Old 07-06-2008, 10:09 PM
Steve Langasek
 
correct definition of localhost?

Hi folks,

I've run across an ipv4/ipv6 configuration issue which I think needs to have
light cast on it so we can try to resolve this in time for lenny (whatever
the right resolution actually is), in order to avoid a pile-up of
/etc/hosts-related kludges as has been known to happen before...

In response to bug #427067, the netbase maintainer made a change that adds
localhost as an alias for ::1 on new installs. In April of this year, the
Debian Installer team followed suit, adding this line in the netcfg udeb.

The result of these changes is that since July 2007, any new lenny or sid
chroots have had two addresses listed for localhost, and since April of this
year, any new installs of lenny done using d-i have had it as well.

Now, the problem I ran into is that when I enabled the test suite in the
openldap2.3 package, the build failed mysteriously on a seemingly random set
of architectures. The reason? The test suite configures slapd to run on a
particular port on localhost, and the glibc "files" NSS backend
special-cases the ::1 IPv6 loopback address, so that when you request an
IPv4 address, it will map any ::1 entries to 127.0.0.1 for you. But of
course we already have an entry for localhost as 127.0.0.1, so now we end up
with duplicate addresses returned, and slapd tries to bind twice to the same
address and port!

A test program showing this behavior is attached - compile and run it on a
system with '::1 localhost' set in /etc/hosts, and you'll see 127.0.0.1
returned twice. An alternate test case, which also works on systems with
older /etc/hosts and which I think shows the counterintuitiveness of the
nss_files special-casing, is to run "getent ahostsv4 ip6-localhost".

I don't think it's the responsibility of callers such as slapd to check that
getaddrinfo() hasn't returned duplicate entries, so I see a couple of
solutions here:

- the ::1 address should *not* be special-cased by nss_files. I really
can't perceive any reason why it should be special-cased in the first
place; i.e., why should the files backend behave differently than the DNS
backend, and why would we want names that were specifically assigned to
::1, including names like "ip6-loopback", to be automatically mapped to
127.0.0.1?

- we should only set up a single 'localhost' entry in /etc/hosts, pointing
at ::1, and let nss_files handle the mapping to 127.0.0.1 automatically.

Are there other solutions that should be considered? Is one of these more
acceptable than the other? To me it seems obvious that the best choice is
to not treat the files backend specially in the first place, but I don't
know the rationale behind this special-casing either.

Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
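
The duplicate result described in the post above can be checked with a short program. This is an added example, not the attachment from the original mail and not code from glibc or OpenLDAP; `count_duplicates` and `constructed_sample_duplicates` are hypothetical names, and the sample list is constructed to match the thread's description (127.0.0.1 twice, ::1 once).

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Two entries name the same listener target if family and address match. */
static int same_addr(const struct addrinfo *a, const struct addrinfo *b)
{
    if (a->ai_family != b->ai_family) return 0;
    if (a->ai_family == AF_INET)
        return ((struct sockaddr_in *)a->ai_addr)->sin_addr.s_addr ==
               ((struct sockaddr_in *)b->ai_addr)->sin_addr.s_addr;
    if (a->ai_family == AF_INET6)
        return !memcmp(&((struct sockaddr_in6 *)a->ai_addr)->sin6_addr,
                       &((struct sockaddr_in6 *)b->ai_addr)->sin6_addr,
                       sizeof(struct in6_addr));
    return 0;
}

/* Count entries that repeat an earlier entry in a getaddrinfo() result list. */
int count_duplicates(const struct addrinfo *res)
{
    int dups = 0;
    for (const struct addrinfo *p = res; p; p = p->ai_next)
        for (const struct addrinfo *q = res; q != p; q = q->ai_next)
            if (same_addr(p, q)) { dups++; break; }
    return dups;
}

/* Constructed sample: 127.0.0.1 twice and ::1 once, as reported in the thread. */
int constructed_sample_duplicates(void)
{
    struct sockaddr_in v4 = { .sin_family = AF_INET,
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    struct sockaddr_in6 v6 = { .sin6_family = AF_INET6, .sin6_addr = in6addr_loopback };
    struct addrinfo n[3];
    n[0] = n[1] = (struct addrinfo){ .ai_family = AF_INET, .ai_addr = (struct sockaddr *)&v4 };
    n[2] = (struct addrinfo){ .ai_family = AF_INET6, .ai_addr = (struct sockaddr *)&v6 };
    n[0].ai_next = &n[1]; n[1].ai_next = &n[2];
    return count_duplicates(n);
}

int main(void)
{
    /* AF_UNSPEC: the protocol-agnostic lookup discussed in the thread. */
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM }, *res;
    if (getaddrinfo("localhost", NULL, &hints, &res) != 0)
        return 1;
    printf("duplicate entries for localhost: %d\n", count_duplicates(res));
    freeaddrinfo(res);
    return 0;
}
```

A non-zero count from `main` on a given host means a service that binds once per returned entry would attempt the same address and port more than once.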
 
Old 07-06-2008, 11:39 PM
Kurt Roeckx
 
correct definition of localhost?

On Sun, Jul 06, 2008 at 03:09:09PM -0700, Steve Langasek wrote:
> Hi folks,
>
> I've run across an ipv4/ipv6 configuration issue which I think needs to have
> light cast on it so we can try to resolve this in time for lenny (whatever
> the right resolution actually is), in order to avoid a pile-up of
> /etc/hosts-related kludges as has been known to happen before...
>
> In response to bug #427067, the netbase maintainer made a change that adds
> localhost as an alias for ::1 on new installs. In April of this year, the
> Debian Installer team followed suit, adding this line in the netcfg udeb.
>
> The result of these changes is that since July 2007, any new lenny or sid
> chroots have had two addresses listed for localhost, and since April of this
> year, any new installs of lenny done using d-i have had it as well.
>
> Now, the problem I ran into is that when I enabled the test suite in the
> openldap2.3 package, the build failed mysteriously on a seemingly random set
> of architectures. The reason? The test suite configures slapd to run on a
> particular port on localhost, and the glibc "files" NSS backend
> special-cases the ::1 IPv6 loopback address, so that when you request an
> IPv4 address, it will map any ::1 entries to 127.0.0.1 for you. But of
> course we already have an entry for localhost as 127.0.0.1, so now we end up
> with duplicate addresses returned, and slapd tries to bind twice to the same
> address and port!

You don't seem to request ipv4 addresses, you request AF_UNSPEC, which
should get you both ipv4 and ipv6. You get 127.0.0.1 twice, and ::1 one
time.

> A test program showing this behavior is attached - compile and run it on a
> system with '::1 localhost' set in /etc/hosts, and you'll see 127.0.0.1
> returned twice. An alternate test case, which also works on systems with
> older /etc/hosts and which I think shows the counterintuitiveness of the
> nss_files special-casing, is to run "getent ahostsv4 ip6-localhost".
>
> I don't think it's the responsibility of callers such as slapd to check that
> getaddrinfo() hasn't returned duplicate entries, so I see a couple of
> solutions here:
>
> - the ::1 address should *not* be special-cased by nss_files. I really
> can't perceive any reason why it should be special-cased in the first
> place; i.e., why should the files backend behave differently than the DNS
> backend, and why would we want names that were specifically assigned to
> ::1, including names like "ip6-loopback", to be automatically mapped to
> 127.0.0.1?

I can't find any good reason why it should be changing ::1 to 127.0.0.1.
So I think that at least glibc should stop doing that. In any case, it
shouldn't return 127.0.0.1 twice when it's not configured to return
it twice.

> - we should only set up a single 'localhost' entry in /etc/hosts, pointing
> at ::1, and let nss_files handle the mapping to 127.0.0.1 automatically.

- You could also argue that openldap should get fixed to deal with cases
where it tries to bind to the same ip/port twice. On the other hand,
I don't think it's a normal case, and I think it's unlikely that people
would set up dns to have 2 times the same IP address and then try
to bind to that hostname.


Kurt


 
Old 07-07-2008, 12:14 AM
Steve Langasek
 
correct definition of localhost?

On Mon, Jul 07, 2008 at 01:39:37AM +0200, Kurt Roeckx wrote:

> You don't seem to request ipv4 addresses, you request AF_UNSPEC, which
> should get you both ipv4 and ipv6. You get 127.0.0.1 twice, and ::1 one
> time.

You'll find that the duplication of 127.0.0.1 is still there if you specify
AF_INET instead, because the problematic duplication happens when requesting
records for the ipv4 address family. I left it as AF_UNSPEC in the test
case to show that the problem exists when using protocol-agnostic best
practices, which is what slapd does.

>> - the ::1 address should *not* be special-cased by nss_files. I really
>> can't perceive any reason why it should be special-cased in the first
>> place; i.e., why should the files backend behave differently than the DNS
>> backend, and why would we want names that were specifically assigned to
>> ::1, including names like "ip6-loopback", to be automatically mapped to
>> 127.0.0.1?

> I can't find any good reason why it should be changing ::1 to 127.0.0.1.
> So I think that at least glibc should stop doing that. In any case, it
> shouldn't return 127.0.0.1 twice when it's not configured to return
> it twice.

What do you mean by "configured to return it twice"? Would that mean
duplicate lines in /etc/hosts (i.e., misconfiguration)?

>> - we should only set up a single 'localhost' entry in /etc/hosts, pointing
>> at ::1, and let nss_files handle the mapping to 127.0.0.1 automatically.

> - You could also argue that openldap should get fixed to deal with cases
> where it tries to bind to the same ip/port twice. On the other hand,
> I don't think it's a normal case, and I think it's unlikely that people
> would set up dns to have 2 times the same IP address and then try
> to bind to that hostname.

Well, as I said before,

>> I don't think it's the responsibility of callers such as slapd to check that
>> getaddrinfo() hasn't returned duplicate entries [...]

so if you have an argument of why extra complexity should be added to the
caller to deal with duplicate records which, one way or another, should not
exist (IMHO), I'm interested to hear it.

As for DNS, at least in the case of bind I find that duplicate records are
weeded out by the server. If you can suggest a DNS server that would not
condense the duplicate records, I'd be happy to test to see what the
behavior of nss_dns is.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org


 
Old 07-07-2008, 03:14 AM
William Pitcock
 
correct definition of localhost?

On Sun, 2008-07-06 at 17:14 -0700, Steve Langasek wrote:
> As for DNS, at least in the case of bind I find that duplicate records are
> weeded out by the server. If you can suggest a DNS server that would not
> condense the duplicate records, I'd be happy to test to see what the
> behavior of nss_dns is.

PowerDNS doesn't condense anything. It returns whatever is in the MySQL
database...

William
 
