Bun's Lab – Telegram
Electronics projects, vintæg computing, programming and repairs. A minimalist blog of sorts.
@BunsGarden @BunsNook
That was the easy part. From here you can switch to ssh.
Power usage is pretty low. That's under full CPU load. 5W
Now, I've been using nfs for all my network file sharing needs. And to have some sort of user and host authentication I set up a kerberos on my spinning rust nas. Which I now want to move onto this thing of course. And this is where the fun begins. Kerberos itself works all nicely, however after much fiddling about I found out that the openWRT guys omitted the needed svcgssd and gssd daemons from their nfs package. Without them, nfs cannot use kerberos.

I tried switching to samba, however that has its own can of problems in that something needed to use it with ext4 (acl?) seems to be missing from the kernel. It just doesn't work right. At all.
Setting up the build environment for openWRT is fairly straightforward:

git clone https://git.openwrt.org/openwrt/openwrt.git source
cd source
git checkout v22.03.3
make distclean
./scripts/feeds update -a
./scripts/feeds install -a

From here do
make menuconfig
and select your target system and profile, in my case that's Marvell Kirkwood and ZyXEL NSA325.
Then kick off make
make -j42

I will be using this build environment only to modify packages or compile new ones and transfer them onto the already running system individually.

If you are working on an individual package, say the nfs-kernel-server, you can build it directly using
make package/feeds/packages/nfs-kernel-server/{clean,compile} -j42

If you want to have output during the build process:
make package/feeds/packages/nfs-kernel-server/{clean,compile} -j1 V=sc
Now, to get gssd and svcgssd included with the nfs-kernel-server package you need to ...
.. edit feeds/packages/libs/libtirpc/Makefile:
@@ -24,18 +24,19 @@
CATEGORY:=Libraries
TITLE:=Library TI RPC for RPC bindings
URL:=http://libtirpc.sourceforge.net/
- DEPENDS:=+libpthread
+ DEPENDS:=+libpthread +krb5-libs
endef

-CONFIGURE_ARGS += --disable-gssapi
+CONFIGURE_ARGS += --enable-gssapi
HOST_CONFIGURE_ARGS += --disable-gssapi

ifeq ($(HOST_OS),Darwin)
HOST_CONFIGURE_ARGS += --disable-symvers
endif

-TARGET_CFLAGS += -DGQ
-HOST_CFLAGS += -DGQ
+
+TARGET_CFLAGS += -DGQ -I$(STAGING_DIR)/usr/include
+HOST_CFLAGS += -DGQ

define Package/libtirpc/install
$(INSTALL_DIR) $(1)/usr/lib
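Review bot: The DEPENDS line now adds +krb5-libs unconditionally, so every package that depends on libtirpc pulls in the Kerberos libraries and gets the GSS-API code paths from --enable-gssapi, whether or not it uses them. Consider gating both behind a config symbol or a separate build variant. The extra -I$(STAGING_DIR)/usr/include on TARGET_CFLAGS and the empty added line above it also need a comment or should be dropped if the default include path already finds the krb5 headers.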
as well as feeds/packages/net/nfs-kernel-server/Makefile:
@@ -40,7 +40,7 @@
define Package/nfs-kernel-server
$(call Package/nfs-kernel-server/Default)
TITLE:=Kernel NFS server support
- DEPENDS+= +kmod-fs-nfsd +kmod-fs-nfs +NFS_KERNEL_SERVER_V4:kmod-fs-nfs-v4 +rpcbind +NFS_KERNEL_SERVER_V4:nfs-utils-libs +NFS_KERNEL_SERVER_V4:libkeyutils +NFS_KERNEL_SERVER_V4:libdevmapper
+ DEPENDS+= +kmod-fs-nfsd +kmod-fs-nfs +NFS_KERNEL_SERVER_V4:kmod-fs-nfs-v4 +rpcbind +NFS_KERNEL_SERVER_V4:nfs-utils-libs +NFS_KERNEL_SERVER_V4:libkeyutils +NFS_KERNEL_SERVER_V4:libdevmapper +NFS_KERNEL_SERVER_V4:libevent2-core
USERID:=nfs:nfs
endef

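Review bot: The only dependency added on the DEPENDS line is +NFS_KERNEL_SERVER_V4:libevent2-core, yet a later hunk configures this package with --enable-gss and --with-krb5=$(STAGING_DIR)/usr. krb5-libs then only arrives indirectly through the modified libtirpc; declare it here as well so the package's dependency list matches what its binaries link against.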
@@ -104,12 +104,14 @@

CONFIGURE_ARGS += \
--disable-caps \
- --disable-gss \
+ --enable-gss \
+ --enable-svcgss \
--disable-nfsdcld \
--disable-nfsdcltrack \
--enable-shared \
--enable-static \
--with-rpcgen=internal \
+ --with-krb5=$(STAGING_DIR)/usr \
$(if $(CONFIG_NFS_KERNEL_SERVER_V4),--enable,--disable)-nfsv4 \
$(if $(CONFIG_NFS_KERNEL_SERVER_V4),--enable,--disable)-nfsv41

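Review bot: --enable-gss, --enable-svcgss and --with-krb5 are set unconditionally in CONFIGURE_ARGS, while the nfsv4 and nfsv41 flags at the end of the same list are driven by CONFIG_NFS_KERNEL_SERVER_V4. A build without that symbol would still compile the GSS daemons and need the Kerberos headers. Tie the three flags to a config symbol with the same $(if ...) pattern so the default build is unchanged.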
@@ -136,10 +138,10 @@

HOST_CONFIGURE_ARGS += \
--disable-gss \
- --disable-nfsv4 \
- --disable-nfsv41 \
+ --enable-nfsv4 \
+ --enable-nfsv41 \
--without-tcp-wrappers \
- --with-rpcgen=internal
+ --with-rpcgen=internal

HOST_CONFIGURE_VARS += \
ac_cv_lib_event_event_dispatch=yes \
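Review bot: In HOST_CONFIGURE_ARGS the host build is switched to --enable-nfsv4 and --enable-nfsv41 while --disable-gss stays, and the patch gives no reason why the host side needs NFSv4; the context lines of the next hunk show the host build only supplying rpcgen. Explain the need in a comment or drop the change. The --with-rpcgen=internal line is removed and re-added with no visible difference, which looks like a whitespace-only edit that should be left out of the patch.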
@@ -165,6 +167,11 @@
$(INSTALL_DIR) $(STAGING_DIR_HOSTPKG)/bin
$(INSTALL_BIN) $(HOST_BUILD_DIR)/tools/rpcgen/rpcgen $(STAGING_DIR_HOSTPKG)/bin/rpcgen
endef
+#
+# define Build/Compile
+# $(call Build/Compile/Default)
+# $(PKG_BUILD_DIR)/utils/gssd/svcgssd
+# endef

define Package/nfs-kernel-server/install
$(INSTALL_DIR) $(1)/etc/init.d $(1)/usr/sbin
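Review bot: The added lines are a commented-out define Build/Compile whose body, if enabled, would name $(PKG_BUILD_DIR)/utils/gssd/svcgssd as a recipe line, that is, try to run a target binary on the build host. As committed it is dead code; remove it, or if svcgssd really needs an extra build step, write that step as a working rule with a comment on why the default compile does not produce the binary.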
@@ -174,6 +181,8 @@
$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/statd/statd $(1)/usr/sbin/rpc.statd
$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/nfsd/nfsd $(1)/usr/sbin/rpc.nfsd
$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/mountd/mountd $(1)/usr/sbin/rpc.mountd
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/gssd/gssd $(1)/usr/sbin/rpc.gssd
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/gssd/.libs/svcgssd $(1)/usr/sbin/rpc.svcgssd
$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/exportfs/exportfs $(1)/usr/sbin/
endef
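Review bot: The two added install lines take their binaries from different places, rpc.gssd from utils/gssd/gssd and rpc.svcgssd from utils/gssd/.libs/svcgssd. In a libtool build the real executable can sit under .libs with only a wrapper script at the outer path, so check both source files with file before packaging and install each from the location that holds the actual ELF binary. The patch also adds no init scripts for the two new daemons, so the package alone will not start them.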
In make menuconfig you also need to enable:

Libraries ->
libevent2-core [M]
Database -> libsqlite3 [M]

Filesystem ->
nfs-kernel-server [M]

krb5-client [M]
krb5-libs [M]
krb5-server [M]
krb5-server-extras [M]
Hit make, transfer the needed packages over from staging_dir/packages/kirkwood to your device:
libtirpc_1.3.2-1_arm_xscale.ipk
nfs-utils-libs_2.5.4-4_arm_xscale.ipk
nfs-kernel-server_2.5.4-4_arm_xscale.ipk
libevent2-core7_2.1.12-1_arm_xscale.ipk

And install them using a forced reinstall.
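A pre-install sanity check for the rebuilt package, as an added example that is not part of the original post: it confirms that the listed daemons are present in the .ipk payload and are ELF executables rather than scripts. It assumes OpenWrt's .ipk layout (a gzip-compressed tar that contains data.tar.gz); the function name is made up for the example.

```sh
#!/bin/sh
# Added example: sanity-check a rebuilt OpenWrt .ipk before installing it.
# Assumption: the .ipk is a gzip-compressed tar that contains data.tar.gz.

# ipk_check_elf IPK PATH...
# Returns 0 if every PATH is in the package payload and starts with the ELF
# magic. Prints one line per problem and returns 1 otherwise (2: bad archive).
ipk_check_elf() {
    ipk=$1; shift
    work=$(mktemp -d) || return 2
    if ! tar -xzf "$ipk" -C "$work" 2>/dev/null || [ ! -f "$work/data.tar.gz" ]; then
        echo "not an OpenWrt ipk: $ipk"
        rm -rf "$work"
        return 2
    fi
    mkdir "$work/root"
    tar -xzf "$work/data.tar.gz" -C "$work/root"
    rc=0
    for path in "$@"; do
        f="$work/root/${path#/}"
        if [ ! -f "$f" ]; then
            echo "missing: $path"; rc=1
        # the first four bytes of an ELF file are 0x7f 'E' 'L' 'F'
        elif [ "$(head -c 4 "$f" | od -An -c | tr -d ' \n')" != '177ELF' ]; then
            echo "not ELF: $path"; rc=1
        fi
    done
    rm -rf "$work"
    return $rc
}

# Usage: sh ipk_check.sh nfs-kernel-server_2.5.4-4_arm_xscale.ipk \
#            /usr/sbin/rpc.gssd /usr/sbin/rpc.svcgssd
if [ $# -ge 2 ]; then
    ipk_check_elf "$@"
fi
```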
And here are the two needed init scripts. Make sure to enable them.

/etc/init.d/rpc.gssd
--------------------------------------------------------------------------------
#!/bin/sh /etc/rc.common

# the enabled init scripts are sorted alphabetically, so 990 starts after 99
START=990
STOP=59

USE_PROCD=1

# /var is a symlink to /tmp on openWRT
PIPEFS_D=/tmp/lib/nfs/rpc_pipefs

start_service() {
    # rpc.gssd talks to the kernel through rpc_pipefs, so mount it first
    mkdir -p "$PIPEFS_D"
    grep -q "$PIPEFS_D" /proc/mounts || \
        mount -t rpc_pipefs rpc_pipefs "$PIPEFS_D"

    # -f keeps the daemon in the foreground so procd can supervise it
    procd_open_instance
    procd_set_param command /usr/sbin/rpc.gssd -f -p "$PIPEFS_D"
    procd_close_instance
}

service_stopped() {
    # unmount rpc_pipefs once the daemon is gone
    grep -q "$PIPEFS_D" /proc/mounts && \
        umount "$PIPEFS_D"
}

/etc/init.d/rpc.svcgssd
--------------------------------------------------------------------------------
#!/bin/sh /etc/rc.common

# the enabled init scripts are sorted alphabetically, so 990 starts after 99
START=990
STOP=59

USE_PROCD=1

start_service() {
    # -f keeps the daemon in the foreground so procd can supervise it
    procd_open_instance
    procd_set_param command /usr/sbin/rpc.svcgssd -f
    procd_close_instance
}
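With both daemons running, the export table still decides whether Kerberos is actually required: per exports(5), a client entry without a sec= option defaults to sec=sys, where the server trusts the UID the client sends. The check below goes beyond the post and is an added example, not the author's code; the function names and sample paths are made up, and it assumes one export per line without quoted paths or line continuations.

```sh
#!/bin/sh
# Added example: flag NFS exports that can be mounted without Kerberos.
# Assumes one export per line, no quoted paths, no "\" continuations.

# audit_exports FILE   (FILE may be "-" for stdin)
# Prints "<path> <client> allows sec=<flavor>" for every client entry that
# accepts a non-Kerberos flavor; returns 1 if any were found, else 0.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }             # skip blank lines and comments
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"    # "(opts)" alone matches any host
            sec = "sys"                       # exports(5) default flavor
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            m = split(sec, flavor, ":")       # sec= takes a colon-separated list
            for (j = 1; j <= m; j++)
                if (flavor[j] !~ /^krb5[ip]?$/) {
                    print $1, client, "allows sec=" flavor[j]
                    bad = 1
                }
        }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample export table, not taken from the post
sample_exports() {
    cat <<'EOF'
# <path>      <client>(<options>)
/srv/media    *.lan(rw,sec=krb5p,no_subtree_check)
/srv/backup   nas-client.lan(rw,sec=krb5:sys) 10.0.0.0/24(ro)
/srv/pub      (ro,all_squash)
EOF
}

# Usage: sh audit_exports.sh /etc/exports
if [ $# -ge 1 ]; then
    audit_exports "$1"
fi
```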
So what do we learn from all of this? openWRT is a router OS. Use Debian instead
Alright. So I wasn't able to write to my kerberized nfsv4 share. Guess why? Because even more things weren't included in openWRT's build of nfs. With nfsv4 and kerberos, no_all_squash has no effect, there is always some user ID mapping going on with the help of libnfsidmap and the rpc.idmapd daemon. After including those in the package, I'm now stuck here ..
openwrt_nfs_with_kerberos.tar.gz
5.6 KB
Here are the modified Makefiles and the needed init scripts. Except it doesn't work because of that bad binary.
Okay, I have given up on openWRT (as you probably guessed already). Time to install Gentoo Debian

There is a ready made rootfs and kernel available here:
https://forum.doozan.com/read.php?2,12096
Which includes a patch set that provides device trees for various NAS devices as well as the odd code patch needed to get things going on this or that device. This is being maintained by Tony Dinh (bodhi).

However, I'll build my own kernel.

Since I already have a working openWRT system, I'll build from there.
In the openWRT build environment, I do:
make menuconfig

Administration ->
[M] debian-archive-keyring
[M] debootstrap
Utilities ->
Encryption ->
[M] gpgv
That should pull in those dependencies:
Development ->
[M] ar
Utilities ->
Compression ->
[M] xz-utils
[M] coreutils ->
[M] coreutils-chroot
[M] coreutils-sha1sum
gpgv should be a requirement and pulled in automatically, but it isn't. openWRT things.

I also enabled:
Utilities ->
Compression ->
[M] bzip2
[M] gzip

Hit make -j$((2*$(nproc))). The package files can then be found in build_dir/target-arm_xscale_musl_eabi/openwrt-imagebuilder-kirkwood.Linux-x86_64/packages:

scp debian-archive-keyring* xz* liblzma* base-files* libbfd* ar* coreutils* debootstrap* libbz2* bzip2* gzip* libexpat* libarchive* libdevmapper* libreadline* gpgv* root@mininas:/root

and then just do an
opkg install *ipk
I left space on my SSD (had a hunch I gonna need it). While formatting make sure you disable lazy initialization (I heard it can throw off uboot):

mkfs.ext4 -E lazy_itable_init=0 -L rootfs /dev/sda2

The Marvell 88F6282 SoC in this NAS has an ARMv5TE CPU core. Debian still supports 5T with its ARM EABI (armel) port.

Mount the new file system somewhere
mkdir /mnt/rootfs
mount /dev/sda2 /mnt/rootfs
And kick off the bootstrap
debootstrap --verbose --arch armel bullseye /mnt/rootfs/ http://ftp.de.debian.org/debian
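The mirror above is plain http, so the gpgv check of the signed Release file against debian-archive-keyring is the only integrity protection this bootstrap has. The wrapper below is an added example, not part of the original post: it refuses to start unless gpgv and the keyring are present, and passes debootstrap's --keyring and --force-check-gpg options. The keyring path, the DRY_RUN switch and the function names are assumptions of the example.

```sh
#!/bin/sh
# Added example: refuse to bootstrap unless the Release signature can be checked.
# Assumptions: keyring path as installed by debian-archive-keyring; DRY_RUN and
# the function names are made up for this example.
KEYRING=${KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}
GPGV=${GPGV:-gpgv}

# bootstrap_preflight -> 0 if both verification prerequisites are present
bootstrap_preflight() {
    ok=0
    command -v "$GPGV" >/dev/null 2>&1 || { echo "gpgv not installed" >&2; ok=1; }
    [ -s "$KEYRING" ] || { echo "keyring missing or empty: $KEYRING" >&2; ok=1; }
    return $ok
}

# verified_bootstrap TARGET_DIR
# --keyring pins the trust anchor; --force-check-gpg makes debootstrap abort
# instead of continuing unverified when it cannot check the signature.
verified_bootstrap() {
    bootstrap_preflight || return 1
    ${DRY_RUN:+echo} debootstrap --verbose --arch armel \
        --keyring="$KEYRING" --force-check-gpg \
        bullseye "$1" http://ftp.de.debian.org/debian
}

# Usage: sh verified_bootstrap.sh /mnt/rootfs/
if [ $# -ge 1 ]; then
    verified_bootstrap "$1"
fi
```

Set DRY_RUN=1 to print the debootstrap command line instead of running it.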


You don't need to bootstrap from within an ARM system. You could also crossbootstrap, when you mount the partition with a PC. See https://wiki.debian.org/EmDebian/CrossDebootstrap

Now, enter the chroot environment:
mount -t proc none /mnt/rootfs/proc/
mount -o bind /dev /mnt/rootfs/dev
mount -t devpts devpts /mnt/rootfs/dev/pts

chroot /mnt/rootfs /bin/bash --login

Set your locale, install your needed goodies, set the root password, install ssh and enable root login.

apt install locales
dpkg-reconfigure locales

apt install vim zsh screen
apt install ssh

vim /etc/ssh/sshd_config:
PermitRootLogin yes

passwd
systemctl enable ssh

You can exit the chroot by hitting CTRL+D or with exit
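A key-only variant of the root login step, as an added example that is not part of the original post: run from outside the chroot, it installs one public key for root and writes an sshd drop-in that limits root to key authentication. It assumes Debian bullseye's stock sshd_config, which includes /etc/ssh/sshd_config.d/*.conf at the top; the function and drop-in file names are made up.

```sh
#!/bin/sh
# Added example: give the new rootfs key-only root SSH access.
# Assumptions: Debian bullseye's stock sshd_config, which Includes
# /etc/ssh/sshd_config.d/*.conf at the top; the drop-in name is made up.

# install_root_key ROOTFS PUBKEY_FILE   (run from outside the chroot, as root)
install_root_key() {
    rootfs=$1 pubkey=$2
    # accept only a file holding a single OpenSSH public key line
    if [ "$(wc -l < "$pubkey")" -ne 1 ] || ! grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+( .*)?$' "$pubkey"
    then
        echo "not a single OpenSSH public key: $pubkey" >&2
        return 1
    fi
    mkdir -p "$rootfs/root/.ssh" "$rootfs/etc/ssh/sshd_config.d"
    chmod 700 "$rootfs/root/.ssh"
    keys="$rootfs/root/.ssh/authorized_keys"
    touch "$keys" && chmod 600 "$keys"
    # append the key only once, so re-running is harmless
    grep -qxF -f "$pubkey" "$keys" || cat "$pubkey" >> "$keys"
    # sshd keeps the first value it reads for a keyword, so this drop-in
    # takes precedence over a later "PermitRootLogin yes" in sshd_config
    cat > "$rootfs/etc/ssh/sshd_config.d/10-root-key-only.conf" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
EOF
}

# Usage: sh root_key.sh /mnt/rootfs ~/.ssh/id_ed25519.pub
if [ $# -ge 2 ]; then
    install_root_key "$1" "$2"
fi
```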
boot strap goes brr
I promise once that's done I'll go back to electronics and fixing stuff
Now, we need a kernel. On a Debian/Ubuntu PC do
apt install fakeroot git kernel-wedge quilt ccache flex bison libssl-dev dh-exec rsync libelf-dev bc crossbuild-essential-armel

Fetch the kernel sources:
wget https://deb.debian.org/debian/pool/main/l/linux/linux_6.1.12.orig.tar.xz
tar xf linux_6.1.12.orig.tar.xz
cd linux-6.1.12
The vanilla kernel sources have the ability to spit out .deb files.

Place my files in your work folder. (See below)

Someone removed the nvidia framebuffer devices but forgot to also remove them from the Kconfig and Makefile. This patch I wrote fixes that.
patch -p1 < ../linux-6.1.12-fbdev.patch

Apply bodhi's patch. It has the necessary device tree files, as well as changes to some code. Looks safe to me.
patch -p1 < ../linux-6.1.7-kirkwood-tld-1.patch

And migrate the old config. You'll be prompted only for new configuration options
cp ../config-6.1.7--tld-1 .config
make ARCH=arm oldconfig

For me, a particular device driver was broken, that I had to disable:
make ARCH=arm menuconfig
Device Drivers ->
Multimedia support ->
Media drivers ->
Media USB Adapters ->
[ ] Afatech AF9005 DVB-T USB1.1 support

scripts/config --disable SYSTEM_TRUSTED_KEYS
scripts/config --disable SYSTEM_REVOCATION_KEYS

Disable debugging
scripts/config --disable DEBUG_INFO
scripts/config --enable DEBUG_INFO_NONE

And finally kick off the compilation process
make ARCH=arm CROSS_COMPILE=/usr/bin/arm-linux-gnueabi- -j$((2*$(nproc))) deb-pkg

For some reason, my Ubuntu host decided to compress the .deb contents using zstd, which the dpkg of my Debian installation doesn't support. Even setting DPKG_FLAGS=-Zgzip didn't help.

If that happens to you, run my repackage.sh script on the .deb files.

Note: the config file contains a huge amount of unnecessary bloat. So if you feel like you have the patience, go ahead and trim it down. Then send me your config please.
And I mean, huge amount of bloat:
% grep -i 3dfx .config 
CONFIG_FB_3DFX=m
# CONFIG_FB_3DFX_ACCEL is not set
CONFIG_FB_3DFX_I2C=y

Good to know, my ARM box supports framebuffer devices on 3dfx cards. That will come in handy.