On Wednesday, 13 September 2006 20:33, Herbert Poetzl wrote:
> On Wed, Sep 13, 2006 at 10:22:21AM +0200, Wilhelm Meier wrote:
> > Hi,
> >
> > I googled for a while but I didn't find a solution for nfs-mounting
> > inside the guest from a remote nfs-server.
> >
> > I had to export the dirs on the nfs-server to the guest AND to the
> > host (why?). After that the host answers to the mount request.
>
> as usual, what tools, what host/guest distro?
Host: Gentoo Linux gs 2.6.17-vs2.1.1-rc31-gentoo
Guest: Gentoo
Host-Tools:
sys-cluster/util-vserver-0.30.210-r18
which includes the following patches (according to 000_README):
Numbering scheme
--------------------------------------
FIXES
000_all - 195_all
FEATURES
200_all - 395_all
Patch descriptions:
--------------------------------------
Patch:  000_all_nice.patch
From:   Daniel Hokka Zakrisson
Desc:   Fix obsolete usage of gnu tools (-1 vs -n 1)
Patch:  005_all_remove-traditional-syscall.patch
From:   Herbert Poetzl
Desc:   Fix util-vserver breakage with gcc-3.4.* and -pie
Patch:  010_all_bmask.patch
From:   Daniel Hokka Zakrisson
Desc:   vattribute resets bcaps when setting ccaps (upstream patch #4968)
Patch:  015_all_chcontext-secure.patch
From:   Daniel Hokka Zakrisson
Desc:   Fix the --secure switch to work as expected
Patch:  020_all_chcontext.8.patch
From:   Micah Anderson
Desc:   Change the section for the chcontext man-page (upstream #16083)
Patch:  025_all_clone-arch.patch
From:   Daniel Hokka Zakrisson
Desc:   Various arch-specific clone updates (for sparc/sparc64/s390)
Patch:  030_all_condrestart.patch
From:   Daniel Hokka Zakrisson
Desc:   Fix the condrestart (upstream #15678)
Patch:  040_all_debootstrap-script.patch
From:   Micah Anderson
Desc:   Let the vserver-debootstrap wrapper accept options for custom scripts
Patch:  045_all_fc5.patch
From:   Daniel Hokka Zakrisson
Desc:   Adding repos for Fedora Core 5 based/like distributions
Patch:  050_all_fstab.patch
From:   Daniel Hokka Zakrisson
Desc:   Implement the opposite of mounting
Patch:  055_all_remove-init-style-gentoo.patch
From:   Christian Heim
Desc:   Deprecate init-style gentoo in favour of plain
Patch:  060_all_start-vservers.patch
From:   Daniel Hokka Zakrisson
Desc:   Fix the vserver-start all script
Patch:  065_all_syscall-update.patch
From:   Herbert Poetzl
Desc:   Updating util-vserver's syscalls
Patch:  070_all_testsuite-fix.patch
From:   Daniel Hokka Zakrisson
Desc:   Fix some issues within the testsuite
Patch:  075_all_usage.patch
From:   Andreas John
Desc:   Fix the usage hint for the vserver command (upstream #15551)
Patch:  080_all_vcontext-uid.patch
From:   Daniel Hokka Zakrisson
Desc:   Better handling of vcontext's --uid option (upstream patch #4966)
Patch:  200_all_sharedportage.patch
From:   Benedikt Boehm
Desc:   Adding a example on how to setting up a shared portage dir
Patch:  205_all_clone.patch
From:   Daniel Hokka Zakrisson
Desc:   Adding support for guest cloning
Patch:  215_all_cpuset.patch
From:   Jan Rekorajski
Desc:   Support for cpuset's
Patch:  220_all_delete.patch
From:   Thomas Champagne and Daniel Hokka Zakrisson
Desc:   Adding support for the delete command (upstream patch #4899)
Patch:  225_all_gentoo-tools.patch
From:   Benedikt Boehm and Christian Heim
Desc:   Adding various Gentoo related scripts (vemerge, vdispatch-conf, ...)
Patch:  235_all_namespace-cleanup.patch
From:   Bastian Blank and Daniel Hokka Zakrisson
Desc:   Adding support for namespace-cleanups (by default)
Patch:  240_all_pkgmgmt-vsomething.patch
From:   Daniel Hokka Zakrisson
Desc:   Unifying some distribution specific commands
Patch:  245_all_template.patch
From:   Daniel Hokka Zakrisson
Desc:   Create a vserver from a template archive
Patch:  250_all_vlogin.patch
From:   Daniel Hokka Zakrisson / Benedikt Boehm
Desc:   Adding support for pts inside vservers (upstream patch #4969)
Patch:  255_all_shell-completion.patch
From:   Thomas Champagne and Ben Voui(?)
Desc:   Adding bash/zsh completion scripts
gs patches #                                  
The kernel got these additional gentoo kernel patches:
gs ~ # tar jxvf /usr/portage/distfiles/genpatches-2.6.17-9.base.tar.bz2
2.6.17/0000_README
2.6.17/1000_linux-2.6.17.1.patch
2.6.17/1001_linux-2.6.17.2.patch
2.6.17/1002_linux-2.6.17.3.patch
2.6.17/1003_linux-2.6.17.4.patch
2.6.17/1004_linux-2.6.17.5.patch
2.6.17/1005_linux-2.6.17.6.patch
2.6.17/1006_linux-2.6.17.7.patch
2.6.17/1007_linux-2.6.17.8.patch
2.6.17/1008_linux-2.6.17.9.patch
2.6.17/1009_linux-2.6.17.10.patch
2.6.17/1010_linux-2.6.17.11.patch
2.6.17/1700_sparc-obp64-naming.patch
2.6.17/1705_sparc-U1-hme-lockup.patch
2.6.17/1710_alpha-ev56-kconfig.patch
2.6.17/1715_sparc64-pgtable.patch
2.6.17/1900_nfs-stall.patch
2.6.17/2300_usb-insufficient-power.patch
2.6.17/2500_via-irq-quirk-revert.patch
2.6.17/2600_logips2pp.patch
2.6.17/2700_alsa-hda-lenovo-3000.patch
gs ~ # tar jxvf /usr/portage/distfiles/genpatches-2.6.17-9.extras.tar.bz2
2.6.17/4000_deprecate-sk98lin.patch
2.6.17/4005_bcm4319.patch
2.6.17/4010_pcnet-cs-te-cf100.patch
2.6.17/4015_forcedeth-new-ids.patch
2.6.17/4020_asix-88178.patch
2.6.17/4025_r8169-new-id.patch
2.6.17/4030_tg3-5787.patch
2.6.17/4035_sky2-v1.6.patch
2.6.17/4040_e1000-7.1.9-k4.patch
2.6.17/4100_vt8251-sata.patch
2.6.17/4105_dm-bbr.patch
2.6.17/4110_nvidia-mcp61.patch
2.6.17/4115_nvidia-sata-new.patch
2.6.17/4120_ahci-nvidia-mcp65.patch
2.6.17/4125_nvidia-ide-new.patch
2.6.17/4130_jmicron-ahci.patch
2.6.17/4135_promise-pdc2037x.patch
2.6.17/4200_fbsplash-0.9.2-r5.patch
2.6.17/4205_vesafb-tng-1.0-rc2.patch
2.6.17/4206_vesafb-tng-mtrr.patch
2.6.17/4300_squashfs-3.0.patch
2.6.17/4400_speakup-20060618.patch
2.6.17/4401_speakup-serio.patch
2.6.17/4405_alpha-sysctl-uac.patch
gs ~ #                                
>
> > I gave the guest ccap secure_mount AND binary_mount. But a
> >
> > mount 192.168.39.1:/home /home -o nolock,tcp
> >
> > gives a "permission denied".
>
> should be sufficient with recent kernels to do an nfs mount
> if the portmapper is reachable and working as expected
>
> > If I add CAP_SYS_ADMIN to bcap, it works fine. But that's not what I
> > want.
>
> that's at least interesting, but could be an already fixed
> bug in older kernels
>
> > If I setup fstab.remote, it works (well, I don't know why!). What is
> > the difference?
>
> main difference is that the fstab.remote is executed on the
> host but within the network context, which solves certain
> issues you see, like requiring host and guest ip to be allowed
>
> > I'm using 2.6.17-vs2.1.1-rc26-gentoo.
> >
> > Any ideas?
>
> well, let's do an strace of the actual mount, to see where
> it fails, and check with rpcinfo and showmounts
The remote nfs server has 192.168.39.1, the host (gs) has 192.168.39.10 and 
the guest (vs01) has 192.168.39.11.
vs01 / # showmount 192.168.39.1
Hosts on 192.168.39.1:
*
127.0.0.1
192.168.1.12
192.168.39.*
192.168.39.10
192.168.39.11
192.168.39.12
192.168.39.128
192.168.39.129
192.168.39.130
192.168.39.131
192.168.39.132
vs01 / # showmount -e 192.168.39.1
Export list for 192.168.39.1:
/home *
vs01 / #                         
vs01 / # rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1032  status
    100024    1   tcp   4484  status
vs01 / # rpcinfo -p 192.168.39.1
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  35653  status
    100024    1   tcp  32883  status
    100011    1   udp   4003  rquotad
    100011    2   udp   4003  rquotad
    100011    1   tcp   4003  rquotad
    100011    2   tcp   4003  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  35654  nlockmgr
    100021    3   udp  35654  nlockmgr
    100021    4   udp  35654  nlockmgr
    100021    1   tcp  32884  nlockmgr
    100021    3   tcp  32884  nlockmgr
    100021    4   tcp  32884  nlockmgr
    100005    1   udp    897  mountd
    100005    1   tcp    900  mountd
    100005    2   udp    897  mountd
    100005    2   tcp    900  mountd
    100005    3   udp    897  mountd
    100005    3   tcp    900  mountd
vs01 / #                                         
O.k., here's the strace:
vs01 / # strace mount 192.168.39.1:/home /home -o nolock,tcp
execve("/bin/mount", 
["mount", "192.168.39.1:/home", "/home", "-o", "nolock,tcp"], [/* 26 vars 
*/]) = 0
uname({sys="Linux", node="vs01", ...})  = 0
brk(0)                                  = 0x8063000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or 
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=12117, ...}) = 0
mmap2(NULL, 12117, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fbf000
close(3)                                = 0
open("/lib/libblkid.so.1", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\35\0"..., 512) = 
512
fstat64(3, {st_mode=S_IFREG|0755, st_size=28764, ...}) = 0
mmap2(NULL, 30740, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0xb7fb7000
mmap2(0xb7fbe000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_DENYWRITE, 3, 0x6) = 0xb7fbe000
close(3)                                = 0
open("/lib/libuuid.so.1", O_RDONLY)     = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\n\0"..., 512) = 
512
fstat64(3, {st_mode=S_IFREG|0755, st_size=9600, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0xb7fb6000
mmap2(NULL, 11544, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0xb7fb3000
mmap2(0xb7fb5000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_DENYWRITE, 3, 0x1) = 0xb7fb5000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240T\1"..., 512) = 
512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1220000, ...}) = 0
mmap2(NULL, 1158452, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0xb7e98000
mmap2(0xb7fad000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_DENYWRITE, 3, 0x115) = 0xb7fad000
mmap2(0xb7fb1000, 7476, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_ANONYMOUS, -1, 0) = 0xb7fb1000
close(3)                                = 0
mprotect(0xb7fad000, 4096, PROT_READ)   = 0
mprotect(0xb7fd5000, 4096, PROT_READ)   = 0
munmap(0xb7fbf000, 12117)               = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "\372\250\323\f", 4)            = 4
close(3)                                = 0
brk(0)                                  = 0x8063000
brk(0x8084000)                          = 0x8084000
open("/dev/null", O_RDWR|O_LARGEFILE)   = 3
close(3)                                = 0
getuid32()                              = 0
geteuid32()                             = 0
getgid32()                              = 0
getegid32()                             = 0
prctl(0x3, 0x20, 0xbfe36fd8, 0x5, 0xbfe37194) = 1
open("/etc/blkid.tab", O_RDONLY)        = -1 ENOENT (No such file or 
directory)
getuid32()                              = 0
geteuid32()                             = 0
lstat64("/etc/mtab", {st_mode=S_IFREG|0644, st_size=298, ...}) = 0
stat64("192.168.39.1:/home", 0xbfe36f30) = -1 ENOENT (No such file or 
directory)
stat64("/sbin/mount.nfs", 0xbfe36e20)   = -1 ENOENT (No such file or 
directory)
uname({sys="Linux", node="vs01", ...})  = 0
time(NULL)                              = 1158161876
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
getpid()                                = 19113
bind(3, {sa_family=AF_INET, sin_port=htons(633), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(111), 
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
gettimeofday({1158161876, 198813}, NULL) = 0
write(3, "\200\0\0(S\274\240x\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0\2"..., 44) = 
44
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(3, "\0\0\1\214S\274\240x\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 500) = 
500
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(3, "\0\0\0\2\0\0\0\6\0\0\3\204\0\0\0\1\0\1\206\245\0\0\0\3"..., 500) = 56
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(634), 
sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE (Address already in use)
bind(3, {sa_family=AF_INET, sin_port=htons(635), 
sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE (Address already in use)
bind(3, {sa_family=AF_INET, sin_port=htons(636), 
sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE (Address already in use)
bind(3, {sa_family=AF_INET, sin_port=htons(637), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(900), 
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
uname({sys="Linux", node="vs01", ...})  = 0
geteuid32()                             = 0
getegid32()                             = 0
getgroups32(0, NULL)                    = 11
getgroups32(11, [0, 1, 2, 3, 4, 6, 10, 11, 20, 26, 27]) = 11
gettimeofday({1158161876, 215420}, NULL) = 0
write(3, "\200\0\0xgZ\0009\0\0\0\0\0\0\0\2\0\1\206\245\0\0\0\3\0"..., 124) = 
124
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 20000) = 1
read(3, "\200\0\0008gZ\0009\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4000) = 
60
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(638), 
sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE (Address already in use)
bind(4, {sa_family=AF_INET, sin_port=htons(639), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(640), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(111), 
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
write(5, "\200\0\0008\20\f\\Y\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0\2"..., 60) = 
60
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(5, "\200\0\0\34\20\f\\Y\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 400) = 
32
close(5)                                = 0
uname({sys="Linux", node="vs01", ...})  = 0
close(3)                                = 0
close(3)                                = -1 EBADF (Bad file descriptor)
rt_sigprocmask(SIG_BLOCK, ~[TRAP SEGV], NULL, 8) = 0
mount("192.168.39.1:/home", "/home", "nfs", MS_MGC_VAL, "\4") = -1 EPERM 
(Operation not permitted)
rt_sigprocmask(SIG_UNBLOCK, ~[TRAP SEGV], NULL, 8) = 0
time(NULL)                              = 1158161876
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(641), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(111), 
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
write(3, "\200\0\0(\'\367s\375\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0"..., 44) = 44
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(3, "\0\0\1\214\'\367s\375\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 500) = 
500
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(3, "\0\0\0\2\0\0\0\6\0\0\3\204\0\0\0\1\0\1\206\245\0\0\0\3"..., 500) = 56
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(642), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(900), 
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
uname({sys="Linux", node="vs01", ...})  = 0
geteuid32()                             = 0
getegid32()                             = 0
getgroups32(0, NULL)                    = 11
getgroups32(11, [0, 1, 2, 3, 4, 6, 10, 11, 20, 26, 27]) = 11
gettimeofday({1158161876, 261828}, NULL) = 0
write(3, "\200\0\0x\'\265\332\3\0\0\0\0\0\0\0\2\0\1\206\245\0\0\0"..., 124) = 
124
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 20000) = 1
read(3, "\200\0\0<\'\265\332\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4000) = 
64
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(643), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
bind(6, {sa_family=AF_INET, sin_port=htons(644), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(111), 
sin_addr=inet_addr("192.168.39.1")}, 16) = 0
write(6, "\200\0\0008i2gs\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0\2\0\0"..., 60) = 
60
poll([{fd=6, events=POLLIN, revents=POLLIN}], 1, 60000) = 1
read(6, "\200\0\0\34i2gs\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 400) = 
32
close(6)                                = 0
uname({sys="Linux", node="vs01", ...})  = 0
close(3)                                = 0
close(3)                                = -1 EBADF (Bad file descriptor)
rt_sigprocmask(SIG_BLOCK, ~[TRAP SEGV], NULL, 8) = 0
mount("192.168.39.1:/home", "/home", "nfs", MS_MGC_VAL, "\3") = -1 EPERM 
(Operation not permitted)
rt_sigprocmask(SIG_UNBLOCK, ~[TRAP SEGV], NULL, 8) = 0
geteuid32()                             = 0
stat64("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
write(2, "mount: permission denied\n", 25mount: permission denied
) = 25
exit_group(32)                          = ?
Process 19113 detached
vs01 / #    
I sniffed the network and the nfs-server also says STATUS_OK.
-- 
Wilhelm Meier
email: wilhelm.meier@fh-kl.de
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Thu Sep 14 06:39:18 2006
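Added example, not part of the original message: a small Python triage of the strace posted above. It re-joins the records that the mail client wrapped and separates the permission denials from the other failed calls. The sample is an excerpt of that trace, and the function names are this example's own.

```python
import re
from collections import Counter

# Excerpt of the strace in the message above, mail line wrapping kept as posted.
SAMPLE = r'''stat64("/sbin/mount.nfs", 0xbfe36e20)   = -1 ENOENT (No such file or
directory)
bind(3, {sa_family=AF_INET, sin_port=htons(634),
sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE (Address already in use)
bind(3, {sa_family=AF_INET, sin_port=htons(637),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
close(3)                                = -1 EBADF (Bad file descriptor)
mount("192.168.39.1:/home", "/home", "nfs", MS_MGC_VAL, "\4") = -1 EPERM
(Operation not permitted)
mount("192.168.39.1:/home", "/home", "nfs", MS_MGC_VAL, "\3") = -1 EPERM
(Operation not permitted)
'''

RECORD_START = re.compile(r"^\w+\(")  # a syscall record begins with name(
RECORD = re.compile(
    r"^(\w+)\((.*)\)\s*=\s*(-?\d+|0x[0-9a-f]+|\?)"  # name(args) = result
    r"(?:\s+(E[A-Z]+)\s+\((.*)\))?\s*$")             # optional ERRNO (text)
PERMISSION_ERRNOS = {"EPERM", "EACCES"}

def join_wrapped(text):
    """Re-join wrapped records: a line not starting with 'name(' continues the last one."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def failed_calls(text):
    """Return (syscall, errno, args) for every call that returned an errno."""
    matches = (RECORD.match(rec) for rec in join_wrapped(text))
    return [(m.group(1), m.group(4), m.group(2)) for m in matches if m and m.group(4)]

def triage(text):
    """Split failures into permission denials and a count of everything else."""
    failures = failed_calls(text)
    denied = [f for f in failures if f[1] in PERMISSION_ERRNOS]
    other = Counter((n, e) for n, e, _ in failures if e not in PERMISSION_ERRNOS)
    return denied, other

if __name__ == "__main__":
    denied, other = triage(SAMPLE)
    for name, err, args in denied:
        print(f"DENIED {name} {err}: {args}")
    for (name, err), count in other.items():
        print(f"other  {name} {err} x{count}")
```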