From: NeilBrown <neilb@suse.de>
To: Steve Dickson <SteveD@redhat.com>
Cc: "J. Bruce Fields" <bfields@fieldses.org>,
	Chuck Lever <chuck.lever@oracle.com>,
	Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	Simo Sorce <simo@redhat.com>
Subject: Re: [PATCH/RFC: nfs-utils] Common systemd unit files for nfs-utils.
Date: Tue, 11 Feb 2014 15:50:52 +1100
Message-ID: <20140211155052.464aac7c@notabene.brown>
In-Reply-To: <52F93BA1.9060505@RedHat.com>


On Mon, 10 Feb 2014 15:50:41 -0500 Steve Dickson <SteveD@redhat.com> wrote:

> On 02/06/2014 11:19 AM, J. Bruce Fields wrote:
> > On Thu, Feb 06, 2014 at 11:09:58AM -0500, Chuck Lever wrote:
> >>
> >> On Feb 5, 2014, at 8:27 PM, NeilBrown <neilb@suse.de> wrote:
> >>> I certainly agree with making things simple.  If we can make a configuration
> >>> irrelevant, e.g. by getting nfsd to auto-tune the number of threads so the
> >>> setting becomes pointless, then I'm very happy to remove that sort of
> >>> configuration.  But if a configuration option actually means something I
> >>> certainly don't want to remove it.
> >>>
> >>> So I'm leaning towards having "systemctl {un,}mask rpc-gssd" be the
> >>> configuration tool for rpc.gssd.
> >>
> >> I like that better than the “off-until-requested” behavior we have currently.  IMO folks who want to disable rpc.gssd will be in the increasing minority and the rest of the world will take scant notice of the extra daemon, as long as we ensure it speaks only when necessary.
> > 
> > I'd also prefer running the gssd's by default: one less (confusing) step
> > to set up kerberos, and I'm not seeing a realistic security risk.
> I'm not for starting daemons that are not needed or necessary. I
> just think that is a bad design.
>  
> > 
> > If we can easily provide a way to turn it off for people that want a
> > really stripped-down system for whatever reason, fine, let's provide
> > that.
> I'm thinking just the opposite... Have a way to easily (or even
> automatically) enable NFS security....  when needed...
> 
> Would it make it easier if we combined the gssd daemons? That goes
> both ways (server and client)... That way we could just enable
> nfs security and the daemon would be started regardless of what side
> it's on...
> 
> steved.

By "combine" do you mean "rewrite the code so there is only one process" or
"have a systemd unit which starts both"?  The former seems like a lot of
pointless work and the latter contradicts your stated preference for not
starting daemons that are not needed.

What do you think of the suggestion to start rpc.gssd when Wanted
if /etc/krb5.conf exists, and document that it can be disabled with

  systemctl mask rpc-gssd

(I like your idea of clearly documenting the important systemd units).
That way it is running when needed, probably not when not, and if you happen
to have kerberos installed but don't want rpc.gssd, it is easy to achieve
that.

NeilBrown
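
The arrangement suggested in the message above, as an added sketch that is not part of the original mail and not the nfs-utils unit file. The binary path and the forking start-up type are assumptions; the condition path and the mask command are the ones named in the message.

```ini
# rpc-gssd.service (illustrative sketch, not the project's unit file)
# Assumptions: rpc.gssd is installed at /usr/sbin/rpc.gssd and
# daemonizes itself, hence Type=forking.

[Unit]
Description=RPC security service for NFS client
# Start only when Kerberos is configured. If the file is absent the
# unit is skipped without being marked as failed.
ConditionPathExists=/etc/krb5.conf

[Service]
Type=forking
ExecStart=/usr/sbin/rpc.gssd

# No [Install] section: the unit is never enabled on its own and only
# starts when another unit pulls it in with Wants=rpc-gssd.service.
#
# Opt-out for a host that has Kerberos installed but should not run
# rpc.gssd:
#   systemctl mask rpc-gssd     # links the unit to /dev/null, so units
#                               # that Want it no longer start it
#   systemctl unmask rpc-gssd   # restores the default behaviour
```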
