Bug 208181

Summary: [new port] devel/libqb: High performance logging, tracing, ipc, and polling library
Product: Ports & Packages Reporter: David Shane Holden <dpejesh>
Component: Individual Port(s)Assignee: Tijl Coosemans <tijl>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   
Bug Depends on:    
Bug Blocks: 208182    
Attachments:
Description Flags
libqb.shar
none
poudriere testport none

Description David Shane Holden 2016-03-21 15:47:48 UTC
Created attachment 168456 [details]
libqb.shar

All patches have been committed upstream and will be part of the next release.
Comment 1 David Shane Holden 2016-03-21 15:48:26 UTC
Created attachment 168457 [details]
poudriere testport
Comment 2 Tijl Coosemans freebsd_committer freebsd_triage 2016-03-21 21:34:29 UTC
Are there multiple sockets in /var/run/qb?  Because if not, the default /var/run would be fine.
Comment 3 David Shane Holden 2016-03-21 23:42:19 UTC
Yeah, there's a ton of sockets in /var/run/qb.  It also needs to be a separate directory because if /var/run is used then corosync/pacemaker and any user allowed to talk to them will need r/w access to /var/run which isn't ideal.  An example of my socket directory looks like:

# ls -l /var/run/qb
total 16640
srwxrwxrwx  1 hacluster  wheel           0 Mar 20 22:33 attrd
srwxrwxrwx  1 root       wheel           0 Mar 20 22:33 cfg
srwxrwxrwx  1 hacluster  wheel           0 Mar 20 22:33 cib_ro
srwxrwxrwx  1 hacluster  wheel           0 Mar 20 22:33 cib_rw
srwxrwxrwx  1 hacluster  wheel           0 Mar 20 22:33 cib_shm
srwxrwxrwx  1 root       wheel           0 Mar 20 22:33 cmap
srwxrwxrwx  1 root       wheel           0 Mar 20 22:33 cpg
srwxrwxrwx  1 hacluster  wheel           0 Mar 20 22:33 crmd
srwxrwxrwx  1 root       wheel           0 Mar 20 22:33 lrmd
srwxrwxrwx  1 root       wheel           0 Mar 20 22:33 pacemakerd
srwxrwxrwx  1 hacluster  wheel           0 Mar 20 22:33 pengine
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-attrd-29498-0-16-event
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-attrd-29498-0-16-event-tx
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-attrd-29498-0-16-request
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-attrd-29498-0-16-response
-rw-rw----  1 hacluster  haclient       24 Mar 20 22:57 qb-attrd-control-29498-0-16
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cfg-20363-0-18-event
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cfg-20363-0-18-event-tx
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cfg-20363-0-18-request
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cfg-20363-0-18-response
-rw-------  1 root       wheel          24 Mar 20 22:57 qb-cfg-control-20363-0-18
srw-rw----  1 root       haclient        0 Mar 21 23:11 qb-cib_ro-27609-0-24-event
srw-rw----  1 root       haclient        0 Mar 21 23:11 qb-cib_ro-27609-0-24-response
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-cib_rw-27609-0-18-event
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-cib_rw-27609-0-18-event-tx
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-cib_rw-27609-0-18-request
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-cib_rw-27609-0-18-response
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-cib_rw-27609-0-19-event
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-cib_rw-27609-0-19-event-tx
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-cib_rw-27609-0-19-request
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-cib_rw-27609-0-19-response
srw-rw----  1 root       haclient        0 Mar 20 22:55 qb-cib_rw-27609-0-24-event
srw-rw----  1 root       haclient        0 Mar 20 22:55 qb-cib_rw-27609-0-24-response
-rw-------  1 hacluster  wheel          24 Mar 20 22:57 qb-cib_rw-control-27609-0-18
-rw-rw----  1 hacluster  haclient       24 Mar 20 22:57 qb-cib_rw-control-27609-0-19
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-cib_shm-27609-0-15-event
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-cib_shm-27609-0-15-event-tx
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-cib_shm-27609-0-15-request
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-cib_shm-27609-0-15-response
-rw-rw----  1 hacluster  haclient       24 Mar 21 23:28 qb-cib_shm-control-27609-0-15
-rw-------  1 root       wheel     8392704 Mar 20 22:33 qb-corosync-20058-blackbox-data
-rw-------  1 root       wheel        2088 Mar 20 22:57 qb-corosync-20058-blackbox-header
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cpg-20363-0-21-event
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cpg-20363-0-21-event-tx
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cpg-20363-0-21-request
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cpg-20363-0-21-response
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-cpg-20363-0-27-event
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-cpg-20363-0-27-event-tx
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-cpg-20363-0-27-request
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-cpg-20363-0-27-response
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-cpg-20363-0-30-event
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-cpg-20363-0-30-event-tx
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-cpg-20363-0-30-request
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-cpg-20363-0-30-response
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cpg-20363-0-31-event
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cpg-20363-0-31-event-tx
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cpg-20363-0-31-request
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-cpg-20363-0-31-response
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-cpg-20363-0-36-event
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-cpg-20363-0-36-event-tx
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-cpg-20363-0-36-request
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-cpg-20363-0-36-response
-rw-------  1 root       wheel          24 Mar 20 22:57 qb-cpg-control-20363-0-21
-rw-------  1 hacluster  haclient       24 Mar 20 22:57 qb-cpg-control-20363-0-27
-rw-------  1 hacluster  haclient       24 Mar 20 22:57 qb-cpg-control-20363-0-30
-rw-------  1 root       wheel          24 Mar 20 22:57 qb-cpg-control-20363-0-31
-rw-------  1 hacluster  haclient       24 Mar 20 22:57 qb-cpg-control-20363-0-36
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-lrmd-28562-0-9-event
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-lrmd-28562-0-9-event-tx
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-lrmd-28562-0-9-request
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-lrmd-28562-0-9-response
-rw-rw----  1 hacluster  haclient       24 Mar 20 22:57 qb-lrmd-control-28562-0-9
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-pengine-30464-0-9-event
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-pengine-30464-0-9-event-tx
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-pengine-30464-0-9-request
srw-rw----  1 hacluster  haclient        0 Mar 20 22:33 qb-pengine-30464-0-9-response
-rw-rw----  1 hacluster  haclient       24 Mar 21 23:28 qb-pengine-control-30464-0-9
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-quorum-20363-0-24-event
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-quorum-20363-0-24-event-tx
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-quorum-20363-0-24-request
srw-rw----  1 root       wheel           0 Mar 20 22:33 qb-quorum-20363-0-24-response
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-quorum-20363-0-39-event
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-quorum-20363-0-39-event-tx
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-quorum-20363-0-39-request
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-quorum-20363-0-39-response
-rw-------  1 root       wheel          24 Mar 20 22:57 qb-quorum-control-20363-0-24
-rw-------  1 hacluster  haclient       24 Mar 20 22:57 qb-quorum-control-20363-0-39
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-stonith-ng-28212-0-16-event
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-stonith-ng-28212-0-16-event-tx
srw-rw----  1 root       haclient        0 Mar 20 22:33 qb-stonith-ng-28212-0-16-request
srw-rw----  1 hacluster  wheel           0 Mar 20 22:33 qb-stonith-ng-28212-0-16-response
-rw-rw----  1 hacluster  haclient       24 Mar 20 22:33 qb-stonith-ng-control-28212-0-16
srwxrwxrwx  1 root       wheel           0 Mar 20 22:33 quorum
srwxrwxrwx  1 root       wheel           0 Mar 20 22:33 stonith-ng
srwxrwxrwx  1 root       wheel           0 Mar 20 22:33 votequorum
Comment 4 Tijl Coosemans freebsd_committer freebsd_triage 2016-03-22 08:38:04 UTC
I'm a bit reluctant to create a 1777 directory.  Would it be ok if the directory was owned by hacluster:haclient with mode 770 or 775?
Comment 5 David Shane Holden 2016-03-22 16:06:11 UTC
It should be fine to make it to @dir(root,haclient,1770).  The one drawback of that though is corosync can be configured to allow non-privileged users to communicate with it by checking getpeereid().  With the socket directory set to 1770 that means those users will also have to be part of the haclient group in order to create the client sockets in /var/run/qb.
Comment 6 Tijl Coosemans freebsd_committer freebsd_triage 2016-03-22 18:18:09 UTC
So I looked at how Gentoo and Debian deal with this, but they don't do anything special.  Looking at the code it seems libqb doesn't use the file system on Linux but an abstract namespace that allows any user to bind and connect sockets.  That would map to a directory with mode 1777 for us, but all of the names you listed above are predictable so I don't think this is secure.  I wonder how secure this is on Linux.

Reading http://clusterlabs.org/doc/acls.html it seems to be the intention that users have to be a member of haclient, so I think using root:haclient with mode 1770 is best, at least by default.  Admins can always change this of course.
Comment 7 David Shane Holden 2016-03-22 21:03:10 UTC
Correct.  libqb on Linux uses abstract namespace sockets so there isn't any file permissions to deal with, which is why I initially went with 1777.  I agree though, it's a safer default to use root:haclient 1770.
Comment 8 commit-hook freebsd_committer freebsd_triage 2016-03-23 10:50:14 UTC
A commit references this bug:

Author: tijl
Date: Wed Mar 23 10:49:18 UTC 2016
New revision: 411695
URL: https://svnweb.freebsd.org/changeset/ports/411695

Log:
  Add devel/libqb.

  libqb is a library with the primary purpose of providing high performance
  client server reusable features. It provides high performance logging, tracing,
  ipc, and poll.

  PR:		208181
  Submitted by:	David Shane Holden <dpejesh@yahoo.com>

Changes:
  head/devel/Makefile
  head/devel/libqb/
  head/devel/libqb/Makefile
  head/devel/libqb/distinfo
  head/devel/libqb/files/
  head/devel/libqb/files/patch-lib-ipc_int.h
  head/devel/libqb/files/patch-lib-ipc_setup.c
  head/devel/libqb/files/patch-lib-ipc_socket.c
  head/devel/libqb/files/patch-lib-log.c
  head/devel/libqb/files/patch-lib-unix.c
  head/devel/libqb/pkg-descr
  head/devel/libqb/pkg-plist