From: Tommi Virtanen <tommi.virtanen@dreamhost.com>
To: Colin Patrick McCabe <colin.mccabe@dreamhost.com>
Cc: ceph-devel@vger.kernel.org
Subject: Re: Ideas on NSS vs fork?
Date: Fri, 29 Apr 2011 09:14:24 -0700
Message-ID: <20110429161424.GA30051@dreamer>
In-Reply-To: <BANLkTimF1sLvLuw3tztW8Ee6eLV6vP1-8w@mail.gmail.com>

On Thu, Apr 28, 2011 at 11:02:57PM -0700, Colin Patrick McCabe wrote:
> The question we need to answer is really whether forking somehow
> destroys the state of the parent process, even if the child thread
> never runs any libNSS code. If the answer is no, which is very likely,
> then essentially our situation is unchanged.

For NSS, only the pid that ran ceph::crypto::init() has a working
crypto library.

1. If you init before forking, any forked processes will have their
   NSS return errors, with no way to fix that. The parent keeps
   working.

2. If you init after forking, the parent never even tries to init crypto,
   the child does and gets a perfectly working crypto library.

2b. As an extension of above, the parent *could* init crypto after it
    has already forked off the child. We just have no need for that.


None of these make it possible for the child to wreck the NSS state in
the parent.

(The Ceph daemons before commit c9825f08 follow #1, that commit makes
them follow #2.)

-- 
:(){ :|:&};:
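
The three orderings listed in the message above, as an added example that is not part of the original email and is neither Ceph nor NSS code. It models a library whose state is bound to the pid that initialised it; `model_init`, `model_op` and `run_case` are hypothetical names, and the refusal to re-initialise inherited state is an assumption taken from the message's "no way to fix that".

```c
/* Added model, not Ceph or NSS code: crypto state bound to the pid that ran init. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static pid_t init_pid;                 /* 0 = never initialised */

/* Hypothetical stand-in for ceph::crypto::init(). State inherited across
 * fork() cannot be re-initialised, matching "no way to fix that". */
static int model_init(void) {
    if (init_pid != 0 && init_pid != getpid()) return -1;
    init_pid = getpid();
    return 0;
}

/* Hypothetical crypto call: succeeds only in the pid that ran model_init(). */
static int model_op(void) { return init_pid == getpid() ? 0 : -1; }

struct outcome { int parent_ok, child_ok; };

static struct outcome run_case(int init_before_fork, int parent_init_late) {
    struct outcome o = { 0, 0 };
    int status = 0;
    init_pid = 0;                      /* fresh process state for each case */
    if (init_before_fork) model_init();
    fflush(NULL);                      /* avoid duplicated stdio buffers in the child */
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(EXIT_FAILURE); }
    if (pid == 0) {                    /* child: try to init, then use crypto */
        model_init();
        _exit(model_op() == 0 ? 0 : 1);
    }
    if (parent_init_late) model_init();    /* case 2b */
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); exit(EXIT_FAILURE); }
    o.child_ok = WIFEXITED(status) && WEXITSTATUS(status) == 0;
    o.parent_ok = (model_op() == 0);
    return o;
}

int main(void) {
    const char *name[] = { "1  init before fork", "2  init in child only", "2b parent inits late" };
    int args[][2] = { {1, 0}, {0, 0}, {0, 1} };
    for (int i = 0; i < 3; i++) {
        struct outcome o = run_case(args[i][0], args[i][1]);
        printf("%-22s parent_ok=%d child_ok=%d\n", name[i], o.parent_ok, o.child_ok);
    }
    return 0;
}
```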

Thread overview: 5+ messages
2011-04-28 21:29 Ideas on NSS vs fork? Tommi Virtanen
2011-04-29  6:02 ` Colin Patrick McCabe
2011-04-29 15:49   ` Sage Weil
2011-04-29 16:14   ` Tommi Virtanen [this message]
2011-04-29 16:15     ` Tommi Virtanen
