Add teleport networking subprocess for port/agent/x11 forwarding
#43756
Conversation
Joerger
changed the title
teleport networkingsubprocess for port/agent/x11 forwardingteleport networking subprocess for port/agent/x11 forwarding
Joerger
changed the title
teleport networking subprocess for port/agent/x11 forwardingteleport networking subprocess for port/agent/x11 forwarding
Joerger
force-pushed
the
joerger/teleport-networking-subprocess
branch
from
ed31990 to
a58d9cb
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
Joerger
added
the
no-changelog
Joerger
force-pushed
the
joerger/teleport-networking-subprocess
branch
2 times, most recently
from
0a5d488 to
7d965f1
Compare
lib/srv/reexec.go
Outdated
| var err error | ||
| err2 := conn.Control(func(descriptor uintptr) { | ||
| // Disable address reuse to prevent socket replacement. | ||
| err = syscall.SetsockoptInt(int(descriptor), syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 0) |
There was a problem hiding this comment.
Is SO_REUSEADDR ever enabled by default?
There was a problem hiding this comment.
Re-tested this and it seems it's only enabled by default for tcp listeners.
There was a problem hiding this comment.
Is this necessary? If so, for what? SO_REUSEADDR allows listeners to be opened on top of sockets in TIME_WAIT state, opening multiple listeners on the same bind address at the same time is done with SO_REUSEPORT.
There was a problem hiding this comment.
I'm not sure, I've preserved this from the remote port forwarding implementation. @atburke is this check necessary for some purpose or can it be removed?
There was a problem hiding this comment.
I believe SO_REUSEADDR was added here to prevent some malicious process from being able to hijack the address. You'd probably be able to get a more complete answer from @jentfoo.
Joerger
force-pushed
the
joerger/teleport-networking-subprocess
branch
3 times, most recently
from
d374507 to
8bad5d5
Compare
lib/srv/reexec.go
Outdated
| var err error | ||
| err2 := conn.Control(func(descriptor uintptr) { | ||
| // Disable address reuse to prevent socket replacement. | ||
| err = syscall.SetsockoptInt(int(descriptor), syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 0) |
There was a problem hiding this comment.
Is this necessary? If so, for what? SO_REUSEADDR allows listeners to be opened on top of sockets in TIME_WAIT state, opening multiple listeners on the same bind address at the same time is done with SO_REUSEPORT.
| // direct-streamlocal@openssh.com extension, we should revisit this multithreading limitation | ||
| // to prevent performance degradation. |
There was a problem hiding this comment.
for future readers: possible options are:
- doing manual async operations with nonblocking
connectandselect/epoll - opening some amount of goroutines that lock the OS thread and open a pam context, and fanning out operations to be done in one of these PAM-enabled threads
lib/srv/reexec.go
Outdated
| // There are currently no known issues with tcp listen/dial in a multithreaded PAM context. | ||
| go handleNetworkingRequest(ctx, controlConn, req) |
There was a problem hiding this comment.
Until someone comes along and really wants to use a random pam module that does network namespacing 😬
lib/srv/reexec.go
Outdated
| var err error | ||
| err2 := conn.Control(func(descriptor uintptr) { | ||
| // Disable address reuse to prevent socket replacement. | ||
| err = syscall.SetsockoptInt(int(descriptor), syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 0) |
There was a problem hiding this comment.
I believe SO_REUSEADDR was added here to prevent some malicious process from being able to hijack the address. You'd probably be able to get a more complete answer from @jentfoo.
Joerger
force-pushed
the
joerger/teleport-networking-subprocess
branch
from
701712b to
dabdd1c
Compare
Joerger
force-pushed
the
joerger/teleport-networking-subprocess
branch
from
dabdd1c to
57fba88
Compare
Joerger
force-pushed
the
joerger/teleport-networking-subprocess
branch
from
b9062c7 to
d697c84
Compare
Joerger
force-pushed
the
joerger/teleport-networking-subprocess
branch
from
c6b5534 to
386ac4f
Compare
Joerger
force-pushed
the
joerger/teleport-networking-subprocess
branch
from
386ac4f to
9070a43
Compare
…) on reading from the closed process.
|
@rosstimothy All tests are passing, just needs a flaky test skip. I double checked that |
|
/excludeflake * |
|
This PR was not backported because it introduces a lot of changes. It may be backported later, assuming the v17 test plan doesn't surface any issues with the new functionality. |
Add a unified networking subprocess to handle port/agent/x11 forwarding requests. This subprocess is designed to run as the local user being connected to, including any modifications done to that user via the node's PAM stack.
Fixes #17029
Note: this also fixes agent/port forwarding on new auto-provisioned users, which previously failed on the first attempt (or always with
insecure-drop). This worked with X11 forwarding before with a more intricate solution, which has been replaced with the simpler "run-as-user" method.Closes #44479
Closes #43623