Uploaded image for project: 'Lustre Documentation'
  1. Lustre Documentation
  2. LUDOC-197

Complete Lustre Manual updates for IU Shared Secret Key authentication and encryption

Details

    • Story
    • Resolution: Fixed
    • Minor
    • None
    • None
    • 11343

    Description

      This is for the Lustre Manual updates for IU Shared Secret Key authentication and encryption feature.

      Attachments

        Issue Links

          is blocked by

          Bug - A problem which impairs or prevents the functions of the product. LUDOC-321 Operations manual PDF does not build if 2+ chapters have condition fields

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          is related to

          New Feature - A new feature of the product, which has yet to be developed. LU-3289 IU Shared Secret Key authentication and encryption

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Activity

            [LUDOC-197] Complete Lustre Manual updates for IU Shared Secret Key authentication and encryption
            jgmitter Joseph Gmitter (Inactive) added a comment -

            Patch has landed

            jgmitter Joseph Gmitter (Inactive) added a comment - Patch has landed
            gerrit Gerrit Updater added a comment -

            Joseph Gmitter (joseph.gmitter@intel.com) merged in patch https://review.whamcloud.com/23673/
            Subject: LUDOC-197 sk: Shared-Secret Key Security
            Project: doc/manual
            Branch: master
            Current Patch Set:
            Commit: ea26a5ef83dd090d431f5c39b54bc928e9b0d822

            gerrit Gerrit Updater added a comment - Joseph Gmitter (joseph.gmitter@intel.com) merged in patch https://review.whamcloud.com/23673/ Subject: LUDOC-197 sk: Shared-Secret Key Security Project: doc/manual Branch: master Current Patch Set: Commit: ea26a5ef83dd090d431f5c39b54bc928e9b0d822
            gerrit Gerrit Updater added a comment -

            Nathan Lavender (nblavend@iu.edu) uploaded a new patch: http://review.whamcloud.com/23673
            Subject: LUDOC-197 sk: Shared-Secret Key Security
            Project: doc/manual
            Branch: master
            Current Patch Set: 1
            Commit: 433a40dc6bbfa196739401b70620f9de00cb6d6a

            gerrit Gerrit Updater added a comment - Nathan Lavender (nblavend@iu.edu) uploaded a new patch: http://review.whamcloud.com/23673 Subject: LUDOC-197 sk: Shared-Secret Key Security Project: doc/manual Branch: master Current Patch Set: 1 Commit: 433a40dc6bbfa196739401b70620f9de00cb6d6a
            nblavend Nathan Lavender (Inactive) added a comment -

            In order to build Lustre with the Shared Key patches you must install the following packages on your build server: libgssglue libgssglue­-devel krb5-libs krb5-devel openssl-devel. These dependencies are in addition to those listed in the build document here:

            https://wiki.hpdd.intel.com/pages/viewpage.action?pageId=8126821

            Then pass option '--enable-gss' when configuring the patched Lustre source:

            1. cd ~/lustre-release/
            2. ./configure --with-linux=/path/to/kernel/source/ --enable-gss [other options]
            nblavend Nathan Lavender (Inactive) added a comment - In order to build Lustre with the Shared Key patches you must install the following packages on your build server: libgssglue libgssglue­-devel krb5-libs krb5-devel openssl-devel. These dependencies are in addition to those listed in the build document here: https://wiki.hpdd.intel.com/pages/viewpage.action?pageId=8126821 Then pass option '--enable-gss' when configuring the patched Lustre source: cd ~/lustre-release/ ./configure --with-linux=/path/to/kernel/source/ --enable-gss [other options]
            jfilizetti Jeremy Filizetti added a comment -

            It exists in the shared key code that has not been pushed yet.

            jfilizetti Jeremy Filizetti added a comment - It exists in the shared key code that has not been pushed yet.
            jhammond John Hammond added a comment -

            Does lgss_sk exist somewhere?

            jhammond John Hammond added a comment - Does lgss_sk exist somewhere?
            nrutman Nathan Rutman added a comment -

            • lctl conf_param fsname.srpc.flavor.default=flavor

              should be set_param -p I think, although I long ago gave up tracking this...

            • ● <lnd:lnd>num

              this NID section looks wrong - it's not really a NID anyhow, it's a "network" only.

            • The /etc/request­key.d/lgssc.conf for Lustre should look like the following

              Can we just add this file to the Lustre RPMs?

            • Future versions of Lustre will support an init script to run this as a service

              Is there a bug filed?

            • In the "generating keys" section you introduce nodemap term without defining or explaining it.
            • There are two algorithms numbered "0". That can't be right. And you don't show how to choose them.
            • Please add examples of the mount command with --skpath, and maybe add paths to the lgss_sk examples:

              lgss_sk ­-­w /etc/lustre_keys/tank.biology.key

            • Please add a section on building Lustre with shared-key support. Prerequisites, build flags, etc.
            nrutman Nathan Rutman added a comment - lctl conf_param fsname.srpc.flavor.default=flavor should be set_param -p I think, although I long ago gave up tracking this... ● <lnd:lnd>num this NID section looks wrong - it's not really a NID anyhow, it's a "network" only. The /etc/request­key.d/lgssc.conf for Lustre should look like the following Can we just add this file to the Lustre RPMs? Future versions of Lustre will support an init script to run this as a service Is there a bug filed? In the "generating keys" section you introduce nodemap term without defining or explaining it. There are two algorithms numbered "0". That can't be right. And you don't show how to choose them. Please add examples of the mount command with --skpath, and maybe add paths to the lgss_sk examples: lgss_sk ­-­w /etc/lustre_keys/tank.biology.key Please add a section on building Lustre with shared-key support. Prerequisites, build flags, etc.
            adilger Andreas Dilger added a comment -

            The expiration here is actually for the sptlrpc context tied to a session. The intention is to force connections to generate new Diffie-Hellman sessions keys which offer perfect forward secrecy (PFS) minimizing the amount of data used with a particular key.

            In that case, it would be useful to make this intent clear in the documentation that this timeout is for the session keys. It also would be better to use an default session key timeout that actually makes this functionality useful out of the box (e.g. 1 day or 1 week, rather than 60+ years). Is there any harm from expiring the session keys regularly?

            adilger Andreas Dilger added a comment - The expiration here is actually for the sptlrpc context tied to a session. The intention is to force connections to generate new Diffie-Hellman sessions keys which offer perfect forward secrecy (PFS) minimizing the amount of data used with a particular key. In that case, it would be useful to make this intent clear in the documentation that this timeout is for the session keys. It also would be better to use an default session key timeout that actually makes this functionality useful out of the box (e.g. 1 day or 1 week, rather than 60+ years). Is there any harm from expiring the session keys regularly?

            People

              LM-Triage Lustre Manual Triage
              jlevi Jodi Levi (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              17 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: