Hello community, here is the log from the commit of package nfs-utils.13845 for openSUSE:Leap:15.1:Update checked in at 2020-09-04 14:24:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.1:Update/nfs-utils.13845 (Old) and /work/SRC/openSUSE:Leap:15.1:Update/.nfs-utils.13845.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nfs-utils.13845" Fri Sep 4 14:24:10 2020 rev:1 rq:831102 version:2.1.1 Changes: -------- New Changes file: --- /dev/null 2020-08-06 00:20:10.149648038 +0200 +++ /work/SRC/openSUSE:Leap:15.1:Update/.nfs-utils.13845.new.3399/nfs-utils.changes 2020-09-04 14:24:18.638711475 +0200 
@@ -0,0 +1,1848 @@ +------------------------------------------------------------------- +Thu Jul 9 02:20:11 UTC 2020 - Neil Brown <nfbr...@suse.com> + +- 0008-gssd-replace-non-thread-safe-strtok-with-strsep.patch + Fix bug with concurrent gssd requests arriving from kernel. + (bsc#1174260) + +------------------------------------------------------------------- +Mon Sep 30 01:27:15 UTC 2019 - Neil Brown <nfbr...@suse.com> + +- Don't make /var/lib/nfs owned by statd. + Only sm and sm.bak need to be accessible by + statd or sm-notify after they drop privs. + Providing they get created, the parent + directory can be root-owned. +- 0007-statd-user-from-sm + Change rpc.statd and sm-notify to take uid from the sm + directory. + (bsc#1150733 CVE-2019-3689) + +------------------------------------------------------------------- +Mon Dec 3 03:50:48 UTC 2018 - Neil Brown <nfbr...@suse.com> + +- 0002-Let-systemd-know-when-rpc.statd-is-needed.patch + 0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch + Fixes for systemd integration + (bsc#1116221) +- nfs.conf: spell NFSV4LEASETIME correctly. + (bsc#1098532) + +------------------------------------------------------------------- +Fri Jul 6 15:02:49 CEST 2018 - ku...@suse.de + +- Create files in /var/lib/nfs via tmpfiles.d [bsc#1100404], + [FATE#325524] + +------------------------------------------------------------------- +Thu Nov 23 13:40:51 UTC 2017 - rbr...@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Fri Oct 6 04:23:19 UTC 2017 - nfbr...@suse.com + +- fix incorrect dependency in + /usr/lib/systemd/system/nfs-client.target.d/nfs.conf + When yast restarts "nfs" it should propagate to nfs-client, + but doesn't. 
+ (boo#1053691) + +------------------------------------------------------------------- +Wed Jul 5 11:02:51 UTC 2017 - sch...@suse.de + +- nsm-headers.patch: add missing <stdint.h> + +------------------------------------------------------------------- +Tue May 2 13:51:27 CEST 2017 - ku...@suse.de + +- Prerequire needed group "nogroup" + +------------------------------------------------------------------- +Wed Feb 8 02:32:37 UTC 2017 - nfbr...@suse.com + +- update upstream version from 1.3.4 to 2.1.1 + The significant update is that configuration can + now be read from a central /etc/nfs.conf file, and + it can include other files such as /etc/sysconfig/nfs + This means that the old nfs-config.service systemd + unit is no longer needed. +- /etc/nfs.conf file created to import all sysconfig + settings except *_OPTIONS directly into running code. +- dropins created to pass *_OPTIONS sysconfig setting to + the various daemons. +- various specfile improvements, such as using "-D" in + "install" commands, and adding "verify_permissions". +- "xtab" has not been needed for years and has now been remove. +- sysconfig.nfs updated, particular the ServiceRestart + declarations have been tuned for systemd units. +- 0003-nfs-server-generator-handle-noauto-mounts-correctly.patch + Fix the nfs-server-generator so that mounts marked "noauto" + are not automatically mounted when NFS exported. + (bsc#1019211) +- 0001-conffile-ignore-empty-environment-variables.patch + 0002-mount-call-setgroups-before-setuid.patch + Other minor fixes found during testing. +- REMOVED 0001-Make-location-of-nfs-utils_env.sh-configurable.patch + now included upstream + +------------------------------------------------------------------- +Thu Jan 19 10:17:03 UTC 2017 - jeng...@inai.de + +- Check for existence of "statd" user before creating it, + and do not suppress errors about it. +- Ensure units passed to %service_* are full filenames. +- Pass all units (non-templated) to %service_*. 
+ +------------------------------------------------------------------- +Mon Nov 14 14:51:30 UTC 2016 - dims...@opensuse.org + +- Also ignore errors on the first chown call: this can happen + especially in the build system when shadow is not present and + the user has not been generated in the %pre phase. + +------------------------------------------------------------------- +Fri Oct 21 00:09:04 UTC 2016 - nfbr...@suse.com + +- move rpc.svcgssd and corresponding man page from + nfs-client package to nfs-kernel-server. + For NFSv4.0 this is needed on client as well as + the server to support the back-channel. + (bsc#1005609) + +------------------------------------------------------------------- +Sun Aug 21 06:16:27 UTC 2016 - nfbr...@suse.com + +- 0001-Make-location-of-nfs-utils_env.sh-configurable.patch + 1.3.4 moved the config script location to somewhere + that doesn't exist on openSUSE. Move it somewhere + better and install it there. + (bsc#990356) + +------------------------------------------------------------------- +Wed Aug 10 02:57:57 UTC 2016 - nfbr...@suse.com + +- nfs-utils-1.3.4.tar.xz + New upstream release. Lots of bugfixes, no significant + functionality changes + +- delete 0001-Fix-protocol-minor-version-fall-back.patch + delete 0001-close-the-syslog-fd-in-daemon_init.patch + delete 0001-mount-run-START_STATD-fully-as-root.patch + delete 0001-mount.nfs-hide-EBUSY-errors.patch + delete 0001-mount.nfs-trust-the-exit-status-of-start_statd.patch + delete 0001-systemd-Decouple-the-starting-and-stopping-of-rpcbin.patch + delete 0002-systemd-unit-files-fix-up-dependencies-on-rpcbind.patch + delete nfs-utils-no-svcgss.service + delete nfs-utils-uninit-mem.patch + All patches are included in 1.3.4 + + +------------------------------------------------------------------- +Tue Aug 9 23:32:10 UTC 2016 - nfbr...@suse.com + +- nfs-utils_env.sh + Fix some problems with version_params. 
+ Various misspellings and remove the possiblity + that V4 is both disabled and enabled. + (bsc#990356) + +------------------------------------------------------------------- +Mon Aug 8 08:39:54 UTC 2016 - tchva...@suse.com + +- Drop OMC svcinfo file, nowdays useless + +------------------------------------------------------------------- +Mon Aug 8 08:38:16 UTC 2016 - tchva...@suse.com + +- Sort a bit with spec-cleaner to get uptodate spec +- Convert deps from regular devels to pkgconfig style + +------------------------------------------------------------------- +Tue May 24 22:27:14 UTC 2016 - nfbr...@suse.com + +- 0001-systemd-Decouple-the-starting-and-stopping-of-rpcbin.patch + 0002-systemd-unit-files-fix-up-dependencies-on-rpcbind.patch + Fix systemd dependencies to ensure rpcbind is started when needed. + (bsc#975265) + +------------------------------------------------------------------- +Thu Apr 21 23:40:59 UTC 2016 - ne...@suse.com + +- 0001-close-the-syslog-fd-in-daemon_init.patch + Without this, tracing doesn't work +- 0001-mount.nfs-trust-the-exit-status-of-start_statd.patch + (bsc#945937) +- 0001-mount-run-START_STATD-fully-as-root.patch + (bsc#969152) + +------------------------------------------------------------------- +Mon Apr 4 13:56:38 CEST 2016 - ku...@suse.de + +- Drop unused BuildRequires for libgssglue, not used with tirpc + +------------------------------------------------------------------- +Mon Apr 4 10:16:32 CEST 2016 - ku...@suse.de + +- Drop unused BuildRequires for librpcsecgss, tirpc version is used + +------------------------------------------------------------------- +Wed Mar 2 03:53:26 UTC 2016 - ne...@suse.com + +- 0001-mount.nfs-hide-EBUSY-errors.patch + Stop "mount -a -t nfs" from complaining if filesystem + already mounted (bsc#950340) + +------------------------------------------------------------------- ++++ 1651 more lines (skipped) ++++ between /dev/null ++++ and 
/work/SRC/openSUSE:Leap:15.1:Update/.nfs-utils.13845.new.3399/nfs-utils.changes New: ---- 0001-conffile-ignore-empty-environment-variables.patch 0002-Let-systemd-know-when-rpc.statd-is-needed.patch 0002-mount-call-setgroups-before-setuid.patch 0003-nfs-server-generator-handle-noauto-mounts-correctly.patch 0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch 0007-statd-user-from-sm 0008-gssd-replace-non-thread-safe-strtok-with-strsep.patch README.NFSv4 fw-client fw-server idmapd.conf nfs-client.nfs.conf nfs-kernel-server.tmpfiles.conf nfs-mountd.options.conf nfs-server.nfsserver.conf nfs-server.options.conf nfs-utils-1.0.7-bind-syntax.patch nfs-utils-2.1.1.tar.xz nfs-utils.changes nfs-utils.rpmlintrc nfs-utils.spec nfs.conf nfs.doc.tar.bz2 nfs.service nfsserver.service nsm-headers.patch rpc-gssd.options.conf rpc-statd-notify.options.conf rpc-statd.options.conf rpc-svcgssd.options.conf sysconfig.nfs ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nfs-utils.spec ++++++ # # spec file for package nfs-utils # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! 
%{defined _fillupdir} %define _fillupdir /var/adm/fillup-templates %endif Name: nfs-utils Version: 2.1.1 Release: 0 Summary: Support Utilities for Kernel nfsd License: GPL-2.0-or-later Group: Productivity/Networking/NFS Url: http://kernel.org/pub/linux/utils/nfs-utils/ Source0: http://kernel.org/pub/linux/utils/nfs-utils/%{version}/nfs-utils-%{version}.tar.xz # Download does not work: # Source1: ftp://nfs.sourceforge.net/pub/nfs/nfs.doc.tar.bz2 Source1: nfs.doc.tar.bz2 Source4: sysconfig.nfs Source6: README.NFSv4 Source7: fw-client Source8: fw-server Source11: idmapd.conf Source13: nfs-utils.rpmlintrc Source15: nfsserver.service Source16: nfs.service Source17: nfs-server.nfsserver.conf Source18: nfs-client.nfs.conf Source20: nfs-mountd.options.conf Source21: nfs-server.options.conf Source22: rpc-gssd.options.conf Source23: rpc-statd.options.conf Source24: rpc-statd-notify.options.conf Source25: rpc-svcgssd.options.conf Source26: nfs.conf Source27: nfs-kernel-server.tmpfiles.conf Patch0: nfs-utils-1.0.7-bind-syntax.patch Patch1: 0001-conffile-ignore-empty-environment-variables.patch Patch2: 0002-mount-call-setgroups-before-setuid.patch Patch3: 0003-nfs-server-generator-handle-noauto-mounts-correctly.patch Patch4: nsm-headers.patch Patch5: 0002-Let-systemd-know-when-rpc.statd-is-needed.patch Patch6: 0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch Patch7: 0007-statd-user-from-sm Patch8: 0008-gssd-replace-non-thread-safe-strtok-with-strsep.patch BuildRequires: e2fsprogs-devel BuildRequires: fedfs-utils-devel BuildRequires: gcc-c++ BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: systemd-rpm-macros BuildRequires: tcpd-devel BuildRequires: pkgconfig(devmapper) BuildRequires: pkgconfig(kdb) BuildRequires: pkgconfig(krb5) BuildRequires: pkgconfig(libevent) BuildRequires: pkgconfig(libnfsidmap) >= 0.24 BuildRequires: pkgconfig(libtirpc) BuildRequires: pkgconfig(mount) BuildRequires: pkgconfig(sqlite3) Suggests: python-base BuildRoot: 
%{_tmppath}/%{name}-%{version}-build %{?systemd_requires} %description This package contains the NFS utilities. You can tune the number of server threads via the sysconfig variable USE_KERNEL_NFSD_NUMBER. For quota over NFS support, install the quota package. %package -n nfs-client Summary: Support Utilities for NFS Group: Productivity/Networking/NFS Requires: keyutils Requires: netcfg Requires: rpcbind Requires(post): %fillup_prereq Requires(pre): permissions Requires(pre): shadow %if 0%{?suse_version} >= 1330 Requires(pre): group(nogroup) %endif Obsoletes: nfs-utils < 1.1.0 %description -n nfs-client This package contains common NFS utilities which are needed for client and kernel based server. %package -n nfs-kernel-server Summary: Support Utilities for Kernel nfsd Group: Productivity/Networking/NFS Requires: netcfg Requires: nfs-client = %{version} Requires: rpcbind Conflicts: nfs-server Provides: nfs-utils = %{version} Obsoletes: nfs-utils < 1.1.0 PreReq: permissions %description -n nfs-kernel-server This package contains support for the kernel based NFS server. You can tune the number of server threads via the sysconfig variable USE_KERNEL_NFSD_NUMBER. For quota over NFS support, install the quota package. %package -n nfs-doc Summary: Support Utilities for NFS Group: Productivity/Networking/NFS Requires: latex2html-pngicons Obsoletes: nfs-utils < 1.1.0 %description -n nfs-doc This package contains additional NFS documentation. %prep %setup -q -a 1 %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 cp %{SOURCE6} . 
%build autoreconf -fvi export CFLAGS="%{optflags} -fPIE" export LDFLAGS="-pie" %configure \ --with-systemd \ --enable-nfsv4 \ --enable-gss \ --enable-svcgss \ --enable-ipv6 \ --enable-nfsdcltrack \ --enable-mount \ --enable-libmount-mount \ --enable-mountconfig make %{?_smp_mflags} cd nfs for i in *.html ; do sed -i \ -e "s@%{_prefix}/lib/latex2html/icons.png/next_motif.png@%{_datadir}/latex2html/icons/next.png@" \ -e "s@%{_prefix}/lib/latex2html/icons.png/up_motif_gr.png@%{_datadir}/latex2html/icons/up.png@" \ -e "s@%{_prefix}/lib/latex2html/icons.png/previous_motif_gr.png@%{_datadir}/latex2html/icons/prev.png@" \ $i done %install make %{?_smp_mflags} DESTDIR=%{buildroot} install install -D -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/nfsserver.service install -D -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/nfs.service install -D -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/nfs-server.service.d/nfsserver.conf install -D -m 644 %{SOURCE18} %{buildroot}%{_unitdir}/nfs-client.target.d/nfs.conf install -D -m 644 %{SOURCE20} %{buildroot}%{_unitdir}/nfs-mountd.service.d/options.conf install -D -m 644 %{SOURCE21} %{buildroot}%{_unitdir}/nfs-server.service.d/options.conf install -D -m 644 %{SOURCE22} %{buildroot}%{_unitdir}/rpc-gssd.service.d/options.conf install -D -m 644 %{SOURCE23} %{buildroot}%{_unitdir}/rpc-statd.service.d/options.conf install -D -m 644 %{SOURCE24} %{buildroot}%{_unitdir}/rpc-statd-notify.service.d/options.conf install -D -m 644 %{SOURCE25} %{buildroot}%{_unitdir}/rpc-svcgssd.service.d/options.conf install -D -m 644 %{SOURCE26} %{buildroot}%{_sysconfdir}/nfs.conf install -D -m 644 %{SOURCE27} %{buildroot}%{_prefix}/lib/tmpfiles.d/nfs-kernel-server.conf ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcnfsserver ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcnfs-server ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcnfs ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcnfs-client # sysconfig-data mkdir -p %{buildroot}%{_fillupdir} install 
-m 644 %{SOURCE4} %{buildroot}%{_fillupdir} # idmapd setup install -D -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/idmapd.conf mkdir -p -m 755 %{buildroot}%{_localstatedir}/lib/nfs/rpc_pipefs mkdir -p -m 755 %{buildroot}%{_localstatedir}/lib/nfs/v4recovery # sm-notify state mkdir -p -m 755 %{buildroot}%{_localstatedir}/lib/nfs/sm mkdir -p -m 755 %{buildroot}%{_localstatedir}/lib/nfs/sm.bak touch %{buildroot}%{_localstatedir}/lib/nfs/state mkdir -p %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services install -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/nfs-client install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server install -m 644 utils/mount/nfsmount.conf %{buildroot}%{_sysconfdir}/nfsmount.conf # # hack to avoid automatic python dependency chmod 644 %{buildroot}%{_sbindir}/{mountstats,nfsiostat} %pre -n nfs-client /usr/bin/getent passwd statd >/dev/null || \ /usr/sbin/useradd -r -c 'NFS statd daemon' \ -s /sbin/nologin -d %{_localstatedir}/lib/nfs -g nogroup statd %service_add_pre nfs.service auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service %post -n nfs-client chown root:root %{_localstatedir}/lib/nfs > /dev/null 2>&1 || : for i in sm sm.bak; do chown -R statd:nogroup %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || : done ### migrate from /var/lock/subsys [ -d /run/nfs ] || mkdir /run/nfs if [ -f %{_localstatedir}/lock/subsys/nfs-rpc.idmapd ]; then mv %{_localstatedir}/lock/subsys/nfs-rpc.idmapd /run/nfs fi if [ -f %{_localstatedir}/lock/subsys/nfsserver-rpc.idmapd ]; then mv %{_localstatedir}/lock/subsys/nfsserver-rpc.idmapd /run/nfs fi ### %{fillup_only -n nfs nfs} # %set_permissions /sbin/mount.nfs %service_add_post nfs.service auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service 
rpc-svcgssd.service %preun -n nfs-client %service_del_preun nfs.service auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service %postun -n nfs-client %service_del_postun nfs.service auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service %verifyscript -n nfs-client %verify_permissions -e /sbin/mount.nfs %pre -n nfs-kernel-server %service_add_pre nfsserver.service nfs-svcgssd.service nfs-mountd.service nfs-server.service %preun -n nfs-kernel-server %service_del_preun nfsserver.service nfs-svcgssd.service nfs-mountd.service nfs-server.service %post -n nfs-kernel-server ### migrate from /var/lock/subsys [ -d /run/nfs ] || mkdir /run/nfs if [ -f %{_localstatedir}/lock/subsys/nfs-rpc.idmapd ]; then mv %{_localstatedir}/lock/subsys/nfs-rpc.idmapd /run/nfs fi if [ -f %{_localstatedir}/lock/subsys/nfsserver-rpc.idmapd ]; then mv %{_localstatedir}/lock/subsys/nfsserver-rpc.idmapd /run/nfs fi ### %service_add_post nfsserver.service nfs-mountd.service nfs-server.service %tmpfiles_create nfs-kernel-server.conf %set_permissions /var/lib/nfs/rmtab %postun -n nfs-kernel-server %service_del_postun nfsserver.service nfs-mountd.service nfs-server.service %verifyscript -n nfs-kernel-server %verify_permissions -e /var/lib/nfs/rmtab %files -n nfs-client %defattr(-,root,root) %config %{_sysconfdir}/idmapd.conf %config %{_sysconfdir}/nfsmount.conf %config %{_sysconfdir}/nfs.conf %verify(not mode) %attr(0755,root,root) /sbin/mount.nfs /sbin/mount.nfs4 /sbin/umount.nfs /sbin/umount.nfs4 /sbin/osd_login %attr(0755,root,root) %{_sbindir}/mountstats %attr(0755,root,root) %{_sbindir}/nfsiostat %{_sbindir}/nfsidmap %{_sbindir}/nfsstat %{_sbindir}/rcnfs %{_sbindir}/rcnfs-client %{_sbindir}/rpc.gssd %{_sbindir}/rpc.idmapd %{_sbindir}/rpc.statd %{_sbindir}/rpcdebug %{_sbindir}/showmount %{_sbindir}/sm-notify 
%{_sbindir}/start-statd %{_sbindir}/blkmapd %{_sbindir}/rpc.svcgssd %{_unitdir}/auth-rpcgss-module.service %{_unitdir}/nfs-blkmap.service %{_unitdir}/nfs-client.target %{_unitdir}/nfs-idmapd.service %{_unitdir}/nfs-utils.service %{_unitdir}/rpc-gssd.service %{_unitdir}/rpc-gssd.service.d %{_unitdir}/rpc-gssd.service.d/options.conf %{_unitdir}/rpc-statd-notify.service %{_unitdir}/rpc-statd-notify.service.d %{_unitdir}/rpc-statd-notify.service.d/options.conf %{_unitdir}/rpc-statd.service %{_unitdir}/rpc-statd.service.d %{_unitdir}/rpc-statd.service.d/options.conf %{_unitdir}/rpc-svcgssd.service %{_unitdir}/rpc-svcgssd.service.d %{_unitdir}/rpc-svcgssd.service.d/options.conf %{_unitdir}/var-lib-nfs-rpc_pipefs.mount %{_unitdir}/nfs.service %dir %{_unitdir}/nfs-client.target.d %{_unitdir}/nfs-client.target.d/nfs.conf %dir /usr/lib/systemd/system-generators /usr/lib/systemd/system-generators/nfs-server-generator %{_mandir}/man5/nfsmount.conf.5%{ext_man} %{_mandir}/man5/nfs.conf.5%{ext_man} %{_mandir}/man5/nfs.5%{ext_man} %{_mandir}/man7/nfs.systemd.7%{ext_man} %{_mandir}/man8/mount.nfs.8%{ext_man} %{_mandir}/man8/nfsidmap.8%{ext_man} %{_mandir}/man8/nfsstat.8%{ext_man} %{_mandir}/man8/rpc.sm-notify.8%{ext_man} %{_mandir}/man8/showmount.8%{ext_man} %{_mandir}/man8/sm-notify.8%{ext_man} %{_mandir}/man8/umount.nfs.8%{ext_man} %{_mandir}/man8/rpc.gssd.8%{ext_man} %{_mandir}/man8/rpc.idmapd.8%{ext_man} %{_mandir}/man8/gssd.8%{ext_man} %{_mandir}/man8/idmapd.8%{ext_man} %{_mandir}/man8/svcgssd.8%{ext_man} %{_mandir}/man8/rpc.statd.8%{ext_man} %{_mandir}/man8/rpcdebug.8%{ext_man} %{_mandir}/man8/statd.8%{ext_man} %{_mandir}/man8/mountstats.8%{ext_man} %{_mandir}/man8/nfsiostat.8%{ext_man} %{_mandir}/man8/blkmapd.8%{ext_man} %{_mandir}/man8/rpc.svcgssd.8%{ext_man} %{_fillupdir}/sysconfig.nfs %dir %{_localstatedir}/lib/nfs %dir %{_localstatedir}/lib/nfs/rpc_pipefs %dir %{_localstatedir}/lib/nfs/v4recovery %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm 
%attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm.bak %ghost %{_localstatedir}/lib/nfs/state %config %attr(0644,root,root) %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/nfs-client %files -n nfs-kernel-server %defattr(-,root,root) %{_unitdir}/nfs-mountd.service %{_unitdir}/nfs-mountd.service.d %{_unitdir}/nfs-mountd.service.d/options.conf %{_unitdir}/nfs-server.service %{_unitdir}/nfs-server.service.d %{_unitdir}/nfs-server.service.d/options.conf %{_unitdir}/proc-fs-nfsd.mount %{_unitdir}/nfsserver.service %{_unitdir}/nfs-server.service.d/nfsserver.conf %{_prefix}/lib/tmpfiles.d/nfs-kernel-server.conf %{_sbindir}/exportfs %{_sbindir}/rcnfsserver %{_sbindir}/rcnfs-server %{_sbindir}/rpc.mountd %{_sbindir}/rpc.nfsd /sbin/nfsdcltrack %{_mandir}/man5/exports.5%{ext_man} %{_mandir}/man7/nfsd.7%{ext_man} %{_mandir}/man8/exportfs.8%{ext_man} %{_mandir}/man8/mountd.8%{ext_man} %{_mandir}/man8/nfsd.8%{ext_man} %{_mandir}/man8/rpc.mountd.8%{ext_man} %{_mandir}/man8/rpc.nfsd.8%{ext_man} %{_mandir}/man8/nfsdcltrack.8%{ext_man} %config(noreplace) %{_localstatedir}/lib/nfs/etab %config(noreplace) %{_localstatedir}/lib/nfs/rmtab %config %attr(0644,root,root) %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server %files -n nfs-doc %defattr(-,root,root) %doc nfs/*.html nfs/*.ps README.NFSv4 %changelog ++++++ 0001-conffile-ignore-empty-environment-variables.patch ++++++ >From 5ec9d9034650ae4372dc1bd44d33a1e8768e3409 Mon Sep 17 00:00:00 2001 
From: NeilBrown <ne...@suse.com> Date: Wed, 8 Feb 2017 08:18:34 +1100 Subject: [PATCH] conffile: ignore empty environment variables. conf_set() already refuses to set an empty value, so if foo= appears in the config file, it will be ignored. This patch extends the policy to environment variables, so empty environment variables are treated as though they didn't exist. This means that a separate environment file (e.g. /etc/sysconfig/nfs) will be treated the same way whether it is: - included in the [environment] section of /etc/nfs.conf - sourced by the shell before running code - sourced by the systemd EnvironmentFile directive. Signed-off-by: NeilBrown <ne...@suse.com> --- support/nfs/conffile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/support/nfs/conffile.c b/support/nfs/conffile.c index e717c1e39bab..203efd2aa602 100644 --- a/support/nfs/conffile.c +++ b/support/nfs/conffile.c @@ -533,7 +533,7 @@ retry: * or from environment */ char *env = getenv(cb->value+1); - if (env) + if (env && *env) return env; section = "environment"; tag = cb->value + 1; -- 2.11.0 ++++++ 0002-Let-systemd-know-when-rpc.statd-is-needed.patch ++++++ >From b468dda439a02c4d1b7f85a0be6c0a227d16c2de Mon Sep 17 00:00:00 2001 
From: NeilBrown <ne...@suse.com> Date: Fri, 30 Nov 2018 16:38:45 +1100 Subject: [PATCH] Let systemd know when rpc.statd is needed. A recent change to set IgnoreOnIsolate for rpc-statd isn't quite sufficient (though it doesn't hurt). While rpc-statd does remain when systemctl isolate multi-user is run, its dependencies don't remain, so rpcbind might get killed, which makes rpc.statd rather useless. The reason this is all an issue is that systemd doesn't know that rpc-statd is needed - mount.nfs explicitly starts it rather than having a dependency start it. This can be rectified by explicitly telling systemd about the dependency using "systemctl add-wants". This can be done in the start-statd script, at the same time that rpc-statd is started. A --runtime dependency is used so that it doesn't persist across reboots. A new dependency will be created on next boot if an NFSv3 filesystem is mounted. With this in place, both rpc.statd and rpcbind remain. Actually, rpcbind.service is stopped, but rpcbind.socket remains, and when anything tries to contact rpcbind, rpcbind.service is automatically started and it re-reads its saved state. Signed-off-by: NeilBrown <ne...@suse.com> --- utils/statd/start-statd | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/utils/statd/start-statd +++ b/utils/statd/start-statd @@ -20,7 +20,12 @@ fi # First try systemd if it's installed. if [ -d /run/systemd/system ]; then # Quit only if the call worked. - systemctl start rpc-statd.service && exit + if systemctl start rpc-statd.service; then + # Ensure systemd knows not to stop rpc.statd or its dependencies + # on 'systemctl isolate ..' + systemctl add-wants --runtime remote-fs.target rpc-statd.service + exit 0 + fi fi cd / ++++++ 0002-mount-call-setgroups-before-setuid.patch ++++++ >From 5b7da9d70261583e67e114b36cb19973de15606d Mon Sep 17 00:00:00 2001 
From: NeilBrown <ne...@suse.com> Date: Wed, 8 Feb 2017 08:22:36 +1100 Subject: [PATCH] mount: call setgroups() before setuid() It is generally wise to call setgroups() (and setgid()) before calling setuid() to ensure no unexpected permission leaks happen. SUSE's build system checks all binaries for conformance with this and generates a warning for mountd. As we are setting the uid to 0, there is no risk that the group list will provide extra permissions, so there is no real risk here. But it is nice to silence warnings, and including a setgroups() call is probably a good practice to encourage. Signed-off-by: NeilBrown <ne...@suse.com> --- utils/mount/network.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/utils/mount/network.c b/utils/mount/network.c index d1c8fec75174..281e9354a7fa 100644 --- a/utils/mount/network.c +++ b/utils/mount/network.c @@ -33,6 +33,7 @@ #include <errno.h> #include <netdb.h> #include <time.h> +#include <grp.h> #include <sys/types.h> #include <sys/socket.h> @@ -804,6 +805,7 @@ int start_statd(void) pid_t pid = fork(); switch (pid) { case 0: /* child */ + setgroups(0, NULL); setgid(0); setuid(0); execle(START_STATD, START_STATD, NULL, envp); -- 2.11.0 ++++++ 0003-nfs-server-generator-handle-noauto-mounts-correctly.patch ++++++ >From 93b39628e0a2053d9b37cab7a60d78f782cb88ea Mon Sep 17 00:00:00 2001 
From: NeilBrown <ne...@suse.com> Date: Wed, 8 Feb 2017 12:56:38 +1100 Subject: [PATCH] nfs-server-generator: handle 'noauto' mounts correctly. When this code was written the systemd documentation stated that "RequiresMountsFor" ignored mountpoints marked as "noauto". Unfortunately this is incorrect. Consequently a filesystem marked as noauto that is also NFS exported will currently be mounted when the NFS server is started. This is not what people expect. So add a check for the noauto flag. If any ancestor of a given export point has the noauto flag, no RequiresMountsFor will be generated for that point. Also skip RequiresMountsFor for exports marked 'mountpoint', as their absence is, theoretically, already handled by mountd. URL: https://github.com/systemd/systemd/issues/5249 Signed-off-by: NeilBrown <ne...@suse.com> --- systemd/nfs-server-generator.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/systemd/nfs-server-generator.c b/systemd/nfs-server-generator.c index cc99969e9922..4aa65094ca07 100644 --- a/systemd/nfs-server-generator.c +++ b/systemd/nfs-server-generator.c @@ -84,6 +84,28 @@ static void systemd_escape(FILE *f, char *path) } } +static int has_noauto_flag(char *path) +{ + FILE *fstab; + struct mntent *mnt; + + fstab = setmntent("/etc/fstab", "r"); + if (!fstab) + return 0; + + while ((mnt = getmntent(fstab)) != NULL) { + int l = strlen(mnt->mnt_dir); + if (strncmp(mnt->mnt_dir, path, l) != 0) + continue; + if (path[l] && path[l] != '/') + continue; + if (hasmntopt(mnt, "noauto")) + break; + } + fclose(fstab); + return mnt != NULL; +} + int main(int argc, char *argv[]) { char *path; 
@@ -124,6 +146,10 @@ int main(int argc, char *argv[]) for (exp = exportlist[i].p_head; exp; exp = exp->m_next) { if (!is_unique(&list, exp->m_export.e_path)) continue; + if (exp->m_export.e_mountpoint) + continue; + if (has_noauto_flag(exp->m_export.e_path)) + continue; if (strchr(exp->m_export.e_path, ' ')) fprintf(f, "RequiresMountsFor=\"%s\"\n", exp->m_export.e_path); -- 2.11.0 ++++++ 0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch ++++++ >From 415dea8db90785c3063bbd74fff34cb6a4830f06 Mon Sep 17 00:00:00 2001 From: NeilBrown <ne...@suse.com> Date: Fri, 30 Nov 2018 16:44:29 +1100 Subject: [PATCH] systemd: run statd-notify even when nfs-client isn't enabled. When NFS filesystems are mounted, nfs-client.target really should be enabled. However it is possible to mount NFS filesystems without this (providing gss isn't used) and it mostly works. One aspect that doesn't work is that sm-notify isn't run, so the server isn't told to drop any locks from the previous client instance. This can result in confusing failures: if a client crashes while holding a lock, it won't be able to get the same lock after a reboot. While this isn't a complete solution (nfs-client really should be enabled), adding a dependency from rpc-statd to rpc-statd-notify is easy, has no down sides, and could help avoid confusion. Signed-off-by: NeilBrown <ne...@suse.com> --- systemd/rpc-statd.service | 1 + 1 file changed, 1 insertion(+) --- a/systemd/rpc-statd.service +++ b/systemd/rpc-statd.service 
@@ -3,6 +3,7 @@ Description=NFS status monitor for NFSv2 DefaultDependencies=no Conflicts=umount.target Requires=nss-lookup.target rpcbind.socket +Wants=rpc-statd-notify.service After=network.target nss-lookup.target rpcbind.socket PartOf=nfs-utils.service ++++++ 0007-statd-user-from-sm ++++++ statd: take user-id from /var/lib/nfs/sm Having /var/lib/nfs writeable by statd is not ideal as there are files in there that statd doesn't need to access. After dropping privs, statd and sm-notify only need to access files in the directories sm and sm.bak. So take the uid for these daemons from 'sm'. Signed-off-by: NeilBrown <ne...@suse.com> --- support/nsm/file.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) --- a/support/nsm/file.c +++ b/support/nsm/file.c @@ -426,23 +426,17 @@ nsm_drop_privileges(const int pidfd) (void)umask(S_IRWXO); - /* - * XXX: If we can't stat dirname, or if dirname is owned by - * root, we should use "statduser" instead, which is set up - * by configure.ac. Nothing in nfs-utils seems to use - * "statduser," though. - */ - if (lstat(nsm_base_dirname, &st) == -1) { - xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname); - return false; - } - if (chdir(nsm_base_dirname) == -1) { xlog(L_ERROR, "Failed to change working directory to %s: %m", nsm_base_dirname); return false; } + if (lstat(NSM_MONITOR_DIR, &st) == -1) { + xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR); + return false; + } + if (!prune_bounding_set()) return false; ++++++ 0008-gssd-replace-non-thread-safe-strtok-with-strsep.patch ++++++ >From 5ae8be8b6af1a0fdf2fa26051a05d4c04d028849 Mon Sep 17 00:00:00 2001 From: Frank Sorenson <soren...@redhat.com> Date: Wed, 15 Feb 2017 10:36:47 -0500 Subject: [PATCH] gssd: replace non-thread-safe strtok with strsep gssd uses the non-thread-safe strtok() function, which can lead to incorrect program behavior. Replace strtok() with the thread-safe strsep(). 
Signed-off-by: Frank Sorenson <soren...@redhat.com> Signed-off-by: Steve Dickson <ste...@redhat.com> --- utils/gssd/gssd_proc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c 
@@ -729,10 +729,11 @@ handle_gssd_upcall(struct clnt_upcall_in char *target = NULL; char *service = NULL; char *enctypes = NULL; + char *pbuf = info->lbuf; printerr(2, "\n%s: '%s' (%s)\n", __func__, info->lbuf, clp->relpath); - for (p = strtok(info->lbuf, " "); p; p = strtok(NULL, " ")) { + while ((p = strsep(&pbuf, " "))) { if (!strncmp(p, "mech=", strlen("mech="))) mech = p + strlen("mech="); else if (!strncmp(p, "uid=", strlen("uid="))) ++++++ README.NFSv4 ++++++ NFSv4 README Last updated: 17 May 2012 0. Contents: ----------- 1. Overview. \___ 1.1 Purpose of this document 2. Quick start 3. Idmapd Configuration on both NFS server and client 4. Setting up NFSv4 server and client \___ 4.1 Configuring Server | \___ 4.1.1 /etc/exports | \___ 4.1.2 Coexisting NFSv4 and NFSv3 | \___ 4.1.3 /etc/sysconfig/nfs \___ 4.2 Starting services on server and client \___ 4.3 Mounting the remote exported directories from client 5.Setting up kerberized NFSv4 server and client \___ 5.1 Prerequisites \___ 5.2 Configuring kerberized NFS server and client | \___ 5.2.1 Configuring kerberos | \___ 5.2.2 Create machine credentials | \___ 5.2.3 Configure /etc/gssapi_mech.conf | \___ 5.2.4 /etc/exports entries for kerberised server. \___ 5.3 Starting services on server and client \___ 5.4 Mounting the remote exported directories \___ 5.5 A known issue using NFSv4 with kerberos 6.Troubleshooting \___ 6.1 Checklist to ensure NFSv4 is up and running \___ 6.2 Checklist to ensure NFSv4 Kerberos is working properly 1. Overview: ------------ The Network File System Version 4 (NFSv4) is a distributed file system similar to previous versions of NFS in its straightforward design, and independence of transport protocols and operating systems for file access in a heterogeneous network. 
Unlike earlier versions of NFS, the new protocol integrates file locking, strong security, Compound RPCs (combining relevant operations), and delegation capabilities to enhance client performance for narrow data sharing applications on high-bandwidth networks. NFSv4 implementations are backward compatible with NFSv2 and NFSv3. Note: NFSv4 ACLs and krb5p (Kerberos Privacy) are currently not supported 1.1 The Purpose of this document ________________________________ This document is intended as a step-by-step guide to setup NFSv4 on openSUSE 12. It discusses NFSv4 server and client configuration. 2. Quickstart ------------- For NFSv4 server: 1) /etc/exports does not require any special entries to work with NFSv4. Earlier SUSE releases required 'fsid=0' on precisely one entry, and 'bind=' annotations on others. This is no longer required and should be removed. It is still supported, so there is no need to change /etc/exports when upgrading to openSUSE 12. 2) Edit /etc/idmapd.conf to modify the default "Domain" to contain your DNS domain name. 3) Execute the following commands to start idmapd and nfsserver #/etc/init.d/idmapd start #/etc/init.d/nfsserver start For NFSv4 client: 1) Edit /etc/idmapd.conf to modify the default "Domain" to contain your DNS domain name. 2) Execute the following command to start idmapd. #/etc/init.d/idmapd start 3) Mount the exported file system using the following command: #mount -t nfs4 <servername>:/ <mntpath> Observe that only "/" is given instead of the actual exported path name. 3. Idmapd Configuration on client and server -------------------------------------------- idmapd.conf - configuration file for idmapd (idmapping daemon), which does NFSV4<=>name mapping. Here dns domain (Domain) name has to be configured in both client and server. 
Sample Configuration file: ========================================================================== [General] Verbosity = 0 Pipefs-Directory = /var/lib/nfs/rpc_pipefs Domain = mydomain.com [Mapping] Nobody-User = nobody Nobody-Group = nobody ========================================================================== 4. Setting up NFSv4 server and client ------------------------------------- 4.1 Configuring Server ___________________________ There are three main configuration files you will need to edit to set up an NFSv4 server: /etc/sysconfig/nfs and /etc/idmapd.conf. We will describe the first here, as idmapd.conf is covered in the previous section. 4.1.1 /etc/sysconfig/nfs ========================= /etc/sysconfig/nfs is another NFS server configuration file. Here the number of kernel threads, NFSv4 support and GSS security (kerberos) for NFS can be configured (kerberos setup is explained in Section 5.) 4.2 Starting services on server and client __________________________________________ We need to start idmapd and nfsserver on the NFSv4 server. #/etc/init.d/idmapd start #/etc/init.d/nfsserver start and start idmapd alone on the client. If the machines that are being used as client and server are just meant for that, the daemons can be enabled during bootup as shown below. Use insserv to do this #insserv -d idmapd #insserv -d nfsserver and idmapd alone on the client. 4.3 Mounting remote exported directories ________________________________________ One main difference between previous versions of NFS and NFSv4 is the way in which mount is invoked. With regard to the pseudofilesystem concept sketched above, mount is done as follows: #mount -t nfs4 <servername>:/ <mntpath> Observe that only '/' is given after the servername. 5. Setting up kerberized NFSv4 server and client ------------------------------------------------ 5.1 Prerequisites _________________ o Key Distribution Center (KDC) must already be set up on the network. 
o krb5-1.4.x must be installed on both NFS server and NFS client. o krb5-client-1.4.x must be installed on both NFS server and NFS client. o NFS server, client and the KDC server must have their time synchronized. o NFS_SECURITY_GSS has to be set to "yes" in /etc/sysconfig/nfs in both server and client. 5.2 Configuring Kerberized NFSv4 server and client __________________________________________________ All the following configuration steps except 5.2.4 are for both NFSv4 client and server. 5.2.1 Configure kerberos ======================== Edit krb5.conf. Sample configuration ========================================================================== [libdefaults] default_realm = MYDOMAIN.COM dns_lookup_realm = true dns_lookup_kdc = true [realms] MYDOMAIN.COM = { kdc = kdcserver.mydomain.com admin_server = adminserver.mydomain.com default_domain = mydomain.com } [domain_realm] mydomain.com = MYDOMAIN.COM .mydomain.com = MYDOMAIN.COM [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log ========================================================================== Replace MYDOMAIN.COM with your REALM, kdcserver.mydomain.com with your KDC server, adminserver.mydomain.com with your Admin server & mydomain.com with your DNS domain name. 5.2.2 Create machine credentials ================================ This means creating a Kerberos V5 principal/instance name of the form nfs/<hostname>@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab. Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add only this type of key. kadmin: addprinc -e des-cbc-crc:normal nfs/<hostname>@REALM kadmin: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/<hostname>@REALM 5.2.3 Configure /etc/gssapi_mech.conf ===================================== This configuration file determines which GSS-API mechanisms the gssd code should use. 
There is usually no need to modify this file on 32-bit machines because the libraries are installed in /usr/lib. Note: On 64-bit machines this has to be changed to /usr/lib64. This is a workaround and will be fixed later. Sample configuration ========================================================================== # GSSAPI Mechanism Definitions # # This configuration file determines which GSS-API mechanisms # the gssd code should use # # NOTE: # The initialization function "mechglue_internal_krb5_init" # is used for the MIT krb5 gssapi mechanism. This special # function name indicates that an internal function should # be used to determine the entry points for the MIT gssapi # mechanism functions. # # library initialization function # ================================ ========================== # The MIT K5 gssapi library, use special function for initialization. /usr/lib/libgssapi_krb5.so mechglue_internal_krb5_init # # The SPKM3 gssapi library function. Use the function spkm3_gss_initialize. # /usr/local/gss_mechs/spkm/spkm3/libgssapi_spkm3.so spkm3_gss_initialize ========================================================================== 5.2.4 /etc/exports entries for a kerberized server ================================================== Typical entries for kerberos security mode look like these: /export gss/krb5(rw,insecure,no_subtree_check,sync,no_root_squash) /export gss/krb5i(rw,insecure,no_subtree_check,sync,no_root_squash) Note: i) option 'insecure' - The insecure option in this entry also allows clients with NFS implementations that don't use a reserved port for NFS. So it is advisable *NOT* to use this option unless you have a kerberised set up or you know what you are doing. 5.3 Starting the services on server and client ______________________________________________ On NFSv4 server, svcgssd needs to be started too. So, #/etc/init.d/idmapd start #/etc/init.d/svcgssd start #/etc/init.d/nfsserver start On NFSv4 client, gssd needs to be started too. 
So, #/etc/init.d/idmapd start #/etc/init.d/gssd start Or, to avoid starting them manually, enable the services during bootup using insserv as mentioned in 4.2 5.4 Mounting exported directories with kerberos _______________________________________________ To mount a filesystem using krb5, provide the "-osec=krb5" option to mount. #mount -tnfs4 -osec=<secmode> nfsserver:/ /mntpoint <secmode> can be krb5 (Authentication) or krb5i (Integrity). 5.5 A known issue using NFSv4 with kerberos ___________________________________________ Even if the "no_root_squash" option is used while exporting a filesystem at the server, root on the client gets a "Permission denied" error when creating files on the mount point. This is because there is no proper mapping between root and the GSSAuthName. Note: Trying to set 777 permission is not correct as it is not secure. Also, any file created on the mountpoint will have "nobody" as owner. There is a workaround for this if both NFS server and client use ldap_umich methods to authenticate. If the idmapd on both server and client is configured to use ldap_umich modules, then having the GSSAuthName (<nfs/hostname@realm>) parameter map to the root user on the ldap server will solve this problem. A proper fix for this issue is being worked on. 6. Troubleshooting ------------------- 6.1 Checklist to ensure NFSV4 is up and running _______________________________________________ 1. ps -ef | grep nfsd ps -ef | grep idmapd ps -ef | grep svcgssd to check server side daemons are up and running. 2. ps -ef | grep idmapd ps -ef | grep gssd to check client side daemons are up and running 3. rpcinfo -p to check all registered RPC programs (nfs, portmapper, mountd) & versions 4. Check firewall is enabled on server/client from YAST. Yast -> Security and Users -> Firewall. Make sure NFS service is enabled. 5. showmount -e <server name> to check mount information on NFS server 6. 
If users are not mapped properly, check whether idmapd is running on both server & client and the dns domain name is properly configured. 7. If you are unable to mount, check the exports file entry for correctness. 6.2 Check list to ensure kerberos is working properly _____________________________________________________ There are many reasons this could be failing. 1. Verify that rpc.gssd is running on the client and rpc.svcgssd is running on the server. 2. Verify that your hostnames are correct. The hostname command should return a fully-qualified hostname that has a correct DNS reverse-mapping (either through DNS or the /etc/hosts file). 3. Verify there is a keytab entry for nfs/<hostname>@REALM in your keytab file (/etc/krb5.keytab). 4. Verify your Kerberos configuration file has the proper mapping from the DNS hostname to the correct realm. The [domain_realm] section of the /etc/krb5.conf needs to have a mapping from the DNS domain to the correct REALM. For example, if your nfs server's hostname is 'foo.abc.org' and your Kerberos realm name is 'ALPHABET.ORG', then you need an entry like the following in /etc/krb5.conf on the nfs client machine: [domain_realm] .abc.org = ALPHABET.ORG 5. Verify whether your ticket has expired on the client using klist. If it has expired, renew it using kinit. This must be checked when you find "I/O Error" or "Permission denied" while doing file operations. ++++++ fw-client ++++++ ## Description: Firewall Configuration for NFS client. # # Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed. # More may be supported in the future. # # For a more detailed description of the individual variables see # the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2 # ## Name: NFS Client ## Description: Opens ports for NFS client to allow connection to an NFS server. 
# space separated list of allowed TCP ports TCP="" # space separated list of allowed UDP ports UDP="" # space separated list of allowed RPC services RPC="portmap status nlockmgr" # space separated list of allowed IP protocols IP="" # space separated list of allowed UDP broadcast ports BROADCAST="" ++++++ fw-server ++++++ ## Description: Firewall Configuration for NFS kernel server. # # Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed. # More may be supported in the future. # # For a more detailed description of the individual variables see # the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2 # ## Name: NFS Server Service ## Description: Opens ports for NFS to allow other hosts to connect. # space separated list of allowed TCP ports TCP="" # space separated list of allowed UDP ports UDP="" # space separated list of allowed RPC services RPC="portmap status nlockmgr mountd nfs nfs_acl" # space separated list of allowed IP protocols IP="" # space separated list of allowed UDP broadcast ports BROADCAST="" ++++++ idmapd.conf ++++++ [General] Verbosity = 0 Pipefs-Directory = /var/lib/nfs/rpc_pipefs Domain = localdomain [Mapping] Nobody-User = nobody Nobody-Group = nobody ++++++ nfs-client.nfs.conf ++++++ # When nfs is stopped or restarted, nfs-client must too. [Unit] PartOf=nfs.service ++++++ nfs-kernel-server.tmpfiles.conf ++++++ # See tmpfiles.d(5) for details #Type Path Mode UID GID Age Argument d /var/lib/nfs f /var/lib/nfs/etab f /var/lib/nfs/rmtab ++++++ nfs-mountd.options.conf ++++++ [Service] EnvironmentFile=-/etc/sysconfig/nfs ExecStart= ExecStart=-/usr/sbin/rpc.mountd $MOUNTD_OPTIONS ++++++ nfs-server.nfsserver.conf ++++++ # When nfsserver is stopped or restarted, nfs-server must too. 
[Unit] PartOf=nfsserver.service ++++++ nfs-server.options.conf ++++++ [Service] EnvironmentFile=-/etc/sysconfig/nfs ExecStart= ExecStart=-/usr/sbin/rpc.nfsd $NFSD_OPTIONS ++++++ nfs-utils-1.0.7-bind-syntax.patch ++++++ support/export/export.c | 2 support/include/misc.h | 3 support/include/nfslib.h | 1 ================================================================================ --- support/nfs/exports.c | 2 ++ 1 file changed, 2 insertions(+) --- nfs-utils-1.3.1.orig/support/nfs/exports.c +++ nfs-utils-1.3.1/support/nfs/exports.c 
@@ -649,6 +649,8 @@ bad_option: } else if (strncmp(opt, "replicas=", 9) == 0) { ep->e_fslocmethod = FSLOC_REPLICA; ep->e_fslocdata = strdup(opt+9); + } else if (strncmp(opt, "bind=/", 6) == 0) { + /* ignore this for now */ } else if (strncmp(opt, "sec=", 4) == 0) { active = parse_flavors(opt+4, ep); if (!active) ++++++ nfs-utils.rpmlintrc ++++++ # /var/lib/nfs/sm.bak is a valid directory needed by sm-notify addFilter("suse-filelist-forbidden-backup-file.*sm.bak") ++++++ nfs.conf ++++++ # # This is a general configuration for the # NFS daemons and tools # DO NOT MAKE CHANGES TO THIS FILE as they will # be lost on the next software update. Make changes # to /etc/sysconfig/nfs or /etc/nfs.conf.local instead. # /etc/nfs.conf.local can include multiple sections, just # like this file. [environment] include = /etc/sysconfig/nfs include = /etc/nfs.conf.local [general] pipefs-directory=$RPC_PIPEFS_DIR # #[exportfs] # debug=0 # #[gssd] # use-memcache=0 # use-machine-creds=1 avoid-dns=$NFS_GSSD_AVOID_DNS # limit-to-legacy-enctypes=0 # context-timeout=0 # rpc-timeout=5 # keytab-file=/etc/krb5.keytab # cred-cache-directory= # preferred-realm= # [lockd] port=$LOCKD_TCPPORT udp-port=$LOCKD_UDPPORT # [mountd] # debug=0 # manage_gids=n # descriptors=0 port= $MOUNTD_PORT # threads=1 # reverse-lookup=n # state-directory-path=/var/lib/nfs # ha-callout= # #[nfsdcltrack] # debug=0 # storagedir=/var/lib/nfs/nfsdcltrack # [nfsd] # debug=0 threads= $USE_KERNEL_NFSD_NUMBER # host= # port=0 # grace-time=90 lease-time=$NFSV4LEASETIME # udp=y # tcp=y # vers2=n vers3=$NFS3_SERVER_SUPPORT vers4=$NFS4_SUPPORT # vers4.0=y # vers4.1=y # vers4.2=y # rdma=n # [statd] # debug=0 port=$STATD_PORT # outgoing-port=0 name=$STATD_HOSTNAME # state-directory-path=/var/lib/nfs/statd # ha-callout= # #[sm-notify] # debug=0 # retry-time=900 # outgoing-port= # outgoing-addr= # #[svcgssd] # principal= ++++++ nfs.service ++++++ [Unit] Description=Alias for NFS client # The systemd alias mechanism (using symlinks) 
isn't rich enough. # If you "systemctl enable" an alias, it doesn't enable the # target. # This service file creates a sufficiently rich alias for nfs-client # (which is the canonical upstream name) # "start", "stop", "restart", "reload" on this will do the same to nfs-client. # "enable" on this will only enable this service, but when it starts, that # starts nfs-client, so it is effectively enabled. # nfs-server.d/nfsserver.conf is part of this service. Requires= nfs-client.target PropagatesReloadTo=nfs-client.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=/bin/true [Install] WantedBy=multi-user.target ++++++ nfsserver.service ++++++ [Unit] Description=Alias for NFS server # The systemd alias mechanism (using symlinks) isn't rich enough. # If you "systemctl enable" an alias, it doesn't enable the # target. # This service file creates a sufficiently rich alias for nfs-server # (which is the canonical upstream name) # "start", "stop", "restart", "reload" on this will do the same to nfs-server. # "enable" on this will only enable this service, but when it starts, that # starts nfs-server, so it is effectively enabled. # nfs-server.d/nfsserver.conf is part of this service. Requires= nfs-server.service [Service] Type=oneshot ExecStart=/bin/true RemainAfterExit=yes # Can't just PropagatesReloadTo to nfs-server.service # as reload fails if we don't have our own ExecReload # So copy that from nfs-server.service ExecReload=/usr/sbin/exportfs -r [Install] WantedBy=multi-user.target ++++++ nsm-headers.patch ++++++ Index: nfs-utils-2.1.1/support/nsm/rpc.c =================================================================== --- nfs-utils-2.1.1.orig/support/nsm/rpc.c +++ nfs-utils-2.1.1/support/nsm/rpc.c 
@@ -41,6 +41,7 @@ #include <time.h> #include <stdbool.h> #include <string.h> +#include <stdint.h> #include <unistd.h> #include <fcntl.h> ++++++ rpc-gssd.options.conf ++++++ [Service] EnvironmentFile=-/etc/sysconfig/nfs ExecStart= ExecStart=-/usr/sbin/rpc.gssd $GSSD_OPTIONS ++++++ rpc-statd-notify.options.conf ++++++ [Service] ExecStart= EnvironmentFile=-/etc/sysconfig/nfs ExecStart=-/usr/sbin/sm-notify $SM_NOTIFY_OPTIONS ++++++ rpc-statd.options.conf ++++++ [Service] EnvironmentFile=-/etc/sysconfig/nfs ExecStart= ExecStart=-/usr/sbin/rpc.statd $STATD_OPTIONS ++++++ rpc-svcgssd.options.conf ++++++ [Service] EnvironmentFile=-/etc/sysconfig/nfs ExecStart= ExecStart=-/usr/sbin/rpc.svcgssd $SVCGSSD_OPTIONS ++++++ sysconfig.nfs ++++++ ## Path: Network/File systems/NFS server ## Description: number of threads for kernel nfs server ## Type: integer ## Default: 4 ## ServiceRestart: nfs-server # # the kernel nfs-server supports multiple server threads # USE_KERNEL_NFSD_NUMBER="4" ## Path: Network/File systems/NFS server ## Description: use fixed port number for mountd ## Type: integer ## Default: "" ## ServiceRestart: nfs-mountd # # Only set this if you want to start mountd on a fixed # port instead of the port assigned by rpc. Only for use # to export nfs-filesystems through firewalls. # MOUNTD_PORT="" ## Path: Network/File systems/NFS server ## Description: NFSv3 server support ## Type: yesno ## Default: yes ## ServiceRestart: nfs-server # # Enable NFSv3 server support (yes/no) # This causes the NFS server to respond to # NFSv2 and NFSv3 requests. Only disable this # if you want to ensure only NFSv4 is used. 
# NFS3_SERVER_SUPPORT="yes" ## Path: Network/File systems/NFS server ## Description: NFSv4 protocol support ## Type: yesno ## Default: yes ## ServiceRestart: nfs-server # # Enable NFSv4 support (server and/or client) (yes/no) # NFS4_SUPPORT="yes" ## Path: Network/File systems/NFS server ## Description: Network Status Monitor options ## Type: string ## Default: "" # # If a fixed port should be used to send reboot notification # messages to other systems, that port should be given # here as "-p portnumber". # SM_NOTIFY_OPTIONS="" ## Path: Network/File systems/NFS server ## Description: Port rpc.statd should listen on ## Type: integer ## Default: "" ## ServiceRestart: rpc-statd # # Statd will normally choose a random port to listen on and # SuSE-Firewall is able to detect which port and allow for it. # If you have another firewall, you may want to set a fixed # port number which can then be opened in that firewall. STATD_PORT="" ## Path: Network/File systems/NFS server ## Description: Hostname used by rpc.statd ## Type: string ## Default: "" ## ServiceRestart: rpc-statd # # statd will normally use the system hostname in status # monitoring conversations with other hosts. If a different # host name should be used, as can be useful with fail-over # configurations, that name should be given here. # STATD_HOSTNAME="" ## Path: Network/File systems/NFS server ## Description: TCP Port that lockd should listen on ## Type: integer ## Default: "" ## ServiceRestart: nfs-server # # Lockd will normally choose a random port to listen on and # SuSE-Firewall is able to detect which port and allow for it. # If you have another firewall, you may want to set a fixed # port number which can then be opened in that firewall. # lockd opens a UDP and a TCP port. This setting only affect # the TCP port. 
LOCKD_TCPPORT="" ## Path: Network/File systems/NFS server ## Description: UDP Port that lockd should listen on ## Type: integer ## Default: "" ## ServiceRestart: nfs-server # # Lockd will normally choose a random port to listen on and # SuSE-Firewall is able to detect which port and allow for it. # If you have another firewall, you may want to set a fixed # port number which can then be opened in that firewall. # lockd opens a UDP and a TCP port. This setting only affects # the UDP port. LOCKD_UDPPORT="" ## Path: Network/File systems/NFS server ## Description: Command line parameters for rpc.statd ## Type: string ## Default: "" ## ServiceRestart: rpc-statd # # Custom parameters for rpc.statd daemon. Typically this will # be used to set the port number (-p). # STATD_OPTIONS="" ## Path: Network/File systems/NFS server ## Description: Lease time for NFSv4 leases ## Type: integer ## Default: "" # # Set the lease time for the NFSv4 server. This allows new locks # to be taken sooner after a server restart, so it is useful for # servers which need to recover quickly after a failure, particularly # in fail-over configurations. Reducing the lease time can be a # problem if some clients connect over high latency networks. # The default is 90 seconds. A number like 15 might be appropriate # in a fail-over configuration with all clients on well connected # low latency links. NFSV4LEASETIME="" ## Path: Network/File systems/NFS server ## Description: Alternate mount point for rpc_pipefs filesystem ## Type: string ## Default: "" ## ServiceRestart: nfs-utils # # In a high-availability configuration it is possible that /var/lib/nfs # is redirected to some shared storage and so it is not convenient to # mount the rpc_pipefs filesystem at /var/lib/nfs/rpc_pipefs. In that # case an alternate mount point can be given here. 
RPC_PIPEFS_DIR="" ## Path: Network/File systems/NFS server ## Description: Options for svcgssd ## Type: string ## Default: "" ## ServiceRestart: rpc-svcgssd # # Normally svcgssd does not require any option. However in a # high-availability configuration it can be useful to pass "-n" # to guide the choice of default credential. To allow for that # case or any other requiring options to svcgssd, they can # be specified here. SVCGSSD_OPTIONS="" ## Path: Network/File systems/NFS server ## Description: Extra options for nfsd ## Type: string ## Default: "" ## ServiceRestart nfs-server # # This setting allows extra options to be specified for NFSD, such as # -H <shared_hostname> in a high-availability configuration. NFSD_OPTIONS="" ## Path: Network/File systems/NFS server ## Description: Extra options for gssd ## Type: string ## Default: "" ## ServiceRestart: rpc-gssd # # Normally gssd does not require any options. In some circumstances, # -n, -l or other options might be useful. See "man 8 rpc.gssd" for # details. Those options can be set here. GSSD_OPTIONS="" ## Path: Network/File systems/NFS server ## Description: Extra options for mountd ## Type: string ## Default: "" ## ServiceRestart nfs-mountd # # Normally mountd does not require any options. In some circumstances, # -n, -t, -g or other options might be useful. See "man 8 rpc.mountd" for # details. Those options can be set here. # -p or -N should be set using MOUNTD_PORT or NFS4_SUPPORT rather than # this option. MOUNTD_OPTIONS="" ## Path: Network/File systems/NFS server ## Description: Avoid DNS lookups for kerberos principal ## Type: yesno ## Default: no ## ServiceRestart: rpc-gssd # # Avoid DNS lookups when determining kerberos identity # of NFS server (yes/no) # "yes" is safest, but "no" might be needed to preserve # correct behaviour at sites that don't use # Fully Qualified Domain Names when mounting NFS Shares. # NFS_GSSD_AVOID_DNS="no"
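Review bot: the two new `continue` checks in the `@@ -124,6 +146,10 @@` hunk of main() skip an export silently, and nothing says why an export with `e_mountpoint` set or with a noauto flag must not get a `RequiresMountsFor=` line. A one-line comment above each check would record the reasoning. While here, the fprintf in the context lines wraps the path in double quotes only when it contains a space and writes it otherwise unescaped, so it is worth confirming that a path containing a double quote or backslash cannot reach this point.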
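Review bot: the added `Wants=rpc-statd-notify.service` in the `@@ -3,6 +3,7 @@` hunk of systemd/rpc-statd.service pulls the notify unit in but sets no ordering, and the `After=` line directly below it is unchanged. If sm-notify has to run at a particular point relative to rpc.statd, the commit message should say where that ordering is defined, or the ordering should be added here.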
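Review bot: in the `@@ -426,23 +426,17 @@` hunk of nsm_drop_privileges(), the new `lstat(NSM_MONITOR_DIR, &st)` takes ownership from whatever object is named sm, and nothing in the visible lines checks that it is a directory; with lstat() a symlink at that name yields the symlink's own owner. Since the daemon's uid now depends on this one entry, consider failing when `S_ISDIR(st.st_mode)` is false before the result is used. The removed XXX comment also documented the root-owned case, so a short replacement comment stating that the uid comes from sm, resolved relative to the directory just entered with chdir(), would keep that context.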
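Review bot: `while ((p = strsep(&pbuf, " ")))` in the `@@ -729,10 +729,11 @@` hunk of handle_gssd_upcall() is not an exact replacement for the strtok() loop, because strsep() returns an empty string for every run of adjacent spaces where strtok() skipped them. The strncmp() branches visible in the hunk simply fail to match an empty token, so this looks harmless, but an `if (!*p) continue;` guard at the top of the loop, or a comment stating that empty fields fall through, would make the behaviour explicit.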
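Review bot: the new `bind=/` branch in the `@@ -649,6 +649,8 @@` hunk of support/nfs/exports.c accepts the option and drops it without any message, and the comment `/* ignore this for now */` says neither why nor until when. The README shipped in this package states that 'bind=' annotations are no longer required and should be removed, so a warning that names the export would prompt administrators to clean up /etc/exports. The header above the hunk also lists support/export/export.c, support/include/misc.h and support/include/nfslib.h, none of which the patch touches, which suggests a stale diffstat.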
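Review bot: nsm-headers.patch adds `#include <stdint.h>` to support/nsm/rpc.c in the `@@ -41,6 +41,7 @@` hunk without any description. A line naming the type or macro in rpc.c that needs the header would let a later maintainer tell when the patch can be dropped.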