Details

Reviewers

Commits

rS367423: Add support for the new mountd -R option.

Summary

r376026 added a new "-R" option to mountd, which tells it to
not support the Mount protocol (not used by NFSv4) and not
register with rpcbind.
Rpcbind is considered a security issue by some sites now.

This patch adds a new yes/no variable called nfsv4_server_only.
When that is set, make vfs.nfsd.server_min_vers=4 and set "=R"
for mountd.
Setting vfs.nfsd.server_min_vers=4 tells nfsd to not register with rpcbind.

Test Plan

Tested both nfsv4_server_only set to "NO" and "YES".
When set to "YES" everything seemed to work without
rpcbind running.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

rmacklem created this revision.Oct 25 2020, 12:10 AM

Herald added a subscriber: imp. · View Herald TranscriptOct 25 2020, 12:10 AM

rmacklem requested review of this revision.Oct 25 2020, 12:10 AM

Harbormaster completed remote builds in B34371: Diff 78728.Oct 25 2020, 12:10 AM

pi added a subscriber: pi.Oct 25 2020, 9:41 AM

0mp added a project: rc.Oct 25 2020, 2:39 PM

Seems fine in general, but I've not tested it.

etc/rc.d/mountd
27 ↗	(On Diff #78728)	I was wondering if `required_modules=nfsd` would work instead but required_modules is processed after precmd...

Well, if you are comfortable clicking "reviewed", I've added
you as a Reviewer.

0mp requested changes to this revision.Oct 26 2020, 7:28 AM

0mp added inline comments.

etc/rc.d/mountd
23 ↗	(On Diff #78728)	I wonder if this line is needed. rc_flags seems to be set to ${name}_flags by default. Test program: . /etc/rc.subr name=test rcvar=test_enable test_enable=yes test_flags="1 2 3" start_precmd="precmd" command=/bin/echo precmd() { echo rc_flags: "$rc_flags" } run_rc_command "$1" Results; rc_flags: 1 2 3 Starting test. 1 2 3
48 ↗	(On Diff #78728)	We are overriding rc_flags here. That's probably bad, isn't it?

This revision now requires changes to proceed.Oct 26 2020, 7:28 AM

Deleted the assignment of rc_flags as suggested.
I had assumed that nfs_server_enable would be YES
whenever nfsv4_server_only is YES, but that was not correct.

This version handles the case where nfsv4_server_only is YES
and nfs_server_enable is NO.
It also prints out a message when weak_mountd_authentication
and nfsv4_server_only are both YES, noting that
weak_mountd_authentication is being ignored.

Harbormaster completed remote builds in B34405: Diff 78792.Oct 26 2020, 10:49 PM

Marked inline comments as done and added an inline comment.

etc/rc.d/mountd
53 ↗	(On Diff #78792)	Yes, good point. I had assumed that nfs_server_enable would be YES whenever nfsv4_server_only is YES, but that assumption is not correct. This version checks for this case and also prints out a message if both nfsv4_server_only and weak_mountd_authentication are YES. (weak_mountd_authentication is meaningless if mountd isn't doing the Mount protocol.)

cy added a subscriber: cy.Oct 30 2020, 3:13 AM

0mp added inline comments.Nov 6 2020, 9:34 AM

etc/rc.d/mountd
26 ↗	(On Diff #78792)	Och, BTW, don't we want to exit here if we fail to load? I am not sure if that's already the case.
53 ↗	(On Diff #78792)	Hmm, wait. I might be mistaken, but I think you've addressed a different bug :D Shouldn't we have `rc_flags="${rc_flags} -n"` here to preserve flags set by the user? (But then, this is not part of this revision, so I guess we can address it next time)

Add checks for load_kld failing to both mountd and nfsd.
To be honest, nfsd has never had the check and, since
both /usr/sbin/mountd and /usr/sbin/nfsd do check for
nfsd.ko being loaded, checking in the rc.d script isn't
critical, I think?

Harbormaster completed remote builds in B34667: Diff 79266.Nov 6 2020, 4:07 PM

In D26938#605434, @rmacklem wrote:

Add checks for load_kld failing to both mountd and nfsd.
To be honest, nfsd has never had the check and, since
both /usr/sbin/mountd and /usr/sbin/nfsd do check for
nfsd.ko being loaded, checking in the rc.d script isn't
critical, I think?

True, I didn't know about it. It's probably better to fail as soon as possible anyway.

I think I've got no further comments regarding this revision :)

BTW, we should probably mention in the commit message why we add tlsclntd tlsservd.

This revision is now accepted and ready to land.Nov 6 2020, 4:11 PM

Oops, change specific to NFS over TLS slipped into last version.

This revision now requires review to proceed.Nov 6 2020, 4:14 PM

Harbormaster completed remote builds in B34668: Diff 79267.Nov 6 2020, 4:14 PM

Updated to remove change that is specific to NFS over TLS that
slipped into previous revision.

This revision was not accepted when it landed; it landed in state Needs Review.Nov 6 2020, 4:34 PM

Closed by commit rS367423: Add support for the new mountd -R option. (authored by rmacklem). · Explain Why

This revision was automatically updated to reflect the committed changes.

rmacklem added a commit: rS367423: Add support for the new mountd -R option..

Update mountd and nfsd rc.d scripts to use the "-R" option added by r375026
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 79268

head/libexec/rc/rc.conf

head/libexec/rc/rc.d/mountd

head/libexec/rc/rc.d/nfsd

Update mountd and nfsd rc.d scripts to use the "-R" option added by r375026ClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 79268

head/libexec/rc/rc.conf

head/libexec/rc/rc.d/mountd

head/libexec/rc/rc.d/nfsd

Update mountd and nfsd rc.d scripts to use the "-R" option added by r375026
ClosedPublic
Actions

Revision Contents
Changeset List