Re: "port xxx not secure" errors
2007-05-01 07:49:19
The problem is:
dumper: connect_portrange: connect from 0.0.0.0.585 failed: Operation timed out
dumper: connect_portrange: connect to 209.123.46.114.10080 failed: Operation timed out
dumper: stream_client: Could not bind to port in range 512-1023.
Could you try the attached patch?
Jean-Louis
Charles Sprickman wrote:
On Mon, 30 Apr 2007, Jean-Louis Martineau wrote:
Amanda tries to use a privileged port in the range 512-1023.
It will not use ports reserved for other services, as listed in
/etc/services.
There appear to be very few ports available in that range.
There are fewer ports available for tcp than udp.
In my /etc/services, both tcp and udp are pretty crowded.
This is an /etc/services for 4.11:
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/services?rev=1.62.2.17;content-type=text%2Fx-cvsweb-markup;only_with_tag=RELENG_4_11
And on a slight tangent, I had them reserve a tcp port for amanda as
well:
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/services?rev=1.105;content-type=text%2Fx-cvsweb-markup
Which amanda version are you using?
2.5.1p3
What is your OS?
FreeBSD 4.11
Did it list all ports from 512 to 1026, or did it jump from 603 to 1026?
There seems to be a big jump. It also tends to go back and try 585
and 601 quite a bit.
How many lines have the "Address already in use" failed message?
In just this one debug file (there are 5), 16 times. In all 5, 258.
This is for 20 hosts with about 5-6 DLEs per host.
How many DLEs do you have for 209.123.46.102?
8.
What is the maxdumps setting?
Currently it's set to 1.
Did you configure with --without-reuseaddr? You should probably not.
What is the output of: grep USE_REUSEADDR config/config.h
[devel2]/tmp/amanda/server/DailySet1 # grep REUSEADDR /usr/ports/misc/amanda-server/work/amanda-2.5.1p3/config/config.h
/* Define to set SO_REUSEADDR on network connections. */
#define USE_REUSEADDR 1
Next time, attach the complete debug file.
bzipped and attached, but it's kind of big unzipped. Trouble is seen
round line 143.
You can try to remove some services from /etc/services.
I've been meaning to look at ssh auth at some point. I'm assuming
that would get rid of this problem or no?
Thanks so much,
Charles
Jean-Louis
Charles Sprickman wrote:
On Sun, 29 Apr 2007, Jean-Louis Martineau wrote:
The dumper must be installed suid root.
[devel2]/tmp/amanda/server/DailySet1 # ls -l /usr/local/libexec/amanda/dumper
-r-sr-x--- 1 root operator 30344 Mar 14 01:54 /usr/local/libexec/amanda/dumper
What's in the dumper.<timestamps>.debug file?
I've got the following. It looks like it steps through all services
in /etc/services and decides that they are used by other services.
I don't have the same log left around, but in short the sequence of
events in the dumper debug log is this:
-searches through all services in /etc/services, decides most are already
assigned to another service -
dumper: connect_port: Skip port 597: Owned by ptcnameservice.
dumper: connect_port: Skip port 598: Owned by sco-websrvrmg3.
dumper: connect_port: Skip port 599: Owned by acp.
dumper: connect_port: Skip port 600: Owned by ipcserver.
dumper: connect_port: Try port 601: Available
note that these aren't actually in use, just defined in /etc/services
-it seems to do this on each connect and quite often will try a port that
it's already using on another dump job -
dumper: connect_portrange: connect from 0.0.0.0.601 failed: Address already in use
dumper: connect_portrange: connect to 209.123.46.102.10080 failed: Address already in use
-this goes on and on, with the port number increasing until it reaches
something outside the privileged port range -
security_stream_seterr(0x8086000, EOF)
security_stream_close(0x8086000)
security_stream_seterr(0x806d000, EOF)
security_stream_close(0x806d000)
security_stream_seterr(0x807d000, EOF)
security_stream_close(0x807d000)
dumper: connect_port: Try port 1026: Available -
dumper: connected to 127.0.0.1.4133
dumper: our side is 0.0.0.0.1026
dumper: try_socksize: send buffer size is zu
security_getdriver(name=bsdtcp) returns 0x480c1380
security_handleinit(handle=0x805d100, driver=0x480c1380 (BSDTCP))
security_streaminit(stream=0x8064000, driver=0x480c1380 (BSDTCP))
dumper: connect_port: Try port 585: Available -
dumper: connect_portrange: connect from 0.0.0.0.585 failed: Address already in use
dumper: connect_portrange: connect to 209.123.46.110.10080 failed: Address already in use
dumper: connect_port: Skip port 512: Owned by exec.
(repeat - eventually it finds a low port that works)
This process repeats in the debug files, it works its way down to a
lower port, sees it's in use already, increments up until it gets to
1026 again.
Keep in mind I'm using bsdtcp-auth, which I suppose is somewhat
new. If I had to guess I'd say that there's either some odd problem
in parsing /etc/services as there's always this huge jump from port
603 or so right to 1026 or higher.
What do you folks think?
Thanks,
Charles
Binary files amanda-2.5.1p3/common-src/.stream.c.swp and
amanda-2.5.1p3.ETIMEDOUT/common-src/.stream.c.swp differ
diff -u -r --show-c-function --new-file
--exclude-from=/home/martinea/src.orig/amanda.diff
--ignore-matching-lines='$Id:' amanda-2.5.1p3/common-src/util.c
amanda-2.5.1p3.ETIMEDOUT/common-src/util.c
--- amanda-2.5.1p3/common-src/util.c 2007-02-20 19:08:16.000000000 -0500
+++ amanda-2.5.1p3.ETIMEDOUT/common-src/util.c 2007-05-01 07:29:02.000000000
-0400
@@ -307,8 +307,7 @@ connect_port(
errno = save_errno;
if (save_errno == ECONNREFUSED ||
save_errno == EHOSTUNREACH ||
- save_errno == ENETUNREACH ||
- save_errno == ETIMEDOUT) {
+ save_errno == ENETUNREACH) {
return -2 ;
}
return -1;
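Review bot: in connect_port(), the condition guarding `return -2 ;` no longer includes ETIMEDOUT, so a timed-out connect now falls through to `return -1;`, but nothing in the visible lines says what the two return values mean to the caller. Please add a comment above the `if (save_errno == ECONNREFUSED ||` test explaining which errors get -2, which get -1, and why a timeout belongs with the latter, or replace the literals with named constants. While touching the line, the stray space in `return -2 ;` could be dropped.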
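The thread turns on how few ports in 512-1023 are left once every port listed in /etc/services is skipped. The following is an added example, not part of the original message and not Amanda's code: it parses a services file and counts the ports in that range with no entry for tcp and for udp. The function names and the embedded sample file are constructed for illustration, and it assumes the skip rule is exactly "any entry for that port and protocol".

```python
import re
import sys

# Constructed sample in /etc/services format (not the FreeBSD 4.11 file).
SAMPLE_SERVICES = """\
exec      512/tcp
biff      512/udp   comsat
login     513/tcp
who       513/udp   whod
shell     514/tcp   cmd       # no passwords used
syslog    514/udp
printer   515/tcp   spooler
talk      517/tcp
talk      517/udp
ntalk     518/tcp
amanda    10080/udp
"""

ENTRY_RE = re.compile(r"^\s*(\S+)\s+(\d+)/(\w+)")


def parse_services(text):
    """Map (port, proto) -> service name, ignoring comments and blank lines."""
    owners = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line.split("#", 1)[0])
        if match:
            name, port, proto = match.groups()
            owners.setdefault((int(port), proto.lower()), name)
    return owners


def unassigned_ports(text, proto, first=512, last=1023):
    """Ports in [first, last] that no services entry claims for proto."""
    owners = parse_services(text)
    return [p for p in range(first, last + 1) if (p, proto) not in owners]


def summary(text, first=512, last=1023):
    """Count of unassigned ports per protocol in the range."""
    return {proto: len(unassigned_ports(text, proto, first, last))
            for proto in ("tcp", "udp")}


if __name__ == "__main__":
    # Pass a services file path to check a real host; default is the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE_SERVICES
    print(summary(data))
```

Run against a host's own /etc/services, the tcp count is the upper bound on simultaneous privileged-port connections available under that skip rule.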