Skip to content

Commit

Permalink
Merge branch 'develop'
Browse files Browse the repository at this point in the history
  • Loading branch information
ehough committed Mar 8, 2019
2 parents 3919a98 + 5a4de87 commit 3d7a3c5
Show file tree
Hide file tree
Showing 6 changed files with 308 additions and 53 deletions.
16 changes: 14 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,19 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [2.1.0] - 2019-10-31
## [2.2.0] - 2019-03-08
## Added
* Enhanced debugging via environment variable: `NFS_LOG_LEVEL=DEBUG`. This also produces less cluttered log output
during regular, non-debug operation.
## Fixed
* `idmapd` would not start when `NFS_VERSION=3`
* allow Kerberos without `idmapd`. Most users will probably want to run them together, but
it isn't required.
* `NFS_VERSION` environment variable sanity check allowed invalid values
* status code of `rpc.svcgssd` was not properly checked
* `idmapd` debug output was invisible

## [2.1.0] - 2019-01-31
### Added
* Ability to automatically load kernel modules. ([#18](https://github.com/ehough/docker-nfs-server/issues/18)). Credit to [@andyneff](https://github.com/andyneff).
### Fixed
Expand Down Expand Up @@ -48,4 +60,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
* Fixed detection of built-in kernel modules ([#4](https://github.com/ehough/docker-nfs-server/pull/4))

## [1.0.0] - 2018-02-05
Initial release.
Initial release.
4 changes: 3 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ This is the only containerized NFS server that offers **all** of the following f
- clean teardown of services upon termination (no lingering `nfsd` processes on Docker host)
- flexible construction of `/etc/exports`
- extensive server configuration via environment variables
- helpful, human-readable logging
- human-readable logging (with a helpful [debug mode](doc/feature/logging.md))
- *optional* bonus features
- [Kerberos security](doc/feature/kerberos.md)
- [NFSv4 user ID mapping](doc/feature/nfs4-user-id-mapping.md) via [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html)
Expand All @@ -24,6 +24,7 @@ This is the only containerized NFS server that offers **all** of the following f
* [Starting the server](#starting-the-server)
* [Mounting filesystems from a client](#mounting-filesystems-from-a-client)
* Optional features
* [Debug logging](doc/feature/logging.md)
* [Kerberos security](doc/feature/kerberos.md)
* [NFSv4 user ID mapping](doc/feature/nfsv4-user-id-mapping.md)
* [AppArmor integration](doc/feature/apparmor.md)
Expand Down Expand Up @@ -144,6 +145,7 @@ If you pay close attention to each of the items in this section, the server shou

## Optional Features

* [Debug logging](doc/feature/logging.md)
* [Kerberos security](doc/feature/kerberos.md)
* [NFSv4 user ID mapping](doc/feature/nfs4-user-id-mapping.md)
* [AppArmor integration](doc/feature/apparmor.md)
Expand Down
4 changes: 0 additions & 4 deletions doc/feature/kerberos.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,6 @@ You can enable Kerberos security for your NFS server with the following steps.
1. set the server's hostname via the `--hostname` flag
1. provide `/etc/krb5.keytab` which contains a principal of the form `nfs/<hostname>`, where `<hostname>` is the hostname you supplied in the previous step.
1. provide [`/etc/krb5.conf`](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html)
1. provide [`/etc/idmapd.conf`](https://linux.die.net/man/5/idmapd.conf)
1. provide `/etc/passwd` containing your NFS client users

Here's an example:

Expand All @@ -18,8 +16,6 @@ Here's an example:
--hostname my-nfs-server.com \
-v /host/path/to/server.keytab:/etc/krb5.keytab:ro \
-v /host/path/to/server.krb5conf:/etc/krb5.conf:ro \
-v /host/path/to/idmapd.conf:/etc/idmapd.conf:ro \
-v /etc/passwd:/etc/passwd:ro \
--cap-add SYS_ADMIN \
-p 2049:2049 \
erichough/nfs-server
157 changes: 157 additions & 0 deletions doc/feature/logging.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,157 @@
# Logging

By default, the image will output a reasonable level of logging information so you can see verify that the server is operating as expected.

You can bump up the log level via the `NFS_LOG_LEVEL` environment variable. Currently, the only acceptable value is `DEBUG`.

In your `docker-run` command:
```
docker run -e NFS_LOG_LEVEL=DEBUG ... erichough/nfs-server
```
or in `docker-compose.yml`:
```YAML
version: 3
services:
nfs:
image: erichough/nfs-server
...
environment:
- LOG_LEVEL: DEBUG
```
### Normal log output
Normal, non-debug logging will look something like this:
```
==================================================================
SETTING UP ...
==================================================================
----> building /etc/exports from environment variables
----> collected 4 valid export(s) from NFS_EXPORT_* environment variables
----> kernel module nfs is loaded
----> kernel module nfsd is loaded
----> kernel module rpcsec_gss_krb5 is loaded
----> setup complete

==================================================================
STARTING SERVICES ...
==================================================================
----> mounting rpc_pipefs filesystem onto /var/lib/nfs/rpc_pipefs
----> mounting nfsd filesystem onto /proc/fs/nfsd
----> starting rpcbind
----> exporting filesystem(s)
----> starting rpc.mountd on port 32767
----> starting statd on port 32765 (outgoing from port 32766)
----> starting idmapd
----> starting rpc.nfsd on port 2049 with 16 server thread(s)
----> starting rpc.svcgssd
----> all services started normally

==================================================================
SERVER STARTUP COMPLETE
==================================================================
----> list of enabled NFS protocol versions: 3
----> list of container exports:
----> /nfs/htpc-media *(ro,no_subtree_check,insecure,async)
----> /nfs/homes/staff *(rw,no_subtree_check,insecure,sec=krb5p)
----> /nfs/homes/ehough *(rw,no_subtree_check,insecure,no_root_squash,sec=krb5p)
----> /nfs/backup/duplicacy *(rw,no_subtree_check,insecure,sec=krb5p,all_squash,anonuid=0,anongid=0)
----> list of container ports that should be exposed:
----> 111 (TCP and UDP)
----> 2049 (TCP and UDP)
----> 32765 (TCP and UDP)
----> 32767 (TCP and UDP)

==================================================================
READY AND WAITING FOR NFS CLIENT CONNECTIONS
==================================================================

```

### Debug output

Debug output will look something like this:

```
==================================================================
SETTING UP ...
==================================================================
----> /etc/exports is baked into the image
----> kernel module nfs is loaded
----> kernel module nfsd is loaded
----> kernel module rpcsec_gss_krb5 is loaded
----> setup complete
==================================================================
STARTING SERVICES ...
==================================================================
----> mounting rpc_pipefs filesystem onto /var/lib/nfs/rpc_pipefs
mount: mount('rpc_pipefs','/var/lib/nfs/rpc_pipefs','rpc_pipefs',0x00008000,'(null)'):0
----> mounting nfsd filesystem onto /proc/fs/nfsd
mount: mount('nfsd','/proc/fs/nfsd','nfsd',0x00008000,'(null)'):0
----> starting rpcbind
----> exporting filesystem(s)
exporting *:/nfs/backup/duplicacy
exporting *:/nfs/homes/ehough
exporting *:/nfs/homes/staff
exporting *:/nfs/htpc-media
----> starting rpc.mountd on port 32767
----> starting statd on port 32765 (outgoing from port 32766)
----> starting idmapd
rpc.idmapd: Setting log level to 11
rpc.idmapd: libnfsidmap: using domain: hough.matis
rpc.idmapd: libnfsidmap: Realms list: 'HOUGH.MATIS'
rpc.idmapd: libnfsidmap: processing 'Method' list
rpc.idmapd: static_getpwnam: name 'nfs/[email protected]' mapped to 'root'
rpc.idmapd: static_getpwnam: localname 'melissa' for '[email protected]' not found
rpc.idmapd: static_getpwnam: name '[email protected]' mapped to 'ehough'
rpc.idmapd: static_getgrnam: group 'nfs/[email protected]' mapped to 'root'
rpc.idmapd: static_getgrnam: local group 'melissa' for '[email protected]' not found
rpc.idmapd: static_getgrnam: group '[email protected]' mapped to 'ehough'
rpc.idmapd: libnfsidmap: loaded plugin /usr/lib/libnfsidmap/static.so for method static
rpc.idmapd: Expiration time is 600 seconds.
rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
----> starting rpc.nfsd on port 2049 with 16 server thread(s)
rpc.nfsd: knfsd is currently down
rpc.nfsd: Writing version string to kernel: -2 +3 +4 +4.1 +4.2
rpc.nfsd: Created AF_INET TCP socket.
rpc.nfsd: Created AF_INET UDP socket.
rpc.nfsd: Created AF_INET6 TCP socket.
rpc.nfsd: Created AF_INET6 UDP socket.
----> starting rpc.svcgssd
entering poll
----> all services started normally
==================================================================
SERVER STARTUP COMPLETE
==================================================================
----> list of enabled NFS protocol versions: 4.2, 4.1, 4, 3
----> list of container exports:
----> /nfs/backup/duplicacy *(rw,sync,wdelay,hide,nocrossmnt,insecure,root_squash,all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=0,anongid=0,sec=krb5p,rw,insecure,root_squash,all_squash)
----> /nfs/homes/ehough *(rw,sync,wdelay,hide,nocrossmnt,insecure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=krb5p,rw,insecure,no_root_squash,no_all_squash)
----> /nfs/homes/staff *(rw,sync,wdelay,hide,nocrossmnt,insecure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=krb5p,rw,insecure,root_squash,no_all_squash)
----> /nfs/htpc-media *(ro,async,wdelay,hide,nocrossmnt,insecure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,ro,insecure,root_squash,no_all_squash)
----> list of container ports that should be exposed:
----> 111 (TCP and UDP)
----> 2049 (TCP and UDP)
----> 32765 (TCP and UDP)
----> 32767 (TCP and UDP)
==================================================================
READY AND WAITING FOR NFS CLIENT CONNECTIONS
==================================================================
leaving poll
handling null request
svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
sname = nfs/[email protected]
doing downcall
mech: krb5, hndl len: 4, ctx len 52, timeout: 1552111964 (31564 from now), clnt: nfs@blue, uid: 0, gid: 0, num aux grps: 1:
( 1) 0
sending null reply
writing message: \x \x6082024606092a864886f71201020201006e82023530820231a003020105a10302010ea20703050020000000a38201306182012c30820128a003020105a10d1b0b484f5547482e4d41544953a2153013a003020103a10c300a1b036e66731b036e6173a381fa3081f7a003020113a103020106a281ea0481e79cf640041a02f97332a25760a707a3f039f61301d07b2dfbb8bf9448cbfd168d0958c7717b535f7799c87390469c94045a6cd3f54c91ddeda9274b1ea492a43e6b17dec3ad17aaa94b9e61cdd4f4c8e7a35d8e84d56c7657e63536358e1316e2e8362922b47b465dd57aa29cb743128432decee09c3a06e6b4d5f6cebcd0978ee37bf0155a01a6ed623dc7b3068163fedaadec1e1509788db701c5308c703aa0e3196188e40c22afc361d2d9762750627c091516f05059a1f965df187dc981f4ac59bf3f424f23e676109a8c93af93b66f704f78703e1ef642fddf5b01d7deb40db26642e9f4f0a481e73081e4a003020111a281dc0481d9299c7ea474abf5d08a5f4f977254552e712f783f89bf40eb2cbd0082614593e377ec8cfe1c1ffb1bc0fad366382258f63857928240933914478fbceadc3b3bfe2e1f9a477c601d6b20c19898813878f45cea78ae601a342f000faf89c2e0e4c37fdb5db7937ac327ac0470c1f97dd421a112a6739467132d598db38ff99f9a88a8ac44e72f5cd088bd4d6159e15be75a7447d556134bda4fa0a96e64e3350d3a198e0635e4e7fb4900962aed3912fe0f316a1fa27121133232816b1177c707c0c37b396add3b347be38db756f05815ca3de5b3874782d80bf9 1552080460 0 0 \x01000000 \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020111a271046fdfb95cbe1237d785691a0ca14b4f7443142dda2b2a1b2845499bdb69b538719fbfc99b71d72ae61d7bd9966c106b2381fd08690082de26da5b8f521081035b5d7b8bf6c6eda85fd73c1c76ff03bec7693695e0b3d9e72069ec3772f93c4dbc5e8ce698a0854b494714bd5801204af3
finished handling null request
entering poll
```
3 changes: 1 addition & 2 deletions doc/feature/nfs4-user-id-mapping.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,11 @@
# NFSv4 User ID Mapping

If you'd like to run [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html) to map between NFSv4 IDs (e.g. `[email protected]`) and local users, simply provide [`idmapd.conf`](https://linux.die.net/man/5/idmapd.conf) and `/etc/passwd` to the container. This step is required for [Kerberos](kerberos.md).
If you'd like to run [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html) to map between NFSv4 IDs (e.g. `[email protected]`) and local users, simply provide [`idmapd.conf`](https://linux.die.net/man/5/idmapd.conf) to the container.

docker run \
-v /host/path/to/exports.txt:/etc/exports:ro \
-v /host/files:/nfs \
-v /host/path/to/idmapd.conf:/etc/idmapd.conf:ro \
-v /etc/passwd:/etc/passwd:ro \
--cap-add SYS_ADMIN \
-p 2049:2049 \
erichough/nfs-server
Expand Down
Loading

0 comments on commit 3d7a3c5

Please sign in to comment.