[OpenAFS] aklog -setpag results in empty pag in RHEL5, openafs 1.4.11 - keyring gets destroyed

[Simon Wilkinson]

On 5 Feb 2010, at 14:23, Rainer Toebbicke wrote:

> aklog -setpag does not work as expected under Openafs 1.4.11, under =
RHEL 5.

Basically, we've not supported changing the PAG of your parent on Linux =
for a while now. There's no easy way of fiddling with the group =
membership of the parent process without breaking loads of locking =
assumptions, or using things that we aren't allowed to have access to. =
Hence the warning in the manpage. That said, we haven't consciously set =
out to break it either, so if this is something that works in 1.4.x, but =
not in 1.4.11, and is unrelated to a kernel version change, I'd be =
interested to hear more about it.

In 1.4.x, PAG membership is still determined by a processes group list =
(in 1.5.x, we use the keyring as the only source of PAG information) - =
so the existence or not of a keyring shouldn't be a problem. However, it =
does occur to me that we are now using keyrings for PAG garbage =
collection - as walking the process table ceased being an option. It's =
possible that what's happening is that we are, through some fluke, =
succeeding in changing the parent's group ID. However, we can't (on =
kernels of RHEL5 vintage) set the keyring of the parent safely. So only =
the child has a keyring containing that PAG. When the child dies, the =
keyring's reference count hits 0, and so it is garbage collected. This =
triggers garbage collection of the associated tokens, and so the parent =
loses out.

I can't think of any easy way to solve this, though, beyond reiterating =
"-setpag isn't supported on Linux". Ideas are welcome.

Cheers,

Simon.