Hi Wouter,
* Wouter Verhelst <wou...@debian.org> [2018-01-17; 18:33]:
> On Wed, Jan 17, 2018 at 06:12:59PM +0100, Gregor Zattler wrote:
>> There is a nbd server version 1:3.16.2-1 running on a debian
>> testing/buster server with amongst others this definition of an
>> export in /etc/nbd-server/config:
>> 
>> [server-media]
>>         exportname = /dev/sda5
>
> If you're doing that, you need to ensure that the NBD server has access
> to /dev/sda5, at least read access (but possibly write access, too). Out
> of the box, this is not possible (you can export files too).
>
> In order to do so, you have two options:
>
> - Either tell udev to change ownership and/or permissions of /dev/sda5
>   so that a process running as the "nbd" user and/or group can read (and
>   possibly write) to the device;
> - Or comment out or change the "user" and/or "group" setting in the
>   configuration file, so that the user and/or group are no longer set to
>   "nbd" but instead to "disk" or left as "root".
>
> If you don't do either of those, then the nbd-server will not have
> access to the partitions and cannot possibly export them.
>
>>         flush = true
>>         fua = true
>> 
>> When I connect to this export with nbd-client version 1:3.15.2-3
>> from a debian stretch system I get:
>> 
>> $ sudo nbd-client  -name server-media shi /dev/nbd1
>> Negotiation: ..Error: Read failed: End of file
>> Exiting.
>
> This is the normal error message you get when the server cannot access
> the device in question.

IMHO this is not a permissions problem, as shown with this log of
my actions:

on server (shi):
$ egrep "user|group" /etc/nbd-server/config
# If you want to run everything as root rather than the nbd user, you
user = nbd
group = nbd
$ sudo systemctl restart nbd-server.service
$ ls -l /dev/sda*|grep nbd
brw-rw---- 1 root nbd  8, 5 Jan 17 23:44 /dev/sda5
brw-rw---- 1 root nbd  8, 6 Jan 17 17:48 /dev/sda6

on client (len):
$ sudo nbd-client -l shi
Negotiation: ..
crypt-server-backup
shi-media
$ sudo nbd-client  -name "shi-media" shi /dev/nbd1
Negotiation: ..size = 921600MB
bs=1024, sz=966367641600 bytes

now on server again:
$ sudo sed -i -e "s/shi-media/server-media/" /etc/nbd-server/config
$ sudo systemctl restart nbd-server.service
$ ls -l /dev/sda*|grep nbd
brw-rw---- 1 root nbd  8, 5 Jan 17 23:50 /dev/sda5
brw-rw---- 1 root nbd  8, 6 Jan 17 17:48 /dev/sda6

back to client:
$ sudo nbd-client -l shi
Negotiation: ..
crypt-server-backup
server-media
$ sudo nbd-client  -name "server-media" shi /dev/nbd1
Negotiation: ..Error: Read failed: End of file
Exiting.

what happened to the permissions on the server?:
$ ls -l /dev/sda*|grep nbd
brw-rw---- 1 root nbd  8, 5 Jan 17 23:50 /dev/sda5
brw-rw---- 1 root nbd  8, 6 Jan 17 17:48 /dev/sda6


Now on server I change my nbd-server config not to use nbd as
user/group:

$ egrep "user|group" /etc/nbd-server/config
# If you want to run everything as root rather than the nbd user, you
#       user = nbd
#       group = nbd
$ sudo chgrp disk /dev/sda5
$ ls -l /dev/sda5
brw-rw---- 1 root disk 8, 5 Jan 17 23:50 /dev/sda5
$ sudo systemctl restart nbd-server.service

and back to client:
$ sudo nbd-client -l shi
Negotiation: ..
crypt-server-backup
server-media
$ sudo nbd-client -c /dev/nbd1 || echo not connected
not connected
$ sudo nbd-client  -name "server-media" shi /dev/nbd1
Negotiation: ..Error: Read failed: End of file
Exiting.


Changing the export's name helps while changing the user/group does
not help with this problem.


>> When I rename this export on the server to "shi-media", restart the
>> nbd-server.service and do:
>> 
>> $ sudo nbd-client  -name shi-media shi /dev/nbd1
>> Negotiation: ..size = 921600MB
>> bs=1024, sz=966367641600 bytes
>
> I suspect that something changed related to permissions in between the
> two runs, and that that, rather than the name change, is responsible for
> it succeeding the second time.
>
>> I would assume this bug applies to all export names beginning
>> with "server-".
>> 
>> It should be possible to use export names beginning with
>> "server-" or at least this restriction should be documented.
>
> There is no such restriction. The only restrictions existing for export
> names are one of length (4096 bytes maximum, although "only" 256 should
> be used if one desires to remain compatible with other implementations)
> and a practical one of legal characters for section headers implemented
> by glib's GKeyFile API.

Thanks for looking into this.

Ciao; Gregor
-- 
 -... --- .-. . -.. ..--.. ...-.-
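
The access check behind the two options in the quoted reply, as an added example that is not part of the original message or of nbd-server: it reads the `user`/`group` settings (assumed to live in the `[generic]` section of the config) and evaluates the export device's owner/group/other mode bits for that identity. The config text and device metadata are constructed from the fragments quoted above; ACLs and supplementary groups are not modelled.

```python
import configparser
import stat

# Constructed sample modelled on the config fragments quoted in the thread.
SAMPLE_CONFIG = """\
[generic]
user = nbd
group = nbd

[server-media]
exportname = /dev/sda5
flush = true
fua = true
"""

# Constructed device metadata matching the `ls -l` line in the thread:
# brw-rw---- 1 root nbd ... /dev/sda5
SAMPLE_DEVICES = {"/dev/sda5": {"mode": 0o660, "owner": "root", "group": "nbd"}}


def access_for(dev, user, groups):
    """Return (can_read, can_write) from the classic owner/group/other bits."""
    if user == "root":
        return True, True  # root is not limited by the mode bits
    mode = dev["mode"]
    if user == dev["owner"]:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif dev["group"] in groups:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(mode & r), bool(mode & w)


def audit(config_text, devices):
    """Map each export section to the access its configured user/group gets."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    # With user/group commented out, the server keeps running as root.
    user = cfg.get("generic", "user", fallback="root")
    group = cfg.get("generic", "group", fallback="root")
    report = {}
    for name in cfg.sections():
        if name == "generic" or not cfg.has_option(name, "exportname"):
            continue
        dev = devices.get(cfg.get(name, "exportname"))
        # None means the export target is not in the supplied metadata.
        report[name] = access_for(dev, user, {group}) if dev else None
    return report
```

A result of `(True, False)` would mean the export can only be served read-only; `(False, False)` is the case where the server cannot open the device at all.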
