Add hostname configuration option to choose the hostname/IP to listen on #16
retest this please
@@ -239,6 +247,7 @@ cdp-listend [OPTIONS] | |||
--fetch_smear=SECONDS fetch run smearing time | |||
--nch_smear=SECONDS nch run smearing time\n"; | |||
--facility syslog facility | |||
--hostname=fqdn hostname/IP to listen on (use 0.0.0.0 to listen on all IPs) |
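Review bot: the new `--hostname=fqdn` help line presents 0.0.0.0 as the way to listen on all IPs without saying that this binds the daemon on every interface, external ones included, which is exactly the exposure the earlier, more restrictive code avoided; either drop the 0.0.0.0 hint from the help text or state the exposure next to it. Since the description says "hostname/IP", the `fqdn` placeholder should also read `hostname|ip` so the accepted forms match.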
Listening on 0.0.0.0 is potentially a security risk. I think it was a feature of the old code that it was so restrictive so it was not possible to accidentally start listening on external interfaces. I don't like encoding configuration policy in code (that's what PAN is for!) but I feel reticent about this addition to the help text.
@ned21 is it sufficient if I remove the 0.0.0.0 from the help text?
the old code would only listen on whatever hostname is set to, external/public or not. only localhost is not allowed (although that is also not really valid anymore, people could listen on localhost and have some routing/kernel rules in place that pick up the packets from other interfaces.)
wrt security, in order to solve #13 properly, I'll add optional support for encrypting messages, similar to what ccm-fetch uses with TRUST. that way you could listen on 0.0.0.0; but that's for later.
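The discussion above is about what the value of the new `--hostname` option may resolve to: the old daemon refused localhost, and 0.0.0.0 quietly binds every interface. The following is an added example, not cdp-listend's own code, of a pre-bind check that classifies each address the option maps to and rejects the risky cases unless the operator opts in; the hostnames, sample addresses and policy flag names are assumptions.

```python
# Added example (not cdp-listend code): validate a --hostname value before
# binding. Defaults are restrictive: no wildcard, no loopback, no public
# address unless explicitly allowed. Flag names and samples are assumptions.
import ipaddress
import socket


def classify_bind_address(addr: str) -> str:
    """Classify one IP literal as wildcard, loopback, link-local, private or public."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 scope id
    if ip.is_unspecified:
        return "wildcard"      # 0.0.0.0 or :: -> binds every interface
    if ip.is_loopback:
        return "loopback"      # 127.0.0.0/8 or ::1
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def resolve(hostname: str) -> set:
    """Addresses a --hostname value maps to; IP literals pass through untouched."""
    try:
        ipaddress.ip_address(hostname)
        return {hostname}
    except ValueError:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def check_listen_target(hostname, allow_wildcard=False, allow_loopback=False,
                        allow_public=False, resolver=resolve) -> dict:
    """Map each address behind `hostname` to 'ok' or 'rejected: <reason> (<kind>)'.

    `resolver` is injectable so the check can run against a constructed
    hostname-to-address mapping without DNS (used by the test below).
    """
    policy = {
        "wildcard": (allow_wildcard, "binds every interface, including external ones"),
        "loopback": (allow_loopback, "unreachable by remote notifiers"),
        "public": (allow_public, "exposes the listener beyond the private network"),
    }
    verdicts = {}
    for addr in sorted(resolver(hostname)):
        kind = classify_bind_address(addr)
        allowed, reason = policy.get(kind, (True, ""))
        verdicts[addr] = "ok" if allowed else f"rejected: {reason} ({kind})"
    return verdicts
```

Run `check_listen_target(value)` on the configured value at startup and refuse to bind if any verdict starts with "rejected".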
cca9e47 to 0a7f41a
@ned21 I removed 0.0.0.0 from the help text
LGTM. If @samary can confirm the rpm works as expected it's good to merge
@stdweird, @ned21 : I tried and it seems to work.
@samary you cannot do this via the ant task, but if you add routes on the deploy host like
(e.g. via quattor 😄 ) it should do the trick for now.
A new "hostname" option has been introduced by quattor/cdp-listend#16 to specify the interface to bind.
@stdweird : I don't know how the ant task is finding the hostname to use, any idea? Is there a way to change the ant task to read another part in the profile (e.g. /software/components/cdp/hostname) to have a 1 to 1 configuration (for coherence purposes)?
@samary it doesn't. there's nothing in the profile it can use for that.
@stdweird : OK, so how does notify find the hostname to use?
@samary I'd guess the profile name itself is used?
@samary but you could make it use
@stdweird : I tried with the profile name but it is not used by notify. Will ask on the mailing list. (Making ant read the profile is way beyond my current understanding of it).
Looks like the profile name from
@jrha : I'm not sure about that. I tried to change by hand the hostname in
@samary what might also work is to add the public hostnames with the private ips in /etc/hosts
LGTM and fixes #15, so can it be merged?
Except it does not really fix the reason behind #15. Given it's not usable, do we really want to clutter up our code base with unused code? Or is it a nice to have feature that's worth keeping even if no one is using it? We've deleted a lot of unused code from Quattor over the years... IMHO it seems a shame to add new unused code.
It seems like a basic feature that would be nice to have to me, but I see your point. |
@ned21 what is missing to make it usable? it's "only" the notification mechanism in the ant task, or is there something else I missed?
I was going off this quote from @samary and did not dive into the details:
So we might fix something else and then discover another problem further down the stack, etc etc.
It's a good point, I'll bump this and think about a top-level issue for the problem.
LGTM, but possibly not currently useful
Fixes #15