From 8697fcad57c580134233480f48c63b2620ce85cf Mon Sep 17 00:00:00 2001
From: Philip O'Toole
Date: Sat, 6 Aug 2022 09:53:34 -0400
Subject: [PATCH 1/3] Terminate if any advertised address is unroutable
---
 cmd/rqlited/flags.go | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/cmd/rqlited/flags.go b/cmd/rqlited/flags.go
index 8eb1990b..f4ef7312 100644
--- a/cmd/rqlited/flags.go
+++ b/cmd/rqlited/flags.go
@@ -20,6 +20,11 @@ const (
 DiscoModeEtcdKV = "etcd-kv"
 DiscoModeDNS = "dns"
 DiscoModeDNSSRV = "dns-srv"
+
+ HTTPAddrFlag = "http-addr"
+ HTTPAdvAddrFlag = "http-adv-addr"
+ RaftAddrFlag = "raft-addr"
+ RaftAdvAddrFlag = "raft-adv-addr"
 )
 // Config represents the configuration as set by command-line flags.
@@ -223,15 +228,28 @@ func (c *Config) Validate() error {
 if _, _, err := net.SplitHostPort(c.HTTPAddr); err != nil {
 return errors.New("HTTP bind address not valid")
 }
- if _, _, err := net.SplitHostPort(c.HTTPAdv); err != nil {
- return errors.New("HTTP advertised address not valid")
+
+ hadv, _, err := net.SplitHostPort(c.HTTPAdv)
+ if err != nil {
+ return errors.New("HTTP advertised HTTP address not valid")
+ }
+ if addr := net.ParseIP(hadv); addr != nil && addr.IsUnspecified() {
+ return fmt.Errorf("advertised HTTP address is not routable, specify it via -%s or -%s",
+ HTTPAddrFlag, HTTPAdvAddrFlag)
 }
+
 if _, _, err := net.SplitHostPort(c.RaftAddr); err != nil {
 return errors.New("raft bind address not valid")
 }
- if _, _, err := net.SplitHostPort(c.RaftAdv); err != nil {
+
+ radv, _, err := net.SplitHostPort(c.RaftAdv)
+ if err != nil {
 return errors.New("raft advertised address not valid")
 }
+ if addr := net.ParseIP(radv); addr != nil && addr.IsUnspecified() {
+ return fmt.Errorf("advertised Raft address is not routable, specify it via -%s or -%s",
+ RaftAddrFlag, RaftAdvAddrFlag)
+ }
 // Enforce bootstrapping policies
 if c.BootstrapExpect > 0 && c.RaftNonVoter {
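Review bot: The new unspecified-address check in Validate() is skipped when the advertised host is empty: `net.SplitHostPort(":4001")` succeeds with host `""` and `net.ParseIP("")` returns nil, so an advertised address such as `:4001` would still pass even though peers and clients cannot route to it. If an empty host can reach this point (how HTTPAdv/RaftAdv are defaulted from the bind address is not visible in this hunk), consider `if addr := net.ParseIP(hadv); hadv == "" || (addr != nil && addr.IsUnspecified()) {` and the same condition for `radv`. The added message `"HTTP advertised HTTP address not valid"` also repeats "HTTP"; the previous wording `"HTTP advertised address not valid"` reads better. Validate()'s body starts and ends outside the hunk.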
@@ -327,8 +345,8 @@ func ParseFlags(name, desc string, build *BuildInfo) (*Config, error) {
 showVersion := false
 flag.StringVar(&config.NodeID, "node-id", "", "Unique name for node. If not set, set to advertised Raft address")
- flag.StringVar(&config.HTTPAddr, "http-addr", "localhost:4001", "HTTP server bind address. To enable HTTPS, set X.509 cert and key")
- flag.StringVar(&config.HTTPAdv, "http-adv-addr", "", "Advertised HTTP address. If not set, same as HTTP server bind")
+ flag.StringVar(&config.HTTPAddr, HTTPAddrFlag, "localhost:4001", "HTTP server bind address. To enable HTTPS, set X.509 cert and key")
+ flag.StringVar(&config.HTTPAdv, HTTPAdvAddrFlag, "", "Advertised HTTP address. If not set, same as HTTP server bind")
 flag.BoolVar(&config.TLS1011, "tls1011", false, "Support deprecated TLS versions 1.0 and 1.1")
 flag.StringVar(&config.X509CACert, "http-ca-cert", "", "Path to root X.509 certificate for HTTP endpoint")
 flag.StringVar(&config.X509Cert, "http-cert", "", "Path to X.509 certificate for HTTP endpoint")
@@ -340,8 +358,8 @@ func ParseFlags(name, desc string, build *BuildInfo) (*Config, error) {
 flag.StringVar(&config.NodeX509Key, "node-key", "key.pem", "Path to X.509 private key for node-to-node encryption")
 flag.BoolVar(&config.NoNodeVerify, "node-no-verify", false, "Skip verification of a remote node cert")
 flag.StringVar(&config.AuthFile, "auth", "", "Path to authentication and authorization file. If not set, not enabled")
- flag.StringVar(&config.RaftAddr, "raft-addr", "localhost:4002", "Raft communication bind address")
- flag.StringVar(&config.RaftAdv, "raft-adv-addr", "", "Advertised Raft communication address. If not set, same as Raft bind")
+ flag.StringVar(&config.RaftAddr, RaftAddrFlag, "localhost:4002", "Raft communication bind address")
+ flag.StringVar(&config.RaftAdv, RaftAdvAddrFlag, "", "Advertised Raft communication address. If not set, same as Raft bind")
 flag.StringVar(&config.JoinSrcIP, "join-source-ip", "", "Set source IP address during Join request")
 flag.StringVar(&config.JoinAddr, "join", "", "Comma-delimited list of nodes, through which a cluster can be joined (proto://host:port)")
 flag.StringVar(&config.JoinAs, "join-as", "", "Username in authentication file to join as. If not set, joins anonymously")
From 1ca5ce2cd0c0dcc94b8e940c9d8833c6f932deae Mon Sep 17 00:00:00 2001
From: Philip O'Toole
Date: Sat, 6 Aug 2022 09:56:41 -0400
Subject: [PATCH 2/3] Better error message
---
 cmd/rqlited/flags.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/rqlited/flags.go b/cmd/rqlited/flags.go
index f4ef7312..a40f4c2e 100644
--- a/cmd/rqlited/flags.go
+++ b/cmd/rqlited/flags.go
@@ -234,8 +234,8 @@ func (c *Config) Validate() error {
 return errors.New("HTTP advertised HTTP address not valid")
 }
 if addr := net.ParseIP(hadv); addr != nil && addr.IsUnspecified() {
- return fmt.Errorf("advertised HTTP address is not routable, specify it via -%s or -%s",
- HTTPAddrFlag, HTTPAdvAddrFlag)
+ return fmt.Errorf("advertised HTTP address is not routable (%s), specify it via -%s or -%s",
+ hadv, HTTPAddrFlag, HTTPAdvAddrFlag)
 }
 if _, _, err := net.SplitHostPort(c.RaftAddr); err != nil {
@@ -247,8 +247,8 @@ func (c *Config) Validate() error {
 return errors.New("raft advertised address not valid")
 }
 if addr := net.ParseIP(radv); addr != nil && addr.IsUnspecified() {
- return fmt.Errorf("advertised Raft address is not routable, specify it via -%s or -%s",
- RaftAddrFlag, RaftAdvAddrFlag)
+ return fmt.Errorf("advertised Raft address is not routable (%s), specify it via -%s or -%s",
+ radv, RaftAddrFlag, RaftAdvAddrFlag)
 }
 // Enforce bootstrapping policies
From 9c38903bb445f3fffe498cc13931eab65de11657 Mon Sep 17 00:00:00 2001
From: Philip O'Toole
Date: Sat, 6 Aug 2022 09:59:08 -0400
Subject: [PATCH 3/3] CHANGELOG
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f6d7951d..795502a9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 7.6.1 (unreleased)
+
+### Implementation changes and bug fixes
+- [PR #1058](https://github.com/rqlite/rqlite/pull/1058): `rqlited` terminates if passed unroutable advertised Raft or HTTP addresses.
+
 ## 7.6.0 (July 19th 2022)
 ### New features
 - [PR #1055](https://github.com/rqlite/rqlite/pull/1055): Add new `join-read-only` permission.