12:18 p.m.
I created this bug, now changed to an enhancement request:
https://issues.jboss.org/browse/JBAS-9373
to deal with the tm layer binding to an anonymous port on the 127.0.0.1
interface as a means to obtain a system wide unique number. How this is
done is not exposed via the domain model, and when running in an selinux
(secured linux) environment we need control over what interfaces/ports
are bound to, where files are written, etc. to be able to write the
correct selinux policy.
Do we need, or already have a id service that can be leveraged here? It
looks like the arjuna Uid class that is used generates a 28 byte/224 bit
value.
The main issue is that any subsystem has to express what privileged
resources it is making use of through the domain model.
12:33 p.m.
I have a feeling this is a 1 line fix; give me a minute. It's pulling
the port from the socket config, just not the address.
On 4/21/11 12:18 PM, Scott Stark wrote:
I created this bug, now changed to an enhancement request:
https://issues.jboss.org/browse/JBAS-9373
to deal with the tm layer binding to an anonymous port on the 127.0.0.1
interface as a means to obtain a system wide unique number. How this is
done is not exposed via the domain model, and when running in an selinux
(secured linux) environment we need control over what interfaces/ports
are bound to, where files are written, etc. to be able to write the
correct selinux policy.
Do we need, or already have a id service that can be leveraged here? It
looks like the arjuna Uid class that is used generates a 28 byte/224 bit
value.
The main issue is that any subsystem has to express what privileged
resources it is making use of through the domain model.
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
--
Brian Stansberry
Principal Software Engineer
JBoss by Red Hat
12:40 p.m.
Nope I misread and was wrong; the address is not configurable, it's hard
coded:
return new ServerSocket(port, 0, InetAddress.getByName(null));
Which makes sense, the whole intent of that class is to ensure
uniqueness on the machine and that's impossible if different processes
use different addresses. Finding a better way to do this is a
long-standing issue.
On 4/21/11 12:33 PM, Brian Stansberry wrote:
I have a feeling this is a 1 line fix; give me a minute. It's
pulling
the port from the socket config, just not the address.
On 4/21/11 12:18 PM, Scott Stark wrote:
> I created this bug, now changed to an enhancement request:
> https://issues.jboss.org/browse/JBAS-9373
>
> to deal with the tm layer binding to an anonymous port on the 127.0.0.1
> interface as a means to obtain a system wide unique number. How this is
> done is not exposed via the domain model, and when running in an selinux
> (secured linux) environment we need control over what interfaces/ports
> are bound to, where files are written, etc. to be able to write the
> correct selinux policy.
>
> Do we need, or already have a id service that can be leveraged here? It
> looks like the arjuna Uid class that is used generates a 28 byte/224 bit
> value.
>
> The main issue is that any subsystem has to express what privileged
> resources it is making use of through the domain model.
>
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
--
Brian Stansberry
Principal Software Engineer
JBoss by Red Hat
4:54 p.m.
Yes, that is the impression I got from Jonathan. He says it is
configurable, or at least the implementation can be changed, but I don't
see how looking at the code associated with the stack trace in JBAS-9373.
On 4/21/11 10:40 AM, Brian Stansberry wrote:
Nope I misread and was wrong; the address is not configurable,
it's hard
coded:
return new ServerSocket(port, 0, InetAddress.getByName(null));
Which makes sense, the whole intent of that class is to ensure
uniqueness on the machine and that's impossible if different processes
use different addresses. Finding a better way to do this is a
long-standing issue.
On 4/21/11 12:33 PM, Brian Stansberry wrote:
> I have a feeling this is a 1 line fix; give me a minute. It's pulling
> the port from the socket config, just not the address.
>
> On 4/21/11 12:18 PM, Scott Stark wrote:
>> I created this bug, now changed to an enhancement request:
>> https://issues.jboss.org/browse/JBAS-9373
>>
>> to deal with the tm layer binding to an anonymous port on the 127.0.0.1
>> interface as a means to obtain a system wide unique number. How this is
>> done is not exposed via the domain model, and when running in an selinux
>> (secured linux) environment we need control over what interfaces/ports
>> are bound to, where files are written, etc. to be able to write the
>> correct selinux policy.
>>
>> Do we need, or already have a id service that can be leveraged here? It
>> looks like the arjuna Uid class that is used generates a 28 byte/224 bit
>> value.
>>
>> The main issue is that any subsystem has to express what privileged
>> resources it is making use of through the domain model.
>>
>> _______________________________________________
>> jboss-as7-dev mailing list
>> jboss-as7-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>
4:18 p.m.
He's probably referring to the different implementations of the
com.arjuna.ats.arjuna.utils.Process interface that can be used, where
SocketProcessId is just a default. The domain configuration model should
expose a mechanism (probably an attribute with an enumerated value) to
select something else. But last I looked into this (pretty long ago),
none of the other options were a good default choice. Jonathan, is that
still the case?
On 4/21/11 4:54 PM, Scott Stark wrote:
Yes, that is the impression I got from Jonathan. He says it is
configurable, or at least the implementation can be changed, but I don't
see how looking at the code associated with the stack trace in JBAS-9373.
On 4/21/11 10:40 AM, Brian Stansberry wrote:
> Nope I misread and was wrong; the address is not configurable, it's hard
> coded:
>
> return new ServerSocket(port, 0, InetAddress.getByName(null));
>
> Which makes sense, the whole intent of that class is to ensure
> uniqueness on the machine and that's impossible if different processes
> use different addresses. Finding a better way to do this is a
> long-standing issue.
>
> On 4/21/11 12:33 PM, Brian Stansberry wrote:
>> I have a feeling this is a 1 line fix; give me a minute. It's pulling
>> the port from the socket config, just not the address.
>>
>> On 4/21/11 12:18 PM, Scott Stark wrote:
>>> I created this bug, now changed to an enhancement request:
>>> https://issues.jboss.org/browse/JBAS-9373
>>>
>>> to deal with the tm layer binding to an anonymous port on the 127.0.0.1
>>> interface as a means to obtain a system wide unique number. How this is
>>> done is not exposed via the domain model, and when running in an selinux
>>> (secured linux) environment we need control over what interfaces/ports
>>> are bound to, where files are written, etc. to be able to write the
>>> correct selinux policy.
>>>
>>> Do we need, or already have a id service that can be leveraged here? It
>>> looks like the arjuna Uid class that is used generates a 28 byte/224 bit
>>> value.
>>>
>>> The main issue is that any subsystem has to express what privileged
>>> resources it is making use of through the domain model.
>>>
>>> _______________________________________________
>>> jboss-as7-dev mailing list
>>> jboss-as7-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>
>
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
--
Brian Stansberry
Principal Software Engineer
JBoss by Red Hat
5:54 p.m.
IMO the domain model should not expose it as a config option, per my
comment on the JIRA. Using different implementations concurrently on
the same host O/S is just as invalid as using different interfaces and
should remain impossible.
And yes, I've already explained to Scott: 'We do ship alternative
implementaitons of the process-id interface... None are as heavily
tested as the socket based one and none are as likely to work in all
environments: O/S, filesystem, JVM, etc. Therefore I consider it
debatable if any will actually be an overall improvement on the socket
based one'.
Just write a policy file that allows binding to the appropriate
interface. You don't need control over the interface used, just an
awareness of which one it is.
Jonathan.
On 04/25/2011 10:18 PM, Brian Stansberry wrote:
He's probably referring to the different implementations of the
com.arjuna.ats.arjuna.utils.Process interface that can be used, where
SocketProcessId is just a default. The domain configuration model should
expose a mechanism (probably an attribute with an enumerated value) to
select something else. But last I looked into this (pretty long ago),
none of the other options were a good default choice. Jonathan, is that
still the case?
On 4/21/11 4:54 PM, Scott Stark wrote:
> Yes, that is the impression I got from Jonathan. He says it is
> configurable, or at least the implementation can be changed, but I don't
> see how looking at the code associated with the stack trace in JBAS-9373.
>
> On 4/21/11 10:40 AM, Brian Stansberry wrote:
>> Nope I misread and was wrong; the address is not configurable, it's hard
>> coded:
>>
>> return new ServerSocket(port, 0, InetAddress.getByName(null));
>>
>> Which makes sense, the whole intent of that class is to ensure
>> uniqueness on the machine and that's impossible if different processes
>> use different addresses. Finding a better way to do this is a
>> long-standing issue.
>>
>> On 4/21/11 12:33 PM, Brian Stansberry wrote:
>>> I have a feeling this is a 1 line fix; give me a minute. It's pulling
>>> the port from the socket config, just not the address.
>>>
>>> On 4/21/11 12:18 PM, Scott Stark wrote:
>>>> I created this bug, now changed to an enhancement request:
>>>> https://issues.jboss.org/browse/JBAS-9373
>>>>
>>>> to deal with the tm layer binding to an anonymous port on the
>>>> 127.0.0.1
>>>> interface as a means to obtain a system wide unique number. How
>>>> this is
>>>> done is not exposed via the domain model, and when running in an
>>>> selinux
>>>> (secured linux) environment we need control over what interfaces/ports
>>>> are bound to, where files are written, etc. to be able to write the
>>>> correct selinux policy.
>>>>
>>>> Do we need, or already have a id service that can be leveraged
>>>> here? It
>>>> looks like the arjuna Uid class that is used generates a 28
>>>> byte/224 bit
>>>> value.
>>>>
>>>> The main issue is that any subsystem has to express what privileged
>>>> resources it is making use of through the domain model.
>>>>
>>>> _______________________________________________
>>>> jboss-as7-dev mailing list
>>>> jboss-as7-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>
>>
>
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
--
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SI4 1TE, United Kingdom.
Registered in UK and Wales under Company Registration No. 3798903
Directors: Michael Cunningham (USA), Charlie Peters (USA), Matt Parsons
(USA) and Brendan Lane (Ireland).
5010
days inactive
5014
days old
5 comments
3 participants
participants (3)
-
Brian Stansberry -
Jonathan Halliday -
Scott Stark