The usual reason for an NFSv4 server replying NFSERR_WRONGSEC
to an operation is that a Kerberos credential is required.
This patch replaces a cryptic "err=10016" with a message
suggesting that a Kerberos TGT is probably needed.
MFC after: 2 weeks
It turns out that the underlying problem that caused
a Kerberized NFS mount with the "gssname" option to
fail was that the kernel upcall to the gssd(8) daemon
would time out prematurely after 25 seconds. The
gss_acquire_cred() GSSAPI library call
takes about 27 seconds for the case where a desired_name
argument is specified. A similarly long delay occurs
when the gss_init_sec_context() call is made and the
user principal's TGT has expired.
Once the upcall timed out, the kernel code assumed that
the gssd(8) daemon had died and closed the socket.
Ironically, closing the socket did cause the gssd(8)
daemon to terminate via a SIGPIPE signal.
This patch increases the timeout to 5 minutes. Since
a timeout should only occur when the gssd(8) daemon
has died, a long timeout should be ok and seems to fix this
problem.
I still think that commit c33509d49a should remain in the
system, since it allows the mount to complete quickly
and not take nearly 30 seconds.
PR: 268823
MFC after: 2 weeks
Virtio operates with physical addresses, while busdma is designed to
map these to produce bus addresses. On most supported platforms,
these two are interchangeable; on powerpc platforms, they are not.
When on powerpc, set an IOMMU of NULL, which causes the powerpc busdma
code to bypass the iommu mapping; this leaves us with the physical
buffer addresses which the virtio host expects to see.
Tested by: alfredo
Fixes: 782105f7c8 ("vtblk: Use busdma")
Sponsored by: https://www.patreon.com/cperciva
Differential Revision: https://reviews.freebsd.org/D37891
When RACK and BBR were added to the kernel, they were put
behind 'WITH_EXTRA_TCP_STACKS=1'. Unfortunately that was
never added to any NOTES file, so RACK & BBR were not compiled
with the various LINT-NOINET, LINT-NOINET6, and LINT-NOIP kernels.
This led to the stacks sometimes being broken.
This change:
- Fixes RACK so that it compiles with the various LINT-NO* kernels
- Adds WITH_EXTRA_TCP_STACKS=1 to all NOTES kernels so that
RACK and BBR are compile tested regularly
Sponsored by: Netflix
Reviewed by: rrs
Differential Revision: https://reviews.freebsd.org/D37903
* Replay 2010[acflm] which had been merged but not recorded.
* Merge 2010n.
* Reorganize (unsplit) the code to match the upstream layout.
* Merge 2022[cdefg].
MFC after: 1 week
Sponsored by: Klara, Inc.
Summary:
A common pattern has been to:
    if (foo)
        caps = IFCAP_FOO;
    ifp->if_capenable &= ~IFCAP_FOO;
    ifp->if_capenable |= caps;
which in the new order of things would be:
    if (foo)
        caps = IF_FOO;
    if_setcapenablebits(ifp, 0, IFCAP_FOO);
    if_setcapenablebits(ifp, caps, 0);
This change streamlines this into:
    if (foo)
        caps = IF_FOO;
    if_setcapenablebits(ifp, caps, IFCAP_FOO);
Reviewed by: melifaro
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D37993
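The three update patterns from the commit message above, worked through as an added example (editor's code, not FreeBSD's if.c). It models if_capenable as a plain uint32_t field; IFCAP_FOO and IFCAP_BAR are hypothetical capability bits, and model_setcapenablebits() assumes the setter clears its clear mask before applying its set mask, which is exactly what the streamlined single call depends on. A set-then-clear variant is included to show why that ordering matters: with it, passing the same bit in both arguments leaves the bit cleared.

```c
/*
 * Added example: model of the if_capenable update patterns. Not kernel
 * code; IFCAP_FOO/IFCAP_BAR are made-up bits and model_setcapenablebits()
 * is an assumed clear-then-set implementation of the accessor.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IFCAP_FOO 0x0001u	/* hypothetical capability bit */
#define IFCAP_BAR 0x0002u	/* unrelated bit that must survive */

struct ifnet_model {
	uint32_t if_capenable;
};

/* Assumed semantics: clear first, then set. A bit named in both masks
 * therefore ends up set. */
static void
model_setcapenablebits(struct ifnet_model *ifp, uint32_t setbits,
    uint32_t clearbits)
{
	ifp->if_capenable &= ~clearbits;
	ifp->if_capenable |= setbits;
}

/* The opposite order: a bit named in both masks ends up cleared. */
static void
model_setcapenablebits_set_then_clear(struct ifnet_model *ifp,
    uint32_t setbits, uint32_t clearbits)
{
	ifp->if_capenable |= setbits;
	ifp->if_capenable &= ~clearbits;
}

/* Old pattern: direct manipulation of the field. */
uint32_t
capenable_old(uint32_t capenable, bool foo)
{
	uint32_t caps = 0;

	if (foo)
		caps = IFCAP_FOO;
	capenable &= ~IFCAP_FOO;
	capenable |= caps;
	return (capenable);
}

/* Two-call form under the accessor: clear, then set. */
uint32_t
capenable_two_calls(uint32_t capenable, bool foo)
{
	struct ifnet_model ifp = { capenable };
	uint32_t caps = 0;

	if (foo)
		caps = IFCAP_FOO;
	model_setcapenablebits(&ifp, 0, IFCAP_FOO);
	model_setcapenablebits(&ifp, caps, 0);
	return (ifp.if_capenable);
}

/* Streamlined form: one call that clears IFCAP_FOO and sets 'caps'. */
uint32_t
capenable_streamlined(uint32_t capenable, bool foo)
{
	struct ifnet_model ifp = { capenable };
	uint32_t caps = 0;

	if (foo)
		caps = IFCAP_FOO;
	model_setcapenablebits(&ifp, caps, IFCAP_FOO);
	return (ifp.if_capenable);
}

/* Same streamlined call against a set-then-clear accessor: when foo is
 * true the bit is set and immediately cleared again, so FOO is lost. */
uint32_t
capenable_streamlined_set_then_clear(uint32_t capenable, bool foo)
{
	struct ifnet_model ifp = { capenable };
	uint32_t caps = 0;

	if (foo)
		caps = IFCAP_FOO;
	model_setcapenablebits_set_then_clear(&ifp, caps, IFCAP_FOO);
	return (ifp.if_capenable);
}

int
main(void)
{
	printf("old          foo=1: %#x\n", capenable_old(IFCAP_BAR, true));
	printf("two calls    foo=1: %#x\n", capenable_two_calls(IFCAP_BAR, true));
	printf("streamlined  foo=1: %#x\n", capenable_streamlined(IFCAP_BAR, true));
	printf("set-then-clr foo=1: %#x\n",
	    capenable_streamlined_set_then_clear(IFCAP_BAR, true));
	printf("streamlined  foo=0: %#x\n",
	    capenable_streamlined(IFCAP_BAR | IFCAP_FOO, false));
	return (0);
}
```

The first three functions agree for both values of foo and never disturb IFCAP_BAR; only the set-then-clear variant diverges, which is the property a driver author should confirm about the real accessor before collapsing two calls into one.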
Older, supported FreeBSD versions lack bit_ntest() so hoist the bootstrap
installation out of the OS!=FreeBSD case and always install it. A more
precise criterion is possible, but would add little value.
This fixes bootstrapping makefs as a build tool on 13.1.
Reviewed by: jrtc27, emaste
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D37951
If "ifconfig create" tries to load a kernel module, and the module
exists but can't be loaded, fail the command with a useful error
message. This is helpful, for example, when trying to create a cloned
interface in a vnet jail. But ignore ENOENT, because sometimes ifconfig
can't correctly guess the name of the required kernel module.
MFC after: 2 weeks
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D37873
These architectures fail to handle this special case, and will cause the
corresponding setjmp/_setjmp to return 0 rather than 1. Fix this and add
regression tests (also committed upstream).
PR: 268684
Reviewed by: arichardson, jhb
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D29363
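An added check for the setjmp special case described above (editor's code, not the regression tests the commit mentions). The commit's subject line, which names the architectures and the case, is not on this page; the example assumes it is the case the C standard defines for longjmp(env, 0): setjmp() must then return 1, never 0, since a 0 return is reserved for the direct call. The same property applies to the _setjmp/_longjmp pair.

```c
/*
 * Added example: observe what setjmp() returns after longjmp(env, val).
 * Assumes the special case at issue is val == 0, for which the C standard
 * requires setjmp() to return 1 on the second return.
 */
#include <setjmp.h>
#include <stdio.h>

/* Call setjmp(), jump back once with 'val', and return the value that the
 * second return of setjmp() observed. 'jumped' is volatile because it is
 * modified between setjmp() and longjmp() and must survive the jump. */
int
setjmp_roundtrip(int val)
{
	jmp_buf env;
	volatile int jumped = 0;
	int rv;

	rv = setjmp(env);
	if (!jumped) {
		jumped = 1;
		longjmp(env, val);	/* does not return */
	}
	return (rv);
}

/* 1 if the implementation handles longjmp(env, 0) correctly, 0 if it
 * exhibits the bug the commit describes (setjmp() returning 0). */
int
longjmp_zero_is_handled(void)
{
	return (setjmp_roundtrip(0) == 1);
}

int
main(void)
{
	printf("longjmp(env, 0) -> setjmp returned %d (expect 1)\n",
	    setjmp_roundtrip(0));
	printf("longjmp(env, 7) -> setjmp returned %d (expect 7)\n",
	    setjmp_roundtrip(7));
	printf("special case handled: %s\n",
	    longjmp_zero_is_handled() ? "yes" : "NO");
	return (longjmp_zero_is_handled() ? 0 : 1);
}
```

On a broken port setjmp_roundtrip(0) returns 0 and the caller falls out of the `if (!jumped)` guard only because of the volatile flag; without that guard a buggy libc would loop forever, which is why the flag is separate from the value under test.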
sanity_check_currdev returns true if it found a kernel or a sane loader
config file. A better name for this would be 'bootable' rather than 'rv'
which connotes in other places an errno value or similar.
Sponsored by: Netflix
The previous code would skip as many entries at the end of the
array as there were zombies in the list. While here fix type
of cnt.
Submitted by: Ali Abdallah <ali.abdallah suse.com>
PR: 232702
MFC after: 2 weeks
Have liby and libcompat share *-dev and *-lib32_dev rules, and share
*-man rule for libcompat and libelftc. Also correct name substitution
and description for man rules.
Reviewed by: manu
Fixes: 5391bcf0f7 ("pkgbase: Do not record dependency on...")
Fixes: 65fa2fd23b ("pkgbase: Do record dependency on non-...")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37964
Pass in 'true' if you'd like to search this device's partitions or
'false' if you should just search the device. EFI and (in the future)
kboot have discrete partitions that aren't accessed via the full disk
device. Weird things happen if you try to search in these cases.
Sponsored by: Netflix
If an NFS mount using "sec=krb5[ip],gssname=<name>" is
done, the gssd daemon fails. There is a long delay
(several seconds) in the gss_acquire_cred() call and then
it returns success, but the credentials returned are
junk.
I have no idea how long this has been broken, due to some
change in the Heimdal gssapi library call, but I suspect
it has been quite some time.
Anyhow, it turns out that replacing the "desired_name"
argument with GSS_C_NO_NAME fixes the problem.
Replacing the argument should not be a problem, since the
TGT for the host based initiator credential in the default
keytab file should be the only TGT in the gssd's credential
cache (which is not the one for uid 0).
I will try and determine if FreeBSD13 and/or FreeBSD12
needs this same fix and will MFC if they need the fix.
This problem only affected Kerberized NFS mounts when the
"gssname" mount option was used. Other Kerberized NFS
mount cases already used GSS_C_NO_NAME and work ok.
A workaround if you do not have this patch is to do a
"kinit -k host/FQDN" as root on the machine, followed by
the Kerberized NFS mount without the "gssname" mount
option.
MFC after: 1 month
ZFS uses a lot of memory. The old minimal allocations won't work when
ZFS support is added. Most environments where this will be used (or will
likely be used) have >> 256MB; 128MB should be safe everywhere and allow
examination of a fair number of ZFS pools to boot from.
Sponsored by: Netflix
Add the familiar macros for file types for stat's st_mode
member. Prepend HOST_ to the start of these. Make sure all the values
match the linux nolibc and uapi headers. These values are the same as
native values since they appear to be required by POSIX. Define anyway
to allow the reader of the code to know that they are in the 'host (eg
Linux)' namespace rather than the 'loader' namespace.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D37967
Linux pre-boot environments will often have a number of pseudo disks
that are small, all smaller than a few MB. 16MB is a good cutoff since
it's big enough to filter these devices, yet small enough to allow a
super-minimal partition through (the smallest I've been able to make
that's useful lately is around 20MB).
Sponsored by: Netflix