[libvirt] RFC: spice-server default listen behaviour change

Hi,

I learned a few things about ipv6 lately. Most importantly about dual-socket that means that a process that opens ::0 automatically listens on both ipv4 _and_ ipv6 unless it sets IPV6_ONLY option of setsockopt() to 0.

This is pretty important wrt dual-stack configurations because they can be implemented with just slight changes to spice server (unlike the old RFE requesting listening on multiple addresses):
* when no addr= or ipvx options are set, listen on ::0
* when ipv4 and no addr= option is set, listen on 0.0.0.0
* when ipv6 is set, set IPV6_ONLY to 1 to make sure that spice server won't listen on ipv4
* when conflicting ipvx and addr= options are set, error out (this already works fine)

This will affect upper layers though, given bugs like https://bugzilla.redhat.com/show_bug.cgi?id=832121 , but it seems to me like the step in the right direction. Any thoughts/comments before I file this as a bug?

David

--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24

Hi,

> This is pretty important wrt dual-stack configurations because they can be implemented with just slight changes to spice server (unlike the old RFE requesting listening on multiple addresses):
> * when no addr= or ipvx options are set, listen on ::0

spice-server sets "ai.ai_flags = AI_PASSIVE | AI_ADDRCONFIG", which should make getaddrinfo() pick something reasonable, specifically listen on ipv6 only if the machine actually has ipv6 connectivity. I think this is the behavior we want here.

> * when ipv4 and no addr= option is set, listen on 0.0.0.0

Works today.

> * when ipv6 is set, set IPV6_ONLY to 1 to make sure that spice server won't listen on ipv4

Trivial to add, see patch.

> * when conflicting ipvx and addr= options are set, error out (this already works fine)

Works today indeed.

cheers,
Gerd

Gerd Hoffmann wrote on Fri 15. 06. 2012 at 10:36 +0200:
> Hi,
>
> > This is pretty important wrt dual-stack configurations because they can be implemented with just slight changes to spice server (unlike the old RFE requesting listening on multiple addresses):
> > * when no addr= or ipvx options are set, listen on ::0
>
> spice-server sets "ai.ai_flags = AI_PASSIVE | AI_ADDRCONFIG", which should make getaddrinfo() pick something reasonable, specifically listen on ipv6 only if the machine actually has ipv6 connectivity.

I don't think that listening on IPv6 exclusively is good when the host has both IPv4 and IPv6 connectivity. Think about dual stack setups where the spice-server host is defined by host name that can resolve to both IPv6 and IPv4 addresses.

David

> I think this is the behavior we want here.
>
> > * when ipv4 and no addr= option is set, listen on 0.0.0.0
>
> Works today.
>
> > * when ipv6 is set, set IPV6_ONLY to 1 to make sure that spice server won't listen on ipv4
>
> Trivial to add, see patch.
>
> > * when conflicting ipvx and addr= options are set, error out (this already works fine)
>
> Works today indeed.
>
> cheers,
> Gerd

On 06/15/12 11:02, David Jaša wrote:
> Gerd Hoffmann wrote on Fri 15. 06. 2012 at 10:36 +0200:
> > Hi,
> >
> > > This is pretty important wrt dual-stack configurations because they can be implemented with just slight changes to spice server (unlike the old RFE requesting listening on multiple addresses):
> > > * when no addr= or ipvx options are set, listen on ::0
> >
> > spice-server sets "ai.ai_flags = AI_PASSIVE | AI_ADDRCONFIG", which should make getaddrinfo() pick something reasonable, specifically listen on ipv6 only if the machine actually has ipv6 connectivity.
>
> I don't think that listening on IPv6 exclusively is good when the host has both IPv4 and IPv6 connectivity.

Huh? Oh, I see you can read the sentence two ways:

(1) specifically listen on ipv6 only, if the machine actually has ipv6 connectivity
(2) specifically listen on ipv6, only if the machine actually has ipv6 connectivity

I mean (2), i.e. do not create an ipv6 socket if the machine has no ipv6 connectivity. When creating an ipv6 socket IPV6_ONLY should be clear by default indeed, so both ipv4 and ipv6 will work.

cheers,
Gerd
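The listen rules proposed at the top of the thread, with the clarification from the message above applied, as an added C example (not spice-server code and not from any poster). `enum fam_opt` and both function names are hypothetical, and only the wildcard cases without `addr=` are covered.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for the ipv4 / ipv6 options named in the thread. */
enum fam_opt { FAM_UNSET, FAM_IPV4, FAM_IPV6 };

/* Open a wildcard TCP listener following the proposed rules (no addr= given).
 * Returns the fd or -1. Port 0 lets the kernel pick a free port. */
int open_wildcard_listener(enum fam_opt opt, unsigned short port) {
    int v6only = (opt == FAM_IPV6);
    int fam = (opt == FAM_IPV4) ? AF_INET : AF_INET6;
    int fd = socket(fam, SOCK_STREAM, 0);
    /* Nothing requested and the host has no IPv6 support: use IPv4 only. */
    if (fd < 0 && opt == FAM_UNSET && errno == EAFNOSUPPORT) {
        fam = AF_INET;
        fd = socket(fam, SOCK_STREAM, 0);
    }
    if (fd < 0)
        return -1;
    /* Zero-initialised address fields mean 0.0.0.0 and :: respectively. */
    struct sockaddr_in sa4 = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct sockaddr_in6 sa6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    struct sockaddr *sa = fam == AF_INET ? (struct sockaddr *)&sa4 : (struct sockaddr *)&sa6;
    socklen_t len = fam == AF_INET ? sizeof sa4 : sizeof sa6;
    /* Set IPV6_V6ONLY explicitly for both outcomes: the default depends on
     * the system (on Linux, the net.ipv6.bindv6only sysctl). */
    if ((fam == AF_INET6 &&
         setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0) ||
        bind(fd, sa, len) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Read back the kernel's view: 1 = IPv6 only, 0 = dual-stack, -1 = no IPv6 socket. */
int listener_v6only(int fd) {
    int v = 0; socklen_t l = sizeof v;
    return getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &l) == 0 ? v : -1;
}

int main(void) {
    int fd = open_wildcard_listener(FAM_UNSET, 0);
    printf("default: fd=%d v6only=%d\n", fd, listener_v6only(fd));
    return fd < 0;
}
```

Reading the option back with getsockopt() after bind is a cheap startup check that the listener is exposed on exactly the address families the configuration asked for.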

(I missed engine-devel@ previously because of typo :()

just two additions I missed yesterday:

David Jaša wrote on Thu 14. 06. 2012 at 17:32 +0200:
> Hi,
>
> I learned a few things about ipv6 lately. Most importantly about dual-socket that means that a process that opens ::0 automatically listens on both ipv4 _and_ ipv6 unless it sets IPV6_ONLY option of setsockopt() to 0.
>
> This is pretty important wrt dual-stack configurations because they can be implemented with just slight changes to spice server (unlike the old RFE requesting listening on multiple addresses):
> * when no addr= or ipvx options are set, listen on ::0
> * when ipv4 and no addr= option is set, listen on 0.0.0.0
> * when ipv6 is set, set IPV6_ONLY to 1 to make sure that spice server won't listen on ipv4
> * when conflicting ipvx and addr= options are set, error out (this already works fine)

* new spice-server feature: add option to bind to a selected interface regardless of its addresses

> This will affect upper layers though, given bugs like https://bugzilla.redhat.com/show_bug.cgi?id=832121 , but it seems to me like the step in the right direction. Any thoughts/comments before I file this as a bug?

oVirt could leverage the last bullet to add dual-stack support pretty much transparently if the display network is defined by dns name. Is there an interest in this?

David

On Fri, Jun 15, 2012 at 11:48:28AM +0200, Gerd Hoffmann wrote:
> Hi,
>
> > * new spice-server feature: add option to bind to a selected interface regardless of its addresses
>
> How does that work?

I presume the client app would request listen=eth0, and the QEMU would have to call getifaddrs() to determine what IP addresses currently correspond to eth0.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 06/15/12 12:00, Daniel P. Berrange wrote:
> On Fri, Jun 15, 2012 at 11:48:28AM +0200, Gerd Hoffmann wrote:
> > Hi,
> >
> > > * new spice-server feature: add option to bind to a selected interface regardless of its addresses
> >
> > How does that work?
>
> I presume the client app would request listen=eth0, and the QEMU would have to call getifaddrs() to determine what IP addresses currently correspond to eth0.

Ah, so there isn't a direct way I'm not aware of, you still bind to a specific ip address (or multiple), just specified in a different way ;)

Note that supporting this isn't going to work with a single listening socket. Having ipv6 sockets accept ipv4 connects too works for wildcard sockets only. If you want listening on all ip{v4,v6} addresses of an interface you'll need a listening socket for each.

cheers,
Gerd

On Fri, Jun 15, 2012 at 12:44:04PM +0200, Gerd Hoffmann wrote:
> On 06/15/12 12:00, Daniel P. Berrange wrote:
> > On Fri, Jun 15, 2012 at 11:48:28AM +0200, Gerd Hoffmann wrote:
> > > Hi,
> > >
> > > > * new spice-server feature: add option to bind to a selected interface regardless of its addresses
> > >
> > > How does that work?
> >
> > I presume the client app would request listen=eth0, and the QEMU would have to call getifaddrs() to determine what IP addresses currently correspond to eth0.
>
> Ah, so there isn't a direct way I'm not aware of, you still bind to a specific ip address (or multiple), just specified in a different way ;)
>
> Note that supporting this isn't going to work with a single listening socket. Having ipv6 sockets accept ipv4 connects too works for wildcard sockets only. If you want listening on all ip{v4,v6} addresses of an interface you'll need a listening socket for each.

Yeah, I'm almost certain you'll need to have multiple listening sockets for this to work

Daniel

Daniel P. Berrange wrote on Fri 15. 06. 2012 at 11:54 +0100:
> On Fri, Jun 15, 2012 at 12:44:04PM +0200, Gerd Hoffmann wrote:
> > On 06/15/12 12:00, Daniel P. Berrange wrote:
> > > On Fri, Jun 15, 2012 at 11:48:28AM +0200, Gerd Hoffmann wrote:
> > > > Hi,
> > > >
> > > > > * new spice-server feature: add option to bind to a selected interface regardless of its addresses
> > > >
> > > > How does that work?
> > >
> > > I presume the client app would request listen=eth0, and the QEMU would have to call getifaddrs() to determine what IP addresses currently correspond to eth0.
> >
> > Ah, so there isn't a direct way I'm not aware of, you still bind to a specific ip address (or multiple), just specified in a different way ;)
> >
> > Note that supporting this isn't going to work with a single listening socket. Having ipv6 sockets accept ipv4 connects too works for wildcard sockets only. If you want listening on all ip{v4,v6} addresses of an interface you'll need a listening socket for each.
>
> Yeah, I'm almost certain you'll need to have multiple listening sockets for this to work
>
> Daniel

Well, I've checked what my local dnsmasq does and it's doing precisely what you say:

    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 29426/dnsmasq
    tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 29426/dnsmasq
    tcp 0 0 ::1:53 :::* LISTEN 29426/dnsmasq
    tcp 0 0 fe80::4c03:d0ff:fec2:aa7:53 :::* LISTEN 29426/dnsmasq

In other words, dual-socket won't make dual-stack for selected interface possible without implementing https://bugzilla.redhat.com/show_bug.cgi?id=787256 anyway. :(

David
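What the dnsmasq listing above and the earlier replies describe, one listening socket per address of a named interface found with getifaddrs(), as an added C example (not code from dnsmasq, QEMU or spice-server). `listen_on_interface` is a hypothetical name, and `lo` in `main` assumes a Linux loopback interface.

```c
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open one TCP listener per IPv4/IPv6 address currently assigned to ifname.
 * Stores at most max fds in fds[]; returns how many were opened, or -1 if
 * the address list cannot be read. Port 0 lets the kernel pick free ports. */
int listen_on_interface(const char *ifname, unsigned short port, int *fds, int max) {
    struct ifaddrs *list, *ifa;
    int n = 0, on = 1;
    if (getifaddrs(&list) < 0)
        return -1;
    for (ifa = list; ifa && n < max; ifa = ifa->ifa_next) {
        if (!ifa->ifa_addr || strcmp(ifa->ifa_name, ifname) != 0)
            continue;
        int fam = ifa->ifa_addr->sa_family;
        if (fam != AF_INET && fam != AF_INET6)
            continue;                       /* e.g. AF_PACKET link-layer entries */
        struct sockaddr_storage ss;
        socklen_t len = fam == AF_INET ? sizeof(struct sockaddr_in) : sizeof(struct sockaddr_in6);
        memcpy(&ss, ifa->ifa_addr, len);    /* keeps sin6_scope_id of fe80:: addresses */
        if (fam == AF_INET)
            ((struct sockaddr_in *)&ss)->sin_port = htons(port);
        else
            ((struct sockaddr_in6 *)&ss)->sin6_port = htons(port);
        int fd = socket(fam, SOCK_STREAM, 0);
        if (fd < 0)
            continue;
        /* Per the thread, only wildcard IPv6 sockets also take IPv4, so pin
         * each IPv6 listener to IPv6 and let the IPv4 addresses get their own. */
        if (fam == AF_INET6)
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on);
        if (bind(fd, (struct sockaddr *)&ss, len) < 0 || listen(fd, 16) < 0) {
            close(fd);
            continue;
        }
        fds[n++] = fd;
    }
    freeifaddrs(list);
    return n;
}

int main(void) {
    int fds[16], n = listen_on_interface("lo", 0, fds, 16);
    printf("listeners on lo: %d\n", n);
    return n < 0;
}
```

The address list is a snapshot: an address added to the interface later gets no listener until the function runs again.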

David Jaša wrote on Fri 15. 06. 2012 at 15:10 +0200:
> Daniel P. Berrange wrote on Fri 15. 06. 2012 at 11:54 +0100:
> > On Fri, Jun 15, 2012 at 12:44:04PM +0200, Gerd Hoffmann wrote:
> > > On 06/15/12 12:00, Daniel P. Berrange wrote:
> > > > On Fri, Jun 15, 2012 at 11:48:28AM +0200, Gerd Hoffmann wrote:
> > > > > Hi,
> > > > >
> > > > > > * new spice-server feature: add option to bind to a selected interface regardless of its addresses
> > > > >
> > > > > How does that work?
> > > >
> > > > I presume the client app would request listen=eth0, and the QEMU would have to call getifaddrs() to determine what IP addresses currently correspond to eth0.
> > >
> > > Ah, so there isn't a direct way I'm not aware of, you still bind to a specific ip address (or multiple), just specified in a different way ;)
> > >
> > > Note that supporting this isn't going to work with a single listening socket. Having ipv6 sockets accept ipv4 connects too works for wildcard sockets only. If you want listening on all ip{v4,v6} addresses of an interface you'll need a listening socket for each.
> >
> > Yeah, I'm almost certain you'll need to have multiple listening sockets for this to work
> >
> > Daniel
>
> Well, I've checked what my local dnsmasq does and it's doing precisely what you say:
>
>     tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 29426/dnsmasq
>     tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 29426/dnsmasq
>     tcp 0 0 ::1:53 :::* LISTEN 29426/dnsmasq
>     tcp 0 0 fe80::4c03:d0ff:fec2:aa7:53 :::* LISTEN 29426/dnsmasq
>
> In other words, dual-socket won't make dual-stack for selected interface possible without implementing https://bugzilla.redhat.com/show_bug.cgi?id=787256 anyway. :(
>
> David

Scratch that. After some more research, I found this in socket (7):

    SO_BINDTODEVICE
        Bind this socket to a particular device like "eth0", as specified in the passed interface name. If the name is an empty string or the option length is zero, the socket device binding is removed. The passed option is a variable-length null-terminated interface name string with the maximum size of IFNAMSIZ. If a socket is bound to an interface, only packets received from that particular interface are processed by the socket. Note that this only works for some socket types, particularly AF_INET sockets. It is not supported for packet sockets (use normal bind(8) there)

So using wildcard address and this socket option should be the least-effort way to support dual-stack display networks if I get it right...

David

Gerd Hoffmann wrote on Fri 15. 06. 2012 at 11:48 +0200:
> Hi,
>
> > * new spice-server feature: add option to bind to a selected interface regardless of its addresses
>
> How does that work?

I'm aware that for example dnsmasq does this with its --bind-interfaces option. If I'm grepping their repo correctly, it's done like this:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/option.c#l325
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/dhcp.c#l66

David

> cheers,
> Gerd
participants (3)
- Daniel P. Berrange
- David Jaša
- Gerd Hoffmann