The Samba-Bugzilla – Attachment 18498 Details for Bug 15320: lockd connections are not tracked explicitly
[patch]
Patch for v4-21-test
BZ15320-v4-21-test.patch (text/plain), 22.74 KB, created by Martin Schwenke on 2024-11-21 01:14:36 UTC
>From dabae3a6c1ba775b9a09fb8a1b14ea75178cbbb1 Mon Sep 17 00:00:00 2001 >From: Martin Schwenke <mschwenke@ddn.com> >Date: Thu, 19 Sep 2024 13:52:48 +1000 >Subject: [PATCH 1/9] ctdb-scripts: Don't list connections when not hosting IPs > >With an empty IP filter, all incoming connections to port 2049 will be >listed, not just those to public IP addresses. This causes error >messages like the following to be logged: > > ctdb-eventd[...]: 60.nfs: Failed to add 1 tickles > >since the connection being added seems to be for a random NFS mount >that doesn't use a public IP addresses. > >This has been a problem for a long time (probably since commit >04fe9e20749985c71fef1bce7f6e4c439fe11c81 in 2015). It isn't currently >a huge deal because it only affects NFS connections. However, this >code will soon be used to track connections to public IP addresses on >all ports. This would result in a constant stream of log messages, >since there will always be some active connections. > >The theory behind the fix is that if a node hosts no public IPs then >it should have no relevant connections and has no business changing >the list of registered tickles. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 >RN: Update CTDB to track all TCP connections to public IP addresses > >Signed-off-by: Martin Schwenke <mschwenke@ddn.com> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jerry Heyman <jheyman@ddn.com> >(cherry picked from commit 1a4a6c46f1cdabfea67c264d6576a597a70c3007) >--- > ctdb/config/functions | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/ctdb/config/functions b/ctdb/config/functions >index ef79dbf2162..697b47c0568 100755 >--- a/ctdb/config/functions >+++ b/ctdb/config/functions 
>@@ -1184,6 +1184,10 @@ update_tickles() > # What public IPs do I hold? > _pnn=$(ctdb_get_pnn) > _ips=$($CTDB -X ip | awk -F'|' -v pnn="$_pnn" '$3 == pnn {print $2}') >+ # If not hosting any public IPs then can't have any connections... >+ if [ -z "$_ips" ]; then >+ return >+ fi > > # IPs and port as ss filters > _ip_filter="" >-- >2.45.2 > > >From afdfabaca058bd996010d1eda40962024052680b Mon Sep 17 00:00:00 2001 >From: Martin Schwenke <mschwenke@ddn.com> >Date: Thu, 19 Sep 2024 14:32:46 +1000 >Subject: [PATCH 2/9] ctdb-scripts: update_tickles() should use the public IPs > cache > >This avoids duplicating logic. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 >RN: Update CTDB to track all TCP connections to public IP addresses > >Signed-off-by: Martin Schwenke <mschwenke@ddn.com> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jerry Heyman <jheyman@ddn.com> >(cherry picked from commit b3e2c69ad92c0d20bb10146d2dd6d0d475455298) >--- > ctdb/config/functions | 13 +++++-------- > 1 file changed, 5 insertions(+), 8 deletions(-) > >diff --git a/ctdb/config/functions b/ctdb/config/functions >index 697b47c0568..5d816d50782 100755 >--- a/ctdb/config/functions >+++ b/ctdb/config/functions >@@ -1181,19 +1181,16 @@ update_tickles() > tickledir="${CTDB_SCRIPT_VARDIR}/tickles" > mkdir -p "$tickledir" > >- # What public IPs do I hold? >- _pnn=$(ctdb_get_pnn) >- _ips=$($CTDB -X ip | awk -F'|' -v pnn="$_pnn" '$3 == pnn {print $2}') > # If not hosting any public IPs then can't have any connections... >- if [ -z "$_ips" ]; then >+ if [ ! -s "$CTDB_MY_PUBLIC_IPS_CACHE" ]; then > return > fi > > # IPs and port as ss filters > _ip_filter="" >- for _ip in $_ips; do >+ while read -r _ip; do > _ip_filter="${_ip_filter}${_ip_filter:+ || }src [${_ip}]" >- done >+ done <"$CTDB_MY_PUBLIC_IPS_CACHE" > _port_filter="sport == :${_port}" > > # Record connections to our public IPs in a temporary file. 
>@@ -1217,10 +1214,10 @@ update_tickles() > > # Record our current tickles in a temporary file > _my_tickles="${tickledir}/${_port}.tickles.$$" >- for _i in $_ips; do >+ while read -r _i; do > $CTDB -X gettickles "$_i" "$_port" | > awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4, $5 }' >- done | >+ done <"$CTDB_MY_PUBLIC_IPS_CACHE" | > sort >"$_my_tickles" > > # Add tickles for connections that we haven't already got tickles for >-- >2.45.2 > > >From 76931d4cf9b7a4abcd062f94450e1da0eb677592 Mon Sep 17 00:00:00 2001 >From: Martin Schwenke <mschwenke@ddn.com> >Date: Mon, 23 Oct 2023 14:23:45 +1100 >Subject: [PATCH 3/9] ctdb-scripts: Remove superseded compatibility code > >Since commit 224e99804efef960ef4ce2ff2f4f6dced1e74146, square brackets >have been parsed by daemon and tool code, so drop the compatibility >code from here. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 >RN: Update CTDB to track all TCP connections to public IP addresses > >Signed-off-by: Martin Schwenke <mschwenke@ddn.com> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jerry Heyman <jheyman@ddn.com> >(cherry picked from commit 32e4f786601712e57992ce4c8f46e5d38620a5dd) >--- > ctdb/config/functions | 6 ------ > 1 file changed, 6 deletions(-) > >diff --git a/ctdb/config/functions b/ctdb/config/functions >index 5d816d50782..a5191eac869 100755 >--- a/ctdb/config/functions >+++ b/ctdb/config/functions 
>@@ -1200,16 +1200,10 @@ update_tickles() > _my_connections="${tickledir}/${_port}.connections.$$" > # Parentheses are needed around the filters for precedence but > # the parentheses can't be empty! >- # >- # Recent versions of ss print square brackets around IPv6 >- # addresses. While it is desirable to update CTDB's address >- # parsing and printing code, something needs to be done here >- # for backward compatibility, so just delete the brackets. > ss -tn state established \ > "${_ip_filter:+( ${_ip_filter} )}" \ > "${_port_filter:+( ${_port_filter} )}" | > awk 'NR > 1 {print $4, $3}' | >- tr -d '][' | > sort >"$_my_connections" > > # Record our current tickles in a temporary file >-- >2.45.2 > > >From c5cd31a12e70622d21754b7d1fa374dcc541767c Mon Sep 17 00:00:00 2001 >From: Martin Schwenke <mschwenke@ddn.com> >Date: Mon, 16 Sep 2024 12:26:53 +1000 >Subject: [PATCH 4/9] ctdb-scripts: Use ss -H option to simplify > >This option has been available since ~2018 and has been implemented in >the stub since then. I guess we didn't use it because CentOS 7? > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 >RN: Update CTDB to track all TCP connections to public IP addresses > >Signed-off-by: Martin Schwenke <mschwenke@ddn.com> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jerry Heyman <jheyman@ddn.com> >(cherry picked from commit 0505d06b12a04a5c5e813fb3f4799278f9e5b7eb) >--- > ctdb/config/functions | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > >diff --git a/ctdb/config/functions b/ctdb/config/functions >index a5191eac869..69d44542755 100755 >--- a/ctdb/config/functions >+++ b/ctdb/config/functions >@@ -499,7 +499,7 @@ ctdb_check_unix_socket() > return 1 > fi > >- _out=$(ss -l -x "src ${_sockpath}" | tail -n +2) >+ _out=$(ss -l -xH "src ${_sockpath}") > if [ -z "$_out" ]; then > echo "ERROR: ${service_name} not listening on ${_sockpath}" > return 1 
>@@ -602,7 +602,7 @@ get_tcp_connections_for_ip() > { > _ip="$1" > >- ss -tn state established "src [$_ip]" | awk 'NR > 1 {print $3, $4}' >+ ss -tnH state established "src [$_ip]" | awk '{print $3, $4}' > } > > ######################################################## >@@ -1200,10 +1200,10 @@ update_tickles() > _my_connections="${tickledir}/${_port}.connections.$$" > # Parentheses are needed around the filters for precedence but > # the parentheses can't be empty! >- ss -tn state established \ >+ ss -tnH state established \ > "${_ip_filter:+( ${_ip_filter} )}" \ > "${_port_filter:+( ${_port_filter} )}" | >- awk 'NR > 1 {print $4, $3}' | >+ awk '{print $4, $3}' | > sort >"$_my_connections" > > # Record our current tickles in a temporary file >-- >2.45.2 > > >From 8b21f9372d6091c63946a87f4f067d45236effec Mon Sep 17 00:00:00 2001 >From: Martin Schwenke <mschwenke@ddn.com> >Date: Mon, 30 Sep 2024 12:22:46 +1000 >Subject: [PATCH 5/9] ctdb-server: Clean up connection tracking functions > >Apply README.Coding, modernise logging, pre-render connection as a >string for logging, switch terminology from "tickle" to "connection", >tidy up comments. > >No changes in functionality. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 >RN: Update CTDB to track all TCP connections to public IP addresses > >Signed-off-by: Martin Schwenke <mschwenke@ddn.com> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jerry Heyman <jheyman@ddn.com> >(cherry picked from commit 3c19c8df778070705485b3c993e695ca1636bfa7) >--- > ctdb/server/ctdb_takeover.c | 108 ++++++++++++++++++++++-------------- > 1 file changed, 65 insertions(+), 43 deletions(-) > >diff --git a/ctdb/server/ctdb_takeover.c b/ctdb/server/ctdb_takeover.c >index 2176c6ab806..b10107292f3 100644 >--- a/ctdb/server/ctdb_takeover.c >+++ b/ctdb/server/ctdb_takeover.c 
>@@ -1504,27 +1504,40 @@ static struct ctdb_connection *ctdb_tcp_find(struct ctdb_tcp_array *array, > clients managing that should tickled with an ACK when IP takeover is > done > */ >-int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, TDB_DATA indata, bool tcp_update_needed) >+int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, >+ TDB_DATA indata, >+ bool tcp_update_needed) > { > struct ctdb_connection *p = (struct ctdb_connection *)indata.dptr; > struct ctdb_tcp_array *tcparray; > struct ctdb_connection tcp; > struct ctdb_vnn *vnn; >+ char conn_str[132] = { 0, }; >+ int ret; > > /* If we don't have public IPs, tickles are useless */ > if (ctdb->vnn == NULL) { > return 0; > } > >+ ret = ctdb_connection_to_buf(conn_str, >+ sizeof(conn_str), >+ p, >+ false, >+ " -> "); >+ if (ret != 0) { >+ strlcpy(conn_str, "UNKNOWN", sizeof(conn_str)); >+ } >+ > vnn = find_public_ip_vnn(ctdb, &p->dst); > if (vnn == NULL) { >- DEBUG(DEBUG_INFO,(__location__ " got TCP_ADD control for an address which is not a public address '%s'\n", >- ctdb_addr_to_str(&p->dst))); >+ DBG_INFO("Attempt to add connection %s " >+ "but destination is not a public address\n", >+ conn_str); > > return -1; > } > >- > tcparray = vnn->tcp_array; > > /* If this is the first tickle */ >@@ -1534,7 +1547,8 @@ int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, TDB_DATA indata, bool tc > vnn->tcp_array = tcparray; > > tcparray->num = 0; >- tcparray->connections = talloc_size(tcparray, sizeof(struct ctdb_connection)); >+ tcparray->connections = talloc_size(tcparray, >+ sizeof(struct ctdb_connection)); > CTDB_NO_MEMORY(ctdb, tcparray->connections); > > tcparray->connections[tcparray->num].src = p->src; 
>@@ -1552,27 +1566,22 @@ int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, TDB_DATA indata, bool tc > tcp.src = p->src; > tcp.dst = p->dst; > if (ctdb_tcp_find(tcparray, &tcp) != NULL) { >- DEBUG(DEBUG_DEBUG,("Already had tickle info for %s:%u for vnn:%u\n", >- ctdb_addr_to_str(&tcp.dst), >- ntohs(tcp.dst.ip.sin_port), >- vnn->pnn)); >+ DBG_DEBUG("Already had connection %s\n", conn_str); > return 0; > } > > /* A new tickle, we must add it to the array */ >- tcparray->connections = talloc_realloc(tcparray, tcparray->connections, >- struct ctdb_connection, >- tcparray->num+1); >+ tcparray->connections = talloc_realloc(tcparray, >+ tcparray->connections, >+ struct ctdb_connection, >+ tcparray->num + 1); > CTDB_NO_MEMORY(ctdb, tcparray->connections); > > tcparray->connections[tcparray->num].src = p->src; > tcparray->connections[tcparray->num].dst = p->dst; > tcparray->num++; > >- DEBUG(DEBUG_INFO,("Added tickle info for %s:%u from vnn %u\n", >- ctdb_addr_to_str(&tcp.dst), >- ntohs(tcp.dst.ip.sin_port), >- vnn->pnn)); >+ D_INFO("Added connection %s\n", conn_str); > > if (tcp_update_needed) { > vnn->tcp_update_needed = true; 
>@@ -1582,58 +1591,59 @@ int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, TDB_DATA indata, bool tc > } > > >-static void ctdb_remove_connection(struct ctdb_vnn *vnn, struct ctdb_connection *conn) >+static void ctdb_remove_connection(struct ctdb_vnn *vnn, >+ struct ctdb_connection *conn) > { > struct ctdb_connection *tcpp; >+ char conn_str[132] = { 0, }; >+ int ret; > > if (vnn == NULL) { > return; > } > >- /* if the array is empty we can't remove it >- and we don't need to do anything >- */ >+ ret = ctdb_connection_to_buf(conn_str, >+ sizeof(conn_str), >+ conn, >+ false, >+ " -> "); >+ if (ret != 0) { >+ strlcpy(conn_str, "UNKNOWN", sizeof(conn_str)); >+ } >+ >+ /* If the array is empty there is nothing to remove */ > if (vnn->tcp_array == NULL) { >- DEBUG(DEBUG_INFO,("Trying to remove tickle that doesn't exist (array is empty) %s:%u\n", >- ctdb_addr_to_str(&conn->dst), >- ntohs(conn->dst.ip.sin_port))); >+ D_INFO("Attempt to remove untracked connection %s (empty)\n", >+ conn_str); > return; > } > > >- /* See if we know this connection >- if we don't know this connection then we don't need to do anything >- */ > tcpp = ctdb_tcp_find(vnn->tcp_array, conn); > if (tcpp == NULL) { >- DEBUG(DEBUG_INFO,("Trying to remove tickle that doesn't exist %s:%u\n", >- ctdb_addr_to_str(&conn->dst), >- ntohs(conn->dst.ip.sin_port))); >+ D_INFO("Attempt to remove untracked connection %s\n", conn_str); > return; > } > > >- /* We need to remove this entry from the array. >- Instead of allocating a new array and copying data to it >- we cheat and just copy the last entry in the existing array >- to the entry that is to be removed and just shring the >- ->num field >+ /* >+ * We need to remove this entry from the array. Instead of >+ * allocating a new array and copying data to it, cheat and >+ * just copy the last entry in the existing array to the entry >+ * that is to be removed and just shrink the size. 
> */ > *tcpp = vnn->tcp_array->connections[vnn->tcp_array->num - 1]; > vnn->tcp_array->num--; > >- /* If we deleted the last entry we also need to remove the entire array >- */ >+ /* Last entry deleted, so remove the entire array */ > if (vnn->tcp_array->num == 0) { > talloc_free(vnn->tcp_array); > vnn->tcp_array = NULL; >- } >+ } > > vnn->tcp_update_needed = true; > >- DEBUG(DEBUG_INFO,("Removed tickle info for %s:%u\n", >- ctdb_addr_to_str(&conn->src), >- ntohs(conn->src.ip.sin_port))); >+ D_INFO("Removed connection %s\n", conn_str); > } > > >@@ -1653,9 +1663,21 @@ int32_t ctdb_control_tcp_remove(struct ctdb_context *ctdb, TDB_DATA indata) > > vnn = find_public_ip_vnn(ctdb, &conn->dst); > if (vnn == NULL) { >- DEBUG(DEBUG_ERR, >- (__location__ " unable to find public address %s\n", >- ctdb_addr_to_str(&conn->dst))); >+ char conn_str[132] = { 0, }; >+ int ret; >+ >+ ret = ctdb_connection_to_buf(conn_str, >+ sizeof(conn_str), >+ conn, >+ false, >+ " -> "); >+ if (ret != 0) { >+ strlcpy(conn_str, "UNKNOWN", sizeof(conn_str)); >+ } >+ >+ DBG_ERR("Attempt to remove connection %s " >+ "but destination is not a public address\n", >+ conn_str); > return 0; > } > >-- >2.45.2 > > >From d695acebd22413771217b81ec91cd09ac2bb89e7 Mon Sep 17 00:00:00 2001 >From: Martin Schwenke <mschwenke@ddn.com> >Date: Mon, 30 Sep 2024 12:30:13 +1000 >Subject: [PATCH 6/9] ctdb-server: Drop a log message to DEBUG level > >This is harmless, so it doesn't generally need to be logged. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 >RN: Update CTDB to track all TCP connections to public IP addresses > >Signed-off-by: Martin Schwenke <mschwenke@ddn.com> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jerry Heyman <jheyman@ddn.com> >(cherry picked from commit f4a8f84328c5e692ce63bec05bb71fcb469a3e9c) >--- > ctdb/server/ctdb_takeover.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) 
> >diff --git a/ctdb/server/ctdb_takeover.c b/ctdb/server/ctdb_takeover.c >index b10107292f3..ad543452e62 100644 >--- a/ctdb/server/ctdb_takeover.c >+++ b/ctdb/server/ctdb_takeover.c >@@ -1621,7 +1621,7 @@ static void ctdb_remove_connection(struct ctdb_vnn *vnn, > > tcpp = ctdb_tcp_find(vnn->tcp_array, conn); > if (tcpp == NULL) { >- D_INFO("Attempt to remove untracked connection %s\n", conn_str); >+ D_DEBUG("Attempt to remove untracked connection %s\n", conn_str); > return; > } > >-- >2.45.2 > > >From df5e118f971262b0dddd44aec55e89c1d06b57dd Mon Sep 17 00:00:00 2001 >From: Martin Schwenke <mschwenke@ddn.com> >Date: Mon, 23 Oct 2023 14:05:21 +1100 >Subject: [PATCH 7/9] ctdb-scripts: Move connection tracking to 10.interface > >This should really be done for all connections to public IP addresses. >Leave the port number there for now - this is just the first step. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 >RN: Update CTDB to track all TCP connections to public IP addresses > >Signed-off-by: Martin Schwenke <mschwenke@ddn.com> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jerry Heyman <jheyman@ddn.com> >(cherry picked from commit 9683bb3ac2bbdf0e83c3be3681f9d1c8ee7cc327) >--- > ctdb/config/events/legacy/10.interface.script | 2 ++ > ctdb/config/events/legacy/60.nfs.script | 1 - > 2 files changed, 2 insertions(+), 1 deletion(-) > >diff --git a/ctdb/config/events/legacy/10.interface.script b/ctdb/config/events/legacy/10.interface.script >index fdc559ee1c8..d7c36470306 100755 >--- a/ctdb/config/events/legacy/10.interface.script >+++ b/ctdb/config/events/legacy/10.interface.script >@@ -247,6 +247,8 @@ ipreallocated) > > monitor) > monitor_interfaces || exit 1 >+ >+ update_tickles 2049 > ;; > esac > >diff --git a/ctdb/config/events/legacy/60.nfs.script b/ctdb/config/events/legacy/60.nfs.script >index 246a856bca8..7d03a2a50f2 100755 >--- a/ctdb/config/events/legacy/60.nfs.script >+++ b/ctdb/config/events/legacy/60.nfs.script 
>@@ -338,7 +338,6 @@ monitor) > exit $? > fi > >- update_tickles 2049 > nfs_update_lock_info > > nfs_check_services >-- >2.45.2 > > >From e15fda1b5e7c2a8ea475ab0360adea540cb8f9ba Mon Sep 17 00:00:00 2001 >From: Martin Schwenke <mschwenke@ddn.com> >Date: Mon, 30 Sep 2024 10:50:00 +1000 >Subject: [PATCH 8/9] ctdb-scripts: Get connections after tickle list > >Running ss to get current connections before running ctdb gettickles >means the ss output might be out of date when the 2 lists are >compared. Some tickles might have been added after ss was run by some >other means (e.g. SMB tickles, added internally) and they would be >deleted according to the stale ss output. > >This isn't currently a problem because update_tickles() is currently >only called with port 2049, so all tickles are managed by this code. >That will change in a subsequent commit. > >Changing the order means the reverse problem can occur, where >update_tickles() attempts to delete an already deleted tickle. That >may happen occasionally but is harmless because it doesn't result in >missing information. It (currently) just causes a message to be >logged at DEBUG level. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 >RN: Update CTDB to track all TCP connections to public IP addresses > >Signed-off-by: Martin Schwenke <mschwenke@ddn.com> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jerry Heyman <jheyman@ddn.com> >(cherry picked from commit c3695722b6316b624aa6c44cad4f44279303d1b1) >--- > ctdb/config/functions | 16 ++++++++-------- > 1 file changed, 8 insertions(+), 8 deletions(-) > >diff --git a/ctdb/config/functions b/ctdb/config/functions >index 69d44542755..becef7166a8 100755 >--- a/ctdb/config/functions >+++ b/ctdb/config/functions 
>@@ -1193,6 +1193,14 @@ update_tickles() > done <"$CTDB_MY_PUBLIC_IPS_CACHE" > _port_filter="sport == :${_port}" > >+ # Record our current tickles in a temporary file >+ _my_tickles="${tickledir}/${_port}.tickles.$$" >+ while read -r _i; do >+ $CTDB -X gettickles "$_i" "$_port" | >+ awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4, $5 }' >+ done <"$CTDB_MY_PUBLIC_IPS_CACHE" | >+ sort >"$_my_tickles" >+ > # Record connections to our public IPs in a temporary file. > # This temporary file is in CTDB's private state directory and > # $$ is used to avoid a very rare race involving CTDB's script >@@ -1206,14 +1214,6 @@ update_tickles() > awk '{print $4, $3}' | > sort >"$_my_connections" > >- # Record our current tickles in a temporary file >- _my_tickles="${tickledir}/${_port}.tickles.$$" >- while read -r _i; do >- $CTDB -X gettickles "$_i" "$_port" | >- awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4, $5 }' >- done <"$CTDB_MY_PUBLIC_IPS_CACHE" | >- sort >"$_my_tickles" >- > # Add tickles for connections that we haven't already got tickles for > comm -23 "$_my_connections" "$_my_tickles" | > $CTDB addtickle >-- >2.45.2 > > >From ed72a16d3ee110e93fa1224a5f191fbe7db616e5 Mon Sep 17 00:00:00 2001 >From: Martin Schwenke <mschwenke@ddn.com> >Date: Mon, 23 Oct 2023 14:17:36 +1100 >Subject: [PATCH 9/9] ctdb-scripts: Track connections for all ports for public > IPs > >Currently TCP ports like NFS lock manager are not tracked. It is >easier to track all connections than to add a configuration system to >try to track specified ports, so do that. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 >RN: Update CTDB to track all TCP connections to public IP addresses 
> >Signed-off-by: Martin Schwenke <mschwenke@ddn.com> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jerry Heyman <jheyman@ddn.com> >(cherry picked from commit 590a86dbe4adf45ac8d15497934e25ea98148034) >--- > ctdb/config/events/legacy/10.interface.script | 2 +- > ctdb/config/functions | 17 ++++++----------- > 2 files changed, 7 insertions(+), 12 deletions(-) > >diff --git a/ctdb/config/events/legacy/10.interface.script b/ctdb/config/events/legacy/10.interface.script >index d7c36470306..dfd796563fd 100755 >--- a/ctdb/config/events/legacy/10.interface.script >+++ b/ctdb/config/events/legacy/10.interface.script >@@ -248,7 +248,7 @@ ipreallocated) > monitor) > monitor_interfaces || exit 1 > >- update_tickles 2049 >+ update_tickles > ;; > esac > >diff --git a/ctdb/config/functions b/ctdb/config/functions >index becef7166a8..4139059a3d3 100755 >--- a/ctdb/config/functions >+++ b/ctdb/config/functions >@@ -1176,8 +1176,6 @@ nfs_callout() > > update_tickles() > { >- _port="$1" >- > tickledir="${CTDB_SCRIPT_VARDIR}/tickles" > mkdir -p "$tickledir" > >@@ -1186,17 +1184,16 @@ update_tickles() > return > fi > >- # IPs and port as ss filters >+ # IPs ss filter > _ip_filter="" > while read -r _ip; do > _ip_filter="${_ip_filter}${_ip_filter:+ || }src [${_ip}]" > done <"$CTDB_MY_PUBLIC_IPS_CACHE" >- _port_filter="sport == :${_port}" > > # Record our current tickles in a temporary file >- _my_tickles="${tickledir}/${_port}.tickles.$$" >+ _my_tickles="${tickledir}/all.tickles.$$" > while read -r _i; do >- $CTDB -X gettickles "$_i" "$_port" | >+ $CTDB -X gettickles "$_i" | > awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4, $5 }' > done <"$CTDB_MY_PUBLIC_IPS_CACHE" | > sort >"$_my_tickles" 
>@@ -1205,12 +1202,10 @@ update_tickles() > # This temporary file is in CTDB's private state directory and > # $$ is used to avoid a very rare race involving CTDB's script > # debugging. No security issue, nothing to see here... >- _my_connections="${tickledir}/${_port}.connections.$$" >- # Parentheses are needed around the filters for precedence but >+ _my_connections="${tickledir}/all.connections.$$" >+ # Parentheses are needed around the IP filter for precedence but > # the parentheses can't be empty! >- ss -tnH state established \ >- "${_ip_filter:+( ${_ip_filter} )}" \ >- "${_port_filter:+( ${_port_filter} )}" | >+ ss -tnH state established "${_ip_filter:+( ${_ip_filter} )}" | > awk '{print $4, $3}' | > sort >"$_my_connections" > >-- >2.45.2 >
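Review bot: in PATCH 1/9, hunk `@@ -1184,6 +1184,10 @@ update_tickles()`, the new early return cannot distinguish "this node holds no public IPs" from "`$CTDB -X ip` failed": the command substitution that sets `_ips` discards the tool's exit status, so a failing `ctdb` now makes update_tickles() return silently instead of producing the noisy listing the commit message complains about. Suggest checking the status of `$CTDB -X ip` before the `[ -z "$_ips" ]` test and logging an error in that case, so tool failures stay visible.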
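Review bot: in PATCH 2/9, hunk `@@ -1181,19 +1181,16 @@ update_tickles()`, the new loop `while read -r _ip; do ... done <"$CTDB_MY_PUBLIC_IPS_CACHE"` silently drops a final line that is not newline-terminated, because `read` returns non-zero at EOF even when it has read data; if the cache writer guarantees a trailing newline this is fine, otherwise use `while read -r _ip || [ -n "$_ip" ]; do`. The same loop shape is repeated in the next hunk (`@@ -1217,10 +1214,10 @@`) when building `_my_tickles`, so whatever is decided applies there too. It would also help to say in the comment that `[ ! -s "$CTDB_MY_PUBLIC_IPS_CACHE" ]` treats a missing cache file the same as an empty one, which is a change from querying the daemon directly.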
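Review bot: in PATCH 4/9, hunk `@@ -499,7 +499,7 @@ ctdb_check_unix_socket()`, switching to `ss -l -xH` (and `-tnH` in the following hunks) raises the minimum iproute2 version CTDB requires, and the commit message only estimates it as "since ~2018". For a backport to a stable branch (v4-21-test) the requirement should be stated in the release notes or the CTDB docs. Note also that on an older `ss` the unknown-option error goes to stderr while `_out` is simply empty, so this check would report "not listening on ${_sockpath}" rather than pointing at the unsupported option.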
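Review bot: in PATCH 5/9, hunk `@@ -1504,27 +1504,40 @@`, the commit message says terminology switches from "tickle" to "connection", but the comments kept in this hunk still read `/* If we don't have public IPs, tickles are useless */`, `/* If this is the first tickle */` and `/* A new tickle, we must add it to the array */`; for consistency with the new `DBG_INFO("Attempt to add connection ...")` messages they should be updated in the same pass. Also, `char conn_str[132] = { 0, };` introduces an unexplained magic size that is repeated in two later hunks; a named constant with a comment on how 132 was derived would make the bound reviewable.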
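Review bot: in PATCH 5/9, hunk `@@ -1653,9 +1663,21 @@ int32_t ctdb_control_tcp_remove(...)`, the render-to-string block (`ret = ctdb_connection_to_buf(conn_str, sizeof(conn_str), conn, false, " -> ");` followed by `if (ret != 0) { strlcpy(conn_str, "UNKNOWN", sizeof(conn_str)); }`) is now copied verbatim into ctdb_control_tcp_add(), ctdb_remove_connection() and this function. Since the commit is explicitly a clean-up with "No changes in functionality", factoring it into a small static helper that takes the buffer and the connection would remove the duplication and keep the fallback string in one place.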
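Review bot: in PATCH 7/9, hunk `@@ -338,7 +338,6 @@ monitor)` of 60.nfs.script, removing `update_tickles 2049` here while adding it to 10.interface.script changes which event script the tracking depends on: previously it ran only when the NFS script got past the `exit $?` check just above the removed line, now it runs from the interface monitor regardless of NFS state, and a deployment with 60.nfs enabled but 10.interface disabled would lose NFS tickle tracking entirely. That deserves a sentence in the release note (the RN: line only mentions tracking all connections) and in the script documentation.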
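Review bot: in PATCH 8/9, hunk `@@ -1193,6 +1193,14 @@ update_tickles()`, the moved block keeps only the comment `# Record our current tickles in a temporary file`, so nothing in the code explains that it must run before the `ss` capture; the reasoning lives only in the commit message. A short comment stating that the tickle list is fetched first so that tickles added by other means between the two snapshots are not deleted as stale (and that the reverse case is harmless) would stop a later tidy-up from reordering it back.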
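Review bot: in PATCH 9/9, hunk `@@ -1205,12 +1202,10 @@ update_tickles()`, dropping `_port_filter` changes the selection from "server sockets on a public IP" to every established TCP socket whose local address is a public IP: `ss -tnH state established "${_ip_filter:+( ${_ip_filter} )}"` also matches connections this node itself opened from that address, so those peers would now be registered as tickles and receive a tickle ACK on failover. If that is intended, the comment above the ss call should say so; if not, a direction filter is needed. Separately, both here and in hunk `@@ -602,7 +602,7 @@ get_tcp_connections_for_ip()` of PATCH 4/9, piping `ss` into `awk | sort` discards its exit status, so an `ss` failure leaves `_my_connections` empty and the later comparison with `_my_tickles` sees no connections at all; capturing the ss output and checking its status before the `comm` step would avoid acting on an empty snapshot.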
Flags: vl: review+