Re: [PATCH v2 0/3] sunrpc/nfs: more reliable detection of running gssd

["J. Bruce Fields" <bfields@fieldses.org>]

On Wed, Nov 13, 2013 at 09:30:50AM -0500, Jeff Layton wrote:
> v2:
> - change name of toplevel pipefs dir from "dummy" to "gssd" (per
>   Trond's suggestion)
> 
> - when gssd isn't running, don't bother to upcall (per Neil B.'s
>   suggestion)
> 
> - fix lifecycle of rpc_pipe data. Previously it would have leaked
>   after umount. With this set, it's created and destroyed along with
>   the netns, and just attached to the pipe inode on mount/unmount
>   of rpc_pipefs.
> 
> - patch has been added to skip attempting setclientid with krb5i
>   if gssd isn't running. This avoids the "AUTH_GSS upcall timed out"
>   message when gssd isn't running and you mount with sec=sys. It also
>   shortens the delay when gssd isn't up.
> 
> The original cover letter from the v1 posting follows. Note that this
> set does address the warnings about the AUTH_GSS upcall timing out.
> 
> -------------------------[snip]-----------------------------
> 
> We've gotten a lot of complaints recently about the 15s delay when
> doing a sec=sys mount without gssd running.
> 
> A large part of the problem is that the kernel isn't able to reliably
> detect when rpc.gssd is running. What we currently have is a
> gssd_running flag that is initially set to 1. When an upcall times out,
> that gets set to 0, and subsequent upcalls get a much shorter timeout
> (1/4s instead of 15s). It's reset back to '1' when a pipe is reopened.
> 
> The approach of using a flag like this is pretty inadequate. First, it
> doesn't eliminate the long delay on the initial upcall attempt. Also,
> if gssd spontaneously dies, then the flag will still be set to 1 until
> the next upcall attempt times out. Finally, it currently requires that
> the pipe be reopened in order to reset the flag back to true.
> 
> This patchset replaces that flag with a more reliable mechanism for
> detecting when gssd is running. When rpc_pipefs is mounted, it creates a
> new "dummy" pipe that gssd will naturally find and hold open. We'll
> never send an upcall down this pipe, and writing to it always fails.
> But, since we can detect when something is holding it open, we can use
> that to determine whether gssd is running.

I think this might have been addressed before, I don't remember: does
the init system currently have a way to wait till gssd has gotten as far
as scanning pipefs before allowing mounts?

(To avoid the race where a krb5 mount fails because gssd is still in the
process of being started.)

--b.

> 
> The current patch just uses this mechanism to replace the gssd_running
> flag with this new mechanism. This shortens the long delay when mounting
> without gssd running, but does not silence these warnings:
> 
>     RPC: AUTH_GSS upcall timed out.
>     Please check user daemon is running.
> 
> I'm willing to add a patch to do that, but I'm a little unclear on the
> best way to do so. Those messages are generated by the auth_gss code. We
> probably do want to print them if someone mounted with sec=krb5, but
> suppress them when mounting with sec=sys.
> 
> Do we need to somehow pass down that intent to auth_gss? Another idea
> would be to call gssd_running() from the nfs mount code and use that to
> determine whether to try and use krb5 at all...
> 
> Discuss!
> 
> Jeff Layton (3):
>   sunrpc: create a new dummy pipe for gssd to hold open
>   sunrpc: replace sunrpc_net->gssd_running flag with a more reliable
>     check
>   nfs: check if gssd is running before attempting to use krb5i auth in
>     SETCLIENTID call
> 
>  fs/nfs/client.c                    |   5 +-
>  fs/nfs/internal.h                  |   4 +-
>  fs/nfs/nfs4client.c                |   8 ++-
>  include/linux/nfs_xdr.h            |   2 +-
>  include/linux/sunrpc/auth_gss.h    |  10 ++++
>  include/linux/sunrpc/rpc_pipe_fs.h |   7 ++-
>  net/sunrpc/auth_gss/auth_gss.c     |  19 +++++--
>  net/sunrpc/netns.h                 |   3 +-
>  net/sunrpc/rpc_pipe.c              | 104 ++++++++++++++++++++++++++++++++++---
>  net/sunrpc/sunrpc_syms.c           |   8 ++-
>  10 files changed, 147 insertions(+), 23 deletions(-)
> 
> -- 
> 1.8.3.1
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html