Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1985936ybh;
        Fri, 17 Jul 2020 06:41:20 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzYlcUejc3WXPePK04X4pBPRg9/q4rHmRY3PKW299ZOucvPqWtpr7OZzBBljhDmojarJXkR
X-Received: by 2002:a17:906:38d6:: with SMTP id r22mr6129199ejd.219.1594993280076;
        Fri, 17 Jul 2020 06:41:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1594993280; cv=none;
        d=google.com; s=arc-20160816;
        b=wQEEqEEpnvtEtG0DnQn1NvCvyfH8MVzZVgALPN7Lj/aEwrfHbqb4v4tpoD/CguHeeN
         BfcC9XkFmfy+wxeFS4XtF1NUrPdY7Yk73QmpPmBtRzuqOH9ExbEOu6SdnyVrkUQTfqq9
         Mk/Dy1b4MLCw5hOTuUZXuQ/XEui7wQy4Sj3D8Mn7FOVbyxqbZwkN1P8SlEJLDrxNfFSm
         HoA6nrCRDfv/gjX7aLG0U+3m2b89kkhH68F14r3vlwwCxAXxY3POiBwDTakv5OYnVZFq
         r9eEOnbap/DhgGvAZyRGO9bePqlnfYABjlbPCu7B8AVPybjkv8ql4XQF4UHHqZ2Ubeze
         Y2Jg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to:subject:dkim-signature;
        bh=/QQ6seKoHDr/t9Gus6fvcXLCgt7ZnFXLYs2Ja8VrxvA=;
        b=IRWaE/j2ZakpSwBhdmnikhVPR+VOc7DmFYn4+/CNYqcrqZk1HMka/YaLAmMsBY9ugb
         t0QaOT1IndwE2mpDzQufrmwgahyNLrZH05ZJGniyljyol3pOkDweEF0UKKDLC01tRldm
         KU9F1PneXW3siOq9TeJmzze2QAwH8IfeaH1AOMneQbsyxZdyFAA1NSL4budrSdgp+gpe
         eDlzBuaudmoOLhJtJJMIbspgqNyCfnUSfpfbT9B2Y9C5w0wDMLF+ARc5+1hL6XEVrmIc
         frKjTpCCM8m1P8/RN+xoT+2bAEiCUQ5OVJ7Fp+fWtDEbQvcdsm6V39iNPPuJBwkecGBG
         5ZrA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="IGrjaV/T";
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id z11si5206508ejm.102.2020.07.17.06.40.44;
        Fri, 17 Jul 2020 06:41:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="IGrjaV/T";
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726812AbgGQNkQ (ORCPT <rfc822;siggins@gmail.com> + 99 others);
        Fri, 17 Jul 2020 09:40:16 -0400
Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:40675 "EHLO
        us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S1726079AbgGQNkQ (ORCPT
        <rfc822;linux-nfs@vger.kernel.org>); Fri, 17 Jul 2020 09:40:16 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1594993214;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=/QQ6seKoHDr/t9Gus6fvcXLCgt7ZnFXLYs2Ja8VrxvA=;
        b=IGrjaV/Tq1L1uP05a8Hg5BaLykA9jY5qhpn1V4lz9Pt5J1fn1KJuf48MKSj4bX6ySoyuFX
        kErow2YNm++1+g4ifqh6RBYOvIMFOiwO5+fe2EXXabRMW5nZWwBOKrFzXUOwP0KJsdrNmg
        WpdCYtWJZCLtQY5jpA5y680vxjh+twc=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-21-FHWSz-JpO9ibA53_Pt6iSA-1; Fri, 17 Jul 2020 09:40:11 -0400
X-MC-Unique: FHWSz-JpO9ibA53_Pt6iSA-1
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EFFC480046E;
        Fri, 17 Jul 2020 13:40:06 +0000 (UTC)
Received: from madhat.boston.devel.redhat.com (ovpn-113-147.phx2.redhat.com [10.3.113.147])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 6E27578A50;
        Fri, 17 Jul 2020 13:40:06 +0000 (UTC)
Subject: Re: [PATCH 4/4] nfs-utils: Update nfs4_unique_id module parameter
 from the nfs.conf value
To:     Patrick Goetz <pgoetz@math.utexas.edu>,
        Alice Mitchell <ajmitchell@redhat.com>,
        Linux NFS Mailing list <linux-nfs@vger.kernel.org>
References: <5a84777afb9ed8c866841471a1a7e3c9b295604d.camel@redhat.com>
 <115d8b45e84f3cecc9f5623e39f5078315d3ebbd.camel@redhat.com>
 <a49c78c1-1419-409b-2386-25d94afb7ca7@RedHat.com>
 <5b67708a-f31c-249c-6405-43fdd278037c@math.utexas.edu>
From:   Steve Dickson <SteveD@RedHat.com>
Message-ID: <8bd2a626-cef7-b639-72c9-9de999bc56e3@RedHat.com>
Date:   Fri, 17 Jul 2020 09:40:05 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <5b67708a-f31c-249c-6405-43fdd278037c@math.utexas.edu>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org



On 7/16/20 11:52 AM, Patrick Goetz wrote:
> Speaking of which, it would be great if the distros (or whomever) stopped setting up the unit files so that rpcbind is a required service. This is a headache for me, as our security group flags machines running rpcbind and it's entirely useless if you only use NFSv4.
Why do you see rpcbind as such a security risk?

> 
> In fact, isn't it about time to EOL NFSv3?  <:)
You are not the first to suggest this... No so much
of EOLing v3... more of a V4only client.

Personally I don't see EOL-ing v3 anytime soon.

steved.
> 
> On 7/15/20 12:44 PM, Steve Dickson wrote:
>> Hello,
>>
>> On 7/10/20 12:44 PM, Alice Mitchell wrote:
>>> systemd service to grab the config value and feed it to the kernel module
>> Again, I'm wondering if the systemd/README should be updated to explain
>> this new script...
>>
>> steved.
>>
>>> ---
>>>   nfs.conf                      |  1 +
>>>   systemd/Makefile.am           |  3 +++
>>>   systemd/nfs-conf-export.sh    | 28 ++++++++++++++++++++++++++++
>>>   systemd/nfs-config.service.in | 17 +++++++++++++++++
>>>   4 files changed, 49 insertions(+)
>>>   create mode 100755 systemd/nfs-conf-export.sh
>>>   create mode 100644 systemd/nfs-config.service.in
>>>
>>> diff --git a/nfs.conf b/nfs.conf
>>> index 186a5b19..8bb41227 100644
>>> --- a/nfs.conf
>>> +++ b/nfs.conf
>>> @@ -4,6 +4,7 @@
>>>   #
>>>   [general]
>>>   # pipefs-directory=/var/lib/nfs/rpc_pipefs
>>> +# nfs4_unique_id = ${machine-id}
>>>   #
>>>   [exports]
>>>   # rootdir=/export
>>> diff --git a/systemd/Makefile.am b/systemd/Makefile.am
>>> index 75cdd9f5..51acdc3f 100644
>>> --- a/systemd/Makefile.am
>>> +++ b/systemd/Makefile.am
>>> @@ -9,6 +9,7 @@ unit_files =  \
>>>       nfs-mountd.service \
>>>       nfs-server.service \
>>>       nfs-utils.service \
>>> +    nfs-config.service \
>>>       rpc-statd-notify.service \
>>>       rpc-statd.service \
>>>       \
>>> @@ -69,4 +70,6 @@ genexec_PROGRAMS = nfs-server-generator rpc-pipefs-generator
>>>   install-data-hook: $(unit_files)
>>>       mkdir -p $(DESTDIR)/$(unitdir)
>>>       cp $(unit_files) $(DESTDIR)/$(unitdir)
>>> +    mkdir -p $(DESTDIR)/$(libexecdir)/nfs-utils
>>> +    install  nfs-conf-export.sh $(DESTDIR)/$(libexecdir)/nfs-utils/
>>>   endif
>>> diff --git a/systemd/nfs-conf-export.sh b/systemd/nfs-conf-export.sh
>>> new file mode 100755
>>> index 00000000..486e8df9
>>> --- /dev/null
>>> +++ b/systemd/nfs-conf-export.sh
>>> @@ -0,0 +1,28 @@
>>> +#!/bin/bash
>>> +#
>>> +# This script pulls values out of /etc/nfs.conf and configures
>>> +# the appropriate kernel modules which cannot read it directly
>>> +
>>> +NFSMOD=/sys/module/nfs/parameters/nfs4_unique_id
>>> +NFSPROBE=/etc/modprobe.d/nfs.conf
>>> +
>>> +# Now read the values from nfs.conf
>>> +MACHINEID=`nfsconf --get general nfs4_unique_id`
>>> +if [ $? -ne 0 ] || [ "$MACHINEID" == "" ]
>>> +then
>>> +# No config vaue found, assume blank
>>> +MACHINEID=""
>>> +fi
>>> +
>>> +# Kernel module is already loaded, update the live one
>>> +if [ -e $NFSMOD ]; then
>>> +echo -n "$MACHINEID" >> $NFSMOD
>>> +fi
>>> +
>>> +# Rewrite the modprobe file for next reboot
>>> +echo "# This file is overwritten by systemd nfs-config.service" > $NFSPROBE
>>> +echo "# with values taken from /etc/nfs.conf" >> $NFSPROBE
>>> +echo "# Do not hand modify" >> $NFSPROBE
>>> +echo "options nfs nfs4_unique_id=\"$MACHINEID\"" >> $NFSPROBE
>>> +
>>> +echo "Set to: $MACHINEID"
>>> diff --git a/systemd/nfs-config.service.in b/systemd/nfs-config.service.in
>>> new file mode 100644
>>> index 00000000..c5ef1024
>>> --- /dev/null
>>> +++ b/systemd/nfs-config.service.in
>>> @@ -0,0 +1,17 @@
>>> +[Unit]
>>> +Description=Preprocess NFS configuration
>>> +PartOf=nfs-client.target
>>> +After=nfs-client.target
>>> +DefaultDependencies=no
>>> +
>>> +[Service]
>>> +Type=oneshot
>>> +# This service needs to run any time any nfs service
>>> +# is started, so changes to local config files get
>>> +# incorporated.  Having "RemainAfterExit=no" (the default)
>>> +# ensures this happens.
>>> +RemainAfterExit=no
>>> +ExecStart=@_libexecdir@/nfs-utils/nfs-conf-export.sh
>>> +
>>> +[Install]
>>> +WantedBy=nfs-client.target
>>>
>>
>