Date:      Sun, 11 Oct 2020 02:18:51 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Cc:        Meowthink <meowthink@gmail.com>
Subject:   RFC: gssd needs /usr mounted to start up
Message-ID:  <YTBPR01MB3966D99D48BA5F72D14F6CB9DD060@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>


Meowthink reported a problem on freebsd-hackers@ where the
gssd would not start up because /usr was not yet mounted.
(I moved the discussion here, hoping to catch more comments.)

He has a separately mounted /usr and, recently, gssd was failing
to start since /usr was not yet mounted when /etc/rc.d/gssd was
executed.
Looking at /etc/rc.d/gssd, this is not surprising, since the REQUIRED
line only lists "root" as a requirement.
I can see a couple of things that can be done, but no obvious ideal
solution:
(A) - Add "mountcritlocal" to the REQUIRED line, which is what
        Meowthink has done.
        This seems harmless and works for the case of a local filesystem
        /usr, but does not work if /usr is an NFS mounted file system.

(B) - Add both "mountcritlocal" and "mountcritremote" to the
        REQUIRED line.
        This would also fix the case of an NFS mounted /usr, but it also
        implies that all NFS entries in /etc/fstab that use "sec=krb5[ip]"
        would also need the "late" option specified.

I am thinking that (A) can be done and MFC'd, since it shouldn't
break anything (or cause a POLA violation).
Maybe (B) can be done for head/FreeBSD13 with an entry in the
Release notes, indicating the need for "late" on NFS entries using
"sec=krb5[ip]" in /etc/fstab. (It would result in a POLA violation if
MFC'd, since "sec=krb5[ip]" entries in /etc/fstab would break until
"late" is added.)

I am interested in a solution for this, in part, because the daemons
for NFS over TLS have the same problem.

Any ideas/suggestions, rick
ps: I thought of moving gssd to /sbin, but it uses several libraries,
      including Kerberos ones, that are in /usr/lib.
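
The audit that option (B) would require of administrators, as an added example that is not part of the original e-mail: a POSIX sh function that lists the mount points of NFS entries in an fstab-format file that use sec=krb5, krb5i or krb5p without "late". The function names, the sample host names and the sample file contents are constructed for illustration; skipping "noauto" entries is an assumption of this example, since they are not mounted at boot.

```shell
#!/bin/sh
# Added example (not from the original message): find NFS fstab entries
# that use Kerberos security (sec=krb5, krb5i, krb5p) but lack "late".

# krb5_nfs_missing_late FILE
# Prints one mount point per line for each offending entry.
krb5_nfs_missing_late() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments, blank and short lines
        $3 != "nfs"          { next }   # only NFS entries matter here
        {
            n = split($4, opt, ",")
            krb = 0; late = 0; noauto = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^sec=krb5[ip]?$/) krb = 1
                if (opt[i] == "late")           late = 1
                if (opt[i] == "noauto")         noauto = 1
            }
            # Assumption: noauto entries are not mounted at boot, so they
            # do not depend on gssd start-up ordering.
            if (krb && !late && !noauto) print $2
        }
    ' "$1"
}

# Constructed sample fstab; host names and paths are illustrative only.
sample_fstab() {
    cat <<'EOF'
# Device                Mountpoint  FStype  Options                 Dump Pass
/dev/ada0p2             /           ufs     rw                      1    1
/dev/ada0p3             /usr        ufs     rw                      2    2
nfs1.example.org:/home  /home       nfs     rw,nfsv4,sec=krb5p      0    0
nfs1.example.org:/proj  /proj       nfs     rw,nfsv4,sec=krb5i,late 0    0
nfs1.example.org:/pub   /pub        nfs     ro,sec=sys              0    0
nfs1.example.org:/data  /data       nfs     rw,sec=krb5             0    0
nfs1.example.org:/arch  /arch       nfs     rw,sec=krb5,noauto      0    0
EOF
}

# Run against a real file when a path is given, e.g.: sh check.sh /etc/fstab
if [ "$#" -gt 0 ]; then
    krb5_nfs_missing_late "$1"
fi
```

With the constructed sample, the function reports /home and /data, the two entries that would stop mounting at boot under option (B) until "late" is added.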



