MEDIUM: unix sock: use my_socketat to create bind socket
As UNIX Domain sockets could be attached to Linux namespaces (see more details about it from the Linux kernel patch set below: https://lore.kernel.org/netdev/m1hbl7hxo3.fsf@fess.ebiederm.org), it is better to use my_socket_at() in order to create UNIX listener's socket. my_socket_at() takes into account a network namespace, that may be configured for a frontend in the bind line:

    frontend fe_foo
    ...
    bind uxst@frontend.sock user haproxy group haproxy mode 660 namespace frontend

Like this, namespace-aware applications, such as netstat for example, will see this listening socket in its 'frontend' namespace and not in the root namespace as it was before.

It is important to mention that the fixes in the Linux kernel referenced above allow connecting to this listener's socket from the root and from any other namespace. The UNIX Domain socket is protected by its permission set, which must be set with caution on its inode.
parent 84babc93ce
commit d602d568e0
@ -255,8 +255,8 @@ int sock_unix_bind_receiver(struct receiver *rx, char **errmsg)
}
addr.sun_family = AF_UNIX;
/* WT: shouldn't we use my_socketat(rx->netns) here instead ? */
fd = socket(rx->proto->fam->sock_domain, rx->proto->sock_type, rx->proto->sock_prot);
fd = my_socketat(rx->settings->netns, rx->proto->fam->sock_domain,
rx->proto->sock_type, rx->proto->sock_prot);
if (fd < 0) {
err |= ERR_FATAL | ERR_ALERT;
memprintf(errmsg, "cannot create receiving socket (%s)", strerror(errno));
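Review bot: The error path right after the new my_socketat() call still reports only "cannot create receiving socket (%s)" with strerror(errno), although creation now depends on rx->settings->netns as well as on the socket parameters. Consider naming the configured namespace in the message when one is set, and confirm that my_socketat() leaves errno meaningful when the failure comes from the namespace rather than from socket creation itself, so an operator can tell the two apart. Please also confirm that a bind line without "namespace" (rx->settings->netns unset) takes the same path as the old plain socket() call. Finally, since the commit message states the listener stays reachable from the root and from any other namespace, the documentation for "namespace" on uxst binds should say that it changes where the socket is listed, not who can connect, and that user/group/mode remain the access control.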