Bug #13329

rpcsec & friends need to be zone-aware

Added by Dan McDonald 5 months ago.

nfs - NFS server and client
Start date:
Due date:
% Done:


Estimated time:
Gerrit CR:


Inspired by this smartos-live filing:, I dove into the source to see why a non-global zone NFS server requires a global zone network/rpc/gss service running.

The answer is summarized in the subject line.

There appear to be four kernel modules we should examine:

1.) kgssapi ===> This module seems to be at least mildly zone-aware. If you look at usr/src/uts/common/gssapi/gssdmod.c you'll see it at least has zone_key_create() and friends. I also am 70% sure this is client code, not server code. I'll note it has the gssd_clnt_stubs.c file, which appears to have entry points called by the below modules. EVERY FUNCTION in that file from what I can tell calls the internal getgssd_handle() which does per-zone lookup, but based on curzone().

2.) rpcsec ===> THIS module is not zone-aware at all. I'm also 70% sure this is the server code. We need to dive into this and make it zone-aware. The init function is in usr/src/uts/common/rpc/sec/secmod.c and it's global-only. :(

3.) rpcsec_gss ===> Same problems as rpcsec. It also launches a single taskq in global-zone context, which is why in kgssapi curzone() is always "global". The init function here is in usr/src/uts/common/rpc/sec_gss/rpcsec_gssmod.c and it's also global-only.

4.) kmech_krb5 ===> This is the Kerberos goodies that GSSAPI in practice uses. I suspect this needs to be rearchitected to reflect any needed changes in rpcsec_gss (since this is a "plugin" to gssapi).

I don't think this is going to be an easy fix, folks. I believe what will need to happen is:

  • rpcsec will need to be a bit more zone aware in general. This module includes the old DES rpcsec, and callouts to rpcsec_gss.
  • The specific bug here requires getting rpcsec_gss as well zone-aware, INCLUDING its plugin architecture.
  • If we do it right, the kmech_krb5 won't have to change ALL that much, but as rpcsec_gss gets zone-aware, so will kmech_krb5.
  • We may have to change interfaces into rpcsec, which means consumers (like nfssrv) may also need to change.

No data to display

Also available in: Atom PDF