Re: [nfs-utils PATCH v4] systemd: add instructions for disabling gssd to nfs.systemd.man

On Sun, 23 Jul 2017, NeilBrown wrote:

> On Sat, Jul 22 2017, Scott Mayhew wrote:
> 
> > On Sat, 22 Jul 2017, NeilBrown wrote:
> >
> >> On Thu, Jul 20 2017, Scott Mayhew wrote:
> >> 
> >> > We've had several users complain about gssd automatically starting.  Not
> >> > everyone who has a krb5.keytab wants to use secure NFS; the instructions
> >> > for disabling gssd ought to be on the man page in addition to the README
> >> > (which may not even be included in a distro's nfs-utils package).
> >> >
> >> > Signed-off-by: Scott Mayhew <smayhew@xxxxxxxxxx>
> >> > ---
> >> >  systemd/nfs.systemd.man | 17 ++++++++++++++++-
> >> >  1 file changed, 16 insertions(+), 1 deletion(-)
> >> >
> >> > diff --git a/systemd/nfs.systemd.man b/systemd/nfs.systemd.man
> >> > index 01801eb..7675320 100644
> >> > --- a/systemd/nfs.systemd.man
> >> > +++ b/systemd/nfs.systemd.man
> >> > @@ -79,11 +79,26 @@ unit should be enabled.
> >> >  Several other units which might be considered to be optional, such as
> >> >  .I rpc-gssd.service
> >> >  are careful to only start if the required configuration file exists.
> >> > -.I rpc-gsdd.service
> >> > +.I rpc-gssd.service
> >> >  will not start if the
> >> >  .I krb5.keytab
> >> >  file does not exist (typically in
> >> >  .IR /etc ).
> >> > +.B rpc.gssd
> >> > +is assumed to be needed if the
> >> > +.I krb5.keytab
> >> > +file is present.  If a site needs this file present but does not want
> >> > +.B rpc.gssd
> >> > +running, it should create
> >> > +.B /etc/systemd/system/rpc-gssd.service.d/01-disable.conf
> >> 
> >> A substantially simpler approach would be to recommend
> >> 
> >>   systemctl mask rpc-gssd.service
> >
> > Thanks, Neil.  I had actually tried that a while back, but it doesn't seem
> > to work in RHEL.  It works fine for rpcbind, so I thought that maybe the
> > Condition clause in the unit file took precedence over masking or
> > something.  I see now that masking rpc-gssd works in Fedora, so I'll go
> > digging in systemd to see if there's a bug fix that might need to be
> > backported to RHEL.
> >
> > Anyways, any objection to listing both methods in the man page?
> 
> It depends on why "mask" doesn't work in RHEL.
> If the reason is specific to RHEL, then I don't think it should be
> documented in upstream nfs-utils.
> If the reason is specific to some version(s) of systemd, then
> maybe document it as "if using systemd prior to XXXX, do this instead".

It turns out that we have rpc-gssd.service symlinked to
nfs-secure.service in both RHEL and Fedora for backward compatibility
purposes, so it's necessary to mask both.

I'll send a patch documenting masking just the rpc-gssd.service.

-Scott
> 
> NeilBrown
> 
> 
> >
> > -Scott
> >> 
> >> "mask" is also useful for disabling rpcbind if you use NFSv4 only and
> >> don't want the extra service.
> >> 
> >> NeilBrown
> >> 
> >> 
> >> > +containing
> >> > +.RS
> >> > +.nf
> >> > +[Unit]
> >> > +ConditionNull=false
> >> > +.fi
> >> > +.RE
> >> > +
> >> >  .SS Restarting NFS services
> >> >  Most NFS daemons can be restarted at any time.  They will reload any
> >> >  state that they need, and continue servicing requests.  This is rarely
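Review bot: The text added after ".IR /etc )." tells the admin to create 01-disable.conf but does not say that systemd has to re-read its unit files (systemctl daemon-reload) before the drop-in applies, or that a condition is only evaluated when the unit is started, so an rpc.gssd that is already running keeps running until it is stopped; one sentence covering both would close the gap. As a style point, the drop-in path is set with ".B" while the other file names in this hunk (krb5.keytab, rpc-gssd.service) use ".I"; ".I" would be consistent.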
> >> > -- 
> >> > 2.9.4
> >> >
> >> > --
> >> > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> >> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> >> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >
> >


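The checks discussed in this thread, gathered into one script as an added example (not from the thread or from nfs-utils): it reports whether rpc-gssd.service is held back by a missing keytab, by a mask on the unit and its nfs-secure.service alias, or by the ConditionNull=false drop-in. The root-prefix argument, the state names and the /usr/lib/systemd/system location of the alias are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report why rpc-gssd.service would or would not start.
# The root prefix is a hypothetical parameter so the check can be run
# against a constructed tree; pass nothing to inspect the live system.

is_masked() {   # $1 = root prefix, $2 = unit name
    # "systemctl mask" leaves a symlink to /dev/null in /etc/systemd/system
    [ -L "$1/etc/systemd/system/$2" ] &&
        [ "$(readlink "$1/etc/systemd/system/$2")" = "/dev/null" ]
}

gssd_state() {  # $1 = root prefix; prints one state word
    root=${1:-}
    unitdir="$root/etc/systemd/system"
    # Assumed packaged location of the alias; the thread only says that
    # RHEL and Fedora ship nfs-secure.service as a symlink.
    alias_unit="$root/usr/lib/systemd/system/nfs-secure.service"

    if [ ! -e "$root/etc/krb5.keytab" ]; then
        echo no-keytab; return 0          # the unit's own condition fails
    fi
    if is_masked "$root" rpc-gssd.service; then
        if [ -e "$alias_unit" ] || [ -L "$alias_unit" ]; then
            # Per the thread, both names have to be masked where the alias exists
            is_masked "$root" nfs-secure.service || { echo alias-unmasked; return 0; }
        fi
        echo masked; return 0
    fi
    for f in "$unitdir"/rpc-gssd.service.d/*.conf; do
        [ -f "$f" ] || continue           # glob matched nothing
        if grep -Eq '^[[:space:]]*ConditionNull[[:space:]]*=[[:space:]]*(false|no|off|0)[[:space:]]*$' "$f"; then
            echo condition-disabled; return 0
        fi
    done
    echo would-start
}
```

Source the file and call `gssd_state` with no argument to check the running host; only masks under /etc/systemd/system are examined.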


