| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes 2 small improvements to the parsing of the bg, fg, and
sloppy mount options in nfsmount.conf.
1. "bg" and "fg" negate should each other. "Background=True" should
mean "bg" and "Background=False" should mean "fg". The same applies to
"Foreground".
2. Once we see "Sloppy=False" while parsing the configuration file we
should ignore subsequent occurrences of the sloppy option. This will
preserve the "right-most setting wins" behavior for the sloppy mount
option.
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nfsmount.conf file has the following format:
[ section "arg" ]
tag = value
conf_get_tag_list() currently doesn't check the arg field so we wind up
getting all the options that fall under a particular section value,
instead of just the ones that match the specific "arg" field. As a
result, we wind up passing options to the mount syscall from sections
that aren't even relevant to the mount operation that is being
performed.
For example, if we have three different server sections, and each
section has an Nfsvers tag, then the string we pass to the mount syscall
will have two extra occurrences of the nfsvers option. Each option
should appear at most 4 times -- once for the system section, once for
the server-specific section, once for the mount-specific section, and
once for the command line mount options.
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
RH bz 831455 has a report that repeatedly mounting and unmounting over
lo can hit this warning in the EOF case. I suspect that's just
normal--I'm not sure of the details, but probably idmapd gets woken up
to check for an upcall and then the upcall gets yanked away before
idmapd gets a chance to read it.
So just skip the warning in that case. I also can't see a reason to
reopen.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Changed the default protocol versions that rpc.nfsd
register with rpcbind to just 3 and 4. Version 2
can still be enabled with the '-V' flag, but it
will not be on by default.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Commit 1c787f14 [gssd: scan for DIR: ccaches, too] changed the default
prefix for the credential cache files. Update the check to ignore the
machine credential file when running with -n (root ignores machine
credentials).
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
krb5_util tries various different credential names in order to find
the machine credential, not all of them use the full host name of the
current host.
So if getting the full host name fails, don't give up completely,
still try the other options.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recent changes to support python 3 changed the output of nfsiostat from:
read: ops/s kB/s kB/op retrans
avg RTT (ms) avg exe (ms)
48.094 2889.133 60.072 0 (0.0%)
177.160 184.833
...
to:
read:
ops/s kB/s kB/op retrans avg RTT (ms) avg exe
(ms)
0.000
0.000
0.000
0 (0.0%)
0.000
0.000
...
Signed-off-by: Weston Andros Adamson <dros@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The current implementation ignores any preferred realm specified on the
command line. Fix this behaviour and make sure the preferred realm is
used as first realm when trying to acquire a keytab entry
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Signed-off-by: Frederik Moellers <frederik.moellers@upb.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When initialising an array there is no need to specify the size as the
size is taken from the initialiser. Having the size there means that
any change to the initialiser needs to change the size to and so is
error-prone.
So just remove the size.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The man page was generated, but this file is intended as the
source to make modifications. So remove all generated comments
and only leave what's needed and easily maintained manually
without changing the appearance of the man page.
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Luk Claes <luk@debian.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The final version for this fix that was committed inverted the test
so makes no change in the important cases.
The documentation didn't really help a naive user know when the new -D
flag should be used.
And the code (once fixed) avoided DNS resolution on non-qualified names too,
which probably isn't a good idea.
This patch fixes all three issues.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The problem was that is_subdirectory() would also succeed if the two
directories were the same. This is needed for path_matches() which
needs to see if the child is same-or-descendant.
So this patch rearranges path_matches() to do the "are they the same"
test itself and only bother with is_subdirectory() if it they are not
the same.
So now is_subdirectory() can be strict, and so can be usable for
subexport(), which needs a strong 'in subdirectory - not the same' test.
Acked-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
Moves nfs_probe_statd from mount to nfs support lib to share with statd.
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Weston Andros Adamson <dros@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
After inclusion of NFSv4.1 it seems that now you can specify an NFSv4
mount with either "-tnfs4" or "-overs=4". This patch moves "nfsvers/vers"
from "Options for NFS versions 2 and 3 only" to "Options supported by
all versions".
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A NFS client should be able to work properly even if the DNS Reverse
record for the server is not set. This means a DNS lookup should not be
done on server names at are passed to GSSAPI. This patch changes the default
behavior to no longer do those types of lookups
This change default behavior could negatively impact some current
environments, so the -D option is also being added that will re-enable
the DNS reverse looks on server names, which are passed to GSSAPI.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
If we're cross-compiling, we can't do a runtime test of sqlite,
so just assume that the user has a good enough version rather
than falling over.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Marc Eshel reports that using the -v command line option on the
sm-notify command stopped working after nfs-utils 1.2.2, when IPv6
support was added. If nfs-utils is built without IPv6 support, it
still works. Marc specified a hostname with a single A record.
smn_bind_address() must construct a bind address with the same
family as the RPC socket's protocol family. Add an AI_V4MAPPED hint
so an appropriate IPv6 bind address is constructed even if -v
specifies an IPv4 presentation address, or a hostname with only IPv4
mappings.
We still use an IPv4 bind address if IPv6 support is compiled out or
the host does not support IPv6.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
Cc: Marc Eshel <eshel@us.ibm.com>
|
| |
|
|
|
|
|
|
|
| |
This patch remove the ability of negotiating to the v2
protocol. Explicitly setting the version on the command
line will be the only way to use v2.
Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 91bb95f2689e84856ecdf6fac365489d36709cf9
4set_root: force "fsid=0" for all exports of '/'
set NFSEXP_FSID for the export of "/" if nothing else had any fsid set,
however it didn't also set the flag for all security flavours. So the
kernel complains that the flags on the security flavours don't match and
it rejects the export.
So call fix_pseudoflavor_flags() in write_secinfo() to make sure that
any fiddling that has been done to e_flags gets copied to e_secinfo.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GSSAPI can be given a uid number as a special name, and then
gss_acquire_cred() can use the name to try to find credentials for
the user.
Give GSSAPI a chance to do it on its own, then fallback to the classic
method of trolling through the file system to find a credential cache.
This patch uses a little know feature of GSSAPI that permits to acquire
crdentials specifying the user's UID. Normally GSSAPI will simply
perform a getpwuid() call and use the user name to generate a principal name and
then see if it can find a TGT for that principal in the local ccache.
This feature is vital to allow the GSS-Proxy to be able to initiate
crdentials on behalf of rpc.gssd using client keytabs stored in the filsystem.
GSS-Proxy works through an interposer-type plugin (new feature in MIT 1.11)
that allows to intercept all GSSAPI requestes and relay them to a system
daemon via a socket. This daemon (GSS-Proxy) then can perform operations
on behalf of other applications with additional logic.
In the rpc.gssd case the GSS-Proxy daemon allows applications running as
system users to properly access krb5 protected shares by creating a
credential cache on the fly when necessary.
This way all applications that need access to krb5 protected shares do not need
to be taught how to initiate crdentials on their own, nor they need to be
wrapped in additional init scripts like k5start or use wasteful cronjobs to
keep credentials fresh. All is needed is to drop a keytab with the right keys
in a special location on the system and gss-proxy will do the rest.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We found this problem because NFS clients to a RHEL6 NFS server were
experiencing periods of ESTALE errors after being mounted and initially
working successfully. Tests were run which snapshotted the nfs/sunrpc
caches before and after the issue, and it was found that the '$'
character
at the beginning of the ID strings, used when in use_ipaddr mode, was
getting
lost:
GOOD, while mount was working:
nfsd 1.2.3.4 $1.2.3.4
BAD, after mount started returning ESTALE:
nfsd 1.2.3.4 1.2.3.4
This would then cause the export checks to fail by passing '1.2.3.4'
instead of '$1.2.3.4' up to rpc.mountd.
The problem appears to be in the auth_unix_ip() function when renewing
the auth.unix.ip cache entry. It would fail to add the '$' character
back to the beginning of the string used for the domain string,
breaking the use_ipaddr mode.
Signed-off-by: Jose Castillo <jcastillo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bryan recently added SECINFO support, and I've beefed up the NFSv3
MNT processing in kernel to do some security flavor negotiation.
Thus the kernel can perform additional security flavor negotiation
now. Update the description of the sec= mount option and the
SECURITY CONSIDERATIONS section to reflect this change.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When using GSSAPI's gss_krb5_export_lucid_context the context passed
into the function is actually deleted during the export (to avoid
reuse as the context contains state that depends on its usage).
Change the code to pass in a pointer to the context so that it can be
properly NULLed if we are using the GSSAPI context and following calls to
gss_delete_sec_context will not cause double free errors and segfaults.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
The getopt string did not add : after the R option resulting in a
sefgault whenever -R was used as optarg is NULL and it is dereferenced.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Make libgssglue configurable still but disabled by default.
There is no reason to use libgssglue anymore, and modern gssapi
supports all needed features for nfs-utils.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: GÃnther Deschner <gdeschner@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add command line options to enable those NFS versions that are
currently disabled by default. We choose to use the options '-V'
and '--nfs-version' for compatibility with rpc.mountd.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The rpcdebug program gets installed, so we don't want to use the build
toolchain to compile it. I can't find any scripts in the build system
that try to execute it, so this shouldn't be a problem.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
On some systems (like uClibc), there isn't a libio.h header. But it
isn't also needed on them. So check for the header first.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
| |
It clearly doesn't get maintained, so punt it.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Simple fixes here to work with python 2 & 3:
- use print() everywhere
- dict.iteritems() -> dict.items()
- file() -> open()
- sys.maxint -> sys.maxsize
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit 8e2fb3fc cause a regression in mount export
that are on different local file system.
Exports like (all on different filesystems)
/home *(rw,fsid=0,crossmnt)
/home/fs1 *(rw,crossmnt)
/home/fs1/fs2/fs3 *(rw,nohide)
and then a mount of the root 'mount /home /mnt'
would end up mounting /home/fs1/fs2/fs3 not /home
Reverting the logic of commit 8e2fb3fc until
a better solution can be found for the original
problem.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The list of security flavors that mountd allows for the NFSv4
pseudo-fs is constructed from the union of flavors of all current
exports.
exports(5) documents that the default security flavor for an
export, if "sec=" is not specified, is "sys". Suppose
/etc/exports contains:
/a *(rw)
/b *(rw,sec=krb5:krb5i:krb5p)
The resulting security flavor list for the pseudo-fs is missing
"sec=sys". /proc/net/rpc/nfsd.export/content contains:
/a *(rw,root_squash,sync,wdelay,no_subtree_check,
uuid=095c95bc:08e4407a:91ab8601:05fe0bbf)
/b *(rw,root_squash,sync,wdelay,no_subtree_check,
uuid=2a6fe811:0cf044a7:8fc75ebe:65180068,
sec=390003:390004:390005)
/ *(ro,root_squash,sync,no_wdelay,v4root,fsid=0,
uuid=2a6fe811:0cf044a7:8fc75ebe:65180068,
sec=390003:390004:390005)
The root entry is not correct, as there does exist an export whose
unspecified default security flavor is "sys". The security settings
on the root cause sec=sys mount attempts to be incorrectly rejected.
The reason is that when the line in /etc/exports for "/a" is parsed,
the e_secinfo list for that exportent is left empty. Thus the union
of e_secinfo lists created by set_pseudofs_security() is
"krb5:krb5i:krb5p".
I fixed this by ensuring that if no "sec=" option is specified for
an export, its e_secinfo list gets at least an entry for AUTH_UNIX.
[ Yes, we could make the security flavors allowed for the pseudo-fs
a fixed list of all flavors the server supports. That becomes
complicated by the special meaning of AUTH_NULL, and we still have
to check /etc/exports for whether Kerberos flavors should be listed.
I opted for a simple approach for now. ]
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
NFS man page patch that moves nordirplus/rdirplus from "Options for NFS
versions 2 and 3 only" to "Options supported by all versions". Its a
better fit here since this option is also needed for some NFSv4 servers.
Signed-off-by: Chris Vogan <cvogan@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
According to "man gethostname," gssd is handling the return value of
gethostname(3) incorrectly. It looks like other gethostname(3) call
sites in nfs-utils are already correct.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
| |
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove a contradictory portion of the block comment documenting
gssd_find_existing_krb5_ccache(). This should have been removed by
commit 289ad31e, which reversed the meaning of the function's return
values.
Note that, in user space, typically errno's are positive. But here
we follow the kernel convention of using negative values to return
error codes. Make the documenting comments explicit about the sign
of an error return -- it will never be positive in the case of an
error.
And a nit: At the last return statement in
gssd_setup_krb5_user_gss_ccache(), "err" always contains zero, as
far as I can tell. Make it explicit (to human readers) that when
execution reaches this point, gssd_setup_krb5_user_gss_ccache() is
going to return "success."
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move most of the text in the description of the "-l" option up to
the DESCRIPTION section, to match what was done for "-n" and "-k".
The discussion is then less restricted by formatting, and we can
take the space to introduce a few concepts before describing the
behavior of rpc.gssd.
Fix a few misspellings and grammar issues while here.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Our NFSv4 implementation uses machine credentials for operations
that manage state on behalf of the whole client (for example,
SETCLIENTID or RENEW). The rpc.gssd man page is missing a
description of this usage, especially in the discussion of the "-n"
option.
The issue is that rpc.gssd's "-n" option requires root to acquire a
user credential. In the absense of a system keytab (for instance,
if the system is diskless) root's credential is not to be used as
the machine credential that manages NFSv4 state.
Group the discussion of machine credentials and UID 0 in one place
to help clarify the discussion and simplify the description of
several of these options.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It's good practice in user documentation to define terms before they
are used. Add an INTRODUCTION section that defines important terms
that are used in the DESCRIPTION and OPTIONS sections. The key
concepts are GSS context, user credential, machine credential, and
keytab.
The RFCs I looked at capitalize both "gss" and "rpcsec_gss". For
consistency I changed this throughout the man page.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
| |
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Clean up: The usual convention for the values of command line
options and for pathnames is for them to appear italicized,
rather than emboldened or in double quotes.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Clean up. set_pseudofs_security() and pseudofs_update() have no
call sites outside of v4root.c, and there are no header declarations
for either function. Define both as static.
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Making all in mountd
cache.c: In function 'subexport':
cache.c:374:9: warning: unused variable 'l2' [-Wunused-variable]
Commit 8e2fb3fc removed the last use of "l2" in the subexport()
function.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
I noticed that there is a problem with expired credentials if NFS
client's time is even few seconds behind KDC's or NFS server's time.
Client's kernel requests new GSS context but rpc.gssd is happy with
existing krb cache as it valid according to local time.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
