Re: [PATCH nfs-utils/systemd] systemd: convert secure services to start without explicit configuration.

public inbox for linux-nfs@vger.kernel.org
 help / color / mirror / Atom feed

From: Steve Dickson <SteveD@redhat.com>
To: NeilBrown <neilb@suse.de>
Cc: NFS <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH nfs-utils/systemd] systemd: convert secure services to start without explicit configuration.
Date: Thu, 13 Feb 2014 14:42:15 -0500	[thread overview]
Message-ID: <52FD2017.4050403@RedHat.com> (raw)
In-Reply-To: <20140205141836.5fc941a9@notabene.brown>



On 02/04/2014 10:18 PM, NeilBrown wrote:
> 
> 
> This patch removes nfs-secure.target.
> Instead, rpc.gssd and rpc.svcgssd start started if they appear to be needed.
> 
> For rpc.gssd, this means if the file /etc/krb5.keytab exists.
> As the only security mechanism supported is krb5, that file must exist
> for rpc.gssd to be useful.  Conversely, if it does exist, it seems very
> likely that krb5 is configured on the system an may be used for NFS.
> 
> For rpc.svcgssd, it also means checking if gss-proxy might be performing
> the equivalent task instead.  So we check if it is running, and if the kernel
> is able to talk to it.
> 
> Signed-off-by: NeilBrown <neilb@suse.de>
Committed to the systemd branch of my git tree...

I would like to more testing before I move them on
to the master branch...

steved.

> 
> diff --git a/systemd/README b/systemd/README
> index 00d3e415092e..d697cefbe229 100644
> --- a/systemd/README
> +++ b/systemd/README
> @@ -24,11 +24,6 @@ by a suitable 'preset' setting:
>      is started by /usr/sbin/start-statd which mount.nfs will run
>      if statd is needed.
>  
> - nfs-secure.target
> -    If enabled, then rpc.gssd will be run when either -client or
> -    -server is started, and rpc.svcgssd will be run when -server
> -    is started
> -
>   nfs-blkmap.target
>      If enabled, then blkmapd will be run when nfs-client.target is
>      started.
> @@ -52,3 +47,15 @@ This should write /run/sysconfig/nfs-utils based on configuration
>  information such as in /etc/sysconfig/nfs or /etc/defaults/nfs.
>  It should write to a tmp file and rename to the target to
>  avoid parallel units seeing incomplete copies of the file.
> +
> +rpc.gssd and rpc.svcgssd are assumed to be needed if /etc/krb5.keytab
> +is present.
> +If a site needs this file present but does not want the gss daemons
> +running, it should create
> +   /etc/systemd/system/rpc-gssd.service.d/01-disable.conf
> +and
> +   /etc/systemd/system/rpc-svcgssd.service.d/01-disable.conf
> +
> +containing
> +   [Unit]
> +   ConditionNull=false
> diff --git a/systemd/nfs-secure.target b/systemd/nfs-secure.target
> deleted file mode 100644
> index 0127fdb07dbd..000000000000
> --- a/systemd/nfs-secure.target
> +++ /dev/null
> @@ -1,8 +0,0 @@
> -[Unit]
> -Description=Secure NFS client/server services
> -# If this target is enabled, then rpc.gssd and rpc.svcgssd will be started
> -# as required.  If it is not enabled they won't.
> -
> -[Install]
> -WantedBy=remote-fs.target
> -WantedBy=multi-user.target
> \ No newline at end of file
> diff --git a/systemd/rpc-gssd.service b/systemd/rpc-gssd.service
> index f0fef007d480..8778c3ef651b 100644
> --- a/systemd/rpc-gssd.service
> +++ b/systemd/rpc-gssd.service
> @@ -3,8 +3,7 @@ Description=RPC security service for NFS client and server
>  Requires=var-lib-nfs-rpc_pipefs.mount
>  After=var-lib-nfs-rpc_pipefs.mount
>  
> -Requisite=nfs-secure.target
> -After=nfs-secure.target
> +ConditionPathExists=/etc/krb5.keytab
>  
>  [Service]
>  EnvironmentFile=-/run/sysconfig/nfs-utils
> diff --git a/systemd/rpc-svcgssd.service b/systemd/rpc-svcgssd.service
> index f024d40a8f41..036ec579bfc1 100644
> --- a/systemd/rpc-svcgssd.service
> +++ b/systemd/rpc-svcgssd.service
> @@ -4,8 +4,10 @@ Requires=var-lib-nfs-rpc_pipefs.mount
>  After=var-lib-nfs-rpc_pipefs.mount
>  PartOf=nfs-server.service
>  
> -Requisite=nfs-secure.target
> -After=nfs-secure.target
> +After=gssproxy.service
> +ConditionPathExists=|!@localstatedir@/run/gssproxy.pid
> +ConditionPathExists=|!/proc/net/rpc/use-gss-proxy
> +ConditionPathExists=/etc/krb5.keytab
>  
>  [Service]
>  EnvironmentFile=-/run/sysconfig/nfs-utils
>

next prev parent reply	other threads:[~2014-02-13 19:42 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-05  3:18 [PATCH nfs-utils/systemd] systemd: convert secure services to start without explicit configuration NeilBrown
2014-02-13 19:42 ` Steve Dickson [this message]
2014-02-13 21:52   ` NeilBrown

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=52FD2017.4050403@RedHat.com \
    --to=steved@redhat.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=neilb@suse.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox