LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Debian (https://www.linuxquestions.org/questions/debian-26/)
-   -   installing CFS in SQUEEZE (stable) (https://www.linuxquestions.org/questions/debian-26/installing-cfs-in-squeeze-stable-863006/)

Barry1 02-16-2011 04:16 AM

installing CFS in SQUEEZE (stable)
 
Hi group,

I'm running a debian (stable=squeeze) server. There resides an encrypted directory (which a produced with cfs some time ago).
I'd like to access these files - but cfs is not available for debian - not even unstable für x86 or so (see http://packages.debian.org/cfs).
Are there any hints howto install - maybe with apt would be fine?
I have not found any backports or so?

Thanks in advance

Barry1

mostlyharmless 02-16-2011 03:33 PM

You'd probably find it easiest to load a virtual machine with am older version of Linux that supports cfs and access the data from there, then re-encrypt it using something more modern. I haven't had any luck compiling cfs on anything remotely modern.

marculix 04-25-2011 05:04 AM

Quote:

Originally Posted by mostlyharmless (Post 4260697)
You'd probably find it easiest to load a virtual machine with am older version of Linux that supports cfs and access the data from there, then re-encrypt it using something more modern. I haven't had any luck compiling cfs on anything remotely modern.


Hy Barry, Mostlyharmless, Group members

I think there is a persistent maintenance problem with CFS. Most of the CFS packages out there are not supported officially or they are branched out or orphaned as nobody maintains a central svn or cvs repository to merge back all the invididual forks (from distributions) back to a main repository. From my perspective, all attempts failed (e.g. cfsnfs project on sourceforge and some others).

I'm using different CFS versions since 15 years under 3 different architectures (Sparc, i386, PPC) all under the Debian Operating System on Servers, MacBook's and PowerBook's. For me, it's still the most reliable solution for protecting my large private datastore (25 GB).

Last weekend, I installed a small Debian 6.0 personal server which holds my personal daily /home commit of my MacBook's svn-repository. The entire svn replica is now stored within the CFS tree and I'm testing in the next few days whether the combination of Subversion and CFS works reliable.

Barry to your problem:
On Debian squeeze, I've built my own CFS 1.4.1 binary from scratch yesterday without any problem using a simple 'make cfs' followed by a 'make_install cfs', that's it. Here it comes: It is my own branch of CFS which I backpatched against all the relevant CFS fixes which were contributed over the last 15 years. I gathered them from everywhere, in particular from Suse, Debian, Ubuntu, the BSD repository, Mailinglists and Boards, but I not applied every patch e.g. a patch to replace the required 16 char cmkdir password with a 8 char one (?!). If you want me to mirror my current CFS branch on my website, let me know. It contains a fully productional and functional CFS engine supporting the latest crypthography algorithms. You can compare then my version against the latest official version published by Matt Blaze in order to verify the changes (trustworthiness).

cheers
Marc

Barry1 04-26-2011 02:13 AM

Quote:

Originally Posted by marculix (Post 4335292)
Barry to your problem:
On Debian squeeze, I've built my own CFS 1.4.1 binary from scratch yesterday without any problem using a simple 'make cfs' followed by a 'make_install cfs', that's it. Here it comes: It is my own branch of CFS which I backpatched against all the relevant CFS fixes which were contributed over the last 15 years. I gathered them from everywhere, in particular from Suse, Debian, Ubuntu, the BSD repository, Mailinglists and Boards, but I not applied every patch e.g. a patch to replace the required 16 char cmkdir password with a 8 char one (?!). If you want me to mirror my current CFS branch on my website, let me know. It contains a fully productional and functional CFS engine supporting the latest crypthography algorithms. You can compare then my version against the latest official version published by Matt Blaze in order to verify the changes (trustworthiness).

Hi Marc,
thank you for your sources. I read the differences and compiled... they did fine...
Strange - on using 'cattach cryptdir name' it ask for my passphrase - and returns with 'no such encrypted directory' - do you have an idea?
Thanks in advance
Barry1

marculix 04-27-2011 01:23 AM

Quote:

Originally Posted by Barry1 (Post 4336406)
Hi Marc,
thank you for your sources. I read the differences and compiled... they did fine...
Strange - on unsing 'cattach cryptdir name' it ask for my passphrase - and returns with 'no such encrypted directory' - do you have an idea?
Thanks in advance
Barry1

Generally CFS requires these things:
1. A fully working NFS (which you have already with squeeze)
2. A running CFS daemon (which you just compiled)
3. A CFS mounted diretory through NFS (see below)
4. Attaching the crypted directory (to make it virtually unecrypted via CFS, see below)

As you're also using Debian, here's the Debian specific instructions to get CFS working:

as root:
-mkdir /root/.cfs
-chmod 000 /root/.cfs
-Make sure the loopback device is in portmap:
add to /etc/hosts.allow: portmap: 127.0.0.1
-add to /etc/exports: '/root/.cfs localhost(rw)'
-restart your NFS subsystem by doing either:
'/etc/rc2.d/S15... restart' and '/etc/rc2.d/S16... restart'
(assuming that NFS init scripts are S15.. and S16... and you're also running the NFS-kernel-server and not the NFS daemon)
-Run 'cfsd 3049' (which starts the CFS daemon on port 3049)
-Then you can mount your CFS-mountpoint:
mount -t nfs -o port=3049,intr,sync,nfsvers=2,udp localhost:/root/.cfs /home/yourdir/test/ (assuming that 'test' is a simple empty directory which exists in your homedir)
-and finally attach your encyrypted dir:
cattach /your-encyrypted-dir/ test (test is here the reference to the mountpoint above)

That's it. My general debugging experience is:

bring up CFS order: cfsd start - mount - cattach
shutdown CFS order: cdetach - umount - cfsd stop

Hope it helps.
Marc

Barry1 04-27-2011 03:35 AM

Hi marculix,

thanks for you help..
I forgot your step
Quote:

Originally Posted by marculix (Post 4337612)
Generally CFS requires these things:
-Make sure the loopback device is in portmap:
add to /etc/hosts.allow: portmap: 127.0.0.1

but now - I get another problem...
Code:

ebeling@gammaray:~$ cattach /home/ebeling/ebeling_privat/ /home/ebeling/cfsdir/
Key:
cattach: badly formed name

I also tried without trailing slashes...
Any ideas?

Thanks in advance and greets

Barry1

marculix 04-28-2011 07:08 AM

Quote:

Originally Posted by Barry1 (Post 4337727)
Hi marculix,
but now - I get another problem...
Code:

ebeling@gammaray:~$ cattach /home/ebeling/ebeling_privat/ /home/ebeling/cfsdir/
Key:
cattach: badly formed name

I also tried without trailing slashes...
Any ideas?
Barry1

Uuuuhhhh.... no clue... Never got this msg before... Maybe you encrypted the folder using an early 1.3.3 version of CFS? I you need, I also have the modified and blowfish patched 1.3.3 sources if you think it's an incompatibility issue... Let me know...

Marc

Barry1 04-28-2011 07:24 AM

Quote:

Originally Posted by marculix (Post 4339149)
Uuuuhhhh.... no clue... Never got this msg before... Maybe you encrypted the folder using an early 1.3.3 version of CFS? I you need, I also have the modified and blowfish patched 1.3.3 sources if you think it's an incompatibility issue... Let me know...
Marc

Hi Marc,
maybe... Last working use was on 2008-11-18... I have no idea which version was used...
I'd like to give the older one a try.
Thanks in advance

Bastian

Barry1 04-28-2011 08:42 AM

Hi marculix,

thanks - I compiled... but the problem remains...
Trying the cattach-command with a strace show the following maybe interesting line (within many others)
Code:

bind(3, {sa_family=AF_INET, sin_port=htons(710), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
Do you have an explanation?
Greets
Bastian

mostlyharmless 04-29-2011 09:58 AM

@marculix I've got a dumb question: where are the sources for this newly parched up version of cfs? Could you provide a link?

marculix 05-07-2011 12:55 AM

Quote:

Originally Posted by mostlyharmless (Post 4340655)
@marculix I've got a dumb question: where are the sources for this newly parched up version of cfs? Could you provide a link?

Here's my update (work in progress):
The CFS Test on my Debian environment was not a success.

I ran all my test cases on this environment:

Code:

lsb_release -d:                    Debian GNU/Linux 6.0.1 (squeeze)
uname -a:                          kernel 2.6.32-5-686
apt-cache policy nfs-kernel-server: 1:1.2.2-4
gcc -v:                            gcc version 4.4.5 (Debian 4.4.5-8)
cfs version:                        1.4.1

Compiling and installing CFS works perfectly fine using my own backpatched branch of CFS 1.4.1 but the CFS functionality is clearly broken with recent Linux kernels, that's my final conclusion after a week investigation.

After I straced and analyzed a 'touch foo' within my CFS attached dir, I found that the latest implementation of NFS in newer linux kernels must be the reason that (anciently maintained) CFS 1.4.1 doesn't work anymore. It's a tragedy but a Debian bug report [1] two years ago ended with the closure of this issue (no solution provided), the bug remained unfixed and CFS subsequently orphaned in Debian.

Some deeper research brought me to the essential 3 years old kernel mailing list thread [2]. Based on the research work driven by Gianluca Alberici which insisted to find a solution for this issue, it was found, that after a NFS fix was contributed against linux kernel 2.6.22, CFS wasn't working anymore afterwards with all later kernels. It was concluded, that it wasn't the NFS maintainer's fault but due to the lack of CFS maintenance.

According Gianluca's post [3], he coded a 'working patch' against CFSD which makes CFS working with newer kernels. I contacted him today by e-mail for sending me the patch as I haven't found it somewhere else. Once I'll receive it, I'll run the patch against my CFS branch and re-run my tests again.

Should I manage to get CFS running on my recent Linux environment, then I'll mirror my entire backpatched CFS branch on my website.

I'll keep you up-to-date.
Marc


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516568
[2] http://www.mail-archive.com/linux-nf.../msg01248.html
[3] http://www.mail-archive.com/linux-nf.../msg01396.html

marculix 05-15-2011 09:18 AM

Quote:

Originally Posted by marculix (Post 4348945)
Here's my update (work in progress):
Should I manage to get CFS running on my recent Linux environment, then I'll mirror my entire backpatched CFS branch on my website.
I'll keep you up-to-date.

Hi guys

I never received an answer from Gianluca by e-mail and I haven't found his working patch somewhere else, imho his fix was never committed into a public CFS repository. I checked every single google reference and repo in the last 7 days.

I'm highly under pressure with a research project thus, I have no time to fix this CFS bug. If someone else may have a look into it, feel free. For those which are interested to fix this CFS bug, I uploaded an incremental diff of my own maintained CFS branch to my website: http://pubwww.fhzh.ch/~mgloor/patch.html. Any feedback appreciated.

However, I'm using eCryptfs with Subversion now. The performance is great.

cheers
Marc


All times are GMT -5. The time now is 04:46 PM.