2024-03-21 06:28:53

by Rik Theys

Subject: RPCSEC_GSS_KRB5_ENCTYPES backported to some older long-term kernels, but not 6.1?

Hi,

When booting the 6.1.82 kernel on an EL9 system, the gssproxy daemon
started to consume a lot of cpu, and clients using krb5 NFS could no
longer connect. When comparing the kernel config between these two
kernels, it seemed like the following config items were not set in the
6.1 kernel:

CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y
CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA=y
CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y

I'm not 100% sure, but I assume this is why the clients can no longer
connect.

Looking at the net/sunrpc/Kconfig file, these entries don't exist yet in
the 6.1 series, but according to
https://www.kernelconfig.io/config_rpcsec_gss_krb5_enctypes_aes_sha2?q=&kernelversion=4.19.310&arch=x86
they do exist in some older long-term kernels?

Looking at CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2, it seems it exists
for 4.19.310, 5.4.272, 5.15.152, but not for 5.10.213 or 6.1.82.

I assume it was backported to some older kernels, but not 6.1? Would it
be possible to backport these config items to the 6.1 series?

Regards,

Rik

--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>



2024-03-21 13:36:09

by Chuck Lever

Subject: Re: RPCSEC_GSS_KRB5_ENCTYPES backported to some older long-term kernels, but not 6.1?



> On Mar 21, 2024, at 2:28 AM, Rik Theys <[email protected]> wrote:
>
> Hi,
>
> When booting the 6.1.82 kernel on an EL9 system, the gssproxy daemon started to consume a lot of cpu, and clients using krb5 NFS could no longer connect. When comparing the kernel config between these two kernels, it seemed like the following config items were not set in the 6.1 kernel:
>
> CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y
> CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA=y
> CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y
>
> I'm not 100% sure, but I assume this is why the clients can no longer connect.

gssd is supposed to work fine on kernels that don't have AES_SHA2;
for one thing, AES_SHA1 is always enabled in those kernels. For
another, the kernel exports a list of supported enctypes to user
space, so gssd should be able to detect and adapt.

Can you dig into this a little more? The connection here is tenuous
at best.


> Looking at the net/sunrpc/Kconfig file, these entries don't exist yet in the 6.1 series, but according to https://www.kernelconfig.io/config_rpcsec_gss_krb5_enctypes_aes_sha2?q=&kernelversion=4.19.310&arch=x86 they do exist in some older long-term kernels?
>
> Looking at CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2, it seems it exists for 4.19.310, 5.4.272, 5.15.152, but not for 5.10.213 or 6.1.82.
>
> I assume it was backported to some older kernels, but not 6.1? Would it be possible to backport these config items to the 6.1 series?

I don't understand why AES_SHA2 would have been backported to
those earlier kernels in the first place. I'll have to look
into it.

--
Chuck Lever
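
The check described in the reply above, as an added example that is not part of the thread or of any project's code: it takes the enctype list a kernel advertises to user space and reports which of the three Kconfig families named in the thread it covers. It assumes the list is readable at `/proc/net/rpc/gss_krb5_enctypes` (another path can be passed as the first argument); the function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Enctype numbers are the IANA Kerberos
# assignments; the family names are the Kconfig suffixes quoted in the thread.

# Map one enctype number to its RPCSEC_GSS_KRB5_ENCTYPES_* family.
enctype_family() {
    case "$1" in
        17|18) echo AES_SHA1 ;;   # aes128/256-cts-hmac-sha1-96
        19|20) echo AES_SHA2 ;;   # aes128-cts-hmac-sha256-128, aes256-cts-hmac-sha384-192
        25|26) echo CAMELLIA ;;   # camellia128/256-cts-cmac
        *)     echo OTHER ;;      # DES, 3DES, RC4 and anything unknown
    esac
}

# Print the sorted, de-duplicated families present in a comma-separated list.
families_in_list() {
    list=$(printf '%s' "$1" | tr -d ' \n\r')
    out=""
    old_ifs=$IFS
    IFS=,
    for n in $list; do
        case "$n" in ''|*[!0-9]*) continue ;; esac   # skip malformed tokens
        fam=$(enctype_family "$n")
        if [ "$fam" != OTHER ]; then
            case " $out " in *" $fam "*) ;; *) out="$out $fam" ;; esac
        fi
    done
    IFS=$old_ifs
    printf '%s\n' $out | sort | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if family $2 is covered by enctype list $1.
has_family() {
    case " $(families_in_list "$1") " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample list, used when the proc file is not readable.
SAMPLE_LIST="18,17,16,23,3,1,2"
src=${1:-/proc/net/rpc/gss_krb5_enctypes}   # assumed location of the kernel's list
if [ -r "$src" ]; then list=$(cat "$src"); else list=$SAMPLE_LIST; fi

echo "advertised enctypes: $list"
for fam in AES_SHA1 AES_SHA2 CAMELLIA; do
    if has_family "$list" "$fam"; then echo "$fam: advertised"
    else echo "$fam: not advertised"; fi
done
```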


2024-03-22 09:53:51

by Rik Theys

Subject: Re: RPCSEC_GSS_KRB5_ENCTYPES backported to some older long-term kernels, but not 6.1?

Hi,

On 3/21/24 14:33, Chuck Lever III wrote:
>
>> On Mar 21, 2024, at 2:28 AM, Rik Theys <[email protected]> wrote:
>>
>> Hi,
>>
>> When booting the 6.1.82 kernel on an EL9 system, the gssproxy daemon started to consume a lot of cpu, and clients using krb5 NFS could no longer connect. When comparing the kernel config between these two kernels, it seemed like the following config items were not set in the 6.1 kernel:
>>
>> CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y
>> CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA=y
>> CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y
>>
>> I'm not 100% sure, but I assume this is why the clients can no longer connect.
> gssd is supposed to work fine on kernels that don't have AES_SHA2;
> for one thing, AES_SHA1 is always enabled in those kernels. For
> another, the kernel exports a list of supported enctypes to user
> space, so gssd should be able to detect and adapt.
>
> Can you dig into this a little more? The connection here is tenuous
> at best.

I'm trying to reproduce it on two test systems, but for some reason I
can't reproduce it yet.

I will let you know when I can reproduce it.

>> Looking at the net/sunrpc/Kconfig file, these entries don't exist yet in the 6.1 series, but according to https://www.kernelconfig.io/config_rpcsec_gss_krb5_enctypes_aes_sha2?q=&kernelversion=4.19.310&arch=x86 they do exist in some older long-term kernels?
>>
>> Looking at CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2, it seems it exists for 4.19.310, 5.4.272, 5.15.152, but not for 5.10.213 or 6.1.82.
>>
>> I assume it was backported to some older kernels, but not 6.1? Would it be possible to backport these config items to the 6.1 series?
> I don't understand why AES_SHA2 would have been backported to
> those earlier kernels in the first place. I'll have to look
> into it.

Thanks.

Regards,

Rik


--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>


2024-03-22 19:08:54

by Chuck Lever

Subject: Re: RPCSEC_GSS_KRB5_ENCTYPES backported to some older long-term kernels, but not 6.1?



> On Mar 22, 2024, at 5:53 AM, Rik Theys <[email protected]> wrote:
>
> Hi,
>
> On 3/21/24 14:33, Chuck Lever III wrote:
>
>>> Looking at the net/sunrpc/Kconfig file, these entries don't exist yet in the 6.1 series, but according to https://www.kernelconfig.io/config_rpcsec_gss_krb5_enctypes_aes_sha2?q=&kernelversion=4.19.310&arch=x86 they do exist in some older long-term kernels?
>>>
>>> Looking at CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2, it seems it exists for 4.19.310, 5.4.272, 5.15.152, but not for 5.10.213 or 6.1.82.
>>>
>>> I assume it was backported to some older kernels, but not 6.1? Would it be possible to backport these config items to the 6.1 series?
>> I don't understand why AES_SHA2 would have been backported to
>> those earlier kernels in the first place. I'll have to look
>> into it.
>
> Thanks.

I don't see those new enctypes in my copies of 6.1.82, 5.15.152,
or 5.10.213, nor do I see those commits in the history of 5.4.y.

Can you check again?

--
Chuck Lever


2024-03-24 17:19:11

by Rik Theys

Subject: Re: RPCSEC_GSS_KRB5_ENCTYPES backported to some older long-term kernels, but not 6.1?

Hi,

On 3/22/24 20:06, Chuck Lever III wrote:
>
>> On Mar 22, 2024, at 5:53 AM, Rik Theys <[email protected]> wrote:
>>
>> Hi,
>>
>> On 3/21/24 14:33, Chuck Lever III wrote:
>>
>>>> Looking at the net/sunrpc/Kconfig file, these entries don't exist yet in the 6.1 series, but according to https://www.kernelconfig.io/config_rpcsec_gss_krb5_enctypes_aes_sha2?q=&kernelversion=4.19.310&arch=x86 they do exist in some older long-term kernels?
>>>>
>>>> Looking at CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2, it seems it exists for 4.19.310, 5.4.272, 5.15.152, but not for 5.10.213 or 6.1.82.
>>>>
>>>> I assume it was backported to some older kernels, but not 6.1? Would it be possible to backport these config items to the 6.1 series?
>>> I don't understand why AES_SHA2 would have been backported to
>>> those earlier kernels in the first place. I'll have to look
>>> into it.
>> Thanks.
> I don't see those new enctypes in my copies of 6.1.82, 5.15.152,
> or 5.10.213, nor do I see those commits in the history of 5.4.y.
>
> Can you check again?

I came across this website where it indicated that the Kconfig option
was available in those kernel versions:

https://www.kernelconfig.io/config_rpcsec_gss_krb5_enctypes_aes_sha2?q=&kernelversion=4.19.310&arch=x86

But I've now checked the actual source and it doesn't seem to be present
in those versions.

Apologies, I should have checked the actual source first.

Regards,

Rik


--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>