* [PATCH] auth-rpcgss-module.service: Don't fail inside linux container.
@ 2022-11-26  9:55 Joachim Falk
  2022-12-06 13:32 ` Steve Dickson
  0 siblings, 1 reply; 2+ messages in thread
From: Joachim Falk @ 2022-11-26  9:55 UTC (permalink / raw)
  To: linux-nfs; +Cc: Joachim Falk, NeilBrown, Steve Dickson, Salvatore Bonaccorso

Only try to load the auth_rpcgss kernel module if we are not executing
inside a Linux container. Otherwise, the auth-rpcgss-module service will
fail inside a Linux container as the loading of kernel modules is
forbidden for the container. Thus, the "/sbin/modprobe -q auth_rpcgss"
call will fail even if the auth_rpcgss kernel module is already loaded.
This situation occurs when the container host has already loaded the
auth_rpcgss kernel module to enable kerberized NFS service for its
containers. This behavior has been tested with kmod up to version
30+20220630-3 (current in bookworm as of 2022-09-20).

Bug-Debian: http://bugs.debian.org/985000
Discussion-Debian: https://salsa.debian.org/kernel-team/nfs-utils/-/merge_requests/7

Signed-off-by: Joachim Falk <joachim.falk@gmx.de>
---
 systemd/auth-rpcgss-module.service | 1 +
 1 file changed, 1 insertion(+)

diff --git a/systemd/auth-rpcgss-module.service b/systemd/auth-rpcgss-module.service
index 45482833..25c9de80 100644
--- a/systemd/auth-rpcgss-module.service
+++ b/systemd/auth-rpcgss-module.service
@@ -10,6 +10,7 @@ DefaultDependencies=no
 Before=gssproxy.service rpc-svcgssd.service rpc-gssd.service
 Wants=gssproxy.service rpc-svcgssd.service rpc-gssd.service
 ConditionPathExists=/etc/krb5.keytab
+ConditionVirtualization=!container

 [Service]
 Type=oneshot
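Review bot: The added `ConditionVirtualization=!container` line tests where the unit runs rather than whether module loading is permitted, so it also skips the modprobe in a container that has been granted the right to load modules. The failure described in the commit message comes from module loading being forbidden, so a check on that ability, for example `ConditionCapability=CAP_SYS_MODULE`, would match the cause more closely. If the virtualization test is kept, the commit message should say that privileged containers are deliberately covered as well.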
--
2.35.1



* Re: [PATCH] auth-rpcgss-module.service: Don't fail inside linux container.
  2022-11-26  9:55 [PATCH] auth-rpcgss-module.service: Don't fail inside linux container Joachim Falk
@ 2022-12-06 13:32 ` Steve Dickson
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Dickson @ 2022-12-06 13:32 UTC (permalink / raw)
  To: Joachim Falk, linux-nfs; +Cc: NeilBrown, Salvatore Bonaccorso



On 11/26/22 4:55 AM, Joachim Falk wrote:
> Only try to load the auth_rpcgss kernel module if we are not executing
> inside a Linux container. Otherwise, the auth-rpcgss-module service will
> fail inside a Linux container as the loading of kernel modules is
> forbidden for the container. Thus, the "/sbin/modprobe -q auth_rpcgss"
> call will fail even if the auth_rpcgss kernel module is already loaded.
> This situation occurs when the container host has already loaded the
> auth_rpcgss kernel module to enable kerberized NFS service for its
> containers. This behavior has been tested with kmod up to version
> 30+20220630-3 (current in bookworm as of 2022-09-20).
> 
> Bug-Debian: http://bugs.debian.org/985000
> Discussion-Debian: https://salsa.debian.org/kernel-team/nfs-utils/-/merge_requests/7
> 
> Signed-off-by: Joachim Falk <joachim.falk@gmx.de>
Committed... (tag: nfs-utils-2-6-3-rc5)

steved.
> ---
>   systemd/auth-rpcgss-module.service | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/systemd/auth-rpcgss-module.service b/systemd/auth-rpcgss-module.service
> index 45482833..25c9de80 100644
> --- a/systemd/auth-rpcgss-module.service
> +++ b/systemd/auth-rpcgss-module.service
> @@ -10,6 +10,7 @@ DefaultDependencies=no
>   Before=gssproxy.service rpc-svcgssd.service rpc-gssd.service
>   Wants=gssproxy.service rpc-svcgssd.service rpc-gssd.service
>   ConditionPathExists=/etc/krb5.keytab
> +ConditionVirtualization=!container
> 
>   [Service]
>   Type=oneshot
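Review bot: With `ConditionVirtualization=!container` placed next to `ConditionPathExists=/etc/krb5.keytab`, the unit is skipped silently in a container, while the services named in `Before=` and `Wants=` still start and rely on the host having loaded auth_rpcgss. That dependency on the host is stated only in the commit message. A comment line above the new condition in the unit file would let an administrator reading the unit see why it did not run and what the host has to provide.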
> --
> 2.35.1
> 

