[NFS-Ganesha-Devel] Re: Seeking assistance with Ganesha PROXY FSAL / libntirpc issues

Interesting discussion. If you’re able to join us in IRC, we hang out on Freenode #ganesha It might make sense to break up nfs_Init_svc so whatever is needed by the PROXY FSALs can be set up before loading exports but prevents the server from opening up to connections before the exports are processed. Frank From: Jo Seaton [mailto:jo@petagene.com] Sent: Friday, September 18, 2020 9:56 AM To: Solomon Boulos <boulos(a)google.com&gt; Cc: Matt Benjamin <mbenjami(a)redhat.com>; Ganesha-devel <devel(a)lists.nfs-ganesha.org&gt; Subject: [NFS-Ganesha-Devel] Re: Seeking assistance with Ganesha PROXY FSAL / libntirpc issues Aha! Yes, I've been reading the V4 code so I totally missed this, but this is exactly the same error! It went away as soon as I managed to delay the clnt stuff till after nfs_Init_svc. The actual method I use is pretty horrible - I make the FSAL export init fail, and then later (inside nfs_rpc_cb_init_ccache, yuck!) trigger re-parsing the relevant bit of config file, so reloading the export after all the init I need has happened. Obviously at the very least I'd like to contain this nastiness to the FSAL. Any prettier ideas very welcome because just urgh. Anyway, I'm happy to share code + try stuff out for you, but that will have to wait a week! Thanks for getting back to me about this, it's nice to not be alone in this code :) Jo On Fri, Sep 18, 2020 at 5:29 PM Solomon Boulos <boulos(a)google.com <mailto:boulos@google.com> > wrote: Absolutely. I didn't want to write it :). From the review on https://review.gerrithub.io/c/ffilz/nfs-ganesha/+/487439 I'm surprised your rpc->clnt = clnt_vc_ncreatef works around it. Can you try the same for NLM / PORTMAP / whatever? I can't find the simple example I went back and forth with folks on that code, but it was basically "No, I can't even issue a MNT_NULL with clnt_call / rpc_call". My comment on proxyv3_call though describes the error: /* * NOTE(boulos): proxyv3_call is basically rpc_call redone by hand, because * ganesha's NFSD hijacks the RPC setup to the point where we can't issue our * own NFS-related rpcs as a simple client via clnt_ncreate (internally, * svc_exprt_lookup explodes saying "fd %d max_connections 0 exceeded"). */ Are you saying you did something else either for the FSAL loading / similar to wait until later such that clnt_ncreate will succeed? (so that max_connections can be >0). Either way, I intentionally left the proxy_v3 code ready though to rip out and look just like clnt_call / rpc_call, so that it can all be replaced if we can fix this :). On Fri, Sep 18, 2020 at 9:14 AM Jo Seaton <jo(a)petagene.com <mailto:jo@petagene.com> > wrote: Hi both, thanks for the responses, Solomon - I had a hell of a time initially with the client functions that turned out to be because some libntirpc initialisation hadn't been done yet. I have an unpleasant hack to delay PROXY exports until that's happened that solves the issue for me - maybe you had the same? Concerning use of client functions, here's my initialisation (rpc_sock has already been opened): rpc->clnt = clnt_vc_ncreatef(rpc->rpc_sock, &raddr, proxyv4_exp->info.srv_prognum, (rpcvers_t) 4, proxyv4_exp->info.srv_sendsize, proxyv4_exp->info.srv_recvsize, 0); rpc->auth = authgss_ncreate_default(rpc->clnt, &quot;nfs(a)nfs-storage.blah.net <mailto:nfs@nfs-storage.blah.net> ", &rpcsec_gss_data); and here's the RPC calls: struct clnt_req *cc; enum clnt_stat stat; cc = gsh_malloc(sizeof(*cc)); clnt_req_fill(cc, clnt, au, CB_COMPOUND, (xdrproc_t) xdr_COMPOUND4args, (caddr_t)args, (xdrproc_t) xdr_COMPOUND4res, (caddr_t)res); stat = clnt_req_setup(cc, tout); if (stat == RPC_SUCCESS) { cc->cc_refreshes = 1; stat = CLNT_CALL_WAIT(cc); } clnt_req_release(cc); This appears to roughly work - I have some issues but I'm not done yet. My auth_gss.c hack is just this: (in authgss_verify:) maj_stat = gss_verify_mic(&min_stat, gd->ctx, &signbuf, &checksum, &qop_state); if (maj_stat != GSS_S_COMPLETE || qop_state != gd->sec.qop) { gss_log_status("gss_verify_mic", maj_stat, min_stat); if (maj_stat == GSS_S_CONTEXT_EXPIRED) { gd->established = false; authgss_destroy_context(auth); } /* return (false); */ // here (in authgss_refresh:) maj_stat = gss_verify_mic(&min_stat, gd->ctx, &bufin, &bufout, &qop_state); maj_stat = GSS_S_COMPLETE; // and here I'm happy to post my entire code when I get back, but I'm away for the next week (sorry!). Solomon - does this mean you'd be happy with an approach like the above if it works? I'm not opposed to using the existing PROXY approach, but writing an equivalent of the libntirpc GSS code just for PROXY sounds like a good way to make bugs. Many thanks, Jo On Thu, Sep 17, 2020 at 8:11 PM Matt Benjamin <mbenjami(a)redhat.com <mailto:mbenjami@redhat.com> > wrote: Hi, It's really not the case (at least, unless we recently broke something) that libntirpc cannot act as clients. There might be some specific issue with GSS, though. Matt On Thu, Sep 17, 2020 at 1:47 PM Solomon Boulos via Devel <devel(a)lists.nfs-ganesha.org <mailto:devel@lists.nfs-ganesha.org> > wrote: -- Matt Benjamin Red Hat, Inc. 315 West Huron Street, Suite 140A Ann Arbor, Michigan 48103 http://www.redhat.com/en/technologies/storage tel. 734-821-5101 <tel:(734)%20821-5101> fax. 734-769-8938 <tel:(734)%20769-8938> cel. 734-216-5309 <tel:(734)%20216-5309>