Message ID | 168935977873.1850.8214830433103692090.stgit@bazille.1015granger.net (mailing list archive) |
---|---|
State | New, archived |
Series | [v1] nfs(5): Document the new "xprtsec=" mount option |
Hey! On 7/14/23 2:36 PM, Chuck Lever wrote: > From: Chuck Lever <chuck.lever@oracle.com> > > More information about RPC-with-TLS and some brief set-up guidance > are to be provided in a separate man page in Section 7. > > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Question: commit b5e4539f already added this RPC-with-TLS update to the man page. So do you want me to revert b5e4539f and replace it with this patch? steved. > --- > utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++- > 1 file changed, 37 insertions(+), 1 deletion(-) > > diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man > index d9f34df36b42..dfc31a5dad26 100644 > --- a/utils/mount/nfs.man > +++ b/utils/mount/nfs.man > @@ -574,7 +574,43 @@ The > .B sloppy > option is an alternative to specifying > .BR mount.nfs " -s " option. > - > +.TP 1.5i > +.BI xprtsec= policy > +Specifies the use of transport layer security to protect NFS network > +traffic on behalf of this mount point. > +.I policy > +can be one of > +.BR none , > +.BR tls , > +or > +.BR mtls . > +.IP > +If > +.B none > +is specified, > +transport layer security is forced off, even if the NFS server supports > +transport layer security. > +If > +.B tls > +is specified, the client uses RPC-with-TLS to provide in-transit > +confidentiality. > +If > +.B mtls > +is specified, the client uses RPC-with-TLS to authenticate itself and > +to provide in-transit confidentiality. > +If either > +.B tls > +or > +.B mtls > +is specified and the server does not support RPC-with-TLS or peer > +authentication fails, the mount attempt fails. > +.IP > +If the > +.B xprtsec= > +option is not specified, > +the default behavior depends on the kernel version, > +but is usually equivalent to > +.BR "xprtsec=none" . > .SS "Options for NFS versions 2 and 3 only" > Use these options, along with the options in the above subsection, > for NFS versions 2 and 3 only. > >
> On Jul 15, 2023, at 2:07 PM, Steve Dickson <SteveD@redhat.com> wrote: > > Hey! > > On 7/14/23 2:36 PM, Chuck Lever wrote: >> From: Chuck Lever <chuck.lever@oracle.com> >> More information about RPC-with-TLS and some brief set-up guidance >> are to be provided in a separate man page in Section 7. >> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> > Question: commit b5e4539f already added this RPC-with-TLS > update to the man page. So do you want me to revert b5e4539f > and replace it with this patch? Hrm, I didn't remember sending you a client-side man page update. I thought I was waiting for the in-kernel parts of the client TLS work to land, which they've done now in v6.5-rc. If it's no trouble, go ahead and replace that one. > steved. > >> --- >> utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++- >> 1 file changed, 37 insertions(+), 1 deletion(-) >> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man >> index d9f34df36b42..dfc31a5dad26 100644 >> --- a/utils/mount/nfs.man >> +++ b/utils/mount/nfs.man 
>> @@ -574,7 +574,43 @@ The >> .B sloppy >> option is an alternative to specifying >> .BR mount.nfs " -s " option. >> - >> +.TP 1.5i >> +.BI xprtsec= policy >> +Specifies the use of transport layer security to protect NFS network >> +traffic on behalf of this mount point. >> +.I policy >> +can be one of >> +.BR none , >> +.BR tls , >> +or >> +.BR mtls . >> +.IP >> +If >> +.B none >> +is specified, >> +transport layer security is forced off, even if the NFS server supports >> +transport layer security. >> +If >> +.B tls >> +is specified, the client uses RPC-with-TLS to provide in-transit >> +confidentiality. >> +If >> +.B mtls >> +is specified, the client uses RPC-with-TLS to authenticate itself and >> +to provide in-transit confidentiality. >> +If either >> +.B tls >> +or >> +.B mtls >> +is specified and the server does not support RPC-with-TLS or peer >> +authentication fails, the mount attempt fails. >> +.IP >> +If the >> +.B xprtsec= >> +option is not specified, >> +the default behavior depends on the kernel version, >> +but is usually equivalent to >> +.BR "xprtsec=none" . >> .SS "Options for NFS versions 2 and 3 only" >> Use these options, along with the options in the above subsection, >> for NFS versions 2 and 3 only. > > -- Chuck Lever
On 7/15/23 2:53 PM, Chuck Lever III wrote: > > >> On Jul 15, 2023, at 2:07 PM, Steve Dickson <SteveD@redhat.com> wrote: >> >> Hey! >> >> On 7/14/23 2:36 PM, Chuck Lever wrote: >>> From: Chuck Lever <chuck.lever@oracle.com> >>> More information about RPC-with-TLS and some brief set-up guidance >>> are to be provided in a separate man page in Section 7. >>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> >> Question: commit b5e4539f already added this RPC-with-TLS >> update to the man page. So do you want me to revert b5e4539f >> and replace it with this patch? > > Hrm, I didn't remember sending you a client-side man page update. > I thought I was waiting for the in-kernel parts of the client > TLS work to land, which they've done now in v6.5-rc. > > If it's no trouble, go ahead and replace that one. Not a problem... I'll make it work.... steved. > > >> steved. >> >>> --- >>> utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++- >>> 1 file changed, 37 insertions(+), 1 deletion(-) >>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man >>> index d9f34df36b42..dfc31a5dad26 100644 >>> --- a/utils/mount/nfs.man >>> +++ b/utils/mount/nfs.man 
>>> @@ -574,7 +574,43 @@ The >>> .B sloppy >>> option is an alternative to specifying >>> .BR mount.nfs " -s " option. >>> - >>> +.TP 1.5i >>> +.BI xprtsec= policy >>> +Specifies the use of transport layer security to protect NFS network >>> +traffic on behalf of this mount point. >>> +.I policy >>> +can be one of >>> +.BR none , >>> +.BR tls , >>> +or >>> +.BR mtls . >>> +.IP >>> +If >>> +.B none >>> +is specified, >>> +transport layer security is forced off, even if the NFS server supports >>> +transport layer security. >>> +If >>> +.B tls >>> +is specified, the client uses RPC-with-TLS to provide in-transit >>> +confidentiality. >>> +If >>> +.B mtls >>> +is specified, the client uses RPC-with-TLS to authenticate itself and >>> +to provide in-transit confidentiality. >>> +If either >>> +.B tls >>> +or >>> +.B mtls >>> +is specified and the server does not support RPC-with-TLS or peer >>> +authentication fails, the mount attempt fails. >>> +.IP >>> +If the >>> +.B xprtsec= >>> +option is not specified, >>> +the default behavior depends on the kernel version, >>> +but is usually equivalent to >>> +.BR "xprtsec=none" . >>> .SS "Options for NFS versions 2 and 3 only" >>> Use these options, along with the options in the above subsection, >>> for NFS versions 2 and 3 only. >> >> > > -- > Chuck Lever > >
On 7/14/23 2:36 PM, Chuck Lever wrote: > From: Chuck Lever <chuck.lever@oracle.com> > > More information about RPC-with-TLS and some brief set-up guidance > are to be provided in a separate man page in Section 7. > > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Committed... (tag: nfs-utils-2-6-4-rc3) steved. > --- > utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++- > 1 file changed, 37 insertions(+), 1 deletion(-) > > diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man > index d9f34df36b42..dfc31a5dad26 100644 > --- a/utils/mount/nfs.man > +++ b/utils/mount/nfs.man > @@ -574,7 +574,43 @@ The > .B sloppy > option is an alternative to specifying > .BR mount.nfs " -s " option. > - > +.TP 1.5i > +.BI xprtsec= policy > +Specifies the use of transport layer security to protect NFS network > +traffic on behalf of this mount point. > +.I policy > +can be one of > +.BR none , > +.BR tls , > +or > +.BR mtls . > +.IP > +If > +.B none > +is specified, > +transport layer security is forced off, even if the NFS server supports > +transport layer security. > +If > +.B tls > +is specified, the client uses RPC-with-TLS to provide in-transit > +confidentiality. > +If > +.B mtls > +is specified, the client uses RPC-with-TLS to authenticate itself and > +to provide in-transit confidentiality. > +If either > +.B tls > +or > +.B mtls > +is specified and the server does not support RPC-with-TLS or peer > +authentication fails, the mount attempt fails. > +.IP > +If the > +.B xprtsec= > +option is not specified, > +the default behavior depends on the kernel version, > +but is usually equivalent to > +.BR "xprtsec=none" . > .SS "Options for NFS versions 2 and 3 only" > Use these options, along with the options in the above subsection, > for NFS versions 2 and 3 only. > >
On 7/14/23 2:36 PM, Chuck Lever wrote: > From: Chuck Lever <chuck.lever@oracle.com> > > More information about RPC-with-TLS and some brief set-up guidance > are to be provided in a separate man page in Section 7. > > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> I think I got it right... I also added a couple .IP to make the section a bit more readable... steved. > --- > utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++- > 1 file changed, 37 insertions(+), 1 deletion(-) > > diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man > index d9f34df36b42..dfc31a5dad26 100644 > --- a/utils/mount/nfs.man > +++ b/utils/mount/nfs.man > @@ -574,7 +574,43 @@ The > .B sloppy > option is an alternative to specifying > .BR mount.nfs " -s " option. > - > +.TP 1.5i > +.BI xprtsec= policy > +Specifies the use of transport layer security to protect NFS network > +traffic on behalf of this mount point. > +.I policy > +can be one of > +.BR none , > +.BR tls , > +or > +.BR mtls . > +.IP > +If > +.B none > +is specified, > +transport layer security is forced off, even if the NFS server supports > +transport layer security. > +If > +.B tls > +is specified, the client uses RPC-with-TLS to provide in-transit > +confidentiality. > +If > +.B mtls > +is specified, the client uses RPC-with-TLS to authenticate itself and > +to provide in-transit confidentiality. > +If either > +.B tls > +or > +.B mtls > +is specified and the server does not support RPC-with-TLS or peer > +authentication fails, the mount attempt fails. > +.IP > +If the > +.B xprtsec= > +option is not specified, > +the default behavior depends on the kernel version, > +but is usually equivalent to > +.BR "xprtsec=none" . > .SS "Options for NFS versions 2 and 3 only" > Use these options, along with the options in the above subsection, > for NFS versions 2 and 3 only. > >
diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man index d9f34df36b42..dfc31a5dad26 100644 --- a/utils/mount/nfs.man +++ b/utils/mount/nfs.man @@ -574,7 +574,43 @@ The .B sloppy option is an alternative to specifying .BR mount.nfs " -s " option. - +.TP 1.5i +.BI xprtsec= policy +Specifies the use of transport layer security to protect NFS network +traffic on behalf of this mount point. +.I policy +can be one of +.BR none , +.BR tls , +or +.BR mtls . +.IP +If +.B none +is specified, +transport layer security is forced off, even if the NFS server supports +transport layer security. +If +.B tls +is specified, the client uses RPC-with-TLS to provide in-transit +confidentiality. +If +.B mtls +is specified, the client uses RPC-with-TLS to authenticate itself and +to provide in-transit confidentiality. +If either +.B tls +or +.B mtls +is specified and the server does not support RPC-with-TLS or peer +authentication fails, the mount attempt fails. +.IP +If the +.B xprtsec= +option is not specified, +the default behavior depends on the kernel version, +but is usually equivalent to +.BR "xprtsec=none" . .SS "Options for NFS versions 2 and 3 only" Use these options, along with the options in the above subsection, for NFS versions 2 and 3 only.
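Review bot: The paragraph for `tls` promises only in-transit confidentiality and never says whether the client verifies the server's certificate, and the failure sentence a few lines later refers to "peer authentication" without saying which peer is authenticated under `tls` as opposed to `mtls`. Confidentiality without server authentication does not hold against an active on-path attacker, so the text should state, for each policy, which side presents a certificate and which side verifies it. The closing paragraph ("the default behavior depends on the kernel version, but is usually equivalent to xprtsec=none") also leaves an administrator unable to tell whether a mount without the option is protected; consider saying how to confirm the policy in effect, and add a cross-reference once the Section 7 page mentioned in the commit message exists.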