Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-72-1006045.1
Update Date:2011-06-06
Keywords:

Solution Type: Problem Resolution Sure

Solution 1006045.1: Sun Fire[TM] 12K/15K/E20K/E25K: Incomplete removal of dynamic reconfiguration (DR) capability may lead to network hangs


Related Items
  • Sun Fire E25K Server
  • Sun Fire E20K Server
  • Sun Fire 12K Server
  • Sun Fire 15K Server
Related Categories
  • GCS>Sun Microsystems>Servers>High-End Servers

Previously Published As 208431


Applies to:

Sun Fire 12K Server
Sun Fire 15K Server
Sun Fire E20K Server
Sun Fire E25K Server
All Platforms

Symptoms

There are potential problems when removing the 'sun-dr' entries from /etc/inet/inetd.conf. These removals are usually the result of hardening (securing) a system or of deploying a "general" /etc/inet/inetd.conf file. The goal of such modifications is to remove or disable unused or unwanted services from inetd.

Cause

Special care needs to be taken when removing the 'sun-dr' entries from /etc/inet/inetd.conf.

The sun-dr entries in /etc/inet/inetd.conf are:

sun-dr stream     tcp   wait root     /usr/lib/dcs dcs
sun-dr stream   tcp6   wait root     /usr/lib/dcs dcs

They make inetd listen on port 665 for remote dynamic reconfiguration requests; inetd starts the dcs daemon on demand.

The dcs(1M) daemon handles remote requests from the system controller to allow dynamic reconfiguration on a domain. These sun-dr entries are added when installing the package SUNWdcsr. SUNWdcsr is part of the "Entire Distribution" installation on Sun Fire 15K.

From the dcs(1M) manpage:

[...]
server using the TCP transport. The entries for the DCS in the /etc/inet/inetd.conf file are as follows:
sun-dr stream tcp wait root /usr/lib/dcs dcs
sun-dr stream tcp6 wait root /usr/lib/dcs dcs
These entries enable remote DR operations. Removing them does not negatively impact the server; however, all DR operations initiated from a remote host would fail.
[...]


However, removing these entries has some consequences. The man page of dcs(1M) does not include a pointer to the related package SUNWsckmr, which includes the Sun Fire 15K key management daemon sckmd(1M). The SUNWsckmr package is also part of the "Entire Distribution" installation and provides IPsec support for the cvcd(1M) and dcs(1M) services.

From the sckmd(1M) manpage:

[...]
Package SUNWsckmr configures default system-wide policies for cvcd(1M) and dcs(1M) by adding the following entries in /etc/inet/ipsecinit.conf:
{ dport sun-dr ulp tcp } permit { auth_alg md5 }
{ sport sun-dr ulp tcp } apply { auth_alg md5 sa unique }
{ dport cvc_hostd ulp tcp } permit { auth_alg md5 }
{ sport cvc_hostd ulp tcp } apply { auth_alg md5 sa unique }
[...]


Removal of the dcs(1M) service from inetd.conf therefore also requires removal of the corresponding entries from the IPsec configuration. Otherwise port 665 may later be used by another service, and the IPsec policy for that port will still be enforced on its traffic, which is then blocked.

If the IPsec configuration is not updated after the dcs service has been removed, the result can be arbitrary network problems or hangs.

Solution

To disable dynamic reconfiguration the following steps are necessary:
  1. Comment out or remove the 'sun-dr' entries in /etc/inet/inetd.conf:

     sun-dr stream tcp  wait root /usr/lib/dcs dcs
     sun-dr stream tcp6 wait root /usr/lib/dcs dcs

  2. Signal inetd to reread the configuration file:

     # kill -HUP <pid>

     where <pid> is the process ID of inetd.

  3. Comment out or remove the 'sun-dr' entries in /etc/inet/ipsecinit.conf:

     { dport sun-dr ulp tcp } permit { auth_algs md5 }
     { sport sun-dr ulp tcp } apply { auth_algs md5 sa unique }

  4. Remove the active IPsec policy from the running system:

     Use the command ipsecconf(1M) to get the index numbers, e.g.:

     # ipsecconf
     #INDEX 1
     { dport sun-dr ulp tcp } permit { auth_algs md5 }
     #INDEX 2
     { sport sun-dr ulp tcp } apply { auth_algs md5 sa unique }
     #INDEX 3
     { dport cvc_hostd ulp tcp } permit { auth_algs md5 }
     #INDEX 4
     { sport cvc_hostd ulp tcp } apply { auth_algs md5 sa unique }

     Then use ipsecconf(1M) to delete the policy entries regarding sun-dr, e.g.:

     # ipsecconf -d 1
     # ipsecconf -d 2

  5. If network traffic has already become stuck in IPsec, the system must be rebooted.
    
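The following shell script is an added example and is not part of the Sun article or of any Sun package. It audits the condition described in the Cause and Solution sections above: the 'sun-dr' service removed from inetd.conf while IPsec policy for that port is still configured (in ipsecinit.conf) or still active (in the kernel, as listed by ipsecconf). The file paths are parameters so the check can be run against copies; the ipsecconf listing is read on stdin in the "#INDEX n" / policy-line format shown in step 4; all sample files and listings in run_demo are constructed for the demonstration, not taken from a real domain.

```shell
#!/bin/sh
# Added example (not from the Sun article): detect an incomplete removal of
# the sun-dr service, i.e. inetd no longer offers it but IPsec policy for
# port sun-dr (665) is still configured or still loaded.
#
# Assumptions: config file paths are passed in; "ipsecconf" output is read
# on stdin in the "#INDEX n" followed by policy line format from the article.

# Succeed (exit 0) if the file contains an uncommented line naming sun-dr.
has_active_sundr() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -q 'sun-dr'
}

# Compare inetd.conf and ipsecinit.conf and print one classification:
#   CONSISTENT-ENABLED   sun-dr in both files (DR usable, policy in place)
#   CONSISTENT-DISABLED  sun-dr in neither file (clean removal)
#   INCOMPLETE-REMOVAL   inetd entry gone, IPsec policy still names sun-dr
#   POLICY-MISSING       inetd entry present, no IPsec policy for it
check_sundr_removal() {
    if has_active_sundr "$1"; then inetd_on=1; else inetd_on=0; fi
    if has_active_sundr "$2"; then ipsec_on=1; else ipsec_on=0; fi
    case "${inetd_on}${ipsec_on}" in
        11) echo CONSISTENT-ENABLED ;;
        00) echo CONSISTENT-DISABLED ;;
        01) echo INCOMPLETE-REMOVAL ;;
        10) echo POLICY-MISSING ;;
    esac
}

# Read an ipsecconf-style listing on stdin and print the index numbers of
# the loaded policy entries that mention sun-dr, one per line, so the
# operator knows exactly which indexes step 4 ("ipsecconf -d N") refers to.
sundr_policy_indexes() {
    awk '/^#INDEX/ { idx = $2; next } /sun-dr/ { print idx }'
}

# Stand-alone demonstration on constructed sample data: sun-dr has been
# commented out of inetd.conf but is still present in ipsecinit.conf and in
# the loaded policy, which is the failure mode the article warns about.
run_demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd' \
        '#sun-dr stream tcp  wait root /usr/lib/dcs dcs' \
        '#sun-dr stream tcp6 wait root /usr/lib/dcs dcs' > "$dir/inetd.conf"
    printf '%s\n' \
        '{ dport sun-dr ulp tcp } permit { auth_algs md5 }' \
        '{ sport sun-dr ulp tcp } apply { auth_algs md5 sa unique }' \
        '{ dport cvc_hostd ulp tcp } permit { auth_algs md5 }' > "$dir/ipsecinit.conf"
    echo "state: $(check_sundr_removal "$dir/inetd.conf" "$dir/ipsecinit.conf")"
    # Constructed listing in the shape the article shows for "ipsecconf".
    printf '%s\n' \
        '#INDEX 1' '{ dport sun-dr ulp tcp } permit { auth_algs md5 }' \
        '#INDEX 2' '{ sport sun-dr ulp tcp } apply { auth_algs md5 sa unique }' \
        '#INDEX 3' '{ dport cvc_hostd ulp tcp } permit { auth_algs md5 }' |
        sundr_policy_indexes | sed 's/^/delete policy index: /'
    rm -rf "$dir"
}

run_demo
```

On a real domain the listing would come from `ipsecconf | sundr_policy_indexes`, and the cvc_hostd entries are deliberately left alone because only the sun-dr policy becomes orphaned when dcs is removed.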

Removal of the packages SUNWsckmr and SUNWdcsr is another option.



Product
Sun Fire 15K Server
Sun Fire 12K Server
Sun Fire E25K Server
Sun Fire E20K Server

Internal Section

Incomplete removal of the sun-dr service may lead to arbitrary hangs in other network services (e.g., NFS or NIS hangs). Analysing the network with snoop will only show that no outgoing traffic from the affected ports is seen and that incoming traffic to these ports is not delivered to the corresponding service.

See bug 4288028 for details on such hangs.

The dynamic reconfiguration documentation has been changed in document 816-7723-10 to address this issue (see footnote on page 6).

Keywords: sun-dr, sundr, dcs, 665, 209799, nfs, hang

Previously Published As 47741

Product_uuid
29e4659c-0a18-11d6-9fa1-e67bbc033df8|Sun Fire 15K Server
077fd4c5-df8f-4320-ad69-7d01603a674d|Sun Fire 12K Server
d842dd03-059b-11d8-84cb-080020a9ed93|Sun Fire E25K Server
1404a2d3-059a-11d8-84cb-080020a9ed93|Sun Fire E20K Server



Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.