Hi list,
my problem is, rpcbind gave a tcp port to nlockmgr where I assumed
this port is reserved.
Now, I didn't find the spec that says which ports rpcbind is allowed
to use, but I thought it is the ephemeral ports, on linux defined with
the range in kernel configuration net.ipv4.ip_local_reserved_ports
minus exclusions from net.ipv4.ip_local_reserved_ports.
So, my questions are
1) Is my assumption about allowed ports correct?
2) If not: how can I define that range?
3) If yes: was there a fix for that since my rather old SLES 12
version rpcbind-0.2.1_rc4 (kernel 3.12.55)? I didn't find something
obvious to me in the changelog.
Bonus question: would it have been safe/possible to free up the port,
e.g. with rpcbind -d? I only found out about that option after a
reboot...
BR,
Joachim
(please keep me in cc)
On Fri, Dec 02 2016, Joachim Banzhaf wrote:
> Hi list,
>
> my problem is, rpcbind gave a tcp port to nlockmgr where I assumed
> this port is reserved.
That isn't how it works. rpcbind doesn't give ports to anyone.
lockd chooses a port, and asks rpcbind to register it against the
nlockmgr service.
If lockd is choosing a port that you don't want it to, you need to
get lockd to change its behavior.
One way is to explicitly tell lockd what port to use. The "--nlm-port"
option to rpc.statd can do this.
By default, a number will be chosen from the range given in
/proc/sys/net/ipv4/ip_local_port_range
You can change that range, and that will affect all sockets which don't
ask for an explicit port.
NeilBrown
>
> Now, I didn't find the spec that says which ports rpcbind is allowed
> to use, but I thought it is the ephemeral ports, on linux defined with
> the range in kernel configuration net.ipv4.ip_local_reserved_ports
> minus exclusions from net.ipv4.ip_local_reserved_ports.
>
> So, my questions are
> 1) Is my assumption about allowed ports correct?
> 2) If not: how can I define that range?
> 3) If yes: was there a fix for that since my rather old SLES 12
> version rpcbind-0.2.1_rc4 (kernel 3.12.55)? I didn't find something
> obvious to me in the changelog.
>
> Bonus question: would it have been safe/possible to free up the port,
> e.g. with rpcbind -d? I only found out about that option after a
> reboot...
>
> BR,
> Joachim
>
> (please keep me in cc)
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> On Dec 1, 2016, at 19:14, NeilBrown <[email protected]> wrote:
>=20
> On Fri, Dec 02 2016, Joachim Banzhaf wrote:
>=20
>> Hi list,
>>=20
>> my problem is, rpcbind gave a tcp port to nlockmgr where I assumed
>> this port is reserved.
>=20
> That isn't how it works. rpcbind doesn't give ports to anyone.
>=20
> lockd chooses a port, and asks rpcbind to register it against the
> nlockmgr service.
> If lockd is choosing a port that you don't want it to, you need to
> get lockd to change its behavior.
>=20
> One way is to explicitly tell lockd what port to use. The "--nlm-port"
> option to rpc.statd can do this.
>=20
> By default, a number will be chosen from the range given in
> /proc/sys/net/ipv4/ip_local_port_range=20
>=20
> You can change that range, and that will affect all sockets which don't
> ask for an explicit port.
Alternatively, you can just pin the port using the kernel parameters interf=
aces:
http://lxr.free-electrons.com/source/Documentation/kernel-parameters.txt#L2=
036
>=20
> NeilBrown
>=20
>=20
>>=20
>> Now, I didn't find the spec that says which ports rpcbind is allowed
>> to use, but I thought it is the ephemeral ports, on linux defined with
>> the range in kernel configuration net.ipv4.ip_local_reserved_ports
>> minus exclusions from net.ipv4.ip_local_reserved_ports.
>>=20
>> So, my questions are
>> 1) Is my assumption about allowed ports correct?
>> 2) If not: how can I define that range?
>> 3) If yes: was there a fix for that since my rather old SLES 12
>> version rpcbind-0.2.1_rc4 (kernel 3.12.55)? I didn't find something
>> obvious to me in the changelog.
>>=20
>> Bonus question: would it have been safe/possible to free up the port,
>> e.g. with rpcbind -d? I only found out about that option after a
>> reboot...
>>=20
>> BR,
>> Joachim
>>=20
>> (please keep me in cc)
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to [email protected]
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Neil and Trond, thanks for the infos. Already helped a lot.
My primary goal is not to pin lockd to a specific port.
I want to prevent any ip service that does not ask for a specific port
to use ports I know are needed later for something else.
I thought, the mechanism is (sorry, had a cut&paste error here) by
defining range /proc/sys/net/ipv4/ip_local_port_range minus ports or
ranges in /proc/sys/net/ipv4/ip_local_reserved_ports (as described
here: http://lxr.free-electrons.com/source/Documentation/networking/ip-sysctl.txt#L809).
I wasn't sure, this mechanism is used here, but Neil, you already
confirmed at least part 1, and that is what happened. Just the
exclusion via /proc/sys/net/ipv4/ip_local_reserved_ports has not
worked.
To be specific, the ip_local_port_range is "40000 65299", and
ip_local_reserved_ports includes, among many others, 50000-50628 and
the port to protect but still picked for lockd was 50213.
Unfortunately, choosing another ip_local_port_range outside 50213 is
not possible, because there is no single range left that is big enough
(and there are other ports to protect like this one).
So, either ip_local_reserved_ports is not used (although I think it
should) or it is used but too long (at least sysctl used in SLES 12
has a bug: it cannot display the whole list) or the list is not
defined at the time lockd gets its port (I did not find where this is
defined, it is not in /etc/sysctl.conf, like ip_local_port_range).
BR,
Joachim
mystery solved:
The ip_local_port_range used by rpc services (and others) is set via
/etc/sysctl.conf during boot, and the application that needs ports
from that range sets ip_local_reserved_ports, but later in the boot
process. Too late. I need to solve this there.
Thanks for the support, you put me on the right track.
BR,
Joachim
2016-12-02 9:32 GMT+01:00 Joachim Banzhaf <[email protected]>:
> Hi Neil and Trond, thanks for the infos. Already helped a lot.
>
> My primary goal is not to pin lockd to a specific port.
> I want to prevent any ip service that does not ask for a specific port
> to use ports I know are needed later for something else.
>
> I thought, the mechanism is (sorry, had a cut&paste error here) by
> defining range /proc/sys/net/ipv4/ip_local_port_range minus ports or
> ranges in /proc/sys/net/ipv4/ip_local_reserved_ports (as described
> here: http://lxr.free-electrons.com/source/Documentation/networking/ip-sysctl.txt#L809).
>
> I wasn't sure, this mechanism is used here, but Neil, you already
> confirmed at least part 1, and that is what happened. Just the
> exclusion via /proc/sys/net/ipv4/ip_local_reserved_ports has not
> worked.
> To be specific, the ip_local_port_range is "40000 65299", and
> ip_local_reserved_ports includes, among many others, 50000-50628 and
> the port to protect but still picked for lockd was 50213.
>
> Unfortunately, choosing another ip_local_port_range outside 50213 is
> not possible, because there is no single range left that is big enough
> (and there are other ports to protect like this one).
>
> So, either ip_local_reserved_ports is not used (although I think it
> should) or it is used but too long (at least sysctl used in SLES 12
> has a bug: it cannot display the whole list) or the list is not
> defined at the time lockd gets its port (I did not find where this is
> defined, it is not in /etc/sysctl.conf, like ip_local_port_range).
>
> BR,
> Joachim