From: Steve Dickson <steved@redhat.com>
To: Chuck Lever III <chuck.lever@oracle.com>
Cc: Chuck Lever <cel@kernel.org>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
"kernel-tls-handshake@lists.linux.dev"
<kernel-tls-handshake@lists.linux.dev>
Subject: Re: [PATCH v1] nfs(5): Document the new "xprtsec=" mount option
Date: Sat, 15 Jul 2023 16:04:50 -0400 [thread overview]
Message-ID: <f656bc22-caf6-1068-b284-91da258227c0@redhat.com> (raw)
In-Reply-To: <697F49D8-938A-426D-A4DF-8077247AE90E@oracle.com>
On 7/15/23 2:53 PM, Chuck Lever III wrote:
>
>
>> On Jul 15, 2023, at 2:07 PM, Steve Dickson <SteveD@redhat.com> wrote:
>>
>> Hey!
>>
>> On 7/14/23 2:36 PM, Chuck Lever wrote:
>>> From: Chuck Lever <chuck.lever@oracle.com>
>>> More information about RPC-with-TLS and some brief set-up guidance
>>> are to be provided in a separate man page in Section 7.
>>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>> Question: commit b5e4539f already add this RPC-with-TLS
>> update to the man page. So do you want me to revert b5e4539f
>> and replace it with this patch?
>
> Hrm, I didn't remember sending you a client-side man page update.
> I thought I was waiting for the in-kernel parts of the client
> TLS work to land, which they've done now in v6.5-rc.
>
> If it's no trouble, go ahead and replace that one.
Not a problem... I'll make it work....
steved.
>
>
>> steved.
>>
>>> ---
>>> utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++-
>>> 1 file changed, 37 insertions(+), 1 deletion(-)
>>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
>>> index d9f34df36b42..dfc31a5dad26 100644
>>> --- a/utils/mount/nfs.man
>>> +++ b/utils/mount/nfs.man
>>> @@ -574,7 +574,43 @@ The
>>> .B sloppy
>>> option is an alternative to specifying
>>> .BR mount.nfs " -s " option.
>>> -
>>> +.TP 1.5i
>>> +.BI xprtsec= policy
>>> +Specifies the use of transport layer security to protect NFS network
>>> +traffic on behalf of this mount point.
>>> +.I policy
>>> +can be one of
>>> +.BR none ,
>>> +.BR tls ,
>>> +or
>>> +.BR mtls .
>>> +.IP
>>> +If
>>> +.B none
>>> +is specified,
>>> +transport layer security is forced off, even if the NFS server supports
>>> +transport layer security.
>>> +If
>>> +.B tls
>>> +is specified, the client uses RPC-with-TLS to provide in-transit
>>> +confidentiality.
>>> +If
>>> +.B mtls
>>> +is specified, the client uses RPC-with-TLS to authenticate itself and
>>> +to provide in-transit confidentiality.
>>> +If either
>>> +.B tls
>>> +or
>>> +.B mtls
>>> +is specified and the server does not support RPC-with-TLS or peer
>>> +authentication fails, the mount attempt fails.
>>> +.IP
>>> +If the
>>> +.B xprtsec=
>>> +option is not specified,
>>> +the default behavior depends on the kernel version,
>>> +but is usually equivalent to
>>> +.BR "xprtsec=none" .
>>> .SS "Options for NFS versions 2 and 3 only"
>>> Use these options, along with the options in the above subsection,
>>> for NFS versions 2 and 3 only.
>>
>>
>
> --
> Chuck Lever
>
>
next prev parent reply other threads:[~2023-07-15 20:05 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-14 18:36 [PATCH v1] nfs(5): Document the new "xprtsec=" mount option Chuck Lever
2023-07-15 18:07 ` Steve Dickson
2023-07-15 18:53 ` Chuck Lever III
2023-07-15 20:04 ` Steve Dickson [this message]
2023-07-17 21:49 ` Steve Dickson
2023-07-30 12:26 ` Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f656bc22-caf6-1068-b284-91da258227c0@redhat.com \
--to=steved@redhat.com \
--cc=cel@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).