> On May 2, 2017, 12:34 a.m., Benjamin Mahler wrote:
> > 3rdparty/libprocess/src/process.cpp
> > Lines 2878-2879 (patched)
> > <https://reviews.apache.org/r/58224/diff/2/?file=1693806#file1693806line2894>
> >
> > We could refer to the flag help for examples?

I updated the text a bit.

> On May 2, 2017, 12:34 a.m., Benjamin Mahler wrote:
> > 3rdparty/libprocess/src/process.cpp
> > Lines 2883-2884 (patched)
> > <https://reviews.apache.org/r/58224/diff/2/?file=1693806#file1693806line2899>
> >
> > How about:
> >
> > UPID IP address validation failed: Message from X was sent from IP Y.

This is an improvement, I made this change.

- James

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58224/#review173536
-----------------------------------------------------------

On May 10, 2017, 6:06 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58224/
> -----------------------------------------------------------
>
> (Updated May 10, 2017, 6:06 p.m.)
>
>
> Review request for mesos and Benjamin Mahler.
>
>
> Bugs: MESOS-7401
>     https://issues.apache.org/jira/browse/MESOS-7401
>
>
> Repository: mesos
>
>
> Description
> -------
>
> In general, libprocess is unable to validate that a peer
> is a legitimate owner of the UPID it claims in a libprocess
> message. This change adds a check that the IP address in the
> UPID matches the peer address. This makes spoofing the UPID
> harder (eg. to send authenticated messages), but also breaks
> some legitimate configurations, particularly on multihomed
> hosts.
>
>
> Diffs
> -----
>
>   3rdparty/libprocess/src/process.cpp 96ce7dbc486a2f1d55d2238a8a102bf024b12b1c
>
>
> Diff: https://reviews.apache.org/r/58224/diff/8/
>
>
> Testing
> -------
>
> make check (Fedora 25). Light manual testing.
>
> With LIBPROCESS_require_peer_address_ip_match=true, all Mesos tests pass
> except ``ExamplesTest.DiskFullFramework``, however enabling this will
> definitely break some libprocess APIs (though not in the way that Mesos uses
> them) and legitimate multi-homed configurations. Note that setting
> LIBPROCESS_ip=127.0.0.1 makes you multihomed for this purpose, which is why
> ``ExamplesTest.DiskFullFramework`` breaks.
>
>
> Thanks,
>
> James Peach
>
>
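
The check described in the review request, as an added sketch that is not part of the thread and not libprocess code: the IP claimed in a UPID is compared with the address the connection actually came from, and a multihomed sender fails just like a spoofed one. The function names, the IPv4-only `id@ip:port` parsing and the sample addresses are assumptions made for illustration.

```cpp
#include <arpa/inet.h>
#include <iostream>
#include <string>

// Hypothetical helper: pull the IPv4 address out of a UPID string "id@ip:port".
bool upidAddress(const std::string& upid, in_addr* out) {
  const size_t at = upid.rfind('@');
  const size_t colon = upid.rfind(':');
  if (at == std::string::npos || colon == std::string::npos || colon < at) {
    return false;
  }
  const std::string ip = upid.substr(at + 1, colon - at - 1);
  return inet_pton(AF_INET, ip.c_str(), out) == 1;
}

// Returns an error string when the message must be dropped, or an empty
// string when it is accepted. `peerIp` stands in for the address that
// getpeername() would report for the accepted socket; `requireMatch`
// models the require_peer_address_ip_match flag named in the request.
std::string validatePeer(
    const std::string& fromUpid, const std::string& peerIp, bool requireMatch) {
  if (!requireMatch) return "";  // Check disabled: the claimed UPID is trusted.
  in_addr peer{}, claimed{};
  if (inet_pton(AF_INET, peerIp.c_str(), &peer) != 1) {
    return "UPID IP address validation failed: bad peer address " + peerIp;
  }
  // Compare binary addresses rather than strings.
  if (!upidAddress(fromUpid, &claimed) || claimed.s_addr != peer.s_addr) {
    return "UPID IP address validation failed: Message from " + fromUpid +
           " was sent from IP " + peerIp;
  }
  return "";
}

int main() {
  // Constructed samples: {UPID claimed in the message, observed peer IP}.
  const char* samples[][2] = {
      {"slave(1)@10.0.0.5:5051", "10.0.0.5"},     // Honest peer.
      {"master@10.0.0.1:5050", "10.0.0.99"},      // Claims another host's UPID.
      {"scheduler@127.0.0.1:40000", "10.0.0.5"},  // Multihomed: UPID says loopback.
  };
  for (const auto& s : samples) {
    const std::string error = validatePeer(s[0], s[1], true);
    std::cout << s[0] << " via " << s[1] << ": "
              << (error.empty() ? "accepted" : error) << "\n";
  }
  return 0;
}
```

The third sample shows why the request warns about multihomed hosts: the sender is legitimate, but the address in its UPID is not the one its connection arrives from, so the check cannot tell it apart from the second sample.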