Date: Thu, 7 Dec 2023 13:03:16 +0000
From: Shachar Kagan <skagan@...dia.com>
To: Eric Dumazet <edumazet@...gle.com>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>, "kuba@...nel.org"
	<kuba@...nel.org>, Jason Gunthorpe <jgg@...dia.com>, Yishai Hadas
	<yishaih@...dia.com>, Ido Kalir <idok@...dia.com>, Topaz Uliel
	<topazu@...dia.com>, Shirly Ohnona <shirlyo@...dia.com>, Ziyad Atiyyeh
	<ziyadat@...dia.com>
Subject: RE: Bug report connect to VM with Vagrant


>> On Thu, Nov 30, 2023 at 2:55 PM Shachar Kagan <skagan@...dia.com> wrote:
>>
>> Hi Eric,
>>
>> I have an issue that bisection pointed at this patch:
>> commit 0a8de364ff7a14558e9676f424283148110384d6
>> tcp: no longer abort SYN_SENT when receiving some ICMP
>>
>
> Please provide tcpdump/pcap captures.
>
>  It is hard to say what is going on just by looking at some application logs.
>

I managed to capture a tcpdump of the ‘Vagrant up’ step on the old kernel and on the new kernel, where this step fails. Both captures are attached.
The tcpdump is filtered by the given IP of the nested VM.

Let me know if there is any other information that I can provide to assist with the investigation.

>> Full commit message at [1].
>>
>> The issue appears while using Vagrant to manage nested VMs.
>> The steps are:
>> * create vagrant file
>> * vagrant up
>> * vagrant halt (VM is created but shut down)
>> * vagrant up - fail
>>
>> Turning on a VM with ‘Vagrant up’ fails when the VM is in the halted state. When the VM hasn't been created yet, 'Vagrant up' passes.
>> The failure occurs in the Net-SSH connection to the VM step.
>> Vagrant error is ‘Guest communication could not be established! This is usually because SSH is not running, the authentication information was changed, or some other networking issue.'
>> We use a new version of vagrant-libvirt.
>> Turning on the VM with virsh instead of vagrant works.
>>
>> Stdout [2] below.
>>
>> Any idea what may cause the error with your patch?
>>
>> Thanks,
>> Shachar Kagan
>>
>> [1]
>> commit 0a8de364ff7a14558e9676f424283148110384d6
>> Author: Eric Dumazet <edumazet@...gle.com>
>> Date:   Tue Nov 14 17:23:41 2023 +0000
>>
>>     tcp: no longer abort SYN_SENT when receiving some ICMP
>>
>>     Currently, non fatal ICMP messages received on behalf
>>     of SYN_SENT sockets do call tcp_ld_RTO_revert()
>>     to implement RFC 6069, but immediately call tcp_done(),
>>     thus aborting the connect() attempt.
>>
>>     This violates RFC 1122 following requirement:
>>
>>     4.2.3.9  ICMP Messages
>>     ...
>>               o    Destination Unreachable -- codes 0, 1, 5
>>
>>                      Since these Unreachable messages indicate soft error
>>                      conditions, TCP MUST NOT abort the connection, and it
>>                      SHOULD make the information available to the
>>                      application.
>>
>>     This patch makes sure non 'fatal' ICMP[v6] messages do not
>>     abort the connection attempt.
>>
>>     It enables RFC 6069 for SYN_SENT sockets as a result.
>>
>>     Signed-off-by: Eric Dumazet <edumazet@...gle.com>
>>     Cc: David Morley <morleyd@...gle.com>
>>     Cc: Neal Cardwell <ncardwell@...gle.com>
>>     Cc: Yuchung Cheng <ycheng@...gle.com>
>>     Signed-off-by: David S. Miller <davem@...emloft.net>
>>
>> [2]
>> Vagrant up stdout:
>> Bringing machine 'player1' up with 'libvirt' provider...
>> ==> player1: Creating shared folders metadata...
>> ==> player1: Starting domain.
>> ==> player1: Domain launching with graphics connection settings...
>> ==> player1:  -- Graphics Port:      5900
>> ==> player1:  -- Graphics IP:        127.0.0.1
>> ==> player1:  -- Graphics Password:  Not defined
>> ==> player1:  -- Graphics Websocket: 5700
>> ==> player1: Waiting for domain to get an IP address...
>> ==> player1: Waiting for machine to boot. This may take a few minutes...
>>     player1: SSH address: 192.168.123.61:22
>>     player1: SSH username: vagrant
>>     player1: SSH auth method: private key
>> ==> player1: Attempting graceful shutdown of VM...
>> ==> player1: Attempting graceful shutdown of VM...
>> ==> player1: Attempting graceful shutdown of VM...
>>     player1: Guest communication could not be established! This is usually because
>>     player1: SSH is not running, the authentication information was changed,
>>     player1: or some other networking issue. Vagrant will force halt, if
>>     player1: capable.
>> ==> player1: Attempting direct shutdown of domain...
>>
>>

Download attachment "new_kernel_guest_vm_ip_filter.pcap" of type "application/octet-stream" (63718 bytes)

Download attachment "old_kernel_guest_vm_ip_filter.pcap" of type "application/octet-stream" (1651529 bytes)
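
An added example, not part of the original message or of the kernel patch: a minimal scan of a classic pcap file (Ethernet link type only) for ICMP Destination Unreachable messages that quote a TCP segment, labelling each code with the RFC 1122 4.2.3.9 classes the commit message refers to. The sample capture is constructed inline; the host and gateway addresses, the source port and the function names are assumptions.

```python
import struct

# RFC 1122 4.2.3.9: codes 0, 1, 5 are soft errors (quoted in the commit message);
# the same section lists codes 2-4 as hard errors.
SOFT, HARD = {0, 1, 5}, {2, 3, 4}

def icmp_unreachables(pcap):
    """Return (code, class, src, dst, sport, dport) per ICMP type 3 quoting a TCP segment."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    def addr(b):
        return ".".join(map(str, b))
    out, off = [], 24                      # 24-byte global header, then records
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ip = frame[14:]                    # skip the Ethernet header
        if frame[12:14] != b"\x08\x00" or len(ip) < 20 or ip[9] != 1:
            continue                       # not IPv4 ICMP
        icmp = ip[(ip[0] & 0x0F) * 4:]
        if len(icmp) < 36 or icmp[0] != 3:
            continue                       # not Destination Unreachable
        inner = icmp[8:]                   # quoted original IP header + 8 bytes
        ihl = (inner[0] & 0x0F) * 4
        if inner[9] != 6 or len(inner) < ihl + 4:
            continue                       # original packet was not TCP
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        code = icmp[1]
        kind = "soft" if code in SOFT else "hard" if code in HARD else "other"
        out.append((code, kind, addr(inner[12:16]), addr(inner[16:20]), sport, dport))
    return out

def _ip(proto, src, dst, payload):
    # IPv4 header without options; checksum left as 0 in this constructed sample
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

def build_sample():
    """Constructed capture: one SYN, then a code 1 and a code 3 unreachable quoting it."""
    host, vm, gw = (192, 168, 123, 1), (192, 168, 123, 61), (192, 168, 123, 254)
    syn = _ip(6, host, vm, struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 2, 64240, 0, 0))
    errs = [_ip(1, gw, host, struct.pack("!BBHI", 3, c, 0, 0) + syn[:28]) for c in (1, 3)]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in [syn] + errs:
        f = b"\x00" * 12 + b"\x08\x00" + f
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap
```

Reading a real capture with `open(path, "rb").read()` and passing the bytes to `icmp_unreachables` works the same way for microsecond-resolution pcap files; pcapng and nanosecond variants are not handled.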
