Date: Sun 10 Mar 2002 - 04:15:16 GMT
This change is causing problems.
You have some common services used by vservers, e.g. dns cache/resolver, database backend
etc.., listening on 127.0.0.1 on the same machine.
Starting from ctx-8, vservers are unable to connect and use such services,
because when they try to connect to 127.0.0.1 it is remapped to their pubic IP addresses.
Usually when application needs to create a "private" service it binds to localhost.
With previous kernels, it would fail. With ctx-8, it succeeds but instead of listening
on localhost, it opens up a port on public interface, which is not what application
expects. This could have dire security consequences. I'd rather it failed than
succeeded with unexpected result.
Could you make this particular bits, i.e. remapping bind and route of 127.0.0.1 optional?
Either at kernel build time or at runtime?
I understand that it solved some problems for people running samba, but at what expense?
On Tuesday, 26 February 2002 at 14:39, Jacques Gelinas wrote:
> 1.4. kernel ctx-8
> + Using 127.0.0.1 in a vserver.
> Note, this is unrelated to the multi-IP-per-vserver concept. A
> vserver normally use a single IP to listen and talk. In general,
> this is not a problem. But it breaks a little semantic. Most
> services out there simply do a bind on IP 0.0.0.0. This way, they
> expect to grab any incoming traffic. They also expect that talking
> to 127.0.0.1 is a good way (configuration less) to talk to
> themselves. Some services are using localhost (which is redirect to
> the ipv4root of the vserver) and some are using 127.0.0.1 directly.
> The ctx-8 kernel now maps 127.0.0.1 to the ipv4root of the vserver
> on the fly. This solves some issues with samba and should also (not
> tested) solve the issue with PostgreSQL.