2014-09-19 12:51:47

by Steve Dickson

Subject: [PATCH 0/2] Use the gssproxy daemon for GSSAPI credentials

The gssproxy(8) daemon is now how the managing of GSSAPI
credentials should be done.

These two patches have the nfs-server systemd script start
gssproxy instead of rpc.svcgssd and removes the building
and installation of rpc.svcgssd.

For now I'm leaving the source files... Just in case... ;-)

Steve Dickson (2):
nfs-server: Replace rpc.svcgssd with gssproxy
svcgssd: Remove rules from the Makefile.am

systemd/nfs-server.service | 4 ++--
systemd/rpc-svcgssd.service | 19 -------------------
utils/gssd/Makefile.am | 25 ++-----------------------
3 files changed, 4 insertions(+), 44 deletions(-)
delete mode 100644 systemd/rpc-svcgssd.service

--
1.9.3



2014-09-19 16:36:18

by J. Bruce Fields

Subject: Re: [PATCH 0/2] Use the gssproxy daemon for GSSAPI credentials

On Fri, Sep 19, 2014 at 12:31:17PM -0400, Steve Dickson wrote:
>
>
> On 09/19/2014 11:57 AM, J. Bruce Fields wrote:
> > On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
> >> The gssproxy(8) daemon is now how the managing of GSSAPI
> >> credentials should be done.
> >>
> >> These two patches have the nfs-server systemd script start
> >> gssproxy instead of rpc.svcgssd and removes the building
> >> and installation of rpc.svcgssd.
> >>
> >> For now I'm leaving the source files... Just in case... ;-)
> >
> > If nothing else, we'd like to keep support for older kernels for a
> > while.
> Good point... I should probably make this a configurable...
> something like --enable_svcgssd and have it off by default...

Sounds fine.

--b.

2014-09-19 15:57:34

by J. Bruce Fields

Subject: Re: [PATCH 0/2] Use the gssproxy daemon for GSSAPI credentials

On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
> The gssproxy(8) daemon is now how the managing of GSSAPI
> credentials should be done.
>
> These two patches have the nfs-server systemd script start
> gssproxy instead of rpc.svcgssd and removes the building
> and installation of rpc.svcgssd.
>
> For now I'm leaving the source files... Just in case... ;-)

If nothing else, we'd like to keep support for older kernels for a
while.

--b.

>
> Steve Dickson (2):
> nfs-server: Replace rpc.svcgssd with gssproxy
> svcgssd: Remove rules from the Makefile.am
>
> systemd/nfs-server.service | 4 ++--
> systemd/rpc-svcgssd.service | 19 -------------------
> utils/gssd/Makefile.am | 25 ++-----------------------
> 3 files changed, 4 insertions(+), 44 deletions(-)
> delete mode 100644 systemd/rpc-svcgssd.service
>
> --
> 1.9.3
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html

2014-09-19 12:51:50

by Steve Dickson

Subject: [PATCH 2/2] svcgssd: Remove rules from the Makefile.am

The managing of GSSAPI credentials is now done
with the gssproxy(8) daemon so svcgssd no longer
needs to be built or installed.

Signed-off-by: Steve Dickson <[email protected]>
---
utils/gssd/Makefile.am | 25 ++-----------------------
1 file changed, 2 insertions(+), 23 deletions(-)

diff --git a/utils/gssd/Makefile.am b/utils/gssd/Makefile.am
index af59791..716dd0b 100644
--- a/utils/gssd/Makefile.am
+++ b/utils/gssd/Makefile.am
@@ -1,10 +1,10 @@
## Process this file with automake to produce Makefile.in

-man8_MANS = gssd.man svcgssd.man
+man8_MANS = gssd.man

RPCPREFIX = rpc.
KPREFIX = @kprefix@
-sbin_PREFIXED = gssd svcgssd
+sbin_PREFIXED = gssd
sbin_PROGRAMS = $(sbin_PREFIXED)

EXTRA_DIST = \
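Review bot: Dropping svcgssd from man8_MANS and sbin_PREFIXED in this hunk is unconditional, so after it there is no way to build or install rpc.svcgssd for a kernel that lacks gss-proxy support. Consider guarding both assignments with an automake conditional driven by a configure switch that defaults to off, so the old daemon can still be built where it is needed.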
@@ -45,27 +45,6 @@ gssd_LDFLAGS = $(KRBLDFLAGS) $(LIBTIRPC)
gssd_CFLAGS = $(AM_CFLAGS) $(CFLAGS) \
$(RPCSECGSS_CFLAGS) $(KRBCFLAGS) $(GSSAPI_CFLAGS)

-svcgssd_SOURCES = \
- $(COMMON_SRCS) \
- svcgssd.c \
- svcgssd_main_loop.c \
- svcgssd_mech2file.c \
- svcgssd_proc.c \
- svcgssd_krb5.c \
- \
- svcgssd_krb5.h \
- svcgssd.h
-
-svcgssd_LDADD = \
- ../../support/nfs/libnfs.a \
- $(RPCSECGSS_LIBS) $(LIBNFSIDMAP) \
- $(KRBLIBS) $(GSSAPI_LIBS) $(LIBTIRPC)
-
-svcgssd_LDFLAGS = $(KRBLDFLAGS)
-
-svcgssd_CFLAGS = $(AM_CFLAGS) $(CFLAGS) \
- $(RPCSECGSS_CFLAGS) $(KRBCFLAGS) $(GSSAPI_CFLAGS)
-
MAINTAINERCLEANFILES = Makefile.in

#######################################################################
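Review bot: With svcgssd_SOURCES removed in this hunk, automake no longer picks up svcgssd.c, svcgssd_main_loop.c, svcgssd_mech2file.c, svcgssd_proc.c, svcgssd_krb5.c and the two headers for `make dist`, although the cover letter says the source files are being left in place. If they are meant to stay usable from a release tarball, list them in EXTRA_DIST, or keep the svcgssd_* variables and make only the sbin_PREFIXED entry conditional.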
--
1.9.3


2014-09-19 17:07:57

by Simo Sorce

Subject: Re: [PATCH 0/2] Use the gssproxy daemon for GSSAPI credentials

On Fri, 19 Sep 2014 12:36:17 -0400
"J. Bruce Fields" <[email protected]> wrote:

> On Fri, Sep 19, 2014 at 12:31:17PM -0400, Steve Dickson wrote:
> >
> >
> > On 09/19/2014 11:57 AM, J. Bruce Fields wrote:
> > > On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
> > >> The gssproxy(8) daemon is now how the managing of GSSAPI
> > >> credentials should be done.
> > >>
> > >> These two patches have the nfs-server systemd script start
> > >> gssproxy instead of rpc.svcgssd and removes the building
> > >> and installation of rpc.svcgssd.
> > >>
> > >> For now I'm leaving the source files... Just in case... ;-)
> > >
> > > If nothing else, we'd like to keep support for older kernels for a
> > > while.
> > Good point... I should probably make this a configurable...
> > something like --enable_svcgssd and have it off by default...
>
> Sounds fine.

+1, it will be very useful for transitions in distributions, not all of
them will align identically I guess.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

2014-09-19 12:51:48

by Steve Dickson

Subject: [PATCH 1/2] nfs-server: Replace rpc.svcgssd with gssproxy

Make the nfs-server depend on the gssproxy
daemon running instead of svcgssd to manage
GSSAPI credentials

Signed-off-by: Steve Dickson <[email protected]>
---
systemd/nfs-server.service | 4 ++--
systemd/rpc-svcgssd.service | 19 -------------------
2 files changed, 2 insertions(+), 21 deletions(-)
delete mode 100644 systemd/rpc-svcgssd.service

diff --git a/systemd/nfs-server.service b/systemd/nfs-server.service
index 2fa7387..3b04f84 100644
--- a/systemd/nfs-server.service
+++ b/systemd/nfs-server.service
@@ -2,12 +2,12 @@
Description=NFS server and services
Requires= network.target proc-fs-nfsd.mount rpcbind.target
Requires= nfs-mountd.service
-Wants=rpc-statd.service nfs-idmapd.service rpc-gssd.service rpc-svcgssd.service
+Wants=rpc-statd.service nfs-idmapd.service rpc-gssd.service gssproxy.service
Wants=rpc-statd-notify.service

After= network.target proc-fs-nfsd.mount rpcbind.target nfs-mountd.service
After= nfs-idmapd.service rpc-statd.service
-After= rpc-gssd.service rpc-svcgssd.service
+After= rpc-gssd.service gssproxy.service
Before= rpc-statd-notify.service

Wants=nfs-config.service
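Review bot: The new Wants=gssproxy.service and After= gssproxy.service entries point at a unit this series does not install (the diffstat touches only nfs-server.service and rpc-svcgssd.service), and Wants= is a soft dependency, so on a host without gssproxy the NFS server comes up with no server-side GSS daemon and no error. Either document the gssproxy requirement alongside this change or keep rpc-svcgssd.service in both lines as a fallback.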
diff --git a/systemd/rpc-svcgssd.service b/systemd/rpc-svcgssd.service
deleted file mode 100644
index f7424b0..0000000
--- a/systemd/rpc-svcgssd.service
+++ /dev/null
@@ -1,19 +0,0 @@
-[Unit]
-Description=RPC security service for NFS server
-Requires=var-lib-nfs-rpc_pipefs.mount
-After=var-lib-nfs-rpc_pipefs.mount
-PartOf=nfs-server.service
-PartOf=nfs-utils.service
-
-After=gssproxy.service
-ConditionPathExists=|!/run/gssproxy.pid
-ConditionPathExists=|!/proc/net/rpc/use-gss-proxy
-ConditionPathExists=/etc/krb5.keytab
-
-Wants=nfs-config.service
-After=nfs-config.service
-
-[Service]
-EnvironmentFile=-/run/sysconfig/nfs-utils
-Type=forking
-ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS
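Review bot: The deleted unit's ConditionPathExists=|!/run/gssproxy.pid and ConditionPathExists=|!/proc/net/rpc/use-gss-proxy lines already made rpc.svcgssd start only when gssproxy is not running or the kernel has no use-gss-proxy interface, so removing the file drops an existing fallback for older kernels. It also drops the ConditionPathExists=/etc/krb5.keytab gate, while the replacement Wants=gssproxy.service in nfs-server.service carries no such condition. Consider keeping this unit and its entries in nfs-server.service, since its conditions make it a no-op wherever gssproxy handles the upcalls.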
--
1.9.3


2014-09-19 18:11:23

by J. Bruce Fields

Subject: Re: [PATCH 0/2] Use the gssproxy daemon for GSSAPI credentials

On Fri, Sep 19, 2014 at 01:07:52PM -0400, Simo Sorce wrote:
> On Fri, 19 Sep 2014 12:36:17 -0400
> "J. Bruce Fields" <[email protected]> wrote:
>
> > On Fri, Sep 19, 2014 at 12:31:17PM -0400, Steve Dickson wrote:
> > >
> > >
> > > On 09/19/2014 11:57 AM, J. Bruce Fields wrote:
> > > > On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
> > > >> The gssproxy(8) daemon is now how the managing of GSSAPI
> > > >> credentials should be done.
> > > >>
> > > >> These two patches have the nfs-server systemd script start
> > > >> gssproxy instead of rpc.svcgssd and removes the building
> > > >> and installation of rpc.svcgssd.
> > > >>
> > > >> For now I'm leaving the source files... Just in case... ;-)
> > > >
> > > > If nothing else, we'd like to keep support for older kernels for a
> > > > while.
> > > Good point... I should probably make this a configurable...
> > > something like --enable_svcgssd and have it off by default...
> >
> > Sounds fine.
>
> +1, it will be very useful for transitions in distributions, not all of
> them will align identically I guess.

If we wanted to be *very* nice, we could try to detect and run one or
the other at run-time. It's nice for people trying to boot old kernels
to track down (probably unrelated) regressions. But I think it would be
too complicated.

It might be simple enough for gss-proxy to log some kind of warning when
it starts up on an old kernel.

--b.
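
The run-time selection discussed in the message above, as an added example that is not part of the thread, of nfs-utils or of gss-proxy. It reuses the three paths from the removed rpc-svcgssd.service conditions; the function name `select_gss_daemon` and its ROOT prefix argument are hypothetical, and the directory tree is constructed.

```shell
#!/bin/sh
# select_gss_daemon [ROOT]
# Prints which server-side GSS helper applies: none, rpc.svcgssd or gssproxy.
# ROOT is a hypothetical path prefix so the logic can be run against a
# constructed tree; leave it empty to inspect the real system.
select_gss_daemon() {
    root="${1:-}"

    # No keytab: the server has no Kerberos identity, so neither daemon is useful.
    if [ ! -e "$root/etc/krb5.keytab" ]; then
        echo "none"
        return 0
    fi

    # Old kernel: no gss-proxy upcall interface, so only rpc.svcgssd can serve it.
    if [ ! -e "$root/proc/net/rpc/use-gss-proxy" ]; then
        if [ -e "$root/run/gssproxy.pid" ]; then
            # The start-up warning suggested in the thread, emitted on stderr.
            echo "warning: gssproxy is running but the kernel lacks use-gss-proxy" >&2
        fi
        echo "rpc.svcgssd"
        return 0
    fi

    # Kernel supports gss-proxy but the daemon is not running: fall back.
    if [ ! -e "$root/run/gssproxy.pid" ]; then
        echo "rpc.svcgssd"
        return 0
    fi

    echo "gssproxy"
}

# Constructed demo tree: keytab present, kernel without use-gss-proxy.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/proc/net/rpc" "$demo/run"
: > "$demo/etc/krb5.keytab"
select_gss_daemon "$demo"    # prints rpc.svcgssd
rm -rf "$demo"
```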

2014-09-19 18:15:45

by Simo Sorce

Subject: Re: [PATCH 0/2] Use the gssproxy daemon for GSSAPI credentials

On Fri, 19 Sep 2014 14:11:22 -0400
"J. Bruce Fields" <[email protected]> wrote:

> On Fri, Sep 19, 2014 at 01:07:52PM -0400, Simo Sorce wrote:
> > On Fri, 19 Sep 2014 12:36:17 -0400
> > "J. Bruce Fields" <[email protected]> wrote:
> >
> > > On Fri, Sep 19, 2014 at 12:31:17PM -0400, Steve Dickson wrote:
> > > >
> > > >
> > > > On 09/19/2014 11:57 AM, J. Bruce Fields wrote:
> > > > > On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
> > > > >> The gssproxy(8) daemon is now how the managing of GSSAPI
> > > > >> credentials should be done.
> > > > >>
> > > > >> These two patches have the nfs-server systemd script start
> > > > >> gssproxy instead of rpc.svcgssd and removes the building
> > > > >> and installation of rpc.svcgssd.
> > > > >>
> > > > >> For now I'm leaving the source files... Just in case... ;-)
> > > > >
> > > > > If nothing else, we'd like to keep support for older kernels
> > > > > for a while.
> > > > Good point... I should probably make this a configurable...
> > > > something like --enable_svcgssd and have it off by default...
> > >
> > > Sounds fine.
> >
> > +1, it will be very useful for transitions in distributions, not
> > all of them will align identically I guess.
>
> If we wanted to be *very* nice, we could try to detect and run one or
> the other at run-time. It's nice for people trying to boot old
> kernels to track down (probably unrelated) regressions. But I think
> it would be too complicated.
>
> It might be simple enough for gss-proxy to log some kind of warning
> when it starts up on an old kernel.

Excellent idea, I opened a ticket to track that:
https://fedorahosted.org/gss-proxy/ticket/126

Simo.

--
Simo Sorce * Red Hat, Inc * New York

2014-09-19 16:31:20

by Steve Dickson

Subject: Re: [PATCH 0/2] Use the gssproxy daemon for GSSAPI credentials



On 09/19/2014 11:57 AM, J. Bruce Fields wrote:
> On Fri, Sep 19, 2014 at 08:51:41AM -0400, Steve Dickson wrote:
>> The gssproxy(8) daemon is now how the managing of GSSAPI
>> credentials should be done.
>>
>> These two patches have the nfs-server systemd script start
>> gssproxy instead of rpc.svcgssd and removes the building
>> and installation of rpc.svcgssd.
>>
>> For now I'm leaving the source files... Just in case... ;-)
>
> If nothing else, we'd like to keep support for older kernels for a
> while.
Good point... I should probably make this a configurable...
something like --enable_svcgssd and have it off by default...

steved.

>
> --b.
>
>>
>> Steve Dickson (2):
>> nfs-server: Replace rpc.svcgssd with gssproxy
>> svcgssd: Remove rules from the Makefile.am
>>
>> systemd/nfs-server.service | 4 ++--
>> systemd/rpc-svcgssd.service | 19 -------------------
>> utils/gssd/Makefile.am | 25 ++-----------------------
>> 3 files changed, 4 insertions(+), 44 deletions(-)
>> delete mode 100644 systemd/rpc-svcgssd.service
>>
>> --
>> 1.9.3