From: Nico Williams <nico@cryptonector.com>
To: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Simo Sorce <simo@redhat.com>, dhowells <dhowells@redhat.com>,
linux-nfs@vger.kernel.org, krbdev <krbdev@mit.edu>
Subject: Re: GSSAPI Proxy initiative
Date: Fri, 4 Nov 2011 09:51:20 -0500 [thread overview]
Message-ID: <CAK3OfOgPaXfrSkf6GtBNX3Gw3+mr1h+dNEuBMpGKL4ok=QLBUQ@mail.gmail.com> (raw)
In-Reply-To: <1320356806.18396.149.camel@lade.trondhjem.org>
On Thu, Nov 3, 2011 at 4:46 PM, Trond Myklebust
<Trond.Myklebust@netapp.com> wrote:
> On Thu, 2011-11-03 at 17:30 -0400, Simo Sorce wrote:
>> I have discussed use of the keyring in a private discussion before
>> starting the thread, and it turns out the keyring has a number of
>> limitations that makes it probably unsuitable for this project.
>>
>> As an upcall mechanism it has some limitations on the size of the
>> payloads, IIRC limited to a page, and that means that you cannot pass
>> blobs carrying big kerberos tickets.
I never meant storing the ccache, or even the TGTs in the keyring.
>> As a storage mechanism for credential caches it also has size limits.
>> Currently the limit is 20k per user which is not even enough to hold a
>> single ticket in some cases. This limit can be increased of course, but
>> then you end keeping around a huge amount of unswappable ram depending
>> on the number of users.
>
> Allowing keys to be swapped out is a really really really really really
> really bad idea when your kernel depends upon them being available as
> part of the memory reclaim process, as would be the case when you are
> talking about NFS, CIFS or AFS dirty page writebacks.
If you have local swap you'll be fine. Of course, the text for the
gssd had better be in-core. Diskless over NFS doesn't work all that
well, IMO.
Obviously you'll need to be able to block the triggering
process/syscall, and you'll need to make sure there's no deadlock, but
the first is a given (since we're talking about NFS) and the second
should be possible if gssd does not stray into any NFS mounts (see my
comment about disklessness over NFS).
But even if you want diskless over NFS with RPCSEC_GSS (you'll want
RPCSEC_GSSv3) you can make this work by ensuring that all of the text
of gssd and its libraries and plugins and... are pinned in-core, and
by not swapping over NFS. The way Linux boot works this is quite
feasible. You'll want ccaches stored in tmpfs, of course.
>> So for long term storage of credentials we will probably not rely on
>> kernel keyrings, nor as an upcall mechanism.
>
> So this would be an argument for scrapping keyrings from the kernel? If
> they're not good for kerberos tickets, why would we want to keep them at
> all?
> What would you replace them with, given the above requirements
> concerning swapping?
No, I don't think it's an argument for scrapping keyrings, just for
not storing actual credentials in them (store references to them
instead).
I like to think that my CPG proposal for Solaris from a few years ago
is much cleaner than keyrings. But keyrings could be made to do.
Nico
--
next prev parent reply other threads:[~2011-11-04 14:51 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-02 21:26 GSSAPI Proxy initiative Simo Sorce
2011-11-02 23:05 ` Simo Sorce
2011-11-03 3:24 ` Nico Williams
2011-11-03 14:58 ` Simo Sorce
2011-11-03 16:05 ` Nico Williams
2011-11-03 16:31 ` Simo Sorce
2011-11-03 18:57 ` Nico Williams
2011-11-03 20:39 ` Trond Myklebust
2011-11-03 20:53 ` Nico Williams
2011-11-03 21:30 ` Simo Sorce
2011-11-03 21:46 ` Trond Myklebust
2011-11-03 22:00 ` Simo Sorce
2011-11-03 22:16 ` Myklebust, Trond
2011-11-03 23:47 ` Simo Sorce
2011-11-04 14:34 ` J. Bruce Fields
2011-11-04 15:13 ` Nico Williams
2011-11-04 15:36 ` Nico Williams
2011-11-04 15:55 ` Adamson, Andy
2011-11-04 16:20 ` Nico Williams
2011-11-04 16:25 ` Simo Sorce
2011-11-04 16:43 ` Nico Williams
2011-11-04 16:30 ` Adamson, Andy
2011-11-04 16:42 ` Nico Williams
2011-11-04 14:51 ` Nico Williams [this message]
2011-11-03 21:58 ` Tom Yu
2011-11-03 15:42 ` Nico Williams
2011-11-03 16:10 ` Simo Sorce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAK3OfOgPaXfrSkf6GtBNX3Gw3+mr1h+dNEuBMpGKL4ok=QLBUQ@mail.gmail.com' \
--to=nico@cryptonector.com \
--cc=Trond.Myklebust@netapp.com \
--cc=dhowells@redhat.com \
--cc=krbdev@mit.edu \
--cc=linux-nfs@vger.kernel.org \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).