[OpenAFS-devel] linux keyrings, PAGs and KEY_ALLOC_IN_QUOTA

Tue, 16 Mar 2010 14:50:53 +0100

Ok, thanks.

However that patch only addresses the case where the session keyring can still 
be created, and the AFS pag cannot.

What we run into is already the session keyring creation runs out-of-quota.

Here, the question is really whether we should create all of them 
out-of-quota, or just those created by root. For a minimum change and I vote 
for the latter. However I actually do not see anybody clogging up the keyring 
memory by a pagsh loop without being caught by other limits, such as number of 
processes. Hence one might also create all of them out-of-quota.

Simon Wilkinson schrieb:
> On 16 Mar 2010, at 13:01, Rainer Toebbicke wrote:
> 
>> In 1.4.11, under Linux >= 2.6.18, the setpag() routine allocates a new session keyring and afs pag with the KEY_ALLOC_IN_QUOTA flag.
> 
> I think Marc has partially addressed this with a3812f211a56c0d6e0a7ff8a97f157707d3d8c28 - this missed the 1.4.12 merges, but should go into 1.4.13. As the review comments on that change note, we still need to think further about session keyrings.
> 
> The issue with a session keyring is that it's correct to create it with the user's quota - providing that setpag() is called as the user who's eventually going to use it. The problem is that some PAM modules run setpag() as root, and so use up root's quota, rather than that of the end user.
> 
>> Besides the problematic debugging (this fails silently when over key-quota)
> 
> This is RT 126230, and is fixed by 0caf14224a9153bb488be9e52d67892a2c441a5a (again, this was committed after 1.4.12 was cut)
> 
> S.
> 
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel
> 

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985       Fax: +41 22 767 7155