9 a.m.
So, we have tested Ganesha run as a non-root user, and it works, but
with quite a few caveats, most of which you've found already.
First, you cannot use nfsv3 at all, as that uses portmap/rpcbind, which
cannot be used unless you're root. You can turn it off at runtime, as
you've discovered, and nfsv4 will work then. Or, if you're compiling
yourself, you can disable it at compile time with USE_NFS3=OFF
USE_RQUOTA=OFF when you run cmake.
Second, as Frank mentioned, not all FSALs work as non-root.
Specifically, FSAL_VFS doesn't work, since it depends on *_by_handle
APIs that are restricted to root.
Third is that Ganesha uses a number of files for various things. The
conf file is only read, so it's usually okay that it lives in /etc. The
log file is written, so you need write access to the directory it lives
in; log file is configurable, so that's okay. The PID file is written
in /var/run by default, but is settable on the command line with -p.
And the last is the recovery directory. This is read/write, so you need
access to that. As Frank said, this is configurable at runtime, but
only on next.
Everything is changeable at build time by building Ganesha to run in a
prefix. This is how I do my testing, so I know it works. Basically,
you pix a prefix, and set it using CMAKE_INSTALL_PREFIX=/prefix Ganesha
will then be installed in and use:
/prefix/bin
/prefix/etc
/prefix/var
/prefix/run
/prefix/lib
and so on. You can make the entire prefix owned by the user, and then
directory permissions don't matter.
Hope this helps, and feel free to ask questions.
Daniel
On 6/16/21 11:28 PM, Frank Filz wrote:
If you use the next branch the recovery directory is now
configurable.
What FSAL are you using? FSAL_VFS depends on name_to_handle_at and open_by_handle both of
which require a CAP. There may be a few other CAPs necessary. Also, you will have to
squash all users to the user running Ganesha since Ganesha won't be able to
seteuid/setegid to act as other users. These problems are less of an issue for other
FSALs.
Frank
> -----Original Message-----
> From: Tom McLaughlin [mailto:pyro777@gmail.com]
> Sent: Wednesday, June 16, 2021 6:04 PM
> To: support(a)lists.nfs-ganesha.org
> Subject: [NFS-Ganesha-Support] Re: Possible to run NFSv4 server as non-root
> user?
>
> Okay, now I have some real errors:
>
> 16/06/2021 17:58:47 : epoch 60ca9d4a : tom-7590 : ganesha.nfsd-
> 1006530[svc_24] fsal_common_is_referral :FSAL :EVENT :Failed to get attrs for
> referral, handle: 0x7f90bda3cc00, valid_mask: 0, request_mask: 82, supported:
> 0, error: Forbidden action
> 16/06/2021 17:58:47 : epoch 60ca9d4a : tom-7590 : ganesha.nfsd-
> 1006530[svc_24] fsal_common_is_referral :FSAL :EVENT :Failed to get attrs for
> referral, handle: 0x7f90bda3cc00, valid_mask: 0, request_mask: 82, supported:
> 0, error: Forbidden action
> 16/06/2021 17:58:47 : epoch 60ca9d4a : tom-7590 : ganesha.nfsd-
> 1006530[svc_5] fs_rm_revoked_handles :CLIENT ID :EVENT :opendir
> /var/lib/nfs/ganesha/v4recov/node0/::ffff:127.0.0.1-(22:Linux NFSv4.2 tom-
> 7590) failed errno: Permission denied (13)
> 16/06/2021 17:58:47 : epoch 60ca9d4a : tom-7590 : ganesha.nfsd-
> 1006530[svc_5] fs_rm_clid_impl :CLIENT ID :EVENT :Failed to remove client
> recovery dir (/var/lib/nfs/ganesha/v4recov/node0/::ffff:127.0.0.1-(22:Linux
> NFSv4.2 tom-7590)), errno: Permission denied (13)
>
> For the second two errors, it seems I need to change where the client recovery
> dir is kept to something user-accessible. I can't seem to find an option for
this
> though.
>
> Not sure what to do about "Failed to get attrs for referral"?
> _______________________________________________
> Support mailing list -- support(a)lists.nfs-ganesha.org To unsubscribe send an
> email to support-leave(a)lists.nfs-ganesha.org
_______________________________________________
Support mailing list -- support(a)lists.nfs-ganesha.org
To unsubscribe send an email to support-leave(a)lists.nfs-ganesha.org