Bug#887520: nbd-client: does not connect if export is named "server-media"

2018-01-19 Thread Gregor Zattler 
Hi Wouter,
* Wouter Verhelst  [2018-01-18; 23:42]:
> On Thu, Jan 18, 2018 at 12:01:48AM +0100, Gregor Zattler wrote:
>> $ sudo nbd-client  -name "server-media" shi /dev/nbd1
>> Negotiation: ..Error: Read failed: End of file
>> Exiting.
>
> What does your syslog say at that point in time? nbd-server should log
> something when it fails.

I changed the config to "server-media" as name for the export and
did a 'sudo systemctl restart nbd-server.service' on the server and
then I connected from the client via 'sudo nbd-client -name "server-media" shi 
/dev/nbd1': 

Jan 19 11:05:55 shi nbd-server[20236]: Stopping Network Block Device server: 
nbd-server.
Jan 19 11:05:55 shi nbd-server[20239]:  nbd-server.
Jan 19 11:06:13 shi nbd_server[20241]: Spawned a child process
Jan 19 11:06:13 shi nbd_server[20257]: Connection not allowed (unknown by 
parent?!?)
Jan 19 11:06:13 shi nbd_server[20257]: Modern initial negotiation failed
Jan 19 11:06:13 shi nbd_server[20241]: Child exited with 1

Then I changed the name of the export back to "shi-media", did
the same to restart and connected from the client to shi-media:

Jan 19 11:08:16 shi nbd-server[20597]: Stopping Network Block Device server: 
nbd-server.
Jan 19 11:08:16 shi nbd-server[20599]:  nbd-server.
Jan 19 11:08:23 shi nbd_server[20601]: Spawned a child process
Jan 19 11:08:23 shi nbd_server[20615]: virtstyle ipliteral
Jan 19 11:08:23 shi nbd_server[20615]: connect from 192.168.1.22, assigned file 
is /dev/sda5
Jan 19 11:08:23 shi nbd_server[20615]: No authorization file, granting access.
Jan 19 11:08:23 shi nbd_server[20615]: Size of exported file/device is 
966367641600
Jan 19 11:08:23 shi nbd_server[20615]: Starting to serve


In order to get the above excerpt of syslog I did 'sudo grep nbd
/var/log/syslog' on the server.


HTH and thanks for looking into this.  ATM I'm hearing music
thanks to your nbd related efforts.Regards, Gregor

Bug#887520: nbd-client: does not connect if export is named "server-media"

2018-01-18 Thread Wouter Verhelst 
On Thu, Jan 18, 2018 at 12:01:48AM +0100, Gregor Zattler wrote:
> $ sudo nbd-client  -name "server-media" shi /dev/nbd1
> Negotiation: ..Error: Read failed: End of file
> Exiting.

What does your syslog say at that point in time? nbd-server should log
something when it fails.

Thanks,

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
 Hacklab

Bug#887520: nbd-client: does not connect if export is named "server-media"

2018-01-17 Thread Gregor Zattler 
Hi Wouter,
* Wouter Verhelst  [2018-01-17; 18:33]:
> On Wed, Jan 17, 2018 at 06:12:59PM +0100, Gregor Zattler wrote:
>> There is a nbd server version 1:3.16.2-1 running on a debian
>> testing/buster server with amongst others this definition of an
>> export in /etc/nbd-server/config:
>> 
>> [server-media]
>> exportname = /dev/sda5
>
> If you're doing that, you need to ensure that the NBD server has access
> to /dev/sda5, at least read access (but possibly write access, too). Out
> of the box, this is not possible (you can export files too).
>
> In order to do so, you have two options:
>
> - Either tell udev to change ownership and/or permissions of /dev/sda5
>   so that a process running as the "nbd" user and/or group can read (and
>   possibly write) to the device;
> - Or comment out or change the "user" and/or "group" setting in the
>   configuration file, so that the user and/or group are no longer set to
>   "nbd" but instead to "disk" or left as "root".
>
> If you don't do either of those, then the nbd-server will not have
> access to the partitions and cannot possibly export it.
>
>> flush = true
>> fua = true
>> 
>> When I connect to this export with nbd-client version 1:3.15.2-3
>> from a debian stretch system I get:
>> 
>> $ sudo nbd-client  -name server-media shi /dev/nbd1
>> Negotiation: ..Error: Read failed: End of file
>> Exiting.
>
> This is the normal error message you get when the server cannot access
> the device in question.

IMHO this is not a permissions problem, as shown with this log of
my actions:

on server (shi):
$ egrep "user|group" /etc/nbd-server/config
# If you want to run everything as root rather than the nbd user, you
user = nbd
group = nbd
$ sudo systemctl restart nbd-server.service
$ ls -l /dev/sda*|grep nbd
brw-rw 1 root nbd  8, 5 Jan 17 23:44 /dev/sda5
brw-rw 1 root nbd  8, 6 Jan 17 17:48 /dev/sda6

on client (len):
$ sudo nbd-client -l shi
Negotiation: ..
crypt-server-backup
shi-media
$ sudo nbd-client  -name "shi-media" shi /dev/nbd1
Negotiation: ..size = 921600MB
bs=1024, sz=966367641600 bytes

now on server again:
$ sudo sed -i -e "s/shi-media/server-media/" /etc/nbd-server/config
$ sudo systemctl restart nbd-server.service
$ ls -l /dev/sda*|grep nbd
brw-rw 1 root nbd  8, 5 Jan 17 23:50 /dev/sda5
brw-rw 1 root nbd  8, 6 Jan 17 17:48 /dev/sda6

back to client:
$ sudo nbd-client -l shi
Negotiation: ..
crypt-server-backup
server-media
$ sudo nbd-client  -name "server-media" shi /dev/nbd1
Negotiation: ..Error: Read failed: End of file
Exiting.

what happened to the permissions on the server?:
$ ls -l /dev/sda*|grep nbd
brw-rw 1 root nbd  8, 5 Jan 17 23:50 /dev/sda5
brw-rw 1 root nbd  8, 6 Jan 17 17:48 /dev/sda6


Now on server I change my nbd-server config not to use nbd as
user/group:

$ egrep "user|group" /etc/nbd-server/config
# If you want to run everything as root rather than the nbd user, you
#   user = nbd
#   group = nbd
$ sudo chgrp disk /dev/sda5
$ ls -l /dev/sda5
brw-rw 1 root disk 8, 5 Jan 17 23:50 /dev/sda5
$ sudo systemctl restart nbd-server.service

and back to client:
$ sudo nbd-client -l shi
Negotiation: ..
crypt-server-backup
server-media
$ sudo nbd-client -c /dev/nbd1 || echo not connected
not connected
$ sudo nbd-client  -name "server-media" shi /dev/nbd1
Negotiation: ..Error: Read failed: End of file
Exiting.


Changing the exports name helps while changing the user/group does
not help with this problem.


>> When I rename this export on the server to "shi-media", restart the
>> nbd-server.service and do:
>> 
>> $ sudo nbd-client  -name shi-media shi /dev/nbd1
>> Negotiation: ..size = 921600MB
>> bs=1024, sz=966367641600 bytes
>
> I suspect that something changed related to permissions in between the
> two runs, and that that, rather than the name change, is responsible for
> it succeeding the second time.
>
>> I would assume this bug applies to all export names beginning
>> with "server-".
>> 
>> It should be possible to use export names beginning with
>> "server-" or at least this restriction should be documented.
>
> There is no such restriction. The only restrictions existing for export
> names are one of length (4096 bytes maximum, although "only" 256 should
> be used if one desires to remain compatible with other implementations)
> and a practical one of legal characters for section headers implemented
> by glib's GKeyFile API.

Thanks for looking into this.

Ciao; Gregor
-- 
 -... --- .-. . -.. ..--.. ...-.-

Bug#887520: nbd-client: does not connect if export is named "server-media"

2018-01-17 Thread Wouter Verhelst 
Hi Gregor,

On Wed, Jan 17, 2018 at 06:12:59PM +0100, Gregor Zattler wrote:
> Package: nbd-client
> Version: 1:3.15.2-3
> Severity: normal
> 
> Dear Maintainer,
> 
> I do not know if this is a nbd-client or nbd-server related bug:
> 
> There is a nbd server version 1:3.16.2-1 running on a debian
> testing/buster server with amongst others this definition of an
> export in /etc/nbd-server/config:
> 
> [server-media]
> exportname = /dev/sda5

If you're doing that, you need to ensure that the NBD server has access
to /dev/sda5, at least read access (but possibly write access, too). Out
of the box, this is not possible (you can export files too).

In order to do so, you have two options:

- Either tell udev to change ownership and/or permissions of /dev/sda5
  so that a process running as the "nbd" user and/or group can read (and
  possibly write) to the device;
- Or comment out or change the "user" and/or "group" setting in the
  configuration file, so that the user and/or group are no longer set to
  "nbd" but instead to "disk" or left as "root".

If you don't do either of those, then the nbd-server will not have
access to the partitions and cannot possibly export it.

> flush = true
> fua = true
> 
> When I connect to this export with nbd-client version 1:3.15.2-3
> from a debian stretch system I get:
> 
> $ sudo nbd-client  -name server-media shi /dev/nbd1
> Negotiation: ..Error: Read failed: End of file
> Exiting.

This is the normal error message you get when the server cannot access
the device in question.

> When I rename this export on the server to "shi-media", restart the
> nbd-server.service and do:
> 
> $ sudo nbd-client  -name shi-media shi /dev/nbd1
> Negotiation: ..size = 921600MB
> bs=1024, sz=966367641600 bytes

I suspect that something changed related to permissions in between the
two runs, and that that, rather than the name change, is responsible for
it succeeding the second time.

> I would assume this bug applies to all export names beginning
> with "server-".
> 
> It should be possible to use export names beginning with
> "server-" or at least this restriction should be documented.

There is no such restriction. The only restrictions existing for export
names are one of length (4096 bytes maximum, although "only" 256 should
be used if one desires to remain compatible with other implementations)
and a practical one of legal characters for section headers implemented
by glib's GKeyFile API.

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
 Hacklab

Bug#887520: nbd-client: does not connect if export is named "server-media"

2018-01-17 Thread Gregor Zattler 
Package: nbd-client
Version: 1:3.15.2-3
Severity: normal

Dear Maintainer,

I do not know if this is a nbd-client or nbd-server related bug:

There is a nbd server version 1:3.16.2-1 running on a debian
testing/buster server with amongst others this definition of an
export in /etc/nbd-server/config:

[server-media]
exportname = /dev/sda5
flush = true
fua = true

When I connect to this export with nbd-client version 1:3.15.2-3
from a debian stretch system I get:

$ sudo nbd-client  -name server-media shi /dev/nbd1
Negotiation: ..Error: Read failed: End of file
Exiting.

When I rename this export on the server to "shi-media", restart the
nbd-server.service and do:

$ sudo nbd-client  -name shi-media shi /dev/nbd1
Negotiation: ..size = 921600MB
bs=1024, sz=966367641600 bytes

I would assume this bug applies to all export names beginning
with "server-".

It should be possible to use export names beginning with
"server-" or at least this restriction should be documented.

Thanks for providing and maintaining nbd.


Ciao; Gregor 



-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en_US:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nbd-client depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  libc6  2.24-11+deb9u1
ii  libgnutls303.5.8-5+deb9u3

nbd-client recommends no packages.

nbd-client suggests no packages.

-- Configuration Files:
/etc/nbdtab changed:
nbd0 shi crypt-server-backup
nbd1 shi server-media


-- debconf information:
  nbd-client/no-auto-config:
  nbd-client/killall_set: