[LU-6356] Kerberos revival Created: 11/Mar/15  Updated: 16/May/17  Resolved: 16/Sep/15

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.7.0
Fix Version/s: Lustre 2.8.0

Type: Bug Priority: Major
Reporter: Sebastien Buisson (Inactive) Assignee: Dmitry Eremin (Inactive)
Resolution: Fixed Votes: 0
Labels: patch

Attachments: PDF File enc_pool_issue.pdf     PDF File kerberos_test_plan_v2.pdf    
Issue Links:
Related
is related to LU-7051 Remove code duplication in ptlrpc_che... Open
is related to LU-9414 LBUG and Hung on -ENOMEM in LNetMDAttach Open
is related to LU-6490 builds on 3.12 fail in gss Resolved
is related to LU-3289 IU Shared Secret Key authentication a... Resolved
is related to LU-3778 GSS doesn't know about proxy subsystems Resolved
Severity: 3
Rank (Obsolete): 17800

 Description   

Hi,

In current master branch, Kerberos support is not functional. Apart from issue described in LU-3778, a number of areas in the code need to be fixed. The aim of this ticket is to gather information about the patches I made to revive Kerberos support in Lustre.

Sebastien.

 Comments   
Comment by Gerrit Updater [ 11/Mar/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/14041
Subject: LU-6356 tgt: handle sec context requests properly
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 1e28304574d31c8572a9a8e8e4fc531989389c86

Comment by Gerrit Updater [ 11/Mar/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/14042
Subject: LU-6356 gss: call out info must include 'self nid'
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 9c3bb15914e2c95c260074a66bcd3a78188d56b7

Comment by Gerrit Updater [ 11/Mar/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/14043
Subject: LU-6356 ptlrpc: ret -ECONNREFUSED if not context found in req
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: b70c99d7185321d5580d1c73d45fcc0fc2174086

Comment by Gerrit Updater [ 11/Mar/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/14044
Subject: LU-6356 target: all bulk IO must be (un)wrapped if necessary
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 2880d4d14479adffcf66deca9fc104144e7c9a52

Comment by Jodi Levi (Inactive) [ 13/Mar/15 ]

Dmitry,
Could you complete reviews on these patches?
Thank you!

Comment by Gerrit Updater [ 26/Mar/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14043/
Subject: LU-6356 ptlrpc: ret -ECONNREFUSED if not context found in req
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: acd3cea50d0f43b5b0fc99aee54f0a71ccb2cacb

Comment by Gerrit Updater [ 03/Apr/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/14349
Subject: LU-6356 mgs: fix security flavor setting for connection to mgs
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: b4da8c64dd6c5442a0d14dd9a140200d8b15f9ce

Comment by Gerrit Updater [ 08/Apr/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/14404
Subject: LU-6356 ptlrpc: dont take unwrap in req_waittime calculation
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: cfc9e2cc32672673d90badbee69820998c5a1748

Comment by Gerrit Updater [ 28/Apr/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14404/
Subject: LU-6356 ptlrpc: dont take unwrap in req_waittime calculation
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: d9233853ae5a1c0a1a4fe150275df2c3d660ebb7

Comment by Gerrit Updater [ 28/Apr/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14042/
Subject: LU-6356 gss: call out info must include 'self nid'
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 0d88b3296cf28c8222359f9a19e42e423e2e3b28

Comment by Andreas Dilger [ 07/May/15 ]

Does the Kerberos code also depend on http://review.whamcloud.com/14040 ? If yes, that bug should be linked here so that it is clear it needs to land for Kerberos to work.

Comment by Sebastien Buisson (Inactive) [ 29/May/15 ]

Hi,

In order to address the deadlock issue with the encoding pool we discussed at last Lustre Developer Day in Denver, I have decided to implement solutions a) and c) (see PDF extract from Lustre Dev Day):
a) make epp_max_pages tunable via a ptlrpc kernel module parameter
c) prevent thread to enter wait queue if encoding pool has already reached its maximum capacity, instead return -ENOMEM and put request back in request queue

I will push the patches in Gerrit right now.

Sebastien.

Comment by Gerrit Updater [ 29/May/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/15069
Subject: LU-6356 ptlrpc: add a 'enc_pool_max_memory_mb' module param
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 37f2e23428db37e848c0723ed7550c839a998af5

Comment by Gerrit Updater [ 29/May/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/15070
Subject: LU-6356 ptlrpc: do not sleep if encpool reached max capacity
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: d8328c2a2162bd700a443a5c1df1945fea1920ee

Comment by Gerrit Updater [ 04/Jun/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/15138
Subject: LU-6356 tgt: handle sec context requests properly
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 03c911a0f5dff0311d98f4f384390da428c95f27

Comment by Gerrit Updater [ 16/Jun/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14041/
Subject: LU-6356 tgt: handle sec context requests properly
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 6a0d6dd10e3ddcc5eafef07df4330a613b539c5f

Comment by Gerrit Updater [ 01/Jul/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14349/
Subject: LU-6356 mgs: fix security flavor setting for connection to mgs
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 63de9170d13d63187b03c48271a72ac7b27e54ba

Comment by Sebastien Buisson (Inactive) [ 09/Jul/15 ]

Hi,

Please find attached the Test Plan for Kerberos.
Patches will be submitted soon to address some of the problems found with sanity-krb5.

Sebastien.

Comment by Gerrit Updater [ 10/Jul/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/15552
Subject: LU-6356 sptlrpc: notify OSP and LWP for sptlrpc conf change
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 8aba4049bbee736ce5cd8f41c1258a9c24491d2a

Comment by Gerrit Updater [ 10/Jul/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/15556
Subject: LU-6356 tests: fix sanity-krb5
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: fe0f9c4e77e9455238a47a4e7c7cd711442b2172

Comment by Gerrit Updater [ 24/Jul/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/15708
Subject: LU-6356 ptlrpc: do not switch out-of-date context
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 909df252ab2fe1055560ad9330f051005545bda9

Comment by Gerrit Updater [ 24/Jul/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/15709
Subject: LU-6356 tests: add delay in tgt_handle_request0 for ctx init
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 8d45fc7a1c9edaa35417d6decaef9ba460e518b7

Comment by Sebastien Buisson (Inactive) [ 24/Jul/15 ]

Updated Test Plan for Kerberos.

Comment by Gerrit Updater [ 03/Aug/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/15069/
Subject: LU-6356 ptlrpc: add a 'enc_pool_max_memory_mb' module param
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 78add6cb8aad0dda0528423dc930fec54ed36259

Comment by Gerrit Updater [ 26/Aug/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/15070/
Subject: LU-6356 ptlrpc: do not sleep if encpool reached max capacity
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 7571f2b4ef59d8ec42c320e08d346cd9c6447f4b

Comment by Gerrit Updater [ 28/Aug/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/16124
Subject: LU-6356 tgt: add handlers for SEC_CTX_* requests
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 9fc69454defc3f9fbedf5dcc11af8a4a7c6b4b15

Comment by Sebastien Buisson (Inactive) [ 28/Aug/15 ]

A problem with security context refresh requests has been found during Kerberos tests at IU.
When the ticket of the client node expires before the ticket of the server nodes, the servers receive a context refresh request for which they have no handler (an export is associated to this request). The context refresh cannot happen, and the client keeps on retrying.

I have uploaded patch at http://review.whamcloud.com/16124 to address this issue.

Comment by Gerrit Updater [ 01/Sep/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/15708/
Subject: LU-6356 ptlrpc: do not switch out-of-date context
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 09e5f8ad23a880cb12fdf521b46a30e1f0a11d03

Comment by Gerrit Updater [ 10/Sep/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/15552/
Subject: LU-6356 sptlrpc: notify OSP and LWP for sptlrpc conf change
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: c27bfc3b78c13a164440f50c5de82aa4493235a9

Comment by Gerrit Updater [ 15/Sep/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/15556/
Subject: LU-6356 tests: fix sanity-krb5
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 6a5963882db22e7516b666b651247e0090767e30

Comment by Gerrit Updater [ 15/Sep/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/15709/
Subject: LU-6356 tests: add delay in tgt_handle_request0 for ctx init
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 3a7d56b3078906f66e59a96f03d1e36fc27c7460

Comment by Gerrit Updater [ 16/Sep/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/16124/
Subject: LU-6356 tgt: add handlers for SEC_CTX_* requests
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: b33e22c4b4c6411af51805da21b741367c72ec71

Comment by Joseph Gmitter (Inactive) [ 16/Sep/15 ]

All patches have landed for 2.8.

Comment by Andrew Perepechko [ 03/Nov/15 ]

Subject: LU-6356 tests: fix sanity-krb5

Question: Isn't the test still expected to fail when using a combined mgs+mds setup? tgt_connect_check_sptlrpc() has a "== LOLND" check, and if the check is successful the function authorizes usage of any flavour, so the test should not see the expected mds mount failure.

Generated at Sat Feb 10 01:59:30 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.