Created attachment 168456
libqb.shar

All patches have been committed upstream and will be part of the next release.
Created attachment 168457
poudriere testport
Are there multiple sockets in /var/run/qb? Because if not, the default /var/run would be fine.
Yeah, there's a ton of sockets in /var/run/qb. It also needs to be a separate directory because if /var/run is used then corosync/pacemaker and any user allowed to talk to them will need r/w access to /var/run which isn't ideal. An example of my socket directory looks like:

# ls -l /var/run/qb
total 16640
srwxrwxrwx 1 hacluster wheel 0 Mar 20 22:33 attrd
srwxrwxrwx 1 root wheel 0 Mar 20 22:33 cfg
srwxrwxrwx 1 hacluster wheel 0 Mar 20 22:33 cib_ro
srwxrwxrwx 1 hacluster wheel 0 Mar 20 22:33 cib_rw
srwxrwxrwx 1 hacluster wheel 0 Mar 20 22:33 cib_shm
srwxrwxrwx 1 root wheel 0 Mar 20 22:33 cmap
srwxrwxrwx 1 root wheel 0 Mar 20 22:33 cpg
srwxrwxrwx 1 hacluster wheel 0 Mar 20 22:33 crmd
srwxrwxrwx 1 root wheel 0 Mar 20 22:33 lrmd
srwxrwxrwx 1 root wheel 0 Mar 20 22:33 pacemakerd
srwxrwxrwx 1 hacluster wheel 0 Mar 20 22:33 pengine
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-attrd-29498-0-16-event
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-attrd-29498-0-16-event-tx
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-attrd-29498-0-16-request
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-attrd-29498-0-16-response
-rw-rw---- 1 hacluster haclient 24 Mar 20 22:57 qb-attrd-control-29498-0-16
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cfg-20363-0-18-event
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cfg-20363-0-18-event-tx
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cfg-20363-0-18-request
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cfg-20363-0-18-response
-rw------- 1 root wheel 24 Mar 20 22:57 qb-cfg-control-20363-0-18
srw-rw---- 1 root haclient 0 Mar 21 23:11 qb-cib_ro-27609-0-24-event
srw-rw---- 1 root haclient 0 Mar 21 23:11 qb-cib_ro-27609-0-24-response
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-cib_rw-27609-0-18-event
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-cib_rw-27609-0-18-event-tx
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-cib_rw-27609-0-18-request
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-cib_rw-27609-0-18-response
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-cib_rw-27609-0-19-event
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-cib_rw-27609-0-19-event-tx
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-cib_rw-27609-0-19-request
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-cib_rw-27609-0-19-response
srw-rw---- 1 root haclient 0 Mar 20 22:55 qb-cib_rw-27609-0-24-event
srw-rw---- 1 root haclient 0 Mar 20 22:55 qb-cib_rw-27609-0-24-response
-rw------- 1 hacluster wheel 24 Mar 20 22:57 qb-cib_rw-control-27609-0-18
-rw-rw---- 1 hacluster haclient 24 Mar 20 22:57 qb-cib_rw-control-27609-0-19
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-cib_shm-27609-0-15-event
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-cib_shm-27609-0-15-event-tx
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-cib_shm-27609-0-15-request
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-cib_shm-27609-0-15-response
-rw-rw---- 1 hacluster haclient 24 Mar 21 23:28 qb-cib_shm-control-27609-0-15
-rw------- 1 root wheel 8392704 Mar 20 22:33 qb-corosync-20058-blackbox-data
-rw------- 1 root wheel 2088 Mar 20 22:57 qb-corosync-20058-blackbox-header
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cpg-20363-0-21-event
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cpg-20363-0-21-event-tx
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cpg-20363-0-21-request
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cpg-20363-0-21-response
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-cpg-20363-0-27-event
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-cpg-20363-0-27-event-tx
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-cpg-20363-0-27-request
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-cpg-20363-0-27-response
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-cpg-20363-0-30-event
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-cpg-20363-0-30-event-tx
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-cpg-20363-0-30-request
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-cpg-20363-0-30-response
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cpg-20363-0-31-event
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cpg-20363-0-31-event-tx
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cpg-20363-0-31-request
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-cpg-20363-0-31-response
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-cpg-20363-0-36-event
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-cpg-20363-0-36-event-tx
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-cpg-20363-0-36-request
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-cpg-20363-0-36-response
-rw------- 1 root wheel 24 Mar 20 22:57 qb-cpg-control-20363-0-21
-rw------- 1 hacluster haclient 24 Mar 20 22:57 qb-cpg-control-20363-0-27
-rw------- 1 hacluster haclient 24 Mar 20 22:57 qb-cpg-control-20363-0-30
-rw------- 1 root wheel 24 Mar 20 22:57 qb-cpg-control-20363-0-31
-rw------- 1 hacluster haclient 24 Mar 20 22:57 qb-cpg-control-20363-0-36
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-lrmd-28562-0-9-event
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-lrmd-28562-0-9-event-tx
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-lrmd-28562-0-9-request
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-lrmd-28562-0-9-response
-rw-rw---- 1 hacluster haclient 24 Mar 20 22:57 qb-lrmd-control-28562-0-9
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-pengine-30464-0-9-event
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-pengine-30464-0-9-event-tx
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-pengine-30464-0-9-request
srw-rw---- 1 hacluster haclient 0 Mar 20 22:33 qb-pengine-30464-0-9-response
-rw-rw---- 1 hacluster haclient 24 Mar 21 23:28 qb-pengine-control-30464-0-9
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-quorum-20363-0-24-event
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-quorum-20363-0-24-event-tx
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-quorum-20363-0-24-request
srw-rw---- 1 root wheel 0 Mar 20 22:33 qb-quorum-20363-0-24-response
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-quorum-20363-0-39-event
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-quorum-20363-0-39-event-tx
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-quorum-20363-0-39-request
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-quorum-20363-0-39-response
-rw------- 1 root wheel 24 Mar 20 22:57 qb-quorum-control-20363-0-24
-rw------- 1 hacluster haclient 24 Mar 20 22:57 qb-quorum-control-20363-0-39
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-stonith-ng-28212-0-16-event
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-stonith-ng-28212-0-16-event-tx
srw-rw---- 1 root haclient 0 Mar 20 22:33 qb-stonith-ng-28212-0-16-request
srw-rw---- 1 hacluster wheel 0 Mar 20 22:33 qb-stonith-ng-28212-0-16-response
-rw-rw---- 1 hacluster haclient 24 Mar 20 22:33 qb-stonith-ng-control-28212-0-16
srwxrwxrwx 1 root wheel 0 Mar 20 22:33 quorum
srwxrwxrwx 1 root wheel 0 Mar 20 22:33 stonith-ng
srwxrwxrwx 1 root wheel 0 Mar 20 22:33 votequorum
I'm a bit reluctant to create a 1777 directory. Would it be ok if the directory was owned by hacluster:haclient with mode 770 or 775?
It should be fine to make it @dir(root,haclient,1770). The one drawback of that, though, is that corosync can be configured to allow non-privileged users to communicate with it by checking getpeereid(). With the socket directory set to 1770, that means those users will also have to be part of the haclient group in order to create the client sockets in /var/run/qb.
So I looked at how Gentoo and Debian deal with this, but they don't do anything special. Looking at the code it seems libqb doesn't use the file system on Linux but an abstract namespace that allows any user to bind and connect sockets. That would map to a directory with mode 1777 for us, but all of the names you listed above are predictable so I don't think this is secure. I wonder how secure this is on Linux. Reading http://clusterlabs.org/doc/acls.html it seems to be the intention that users have to be a member of haclient, so I think using root:haclient with mode 1770 is best, at least by default. Admins can always change this of course.
Correct. libqb on Linux uses abstract namespace sockets so there aren't any file permissions to deal with, which is why I initially went with 1777. I agree though, it's a safer default to use root:haclient 1770.
A commit references this bug:

Author: tijl
Date: Wed Mar 23 10:49:18 UTC 2016
New revision: 411695
URL: https://svnweb.freebsd.org/changeset/ports/411695

Log:
  Add devel/libqb.

  libqb is a library with the primary purpose of providing high performance client server reusable features. It provides high performance logging, tracing, ipc, and poll.

  PR: 208181
  Submitted by: David Shane Holden <dpejesh@yahoo.com>

Changes:
  head/devel/Makefile
  head/devel/libqb/
  head/devel/libqb/Makefile
  head/devel/libqb/distinfo
  head/devel/libqb/files/
  head/devel/libqb/files/patch-lib-ipc_int.h
  head/devel/libqb/files/patch-lib-ipc_setup.c
  head/devel/libqb/files/patch-lib-ipc_socket.c
  head/devel/libqb/files/patch-lib-log.c
  head/devel/libqb/files/patch-lib-unix.c
  head/devel/libqb/pkg-descr
  head/devel/libqb/pkg-plist