Bug#985000: nfs-common: auth-rpcgss-module.service fails inside Linux containers (LXC)
Package: nfs-common
Version: 1:1.3.4-5
Severity: important
Tags: patch
X-Debbugs-Cc: joachim.falk@gmx.de, felix.lechner@lease-up.com
To fix this problem, the auth_rpcgss kernel module must only be loaded
if it is not already loaded. Otherwise, the auth-rpcgss-module service
will fail inside a Linux container as the loading of kernel modules is
forbidden for the container. Thus, the "/sbin/modprobe -q auth_rpcgss"
call will fail even if the auth_rpcgss kernel module was already loaded.
This has been tested with kmod up to version 28-1 (current in bullseye
as of 2021-03-11). This situation occurs when the container host already
loaded the auth_rpcgss kernel module to enable kerberized NFS service
for its containers.
-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  40401  mountd
    100005    1   tcp  58455  mountd
    100005    2   udp  49124  mountd
    100005    2   tcp  60609  mountd
    100005    3   udp  47861  mountd
    100005    3   tcp  51113  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100003    3   udp   2049  nfs
    100227    3   udp   2049
    100021    1   udp  47640  nlockmgr
    100021    3   udp  47640  nlockmgr
    100021    4   udp  47640  nlockmgr
    100021    1   tcp  33781  nlockmgr
    100021    3   tcp  33781  nlockmgr
    100021    4   tcp  33781  nlockmgr
-- /etc/default/nfs-common --
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = jfalk.de
Local-Realms = JFAD.JFALK.DE
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --
nfs.jfalk.de:/home /home nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/local /local nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/opt /opt nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/bulk-data /bulk-data nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (520, 'testing'), (500, 'testing-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-14-amd64 (SMP w/16 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages nfs-common depends on:
ii adduser 3.118
ii keyutils 1.6.1-2
ii libc6 2.31-9
ii libcap2 1:2.44-1
ii libcom-err2 1.46.1-1
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libevent-2.1-7 2.1.12-stable-1
ii libgssapi-krb5-2 1.18.3-4
ii libkeyutils1 1.6.1-2
ii libkrb5-3 1.18.3-4
ii libmount1 2.36.1-7
ii libnfsidmap2 0.25-6
ii libtirpc3 1.3.1-1
ii libwrap0 7.6.q-31
ii lsb-base 11.1.0
ii rpcbind 1.2.5-9
ii ucf 3.0043
Versions of packages nfs-common recommends:
pn python <none>
Versions of packages nfs-common suggests:
pn open-iscsi <none>
pn watchdog <none>
Versions of packages nfs-kernel-server depends on:
ii keyutils 1.6.1-2
ii libblkid1 2.36.1-7
ii libc6 2.31-9
ii libcap2 1:2.44-1
ii libsqlite3-0 3.34.1-3
ii libtirpc3 1.3.1-1
ii libwrap0 7.6.q-31
ii lsb-base 11.1.0
ii netbase 6.2
ii ucf 3.0043
-- no debconf information
Description: Only try to load the auth_rpcgss kernel module if it is not
already loaded. Otherwise, the auth-rpcgss-module service might fail inside a
Linux container where the loading of kernel modules is forbidden for the
container. In this case, the "/sbin/modprobe -q auth_rpcgss" call will fail
even if the auth_rpcgss kernel module was already loaded. This has been tested
with kmod up to version 27+20200310-2. This situation occurs when the container
host already loaded the auth_rpcgss kernel module to enable kerberized NFS
service for its containers.
Author: Joachim Falk <joachim.falk@gmx.de>
--- a/systemd/auth-rpcgss-module.service.orig 2020-08-26 19:17:27.761451866 +0200
+++ b/systemd/auth-rpcgss-module.service 2020-08-26 19:18:16.988795354 +0200
@@ -13,4 +13,4 @@
[Service]
Type=oneshot
-ExecStart=/sbin/modprobe -q auth_rpcgss
+ExecStart=/bin/sh -c '( /sbin/lsmod | grep -q "^auth_rpcgss\\>" ) || /sbin/modprobe -q auth_rpcgss'
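Review bot: the new ExecStart replaces one modprobe call with a shell pipeline that parses lsmod output, which adds /bin/sh, /sbin/lsmod and GNU grep's `\>` word-boundary extension as run-time dependencies of a unit whose only job is loading one module, and /sbin/lsmod is not guaranteed to be present in a minimal container. The kernel's own view of loaded modules needs none of them: `ExecStart=/bin/sh -c 'test -d /sys/module/auth_rpcgss || /sbin/modprobe -q auth_rpcgss'`, or, with no shell at all, `ConditionPathExists=!/sys/module/auth_rpcgss` in the [Unit] section, which makes systemd skip the unit without marking it failed when the host has already loaded the module. If the lsmod form is kept, add a comment that the doubled backslash in `\\>` is intentional (systemd unescapes C-style sequences in the command line, so grep receives `\>`); it reads as a typo otherwise. The description also attributes the failure to denied module loading, but modprobe returns 0 for a module that is already loaded, so the error inside the container most likely comes from modprobe not finding a module index for the host kernel under /lib/modules; quoting the actual error message in the description would let the maintainer confirm which it is. Finally, the header `@@ -13,4 +13,4 @@` announces four lines per side while only three are shown, so a trailing context line appears to have been dropped; check that the patch still applies cleanly before upload.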
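As an added example, not part of the bug report or of nfs-utils, the same "load only if absent" check written against sysfs rather than lsmod output, with the container case handled by never calling modprobe when the module is already live. SYSFS_ROOT and MODPROBE are variables introduced here so the check can be exercised on a constructed module tree.

```shell
#!/bin/sh
# Added example, not from the bug report or nfs-utils: load a kernel module
# only if it is not already live, reading module state from sysfs instead of
# parsing lsmod output. SYSFS_ROOT and MODPROBE are assumptions introduced
# here so the check can be run against a constructed tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"

# 0 if the module is fully initialised (initstate "live") or present as a
# built-in (directory without initstate); 1 if absent or still coming/going.
module_is_loaded() {
    dir="$SYSFS_ROOT/module/$1"
    [ -d "$dir" ] || return 1
    # Built-in modules get a sysfs directory but no initstate file.
    [ -r "$dir/initstate" ] || return 0
    [ "$(cat "$dir/initstate")" = "live" ]
}

# Only call modprobe when the module is missing, so a container whose host
# already loaded it never runs modprobe at all, which is what the patched
# ExecStart line aims for. Returns 0 when the module ends up loaded.
ensure_module() {
    if module_is_loaded "$1"; then
        echo "$1: already loaded, modprobe skipped" >&2
        return 0
    fi
    "$MODPROBE" -q "$1" || { echo "$1: modprobe failed" >&2; return 1; }
    # Confirm the kernel's view after loading rather than trusting the exit code.
    module_is_loaded "$1"
}

# Usage: ensure_module auth_rpcgss   (or: SYSFS_ROOT=/some/tree ensure_module nfs)
if [ $# -gt 0 ]; then
    ensure_module "$1"
fi
```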