Setting up pkgsrc over NFS
Roy Marples
2018-11-12 13:11:58 UTC
I have this in /etc/exports:
/usr/src -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/xsrc -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/pkgsrc -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/obj.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/obj.pkgsrc.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=root

The last directory requires root writeable as it will be used for a chroot.
However, it doesn't show up in showmount -e on the host and trying to
mount it on the client prints:
mount_nfs: can't access /var/bulk.aarch64: Permission denied.

What did I do wrong here, or does root mapping just not work?

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2018-11-12 14:08:48 UTC
Post by Roy Marples
/usr/src -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/xsrc -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/pkgsrc -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/obj.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/obj.pkgsrc.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=root
The last directory requires root writeable as it will be used for a chroot.
However, it doesn't show up in showmount -e on the host and trying to
mount_nfs: can't access /var/bulk.aarch64: Permission denied.
What did I do wrong here, or does root mapping just not work?
I also have the -alldirs option for the export on my NFS server. I don't
think I need this though as I just have src, xsrc and pkgsrc as top
level directories on one filesystem and use symbolic links on client
machines.
Adding this does not resolve the two errors noted above.
What filesystems do those directories map onto on the local machine ?
ffs.

I should note that changing -maproot=root to -maproot=nobody allows the
mount to show and become mounted, but then I can't actually use it as a
chroot.

Roy

Jason Thorpe
2018-11-12 14:32:55 UTC
What filesystems do those directories map onto on the local machine ?
ffs.
I guess he means "which mount points"?
I should note that changing -maproot=root to -maproot=nobody allows the mount to show and become mounted, but then I can't actually use it as a chroot.
I suggest: top mountd, and run "mountd -d" from the command line -- seems like it's having some trouble with that specific line, and the debug messages should help determine what that is.

-- thorpej


Jason Thorpe
2018-11-12 14:35:07 UTC
Post by Jason Thorpe
top mountd
"stop"

-- thorpej


Robert Swindells
2018-11-12 13:24:54 UTC
Post by Roy Marples
/usr/src -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/xsrc -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/pkgsrc -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/obj.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/obj.pkgsrc.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=root
The last directory requires root writeable as it will be used for a chroot.
However, it doesn't show up in showmount -e on the host and trying to
mount_nfs: can't access /var/bulk.aarch64: Permission denied.
What did I do wrong here, or does root mapping just not work?
I also have the -alldirs option for the export on my NFS server. I don't
think I need this though as I just have src, xsrc and pkgsrc as top
level directories on one filesystem and use symbolic links on client
machines.

What filesystems do those directories map onto on the local machine ?


Roy Marples
2018-11-12 14:50:35 UTC
Post by Jason Thorpe
What filesystems do those directories map onto on the local machine ?
ffs.
I guess he means "which mount points"?
So in this case, I'm mounting /var/bulk.aarch64 from the server as
/var/bulk on the client.
Post by Jason Thorpe
I should note that changing -maproot=root to -maproot=nobody allows the mount to show and become mounted, but then I can't actually use it as a chroot.
I suggest: top mountd, and run "mountd -d" from the command line -- seems like it's having some trouble with that specific line, and the debug messages should help determine what that is.
Here's the relevant output:

Got line /var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=root -alldirs
Found ep fs=0x8e00,0x78b
doing opt -network 10.73.0.0 -mask 255.255.0.0 -maproot=root -alldirs
get_net: '10.73.0.0' v4 addr 490a
doing opt -mask 255.255.0.0 -maproot=root -alldirs
get_net: '255.255.0.0' v4 addr ffff
doing opt -maproot=root -alldirs
doing opt -alldirs
mountd[17234]: "/var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot", line 6: Can't change attributes for /var/bulk.aarch64 to 10.73.0.0: Operation not permitted
Getting mount list.
Here we go.

# ls -l /var | grep bulk.aarch64
drwxr-xr-x 2 root wheel 512 Nov 11 17:20 bulk.aarch64

Roy

Robert Swindells
2018-11-12 14:55:53 UTC
Post by Roy Marples
Post by Jason Thorpe
What filesystems do those directories map onto on the local machine ?
ffs.
I guess he means "which mount points"?
So in this case, I'm mounting /var/bulk.aarch64 from the server as
/var/bulk on the client.
That still doesn't tell us how /var/bulk.aarch64 maps to a mounted
filesystem on your server.

Roy Marples
2018-11-12 14:58:28 UTC
Post by Robert Swindells
Post by Roy Marples
Post by Jason Thorpe
What filesystems do those directories map onto on the local machine ?
ffs.
I guess he means "which mount points"?
So in this case, I'm mounting /var/bulk.aarch64 from the server as
/var/bulk on the client.
That still doesn't tell us how /var/bulk.aarch64 maps to a mounted
filesystem on your server.
/var or /var/bulk.aarch64 aren't mounted, so they are on /.

/dev/xbd0a on / type ffs (log, NFS exported, local)

Is that enough information?

Roy

Robert Swindells
2018-11-12 15:16:29 UTC
Post by Roy Marples
Post by Robert Swindells
Post by Roy Marples
Post by Jason Thorpe
What filesystems do those directories map onto on the local machine ?
ffs.
I guess he means "which mount points"?
So in this case, I'm mounting /var/bulk.aarch64 from the server as
/var/bulk on the client.
That still doesn't tell us how /var/bulk.aarch64 maps to a mounted
filesystem on your server.
/var or /var/bulk.aarch64 aren't mounted, so they are on /.
/dev/xbd0a on / type ffs (log, NFS exported, local)
Ok.
Post by Roy Marples
Is that enough information?
Yes.

If you are already exporting / you don't need to export subdirectories
as well. What else is in your /etc/exports ?

I'm guessing that the error you get is because / is exported with less
restrictions than those you are trying to enforce on the subdirectory
exports.

Jason Thorpe
2018-11-12 15:12:53 UTC
Post by Roy Marples
Post by Robert Swindells
That still doesn't tell us how /var/bulk.aarch64 maps to a mounted
filesystem on your server.
/var or /var/bulk.aarch64 aren't mounted, so they are on /.
/dev/xbd0a on / type ffs (log, NFS exported, local)
Is that enough information?
Well, combined with your other debug output:

"""
Got line /var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=root -alldirs
Found ep fs=0x8e00,0x78b
doing opt -network 10.73.0.0 -mask 255.255.0.0 -maproot=root -alldirs
get_net: '10.73.0.0' v4 addr 490a
doing opt -mask 255.255.0.0 -maproot=root -alldirs
get_net: '255.255.0.0' v4 addr ffff
doing opt -maproot=root -alldirs
doing opt -alldirs
mountd[17234]: "/var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot", line 6: Can't change attributes for /var/bulk.aarch64 to 10.73.0.0: Operation not permitted
Getting mount list.
Here we go.
"""

...my guess is that something else in your exports file resulted in the server's / becoming exported (note the "NFS exported" line you pasted above), and that's tripping up the /var/bulk.aarch64 entry because the user mapping attributes conflict.

Can you provide the entirety of the output of "mount" on the server?

-- thorpej


Roy Marples
2018-11-12 15:14:34 UTC
Post by Jason Thorpe
Post by Roy Marples
Post by Robert Swindells
That still doesn't tell us how /var/bulk.aarch64 maps to a mounted
filesystem on your server.
/var or /var/bulk.aarch64 aren't mounted, so they are on /.
/dev/xbd0a on / type ffs (log, NFS exported, local)
Is that enough information?
"""
Got line /var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=root -alldirs
Found ep fs=0x8e00,0x78b
doing opt -network 10.73.0.0 -mask 255.255.0.0 -maproot=root -alldirs
get_net: '10.73.0.0' v4 addr 490a
doing opt -mask 255.255.0.0 -maproot=root -alldirs
get_net: '255.255.0.0' v4 addr ffff
doing opt -maproot=root -alldirs
doing opt -alldirs
mountd[17234]: "/var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot", line 6: Can't change attributes for /var/bulk.aarch64 to 10.73.0.0: Operation not permitted
Getting mount list.
Here we go.
"""
...my guess is that something else in your exports file resulted in the server's / becoming exported (note the "NFS exported" line you pasted above), and that's tripping up the /var/bulk.aarch64 entry because the user mapping attributes conflict.
Can you provide the entirety of the output of "mount" on the server?
netbsd# mount
/dev/xbd0a on / type ffs (log, NFS exported, local)
kernfs on /kern type kernfs (local)
ptyfs on /dev/pts type ptyfs (local)
procfs on /proc type procfs (local)
tmpfs on /var/shm type tmpfs (local)
/home/roy/src/pkgsrc/packages on /var/spool/ftp/pub/pkgsrc/packages type null (read-only, local)
netbsd#



Jason Thorpe
2018-11-12 15:18:36 UTC
Post by Roy Marples
Post by Jason Thorpe
Post by Roy Marples
Post by Robert Swindells
That still doesn't tell us how /var/bulk.aarch64 maps to a mounted
filesystem on your server.
/var or /var/bulk.aarch64 aren't mounted, so they are on /.
/dev/xbd0a on / type ffs (log, NFS exported, local)
Is that enough information?
"""
Got line /var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=root -alldirs
Found ep fs=0x8e00,0x78b
doing opt -network 10.73.0.0 -mask 255.255.0.0 -maproot=root -alldirs
get_net: '10.73.0.0' v4 addr 490a
doing opt -mask 255.255.0.0 -maproot=root -alldirs
get_net: '255.255.0.0' v4 addr ffff
doing opt -maproot=root -alldirs
doing opt -alldirs
mountd[17234]: "/var/bulk.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot", line 6: Can't change attributes for /var/bulk.aarch64 to 10.73.0.0: Operation not permitted
Getting mount list.
Here we go.
"""
...my guess is that something else in your exports file resulted in the server's / becoming exported (note the "NFS exported" line you pasted above), and that's tripping up the /var/bulk.aarch64 entry because the user mapping attributes conflict.
Can you provide the entirety of the output of "mount" on the server?
netbsd# mount
/dev/xbd0a on / type ffs (log, NFS exported, local)
kernfs on /kern type kernfs (local)
ptyfs on /dev/pts type ptyfs (local)
procfs on /proc type procfs (local)
tmpfs on /var/shm type tmpfs (local)
/home/roy/src/pkgsrc/packages on /var/spool/ftp/pub/pkgsrc/packages type null (read-only, local)
netbsd#
Yup, ok, so that's the problem.

Export information is scoped to the mount point for the file system being exported. All of these entries in your exports file are basically redundant:

/usr/src -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/xsrc -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/pkgsrc -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/obj.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody
/usr/obj.pkgsrc.aarch64 -network 10.73.0.0 -mask 255.255.0.0 -maproot=nobody

...because they all are exporting the "/" file system. This is allowed because all of the export attributes are the same.

To do what you want, you need to have a completely separate file system / mount point for /var/bulk.aarch64.

-- thorpej
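
An added example, not code from the thread or from NetBSD: a small checker that groups /etc/exports entries by the server file system they live on and reports groups where the same client gets different -maproot/-mapall settings, which is the condition diagnosed above. The mount-point list and exports text are constructed from the output quoted in the thread, and the parser only understands the option forms used there.

```python
from collections import defaultdict

# Constructed inputs: mount points from the "mount" output in the thread and
# the /etc/exports lines from the first post.
MOUNT_POINTS = ["/", "/kern", "/dev/pts", "/proc", "/var/shm"]
NET = "-network 10.73.0.0 -mask 255.255.0.0"
EXPORTS = "\n".join(
    [f"{d} {NET} -maproot=nobody" for d in (
        "/usr/src", "/usr/xsrc", "/usr/pkgsrc",
        "/usr/obj.aarch64", "/usr/obj.pkgsrc.aarch64")]
    + [f"/var/bulk.aarch64 {NET} -maproot=root"])

def owning_mount(path, mount_points):
    """Return the longest mount point that contains path."""
    hits = [m for m in mount_points
            if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len, default="/")

def parse_line(line):
    """Split one exports line into (directories, client spec, options)."""
    dirs, client, opts = [], [], []
    tokens = iter(line.split())
    for tok in tokens:
        if tok.startswith("/"):
            dirs.append(tok)
        elif tok in ("-network", "-mask"):   # option followed by its value
            client.append(f"{tok} {next(tokens, '')}")
        elif tok.startswith("-"):
            opts.append(tok)
        else:
            client.append(tok)               # plain host name
    return dirs, " ".join(client), opts

def find_conflicts(exports_text, mount_points):
    """Map (file system, client) -> {directory: user mapping} where mappings differ."""
    seen = defaultdict(dict)
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        dirs, client, opts = parse_line(line)
        # Only the user-mapping options are compared, as in the thread's diagnosis.
        mapping = frozenset(o for o in opts if o.startswith(("-maproot", "-mapall")))
        for d in dirs:
            seen[owning_mount(d, mount_points), client][d] = mapping
    return {k: v for k, v in seen.items() if len(set(v.values())) > 1}

if __name__ == "__main__":
    for (fs, client), entries in find_conflicts(EXPORTS, MOUNT_POINTS).items():
        print(fs, client, {d: sorted(m) for d, m in entries.items()})
```

Adding "/var/bulk.aarch64" to the mount-point list, as if it were its own file system, makes the same exports text come back with no conflicts.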


Hauke Fath
2018-11-12 19:22:37 UTC
Post by Jason Thorpe
To do what you want, you need to have a completely separate file system /
mount point for /var/bulk.aarch64.
I use null mounts for exporting with differing credentials from the same
partition, but have been told it does not add to security.

Cheerio,
hauke


--
"It's never straight up and down" (DEVO)



Edgar Fuß
2018-11-12 15:15:07 UTC
Post by Roy Marples
/var or /var/bulk.aarch64 aren't mounted, so they are on /.
So in fact, you are exporting / several times, and the last of these
instances has conflicting options.
