[Bug 193953] vlan(4) on LACP lagg(4) do not update if_baudrate value and thus SNMP daemons do not provide high capacity counters

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193953

--- Comment #16 from Marek Zarychta  ---
Thank you for the MFC[1] to stable/13 Wojciech. I am not the reporter, but it's
probably time to close this almost 8 years old bug.

[1] https://cgit.freebsd.org/src/commit/?id=067a4b656b9b

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.

Re: NFSv4 on MacOS Monterey

[Rick Macklem]

Adonis Peralta  wrote:
> Rick Macklem  wrote:
> > Yep, as noted above, they aren't supported and will not work. FreeBSD uses 
> > the Linux style extended
> > attribute model, not the resource fork/subfile one that Mac OSX and Solaris 
> > use.
> >
>
> Is this still the case if the shares are on ZFS?
Yes.

> Is there any info on when or if FreeBSD will get namedattr support?
It has been discussed and I have seen no indication that namedattr/
resource forks will ever be implemented. The same appears to be
true of Linux. I recall that there were significant issues related to userspace
things like archivers, etc. There would also be significant changes needed
to the VOP/VFS, since resource forks (or whatever you call them) are really
files in a different namespace.

rick


--
Adonis

Re: NFSv4 on MacOS Monterey

[Adonis Peralta]

>> mountd_enable="YES"
> Since you have specified nfsv4_server_only, mountd will be configured 
> correctly (using the -R),
> so this line is not needed (although I don't thing it will cause trouble).

Got it.

>> My configuration is as follows:
>>
>> SERVER CONFIGURATION
>>
>> OS: FreeBSD 13.1
>>
>> ===
>> /etc/rc.conf
>> # NFS Configuration
>> nfs_server_enable="YES"
>> nfs_server_flags="-u -t -n 4"
> 4 is very small, although that will only be a performance issue.

Increased to 12.

>> ===
>> /etc/sysctl.conf
>> # Asks nfsd to convert remote uids/gid encoded as numeric strings to be 
>> mapped to an actual uid/gid
>> vfs.nfsd.enable_stringtouid=1
> You probably do not want this. Since you are running nfsuserd, it will be 
> mapping between
> the client uid/gid <-> the names for the Getattr/Setattr.
> If the Mac OSX client does not have "adonis" in its password database, that 
> will be a problem.
> (These mappings have nothing to do with the uid/gids in the RPC header. The 
> latter is used
>  to set the credentials for the RPC against the server. In your case, 
> completely ignored.
>  The name<->uid/gid mappings are used for Setattr/Getattr. Things like 
> "chmod", "stat"...)
>

Ok got it. So by default /etc/passwd doesn't have my user "adonis" but 
/etc/passwd on MacOS states:

===
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode.  At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
===

I believe there shouldn't be a problem because as I state a little down below 
MacOS is sending the uid/gid as names as per below:

>> /etc/sysctl.conf
>> # Asks nfsd to convert remote uids/gid encoded as numeric strings to be 
>> mapped to an actual uid/gid
>> vfs.nfsd.enable_stringtouid=1
> You probably do not want this. Since you are running nfsuserd, it will be 
> mapping between
> the client uid/gid <-> the names for the Getattr/Setattr.
> If the Mac OSX client does not have "adonis" in its password database, that 
> will be a problem.
> (These mappings have nothing to do with the uid/gids in the RPC header. The 
> latter is used
>  to set the credentials for the RPC against the server. In your case, 
> completely ignored.
>  The name<->uid/gid mappings are used for Setattr/Getattr. Things like 
> "chmod", "stat"...)
>
>> # Applies to both nfs server and client. Asks client/server to send numeric 
>> strings for uid/gid.
>> ### vfs.nfs.enable_uidtostring=0
> For a server, you either set both of the above to 1 and do not run the 
> nfsuserd or set both of the
> above to 0 and set them both to 0. I do not know if Mac OSX knows how to do 
> the "uid/gid" in
> the string for Getattr/Setattr, That is what you are doing when the above are 
> set to 1 and is the
> default for Linux, plus works for FreeBSD so long as you are not using 
> Kerberized mounts.
> (To know, you would need to look a Setattr RPC done by the Mac OSX client in 
> wireshark for
>  either "chgrp" or "chown" and see how the Owner/Owner_Group string is 
> formatted. A number
>  or a "name@domain".)
>

I inspected the packet trace for what MacOS sends for setattr when doing 
something like "chown adonis:wheel on a file" and indeed it does send name 
strings for OWNER and OWNER_GROUP in the following format "ado...@rambo.lan for 
OWNER" and "wh...@rambo.lan for OWNER_GROUP".

Given that, I set vfs.nfsd.enable_stringtouid back to 0.

>> 2. Extended attributes don't work at all. Here is the result:
>> ===
>> $ cd /Volumes/media
>> $ touch test.txt
>> $ xattr -w com.example.color blue test.txt
>>
>> # Result: xattr: [Errno 1] Operation not permitted: 'test.txt' #
>> ===
> Yep, as noted above, they aren't supported and will not work. FreeBSD uses 
> the Linux style extended
> attribute model, not the resource fork/subfile one that Mac OSX and Solaris 
> use.
>

Is this still the case if the shares are on ZFS? Is there any info on when or 
if FreeBSD will get namedattr support?

-- 
Adonis

Re: NFSv4 on MacOS Monterey

[Rick Macklem]

Rick Macklem  wrote:
> Adonis Peralta  wrote:
[stuff snipped]
> > OS: FreeBSD 13.1
[more stuff snipped]

> > RESULTS
> >
> > What I see when I connect via finder is the following:
> >
> > 1. I am able to read/write to the shares since /etc/exports contains the 
> > -mapall line, yet inspecting a packet > trace shows me:
> >
> > ===
> > packet #1
> > ---
> > client ip -> server ip Operations (count: 3): PUTFH, ACCESS, GETATTR
> > Opcode: PUTFH (22)
> > Opcode: ACCESS (3), [Check: RD LU MD XT DL XE]
> > Opcode: GETATTR (9)
> >
> > packet #2
> > ---
> > server ip -> client ip Operations (count: 3)
> > Opcode: PUTFH (22)
> > Opcode: ACCESS (3), [NOT Supported: XE], [Access Denied: MD XT DL], 
> > [Allowed: RD LU]
> > Status: NFS4_OK (0)
> > Supported types (of requested): 0x1f
> >Access rights (of requested): 0x03
> > ...1 = 0x001 READ: allowed
> > ..1. = 0x002 LOOKUP: allowed
> > .0.. = 0x004 MODIFY: *Access Denied*
> > 0... = 0x008 EXTEND: *Access Denied*
> >...0  = 0x010 DELETE: *Access Denied*
> This is saying that the uid for "adonis" on the server does not have write 
> access to the file.
> 
> > Opcode: GETATTR (9)
> > ===
> >
> > Why is MD, XT, DL coming up as Access Denied if I can read/write to the > 
> > share?
> Hmm, not sure. If you were to show all the reply fields for the Getattr, then 
> > I could probably guess.
> It might be Owner (is it "ado...@rambo.lan"). it could be ACLs. To check 
> those, you should be able to
> do whatever the Mac OSX equivalent to getfacl is.
I suspect this might be caused by what is called OwnerOverride.
It is a long standing tradition in NFS servers to allow the owner of a
file to read/write the file despite what the file mode/ACL says.

Why?
Well, because unlike POSIX, NFS servers check permissions on every
Read/Write instead of only upon the POSIX open(2).
Without this, POSIX applications that first open(2) a file and then chmod(2)
the file to a mode that does not allow further open(2)s of the same type,
will break badly on NFS mounts. (NFS is not and will never be a POSIX
compliant file system, due to the protocol.)

This "cheat" of allowing the Owner access regardless, allows most of these
POSIX programs to work over NFS. (And since the owner of the file
can chmod/Setattr of mode at any time, it is not considered a security hole.)

Now, for NFSv4, there is an Open (a form of Windows lock, not a POSIX
open).  It should fail for the case where it is not doing a Create and the
permissions are not allowed. (This check was only added to the FreeBSD
server recently, when it was identified as not doing the check, unlike
Linux and Solaris. However, this check is in 13.1.)

I can only conjecture that the NFSv4 Open specified Create in this case
and, as such, the check was not applied.

NFSv4 clients are expected to use the reply to Access to decide whether
or not to permit the POSIX open(2). It appears that the Mac OSX client
may not be doing this?

rick

> I have a feeling this is because UID/GID mapping is not happening correctly. 
> I can see in the packet trace >that FreeBSD's `nfsd` is sending some 
> credentials as `ado...@rambo.lan`, but MacOS's nfs client is sending uid 501 
> and gid 20 for my user in the RPC credentials. I don't see how `nfsd` will be 
> able to map uid 501, gid 20 to the server's uid and gid and instead I was 
> expecting `ado...@rambo.lan` to be sent for credentials from the client side.
As noted above, with "-mapall" the uid/gids in the RPC header are completely 
ignored.

> The link below tells me that this is an inherent issue with NFSv4?
> https://dfusion.com.au/wiki/tiki-index.php?page=Why+NFSv4+UID+mapping+breaks+with+AUTH_UNIX
>
> 2. Extended attributes don't work at all. Here is the result:
> ===
> $ cd /Volumes/media
> $ touch test.txt
> $ xattr -w com.example.color blue test.txt
>
> # Result: xattr: [Errno 1] Operation not permitted: 'test.txt' #
> ===
Yep, as noted above, they aren't supported and will not work. FreeBSD uses the 
Linux style extended
attribute model, not the resource fork/subfile one that Mac OSX and Solaris use.

rick

--
Adonis

[Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264193

Kristof Provost  changed:

   What|Removed |Added

 CC||k...@freebsd.org

--- Comment #1 from Kristof Provost  ---
Created attachment 234397
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=234397=edit
Teset case

I can't seem to reproduce this here. The attached test cases passes on main and
stable/13 for me.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Re: make NFSv3 default now on diskless

[Konstantin Belousov]

On Thu, Jun 02, 2022 at 08:03:05PM +, Rick Macklem wrote:
> John-Mark Gurney  wrote:
> > Rick Macklem wrote this message on Thu, Jun 02, 2022 at 14:44 +:
> > > John-Mark Gurney  wrote:
> > > > I just booted FreeBSD-current diskless, using NFS root, and I ended
> > > > up having issues because by default, NFS root is only v2.
> > > >
> > > > One of things that happened was disk space available was listed as
> > > > -138G, or -144830429K.  I assume this is because the server is reporting
> > > > TBs instead.
> > > Yes. NFSv2 uses 32bit sizes.
> > 
> > Should we make the NFS server clamp various sizes then?  instead of 
> > reporting
> > negative numbers?  (Sorry if this is already done on newer versions of
> > FreeBSD, my server is a bit old.)
> My recollection (from long ago) is that, although the RFC defined them as 
> 32bit signed,
> some implementations choose to mid-interpret them as unsigned, so that 4G was 
> supported
> instead of 2G.
> 
> Having said that, I agree with you that you should just use NFSv3 now. (Many 
> servers are
> dropping NFSv2 support entirely.)
> 
> > > > If I mount via mount_nfs, the sizes are normal/correct because it mounts
> > > > v3.
> > > I believe most specify "nfsv3" in the "/" mount line of /etc/fstab on the
> > > remote root fs. Then, when the system does a "mount -u" to make it
> > > read/write it gets toggled to NFSv3.
> > 
> > well, I tried doing a:
> > mount -u -o nfsv3 /
> It used to work when it was in /etc/fstab, when going from read-only to 
> read-write,
> from what I recall.
> 
> > on the system and this didn't work switch over to v3, it was still on
> > v2..
> >
> > I haven't specified nfsv3 in /etc/fstab, but IMO, this should be the
> > default..
> Since NFSv3 is the default, it might not need to be explicit. I can't recall.
> 
> > 
> > Also, I'm right now booting single user mode, because I'm -mapall to
> > a user, and lots of FreeBSD breaks when files aren't uid 0, and there
> > doesn't appear to be a way to remap the uid to root (that I have found)..
> Yep. It would take effect when going multi-user.
> 
> "-mapall=root", although that is not a recommended security setting.
> Why don't you just allow the client to use whatever uid it  would normally
> use instead of "-mapall"?
> 
> > > > The other issue that I ran into is that NFSv2 can't access >4GB files
> > > > (or create them).
> > > As above, NFSv2 uses 32bit sizes.
> > >
> > > > Anyone object to adding BOOTP_NFSV3 to GENERIC?
> > > Well, that option only works when used with BOOTP_NFSROOT.
> > > The GENERIC configs for amd64, arm64,... use the other way.
> > > (Just to make it confusing, there are two different ways an NFS root
> > >  fs is set up.)
> > > See below.
> > >
> > > >  Or maybe making it a
> > > > tunable that defaults to set, because it seems a bit crazy to default
> > > > to v2 these days.
> > > I don't think changing the default to NFSv3 will be a problem.
> > > The reason it was NFSv2 was that,
> > > for some non-FreeBSD NFS servers, the NFSv3 file handle is different
> > > than the NFSv2 one.
> > >
> > > I added NFSv3 support to stand/libsa/nfs.c about 15years ago, so every
> > > system should be running the newer NFS code in the loader and be able
> > > to do NFSv3 booting.
> > >
> > > > This option was added in 432aad0e in 1997 so that the nfs_diskless
> > > > structure didn't need to be filled out.  Does anything even
> > > > populate/fill it out anymore?  I saw code in i386/i386/locore.s that
> > > > does this, but it doesn't appear anywhere else.
> > > Yes. For "options NFS_ROOT" (the other way), the loader uses
> > > "stand/libsa/nfs.c" to acquire the remote file system's root file handle
> > > and fills it in. (See nfs_setup_diskless() in sys/nfs/nfs_diskless.c.)
> > > Looking at it, it appears to enable NFSv3 so long as it finds
> > > "boot.nfsroot.nfshandlelen" set.
> >
> > Well, I'm not seeing that, and this system is booting via
> > pxeboot+loader, so maybe something is broken?
> If it's an up to date (within last 10+ years then, yes, it sounds like it
> might be broken. However, I'm not a loader guy...
> 
> You can set it manually at the loader prompt to "28" and then see if it
> boots are is running NFSv3.
> 
> I have no way of testing/debugging this. Maybe you can figure out why the
> loader isn't setting "boot.nfsroot.nfshandlelen" to 28?

I have did several (> 5) lab setups with NFS booting, and it was always
like you described:

kernel config:
options NFS_ROOT

/boot/loader.conf
boot.nfsroot.options="nolockd"
nfscl_load="YES"
(yes, my nfscl.ko is a module)

/etc/fstab (an example)
192.168.130.1:/usr/home/netboot/zoo/r-freeb44   /   nfs rw,nolockd  
0   0

and in dhcpd.conf
host r-freeb44.zoo {
  hardware ethernet 28:80:23:a2:37:bc;
  fixed-address r-freeb44.zoo;
  next-server rott.zoo;
  filename "pxeboot";
#  filename "loader.efi";
  option root-path "192.168.130.1:/usr/home/netboot/zoo/r-freeb44";
}
You need pxeboot (or loader.efi) 

Re: make NFSv3 default now on diskless

[Rick Macklem]

John-Mark Gurney  wrote:
> Rick Macklem wrote this message on Thu, Jun 02, 2022 at 14:44 +:
> > John-Mark Gurney  wrote:
> > > I just booted FreeBSD-current diskless, using NFS root, and I ended
> > > up having issues because by default, NFS root is only v2.
> > >
> > > One of things that happened was disk space available was listed as
> > > -138G, or -144830429K.  I assume this is because the server is reporting
> > > TBs instead.
> > Yes. NFSv2 uses 32bit sizes.
> 
> Should we make the NFS server clamp various sizes then?  instead of reporting
> negative numbers?  (Sorry if this is already done on newer versions of
> FreeBSD, my server is a bit old.)
My recollection (from long ago) is that, although the RFC defined them as 32bit 
signed,
some implementations choose to mid-interpret them as unsigned, so that 4G was 
supported
instead of 2G.

Having said that, I agree with you that you should just use NFSv3 now. (Many 
servers are
dropping NFSv2 support entirely.)

> > > If I mount via mount_nfs, the sizes are normal/correct because it mounts
> > > v3.
> > I believe most specify "nfsv3" in the "/" mount line of /etc/fstab on the
> > remote root fs. Then, when the system does a "mount -u" to make it
> > read/write it gets toggled to NFSv3.
> 
> well, I tried doing a:
> mount -u -o nfsv3 /
It used to work when it was in /etc/fstab, when going from read-only to 
read-write,
from what I recall.

> on the system and this didn't work switch over to v3, it was still on
> v2..
>
> I haven't specified nfsv3 in /etc/fstab, but IMO, this should be the
> default..
Since NFSv3 is the default, it might not need to be explicit. I can't recall.

> 
> Also, I'm right now booting single user mode, because I'm -mapall to
> a user, and lots of FreeBSD breaks when files aren't uid 0, and there
> doesn't appear to be a way to remap the uid to root (that I have found)..
Yep. It would take effect when going multi-user.

"-mapall=root", although that is not a recommended security setting.
Why don't you just allow the client to use whatever uid it  would normally
use instead of "-mapall"?

> > > The other issue that I ran into is that NFSv2 can't access >4GB files
> > > (or create them).
> > As above, NFSv2 uses 32bit sizes.
> >
> > > Anyone object to adding BOOTP_NFSV3 to GENERIC?
> > Well, that option only works when used with BOOTP_NFSROOT.
> > The GENERIC configs for amd64, arm64,... use the other way.
> > (Just to make it confusing, there are two different ways an NFS root
> >  fs is set up.)
> > See below.
> >
> > >  Or maybe making it a
> > > tunable that defaults to set, because it seems a bit crazy to default
> > > to v2 these days.
> > I don't think changing the default to NFSv3 will be a problem.
> > The reason it was NFSv2 was that,
> > for some non-FreeBSD NFS servers, the NFSv3 file handle is different
> > than the NFSv2 one.
> >
> > I added NFSv3 support to stand/libsa/nfs.c about 15years ago, so every
> > system should be running the newer NFS code in the loader and be able
> > to do NFSv3 booting.
> >
> > > This option was added in 432aad0e in 1997 so that the nfs_diskless
> > > structure didn't need to be filled out.  Does anything even
> > > populate/fill it out anymore?  I saw code in i386/i386/locore.s that
> > > does this, but it doesn't appear anywhere else.
> > Yes. For "options NFS_ROOT" (the other way), the loader uses
> > "stand/libsa/nfs.c" to acquire the remote file system's root file handle
> > and fills it in. (See nfs_setup_diskless() in sys/nfs/nfs_diskless.c.)
> > Looking at it, it appears to enable NFSv3 so long as it finds
> > "boot.nfsroot.nfshandlelen" set.
>
> Well, I'm not seeing that, and this system is booting via
> pxeboot+loader, so maybe something is broken?
If it's an up to date (within last 10+ years then, yes, it sounds like it
might be broken. However, I'm not a loader guy...

You can set it manually at the loader prompt to "28" and then see if it
boots are is running NFSv3.

I have no way of testing/debugging this. Maybe you can figure out why the
loader isn't setting "boot.nfsroot.nfshandlelen" to 28?

> > > There also appears to possibly be a way via mount options, but I can't
> > > see where it's documented to set them.
> > I think you just specify "nfsv3" as a mount option in the root fs
> > line in /etc/fstab on the root fs on the NFS server.
>
> See above, this doesn't appear to work, or doesn't work the way I think
> it should...
Well, maybe I just don't recall correctly.

>
> > I don't think changing the default to NFSv3 will be a problem.
> > The hassle is testing the various cases, to make sure nothing
> > breaks. I have no diskless setup to do testing and I don't even know
> > when installs/upgrades actually replace the loader?
>
> Well, this diskless was easier to setup than I expected, partly
> because I already had most of the infrastructure together (from
> netbooting another machine).  Put pxeboot on a tftp server, configure
> the dhcp server to send the correct 

Re: NFSv4 on MacOS Monterey

[Rick Macklem]

Adonis Peralta  wrote:
> I have some NFSv4 (sec=sys) shares on FreeBSD 13.1 which I'm trying to 
> connect correctly with MacOS 12.4 > Monterey.
> I got the basics down but don't think I have permissions and extended 
> attributes working correctly.
Well, here are a few comments. Note that I haven't used Mac OSX in over a 
decade, so I don't remember
much of anything about it.

> My configuration is as follows:
> 
> SERVER CONFIGURATION
>
> OS: FreeBSD 13.1
>
> ===
> /etc/rc.conf
> # NFS Configuration
> nfs_server_enable="YES"
> nfs_server_flags="-u -t -n 4"
4 is very small, although that will only be a performance issue.

> mountd_enable="YES"
Since you have specified nfsv4_server_only, mountd will be configured correctly 
(using the -R),
so this line is not needed (although I don't thing it will cause trouble).

> ### mountd_flags="-R"
> ### rpcbind_enable="YES"
> ### rpc_lockd_enable="YES"
>### rpc_statd_enable="YES"
> # Enable NFSv4
> nfsv4_server_enable="YES"
> nfsv4_server_only="YES"
> nfsuserd_enable="YES"
> nfsuserd_flags="-domain rambo.lan"
> ===
> 
> ===
> /etc/exports
> # Exports Configuration
> /drivepool/backups -alldirs -mapall=adonis:wheel
> /drivepool/media -alldirs -mapall=adonis:wheel
> /drivepool/home/adonis -alldirs -mapall=adonis:wheel
> /drivepool/public -mapall=adonis:wheel
These lines mean that the uid/gids in the RPC headers will be ignored and all
RPCs will be done as whatever uid is assigned to "adonis" in the server's 
password database.

> V4: /drivepool adonis-mbp adonis-pc
> ===
> 
> ===
> /etc/sysctl.conf
> # Asks nfsd to convert remote uids/gid encoded as numeric strings to be 
> mapped to an actual uid/gid
> vfs.nfsd.enable_stringtouid=1
You probably do not want this. Since you are running nfsuserd, it will be 
mapping between
the client uid/gid <-> the names for the Getattr/Setattr.
If the Mac OSX client does not have "adonis" in its password database, that 
will be a problem.
(These mappings have nothing to do with the uid/gids in the RPC header. The 
latter is used
 to set the credentials for the RPC against the server. In your case, 
completely ignored.
 The name<->uid/gid mappings are used for Setattr/Getattr. Things like "chmod", 
"stat"...)

> # Applies to both nfs server and client. Asks client/server to send numeric 
> strings for uid/gid.
> ### vfs.nfs.enable_uidtostring=0
For a server, you either set both of the above to 1 and do not run the nfsuserd 
or set both of the
above to 0 and set them both to 0. I do not know if Mac OSX knows how to do the 
"uid/gid" in
the string for Getattr/Setattr, That is what you are doing when the above are 
set to 1 and is the
default for Linux, plus works for FreeBSD so long as you are not using 
Kerberized mounts.
(To know, you would need to look a Setattr RPC done by the Mac OSX client in 
wireshark for
 either "chgrp" or "chown" and see how the Owner/Owner_Group string is 
formatted. A number
 or a "name@domain".)

> vfs.nfsd.debuglevel=3
> ===
>
> The directories above are hosted on ZFS and nfs4 acls support is turned on.
>
> CLIENT CONFIGURATION
>
> OS: MacOS 12.4 Monterey
>
> ===
> nfs.client.mount.options=vers=4.0,intr,namedattr
Named attributes are not supported by the FreeBSD server and won't work.

> nfs.client.default_nfs4domain = rambo.lan
> ===
>
> Note: above I'm using namedattr to try to get the client to connect with 
> named attributes support.
As above, named attributes won't work.

> RESULTS
>
> What I see when I connect via finder is the following:
> 
> 1. I am able to read/write to the shares since /etc/exports contains the 
> -mapall line, yet inspecting a packet > trace shows me:
> 
> ===
> packet #1
> ---
> client ip -> server ip Operations (count: 3): PUTFH, ACCESS, GETATTR
> Opcode: PUTFH (22)
> Opcode: ACCESS (3), [Check: RD LU MD XT DL XE]
> Opcode: GETATTR (9)
>
> packet #2
> ---
> server ip -> client ip Operations (count: 3)
> Opcode: PUTFH (22)
> Opcode: ACCESS (3), [NOT Supported: XE], [Access Denied: MD XT DL], [Allowed: 
> RD LU]
> Status: NFS4_OK (0)
> Supported types (of requested): 0x1f
>Access rights (of requested): 0x03
> ...1 = 0x001 READ: allowed
> ..1. = 0x002 LOOKUP: allowed
> .0.. = 0x004 MODIFY: *Access Denied*
> 0... = 0x008 EXTEND: *Access Denied*
>...0  = 0x010 DELETE: *Access Denied*
This is saying that the uid for "adonis" on the server does not have write 
access to the file.

> Opcode: GETATTR (9)
> ===
>
> Why is MD, XT, DL coming up as Access Denied if I can read/write to the share?
Hmm, not sure. If you were to show all the reply fields for the Getattr, then I 
could probably guess.
It might be Owner (is it "ado...@rambo.lan"). it could be ACLs. To check those, 
you should be able to
do whatever the Mac OSX equivalent to getfacl is.

> I have a feeling this is because UID/GID mapping is not happening correctly. 
> I can see in the packet trace >that FreeBSD's `nfsd` is sending some 
> credentials as 

NFSv4 on MacOS Monterey

[Adonis Peralta]

I have some NFSv4 (sec=sys) shares on FreeBSD 13.1 which I'm trying to connect 
correctly with MacOS 12.4 Monterey.
I got the basics down but don't think I have permissions and extended 
attributes working correctly.

My configuration is as follows:

SERVER CONFIGURATION

OS: FreeBSD 13.1

===
/etc/rc.conf
# NFS Configuration
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"
mountd_enable="YES"
### mountd_flags="-R"
### rpcbind_enable="YES"
### rpc_lockd_enable="YES"
### rpc_statd_enable="YES"
# Enable NFSv4
nfsv4_server_enable="YES"
nfsv4_server_only="YES"
nfsuserd_enable="YES"
nfsuserd_flags="-domain rambo.lan"
===

===
/etc/exports
# Exports Configuration
/drivepool/backups -alldirs -mapall=adonis:wheel
/drivepool/media -alldirs -mapall=adonis:wheel
/drivepool/home/adonis -alldirs -mapall=adonis:wheel
/drivepool/public -mapall=adonis:wheel
V4: /drivepool adonis-mbp adonis-pc
===

===
/etc/sysctl.conf
# Asks nfsd to convert remote uids/gid encoded as numeric strings to be mapped 
to an actual uid/gid
vfs.nfsd.enable_stringtouid=1
# Applies to both nfs server and client. Asks client/server to send numeric 
strings for uid/gid.
### vfs.nfs.enable_uidtostring=0
vfs.nfsd.debuglevel=3
===

The directories above are hosted on ZFS and nfs4 acls support is turned on.

CLIENT CONFIGURATION

OS: MacOS 12.4 Monterey

===
nfs.client.mount.options=vers=4.0,intr,namedattr
nfs.client.default_nfs4domain = rambo.lan
===

Note: above I'm using namedattr to try to get the client to connect with named 
attributes support.

RESULTS

What I see when I connect via finder is the following:

1. I am able to read/write to the shares since /etc/exports contains the 
-mapall line, yet inspecting a packet trace shows me:

===
packet #1
---
client ip -> server ip Operations (count: 3): PUTFH, ACCESS, GETATTR
Opcode: PUTFH (22)
Opcode: ACCESS (3), [Check: RD LU MD XT DL XE]
Opcode: GETATTR (9)

packet #2
---
server ip -> client ip Operations (count: 3)
Opcode: PUTFH (22)
Opcode: ACCESS (3), [NOT Supported: XE], [Access Denied: MD XT DL], [Allowed: 
RD LU]
Status: NFS4_OK (0)
Supported types (of requested): 0x1f
Access rights (of requested): 0x03
 ...1 = 0x001 READ: allowed
 ..1. = 0x002 LOOKUP: allowed
 .0.. = 0x004 MODIFY: *Access Denied*
 0... = 0x008 EXTEND: *Access Denied*
...0  = 0x010 DELETE: *Access Denied*
Opcode: GETATTR (9)
===

Why is MD, XT, DL coming up as Access Denied if I can read/write to the share?

I have a feeling this is because UID/GID mapping is not happening correctly. I 
can see in the packet trace that FreeBSD's `nfsd` is sending some credentials 
as `ado...@rambo.lan`, but MacOS's nfs client is sending uid 501 and gid 20 for 
my user in the RPC credentials. I don't see how `nfsd` will be able to map uid 
501, gid 20 to the server's uid and gid and instead I was expecting 
`ado...@rambo.lan` to be sent for credentials from the client side.

The link below tells me that this is an inherent issue with NFSv4?
https://dfusion.com.au/wiki/tiki-index.php?page=Why+NFSv4+UID+mapping+breaks+with+AUTH_UNIX

2. Extended attributes don't work at all. Here is the result:
===
$ cd /Volumes/media
$ touch test.txt
$ xattr -w com.example.color blue test.txt

# Result: xattr: [Errno 1] Operation not permitted: 'test.txt' #
===

-- 
Adonis

Re: make NFSv3 default now on diskless

[John-Mark Gurney]

Rick Macklem wrote this message on Thu, Jun 02, 2022 at 14:44 +:
> John-Mark Gurney  wrote:
> > I just booted FreeBSD-current diskless, using NFS root, and I ended
> > up having issues because by default, NFS root is only v2.
> >
> > One of things that happened was disk space available was listed as
> > -138G, or -144830429K.  I assume this is because the server is reporting
> > TBs instead.
> Yes. NFSv2 uses 32bit sizes.

Should we make the NFS server clamp various sizes then?  instead of reporting
negative numbers?  (Sorry if this is already done on newer versions of
FreeBSD, my server is a bit old.)

> > If I mount via mount_nfs, the sizes are normal/correct because it mounts
> > v3.
> I believe most specify "nfsv3" in the "/" mount line of /etc/fstab on the
> remote root fs. Then, when the system does a "mount -u" to make it
> read/write it gets toggled to NFSv3.

well, I tried doing a:
mount -u -o nfsv3 /

on the system and this didn't work switch over to v3, it was still on
v2..

I haven't specified nfsv3 in /etc/fstab, but IMO, this should be the
default..

Also, I'm right now booting single user mode, because I'm -mapall to
a user, and lots of FreeBSD breaks when files aren't uid 0, and there
doesn't appear to be a way to remap the uid to root (that I have found)..

> > The other issue that I ran into is that NFSv2 can't access >4GB files
> > (or create them).
> As above, NFSv2 uses 32bit sizes.
> 
> > Anyone object to adding BOOTP_NFSV3 to GENERIC?
> Well, that option only works when used with BOOTP_NFSROOT.
> The GENERIC configs for amd64, arm64,... use the other way.
> (Just to make it confusing, there are two different ways an NFS root
>  fs is set up.)
> See below.
> 
> >  Or maybe making it a
> > tunable that defaults to set, because it seems a bit crazy to default
> > to v2 these days.
> I don't think changing the default to NFSv3 will be a problem.
> The reason it was NFSv2 was that,
> for some non-FreeBSD NFS servers, the NFSv3 file handle is different
> than the NFSv2 one.
> 
> I added NFSv3 support to stand/libsa/nfs.c about 15years ago, so every
> system should be running the newer NFS code in the loader and be able
> to do NFSv3 booting.
> 
> > This option was added in 432aad0e in 1997 so that the nfs_diskless
> > structure didn't need to be filled out.  Does anything even
> > populate/fill it out anymore?  I saw code in i386/i386/locore.s that
> > does this, but it doesn't appear anywhere else.
> Yes. For "options NFS_ROOT" (the other way), the loader uses
> "stand/libsa/nfs.c" to acquire the remote file system's root file handle
> and fills it in. (See nfs_setup_diskless() in sys/nfs/nfs_diskless.c.)
> Looking at it, it appears to enable NFSv3 so long as it finds
> "boot.nfsroot.nfshandlelen" set.

Well, I'm not seeing that, and this system is booting via
pxeboot+loader, so maybe something is broken?

> > There also appears to possibly be a way via mount options, but I can't
> > see where it's documented to set them.
> I think you just specify "nfsv3" as a mount option in the root fs
> line in /etc/fstab on the root fs on the NFS server.

See above, this doesn't appear to work, or doesn't work the way I think
it should...

> I don't think changing the default to NFSv3 will be a problem.
> The hassle is testing the various cases, to make sure nothing
> breaks. I have no diskless setup to do testing and I don't even know
> when installs/upgrades actually replace the loader?

Well, this diskless was easier to setup than I expected, partly
because I already had most of the infrastructure together (from
netbooting another machine).  Put pxeboot on a tftp server, configure
the dhcp server to send the correct options, extract base.txz to a
directory, export it, and it worked.  I assume that I'm getting loader
from that install since I don't specify it in the dhcp server.

As for testing, we have the CI system for that, right? ;p

/me needs to get back to work on the lab.

I guess we'd need to list the configurations that we care about, the
only ones I can think of, off the top of my head are pxeboot (which I'm
testing now), and u-boot..  For servers, are there any servers that
are NFSv2 only that are in common use today?  If you're running an
ancient server that is NFSv2 only, I think you deserve to have to
rebuild kernels or something instead of making 99% of the rest of us
do it..

-- 
  John-Mark Gurney  Voice: +1 415 225 5579

 "All that I will do, has been done, All that I have, has not."

[Bug 263445] [tcp] Fatal trap 12: page fault while in kernel mode // supervisor read data, page not present // 13.1-RC3

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263445

--- Comment #11 from Michael Tuexen  ---
(In reply to Igor A. Valkov from comment #6)
Hi Igor,
we discussed this bug on todays transport call. Two questions:
1. Can you make also core files against 13.1 RELEASE available?
2. Would you be willing to and able to run a custom kernel? We might want to
provide a kernel which allows to get more data on the situation under which the
problem occurs.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 263445] [tcp] Fatal trap 12: page fault while in kernel mode // supervisor read data, page not present // 13.1-RC3

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263445

--- Comment #10 from Michael Tuexen  ---
(In reply to Michael Tuexen from comment #9)
The confusion was on my part by using a 13.1 RELEASE kernel instead of a 13.1R3
kernel.

-- 
You are receiving this mail because:
You are the assignee for the bug.

Re: make NFSv3 default now on diskless

[Rick Macklem]

Rick Macklem  wrote:
> John-Mark Gurney  wrote:
> > I just booted FreeBSD-current diskless, using NFS root, and I ended
> > up having issues because by default, NFS root is only v2.
> >
> > One of things that happened was disk space available was listed as
> > -138G, or -144830429K.  I assume this is because the server is reporting
> > TBs instead.
> Yes. NFSv2 uses 32bit sizes.
> 
> > If I mount via mount_nfs, the sizes are normal/correct because it mounts
> > v3.
> I believe most specify "nfsv3" in the "/" mount line of /etc/fstab on the
> remote root fs. Then, when the system does a "mount -u" to make it
> read/write it gets toggled to NFSv3.
> 
> > The other issue that I ran into is that NFSv2 can't access >4GB files
> > (or create them).
> As above, NFSv2 uses 32bit sizes.
>
> > Anyone object to adding BOOTP_NFSV3 to GENERIC?
> Well, that option only works when used with BOOTP_NFSROOT.
> The GENERIC configs for amd64, arm64,... use the other way.
> (Just to make it confusing, there are two different ways an NFS root
>  fs is set up.)
> See below.
>
> >  Or maybe making it a
> > tunable that defaults to set, because it seems a bit crazy to default
> > to v2 these days.
> I don't think changing the default to NFSv3 will be a problem.
> The reason it was NFSv2 was that,
> for some non-FreeBSD NFS servers, the NFSv3 file handle is different
> than the NFSv2 one.
>
> I added NFSv3 support to stand/libsa/nfs.c about 15years ago, so every
> system should be running the newer NFS code in the loader and be able
> to do NFSv3 booting.
> 
> > This option was added in 432aad0e in 1997 so that the nfs_diskless
> > structure didn't need to be filled out.  Does anything even
> > populate/fill it out anymore?  I saw code in i386/i386/locore.s that
> > does this, but it doesn't appear anywhere else.
> Yes. For "options NFS_ROOT" (the other way), the loader uses
> "stand/libsa/nfs.c" to acquire the remote file system's root file handle
> and fills it in. (See nfs_setup_diskless() in sys/nfs/nfs_diskless.c.)
> Looking at it, it appears to enable NFSv3 so long as it finds
> "boot.nfsroot.nfshandlelen" set.
Just to give you a little more on how these two methods work
(from my vague recollection..):
options NFS_ROOT
- Something (usually PXEBOOT) loaded the loader.
- The loader filled in some environment variables using the code in
   stand/libsa/nfs.c.
   boot.nfsroot.nfshandle - The root fs file handle
   boot.nfsroot.nfshandlelen - The length of above (if not set, use NFSv2)
   - plus some others to set up the network interface
- The kernel uses these environment variables to fill in nfs_diskless or
  nfsv3_diskless. This is done by the function called nfs_setup_diskless(),
  found in sys/nfs/nfs_diskless.c.

options BOOTP_NFSROOT
- Kernel gets loaded somehow.
- Kernel uses code in sys/nfs/bootp_subr.c to get the information
  needed (such as the root fs file handle) via BOOTP/DHCP.
  For this one, it will use NFSv2 unless "options BOOTP_NFSV3" was
  specified along with "options BOOTP_NFSROOT" in the kernel config.

If you are using the "NFS_ROOT" approach, I am surprised that you
get NFSv2, since the code in stand/libsa/nfs.c appears to do NFSv3 now
and sets "boot.nfsroot.nfshandlelen", unless I am mis-reading it?
- Maybe you can pop out into the loader and look at the environment
  variables with "show"?

rick

> There also appears to possibly be a way via mount options, but I can't
> see where it's documented to set them.
I think you just specify "nfsv3" as a mount option in the root fs
line in /etc/fstab on the root fs on the NFS server.

I don't think changing the default to NFSv3 will be a problem.
The hassle is testing the various cases, to make sure nothing
breaks. I have no diskless setup to do testing and I don't even know
when installs/upgrades actually replace the loader?

rick

--
  John-Mark Gurney  Voice: +1 415 225 5579

 "All that I will do, has been done, All that I have, has not."

Re: make NFSv3 default now on diskless

[Rick Macklem]

John-Mark Gurney  wrote:
> I just booted FreeBSD-current diskless, using NFS root, and I ended
> up having issues because by default, NFS root is only v2.
>
> One of things that happened was disk space available was listed as
> -138G, or -144830429K.  I assume this is because the server is reporting
> TBs instead.
Yes. NFSv2 uses 32bit sizes.

> If I mount via mount_nfs, the sizes are normal/correct because it mounts
> v3.
I believe most specify "nfsv3" in the "/" mount line of /etc/fstab on the
remote root fs. Then, when the system does a "mount -u" to make it
read/write it gets toggled to NFSv3.

> The other issue that I ran into is that NFSv2 can't access >4GB files
> (or create them).
As above, NFSv2 uses 32bit sizes.

> Anyone object to adding BOOTP_NFSV3 to GENERIC?
Well, that option only works when used with BOOTP_NFSROOT.
The GENERIC configs for amd64, arm64,... use the other way.
(Just to make it confusing, there are two different ways an NFS root
 fs is set up.)
See below.

>  Or maybe making it a
> tunable that defaults to set, because it seems a bit crazy to default
> to v2 these days.
I don't think changing the default to NFSv3 will be a problem.
The reason it was NFSv2 was that,
for some non-FreeBSD NFS servers, the NFSv3 file handle is different
than the NFSv2 one.

I added NFSv3 support to stand/libsa/nfs.c about 15years ago, so every
system should be running the newer NFS code in the loader and be able
to do NFSv3 booting.

> This option was added in 432aad0e in 1997 so that the nfs_diskless
> structure didn't need to be filled out.  Does anything even
> populate/fill it out anymore?  I saw code in i386/i386/locore.s that
> does this, but it doesn't appear anywhere else.
Yes. For "options NFS_ROOT" (the other way), the loader uses
"stand/libsa/nfs.c" to acquire the remote file system's root file handle
and fills it in. (See nfs_setup_diskless() in sys/nfs/nfs_diskless.c.)
Looking at it, it appears to enable NFSv3 so long as it finds
"boot.nfsroot.nfshandlelen" set.

> There also appears to possibly be a way via mount options, but I can't
> see where it's documented to set them.
I think you just specify "nfsv3" as a mount option in the root fs
line in /etc/fstab on the root fs on the NFS server.

I don't think changing the default to NFSv3 will be a problem.
The hassle is testing the various cases, to make sure nothing
breaks. I have no diskless setup to do testing and I don't even know
when installs/upgrades actually replace the loader?

rick

--
  John-Mark Gurney  Voice: +1 415 225 5579

 "All that I will do, has been done, All that I have, has not."

[Bug 263445] [tcp] Fatal trap 12: page fault while in kernel mode // supervisor read data, page not present // 13.1-RC3

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263445

--- Comment #9 from Michael Tuexen  ---
(In reply to Richard Scheffenegger from comment #8)
Hi Richard,

I'm looking at the tracefile provided by Igor and see:

(kgdb) f 10
#10 0x80dd7eed in tcp_do_segment (m=, th=, so=, tp=0xfe025fb86518, drop_hdrlen=52,
tlen=, iptos=0 '\000') at
/usr/src/sys/netinet/tcp_input.c:2637
2637(void)
tp->t_fb->tfb_tcp_output(tp);
(kgdb) p tp->t_state
$10 = 6
(kgdb) p *tp->sackhint.nexthole
$11 = {start = 1529400226, end = 1529409856, rxmit = 1529409855, scblink =
{tqe_next = 0x0, tqe_prev = 0xfe025fb86658}}
(kgdb)

Do you really see 8 as the state (which is TCPS_LAST_ACK)? I see 6 (which is
TCPS_FIN_WAIT_1).

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 263445] [tcp] Fatal trap 12: page fault while in kernel mode // supervisor read data, page not present // 13.1-RC3

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263445

Michael Tuexen  changed:

   What|Removed |Added

Summary|Fatal trap 12: page fault   |[tcp] Fatal trap 12: page
   |while in kernel mode // |fault while in kernel mode
   |supervisor read data, page  |// supervisor read data,
   |not present // 13.1-RC3 |page not present //
   ||13.1-RC3

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 260393] [tcp] Page Fault tcp_output/tcp_input

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260393

Michael Tuexen  changed:

   What|Removed |Added

Summary|Page Fault  |[tcp] Page Fault
   |tcp_output/tcp_input|tcp_output/tcp_input

-- 
You are receiving this mail because:
You are the assignee for the bug.