Bug 1480319 - nfs-utils-2.1.1-5.rc4.fc25 breaks sec= option autodetection
nfs-utils-2.1.1-5.rc4.fc25 breaks sec= option autodetection
Status: NEW
Product: Fedora
Classification: Fedora
Component: nfs-utils (Show other bugs)
25
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Steve Dickson
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-10 12:49 EDT by Kamil Páral
Modified: 2017-11-16 13:37 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kamil Páral 2017-08-10 12:49:49 EDT
Description of problem:
We have a NFS mount in Fedora infra, this is fstab:
ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_taskotron_dev /srv/taskotron/ nfs rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4 0 0


And this is how it looks in /proc/mounts:

ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_taskotron_dev /srv/taskotron nfs4 rw,nosuid,nodev,noatime,vers=4.0,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.5.124.181,local_lock=none,addr=10.5.88.41 0 0

With nfs-utils-2.1.1-5.rc3.fc25.x86_64, everything works fine:

[buildmaster@taskotron-dev01 ~][PROD]$ ls -ld /srv/taskotron
drwxrwxr-x. 3 buildmaster buildmaster 4096 Aug 10 16:09 /srv/taskotron
[buildmaster@taskotron-dev01 ~][PROD]$ touch /srv/taskotron/test
[buildmaster@taskotron-dev01 ~][PROD]$ ls -l /srv/taskotron/test
-rw-rw-r--. 1 buildmaster buildmaster 0 Aug 10 16:22 /srv/taskotron/test


However, once we update to nfs-utils-2.1.1-5.rc4.fc25, the NFS share can't be written, only read. This is how it looks in /proc/mounts (notice that "sec=sys" changed to "sec=null"):

ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_taskotron_dev /srv/taskotron nfs4 rw,nosuid,nodev,noatime,vers=4.1,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=null,clientaddr=10.5.124.181,local_lock=none,addr=10.5.88.41 0 0

And this happens when I try to write a file:

[buildmaster@taskotron-dev01 ~][PROD]$ ls -ld /srv/taskotron
drwxrwxr-x. 3 buildmaster buildmaster 4096 Aug 10 16:09 /srv/taskotron
[buildmaster@taskotron-dev01 ~][PROD]$ touch /srv/taskotron/test
touch: cannot touch '/srv/taskotron/test': Permission denied



I see this in journal when I restart nfs-server.service in selinux permissive mode:

Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopping NFS server and services...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting Kernel Module supporting RPCSEC_GSS...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org kernel: nfsd: last server has exited, flushing export cache
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auth-rpcgss-module comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auth-rpcgss-module comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[2153]: AVC avc:  denied  { write } for  pid=2153 comm="rpc.mountd" name="rpcbind.sock" dev="tmpfs" ino=16984 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-idmapd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-mountd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started Kernel Module supporting RPCSEC_GSS.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.mountd[2153]: Caught signal 15, un-registering and exiting.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopped NFS server and services.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopping NFSv4 ID-name mapping service...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopping NFS Mount Daemon...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopped NFSv4 ID-name mapping service.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopped NFS Mount Daemon.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: rpcbind.socket: Socket service rpcbind.service already active, refusing.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Failed to listen on RPCbind Server Activation Socket.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Dependency failed for NFS status monitor for NFSv2/3 locking..
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: rpc-statd.service: Job rpc-statd.service/start failed with result 'dependency'.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting Preprocess NFS configuration...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started Preprocess NFS configuration.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting NFS Mount Daemon...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting NFSv4 ID-name mapping service...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.idmapd[2279]: rpc.idmapd: conf_reinit: open ("(null)", O_RDONLY) failed
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.idmapd[2279]: rpc.idmapd: conf_reinit: open ("(null)", O_RDONLY) failed
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started NFSv4 ID-name mapping service.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-idmapd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-mountd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.mountd[2281]: Version 2.1.1 starting
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started NFS Mount Daemon.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting NFS server and services...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org kernel: NFSD: starting 90-second grace period (net ffffffffa4f35d00)
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started NFS server and services.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting Notify NFS peers of a restart...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org sm-notify[2298]: Version 2.1.1 starting
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org sm-notify[2298]: Already notifying clients; Exiting!
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started Notify NFS peers of a restart.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd-notify comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd-notify comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:44:25 taskotron-dev01.qa.fedoraproject.org audit[1958]: AVC avc:  denied  { name_connect } for  pid=1958 comm="gssproxy" dest=443 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1

When I mount the dir do the touch command (which fails), there's nothing else printed into the journal.



Version-Release number of selected component (if applicable):
nfs-utils-2.1.1-5.rc4.fc25.x86_64

How reproducible:
always, in my particular setup

Additional info:

I suspect the bug is related to the "sec=" mount option. With rc4, it uses sec=null.
Comment 1 Kamil Páral 2017-08-10 12:59:48 EDT
If I add "sec=sys" to fstab, everything works again even with rc4. So it seems that the sec= autodetection broke (or changed).
Comment 2 Steve Dickson 2017-10-16 15:13:58 EDT
(In reply to Kamil Páral from comment #1)
> If I add "sec=sys" to fstab, everything works again even with rc4. So it
> seems that the sec= autodetection broke (or changed).

I'm thinking this is a kernel thing... was the kernel also updated?
Comment 3 Kamil Páral 2017-10-17 05:56:52 EDT
Kernel update might have been performed together with updating nfs-utils, when we first spotted this. However, downgrading just nfs-utils and using the same kernel made the bug disappear. So I guess the bug is more likely to be relevant to nfs-utils.
Comment 4 Steve Dickson 2017-10-17 09:37:42 EDT
is kerberos set up with rpcgssd running?
Comment 5 Kamil Páral 2017-10-17 10:59:12 EDT
Kerberos? Is it somehow related?

I can't say what was the state when I reported this bug, but rpc-gssd.service is running on that server at the moment, yes.
Comment 6 Fedora End Of Life 2017-11-16 13:37:23 EST
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Note You need to log in before you can comment on or make changes to this bug.