Regression: openssh service fails to start if system has no IPv6

  • Done
Details
2 participants
  • Ludovic Courtès
  • André Batista
Owner
unassigned
Submitted by
André Batista
Severity
normal
André Batista wrote on 30 Jun 2022 21:20
(address . bug-guix@gnu.org)
Yr32oUimYFuhrFrB@andel
Hi Guix!

Since commit d2b3400f79ffaed3357650307376ab69a7ec3b1b, ssh-daemon
fails to start when the system is using shepherd 0.9.1, but has no
support for IPv6. This is a result of shepherd trying to listen on an
IPv6 address without prior checking.


PS: Yeah, I know, it's 2022 and in a few months it will be 2023 and
everyone's toilet should have its own IPv6 address by now and report
its users' health conditions to a plethora of pharmaceutical
advertisers. Nonetheless, in this backward corner of the Earth there
is still one guix machine without IPv6, believe it or not! :D
André Batista wrote on 30 Jun 2022 21:31
(address . 56327@debbugs.gnu.org)
Yr36HQJ/ROA2Z7wh@andel
I've tested the following patch, which tests for IPv6 support, on
both a system without IPv6 and another with it, but I have not tested
on a system with shepherd < 0.9.1. Hopefully it works as expected.

Cheers!
From 30feda7b5ce8803b10e4bca8e86e1caaadc71596 Mon Sep 17 00:00:00 2001
In-Reply-To: <Yr32oUimYFuhrFrB@andel>
References: <Yr32oUimYFuhrFrB@andel>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
Date: Thu, 30 Jun 2022 15:36:03 -0300
Subject: [PATCH] services: openssh: Check if IPv6 is supported and start
service accordingly.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To: 56327@debbugs.gnu.org

Reported by André Batista <nandre@riseup.net>.

* gnu/services/ssh.scm (openssh-shepherd-service)[ipv6-support?]: New variable.
<start>: Use it. When using 'make-inetd-constructor', only pass an IPv6
endpoint if the system supports it.
---
gnu/services/ssh.scm | 38 ++++++++++++++++++++++++++------------
1 file changed, 26 insertions(+), 12 deletions(-)

diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 57d3ad218c..050c3aa7c3 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -8,6 +8,7 @@
;;; Copyright � 2020 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright � 2020 Brice Waegeneire <brice@waegenei.re>
;;; Copyright � 2021 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright � 2022 Andr� Batista <nandre@riseup.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -536,23 +537,36 @@ (define inetd-style?
#~(and (defined? 'make-inetd-constructor)
(not (string=? (@ (shepherd config) Version) "0.9.0"))))
+ (define ipv6-support?
+ ;; Helper function to start/stop ssh service on systems with no IPv6.
+ ;; See https://issues.guix.gnu.org/56327.
+ #~(false-if-exception (socket AF_INET6 SOCK_STREAM 0)))
+
(list (shepherd-service
(documentation "OpenSSH server.")
(requirement '(syslogd loopback))
(provision '(ssh-daemon ssh sshd))
- (start #~(if #$inetd-style?
- (make-inetd-constructor
- (append #$openssh-command '("-i"))
- (list (endpoint
- (make-socket-address AF_INET INADDR_ANY
- #$port-number))
- (endpoint
- (make-socket-address AF_INET6 IN6ADDR_ANY
- #$port-number)))
- #:max-connections #$max-connections)
- (make-forkexec-constructor #$openssh-command
- #:pid-file #$pid-file)))
+ (start #~(cond ((and #$inetd-style? #$ipv6-support?)
+ (make-inetd-constructor
+ (append #$openssh-command '("-i"))
+ (list (endpoint
+ (make-socket-address AF_INET INADDR_ANY
+ #$port-number))
+ (endpoint
+ (make-socket-address AF_INET6 IN6ADDR_ANY
+ #$port-number)))
+ #:max-connections #$max-connections))
+ ((and #$inetd-style? (not #$ipv6-support?))
+ (make-inetd-constructor
+ (append #$openssh-command '("-i"))
+ (list (endpoint
+ (make-socket-address AF_INET INADDR_ANY
+ #$port-number)))
+ #:max-connections #$max-connections))
+ (else
+ (make-forkexec-constructor #$openssh-command
+ #:pid-file #$pid-file))))
(stop #~(if #$inetd-style?
(make-inetd-destructor)
(make-kill-destructor)))
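Review bot: the `ipv6-support?` probe, `(false-if-exception (socket AF_INET6 SOCK_STREAM 0))`, never closes the socket it creates, so on a system with IPv6 each evaluation leaves a descriptor open in the process that runs the `start` gexp. The probe is also spliced into two `cond` clauses, so without IPv6 the failing `socket` call runs twice, and the two `make-inetd-constructor` calls differ only in the second `endpoint`. Suggest closing the probe socket and returning a boolean, evaluating the probe once, and keeping a single `make-inetd-constructor` call whose endpoint list gets the `AF_INET6` entry appended only when the probe succeeds. The comment calls this a "Helper function", but it is a gexp expression rather than a procedure.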
--
2.36.0
Ludovic Courtès wrote on 1 Jul 2022 23:56
(name . André Batista)(address . nandre@riseup.net)(address . 56327-done@debbugs.gnu.org)
87zghs1oqm.fsf@gnu.org
Hi!

André Batista <nandre@riseup.net> writes:

> I've tested the following patch, which tests for IPv6 support, on
> both a system without IPv6 and another with it, but I have not tested
> on a system with shepherd < 0.9.1. Hopefully it works as expected.

Older versions of shepherd are not relevant in this case.

I’ve fixed it slightly differently in commit
bf7e07d299b197891110fbd8c717badbab06a472, to avoid a file descriptor
leak. Thanks!

Out of curiosity: I suppose you’re explicitly disabling IPv6 by using a
custom kernel or with an activation snippet that fiddles with /proc or
/sys, right?

Ludo’.
Closed
André Batista wrote on 2 Jul 2022 02:27
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 56327-done@debbugs.gnu.org)
Yr+Q9DdQClNqN0D0@andel
Fri 01 Jul 2022 at 23:56:17 (1656730577), ludo@gnu.org wrote:
> I’ve fixed it slightly differently in commit
> bf7e07d299b197891110fbd8c717badbab06a472, to avoid a file descriptor
> leak. Thanks!

Tremendous difference, I'd say, both for closing the socket and for
'consing' the single test condition instead of the cumbersome
repeated testing I had written. Thanks for lessoning me and for the
quick fix!

> Out of curiosity: I suppose you’re explicitly disabling IPv6 by using a
> custom kernel or with an activation snippet that fiddles with /proc or
> /sys, right?

I am building a custom minimal kernel with 'CONFIG_IPV6=n'.

All my best wishes!
Closed
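
The approach discussed in this thread (probe for IPv6, close the probe socket, build the address list once), as an added example in plain Guile; it is not the code from commit bf7e07d299b197891110fbd8c717badbab06a472 and not part of any message above. `open-fd-count`, `leaky-ipv6-probe`, `listen-addresses` and `fd-delta` are hypothetical names, and the descriptor count assumes a Linux `/proc`.

```scheme
(use-modules (ice-9 ftw))               ; scandir

(define (open-fd-count)
  ;; Entries in /proc/self/fd (Linux only); only the before/after
  ;; difference is meaningful.
  (length (scandir "/proc/self/fd")))

(define (leaky-ipv6-probe)
  ;; The probe expression from the patch: on success the socket port
  ;; itself is the truth value, and nothing closes it.
  (false-if-exception (socket AF_INET6 SOCK_STREAM 0)))

(define (ipv6-support?)
  ;; Same probe, but the socket is closed before returning a boolean.
  ;; Without IPv6 in the kernel, 'socket' raises 'system-error'.
  (catch 'system-error
    (lambda ()
      (let ((sock (socket AF_INET6 SOCK_STREAM 0)))
        (close-port sock)
        #t))
    (const #f)))

(define (listen-addresses port)
  ;; One list, built once: IPv4 always, IPv6 only when the probe succeeds.
  ;; (inet-pton AF_INET6 "::") is the IPv6 wildcard address.
  (cons (make-socket-address AF_INET INADDR_ANY port)
        (if (ipv6-support?)
            (list (make-socket-address AF_INET6
                                       (inet-pton AF_INET6 "::")
                                       port))
            '())))

(define (fd-delta thunk)
  ;; How many descriptors a call to THUNK leaves open.  The result is
  ;; kept in a variable so a returned port is not collected meanwhile.
  (let* ((before (open-fd-count))
         (result (thunk))
         (after  (open-fd-count)))
    (- after before)))

(format #t "leaky probe:   ~a descriptor(s) left open~%"
        (fd-delta leaky-ipv6-probe))
(format #t "closing probe: ~a descriptor(s) left open~%"
        (fd-delta ipv6-support?))
(format #t "listen addresses for port 22: ~s~%" (listen-addresses 22))
```

In a service definition the resulting list would be mapped over `endpoint` and passed to a single `make-inetd-constructor` call.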

This issue is archived.

To comment on this conversation send an email to 56327@debbugs.gnu.org
