Apply default TTL to records obtained from getaddrinfo()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
keyutils (Ubuntu) | Fix Released | Undecided | Utkarsh Gupta |
Bionic | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Impish | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
========
There's a strong dependency of cifs.ko (and nfs.ko) on keyutils for DNS resolution. The keyutils package contains the userspace utility that updates the kernel keyring with the mapping from DNS name to IP address. Prior to 1.6.2, this utility may erroneously set an unlimited lifetime for these entries in the kernel keyring.
[Test plan]
===========
1. Create a file share on an SMB server (a Samba server will do) that has two IP addresses. Make sure that the FQDN of the server resolves to one of these addresses.
2. Mount the created share on the CIFS client using the server's FQDN. Make sure that the mount point is accessible.
3. Using the ss command on the client, kill the sockets that connect to the server: sudo ss -K dport :445
4. Now update the DNS entry so that the server FQDN resolves to the second IP address of the server. Make sure that nslookup on the client now returns the new IP address.
5. Repeat step 3 to kill the sockets that connect to the server and force another reconnection.
Without the fix, after step 5, the "ss -t" command will show that the client has reconnected to the old IP address, even though DNS lookups return the new IP.
With the fix (after a reboot of the client machine to make sure that the kernel keys are refreshed), you'll see that the client reconnects to the new IP address.
The bug is due to the unlimited lifetime set by key.dns_resolver (which is part of the keyutils package). As a result, even if the IP address for a DNS entry changes, the kernel filesystems continue to use the old IP address because of the cached keys. This issue causes clients to misbehave when Azure Files service endpoints move to a different cluster.
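The following script is an added example, not part of this bug report or of the keyutils package. It shows how a client administrator can check for the state the test plan describes without performing the reconnection steps: it scans a /proc/keys-style listing for dns_resolver keys whose timeout column reads "perm" (no expiry), which is exactly the cached key that keeps cifs.ko on the old address. The sample lines, serial numbers and hostnames are constructed; the column layout follows keyrings(7), and the nine-character truncation of the type column (so that "dns_resolver" shows as "dns_resol") is an assumption about the kernel's formatting of that file.

```shell
#!/bin/sh
# Added check (not from the bug report): find dns_resolver keys that never
# expire. /proc/keys columns, as described in keyrings(7):
#   serial flags usage timeout perms uid gid type description: summary
# The timeout column is "perm" for a key with no expiry, or a remaining
# lifetime such as "45s", "4m", "2h". The type column is assumed to be
# truncated to nine characters, hence the prefix match on "dns_resol".

list_permanent_dns_keys() {
    # $1: path of a /proc/keys-style file; prints "serial description" per hit
    awk '$8 ~ /^dns_resol/ && $4 == "perm" { print $1, $9 }' "$1"
}

count_permanent_dns_keys() {
    list_permanent_dns_keys "$1" | wc -l | tr -d ' '
}

# Constructed sample resembling /proc/keys: one permanent dns_resolver key
# (the buggy state), one with a remaining lifetime (the fixed state), and an
# unrelated session keyring that must be ignored.
SAMPLE_KEYS=$(mktemp)
trap 'rm -f "$SAMPLE_KEYS"' EXIT
cat >"$SAMPLE_KEYS" <<'EOF'
3a6b1c2d I--Q---     1 perm 3f010000     0     0 dns_resol smb.example.internal: 12
0f9e8d7c I--Q---     1   4m 3f010000     0     0 dns_resol nfs.example.internal: 12
1b2c3d4e I--Q---     3 perm 3f030000  1000  1000 keyring   _ses: 2
EOF

main() {
    # Pass /proc/keys to inspect the live keyring; defaults to the sample.
    path="${1:-$SAMPLE_KEYS}"
    n=$(count_permanent_dns_keys "$path")
    if [ "$n" -gt 0 ]; then
        echo "found $n dns_resolver key(s) with no expiry:"
        list_permanent_dns_keys "$path"
        echo "the cached address stays in use until the key is dropped (e.g. after a reboot)"
    else
        echo "no permanent dns_resolver keys: cached lookups will expire and be re-resolved"
    fi
}

main "$@"
```

Run it as `sh check_dns_keys.sh /proc/keys` on the client; a non-empty list after the fixed package is installed means keys created before the upgrade are still present, which is why the test plan asks for a reboot before re-testing.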
[Where problems could occur]
============================
Address records obtained from getaddrinfo() don't come with any TTL information, even if they're obtained from the DNS, so someone relying on this in particular might face some problem or regression, but I don't think they would, as it would still be highly configurable.
[Other information]
===================
This request is essentially from one of our cloud partners and they're highly affected by this.
Related branches
- Reviewers: Miriam España Acebal (community): Needs Information; Robie Basak: Needs Information; Chris Newcomer: Pending (requested); Canonical Server packageset reviewers: Pending (requested); Canonical Server: Pending (requested); git-ubuntu import: Pending (requested)
  Diff: 81 lines (+59/-0), 3 files modified: debian/changelog (+8/-0), debian/patches/apply-default-ttl-to-records.patch (+50/-0), debian/patches/series (+1/-0)
- Reviewers: Utkarsh Gupta: Pending (requested); Chris Newcomer: Pending (requested); git-ubuntu import: Pending (requested)
  Diff: 553 lines (+531/-0), 3 files modified: debian/changelog (+8/-0), debian/patches/apply-default-ttl-to-records.patch (+522/-0), debian/patches/series (+1/-0)
- Reviewers: Chris Newcomer: Pending (requested); Utkarsh Gupta: Pending (requested); git-ubuntu import: Pending (requested)
  Diff: 553 lines (+531/-0), 3 files modified: debian/changelog (+8/-0), debian/patches/apply-default-ttl-to-records.patch (+522/-0), debian/patches/series (+1/-0)
- Reviewers: Utkarsh Gupta: Pending (requested); Chris Newcomer: Pending (requested); git-ubuntu import: Pending (requested)
  Diff: 553 lines (+531/-0), 3 files modified: debian/changelog (+8/-0), debian/patches/apply-default-ttl-to-records.patch (+522/-0), debian/patches/series (+1/-0)
Changed in keyutils (Ubuntu Impish): status: New → Incomplete
Changed in keyutils (Ubuntu Focal): status: New → Incomplete
This bug was fixed in the package keyutils - 1.6.1-2ubuntu3
---------------
keyutils (1.6.1-2ubuntu3) jammy; urgency=medium

  * d/p/apply-default-ttl-to-records.patch: Add patch
    to apply default TTL to records obtained from
    getaddrinfo(). (LP: #1962453)

 -- Utkarsh Gupta <email address hidden>  Mon, 28 Feb 2022 15:14:45 +0530