NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Newer kernels (6.1.53, 6.5.3, probably more) break NFSv4 mounts #257188

Closed nitro322 closed 10 months ago

nitro322 commented 10 months ago

Describe the bug

Linux kernel 6.1.53 includes an selinux-related change to how it mounts NFS exports:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a8d3a6e285f6bc92b37ffd30028869642b1d2682

This change causes mounting an nfs4 mount to fail, with the following appearing in dmesg:

SELinux: Unable to set superblock options before the security server is initialized

This took me quite a while to track down because this is my first NixOS install and I thought I must be configuring something incorrectly, but I found the same issue reported in Gentoo:

https://bugs.gentoo.org/914204

NixOS doesn't seem to support selinux at the OS level, but it must be enabled in the kernel to some extent as adding "selinux=0" to boot.kernelParams "fixed" the problem. Presumably this would be a problem for anyone running NixOS mounting NFSv4 exports, at least with sec=sys. I'm not sure if sec=krb5 and other options are affected.

According to the same Gentoo bug report this patch is supposed to fix it:

https://www.spinics.net/lists/linux-fsdevel/msg249428.html

But it doesn't seem to be merged in 6.1.54 and I'm unsure of upstream's plans to backport it.

Is it possible to include this patch in NixOS's kernel package to resolve this issue without requiring selinux=0?

Steps To Reproduce

Steps to reproduce the behavior:

  1. Install NixOS with kernel 6.1.53 or 6.1.54
  2. Try to mount an NFSv4 partition with sec=sys
  3. Note the failure. Check dmesg for "SELinux: Unable to set superblock options before the security server is initialized"

Expected behavior

I'd expect the NFSv4 system to mount successfully.

Additional context

My currently working (with selinux=0) nfs config. Without selinux=0 this failed with every set of options I could think to try.

    fileSystems."/home/data" = {
      device = "server:/home/data";
      fsType = "nfs4";
      options = [ "sec=sys" "x-systemd.automount" "x-systemd.idle-timeout=600" "noauto" ];
    };

Notify maintainers

I don't see meta.maintainers documented for the kernel (https://github.com/NixOS/nixpkgs/tree/nixos-23.05/pkgs/os-specific/linux/kernel), but this is my first time searching and I may be looking in the wrong place.

Metadata

# nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.54, NixOS, 23.05 (Stoat), 23.05.3725.715d72e967ec`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.13.5`
 - channels(root): `"nixos-23.05"`
 - channels(user): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

bjornfor commented 10 months ago

> According to the same Gentoo bug report this patch is supposed to fix it:
>
> https://www.spinics.net/lists/linux-fsdevel/msg249428.html
>
> But it doesn't seem to be merged in 6.1.54 and I'm unsure of upstream's plans to backport it.

That patch is part of linux 6.1.55 (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.55&id=978b86fbdb2acf69a3630931f0c4f07a30734f2f) which is in NixOS 23.05 now.

vcunat commented 10 months ago

The supported NixOS versions/channels have updated past the fix, so I'll consider this solved.
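
A triage helper for hosts that may have hit this regression or still carry the `selinux=0` workaround. It is an added example, not part of the thread or of nixpkgs. The function names and verdict strings are hypothetical, the 6.1.x bounds are the ones stated in the thread, and other series are reported as `unknown` because the thread gives no fix version for them.

```shell
#!/bin/sh
# Added example (not from the thread). Bounds per the thread:
# 6.1.53 introduced the change, 6.1.55 carries the fix.
SYMPTOM='SELinux: Unable to set superblock options before the security server is initialized'

# Constructed sample inputs (not captured from a real host).
SAMPLE_CMDLINE='init=/nix/store/example/init loglevel=4 selinux=0'
SAMPLE_DMESG="[   12.345678] $SYMPTOM"

# kernel_state RELEASE -> affected | fixed | unaffected | unknown
kernel_state() {
    rel=${1%%-*}                          # drop a local suffix such as "-rc1"
    case $rel in
        6.1.*) patch=${rel#6.1.} ;;
        *) echo unknown; return ;;        # no fix version known from the thread
    esac
    case $patch in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    if [ "$patch" -lt 53 ]; then echo unaffected
    elif [ "$patch" -lt 55 ]; then echo affected
    else echo fixed
    fi
}

# triage RELEASE CMDLINE DMESG_TEXT -> one-word verdict (hypothetical labels)
triage() {
    state=$(kernel_state "$1")
    workaround=no
    case " $2 " in *" selinux=0 "*) workaround=yes ;; esac
    symptom=no
    printf '%s\n' "$3" | grep -qF "$SYMPTOM" && symptom=yes
    case $state:$workaround:$symptom in
        affected:no:yes) echo matches-regression ;;
        affected:yes:*)  echo workaround-active ;;
        fixed:yes:*)     echo workaround-removable ;;
        *:*:yes)         echo "symptom-on-$state-kernel" ;;
        *)               echo ok ;;
    esac
}

# Live use (dmesg may need root):
# triage "$(uname -r)" "$(cat /proc/cmdline)" "$(dmesg)"
```
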