diff mbox series

[v1] nfs(5): Document the new "xprtsec=" mount option

Message ID 168935977873.1850.8214830433103692090.stgit@bazille.1015granger.net (mailing list archive)
State New, archived
Headers show
Series [v1] nfs(5): Document the new "xprtsec=" mount option | expand

Commit Message

Chuck Lever July 14, 2023, 6:36 p.m. UTC
From: Chuck Lever <chuck.lever@oracle.com>

More information about RPC-with-TLS and some brief set-up guidance
are to be provided in a separate man page in Section 7.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

Comments

Steve Dickson July 15, 2023, 6:07 p.m. UTC | #1
Hey!

On 7/14/23 2:36 PM, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> More information about RPC-with-TLS and some brief set-up guidance
> are to be provided in a separate man page in Section 7.
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Question: commit b5e4539f already add this RPC-with-TLS
update to the man page. So do you want me to revert b5e4539f
and replace it with this patch?

steved.

> ---
>   utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
>   1 file changed, 37 insertions(+), 1 deletion(-)
> 
> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> index d9f34df36b42..dfc31a5dad26 100644
> --- a/utils/mount/nfs.man
> +++ b/utils/mount/nfs.man
> @@ -574,7 +574,43 @@ The
>   .B sloppy
>   option is an alternative to specifying
>   .BR mount.nfs " -s " option.
> -
> +.TP 1.5i
> +.BI xprtsec= policy
> +Specifies the use of transport layer security to protect NFS network
> +traffic on behalf of this mount point.
> +.I policy
> +can be one of
> +.BR none ,
> +.BR tls ,
> +or
> +.BR mtls .
> +.IP
> +If
> +.B none
> +is specified,
> +transport layer security is forced off, even if the NFS server supports
> +transport layer security.
> +If
> +.B tls
> +is specified, the client uses RPC-with-TLS to provide in-transit
> +confidentiality.
> +If
> +.B mtls
> +is specified, the client uses RPC-with-TLS to authenticate itself and
> +to provide in-transit confidentiality.
> +If either
> +.B tls
> +or
> +.B mtls
> +is specified and the server does not support RPC-with-TLS or peer
> +authentication fails, the mount attempt fails.
> +.IP
> +If the
> +.B xprtsec=
> +option is not specified,
> +the default behavior depends on the kernel version,
> +but is usually equivalent to
> +.BR "xprtsec=none" .
>   .SS "Options for NFS versions 2 and 3 only"
>   Use these options, along with the options in the above subsection,
>   for NFS versions 2 and 3 only.
> 
>
Chuck Lever July 15, 2023, 6:53 p.m. UTC | #2
> On Jul 15, 2023, at 2:07 PM, Steve Dickson <SteveD@redhat.com> wrote:
> 
> Hey!
> 
> On 7/14/23 2:36 PM, Chuck Lever wrote:
>> From: Chuck Lever <chuck.lever@oracle.com>
>> More information about RPC-with-TLS and some brief set-up guidance
>> are to be provided in a separate man page in Section 7.
>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> Question: commit b5e4539f already add this RPC-with-TLS
> update to the man page. So do you want me to revert b5e4539f
> and replace it with this patch?

Hrm, I didn't remember sending you a client-side man page update.
I thought I was waiting for the in-kernel parts of the client
TLS work to land, which they've done now in v6.5-rc.

If it's no trouble, go ahead and replace that one.


> steved.
> 
>> ---
>>  utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
>>  1 file changed, 37 insertions(+), 1 deletion(-)
>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
>> index d9f34df36b42..dfc31a5dad26 100644
>> --- a/utils/mount/nfs.man
>> +++ b/utils/mount/nfs.man
>> @@ -574,7 +574,43 @@ The
>>  .B sloppy
>>  option is an alternative to specifying
>>  .BR mount.nfs " -s " option.
>> -
>> +.TP 1.5i
>> +.BI xprtsec= policy
>> +Specifies the use of transport layer security to protect NFS network
>> +traffic on behalf of this mount point.
>> +.I policy
>> +can be one of
>> +.BR none ,
>> +.BR tls ,
>> +or
>> +.BR mtls .
>> +.IP
>> +If
>> +.B none
>> +is specified,
>> +transport layer security is forced off, even if the NFS server supports
>> +transport layer security.
>> +If
>> +.B tls
>> +is specified, the client uses RPC-with-TLS to provide in-transit
>> +confidentiality.
>> +If
>> +.B mtls
>> +is specified, the client uses RPC-with-TLS to authenticate itself and
>> +to provide in-transit confidentiality.
>> +If either
>> +.B tls
>> +or
>> +.B mtls
>> +is specified and the server does not support RPC-with-TLS or peer
>> +authentication fails, the mount attempt fails.
>> +.IP
>> +If the
>> +.B xprtsec=
>> +option is not specified,
>> +the default behavior depends on the kernel version,
>> +but is usually equivalent to
>> +.BR "xprtsec=none" .
>>  .SS "Options for NFS versions 2 and 3 only"
>>  Use these options, along with the options in the above subsection,
>>  for NFS versions 2 and 3 only.
> 
> 

--
Chuck Lever
Steve Dickson July 15, 2023, 8:04 p.m. UTC | #3
On 7/15/23 2:53 PM, Chuck Lever III wrote:
> 
> 
>> On Jul 15, 2023, at 2:07 PM, Steve Dickson <SteveD@redhat.com> wrote:
>>
>> Hey!
>>
>> On 7/14/23 2:36 PM, Chuck Lever wrote:
>>> From: Chuck Lever <chuck.lever@oracle.com>
>>> More information about RPC-with-TLS and some brief set-up guidance
>>> are to be provided in a separate man page in Section 7.
>>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>> Question: commit b5e4539f already add this RPC-with-TLS
>> update to the man page. So do you want me to revert b5e4539f
>> and replace it with this patch?
> 
> Hrm, I didn't remember sending you a client-side man page update.
> I thought I was waiting for the in-kernel parts of the client
> TLS work to land, which they've done now in v6.5-rc.
> 
> If it's no trouble, go ahead and replace that one.
Not a problem... I'll make it work....

steved.
> 
> 
>> steved.
>>
>>> ---
>>>   utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
>>>   1 file changed, 37 insertions(+), 1 deletion(-)
>>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
>>> index d9f34df36b42..dfc31a5dad26 100644
>>> --- a/utils/mount/nfs.man
>>> +++ b/utils/mount/nfs.man
>>> @@ -574,7 +574,43 @@ The
>>>   .B sloppy
>>>   option is an alternative to specifying
>>>   .BR mount.nfs " -s " option.
>>> -
>>> +.TP 1.5i
>>> +.BI xprtsec= policy
>>> +Specifies the use of transport layer security to protect NFS network
>>> +traffic on behalf of this mount point.
>>> +.I policy
>>> +can be one of
>>> +.BR none ,
>>> +.BR tls ,
>>> +or
>>> +.BR mtls .
>>> +.IP
>>> +If
>>> +.B none
>>> +is specified,
>>> +transport layer security is forced off, even if the NFS server supports
>>> +transport layer security.
>>> +If
>>> +.B tls
>>> +is specified, the client uses RPC-with-TLS to provide in-transit
>>> +confidentiality.
>>> +If
>>> +.B mtls
>>> +is specified, the client uses RPC-with-TLS to authenticate itself and
>>> +to provide in-transit confidentiality.
>>> +If either
>>> +.B tls
>>> +or
>>> +.B mtls
>>> +is specified and the server does not support RPC-with-TLS or peer
>>> +authentication fails, the mount attempt fails.
>>> +.IP
>>> +If the
>>> +.B xprtsec=
>>> +option is not specified,
>>> +the default behavior depends on the kernel version,
>>> +but is usually equivalent to
>>> +.BR "xprtsec=none" .
>>>   .SS "Options for NFS versions 2 and 3 only"
>>>   Use these options, along with the options in the above subsection,
>>>   for NFS versions 2 and 3 only.
>>
>>
> 
> --
> Chuck Lever
> 
>
Steve Dickson July 17, 2023, 9:49 p.m. UTC | #4
On 7/14/23 2:36 PM, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> More information about RPC-with-TLS and some brief set-up guidance
> are to be provided in a separate man page in Section 7.
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Committed... (tag: nfs-utils-2-6-4-rc3)

steved.
> ---
>   utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
>   1 file changed, 37 insertions(+), 1 deletion(-)
> 
> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> index d9f34df36b42..dfc31a5dad26 100644
> --- a/utils/mount/nfs.man
> +++ b/utils/mount/nfs.man
> @@ -574,7 +574,43 @@ The
>   .B sloppy
>   option is an alternative to specifying
>   .BR mount.nfs " -s " option.
> -
> +.TP 1.5i
> +.BI xprtsec= policy
> +Specifies the use of transport layer security to protect NFS network
> +traffic on behalf of this mount point.
> +.I policy
> +can be one of
> +.BR none ,
> +.BR tls ,
> +or
> +.BR mtls .
> +.IP
> +If
> +.B none
> +is specified,
> +transport layer security is forced off, even if the NFS server supports
> +transport layer security.
> +If
> +.B tls
> +is specified, the client uses RPC-with-TLS to provide in-transit
> +confidentiality.
> +If
> +.B mtls
> +is specified, the client uses RPC-with-TLS to authenticate itself and
> +to provide in-transit confidentiality.
> +If either
> +.B tls
> +or
> +.B mtls
> +is specified and the server does not support RPC-with-TLS or peer
> +authentication fails, the mount attempt fails.
> +.IP
> +If the
> +.B xprtsec=
> +option is not specified,
> +the default behavior depends on the kernel version,
> +but is usually equivalent to
> +.BR "xprtsec=none" .
>   .SS "Options for NFS versions 2 and 3 only"
>   Use these options, along with the options in the above subsection,
>   for NFS versions 2 and 3 only.
> 
>
Steve Dickson July 30, 2023, 12:26 p.m. UTC | #5
On 7/14/23 2:36 PM, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> More information about RPC-with-TLS and some brief set-up guidance
> are to be provided in a separate man page in Section 7.
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
I think I got it right... I also added a couple .IP
to make the section a bit more readable...

steved.
> ---
>   utils/mount/nfs.man |   38 +++++++++++++++++++++++++++++++++++++-
>   1 file changed, 37 insertions(+), 1 deletion(-)
> 
> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> index d9f34df36b42..dfc31a5dad26 100644
> --- a/utils/mount/nfs.man
> +++ b/utils/mount/nfs.man
> @@ -574,7 +574,43 @@ The
>   .B sloppy
>   option is an alternative to specifying
>   .BR mount.nfs " -s " option.
> -
> +.TP 1.5i
> +.BI xprtsec= policy
> +Specifies the use of transport layer security to protect NFS network
> +traffic on behalf of this mount point.
> +.I policy
> +can be one of
> +.BR none ,
> +.BR tls ,
> +or
> +.BR mtls .
> +.IP
> +If
> +.B none
> +is specified,
> +transport layer security is forced off, even if the NFS server supports
> +transport layer security.
> +If
> +.B tls
> +is specified, the client uses RPC-with-TLS to provide in-transit
> +confidentiality.
> +If
> +.B mtls
> +is specified, the client uses RPC-with-TLS to authenticate itself and
> +to provide in-transit confidentiality.
> +If either
> +.B tls
> +or
> +.B mtls
> +is specified and the server does not support RPC-with-TLS or peer
> +authentication fails, the mount attempt fails.
> +.IP
> +If the
> +.B xprtsec=
> +option is not specified,
> +the default behavior depends on the kernel version,
> +but is usually equivalent to
> +.BR "xprtsec=none" .
>   .SS "Options for NFS versions 2 and 3 only"
>   Use these options, along with the options in the above subsection,
>   for NFS versions 2 and 3 only.
> 
>
diff mbox series

Patch

diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
index d9f34df36b42..dfc31a5dad26 100644
--- a/utils/mount/nfs.man
+++ b/utils/mount/nfs.man
@@ -574,7 +574,43 @@  The
 .B sloppy
 option is an alternative to specifying
 .BR mount.nfs " -s " option.
-
+.TP 1.5i
+.BI xprtsec= policy
+Specifies the use of transport layer security to protect NFS network
+traffic on behalf of this mount point.
+.I policy
+can be one of
+.BR none ,
+.BR tls ,
+or
+.BR mtls .
+.IP
+If
+.B none
+is specified,
+transport layer security is forced off, even if the NFS server supports
+transport layer security.
+If
+.B tls
+is specified, the client uses RPC-with-TLS to provide in-transit
+confidentiality.
+If
+.B mtls
+is specified, the client uses RPC-with-TLS to authenticate itself and
+to provide in-transit confidentiality.
+If either
+.B tls
+or
+.B mtls
+is specified and the server does not support RPC-with-TLS or peer
+authentication fails, the mount attempt fails.
+.IP
+If the
+.B xprtsec=
+option is not specified,
+the default behavior depends on the kernel version,
+but is usually equivalent to
+.BR "xprtsec=none" .
 .SS "Options for NFS versions 2 and 3 only"
 Use these options, along with the options in the above subsection,
 for NFS versions 2 and 3 only.