Linux kernel documentation translation - rpcsec_gss support for kernel RPC servers

This article describes the RPC upcall mechanisms of the NFS server, both the legacy mechanism and the newer one, together with their advantages and drawbacks. It also covers how the upcall mechanism is negotiated, gives a backward-compatibility solution, and explains how to pick the appropriate mechanism in different scenarios.

Chinese translated version of Documentation/namespaces/resource-control.txt
 
If you have any comment or update to the content, please contact the
original document maintainer directly.  However, if you have a problem
communicating in English you can also ask the Chinese maintainer for
help.  Contact the Chinese maintainer if this translation is outdated
or if there is a problem with the translation.




Chinese maintainer: 田雨 479103577@qq.com
---------------------------------------------------------------------
Chinese translation of Documentation/namespaces/resource-control.txt
Chinese maintainer: 田雨 479103577@qq.com
Chinese translator: 田雨 479103577@qq.com
Chinese proofreader: 田雨 479103577@qq.com
rpcsec_gss support for kernel RPC servers
=========================================

This document gives references to the standards and protocols used to
implement RPCGSS authentication in kernel RPC servers such as the NFS
server and the NFS client's NFSv4.0 callback server.  (But note that
NFSv4.1 and higher don't require the client to act as a server for the
purposes of authentication.)


RPCGSS is specified in a few IETF documents:
 - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt
 - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt
and there is a 3rd version being proposed:
 - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
   (At draft n. 02 at the time of writing)

Background
----------

The RPCGSS Authentication method describes a way to perform GSSAPI
Authentication for NFS.  Although GSSAPI is itself completely mechanism
agnostic, in many cases only the KRB5 mechanism is supported by NFS
implementations.

The Linux kernel, at the moment, supports only the KRB5 mechanism, and
depends on GSSAPI extensions that are KRB5 specific.

GSSAPI is a complex library, and implementing it completely in kernel is
unwarranted. However GSSAPI operations are fundamentally separable in 2
parts:
- initial context establishment
- integrity/privacy protection (signing and encrypting of individual
  packets)

The former is more complex and policy-independent, but less
performance-sensitive.  The latter is simpler and needs to be very fast.

Therefore, we perform per-packet integrity and privacy protection in the
kernel, but leave the initial context establishment to userspace.  We
need upcalls to request userspace to perform context establishment.

NFS Server Legacy Upcall Mechanism
----------------------------------

The classic upcall mechanism uses a custom text based upcall mechanism
to talk to a custom daemon called rpc.svcgssd that is provided by the
nfs-utils package.

This upcall mechanism has 2 limitations:

A) It can handle tokens that are no bigger than 2KiB

In some Kerberos deployments GSSAPI tokens can be quite big, up to and
beyond 64KiB in size due to various authorization extensions attached to
the Kerberos tickets, that need to be sent through the GSS layer in
order to perform context establishment.

B) It does not properly handle creds where the user is member of more
than a few thousand groups (the current hard limit in the kernel is 65K
groups) due to limitation on the size of the buffer that can be sent
back to the kernel (4KiB).

NFS Server New RPC Upcall Mechanism
-----------------------------------

The newer upcall mechanism uses RPC over a unix socket to a daemon
called gss-proxy, implemented by a userspace program called Gssproxy.

The gss_proxy RPC protocol is currently documented here:

        https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation

This upcall mechanism uses the kernel rpc client and connects to the gssproxy
userspace program over a regular unix socket. The gssproxy protocol does not
suffer from the size limitations of the legacy protocol.

Negotiating Upcall Mechanisms
-----------------------------

To provide backward compatibility, the kernel defaults to using the
legacy mechanism.  To switch to the new mechanism, gss-proxy must bind
to /var/run/gssproxy.sock and then write "1" to
/proc/net/rpc/use-gss-proxy.  If gss-proxy dies, it must repeat both
steps.

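The negotiation rules above make an operational check worth automating: a kernel whose use-gss-proxy flag is "1" while /var/run/gssproxy.sock is missing (gss-proxy died and has not re-bound) will fail every KRB5 context establishment until the daemon restarts. The script below is an added example, not code from the kernel document or from nfs-utils/gssproxy; the file paths are parameters defaulting to the ones the document names, and the "unknown" and "unsupported" outcomes are the example's own convention.

```shell
# Added example (not part of the kernel document): report which RPCSEC_GSS
# upcall mechanism an NFS server kernel is set to use, by applying the
# negotiation rules described above to the flag file and the gss-proxy socket.

# Prints exactly one of: legacy, gss-proxy, broken, unsupported, unknown
upcall_mode() {
    flag_file="${1:-/proc/net/rpc/use-gss-proxy}"
    sock="${2:-/var/run/gssproxy.sock}"

    # A kernel without the new RPC upcall has no use-gss-proxy file at all.
    if [ ! -e "$flag_file" ]; then
        echo unsupported
        return 0
    fi

    # Reading the live proc file may block until some daemon has written it,
    # so bound the wait when a timeout(1) binary is available.
    if command -v timeout >/dev/null 2>&1; then
        flag=$(timeout 3 cat "$flag_file" 2>/dev/null | tr -d '[:space:]')
    else
        flag=$(cat "$flag_file" 2>/dev/null | tr -d '[:space:]')
    fi

    case "$flag" in
        1) ;;                              # new mechanism requested by gss-proxy
        0) echo legacy; return 0 ;;        # kernel default: text upcall to rpc.svcgssd
        *) echo unknown; return 0 ;;       # empty (timed out) or unexpected value
    esac

    # Flag is 1, so the kernel sends upcalls over the unix socket. If gss-proxy
    # died it must re-bind and re-write the flag; until then KRB5 context
    # establishment fails, which is the state an operator wants alerted on.
    if [ -S "$sock" ]; then
        echo gss-proxy
    else
        echo broken
    fi
}
```

Run it with no arguments on an NFS server to check the live kernel, or pass copies of the flag file and socket path to exercise each branch offline.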