--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: nfs-common: auth-rpcgss-module.service fails inside Linux containers (LXC)
- From: Joachim Falk <joachim.falk@gmx.de>
- Date: Thu, 11 Mar 2021 19:37:17 +0100
- Message-id: <161548783793.6456.10220330422320783564.reportbug@xerstin.jfalk.de>
- Reply-to: Joachim Falk <joachim.falk@gmx.de>
Package: nfs-common
Version: 1:1.3.4-5
Severity: important
Tags: patch
X-Debbugs-Cc: joachim.falk@gmx.de, felix.lechner@lease-up.com
To fix this problem, the auth_rpcgss kernel module must only be loaded
if it is not already loaded. Otherwise, the auth-rpcgss-module service
will fail inside a Linux container as the loading of kernel modules is
forbidden for the container. Thus, the "/sbin/modprobe -q auth_rpcgss"
call will fail even if the auth_rpcgss kernel module was already loaded.
This has been tested with kmod up to version 28-1 (current in bullseye
as of 2021-03-11). This situation occurs when the container host already
loaded the auth_rpcgss kernel module to enable kerberized NFS service
for its containers.
-- Package-specific info:
-- rpcinfo --
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 40401 mountd
100005 1 tcp 58455 mountd
100005 2 udp 49124 mountd
100005 2 tcp 60609 mountd
100005 3 udp 47861 mountd
100005 3 tcp 51113 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049
100003 3 udp 2049 nfs
100227 3 udp 2049
100021 1 udp 47640 nlockmgr
100021 3 udp 47640 nlockmgr
100021 4 udp 47640 nlockmgr
100021 1 tcp 33781 nlockmgr
100021 3 tcp 33781 nlockmgr
100021 4 tcp 33781 nlockmgr
-- /etc/default/nfs-common --
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = jfalk.de
Local-Realms = JFAD.JFALK.DE
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --
nfs.jfalk.de:/home /home nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/local /local nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/opt /opt nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/bulk-data /bulk-data nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (520, 'testing'), (500, 'testing-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-14-amd64 (SMP w/16 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages nfs-common depends on:
ii adduser 3.118
ii keyutils 1.6.1-2
ii libc6 2.31-9
ii libcap2 1:2.44-1
ii libcom-err2 1.46.1-1
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libevent-2.1-7 2.1.12-stable-1
ii libgssapi-krb5-2 1.18.3-4
ii libkeyutils1 1.6.1-2
ii libkrb5-3 1.18.3-4
ii libmount1 2.36.1-7
ii libnfsidmap2 0.25-6
ii libtirpc3 1.3.1-1
ii libwrap0 7.6.q-31
ii lsb-base 11.1.0
ii rpcbind 1.2.5-9
ii ucf 3.0043
Versions of packages nfs-common recommends:
pn python <none>
Versions of packages nfs-common suggests:
pn open-iscsi <none>
pn watchdog <none>
Versions of packages nfs-kernel-server depends on:
ii keyutils 1.6.1-2
ii libblkid1 2.36.1-7
ii libc6 2.31-9
ii libcap2 1:2.44-1
ii libsqlite3-0 3.34.1-3
ii libtirpc3 1.3.1-1
ii libwrap0 7.6.q-31
ii lsb-base 11.1.0
ii netbase 6.2
ii ucf 3.0043
-- no debconf information
Description: Only try to load the auth_rpcgss kernel module if it is not
already loaded. Otherwise, the auth-rpcgss-module service might fail inside a
Linux container where the loading of kernel modules is forbidden for the
container. In this case, the "/sbin/modprobe -q auth_rpcgss" call will fail
even if the auth_rpcgss kernel module was already loaded. This has been tested
with kmod up to version 27+20200310-2. This situation occurs when the container
host already loaded the auth_rpcgss kernel module to enable kerberized NFS
service for its containers.
Author: Joachim Falk <joachim.falk@gmx.de>
--- a/systemd/auth-rpcgss-module.service.orig 2020-08-26 19:17:27.761451866 +0200
+++ b/systemd/auth-rpcgss-module.service 2020-08-26 19:18:16.988795354 +0200
@@ -13,4 +13,4 @@
[Service]
Type=oneshot
-ExecStart=/sbin/modprobe -q auth_rpcgss
+ExecStart=/bin/sh -c '( /sbin/lsmod | grep -q "^auth_rpcgss\\>" ) || /sbin/modprobe -q auth_rpcgss'
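Review bot: The loaded-module test on the new ExecStart line parses lsmod output with grep, which makes the unit depend on lsmod's column layout, on grep supporting the "\>" word-boundary operator, and on the doubled backslash surviving systemd's and the shell's quoting as intended. Testing for the module's sysfs directory, as in "test -d /sys/module/auth_rpcgss || /sbin/modprobe -q auth_rpcgss", would express the same condition without the pipeline, the subshell or any escaping, provided sysfs is mounted in the container. The patch Description also cites kmod 27+20200310-2 while the report text says 28-1; the header should carry the version actually tested. A short comment in the unit explaining that the check exists for containers that are not allowed to load modules would help the next reader.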
--- End Message ---
--- Begin Message ---
Source: nfs-utils
Source-Version: 1:2.6.2-3
Done: Salvatore Bonaccorso <carnil@debian.org>
We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 985000@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated nfs-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 06 Dec 2022 16:38:32 +0100
Source: nfs-utils
Architecture: source
Version: 1:2.6.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 985000 1024082
Changes:
nfs-utils (1:2.6.2-3) unstable; urgency=medium
.
* Revert "Install upstream modprobe configuration file"
* Revert "configure: make modprobe.d directory configurable."
* Revert "modprobe: protect against sysctl errors"
* Revert "systemd: Apply all sysctl settings when NFS-related modules are
loaded"
* systemd: Apply all sysctl settings through udev rule when NFS-related
modules are loaded (Closes: #1024082)
* nfs-kernel-server: Install upstream udev configuration file
* auth-rpcgss-module.service: Don't fail inside linux container
(Closes: #985000)
Checksums-Sha1:
01a1863fc3b012defe4065cdd06cc208d40256c4 2554 nfs-utils_2.6.2-3.dsc
03c7ff8e0f59bc0042a0d370d455faafa5174ef2 52632 nfs-utils_2.6.2-3.debian.tar.xz
Checksums-Sha256:
d3b67db5d1137cebdfe94c4bb7f4ac71e638d7a1d1bdf15ddb1230b89ba2d5f3 2554 nfs-utils_2.6.2-3.dsc
7b65714d906b5a034ff1922d76764fa5028df052055eb90518fd44a3a7436850 52632 nfs-utils_2.6.2-3.debian.tar.xz
Files:
e7e7bee0b487c4bab6726b9050d06372 2554 net optional nfs-utils_2.6.2-3.dsc
a670b2bf51bddb4ca11399c67f368961 52632 net optional nfs-utils_2.6.2-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---