Regression: openssh service fails to start if system has no IPv6

DoneSubmitted by André Batista.
Details
2 participants
  • Ludovic Courtès
  • André Batista
Owner
unassigned
Severity
normal
A
A
André Batista wrote on 30 Jun 21:20 +0200
(address . bug-guix@gnu.org)
Yr32oUimYFuhrFrB@andel
Hi Guix!

Since commit d2b3400f79ffaed3357650307376ab69a7ec3b1b, ssh-daemon
fails to start when the system is using shepherd 0.9.1, but has no
support to IPv6. This is a result of shepherd trying to listen on a
IPv6 address without prior checking.


PS: Yeah, I know, it's 2022 and in a few months it will be 2023 and
everyone's toilet should have its own IPv6 address by now and report
its users health conditions to a plethora of pharmaceutical
advertisers. Nonetheless, in this backward corner of the Earth there
is still one guix machine without IPv6, believe it or not! :D
A
A
André Batista wrote on 30 Jun 21:31 +0200
(address . 56327@debbugs.gnu.org)
Yr36HQJ/ROA2Z7wh@andel
I've tested the following patch, which tests for IPv6 support, on
both a system without IPv6 and another with it, but I have not tested
on a system with shepherd < 0.9.1. Hopefuly it works as expected.

Cheers!
From 30feda7b5ce8803b10e4bca8e86e1caaadc71596 Mon Sep 17 00:00:00 2001
In-Reply-To: <Yr32oUimYFuhrFrB@andel>
References: <Yr32oUimYFuhrFrB@andel>
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
Date: Thu, 30 Jun 2022 15:36:03 -0300
Subject: [PATCH] services: openssh: Check if IPv6 is supported and start
service accordingly.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To: 56327@debbugs.gnu.org

Reported by Andr� Batista <nandre@riseup.net>.

* gnu/services/ssh.scm (openssh-shepherd-service)[ipv6-support?]: New variable.
<start>: Use it. When using 'make-inetd-constructor', only pass a ipv6
endpoint if the system supports it.
---
gnu/services/ssh.scm | 38 ++++++++++++++++++++++++++------------
1 file changed, 26 insertions(+), 12 deletions(-)

Toggle diff (63 lines)
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 57d3ad218c..050c3aa7c3 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -8,6 +8,7 @@
 ;;; Copyright � 2020 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright � 2020 Brice Waegeneire <brice@waegenei.re>
 ;;; Copyright � 2021 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright � 2022 Andr� Batista <nandre@riseup.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -536,23 +537,36 @@ (define inetd-style?
     #~(and (defined? 'make-inetd-constructor)
            (not (string=? (@ (shepherd config) Version) "0.9.0"))))
 
+  (define ipv6-support?
+    ;; Helper function to start/stop ssh service on systems with no IPv6.
+    ;; See https://issues.guix.gnu.org/56327.
+    #~(false-if-exception (socket AF_INET6 SOCK_STREAM 0)))
+
   (list (shepherd-service
          (documentation "OpenSSH server.")
          (requirement '(syslogd loopback))
          (provision '(ssh-daemon ssh sshd))
 
-         (start #~(if #$inetd-style?
-                      (make-inetd-constructor
-                       (append #$openssh-command '("-i"))
-                       (list (endpoint
-                              (make-socket-address AF_INET INADDR_ANY
-                                                   #$port-number))
-                             (endpoint
-                              (make-socket-address AF_INET6 IN6ADDR_ANY
-                                                   #$port-number)))
-                       #:max-connections #$max-connections)
-                      (make-forkexec-constructor #$openssh-command
-                                                 #:pid-file #$pid-file)))
+         (start #~(cond ((and #$inetd-style? #$ipv6-support?)
+                         (make-inetd-constructor
+                          (append #$openssh-command '("-i"))
+                          (list (endpoint
+                                 (make-socket-address AF_INET INADDR_ANY
+                                                      #$port-number))
+                                (endpoint
+                                 (make-socket-address AF_INET6 IN6ADDR_ANY
+                                                      #$port-number)))
+                          #:max-connections #$max-connections))
+                        ((and #$inetd-style? (not #$ipv6-support?))
+                         (make-inetd-constructor
+                          (append #$openssh-command '("-i"))
+                          (list (endpoint
+                                 (make-socket-address AF_INET INADDR_ANY
+                                                      #$port-number)))
+                          #:max-connections #$max-connections))
+                        (else
+                         (make-forkexec-constructor #$openssh-command
+                                                    #:pid-file #$pid-file))))
          (stop #~(if #$inetd-style?
                      (make-inetd-destructor)
                      (make-kill-destructor)))
-- 
2.36.0
L
L
Ludovic Courtès wrote on 1 Jul 23:56 +0200
(name . André Batista)(address . nandre@riseup.net)(address . 56327-done@debbugs.gnu.org)
87zghs1oqm.fsf@gnu.org
Hi!

André Batista <nandre@riseup.net> skribis:

Toggle quote (4 lines)
> I've tested the following patch, which tests for IPv6 support, on
> both a system without IPv6 and another with it, but I have not tested
> on a system with shepherd < 0.9.1. Hopefuly it works as expected.

Older versions of shepherd are not relevant in this case.

I’ve fixed it slightly differently in commit
bf7e07d299b197891110fbd8c717badbab06a472, to avoid a file descriptor
leak. Thanks!

Out of curiosity: I suppose you’re explicitly disabling IPv6 by using a
custom kernel or with an activation snippet that fiddles with /proc or
/sys, right?

Ludo’.
Closed
A
A
André Batista wrote on 2 Jul 02:27 +0200
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 56327-done@debbugs.gnu.org)
Yr+Q9DdQClNqN0D0@andel
sex 01 jul 2022 às 23:56:17 (1656730577), ludo@gnu.org enviou:
Toggle quote (4 lines)
> I’ve fixed it slightly differently in commit
> bf7e07d299b197891110fbd8c717badbab06a472, to avoid a file descriptor
> leak. Thanks!

Tremendous difference, I'd say, both for closing the socket and for
'consing' the single test condition instead of the cumbersome
repeated testing I had written. Thanks for lessoning me and for the
quick fix!

Toggle quote (4 lines)
> Out of curiosity: I suppose you’re explicitly disabling IPv6 by using a
> custom kernel or with an activation snippet that fiddles with /proc or
> /sys, right?

I am building a custom minimal kernel with 'CONFIG_IPV6=n'.

Toutes mes amitiés!
Closed
?
Your comment

This issue is archived.

To comment on this conversation send email to 56327@debbugs.gnu.org