> On May 2, 2017, 12:34 a.m., Benjamin Mahler wrote:
> > 3rdparty/libprocess/src/process.cpp
> > Lines 480-492 (patched)
> > <https://reviews.apache.org/r/58224/diff/2/?file=1693806#file1693806line480>
> >
> > I'm wondering if we can eliminate the need for this via global flag
> > access and peer caching in the Socket implementation, see other comments.

Fixed the global flag, filed MESOS-7452 for the peer address caching.

> On May 2, 2017, 12:34 a.m., Benjamin Mahler wrote:
> > 3rdparty/libprocess/src/process.cpp
> > Line 942 (original), 965 (patched)
> > <https://reviews.apache.org/r/58224/diff/2/?file=1693806#file1693806line979>
> >
> > Per our offline discussion, could we achieve the elimination of
> > `getpeername`-per-read by having the `Socket` perform this optimization for
> > a connected socket? That would also avoid the need to carry the peer around.

I filed [MESOS-7452](https://issues.apache.org/jira/browse/MESOS-7452) to implement the `Socket` peer address caching.

- James

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58224/#review173536
-----------------------------------------------------------

On May 3, 2017, 10:35 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58224/
> -----------------------------------------------------------
>
> (Updated May 3, 2017, 10:35 p.m.)
>
>
> Review request for mesos and Benjamin Mahler.
>
>
> Bugs: MESOS-7401
>     https://issues.apache.org/jira/browse/MESOS-7401
>
>
> Repository: mesos
>
>
> Description
> -------
>
> In general, libprocess is unable to validate that a peer
> is a legitimate owner of the UPID it claims in a libprocess
> message. This change adds a check that the IP address in the
> UPID matches the peer address. This makes spoofing the UPID
> harder (eg. to send authenticated messages), but also breaks
> some legitimate configurations, particularly on multihomed
> hosts.
>
>
> Diffs
> -----
>
>   3rdparty/libprocess/src/process.cpp f5b666f894215cb1861c244c94b382e0739bc5c9
>
>
> Diff: https://reviews.apache.org/r/58224/diff/5/
>
>
> Testing
> -------
>
> make check (Fedora 25). Light manual testing.
>
> With LIBPROCESS_pin_peer_address=true, all Mesos tests pass except
> ``ExamplesTest.DiskFullFramework``, however enabling this will definitely
> break some libprocess APIs (though not in the way that Mesos uses them) and
> legitimate multi-homed configurations. Note that setting
> LIBPROCESS_ip=127.0.0.1 makes you multihomed for this purpose, which is why
> ``ExamplesTest.DiskFullFramework`` breaks.
>
>
> Thanks,
>
> James Peach
>
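
The peer-address check described in the review request above, shown as an added C++ example; it is not the patch under review and not libprocess code. `upidAddress` and `acceptSender` are hypothetical helpers, the addresses are constructed, and the example assumes IPv4 and the `id@ip:port` text form of a UPID.

```cpp
#include <arpa/inet.h>
#include <cstdio>
#include <string>

// Parse the IPv4 address out of a UPID string of the form "id@ip:port".
// Returns false if the string is malformed or the host part is not IPv4.
bool upidAddress(const std::string& upid, in_addr* out)
{
  const std::string::size_type at = upid.find('@');
  const std::string::size_type colon = upid.rfind(':');
  if (at == std::string::npos || colon == std::string::npos || colon <= at + 1) {
    return false;
  }
  const std::string host = upid.substr(at + 1, colon - at - 1);
  return inet_pton(AF_INET, host.c_str(), out) == 1;
}

// Hypothetical helper (not a libprocess function): decide whether a message
// claiming `fromUpid` may be accepted on a connection whose peer is `peerIp`.
bool acceptSender(const std::string& fromUpid, const std::string& peerIp,
                  bool pinPeerAddress)
{
  if (!pinPeerAddress) {
    return true; // Flag off: the claimed UPID is taken at face value.
  }
  in_addr claimed, peer;
  if (!upidAddress(fromUpid, &claimed) ||
      inet_pton(AF_INET, peerIp.c_str(), &peer) != 1) {
    return false; // This example fails closed on anything it cannot parse.
  }
  return claimed.s_addr == peer.s_addr; // Compare binary form, not text.
}

int main()
{
  // Constructed sample addresses.
  std::printf("match:      %d\n", acceptSender("master@10.0.0.5:5050", "10.0.0.5", true));
  std::printf("spoofed:    %d\n", acceptSender("master@10.0.0.5:5050", "10.0.0.99", true));
  // Multihomed: the UPID advertises 127.0.0.1, the connection comes from 10.0.0.5.
  std::printf("multihomed: %d\n", acceptSender("slave(1)@127.0.0.1:5051", "10.0.0.5", true));
  std::printf("unpinned:   %d\n", acceptSender("master@10.0.0.5:5050", "10.0.0.99", false));
  return 0;
}
```

The multihomed case is rejected by the same comparison that rejects the spoofed one, which is the trade-off the description calls out: the check cannot distinguish a forged UPID from a legitimate sender whose advertised address differs from its connection's source address.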