Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp3918716ybz;
        Mon, 4 May 2020 12:08:04 -0700 (PDT)
X-Google-Smtp-Source: APiQypLoUTNcNLUX2+ifj/FCOYV2l01bqRKQ142sHYCQI2Mks82AO4atWAq5RQyDtJMeSCyJDwS3
X-Received: by 2002:a05:6402:1d89:: with SMTP id dk9mr15687530edb.382.1588619284799;
        Mon, 04 May 2020 12:08:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1588619284; cv=none;
        d=google.com; s=arc-20160816;
        b=YHUtBslwgXDUHmyLghTekgcAZgV6xjBGP0DSAkoaB4XgwmTXRTOchCBlL8TMB7PSWd
         +PyaUlQNh2PWYre8n7qGPVzCclIznkAFkCPafYZBIaf8Exmp7iXM/uWSq6nI0JjeX5x8
         60W6+dKc1O/u9zREkSBjmudYOWCs2gSqmDdMlYvhNSug9tFwSVFLZGwrV8a+eMlbB2aY
         LmCioshMo9Sz3A22kIbqgLWpHxfeec7jZ0I+Cm8yMgF/CQU20TEUDMg3kaOYKMw4/NEI
         oBxE6Qz8WIBNBoluefwS/wVg2t9rwbpLB2lwJ93ms2zwupFYsPqMuy63LNydBfE9BQiT
         YItw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:from:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:date;
        bh=T9rDFQzWYYVX1A9gflLMjmH7wrQ40xWSGUecWg8v9bY=;
        b=c1QaAwEL+JhpEpaSafnC3af5/MM0vM9nX4sXmrIGTriPqp/1glElmHrMyr8bl/OpgD
         mpcnOiniKCKasoCtr+pMaRz7caHO8WjFmbytxcLviQUnrB2Dg5Fk7Y6rMsiIBA+vTOyV
         n4AX9ESYXxIPBxP/VKSVSJAkIX3oELUbV38LpUrVOv4Oh7deIy1dtAh9zi0k9ESnypKY
         QNxeLnjcdFoorDn8Lkzz9xvspK37XxZggPjJBN3f4u3vyfw5hZCsYGA3HsD42WHDaivp
         434hupFE77fYmSF/8gHUNEfljof+EJ+OexW1KJXow66YS82KGT45yujRLyypuOrijHuc
         aYCQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id de20si7167039edb.451.2020.05.04.12.07.36;
        Mon, 04 May 2020 12:08:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726469AbgEDTHU (ORCPT <rfc822;zhijun.chen.lk@gmail.com>
        + 99 others); Mon, 4 May 2020 15:07:20 -0400
Received: from fieldses.org ([173.255.197.46]:45372 "EHLO fieldses.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725956AbgEDTHU (ORCPT <rfc822;linux-crypto@vger.kernel.org>);
        Mon, 4 May 2020 15:07:20 -0400
Received: by fieldses.org (Postfix, from userid 2815)
        id 16564ABE; Mon,  4 May 2020 15:07:19 -0400 (EDT)
Date:   Mon, 4 May 2020 15:07:19 -0400
To:     Chuck Lever <chuck.lever@oracle.com>
Cc:     linux-nfs@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCH RFC] Frequent connection loss using krb5[ip] NFS mounts
Message-ID: <20200504190719.GB2757@fieldses.org>
References: <20200501184301.2324.22719.stgit@klimt.1015granger.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200501184301.2324.22719.stgit@klimt.1015granger.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
From:   bfields@fieldses.org (J. Bruce Fields)
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Fri, May 01, 2020 at 03:04:00PM -0400, Chuck Lever wrote:
> Over the past year or so I've observed that using sec=krb5i or
> sec=krb5p with NFS/RDMA while testing my Linux NFS client and server
> results in frequent connection loss. I've been able to pin this down
> a bit.
> 
> The problem is that SUNRPC's calls into the kernel crypto functions
> can sometimes reschedule. If that happens between the time the
> server receives an RPC Call and the time it has unwrapped the Call's
> GSS sequence number, the number is very likely to have fallen
> outside the GSS context's sequence number window. When that happens,
> the server is required to drop the Call, and therefore also the
> connection.

Does it help to increase GSS_SEQ_WIN?  I think you could even increase
it by a couple orders of magnitudes without getting into higher-order
allocations.

--b.

> 
> I've tested this observation by applying the following naive patch to
> both my client and server, and got the following results.
> 
> I. Is this an effective fix?
> 
> With sec=krb5p,proto=rdma, I ran a 12-thread git regression test
> (cd git/; make -j12 test).
> 
> Without this patch on the server, over 3,000 connection loss events
> are observed. With it, the test runs on a single connection. Clearly
> the server needs to have some kind of mitigation in this area.
> 
> 
> II. Does the fix cause a performance regression?
> 
> Because this patch affects both the client and server paths, I
> tested the performance differences between applying the patch in
> various combinations and with both sec=krb5 (which checksums just
> the RPC message header) and krb5i (which checksums the whole RPC
> message.
> 
> fio 8KiB 70% read, 30% write for 30 seconds, NFSv3 on RDMA.
> 
> -- krb5 --
> 
> unpatched client and server:
> Connect count: 3
> read: IOPS=84.3k, 50.00th=[ 1467], 99.99th=[10028] 
> write: IOPS=36.1k, 50.00th=[ 1565], 99.99th=[20579]
> 
> patched client, unpatched server:
> Connect count: 2
> read: IOPS=75.4k, 50.00th=[ 1647], 99.99th=[ 7111]
> write: IOPS=32.3k, 50.00th=[ 1745], 99.99th=[ 7439]
> 
> unpatched client, patched server:
> Connect count: 1
> read: IOPS=84.1k, 50.00th=[ 1467], 99.99th=[ 8717]
> write: IOPS=36.1k, 50.00th=[ 1582], 99.99th=[ 9241]
> 
> patched client and server:
> Connect count: 1
> read: IOPS=74.9k, 50.00th=[ 1663], 99.99th=[ 7046]
> write: IOPS=31.0k, 50.00th=[ 1762], 99.99th=[ 7242]
> 
> -- krb5i --
> 
> unpatched client and server:
> Connect count: 6
> read: IOPS=35.8k, 50.00th=[ 3228], 99.99th=[49546]
> write: IOPS=15.4k, 50.00th=[ 3294], 99.99th=[50594]
> 
> patched client, unpatched server:
> Connect count: 5
> read: IOPS=36.3k, 50.00th=[ 3228], 99.99th=[14877]
> write: IOPS=15.5k, 50.00th=[ 3294], 99.99th=[15139]
> 
> unpatched client, patched server:
> Connect count: 3
> read: IOPS=35.7k, 50.00th=[ 3228], 99.99th=[15926]
> write: IOPS=15.2k, 50.00th=[ 3294], 99.99th=[15926]
> 
> patched client and server:
> Connect count: 3
> read: IOPS=36.3k, 50.00th=[ 3195], 99.99th=[15139]
> write: IOPS=15.5k, 50.00th=[ 3261], 99.99th=[15270]
> 
> 
> The good news:
> Both results show that I/O tail latency improves significantly when
> either the client or the server has this patch applied.
> 
> The bad news:
> The krb5 performance result shows an IOPS regression when the client
> has this patch applied.
> 
> 
> So now I'm trying to understand how to come up with a solution that
> prevents the rescheduling/connection loss issue without also
> causing a performance regression.
> 
> Any thoughts/comments/advice appreciated.
> 
> ---
> 
> Chuck Lever (1):
>       SUNRPC: crypto calls should never schedule
> 
> --
> Chuck Lever