From: Trond Myklebust Subject: Re: 'noacl' NFS parameter seems ineffective (Fedora Core 7) Date: Mon, 05 May 2008 16:29:37 -0400 Message-ID: <1210019377.7448.12.camel@localhost> References: <468D6064.3080307@redhat.com> <1183728245.6463.17.camel@heimdal.trondhjem.org> <468E4659.8090209@redhat.com> <1183732066.6463.44.camel@heimdal.trondhjem.org> Mime-Version: 1.0 Content-Type: text/plain Cc: linux-nfs@vger.kernel.org To: Clay McClure Return-path: Received: from pat.uio.no ([129.240.10.15]:38221 "EHLO pat.uio.no" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757228AbYEEU3l (ORCPT ); Mon, 5 May 2008 16:29:41 -0400 In-Reply-To: Sender: linux-nfs-owner@vger.kernel.org List-ID: On Mon, 2008-05-05 at 18:27 +0000, Clay McClure wrote: > Trond Myklebust fys.uio.no> writes: > > > On Fri, 2007-07-06 at 09:40 -0400, Peter Staubach wrote: > > > It was misguided on someone's part to think that no ACLs meant that > > > checking the mode bits for permissions was sufficient. > > > > Yup. > > It seems to me that disabling ACCESS might prevent clients from knowing > whether an operation is allowed, but it would not allow clients to bypass > server ACLs. From a security perspective, then, I would think disabling > ACCESS would not affect the correctness of the protocol. > > In other words, if a client with ACCESS disabled determined (by mode > bits alone) that a read operation was allowed, and issued a READ call, > would the server still determine whether the request was allowed > (according to its ACL and user mapping policy), and return > NFS3ERR_ACCES if not? Yes, but that was never the problem. The problem is that clients can and do cache data, and need to know who is allowed to access that data. > > The correct way to deal with the problem of too many ACCESS calls > > was rather to improve the caching. There should be a vast difference > > between a 2.6.19 kernel or higher and earlier versions when it comes to > > the ability to cache credentials from multiple users and I hope that > > addresses the problems that people were seeing. > > ACCESS calls make up 17% of the NFS ops generated by our application > running on a stock CentOS 5 2.6.18 kernel. We don't use ACLs or root > mapping. One user (root) performs all file access on the NFS volume > in question. > > Would the credential caching you mention in 2.6.19 help us reduce the > number of ACCESS operations we see (even though only one user is > performing file I/O)? Since CentOS 5 is a copy of RHEL-5, I would expect it to already have the patch applied. > Is it safe to apply a patch to eliminate ACCESS altogether? In general? No (see above). That said, you can always find corner cases with peculiar environments. Perhaps in your particular environment where there is only one user, removing access is safe and will actually produce a win, as opposed to generating yet more GETATTR calls in order to revalidate the cached modebit data. It all depends on the underlying reason for why you are seeing such a high number of ACCESS calls. Trond