Conflicting assignment of priviledged ports on boot
On boot some daemons (like nis/ypbind) obtain priviledged ports
via portmap/bindresvport(). Portmap assigns ports that are not in use
at the time of request, usually above 600. This strategy sometimes
conflicts with daemons that rely on fixed ports and that
start after ypbind (like cups, slapd): they find that their port
is already in use.
This problem is well known since at least two years, not just with Debian
but also with other Linux versions like Redhat [1,2].
Starting ypbind later during boot is no solution in general since some
services rely on ypbind AND fixed priviledged ports.
Possible solutions are:
- Modify portmap/bindresvport such that certain blacklisted
ports are skipped even if they are not yet in use when a
new priviledged port ist requested.
- Make use of a program like portreserve/portrelease [3].
When the portreserve daemon is started, it examines the /etc/portreserve/
directory. Each file not containing "." or "~" in its name is considered
to be a service configuration file, and must contain a service name
(as listed in /etc/services) or a port number. For example,
/etc/portreserve/cups might contain the string "ipp".
For each service configuration file, a socket is created and bound
to the appropriate port. A service wishing to bind to its port must
first run portrelease, which instructs portreserve to release the port
associated with the service.
The second solution requires only a few changes to Debian:
- every daemon relying on a fixed port that might be affected by portmap
has to drop a file in /etc/portreserve upon package installation.
Furthermore, its init script has to call portrelease before the
daemon is started.
- portreserve/portrelease has to be included with Debian.
I propose to modify Debian in this way.
Gernot
[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103401
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=306465
[3] http://cyberelk.net/tim/portreserve/
Reply to: