Bug #24039

Only start nfsuserd if GIDS > 16

Added by Scott W almost 4 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Critical
Assignee: Kris Moore
Category: OS
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

The setting "NFSv3 ownership model for NFSv4" does not work in 9.10-STABLE. It has no effect.

Doing some research on this setting, history tells us that it works by stopping (or not starting) the nfsuserd service and setting the sysctl vfs.nfsd.enable_stringtouid to 1. See here for details:

https://bugs.pcbsd.org/issues/13225

It looks like the problem is caused by line 50 in /etc/rc.d/nfsd. This line is requiring nfsuserd if NFSv4 is used at all, which goes counter to this whole setting. I'm not sure when that changed, but I found this bug that maybe is related:

https://bugs.pcbsd.org/issues/12593

In any case, simply changing that if block to the following solves the issue:

     50                 if checkyesno nfs_server_managegids; then
     51                         force_depend nfsuserd || err 1 "Cannot run nfsuserd"
     52                 fi

It could probably also be:

     50                 if checkyesno nfsv4_server_enable && \
     51                     checkyesno nfs_server_managegids; then
     52                         force_depend nfsuserd || err 1 "Cannot run nfsuserd"
     53                 fi

but I haven't tested that.
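
The three variants of the `if` block discussed in this ticket, modelled as an added shell example (not code from the ticket or from the FreeBSD rc scripts). It assumes a local stand-in for the rc.subr `checkyesno` helper and an `original` variant reconstructed from the description, since the pre-fix line is not quoted on this page; `nfsuserd_forced` is a hypothetical name.

```shell
#!/bin/sh
# Added example: which rc.conf combinations force-start nfsuserd under each
# variant of the /etc/rc.d/nfsd test discussed in this ticket.

# Local stand-in for rc.subr's checkyesno (assumption: the usual truthy
# spellings count as "yes", anything else as "no").
checkyesno() {
    eval "_v=\${$1:-NO}"
    case "$_v" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# nfsuserd_forced VARIANT NFSV4_ENABLE MANAGEGIDS
# Prints "forced" when the variant would call force_depend nfsuserd.
#   original   - assumed pre-fix shape: forced whenever NFSv4 is enabled
#   managegids - first block proposed in the description
#   both       - second block proposed in the description
nfsuserd_forced() {
    nfsv4_server_enable=$2
    nfs_server_managegids=$3
    # The case statement's exit status is the status of the selected test.
    case "$1" in
        original)   checkyesno nfsv4_server_enable ;;
        managegids) checkyesno nfs_server_managegids ;;
        both)       checkyesno nfsv4_server_enable &&
                        checkyesno nfs_server_managegids ;;
        *)          echo unknown; return 2 ;;
    esac && echo forced || echo not-forced
}

# Print the full decision matrix (constructed inputs, not taken from a host).
for v4 in YES NO; do
    for mg in YES NO; do
        printf 'nfsv4=%-3s managegids=%-3s' "$v4" "$mg"
        for variant in original managegids both; do
            printf '  %s=%s' "$variant" \
                "$(nfsuserd_forced "$variant" "$v4" "$mg")"
        done
        printf '\n'
    done
done
```

The `nfsv4=YES managegids=NO` row is the case reported here: only the assumed original test forces nfsuserd, which is what defeats the "NFSv3 ownership model for NFSv4" setting.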

Associated revisions

Revision 828e782a (diff)
Added by Kris Moore over 3 years ago

Only start nfsuserd if GIDS > 16 Ticket: #24039

Revision b0806951 (diff)
Added by Kris Moore over 3 years ago

Only start nfsuserd if GIDS > 16 Ticket: #24039

Revision 0497d4b7 (diff)
Added by Kris Moore over 3 years ago

Only start nfsuserd if GIDS > 16 Ticket: #24039

History

#1 Updated by Ash Gokhale almost 4 years ago

  • Status changed from Unscreened to Screened
  • Priority changed from No priority to Important

This change looks correct; we have seen the need to forcefully stop nfsuserd. I'll make the change on a system here and make a recommendation on a patch for the start script.

#2 Updated by Scott W almost 4 years ago

Just to note, I tested the following with 9.10.2-U4 and it operates as expected; nfsuserd is not started since I have "NFSv3 ownership model..." enabled.

     50                 if checkyesno nfsv4_server_enable && \
     51                     checkyesno nfs_server_managegids; then
     52                         force_depend nfsuserd || err 1 "Cannot run nfsuserd" 
     53                 fi

#3 Updated by Joshua Sirrine over 3 years ago

I can confirm that a TrueNAS HA user is having this problem on TrueNAS 9.10.2-U5.

#4 Updated by Kris Moore over 3 years ago

  • Priority changed from Important to Critical
  • Target version set to 11.0-U3

#5 Updated by Ash Gokhale over 3 years ago

This patch actually seems much like the one that just went into freebsd head:
https://freshbsd.org/commit/freebsd/r321665
Modify /etc/rc.d/nfsd so it doesn't force a startup of nfsuserd for NFSv4.

Given that RFC7530 allows uid/gids to be placed in owner/owner_group
strings directly, many NFSv4 environments don't need the nfsuserd.
This small patch modified /etc/rc.d/nfsd so that it does not force
startup of the nfsuserd daemon unless nfs_server_managegids is enabled.
This implies that nfsuserd_enable="YES" must be added to /etc/rc.conf
for NFSv4 server environments that use Kerberos mounts or clients that
do not support the uid/gid in string capability.
Since this could be considered a POLA violation, it will not be MFC'd.

#6 Updated by Kris Moore over 3 years ago

+ Mav
+ William

Guys, Ash has pointed out in previous comment that a fix went into HEAD recently. It won't be MFC'd there due to POLA concerns, but do you have any objections to us pulling this into 11?

#7 Updated by William Grzybowski over 3 years ago

No objections, but we might have to make sure your rc.conf can handle that. IIRC we use manage gids for > 16 groups and nfsuserd won't be started with that base change.

#8 Updated by Kris Moore over 3 years ago

  • Assignee changed from Ash Gokhale to Kris Moore

Cool. Ash, I'll take a look at MFC of this patch tomorrow.

#10 Updated by Kris Moore over 3 years ago

  • Status changed from Screened to Reviewed by Developer

RE:

Here's the two pull requests to merge for this ticket:

https://github.com/freenas/freenas/pull/255

https://github.com/freenas/os/pull/32

#11 Updated by Vaibhav Chauhan over 3 years ago

  • Status changed from Reviewed by Developer to 47

#12 Updated by Dru Lavigne over 3 years ago

  • Subject changed from "NFSv3 ownership model for NFSv4" doesn't work to Only start nfsuserd if GIDS > 16

#13 Updated by Joe Maloney over 3 years ago

  • Status changed from 47 to Ready For Release
  • Needs QA changed from Yes to No
  • QA Status Test Passes added
  • QA Status deleted (Not Tested)

I believe this is working. I can confirm the nfsuserd process does not get started until I join an AD which has a user that is a member of more than 16 groups.

#14 Updated by Vaibhav Chauhan over 3 years ago

  • Status changed from Ready For Release to Resolved
