Stunnel package
Sepideh Roghanchi committed Nov 8, 2024
1 parent c002adf commit 8039b29
Showing 6 changed files with 38 additions and 22 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/prerelease.yml
Expand Up @@ -58,7 +58,7 @@ jobs:
${{ github.workspace }}/deb/aznfs-${{ github.event.inputs.versionName }}-1_amd64.deb
${{ github.workspace }}/rpm/root/rpmbuild/RPMS/x86_64/aznfs-${{ github.event.inputs.versionName }}-1.x86_64.rpm
${{ github.workspace }}/suse/root/rpmbuild/RPMS/x86_64/aznfs_sles-${{ github.event.inputs.versionName }}-1.x86_64.rpm
${{ github.workspace }}/mariner/root/rpmbuild/RPMS/x86_64/aznfs_mariner-${{ github.event.inputs.versionName }}-1.x86_64.rpm
${{ github.workspace }}/stunnel/root/rpmbuild/RPMS/x86_64/aznfs_stunnel-${{ github.event.inputs.versionName }}-1.x86_64.rpm
${{ github.workspace }}/scripts/aznfs_install.sh
${{ github.workspace }}/tarball/aznfs-${{ github.event.inputs.versionName }}-1.x86_64.tar.gz
${{ github.workspace }}/tarball/aznfs-${{ github.event.inputs.versionName }}-1.arm64.tar.gz
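Review bot: the renamed asset `aznfs_stunnel-${{ github.event.inputs.versionName }}-1.x86_64.rpm` carries a build-variant name rather than a distro name, so the release page no longer tells a Mariner or RHEL 7 user which file is theirs; either keep a distro-named artifact alongside it or document in the README which distros are expected to take `aznfs_stunnel`. The same asset list is duplicated verbatim in release.yml, which is why this rename had to be made in two workflows; moving it into one shared list would avoid the two drifting apart.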
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -75,7 +75,7 @@ jobs:
${{ github.workspace }}/deb/aznfs-${{ github.event.inputs.versionName }}-1_amd64.deb
${{ github.workspace }}/rpm/root/rpmbuild/RPMS/x86_64/aznfs-${{ github.event.inputs.versionName }}-1.x86_64.rpm
${{ github.workspace }}/suse/root/rpmbuild/RPMS/x86_64/aznfs_sles-${{ github.event.inputs.versionName }}-1.x86_64.rpm
${{ github.workspace }}/mariner/root/rpmbuild/RPMS/x86_64/aznfs_mariner-${{ github.event.inputs.versionName }}-1.x86_64.rpm
${{ github.workspace }}/stunnel/root/rpmbuild/RPMS/x86_64/aznfs_stunnel-${{ github.event.inputs.versionName }}-1.x86_64.rpm
${{ github.workspace }}/scripts/aznfs_install.sh
${{ github.workspace }}/tarball/aznfs-${{ github.event.inputs.versionName }}-1.x86_64.tar.gz
${{ github.workspace }}/tarball/aznfs-${{ github.event.inputs.versionName }}-1.arm64.tar.gz
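Review bot: same change as in prerelease.yml, so the comment there applies; one extra check for the real release: the published name must stay in step with what `perform_aznfs_update` in scripts/aznfs_install.sh requests (`aznfs_stunnel-${RELEASE_NUMBER}-1.x86_64.rpm`), and releases built from this commit no longer carry `aznfs_mariner-*.rpm`, so any already-installed Mariner client whose installer still requests the old name will fail to update until it has picked up the new script. Publishing the old name for one more release cycle would cover that window.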
22 changes: 18 additions & 4 deletions README.md
Expand Up @@ -29,12 +29,14 @@ The mount helper can be used to provide a secure communication channel for NFSv4
NFS traffic using stunnel. Stunnel is a proxy designed to add TLS encryption functionality to existing services: [https://www.stunnel.org/](https://www.stunnel.org/)

The aznfs mount helper will be used to mount the NFS shares with TLS support. The mount helper initializes dedicated stunnel client
process for each storage account. The stunnel client process listens on a local port for inbound traffic, and then stunnel redirects
process for each storage account's IP address. The stunnel client process listens on a local port for inbound traffic, and then stunnel redirects
nfs client traffic to the 2049 port where NFS server is listening on.

User has to install AZNFS package and mount the NFSv4 shares using `-t aznfs` flag. During the mounting process, user can decide if
they want to mount shares with TLS encryption or without it using `notls` option. For a given endpoint, all the mounts should either use TLS encryption or clear-text using `notls` option as they share the same connection.

To ensure security and consistency, it’s strongly recommended to use the mount helper for both TLS and clear-text mounts

The AZNFS package runs a background job called **aznfswatchdog**. It ensures that stunnel processes are running for each storage account
and cleanup after all shares from the storage account are unmounted. If for some reason a stunnel process is terminated unexpectedly,
the watchdog process restarts it.
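Review bot: the added sentence `To ensure security and consistency, it’s strongly recommended to use the mount helper for both TLS and clear-text mounts` has no terminating period and gives no reason; tie it to the constraint stated two lines above (all mounts to one endpoint share a connection, so a plain `mount -t nfs` to an endpoint that already has a helper-managed TLS mount is what this recommendation prevents). Also, the first paragraph now says a stunnel client is started for each storage account's IP address, but the aznfswatchdog paragraph below still says it ensures stunnel processes are running "for each storage account" and cleans up when all shares "from the storage account" are unmounted; the two statements now disagree about what a watchdog-managed process is keyed on, so update the watchdog paragraph to match.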
Expand Down Expand Up @@ -84,10 +86,14 @@ AZNFS is supported on following Linux distros:
## Usage Instructions

### NFSv3

- Mount the Azure Blob NFSv3 share using following command:
```
sudo mount -t aznfs -o vers=3 <account-name>.blob.core.windows.net:/<account-name>/<container-name> /mountpoint
```
### NFSv4

- Mount the Azure File NFSv4 share using following command:
```
sudo mount -t aznfs -o vers=4.1 <account-name>.file.core.windows.net:/<account-name>/<container-name> /mountpoint
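Review bot: whitespace-only hunk, fine. Nit on the unchanged context line `sudo mount -t aznfs -o vers=4.1 <account-name>.file.core.windows.net:/<account-name>/<container-name> /mountpoint`: the export path of an Azure Files NFS share is the account followed by the share name, so `<share-name>` would be less confusing than `<container-name>` directly under the Blob NFSv3 example that uses the same placeholder.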
Expand All @@ -100,7 +106,15 @@ AZNFS is supported on following Linux distros:
```
sudo mount -t aznfs -o vers=4.1,notls <account-name>.file.core.windows.net:/<account-name>/<container-name> /mountpoint
```
- Logs generated from AZNFS will be in `/opt/microsoft/aznfs/data/aznfs.log`.
- Mount Azure File NFSv4 share without TLS with clean option:

If a TLS mount is terminated, the watchdog may take some time to complete cleanup. If the user attempts a “notls” mount on the same endpoint before this process finishes, the mount will fail. To resolve this, the user should include the “clean” option when mounting:
```
sudo mount -t aznfs -o vers=4.1,notls,clean <account-name>.file.core.windows.net:/<account-name>/<container-name> /mountpoint
```
### Logs:
- Logs generated from AZNFS watchdog and mount helper will be in `/opt/microsoft/aznfs/data/aznfs.log`.
- Logs generated by Stunnel will be in `/etc/stunnel/microsoft/aznfs/nfsv4_fileShare/logs`.

## Implementation Details

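Review bot: the new `clean` option needs a sentence on what it does and when it is unsafe. As written (`If a TLS mount is terminated, the watchdog may take some time to complete cleanup…`) a reader cannot tell whether `clean` only removes leftover stunnel state for that endpoint or also tears down a stunnel process still serving other active TLS mounts of the same endpoint, which matters because the README says all mounts to an endpoint share one connection. Two smaller points: the option names in this paragraph use curly quotes (“notls”, “clean”) where the rest of the README uses backticks, and `### Logs:` carries a trailing colon unlike the other headings. Finally, `/etc/stunnel/microsoft/aznfs/nfsv4_fileShare/logs` is an odd place for growing log files; `/etc` is configuration, and a path under `/opt/microsoft/aznfs/data` (where aznfs.log already lives) or `/var/log` is where log rotation and log collection would look.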
Expand Down Expand Up @@ -134,8 +148,8 @@ aznfswatchdog service.

## Troubleshoot

- Check the status of aznfswatchdog service using `systemctl status aznfswatchdog`. If the service is not active, start
it using `systemctl start aznfswatchdog`.
- Check the status of aznfswatchdog and aznfswatchdogv4 service using `systemctl status aznfswatchdog*`. If any of the services are not active, start
it using `systemctl start aznfswatchdog` or `systemctl start aznfswatchdogv4`.
- Enable verbose logs to console by setting `AZNFS_VERBOSE` env variable with `export AZNFS_VERBOSE=1`.
- Provide the IP prefix in the range which is not in use by the machine by setting `AZNFS_IP_PREFIXES` env variable.
- If the problem is with assigning local private IP, set `AZNFS_PING_LOCAL_IP_BEFORE_USE` env variable to 1 using
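Review bot: quote the glob in `systemctl status aznfswatchdog*` (`systemctl status 'aznfswatchdog*'`) so the shell does not expand it against the current directory; systemctl does its own pattern matching on unit names. `start it using` should become `start them using` now that two services are named, and `aznfswatchdogv4` appears here for the first time in the README while the overview paragraph above only describes `aznfswatchdog`; add a line there saying which service manages the NFSv4/stunnel mounts so the troubleshooting step has something to refer back to.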
20 changes: 10 additions & 10 deletions package.sh
Expand Up @@ -11,17 +11,17 @@ set -e
generate_rpm_package()
{
rpm_dir=$1
is_mariner=0
is_stunnel_needed=0

# Overwrite rpm_pkg_dir in case of SUSE.
if [ "$rpm_dir" == "suse" ]; then
rpm_pkg_dir="${pkg_name}_sles-${RELEASE_NUMBER}-1.x86_64"
fi

# Overwrite rpm_pkg_dir in case of Mariner.
if [ "$rpm_dir" == "mariner" ]; then
rpm_pkg_dir="${pkg_name}_mariner-${RELEASE_NUMBER}-1.x86_64"
is_mariner=1
# Overwrite rpm_pkg_dir in case of Mariner and RedHat7.
if [ "$rpm_dir" == "stunnel" ]; then
rpm_pkg_dir="${pkg_name}_stunnel-${RELEASE_NUMBER}-1.x86_64"
is_stunnel_needed=1
fi

# Create the directory to hold the package spec and data files for RPM package.
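Review bot: the comment `# Overwrite rpm_pkg_dir in case of Mariner and RedHat7.` now sits over a condition that tests `"$rpm_dir" == "stunnel"`, so the reader has to open the spec to learn that `stunnel` means "the variant that compiles stunnel from source at install time, used for Mariner and RHEL 7"; say that in the comment. `is_stunnel_needed` reads as "stunnel is required", which is true of every variant; a name such as `build_stunnel_from_source` would describe what the flag actually switches in the spec.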
Expand Down Expand Up @@ -64,13 +64,13 @@ generate_rpm_package()
# For SLES, sysvinit-tools provides pidof.
sed -i -e "s/PROCPS_PACKAGE_NAME/sysvinit-tools/g" ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
sed -i -e "s/DISTRO/suse/g" ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
elif [ "$rpm_dir" == "mariner" ]; then
sed -i -e "s/AZNFS_PACKAGE_NAME/${pkg_name}_mariner/g" ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
elif [ "$rpm_dir" == "stunnel" ]; then
sed -i -e "s/AZNFS_PACKAGE_NAME/${pkg_name}_stunnel/g" ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
sed -i -e "s/NETCAT_PACKAGE_NAME/nmap-ncat/g" ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
# In new versions of Centos/RedHat/Rocky, procps-ng provides pidof. For older versions, it is provided by sysvinit-tools but since it is not
# present in new versions, only install procps-ng which exists in all versions.
sed -i -e "s/PROCPS_PACKAGE_NAME/procps-ng/g" ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
sed -i -e "s/DISTRO/mariner/g" ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
sed -i -e "s/DISTRO/stunnel/g" ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
sed -i -e "s/INSTALL_CMD/yum/g" ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
else
sed -i -e "s/AZNFS_PACKAGE_NAME/${pkg_name}/g" ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
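Review bot: `sed -i -e "s/DISTRO/stunnel/g"` substitutes a build-variant name into a placeholder that, judging by its name and the sibling branch (`s/DISTRO/suse/g`, formerly `mariner`), is meant to carry a distro id; check every use of `DISTRO` in the spec template, because anything that branches on the distro value or builds a path or package name from it will now see `stunnel`. The comment about Centos/RedHat/Rocky and procps-ng now lives in the branch that targets Mariner and RHEL 7; reword it so it describes this branch, or move it next to the generic `else` branch it was written for.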
Expand All @@ -83,7 +83,7 @@ generate_rpm_package()
fi

# Create the rpm package.
rpmbuild --define "mariner $is_mariner" --define "_topdir ${STG_DIR}/${rpm_dir}${rpmbuild_dir}" -v -bb ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
rpmbuild --define "stunnel $is_stunnel_needed" --define "_topdir ${STG_DIR}/${rpm_dir}${rpmbuild_dir}" -v -bb ${STG_DIR}/${rpm_dir}/tmp/aznfs.spec
}

generate_tarball_package() {
Expand Down Expand Up @@ -196,7 +196,7 @@ dpkg-deb -Zgzip --root-owner-group --build $STG_DIR/deb/$pkg_dir

generate_rpm_package rpm
generate_rpm_package suse
generate_rpm_package mariner
generate_rpm_package stunnel

##########################################
# Generating Tarball for amd64 and arm64 #
10 changes: 6 additions & 4 deletions packaging/aznfs/RPM/aznfs.spec
Expand Up @@ -4,8 +4,9 @@ Release: 1
Summary: Mount helper program for correctly handling endpoint IP address changes for Azure Blob NFS mounts and providing a secure communication channel for Azure File NFS mounts
License: MIT
URL: https://github.com/Azure/AZNFS-mount/blob/main/README.md
%if 0%{?mariner}
Requires: bash, PROCPS_PACKAGE_NAME, conntrack-tools, iptables, bind-utils, iproute, util-linux, nfs-utils, NETCAT_PACKAGE_NAME, newt, net-tools, build-essential, binutils, kernel-headers, openssl, openssl-devel
%if 0%{?stunnel}
Requires: bash, PROCPS_PACKAGE_NAME, conntrack-tools, iptables, bind-utils, iproute, util-linux, nfs-utils, NETCAT_PACKAGE_NAME, newt, net-tools, binutils, kernel-headers, openssl, openssl-devel, gcc
Recommends: build-essential
%else
Requires: bash, PROCPS_PACKAGE_NAME, conntrack-tools, iptables, bind-utils, iproute, util-linux, nfs-utils, NETCAT_PACKAGE_NAME, newt, stunnel, net-tools
%endif
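Review bot: `Requires:` now lists `gcc` but not `make`, and the %post below compiles stunnel from source, so a minimal Mariner or RHEL 7 host without make fails at install time; add `make` (and `tar` and `wget` if they are not guaranteed) to `Requires:` rather than relying on `Recommends: build-essential`, which is a weak dependency that `yum` on RHEL 7 does not act on and which names a package that RHEL 7 repositories do not carry. Also verify that this package installs on a stock RHEL 7 rpm at all: weak-dependency tags such as `Recommends:` were introduced in rpm 4.12 and RHEL 7 ships the 4.11 line. Pulling `openssl-devel` and a compiler onto every host for a one-time build is worth a sentence in the README, since it changes what the package leaves installed.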
Expand Down Expand Up @@ -36,10 +37,11 @@ if [ "$init" != "systemd" ]; then
exit 1
fi

if grep -qi "mariner" /etc/os-release; then
# Stunnel package is missing in Mariner package repo, and default stunnel package version on RedHat 7 is not compatible with aznfs.
if grep -qi "mariner" /etc/os-release || [[ "$(grep '^VERSION_ID=' /etc/os-release | cut -d'=' -f2 | tr -d '"' | cut -d'.' -f1)" -eq 7 ]]; then
# Check if stunnel is not already installed.
if ! command -v stunnel > /dev/null; then
# Install stunnel from source on Mariner.
# Install stunnel from source.
wget https://www.stunnel.org/downloads/stunnel-latest.tar.gz -P /tmp
if [ $? -ne 0 ]; then
echo "Failed to download stunnel source code. Please install stunnel and try again."
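Review bot: three problems in this hunk. First, `[[ "$(grep '^VERSION_ID=' /etc/os-release | cut -d'=' -f2 | tr -d '"' | cut -d'.' -f1)" -eq 7 ]]` matches any RPM-based distro whose major version is 7, not just RHEL/CentOS 7, and if `VERSION_ID` is absent the empty string compares as 0; restrict it to the distro IDs you mean (for example `ID` in rhel/centos/ol) so the from-source build is not triggered elsewhere. Second, the comment says the default stunnel on RedHat 7 is not compatible with aznfs, yet `if ! command -v stunnel` skips the source build whenever any stunnel is already on PATH, so a RHEL 7 host that already has the distro package keeps the incompatible binary, which is exactly the case the comment warns about; check the version (or the missing feature) rather than mere presence. Third, `wget https://www.stunnel.org/downloads/stunnel-latest.tar.gz` fetches an unpinned, unverified tarball and compiles it as root during package install; pin a version and verify the upstream GPG signature (or a vendored sha256) before building, and fail closed if verification fails, otherwise a compromised download endpoint turns every install into root code execution, and `-latest` also means two hosts installed a week apart can end up on different stunnel versions.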
4 changes: 2 additions & 2 deletions scripts/aznfs_install.sh
Expand Up @@ -132,8 +132,8 @@ perform_aznfs_update()
AZNFS_RELEASE_SUSE="aznfs_sles-${RELEASE_NUMBER}-1"
package_name=${AZNFS_RELEASE_SUSE}.x86_64.rpm
else
if [ "$distro_id" == "mariner" ]; then
AZNFS_RELEASE="aznfs_mariner-${RELEASE_NUMBER}-1"
if [[ "$distro_id" == "mariner" || ("$distro_id" == "rhel" && $(grep '^VERSION_ID=' /etc/os-release | cut -d'=' -f2 | tr -d '"' | cut -d'.' -f1) == 7) ]] ; then
AZNFS_RELEASE="aznfs_stunnel-${RELEASE_NUMBER}-1"
package_name=${AZNFS_RELEASE}.x86_64.rpm
else
AZNFS_RELEASE="aznfs-${RELEASE_NUMBER}-1"
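Review bot: the condition `"$distro_id" == "rhel"` with major version 7 is narrower than the spec's %post check, which keys on any major version 7 and so also fires on CentOS 7 and Oracle Linux 7. A CentOS 7 host therefore receives the regular `aznfs-*` rpm, whose `Requires: stunnel` pulls in the distro stunnel that the spec's own comment calls incompatible with aznfs; align the two by selecting `aznfs_stunnel` for the same set of distro IDs the spec uses, or make the spec check `ID` as this script does. Also, if `perform_aznfs_update` runs on already-installed clients, those still carrying the previous script will request `aznfs_mariner-*.rpm`, which the updated release workflow no longer publishes.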

0 comments on commit 8039b29
