[v2,0/4] nfs-utils changes for RPC-with-TLS

Message ID 168009806320.2522.10415374334827613451.stgit@manet.1015granger.net

Message

Chuck Lever March 29, 2023, 2:08 p.m. UTC
Hi Steve-

This is client- and server-side nfs-utils support for RPC-with-TLS.
The client side support at this point is only a man page update
since the kernel handles mount option processing itself.

The server implementation can support both the opportunistic use of
transport layer security (it will be used if the client cares to),
and the required use of transport layer security (the server
requires the client to use it to access a particular export).

Without any other user space componentry, this implementation is
able to handle clients that request the use of RPC-with-TLS. To
support security policies that restrict access to exports based on
the client's use of TLS, modifications to exportfs and mountd are
needed. These are contained in this post, and can also be found
here:

git://git.linux-nfs.org/projects/cel/nfs-utils.git

The kernel patches, along with the handshake upcall, are carried in
the topic-rpc-with-tls-upcall branch available from:

https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git

Soon I hope to compose a new man page in Section 7 that will provide
an overview and quick set-up guidance for NFS's use of RPC-with-TLS.


Changes since v1:
- Addressed Jeff's review comments
- Updated nfs.man as well

---

Chuck Lever (4):
      libexports: Fix whitespace damage in support/nfs/exports.c
      exports: Add an xprtsec= export option
      exports(5): Describe the xprtsec= export option
      nfs(5): Document the new "xprtsec=" mount option


 support/export/cache.c       |  15 ++++++
 support/include/nfs/export.h |  14 +++++
 support/include/nfslib.h     |  14 +++++
 support/nfs/exports.c        | 100 ++++++++++++++++++++++++++++++++---
 utils/exportfs/exportfs.c    |   1 +
 utils/exportfs/exports.man   |  51 +++++++++++++++++-
 utils/mount/nfs.man          |  34 +++++++++++-
 7 files changed, 219 insertions(+), 10 deletions(-)

--
Chuck Lever

Comments

Steve Dickson April 5, 2023, 4:40 p.m. UTC | #1
Hey Chuck,

On 3/29/23 10:08 AM, Chuck Lever wrote:
> Hi Steve-
> 
> This is client- and server-side nfs-utils support for RPC-with-TLS.
> The client side support at this point is only a man page update
> since the kernel handles mount option processing itself.
> 
> The server implementation can support both the opportunistic use of
> transport layer security (it will be used if the client cares to),
> and the required use of transport layer security (the server
> requires the client to use it to access a particular export).
> 
> Without any other user space componentry, this implementation is
> able to handle clients that request the use of RPC-with-TLS. To
> support security policies that restrict access to exports based on
> the client's use of TLS, modifications to exportfs and mountd are
> needed. These are contained in this post, and can also be found
> here:
> 
> git://git.linux-nfs.org/projects/cel/nfs-utils.git
> 
> The kernel patches, along with the handshake upcall, are carried in
> the topic-rpc-with-tls-upcall branch available from:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git

Just wondering if these patches should wait until the kernel
patches reach mainline (aka rawhide)?

steved.

> 
> Soon I hope to compose a new man page in Section 7 that will provide
> an overview and quick set-up guidance for NFS's use of RPC-with-TLS.
> 
> 
> Changes since v1:
> - Addressed Jeff's review comments
> - Updated nfs.man as well
> 
> ---
> 
> Chuck Lever (4):
>        libexports: Fix whitespace damage in support/nfs/exports.c
>        exports: Add an xprtsec= export option
>        exports(5): Describe the xprtsec= export option
>        nfs(5): Document the new "xprtsec=" mount option
> 
> 
>   support/export/cache.c       |  15 ++++++
>   support/include/nfs/export.h |  14 +++++
>   support/include/nfslib.h     |  14 +++++
>   support/nfs/exports.c        | 100 ++++++++++++++++++++++++++++++++---
>   utils/exportfs/exportfs.c    |   1 +
>   utils/exportfs/exports.man   |  51 +++++++++++++++++-
>   utils/mount/nfs.man          |  34 +++++++++++-
>   7 files changed, 219 insertions(+), 10 deletions(-)
> 
> --
> Chuck Lever
>
Chuck Lever III April 5, 2023, 4:45 p.m. UTC | #2
> On Apr 5, 2023, at 12:40 PM, Steve Dickson <steved@redhat.com> wrote:
> 
> Hey Chuck,
> 
> On 3/29/23 10:08 AM, Chuck Lever wrote:
>> Hi Steve-
>> This is client- and server-side nfs-utils support for RPC-with-TLS.
>> The client side support at this point is only a man page update
>> since the kernel handles mount option processing itself.
>> The server implementation can support both the opportunistic use of
>> transport layer security (it will be used if the client cares to),
>> and the required use of transport layer security (the server
>> requires the client to use it to access a particular export).
>> Without any other user space componentry, this implementation is
>> able to handle clients that request the use of RPC-with-TLS. To
>> support security policies that restrict access to exports based on
>> the client's use of TLS, modifications to exportfs and mountd are
>> needed. These are contained in this post, and can also be found
>> here:
>> git://git.linux-nfs.org/projects/cel/nfs-utils.git
>> The kernel patches, along with the handshake upcall, are carried in
>> the topic-rpc-with-tls-upcall branch available from:
>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
> 
> Just wondering if these patches should wait until the kernel
> patches reach mainline (aka rawhide)?

The kernel changes do not require these; they add more
features. Thus I don't think it's harmful to let them
wait for the kernel patches.

For testing, Jeff has set up a Fedora COPR with these,
the ktls-utils package, and an updated kernel.

What could be checked now is whether these nfs-utils
changes will break something on pre-TLS kernels.


> steved.
> 
>> Soon I hope to compose a new man page in Section 7 that will provide
>> an overview and quick set-up guidance for NFS's use of RPC-with-TLS.
>> Changes since v1:
>> - Addressed Jeff's review comments
>> - Updated nfs.man as well
>> ---
>> Chuck Lever (4):
>>       libexports: Fix whitespace damage in support/nfs/exports.c
>>       exports: Add an xprtsec= export option
>>       exports(5): Describe the xprtsec= export option
>>       nfs(5): Document the new "xprtsec=" mount option
>>  support/export/cache.c       |  15 ++++++
>>  support/include/nfs/export.h |  14 +++++
>>  support/include/nfslib.h     |  14 +++++
>>  support/nfs/exports.c        | 100 ++++++++++++++++++++++++++++++++---
>>  utils/exportfs/exportfs.c    |   1 +
>>  utils/exportfs/exports.man   |  51 +++++++++++++++++-
>>  utils/mount/nfs.man          |  34 +++++++++++-
>>  7 files changed, 219 insertions(+), 10 deletions(-)
>> --
>> Chuck Lever


--
Chuck Lever
Steve Dickson April 5, 2023, 8:09 p.m. UTC | #3
On 4/5/23 12:45 PM, Chuck Lever III wrote:
> 
> 
>> On Apr 5, 2023, at 12:40 PM, Steve Dickson <steved@redhat.com> wrote:
>>
>> Hey Chuck,
>>
>> On 3/29/23 10:08 AM, Chuck Lever wrote:
>>> Hi Steve-
>>> This is client- and server-side nfs-utils support for RPC-with-TLS.
>>> The client side support at this point is only a man page update
>>> since the kernel handles mount option processing itself.
>>> The server implementation can support both the opportunistic use of
>>> transport layer security (it will be used if the client cares to),
>>> and the required use of transport layer security (the server
>>> requires the client to use it to access a particular export).
>>> Without any other user space componentry, this implementation is
>>> able to handle clients that request the use of RPC-with-TLS. To
>>> support security policies that restrict access to exports based on
>>> the client's use of TLS, modifications to exportfs and mountd are
>>> needed. These are contained in this post, and can also be found
>>> here:
>>> git://git.linux-nfs.org/projects/cel/nfs-utils.git
>>> The kernel patches, along with the handshake upcall, are carried in
>>> the topic-rpc-with-tls-upcall branch available from:
>>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
>>
>> Just wondering if these patches should wait until the kernel
>> patches reach mainline (aka rawhide)?
> 
> The kernel changes do not require these; they add more
> features. Thus I don't think it's harmful to let them
> wait for the kernel patches.
> 
> For testing, Jeff has set up a Fedora COPR with these,
> the ktls-utils package, and an updated kernel.
> 
> What could be checked now is whether these nfs-utils
> changes will break something on pre-TLS kernels.
Fair enough... I'll have a release ready for the
upcoming Bakeathon...

steved.
> 
> 
>> steved.
>>
>>> Soon I hope to compose a new man page in Section 7 that will provide
>>> an overview and quick set-up guidance for NFS's use of RPC-with-TLS.
>>> Changes since v1:
>>> - Addressed Jeff's review comments
>>> - Updated nfs.man as well
>>> ---
>>> Chuck Lever (4):
>>>        libexports: Fix whitespace damage in support/nfs/exports.c
>>>        exports: Add an xprtsec= export option
>>>        exports(5): Describe the xprtsec= export option
>>>        nfs(5): Document the new "xprtsec=" mount option
>>>   support/export/cache.c       |  15 ++++++
>>>   support/include/nfs/export.h |  14 +++++
>>>   support/include/nfslib.h     |  14 +++++
>>>   support/nfs/exports.c        | 100 ++++++++++++++++++++++++++++++++---
>>>   utils/exportfs/exportfs.c    |   1 +
>>>   utils/exportfs/exports.man   |  51 +++++++++++++++++-
>>>   utils/mount/nfs.man          |  34 +++++++++++-
>>>   7 files changed, 219 insertions(+), 10 deletions(-)
>>> --
>>> Chuck Lever
> 
> 
> --
> Chuck Lever
> 
>
Steve Dickson April 15, 2023, 5:57 p.m. UTC | #4
On 3/29/23 10:08 AM, Chuck Lever wrote:
> Hi Steve-
> 
> This is client- and server-side nfs-utils support for RPC-with-TLS.
> The client side support at this point is only a man page update
> since the kernel handles mount option processing itself.
> 
> The server implementation can support both the opportunistic use of
> transport layer security (it will be used if the client cares to),
> and the required use of transport layer security (the server
> requires the client to use it to access a particular export).
> 
> Without any other user space componentry, this implementation is
> able to handle clients that request the use of RPC-with-TLS. To
> support security policies that restrict access to exports based on
> the client's use of TLS, modifications to exportfs and mountd are
> needed. These are contained in this post, and can also be found
> here:
> 
> git://git.linux-nfs.org/projects/cel/nfs-utils.git
> 
> The kernel patches, along with the handshake upcall, are carried in
> the topic-rpc-with-tls-upcall branch available from:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
> 
> Soon I hope to compose a new man page in Section 7 that will provide
> an overview and quick set-up guidance for NFS's use of RPC-with-TLS.
> 
> 
> Changes since v1:
> - Addressed Jeff's review comments
> - Updated nfs.man as well
> 
> ---
> 
> Chuck Lever (4):
>        libexports: Fix whitespace damage in support/nfs/exports.c
>        exports: Add an xprtsec= export option
>        exports(5): Describe the xprtsec= export option
>        nfs(5): Document the new "xprtsec=" mount option
Committed... (tag: nfs-utils-2-6-3-rc8)

Thank you for this work!!!

steved.
> 
> 
>   support/export/cache.c       |  15 ++++++
>   support/include/nfs/export.h |  14 +++++
>   support/include/nfslib.h     |  14 +++++
>   support/nfs/exports.c        | 100 ++++++++++++++++++++++++++++++++---
>   utils/exportfs/exportfs.c    |   1 +
>   utils/exportfs/exports.man   |  51 +++++++++++++++++-
>   utils/mount/nfs.man          |  34 +++++++++++-
>   7 files changed, 219 insertions(+), 10 deletions(-)
> 
> --
> Chuck Lever
>