On Sat, Nov 18, 2023 at 8:09 AM Rick Macklem <rick.mack...@gmail.com> wrote: > > On Fri, Nov 17, 2023 at 8:19 PM Mike Karels <m...@karels.net> wrote: > > > > On 17 Nov 2023, at 22:14, Mike Karels wrote: > > > > > On 17 Nov 2023, at 21:24, Rick Macklem wrote: > > > > > >> Most of the changes in stable/13 that are not in releng/13.2 > > >> are the "make it work in a jail" stuff. Unfortunately, they are > > >> a large # of changes (mostly trivial edits adding vnet macros), > > >> but it also includes export check changes. > > >> > > >> I have attached a trivial patch that I think disables the export > > >> checks for jails. If either of you can try it and see if it fixes > > >> the problem, that would be great. > > >> (Note that this is only for testing, although it probably does not > > >> matter unless you are running nfsd(8) in vnet jails.) > > > > > > Yes, I can see snapshots with the patch. This system is just a test > > > system that doesn't normally run ZFS or NFS, so no problem messing > > > with permissions. It's a bhyve VM, so I just added a small disk and > > > enabled ZFS for testing. > > > > btw, you might try to get mm@ or maybe mav@ to help out from the ZFS > > side. It must be doing something differently inside a snapshot than > > outside, maybe with file handles or something like that. > Yes. I've added freebsd-current@ (although Garrett is not on it, he is > cc'd) and these guys specifically... > > So, here's what appears to be the problem... > Commit 88175af (in main and stable/13, but not 13.2) added checks for > nfsd(8) running in jails by filling in mnt_exjail with a reference to the cred > used when the file system is exported. > When mnt_exjail is found NULL, the current nfsd code assumes that there > is no access allowed for the mount. > > My vague understanding is that when a ZFS snapshot is accessed, it is > "pseudo-mounted" by zfsctl_snapdir_lookup() and I am guessing that > mnt_exjail is NULL as a result. > Since I do not know the ZFS code and don't even have an easy way to > test this (thankfully Mike can test easily), I do not know what to do from > here? > > Is there a "struct mount" constructed for this pseudo mount > (or it actually appears to be the lookup of ".." that fails, so it > might be the parent of the snapshot subdir?)? > > One thought is that I can check to see if the mount pointer is in the > mountlist (I don't think the snapshot's mount is in the mountlist) and > avoid the jail test for this case. This would assume that snapshots are > always within the file system(s) exported via that jail (which includes > the case of prison0, of course), so that they do not need a separate > jail check. > > If this doesn't work, there will need to be some sort of messing about > in ZFS to set mnt_exjail for these. Ok, so now onto the hard part... Thanks to Mike and others, I did create a snapshot under .zfs and I can see the problem. It is that mnt_exjail == NULL. Now, is there a way that this "struct mount" can be recognized as "special" for snapshots, so I can avoid the mnt_exjail == NULL test? (I had hoped that "mp->mnt_list.tqe_prev" would be NULL, but that is not the case.)
Do I need to search mountlist for it? rick ps: The hack patch attached should fix the problem, but can only be safely used if mountd/nfsd are not run in any jails. > > I will try and get a test setup going here, which leads me to.. > how do I create a ZFS snapshot? (I do have a simple ZFS pool running > on a test machine, but I've never done a snapshot.) > > Although this problem is not in 13.2, it will have shipped in 14.0. > > Any help with be appreciated, rick > > > > > Mike > > > > > >> rick > > >> > > >> On Fri, Nov 17, 2023 at 6:14 PM Mike Karels <m...@karels.net> wrote: > > >>> > > >>> CAUTION: This email originated from outside of the University of > > >>> Guelph. Do not click links or open attachments unless you recognize the > > >>> sender and know the content is safe. If in doubt, forward suspicious > > >>> emails to ith...@uoguelph.ca. > > >>> > > >>> > > >>> Rick, have you been following this thread on freebsd-stable? I have > > >>> been able > > >>> to reproduce this using a 13-stable server from Oct 7 and a 15-current > > >>> system > > >>> that is up to date using NFSv3. I did not reproduce with a 13.2 > > >>> server. The > > >>> client was running 13.2. Any ideas? A full bisect seems fairly > > >>> painful, but > > >>> maybe you have an idea of points to try. Fortunately, these are all > > >>> test > > >>> systems that I can reboot at will. > > >>> > > >>> Mike > > >>> > > >>> Forwarded message: > > >>> > > >>>> From: Garrett Wollman <woll...@bimajority.org> > > >>>> To: Mike Karels <m...@karels.net> > > >>>> Cc: freebsd-sta...@freebsd.org > > >>>> Subject: Re: NFS exports of ZFS snapshots broken > > >>>> Date: Fri, 17 Nov 2023 17:35:04 -0500 > > >>>> > > >>>> <<On Fri, 17 Nov 2023 15:57:42 -0600, Mike Karels <m...@karels.net> > > >>>> said: > > >>>> > > >>>>> I have not run into this, so I tried it just now. I had no problem. > > >>>>> The server is 13.2, fully patched, the client is up-to-date -current, > > >>>>> and the mount is v4. > > >>>> > > >>>> On my 13.2 client and 13-stable server, I see: > > >>>> > > >>>> 25034 ls CALL > > >>>> open(0x237d32f9a000,0x120004<O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC>) > > >>>> 25034 ls NAMI "/mnt/tools/.zfs/snapshot/weekly-2023-45" > > >>>> 25034 ls RET open 4 > > >>>> 25034 ls CALL fcntl(0x4,F_ISUNIONSTACK,0x0) > > >>>> 25034 ls RET fcntl 0 > > >>>> 25034 ls CALL > > >>>> getdirentries(0x4,0x237d32faa000,0x1000,0x237d32fa7028) > > >>>> 25034 ls RET getdirentries -1 errno 5 Input/output error > > >>>> 25034 ls CALL close(0x4) > > >>>> 25034 ls RET close 0 > > >>>> 25034 ls CALL exit(0) > > >>>> > > >>>> Certainly a libc bug here that getdirentries(2) returning [EIO] > > >>>> results in ls(1) returning EXIT_SUCCESS, but the [EIO] error is > > >>>> consistent across both FreeBSD and Linux clients. > > >>>> > > >>>> Looking at this from the RPC side: > > >>>> > > >>>> (PUTFH, GETATTR, LOOKUP(snapshotname), GETFH, GETATTR) > > >>>> [NFS4_OK for all ops] > > >>>> (PUTFH, GETATTR) > > >>>> [NFS4_OK, NFS4_OK] > > >>>> (PUTFH, ACCESS(0x3f), GETATTR) > > >>>> [NFS4_OK, NFS4_OK, rights = 0x03, NFS4_OK] > > >>>> (PUTFH, GETATTR, LOOKUPP, GETFH, GETATTR) > > >>>> [NFS4_OK, NFS4_OK, NFS4ERR_NOFILEHANDLE] > > >>>> > > >>>> and at this point the [EIO] is returned. > > >>>> > > >>>> It seems that clients always do a LOOKUPP before calling READDIR, and > > >>>> this is failing when the subject file handle is the snapshot. The > > >>>> client is perfectly able to *traverse into* the snapshot: if I try to > > >>>> list a subdirectory I know exists in the snapshot, the client is able > > >>>> to > > >>>> LOOKUP(dirname) just fine, but LOOKUPP still fails with > > >>>> NFS4ERR_NOFILEHANDLE *on the subndirectory*. > > >>>> > > >>>> -GAWollman > > >>>
zfsjail.patch
Description: Binary data