[Csync2] Csync failing with xinetd, working in standalone mode

Lars Ellenberg lars.ellenberg at linbit.com
Mon Sep 19 14:34:36 CEST 2016 

On Tue, Jun 21, 2016 at 04:17:24AM +0000, Hamish Currie wrote:
> Hi,
> 
> I'm having a problem with csync2 failing if the server is being run
> via xinetd (csync2 -i), but is working in stand-alone mode (csync2 -ii).
> 
> This is only happening on a pair of RHEL7 servers . Its working fine on our centos7 servers.
> 
> I've provided information from my attempts to debug the problem below,
> Any suggestions you can provide would be appreciated.

Your xinetd seems to fail to even spawn csync2.  See below.
If so, that cannot possibly be fixed in csync2.

> The csync software was compiled from the current latest release.

see http://git.linbit.com/csync2.git
    http://github.com/LINBIT/csync2.git

> /etc/xinetd.d/csync2 contains:
> service csync2
> {
>         disable = no
>         protocol = tcp
>         socket_type = stream
>         wait = no
>         user = root
>         group = root
>         server = /usr/local/sbin/csync2
>         server_args = -i
>         log_type = FILE /tmp/data_csync2.log
>         log_on_failure  += USERID
> }
> 
> When running the server in standalone mode, I run it as root.
> 
> I found this stack overflow question
> http://stackoverflow.com/questions/30235086/error-in-csync2-two-server-data-using-csync2-tools

That would be (x)inetd mixing stderr of csync2 into stdout,
thereby "corrupting" the csync2 protocol.

add "-l" to the inetd invocation.  as in
/etc/inetd.conf:
-csync2          stream  tcp     nowait  root    /usr/sbin/csync2 csync2 -i
+csync2          stream  tcp     nowait  root    /usr/sbin/csync2 csync2 -i -l

xinetd: server_args = -i -l

or add up to two -v (the third -v will break protocol again,
when run from inetd, see below).

currently csync2 defaults to using syslog when run from inetd
when "-v" is present only.

Back in May 2016, I pushed workarounds for defaulting to syslog
when run from inetd, disregarding the debug level.

Csync2 may still use stderr (or even stdout!) directly in some cases.
This optional "debug" logging of csync2 is badly grown
$swearword_of_choice; not sure if I eliminated all of it yet.

> - but adding -l to the server_args did not solve the problem for me.

Too bad :(

> I ran strace on the client side and diffed the 2 scenarios.
> When connecting to the xinetd version of the server I get:
> write(5, "CONFIG \n", 8)                = 8
> read(5, 0x631f60, 512)                  = -1 ECONNRESET (Connection reset by peer)
> write(2, "Config command failed.\n", 23) = 23
> 
> When connecting to the standalone server I get:
> write(5, "CONFIG \n", 8)                = 8
> read(5, "OK (cmd_finished).\n", 512)    = 19
> lstat("/var/data/www/a.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
> write(5, "HELLO wfe01\n", 15)        = 15
> read(5, "OK (cmd_finished).\n", 512)    = 19
> 
> I did an strace on the server - when running standalone the config file is read almost immediately, but in xinetd mode the server fails before attempting to read the config file.

> 13:43:30.709033 connect(3, {sa_family=AF_LOCAL, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)
> 13:43:30.709113 close(3)                = 0
> 13:43:30.709177 setgroups(1, [0])       = 0
> 13:43:30.709239 setuid(0)               = 0
> 13:43:30.709292 umask(02)               = 022
> 13:43:30.709441 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2197, ...}) = 0
> 13:43:30.709493 write(6, "16/6/21 at 13:43:30: FAIL: csync2 a"..., 56) = 56

Now, what did xinetd complain about there?
That truncated log message might have been the key :-/
This looks like xinetd did not even want to spawn csync2.
Possibly be because some problem with your auth setup,
but that's speculation now.

> 13:43:30.709695 exit_group(0)           = ?
> 13:43:30.709888 +++ exited with 0 +++
> 
> 
> SELinux is set to permissive.
> 
> # sestatus -v
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      28
> 
> Process contexts:
> Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Init context:                   system_u:system_r:init_t:s0
> /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023
> 
> File contexts:
> Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
> /etc/passwd                     system_u:object_r:passwd_file_t:s0
> /etc/shadow                     system_u:object_r:shadow_t:s0
> /bin/bash                       system_u:object_r:shell_exec_t:s0
> /bin/login                      system_u:object_r:login_exec_t:s0
> /bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
> /sbin/agetty                    system_u:object_r:getty_exec_t:s0
> /sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
> /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
> /lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
> /lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0


-- 
: Lars Ellenberg
: LINBIT | Keeping the Digital World Running
: DRBD -- Heartbeat -- Corosync -- Pacemaker
: R&D, Integration, Ops, Consulting, Support

DRBD® and LINBIT® are registered trademarks of LINBIT

More information about the Csync2 mailing list