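#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
# Copyright 2018 Nexenta Systems, Inc. All rights reserved.
#

# Start/stop processes required for server NFS
#
# Arguments as used below:
#   $1 - method name: start | refresh | stop | ipfilter
#   $2 - 'stop':     contract id handed to smf_kill_contract
#        'ipfilter': FMRI of the service whose ipfilter rule files
#                    are to be (re)generated
#
# Quoting: expansions that become a file to truncate or remove, or that
# name the zone/contract/FMRI being acted on, are double-quoted so an
# empty or unusual value cannot be word-split or globbed into extra
# arguments. Port lists, $policy and the names read back from svcprop are
# deliberately left unquoted, exactly as before: the loops and
# unique_ports depend on word splitting, and how generate_rules and
# servinfo treat an empty or multi-word argument is not visible from
# this file.
#

. /lib/svc/share/smf_include.sh
. /lib/svc/share/ipf_include.sh
zone=`smf_zonename`

#
# Handling a corner case here. If we were in offline state due to an
# unsatisfied dependency, the ipf_method process wouldn't have generated
# the ipfilter configuration. When we transition to online because the
# dependency is satisfied, the start method will have to generate the
# ipfilter configuration. To avoid all possible deadlock scenarios,
# we restart ipfilter which will regenerate the ipfilter configuration
# for the entire system.
#
# The ipf_method process signals that it didn't generate ipf rules by
# removing the service's ipf file. Thus we only restart network/ipfilter
# when a rule file is missing: the early return below requires both the
# IPv4 and the IPv6 file to exist.
#
# Globals read: SMF_FMRI, IPF_SUFFIX, IPF6_SUFFIX, IPF_FMRI, SMF_ONLINE
# Returns: 0 when there is nothing to do; otherwise the status of
#          'svcadm restart'.
#
configure_ipfilter()
{
	ipfile=`fmri_to_file "$SMF_FMRI" $IPF_SUFFIX`
	ip6file=`fmri_to_file "$SMF_FMRI" $IPF6_SUFFIX`
	# Two separate tests instead of the obsolescent '-a' operator.
	[ -f "$ipfile" ] && [ -f "$ip6file" ] && return 0

	#
	# Nothing to do if:
	# - ipfilter isn't online
	# - global policy is 'custom'
	# - service's policy is 'use_global'
	#
	service_check_state $IPF_FMRI $SMF_ONLINE || return 0
	[ "`get_global_def_policy`" = "custom" ] && return 0
	[ "`get_policy $SMF_FMRI`" = "use_global" ] && return 0

	svcadm restart $IPF_FMRI
}

case "$1" in
'start')
	# Share all file systems enabled for sharing. sharemgr understands
	# regular shares and ZFS shares and will handle both. Technically,
	# the shares would have been started long before getting here since
	# nfsd has a dependency on them.

	# restart stopped shares from the repository
	/usr/sbin/sharemgr start -P nfs -a

	# Options for nfsd are now set in SMF

	# A daemon that fails to start puts the service into temporary
	# maintenance instead of leaving it half-started.
	# NOTE(review): the purpose of the backgrounded 'sleep 5' is not
	# evident from this file -- confirm before changing it.
	/usr/lib/nfs/mountd
	rc=$?
	if [ "$rc" -ne 0 ]; then
		/usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server
		echo "$0: mountd failed with $rc"
		sleep 5 &
		exit $SMF_EXIT_ERR_FATAL
	fi

	/usr/lib/nfs/nfsd
	rc=$?
	if [ "$rc" -ne 0 ]; then
		/usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server
		echo "$0: nfsd failed with $rc"
		sleep 5 &
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Only reached once both daemons have started.
	configure_ipfilter
	;;

'refresh')
	/usr/sbin/sharemgr start -P nfs -a
	;;

'stop')
	# Match the exact process names, owned by uid 0 or 1, in this
	# zone only.
	/usr/bin/pkill -x -u 0,1 -z "$zone" '(nfsd|mountd)'

	# Unshare all shared file systems using NFS

	/usr/sbin/sharemgr stop -P nfs -a

	# Kill any processes left in service contract
	smf_kill_contract "$2" TERM 1
	[ $? -ne 0 ] && exit 1
	;;

'ipfilter')
	#
	# NFS related services are RPC. nfs/server has nfsd which has
	# well-defined port number but mountd is an RPC daemon.
	#
	# Essentially, we generate rules for the following "services"
	#  - nfs/server which has nfsd and mountd
	#  - nfs/rquota
	#
	# The following services are enabled for both nfs client and
	# server, if nfs/client is enabled we'll treat them as client
	# services and simply allow incoming traffic.
	#  - nfs/status
	#  - nfs/nlockmgr
	#  - nfs/cbd
	#
	NFS_FMRI="svc:/network/nfs/server:default"
	NFSCLI_FMRI="svc:/network/nfs/client:default"
	RQUOTA_FMRI="svc:/network/nfs/rquota:default"
	FMRI=$2

	# Both rule files are truncated to a one-line header before any
	# rule is generated, so a failure further down leaves a file that
	# holds the header and whatever rules were written before it.
	file=`fmri_to_file "$FMRI" $IPF_SUFFIX`
	file6=`fmri_to_file "$FMRI" $IPF6_SUFFIX`
	echo "# $FMRI" >"$file"
	echo "# $FMRI" >"$file6"

	# The policy always comes from nfs/server, whichever service the
	# rules are generated for (the client branch may override it).
	policy=`get_policy $NFS_FMRI`

	#
	# nfs/server configuration is processed in the start method.
	#
	if [ "$FMRI" = "$NFS_FMRI" ]; then
		service_check_state "$FMRI" $SMF_ONLINE
		if [ $? -ne 0 ]; then
			# Removing the IPv4 file is the signal that
			# configure_ipfilter looks for from the start
			# method. The IPv6 file is left in place holding
			# only its header line.
			rm "$file"
			exit $SMF_EXIT_OK
		fi

		# nfsd: a single port per transport, looked up by name.
		nfs_name=`svcprop -p $FW_CONTEXT_PG/name "$FMRI" 2>/dev/null`
		tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null`
		if [ -n "$tport" ]; then
			generate_rules "$FMRI" $policy "tcp" $tport "$file"
		fi

		tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null`
		if [ -n "$tport6" ]; then
			generate_rules "$FMRI" $policy "tcp" $tport6 "$file6" _6
		fi

		uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null`
		if [ -n "$uport" ]; then
			generate_rules "$FMRI" $policy "udp" $uport "$file"
		fi

		uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null`
		if [ -n "$uport6" ]; then
			generate_rules "$FMRI" $policy "udp" $uport6 "$file6" _6
		fi

		# mountd IPv6 ports are also reachable through IPv4, so include
		# them when generating IPv4 rules.
		tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null`
		tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null`
		if [ -n "$tports" ] || [ -n "$tports6" ]; then
			tports=`unique_ports $tports $tports6`
			for tport in $tports; do
				generate_rules "$FMRI" $policy "tcp" \
				    $tport "$file"
			done
		fi

		if [ -n "$tports6" ]; then
			for tport6 in $tports6; do
				generate_rules "$FMRI" $policy "tcp" \
				    $tport6 "$file6" _6
			done
		fi

		uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null`
		uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null`
		if [ -n "$uports" ] || [ -n "$uports6" ]; then
			uports=`unique_ports $uports $uports6`
			for uport in $uports; do
				generate_rules "$FMRI" $policy "udp" \
				    $uport "$file"
			done
		fi

		if [ -n "$uports6" ]; then
			for uport6 in $uports6; do
				generate_rules "$FMRI" $policy "udp" \
				    $uport6 "$file6" _6
			done
		fi

	elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then
		iana_name=`svcprop -p inetd/name "$FMRI"`

		# The rquota rules are generated with $NFS_FMRI, not $FMRI,
		# as the service argument, but are written to rquota's own
		# rule files.

		# rquota IPv6 ports are also reachable through IPv4, so include
		# them when generating IPv4 rules.
		tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
		tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
		if [ -n "$tports" ] || [ -n "$tports6" ]; then
			tports=`unique_ports $tports $tports6`
			for tport in $tports; do
				generate_rules $NFS_FMRI $policy "tcp" \
				    $tport "$file"
			done
		fi

		if [ -n "$tports6" ]; then
			for tport6 in $tports6; do
				generate_rules $NFS_FMRI $policy "tcp" \
				    $tport6 "$file6" _6
			done
		fi

		uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
		uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
		if [ -n "$uports" ] || [ -n "$uports6" ]; then
			uports=`unique_ports $uports $uports6`
			for uport in $uports; do
				generate_rules $NFS_FMRI $policy "udp" \
				    $uport "$file"
			done
		fi

		if [ -n "$uports6" ]; then
			for uport6 in $uports6; do
				generate_rules $NFS_FMRI $policy "udp" \
				    $uport6 "$file6" _6
			done
		fi
	else
		#
		# Handle the client services here
		#
		# With nfs/client online the nfs/server policy is replaced
		# by 'none' for these services (status, nlockmgr, cbd), so
		# they no longer follow the server's firewall policy.
		# 'ip' is not referenced again in this file; presumably
		# generate_rules reads it -- confirm in ipf_include.sh.
		if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then
			policy=none
			ip=any
		fi

		# inetd-managed services keep their name/isrpc properties
		# in the 'inetd' property group; others use $FW_CONTEXT_PG.
		restarter=`svcprop -p general/restarter "$FMRI" 2>/dev/null`
		if [ "$restarter" = "$INETDFMRI" ]; then
			iana_name=`svcprop -p inetd/name "$FMRI"`
			isrpc=`svcprop -p inetd/isrpc "$FMRI"`
		else
			iana_name=`svcprop -p $FW_CONTEXT_PG/name "$FMRI"`
			isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc "$FMRI"`
		fi

		# RPC services are looked up with -R, others without it.
		if [ "$isrpc" = "true" ]; then
			tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
			tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
			uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
			uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
		else
			tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null`
			tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null`
			uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null`
			uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null`
		fi

		# IPv6 ports are also reachable through IPv4, so include
		# them when generating IPv4 rules.
		if [ -n "$tports" ] || [ -n "$tports6" ]; then
			tports=`unique_ports $tports $tports6`
			for tport in $tports; do
				generate_rules "$FMRI" $policy "tcp" $tport "$file"
			done
		fi

		if [ -n "$tports6" ]; then
			for tport6 in $tports6; do
				generate_rules "$FMRI" $policy "tcp" $tport6 "$file6" _6
			done
		fi

		if [ -n "$uports" ] || [ -n "$uports6" ]; then
			uports=`unique_ports $uports $uports6`
			for uport in $uports; do
				generate_rules "$FMRI" $policy "udp" $uport "$file"
			done
		fi

		if [ -n "$uports6" ]; then
			for uport6 in $uports6; do
				generate_rules "$FMRI" $policy "udp" $uport6 "$file6" _6
			done
		fi
	fi

	;;

*)
	# The usage text does not list the 'ipfilter' method handled above.
	echo "Usage: $0 { start | stop | refresh }"
	exit 1
	;;
esac
exit $SMF_EXIT_OK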