Merge branch 'develop'

Author: ehough

CHANGELOG.md

@@ -4,7 +4,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## [2.1.0] - 2019-10-31
+## [2.2.0] - 2019-03-08
+## Added
+* Enhanced debugging via environment variable: `NFS_LOG_LEVEL=DEBUG`. This also produces less cluttered log output
+during regular, non-debug operation.
+## Fixed
+* `idmapd` would not start when `NFS_VERSION=3`
+* allow Kerberos without `idmapd`. Most users will probably want to run them together, but 
+it isn't required.
+* `NFS_VERSION` environment variable sanity check allowed invalid values
+* status code of `rpc.svcgssd` was not properly checked
+* `idmapd` debug output was invisible
+
+## [2.1.0] - 2019-01-31
 ### Added
 * Ability to automatically load kernel modules. ([#18](https://github.com/ehough/docker-nfs-server/issues/18)). Credit to [@andyneff](https://github.com/andyneff).
 ### Fixed
@@ -48,4 +60,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 * Fixed detection of built-in kernel modules ([#4](https://github.com/ehough/docker-nfs-server/pull/4))
 
 ## [1.0.0] - 2018-02-05
-Initial release.
+Initial release.

README.md

@@ -11,7 +11,7 @@ This is the only containerized NFS server that offers **all** of the following f
 - clean teardown of services upon termination (no lingering `nfsd` processes on Docker host)
 - flexible construction of `/etc/exports`
 - extensive server configuration via environment variables
-- helpful, human-readable logging
+- human-readable logging (with a helpful [debug mode](doc/feature/logging.md))
 - *optional* bonus features
   - [Kerberos security](doc/feature/kerberos.md)
   - [NFSv4 user ID mapping](doc/feature/nfs4-user-id-mapping.md) via [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html)
@@ -24,6 +24,7 @@ This is the only containerized NFS server that offers **all** of the following f
   * [Starting the server](#starting-the-server)
   * [Mounting filesystems from a client](#mounting-filesystems-from-a-client)
 * Optional features
+  * [Debug logging](doc/feature/logging.md)
   * [Kerberos security](doc/feature/kerberos.md)
   * [NFSv4 user ID mapping](doc/feature/nfsv4-user-id-mapping.md)
   * [AppArmor integration](doc/feature/apparmor.md)
@@ -144,6 +145,7 @@ If you pay close attention to each of the items in this section, the server shou
 
 ## Optional Features
 
+  * [Debug logging](doc/feature/logging.md)
   * [Kerberos security](doc/feature/kerberos.md)
   * [NFSv4 user ID mapping](doc/feature/nfs4-user-id-mapping.md)
   * [AppArmor integration](doc/feature/apparmor.md)

doc/feature/kerberos.md

@@ -6,8 +6,6 @@ You can enable Kerberos security for your NFS server with the following steps.
 1. set the server's hostname via the `--hostname` flag
 1. provide `/etc/krb5.keytab` which contains a principal of the form `nfs/<hostname>`, where `<hostname>` is the hostname you supplied in the previous step.
 1. provide [`/etc/krb5.conf`](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html)
-1. provide [`/etc/idmapd.conf`](https://linux.die.net/man/5/idmapd.conf)
-1. provide `/etc/passwd` containing your NFS client users
 
 Here's an example:
 
@@ -18,8 +16,6 @@ Here's an example:
       --hostname my-nfs-server.com                        \
       -v /host/path/to/server.keytab:/etc/krb5.keytab:ro  \
       -v /host/path/to/server.krb5conf:/etc/krb5.conf:ro  \
-      -v /host/path/to/idmapd.conf:/etc/idmapd.conf:ro    \
-      -v /etc/passwd:/etc/passwd:ro                       \
       --cap-add SYS_ADMIN                                 \
       -p 2049:2049                                        \
       erichough/nfs-server

doc/feature/logging.md

@@ -0,0 +1,157 @@
+# Logging
+
+By default, the image will output a reasonable level of logging information so you can see verify that the server is operating as expected.
+
+You can bump up the log level via the `NFS_LOG_LEVEL` environment variable. Currently, the only acceptable value is `DEBUG`.
+
+In your `docker-run` command:
+```
+docker run -e NFS_LOG_LEVEL=DEBUG ... erichough/nfs-server
+```
+or in `docker-compose.yml`:
+```YAML
+version: 3
+services:
+  nfs:
+    image: erichough/nfs-server
+    ...
+    environment:
+      - LOG_LEVEL: DEBUG
+```
+   
+### Normal log output
+
+Normal, non-debug logging will look something like this:
+
+```
+==================================================================
+      SETTING UP ...
+==================================================================
+----> building /etc/exports from environment variables
+----> collected 4 valid export(s) from NFS_EXPORT_* environment variables
+----> kernel module nfs is loaded
+----> kernel module nfsd is loaded
+----> kernel module rpcsec_gss_krb5 is loaded
+----> setup complete
+
+==================================================================
+      STARTING SERVICES ...
+==================================================================
+----> mounting rpc_pipefs filesystem onto /var/lib/nfs/rpc_pipefs
+----> mounting nfsd filesystem onto /proc/fs/nfsd
+----> starting rpcbind
+----> exporting filesystem(s)
+----> starting rpc.mountd on port 32767
+----> starting statd on port 32765 (outgoing from port 32766)
+----> starting idmapd
+----> starting rpc.nfsd on port 2049 with 16 server thread(s)
+----> starting rpc.svcgssd
+----> all services started normally
+
+==================================================================
+      SERVER STARTUP COMPLETE
+==================================================================
+----> list of enabled NFS protocol versions: 3
+----> list of container exports:
+---->   /nfs/htpc-media *(ro,no_subtree_check,insecure,async)
+---->   /nfs/homes/staff *(rw,no_subtree_check,insecure,sec=krb5p)
+---->   /nfs/homes/ehough *(rw,no_subtree_check,insecure,no_root_squash,sec=krb5p)
+---->   /nfs/backup/duplicacy *(rw,no_subtree_check,insecure,sec=krb5p,all_squash,anonuid=0,anongid=0)
+----> list of container ports that should be exposed:
+---->   111 (TCP and UDP)
+---->   2049 (TCP and UDP)
+---->   32765 (TCP and UDP)
+---->   32767 (TCP and UDP)
+
+==================================================================
+      READY AND WAITING FOR NFS CLIENT CONNECTIONS
+==================================================================
+
+```
+
+### Debug output
+
+Debug output will look something like this:
+
+```
+==================================================================
+      SETTING UP ...
+==================================================================
+----> /etc/exports is baked into the image
+----> kernel module nfs is loaded
+----> kernel module nfsd is loaded
+----> kernel module rpcsec_gss_krb5 is loaded
+----> setup complete
+
+==================================================================
+      STARTING SERVICES ...
+==================================================================
+----> mounting rpc_pipefs filesystem onto /var/lib/nfs/rpc_pipefs
+mount: mount('rpc_pipefs','/var/lib/nfs/rpc_pipefs','rpc_pipefs',0x00008000,'(null)'):0
+----> mounting nfsd filesystem onto /proc/fs/nfsd
+mount: mount('nfsd','/proc/fs/nfsd','nfsd',0x00008000,'(null)'):0
+----> starting rpcbind
+----> exporting filesystem(s)
+exporting *:/nfs/backup/duplicacy
+exporting *:/nfs/homes/ehough
+exporting *:/nfs/homes/staff
+exporting *:/nfs/htpc-media
+----> starting rpc.mountd on port 32767
+----> starting statd on port 32765 (outgoing from port 32766)
+----> starting idmapd
+rpc.idmapd: Setting log level to 11
+
+rpc.idmapd: libnfsidmap: using domain: hough.matis
+rpc.idmapd: libnfsidmap: Realms list: 'HOUGH.MATIS' 
+rpc.idmapd: libnfsidmap: processing 'Method' list
+rpc.idmapd: static_getpwnam: name 'nfs/blue@HOUGH.MATIS' mapped to 'root'
+rpc.idmapd: static_getpwnam: localname 'melissa' for 'melissa@HOUGH.MATIS' not found
+rpc.idmapd: static_getpwnam: name 'ehough@HOUGH.MATIS' mapped to 'ehough'
+rpc.idmapd: static_getgrnam: group 'nfs/blue@HOUGH.MATIS' mapped to 'root'
+rpc.idmapd: static_getgrnam: local group 'melissa' for 'melissa@HOUGH.MATIS' not found
+rpc.idmapd: static_getgrnam: group 'ehough@HOUGH.MATIS' mapped to 'ehough'
+rpc.idmapd: libnfsidmap: loaded plugin /usr/lib/libnfsidmap/static.so for method static
+rpc.idmapd: Expiration time is 600 seconds.
+rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
+rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
+----> starting rpc.nfsd on port 2049 with 16 server thread(s)
+rpc.nfsd: knfsd is currently down
+rpc.nfsd: Writing version string to kernel: -2 +3 +4 +4.1 +4.2
+rpc.nfsd: Created AF_INET TCP socket.
+rpc.nfsd: Created AF_INET UDP socket.
+rpc.nfsd: Created AF_INET6 TCP socket.
+rpc.nfsd: Created AF_INET6 UDP socket.
+----> starting rpc.svcgssd
+entering poll
+----> all services started normally
+
+==================================================================
+      SERVER STARTUP COMPLETE
+==================================================================
+----> list of enabled NFS protocol versions: 4.2, 4.1, 4, 3
+----> list of container exports:
+---->   /nfs/backup/duplicacy   *(rw,sync,wdelay,hide,nocrossmnt,insecure,root_squash,all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=0,anongid=0,sec=krb5p,rw,insecure,root_squash,all_squash)
+---->   /nfs/homes/ehough       *(rw,sync,wdelay,hide,nocrossmnt,insecure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=krb5p,rw,insecure,no_root_squash,no_all_squash)
+---->   /nfs/homes/staff        *(rw,sync,wdelay,hide,nocrossmnt,insecure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=krb5p,rw,insecure,root_squash,no_all_squash)
+---->   /nfs/htpc-media *(ro,async,wdelay,hide,nocrossmnt,insecure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,ro,insecure,root_squash,no_all_squash)
+----> list of container ports that should be exposed:
+---->   111 (TCP and UDP)
+---->   2049 (TCP and UDP)
+---->   32765 (TCP and UDP)
+---->   32767 (TCP and UDP)
+
+==================================================================
+      READY AND WAITING FOR NFS CLIENT CONNECTIONS
+==================================================================
+leaving poll
+handling null request
+svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
+sname = nfs/blue@HOUGH.MATIS
+doing downcall
+mech: krb5, hndl len: 4, ctx len 52, timeout: 1552111964 (31564 from now), clnt: nfs@blue, uid: 0, gid: 0, num aux grps: 1:
+  (   1) 0
+sending null reply
+writing message: \x \x6082024606092a864886f71201020201006e82023530820231a003020105a10302010ea20703050020000000a38201306182012c30820128a003020105a10d1b0b484f5547482e4d41544953a2153013a003020103a10c300a1b036e66731b036e6173a381fa3081f7a003020113a103020106a281ea0481e79cf640041a02f97332a25760a707a3f039f61301d07b2dfbb8bf9448cbfd168d0958c7717b535f7799c87390469c94045a6cd3f54c91ddeda9274b1ea492a43e6b17dec3ad17aaa94b9e61cdd4f4c8e7a35d8e84d56c7657e63536358e1316e2e8362922b47b465dd57aa29cb743128432decee09c3a06e6b4d5f6cebcd0978ee37bf0155a01a6ed623dc7b3068163fedaadec1e1509788db701c5308c703aa0e3196188e40c22afc361d2d9762750627c091516f05059a1f965df187dc981f4ac59bf3f424f23e676109a8c93af93b66f704f78703e1ef642fddf5b01d7deb40db26642e9f4f0a481e73081e4a003020111a281dc0481d9299c7ea474abf5d08a5f4f977254552e712f783f89bf40eb2cbd0082614593e377ec8cfe1c1ffb1bc0fad366382258f63857928240933914478fbceadc3b3bfe2e1f9a477c601d6b20c19898813878f45cea78ae601a342f000faf89c2e0e4c37fdb5db7937ac327ac0470c1f97dd421a112a6739467132d598db38ff99f9a88a8ac44e72f5cd088bd4d6159e15be75a7447d556134bda4fa0a96e64e3350d3a198e0635e4e7fb4900962aed3912fe0f316a1fa27121133232816b1177c707c0c37b396add3b347be38db756f05815ca3de5b3874782d80bf9 1552080460 0 0 \x01000000 \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020111a271046fdfb95cbe1237d785691a0ca14b4f7443142dda2b2a1b2845499bdb69b538719fbfc99b71d72ae61d7bd9966c106b2381fd08690082de26da5b8f521081035b5d7b8bf6c6eda85fd73c1c76ff03bec7693695e0b3d9e72069ec3772f93c4dbc5e8ce698a0854b494714bd5801204af3 
+finished handling null request
+entering poll
+```

doc/feature/nfs4-user-id-mapping.md

@@ -1,12 +1,11 @@
 # NFSv4 User ID Mapping
 
-If you'd like to run [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html) to map between NFSv4 IDs (e.g. `foo@bar.com`) and local users, simply provide [`idmapd.conf`](https://linux.die.net/man/5/idmapd.conf) and `/etc/passwd` to the container. This step is required for [Kerberos](kerberos.md).
+If you'd like to run [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html) to map between NFSv4 IDs (e.g. `foo@bar.com`) and local users, simply provide [`idmapd.conf`](https://linux.die.net/man/5/idmapd.conf) to the container.
 
     docker run                                          \
       -v /host/path/to/exports.txt:/etc/exports:ro      \
       -v /host/files:/nfs                               \
       -v /host/path/to/idmapd.conf:/etc/idmapd.conf:ro  \
-      -v /etc/passwd:/etc/passwd:ro                     \
       --cap-add SYS_ADMIN                               \
       -p 2049:2049                                      \
       erichough/nfs-server