Re: RPCSEC_GSS_KRB5_ENCTYPES backported to some older long-term kernels, but not 6.1?

Hi,

On 3/21/24 14:33, Chuck Lever III wrote:

On Mar 21, 2024, at 2:28 AM, Rik Theys <Rik.Theys@xxxxxxxxxxxxxxxx> wrote:

Hi,

When booting the 6.1.82 kernel on an EL9 system, the gssproxy daemon started to consume a lot of cpu, and clients using krb5 NFS could no longer connect. When comparing the kernel config between these two kernels, it seemed like the following config items were not set in the 6.1 kernel:

CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y
CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA=y
CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y

I'm not 100% sure, but I assume this is why the clients can no longer connect.

gssd is supposed to work fine on kernels that don't have AES_SHA2;
for one thing, AES_SHA1 is always enabled in those kernels. For
another, the kernel exports a list of supported enctypes to user
space, so gssd should be able to detect and adapt.

Can you dig into this a little more? The connection here is tenuous
at best.

I'm trying to reproduce it on two test systems, but for some reason I can't reproduce it yet.

I will let you know when I can reproduce it.

Looking at the net/sunrpc/Kconfig file, these entries don't exist yet in the 6.1 series, but according to https://www.kernelconfig.io/config_rpcsec_gss_krb5_enctypes_aes_sha2?q=&kernelversion=4.19.310&arch=x86 they do exist in some older long-term kernels?

Looking at CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2, it seems it exists for 4.19.310, 5.4.272, 5.15.152, but not for 5.10.213 or 6.1.82.

I assume it was backported to some older kernels, but not 6.1? Would it be possible to backport these config items to the 6.1 series?

I don't understand why AES_SHA2 would have been backported to
those earlier kernels in the first place. I'll have to look
into it.

Thanks.

Regards,

Rik


--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440  - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>
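
The config comparison described in this message, as an added example that is not part of the thread or the kernel tree: a shell script that classifies the three enctype symbols in two kernel config files, separating "is not set" from symbols that never appear (as when the Kconfig entry does not exist in that series). Function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed. States:
#   enabled  - "CONFIG_X=y" or "=m"
#   disabled - "# CONFIG_X is not set" (symbol exists in that kernel's Kconfig)
#   absent   - never mentioned (symbol does not exist in that kernel's Kconfig)
ENCTYPE_SYMBOLS="CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1
CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA
CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2"

# symbol_state CONFIG_FILE SYMBOL -> prints enabled, disabled or absent
symbol_state() {
    if grep -Eq "^$2=[ym]\$" "$1"; then
        echo enabled
    elif grep -Fxq "# $2 is not set" "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# compare_enctypes CONFIG_A CONFIG_B -> one line per symbol whose state differs.
# Returns 0 when both configs agree on every symbol, 1 otherwise.
compare_enctypes() {
    rc=0
    for sym in $ENCTYPE_SYMBOLS; do
        a=$(symbol_state "$1" "$sym")
        b=$(symbol_state "$2" "$sym")
        if [ "$a" != "$b" ]; then
            echo "$sym: $a -> $b"
            rc=1
        fi
    done
    return $rc
}

# Demo on two constructed config fragments (not copied from real kernels).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$ENCTYPE_SYMBOLS" | sed 's/$/=y/' > "$tmp/a"
    printf '%s\n' 'CONFIG_RPCSEC_GSS_KRB5=m' \
        '# CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA is not set' > "$tmp/b"
    compare_enctypes "$tmp/a" "$tmp/b" && status=0 || status=$?
    rm -rf "$tmp"
    return $status
}

# Two arguments: compare those config files. Otherwise run the demo.
if [ "$#" -eq 2 ]; then compare_enctypes "$1" "$2"; else demo || :; fi
```
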




