From nobody Tue Nov 26 10:53:00 2024 Received: from smtpbgau2.qq.com (smtpbgau2.qq.com [54.206.34.216]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 51BC71CC15E; Sat, 19 Oct 2024 07:17:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=54.206.34.216 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729322261; cv=none; b=ov3Q/QA4e8UVTAGnzK+liOkh5HnW5f++O76jnxAvv5/wltfHJ/k6+8ePN9HOMJVnFxH7bKRAo5tfZ2b8zFH5l0dyrG6mYYHBoe7YZ+eeHKSF0tAqwWyTTwfX5HbqyHn2oa/2cnXcF5qktPzHCUVGLZOciSj5eygBi7y2r3mETns= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729322261; c=relaxed/simple; bh=pjx16WCMw/sQrrsCxHRbpEFWf5y2yLaA1KolqpC+Wjc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=FrNcKTKvELEV3uM1FX6x0gKWKo2T4gi/R4E8w8l4Fi4xdqM/v08jZZNDCHlSwNdKIcI7g2TP4jEuVbn3SdjF426cBIG5yM/W9B2Ah5PWKQ5jTm7wYTtw9I668Qoe15nqZCyLZHcvTCEqouKCJMFc2D40dCQ24xGvKjH4kQlKiPE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=chenxiaosong.com; spf=none smtp.mailfrom=chenxiaosong.com; arc=none smtp.client-ip=54.206.34.216 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=chenxiaosong.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=chenxiaosong.com X-QQ-mid: bizesmtpsz10t1729322168tw3qsh X-QQ-Originating-IP: Eh4zX456hZMGcfuxgcpGlK9/0p8Mh8Jxw52RkerpuR4= Received: from sonvhi-TianYi510S-07IMB.. ( [116.128.244.171]) by bizesmtp.qq.com (ESMTP) with id ; Sat, 19 Oct 2024 15:15:48 +0800 (CST) X-QQ-SSF: 0000000000000000000000000000000 X-QQ-GoodBg: 0 X-BIZMAIL-ID: 3942789612294147170 From: chenxiaosong@chenxiaosong.com To: corbet@lwn.net, dhowells@redhat.com, jlayton@kernel.org, brauner@kernel.org, rostedt@goodmis.org, mhiramat@kernel.org, mathieu.desnoyers@efficios.com, trondmy@kernel.org, anna@kernel.org, chuck.lever@oracle.com, neilb@suse.de, okorniev@redhat.com, Dai.Ngo@oracle.com, tom@talpey.com Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, netfs@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, linux-nfs@vger.kernel.org, ChenXiaoSong Subject: [PATCH 1/3] Documentation: nfs: idmapper: keep consistent with nfsidmap manual Date: Sat, 19 Oct 2024 15:15:37 +0800 Message-Id: <20241019071539.125934-2-chenxiaosong@chenxiaosong.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241019071539.125934-1-chenxiaosong@chenxiaosong.com> References: <20241019071539.125934-1-chenxiaosong@chenxiaosong.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-QQ-SENDSIZE: 520 Feedback-ID: bizesmtpsz:chenxiaosong.com:qybglogicsvrsz:qybglogicsvrsz4a-0 X-QQ-XMAILINFO: M3ziZXKDk+iOsjm9mH5d8oiRCkBzKEtIIucugsMBUMQ55Qpcs0Vu5/nF jh380GYPkKGRjKRY+9KiCfo+R6eo86AcouDlMcp9K5VgCvz4eCjNENksuVdC2CRie94Mn9G 5WTszOitSep0BTjrWXb/48bVXlUCXCyycTG1JiXcyU6kYK94m2qVPnaP6UXMi680/2DGMKd 2TExRoJGs1KCkFTO9Q5oXx5x65VVI2cXCi5AUvpGSyVjGTZTpgbMEdakLlW/ypicWcDN9qG edBBTVjdGN+XDVlTTFZAIMpmB5fk9GsxHy+LF7XWohk4TbykhZ43cyNWaAFJGMNLx1lSTZS ULb6wynlDG09NO2fNBR5GXOJr+Lgq68WTC7SOKguspcb5ZkBvS7ocxY/pQBC1WRUfq9IQBf V3Nm+SMY9jJlqWasK/cCMRhHpvwFV3yULijxq7y0Jqns5bC/E+zXsfYQ15+fZfuTVZG7V8F uIOhEEGi0BdtBF7RNwEXIJ7K5DF2NCaR0LKp/gXIgtuTTWy2SCniOeMZV5CncWP3KByQXRT n9y4vLBs70+FPYfkXYvHfFY8ubXPj8t/zxAlu2d2rwIEx/ca+rm5FriKJn0/38xlgvtYX87 nygNGL6q+AQrVJbvw9+FGMvTgxQUmlhbO6Or9PC0cAC+F2WDr8V66TZ/VcaB6KV/kcvixjm yneJ5V2k56faGXsfT0+StU54YmGk4wQs6TDcdNHRKDS9vL0h3NRrbedqjQZumtExacx2NLP a/zgEEdOyx2DZVMdJjtfNlFa90uVu8KufV4cDx653xwFyraHlJO0CV/rjAv9G4QaHliuSZK 85BH3vEfj9qgcCJ9P2/NgoxJSvKG4Z2BSbjyJM161cct7qJhUbw8ayxrjjWCDERjIdcLI4a 4tabA75lY9EW3VLuD6/nIcSfumGnzU/Lem+6miMkkkt6O0Gje0ZDubKmZ+qFHLKoWBeqNx4 zaXmtwCwACQK6LE3+tGYOVswiHtA2V1K5uPc= X-QQ-XMRINFO: OD9hHCdaPRBwq3WW+NvGbIU= X-QQ-RECHKSPAM: 0 Content-Type: text/plain; charset="utf-8" From: ChenXiaoSong The usage of `nfsidmap` has been updated(e.g., use `-t 600` set the expiration timer), keep it consistent with nfsidmap manual (Link[1]). Link[1]: https://git.kernel.org/pub/scm/linux/kernel/git/rw/nfs-utils.git/t= ree/utils/nfsidmap/nfsidmap.man Signed-off-by: ChenXiaoSong --- Documentation/admin-guide/nfs/nfs-idmapper.rst | 59 ++++++++++++++++++++++= ++++++++++--------------------------- 1 file changed, 32 insertions(+), 27 deletions(-) diff --git a/Documentation/admin-guide/nfs/nfs-idmapper.rst b/Documentation= /admin-guide/nfs/nfs-idmapper.rst index 58b8e63412d5..0b72fd3a38af 100644 --- a/Documentation/admin-guide/nfs/nfs-idmapper.rst +++ b/Documentation/admin-guide/nfs/nfs-idmapper.rst @@ -24,55 +24,60 @@ Configuring =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 The file /etc/request-key.conf will need to be modified so /sbin/request-k= ey can -direct the upcall. The following line should be added: +properly direct the upcall. The following line should be added before a ca= ll to +keyctl negate: =20 -``#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...`` -``#=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D`` -``create id_resolver * * /usr/sbin/nfs.idmap %k %d 600`` +.. code-block:: none =20 + #OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ... + #=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + create id_resolver * * /usr/sbin/nfsidmap -t 600 %k %d =20 -This will direct all id_resolver requests to the program /usr/sbin/nfs.idm= ap. -The last parameter, 600, defines how many seconds into the future the key = will -expire. This parameter is optional for /usr/sbin/nfs.idmap. When the tim= eout -is not specified, nfs.idmap will default to 600 seconds. +This will direct all id_resolver requests to the program /usr/sbin/nfsidma= p. +The -t 600 defines how many seconds into the future the key will expire. +This is an optional parameter for /usr/sbin/nfsidmap and will default t= o 600 +seconds when not specified. =20 -id mapper uses for key descriptions:: +The idmapper system uses four key descriptions: =20 - uid: Find the UID for the given user - gid: Find the GID for the given group - user: Find the user name for the given UID - group: Find the group name for the given GID +.. code-block:: none =20 -You can handle any of these individually, rather than using the generic up= call -program. If you would like to use your own program for a uid lookup then = you -would edit your request-key.conf so it look similar to this: + uid: Find the UID for the given user + gid: Find the GID for the given group + user: Find the user name for the given UID + group: Find the group name for the given GID =20 -``#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...`` -``#=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D`` -``create id_resolver uid:* * /some/other/program %k %d 600`` -``create id_resolver * * /usr/sbin/nfs.idmap %k %d 600`` +You can choose to handle any of these individually, rather than using the +generic upcall program. If you would like to use your own program for a u= id +lookup then you would edit your request-key.conf so it looks similar to th= is: =20 +.. code-block:: none + + #OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ... + #=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D + create id_resolver uid:* * /some/other/program %k %d + create id_resolver * * /usr/sbin/nfsidmap %k %d =20 Notice that the new line was added above the line for the generic program. -request-key will find the first matching line and corresponding program. = In -this case, /some/other/program will handle all uid lookups and -/usr/sbin/nfs.idmap will handle gid, user, and group lookups. +request-key will find the first matching line and run the corresponding pr= ogram. +In this case, /some/other/program will handle all uid lookups, +and /usr/sbin/nfsidmap will handle gid, user, and group lookups. =20 See Documentation/security/keys/request-key.rst for more information about the request-key function. =20 =20 -nfs.idmap +nfsidmap =3D=3D=3D=3D=3D=3D=3D=3D=3D =20 -nfs.idmap is designed to be called by request-key, and should not be run "= by +nfsidmap is designed to be called by request-key, and should not be run "by hand". This program takes two arguments, a serialized key and a key description. The serialized key is first converted into a key_serial_t, a= nd then passed as an argument to keyctl_instantiate (both are part of keyutil= s.h). =20 -The actual lookups are performed by functions found in nfsidmap.h. nfs.id= map +The actual lookups are performed by functions found in nfsidmap.h. nfsidm= ap determines the correct function to call by looking at the first part of the description string. For example, a uid lookup description will appear as "uid:user@domain". =20 -nfs.idmap will return 0 if the key was instantiated, and non-zero otherwis= e. +nfsidmap will return 0 if the key was instantiated, and non-zero otherwise. --=20 2.34.1