Bug#409271: initramfs-tools: NFSv4 not supported

I've played around a bit with this and although I don't have anything that
works yet, here are some ideas on how it could be implemented:

I assume that DHCP and IP config is already taken care of (as the nfs
support has that code already). I also assume that most people will be
using NFSv4 with Kerberos authentication (it seems to be the most common
setup).

The following files would need to be added to the initramfs:
/usr/sbin/rpc.gssd
/usr/sbin/rpc.idmapd
Config files for Kerberos and the two rpc daemons
Kernel modules (nfs and rpcsec_gss_krb5)
nfs4 capable mount program

Since it would probably be a bad thing to store the Kerberos keytab inside
the initramfs image, my idea was to use kadmin to get the nfs principal
(usually nfs/host.domain@REALM) from the KDC, so /usr/sbin/kadmin would be
added as well.

An initramfs config file can hold the principal to use for nfs and the realm.

Then the setup would be:

1. Set up networking
2. Use kadmin to get nfs/host.domain@REALM and store it in /etc/krb5.keytab:
   kadmin -r REALM -p userprincipal -q "ktadd -k /etc/krb5.keytab nfs/host.domain@REALM"
   (note: userprincipal defaults to root/admin)
3. Mount rpc_pipefs on /var/lib/nfs/rpc_pipefs
4. Load kernel modules
5. Start rpc.gssd and rpc.idmapd
6. Mount NFS root

When initramfs is done, it will nuke the contents of the initramfs
(including the keytab) from memory. The keytab to use thereafter is
expected to be found in /etc/krb5.keytab after pivot_root as usual.

The main problems seem to be:

o How and when should the rpc daemons be restarted so that the ones from
the nfs-root-fs are used instead of the ones from initramfs? This is
especially important if some of the hacks below are used...

o All these programs make for a quite fat initramfs and little use of
klibc (libc6 and a bunch of other libraries will be pulled in). A hacked
version of idmapd could possibly be written (the real one is about 1k
lines of code) which always maps everything to root (since we are running
in the initramfs context anyway), but I'm not so sure about the other
tools. Changes to the klibc nfsmount also seem doable, but that leaves
rpc.gssd and the kerberos tools. rpc.gssd might be simplified by the fact
that for the root user it uses the machine credentials, but there is still
a lot of code...

-- 
David Härdeman
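Steps 2 to 5 of the sequence above, written out as an added shell example; it is not code from the bug report or from initramfs-tools, and the function name, its argument order and the DRY_RUN switch are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from initramfs-tools: a sketch
# of steps 2-5 from the message as a premount function. The argument order,
# the run() helper and the DRY_RUN switch are assumptions for illustration.

DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or only print it when DRY_RUN=1 (lets the plan be
# inspected without a KDC or a kernel to talk to).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# nfs4_premount REALM ADMINPRINC NFSPRINC [KEYTAB]
# In a real initramfs script REALM and NFSPRINC would come from the config
# file the message proposes; step 1 (networking) and step 6 (mounting the
# root) are left to the existing nfs code in initramfs-tools.
nfs4_premount() {
    realm=$1; admin=${2:-root/admin}; princ=$3; keytab=${4:-/etc/krb5.keytab}
    if [ -z "$realm" ] || [ -z "$princ" ]; then
        echo "nfs4_premount: REALM and NFSPRINC are required" >&2
        return 1
    fi
    # Step 2: pull the nfs service key into a keytab that exists only in the
    # initramfs (RAM) and is discarded with it after pivot_root.
    run kadmin -r "$realm" -p "$admin" -q "ktadd -k $keytab $princ" || return 1
    # Step 3: rpc.gssd and rpc.idmapd talk to the kernel through rpc_pipefs.
    run mkdir -p /var/lib/nfs/rpc_pipefs
    run mount -t rpc_pipefs rpc_pipefs /var/lib/nfs/rpc_pipefs || return 1
    # Step 4: NFS client plus the Kerberos GSS mechanism.
    run modprobe nfs
    run modprobe rpcsec_gss_krb5
    # Step 5: start the daemons that handle GSS contexts and id mapping.
    run rpc.idmapd
    run rpc.gssd
}
```

Run with DRY_RUN=1 to print the planned commands instead of executing them.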