[Bug 1616123] Re: rpc-svcgssd.service uses incorrrect variable SVCGSSDARGS

Andreas Hasenack andreas at canonical.com
Fri Apr 26 16:53:27 UTC 2019


** Description changed:

  [Impact]
  Command line options set for rpc.svcgssd in the /etc/default/nfs-kernel-server file are not passed on to the service, being ignored.
  
  [Test Case]
- * install nfs-server and a kerberos server. Use "EXAMPLE.LOCAL" for the realm, and "localhost" for the servers, when prompted:
+ * In a VM (LXD won't work), install nfs-server and a kerberos server. Use "EXAMPLE.LOCAL" for the realm, and "localhost" for the servers, when prompted:
  sudo apt install nfs-server krb5-kdc krb5-user krb5-admin-server
  
  * create the EXAMPLE.LOCAL realm. Use any password you want for the database master key, it won't be requested again:
  sudo krb5_newrealm
  
  * create a principal for the nfs service:
  sudo kadmin.local -q "addprinc -randkey nfs/$(hostname -f)"
  
  * extract the key into the system wide keytab:
  sudo kadmin.local -q "ktadd -k /etc/krb5.keytab nfs/$(hostname -f)"
  
  * edit /etc/default/nfs-common and enable gssd:
  NEED_GSSD=y
  
  * edit /etc/default/nfs-kernel-server and add an option to RPCSVCGSSDOPTS:
  RPCSVCGSSDOPTS="-v"
  
  * restart nfs-server
  sudo systemctl restart nfs-server
  
  * verify if /run/sysconfig/nfs-utils has the option we added above:
  $ cat /run/sysconfig/nfs-utils
  PIPEFS_MOUNTPOINT=/run/rpc_pipefs
  RPCNFSDARGS=" 8"
  RPCMOUNTDARGS="--manage-gids"
  STATDARGS=""
  RPCSVCGSSDARGS="-v"
  
  * Verify the running rpc.gssd process. Without the fix, it won't have the "-v" option:
  ps axw|grep svcgssd|grep -v grep
   4285 ? Ss 0:00 /usr/sbin/rpc.svcgssd
  
  With the fix, right after installing the udpated packages, the option we added to /etc/default/nfs-kernel-server will show up:
  ps axw|grep svcgssd|grep -v grep
   5656 ? Ss 0:00 /usr/sbin/rpc.svcgssd -v
  
  [Regression Potential]
  This is an old bug and whoever was affected by it probably worked around the problem by now. I tried to cope with one such scenario by not just renaming the variable we export, but exporting the correct one in addition to the old incorrect one, but that's it. I hope this, and the explanation added to the shell script wrapper nfs-utils.sh, is enough to help people with corner cases.
  idance to testers in regression-testing the SRU.
  
  [Other Info]
  This patch was accepted in debian: https://salsa.debian.org/debian/nfs-utils/merge_requests/2
  
  [Original Description]
  In /etc/default/nfs-kernel-server you can specify parameters for rpc.svcgssd:
  
  # Options for rpc.svcgssd.
  RPCSVCGSSDOPTS="-n"
  
  But the variable is named incorrectly in /lib/systemd/system/rpc-
  svcgssd.service:
  
  ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS

** Description changed:

  [Impact]
  Command line options set for rpc.svcgssd in the /etc/default/nfs-kernel-server file are not passed on to the service, being ignored.
  
  [Test Case]
  * In a VM (LXD won't work), install nfs-server and a kerberos server. Use "EXAMPLE.LOCAL" for the realm, and "localhost" for the servers, when prompted:
  sudo apt install nfs-server krb5-kdc krb5-user krb5-admin-server
  
  * create the EXAMPLE.LOCAL realm. Use any password you want for the database master key, it won't be requested again:
  sudo krb5_newrealm
  
  * create a principal for the nfs service:
  sudo kadmin.local -q "addprinc -randkey nfs/$(hostname -f)"
  
  * extract the key into the system wide keytab:
  sudo kadmin.local -q "ktadd -k /etc/krb5.keytab nfs/$(hostname -f)"
  
  * edit /etc/default/nfs-common and enable gssd:
  NEED_GSSD=y
  
  * edit /etc/default/nfs-kernel-server and add an option to RPCSVCGSSDOPTS:
  RPCSVCGSSDOPTS="-v"
  
  * restart nfs-server
  sudo systemctl restart nfs-server
+ 
+ * on xenial, you also have to restart nfs-config:
+ sudo systemctl restart nfs-config
  
  * verify if /run/sysconfig/nfs-utils has the option we added above:
  $ cat /run/sysconfig/nfs-utils
  PIPEFS_MOUNTPOINT=/run/rpc_pipefs
  RPCNFSDARGS=" 8"
  RPCMOUNTDARGS="--manage-gids"
  STATDARGS=""
  RPCSVCGSSDARGS="-v"
  
  * Verify the running rpc.gssd process. Without the fix, it won't have the "-v" option:
  ps axw|grep svcgssd|grep -v grep
   4285 ? Ss 0:00 /usr/sbin/rpc.svcgssd
  
  With the fix, right after installing the udpated packages, the option we added to /etc/default/nfs-kernel-server will show up:
  ps axw|grep svcgssd|grep -v grep
   5656 ? Ss 0:00 /usr/sbin/rpc.svcgssd -v
  
  [Regression Potential]
  This is an old bug and whoever was affected by it probably worked around the problem by now. I tried to cope with one such scenario by not just renaming the variable we export, but exporting the correct one in addition to the old incorrect one, but that's it. I hope this, and the explanation added to the shell script wrapper nfs-utils.sh, is enough to help people with corner cases.
  idance to testers in regression-testing the SRU.
  
  [Other Info]
  This patch was accepted in debian: https://salsa.debian.org/debian/nfs-utils/merge_requests/2
  
  [Original Description]
  In /etc/default/nfs-kernel-server you can specify parameters for rpc.svcgssd:
  
  # Options for rpc.svcgssd.
  RPCSVCGSSDOPTS="-n"
  
  But the variable is named incorrectly in /lib/systemd/system/rpc-
  svcgssd.service:
  
  ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1616123

Title:
  rpc-svcgssd.service uses incorrrect variable SVCGSSDARGS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1616123/+subscriptions



More information about the Ubuntu-server-bugs mailing list