Ok, thanks.
However, that patch only addresses the case where the session keyring can still
be created, and the AFS pag cannot.
What we run into is that the session keyring creation already runs out-of-quota.
Here, the question is really whether we should create all of them
out-of-quota, or just those created by root. For a minimum change I vote
for the latter. However, I actually do not see anybody clogging up the keyring
memory by a pagsh loop without being caught by other limits, such as number of
processes. Hence one might also create all of them out-of-quota.
Simon Wilkinson wrote:
> On 16 Mar 2010, at 13:01, Rainer Toebbicke wrote:
>
>> In 1.4.11, under Linux >= 2.6.18, the setpag() routine allocates a new session
>> keyring and afs pag with the KEY_ALLOC_IN_QUOTA flag.
>
> I think Marc has partially addressed this with
> a3812f211a56c0d6e0a7ff8a97f157707d3d8c28 - this missed the 1.4.12 merges, but
> should go into 1.4.13. As the review comments on that change note, we still
> need to think further about session keyrings.
>
> The issue with a session keyring is that it's correct to create it with the
> user's quota - providing that setpag() is called as the user who's eventually
> going to use it. The problem is that some PAM modules run setpag() as root, and
> so use up root's quota, rather than that of the end user.
>
>> Besides the problematic debugging (this fails silently when over key-quota)
>
> This is RT 126230, and is fixed by 0caf14224a9153bb488be9e52d67892a2c441a5a
> (again, this was committed after 1.4.12 was cut)
>
> S.
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985 Fax: +41 22 767 7155
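
Because an over-quota key allocation fails silently, as the thread notes, the per-UID counters in `/proc/key-users` are the quickest place to confirm that root's (or a user's) key quota is the cause. The following is an added example, not part of the thread or of the OpenAFS source; the 90% reporting threshold, the function names and the sample line are assumptions made for illustration.

```c
/* Added example: flag UIDs close to their kernel key quota via /proc/key-users. */
#include <stdio.h>

struct key_user {
    unsigned uid;
    unsigned long usage, nkeys, nikeys;   /* refcount, keys, instantiated keys */
    unsigned long qnkeys, maxkeys;        /* keys charged to quota / limit */
    unsigned long qnbytes, maxbytes;      /* bytes charged to quota / limit */
};

/* Parse "<uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>".
 * Returns 0 on success, -1 if the line is malformed. */
int parse_key_user(const char *line, struct key_user *u)
{
    int n = sscanf(line, "%u: %lu %lu/%lu %lu/%lu %lu/%lu",
                   &u->uid, &u->usage, &u->nkeys, &u->nikeys,
                   &u->qnkeys, &u->maxkeys, &u->qnbytes, &u->maxbytes);
    return n == 8 ? 0 : -1;
}

/* Percentage used of whichever quota (key count or bytes) is tighter. */
unsigned long quota_pct(const struct key_user *u)
{
    unsigned long k = u->maxkeys ? u->qnkeys * 100 / u->maxkeys : 0;
    unsigned long b = u->maxbytes ? u->qnbytes * 100 / u->maxbytes : 0;
    return k > b ? k : b;
}

int main(void)
{
    /* Constructed sample line, used only when /proc/key-users is unavailable. */
    const char *sample = "0: 205 199/199 198/200 19500/20000\n";
    char line[256];
    struct key_user u;
    FILE *f = fopen("/proc/key-users", "r");

    if (!f) {
        if (parse_key_user(sample, &u) == 0)
            printf("sample uid %u at %lu%% of quota\n", u.uid, quota_pct(&u));
        return 0;
    }
    while (fgets(line, sizeof line, f))   /* report rows at or above 90% (assumed threshold) */
        if (parse_key_user(line, &u) == 0 && quota_pct(&u) >= 90)
            printf("uid %u at %lu%% of key quota (%lu/%lu keys, %lu/%lu bytes)\n",
                   u.uid, quota_pct(&u), u.qnkeys, u.maxkeys, u.qnbytes, u.maxbytes);
    fclose(f);
    return 0;
}
```

A uid 0 row near its limit on a login server is consistent with the PAM case described in the quoted reply, where setpag() runs as root and charges root's quota.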