Package: nfs-common
Version: 1:1.3.4-5
Severity: important
Tags: patch
X-Debbugs-Cc: joachim.f...@gmx.de, felix.lech...@lease-up.com

To fix this problem, the auth_rpcgss kernel module must only be loaded if it is not already loaded. Otherwise, the auth-rpcgss-module service will fail inside a Linux container as the loading of kernel modules is forbidden for the container. Thus, the "/sbin/modprobe -q auth_rpcgss" call will fail even if the auth_rpcgss kernel module was already loaded. This has been tested with kmod up to version 28-1 (current in bullseye as of 2021-03-11). This situation occurs when the container host already loaded the auth_rpcgss kernel module to enable kerberized NFS service for its containers.

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  40401  mountd
    100005    1   tcp  58455  mountd
    100005    2   udp  49124  mountd
    100005    2   tcp  60609  mountd
    100005    3   udp  47861  mountd
    100005    3   tcp  51113  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100003    3   udp   2049  nfs
    100227    3   udp   2049
    100021    1   udp  47640  nlockmgr
    100021    3   udp  47640  nlockmgr
    100021    4   udp  47640  nlockmgr
    100021    1   tcp  33781  nlockmgr
    100021    3   tcp  33781  nlockmgr
    100021    4   tcp  33781  nlockmgr
-- /etc/default/nfs-common --
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
RPCGSSDOPTS=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = jfalk.de
Local-Realms = JFAD.JFALK.DE
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --
nfs.jfalk.de:/home /home nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/local /local nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/opt /opt nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0
nfs.jfalk.de:/bulk-data /bulk-data nfs4 sec=krb5p,nodev,nosuid,noatime,async 0 0

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (520, 'testing'), (500, 'testing-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-14-amd64 (SMP w/16 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nfs-common depends on:
ii  adduser              3.118
ii  keyutils             1.6.1-2
ii  libc6                2.31-9
ii  libcap2              1:2.44-1
ii  libcom-err2          1.46.1-1
ii  libdevmapper1.02.1   2:1.02.175-2.1
ii  libevent-2.1-7       2.1.12-stable-1
ii  libgssapi-krb5-2     1.18.3-4
ii  libkeyutils1         1.6.1-2
ii  libkrb5-3            1.18.3-4
ii  libmount1            2.36.1-7
ii  libnfsidmap2         0.25-6
ii  libtirpc3            1.3.1-1
ii  libwrap0             7.6.q-31
ii  lsb-base             11.1.0
ii  rpcbind              1.2.5-9
ii  ucf                  3.0043

Versions of packages nfs-common recommends:
pn  python  <none>

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

Versions of packages nfs-kernel-server depends on:
ii  keyutils      1.6.1-2
ii  libblkid1     2.36.1-7
ii  libc6         2.31-9
ii  libcap2       1:2.44-1
ii  libsqlite3-0  3.34.1-3
ii  libtirpc3     1.3.1-1
ii  libwrap0      7.6.q-31
ii  lsb-base      11.1.0
ii  netbase       6.2
ii  ucf           3.0043

-- no debconf information

Description: Only try to load the auth_rpcgss kernel module if it is not already loaded. Otherwise, the auth-rpcgss-module service might fail inside a Linux container where the loading of kernel modules is forbidden for the container. In this case, the "/sbin/modprobe -q auth_rpcgss" call will fail even if the auth_rpcgss kernel module was already loaded. This has been tested with kmod up to version 27+20200310-2. This situation occurs when the container host already loaded the auth_rpcgss kernel module to enable kerberized NFS service for its containers.
Author: Joachim Falk <joachim.f...@gmx.de>
--- a/systemd/auth-rpcgss-module.service.orig 2020-08-26 19:17:27.761451866 +0200 +++ b/systemd/auth-rpcgss-module.service 2020-08-26 19:18:16.988795354 +0200 @@ -13,4 +13,4 @@ [Service] Type=oneshot -ExecStart=/sbin/modprobe -q auth_rpcgss +ExecStart=/bin/sh -c '( /sbin/lsmod | grep -q "^auth_rpcgss\\>" ) || /sbin/modprobe -q auth_rpcgss'
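
Review bot: On the new "ExecStart=" line, the already-loaded check depends on "\>", a GNU grep word-boundary extension, and on the doubled backslash surviving both systemd's and the shell's quoting, which is fragile for a one-line unit. Testing for the sysfs entry instead, as in "[ -d /sys/module/auth_rpcgss ] || /sbin/modprobe -q auth_rpcgss" inside the same "/bin/sh -c", expresses the same condition without the lsmod pipeline or the escaping. Also note that when the host has not loaded the module, the unit still fails in the container because the modprobe fallback is unchanged; if that is the intended behaviour, the Description should say so, otherwise a "-" prefix on the command would let dependent units start anyway.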