Closed linuxsmiths closed 4 months ago
Very nice. I will review this over the weekend. Until then, can you add a licence boilerplate to the two new files? LGPLv2.1 or compatible. I am fine with BSD licence too.
On Thu, 25 Apr 2024 at 19:58, linuxsmiths @.***> wrote:
This PR adds RPC-with-TLS (RFC 9289) support to libnfs. It depends on the following:
- GnuTLS version 3.4.6+
- Linux kernel 5.10+
I've currently enabled it only on Linux since that's what my target system is. BSD should be easy to make work if someone has a system they can try out. Also, this change only adds client support. I've only made changes to the CMake build files.
Tested to make sure it works fine with reconnects.
You can view, comment on, or merge this pull request online at:
https://github.com/sahlberg/libnfs/pull/457 Commit Summary
- 810ef61 https://github.com/sahlberg/libnfs/pull/457/commits/810ef615eac7b5e8c8da9619016e0d8cc18c81ea Add RPC-with-TLS support
File Changes
(19 files https://github.com/sahlberg/libnfs/pull/457/files)
- M CMakeLists.txt https://github.com/sahlberg/libnfs/pull/457/files#diff-1e7de1ae2d059d21e1dd75d5812d5a34b0222cef273b7c3a2af62eb747f9d20a (37)
- M README https://github.com/sahlberg/libnfs/pull/457/files#diff-2b7814d3fca2e99e56c51b6ff2aa313ea6e9da6424804240aa8ad891fdfe0900 (27)
- M cmake/ConfigureChecks.cmake https://github.com/sahlberg/libnfs/pull/457/files#diff-006e8c8d2d57972929172e75409fa31c4345b6442231ba1db71e3910ce6ee1f3 (14)
- M cmake/Macros.cmake https://github.com/sahlberg/libnfs/pull/457/files#diff-5abab6689b64d865aa825522d3227d2ba7f3d44490181e7594bd97fcff37d293 (1)
- M cmake/config.h.cmake https://github.com/sahlberg/libnfs/pull/457/files#diff-da63592abdecbb51b5653cc82158c04d219f5f55fef0d3db542cda3b4654f553 (6)
- M include/libnfs-private.h https://github.com/sahlberg/libnfs/pull/457/files#diff-1c12354cb346fdf2e5f9d519d94b39cbcec7e28788b3179c1c5790cc97356cd1 (99)
- M include/nfsc/libnfs-raw.h https://github.com/sahlberg/libnfs/pull/457/files#diff-3a0ac8a73d28ac8e11124930b8f8b29fe3ed2e4fbd73fe0c18181ffcf6579a19 (36)
- M include/nfsc/libnfs-zdr.h https://github.com/sahlberg/libnfs/pull/457/files#diff-d7ce1995b1bef11607f95faa99700f8093cbdfec4253ebe8a9f2700672f82fc1 (4)
- M include/nfsc/libnfs.h https://github.com/sahlberg/libnfs/pull/457/files#diff-550639701cf0d2987e86284d4da653266611785cfc4a874ba428692542c2ad49 (23)
- M lib/init.c https://github.com/sahlberg/libnfs/pull/457/files#diff-5118f71d571894cbf2db3f4d7f316184bffba8eb5178bce2e6d4324787236505 (3)
- M lib/libnfs.c https://github.com/sahlberg/libnfs/pull/457/files#diff-a0cde8a058e424e78b34dcb2ca88383a33ccdb8e1225bc74c929fe23e92eb8c0 (198)
- M lib/nfs_v3.c https://github.com/sahlberg/libnfs/pull/457/files#diff-600fb30fc953744027c42c2e6ac60a7f2d138168d468e2fc5b82d2324b5ce839 (6)
- M lib/nfs_v4.c https://github.com/sahlberg/libnfs/pull/457/files#diff-177544f00495c13c8de756ee9505850959f1f40aa1265e96f353bce976ef5cf1 (5)
- M lib/pdu.c https://github.com/sahlberg/libnfs/pull/457/files#diff-189aabff6bebfbf273694fa193c77d9cd66f0d4784182f5da1e7bb3a0901f7f0 (108)
- M lib/socket.c https://github.com/sahlberg/libnfs/pull/457/files#diff-7350ca72c2f7612d81361a34d9ef3c57ab7c2d7b6f31b71b320286cabf0ec611 (157)
- A tls/CMakeLists.txt https://github.com/sahlberg/libnfs/pull/457/files#diff-864789b1aef1b1cdb4c42a9f0b707c26b509f119a8f4a9326500317ec6727a28 (4)
- A tls/handshake.c https://github.com/sahlberg/libnfs/pull/457/files#diff-a905ddc8e3ca88e3e44d0a0a3df6f30b8a43c0e7fcddd26e7efe6ae6c634cde3 (457)
- A tls/ktls.c https://github.com/sahlberg/libnfs/pull/457/files#diff-b82bf07268509505f31f56bd85b955a38870adcf25adbfffe0dbb12c2c97c5dc (229)
- A tls/tls-private.h https://github.com/sahlberg/libnfs/pull/457/files#diff-e87dda2d01066912476c1079b69697ff2d9025db1fae3a7b9f374d2a4a1640fd (30)
Patch Links:
— Reply to this email directly, view it on GitHub https://github.com/sahlberg/libnfs/pull/457, or unsubscribe https://github.com/notifications/unsubscribe-auth/AADY3EGEST5SMGTB3IBY5DDY7DHTRAVCNFSM6AAAAABGYRHAT2VHI2DSMVQWIX3LMV43ASLTON2WKOZSGI3DGMJXG4YDSNY . You are receiving this because you are subscribed to this thread.Message ID: @.***>
Please have a look at the build failures too. OSX and Windows look like they might just be unrelated environmental issues since they shouldn't be using TLS anyway (and the compile would fail if they did).
Please check the linux failure though.
Please have a look at the build failures too. OSX and Windows look like they might just be unrelated environmental issues since they shouldn't be using TLS anyway (and the compile would fail if they did).
Please check the linux failure though.
I don't see this failure when I try locally.. could it be transient? Have you seen it fail before?
/home/linuxsmiths_libnfs/tls-change1/libnfs# sudo bash -c "cd build/tests;./test_0100_ls_basic.sh" basic ls test Testing nfs-ls on root of export ... [OK] Create a file and verify nfs-ls can see it ... [OK]
Please have a look at the build failures too. OSX and Windows look like they might just be unrelated environmental issues since they shouldn't be using TLS anyway (and the compile would fail if they did).
Please check the linux failure though.
Btw, did you notice that I haven't update the autobuild files as I'm not familiar with that. Do we plan to support both or just the cmake?
Please have a look at the build failures too. OSX and Windows look like they might just be unrelated environmental issues since they shouldn't be using TLS anyway (and the compile would fail if they did). Please check the linux failure though.
Please have a look at the build failures too. OSX and Windows look like they might just be unrelated environmental issues since they shouldn't be using TLS anyway (and the compile would fail if they did). Please check the linux failure though.
I don't see this failure when I try locally.. could it be transient? Have you seen it fail before?
/home/linuxsmiths_libnfs/tls-change1/libnfs# sudo bash -c "cd build/tests;./test_0100_ls_basic.sh" basic ls test Testing nfs-ls on root of export ... [OK] Create a file and verify nfs-ls can see it ... [OK]
I have not seen this failure before but I accept it might be environmental or transient. If it returns I will debug it and fix it.
Clicked the wrong button. I meant to resolve the discussion, not close the pull request. Sorry.
It is merged now. Thank you a lot for this contribution. This is great.
On Fri, 26 Apr 2024 at 18:40, linuxsmiths @.***> wrote:
Please have a look at the build failures too. OSX and Windows look like they might just be unrelated environmental issues since they shouldn't be using TLS anyway (and the compile would fail if they did).
Please check the linux failure though.
Btw, did you notice that I haven't update the autobuild files as I'm not familiar with that. Do we plan to support both or just the cmake?
I didn't actually go back and check. Don't worry about it. I am much more familiar with autotools than CMake so I can easily add autotool support to it later. No problem. Thankyou a lot for this contribution!
—
Reply to this email directly, view it on GitHub https://github.com/sahlberg/libnfs/pull/457#issuecomment-2078918014, or unsubscribe https://github.com/notifications/unsubscribe-auth/AADY3EAJ2AUF62VTQDQUO6DY7IHJJAVCNFSM6AAAAABGYRHAT2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANZYHEYTQMBRGQ . You are receiving this because you commented.Message ID: @.***>
This PR adds RPC-with-TLS (RFC 9289) support to libnfs. It depends on the following:
It adds a new mount option - xprtsec=[none,tls,mtls] (similar to Linux NFS client)
I've currently enabled it only on Linux since that's what my target system is. BSD should be easy to make work if someone has a system they can try out. Also, this change only adds client support. I've only made changes to the CMake build files.
Tested to make sure it works fine with reconnects.
Sample command:
./examples/nfs-writefile /mnt/random 'nfs://nfsserver/mnt/testfile?version=3&xprtsec=tls&debug=1'
Performance testing: With AES-128-GCM there's almost no overhead and I could get ~1GBps/core which is same as w/o TLS. This is because kTLS does the encryption while copying data from user to kernel (so there's no extra copy) and encryption is accelerated by the CPU.