Hi,
we got a strange security issue when connecting a Solaris NFS client to
Gluster volumes
Initially, we tried to share a volume between a Linux Client (10.1.99.200)
and a Solaris Client (10.1.99.201)
We create this volume
[root at llsmagfs001a glusterfs]# gluster volume info vol1
Volume Name: vol1
Type: Distribute
Volume ID: 4abcee08-6172-441a-851b-53becb77c281
Status: Started
Number of Bricks: 1
Transport-type: tcp
Bricks:
Brick1: llsmagfs001a.cloud.testsc.sc:/export/vol1
Options Reconfigured:
diagnostics.client-log-level: DEBUG
diagnostics.brick-log-level: DEBUG
auth.allow: 10.1.99.200
nfs.rpc-auth-allow: 10.1.99.201
diagnostics.client-sys-log-level: WARNING
diagnostics.brick-sys-log-level: WARNING
The volume is exported only for the Solaris client (via
nfs.rpc-auth-allow)
[root at llsmagfs001a glusterfs]# showmount -e 10.1.99.202
Export list for 10.1.99.202:
/vol1 10.1.99.201
If we try to mount this volume via NFS from the Linux client, we receive
an access denied as expected
[root at llsmaofr001a mnt]# ifconfig eth0 | grep "inet addr"
inet addr:10.1.99.200 Bcast:10.1.99.255 Mask:255.255.254.0
[root at llsmaofr001a mnt]# mount -t nfs -o vers=3 10.1.99.202:/vol1
/mnt/vol1
mount.nfs: access denied by server while mounting 10.1.99.202:/vol1
But if we try to mount this volume from another Solaris Client
(10.1.98.66), we do not receive an access denied
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232
index 1
inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.1.98.66 netmask fffffe00 broadcast 10.1.99.255
ether 0:14:4f:5e:32:aa
# mount -o vers=3 nfs://10.1.99.202/vol1 /mnt
# mount | grep nfs
/mnt on nfs://10.1.99.202/vol1
remote/read/write/setuid/devices/vers=3/xattr/dev=594001d on Thu Oct 10
11:48:15 2013
# echo "test from solaris" > /mnt/test.solaris
# ls /mnt
test.solaris
Tested with
- Solaris 10 and Solaris 11
- RHEL6
- GlusterFS 3.3.1-1, GlusterFS 3.4.0-2 and GlusterFS 3.4.1-2
Do we have to set another option to enforce rpc auth for Solaris Client ?
Debug message (when trying to mount the volume from the linux client via
NFS)
[2013-10-10 10:14:07.578302] D [socket.c:463:__socket_rwv]
0-socket.nfs-server: would have passed zero length to read/write
[2013-10-10 10:14:07.579045] D [socket.c:486:__socket_rwv]
0-socket.nfs-server: EOF on socket
[2013-10-10 10:14:07.579078] D [socket.c:2236:socket_event_handler]
0-transport: disconnecting now
[2013-10-10 10:14:07.587459] D [socket.c:463:__socket_rwv]
0-socket.nfs-server: would have passed zero length to read/write
[2013-10-10 10:14:07.588021] D [socket.c:486:__socket_rwv]
0-socket.nfs-server: EOF on socket
[2013-10-10 10:14:07.588076] D [socket.c:2236:socket_event_handler]
0-transport: disconnecting now
[2013-10-10 10:14:07.589570] D [socket.c:463:__socket_rwv]
0-socket.nfs-server: would have passed zero length to read/write
[2013-10-10 10:14:07.590260] D [mount3.c:912:mnt3svc_mnt] 0-nfs-mount:
dirpath: /vol1
[2013-10-10 10:14:07.590293] D [mount3.c:855:mnt3_find_export]
0-nfs-mount: dirpath: /vol1
[2013-10-10 10:14:07.590309] D [mount3.c:749:mnt3_mntpath_to_export]
0-nfs-mount: Found export volume: vol1
[2013-10-10 10:14:07.590339] I [mount3.c:787:mnt3_check_client_net]
0-nfs-mount: Peer 10.1.99.200:860 not allowed
[2013-10-10 10:14:07.590353] D [mount3.c:934:mnt3svc_mnt] 0-nfs-mount:
Client mount not allowed
[2013-10-10 10:14:07.591104] D [socket.c:486:__socket_rwv]
0-socket.nfs-server: EOF on socket
[2013-10-10 10:14:07.591171] D [socket.c:2236:socket_event_handler]
0-transport: disconnecting now
Debug message (when trying to mount the volume from the solaris client via
NFS)
[2013-10-10 10:17:15.444951] D
[nfs3-helpers.c:1641:nfs3_log_fh_entry_call] 0-nfs-nfsv3: XID: 5250f479,
LOOKUP: args: FH: exportid 00000000-0000-0000-0000-000000000000, gfid
00000000-0000-0000-0000-000000000000, name: vol1
[2013-10-10 10:17:15.446010] D [nfs3-helpers.c:3458:nfs3_log_newfh_res]
0-nfs-nfsv3: XID: 5250f479, LOOKUP: NFS: 0(Call completed successfully.),
POSIX: 117(Structure needs cleaning), FH: exportid
4abcee08-6172-441a-851b-53becb77c281, gfid
00000000-0000-0000-0000-000000000001
[2013-10-10 10:17:15.446539] D
[nfs3-helpers.c:1641:nfs3_log_fh_entry_call] 0-nfs-nfsv3: XID: 5250f478,
LOOKUP: args: FH: exportid 00000000-0000-0000-0000-000000000000, gfid
00000000-0000-0000-0000-000000000000, name: vol1
[2013-10-10 10:17:15.447234] D [nfs3-helpers.c:3458:nfs3_log_newfh_res]
0-nfs-nfsv3: XID: 5250f478, LOOKUP: NFS: 0(Call completed successfully.),
POSIX: 117(Structure needs cleaning), FH: exportid
4abcee08-6172-441a-851b-53becb77c281, gfid
00000000-0000-0000-0000-000000000001
[2013-10-10 10:17:15.448077] D [socket.c:486:__socket_rwv]
0-socket.nfs-server: EOF on socket
[2013-10-10 10:17:15.448133] D [socket.c:2236:socket_event_handler]
0-transport: disconnecting now
[2013-10-10 10:17:15.469271] D [nfs3-helpers.c:1627:nfs3_log_common_call]
0-nfs-nfsv3: XID: 5ed48474, FSINFO: args: FH: exportid
4abcee08-6172-441a-851b-53becb77c281, gfid
00000000-0000-0000-0000-000000000001
[2013-10-10 10:17:15.469601] D [nfs3-helpers.c:3389:nfs3_log_common_res]
0-nfs-nfsv3: XID: 5ed48474, FSINFO: NFS: 0(Call completed successfully.),
POSIX: 117(Structure needs cleaning)
[2013-10-10 10:17:15.470341] D [nfs3-helpers.c:1627:nfs3_log_common_call]
0-nfs-nfsv3: XID: 5ed48475, FSSTAT: args: FH: exportid
4abcee08-6172-441a-851b-53becb77c281, gfid
00000000-0000-0000-0000-000000000001
[2013-10-10 10:17:15.471159] D [nfs3-helpers.c:3389:nfs3_log_common_res]
0-nfs-nfsv3: XID: 5ed48475, FSSTAT: NFS: 0(Call completed successfully.),
POSIX: 117(Structure needs cleaning)
Regards,
Olivier
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://supercolony.gluster.org/pipermail/gluster-users/attachments/20131010/1e818bc6/attachment.html>
