Hi Neil,

This seems reasonable. I have a patch somewhere that gets the actual Kerberos expiration that could be used for the rsc timeout. But I think this should be fine for now. (Perhaps at the cost of requiring clients to negotiate a new context every hour?)

K.C.

On Tue, Dec 2, 2008 at 12:18 AM, Neil Brown <neilb@xxxxxxx> wrote:
>
> Hi,
> I have a report of an NFS server which runs out of kernel memory when
> it gets heavy rpcsec_gss traffic (auth_sys doesn't trigger the
> problem so it must be gss related).
>
> From looking at /proc/slab_allocators it seems that the main user of
> memory is the rsc and rsi caches.
> It appears entries are inserted into these caches with an expiry of
> 'forever' so they grow but never shrink.
> We should fix this.
>
> For the rsi (init) cache I assume the entry is only needed once so a
> short expiry of (say) one minute should be plenty.
> For the rsc (context) cache, the entry could be needed repeatedly
> during the lifetime of a 'session'. However eventually it will
> become stale and should be allowed to expire.
>
> I assume that if the kernel requests a particular entry a second
> time, an hour later, it will get the same answer - is that correct?
>
> In that case, setting the expiry to something largish seems
> appropriate.
>
> Hence the following patch (untested yet - but I will get it tested in
> due course).
>
> Does this seem reasonable?
>
> Thanks,
> NeilBrown
>
> diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c > index 794c2f4..088a007 100644 > --- a/utils/gssd/svcgssd_proc.c > +++ b/utils/gssd/svcgssd_proc.c 
> @@ -86,7 +86,9 @@ do_svc_downcall(gss_buffer_desc *out_handle, struct svc_cred *cred, > } > qword_printhex(f, out_handle->value, out_handle->length); > /* XXX are types OK for the rest of this? */ > - qword_printint(f, 0x7fffffff); /*XXX need a better timeout */ > + > + /* 'context' could be needed for a while. */ > + qword_printint(f, time(0) + 60*60); > qword_printint(f, cred->cr_uid); > qword_printint(f, cred->cr_gid); > qword_printint(f, cred->cr_ngroups); > @@ -130,7 +132,8 @@ send_response(FILE *f, gss_buffer_desc *in_handle, gss_buffer_desc *in_token, > > qword_addhex(&bp, &blen, in_handle->value, in_handle->length); > qword_addhex(&bp, &blen, in_token->value, in_token->length); > - qword_addint(&bp, &blen, 0x7fffffff); /*XXX need a better timeout */ > + /* INIT context info will only be needed for a short while */ > + qword_addint(&bp, &blen, time(0) + 60); > qword_adduint(&bp, &blen, maj_stat); > qword_adduint(&bp, &blen, min_stat); > qword_addhex(&bp, &blen, out_handle->value, out_handle->length); > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html
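
Review bot: In the first hunk (do_svc_downcall), the new expiry `time(0) + 60*60` is a fixed hour that is unrelated to how long the GSS context itself is valid, so a context that is still good is dropped from the rsc cache after an hour and the client has to establish a new one, while a context that ends sooner stays cached past its end. Consider writing the context's own expiry here when it is known and using the one-hour value only as a fallback, with `60*60` given a named constant. The removed line carried an XXX marker about needing a better timeout; the new value is still an estimate, so a marker on the new line would keep that on record. The unchanged comment "XXX are types OK for the rest of this?" just above now also covers a time() result being handed to qword_printint, which is worth confirming.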
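
Review bot: In the second hunk (send_response), `time(0) + 60` assumes the rsi entry is consumed within one minute of this write, and the new comment says "a short while" without saying what bounds it. State the assumption in the comment and give the 60 a named constant next to the rsc timeout so the two values can be tuned in one place. Both hunks now call time() and neither adds an #include, so confirm that <time.h> is already included in svcgssd_proc.c.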