Re: sunrpc port allocation and IANA reserved list

From: Chuck Lever
Date: Tue Nov 10 2009 - 16:36:21 EST

Next message: Paul E. McKenney: "[PATCH tip/core/rcu 0/4] rcu inline, expedited, ->completedcleanups"
Previous message: Ingo Molnar: "Re: [patch v2] x86: reduce srat verbosity in the kernel log"
In reply to: Ben Hutchings: "Re: sunrpc port allocation and IANA reserved list"
Next in thread: Ben Hutchings: "Re: sunrpc port allocation and IANA reserved list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Nov 10, 2009, at 4:32 PM, Ben Hutchings wrote:

On Tue, 2009-11-10 at 15:06 -0600, Chris Friesen wrote:
On 11/10/2009 02:26 PM, Trond Myklebust wrote:
On Tue, 2009-11-10 at 12:37 -0600, Chris Friesen wrote:
On 11/10/2009 11:53 AM, Ben Hutchings wrote:
On Tue, 2009-11-10 at 11:43 -0600, Chris Friesen wrote:

Given that a userspace application can be stopped and restarted at any
time, and a sunrpc registration can happen at any time, what is the
expected mechanism to prevent the kernel from allocating a port for use
by sunrpc that reserved or well-known?

Apparently Redhat and Debian have distro-specific ways of dealing with
this, but is there a standard solution? Should there be?

The current setup seems suboptimal.

I believe both RH and Debian are using the same implementation:
<http://cyberelk.net/tim/software/portreserve/>.

That helps with the startup case, but still leaves a possible hole if an
app using a fixed port number is restarted at runtime. During the
window where nobody is bound to the port, the kernel could randomly
assign it to someone else.

Just use /proc/sys/sunrpc/{max,min}_resvport interface to restrict the
range used to a safer one. That's what it is for...

Unless I'm much mistaken, that only affects in-kernel SunRPC users.

What constitutes a "safer range"? IANA has ports assigned
intermittently all the way through the default RPC range. The largest
unassigned range is 922-988 (since 921 is used by lwresd). If someone
needs more than 66 ports, how are they supposed to handle it?

I'm sure we could afford 128 bytes for a blacklist of privileged ports.
However, the problem is that there is no API for userland to request
'any free privileged port' - it has to just try binding to different
ports until it finds one available.

bindresvport(3) and bindresvport_sa(3t) ?

This means that the kernel can't
tell whether a process is trying to allocate a specifically assigned
port or whether the blacklist should be applied.

Such a blacklist would have to be managed by glibc or libtirpc.

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paul E. McKenney: "[PATCH tip/core/rcu 0/4] rcu inline, expedited, ->completedcleanups"
Previous message: Ingo Molnar: "Re: [patch v2] x86: reduce srat verbosity in the kernel log"
In reply to: Ben Hutchings: "Re: sunrpc port allocation and IANA reserved list"
Next in thread: Ben Hutchings: "Re: sunrpc port allocation and IANA reserved list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]