From owner-svn-src-projects@freebsd.org Fri Aug 28 02:20:26 2020
Message-Id: <202008280220.07S2KPto027570@repo.freebsd.org>
From: Rick Macklem
Date: Fri, 28 Aug 2020 02:20:25 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r364900 - projects/nfs-over-tls

Author: rmacklem
Date: Fri Aug 28 02:20:25 2020
New Revision: 364900
URL: https://svnweb.freebsd.org/changeset/base/364900

Log:
  Update nfs-over-tls-setup.txt since the head kernel can now be used.

Modified:
  projects/nfs-over-tls/nfs-over-tls-setup.txt

Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt
==============================================================================
--- projects/nfs-over-tls/nfs-over-tls-setup.txt	Fri Aug 28 02:09:10 2020	(r364899)
+++ projects/nfs-over-tls/nfs-over-tls-setup.txt	Fri Aug 28 02:20:25 2020	(r364900)
@@ -16,8 +16,10 @@ awkward, but hopefully this lists all the steps. burned onto a DVD. (I haven't done other types of installs, but there are several others.) - Burn the iso onto a DVD (or whatever). - - Install it on a 64bit x86 system. When it asks, include installation - of src. + - Install it on a 64bit x86 system. +If the 6digit number is 364898 or higher, the kernel sources and /usr/include +should be sufficiently up to date. If not, you will need to get newer sources +via "svn" and symbolically link the directories into /usr/include. (For here on, you might as well login as root.) Now, you will need a subversion client on some machine. If you do not 
@@ -25,7 +27,8 @@ already have one, log into the newly installed FreeBSD # pkg install subversion - It will probably ask you to install "pkg" first and then it should work. -If you don't yet have /usr/src, you can use "svn" to get it: +If your version is less than 364898 or if you do not already have them, +you will need to get up-to-date sources via "svn": # cd /usr/src # svn checkout http://svn.freebsd.org/base/head . @@ -35,28 +38,30 @@ Use "svn" to download the modified sources into /usr/n # cd nfs-over-tls # svn checkout http://svn.freebsd.org/base/projects/nfs-over-tls . -Now, you can build/install the modified kernel. Here's the "cheater" way -I do it. +Now, you can build/install the modified kernel. If the src.*.mk files are missing from /usr/share/mk... # cd /usr/share/mk # tar xf /usr/nfs-over-tls/sharemk.tar Set up the kernel source tree. +# cd /usr/src/sys/amd64/conf +- edit GENERIC and add a line +options KERN_TLS +to it. # cd /usr/src -# mv sys sys.old -# ln -s /usr/nfs-over-tls/sys sys # make buildkernel # make installkernel Fix the include files. Here's my "cheat" way of doing this. +(This is needed if your installed system is prior to 364898.) # cd /usr/include # mv sys sys.old -# ln -s /usr/nfs-over-tls/sys/sys sys +# ln -s /usr/src/sys/sys sys # mv fs fs.old -# ln -s /usr/nfs-over-tls/sys/fs fs +# ln -s /usr/src/sys/fs fs # mv netinet netinet.old -# ln -s /usr/nfs-over-tls/sys/netinet netinet +# ln -s /usr/src/sys/netinet netinet - This should be enough to allow userspace building. Now, you need jhb@'s patched openssl3 source tree, so you can build it. 
@@ -104,14 +109,15 @@ And now you should be able to build/install the utilit # cp mountd /usr/sbin # cp exports.5.gz /usr/share/man/man5 +You can copy the rc.d scripts as follows: +# cd /usr/nfs-over-tls/rc.d +# cp rpctlscd rpctlssd /etc/rc.d + Almost done. Here's a few more things you need to do: # cd /etc - edit sysctl.conf and add these two lines kern.ipc.tls.enable=1 kern.ipc.mb_use_ext_pgs=1 -- edit rc.conf and add this line (if you already have a line for ldconfig_paths, - add /usr/ktls/lib to the line) -ldconfig_paths="/usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/ktls/lib" Then reboot the system. You should now be finally ready to configure and run a TLS mount. @@ -343,3 +349,14 @@ If you use either the "-m" and/or "-v" options, you pr modify your /etc/syslog.conf so that "LOG_INFO | LOG_DAEMON" goes somewhere. For "-m" it will log failed certificate verifications there and for "-v" it will log a lot of other stuff, as well. + +Once you have set things up, you can add line(s) to your /etc/rc.conf +for the daemon(s): +For the client: +rpctlscd_enable="YES" + +For the server: +rpctlssd_enable="YES" + +- plus rpctlscd_flags and/or rpctlssd_flags if you are using command line + options for these (see below).
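Review bot: in the @@ -16,8 hunk the whole procedure now keys on "the 6digit number" being 364898 or higher, but the added lines never say where that number is read from; state explicitly that it is the svn revision of the installed snapshot (the number in the ISO name or in the uname -a output of the installed system) so readers compare the right value, and write "6-digit". The unchanged context line "For here on" should read "From here on".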
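Review bot: the unchanged context line in the @@ -25,7 hunk, `# svn checkout http://svn.freebsd.org/base/head .`, fetches the tree that becomes the kernel and /usr/include over plain http; since this document is about building a kernel from these sources, both checkout commands (this one and the projects/nfs-over-tls one in the next hunk) should use https://svn.freebsd.org so the tree cannot be altered in transit. The new sentence "If your version is less than 364898" should also refer to the value by the same name the previous hunk uses, so the reader knows it is the same number.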
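Review bot: the new step in the @@ -35,28 hunk edits GENERIC in place to add `options KERN_TLS`, which a later `svn update` of /usr/src will either conflict with or silently carry forward. Suggest a separate config file in the same directory (name is a suggestion) containing `include GENERIC`, `ident NFSTLS` and `options KERN_TLS`, built with `make buildkernel KERNCONF=NFSTLS`. Also, now that the `mv sys sys.old` / `ln -s /usr/nfs-over-tls/sys sys` lines are removed, the kernel comes entirely from /usr/src; the text should say that /usr/nfs-over-tls is only needed for sharemk.tar, the rc.d scripts and the userland from here on, otherwise the earlier "download the modified sources" step reads as if it still feeds the kernel build.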
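Review bot: the @@ -104,14 hunk removes the ldconfig_paths line that added /usr/ktls/lib without saying why it is no longer needed; the earlier hunk still requires jhb@'s patched openssl3 tree, so if rpctlscd/rpctlssd are dynamically linked against libraries under /usr/ktls the rc scripts may fail to start them after the reboot. Either keep the line or state that the daemons are now built so they find those libraries without it. For the new `cp rpctlscd rpctlssd /etc/rc.d` step, `install -m 555` (or a chmod after the copy) would guarantee the scripts are executable, which rc(8) requires.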
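Review bot: the closing bullet added in the @@ -343,3 hunk ends with "(see below)", but the hunk appends these lines at the end of the file (there is no trailing context), so nothing follows; point instead to the section where the "-m" and "-v" options are described, which from the context lines is above. Also, rpctlscd_enable="YES" / rpctlssd_enable="YES" are introduced here at the very end while the @@ -104,14 hunk has the reader copy the scripts into /etc/rc.d and reboot; placing these rc.conf lines next to that step would keep the setup order linear.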