On Mon, Mar 01 2021, J. Bruce Fields wrote: > I've gotten requests for similar functionality, and intended to > implement it using directory notifications on /proc/fs/nfsd/clients. Interesting idea. That could report successful mounts and unmounts but wouldn't report failed mount attempts or (I think) which export point is being mounted. If we could reliably correlate the entry in 'clients' with each auth request, we could filter out multiple auth refresh requests for the same client+filesystem. The only field we could do that on would be IP address, and that wouldn't be seamless.. Might be worth pursuing if only to report "mount" and "unmount" events for a client identified by IP, and leave it to the admin to see any connection between 'mount' events and 'auth' events. Thanks, NeilBrown > > But this is another way to do it that I hadn't thought of. That's > interesting. I haven't thought about the relative advantages or > disadvantages. > > --b. > > On Mon, Mar 01, 2021 at 01:17:15PM +1100, NeilBrown wrote: >> V1 of this series didn't update the usage() message for mountd, >> and omited the required ':' after the 'T' sort-option. This >> series fixes those two omissions. >> >> Original series comment: >> >> When NFSv3 is used mountd provides logs of successful and failed mount >> attempts which can be used for auditing. >> When NFSv4 is used there are no such logs as NFSv4 does not have a >> distinct "mount" request. >> >> However mountd still knows about which filesysytems are being accessed >> from which clients, and can actually provide more reliable logs than it >> currently does, though they must be more verbose - with periodic "is >> being accessed" message replacing a single "was mounted" message. >> >> This series adds support for that logging, and adds some related >> improvements to make the logs as useful as possible. >> >> NeilBrown >> >> --- >> >> NeilBrown (5): >> mountd: reject unknown client IP when !use_ipaddr. >> mountd: Don't proactively add export info when fh info is requested. >> mountd: add logging for authentication results for accesses. >> mountd: add --cache-use-ipaddr option to force use_ipaddr >> mountd: make default ttl settable by option >> >> >> support/export/auth.c | 4 +++ >> support/export/cache.c | 32 +++++++++++------ >> support/export/v4root.c | 3 +- >> support/include/exportfs.h | 3 +- >> support/nfs/exports.c | 4 ++- >> utils/mountd/mountd.c | 30 +++++++++++++++- >> utils/mountd/mountd.man | 70 ++++++++++++++++++++++++++++++++++++++ >> 7 files changed, 131 insertions(+), 15 deletions(-) >> >> -- >> Signature
Attachment:
signature.asc
Description: PGP signature
