Re: [PATCH v1] nfs(5): Document the new "xprtsec=" mount option

[Steve Dickson <steved@xxxxxxxxxx>]

On 7/15/23 2:53 PM, Chuck Lever III wrote:
> > On Jul 15, 2023, at 2:07 PM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
> >
> > Hey!
> >
> > On 7/14/23 2:36 PM, Chuck Lever wrote:
> > > From: Chuck Lever <chuck.lever@xxxxxxxxxx>
> > > More information about RPC-with-TLS and some brief set-up guidance
> > > are to be provided in a separate man page in Section 7.
> > > Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
> > Question: commit b5e4539f already add this RPC-with-TLS
> > update to the man page. So do you want me to revert b5e4539f
> > and replace it with this patch?
>
> Hrm, I didn't remember sending you a client-side man page update.
> I thought I was waiting for the in-kernel parts of the client
> TLS work to land, which they've done now in v6.5-rc.
>
> If it's no trouble, go ahead and replace that one.
Not a problem... I'll make it work....

steved.
> > steved.
> >
> > > ---
> > >   utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
> > >   1 file changed, 37 insertions(+), 1 deletion(-)
> > > diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> > > index d9f34df36b42..dfc31a5dad26 100644
> > > --- a/utils/mount/nfs.man
> > > +++ b/utils/mount/nfs.man
> > > @@ -574,7 +574,43 @@ The
> > >   .B sloppy
> > >   option is an alternative to specifying
> > >   .BR mount.nfs " -s " option.
> > > -
> > > +.TP 1.5i
> > > +.BI xprtsec= policy
> > > +Specifies the use of transport layer security to protect NFS network
> > > +traffic on behalf of this mount point.
> > > +.I policy
> > > +can be one of
> > > +.BR none ,
> > > +.BR tls ,
> > > +or
> > > +.BR mtls .
> > > +.IP
> > > +If
> > > +.B none
> > > +is specified,
> > > +transport layer security is forced off, even if the NFS server supports
> > > +transport layer security.
> > > +If
> > > +.B tls
> > > +is specified, the client uses RPC-with-TLS to provide in-transit
> > > +confidentiality.
> > > +If
> > > +.B mtls
> > > +is specified, the client uses RPC-with-TLS to authenticate itself and
> > > +to provide in-transit confidentiality.
> > > +If either
> > > +.B tls
> > > +or
> > > +.B mtls
> > > +is specified and the server does not support RPC-with-TLS or peer
> > > +authentication fails, the mount attempt fails.
> > > +.IP
> > > +If the
> > > +.B xprtsec=
> > > +option is not specified,
> > > +the default behavior depends on the kernel version,
> > > +but is usually equivalent to
> > > +.BR "xprtsec=none" .
> > >   .SS "Options for NFS versions 2 and 3 only"
> > >   Use these options, along with the options in the above subsection,
> > >   for NFS versions 2 and 3 only.
>
> --
> Chuck Lever