles-setup.service looks to me more specific).
> > > openSUSE uses only After=sysinit.target as a result of #1117217 [3]
> > > (also works).

> > Reading RH #1117217 once more I wonder if old Fedora patch [4], which places
> > rpcbind.lock into /var/run/rpcbind/ would be a better solution:

> > configure.ac
> > -  --with-statedir=ARG     use ARG as state dir [default=/var/run/rpcbind]
> > +  --with-statedir=ARG     use ARG as state dir [default=/run/rpcbind]
> > ...
> > -  with_statedir=/var/run/rpcbind
> > +  with_statedir=/run/rpcbind

> > src/rpcbind.c
> > -#define RPCBINDDLOCK "/var/run/rpcbind.lock"
> > +#define RPCBINDDLOCK RPCBIND_STATEDIR "/rpcbind.lock"

> > But I suppose other out-of-tree patch [5] is not a dependency for it, right?
> I don't like out-of-tree patch but sometimes they are necessary
> since I didn't what to force other distros to adapt what
> I made Fedora use.

Sure, let's drop this. I was also thinking to add this as a configuration issue,
but I suppose most of the distro maintainers are perfectly ok with this
directory patch.

> > Debian [6] and openSUSE [7] use more simpler version to move to /run. Maybe time
> > to upstream Fedora patch and distros will adopt it?
> It is time! :-) I'm all for distros to consolidate into one code
> base... it is much easier to find bugs and support. IMHO.

> Please send patches [6] and [7] in the correct patch form and
> I will commit them and mostly like create another release.

I'll do, thanks!

Kind regards,
Petr

> Thank you.. for point these differences out!!

> steved.


> > Kind regards,
> > Petr

> > > [1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch
> > > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561
> > > [3] https://bugzilla.suse.com/show_bug.cgi?id=1117217

> > [4] https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.4-runstatdir.patch
> > [5] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-rundir.patch
> > [6] https://salsa.debian.org/debian/rpcbind/-/blob/master/debian/patches/run-migration?ref_type=heads
> > [7] https://build.opensuse.org/projects/openSUSE:Factory/packages/rpcbind/files/0001-change-lockingdir-to-run.patch?expand=1

> > > Signed-off-by: Petr Vorel <pv...@su...>
> > > ---
> > >   systemd/rpcbind.service.in | 3 ++-
> > >   1 file changed, 2 insertions(+), 1 deletion(-)

> > > diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
> > > index 272e55a..771b944 100644
> > > --- a/systemd/rpcbind.service.in
> > > +++ b/systemd/rpcbind.service.in
> > > @@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@
> > >   # Make sure we use the IP addresses listed for
> > >   # rpcbind.socket, no matter how this unit is started.
> > >   Requires=rpcbind.socket
> > > -Wants=rpcbind.target
> > > +Wants=rpcbind.target systemd-tmpfiles-setup.service
> > > +After=systemd-tmpfiles-setup.service

> > >   [Service]
> > >   ProtectSystem=full

Re: [Libtirpc-devel] [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup

[Steve D. <st...@re...>]

Hey!

My apologies for taking so long to address these patches.

On 8/22/24 9:01 PM, Petr Vorel wrote:
> Hi Steve,
> 
>> Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora
>> rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2]
>> where /var/run/rpcbind.lock cannot be created due missing /var/run/
>> directory. But the suggestion to add RequiresMountFor=... was
>> implemented in ee569be ("Fix boot dependency in systemd service file").
> 
>> But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and
>> /run/rpcbind.lock there is error on openSUSE Tumbleweed with rpcbind
>> 1.2.6:
> 
>> rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system
> 
>> Adding systemd-tmpfiles-setup.service fixes it.
> 
>> NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but
>> systemd-tmpfiles-setup.service looks to me more specific).
>> openSUSE uses only After=sysinit.target as a result of #1117217 [3]
>> (also works).
> 
> Reading RH #1117217 once more I wonder if old Fedora patch [4], which places
> rpcbind.lock into /var/run/rpcbind/ would be a better solution:
> 
> configure.ac
> -  --with-statedir=ARG     use ARG as state dir [default=/var/run/rpcbind]
> +  --with-statedir=ARG     use ARG as state dir [default=/run/rpcbind]
> ...
> -  with_statedir=/var/run/rpcbind
> +  with_statedir=/run/rpcbind
> 
> src/rpcbind.c
> -#define RPCBINDDLOCK "/var/run/rpcbind.lock"
> +#define RPCBINDDLOCK RPCBIND_STATEDIR "/rpcbind.lock"
> 
> But I suppose other out-of-tree patch [5] is not a dependency for it, right?
I don't like out-of-tree patch but sometimes they are necessary
since I didn't what to force other distros to adapt what
I made Fedora use.

> 
> Debian [6] and openSUSE [7] use more simpler version to move to /run. Maybe time
> to upstream Fedora patch and distros will adopt it?
It is time! :-) I'm all for distros to consolidate into one code
base... it is much easier to find bugs and support. IMHO.

Please send patches [6] and [7] in the correct patch form and
I will commit them and mostly like create another release.

Thank you.. for point these differences out!!

steved.

> 
> Kind regards,
> Petr
> 
>> [1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561
>> [3] https://bugzilla.suse.com/show_bug.cgi?id=1117217
> 
> [4] https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.4-runstatdir.patch
> [5] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-rundir.patch
> [6] https://salsa.debian.org/debian/rpcbind/-/blob/master/debian/patches/run-migration?ref_type=heads
> [7] https://build.opensuse.org/projects/openSUSE:Factory/packages/rpcbind/files/0001-change-lockingdir-to-run.patch?expand=1
> 
>> Signed-off-by: Petr Vorel <pv...@su...>
>> ---
>>   systemd/rpcbind.service.in | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
>> diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
>> index 272e55a..771b944 100644
>> --- a/systemd/rpcbind.service.in
>> +++ b/systemd/rpcbind.service.in
>> @@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@
>>   # Make sure we use the IP addresses listed for
>>   # rpcbind.socket, no matter how this unit is started.
>>   Requires=rpcbind.socket
>> -Wants=rpcbind.target
>> +Wants=rpcbind.target systemd-tmpfiles-setup.service
>> +After=systemd-tmpfiles-setup.service
> 
>>   [Service]
>>   ProtectSystem=full
> 

Re: [Libtirpc-devel] [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup

[Petr V. <pv...@su...>]

Hi Steve,

> Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora
> rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2]
> where /var/run/rpcbind.lock cannot be created due missing /var/run/
> directory. But the suggestion to add RequiresMountFor=... was
> implemented in ee569be ("Fix boot dependency in systemd service file").

> But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and
> /run/rpcbind.lock there is error on openSUSE Tumbleweed with rpcbind
> 1.2.6:

> rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system

> Adding systemd-tmpfiles-setup.service fixes it.

> NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but
> systemd-tmpfiles-setup.service looks to me more specific).
> openSUSE uses only After=sysinit.target as a result of #1117217 [3]
> (also works).

Reading RH #1117217 once more I wonder if old Fedora patch [4], which places
rpcbind.lock into /var/run/rpcbind/ would be a better solution:

configure.ac
-  --with-statedir=ARG     use ARG as state dir [default=/var/run/rpcbind]
+  --with-statedir=ARG     use ARG as state dir [default=/run/rpcbind]
...
-  with_statedir=/var/run/rpcbind
+  with_statedir=/run/rpcbind

src/rpcbind.c
-#define RPCBINDDLOCK "/var/run/rpcbind.lock"
+#define RPCBINDDLOCK RPCBIND_STATEDIR "/rpcbind.lock"

But I suppose other out-of-tree patch [5] is not a dependency for it, right?

Debian [6] and openSUSE [7] use more simpler version to move to /run. Maybe time
to upstream Fedora patch and distros will adopt it?

Kind regards,
Petr

> [1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561
> [3] https://bugzilla.suse.com/show_bug.cgi?id=1117217

[4] https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.4-runstatdir.patch
[5] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-rundir.patch
[6] https://salsa.debian.org/debian/rpcbind/-/blob/master/debian/patches/run-migration?ref_type=heads
[7] https://build.opensuse.org/projects/openSUSE:Factory/packages/rpcbind/files/0001-change-lockingdir-to-run.patch?expand=1

> Signed-off-by: Petr Vorel <pv...@su...>
> ---
>  systemd/rpcbind.service.in | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

> diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
> index 272e55a..771b944 100644
> --- a/systemd/rpcbind.service.in
> +++ b/systemd/rpcbind.service.in
> @@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@
>  # Make sure we use the IP addresses listed for
>  # rpcbind.socket, no matter how this unit is started.
>  Requires=rpcbind.socket
> -Wants=rpcbind.target
> +Wants=rpcbind.target systemd-tmpfiles-setup.service
> +After=systemd-tmpfiles-setup.service

>  [Service]
>  ProtectSystem=full

[Libtirpc-devel] [RFC][PATCH rpcbind 3/4] systemd/rpcbind.service.in: Add various hardenings options

[Petr V. <pv...@su...>]

We've been running rpcbind 1.2.6 with it in openSUSE since 2021.

NOTE: In systemd < 244 (released Nov 2019) some of these options are
unknown and will produce warnings, see

https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

Cc: Johannes Segitz <js...@su...>
Signed-off-by: Petr Vorel <pv...@su...>
---
 systemd/rpcbind.service.in | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
index c5bbd5e..272e55a 100644
--- a/systemd/rpcbind.service.in
+++ b/systemd/rpcbind.service.in
@@ -10,6 +10,16 @@ Requires=rpcbind.socket
 Wants=rpcbind.target
 
 [Service]
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
 Type=notify
 # distro can provide a drop-in adding EnvironmentFile=-/??? if needed.
 EnvironmentFile=-/etc/rpcbind.conf
-- 
2.45.2

[Libtirpc-devel] [PATCH rpcbind 0/4] Update systemd/rpcbind.service.in

[Petr V. <pv...@su...>]

Hi,

NOTE I'm not systemd expert, others may understand more.

But trying to upstream various hardenings options which we have been
using since 2021. Adding EnvironmentFile I tested locally today.
systemd-tmpfiles-setup.service should be also safe.

Kind regards,
Petr

Josue Ortega (1):
  man/rpcbind: Add Files section to manpage

Petr Vorel (3):
  systemd/rpcbind.service.in: Add few default EnvironmentFile
  systemd/rpcbind.service.in: Add various hardenings options
  systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup

 man/rpcbind.8              |  8 ++++++++
 systemd/rpcbind.service.in | 16 +++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

-- 
2.45.2

[Libtirpc-devel] [PATCH rpcbind 1/4] systemd/rpcbind.service.in: Add few default EnvironmentFile

[Petr V. <pv...@su...>]

Add some defaults so that distros can drop patches to configure it.

* openSUSE and Fedora use /etc/sysconfig/rpcbind
https://build.opensuse.org/projects/network/packages/rpcbind/files/0001-systemd-unit-files.patch?expand=1
https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.3-systemd-envfile.patch

* Debian uses /etc/rpcbind.conf and /etc/default/rpcbind
https://salsa.debian.org/debian/rpcbind/-/blob/buster/debian/rpcbind.service?ref_type=heads

Add all these 3 in order:
* /etc/rpcbind.conf
* /etc/default/rpcbind
* /etc/sysconfig/rpcbind

Signed-off-by: Petr Vorel <pv...@su...>
---
 systemd/rpcbind.service.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
index c892ca8..c5bbd5e 100644
--- a/systemd/rpcbind.service.in
+++ b/systemd/rpcbind.service.in
@@ -12,6 +12,9 @@ Wants=rpcbind.target
 [Service]
 Type=notify
 # distro can provide a drop-in adding EnvironmentFile=-/??? if needed.
+EnvironmentFile=-/etc/rpcbind.conf
+EnvironmentFile=-/etc/default/rpcbind
+EnvironmentFile=-/etc/sysconfig/rpcbind
 ExecStart=@_sbindir@/rpcbind $RPCBIND_OPTIONS @warmstarts_opt@ -f
 
 [Install]
-- 
2.45.2

[Libtirpc-devel] [PATCH rpcbind 2/4] man/rpcbind: Add Files section to manpage

[Petr V. <pv...@su...>]

From: Josue Ortega <jo...@de...>

Previous commit added 3 non-default files, mention them in man page.

Signed-off-by: Petr Vorel <pv...@su...>
---
 man/rpcbind.8 | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/man/rpcbind.8 b/man/rpcbind.8
index fbf0ace..cdcdcfd 100644
--- a/man/rpcbind.8
+++ b/man/rpcbind.8
@@ -150,6 +150,14 @@ starts up. The state file is created when
 .Nm
 terminates.
 .El
+.Sh FILES
+The
+.Nm
+utility tries to load configuration file in following order:
+.Bd -literal
+.Pa /etc/rpcbind.conf
+.Pa /etc/default/rpcbind
+.Pa /etc/sysconfig/rpcbind
 .Sh NOTES
 All RPC servers must be restarted if
 .Nm
-- 
2.45.2

[Libtirpc-devel] [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup

[Petr V. <pv...@su...>]

Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora
rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2]
where /var/run/rpcbind.lock cannot be created due missing /var/run/
directory. But the suggestion to add RequiresMountFor=... was
implemented in ee569be ("Fix boot dependency in systemd service file").

But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and
/run/rpcbind.lock there is error on openSUSE Tumbleweed with rpcbind
1.2.6:

rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system

Adding systemd-tmpfiles-setup.service fixes it.

NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but
systemd-tmpfiles-setup.service looks to me more specific).
openSUSE uses only After=sysinit.target as a result of #1117217 [3]
(also works).

[1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561
[3] https://bugzilla.suse.com/show_bug.cgi?id=1117217

Signed-off-by: Petr Vorel <pv...@su...>
---
 systemd/rpcbind.service.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
index 272e55a..771b944 100644
--- a/systemd/rpcbind.service.in
+++ b/systemd/rpcbind.service.in
@@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@
 # Make sure we use the IP addresses listed for
 # rpcbind.socket, no matter how this unit is started.
 Requires=rpcbind.socket
-Wants=rpcbind.target
+Wants=rpcbind.target systemd-tmpfiles-setup.service
+After=systemd-tmpfiles-setup.service
 
 [Service]
 ProtectSystem=full
-- 
2.45.2

Re: [Libtirpc-devel] svctcp_create with fixed port fails in Linux

[Frank S. <fst...@bi...>]

One interesting finding: When I was looking into the nfs-client code
to compare how they do the fixed-port stuff for mountd etc., I realized
that nfs-utils-2.6.4/support/nfs/svc_create.c has two code blocks using

#ifdef HAVE_LIBTIRPC
...
#else   /* !HAVE_LIBTIRPC */

...
#endig

The else-block is basically just using a call "rpc_init" from rpcmisc.c
which uses almost the same code for creating a socked with a fixed
port in its "makesock" function. I even copied most of this code to
my function, but it didn't create a tcp socket either.

The HAVE_LIBTIRPC is way longer and uses a "SVCXPRT *xprt" structure
in all functions.

Thus, the NFS guys are intentionally not using the code that is also
created by rpcgen for compiling with the libtirc library.
Maybe they also figured out that it doesn't work with libtirc for some
reason and created new code for libtirc. So maybe a newer version of
rpcgen is neccessary to work with libtirc and recent rpcbind...

cu,
Frank
-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

Re: [Libtirpc-devel] svctcp_create with fixed port fails in Linux

[Frank S. <fst...@bi...>]

Hi Steve,

thanks a lot for caring!

Steve Dickson wrote:

> Why not just set the static port through something like /etc/nfs.conf?

The code for the remote uptime server isn't aware of /etc/nfs.conf,
so I can't use that, unfortunately.

>>           /* transp = svctcp_create(RPC_ANYSOCK, 0, 0);  */
>>           /* my code added: */
>>           int sd;
>>           struct sockaddr_in sin;
>>           sd = socket(AF_INET, SOCK_STREAM, 0);
>>           bzero(&sin, sizeof(sin));
>>           sin.sin_family = AF_INET;
>>           sin.sin_addr.s_addr = INADDR_ANY;
>>           sin.sin_port = htons(62222);
>>           bind(sd, &sin, sizeof(sin));
>>           transp = svctcp_create(sd, 0, 0);
>>           /* end of my code added */
>
> Looks reasonable... but where did you come up with  62222?
> Are you sure it is not already being used?

That was just an arbitrary one. I started with 852 which was used in
the past, then thought it might be a problem with ports < 1024 and
used different values above 60000. But it's always the same problem
no matter which port number I try.

> Just curious... is systemd involved with anything?

Yes, the systems are running systemd, and rpcbind is started
via rpcbind.service and rpcbind.socket.

Is it possible that the rpcbind daemon expects sth. different
from the uptime server for opening a fixed port, and refuses
to open the tcp port because my patched code is talking some
"too old" standard? However, there is no indication in the
journal, i.e. no message at all from rpcbind, though, even
not when starting it in debug mode.

> Yeah it is not obvious as to why this is happening... Again I would
> look at systemd "helping out" and make sure the port is not already
> be used.

I'm not sure I understand the comment about systemd: Do you mean it
might somehow prevent opening the port by some security restrictions
or similar? I stopped the rpcbind daemon (including rpcbind.socket)
and started it manually, but still the same error...

-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

Re: [Libtirpc-devel] svctcp_create with fixed port fails in Linux

[Steve D. <st...@re...>]

Sorry for the delay...

On 8/5/24 2:00 PM, Frank Steiner wrote:
> Hi,
> 
> I'm using a very old distributed uptime server https://ru1.sourceforge.net/
> which generates the code part for rpc communication by calling rpcgen.
> We compile and run it on SLES 15 SP6 (= opensuse leap 15.6) with
> libtirpc-1.3.4.
> 
> Due to firewall issues I've changed the resulting code such that a fixed
> tcp port is used instead of a random one created by using RPC_ANYSOCK.
> This worked fine as long as the sun rpc code was in glibc, but after it
> was moved to libtirpc it fails silently without any error message, i.e.
> it doesn't listen on any tcp port anymore.
Why not just set the static port through something like /etc/nfs.conf?

> 
> The server part code generated by rpgcen is this (only the main
> function). I've replaced the "transp = svctcp_create(RPC_ANYSOCK, 0, 0);"
> by some code using a socket with a fixed port:
> 
> nt main (int argc, char **argv) {
> 
>          int c;  // used by getopt
>          long server_port = -1;
> 
> 
>          register SVCXPRT *transp;
> 
>          pmap_unset (RWPROG, RWVERS);
> 
>          transp = svcudp_create(RPC_ANYSOCK);
>          if (transp == NULL) {
>                  fprintf (stderr, "%s", "cannot create udp service.");
>                  exit(1);
>          }
>          if (!svc_register(transp, RWPROG, RWVERS, rwprog_1, 
> IPPROTO_UDP)) {
>                  fprintf (stderr, "%s", "unable to register (RWPROG, 
> RWVERS, udp).");
>                  exit(1);
>          }
> 
>          /* transp = svctcp_create(RPC_ANYSOCK, 0, 0);  */
>          /* my code added: */
>          int sd;
>          struct sockaddr_in sin;
>          sd = socket(AF_INET, SOCK_STREAM, 0);
>          bzero(&sin, sizeof(sin));
>          sin.sin_family = AF_INET;
>          sin.sin_addr.s_addr = INADDR_ANY;
>          sin.sin_port = htons(62222);
>          bind(sd, &sin, sizeof(sin));
>          transp = svctcp_create(sd, 0, 0);
>          /* end of my code added */
Looks reasonable... but where did you come up with  62222?
Are you sure it is not already being used?

> 
>          if (transp == NULL) {
>                  fprintf (stderr, "%s", "cannot create tcp service.");
>                  exit(1);
>          }
>          if (!svc_register(transp, RWPROG, RWVERS, rwprog_1, 
> IPPROTO_TCP)) {
>                  fprintf (stderr, "%s", "unable to register (RWPROG, 
> RWVERS, tcp).");
>                  exit(1);
>          }
> 
>          svc_run ();
>          fprintf (stderr, "%s", "svc_run returned");
>          exit (1);
>          /* NOTREACHED */
> }
> 
> This compiles and starts fine, but when calling "netstat -tulpn"
> afterwards I see only the udp port is used (random port number).
> When reverting to "svctcp_create(RPC_ANYSOCK, 0, 0);" the server
> is also listening on a (random) tcp port.
> 
> Comparing both servers startups with strace I don't see why using the
> fixed port fails. That's the relevant part from using RPC_ANYSOCK:
Just curious... is systemd involved with anything?

> 
> 
> getsockname(4, {sa_family=AF_INET, sin_port=htons(0), 
> sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
> getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
> getsockname(4, {sa_family=AF_INET, sin_port=htons(0), 
> sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
> getsockname(4, {sa_family=AF_INET, sin_port=htons(0), 
> sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
> getsockname(4, {sa_family=AF_INET, sin_port=htons(0), 
> sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
> openat(AT_FDCWD, "/proc/sys/net/ipv4/ip_local_reserved_ports", O_RDONLY) 
> = 5
> fstat(5, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
> read(5, "\n", 1024)                     = 1
> read(5, "", 1024)                       = 0
> close(5)                                = 0
> bind(4, {sa_family=AF_INET, sin_port=htons(63242), 
> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
> listen(4, 4096)                         = 0
> getpeername(4, 0x7ffe8af2fa10, [128])   = -1 ENOTCONN (Transport 
> endpoint is not connected)
> getsockname(4, {sa_family=AF_INET, sin_port=htons(63242), 
> sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
> getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
> getsockname(4, {sa_family=AF_INET, sin_port=htons(63242), 
> sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
> openat(AT_FDCWD, "/etc/netconfig", O_RDONLY) = 5
> fstat(5, {st_mode=S_IFREG|0644, st_size=767, ...}) = 0
> read(5, "#\n# The network configuration fi"..., 4096) = 767
> close(5)                                = 0
> socket(AF_UNIX, SOCK_STREAM, 0)         = 5
> rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
> getpeername(5, 0x7ffe8af2f730, [128])   = -1 ENOTCONN (Transport 
> endpoint is not connected)
> connect(5, {sa_family=AF_UNIX, sun_path="/var/run/rpcbind.sock"}, 23) = 0
> getsockname(5, {sa_family=AF_UNIX}, [128 => 2]) = 0
> getsockopt(5, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
> <polling for data>
> 
> 
> 
> And that's the from the code with the fixed port number:
> 
> openat(AT_FDCWD, "/etc/netconfig", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0644, st_size=767, ...}) = 0
> read(4, "#\n# The network configuration fi"..., 4096) = 767
> close(4)                                = 0
> socket(AF_UNIX, SOCK_STREAM, 0)         = 4
> rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
> getpeername(4, 0x7fff5be340b0, [128])   = -1 ENOTCONN (Transport 
> endpoint is not connected)
> connect(4, {sa_family=AF_UNIX, sun_path="/var/run/rpcbind.sock"}, 23) = 0
> getsockname(4, {sa_family=AF_UNIX}, [128 => 2]) = 0
> getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> getpid()                                = 1701
> rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> geteuid()                               = 0
> rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
> write(4, 
> "\200\0\0T<B\222\0\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0\3\0\0\0\1\0\0\0\0"..., 88) = 88
> read(4, 
> "\200\0\0\34<B\222\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1", 
> 9000) = 32
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
> close(4)                                = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
> bind(4, {sa_family=AF_INET, sin_port=htons(62222), 
> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
> openat(AT_FDCWD, "/etc/netconfig", O_RDONLY) = 5
> fstat(5, {st_mode=S_IFREG|0644, st_size=767, ...}) = 0
> read(5, "#\n# The network configuration fi"..., 4096) = 767
> close(5)                                = 0
> getsockname(4, {sa_family=AF_INET, sin_port=htons(62222), 
> sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
> getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
> getsockname(4, {sa_family=AF_INET, sin_port=htons(62222), 
> sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
> getpeername(4, 0x7fff5be34390, [128])   = -1 ENOTCONN (Transport 
> endpoint is not connected)
> getsockname(4, {sa_family=AF_INET, sin_port=htons(62222), 
> sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
> getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
> getsockname(4, {sa_family=AF_INET, sin_port=htons(62222), 
> sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
> openat(AT_FDCWD, "/etc/netconfig", O_RDONLY) = 5
> fstat(5, {st_mode=S_IFREG|0644, st_size=767, ...}) = 0
> read(5, "#\n# The network configuration fi"..., 4096) = 767
> close(5)                                = 0
> socket(AF_UNIX, SOCK_STREAM, 0)         = 5
> rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
> getpeername(5, 0x7fff5be340b0, [128])   = -1 ENOTCONN (Transport 
> endpoint is not connected)
> connect(5, {sa_family=AF_UNIX, sun_path="/var/run/rpcbind.sock"}, 23) = 0
> getsockname(5, {sa_family=AF_UNIX}, [128 => 2]) = 0
> getsockopt(5, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
> <polling ...>
> 
> Do you have any ideas what's wrong with the above code when compiling
> it using the libtirpc library instead of the old sunrpc code from glibc?
Yeah it is not obvious as to why this is happening... Again I would
look at systemd "helping out" and make sure the port is not already
be used.

steved.

> 
> Many thanks!
> 
> cu,
> Frank
> 
> 
> _______________________________________________
> Libtirpc-devel mailing list
> Lib...@li...
> https://lists.sourceforge.net/lists/listinfo/libtirpc-devel
> 

[Libtirpc-devel] svctcp_create with fixed port fails in Linux

[Frank S. <fst...@bi...>]

Hi,

I'm using a very old distributed uptime server https://ru1.sourceforge.net/
which generates the code part for rpc communication by calling rpcgen.
We compile and run it on SLES 15 SP6 (= opensuse leap 15.6) with
libtirpc-1.3.4.

Due to firewall issues I've changed the resulting code such that a fixed
tcp port is used instead of a random one created by using RPC_ANYSOCK.
This worked fine as long as the sun rpc code was in glibc, but after it
was moved to libtirpc it fails silently without any error message, i.e.
it doesn't listen on any tcp port anymore.

The server part code generated by rpgcen is this (only the main
function). I've replaced the "transp = svctcp_create(RPC_ANYSOCK, 0, 0);"
by some code using a socket with a fixed port:

nt main (int argc, char **argv) {

         int c;  // used by getopt
         long server_port = -1;


         register SVCXPRT *transp;

         pmap_unset (RWPROG, RWVERS);

         transp = svcudp_create(RPC_ANYSOCK);
         if (transp == NULL) {
                 fprintf (stderr, "%s", "cannot create udp service.");
                 exit(1);
         }
         if (!svc_register(transp, RWPROG, RWVERS, rwprog_1, IPPROTO_UDP)) {
                 fprintf (stderr, "%s", "unable to register (RWPROG, RWVERS, udp).");
                 exit(1);
         }

         /* transp = svctcp_create(RPC_ANYSOCK, 0, 0);  */
         /* my code added: */
         int sd;
         struct sockaddr_in sin;
         sd = socket(AF_INET, SOCK_STREAM, 0);
         bzero(&sin, sizeof(sin));
         sin.sin_family = AF_INET;
         sin.sin_addr.s_addr = INADDR_ANY;
         sin.sin_port = htons(62222);
         bind(sd, &sin, sizeof(sin));
         transp = svctcp_create(sd, 0, 0);
         /* end of my code added */

         if (transp == NULL) {
                 fprintf (stderr, "%s", "cannot create tcp service.");
                 exit(1);
         }
         if (!svc_register(transp, RWPROG, RWVERS, rwprog_1, IPPROTO_TCP)) {
                 fprintf (stderr, "%s", "unable to register (RWPROG, RWVERS, tcp).");
                 exit(1);
         }

         svc_run ();
         fprintf (stderr, "%s", "svc_run returned");
         exit (1);
         /* NOTREACHED */
}

This compiles and starts fine, but when calling "netstat -tulpn"
afterwards I see only the udp port is used (random port number).
When reverting to "svctcp_create(RPC_ANYSOCK, 0, 0);" the server
is also listening on a (random) tcp port.

Comparing both servers startups with strace I don't see why using the
fixed port fails. That's the relevant part from using RPC_ANYSOCK:


getsockname(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
openat(AT_FDCWD, "/proc/sys/net/ipv4/ip_local_reserved_ports", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
read(5, "\n", 1024)                     = 1
read(5, "", 1024)                       = 0
close(5)                                = 0
bind(4, {sa_family=AF_INET, sin_port=htons(63242), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(4, 4096)                         = 0
getpeername(4, 0x7ffe8af2fa10, [128])   = -1 ENOTCONN (Transport endpoint is not connected)
getsockname(4, {sa_family=AF_INET, sin_port=htons(63242), sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(63242), sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
openat(AT_FDCWD, "/etc/netconfig", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=767, ...}) = 0
read(5, "#\n# The network configuration fi"..., 4096) = 767
close(5)                                = 0
socket(AF_UNIX, SOCK_STREAM, 0)         = 5
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
getpeername(5, 0x7ffe8af2f730, [128])   = -1 ENOTCONN (Transport endpoint is not connected)
connect(5, {sa_family=AF_UNIX, sun_path="/var/run/rpcbind.sock"}, 23) = 0
getsockname(5, {sa_family=AF_UNIX}, [128 => 2]) = 0
getsockopt(5, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
<polling for data>



And that's the from the code with the fixed port number:

openat(AT_FDCWD, "/etc/netconfig", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=767, ...}) = 0
read(4, "#\n# The network configuration fi"..., 4096) = 767
close(4)                                = 0
socket(AF_UNIX, SOCK_STREAM, 0)         = 4
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
getpeername(4, 0x7fff5be340b0, [128])   = -1 ENOTCONN (Transport endpoint is not connected)
connect(4, {sa_family=AF_UNIX, sun_path="/var/run/rpcbind.sock"}, 23) = 0
getsockname(4, {sa_family=AF_UNIX}, [128 => 2]) = 0
getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
getpid()                                = 1701
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
geteuid()                               = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
write(4, "\200\0\0T<B\222\0\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0\3\0\0\0\1\0\0\0\0"..., 88) = 88
read(4, "\200\0\0\34<B\222\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1", 9000) = 32
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
close(4)                                = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(62222), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
openat(AT_FDCWD, "/etc/netconfig", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=767, ...}) = 0
read(5, "#\n# The network configuration fi"..., 4096) = 767
close(5)                                = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(62222), sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(62222), sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
getpeername(4, 0x7fff5be34390, [128])   = -1 ENOTCONN (Transport endpoint is not connected)
getsockname(4, {sa_family=AF_INET, sin_port=htons(62222), sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(62222), sin_addr=inet_addr("0.0.0.0")}, [128 => 16]) = 0
openat(AT_FDCWD, "/etc/netconfig", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=767, ...}) = 0
read(5, "#\n# The network configuration fi"..., 4096) = 767
close(5)                                = 0
socket(AF_UNIX, SOCK_STREAM, 0)         = 5
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
getpeername(5, 0x7fff5be340b0, [128])   = -1 ENOTCONN (Transport endpoint is not connected)
connect(5, {sa_family=AF_UNIX, sun_path="/var/run/rpcbind.sock"}, 23) = 0
getsockname(5, {sa_family=AF_UNIX}, [128 => 2]) = 0
getsockopt(5, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
<polling ...>

Do you have any ideas what's wrong with the above code when compiling
it using the libtirpc library instead of the old sunrpc code from glibc?

Many thanks!

cu,
Frank

[Libtirpc-devel] ANNOUNCE: rpcbind-1.2.7 released.

[Steve D. <st...@re...>]

This release contains:
- rpcinfo: try connecting using abstract address.
- Listen on an AF_UNIX abstract address if supported.
- autotools/systemd: call rpcbind with -w only on enabled warm starts
- rpcbind: fix double free in init_transport

Both the tarball and change log can be found at
   http://sourceforge.net/projects/rpcbind

The git tree was moved to:
    git://linux-nfs.org/~steved/rpcbind.git

Please send comments/bugs to lin...@vg... and/or
lib...@li...

steved.

[Libtirpc-devel] ANNOUNCE: libtirpc-1.3.5 released.

[Steve D. <st...@re...>]

Hello,

A couple of rpcbind enhancements and a memory
leak fix... as well as a few other bug fixes.

The tarball:
 
https://sourceforge.net/projects/libtirpc/files/libtirpc/1.3.5/libtirpc-1.3.5.tar.bz2

Release notes:
 
https://sourceforge.net/projects/libtirpc/files/libtirpc/1.3.5/Release-1-3-5.txt

The git tree is at:
    git://linux-nfs.org/~steved/libtirpc

steved.

Re: [Libtirpc-devel] RPC traffic over more than one TCP connection to the same server (Linux mount.nfs nconnect=)?

[Cedric B. <ced...@gm...>]

On Thu, 1 Feb 2024 at 06:23, Cedric Blancher <ced...@gm...> wrote:
>
> Good morning!
>
> Linux mount.nfs4 has the nconnect= option to use more than one TCP
> connection for traffic to or from the server.
>
> Could the same be done with a libtirpc-based RPC client? How?

?

Ced
-- 
Cedric Blancher <ced...@gm...>
[https://plus.google.com/u/0/+CedricBlancher/]
Institute Pasteur

Re: [Libtirpc-devel] [EXTERNAL] - RPC traffic over more than one TCP connection to the same server (Linux mount.nfs nconnect=)?

[David H. <dh...@op...>]

My reading of the code indicates that the libtirpc server code is single threaded, so it can't process multiple connections simultaneously, if that's what you're asking for.

FWIW, our projects have a strong need to make the server multi-threaded, so I hope to work on that code sometime in the next year or so.

Dave

-----Original Message-----
From: Cedric Blancher <ced...@gm...> 
Sent: Thursday, February 1, 2024 12:23 AM
To: lib...@li...
Subject: [EXTERNAL] - [Libtirpc-devel] RPC traffic over more than one TCP connection to the same server (Linux mount.nfs nconnect=)?

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. If you feel that the email is suspicious, please report it using PhishAlarm.


Good morning!

Linux mount.nfs4 has the nconnect= option to use more than one TCP connection for traffic to or from the server.

Could the same be done with a libtirpc-based RPC client? How?

Ced
--
Cedric Blancher <ced...@gm...> [https://urldefense.com/v3/__https://plus.google.com/u/0/*CedricBlancher/__;Kw!!Obbck6kTJA!fEYpvIYUUc9Gm8WFaSEx_I-nSAYP58DhkEFGUS3MAX-E5OP-uPZhendfyuOjwCCtod8y6S2-oY_QGlOjza7PhpNcfFI$ ] Institute Pasteur


_______________________________________________
Libtirpc-devel mailing list
Lib...@li...
https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/libtirpc-devel__;!!Obbck6kTJA!fEYpvIYUUc9Gm8WFaSEx_I-nSAYP58DhkEFGUS3MAX-E5OP-uPZhendfyuOjwCCtod8y6S2-oY_QGlOjza7PXly6EBA$