[new API] two-phased qb_ipcs_create required #325
Comments
|
Note that this would also (finally, one wants to say) offer client I'm currently split whether it should be a Nonetheless, it must be documented that normally, this socket is |
|
API looks sane, but what is the use case? Also I was unable to understand following part:
If it is about daemonization process, then why should daemon do the exec after fork? I can imagine situation with child processes, but sharing fd is just asking for a big troubles. |
|
On 27/09/18 00:18 -0700, Jan Friesse wrote:
If it is about daemonization process, then why should daemon do the
exec after fork?
In case it's a hierarchical daemon of daemons (e.g. pacemaker).
I can imagine situation with child processes, but sharing fd is just
asking for a big troubles.
Why? This is the same mechanism that, e.g., systemd uses to share
the notification socket into services accommodating that signaling
scheme.
…--
Jan (Poki)
|
So it's not about daemonization.
Because current libqb IPC is not prepared for concurrent access. Could you please explain the intended use case?
|
|
On 30/09/18 23:23 -0700, Jan Friesse wrote:
> On 27/09/18 00:18 -0700, Jan Friesse wrote:
>> If it is about daemonization process, then why should daemon do the exec after fork?
> In case it's a hierarchical daemon of daemons (e.g. pacemaker).
So it's not about daemonization.
In part, it is. Well behaved daemonizing daemon will either
synchronize with the effective service, the child process,
to indicate any initialization failures early back to the
launching environment truthfully, or, less optimally perhaps,
will perform some of these initializations on its own, only
to pass the successfully opened IO resources to the child.
For IPC listening parts based on libqb, the latter wasn't
possible thus far, but the proposed extension will enable it.
But it may also come handy in case the superdaemon spawns
sub-daemons -- with this extension, this superdaemon can
do some substantial initializations on its own, only to share
this prepared environment with the spawned sub-daemons,
partially eliminating risk of their later failure
(i.e., fail early principle).
> I can imagine situation with child processes, but sharing fd is
> just asking for a big troubles. Why? This is the same mechanism
> that, e.g., systemd uses to share the notification socket into
> services accommodating that signaling scheme.
Because current libqb IPC is not prepared for concurrent access.
Well, how does that differ with plain descriptors treatment wrt.
read/write syscalls, for instance? It still remains the
responsibility of the user of these interfaces to preserve sanity,
e.g. prevent multiple readers that would mutually corrupt their view
on the IO stream. System-wide, there's only CLOEXEC flag that's meant
to prevent misuses in one direction, but here we mean to propagate
descriptor in the opposite direction and there's nothing to prevent
possible misuse (sharing side will reuse the descriptor even if it's
meant to be fully acquired by its child) in a portable way
-- it's up to the interface user to behave wisely, as usual in Unix
tradition, so I fail to see any regression in this respect.
…--
Jan (Poki)
|
|
Ok, now it makes a little more sense. I have doubts about the solution really solves any real problem (especially when daemon is systemd enabled and notifies its state), but as long as old api is kept, then why not. |
|
Yes, it indeed does help with real use cases, details forthcoming. |
[2/4: pacemakerd to trust pre-existing processes via new checks instead] In pacemakerd in the context of entrusting pre-existing processes, we now resort to procfs-based solution only in boundary, fouled cases, and primarily examine the credentials of the processes already occupying known IPC end-points before adopting them. The commit applies the new helpers from 1/1 so as to close the both related sensitive problems, CVE-2018-16877 and CVE-2018-16878, in a unified manner, this time limited to the main daemon of pacemaker (pacemakerd). To be noted that it is clearly not 100% for this purpose for still allowing for TOCTTOU, but that's what commit (3/3) is meant to solve for the most part, plus there may be optimizations solving this concern as a side effect, but that requires an active assistance on the libqb side (ClusterLabs/libqb#325) since any improvement on pacemaker side in isolation would be very cumbersome if generally possible at all, but either way means a new, soft compatibility encumberment. As a follow-up to what was put in preceding 1/3 commit, PID of 1 tracked as child's identification on FreeBSD (or when socket-based activation is used with systemd) is treated specially, incl. special precaution with child's PID discovered as 1 elsewhere. v2: courtesy of Yan Gao of SUSE for early discovery and report for what's primarily solved with 4/4 commit, in extension, child daemons in the initialization phase coinciding with IPC-feasibility based process scan in pacemakerd in a way that those are missed (although they are to come up fully just moments later only to interfere with naturally spawned ones) are now considered so that if any native children later fail for said clash, the pre-existing counterpart may get adopted instead of ending up with repeated spawn-bury loop ad nauseam without real progress (note that PCMK_fail_fast=true could possibly help, but that's rather a big hammer not suitable for all the use cases, not the ones we try to deal with gracefully here)
[2/4: pacemakerd to trust pre-existing processes via new checks instead] In pacemakerd in the context of entrusting pre-existing processes, we now resort to procfs-based solution only in boundary, fouled cases, and primarily examine the credentials of the processes already occupying known IPC end-points before adopting them. The commit applies the new helpers from 1/1 so as to close the both related sensitive problems, CVE-2018-16877 and CVE-2018-16878, in a unified manner, this time limited to the main daemon of pacemaker (pacemakerd). To be noted that it is clearly not 100% for this purpose for still allowing for TOCTTOU, but that's what commit (3/3) is meant to solve for the most part, plus there may be optimizations solving this concern as a side effect, but that requires an active assistance on the libqb side (ClusterLabs/libqb#325) since any improvement on pacemaker side in isolation would be very cumbersome if generally possible at all, but either way means a new, soft compatibility encumberment. As a follow-up to what was put in preceding 1/3 commit, PID of 1 tracked as child's identification on FreeBSD (or when socket-based activation is used with systemd) is treated specially, incl. special precaution with child's PID discovered as 1 elsewhere. v2: courtesy of Yan Gao of SUSE for early discovery and report for what's primarily solved with 4/4 commit, in extension, child daemons in the initialization phase coinciding with IPC-feasibility based process scan in pacemakerd in a way that those are missed (although they are to come up fully just moments later only to interfere with naturally spawned ones) are now considered so that if any native children later fail for said clash, the pre-existing counterpart may get adopted instead of ending up with repeated spawn-bury loop ad nauseam without real progress (note that PCMK_fail_fast=true could possibly help, but that's rather a big hammer not suitable for all the use cases, not the ones we try to deal with gracefully here)
|
Have discovered that ability to force non-abstract sockets where they'd The main problem is that For pacemaker in particular, the solution is as "simple" as adopting Any timeframe we can expect this? |
Signatures
Allow safe nesting wrt. NULL checking, e.g.,
The
qb_ipcs_listener_tabstraction is meant to allow for (and enforce)extra checking on libqb side (so that the same internal coherency as with
monolithic
qb_ipcs_createis achieved), as that type is only used asan opaque pointer in the client program.
The text was updated successfully, but these errors were encountered: