
Provide remote-control over Unix domain socket #633

Closed
michael-o opened this issue Feb 25, 2022 · 11 comments

Comments

@michael-o

Currently, remote control forces users to fiddle with certificates to make transport and authentication secure even if it is listening on localhost. Proposal is to utilize Unix domain sockets as an alternative to TCP sockets.

Benefits:

  • No fiddling with certificates
  • No open TCP socket for all users on the system
  • UDS can be protected by OS/FS means, e.g., unbound:wheel and everyone in wheel can communicate with the process
  • and likely others

Note: UDS is now also available on Windows.

Default path could be /var/run/unbound-remote-control.sock. Ideally configured in a way that it does not need to be passed constantly to unbound-control(8) (read from config file, like -s).

New option could be -u /path/to/socket.

@DavidOsipov

DavidOsipov commented Feb 27, 2022

Moreover, Unix domain sockets are quite fast. I've already asked the AdGuard Home team, providing the pros and cons, to implement it in their software.

@michael-o
Author

Moreover, Unix domain sockets are quite fast. I've already asked the AdGuard Home team, providing the pros and cons, to implement it in their software.

Oh man, you stunned me. I thought my father had replied to my Unbound ticket, then I realized you share the same name.

@wcawijngaards
Member

The feature already exists. Set the control-interface to the absolute path to the unix domain socket. If you enable that in the default config file, then also unbound-control picks that up from the config file and uses the file.

With control-interface: "/var/run/unbound-remote-control.sock" in the remote-control section. Set control-enable: yes to turn it on. With control-use-cert: no as an additional setting, you do not need to have the certificates, since the communication is limited to the local host.
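As an added example (not Unbound project code), a small POSIX shell audit that reads the remote-control section of an unbound.conf and reports whether the setup described in the comment above (control-enable: yes, an absolute path in control-interface, control-use-cert: no) is in effect; it also flags the one combination the "limited to the local host" reasoning does not cover, certificates disabled on a non-loopback TCP interface. The option names are the real Unbound settings named in the comment; the parser assumes the stock one-option-per-line layout under a "remote-control:" section header.

```shell
#!/bin/sh
# Added example, not Unbound project code: audit the remote-control section of
# an unbound.conf for the unix-domain-socket setup described in the thread.
# Assumption: options are written one per line as "key: value" under a
# "remote-control:" section header, as in the stock unbound.conf layout.

# Print the value of one option from the remote-control section (quotes stripped).
rc_option() {  # usage: rc_option <conf> <key>
    awk -v key="$2" '
        # A line holding only "name:" starts a new section.
        /^[ \t]*[a-z-]+:[ \t]*$/ { insec = ($1 == "remote-control:"); next }
        insec && $1 == (key ":") { v = $2; gsub(/"/, "", v); print v; exit }
    ' "$1"
}

# Classify the configuration. Exit status: 0 = unix domain socket (the setup
# from the thread: certificates not needed, access governed by file permissions),
# 1 = remote control disabled, 2 = loopback TCP or TCP with certificates,
# 3 = certificates disabled on a non-loopback TCP interface (worth flagging).
check_remote_control() {  # usage: check_remote_control <conf>
    enable=$(rc_option "$1" control-enable)
    iface=$(rc_option "$1" control-interface)
    usecert=$(rc_option "$1" control-use-cert)
    [ "$enable" = "yes" ] || { echo "remote-control is disabled"; return 1; }
    case "$iface" in
        /*)  echo "unix domain socket $iface: certificates not needed"; return 0 ;;
        ""|127.*|::1)
             echo "loopback TCP interface ${iface:-default}"; return 2 ;;
        *)   if [ "$usecert" = "no" ]; then
                 echo "FLAG: control-use-cert: no on non-loopback $iface"; return 3
             fi
             echo "TCP interface $iface with certificates"; return 2 ;;
    esac
}

# Constructed sample mirroring the settings suggested in the comment above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server:
    verbosity: 1
remote-control:
    control-enable: yes
    control-interface: "/var/run/unbound-remote-control.sock"
    control-use-cert: no
EOF
check_remote_control "$sample"   # prints the unix domain socket line, exit 0
rm -f "$sample"
```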

@michael-o
Author

michael-o commented Feb 28, 2022

Indeed, that seems truly like an issue in the docs. Read it multiple times:

If you set it to an absolute path, a local socket is used.

It obviously should mention Unix domain socket; "local socket" is just totally overlooked. It can easily be mistaken for a TCP socket listening on localhost.

@michael-o
Author

Works for me now:

# sockstat -u -l | grep unbound
unbound  unbound    62539 19 stream /var/run/unbound-remote-control.sock

and denied:

$ unbound-control stats
[1646037267] unbound-control[62576:0] error: connect: Permission denied for /var/run/unbound-remote-control.sock

@wcawijngaards Should I open a followup ticket for docs?

@wcawijngaards
Member

Does the unbound-control process have the privileges to access the file in the /var/run directory? Perhaps you need to sudo that, or set the permissions on the socket the way you like it.

I can update the docs :-)

@michael-o
Author

Does the unbound-control process have the privileges to access the file in the /var/run directory? Perhaps you need to sudo that, or set the permissions on the socket the way you like it.

The error is just fine since I tried to access the socket as an unprivileged user. As root I am perfectly able to access it:

root@deblndw011x:~
# unbound-control status
version: 1.14.0
verbosity: 1
threads: 8
modules: 2 [ validator iterator ]
uptime: 319 seconds
options: reuseport control(namedpipe)
unbound (pid 62539) is running...

@wcawijngaards
Member

Added a commit to fix the documentation issue that you talked about. Is that something that fixes the text you think?

Good to see that it is working for you.

@michael-o
Author

Added a commit to fix the documentation issue that you talked about. Is that something that fixes the text you think?

Good to see that it is working for you.

Almost, I would even make it in the first sentence:

If you set it to an absolute path, a unix domain socket is used. This socket
does not use the certificates and keys, so those files need not be present.

@michael-o
Author

michael-o commented Feb 28, 2022

Thank you

@wcawijngaards
Member

Okay, I updated to the new text in the commit. Good to fix the documentation!

jedisct1 added a commit to jedisct1/unbound that referenced this issue Mar 14, 2022
* nlnet/master: (27 commits)
  Changelog note for NLnetLabs#644, move commands together for library binary.
  Make `install-lib` make target install the pkg-config file.
  - Fix configure for python to use sysutils, because distutils is deprecated. It uses sysutils when available, distutils otherwise.
  - Fix for NLnetLabs#637: fix integer overflow checks in sldns_str2period.
  - Fix NLnetLabs#637: Integer Overflow in sldns_str2period function.
  - Fix compile warnings for printf ll format on mingw compile.
  - Various fixes for NLnetLabs#632: variable initialisation, convert the qinfo to str once, accept trailing dot in the local-zone ipset option.
  Changelog entry for NLnetLabs#632 - Merge PR NLnetLabs#632 from scottrw93: Match cnames in ipset.
  - Added tests for ipset.
  - Fix pythonmod for change in iter_dp_is_useless function prototype.
  - Fix for edns client subnet option add fix in removal code, from review.
  - Fix edns client subnet to add the option based on the option list, so that it is not state dependent, after the state fix of NLnetLabs#605 for double EDNS options.
  Changelog entry for NLnetLabs#623: - Merge NLnetLabs#623 from rex4539: Fix typos.
  - Fix NLnetLabs#630: Unify the RPZ log messages.
  - Fix for NLnetLabs#633: updated fix with new text.
  - Fix NLnetLabs#633: Document unix domain socket support for unbound-control.
  - Fix check interface existence for support detection in remote lookup.
  - update Makefile dependencies.
  - Fix to detect that no IPv6 support means that IPv6 addresses are useless for delegation point lookups.
  Match cnames in ipset
  ...