Hello,
I have a cluster of machines running BIND that is chrooted on an NFS =
mounted partition.
I recently upgraded both my NFS server and clients to 2.4.23 due to the =
security issues. I was running 2.4.20 for my NFS server.
After doing this I found I could no longer start BIND, I would get the =
following error in syslog.
Dec 12 18:28:17 rs0 named[409]: errno2result.c:109: unexpected error:
Dec 12 18:28:17 rs0 named[409]: unable to convert errno to isc_result: =
116: Stale NFS file handle
Dec 12 18:28:17 rs0 named[409]: none:0: open: /etc/named.conf: =
unexpected error
Dec 12 18:28:17 rs0 named[409]: loading configuration: unexpected error
Dec 12 18:28:17 rs0 named[409]: exiting (due to fatal error)
If I was cded into the chrooted etc directory I would get the following =
error after doing an ls
/bin/ls: .: Stale NFS file handle
If I cd out and back into the etc directory all works as expected, until =
I try to start bind again.
I tried downgrading my NFS server back to 2.4.20 and I was able to start =
bind as expected. Next I tried 2.4.22 and got the same stale NFS handle =
problem. I then tried 2.4.21 and I was able to start bind as expected.
So there must have been some change between 2.4.21 and 2.4.22 that broke =
this functionality. Any ideas?
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs
> So there must have been some change between 2.4.21 and 2.4.22=20
> that broke this functionality. Any ideas?
I've done some more digging, apparently things broke with 2.4.22-pre1
In the kernel changelogs, the only NFS changes I see for pre1 are:
Neil Brown <[email protected]>:
o Handle concurrent failure of two drives in raid5
o Fix bug in /proc/mdstat
o Fix the check for execute permissions of parent directories in NFSd
o kNFSd: SVC sockets don't disable Nagle
o kNFSd: TCP nfsd connection hangs when partial record header is =
received
o kNFSd: Make sure an early close on a nfs/tcp connection is handled =
properly
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs
> I've done some more digging, apparently things broke with 2.4.22-pre1
Okay, I've found the diff that causes this problem. I removed it from =
the pre1 patch, and I was able to start named. That's about all I can =
do, no idea how to fix it:
diff -Naur -X /home/marcelo/lib/dontdiff linux-2.4.21/fs/nfsd/nfsfh.c =
linux-2.4.22-pre1/fs/nfsd/nfsfh.c
--- linux-2.4.21/fs/nfsd/nfsfh.c 2003-06-20 21:57:02.000000000 =
+0000
+++ linux-2.4.22-pre1/fs/nfsd/nfsfh.c 2003-06-20 21:59:08.000000000 =
+0000
@@ -697,33 +697,23 @@
error =3D 0;
if (!(exp->ex_flags & NFSEXP_NOSUBTREECHECK)) {
- if (exp->ex_dentry !=3D dentry) {
- struct dentry *tdentry =3D dentry;
+ struct dentry *tdentry =3D dentry;
- do {
- tdentry =3D tdentry->d_parent;
- if (exp->ex_dentry =3D=3D tdentry)
- break;
- /* executable only by root and we can't =
be root */
- if (current->fsuid
- && (exp->ex_flags & =
NFSEXP_ROOTSQUASH)
- && !(tdentry->d_inode->i_uid
- && (tdentry->d_inode->i_mode & =
S_IXUSR))
- && !(tdentry->d_inode->i_gid
- && (tdentry->d_inode->i_mode & =
S_IXGRP))
- && !(tdentry->d_inode->i_mode & =
S_IXOTH)
- ) {
- error =3D nfserr_stale;
- dprintk("fh_verify: no =
root_squashed access.\n");
- }
- } while ((tdentry !=3D tdentry->d_parent));
- if (exp->ex_dentry !=3D tdentry) {
- error =3D nfserr_stale;
- printk("nfsd Security: %s/%s bad =
export.\n",
- dentry->d_parent->d_name.name,
- dentry->d_name.name);
- goto out;
- }
+ while (tdentry !=3D exp->ex_dentry && !IS_ROOT(tdentry)) =
{
+ struct dentry *parent =3D tdentry->d_parent;
+
+ /* make sure parents give x permission to user =
*/
+ error =3D permission(parent->d_inode, MAY_EXEC);
+ if (error)
+ break;
+ tdentry =3D parent;
+ }
+ if (exp->ex_dentry !=3D tdentry) {
+ error =3D nfserr_stale;
+ printk("fh_verify: no root_squashed access at =
%s/%s.\n",
+ dentry->d_parent->d_name.name,
+ dentry->d_name.name);
+ goto out;
}
}
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs
> if (!(exp->ex_flags & NFSEXP_NOSUBTREECHECK)) {
So giving 'no_subtree_check' as export option (man exports) should work as
well, shouldn't it? Due to the problems already described on this list, I
recently set this option to all rw-exported filesystems.
Cheers,
Bernd
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs
Thanks, that did the trick!
On a higher level, should this be part of the How-to's trouble shooting =
guide?
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Sunday, December 14, 2003 9:46 AM
> To: Jeremy Kusnetz; [email protected]
> Subject: Re: [NFS] RE: Chrooted BIND broke on NFS server=20
> between kernel
> 2.4.21 and 2.4.22
>=20
>=20
> > if (!(exp->ex_flags & NFSEXP_NOSUBTREECHECK)) {
>=20
> So giving 'no_subtree_check' as export option (man exports)=20
> should work as=20
> well, shouldn't it? Due to the problems already described on=20
> this list, I=20
> recently set this option to all rw-exported filesystems.
>=20
> Cheers,
> Bernd
>=20
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs