[Bugs] [Bug 1426842] New: GlusterFS systemd unit requires rpcbind

bugzilla at redhat.com bugzilla at redhat.com
Sat Feb 25 15:30:11 UTC 2017 

https://bugzilla.redhat.com/show_bug.cgi?id=1426842

            Bug ID: 1426842
           Summary: GlusterFS systemd unit requires rpcbind
           Product: GlusterFS
           Version: 3.9
         Component: packaging
          Assignee: bugs at gluster.org
          Reporter: nh2-redhatbugzilla at deditus.de
                CC: bugs at gluster.org



Description of problem:

In https://bugzilla.redhat.com/show_bug.cgi?id=1282915, the systemd unit for
glusterd was changed so that it `Requires=` rpcbind. That is, glusterd cannot
run without rpcbind running.

rpcbind is only required to use the NFS functionality of gluster.
Because of this, rpcbind is an optional dependency of many glusterfs packages,
e.g. of glusterfs-server on Debian/Ubuntu.

rpcbind by default listens on all interfaces.

An rpcbind running on the open Internet can be easily abused for DNS
amplification attacks (see e.g.
https://www.theregister.co.uk/2015/08/19/portmap_ddos_threat/).

As a result, as a system administrator that does not use Gluster's NFS feature
I would typically prefer to NOT have rpcbind running.

I also cannot quite follow why this was added in the first place - for optional
dependencies, having only `After=` seems to be the exactly right configuration.
In my understanding, the solution to the problem of the original poster in
https://bugzilla.redhat.com/show_bug.cgi?id=1282915 is to run `systemctl enable
rpcbind` to have it start at boot, not to change glusterfs to require it. Once
done so, `After=` will ensure that the two services are started in the correct
order.

Thus I suggest that to provide safer defaults, and to reflect how systemd
recommends handling optional dependencies, the default systemd unit for
glusterd should not `Requires=` rpcbind.

Instead, I suggest that we update the docs, mentioning that if you want the NFS
feature to be available at boot, you should use `systemctl enable rpcbind`.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

More information about the Bugs mailing list