Regression: openssh service fails to start if system has no IPv6

  • Done
  • quality assurance status badge
Details
2 participants
  • Ludovic Courtès
  • André Batista
Owner
unassigned
Submitted by
André Batista
Severity
normal
A
A
André Batista wrote on 30 Jun 2022 21:20
(address . bug-guix@gnu.org)
Yr32oUimYFuhrFrB@andel
Hi Guix!

Since commit d2b3400f79ffaed3357650307376ab69a7ec3b1b, ssh-daemon
fails to start when the system is using shepherd 0.9.1, but has no
support to IPv6. This is a result of shepherd trying to listen on a
IPv6 address without prior checking.


PS: Yeah, I know, it's 2022 and in a few months it will be 2023 and
everyone's toilet should have its own IPv6 address by now and report
its users health conditions to a plethora of pharmaceutical
advertisers. Nonetheless, in this backward corner of the Earth there
is still one guix machine without IPv6, believe it or not! :D
A
A
André Batista wrote on 30 Jun 2022 21:31
(address . 56327@debbugs.gnu.org)
Yr36HQJ/ROA2Z7wh@andel
I've tested the following patch, which tests for IPv6 support, on
both a system without IPv6 and another with it, but I have not tested
on a system with shepherd < 0.9.1. Hopefuly it works as expected.

Cheers!
From 30feda7b5ce8803b10e4bca8e86e1caaadc71596 Mon Sep 17 00:00:00 2001
In-Reply-To: <Yr32oUimYFuhrFrB@andel>
References: <Yr32oUimYFuhrFrB@andel>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
Date: Thu, 30 Jun 2022 15:36:03 -0300
Subject: [PATCH] services: openssh: Check if IPv6 is supported and start
service accordingly.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To: 56327@debbugs.gnu.org

Reported by Andr� Batista <nandre@riseup.net>.

* gnu/services/ssh.scm (openssh-shepherd-service)[ipv6-support?]: New variable.
<start>: Use it. When using 'make-inetd-constructor', only pass a ipv6
endpoint if the system supports it.
---
gnu/services/ssh.scm | 38 ++++++++++++++++++++++++++------------
1 file changed, 26 insertions(+), 12 deletions(-)

Toggle diff (63 lines)
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 57d3ad218c..050c3aa7c3 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -8,6 +8,7 @@
;;; Copyright � 2020 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright � 2020 Brice Waegeneire <brice@waegenei.re>
;;; Copyright � 2021 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright � 2022 Andr� Batista <nandre@riseup.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -536,23 +537,36 @@ (define inetd-style?
#~(and (defined? 'make-inetd-constructor)
(not (string=? (@ (shepherd config) Version) "0.9.0"))))
+ (define ipv6-support?
+ ;; Helper function to start/stop ssh service on systems with no IPv6.
+ ;; See https://issues.guix.gnu.org/56327.
+ #~(false-if-exception (socket AF_INET6 SOCK_STREAM 0)))
+
(list (shepherd-service
(documentation "OpenSSH server.")
(requirement '(syslogd loopback))
(provision '(ssh-daemon ssh sshd))
- (start #~(if #$inetd-style?
- (make-inetd-constructor
- (append #$openssh-command '("-i"))
- (list (endpoint
- (make-socket-address AF_INET INADDR_ANY
- #$port-number))
- (endpoint
- (make-socket-address AF_INET6 IN6ADDR_ANY
- #$port-number)))
- #:max-connections #$max-connections)
- (make-forkexec-constructor #$openssh-command
- #:pid-file #$pid-file)))
+ (start #~(cond ((and #$inetd-style? #$ipv6-support?)
+ (make-inetd-constructor
+ (append #$openssh-command '("-i"))
+ (list (endpoint
+ (make-socket-address AF_INET INADDR_ANY
+ #$port-number))
+ (endpoint
+ (make-socket-address AF_INET6 IN6ADDR_ANY
+ #$port-number)))
+ #:max-connections #$max-connections))
+ ((and #$inetd-style? (not #$ipv6-support?))
+ (make-inetd-constructor
+ (append #$openssh-command '("-i"))
+ (list (endpoint
+ (make-socket-address AF_INET INADDR_ANY
+ #$port-number)))
+ #:max-connections #$max-connections))
+ (else
+ (make-forkexec-constructor #$openssh-command
+ #:pid-file #$pid-file))))
(stop #~(if #$inetd-style?
(make-inetd-destructor)
(make-kill-destructor)))
--
2.36.0
L
L
Ludovic Courtès wrote on 1 Jul 2022 23:56
(name . André Batista)(address . nandre@riseup.net)(address . 56327-done@debbugs.gnu.org)
87zghs1oqm.fsf@gnu.org
Hi!

André Batista <nandre@riseup.net> skribis:

Toggle quote (4 lines)
> I've tested the following patch, which tests for IPv6 support, on
> both a system without IPv6 and another with it, but I have not tested
> on a system with shepherd < 0.9.1. Hopefuly it works as expected.

Older versions of shepherd are not relevant in this case.

I’ve fixed it slightly differently in commit
bf7e07d299b197891110fbd8c717badbab06a472, to avoid a file descriptor
leak. Thanks!

Out of curiosity: I suppose you’re explicitly disabling IPv6 by using a
custom kernel or with an activation snippet that fiddles with /proc or
/sys, right?

Ludo’.
Closed
A
A
André Batista wrote on 2 Jul 2022 02:27
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 56327-done@debbugs.gnu.org)
Yr+Q9DdQClNqN0D0@andel
sex 01 jul 2022 às 23:56:17 (1656730577), ludo@gnu.org enviou:
Toggle quote (4 lines)
> I’ve fixed it slightly differently in commit
> bf7e07d299b197891110fbd8c717badbab06a472, to avoid a file descriptor
> leak. Thanks!

Tremendous difference, I'd say, both for closing the socket and for
'consing' the single test condition instead of the cumbersome
repeated testing I had written. Thanks for lessoning me and for the
quick fix!

Toggle quote (4 lines)
> Out of curiosity: I suppose you’re explicitly disabling IPv6 by using a
> custom kernel or with an activation snippet that fiddles with /proc or
> /sys, right?

I am building a custom minimal kernel with 'CONFIG_IPV6=n'.

Toutes mes amitiés!
Closed
?