[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#985000: marked as done (nfs-common: auth-rpcgss-module.service fails inside Linux containers (LXC))

Your message dated Tue, 06 Dec 2022 15:50:49 +0000
with message-id <E1p2aDZ-00DTLB-5H@fasolo.debian.org>
and subject line Bug#985000: fixed in nfs-utils 1:2.6.2-3
has caused the Debian Bug report #985000,
regarding nfs-common: auth-rpcgss-module.service fails inside Linux containers (LXC)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
985000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985000
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: nfs-common
Version: 1:1.3.4-5
Severity: important
Tags: patch
X-Debbugs-Cc: joachim.falk@gmx.de, felix.lechner@lease-up.com

To fix this problem, the auth_rpcgss kernel module must only be loaded
if it is not already loaded. Otherwise, the auth-rpcgss-module service
will fail inside a Linux container as the loading of kernel modules is
forbidden for the container. Thus, the "/sbin/modprobe -q auth_rpcgss"
call will fail even if the auth_rpcgss kernel module was already loaded.
This has been testesd with kmod up to version 28-1 (current in bullseye
as of 2021-03-11). This situation occurs when the container host already
loaded the auth_rpcgss kernel module to enable kerberized NFS service
for its containers.

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  40401  mountd
    100005    1   tcp  58455  mountd
    100005    2   udp  49124  mountd
    100005    2   tcp  60609  mountd
    100005    3   udp  47861  mountd
    100005    3   tcp  51113  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100003    3   udp   2049  nfs
    100227    3   udp   2049
    100021    1   udp  47640  nlockmgr
    100021    3   udp  47640  nlockmgr
    100021    4   udp  47640  nlockmgr
    100021    1   tcp  33781  nlockmgr
    100021    3   tcp  33781  nlockmgr
    100021    4   tcp  33781  nlockmgr
-- /etc/default/nfs-common --
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = jfalk.de
Local-Realms = JFAD.JFALK.DE
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --
nfs.jfalk.de:/home	/home		nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
nfs.jfalk.de:/local	/local		nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
nfs.jfalk.de:/opt	/opt		nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0
nfs.jfalk.de:/bulk-data	/bulk-data	nfs4		sec=krb5p,nodev,nosuid,noatime,async	0	0

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (520, 'testing'), (500, 'testing-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-14-amd64 (SMP w/16 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nfs-common depends on:
ii  adduser             3.118
ii  keyutils            1.6.1-2
ii  libc6               2.31-9
ii  libcap2             1:2.44-1
ii  libcom-err2         1.46.1-1
ii  libdevmapper1.02.1  2:1.02.175-2.1
ii  libevent-2.1-7      2.1.12-stable-1
ii  libgssapi-krb5-2    1.18.3-4
ii  libkeyutils1        1.6.1-2
ii  libkrb5-3           1.18.3-4
ii  libmount1           2.36.1-7
ii  libnfsidmap2        0.25-6
ii  libtirpc3           1.3.1-1
ii  libwrap0            7.6.q-31
ii  lsb-base            11.1.0
ii  rpcbind             1.2.5-9
ii  ucf                 3.0043

Versions of packages nfs-common recommends:
pn  python  <none>

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

Versions of packages nfs-kernel-server depends on:
ii  keyutils      1.6.1-2
ii  libblkid1     2.36.1-7
ii  libc6         2.31-9
ii  libcap2       1:2.44-1
ii  libsqlite3-0  3.34.1-3
ii  libtirpc3     1.3.1-1
ii  libwrap0      7.6.q-31
ii  lsb-base      11.1.0
ii  netbase       6.2
ii  ucf           3.0043

-- no debconf information

Description: Only try to load the auth_rpcgss kernel module if it is not
 already loaded. Otherwise, the auth-rpcgss-module service might fail inside a
 Linux container where the loading of kernel modules is forbidden for the
 container. In this case, the "/sbin/modprobe -q auth_rpcgss" call will fail
 even if the auth_rpcgss kernel module was already loaded. This has been testesd
 with kmod up to version 27+20200310-2. This situation occurs when the container
 host already loaded the auth_rpcgss kernel module to enable kerberized NFS
 service for its containers.
Author: Joachim Falk <joachim.falk@gmx.de>

--- a/systemd/auth-rpcgss-module.service.orig	2020-08-26 19:17:27.761451866 +0200
+++ b/systemd/auth-rpcgss-module.service	2020-08-26 19:18:16.988795354 +0200
@@ -13,4 +13,4 @@

 [Service]
 Type=oneshot
-ExecStart=/sbin/modprobe -q auth_rpcgss
+ExecStart=/bin/sh -c '( /sbin/lsmod | grep -q "^auth_rpcgss\\>" ) || /sbin/modprobe -q auth_rpcgss'

Description: Only try to load the auth_rpcgss kernel module if it is not
 already loaded. Otherwise, the auth-rpcgss-module service might fail inside a
 Linux container where the loading of kernel modules is forbidden for the
 container. In this case, the "/sbin/modprobe -q auth_rpcgss" call will fail
 even if the auth_rpcgss kernel module was already loaded. This has been testesd
 with kmod up to version 27+20200310-2. This situation occurs when the container
 host already loaded the auth_rpcgss kernel module to enable kerberized NFS
 service for its containers.
Author: Joachim Falk <joachim.falk@gmx.de>

--- a/systemd/auth-rpcgss-module.service.orig	2020-08-26 19:17:27.761451866 +0200
+++ b/systemd/auth-rpcgss-module.service	2020-08-26 19:18:16.988795354 +0200
@@ -13,4 +13,4 @@

 [Service]
 Type=oneshot
-ExecStart=/sbin/modprobe -q auth_rpcgss
+ExecStart=/bin/sh -c '( /sbin/lsmod | grep -q "^auth_rpcgss\\>" ) || /sbin/modprobe -q auth_rpcgss'

--- End Message ---
--- Begin Message --- 
Source: nfs-utils
Source-Version: 1:2.6.2-3
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985000@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Dec 2022 16:38:32 +0100
Source: nfs-utils
Architecture: source
Version: 1:2.6.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 985000 1024082
Changes:
 nfs-utils (1:2.6.2-3) unstable; urgency=medium
 .
   * Revert "Install upstream modprobe configuration file"
   * Revert "configure: make modprobe.d directory configurable."
   * Revert "modprobe: protect against sysctl errors"
   * Revert "systemd: Apply all sysctl settings when NFS-related modules are
     loaded"
   * systemd: Apply all sysctl settings through udev rule when NFS-related
     modules are loaded (Closes: #1024082)
   * nfs-kernel-server: Install upstream udev configuration file
   * auth-rpcgss-module.service: Don't fail inside linux container
     (Closes: #985000)
Checksums-Sha1: 
 01a1863fc3b012defe4065cdd06cc208d40256c4 2554 nfs-utils_2.6.2-3.dsc
 03c7ff8e0f59bc0042a0d370d455faafa5174ef2 52632 nfs-utils_2.6.2-3.debian.tar.xz
Checksums-Sha256: 
 d3b67db5d1137cebdfe94c4bb7f4ac71e638d7a1d1bdf15ddb1230b89ba2d5f3 2554 nfs-utils_2.6.2-3.dsc
 7b65714d906b5a034ff1922d76764fa5028df052055eb90518fd44a3a7436850 52632 nfs-utils_2.6.2-3.debian.tar.xz
Files: 
 e7e7bee0b487c4bab6726b9050d06372 2554 net optional nfs-utils_2.6.2-3.dsc
 a670b2bf51bddb4ca11399c67f368961 52632 net optional nfs-utils_2.6.2-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOPYptfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E7JUP/28792vG1W8EkRZeWzDs9AaVuo/7uz+/
uSl8M2jui7yC2GLR5tDEari8xgRVC0nNDuZqCdfa2SYMczw9OAXV6hCpLM2MxRPs
p40KZ/k++rIh62UtW9bW70R9nBxm0En+N3xRBZrg+hwnXjX3anvHtAF6J9wDzZXn
DvGVc1Wkz+MiHg1Y3QuvHILYtOQnjOFNV0WE5NvvdAZo1J5pkrVA5Zw7dmstLDiz
i5SfBPzgEuYAFp+NFGbnS0vdFneBP3stAbpqKQU0Vb2vVmtM0AIkXkO/0fMpXTAI
N9KJcn8UqiDUVMNwyNLSKuQs2LYT1rz9uKGzk4ag2COXF9ica8dX5wG3CvQO6p+e
eJgP70ugH4W3Mu+Hu4IzvgCqVbsoJ+Lad2at6HRBfT2pfXojL9yZq4iAsYOxHHQu
PnPgW+zUU28agW6wIB5dj8GrwiZeHg7jxv8GM/x1khPzeYFRcxAhlQKRpicyW5ZZ
q751lGxdPN8v7OT77B4b2VNTBBZSjha1tdnxOmakTGhkTU+3enQAITtHpBhuUDps
+XSjmBIhn1/rwEQo4KXgCOoDaOZiFoZNrmfWVmCXUUOwKfNkqEWBpTgRyVteABIu
u+buwSoSH+IPumwtdzPVSfDVwA20UiT5l4O6KbHWCJB2FhZo5vzSbJFe+9OSOXEM
GfAqmXRGTfVb
=6/8P
-----END PGP SIGNATURE-----

--- End Message ---
Reply to: