[Freeipa-devel] Ticket #1107 - firewall troubles
Hello, I am working on ticket #1107 and I am looking for some ideas hot to deal with it. The problem is that when we are installing a replica and have firewall on, the installation may fail or (even worse) hang. There question is how to deal with this situation since we cannot test if the ports are not blocked locally. It must be done from the remote master. I discussed this with Rob and I see two solutions here: 1) Don't complicate this and limit our user handholding (my favorite) - just tell him what ports he should open before proceeding with the installation. If he doesn't, the installation will fail later. The problem is when the installation hangs - its hard to detect. This is the easy way. 2) Implement and register a mod_wsgi application on a master server and let it test remotely if the ports on the replica are open. We would have to open and listen them in ipa-replica-install as we cannot tell if port is not-yet-opened or firewalled just from the network error code. If the application would report a firewalled port, we would throw an error in the ipa-replica-install. However, as Rob pointed out, it would open a possible security hole as we would basically behave as port scanner. Any opinions, suggestions, ideas on this? Thanks, Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Ticket #1107 - firewall troubles
On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: > Hello, > > I am working on ticket #1107 and I am looking for some ideas hot to deal > with it. > > The problem is that when we are installing a replica and have firewall > on, the installation may fail or (even worse) hang. There question is > how to deal with this situation since we cannot test if the ports are > not blocked locally. It must be done from the remote master. > > I discussed this with Rob and I see two solutions here: > > 1) Don't complicate this and limit our user handholding (my favorite) - > just tell him what ports he should open before proceeding with the > installation. If he doesn't, the installation will fail later. The > problem is when the installation hangs - its hard to detect. This is the > easy way. > > 2) Implement and register a mod_wsgi application on a master server and > let it test remotely if the ports on the replica are open. We would have > to open and listen them in ipa-replica-install as we cannot tell if port > is not-yet-opened or firewalled just from the network error code. If the > application would report a firewalled port, we would throw an error in > the ipa-replica-install. > > However, as Rob pointed out, it would open a possible security hole as > we would basically behave as port scanner. It may also create SELinux issues as I think apache is not allowed to contact random ports normally. > Any opinions, suggestions, ideas on this? I think a much better solution is to create a simple program pair one for the master and one for the wannabe replica. The one on the replica opens all relevant ports. The one to be run on the master tries to connect to all these ports. Each side will report port,service name,success/failure Bonus points if we create the replica program so that it can use admin credentials to ssh into the master and run the master side automatically properly merging the output of that side. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Ticket #1107 - firewall troubles
On 05/19/2011 04:41 PM, Simo Sorce wrote: > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: >> Hello, >> >> I am working on ticket #1107 and I am looking for some ideas hot to deal >> with it. >> >> The problem is that when we are installing a replica and have firewall >> on, the installation may fail or (even worse) hang. There question is >> how to deal with this situation since we cannot test if the ports are >> not blocked locally. It must be done from the remote master. >> >> I discussed this with Rob and I see two solutions here: >> >> 1) Don't complicate this and limit our user handholding (my favorite) - >> just tell him what ports he should open before proceeding with the >> installation. If he doesn't, the installation will fail later. The >> problem is when the installation hangs - its hard to detect. This is the >> easy way. >> >> 2) Implement and register a mod_wsgi application on a master server and >> let it test remotely if the ports on the replica are open. We would have >> to open and listen them in ipa-replica-install as we cannot tell if port >> is not-yet-opened or firewalled just from the network error code. If the >> application would report a firewalled port, we would throw an error in >> the ipa-replica-install. >> >> However, as Rob pointed out, it would open a possible security hole as >> we would basically behave as port scanner. > It may also create SELinux issues as I think apache is not allowed to > contact random ports normally. > >> Any opinions, suggestions, ideas on this? > I think a much better solution is to create a simple program pair one > for the master and one for the wannabe replica. > > The one on the replica opens all relevant ports. > The one to be run on the master tries to connect to all these ports. > Each side will report port,service name,success/failure > > Bonus points if we create the replica program so that it can use admin > credentials to ssh into the master and run the master side automatically > properly merging the output of that side. > > Simo. > I think Simo has a point but it is too much for now. IMO it is Ok to fail and report a meaningful error message on either side. Installation hanging is what we should address here in the scope of 2.1. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Ticket #1107 - firewall troubles
On 05/19/2011 10:41 PM, Simo Sorce wrote: > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: >> Hello, >> >> I am working on ticket #1107 and I am looking for some ideas hot to deal >> with it. >> >> The problem is that when we are installing a replica and have firewall >> on, the installation may fail or (even worse) hang. There question is >> how to deal with this situation since we cannot test if the ports are >> not blocked locally. It must be done from the remote master. >> >> I discussed this with Rob and I see two solutions here: >> >> 1) Don't complicate this and limit our user handholding (my favorite) - >> just tell him what ports he should open before proceeding with the >> installation. If he doesn't, the installation will fail later. The >> problem is when the installation hangs - its hard to detect. This is the >> easy way. >> >> 2) Implement and register a mod_wsgi application on a master server and >> let it test remotely if the ports on the replica are open. We would have >> to open and listen them in ipa-replica-install as we cannot tell if port >> is not-yet-opened or firewalled just from the network error code. If the >> application would report a firewalled port, we would throw an error in >> the ipa-replica-install. >> >> However, as Rob pointed out, it would open a possible security hole as >> we would basically behave as port scanner. > > It may also create SELinux issues as I think apache is not allowed to > contact random ports normally. > >> Any opinions, suggestions, ideas on this? > > I think a much better solution is to create a simple program pair one > for the master and one for the wannabe replica. > > The one on the replica opens all relevant ports. > The one to be run on the master tries to connect to all these ports. > Each side will report port,service name,success/failure > > Bonus points if we create the replica program so that it can use admin > credentials to ssh into the master and run the master side automatically > properly merging the output of that side. > And even more bonus points if we write a simple SELinux policy that only allows the listening program to just bind to the set of ports and nothing else. signature.asc Description: OpenPGP digital signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Ticket #1107 - firewall troubles
On Thu, 2011-05-19 at 16:41 -0400, Simo Sorce wrote: > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: > > Hello, > > > > I am working on ticket #1107 and I am looking for some ideas hot to deal > > with it. > > > > The problem is that when we are installing a replica and have firewall > > on, the installation may fail or (even worse) hang. There question is > > how to deal with this situation since we cannot test if the ports are > > not blocked locally. It must be done from the remote master. > > > > I discussed this with Rob and I see two solutions here: > > > > 1) Don't complicate this and limit our user handholding (my favorite) - > > just tell him what ports he should open before proceeding with the > > installation. If he doesn't, the installation will fail later. The > > problem is when the installation hangs - its hard to detect. This is the > > easy way. > > > > 2) Implement and register a mod_wsgi application on a master server and > > let it test remotely if the ports on the replica are open. We would have > > to open and listen them in ipa-replica-install as we cannot tell if port > > is not-yet-opened or firewalled just from the network error code. If the > > application would report a firewalled port, we would throw an error in > > the ipa-replica-install. > > > > However, as Rob pointed out, it would open a possible security hole as > > we would basically behave as port scanner. > > It may also create SELinux issues as I think apache is not allowed to > contact random ports normally. > > > Any opinions, suggestions, ideas on this? > > I think a much better solution is to create a simple program pair one > for the master and one for the wannabe replica. > > The one on the replica opens all relevant ports. > The one to be run on the master tries to connect to all these ports. > Each side will report port,service name,success/failure So you are saying this program would be optional and user could run it if he would be unsure if firewall setting is OK? Like running for example: $ ipa-replica-check-connection --on-replica on the replica which would listen on our set of ports (and as Jakub said, it may be secured by SELinux policy) and then he would run $ ipa-replica-check-connection --on-master on the master server which would test the ports and print a result. > > Bonus points if we create the replica program so that it can use admin > credentials to ssh into the master and run the master side automatically > properly merging the output of that side. I am not sure if we can count on having admin credentials for ssh or even ssh connection at all. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Ticket #1107 - firewall troubles
On Thu, 2011-05-19 at 18:32 -0400, Dmitri Pal wrote: > On 05/19/2011 04:41 PM, Simo Sorce wrote: > > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: > >> Hello, > >> > >> I am working on ticket #1107 and I am looking for some ideas hot to deal > >> with it. > >> > >> The problem is that when we are installing a replica and have firewall > >> on, the installation may fail or (even worse) hang. There question is > >> how to deal with this situation since we cannot test if the ports are > >> not blocked locally. It must be done from the remote master. > >> > >> I discussed this with Rob and I see two solutions here: > >> > >> 1) Don't complicate this and limit our user handholding (my favorite) - > >> just tell him what ports he should open before proceeding with the > >> installation. If he doesn't, the installation will fail later. The > >> problem is when the installation hangs - its hard to detect. This is the > >> easy way. > >> > >> 2) Implement and register a mod_wsgi application on a master server and > >> let it test remotely if the ports on the replica are open. We would have > >> to open and listen them in ipa-replica-install as we cannot tell if port > >> is not-yet-opened or firewalled just from the network error code. If the > >> application would report a firewalled port, we would throw an error in > >> the ipa-replica-install. > >> > >> However, as Rob pointed out, it would open a possible security hole as > >> we would basically behave as port scanner. > > It may also create SELinux issues as I think apache is not allowed to > > contact random ports normally. > > > >> Any opinions, suggestions, ideas on this? > > I think a much better solution is to create a simple program pair one > > for the master and one for the wannabe replica. > > > > The one on the replica opens all relevant ports. > > The one to be run on the master tries to connect to all these ports. > > Each side will report port,service name,success/failure > > > > Bonus points if we create the replica program so that it can use admin > > credentials to ssh into the master and run the master side automatically > > properly merging the output of that side. > > > > Simo. > > > I think Simo has a point but it is too much for now. > IMO it is Ok to fail and report a meaningful error message on either > side. Installation hanging is what we should address here in the scope > of 2.1. > I am thinking about implementing a watchdog for this critical installation step (`/usr/bin/pkisilent ConfigureCA`), where replica is known to hang. We could set a safe timeout, say 5-10 minutes for the pkisilent process and if it doesn't finish in given time, we would kill the process and inform the user + ask him to check the if the ports are opened. The list of our ports to check could be printed to user almost every time the installation fails so that he would have a hint where to investigate. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Ticket #1107 - firewall troubles
On Fri, 2011-05-20 at 09:36 +0200, Martin Kosek wrote: > On Thu, 2011-05-19 at 16:41 -0400, Simo Sorce wrote: > > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote: > > > Hello, > > > > > > I am working on ticket #1107 and I am looking for some ideas hot to deal > > > with it. > > > > > > The problem is that when we are installing a replica and have firewall > > > on, the installation may fail or (even worse) hang. There question is > > > how to deal with this situation since we cannot test if the ports are > > > not blocked locally. It must be done from the remote master. > > > > > > I discussed this with Rob and I see two solutions here: > > > > > > 1) Don't complicate this and limit our user handholding (my favorite) - > > > just tell him what ports he should open before proceeding with the > > > installation. If he doesn't, the installation will fail later. The > > > problem is when the installation hangs - its hard to detect. This is the > > > easy way. > > > > > > 2) Implement and register a mod_wsgi application on a master server and > > > let it test remotely if the ports on the replica are open. We would have > > > to open and listen them in ipa-replica-install as we cannot tell if port > > > is not-yet-opened or firewalled just from the network error code. If the > > > application would report a firewalled port, we would throw an error in > > > the ipa-replica-install. > > > > > > However, as Rob pointed out, it would open a possible security hole as > > > we would basically behave as port scanner. > > > > It may also create SELinux issues as I think apache is not allowed to > > contact random ports normally. > > > > > Any opinions, suggestions, ideas on this? > > > > I think a much better solution is to create a simple program pair one > > for the master and one for the wannabe replica. > > > > The one on the replica opens all relevant ports. > > The one to be run on the master tries to connect to all these ports. > > Each side will report port,service name,success/failure > > So you are saying this program would be optional and user could run it > if he would be unsure if firewall setting is OK? Like running for > example: > > $ ipa-replica-check-connection --on-replica > > on the replica which would listen on our set of ports (and as Jakub > said, it may be secured by SELinux policy) and then he would run > > $ ipa-replica-check-connection --on-master This one would actually be : $ ipa-replica-check-connection --on-master fqdn.of.replica > on the master server which would test the ports and print a result. Yes. > > > > Bonus points if we create the replica program so that it can use admin > > credentials to ssh into the master and run the master side automatically > > properly merging the output of that side. > > I am not sure if we can count on having admin credentials for ssh or > even ssh connection at all. We certainly create the admin account by default, it is available as a user account on the server and ssh is configured to accept gssapi credentials or password authentication through pam. It is quite unlikely that the user running the replica install doesn't know those credentials but know directory manager credentials, if that's the case we could provide for parameters to tell which user to use instead of admin as an optional set of arguments. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Ticket #1107 - firewall troubles
Dmitri Pal wrote: I think Simo has a point but it is too much for now. IMO it is Ok to fail and report a meaningful error message on either side. Installation hanging is what we should address here in the scope of 2.1. The problem is we currently have no way of telling if the master can talk to the replica on a given port. When replication begins a connection is made from the master to the replica and this is what is failing. replication is rather robust so it assumes this is a temporary condition and waits for things to change (they won't). From the user's perspective the installation has hung. Without doing active port checking from the master side we have no way of knowing this may happen (because it can be a firewall somewhere in between too). So there is no way to fail and report a meaningful error message. If we could we would catch it up front. We can't even put a timeout on this because whatever number we choose will be wrong (640k anyone?) Simo's idea of ssh'ing to the master may be our only real alternative. I don't think admin credentials are required though, any user should be able to run the remote command. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
