[PATCH v1] nfs(5): Document the new "xprtsec=" mount option

linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v1] nfs(5): Document the new "xprtsec=" mount option
@ 2023-07-14 18:36 Chuck Lever
  2023-07-15 18:07 ` Steve Dickson
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Chuck Lever @ 2023-07-14 18:36 UTC (permalink / raw)
  To: SteveD; +Cc: Chuck Lever, linux-nfs, kernel-tls-handshake

From: Chuck Lever <chuck.lever@oracle.com>

More information about RPC-with-TLS and some brief set-up guidance
are to be provided in a separate man page in Section 7.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
index d9f34df36b42..dfc31a5dad26 100644
--- a/utils/mount/nfs.man
+++ b/utils/mount/nfs.man
@@ -574,7 +574,43 @@ The
 .B sloppy
 option is an alternative to specifying
 .BR mount.nfs " -s " option.
-
+.TP 1.5i
+.BI xprtsec= policy
+Specifies the use of transport layer security to protect NFS network
+traffic on behalf of this mount point.
+.I policy
+can be one of
+.BR none ,
+.BR tls ,
+or
+.BR mtls .
+.IP
+If
+.B none
+is specified,
+transport layer security is forced off, even if the NFS server supports
+transport layer security.
+If
+.B tls
+is specified, the client uses RPC-with-TLS to provide in-transit
+confidentiality.
+If
+.B mtls
+is specified, the client uses RPC-with-TLS to authenticate itself and
+to provide in-transit confidentiality.
+If either
+.B tls
+or
+.B mtls
+is specified and the server does not support RPC-with-TLS or peer
+authentication fails, the mount attempt fails.
+.IP
+If the
+.B xprtsec=
+option is not specified,
+the default behavior depends on the kernel version,
+but is usually equivalent to
+.BR "xprtsec=none" .
 .SS "Options for NFS versions 2 and 3 only"
 Use these options, along with the options in the above subsection,
 for NFS versions 2 and 3 only.



^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH v1] nfs(5): Document the new "xprtsec=" mount option
  2023-07-14 18:36 [PATCH v1] nfs(5): Document the new "xprtsec=" mount option Chuck Lever
@ 2023-07-15 18:07 ` Steve Dickson
  2023-07-15 18:53   ` Chuck Lever III
  2023-07-17 21:49 ` Steve Dickson
  2023-07-30 12:26 ` Steve Dickson
  2 siblings, 1 reply; 6+ messages in thread
From: Steve Dickson @ 2023-07-15 18:07 UTC (permalink / raw)
  To: Chuck Lever; +Cc: Chuck Lever, linux-nfs, kernel-tls-handshake

Hey!

On 7/14/23 2:36 PM, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> More information about RPC-with-TLS and some brief set-up guidance
> are to be provided in a separate man page in Section 7.
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Question: commit b5e4539f already add this RPC-with-TLS
update to the man page. So do you want me to revert b5e4539f
and replace it with this patch?

steved.

> ---
>   utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
>   1 file changed, 37 insertions(+), 1 deletion(-)
> 
> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> index d9f34df36b42..dfc31a5dad26 100644
> --- a/utils/mount/nfs.man
> +++ b/utils/mount/nfs.man
> @@ -574,7 +574,43 @@ The
>   .B sloppy
>   option is an alternative to specifying
>   .BR mount.nfs " -s " option.
> -
> +.TP 1.5i
> +.BI xprtsec= policy
> +Specifies the use of transport layer security to protect NFS network
> +traffic on behalf of this mount point.
> +.I policy
> +can be one of
> +.BR none ,
> +.BR tls ,
> +or
> +.BR mtls .
> +.IP
> +If
> +.B none
> +is specified,
> +transport layer security is forced off, even if the NFS server supports
> +transport layer security.
> +If
> +.B tls
> +is specified, the client uses RPC-with-TLS to provide in-transit
> +confidentiality.
> +If
> +.B mtls
> +is specified, the client uses RPC-with-TLS to authenticate itself and
> +to provide in-transit confidentiality.
> +If either
> +.B tls
> +or
> +.B mtls
> +is specified and the server does not support RPC-with-TLS or peer
> +authentication fails, the mount attempt fails.
> +.IP
> +If the
> +.B xprtsec=
> +option is not specified,
> +the default behavior depends on the kernel version,
> +but is usually equivalent to
> +.BR "xprtsec=none" .
>   .SS "Options for NFS versions 2 and 3 only"
>   Use these options, along with the options in the above subsection,
>   for NFS versions 2 and 3 only.
> 
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1] nfs(5): Document the new "xprtsec=" mount option
  2023-07-15 18:07 ` Steve Dickson
@ 2023-07-15 18:53   ` Chuck Lever III
  2023-07-15 20:04     ` Steve Dickson
  0 siblings, 1 reply; 6+ messages in thread
From: Chuck Lever III @ 2023-07-15 18:53 UTC (permalink / raw)
  To: Steve Dickson
  Cc: Chuck Lever, Linux NFS Mailing List,
	kernel-tls-handshake@lists.linux.dev



> On Jul 15, 2023, at 2:07 PM, Steve Dickson <SteveD@redhat.com> wrote:
> 
> Hey!
> 
> On 7/14/23 2:36 PM, Chuck Lever wrote:
>> From: Chuck Lever <chuck.lever@oracle.com>
>> More information about RPC-with-TLS and some brief set-up guidance
>> are to be provided in a separate man page in Section 7.
>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> Question: commit b5e4539f already add this RPC-with-TLS
> update to the man page. So do you want me to revert b5e4539f
> and replace it with this patch?

Hrm, I didn't remember sending you a client-side man page update.
I thought I was waiting for the in-kernel parts of the client
TLS work to land, which they've done now in v6.5-rc.

If it's no trouble, go ahead and replace that one.


> steved.
> 
>> ---
>>  utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
>>  1 file changed, 37 insertions(+), 1 deletion(-)
>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
>> index d9f34df36b42..dfc31a5dad26 100644
>> --- a/utils/mount/nfs.man
>> +++ b/utils/mount/nfs.man
>> @@ -574,7 +574,43 @@ The
>>  .B sloppy
>>  option is an alternative to specifying
>>  .BR mount.nfs " -s " option.
>> -
>> +.TP 1.5i
>> +.BI xprtsec= policy
>> +Specifies the use of transport layer security to protect NFS network
>> +traffic on behalf of this mount point.
>> +.I policy
>> +can be one of
>> +.BR none ,
>> +.BR tls ,
>> +or
>> +.BR mtls .
>> +.IP
>> +If
>> +.B none
>> +is specified,
>> +transport layer security is forced off, even if the NFS server supports
>> +transport layer security.
>> +If
>> +.B tls
>> +is specified, the client uses RPC-with-TLS to provide in-transit
>> +confidentiality.
>> +If
>> +.B mtls
>> +is specified, the client uses RPC-with-TLS to authenticate itself and
>> +to provide in-transit confidentiality.
>> +If either
>> +.B tls
>> +or
>> +.B mtls
>> +is specified and the server does not support RPC-with-TLS or peer
>> +authentication fails, the mount attempt fails.
>> +.IP
>> +If the
>> +.B xprtsec=
>> +option is not specified,
>> +the default behavior depends on the kernel version,
>> +but is usually equivalent to
>> +.BR "xprtsec=none" .
>>  .SS "Options for NFS versions 2 and 3 only"
>>  Use these options, along with the options in the above subsection,
>>  for NFS versions 2 and 3 only.
> 
> 

--
Chuck Lever



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1] nfs(5): Document the new "xprtsec=" mount option
  2023-07-15 18:53   ` Chuck Lever III
@ 2023-07-15 20:04     ` Steve Dickson
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Dickson @ 2023-07-15 20:04 UTC (permalink / raw)
  To: Chuck Lever III
  Cc: Chuck Lever, Linux NFS Mailing List,
	kernel-tls-handshake@lists.linux.dev



On 7/15/23 2:53 PM, Chuck Lever III wrote:
> 
> 
>> On Jul 15, 2023, at 2:07 PM, Steve Dickson <SteveD@redhat.com> wrote:
>>
>> Hey!
>>
>> On 7/14/23 2:36 PM, Chuck Lever wrote:
>>> From: Chuck Lever <chuck.lever@oracle.com>
>>> More information about RPC-with-TLS and some brief set-up guidance
>>> are to be provided in a separate man page in Section 7.
>>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>> Question: commit b5e4539f already add this RPC-with-TLS
>> update to the man page. So do you want me to revert b5e4539f
>> and replace it with this patch?
> 
> Hrm, I didn't remember sending you a client-side man page update.
> I thought I was waiting for the in-kernel parts of the client
> TLS work to land, which they've done now in v6.5-rc.
> 
> If it's no trouble, go ahead and replace that one.
Not a problem... I'll make it work....

steved.
> 
> 
>> steved.
>>
>>> ---
>>>   utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
>>>   1 file changed, 37 insertions(+), 1 deletion(-)
>>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
>>> index d9f34df36b42..dfc31a5dad26 100644
>>> --- a/utils/mount/nfs.man
>>> +++ b/utils/mount/nfs.man
>>> @@ -574,7 +574,43 @@ The
>>>   .B sloppy
>>>   option is an alternative to specifying
>>>   .BR mount.nfs " -s " option.
>>> -
>>> +.TP 1.5i
>>> +.BI xprtsec= policy
>>> +Specifies the use of transport layer security to protect NFS network
>>> +traffic on behalf of this mount point.
>>> +.I policy
>>> +can be one of
>>> +.BR none ,
>>> +.BR tls ,
>>> +or
>>> +.BR mtls .
>>> +.IP
>>> +If
>>> +.B none
>>> +is specified,
>>> +transport layer security is forced off, even if the NFS server supports
>>> +transport layer security.
>>> +If
>>> +.B tls
>>> +is specified, the client uses RPC-with-TLS to provide in-transit
>>> +confidentiality.
>>> +If
>>> +.B mtls
>>> +is specified, the client uses RPC-with-TLS to authenticate itself and
>>> +to provide in-transit confidentiality.
>>> +If either
>>> +.B tls
>>> +or
>>> +.B mtls
>>> +is specified and the server does not support RPC-with-TLS or peer
>>> +authentication fails, the mount attempt fails.
>>> +.IP
>>> +If the
>>> +.B xprtsec=
>>> +option is not specified,
>>> +the default behavior depends on the kernel version,
>>> +but is usually equivalent to
>>> +.BR "xprtsec=none" .
>>>   .SS "Options for NFS versions 2 and 3 only"
>>>   Use these options, along with the options in the above subsection,
>>>   for NFS versions 2 and 3 only.
>>
>>
> 
> --
> Chuck Lever
> 
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1] nfs(5): Document the new "xprtsec=" mount option
  2023-07-14 18:36 [PATCH v1] nfs(5): Document the new "xprtsec=" mount option Chuck Lever
  2023-07-15 18:07 ` Steve Dickson
@ 2023-07-17 21:49 ` Steve Dickson
  2023-07-30 12:26 ` Steve Dickson
  2 siblings, 0 replies; 6+ messages in thread
From: Steve Dickson @ 2023-07-17 21:49 UTC (permalink / raw)
  To: Chuck Lever; +Cc: Chuck Lever, linux-nfs, kernel-tls-handshake



On 7/14/23 2:36 PM, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> More information about RPC-with-TLS and some brief set-up guidance
> are to be provided in a separate man page in Section 7.
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Committed... (tag: nfs-utils-2-6-4-rc3)

steved.
> ---
>   utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
>   1 file changed, 37 insertions(+), 1 deletion(-)
> 
> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> index d9f34df36b42..dfc31a5dad26 100644
> --- a/utils/mount/nfs.man
> +++ b/utils/mount/nfs.man
> @@ -574,7 +574,43 @@ The
>   .B sloppy
>   option is an alternative to specifying
>   .BR mount.nfs " -s " option.
> -
> +.TP 1.5i
> +.BI xprtsec= policy
> +Specifies the use of transport layer security to protect NFS network
> +traffic on behalf of this mount point.
> +.I policy
> +can be one of
> +.BR none ,
> +.BR tls ,
> +or
> +.BR mtls .
> +.IP
> +If
> +.B none
> +is specified,
> +transport layer security is forced off, even if the NFS server supports
> +transport layer security.
> +If
> +.B tls
> +is specified, the client uses RPC-with-TLS to provide in-transit
> +confidentiality.
> +If
> +.B mtls
> +is specified, the client uses RPC-with-TLS to authenticate itself and
> +to provide in-transit confidentiality.
> +If either
> +.B tls
> +or
> +.B mtls
> +is specified and the server does not support RPC-with-TLS or peer
> +authentication fails, the mount attempt fails.
> +.IP
> +If the
> +.B xprtsec=
> +option is not specified,
> +the default behavior depends on the kernel version,
> +but is usually equivalent to
> +.BR "xprtsec=none" .
>   .SS "Options for NFS versions 2 and 3 only"
>   Use these options, along with the options in the above subsection,
>   for NFS versions 2 and 3 only.
> 
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v1] nfs(5): Document the new "xprtsec=" mount option
  2023-07-14 18:36 [PATCH v1] nfs(5): Document the new "xprtsec=" mount option Chuck Lever
  2023-07-15 18:07 ` Steve Dickson
  2023-07-17 21:49 ` Steve Dickson
@ 2023-07-30 12:26 ` Steve Dickson
  2 siblings, 0 replies; 6+ messages in thread
From: Steve Dickson @ 2023-07-30 12:26 UTC (permalink / raw)
  To: Chuck Lever; +Cc: Chuck Lever, linux-nfs, kernel-tls-handshake



On 7/14/23 2:36 PM, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> More information about RPC-with-TLS and some brief set-up guidance
> are to be provided in a separate man page in Section 7.
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
I think I got it right... I also added a couple .IP
to make the section a bit more readable...

steved.
> ---
>   utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
>   1 file changed, 37 insertions(+), 1 deletion(-)
> 
> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> index d9f34df36b42..dfc31a5dad26 100644
> --- a/utils/mount/nfs.man
> +++ b/utils/mount/nfs.man
> @@ -574,7 +574,43 @@ The
>   .B sloppy
>   option is an alternative to specifying
>   .BR mount.nfs " -s " option.
> -
> +.TP 1.5i
> +.BI xprtsec= policy
> +Specifies the use of transport layer security to protect NFS network
> +traffic on behalf of this mount point.
> +.I policy
> +can be one of
> +.BR none ,
> +.BR tls ,
> +or
> +.BR mtls .
> +.IP
> +If
> +.B none
> +is specified,
> +transport layer security is forced off, even if the NFS server supports
> +transport layer security.
> +If
> +.B tls
> +is specified, the client uses RPC-with-TLS to provide in-transit
> +confidentiality.
> +If
> +.B mtls
> +is specified, the client uses RPC-with-TLS to authenticate itself and
> +to provide in-transit confidentiality.
> +If either
> +.B tls
> +or
> +.B mtls
> +is specified and the server does not support RPC-with-TLS or peer
> +authentication fails, the mount attempt fails.
> +.IP
> +If the
> +.B xprtsec=
> +option is not specified,
> +the default behavior depends on the kernel version,
> +but is usually equivalent to
> +.BR "xprtsec=none" .
>   .SS "Options for NFS versions 2 and 3 only"
>   Use these options, along with the options in the above subsection,
>   for NFS versions 2 and 3 only.
> 
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2023-07-30 12:27 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-14 18:36 [PATCH v1] nfs(5): Document the new "xprtsec=" mount option Chuck Lever
2023-07-15 18:07 ` Steve Dickson
2023-07-15 18:53   ` Chuck Lever III
2023-07-15 20:04     ` Steve Dickson
2023-07-17 21:49 ` Steve Dickson
2023-07-30 12:26 ` Steve Dickson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).