Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp281662pxb; Mon, 7 Feb 2022 11:10:24 -0800 (PST) X-Google-Smtp-Source: ABdhPJyIFHvEz2pTbYxwmybZF+DQLOYUfx/yuyZfsJ9/QijQFOz/yfMUadjCdEvJPDjPh2MZrGmH X-Received: by 2002:a17:906:9945:: with SMTP id zm5mr849984ejb.543.1644261024166; Mon, 07 Feb 2022 11:10:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644261024; cv=none; d=google.com; s=arc-20160816; b=xVxs9ef5hMsO2y7Xdr+kb3j47w8UfJmREQWySCleAl41GPY0dfCtS5JHceZv4p5GuJ Q4B+Jzn26CXb8cUnnpH9yIq0+g+Up93jwtixMhvRf0hCR1WiUdAdPjaS/Plma1RdligA 0S1LicGFkgujMYQNP6DtE4AvPrVdxd62vaOeDQ4P+J1hyp1pf8+DeI5e7lKkVcMlHio7 PkoLmqLt+m3Bw4XCh8NGOSobzaAj40BKtBW2l+920Ietb+qdJApfpvWEEOXIJggQEmes dTIJjmeWJgXxhl2Dp8FBu2mSsdgfiQ2F1uLRkjZPzIiE7BFLSkJ0ojiL2zu8pewW/A47 r9Bg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=56dip43t/OqFBh1S6yh4ZZoextL4wmvFJxojWieo0qM=; b=pOGm4GRYWW1Bf/RB7RfQahMbMFvv7jrh13AlA6Twye9XFEmnV0lBwhulsoOVlfLzkn smt30s8UN5vC1oCgqsHCTKgo+lBCezoNU4+sxe8w5386aQNUWyV8lqS0B7tqVtLNPdu8 01UIYxwoQCGeJGYXBbfR9qlwSV4NKxl4yMmTSmlUu85Dj4VNwO/hFE8/JYRdJCG0nn+T Pw1b/8AKbX+DsYq7vv/i4lLX4nrruo+A+X9IYNVcfTIM7YVNZbIRQYCSm/SCs5La5HH8 +kbJ7Mpih0rBTYsUQs/uaKoE2ZJkRbwWPhQGjEXD5HL6mWKxMMK7OKzc+NKwit3veNql 8BOw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=byC4IxcQ; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id w19si8372771edc.225.2022.02.07.11.09.54; Mon, 07 Feb 2022 11:10:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=byC4IxcQ; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243157AbiBDPtj (ORCPT + 99 others); Fri, 4 Feb 2022 10:49:39 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:38676 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1359840AbiBDPtj (ORCPT ); Fri, 4 Feb 2022 10:49:39 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1643989778; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=56dip43t/OqFBh1S6yh4ZZoextL4wmvFJxojWieo0qM=; b=byC4IxcQyAcBbHJjtvhCs13Fv2E9RcUEITYPn5WG8GsO4QqQI9cZJjjpRBQ8VOGNxyPpoe EdAsCyN1Y0itBotVC/yvxoCwU7Dr4hQ5nDnM0kw2ECN3HPWAaA34jeJk5KD1n5U1lYKPDB z/H8XvgdiWHADBpb+HxLSMXxiwLgy+o= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-592-KDVyAne2NOuXRHH6pTxSnw-1; Fri, 04 Feb 2022 10:49:37 -0500 X-MC-Unique: KDVyAne2NOuXRHH6pTxSnw-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 393F01898291; Fri, 4 Feb 2022 15:49:36 +0000 (UTC) Received: from [172.16.176.1] (ovpn-64-2.rdu2.redhat.com [10.10.64.2]) by smtp.corp.redhat.com (Postfix) with ESMTPS id CE08A7D3E8; Fri, 4 Feb 2022 15:49:35 +0000 (UTC) From: "Benjamin Coddington" To: "Chuck Lever III" Cc: "Steve Dickson" , "Linux NFS Mailing List" Subject: Re: [nfs-utils PATCH] nfs4id: a tool to create and persist nfs4 client uniquifiers Date: Fri, 04 Feb 2022 10:49:34 -0500 Message-ID: <32889B9A-1293-4050-8131-726042D1EAD9@redhat.com> In-Reply-To: <87EAC6F6-C450-4642-A11A-55247C791D66@oracle.com> References: <87EAC6F6-C450-4642-A11A-55247C791D66@oracle.com> MIME-Version: 1.0 Content-Type: text/plain; format=flowed X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On 4 Feb 2022, at 10:17, Chuck Lever III wrote: > Hi Ben- > >> On Feb 4, 2022, at 7:56 AM, Benjamin Coddington >> wrote: >> >> The nfs4id program will either create a new UUID from a random source >> or >> derive it from /etc/machine-id, else it returns a UUID that has >> already >> been written to /etc/nfs4-id. This small, lightweight tool is >> suitable for >> execution by systemd-udev in rules to populate the nfs4 client >> uniquifier. > > Glad to see some progress here! > > Regarding the generation of these uniquifiers: > > If you have a UUID generation mechanism, why bother with machine-id at > all? We'd like to deterministically tie our clients to /etc/machine-id for a number of reasons: - it condenses the work of "uniquifying" a machine to a single point in the distro. - the machine-id has a number of ways to handle cases where machines are PXE-booted, cloned, or used as "golden images" for cloud containers (See machine-id(5)). - the machine-id has good documentation and awareness (See sd-id128(3) and friends) > As noted in bugzilla@redhat 1801326, these uniquifiers will appear in > the > clear on open networks (and we all know open network deployments are > common > for NFS). I don't believe that TLS or GSS Kerberos will be available > to > protect every deployment from a network MitM from sniffing these > values and > attempting to make some hay with them. In particular, any deployment > of a > system before we have in-transit NFS encryption implemented will be > vulnerable. Yes. > Some young punk from Tatooine could drop a bomb down our reactor > shaft, > and then where would we be? This little tool isn't attempting to solve any of those problems. > Regarding the storage of these uniquifiers: > > As discussed in earlier threads, we believe that storing multiple > unique-ids > in one file, especially without locking to prevent tearing of data in > the > file, is problematic. Now, it might be that the objection to this was > based > on storing these in a file that can simultaneously be edited by humans > (ie, /etc/nfs.conf). But I would prefer to see a separate file used > for > each uniquifier / network namespace. This tool isn't trying to store uniquifiers for multiple namespaces, or describe how it ought to be used in relation to namespaces. It only attempts to create a fairly persistent unique value that can be generated and consumed from a udev rule. I think the problem of how to create uniquifiers for every net namespace might easily be solved by bind-mounding /etc/nfs4-id into the namespace-specific filesystem, or a number of other ways. That would be an interesting new topic. New sources could be added to this tool in the future that are namespace-aware. Thanks for the look at this! Ben