[OpenAFS] aklog -setpag results in empty pag in RHEL5, openafs 1.4.11 - keyring gets destroyed

Marc Dionne marc.c.dionne@gmail.com
Fri, 5 Feb 2010 12:33:53 -0500


On Fri, Feb 5, 2010 at 12:08 PM, Simon Wilkinson <sxw@inf.ed.ac.uk> wrote:
>
> On 5 Feb 2010, at 14:23, Rainer Toebbicke wrote:
>
>> aklog -setpag does not work as expected under Openafs 1.4.11, under RHEL=
 5.
>
> Basically, we've not supported changing the PAG of your parent on Linux f=
or a while now. There's no easy way of fiddling with the group membership o=
f the parent process without breaking loads of locking assumptions, or usin=
g things that we aren't allowed to have access to. Hence the warning in the=
 manpage. That said, we haven't consciously set out to break it either, so =
if this is something that works in 1.4.x, but not in 1.4.11, and is unrelat=
ed to a kernel version change, I'd be interested to hear more about it.
>
> In 1.4.x, PAG membership is still determined by a processes group list (i=
n 1.5.x, we use the keyring as the only source of PAG information) - so the=
 existence or not of a keyring shouldn't be a problem. However, it does occ=
ur to me that we are now using keyrings for PAG garbage collection - as wal=
king the process table ceased being an option. It's possible that what's ha=
ppening is that we are, through some fluke, succeeding in changing the pare=
nt's group ID. However, we can't (on kernels of RHEL5 vintage) set the keyr=
ing of the parent safely. So only the child has a keyring containing that P=
AG. When the child dies, the keyring's reference count hits 0, and so it is=
 garbage collected. This triggers garbage collection of the associated toke=
ns, and so the parent loses out.
>
> I can't think of any easy way to solve this, though, beyond reiterating "=
-setpag isn't supported on Linux". Ideas are welcome.
>
> Cheers,
>
> Simon.

I'd point out that in very recent kernels (2.6.32+), there is a new
system call that allows a process to copy its session keyring to its
parent, and in the 1.5 branch there's a commit that uses this to make
aklog -setpag work again.  I don't believe that it has been pulled up
to the 1.4 branch.
So on the development branch at least, aklog -setpag should work as
expected for current and future kernels.

Marc