Hello, this is probably a request for explanation (or documentation), but let's see what you guys tell me. I am working on SELinux policy for our app, the goal is to create fine-grained rules of what the process can do and cannot do (SELinux 101 in one sentence). We launch it from systemd via the Rails helper:
# cat /usr/lib/systemd/system/foreman.service
[Unit]
Description=Foreman
Documentation=https://theforeman.org
After=network.target remote-fs.target nss-lookup.target
Requires=foreman.socket
[Service]
Type=simple
User=foreman
TimeoutSec=300
WorkingDirectory=/usr/share/foreman
ExecStart=/usr/share/foreman/bin/rails server --environment $FOREMAN_ENV --port $FOREMAN_PORT --binding $FOREMAN_BIND
Environment=FOREMAN_ENV=production FOREMAN_PORT=3000 FOREMAN_BIND=0.0.0.0
SyslogIdentifier=foreman
[Install]
WantedBy=multi-user.target
Now, in my policy (https://github.com/theforeman/foreman-selinux/pull/100) I allow the app to bind and listen on TCP port 3000. That does work indeed, however SELinux reports that the process (or subprocesses - workers) does bind additional TCP and UDP (or other) sockets. I will explain later, but just for those who can read SELinux, these rules are:
allow foreman_rails_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow foreman_rails_t self:tcp_socket { connect create getattr setopt };
allow foreman_rails_t self:udp_socket { connect create getattr };
allow foreman_rails_t unconfined_service_t:tcp_socket { accept getattr getopt setopt };
I've researched all the documentation you have on github about deployment and architecture, yet I cannot find why Puma opens up these channels. On my setup, I have two workers:
# ps axuZ | grep puma
system_u:system_r:foreman_rails_t:s0 foreman 8074 5.7 3.8 1014624 500256 ? Ssl 16:00 0:46 puma 4.3.3 (tcp://127.0.0.1:3000) [foreman]
system_u:system_r:foreman_rails_t:s0 foreman 8119 0.2 3.9 1896360 510068 ? Sl 16:01 0:01 puma: cluster worker 0: 8074 [foreman]
system_u:system_r:foreman_rails_t:s0 foreman 8126 0.0 3.8 1753996 498224 ? Sl 16:01 0:00 puma: cluster worker 1: 8074 [foreman]
These are sockets and files for the master process:
# lsof -p 8074
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ruby 8074 foreman cwd DIR 253,4 4096 71303302 /usr/share/foreman
ruby 8074 foreman rtd DIR 253,4 245 64 /
ruby 8074 foreman txt REG 253,4 7192 167772328 /opt/rh/rh-ruby25/root/usr/bin/ruby
ruby 8074 foreman mem REG 253,4 42488 71307749 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/puma-4.3.3/puma/puma_http11.so
ruby 8074 foreman mem REG 253,4 83872 201343655 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nio4r-2.5.2/nio4r_ext.so
ruby 8074 foreman mem REG 253,4 61560 297955 /usr/lib64/libnss_files-2.17.so
ruby 8074 foreman mem REG 253,4 68192 90789 /usr/lib64/libbz2.so.1.0.6
ruby 8074 foreman mem REG 253,4 99952 396332 /usr/lib64/libelf-0.176.so
ruby 8074 foreman mem REG 253,4 32392 100141 /usr/lib64/libffi.so.6.0.1
ruby 8074 foreman mem REG 253,4 19384 100144 /usr/lib64/libgpg-error.so.0.10.0
ruby 8074 foreman mem REG 253,4 535064 100152 /usr/lib64/libgcrypt.so.11.8.2
ruby 8074 foreman mem REG 253,4 86024 100398 /usr/lib64/liblz4.so.1.7.5
ruby 8074 foreman mem REG 253,4 338672 496642 /usr/lib64/libdw-0.176.so
ruby 8074 foreman mem REG 253,4 20048 100166 /usr/lib64/libcap.so.2.22
ruby 8074 foreman mem REG 253,4 352584 460273 /usr/lib64/libldap-2.4.so.2.10.7
ruby 8074 foreman mem REG 253,4 186728 448237 /usr/lib64/libssh2.so.1.0.1
ruby 8074 foreman mem REG 253,4 208928 100379 /usr/lib64/libidn.so.11.6.11
ruby 8074 foreman mem REG 253,4 495720 297816 /usr/lib64/libgmp.so.10.2.0
ruby 8074 foreman mem REG 253,4 160736 6358263 /usr/lib64/libhogweed.so.2.5
ruby 8074 foreman mem REG 253,4 201280 6358265 /usr/lib64/libnettle.so.4.7
ruby 8074 foreman mem REG 253,4 78056 297847 /usr/lib64/libtasn1.so.6.5.3
ruby 8074 foreman mem REG 253,4 1261848 100305 /usr/lib64/libp11-kit.so.0.3.0
ruby 8074 foreman mem REG 253,4 203680 382584 /usr/lib64/libsystemd.so.0.6.0
ruby 8074 foreman mem REG 253,4 19896 100165 /usr/lib64/libattr.so.1.1.0
ruby 8074 foreman mem REG 253,4 91024 382588 /usr/lib64/libudev.so.1.6.2
ruby 8074 foreman mem REG 253,4 660208 298063 /usr/lib64/libsepol.so.1
ruby 8074 foreman mem REG 253,4 88776 85 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
ruby 8074 foreman mem REG 253,4 14424 87567 /usr/lib64/libutil-2.17.so
ruby 8074 foreman mem REG 253,4 439320 395578 /usr/lib64/libcurl.so.4.3.0
ruby 8074 foreman mem REG 253,4 1300504 6358270 /usr/lib64/libgnutls.so.28.43.3
ruby 8074 foreman mem REG 253,4 333384 496660 /usr/lib64/libdbus-1.so.3.14.14
ruby 8074 foreman mem REG 253,4 69968 82229 /usr/lib64/libavahi-client.so.3.2.9
ruby 8074 foreman mem REG 253,4 53856 82231 /usr/lib64/libavahi-common.so.3.5.3
ruby 8074 foreman mem REG 253,4 1509584 382590 /usr/lib64/libxml2.so.2.9.1
ruby 8074 foreman mem REG 253,4 37064 100172 /usr/lib64/libacl.so.1.1.0
ruby 8074 foreman mem REG 253,4 50696 297838 /usr/lib64/libnuma.so.1.0.0
ruby 8074 foreman mem REG 253,4 360224 464479 /usr/lib64/libdevmapper.so.1.02
ruby 8074 foreman mem REG 253,4 127112 100161 /usr/lib64/libaudit.so.1.0.0
ruby 8074 foreman mem REG 253,4 139016 100247 /usr/lib64/libnl-3.so.200.23.0
ruby 8074 foreman mem REG 253,4 444832 100255 /usr/lib64/libnl-route-3.so.200.23.0
ruby 8074 foreman mem REG 253,4 40600 6358254 /usr/lib64/libyajl.so.2.0.4
ruby 8074 foreman mem REG 253,4 23968 100159 /usr/lib64/libcap-ng.so.0.0.0
ruby 8074 foreman mem REG 253,4 4109448 806393 /usr/lib64/libvirt.so.0.4005.0
ruby 8074 foreman mem REG 253,4 15224 806390 /usr/lib64/libvirt-qemu.so.0.4005.0
ruby 8074 foreman mem REG 253,4 15208 806387 /usr/lib64/libvirt-lxc.so.0.4005.0
ruby 8074 foreman mem REG 253,4 232328 54532297 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ruby-libvirt-0.7.0/_libvirt.so
ruby 8074 foreman mem REG 253,4 11120 96469136 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/iso_8859_1.so
ruby 8074 foreman mem REG 253,4 6928 84294142 /opt/rh/rh-ruby25/root/usr/lib64/ruby/fcntl.so
ruby 8074 foreman mem REG 253,4 43712 87563 /usr/lib64/librt-2.17.so
ruby 8074 foreman mem REG 253,4 251888 298017 /usr/lib64/libnspr4.so
ruby 8074 foreman mem REG 253,4 20096 297983 /usr/lib64/libplc4.so
ruby 8074 foreman mem REG 253,4 15800 298018 /usr/lib64/libplds4.so
ruby 8074 foreman mem REG 253,4 198968 87578 /usr/lib64/libnssutil3.so
ruby 8074 foreman mem REG 253,4 1257808 395574 /usr/lib64/libnss3.so
ruby 8074 foreman mem REG 253,4 168336 395575 /usr/lib64/libsmime3.so
ruby 8074 foreman mem REG 253,4 370584 395576 /usr/lib64/libssl3.so
ruby 8074 foreman mem REG 253,4 121208 403560 /usr/lib64/libsasl2.so.3.0.0
ruby 8074 foreman mem REG 253,4 61952 460271 /usr/lib64/liblber-2.4.so.2.10.7
ruby 8074 foreman mem REG 253,4 381408 460275 /usr/lib64/libldap_r-2.4.so.2.10.7
ruby 8074 foreman mem REG 253,4 197568 515783 /usr/lib64/libpq.so.5.5
ruby 8074 foreman mem REG 253,4 189544 151020885 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/pg-1.1.4/pg_ext.so
ruby 8074 foreman mem REG 253,4 27912 134227300 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/bcrypt-3.1.12/bcrypt_ext.so
ruby 8074 foreman mem REG 253,4 19936 84294163 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/io-console-0.4.6/io/console.so
ruby 8074 foreman mem REG 253,4 15712 84294157 /opt/rh/rh-ruby25/root/usr/lib64/ruby/syslog.so
ruby 8074 foreman mem REG 253,4 15360 96469130 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/euc_jp.so
ruby 8074 foreman mem REG 253,4 15376 96469164 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/windows_31j.so
ruby 8074 foreman mem REG 253,4 11160 96469154 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/utf_16be.so
ruby 8074 foreman mem REG 253,4 11160 96469155 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/utf_16le.so
ruby 8074 foreman mem REG 253,4 6984 92274985 /opt/rh/rh-ruby25/root/usr/lib64/ruby/digest/sha1.so
ruby 8074 foreman mem REG 253,4 98928 12621217 /usr/lib64/gconv/CP932.so
ruby 8074 foreman mem REG 253,4 157400 90759 /usr/lib64/liblzma.so.5.2.2
ruby 8074 foreman mem REG 253,4 2289040 75539165 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.10.9/nokogiri/nokogiri.so
ruby 8074 foreman mem REG 253,4 6976 92274983 /opt/rh/rh-ruby25/root/usr/lib64/ruby/digest/md5.so
ruby 8074 foreman mem REG 253,4 11232 104857817 /opt/rh/rh-ruby25/root/usr/lib64/ruby/io/wait.so
ruby 8074 foreman mem REG 253,4 179608 84294154 /opt/rh/rh-ruby25/root/usr/lib64/ruby/socket.so
ruby 8074 foreman mem REG 253,4 19720 109052116 /opt/rh/rh-ruby25/root/usr/lib64/ruby/racc/cparse.so
ruby 8074 foreman mem REG 253,4 62880 84294158 /opt/rh/rh-ruby25/root/usr/lib64/ruby/zlib.so
ruby 8074 foreman mem REG 253,4 36728 247464082 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/json-2.1.0/json/ext/generator.so
ruby 8074 foreman mem REG 253,4 27968 247464083 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/json-2.1.0/json/ext/parser.so
ruby 8074 foreman mem REG 253,4 78536 134217906 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/bigdecimal-1.3.4/bigdecimal.so
ruby 8074 foreman mem REG 253,4 203832 84294138 /opt/rh/rh-ruby25/root/usr/lib64/ruby/date_core.so
ruby 8074 foreman mem REG 253,4 11128 92274986 /opt/rh/rh-ruby25/root/usr/lib64/ruby/digest/sha2.so
ruby 8074 foreman mem REG 253,4 11160 104857816 /opt/rh/rh-ruby25/root/usr/lib64/ruby/io/nonblock.so
ruby 8074 foreman mem REG 253,4 15752 84294140 /opt/rh/rh-ruby25/root/usr/lib64/ruby/digest.so
ruby 8074 foreman mem REG 253,4 402384 298067 /usr/lib64/libpcre.so.1.2.0
ruby 8074 foreman mem REG 253,4 155752 87576 /usr/lib64/libselinux.so.1
ruby 8074 foreman mem REG 253,4 109976 87561 /usr/lib64/libresolv-2.17.so
ruby 8074 foreman mem REG 253,4 15688 105943 /usr/lib64/libkeyutils.so.1.5
ruby 8074 foreman mem REG 253,4 67104 396327 /usr/lib64/libkrb5support.so.0.1
ruby 8074 foreman mem REG 253,4 90248 298079 /usr/lib64/libz.so.1.2.7
ruby 8074 foreman mem REG 253,4 210784 367420 /usr/lib64/libk5crypto.so.3.1
ruby 8074 foreman mem REG 253,4 15856 87596 /usr/lib64/libcom_err.so.2.1
ruby 8074 foreman mem REG 253,4 967776 396325 /usr/lib64/libkrb5.so.3.3
ruby 8074 foreman mem REG 253,4 320720 367416 /usr/lib64/libgssapi_krb5.so.2.2
ruby 8074 foreman mem REG 253,4 2521008 367397 /usr/lib64/libcrypto.so.1.0.2k
ruby 8074 foreman mem REG 253,4 470360 367399 /usr/lib64/libssl.so.1.0.2k
ruby 8074 foreman mem REG 253,4 365440 138412179 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/openssl-2.1.2/openssl.so
ruby 8074 foreman mem REG 253,4 24288 84294156 /opt/rh/rh-ruby25/root/usr/lib64/ruby/strscan.so
ruby 8074 foreman mem REG 253,4 131096 460257 /usr/lib64/libyaml-0.so.2.0.4
ruby 8074 foreman mem REG 253,4 32688 104857827 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/psych-3.0.2/psych.so
ruby 8074 foreman mem REG 253,4 32608 84294148 /opt/rh/rh-ruby25/root/usr/lib64/ruby/pathname.so
ruby 8074 foreman mem REG 253,4 6816 84294143 /opt/rh/rh-ruby25/root/usr/lib64/ruby/fiber.so
ruby 8074 foreman mem REG 253,4 28232 84294141 /opt/rh/rh-ruby25/root/usr/lib64/ruby/etc.so
ruby 8074 foreman mem REG 253,4 15376 88080586 /opt/rh/rh-ruby25/root/usr/lib64/ruby/cgi/escape.so
ruby 8074 foreman mem REG 253,4 32816 84294155 /opt/rh/rh-ruby25/root/usr/lib64/ruby/stringio.so
ruby 8074 foreman mem REG 253,4 15112 100663449 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/trans/transdb.so
ruby 8074 foreman mem REG 253,4 11064 96469129 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/encdb.so
ruby 8074 foreman mem REG 253,4 106176928 298055 /usr/lib/locale/locale-archive
ruby 8074 foreman mem REG 253,4 11392 81932 /usr/lib64/libfreebl3.so
ruby 8074 foreman mem REG 253,4 2156240 297937 /usr/lib64/libc-2.17.so
ruby 8074 foreman mem REG 253,4 1136944 297940 /usr/lib64/libm-2.17.so
ruby 8074 foreman mem REG 253,4 40600 298060 /usr/lib64/libcrypt-2.17.so
ruby 8074 foreman mem REG 253,4 19248 298062 /usr/lib64/libdl-2.17.so
ruby 8074 foreman mem REG 253,4 142144 87559 /usr/lib64/libpthread-2.17.so
ruby 8074 foreman mem REG 253,4 2901808 188743821 /opt/rh/rh-ruby25/root/usr/lib64/libruby.so.2.5.5
ruby 8074 foreman mem REG 253,4 163312 297929 /usr/lib64/ld-2.17.so
ruby 8074 foreman mem REG 253,4 26970 12586471 /usr/lib64/gconv/gconv-modules.cache
ruby 8074 foreman 0r CHR 1,3 0t0 1028 /dev/null
ruby 8074 foreman 1u unix 0xffff958a5840c000 0t0 179018 socket
ruby 8074 foreman 2u unix 0xffff958a5840c000 0t0 179018 socket
ruby 8074 foreman 3u IPv4 15118 0t0 TCP sat68.nat.lan:hbci (LISTEN)
ruby 8074 foreman 4r FIFO 0,9 0t0 179087 pipe
ruby 8074 foreman 5w FIFO 0,9 0t0 179087 pipe
ruby 8074 foreman 6r FIFO 0,9 0t0 179088 pipe
ruby 8074 foreman 7w FIFO 0,9 0t0 179088 pipe
ruby 8074 foreman 8r CHR 1,3 0t0 1028 /dev/null
ruby 8074 foreman 9w CHR 1,3 0t0 1028 /dev/null
ruby 8074 foreman 10r CHR 1,9 0t0 1033 /dev/urandom
ruby 8074 foreman 11w REG 253,4 2716989 244930302 /var/log/foreman/production.log
ruby 8074 foreman 12u unix 0xffff958a5840d980 0t0 179073 socket
ruby 8074 foreman 13r FIFO 0,9 0t0 187803 pipe
ruby 8074 foreman 14w FIFO 0,9 0t0 187803 pipe
ruby 8074 foreman 15r FIFO 0,9 0t0 187804 pipe
ruby 8074 foreman 16w FIFO 0,9 0t0 187804 pipe
And here is one of the children:
# lsof -p 8119
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ruby 8119 foreman cwd DIR 253,4 4096 71303302 /usr/share/foreman
ruby 8119 foreman rtd DIR 253,4 245 64 /
ruby 8119 foreman txt REG 253,4 7192 167772328 /opt/rh/rh-ruby25/root/usr/bin/ruby
ruby 8119 foreman mem REG 253,4 42488 71307749 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/puma-4.3.3/puma/puma_http11.so
ruby 8119 foreman mem REG 253,4 83872 201343655 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nio4r-2.5.2/nio4r_ext.so
ruby 8119 foreman mem REG 253,4 61560 297955 /usr/lib64/libnss_files-2.17.so
ruby 8119 foreman mem REG 253,4 68192 90789 /usr/lib64/libbz2.so.1.0.6
ruby 8119 foreman mem REG 253,4 99952 396332 /usr/lib64/libelf-0.176.so
ruby 8119 foreman mem REG 253,4 32392 100141 /usr/lib64/libffi.so.6.0.1
ruby 8119 foreman mem REG 253,4 19384 100144 /usr/lib64/libgpg-error.so.0.10.0
ruby 8119 foreman mem REG 253,4 535064 100152 /usr/lib64/libgcrypt.so.11.8.2
ruby 8119 foreman mem REG 253,4 86024 100398 /usr/lib64/liblz4.so.1.7.5
ruby 8119 foreman mem REG 253,4 338672 496642 /usr/lib64/libdw-0.176.so
ruby 8119 foreman mem REG 253,4 20048 100166 /usr/lib64/libcap.so.2.22
ruby 8119 foreman mem REG 253,4 352584 460273 /usr/lib64/libldap-2.4.so.2.10.7
ruby 8119 foreman mem REG 253,4 186728 448237 /usr/lib64/libssh2.so.1.0.1
ruby 8119 foreman mem REG 253,4 208928 100379 /usr/lib64/libidn.so.11.6.11
ruby 8119 foreman mem REG 253,4 495720 297816 /usr/lib64/libgmp.so.10.2.0
ruby 8119 foreman mem REG 253,4 160736 6358263 /usr/lib64/libhogweed.so.2.5
ruby 8119 foreman mem REG 253,4 201280 6358265 /usr/lib64/libnettle.so.4.7
ruby 8119 foreman mem REG 253,4 78056 297847 /usr/lib64/libtasn1.so.6.5.3
ruby 8119 foreman mem REG 253,4 1261848 100305 /usr/lib64/libp11-kit.so.0.3.0
ruby 8119 foreman mem REG 253,4 203680 382584 /usr/lib64/libsystemd.so.0.6.0
ruby 8119 foreman mem REG 253,4 19896 100165 /usr/lib64/libattr.so.1.1.0
ruby 8119 foreman mem REG 253,4 91024 382588 /usr/lib64/libudev.so.1.6.2
ruby 8119 foreman mem REG 253,4 660208 298063 /usr/lib64/libsepol.so.1
ruby 8119 foreman mem REG 253,4 88776 85 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
ruby 8119 foreman mem REG 253,4 14424 87567 /usr/lib64/libutil-2.17.so
ruby 8119 foreman mem REG 253,4 439320 395578 /usr/lib64/libcurl.so.4.3.0
ruby 8119 foreman mem REG 253,4 1300504 6358270 /usr/lib64/libgnutls.so.28.43.3
ruby 8119 foreman mem REG 253,4 333384 496660 /usr/lib64/libdbus-1.so.3.14.14
ruby 8119 foreman mem REG 253,4 69968 82229 /usr/lib64/libavahi-client.so.3.2.9
ruby 8119 foreman mem REG 253,4 53856 82231 /usr/lib64/libavahi-common.so.3.5.3
ruby 8119 foreman mem REG 253,4 1509584 382590 /usr/lib64/libxml2.so.2.9.1
ruby 8119 foreman mem REG 253,4 37064 100172 /usr/lib64/libacl.so.1.1.0
ruby 8119 foreman mem REG 253,4 50696 297838 /usr/lib64/libnuma.so.1.0.0
ruby 8119 foreman mem REG 253,4 360224 464479 /usr/lib64/libdevmapper.so.1.02
ruby 8119 foreman mem REG 253,4 127112 100161 /usr/lib64/libaudit.so.1.0.0
ruby 8119 foreman mem REG 253,4 139016 100247 /usr/lib64/libnl-3.so.200.23.0
ruby 8119 foreman mem REG 253,4 444832 100255 /usr/lib64/libnl-route-3.so.200.23.0
ruby 8119 foreman mem REG 253,4 40600 6358254 /usr/lib64/libyajl.so.2.0.4
ruby 8119 foreman mem REG 253,4 23968 100159 /usr/lib64/libcap-ng.so.0.0.0
ruby 8119 foreman mem REG 253,4 4109448 806393 /usr/lib64/libvirt.so.0.4005.0
ruby 8119 foreman mem REG 253,4 15224 806390 /usr/lib64/libvirt-qemu.so.0.4005.0
ruby 8119 foreman mem REG 253,4 15208 806387 /usr/lib64/libvirt-lxc.so.0.4005.0
ruby 8119 foreman mem REG 253,4 232328 54532297 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/ruby-libvirt-0.7.0/_libvirt.so
ruby 8119 foreman mem REG 253,4 11120 96469136 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/iso_8859_1.so
ruby 8119 foreman mem REG 253,4 6928 84294142 /opt/rh/rh-ruby25/root/usr/lib64/ruby/fcntl.so
ruby 8119 foreman mem REG 253,4 43712 87563 /usr/lib64/librt-2.17.so
ruby 8119 foreman mem REG 253,4 251888 298017 /usr/lib64/libnspr4.so
ruby 8119 foreman mem REG 253,4 20096 297983 /usr/lib64/libplc4.so
ruby 8119 foreman mem REG 253,4 15800 298018 /usr/lib64/libplds4.so
ruby 8119 foreman mem REG 253,4 198968 87578 /usr/lib64/libnssutil3.so
ruby 8119 foreman mem REG 253,4 1257808 395574 /usr/lib64/libnss3.so
ruby 8119 foreman mem REG 253,4 168336 395575 /usr/lib64/libsmime3.so
ruby 8119 foreman mem REG 253,4 370584 395576 /usr/lib64/libssl3.so
ruby 8119 foreman mem REG 253,4 121208 403560 /usr/lib64/libsasl2.so.3.0.0
ruby 8119 foreman mem REG 253,4 61952 460271 /usr/lib64/liblber-2.4.so.2.10.7
ruby 8119 foreman mem REG 253,4 381408 460275 /usr/lib64/libldap_r-2.4.so.2.10.7
ruby 8119 foreman mem REG 253,4 197568 515783 /usr/lib64/libpq.so.5.5
ruby 8119 foreman mem REG 253,4 189544 151020885 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/pg-1.1.4/pg_ext.so
ruby 8119 foreman mem REG 253,4 27912 134227300 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/bcrypt-3.1.12/bcrypt_ext.so
ruby 8119 foreman mem REG 253,4 19936 84294163 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/io-console-0.4.6/io/console.so
ruby 8119 foreman mem REG 253,4 15712 84294157 /opt/rh/rh-ruby25/root/usr/lib64/ruby/syslog.so
ruby 8119 foreman mem REG 253,4 15360 96469130 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/euc_jp.so
ruby 8119 foreman mem REG 253,4 15376 96469164 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/windows_31j.so
ruby 8119 foreman mem REG 253,4 11160 96469154 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/utf_16be.so
ruby 8119 foreman mem REG 253,4 11160 96469155 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/utf_16le.so
ruby 8119 foreman mem REG 253,4 6984 92274985 /opt/rh/rh-ruby25/root/usr/lib64/ruby/digest/sha1.so
ruby 8119 foreman mem REG 253,4 98928 12621217 /usr/lib64/gconv/CP932.so
ruby 8119 foreman mem REG 253,4 157400 90759 /usr/lib64/liblzma.so.5.2.2
ruby 8119 foreman mem REG 253,4 2289040 75539165 /opt/theforeman/tfm/root/usr/lib64/gems/ruby/nokogiri-1.10.9/nokogiri/nokogiri.so
ruby 8119 foreman mem REG 253,4 6976 92274983 /opt/rh/rh-ruby25/root/usr/lib64/ruby/digest/md5.so
ruby 8119 foreman mem REG 253,4 11232 104857817 /opt/rh/rh-ruby25/root/usr/lib64/ruby/io/wait.so
ruby 8119 foreman mem REG 253,4 179608 84294154 /opt/rh/rh-ruby25/root/usr/lib64/ruby/socket.so
ruby 8119 foreman mem REG 253,4 19720 109052116 /opt/rh/rh-ruby25/root/usr/lib64/ruby/racc/cparse.so
ruby 8119 foreman mem REG 253,4 62880 84294158 /opt/rh/rh-ruby25/root/usr/lib64/ruby/zlib.so
ruby 8119 foreman mem REG 253,4 36728 247464082 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/json-2.1.0/json/ext/generator.so
ruby 8119 foreman mem REG 253,4 27968 247464083 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/json-2.1.0/json/ext/parser.so
ruby 8119 foreman mem REG 253,4 78536 134217906 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/bigdecimal-1.3.4/bigdecimal.so
ruby 8119 foreman mem REG 253,4 203832 84294138 /opt/rh/rh-ruby25/root/usr/lib64/ruby/date_core.so
ruby 8119 foreman mem REG 253,4 11128 92274986 /opt/rh/rh-ruby25/root/usr/lib64/ruby/digest/sha2.so
ruby 8119 foreman mem REG 253,4 11160 104857816 /opt/rh/rh-ruby25/root/usr/lib64/ruby/io/nonblock.so
ruby 8119 foreman mem REG 253,4 15752 84294140 /opt/rh/rh-ruby25/root/usr/lib64/ruby/digest.so
ruby 8119 foreman mem REG 253,4 402384 298067 /usr/lib64/libpcre.so.1.2.0
ruby 8119 foreman mem REG 253,4 155752 87576 /usr/lib64/libselinux.so.1
ruby 8119 foreman mem REG 253,4 109976 87561 /usr/lib64/libresolv-2.17.so
ruby 8119 foreman mem REG 253,4 15688 105943 /usr/lib64/libkeyutils.so.1.5
ruby 8119 foreman mem REG 253,4 67104 396327 /usr/lib64/libkrb5support.so.0.1
ruby 8119 foreman mem REG 253,4 90248 298079 /usr/lib64/libz.so.1.2.7
ruby 8119 foreman mem REG 253,4 210784 367420 /usr/lib64/libk5crypto.so.3.1
ruby 8119 foreman mem REG 253,4 15856 87596 /usr/lib64/libcom_err.so.2.1
ruby 8119 foreman mem REG 253,4 967776 396325 /usr/lib64/libkrb5.so.3.3
ruby 8119 foreman mem REG 253,4 320720 367416 /usr/lib64/libgssapi_krb5.so.2.2
ruby 8119 foreman mem REG 253,4 2521008 367397 /usr/lib64/libcrypto.so.1.0.2k
ruby 8119 foreman mem REG 253,4 470360 367399 /usr/lib64/libssl.so.1.0.2k
ruby 8119 foreman mem REG 253,4 365440 138412179 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/openssl-2.1.2/openssl.so
ruby 8119 foreman mem REG 253,4 24288 84294156 /opt/rh/rh-ruby25/root/usr/lib64/ruby/strscan.so
ruby 8119 foreman mem REG 253,4 131096 460257 /usr/lib64/libyaml-0.so.2.0.4
ruby 8119 foreman mem REG 253,4 32688 104857827 /opt/rh/rh-ruby25/root/usr/lib64/gems/ruby/psych-3.0.2/psych.so
ruby 8119 foreman mem REG 253,4 32608 84294148 /opt/rh/rh-ruby25/root/usr/lib64/ruby/pathname.so
ruby 8119 foreman mem REG 253,4 6816 84294143 /opt/rh/rh-ruby25/root/usr/lib64/ruby/fiber.so
ruby 8119 foreman mem REG 253,4 28232 84294141 /opt/rh/rh-ruby25/root/usr/lib64/ruby/etc.so
ruby 8119 foreman mem REG 253,4 15376 88080586 /opt/rh/rh-ruby25/root/usr/lib64/ruby/cgi/escape.so
ruby 8119 foreman mem REG 253,4 32816 84294155 /opt/rh/rh-ruby25/root/usr/lib64/ruby/stringio.so
ruby 8119 foreman mem REG 253,4 15112 100663449 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/trans/transdb.so
ruby 8119 foreman mem REG 253,4 11064 96469129 /opt/rh/rh-ruby25/root/usr/lib64/ruby/enc/encdb.so
ruby 8119 foreman mem REG 253,4 106176928 298055 /usr/lib/locale/locale-archive
ruby 8119 foreman mem REG 253,4 11392 81932 /usr/lib64/libfreebl3.so
ruby 8119 foreman mem REG 253,4 2156240 297937 /usr/lib64/libc-2.17.so
ruby 8119 foreman mem REG 253,4 1136944 297940 /usr/lib64/libm-2.17.so
ruby 8119 foreman mem REG 253,4 40600 298060 /usr/lib64/libcrypt-2.17.so
ruby 8119 foreman mem REG 253,4 19248 298062 /usr/lib64/libdl-2.17.so
ruby 8119 foreman mem REG 253,4 142144 87559 /usr/lib64/libpthread-2.17.so
ruby 8119 foreman mem REG 253,4 2901808 188743821 /opt/rh/rh-ruby25/root/usr/lib64/libruby.so.2.5.5
ruby 8119 foreman mem REG 253,4 163312 297929 /usr/lib64/ld-2.17.so
ruby 8119 foreman mem REG 253,4 26970 12586471 /usr/lib64/gconv/gconv-modules.cache
ruby 8119 foreman 0r CHR 1,3 0t0 1028 /dev/null
ruby 8119 foreman 1u unix 0xffff958a5840c000 0t0 179018 socket
ruby 8119 foreman 2u unix 0xffff958a5840c000 0t0 179018 socket
ruby 8119 foreman 3u IPv4 15118 0t0 TCP sat68.nat.lan:hbci (LISTEN)
ruby 8119 foreman 4r FIFO 0,9 0t0 187805 pipe
ruby 8119 foreman 5w FIFO 0,9 0t0 187805 pipe
ruby 8119 foreman 6r FIFO 0,9 0t0 187806 pipe
ruby 8119 foreman 7w FIFO 0,9 0t0 187806 pipe
ruby 8119 foreman 8r CHR 1,3 0t0 1028 /dev/null
ruby 8119 foreman 9w CHR 1,3 0t0 1028 /dev/null
ruby 8119 foreman 10r CHR 1,9 0t0 1033 /dev/urandom
ruby 8119 foreman 11w REG 253,4 2716989 244930302 /var/log/foreman/production.log
ruby 8119 foreman 12u CHR 1,3 0t0 1028 /dev/null
ruby 8119 foreman 13u unix 0xffff958a5c1e5dc0 0t0 187817 socket
ruby 8119 foreman 14w FIFO 0,9 0t0 187803 pipe
ruby 8119 foreman 15r FIFO 0,9 0t0 187804 pipe
ruby 8119 foreman 16r DIR 253,4 4096 88107488 /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.4.4/lib/dynflow/persistence_adapters/sequel_migrations
ruby 8119 foreman 17r DIR 253,4 4096 88107488 /opt/theforeman/tfm/root/usr/share/gems/gems/dynflow-1.4.4/lib/dynflow/persistence_adapters/sequel_migrations
ruby 8119 foreman 18u unix 0xffff958a5c1e7300 0t0 187828 socket
ruby 8119 foreman 19u unix 0xffff958a5c1e7b80 0t0 187835 socket
ruby 8119 foreman 20r FIFO 0,9 0t0 179116 pipe
ruby 8119 foreman 21w FIFO 0,9 0t0 179116 pipe
ruby 8119 foreman 22u a_inode 0,10 0 6397 [eventpoll]
ruby 8119 foreman 23r FIFO 0,9 0t0 179117 pipe
ruby 8119 foreman 24w FIFO 0,9 0t0 179117 pipe
ruby 8119 foreman 25r FIFO 0,9 0t0 187850 pipe
ruby 8119 foreman 26w FIFO 0,9 0t0 187850 pipe
ruby 8119 foreman 29u unix 0xffff958a5840d540 0t0 179120 socket
ruby 8119 foreman 31r REG 0,20 0 28474 /run/foreman/katello_event_daemon.lock
ruby 8119 foreman 32r REG 0,20 0 28474 /run/foreman/katello_event_daemon.lock
ruby 8119 foreman 33u IPv4 179133 0t0 TCP sat68.nat.lan:50848->sat68.nat.lan:61613 (ESTABLISHED)
ruby 8119 foreman 34r REG 0,20 0 28474 /run/foreman/katello_event_daemon.lock
Questions:
I also noticed several unnamed sockets (e.g. 0xffff958a5840c000), can you confirm this is some IPC implemented in the architecture?
Can you give me more details about the IPC more generally? Maybe some documentation links?
Chances are there is some gem we have in the app which is creating those sockets, I just want to warn in advance.
Thanks
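The comparison done in this post (which descriptors a worker shares with the master and which it opened on its own) can be automated. The following is an added example, not code from the issue or from Puma: it parses `lsof -p PID` descriptor rows, classifies each descriptor, and treats a matching type/device/node in parent and child as an inherited object. The sample rows are trimmed copies of the listings above.

```ruby
require 'set'

# One numeric-descriptor row of `lsof -p PID`; rows such as cwd/rtd/txt/mem and
# the header line do not match and are skipped.
LSOF_ROW = /\A(?<cmd>\S+)\s+(?<pid>\d+)\s+(?<user>\S+)\s+(?<fd>\d+)(?<mode>[rwu]?)\S*\s+(?<type>\S+)\s+(?<device>\S+)\s+(?<size>\S+)\s+(?<node>\S+)\s+(?<name>.+)\z/

# Descriptor types that carry IPC or network traffic and can be inherited.
IPC_TYPES = %w[IPv4 IPv6 unix FIFO a_inode].freeze

def classify(row)
  case row[:type]
  when 'IPv4', 'IPv6'
    state = row[:name][/\((\w+)\)\z/, 1] || 'open'   # LISTEN, ESTABLISHED, ...
    "#{row[:node]}_#{state}".downcase.to_sym          # NODE column holds TCP/UDP
  when 'unix'    then :unix_socket
  when 'FIFO'    then :pipe
  when 'a_inode' then row[:name].delete('[]').to_sym  # :eventpoll, :eventfd
  when 'CHR'     then :chardev
  when 'REG'     then :file
  when 'DIR'     then :dir
  else :other
  end
end

def parse_lsof_row(line)
  m = LSOF_ROW.match(line.strip)
  return nil unless m
  row = { fd: m[:fd].to_i, mode: m[:mode], type: m[:type], device: m[:device],
          node: m[:node], name: m[:name].strip }
  row.merge(kind: classify(row))
end

def parse_lsof(text)
  text.each_line.map { |l| parse_lsof_row(l) }.compact
end

# Counts descriptors per kind, e.g. { tcp_listen: 1, pipe: 4, ... }.
def summarize(rows)
  rows.each_with_object(Hash.new(0)) { |r, h| h[r[:kind]] += 1 }
end

# Local/remote endpoints of every IPv4/IPv6 descriptor.
def network_endpoints(rows)
  rows.select { |r| %w[IPv4 IPv6].include?(r[:type]) }.map do |r|
    local, remote = r[:name].sub(/\s*\(\w+\)\z/, '').split('->', 2)
    { proto: r[:node], state: r[:name][/\((\w+)\)\z/, 1], local: local, remote: remote }
  end
end

# Same type + device + node in parent and child means the child inherited the
# object (pipe, listener, unix socket); anything else the child opened itself.
def ipc_key(row)
  [row[:type], row[:device], row[:node]]
end

def shared_and_private(parent_rows, child_rows)
  parent_keys = parent_rows.select { |r| IPC_TYPES.include?(r[:type]) }
                           .map { |r| ipc_key(r) }.to_set
  child_ipc = child_rows.select { |r| IPC_TYPES.include?(r[:type]) }
  shared, priv = child_ipc.partition { |r| parent_keys.include?(ipc_key(r)) }
  { shared: shared, private: priv }
end

# Constructed sample: trimmed copies of the master (8074) and worker (8119) rows.
MASTER_LSOF = <<~LSOF
  COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
  ruby 8074 foreman mem REG 253,4 2156240 297937 /usr/lib64/libc-2.17.so
  ruby 8074 foreman 1u unix 0xffff958a5840c000 0t0 179018 socket
  ruby 8074 foreman 3u IPv4 15118 0t0 TCP sat68.nat.lan:hbci (LISTEN)
  ruby 8074 foreman 4r FIFO 0,9 0t0 179087 pipe
  ruby 8074 foreman 5w FIFO 0,9 0t0 179087 pipe
  ruby 8074 foreman 11w REG 253,4 2716989 244930302 /var/log/foreman/production.log
  ruby 8074 foreman 13r FIFO 0,9 0t0 187803 pipe
  ruby 8074 foreman 14w FIFO 0,9 0t0 187803 pipe
LSOF
WORKER_LSOF = <<~LSOF
  ruby 8119 foreman 1u unix 0xffff958a5840c000 0t0 179018 socket
  ruby 8119 foreman 3u IPv4 15118 0t0 TCP sat68.nat.lan:hbci (LISTEN)
  ruby 8119 foreman 13u unix 0xffff958a5c1e5dc0 0t0 187817 socket
  ruby 8119 foreman 14w FIFO 0,9 0t0 187803 pipe
  ruby 8119 foreman 22u a_inode 0,10 0 6397 [eventpoll]
  ruby 8119 foreman 33u IPv4 179133 0t0 TCP sat68.nat.lan:50848->sat68.nat.lan:61613 (ESTABLISHED)
LSOF
```

With these rows `shared_and_private(parse_lsof(MASTER_LSOF), parse_lsof(WORKER_LSOF))` reports worker fds 1, 3 and 14 as inherited and fds 13, 22 and 33 (the extra unix socket, the epoll instance and the outbound TCP connection) as opened by the worker itself, which is exactly the set that needs a policy rule or an explanation.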
Chances are there is some gem we have in the app which is creating those sockets
Can you find out? Try the same as above but just with vanilla Puma/Rails?
Can you give me more details about the IPC more generally? Maybe some documentation links?
There's definitely a lot of IPC going on in Puma. Check out Puma::Util.pipe or just search the code for pipe.
The other sockets are probably related to your app code, unless you can repro with Puma and a hello-world Rack app (see test/rackup folder for example).
Thanks for confirmation, that's what I need to investigate now. I can confirm that only pipes are being created for IPC for a simple app.
bundle 23338 lzap 0u CHR 136,2 0t0 5 /dev/pts/2
bundle 23338 lzap 1u CHR 136,2 0t0 5 /dev/pts/2
bundle 23338 lzap 2u CHR 136,2 0t0 5 /dev/pts/2
bundle 23338 lzap 3u a_inode 0,13 0 16676 [eventfd]
bundle 23338 lzap 4u a_inode 0,13 0 16676 [eventfd]
bundle 23338 lzap 5r FIFO 0,12 0t0 115644 pipe
bundle 23338 lzap 6w FIFO 0,12 0t0 115644 pipe
bundle 23338 lzap 7u IPv4 117543 0t0 TCP *:8000 (LISTEN)
bundle 23338 lzap 8r FIFO 0,12 0t0 115645 pipe
bundle 23338 lzap 9w FIFO 0,12 0t0 117544 pipe
bundle 23338 lzap 10r FIFO 0,12 0t0 117545 pipe
bundle 23338 lzap 11w FIFO 0,12 0t0 115645 pipe
bundle 23338 lzap 12u a_inode 0,13 0 16676 [eventpoll]
bundle 23338 lzap 13r FIFO 0,12 0t0 115646 pipe
bundle 23338 lzap 14w FIFO 0,12 0t0 115646 pipe
For the record, I hadn't realized we had already upgraded our unit to socket activation. Actually it was Puma! :-)
# Excerpt from Puma's socket binder, as quoted above: it picks up sockets that
# were inherited either from a previous Puma (PUMA_INHERIT_n) or from systemd
# socket activation (LISTEN_FDS/LISTEN_PID, descriptors start at fd 3).
ENV.each do |k,v|
  if k =~ /PUMA_INHERIT_\d+/
    fd, url = v.split(":", 2)
    @inherited_fds[url] = fd.to_i
    remove << k
  elsif k == 'LISTEN_FDS' && ENV['LISTEN_PID'].to_i == $$
    # Only honour the descriptors if systemd addressed them to this pid.
    v.to_i.times do |num|
      fd = num + 3
      sock = TCPServer.for_fd(fd)
      begin
        key = [ :unix, Socket.unpack_sockaddr_un(sock.getsockname) ]
      rescue ArgumentError
        # Not an AF_UNIX address: decode as IPv4/IPv6 and bracket IPv6 literals.
        port, addr = Socket.unpack_sockaddr_in(sock.getsockname)
        if addr =~ /\:/
          addr = "[#{addr}]"
        end
        key = [ :tcp, addr, port ]
      end
      @activated_sockets[key] = sock
      @events.debug "Registered #{key.join ':'} for activation from LISTEN_FDS"
    end
    remove << k << 'LISTEN_PID'
  end
end
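The LISTEN_FDS/LISTEN_PID handshake above can be exercised without systemd. The following is an added example, not Puma's code: `activated_sockets` reimplements the handoff as a stand-alone function, with `fd_lookup` (an assumption of this example) standing in for `TCPServer.for_fd`, and `demo` builds a constructed environment with one TCP and one UNIX listener playing the roles of fds 3 and 4. It also shows why the LISTEN_PID guard matters: descriptors addressed to another pid are ignored.

```ruby
require 'socket'
require 'tmpdir'
require 'fileutils'

SD_LISTEN_FDS_START = 3  # first inherited descriptor in the sd_listen_fds protocol

# Returns { key => socket } for the sockets systemd handed to *this* process.
# The LISTEN_PID check refuses descriptors addressed to another pid, so a
# process that merely inherited the environment does not claim them.
def activated_sockets(env, own_pid, fd_lookup)
  return {} unless env['LISTEN_PID'].to_i == own_pid
  env['LISTEN_FDS'].to_i.times.each_with_object({}) do |num, acc|
    sock = fd_lookup.call(SD_LISTEN_FDS_START + num)  # assumed stand-in for TCPServer.for_fd
    acc[socket_key(sock)] = sock
  end
end

# Same key shape as Puma: [:unix, path] or [:tcp, addr, port].
# unpack_sockaddr_un raises ArgumentError for a non-AF_UNIX address.
def socket_key(sock)
  [:unix, Socket.unpack_sockaddr_un(sock.getsockname)]
rescue ArgumentError
  port, addr = Socket.unpack_sockaddr_in(sock.getsockname)
  addr = "[#{addr}]" if addr.include?(':')  # bracket IPv6 literals
  [:tcp, addr, port]
end

# Constructed scenario: two real listeners created in-process stand in for the
# descriptors systemd would pass. Returns [registered keys, tcp port, unix path].
def demo(pid_in_env)
  dir   = Dir.mktmpdir
  path  = File.join(dir, 'puma.sock')
  tcp   = TCPServer.new('127.0.0.1', 0)    # port 0: kernel picks a free port
  unix  = UNIXServer.new(path)
  env   = { 'LISTEN_FDS' => '2', 'LISTEN_PID' => pid_in_env.to_s }
  table = { 3 => tcp, 4 => unix }
  found = activated_sockets(env, Process.pid, ->(fd) { table.fetch(fd) })
  [found.keys, tcp.addr[1], path]
ensure
  tcp&.close
  unix&.close
  FileUtils.remove_entry(dir) if dir
end

if __FILE__ == $PROGRAM_NAME
  keys, = demo(Process.pid)
  puts "registered for activation: #{keys.inspect}"
  wrong, = demo(Process.pid + 1)
  puts "with LISTEN_PID of another process: #{wrong.inspect}"
end
```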