Message ID | 20170720202422.14153-1-smayhew@redhat.com (mailing list archive) |
---|---|
State | New, archived |
On Thu, Jul 20 2017, Scott Mayhew wrote: > We've had several users complain about gssd automatically starting. Not > everyone who has a krb5.keytab want to use secure NFS; the instructions > for disabling gssd ought to be on the man page in addition to the README > (which may not even be included in a distro's nfs-utils package). > > Signed-off-by: Scott Mayhew <smayhew@redhat.com> > --- > systemd/nfs.systemd.man | 17 ++++++++++++++++- > 1 file changed, 16 insertions(+), 1 deletion(-) > > diff --git a/systemd/nfs.systemd.man b/systemd/nfs.systemd.man > index 01801eb..7675320 100644 > --- a/systemd/nfs.systemd.man > +++ b/systemd/nfs.systemd.man > @@ -79,11 +79,26 @@ unit should be enabled. > Several other units which might be considered to be optional, such as > .I rpc-gssd.service > are careful to only start if the required configuration file exists. > -.I rpc-gsdd.service > +.I rpc-gssd.service > will not start if the > .I krb5.keytab > file does not exist (typically in > .IR /etc ). > +.B rpc.gssd > +is assumed to be needed if the > +.I krb5.keytab > +file is present. If a site needs this file present but does not want > +.B rpc.gssd > +running, it should create > +.B /etc/systemd/system/rpc-gssd.service.d/01-disable.conf A substantially simpler approach would be to recommend systemctl mask rpc-gssd.service "mask" is also useful for disabling rpcbind if you use NFSv4 only and don't want the extra service. NeilBrown > +containing > +.RS > +.nf > +[Unit] > +ConditionNull=false > +.fi > +.RE > + > .SS Restarting NFS services > Most NFS daemons can be restarted at any time. They will reload any > state that they need, and continue servicing requests. This is rarely > -- > 2.9.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sat, 22 Jul 2017, NeilBrown wrote: > On Thu, Jul 20 2017, Scott Mayhew wrote: > > > We've had several users complain about gssd automatically starting. Not > > everyone who has a krb5.keytab want to use secure NFS; the instructions > > for disabling gssd ought to be on the man page in addition to the README > > (which may not even be included in a distro's nfs-utils package). > > > > Signed-off-by: Scott Mayhew <smayhew@redhat.com> > > --- > > systemd/nfs.systemd.man | 17 ++++++++++++++++- > > 1 file changed, 16 insertions(+), 1 deletion(-) > > > > diff --git a/systemd/nfs.systemd.man b/systemd/nfs.systemd.man > > index 01801eb..7675320 100644 > > --- a/systemd/nfs.systemd.man > > +++ b/systemd/nfs.systemd.man 
> > @@ -79,11 +79,26 @@ unit should be enabled. > > Several other units which might be considered to be optional, such as > > .I rpc-gssd.service > > are careful to only start if the required configuration file exists. > > -.I rpc-gsdd.service > > +.I rpc-gssd.service > > will not start if the > > .I krb5.keytab > > file does not exist (typically in > > .IR /etc ). > > +.B rpc.gssd > > +is assumed to be needed if the > > +.I krb5.keytab > > +file is present. If a site needs this file present but does not want > > +.B rpc.gssd > > +running, it should create > > +.B /etc/systemd/system/rpc-gssd.service.d/01-disable.conf > > A substantially simpler approach would be to recommend > > systemctl mask rpc-gssd.service Thanks, Neil. I had actually tried that a while back, but it doesn't seem to work in RHEL. It works fine for rpcbind, so I thought that maybe the Condition clause in the unit file took precedence over masking or something. I see now that masking rpc-gssd works in Fedora, so I'll go digging in systemd to see if there's a bug fix that might need to be backported to RHEL. Anyways, any objection to listing both methods in the man page? -Scott > > "mask" is also useful for disabling rpcbind if you use NFSv4 only and > don't want the extra service. > > NeilBrown > > > > +containing > > +.RS > > +.nf > > +[Unit] > > +ConditionNull=false > > +.fi > > +.RE > > + > > .SS Restarting NFS services > > Most NFS daemons can be restarted at any time. They will reload any > > state that they need, and continue servicing requests. This is rarely > > -- > > 2.9.4
On Sat, Jul 22 2017, Scott Mayhew wrote: > On Sat, 22 Jul 2017, NeilBrown wrote: > >> On Thu, Jul 20 2017, Scott Mayhew wrote: >> >> > We've had several users complain about gssd automatically starting. Not >> > everyone who has a krb5.keytab want to use secure NFS; the instructions >> > for disabling gssd ought to be on the man page in addition to the README >> > (which may not even be included in a distro's nfs-utils package). >> > >> > Signed-off-by: Scott Mayhew <smayhew@redhat.com> >> > --- >> > systemd/nfs.systemd.man | 17 ++++++++++++++++- >> > 1 file changed, 16 insertions(+), 1 deletion(-) >> > >> > diff --git a/systemd/nfs.systemd.man b/systemd/nfs.systemd.man >> > index 01801eb..7675320 100644 >> > --- a/systemd/nfs.systemd.man >> > +++ b/systemd/nfs.systemd.man 
>> > @@ -79,11 +79,26 @@ unit should be enabled. >> > Several other units which might be considered to be optional, such as >> > .I rpc-gssd.service >> > are careful to only start if the required configuration file exists. >> > -.I rpc-gsdd.service >> > +.I rpc-gssd.service >> > will not start if the >> > .I krb5.keytab >> > file does not exist (typically in >> > .IR /etc ). >> > +.B rpc.gssd >> > +is assumed to be needed if the >> > +.I krb5.keytab >> > +file is present. If a site needs this file present but does not want >> > +.B rpc.gssd >> > +running, it should create >> > +.B /etc/systemd/system/rpc-gssd.service.d/01-disable.conf >> >> A substantially simpler approach would be to recommend >> >> systemctl mask rpc-gssd.service > > Thanks, Neil. I had actually tried that a while back, but it doesn't seem > to work in RHEL. It works fine for rpcbind, so I thought that maybe the > Condition clause in the unit file took precedence over masking or > something. I see now that masking rpc-gssd works in Fedora, so I'll go > digging in systemd to see if there's a bug fix that might need to be > backported to RHEL. > > Anyways, any objection to listing both methods in the man page? It depends on why "mask" doesn't work in RHEL. If the reason is specific to RHEL, then I don't think it should be documented in upstream nfs-utils. If the reason is specific to some version(s) of systemd, then Maybe document it as "use using systemd prior to XXXX, do this instead". NeilBrown > > -Scott >> >> "mask" is also useful for disabling rpcbind if you use NFSv4 only and >> don't want the extra service. >> >> NeilBrown >> >> >> > +containing >> > +.RS >> > +.nf >> > +[Unit] >> > +ConditionNull=false >> > +.fi >> > +.RE >> > + >> > .SS Restarting NFS services >> > Most NFS daemons can be restarted at any time. They will reload any >> > state that they need, and continue servicing requests. 
This is rarely >> > -- >> > 2.9.4
On Sun, 23 Jul 2017, NeilBrown wrote: > On Sat, Jul 22 2017, Scott Mayhew wrote: > > > On Sat, 22 Jul 2017, NeilBrown wrote: > > > >> On Thu, Jul 20 2017, Scott Mayhew wrote: > >> > >> > We've had several users complain about gssd automatically starting. Not > >> > everyone who has a krb5.keytab want to use secure NFS; the instructions > >> > for disabling gssd ought to be on the man page in addition to the README > >> > (which may not even be included in a distro's nfs-utils package). > >> > > >> > Signed-off-by: Scott Mayhew <smayhew@redhat.com> > >> > --- > >> > systemd/nfs.systemd.man | 17 ++++++++++++++++- > >> > 1 file changed, 16 insertions(+), 1 deletion(-) > >> > > >> > diff --git a/systemd/nfs.systemd.man b/systemd/nfs.systemd.man > >> > index 01801eb..7675320 100644 > >> > --- a/systemd/nfs.systemd.man > >> > +++ b/systemd/nfs.systemd.man 
> >> > @@ -79,11 +79,26 @@ unit should be enabled. > >> > Several other units which might be considered to be optional, such as > >> > .I rpc-gssd.service > >> > are careful to only start if the required configuration file exists. > >> > -.I rpc-gsdd.service > >> > +.I rpc-gssd.service > >> > will not start if the > >> > .I krb5.keytab > >> > file does not exist (typically in > >> > .IR /etc ). > >> > +.B rpc.gssd > >> > +is assumed to be needed if the > >> > +.I krb5.keytab > >> > +file is present. If a site needs this file present but does not want > >> > +.B rpc.gssd > >> > +running, it should create > >> > +.B /etc/systemd/system/rpc-gssd.service.d/01-disable.conf > >> > >> A substantially simpler approach would be to recommend > >> > >> systemctl mask rpc-gssd.service > > > > Thanks, Neil. I had actually tried that a while back, but it doesn't seem > > to work in RHEL. It works fine for rpcbind, so I thought that maybe the > > Condition clause in the unit file took precedence over masking or > > something. I see now that masking rpc-gssd works in Fedora, so I'll go > > digging in systemd to see if there's a bug fix that might need to be > > backported to RHEL. > > > > Anyways, any objection to listing both methods in the man page? > > It depends on why "mask" doesn't work in RHEL. > If the reason is specific to RHEL, then I don't think it should be > documented in upstream nfs-utils. > If the reason is specific to some version(s) of systemd, then > Maybe document it as "use using systemd prior to XXXX, do this instead". It turns out that we have rpc-gssd.service symlinked to nfs-secure.service in both RHEL and Fedora for backward compatibility purposes, so it's necessary to mask both. I'll send a patch documenting masking just the rpc-gssd.service. -Scott > > NeilBrown > > > > > > -Scott > >> > >> "mask" is also useful for disabling rpcbind if you use NFSv4 only and > >> don't want the extra service. 
> >> > >> NeilBrown > >> > >> > >> > +containing > >> > +.RS > >> > +.nf > >> > +[Unit] > >> > +ConditionNull=false > >> > +.fi > >> > +.RE > >> > + > >> > .SS Restarting NFS services > >> > Most NFS daemons can be restarted at any time. They will reload any > >> > state that they need, and continue servicing requests. This is rarely > >> > -- > >> > 2.9.4
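The aliasing problem described in the message above, as an added example that is not part of the thread or of nfs-utils: a check that lists every name under which a unit is still unmasked. The function names, the directory arguments and the sample tree (including which of the two names is the real file) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report every name under which a unit can still be started.
# Assumptions: an alias is a *.service entry in the vendor directory that
# resolves to the same file as UNIT; a name counts as masked when the admin
# directory holds a symlink of that name pointing to /dev/null.

unmasked_aliases() {    # usage: unmasked_aliases UNIT VENDOR_DIR ADMIN_DIR
    unit=$1 vendor=$2 admin=$3
    [ -e "$vendor/$unit" ] || return 2          # unknown unit
    target=$(readlink -f "$vendor/$unit")
    for f in "$vendor"/*.service; do
        # Both names are resolved, so the direction of the symlink is irrelevant.
        [ "$(readlink -f "$f")" = "$target" ] || continue
        name=${f##*/}
        if [ "$(readlink "$admin/$name" 2>/dev/null)" != "/dev/null" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Constructed sample tree: rpc-gssd.service, a compatibility alias for it,
# and one unrelated unit. Prints the root of the tree.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/lib/systemd/system" "$root/etc/systemd/system"
    : > "$root/usr/lib/systemd/system/rpc-gssd.service"
    : > "$root/usr/lib/systemd/system/rpcbind.service"
    ln -s rpc-gssd.service "$root/usr/lib/systemd/system/nfs-secure.service"
    printf '%s\n' "$root"
}

r=$(make_sample_tree)
# The same link that `systemctl mask rpc-gssd.service` would create.
ln -s /dev/null "$r/etc/systemd/system/rpc-gssd.service"
echo "not masked: $(unmasked_aliases rpc-gssd.service \
    "$r/usr/lib/systemd/system" "$r/etc/systemd/system")"
rm -rf "$r"
```

Run against a real host, the two directory arguments would be the vendor unit directory and `/etc/systemd/system`; an empty result means no alias is left unmasked.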
On Tue, Jul 25 2017, Scott Mayhew wrote: > On Sun, 23 Jul 2017, NeilBrown wrote: > >> On Sat, Jul 22 2017, Scott Mayhew wrote: >> >> > On Sat, 22 Jul 2017, NeilBrown wrote: >> > >> >> On Thu, Jul 20 2017, Scott Mayhew wrote: >> >> >> >> > We've had several users complain about gssd automatically starting. Not >> >> > everyone who has a krb5.keytab want to use secure NFS; the instructions >> >> > for disabling gssd ought to be on the man page in addition to the README >> >> > (which may not even be included in a distro's nfs-utils package). >> >> > >> >> > Signed-off-by: Scott Mayhew <smayhew@redhat.com> >> >> > --- >> >> > systemd/nfs.systemd.man | 17 ++++++++++++++++- >> >> > 1 file changed, 16 insertions(+), 1 deletion(-) >> >> > >> >> > diff --git a/systemd/nfs.systemd.man b/systemd/nfs.systemd.man >> >> > index 01801eb..7675320 100644 >> >> > --- a/systemd/nfs.systemd.man >> >> > +++ b/systemd/nfs.systemd.man 
>> >> > @@ -79,11 +79,26 @@ unit should be enabled. >> >> > Several other units which might be considered to be optional, such as >> >> > .I rpc-gssd.service >> >> > are careful to only start if the required configuration file exists. >> >> > -.I rpc-gsdd.service >> >> > +.I rpc-gssd.service >> >> > will not start if the >> >> > .I krb5.keytab >> >> > file does not exist (typically in >> >> > .IR /etc ). >> >> > +.B rpc.gssd >> >> > +is assumed to be needed if the >> >> > +.I krb5.keytab >> >> > +file is present. If a site needs this file present but does not want >> >> > +.B rpc.gssd >> >> > +running, it should create >> >> > +.B /etc/systemd/system/rpc-gssd.service.d/01-disable.conf >> >> >> >> A substantially simpler approach would be to recommend >> >> >> >> systemctl mask rpc-gssd.service >> > >> > Thanks, Neil. I had actually tried that a while back, but it doesn't seem >> > to work in RHEL. It works fine for rpcbind, so I thought that maybe the >> > Condition clause in the unit file took precedence over masking or >> > something. I see now that masking rpc-gssd works in Fedora, so I'll go >> > digging in systemd to see if there's a bug fix that might need to be >> > backported to RHEL. >> > >> > Anyways, any objection to listing both methods in the man page? >> >> It depends on why "mask" doesn't work in RHEL. >> If the reason is specific to RHEL, then I don't think it should be >> documented in upstream nfs-utils. >> If the reason is specific to some version(s) of systemd, then >> Maybe document it as "use using systemd prior to XXXX, do this instead". > > It turns out that we have rpc-gssd.service symlinked to > nfs-secure.service in both RHEL and Fedora for backward compatibility > purposes, so it's necessary to mask both. That makes sense. I have a similar sort of hack (different specifics) in SUSE to try to provide back-compatibility. It also has problematic failure modes. 
systemd actually has a fairly robust "alias" mechanism that it uses internally, but it is only available for devices. Every "/dev/.." device unit declares that it "Follows" the corresponding "/sys/devices/..." device unit (which is "Followed-by" the dev units). I would have loved to have the infrastructure for creating compat aliases ... but it isn't available :-( > > I'll send a patch documenting masking just the rpc-gssd.service. Thanks, NeilBrown > > -Scott >> >> NeilBrown >> >> >> > >> > -Scott >> >> >> >> "mask" is also useful for disabling rpcbind if you use NFSv4 only and >> >> don't want the extra service. >> >> >> >> NeilBrown >> >> >> >> >> >> > +containing >> >> > +.RS >> >> > +.nf >> >> > +[Unit] >> >> > +ConditionNull=false >> >> > +.fi >> >> > +.RE >> >> > + >> >> > .SS Restarting NFS services >> >> > Most NFS daemons can be restarted at any time. They will reload any >> >> > state that they need, and continue servicing requests. This is rarely >> >> > -- >> >> > 2.9.4
diff --git a/systemd/nfs.systemd.man b/systemd/nfs.systemd.man index 01801eb..7675320 100644 --- a/systemd/nfs.systemd.man +++ b/systemd/nfs.systemd.man @@ -79,11 +79,26 @@ unit should be enabled. Several other units which might be considered to be optional, such as .I rpc-gssd.service are careful to only start if the required configuration file exists. -.I rpc-gsdd.service +.I rpc-gssd.service will not start if the .I krb5.keytab file does not exist (typically in .IR /etc ). +.B rpc.gssd +is assumed to be needed if the +.I krb5.keytab +file is present. If a site needs this file present but does not want +.B rpc.gssd +running, it should create +.B /etc/systemd/system/rpc-gssd.service.d/01-disable.conf +containing +.RS +.nf +[Unit] +ConditionNull=false +.fi +.RE + .SS Restarting NFS services Most NFS daemons can be restarted at any time. They will reload any state that they need, and continue servicing requests. This is rarely
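Review bot: The added paragraph gives the drop-in file name and its contents (`[Unit]`, `ConditionNull=false`) but never says why those two lines keep the service from starting; a reader who does not already know that a false ConditionNull makes the unit's start condition always fail has no way to tell the setting from a typo. One sentence after the `.RE` explaining that would close the gap. A smaller style point in the same paragraph: the drop-in path is set with `.B`, while the other file name in the hunk, krb5.keytab, uses `.I`; using `.I` for the path would keep file names consistent.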
We've had several users complain about gssd automatically starting. Not everyone who has a krb5.keytab wants to use secure NFS; the instructions for disabling gssd ought to be on the man page in addition to the README (which may not even be included in a distro's nfs-utils package).

Signed-off-by: Scott Mayhew <smayhew@redhat.com>

---
 systemd/nfs.systemd.man | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)