Control: tags -1 + patch

On Sun, 24 May 2015 at 20:41:50 +0100, Toni Mueller wrote:
> I run OpenVSwitch together with apt-cacher-ng, and find that
> irregularly, apt-cacher-ng does not listen on all interfaces where I
> want it to listen (not all - I have a BindAddress statement in my
> config).

If a user of libvirtd (libvirt-bin) has configured acng to listen on
the address of libvirtd's bridge (192.168.122.1 by default) so that
virtual machines can benefit from the proxy cache, then the same thing
will often happen.

I suspect that the same is true for any container/VM framework that
programmatically brings up a bridge to which containers/VMs will be
attached, such as Docker.

On Sun, 24 May 2015 at 22:27:11 +0200, Eduard Bloch wrote:
> Systemd makers recommend extending the particular daemons to react on
> interface creation events and I will consider adding it later... maybe.

Instead of adding that complexity, have you considered using
IP_FREEBIND? This socket option asks the kernel to allow bind() to any IP
address, even if that address is not actually present on any device yet
(in which case there simply won't be anything to accept() from it).

Please consider the attached patch - I suspect that's much simpler than
monitoring device/address creation via netlink! I'm using the patched
version now and it seems to have the desired effect.

The only down side that I can see is that if the user has configured a
wrong BindAddress (perhaps as a result of a typo), they will no longer
get a warning in the log. If you think that's a significant problem, it
would probably be possible to adapt my patch so that it tries without
IP_FREEBIND first, and on failure, logs a warning and falls back to
retrying *with* IP_FREEBIND. I think I prefer the simpler version that
I've proposed, though.
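The two-step variant sketched above (plain bind() first, a logged warning, then a retry with IP_FREEBIND), written out as an added illustration rather than code from this thread or from apt-cacher-ng; the helper name, the ephemeral port and the stderr warning are assumptions:

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Hypothetical helper (not apt-cacher-ng code): plain bind() first, so a
 * mistyped BindAddress still produces a warning; only if the address is not
 * present on any device yet, retry with IP_FREEBIND so the listener can be up
 * before libvirtd/OpenVSwitch/Docker creates the bridge.  Returns 0 or -1
 * (errno set by the failing call); *used_freebind is 1 on the fallback path. */
int bind_with_freebind_fallback(int fd, const struct sockaddr *sa,
                                socklen_t len, int *used_freebind)
{
    char addr[INET6_ADDRSTRLEN] = "?";
    *used_freebind = 0;
    if (bind(fd, sa, len) == 0)
        return 0;
    if (errno != EADDRNOTAVAIL)     /* EACCES, EADDRINUSE, ...: not our case */
        return -1;
    if (sa->sa_family == AF_INET)
        inet_ntop(AF_INET, &((const struct sockaddr_in *)sa)->sin_addr, addr, sizeof addr);
    fprintf(stderr, "warning: %s is not configured on any interface yet; "
                    "binding with IP_FREEBIND\n", addr);
#ifdef IP_FREEBIND                  /* Linux-specific, same guard as the patch */
    int yes = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &yes, sizeof yes) == 0) {
        *used_freebind = 1;
        return bind(fd, sa, len);
    }
#endif
    return -1;
}

int main(void)
{
    /* Constructed input: libvirtd's default bridge address, ephemeral port. */
    struct sockaddr_in sa = { 0 };
    int used, fd = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_family = AF_INET;
    inet_pton(AF_INET, "192.168.122.1", &sa.sin_addr);
    if (fd < 0 || bind_with_freebind_fallback(fd, (struct sockaddr *)&sa,
                                              sizeof sa, &used) != 0) {
        perror("bind");
        return 1;
    }
    printf("listener bound %s IP_FREEBIND\n", used ? "with" : "without");
    return close(fd);
}
```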

> I used After=network.target in
> /lib/systemd/system/apt-cacher-ng.service but this is only good for the
> default interface handling, i.e. it's triggered as soon as any network
> connectivity is present. This works ok in a regular setup where ifupdown
> sets up everything in one step but not in cases like yours.

Yes, there is no target that you can be After to represent "all services
that might programmatically bring up a bridge have done so", and in
any case it's not clear to me that it would be desirable to delay acng
startup that much - ideally I'd like acng to be already running before
libvirtd has the opportunity to start any virtual machines that might
be relying on it.

    smcv

From: Simon McVittie <[email protected]>
Date: Thu, 8 Aug 2024 19:48:11 +0100
Subject: conserver: Configure IP_FREEBIND for TCP sockets

This allows binding to the IP address of a virtual device before the
device has actually been created, which is useful if apt-cacher-ng
should be listening on an interface managed by something like
OpenVSwitch or libvirtd. A typical use-case for this is to provide
an apt proxy to local VMs by configuring apt-cacher-ng to listen
on 192.168.122.1, the address of libvirtd's default bridge.

Closes: #786717
Signed-off-by: Simon McVittie <[email protected]>
---
 src/conserver.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/conserver.cc b/src/conserver.cc
index b47a548..3a99b55 100644
--- a/src/conserver.cc
+++ b/src/conserver.cc
@@ -255,6 +255,11 @@ unsigned setup_tcp_listeners(LPCSTR addi, uint16_t port)
 			setsockopt(nSockFd, SOL_IPV6, IPV6_V6ONLY, &yes, sizeof(yes));
 #endif
 		setsockopt(nSockFd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes));
+		// allow binding to IP addresses that might not have been
+		// configured yet (#786717)
+#ifdef IP_FREEBIND
+		setsockopt(nSockFd, IPPROTO_IP, IP_FREEBIND, &yes, sizeof(yes));
+#endif
 		res += bind_and_listen(nSockFd, p, port);
 	}
 	return res;
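Review bot: the return value of the new setsockopt() is discarded, consistent with the two calls above it, but that means a kernel or socket type that rejects IP_FREEBIND falls back silently to ordinary bind() semantics and a later bind_and_listen() failure is the only symptom; logging the failure at debug level, and extending the in-code comment to say that a mistyped BindAddress will now bind successfully and never warn (the trade-off the cover mail describes), would make the behaviour change easier to diagnose. Since setup_tcp_listeners() also creates AF_INET6 sockets (the SOL_IPV6/IPV6_V6ONLY block just above), the comment should also state whether the IPPROTO_IP-level option is intended to cover those sockets too.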
