Dear Ben

Not sure what is going on with these Google Cloud platforms.
With Ubuntu 18.04.4 LTS + Linux 5.3.0, I see no problems.
Maybe some of the kernel hardening parameters [1] are set?

-gn

$ uname -a
Linux cigoos 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ sudo /usr/local/ns/bin/nsd -f -u nsadmin -g nsadmin -t /usr/local/ns/conf/nsd-config.tcl
...
[30/Mar/2020:03:25:11][32118.7f376effd700][-driver:nssock:0-] Notice: nssock:0: listening on [0.0.0.0]:8080
[30/Mar/2020:03:25:11][32118.7f377a268740][-main-] Notice: nsmain: NaviServer/4.99.19 (tar-4.99.19) running


[1] https://www.kmotoko.com/articles/linux-hardening-kernel-parameters-with-sysctl/

On 30.03.20 00:33, Ben Brink via naviserver-devel wrote:
Hi,

With vTPM and monitoring turned off (and the server rebooted), nsd still doesn't boot due to the same error for both ports and either a specific IP number or 0.0.0.0.

I suspect this is some overzealous latent TPM/monitoring or related permissions, as I had a similar issue earlier this year running VMs in GNS3 on Linux 5.0.0+ which I worked around instead of resolving, because there seemed to be a bunch of upstream changes in that area of the kernel that may have fixed the GNS3 issue if I could wait for them to reach standard Linux releases.

cheers,
Ben

On 3/29/20 3:17 PM, Ben Brink via naviserver-devel wrote:
Hi,

Also, GCP says that vTPM and integrity monitoring options are enabled by default, but that Secure Boot is not.[1]

1. https://cloud.google.com/compute/docs/instances/modifying-shielded-vm#modify-shielded-vm-instance

I'm going to turn off vTPM, and see if that's enough to get nsd to bind.




On 3/29/20 2:59 PM, Ben Brink via naviserver-devel wrote:
Hi,

NaviServer fails to bind on startup to port 8000 or 80, with either a specific IP number or 0.0.0.0.

The errors are identical. See log snip below.

For diagnostic purposes, I tried apache2 on 80. It works with:

# systemctl start apache2

# systemctl start oacs-5-9-1
Job for oacs-5-9-1.service failed because the control process exited with error code. See "systemctl status oacs-5-9-1.service" and "journalctl -xe" for details.

# uname -a
Linux harvesp-agah 5.0.0-1033-gcp #34-Ubuntu SMP Tue Mar 3 04:36:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The first error in the log occurs after startup.

[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nssock:0: adding virtual host entry for host <private.biz:80> location: http://private.biz:80 mapped to server: oacs-5-9-1
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Notice: starting
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Notice: bind operation on sock 15 lead to error: Cannot assign requested address
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Warning: bind on: SockAddr family AF_INET, ip x.x.x.x, port 80
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Error: Ns_SockBinderListen: sendmsg() failed: sent 53 bytes, 'Cannot assign requested address'
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Error: nssock:0: failed to listen on [x.x.x.x]:80: Cannot assign requested address
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Warning: could no bind any of the following addresses, stopping this driver: x.x.x.x
[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nsmain: NaviServer/4.99.19 (tar-4.99.19) running
[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nsmain: security info: uid=1002, euid=1002, gid=1003, egid=1003
[29/Mar/2020:05:50:33][2926.7fad6d353700][-sched-] Notice: sched: starting
[29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Fatal: nsmain: can't communicate with parent process, nwrite -1, error: Broken pipe (parent process was probably killed)

This is on an ubuntu image on GCP:

ubuntu-minimal-1804-bionic-v20200317
Description
Canonical, Ubuntu, 18.04 LTS Minimal, amd64 bionic minimal image built on 2020-03-17, supports Shielded VM features

I'm guessing it's some kind of vTPM/kernel security issue, since extra security features were added to the Linux kernel at version 5.0.0.

Any suggestions on how to get NaviServer to bind / pass the security challenge?

kind regards,
Ben



_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
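A host-level check for the failure discussed in this thread, added here as an example and not taken from the thread or from NaviServer's own code. The "Cannot assign requested address" string in Ben's log is errno EADDRNOTAVAIL from bind(2), which the kernel returns when the requested IP is not configured on any local interface (and net.ipv4.ip_nonlocal_bind is 0), independently of vTPM or Shielded VM settings. The script below repeats the same bind() on a plain TCP socket for each ip:port given and classifies the errno, so a host problem (address not on the NIC, privileged port, port in use) can be told apart from a NaviServer one. It assumes Linux /proc paths for the two sysctls that change bind() outcomes; the sample targets are constructed (loopback, and 192.0.2.1 from the RFC 5737 TEST-NET-1 range, which is never on a real interface).

```python
"""Repeat the bind() that NaviServer's nssock driver performs, outside the server.

Added diagnostic for this thread; it is not NaviServer code.  It binds a
plain TCP socket to each ip:port given and classifies errno, so that a host
problem (address not configured on any interface, privileged port, port in
use) can be told apart from a NaviServer one.  Sysctl paths assume Linux.
"""
import errno
import os
import socket
import sys
from typing import Dict, List, Optional, Tuple

# /proc paths for the two sysctls that change bind() outcomes (assumed Linux).
SYSCTLS: Dict[str, str] = {
    "net.ipv4.ip_nonlocal_bind": "/proc/sys/net/ipv4/ip_nonlocal_bind",
    "net.ipv4.ip_unprivileged_port_start": "/proc/sys/net/ipv4/ip_unprivileged_port_start",
}

# Constructed sample targets: loopback (always bindable) and 192.0.2.1 from
# TEST-NET-1 (RFC 5737), which is never configured on a real interface.
SAMPLE_TARGETS: List[Tuple[str, int]] = [("127.0.0.1", 0), ("192.0.2.1", 0)]


def read_sysctl(name: str) -> Optional[str]:
    """Return a sysctl value read from /proc, or None when it is unavailable."""
    path = SYSCTLS.get(name)
    if path is None or not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read().strip()


def try_bind(ip: str, port: int) -> str:
    """bind() a fresh TCP socket to ip:port and return a verdict string.

    SO_REUSEADDR is deliberately not set, so a port already bound by another
    socket always reports EADDRINUSE regardless of that socket's state.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((ip, port))
        return "ok"
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            # "Cannot assign requested address": ip is not on any local
            # interface and net.ipv4.ip_nonlocal_bind is 0.  This is the
            # errno in the log quoted in this thread.
            return "EADDRNOTAVAIL"
        if exc.errno == errno.EACCES:
            # Port below net.ipv4.ip_unprivileged_port_start without
            # root or CAP_NET_BIND_SERVICE.
            return "EACCES"
        if exc.errno == errno.EADDRINUSE:
            return "EADDRINUSE"
        return "errno=%d" % exc.errno
    finally:
        sock.close()


def explain(verdict: str) -> str:
    """Map a verdict from try_bind() to the host-side check to run next."""
    hints = {
        "ok": "bind works here; look at the server config, not the host",
        "EADDRNOTAVAIL": "address not configured on this host (check `ip addr`; "
                         "a cloud external IP is usually NATed, not on the NIC)",
        "EACCES": "privileged port; run the binder as root or grant CAP_NET_BIND_SERVICE",
        "EADDRINUSE": "another socket already holds this port (check `ss -ltnp`)",
    }
    return hints.get(verdict, "unexpected errno; see strerror")


def diagnose(targets: List[Tuple[str, int]]) -> Dict[str, str]:
    """Run try_bind() over targets and return {"ip:port": verdict}."""
    return {"%s:%d" % (ip, port): try_bind(ip, port) for ip, port in targets}


def port_in_use_demo() -> str:
    """Hold a listening loopback port, then show what a second bind() reports."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        return try_bind("127.0.0.1", holder.getsockname()[1])
    finally:
        holder.close()


if __name__ == "__main__":
    # Usage: python bindcheck.py [ip:port ...]; defaults to the sample targets.
    args = [(a.rsplit(":", 1)[0], int(a.rsplit(":", 1)[1])) for a in sys.argv[1:]]
    for name in SYSCTLS:
        print("%s = %s" % (name, read_sysctl(name)))
    for target, verdict in diagnose(args or SAMPLE_TARGETS).items():
        print("%-22s %-14s %s" % (target, verdict, explain(verdict)))
```

Run it as the same user NaviServer's binder runs as (root when nsd is started with -u/-g, since the prebind happens before privileges are dropped) and with the exact ip:port from the nsd config, e.g. `python bindcheck.py x.x.x.x:80 0.0.0.0:80`. If the script reports EADDRNOTAVAIL for the specific IP, the address is simply not present on the interface, which is what `ip addr` will confirm; if 0.0.0.0:80 also fails, the verdict and the two sysctl values printed first narrow it to a privileged-port or port-in-use problem rather than a NaviServer one.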
