Bug 1159941 - Add nss-altfiles to rpcbind user lookup path
Summary: Add nss-altfiles to rpcbind user lookup path
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rpcbind
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-11-03 16:18 UTC by Sami Wagiaalla
Modified: 2016-06-07 22:46 UTC (History)
6 users (show)

Fixed In Version: rpcbind-0.2.1-4.0.fc21 rpcbind-0.2.3-0.4.fc23 rpcbind-0.2.3-0.3.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1171291 (view as bug list)
Environment:
Last Closed: 2015-11-08 06:51:33 UTC


Attachments (Terms of Use)
A proper patch (1.68 KB, patch)
2014-11-03 16:35 UTC, Sami Wagiaalla
no flags Details | Diff
use --with-nss-modules to add 'altfiles' (1.21 KB, patch)
2014-11-10 18:54 UTC, Sami Wagiaalla
no flags Details | Diff
0001-build-sys-Reintroduce-check-for-nss.h.patch (1.62 KB, patch)
2014-12-05 20:06 UTC, Colin Walters
no flags Details | Diff

Description Sami Wagiaalla 2014-11-03 16:18:39 UTC
Hi,

I was having trouble setting up NFS on atomic host (http://www.projectatomic.io/). It turns out that there is a problem when rpcbind is trying to find the uid of the rpc user. OSTree based operating systems store user information for systems users such as the rpc user in /usr/lib/passwd and leaves /etc/passwd for humans users. This is achieved by the use the nss module nss-altfiles (https://apps.fedoraproject.org/packages/nss-altfiles) which allows one to specify additional files to be added the the passwd database. rpcbind however overrides the rule added to /etc/nsswitch.conf and removes altfiles by doing the following:
 
    __nss_configure_lookup("passwd", "files");

This is done presumably to avoid checking remote users, but I was wondering if its possible to add altfiles as follows:

~~~~~~
--- src/rpcbind.c
+++ src/rpcbind.c
@@ -226,7 +226,7 @@ main(int argc, char *argv[])
 		 * Make sure we use the local password file
 		 * for these lookups.
 		 */
-		__nss_configure_lookup("passwd", "files");
+		__nss_configure_lookup("passwd", "files altfiles");
 
 		if((p = getpwnam(id)) == NULL) {
 			syslog(LOG_ERR, "cannot get uid of '%s': %m", id);

~~~~~~

If altfiles is not present it is simply ignored

WDYT ?

Comment 1 Sami Wagiaalla 2014-11-03 16:35:42 UTC
Created attachment 953168 [details]
A proper patch

Comment 2 Steve Dickson 2014-11-06 16:04:28 UTC
(In reply to Sami Wagiaalla from comment #1)
> Created attachment 953168 [details]
> A proper patch

Could please post the patch (minus the spec file changes) 
to libtirpc-devel@lists.sourceforge.net and linux-nfs@vger.kernel.org
mailing lists, using the correct patch formats which is defined in 
https://www.kernel.org/doc/Documentation/SubmittingPatches

Comment 3 Colin Walters 2014-11-07 15:58:37 UTC
Another approach would be a build-time configure option that would be usable by the distribution.  For example:

./configure --with-nss-modules="files altfiles" could be used in Fedora, and would allow any other OS vendor who has custom NSS configuration.

Note due to the way NSS works it's fine for Fedora to add altfiles, it will be harmless if nss-altfiles is not installed.

Comment 4 Sami Wagiaalla 2014-11-07 17:02:36 UTC
(In reply to Steve Dickson from comment #2)
> (In reply to Sami Wagiaalla from comment #1)
> > Created attachment 953168 [details]
> > A proper patch
> 
> Could please post the patch (minus the spec file changes) 
> to libtirpc-devel@lists.sourceforge.net and linux-nfs@vger.kernel.org
> mailing lists, using the correct patch formats which is defined in 
> https://www.kernel.org/doc/Documentation/SubmittingPatches

Thanks for the pointers! I will post a patch upstream.

(In reply to Colin Walters from comment #3)
> Another approach would be a build-time configure option that would be usable
> by the distribution.  For example:
> 
> ./configure --with-nss-modules="files altfiles" could be used in Fedora, and
> would allow any other OS vendor who has custom NSS configuration.
> 

Ah! that would be more applicable upstream than hard-coding in altfiles. I will post a patch to that effect upstream as Steve suggested

Comment 5 Sami Wagiaalla 2014-11-10 15:07:43 UTC
Patch posted upstream:

https://sourceforge.net/p/libtirpc/mailman/message/33015641/

Comment 6 Fedora Update System 2014-11-10 17:57:42 UTC
rpcbind-0.2.1-4.0.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/rpcbind-0.2.1-4.0.fc21

Comment 7 Sami Wagiaalla 2014-11-10 18:54:41 UTC
Created attachment 955950 [details]
use --with-nss-modules to add 'altfiles'

Now that the configuration option is upstream this patch uses the option to enable the altfiles modules

Comment 8 Fedora Update System 2014-11-12 02:44:54 UTC
Package rpcbind-0.2.1-4.0.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rpcbind-0.2.1-4.0.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14782/rpcbind-0.2.1-4.0.fc21
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-11-18 12:08:41 UTC
rpcbind-0.2.1-4.0.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Sami Wagiaalla 2014-12-01 16:35:53 UTC
Hmmm.. the bug was closed by the Fedora Update System but the issue is not quite addressed yet.
The updated rpm contains the configuration option for adding nss modules but the configuration in the specfile must be updated to include altfiles as per  attachment 955950 [details]

Comment 11 Colin Walters 2014-12-05 19:50:31 UTC
So, it actually works in rawhide, due to a chain of *other* bugs =)

The history here is pretty funny actually.  First, we have:

http://git.infradead.org/users/steved/rpcbind.git/commit/8d7a0708f14b22df100d64bcadfb66598052a950

A patch from a Gentoo developer to clean up the autotools, and notably drops the HAVE_NSS_H check.

Next we have:

http://git.infradead.org/users/steved/rpcbind.git/commitdiff/c4814d539434391df4dfa61551e5e2e96947326d?hp=86036582c001e99075f4d74cb3829df39f2a9ddf

A patch from a different Gentoo developer which relies on the HAVE_NSS_H check that was removed a little more than two years (!) earlier.  Of course, in between there were a grand total of 9 commits.

About a half a year later, we have the commit for this bug:

http://git.infradead.org/users/steved/rpcbind.git/commit/d30515b11bea3171b2ba0373f0eda132992538b7

I'm sure Sami tested it, and noticed it worked, but because he was forward-porting a patch, didn't notice it worked *without* his patch too.

Anyways so, two action items:

1) Reintroduce the HAVE_NSS_H check in configure.ac
2) Fix the Fedora spec file as Sami says in comment #10

Comment 12 Colin Walters 2014-12-05 20:06:52 UTC
Created attachment 965215 [details]
0001-build-sys-Reintroduce-check-for-nss.h.patch

Comment 13 Sami Wagiaalla 2014-12-22 16:25:10 UTC
> I'm sure Sami tested it, and noticed it worked, but because he was
> forward-porting a patch, didn't notice it worked *without* his patch too.
> 

Hmm.. I tested this agian to make sure. Unless I am missing something rpcbind only starts with the patch to the specfile adding altfiles. As far as I can tell HAVE_NSS is only used to decide whether to define the __nss_configure_lookup function prototype if the header is not available to define it.

So the only patch which is needed is attachment 955950 [details]

Comment 15 Jaroslav Reznik 2015-03-03 17:16:36 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 16 Reto Gantenbein 2015-10-18 22:13:18 UTC
I just stepped over this problem when trying to setup a container using NFS on the latest Fedora 22 Atomic image which is using rpcbind-0.2.3-0.1.fc22.x86_64.

A quick look into the Koji build [1] logs reveals that the mentioned configure option is still missing.

I would appreciate when this bug could be fixed, as it makes the Fedora Atomic image currently useless for containers requiring persistent storage via NFS.

[1]: https://kojipkgs.fedoraproject.org//packages/rpcbind/0.2.3/0.1.fc22/data/logs/x86_64/build.log

Comment 17 Dusty Mabe 2015-10-26 22:21:51 UTC
FYI this isn't fixed yet in either rawhide or F23 [1]:

[1] - http://pkgs.fedoraproject.org/cgit/rpcbind.git/tree/rpcbind.spec?h=f23

Comment 18 Fedora Update System 2015-11-02 16:19:20 UTC
rpcbind-0.2.3-0.3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-9eee2fbc78

Comment 19 Fedora Update System 2015-11-02 23:21:35 UTC
rpcbind-0.2.3-0.3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update rpcbind'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-9eee2fbc78

Comment 20 Fedora Update System 2015-11-03 00:23:46 UTC
rpcbind-0.2.3-0.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update rpcbind'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-36b145bd37

Comment 21 Fedora Update System 2015-11-08 06:51:28 UTC
rpcbind-0.2.3-0.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2015-11-19 12:23:14 UTC
rpcbind-0.2.3-0.3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.