Re: RPCSEC_GSS_KRB5_ENCTYPES backported to some older long-term kernels, but not 6.1?

> On Mar 21, 2024, at 2:28 AM, Rik Theys <Rik.Theys@xxxxxxxxxxxxxxxx> wrote:
> 
> Hi,
> 
> When booting the 6.1.82 kernel on an EL9 system, the gssproxy daemon started to consume a lot of CPU, and clients using krb5 NFS could no longer connect. When comparing the kernel config between these two kernels, it seemed like the following config items were not set in the 6.1 kernel:
> 
> CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y
> CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA=y
> CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y
> 
> I'm not 100% sure, but I assume this is why the clients can no longer connect.

gssd is supposed to work fine on kernels that don't have AES_SHA2;
for one thing, AES_SHA1 is always enabled in those kernels. For
another, the kernel exports a list of supported enctypes to user
space, so gssd should be able to detect and adapt.

Can you dig into this a little more? The connection here is tenuous
at best.


> Looking at the net/sunrpc/Kconfig file, these entries don't exist yet in the 6.1 series, but according to https://www.kernelconfig.io/config_rpcsec_gss_krb5_enctypes_aes_sha2?q=&kernelversion=4.19.310&arch=x86 they do exist in some older long-term kernels?
> 
> Looking at CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2, it seems it exists for 4.19.310, 5.4.272, 5.15.152, but not for 5.10.213 or 6.1.82.
> 
> I assume it was backported to some older kernels, but not 6.1? Would it be possible to backport these config items to the 6.1 series?

I don't understand why AES_SHA2 would have been backported to
those earlier kernels in the first place. I'll have to look
into it.

--
Chuck Lever
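
The reply above says the kernel exports its list of supported enctypes to user space. The following is an added example, not code from this thread or from gssd/gssproxy, that groups such a list under the three Kconfig families quoted in the message. It assumes the list is a comma-separated line of enctype numbers, readable from /proc/net/rpc/gss_krb5_enctypes (a path the thread does not name); the sample list is constructed.

```python
#!/usr/bin/env python3
"""Group a kernel-exported Kerberos enctype list by Kconfig family (added example)."""
import sys

# Enctype numbers from the IANA Kerberos registry, grouped under the
# three CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_* options quoted in the thread.
FAMILIES = {
    "AES_SHA1": {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"},
    "AES_SHA2": {19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192"},
    "CAMELLIA": {25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"},
}

# Constructed sample: a list with no SHA2 or Camellia enctypes.
SAMPLE = "18,17,16,23,3,1,2\n"


def parse_enctypes(text):
    """Parse a comma-separated enctype list into integers, rejecting junk."""
    out = []
    for field in text.strip().split(","):
        field = field.strip()
        if not field:
            continue
        if not field.isdigit():
            raise ValueError(f"unexpected enctype field: {field!r}")
        out.append(int(field))
    return out


def classify(enctypes):
    """Return {family: [names present]} plus 'OTHER' for numbers outside the families."""
    present = set(enctypes)
    report = {fam: [name for num, name in sorted(members.items()) if num in present]
              for fam, members in FAMILIES.items()}
    known = {num for members in FAMILIES.values() for num in members}
    report["OTHER"] = sorted(present - known)
    return report


def missing_families(enctypes):
    """Families from the thread that have no enctype in the exported list."""
    report = classify(enctypes)
    return sorted(fam for fam in FAMILIES if not report[fam])


if __name__ == "__main__":
    # With a path argument, read the kernel's list; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    nums = parse_enctypes(text)
    for fam, names in classify(nums).items():
        print(f"{fam}: {names if names else 'not advertised'}")
    print("missing:", ", ".join(missing_families(nums)) or "none")
```

Running it against the list from each of the two kernels being compared shows whether the advertised enctypes actually differ, independent of what the config files say.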





