Re: [PATCH] cifs: invalidate dns resolver keys after use

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Dec 20, 2021 at 3:55 AM Enzo Matsumiya <ematsumiya@xxxxxxx> wrote:
>
> Hi Shyam,
>
> On 12/18, Shyam Prasad N wrote:
> >Hi Steve/Paulo/David,
> >
> >Please review the attached patch.
> >
> >I noticed that DNS resolution did not always upcall to userspace when
> >the IP address changed. This addresses the fix for it.
> >
> >I would even recommend CC:stable for this one.
>
> (I'm pasting the patch here so I can comment inline)
>
> > From 604ab4c350c2552daa8e77f861a54032b49bc706 Mon Sep 17 00:00:00 2001
> > From: Shyam Prasad N <sprasad@xxxxxxxxxxxxx>
> > Date: Sat, 18 Dec 2021 17:28:10 +0000
> > Subject: [PATCH] cifs: invalidate dns resolver keys after use
> >
> > We rely on dns resolver module to upcall to userspace
> > using request_key and get us the DNS mapping.
> > However, the invalidate arg for dns_query was set
> > to false, which meant that the key created during the
> > first call for a hostname would continue to be cached
> > till it expires. This expiration period depends on
> > how the dns_resolver is configured.
>
> Ok.
>
> >
> > Fixing this by setting invalidate=true during dns_query.
> > This means that the key will be cleaned up by dns_resolver
> > soon after it returns the data. This also means that
> > the dns_resolver subsystem will not cache the key for
> > an interval indicated by the DNS records TTL.
>
> This is ok too, which is an approach that I did try before, but
> didn't work (see below).
>
> > But this is
> > okay since we use the TTL value returned to schedule the
> > next lookup.
>
> This is an incorrect assumption. keyutils' key.dns_resolve uses
> getaddrinfo() for A/AAAA queries, which doesn't contain DNS TTL
> information.
>
> Meaning that the TTL returned to dns_resolve_server_name_to_ip() is
> actually either key.dns_resolve.conf's default_ttl value, or the default
> key_expiry value (5).
>
> I have a patch ready (working, but still testing) for keyutils that implements
> a "common" DNS interface, and the caller only specifies the query type,
> which is then resolved via res_nquery(). This way, all returned records
> have generic their metadata (TTL included), along with type-specific
> metadata (e.g. AFSDB or SRV specifics) as well.
>

Hi Enzo,
This would actually be very useful, if you can get it to work.

> Another option/suggestion would be to:
> 1. decrease SMB_DNS_RESOLVE_INTERVAL_DEFAULT
> 2. and/or make it user-configurable via sysfs
> 3. call dns_query() with expiry=NULL and invalidate=true
>
> So we'd use keyutils exclusively for kernel-userspace communication, and
> handle the expiration checking/configuration on cifs side.

Having such an option is useful. Although, getting the right TTL is
important. Especially for Azure workloads.

>
> >
> > Cc: David Howells <dhowells@xxxxxxxxxx>
> > Signed-off-by: Shyam Prasad N <sprasad@xxxxxxxxxxxxx>
> > ---
> >  fs/cifs/dns_resolve.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/fs/cifs/dns_resolve.c b/fs/cifs/dns_resolve.c
> > index 0458d28d71aa..8890af1537ef 100644
> > --- a/fs/cifs/dns_resolve.c
> > +++ b/fs/cifs/dns_resolve.c
> > @@ -66,7 +66,7 @@ dns_resolve_server_name_to_ip(const char *unc, char **ip_addr, time64_t *expiry)
> >
> >       /* Perform the upcall */
> >       rc = dns_query(current->nsproxy->net_ns, NULL, hostname, len,
> > -                    NULL, ip_addr, expiry, false);
> > +                    NULL, ip_addr, expiry, true);
> >       if (rc < 0)
> >               cifs_dbg(FYI, "%s: unable to resolve: %*.*s\n",
> >                        __func__, len, len, hostname);
>
>
> Cheers,
>
> Enzo



-- 
Regards,
Shyam



[Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux