From: Steve Dickson <SteveD@redhat.com>
To: Benjamin Coddington <bcodding@uvm.edu>
Cc: linux-nfs@vger.kernel.org, David Howells <dhowells@redhat.com>
Subject: Re: [PATCH] nfsidmap: use multiple child keyrings
Date: Mon, 24 Mar 2014 19:57:15 -0400
Message-ID: <5330C65B.6010904@RedHat.com>
In-Reply-To: <53308CD4.9020307@RedHat.com>


On 03/24/2014 03:51 PM, Steve Dickson wrote:
> 
> 
> On 03/24/2014 02:00 PM, Benjamin Coddington wrote:
>>
>> On Mar 24, 2014, at 1:00 PM, Steve Dickson <SteveD@redhat.com> wrote:
>>
>>> On 03/21/2014 05:08 PM, Benjamin Coddington wrote:
>>>> The kernel keyring has a max of ~508 entries on 64-bit systems.
>>>> For installations with more distinct users than this limit, create
>>>> a specified number of child keyrings and fill them evenly.
>>> A couple things... 
>>>
>>> 1) no Signed-off-by: line
>>>
>>> 2) It seems you can create key rings but can't delete them.
>>>   Here is what I'm doing:
>>>   in /etc/request-key.d/id_resolver.conf I have
>>>    create    id_resolver * *    /usr/sbin/nfsidmap -n 10 %k %d
>>> but when I tried to delete the keys
>>>    # nfsidmap -vc
>>>    nfsidmap: clearing '08aa156c I--Q---     1perm 3f010000     0     0 keyring   .id_resolver_child_10: empty'
>>>    nfsidmap: keyctl_clear(0x8aa156c) failed: Permission denied
>>
>> This mess works on my fleet of RHEL6 boxes which is where I was trying to fix this.  They create the child keyrings with
>>
>> perm 3b3f0000
>>
>> Instead of yours which appears to be
>>
>> perm 3f010000
>>
>> Are you testing on a later kernel?  Likely this behavior has changed.
> Yes... Much later... 
> 
>>
>>>> #define PROCKEYS "/proc/keys"
>>>> #ifndef DEFAULT_KEYRING
>>>> -#define DEFAULT_KEYRING "id_resolver"
>>>> +#define DEFAULT_KEYRING ".id_resolver"
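Review bot: the DEFAULT_KEYRING change from "id_resolver" to ".id_resolver" carries no comment explaining the leading dot, and the commit message quoted above only describes the ~508 entry limit and the child keyrings. The request-key.d entry quoted in this thread still names the keyring id_resolver, so add a comment at the #define saying which name this constant has to match (the request-key.d entry or the names listed in PROCKEYS), and consider splitting the rename into its own patch. Since the define sits under #ifndef DEFAULT_KEYRING, the commit message should also say that builds which set DEFAULT_KEYRING themselves keep whatever name they pass in.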
>>> 3) Why is changing the default needed?
>>
>> The default is wrong.  I think that's the first thing I changed when 
>> trying to fix this problem, since it looked like id_lookup() should 
>> gracefully recover in the case that the keyring was full 
>> (but it still doesn't). 
> I think the "id_resolver" default came from the fact
> the entry /etc/request-key.d/id_resolver.conf 
> which tells nfsidmap to put the keys on the id_resolver
> key ring... so I'm not really sure where the
> .id_resolver is coming from... CC-ing David Howells
> maybe he knows... 
To translate in king's English... 

The reason the default is "id_resolver" is because the
name of the key ring defined in id_resolver.conf
is id_resolver. Now how that is translated into ".id_resolver"
in /proc/keys is not clear.... 

steved.
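
Added example, not code from the patch, nfs-utils or anyone in this thread: it decodes the two `perm` masks quoted above (3f010000 and 3b3f0000) using the kernel's key permission layout, one byte each for possessor, user, group and other, to show which classes hold Write, the permission keyctl_clear() requires on a keyring. All helper names are hypothetical.

```c
/* Added example: helper names are hypothetical; the sample line is the start of the one quoted in the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PERM_WRITE 0x04u /* Write bit inside each 8-bit class field */
enum key_class { CLS_OTHER, CLS_GROUP, CLS_USER, CLS_POSSESSOR }; /* byte index, low to high */

/* The six permission bits granted to one class. */
static unsigned class_bits(uint32_t perm, enum key_class c)
{
    return (perm >> (8 * c)) & 0x3fu;
}

/* Render one class in "alswrv" order (setattr, link, search, write, read, view). */
static const char *class_str(uint32_t perm, enum key_class c, char out[7])
{
    unsigned b = class_bits(perm, c);
    for (int i = 0; i < 6; i++)
        out[i] = (b & (0x20u >> i)) ? "alswrv"[i] : '-';
    out[6] = '\0';
    return out;
}

/* Read the hex mask that follows "perm " in a /proc/keys style line. */
static int parse_perm(const char *line, uint32_t *perm)
{
    const char *p = strstr(line, "perm ");
    unsigned int v;
    if (!p || sscanf(p + 5, "%8x", &v) != 1)
        return -1;
    *perm = v;
    return 0;
}

/* Clearing a keyring needs Write; possessor bits are added only if the caller possesses it. */
static int can_clear(uint32_t perm, enum key_class c)
{
    return (class_bits(perm, c) & PERM_WRITE) != 0;
}

int main(void)
{
    uint32_t m[2] = { 0, 0x3b3f0000u }; /* m[1]: the RHEL6 mask from the thread */
    char p[7], u[7];
    if (parse_perm("08aa156c I--Q---     1perm 3f010000     0     0 keyring", &m[0])) return 1;
    for (int i = 0; i < 2; i++)
        printf("%08x pos=%s usr=%s user-can-clear=%d\n", (unsigned)m[i], class_str(m[i], CLS_POSSESSOR, p), class_str(m[i], CLS_USER, u), can_clear(m[i], CLS_USER));
    return 0;
}
```

With 3f010000 only the possessor field carries Write and the user field is view-only; with 3b3f0000 it is the reverse, the user field carries Write and the possessor field does not.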
