libzmq/ffmpeg: "Address family not supported by protocol (src/ip_resolver.cpp:542) / Aborted" from mpd.service "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK" #4737
tl;dr: libzmq errors out when RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX is in the mpd systemd unit file when mpd, running as a system service, calls ffmpeg ... zmq:tcp://127.0.0.1:5555 directly (i.e., in the systemd environment). How to get around this while retaining security in the systemd unit?
Issue description
I was able to get ffmpeg's libzmq implementation to work on the cli either using cat /tmp/mpd.fifo | ffmpeg ... -i - ... zmq:tcp://127.0.0.1:5555 pipe as stdin or just using the named pipe as direct input ffmpeg ... -i /tmp/mpd.fifo ... zmq:tcp://127.0.0.1:5555 but it kept erroring out when called directly by mpd's pipe output, e.g.,
results in ffmpeg reporting, "Address family not supported by protocol (src/ip_resolver.cpp:542) / Aborted" and mpd just saying it was a broken pipe.
Upon a good bit of investigation and helpful suggestions from #ffmpeg, #bash, and #systemd the offending line in systemd unit file mpd.service was: RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
What is the best way to let libzmq have whatever access it needs without significantly sacrificing security (which is described in the mpd.service unit file as one of the "# more paranoid security settings")?
replacing the RestrictAddressFamilies=... with
IPAddressAllow=localhost
IPAddressDeny=any
does solve the problem so if that's the best solution then this can be closed and left for anyone else looking to solve this problem.
Environment
libzmq version (commit hash if unreleased):
these probably came from apt
ii libzmq3-dev:amd64 4.3.5-1build2 amd64
ii libzmq5:amd64 4.3.5-1build2 amd64
however I also compiled libzmq from source because I wasn't sure if libzmq3-dev would work and:
so when ffmpeg was compiled (after its libzmq was patched) with --enable=libzmq it presumably used the 4.3.6 that pkgconfig displayed. (If it's super duper relevant I'm sure I could recompile ffmpeg again to test.)
OS: Rhino Linux 2024.02
ffmpeg version:
ffmpeg version N-116842-ga87a96105e Copyright (c) 2000-2024 the FFmpeg developers
built with gcc 14 (Ubuntu 14.2.0-4ubuntu1)
configuration: --bindir=/usr/local/bin --prefix=/cache/ffmpeg_build --pkg-config-flags=--static --extra-cflags=-I/cache/ffmpeg_build/include --extra-ldflags=-L/cache/ffmpeg_build/lib --extra-libs='-lpthread -lm' --ld=g++ ... --enable-libzmq
Music Player Daemon 0.24 (v0.23.15-1377-g381215fd7+)
Minimal test code / Steps to reproduce the issue
See above...
run mpd as system service using the default systemd unit file included with mpd source.
I just want ffmpeg to stream music from one machine to the other and I want mpd to be able to use an unnamed pipe so ffmpeg can be called directly from mpd like I've been doing with rtsp instead of some workaround:
audio_output {
    name "pipe to ffmpeg - suffix"
    enabled "no"
    type "pipe"
    format "48000:16:2"
    command "ffmpeg -loglevel error -hide_banner -y -f s16le -ar 48000 -ac 2 -vn -i - -c libopus -b:a 64k -f rtsp rtsp://localhost:8554/mpd/mpd.opus"
}
command "ffmpeg -hide_banner -f s16le -ar 48000 -ac 2 -i - -f mpegts -acodec libopus -b:a 128k zmq:tcp://127.0.0.1:5555 >> /var/log/mpd/ffmpeg.log 2>&1"
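RestrictAddressFamilies= rejects socket() calls for unlisted families with EAFNOSUPPORT, which is the "Address family not supported by protocol" text in the abort above. The probe below is an added example, not part of the original issue or of libzmq, ffmpeg or mpd; it reports which families a sandbox filters so that only those are added to the allow-list. The function names and the simulated sandbox are hypothetical, and AF_NETLINK being the family libzmq needs is an assumption.

```python
import errno
import socket
import sys

# AF_NETLINK is probed because glibc's getifaddrs() enumerates interfaces over
# a netlink socket; that libzmq reaches it at ip_resolver.cpp:542 is an assumption.
PROBE = ("AF_INET", "AF_INET6", "AF_UNIX", "AF_NETLINK")


def probe(families=PROBE, opener=socket.socket):
    """Try socket() for each family; map family name -> 'ok' or errno name."""
    results = {}
    for name in families:
        family = getattr(socket, name, None)
        if family is None:  # family not defined on this platform
            results[name] = "unavailable"
            continue
        kind = socket.SOCK_RAW if name == "AF_NETLINK" else socket.SOCK_STREAM
        try:
            opener(family, kind).close()
            results[name] = "ok"
        except OSError as exc:
            results[name] = errno.errorcode.get(exc.errno, str(exc.errno))
    return results


def filtered(results):
    """Families rejected the way RestrictAddressFamilies= rejects them."""
    return sorted(n for n, r in results.items() if r == "EAFNOSUPPORT")


def simulated_sandbox(allowed):
    """Constructed stand-in for the unit's filter, so the logic runs offline."""
    class _Sock:
        def close(self):
            pass

    def opener(family, kind):
        if socket.AddressFamily(family).name not in allowed:
            raise OSError(errno.EAFNOSUPPORT, "Address family not supported by protocol")
        return _Sock()
    return opener


if __name__ == "__main__":
    found = probe()  # real sockets: run this inside the unit's sandbox
    for name, result in found.items():
        print(f"{name:12} {result}")
    sys.exit(1 if filtered(found) else 0)
```

To see the real filter, run it under the unit's setting, for example systemd-run --wait --pipe -p "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX" python3 probe.py. With the IPAddressAllow=/IPAddressDeny= replacement every family reports ok, because those settings filter IP packets and do not restrict socket() families at all.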