| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Convert the current code to used the NFSCTL_XXX macros
to turn off the TCP listener.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
exportfs currently exits with a non-zero error for some errors,
but not for others.
It does this by having various support routines set the global
variable "export_errno".
Change this to have 'xlog' set export_errno if an ERROR is
reported. That way all errors will be caught.
Note that the exit error code is changed from 22 (EINVAL)
to the more traditional '1'.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Currently if exportfs is asked to unexport something that is not
exported it silently succeeds. This is not ideal, particularly for
scripting situations.
So report an error when the unexport was successful and the -v flag used.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Call gss_inquire_cred after gssd_acquire_krb5_cred check for expired
credentials.
This fixes a recent regression (since 302de786930a2c533068f9d8909a)
that causes the user's ticket cache to grow unbounded with expired
service tickets when the user's credentials expire.
To reproduce this issue:
- mount kerberos nfs export
- kinit for a short lifetime (ie "kinit -l 1m")
- run a job that opens a file and writes for more than the lifetime
- run klist a few times after expiry and see the list grow, ie:
Ticket cache: DIR::/run/user/1749600001/krb5cc/tktYmpGlX
Default principal: dros@APIKIA.FAKE
Valid starting Expires Service principal
10/21/2013 15:39:38 10/21/2013 15:40:35 krbtgt/APIKIA.FAKE@APIKIA.FAKE
10/21/2013 15:39:40 10/21/2013 15:40:35 nfs/zero.apikia.fake@APIKIA.FAKE
Signed-off-by: Weston Andros Adamson <dros@netapp.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I think there was a reason for this many years ago,
but I can not find any evidence that it ever really did
anything useful and it certainly doesn't seem to now.
And the documentation suggests that IP address take precedence over
SUBNETs, and that can only happen if they are treated as MCL_FQDN.
So remove this apparently pointless code.
Reported-and-tested-by: Wangminlan <wangminlan@huawei.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
parse_fsid() is currently truncating all inode numbers to
32bits, and assumes that 'int' is 32 bits (which it probably is,
but we shouldn't assume).
So make the 'inode' field in 'struct parsed_fsid' a 64 bit field.
and only memcpy into variables or fields that have been declared
to a specific bit size.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
exportfs currently exits with a non-zero error for some errors,
but not for others.
It does this by having various support routines set the global
variable "export_errno".
Change this to have 'xlog' set export_errno if an ERROR is
reported. That way all errors will be caught.
Note that the exit error code is changed from 22 (EINVAL)
to the more traditional '1'.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
This reverts commit 956aeff2e24304e938846f81f4b9db34cbf18a32.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To improve error handling when scripting exportfs it's useful
to have non-zero exit codes when the requested operation did not
succeed.
This patch also returns a non-zero exit code if you request to
unexport a non-existant share.
Signed-off-by: Tony Asleson <tasleson@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Currently, mount.nfs returns an error code, but doesn't print anything
when this occurs.
Reported-by: Eric Doutreleau <edoutreleau@genoscope.cns.fr>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The part of process_krb5_upcall that handles non-machine user creds
first tries to query GSSAPI for credentials. If that fails, it then
falls back to trawling through likely credcache locations to find them
and then points $KRB5CCNAME at it before proceeding. There are a number
of bugs in this code that this patch attempts to address.
The code that queries GSSAPI for credentials does it as root which
almost universally fails to do anything useful unless we happen to be
looking for non-machine root creds. Because of this, gssd almost always
falls back to having to search for credcaches "manually". The code that
handles credential switching is in create_auth_rpc_client, so it's too
late to be of any use here.
Worse yet, for historical reasons the MIT krb5 authors used %{uid} in
the default credcache locations which translates to the real uid. Thus
switching the fsuid or even euid is insufficient. You must switch the
real uid in order to be able to find the proper credcache in most cases.
This patch moves the credential switching to occur much earlier in the
process and has it do a much more thorough job of it. It first drops all
supplimentary groups, then determines a gid to use and switches the gids
and uids to the correct ones. If it can't determine the correct gid to
use, it then tries to look up the one for "nobody" and uses that.
Once the credentials are switched, the forked child now no longer tries
to change them back. It does the downcall with the new credentials and
just exits when it's done.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Most krb5 installations use credcache locations that contain %{uid},
which expands to the real UID of the current process. In order for
GSSAPI to find those properly, we need to be able to switch the real UID
of the process to the designated one. That however, opens the door to
allowing gssd to be killed or reniced during the window where we've
switched credentials.
To combat this, change gssd to fork before trying to handle each upcall.
The child will do the work to establish the context and the parent task
will just wait for it to exit. It's still possible for the child to be
killed or reniced, but that would only affect a single upcall instead of
the entire daemon. Also, If the process is killed prematurely, then log
an error to tip off the admin that there was a problem.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
Adds '-s' option which outputs the current exports in a format
suitable for /etc/exports.
Signed-off-by: Tony Asleson <tasleson@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Commit b703eabe converted mountstats to using python3's print()
function, but this doesn't work in python2.x without
importing the print function from __future__.
Signed-off-by: Weston Andros Adamson <dros@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
When the 'timeo' option is specified in multiple sections of
the nfsmount.conf file, each instance is added to the parsing
string. This patch make the first instance override any others.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
When the 'Background' and/or 'Foreground' options are set
in multiple sections of the nfsmount.conf file, each instance
gets added to the parsing string. This patch makes the first
instance of either option override the any others.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As Bruce recently pointed out, gss_clnt_send_err basically does an
unsolicited downcall into the kernel to try and destroy a valid GSS
context. That has been broken however since this kernel commit:
commit 3b68aaeaf54065e5c44583a1d33ffb7793953ba4
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Thu Jun 7 10:14:15 2007 -0400
SUNRPC: Always match an upcall message in gss_pipe_downcall()
Downcalls that don't match an in-progress upcall just get back an
-ENOENT error and don't actually do anything. Remove these tools
since they've been useless for the last 6 years.
Reported-by: "J. Bruce Fields" <bfields@fieldses.org>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
From: "J. Bruce Fields" <bfields@redhat.com>
The syntax here is a little convoluted.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
From: "J. Bruce Fields" <bfields@redhat.com>
Some newer kernels are rejecting -1 uid/gid. Actually, worse--they're
silently ignoring any attempt to cache such exports, thus preventing
test_export from getting back the errors it needs.
And -1 wasn't a good choice anyway.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 11ba3b1e01b67b7d19f26fba94fabdb60878e809 (Add a default flavor
to an export's e_secinfo list) breaks the ordering of security flavours
in the secinfo list, by reordering 'sec=sys' to always be the first
secinfo flavour if one fails to set a default 'sec' setting.
An export of the form:
/export -sync,no_subtree_check,mp \
192.168.1.0/24(sec=krb5p:krb5i:krb5,rw,sec=sys,ro)
ends up getting translated by exportfs into the following entry in
/var/lib/nfs/etab:
/export 192.168.1.0/24(ro,sync,wdelay,hide,nocrossmnt,\
secure,root_squash,no_all_squash,\
no_subtree_check,secure_locks,acl,\
mountpoint,anonuid=65534,anongid=65534,\
sec=sys,ro,root_squash,no_all_squash,\
sec=krb5p:krb5i:krb5,rw,root_squash,no_all_squash)
Note how the 'sec=sys' is now listed first...
The fix is to defer adding the default flavour until the call to
secinfo_show, when we can see if it is even needed at all.
With the patch, the above export is now correctly entered in
/var/lib/nfs/etab as:
/export 192.168.1.0/24(ro,sync,wdelay,hide,nocrossmnt,\
secure,root_squash,no_all_squash,\
no_subtree_check,secure_locks,acl,\
mountpoint,anonuid=65534,anongid=65534,\
sec=krb5p:krb5i:krb5,rw,root_squash,no_all_squash,\
sec=sys,ro,root_squash,no_all_squash)
Cc: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From: "J. Bruce Fields" <bfields@redhat.com>
The tgtname is of the form service@hostname. It's not a hostname, and
attempting to look it up here just causes failure of any upcall with a
"target=" field (currently, any upcall on behalf of an nfsv4.0
callback).
I think the theory was that knowning that target= name might help pick
the right keytab, but I don't really know if that's helpful. For now,
just stop trying to do this.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From: "J. Bruce Fields" <bfields@redhat.com>
The tgtname is of the form service@hostname. It's not a hostname, and
attempting to look it up here just causes failure of any upcall with a
"target=" field (currently, any upcall on behalf of an nfsv4.0
callback).
I think the theory was that knowning that target= name might help pick
the right keytab, but I don't really know if that's helpful. For now,
just stop trying to do this.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From: "J. Bruce Fields" <bfields@redhat.com>
Both dirname and pdir are null-terminated strings, so there's no reason
I can see for the strncmp.
And this gives the wrong result when comparing the "nfsd" and "nfsd4_cb"
directories! The results were callback clients being removed
immediately after creation, when lack of a client with the corresponding
name under "nfsd" lead gssd to believe it had disappeared from
"nfsd4_cb".
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
| |
This will make nfs-iostat run on Python 2.6, 2.7 and >= 3.0
Signed-off-by: Bohuslav Kabrda <bkabrda@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
| |
This will make mountstat run on Python 2.6, 2.7 and >= 3.0
Signed-off-by: Bohuslav Kabrda <bkabrda@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
In a shell script, when nfsiostat is run in the background with
stdout redirected to a file, flush stdout periodically to ensure
that we do not lose the buffered output if the nfsiostat process
is killed.
Signed-off-by: Harshula Jayasuriya <harshula@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The 'insecure' flag is listed in /proc/fs/nfsd/export_features
in newer kernels as being a secinfo_flag, however it is not
displayed by secinfo_show.
This patch fixes that, and sets up a framework which should make
it easy to add new flags to /proc/fs/nfsd/export_features and have
them be displayed properly.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Jim Rees <rees@umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is possible for a race to cause a name to appear when an rpc_pipefs
dir is scanned but to no longer be present when we try to open it.
So if the error is ENOENT, don't complain.
This is similar to
commit 5ac9bcfd820f09af4d3f87f1f7346d896f70bc9a
Author: David Jeffery <djeffery@redhat.com>
Date: Wed Jan 16 15:21:55 2013 -0500
rpc.idmapd: Ignore open failures in dirscancb()
which addressed a similar issue in idmapd.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes 2 small improvements to the parsing of the bg, fg, and
sloppy mount options in nfsmount.conf.
1. "bg" and "fg" negate should each other. "Background=True" should
mean "bg" and "Background=False" should mean "fg". The same applies to
"Foreground".
2. Once we see "Sloppy=False" while parsing the configuration file we
should ignore subsequent occurrences of the sloppy option. This will
preserve the "right-most setting wins" behavior for the sloppy mount
option.
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nfsmount.conf file has the following format:
[ section "arg" ]
tag = value
conf_get_tag_list() currently doesn't check the arg field so we wind up
getting all the options that fall under a particular section value,
instead of just the ones that match the specific "arg" field. As a
result, we wind up passing options to the mount syscall from sections
that aren't even relevant to the mount operation that is being
performed.
For example, if we have three different server sections, and each
section has an Nfsvers tag, then the string we pass to the mount syscall
will have two extra occurrences of the nfsvers option. Each option
should appear at most 4 times -- once for the system section, once for
the server-specific section, once for the mount-specific section, and
once for the command line mount options.
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
RH bz 831455 has a report that repeatedly mounting and unmounting over
lo can hit this warning in the EOF case. I suspect that's just
normal--I'm not sure of the details, but probably idmapd gets woken up
to check for an upcall and then the upcall gets yanked away before
idmapd gets a chance to read it.
So just skip the warning in that case. I also can't see a reason to
reopen.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Changed the default protocol versions that rpc.nfsd
register with rpcbind to just 3 and 4. Version 2
can still be enabled with the '-V' flag, but it
will not be on by default.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Commit 1c787f14 [gssd: scan for DIR: ccaches, too] changed the default
prefix for the credential cache files. Update the check to ignore the
machine credential file when running with -n (root ignores machine
credentials).
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
krb5_util tries various different credential names in order to find
the machine credential, not all of them use the full host name of the
current host.
So if getting the full host name fails, don't give up completely,
still try the other options.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recent changes to support python 3 changed the output of nfsiostat from:
read: ops/s kB/s kB/op retrans
avg RTT (ms) avg exe (ms)
48.094 2889.133 60.072 0 (0.0%)
177.160 184.833
...
to:
read:
ops/s kB/s kB/op retrans avg RTT (ms) avg exe
(ms)
0.000
0.000
0.000
0 (0.0%)
0.000
0.000
...
Signed-off-by: Weston Andros Adamson <dros@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The current implementation ignores any preferred realm specified on the
command line. Fix this behaviour and make sure the preferred realm is
used as first realm when trying to acquire a keytab entry
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Signed-off-by: Frederik Moellers <frederik.moellers@upb.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When initialising an array there is no need to specify the size as the
size is taken from the initialiser. Having the size there means that
any change to the initialiser needs to change the size to and so is
error-prone.
So just remove the size.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The man page was generated, but this file is intended as the
source to make modifications. So remove all generated comments
and only leave what's needed and easily maintained manually
without changing the appearance of the man page.
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Luk Claes <luk@debian.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The final version for this fix that was committed inverted the test
so makes no change in the important cases.
The documentation didn't really help a naive user know when the new -D
flag should be used.
And the code (once fixed) avoided DNS resolution on non-qualified names too,
which probably isn't a good idea.
This patch fixes all three issues.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The problem was that is_subdirectory() would also succeed if the two
directories were the same. This is needed for path_matches() which
needs to see if the child is same-or-descendant.
So this patch rearranges path_matches() to do the "are they the same"
test itself and only bother with is_subdirectory() if it they are not
the same.
So now is_subdirectory() can be strict, and so can be usable for
subexport(), which needs a strong 'in subdirectory - not the same' test.
Acked-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
Moves nfs_probe_statd from mount to nfs support lib to share with statd.
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Weston Andros Adamson <dros@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
After inclusion of NFSv4.1 it seems that now you can specify an NFSv4
mount with either "-tnfs4" or "-overs=4". This patch moves "nfsvers/vers"
from "Options for NFS versions 2 and 3 only" to "Options supported by
all versions".
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A NFS client should be able to work properly even if the DNS Reverse
record for the server is not set. This means a DNS lookup should not be
done on server names at are passed to GSSAPI. This patch changes the default
behavior to no longer do those types of lookups
This change default behavior could negatively impact some current
environments, so the -D option is also being added that will re-enable
the DNS reverse looks on server names, which are passed to GSSAPI.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
If we're cross-compiling, we can't do a runtime test of sqlite,
so just assume that the user has a good enough version rather
than falling over.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
