diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix
index e0e8bb1f03d..ddcc0ed8f5a 100644
--- a/nixos/modules/tasks/filesystems/nfs.nix
+++ b/nixos/modules/tasks/filesystems/nfs.nix
@@ -25,6 +25,9 @@ let
 '';
 nfsConfFile = pkgs.writeText "nfs.conf" cfg.extraConfig;
+ requestKeyConfFile = pkgs.writeText "request-key.conf" ''
+ create id_resolver * * ${pkgs.nfs-utils}/bin/nfsidmap -t 600 %k %d
+ '';
 cfg = config.services.nfs;
@@ -57,9 +60,12 @@ in
 systemd.packages = [ pkgs.nfs-utils ];
+ environment.systemPackages = [ pkgs.keyutils ];
+
 environment.etc = {
 "idmapd.conf".source = idmapdConfFile;
 "nfs.conf".source = nfsConfFile;
+ "request-key.conf".source = requestKeyConfFile;
 };
 systemd.services.nfs-blkmap =
diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix
index 678ce3c2880..ca9c6f9a7f9 100644
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@@ -120,8 +120,8 @@ in rec {
 (all nixos.tests.networking.scripted.macvlan)
 (all nixos.tests.networking.scripted.sit)
 (all nixos.tests.networking.scripted.vlan)
- (all nixos.tests.nfs3)
- (all nixos.tests.nfs4)
+ (all nixos.tests.nfs3.simple)
+ (all nixos.tests.nfs4.simple)
 (all nixos.tests.openssh)
 (all nixos.tests.php-pcre)
 (all nixos.tests.predictable-interface-names.predictable)
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 23ad22ee5a1..7ef48589de4 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -189,8 +189,9 @@ in
 networkingProxy = handleTest ./networking-proxy.nix {};
 nextcloud = handleTest ./nextcloud {};
 nexus = handleTest ./nexus.nix {};
- nfs3 = handleTest ./nfs.nix { version = 3; };
- nfs4 = handleTest ./nfs.nix { version = 4; };
+ # TODO: Test nfsv3 + Kerberos
+ nfs3 = handleTest ./nfs { version = 3; };
+ nfs4 = handleTest ./nfs { version = 4; };
 nghttpx = handleTest ./nghttpx.nix {};
 nginx = handleTest ./nginx.nix {};
 nginx-sso = handleTest ./nginx-sso.nix {};
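Review bot: The new `request-key.conf` is installed as the single `/etc/request-key.conf`, so any other module that later needs a key-type upcall cannot add an entry without clobbering this one; the keyutils `conf-symlink.patch` in this same commit makes symlinked `/etc/request-key.d/*.conf` files usable, which suggests the intended composable form is `environment.etc."request-key.d/nfs.conf"`. As far as this diff shows, nothing exercises the `request-key.d` path, so that keyutils patch is otherwise untested by the new NixOS tests. The `-t 600` argument also deserves a why-comment, e.g. `# resolved ids are cached in the kernel keyring for 600 s (nfsidmap -t); idmapd.conf changes take effect only after expiry` — presumably the nfsidmap key timeout, worth confirming against the nfsidmap man page. The surrounding `let` block continues outside the hunk.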
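Review bot: `environment.systemPackages = [ pkgs.keyutils ];` is load-bearing rather than a convenience: the `request-key-helper` kernel patch added in this commit makes the kernel exec `/run/current-system/sw/bin/request-key`, so removing keyutils from the system profile silently breaks NFSv4 id-mapping upcalls (I have not traced the kernel's error path to confirm the exact symptom). A comment at that line would protect it from a future cleanup, e.g. `# keyutils must be in the system profile: the request-key-helper kernel patch invokes /run/current-system/sw/bin/request-key for id_resolver upcalls`. The dependency also runs the other way for kernels built without that patch (custom `boot.kernelPackages`), which is worth stating in the module's option documentation. The enclosing attribute set starts and ends outside the hunk.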
diff --git a/nixos/tests/nfs.nix b/nixos/tests/nfs.nix
deleted file mode 100644
index 2f655336e75..00000000000
--- a/nixos/tests/nfs.nix
+++ /dev/null
@@ -1,90 +0,0 @@ -import ./make-test.nix ({ pkgs, version ? 4, ... }: - -let - - client = - { pkgs, ... }: - { fileSystems = pkgs.lib.mkVMOverride - [ { mountPoint = "/data"; - # nfs4 exports the export with fsid=0 as a virtual root directory - device = if (version == 4) then "server:/" else "server:/data"; - fsType = "nfs"; - options = [ "vers=${toString version}" ]; - } - ]; - networking.firewall.enable = false; # FIXME: only open statd - }; - -in - -{ - name = "nfs"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ eelco ]; - }; - - nodes = - { client1 = client; - client2 = client; - - server = - { ... }: - { services.nfs.server.enable = true; - services.nfs.server.exports = - '' - /data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0) - ''; - services.nfs.server.createMountPoints = true; - networking.firewall.enable = false; # FIXME: figure out what ports need to be allowed - }; - }; - - testScript = - '' - $server->waitForUnit("nfs-server"); - $server->succeed("systemctl start network-online.target"); - $server->waitForUnit("network-online.target"); - - startAll; - - $client1->waitForUnit("data.mount"); - $client1->succeed("echo bla > /data/foo"); - $server->succeed("test -e /data/foo"); - - $client2->waitForUnit("data.mount"); - $client2->succeed("echo bla > /data/bar"); - $server->succeed("test -e /data/bar"); - - # Test whether restarting ‘nfs-server’ works correctly. - $server->succeed("systemctl restart nfs-server"); - $client2->succeed("echo bla >> /data/bar"); # will take 90 seconds due to the NFS grace period - - # Test whether we can get a lock. - $client2->succeed("time flock -n -s /data/lock true"); - - # Test locking: client 1 acquires an exclusive lock, so client 2 - # should then fail to acquire a shared lock. 
- $client1->succeed("flock -x /data/lock -c 'touch locked; sleep 100000' &"); - $client1->waitForFile("locked"); - $client2->fail("flock -n -s /data/lock true"); - - # Test whether client 2 obtains the lock if we reset client 1. - $client2->succeed("flock -x /data/lock -c 'echo acquired; touch locked; sleep 100000' >&2 &"); - $client1->crash; - $client1->start; - $client2->waitForFile("locked"); - - # Test whether locks survive a reboot of the server. - $client1->waitForUnit("data.mount"); - $server->shutdown; - $server->start; - $client1->succeed("touch /data/xyzzy"); - $client1->fail("time flock -n -s /data/lock true"); - - # Test whether unmounting during shutdown happens quickly. - my $t1 = time; - $client1->shutdown; - my $duration = time - $t1; - die "shutdown took too long ($duration seconds)" if $duration > 30; - ''; -}) diff --git a/nixos/tests/nfs/default.nix b/nixos/tests/nfs/default.nix new file mode 100644 index 00000000000..6bc803c91b4 --- /dev/null +++ b/nixos/tests/nfs/default.nix @@ -0,0 +1,9 @@ +{ version ? 4 +, system ? builtins.currentSystem +, pkgs ? import ../../.. { inherit system; } +}: { + simple = import ./simple.nix { inherit version system pkgs; }; +} // pkgs.lib.optionalAttrs (version == 4) { + # TODO: Test kerberos + nfsv3 + kerberos = import ./kerberos.nix { inherit version system pkgs; }; +} diff --git a/nixos/tests/nfs/kerberos.nix b/nixos/tests/nfs/kerberos.nix new file mode 100644 index 00000000000..1f2d0d453ea --- /dev/null +++ b/nixos/tests/nfs/kerberos.nix 
@@ -0,0 +1,133 @@ +import ../make-test-python.nix ({ pkgs, lib, ... }: + +with lib; + +let + krb5 = + { enable = true; + domain_realm."nfs.test" = "NFS.TEST"; + libdefaults.default_realm = "NFS.TEST"; + realms."NFS.TEST" = + { admin_server = "server.nfs.test"; + kdc = "server.nfs.test"; + }; + }; + + hosts = + '' + 192.168.1.1 client.nfs.test + 192.168.1.2 server.nfs.test + ''; + + users = { + users.alice = { + isNormalUser = true; + name = "alice"; + uid = 1000; + }; + }; + +in + +{ + name = "nfsv4-with-kerberos"; + + nodes = { + client = { lib, ... }: + { inherit krb5 users; + + networking.extraHosts = hosts; + networking.domain = "nfs.test"; + networking.hostName = "client"; + + fileSystems = lib.mkVMOverride + { "/data" = { + device = "server.nfs.test:/"; + fsType = "nfs"; + options = [ "nfsvers=4" "sec=krb5p" "noauto" ]; + }; + }; + }; + + server = { lib, ...}: + { inherit krb5 users; + + networking.extraHosts = hosts; + networking.domain = "nfs.test"; + networking.hostName = "server"; + + networking.firewall.allowedTCPPorts = [ + 111 # rpc + 2049 # nfs + 88 # kerberos + 749 # kerberos admin + ]; + + services.kerberos_server.enable = true; + services.kerberos_server.realms = + { "NFS.TEST".acl = + [ { access = "all"; principal = "admin/admin"; } ]; + }; + + services.nfs.server.enable = true; + services.nfs.server.createMountPoints = true; + services.nfs.server.exports = + '' + /data *(rw,no_root_squash,fsid=0,sec=krb5p) + ''; + }; + }; + + testScript = + '' + server.succeed("mkdir -p /data/alice") + server.succeed("chown alice:users /data/alice") + + # set up kerberos database + server.succeed( + "kdb5_util create -s -r NFS.TEST -P master_key", + "systemctl restart kadmind.service kdc.service", + ) + server.wait_for_unit(f"kadmind.service") + server.wait_for_unit(f"kdc.service") + + # create principals + server.succeed( + "kadmin.local add_principal -randkey nfs/server.nfs.test", + "kadmin.local add_principal -randkey nfs/client.nfs.test", + "kadmin.local 
add_principal -pw admin_pw admin/admin", + "kadmin.local add_principal -pw alice_pw alice", + ) + + # add principals to server keytab + server.succeed("kadmin.local ktadd nfs/server.nfs.test") + server.succeed("systemctl start rpc-gssd.service rpc-svcgssd.service") + server.wait_for_unit(f"rpc-gssd.service") + server.wait_for_unit(f"rpc-svcgssd.service") + + client.wait_for_unit("network-online.target") + + # add principals to client keytab + client.succeed("echo admin_pw | kadmin -p admin/admin ktadd nfs/client.nfs.test") + client.succeed("systemctl start rpc-gssd.service") + client.wait_for_unit("rpc-gssd.service") + + with subtest("nfs share mounts"): + client.succeed("systemctl restart data.mount") + client.wait_for_unit("data.mount") + + with subtest("permissions on nfs share are enforced"): + client.fail("su alice -c 'ls /data'") + client.succeed("su alice -c 'echo alice_pw | kinit'") + client.succeed("su alice -c 'ls /data'") + + client.fail("su alice -c 'echo bla >> /data/foo'") + client.succeed("su alice -c 'echo bla >> /data/alice/foo'") + server.succeed("test -e /data/alice/foo") + + with subtest("uids/gids are mapped correctly on nfs share"): + ids = client.succeed("stat -c '%U %G' /data/alice").split() + expected = ["alice", "users"] + assert ids == expected, f"ids incorrect: got {ids} expected {expected}" + ''; +}) diff --git a/nixos/tests/nfs/simple.nix b/nixos/tests/nfs/simple.nix new file mode 100644 index 00000000000..a1a09ee0f45 --- /dev/null +++ b/nixos/tests/nfs/simple.nix 
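Review bot: The test never checks that the export's `sec=krb5p` is actually enforced: every access goes through `data.mount`, which is configured with `sec=krb5p`, so a server that silently accepted `sec=sys` (rpc.svcgssd not running, or an exports regression) would still pass all three subtests. A negative subtest such as `client.fail("mount -t nfs -o nfsvers=4,sec=sys server.nfs.test:/ /mnt")` would pin the property the test is named for. Separately, `f"kadmind.service"`, `f"kdc.service"`, `f"rpc-gssd.service"` and `f"rpc-svcgssd.service"` are f-strings with no placeholders and should be plain string literals. The server firewall opens TCP 88 and 749 only; MIT krb5 clients commonly try UDP first, so `networking.firewall.allowedUDPPorts = [ 88 ];` may be needed if the TCP fallback ever changes — I have not confirmed that fallback is why it works today.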
@@ -0,0 +1,94 @@ +import ../make-test-python.nix ({ pkgs, version ? 4, ... }: + +let + + client = + { pkgs, ... }: + { fileSystems = pkgs.lib.mkVMOverride + [ { mountPoint = "/data"; + # nfs4 exports the export with fsid=0 as a virtual root directory + device = if (version == 4) then "server:/" else "server:/data"; + fsType = "nfs"; + options = [ "vers=${toString version}" ]; + } + ]; + networking.firewall.enable = false; # FIXME: only open statd + }; + +in + +{ + name = "nfs"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ eelco ]; + }; + + nodes = + { client1 = client; + client2 = client; + + server = + { ... }: + { services.nfs.server.enable = true; + services.nfs.server.exports = + '' + /data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0) + ''; + services.nfs.server.createMountPoints = true; + networking.firewall.enable = false; # FIXME: figure out what ports need to be allowed + }; + }; + + testScript = + '' + import time + + server.wait_for_unit("nfs-server") + server.succeed("systemctl start network-online.target") + server.wait_for_unit("network-online.target") + + start_all() + + client1.wait_for_unit("data.mount") + client1.succeed("echo bla > /data/foo") + server.succeed("test -e /data/foo") + + client2.wait_for_unit("data.mount") + client2.succeed("echo bla > /data/bar") + server.succeed("test -e /data/bar") + + with subtest("restarting 'nfs-server' works correctly"): + server.succeed("systemctl restart nfs-server") + # will take 90 seconds due to the NFS grace period + client2.succeed("echo bla >> /data/bar") + + with subtest("can get a lock"): + client2.succeed("time flock -n -s /data/lock true") + + with subtest("client 2 fails to acquire lock held by client 1"): + client1.succeed("flock -x /data/lock -c 'touch locked; sleep 100000' &") + client1.wait_for_file("locked") + client2.fail("flock -n -s /data/lock true") + + with subtest("client 2 obtains lock after resetting client 1"): + client2.succeed( + "flock -x 
/data/lock -c 'echo acquired; touch locked; sleep 100000' >&2 &" + ) + client1.crash() + client1.start() + client2.wait_for_file("locked") + + with subtest("locks survive server reboot"): + client1.wait_for_unit("data.mount") + server.shutdown() + server.start() + client1.succeed("touch /data/xyzzy") + client1.fail("time flock -n -s /data/lock true") + + with subtest("unmounting during shutdown happens quickly"): + t1 = time.monotonic() + client1.shutdown() + duration = time.monotonic() - t1 + assert duration < 30, f"shutdown took too long ({duration} seconds)" + ''; +}) diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index fa5b168389b..4ec232d6255 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -6,6 +6,11 @@ patch = ./bridge-stp-helper.patch; }; + request_key_helper = + { name = "request-key-helper"; + patch = ./request-key-helper.patch; + }; + p9_fixes = { name = "p9-fixes"; patch = ./p9-fixes.patch; diff --git a/pkgs/os-specific/linux/kernel/request-key-helper.patch b/pkgs/os-specific/linux/kernel/request-key-helper.patch new file mode 100644 index 00000000000..8264e265aed --- /dev/null +++ b/pkgs/os-specific/linux/kernel/request-key-helper.patch @@ -0,0 +1,13 @@ +diff --git a/security/keys/request_key.c b/security/keys/request_key.c +index 957b9e3e1492..5436a0d8b81d 100644 +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -114,7 +114,7 @@ static int call_usermodehelper_keys(const char *path, char **argv, char **envp, + */ + static int call_sbin_request_key(struct key *authkey, void *aux) + { +- static char const request_key[] = "/sbin/request-key"; ++ static char const request_key[] = "/run/current-system/sw/bin/request-key"; + struct request_key_auth *rka = get_request_key_auth(authkey); + const struct cred *cred = current_cred(); + key_serial_t prkey, sskey; 
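Review bot: The two backgrounded `flock` calls are inconsistent: `client1.succeed("flock -x /data/lock -c 'touch locked; sleep 100000' &")` leaves the child's stdout attached to the driver's shell, while the second call redirects with `>&2 &`. If the Python driver reads a command's output until the shell closes it (I have not verified this for `succeed`), the first call can block until the sleep ends; giving both calls the same `>&2 &` form removes the doubt. The port also turned `die ... if $duration > 30` into `assert duration < 30`, which now fails at exactly 30 s; harmless, but a short comment would make it clear the tightening is intentional.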
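Review bot: The new `request_key_helper` entry in `patches.nix` has no explanation of why NixOS needs a kernel-side change, so a kernel maintainer cannot tell when the patch may be dropped or must be rebased. A comment above `request_key_helper =` such as `# NixOS has no /sbin; point the kernel's request_key upcall helper at the system profile (/run/current-system/sw/bin/request-key)` records the rationale next to the entry. The enclosing attribute set continues outside the hunk.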
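Review bot: Pointing `call_sbin_request_key` at `/run/current-system/sw/bin/request-key` makes the kernel's key upcall depend on the system profile containing keyutils; when it is absent the helper exec presumably fails with ENOENT and the key is negatively instantiated rather than producing a visible error, so that failure mode should be documented where the module adds keyutils to `environment.systemPackages` (I have not traced the kernel's error path here). The swap does not change the trust boundary — `/run/current-system` is root-controlled like `/sbin` — but the patch file itself carries no description; a one-line rationale above `diff --git a/security/keys/request_key.c` in the .patch would keep that reasoning with the code it modifies.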
diff --git a/pkgs/os-specific/linux/keyutils/conf-symlink.patch b/pkgs/os-specific/linux/keyutils/conf-symlink.patch
new file mode 100644
index 00000000000..02762e857a8
--- /dev/null
+++ b/pkgs/os-specific/linux/keyutils/conf-symlink.patch
@@ -0,0 +1,13 @@
+diff --git a/request-key.c b/request-key.c
+index bf47c0a..105fee8 100644
+--- a/request-key.c
++++ b/request-key.c
+@@ -313,7 +313,7 @@ static void scan_conf_dir(struct parameters *params, const char *confdir)
+ while ((d = readdir(dir))) {
+ if (d->d_name[0] == '.')
+ continue;
+- if (d->d_type != DT_UNKNOWN && d->d_type != DT_REG)
++ if (d->d_type != DT_UNKNOWN && d->d_type != DT_REG && d->d_type != DT_LNK)
+ continue;
+ l = strlen(d->d_name);
+ if (l < 5)
diff --git a/pkgs/os-specific/linux/keyutils/default.nix b/pkgs/os-specific/linux/keyutils/default.nix
index 792cd32d654..887aee45aa8 100644
--- a/pkgs/os-specific/linux/keyutils/default.nix
+++ b/pkgs/os-specific/linux/keyutils/default.nix
@@ -15,6 +15,7 @@ stdenv.mkDerivation rec {
 url = "https://salsa.debian.org/debian/keyutils/raw/4cecffcb8e2a2aa4ef41777ed40e4e4bcfb2e5bf/debian/patches/Make-build-reproducible.patch";
 sha256 = "0wnvbjfrbk7rghd032z684l7vk7mhy3bd41zvhkrhgp3cd5id0bm";
 })
+ ./conf-symlink.patch
 ];
 BUILDDATE = "1970-01-01";
diff --git a/pkgs/os-specific/linux/nfs-utils/default.nix b/pkgs/os-specific/linux/nfs-utils/default.nix
index 3f53c0f5817..74363be47f4 100644
--- a/pkgs/os-specific/linux/nfs-utils/default.nix
+++ b/pkgs/os-specific/linux/nfs-utils/default.nix
@@ -1,6 +1,6 @@
 { stdenv, fetchurl, fetchpatch, lib, pkgconfig, utillinux, libcap, libtirpc, libevent
 , sqlite, kerberos, kmod, libuuid, keyutils, lvm2, systemd, coreutils, tcp_wrappers
-, python3, buildPackages
+, python3, buildPackages, nixosTests
 }:
 let
@@ -39,6 +39,7 @@ stdenv.mkDerivation rec {
 configureFlags = [
 "--enable-gss"
+ "--enable-svcgss"
 "--with-statedir=/var/lib/nfs"
 "--with-krb5=${lib.getLib kerberos}"
 "--with-systemd=${placeholder "out"}/etc/systemd/system"
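Review bot: Letting `DT_LNK` entries through `scan_conf_dir` only establishes that the directory entry is a symlink, not that its target is a regular file; a link to a directory or a dangling link now reaches whatever open follows with no further check, whereas the `DT_REG` case is exact. A `stat()` on the resolved path with an `S_ISREG(st.st_mode)` test before parsing would make the symlink case as strict as the regular-file case; the code that opens the file and the caller's handling of an open failure are outside the hunk, so I have not verified how a bad target is reported today. `scan_conf_dir` starts and ends outside the hunk.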
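Review bot: `./conf-symlink.patch` is added to `patches` with no indication of why a NixOS-specific change to upstream keyutils is required. A comment above the line such as `# /etc/request-key.d/*.conf are symlinks into the store on NixOS; let request-key follow them` records the rationale and makes clear the patch can go once upstream accepts an equivalent change. The `patches` list continues outside the hunk.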
@@ -104,6 +105,12 @@ stdenv.mkDerivation rec {
 disallowedReferences = [ (lib.getDev kerberos) ];
+ passthru.tests = {
+ nfs3-simple = nixosTests.nfs3.simple;
+ nfs4-simple = nixosTests.nfs4.simple;
+ nfs4-kerberos = nixosTests.nfs4.kerberos;
+ };
+
 meta = with stdenv.lib; {
 description = "Linux user-space NFS utilities";
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 959ddd34890..afb9feec329 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -16145,6 +16145,7 @@ in
 linux_mptcp_94 = callPackage ../os-specific/linux/kernel/linux-mptcp-94.nix {
 kernelPatches = [
 kernelPatches.bridge_stp_helper
+ kernelPatches.request_key_helper
 kernelPatches.cpu-cgroup-v2."4.11"
 kernelPatches.modinst_arg_list_too_long
 ]
@@ -16162,6 +16163,7 @@ in
 linux_rpi1 = callPackage ../os-specific/linux/kernel/linux-rpi.nix {
 kernelPatches = with kernelPatches; [
 bridge_stp_helper
+ request_key_helper
 ];
 rpiVersion = 1;
 };
@@ -16169,6 +16171,7 @@ in
 linux_rpi2 = callPackage ../os-specific/linux/kernel/linux-rpi.nix {
 kernelPatches = with kernelPatches; [
 bridge_stp_helper
+ request_key_helper
 ];
 rpiVersion = 2;
 };
@@ -16176,6 +16179,7 @@ in
 linux_rpi3 = callPackage ../os-specific/linux/kernel/linux-rpi.nix {
 kernelPatches = with kernelPatches; [
 bridge_stp_helper
+ request_key_helper
 ];
 rpiVersion = 3;
 };
@@ -16183,6 +16187,7 @@ in
 linux_rpi4 = callPackage ../os-specific/linux/kernel/linux-rpi.nix {
 kernelPatches = with kernelPatches; [
 bridge_stp_helper
+ request_key_helper
 ];
 rpiVersion = 4;
 };
@@ -16190,6 +16195,7 @@ in
 linux_4_4 = callPackage ../os-specific/linux/kernel/linux-4.4.nix {
 kernelPatches = [
 kernelPatches.bridge_stp_helper
+ kernelPatches.request_key_helper
 kernelPatches.cpu-cgroup-v2."4.4"
 kernelPatches.modinst_arg_list_too_long
 # https://github.com/NixOS/nixpkgs/issues/42755
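Review bot: `kernelPatches.request_key_helper` is added to each kernel variant by hand, so any kernel defined elsewhere (an out-of-tree `boot.kernelPackages`, or a variant added later without copying this list) keeps `/sbin/request-key` and NFSv4 id-mapping upcalls fail quietly on it. The remaining hunks in this file (linux_rpi1–4, linux_4_4 through linux_5_4, linux_testing, linux_testing_bcachefs, linux_hardkernel_4_14) have the same shape, so this note applies to all of them. Short of a shared default in the kernel builder, a comment beside `kernelPatches.bridge_stp_helper` in the first list — e.g. `# bridge_stp_helper and request_key_helper are required on NixOS for every kernel (no /sbin)` — would at least tell maintainers adding a variant what must be copied. Each `kernelPatches = [ ... ]` list continues outside its hunk.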
@@ -16203,6 +16209,7 @@ in
 linux_4_9 = callPackage ../os-specific/linux/kernel/linux-4.9.nix {
 kernelPatches = [
 kernelPatches.bridge_stp_helper
+ kernelPatches.request_key_helper
 kernelPatches.cpu-cgroup-v2."4.9"
 kernelPatches.modinst_arg_list_too_long
 ];
@@ -16211,6 +16218,7 @@ in
 linux_4_14 = callPackage ../os-specific/linux/kernel/linux-4.14.nix {
 kernelPatches = [
 kernelPatches.bridge_stp_helper
+ kernelPatches.request_key_helper
 # See pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/README.md
 # when adding a new linux version
 kernelPatches.cpu-cgroup-v2."4.11"
@@ -16222,6 +16230,7 @@ in
 linux_4_19 = callPackage ../os-specific/linux/kernel/linux-4.19.nix {
 kernelPatches = [
 kernelPatches.bridge_stp_helper
+ kernelPatches.request_key_helper
 kernelPatches.modinst_arg_list_too_long
 kernelPatches.export_kernel_fpu_functions."4.14"
 ];
@@ -16230,6 +16239,7 @@ in
 linux_5_3 = callPackage ../os-specific/linux/kernel/linux-5.3.nix {
 kernelPatches = [
 kernelPatches.bridge_stp_helper
+ kernelPatches.request_key_helper
 kernelPatches.export_kernel_fpu_functions."5.3"
 ];
 };
@@ -16237,18 +16247,21 @@ in
 linux_5_4 = callPackage ../os-specific/linux/kernel/linux-5.4.nix {
 kernelPatches = [
 kernelPatches.bridge_stp_helper
+ kernelPatches.request_key_helper
 ];
 };
 linux_testing = callPackage ../os-specific/linux/kernel/linux-testing.nix {
 kernelPatches = [
 kernelPatches.bridge_stp_helper
+ kernelPatches.request_key_helper
 ];
 };
 linux_testing_bcachefs = callPackage ../os-specific/linux/kernel/linux-testing-bcachefs.nix {
 kernelPatches = [
 kernelPatches.bridge_stp_helper
+ kernelPatches.request_key_helper
 kernelPatches.modinst_arg_list_too_long
 ];
 };
@@ -16256,6 +16269,7 @@ in
 linux_hardkernel_4_14 = callPackage ../os-specific/linux/kernel/linux-hardkernel-4.14.nix {
 kernelPatches = [
 kernelPatches.bridge_stp_helper
+ kernelPatches.request_key_helper
 kernelPatches.modinst_arg_list_too_long
 ];
 };