pcp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [pcp] pcp updates: pmcd clients use "local:" as the default instead

from [Nathan Scott] [Permanent Link][Original]
To: Dave Brolley <brolley@xxxxxxxxxx>
Subject: Re: [pcp] pcp updates: pmcd clients use "local:" as the default instead of gethostname() or localhost
From: Nathan Scott <nathans@xxxxxxxxxx>
Date: Wed, 7 Aug 2013 22:30:33 -0400 (EDT)
Cc: PCP <pcp@xxxxxxxxxxx>
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <51F81D2C.6090905@xxxxxxxxxx>
References: <51F81D2C.6090905@xxxxxxxxxx>
Reply-to: Nathan Scott <nathans@xxxxxxxxxx>
Thread-index: NNQwYyHgkrUaXs84XDnF7zFdEHe8Ng==
Thread-topic: pcp updates: pmcd clients use "local:" as the default instead of gethostname() or localhost 
Hi Dave,

----- Original Message -----
> The following changes have been committed to the brolley/dev branch in
> the pcpfans repository. They change the default connection for pmcd
> clients from gethostname() or localhost to "local:" which tries pmcd's
> unix domain socket, if supported, followed by localhost.
> 
> A final qa run is underway to catch any problems caused by the final
> commit (b2568...)
> 

Just coming back to the latest commits here & I'm seeing a few new
QA failures (looks like you're running "-g local" now?) - the test
qa/069 one is a bit worrying...

--- 069.out     2013-08-08 05:18:22.000000000 +1000
+++ 069.out.bad 2013-08-08 12:16:47.745059980 +1000
@@ -7,8 +7,12 @@ pmcd.numclients
     value 2
 
 expect two access control errors:
-pminfo: Cannot connect to PMCD on host "LOCALHOST": No permission to perform 
requested operation
-pminfo: Cannot connect to PMCD on host "LOCALHOST": No permission to perform 
requested operation
+
+pmcd.numclients
+    value 1
+
+pmcd.numclients
+    value 1
 
 expect two connection limit errors:
 pminfo: Cannot connect to PMCD on host "OTHERHOST1": PMCD connection limit for 
this host exceeded


... so we appear to be no longer enforcing the host-based access control
for unix domain socket connections.  I think we need to do that, in the
same way we did for "-h localhost", but its worth discussing more widely
as others may not think so (can we control local pmcd over-subscription
without this?).

Digging into the code a bit, looks like we avoid having the same access
rules as apply to localhost because __pmSockAddrIsLoopBack returns false
for af_unix sockets.  Call chain there from pmcd to libpcp is:
__pmAccAddClient -> getClientIds -> __pmSockAddrIsLoopBack ... which is
gonna send us down a different path to the /* Map "localhost" to the real
IP addresses. */ path we would've travelled before.

For some reason, the simple change (pretend unix: is like loopback here)
causes other unexpected failure later in the test ... not sure what that
was caused by.  Figured I was far down a rathole at that point, time to
bail out and call for the cavalry.

The other bad files are attached and some other fixes (plus that initial
not-quite-right patch for loopback pretending).

cheers.

--
Nathan

Attachment: unix-domain-qa.patch
Description: Text Data

Attachment: unix-domain-qa.bads
Description: Binary data

[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Bug#698735: [pcp] Bug#698735: CVE-2012-5530, Nathan Scott
Next by Date:  pcp updates: dynamic metrics, qa, Nathan Scott
Previous by Thread:  Bug#698735: [pcp] Bug#698735: CVE-2012-5530, Nathan Scott
Next by Thread:  Re: [pcp] pcp updates: pmcd clients use "local:" as the default instead of gethostname() or localhost, Dave Brolley
Indexes:  [Date] [Thread] [Top] [All Lists]