Re: [PATCH v2 0/4] nfs-utils changes for RPC-with-TLS

From: Chuck Lever III <chuck.lever@oracle.com>
To: Steve Dickson <steved@redhat.com>
Cc: Chuck Lever <cel@kernel.org>,
	Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	Rick Macklem <rick.macklem@gmail.com>,
	"kernel-tls-handshake@lists.linux.dev"
	<kernel-tls-handshake@lists.linux.dev>
Subject: Re: [PATCH v2 0/4] nfs-utils changes for RPC-with-TLS
Date: Wed, 5 Apr 2023 16:45:00 +0000	[thread overview]
Message-ID: <AC76C4AB-F5DE-40B2-8A0D-4BADC7EFD918@oracle.com> (raw)
In-Reply-To: <1c59beaf-63b6-ee39-b339-339a0c7e72b9@redhat.com>

> On Apr 5, 2023, at 12:40 PM, Steve Dickson <steved@redhat.com> wrote:
> 
> Hey Chuck,
> 
> On 3/29/23 10:08 AM, Chuck Lever wrote:
>> Hi Steve-
>> This is client- and server-side nfs-utils support for RPC-with-TLS.
>> The client side support at this point is only a man page update
>> since the kernel handles mount option processing itself.
>> The server implementation can support both the opportunistic use of
>> transport layer security (it will be used if the client cares to),
>> and the required use of transport layer security (the server
>> requires the client to use it to access a particular export).
>> Without any other user space componentry, this implementation is
>> able to handle clients that request the use of RPC-with-TLS. To
>> support security policies that restrict access to exports based on
>> the client's use of TLS, modifications to exportfs and mountd are
>> needed. These are contained in this post, and can also be found
>> here:
>> git://git.linux-nfs.org/projects/cel/nfs-utils.git
>> The kernel patches, along with the handshake upcall, are carried in
>> the topic-rpc-with-tls-upcall branch available from:
>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
> 
> Just wondering if these patch should wait until the kernel
> patches reach mainline (aka rawhide)?

The kernel changes do not require these, they add more
features. Thus I don't think it's harmful to let them
wait for the kernel patches.

For testing, Jeff has set up a Fedora COPR with these,
the ktls-utils package, and an updated kernel.

What could be checked now is whether these nfs-utils
changes will break something on pre-TLS kernels.

> steved.
> 
>> Soon I hope to compose a new man page in Section 7 that will provide
>> an overview and quick set-up guidance for NFS's use of RPC-with-TLS.
>> Changes since v1:
>> - Addressed Jeff's review comments
>> - Updated nfs.man as well
>> ---
>> Chuck Lever (4):
>>       libexports: Fix whitespace damage in support/nfs/exports.c
>>       exports: Add an xprtsec= export option
>>       exports(5): Describe the xprtsec= export option
>>       nfs(5): Document the new "xprtsec=" mount option
>>  support/export/cache.c       |  15 ++++++
>>  support/include/nfs/export.h |  14 +++++
>>  support/include/nfslib.h     |  14 +++++
>>  support/nfs/exports.c        | 100 ++++++++++++++++++++++++++++++++---
>>  utils/exportfs/exportfs.c    |   1 +
>>  utils/exportfs/exports.man   |  51 +++++++++++++++++-
>>  utils/mount/nfs.man          |  34 +++++++++++-
>>  7 files changed, 219 insertions(+), 10 deletions(-)
>> --
>> Chuck Lever

--
Chuck Lever