On Tue, Jul 25 2017, Scott Mayhew wrote: > On Sun, 23 Jul 2017, NeilBrown wrote: > >> On Sat, Jul 22 2017, Scott Mayhew wrote: >> >> > On Sat, 22 Jul 2017, NeilBrown wrote: >> > >> >> On Thu, Jul 20 2017, Scott Mayhew wrote: >> >> >> >> > We've had several users complain about gssd automatically starting. Not >> >> > everyone who has a krb5.keytab want to use secure NFS; the instructions >> >> > for disabling gssd ought to be on the man page in addition to the README >> >> > (which may not even be included in a distro's nfs-utils package). >> >> > >> >> > Signed-off-by: Scott Mayhew <smayhew@xxxxxxxxxx> >> >> > --- >> >> > systemd/nfs.systemd.man | 17 ++++++++++++++++- >> >> > 1 file changed, 16 insertions(+), 1 deletion(-) >> >> > >> >> > diff --git a/systemd/nfs.systemd.man b/systemd/nfs.systemd.man >> >> > index 01801eb..7675320 100644 >> >> > --- a/systemd/nfs.systemd.man >> >> > +++ b/systemd/nfs.systemd.man 
>> >> > @@ -79,11 +79,26 @@ unit should be enabled. >> >> > Several other units which might be considered to be optional, such as >> >> > .I rpc-gssd.service >> >> > are careful to only start if the required configuration file exists. >> >> > -.I rpc-gsdd.service >> >> > +.I rpc-gssd.service >> >> > will not start if the >> >> > .I krb5.keytab >> >> > file does not exist (typically in >> >> > .IR /etc ). >> >> > +.B rpc.gssd >> >> > +is assumed to be needed if the >> >> > +.I krb5.keytab >> >> > +file is present. If a site needs this file present but does not want >> >> > +.B rpc.gssd >> >> > +running, it should create >> >> > +.B /etc/systemd/system/rpc-gssd.service.d/01-disable.conf >> >> >> >> A substantially simpler approach would be to recommend >> >> >> >> systemctl mask rpc-gssd.service >> > >> > Thanks, Neil. I had actually tried that a while back, but it doesn't seem >> > to work in RHEL. It works fine for rpcbind, so I thought that maybe the >> > Condition clause in the unit file took precedence over masking or >> > something. I see now that masking rpc-gssd works in Fedora, so I'll go >> > digging in systemd to see if there's a bug fix that might need to be >> > backported to RHEL. >> > >> > Anyways, any objection to listing both methods in the man page? >> >> It depends on why "mask" doesn't work in RHEL. >> If the reason is specific to RHEL, then I don't think it should be >> documented in upstream nfs-utils. >> If the reason is specific to some version(s) of systemd, then >> Maybe document it as "use using systemd prior to XXXX, do this instead". > > It turns out that we have rpc-gssd.service symlinked to > nfs-secure.service in both RHEL and Fedora for backward compatibility > purposes, so it's necessary to mask both. That makes sense. I have a similar sort of hack (different specifics) in SUSE to try to provide back-compatibility. It also has problematic failure modes. 
systemd actually has a fairly robust "alias" mechanism that it uses internally, but it is only available for devices. Every "/dev/..' device unit declares that it "Follows" the corresponding "/sys/devices/..." device unit (which is "Followed-by" the dev units). I would have loved to have the infrastructure for creating compat aliases ... but it isn't available :-( > > I'll send a patch documenting masking just the rpc-gssd.service. Thanks, NeilBrown > > -Scott >> >> NeilBrown >> >> >> > >> > -Scott >> >> >> >> "mask" is also useful for disabling rpcbind if you use NFSv4 only and >> >> don't want the extra service. >> >> >> >> NeilBrown >> >> >> >> >> >> > +containing >> >> > +.RS >> >> > +.nf >> >> > +[Unit] >> >> > +ConditionNull=false >> >> > +.fi >> >> > +.RE >> >> > + >> >> > .SS Restarting NFS services >> >> > Most NFS daemons can be restarted at any time. They will reload any >> >> > state that they need, and continue servicing requests. This is rarely >> >> > -- >> >> > 2.9.4 >> >> > >> >> > -- >> >> > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in >> >> > the body of a message to majordomo@xxxxxxxxxxxxxxx >> >> > More majordomo info at http://vger.kernel.org/majordomo-info.html >> > >> > >> > -- >> > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in >> > the body of a message to majordomo@xxxxxxxxxxxxxxx >> > More majordomo info at http://vger.kernel.org/majordomo-info.html > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html
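Review bot: the added line naming the drop-in file marks the path up as `.B /etc/systemd/system/rpc-gssd.service.d/01-disable.conf`, while the other file names in the same paragraph are italic (`.I krb5.keytab`, `.IR /etc`); using `.I` for the path would keep the page consistent and leave bold for the `rpc.gssd` command name. The added text also gives the drop-in contents (`[Unit]`, `ConditionNull=false`) without saying what that setting does, so a short clause stating that it makes the unit's start condition fail even when the keytab is present would help an admin who later finds the file. The `rpc-gsdd.service` to `rpc-gssd.service` spelling fix in the same hunk is not mentioned in the commit message and deserves a line there.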