glusterfs.git/rpc/rpc-transport/socket/src, branch release-3.5 socket: disallow CBC cipher modes 2014-10-28T15:49:41+00:00 Niels de Vos ndevos@redhat.com 2014-10-27T12:57:44+00:00 027d38cf6ba838cd015886207d3c265ef6446757 This is related to CVE-2014-3566 a.k.a. POODLE. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 POODLE is specific to CBC cipher modes in SSLv3. Because there is no way to prevent SSLv3 fallback on a system with an unpatched version of OpenSSL, users of such systems can only be protected by disallowing CBC modes. The default cipher-mode specification in our code has been changed accordingly. Users can still set their own cipher modes if they wish. To support them, the ssl-authz.t test script provides an example of how to combine the CBC exclusion with other criteria in a script. Cherry picked from commit 378a0a19d95e552220d71b13be685f4772c576cd: > Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5 > BUG: 1155328 > Signed-off-by: Jeff Darcy <jdarcy@redhat.com> > Reviewed-on: http://review.gluster.org/8962 > Tested-by: Gluster Build System <jenkins@build.gluster.com> > Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com> > Reviewed-by: Vijay Bellur <vbellur@redhat.com> ssl-auth.t has been modified to not set the auth.ssl-allow option. This option is not available in the 3.5 branch. Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5 BUG: 1157661 Signed-off-by: Niels de Vos <ndevos@redhat.com> Reviewed-on: http://review.gluster.org/8979 Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com> Reviewed-by: Jeff Darcy <jdarcy@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> 
This is related to CVE-2014-3566 a.k.a. POODLE.

	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

POODLE is specific to CBC cipher modes in SSLv3.  Because there is no
way to prevent SSLv3 fallback on a system with an unpatched version of
OpenSSL, users of such systems can only be protected by disallowing CBC
modes.  The default cipher-mode specification in our code has been
changed accordingly.  Users can still set their own cipher modes if they
wish.  To support them, the ssl-authz.t test script provides an example
of how to combine the CBC exclusion with other criteria in a script.

Cherry picked from commit 378a0a19d95e552220d71b13be685f4772c576cd:
> Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5
> BUG: 1155328
> Signed-off-by: Jeff Darcy <jdarcy@redhat.com>
> Reviewed-on: http://review.gluster.org/8962
> Tested-by: Gluster Build System <jenkins@build.gluster.com>
> Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
> Reviewed-by: Vijay Bellur <vbellur@redhat.com>

ssl-auth.t has been modified to not set the auth.ssl-allow option. This
option is not available in the 3.5 branch.

Change-Id: Ib1fa547082fbb7de9df94ffd182b1800d6e354e5
BUG: 1157661
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Reviewed-on: http://review.gluster.org/8979
Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
socket: Fixed parsing RPC records containing multi fragments 2014-09-25T11:28:17+00:00 Niels de Vos ndevos@redhat.com 2014-09-25T09:40:08+00:00 f206732faafa44b9224f21e6e959b6c3f54e5b34 In __socket_proto_state_machine(), when parsing RPC records containing multi fragments, just change the state of parsing process, had not processed the memory to coalesce the multi fragments. Cherry picked from commit fb6702b7f8ba19333b7ba4af543d908e3f5e1923: > Change-Id: I5583e578603bd7290814a5d26885b31759c73115 > BUG: 1139598 > Signed-off-by: Gu Feng <flygoast@126.com> > Reviewed-on: http://review.gluster.org/8662 > Tested-by: Gluster Build System <jenkins@build.gluster.com> > Reviewed-by: Niels de Vos <ndevos@redhat.com> > Reviewed-by: Raghavendra G <rgowdapp@redhat.com> > Tested-by: Raghavendra G <rgowdapp@redhat.com> Change-Id: I5583e578603bd7290814a5d26885b31759c73115 BUG: 1136221 Signed-off-by: Niels de Vos <ndevos@redhat.com> Reviewed-on: http://review.gluster.org/8848 Tested-by: Gluster Build System <jenkins@build.gluster.com> 
In __socket_proto_state_machine(), when parsing RPC records containing
multi fragments, just change the state of parsing process, had not
processed the memory to coalesce the multi fragments.

Cherry picked from commit fb6702b7f8ba19333b7ba4af543d908e3f5e1923:
> Change-Id: I5583e578603bd7290814a5d26885b31759c73115
> BUG: 1139598
> Signed-off-by: Gu Feng <flygoast@126.com>
> Reviewed-on: http://review.gluster.org/8662
> Tested-by: Gluster Build System <jenkins@build.gluster.com>
> Reviewed-by: Niels de Vos <ndevos@redhat.com>
> Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
> Tested-by: Raghavendra G <rgowdapp@redhat.com>

Change-Id: I5583e578603bd7290814a5d26885b31759c73115
BUG: 1136221
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Reviewed-on: http://review.gluster.org/8848
Tested-by: Gluster Build System <jenkins@build.gluster.com>
mgmt/glusterd: make sure quota enforcer has established connection with quotad before marking quota as enabled. 2014-01-29T06:46:35+00:00 Raghavendra G rgowdapp@redhat.com 2013-12-23T09:24:05+00:00 bae348ef599463a974781083a5999991dbb8ecbb without this patch there is a window of time when quota is marked as enabled in quota-enforcer, but connection to quotad wouldn't have been established. Any checklimit done during this period can result in a failed fop because of unavailability of quotad. Change-Id: I0d509fabc434dd55ce9ec59157123524197fcc80 Signed-off-by: Raghavendra G <rgowdapp@redhat.com> BUG: 969461 Signed-off-by: Raghavendra G <rgowdapp@redhat.com> Reviewed-on: http://review.gluster.org/6572 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> Reviewed-on: http://review.gluster.org/6820 
without this patch there is a window of time when quota is marked as
enabled in quota-enforcer, but connection to quotad wouldn't have been
established. Any checklimit done during this period can result in a
failed fop because of unavailability of quotad.

Change-Id: I0d509fabc434dd55ce9ec59157123524197fcc80
Signed-off-by: Raghavendra G <rgowdapp@redhat.com>
BUG: 969461
Signed-off-by: Raghavendra G <rgowdapp@redhat.com>
Reviewed-on: http://review.gluster.org/6572
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Reviewed-on: http://review.gluster.org/6820
socket: limit vector count to IOV_MAX 2013-11-26T18:31:04+00:00 Anand Avati avati@redhat.com 2013-11-25T18:28:56+00:00 9da4958b7853f36a137c80493bec932b79d85e84 IOV_MAX is the maximum supported vector count on a given platform. Limit the count to IOV_MAX if higher. As we are performing non-blocking IO getting a smaller return value is handled naturally. Change-Id: I94ef67a03ed0e10da67a776af2b55506bf721611 BUG: 1034398 Signed-off-by: Anand Avati <avati@redhat.com> Reviewed-on: http://review.gluster.org/6354 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Amar Tumballi <amarts@gmail.com> 
IOV_MAX is the maximum supported vector count on a given platform.
Limit the count to IOV_MAX if higher. As we are performing non-blocking
IO getting a smaller return value is handled naturally.

Change-Id: I94ef67a03ed0e10da67a776af2b55506bf721611
BUG: 1034398
Signed-off-by: Anand Avati <avati@redhat.com>
Reviewed-on: http://review.gluster.org/6354
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Amar Tumballi <amarts@gmail.com>
rpcsvc: implement per-client RPC throttling 2013-10-28T07:33:19+00:00 Anand Avati avati@redhat.com 2013-10-20T15:45:18+00:00 a4056292528db49a666422c7f8e0c032441cc83f Implement a limit on the total number of outstanding RPC requests from a given cient. Once the limit is reached the client socket is removed from POLL-IN event polling. Change-Id: I8071b8c89b78d02e830e6af5a540308199d6bdcd BUG: 1008301 Signed-off-by: Anand Avati <avati@redhat.com> Reviewed-on: http://review.gluster.org/6114 Reviewed-by: Santosh Pradhan <spradhan@redhat.com> Reviewed-by: Rajesh Joseph <rjoseph@redhat.com> Reviewed-by: Harshavardhana <harsha@harshavardhana.net> Reviewed-by: Vijay Bellur <vbellur@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> 
Implement a limit on the total number of outstanding RPC requests
from a given cient. Once the limit is reached the client socket
is removed from POLL-IN event polling.

Change-Id: I8071b8c89b78d02e830e6af5a540308199d6bdcd
BUG: 1008301
Signed-off-by: Anand Avati <avati@redhat.com>
Reviewed-on: http://review.gluster.org/6114
Reviewed-by: Santosh Pradhan <spradhan@redhat.com>
Reviewed-by: Rajesh Joseph <rjoseph@redhat.com>
Reviewed-by: Harshavardhana <harsha@harshavardhana.net>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
transport/socket: don't try to set TCP_DELAY on unix domain sockets 2013-10-12T07:42:12+00:00 Raghavendra G rgowdapp@redhat.com 2013-09-17T06:14:34+00:00 9da2cb37834db98596dae8f7fb6d8f6abb513687 Change-Id: I290cd983bd0dff2e32e5ee90a12e888a3b31c6fd BUG: 969461 Signed-off-by: Raghavendra G <rgowdapp@redhat.com> Reviewed-on: http://review.gluster.org/5954 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Anand Avati <avati@redhat.com> 
Change-Id: I290cd983bd0dff2e32e5ee90a12e888a3b31c6fd
BUG: 969461
Signed-off-by: Raghavendra G <rgowdapp@redhat.com>
Reviewed-on: http://review.gluster.org/5954
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Anand Avati <avati@redhat.com>
core: block unused signals in created threads 2013-09-25T08:33:16+00:00 Anand Avati avati@redhat.com 2013-09-24T16:45:08+00:00 84fa8af38d2eab0f72349abb8136811bd3e96570 Block all signal except those which are set for explicit handling in glusterfs_signals_setup(). Since thread spawning code in libglusterfs and xlators can get called from application threads when used through libgfapi, it is necessary to do this blocking. Change-Id: Ia320f80521a83d2edcda50b9ad414583a0175281 BUG: 1011662 Signed-off-by: Anand Avati <avati@redhat.com> Reviewed-on: http://review.gluster.org/5995 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Amar Tumballi <amarts@redhat.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> 
Block all signal except those which are set for explicit handling
in glusterfs_signals_setup(). Since thread spawning code in
libglusterfs and xlators can get called from application threads
when used through libgfapi, it is necessary to do this blocking.

Change-Id: Ia320f80521a83d2edcda50b9ad414583a0175281
BUG: 1011662
Signed-off-by: Anand Avati <avati@redhat.com>
Reviewed-on: http://review.gluster.org/5995
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Amar Tumballi <amarts@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
glusterfsd: Round robin DNS should not be relied upon with 2013-09-06T22:56:34+00:00 Harshavardhana harsha@harshavardhana.net 2013-07-24T20:16:08+00:00 b610f1be7cd71b8f3e51c224c8b6fe0e7366c8cf config service availability for clients. Backupvolfile server as it stands is slow and prone to errors with mount script and its combination with RRDNS. Instead in theory it should use all the available nodes in 'trusted pool' by default (Right now we don't have a mechanism in place for this) Nevertheless this patch provides a scenario where a list of volfile-server can be provided on command as shown below ----------------------------------------------------------------- $ glusterfs -s server1 .. -s serverN --volfile-id=<volname> \ <mount_point> ----------------------------------------------------------------- OR ----------------------------------------------------------------- $ mount -t glusterfs -obackup-volfile-servers=<server2>: \ <server3>:...:<serverN> <server1>:/<volname> <mount_point> ----------------------------------------------------------------- Here ':' is used as a separator for mount script parsing Now these will be remembered and recursively attempted for fetching vol-file until exhausted. This would ensure that the clients get 'volume' configs in a consistent manner avoiding the need to poll through RRDNS. Change-Id: If808bb8a52e6034c61574cdae3ac4e7e83513a40 BUG: 986429 Signed-off-by: Harshavardhana <harsha@harshavardhana.net> Reviewed-on: http://review.gluster.org/5400 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Anand Avati <avati@redhat.com> 
config service availability for clients.

Backupvolfile server as it stands is slow and prone to errors
with mount script and its combination with RRDNS. Instead in
theory it should use all the available nodes in 'trusted pool'
by default (Right now we don't have a mechanism in place for
this)

Nevertheless this patch provides a scenario where a list of
volfile-server can be provided on command as shown below

-----------------------------------------------------------------
$ glusterfs -s server1 .. -s serverN --volfile-id=<volname> \
      <mount_point>
-----------------------------------------------------------------
                   OR
-----------------------------------------------------------------
$ mount -t glusterfs -obackup-volfile-servers=<server2>: \
      <server3>:...:<serverN> <server1>:/<volname> <mount_point>
-----------------------------------------------------------------

Here ':' is used as a separator for mount script parsing

Now these will be remembered and recursively attempted for
fetching vol-file until exhausted. This would ensure that the
clients get 'volume' configs in a consistent manner avoiding the
need to poll through RRDNS.

Change-Id: If808bb8a52e6034c61574cdae3ac4e7e83513a40
BUG: 986429
Signed-off-by: Harshavardhana <harsha@harshavardhana.net>
Reviewed-on: http://review.gluster.org/5400
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Anand Avati <avati@redhat.com>
mgmt/glusterd, socket: Change logging for brick disconnects 2013-06-11T14:52:16+00:00 Pranith Kumar K pkarampu@redhat.com 2013-05-15T09:16:57+00:00 328ea4b16a276b0e65ca719f60b82ce851dda848 For unix path based sockets, the socket path is cryptic (md5sum of path) and may not be useful for the user in debugging so log it in DEBUG. Changed logging in brick_rpc_notify to log brickinfo for disconnects. Change-Id: I69174bbbbde8352d38837723e950ad8fc15232aa BUG: 963153 Signed-off-by: Pranith Kumar K <pkarampu@redhat.com> Reviewed-on: http://review.gluster.org/5009 Reviewed-by: Niels de Vos <ndevos@redhat.com> Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com> 
For unix path based sockets, the socket path is
cryptic (md5sum of path) and may not be useful for
the user in debugging so log it in DEBUG.

Changed logging in brick_rpc_notify to log brickinfo
for disconnects.

Change-Id: I69174bbbbde8352d38837723e950ad8fc15232aa
BUG: 963153
Signed-off-by: Pranith Kumar K <pkarampu@redhat.com>
Reviewed-on: http://review.gluster.org/5009
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
transport/socket: fix connect/disconnect races 2013-06-04T22:37:54+00:00 Jeff Darcy jdarcy@redhat.com 2013-06-04T19:20:45+00:00 5c1710ed60ccb151ccd7a2890b24bb99518d36da We might receive a connect request while a disconnect is still in progress, requiring more states and (the return of) poller generation numbers to avoid redundant pollers. We might also get either kind of request from within our own rpc_transport_notify upcall, so we have to avoid locking and use the PLEASE_DIE state instead. Change-Id: Icbaacf96c516b607a79ff62c90b74d42b241780f BUG: 970194 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/5137 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Anand Avati <avati@redhat.com> 
We might receive a connect request while a disconnect is still in
progress, requiring more states and (the return of) poller generation
numbers to avoid redundant pollers.  We might also get either kind of
request from within our own rpc_transport_notify upcall, so we have to
avoid locking and use the PLEASE_DIE state instead.

Change-Id: Icbaacf96c516b607a79ff62c90b74d42b241780f
BUG: 970194
Signed-off-by: Jeff Darcy <jdarcy@redhat.com>
Reviewed-on: http://review.gluster.org/5137
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Anand Avati <avati@redhat.com>