Bug 1532688
Summary: | Varying ro/rw in NFS export based on security flavor doesn't work | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Tamas Vincze <tom> |
Component: | nfs-utils | Assignee: | Steve Dickson <steved> |
Status: | CLOSED ERRATA | QA Contact: | Yongcheng Yang <yoyang> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.4 | CC: | ajmitchell, jiyin, rhandlin, xzhou, yoyang |
Target Milestone: | rc | Keywords: | Reproducer |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | nfs-utils-1.3.0-0.56.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-10-30 11:48:04 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Tamas Vincze
2018-01-09 15:24:40 UTC
Reproduce it with latest nfs-utils version of rhel7: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [root@rhel7 ~]# rpm -q nfs-utils nfs-utils-1.3.0-0.53.el7.x86_64 [root@rhel7 ~]# cat /etc/exports /export_rhel7 127.0.0.1(sec=sys,ro,all_squash,sec=krb5,no_all_squash,sec=krb5i,rw,root_squash,sec=krb5p,rw,no_root_squash) [root@rhel7 ~]# systemctl restart nfs [root@rhel7 ~]# exportfs -s /export_rhel7 127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,sec=sys,secure,root_squash,all_squash,sec=krb5:krb5i,secure,root_squash,no_all_squash,sec=krb5p,secure,no_root_squash,no_all_squash) [root@rhel7 ~]# exportfs -s 2>/dev/null | sed 's/sec=/\nsec=/g' /export_rhel7 127.0.0.1(rw,sync,wdelay,hide,no_subtree_check, sec=sys,secure,root_squash,all_squash, <<<<<<<<<<<< sec=krb5:krb5i,secure,root_squash,no_all_squash, <<<<<<<<<<<< sec=krb5p,secure,no_root_squash,no_all_squash) <<<<<<<<<<<< [root@rhel7 ~]# Compared with fedora-26 which has the same problem: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [root@fedora26 ~]# rpm -q nfs-utils nfs-utils-2.2.1-3.rc2.fc26.x86_64 [root@fedora26 ~]# cat /etc/exports /export_fedora 127.0.0.1(sec=sys,ro,all_squash,sec=krb5,no_all_squash,sec=krb5i,rw,root_squash,sec=krb5p,rw,no_root_squash) [root@fedora26 ~]# systemctl restart nfs [root@fedora26 ~]# exportfs -v /export_fedora 127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,sec=sys,secure,root_squash,all_squash,sec=krb5:krb5i,secure,root_squash,no_all_squash,sec=krb5p,secure,no_root_squash,no_all_squash) [root@fedora26 ~]# exportfs -v 2>/dev/null | sed 's/sec=/\nsec=/g' /export_fedora 127.0.0.1(rw,sync,wdelay,hide,no_subtree_check, sec=sys,secure,root_squash,all_squash, <<<<<<<<<<<< sec=krb5:krb5i,secure,root_squash,no_all_squash, <<<<<<<<<<<< sec=krb5p,secure,no_root_squash,no_all_squash) <<<<<<<<<<<< [root@fedora26 ~]# Looks like it acts correct in RHEL 6: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [root@rhel6 ~]# rpm -q nfs-utils nfs-utils-1.2.3-75.el6.x86_64 [root@rhel6 ~]# cat /etc/exports /export_test 127.0.0.1(sec=sys,ro,all_squash,sec=krb5,no_all_squash,sec=krb5i,rw,root_squash,sec=krb5p,rw,no_root_squash) [root@rhel6 ~]# service nfs restart Shutting down NFS daemon: [ OK ] Shutting down NFS mountd: [ OK ] Shutting down NFS quotas: [ OK ] Shutting down NFS services: [ OK ] Shutting down RPC idmapd: [ OK ] Starting NFS services: [ OK ] Starting NFS quotas: [ OK ] Starting NFS mountd: [ OK ] Starting NFS daemon: [ OK ] Starting RPC idmapd: [ OK ] [root@rhel6 ~]# exportfs -v /export_test 127.0.0.1(rw,wdelay,no_root_squash,no_subtree_check,sec=sys,ro,root_squash,all_squash,sec=krb5,ro,root_squash,no_all_squash,sec=krb5i,rw,root_squash,no_all_squash,sec=krb5p,rw,no_root_squash,no_all_squash) [root@rhel6 ~]# exportfs -v 2>/dev/null | sed 's/sec=/\nsec=/g' /export_test 127.0.0.1(rw,wdelay,no_root_squash,no_subtree_check, sec=sys,ro,root_squash,all_squash, <<<<<<<<<<<<<<<<<< sec=krb5,ro,root_squash,no_all_squash, <<<<<<<<<<<<<<<<<< sec=krb5i,rw,root_squash,no_all_squash, <<<<<<<<<<<<<<<<<< sec=krb5p,rw,no_root_squash,no_all_squash) <<<<<<<<<<<<<<<<<< [root@rhel6 ~]# Caused by http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=37c07fa0b74a29dea18d359068e9189c5159c49d which attempted to squash duplicated options in the exports output, but alas it is too naive and does not know that both rw and ro can validly appear in the same options string, as in this case. (In reply to Justin Mitchell from comment #3) > Caused by > http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff; > h=37c07fa0b74a29dea18d359068e9189c5159c49d Thanks for the investigation. This issue is introduced into RHEL-7.4 via Bug 1396402 (adding "see also"). upstream patch: https://patchwork.kernel.org/patch/10159615/ Verified in nfs-utils-1.3.0-0.57.el7 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ https://beaker.engineering.redhat.com/recipes/5410558#task75906498 ------------------------------------------------------------------ [07:28:56 root@ ~~]# echo '/expdir-exportfs *(sec=sys,ro,all_squash,sec=krb5,no_all_squash,sec=krb5i,rw,root_squash,sec=krb5p,rw,no_root_squash)' > /etc/exports [07:28:56 root@ ~~]# service_nfs restart Redirecting to /bin/systemctl restart nfs.service [07:28:56 root@ ~~]# exportfs -v /expdir-exportfs <world>(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,all_squash,sec=krb5,ro,secure,root_squash,no_all_squash,sec=krb5i,rw,secure,root_squash,no_all_squash,sec=krb5p,rw,secure,no_root_squash,no_all_squash) [07:28:56 root@ ~~]# exportfs -v 2>/dev/null | sed 's/sec=/\nsec=/g' /expdir-exportfs <world>(sync,wdelay,hide,no_subtree_check, sec=sys,ro,secure,root_squash,all_squash, ^^^ sec=krb5,ro,secure,root_squash,no_all_squash, ^^^ sec=krb5i,rw,secure,root_squash,no_all_squash, ^^^ sec=krb5p,rw,secure,no_root_squash,no_all_squash) ^^^ Compared with previous nfs-utils-1.3.0-0.55.el7 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ https://beaker.engineering.redhat.com/recipes/5311085#task74348293 ------------------------------------------------------------------ [18:12:17 root@ ~~]# exportfs -v /expdir-exportfs <world>(rw,sync,wdelay,hide,no_subtree_check,sec=sys,secure,root_squash,all_squash,sec=krb5:krb5i,secure,root_squash,no_all_squash,sec=krb5p,secure,no_root_squash,no_all_squash) [18:12:17 root@ ~~]# exportfs -v 2>/dev/null | sed 's/sec=/\nsec=/g' /expdir-exportfs <world>(rw,sync,wdelay,hide,no_subtree_check, sec=sys,secure,root_squash,all_squash, sec=krb5:krb5i,secure,root_squash,no_all_squash, sec=krb5p,secure,no_root_squash,no_all_squash) Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3311 |