rpc: define client port range

Problem: when bind-insecure is 'off', all the clients bind to secure ports, if incase all the secure ports exhaust the client will no more bind to secure ports and tries gets a random port which is obviously insecure. we have seen the client obtaining a port number in the range 49152-65535 which are actually reserved as part of glusterd's pmap_registry for bricks, hence this will lead to port clashes between client and brick processes. Solution: If we can define different port ranges for clients incase where secure ports exhaust, we can avoid the maximum port clashes with in gluster processes. Still we are prone to have clashes with other non-gluster processes, but the chances being very low, but that's a different story on its own, which will be handled in upcoming patches. > Change-Id: Ib5ce05991aa1290ccb17f6f04ffd65caf411feaf > BUG: 1322805 > Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com> > Reviewed-on: http://review.gluster.org/13998 > Smoke: Gluster Build System <jenkins@build.gluster.com> > NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> > CentOS-regression: Gluster Build System <jenkins@build.gluster.com> > Reviewed-by: Atin Mukherjee <amukherj@redhat.com> > Reviewed-by: Raghavendra G <rgowdapp@redhat.com> > Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com> Change-Id: I712676d3e79145d78a17f2c361525e6ef82a4732 BUG: 1323564 Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com> Reviewed-on: http://review.gluster.org/14205 Tested-by: Prasanna Kumar Kalever <pkalever@redhat.com> Smoke: Gluster Build System <jenkins@build.gluster.com> CentOS-regression: Gluster Build System <jenkins@build.gluster.com> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
author: Prasanna Kumar Kalever <prasanna.kalever@redhat.com> 2016-05-04 13:25:06 +0530
committer: Raghavendra G <rgowdapp@redhat.com> 2016-05-04 20:24:42 -0700
commit: 0b7631b44b829f44c2ebb3a2f2d01d97987e1fd7 (patch)
tree: 860c8f186895edabead8b6a5c1eed3b9babf19fe /rpc
parent: 8f6ab172c9817638f9032ed4436423efd8f8c56c (diff)
2 files changed, 39 insertions, 2 deletions
diff --git a/rpc/rpc-transport/rdma/src/name.c b/rpc/rpc-transport/rdma/src/name.c
index d4502e766bf..d5de6f8f5bc 100644
--- a/rpc/rpc-transport/rdma/src/name.c
+++ b/rpc/rpc-transport/rdma/src/name.c
@@ -57,10 +57,17 @@ af_inet_bind_to_port_lt_ceiling (struct rdma_cm_id *cm_id,
         int32_t        ret        = -1;
         uint16_t      port        = ceiling - 1;
         gf_boolean_t  ports[GF_PORT_MAX];
+        int           i           = 0;
 
+loop:
         ret = gf_process_reserved_ports (ports, ceiling);
 
         while (port) {
+                if (port == GF_CLIENT_PORT_CEILING) {
+                        ret = -1;
+                        break;
+                }
+
                 /* ignore the reserved ports */
                 if (ports[port] == _gf_true) {
                         port--;
@@ -80,6 +87,18 @@ af_inet_bind_to_port_lt_ceiling (struct rdma_cm_id *cm_id,
                 port--;
         }
 
+        /* Incase if all the secure ports are exhausted, we are no more
+         * binding to secure ports, hence instead of getting a random
+         * port, lets define the range to restrict it from getting from
+         * ports reserved for bricks i.e from range of 49152 - 65535
+         * which further may lead to port clash */
+        if (!port) {
+                ceiling = port = GF_CLNT_INSECURE_PORT_CEILING;
+                for (i = 0; i <= ceiling; i++)
+                        ports[i] = _gf_false;
+                goto loop;
+        }
+
         return ret;
 }
 
diff --git a/rpc/rpc-transport/socket/src/name.c b/rpc/rpc-transport/socket/src/name.c
index aa43006785f..3f85b9f7d60 100644
--- a/rpc/rpc-transport/socket/src/name.c
+++ b/rpc/rpc-transport/socket/src/name.c
@@ -45,11 +45,17 @@ af_inet_bind_to_port_lt_ceiling (int fd, struct sockaddr *sockaddr,
         int32_t        ret        = -1;
         uint16_t      port        = ceiling - 1;
         gf_boolean_t  ports[GF_PORT_MAX];
+        int           i           = 0;
 
+loop:
         ret = gf_process_reserved_ports (ports, ceiling);
 
-        while (port)
-        {
+        while (port) {
+                if (port == GF_CLIENT_PORT_CEILING) {
+                        ret = -1;
+                        break;
+                }
+
                 /* ignore the reserved ports */
                 if (ports[port] == _gf_true) {
                         port--;
@@ -69,6 +75,18 @@ af_inet_bind_to_port_lt_ceiling (int fd, struct sockaddr *sockaddr,
                 port--;
         }
 
+        /* Incase if all the secure ports are exhausted, we are no more
+         * binding to secure ports, hence instead of getting a random
+         * port, lets define the range to restrict it from getting from
+         * ports reserved for bricks i.e from range of 49152 - 65535
+         * which further may lead to port clash */
+        if (!port) {
+                ceiling = port = GF_CLNT_INSECURE_PORT_CEILING;
+                for (i = 0; i <= ceiling; i++)
+                        ports[i] = _gf_false;
+                goto loop;
+        }
+
         return ret;
 }
author	Prasanna Kumar Kalever <prasanna.kalever@redhat.com>	2016-05-04 13:25:06 +0530
committer	Raghavendra G <rgowdapp@redhat.com>	2016-05-04 20:24:42 -0700
commit	0b7631b44b829f44c2ebb3a2f2d01d97987e1fd7 (patch)
tree	860c8f186895edabead8b6a5c1eed3b9babf19fe /rpc
parent	8f6ab172c9817638f9032ed4436423efd8f8c56c (diff)