1 #!/sbin/sh
2 #
3 # CDDL HEADER START
4 #
5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License (the "License").
7 # You may not use this file except in compliance with the License.
8 #
9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 # or http://www.opensolaris.org/os/licensing.
11 # See the License for the specific language governing permissions
12 # and limitations under the License.
13 #
14 # When distributing Covered Code, include this CDDL HEADER in each
15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 # If applicable, add the following below this CDDL HEADER, with the
17 # fields enclosed by brackets "[]" replaced with your own identifying
18 # information: Portions Copyright [yyyy] [name of copyright owner]
19 #
20 # CDDL HEADER END
21 #
22
23 #
24 # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
25 # Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
26 # Copyright 2018 Nexenta Systems, Inc.
27 #
28
29 # Start/stop processes required for server NFS
30
31 . /lib/svc/share/smf_include.sh
32 . /lib/svc/share/ipf_include.sh
33 zone=`smf_zonename`
34
35 #
36 # Handling a corner case here. If we were in offline state due to an
37 # unsatisfied dependency, the ipf_method process wouldn't have generated
38 # the ipfilter configuration. When we transition to online because the
39 # dependency is satisfied, the start method will have to generate the
40 # ipfilter configuration. To avoid all possible deadlock scenarios,
41 # we restart ipfilter which will regenerate the ipfilter configuration
42 # for the entire system.
43 #
44 # The ipf_method process signals that it didn't generate ipf rules by
45 # removing the service's ipf file. Thus we only restart network/ipfilter
46 # when the file is missing.
47 #
48 configure_ipfilter()
49 {
50 ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX`
51 ip6file=`fmri_to_file $SMF_FMRI $IPF6_SUFFIX`
52 [ -f "$ipfile" -a -f "$ip6file" ] && return 0
53
54 #
55 # Nothing to do if:
56 # - ipfilter isn't online
57 # - global policy is 'custom'
58 # - service's policy is 'use_global'
59 #
60 service_check_state $IPF_FMRI $SMF_ONLINE || return 0
61 [ "`get_global_def_policy`" = "custom" ] && return 0
62 [ "`get_policy $SMF_FMRI`" = "use_global" ] && return 0
63
64 svcadm restart $IPF_FMRI
65 }
66
67 case "$1" in
68 'start')
69 # Share all file systems enabled for sharing. sharemgr understands
70 # regular shares and ZFS shares and will handle both. Technically,
71 # the shares would have been started long before getting here since
72 # nfsd has a dependency on them.
73
74 # restart stopped shares from the repository
75 /usr/sbin/sharemgr start -P nfs -a
76
77 # Options for nfsd are now set in SMF
78
79 /usr/lib/nfs/mountd
80 rc=$?
81 if [ $rc != 0 ]; then
82 /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server
83 echo "$0: mountd failed with $rc"
84 sleep 5 &
85 exit $SMF_EXIT_ERR_FATAL
86 fi
87
88 NFS_OPTS=
89 if [ -f /opt/HAC/bin/rsf.sh ]; then
90 . /opt/HAC/bin/rsf.sh
91
92 if [ -f "$PRODUCT_CONFIG" ]; then
93 RSF_MNTS=$(/usr/bin/grep MOUNT_POINT "$PRODUCT_CONFIG" |\
94 /usr/bin/sed -e 's/^.*MOUNT_POINT.*\"\(.*\)\"$/\1/')
95
96 for RSF_MNT in $RSF_MNTS; do
97 MATCH=$(/usr/bin/cat /etc/mnttab |\
98 /usr/bin/awk '{print $2}' |\
99 /usr/bin/egrep "^$RSF_MNT\$")
100
101 if [ -n "$MATCH" ]; then
102 /usr/bin/mkdir -p "$RSF_MNT/.nfs"
103 /usr/bin/chown daemon:daemon "$RSF_MNT/.nfs"
104 NFS_OPTS="$NFS_OPTS -s $RSF_MNT/.nfs"
105 fi
106 done
107 fi
108 fi
109
110 /usr/lib/nfs/nfsd $NFS_OPTS
111 rc=$?
112 if [ $rc != 0 ]; then
113 /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server
114 echo "$0: nfsd failed with $rc"
115 sleep 5 &
116 exit $SMF_EXIT_ERR_FATAL
117 fi
118
119 configure_ipfilter
120 ;;
121
122 'refresh')
123 /usr/sbin/sharemgr start -P nfs -a
124 ;;
125
126 'stop')
127 /usr/bin/pkill -x -u 0,1 -z $zone '(nfsd|mountd)'
128
129 # Unshare all shared file systems using NFS
130
131 /usr/sbin/sharemgr stop -P nfs -a
132
133 # Kill any processes left in service contract
134 smf_kill_contract $2 TERM 1
135 [ $? -ne 0 ] && exit 1
136 ;;
137
138 'ipfilter')
139 #
140 # NFS related services are RPC. nfs/server has nfsd which has
141 # well-defined port number but mountd is an RPC daemon.
142 #
143 # Essentially, we generate rules for the following "services"
144 # - nfs/server which has nfsd and mountd
145 # - nfs/rquota
146 #
147 # The following services are enabled for both nfs client and
148 # server, if nfs/client is enabled we'll treat them as client
149 # services and simply allow incoming traffic.
150 # - nfs/status
151 # - nfs/nlockmgr
152 # - nfs/cbd
153 #
154 NFS_FMRI="svc:/network/nfs/server:default"
155 NFSCLI_FMRI="svc:/network/nfs/client:default"
156 RQUOTA_FMRI="svc:/network/nfs/rquota:default"
157 FMRI=$2
158
159 file=`fmri_to_file $FMRI $IPF_SUFFIX`
160 file6=`fmri_to_file $FMRI $IPF6_SUFFIX`
161 echo "# $FMRI" >$file
162 echo "# $FMRI" >$file6
163 policy=`get_policy $NFS_FMRI`
164
165 #
166 # nfs/server configuration is processed in the start method.
167 #
168 if [ "$FMRI" = "$NFS_FMRI" ]; then
169 service_check_state $FMRI $SMF_ONLINE
170 if [ $? -ne 0 ]; then
171 rm $file
172 exit $SMF_EXIT_OK
173 fi
174
175 nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null`
176 tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null`
177 if [ -n "$tport" ]; then
178 generate_rules $FMRI $policy "tcp" $tport $file
179 fi
180
181 tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null`
182 if [ -n "$tport6" ]; then
183 generate_rules $FMRI $policy "tcp" $tport6 $file6 _6
184 fi
185
186 uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null`
187 if [ -n "$uport" ]; then
188 generate_rules $FMRI $policy "udp" $uport $file
189 fi
190
191 uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null`
192 if [ -n "$uport6" ]; then
193 generate_rules $FMRI $policy "udp" $uport6 $file6 _6
194 fi
195
196 # mountd IPv6 ports are also reachable through IPv4, so include
197 # them when generating IPv4 rules.
198 tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null`
199 tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null`
200 if [ -n "$tports" -o -n "$tports6" ]; then
201 tports=`unique_ports $tports $tports6`
202 for tport in $tports; do
203 generate_rules $FMRI $policy "tcp" \
204 $tport $file
205 done
206 fi
207
208 if [ -n "$tports6" ]; then
209 for tport6 in $tports6; do
210 generate_rules $FMRI $policy "tcp" \
211 $tport6 $file6 _6
212 done
213 fi
214
215 uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null`
216 uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null`
217 if [ -n "$uports" -o -n "$uports6" ]; then
218 uports=`unique_ports $uports $uports6`
219 for uport in $uports; do
220 generate_rules $FMRI $policy "udp" \
221 $uport $file
222 done
223 fi
224
225 if [ -n "$uports6" ]; then
226 for uport6 in $uports6; do
227 generate_rules $FMRI $policy "udp" \
228 $uport6 $file6 _6
229 done
230 fi
231
232 elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then
233 iana_name=`svcprop -p inetd/name $FMRI`
234
235 # rquota IPv6 ports are also reachable through IPv4, so include
236 # them when generating IPv4 rules.
237 tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
238 tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
239 if [ -n "$tports" -o -n "$tports6" ]; then
240 tports=`unique_ports $tports $tports6`
241 for tport in $tports; do
242 generate_rules $NFS_FMRI $policy "tcp" \
243 $tport $file
244 done
245 fi
246
247 if [ -n "$tports6" ]; then
248 for tport6 in $tports6; do
249 generate_rules $NFS_FMRI $policy "tcp" \
250 $tport6 $file6 _6
251 done
252 fi
253
254 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
255 uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
256 if [ -n "$uports" -o -n "$uports6" ]; then
257 uports=`unique_ports $uports $uports6`
258 for uport in $uports; do
259 generate_rules $NFS_FMRI $policy "udp" \
260 $uport $file
261 done
262 fi
263
264 if [ -n "$uports6" ]; then
265 for uport6 in $uports6; do
266 generate_rules $NFS_FMRI $policy "udp" \
267 $uport6 $file6 _6
268 done
269 fi
270 else
271 #
272 # Handle the client services here
273 #
274 if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then
275 policy=none
276 ip=any
277 fi
278
279 restarter=`svcprop -p general/restarter $FMRI 2>/dev/null`
280 if [ "$restarter" = "$INETDFMRI" ]; then
281 iana_name=`svcprop -p inetd/name $FMRI`
282 isrpc=`svcprop -p inetd/isrpc $FMRI`
283 else
284 iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI`
285 isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $FMRI`
286 fi
287
288 if [ "$isrpc" = "true" ]; then
289 tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
290 tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
291 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
292 uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
293 else
294 tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null`
295 tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null`
296 uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null`
297 uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null`
298 fi
299
300 # IPv6 ports are also reachable through IPv4, so include
301 # them when generating IPv4 rules.
302 if [ -n "$tports" -o -n "$tports6" ]; then
303 tports=`unique_ports $tports $tports6`
304 for tport in $tports; do
305 generate_rules $FMRI $policy "tcp" $tport $file
306 done
307 fi
308
309 if [ -n "$tports6" ]; then
310 for tport6 in $tports6; do
311 generate_rules $FMRI $policy "tcp" $tport6 $file6 _6
312 done
313 fi
314
315 if [ -n "$uports" -o -n "$uports6" ]; then
316 uports=`unique_ports $uports $uports6`
317 for uport in $uports; do
318 generate_rules $FMRI $policy "udp" $uport $file
319 done
320 fi
321
322 if [ -n "$uports6" ]; then
323 for uport6 in $uports6; do
324 generate_rules $FMRI $policy "udp" $uport6 $file6 _6
325 done
326 fi
327 fi
328
329 ;;
330
331 *)
332 echo "Usage: $0 { start | stop | refresh }"
333 exit 1
334 ;;
335 esac
336 exit $SMF_EXIT_OK