Date: Sun, 11 Oct 2020 02:18:51 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Cc: Meowthink <meowthink@gmail.com>
Subject: RFC: gssd needs /usr mounted to start up
Message-ID: <YTBPR01MB3966D99D48BA5F72D14F6CB9DD060@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>

Meowthink reported a problem on freebsd-hackers@ where the
gssd would not start up because /usr was not yet mounted.
(I moved the discussion here, hoping to catch more comments.)

He has a separately mounted /usr and, recently, gssd was failing
to start since /usr was not yet mounted when /etc/rc.d/gssd was
executed.
Looking at /etc/rc.d/gssd, this is not surprising, since the REQUIRED
line only lists "root" as a requirement.
I can see a couple of things that can be done, but no obvious ideal
solution:
(A) - Add "mountcritlocal" to the REQUIRED line, which is what
      Meowthink has done.
      This seems harmless and works for the case of a local filesystem
      /usr, but does not work if /usr is an NFS mounted file system.

(B) - Add both "mountcritlocal" and "mountcritremote" to the
      REQUIRED line.
      This would also fix the case of an NFS mounted /usr, but it also
      implies that all NFS entries in /etc/fstab that use "sec=krb5[ip]"
      would also need the "late" option specified.

I am thinking that (A) can be done and MFC'd, since it shouldn't
break anything (or cause a POLA violation).
Maybe (B) can be done for head/FreeBSD13 with an entry in the
Release notes, indicating the need for "late" on NFS entries using
"sec=krb5[ip]" in /etc/fstab. (It would result in a POLA violation if
MFC'd, since "sec=krb5[ip]" entries in /etc/fstab would break until
"late" is added.)

I am interested in a solution for this, in part, because the daemons
for NFS over TLS have the same problem.

Any ideas/suggestions, rick
ps: I thought of moving gssd to /sbin, but it uses several libraries,
    including Kerberos ones, that are in /usr/lib.
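
Added example, not part of the message above and not FreeBSD project code: a pre-upgrade check for option (B) that lists the NFS entries in an fstab-format file which use sec=krb5, sec=krb5i or sec=krb5p but lack "late". The function names, the sample fstab and the host nfs.example.org are constructed for illustration.

```shell
#!/bin/sh
# Print the mount point of every NFS entry that uses a Kerberos security
# flavor (sec=krb5, sec=krb5i, sec=krb5p) without the "late" option.
# Under option (B) gssd would start only after mountcritremote, so these
# entries would be attempted before gssd is running.
# Usage: krb5_nfs_missing_late /etc/fstab   (reads stdin when no file is given)
krb5_nfs_missing_late() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        $3 == "nfs" {
            n = split($4, opt, ",")         # fstab field 4: mount options
            krb = 0; late = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^sec=krb5[ip]?$/) krb = 1
                if (opt[i] == "late") late = 1
            }
            if (krb && !late) print $2      # fstab field 2: mount point
        }
    ' "$@"
}

# Constructed sample fstab (not taken from any real system).
sample_fstab() {
    cat <<'EOF'
# Device                Mountpoint  FStype  Options                  Dump Pass
/dev/ada0p2             /           ufs     rw                       1    1
/dev/ada0p3             /usr        ufs     rw                       2    2
nfs.example.org:/home   /home       nfs     rw,nfsv4,sec=krb5p       0    0
nfs.example.org:/proj   /proj       nfs     rw,sec=krb5i             0    0
nfs.example.org:/data   /data       nfs     rw,nfsv4,sec=krb5,late   0    0
nfs.example.org:/pub    /pub        nfs     ro,sec=sys               0    0
EOF
}

# Demonstration run on the constructed sample.
sample_fstab | krb5_nfs_missing_late
```

Entries it lists would need "late" added before the gssd rc.d script starts requiring mountcritremote.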