| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up: Get rid of a false positive compiler warning, seen with
-Wextra.
sm-notify.c: In function ¿record_pid¿:
sm-notify.c:690: warning: comparison between signed and unsigned integer
expressions
Document some ignored return codes while we're here.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
To facilitate code sharing between statd and sm-notify (and with other
components of nfs-utils), replace sm-notify's nsm_log() with xlog().
Since opt_quiet is used in only a handful of insignificant cases, it
is removed.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
To facilitate code sharing between statd and sm-notify (and with other
components of nfs-utils), replace sm-notify's nsm_log() with xlog().
Since opt_quiet is used in only a handful of insignificant cases, it
is removed.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
with the explicit permission of Sun Microsystems
Signed-off-by: Tom "spot" Callaway <tcallawa@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, if getaddrinfo(3) fails when trying to resolve a hostname,
sm-notify gives up immediately on that host. If sm-notify is started
before network service is available on a system, that means it quits
without notifying anyone. Or, if DNS service isn't available due to
a network partition or because the DNS server crashed, sm-notify will
simply remove all of its callback files and exit.
Really, sm-notify should try harder. We know that the hostnames
passed in to notify_host() have already been vetted by statd, which
won't monitor a hostname that it can't resolve. So it's likely that
any DNS failure we meet here is a temporary condition. If it isn't,
then sm-notify will stop trying to notify that host in 15 minutes
anyway.
[ The host's file is left in /var/lib/nfs/sm.bak in this case, but
sm.bak is not read again until the next time sm-notify runs. ]
sm-notify already has retry logic for handling RPC timeouts. We can
co-opt that to drive DNS resolution retries.
We also add AI_ADDRCONFIG because on systems whose network startup is
handled by NetworkManager, there appears to be a bug that causes
processes that started calling getaddinfo(3) before the network came
up to continue getting EAI_AGAIN even after the network is fully
operating.
As I understand it, legacy glibc (before AI_ADDRCONFIG was exposed in
headers) sets AI_ADDRCONFIG by default, although I haven't checked
this. In any event, pre-glibc-2.2 systems probably won't run
NetworkManager anyway, so this may not be much of a problem for them.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sm-notify orphans an addrinfo struct in its address list rotation
logic if only a single result was returned from getaddrinfo(3).
For each host, the first time through notify_host(), we want to
send a PMAP_GETPORT request. ->ai is NULL, and retries is set to 100,
forcing a DNS lookup and an address rotation. If only a single
addrinfo struct is returned, the rotation logic causes a NULL to be
planted in ->ai, copied from the ai_next field of the returned result.
This means that the second time through notify_host() (to perform the
actual SM_NOTIFY call) we do a second DNS lookup, since ->ai is NULL.
The result of the first lookup has been orphaned, and extra network
traffic is generated.
This scenario is actually fairly common. Since we pass
.ai_protocol = IPPROTO_UDP,
to getaddrinfo(3), for most hosts, which have a single forward and
reverse pointer in the DNS database, we get back a single addrinfo
struct as a result.
To address this problem, only perform the address list rotation if
there is more than one element on the list returned by getaddrinfo(3).
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
| |
flag has been set. This cause warnings to be generated when
return values from reads/writes (and other calls) are not
checked. The patch address those warnings.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TI-RPC's version of the svc_getcaller() macro points to a sockaddr_in6,
not a sockaddr_in, though for AF_INET callers, an AF_INET address
resides there. To squelch compiler warnings when the TI-RPC version of
the svc_req structure is used, add inline helpers with appropriate
type casting.
Note that tcp_wrappers support only AF_INET addresses for now.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Statd is not unlinking host files during SM_UNMON and
SM_UNMON_ALL calls because the given host is still on the run-time
notify list (rtnl) and the check flag is set when xunlink() is
called. But the next thing the caller of xunlink() does is
remove the host from the rtnl list which means the
unlink will never happen.
So this patch removes the check flag from xunlink() since
its not needed and correctly allocates and frees memory
used by xunlink().
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The recv_reply() function was referencing host->ai in a freeaddrinfo(3)
call after it had freed @host.
This is not likely to be harmful in a single-threaded user context,
but it's still bad form, and it will get called out if testing
sm-notify with poisoned free memory. The less noise, the better we
are able to see real problems.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
| |
Added curly brackets around the record_pid() check which
stop sm-notify from exiting when a pid file does not
exist.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
user mounts an NFS filesystem.
The first time an NFS filesystem is mounted, we start statd from
/sbin/mount.nfs. If this first time is a non-root user doing the
mount, (thanks to e.g. the 'users' option in /etc/fstab)
then we need to be sure that the 'setuid' status from mount.nfs
is inherited through to rpc.statd so that it runs as root.
There are two places where we loose our setuid status due to the shell
(/bin/sh) discarding.
1/ mount.nfs uses "system" to run /usr/sbin/start-statd. This runs a
shell which is likely to drop privileges. So change that code to use
'fork' and 'execl' explicitly.
2/ start-statd is a shell script. To convince the shell to allow the
program to run in privileged mode, we need to add a "-p" flag.
We could just call setuid(getuid()) at some appropriate time, and it
might be worth doing that as well, however I think that getting
rid of 'system()' is a good idea and once that is done, the
adding of '-p' is trivial and sufficient.
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
| |
there are no hosts to notify. This also decreases
start up time by a few seconds.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Linux kernel's lockd requires that rpc.statd perform notification
callbacks from a privileged source port. To guarantee rpc.statd gets a
privileged source port but runs unprivileged, it calls
statd_get_socket() then drops root privileges before starting it's svc
request processing loop.
Statd's svc request loop is the only caller of the process_foo()
functions in utils/statd/rmtcall.c, but one of them,
process_notify_list() attempts to invoke statd_get_socket() again.
In today's code, this is unneeded because statd_get_socket() is always
invoked before my_svc_run(). However, if it ever succeeded, it would
get an unprivileged source port anyway, causing the kernel to reject
all subsequent requests from statd.
Thus the process_notify_list() function should not ever call
statd_get_socket() because root privileges have been dropped by this
point, and statd_get_socket() wouldn't get a privileged source port,
causing the kernel to reject all subsequent SM_NOTIFY requests.
So all of the process_foo functions in utils/statd/rmtcall.c should use
the global sockfd instead of a local copy, as it already has a
privileged source port.
I've seen some unexplained behavior where statd starts making calls to
the kernel via an unprivileged port. This could be one way that might
occur.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up: The named function in many of the debugging messages in
utils/statd/rmtcall.c is out of date. To prevent this from happening
in the future, replace these with __func__.
Also, note() and dprintf() do not require a terminating '\n' in their
format string. So make all invocations consistent.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Static code checkers flag this kind of thing because it's easy to
confuse with "if (!(foo == rtnl))". In one of these cases, the
combination of evaluation and assignment isn't even necessary.
While we are in the neighborhood, remove an extra argument to note() that is
not called for in the passed-in format string.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up.
The sm-notify command is built from a single source file.
Some of its internal functions are appropriately defined as static.
However, some are declared static, but defined as global. Some are
declared and defined as global. None of them are used outside of
utils/statd/sm-notify.c.
Make all the internal functions in utils/statd/sm-notify.cstatic.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Clean up: replace "typedef struct sockaddr_storage nsm_address" with
standard socket address types. This makes sm-notify.c consistent with other
parts of nfs-utils, and with typical network application coding conventions.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up a few issues with logging in sm-notify.c.
Sometimes in sm-notify, when a system call fails the problem is reported
to stderr but not logged, and then usually sm-notify exits. In cases like
this, there are probably more hosts to notify, but sm-notify dies silently.
Make sure these errors are logged, and that the log messages explain the
nature of the problem.
Also, if sm-notify exits prematurely, make sure this is always reported at
the LOG_ERR level, not at the LOG_WARNING level.
Remove a couple of unnecessary '\n' in the arguments of nsm_log() calls --
nsm_log() already appends an '\n' to the message.
Finally, use exit() consistently in main().
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Make sure the results of getaddrinfo(3) are properly freed in notify().
Note this is a one-time addrinfo allocation that would be automatically
freed when sm-notify exits anyway, so this is more of a nit than a real
bug fix.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
| |
Clean up: Include config.h as other source files do; instead of using
"config.h" use the HAVE_CONFIG_H macro and include <config.h>.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up: Remove RESTRICTED_STATD to help make IPv6 changes simpler.
We keep the code behind RESTRICTED_STATD, and toss anything that is
compiled out when it is set.
RESTRICTED_STATD was added almost 10 years ago in response to CERT
CERT CA-99.05, which addresses exposures in rpc.statd that might allow
an attacker to take advantage of buffer overflows in rpc.statd while it
is running in privileged mode.
These days, I can't think of a reason why anyone would want to run
rpc.statd without setting RESTRICTED_STATD. In addition, I don't
think rpc.statd is ever tested without it.
Removing RESTRICTED_STATD will get rid of some address storage and
comparison issues that will make IPv6 support simpler. Plus it will
make our test matrix smaller!
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Acked-by: Neil Brown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Refactor common logic to check if SM_FOO request is from loopback
address.
We'll have to do something about this for IPv6. On IPv6-capable
systems, there will be only one AF_INET6 listener. The loopback caller
will get either an IPv6 loopback address, or a mapped IPv4 loopback --
either way this will be an AF_INET6 address.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Acked-by: Neil Brown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If an NFS server has no network connectivity when it reboots,
it will block in sm-notify waiting for DNS lookup for a potentially
large number of hosts. This is not helpful and just annoys the
sysadmin.
So do the DNS lookup in the backgrounded phase of sm-notify,
before sending off the NOTIFY requests.
Acked-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Update gitignore to ignore some generated files.
Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
| |
Also free dns_name when freeing an 'nlist', so do the unlink before the free.
|
|
|
|
|
| |
statd now passes the 'my_name' from the SM_MON call faithfully to the
ha-callout and records it in the sm/ files.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ports < 1024 are a scarce resource and should not be used
carelessly. Technically they should be not used at all without
registration with IANA, but sometimes we need them despite that.
So: for the socket that RPC services listen on, don't use a <1024 port
by default. There is no need.
For sockets that we send messages on, that are long-lived, and that might
need to appear 'privileged', avoid using a number that is registered in
/etc/services if possible.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both SM_STAT and SM_MON can return the state of an NSM, but it is
unclear which NSM they return the state of, so the value cannot be
used, and lockd doesn't use it.
Document this confusion, and give the current state to the kernel
via a sysctl if that sysctl is available (since about 2.6.19).
This should make is possible for the NFS server to detect a small
class of bad SM_NOTIFY packets and not flush locks in that case.
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
| |
This script is used by mount.nfs to run statd if needed.
It can be locally modified to change arguements if required.
|
|
|
|
|
|
|
| |
When sending an SM_NOTIFY to multi-homed host, try all the addresses
in rotation. After 4 failures on one address, try the next.
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When lockd asks to monitor a host, we find the FQDN from the DNS
and remember that, both internally and in the /var/lib/nfs/sm/*
file.
When we receive an SM_NOTIFY request, we compare both the
mon_name and the source IP address against that DNS name to find
a match.
If a DNS name is not available, we fall back to the name provided by
lockd, which at least is known to map to an IP address via
gethostbyname.
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
|
|
| |
From the point of view of the client (lockd), the 'priv' blob is probably
the most important key, so make sure to not throw away requests with
new 'priv' information.
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
| |
The if contains a while with essentially the same condition.
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The for loop that restarts on SIGUSR or simu_reboot currently includes
several once-only things, that are probably best taken out of the loop.
We also take the unregister/register out of the loop as if statd does
drop privileges, then the second register won't use a privileged port
properly.
On the whole, cleaner code.
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
| |
Make sure that sm-notify really runs only once per reboot.
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If statd dies and is restarted, it forgets what peers the kernel
is interested in monitoring, and so will not forward NOTIFY
requests properly.
With this patch the required information is recorded in the files
in /var/lib/nfs/sm/* so that a kill/restart does what you might
hope.
Signed-off-by: Neil Brown <neilb@suse.de>
|
|
|
|
|
|
|
| |
We need to call statd_get_socket before dropping privileges so that we
have a privileged port. We use to do that when initialising
notification as the same socket was used for reboot notication as for
callbacks to the kernel. Now it is a different socket..
|
| |
|
|
|
|
|
|
| |
The option for set-source-address is '-v', not '-N'.
And only warn about -N if -N was actually used.
|
|
|
|
|
|
| |
try_to_resolve is used to resolve a hostname when sending a notification.
But we now only send notifications to localhost, so name resolution is not
needed.
|
| |
|
|
|
|
|
|
|
| |
Ultimately it makes sense to remove remove rpcgen from the nfs-utils
release as it is already in the glibc release. With this patch
you can use the system rpcgen to make sure it works.
It is not default yet, but it might be in a future release.
|
|
|
|
|
| |
Registering sockets with portmap might require root privs,
so don't drop privs until that has been done.
|
|
|
|
|
| |
With -L (for Listen-only) or --no-notify, statd will not run
sm-notify.
|
|
|
|
|
| |
statd now execs sm-notify to notify peers and only listens to
monitor requests and remote notifications itself.
|
|
|
|
|
| |
Add sm-notify to the compile/install scripts,
(and fix a compile warning).
|