diff --git a/CHANGELOG.md b/CHANGELOG.md index 1c7392c..c6659a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [1.1.1] - 2018-08-21 + +### Fixed + +* baked-in `/etc/exports` is not properly recognized ([#9](https://github.com/ehough/docker-nfs-server/issues/9)) + ## [1.1.0] - 2018-06-06 ### Added diff --git a/Dockerfile b/Dockerfile index 231f23c..e0b59ab 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,8 +12,8 @@ RUN apt-get update apt-get clean && \ rm -rf /var/lib/apt/lists && \ \ - # remove the default idmapd.conf - rm -v /etc/idmapd.conf + # remove the default config files + rm -v /etc/idmapd.conf /etc/exports # http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration RUN mkdir -p /var/lib/nfs/rpc_pipefs && \ diff --git a/README.md b/README.md index af59728..6f7469a 100644 --- a/README.md +++ b/README.md 
@@ -7,11 +7,31 @@ A lightweight, robust, flexible, and containerized NFS server. This is the only containerized NFS server that offers **all** of the following features: - NFS versions 3, 4, or both simultaneously -- optional Kerberos security -- optional name/ID mapping via [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html) -- clean teardown of services upon `SIGTERM` or `SIGKILL` (no lingering `nfsd` processes on Docker host) -- flexible construction of `/etc/exports` via a Docker bind mount *or* environment variables +- clean teardown of services upon termination (no lingering `nfsd` processes on Docker host) +- flexible construction of `/etc/exports` - extensive server configuration via environment variables +- *optional* bonus features + - [Kerberos security](doc/feature/kerberos.md) + - [NFSv4 user ID mapping](doc/feature/nfs4-user-id-mapping.md) via [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html) + - [AppArmor](doc/feature/apparmor.md) compatibility + +## Table of Contents + +* [Requirements](#requirements) +* Usage + * [Starting the server](#starting-the-server) + * [Mounting filesystems from a client](#mounting-filesystems-from-a-client) +* Optional features + * [Kerberos security](doc/feature/kerberos.md) + * [NFSv4 user ID mapping](doc/feature/nfsv4-user-id-mapping.md) + * [AppArmor integration](doc/feature/apparmor.md) +* Advanced + * [custom server ports](doc/advanced/ports.md) + * [custom NFS versions offered](doc/advanced/nfs-versions.md) + * [performance tuning](doc/advanced/performance-tuning.md) +* [Help!](#help!) +* [Remaining tasks](#remaining-tasks) +* [Acknowledgements](#acknowledgements) ## Requirements 
@@ -22,142 +42,124 @@ This is the only containerized NFS server that offers **all** of the following f Usually you can enable these modules with: `modprobe {nfs,nfsd,rpcsec_gss_krb5}` 1. The container will need to run with `CAP_SYS_ADMIN` (or `--privileged`). This is necessary as the server needs to mount several filesystems inside the container to support its operation, and performing mounts from inside a container is impossible without these capabilities. -1. The container will need local access to the files you'd like to serve via NFS. You can use Docker volumes, bind mounts, or files baked into a custom image. e.g. - - - `-v some_volume:/some/container/path` (Docker volume) - - `-v /some/path/on/host:/some/container/path` (bind mount) - - `ADD /some/path/on/host /some/container/path` (Dockerfile) +1. The container will need local access to the files you'd like to serve via NFS. You can use Docker volumes, bind mounts, files baked into a custom image, or virtually any other means of supplying files to a Docker container. ## Usage -### Hello, World! - -You will need to provide your desired [NFS exports](https://linux.die.net/man/5/exports) (`/etc/exports`) upon container startup. You have **three choices** for doing this: - -1. **Bind mount `/etc/exports` into the container** +### Starting the server - docker run \ - -v /host/path/to/exports.txt:/etc/exports:ro \ - -v /host/files:/nfs \ - --cap-add SYS_ADMIN \ - -p 2049:2049 \ - erichough/nfs-server:latest - -1. **Provide each line of `/etc/exports` as an environment variable**. +Starting the `erichough/nfs-server` image will launch an NFS server. You'll need to supply some information upon container startup, which we'll cover below, but briefly speaking your `docker run` command might look something like this: - The container will look for environment variables that start with `NFS_EXPORT_` and end with an integer. e.g. `NFS_EXPORT_0`, `NFS_EXPORT_1`, etc. 
+ docker run \ + -v /host/path/to/shared/files:/nfs \ + -v /host/path/to/exports.txt:/etc/exports:ro \ + --cap-add SYS_ADMIN \ + -p 2049:2049 \ + erichough/nfs-server + +Let's break that command down into its individual pieces to see what's required for a successful server startup. - docker run \ - -e NFS_EXPORT_0='/nfs/foo 192.168.1.0/24(ro,no_subtree_check)' \ - -e NFS_EXPORT_1='/nfs/bar 123.123.123.123/32(rw,no_subtree_check)' \ - -v /host/path/foo:/nfs/foo \ - -v /host/path/bar:/nfs/bar \ - --cap-add SYS_ADMIN \ - -p 2049:2049 \ - erichough/nfs-server:latest +1. **Provide the files to be shared over NFS** -1. **Bake `/etc/exports` into a custom image** + As noted in the [requirements](#requirements), the container will need local access to the files you'd like to share over NFS. Some ideas for supplying these files: + + * [bind mounts](https://docs.docker.com/storage/bind-mounts/) (`-v /host/path/to/shared/files:/nfs`) + * [volumes](https://docs.docker.com/storage/volumes/) (`-v some_volume:/nfs`) + * files [baked into](https://docs.docker.com/engine/reference/builder/#copy) custom image (e.g. in a `Dockerfile`: `COPY /host/files /nfs`) - e.g. in a `Dockerfile`: + You may use any combination of the above, or any other means to supply files to the container. - FROM ehough/nfs-server:latest - ADD /host/path/to/exports.txt /etc/exports +1. **Provide your desired [NFS exports](https://linux.die.net/man/5/exports) (`/etc/exports`)** -### (Optional) User ID Mapping + You'll need to tell the server which container directories to export. You have *three options* for this; choose whichever one you prefer: -If you'd like to run [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html) to map between NFSv4 IDs (e.g. `foo@bar.com`) and local users, simply provide [`idmapd.conf`](https://linux.die.net/man/5/idmapd.conf) and `/etc/passwd` to the container. This step is required for Kerberos. + 1. 
bind mount `/etc/exports` into the container - docker run \ - -v /host/path/to/exports.txt:/etc/exports:ro \ - -v /host/files:/nfs \ - -v /host/path/to/idmapd.conf:/etc/idmapd.conf:ro \ - -v /etc/passwd:/etc/passwd:ro \ - --cap-add SYS_ADMIN \ - -p 2049:2049 \ - erichough/nfs-server:latest + docker run \ + -v /host/path/to/exports.txt:/etc/exports:ro \ + ... \ + erichough/nfs-server -### (Optional) Kerberos - -You can enable Kerberos security by performing the following additional actions: - -1. set the environment variable `NFS_ENABLE_KERBEROS` to a non-empty value (e.g. `NFS_ENABLE_KERBEROS=1`) -1. set the server's hostname via the `--hostname` flag -1. provide `/etc/krb5.keytab` which contains a principal of the form `nfs/`, where `` is the hostname you supplied in the previous step. -1. provide [`/etc/krb5.conf`](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html) -1. provide [`/etc/idmapd.conf`](https://linux.die.net/man/5/idmapd.conf) -1. provide `/etc/passwd` that contains your NFS client users - -Here's an example: - - docker run \ - -v /host/path/to/exports.txt:/etc/exports:ro \ - -v /host/files:/nfs \ - -e NFS_ENABLE_KERBEROS=1 \ - --hostname my-nfs-server.com \ - -v /host/path/to/server.keytab:/etc/krb5.keytab:ro \ - -v /host/path/to/server.krb5conf:/etc/krb5.conf:ro \ - -v /host/path/to/idmapd.conf:/etc/idmapd.conf:ro \ - -v /etc/passwd:/etc/passwd:ro \ - --cap-add SYS_ADMIN \ - -p 2049:2049 \ - erichough/nfs-server:latest - -### Environment Variables - -The following optional environment variables allow you to adjust the server settings to your needs. - -- **`NFS_VERSION`** (default is `4.2`) + 1. provide each line of `/etc/exports` as an environment variable - Set to `3`, `4`, `4.1`, or `4.2` to fine tune the NFS protocol version. Enabling any version will also enable any lesser versions. e.g. `4.2` will enable versions 4.2, 4.1, 4, **and** 3. 
+ The container will look for environment variables that start with `NFS_EXPORT_` and end with an integer. e.g. `NFS_EXPORT_0`, `NFS_EXPORT_1`, etc. -- **`NFS_DISABLE_VERSION_3`** (*not set by default*) + docker run \ + -e NFS_EXPORT_0='/nfs/foo *(ro,no_subtree_check)' \ + -e NFS_EXPORT_1='/nfs/bar 123.123.123.123/32(rw,no_subtree_check)' \ + ... \ + erichough/nfs-server - Set to a non-empty value (e.g. `NFS_DISABLE_VERSION_3=1`) to disable NFS version 3 and run a version-4-only server. This setting is not compatible with `NFS_VERSION=3`. + 1. bake `/etc/exports` into a custom image -- **`NFS_PORT`** (default is `2049`) + e.g. in a `Dockerfile`: - Set this to any valid port number (`1` - `65535` inclusive) to change `rpc.nfsd`'s listening port. - -- **`NFS_SERVER_THREAD_COUNT`** (default is *CPU core count*) - - Set this to a positive integer to control how many server threads `rpc.nfsd` will use. A good minimum is one thread per CPU core, but 4 or 8 threads per core is probably better. - -- **`NFS_PORT_MOUNTD`** (default is `32767`) + ```Dockerfile + FROM erichough/nfs-server + ADD /host/path/to/exports.txt /etc/exports + ``` - *Only needed for NFS 3*. Set this to any valid port number (`1` - `65535` inclusive) to change `rpc.mountd`'s listening port. +1. **Use `--cap-add SYS_ADMIN` or `--privileged`** -- **`NFS_PORT_STATD_IN`** (default is `32765`) + As noted in the [requirements](#requirements), the container will need additional privileges. So your `run` command will need *either*: + + docker run --cap-add SYS_ADMIN ... erichough/nfs-server + + or + + docker run --privileged ... erichough/nfs-server + + Not sure which to use? Go for `--cap-add SYS_ADMIN` as it's the lesser of two evils. + +1. **Expose the server ports** + + You'll need to open up at least one server port for your client connections. The ports listed in the examples below are the defaults used by this image and most can be [customized](doc/ports.md). 
+ + * If your clients connect via **NFSv4 only**, you can get by with just TCP port `2049`: + + docker run -p 2049:2049 ... erichough/nfs-server + + * If you'd like to support **NFSv3**, you'll need to expose a lot more ports: + + docker run \ + -p 2049:2049 -p 2049:2049/udp \ + -p 111:111 -p 111:111/udp \ + -p 32765:32765 -p 32765:32765/udp \ + -p 32767:32767 -p 32767:32767/udp \ + ... \ + erichough/nfs-server + +If you pay close attention to each of the items in this section, the server should start quickly and be ready to accept your NFS clients. + +### Mounting filesystems from a client - *Only needed for NFS 3*. Set this to any valid port number (`1` - `65535` inclusive) to change `rpc.statd`'s listening port. + # mount :/some/export /some/local/path -- **`NFS_PORT_STATD_OUT`** (default is `32766`) +## Optional Features - *Only needed for NFS 3*. Set this to any valid port number (`1` - `65535` inclusive) to change `rpc.statd`'s outgoing connection port. + * [Kerberos security](doc/feature/kerberos.md) + * [NFSv4 user ID mapping](doc/feature/nfs4-user-id-mapping.md) + * [AppArmor integration](doc/feature/apparmor.md) -- **`NFS_ENABLE_KERBEROS`** (*not set by default*) - - Set to a non-empty value (e.g. `NFS_ENABLE_KERBEROS=1`) to enable Kerberos on this server. See "Kerberos" section above for further details. - -### Mounting filesystems from a client - - # mount -o nfsvers=4 :/some/export /some/local/path - -### Connecting to the running container +## Advanced - # docker exec -it bash + * [customizing which ports are used](doc/advanced/ports.md) + * [customizing NFS versions offered](doc/advanced/nfs-versions.md) + * [performance tuning](doc/advanced/performance-tuning.md) -## Performance considerations +## Help! 
-- Running the container with `--network host` *might* improve network performance by 10% - 20% [[1](https://jtway.co/docker-network-performance-b95bce32b4b9),[2](https://www.percona.com/blog/2016/08/03/testing-docker-multi-host-network-performance/)], though this hasn't been tested. +Please [open an issue](https://github.com/ehough/docker-nfs-server/issues) if you have any questions, constructive criticism, or can't get something to work. ## Remaining tasks -- switch back to Alpine Linux once [this bug](https://bugs.alpinelinux.org/issues/8470) in `nfs-utils` is fixed +- switch to Alpine Linux once [this bug](https://bugs.alpinelinux.org/issues/8470) in `nfs-utils` is fixed - figure out why `rpc.nfsd` takes 5 minutes to startup/timeout unless `rpcbind` is running +- add more examples, including Docker Compose ## Acknowledgements -This work was based heavily on prior projects: +This work was based on prior projects: - [f-u-z-z-l-e/docker-nfs-server](https://github.com/f-u-z-z-l-e/docker-nfs-server) -- [sjiveson/nfs-server-alpine](https://github.com/sjiveson/nfs-server-alpine) \ No newline at end of file +- [sjiveson/nfs-server-alpine](https://github.com/sjiveson/nfs-server-alpine) diff --git a/doc/advanced/nfs-versions.md b/doc/advanced/nfs-versions.md new file mode 100644 index 0000000..dda752f --- /dev/null +++ b/doc/advanced/nfs-versions.md 
@@ -0,0 +1,8 @@ +# Customize NFS versions offered + +By default, this image provides NFS versions 3 and 4 simultaneously. Using the following environment variables, you can fine-tune which versions are offered. + +| Environment variable | Description | Default | +|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------| +| `NFS_VERSION` | Set to `3`, `4`, `4.1`, or `4.2` to fine tune the NFS protocol version. Enabling any version will also enable any lesser versions. e.g. `4.2` will enable versions 4.2, 4.1, 4, **and** 3. | `4.2` | +| `NFS_DISABLE_VERSION_3` | Set to a non-empty value (e.g. `NFS_DISABLE_VERSION_3=1`) to disable NFS version 3 and run a version-4-only server. This setting is not compatible with `NFS_VERSION=3` | *not set* | \ No newline at end of file diff --git a/doc/advanced/performance-tuning.md b/doc/advanced/performance-tuning.md new file mode 100644 index 0000000..78971ea --- /dev/null +++ b/doc/advanced/performance-tuning.md @@ -0,0 +1,7 @@ +# Performance tuning + +The following tips might improve your NFS server's performance. + +* Set the **`NFS_SERVER_THREAD_COUNT`** environment variable to control how many server threads `rpc.nfsd` will use. A good minimum is one thread per CPU core, but 4 or 8 threads per core is probably better. The default is one thread per CPU core. + +* Running the container with `--network host` *might* improve network performance by 10% - 20% [[1](https://jtway.co/docker-network-performance-b95bce32b4b9),[2](https://www.percona.com/blog/2016/08/03/testing-docker-multi-host-network-performance/)], though this hasn't been tested. \ No newline at end of file diff --git a/doc/advanced/ports.md b/doc/advanced/ports.md new file mode 100644 index 0000000..126f649 --- /dev/null +++ b/doc/advanced/ports.md 
@@ -0,0 +1,10 @@ +# Customizing ports + +You can customize the ports used by the NFS server via the environment variables listed below. Each environment variable can be set to an integer between `1` and `65535`. + +| Environment variable | Description | Default | +|----------------------|---------------------------------------------|---------| +| `NFS_PORT` | `rpc.nfsd`'s listening port. | `2049` | +| `NFS_PORT_MOUNTD` | *NFSv3 only*. `rpc.mountd'` listening port. | `32767` | +| `NFS_PORT_STATD_IN` | *NFSv3 only*. `rpc.statd`'s listening port. | `32765` | +| `NFS_PORT_STATD_OUT` | *NFSv3 only*. `rpc.statd`'s outgoing port. | `32766` | \ No newline at end of file diff --git a/doc/feature/apparmor.md b/doc/feature/apparmor.md new file mode 100644 index 0000000..f41490e --- /dev/null +++ b/doc/feature/apparmor.md 
@@ -0,0 +1,48 @@ +# AppArmor + +If your Docker host has [AppArmor](https://wiki.ubuntu.com/AppArmor) activated, you'll need to perform additional steps to allow the container to start an NFS server. + +1. Ensure you have the `apparmor-utils` installed package installed on the Docker host. e.g. for Debian or Ubuntu: + + $ sudo apt-get install apparmor-utils + +1. Create a file on the Docker host with the following contents: + + #include + profile erichough-nfs flags=(attach_disconnected,mediate_deleted) { + #include + mount fstype=nfs*, + mount fstype=rpc_pipefs, + } + +1. Load this profile into the kernel with [`apparmor_parser`](http://manpages.ubuntu.com/manpages/xenial/man8/apparmor_parser.8.html): + + $ sudo apparmor_parser -r -W /path/to/file/from/previous/step + +1. Add `--security-opt apparmor=erichough-nfs` to your `docker run` command. e.g. + + docker run \ + -v /path/to/share:/nfs \ + -v /path/to/exports.txt:/etc/exports:ro \ + --cap-add SYS_ADMIN \ + -p 2049:2049 \ + --security-opt apparmor=erichough-nfs \ + erichough/nfs-server + + or in `docker-compose.yml`: + + ```YAML + version: 3 + services: + nfs: + image: erichough/nfs-server + volumes: + - /path/to/share:/nfs + - /path/to/exports.txt:/etc/exports:ro + cap_add: + - SYS_ADMIN + ports: + - 2049:2049 + security_opt: + - apparmor=erichough-nfs + ``` \ No newline at end of file diff --git a/doc/feature/kerberos.md b/doc/feature/kerberos.md new file mode 100644 index 0000000..cc363ae --- /dev/null +++ b/doc/feature/kerberos.md 
@@ -0,0 +1,25 @@ +# Kerberos + +You can enable Kerberos security for your NFS server with the following steps. + +1. set the environment variable `NFS_ENABLE_KERBEROS` to a non-empty value (e.g. `NFS_ENABLE_KERBEROS=1`) +1. set the server's hostname via the `--hostname` flag +1. provide `/etc/krb5.keytab` which contains a principal of the form `nfs/`, where `` is the hostname you supplied in the previous step. +1. provide [`/etc/krb5.conf`](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html) +1. provide [`/etc/idmapd.conf`](https://linux.die.net/man/5/idmapd.conf) +1. provide `/etc/passwd` containing your NFS client users + +Here's an example: + + docker run \ + -v /host/path/to/exports.txt:/etc/exports:ro \ + -v /host/files:/nfs \ + -e NFS_ENABLE_KERBEROS=1 \ + --hostname my-nfs-server.com \ + -v /host/path/to/server.keytab:/etc/krb5.keytab:ro \ + -v /host/path/to/server.krb5conf:/etc/krb5.conf:ro \ + -v /host/path/to/idmapd.conf:/etc/idmapd.conf:ro \ + -v /etc/passwd:/etc/passwd:ro \ + --cap-add SYS_ADMIN \ + -p 2049:2049 \ + erichough/nfs-server diff --git a/doc/feature/nfs4-user-id-mapping.md b/doc/feature/nfs4-user-id-mapping.md new file mode 100644 index 0000000..5a84e87 --- /dev/null +++ b/doc/feature/nfs4-user-id-mapping.md @@ -0,0 +1,13 @@ +# NFSv4 User ID Mapping + +If you'd like to run [`idmapd`](http://man7.org/linux/man-pages/man8/idmapd.8.html) to map between NFSv4 IDs (e.g. `foo@bar.com`) and local users, simply provide [`idmapd.conf`](https://linux.die.net/man/5/idmapd.conf) and `/etc/passwd` to the container. This step is required for [Kerberos](kerberos.md). + + docker run \ + -v /host/path/to/exports.txt:/etc/exports:ro \ + -v /host/files:/nfs \ + -v /host/path/to/idmapd.conf:/etc/idmapd.conf:ro \ + -v /etc/passwd:/etc/passwd:ro \ + --cap-add SYS_ADMIN \ + -p 2049:2049 \ + erichough/nfs-server + \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 3249979..8e4c785 100755 --- a/entrypoint.sh 
+++ b/entrypoint.sh @@ -53,6 +53,7 @@ readonly PATH_FILE_ETC_KRB5_KEYTAB='/etc/krb5.keytab' readonly MOUNT_PATH_NFSD='/proc/fs/nfsd' readonly MOUNT_PATH_RPC_PIPEFS='/var/lib/nfs/rpc_pipefs' + ###################################################################################### ### general purpose utilities ###################################################################################### @@ -70,8 +71,15 @@ logHeader() { echo '==================================================================' } +bail() { + + log "ERROR: $1" + exit 1 +} + warn_on_failure() { + # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then log "WARNING: $1" fi @@ -79,9 +87,9 @@ warn_on_failure() { exit_on_failure() { + # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then - log "$1" - exit 1 + bail "$1" fi } @@ -153,6 +161,7 @@ stop() { stop_on_failure() { + # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then log "$1" stop @@ -220,6 +229,13 @@ is_nfs4_enabled() { ### runtime configuration assertions ###################################################################################### +assert_file_provided() { + + if [[ ! -f "$1" ]]; then + bail "please provide $1 to the container" + fi +} + assert_kernel_mod() { local -r moduleName=$1 @@ -237,8 +253,7 @@ assert_port() { local -r value=${!envName} if [[ -n "$value" && ( "$value" -lt 1 || "$value" -gt 65535 ) ]]; then - log "Please set $1 to a value between 1 and 65535 inclusive" - exit 1 + bail "please set $1 to a value between 1 and 65535 inclusive" fi } @@ -251,8 +266,7 @@ assert_nfs_version() { assert_disabled_nfs3() { if [[ -z "$(is_nfs3_enabled)" && "$(get_reqd_nfs_version)" == '3' ]]; then - log 'you cannot simultaneously enable and disable NFS version 3' - exit 1 + bail 'you cannot simultaneously enable and disable NFS version 3' fi } 
@@ -261,33 +275,20 @@ assert_nfsd_threads() { local -r requested=$(get_reqd_nfsd_threads) if [[ "$requested" -lt 1 ]]; then - log "Please set $ENV_VAR_NFS_SERVER_THREAD_COUNT to a positive value" - exit 1 + bail "please set $ENV_VAR_NFS_SERVER_THREAD_COUNT to a positive value" fi } assert_kerberos_requirements() { - if [[ -z "$(is_kerberos_enabled)" ]]; then - return - fi - - if [[ ! -f "$PATH_FILE_ETC_IDMAPD_CONF" ]]; then - log "Please provide $PATH_FILE_ETC_IDMAPD_CONF to the container" - exit 1 - fi + if [[ -n "$(is_kerberos_enabled)" ]]; then - if [[ ! -f "$PATH_FILE_ETC_KRB5_KEYTAB" ]]; then - log "Please provide $PATH_FILE_ETC_KRB5_KEYTAB to the container" - exit 1 - fi + assert_file_provided "$PATH_FILE_ETC_IDMAPD_CONF" + assert_file_provided "$PATH_FILE_ETC_KRB5_KEYTAB" + assert_file_provided "$PATH_FILE_ETC_KRB5_CONF" - if [[ ! -f "$PATH_FILE_ETC_KRB5_CONF" ]]; then - log "Please provide $PATH_FILE_ETC_KRB5_CONF to the container" - exit 1 + assert_kernel_mod rpcsec_gss_krb5 fi - - assert_kernel_mod rpcsec_gss_krb5 } @@ -302,8 +303,15 @@ init_trap() { init_exports() { + # first, see if it's bind-mounted if mount | grep -Eq "^[^ ]+ on $PATH_FILE_ETC_EXPORTS type "; then - log "$PATH_FILE_ETC_EXPORTS already exists in the container" + log "$PATH_FILE_ETC_EXPORTS is bind-mounted" + return + fi + + # maybe it's baked-in to the image + if [[ -f $PATH_FILE_ETC_EXPORTS && -r $PATH_FILE_ETC_EXPORTS && -s $PATH_FILE_ETC_EXPORTS ]]; then + log "$PATH_FILE_ETC_EXPORTS is baked into the image" return fi @@ -341,8 +349,7 @@ init_exports() { done if [[ $collected -eq 0 ]]; then - log 'no valid exports' - exit 1 + bail 'no valid exports' fi log "will export $collected filesystem(s)" 
@@ -447,7 +454,7 @@ boot_main_mountd() { boot_main_rpcbind() { # rpcbind isn't required for NFSv4, but if it's not running then nfsd takes over 5 minutes to start up. - # it's a bug in either nfs-utils on the kernel, and the code of both is over my head. + # it's a bug in either nfs-utils or the kernel, and the code of both is over my head. # so as a workaround we start rpcbind now and (in v4-only scenarios) kill it after nfsd starts up log 'starting rpcbind' $PATH_BIN_RPCBIND -ds @@ -514,6 +521,7 @@ boot_main_print_ready_message() { cat $PATH_FILE_ETC_EXPORTS } + ###################################################################################### ### main routines ######################################################################################
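Review bot: The new comment `# remove the default config files` in the Dockerfile hunk does not say why `/etc/exports` has to be removed, and the reason matters. `init_exports` in entrypoint.sh now treats any regular, readable, non-empty `/etc/exports` as baked into the image and returns early, so a non-empty default left by the base image would be taken for a user-supplied file. Please state that dependency in the comment so the `rm` is not dropped later as cleanup. Also, `rm -v` without `-f` fails the build if a base image stops shipping either file; if that is intended, say so.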
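Review bot: The Table of Contents entry in the README `@@ -7,11 +7,31 @@` hunk links to `doc/feature/nfsv4-user-id-mapping.md`, but the file this patch adds is `doc/feature/nfs4-user-id-mapping.md`, and the feature list a few lines above it uses that second spelling, so the TOC link will not resolve. Use the same path in both places. The `[Help!](#help!)` anchor is worth checking in the rendered page as well, since the heading it targets contains punctuation.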
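Review bot: The `NFS_EXPORT_0` example in the README `@@ -22,142 +42,124 @@` hunk now exports `/nfs/foo` to `*`, that is, to every host that can reach the published port, where the removed line named `192.168.1.0/24`. README examples get copied verbatim, so I would keep a subnet or host in the client field and mention `*` only as a deliberate choice. In the same hunk, the "customized" link under "Expose the server ports" points at `doc/ports.md`, while the file added by this patch is `doc/advanced/ports.md`.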
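Review bot: The `--network host` tip in doc/advanced/performance-tuning.md is presented only as a possible speed-up and leaves out the isolation cost. With host networking the container shares the host's network namespace, so the `-p` mappings shown in the README no longer limit which of the server's ports are reachable. Please put that trade-off next to the tip, particularly as the text itself says the gain hasn't been tested.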
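Review bot: The `NFS_PORT_MOUNTD` row in doc/advanced/ports.md reads `rpc.mountd'` with the apostrophe inside the code span and no `s`; it should match the other rows, i.e. `rpc.mountd`'s listening port. This file and the other new files under doc/ also end without a trailing newline, which the README hunk in this same patch fixes for the README.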
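Review bot: The `docker-compose.yml` example in doc/feature/apparmor.md has `version: 3` as a bare integer; Compose expects the version as a string, so write `version: "3"`. Step 1 of the same file has a doubled word ("the `apparmor-utils` installed package installed").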
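Review bot: The example in doc/feature/kerberos.md bind-mounts the host's own `/etc/passwd` (`-v /etc/passwd:/etc/passwd:ro`), although the step above it asks only for an `/etc/passwd` containing your NFS client users. That hands the container the host's full account list and ties the ID mapping to whatever accounts the Docker host happens to have. Consider showing a dedicated file instead, e.g. `-v /host/path/to/passwd:/etc/passwd:ro`, and making the same change to the identical line in doc/feature/nfs4-user-id-mapping.md.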
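Review bot: `assert_file_provided` in the `@@ -220,6 +229,13 @@` hunk of entrypoint.sh tests only `-f "$1"`, so an empty or unreadable `krb5.keytab`, `krb5.conf` or `idmapd.conf` passes the assertion and the failure surfaces later. `init_exports` in this same patch checks `-f`, `-r` and `-s`; using the same three tests here would catch those cases at startup with a clear message. A one-line comment that the helper calls `bail` and therefore does not return on failure would also help readers of `assert_kerberos_requirements`.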
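Review bot: `assert_port` in the `@@ -237,8 +253,7 @@` hunk of entrypoint.sh still passes `$value` straight to `-lt` and `-gt`, which bash evaluates arithmetically inside `[[ ]]`, so a non-integer value is not reliably rejected with the "between 1 and 65535" message. Add a digits-only test before the range check, e.g. `[[ ! "$value" =~ ^[0-9]+$ ]]`, and `bail` on it. The message prints `$1` while the lookup uses `envName`; use one name for both.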
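Review bot: Both early `return` branches in the `init_exports` hunk (`@@ -302,8 +303,15 @@`) leave the function before any `NFS_EXPORT_*` variable is read, so a container that has an `/etc/exports` file and also sets those variables ignores the variables without saying so. Log a warning when both are present and document the precedence next to the three options in the README. Two smaller points in the same hunk: the bind-mounted branch returns without the `-r` and `-s` checks that the baked-in branch applies, and the operands in `[[ -f $PATH_FILE_ETC_EXPORTS && ... ]]` are unquoted, unlike `"$1"` in `assert_file_provided`.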