Bug#633526: vserver kernel breaks ssh public_key authentication on NFS
On Tue, Dec 13, 2011 at 07:03:45AM +, Ben Hutchings wrote: On Thu, 2011-12-01 at 14:52 +0100, Mirco Bauer wrote: tags 633526 + patch retitle 633526 NFS client uid/gid cache broken on VServer kernels thanks Herbert Poetzl wrote: we now understand the problem, and it was fixed for 3.0.4 with the following patch: http://vserver.13thfloor.at/ExperimentalT/delta-nfs-fix02.diff I can confirm that this patch is fixing the issue. I have tested the patch on top of linux-2.6 2.6.32-37 on a production server and we no longer experience the NFS uid/gid issue. The issue can easily be tested by doing ls -l $file on a NFS mount. The values will show up correctly. After cat $file /dev/null; ls -l $file it will suddenly show wrong uid/gid values of: 4294967294/4294967294 (-2/-2) Waiting for about 20 seconds ls -l $file will show again correct values. So the client cached values are clearly the problem. I strongly recommend to include the patch into the next stable point release as this is major NFS regression from Debian Lenny. I'll update to vs2.6.32.48-vs2.3.0.36.29.8 which includes the above and one other NFS fix http://vserver.13thfloor.at/ExperimentalT/delta-nfs-fix01.diff. Herbert, if you could briefly explain what the two changes are doing that would be helpful. well, the first one fixes a long outstanding bug, which was caused by using the wrong macros INOTAG_* instead of TAGINO_*, which, depending on the tagging and actual uid/gid/tag will result in funny numbers ... the second one doesn't fix any real issue, but it is a more defensive solution for the potentially possible case where NFS_ATTR_FATTR_OWNER is set but the group nfs attribute is not (or the other way round) HTH, Herbert Ben. -- Ben Hutchings Computers are not intelligent.They only think they are. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#633526: vserver kernel breaks ssh public_key authentication on NFS
On Thu, 2011-12-01 at 14:52 +0100, Mirco Bauer wrote: tags 633526 + patch retitle 633526 NFS client uid/gid cache broken on VServer kernels thanks Herbert Poetzl wrote: we now understand the problem, and it was fixed for 3.0.4 with the following patch: http://vserver.13thfloor.at/ExperimentalT/delta-nfs-fix02.diff I can confirm that this patch is fixing the issue. I have tested the patch on top of linux-2.6 2.6.32-37 on a production server and we no longer experience the NFS uid/gid issue. The issue can easily be tested by doing ls -l $file on a NFS mount. The values will show up correctly. After cat $file /dev/null; ls -l $file it will suddenly show wrong uid/gid values of: 4294967294/4294967294 (-2/-2) Waiting for about 20 seconds ls -l $file will show again correct values. So the client cached values are clearly the problem. I strongly recommend to include the patch into the next stable point release as this is major NFS regression from Debian Lenny. I'll update to vs2.6.32.48-vs2.3.0.36.29.8 which includes the above and one other NFS fix http://vserver.13thfloor.at/ExperimentalT/delta-nfs-fix01.diff. Herbert, if you could briefly explain what the two changes are doing that would be helpful. Ben. -- Ben Hutchings Computers are not intelligent. They only think they are. signature.asc Description: This is a digitally signed message part
Bug#633526: vserver kernel breaks ssh public_key authentication on NFS
tags 633526 + patch retitle 633526 NFS client uid/gid cache broken on VServer kernels thanks Herbert Poetzl wrote: we now understand the problem, and it was fixed for 3.0.4 with the following patch: http://vserver.13thfloor.at/ExperimentalT/delta-nfs-fix02.diff I can confirm that this patch is fixing the issue. I have tested the patch on top of linux-2.6 2.6.32-37 on a production server and we no longer experience the NFS uid/gid issue. The issue can easily be tested by doing ls -l $file on a NFS mount. The values will show up correctly. After cat $file /dev/null; ls -l $file it will suddenly show wrong uid/gid values of: 4294967294/4294967294 (-2/-2) Waiting for about 20 seconds ls -l $file will show again correct values. So the client cached values are clearly the problem. I strongly recommend to include the patch into the next stable point release as this is major NFS regression from Debian Lenny. Regards, Mirco 'meebey' Bauer PGP-Key ID: 0xEEF946C8 FOSS Developermee...@meebey.net http://www.meebey.net/ PEAR Developermee...@php.net http://pear.php.net/ Debian Developer mee...@debian.org http://www.debian.org/ -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#633526: [vserver] Bug#633526: vserver kernel breaks ssh public_key authentication on NFS
On Tue, Jul 12, 2011 at 04:27:55AM +0100, Ben Hutchings wrote: Does anyone understand this problem or have an idea of how to investigate it? we now understand the problem, and it was fixed for 3.0.4 with the following patch: http://vserver.13thfloor.at/ExperimentalT/delta-nfs-fix02.diff I'll try to provide similar patches for older kernels in the following days ... best, Herbert Ben. Forwarded Message From: Harald Dunkel harald.dun...@aixigo.de Reply-to: Harald Dunkel harald.dun...@aixigo.de, 633...@bugs.debian.org To: sub...@bugs.debian.org Subject: Bug#633526: vserver kernel breaks ssh public_key authentication on NFS Date: Mon, 11 Jul 2011 09:19:24 +0200 Package: linux-image-2.6-vserver-amd64 Version: 2.6.32+29 If I use the vserver kernel on a remote host, then I cannot login via ssh and public_key authentication. AFAICS the access rights to my authorized_keys file get corrupted. Before I try to login it shows on the remote host: # ls -l /home/hdunkel/.ssh/authorized_keys -rw--- 1 hdunkel users 1406 Jun 15 14:34 authorized_keys When I try to login I am asked for a password (although authorized_keys is set correctly). After this attempt I see on the remote host: # ls -al /home/hdunkel/.ssh/authorized_keys -rw--- 1 4294967294 4294967294 1406 Jun 15 14:34 authorized_keys sshd -d shows that sshd doesn't like this. Using the regular Squeeze kernel without vserver patch there is no such problem. /home is mounted via NFS: # cat /proc/mounts | grep /home nfs-home:/space/home /home nfs4 rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.19.96.103,minorversion=0,addr=172.19.96.215 0 0 The NFS server runs Squeeze, too. Regards Harri -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#633526: [vserver] Bug#633526: vserver kernel breaks ssh public_key authentication on NFS
On Tue, Jul 12, 2011 at 11:04:53PM +0200, Herbert Poetzl wrote: On Tue, Jul 12, 2011 at 04:27:55AM +0100, Ben Hutchings wrote: Does anyone understand this problem or have an idea of how to investigate it? I do not really understand the problem (yet) here are some questions: - NFS server is Linux-VServer patched? (yes, no) if so then: + NFS server has NFS tagging enabled? (yes, no) + filesystem exported is tagged? (yes, no) if so then: * what tagging and what filesystem is used? - NFS client is Linux-VServer patched? (yes, no) + if so then NFS client has NFS tagging enabled? (yes, no) Harald, did you see the followup questions? Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#633526: vserver kernel breaks ssh public_key authentication on NFS
On Mon, Jul 11, 2011 at 09:19:24AM +0200, Harald Dunkel wrote: When I try to login I am asked for a password (although authorized_keys is set correctly). After this attempt I see on the remote host: # ls -al /home/hdunkel/.ssh/authorized_keys -rw--- 1 4294967294 4294967294 1406 Jun 15 14:34 authorized_keys You use NFSv4? This means that the id mapping got wrong. Bastian -- The heart is not a logical organ. -- Dr. Janet Wallace, The Deadly Years, stardate 3479.4 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#633526: [vserver] Bug#633526: vserver kernel breaks ssh public_key authentication on NFS
On Tue, Jul 12, 2011 at 04:27:55AM +0100, Ben Hutchings wrote: Does anyone understand this problem or have an idea of how to investigate it? I do not really understand the problem (yet) here are some questions: - NFS server is Linux-VServer patched? (yes, no) if so then: + NFS server has NFS tagging enabled? (yes, no) + filesystem exported is tagged? (yes, no) if so then: * what tagging and what filesystem is used? - NFS client is Linux-VServer patched? (yes, no) + if so then NFS client has NFS tagging enabled? (yes, no) thanks in advance, Herbert Ben. Forwarded Message From: Harald Dunkel harald.dun...@aixigo.de Reply-to: Harald Dunkel harald.dun...@aixigo.de, 633...@bugs.debian.org To: sub...@bugs.debian.org Subject: Bug#633526: vserver kernel breaks ssh public_key authentication on NFS Date: Mon, 11 Jul 2011 09:19:24 +0200 Package: linux-image-2.6-vserver-amd64 Version: 2.6.32+29 If I use the vserver kernel on a remote host, then I cannot login via ssh and public_key authentication. AFAICS the access rights to my authorized_keys file get corrupted. Before I try to login it shows on the remote host: # ls -l /home/hdunkel/.ssh/authorized_keys -rw--- 1 hdunkel users 1406 Jun 15 14:34 authorized_keys When I try to login I am asked for a password (although authorized_keys is set correctly). After this attempt I see on the remote host: # ls -al /home/hdunkel/.ssh/authorized_keys -rw--- 1 4294967294 4294967294 1406 Jun 15 14:34 authorized_keys sshd -d shows that sshd doesn't like this. Using the regular Squeeze kernel without vserver patch there is no such problem. /home is mounted via NFS: # cat /proc/mounts | grep /home nfs-home:/space/home /home nfs4 rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.19.96.103,minorversion=0,addr=172.19.96.215 0 0 The NFS server runs Squeeze, too. Regards Harri -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#633526: vserver kernel breaks ssh public_key authentication on NFS
Package: linux-image-2.6-vserver-amd64 Version: 2.6.32+29 If I use the vserver kernel on a remote host, then I cannot login via ssh and public_key authentication. AFAICS the access rights to my authorized_keys file get corrupted. Before I try to login it shows on the remote host: # ls -l /home/hdunkel/.ssh/authorized_keys -rw--- 1 hdunkel users 1406 Jun 15 14:34 authorized_keys When I try to login I am asked for a password (although authorized_keys is set correctly). After this attempt I see on the remote host: # ls -al /home/hdunkel/.ssh/authorized_keys -rw--- 1 4294967294 4294967294 1406 Jun 15 14:34 authorized_keys sshd -d shows that sshd doesn't like this. Using the regular Squeeze kernel without vserver patch there is no such problem. /home is mounted via NFS: # cat /proc/mounts | grep /home nfs-home:/space/home /home nfs4 rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.19.96.103,minorversion=0,addr=172.19.96.215 0 0 The NFS server runs Squeeze, too. Regards Harri -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#633526: vserver kernel breaks ssh public_key authentication on NFS
Does anyone understand this problem or have an idea of how to investigate it? Ben. Forwarded Message From: Harald Dunkel harald.dun...@aixigo.de Reply-to: Harald Dunkel harald.dun...@aixigo.de, 633...@bugs.debian.org To: sub...@bugs.debian.org Subject: Bug#633526: vserver kernel breaks ssh public_key authentication on NFS Date: Mon, 11 Jul 2011 09:19:24 +0200 Package: linux-image-2.6-vserver-amd64 Version: 2.6.32+29 If I use the vserver kernel on a remote host, then I cannot login via ssh and public_key authentication. AFAICS the access rights to my authorized_keys file get corrupted. Before I try to login it shows on the remote host: # ls -l /home/hdunkel/.ssh/authorized_keys -rw--- 1 hdunkel users 1406 Jun 15 14:34 authorized_keys When I try to login I am asked for a password (although authorized_keys is set correctly). After this attempt I see on the remote host: # ls -al /home/hdunkel/.ssh/authorized_keys -rw--- 1 4294967294 4294967294 1406 Jun 15 14:34 authorized_keys sshd -d shows that sshd doesn't like this. Using the regular Squeeze kernel without vserver patch there is no such problem. /home is mounted via NFS: # cat /proc/mounts | grep /home nfs-home:/space/home /home nfs4 rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.19.96.103,minorversion=0,addr=172.19.96.215 0 0 The NFS server runs Squeeze, too. Regards Harri signature.asc Description: This is a digitally signed message part
