kernel-tls-handshake.lists.linux.dev archive mirror
From: Olga Kornievskaia <aglo@umich.edu>
To: Chuck Lever III <chuck.lever@oracle.com>
Cc: "kernel-tls-handshake@lists.linux.dev"
	<kernel-tls-handshake@lists.linux.dev>
Subject: Re: advice on kernel configs for NFS with TLS
Date: Tue, 18 Apr 2023 10:07:50 -0400
Message-ID: <CAN-5tyFN+1nGw9+Q53d+JbwobB2=cyxqszMafh5o0yqjL=SwNQ@mail.gmail.com>
In-Reply-To: <69C7EFCD-7E5B-483F-B278-6B460D966FE5@oracle.com>

On Mon, Apr 17, 2023 at 5:44 PM Chuck Lever III <chuck.lever@oracle.com> wrote:
>
>
>
> > On Apr 17, 2023, at 4:13 PM, Olga Kornievskaia <aglo@umich.edu> wrote:
> >
> > On Sat, Apr 15, 2023 at 4:09 PM Chuck Lever III <chuck.lever@oracle.com> wrote:
> >>
> >>
> >>> On Apr 14, 2023, at 5:18 PM, Chuck Lever III <chuck.lever@oracle.com> wrote:
> >>>
> >>>> On Apr 14, 2023, at 5:15 PM, Olga Kornievskaia <aglo@umich.edu> wrote:
> >>>>
> >>>> On Fri, Apr 14, 2023 at 4:42 PM Chuck Lever III <chuck.lever@oracle.com> wrote:
> >>>>>
> >>>>>> On Apr 14, 2023, at 4:14 PM, Olga Kornievskaia <aglo@umich.edu> wrote:
> >>>>>>
> >>>>>> Hi folks,
> >>>>>>
> >>>>>> Do we have guidelines for how one were to build a kernel that would
> >>>>>> support NFS with TLS? As in what kernel options are required to be
> >>>>>> turned on (and what off)? I was under the impression that if one were
> >>>>>> to start with a base RHEL9 kernel config that would be sufficient. But
> >>>>>> I believe I'm wrong.
> >>>>>>
> >>>>>> For some reason when CONFIG_KUNIT is enabled it leads to a kernel
> >>>>>> where the upcall doesn't happen. The kernel logs that it did
> >>>>>> handshake_submit() but the tlshd never gets anything. I don't know why
> >>>>>> this kernel option leads to this behavior as I'm at a loss how to
> >>>>>> debug netlink upcall.
> >>>>>
> >>>>> handshake_genl_notify() is a no-op when CONFIG_KUNIT is enabled.
> >>>>>
> >>>>> Not suggesting that's the best long-term arrangement, but
> >>>>> notification is disabled when KUNIT is running so that
> >>>>> the Kunit tests don't depend on having a tlshd running.
> >>>>
> >>>> Thank you for the explanation. Is it fair to say that to have NFS with
> >>>> TLS CONFIG_KUNIT must be off? In that case, Jeff, what will RHEL do as
> >>>> it defines it by default? Or does it mean that handshake_genl_notify()
> >>>> needs to be reimplemented to make sure it's never a no-op?
> >>>
> >>> I didn't realize that distributions build with CONFIG_KUNIT
> >>> enabled. I'll have to figure out another way to disable
> >>> tlshd notification when running Kunit tests.
> >>
> >> Using a disconnected tag didn't seem like a popular idea, so
> >> I've pushed a fix to topic-rpc-with-tls-upcall. You should
> >> now be able to build a working RPC-with-TLS system with
> >> CONFIG_KUNIT set.
> >>
> >> This push also rebases the branch on the latest net-next tree,
> >> and attempts to address the warning about .kunitconfig files
> >> being ignored.
> >
> > I've just gotten a v10 version I believe and built it (with KUNIT on)
> > and I didn't get the upcall.
> >
> > I'm at commit 3cf4924e3d6e69ee42e917007ac9227b1576bc39 (HEAD ->
> > chuck-rpc-with-tls-0417
> > 2023, chuck/topic-rpc-with-tls-upcall)
> >
> > A git log shows the .gitignore patch so I believe I do have the v10 patches.
>
> - Confirm that notification is working if CONFIG_KUNIT is disabled
>
> - Instrument handshake_genl_notify() to see where it is failing

Apologies, I had a bad system. In v10, I can have CONFIG_KUNIT
enabled and I get the upcall.

>
>
>
> --
> Chuck Lever
>
>
