| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two global "struct stat_paths" structures: etab and rmtab.
They are currently needed by some library code so any program which is
linked with that library code needs to declare the structures even if it
doesn't use the functionality. This is clumsy and error-prone.
Instead: have the library declare the structure and put the definition
in a header file. Now programs only need to know about these structures
if they use the functionality.
'rmtab' is now declared in libnfs.a (rmtab.c). 'etab' is declared in
export.a (xtab.c).
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since v4.17 the timestamp written to 'flush' is ignored,
so there isn't much point choosing too precisely.
For kernels since v4.3-rc3-13-g778620364ef5 it is safe
to write 1 second beyond the current time.
For earlier kernels, nothing is really safe (even the current
behaviour), but writing one second beyond the current time isn't too bad
in the unlikely case the people use a new nfs-utils on a 5 year old
kernel.
This remove a dependency for libnfs.a on 'etab' being declare,
so svcgssd no longer needs to declare it.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some filesystems cannot be exported without an fsid or uuid.
tmpfs is the main example.
When mountd (or exportd) creates nfsv4 pseudo-root exports for the path
leading down to an export point it exports each directory without any
fsid or uuid. If one of these directories is on tmpfs, that will fail.
The net result is that exporting a subdirectory of a tmpfs filesystem
will not work over NFSv4 as the parents within the filesystem cannot be
exported. It will either fail, or fall-back to NFSv3 (depending on the
version of the mount.nfs program).
To fix this we need to provide an fsid or uuid for these pseudo-root
exports. This patch does that by creating an RFC-4122 V5 compatible
UUID based on an arbitrary seed and the path to the export.
To check if an export needs a uuid, text_export() is moved from exportfs
to libexport.a, modified slightly and renamed to export_test().
Reported-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The decrement of the "ple" refcount is not protected so it can race with
increments or decrements from other threads. An increment could be lost
and then the ple would be freed early, leading to memory corruption.
So use the mutex to protect decrements (increments are already
protected).
As gssd_destroy_krb5_principals() calls release_ple() while holding the
mutex, we need a "release_pte_locked()" which doesn't take the mutex.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
FHS 3.0 deprecated /var/run in favour of /run.
FHS 3.0 was released over 5 years ago.
I think it is time for nfs-utils to catch up.
Note that some places, particularly systemd unit files, already use just
"/run".
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Yongcheng Yang <yongcheng.yang@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code that has been added to strip trailing slashes from path in
unexportfs_parsed() forgot to account for the case of the root
directory, which is simply '/'. In that case it accesses path[-1] and
reduces the path to an empty string, which then fails to match any
export.
Fix it by stopping the stripping when the path is just a single
character - it doesn't matter if it's a '/' or not, we want to keep it
either way in that case.
Reproducer:
exportfs localhost:/
exportfs -u localhost:/
Without this patch, the unexport step fails with "exportfs: Could not
find 'localhost:/' to unexport."
Fixes: a9a7728d8743 ("exportfs: Deal with path's trailing "/" in unexportfs_parsed()")
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1941171
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFSv4 does not have a MOUNT request like NFSv3 does (via the MOUNT
protocol). So these cannot be logged.
NFSv4 does have SETCLIENTID and EXCHANGE_ID. These are indirectly
visible though changes in /proc/fs/nfsd/clients.
When a new client attaches, a directory appears. When the client
detaches, through a timeout (v4.0) or DESTROY_SESSION (v4.1+)
the directory disappears.
This patch adds tracking of these changes using inotify, with log
messages when a client attaches or detaches.
Unfortuantely clients are created in two steps, the second being a
confirmation. This results in a temporary client appearing and
disappearing. It is not possible (in Linux 5.10) to detect the
unconfirmed client, so extra attach/detach messages are generated.
This patch also moves some cache* function declarations into a header
file, and makes a few related changes to #includes.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The DEFAULT_TTL affects the rate at which authentication messages are
logged. So it is useful to make it settable.
Add "-ttl" and "-T", and add clear statement in the documentation of
both the benefits and the possible negative effects of choosing a larger
value
Signed-off-by: NeilBrown <neil@brown.name>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When logging authentication requests, it can be easier to read the logs
if clients are always identified by IP address, not intermediate names
like netgroups or subnets.
To allow this, add --cache-use-ipaddr or -i which tell mountd to always
enable use_ipaddr.
Signed-off-by: NeilBrown <neil@brown.name>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When NFSv3 is used to mount a filesystem, success/failure messages are
logged by mountd and can be used for auditing. When NFSv4 is used,
there is no distinct "MOUNT" request, and nothing is logged.
We can instead log authentication requests from the kernel. These will
happen regularly - typically every 15 minutes of ongoing access - so
they may be too noisy, or might be more useful. As they might not be
wanted, make them selectable with the "AUTH" facility in xlog().
Add a "-l" to enable these logs. Alternately "debug = auth" will have
the same effect.
The same changes are made to both rpc.mountd and nfsv4.exportd.
Signed-off-by: NeilBrown <neil@brown.name>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The text in the manpages about the export table is a bit outdated, and
doesn't mention the in-kernel cache which is an import part of
that table.
As a future patch will enable logging of updates to that cache, it is
important to have the caching behaviour documented. So update that
section of both man pages, and make a few other minor improvements.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since commit 2f682f25c642fcfe7c511d04bc9d67e732282348 $HOME
has been set to '/' to avoid a deadlock when accessing
Kerberized NFS shares. While this works for most use cases,
users who depend on the use of $HOME/.k5identity files are
negatively impacted by this commit. This patch allows for
users to use their $HOME/.k5identity to access subsequent
Kerberized resources based on the credentials in said file.
The default set by commit 2f682f25c still remains the same,
but a user can pass '-H' to change rpc.gssd behavior to not
set $HOME to '/'. Setting 'set-home=0' in /etc/nfs.conf
has the same effect as passing '-H' directly to rpc.gssd.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1868087
Signed-off-by: Jacob Shivers <jshivers@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
| |
Ported manage-gids option from mountd
Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
Added the --enable-nfsv4server configuration flag
that will compile/install nfsv4.exportd and
install the systemd unit files.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
| |
Moved the junction support from mountd to libexport.a
so both exportd and mountd can use the code.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
| |
Ported state-directory-path option from mountd (commit a15bd948)
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
| |
Ported the multiple thread code from mountd (commit 11d34d11)
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Move the cache management code into libexport.a
so both mountd and exportd can use it.
Introduce cache_proccess_loop() which will
be used by exportd, instead of my_svc_run().
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
| |
Standardized how config setting are set as
well as the rename
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent patch to change configfile.c to use parse_opt.c contained code
which was intended to remove all "default*" options from the list before
that could be passed to the kernel. This code didn't work, so default*
options WERE passed to the kernel, and the kernel complained and failed
the mount attempt.
A more recent patch attempted to fix this by not including the
"default*" options in the option list at all. This resulting in
global-default defaults over-riding per-mount or per-server defaults.
This patch reverse the "more recent" patch, and fixes the original patch
by providing correct code to remove all "default*" options before the
kernel can see them.
Fixes: 88c22f924f1b ("mount: convert configfile.c to use parse_opt.c")
Fixes: 8142542bda28 ("mount: parse default values correctly")
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 88c22f92 converted the configfile.c routines
to use the parse_opt interfaces which broke how
default values from nfsmount.conf are managed.
Default values can not be added to the mount string
handed to the kernel. They must be interpreted into
the correct mount options then passed to the kernel.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1912877
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
As with security flavors and "secure" ports, we tried to code this so
that pseudofs directories would inherit root squashing from their
children, but it doesn't really work as coded and I'm not sure it's
useful.
Let's just not root squash. The risk is pretty low since the pseudofs
is readonly, and we'd rather not risk failing a mount unnecessarily.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We originally tried to grant permissions on the v4 pseudoroot filesystem
that were the absolute minimum required for a client to reach a given
export. This turns out to be complicated, and we've never gotten it
quite right. Also, the tradition from the MNT protocol was to allow
anyone to browse the list of exports.
So, do as we already did with security flavors and just allow clients
from high ports to access the whole pseudofilesystem.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Multiple changes including:
- using \[dq] for double quotes rather than \(lq and \(rq.
In almost every case, a regular ASCII double quote is being
referred to, so that is what we should use.
- clean up indenting in examples.
- be explicit about case-insensitive matching.
- give more details about permitted options, including the
need to use =true and =false for flags
- explain Backgroud, Forground and Sloppy
- remain trailing white space
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If there is already an option specifying the protocol version, whether
from the command line or from an earlier config section, don't add new
version options.
There are multiple different version options, so they need to be handled
differently from other options. There could in the future be more
options that start "v4.", e.g. "v4.3" might happen one day. So rather
than list possible "v4.x" options, handle "v4." separately.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When reading from the config file, we already ignore options that exist
on the command line, or that were already found earlier in the config
file. However this only works for exact matches of options.
e.g. if "noac" is on the command line and "ac=true" is in the config file,
then "ac" will be added, and this will be used.
Add tests for the "no" prefix, and also for "fg" vs "bg", so that if
"fg" is set on the command line, a "bg" or "background" setting in the
config file does not over-ride it.
Note that this *doesn't* handle the different protocol version
specifiers. That will come later.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
configfile.c contains some ad-hoc parsing of the comma-separated option
list, which uses a simple 'strstr' and can find options that don't
really match the searched-for option (the found options might have a
prefix).
It also has a list of options which duplicates the functionality in
parse_opt.
This can be simplified by using parse_opt directly. We split the
original arguments, optionally append new arguments if they don't
already exist, then recombine.
"defaultfoo" config options require special handling. The
default_value() call is now made as soon as the option has been parsed.
It is left on the options list so that new instances of the value are
ignored. Then all "defaultfoo" options are remove from the list at the
end.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 8110103404b35d9e86057ef0764f8aa87585f455.
Using mnt_alias_tab[] to handle options which are synonyms isn't really
a good fit. This sort-of works, but in part only because 'strstr()'
is used for matching so "vers=" is found when "nfsvers=" is present.
This doesn't handle other version-setting options like v2, v3, v4.x.
So remove this commit to make room for a better solution.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The NFS version can be requested with multiple different options:
v2 v3 v4 v4.x vers=x nfsvers=
If multiple versions are given with different options, the choice of
which wins is quite ideosyncratic. It certainly isn't simple "last one
wins" as with some other options.
Rather than providing a coherent rule, simply make multiple version
specifiers illegal.
This requires enhancing po_contains_prefix() to be able to look beyond
the first match, it see if there are multiple matches with the same
prefix, as well as checking all prefixes to see if more than one
matches.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
While space at end of line is ugly.. especially when your editor is
configured to show it in RED.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Presumably by mistake in commit [1] the unknown option 'i' slipped in together
with a duplicated 't', so remove them from the optstring.
[1] fbd7623dd8d5 ("nfsd: don't enable a UDP socket by default")
Signed-off-by: Ulrich Olmann <u.oelmann@pengutronix.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
Years ago, commit 6a7d90cea765 removed the warning
this verbiage was talking about, but was never
removed from the man page.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
| |
Update the man pages to explain how the config.d
directories will be use.
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
After updating to nfs-utils-2.5.2 I noticed extra output on the console
when exporting mounts. Apparently commit 482e72ba04 forgot to remove some
debugging messages and accidentally committed them.
Signed-off-by: Holger Hoffst?tte <holger@applied-asynchrony.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
Added the missing v3-only mount option to
list that should cause v4 mount to fail.
Found-by: Kenneth D'souza <kdsouza@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
| |
Unfortunately the nfsdcld man page wasn't told.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
If the mount point check in nfsd_export fails due to a transient error,
then ignore it to avoid spurious NFSERR_STALE errors being returned by
knfsd.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
| |
Return ENOENT if the UID/GID attributes are not found in ldap response.
Signed-off-by: Srikrishan Malik <srikrishanmalik@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Commit 93e8f092e added a conf_cleanup() call to clean
up memory after the config file was parsed. It turns
out that memory still needed and it is not very much
so the call is removed.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1873965
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
| |
Removed an errant call to gss_release_oid()
to try and deal with memory leaks
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When an export is freshly mounted, /proc/self/mountstats displays age = 0.
This causes nfs-iostat to divide by zero throwing an error.
When we have age = 0, other stats are greater than 0, so we'll set age = 1 and
print the relevant stats.
This will prevent a backtrace like this from occurring if nfsiostat is run.
nfsiostat -s 1
Traceback (most recent call last):
File "/usr/sbin/nfsiostat", line 662, in <module>
iostat_command(prog)
File "/usr/sbin/nfsiostat", line 644, in iostat_command
print_iostat_summary(old_mountstats, mountstats, devices, sample_time, options)
File "/usr/sbin/nfsiostat", line 490, in print_iostat_summary
devicelist.sort(key=lambda x: stats[x].ops(time), reverse=True)
File "/usr/sbin/nfsiostat", line 490, in <lambda>
devicelist.sort(key=lambda x: stats[x].ops(time), reverse=True)
File "/usr/sbin/nfsiostat", line 383, in ops
return (sends / sample_time)
ZeroDivisionError: float division by zero
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
| |
-v means only error
-vv errors and informational messages
-vvv all debugging messages will be displayed
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Commit 27a8e146 introduce a debugging message
that was not cover by a check if verbose
is set, which cause a large number of message
to be logged on every kerberos mount
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1867172
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The inotify event was never rearmed, so we wouldn't get any notice
after the first event. Even if it had been re-added, we never read
the pending events so it would continously fire. Fix this by
moving to persistent events and reading any pending inotify events.
Effect was we'd leak any clients that existed after the first event.
Switch from dnotify to inotify on the client dir if the idmap file
isn't available yet.
Signed-off-by: Doug Nazar <nazard@nazar.ca>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Doug Nazar <nazard@nazar.ca>
Signed-off-by: Steve Dickson <steved@redhat.com>
|
