From: Steve Dickson <steved@redhat.com>
To: Jeff Layton <jlayton@kernel.org>, Chuck Lever <cel@kernel.org>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH v1 0/4] nfs-utils changes for RPC-with-TLS server
Date: Thu, 23 Mar 2023 13:57:08 -0400 [thread overview]
Message-ID: <da936d7d-a864-a2ff-64a4-a295653a6aa7@redhat.com> (raw)
In-Reply-To: <d5c93e97f10a8ae803efaad02559dd118e9b9b6f.camel@kernel.org>
On 3/21/23 7:52 AM, Jeff Layton wrote:
> On Mon, 2023-03-20 at 10:35 -0400, Chuck Lever wrote:
>> Hi Steve-
>>
>> This is server-side support for RPC-with-TLS, to accompany similar
>> support in the Linux NFS client. This implementation can support
>> both the opportunistic use of transport layer security (it will be
>> used if the client cares to) and the required use of transport
>> layer security (the server requires the client to use it to access
>> a particular export).
>>
>> Without any other user space componentry, this implementation will
>> be able to handle clients that request the use of RPC-with-TLS. To
>> support security policies that restrict access to exports based on
>> the client's use of TLS, modifications to exportfs and mountd are
>> needed. These can be found here:
>>
>> git://git.linux-nfs.org/projects/cel/nfs-utils.git
>>
>> They include an update to exports(5) explaining how to use the new
>> "xprtsec=" export option.
>>
>> The kernel patches, along with the the handshake upcall, are carried
>> in the topic-rpc-with-tls-upcall branch available from:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
>>
>> This was posted under separate cover.
>>
>> ---
>>
>> Chuck Lever (4):
>> libexports: Fix whitespace damage in support/nfs/exports.c
>> exports: Add an xprtsec= export option
>> exportfs: Push xprtsec settings to the kernel
>> exports.man: Add description of xprtsec= to exports(5)
>>
>>
>> support/export/cache.c | 15 ++++++
>> support/include/nfs/export.h | 6 +++
>> support/include/nfslib.h | 14 +++++
>> support/nfs/exports.c | 100 ++++++++++++++++++++++++++++++++---
>> utils/exportfs/exportfs.c | 1 +
>> utils/exportfs/exports.man | 45 +++++++++++++++-
>> 6 files changed, 172 insertions(+), 9 deletions(-)
>>
>
> Nice work, Chuck! This all looks pretty straightforward. I have a
> (minor) concern about potentially blocking nfsd threads for up to 20s in
> a handshake, but this seems like a good place to start.
Yes! But Will here be a V2 with the suggested changes?
It would be good to get a new release with these patches
in before the upcoming Bakeathon.
steved.
next prev parent reply other threads:[~2023-03-23 17:57 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-20 14:35 [PATCH v1 0/4] nfs-utils changes for RPC-with-TLS server Chuck Lever
2023-03-20 14:35 ` [PATCH v1 1/4] libexports: Fix whitespace damage in support/nfs/exports.c Chuck Lever
2023-03-20 14:35 ` [PATCH v1 2/4] exports: Add an xprtsec= export option Chuck Lever
2023-03-21 11:55 ` Jeff Layton
2023-03-21 18:08 ` Chuck Lever III
2023-03-21 18:58 ` Jeff Layton
2023-03-23 17:53 ` Steve Dickson
2023-03-23 17:55 ` Chuck Lever III
2023-03-20 14:35 ` [PATCH v1 3/4] exportfs: Push xprtsec settings to the kernel Chuck Lever
2023-03-20 14:35 ` [PATCH v1 4/4] exports.man: Add description of xprtsec= to exports(5) Chuck Lever
2023-03-21 12:06 ` Jeff Layton
2023-03-21 14:08 ` Chuck Lever III
2023-03-21 15:11 ` Jeff Layton
2023-03-21 11:52 ` [PATCH v1 0/4] nfs-utils changes for RPC-with-TLS server Jeff Layton
2023-03-23 17:57 ` Steve Dickson [this message]
2023-03-23 18:01 ` Chuck Lever III
2023-03-24 18:35 ` Steve Dickson
2023-03-24 19:50 ` Chuck Lever III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=da936d7d-a864-a2ff-64a4-a295653a6aa7@redhat.com \
--to=steved@redhat.com \
--cc=cel@kernel.org \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox