From: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
To: Steve Dickson <SteveD@redhat.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Adding the nfs4_secure_mounts bool
Date: Sun, 10 Nov 2013 22:45:21 +0000 [thread overview]
Message-ID: <CF19CE53-6F84-4FD2-9A97-69A068ED4A72@netapp.com> (raw)
In-Reply-To: <5280092E.60008@RedHat.com>
On Nov 10, 2013, at 17:31, Steve Dickson <SteveD@redhat.com> wrote:
> Hey Trond,
>
> On 09/11/13 18:12, Myklebust, Trond wrote:
>>
>> On Nov 9, 2013, at 17:47, Steve Dickson <SteveD@redhat.com> wrote:
>>
>>> The nfs4_secure_mounts controls whether security
>>> flavors will be tried during the establishing of
>>> NFSv4 state and the pseudoroot lookups.
>>>
>>> This allows security daemon like rpc.gssd to
>>> tell the kernel that secure mounts should be tried.
>>>
>>> To enable secure mounts:
>>> echo "on" > /proc/fs/nfsfs/secure
>>>
>>> To disable secure mounts:
>>> echo "off" > /proc/fs/nfsfs/secure
>>>
>>> Signed-off-by: Steve Dickson <steved@redhat.com>
>>
>> Hi Steve,
>>
>> So the rpc.gssd would flip the switch to “on” when it starts up and
>> to “off” when it quits?
> Yes that is the idea... rpc.gssd would be the gatekeeper if you will...
> I think its better than a mount option or module parameter since
> they, to used Jeff's words, "tend to live forever!"
>
>> What if someone does a ‘kill -9’?
> Things always break when they are killed with -9... It is what it is... :-)
> I am planning on used the atexit() API to manage this...
>
>>
>> One alternative to the above scheme, which I believe that I’ve
>> suggested before, is to have a permanent entry in rpc_pipefs
>> that rpc.gssd can open and that the kernel can use to detect that
>> it is running. If we make it /var/lib/nfs/rpc_pipefs/gssd/clnt00/gssd,
>> then AFAICS we don’t need to change nfs-utils at all, since all newer
>> versions of rpc.gssd will try to open for read anything of the form
>> /var/lib/nfs/rpc_pipefs/*/clntXX/gssd...
> This seems like this would be reasonable... But from my understanding
> (which is limited in this area) this would not be an easy thing to do.
Actually, it should be very easy. We have all the machinery to create new pipes today, and they already track whether or not there is a gssd daemon listening.
The nice thing about this scheme is that if the gssd daemon dies, then the pipe is automatically closed, and the kernel tracking will immediately notice that.
> So I'm hoping we could used this patch as a bridge from here to there.
> To give the community a seamless way out of this 15 second delay, today!
>
> This patch does not create a API changes like a module parameter or mount
> option would, plus it eliminates needless message being logged whether
> rpc.gssd is or is not running. Since it is seamless, pulling it out
> would will also be seamless…
> At the end of the day... rpc.gssd is going to have to change in the
> short term. I think having rpc.gssd enabling secure mounts, like it
> has since Fedora 2, is still the right path.
I disagree. I think that we can solve this particular problem without changing rpc.gssd or any of the sysinit/systemd start/end scripts.
--
Trond Myklebust
Linux NFS client maintainer
NetApp
Trond.Myklebust@netapp.com
www.netapp.com
next prev parent reply other threads:[~2013-11-10 22:45 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-09 22:47 [PATCH] Adding the nfs4_secure_mounts bool Steve Dickson
2013-11-09 23:12 ` Myklebust, Trond
2013-11-10 22:31 ` Steve Dickson
2013-11-10 22:45 ` Myklebust, Trond [this message]
2013-11-11 13:00 ` Steve Dickson
2013-11-11 18:06 ` Steve Dickson
2013-11-11 18:25 ` Myklebust, Trond
2013-11-11 18:43 ` Steve Dickson
2013-11-11 18:53 ` Myklebust, Trond
2013-11-11 19:05 ` Steve Dickson
2013-11-11 19:21 ` Myklebust, Trond
2013-11-11 18:30 ` Chuck Lever
2013-11-11 18:59 ` Steve Dickson
2013-11-11 20:33 ` Chuck Lever
2013-11-11 21:13 ` Steve Dickson
2013-11-11 21:47 ` Chuck Lever
2013-11-11 23:00 ` Steve Dickson
2013-11-12 16:09 ` Chuck Lever
2013-11-12 16:24 ` Steve Dickson
2013-11-12 16:46 ` Chuck Lever
2013-11-12 16:52 ` Steve Dickson
2013-11-12 16:10 ` J. Bruce Fields
2013-11-12 5:11 ` NeilBrown
2013-11-12 5:29 ` Myklebust, Trond
2013-11-12 16:16 ` J. Bruce Fields
2013-11-13 0:23 ` NeilBrown
2013-11-13 0:30 ` Myklebust, Trond
2013-11-13 1:13 ` NeilBrown
2013-11-13 1:26 ` Myklebust, Trond
2013-11-14 1:05 ` NeilBrown
2013-11-14 1:07 ` [PATCH - nfs-utils] gssd: always reply to rpc-pipe requests from kernel NeilBrown
2013-11-14 13:34 ` Jeff Layton
2013-11-20 21:21 ` Steve Dickson
2013-11-13 3:46 ` [PATCH] Adding the nfs4_secure_mounts bool J. Bruce Fields
2013-11-13 4:15 ` Myklebust, Trond
2013-11-14 1:10 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CF19CE53-6F84-4FD2-9A97-69A068ED4A72@netapp.com \
--to=trond.myklebust@netapp.com \
--cc=SteveD@redhat.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.