On Tue, 23 Sep 2014 11:20:00 -0400 "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote: > On Tue, Sep 23, 2014 at 08:48:54AM -0400, Simo Sorce wrote: > > On Tue, 23 Sep 2014 12:08:04 +1000 > > NeilBrown <neilb@xxxxxxx> wrote: > > > I don't think you want an install section. That means the service > > > has to be explicitly enabled, which is a pain. > > > I think nfs-server.service should Want= this. > > > I also think > > > > > > ConditionPathExists=/etc/krb5.keytab > > > > > > would be appropriate. > > > > If GSS-Proxy is in use the administrator may choose to use a keytab > > in a different location, so I am not entirely sure we should depend > > on /etc/krb5.keytab, however it is also ok to decide that if the > > admin wants to use a different place that they create a custom unit > > file. Up to you. > > Note we're already using the same line in rpc-gssd.service and > rpc-svcgssd.service. > > Can you suggest a better "does this host have krb5 configured?" test? > > I think false positives are OK, but not false negatives. > > (So, if we run those daemons unnecessarily it may annoy some people, > but if we fail to run them when they're needed then things really > don't work.) I would simply not test for presence of a keytab if it were my call. If the admin decided to start nfs-secure I assume he already got the proper key material, ie I am not so sure that double-checking the admin in the unit files is right for gssproxy, because gssproxy has directives that allow the admin to put the keytab elsewhere. Simo. -- Simo Sorce * Red Hat, Inc * New York -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
