179 Commits

Author SHA1 Message Date
pluknet
7700ebe3ff Check if the -sec option is given without an argument.
PR:		bin/170413
Submitted by:	Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
MFC after:	1 week
2013-02-20 12:40:26 +00:00
rmacklem
c9aa765acd Attempt to clarify that for ZFS, all file systems under
the NFSv4 root must be exported. This is because ZFS
checks exports itself.
This is a content change.

MFC after:	2 weeks
2012-12-25 22:34:43 +00:00
kevlo
804c67a486 Fix socket calls on error post-r243965.
Submitted by:	Garrett Cooper
2012-12-21 15:54:13 +00:00
rmacklem
3fc142df50 Add a description for the '-S' option to the mountd man page.
This is a content change.

Reviewed by:	kib
MFC after:	2 weeks
2012-10-15 00:24:23 +00:00
rmacklem
3b6779863a Add a new '-S' option to mountd, which tells it to suspend
execution of the nfsd threads while it is reloading the exports.
This avoids clients from getting intermittent access errors
when the exports are being reloaded non-atomically.
It is not an ideal solution, since requests will back up while
the nfsd threads are suspended. Also, when this option is used,
if mountd crashes while reloading exports, mountd will have to
be restarted to get the nfsd threads to resume execution.
This has been tested by Vincent Hoffman (vince at unsane.co.uk)
and John Hickey (jh at deterlab.net).
The nfse patch offers a more comprehensive solution for this issue.

PR:		kern/9619, kern/131342
Reviewed by:	kib
MFC after:	2 weeks
2012-10-15 00:17:16 +00:00
joel
e9b754bcb5 Minor mdoc fixes.
2012-10-07 19:53:04 +00:00
rmacklem
b434c519bd Attila Bogar reported a bug in mountd when multiple export
entries with different security flavors are in the exports(5)
file. For that case, mountd replies with the security flavors
of the last entry and not the correct one for the client host.
This patch fixes that by storing separate copies of the flavors
for each host/net case, plus a default one for the case where
no hosts/nets are specified on an entry in the exports(5) file.
Unlike the patch in the PR, it replies with the security flavors
for the entry instead of merging the security flavors for all
the entries and replying with that.

Tested by:	attila.bogar at linguamatics.com
PR:		kern/164933
MFC after:	2 weeks
2012-09-24 23:57:16 +00:00
delphij
79315336c5 Show error messages if nmount() failed.
MFC after:	1 month
2012-08-27 19:08:47 +00:00
eadler
1ef5fe44d3 Remove trailing whitespace per mdoc lint warning
Discussed with:	gavin
No objection from:	doc
Approved by:	joel
MFC after:	3 days
2012-03-29 05:02:12 +00:00
eadler
c33328dca5 Fix warning when compiling with gcc46:
error: variable 'dirp' set but not used
	error: variable 'dirplen' set but not used

Approved by:	dim, cperciva (mentor, blanket for pre-mentorship already-approved commits)
MFC after:	3 days
2012-01-20 01:38:12 +00:00
uqs
415a3a9b96 Spelling fixes for usr.sbin/
2011-12-30 10:58:14 +00:00
delphij
ab777938ae Use calloc() instead of an explicit memset.
MFC after:	2 weeks
2011-07-14 07:35:28 +00:00
rmacklem
95c07f14f8 Try and fix the exports.5 man page so that it clarifies how
NFSv4 exports are handled. Improved by informal review comments from
mckusick, kudak at mit.edu and bde.
This is a content change.

MFC after:	2 weeks
2011-07-12 14:04:36 +00:00
rmacklem
c0db2e6ab9 Fix the nfs related daemons so that they don't intermittently
fail with "bind: address already in use". This problem was reported
to the freebsd-stable@ mailing list on Feb. 19 under the subject
heading "statd/lockd startup failure" by george+freebsd at m5p dot com.
The problem is that the first combination of {udp,tcp X ipv4,ipv6}
would select a port# dynamically, but one of the other three combinations
would have that port# already in use. The patch is somewhat involved
because it was requested by dougb@ that the four combinations use the
same port# wherever possible. The patch splits the create_service()
function into two functions. The first goes as far as bind(2) in a
loop for up to GETPORT_MAXTRY - 1 times, attempting to use the same port#
for all four cases. If these attempts fail, the last attempt allows
the 4 cases to use different port #s. After this function has succeeded,
the second function, called complete_service(), does the rest of what
create_service() did.
The three daemons mountd, rpc.lockd and rpc.statd all have a
create_service() function that is patched in a similar way. However,
create_service() has non-trivial differences for the three daemons
that made it impractical to share the same functions between them.

Reviewed by:	jhb
MFC after:	2 weeks
2011-06-02 19:33:33 +00:00
rmacklem
57afc00cc3 Patch the mountd and nfsd man pages to reflect the recent changes
done by r220980 to deprecate the -e option and add the -o option.
This is a content change for both man pages.
2011-04-24 01:11:28 +00:00
rmacklem
9ed5d7279c This patch changes the default NFS server to the new one, which was
referred to as the experimental server. It also adds a new command
line option "-o" to both mountd and nfsd that forces them to use the
old/regular NFS server. The "-e" option for these commands is now
a no-op, since the new server is the default. I will be committing rc
script and man changes soon. Discussed on freebsd-fs@.
2011-04-24 00:06:56 +00:00
ru
9bdd2cd5a9 Fixed conversion of prefix length to a netmask.
2011-03-01 11:47:16 +00:00
charnier
c30b6f1bc3 Add __unused. Ansi prototypes.
2010-12-20 09:28:28 +00:00
maxim
33e025b3ec o Fix typo: sepcify -> specify.
PR:		docs/148499
Submitted by:	Warren Block
MFC after:	1 week
2010-07-12 04:21:50 +00:00
rmacklem
7ae7bc4035 If the "-alldirs" export option was used for the V4: line, mountd
would crash in check_options() since dp == NULL for the V4: line.
This patch moves the check for options allowed on the V4: line to
ahead of where dp is used to avoid this crash.

Reported by:	mamalos AT eng.auth.gr
MFC after:	1 week
2010-05-06 00:24:08 +00:00
trasz
3f333f5ca2 Description of steps required to setup NFSv4 server is in nfsv4(4);
add reference to exports(5), since that's the obvious starting point
for searching for this.
2009-12-03 19:16:40 +00:00
dfr
ec9ddec04c Don't use sys/nfs/rpcv2.h - it is part of the old kernel RPC implementation
and will be removed.
2009-06-24 18:42:21 +00:00
rmacklem
4a22bb75d2 When mountd.c parses the nfsv4 root line(s) in /etc/exports, it
allocates data structures that are never linked into the tree or free'd.
As such, mountd would leak memory every time it parsed an nfsv4 root line.
This patch frees up those structures to plug the leak.

Approved by:	kib (mentor)
2009-06-23 21:48:04 +00:00
brooks
f53c1c309d Rework the credential code to support larger values of NGROUPS and
NGROUPS_MAX, eliminate ABI dependencies on them, and raise them to 1024
and 1023 respectively.  (Previously they were equal, but under a close
reading of POSIX, NGROUPS_MAX was defined to be too large by 1 since it
is the number of supplemental groups, not total number of groups.)

The bulk of the change consists of converting the struct ucred member
cr_groups from a static array to a pointer.  Do the equivalent in
kinfo_proc.

Introduce new interfaces crcopysafe() and crsetgroups() for duplicating
a process credential before modifying it and for setting group lists
respectively.  Both interfaces take care for the details of allocating
groups array. crsetgroups() takes care of truncating the group list
to the current maximum (NGROUPS) if necessary.  In the future,
crsetgroups() may be responsible for insuring invariants such as sorting
the supplemental groups to allow groupmember() to be implemented as a
binary search.

Because we can not change struct xucred without breaking application
ABIs, we leave it alone and introduce a new XU_NGROUPS value which is
always 16 and is to be used or NGRPS as appropriate for things such as
NFS which need to use no more than 16 groups.  When feasible, truncate
the group list rather than generating an error.

Minor changes:
  - Reduce the number of hand rolled versions of groupmember().
  - Do not assign to both cr_gid and cr_groups[0].
  - Modify ipfw to cache ucreds instead of part of their contents since
    they are immutable once referenced by more than one entity.

Submitted by:	Isilon Systems (initial implementation)
X-MFC after:	never
PR:		bin/113398 kern/133867
2009-06-19 17:10:35 +00:00
kan
ee4de3e44a Re-do r192913 in less intrusive way. Only do IP_RECVDSTADDR/IP_SENDSRCADDR
dance for UDPv4 sockets bound to INADDR_ANY. Move the code to set
IP_RECVDSTADDR/IP_SENDSRCADDR into svc_dg.c, so that both TLI and non-TLI
users will be using it.

Back out my previous commit to mountd. Turns out the problem was affecting
more than one binary so it needs to be addressed in generic rpc code in
libc in order to fix them all.

Reported by:	lstewart
Tested by:	lstewart
2009-06-18 17:10:43 +00:00
kan
d928fef9ce The change r192913 has added dependency on IP_RECVDSTADDR being
set for RPC UDP sockets. Mountd uses internal libc functions
directly and bypasses generic socket initialization completely,
so we need to set IP_RECVDSTADDR here to match the libc behavior.
2009-06-08 03:15:27 +00:00
rmacklem
8bb7f959a6 Change the "-4" argument for nfsd and mountd to "-e" to avoid
confusion, since it does not refer to IPv4 nor NFSv4, but to
running the experimental server instead of the regular one.

Approved by:	kib (mentor)
2009-05-28 20:28:13 +00:00
rmacklem
8ca86cdf06 Modify mountd to handle the experimental nfs server as well as the
regular one. It now takes a "-4" command line argument to force it
to use the experimental server. Otherwise it will use the regular
server unless the experimental server is the only one linked into
the kernel. A third kind of line has been added to /etc/exports,
which is specific to NFSv4 and defines where the NFSv4 tree root is
and can be used to limit access to NFSv4 state handling operations
that do not use any file handle.

Approved by:	kib (mentor)
2009-05-27 22:02:54 +00:00
dfr
2fb03513fc Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager.  I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.

The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.

To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.

Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.

The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.

Sponsored by:	Isilon Systems
MFC after:	1 month
2008-11-03 10:38:00 +00:00
danger
cfe07c5d69 - more mark-up fixes
Submitted by:	ru
2008-07-01 19:54:02 +00:00
danger
10977336ce - add some missing words
- we don't have ne(4), replace it with re(4)
- fix markup
- bump date

Submitted by:	ru
MFC after:	3 days
2008-06-30 08:29:02 +00:00
danger
2bc96effdd - markup fixes
- advise to use rc script to SIGHUP mountd
- add information about possibility of using /prefix network notation [1]

PR:		docs/124373
Reviewed by:	jhb
Obtained from:	NetBSD [1]
MFC after:	3 days
2008-06-27 16:32:04 +00:00
rodrigc
7b00b88e8b Remove hacks which filter out MNT_ROOTFS.
They are no longer needed now that we filter out MNT_ROOTFS
inside the nmount() call in revision 1.267 of vfs_mount.c.

Reviewed by:	rink
2008-03-05 07:55:07 +00:00
simon
f96314870d Use the correct variable to check for a malloc failing. This fixes a
case where mountd would fail to start with "out of memory" logged to
syslog.
2007-10-27 12:24:47 +00:00
matteo
d3d824bbff Add the -h <bindip> option to mountd, similar to the one in nfsd(8)
-h bindip
Specify specific IP addresses to bind to for TCP and UDP requests.
This option may be specified multiple times.  If no -h option is
specified, mountd will bind to INADDR_ANY.  Note that when specifying
IP addresses with -h, mountd will automatically add 127.0.0.1 and if
IPv6 is enabled, ::1 to the list.

PR:		bin/114097
Reviewed by:	pjd (an earlier version of the patch)
MFC after:	1 week
2007-10-20 11:25:34 +00:00
pjd
1a9b4ef000 Fatal error is only when cannot open any of the given exports files.
2007-04-13 10:25:49 +00:00
pjd
3910945fa0 Grr, committed manual page without the last change - make the comment a bit
prettier.
2007-02-03 00:15:46 +00:00
pjd
8d0230d761 Add support for multiple exports files. This will be useful for example for
ZFS, where we have automatically generated /etc/zfs/exports file, which
should not be edited directly.

Discussed with:	rwatson
2007-02-03 00:12:18 +00:00
rodrigc
6204a21149 If nmount() fails to export a directory, in the syslog() error message,
add the errmsg string returned by nmount().
2007-01-26 13:26:43 +00:00
rodrigc
7a2a030c15 Ignore SIGPIPE, instead of terminating process.
PR:		81230
Submitted by:	Dmitrij Tejblum <tejblum yandex-team ru>
MFC after:	1 month
2006-11-18 22:43:20 +00:00
rink
e1c2e84f50 My previous commit made it impossible to export / over NFS; this small
change fixes this.

Reported by:	Lin Jui-Nan Eric < ericlin dot jnlin at gmail dot com >
Submitted by:	Erik Trulsson < ertr1013 at student dot uu dot se > (commit is inspired by a patch from Erik)
Pointyhat to:	me
Reviewed by:	stable@
Approved by:	imp (mentor)
MFC after:	3 days
2006-10-19 19:46:49 +00:00
rink
048d5cc4aa Prevent mountd(8) from resetting mount options when exporting a filesystem.
Approved by:		imp (mentor)
Sponsored by:		Quality Service Provider BV
MFC after:		3 days
2006-10-09 17:38:18 +00:00
rodrigc
42f2307385 In get_exportlist(), properly loop over mounted filesystems.
PR:	bin/99873
Submitted by:	Danny Braniss <danny at cs dot huji dot ac dot il>
2006-07-08 13:49:24 +00:00
rodrigc
88f89f303f For network filesystems (NFS, samba, etc.), do not pass "export" nmount()
parameter to try to delete an NFS export.  It won't work, and will log
a spurious warning to syslog.

Tested by:	Arno J. Klaassen <arno at heho dot snv dot jussieu dot fr>
MFC after:	3 days
2006-06-06 21:56:49 +00:00
rodrigc
f5f4b77a10 Do not log "can't delete export" messages if nmount() returns ENOTSUP.
This eliminates spurious log entries for trying to delete exports
for filesystems like devfs and procfs.
2006-05-28 18:59:28 +00:00
rodrigc
155325e141 Convert to nmount() and remove hardcoded checks for ufs, msdosfs, ntfs,
and cd9660.

PR:	bin/97642
2006-05-24 11:49:39 +00:00
rodrigc
04be51fc90 Convert mountd to nmount(). Remove some hardcoded dependencies
on ufs, cd9660, msdosfs, and ntfs, but not all dependencies.
2006-05-23 17:10:17 +00:00
keramida
9474672d95 Note that when -d flag is used, mountd(8) will not detach from the
controlling terminal.

PR:		docs/96660
Submitted by:	Jeff Ito <ijk@speakeasy.net>
MFC after:	1 week
2006-05-02 21:00:43 +00:00
jkoshy
e67c2fab9c Use ".Pa" for path names.
MFC after:	3 days
2006-01-29 08:44:05 +00:00
pjd
c71407b589 Pidfiles should be created with permission preventing users from opening
them for reading. When user can open file for reading, he can also
flock(2) it, which can lead to confusions.

Pointed out by:	green
2005-09-16 11:24:28 +00:00