From: Chuck Lever <[email protected]>
More information about RPC-with-TLS and some brief set-up guidance
are to be provided in a separate man page in Section 7.
Signed-off-by: Chuck Lever <[email protected]>
---
utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
index d9f34df36b42..dfc31a5dad26 100644
--- a/utils/mount/nfs.man
+++ b/utils/mount/nfs.man
@@ -574,7 +574,43 @@ The
.B sloppy
option is an alternative to specifying
.BR mount.nfs " -s " option.
-
+.TP 1.5i
+.BI xprtsec= policy
+Specifies the use of transport layer security to protect NFS network
+traffic on behalf of this mount point.
+.I policy
+can be one of
+.BR none ,
+.BR tls ,
+or
+.BR mtls .
+.IP
+If
+.B none
+is specified,
+transport layer security is forced off, even if the NFS server supports
+transport layer security.
+If
+.B tls
+is specified, the client uses RPC-with-TLS to provide in-transit
+confidentiality.
+If
+.B mtls
+is specified, the client uses RPC-with-TLS to authenticate itself and
+to provide in-transit confidentiality.
+If either
+.B tls
+or
+.B mtls
+is specified and the server does not support RPC-with-TLS or peer
+authentication fails, the mount attempt fails.
+.IP
+If the
+.B xprtsec=
+option is not specified,
+the default behavior depends on the kernel version,
+but is usually equivalent to
+.BR "xprtsec=none" .
.SS "Options for NFS versions 2 and 3 only"
Use these options, along with the options in the above subsection,
for NFS versions 2 and 3 only.
Hey!
On 7/14/23 2:36 PM, Chuck Lever wrote:
> From: Chuck Lever <[email protected]>
>
> More information about RPC-with-TLS and some brief set-up guidance
> are to be provided in a separate man page in Section 7.
>
> Signed-off-by: Chuck Lever <[email protected]>
Question: commit b5e4539f already add this RPC-with-TLS
update to the man page. So do you want me to revert b5e4539f
and replace it with this patch?
steved.
> ---
> utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++-
> 1 file changed, 37 insertions(+), 1 deletion(-)
>
> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> index d9f34df36b42..dfc31a5dad26 100644
> --- a/utils/mount/nfs.man
> +++ b/utils/mount/nfs.man
> @@ -574,7 +574,43 @@ The
> .B sloppy
> option is an alternative to specifying
> .BR mount.nfs " -s " option.
> -
> +.TP 1.5i
> +.BI xprtsec= policy
> +Specifies the use of transport layer security to protect NFS network
> +traffic on behalf of this mount point.
> +.I policy
> +can be one of
> +.BR none ,
> +.BR tls ,
> +or
> +.BR mtls .
> +.IP
> +If
> +.B none
> +is specified,
> +transport layer security is forced off, even if the NFS server supports
> +transport layer security.
> +If
> +.B tls
> +is specified, the client uses RPC-with-TLS to provide in-transit
> +confidentiality.
> +If
> +.B mtls
> +is specified, the client uses RPC-with-TLS to authenticate itself and
> +to provide in-transit confidentiality.
> +If either
> +.B tls
> +or
> +.B mtls
> +is specified and the server does not support RPC-with-TLS or peer
> +authentication fails, the mount attempt fails.
> +.IP
> +If the
> +.B xprtsec=
> +option is not specified,
> +the default behavior depends on the kernel version,
> +but is usually equivalent to
> +.BR "xprtsec=none" .
> .SS "Options for NFS versions 2 and 3 only"
> Use these options, along with the options in the above subsection,
> for NFS versions 2 and 3 only.
>
>
> On Jul 15, 2023, at 2:07 PM, Steve Dickson <[email protected]> wrote:
>
> Hey!
>
> On 7/14/23 2:36 PM, Chuck Lever wrote:
>> From: Chuck Lever <[email protected]>
>> More information about RPC-with-TLS and some brief set-up guidance
>> are to be provided in a separate man page in Section 7.
>> Signed-off-by: Chuck Lever <[email protected]>
> Question: commit b5e4539f already add this RPC-with-TLS
> update to the man page. So do you want me to revert b5e4539f
> and replace it with this patch?
Hrm, I didn't remember sending you a client-side man page update.
I thought I was waiting for the in-kernel parts of the client
TLS work to land, which they've done now in v6.5-rc.
If it's no trouble, go ahead and replace that one.
> steved.
>
>> ---
>> utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++-
>> 1 file changed, 37 insertions(+), 1 deletion(-)
>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
>> index d9f34df36b42..dfc31a5dad26 100644
>> --- a/utils/mount/nfs.man
>> +++ b/utils/mount/nfs.man
>> @@ -574,7 +574,43 @@ The
>> .B sloppy
>> option is an alternative to specifying
>> .BR mount.nfs " -s " option.
>> -
>> +.TP 1.5i
>> +.BI xprtsec= policy
>> +Specifies the use of transport layer security to protect NFS network
>> +traffic on behalf of this mount point.
>> +.I policy
>> +can be one of
>> +.BR none ,
>> +.BR tls ,
>> +or
>> +.BR mtls .
>> +.IP
>> +If
>> +.B none
>> +is specified,
>> +transport layer security is forced off, even if the NFS server supports
>> +transport layer security.
>> +If
>> +.B tls
>> +is specified, the client uses RPC-with-TLS to provide in-transit
>> +confidentiality.
>> +If
>> +.B mtls
>> +is specified, the client uses RPC-with-TLS to authenticate itself and
>> +to provide in-transit confidentiality.
>> +If either
>> +.B tls
>> +or
>> +.B mtls
>> +is specified and the server does not support RPC-with-TLS or peer
>> +authentication fails, the mount attempt fails.
>> +.IP
>> +If the
>> +.B xprtsec=
>> +option is not specified,
>> +the default behavior depends on the kernel version,
>> +but is usually equivalent to
>> +.BR "xprtsec=none" .
>> .SS "Options for NFS versions 2 and 3 only"
>> Use these options, along with the options in the above subsection,
>> for NFS versions 2 and 3 only.
>
>
--
Chuck Lever
On 7/15/23 2:53 PM, Chuck Lever III wrote:
>
>
>> On Jul 15, 2023, at 2:07 PM, Steve Dickson <[email protected]> wrote:
>>
>> Hey!
>>
>> On 7/14/23 2:36 PM, Chuck Lever wrote:
>>> From: Chuck Lever <[email protected]>
>>> More information about RPC-with-TLS and some brief set-up guidance
>>> are to be provided in a separate man page in Section 7.
>>> Signed-off-by: Chuck Lever <[email protected]>
>> Question: commit b5e4539f already add this RPC-with-TLS
>> update to the man page. So do you want me to revert b5e4539f
>> and replace it with this patch?
>
> Hrm, I didn't remember sending you a client-side man page update.
> I thought I was waiting for the in-kernel parts of the client
> TLS work to land, which they've done now in v6.5-rc.
>
> If it's no trouble, go ahead and replace that one.
Not a problem... I'll make it work....
steved.
>
>
>> steved.
>>
>>> ---
>>> utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++-
>>> 1 file changed, 37 insertions(+), 1 deletion(-)
>>> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
>>> index d9f34df36b42..dfc31a5dad26 100644
>>> --- a/utils/mount/nfs.man
>>> +++ b/utils/mount/nfs.man
>>> @@ -574,7 +574,43 @@ The
>>> .B sloppy
>>> option is an alternative to specifying
>>> .BR mount.nfs " -s " option.
>>> -
>>> +.TP 1.5i
>>> +.BI xprtsec= policy
>>> +Specifies the use of transport layer security to protect NFS network
>>> +traffic on behalf of this mount point.
>>> +.I policy
>>> +can be one of
>>> +.BR none ,
>>> +.BR tls ,
>>> +or
>>> +.BR mtls .
>>> +.IP
>>> +If
>>> +.B none
>>> +is specified,
>>> +transport layer security is forced off, even if the NFS server supports
>>> +transport layer security.
>>> +If
>>> +.B tls
>>> +is specified, the client uses RPC-with-TLS to provide in-transit
>>> +confidentiality.
>>> +If
>>> +.B mtls
>>> +is specified, the client uses RPC-with-TLS to authenticate itself and
>>> +to provide in-transit confidentiality.
>>> +If either
>>> +.B tls
>>> +or
>>> +.B mtls
>>> +is specified and the server does not support RPC-with-TLS or peer
>>> +authentication fails, the mount attempt fails.
>>> +.IP
>>> +If the
>>> +.B xprtsec=
>>> +option is not specified,
>>> +the default behavior depends on the kernel version,
>>> +but is usually equivalent to
>>> +.BR "xprtsec=none" .
>>> .SS "Options for NFS versions 2 and 3 only"
>>> Use these options, along with the options in the above subsection,
>>> for NFS versions 2 and 3 only.
>>
>>
>
> --
> Chuck Lever
>
>
On 7/14/23 2:36 PM, Chuck Lever wrote:
> From: Chuck Lever <[email protected]>
>
> More information about RPC-with-TLS and some brief set-up guidance
> are to be provided in a separate man page in Section 7.
>
> Signed-off-by: Chuck Lever <[email protected]>
Committed... (tag: nfs-utils-2-6-4-rc3)
steved.
> ---
> utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++-
> 1 file changed, 37 insertions(+), 1 deletion(-)
>
> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> index d9f34df36b42..dfc31a5dad26 100644
> --- a/utils/mount/nfs.man
> +++ b/utils/mount/nfs.man
> @@ -574,7 +574,43 @@ The
> .B sloppy
> option is an alternative to specifying
> .BR mount.nfs " -s " option.
> -
> +.TP 1.5i
> +.BI xprtsec= policy
> +Specifies the use of transport layer security to protect NFS network
> +traffic on behalf of this mount point.
> +.I policy
> +can be one of
> +.BR none ,
> +.BR tls ,
> +or
> +.BR mtls .
> +.IP
> +If
> +.B none
> +is specified,
> +transport layer security is forced off, even if the NFS server supports
> +transport layer security.
> +If
> +.B tls
> +is specified, the client uses RPC-with-TLS to provide in-transit
> +confidentiality.
> +If
> +.B mtls
> +is specified, the client uses RPC-with-TLS to authenticate itself and
> +to provide in-transit confidentiality.
> +If either
> +.B tls
> +or
> +.B mtls
> +is specified and the server does not support RPC-with-TLS or peer
> +authentication fails, the mount attempt fails.
> +.IP
> +If the
> +.B xprtsec=
> +option is not specified,
> +the default behavior depends on the kernel version,
> +but is usually equivalent to
> +.BR "xprtsec=none" .
> .SS "Options for NFS versions 2 and 3 only"
> Use these options, along with the options in the above subsection,
> for NFS versions 2 and 3 only.
>
>
On 7/14/23 2:36 PM, Chuck Lever wrote:
> From: Chuck Lever <[email protected]>
>
> More information about RPC-with-TLS and some brief set-up guidance
> are to be provided in a separate man page in Section 7.
>
> Signed-off-by: Chuck Lever <[email protected]>
I think I got it right... I also added a couple .IP
to make the section a bit more readable...
steved.
> ---
> utils/mount/nfs.man | 38 +++++++++++++++++++++++++++++++++++++-
> 1 file changed, 37 insertions(+), 1 deletion(-)
>
> diff --git a/utils/mount/nfs.man b/utils/mount/nfs.man
> index d9f34df36b42..dfc31a5dad26 100644
> --- a/utils/mount/nfs.man
> +++ b/utils/mount/nfs.man
> @@ -574,7 +574,43 @@ The
> .B sloppy
> option is an alternative to specifying
> .BR mount.nfs " -s " option.
> -
> +.TP 1.5i
> +.BI xprtsec= policy
> +Specifies the use of transport layer security to protect NFS network
> +traffic on behalf of this mount point.
> +.I policy
> +can be one of
> +.BR none ,
> +.BR tls ,
> +or
> +.BR mtls .
> +.IP
> +If
> +.B none
> +is specified,
> +transport layer security is forced off, even if the NFS server supports
> +transport layer security.
> +If
> +.B tls
> +is specified, the client uses RPC-with-TLS to provide in-transit
> +confidentiality.
> +If
> +.B mtls
> +is specified, the client uses RPC-with-TLS to authenticate itself and
> +to provide in-transit confidentiality.
> +If either
> +.B tls
> +or
> +.B mtls
> +is specified and the server does not support RPC-with-TLS or peer
> +authentication fails, the mount attempt fails.
> +.IP
> +If the
> +.B xprtsec=
> +option is not specified,
> +the default behavior depends on the kernel version,
> +but is usually equivalent to
> +.BR "xprtsec=none" .
> .SS "Options for NFS versions 2 and 3 only"
> Use these options, along with the options in the above subsection,
> for NFS versions 2 and 3 only.
>
>