RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1292607 - Add comment warning inside /etc/sysconfig/nfs stating how to use an alternate keytab rather than the default /etc/krb5.keytab
Summary: Add comment warning inside /etc/sysconfig/nfs stating how to use an alternate...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nfs-utils
Version: 7.2
Hardware: Unspecified
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Steve Dickson
QA Contact: Yongcheng Yang
URL:
Whiteboard:
Depends On:
Blocks: 1203710 1295577 1313485 1364088
TreeView+ depends on / blocked
 
Reported: 2015-12-17 22:13 UTC by Ramandeep Arora
Modified: 2019-12-16 05:12 UTC (History)
6 users (show)

Fixed In Version: nfs-utils-1.3.0-0.24.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:02:44 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2383 0 normal SHIPPED_LIVE nfs-utils bug fix and enhancement update 2016-11-03 13:53:02 UTC

Description Ramandeep Arora 2015-12-17 22:13:27 UTC 
Description of problem:  (in customer's exact words)

When I set the keytab for rpc.gssd by adding "-k <path to keytab>" to "RPCGSSDARGS=" in /etc/sysconfig/nfs I can no longer start the service rpcgssd. The systemd service file has a hardcoded "ConditionPathExists=/etc/krb5.keytab". If I change this manually to the new path I can start the service. Since I have to reload the nfs config with "systemctl restart nfs-config" it would be nice if this parameter was updated as well (or if it was a variable).


Version-Release number of selected component (if applicable):

Tested on Fully updated RHEL7.2

How reproducible:
100%
Comment 2 Dave Wysochanski 2016-01-12 16:24:32 UTC 
Since this is reproducible it seems a good candidate for consideration in RHEL7.3
Comment 3 Dave Wysochanski 2016-01-12 17:01:56 UTC 
Steve D - what do you think?
Comment 4 Steve Dickson 2016-01-13 15:52:20 UTC 
(In reply to Dave Wysochanski from comment #3)
> Steve D - what do you think?

I just sent email to the systemd-devel mailing list
to see if this is possible.
Comment 6 Steve Dickson 2016-01-23 14:44:44 UTC 
Here is the thread I started with the systemd folks
   http://lists.freedesktop.org/archives/systemd-devel/2016-January/035559.h

In short, the answer is no, its not possible to add a 
variable to the ConditionPathExists= clause.

any ideas?
Comment 8 Dave Wysochanski 2016-02-08 14:42:17 UTC 
(In reply to Steve Dickson from comment #6)
> Here is the thread I started with the systemd folks
>    http://lists.freedesktop.org/archives/systemd-devel/2016-January/035559.h
> 
> In short, the answer is no, its not possible to add a 
> variable to the ConditionPathExists= clause.
> 
> any ideas?

Is there some reason you're not using EnvironmentFile in cases where there's an env var inside /etc/sysconfig/nfs?
Comment 9 Steve Dickson 2016-02-10 16:08:04 UTC 
(In reply to Dave Wysochanski from comment #8)
> (In reply to Steve Dickson from comment #6)
> > Here is the thread I started with the systemd folks
> >    http://lists.freedesktop.org/archives/systemd-devel/2016-January/035559.h
> > 
> > In short, the answer is no, its not possible to add a 
> > variable to the ConditionPathExists= clause.
> > 
> > any ideas?
> 
> Is there some reason you're not using EnvironmentFile in cases where there's
> an env var inside /etc/sysconfig/nfs?
It is being used.... 
rpc-gssd.service:

[Unit]
Description=RPC security service for NFS client and server
DefaultDependencies=no
Conflicts=umount.target
Requires=var-lib-nfs-rpc_pipefs.mount
After=var-lib-nfs-rpc_pipefs.mount

ConditionPathExists=/etc/krb5.keytab 
^^^^^ the problem is this has to be a hard coded path and the 
      systemd people do not want to change that. 

PartOf=nfs-utils.service

Wants=nfs-config.service
After=nfs-config.service

[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils

Type=forking
ExecStart=/usr/sbin/rpc.gssd $GSSDARGS
Comment 10 Joseph Kachuck 2016-04-25 14:17:35 UTC 
Hello Steve,
If this wont be able to be fixed. Would we be able to have a warning message added?

Thank You
Joe Kachuck
Comment 11 Steve Dickson 2016-04-26 16:50:27 UTC 
(In reply to Joseph Kachuck from comment #10)
> Hello Steve,
> If this wont be able to be fixed. Would we be able to have a warning message
> added?
> 
What would the warning message say?
Comment 12 Joseph Kachuck 2016-04-26 17:20:20 UTC 
Hello,
Might put a comment warning inside /etc/sysconfig/nfs. Stating ConditionPathExists=/etc/krb5.keytab can not be changed?

Thank You
Joe Kachuck
Comment 13 Steve Dickson 2016-04-26 17:39:33 UTC 
Its not the easiest things to explain :-) but here goes


Warning: The keytab is now statically define in the
         rpc-gssd.service systemd script. The 
         ConditionPathExists= variable in that 
         script must point the existing keytab
         for the rpc-gssd service to start.

Thoughts?
Comment 14 Steve Dickson 2016-04-26 18:25:50 UTC 
Here is a better read:

The rpc-gssd service will not start unless the 
file /etc/krb5.keytab exists. If an alternate 
keytab is needed, that separate keytab file 
location may be  defined in the rpc-gssd.service's 
systemd unit file under the ConditionPathExists 
parameter
Comment 17 Yongcheng Yang 2016-04-28 02:41:56 UTC 
According to comment 12 and comment 14, only need to add a warning message.

There is no need to generate an automatic case. Will check the Note added or not and verify this bug when available.
Comment 20 Yongcheng Yang 2016-07-05 08:20:01 UTC 
Update the description according to comment 12.
Please correct me if there is any concern.
Comment 21 Yongcheng Yang 2016-09-05 08:58:09 UTC 
Have checked the warning exists in latest compose.
(Only need to add a warning message according to comment 12 and comment 14)

Move to VERIFIED now.

[root@hp-dl585g7-04 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 Beta (Maipo)
[root@hp-dl585g7-04 ~]# rpm -q nfs-utils
nfs-utils-1.3.0-0.33.el7.x86_64
[root@hp-dl585g7-04 ~]# cat /etc/sysconfig/nfs | grep -B8 RPCGSSDARGS
#
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
# Note: The rpc-gssd service will not start unless the 
#       file /etc/krb5.keytab exists. If an alternate
#       keytab is needed, that separate keytab file
#       location may be defined in the rpc-gssd.service's
#       systemd unit file under the ConditionPathExists
#       parameter
RPCGSSDARGS=""
[root@hp-dl585g7-04 ~]#
Comment 23 errata-xmlrpc 2016-11-04 05:02:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2383.html
Note You need to log in before you can comment on or make changes to this bug.