dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogenous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org
291 stars 136 forks source link

IPV6 address redirection with xrootd Doors #6749

Open vokac opened 2 years ago

vokac commented 2 years ago

I see probably same issue described in #6602 with our dCache 7.2.20. I agree dCache should use hostname instead of IPv6 address, but in case dCache decides to use directly IPv6 address it should create redirection with [2001:718:401:6017:ec4:7aff:fe1e:3e02] instead of just 2001:718:401:6017:ec4:7aff:fe1e:3e02, because otherwise XRootD client is unable to parse passed redirection URL https://github.com/xrootd/xrootd/blob/3756f1b43931e782c4917ab0edc443743893162c/src/XrdCl/XrdClURL.cc#L219-L243

paulmillar commented 2 years ago

Hi @vokac,

Thanks for you comment.

In general, I think you're right: any IPv6 address needs to be distinguished from an IPv4 address. Placing an IPv6 address in square brackets achieves this goal. It is also how this problem is resolved with URLs.

Looking at the kXR_redirect response in the latest version of the xroot spec, it is not obvious (to me) whether or not returning an IP address is valid. The spec describes host as:

ASCII name of the to which the client should connect. [...]

In #6602, Al describes how Andy (informally) told him that host should be a DNS name. However, (I believe) this does not rule out an IP-based response. Moreover, your comments suggest that the XrootD client will accept at least some IP addresses.

My suggestion is that we try to fix the spec, to clarify IP-based redirection. We can then update dCache to conform to the spec.

I've created issue xrootd/xrootd#1762 to track this requested update to the xroot spec.

As a further note: I believe this issue is somewhat independent from #6602. I understand that, with #6602, the problem is that the door is redirecting the client using an IP address. It "should" be redirecting with a DNS-resolvable hostname (for some definition of "should").

alrossi commented 2 years ago

Just to second what @paulmillar said: #6602 was resolved (I think) by either reconfiguring the network stack or by using the dcache.java.options.extra=-Djava.net.preferIPv6Addresses=true ... I am not sure which. The upshot is that the address is resolved inside dCache/JVM to return the hostname, as desired. The hostname is necessary largely because of the way TLS requires addresses to appear in certificate SANs.

Having more clarity on what the client expects is a good idea. Thanks, @paulmillar, for opening the issue at xrootd GitHub.