From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: raini@rainiday.com
Cc: Jeff Layton <jlayton@redhat.com>,
Kevin Coffman <kwc@citi.umich.edu>,
linux-nfs@vger.kernel.org
Subject: Re: [NFS] NFS/krb and batch jobs - doable?
Date: Wed, 14 Oct 2009 13:12:55 -0400 [thread overview]
Message-ID: <1255540375.3173.4.camel@heimdal.trondhjem.org> (raw)
In-Reply-To: <4603e94d7a85c40d7252308f394bb6ba.squirrel@webmail.rainiday.com>
On Wed, 2009-10-14 at 09:47 -0700, raini@rainiday.com wrote:
> > On Tue, 13 Oct 2009 13:51:33 -0400
> > Trond Myklebust <trond.myklebust@fys.uio.no> wrote:
> >
> >> On Tue, 2009-10-13 at 13:27 -0400, Jeff Layton wrote:
> >> > Correct...and gssd actually does check the validity of the cache. If
> >> > TGT has expired or it's not valid for some other reason, then it skips
> >> > it and moves on.
> >> >
> >> > The problem comes when you have more than one valid credcache. In that
> >> > case it picks the one with the latest mtime. It seems that it should
> >> > instead pick the one with the latest TGT expiration time.
> >>
> >> So why do you think that is a problem? The result should be that
> >> rpc.gssd always ends up with a valid credential as long as there is at
> >> least one with a valid TGT.
> >> IOW: Who cares if the GSS session isn't going to last as long, as long
> >> as the RPC client can always instantiate a new one.
> >>
> >
> > Hrm...good point. I suppose that as long as gssd can pick a new
> > credcache if the context expires then this patch is superfluous. Wasn't
> > that support only added fairly recently (around a year ago?)? If so, it
> > may just be that raini isn't using a recent enough nfs-utils...
>
> Hm - well I'm stuck on production machines (RHEL5) so currently on
> nfs-utils 1.0.9 which I'm going to take a wild guess may be problematic
> either way. Could someone point me to information on this change (I see
> little in http://www.kernel.org/pub/linux/utils/nfs/)?
>
> The reason I thought the new code would be useful is that if default
> tickets are non-renewable and short lifetime, it seems sensible for gssd
> to spot and use a longer lifetime renewable ticket in another ccache file
> - and say use krenew to keep the job alive (or even cope with the user
> renewing the ticket manually).
>
> Seems to me therefore that in the absence of per-session ccaches, gssd
> should prefer long lifetime, and renewable.
No. That is not a necessary condition.
> Would the newer code you mention cope with this situation already?
Yes. Please reread the thread carefully again.
As long as gssd always select from among the valid (i.e. unexpired)
TGTs, then the actual remaining lifetime of the particular TGT that was
selected doesn't matter; gssd will always be able to renew the resulting
RPCSEC_GSS session when it expires.
Trond
next prev parent reply other threads:[~2009-10-14 17:13 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-09 15:15 [NFS] NFS/krb and batch jobs - doable? raini-9HxftnAiGddWk0Htik3J/w
[not found] ` <c8e974302190b867ad8ea49d8158f1db.squirrel-2RFepEojUI30fF+2cCIZ11aTQe2KTcn/@public.gmane.org>
2009-10-09 16:16 ` Jeff Layton
[not found] ` <20091009121602.5ec86dfb-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2009-10-09 16:53 ` raini-9HxftnAiGddWk0Htik3J/w
[not found] ` <1c358fde92c49215d84129a1bfe2c6ec.squirrel-2RFepEojUI30fF+2cCIZ11aTQe2KTcn/@public.gmane.org>
2009-10-10 13:00 ` Jeff Layton
[not found] ` <20091010090039.4dfd1dfb-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2009-10-13 15:28 ` raini-9HxftnAiGddWk0Htik3J/w
[not found] ` <ee56329e7d86a3e4b15001a39bb7e14a.squirrel-2RFepEojUI30fF+2cCIZ11aTQe2KTcn/@public.gmane.org>
2009-10-13 15:44 ` Jeff Layton
[not found] ` <20091013114441.2882c8b9-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2009-10-13 15:51 ` Kevin Coffman
2009-10-13 16:56 ` Trond Myklebust
2009-10-13 17:27 ` Jeff Layton
[not found] ` <20091013132701.72927b4d-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2009-10-13 17:51 ` Trond Myklebust
2009-10-13 18:03 ` Jeff Layton
2009-10-14 16:47 ` raini
2009-10-14 17:12 ` Trond Myklebust [this message]
2009-10-14 18:19 ` Kevin Coffman
2009-10-13 15:59 ` raini
2009-10-13 17:31 ` Jeff Layton
2009-10-13 17:52 ` Jeff Layton
2009-10-14 17:00 ` raini
2009-10-14 17:21 ` Jeff Layton
[not found] ` <f99e65f7b2fe66fc32dee931fd6bd525.squirrel@webmail.rainiday.com>
[not found] ` <f99e65f7b2fe66fc32dee931fd6bd525.squirrel-2RFepEojUI30fF+2cCIZ11aTQe2KTcn/@public.gmane.org>
2009-10-09 17:05 ` raini-9HxftnAiGddWk0Htik3J/w
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1255540375.3173.4.camel@heimdal.trondhjem.org \
--to=trond.myklebust@fys.uio.no \
--cc=jlayton@redhat.com \
--cc=kwc@citi.umich.edu \
--cc=linux-nfs@vger.kernel.org \
--cc=raini@rainiday.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox