On Tue, Sep 23, 2014 at 12:00:54PM -0400, Simo Sorce wrote: > On Tue, 23 Sep 2014 11:20:00 -0400 > "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote: > > > On Tue, Sep 23, 2014 at 08:48:54AM -0400, Simo Sorce wrote: > > > On Tue, 23 Sep 2014 12:08:04 +1000 > > > NeilBrown <neilb@xxxxxxx> wrote: > > > > I don't think you want an install section. That means the service > > > > has to be explicitly enabled, which is a pain. > > > > I think nfs-server.service should Want= this. > > > > I also think > > > > > > > > ConditionPathExists=/etc/krb5.keytab > > > > > > > > would be appropriate. > > > > > > If GSS-Proxy is in use the administrator may choose to use a keytab > > > in a different location, so I am not entirely sure we should depend > > > on /etc/krb5.keytab, however it is also ok to decide that if the > > > admin wants to use a different place that they create a custom unit > > > file. Up to you. > > > > Note we're already using the same line in rpc-gssd.service and > > rpc-svcgssd.service. > > > > Can you suggest a better "does this host have krb5 configured?" test? > > > > I think false positives are OK, but not false negatives. > > > > (So, if we run those daemons unnecessarily it may annoy some people, > > but if we fail to run them when they're needed then things really > > don't work.) > > I would simply not test for presence of a keytab if it were my call. > > If the admin decided to start nfs-secure I assume he already got the > proper key material, ie I am not so sure that double-checking the admin > in the unit files is right for gssproxy, because gssproxy has > directives that allow the admin to put the keytab elsewhere. I believe nfs-secure is being removed (there's none under nfs-utils/systemd). We'd rather not require unnecessary configuration steps. Configuring NFS and krb5 should be enough. So the point is to start the daemons automatically. --b. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
