Re: Bug#638322: nfs-common: rpc.statd binds to udp port 631 preventing cups startup
On Sat, 20 Aug 2011, Adam Borowski <firstname.lastname@example.org> wrote:
> > It seems to me that the only problem is if you run multiple instances of
> > a daemon on different ports and don't use /etc/bindresvport.blacklist,
> > SE Linux, or some other method of telling bindresvport() to leave your
> > port alone. That wouldn't be an issue of sysadmin freedom but sysadmin
> > ignorance (and I am one of the people who was ignorant of
> > bindresvport.blacklist).
> You can't blame "sysadmin ignorance". I've just grepped through every
> single man page in Debian (ok, amd64 main), and there is not a single
Ignorance means not knowing. Sure there are probably some bug reports about
man pages due, but it's still something you or I could have found out.
apt-get source libc6
> No other daemon I know has this problem. If I install daemon foo, I can
> expect it to not touch any ports it hasn't been configured to use. It's
> just portmap/SunRPC that uses random scatter-shot that can trample on
> something else.
Yes, SunRPC and anything that opens a port for callback.
> So what about this: let's reserve a number of ports for portmap's exclusive
> usage. There's like 900 unused assignments, so there's plenty of space
> than could be parcelled off. SunRPC has long since degenerated from
> something with a general purpose to a peculiarity of NFS, so not many ports
> are needed. Only under a pathological configuration one could exceed any
> reasonable static limit, and in that case bindresvport() would revert to
> the blacklist+scattershot.
The problem with this theory is the fact that the problem that was reported
with CUPS only occurred after bindresvport() had used every port from 1023
down to 631. A casual scan of /etc/services reveals that there are no long
contiguous ranges available without reserved ports. If you start at the top
the common ports pop3s and imaps could be reached quite quickly.
So it seems that some sort of blacklist is the only way to go.
The idea of a .d directory for blacklist files such that every package
installation that is likely to use some ports will automatically have a
reservation is a good one. Of course there's still the corner case of trying
to install CUPS (or some other daemon) after a long-running RPC service has
grabbed the port.
Maybe we should default to having ports such as 631, 993, 995, 873, 587, 636,
546, and 547 reserved at all times. From a quick scan of /etc/services they
seem to be the most likely ports to be used in the 500-1024 range.
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/