auth option causes Segmentation fault
Describe the bug
When defining --auth with the default etc/nanomq_auth_username.conf, a segmentation fault happens.
Expected behavior: Run nanomq
Actual behavior: Segmentation fault
To Reproduce
root@mqtt-test:~# docker run --rm -it -e NANOMQ_CONF_PATH=/etc/nanomq/nanomq.conf -v /docker/nanomq/etc:/etc/nanomq --name nanomq --entrypoint /bin/sh emqx/nanomq:0.10.8-alpine
/usr/local/nanomq # ./nanomq start --auth /etc/nanomq/nanomq_auth_username.conf
Segmentation fault (core dumped)
Environment Details
- NanoMQ version: dockerized emqx/nanomq:0.10.8-alpine
- Operating system and version: Ubuntu 20.04.4 LTS
- Compiler and language used: NA
- testing scenario: NA
Thank you for reporting the issue! But I failed to reproduce this bug here.
Could you please share your 'nanomq_auth_username.conf' file? This is quite possibly caused by unexpected file content.
Hi @JaylinYu, that's interesting. I use the default one(s) from the repo:
root@mqtt-test:~# cat /docker/nanomq/etc/nanomq.conf
## NanoMQ Configuration 0.10.5
## MQTT Broker Config Params
## url
## Connect with the host and port
##
## Value: nmq-tcp://host:port
url=nmq-tcp://0.0.0.0:1883
## daemon
## Run the NanoMQ broker in a daemon mode
##
## Value: true | false
daemon=false
## num_taskq_thread
## Use a specified number of taskq threads
##
## Value: 1-255
num_taskq_thread=4
## max_taskq_thread
## Use a specified maximunm number of taskq threads
##
## Value: 1-255
max_taskq_thread=4
## parallel
## Handle a specified maximum number of outstanding requests
##
## Value: 1-infinity
parallel=32
## Property_size
## The max size for a MQTT user property
##
## Value: 1-infinity
property_size=32
## The max packet size of NanoMQ (Kbytes)
## Defines the max size of a packet that NanoMQ could accept
##
## Value: 1 Byte-260 Mb
max_packet_size=1024
## The default max packet size of each client (Kbytes)
## Defines the default max size limit of sending packet to each client
## Will be overwrite if client set its own max size limit
##
## Value: 1 Byte-260 Mb
client_max_packet_size=1024
## msq_len
## The queue length in-flight window
## This is essential for performance and memory consumption
##
## Value: 1-infinity
msq_len=256
## qos_duration
## The nano qos duration which also controls timer interval of each pipe
##
## Value: 1-infinity
qos_duration=60
## The backoff for MQTT keepalive timeout.
## broker will discolse client when there is no activity for
## 'Keepalive * backoff * timeout.
##
## Value: Float > 0.5
keepalive_backoff=1250
## anonymous
## allow anonymous login
##
## Value: true | false
allow_anonymous=true
## SQLite Config ##
## Enable sqlite cache
## Whether to enable sqlite
##
## Value: boolean
sqlite.enable=false
## Max message limitation for caching
## ( 0 means ineffective )
## Value: 1-infinity
sqlite.disk_cache_size=102400
## Mounted file path
##
## Value: path
#sqlite.mounted_file_path=/tmp/
## The threshold of flushing messages to flash.
##
## Value: 1-infinity
sqlite.flush_mem_threshold=100
## Resend interval (ms)
## The interval for resending the messages after failure recovered. (not related to trigger)
##
## Value: 1-infinity
sqlite.resend_interval=5000
## tls config ##
## enable tls
##
## Value: true | false
tls.enable=false
## tls url
##
## Value: "tls+nmq-tcp://host:port"
tls.url=tls+nmq-tcp://0.0.0.0:8883
## tls key password
## String containing the user's password. Only used if the private keyfile
## is password-protected.
##
## Value: String
## tls.key_password=yourpass
## tls keyfile
## Path to the file containing the user's private PEM-encoded key.
##
## Value: File
tls.keyfile=/etc/certs/key.pem
## tls cert file
## Path to a file containing the user certificate.
##
## Value: File
tls.certfile=/etc/certs/cert.pem
## tls ca cert file
## Path to the file containing PEM-encoded CA certificates. The CA certificates
## are used during server authentication and when building the client certificate chain.
##
## Value: File
tls.cacertfile=/etc/certs/cacert.pem
## A server only does x509-path validation in mode verify_peer,
## as it then sends a certificate request to the client (this
## message is not sent if the verify option is verify_none).
## You can then also want to specify option fail_if_no_peer_cert.
##
## Value: true: verify_peer | false: verify_none
tls.verify_peer=false
## Used together with {verify, verify_peer} by an SSL server. If set to true,
## the server fails if the client does not have a certificate to send, that is,
## sends an empty certificate.
##
## Value: true | false
tls.fail_if_no_peer_cert=false
## websocket config ##
## allow websocket
##
## Value: true | false
websocket.enable=true
## websocket url
##
## Value: "nmq-ws://host:port/path"
websocket.url=nmq-ws://0.0.0.0:8083/mqtt
## websocket tls url
##
## Value: "nmq-wss://host:port/path"
websocket.tls_url=nmq-wss://0.0.0.0:8084/mqtt
## http server config ##
## allow http server
##
## Value: true | false
http_server.enable=false
## http server port
##
## Value: 0 - 65535
http_server.port=8081
## parallel for http server
## Handle a specified maximum number of outstanding requests
##
## Value: 1-infinity
http_server.parallel=32
## http server username
##
## Value: String
http_server.username=admin
## http server password
##
## Value: String
http_server.password=public
## http server auth type
## If set auth_type=jwt, make sure you have built JWT dependency with `-DENABLE_JWT=ON` first.
##
## Value: basic | jwt
http_server.auth_type=basic
## http server jwt public key file
## Used together with 'http_server.auth_type=jwt',
## Path to the file containing the user's private key.
##
## Value: File
http_server.jwt.public.keyfile=/etc/certs/jwt/jwtRS256.key.pub
## http server jwt private key file
## Used together with 'http_server.auth_type=jwt',
## Path to the file containing the user's publick key.
##
## Value: File
http_server.jwt.private.keyfile=/etc/certs/jwt/jwtRS256.key
## Rule engine option, when persistence with
## rule engine, this option is must be ON.
##
## Value: ON | OFF
rule_engine_option=ON
## Rule engine database option
## Choose a database to persistence data
##
## Value: sqlite | fdb (foundationdb)
rule_engine_option.db=sqlite
## Rule engine option database sqlite path
## Sqlite db path, default is exec path.
##
## Value: File
rule_engine_option.db.sqlite_path=rule_engine.db
root@mqtt-test:~# cat /docker/nanomq/etc/nanomq_auth_username.conf
## NanoMQ username/password
## The first group of authentication data
##auth.1.login = admin
##auth.1.password = public
## The second group of authentication data
##auth.2.login = client
##auth.2.password = public
In fact, you can define anything and it crashes:
root@mqtt-test:~# docker run --rm -it --name nanomq --entrypoint /bin/sh emqx/nanomq:0.10.8-alpine
/usr/local/nanomq # ./nanomq start --auth /etc/passwd
Segmentation fault (core dumped)
Tested on another box, fresh:
root@router:~# docker run --rm -it --name nanomq --entrypoint /bin/sh emqx/nanomq:0.10.8-alpine
Unable to find image 'emqx/nanomq:0.10.8-alpine' locally
0.10.8-alpine: Pulling from emqx/nanomq
79e9f2f55bf5: Pull complete
81d8f69890e9: Pull complete
a3f8446cd5b6: Pull complete
7cdae0367787: Pull complete
4f4fb700ef54: Pull complete
379f95e32009: Pull complete
Digest: sha256:f6528f6cf44291a8bf8742a5b52e05957bef34f5b835154dbf15ac2d51c4d92d
Status: Downloaded newer image for emqx/nanomq:0.10.8-alpine
/usr/local/nanomq # ./nanomq start --auth /etc/passwd
Segmentation fault (core dumped)
I also found that it does WORK with the non-Alpine image:
root@router:~# docker run --rm -it --name nanomq --entrypoint /bin/sh emqx/nanomq:0.10.8-slim
Unable to find image 'emqx/nanomq:0.10.8-slim' locally
0.10.8-slim: Pulling from emqx/nanomq
7e6a53d1988f: Already exists
bde1e5da12c2: Pull complete
1d0b86a4b64c: Pull complete
4f4fb700ef54: Pull complete
45ba86e0d15b: Pull complete
b558ca38fa49: Pull complete
Digest: sha256:11760418302bbe976fcadb7fed59166e32259638d54195b46a6324960bd34b94
Status: Downloaded newer image for emqx/nanomq:0.10.8-slim
# bash
root@d2068fce3da7:/usr/local/nanomq# ./nanomq start --auth /etc/passwd
^C
root@d2068fce3da7:/usr/local/nanomq# cat /etc/issue
Debian GNU/Linux 10 \n \l
Yes, NanoMQ cannot open the file and then will stop. Apologies that it didn't return any readable errors. So could you verify whether your Docker image is able to access the config file?
Will return errors when the config file is not available.
Will investigate this further; it seems like a bug that only exists with the Alpine image.
Hi, we are going to merge all the config files into one unified file in the next version, so this issue would be obsolete.
@sooslaca Hi, could you kindly check if this issue is still there with version 0.11? We merged all conf files into one.
Hi @JaylinYu, I'm not sure it's working as expected.
docker command to start:
docker run --rm -it -e NANOMQ_CONF_PATH=/etc/nanomq/nanomq.conf -v /docker/nanomq/etc:/etc/nanomq --name nanomq --entrypoint /bin/sh emqx/nanomq:0.11.3-alpine
/usr/local/nanomq # nanomq --version
Usage: nanomq { start | stop | restart } [--help]
NanoMQ Messaging Engine for Edge Computing & Messaging bus v0.11.0-0
Copyright 2022 EMQ Edge Computing Team
/usr/local/nanomq # nanomq start --conf /etc/nanomq/nanomq.conf --log_level debug --log_stdout true
I made these changes in the config:
[nanomq]/usr/local/nanomq# cat /etc/nanomq/nanomq.conf |grep "auth\.1"
auth.1.login = admin
auth.1.password = admin
[nanomq]/usr/local/nanomq# cat /etc/nanomq/nanomq.conf | grep anon | egrep -v "^#"
allow_anonymous=false
Still, after this I can connect as anonymous and/or with any username/password.
What is also weird is that the binary is still giving --auth as a possible option to configure. Should I use that?
/usr/local/nanomq # ./nanomq start --help |grep -i auth
[--aws_bridge <path>] [--webhook <path>] [--auth <path>] [--auth_http <path>]
--auth <path> The path of a specified authorize configuration file
--auth_http <path> The path of a specified http authorize configuration file
Hi @sooslaca, I just double-checked with 0.11.8, and the authentication system is working fine. But I didn't try with Docker. So I highly suspect that the issue is that the conf file in Docker is not being set correctly. Will try with Docker later.
BTW, the help info is not updated yet in 0.11.0. Just ignore it.
Hi @JaylinYu, I doubt it; the same conf file works with the non-Alpine Docker image. There's something wrong with the Alpine-based version.
OK, sure, will investigate the issue on the Alpine Docker image. Could you also try the binary package? Just to make sure this is an issue that only exists with the Docker image.
Hi @sooslaca, we have already tested the Docker image emqx/nanomq:0.11.3-alpine; the authorization config does not work as expected, but emqx/nanomq:0.12.1-alpine is working well.
Please kindly update your Docker image version.
This bug has been fixed in 0.13.
Closing due to the lack of feedback.
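
Added example (not part of the thread and not NanoMQ project code): a check for the symptom reported above, where a broker configured with allow_anonymous=false still accepted anonymous and arbitrary credentials. It speaks MQTT 3.1.1 CONNECT/CONNACK directly; the host, port, credentials and the client id auth-check are assumptions supplied by the caller.

```python
import socket
import struct

def mqtt_str(s):
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b  # 2-byte big-endian length prefix

def remaining_length(n):
    out = bytearray()  # MQTT variable-length integer, 7 bits per byte
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)

def build_connect(client_id, username=None, password=None, keepalive=30):
    flags, payload = 0x02, mqtt_str(client_id)  # 0x02 = clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + mqtt_str(username)
        if password is not None:
            flags, payload = flags | 0x40, payload + mqtt_str(password)
    body = mqtt_str("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive) + payload
    return b"\x10" + remaining_length(len(body)) + body

def parse_connack(data):
    """Return the CONNACK return code (0 = accepted, 4/5 = auth refused)."""
    if len(data) != 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet: %r" % (data,))
    return data[3]

def broker_accepts(host, port, username=None, password=None, timeout=5.0):
    """True only if the broker replies CONNACK 'accepted' to this CONNECT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect("auth-check", username, password))  # arbitrary client id
        try:
            reply = s.recv(4)  # a refusing broker may just close: b""
        except OSError:
            return False
    return len(reply) == 4 and parse_connack(reply) == 0

def audit(host, port, user, password, probe=broker_accepts):
    findings = []  # stays empty when authentication is enforced
    if probe(host, port):
        findings.append("anonymous CONNECT accepted")
    if probe(host, port, user, password + "-wrong"):
        findings.append("wrong password accepted")
    if not probe(host, port, user, password):
        findings.append("configured credentials rejected")
    return findings
```

Calling `audit("127.0.0.1", 1883, "admin", "admin")` against a broker you operate after each image or config change returns an empty list when the auth settings took effect; any finding means they were not applied.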