nixos/nfs: Allow Kerberized NFS

[kwohlfahrt]

Motivation for this change

Currently, NFS mounts secured with Kerberos do not work (see #72722).

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

Notify maintainers

cc @tfc - regarding the Perl -> Python test port
cc @edolstra as maintainer of the previous nfs test

[rnhmjoj]

You have to update nixos/tests/all-tests.nix to build the nfs/ directory, instead of nfs.nix.

[rnhmjoj]

Maybe use wait_for_file here

[kwohlfahrt]

test -e is what the plain NFS test uses, I assume because NFS should be synchronous here (i.e. by the time the file is visible on the client, it has been created on the server).

[kwohlfahrt]

As noted in the issue, there are two remaining problems:

1. file uid/gids are all messed up. This can be fixed by running nfs-idmapd on the client, but docs suggest that this is no longer necessary as it is replaced by the nfsidmap binary. Indeed, the service is masked if services.nfs.server.enable = false. EDIT: This is nfs4 idmapd fails to operate without additional configuration (clone of #34638 for nfs4) #68106
2. It is not possible to write to files as root, even if the corresponding kerberos principal exists. This may be intended behavior.

[kwohlfahrt]

I appear to have CI errors, but the message in details is not very clear to me: attribute 'x86_64-linux' missing, at /var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/mr-est/eval-0-gleber.ewr1.nix.ci/nixos/release-combined.nix:50:43. How do I fix this?

[kwohlfahrt]

This PR has expanded in scope a bit - there is now a kernel patch to fix the hard-coded ID request-key path. This touches a few other issues, namely #68106 and #34638, though those still need a bit of module work to ensure keyutils is present for example.

[tfc]

the comments here that tell what happens on a higher level could all be subtests, so this information even appears in the log.

[tfc]

Oh sorry i already stated this in another comment in the same PR and didn't remember.

[kwohlfahrt]

I've changed most of the other ones. Here, this is really set-up code that is not related to the functionality under test. Is subtest intended for this use as well?

[rnhmjoj]

This PR has expanded in scope a bit - there is now a kernel patch to fix the hard-coded ID request-key path. This touches a few other issues, namely #68106 and #34638, though those still need a bit of module work to ensure keyutils is present for example.

I had no idea this could get this complicated. Thanks for all the work you've done, keep it up!

[rnhmjoj]

I appear to have CI errors, but the message in details is not very clear to me: attribute 'x86_64-linux' missing, at /var/lib/ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/mr-est/eval-0-gleber.ewr1.nix.ci/nixos/release-combined.nix:50:43. How do I fix this?

I can't try right now because I don't have nearly ram to run an evaluation but you could try to rebase your branch with current master. Maybe at the point you did a checkout master itself was broken.

ofBorg runs something like this

$ nix-instantiate nixos/release-combined.nix -A tested

[kwohlfahrt]

I figured out the build failure - I copied the test structure from the kerberos tests, which I wrote last year. It turns out they were never enabled in release-combined.nix, because I didn't know this was a necessary step, and the way I'd been calling them doesn't work.

[kwohlfahrt]

All of the tests here are OK now. Remaining question are:

• How should /etc/request-key.conf be generated? The issues linked above require different lines in this file.
• should keyutils be part of the default systemPackages?

[rnhmjoj]

should keyutils be part of the default systemPackages?

If it's only needed for kerberos I would say to install it behind a guard like krb5.enable.

[kwohlfahrt]

@rnhmjoj - no, its needed for id-mapping in general. This is not turned on by default for sec=sys (i.e. not kerberos), but such a configuration is possible, see here. I assume this is the reason for #68106 as it doesn't mention kerberos anywhere.

It is also needed for CIFS, at least with kerberos, see #34638. I'm not familiar enough with it to know if this can also be necessary without kerberos - the man page doesn't mention it so it seems likely.

We can test for the presence of a NFS/CIFS filesystem before installing it, which seems sensible.

[Mic92]

nitpick: same lines of code / easier to read:

Suggested change

	server.wait_for_unit(f"{unit}.service")
	server.wait_for_unit("kadmind.service")
	server.wait_for_unit("kdc.service")

[kwohlfahrt]

Nits picked. Anything left blocking merging?

[Mic92]

@GrahamcOfBorg test nfs

[Mic92]

@GrahamcOfBorg test nfs.simple nfs.kerberos

[Mic92]

@GrahamcOfBorg test nfs3.simple nfs4.simple nfs4.kerberos