Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sharenfs and IPv6 on Ubuntu 12.04 #1894

Closed
sjthespian opened this issue Nov 22, 2013 · 15 comments · Fixed by #11939
Closed

sharenfs and IPv6 on Ubuntu 12.04 #1894

sjthespian opened this issue Nov 22, 2013 · 15 comments · Fixed by #11939
Labels
Component: Share "zfs share" feature Type: Feature Feature request or new feature

Comments

@sjthespian
Copy link

I am trying to share a zfs filesystem over both IPv4 and IPv6 but just cannot get it to work. I know the support is there in native NFS, as it works fine for non-zfs filesystems.

Here is an example:

sudo zfs set sharenfs='rw=@10.0.0.0/24,rw=@[1234:567:8🔡:0]/64,root_squash' disk1/home
sudo exportfs -a
showmount -e
/home 8
/home 567
/home 10.0.0.0/24
/home [1234
/home

I have tried the address both with and w/o square brackets, it doesn't make any difference.

Any ideas if there is a magic syntax for IPv6 addresses? Or is this just a bug/

@behlendorf
Copy link
Contributor

@sjthespian Just a bug I suspect. Can you successfully export ZFS via IPv6 is you do it the usual way in Linux and not via the sharenfs property?

@sjthespian
Copy link
Author

You're right, it looks like a zfs sharenfs bug. I just verified that it works fine if set sharenfs=off and just put the filesystem in /etc/exports.

@tuxis-ie
Copy link

The plot thickens. I was under the impression that it worked perfectly. And it seems to do so, for IPv4. However:

zfs get sharenfs export/host01-www
NAME               PROPERTY  VALUE              SOURCE
export/host01-www  sharenfs  rw=fc00::10:0:0:3  local

Effectively gets:

showmount -e | grep host01-www
/export/host01-www                 (everyone)

So I THOUGHT I had everything locked down, but in practice, I don't.

@sjthespian I don't know why you're using the @-sign in the sharenfs-command, I can set it withouth, and without any brackets. Although it gets exported to the whole world..

@tuxis-ie
Copy link

 zfs set sharenfs=rw=2a03:7900::/64 localdisk/nfstest

Becomes:

execve("/usr/sbin/exportfs", ["/usr/sbin/exportfs", "-i", "-o", "sec=sys,rw,no_subtree_check,no_root_squash,mountpoint", "/64:/localdisk/nfstest"], [/* 28 vars */])

So ZoL breaks on the IPv6-address-part. But that's not all. exportfs complains about this being broken, but converts it to 'just share to *'.

So, two issues here:
1: ZoL breaks the IPv6-address (Probably here: https://github.com/zfsonlinux/zfs/blob/master/lib/libshare/nfs.c#L240)
2: exportfs does not support IPv6-addresses whatsoever (https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1032704)

@sjthespian
Copy link
Author

The '@' was one of a large number of things I had tried. I found it in one of the assortment of howtos I stumbled across while I was trying to get this working.

I don't understand your #2 above however, IPv6 is working perfectly for me with exportfs (Ubuntu 12.04 server). I have the following in my /etc/exports file (not my real IPs of course):

/home   10.0.0.0/24(rw,sync,no_subtree_check,root_squash,insecure) 1234:56:78::/64(rw,sync,no_subtree_check,root_squash,insecure)```

After running exportfs -a I get the expected results with showmount -e from my macbook:

> showmount -e morpheus-new
Exports list on morpheus-new:
/srv/www                            *
/home                               1234:56:78::/64 10.0.0.0/24

The /srv/www filesystem was shared out with zfs set sharifs, /home is set with sharenfs off and only listed in /etc/exports.

@tuxis-ie
Copy link

@sjthespian Yes. While the editing of /etc/exportfs and exporting that does work, that is not what ZoL seems to be doing. ZoL runs exportfs directly, with 'client:/path' as final argument. An IPv6-address there isn't supported:

/usr/sbin/exportfs -i -o sec=sys,rw,no_subtree_check,no_root_squash,mountpoint 2a03:7900::/64:/localdisk/nfstest
exportfs: Invalid exporting option: 2a03

But you can export with an IPv4-address there..

@behlendorf behlendorf removed this from the 0.6.5 milestone Oct 29, 2014
@behlendorf behlendorf added the Component: Share "zfs share" feature label Oct 29, 2014
@pdf
Copy link

pdf commented Feb 28, 2015

@behlendorf has this been pushed back? No IPv6 support in 2015 is a bit embarrassing, and I imagine it's a moderately trivial parsing issue?

@prakashsurya
Copy link
Member

Patches are welcomed. :)

@behlendorf
Copy link
Contributor

@pdf It's just a matter of someone having time and motivation to write the patches. The file systems can be shared over IPv6 today through the normal Linux mechanisms.

@pdf
Copy link

pdf commented Mar 2, 2015

I'd do it myself if my C skills were sharper 😟, maybe I'll have a crack at it anyway.

Even though you may create IPv6 shares in the traditional manner, this is still problematic because it makes it hard to document procedures; it means that either configuration needs to live in two places (confusing, not maintainable), or sharenfs just can't be used in environments with IPv6; and shares cannot be synchronized via ZFS send/receive, so there has to be some sort of extra process to make replication work.

@AwesomePatrol
Copy link

Can confirm.
The easiest solution is to add IPv6 address to /etc/hosts and use hostname in sharenfs arguments.

@devZer0
Copy link

devZer0 commented Sep 18, 2019

duplicate/related: #380

@vidister
Copy link

I have requested a CVE number for this as it is a security bug by my understanding. (IPv6 restrictions from the config are not applied).

@vidister
Copy link

MITRE assigned CVE-2013-20001 to this.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-20001

felixdoerre added a commit to felixdoerre/zfs that referenced this issue Apr 25, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue Apr 26, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue Apr 26, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue Apr 26, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue May 15, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue May 15, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue May 15, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue May 16, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue May 16, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue May 17, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue Jul 3, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue Jul 18, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue Oct 14, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue Oct 18, 2021
felixdoerre added a commit to felixdoerre/zfs that referenced this issue Oct 20, 2021
behlendorf pushed a commit that referenced this issue Oct 20, 2021
Recognize when the host part of a sharenfs attribute is an ipv6
Literal and pass that through without modification.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Felix Dörre <felix@dogcraft.de>
Closes: #11171
Closes #11939
Closes: #1894
@genbtc
Copy link

genbtc commented Aug 17, 2022

hello!
Can someone please confirm the CVE-2013-20001 is now mitigated as a result of this commit 6cb5e1e after closing issue #1894 mentioned in the CVE Advisory ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Component: Share "zfs share" feature Type: Feature Feature request or new feature
Projects
None yet
Development

Successfully merging a pull request may close this issue.

10 participants