Merge ~ahasenack/ubuntu/+source/nfs-utils:kinetic-nfsutils-merge into ubuntu/+source/nfs-utils:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Andreas Hasenack
Merged at revision: 8f44dbe5f2f7977501808232f715af33c4bacc44
Proposed branch: ~ahasenack/ubuntu/+source/nfs-utils:kinetic-nfsutils-merge
Merge into: ubuntu/+source/nfs-utils:debian/sid
Diff against target: 2013 lines (+1660/-8)
22 files modified
debian/README.Ubuntu (+30/-0)
debian/changelog (+1229/-0)
debian/control (+17/-6)
debian/libnfsidmap-regex.install (+1/-0)
debian/libnfsidmap1.docs (+1/-0)
debian/libnfsidmap1.install (+3/-1)
debian/nfs-common.dirs (+1/-0)
debian/nfs-common.docs (+1/-0)
debian/nfs-common.postrm (+1/-0)
debian/not-installed (+3/-0)
debian/patches/nfs-conf-manpage-missing-svcgssd-options.patch (+19/-0)
debian/patches/series (+5/-0)
debian/patches/svcgssd-display-principal-if-set.patch (+37/-0)
debian/patches/svcgssd-document-missing-options.patch (+44/-0)
debian/patches/svcgssd-fix-use-after-free.patch (+45/-0)
debian/patches/ubuntu-idmapd-manpage-update-regex-other-package.patch (+12/-0)
debian/rules (+7/-1)
debian/source.apport (+32/-0)
debian/tests/control (+11/-0)
debian/tests/kerberos-mount (+38/-0)
debian/tests/util (+89/-0)
debian/tests/v3-mount (+34/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Christian Ehrhardt  (community) Approve
Canonical Server Reporter Pending
Review via email: mp+425667@code.staging.launchpad.net

Description of the change

Merge from Debian.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/nfs-utils-merge/

I had to make changes to our delta, and I thought it best to first apply logical, and then make the changes and list them as "added changes", but in the next upload/merge they can be squashed.

Of note is that now we have to build the regex module from the nfs-utils source, since src:libnfsidmap-regex is gone from the archive. This is an unavoidable delta until the src:libnfsidmap-regex MIR[1] is started and done. This will be a NEW package and will go straight to Universe.

I'm also closing bug #1977745, which is committed upstream, so that bit of delta will disappear in the next upstream release.

I looked into bug #1971935, which at first seemed to have a clear and obvious fix, but when getting into the details I couldn't reproduce it nor understand why it was happening, and I'm wary of making that change without first understanding why these two users hit the problem.

I also dropped our d/NEWS file, because debian now has per-package news files of their own, up-to-date wrt the changes in nfs 2.6.x. Instead I moved some of the content to a d/README.Ubuntu file which I think is more appropriate long term. This can also be squashed in the next upload, as d/README.Ubuntu is already a delta we have. I could merge our now-gone NEWS file with Debian's, but it would look odd to say more or less the same thing in different versions of the package in that NEWS file.

I sent these delta pieces to debian:
- small packaging fixes: https://salsa.debian.org/kernel-team/nfs-utils/-/merge_requests/16
- dep8: https://salsa.debian.org/kernel-team/nfs-utils/-/merge_requests/15

1. https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1960824

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :
Download full text (3.4 KiB)

- Logical matches what is in kinetic
- $ git range-diff pkg/import/1%2.6.1-1..ahasenack/logical/1%2.6.1-1ubuntu1 pkg/import/1%2.6.1-2..ahasenack/kinetic-nfsutils-merge

 2: 4083b817 < -: -------- - d/NEWS: explain some of the major changes in 2.6.x
- we have dropped d/NEWS , but upgrades need to go through Jammy and there it is.
Also this is now present per pkg

 3: a45a1920 ! 2: b9332ea6 - Don't install the regex module, as it's built by src:libnfsidmap-regex which is in Universe (MIR: #1960824) + d/control: don't conflict/break/e
- regex only context noise

 4: 92113f8f ! 3: da56db7d - Update README files: + d/README.Ubuntu: explains some of the packaging decisions + d/README.Debian.nfsv4: removed as the content is out of date
- Readme.Ubuntu lost some content to be added later as moved from NEWS - seems ok

 5: adc7845e < -: -------- - d/nfsconvert.py: add short "u" option for mountd's no-udp
present in Debian

 8: 3bdc8b3d < -: -------- - d/nfs-*.bug-script: update to also include /etc/nfs.conf and /etc/nfs.conf.d/*.conf

That far it is ok, the last section are all new changes which I'll also review one by one ...

565a151b * Dropped: - d/nfsconvert.py: add short "u" option for mountd's no-udp [Included in 1:2.6.1-2]
d22206d0 - d/NEWS: explain some of the major changes in 2.6.x [Obsoleted by Debian's update to the per-package NEWS files]
2b54f858 - d/nfs-*.bug-script: update to also include /etc/nfs.conf and /etc/nfs.conf.d/*.conf [Included in 1:2.6.1-2]

^^ ok, just for changelog generation

9b5dd4e4 * Added changes: - New binary package libnfsidmap-regex (LP: #1974067): + d/control: new package + d/libnfsidmap-regex.install: install the plugin file + d/not-installed: remove the plugin from the not-installed list + d/p/remove-regex-from-docs.patch: deleted + d/p/ubuntu-idmapd-manpage-update-regex-other-package.patch: note that the regex plugin is in another package

Just to ensure I got this right, we are adding regex, not moving it.
I checked regex.so wasn't present, so no need for breaks/replaces due to reorg.
Well it wasn't present from this source. But the binary pkg is removed in kinetic and this upload should thereby not conflict. It should upgrade the former version just fine.

78f3ad56 - rpc.svcgssd fixes and improvements (LP: #1977745): + d/p/svcgssd-fix-use-after-free.patch: fix use-after-free which was preventing svcgssd options set in /etc/nfs.conf from being used

ok

30ff1d49 + d/p/svcgssd-display-principal-if-set.patch: improve logging, showing the expected principal name if it was set in the config
2bb1bc06 + d/p/svcgssd-document-missing-options.patch: add missing options to the svcgssd manpage
1591ebd6 + d/p/nfs-conf-manpage-missing-svcgssd-options.patch: also document the missing svcgssd options to the nfs.conf(5) manpage

all good changes, upstream refs ok

a6477222 - d/README.Ubuntu: updated with the content of the previous d/NEWS file

Ok, this indeed carries the info formerly present in other places.

a14d8...

Read more...

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Review is ok, but testing is not entirely clean.

Updating a Kinetic system to your PPA gave me:

Setting up nfs-kernel-server (1:2.6.1-2ubuntu1~ppa5) ...
nfs-mountd.service is a disabled or a static unit not running, not starting it.
nfsdcld.service is a disabled or a static unit not running, not starting it.
Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145.
A dependency job for nfs-server.service failed. See 'journalctl -xe' for details.
invoke-rc.d: initscript nfs-kernel-server, action "restart" failed.
○ nfs-server.service - NFS server and services
     Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
     Active: inactive (dead)

Jun 28 12:42:40 k systemd[1]: Dependency failed for NFS server and services.
Jun 28 12:42:40 k systemd[1]: nfs-server.service: Job nfs-server.service/start failed with result 'dependency'.
Jun 28 12:42:40 k systemd[1]: Dependency failed for NFS server and services.
Jun 28 12:42:40 k systemd[1]: nfs-server.service: Job nfs-server.service/start failed with result 'dependency'.
Jun 28 12:53:09 k systemd[1]: Dependency failed for NFS server and services.
Jun 28 12:53:09 k systemd[1]: nfs-server.service: Job nfs-server.service/start failed with result 'dependency'.
Jun 28 12:53:09 k systemd[1]: Dependency failed for NFS server and services.
Jun 28 12:53:09 k systemd[1]: nfs-server.service: Job nfs-server.service/start failed with result 'dependency'.
Failed to restart nfs-kernel-server, ignoring.

That didn't happen in all environments.
And it is rather obvious.
It is due to nfsd failing

root@k:~# systemctl status proc-fs-nfsd.mount
× proc-fs-nfsd.mount - NFSD configuration filesystem
     Loaded: loaded (/lib/systemd/system/proc-fs-nfsd.mount; static)
     Active: failed (Result: exit-code) since Tue 2022-06-28 12:53:09 UTC; 4min 6s ago
      Where: /proc/fs/nfsd
       What: nfsd

Jun 28 12:53:09 k mount[133913]: mount: /proc/fs/nfsd: permission denied.

As it is in a LXD container

I wonder if we should add a Condition or some other softening hint to make this less complaining.
OTOH - this will almost never work in a container unless you seriously modify its isolation, so since it is not fatal it might be right to complain a bit on install/upgrade.

Up to you to decide

Review complete LGTM +1

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> Jun 28 12:53:09 k mount[133913]: mount: /proc/fs/nfsd: permission denied.

NFS server never worked in a (lxd or otherwise) container out of the box.

If NFS were a single service, we could add a condition to it. But I'm unsure how to do it with so many intertwined services.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I found out we lost the hardening flags in the libnfsidmap*->nfs-utils transition (so did Debian), and filed a bug and reintroduced the flags.

DEP8 re-ran locally:
autopkgtest [14:20:59]: @@@@@@@@@@@@@@@@@@@@ summary
local-server-client PASS
kerberos-mount PASS
v3-mount PASS

In the meantime the ppa dep8 run also finished: https://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-ahasenack-nfs-utils-merge/kinetic/amd64/n/nfs-utils/20220628_171746_3c10e@/log.gz

Revision history for this message
Andreas Hasenack (ahasenack) wrote :
Download full text (3.9 KiB)

Lintian this time only complains about libnfsidmap-regex being built without fortify:
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]

But the build log has -D_FORTIFY_SOURCE=2:
/bin/bash ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../../support/include -I/usr/include/tirpc -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -pipe -Wall -Wextra -Werror=strict-prototypes -Werror=missing-prototypes -Werror=missing-declarations -Werror=format=2 -Werror=undef -Werror=missing-include-dirs -Werror=strict-aliasing=2 -Werror=init-self -Werror=implicit-function-declaration -Werror=return-type -Werror=switch -Werror=overflow -Werror=parentheses -Werror=aggregate-return -Werror=unused-result -fno-strict-aliasing -Werror=format-overflow=2 -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Wno-cast-function-type -g -O2 -ffile-prefix-map=/home/ubuntu/git/packages/nfs-utils/nfs-utils=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -c -o regex.lo regex.c

then
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../support/include -I/usr/include/tirpc -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -pipe -Wall -Wextra -Werror=strict-prototypes -Werror=missing-prototypes -Werror=missing-declarations -Werror=format=2 -Werror=undef -Werror=missing-include-dirs -Werror=strict-aliasing=2 -Werror=init-self -Werror=implicit-function-declaration -Werror=return-type -Werror=switch -Werror=overflow -Werror=parentheses -Werror=aggregate-return -Werror=unused-result -fno-strict-aliasing -Werror=format-overflow=2 -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Wno-cast-function-type -g -O2 -ffile-prefix-map=/home/ubuntu/git/packages/nfs-utils/nfs-utils=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -c regex.c -fPIC -DPIC -o .libs/regex.o

and
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../support/include -I/usr/include/tirpc -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -pipe -Wall -Wextra -Werror=strict-prototypes -Werror=missing-prototypes -Werror=missing-declarations -Werror=format=2 -Werror=undef -Werror=missing-include-dirs -Werror=strict-aliasing=2 -Werror=init-self -Werror=implicit-function-declaration -Werror=return-type -Werror=switch -Werror=overflow -Werror=parentheses -Werror=aggregate-return -Werror=unused-result -fno-strict-aliasing -Werror=format-overflow=2 -Werror=int-conversion -Werror=incompatible-pointer-types -Werror=misleading-indentation -Wno-cast-function-type -g -O2 -ffile-prefix-map=/home/ubuntu/git/packages/nfs-utils/nfs-utils=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -c regex.c -o regex.o >/dev/null 2>&1

But not in the linker state (expected I think):/bin/bash ../../libtool --tag=CC --mode=link gcc -pipe -Wall -Wextra -Werror=strict-prototypes -Werror=missing-prototypes -Werror=missing-declarations -Werror=format=2 -Werror=undef -Werror=missing-include-d...

Read more...

Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, paelzer
Uploaders: ahasenack, paelzer
MP auto-approved

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Salsa PR for reintroducing the hardening flags: https://salsa.debian.org/kernel-team/nfs-utils/-/merge_requests/17

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

New:
d530207 - d/rules: re-add hardening option lost from the src:libnfsidmap

Change ... LGTM
Check build ... there is no cc call left without hardning -> LGTM

+1 (for the added delta)

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded
Uploading nfs-utils_2.6.1-2ubuntu1.dsc
Uploading nfs-utils_2.6.1-2ubuntu1.debian.tar.xz
Uploading nfs-utils_2.6.1-2ubuntu1_source.buildinfo
Uploading nfs-utils_2.6.1-2ubuntu1_source.changes

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This built and migrated.

There was an error fetching revisions from git servers. Please try again in a few minutes. If the problem persists, contact Launchpad support.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
The diff is not available at this time. You can reload the page or download it.

Subscribers

People subscribed via source and target branches