Dear Ben
Not sure what is going on on these Google Cloud platforms.
With Ubuntu 18.04.4 LTS + Linux 5.3.0, I see no problems.
Maybe some of the kernel hardening parameters [1] are set?
-gn
$ uname -a
Linux cigoos 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC
2020 x86_64 x86_64 x86_64 GNU/Linux
$ sudo /usr/local/ns/bin/nsd -f -u nsadmin -g nsadmin -t
/usr/local/ns/conf/nsd-config.tcl
...
[30/Mar/2020:03:25:11][32118.7f376effd700][-driver:nssock:0-] Notice: nssock:0:
listening on [0.0.0.0]:8080
[30/Mar/2020:03:25:11][32118.7f377a268740][-main-] Notice: nsmain:
NaviServer/4.99.19 (tar-4.99.19) running
[1]
https://www.kmotoko.com/articles/linux-hardening-kernel-parameters-with-sysctl/
On 30.03.20 00:33, Ben Brink via naviserver-devel wrote:
Hi,
With vTPM and monitoring turned off (and server rebooted), nsd still
doesn't boot due to the same error for both ports and either a specific IP
number or 0.0.0.0.
I suspect this is some overzealous latent TPM/monitoring or related
permissions as I had a similar issue earlier this year running VMs in
GNS3 on linux 5.0.0+ which I worked around instead of resolving,
because there seemed to be a bunch of upstream changes in that area of
the kernel that may have fixed the GNS3 issue if I could wait for them
to reach standard Linux releases.
cheers,
Ben
On 3/29/20 3:17 PM, Ben Brink via naviserver-devel wrote:
Hi,
Also, GCP says that vTPM and integrity monitoring options are enabled
by default, but that Secure Boot is not.[1]
1.
https://cloud.google.com/compute/docs/instances/modifying-shielded-vm#modify-shielded-vm-instance
I'm going to turn off vTPM, and see if that's enough to get nsd to bind.
On 3/29/20 2:59 PM, Ben Brink via naviserver-devel wrote:
Hi,
NaviServer fails to bind on start up to port 8000 or 80 and a
specific ip number or as 0.0.0.0.
The errors are identical. See log snip below.
For diagnostic purposes, I tried apache2 on 80. It works with:
# systemctl start apache2
# systemctl start oacs-5-9-1
Job for oacs-5-9-1.service failed because the control process exited
with error code.
See "systemctl status oacs-5-9-1.service" and "journalctl -xe" for
details.
# uname -a
Linux harvesp-agah 5.0.0-1033-gcp #34-Ubuntu SMP Tue Mar
3 04:36:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
The first error in the log occurs after startup.
[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nssock:0:
adding virtual host entry for host <private.biz:80> location:
http://private.biz:80 mapped to server: oacs-5-9-1
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Notice:
starting
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Notice:
bind operation on sock 15 lead to error: Cannot assign requested
address
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-]
Warning: bind on: SockAddr family AF_INET, ip x.x.x.x, port 80
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Error:
Ns_SockBinderListen: sendmsg() failed: sent 53 bytes, 'Cannot assign
requested address'
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Error:
nssock:0: failed to listen on [x.x.x.x]:80: Cannot assign requested
address
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-]
Warning: could no bind any of the following addresses, stopping this
driver: x.x.x.x
[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nsmain:
NaviServer/4.99.19 (tar-4.99.19) running
[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nsmain:
security info: uid=1002, euid=1002, gid=1003, egid=1003
[29/Mar/2020:05:50:33][2926.7fad6d353700][-sched-] Notice: sched:
starting
[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Fatal: nsmain:
can't communicate with parent process, nwrite -1, error: Broken pipe
(parent process was probably killed)
This is on an ubuntu image on GCP:
ubuntu-minimal-1804-bionic-v20200317
Description
Canonical, Ubuntu, 18.04 LTS Minimal, amd64 bionic minimal image
built on 2020-03-17, supports Shielded VM features
I'm guessing it's some kind of vTPM/kernel security issue, since
extra security features were added to the Linux kernel at version 5.0.0.
Any suggestions on how to get NaviServer to bind / pass the security
challenge?
kind regards,
Ben
_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel