Hello community,

here is the log from the commit of package nfs-utils.13845 for 
openSUSE:Leap:15.1:Update checked in at 2020-09-04 14:24:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.1:Update/nfs-utils.13845 (Old)
 and      /work/SRC/openSUSE:Leap:15.1:Update/.nfs-utils.13845.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nfs-utils.13845"

Fri Sep  4 14:24:10 2020 rev:1 rq:831102 version:2.1.1

Changes:
--------
New Changes file:

--- /dev/null   2020-08-06 00:20:10.149648038 +0200
+++ 
/work/SRC/openSUSE:Leap:15.1:Update/.nfs-utils.13845.new.3399/nfs-utils.changes 
    2020-09-04 14:24:18.638711475 +0200
@@ -0,0 +1,1848 @@
+-------------------------------------------------------------------
+Thu Jul  9 02:20:11 UTC 2020 - Neil Brown <nfbr...@suse.com>
+
+- 0008-gssd-replace-non-thread-safe-strtok-with-strsep.patch
+  Fix bug with concurrent gssd requests arriving from kernel.
+  (bsc#1174260)
+
+-------------------------------------------------------------------
+Mon Sep 30 01:27:15 UTC 2019 - Neil Brown <nfbr...@suse.com>
+
+- Don't make /var/lib/nfs owned by statd.
+  Only sm and sm.bak need to be accessible by
+  statd or sm-notify after they drop privs.
+  Providing they get created, the parent
+  directory can be root-owned.
+- 0007-statd-user-from-sm
+  Change rpc.statd and sm-notify to take uid from the sm
+  directory.
+  (bsc#1150733 CVE-2019-3689)
+
+-------------------------------------------------------------------
+Mon Dec  3 03:50:48 UTC 2018 - Neil Brown <nfbr...@suse.com>
+
+- 0002-Let-systemd-know-when-rpc.statd-is-needed.patch
+  0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch
+  Fixes for systemd integration
+  (bsc#1116221)
+- nfs.conf: spell NFSV4LEASETIME correctly.
+  (bsc#1098532)
+
+-------------------------------------------------------------------
+Fri Jul  6 15:02:49 CEST 2018 - ku...@suse.de
+
+- Create files in /var/lib/nfs via tmpfiles.d [bsc#1100404],
+  [FATE#325524]
+
+-------------------------------------------------------------------
+Thu Nov 23 13:40:51 UTC 2017 - rbr...@suse.com
+
+- Replace references to /var/adm/fillup-templates with new 
+  %_fillupdir macro (boo#1069468)
+
+-------------------------------------------------------------------
+Fri Oct  6 04:23:19 UTC 2017 - nfbr...@suse.com
+
+- fix incorrect dependency in
+  /usr/lib/systemd/system/nfs-client.target.d/nfs.conf
+  When yast restarts "nfs" it should propagate to nfs-client,
+  but doesn't.
+  (boo#1053691)
+
+-------------------------------------------------------------------
+Wed Jul  5 11:02:51 UTC 2017 - sch...@suse.de
+
+- nsm-headers.patch: add missing <stdint.h>
+
+-------------------------------------------------------------------
+Tue May  2 13:51:27 CEST 2017 - ku...@suse.de
+
+- Prerequire needed group "nogroup"
+
+-------------------------------------------------------------------
+Wed Feb  8 02:32:37 UTC 2017 - nfbr...@suse.com
+
+- update upstream version from 1.3.4 to 2.1.1
+  The significant update is that configuration can
+  now be read from a central /etc/nfs.conf file, and
+  it can include other files such as /etc/sysconfig/nfs
+  This means that the old nfs-config.service systemd
+  unit is no longer needed.
+- /etc/nfs.conf file created to import all sysconfig
+  settings except *_OPTIONS directly into running code.
+- dropins created to pass *_OPTIONS sysconfig setting to
+  the various daemons.
+- various specfile improvements, such as using "-D" in
+  "install" commands, and adding "verify_permissions".
+- "xtab" has not been needed for years and has now been remove.
+- sysconfig.nfs updated, particular the ServiceRestart
+  declarations have been tuned for systemd units.
+- 0003-nfs-server-generator-handle-noauto-mounts-correctly.patch
+  Fix the nfs-server-generator so that mounts marked "noauto"
+  are not automatically mounted when NFS exported.
+  (bsc#1019211)
+- 0001-conffile-ignore-empty-environment-variables.patch
+  0002-mount-call-setgroups-before-setuid.patch
+  Other minor fixes found during testing.
+- REMOVED 0001-Make-location-of-nfs-utils_env.sh-configurable.patch
+  now included upstream
+
+-------------------------------------------------------------------
+Thu Jan 19 10:17:03 UTC 2017 - jeng...@inai.de
+
+- Check for existence of "statd" user before creating it,
+  and do not suppress errors about it.
+- Ensure units passed to %service_* are full filenames.
+- Pass all units (non-templated) to %service_*.
+
+-------------------------------------------------------------------
+Mon Nov 14 14:51:30 UTC 2016 - dims...@opensuse.org
+
+- Also ignore errors on the first chown call: this can happen
+  especially in the build system when shadow is not present and
+  the user has not been generated in the %pre phase.
+
+-------------------------------------------------------------------
+Fri Oct 21 00:09:04 UTC 2016 - nfbr...@suse.com
+
+- move rpc.svcgssd and corresponding man page from
+  nfs-client package to nfs-kernel-server.
+  For NFSv4.0 this is needed on client as well as
+  the server to support the back-channel.
+  (bsc#1005609)
+
+-------------------------------------------------------------------
+Sun Aug 21 06:16:27 UTC 2016 - nfbr...@suse.com
+
+- 0001-Make-location-of-nfs-utils_env.sh-configurable.patch
+  1.3.4 moved the config script location to somewhere
+  that doesn't exist on openSUSE.  Move it somewhere
+  better and install it there.
+  (bsc#990356)
+
+-------------------------------------------------------------------
+Wed Aug 10 02:57:57 UTC 2016 - nfbr...@suse.com
+
+- nfs-utils-1.3.4.tar.xz
+  New upstream release.  Lots of bugfixes, no significant
+  functionality changes
+
+- delete 0001-Fix-protocol-minor-version-fall-back.patch
+  delete 0001-close-the-syslog-fd-in-daemon_init.patch
+  delete 0001-mount-run-START_STATD-fully-as-root.patch
+  delete 0001-mount.nfs-hide-EBUSY-errors.patch
+  delete 0001-mount.nfs-trust-the-exit-status-of-start_statd.patch
+  delete 0001-systemd-Decouple-the-starting-and-stopping-of-rpcbin.patch
+  delete 0002-systemd-unit-files-fix-up-dependencies-on-rpcbind.patch
+  delete nfs-utils-no-svcgss.service
+  delete nfs-utils-uninit-mem.patch
+  All patches are included in 1.3.4
+
+
+-------------------------------------------------------------------
+Tue Aug  9 23:32:10 UTC 2016 - nfbr...@suse.com
+
+- nfs-utils_env.sh
+  Fix some problems with version_params.
+  Various misspellings and remove the possiblity
+  that V4 is both disabled and enabled.
+  (bsc#990356)
+
+-------------------------------------------------------------------
+Mon Aug  8 08:39:54 UTC 2016 - tchva...@suse.com
+
+- Drop OMC svcinfo file, nowdays useless
+
+-------------------------------------------------------------------
+Mon Aug  8 08:38:16 UTC 2016 - tchva...@suse.com
+
+- Sort a bit with spec-cleaner to get uptodate spec
+- Convert deps from regular devels to pkgconfig style
+
+-------------------------------------------------------------------
+Tue May 24 22:27:14 UTC 2016 - nfbr...@suse.com
+
+- 0001-systemd-Decouple-the-starting-and-stopping-of-rpcbin.patch
+  0002-systemd-unit-files-fix-up-dependencies-on-rpcbind.patch
+ Fix systemd dependencies to ensure rpcbind is started when needed.
+ (bsc#975265)
+
+-------------------------------------------------------------------
+Thu Apr 21 23:40:59 UTC 2016 - ne...@suse.com
+
+- 0001-close-the-syslog-fd-in-daemon_init.patch
+  Without this, tracing doesn't work
+- 0001-mount.nfs-trust-the-exit-status-of-start_statd.patch
+  (bsc#945937)
+- 0001-mount-run-START_STATD-fully-as-root.patch
+  (bsc#969152)
+
+-------------------------------------------------------------------
+Mon Apr  4 13:56:38 CEST 2016 - ku...@suse.de
+
+- Drop unused BuildRequires for libgssglue, not used with tirpc
+
+-------------------------------------------------------------------
+Mon Apr  4 10:16:32 CEST 2016 - ku...@suse.de
+
+- Drop unused BuildRequires for librpcsecgss, tirpc version is used
+
+-------------------------------------------------------------------
+Wed Mar  2 03:53:26 UTC 2016 - ne...@suse.com
+
+- 0001-mount.nfs-hide-EBUSY-errors.patch
+  Stop "mount -a -t nfs" from complaining if filesystem
+  already mounted (bsc#950340)
+
+-------------------------------------------------------------------
++++ 1651 more lines (skipped)
++++ between /dev/null
++++ and 
/work/SRC/openSUSE:Leap:15.1:Update/.nfs-utils.13845.new.3399/nfs-utils.changes

New:
----
  0001-conffile-ignore-empty-environment-variables.patch
  0002-Let-systemd-know-when-rpc.statd-is-needed.patch
  0002-mount-call-setgroups-before-setuid.patch
  0003-nfs-server-generator-handle-noauto-mounts-correctly.patch
  0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch
  0007-statd-user-from-sm
  0008-gssd-replace-non-thread-safe-strtok-with-strsep.patch
  README.NFSv4
  fw-client
  fw-server
  idmapd.conf
  nfs-client.nfs.conf
  nfs-kernel-server.tmpfiles.conf
  nfs-mountd.options.conf
  nfs-server.nfsserver.conf
  nfs-server.options.conf
  nfs-utils-1.0.7-bind-syntax.patch
  nfs-utils-2.1.1.tar.xz
  nfs-utils.changes
  nfs-utils.rpmlintrc
  nfs-utils.spec
  nfs.conf
  nfs.doc.tar.bz2
  nfs.service
  nfsserver.service
  nsm-headers.patch
  rpc-gssd.options.conf
  rpc-statd-notify.options.conf
  rpc-statd.options.conf
  rpc-svcgssd.options.conf
  sysconfig.nfs

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nfs-utils.spec ++++++
#
# spec file for package nfs-utils
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
  %define _fillupdir /var/adm/fillup-templates
%endif

Name:           nfs-utils
Version:        2.1.1
Release:        0
Summary:        Support Utilities for Kernel nfsd
License:        GPL-2.0-or-later
Group:          Productivity/Networking/NFS
Url:            http://kernel.org/pub/linux/utils/nfs-utils/
Source0:        http://kernel.org/pub/linux/utils/nfs-utils/%{version}/nfs-utils-%{version}.tar.xz
# Download does not work:
# Source1:        ftp://nfs.sourceforge.net/pub/nfs/nfs.doc.tar.bz2
Source1:        nfs.doc.tar.bz2
Source4:        sysconfig.nfs
Source6:        README.NFSv4
Source7:        fw-client
Source8:        fw-server
Source11:       idmapd.conf
Source13:       nfs-utils.rpmlintrc
Source15:       nfsserver.service
Source16:       nfs.service
Source17:       nfs-server.nfsserver.conf
Source18:       nfs-client.nfs.conf
Source20:       nfs-mountd.options.conf
Source21:       nfs-server.options.conf
Source22:       rpc-gssd.options.conf
Source23:       rpc-statd.options.conf
Source24:       rpc-statd-notify.options.conf
Source25:       rpc-svcgssd.options.conf
Source26:       nfs.conf
Source27:       nfs-kernel-server.tmpfiles.conf
Patch0:         nfs-utils-1.0.7-bind-syntax.patch
Patch1:         0001-conffile-ignore-empty-environment-variables.patch
Patch2:         0002-mount-call-setgroups-before-setuid.patch
Patch3:         0003-nfs-server-generator-handle-noauto-mounts-correctly.patch
Patch4:         nsm-headers.patch
Patch5:         0002-Let-systemd-know-when-rpc.statd-is-needed.patch
Patch6:         0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch
Patch7:         0007-statd-user-from-sm
Patch8:         0008-gssd-replace-non-thread-safe-strtok-with-strsep.patch

BuildRequires:  e2fsprogs-devel
BuildRequires:  fedfs-utils-devel
BuildRequires:  gcc-c++
BuildRequires:  libtool
BuildRequires:  pkgconfig
BuildRequires:  systemd-rpm-macros
BuildRequires:  tcpd-devel
BuildRequires:  pkgconfig(devmapper)
BuildRequires:  pkgconfig(kdb)
BuildRequires:  pkgconfig(krb5)
BuildRequires:  pkgconfig(libevent)
BuildRequires:  pkgconfig(libnfsidmap) >= 0.24
BuildRequires:  pkgconfig(libtirpc)
BuildRequires:  pkgconfig(mount)
BuildRequires:  pkgconfig(sqlite3)
Suggests:       python-base
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%{?systemd_requires}

%description
This package contains the NFS utilities. You can tune the number of
server threads via the sysconfig variable USE_KERNEL_NFSD_NUMBER. For
quota over NFS support, install the quota package.

%package -n nfs-client
Summary:        Support Utilities for NFS
Group:          Productivity/Networking/NFS
Requires:       keyutils
Requires:       netcfg
Requires:       rpcbind
Requires(post): %fillup_prereq
Requires(pre):  permissions
Requires(pre):  shadow
%if 0%{?suse_version} >= 1330
Requires(pre):  group(nogroup)
%endif
Obsoletes:      nfs-utils < 1.1.0

%description -n nfs-client
This package contains common NFS utilities which are needed for client
and kernel based server.

%package -n nfs-kernel-server
Summary:        Support Utilities for Kernel nfsd
Group:          Productivity/Networking/NFS
Requires:       netcfg
Requires:       nfs-client = %{version}
Requires:       rpcbind
Conflicts:      nfs-server
Provides:       nfs-utils = %{version}
Obsoletes:      nfs-utils < 1.1.0
PreReq:         permissions

%description -n nfs-kernel-server
This package contains support for the kernel based NFS server. You can
tune the number of server threads via the sysconfig variable
USE_KERNEL_NFSD_NUMBER. For quota over NFS support, install the quota
package.

%package -n nfs-doc
Summary:        Support Utilities for NFS
Group:          Productivity/Networking/NFS
Requires:       latex2html-pngicons
Obsoletes:      nfs-utils < 1.1.0

%description -n nfs-doc
This package contains additional NFS documentation.

%prep
%setup -q -a 1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1

cp %{SOURCE6} .

%build
autoreconf -fvi
export CFLAGS="%{optflags} -fPIE"
export LDFLAGS="-pie"
%configure \
        --with-systemd \
        --enable-nfsv4 \
        --enable-gss \
        --enable-svcgss \
        --enable-ipv6 \
        --enable-nfsdcltrack \
        --enable-mount \
        --enable-libmount-mount \
        --enable-mountconfig
make %{?_smp_mflags}
cd nfs
for i in *.html ; do
sed -i \
 -e "s@%{_prefix}/lib/latex2html/icons.png/next_motif.png@%{_datadir}/latex2html/icons/next.png@" \
 -e "s@%{_prefix}/lib/latex2html/icons.png/up_motif_gr.png@%{_datadir}/latex2html/icons/up.png@" \
 -e "s@%{_prefix}/lib/latex2html/icons.png/previous_motif_gr.png@%{_datadir}/latex2html/icons/prev.png@" \
 $i
done

%install
make %{?_smp_mflags} DESTDIR=%{buildroot} install
install -D -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/nfsserver.service
install -D -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/nfs.service
install -D -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/nfs-server.service.d/nfsserver.conf
install -D -m 644 %{SOURCE18} %{buildroot}%{_unitdir}/nfs-client.target.d/nfs.conf
install -D -m 644 %{SOURCE20} %{buildroot}%{_unitdir}/nfs-mountd.service.d/options.conf
install -D -m 644 %{SOURCE21} %{buildroot}%{_unitdir}/nfs-server.service.d/options.conf
install -D -m 644 %{SOURCE22} %{buildroot}%{_unitdir}/rpc-gssd.service.d/options.conf
install -D -m 644 %{SOURCE23} %{buildroot}%{_unitdir}/rpc-statd.service.d/options.conf
install -D -m 644 %{SOURCE24} %{buildroot}%{_unitdir}/rpc-statd-notify.service.d/options.conf
install -D -m 644 %{SOURCE25} %{buildroot}%{_unitdir}/rpc-svcgssd.service.d/options.conf
install -D -m 644 %{SOURCE26} %{buildroot}%{_sysconfdir}/nfs.conf
install -D -m 644 %{SOURCE27} %{buildroot}%{_prefix}/lib/tmpfiles.d/nfs-kernel-server.conf
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcnfsserver
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcnfs-server
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcnfs
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcnfs-client
# sysconfig-data
mkdir -p %{buildroot}%{_fillupdir}
install -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}
# idmapd setup
install -D -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/idmapd.conf
mkdir -p -m 755 %{buildroot}%{_localstatedir}/lib/nfs/rpc_pipefs
mkdir -p -m 755 %{buildroot}%{_localstatedir}/lib/nfs/v4recovery
# sm-notify state
mkdir -p -m 755 %{buildroot}%{_localstatedir}/lib/nfs/sm
mkdir -p -m 755 %{buildroot}%{_localstatedir}/lib/nfs/sm.bak
touch %{buildroot}%{_localstatedir}/lib/nfs/state
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
install -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/nfs-client
install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server
install -m 644 utils/mount/nfsmount.conf %{buildroot}%{_sysconfdir}/nfsmount.conf
#
# hack to avoid automatic python dependency
chmod 644 %{buildroot}%{_sbindir}/{mountstats,nfsiostat}

%pre -n nfs-client
/usr/bin/getent passwd statd >/dev/null || \
        /usr/sbin/useradd -r -c 'NFS statd daemon' \
        -s /sbin/nologin -d %{_localstatedir}/lib/nfs -g nogroup statd
%service_add_pre nfs.service auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service

%post -n nfs-client
chown root:root %{_localstatedir}/lib/nfs > /dev/null 2>&1 || :
for i in sm sm.bak; do
        chown -R statd:nogroup %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || :
done
### migrate from /var/lock/subsys
[ -d /run/nfs ] || mkdir /run/nfs
if [ -f %{_localstatedir}/lock/subsys/nfs-rpc.idmapd ]; then
        mv %{_localstatedir}/lock/subsys/nfs-rpc.idmapd /run/nfs
fi
if [ -f %{_localstatedir}/lock/subsys/nfsserver-rpc.idmapd ]; then
        mv %{_localstatedir}/lock/subsys/nfsserver-rpc.idmapd /run/nfs
fi
###
%{fillup_only -n nfs nfs}
#
%set_permissions /sbin/mount.nfs
%service_add_post nfs.service auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service

%preun -n nfs-client
%service_del_preun nfs.service auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service

%postun -n nfs-client
%service_del_postun nfs.service auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service

%verifyscript -n nfs-client
%verify_permissions -e /sbin/mount.nfs

%pre -n nfs-kernel-server
%service_add_pre nfsserver.service nfs-svcgssd.service nfs-mountd.service nfs-server.service

%preun -n nfs-kernel-server
%service_del_preun nfsserver.service nfs-svcgssd.service nfs-mountd.service nfs-server.service

%post -n nfs-kernel-server
### migrate from /var/lock/subsys
[ -d /run/nfs ] || mkdir /run/nfs
if [ -f %{_localstatedir}/lock/subsys/nfs-rpc.idmapd ]; then
        mv %{_localstatedir}/lock/subsys/nfs-rpc.idmapd /run/nfs
fi
if [ -f %{_localstatedir}/lock/subsys/nfsserver-rpc.idmapd ]; then
        mv %{_localstatedir}/lock/subsys/nfsserver-rpc.idmapd /run/nfs
fi
###
%service_add_post nfsserver.service nfs-mountd.service nfs-server.service
%tmpfiles_create nfs-kernel-server.conf
%set_permissions /var/lib/nfs/rmtab

%postun -n nfs-kernel-server
%service_del_postun nfsserver.service nfs-mountd.service nfs-server.service

%verifyscript -n nfs-kernel-server
%verify_permissions -e /var/lib/nfs/rmtab

%files -n nfs-client
%defattr(-,root,root)
%config %{_sysconfdir}/idmapd.conf
%config %{_sysconfdir}/nfsmount.conf
%config %{_sysconfdir}/nfs.conf
%verify(not mode) %attr(0755,root,root) /sbin/mount.nfs
/sbin/mount.nfs4
/sbin/umount.nfs
/sbin/umount.nfs4
/sbin/osd_login
%attr(0755,root,root) %{_sbindir}/mountstats
%attr(0755,root,root) %{_sbindir}/nfsiostat
%{_sbindir}/nfsidmap
%{_sbindir}/nfsstat
%{_sbindir}/rcnfs
%{_sbindir}/rcnfs-client
%{_sbindir}/rpc.gssd
%{_sbindir}/rpc.idmapd
%{_sbindir}/rpc.statd
%{_sbindir}/rpcdebug
%{_sbindir}/showmount
%{_sbindir}/sm-notify
%{_sbindir}/start-statd
%{_sbindir}/blkmapd
%{_sbindir}/rpc.svcgssd
%{_unitdir}/auth-rpcgss-module.service
%{_unitdir}/nfs-blkmap.service
%{_unitdir}/nfs-client.target
%{_unitdir}/nfs-idmapd.service
%{_unitdir}/nfs-utils.service
%{_unitdir}/rpc-gssd.service
%{_unitdir}/rpc-gssd.service.d
%{_unitdir}/rpc-gssd.service.d/options.conf
%{_unitdir}/rpc-statd-notify.service
%{_unitdir}/rpc-statd-notify.service.d
%{_unitdir}/rpc-statd-notify.service.d/options.conf
%{_unitdir}/rpc-statd.service
%{_unitdir}/rpc-statd.service.d
%{_unitdir}/rpc-statd.service.d/options.conf
%{_unitdir}/rpc-svcgssd.service
%{_unitdir}/rpc-svcgssd.service.d
%{_unitdir}/rpc-svcgssd.service.d/options.conf
%{_unitdir}/var-lib-nfs-rpc_pipefs.mount
%{_unitdir}/nfs.service
%dir %{_unitdir}/nfs-client.target.d
%{_unitdir}/nfs-client.target.d/nfs.conf
%dir /usr/lib/systemd/system-generators
/usr/lib/systemd/system-generators/nfs-server-generator
%{_mandir}/man5/nfsmount.conf.5%{ext_man}
%{_mandir}/man5/nfs.conf.5%{ext_man}
%{_mandir}/man5/nfs.5%{ext_man}
%{_mandir}/man7/nfs.systemd.7%{ext_man}
%{_mandir}/man8/mount.nfs.8%{ext_man}
%{_mandir}/man8/nfsidmap.8%{ext_man}
%{_mandir}/man8/nfsstat.8%{ext_man}
%{_mandir}/man8/rpc.sm-notify.8%{ext_man}
%{_mandir}/man8/showmount.8%{ext_man}
%{_mandir}/man8/sm-notify.8%{ext_man}
%{_mandir}/man8/umount.nfs.8%{ext_man}
%{_mandir}/man8/rpc.gssd.8%{ext_man}
%{_mandir}/man8/rpc.idmapd.8%{ext_man}
%{_mandir}/man8/gssd.8%{ext_man}
%{_mandir}/man8/idmapd.8%{ext_man}
%{_mandir}/man8/svcgssd.8%{ext_man}
%{_mandir}/man8/rpc.statd.8%{ext_man}
%{_mandir}/man8/rpcdebug.8%{ext_man}
%{_mandir}/man8/statd.8%{ext_man}
%{_mandir}/man8/mountstats.8%{ext_man}
%{_mandir}/man8/nfsiostat.8%{ext_man}
%{_mandir}/man8/blkmapd.8%{ext_man}
%{_mandir}/man8/rpc.svcgssd.8%{ext_man}
%{_fillupdir}/sysconfig.nfs
%dir %{_localstatedir}/lib/nfs
%dir %{_localstatedir}/lib/nfs/rpc_pipefs
%dir %{_localstatedir}/lib/nfs/v4recovery
%attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm
%attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm.bak
%ghost %{_localstatedir}/lib/nfs/state
%config %attr(0644,root,root) %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/nfs-client

%files -n nfs-kernel-server
%defattr(-,root,root)
%{_unitdir}/nfs-mountd.service
%{_unitdir}/nfs-mountd.service.d
%{_unitdir}/nfs-mountd.service.d/options.conf
%{_unitdir}/nfs-server.service
%{_unitdir}/nfs-server.service.d
%{_unitdir}/nfs-server.service.d/options.conf
%{_unitdir}/proc-fs-nfsd.mount
%{_unitdir}/nfsserver.service
%{_unitdir}/nfs-server.service.d/nfsserver.conf
%{_prefix}/lib/tmpfiles.d/nfs-kernel-server.conf
%{_sbindir}/exportfs
%{_sbindir}/rcnfsserver
%{_sbindir}/rcnfs-server
%{_sbindir}/rpc.mountd
%{_sbindir}/rpc.nfsd
/sbin/nfsdcltrack
%{_mandir}/man5/exports.5%{ext_man}
%{_mandir}/man7/nfsd.7%{ext_man}
%{_mandir}/man8/exportfs.8%{ext_man}
%{_mandir}/man8/mountd.8%{ext_man}
%{_mandir}/man8/nfsd.8%{ext_man}
%{_mandir}/man8/rpc.mountd.8%{ext_man}
%{_mandir}/man8/rpc.nfsd.8%{ext_man}
%{_mandir}/man8/nfsdcltrack.8%{ext_man}
%config(noreplace) %{_localstatedir}/lib/nfs/etab
%config(noreplace) %{_localstatedir}/lib/nfs/rmtab
%config %attr(0644,root,root) %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server

%files -n nfs-doc
%defattr(-,root,root)
%doc nfs/*.html nfs/*.ps README.NFSv4

%changelog
++++++ 0001-conffile-ignore-empty-environment-variables.patch ++++++
From 5ec9d9034650ae4372dc1bd44d33a1e8768e3409 Mon Sep 17 00:00:00 2001
From: NeilBrown <ne...@suse.com>
Date: Wed, 8 Feb 2017 08:18:34 +1100
Subject: [PATCH] conffile: ignore empty environment variables.

conf_set() already refuses to set an empty value, so if
  foo=
appears in the config file, it will be ignored.
This patch extends the policy to environment variables, so empty
environment variables are treated as though they didn't exist.

This means that a separate environment file (e.g. /etc/sysconfig/nfs)
will be treated the same way whether it is:
 - included in the [environment] section of /etc/nfs.conf
 - sourced by the shell before running code
 - sourced by the systemd EnvironmentFile directive.

Signed-off-by: NeilBrown <ne...@suse.com>
---
 support/nfs/conffile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/support/nfs/conffile.c b/support/nfs/conffile.c
index e717c1e39bab..203efd2aa602 100644
--- a/support/nfs/conffile.c
+++ b/support/nfs/conffile.c
@@ -533,7 +533,7 @@ retry:
                                 * or from environment
                                 */
                                char *env = getenv(cb->value+1);
-                               if (env)
+                               if (env && *env)
                                        return env;
                                section = "environment";
                                tag = cb->value + 1;
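
Review bot: the comment directly above the `getenv()` call still says only "or from environment" and does not record that an empty variable is now treated as unset; extend it so the `env && *env` test explains itself, for example by noting that this matches conf_set() refusing empty values. A value made up only of whitespace still passes `*env` and is returned as-is, which is worth a word in the same comment if that is intended.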
-- 
2.11.0

++++++ 0002-Let-systemd-know-when-rpc.statd-is-needed.patch ++++++
From b468dda439a02c4d1b7f85a0be6c0a227d16c2de Mon Sep 17 00:00:00 2001
From: NeilBrown <ne...@suse.com>
Date: Fri, 30 Nov 2018 16:38:45 +1100
Subject: [PATCH] Let systemd know when rpc.statd is needed.

A recent change to set IgnoreOnIsolate for rpc-statd
isn't quite sufficient (though it doesn't hurt).
While rpc-statd does remain when
  systemctl isolate multi-user
is run, its dependencies don't remain, so rpcbind might
get killed, which makes rpc.statd rather useless.

The reason this is all an issue is that systemd doesn't know that
rpc-statd is needed - mount.nfs explicitly starts it rather than
having a dependency start it.
This can be rectified by explicitly telling systemd about the
dependency using "systemctl add-wants".  This can be done in the
start-statd script, at the same time that rpc-statd is started.

A --runtime dependency is used so that it doesn't persist across
reboots.  A new dependency will be created on next boot if an NFSv3
filesystem is mounted.

With this in place, both rpc.statd and rpcbind remain.
Actually, rpcbind.service is stopped, but rpcbind.socket remains,
and when anything tries to contact rpcbind, rpcbind.service
is automatically started and it re-reads its saved state.

Signed-off-by: NeilBrown <ne...@suse.com>
---
 utils/statd/start-statd |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/utils/statd/start-statd
+++ b/utils/statd/start-statd
@@ -20,7 +20,12 @@ fi
 # First try systemd if it's installed.
 if [ -d /run/systemd/system ]; then
     # Quit only if the call worked.
-    systemctl start rpc-statd.service && exit
+    if systemctl start rpc-statd.service; then
+        # Ensure systemd knows not to stop rpc.statd or its dependencies
+        # on 'systemctl isolate ..'
+        systemctl add-wants --runtime remote-fs.target rpc-statd.service
+        exit 0
+    fi
 fi
 
 cd /
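
Review bot: in the new `if` branch the exit status of `systemctl add-wants --runtime remote-fs.target rpc-statd.service` is discarded and the script goes straight to `exit 0`, so a failure to register the dependency is silent and the 'systemctl isolate' problem described in the comment would go unnoticed. If ignoring the failure is deliberate because rpc-statd did start, make that explicit with `|| :` and a word in the comment; otherwise report the failure before exiting.
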
++++++ 0002-mount-call-setgroups-before-setuid.patch ++++++
From 5b7da9d70261583e67e114b36cb19973de15606d Mon Sep 17 00:00:00 2001
From: NeilBrown <ne...@suse.com>
Date: Wed, 8 Feb 2017 08:22:36 +1100
Subject: [PATCH] mount: call setgroups() before setuid()

It is generally wise to call setgroups() (and setgid()) before calling
setuid() to ensure no unexpected permission leaks happen.
SUSE's build system checks all binaries for conformance with this
and generates a warning for mountd.

As we are setting the uid to 0, there is no risk that the group list
will provide extra permissions, so there is no real risk here.
But it is nice to silence warnings, and including a setgroups()
call is probably a good practice to encourage.

Signed-off-by: NeilBrown <ne...@suse.com>
---
 utils/mount/network.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/utils/mount/network.c b/utils/mount/network.c
index d1c8fec75174..281e9354a7fa 100644
--- a/utils/mount/network.c
+++ b/utils/mount/network.c
@@ -33,6 +33,7 @@
 #include <errno.h>
 #include <netdb.h>
 #include <time.h>
+#include <grp.h>
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -804,6 +805,7 @@ int start_statd(void)
                        pid_t pid = fork();
                        switch (pid) {
                        case 0: /* child */
+                               setgroups(0, NULL);
                                setgid(0);
                                setuid(0);
                                execle(START_STATD, START_STATD, NULL, envp);
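
Review bot: in the child branch of start_statd() the return values of `setgroups(0, NULL)`, `setgid(0)` and `setuid(0)` are all ignored before `execle(START_STATD, ...)`, so if any of the three fails the helper is still executed with whatever credentials the child happened to have. Check each call and `_exit()` with a failure status rather than falling through to the exec; that also keeps the new `setgroups()` call from being a purely cosmetic fix for the build-system warning.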
-- 
2.11.0

++++++ 0003-nfs-server-generator-handle-noauto-mounts-correctly.patch ++++++
From 93b39628e0a2053d9b37cab7a60d78f782cb88ea Mon Sep 17 00:00:00 2001
From: NeilBrown <ne...@suse.com>
Date: Wed, 8 Feb 2017 12:56:38 +1100
Subject: [PATCH] nfs-server-generator: handle 'noauto' mounts correctly.

When this code was written the systemd documentation stated
that "RequiresMountsFor" ignored mountpoints marked as "noauto".
Unfortunately this is incorrect.  Consequently a filesystem marked
as noauto that is also NFS exported will currently be mounted when
the NFS server is started. This is not what people expect.

So add a check for the noauto flag.  If any ancestor of a given
export point has the noauto flag, no RequiresMountsFor will be
generated for that point.

Also skip RequiresMountsFor for exports marked 'mountpoint', as their
absence is, theoretically, already handled by mountd.

URL: https://github.com/systemd/systemd/issues/5249
Signed-off-by: NeilBrown <ne...@suse.com>
---
 systemd/nfs-server-generator.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/systemd/nfs-server-generator.c b/systemd/nfs-server-generator.c
index cc99969e9922..4aa65094ca07 100644
--- a/systemd/nfs-server-generator.c
+++ b/systemd/nfs-server-generator.c
@@ -84,6 +84,28 @@ static void systemd_escape(FILE *f, char *path)
        }
 }
 
+static int has_noauto_flag(char *path)
+{
+       FILE            *fstab;
+       struct mntent   *mnt;
+
+       fstab = setmntent("/etc/fstab", "r");
+       if (!fstab)
+               return 0;
+
+       while ((mnt = getmntent(fstab)) != NULL) {
+               int l = strlen(mnt->mnt_dir);
+               if (strncmp(mnt->mnt_dir, path, l) != 0)
+                       continue;
+               if (path[l] && path[l] != '/')
+                       continue;
+               if (hasmntopt(mnt, "noauto"))
+                       break;
+       }
+       fclose(fstab);
+       return mnt != NULL;
+}
+
 int main(int argc, char *argv[])
 {
        char            *path;
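
Review bot: has_noauto_flag() opens the table with `setmntent()` but closes it with `fclose(fstab)`; the mntent API pairs `setmntent()` with `endmntent()`, so use `endmntent(fstab)` here. Two smaller points in the same function: `path` is never modified and can be `const char *`, and the prefix test skips an fstab entry whose `mnt_dir` is "/" for every path except "/" itself (because `path[l]` is then the first character of the next component), which deserves a comment if a noauto root entry is meant to be ignored.
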
@@ -124,6 +146,10 @@ int main(int argc, char *argv[])
                for (exp = exportlist[i].p_head; exp; exp = exp->m_next) {
                        if (!is_unique(&list, exp->m_export.e_path))
                                continue;
+                       if (exp->m_export.e_mountpoint)
+                               continue;
+                       if (has_noauto_flag(exp->m_export.e_path))
+                               continue;
                        if (strchr(exp->m_export.e_path, ' '))
                                fprintf(f, "RequiresMountsFor=\"%s\"\n",
                                        exp->m_export.e_path);
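
Review bot: the two new `continue` tests in the export loop have no comment, and the reason for skipping `e_mountpoint` exports (mountd already handles a missing mount) is recorded only in the commit message; add a one-line comment above each test. In addition, `has_noauto_flag()` is called once per export and re-reads /etc/fstab every time; reading fstab once before the loop would avoid the repeated parsing when the export list is long.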
-- 
2.11.0

++++++ 0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch ++++++
From 415dea8db90785c3063bbd74fff34cb6a4830f06 Mon Sep 17 00:00:00 2001
From: NeilBrown <ne...@suse.com>
Date: Fri, 30 Nov 2018 16:44:29 +1100
Subject: [PATCH] systemd: run statd-notify even when nfs-client isn't enabled.

When NFS filesystems are mounted, nfs-client.target really should
be enabled.  However it is possible to mount NFS filesystems
without this (providing gss isn't used) and it mostly works.

One aspect that doesn't work is that sm-notify isn't run, so the server
isn't told to drop any locks from the previous client instance.
This can result in confusing failures: if a client crashes while
holding a lock, it won't be able to get the same lock after a reboot.

While this isn't a complete solution (nfs-client really should be
enabled), adding a dependency from rpc-statd to rpc-statd-notify is
easy, has no down sides, and could help avoid confusion.

Signed-off-by: NeilBrown <ne...@suse.com>
---
 systemd/rpc-statd.service |    1 +
 1 file changed, 1 insertion(+)

--- a/systemd/rpc-statd.service
+++ b/systemd/rpc-statd.service
@@ -3,6 +3,7 @@ Description=NFS status monitor for NFSv2
 DefaultDependencies=no
 Conflicts=umount.target
 Requires=nss-lookup.target rpcbind.socket
+Wants=rpc-statd-notify.service
 After=network.target nss-lookup.target rpcbind.socket
 
 PartOf=nfs-utils.service
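
Review bot: Wants=rpc-statd-notify.service is added without any ordering directive, and Wants= by itself only pulls the unit in; it does not order it relative to rpc-statd.service. If sm-notify has to run before or after statd, say so in the commit message or point to the After=/Before= line in rpc-statd-notify.service that provides it, since that file is not part of this change.
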
++++++ 0007-statd-user-from-sm ++++++
statd: take user-id from /var/lib/nfs/sm

Having /var/lib/nfs writeable by statd is not ideal
as there are files in there that statd doesn't need
to access.
After dropping privs, statd and sm-notify only need to
access files in the directories sm and sm.bak.
So take the uid for these daemons from 'sm'.

Signed-off-by: NeilBrown <ne...@suse.com>
---
 support/nsm/file.c |   16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

--- a/support/nsm/file.c
+++ b/support/nsm/file.c
@@ -426,23 +426,17 @@ nsm_drop_privileges(const int pidfd)
 
        (void)umask(S_IRWXO);
 
-       /*
-        * XXX: If we can't stat dirname, or if dirname is owned by
-        *      root, we should use "statduser" instead, which is set up
-        *      by configure.ac.  Nothing in nfs-utils seems to use
-        *      "statduser," though.
-        */
-       if (lstat(nsm_base_dirname, &st) == -1) {
-               xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname);
-               return false;
-       }
-
        if (chdir(nsm_base_dirname) == -1) {
                xlog(L_ERROR, "Failed to change working directory to %s: %m",
                                nsm_base_dirname);
                return false;
        }
 
+       if (lstat(NSM_MONITOR_DIR, &st) == -1) {
+               xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, 
NSM_MONITOR_DIR);
+               return false;
+       }
+
        if (!prune_bounding_set())
                return false;
 
++++++ 0008-gssd-replace-non-thread-safe-strtok-with-strsep.patch ++++++
>From 5ae8be8b6af1a0fdf2fa26051a05d4c04d028849 Mon Sep 17 00:00:00 2001
From: Frank Sorenson <soren...@redhat.com>
Date: Wed, 15 Feb 2017 10:36:47 -0500
Subject: [PATCH] gssd: replace non-thread-safe strtok with strsep

gssd uses the non-thread-safe strtok() function, which
can lead to incorrect program behavior.

Replace strtok() with the thread-safe strsep().

Signed-off-by: Frank Sorenson <soren...@redhat.com>
Signed-off-by: Steve Dickson <ste...@redhat.com>
---
 utils/gssd/gssd_proc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -729,10 +729,11 @@ handle_gssd_upcall(struct clnt_upcall_in
        char                    *target = NULL;
        char                    *service = NULL;
        char                    *enctypes = NULL;
+       char                    *pbuf = info->lbuf;
 
        printerr(2, "\n%s: '%s' (%s)\n", __func__, info->lbuf, clp->relpath);
 
-       for (p = strtok(info->lbuf, " "); p; p = strtok(NULL, " ")) {
+       while ((p = strsep(&pbuf, " "))) {
                if (!strncmp(p, "mech=", strlen("mech=")))
                        mech = p + strlen("mech=");
                else if (!strncmp(p, "uid=", strlen("uid=")))
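
Review bot: strsep() does not skip runs of delimiters the way strtok() did, so two consecutive spaces in info->lbuf now yield an empty-string token inside the while loop. The strncmp() branches visible here will not match an empty string, but confirm that the rest of the if/else chain treats an empty p as harmless, or add `if (!*p) continue;` at the top of the loop.
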
++++++ README.NFSv4 ++++++
NFSv4 README
Last updated: 17 May 2012

0. Contents:
-----------

1. Overview.
        \___ 1.1 Purpose of this document

2. Quick start

3. Idmapd Configuration on both NFS server and client

4. Setting up NFSv4 server and client
        \___ 4.1 Configuring Server
        |       \___ 4.1.1 /etc/exports
        |       \___ 4.1.2 Coexisting NFSv4 and NFSv3
        |       \___ 4.1.3 /etc/sysconfig/nfs
        \___ 4.2 Starting services on server and client
        \___ 4.3 Mounting the remote exported directories from client

5. Setting up kerberized NFSv4 server and client
        \___ 5.1 Prerequisites
        \___ 5.2 Configuring kerberized NFS server and client
        |       \___ 5.2.1 Configuring kerberos 
        |       \___ 5.2.2 Create machine credentials
        |       \___ 5.2.3 Configure /etc/gssapi_mech.conf      
        |       \___ 5.2.4 /etc/exports entries for kerberised server.
        \___ 5.3 Starting services on server and client
        \___ 5.4 Mounting the remote exported directories
        \___ 5.5 A known issue using NFSv4 with kerberos

6. Troubleshooting
        \___ 6.1 Checklist to ensure NFSv4 is up and running
        \___ 6.2 Checklist to ensure NFSv4 Kerberos is working properly



1. Overview:
------------

The Network File System Version 4 (NFSv4) is a distributed file system 
similar to previous versions of NFS in its straightforward design, and 
independence of transport protocols and operating systems for file access in a 
heterogeneous network. Unlike earlier versions of NFS, the new protocol 
integrates file locking, strong security, Compound RPCs (combining relevant 
operations), and delegation capabilities to enhance client performance for 
narrow data sharing applications on high-bandwidth networks. NFSv4 
implementations are backward compatible with NFSv2 and NFSv3.
Note: NFSv4 ACLs and krb5p (Kerberos Privacy) are currently not supported

1.1 The Purpose of this document
________________________________

This document is intended as a step-by-step guide to set up NFSv4 on
openSUSE 12.
It discusses NFSv4 server and client configuration.


2. Quickstart
-------------

For NFSv4 server:
 
1)  /etc/exports does not require any special entries to work with
    NFSv4.  Earlier SUSE releases required 'fsid=0' on precisely one
    entry, and 'bind=' annotations on others.  This is no longer required
    and should be removed.  It is still supported, so there is no need
    to change /etc/exports when upgrading to openSUSE 12.

2)  Edit /etc/idmapd.conf to modify the default "Domain" to contain your
    DNS domain name.

3)  Execute the following commands to start idmapd and nfsserver
    #/etc/init.d/idmapd start
    #/etc/init.d/nfsserver start
    
For NFSv4 client:

1)  Edit /etc/idmapd.conf to modify the default "Domain" to contain your
    DNS domain name.

2)  Execute the following command to start idmapd.
    #/etc/init.d/idmapd start
        
3)  Mount the exported file system using the following command:
    #mount -t nfs4 <servername>:/ <mntpath>
    Observe that only "/" is given instead of the actual exported path 
    name.



3. Idmapd Configuration on client and server
--------------------------------------------

idmapd.conf is the configuration file for idmapd (the ID mapping daemon), which
does NFSv4 <=> name mapping. The DNS domain name (Domain) has to be configured
on both client and server.

Sample Configuration file:

==========================================================================

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = mydomain.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

==========================================================================



4. Setting up NFSv4 server and client
-------------------------------------

4.1 Configuring Server
___________________________

There are three main configuration files you will need to edit to set up an 
NFSv4 server: 
/etc/sysconfig/nfs and /etc/idmapd.conf.
We will describe the first here, as idmapd.conf was covered in the previous
section.


4.1.1 /etc/sysconfig/nfs
=========================

/etc/sysconfig/nfs is another NFS server configuration file. Here the number
of kernel threads, NFSv4 support and GSS security (kerberos) for NFS can be 
configured (kerberos set up is explained in Section 5.)


4.2 Starting services on server and client
__________________________________________

We need to start idmapd and nfsserver on the NFSv4 server.

        #/etc/init.d/idmapd start
        #/etc/init.d/nfsserver start

and start idmapd alone on the client.

If the machines that are being used as client and server are just meant for 
that, the daemons can be enabled during bootup as shown below.

Use insserv to do this

        #insserv -d idmapd
        #insserv -d nfsserver

and idmapd alone on the client.


4.3 Mounting remote exported directories
________________________________________

One main difference between previous versions of NFS and NFSv4 is the way in
which mount is invoked. With regard to the pseudofilesystem concept 
sketched above, mount is done as follows:

        #mount -t nfs4 <servername>:/  <mntpath>

        Observe that only '/' is given after the servername.




5. Setting up kerberized NFSv4 server and client
------------------------------------------------

5.1 Prerequisites
_________________

o Key Distribution Center (KDC) must already be set up on the network.
o krb5-1.4.x must be installed on both NFS server and NFS client.
o krb5-client-1.4.x must be installed on both NFS server and NFS client.
o NFS server, client and the KDC server must have their time synchronized.
o NFS_SECURITY_GSS has to be set to "yes" in /etc/sysconfig/nfs in both
  server and client.

5.2 Configuring Kerberized NFSv4 server and client
__________________________________________________

All the following configuration steps except 5.2.4 are for both NFSv4 
client and server.


5.2.1 Configure kerberos 
========================

Edit krb5.conf.
 
Sample configuration

==========================================================================

[libdefaults]

default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
MYDOMAIN.COM = {
        kdc = kdcserver.mydomain.com
        admin_server = adminserver.mydomain.com
        default_domain = mydomain.com
      }

[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

==========================================================================

Replace MYDOMAIN.COM with your REALM, kdcserver.mydomain.com with your KDC 
server, adminserver.mydomain.com with your Admin server & mydomain.com with 
your DNS domain name.

5.2.2 Create machine credentials
================================

This means creating a Kerberos V5 principal/instance name of the form 
nfs/<hostname>@REALM, and either adding a key for this principal to 
an existing /etc/krb5.keytab or creating an /etc/krb5.keytab. 

Note: only the encryption type of des-cbc-crc is functional so far in the 
kernel, so add only this type of key. 

kadmin: addprinc -e des-cbc-crc:normal nfs/<hostname>@REALM
kadmin: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/<hostname>@REALM

5.2.3 Configure /etc/gssapi_mech.conf 
=====================================

This configuration file determines which GSS-API mechanisms the gssd code 
should use. There is usually no need to modify this file on 32-bit machines
because the libraries are installed in /usr/lib. 

Note:
On 64-bit machines the library path has to be changed to /usr/lib64. This is 
a workaround and will be fixed later.

Sample configuration

==========================================================================
# GSSAPI Mechanism Definitions
#
# This configuration file determines which GSS-API mechanisms
# the gssd code should use
#
# NOTE:
# The initialization function "mechglue_internal_krb5_init"
# is used for the MIT krb5 gssapi mechanism.  This special
# function name indicates that an internal function should
# be used to determine the entry points for the MIT gssapi
# mechanism functions.
#
# library                               initialization function
# ================================      ==========================
# The MIT K5 gssapi library, use special function for initialization.
/usr/lib/libgssapi_krb5.so     mechglue_internal_krb5_init
#
# The SPKM3 gssapi library function.  Use the function spkm3_gss_initialize.
# /usr/local/gss_mechs/spkm/spkm3/libgssapi_spkm3.so    spkm3_gss_initialize
==========================================================================

5.2.4 /etc/exports entries for a kerberized server
==================================================

Typical entries for Kerberos security mode look like these:

/export gss/krb5(rw,insecure,no_subtree_check,sync,no_root_squash)
/export gss/krb5i(rw,insecure,no_subtree_check,sync,no_root_squash)

Note: 

i)   option 'insecure' - The insecure option in this entry also allows clients 
     with NFS implementations that don't use a reserved port for NFS. So it is 
     advisable *NOT* to use this option unless you have a kerberised set up or 
     you know what you are doing.
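
An added example, not part of the README or of nfs-utils: a small auditor that parses exports entries like the ones above and reports 'insecure' where the export is not restricted to Kerberos, plus every use of 'no_root_squash' (flagging that option is this example's own choice). The sample file, the "<world>" label and the function names are constructed for illustration; all sec= flavors on one client spec are evaluated together, which is a simplification.

```python
import re

# Legacy client names that restrict an export to RPCSEC_GSS (Kerberos) callers.
GSS_CLIENTS = {"gss/krb5", "gss/krb5i", "gss/krb5p"}
# Either "client(opt,opt)" (the client part may be empty) or a bare client name.
SPEC_RE = re.compile(r"([^\s()]*)\(([^)]*)\)|([^\s()]+)")
WORLD = "<world>"  # label used in this example for a spec that names no client


def parse_exports(text):
    """Return a list of (path, client, [options]), one per client spec."""
    entries = []
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split(None, 1)
        path, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        specs = list(SPEC_RE.finditer(rest))
        if not specs:
            entries.append((path, WORLD, []))
        for m in specs:
            if m.group(3) is not None:  # bare client, default options
                entries.append((path, m.group(3), []))
            else:
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                entries.append((path, m.group(1) or WORLD, opts))
    return entries


def kerberos_only(client, opts):
    """True if the spec admits only krb5* security flavors."""
    if client in GSS_CLIENTS:
        return True
    flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")]
    return bool(flavors) and all(f.startswith("krb5") for f in flavors)


def audit(text):
    """Return (path, client, option, reason) tuples for options worth review."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "insecure" in opts and not kerberos_only(client, opts):
            findings.append((path, client, "insecure",
                             "non-reserved source ports accepted without Kerberos"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash",
                             "client root is not mapped to an unprivileged user"))
    return findings


# Constructed sample: the first two lines are the README's entries, the rest
# are made up to exercise the other cases.
SAMPLE = """\
/export        gss/krb5(rw,insecure,no_subtree_check,sync,no_root_squash)
/export        gss/krb5i(rw,insecure,no_subtree_check,sync,no_root_squash)
/srv/scratch   *(rw,insecure,sync)
/srv/home      192.0.2.0/24(rw,sync,sec=krb5:krb5i,insecure)
/srv/mixed     client.example.com (rw,sec=sys:krb5,insecure)
"""

if __name__ == "__main__":
    for path, client, option, reason in audit(SAMPLE):
        print(f"{path} [{client}] {option}: {reason}")
```

The last sample line shows why the parser keeps an empty client name: the space before the parenthesis turns the option list into a separate spec that applies to every host.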


5.3 Starting the services on server and client
______________________________________________

On NFSv4 server, svcgssd needs to be started too. So,

        #/etc/init.d/idmapd start
        #/etc/init.d/svcgssd start
        #/etc/init.d/nfsserver start

On NFSv4 client, gssd needs to be started too. So,

        #/etc/init.d/idmapd start
        #/etc/init.d/gssd start

Or, to avoid starting them manually, enable the services during bootup using
insserv as mentioned in 4.2.
 

5.4 Mounting exported directories with kerberos
_______________________________________________

To mount a filesystem using krb5, provide the "-osec=krb5" option to mount. 

        #mount -tnfs4 -osec=<secmode> nfsserver:/ /mntpoint

<secmode> can be krb5 (Authentication) or krb5i (Integrity).


5.5 A known issue using NFSv4 with kerberos
___________________________________________

Even if "no_root_squash" option is used, while exporting a filesystem at the 
server, root on the client gets a "Permission denied"  error when creating 
files on the mount point.

This is because there is no proper mapping between root and the GSSAuthName.

Note: Trying to set 777 permission is not correct as it is not secure. Also,
any file created on the mountpoint will have "nobody" as owner.

There is a work around for this if both NFS server and client use ldap_umich 
methods to authenticate. If the idmapd on both server and client is configured 
to use ldap_umich modules then having GSSAuthName (<nfs/hostname@realm>) 
parameter map to root user, on the ldap server will solve this problem.

A proper fix for this issue is being worked upon.



6. Troubleshooting
-------------------

6.1 Checklist to ensure NFSV4 is up and running 
_______________________________________________

1. ps -ef | grep nfsd
   ps -ef | grep idmapd
   ps -ef | grep svcgssd 
   to check that the server side daemons are up and running.

2. ps -ef | grep idmapd
   ps -ef | grep gssd 
   to check that the client side daemons are up and running.

3. rpcinfo -p 
   to check all registered RPC programs (nfs, portmapper, mountd) & versions

4. Check firewall is enabled on server/client from YAST.
   Yast -> Security and Users -> Firewall. 
   Make sure NFS service is enabled.

5. showmount -e <server name>
   to check mount information on NFS server

6. If users are not mapped properly check whether idmapd is running in both 
   server & client and dns domain name is properly configured.

7. If you are unable to mount, check the exports file entry for correctness.


6.2 Check list to ensure kerberos is working properly 
_____________________________________________________

There are many reasons this could be failing. 

1. Verify that rpc.gssd is running on the client and rpc.svcgssd is running 
   on the server.

2. Verify that your hostnames are correct. The hostname command should return 
   a fully-qualified hostname that has a correct DNS reverse-mapping (either 
   through DNS or the /etc/hosts file). 

3. Verify there is a keytab entry for nfs/<hostname>@REALM in your keytab file 
   (/etc/krb5.keytab). 

4. Verify your Kerberos configuration file has the proper mapping from the DNS 
   hostname to the correct realm. The [domain_realm] section of the 
   /etc/krb5.conf needs to have a mapping from the DNS domain to the correct 
   REALM. 
   For example, if your nfs server's hostname is 'foo.abc.org' and your
   Kerberos realm name is 'ALPHABET.ORG', then you need an entry like the
   following in /etc/krb5.conf on the nfs client machine: 
   
   [domain_realm]
   .abc.org = ALPHABET.ORG

5. Verify whether your ticket has expired on the client using klist. If it
   has expired, renew it using kinit. This must be checked when you find 
   "I/O Error" or "Permission denied" while doing file operations.
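
An added example, not part of the README: a checker for step 4 above that reads the [domain_realm] section of a krb5.conf and reports whether a server hostname maps to the realm of its nfs/<hostname>@REALM principal. The lookup order coded here (full hostname first, then each parent domain with and without its leading dot) is an assumption modelled on MIT krb5; the function names and the three configuration texts are constructed for illustration.

```python
def parse_domain_realm(conf_text):
    """Return the [domain_realm] section of a krb5.conf as {key: REALM}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, realm = line.split("=", 1)
            mapping[key.strip().lower()] = realm.strip()
    return mapping


def realm_for_host(host, mapping):
    """Return (realm, matching key), or (None, None) when nothing matches.

    Assumed order for foo.abc.org: foo.abc.org, .abc.org, abc.org, .org, org.
    """
    candidate = host.lower().rstrip(".")
    while candidate:
        if candidate in mapping:
            return mapping[candidate], candidate
        if candidate.startswith("."):
            candidate = candidate[1:]
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""
    return None, None


def diagnose(host, principal_realm, conf_text):
    """Return (status, detail); status is 'ok', 'mismatch' or 'unmapped'."""
    realm, key = realm_for_host(host, parse_domain_realm(conf_text))
    if realm is None:
        return "unmapped", f"no [domain_realm] entry covers {host}"
    if realm != principal_realm:
        return "mismatch", f"'{key}' maps {host} to {realm}, not {principal_realm}"
    return "ok", f"'{key}' maps {host} to {realm}"


# Constructed inputs. README_CONF repeats the README's sample mapping, which
# does not cover the abc.org host used in step 4.
README_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.COM

[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
"""

FIXED_CONF = README_CONF + ".abc.org = ALPHABET.ORG\n"

# A host-specific entry takes precedence over the domain entry.
OVERRIDE_CONF = FIXED_CONF + "foo.abc.org = OTHER.ORG\n"

if __name__ == "__main__":
    for name, conf in (("README sample", README_CONF),
                       ("with .abc.org entry", FIXED_CONF),
                       ("with host override", OVERRIDE_CONF)):
        status, detail = diagnose("foo.abc.org", "ALPHABET.ORG", conf)
        print(f"{name}: {status} ({detail})")
```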

++++++ fw-client ++++++
## Description: Firewall Configuration for NFS client.
#
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
#
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
#

## Name: NFS Client
## Description: Opens ports for NFS client to allow connection to an NFS server.

# space separated list of allowed TCP ports
TCP=""

# space separated list of allowed UDP ports
UDP=""

# space separated list of allowed RPC services
RPC="portmap status nlockmgr"

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST=""
++++++ fw-server ++++++
## Description: Firewall Configuration for NFS kernel server.
#
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
#
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
#

## Name: NFS Server Service
## Description: Opens ports for NFS to allow other hosts to connect.

# space separated list of allowed TCP ports
TCP=""

# space separated list of allowed UDP ports
UDP=""

# space separated list of allowed RPC services
RPC="portmap status nlockmgr mountd nfs nfs_acl"

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST=""
++++++ idmapd.conf ++++++
[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody
++++++ nfs-client.nfs.conf ++++++

# When nfs is stopped or restarted, nfs-client must too.
[Unit]
PartOf=nfs.service
++++++ nfs-kernel-server.tmpfiles.conf ++++++
# See tmpfiles.d(5) for details
#Type Path        Mode UID  GID  Age Argument
d /var/lib/nfs
f /var/lib/nfs/etab
f /var/lib/nfs/rmtab
++++++ nfs-mountd.options.conf ++++++
[Service]
EnvironmentFile=-/etc/sysconfig/nfs
ExecStart=
ExecStart=-/usr/sbin/rpc.mountd $MOUNTD_OPTIONS
++++++ nfs-server.nfsserver.conf ++++++

# When nfsserver is stopped or restarted, nfs-server must too.
[Unit]
PartOf=nfsserver.service
++++++ nfs-server.options.conf ++++++
[Service]
EnvironmentFile=-/etc/sysconfig/nfs
ExecStart=
ExecStart=-/usr/sbin/rpc.nfsd $NFSD_OPTIONS
++++++ nfs-utils-1.0.7-bind-syntax.patch ++++++
 support/export/export.c   |    2 
 support/include/misc.h    |    3 
 support/include/nfslib.h  |    1 
================================================================================
---
 support/nfs/exports.c |    2 ++
 1 file changed, 2 insertions(+)

--- nfs-utils-1.3.1.orig/support/nfs/exports.c
+++ nfs-utils-1.3.1/support/nfs/exports.c
@@ -649,6 +649,8 @@ bad_option:
                } else if (strncmp(opt, "replicas=", 9) == 0) {
                        ep->e_fslocmethod = FSLOC_REPLICA;
                        ep->e_fslocdata = strdup(opt+9);
+               } else if (strncmp(opt, "bind=/", 6) == 0) {
+                       /* ignore this for now */
                } else if (strncmp(opt, "sec=", 4) == 0) {
                        active = parse_flavors(opt+4, ep);
                        if (!active)
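
Review bot: the new `bind=/` branch has an empty body, so an export line that still carries a bind= option is accepted with no message at all. Log a warning there naming the ignored option, so administrators learn that the setting has no effect, and replace "ignore this for now" with a comment saying why it is ignored. The diffstat at the top of this patch file also lists support/export/export.c, support/include/misc.h and support/include/nfslib.h, none of which the patch touches; drop the stale header.
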
++++++ nfs-utils.rpmlintrc ++++++
# /var/lib/nfs/sm.bak is a valid directory needed by sm-notify
addFilter("suse-filelist-forbidden-backup-file.*sm.bak")
++++++ nfs.conf ++++++
#
# This is a general configuration for the
# NFS daemons and tools
# DO NOT MAKE CHANGES TO THIS FILE as they will
# be lost on the next software update.  Make changes
# to /etc/sysconfig/nfs or /etc/nfs.conf.local instead.
# /etc/nfs.conf.local can include multiple sections, just
# like this file.

[environment]
include = /etc/sysconfig/nfs
include = /etc/nfs.conf.local
[general]
 pipefs-directory=$RPC_PIPEFS_DIR
#
#[exportfs]
# debug=0
#
#[gssd]
# use-memcache=0
# use-machine-creds=1
 avoid-dns=$NFS_GSSD_AVOID_DNS
# limit-to-legacy-enctypes=0
# context-timeout=0
# rpc-timeout=5
# keytab-file=/etc/krb5.keytab
# cred-cache-directory=
# preferred-realm=
#
[lockd]
 port=$LOCKD_TCPPORT
 udp-port=$LOCKD_UDPPORT
#
[mountd]
# debug=0
# manage_gids=n
# descriptors=0
 port= $MOUNTD_PORT
# threads=1
# reverse-lookup=n
# state-directory-path=/var/lib/nfs
# ha-callout=
#
#[nfsdcltrack]
# debug=0
# storagedir=/var/lib/nfs/nfsdcltrack
#
[nfsd]
# debug=0
 threads= $USE_KERNEL_NFSD_NUMBER
# host=
# port=0
# grace-time=90
 lease-time=$NFSV4LEASETIME
# udp=y
# tcp=y
# vers2=n
 vers3=$NFS3_SERVER_SUPPORT
 vers4=$NFS4_SUPPORT
# vers4.0=y
# vers4.1=y
# vers4.2=y
# rdma=n
#
[statd]
# debug=0
 port=$STATD_PORT
# outgoing-port=0
 name=$STATD_HOSTNAME
# state-directory-path=/var/lib/nfs/statd
# ha-callout=
#
#[sm-notify]
# debug=0
# retry-time=900
# outgoing-port=
# outgoing-addr=
#
#[svcgssd]
# principal=
++++++ nfs.service ++++++
[Unit]
Description=Alias for NFS client
# The systemd alias mechanism (using symlinks) isn't rich enough.
# If you "systemctl enable" an alias, it doesn't enable the
# target.
# This service file creates a sufficiently rich alias for nfs-client
# (which is the canonical upstream name)
# "start", "stop", "restart", "reload" on this will do the same to nfs-client.
# "enable" on this will only enable this service, but when it starts, that
# starts nfs-client, so it is effectively enabled.
# nfs-server.d/nfsserver.conf is part of this service.

Requires= nfs-client.target
PropagatesReloadTo=nfs-client.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true

[Install]
WantedBy=multi-user.target

++++++ nfsserver.service ++++++
[Unit]
Description=Alias for NFS server
# The systemd alias mechanism (using symlinks) isn't rich enough.
# If you "systemctl enable" an alias, it doesn't enable the
# target.
# This service file creates a sufficiently rich alias for nfs-server
# (which is the canonical upstream name)
# "start", "stop", "restart", "reload" on this will do the same to nfs-server.
# "enable" on this will only enable this service, but when it starts, that
# starts nfs-server, so it is effectively enabled.
# nfs-server.d/nfsserver.conf is part of this service.

Requires= nfs-server.service

[Service]
Type=oneshot
ExecStart=/bin/true
RemainAfterExit=yes
# Can't just PropagatesReloadTo to nfs-server.service
# as reload fails if we don't have our own ExecReload
# So copy that from nfs-server.service
ExecReload=/usr/sbin/exportfs -r

[Install]
WantedBy=multi-user.target

++++++ nsm-headers.patch ++++++
Index: nfs-utils-2.1.1/support/nsm/rpc.c
===================================================================
--- nfs-utils-2.1.1.orig/support/nsm/rpc.c
+++ nfs-utils-2.1.1/support/nsm/rpc.c
@@ -41,6 +41,7 @@
 #include <time.h>
 #include <stdbool.h>
 #include <string.h>
+#include <stdint.h>
 #include <unistd.h>
 #include <fcntl.h>
 
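
Review bot: this patch adds #include <stdint.h> to support/nsm/rpc.c with no description at all. State in the patch header which type or macro in rpc.c needs the header and which build failed without it, so the patch can be dropped once upstream carries the include.
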
++++++ rpc-gssd.options.conf ++++++
[Service]
EnvironmentFile=-/etc/sysconfig/nfs
ExecStart=
ExecStart=-/usr/sbin/rpc.gssd $GSSD_OPTIONS
++++++ rpc-statd-notify.options.conf ++++++
[Service]
ExecStart=
EnvironmentFile=-/etc/sysconfig/nfs
ExecStart=-/usr/sbin/sm-notify $SM_NOTIFY_OPTIONS
++++++ rpc-statd.options.conf ++++++
[Service]
EnvironmentFile=-/etc/sysconfig/nfs
ExecStart=
ExecStart=-/usr/sbin/rpc.statd $STATD_OPTIONS
++++++ rpc-svcgssd.options.conf ++++++
[Service]
EnvironmentFile=-/etc/sysconfig/nfs
ExecStart=
ExecStart=-/usr/sbin/rpc.svcgssd $SVCGSSD_OPTIONS
++++++ sysconfig.nfs ++++++
## Path:                Network/File systems/NFS server
## Description:         number of threads for kernel nfs server
## Type:                integer
## Default:             4
## ServiceRestart:      nfs-server
#
# the kernel nfs-server supports multiple server threads
#
USE_KERNEL_NFSD_NUMBER="4"

## Path:                Network/File systems/NFS server
## Description:         use fixed port number for mountd
## Type:                integer
## Default:             ""
## ServiceRestart:      nfs-mountd
#
#  Only set this if you want to start mountd on a fixed
#  port instead of the port assigned by rpc. Only for use
#  to export nfs-filesystems through firewalls.
#
MOUNTD_PORT=""

## Path:                Network/File systems/NFS server
## Description:         NFSv3 server support
## Type:                yesno
## Default:             yes
## ServiceRestart:      nfs-server
#
# Enable NFSv3 server support (yes/no)
# This causes the NFS server to respond to
# NFSv2 and NFSv3 requests.  Only disable this
# if you want to ensure only NFSv4 is used.
#
NFS3_SERVER_SUPPORT="yes"

## Path:                Network/File systems/NFS server
## Description:         NFSv4 protocol support
## Type:                yesno
## Default:             yes
## ServiceRestart:      nfs-server
#
# Enable NFSv4 support (server and/or client) (yes/no)
#
NFS4_SUPPORT="yes"

## Path:                Network/File systems/NFS server
## Description:         Network Status Monitor options
## Type:                string
## Default:             ""
#
# If a fixed port should be used to send reboot notification
# messages to other systems, that port should be given
# here as "-p portnumber".
#
SM_NOTIFY_OPTIONS=""

## Path:                Network/File systems/NFS server
## Description:         Port rpc.statd should listen on
## Type:                integer
## Default:             ""
## ServiceRestart:      rpc-statd
#
# Statd will normally choose a random port to listen on and
# SuSE-Firewall is able to detect which port and allow for it.
# If you have another firewall, you may want to set a fixed
# port number which can then be opened in that firewall.
STATD_PORT=""

## Path:                Network/File systems/NFS server
## Description:         Hostname used by rpc.statd
## Type:                string
## Default:             ""
## ServiceRestart:      rpc-statd
#
# statd will normally use the system hostname in status
# monitoring conversations with other hosts.  If a different
# host name should be used, as can be useful with fail-over
# configurations, that name should be given here.
#
STATD_HOSTNAME=""

## Path:                Network/File systems/NFS server
## Description:         TCP Port that lockd should listen on
## Type:                integer
## Default:             ""
## ServiceRestart:      nfs-server
#
# Lockd will normally choose a random port to listen on and
# SuSE-Firewall is able to detect which port and allow for it.
# If you have another firewall, you may want to set a fixed
# port number which can then be opened in that firewall.
# lockd opens a UDP and a TCP port.  This setting only affects
# the TCP port.
LOCKD_TCPPORT=""

## Path:                Network/File systems/NFS server
## Description:         UDP Port that lockd should listen on
## Type:                integer
## Default:             ""
## ServiceRestart:      nfs-server
#
# Lockd will normally choose a random port to listen on and
# SuSE-Firewall is able to detect which port and allow for it.
# If you have another firewall, you may want to set a fixed
# port number which can then be opened in that firewall.
# lockd opens a UDP and a TCP port.  This setting only affects
# the UDP port.
LOCKD_UDPPORT=""

## Path:                Network/File systems/NFS server
## Description:         Command line parameters for rpc.statd
## Type:                string
## Default:             ""
## ServiceRestart:      rpc-statd
#
# Custom parameters for rpc.statd daemon.  Typically this will
#  be used to set the port number (-p).
#
STATD_OPTIONS=""

## Path:                Network/File systems/NFS server
## Description:         Lease time for NFSv4 leases
## Type:                integer
## Default:             ""
#
# Set the lease time for the NFSv4 server.  This allows new locks
# to be taken sooner after a server restart, so it is useful for
# servers which need to recover quickly after a failure, particularly
# in fail-over configurations.  Reducing the lease time can be a
# problem if some clients connect over high latency networks.
# The default is 90 seconds.  A number like 15 might be appropriate
# in a fail-over configuration with all clients on well connected
# low latency links.
NFSV4LEASETIME=""

## Path:                Network/File systems/NFS server
## Description:         Alternate mount point for rpc_pipefs filesystem
## Type:                string
## Default:             ""
## ServiceRestart:      nfs-utils
#
# In a high-availability configuration it is possible that /var/lib/nfs
# is redirected to some shared storage and so it is not convenient to
# mount the rpc_pipefs filesystem at /var/lib/nfs/rpc_pipefs.  In that
# case an alternate mount point can be given here.
RPC_PIPEFS_DIR=""

## Path:                Network/File systems/NFS server
## Description:         Options for svcgssd
## Type:                string
## Default:             ""
## ServiceRestart:      rpc-svcgssd
#
# Normally svcgssd does not require any option.  However in a
# high-availability configuration it can be useful to pass "-n"
# to guide the choice of default credential.  To allow for that
# case or any other requiring options to svcgssd, they can
# be specified here.
SVCGSSD_OPTIONS=""

## Path:                Network/File systems/NFS server
## Description:         Extra options for nfsd
## Type:                string
## Default:             ""
## ServiceRestart:      nfs-server
#
# This setting allows extra options to be specified for NFSD, such as
# -H <shared_hostname> in a high-availability configuration.
NFSD_OPTIONS=""

## Path:                Network/File systems/NFS server
## Description:         Extra options for gssd
## Type:                string
## Default:             ""
## ServiceRestart:      rpc-gssd
#
# Normally gssd does not require any options.  In some circumstances,
# -n, -l or other options might be useful. See "man 8 rpc.gssd" for
# details.  Those options can be set here.
GSSD_OPTIONS=""

## Path:                Network/File systems/NFS server
## Description:         Extra options for mountd
## Type:                string
## Default:             ""
## ServiceRestart:      nfs-mountd
#
# Normally mountd does not require any options.  In some circumstances,
# -n, -t, -g or other options might be useful. See "man 8 rpc.mountd" for
# details.  Those options can be set here.
# -p or -N should be set using MOUNTD_PORT or NFS4_SUPPORT rather than
# this option.
MOUNTD_OPTIONS=""

## Path:                Network/File systems/NFS server
## Description:         Avoid DNS lookups for kerberos principal
## Type:                yesno
## Default:             no
## ServiceRestart:      rpc-gssd
#
# Avoid DNS lookups when determining kerberos identity
# of NFS server (yes/no)
# "yes" is safest, but "no" might be needed to preserve
# correct behaviour at sites that don't use
# Fully Qualified Domain Names when mounting NFS Shares.
#
NFS_GSSD_AVOID_DNS="no"
