1655880 – 'rpm --verify nfs-utils' fail as mode on /etc/nfs.conf differ after nfsconvert executed

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1655880 - 'rpm --verify nfs-utils' fail as mode on /etc/nfs.conf differ after nfsconvert executed

Summary: 'rpm --verify nfs-utils' fail as mode on /etc/nfs.conf differ after nfsconver...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	nfs-utils
Sub Component:
Version:	8.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.1
Assignee:	Steve Dickson
QA Contact:	Yongcheng Yang
Docs Contact:
URL:
Whiteboard:
Depends On:	1653927 1681972
Blocks:	1690266
TreeView+	depends on / blocked

Reported:	2018-12-04 07:38 UTC by Yongcheng Yang
Modified:	2020-11-14 12:45 UTC (History)
CC List:	6 users (show)
Fixed In Version:	nfs-utils-2.3.3-17.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1690266 (view as bug list)
Environment:
Last Closed:	2019-11-05 22:18:26 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:3579	0	None	None	None	2019-11-05 22:19:43 UTC

Internal Links: 1665536

Description Yongcheng Yang 2018-12-04 07:38:37 UTC

Description of problem:

As Bug 1646626 (Use systemd scripts to convert NFS configurations) tracks, we'are using a new nfs-convert.service to convert the obsolete /etc/sysconfig/nfs to /etc/nfs.conf now.

On a freshly installed rhel8, looks like the converting doesn't execute (don't know if it's designed to this) until we call it explicitly, e.g. "systemctl start nfs-convert", "./usr/libexec/nfs-utils/nfsconvert.sh", "./usr/sbin/nfsconvert", or just "yum reinstall nfs-utils". And then we can find "rpm -V nfs-utils" emits warnings as both config files are modified. Especially the mode of nfs.conf is changed from "644" to "600"!

I just file a separate bug here as maybe this warning is as expected. And we may need release note or some others to explain when asked.


Version-Release number of selected component (if applicable):
since nfs-utils-2.3.3-7.el8

How reproducible:
always

Steps to Reproduce:
1. yum reinstall -y nfs-utils
2. rpm -V nfs-utils

Actual results:
[root ~]# grep DISTRO /etc/motd
                           DISTRO=RHEL-8.0-20181120.0
[root ~]# rpm -q nfs-utils
nfs-utils-2.3.3-7.el8.x86_64
[root ~]# rpm -V nfs-utils
[root ~]# ls -l /etc/sysconfig/nfs /etc/nfs.conf
-rw-r--r--. 1 root root 968 Nov  6 18:49 /etc/nfs.conf    <<<<<<<<<<
-rw-r--r--. 1 root root 885 Nov  6 18:49 /etc/sysconfig/nfs
[root ~]# lsattr /etc/sysconfig/nfs /etc/nfs.conf
------------------ /etc/sysconfig/nfs
------------------ /etc/nfs.conf
[root ~]# systemctl status nfs-convert
● nfs-convert.service - Preprocess NFS configuration convertion
   Loaded: loaded (/usr/lib/systemd/system/nfs-convert.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root ~]# 
[root ~]# yum reinstall -y nfs-utils >/dev/null
[root ~]# rpm -V nfs-utils
SM5....T.  c /etc/nfs.conf         <<<<<<<<<<<<<<<<<<<
S.5....T.  c /etc/sysconfig/nfs    <<<<<<<<<<<<<<<<<<<
[root ~]# echo $?
1
[root ~]# ls -l /etc/sysconfig/nfs /etc/nfs.conf
-rw-------. 1 root root 972 Dec  4 02:11 /etc/nfs.conf    <<<<<<<<<<
-rw-r--r--. 1 root root 203 Dec  4 02:11 /etc/sysconfig/nfs
[root ~]# lsattr /etc/sysconfig/nfs /etc/nfs.conf
------------------ /etc/sysconfig/nfs
------------------ /etc/nfs.conf
[root ~]# systemctl status nfs-convert
● nfs-convert.service - Preprocess NFS configuration convertion
   Loaded: loaded (/usr/lib/systemd/system/nfs-convert.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Dec 04 02:11:46 rhel-8.0.rhts.eng.pek2.redhat.com systemd[1]: Starting Preprocess NFS configuration convertion...
Dec 04 02:11:46 rhel-8.0.rhts.eng.pek2.redhat.com systemd[1]: Started Preprocess NFS configuration convertion.
[root ~]# 


Expected results:
No warning of "rpm -V nfs-utils"

Additional info:
N/A

Comment 1 Yongcheng Yang 2018-12-05 01:29:06 UTC

(In reply to Yongcheng Yang from comment #0)

Maybe only the "Mode differs" should be resolved.

> [root ~]# yum reinstall -y nfs-utils >/dev/null
> [root ~]# rpm -V nfs-utils
> SM5....T.  c /etc/nfs.conf         <<<<<<<<<<<<<<<<<<<
> S.5....T.  c /etc/sysconfig/nfs    <<<<<<<<<<<<<<<<<<<
^^^^^^^^^^^^^^^^
JFYI. from rpm(8) manpage:
       S file Size differs
       M Mode differs (includes permissions and file type)
       5 digest (formerly MD5 sum) differs
       ...
       T mTime differs

Comment 2 RobbieTheK 2019-01-14 03:28:45 UTC

I created https://bugzilla.redhat.com/show_bug.cgi?id=1665536 with a similar issue except the nfs-convert.service is missing.

Comment 3 Steve Dickson 2019-01-14 14:37:26 UTC

(In reply to Yongcheng Yang from comment #0)
> Description of problem:
> 
> As Bug 1646626 (Use systemd scripts to convert NFS configurations) tracks,
> we'are using a new nfs-convert.service to convert the obsolete
> /etc/sysconfig/nfs to /etc/nfs.conf now.
> 
> On a freshly installed rhel8, looks like the converting doesn't execute
> (don't know if it's designed to this) until we call it explicitly, e.g.
> "systemctl start nfs-convert", "./usr/libexec/nfs-utils/nfsconvert.sh",
> "./usr/sbin/nfsconvert", or just "yum reinstall nfs-utils". And then we can
> find "rpm -V nfs-utils" emits warnings as both config files are modified.
> Especially the mode of nfs.conf is changed from "644" to "600"!
> 
> I just file a separate bug here as maybe this warning is as expected. And we
> may need release note or some others to explain when asked.
> 
> 
> Version-Release number of selected component (if applicable):
> since nfs-utils-2.3.3-7.el8
Please try  nfs-utils-2.3.3-8.el8 which is the latest version

Comment 5 Yongcheng Yang 2019-01-17 05:40:01 UTC

(In reply to Steve Dickson from comment #3)

The problem still exists in the nfs-utils-2.3.3-8.el8:
~~~~~~~~~~~~~~~~~~~~~~~~~
[root~]# rpm -q nfs-utils
nfs-utils-2.3.3-8.el8.x86_64
[root~]# rpm -V nfs-utils
[root~]# ls -l /etc/sysconfig/nfs /etc/nfs.conf
-rw-r--r--. 1 root root 968 Dec 12 14:14 /etc/nfs.conf
-rw-r--r--. 1 root root 885 Dec 12 14:14 /etc/sysconfig/nfs
[root~]# lsattr /etc/sysconfig/nfs /etc/nfs.conf
------------------ /etc/sysconfig/nfs
------------------ /etc/nfs.conf
[root~]# systemctl restart nfs-convert
	 ^^^^^^^^^^^^^^^^^^^^^^^ executing the conversion script
[root~]# rpm -V nfs-utils
SM5....T.  c /etc/nfs.conf
S.5....T.  c /etc/sysconfig/nfs
[root~]# ls -l /etc/sysconfig/nfs /etc/nfs.conf
-rw-------. 1 root root 972 Jan 17 00:29 /etc/nfs.conf
-rw-r--r--. 1 root root 203 Jan 17 00:29 /etc/sysconfig/nfs
[root~]# lsattr /etc/sysconfig/nfs /etc/nfs.conf
----i------------- /etc/sysconfig/nfs
------------------ /etc/nfs.conf
[root~]# 

Changing to request RHEL 8.1 as this may not make 8.0 for now.

Comment 6 Alice Mitchell 2019-01-17 09:40:29 UTC

The S and 5 are unavoidable, the purpose of the script is to modify those files.
The +i on /etc/sysconfig/nfs is intentional, the end of nfsconvert.sh says:
# If successful, make the file immutable.
# This is to ensure that configuration management
# software gets an error trying to modify it.

The mode on /etc/nfs.conf is probably best fixed by adding a chmod onto nfsconvert.sh when it does the chattr.

Comment 7 Yongcheng Yang 2019-02-15 05:36:56 UTC

As Bug 1673685 fixed, file /etc/sysconfig/nfs is dropped (together
with its immutable bits) after nfs-utils version -12.el8

So the only thing we need to update is mode changing of /etc/nfs.conf

Here is the latest testing log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root~]# rpm -q nfs-utils
nfs-utils-2.3.3-13.el8.x86_64
[root~]# rpm -V nfs-utils
[root~]# ls -l /etc/sysconfig/nfs /etc/nfs.conf
ls: cannot access '/etc/sysconfig/nfs': No such file or directory
-rw-r--r--. 1 root root 968 Feb 12 10:28 /etc/nfs.conf
^^^^^^^^^^^
[root~]# lsattr /etc/nfs.conf
------------------ /etc/nfs.conf
[root~]# echo 'RPCNFSDARGS="-N4"' > /etc/sysconfig/nfs
[root~]# systemctl restart nfs-server <---- will call nfsconvert script
[root~]# systemctl status nfs-convert
● nfs-convert.service - Preprocess NFS configuration convertion
   Loaded: loaded (/usr/lib/systemd/system/nfs-convert.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2019-02-15 00:15:10 EST; 5s ago
  Process: 20141 ExecStart=/usr/libexec/nfs-utils/nfsconvert.sh (code=exited, status=0/SUCCESS)
 Main PID: 20141 (code=exited, status=0/SUCCESS)

Feb 15 00:15:10 hp-dl388g8-03.rhts.eng.pek2.redhat.com systemd[1]: Starting Preprocess NFS configuration convertion...
Feb 15 00:15:10 hp-dl388g8-03.rhts.eng.pek2.redhat.com systemd[1]: Started Preprocess NFS configuration convertion.
[root~]# ls -l /etc/sysconfig/nfs /etc/nfs.conf
ls: cannot access '/etc/sysconfig/nfs': No such file or directory
-rw-------. 1 root root 978 Feb 15 00:15 /etc/nfs.conf
^^^^^^^^^^^
[root~]# lsattr /etc/nfs.conf
------------------ /etc/nfs.conf
[root~]# rpm -V nfs-utils
SM5....T.  c /etc/nfs.conf
 ^                  <--- M Mode differs (includes permissions and file type)
.....UG..  g /var/lib/nfs/statd/state
[root~]# 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks for the explanation.
(In reply to Justin Mitchell from comment #6)
> The S and 5 are unavoidable, the purpose of the script is to modify those
> files.
> The +i on /etc/sysconfig/nfs is intentional, the end of nfsconvert.sh says:
> # If successful, make the file immutable.
> # This is to ensure that configuration management
> # software gets an error trying to modify it.
> 
> The mode on /etc/nfs.conf is probably best fixed by adding a chmod onto
> nfsconvert.sh when it does the chattr.

Looks like it's an issue we can fix, I'm updating summary now.

P.s. The testcase won't cover this issue as nfsconvert only be
triggered when appropriate (Bug 1673685). Will test it by hand.

Comment 8 Steve Dickson 2019-02-25 15:45:37 UTC

Is this still a problem?

Comment 9 Yongcheng Yang 2019-02-26 02:58:44 UTC

(In reply to Steve Dickson from comment #8)
> Is this still a problem?

Yes! After nfsconvert, mode of file "/etc/nfs.conf" has been changed
from 644 (rw-r--r--) to 600 (rw-------):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root~]# rpm -q nfs-utils
nfs-utils-2.3.3-14.el8.x86_64
[root~]# ls -l /etc/nfs.conf 
-rw-r--r--. 1 root root 968 Feb 15 09:39 /etc/nfs.conf
[root~]# echo 'RPCNFSDARGS="-N4"' > /etc/sysconfig/nfs
[root~]# /usr/sbin/nfsconvert 
[root~]# ls -l /etc/nfs.conf 
-rw-------. 1 root root 978 Feb 25 21:50 /etc/nfs.conf
[root~]# 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I cannot find out where the modification takes effect. However, maybe
we can just change it back using chmod as Justin says.

(In reply to Justin Mitchell from comment #6)
> 
> The mode on /etc/nfs.conf is probably best fixed by adding a chmod
> onto nfsconvert.sh when it does the chattr.

Comment 10 Steve Dickson 2019-02-26 16:13:05 UTC

(In reply to Yongcheng Yang from comment #9)
> (In reply to Steve Dickson from comment #8)
> > Is this still a problem?
> 
> Yes! After nfsconvert, mode of file "/etc/nfs.conf" has been changed
> from 644 (rw-r--r--) to 600 (rw-------):
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OK... It appears most of the files under /etc are have 644 mods.

> 
> I cannot find out where the modification takes effect. However, maybe
> we can just change it back using chmod as Justin says.
Its probably happen when root creates the file since root's
default modes are 600.

> 
> (In reply to Justin Mitchell from comment #6)
> > 
> > The mode on /etc/nfs.conf is probably best fixed by adding a chmod
> > onto nfsconvert.sh when it does the chattr.
Sounds reasonable.

Comment 15 Yongcheng Yang 2019-04-08 09:25:48 UTC

(In reply to Yongcheng Yang from comment #7)
> ...
> P.s. The testcase won't cover this issue as nfsconvert only be
> triggered when appropriate (Bug 1673685). Will test it by hand.

Now have found a suitable place for this check. Re-cover it again.

Comment 17 Yongcheng Yang 2019-09-05 08:52:38 UTC

Please note this bug was fixed in nfs-utils-2.3.3-17.el8 by correcting the mode manually.

But later, policy changes to "Modify nfs.conf in-place instead of replacing the file (bz 1687496)".

However I'm verifying it as this problem gets resolved:

https://beaker.engineering.redhat.com/recipes/7311457
-----------------------------------------------------
[00:57:43 root@ ~~]# ls -l /etc/nfs.conf
-rw-r--r--. 1 root root 0 Sep  4 00:57 /etc/nfs.conf
[00:57:43 root@ ~~]# service_nfs restart
Redirecting to /bin/systemctl restart nfs-server.service
[00:57:43 root@ ~~]# ls -l /etc/nfs.conf
-rw-r--r--. 1 root root 47 Sep  4 00:57 /etc/nfs.conf
[00:57:43 root@ ~~]# test '644' == '644'   <<< PASS: The access permission should keep unchanged

Comment 19 errata-xmlrpc 2019-11-05 22:18:26 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3579

Note You need to log in before you can comment on or make changes to this bug.