Uploaded image for project: 'Lustre'
  1. Lustre
  2. LU-3289 IU Shared Secret Key authentication and encryption
  3. LU-3778

GSS doesn't know about proxy subsystems

Details

    • Technical task
    • Resolution: Fixed
    • Critical
    • Lustre 2.8.0
    • Lustre 2.4.0
    • 9779

    Description

      Trying to use a GSS-enabled Lustre build with Kerberos authentication with 2.4.0 leads to instand LBUGs on connect because gss_internal.h::import_to_gss_svc() only knows about mgc, mdc, and osc. It bails out as soon as another component like osp or lwp tries to initiate an authenticated connection. It depends on the srpc configuration, which of the components triggers the LBUG first, but the root cause is always the proxies trying to use GSS authentication while the GSS subsystem doesn't known about them.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. LU-8880 sanity test_1: fails w/DNE @@@ faked source MDT

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. LU-6356 Kerberos revival

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. LU-3289 IU Shared Secret Key authentication and encryption

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          mentioned in

          [Whamcloud Community Wiki] Page Page No Confluence page found with the given URL.

          [Whamcloud Community Wiki] Page Page No Confluence page found with the given URL.

          Activity

            [LU-3778] GSS doesn't know about proxy subsystems
            pjones Peter Jones added a comment -

            Landed for 2.8

            pjones Peter Jones added a comment - Landed for 2.8
            gerrit Gerrit Updater added a comment -

            Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14040/
            Subject: LU-3778 sptlrpc: OSP and LWP don't know sptlrpc
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: cf57dfc4c9bf4b9d36e356d6f33550676b21e066

            gerrit Gerrit Updater added a comment - Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14040/ Subject: LU-3778 sptlrpc: OSP and LWP don't know sptlrpc Project: fs/lustre-release Branch: master Current Patch Set: Commit: cf57dfc4c9bf4b9d36e356d6f33550676b21e066
            gerrit Gerrit Updater added a comment -

            Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/14040
            Subject: LU-3778 sptlrpc: OSP and LWP don't know sptlrpc
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: fa5a6d591d883c6940179dd09e3288483769bfb6

            gerrit Gerrit Updater added a comment - Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/14040 Subject: LU-3778 sptlrpc: OSP and LWP don't know sptlrpc Project: fs/lustre-release Branch: master Current Patch Set: 1 Commit: fa5a6d591d883c6940179dd09e3288483769bfb6
            sebastien.buisson Sebastien Buisson (Inactive) added a comment -

            Hi,

            Following Andreas' advice, I have made a patch that initializes the sptlrpc subsystem for OSP and LWP connections, by calling sptlrpc_lprocfs_cliobd_attach(). I also found that GSS related functions must not return an LBUG when dealing with OSP and LWP OBDs.

            Sebastien.

            sebastien.buisson Sebastien Buisson (Inactive) added a comment - Hi, Following Andreas' advice, I have made a patch that initializes the sptlrpc subsystem for OSP and LWP connections, by calling sptlrpc_lprocfs_cliobd_attach(). I also found that GSS related functions must not return an LBUG when dealing with OSP and LWP OBDs. Sebastien.
            jlevi Jodi Levi (Inactive) added a comment -

            Shared key crypto will not be in the 2.7 Release.

            jlevi Jodi Levi (Inactive) added a comment - Shared key crypto will not be in the 2.7 Release.
            adilger Andreas Dilger added a comment -

            It looks like we need to initialize the sptlrpc subsystem for OSP and LWP connections, presumably using sptlrpc_lprocfs_cliobd_attach(). That will also configure the srpc_info and srpc_contexts files in /proc that test-framework.sh::flvr_cnt_mdt2ost->get_mdtosc_proc_path() needs for sanity-gss.sh to work.

            adilger Andreas Dilger added a comment - It looks like we need to initialize the sptlrpc subsystem for OSP and LWP connections, presumably using sptlrpc_lprocfs_cliobd_attach(). That will also configure the srpc_info and srpc_contexts files in /proc that test-framework.sh::flvr_cnt_mdt2ost->get_mdtosc_proc_path() needs for sanity-gss.sh to work.
            kobras Daniel Kobras (Inactive) added a comment -

            So far, I haven't found a way to avoid this bug when trying to use GSS with 2.4. From my testing, osp and lwp seem to be treated as 'clients' by sptlrpc: The LBUG is hit if krb5p is configured for directions default, cli2mdt, and cli2ost. It might not trigger if only mdt2mdt or mdt2ost are used, but I haven't verified these combinations.

            The easiest reproducer is:

            • Start MGS
            • Run lctl conf_param <fsname>.srpc.flavor.default=krb5p
            • Start MDT -> immediate LBUG.
            kobras Daniel Kobras (Inactive) added a comment - So far, I haven't found a way to avoid this bug when trying to use GSS with 2.4. From my testing, osp and lwp seem to be treated as 'clients' by sptlrpc: The LBUG is hit if krb5p is configured for directions default, cli2mdt, and cli2ost. It might not trigger if only mdt2mdt or mdt2ost are used, but I haven't verified these combinations. The easiest reproducer is: Start MGS Run lctl conf_param <fsname>.srpc.flavor.default=krb5p Start MDT -> immediate LBUG.
            nangelinas Nikitas Angelinas added a comment -

            I remember seeing this LBUG when testing GSS/Kerberos on 2.4; according to my notes, it happened soon after the Kerberos mode was switched to krb5p.

            nangelinas Nikitas Angelinas added a comment - I remember seeing this LBUG when testing GSS/Kerberos on 2.4; according to my notes, it happened soon after the Kerberos mode was switched to krb5p.
            nrutman Nathan Rutman added a comment -

            Is this a problem with any GSS usage in 2.4, or do you need to do something specific?

            nrutman Nathan Rutman added a comment - Is this a problem with any GSS usage in 2.4, or do you need to do something specific?
            jlevi Jodi Levi (Inactive) added a comment -

            Mike,
            Could you please comment on this one?
            Thank you!

            jlevi Jodi Levi (Inactive) added a comment - Mike, Could you please comment on this one? Thank you!

            People

              wc-triage WC Triage
              kobras Daniel Kobras (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              20 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: