1544 Commits

Author SHA1 Message Date
dfr
2fb03513fc Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager.  I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.

The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.

To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.

Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.

The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.

Sponsored by:	Isilon Systems
MFC after:	1 month
2008-11-03 10:38:00 +00:00
sam
dcbe57056a o unbreak ani stat display
o improve some labels
2008-10-29 20:19:54 +00:00
sam
09af0f0e33 sync w/ driver updates; this also brings in ani stats 2008-10-27 18:50:46 +00:00
sam
00a664330b add regdomain knob 2008-10-27 18:47:48 +00:00
des
87e3b3e46d #ifdef out the lock-against-self test. I'm not sure it makes sense, and
it relies on non-portable flock(2) semantics.  Not only is flock(2) not
portable, but on some OSes that do have it, it is implemented in terms
of fcntl(2) locks, which are per-process rather than per-descriptor.
2008-10-20 17:26:30 +00:00
sam
f0bd6304a2 add -n option to suppress clearing the build tree and add -DNO_CLEAN
to buildworld and/or buildkernel
2008-10-19 06:58:31 +00:00
n_hibma
9dcc9c2cd5 Avoid failing if the directory already exists (when restarting at customize).
MFC after:	2 days
2008-10-09 18:06:28 +00:00
rwatson
b2babfa539 Update udpzerobyte to understand that passing 0 as a length to recv(2)
will cause it to return 0, not EAGAIN.

Add UNIX domain socket support to udpzerobyte, which suggests this
regression test should be moved to the general sockets test area rather
than netinet.
2008-10-07 21:01:23 +00:00
rwatson
914c87276b Add IPv6 support to zero-size UDP transmit/receive test. 2008-10-07 14:13:59 +00:00
rwatson
a9a8df42d1 Regression test for the loopback handling of zero-length UDP packets, which
should be delivered but without payload.
2008-10-07 10:31:55 +00:00
rwatson
870d67a11e Add very simple regression test for fstat(2) on sockets: make sure it
returns success for various socket types.  It's easy to imagine this
being enhanced to validate the returned data, but...
2008-10-06 19:42:03 +00:00
simon
b416ba242b In cust_install_files() we ignore CVS directories. In a similar way now
also ignore .svn directories.
2008-09-23 18:54:56 +00:00
simon
cb0445a846 - Change all "echo #..." into using a progress print function to make it
possible to make NanoBSD output more quite or verbose.  The default
  output should remain mostly unchanged. [1]
- Add missing shift for -i.
- Clean up usage() so it's now (mostly) sorted alphabetically.
- Make command line argument handling more consistent in the code and
  remove redundant semicolons.

Reviwed by:	phk [1]
2008-09-23 18:42:35 +00:00
sam
535b586e4a add missing options 2008-09-23 16:15:42 +00:00
sam
8d8eb7dc9c add missing options 2008-09-23 16:11:15 +00:00
bms
4b627377fc * Add USB boot support.
* Allow the image name to be renamed via NANO_IMGNAME.
* Propagate TARGET_ARCH into src top level make targets
  explicitly to support cross-building.
* Increase the default size of NanoBSD media from 488MB to
  584MB to accomodate a -CURRENT world.

Reviewed by:	phk
2008-09-22 23:56:36 +00:00
bms
849a6bf2d2 Mark the first slice of a NanoBSD image 'active' by default.
This fixes USB boot (not yet merged to HEAD) with 3 flavours
of BIOS I've seen.

Approved by:	phk
2008-09-22 20:21:39 +00:00
sam
9c3d2ffcdf add new build knobs and jigger some existing controls to improve
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd

Reviewed by:	various (posted to arch)
MFC after:	1 month
2008-09-21 22:02:26 +00:00
simon
0cc76d7678 Include $NANO_NAME in the completed message. This is nice if you are
building multiple NanoBSD images at once to keep track of what is
running and what isn't.
2008-09-21 18:02:00 +00:00
sam
d151c8281b eliminate hardwired lists; use the media type to autoconfig 2008-09-21 00:26:13 +00:00
antoine
a7c4611926 Add files to remove when WITHOUT_HESIOD is set.
This fixes "make check-old" when WITH_HESIOD is set.

PR:		122406
MFC after:	1 month
2008-09-13 17:29:49 +00:00
maxim
2473c0ee1e o Correct a comment: a test file size is a four pages not three. 2008-09-10 09:32:25 +00:00
simon
f8ec3c9c15 Change space -> tab in printed usage output to make it look consistent. 2008-09-07 14:32:03 +00:00
das
ca999bfaa6 Regression tests for bugs in gdtoa. 2008-09-03 07:35:14 +00:00
thomas
97e4608fa8 Fix typo in comment. 2008-09-02 21:27:19 +00:00
rik
affcc995ea Add simple cd to dvd conversion script. 2008-08-31 22:08:39 +00:00
rwatson
59f71b4d71 Update README to reflect removal of netatm/harp test parts some time ago.
MFC after:	3 days
2008-08-31 11:41:31 +00:00
jkim
15b99cdb14 Connect a forgotten test case to Makefile. 2008-08-29 20:58:01 +00:00
jkim
7d24618f3d Do not pass validatation level since all issues are fixed now. 2008-08-29 20:20:30 +00:00
jkim
4b913d6bb8 Merge local copy of bpf_validate() with bpf_filter.c. 2008-08-29 20:07:02 +00:00
pjd
eb18064487 By default backup geli metadata to a file. It is quite critical 512 bytes,
once it is lost, all data is gone.

Option '-B none' can by used to prevent backup. Option '-B path' can be
used to backup metadata to a different file than the default, which is
/var/backups/<prov>.eli.

The 'geli init' command also prints backup file location and gives short
procedure how to restore metadata.

The 'geli setkey' command now warns that even after passphrase change or keys
update there could be version of the master key encrypted with old
keys/passphrase in the backup file.

Add regression tests to verify that new functionality works as expected.

Update other regression tests so they don't create backup files.

Reviewed by:	keramida, rink
Dedicated to:	a friend who lost 400GB of his live by accidentally overwritting geli metadata
MFC after:	2 weeks
2008-08-29 18:10:18 +00:00
jkim
a85de0848e Merge bpf_filter.c r182425 and add test cases for jump range checks.
While I am here, fix stupid typos in test0080.h and make it JIT compiler only.
2008-08-29 02:12:45 +00:00
jkim
1d9644cd19 Move comments to the right places. 2008-08-28 22:41:31 +00:00
jkim
4eb765aaef Merge bpf_filter.c r182412 and remove additional local checks.
While I am here, use more realistic value for illegal code test case.
2008-08-28 22:19:57 +00:00
jkim
b8209dfb17 Fix style consistencies and a comment. 2008-08-28 18:38:55 +00:00
jkim
4e5f663031 Merge bpf_filter.c r182380 and remove additional local checks
for BPF_STX and BPF_LDX|BPF_MEM instructions.
2008-08-28 17:59:16 +00:00
jkim
c22e2b30b2 Add a test case for uninitialized scratch memory (for JIT compiler). 2008-08-28 16:58:30 +00:00
stefanf
f8e575b9ca Add a test for r182300. 2008-08-27 20:26:34 +00:00
jkim
2efee2eeaa Add a test case for null filter. 2008-08-26 21:54:47 +00:00
jkim
72e5b4d251 Add more test cases for invalid instructions and add comments
about bpf_validate(9) issues.
2008-08-26 19:24:58 +00:00
jkim
12fb66e68a Remove some hacks from regression test since bpf_filter.c builds fine now. 2008-08-26 00:35:04 +00:00
jkim
a70ab99712 Add a trivial bpf filter benchmark. 2008-08-25 23:36:24 +00:00
jkim
7226acfb72 Use sys/net/bpf_jitter.c instead of rolling our own version
since it is compilable on user land now.
2008-08-25 22:45:18 +00:00
jkim
dddb7ff151 Reflect sys/net/bpf_jitter.h changes to regression test. 2008-08-25 21:33:12 +00:00
raj
5524587165 Increase cryptotest tool initialization vector (IV) size.
This fixes potential out-of-bound accesses when testing ciphers with block size
greater than 8 bytes (e.g. AES).

Submitted by:	Bartlomiej Sieka tur ! semihalf dot com
Discussed with:	pjd, sam
2008-08-21 16:49:57 +00:00
jkim
95cf51a304 Add test case for 'divide by 0' with BPF_ALU|BPF_DIV|BPF_X instruction. 2008-08-18 23:05:19 +00:00
jkim
62966b1d9f Fix two test cases on 32-bit architectures. 2008-08-18 21:40:03 +00:00
jkim
2e51cd9be9 Add simple bpf(9) regression tests and test cases. 2008-08-18 19:01:58 +00:00
phk
2c4b93bf04 Accept tty[ud]0 for console device 2008-08-15 08:28:15 +00:00
antoine
044437abb4 Use expr -e instead of expr to compute NANO_MEDIASIZE for Flash devices
larger than 2GB to prevent an overflow [1].
Make case-insensitive comparison work for siliconsystems, soekris and
transcend devices.

PR:		conf/126386 [1]
Submitted by:	Mark A [1]
MFC after:	1 month
2008-08-12 16:59:23 +00:00