rcctl issue with rdomains


rcctl issue with rdomains

Pierre Emeriaud
I don't know if this is a known/expected behavior or a bug, and I
wanted your input on this. This is on 6.4-stable.

I have two sshd daemons running. One (sshd_public) in rdomain 0
(public internet), another (sshd_private) in rdomain 1 (private lan).

If I use rcctl to restart sshd_public while connected through
rdomain1, it fails but says (ok). I do have rtable=0 though for that
daemon:

lg(rdomain1)$ id -R
1

lg(rdomain1)$ rcctl get sshd_public rtable
0

lg(rdomain1)$ doas rcctl -d start sshd_public
doing _rc_parse_conf
doing _rc_quirks
sshd_public_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/sshd_public
doing _rc_quirks
doing rc_check
sshd_public
doing _rc_wait start
doing rc_start
doing rc_check
doing _rc_write_runfile
(ok)

lg(rdomain1)$ ps aux | grep sshd
root     44195  0.0  0.1  1000  1144 ??  Is     1:08PM    0:00.01 /usr/sbin/sshd -f /etc/ssh/sshd_config_private

lg(rdomain1)$ ps -o rtable -p 44195
RTABLE
     1

lg(rdomain1)$ doas route -T0 exec rcctl start sshd_public
sshd_public(ok)

lg(rdomain1)$ ps aux | grep sshd
root     44195  0.0  0.1  1000  1144 ??  Is     1:08PM    0:00.01 /usr/sbin/sshd -f /etc/ssh/sshd_config_private
root     71708  0.0  0.1  1004  1524 ??  Ss     8:33PM    0:00.00 /usr/sbin/sshd

lg(rdomain1)$ ps -o rtable -p 71708
RTABLE
     0

I'm ok with having to use route -T exec, but (ok) from rcctl seems
wrong, and I'd expect rcctl to be able to launch a daemon in any
rtable from any.
(On a possibly related note, I have similar issues with ping -V0 from
rdomain 1 - but I'll split that off into another mail.)

thanks,
pierre
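As an added illustration (not code from this thread or from OpenBSD's rc.subr), the sh script below models the decision rc.subr makes before starting a daemon: the 6.4 rule skips `route -T exec` whenever the daemon's rtable is 0, while the corrected rule compares against the rtable of the shell running rcctl, as Antoine's diff further down in the thread does. The function names and the constructed case (daemon rtable 0, shell in rdomain 1) are mine.

```sh
#!/bin/sh
# Added illustration, not OpenBSD's rc.subr: how the exec prefix for a daemon
# is chosen from its configured rtable and the rtable of the shell running
# rcctl. Function names are hypothetical.

# 6.4 rule: skip the wrapper whenever the daemon's rtable is 0.
# $1 = daemon rtable (rcctl get <svc> rtable), $2 = caller rtable (id -R)
rc_exec_prefix_64() {
    [ "$1" -eq 0 ] && return 0
    printf 'route -T %s exec' "$1"
}

# Fixed rule: skip the wrapper only when daemon and caller share an rtable.
rc_exec_prefix_fixed() {
    [ "$1" -eq "$2" ] && return 0
    printf 'route -T %s exec' "$1"
}

# rtable the daemon actually ends up in: the wrapper's table if one is used,
# otherwise inherited from the caller (a child keeps its parent's rtable).
# $1 = rule function, $2 = daemon rtable, $3 = caller rtable
effective_rtable() {
    if [ -n "$("$1" "$2" "$3")" ]; then
        printf '%s' "$2"
    else
        printf '%s' "$3"
    fi
}

# "prefix|effective rtable" for one case, convenient for checking both rules.
check_case() {
    printf '%s|%s' "$("$1" "$2" "$3")" "$(effective_rtable "$1" "$2" "$3")"
}

# Constructed case from the report: sshd_public has rtable 0, the shell is in
# rdomain 1. The 6.4 rule starts the daemon with no wrapper, so it inherits
# rtable 1; the fixed rule wraps it in "route -T 0 exec".
echo "6.4 rule  : $(check_case rc_exec_prefix_64 0 1)"
echo "fixed rule: $(check_case rc_exec_prefix_fixed 0 1)"
```

Running it prints `|1` for the 6.4 rule (daemon lands in rtable 1, matching the `ps -o rtable` output above) and `route -T 0 exec|0` for the fixed rule.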


Re: rcctl issue with rdomains

YASUOKA Masahiko-3
On Mon, 18 Mar 2019 22:07:58 +0100
Pierre Emeriaud <[hidden email]> wrote:
> I don't know if this is a known/expected behavior or a bug, and I
> wanted your input on this. This is on 6.4-stable.

I posted the same behavior and a fix.

https://marc.info/?l=openbsd-tech&m=155064058824272&w=2

> I have two sshd daemons running. One (sshd_public) in rdomain 0
> (public internet), another (sshd_private) in rdomain 1 (private lan).
>
> If I use rcctl to restart sshd_public while connected through
> rdomain1, it fails but says (ok). I do have rtable=0 though for that
> daemon:
>
> lg(rdomain1)$ id -R
> 1

Is this desired?
You can avoid this by adding "RDomain 0" to sshd_config.

> lg(rdomain1)$ rcctl get sshd_public rtable
> 0
>
> lg(rdomain1)$ doas rcctl -d start sshd_public
> doing _rc_parse_conf
> doing _rc_quirks
> sshd_public_flags empty, using default ><
> doing _rc_parse_conf /var/run/rc.d/sshd_public
> doing _rc_quirks
> doing rc_check
> sshd_public
> doing _rc_wait start
> doing rc_start
> doing rc_check
> doing _rc_write_runfile
> (ok)
>
> lg(rdomain1)$ ps aux | grep sshd
> root     44195  0.0  0.1  1000  1144 ??  Is     1:08PM    0:00.01 /usr/sbin/sshd -f /etc/ssh/sshd_config_private
>
> lg(rdomain1)$ ps -o rtable -p 44195
> RTABLE
>      1
>
> lg(rdomain1)$ doas route -T0 exec rcctl start sshd_public
> sshd_public(ok)
>
> lg(rdomain1)$ ps aux | grep sshd
> root     44195  0.0  0.1  1000  1144 ??  Is     1:08PM    0:00.01 /usr/sbin/sshd -f /etc/ssh/sshd_config_private
> root     71708  0.0  0.1  1004  1524 ??  Ss     8:33PM    0:00.00 /usr/sbin/sshd
>
> lg(rdomain1)$ ps -o rtable -p 71708
> RTABLE
>      0
>
> I'm ok with having to use route -T exec, but (ok) from rcctl seems
> wrong, and I'd expect rcctl to be able to launch a daemon in any
> rtable from any.
> (On a possibly related note, I have similar issues with ping -V0 from
> rdomain 1 - but I'll split that off into another mail.)
>
> thanks,
> pierre
>


Re: rcctl issue with rdomains

Antoine Jacoutot-7
On Tue, 2019-03-19 at 18:48 +0900, YASUOKA Masahiko wrote:
> On Mon, 18 Mar 2019 22:07:58 +0100
> Pierre Emeriaud <[hidden email]> wrote:
> > I don't know if this is a known/expected behavior or a bug, and I
> > wanted your input on this. This is on 6.4-stable.
>
> I posted the same behavior and a fix.
>
> https://marc.info/?l=openbsd-tech&m=155064058824272&w=2
>

What about doing this?

Index: rc.subr
===================================================================
RCS file: /cvs/src/etc/rc.d/rc.subr,v
retrieving revision 1.130
diff -u -p -r1.130 rc.subr
--- rc.subr 20 Jan 2019 04:52:07 -0000 1.130
+++ rc.subr 20 Mar 2019 08:47:55 -0000
@@ -320,5 +320,5 @@ unset _rcflags _rcrtable _rcuser _rctime
 # make sure pexp matches the process (i.e. doesn't include the quotes)
 pexp="$(eval echo ${daemon}${daemon_flags:+ ${daemon_flags}})"
 rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
-[ "${daemon_rtable}" -eq 0 ] ||
+[ "${daemon_rtable}" -eq "$(id -R)" ] ||
  rcexec="route -T ${daemon_rtable} exec ${rcexec}"
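Review bot: the new condition is undocumented, and the only nearby comment describes pexp, so a short line above the test such as `# wrap in route -T exec only when the daemon's rtable differs from ours` would spare the next reader a trip to Pierre's report to understand why `$(id -R)` replaced the literal 0. The logic itself looks right: the wrapper is now applied whenever the daemon's rtable and the caller's differ, which covers the failing case (rtable 0 daemon started from rdomain 1) and keeps the existing behaviour when rcctl is run from rtable 0. One more thing worth knowing: if `daemon_rtable` is empty or `id -R` fails, test(1) complains and exits non-zero, so the `||` branch adds the wrapper; that is the safe direction, but it means the error message, not a silent skip, is what the admin will see.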


--
Antoine


Re: rcctl issue with rdomains

YASUOKA Masahiko-3
Hi,

On Wed, 20 Mar 2019 09:51:50 +0100
Antoine Jacoutot <[hidden email]> wrote:

> On Tue, 2019-03-19 at 18:48 +0900, YASUOKA Masahiko wrote:
>> On Mon, 18 Mar 2019 22:07:58 +0100
>> Pierre Emeriaud <[hidden email]> wrote:
>> > I don't know if this is a known/expected behavior or a bug, and I
>> > wanted your input on this. This is on 6.4-stable.
>>
>> I posted the same behavior and a fix.
>>
>> https://marc.info/?l=openbsd-tech&m=155064058824272&w=2
>>
>
> What about doing this?

Yes, it seems better.

> Index: rc.subr
> ===================================================================
> RCS file: /cvs/src/etc/rc.d/rc.subr,v
> retrieving revision 1.130
> diff -u -p -r1.130 rc.subr
> --- rc.subr 20 Jan 2019 04:52:07 -0000 1.130
> +++ rc.subr 20 Mar 2019 08:47:55 -0000
> @@ -320,5 +320,5 @@ unset _rcflags _rcrtable _rcuser _rctime
>  # make sure pexp matches the process (i.e. doesn't include the quotes)
>  pexp="$(eval echo ${daemon}${daemon_flags:+ ${daemon_flags}})"
>  rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
> -[ "${daemon_rtable}" -eq 0 ] ||
> +[ "${daemon_rtable}" -eq "$(id -R)" ] ||
>   rcexec="route -T ${daemon_rtable} exec ${rcexec}"
>


Re: rcctl issue with rdomains

Pierre Emeriaud
On Wed, 20 Mar 2019 at 09:51, Antoine Jacoutot <[hidden email]> wrote:
>
> What about doing this?
>
> -[ "${daemon_rtable}" -eq 0 ] ||
> +[ "${daemon_rtable}" -eq "$(id -R)" ] ||
>         rcexec="route -T ${daemon_rtable} exec ${rcexec}"

That would be great, thanks Antoine :)