| Commit message | Author | Age | Files | Lines |
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
manage-gids to exportd section.
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Having the default socket name be in the current directory is a poor
choice for a daemon that is expected to run as root.
It is also likely better to use an "abstract" socket name. Abstract
names do not exist in the filesystem namespace and are local to a
network namespace. Using an abstract name ensures that the nfsd,
mountd, and fsidd are all in the same network namespace.
This patch:
- uses a single #define for the default socket name, rather than 2;
- allows the socket name to start with '@' which is interpreted to
be a request to use the abstract name space (systemd uses the same
convention).
- changes the default to "@/run/fsid.sock". I don't know of a formal
standard for choosing names in the abstract name space, the de facto
standard (seen in "ss -xa|grep @") is to use a name similar to what
might be used in the filesystem.
Acked-by: Richard Weinberger <richard@nod.at>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
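The '@' convention from the commit message above, as an added example that is not code from the patch or from nfs-utils: `fill_sockaddr()` and `roundtrip()` are hypothetical helpers, and the demo socket name is constructed. It shows the detail that matters for abstract names, namely that the address length passed to bind() and connect() must cover exactly the name bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/*
 * Build a sockaddr_un from a configured socket name (hypothetical helper).
 * A leading '@' selects the Linux abstract namespace: sun_path[0] is NUL and
 * the bytes after it are the name. Abstract names are not NUL-terminated, so
 * the returned length must cover exactly those bytes.
 * Returns the address length, or 0 if the name is empty or too long.
 */
static socklen_t fill_sockaddr(const char *name, struct sockaddr_un *addr)
{
    size_t n = strlen(name);

    if (n == 0 || n >= sizeof(addr->sun_path))
        return 0;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    if (name[0] == '@') {
        /* The '@' position becomes the leading NUL; n bytes of sun_path used. */
        memcpy(addr->sun_path + 1, name + 1, n - 1);
        return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n);
    }
    /* Filesystem name: include the terminating NUL in the length. */
    memcpy(addr->sun_path, name, n);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
}

/* Bind a listener on `name` and connect to it; 0 on success, -1 on failure. */
static int roundtrip(const char *name)
{
    struct sockaddr_un addr;
    socklen_t len = fill_sockaddr(name, &addr);
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    int cli = socket(AF_UNIX, SOCK_STREAM, 0);
    int rc = -1;

    if (len != 0 && srv >= 0 && cli >= 0 &&
        bind(srv, (struct sockaddr *)&addr, len) == 0 &&
        listen(srv, 1) == 0 &&
        connect(cli, (struct sockaddr *)&addr, len) == 0)
        rc = 0;
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return rc;
}

int main(void)
{
    char name[64];

    /* Constructed name for the demo, not the daemon's default. */
    snprintf(name, sizeof(name), "@example/fsid-demo.%ld", (long)getpid());
    printf("round trip on %s: %s\n", name, roundtrip(name) == 0 ? "ok" : "failed");
    /* Nothing is created in the filesystem, so there is nothing to unlink. */
    printf("filesystem entry: %s\n", access(name + 1, F_OK) == 0 ? "present" : "absent");
    return 0;
}
```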
| |
assert() is not guaranteed to evaluate its arg. When compiled with
-DNDEBUG, the evaluation is skipped. We don't currently compile with
-DNDEBUG, but relying on that is poor form, particularly as this is
described as "sample code" in the git log.
So introduce assert_safe() and use that when there are side-effects.
Acked-by: Richard Weinberger <richard@nod.at>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
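The failure mode described in the commit message above, as an added example that is not the patch's code: the `assert_safe()` definition and the `do_step()` counter are written for this illustration, and the macro in nfs-utils may be defined differently. Two functions are compiled with NDEBUG defined, and each reports how often the wrapped call actually ran.

```c
#include <stdio.h>

static int calls;                 /* how many times the checked call ran */
static int do_step(void) { calls++; return 1; }

/* Build the two functions below as a release build would: assert() off. */
#define NDEBUG
#include <assert.h>

/*
 * Evaluate the expression unconditionally, then assert on the saved result.
 * Written for this example; the macro added by the patch may differ.
 */
#define assert_safe(expr) \
    do { int ok_ = !!(expr); assert(ok_); (void)ok_; } while (0)

/* Returns how often do_step() ran when wrapped in plain assert(). */
static int runs_with_assert(void)
{
    calls = 0;
    assert(do_step());        /* expands to ((void)0): the call is dropped */
    return calls;
}

/* Returns how often do_step() ran when wrapped in assert_safe(). */
static int runs_with_assert_safe(void)
{
    calls = 0;
    assert_safe(do_step());   /* the call still happens; only the check is dropped */
    return calls;
}

/* <assert.h> re-reads NDEBUG on every inclusion: switch assert() back on. */
#undef NDEBUG
#include <assert.h>

int main(void)
{
    printf("assert():      do_step ran %d time(s)\n", runs_with_assert());
    printf("assert_safe(): do_step ran %d time(s)\n", runs_with_assert_safe());
    return 0;
}
```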
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
If /etc/krb5.keytab does not exist, then krb5 cannot work, so
advertising it as an option for v4root is pointless.
Since linux commit 676e4ebd5f2c ("NFSD: SECINFO doesn't handle
unsupported pseudoflavors correctly") this can result in an unhelpful
warning if the krb5 code is not built, or built as a module which is not
installed.
[ 161.668635] NFS: SECINFO: security flavor 390003 is not supported
[ 161.668655] NFS: SECINFO: security flavor 390004 is not supported
[ 161.668670] NFS: SECINFO: security flavor 390005 is not supported
So avoid advertising krb5 security options when krb5.keytab cannot be
found.
Note that testing for /etc/krb5.keytab is what we already do in a couple
of systemd unit files to determine if krb5 is enabled.
Link: https://lore.kernel.org/linux-nfs/20170104190327.v3wbpcbqtfa5jy7d@codemonkey.org.uk/
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Co-developed-by: Chris Chilvers <chris.chilvers@appsbroker.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
The fsidnum daemon offers a local UNIX domain socket interface
for all NFS userspace to query the reexport database.
Currently fsidd just uses the SQLite backend.
fsidd serves also as an example on how to implement more complex
backends for the load balancing use case.
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
The reexport database code is designed to support multiple ways
to store the state.
So far only SQLite is implemented.
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
When a re-exporting NFS server reboots, none of the subvolumes are present.
This is because the NFS client code will mount only upon first access.
So, when we see an NFS handle with a yet unknown fsidnum, look up in
the reexport database for it.
If one is found, stat the path to trigger the mount.
That way stale NFS handles are avoided after a reboot.
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Detect the case when an NFS share is re-exported and assign an
fsidnum to it.
The fsidnum is read (or created) from the reexport database.
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
When re-exporting an NFS volume it is mandatory to specify
either a UUID or numerical fsid= option because nfsd is unable
to derive an identifier on its own.
For NFS cross mounts this becomes a problem because nfsd also
needs an identifier for every crossed mount.
A common workaround is stating every single subvolume in the
exports list too.
But this defeats the purpose of the crossmnt option and is tedious.
This is where the reexport= tries to help.
It offers various strategies to automatically derive an identifier
for NFS volumes and sub volumes.
Currently two strategies are implemented:
1. auto-fsidnum
In this mode mountd/exportd will create a new numerical fsid
for a NFS volume and subvolume. The numbers are stored in a database,
via fsidd, such that the server will always use the same fsid.
The entry in the exports file is allowed to skip the fsid= option but
stating a UUID is allowed, if needed.
This mode has the obvious downside that load balancing is by default not
possible since multiple re-exporting NFS servers would generate
different ids.
It is possible if all load balancers use the same database.
This can be achieved by using nfs-utils' fsidd and placing its sqlite
database on a network share which supports file locks or by implementing
your own fsidd which is able to provide consistent fsids across multiple
re-exporting nfs servers.
2. predefined-fsidnum
This mode works just like auto-fsidnum but does not generate ids
for you. It helps in the load balancing case. A system administrator
has to manually maintain the database and install it on all re-exporting
NFS servers. If you have a massive amount of subvolumes this mode
will help because you don't have to bloat the exports list.
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Add some helper functions which will be used by the reexport
mechanism to create and find fsidnums for re-exported NFS shares.
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
More information about RPC-with-TLS and some brief set-up guidance
are to be provided in a separate man page in Section 7.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Cc: Rick Macklem <rick.macklem@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
The overall goal is to enable administrators to require the use of
transport layer security when clients access particular exports.
This patch adds support to exportfs to parse, display, and push
into the kernel a new xprtsec= export option.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Clean up.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
The missing "-" means that "-S" isn't mentioned at all.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
If you try to mount from a server that is inaccessible you might get an
error like:
mount.nfs: No route to host
This is OK when running "mount" interactively, but hardly useful when
found in system logs.
This patch changes mount_error() to always include at least one of
mount_point and spec in any error message.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Currently the following setup causes failure:
1. /etc/exports:
/ *(rw,crossmnt,no_subtree_check,fsid=root)
2. /etc/nfs.conf:
[exports]
rootdir=/nfs_srv
3. Mounts:
/root/fs1.ext4 on /nfs_srv type ext4 (rw,relatime)
/root/fs2.ext4 on /nfs_srv/fs2 type ext4 (rw,relatime)
4. On the client:
$ ls /nfs_client/fs2
ls: cannot open directory '/nfs_client/fs2': Stale file handle
The problem is that next_mnt() misses the corner case that
every mount is a sub-mount of "/".
So it fails to see that /nfs_srv/fs2 is a mountpoint when the
client asks for fs2 and as a consequence the crossmnt mechanism
fails.
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Signed-off-by: Yongcheng Yang <yongcheng.yang@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2176740
Signed-off-by: Zhi Li <yieli@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
but not containing the nfs/<FQDN> principal
The nfs-client.target requires the auth-rpcgss-module.service, which in
turn requires the rpc-svcgssd.service. However, the rpc.svcgssd daemon
is unnecessary for an NFS client, even when using Kerberos security.
Moreover, starting this daemon with its default configuration will fail
when no nfs/<host>@REALM principal is in the Kerberos keytab. Thus,
resulting in a degraded system state for NFS client configurations
without nfs/<host>@REALM principal in the Kerberos keytab. However, this
is a perfectly valid NFS client configuration as the nfs/<host>@REALM
principal is not required for mounting NFS file systems. This is even
the case when Kerberos security is enabled for the mount!
Installing the gssproxy package hides this problem as this disables the
rpc-svcgssd.service.
Link: http://bugs.debian.org/985002
Link: https://salsa.debian.org/kernel-team/nfs-utils/-/merge_requests/23
Signed-off-by: Joachim Falk <joachim.falk@gmx.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2151971
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2151966
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
autoconf AC_SYS_LARGEFILE is used by configure to add needed defines
when needed for enabling 64bit off_t, therefore replacing statfs64 with
statfs should be functionally the same. Additionally this helps compiling
with latest musl where 64bit LFS functions like statfs64 and friends are
now moved under _LARGEFILE64_SOURCE feature test macro, this works on
glibc systems because _GNU_SOURCE macros also enables
_LARGEFILE64_SOURCE indirectly. This is not the case with musl and this
latest issue is exposed.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
JianHong reported some strange behavior with automounts on an nfs server
without an explicit pseudoroot. When clients issued a readdir in the
pseudoroot, automounted directories that were not yet mounted would show
up even if they weren't exported, though the clients wouldn't be able to
do anything with them.
The issue was that triggering the automount on a directory would cause
the mountd upcall to time out, which would cause nfsd to include the
automounted dentry in the readdir response. Eventually, the automount
would work and report that it wasn't exported and subsequent attempts to
access the dentry would (properly) fail.
We never want mountd to trigger an automount. The kernel should do that
if it wants to use it. Change the junction checks to do an O_PATH open
and use fstatat with AT_NO_AUTOMOUNT.
Cc: Chuck Lever <chuck.lever@oracle.com>
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2148353
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216777
Reported-by: JianHong Yin <jiyin@redhat.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Also remove double spaces.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Only try to load the auth_rpcgss kernel module if we are not executing
inside a Linux container. Otherwise, the auth-rpcgss-module service will
fail inside a Linux container as the loading of kernel modules is
forbidden for the container. Thus, the "/sbin/modprobe -q auth_rpcgss"
call will fail even if the auth_rpcgss kernel module is already loaded.
This situation occurs when the container host has already loaded the
auth_rpcgss kernel module to enable kerberized NFS service for its
containers. This behavior has been tested with kmod up to version
30+20220630-3 (current in bookworm as of 2022-09-20).
Bug-Debian: http://bugs.debian.org/985000
Discussion-Debian: https://salsa.debian.org/kernel-team/nfs-utils/-/merge_requests/7
Signed-off-by: Joachim Falk <joachim.falk@gmx.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
modules are loaded
sysctl settings (e.g. /etc/sysctl.conf and others) are normally loaded
once at boot. If the module that implements some settings is not yet
loaded, those settings don't get applied.
Various NFS modules support various sysctl settings. If they are loaded
after boot, they miss out.
Add a new udev rule configuration to udev/rules.d/60-nfs.rules to apply
the relevant settings when the modules are loaded.
Placing it in the systemd directory similarly as the choice for the
original commit afc7132dfb21 ("systemd: Apply all sysctl settings when
NFS-related modules are loaded").
Link: https://lore.kernel.org/linux-nfs/Y1KoKwu88PulcokW@eldamar.lan/
Link: https://bugs.debian.org/1022172
Link: https://bugs.debian.org/1024082
Suggested-by: Marco d'Itri <md@linux.it>
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
This reverts commit afc7132dfb212ac1f676a5ac36d29a9e06325645.
The approach caused problems with sysctl from busybox and with kmod as
reported in Debian (https://bugs.debian.org/1024082).
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
This reverts commit 5e60e38aa4ba251ef66610514be5f45c41519e0f.
This is part of the full revert of adding support via modprobe.d
configuration to set sysctl settings of NFS-related modules when loading
the modules.
The approach caused problems with sysctl from busybox and with kmod as
reported in Debian (https://bugs.debian.org/1024082).
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
This reverts commit 7d76dd2e6f09a141eb6303b7343baa5c4f9c85ad.
This is part of the full revert of adding support via modprobe.d
configuration to set sysctl settings of NFS-related modules when loading
the modules.
The approach caused problems with sysctl from busybox and with kmod as
reported in Debian (https://bugs.debian.org/1024082).
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
NFSv4.1 and later require the server to report a "scope". Servers with
the same scope are expected to understand each other's state ids etc,
though may not accept them - this ensures there can be no
misunderstanding. This is helpful for migration.
Servers with different scope are known to be different and if a server
appears to change scope on a restart, lock recovery must not be
attempted.
It is important for fail-over configurations to have the same scope for
all server instances. Linux NFSD sets scope to host name. It is common
for fail-over configurations to use different host names on different
server nodes. So the default is not good for these configurations and
must be over-ridden.
As discussed in
https://github.com/ClusterLabs/resource-agents/issues/1644
some HA management tools attempt to address this with calls to "unshare"
and "hostname" before running "rpc.nfsd". This is unnecessarily
cumbersome.
This patch adds a "-S" command-line option and nfsd.scope config value
so that the scope can be set easily for nfsd.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Without device specification, mount tries to mount an entry
from the /etc/fstab file. Hence, specify target "nfsd" to
make this command executable from the command line.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
From: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Also remove unneeded spaces.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
When nfs-blkmap.service is started, the PID file can't be opened. The
cause is that the child process does not create the PID file before
systemd reads the PID file.
Adding "ExecStartPost=/bin/sleep 0.1" to
/usr/lib/systemd/system/nfs-blkmap.service will probably solve this
problem. However, there is no guarantee that the above solution is
effective under high CPU pressure. So replace the daemon function with
the fork function, and put the behavior of creating the PID file in
the parent process to solve the above problems.
Signed-off-by: zhanchengbin <zhanchengbin1@huawei.com>
Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Update the man page to explicitly say setting
nfsv4=n turns off all v4 versions
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Later kernel versions convert NFS readpages to readahead so update
the counts accordingly.
Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
In function nfs_parse_square_bracket, hostname could be NULL,
dereferencing it in free(*hostname) may cause an unexpected segfault.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2136807
Signed-off-by: Zhi Li <yieli@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
The serial->data is not malloced separately (just part of
the serial), so it can't be freed. The bl_serial has its
own free function. Use it.
Signed-off-by: Lixiaokeng <lixiaokeng@huawei.com>
Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
In the example /etc/nfs.conf file, most sections include
a commented-out 'debug = 0' line, suggesting that '0' is
the default. In addition, the manpages for some of the
utilities state that debugging can be enabled by setting
'debug = 1' in the nfs.conf file.
However, neither '0' nor '1' is accepted as a valid option
for 'debug' while parsing the nfs.conf file.
Add '0' and '1' to the valid strings when parsing 'debug',
with '0' not changing any debugging settings, and '1'
enabling all debugging.
Signed-off-by: Frank Sorenson <sorenson@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
regex.c:545:43: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
struct trans_func *libnfsidmap_plugin_init()
^
void
See: 167f2336b06e1bcbf26f45f2ddc4a535fed4d393
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
This allows to make libmount not mandatory but depending on nfsrahead
since it only requires it. This is useful when cross-compiling because
in that case we need rpcgen only built for host but not nfsrahead that
also requires libmount. So this reduces the dependencies for host
building.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
The systemctl stop nfs-blkmap.service will send the SIGTERM signal
to the nfs-blkmap.service first. If the process fails to be stopped,
it sends the SIGKILL signal again to kill the process.
However, exit(1) is executed in the SIGTERM processing function of
nfs-blkmap.service. As a result, systemd receives an error message
indicating that nfs-blkmap.service failed.
"Active: failed" is displayed when the systemctl status
nfs-blkmap.service command is executed.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: zhanchengbin <zhanchengbin1@huawei.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
-lmount must precede -lblkid and to obtain this let's add in configure.ac:
PKG_CHECK_MODULES([LIBMOUNT], [mount])
and in tools/nfsrahead/Makefile.am let's substitute explicit `-lmount`
with:
$(LIBMOUNT_LIBS)
This way all the required libraries will be present and in the right order
when static linking.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Clang is now erroring out on functions without parameter types.
Fixes errors like
error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>