Re: [PATCH v1 0/4] nfs-utils changes for RPC-with-TLS server

Linux NFS development
 help / color / mirror / Atom feed

From: Steve Dickson <steved@redhat.com>
To: Chuck Lever III <chuck.lever@oracle.com>
Cc: Jeff Layton <jlayton@kernel.org>, Chuck Lever <cel@kernel.org>,
	Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH v1 0/4] nfs-utils changes for RPC-with-TLS server
Date: Fri, 24 Mar 2023 14:35:26 -0400	[thread overview]
Message-ID: <89a49550-d7f2-22df-5f6d-b9b8c66604de@redhat.com> (raw)
In-Reply-To: <7AC1BDBB-B6E3-49A8-A468-C045F0218495@oracle.com>



On 3/23/23 2:01 PM, Chuck Lever III wrote:
> 
> 
>> On Mar 23, 2023, at 1:57 PM, Steve Dickson <steved@redhat.com> wrote:
>>
>>
>>
>> On 3/21/23 7:52 AM, Jeff Layton wrote:
>>> On Mon, 2023-03-20 at 10:35 -0400, Chuck Lever wrote:
>>>> Hi Steve-
>>>>
>>>> This is server-side support for RPC-with-TLS, to accompany similar
>>>> support in the Linux NFS client. This implementation can support
>>>> both the opportunistic use of transport layer security (it will be
>>>> used if the client cares to) and the required use of transport
>>>> layer security (the server requires the client to use it to access
>>>> a particular export).
>>>>
>>>> Without any other user space componentry, this implementation will
>>>> be able to handle clients that request the use of RPC-with-TLS. To
>>>> support security policies that restrict access to exports based on
>>>> the client's use of TLS, modifications to exportfs and mountd are
>>>> needed. These can be found here:
>>>>
>>>> git://git.linux-nfs.org/projects/cel/nfs-utils.git
>>>>
>>>> They include an update to exports(5) explaining how to use the new
>>>> "xprtsec=" export option.
>>>>
>>>> The kernel patches, along with the the handshake upcall, are carried
>>>> in the topic-rpc-with-tls-upcall branch available from:
>>>>
>>>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
>>>>
>>>> This was posted under separate cover.
>>>>
>>>> ---
>>>>
>>>> Chuck Lever (4):
>>>>        libexports: Fix whitespace damage in support/nfs/exports.c
>>>>        exports: Add an xprtsec= export option
>>>>        exportfs: Push xprtsec settings to the kernel
>>>>        exports.man: Add description of xprtsec= to exports(5)
>>>>
>>>>
>>>>   support/export/cache.c       |  15 ++++++
>>>>   support/include/nfs/export.h |   6 +++
>>>>   support/include/nfslib.h     |  14 +++++
>>>>   support/nfs/exports.c        | 100 ++++++++++++++++++++++++++++++++---
>>>>   utils/exportfs/exportfs.c    |   1 +
>>>>   utils/exportfs/exports.man   |  45 +++++++++++++++-
>>>>   6 files changed, 172 insertions(+), 9 deletions(-)
>>>>
>>> Nice work, Chuck! This all looks pretty straightforward. I have a
>>> (minor) concern about potentially blocking nfsd threads for up to 20s in
>>> a handshake, but this seems like a good place to start.
>> Yes! But Will here be a V2 with the suggested changes?
> 
> I've done the suggested updates in my private tree already, so I can post a refresh soon.
Fair enough.
> 
> 
>> It would be good to get a new release with these patches
>> in before the upcoming Bakeathon.
> 
> The concept and operation of xprtsec= is pretty new... would there be a problem if all this were to change significantly after community review?
Not a problem at all! I was just thinking about get the patches into
Fedora rawhide to get some testing...

steved.

> 
> --
> Chuck Lever
> 
>

next prev parent reply	other threads:[~2023-03-24 18:36 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-20 14:35 [PATCH v1 0/4] nfs-utils changes for RPC-with-TLS server Chuck Lever
2023-03-20 14:35 ` [PATCH v1 1/4] libexports: Fix whitespace damage in support/nfs/exports.c Chuck Lever
2023-03-20 14:35 ` [PATCH v1 2/4] exports: Add an xprtsec= export option Chuck Lever
2023-03-21 11:55   ` Jeff Layton
2023-03-21 18:08     ` Chuck Lever III
2023-03-21 18:58       ` Jeff Layton
2023-03-23 17:53         ` Steve Dickson
2023-03-23 17:55           ` Chuck Lever III
2023-03-20 14:35 ` [PATCH v1 3/4] exportfs: Push xprtsec settings to the kernel Chuck Lever
2023-03-20 14:35 ` [PATCH v1 4/4] exports.man: Add description of xprtsec= to exports(5) Chuck Lever
2023-03-21 12:06   ` Jeff Layton
2023-03-21 14:08     ` Chuck Lever III
2023-03-21 15:11       ` Jeff Layton
2023-03-21 11:52 ` [PATCH v1 0/4] nfs-utils changes for RPC-with-TLS server Jeff Layton
2023-03-23 17:57   ` Steve Dickson
2023-03-23 18:01     ` Chuck Lever III
2023-03-24 18:35       ` Steve Dickson [this message]
2023-03-24 19:50         ` Chuck Lever III

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=89a49550-d7f2-22df-5f6d-b9b8c66604de@redhat.com \
    --to=steved@redhat.com \
    --cc=cel@kernel.org \
    --cc=chuck.lever@oracle.com \
    --cc=jlayton@kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox