Gary Mills
2007-May-01 13:10 UTC
[crossbow-discuss] How to find TCP connection endpoints with IP Instances
When I try to run the ident daemon (pident) on build 62, it complains:

Apr 29 11:24:09 wasat in.identd[12208]: [ID 950913 daemon.error] getbuf: can't get needed symbols

It's looking for the kernel symbols "ipcl_conn_fanout" and "ipcl_conn_fanout_size". These are no longer global variables.

The ident daemon knows the remote end of a TCP connection, but needs to find the local endpoint of that connection, in order to identify the UID of the local process. Is there an official way to do this? Utilities like `lsof' have a similar requirement. I don't think that `pfiles' has this ability. `netstat' seems to use the MIB interface to list TCP connections. Could that be used by the ident daemon?

This message posted from opensolaris.org
James Carlson
2007-May-01 14:07 UTC
[crossbow-discuss] How to find TCP connection endpoints with IP Instances
Gary Mills writes:
> When I try to run the ident daemon (pident) on build 62, it complains:
>
> Apr 29 11:24:09 wasat in.identd[12208]: [ID 950913 daemon.error] getbuf: can't get needed symbols
>
> It's looking for the kernel symbols "ipcl_conn_fanout" and "ipcl_conn_fanout_size". These are no
> longer global variables.

As I mentioned on netnews, this software now needs to use the netstack list to find those pointers. Better still, it needs to integrate into ON itself, where these private interfaces can be used safely.

> The ident daemon knows the remote end of a TCP connection, but needs
> to find the local endpoint of that connection, in order to identify the UID of the local process. Is there
> an official way to do this? Utilities like `lsof' have a similar requirement. I don't think that `pfiles' has
> this ability. `netstat' seems to use the MIB interface to list TCP connections. Could that be used by
> the ident daemon?

No, because that interface tells you nothing about which process(es) are using a given socket, which is exactly the information needed.

(One of the obvious difficulties here is that it's not just a simple 1-1 mapping, so the usual RFE to provide a function to get "the" PID for a socket won't work. A given socket may be open in multiple processes due to fork() and descriptor passing.)

I believe lsof would need a lot of surgery to pass by our usual design and architectural reviews. Not sure about pident, but the same may well be true.

--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
Gary Mills
2007-May-03 13:26 UTC
[crossbow-discuss] Re: How to find TCP connection endpoints with IP Instances
Would it not be better to have an API that could be used by many different commands or services to find TCP connection endpoints? That would mean that Solaris would not have to maintain its own versions of pident and lsof, to cite two examples.
Anders Persson
2007-May-14 21:24 UTC
[crossbow-discuss] How to find TCP connection endpoints with IP Instances
James Carlson wrote:
<SNIP>
>> The ident daemon knows the remote end of a TCP connection, but needs
>> to find the local endpoint of that connection, in order to identify the UID of the local process. Is there
>> an official way to do this? Utilities like `lsof' have a similar requirement. I don't think that `pfiles' has
>> this ability. `netstat' seems to use the MIB interface to list TCP connections. Could that be used by
>> the ident daemon?
>>
>
> No, because that interface tells you nothing about which process(es)
> are using a given socket, which is exactly the information needed.
>

There is some limited information that can be extracted from the MIBs. You can find out the PID of the process that _created_ a particular TCP/UDP endpoint, however, it does not necessarily reflect who is currently using the socket (as pointed out below).

Anders

> (One of the obvious difficulties here is that it's not just a simple
> 1-1 mapping, so the usual RFE to provide a function to get "the" PID
> for a socket won't work. A given socket may be open in multiple
> processes due to fork() and descriptor passing.)
>
> I believe lsof would need a lot of surgery to pass by our usual design
> and architectural reviews. Not sure about pident, but the same may
> well be true.
>
>
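Added example, not part of the original thread or of pident/lsof: a POSIX C sketch of the one-to-many mapping discussed in the two messages above. After fork(), a second PID holds the same bound TCP endpoint that only the creating PID would be recorded for. The function names are hypothetical, and the socket is bound to a kernel-chosen port and never listens.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: local TCP port bound to fd, or -1 on error. */
static int local_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0) return -1;
    return ntohs(sa.sin_port);
}

/* Bind one TCP socket, fork, and let the child report (over a pipe) its PID
 * and the local port it sees on the inherited descriptor.
 * Returns 1 if two distinct PIDs hold the same endpoint, 0 if not, -1 on error. */
int endpoint_shared_after_fork(void) {
    int pfd[2], rep[2] = {0, 0};
    struct sockaddr_in sa;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0 || pipe(pfd) != 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = 0;               /* kernel picks a free port; never listens */
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) != 0) return -1;
    int creator_port = local_port(s);
    pid_t creator = getpid();      /* the only PID a "creator" record names */
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {              /* child: same socket, different PID */
        rep[0] = (int)getpid();
        rep[1] = local_port(s);
        _exit(write(pfd[1], rep, sizeof rep) == (ssize_t)sizeof rep ? 0 : 1);
    }
    close(pfd[1]);                 /* so read() sees EOF if the child fails */
    ssize_t n = read(pfd[0], rep, sizeof rep);
    waitpid(child, NULL, 0);
    close(pfd[0]);
    close(s);
    if (n != (ssize_t)sizeof rep || creator_port <= 0) return -1;
    printf("port %d held by pid %d (creator) and pid %d\n",
           creator_port, (int)creator, rep[0]);
    return rep[0] != (int)creator && rep[1] == creator_port;
}

int main(void) { return endpoint_shared_after_fork() == 1 ? 0 : 1; }
```

If the creating process exited at this point, the child would still own the endpoint, so a creator-PID lookup would name a process (and UID) that no longer uses the connection.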
Peter W. Osel
2007-Sep-07 15:22 UTC
[crossbow-discuss] How to find TCP connection endpoints with IP Instances
> Would it not be better to have an API that could be used by many different
> commands or services to find TCP connection endpoints? That would mean that
> Solaris would not have to maintain its own versions of pident and lsof, to
> cite two examples.

That would certainly be awesome and make programs like identd much easier to maintain.

In 2004 I filed an RFE to get an RFC1413 identification server (identd) included in Solaris. I am certainly willing to help (mainly documentation, requirements, testing, less coding) to make this happen, maybe we can generate enough momentum now that pidentd no longer works on Solaris 10 08/07?

Cheers

pwo at pwo.de Peter W. Osel http://pwo.de/