[LUNA] NFS on unprivileged ports ....
Branden Harper
bharper at chaosweb.us
Tue Aug 26 14:51:05 CDT 2014
Well, that option was _right below_ the options I pasted and I missed
it. I need to learn to read. :)
On Tue, Aug 26, 2014 at 2:43 PM, William A. Mahaffey III <wam at hiwaay.net> wrote:
>
> & we have a winner .... actual changes:
>
>
> in /etc/rc.conf:
>
> weak_mountd_authentication="yes"
>
> followed by:
>
> # service mountd forcerestart
>
> & I am off to the races !!!! *Booooyah* !!!!
>
>
> On 08/26/14 14:16, Branden Harper wrote:
>>
>> According to /etc/defaults/rc.conf , you can set the mountd_flags option.
>>
>> defaults:
>> mountd_enable="NO" # Run mountd (or NO).
>> mountd_flags="-r" # Flags to mountd (if NFS server enabled).
>>
>>
>> On Tue, Aug 26, 2014 at 2:16 PM, William A. Mahaffey III <wam at hiwaay.net>
>> wrote:
>>>
>>>
>>> '-n' is indeed an option, I could (easily) edit the rc.d/mountd file, but
>>> then I would have to remember to redo that every upgrade .... There
>>> doesn't
>>> seem to be any way to pass that option in .... I could try to 'correct'
>>> the
>>> other box, but it is a VM running on an FC14 box, I think that has
>>> something
>>> to do w/ it ....
>>>
>>>
>>> The linux boxen seem to allow it automatically, have for years now (at
>>> least
>>> on my LAN, all w/ *old* distros, FC14 era ....)
>>>
>>>
>>>
>>> On 08/26/14 10:05, Bob Nance wrote:
>>>>
>>>> Go look at your “mountd” options and see if there is one that allows
>>>> connections from an unprivileged port (a port higher that 1024, as all
>>>> ports
>>>> under 1024 can only be opened by a “root” level account/process). It’s
>>>> likely that it is NOT an option. I think at least one BSD build of
>>>> mountd
>>>> offered a “-n” option, but I don’t think it’s there in any of the Linux
>>>> distros.
>>>>
>>>> The real fix would be to get the offending connection to use the right
>>>> port. Can you make it a system-based mount instead of a user-environment
>>>> mount? That might fix it by allowing the NFS mount program to use a port
>>>> lower than 1024.
>>>>
>>>> -Bob
>>>>
>>>>
>>>>
>>>> ---
>>>> Bob Nance
>>>> Novation Systems
>>>> bob.nance at novationsys.com
>>>> 256-534-4620
>>>>
>>>> On Aug 26, 2014, at 9:30 AM, William A. Mahaffey III <wam at HiWAAY.net>
>>>> wrote:
>>>>
>>>>> .... I have nfsd running on my FBSD 9.3 desktop, exporting /home (~3.6
>>>>> TiB). I can mount/see/use it from all other machines on my LAN (all
>>>>> Linux
>>>>> boxen) *except* for a CentOS 5.n VM running on one of the other boxen.
>>>>> When
>>>>> the VM tries to (auto)mount the exported partition on the FBSD box
>>>>> ('jaguar'), I get the following (from earlier this A.M.):
>>>>>
>>>>>
>>>>> [root at centos-5:/etc, Tue Aug 26, 06:28 AM] 1008 # lf /net/jaguar/home/
>>>>> /net/q6600/home/ /net/opty165a/work/ /net/opty165a/home/
>>>>> /net/cube/home/
>>>>> ls: /net/jaguar/home/: No such file or directory
>>>>> /net/cube/home/:
>>>>> Opty165A/ Q6600/ VMs/ archive/ lost+found/ makedepend* pub/ wam/
>>>>>
>>>>> /net/opty165a/home/:
>>>>> FTP/ RPMs/ SGI/ archive/ lost+found/ rsync/ wam/
>>>>>
>>>>> /net/opty165a/work/:
>>>>> FTP/ ISOs/ RPMs/ VMs/ archive/ lost+found/ vmware/ wam/
>>>>>
>>>>> /net/q6600/home/:
>>>>> FTP/ ISOs/ VMs/ archive/ lost+found/ rsync/ wam/ work/
>>>>> [root at centos-5:/etc, Tue Aug 26, 06:29 AM] 1009 # df ; w ; /sbin/swapon
>>>>> -s ; free -m ; uname -a ; hwclock -r; date
>>>>> Filesystem Type 1K-blocks Used Available Use% Mounted on
>>>>> /dev/mapper/VolGroup00-LogVol00
>>>>> ext3 46691248 7505344 36775820 17% /
>>>>> /dev/hda1 ext3 101086 26854 69013 29% /boot
>>>>> tmpfs tmpfs 1029372 0 1029372 0% /dev/shm
>>>>> q6600:/home nfs 1906370560 1025951744 783581184 57%
>>>>> /net/q6600/home
>>>>> opty165a:/work nfs 480719104 410868736 45431040 91%
>>>>> /net/opty165a/work
>>>>> opty165a:/home nfs 473086208 351912192 96754944 79%
>>>>> /net/opty165a/home
>>>>> cube:/home nfs 155794432 143113728 4638976 97% /net/cube/home
>>>>> 06:29:20 up 121 days, 12:12, 3 users, load average: 0.04, 0.02, 0.00
>>>>> USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
>>>>> wam pts/0 192.168.122.1 Thu07 46:20m 1.96s 1.96s -tcsh
>>>>> root pts/1 192.168.122.1 Sun08 46:11m 0.09s 0.09s -bash
>>>>> root pts/2 192.168.122.1 Sun08 0.00s 0.09s 0.08s -bash
>>>>> Filename Type Size Used
>>>>> Priority
>>>>> /dev/mapper/VolGroup00-LogVol01 partition 4095992 76
>>>>> -1
>>>>> total used free shared buffers cached
>>>>> Mem: 2010 1891 118 0 327 943
>>>>> -/+ buffers/cache: 620 1389
>>>>> Swap: 3999 0 3999
>>>>> Linux centos-5.6-vm 2.6.18-371.8.1.el5.centos.plus #1 SMP Thu Apr 24
>>>>> 18:32:18 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>> Tue Aug 26 06:29:28 2014 -1.008094 seconds
>>>>> Tue Aug 26 06:29:21 CDT 2014
>>>>> [root at centos-5:/etc, Tue Aug 26, 06:29 AM] 1010 #
>>>>>
>>>>>
>>>>> i.e., it can see all other exported partitions except the FBSD
>>>>> (jaguar).
>>>>> On the FBSD box, I get the following:
>>>>>
>>>>>
>>>>>
>>>>> [root at kabini1, /etc, 6:24:31am] 708 % grep vfs LIST.sysctl-A.txt |
>>>>> grep
>>>>> nfs | grep priv
>>>>> vfs.nfsd.nfs_privport: 0
>>>>> [root at kabini1, /etc, 6:24:50am] 709 % service mountd status
>>>>> Cannot 'status' mountd. Set mountd_enable to YES in /etc/rc.conf or use
>>>>> 'onestatus' instead of 'status'.
>>>>> [root at kabini1, /etc, 6:26:08am] 710 % service mountd onestatus
>>>>> mountd is running as pid 718.
>>>>> [root at kabini1, /etc, 6:26:16am] 711 % ps -aux | grep mountd
>>>>> root 718 0.0 0.0 16180 3836 ?? Is 15Aug14 0:00.03
>>>>> /usr/sbin/mountd -r
>>>>> root 51859 0.0 0.0 16332 2024 10 S+ 6:26AM 0:00.00 grep
>>>>> mountd
>>>>> wam 51820 0.0 0.0 14544 2428 17 I+ 6:22AM 0:00.01
>>>>> /bin/sh
>>>>> /usr/bin/man mountd
>>>>> [root at kabini1, /etc, 6:26:35am] 712 % grep -i mountd rc.d/*
>>>>> rc.d/mountd:# $FreeBSD: releng/9.3/etc/rc.d/mountd 231792 2012-02-15
>>>>> 22:59:15Z dougb $
>>>>> rc.d/mountd:# PROVIDE: mountd
>>>>> rc.d/mountd:name="mountd"
>>>>> rc.d/mountd:rcvar="mountd_enable"
>>>>> rc.d/mountd:start_precmd="mountd_precmd"
>>>>> rc.d/mountd:mountd_precmd()
>>>>> rc.d/mountd: # mountd flags will differ depending on rc.conf
>>>>> settings
>>>>> rc.d/mountd: if checkyesno weak_mountd_authentication; then
>>>>> rc.d/mountd: rc_flags="${mountd_flags} -n"
>>>>> rc.d/mountd: if checkyesno mountd_enable; then
>>>>> rc.d/mountd: checkyesno weak_mountd_authentication
>>>>> &&
>>>>> rc_flags="-n"
>>>>> rc.d/mountd: rm -f /var/db/mountdtab
>>>>> rc.d/mountd: ( umask 022 ; > /var/db/mountdtab ) ||
>>>>> rc.d/mountd: err 1 'Cannot create /var/db/mountdtab'
>>>>> rc.d/nfsd:# REQUIRE: mountd hostname gssd nfsuserd
>>>>> rc.d/nfsd: force_depend mountd || return 1
>>>>> [root at kabini1, /etc, 6:27:19am] 713 % (tail -10 /var/log/messages ;
>>>>> date)
>>>>> Aug 24 08:09:44 kabini1 mountd[718]: mount request from 192.168.0.9
>>>>> from
>>>>> unprivileged port
>>>>> Aug 24 08:18:12 kabini1 mountd[718]: mount request from 192.168.0.9
>>>>> from
>>>>> unprivileged port
>>>>> Aug 24 08:18:51 kabini1 su: wam to root on /dev/pts/19
>>>>> Aug 24 08:52:04 kabini1 mountd[718]: mount request from 192.168.0.9
>>>>> from
>>>>> unprivileged port
>>>>> Aug 24 09:10:23 kabini1 ntpd[804]: time reset +0.186836 s
>>>>> Aug 24 11:37:21 kabini1 dbus[738]: [system] Failed to activate service
>>>>> 'org.freedesktop.Avahi': timed out
>>>>> Aug 24 11:38:57 kabini1 dbus[738]: [system] Failed to activate service
>>>>> 'org.freedesktop.Avahi': timed out
>>>>> Aug 24 11:40:21 kabini1 dbus[738]: [system] Failed to activate service
>>>>> 'org.freedesktop.Avahi': timed out
>>>>> Aug 24 11:48:49 kabini1 last message repeated 7 times
>>>>> Aug 26 06:29:25 kabini1 mountd[718]: mount request from 192.168.0.9
>>>>> from
>>>>> unprivileged port
>>>>> Tue Aug 26 06:30:14 CDT 2014
>>>>> [root at kabini1, /etc, 6:30:14am] 714 %
>>>>>
>>>>>
>>>>> i.e., the mount request from the VM is apparently coming in on an
>>>>> unprivileged port & the FBSD box's mountd is dropping/ignoring it. The
>>>>> other
>>>>> boxen handle it OK. I have ipfw dropping all such traffic *not*
>>>>> originating
>>>>> on my LAN, so I don't mind using the unprivileged port (I don't think
>>>>> there
>>>>> are any security issues). How do I get FBSD's nfsd/mountd to
>>>>> allow/handle
>>>>> the mount request on unprivileged ports ? TIA ....
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> William A. Mahaffey III
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> "The M1 Garand is without doubt the finest implement of war
>>>>> ever devised by man."
>>>>> -- Gen. George S. Patton Jr.
>>>>>
>>>>> _______________________________________________
>>>>> LUNA mailing list
>>>>> LUNA at lunagroup.us
>>>>> http://lunagroup.us/mailman/listinfo/luna
>>>>
>>>> _______________________________________________
>>>> LUNA mailing list
>>>> LUNA at lunagroup.us
>>>> http://lunagroup.us/mailman/listinfo/luna
>>>>
>>> --
>>>
>>> William A. Mahaffey III
>>>
>>> ----------------------------------------------------------------------
>>>
>>> "The M1 Garand is without doubt the finest implement of war
>>> ever devised by man."
>>> -- Gen. George S. Patton Jr.
>>>
>>> _______________________________________________
>>> LUNA mailing list
>>> LUNA at lunagroup.us
>>> http://lunagroup.us/mailman/listinfo/luna
>>
>> _______________________________________________
>> LUNA mailing list
>> LUNA at lunagroup.us
>> http://lunagroup.us/mailman/listinfo/luna
>>
>
> --
>
> William A. Mahaffey III
>
> ----------------------------------------------------------------------
>
> "The M1 Garand is without doubt the finest implement of war
> ever devised by man."
> -- Gen. George S. Patton Jr.
>
> _______________________________________________
> LUNA mailing list
> LUNA at lunagroup.us
> http://lunagroup.us/mailman/listinfo/luna
More information about the LUNA
mailing list