Hello community,
here is the log from the commit of package nfs-utils.2847 for openSUSE:12.3:Update checked in at 2014-06-03 11:39:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/nfs-utils.2847 (Old)
and /work/SRC/openSUSE:12.3:Update/.nfs-utils.2847.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nfs-utils.2847"
Changes:
--------
New Changes file:
--- /dev/null 2014-05-19 01:51:27.372033255 +0200
+++ /work/SRC/openSUSE:12.3:Update/.nfs-utils.2847.new/nfs-utils.changes 2014-06-03 11:39:04.000000000 +0200
@@ -0,0 +1,1368 @@
+-------------------------------------------------------------------
+Tue May 6 00:15:04 UTC 2014 - nfbrown@suse.com
+
+- udp-fallback-fix.patch: Fix fallback from tcp to udp
+ (bnc#863749)
+
+-------------------------------------------------------------------
+Sun Nov 17 23:25:34 UTC 2013 - nfbrown@suse.com
+
+- gssd-mount-hang-fix: An nfs mount will hang
+ indefinitely if mounted by IP address and there
+ is no reverse mapping available. This is
+ caused by a bug in gssd.
+ (bnc#833543)
+- mountd-fix-bug-affecting-exports-of-dirs-with-64bit-.patch
+ allow NFS export to work for XFS filesystems with INODE64
+ (bnc#841971)
+
+-------------------------------------------------------------------
+Wed Aug 14 01:55:11 UTC 2013 - nfbrown@suse.com
+
+- Include also nfsv2,nfsv3,nfsv4.ko in initrd (bnc#815738)
+- Include also mount.nfs4
+
+
+-------------------------------------------------------------------
+Mon Jun 17 00:14:45 UTC 2013 - nfbrown@suse.com
+
+- nfsserver.init. Guard against blank lines in
+ /run/nfs/bind.mounts causing all filesystems
+ from being unmounted (bnc#825150)
+
+-------------------------------------------------------------------
+Mon Jun 3 01:35:48 UTC 2013 - nfbrown@suse.com
+
+- gssd-reverse-dns-fix: Allow DNS lookups to be
+ avoided when determining kerberos identity of
+ server. The GSSD_OPTIONS sysconfig
+ variable is added so that use of DNS can
+ be enforced for sites that need it.
+ (bnc#813464 CVE-2013-1923)
+
+- gssd-n.fix: linux-3.7 changed behaviour of gssd
+ lookups so that "gssd -n" isn't sufficient to stop
+ the use of "machine credentials". This patch
+ add "-N" which stops the new use as well.
+ Also add GSSD_OPTIONS to sysconfig so these flags
+ can be set more easily. (bnc#817651)
+
+- mountd-fix-exporting-of-with-sec-setting.patch
+ Fix bug when exporting root filesystem with
+ gss security. (bnc#809226)
+
+-------------------------------------------------------------------
+Mon Apr 29 06:56:39 UTC 2013 - nfbrown@suse.com
+
+- mountd-fix-error-check.patch: check for errors
+ with exporting filesystems correctly (bnc#809226)
+
+-------------------------------------------------------------------
+Mon Apr 29 06:39:02 UTC 2013 - nfbrown@suse.com
+
+- nfsserver.init: make sure warning about bind=
+ being deprecated goes to terminal and not into
+ /run/nfs/bind.mounts (bnc#809226)
+
+-------------------------------------------------------------------
+Wed Nov 28 00:08:55 UTC 2012 - nfbrown@suse.com
+
+- New upstream release 1.2.7. Adds FedFD support
+ to mounted and replaces nfsdcld with
+ nfsdcltrack. This is used to manage client state
+ on NFSv4 servers.
+ Incorporates more local patches.
+
+- Replace "/var/run" with "/run" in various scripts.
+
+- nfsserver.init: Generate message that "bind=" is deprecated
+ if it is used.
+
+-------------------------------------------------------------------
+Wed Oct 17 23:55:27 UTC 2012 - nfbrown@suse.com
+
+- Add dependency on "netcfg" to ensure /etc/services
+ is present (bnc#779851)
+
+-------------------------------------------------------------------
+Thu Sep 27 02:10:53 UTC 2012 - nfbrown@suse.com
+
+- nfs4-no-umount: does send MOUNT_UMNT rpcs
+ when unmounting an 'nfs4' filesystem. They
+ are only required for nfs2,3. (bnc#772534)
+
+-------------------------------------------------------------------
+Thu Jul 19 06:26:10 UTC 2012 - nfbrown@suse.com
+
+- mount-exit-code.fix: Correct exit code from
+ unmount when fs is busy - allows autofs to work
+ correctly. (bnc#770962)
+
+-------------------------------------------------------------------
+Thu May 17 07:04:58 UTC 2012 - nfbrown@suse.com
+
+- nfs upstream version 1.2.5. Lots of bug fixes
+ and improved support for pNFS.
+ Adds nfsdcld daemon on osd_login script.
+ Removed some very out-of-date documentation.
+
+-------------------------------------------------------------------
+Wed May 2 01:42:23 UTC 2012 - nfbrown@suse.com
+
+- nfsserver.init: remove VERSION_LIST. This is
+ unnecessary duplication of VERSION_PARAMS
+
+-------------------------------------------------------------------
+Wed May 2 01:34:51 UTC 2012 - nfbrown@suse.com
+
+- nfsserver.init: Don't depend on "mount" preserving
+ unknown options - it doesn't any more. This can
+ confuse nfsd_unbind_mounts (bnc#754805)
+
+-------------------------------------------------------------------
+Sun Nov 20 06:47:14 UTC 2011 - coolo@suse.com
+
+- add libtool as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Sun Nov 6 11:43:39 UTC 2011 - puzel@suse.com
+
+- do not strip the binaries
+
+-------------------------------------------------------------------
+Wed Oct 12 05:18:17 UTC 2011 - nfbrown@suse.com
+
+- nfs.init: handle case where kernel adds trailing
+ slash to name in /proc/mounts.
+ (bnc#722431 bnc#720376)
+
+-------------------------------------------------------------------
+Sat Oct 1 15:24:33 UTC 2011 - crrodriguez@opensuse.org
+
+- Fix build in arm, portability bug, applications MUST
+ use sysconf(_SC_PAGESIZE) instead of constant PAGE_SIZE
+
+-------------------------------------------------------------------
+Sun Sep 25 08:28:53 UTC 2011 - nfbrown@suse.com
+
+- New upstream version 1.2.5 - This adds a new binary
+ blkmapd with man page, This is part of PNFS support.
+
+-------------------------------------------------------------------
+Thu Aug 18 07:48:27 UTC 2011 - nfbrown@novell.com
+
+- New upstream version 1.2.4 - plus a few important
+ patches from git. This adds a new binary nfsidmap,
+ with man page. Also: build with libmount enabled
+ to correctly handle /etc/mtab being linked to
+ /proc/self/mounts. (bnc#681106)
+
+-------------------------------------------------------------------
+Thu Jun 23 05:41:25 UTC 2011 - nfbrown@novell.com
+
+- nfs.init,nfsserver.init,sysconfig.nfs - Add support
+ for configuring NFS for a fail-over configuration
+ with shared state. (bnc#689622)
+- rpc.mountd-segfault-fix; fix possible segfault caused
+ by "showmount -e" usage. (bnc#693189)
+- do-not-error-when-address-family-not-supported -
+ suppress socket error when IPv6 is not loaded
+ (bnc#670449)
+- addmntent.fix - error check writes to /etc/mtab and
+ cope accordingly. (bnc#689799)
+- mount-catch-signals - don't abort on SIGXSFZ or other
+ signals while mtab is locked (bnc#689799)
+- mountd-auth-fix - fix bug that could give away incorrect
+ access to NFS exported filesystems. (bnc#701702)
+
+-------------------------------------------------------------------
+Fri Jun 17 14:12:19 UTC 2011 - aj@suse.de
+
+- Fix URLs.
+
+-------------------------------------------------------------------
+Thu Jun 2 06:48:03 UTC 2011 - nfbrown@novell.com
+
+- nfsserver.init, sysconfig.nfs: add NFSV4LEASETIME
+ parameter to allow lease time to be set.
+ bnc#681510
+
+-------------------------------------------------------------------
+Tue May 31 11:43:41 UTC 2011 - lnussel@suse.de
+
+- use /var/run/nfs instead of /var/lock/subsys
+
+-------------------------------------------------------------------
+Tue May 31 01:41:58 UTC 2011 - nfbrown@novell.com
+
++++ 1171 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.nfs-utils.2847.new/nfs-utils.changes
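Review bot: The nfs4-no-umount entry (Thu Sep 27 2012) says the patch "does send MOUNT_UMNT rpcs when unmounting an 'nfs4' filesystem", but its next sentence says those RPCs are only required for nfs2,3 and the patch is named no-umount, so the entry most likely needs to read "does not send". In the same hunk, the Sep 25 2011 and May 17 2012 entries both announce upstream version 1.2.5, so one of the two version numbers looks wrong. The gssd-reverse-dns-fix entry (CVE-2013-1923) would also be easier to act on if it named the GSSD_OPTIONS value that enforces DNS use and said which behaviour is the default after the update.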
New:
----
README.NFSv4
fw-client
fw-server
gssd-mount-hang-fix
gssd-n.fix
gssd-reverse-dns-fix
idmapd.conf
mkinitrd-boot.sh
mkinitrd-setup.sh
mountd-fix-bug-affecting-exports-of-dirs-with-64bit-.patch
mountd-fix-error-check.patch
mountd-fix-exporting-of-with-sec-setting.patch
nfs-kernel-server.xml
nfs-utils-1.0.7-bind-syntax.patch
nfs-utils-1.2.7.tar.bz2
nfs-utils.changes
nfs-utils.rpmlintrc
nfs-utils.spec
nfs.doc.tar.bz2
nfs.init
nfsserver.init
start-statd
sysconfig.nfs
udp-fallback-fix.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ nfs-utils.spec ++++++
#
# spec file for package nfs-utils
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: nfs-utils
BuildRequires: device-mapper-devel
BuildRequires: e2fsprogs-devel
BuildRequires: gcc-c++
BuildRequires: krb5-devel
BuildRequires: libevent-devel
BuildRequires: libgssglue-devel >= 0.3
BuildRequires: libmount-devel
BuildRequires: librpcsecgss
BuildRequires: libtirpc-devel
BuildRequires: libtool
BuildRequires: nfsidmap-devel >= 0.24
BuildRequires: pkgconfig
BuildRequires: sqlite3-devel
BuildRequires: tcpd-devel
Url: http://kernel.org/pub/linux/utils/nfs-utils/
Summary: Support Utilities for Kernel nfsd
License: GPL-2.0+
Group: Productivity/Networking/NFS
Version: 1.2.7
Release: 0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: %fillup_prereq %insserv_prereq
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Source0: http://kernel.org/pub/linux/utils/nfs-utils/%{version}/nfs-utils-%{version}.tar.bz2
# Download does not work:
# Source1: ftp://nfs.sourceforge.net/pub/nfs/nfs.doc.tar.bz2
Source1: nfs.doc.tar.bz2
Source2: nfs.init
Source3: nfsserver.init
Source4: sysconfig.nfs
Source5: nfs-kernel-server.xml
Source6: README.NFSv4
Source7: fw-client
Source8: fw-server
Source9: mkinitrd-setup.sh
Source10: mkinitrd-boot.sh
Source11: idmapd.conf
Source12: start-statd
Source13: nfs-utils.rpmlintrc
Patch0: nfs-utils-1.0.7-bind-syntax.patch
#PATCH-FIX-UPSTREAM bnc#809226 neilb@suse.de -- mountd: fix checking for errors when exporting filesystems.
Patch1: mountd-fix-error-check.patch
#PATCH-FIX-UPSTREAM bnc#813464 neilb@suse.de - Allow DNS lookup to be avoid in security sensitive situation
Patch2: gssd-reverse-dns-fix
#PATCH-FIX-UPSTREAM bnc#817651 neilb@suse.de - Add -N option to gssd to supplement -n
Patch3: gssd-n.fix
#PATCH-FIX-UPSTREAM bnc#809226 neilb@suse.de - Fix bug when exporting root filesystem with gss security
Patch4: mountd-fix-exporting-of-with-sec-setting.patch
#PATCH-FIX-UPSTREAM bnc#833543 neilb@suse.de - gssd-mount-hang-fix
Patch5: gssd-mount-hang-fix
#PATCH-FIX-UPSTREAM bnc#841971 neilb@suse.de - mountd-fix-bug-affecting-exports-of-dirs-with-64bit-.patch
Patch6: mountd-fix-bug-affecting-exports-of-dirs-with-64bit-.patch
#PATCH-FIX-UPSTREAM udp-fallback.fix bnc#863749 nfbrown@suse.de
Patch7: udp-fallback-fix.patch
Suggests: python-base
%description
This package contains the NFS utilities. You can tune the number of
server threads via the sysconfig variable USE_KERNEL_NFSD_NUMBER. For
quota over NFS support, install the quota package.
Authors:
--------
Olaf Kirch
H.J. Lu
%package -n nfs-client
Summary: Support Utilities for NFS
Group: Productivity/Networking/NFS
Obsoletes: nfs-utils < 1.1.0
Requires: netcfg
Requires: rpcbind
PreReq: %fillup_prereq %insserv_prereq
PreReq: permissions sysvinit(portmap) sysvinit(network)
Provides: aaa_base:/etc/init.d/nfs
%description -n nfs-client
This package contains common NFS utilities which are needed for client
and kernel based server.
Authors:
--------
Olaf Kirch
H.J. Lu
%package -n nfs-kernel-server
Summary: Support Utilities for Kernel nfsd
Group: Productivity/Networking/NFS
Provides: nfs-utils = %{version}
Obsoletes: nfs-utils < 1.1.0
Conflicts: nfs-server
Requires: netcfg
Requires: nfs-client = %{version}
Requires: rpcbind
PreReq: %fillup_prereq %insserv_prereq
%description -n nfs-kernel-server
This package contains support for the kernel based NFS server. You can
tune the number of server threads via the sysconfig variable
USE_KERNEL_NFSD_NUMBER. For quota over NFS support, install the quota
package.
Authors:
--------
Olaf Kirch
H.J. Lu
%package -n nfs-doc
Summary: Support Utilities for NFS
Group: Productivity/Networking/NFS
Obsoletes: nfs-utils < 1.1.0
Requires: latex2html-pngicons
%description -n nfs-doc
This package contains additional NFS documentation.
Authors:
--------
Olaf Kirch
H.J. Lu
%prep
%setup -q -n nfs-utils-%{version} -a 1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
cp %{S:6} .
%build
rm -f configure; autoreconf -fi
CFLAGS="$RPM_OPT_FLAGS -fPIE -fno-strict-aliasing" LDFLAGS="-pie" ./configure \
--mandir=%{_mandir} \
--disable-rquotad \
--enable-nfsv4 \
--enable-gss \
--enable-ipv6 \
--enable-nfsdcltrack \
--enable-mount \
--enable-libmount-mount \
--enable-mountconfig \
--with-krb5=/usr/lib/mit
make
cd nfs
for i in *.html ; do
sed -i \
-e "s@/usr/lib/latex2html/icons.png/next_motif.png@/usr/share/latex2html/icons/next.png@" \
-e "s@/usr/lib/latex2html/icons.png/up_motif_gr.png@/usr/share/latex2html/icons/up.png@" \
-e "s@/usr/lib/latex2html/icons.png/previous_motif_gr.png@/usr/share/latex2html/icons/prev.png@" \
$i
done
%install
make install DESTDIR=$RPM_BUILD_ROOT
rm -f linux-nfs/Makefile*
# rc-script
install -d $RPM_BUILD_ROOT/etc/init.d
install -m 744 %{SOURCE3} $RPM_BUILD_ROOT/etc/init.d/nfsserver
install -m 744 %{SOURCE2} $RPM_BUILD_ROOT/etc/init.d/nfs
ln -sf ../../etc/init.d/nfsserver $RPM_BUILD_ROOT/usr/sbin/rcnfsserver
ln -sf ../../etc/init.d/nfs $RPM_BUILD_ROOT/usr/sbin/rcnfs
# sysconfig-data
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/var/adm/fillup-templates
# idmapd setup
install -m 644 %{S:11} $RPM_BUILD_ROOT/etc/idmapd.conf
mkdir -p -m 755 $RPM_BUILD_ROOT/var/lib/nfs/rpc_pipefs
mkdir -p -m 755 $RPM_BUILD_ROOT/var/lib/nfs/v4recovery
mkdir -p -m 755 $RPM_BUILD_ROOT/usr/share/omc/svcinfo.d
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/usr/share/omc/svcinfo.d
# sm-notify state
mkdir -p -m 755 $RPM_BUILD_ROOT/var/lib/nfs/sm
mkdir -p -m 755 $RPM_BUILD_ROOT/var/lib/nfs/sm.bak
touch $RPM_BUILD_ROOT/var/lib/nfs/state
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services
install -m 0644 %{SOURCE7} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/nfs-client
install -m 0644 %{SOURCE8} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server
install -d $RPM_BUILD_ROOT/lib/mkinitrd/scripts
install -m 755 %{S:9} $RPM_BUILD_ROOT/lib/mkinitrd/scripts/setup-nfs.sh
install -m 755 %{S:10} $RPM_BUILD_ROOT/lib/mkinitrd/scripts/boot-nfs.sh
install -m 755 %{S:12} $RPM_BUILD_ROOT/usr/sbin/start-statd
install -m 644 utils/mount/nfsmount.conf $RPM_BUILD_ROOT/etc/nfsmount.conf
#
# hack to avoid automatic python dependency
chmod 644 $RPM_BUILD_ROOT%{_sbindir}/{mountstats,nfsiostat}
%clean
rm -rf $RPM_BUILD_ROOT
%pre -n nfs-client
useradd -r -c 'NFS statd daemon' \
-s /sbin/nologin -d /var/lib/nfs -g nogroup statd &> /dev/null || :
%post -n nfs-client
chown statd:nogroup /var/lib/nfs
chown -R statd /var/lib/nfs/{state,sm,sm.bak} >& /dev/null || :
### migrate from /var/lock/subsys
[ -d /run/nfs ] || mkdir /run/nfs
if [ -f /var/lock/subsys/nfs-rpc.idmapd ]; then
mv /var/lock/subsys/nfs-rpc.idmapd /run/nfs
fi
if [ -f /var/lock/subsys/nfsserver-rpc.idmapd ]; then
mv /var/lock/subsys/nfsserver-rpc.idmapd /run/nfs
fi
###
[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup
%{fillup_and_insserv -n nfs nfs}
#
%set_permissions /sbin/mount.nfs
%preun -n nfs-client
%stop_on_removal nfs
%postun -n nfs-client
%restart_on_update nfs
[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup
%insserv_cleanup
%verifyscript -n nfs-client
%verify_permissions -e /sbin/mount.nfs
%preun -n nfs-kernel-server
%stop_on_removal nfsserver
%post -n nfs-kernel-server
### migrate from /var/lock/subsys
[ -d /run/nfs ] || mkdir /run/nfs
if [ -f /var/lock/subsys/nfs-rpc.idmapd ]; then
mv /var/lock/subsys/nfs-rpc.idmapd /run/nfs
fi
if [ -f /var/lock/subsys/nfsserver-rpc.idmapd ]; then
mv /var/lock/subsys/nfsserver-rpc.idmapd /run/nfs
fi
###
%{fillup_and_insserv nfsserver}
%postun -n nfs-kernel-server
%restart_on_update nfsserver
%insserv_cleanup
%files -n nfs-client
%defattr(-,root,root)
%config /etc/init.d/nfs
%config /etc/idmapd.conf
%config /etc/nfsmount.conf
%dir /lib/mkinitrd
%dir /lib/mkinitrd/scripts
/lib/mkinitrd/scripts/setup-nfs.sh
/lib/mkinitrd/scripts/boot-nfs.sh
%verify(not mode) %attr(0755,root,root) /sbin/mount.nfs
/sbin/mount.nfs4
/sbin/umount.nfs
/sbin/umount.nfs4
/sbin/osd_login
/usr/sbin/gss_clnt_send_err
/usr/sbin/gss_destroy_creds
%attr(0755,root,root) /usr/sbin/mountstats
%attr(0755,root,root) /usr/sbin/nfsiostat
/usr/sbin/nfsidmap
/usr/sbin/nfsstat
/usr/sbin/rcnfs
/usr/sbin/rpc.gssd
/usr/sbin/rpc.idmapd
/usr/sbin/rpc.statd
/usr/sbin/rpcdebug
/usr/sbin/showmount
/usr/sbin/sm-notify
/usr/sbin/start-statd
/usr/sbin/blkmapd
%{_mandir}/man5/nfsmount.conf.5.gz
%{_mandir}/man5/nfs.5.gz
%{_mandir}/man8/mount.nfs.8.gz
%{_mandir}/man8/nfsidmap.8.gz
%{_mandir}/man8/nfsstat.8.gz
%{_mandir}/man8/rpc.sm-notify.8.gz
%{_mandir}/man8/showmount.8.gz
%{_mandir}/man8/sm-notify.8.gz
%{_mandir}/man8/umount.nfs.8.gz
%{_mandir}/man8/rpc.gssd.8.gz
%{_mandir}/man8/rpc.idmapd.8.gz
%{_mandir}/man8/gssd.8.gz
%{_mandir}/man8/idmapd.8.gz
%{_mandir}/man8/svcgssd.8.gz
%{_mandir}/man8/rpc.statd.8.gz
%{_mandir}/man8/rpcdebug.8.gz
%{_mandir}/man8/statd.8.gz
%{_mandir}/man8/mountstats.8.gz
%{_mandir}/man8/nfsiostat.8.gz
%{_mandir}/man8/blkmapd.8.gz
/var/adm/fillup-templates/sysconfig.nfs
%attr(0711,statd,nogroup) %dir /var/lib/nfs
%dir /var/lib/nfs/rpc_pipefs
%dir /var/lib/nfs/v4recovery
%attr(0700,statd,nogroup) %dir /var/lib/nfs/sm
%attr(0700,statd,nogroup) %dir /var/lib/nfs/sm.bak
%attr(0700,statd,nogroup) %ghost /var/lib/nfs/state
%config %attr(0644,root,root) /etc/sysconfig/SuSEfirewall2.d/services/nfs-client
%files -n nfs-kernel-server
%defattr(-,root,root)
%config /etc/init.d/nfsserver
/usr/sbin/exportfs
/usr/sbin/rcnfsserver
/usr/sbin/rpc.mountd
/usr/sbin/rpc.nfsd
/usr/sbin/rpc.svcgssd
/usr/sbin/nfsdcltrack
%{_mandir}/man5/exports.5.gz
%{_mandir}/man7/nfsd.7.gz
%{_mandir}/man8/exportfs.8.gz
%{_mandir}/man8/mountd.8.gz
%{_mandir}/man8/nfsd.8.gz
%{_mandir}/man8/rpc.mountd.8.gz
%{_mandir}/man8/rpc.nfsd.8.gz
%{_mandir}/man8/rpc.svcgssd.8.gz
%{_mandir}/man8/nfsdcltrack.8.gz
/usr/share/omc/svcinfo.d/nfs-kernel-server.xml
%config(noreplace) /var/lib/nfs/xtab
%config(noreplace) /var/lib/nfs/etab
%config(noreplace) /var/lib/nfs/rmtab
%config %attr(0644,root,root) /etc/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server
%files -n nfs-doc
%defattr(-,root,root)
%doc nfs/*.html nfs/*.ps README.NFSv4
%changelog
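Review bot: In %post -n nfs-client, "chown -R statd /var/lib/nfs/{state,sm,sm.bak}" runs as root on every install and update inside a tree that %files assigns to the unprivileged statd account (0711 and 0700, statd:nogroup), so the service account controls what the recursion walks. Consider relying on the %attr ownership already declared in %files, or limiting the chown to the three top-level paths without -R. Separately, BuildRoot is declared twice (before and after the first PreReq line) and one of the two can be dropped.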
++++++ README.NFSv4 ++++++
NFSv4 README
Last updated: 17 May 2012
0. Contents:
-----------
1. Overview.
\___ 1.1 Purpose of this document
2. Quick start
3. Idmapd Configuration on both NFS server and client
4. Setting up NFSv4 server and client
\___ 4.1 Configuring Server
| \___ 4.1.1 /etc/exports
| \___ 4.1.2 Coexisting NFSv4 and NFSv3
| \___ 4.1.3 /etc/sysconfig/nfs
\___ 4.2 Starting services on server and client
\___ 4.3 Mounting the remote exported directories from client
5.Setting up kerberized NFSv4 server and client
\___ 5.1 Prerequisites
\___ 5.2 Configuring kerberized NFS server and client
| \___ 5.2.1 Configuring kerberos
| \___ 5.2.2 Create machine credentials
| \___ 5.2.3 Configure /etc/gssapi_mech.conf
| \___ 5.2.4 /etc/exports entries for kerberised server.
\___ 5.3 Starting services on server and client
\___ 5.4 Mounting the remote exported directories
\___ 5.5 A known issue using NFSv4 with kerberos
6.Troubleshooting
\___ 6.1 Checklist to ensure NFSv4 is up and running
\___ 6.2 Checklist to ensure NFSv4 Kerberos is working properly
1. Overview:
------------
The Network File System Version 4 (NFSv4) is a distributed file system
similar to previous versions of NFS in its straightforward design, and
independence of transport protocols and operating systems for file access in a
heterogeneous network. Unlike earlier versions of NFS, the new protocol
integrates file locking, strong security, Compound RPCs (combining relevant
operations), and delegation capabilities to enhance client performance for
narrow data sharing applications on high-bandwidth networks. NFSv4
implementations are backward compatible with NFSv2 and NFSv3.
Note: NFSv4 ACLs and krb5p (Kerberos Privacy) are currently not supported
1.1 The Purpose of this document
________________________________
This document is intended as a step-by-step guide to setup NFSv4 on
openSUSE 12.
It discusses NFSv4 server and client configuration.
2. Quickstart
-------------
For NFSv4 server:
1) /etc/exports does not require any special entries to work with
NFSv4. Earlier SUSE releases required 'fsid=0' on precisely one
entry, and 'bind=' annotations on others. This is no longer required
and should be removed. It is still supported, so there is no need
to change /etc/exports when upgrading to openSUSE 12.
2) Edit /etc/idmapd.conf to modify the default "Domain" to contain your
DNS domain name.
3) Execute the following commands to start idmapd and nfsserver
#/etc/init.d/idmapd start
#/etc/init.d/nfsserver start
For NFSv4 client:
1) Edit /etc/idmapd.conf to modify the default "Domain" to contain your
DNS domain name.
2) Execute the following command to start idmapd.
#/etc/init.d/idmapd start
3) Mount the exported file system using the following command:
#mount -t nfs4 <servername>:/ <mntpath>
Observe that only "/" is given instead of the actual exported path
name.
3. Idmapd Configuration on client and server
--------------------------------------------
idmapd.conf - configuration file for idmapd (idmapping daemon), which does
NFSV4<=>name mapping. Here dns domain (Domain) name has to be configured in
both client and server.
Sample Configuration file:
==========================================================================
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = mydomain.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
==========================================================================
4. Setting up NFSv4 server and client
-------------------------------------
4.1 Configuring Server
___________________________
There are three main configuration files you will need to edit to set up an
NFSv4 server:
/etc/sysconfig/nfs and /etc/idmapd.conf.
we will describe the first here as idmapd.conf is done in previous section.
4.1.1 /etc/sysconfig/nfs
=========================
/etc/sysconfig/nfs is another NFS server configuration file. Here the number
of kernel threads, NFSv4 support and GSS security (kerberos) for NFS can be
configured (kerberos set up is explained in Section 5.)
4.2 Starting services on server and client
__________________________________________
We need to start idmapd and nfsserver on the NFSv4 server.
#/etc/init.d/idmapd start
#/etc/init.d/nfsserver start
and start idmapd alone on the client.
If the machines that are being used as client and server are just meant for
that, the daemons can be enabled during bootup as shown below.
Use insserv to do this
#insserv -d idmapd
#insserv -d nfsserver
and idmapd alone on the client.
4.3 Mounting remote exported directories
________________________________________
One main difference between previous versions of NFS and NFSv4 is the way in
which mount is invoked. With regard to the pseudofilesystem concept
sketched above, mount is done as follows:
#mount -t nfs4 <servername>:/ <mntpath>
Observe that only '/' is given after the servername.
5. Setting up kerberized NFSv4 server and client
------------------------------------------------
5.1 Prerequisites
_________________
o Key Distribution Center (KDC) must already be set up on the network.
o krb5-1.4.x must be installed on both NFS server and NFS client.
o krb5-client-1.4.x must be installed on both NFS server and NFS client.
o NFS server, client and the KDC server must have their time synchronized.
o NFS_SECURITY_GSS has to be set to "yes" in /etc/sysconfig/nfs in both
server and client.
5.2 Configuring Kerberized NFSv4 server and client
__________________________________________________
All the following configuration steps except 5.2.4 are for both NFSv4
client and server.
5.2.1 Configure kerberos
========================
Edit krb5.conf.
Sample configuration
==========================================================================
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
MYDOMAIN.COM = {
kdc = kdcserver.mydomain.com
admin_server = adminserver.mydomain.com
default_domain = mydomain.com
}
[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
==========================================================================
Replace MYDOMAIN.COM with your REALM, kdcserver.mydomain.com with your KDC
server, adminserver.mydomain.com with your Admin server & mydomain.com with
your DNS domain name.
5.2.2 Create machine credentials
================================
This means creating a Kerberos V5 principal/instance name of the form
nfs/<hostname>@REALM, and either adding a key for this principal to
an existing /etc/krb5.keytab or creating an /etc/krb5.keytab.
Note: only the encryption type of des-cbc-crc is functional so far in the
kernel, so add only this type of key.
kadmin: addprinc -e des-cbc-crc:normal nfs/<hostname>@REALM
kadmin: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/<hostname>@REALM
5.2.3 Configure /etc/gssapi_mech.conf
=====================================
This configuration file determines which GSS-API mechanisms the gssd code
should use. Usually no need to modify this file in 32 bit machines because
the libraries are installed in /usr/lib.
Note:
In case of 64 bit machines this has to be modified to /usr/lib64. This is
a workaround and will be fixed later.
Sample configuration
==========================================================================
# GSSAPI Mechanism Definitions
#
# This configuration file determines which GSS-API mechanisms
# the gssd code should use
#
# NOTE:
# The initialization function "mechglue_internal_krb5_init"
# is used for the MIT krb5 gssapi mechanism. This special
# function name indicates that an internal function should
# be used to determine the entry points for the MIT gssapi
# mechanism functions.
#
# library initialization function
# ================================ ==========================
# The MIT K5 gssapi library, use special function for initialization.
/usr/lib/libgssapi_krb5.so mechglue_internal_krb5_init
#
# The SPKM3 gssapi library function. Use the function spkm3_gss_initialize.
# /usr/local/gss_mechs/spkm/spkm3/libgssapi_spkm3.so spkm3_gss_initialize
==========================================================================
5.2.4 /etc/exports entries for a kerberized server
==================================================
Typical entries for kerberos security mode looks like these:
/export gss/krb5(rw,insecure,no_subtree_check,sync,no_root_squash)
/export gss/krb5i(rw,insecure,no_subtree_check,sync,no_root_squash)
Note:
i) option 'insecure' - The insecure option in this entry also allows clients
with NFS implementations that don't use a reserved port for NFS. So it is
advisable *NOT* to use this option unless you have a kerberised set up or
you know what you are doing.
5.3 Starting the services on server and client
______________________________________________
On NFSv4 server, svcgssd needs to be started too. So,
#/etc/init.d/idmapd start
#/etc/init.d/svcgssd start
#/etc/init.d/nfsserver start
On NFSv4 client, gssd needs to be started too. So,
#/etc/init.d/idmapd start
#/etc/init.d/gssd start
Or
To avoid starting manually, enable service during bootup using insserv as
mentioned in 4.2
5.4 Mounting exported directories with kerberos
_______________________________________________
To mount a filesystem using krb5, provide the "-osec=krb5" option to mount.
#mount -tnfs4 -osec=<secmode> nfsserver:/ /mntpoint
<secmode> can be krb5(Autentication) or krb5i (Integrity).
5.5 A known issue using NFSv4 with kerberos
___________________________________________
Even if "no_root_squash" option is used, while exporting a filesystem at the
server, root on the client gets a "Permission denied" error when creating
files on the mount point.
This is because there is no proper mapping between root and the GSSAuthName.
Note: Trying to set 777 permission is not correct as it is not secure. Also,
any file created on the mountpoint will have "nobody" as owner.
There is a work around for this if both NFS server and client use ldap_umich
methods to authenticate. If the idmapd on both server and client is configured
to use ldap_umich modules then having GSSAuthName ()
parameter map to root user, on the ldap server will solve this problem.
A proper fix for this issue is being worked upon.
6. Troubleshooting
-------------------
6.1 Checklist to ensure NFSV4 is up and running
_______________________________________________
1. ps -ef | grep nfsd
ps -ef | grep idmapd
ps -ef | grep svcgssd
to check server side daemons are up and running.
2. ps -ef | grep idmapd
ps -ef | grep gssd
to check client side daemons are up and running
3. rpcinfo -p
to check all registered RPC programs (nfs, portmapper, mountd) & versions
4. Check firewall is enabled on server/client from YAST.
Yast -> Security and Users -> Firewall.
Make sure NFS service is enabled.
5. showmount -e <server name>
to check mount information on NFS server
6. If users are not mapped properly check whether idmapd is running in both
server & client and dns domain name is properly configured.
7. If you unable to mount, check for the correctness of the exports file entry.
6.2 Check list to ensure kerberos is working properly
_____________________________________________________
There are many reasons this could be failing.
1. Verify that rpc.gssd is running on the client and rpc.svcgssd is running
on the server.
2. Verify that your hostnames are correct. The hostname command should return
a fully-qualified hostname that has a correct DNS reverse-mapping (either
through DNS or the /etc/hosts file).
3. Verify there is a keytab entry for nfs/<hostname>@REALM in your keytab file
(/etc/krb5.keytab).
4. Verify your Kerberos configuration file has the proper mapping from the DNS
hostname to the correct realm. The [domain_realm] section of the
/etc/krb5.conf needs to have a mapping from the DNS domain to the correct
REALM.
For example, if your nfs server's hostname is 'foo.abc.org' and your Kerberos
realm name is 'ALPHABET.ORG', then you need an entry like the following in
/etc/krb5.conf on the nfs client machine:
[domain_realm]
.abc.org = ALPHABET.ORG
5. Verify whether your ticket is not expired or not on the client using klist. If
it is expired renew using kinit. This must be checked when you find
"I/O Error" or "Permission denied" while doing file operations.
++++++ fw-client ++++++
## Description: Firewall Configuration for NFS client.
#
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
#
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
#
## Name: NFS Client
## Description: Opens ports for NFS client to allow connection to an NFS server.
# space separated list of allowed TCP ports
TCP=""
# space separated list of allowed UDP ports
UDP=""
# space separated list of allowed RPC services
RPC="portmap status nlockmgr"
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""
++++++ fw-server ++++++
## Description: Firewall Configuration for NFS kernel server.
#
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
#
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
#
## Name: NFS Server Service
## Description: Opens ports for NFS to allow other hosts to connect.
# space separated list of allowed TCP ports
TCP=""
# space separated list of allowed UDP ports
UDP=""
# space separated list of allowed RPC services
RPC="portmap status nlockmgr mountd nfs nfs_acl"
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""
++++++ gssd-mount-hang-fix ++++++
From: Neil Brown
Date: Thu, 14 Nov 2013 11:50:38 +1100
Subject: [PATCH] gssd: always reply to rpc-pipe requests from kernel.
References: bnc#833543
Sometimes gssd will open a new rpc-pipe but never read requests from it
or reply to them. This causes the kernel to wait forever for a reply.
In particular, if a filesystem is mounted by IP, and the IP has no
hostname recorded in /etc/hosts or DNS, then gssd will not listen to
requests and the mount will hang indefinitely.
The comment in process_clnt_dir() for the "fail_keep_client:" branch
suggests that it is for the case where we couldn't open some
subdirectories. However it is currently also taken if reverse DNS
lookup fails (as well as some other lookup failures). Those failures
should not be treated the same as failure-to-open directories.
So this patch causes a failure from read_service_info() to *not* be
reported by process_clnt_dir_files. This ensures that insert_clnt_poll()
will be called and requests will be handled.
In handle_gssd_upcall, the current error path (taken when the mech is
not "krb5") does not reply to the upcall. This is wrong. A reply is
always appropriate. The only replies which aren't treated as
transient errors are EACCES and EKEYEXPIRED, so we return the former.
If read_service_info() fails then ->servicename will be NULL which will
cause process_krb5_upcall() (quite reasonably) to become confused. So
in that case we don't even try to process the up-call but just reply
with EACCES.
As clp->servicename==NULL is no longer treated as fatal, it is not
appropriate to use it to test if read_service_info() has been already
called on a client. Instead test clp->prog.
Finally, the error path of read_service_info() will close 'fd' if it
isn't -1, so when we close it, we should set fd to -1.
Signed-off-by: NeilBrown
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index b48d1637cd36..00b4bc779b7c 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -256,6 +256,7 @@ read_service_info(char *info_file_name, char **servicename, char **servername,
if ((nbytes = read(fd, buf, INFOBUFLEN)) == -1)
goto fail;
close(fd);
+ fd = -1;
buf[nbytes] = '\0';
numfields = sscanf(buf,"RPC server: %127s\n"
@@ -403,11 +404,10 @@ process_clnt_dir_files(struct clnt_info * clp)
return -1;
snprintf(info_file_name, sizeof(info_file_name), "%s/info",
clp->dirname);
- if ((clp->servicename == NULL) &&
- read_service_info(info_file_name, &clp->servicename,
- &clp->servername, &clp->prog, &clp->vers,
- &clp->protocol, (struct sockaddr *) &clp->addr))
- return -1;
+ if (clp->prog == 0)
+ read_service_info(info_file_name, &clp->servicename,
+ &clp->servername, &clp->prog, &clp->vers,
+ &clp->protocol, (struct sockaddr *) &clp->addr);
return 0;
}
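Review bot: in process_clnt_dir_files() the return value of read_service_info() is now dropped without a trace, so a failed lookup is invisible to anyone debugging a mount that later gets EACCES. Log the failure with printerr() at a debug verbosity before falling through to "return 0". If clp->prog is still 0 after a failure, the call is also repeated every time this function runs; a comment saying the retry is intended would help.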
@@ -1320,11 +1320,14 @@ handle_gssd_upcall(struct clnt_info *clp)
}
}
- if (strcmp(mech, "krb5") == 0)
+ if (strcmp(mech, "krb5") == 0 && clp->servername)
process_krb5_upcall(clp, uid, clp->gssd_fd, target, service);
- else
- printerr(0, "WARNING: handle_gssd_upcall: "
- "received unknown gss mech '%s'\n", mech);
+ else {
+ if (clp->servername)
+ printerr(0, "WARNING: handle_gssd_upcall: "
+ "received unknown gss mech '%s'\n", mech);
+ do_error_downcall(clp->gssd_fd, uid, -EACCES);
+ }
out:
free(lbuf);
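Review bot: the new guard in handle_gssd_upcall() tests clp->servername, while the commit message and the condition removed from process_clnt_dir_files() both refer to clp->servicename; add a comment naming the field that process_krb5_upcall() actually depends on. When mech is "krb5" and servername is NULL, the -EACCES downcall is sent with no message at all, so a printerr() in that branch would make the failed lookup diagnosable.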
++++++ gssd-n.fix ++++++
---
utils/gssd/gssd.c | 9 ++++++---
utils/gssd/gssd.h | 1 +
utils/gssd/gssd.man | 13 ++++++++++++-
utils/gssd/gssd_proc.c | 12 +++++++-----
utils/gssd/krb5_util.c | 6 ++++--
5 files changed, 30 insertions(+), 11 deletions(-)
--- nfs-utils-1.2.7.orig/utils/gssd/gssd.c
+++ nfs-utils-1.2.7/utils/gssd/gssd.c
@@ -61,6 +61,7 @@ char ccachedir[PATH_MAX] = GSSD_DEFAULT_
char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
int use_memcache = 0;
int root_uses_machine_creds = 1;
+int machine_uses_root_creds = 0;
unsigned int context_timeout = 0;
char *preferred_realm = NULL;
@@ -68,8 +69,7 @@ void
sig_die(int signal)
{
/* destroy krb5 machine creds */
- if (root_uses_machine_creds)
- gssd_destroy_krb5_machine_creds();
+ gssd_destroy_krb5_machine_creds();
printerr(1, "exiting on signal %d\n", signal);
exit(0);
}
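Review bot: in sig_die() the root_uses_machine_creds guard around gssd_destroy_krb5_machine_creds() is dropped, but the patch carries no description saying why. Add a sentence to the patch header or a comment here explaining that machine credentials can exist even when -n is set, if that is the reason, so the unconditional call is not later "fixed" back.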
@@ -102,7 +102,7 @@ main(int argc, char *argv[])
char *progname;
memset(ccachesearch, 0, sizeof(ccachesearch));
- while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:R")) != -1) {
+ while ((opt = getopt(argc, argv, "DfvrlmNnMp:k:d:t:R")) != -1) {
switch (opt) {
case 'f':
fg = 1;
@@ -116,6 +116,9 @@ main(int argc, char *argv[])
case 'n':
root_uses_machine_creds = 0;
break;
+ case 'N':
+ machine_uses_root_creds = 1;
+ break;
case 'v':
verbosity++;
break;
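Review bot: the new case 'N' in main() is reachable, but none of the gssd.c hunks in this patch touch the usage() string, so "rpc.gssd -h" style output will not mention -N. Add [-N] to the usage text in the same patch that adds the option.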
--- nfs-utils-1.2.7.orig/utils/gssd/gssd.h
+++ nfs-utils-1.2.7/utils/gssd/gssd.h
@@ -65,6 +65,7 @@ extern char keytabfile[PATH_MAX];
extern char *ccachesearch[];
extern int use_memcache;
extern int root_uses_machine_creds;
+extern int machine_uses_root_creds;
extern unsigned int context_timeout;
extern char *preferred_realm;
--- nfs-utils-1.2.7.orig/utils/gssd/gssd.man
+++ nfs-utils-1.2.7/utils/gssd/gssd.man
@@ -6,7 +6,7 @@
.SH NAME
rpc.gssd \- rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.gssd [-f] [-n] [-D] [-k keytab] [-l] [-p pipefsdir] [-v] [-r] [-d ccachedir]"
+.B "rpc.gssd [-f] [-n] [-N] [-D] [-k keytab] [-l] [-p pipefsdir] [-v] [-r] [-d ccachedir]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
@@ -38,6 +38,17 @@ manually like all other users. Use of t
attempting to mount an nfs filesystem requiring Kerberos
authentication.
.TP
+.B -N
+With NFSv4, some requests to the server need to authenticated
+as coming from "the machine" rather than from any particular user.
+These requests will normally be authenticated using the "machine
+credentials" even if
+.B -n
+is set. Adding
+.B -N
+causes these requests to use the credentials of UID 0 in place of the
+machine credentials.
+.TP
.B -k keytab
Tells
.B rpc.gssd
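Review bot: the first added sentence of the -N entry reads "need to authenticated"; it should be "need to be authenticated". The entry should also say what happens when UID 0 has no usable credentials, since the code in process_krb5_upcall() still has a machine-credential branch and the reader cannot tell from this text whether -N alone disables it.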
--- nfs-utils-1.2.7.orig/utils/gssd/gssd_proc.c
+++ nfs-utils-1.2.7/utils/gssd/gssd_proc.c
@@ -1000,7 +1000,8 @@ process_krb5_upcall(struct clnt_info *cl
/*
* If "service" is specified, then the kernel is indicating that
* we must use machine credentials for this request. (Regardless
- * of the uid value or the setting of root_uses_machine_creds.)
+ * of the uid value or the setting of root_uses_machine_creds,
+ * so setting machine_uses_root_creds can override this)
* If the service value is "*", then any service name can be used.
* Otherwise, it specifies the service name that should be used.
* (For now, the values of service will only be "*" or "nfs".)
@@ -1020,8 +1021,9 @@ process_krb5_upcall(struct clnt_info *cl
*/
printerr(2, "%s: service is '%s'\n", __func__,
service ? service : "<null>");
- if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0 &&
- service == NULL)) {
+ if (uid != 0 ||
+ (!root_uses_machine_creds && !service) ||
+ ( machine_uses_root_creds && service)) {
/* Tell krb5 gss which credentials cache to use */
for (dirname = ccachesearch; *dirname != NULL; dirname++) {
err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname);
@@ -1035,8 +1037,8 @@ process_krb5_upcall(struct clnt_info *cl
}
}
if (create_resp != 0) {
- if (uid == 0 && (root_uses_machine_creds == 1 ||
- service != NULL)) {
+ if ((uid == 0 && root_uses_machine_creds) ||
+ (service != NULL && !machine_uses_root_creds)) {
int nocache = 0;
int success = 0;
do {
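Review bot: the rewritten condition after "if (create_resp != 0)" no longer requires uid == 0 in its second clause. The old test was uid == 0 && (root_uses_machine_creds == 1 || service != NULL); the new one accepts (service != NULL && !machine_uses_root_creds) for any uid, so a non-root upcall that carries a service name can now fall through to machine credentials. If that is not intended, keep uid == 0 in both clauses. Also note that with -N but without -n the first clause (uid == 0 && root_uses_machine_creds) is still true, so machine credentials remain the fallback; the man page text should match whichever behaviour is wanted.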
--- nfs-utils-1.2.7.orig/utils/gssd/krb5_util.c
+++ nfs-utils-1.2.7/utils/gssd/krb5_util.c
@@ -817,7 +817,7 @@ find_keytab_entry(krb5_context context,
retval = get_full_hostname(myhostname, myhostname, sizeof(myhostname));
if (retval)
- goto out;
+ myhostname[0] = 0;
code = krb5_get_default_realm(context, &default_realm);
if (code) {
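Review bot: in find_keytab_entry() the failure of get_full_hostname() is now swallowed by clearing myhostname, but retval keeps its non-zero value from that call. Check that retval is reset before any later path returns it as the function result, and add a printerr() so a host with no resolvable name is visible in the log rather than silently skipping the hostname-based principals.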
@@ -874,6 +874,8 @@ find_keytab_entry(krb5_context context,
myhostad,
NULL);
} else {
+ if (!myhostname[0])
+ continue;
snprintf(spn, sizeof(spn), "%s/%s@%s",
svcnames[j], myhostname, realm);
code = krb5_build_principal_ext(context, &princ,
@@ -1226,7 +1228,7 @@ gssd_refresh_krb5_machine_credential(cha
krb5_keytab kt = NULL;;
int retval = 0;
char *k5err = NULL;
- const char *svcnames[5] = { "$", "root", "nfs", "host", NULL };
+ const char *svcnames[] = { "$", "root", "nfs", "host", NULL };
/*
* If a specific service name was specified, use it.
++++++ gssd-reverse-dns-fix ++++++
---
utils/gssd/gss_util.h | 2 ++
utils/gssd/gssd.c | 7 +++++--
utils/gssd/gssd.man | 25 ++++++++++++++++++++++++-
utils/gssd/gssd_proc.c | 33 +++++++++++++++++++++++++++++----
4 files changed, 60 insertions(+), 7 deletions(-)
--- nfs-utils-1.2.7.orig/utils/gssd/gss_util.h
+++ nfs-utils-1.2.7/utils/gssd/gss_util.h
@@ -42,4 +42,6 @@ void pgsserr(char *msg, u_int32_t maj_st
const gss_OID mech);
int gssd_check_mechs(void);
+extern int avoid_dns;
+
#endif /* _GSS_UTIL_H_ */
--- nfs-utils-1.2.7.orig/utils/gssd/gssd.c
+++ nfs-utils-1.2.7/utils/gssd/gssd.c
@@ -85,7 +85,7 @@ sig_hup(int signal)
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm]\n",
+ fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-D] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm]\n",
progname);
exit(1);
}
@@ -102,7 +102,7 @@ main(int argc, char *argv[])
char *progname;
memset(ccachesearch, 0, sizeof(ccachesearch));
- while ((opt = getopt(argc, argv, "fvrlmnMp:k:d:t:R")) != -1) {
+ while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:R")) != -1) {
switch (opt) {
case 'f':
fg = 1;
@@ -150,6 +150,9 @@ main(int argc, char *argv[])
errx(1, "Setting encryption type not support by Kerberos libraries.");
#endif
break;
+ case 'D':
+ avoid_dns = 0;
+ break;
default:
usage(argv[0]);
break;
--- nfs-utils-1.2.7.orig/utils/gssd/gssd.man
+++ nfs-utils-1.2.7/utils/gssd/gssd.man
@@ -6,7 +6,7 @@
.SH NAME
rpc.gssd \- rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.gssd [-f] [-n] [-k keytab] [-l] [-p pipefsdir] [-v] [-r] [-d ccachedir]"
+.B "rpc.gssd [-f] [-n] [-D] [-k keytab] [-l] [-p pipefsdir] [-v] [-r] [-d ccachedir]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
@@ -119,6 +119,29 @@ Increases the verbosity of the output (c
If the rpcsec_gss library supports setting debug level,
increases the verbosity of the output (can be specified multiple times).
.TP
+.B \-D
+The server name passed to GSSAPI for authentication is normally the
+name exactly as requested. e.g. for NFS
+it is the server name in the "servername:/path" mount request. Only if this
+servername appears to be an IP address or an
+unqualified name (no dots) will a reverse DNS lookup
+will be performed to get the canoncial server name.
+
+If
+.B \-D
+is present, a reverse DNS lookup will
+.I always
+be used, even if the server name looks like a canonical name. So it
+is needed if partially qualified, or non canonical names are regularly
+used.
+
+Using
+.B \-D
+can introduce a security vulnerability, so it is recommended that
+.B \-D
+not be used, and that canonical names always be used when requesting
+services.
+.TP
.B -R realm
Kerberos tickets from this
.I realm
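Review bot: the -D entry says the option "can introduce a security vulnerability" without saying what it is. State the mechanism in one sentence: with -D the name handed to GSSAPI comes from the reverse DNS answer rather than from the name the user typed, so the identity the client authenticates depends on DNS data. The first paragraph also has a doubled verb ("will a reverse DNS lookup will be performed") and the typo "canoncial".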
--- nfs-utils-1.2.7.orig/utils/gssd/gssd_proc.c
+++ nfs-utils-1.2.7/utils/gssd/gssd_proc.c
@@ -106,6 +106,9 @@ struct pollfd * pollarray;
unsigned long pollsize; /* the size of pollaray (in pollfd's) */
+/* Avoid DNS reverse lookups on server names if possible */
+int avoid_dns = 1;
+
/*
* convert a presentation address string to a sockaddr_storage struct. Returns
* true on success or false on failure.
@@ -164,12 +167,34 @@ addrstr_to_sockaddr(struct sockaddr *sa,
* convert a sockaddr to a hostname
*/
static char *
-sockaddr_to_hostname(const struct sockaddr *sa, const char *addr)
+get_servername(const char *name, const struct sockaddr *sa, const char *addr)
{
socklen_t addrlen;
int err;
char *hostname;
char hbuf[NI_MAXHOST];
+ unsigned char buf[sizeof(struct in6_addr)];
+
+ if (avoid_dns) {
+ /*
+ * Determine if this is a server name, or an IP address.
+ * If it is an IP address, do the DNS lookup otherwise
+ * skip the DNS lookup.
+ */
+ int is_fqdn = 1;
+ if (strchr(name, '.') == NULL)
+ is_fqdn = 0; /* local name */
+ else if (inet_pton(AF_INET, name, buf) == 1)
+ is_fqdn = 0; /* IPv4 address */
+ else if (inet_pton(AF_INET6, name, buf) == 1)
+ is_fqdn = 0; /* IPv6 addrss */
+
+ if (is_fqdn) {
+ return strdup(name);
+ }
+ /* Sorry, cannot avoid dns after all */
+ }
+
switch (sa->sa_family) {
case AF_INET:
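Review bot: the comment above get_servername() still reads "convert a sockaddr to a hostname", which no longer describes a function that usually returns strdup(name) without looking at sa. Update it to describe both paths. The inline comment inside the avoid_dns block also omits the third case the code handles, a name with no dots, and "IPv6 addrss" is a typo. Since any dotted string that is not an IP literal is treated as fully qualified, say so in the comment, because that is the assumption the security of the default mode rests on.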
@@ -207,7 +232,7 @@ read_service_info(char *info_file_name,
struct sockaddr *addr) {
#define INFOBUFLEN 256
char buf[INFOBUFLEN + 1];
- static char dummy[128];
+ static char server[128];
int nbytes;
static char service[128];
static char address[128];
@@ -235,7 +260,7 @@ read_service_info(char *info_file_name,
"service: %127s %15s version %15s\n"
"address: %127s\n"
"protocol: %15s\n",
- dummy,
+ server,
service, program, version,
address,
protoname);
@@ -268,7 +293,7 @@ read_service_info(char *info_file_name,
if (!addrstr_to_sockaddr(addr, address, port))
goto fail;
- *servername = sockaddr_to_hostname(addr, address);
+ *servername = get_servername(server, addr, address);
if (*servername == NULL)
goto fail;
++++++ idmapd.conf ++++++
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
++++++ mkinitrd-boot.sh ++++++
#!/bin/bash
#%stage: block
#%modules: nfs nfsv2 nfsv3 nfsv4
#%programs: /sbin/mount.nfs /sbin/mount.nfs4
#%if: "$rootfstype" = "nfs" -o "$need_nfs"
#
##### Network FileSystem
##
## This is where NFS gets mounted.
## If no root= option was given, the root device will be taken from the DHCP-server.
##
## Command line parameters
## -----------------------
##
## root=<server>:/<folder> the nfs root path
##
# Prefer the NFS root setting via DHCP over the fallback provided in config/*.
# So at first, consider the command line (that's why we check for "$cmd_root"
# being empty here). Then consider the DHCP setting. And finally consider the
# fallback via config/*.
if [ -n "$ROOTPATH" -a -z "$cmd_root" ] ; then
    case "$ROOTPATH" in
        iscsi:*)
            ;;
        *:*)
            rootfstype="nfs"
            rootdev="$ROOTPATH" ;;
        *)
            if [ -n "$DHCPSIADDR" ]; then
                rootdev="$DHCPSIADDR:$ROOTPATH"
                rootfstype="nfs"
            elif [ -n "$DHCPSNAME" ]; then
                rootdev="$DHCPSNAME:$ROOTPATH"
                rootfstype="nfs"
            fi ;;
    esac
    if [ -n "$rootdev" ] ; then
        echo >&2 "Using root device ($rootdev) provided via DHCP"
    fi
fi
if [ "$rootfstype" = "nfs" ]; then
    # load the nfs module before using it
    load_modules
    if [ -z "$rootdev" ]; then
        echo "no local root= kernel option given and no root server set by the dhcp server."
        echo "exiting to /bin/sh"
        cd /
        PATH=$PATH PS1='$ ' /bin/sh -i
    fi
    rootfsmod=
    if [ -n "$rootflags" ] ; then
        rootflags="${rootflags},nolock"
    else
        rootflags="nolock"
    fi
    # tell boot.rootfsck to skip warning
    ROOTFS_FSCK=0
    export ROOTFS_FSCK
else
    dont_load_modules
fi
# Absolutely required for networking to function
ip link set dev lo up
++++++ mkinitrd-setup.sh ++++++
#!/bin/bash
#
#%stage: device
#
if [ "$rootfstype" = "nfs" ]; then
    interface=${interface:-default}
    save_var rootfstype
fi
++++++ mountd-fix-bug-affecting-exports-of-dirs-with-64bit-.patch ++++++
Git-commit: b3a156fe96c6645ca5dbf4b75e9cff710218d920
From: Neil Brown
Date: Mon, 21 Oct 2013 16:27:32 +1100
Subject: [PATCH 1/2] mountd: fix bug affecting exports of dirs with 64bit
inode number.
References: bnc#841971
parse_fsid is currently truncating all inode numbers to
32bits, and assumes that 'int' is 32 bits (which it probably is,
but we shouldn't assume).
So make the 'inode' field in 'struct parsed_fsid' a 64 bit field,
and only memcpy into variables or fields that have been declared
to a specific bit size.
Signed-off-by: NeilBrown
---
utils/mountd/cache.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
--- nfs-utils-1.2.8.orig/utils/mountd/cache.c
+++ nfs-utils-1.2.8/utils/mountd/cache.c
@@ -388,10 +388,10 @@ struct parsed_fsid {
int fsidtype;
/* We could use a union for this, but it would be more
* complicated; why bother? */
- unsigned int inode;
+ uint64_t inode;
unsigned int minor;
unsigned int major;
- unsigned int fsidnum;
+ uint32_t fsidnum;
size_t uuidlen;
char *fhuuid;
};
@@ -399,8 +399,8 @@ struct parsed_fsid {
static int parse_fsid(int fsidtype, int fsidlen, char *fsid,
struct parsed_fsid *parsed)
{
- unsigned int dev;
- unsigned long long inode64;
+ uint32_t dev;
+ uint32_t inode32;
memset(parsed, 0, sizeof(*parsed));
parsed->fsidtype = fsidtype;
@@ -409,7 +409,8 @@ static int parse_fsid(int fsidtype, int
if (fsidlen != 8)
return -1;
memcpy(&dev, fsid, 4);
- memcpy(&parsed->inode, fsid+4, 4);
+ memcpy(&inode32, fsid+4, 4);
+ parsed->inode = inode32;
parsed->major = ntohl(dev)>>16;
parsed->minor = ntohl(dev) & 0xFFFF;
break;
@@ -420,7 +421,7 @@ static int parse_fsid(int fsidtype, int
memcpy(&parsed->fsidnum, fsid, 4);
break;
- case FSID_MAJOR_MINOR: /* 12 bytes: 4 major, 4 minor, 4 inode
+ case FSID_MAJOR_MINOR: /* 12 bytes: 4 major, 4 minor, 4 inode
* This format is never actually used but was
* an historical accident
*/
@@ -430,7 +431,8 @@ static int parse_fsid(int fsidtype, int
parsed->major = ntohl(dev);
memcpy(&dev, fsid+4, 4);
parsed->minor = ntohl(dev);
- memcpy(&parsed->inode, fsid+8, 4);
+ memcpy(&inode32, fsid+8, 4);
+ parsed->inode = inode32;
break;
case FSID_ENCODE_DEV: /* 8 bytes: 4 byte packed device number, 4 inode */
@@ -440,7 +442,8 @@ static int parse_fsid(int fsidtype, int
if (fsidlen != 8)
return -1;
memcpy(&dev, fsid, 4);
- memcpy(&parsed->inode, fsid+4, 4);
+ memcpy(&inode32, fsid+4, 4);
+ parsed->inode = inode32;
parsed->major = (dev & 0xfff00) >> 8;
parsed->minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
break;
@@ -448,7 +451,8 @@ static int parse_fsid(int fsidtype, int
case FSID_UUID4_INUM: /* 4 byte inode number and 4 byte uuid */
if (fsidlen != 8)
return -1;
- memcpy(&parsed->inode, fsid, 4);
+ memcpy(&inode32, fsid, 4);
+ parsed->inode = inode32;
parsed->uuidlen = 4;
parsed->fhuuid = fsid+4;
break;
@@ -467,8 +471,7 @@ static int parse_fsid(int fsidtype, int
case FSID_UUID16_INUM: /* 8 byte inode number and 16 byte uuid */
if (fsidlen != 24)
return -1;
- memcpy(&inode64, fsid, 8);
- parsed->inode = inode64;
+ memcpy(&parsed->inode, fsid, 8);
parsed->uuidlen = 16;
parsed->fhuuid = fsid+8;
break;
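Review bot: in the FSID_UUID16_INUM case the literal 8 in memcpy(&parsed->inode, fsid, 8) is now correct only because inode was changed to uint64_t in the struct hunk above. Tie the two together with sizeof(parsed->inode), or a compile-time check that the field is 8 bytes, so a later type change cannot reintroduce the truncation or an overrun of the field.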
++++++ mountd-fix-error-check.patch ++++++
From f21fe104a91988bd38637ab8daa93d7b170a92fd Mon Sep 17 00:00:00 2001
From: Neil Brown
Date: Thu, 13 Dec 2012 11:20:32 +1100
Subject: [PATCH] mountd: fix checking for errors when exporting filesystems.
commit 5604b35a61e22930873ffc4e9971002f578e7978
nfs-utils: Increase the stdio file buffer size for procfs files
changed writes to some sysfs files to be line buffered (_IOLBF) where
they weren't before. While this probably makes sense, it introduced a bug.
With fully buffered streams, you don't expect to get an error until you
call fflush().
With line buffered streams you can get the error from fprintf() et al.
qword_eol() only tests the return from fflush, not from fprintf. Consequently
errors were not noticed.
One result of this is that if you export, with crossmnt, a filesystem underneath
which are mounted non-exportable filesystems (e.g. /proc) then an 'ls -l' on the
client will block indefinitely waiting for a meaningful 'yes' or 'no' from the
server, but will never get one.
This patch changes qword_eol to test both fprintf and fflush.
Signed-off-by: NeilBrown
diff --git a/support/nfs/cacheio.c b/support/nfs/cacheio.c
index e641c45..61e07a8 100644
--- a/support/nfs/cacheio.c
+++ b/support/nfs/cacheio.c
@@ -162,11 +162,16 @@ int qword_eol(FILE *f)
{
int err;
- fprintf(f,"\n");
- err = fflush(f);
- if (err) {
- xlog_warn("qword_eol: fflush failed: errno %d (%s)",
+ err = fprintf(f,"\n");
+ if (err < 0) {
+ xlog_warn("qword_eol: fprintf failed: errno %d (%s)",
errno, strerror(errno));
+ } else {
+ err = fflush(f);
+ if (err) {
+ xlog_warn("qword_eol: fflush failed: errno %d (%s)",
+ errno, strerror(errno));
+ }
}
/*
* We must send one line (and one line only) in a single write
++++++ mountd-fix-exporting-of-with-sec-setting.patch ++++++
From 6eba4e22ce2b10bcfb19fbb253f7e235afbaa406 Mon Sep 17 00:00:00 2001
From: NeilBrown
Date: Fri, 19 Apr 2013 13:09:27 -0400
Subject: [PATCH] mountd: fix exporting of "/" with sec= setting.
Commit 91bb95f2689e84856ecdf6fac365489d36709cf9
4set_root: force "fsid=0" for all exports of '/'
set NFSEXP_FSID for the export of "/" if nothing else had any fsid set,
however it didn't also set the flag for all security flavours. So the
kernel complains that the flags on the security flavours don't match and
it rejects the export.
So call fix_pseudoflavor_flags() in write_secinfo() to make sure that
any fiddling that has been done to e_flags gets copied to e_secinfo.
Signed-off-by: NeilBrown
Signed-off-by: Steve Dickson
---
support/include/exportfs.h | 1 +
support/nfs/exports.c | 2 +-
utils/mountd/cache.c | 1 +
3 files changed, 3 insertions(+), 1 deletion(-)
--- nfs-utils-1.2.7.orig/support/include/exportfs.h
+++ nfs-utils-1.2.7/support/include/exportfs.h
@@ -177,6 +177,7 @@ struct export_features {
};
struct export_features *get_export_features(void);
+void fix_pseudoflavor_flags(struct exportent *ep);
/* Record export error. */
extern int export_errno;
--- nfs-utils-1.2.7.orig/support/nfs/exports.c
+++ nfs-utils-1.2.7/support/nfs/exports.c
@@ -469,7 +469,7 @@ static void clearflags(int mask, unsigne
* ensure that the export flags agree with the flags on each
* pseudoflavor:
*/
-static void fix_pseudoflavor_flags(struct exportent *ep)
+void fix_pseudoflavor_flags(struct exportent *ep)
{
struct export_features *ef;
struct sec_entry *p;
--- nfs-utils-1.2.7.orig/utils/mountd/cache.c
+++ nfs-utils-1.2.7/utils/mountd/cache.c
@@ -715,6 +715,7 @@ static void write_secinfo(FILE *f, struc
/* There was no sec= option */
return;
}
+ fix_pseudoflavor_flags(ep);
qword_print(f, "secinfo");
qword_printint(f, p - ep->e_secinfo);
for (p = ep->e_secinfo; p->flav; p++) {
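Review bot: write_secinfo() is an output routine, and the added fix_pseudoflavor_flags(ep) call makes it modify the export entry as a side effect of printing it. Calling the fix at the place where e_flags is changed for the export of "/" would keep the invariant next to the code that breaks it; if it has to stay here, add a comment saying why the flags are resynchronised just before they are written.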
++++++ nfs-utils-1.0.7-bind-syntax.patch ++++++
support/export/export.c | 2
support/include/misc.h | 3
support/include/nfslib.h | 1
================================================================================
---
support/nfs/exports.c | 2 ++
1 file changed, 2 insertions(+)
--- nfs-utils-1.2.7.orig/support/nfs/exports.c
+++ nfs-utils-1.2.7/support/nfs/exports.c
@@ -628,6 +628,8 @@ bad_option:
} else if (strncmp(opt, "replicas=", 9) == 0) {
ep->e_fslocmethod = FSLOC_REPLICA;
ep->e_fslocdata = strdup(opt+9);
+ } else if (strncmp(opt, "bind=/", 6) == 0) {
+ /* ignore this for now */
} else if (strncmp(opt, "sec=", 4) == 0) {
active = parse_flavors(opt+4, ep);
if (!active)
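Review bot: the new "bind=/" branch accepts the option and does nothing, with only "ignore this for now" as explanation. An administrator who writes bind= in an exports entry gets no indication that it had no effect; log a warning naming the ignored option, and say in the comment what "for now" is waiting on. The file list above the diffstat (support/export/export.c, misc.h, nfslib.h) also does not match the one file this patch changes.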
++++++ nfs-utils.rpmlintrc ++++++
# /var/lib/nfs/sm.bak is a valid directory needed by sm-notify
addFilter("suse-filelist-forbidden-backup-file.*sm.bak")
++++++ nfs.init ++++++
#! /bin/bash
# Copyright (c) 1996-2002 SuSE Linux AG, Nuernberg, Germany.
# Copyright (c) 2008 SuSE LINUX Products GmbH, Nuernberg, Germany.
# All rights reserved.
#
# Author: Florian La Roche, 1996
# Werner Fink , 1996,2008
# Burchard Steinbild, 1996
#
# Please send feedback to http://www.suse.de/feedback
#
# /etc/init.d/nfs
#
### BEGIN INIT INFO
# Provides: nfs
# Required-Start: $network $portmap
# Required-Stop: $network $portmap
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: NFS client services
# Description: All necessary services for NFS clients
### END INIT INFO
. /etc/rc.status
. /etc/sysconfig/nfs
# XXX: there should be separate init scripts for these really
IDMAPD_BIN=/usr/sbin/rpc.idmapd
GSSD_BIN=/usr/sbin/rpc.gssd
STATD_BIN=/usr/sbin/rpc.statd
IDMAPD_CLIENT_STATE=/run/nfs/nfs-rpc.idmapd
IDMAPD_SERVER_STATE=/run/nfs/nfsserver-rpc.idmapd
if [ -z "$RPC_PIPEFS_DIR" ]; then
    RPC_PIPEFS_DIR=/var/lib/nfs/rpc_pipefs
fi
NEED_IDMAPD=no
NEED_GSSD=no
NEED_LDCONFIG=no
state=0
usr=""
opt=""
mnt=""
nfs=$NFS_START_SERVICES
if [ "x$nfs" != "xyes" ]
then nfs=no
fi
while read -r what where type options rest ; do
    case "$what" in
        \#*|"") continue ;;
    esac
    case ",$options," in
        *,noauto,*) continue ;;
    esac
    case "$type" in
        nfs|nfs4) ;;
        *) continue ;;
    esac
    nfs=yes
    if test "$1" = status ; then
        grep -qF "$what $where nfs
$what/ $where nfs" /proc/mounts && continue
        state=3
        continue
    fi
    case "$where" in
        /usr*)
            usr="${usr:+$usr }$where"
            NEED_LDCONFIG=yes
            ;;
        /opt*)
            opt="${opt:+$opt }$where"
            NEED_LDCONFIG=yes
            ;;
        *)
            mnt="${mnt:+$mnt }$where"
            test "$NEED_LDCONFIG" = yes && continue
            grep -qE "^$where" /etc/ld.so.conf || continue
            NEED_LDCONFIG=yes
            ;;
    esac
done < /etc/fstab
unset what where type options rest
case $NFS_SECURITY_GSS in
    [Nn]*) flavors="";;
    [Yy]*) flavors=krb5;;
    *) flavors="$NFS_SECURITY_GSS";;
esac
if test -n "$flavors" ; then
    NEED_GSSD=yes
fi
if test -n "$GSSD_OPTIONS"; then
    NEED_GSSD=yes
fi
if test "$NFS4_SUPPORT" = yes ; then
    NEED_IDMAPD=yes
fi
if grep -E '^(sunrpc|fs.nfs)' /etc/sysctl.conf > /dev/null 2>&1 ; then
    nfs=yes
fi
check_portmap() {
    # check if either portmap or rpcbind is running
    if test -x /sbin/portmap && checkproc /sbin/portmap
    then true
    elif test -x /sbin/rpcbind && checkproc /sbin/rpcbind
    then true
    else false
    fi
}
if ! test "$nfs" = no -o -x /sbin/portmap -o -x /sbin/rpcbind; then
    echo "portmap/rpcbind is missing"
    rc_failed 3
    rc_status -v
    rc_exit
fi
mount_rpc_pipefs() {
    # See if the file system is there yet
    case `stat -c "%t" -f "$RPC_PIPEFS_DIR"` in
        *67596969*)
            return 0;;
    esac
    mount -t rpc_pipefs rpc_pipefs "$RPC_PIPEFS_DIR"
}
umount_rpc_pipefs() {
    # See if the file system is there
    case `stat -c "%t" -f "$RPC_PIPEFS_DIR"` in
        *67596969*)
            umount "$RPC_PIPEFS_DIR"
    esac
}
mount_usr() {
    test -n "$usr" -o -n "$opt" || return
    local where
    for where in $usr $opt ; do
        mount -o nolock $where || {
            # maybe network device hasn't appeared yet.
            udevadm settle
            mount -o nolock $where
        }
    done
}
do_start_gssd() {
    for flavor in $flavors; do
        /sbin/modprobe rpcsec_gss_$flavor
    done
    mount_rpc_pipefs
    startproc $GSSD_BIN $GSSD_OPTIONS
    return $?
}
do_start_idmapd() {
    mount_rpc_pipefs
    # as idmapd needs to be run by server and client
    # check if there is already a idmapd running
    if checkproc $IDMAPD_BIN && test -f $IDMAPD_SERVER_STATE; then
        killproc -HUP $IDMAPD_BIN
    else
        startproc $IDMAPD_BIN
        return $?
    fi
}
rc_reset
case "$1-$nfs" in
start-no|reload-no)
# Always run smnotify, even if no mounts are listed in fstab.
# If there is nothing to do, it will exit quickly, and if there
# is something to do, the sooner it is done, the better.
/usr/sbin/sm-notify $SM_NOTIFY_OPTIONS
echo -n "Not starting NFS client services - no NFS found in /etc/fstab:"
rc_status -u
;;
start-yes|force-start-*)
echo -n "Starting NFS client services:"
if ! check_portmap ; then
echo "portmap/rpcbind is not running"
rc_failed 3
rc_status -v
rc_exit
fi
# explicit modprobe so we can set some sysctl values
# before any daemons (e.g. lockd) start.
# When modprobe allows this to be moved to modprobe.d
# without breaking --show-depends, this can be removed.
modprobe nfs
grep -E '^(sunrpc|fs.nfs)' /etc/sysctl.conf | sysctl -q -e -n -p -
# in case we need /usr and/or /opt via nfs
mount_usr
# sm-notify
echo -n " sm-notify"
/usr/sbin/sm-notify $SM_NOTIFY_OPTIONS
# start gssd
if test "$NEED_GSSD" = yes ; then
echo -n " gssd"
do_start_gssd || {
rc_status -v
rc_exit
}
fi
# start idmapd
if test "$NEED_IDMAPD" = yes ; then
echo -n " idmapd"
do_start_idmapd || {
rc_status -v
rc_exit
}
[ -d /run/nfs ] || mkdir /run/nfs
echo $IDMAPD_BIN > $IDMAPD_CLIENT_STATE
fi
rc_status -v
# remark: statd is started when needed by mount.nfs
# Mount all auto NFS devices (-> nfs(5) and mount(8) )
# NFS-Server sometime not reachable during boot phase.
# It's sometime usefull to mount NFS devices in
# background with an ampersand (&) and a sleep time of
# two or more seconds, e.g:
#
# sleep 2 && mount -at nfs,nfs4 &
# sleep 2
#
if test -n "$mnt" ; then
# If network devices are not yet discovered, mounts
# might fail, so we might need to 'udevadm settle' to
# wait for the interfaces.
# We cannot try the mount and on failure: 'settle' and try again
# as if there are 'bg' mounts, we could get multiple copies
# of them. So always 'settle' if there is any mounting to do.
echo -n "Mounting network file systems ..."
udevadm settle
mount -at nfs,nfs4 || rc_failed 1
rc_status -v
fi
#
# generate new list of available shared libraries
#
if test "$NEED_LDCONFIG" = yes; then
# check if ld.so.cache needs to be refreshed
/etc/init.d/boot.ldconfig start
fi
#
;;
stop* )
echo -n "Shutting down NFS client services:"
rootfs=`awk '$2 == "/" && $1 != "rootfs" {print $3}' /proc/mounts`
if test x$rootfs = xnfs ; then
echo -n " root filesystem is on NFS"
rc_status -s
else
# kill process to maximise chance that umount succeeds
mnt=`awk '$3 ~ /^nfs4*$/ {print $2}' /proc/mounts`
runlevel=`runlevel | awk '{print $2}'`
if test "$runlevel" -eq 0 -o "$runlevel" -eq 6; then
if test -n "$mnt" ; then
/sbin/mkill -TERM $mnt
fi
fi
# if filesystems are not busy, wait for unmount to complete..
umount -at nfs,nfs4
# if they are still busy, do a lazy unmount anyway.
umount -alt nfs,nfs4
# stop gssd
if checkproc $GSSD_BIN; then
echo -n " gssd"
killproc $GSSD_BIN
fi
# stop idmapd
if test -f $IDMAPD_CLIENT_STATE; then
# only stop idmapd if it is not needed by server
if test ! -f $IDMAPD_SERVER_STATE ; then
echo -n " idmapd"
killproc $IDMAPD_BIN
fi
rm -f $IDMAPD_CLIENT_STATE
fi
# stop rpc.statd if not needed by server
if checkproc $STATD_BIN ; then
if [ `cat /proc/fs/nfsd/threads 2> /dev/null`0 -eq 0 ]; then
echo -n " rpc.statd"
killproc $STATD_BIN
fi
fi
umount_rpc_pipefs
rc_status -v
fi
;;
reload*|force-reload*)
# only IDMAP has any sense in which 'reload' makes sense.
if checkproc $IDMAPD_BIN; then
killproc -HUP $IDMAPD_BIN
fi
rc_status
;;
restart*)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 force-start
rc_status
;;
status*)
echo -n "Checking for mounted nfs shares (from /etc/fstab):"
if test "$nfs" = yes ; then
rc_failed $state
else
rc_failed 3
fi
#
if test "$NEED_GSSD" = yes && ! checkproc $GSSD_BIN; then
echo "gssd not running"
rc_failed 3
fi
#
if test "$NEED_IDMAPD" = yes && ! checkproc $IDMAPD_BIN; then
echo "idmapd not running"
rc_failed 3
fi
if ! check_portmap; then
echo "Warning: portmap/rpcbind not running - nfs may not work well"
fi
rc_status -v
;;
try-restart*|condrestart*)
# This restart is not only conditional on the services already
# running, but is also gentler in that NFS filesystems are
# not unmounted or remounted.
# It is possible that the programs have been reinstalled so
# we pass a basename rather than a full path to checkproc and killproc
echo -n "Restarting NFS services:"
if checkproc ${GSSD_BIN##*/}; then
echo -n " gssd"
killproc ${GSSD_BIN##*/}
startproc $GSSD_BIN $GSSD_OPTIONS
fi
if checkproc ${IDMAPD_BIN##*/}; then
echo -n " idmapd"
killproc ${IDMAPD_BIN##*/}
startproc $IDMAPD_BIN
fi
if checkproc ${STATD_BIN##*/}; then
echo -n " statd"
killproc ${STATD_BIN##*/}
/usr/sbin/start-statd
fi
rc_status -v
;;
*)
echo "Usage: $0 {start|stop|status|reload|force-reload|restart|try-restart}"
exit 1
esac
rc_exit
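Review bot: the rpc.statd check in the stop branch, [ `cat /proc/fs/nfsd/threads 2> /dev/null`0 -eq 0 ], has no comment explaining why a literal 0 is appended to the command substitution. The trick makes a missing file evaluate as 0 and a thread count N as N0, which is correct but easy to break in a later edit. A one-line comment, or reading the value into a variable with an explicit default, would make the intent clear.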
++++++ nfsserver.init ++++++
#! /bin/sh
# Copyright (c) 1996 - 2007 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Florian La Roche , 1996
# Werner Fink , 1996,98
# Burchard Steinbild , 1997
# Thorsten Kukuk , 2000,01
#
# /etc/init.d/nfsserver
#
### BEGIN INIT INFO
# Provides: nfsserver
# Required-Start: $network $named $portmap
# Required-Stop: $network $portmap
# Should-Start: ypbind krb5kdc
# Should-Stop: ypbind krb5kdc
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: Start the kernel based NFS daemon
### END INIT INFO
. /etc/sysconfig/nfs
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num><num>
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
. /etc/rc.status
# First reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.
# XXX: there should be separate init scripts for these really
SVCGSSD_BIN=/usr/sbin/rpc.svcgssd
IDMAPD_BIN=/usr/sbin/rpc.idmapd
NFSD_BIN=/usr/sbin/rpc.nfsd
IDMAPD_CLIENT_STATE=/run/nfs/nfs-rpc.idmapd
IDMAPD_SERVER_STATE=/run/nfs/nfsserver-rpc.idmapd
NFSD_BIND_MOUNTS=/run/nfs/bind.mounts
NEED_SVCGSSD=no
NEED_IDMPAPD=no
case `uname -r` in
0.*|1.*|2.0.*) exit 3
esac
case $NFS_SECURITY_GSS in
[Nn]*) flavors="";;
[Yy]*) flavors=krb5;;
*) flavors="$NFS_SECURITY_GSS";;
esac
if [ "$flavors" ]; then
NEED_SVCGSSD=yes
fi
if [ "$NFS4_SUPPORT" = yes ]; then
NEED_IDMAPD=yes
fi
if [ -z "$RPC_PIPEFS_DIR" ]; then
RPC_PIPEFS_DIR=/var/lib/nfs/rpc_pipefs
fi
check_for_nfsdfs() {
HAVE_NFSDFS="no"
while read dummy type ; do
if [ "$type" = "nfsd" ] ; then
HAVE_NFSDFS="yes"
fi
done < /proc/filesystems
}
nfs4_bind_mounts() {
[ -d /run/nfs ] || mkdir /run/nfs
warned=no
# In case of doubt, try "man sed" :-)
cat /etc/exports |
sed -n 'H;g;s/\\$//;h;t;s/^\n//;s/\n[[:space:]]*//g;s/#.*//;p;s/.*//;h' |
sed 's/^\([^[:space:]]*\).*bind=\([^,)]*\).*/\1 \2/;t;d' |
sort |
while read export dir; do
if [ $warned = no ] ; then
echo
echo "NFS: The usage of 'bind=' in /etc/exports is deprecated."
echo "NFS: Is it no longer needed and may cease to work."
echo "NFS: Please remove these settings."
warned=yes
fi >&2
test -d "$export" || mkdir -p "$export"
mount -o bind "$dir" "$export"
echo "$dir" "$export"
done > $NFSD_BIND_MOUNTS
}
nfs4_unbind_mounts() {
sort -r -k2 $NFSD_BIND_MOUNTS |
while read src mountpoint crap; do
[ -n "$mountpoint" ] && umount -l "$mountpoint"
done
> $NFSD_BIND_MOUNTS
}
mount_rpc_pipefs() {
# See if the file system is there yet
case `stat -c "%t" -f "$RPC_PIPEFS_DIR"` in
*67596969*)
return 0;;
esac
mount -t rpc_pipefs rpc_pipefs "$RPC_PIPEFS_DIR"
}
umount_rpc_pipefs() {
case `stat -c "%t" -f "$RPC_PIPEFS_DIR"` in
*67596969*)
umount "$RPC_PIPEFS_DIR";;
esac
}
do_start_svcgssd() {
for flavor in $flavors; do
/sbin/modprobe rpcsec_gss_$flavor
done
mount_rpc_pipefs
startproc $SVCGSSD_BIN $SVCGSSD_OPTIONS
return $?
}
do_start_idmapd() {
mount_rpc_pipefs
if checkproc $IDMAPD_BIN && test -f $IDMAPD_CLIENT_STATE; then
killproc -HUP $IDMAPD_BIN
else
startproc $IDMAPD_BIN
return $?
fi
}
case "$1" in
start)
PARAMS=3
test "$USE_KERNEL_NFSD_NUMBER" -gt 0 && PARAMS="$USE_KERNEL_NFSD_NUMBER"
echo -n "Starting kernel based NFS server:"
modprobe nfsd
# this can be removed when modprobe allows the sysctl to be
# moved to modprobe.d without breaking --show-depends
grep '^fs.nfs.n[sl]m' /etc/sysctl.conf | sysctl -q -e -n -p -
# mount nfsd filesystem
check_for_nfsdfs
if [ "$HAVE_NFSDFS" = "yes" -a ! -f /proc/fs/nfsd/exports ] ; then
mount -t nfsd nfsd /proc/fs/nfsd
rc_status
fi
VERSION_PARAMS=
if [ "$NFS3_SERVER_SUPPORT" == "no" ]; then
VERSION_PARAMS="--no-nfs-version 2 --no-nfs-version 3"
fi
if [ "$NFS4_SUPPORT" != "yes" ]; then
VERSION_PARAMS="--no-nfs-version 4"
fi
if [ -n "$NFSV4LEASETIME" -a -f /proc/fs/nfsd/nfsv4leasetime ]; then
echo "$NFSV4LEASETIME" > /proc/fs/nfsd/nfsv4leasetime
fi
nfs4_bind_mounts
# svcgssd; idmapd
if [ "$NEED_SVCGSSD" = yes ]; then
echo -n " svcgssd"
do_start_svcgssd || {
rc_status -v
rc_exit
}
fi
if [ "$NEED_IDMAPD" = yes ]; then
echo -n " idmapd"
do_start_idmapd || {
rc_status -v
rc_exit
}
[ -d /run/nfs ] || mkdir /run/nfs
echo $IDMAPD_BIN > $IDMAPD_SERVER_STATE
fi
# exportfs
/usr/sbin/exportfs -r
# rpc.mountd
echo -n " mountd"
if [ -n "$MOUNTD_PORT" ] ; then
startproc /usr/sbin/rpc.mountd -p $MOUNTD_PORT $VERSION_PARAMS
else
startproc /usr/sbin/rpc.mountd $VERSION_PARAMS
fi || {
rc_status -v
rc_exit
}
# rpc.statd
if [ "$NFS3_SERVER_SUPPORT" != "no" ]; then
echo -n " statd"
startproc /usr/sbin/rpc.statd --no-notify $STATD_OPTIONS || {
rc_status -v
rc_exit
}
fi
# rpc.nfsd
echo -n " nfsd"
$NFSD_BIN $NFSD_OPTIONS $PARAMS $VERSION_PARAMS || {
rc_status -v
rc_exit
}
# sm-notify needs to be run last
echo -n " sm-notify"
/usr/sbin/sm-notify $SM_NOTIFY_OPTIONS
#
rc_status -v
;;
stop)
echo -n "Shutting down kernel based NFS server:"
# rpc.nfsd
echo -n " nfsd"
killproc -n -KILL nfsd || {
rc_status -v
rc_exit
}
# rpc.statd
if ! checkproc -n lockd; then
echo -n " statd"
killproc rpc.statd
else
# tell lockd to drop all client locks
killproc -n -KILL lockd
fi
# make sure sm-notify is run on restart, as we have dropped some locks
rm -f /run/sm-notify.pid
#
# rpc.mountd
echo -n " mountd"
killproc -TERM /usr/sbin/rpc.mountd || {
rc_status -v
rc_exit
}
# svcgssd
if [ "$NEED_SVCGSSD" = yes ]; then
echo -n " svcgssd"
killproc $SVCGSSD_BIN || {
rc_status -v
rc_exit
}
fi
# idmap
if [ "$NEED_IDMAPD" = yes ]; then
# kill only if not needed by client anymore
if [ ! -f $IDMAPD_CLIENT_STATE ]; then
echo -n " idmapd"
killproc $IDMAPD_BIN
fi
rm -f $IDMAPD_SERVER_STATE
fi
# umount nfsd fs
check_for_nfsdfs
if [ "$HAVE_NFSDFS" = "yes" -a -f /proc/fs/nfsd/exports ] ; then
umount /proc/fs/nfsd
rc_status
fi
nfs4_unbind_mounts
#
rc_status -v
;;
try-restart)
## Stop the service and if this succeeds (i.e. the
## service was running before), start it again.
$0 status >/dev/null && $0 restart
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
reload|force-reload)
echo -n "Reload kernel based NFS server"
# Unfortunately, there's no sane way of doing this:
nfs4_unbind_mounts; nfs4_bind_mounts
/usr/sbin/exportfs -r
rc_status -v
;;
status)
echo -n "Checking for kernel based NFS server:"
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Status has a slightly different for the status command:
# 0 - service running
# 1 - service dead, but /run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running
# NOTE: checkproc returns LSB compliant status values.
if [ "$NEED_SVCGSSD" = yes ]; then
echo -n " svcgssd"
checkproc $SVCGSSD_BIN
rc_status -v
fi
if [ "$NEED_IDMAPD" = yes ]; then
echo -n " idmapd"
checkproc $IDMAPD_BIN
rc_status -v
fi
echo -n " mountd"
checkproc /usr/sbin/rpc.mountd
rc_status -v
echo -n " statd"
checkproc /usr/sbin/rpc.statd
rc_status -v
echo -n " nfsd"
checkproc -n nfsd
rc_status -v
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
exit 1
;;
esac
rc_exit
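Review bot: in the start branch, the NFS4_SUPPORT check assigns VERSION_PARAMS="--no-nfs-version 4" instead of appending, so when NFS3_SERVER_SUPPORT is "no" and NFS4_SUPPORT is not "yes" the earlier "--no-nfs-version 2 --no-nfs-version 3" is discarded and rpc.mountd and rpc.nfsd are started with v2/v3 enabled, against the administrator's setting. Appending with VERSION_PARAMS="$VERSION_PARAMS --no-nfs-version 4" keeps both restrictions. Separately, the defaults block initialises NEED_IDMPAPD=no, a misspelling of NEED_IDMAPD, so the variable tested later is never reset and keeps any value it already had from the environment or from /etc/sysconfig/nfs, which is sourced first.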
++++++ start-statd ++++++
#!/bin/sh -p
# nfsmount calls this script when mounting a filesystem with locking
# enabled, but when statd does not seem to be running (based on
# /run/rpc.statd.pid).
# It should run run statd with whatever flags are apropriate for this
# site.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
checkproc /usr/sbin/rpc.statd && exit 0
. /etc/rc.status
. /etc/sysconfig/nfs
rc_reset
echo -n "Starting rpc.statd ..."
if ! rpcinfo -p localhost >/dev/null 2>/dev/null; then
echo -n " ${extd}portmapper not running${norm}"
rc_failed 1
rc_status -v
rc_exit
fi
# TODO: write init script and call that one via /sbin/service instead
start_daemon /usr/sbin/rpc.statd --no-notify $STATD_OPTIONS
rc_status -v
++++++ sysconfig.nfs ++++++
## Path: Network/File systems/NFS server
## Description: number of threads for kernel nfs server
## Type: integer
## Default: 4
## ServiceRestart: nfsserver
#
# the kernel nfs-server supports multiple server threads
#
USE_KERNEL_NFSD_NUMBER="4"
## Path: Network/File systems/NFS server
## Description: use fixed port number for mountd
## Type: integer
## Default: ""
## ServiceRestart: nfsserver
#
# Only set this if you want to start mountd on a fixed
# port instead of the port assigned by rpc. Only for use
# to export nfs-filesystems through firewalls.
#
MOUNTD_PORT=""
## Path: Network/File systems/NFS server
## Description: GSS security for NFS
## Type: yesno
## Default: yes
## ServiceRestart: nfs nfsserver
#
# Enable RPCSEC_GSS security for NFS (yes/no)
#
NFS_SECURITY_GSS="no"
## Path: Network/File systems/NFS server
## Description: NFSv3 server support
## Type: yesno
## Default: yes
## ServiceRestart: nfsserver
#
# Enable NFSv3 server support (yes/no)
# This causes the NFS server to respond to
# NFSv2 and NFSv3 requests. Only disable this
# if you want to ensure only NFSv4 is used.
#
NFS3_SERVER_SUPPORT="yes"
## Path: Network/File systems/NFS server
## Description: NFSv4 protocol support
## Type: yesno
## Default: yes
## ServiceRestart: nfs nfsserver
#
# Enable NFSv4 support (yes/no)
#
NFS4_SUPPORT="yes"
## Path: Network/File systems/NFS server
## Description: Network Status Monitor options
## Type: string
## Default: ""
#
#
SM_NOTIFY_OPTIONS=""
## Path: Network/File systems/NFS server
## Description: Always start NFS services
## Type: yesno
## Default: yes
## ServiceRestart nfs
#
# Always start NFS services (gssd, idmapd), not only if
# there are nfs mounts in /etc/fstab. This is likely to be
# needed if you use an automounter for NFS.
# Note that the nfs service is no longer enabled by default
# and the command "chkconfig nfs on" is needed to fully enable
# NFS.
#
NFS_START_SERVICES="yes"
## Path: Network/File systems/NFS server
## Description: Command line parameters for rpc.statd
## Type: string
## Default: ""
#
# Custom parameters for rpc.statd daemon. Typically this will
# be used to set the port number (-p).
#
STATD_OPTIONS=""
## Path: Network/File systems/NFS server
## Description: Lease time for NFSv4 leases
## Type: integer
## Default: ""
#
# Set the lease time for the NFSv4 server. This allows new locks
# to be taken sooner after a server restart, so it is useful for
# servers which need to recover quickly after a failure, particularly
# in fail-over configurations. Reducing the lease time can be a
# problem is some clients connect over high latency networks.
# The default is 90 seconds. A number like 15 might be appropriate
# in a fail-over configuration with all clients on well connected
# low latency links.
NFSV4LEASETIME=""
## Path: Network/File systems/NFS server
## Description: Alternate mount point for rpc_pipefs filesystem
## Type: string
## Default: ""
#
# In a high-availabilty configuration it is possible that /var/lib/nfs
# is redirected so some shared storage and so it is not convenient to
# mount the rpc_pipefs filesystem at /var/lib/nfs/rpc_pipefs. In that
# case an alternate mount point can be given here.
RPC_PIPEFS_DIR=""
## Path: Network/File systems/NFS server
## Description: Options for svcgssd
## Type: string
## Default: ""
#
# Normally svcgssd does not require any option. However in a
# high-availabilty configuration it can be useful to pass "-n"
# to guide the choice of default credential. To allow for that
# case or any other requiring options ot svcgssd, they can
# be specified here.
SVCGSSD_OPTIONS=""
## Path: Network/File systems/NFS server
## Description: Extra options for nfsd
## Type: string
## Default: ""
#
# This setting allows extra options to be specified for NFSD, such as
# -H in a high-availability configuration.
NFSD_OPTIONS=""
## Path: Network/File systems/NFS server
## Description: Extra options for gssd
## Type: string
## Default: ""
#
# Normally gssd does not require any options. In some circumstances,
# -n, -l, -N or other options might be useful. See "man 8 rpc.gssd" for
# details. Those options can be set here.
GSSD_OPTIONS=""
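Review bot: the NFS_SECURITY_GSS entry declares "## Default: yes" but ships NFS_SECURITY_GSS="no", so the documented default and the actual value disagree on whether RPCSEC_GSS is enabled. One of the two should be corrected so an administrator reading the header is not misled about the security flavour in use. The NFS_START_SERVICES entry also writes "## ServiceRestart nfs" without the colon that every other ServiceRestart line in this file uses.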
++++++ udp-fallback-fix.patch ++++++
From: NeilBrown
Subject: Fix fallback from tcp to udp
References: bnc#863749
Protocol negotiation in mount.nfs does not correctly negotiate with a
server which only supports NFSv3 and UDP.
When mount.nfs attempts an NFSv4 mount and fails with ECONNREFUSED
it does not fall back to NFSv3, as this is not recognised as a
"does not support NFSv4" error.
However ECONNREFUSED is a clear indication that the server doesn't
support TCP, and ipso facto does not support NFSv4.
So ECONNREFUSED should trigger a fallback from v4 to v2/3.
Once we allow that error, NFSv3 is attempted and mount.nfs talks to
rpcbind and discovers that UDP should be used for v3 and the mount
succeeds.
Signed-off-by: NeilBrown
Reported-by: Carsten Ziepke
---
utils/mount/stropts.c | 3 +++
1 file changed, 3 insertions(+)
--- nfs-utils-1.2.8.orig/utils/mount/stropts.c
+++ nfs-utils-1.2.8/utils/mount/stropts.c
@@ -807,6 +807,9 @@ static int nfs_autonegotiate(struct nfsm
/* Linux servers prior to 2.6.25 may return
* EPERM when NFS version 4 is not supported. */
goto fall_back;
+ case ECONNREFUSED:
+ /* UDP-Only server won't support v4 */
+ goto fall_back;
default:
return result;
}
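Review bot: the new case ECONNREFUSED in nfs_autonegotiate treats every refused connection as proof of a UDP-only server, but a refusal is also what the client sees when the NFS TCP port is closed for a moment or is rejected by a filter in the path. In those cases the mount silently drops from v4 to v2/v3. The comment "UDP-Only server won't support v4" should state that assumption, and the fall_back path would benefit from a verbose message naming the error that triggered it, so that an unexpected version downgrade is visible to the administrator.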