From: Hannes Reinecke <hare@suse.de>
To: Sagi Grimberg <sagi@grimberg.me>, Daniel Wagner <dwagner@suse.de>
Cc: Christoph Hellwig <hch@lst.de>, Keith Busch <kbusch@kernel.org>,
James Smart <james.smart@broadcom.com>,
linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 1/6] nvme: authentication error are always non-retryable
Date: Wed, 10 Apr 2024 14:05:46 +0200 [thread overview]
Message-ID: <03370383-d8d1-4b43-89f4-e9a3985c96e9@suse.de> (raw)
In-Reply-To: <8c9a980f-4885-479c-9078-7f87dc92175c@grimberg.me>
On 4/10/24 12:21, Sagi Grimberg wrote:
>
>
> On 10/04/2024 9:52, Daniel Wagner wrote:
>> On Tue, Apr 09, 2024 at 11:26:00PM +0300, Sagi Grimberg wrote:
>>>
>>> On 09/04/2024 12:35, Daniel Wagner wrote:
>>>> From: Hannes Reinecke <hare@suse.de>
>>>>
>>>> Any authentication errors which are generated internally are always
>>>> non-retryable, so use negative error codes to ensure they are not
>>>> retried.
>>> The patch title says that any authentication error is not retryable, and
>>> the patch body says "authentication errors which are generated locally
>>> are non-retryable" so which one is it?
>> Forgot to update the commit message. What about:
>>
>> All authentication errors are non-retryable, so use negative error
>> codes to ensure they are not retried.
>>
>> ?
>
> I have a question, what happens if nvmet updated its credentials (by the
> admin) and in the period until the host got his credentials updated, it
> happens to disconnect/reconnect. It will see an authentication
> error, so it will not retry and remove the controller altogether?
>
> Sounds like an issue to me.
Usual thing: we cannot differentiate (on the host side) whether the
current PSK is _about_ to be replaced; how should the kernel
know that the admin will replace the PSK in the next minutes?
But that really is an issue with the standard. Currently there is no
way how a target could inform the initiator that the credentials have
been updated.
We would need to define a new status code for this.
In the meantime the safe operations model is to set a lifetime
for each PSK, and ensure that the PSK is updated on both sides
during the lifetime. With that there is a timeframe during which
both PSKs are available (on the target), and the older will expire
automatically once the lifetime limit is reached.
Cheers,
Hannes
next prev parent reply other threads:[~2024-04-10 12:06 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-09 9:35 [PATCH v5 0/6] nvme-fabrics: short-circuit connect retries Daniel Wagner
2024-04-09 9:35 ` [PATCH v5 1/6] nvme: authentication error are always non-retryable Daniel Wagner
2024-04-09 13:59 ` Christoph Hellwig
2024-04-09 20:16 ` Sagi Grimberg
2024-04-09 20:26 ` Sagi Grimberg
2024-04-10 6:52 ` Daniel Wagner
2024-04-10 10:21 ` Sagi Grimberg
2024-04-10 12:05 ` Hannes Reinecke [this message]
2024-04-10 13:50 ` Sagi Grimberg
2024-04-11 7:11 ` Hannes Reinecke
2024-04-11 8:37 ` Sagi Grimberg
2024-04-09 9:35 ` [PATCH v5 2/6] nvmet: lock config semaphore when accessing DH-HMAC-CHAP key Daniel Wagner
2024-04-09 9:35 ` [PATCH v5 3/6] nvme-tcp: short-circuit reconnect retries Daniel Wagner
2024-04-09 13:59 ` Christoph Hellwig
2024-04-09 20:20 ` Sagi Grimberg
2024-04-10 6:01 ` Hannes Reinecke
2024-04-09 20:40 ` Sagi Grimberg
2024-04-10 10:06 ` Daniel Wagner
2024-04-09 9:35 ` [PATCH v5 4/6] nvme-rdma: " Daniel Wagner
2024-04-09 14:00 ` Christoph Hellwig
2024-04-09 14:19 ` Keith Busch
2024-04-09 20:21 ` Sagi Grimberg
2024-04-09 20:28 ` Sagi Grimberg
2024-04-12 2:50 ` Keith Busch
2024-04-09 9:35 ` [PATCH v5 5/6] nvme-fc: use nvme_ctrl_reconnect to decide reconnect attempts Daniel Wagner
2024-04-09 14:01 ` Christoph Hellwig
2024-04-09 9:35 ` [PATCH v5 6/6] nvmet: return DHCHAP status codes from nvmet_setup_auth() Daniel Wagner
2024-04-09 14:03 ` Christoph Hellwig
2024-04-09 20:23 ` Sagi Grimberg
2024-04-10 6:45 ` Hannes Reinecke
2024-04-12 0:35 ` [PATCH v5 0/6] nvme-fabrics: short-circuit connect retries Keith Busch
2024-04-12 7:24 ` Daniel Wagner
2024-04-12 15:24 ` Keith Busch
2024-04-14 8:34 ` Sagi Grimberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=03370383-d8d1-4b43-89f4-e9a3985c96e9@suse.de \
--to=hare@suse.de \
--cc=dwagner@suse.de \
--cc=hch@lst.de \
--cc=james.smart@broadcom.com \
--cc=kbusch@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox