> On Apr 5, 2023, at 12:40 PM, Steve Dickson <steved@xxxxxxxxxx> wrote:
>
> Hey Chuck,
>
> On 3/29/23 10:08 AM, Chuck Lever wrote:
>> Hi Steve-
>>
>> This is client- and server-side nfs-utils support for RPC-with-TLS.
>> The client side support at this point is only a man page update
>> since the kernel handles mount option processing itself.
>>
>> The server implementation can support both the opportunistic use of
>> transport layer security (it will be used if the client cares to),
>> and the required use of transport layer security (the server
>> requires the client to use it to access a particular export).
>>
>> Without any other user space componentry, this implementation is
>> able to handle clients that request the use of RPC-with-TLS. To
>> support security policies that restrict access to exports based on
>> the client's use of TLS, modifications to exportfs and mountd are
>> needed. These are contained in this post, and can also be found
>> here:
>>
>> git://git.linux-nfs.org/projects/cel/nfs-utils.git
>>
>> The kernel patches, along with the handshake upcall, are carried in
>> the topic-rpc-with-tls-upcall branch available from:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
>
> Just wondering if these patches should wait until the kernel
> patches reach mainline (aka rawhide)?

The kernel changes do not require these; they add more features.
Thus I don't think it's harmful to let them wait for the kernel
patches.

For testing, Jeff has set up a Fedora COPR with these, the ktls-utils
package, and an updated kernel.

What could be checked now is whether these nfs-utils changes will
break something on pre-TLS kernels.

> steved.
>
>> Soon I hope to compose a new man page in Section 7 that will provide
>> an overview and quick set-up guidance for NFS's use of RPC-with-TLS.
>> Changes since v1:
>> - Addressed Jeff's review comments
>> - Updated nfs.man as well
>>
>> ---
>>
>> Chuck Lever (4):
>>       libexports: Fix whitespace damage in support/nfs/exports.c
>>       exports: Add an xprtsec= export option
>>       exports(5): Describe the xprtsec= export option
>>       nfs(5): Document the new "xprtsec=" mount option
>>
>>
>>  support/export/cache.c       |  15 ++++++
>>  support/include/nfs/export.h |  14 +++++
>>  support/include/nfslib.h     |  14 +++++
>>  support/nfs/exports.c        | 100 ++++++++++++++++++++++++++++++++---
>>  utils/exportfs/exportfs.c    |   1 +
>>  utils/exportfs/exports.man   |  51 +++++++++++++++++-
>>  utils/mount/nfs.man          |  34 +++++++++++-
>>  7 files changed, 219 insertions(+), 10 deletions(-)
>>
>> --
>> Chuck Lever

--
Chuck Lever