[PATCH 0/2] Use the gssproxy damon for GSSAPI credentials

[PATCH 0/2] Use the gssproxy damon for GSSAPI credentials

[Steve Dickson]

The gssproxy(8) daemon is now how the managing of GSSAPI 
credentials should be done. 

These to patches has the nfs-server systemd script start 
gssproxy instead of rpc.svcgssd and removes the building 
and installation of rpc.svcgssd.

For now I'm leaving the source files... Just in case... ;-)

Steve Dickson (2):
  nfs-server: Replace rpc.svcgssd with gssproxy
  svcgssd: Remove rules from the Makefile.am

 systemd/nfs-server.service  |  4 ++--
 systemd/rpc-svcgssd.service | 19 -------------------
 utils/gssd/Makefile.am      | 25 ++-----------------------
 3 files changed, 4 insertions(+), 44 deletions(-)
 delete mode 100644 systemd/rpc-svcgssd.service

-- 
1.9.3

[PATCH 1/2] nfs-server: Replace rpc.svcgssd with gssproxy

[Steve Dickson]

Make the nfs-server depend on the gssproxy
daemon running instead of svcgssd to manage
GSSAPI credentials

Signed-off-by: Steve Dickson <steved@redhat.com>
---
 systemd/nfs-server.service  |  4 ++--
 systemd/rpc-svcgssd.service | 19 -------------------
 2 files changed, 2 insertions(+), 21 deletions(-)
 delete mode 100644 systemd/rpc-svcgssd.service

diff --git a/systemd/nfs-server.service b/systemd/nfs-server.service
index 2fa7387..3b04f84 100644
--- a/systemd/nfs-server.service
+++ b/systemd/nfs-server.service
@@ -2,12 +2,12 @@
 Description=NFS server and services
 Requires= network.target proc-fs-nfsd.mount rpcbind.target
 Requires= nfs-mountd.service
-Wants=rpc-statd.service nfs-idmapd.service rpc-gssd.service rpc-svcgssd.service
+Wants=rpc-statd.service nfs-idmapd.service rpc-gssd.service gssproxy.service
 Wants=rpc-statd-notify.service
 
 After= network.target proc-fs-nfsd.mount rpcbind.target nfs-mountd.service
 After= nfs-idmapd.service rpc-statd.service
-After= rpc-gssd.service rpc-svcgssd.service
+After= rpc-gssd.service gssproxy.service
 Before= rpc-statd-notify.service
 
 Wants=nfs-config.service
diff --git a/systemd/rpc-svcgssd.service b/systemd/rpc-svcgssd.service
deleted file mode 100644
index f7424b0..0000000
--- a/systemd/rpc-svcgssd.service
+++ /dev/null
@@ -1,19 +0,0 @@
-[Unit]
-Description=RPC security service for NFS server
-Requires=var-lib-nfs-rpc_pipefs.mount
-After=var-lib-nfs-rpc_pipefs.mount
-PartOf=nfs-server.service
-PartOf=nfs-utils.service
-
-After=gssproxy.service
-ConditionPathExists=|!/run/gssproxy.pid
-ConditionPathExists=|!/proc/net/rpc/use-gss-proxy
-ConditionPathExists=/etc/krb5.keytab
-
-Wants=nfs-config.service
-After=nfs-config.service
-
-[Service]
-EnvironmentFile=-/run/sysconfig/nfs-utils
-Type=forking
-ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS
-- 
1.9.3

[PATCH 2/2] svcgssd: Remove rules from the Makefile.am

[Steve Dickson]

The managing of GSSAPI credentials is now done
with the gssproxy(8) daemon so svcgssd no longer
needs to be build or installed.

Signed-off-by: Steve Dickson <steved@redhat.com>
---
 utils/gssd/Makefile.am | 25 ++-----------------------
 1 file changed, 2 insertions(+), 23 deletions(-)

diff --git a/utils/gssd/Makefile.am b/utils/gssd/Makefile.am
index af59791..716dd0b 100644
--- a/utils/gssd/Makefile.am
+++ b/utils/gssd/Makefile.am
@@ -1,10 +1,10 @@
 ## Process this file with automake to produce Makefile.in
 
-man8_MANS	= gssd.man svcgssd.man
+man8_MANS	= gssd.man
 
 RPCPREFIX	= rpc.
 KPREFIX		= @kprefix@
-sbin_PREFIXED	= gssd svcgssd
+sbin_PREFIXED	= gssd
 sbin_PROGRAMS	= $(sbin_PREFIXED)
 
 EXTRA_DIST = \
@@ -45,27 +45,6 @@ gssd_LDFLAGS = $(KRBLDFLAGS) $(LIBTIRPC)
 gssd_CFLAGS = $(AM_CFLAGS) $(CFLAGS) \
 	      $(RPCSECGSS_CFLAGS) $(KRBCFLAGS) $(GSSAPI_CFLAGS)
 
-svcgssd_SOURCES = \
-	$(COMMON_SRCS) \
-	svcgssd.c \
-	svcgssd_main_loop.c \
-	svcgssd_mech2file.c \
-	svcgssd_proc.c \
-	svcgssd_krb5.c \
-	\
-	svcgssd_krb5.h \
-	svcgssd.h
-
-svcgssd_LDADD = \
-	../../support/nfs/libnfs.a \
-	$(RPCSECGSS_LIBS) $(LIBNFSIDMAP) \
-	$(KRBLIBS) $(GSSAPI_LIBS) $(LIBTIRPC)
-
-svcgssd_LDFLAGS = $(KRBLDFLAGS)
-
-svcgssd_CFLAGS = $(AM_CFLAGS) $(CFLAGS) \
-		 $(RPCSECGSS_CFLAGS) $(KRBCFLAGS) $(GSSAPI_CFLAGS)
-
 MAINTAINERCLEANFILES = Makefile.in
 
 #######################################################################
-- 
1.9.3

Re: [PATCH 0/2] Use the gssproxy damon for GSSAPI credentials

[J. Bruce Fields]

On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
> The gssproxy(8) daemon is now how the managing of GSSAPI 
> credentials should be done. 
> 
> These to patches has the nfs-server systemd script start 
> gssproxy instead of rpc.svcgssd and removes the building 
> and installation of rpc.svcgssd.
> 
> For now I'm leaving the source files... Just in case... ;-)

If nothing else, we'd like to keep support for older kernels for a
while.

--b.

> 
> Steve Dickson (2):
>   nfs-server: Replace rpc.svcgssd with gssproxy
>   svcgssd: Remove rules from the Makefile.am
> 
>  systemd/nfs-server.service  |  4 ++--
>  systemd/rpc-svcgssd.service | 19 -------------------
>  utils/gssd/Makefile.am      | 25 ++-----------------------
>  3 files changed, 4 insertions(+), 44 deletions(-)
>  delete mode 100644 systemd/rpc-svcgssd.service
> 
> -- 
> 1.9.3
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2] Use the gssproxy damon for GSSAPI credentials

[Steve Dickson]

On 09/19/2014 11:57 AM, J. Bruce Fields wrote:
> On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
>> The gssproxy(8) daemon is now how the managing of GSSAPI 
>> credentials should be done. 
>>
>> These to patches has the nfs-server systemd script start 
>> gssproxy instead of rpc.svcgssd and removes the building 
>> and installation of rpc.svcgssd.
>>
>> For now I'm leaving the source files... Just in case... ;-)
> 
> If nothing else, we'd like to keep support for older kernels for a
> while.
Good point... I should probably make this a configurable...
something like --enable_svcgssd and have it off by default...

steved.

> 
> --b.
> 
>>
>> Steve Dickson (2):
>>   nfs-server: Replace rpc.svcgssd with gssproxy
>>   svcgssd: Remove rules from the Makefile.am
>>
>>  systemd/nfs-server.service  |  4 ++--
>>  systemd/rpc-svcgssd.service | 19 -------------------
>>  utils/gssd/Makefile.am      | 25 ++-----------------------
>>  3 files changed, 4 insertions(+), 44 deletions(-)
>>  delete mode 100644 systemd/rpc-svcgssd.service
>>
>> -- 
>> 1.9.3
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2] Use the gssproxy damon for GSSAPI credentials

[J. Bruce Fields]

On Fri, Sep 19, 2014 at 12:31:17PM -0400, Steve Dickson wrote:
> 
> 
> On 09/19/2014 11:57 AM, J. Bruce Fields wrote:
> > On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
> >> The gssproxy(8) daemon is now how the managing of GSSAPI 
> >> credentials should be done. 
> >>
> >> These to patches has the nfs-server systemd script start 
> >> gssproxy instead of rpc.svcgssd and removes the building 
> >> and installation of rpc.svcgssd.
> >>
> >> For now I'm leaving the source files... Just in case... ;-)
> > 
> > If nothing else, we'd like to keep support for older kernels for a
> > while.
> Good point... I should probably make this a configurable...
> something like --enable_svcgssd and have it off by default...

Sounds fine.

--b.

Re: [PATCH 0/2] Use the gssproxy damon for GSSAPI credentials

[Simo Sorce]

On Fri, 19 Sep 2014 12:36:17 -0400
"J. Bruce Fields" <bfields@fieldses.org> wrote:

> On Fri, Sep 19, 2014 at 12:31:17PM -0400, Steve Dickson wrote:
> > 
> > 
> > On 09/19/2014 11:57 AM, J. Bruce Fields wrote:
> > > On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
> > >> The gssproxy(8) daemon is now how the managing of GSSAPI 
> > >> credentials should be done. 
> > >>
> > >> These to patches has the nfs-server systemd script start 
> > >> gssproxy instead of rpc.svcgssd and removes the building 
> > >> and installation of rpc.svcgssd.
> > >>
> > >> For now I'm leaving the source files... Just in case... ;-)
> > > 
> > > If nothing else, we'd like to keep support for older kernels for a
> > > while.
> > Good point... I should probably make this a configurable...
> > something like --enable_svcgssd and have it off by default...
> 
> Sounds fine.

+1, it will be very useful for transitions in distributions, not all of
them will align identically I guess.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 0/2] Use the gssproxy damon for GSSAPI credentials

[J. Bruce Fields]

On Fri, Sep 19, 2014 at 01:07:52PM -0400, Simo Sorce wrote:
> On Fri, 19 Sep 2014 12:36:17 -0400
> "J. Bruce Fields" <bfields@fieldses.org> wrote:
> 
> > On Fri, Sep 19, 2014 at 12:31:17PM -0400, Steve Dickson wrote:
> > > 
> > > 
> > > On 09/19/2014 11:57 AM, J. Bruce Fields wrote:
> > > > On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
> > > >> The gssproxy(8) daemon is now how the managing of GSSAPI 
> > > >> credentials should be done. 
> > > >>
> > > >> These to patches has the nfs-server systemd script start 
> > > >> gssproxy instead of rpc.svcgssd and removes the building 
> > > >> and installation of rpc.svcgssd.
> > > >>
> > > >> For now I'm leaving the source files... Just in case... ;-)
> > > > 
> > > > If nothing else, we'd like to keep support for older kernels for a
> > > > while.
> > > Good point... I should probably make this a configurable...
> > > something like --enable_svcgssd and have it off by default...
> > 
> > Sounds fine.
> 
> +1, it will be very useful for transitions in distributions, not all of
> them will align identically I guess.

If we wanted to be *very* nice, we could try to detect and run one or
the other at run-time.  It's nice for people trying to boot old kernels
to track down (probably unrelated) regressions.  But I think it would be
too complicated.

It might be simple enough for gss-proxy to log some kind of warning when
it starts up on an old kernel.

--b.

Re: [PATCH 0/2] Use the gssproxy damon for GSSAPI credentials

[Simo Sorce]

On Fri, 19 Sep 2014 14:11:22 -0400
"J. Bruce Fields" <bfields@fieldses.org> wrote:

> On Fri, Sep 19, 2014 at 01:07:52PM -0400, Simo Sorce wrote:
> > On Fri, 19 Sep 2014 12:36:17 -0400
> > "J. Bruce Fields" <bfields@fieldses.org> wrote:
> > 
> > > On Fri, Sep 19, 2014 at 12:31:17PM -0400, Steve Dickson wrote:
> > > > 
> > > > 
> > > > On 09/19/2014 11:57 AM, J. Bruce Fields wrote:
> > > > > On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
> > > > >> The gssproxy(8) daemon is now how the managing of GSSAPI 
> > > > >> credentials should be done. 
> > > > >>
> > > > >> These to patches has the nfs-server systemd script start 
> > > > >> gssproxy instead of rpc.svcgssd and removes the building 
> > > > >> and installation of rpc.svcgssd.
> > > > >>
> > > > >> For now I'm leaving the source files... Just in case... ;-)
> > > > > 
> > > > > If nothing else, we'd like to keep support for older kernels
> > > > > for a while.
> > > > Good point... I should probably make this a configurable...
> > > > something like --enable_svcgssd and have it off by default...
> > > 
> > > Sounds fine.
> > 
> > +1, it will be very useful for transitions in distributions, not
> > all of them will align identically I guess.
> 
> If we wanted to be *very* nice, we could try to detect and run one or
> the other at run-time.  It's nice for people trying to boot old
> kernels to track down (probably unrelated) regressions.  But I think
> it would be too complicated.
> 
> It might be simple enough for gss-proxy to log some kind of warning
> when it starts up on an old kernel.

Excellent idea, I opened a ticket to track that:
https://fedorahosted.org/gss-proxy/ticket/126

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York