Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf
On 04/11/2015 00:32, Robert Edmonds via Unbound-users wrote:
Paul Wouters via Unbound-users wrote:
FYI:
rhbz#1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in
/etc/sysctl.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1231946
Paul
Hi, Paul:
I'm a bit confused. unbound-anchor is an ordinary program that uses the
sockets API, so it should have no reason to read Linux kernel specific
sysctl's or change behavior based on their values, since sysctl's are
parameters for the kernel.
Agreed. What's happening here is a user-space attempt to open an
AF_INET6 socket is causing a modprobe, likely because the reporter has
blocked the IPv6 kernel module from loading ("I don't trust IPv6").
They erroneously believe the sysctl would stop this, when all it does is
disable IPv6 on all interfaces - it's nothing to do with application
behaviour or module loading control.
If there's a bug anywhere here, it's in the SELinux policy blocking the
module_request, but I doubt even that.
Trying to force IPv6 to not load on a Linux system causes all sorts of
subtle errors these days, and should not IMHO be a supported use-case.
Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf
On 04.11.2015 12:35, Phil Mayers via Unbound-users wrote:
> On 04/11/2015 00:32, Robert Edmonds via Unbound-users wrote:
> > Paul Wouters via Unbound-users wrote:
> >> FYI:
> >>
> >> rhbz#1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in
> >> /etc/sysctl.conf
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> >>
> >> Paul
> >
> > Hi, Paul:
> >
> > I'm a bit confused. unbound-anchor is an ordinary program that uses the
> > sockets API, so it should have no reason to read Linux kernel specific
> > sysctl's or change behavior based on their values, since sysctl's are
> > parameters for the kernel.
>
> Agreed. What's happening here is a user-space attempt to open an AF_INET6
> socket is causing a modprobe, likely because the reporter has blocked the
> IPv6 kernel module from loading ("I don't trust IPv6").
>
> They erroneously believe the sysctl would stop this, when all it does is
> disable IPv6 on all interfaces - it's nothing to do with application
> behaviour or module loading control.
>
> If there's a bug anywhere here, it's in the SELinux policy blocking the
> module_request, but I doubt even that.
>
> Trying to force IPv6 to not load on a Linux system causes all sorts of subtle
> errors these days, and should not IMHO be a supported use-case.
Believe it or not, there are users who are doing it and think it is the right
thing to do [1]. I think it is good that SELinux is not allowing the module to
be loaded, because it is exactly what SELinux is for - another level of defense.
If you have some strong technical argument for this behavior I would be more
than glad to hear it. The reason is that similar people will fight hard against
having Unbound as the default DNS resolver in Fedora, which is our ultimate
plan. Ability to spare hundreds of emails arguing with them would be great :)
Note that we have the same bug report for dnssec-trigger, too.
[1] https://lists.fedoraproject.org/pipermail/devel/2015-November/216417.html
Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com
Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf
On 04/11/2015 15:49, Tomas Hozza wrote: If you have some strong technical argument for this behavior I would be more than glad to hear it. The reason is that similar people will fight hard against having Unbound as the default DNS resolver in Fedora, which is our ultimate plan. Ability to spare hundreds of emails arguing with them would be great :) Which "behaviour"? I'm honestly confused. As far as I can tell, everything is working as designed here. The code tries to open an IPv6 socket, the kernel tries to load the module, SELinux denies and logs this. Each of these items is by design. Which are you suggesting should change? Is it the audit log that is annoying people? If so, the SELinux policy should be a dontaudit. Can we agree that unbound-anchor should not be reading sysctls to change it's behaviour?
Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf
Hi, Phil Mayers via Unbound-users wrote: > On 04/11/2015 15:49, Tomas Hozza wrote: > > >If you have some strong technical argument for this behavior I would > >be more than glad to hear it. The reason is that similar people will > >fight hard against having Unbound as the default DNS resolver in > >Fedora, which is our ultimate plan. Ability to spare hundreds of > >emails arguing with them would be great :) > > Which "behaviour"? > > I'm honestly confused. As far as I can tell, everything is working as > designed here. > > The code tries to open an IPv6 socket, the kernel tries to load the module, > SELinux denies and logs this. Each of these items is by design. Which are > you suggesting should change? If I understand correctly, there is no ipv6.ko module on the kernel in question that can be autoloaded; at least on my Fedora 20 and CentOS 7 machines, the kernels are built with CONFIG_IPV6=y. When "ipv6.disable=1" is set on the kernel command line, it looks like the (built-in) IPv6 code bails out without registering the IPv6 TCP, UDP, etc. protocols: https://github.com/torvalds/linux/blob/v4.3/net/ipv6/af_inet6.c#L839-L850 So, IIUC, when a userspace program tries to create an AF_INET6 socket, the kernel sees that the requested protocol isn't available (due to this early bail out from the ipv6 module), and tries to load the "net-pf-10" module, even though this would have been provided by code statically compiled into the kernel. Is the problem perhaps that "ipv6.disable=1" on the kernel command line should be accompanied by "alias net-pf-10 off" in the modprobe configuration in order to prevent useless autoloading attempts? > Is it the audit log that is annoying people? If so, the SELinux policy > should be a dontaudit. I can't see how this audit message wouldn't be triggered by basically any program that creates an IPv6 socket, which should be close to any program that uses the network by now? > Can we agree that unbound-anchor should not be reading sysctls to change > it's behaviour? I do, that's just crazy :-) The userspace interface for detecting the lack of IPv6 support is: if the call to socket() fails (probably with EAFNOSUPPORT or EPROTONOSUPPORT), then it's not supported. And any sane userspace program already checks for socket() failures. -- Robert Edmonds edmo...@debian.org
Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf
Phil Mayers via Unbound-users wrote: > On 04/11/2015 17:21, Robert Edmonds wrote: > >Is the problem perhaps that "ipv6.disable=1" on the kernel command line > >should be accompanied by "alias net-pf-10 off" in the modprobe > >configuration in order to prevent useless autoloading attempts? > > Is that config read by modprobe after the kernel has called it? In which > case it'll still trigger (and deny) the probe. It's been so long since I > looked at module loading I can't remember. I don't know that much about SELinux. Are these "module_request" denials triggered at the point where the kernel is about to perform the upcall into userspace to invoke modprobe, or are they triggered after the modprobe runs and calls back into the kernel to request the module load? (If the former, then "alias net-pf-10 off" won't help, of course.) > >I can't see how this audit message wouldn't be triggered by basically > >any program that creates an IPv6 socket, which should be close to any > >program that uses the network by now? > > They might be running under SELinux contexts which either permit or > dontaudit the module load I suppose? But I agree, almost everything is going > to be v6-aware at this point. Right, so this looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=641836, and wow that bug has a lot of dupes. So this isn't an Unbound problem at all. According to a blog post (http://danwalsh.livejournal.com/47118.html), it would appear the better option is to disable IPv6 addressing. Or figure out how to get the system to deny the request without logging it if it bothers you so much, I guess. -- Robert Edmonds edmo...@debian.org
Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf
On 04/11/2015 17:21, Robert Edmonds wrote: If I understand correctly, there is no ipv6.ko module on the kernel in question that can be autoloaded; at least on my Fedora 20 and CentOS 7 machines, the kernels are built with CONFIG_IPV6=y. Good point; that's what I see too (and an entirely sensible default it is). Is the problem perhaps that "ipv6.disable=1" on the kernel command line should be accompanied by "alias net-pf-10 off" in the modprobe configuration in order to prevent useless autoloading attempts? Is that config read by modprobe after the kernel has called it? In which case it'll still trigger (and deny) the probe. It's been so long since I looked at module loading I can't remember. I can't see how this audit message wouldn't be triggered by basically any program that creates an IPv6 socket, which should be close to any program that uses the network by now? They might be running under SELinux contexts which either permit or dontaudit the module load I suppose? But I agree, almost everything is going to be v6-aware at this point. Can we agree that unbound-anchor should not be reading sysctls to change it's behaviour? I do, that's just crazy :-) The userspace interface for detecting the lack of IPv6 support is: if the call to socket() fails (probably with EAFNOSUPPORT or EPROTONOSUPPORT), then it's not supported. And any sane userspace program already checks for socket() failures. That's my understanding too. Most apps won't even end up that low-level, having probably used getaddrinfo() to iterate across a list of sockets, and glibc having filtered out unavailable address families before then.
