Description of problem: We have a NFS mount in Fedora infra, this is fstab: ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_taskotron_dev /srv/taskotron/ nfs rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4 0 0 And this is how it looks in /proc/mounts: ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_taskotron_dev /srv/taskotron nfs4 rw,nosuid,nodev,noatime,vers=4.0,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.5.124.181,local_lock=none,addr=10.5.88.41 0 0 With nfs-utils-2.1.1-5.rc3.fc25.x86_64, everything works fine: [buildmaster@taskotron-dev01 ~][PROD]$ ls -ld /srv/taskotron drwxrwxr-x. 3 buildmaster buildmaster 4096 Aug 10 16:09 /srv/taskotron [buildmaster@taskotron-dev01 ~][PROD]$ touch /srv/taskotron/test [buildmaster@taskotron-dev01 ~][PROD]$ ls -l /srv/taskotron/test -rw-rw-r--. 1 buildmaster buildmaster 0 Aug 10 16:22 /srv/taskotron/test However, once we update to nfs-utils-2.1.1-5.rc4.fc25, the NFS share can't be written, only read. This is how it looks in /proc/mounts (notice that "sec=sys" changed to "sec=null"): ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_taskotron_dev /srv/taskotron nfs4 rw,nosuid,nodev,noatime,vers=4.1,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=null,clientaddr=10.5.124.181,local_lock=none,addr=10.5.88.41 0 0 And this happens when I try to write a file: [buildmaster@taskotron-dev01 ~][PROD]$ ls -ld /srv/taskotron drwxrwxr-x. 3 buildmaster buildmaster 4096 Aug 10 16:09 /srv/taskotron [buildmaster@taskotron-dev01 ~][PROD]$ touch /srv/taskotron/test touch: cannot touch '/srv/taskotron/test': Permission denied I see this in journal when I restart nfs-server.service in selinux permissive mode: Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopping NFS server and services... Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting Kernel Module supporting RPCSEC_GSS... Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org kernel: nfsd: last server has exited, flushing export cache Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auth-rpcgss-module comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auth-rpcgss-module comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[2153]: AVC avc: denied { write } for pid=2153 comm="rpc.mountd" name="rpcbind.sock" dev="tmpfs" ino=16984 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1 Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-idmapd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-mountd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started Kernel Module supporting RPCSEC_GSS. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.mountd[2153]: Caught signal 15, un-registering and exiting. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopped NFS server and services. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopping NFSv4 ID-name mapping service... Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopping NFS Mount Daemon... Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopped NFSv4 ID-name mapping service. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopped NFS Mount Daemon. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: rpcbind.socket: Socket service rpcbind.service already active, refusing. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Failed to listen on RPCbind Server Activation Socket. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Dependency failed for NFS status monitor for NFSv2/3 locking.. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: rpc-statd.service: Job rpc-statd.service/start failed with result 'dependency'. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting Preprocess NFS configuration... Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started Preprocess NFS configuration. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting NFS Mount Daemon... Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting NFSv4 ID-name mapping service... Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.idmapd[2279]: rpc.idmapd: conf_reinit: open ("(null)", O_RDONLY) failed Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.idmapd[2279]: rpc.idmapd: conf_reinit: open ("(null)", O_RDONLY) failed Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started NFSv4 ID-name mapping service. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-idmapd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-mountd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.mountd[2281]: Version 2.1.1 starting Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started NFS Mount Daemon. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting NFS server and services... Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org kernel: NFSD: starting 90-second grace period (net ffffffffa4f35d00) Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started NFS server and services. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting Notify NFS peers of a restart... Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org sm-notify[2298]: Version 2.1.1 starting Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org sm-notify[2298]: Already notifying clients; Exiting! Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started Notify NFS peers of a restart. Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd-notify comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd-notify comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Aug 10 16:44:25 taskotron-dev01.qa.fedoraproject.org audit[1958]: AVC avc: denied { name_connect } for pid=1958 comm="gssproxy" dest=443 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1 When I mount the dir do the touch command (which fails), there's nothing else printed into the journal. Version-Release number of selected component (if applicable): nfs-utils-2.1.1-5.rc4.fc25.x86_64 How reproducible: always, in my particular setup Additional info: I suspect the bug is related to the "sec=" mount option. With rc4, it uses sec=null.
If I add "sec=sys" to fstab, everything works again even with rc4. So it seems that the sec= autodetection broke (or changed).
(In reply to Kamil Páral from comment #1) > If I add "sec=sys" to fstab, everything works again even with rc4. So it > seems that the sec= autodetection broke (or changed). I'm thinking this is a kernel thing... was the kernel also updated?
Kernel update might have been performed together with updating nfs-utils, when we first spotted this. However, downgrading just nfs-utils and using the same kernel made the bug disappear. So I guess the bug is more likely to be relevant to nfs-utils.
is kerberos set up with rpcgssd running?
Kerberos? Is it somehow related? I can't say what was the state when I reported this bug, but rpc-gssd.service is running on that server at the moment, yes.
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.