[ovs-discuss] Using unix sockets for controller communication
Ben Pfaff
blp at nicira.com
Fri Oct 14 17:19:51 UTC 2011
On Fri, Oct 14, 2011 at 10:58:09AM +0900, Jari Sundell wrote:
> On Fri, Oct 14, 2011 at 2:36 AM, Ben Pfaff <blp at nicira.com> wrote:
> > On Thu, Oct 13, 2011 at 05:50:37PM +0900, Jari Sundell wrote:
> >> In the thread "ARP Behavior in XenServer Host"
> >> <http://openvswitch.org/pipermail/discuss/2011-September/005624.html>,
> >> an issue similar to what I'm dealing with was discussed. While I get
> >> my setup working using 'disable-in-band' option, that isn't the
> >> optimal solution.
> >>
> >> What I was really hoping to do was to use a unix socket for
> >> communication with the controller, yet this has been disabled due to
> >> the fear of remote exploits.
> >
> > Every OVS bridge already listens automatically to
> > punix:/var/run/openvswitch/<bridge>.mgmt. What if we also whitelisted
> > the exact path unix:/var/run/openvswitch/<bridge>.controller? Would
> > that solve your problem?
> >
> > (Hmm, seems that we should probably prohibit "/" in bridge names.)
>
> Yes, that would solve my problem.
>
> Since, when creating a unix socket, the permissions, etc., depend on the
> directory, being able to configure the fixed path to use for each
> bridge would be nice. Else the controller will require write
> permission to the openvswitch directory. However, getting the above
> whitelist implemented is sufficient for me.
Sounds good.
Here is a patch. Will you test it for me?
Thanks,
Ben.
--8<--------------------------cut here-------------------------->8--
From: Ben Pfaff <blp at nicira.com>
Date: Fri, 14 Oct 2011 10:17:13 -0700
Subject: [PATCH] bridge: Allow specially named "unix:" controllers.
Some users want to use Unix domain socket controllers, so this relaxes the
restriction.
Requested-by: Jari Sundell <sundell.software at gmail.com>
---
vswitchd/bridge.c | 25 +++++++++++++++++++------
1 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index 186f250..b5071e2 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -2035,13 +2035,26 @@ bridge_configure_remotes(struct bridge *br,
if (!strncmp(c->target, "punix:", 6)
|| !strncmp(c->target, "unix:", 5)) {
static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
+ char *whitelist;
+
+ whitelist = xasprintf("unix:%s/%s.controller",
+ ovs_rundir(), br->name);
+ if (strcmp(c->target, whitelist)) {
+ /* Prevent remote ovsdb-server users from accessing arbitrary
+ * Unix domain sockets and overwriting arbitrary local
+ * files. */
+ VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket "
+ "controller \"%s\" due to possibility for remote "
+ "exploit. Instead, specify whitelisted \"%s\" or "
+ "connect to \"unix:%s/%s.mgmt\" (which is always "
+ "available without special configuration).",
+ br->name, c->target, whitelist,
+ ovs_rundir(), br->name);
+ free(whitelist);
+ continue;
+ }
- /* Prevent remote ovsdb-server users from accessing arbitrary Unix
- * domain sockets and overwriting arbitrary local files. */
- VLOG_ERR_RL(&rl, "bridge %s: not adding Unix domain socket "
- "controller \"%s\" due to possibility for remote "
- "exploit", br->name, c->target);
- continue;
+ free(whitelist);
}
bridge_configure_local_iface_netdev(br, c);
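Review bot: The whitelisted path is built from br->name with xasprintf("unix:%s/%s.controller", ovs_rundir(), br->name), so the strcmp() check only restricts the target to a fixed location if bridge names cannot contain "/" (or ".." segments); the earlier remark in this thread that "/" should probably be prohibited in bridge names is therefore a prerequisite for this hunk, and it would be worth either validating the name before the comparison or noting the dependency in the comment. Two smaller points: a "punix:" target still takes this branch and can never match the "unix:"-prefixed whitelist, which is intended but deserves a word in the log message, and the new message capitalizes "Not adding" where the removed one used "not adding".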
--
1.7.4.4