On Sat, Jul 22 2017, Scott Mayhew wrote: > On Sat, 22 Jul 2017, NeilBrown wrote: > >> On Thu, Jul 20 2017, Scott Mayhew wrote: >> >> > We've had several users complain about gssd automatically starting. Not >> > everyone who has a krb5.keytab want to use secure NFS; the instructions >> > for disabling gssd ought to be on the man page in addition to the README >> > (which may not even be included in a distro's nfs-utils package). >> > >> > Signed-off-by: Scott Mayhew <smayhew@xxxxxxxxxx> >> > --- >> > systemd/nfs.systemd.man | 17 ++++++++++++++++- >> > 1 file changed, 16 insertions(+), 1 deletion(-) >> > >> > diff --git a/systemd/nfs.systemd.man b/systemd/nfs.systemd.man >> > index 01801eb..7675320 100644 >> > --- a/systemd/nfs.systemd.man >> > +++ b/systemd/nfs.systemd.man >> > @@ -79,11 +79,26 @@ unit should be enabled. >> > Several other units which might be considered to be optional, such as >> > .I rpc-gssd.service >> > are careful to only start if the required configuration file exists. >> > -.I rpc-gsdd.service >> > +.I rpc-gssd.service >> > will not start if the >> > .I krb5.keytab >> > file does not exist (typically in >> > .IR /etc ). >> > +.B rpc.gssd >> > +is assumed to be needed if the >> > +.I krb5.keytab >> > +file is present. If a site needs this file present but does not want >> > +.B rpc.gssd >> > +running, it should create >> > +.B /etc/systemd/system/rpc-gssd.service.d/01-disable.conf >> >> A substantially simpler approach would be to recommend >> >> systemctl mask rpc-gssd.service > > Thanks, Neil. I had actually tried that a while back, but it doesn't seem > to work in RHEL. It works fine for rpcbind, so I thought that maybe the > Condition clause in the unit file took precedence over masking or > something. I see now that masking rpc-gssd works in Fedora, so I'll go > digging in systemd to see if there's a bug fix that might need to be > backported to RHEL. > > Anyways, any objection to listing both methods in the man page? It depends on why "mask" doesn't work in RHEL. If the reason is specific to RHEL, then I don't think it should be documented in upstream nfs-utils. If the reason is specific to some version(s) of systemd, then Maybe document it as "use using systemd prior to XXXX, do this instead". NeilBrown > > -Scott >> >> "mask" is also useful for disabling rpcbind if you use NFSv4 only and >> don't want the extra service. >> >> NeilBrown >> >> >> > +containing >> > +.RS >> > +.nf >> > +[Unit] >> > +ConditionNull=false >> > +.fi >> > +.RE >> > + >> > .SS Restarting NFS services >> > Most NFS daemons can be restarted at any time. They will reload any >> > state that they need, and continue servicing requests. This is rarely >> > -- >> > 2.9.4 >> > >> > -- >> > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in >> > the body of a message to majordomo@xxxxxxxxxxxxxxx >> > More majordomo info at http://vger.kernel.org/majordomo-info.html > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html
Attachment:
signature.asc
Description: PGP signature
