Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-17382] LNet: allow dynamic setting of "accept" parameter https://jira.whamcloud.com/browse/LU-17382 Lustre <p>By default, LNet is accepting connections only from "secure" (&lt;1024) ports. If there are clients connecting using a wider range of ports, e.g. via NAT, the server is expected to have set lnet module parameter "accept" to "all", otherwise out-of-range connections are rejected with an error similar to the following:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> LNetError: 6508:0:(acceptor.c:430:lnet_acceptor()) Refusing connection from 10.49.76.116: insecure port 60694 </pre> </div></div> <p>Currently to change the value of the "accept" parameter it is required to modify the <tt>/etc/modprobe.d/lustre.conf</tt> file and reload the module. It is proposed to allow setting "accept" parameter dynamically - it is less disruptive to do so compared to having to reload LNet just because a few clients using NAT got added.</p> LU-17382 LNet: allow dynamic setting of "accept" parameter Improvement Minor Open Unresolved WC Triage Serguei Smirnov Thu, 21 Dec 2023 19:45:01 +0000 Fri, 22 Dec 2023 18:32:33 +0000 0 4 <p>Sebastien, it is probably not (easily) possible to accept connections from insecure ports based on a nodemap? That is probably a chicken-and-egg issue where we can't check the nodemap until after the connection is established? I guess for a more secure environment, it is better to have strong authentication (SSK, Kerberos) and then accepting connections from insecure ports is not really a concern...</p> <p>Yes exactly, nodemap operates way above LNet, so I am not even sure we could have access to the LNet port? I do not really know why the ports below 1024 are called secure actually. Maybe it is more that those ports can be assigned to "services", so there is no risk of having the port used by someone else?</p> <p>Ports below 1024 cannot be opened by non-root processes, so in environments where the nodes are secure/trusted this means that services using those ports are also more secure.  With modern systems where any user can install the client and/or run as root this is less useful.</p> Related Development Rank 1|i045nb: Rank (Obsolete) 9223372036854775807 Severity