2023-03-28 15:29:26

by Chuck Lever III

Subject: Re: [PATCH] NFSv4: Fix NFS_V4 select RPCSEC_GSS_KRB5



> On Mar 28, 2023, at 11:02 AM, Trond Myklebust <[email protected]> wrote:
>
>
>
>> On Mar 28, 2023, at 09:40, Chuck Lever III <[email protected]> wrote:
>>
>>
>>
>>> On Mar 28, 2023, at 3:25 AM, Geert Uytterhoeven <[email protected]> wrote:
>>>
>>> If CONFIG_CRYPTO=n (e.g. arm/shmobile_defconfig):
>>>
>>> WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
>>> Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
>>> Selected by [y]:
>>> - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
>>>
>>> As NFSv4 can work without crypto enabled, fix this by making the
>>> selection of RPCSEC_GSS_KRB5 conditional on CRYPTO.
>>>
>>> Fixes: e57d065277387980 ("NFS & NFSD: Update GSS dependencies")
>>> Reported-by: kernel test robot <[email protected]>
>>> Link: https://lore.kernel.org/oe-kbuild-all/[email protected]/
>>> Reported-by: Niklas Söderlund <[email protected]>
>>> Link: https://lore.kernel.org/r/[email protected]
>>> Signed-off-by: Geert Uytterhoeven <[email protected]>
>>> ---
>>> Nfsroot ("root=/dev/nfs rw nfsroot=aaa.bbb.ccc.ddd:/path/to/fs,tcp,v4")
>>> works fine without CRYPTO and RPCSEC_GSS_KRB5.
>>> CONFIG_NFSD_V4 selects CRYPTO, so was not affected by the similar change.
>>
>> Makes sense to me.
>>
>> I can quickly take this through nfsd-fixes if the NFS maintainers
>> can send me an Acked-by.
>>
>>
>>> ---
>>> fs/nfs/Kconfig | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
>>> index 450d6c3bc05e27dd..f05c13ce0155bd69 100644
>>> --- a/fs/nfs/Kconfig
>>> +++ b/fs/nfs/Kconfig
>>> @@ -75,7 +75,7 @@ config NFS_V3_ACL
>>> config NFS_V4
>>> tristate "NFS client support for NFS version 4"
>>> depends on NFS_FS
>>> - select RPCSEC_GSS_KRB5
>>> + select RPCSEC_GSS_KRB5 if CRYPTO
>>> select KEYS
>>> help
>>> This option enables support for version 4 of the NFS protocol
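Review bot: on the `select RPCSEC_GSS_KRB5 if CRYPTO` line, a CRYPTO=n configuration now builds an NFSv4 client without Kerberos support, and nothing tells the person configuring the kernel; the help text that follows is left unchanged. Consider adding a sentence to the NFS_V4 help stating that RPCSEC_GSS Kerberos support is only selected when CRYPTO is enabled, so that a build limited to AUTH_SYS is a visible choice rather than a side effect. The conditional also keeps the `select` semantics for CRYPTO=y builds, so NFS_V4=y still forces RPCSEC_GSS_KRB5 to be built in rather than modular.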
>>> --
>>> 2.34.1
>>>
>
> Hmm… Perhaps it is time to just remove the above RPCSEC_GSS_KRB5 dependency altogether?

This is the other reason I was hesitating to address this
issue immediately: we might want to take a different
approach to dealing with these dependencies, and that
new approach might take some time to develop and test.

I agree that removing the "select" clause is a good
thing to try.


> It is possible to use the NFSv4.1 client with just AUTH_SYS, and in fact there are plenty of people out there using only that. The fact that RFC5661 gets its knickers in a twist about RPCSEC_GSS support is largely irrelevant to those people.
>
> The other issue is that 'select' enforces the strict dependency that if the NFS client is compiled into the kernel, then the RPCSEC_GSS and Kerberos code needs to be compiled in as well: they cannot exist as modules.



--
Chuck Lever