On Tue, Oct 31, 2017 at 1:29 PM, Chris Blake <chrisrblake93@xxxxxxxxx> wrote: > On Tue, Oct 31, 2017 at 1:22 PM, Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote: >> On 10/31/2017 12:49 PM, Chris Blake wrote: >>> Hello All, >>> >>> I have installed the kernel with the mentioned patch, as well as >>> CONFIG_SECURITY_INFINIBAND enabled. Sadly I am back to the issue where >>> my compute node is reporting: >>> >>> kernel: infiniband mthca0: ib_post_send_mad error >>> >>> As soon as I roll back to a kernel with CONFIG_SECURITY_INFINIBAND >>> disabled, the issue goes away and things work as expected. >>> >>> Regards, >>> Chris Blake >> >> Sounds like the crash is resolved and now you're getting a denial from a security module. I looked in the code, it looks like AppArmor doesn't register any callbacks for the ib_* security hooks, and if no hook is registered it should return 0. Can you tell me more about your setup so I can create a reproducer? What OS are you using? Can you double check that SELinux isn't enabled (see output of sestatus). >> > > Hello, > > I am not using SELinux on my system. I do have apparmor, but it is > only configured for lxc. > > # apparmor_status > apparmor module is loaded. > 5 profiles are loaded. > 5 profiles are in enforce mode. > /usr/bin/lxc-start > lxc-container-default > lxc-container-default-cgns > lxc-container-default-with-mounting > lxc-container-default-with-nesting > 0 profiles are in complain mode. > 0 processes have profiles defined. > 0 processes are in enforce mode. > 0 processes are in complain mode. > 0 processes are unconfined but have a profile defined. > > # sestatus > SELinux status: disabled > > As for the crash issue I was seeing for #2, so far I have not been > able to replicate it with the patch. :) > > Regarding my OS, my "NAS" box is running Debian 9.2 with it's default > distro kernel (currently 4.9.51-1), and my "Compute" nodes are on > Proxmox, which is based on Debian 9.1 and it's kernel is based on > ubuntu-artful and is version 4.13.4. Source is at > https://git.proxmox.com/?p=pve-kernel.git;a=summary. This is the > kernel I have tested the patch on, and have been running with > CONFIG_SECURITY_INFINIBAND disabled to resolve the issue. > > Regards, > Chris Blake Hello, Forgot to mention, on my compute nodes I was testing with mainline kernels, such as 4.14.0-rc5, per my original email. If there are any specific kernels you prefer I test with on my NAS or compute nodes, please let me know. Regards, Chris Blake -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
