Details

    • Technical task
    • Resolution: Fixed
    • Major
    • Lustre 2.5.0
    • Lustre 2.3.0, Lustre 2.4.0, Lustre 2.5.0
    • any
    • 3
    • 8142

    Description

      Lustre's autoconf scripts require Kerberos to be installed when --enable-gss is specified. Currently, only the Kerberos GSSAPI mechanism supported by Lustre, but others are planned in the future, such as those being developed for shared key authentication (project SFS-DEV-001.2). GSSAPI is meant to allow calling code to be mechanism-agnostic, so requiring Kerberos defeats that purpose.

      The definition of the LC_CONFIG_GSS macro in lustre/autoconf/lustre-core.m4 unconditionally calls AC_KERBEROS_V5 from lustre/autoconf/kerberos.m4, which fails when Kerberos isn't found:

      dnl We didn't find a usable Kerberos environment
      if test "x$KRBDIR" = "x"; then
      if test "x$krb5_with" = "x"; then
      AC_MSG_ERROR(Kerberos v5 with GSS support not found: consider --disable-gss or --with-krb5=)
      else
      AC_MSG_ERROR(Kerberos v5 with GSS support not found at $krb5_with)
      fi
      fi
      AC_MSG_RESULT($KRBDIR)

      This macro ought to instead note the location of the Kerberos headers and libraries but not result in a fatal error if they don't exist. I don't know if this approach will result in link-time or runtime errors that would also need to be corrected.

      Ubuntu also needs GSS libraries:

      configure: error: libkeyutils is not found, which is required by gss keyring backend
      

      Attachments

        Issue Links

          Activity

            [LU-3288] Enabling GSSAPI support requires Kerberos libraries to be installed

            Yes, I believe this ticket has been resolved. Thanks!

            ajk Andrew Korty (Inactive) added a comment - Yes, I believe this ticket has been resolved. Thanks!
            mdiep Minh Diep added a comment -

            Andrew,

            Let me know if there's anything else or I can close this ticket. I will close if I don't hear from you by the end of this week.

            mdiep Minh Diep added a comment - Andrew, Let me know if there's anything else or I can close this ticket. I will close if I don't hear from you by the end of this week.

            Sounds good. Probably a good idea, then, to close this ticket and open one specifically for Ubuntu.

            joshua Joshua Kugler (Inactive) added a comment - Sounds good. Probably a good idea, then, to close this ticket and open one specifically for Ubuntu.
            mdiep Minh Diep added a comment -

            afaik, LU-3490 has landed and all issues have been resolved. I am not sure what else needs to be done for this ticket. As for the Ubuntu, similar to sles11, it needs more works to include the proper functions

            mdiep Minh Diep added a comment - afaik, LU-3490 has landed and all issues have been resolved. I am not sure what else needs to be done for this ticket. As for the Ubuntu, similar to sles11, it needs more works to include the proper functions

            Assign-ing to Minh, as I believe he is working on the Ubuntu libs issue.

            joshua Joshua Kugler (Inactive) added a comment - Assign-ing to Minh, as I believe he is working on the Ubuntu libs issue.
            mdiep Minh Diep added a comment - we also need gssapi for ubuntu http://build.whamcloud.com/job/lustre-reviews/18264/arch=x86_64,build_type=client,distro=ubuntu1004,ib_stack=inkernel/consoleFull
            mdiep Minh Diep added a comment -

            seems like we need krb5-libs for suse.

            build on suse failed due to
            checking for Kerberos v5... /usr
            The current KRBDIR is /usr
            checking for gss_krb5_export_lucid_sec_context in -lgssapi_krb5... yes
            checking for gss_krb5_set_allowable_enctypes in -lgssapi_krb5... yes
            checking for gss_krb5_ccache_name in -lgssapi_krb5... yes
            checking for krb5_get_error_message in -lgssapi_krb5... yes
            checking for krb5_get_init_creds_opt_set_addressless in -lgssapi_krb5... no
            checking for krb5int_derive_key in -lgssapi_krb5... no

            http://build.whamcloud.com/job/lustre-reviews/18238/arch=x86_64,build_type=client,distro=sles11,ib_stack=inkernel/consoleFull

            mdiep Minh Diep added a comment - seems like we need krb5-libs for suse. build on suse failed due to checking for Kerberos v5... /usr The current KRBDIR is /usr checking for gss_krb5_export_lucid_sec_context in -lgssapi_krb5... yes checking for gss_krb5_set_allowable_enctypes in -lgssapi_krb5... yes checking for gss_krb5_ccache_name in -lgssapi_krb5... yes checking for krb5_get_error_message in -lgssapi_krb5... yes checking for krb5_get_init_creds_opt_set_addressless in -lgssapi_krb5... no checking for krb5int_derive_key in -lgssapi_krb5... no http://build.whamcloud.com/job/lustre-reviews/18238/arch=x86_64,build_type=client,distro=sles11,ib_stack=inkernel/consoleFull
            spitzcor Cory Spitz added a comment -

            FYI, we caught a problem with GSSAPI prerequisites checking from change #6740 and updated LU-3490.

            spitzcor Cory Spitz added a comment - FYI, we caught a problem with GSSAPI prerequisites checking from change #6740 and updated LU-3490 .

            From the meeting today, it at least looks like the packages are running configure and completing the build.

            At this point, we aren't yet sure if the gssd is actually being built, or if it is missing from the lustre.spec file, but it looks like that needs to be tested locally by Andrew (using "make rpms" on a system with http://review.whamcloud.com/6740/ applied is probably the easiest). Any issues with what gets built will probably be addressed by a patch to the Lustre code.

            adilger Andreas Dilger added a comment - From the meeting today, it at least looks like the packages are running configure and completing the build. At this point, we aren't yet sure if the gssd is actually being built, or if it is missing from the lustre.spec file, but it looks like that needs to be tested locally by Andrew (using " make rpms " on a system with http://review.whamcloud.com/6740/ applied is probably the easiest). Any issues with what gets built will probably be addressed by a patch to the Lustre code.

            Thanks, I'll look through these.

            ajk Andrew Korty (Inactive) added a comment - Thanks, I'll look through these.

            People

              mdiep Minh Diep
              ajk Andrew Korty (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: