From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: berrange@redhat.com, qemu-block@nongnu.org
Subject: [PATCH 0/3] nbd: Try for cleaner TLS shutdown
Date: Fri, 27 Mar 2020 11:19:33 -0500 [thread overview]
Message-ID: <20200327161936.2225989-1-eblake@redhat.com> (raw)
I'm currently trying to debug a hang in 'nbdkit nbd' as a client when
TLS is in use, when dealing with three processes:
nbdkit example1[1] <=tls=> nbdkit nbd[2] <=plain=> qemu-nbd --list[3]
In theory, when process [3] exits, the server side of process [2] is
supposed to disconnect as client from process [1]. But we were
hitting sporadic hangs where process [2] was stuck in a poll() while
in gnutls cleanup code, which appears to be because it did not
recognize a clean shutdown from process [3].
I do not yet have a strong reproducible test case (which might include
adding strategic sleep()s in one-off compilations) to prove that the
problem is an unclean TLS shutdown, but at the same time, the gnutls
documentation is clear that without proper use of gnutls_bye(), a
client cannot distinguish between clean end of communications and a
malicious interruption in service. Shutting down the write side of a
bi-directional socket as soon as possible makes it easier for a client
to begin its own shutdown actions, and can help in avoiding deadlocks
where both sides of a connection are waiting for the other side to
close() the socket first. If I can come up with a reliable test case,
this series may be a candidate for 5.0; but for now, I'm only
proposing it for 5.1 (we've had more than one release where qemu was
not exploiting the full power of gnutls_bye(), and even if that
triggers poor interaction with other endpoints such as nbdkit, going
one more release with the same behavior isn't making things worse).
Eric Blake (3):
crypto: Add qcrypto_tls_shutdown()
io: Support shutdown of TLS channel
nbd: Use shutdown(SHUT_WR) after last item sent
qapi/crypto.json | 15 +++++++++++++++
include/crypto/tlssession.h | 24 ++++++++++++++++++++++++
block/nbd.c | 1 +
crypto/tlssession.c | 27 +++++++++++++++++++++++++++
io/channel-tls.c | 27 ++++++++++++++++++++++++++-
nbd/client.c | 3 ++-
nbd/server.c | 4 ++++
7 files changed, 99 insertions(+), 2 deletions(-)
--
2.26.0.rc2
next reply other threads:[~2020-03-27 16:21 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-27 16:19 Eric Blake [this message]
2020-03-27 16:19 ` [PATCH 1/3] crypto: Add qcrypto_tls_shutdown() Eric Blake
2020-03-31 8:30 ` Markus Armbruster
2020-03-31 15:17 ` Eric Blake
2020-03-31 15:33 ` Daniel P. Berrangé
2020-03-27 16:19 ` [PATCH 2/3] io: Support shutdown of TLS channel Eric Blake
2020-03-27 16:40 ` Daniel P. Berrangé
2020-03-27 17:29 ` Eric Blake
2020-03-27 17:43 ` Daniel P. Berrangé
2020-03-27 18:46 ` Eric Blake
2020-03-27 16:19 ` [PATCH 3/3] nbd: Use shutdown(SHUT_WR) after last item sent Eric Blake
2020-03-27 16:35 ` Daniel P. Berrangé
2020-03-27 17:42 ` Eric Blake
2020-03-27 17:47 ` Daniel P. Berrangé
2020-03-27 18:44 ` [PATCH 0/3] nbd: Try for cleaner TLS shutdown no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200327161936.2225989-1-eblake@redhat.com \
--to=eblake@redhat.com \
--cc=berrange@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).