[Bug 1616123] Re: rpc-svcgssd.service uses incorrrect variable SVCGSSDARGS

Andreas Hasenack andreas at canonical.com
Thu Apr 25 20:29:12 UTC 2019 

** Changed in: nfs-utils (Ubuntu Xenial)
       Status: Confirmed => In Progress

** Changed in: nfs-utils (Ubuntu Bionic)
       Status: Confirmed => In Progress

** Changed in: nfs-utils (Ubuntu Cosmic)
       Status: Confirmed => In Progress

** Description changed:

- In /etc/default/nfs-kernel-server you can specify parameters for
- rpc.svcgssd:
+ [Impact]
+ 
+  * An explanation of the effects of the bug on users and
+ 
+  * justification for backporting the fix to the stable release.
+ 
+  * In addition, it is helpful, but not required, to include an
+    explanation of how the upload fixes this bug.
+ 
+ [Test Case]
+ * install nfs-server and a kerberos server. Use "EXAMPLE.LOCAL" for the realm, and "localhost" for the servers, when prompted:
+ sudo apt install nfs-server krb5-kdc krb5-user krb5-admin-server
+ 
+ * create the EXAMPLE.LOCAL realm. Use any password you want for the database master key, it won't be requested again:
+ sudo krb5_newrealm
+ 
+ * create a principal for the nfs service:
+ sudo kadmin.local -q "addprinc -randkey nfs/$(hostname -f)"
+ 
+ * extract the key into the system wide keytab:
+ sudo kadmin.local -q "ktadd -k /etc/krb5.keytab nfs/$(hostname -f)"
+ 
+ * edit /etc/default/nfs-common and enable gssd:
+ NEED_GSSD=y
+ 
+ * edit /etc/default/nfs-kernel-server and add an option to RPCSVCGSSDOPTS:
+ RPCSVCGSSDOPTS="-v"
+ 
+ * restart nfs-server
+ sudo systemctl restart nfs-server
+ 
+ * verify if /run/sysconfig/nfs-utils has the option we added above:
+ $ cat /run/sysconfig/nfs-utils
+ PIPEFS_MOUNTPOINT=/run/rpc_pipefs
+ RPCNFSDARGS=" 8"
+ RPCMOUNTDARGS="--manage-gids"
+ STATDARGS=""
+ RPCSVCGSSDARGS="-v"
+ 
+ * Verify the running rpc.gssd process. Without the fix, it won't have the "-v" option:
+ ps axw|grep svcgssd|grep -v grep
+  4285 ? Ss 0:00 /usr/sbin/rpc.svcgssd
+ 
+ With the fix, right after installing the udpated packages, the option we added to /etc/default/nfs-kernel-server will show up:
+ ps axw|grep svcgssd|grep -v grep
+  5656 ? Ss 0:00 /usr/sbin/rpc.svcgssd -v
+ 
+ [Regression Potential]
+ 
+  * discussion of how regressions are most likely to manifest as a result
+ of this change.
+ 
+  * It is assumed that any SRU candidate patch is well-tested before
+    upload and has a low overall risk of regression, but it's important
+    to make the effort to think about what ''could'' happen in the
+    event of a regression.
+ 
+  * This both shows the SRU team that the risks have been considered,
+    and provides guidance to testers in regression-testing the SRU.
+ 
+ [Other Info]
+  
+  * Anything else you think is useful to include
+  * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
+  * and address these questions in advance
+ 
+ [Original Description]
+ In /etc/default/nfs-kernel-server you can specify parameters for rpc.svcgssd:
  
  # Options for rpc.svcgssd.
  RPCSVCGSSDOPTS="-n"
  
  But the variable is named incorrectly in /lib/systemd/system/rpc-
  svcgssd.service:
  
  ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS

** Description changed:

  [Impact]
- 
-  * An explanation of the effects of the bug on users and
- 
-  * justification for backporting the fix to the stable release.
- 
-  * In addition, it is helpful, but not required, to include an
-    explanation of how the upload fixes this bug.
+ Command line options set for rpc.svcgssd in the /etc/default/nfs-kernel-server file are not passed on to the service, being ignored.
  
  [Test Case]
  * install nfs-server and a kerberos server. Use "EXAMPLE.LOCAL" for the realm, and "localhost" for the servers, when prompted:
  sudo apt install nfs-server krb5-kdc krb5-user krb5-admin-server
  
  * create the EXAMPLE.LOCAL realm. Use any password you want for the database master key, it won't be requested again:
  sudo krb5_newrealm
  
  * create a principal for the nfs service:
  sudo kadmin.local -q "addprinc -randkey nfs/$(hostname -f)"
  
  * extract the key into the system wide keytab:
  sudo kadmin.local -q "ktadd -k /etc/krb5.keytab nfs/$(hostname -f)"
  
  * edit /etc/default/nfs-common and enable gssd:
  NEED_GSSD=y
  
  * edit /etc/default/nfs-kernel-server and add an option to RPCSVCGSSDOPTS:
  RPCSVCGSSDOPTS="-v"
  
  * restart nfs-server
  sudo systemctl restart nfs-server
  
  * verify if /run/sysconfig/nfs-utils has the option we added above:
  $ cat /run/sysconfig/nfs-utils
  PIPEFS_MOUNTPOINT=/run/rpc_pipefs
  RPCNFSDARGS=" 8"
  RPCMOUNTDARGS="--manage-gids"
  STATDARGS=""
  RPCSVCGSSDARGS="-v"
  
  * Verify the running rpc.gssd process. Without the fix, it won't have the "-v" option:
  ps axw|grep svcgssd|grep -v grep
-  4285 ? Ss 0:00 /usr/sbin/rpc.svcgssd
+  4285 ? Ss 0:00 /usr/sbin/rpc.svcgssd
  
  With the fix, right after installing the udpated packages, the option we added to /etc/default/nfs-kernel-server will show up:
  ps axw|grep svcgssd|grep -v grep
-  5656 ? Ss 0:00 /usr/sbin/rpc.svcgssd -v
+  5656 ? Ss 0:00 /usr/sbin/rpc.svcgssd -v
  
  [Regression Potential]
- 
-  * discussion of how regressions are most likely to manifest as a result
- of this change.
- 
-  * It is assumed that any SRU candidate patch is well-tested before
-    upload and has a low overall risk of regression, but it's important
-    to make the effort to think about what ''could'' happen in the
-    event of a regression.
- 
-  * This both shows the SRU team that the risks have been considered,
-    and provides guidance to testers in regression-testing the SRU.
+ This is an old bug and whoever was affected by it probably worked around the problem by now. I tried to cope with one such scenario by not just renaming the variable we export, but exporting the correct one in addition to the old incorrect one, but that's it. I hope this, and the explanation added to the shell script wrapper nfs-utils.sh, is enough to help people with corner cases.
+ idance to testers in regression-testing the SRU.
  
  [Other Info]
-  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
-  * and address these questions in advance
+ This patch was accepted in debian: https://salsa.debian.org/debian/nfs-utils/merge_requests/2
  
  [Original Description]
  In /etc/default/nfs-kernel-server you can specify parameters for rpc.svcgssd:
  
  # Options for rpc.svcgssd.
  RPCSVCGSSDOPTS="-n"
  
  But the variable is named incorrectly in /lib/systemd/system/rpc-
  svcgssd.service:
  
  ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1616123

Title:
  rpc-svcgssd.service uses incorrrect variable SVCGSSDARGS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1616123/+subscriptions

More information about the Ubuntu-server-bugs mailing list