Steve Dickson [Sun, 2 Jul 2006 23:52:00 +0000 (09:52 +1000)]
Allow rpc.nfsd to suppress tcp or udp, and listen on a specific address.
-T - will suppressing listening for TCP connection.
-U - will suppress UDP
-H host - will only listen on that local address
-p port - will listen on that port.
This requires kernel patches which will hopefully be in 2.6.19 and possibly some
earlier test and vendor kernels.
Greg Banks [Tue, 27 Jun 2006 11:22:59 +0000 (21:22 +1000)]
Comment out the decades-old SCCS id strings from the original Sun
distribution. They cause compile warnings, there is no longer any
reason to try to build them into the binaries, and gcc seems to be
eliding some of them anyway.
Neil Brown [Fri, 23 Jun 2006 03:37:08 +0000 (13:37 +1000)]
Try to make sure that clientid used for NFSv4 is reliable.
We need to give an IP address to identify this client to the
server.
The current code does a gethostbyname of the hostname. One
some systems this returns 127.0.0.1 or similar, which is not useful.
Instead, use getsockname of the sock used to connect to the server
to confirm that the server is working. This gives the address on the
interface that was chosen to talk to that server, which is the
best address we can find (if there is a NAT in the way, it might
still not work, but in that case there is nothing we can do).
Greg Banks [Wed, 14 Jun 2006 12:48:10 +0000 (22:48 +1000)]
multiple threads for mountd
How about the attached patch against nfs-utils tot? It
adds a -t option to set the number of forked workers.
Default is 1 thread, i.e. the old behaviour.
I've verified that showmount -e, the Ogata mount client,
and a real mount from Linux and IRIX boxes work with and
without the new option.
I've verified that you can manually kill any of the workers
without the portmap registration going away, that killing
all the workers causes the manager process to wake up and
unregister, and killing the manager process causes the
workers to be killed and portmap unregistered.
I've verified that all the workers have file descriptors
for the udp socket and the tcp rendezvous socket, that
connections are balanced across all the workers if service
times are sufficiently long, and that performance is
improved by that parallelism, at least for small numbers
of threads. For example, with 60 parallel MOUNT calls
and a testing patch to make DNS lookups take 100 milliseconds
time to perform all mounts (averaged over 5 runs) is:
Neil Brown [Mon, 5 Jun 2006 02:47:00 +0000 (12:47 +1000)]
fix nhfsrun signal
nhfsrun is supposed to be able to be signalled with SIGUSR1, but
the signal trapped is number 30, which is something else
entirely (SIGPWR). This patch simply changes it to say "USR1",
which gets it right no matter what the value is.
"Steinar H. Gunderson" <sesse@debian.org>
Neil Brown [Mon, 5 Jun 2006 02:45:01 +0000 (12:45 +1000)]
mountd state directory
Let the user select (via a new parameter) the path to the NFS
state directory for mountd, to match the statd functionality.
"Steinar H. Gunderson" <sesse@debian.org>
Neil Brown [Mon, 5 Jun 2006 02:39:07 +0000 (12:39 +1000)]
document sync option:
Document the 'sync' option in the exports(5) man page -- ATM
only the 'async' option is documented, which is not very
symmetric. :-) "Steinar H. Gunderson" <sesse@debian.org>
Neil Brown [Mon, 5 Jun 2006 02:27:35 +0000 (12:27 +1000)]
escape hashes in exports
Makes sure any # signs in the printed-out exports file are
escaped (as with quotes, spaces, etc.), so they won't be treated
as a comment when they're read back in again.
"Steinar H. Gunderson" <sesse@debian.org>
Neil Brown [Mon, 5 Jun 2006 02:16:20 +0000 (12:16 +1000)]
fix exportfs with multiple matches
Fixes a problem with exportfs -o
and multiple entries of the same type for the same patch that matches
a given client. The entire rationale and problem description can be found
at http://bugs.debian.org/245449 (fumihiko kakuma <kakmy@mvh.biglobe.ne.jp>)
Neil Brown [Mon, 17 Apr 2006 07:07:39 +0000 (17:07 +1000)]
Remove **/Makefile.in, aclocal.m4, configure, and
support/include/config.h.in from source control
These are auto autogenerated by
aclocal -I aclocal ; autoheader ; automake ; autoconf
2006-04-10 NeilBrown <neilb@suse.de>
Various paranoia checks:
gssd_proc.c: pass max_field sizes to sscanf to avoid buffer
overflow
svcgssd_proc.c: range_check name.length, to ensure name.length+1
doesn't wrap
idmapd.c(nfsdcb): make sure at least one byte is read before
zeroing the last byte that was read, otherwise memory corruption
is possible.
neilbrown [Tue, 28 Mar 2006 00:53:30 +0000 (00:53 +0000)]
Use PKGCONFIG to locate gssapi and rpcsecgss header files
Instead of having separate copies of the gssapi and rpcsecgss
header files, or depending on the Kerberos gssapi header,
locate the headers now installed with the libgssapi and librpcsecgss
libraries.
Remove local copies of the gssapi and rpcsecgss header files.
This depends on the configure_use_autotools patch.
neilbrown [Tue, 28 Mar 2006 00:51:14 +0000 (00:51 +0000)]
Add debugging to better detect negotiation of enctype not supported by kernel
Print debugging message indicating the type of encryption keys being sent
down to the kernel. This should make it easier to detect cases where
unsupported encryption types are being negotiated.
(really this time)
neilbrown [Tue, 28 Mar 2006 00:50:44 +0000 (00:50 +0000)]
Don't close and reopen all pipes on every DNOTIFY signal.
From: Vince Busam <vbusam@google.com> Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Don't unnecessarily close and re-open all pipes after every DNOTIFY
signal. These unnecessary closes were triggering a kernel Oops.
Original patch modified to correct segfault when unmounting last
NFSv4 mount.
neilbrown [Tue, 28 Mar 2006 00:50:03 +0000 (00:50 +0000)]
Add option to specify directory to search for credentials cache files
From: Vince Busam <vbusam@google.com> Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Add command line option to specify which directory should be searched
to find credentials caches.
(really this time)
neilbrown [Tue, 28 Mar 2006 00:49:29 +0000 (00:49 +0000)]
Must still use knowledge of the glue context for pre-1.4 versions of MIT krb5
We need to get access to the internal krb5 context pointer for
older (pre-1.4) versions of MIT Kerberos. We get a pointer to
the gss glue's context. Get the right pointer before accessing
the context information.
(really this time)
neilbrown [Tue, 28 Mar 2006 00:48:27 +0000 (00:48 +0000)]
Update krb5 code to use glue routine lucid context functions
The gssd code should not know about the glue layer's context structure.
A previous patch added gss_export_lucid_sec_context() and
gss_free_lucid_sec_context() functions to the gssapi glue layer.
Use these functions rather than calling directly to the Kerberos
gssapi code (which requires the Kerberos context handle rather
than the glue's context handle).
neilbrown [Sun, 26 Mar 2006 23:58:51 +0000 (23:58 +0000)]
Add debugging to better detect negotiation of enctype not supported by kernel
Print debugging message indicating the type of encryption keys being sent
down to the kernel. This should make it easier to detect cases where
unsupported encryption types are being negotiated.
neilbrown [Sun, 26 Mar 2006 23:58:31 +0000 (23:58 +0000)]
Don't close and reopen all pipes on every DNOTIFY signal.
Don't unnecessarily close and re-open all pipes after every DNOTIFY
signal. These unnecessary closes were triggering a kernel Oops.
Original patch modified to correct segfault when unmounting last
NFSv4 mount.
neilbrown [Sun, 26 Mar 2006 23:57:47 +0000 (23:57 +0000)]
Must still use knowledge of the glue context for pre-1.4 versions of MIT krb5
We need to get access to the internal krb5 context pointer for
older (pre-1.4) versions of MIT Kerberos. We get a pointer to
the gss glue's context. Get the right pointer before accessing
the context information.
neilbrown [Sun, 26 Mar 2006 23:57:00 +0000 (23:57 +0000)]
Update krb5 code to use glue routine lucid context functions
The gssd code should not know about the glue layer's context structure.
A previous patch added gss_export_lucid_sec_context() and
gss_free_lucid_sec_context() functions to the gssapi glue layer.
Use these functions rather than calling directly to the Kerberos
gssapi code (which requires the Kerberos context handle rather
than the glue's context handle).
neilbrown [Sun, 26 Mar 2006 23:56:03 +0000 (23:56 +0000)]
Consolidate gssd and svcgssd since they share much code
Remove directory svcgssd which was only created because the old
build system could not handle building two daemons in the same
directory. This eliminates build complications since gssd and
svcgssd also share many source files.
This patch effectively removes the utils/svcgssd directory, moving
all its files to the utils/gssd directory. File utils/gssd/Makefile.am
is modified with directions to build both gssd and svcgssd.
neilbrown [Sun, 26 Mar 2006 23:55:32 +0000 (23:55 +0000)]
Use PKGCONFIG to locate gssapi and rpcsecgss header files
Instead of having separate copies of the gssapi and rpcsecgss
header files, or depending on the Kerberos gssapi header,
locate the headers now installed with the libgssapi and librpcsecgss
libraries.
Remove local copies of the gssapi and rpcsecgss header files.
This depends on the configure_use_autotools patch.
neilbrown [Sun, 26 Mar 2006 23:54:16 +0000 (23:54 +0000)]
Set libnfsidmap library debugging level and logging function.
This patch adds a call to the new libnfsidmap library function
nfs4_set_debug(), which defines the verbosity level libnfsidmap
should use as well as the logging function.
neilbrown [Fri, 26 Aug 2005 02:04:40 +0000 (02:04 +0000)]
Add option to set rpcsec_gss debugging level (if available)
Changes to allow gssd/svcgssd to build when using Hiemdal Kerberos
libraries. Note that there are still run-time issues preventing
this from working when shared libraries for libgssapi and librpcsecgss
are used.
neilbrown [Fri, 26 Aug 2005 01:36:14 +0000 (01:36 +0000)]
2005-08-26 Kevin Coffman <kwc@citi.umich.edu>
*utils/mountd/mountd.c:
mountd currently always returns AUTH_NULL and AUTH_SYS as the
allowable flavors in mount replies. We want it to also return gss
flavors when appropriate. For now as a hack we just have it always
return the KRB5 flavors as well.
*utils/mountd/cache.c:
When attempting to mount an NFSv4 pseudofilesystem (fsid=0) and the
actual exported directory does not exist on the server, rpc.mountd
doesn't check the directory exists (when fsidtype=1, i.e. using fsid,
but does check for fsidtype=0, i.e. using dev/ino). The non-existent
exported directory path with fsid=0 is written to the kernel via
/proc/net/rpc/nfsd.export/channel, which leads to path_lookup() to
return ENOENT (seems appropriate). Unfortunately, the new_cache
approach ignores errors returned when writing via the channel file so
that particular error is lost and the mount request is silently ignored.
Assuming it doesn't make sense to revamp the new_cache/up-call method to
not ignore returned errors, it seems appropriate to fix the case where
rpc.mountd doesn't check for the existence of an exported directory with
fsid= semantics. The following patch does this by moving the stat() up
so it is done for both fsidtype's. I'm not certain whether the other
tests need to be executed for fsidtype=1, but it doesn't appear to hurt
[Not exactly true: the comparison of inode numbers caused problems so
now it's kept for fsidtype=0 only].
Would it be also desirable to log a warning for every error, if any,
returned by a write to any of the /proc/net/rpc/*/channel files which
would otherwise be ignored (maybe under a debug flag)?
* gssd/mountd/svcgssd: Changes gssd, svcgssd, and mountd to ignore a
SIGHUP rather than dying.
* many: Remove the gssapi code and rely on an external library instead.