Jeff Layton [Wed, 22 Jun 2011 18:51:38 +0000 (14:51 -0400)]
nfs: fix host_reliable_addrinfo
According to Neil Brown:
The point of the word 'reliable' is to check that the name we get
really does belong to the host in question - ie that both the
forward and reverse maps agree.
But the new code doesn't do that check at all. Rather it simply
maps the address to a name, then discards the address and maps the
name back to a list of addresses and uses that list of addresses as
"where the request came from" for permission checking.
This bug is exploitable via the following scenario and could allow an
attacker access to data that they shouldn't be able to access.
Suppose you export a filesystem to some subnet or FQDN and also to a
wildcard or netgroup, and I know the details of this (maybe
showmount -e tells me) Suppose further that I can get IP packets to
your server..
Then I create a reverse mapping for my ipaddress to a domain that I
own, say "black.hat.org", and a forward mapping from that domain to
my IP address, and one of your IP addresses.
Then I try to mount your filesystem. The IP address gets correctly
mapped to "black.hat.org" and then mapped to both my IP address and
your IP address.
Then you search through all of your exports and find that one of the
addresses: yours - is allowed to access the filesystem.
So you create an export based on the addrinfo you have which allows
my IP address the same access as your IP address.
Fix this by instead using the forward lookup of the hostname just to
verify that the original address is in the list. Then do a numeric
lookup using the address and stick the hostname in the ai_canonname.
Reviewed-by: NeilBrown <neilb@suse.de> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Pavel Shilovsky [Tue, 7 Jun 2011 17:18:13 +0000 (13:18 -0400)]
mountd: Fix missing varialble assignment in auth_unix_gid
When we get into auth_unix_gid at the second time, groups_len
is not 0 and ngroups variable leave as 0. Then we use ngroups
in getgrouplist that fails in this case. This patch fixes it.
Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Mon, 23 May 2011 12:23:51 +0000 (08:23 -0400)]
supress socket error when address family is not supported
From: Suresh Jayaraman <sjayaraman@suse.de>
It was observed that when ipv6 module was not loaded and cannot be auto-loaded,
when starting NFS server, the following error occurs:
"rpc.nfsd: unable to create inet6 TCP socket: errno 97 (Address
family not supported by protocol)"
This is obviously a true message, but does not represent an "error" when ipv6
is not enabled. Rather, it is an expected condition. As such, it can be
confusing / misleading / distracting to display it in this scenario.
This patch instead of throwing error when a socket call fails with
EAFNOSUPPORT, makes it as a NOTICE.
Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Mon, 23 May 2011 12:19:57 +0000 (08:19 -0400)]
Remove risk of nfs_addmntent corrupting mtab
nfs_addmntent is used to append directly to /etc/mtab.
If the write partially fail, e.g. due to RLIMIT_FSIZE,
truncate back to original size and return an error.
See also https://bugzilla.redhat.com/show_bug.cgi?id=697975
(CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Ben Myers [Mon, 23 May 2011 12:07:00 +0000 (08:07 -0400)]
exportfs: getexportent interprets -test-client- as default options
With commit 1374c3861abdc66f3a1410e26cc85f86760b51dd Neil added a
-test-client- export to test the exportability of filesystems when exportfs
is run. When using the old cache controls (i.e. /proc/fs/nfsd is not
mounted) exportfs will read /proc/fs/nfs/exports to process existing
exports and find these test client entries. The dash at the beginning of
-test-client- will be cause getexportent to look for default options in the
rest of the string, which test-client- will not match:
This patch resolves that problem (as Steve suggested) by not processing any
default options if we are reading the list of existing exports from the
kernel. Default options are converted to individual exports by exportfs so
the kernel won't have any regardless.
Signed-off-by: Ben Myers <bpm@sgi.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Sean Finney [Tue, 19 Apr 2011 15:04:35 +0000 (11:04 -0400)]
nfs-utils: Increase the stdio file buffer size for procfs files
Previously, when writing to /proc/net/rpc/*/channel, if a cache line
were larger than the default buffer size (likely 1024 bytes), mountd
and svcgssd would split writes into a number of buffer-sized writes.
Each of these writes would get an EINVAL error back from the kernel
procfs handle (it expects line-oriented input and does not account for
multiple/split writes), and no cache update would occur.
When such behavior occurs, NFS clients depending on mountd to finish
the cache operation would block/hang, or receive EPERM, depending on
the context of the operation. This is likely to happen if a user is a
member of a large (~100-200) number of groups.
Instead, every fopen() on the procfs files in question is followed by
a call to setvbuf(), using a per-file dedicated buffer of
RPC_CHAN_BUF_SIZE length.
Really, mountd should not be using stdio-style buffered file operations
on files in /proc to begin with. A better solution would be to use
internally managed buffers and calls to write() instead of these stdio
calls, but that would be a more extensive change; so this is proposed
as a quick and not-so-dirty fix in the meantime.
Signed-off-by: Sean Finney <sean.finney@sonyericsson.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Sean Finney [Tue, 19 Apr 2011 15:05:47 +0000 (11:05 -0400)]
mountd: Use a dynamic buffer for storing lists of gid's
Previously, in auth_unix_gid, group lists were stored in an array of
hard-coded length 100, and in the situation that the group lists for a
particular call were too large, the array was swapped with a dynamically
allocated/freed buffer. For environments where users are commonly in
a large number of groups, this isn't an ideal approach.
Instead, use malloc/realloc to grow the list on an as-needed basis.
Signed-off-by: Sean Finney <sean.finney@sonyericsson.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Karel Zak [Wed, 6 Apr 2011 16:39:21 +0000 (12:39 -0400)]
mount: add --enable-libmount-mount
This patch allows to link mount.nfs with libmount from util-linux >=
v2.19. The new libmount based code is enabled by CONFIG_LIBMOUNT and
is stored in mount_libmount.c. The old code is not affected by this
change.
The libmount does not have officially stable API yet, so the
--enable-libmount-mount is marked as experimental in the configure
help output.
The ./configure option is the same as we use in util-linux to enable
support for libmount in mount(8).
The addr= (and some other options necessary for remount/umount) are
stored to /etc/mtab or to /dev/.mount/utab. The utab file is *private*
libmount file. It's possible that some mount options (for example
user=) will be moved to kernel, so the utab will not be necessary.
About libmount:
* supports systems without and with regular /etc/mtab
* does not store VFS and FS mount options in userspace
* manages user= option and evaluate permissions
* parses VFS mount options and generate MS_* flags
* parses /etc/{fstab,mtab}, /proc/mounts or /proc/self/mountinfo
* long-term goal is to use the same code in all mount.<type> helpers
Note, use
LIBMOUNT_DEBUG=0xffff mount.nfs foo:/path /path
to debug the library.
On systems with util-linux v2.19 the findmnt(8) command uses libmount
to list all/selected mount points:
$ findmnt /path
$ findmnt --mtab /path
the --mtab appends userspace mount options (e.g. user=) to the output.
CC: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Karel Zak <kzak@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Kevin Coffman [Wed, 6 Apr 2011 15:25:03 +0000 (11:25 -0400)]
nfs-utils: Add support to svcgssd to limit the negotiated enctypes
Recent versions of Kerberos libraries negotiate and use
an "acceptor subkey". This negotiation does not consider
that a service may have limited the encryption keys in its
keytab. A patch (http://src.mit.edu/fisheye/changelog/krb5/?cs=24603)
has been added to the MIT Kerberos code to allow an application
to indicate that it wants to limit the encryption types negotiated.
(This functionality has been available on the client/initiator
side for a while. The new patch adds this support to the
server/acceptor side.)
This patch adds support to read a recently added nfsd
proc file to determine the encryption types supported by
the kernel and calls the function to limit encryption
types negotiated for the acceptor subkey.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
Masatake YAMATO [Mon, 7 Mar 2011 13:18:51 +0000 (08:18 -0500)]
Read /etc/exports.d/*.export as extra export files
This patch adding a capability to read /etc/exports.d/*.exports as
extra export files to exportfs.
If one wants to add or remove an export entry in a script, currently
one may have to use sed or something tool for adding or removing the
line for the entry in /etc/exports file.
With the patch, adding and removing an entry from a script is much
easier.
cat<<EOF... or mv can be used for adding. rm can be used for removing.
Signed-off-by: Masatake YAMATO <yamato@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 3 Mar 2011 22:26:33 +0000 (17:26 -0500)]
mount: Recognize zero as a valid value for the port= option
While zero is not a valid IP port number, zero does represent a valid
value for "port=". It means "query rpcbind to discover the actual
non-zero port number to use". So the parsing functions that handle
"port=" should not flag zero as an invalid value.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Jason Gunthorpe [Wed, 9 Feb 2011 16:27:19 +0000 (11:27 -0500)]
Support AD style kerberos automatically in rpc.gss
An Active Directory KDC will only grant a TGT for UPNs, getting
a TGT for SPNs is not possible:
$ kinit -k host/ib5@ADS.ORCORP.CA
kinit: Client not found in Kerberos database while getting initial
credentials
The correct thing to do for machine credentials is to get a TGT
for the computer UPN <HOSTNAME>$@REALM:
$ kinit -k IB5\$
$ klist
12/22/10 11:43:47 12/22/10 21:43:47 krbtgt/ADS.ORCORP.CA@ADS.ORCORP.CA
Samba automatically creates /etc/krb5.keytab entry for the computer UPN,
this patch makes gssd_refresh_krb5_machine_credential prefer it above
the SPNs if it is present.
The net result is that nfs client works automatically out of the box
if samba has been used to setup kerberos via 'net ads join' 'net ads
keytab create'
Tested using Windows Server 2003 R2 as the AD server.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Steve Dickson [Wed, 26 Jan 2011 12:49:19 +0000 (07:49 -0500)]
Fixed segfault in rpc.mountd
A unallocated piece of memory, instead of a NULL point, was being
used to initialize a ->next point in the mount link list which
caused a segfault after a few remote accesses via the showmount
command.
Steve Dickson [Fri, 14 Jan 2011 15:12:28 +0000 (10:12 -0500)]
Improve debugging in svcgssd
Added in gss_display_error() which translates the GSS error into the
actual GSS macro name. Currently only the translation of these errors
are logged. Since those translations are buried deep in the kerberos
library code, having the actual GSS macro name makes it easier to
follow the code.
Moved the nfs4_init_name_mapping() call into main() so if debug is
enabled the DNS name and realms will be logged during start up.
Chuck Lever [Mon, 13 Dec 2010 19:50:45 +0000 (14:50 -0500)]
libnsm.a: sm-notify sometimes ignores monitored hosts
Monitored host information is stored in files under /var/lib/nfs.
When visiting entries in the monitored hosts directory, libnsm.a
examines the value of dirent.d_type to determine if an entry is a
regular file.
According to readdir(3), the d_type field is not supported by all
file system types. My root file system happens to be one where d_type
isn't supported. Typical installations that use an ext-derived root
file system are not exposed to this issue, but those who use xfs, for
instance, are.
On such file systems, not only are remote peers not notified of
reboots, but the NSM state number is never incremented. A statd warm
restart would not re-monitor any hosts that were monitored before
the restart.
When writing support/nsm/file.c, I copied the use of d_type from the
original statd code, so this has likely been an issue for some time.
Replace the use of d_type in support/nsm/file.c with a call to
lstat(2). It's extra code, but is guaranteed to work on all file
system types.
Note there is a usage of d_type in gssd. I'll let gssd and rpcpipefs
experts decide whether that's worth changing.
Chuck Lever [Mon, 13 Dec 2010 19:47:42 +0000 (14:47 -0500)]
libnsm.a: Replace __attribute_noinline__
Replace the __attribute_noinline__ form with
__attribute__((__noinline__)).
Even though the compiler didn't complain about __attribute_malloc__,
also replace those in order to maintain consistent style throughout the
source file.
Chuck Lever [Mon, 13 Dec 2010 19:36:15 +0000 (14:36 -0500)]
sm-notify: Make use of AI_NUMERICSERV conditional
Gabor Papp reports nfs-utils-1.2.3 doesn't build on his system that
uses glibc-2.2.5:
make[3]: Entering directory
`/home/gzp/src/nfs-utils-1.2.3/utils/statd'
gcc -DHAVE_CONFIG_H -I. -I../../support/include -D_GNU_SOURCE -Wall
-Wextra -Wstrict-prototypes -pipe -g -O2 -MT sm-notify.o -MD
-MP -MF .deps/sm-notify.Tpo -c -o sm-notify.o sm-notify.c
sm-notify.c: In function 'smn_bind_address':
sm-notify.c:247: error: 'AI_NUMERICSERV' undeclared (first use in this
function)
sm-notify.c:247: error: (Each undeclared identifier is reported only
once
sm-notify.c:247: error: for each function it appears in.)
make[3]: *** [sm-notify.o] Error 1
According to the getaddrinfo(3) man page, AI_NUMERICSERV is available
only since glibc 2.3.4. getaddrinfo(3) seems to convert strings
containing a number to the right port value without the use of
AI_NUMERICSERV, so I think we can survive on older glibc's without it.
It will allow admins to specify service names as well as port numbers
on those versions.
There are uses of AI_NUMERICSERV in gssd and in nfs_svc_create(). The
one in nfs_svc_create() is behind HAVE_LIBTIRPC, and the other is a
issue only for those who want to deploy Kerberos -- likely in both
cases, a more modern glibc will be present. I'm going to leave those
two.
nfs-utils: nfsstat: has_stats() does not function correctly for NFSv4 client stats
The NFSv4 client procs/ops in "struct rpc_procinfo nfs4_procedures" is
used to generate the NFS client stats interface:
------------------------------------------------------------
net 0 0 0 0
rpc 15 0 0
proc2 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
proc3 22 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 1 0
proc4 42 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0
0 0 0
0 0 0 0 0 0 0
------------------------------------------------------------
Note, for proc4, the number 42. That is the number of stats that follow
on the same line. Currently nfsstat's has_stats() relies on this number
to be equal to CLTPROC4_SZ. Unfortunately this is not the case. I have
changed has_stats() not to rely on these two values being equal. This
should also allow nfsstat to work with different kernel versions that
expose a different number of NFS client ops.
* Fix has_stats()
* Stop print_clnt_list() printing server stats!
* Describe the option -3 and -4 completely in the nfsstat manpage.
Signed-off-by: Harshula Jayasuriya <harshula@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Bryan Schumaker [Fri, 19 Nov 2010 17:01:10 +0000 (12:01 -0500)]
Add the new nfsidmap program
This patch adds the nfsidmap program to nfs-utils. This program is
called by the nfs idmapper through request-keys to map between
uid / user name and gid / group name.
Chuck Lever [Fri, 29 Oct 2010 16:56:21 +0000 (12:56 -0400)]
nfs(5): Document remount behavior
It appears that, for a long while, NFS "remount" mounts have
completely wiped the existing mount options in /etc/mtab for a given
mount point. This is a problem for umount.nfs, since it reads its
options out of /etc/mtab to find out how to do the unmount.
The mount(8) command provides the NFS mount subcommand with the mount
options to perform the remount. There are four cases to consider:
1. Both the device and mount directory are specified on the
command line, and the target mount point is in /etc/fstab
2. Only one of the device and mount directory is specified on
the command line, and the target mount point is in
/etc/fstab
3. Both the device and mount directory are specified on the
command line, and the target mount point is not in /etc/fstab
4. Only one of the device and mount directory is specified on
the command line, and the target mount point is not in
/etc/fstab
Currently only case 4 works correctly. In that case, mount(8)
provides the correct set of mount options to the mount.nfs
subcommand and it can update /etc/mtab correctly.
Cases 1 and 3 replace all mount options in /etc/mtab with the options
provided on the command line during a remount. Case 2 replaces the
mount options in /etc/mtab with a mix of options from /etc/fstab and
/etc/mtab.
Cases 1 and 3 are historical behavior. Basically this is a formal
interface to allow administrators to replace the mount options in
/etc/mtab completely, instead of merging in new ones. The present
patch documents that behavior in nfs(5), and provides best practice
for remounting NFS mount points.
There are near-term plans to address case 2 by fixing mount(8)
(provided by utils-linux-ng in most distributions).
Chuck Lever [Thu, 28 Oct 2010 17:13:19 +0000 (13:13 -0400)]
mount.nfs: mnt_freq and mnt_pass are always zero
Clean up.
No need to pass constant zeros to add_mtab() from its only call site.
Ensure that initialization of a struct mntent is consistent in both
places that it is done.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 28 Oct 2010 16:12:12 +0000 (12:12 -0400)]
nfs-utils: Remove all uses of AI_ADDRCONFIG
It was reported that, if only "lo" is up,
mount.nfs 127.0.0.1:/export /mount
fails with "Name or service not known".
"man 3 getaddrinfo" says this:
If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4
addresses are returned in the list pointed to by res only if the
local system has at least one IPv4 address configured, and IPv6
addresses are only returned if the local system has at least
one IPv6 address configured.
The man page oversimplifies here. A review of glibc shows that
getaddrinfo(3) explicitly ignores loopback addresses when deciding
whether an IPv4 or IPv6 address is configured.
This behavior around loopback is a problem not just for mount.nfs,
but also for RPC daemons that have to start up before a system's
networking is fully configured and started. Given the history of
other problems with AI_ADDRCONFIG and the unpredictable behavior it
introduces, let's just remove it everywhere in nfs-utils.
Jeff Layton [Thu, 28 Oct 2010 13:18:33 +0000 (09:18 -0400)]
nfs-utils: fix default value for --enable-tirpc
We need $enable_tirpc to be a tristate. 'yes' means that someone
explicitly requested building with tirpc. 'no' means that it was
explicitly disabled. Anything else means that no one specified a value.
Fix it by setting the value to a blank string so that the default is
properly undefined.
Reported-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Wed, 13 Oct 2010 17:57:52 +0000 (13:57 -0400)]
behavior as file systems that use the monolithic /sbin/mount command.
See the MS_NOMTAB macro in utils-linux-ng/mount/mount.c.
Note that mount(8) has MS_USERS and MS_USER in the "nomtab" category
as well, but mount.nfs needs to record those values so that unmounting
a user-mounted NFS file system can work.
While we're here, fix some white space damage in fix_opts_string().
Chuck Lever [Wed, 13 Oct 2010 17:55:10 +0000 (13:55 -0400)]
umount.nfs: Distinguish between nfs4 and nfs mounts
Neil Brown reports that umount.nfs is still confused by "-t nfs -o
vers=4" mounts.
/etc/mtab can be confused. /proc/mounts is authoritative on the
fstype of a mount. Have umount.nfs consult it to determine which
mechanism to use for unmounting. The code to read /proc/mounts was
lifted from the nfsstat command.
The code introduced by this patch may look like belt-n-suspenders, but
we have two use cases to consider:
1. Old kernels don't support the "vers=4" mount option, so
umount.nfs must look for the "nfs4" fstype
2. Upcoming kernels may eliminate support the "nfs4" fstype, so
umount.nfs must look for the "vers=4" mount option
Thus this logic checks for "nfs4" first then looks for the NFS version
setting.
Note that we could handle unmounting entirely in the kernel, but that
won't help older kernels that have this issue.
Chuck Lever [Wed, 13 Oct 2010 17:01:51 +0000 (13:01 -0400)]
mount.nfs: mountproto does not support RDMA
Clean up. Our client does not support the MNT protocol on RDMA.
nfs_mount_protocol() isn't invoked for RDMA mounts (they are shunted
off before nfs_options2pmap() is invoked). But in case it ever is,
it should return the expected response.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Wed, 13 Oct 2010 15:54:49 +0000 (11:54 -0400)]
mount.nfs: Eliminate compiler warnings in utils/mount/mount.c
Clean up.
mount.c: In function parse_opt:
mount.c:354: warning: conversion to size_t from int may change the
sign of the result
mount.c:354: warning: conversion to int from size_t may change the
sign of the result
mount.c:359: warning: conversion to size_t from int may change the
sign of the result
mount.c:359: warning: conversion to int from size_t may change the
sign of the result
mount.c: In function parse_opts:
mount.c:374: warning: conversion to int from size_t may change the
sign of the result
mount.c:377: warning: conversion to size_t from int may change the
sign of the result
Character string lengths are usually size_t anyway. We can easily
avoid the implicit type cast here.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Wed, 13 Oct 2010 15:50:57 +0000 (11:50 -0400)]
mount.nfs: Eliminate compiler warnings in utils/mount/version.h
Clean up.
In file included from mount.c:50:
version.h: In function linux_version_code:
version.h:48: warning: conversion to unsigned int from int may
change the sign of the result
version.h:48: warning: conversion to unsigned int from int may
change the sign of the result
version.h:48: warning: conversion to unsigned int from int may
change the sign of the result
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Wed, 13 Oct 2010 15:38:22 +0000 (11:38 -0400)]
mount.nfs: Eliminate compiler warnings
Clean up.
fstab.c: In function ?lock_mtab?:
fstab.c:385: warning: declaration of ?errsv? shadows a previous local
fstab.c:367: warning: shadowed declaration is here
fstab.c:407: warning: declaration of ?errsv? shadows a previous local
fstab.c:367: warning: shadowed declaration is here
fstab.c:417: warning: declaration of ?tries? shadows a previous local
fstab.c:325: warning: shadowed declaration is here
fstab.c:422: warning: declaration of ?errsv? shadows a previous local
fstab.c:367: warning: shadowed declaration is here
These are probably harmless. Reusing a variable name, however, is a
little confusing to follow when reading the code.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Wed, 13 Oct 2010 15:22:07 +0000 (11:22 -0400)]
libnfs.a: Allow multiple RPC listeners to share listener port number
Normally, when "-p" is not specified on the mountd command line, the
TI-RPC library chooses random port numbers for each listener. If a
port number _is_ specified on the command line, all the listeners
will get the same port number, so SO_REUSEADDR needs to be set on
each socket.
Thus we can't let TI-RPC create the listener sockets for us in this
case; we must create them ourselves and then set SO_REUSEADDR (and
other socket options) by hand.
Different versions of the same RPC program have to share the same
listener and SVCXPRT, so we have to cache xprts we create, and re-use
them when additional requests for registration come from the
application.
Though it doesn't look like it, this fix was "copied" from the legacy
rpc_init() function. It's more complicated for TI-RPC, of course,
since a TI-RPC application can set up listeners with a nearly
arbitrary number of address families and socket types, not just the
two listeners that legacy RPC applications can set up (one for AF_INET
UDP and one for AF_INET TCP).
Steve Dickson [Wed, 13 Oct 2010 14:09:53 +0000 (10:09 -0400)]
nfs-utils: Move common code into support
There are several source files and headers present in the ./utils/idmapd
directory which are also usable in a doimapd daemon. Because of this we
move that support into the support directory such that it can be shared by
both daemons.
Signed-off-by: Jim Rees <rees@umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
Allow the principal that is used to get the machines creds definable
on the command like with the new '-p <principal>'. This is useful
in cluster environments.
Signed-off-by: Eberhard Kuemmerle <E.Kuemmerle@fz-juelich.de> Signed-off-by: Steve Dickson <steved@redhat.com>
David Lecorfe [Mon, 27 Sep 2010 17:29:31 +0000 (13:29 -0400)]
nfs-iostat.py: don't wait for an extra interval when given a count
If I invoke the tool with an interval of 10 and a count of 2, it will:
- show the summary
- sleep 10s
- show the stats for the last 10s
- sleep 10s
- exit
Signed-off-by: David Lecorfe <dlecorfec@gmail.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 27 Sep 2010 14:14:34 +0000 (10:14 -0400)]
mountd: Update mountd/exportfs man pages to reflect IPv6 changes
Document IPv6 support in rpc.mountd and exportfs, and clarify existing
language in the man page.
Clean up: Use bold consistently for program names, and italics
consistently for file names. Use "rpc.mountd" consistently as the
name of the mountd daemon.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 27 Sep 2010 14:13:39 +0000 (10:13 -0400)]
mountd: Use MNT status values instead of NFSERR
Clean up: The MNT protocol has its own enum type defining error
status values. While the values can be the same as the NFSERR enum
type on some systems, it's not guaranteed to be true everywhere.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 27 Sep 2010 14:11:18 +0000 (10:11 -0400)]
mountd: Fix up version and usage messages
Clean up: rpc.mountd is no longer known as kmountd. Use the program's
basename rather than the full pathname for the usage message. Display
a version message at start up similar to statd's.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Jeff Layton [Thu, 16 Sep 2010 18:34:39 +0000 (14:34 -0400)]
rpc.nfsd: mount up nfsdfs is it doesn't appear to be mounted yet
There's a bit of a chicken and egg problem when nfsd is run the first
time. On Fedora/RHEL at least, /proc/fs/nfsd is mounted up whenever nfsd
is plugged in via a modprobe.conf "install" directive.
If someone runs rpc.nfsd without plugging in nfsd.ko first,
/proc/fs/nfsd won't be mounted and rpc.nfsd will end up using the legacy
nfsctl interface. After that, nfsd will be plugged in and subsequent
rpc.nfsd invocations will use that instead.
This is a problem as some nfsd command-line options are ignored when the
legacy interface is used. It'll also be a problem for people who want
IPv6 enabled servers. The upshot is that we really don't want to use the
legacy interface unless there is no other option.
To avoid this situation, have rpc.nfsd check to see if the "threads"
file is already present. If it's not, then make an attempt to mount
/proc/fs/nfsd. This is a "best-effort" sort of thing, however so we
just ignore the return code from the mount attempt and fall back to
using nfsctl() if it fails.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 16 Sep 2010 18:25:52 +0000 (14:25 -0400)]
libexport.a: Enable IPv6 support in hostname.c
If --enable-ipv6 is specified when building nfs-utils, libexport's
host_foo() helpers can now return both IPv4 and IPv6 addresses.
This means IPv6 presentation addresses and IPv6 DNS resolution
results are handled properly in the mountd cache and /etc/exports,
but does not yet enable IPv6 mountd listeners.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 16 Sep 2010 18:19:19 +0000 (14:19 -0400)]
mountd: clean up cache API
Clean up: Squelch compiler warnings and document public parts of
cache API.
cache.c: At top level:
cache.c:67: warning: no previous prototype for auth_unix_ip
cache.c:123: warning: no previous prototype for auth_unix_gid
cache.c:217: warning: no previous prototype for get_uuid
cache.c:247: warning: no previous prototype for uuid_by_path
cache.c:326: warning: no previous prototype for nfsd_fh
cache.c:745: warning: no previous prototype for nfsd_export
cache.c:820: warning: no previous prototype for cache_open
cache.c:832: warning: no previous prototype for cache_set_fd
cache.c:841: warning: no previous prototype for
cache_process_req
cache.c:921: warning: no previous prototype for cache_export
cache.c:953: warning: no previous prototype for
cache_get_filehandle
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 16 Sep 2010 17:44:02 +0000 (13:44 -0400)]
mountd: Support IPv6 in mountd's svc routines
Replace IPv4-specific code with use of our generic hostname helpers
in the routines that handle incoming MNT RPC requests.
These functions will support IPv6 without additional changes, once
IPv6 is enabled in the generic hostname helpers.
As part of this update, I've modified all of mountd's _svc routines
to use a debug message format that is consistent with statd. It may
be overkill for some of these; if so we can pull them out later.
Chuck Lever [Thu, 16 Sep 2010 13:32:52 +0000 (09:32 -0400)]
libnfs.a: Fix API for getfh() & friends
This is more of a clean-up than a behavioral change.
POSIX requires that a "struct sockaddr" is the same size as a "struct
sockaddr_in". Therefore, a variable or field of type "struct sockaddr"
cannot contain an AF_INET6 address. However, "struct sockaddr *" is
often used to reference a generic (ie non-address family specific)
socket address, generating some confusion about this.
The nfsctl_arg struct uses a struct sockaddr (not a pointer) to pass
the client's IP address to the kernel. This means the legacy nfsctl()
kernel API can never support IPv6. Fortunately for us, this legacy
interface was replaced by a text-based cache interface a few years
back. We don't need to support non-AF_INET addresses here.
The getfh() functions in nfs-utils provide a handy C API for the
kernel's nfsctl interface. The getfh() functions still take a struct
sockaddr *, though, and that can imply that a non-IPv4 address can be
passed via this API. To make it abundantly clear that only IPv4
addresses can be used with this interface, change the synopses of
getfh() and friends to take a struct sockaddr_in * instead of a struct
sockaddr * .
This makes these functions conform with other places in mountd and
exportfs that already grok the difference between a struct sockaddr
and a struct sockaddr_in.
While we're here...
Introduce some nice documenting comments for the get_fh() functions,
and...
Since mountd will support IPv6 in the near future, assert that the
family of client addresses passed to this API is indeed AF_INET, in
order to prevent non-AF_INET addresses from ever being passed to the
legacy nfsctl() interface.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 16 Sep 2010 11:26:07 +0000 (07:26 -0400)]
mount.nfs: Refactor mount version and protocol autonegotiation
Clean up.
I'm beginning to agree with Bruce and Steve's assessment that the
fallthrough switch case in nfs_try_mount() is more difficult to read
and understand than it needs to be. The logic that manages
negotiating NFS version and protocol settings is getting more complex
over time anyway.
So let's split the autonegotiation piece out of nfs_try_mount().
We can reduce indenting, and use cleaner switch-based logic. Also,
adding more comments can only help.
Neil also suggested replacing the pre-call "errno = 0" trick. The
lower-level functions may try to mount several times (given a list of
addresses to try). errno could be set by any of those. The mount
request will succeed at some point, and "success" is returned, but
errno is still set to some non-zero value.
The kernel version check in nfs_try_mount() is more or less loop
invariant: it's impossible for the result of that test to change
between retries. So we should be able to safely move it to the logic
that sets the initial value of mi->version.
This patch is not supposed to cause a behavioral change.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>