From: Steve Dickson <steved@redhat.com>
To: Chuck Lever III <chuck.lever@oracle.com>
Cc: Chuck Lever <cel@kernel.org>,
	Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	Rick Macklem <rick.macklem@gmail.com>,
	"kernel-tls-handshake@lists.linux.dev"
	<kernel-tls-handshake@lists.linux.dev>
Subject: Re: [PATCH v2 0/4] nfs-utils changes for RPC-with-TLS
Date: Wed, 5 Apr 2023 16:09:57 -0400
Message-ID: <7c3b9f3e-e40a-1389-d03a-eb9f9a505c17@redhat.com>
In-Reply-To: <AC76C4AB-F5DE-40B2-8A0D-4BADC7EFD918@oracle.com>



On 4/5/23 12:45 PM, Chuck Lever III wrote:
> 
> 
>> On Apr 5, 2023, at 12:40 PM, Steve Dickson <steved@redhat.com> wrote:
>>
>> Hey Chuck,
>>
>> On 3/29/23 10:08 AM, Chuck Lever wrote:
>>> Hi Steve-
>>> This is client- and server-side nfs-utils support for RPC-with-TLS.
>>> The client side support at this point is only a man page update
>>> since the kernel handles mount option processing itself.
>>> The server implementation can support both the opportunistic use of
>>> transport layer security (it will be used if the client cares to),
>>> and the required use of transport layer security (the server
>>> requires the client to use it to access a particular export).
>>> Without any other user space componentry, this implementation is
>>> able to handle clients that request the use of RPC-with-TLS. To
>>> support security policies that restrict access to exports based on
>>> the client's use of TLS, modifications to exportfs and mountd are
>>> needed. These are contained in this post, and can also be found
>>> here:
>>> git://git.linux-nfs.org/projects/cel/nfs-utils.git
>>> The kernel patches, along with the handshake upcall, are carried in
>>> the topic-rpc-with-tls-upcall branch available from:
>>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
>>
>> Just wondering if these patches should wait until the kernel
>> patches reach mainline (aka rawhide)?
> 
> The kernel changes do not require these, they add more
> features. Thus I don't think it's harmful to let them
> wait for the kernel patches.
> 
> For testing, Jeff has set up a Fedora COPR with these,
> the ktls-utils package, and an updated kernel.
> 
> What could be checked now is whether these nfs-utils
> changes will break something on pre-TLS kernels.
Fair enough... I'll have a release ready for the
upcoming Bakeathon...

steved.
> 
> 
>> steved.
>>
>>> Soon I hope to compose a new man page in Section 7 that will provide
>>> an overview and quick set-up guidance for NFS's use of RPC-with-TLS.
>>> Changes since v1:
>>> - Addressed Jeff's review comments
>>> - Updated nfs.man as well
>>> ---
>>> Chuck Lever (4):
>>>        libexports: Fix whitespace damage in support/nfs/exports.c
>>>        exports: Add an xprtsec= export option
>>>        exports(5): Describe the xprtsec= export option
>>>        nfs(5): Document the new "xprtsec=" mount option
>>>   support/export/cache.c       |  15 ++++++
>>>   support/include/nfs/export.h |  14 +++++
>>>   support/include/nfslib.h     |  14 +++++
>>>   support/nfs/exports.c        | 100 ++++++++++++++++++++++++++++++++---
>>>   utils/exportfs/exportfs.c    |   1 +
>>>   utils/exportfs/exports.man   |  51 +++++++++++++++++-
>>>   utils/mount/nfs.man          |  34 +++++++++++-
>>>   7 files changed, 219 insertions(+), 10 deletions(-)
>>> --
>>> Chuck Lever
> 
> 
> --
> Chuck Lever
> 
> 


Thread overview: 9+ messages
2023-03-29 14:08 [PATCH v2 0/4] nfs-utils changes for RPC-with-TLS Chuck Lever
2023-03-29 14:08 ` [PATCH v2 1/4] libexports: Fix whitespace damage in support/nfs/exports.c Chuck Lever
2023-03-29 14:08 ` [PATCH v2 2/4] exports: Add an xprtsec= export option Chuck Lever
2023-03-29 14:08 ` [PATCH v2 3/4] exports(5): Describe the " Chuck Lever
2023-03-29 14:08 ` [PATCH v2 4/4] nfs(5): Document the new "xprtsec=" mount option Chuck Lever
2023-04-05 16:40 ` [PATCH v2 0/4] nfs-utils changes for RPC-with-TLS Steve Dickson
2023-04-05 16:45   ` Chuck Lever III
2023-04-05 20:09     ` Steve Dickson [this message]
2023-04-15 17:57 ` Steve Dickson
