From: Chuck Lever <cel@kernel.org>
To: SteveD@redhat.com
Cc: linux-nfs@vger.kernel.org, rick.macklem@gmail.com,
kernel-tls-handshake@lists.linux.dev
Subject: [PATCH v2 4/4] nfs(5): Document the new "xprtsec=" mount option
Date: Wed, 29 Mar 2023 10:08:31 -0400 [thread overview]
Message-ID: <168009891187.2522.6811718417615257679.stgit@manet.1015granger.net> (raw)
In-Reply-To: <168009806320.2522.10415374334827613451.stgit@manet.1015granger.net>
From: Chuck Lever <chuck.lever@oracle.com>
More information about RPC-with-TLS and some brief set-up guidance
are to be provided in a separate man page in Section 7.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
utils/mount/nfs.man | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
index d9f34df36b42..7a410422897c 100644
--- a/utils/mount/nfs.man
+++ b/utils/mount/nfs.man
@@ -574,7 +574,39 @@ The
.B sloppy
option is an alternative to specifying
.BR mount.nfs " -s " option.
-
+.TP 1.5i
+.BI xprtsec= policy
+Specifies the use of transport layer security to protect NFS network
+traffic on behalf of this mount point.
+.I policy
+can be one of
+.BR none ,
+.BR tls ,
+or
+.BR mtls .
+.IP
+If
+.B none
+is specified,
+transport layer security is forced off, even if the NFS server supports
+transport layer security.
+If
+.B tls
+is specified, the client uses RPC-with-TLS to provide in-transit
+confidentiality.
+If
+.B mtls
+is specified, the client uses RPC-with-TLS to authenticate itself and
+to provide in-transit confidentiality.
+If the server does not support RPC-with-TLS or peer authentication
+fails, the mount attempt fails.
+.IP
+If the
+.B xprtsec=
+option is not specified,
+the default behavior depends on the kernel,
+but is usually equivalent to
+.BR "xprtsec=none" .
.SS "Options for NFS versions 2 and 3 only"
Use these options, along with the options in the above subsection,
for NFS versions 2 and 3 only.
next prev parent reply other threads:[~2023-03-29 14:09 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-29 14:08 [PATCH v2 0/4] nfs-utils changes for RPC-with-TLS Chuck Lever
2023-03-29 14:08 ` [PATCH v2 1/4] libexports: Fix whitespace damage in support/nfs/exports.c Chuck Lever
2023-03-29 14:08 ` [PATCH v2 2/4] exports: Add an xprtsec= export option Chuck Lever
2023-03-29 14:08 ` [PATCH v2 3/4] exports(5): Describe the " Chuck Lever
2023-03-29 14:08 ` Chuck Lever [this message]
2023-04-05 16:40 ` [PATCH v2 0/4] nfs-utils changes for RPC-with-TLS Steve Dickson
2023-04-05 16:45 ` Chuck Lever III
2023-04-05 20:09 ` Steve Dickson
2023-04-15 17:57 ` Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=168009891187.2522.6811718417615257679.stgit@manet.1015granger.net \
--to=cel@kernel.org \
--cc=SteveD@redhat.com \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=linux-nfs@vger.kernel.org \
--cc=rick.macklem@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox