Fixes for bugs #985000 and #985002
[ Joachim Falk ]
- Fix kerberized NFS service inside Linux containers when the container host loads the auth_rpcgss kernel module to enable kerberized NFS service for its containers. (Closes: #985000)
To fix this problem, the auth_rpcgss kernel module must only be loaded if it is not already loaded. Otherwise, the auth-rpcgss-module service will fail inside a Linux container as the loading of kernel modules is forbidden for the container. Thus, the "/sbin/modprobe -q auth_rpcgss" call will fail even if the auth_rpcgss kernel module was already loaded. This has been tested with kmod up to version 28-1 (current in bullseye as of 2021-03-11). This situation occurs when the container host already loaded the auth_rpcgss kernel module to enable kerberized NFS service for its containers.
- Fix degraded system state if nfs-common installed and /etc/krb5.keytab present. (Closes: #985002)
The nfs-client.target requires the auth-rpcgss-module.service, which in turn requires rpc-svcgssd.service. However, the rpc.svcgssd daemon is not needed for an NFS client, even when using Kerberos security. Moreover, starting this daemon with its default configuration will fail when no nfs/@REALM principal is in the Kerberos keytab. This results in a degraded system state for NFS client configurations without nfs/@REALM principal in the Kerberos keytab. However, this is a perfectly valid NFS client configuration as the nfs/@REALM principal is not required for mounting NFS file systems. This is even the case when Kerberos security is enabled for the mount!
To fix this problem, we move the request of rpc-svcgssd.service from auth-rpcgss-module.service to nfs-server.service.
This is the first part of the split merge request "Fixes for bugs #846950, #849942, #849608". You can find the second part in "Fixes for bugs #849942 and #849608". Meanwhile, bug #846950 has been fixed by "Propagate $RPCGSSDOPTS from /etc/default to systemd service script".
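
The guard described for #985000, sketched as an added example (it is not the change made in this merge request): call modprobe only when the module is not already present, so that a container whose host has loaded auth_rpcgss never reaches the forbidden module load. The function names and the overridable SYSFS_MODULE_DIR, PROC_MODULES and MODPROBE variables are hypothetical, and the sketch assumes /sys/module or /proc/modules is readable inside the container.

```shell
#!/bin/sh
# Added example: load a kernel module only if it is not already loaded.
# The three variables below are hypothetical knobs so the logic can be
# exercised without touching the real kernel interfaces.
SYSFS_MODULE_DIR="${SYSFS_MODULE_DIR:-/sys/module}"
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"

# Return 0 if the named module is already present in the running kernel.
module_is_loaded() {
    # The kernel reports module names with underscores, never hyphens.
    mod=$(printf '%s' "$1" | tr '-' '_')
    # /sys/module/<name> exists for loaded modules (and some built-in ones).
    [ -d "$SYSFS_MODULE_DIR/$mod" ] && return 0
    # Fallback: /proc/modules lists one loaded module per line, name first.
    [ -r "$PROC_MODULES" ] && grep -q "^$mod " "$PROC_MODULES"
}

# Return 0 if the module is available afterwards. modprobe is only invoked
# when the module is missing, so an unprivileged container succeeds whenever
# the host has already loaded the module.
ensure_module() {
    if module_is_loaded "$1"; then
        return 0
    fi
    "$MODPROBE" -q "$1"
}

# Typical use from a service start script:
#   ensure_module auth_rpcgss
```
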