17c478bd9Sstevel@tonic-gate#!/sbin/sh 27c478bd9Sstevel@tonic-gate# 37c478bd9Sstevel@tonic-gate# CDDL HEADER START 47c478bd9Sstevel@tonic-gate# 57c478bd9Sstevel@tonic-gate# The contents of this file are subject to the terms of the 66927f468Sdp# Common Development and Distribution License (the "License"). 76927f468Sdp# You may not use this file except in compliance with the License. 87c478bd9Sstevel@tonic-gate# 97c478bd9Sstevel@tonic-gate# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 107c478bd9Sstevel@tonic-gate# or http://www.opensolaris.org/os/licensing. 117c478bd9Sstevel@tonic-gate# See the License for the specific language governing permissions 127c478bd9Sstevel@tonic-gate# and limitations under the License. 137c478bd9Sstevel@tonic-gate# 147c478bd9Sstevel@tonic-gate# When distributing Covered Code, include this CDDL HEADER in each 157c478bd9Sstevel@tonic-gate# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 167c478bd9Sstevel@tonic-gate# If applicable, add the following below this CDDL HEADER, with the 177c478bd9Sstevel@tonic-gate# fields enclosed by brackets "[]" replaced with your own identifying 187c478bd9Sstevel@tonic-gate# information: Portions Copyright [yyyy] [name of copyright owner] 197c478bd9Sstevel@tonic-gate# 207c478bd9Sstevel@tonic-gate# CDDL HEADER END 217c478bd9Sstevel@tonic-gate# 225ae59b69SMarcel Telka 237c478bd9Sstevel@tonic-gate# 24dd51520eSPavan Mettu - Oracle Corporation - Menlo Park United States# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. 25*940c61f2SHans Rosenfeld# Copyright 2015 Nexenta Systems, Inc. All rights reserved. 26*940c61f2SHans Rosenfeld# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> 277c478bd9Sstevel@tonic-gate# 287c478bd9Sstevel@tonic-gate 297c478bd9Sstevel@tonic-gate# Start/stop processes required for server NFS 307c478bd9Sstevel@tonic-gate 317c478bd9Sstevel@tonic-gate. /lib/svc/share/smf_include.sh 32eb1a3463STruong Nguyen. /lib/svc/share/ipf_include.sh 336927f468Sdpzone=`smf_zonename` 347c478bd9Sstevel@tonic-gate 35eb1a3463STruong Nguyen# 36eb1a3463STruong Nguyen# Handling a corner case here. If we were in offline state due to an 37eb1a3463STruong Nguyen# unsatisfied dependency, the ipf_method process wouldn't have generated 38eb1a3463STruong Nguyen# the ipfilter configuration. When we transition to online because the 39eb1a3463STruong Nguyen# dependency is satisfied, the start method will have to generate the 40eb1a3463STruong Nguyen# ipfilter configuration. To avoid all possible deadlock scenarios, 41eb1a3463STruong Nguyen# we restart ipfilter which will regenerate the ipfilter configuration 42eb1a3463STruong Nguyen# for the entire system. 43eb1a3463STruong Nguyen# 44eb1a3463STruong Nguyen# The ipf_method process signals that it didn't generate ipf rules by 45eb1a3463STruong Nguyen# removing the service's ipf file. Thus we only restart network/ipfilter 46eb1a3463STruong Nguyen# when the file is missing. 47eb1a3463STruong Nguyen# 48eb1a3463STruong Nguyenconfigure_ipfilter() 49eb1a3463STruong Nguyen{ 50eb1a3463STruong Nguyen ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX` 51*940c61f2SHans Rosenfeld ip6file=`fmri_to_file $SMF_FMRI $IPF6_SUFFIX` 52*940c61f2SHans Rosenfeld [ -f "$ipfile" -a -f "$ip6file" ] && return 0 53eb1a3463STruong Nguyen 54eb1a3463STruong Nguyen # 55eb1a3463STruong Nguyen # Nothing to do if: 56eb1a3463STruong Nguyen # - ipfilter isn't online 57eb1a3463STruong Nguyen # - global policy is 'custom' 58eb1a3463STruong Nguyen # - service's policy is 'use_global' 59eb1a3463STruong Nguyen # 60eb1a3463STruong Nguyen service_check_state $IPF_FMRI $SMF_ONLINE || return 0 61eb1a3463STruong Nguyen [ "`get_global_def_policy`" = "custom" ] && return 0 62eb1a3463STruong Nguyen [ "`get_policy $SMF_FMRI`" = "use_global" ] && return 0 63eb1a3463STruong Nguyen 64eb1a3463STruong Nguyen svcadm restart $IPF_FMRI 65eb1a3463STruong Nguyen} 66eb1a3463STruong Nguyen 677c478bd9Sstevel@tonic-gatecase "$1" in 687c478bd9Sstevel@tonic-gate'start') 697c478bd9Sstevel@tonic-gate # The NFS server is not supported in a local zone 706927f468Sdp if smf_is_nonglobalzone; then 713fd3a04aSthurlow /usr/sbin/svcadm disable -t svc:/network/nfs/server 727c478bd9Sstevel@tonic-gate echo "The NFS server is not supported in a local zone" 737c478bd9Sstevel@tonic-gate sleep 5 & 747c478bd9Sstevel@tonic-gate exit $SMF_EXIT_OK 757c478bd9Sstevel@tonic-gate fi 767c478bd9Sstevel@tonic-gate 776185db85Sdougm # Share all file systems enabled for sharing. sharemgr understands 786185db85Sdougm # regular shares and ZFS shares and will handle both. Technically, 796185db85Sdougm # the shares would have been started long before getting here since 806185db85Sdougm # nfsd has a dependency on them. 817c478bd9Sstevel@tonic-gate 826185db85Sdougm # restart stopped shares from the repository 836185db85Sdougm /usr/sbin/sharemgr start -P nfs -a 84fa9e4066Sahrens 85dd51520eSPavan Mettu - Oracle Corporation - Menlo Park United States # Options for nfsd are now set in SMF 865ae59b69SMarcel Telka 877c478bd9Sstevel@tonic-gate /usr/lib/nfs/mountd 88250a0733Sth199096 rc=$? 89250a0733Sth199096 if [ $rc != 0 ]; then 90250a0733Sth199096 /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server 91250a0733Sth199096 echo "$0: mountd failed with $rc" 92250a0733Sth199096 sleep 5 & 93250a0733Sth199096 exit $SMF_EXIT_ERR_FATAL 94250a0733Sth199096 fi 95250a0733Sth199096 967c478bd9Sstevel@tonic-gate /usr/lib/nfs/nfsd 97250a0733Sth199096 rc=$? 98250a0733Sth199096 if [ $rc != 0 ]; then 99250a0733Sth199096 /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server 100250a0733Sth199096 echo "$0: nfsd failed with $rc" 101250a0733Sth199096 sleep 5 & 102250a0733Sth199096 exit $SMF_EXIT_ERR_FATAL 103250a0733Sth199096 fi 104eb1a3463STruong Nguyen 105eb1a3463STruong Nguyen configure_ipfilter 1067c478bd9Sstevel@tonic-gate ;; 1077c478bd9Sstevel@tonic-gate 1083fd3a04aSthurlow'refresh') 1096185db85Sdougm /usr/sbin/sharemgr start -P nfs -a 1103fd3a04aSthurlow ;; 1113fd3a04aSthurlow 1127c478bd9Sstevel@tonic-gate'stop') 1137c478bd9Sstevel@tonic-gate /usr/bin/pkill -x -u 0,1 -z $zone '(nfsd|mountd)' 1147c478bd9Sstevel@tonic-gate 1156185db85Sdougm # Unshare all shared file systems using NFS 116fa9e4066Sahrens 1176185db85Sdougm /usr/sbin/sharemgr stop -P nfs -a 1187c478bd9Sstevel@tonic-gate 1197c478bd9Sstevel@tonic-gate # Kill any processes left in service contract 1207c478bd9Sstevel@tonic-gate smf_kill_contract $2 TERM 1 1217c478bd9Sstevel@tonic-gate [ $? -ne 0 ] && exit 1 1227c478bd9Sstevel@tonic-gate ;; 1233fd3a04aSthurlow 124eb1a3463STruong Nguyen'ipfilter') 125eb1a3463STruong Nguyen # 126eb1a3463STruong Nguyen # NFS related services are RPC. nfs/server has nfsd which has 127eb1a3463STruong Nguyen # well-defined port number but mountd is an RPC daemon. 128eb1a3463STruong Nguyen # 129eb1a3463STruong Nguyen # Essentially, we generate rules for the following "services" 130eb1a3463STruong Nguyen # - nfs/server which has nfsd and mountd 131eb1a3463STruong Nguyen # - nfs/rquota 132eb1a3463STruong Nguyen # 133eb1a3463STruong Nguyen # The following services are enabled for both nfs client and 134*940c61f2SHans Rosenfeld # server, if nfs/client is enabled we'll treat them as client 135*940c61f2SHans Rosenfeld # services and simply allow incoming traffic. 136eb1a3463STruong Nguyen # - nfs/status 137eb1a3463STruong Nguyen # - nfs/nlockmgr 138eb1a3463STruong Nguyen # - nfs/cbd 139eb1a3463STruong Nguyen # 140eb1a3463STruong Nguyen NFS_FMRI="svc:/network/nfs/server:default" 141*940c61f2SHans Rosenfeld NFSCLI_FMRI="svc:/network/nfs/client:default" 142eb1a3463STruong Nguyen RQUOTA_FMRI="svc:/network/nfs/rquota:default" 143eb1a3463STruong Nguyen FMRI=$2 144eb1a3463STruong Nguyen 145eb1a3463STruong Nguyen file=`fmri_to_file $FMRI $IPF_SUFFIX` 146*940c61f2SHans Rosenfeld file6=`fmri_to_file $FMRI $IPF6_SUFFIX` 147eb1a3463STruong Nguyen echo "# $FMRI" >$file 148*940c61f2SHans Rosenfeld echo "# $FMRI" >$file6 149eb1a3463STruong Nguyen policy=`get_policy $NFS_FMRI` 150eb1a3463STruong Nguyen 151eb1a3463STruong Nguyen # 152eb1a3463STruong Nguyen # nfs/server configuration is processed in the start method. 153eb1a3463STruong Nguyen # 154eb1a3463STruong Nguyen if [ "$FMRI" = "$NFS_FMRI" ]; then 155eb1a3463STruong Nguyen service_check_state $FMRI $SMF_ONLINE 156eb1a3463STruong Nguyen if [ $? -ne 0 ]; then 157eb1a3463STruong Nguyen rm $file 158eb1a3463STruong Nguyen exit $SMF_EXIT_OK 159eb1a3463STruong Nguyen fi 160eb1a3463STruong Nguyen 161eb1a3463STruong Nguyen nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null` 162eb1a3463STruong Nguyen tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null` 163eb1a3463STruong Nguyen if [ -n "$tport" ]; then 164*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "tcp" $tport $file 165*940c61f2SHans Rosenfeld fi 166*940c61f2SHans Rosenfeld 167*940c61f2SHans Rosenfeld tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null` 168*940c61f2SHans Rosenfeld if [ -n "$tport6" ]; then 169*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "tcp" $tport6 $file6 _6 170eb1a3463STruong Nguyen fi 171eb1a3463STruong Nguyen 172eb1a3463STruong Nguyen uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null` 173eb1a3463STruong Nguyen if [ -n "$uport" ]; then 174*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "udp" $uport $file 175eb1a3463STruong Nguyen fi 176eb1a3463STruong Nguyen 177*940c61f2SHans Rosenfeld uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null` 178*940c61f2SHans Rosenfeld if [ -n "$uport6" ]; then 179*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "udp" $uport6 $file6 _6 180*940c61f2SHans Rosenfeld fi 181*940c61f2SHans Rosenfeld 182*940c61f2SHans Rosenfeld # mountd IPv6 ports are also reachable through IPv4, so include 183*940c61f2SHans Rosenfeld # them when generating IPv4 rules. 184eb1a3463STruong Nguyen tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null` 185*940c61f2SHans Rosenfeld tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null` 186*940c61f2SHans Rosenfeld if [ -n "$tports" -o -n "$tports6" ]; then 187*940c61f2SHans Rosenfeld tports=`unique_ports $tports $tports6` 188eb1a3463STruong Nguyen for tport in $tports; do 189*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "tcp" \ 190eb1a3463STruong Nguyen $tport $file 191eb1a3463STruong Nguyen done 192eb1a3463STruong Nguyen fi 193eb1a3463STruong Nguyen 194*940c61f2SHans Rosenfeld if [ -n "$tports6" ]; then 195*940c61f2SHans Rosenfeld for tport6 in $tports6; do 196*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "tcp" \ 197*940c61f2SHans Rosenfeld $tport6 $file6 _6 198*940c61f2SHans Rosenfeld done 199*940c61f2SHans Rosenfeld fi 200*940c61f2SHans Rosenfeld 201eb1a3463STruong Nguyen uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null` 202*940c61f2SHans Rosenfeld uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null` 203*940c61f2SHans Rosenfeld if [ -n "$uports" -o -n "$uports6" ]; then 204*940c61f2SHans Rosenfeld uports=`unique_ports $uports $uports6` 205eb1a3463STruong Nguyen for uport in $uports; do 206*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "udp" \ 207eb1a3463STruong Nguyen $uport $file 208eb1a3463STruong Nguyen done 209eb1a3463STruong Nguyen fi 210eb1a3463STruong Nguyen 211*940c61f2SHans Rosenfeld if [ -n "$uports6" ]; then 212*940c61f2SHans Rosenfeld for uport6 in $uports6; do 213*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "udp" \ 214*940c61f2SHans Rosenfeld $uport6 $file6 _6 215*940c61f2SHans Rosenfeld done 216*940c61f2SHans Rosenfeld fi 217*940c61f2SHans Rosenfeld 218eb1a3463STruong Nguyen elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then 219eb1a3463STruong Nguyen iana_name=`svcprop -p inetd/name $FMRI` 220eb1a3463STruong Nguyen 221*940c61f2SHans Rosenfeld # rquota IPv6 ports are also reachable through IPv4, so include 222*940c61f2SHans Rosenfeld # them when generating IPv4 rules. 223eb1a3463STruong Nguyen tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` 224*940c61f2SHans Rosenfeld tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` 225*940c61f2SHans Rosenfeld if [ -n "$tports" -o -n "$tports6" ]; then 226*940c61f2SHans Rosenfeld tports=`unique_ports $tports $tports6` 227eb1a3463STruong Nguyen for tport in $tports; do 228eb1a3463STruong Nguyen generate_rules $NFS_FMRI $policy "tcp" \ 229*940c61f2SHans Rosenfeld $tport $file 230*940c61f2SHans Rosenfeld done 231*940c61f2SHans Rosenfeld fi 232*940c61f2SHans Rosenfeld 233*940c61f2SHans Rosenfeld if [ -n "$tports6" ]; then 234*940c61f2SHans Rosenfeld for tport6 in $tports6; do 235*940c61f2SHans Rosenfeld generate_rules $NFS_FMRI $policy "tcp" \ 236*940c61f2SHans Rosenfeld $tport6 $file6 _6 237eb1a3463STruong Nguyen done 238eb1a3463STruong Nguyen fi 239eb1a3463STruong Nguyen 240eb1a3463STruong Nguyen uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` 241*940c61f2SHans Rosenfeld uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` 242*940c61f2SHans Rosenfeld if [ -n "$uports" -o -n "$uports6" ]; then 243*940c61f2SHans Rosenfeld uports=`unique_ports $uports $uports6` 244eb1a3463STruong Nguyen for uport in $uports; do 245eb1a3463STruong Nguyen generate_rules $NFS_FMRI $policy "udp" \ 246*940c61f2SHans Rosenfeld $uport $file 247*940c61f2SHans Rosenfeld done 248*940c61f2SHans Rosenfeld fi 249*940c61f2SHans Rosenfeld 250*940c61f2SHans Rosenfeld if [ -n "$uports6" ]; then 251*940c61f2SHans Rosenfeld for uport6 in $uports6; do 252*940c61f2SHans Rosenfeld generate_rules $NFS_FMRI $policy "udp" \ 253*940c61f2SHans Rosenfeld $uport6 $file6 _6 254eb1a3463STruong Nguyen done 255eb1a3463STruong Nguyen fi 256eb1a3463STruong Nguyen else 257eb1a3463STruong Nguyen # 258eb1a3463STruong Nguyen # Handle the client services here 259eb1a3463STruong Nguyen # 260*940c61f2SHans Rosenfeld if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then 261*940c61f2SHans Rosenfeld policy=none 262*940c61f2SHans Rosenfeld ip=any 263*940c61f2SHans Rosenfeld fi 264*940c61f2SHans Rosenfeld 265eb1a3463STruong Nguyen restarter=`svcprop -p general/restarter $FMRI 2>/dev/null` 266eb1a3463STruong Nguyen if [ "$restarter" = "$INETDFMRI" ]; then 267eb1a3463STruong Nguyen iana_name=`svcprop -p inetd/name $FMRI` 268eb1a3463STruong Nguyen isrpc=`svcprop -p inetd/isrpc $FMRI` 269eb1a3463STruong Nguyen else 270eb1a3463STruong Nguyen iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI` 271eb1a3463STruong Nguyen isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $FMRI` 272eb1a3463STruong Nguyen fi 273eb1a3463STruong Nguyen 274eb1a3463STruong Nguyen if [ "$isrpc" = "true" ]; then 275eb1a3463STruong Nguyen tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` 276*940c61f2SHans Rosenfeld tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` 277eb1a3463STruong Nguyen uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` 278*940c61f2SHans Rosenfeld uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` 279eb1a3463STruong Nguyen else 280eb1a3463STruong Nguyen tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null` 281*940c61f2SHans Rosenfeld tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null` 282eb1a3463STruong Nguyen uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null` 283*940c61f2SHans Rosenfeld uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null` 284eb1a3463STruong Nguyen fi 285eb1a3463STruong Nguyen 286*940c61f2SHans Rosenfeld # IPv6 ports are also reachable through IPv4, so include 287*940c61f2SHans Rosenfeld # them when generating IPv4 rules. 288*940c61f2SHans Rosenfeld if [ -n "$tports" -o -n "$tports6" ]; then 289*940c61f2SHans Rosenfeld tports=`unique_ports $tports $tports6` 290eb1a3463STruong Nguyen for tport in $tports; do 291*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "tcp" $tport $file 292eb1a3463STruong Nguyen done 293eb1a3463STruong Nguyen fi 294eb1a3463STruong Nguyen 295*940c61f2SHans Rosenfeld if [ -n "$tports6" ]; then 296*940c61f2SHans Rosenfeld for tport6 in $tports6; do 297*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "tcp" $tport6 $file6 _6 298*940c61f2SHans Rosenfeld done 299*940c61f2SHans Rosenfeld fi 300*940c61f2SHans Rosenfeld 301*940c61f2SHans Rosenfeld if [ -n "$uports" -o -n "$uports6" ]; then 302*940c61f2SHans Rosenfeld uports=`unique_ports $uports $uports6` 303eb1a3463STruong Nguyen for uport in $uports; do 304*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "udp" $uport $file 305*940c61f2SHans Rosenfeld done 306*940c61f2SHans Rosenfeld fi 307*940c61f2SHans Rosenfeld 308*940c61f2SHans Rosenfeld if [ -n "$uports6" ]; then 309*940c61f2SHans Rosenfeld for uport6 in $uports6; do 310*940c61f2SHans Rosenfeld generate_rules $FMRI $policy "udp" $uport6 $file6 _6 311eb1a3463STruong Nguyen done 312eb1a3463STruong Nguyen fi 313eb1a3463STruong Nguyen fi 314eb1a3463STruong Nguyen 315eb1a3463STruong Nguyen ;; 316eb1a3463STruong Nguyen 3177c478bd9Sstevel@tonic-gate*) 3183fd3a04aSthurlow echo "Usage: $0 { start | stop | refresh }" 3197c478bd9Sstevel@tonic-gate exit 1 3207c478bd9Sstevel@tonic-gate ;; 3217c478bd9Sstevel@tonic-gateesac 3227c478bd9Sstevel@tonic-gateexit $SMF_EXIT_OK 323