Is BIRD on BSD a second class citizen?
Hello,

(reminder: please keep me in CC, the mailing list issue is still unsolved)

so far we get the impression that BIRD on BSD appears to be somewhat less supported when compared to Linux based systems. The two main points being so far:
- security: no privilege dropping on BSD
- performance issue when syncing with kernel routing table?

Are there more limitations of BIRD on BSD?
Do you actively recommend running BIRD on Linux (and against BSD)?

thanks,
Christoph
Hello,

On Thu, 3 Oct 21:07:00 2019, Christoph wrote:
- security: no privilege dropping on BSD

regis ~ # ps aux | grep bird
root     31131  4.2  3.6 607704 602720 ?     Ss   Apr05 10956:29 /usr/sbin/bird -s /run/bird.ctl -c /etc/bird.conf -P /run/bird.pid
root     31209  0.0  0.0   7572    800 pts/3 S+   23:33    0:00 grep --colour=auto bird
regis ~ # uname -a
Linux regis.swordarmor.fr 4.14.83-gentoo #2 SMP Sat Feb 2 16:50:41 CET 2019 x86_64 Intel(R) Xeon(R) CPU X3450 @ 2.67GHz GenuineIntel GNU/Linux
regis ~ #

If you mean running with another user than root, I don’t see it on Linux either.

--
Alarig
Hello!
On Thu, 3 Oct 21:07:00 2019, Christoph wrote:
- security: no privilege dropping on BSD

regis ~ # ps aux | grep bird
root     31131  4.2  3.6 607704 602720 ?     Ss   Apr05 10956:29 /usr/sbin/bird -s /run/bird.ctl -c /etc/bird.conf -P /run/bird.pid
root     31209  0.0  0.0   7572    800 pts/3 S+   23:33    0:00 grep --colour=auto bird
regis ~ # uname -a
Linux regis.swordarmor.fr 4.14.83-gentoo #2 SMP Sat Feb 2 16:50:41 CET 2019 x86_64 Intel(R) Xeon(R) CPU X3450 @ 2.67GHz GenuineIntel GNU/Linux
regis ~ #

If you mean running with another user than root, I don’t see it on Linux either.

There is a -u option when running bird:

  $ bird -s ... -c ... -P ... -u bird

It works on Linux and complains on BSD. If anybody were to fix it, you're welcome.

Maria
On Thu, Oct 03, 2019 at 11:39:16PM +0200, Alarig Le Lay wrote:
Hello,
On Thu, 3 Oct 21:07:00 2019, Christoph wrote:
- security: no privilege dropping on BSD

regis ~ # ps aux | grep bird
root     31131  4.2  3.6 607704 602720 ?     Ss   Apr05 10956:29 /usr/sbin/bird -s /run/bird.ctl -c /etc/bird.conf -P /run/bird.pid
root     31209  0.0  0.0   7572    800 pts/3 S+   23:33    0:00 grep --colour=auto bird
regis ~ # uname -a
Linux regis.swordarmor.fr 4.14.83-gentoo #2 SMP Sat Feb 2 16:50:41 CET 2019 x86_64 Intel(R) Xeon(R) CPU X3450 @ 2.67GHz GenuineIntel GNU/Linux
regis ~ #

If you mean running with another user than root, I don’t see it on Linux either.

Hello

You have to use -u / -g options. Debian packages do that automatically, I don't know about others.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
On Fri, 04 Oct 2019, Ondrej Zajicek wrote:
You have to use -u / -g options. Debian packages do that automatically, i don't know about others.
The RPM packages for RHEL/CentOS and Fedora shipped by bird.network.cz unfortunately don't do that (but the RPM packages shipped directly by Fedora and EPEL do that); treat this as enhancement suggestion for your RPM packages on bird.network.cz ;-) Regards, Robert
On Thu, 3 Oct 2019, Alarig Le Lay wrote:
If you mean running with another user than root, I don’t see it on Linux either.
This seems to be a "problem" of the distribution:

thorsten@obelix:~$ ps aux|grep bird
bird     27983  0.0  0.1  15424  2248 ?     Ss   22:07   0:00 /usr/sbin/bird -f -u bird -g bird
bird     28045  0.0  0.1  15492  2240 ?     Ss   22:07   0:00 /usr/sbin/bird6 -f -u bird -g bird
thorsten 29098  0.0  0.0  14908   932 pts/0 S+   22:10   0:00 grep bird
thorsten@obelix:~$ cat /etc/debian_version
9.11

Thorsten
Hello! TL;DR: we consider them equal wrt. bugs or feature requests
(reminder: please keep me in CC, the mailing list issue is still unsolved)
so far we get the impression that BIRD on BSD appears to be somewhat less supported when compared to Linux based systems.
Well, honestly, all the current developers are based on Linux and we also know more about Linux than about BSD, regarding the features and specifics. Anyway, we try to use as few Linux-specific things as possible. We also get much more feature requests for Linux-specific things than BSD-specific.
The two main points being so far:
- security: no privilege dropping on BSD
This is not so easy when BIRD has to keep its privilege to open sockets on port < 1024. There would be three different implementations for FreeBSD, NetBSD and OpenBSD. And if I google it correctly, OpenBSD still doesn't allow dropping root privileges but keeping the right to open privilege sockets. There has been simply no feature request for this on BSDs so far. If anybody comes with a working fix for this feature that has been there Linux-only since 2011, we'll happily merge it. It's even OK to create the patch without bothering with our system-choosing macros. We'll take care of these.
- performance issue when syncing with kernel routing table?
This is a feature of the BSD's route table dump. It will be solved after implementing parallel execution -- which is currently in heavy development. An optimistic estimation for resolving this is in July 2020 for now. If the method we are using for BSD route table dump is somehow broken, please let us know. We may just not know about better method and then it may be fixed earlier.
Are there more limitations of BIRD on BSD?
The only limitations are as you can see in the sysdep/ subdirectory. These are not documented; probably mostly for lack of time. If anybody documented these, patches to docs are especially welcome.
Do you actively recommend running BIRD on Linux (and against BSD)?
No, why? There is no reason for recommending this or other. There are users running BIRD on FreeBSD for years. We also run some partially automated run tests on FreeBSD, NetBSD and OpenBSD before releases. I even thought about replacing the poll mechanism in BIRD's IO loop by kqueue / epoll with different code for BSD and Linux. (And it still may happen in future.) Maria
On Fri, Oct 04, 2019 at 12:00:16AM +0200, Maria Matejka wrote:
The two main points being so far:
- security: no privilege dropping on BSD
This is not so easy when BIRD has to keep its privilege to open sockets on port < 1024. There would be three different implementations for FreeBSD, NetBSD and OpenBSD. And if I google it correctly, OpenBSD still doesn't allow dropping root privileges but keeping the right to open
It is not just ports, BIRD does plenty of privileged operations like using raw sockets and updating kernel routing tables. On Linux, we can just keep appropriate capabilities (like CAP_NET_ADMIN) while dropping to non-root user.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
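The Linux mechanism Ondrej describes (and the port < 1024 case Maria raises earlier in the thread), shown as an added example that is neither BIRD's own code nor part of this thread: switch from root to an unprivileged uid/gid while keeping only a short list of network capabilities. Of the four capabilities kept, only CAP_NET_ADMIN is named in the thread; the other three, the numeric uid/gid handling and the function names are this example's assumptions, and BIRD's real implementation in its sysdep/ tree is not reproduced here.

```c
/* Added example (not BIRD's code): drop root to an unprivileged uid/gid on
 * Linux while retaining only the network capabilities a routing daemon needs.
 * Build: gcc -Wall -o dropcaps dropcaps.c ; run as root: ./dropcaps 65534 65534
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <linux/capability.h>

/* Capabilities kept after the switch (assumed list for this example):
 * bind ports < 1024, raw sockets, broadcast, and kernel route/iface changes. */
static const int kept_caps[] = {
    CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_NET_BROADCAST, CAP_NET_ADMIN,
};
#define N_KEPT_CAPS (sizeof(kept_caps) / sizeof(kept_caps[0]))
#define MAX_CAP (32 * _LINUX_CAPABILITY_U32S_3)   /* a v3 set holds 64 bits */

/* Fill a v3 capability set (two 32-bit words) from a list of capability
 * numbers: each becomes effective and permitted, never inheritable, so a
 * child the daemon exec()s starts with nothing. Returns the number of caps
 * set, or -1 if a number lies outside the 64-bit set. */
int build_cap_set(const int *caps, size_t n,
                  struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3])
{
    memset(data, 0, sizeof(*data) * _LINUX_CAPABILITY_U32S_3);
    for (size_t i = 0; i < n; i++) {
        int c = caps[i];
        if (c < 0 || c >= MAX_CAP)
            return -1;
        unsigned mask = 1u << (c % 32);
        data[c / 32].effective |= mask;
        data[c / 32].permitted |= mask;
    }
    return (int)n;
}

/* The same set folded into one 64-bit value, in the layout /proc/PID/status
 * prints as CapEff (word 1 in the high half). Returns 0 for a bad list. */
unsigned long long effective_mask(const int *caps, size_t n)
{
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (build_cap_set(caps, n, data) < 0)
        return 0;
    return ((unsigned long long)data[1].effective << 32) | data[0].effective;
}

/* Switch from root to uid/gid, keeping exactly `caps`. Returns 0, or -1 with
 * errno set. Must be called while still uid 0. */
int drop_to_user(uid_t uid, gid_t gid, const int *caps, size_t n)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    if (build_cap_set(caps, n, data) < 0) {
        errno = EINVAL;
        return -1;
    }
    /* 1. Without this the kernel empties the permitted set on leaving uid 0. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    /* 2. gid before uid (changing gid needs CAP_SETGID, which goes away in
     *    step 3). For a root caller setgid()/setuid() change the real,
     *    effective and saved ids together, so there is no way back. A daemon
     *    started with supplementary groups should also call setgroups(). */
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* 3. Effective is now empty and permitted still full; capset() shrinks
     *    permitted to the list and raises only those bits as effective. */
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    /* 4. Back to the default: any later id change clears caps again. */
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage (as root): %s uid gid\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_to_user(uid, gid, kept_caps, N_KEPT_CAPS) < 0) {
        perror("drop_to_user");
        return 1;
    }
    /* `grep CapEff /proc/<pid>/status` on the running process shows 0x3c00 */
    printf("uid=%u gid=%u CapEff=%#llx\n", (unsigned)getuid(),
           (unsigned)getgid(), effective_mask(kept_caps, N_KEPT_CAPS));
    return 0;
}
```

To check a running daemon rather than this toy, read CapEff from /proc/<pid>/status and decode it with `capsh --decode=<hex>` from libcap; a BIRD started with -u/-g on a Debian system should show only network-related bits there, while the root-owned process in the ps output above holds the full set. This sequence is also the reason the thread gives for the BSD gap: without a capability set that survives setuid(), giving up uid 0 also gives up raw sockets and the routing socket.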
On Thu, Oct 03, 2019 at 09:07:00PM +0000, Christoph wrote:
Hello,
(reminder: please keep me in CC, the mailing list issue is still unsolved)
so far we get the impression that BIRD on BSD appears to be somewhat less supported when compared to Linux based systems.
Hello That is true. While we test basic OS-dependent functionality (socket abstraction, iface and kernel sync) and routing protocols also on Free/Net/Open BSDs, and all OS-independent features are available there, advanced OS-dependent features we actively develop for Linux (but we would accept patches for BSD).
The two main points being so far:
- security: no privilege dropping on BSD
- performance issue when syncing with kernel routing table?
Are there more limitations of BIRD on BSD?
No ECMP, no VRFs, no MPLS (although that is still not much usable with BIRD on Linux). No advanced kernel route attributes. Less safe kernel table sync. Generally worse socket API (no SO_BINDTOIFACE, no IP_PKTINFO / IP_SENDIF, missing SO_DONTROUTE on OpenBSD, no IPv6 TTL security). It is possible that some of these API issues are already fixed on some newer BSD versions in some flavors and we just did not notice that. Performance issue when syncing kernel table is also on Linux, although it is AFAIK worse on BSD and simpler to fix on Linux (where we receive routing table dump as data on a socket, while on BSD it is one big slow syscall).
Do you actively recommend running BIRD on Linux (and against BSD)?
If you have no other reason to run BSD or you need some advanced features, then I would recommend Linux. If you want some OS diversity and have some basic setup, then running it on BSD is OK.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
If you have no other reason to run BSD or you need some advanced features, then i would recommend Linux.
thanks for confirming. It would probably be valuable to add this to the documentation so others do not have to go through the same process as we did. thanks, Christoph
participants (6)
- Alarig Le Lay
- Christoph
- Maria Matejka
- Ondrej Zajicek
- Robert Scheck
- Thorsten Alteholz