@bjacquin bjacquin commented Dec 6, 2025

Short description

Abstract namespace is a Linux-specific feature to bind a UNIX domain
socket without the need for any filesystem access, which is particularly
interesting to allow a process running in a chroot or with limited
privileges to access the webserver socket over a UNIX domain socket.

The main difference from a regular UNIX domain socket is that the first
byte of sun_path is set to zero.

Abstract namespaces are defined by prefixing the value with abns@.

  $ cat pdns.conf
  ..
  webserver=yes
  [email protected]

  $ curl -sD - -o /dev/null --abstract-unix-socket pdns.http http://localhost/metrics
  *   Trying :0...
  * Established connection to localhost ( port 0) from  port 0
  * using HTTP/1.x
  > GET /metrics HTTP/1.1
  > Host: localhost
  > User-Agent: curl/8.16.0
  > Accept: */*
  >
  * Request completely sent off
  < HTTP/1.1 200 OK
  < Connection: close
  < Content-Length: 15040
  < Content-Type: text/plain; version=0.0.4
  <
  { [15040 bytes data]
  * shutting down connection #0

Checklist

I have:

  • read the CONTRIBUTING.md document
  • read and accepted the Developer Certificate of Origin document, including the AI Policy, and added a "Signed-off-by" to my commits
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

ret is first initialized to zero, and verification is performed to
ensure the path length is not greater than the size of sockaddr_un->sun_path,
thus we can reduce the amount of data copied to the actual size of the path.

Signed-off-by: Bertrand Jacquin <[email protected]>

Returning sizeof(struct sockaddr_un) from SockaddrWrapper binds the
socket to the full length of struct sockaddr_un

  bind(4, {sa_family=AF_UNIX, sun_path="/tmp/pdns.controlsocket"}, 110) = 0

This change now returns a size relative to the actual content of sun_path
as specified in unix(7).

  bind(4, {sa_family=AF_UNIX, sun_path="/tmp/pdns.controlsocket"}, 25) = 0

Signed-off-by: Bertrand Jacquin <[email protected]>

@bjacquin bjacquin force-pushed the dev/beber/abns branch 5 times, most recently from 55b3330 to 07d56d5 December 6, 2025 14:23

Abstract namespace is a Linux-specific feature to bind a UNIX domain
socket without the need for any filesystem access, which is particularly
interesting to allow a process running in a chroot or with limited
privileges to access the webserver socket over a UNIX domain socket.

The main difference from a regular UNIX domain socket is that the first
byte of sun_path is set to zero.

Abstract namespaces are defined by prefixing the value with `abns@`.

  $ cat pdns.conf
  ..
  webserver=yes
  [email protected]

  $ curl -sv --abstract-unix-socket pdns.http http://localhost/metrics
  *   Trying :0...
  * Established connection to localhost ( port 0) from  port 0
  * using HTTP/1.x
  > GET /metrics HTTP/1.1
  > Host: localhost
  > User-Agent: curl/8.16.0
  > Accept: */*
  >
  * Request completely sent off
  < HTTP/1.1 200 OK
  < Connection: close
  < Content-Length: 15033
  < Content-Type: text/plain; version=0.0.4
  <
  { [15033 bytes data]
  * shutting down connection #0

Signed-off-by: Bertrand Jacquin <[email protected]>
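
Added example (not code from this pull request or from PowerDNS): for an abstract socket every byte counted by the address length is part of the name, so a listener bound with sizeof(struct sockaddr_un) gets a name padded with NUL bytes, and a client that passes the exact name is refused. The helper names and the socket name `example.abns.demo` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Build the abstract address for `name`: sun_path[0] is '\0', the name follows
 * without a terminator. Returns the exact address length, or 0 if it cannot fit. */
socklen_t make_abstract_addr(struct sockaddr_un *sa, const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > sizeof(sa->sun_path) - 1)
        return 0;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path + 1, name, n);   /* copy only the bytes of the name */
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Bind a listener to `name`, either with the exact length or with
 * sizeof(struct sockaddr_un), then connect as a client that uses the exact
 * name. Returns 1 if connected, 0 if refused, -1 on setup failure. */
int client_reaches_listener(const char *name, int bind_full_struct)
{
    struct sockaddr_un sa;
    socklen_t exact = make_abstract_addr(&sa, name);
    socklen_t bind_len = bind_full_struct ? (socklen_t)sizeof(sa) : exact;
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    int cli = socket(AF_UNIX, SOCK_STREAM, 0);
    int ok = -1;
    if (exact != 0 && srv >= 0 && cli >= 0 &&
        bind(srv, (struct sockaddr *)&sa, bind_len) == 0 && listen(srv, 1) == 0)
        ok = connect(cli, (struct sockaddr *)&sa, exact) == 0;
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return ok;
}

int main(void)
{
    const char *name = "example.abns.demo";   /* constructed name */
    printf("exact length bind: client connected = %d\n", client_reaches_listener(name, 0));
    printf("sizeof() bind:     client connected = %d\n", client_reaches_listener(name, 1));
    return 0;
}
```
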
coveralls commented Dec 6, 2025

Pull Request Test Coverage Report for Build 19989803359

Details

  • 6 of 15 (40.0%) changed or added relevant lines in 4 files are covered.
  • 65 unchanged lines in 13 files lost coverage.
  • Overall coverage decreased (-0.02%) to 73.298%

Changes Missing Coverage    Covered Lines    Changed/Added Lines    %
pdns/misc.cc                4                5                      80.0%
pdns/iputils.hh             0                8                      0.0%

Files with Coverage Reduction               New Missed Lines    %
pdns/dnsdistdist/dnsdist-healthchecks.cc    2                   59.64%
pdns/recursordist/sortlist.cc               2                   72.94%
modules/gpgsqlbackend/spgsql.cc             3                   68.18%
pdns/iputils.cc                             3                   59.73%
pdns/misc.hh                                3                   85.03%
pdns/opensslsigners.cc                      3                   61.34%
pdns/recursordist/test-syncres_cc2.cc       3                   89.12%
pdns/dnsdistdist/dnsdist-tcp.cc             4                   77.4%
pdns/signingpipe.cc                         5                   85.52%
pdns/recursordist/syncres.cc                6                   80.99%

Totals
Change from base Build 19969176468: -0.02%
Covered Lines: 128701
Relevant Lines: 164812

💛 - Coveralls

bjacquin commented Dec 6, 2025

I see that spell check is failing for this PR. I have tried a number of alternatives to ignore abns, but I'm not able to find exactly what is wrong here. Could you please guide me?
