All of lore.kernel.org
 help / color / mirror / Atom feed
From: "J. Bruce Fields" <bfields@fieldses.org>
To: Simo Sorce <simo@redhat.com>
Cc: "Myklebust, Trond" <Trond.Myklebust@netapp.com>,
	Nico Williams <nico@cryptonector.com>,
	dhowells <dhowells@redhat.com>,
	linux-nfs@vger.kernel.org, krbdev <krbdev@mit.edu>
Subject: Re: GSSAPI Proxy initiative
Date: Fri, 4 Nov 2011 10:34:53 -0400	[thread overview]
Message-ID: <20111104143453.GB31541@fieldses.org> (raw)
In-Reply-To: <1320364024.7734.705.camel@willson.li.ssimo.org>

On Thu, Nov 03, 2011 at 07:47:04PM -0400, Simo Sorce wrote:
> On Thu, 2011-11-03 at 15:16 -0700, Myklebust, Trond wrote:
> 
> [..]
> 
> > No, but we still need to be able to do recovery of rpcsec_gss contexts
> > once they are broken, and right now we have a major flaw due to the
> > fact that recovery depends on a lot of small processes and data that
> > is allowed to be swapped out at the moment when we need them the most
> > (i.e. in a memory reclaim situation).
> > 
> > If the server reboots while our client is in the middle of writing
> > back a file (or several files), then the client needs to recover those
> > rpcsec_gss contexts that authenticate the processes which own any
> > dirty pages that remain to be written out.
> > Key security is an irrelevant concern once your kernel deadlocks in an
> > OOM state.
> 
> [..]
> 
> > > Currently credential caches are stored in files, is there a problem
> > > with that model ? Do you need access to credential caches from the
> > > kernel when under memory pressure ?
> 
> > Yes, there is a major problem with that model, and yes we do
> > potentially need access to credential caches when in a recovery
> > situation (which is a situation when we are usually under memory
> > pressure).
> 
> This sounds like a catch 22 situation.
> Even if the keys are pinned in kernel memory you still need the GSSAPI
> Proxy daemon in order to re-establish the security context, and that
> process could have been swapped off too.

Yes, this has been hashed over before.

You can try to pin it in memory.  And then you'd also need some way the
process could tell the kernel (e.g. when doing a system call that
required allocation) that it was working on behalf of a filesystem.  But
at that point moving context negotiation into the kernel might be more
practical.

Seems like a hard problem, but it would nice to at least have some
long-term plan.

--b.

  reply	other threads:[~2011-11-04 14:34 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-11-02 21:26 GSSAPI Proxy initiative Simo Sorce
2011-11-02 23:05 ` Simo Sorce
2011-11-03  3:24 ` Nico Williams
2011-11-03 14:58   ` Simo Sorce
2011-11-03 16:05     ` Nico Williams
2011-11-03 16:31       ` Simo Sorce
2011-11-03 18:57         ` Nico Williams
2011-11-03 20:39           ` Trond Myklebust
2011-11-03 20:53             ` Nico Williams
2011-11-03 21:30               ` Simo Sorce
2011-11-03 21:46                 ` Trond Myklebust
2011-11-03 22:00                   ` Simo Sorce
2011-11-03 22:16                     ` Myklebust, Trond
2011-11-03 23:47                       ` Simo Sorce
2011-11-04 14:34                         ` J. Bruce Fields [this message]
2011-11-04 15:13                       ` Nico Williams
2011-11-04 15:36                         ` Nico Williams
2011-11-04 15:55                         ` Adamson, Andy
2011-11-04 16:20                           ` Nico Williams
2011-11-04 16:25                             ` Simo Sorce
2011-11-04 16:43                               ` Nico Williams
2011-11-04 16:30                             ` Adamson, Andy
2011-11-04 16:42                               ` Nico Williams
2011-11-04 14:51                   ` Nico Williams
2011-11-03 21:58             ` Tom Yu
2011-11-03 15:42 ` Nico Williams
2011-11-03 16:10   ` Simo Sorce

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20111104143453.GB31541@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=Trond.Myklebust@netapp.com \
    --cc=dhowells@redhat.com \
    --cc=krbdev@mit.edu \
    --cc=linux-nfs@vger.kernel.org \
    --cc=nico@cryptonector.com \
    --cc=simo@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.