Bug 1480319 - nfs-utils-2.1.1-5.rc4.fc25 breaks sec= option autodetection
Status: NEW
Product: Fedora
Classification: Fedora
Component: nfs-utils
Assigned To: Steve Dickson
Fedora Extras Quality Assurance
Reported: 2017-08-10 12:49 EDT by Kamil Páral
Modified: 2017-08-10 12:59 EDT
Type: Bug
Description Kamil Páral 2017-08-10 12:49:49 EDT
Description of problem:
We have an NFS mount in Fedora infra; this is fstab:
ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_taskotron_dev /srv/taskotron/ nfs rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4 0 0


And this is how it looks in /proc/mounts:

ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_taskotron_dev /srv/taskotron nfs4 rw,nosuid,nodev,noatime,vers=4.0,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.5.124.181,local_lock=none,addr=10.5.88.41 0 0

With nfs-utils-2.1.1-5.rc3.fc25.x86_64, everything works fine:

[buildmaster@taskotron-dev01 ~][PROD]$ ls -ld /srv/taskotron
drwxrwxr-x. 3 buildmaster buildmaster 4096 Aug 10 16:09 /srv/taskotron
[buildmaster@taskotron-dev01 ~][PROD]$ touch /srv/taskotron/test
[buildmaster@taskotron-dev01 ~][PROD]$ ls -l /srv/taskotron/test
-rw-rw-r--. 1 buildmaster buildmaster 0 Aug 10 16:22 /srv/taskotron/test


However, once we update to nfs-utils-2.1.1-5.rc4.fc25, the NFS share can't be written, only read. This is how it looks in /proc/mounts (notice that "sec=sys" changed to "sec=null"):

ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_taskotron_dev /srv/taskotron nfs4 rw,nosuid,nodev,noatime,vers=4.1,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=null,clientaddr=10.5.124.181,local_lock=none,addr=10.5.88.41 0 0

And this happens when I try to write a file:

[buildmaster@taskotron-dev01 ~][PROD]$ ls -ld /srv/taskotron
drwxrwxr-x. 3 buildmaster buildmaster 4096 Aug 10 16:09 /srv/taskotron
[buildmaster@taskotron-dev01 ~][PROD]$ touch /srv/taskotron/test
touch: cannot touch '/srv/taskotron/test': Permission denied



I see this in the journal when I restart nfs-server.service in SELinux permissive mode:

Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopping NFS server and services...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting Kernel Module supporting RPCSEC_GSS...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org kernel: nfsd: last server has exited, flushing export cache
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auth-rpcgss-module comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auth-rpcgss-module comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[2153]: AVC avc:  denied  { write } for  pid=2153 comm="rpc.mountd" name="rpcbind.sock" dev="tmpfs" ino=16984 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-idmapd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-mountd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started Kernel Module supporting RPCSEC_GSS.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.mountd[2153]: Caught signal 15, un-registering and exiting.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopped NFS server and services.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopping NFSv4 ID-name mapping service...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopping NFS Mount Daemon...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopped NFSv4 ID-name mapping service.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Stopped NFS Mount Daemon.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: rpcbind.socket: Socket service rpcbind.service already active, refusing.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Failed to listen on RPCbind Server Activation Socket.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Dependency failed for NFS status monitor for NFSv2/3 locking..
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: rpc-statd.service: Job rpc-statd.service/start failed with result 'dependency'.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting Preprocess NFS configuration...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started Preprocess NFS configuration.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting NFS Mount Daemon...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting NFSv4 ID-name mapping service...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.idmapd[2279]: rpc.idmapd: conf_reinit: open ("(null)", O_RDONLY) failed
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.idmapd[2279]: rpc.idmapd: conf_reinit: open ("(null)", O_RDONLY) failed
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started NFSv4 ID-name mapping service.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-idmapd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-mountd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org rpc.mountd[2281]: Version 2.1.1 starting
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started NFS Mount Daemon.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting NFS server and services...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org kernel: NFSD: starting 90-second grace period (net ffffffffa4f35d00)
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started NFS server and services.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Starting Notify NFS peers of a restart...
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org sm-notify[2298]: Version 2.1.1 starting
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org sm-notify[2298]: Already notifying clients; Exiting!
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org systemd[1]: Started Notify NFS peers of a restart.
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd-notify comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:43:54 taskotron-dev01.qa.fedoraproject.org audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd-notify comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 10 16:44:25 taskotron-dev01.qa.fedoraproject.org audit[1958]: AVC avc:  denied  { name_connect } for  pid=1958 comm="gssproxy" dest=443 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1

When I mount the dir and do the touch command (which fails), there's nothing else printed into the journal.



Version-Release number of selected component (if applicable):
nfs-utils-2.1.1-5.rc4.fc25.x86_64

How reproducible:
always, in my particular setup

Additional info:

I suspect the bug is related to the "sec=" mount option. With rc4, it uses sec=null.
Comment 1 Kamil Páral 2017-08-10 12:59:48 EDT
If I add "sec=sys" to fstab, everything works again even with rc4. So it seems that the sec= autodetection broke (or changed).
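
The comparison made by eye in this report (the negotiated sec= flavor in /proc/mounts against what fstab asks for) can be scripted; the following is an added example, not part of the original bug report or of nfs-utils. The function names nfs_sec_audit and opt_value are hypothetical, and the sample fstab and mounts files are constructed with placeholder hostnames and paths.

```shell
#!/bin/sh
# Added example (not from the bug report): flag NFS mounts where the client
# negotiated sec=null while fstab leaves sec= to autodetection.

# opt_value KEY OPTS: print the value of KEY= from a comma-separated option list.
opt_value() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# nfs_sec_audit [MOUNTS] [FSTAB]: print one line per NFS mount:
#   <mountpoint> effective=<flavor> fstab=<flavor|auto> <OK|WARN>
nfs_sec_audit() {
    mounts=${1:-/proc/mounts}
    fstab=${2:-/etc/fstab}
    while read -r _dev mnt fstype opts _rest; do
        case $fstype in nfs|nfs4) ;; *) continue ;; esac
        effective=$(opt_value sec "$opts")
        # fstab may spell the mount point with a trailing slash, as in the report.
        fsopts=$(awk -v m="$mnt" '$1 !~ /^#/ && NF >= 4 {
            p = $2; if (length(p) > 1) sub(/\/$/, "", p)
            if (p == m) { print $4; exit } }' "$fstab")
        pinned=$(opt_value sec "$fsopts")
        status=OK
        # sec=null picked by autodetection: the symptom described in the report.
        if [ "$effective" = null ] && [ -z "$pinned" ]; then status=WARN; fi
        printf '%s effective=%s fstab=%s %s\n' \
            "$mnt" "${effective:-unknown}" "${pinned:-auto}" "$status"
    done < "$mounts"
}

# Constructed sample input (hostnames and paths are placeholders).
demo_dir=$(mktemp -d)
cat > "$demo_dir/fstab" <<'EOF'
nfs.example.test:/export_a /srv/a/ nfs rw,hard,nosuid,nfsvers=4 0 0
nfs.example.test:/export_b /srv/b nfs rw,hard,nosuid,nfsvers=4,sec=sys 0 0
EOF
cat > "$demo_dir/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
nfs.example.test:/export_a /srv/a nfs4 rw,nosuid,vers=4.1,hard,proto=tcp,sec=null 0 0
nfs.example.test:/export_b /srv/b nfs4 rw,nosuid,vers=4.1,hard,proto=tcp,sec=sys 0 0
EOF
nfs_sec_audit "$demo_dir/mounts" "$demo_dir/fstab"
```

Called with no arguments, nfs_sec_audit reads /proc/mounts and /etc/fstab on the local host.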
