Re: [naviserver-devel] NaviServer does not bind to port 80 or 8000 on hardened Ubuntu 5.0.0
Hi Gustaf,

You're right. The kernel hardening features are set, including:

xdcpmer@harvesp-agah:~$ sudo dmesg | grep "Execute Disable"
[0.00] NX (Execute Disable) protection: active

This particular one appears to be at the BIOS level instead of sysctl. And yet apache2 works. There *should be* some way for this feature to learn about NaviServer, too. I'm guessing nsd needs to be distributed in the OS via regular package distribution in order to work with this feature.

I'm talking with GCP about the possibility of turning off the feature or offering an unshielded Ubuntu image. All the internal Ubuntu offerings are shielded [2]. I am pivoting to FreeBSD in the interim.

Thank you for the link and your time!

NaviServer cheers,
Ben

2. https://cloud.google.com/shielded-vm

On 3/29/20 8:48 PM, Gustaf Neumann wrote:
> Dear Ben
>
> Not sure what is going on on these Google Cloud platforms. With Ubuntu 18.04.4 LTS + Linux 5.3.0, I see no problems. Maybe some of the kernel hardening parameters [1] are set?
>
> -gn
>
> $ uname -a
> Linux cigoos 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> $ sudo /usr/local/ns/bin/nsd -f -u nsadmin -g nsadmin -t /usr/local/ns/conf/nsd-config.tcl
> ...
> [30/Mar/2020:03:25:11][32118.7f376effd700][-driver:nssock:0-] Notice: nssock:0: listening on [0.0.0.0]:8080
> [30/Mar/2020:03:25:11][32118.7f377a268740][-main-] Notice: nsmain: NaviServer/4.99.19 (tar-4.99.19) running
>
> [1] https://www.kmotoko.com/articles/linux-hardening-kernel-parameters-with-sysctl/
>
> On 30.03.20 00:33, Ben Brink via naviserver-devel wrote:
>> Hi,
>>
>> With vTPM and monitoring turned off (and server rebooted), nsd still doesn't boot due to the same error for both ports and either a specific IP number or 0.0.0.0.
>>
>> I suspect this is some overzealous latent TPM/monitoring or related permissions, as I had a similar issue earlier this year running VMs in GNS3 on Linux 5.0.0+, which I worked around instead of resolving, because there seemed to be a bunch of upstream changes in that area of the kernel that may have fixed the GNS3 issue if I could wait for them to reach standard Linux releases.
>>
>> cheers,
>> Ben
>>
>> On 3/29/20 3:17 PM, Ben Brink via naviserver-devel wrote:
>>> Hi,
>>>
>>> Also, GCP says that vTPM and integrity monitoring options are enabled by default, but that Secure Boot is not. [1]
>>>
>>> 1. https://cloud.google.com/compute/docs/instances/modifying-shielded-vm#modify-shielded-vm-instance
>>>
>>> I'm going to turn off vTPM and see if that's enough to get nsd to bind.
>>>
>>> On 3/29/20 2:59 PM, Ben Brink via naviserver-devel wrote:
>>>> Hi,
>>>>
>>>> NaviServer fails to bind on start up to port 8000 or 80 and a specific IP number or as 0.0.0.0. The errors are identical. See log snip below. For diagnostic purposes, I tried apache2 on 80. It works with:
>>>>
>>>> # systemctl start apache2
>>>> # systemctl start oacs-5-9-1
>>>> Job for oacs-5-9-1.service failed because the control process exited with error code.
>>>> See "systemctl status oacs-5-9-1.service" and "journalctl -xe" for details.
>>>> # uname -a
>>>> Linux harvesp-agah 5.0.0-1033-gcp #34-Ubuntu SMP Tue Mar 3 04:36:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> The first error in the log occurs after startup.
>>>>
>>>> [29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nssock:0: adding virtual host entry for host location: http://private.biz:80 mapped to server: oacs-5-9-1
>>>> [29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Notice: starting
>>>> [29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Notice: bind operation on sock 15 lead to error: Cannot assign requested address
>>>> [29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Warning: bind on: SockAddr family AF_INET, ip x.x.x.x, port 80
>>>> [29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Error: Ns_SockBinderListen: sendmsg() failed: sent 53 bytes, 'Cannot assign requested address'
>>>> [29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Error: nssock:0: failed to listen on [x.x.x.x]:80: Cannot assign requested address
>>>> [29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Warning: could no bind any of the following addresses, stopping this driver: x.x.x.x
>>>> [29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nsmain: NaviServer/4.99.19 (tar-4.99.19) running
>>>> [29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Notice: nsmain: security info: uid=1002, euid=1002, gid=1003, egid=1003
>>>> [29/Mar/2020:05:50:33][2926.7fad6d353700][-sched-] Notice: sched: starting
>>>> [29/Mar/2020:05:50:33][2926.7fad7081c740][-main-] Fatal: nsmain: can't communicate with parent process, nwrite -1, error: Broken pipe (parent process was probably killed)
>>>>
>>>> This is on an Ubuntu image on GCP: ubuntu-minimal-1804-bionic-v20200317
>>>> Description: Canonical, Ubuntu, 18.04 LTS Minimal, amd64 bionic minimal image built on 2020-03-17, supports Shielded VM features
>>>>
>>>> I'm guessing it's some kind of vTPM/kernel security issue, since extra security features were added to the Linux kernel at version 5.0.0. Any suggestions on how to get NaviServer to bind / pass the security challenge?
>>>>
>>>> kind regards,
>>>> Ben
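As an added diagnostic (not from the thread and not NaviServer's own code), the script below parses the "failed to listen on [ip]:port: reason" lines the nssock driver logs, maps the reason text to its errno, and then probes a plain bind() on the same address so an address that is simply not configured on any interface (EADDRNOTAVAIL, the error quoted above) can be told apart from a privileged-port or port-in-use failure before blaming the VM's shielding. The sample log lines and the 192.0.2.1 probe address are constructed.

```python
import errno
import re
import socket
# Constructed sample lines in the format of the nssock driver log quoted in the thread.
SAMPLE_LOG = """\
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Notice: starting
[29/Mar/2020:05:50:33][2926.7fad622be700][-driver:nssock:0-] Error: nssock:0: failed to listen on [x.x.x.x]:80: Cannot assign requested address
"""

LISTEN_RE = re.compile(r"failed to listen on \[([^\]]+)\]:(\d+): (.+)$")

# strerror text exactly as NaviServer prints it -> (errno, usual cause)
CAUSES = {
    "Cannot assign requested address": (errno.EADDRNOTAVAIL,
        "address is not configured on any local interface; on cloud VMs the public "
        "IP is usually NATed, so bind to the private address or 0.0.0.0"),
    "Permission denied": (errno.EACCES,
        "port below 1024 needs root or CAP_NET_BIND_SERVICE"),
    "Address already in use": (errno.EADDRINUSE,
        "another process already listens on that address:port"),
}

def parse_bind_failures(log_text):
    """Return (ip, port, errno-or-None, explanation) for each failed-listen line."""
    found = []
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            ip, port, reason = m.group(1), int(m.group(2)), m.group(3).strip()
            code, why = CAUSES.get(reason, (None, "unrecognised reason: " + reason))
            found.append((ip, port, code, why))
    return found

def probe_bind(ip, port):
    """bind() a throwaway socket without listening: None on success, else the errno."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((ip, port))
        return None
    except OSError as e:
        return e.errno
    finally:
        s.close()

if __name__ == "__main__":
    for ip, port, code, why in parse_bind_failures(SAMPLE_LOG):
        print(f"log: {ip}:{port} -> {errno.errorcode.get(code, 'ok')}: {why}")
    # Port 0 lets the kernel pick a free port, so only the address is being tested;
    # 192.0.2.1 (TEST-NET-1) is never a local address and reproduces EADDRNOTAVAIL.
    for ip in ("127.0.0.1", "0.0.0.0", "192.0.2.1"):
        print(f"probe {ip}: {errno.errorcode.get(probe_bind(ip, 0), 'ok')}")
```

Run it as the same unprivileged user nsd runs as: a probe that succeeds on port 0 but fails on port 80 with EACCES points at missing privileges, while EADDRNOTAVAIL on any port points at the address itself.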
Re: [naviserver-devel] NaviServer does not bind to port 80 or 8000 on hardened Ubuntu 5.0.0
Dear Ben

Not sure what is going on on these Google Cloud platforms. With Ubuntu 18.04.4 LTS + Linux 5.3.0, I see no problems. Maybe some of the kernel hardening parameters [1] are set?

-gn

$ uname -a
Linux cigoos 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ sudo /usr/local/ns/bin/nsd -f -u nsadmin -g nsadmin -t /usr/local/ns/conf/nsd-config.tcl
...
[30/Mar/2020:03:25:11][32118.7f376effd700][-driver:nssock:0-] Notice: nssock:0: listening on [0.0.0.0]:8080
[30/Mar/2020:03:25:11][32118.7f377a268740][-main-] Notice: nsmain: NaviServer/4.99.19 (tar-4.99.19) running

[1] https://www.kmotoko.com/articles/linux-hardening-kernel-parameters-with-sysctl/

___
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
Re: [naviserver-devel] NaviServer does not bind to port 80 or 8000 on hardened Ubuntu 5.0.0
Hi,

With vTPM and monitoring turned off (and server rebooted), nsd still doesn't boot due to the same error for both ports and either a specific IP number or 0.0.0.0.

I suspect this is some overzealous latent TPM/monitoring or related permissions, as I had a similar issue earlier this year running VMs in GNS3 on Linux 5.0.0+, which I worked around instead of resolving, because there seemed to be a bunch of upstream changes in that area of the kernel that may have fixed the GNS3 issue if I could wait for them to reach standard Linux releases.

cheers,
Ben
Re: [naviserver-devel] NaviServer does not bind to port 80 or 8000 on hardened Ubuntu 5.0.0
Hi,

Also, GCP says that vTPM and integrity monitoring options are enabled by default, but that Secure Boot is not. [1]

1. https://cloud.google.com/compute/docs/instances/modifying-shielded-vm#modify-shielded-vm-instance

I'm going to turn off vTPM and see if that's enough to get nsd to bind.