Return-Path: linux-nfs-owner@vger.kernel.org Received: from mx1.redhat.com ([209.132.183.28]:14691 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752598Ab1KCXre (ORCPT ); Thu, 3 Nov 2011 19:47:34 -0400 Subject: RE: GSSAPI Proxy initiative From: Simo Sorce To: "Myklebust, Trond" Cc: Nico Williams , dhowells , linux-nfs@vger.kernel.org, krbdev In-Reply-To: <2E1EB2CF9ED1CB4AA966F0EB76EAB4430BFA90EE@SACMVEXC2-PRD.hq.netapp.com> References: <1320269170.7734.585.camel@willson.li.ssimo.org> <1320332310.7734.643.camel@willson.li.ssimo.org> <1320337903.7734.670.camel@willson.li.ssimo.org> <1320352784.18396.109.camel@lade.trondhjem.org> <1320355818.7734.685.camel@willson.li.ssimo.org> <1320356806.18396.149.camel@lade.trondhjem.org> <1320357606.7734.697.camel@willson.li.ssimo.org> <2E1EB2CF9ED1CB4AA966F0EB76EAB4430BFA90EE@SACMVEXC2-PRD.hq.netapp.com> Content-Type: text/plain; charset="UTF-8" Date: Thu, 03 Nov 2011 19:47:04 -0400 Message-ID: <1320364024.7734.705.camel@willson.li.ssimo.org> Mime-Version: 1.0 Sender: linux-nfs-owner@vger.kernel.org List-ID: On Thu, 2011-11-03 at 15:16 -0700, Myklebust, Trond wrote: [..] > No, but we still need to be able to do recovery of rpcsec_gss contexts > once they are broken, and right now we have a major flaw due to the > fact that recovery depends on a lot of small processes and data that > is allowed to be swapped out at the moment when we need them the most > (i.e. in a memory reclaim situation). > > If the server reboots while our client is in the middle of writing > back a file (or several files), then the client needs to recover those > rpcsec_gss contexts that authenticate the processes which own any > dirty pages that remain to be written out. > Key security is an irrelevant concern once your kernel deadlocks in an > OOM state. [..] > > Currently credential caches are stored in files, is there a problem > > with that model ? Do you need access to credential caches from the > > kernel when under memory pressure ? > Yes, there is a major problem with that model, and yes we do > potentially need access to credential caches when in a recovery > situation (which is a situation when we are usually under memory > pressure). This sounds like a catch 22 situation. Even if the keys are pinned in kernel memory you still need the GSSAPI Proxy daemon in order to re-establish the security context, and that process could have been swapped off too. I am not sure I see a way out here. Simo. -- Simo Sorce * Red Hat, Inc * New York