View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001433 | channel: kernel/el9 | kernel-lt | public | 2024-03-20 17:16 | 2024-04-09 19:42 |
| Reporter | rik | Assigned To | toracat | ||
| Priority | normal | Severity | feature | Reproducibility | always |
| Status | resolved | Resolution | no change required | ||
| Summary | 0001433: GSS encryption types | ||||
| Description | Hi, After switching to the kernel-lt (6.1.82) on a Rocky 9 machine, the gssproxy process on this NFS server started to consume a lot of cpu, and clients using krb5 NFS could not longer connect. When comparing the config of the 5.14 EL9 kernel with the 6.1.82 elrepo kernel, I've noticed the following config items are not set in the 6.1 kernel: CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA=y CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y I assume this may be the cause of my issue. Would it be possible to include these settings in the 6.1 kernel? The 6.1 kernel does set CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES=y, which I couldn't find in the 5.14 kernel config, but maybe it's too new for that. Regards, Rik | ||||
| Steps To Reproduce | 1. Boot kernel-lt 6.1.82 on an NFS server that uses krb NFS. 2. Try to mount the server using krb5 nfs 3. Client can no longer mount share, works with default EL9 kernel. | ||||
| Tags | No tags attached. | ||||
|
|
Acknowledged. |
|
|
I looked at the kernel source config file ( net/sunrpc/Kconfig ) . In linux-6.1.82: $ grep RPCSEC_GSS_KRB5 net/sunrpc/Kconfig config RPCSEC_GSS_KRB5 depends on RPCSEC_GSS_KRB5 In the disro kernel: $ grep RPCSEC_GSS_KRB5 /usr/src/kernels/5.14.0-362.24.1.el9_3.x86_64/net/sunrpc/Kconfig config RPCSEC_GSS_KRB5 config RPCSEC_GSS_KRB5_SIMPLIFIED depends on RPCSEC_GSS_KRB5 config RPCSEC_GSS_KRB5_CRYPTOSYSTEM depends on RPCSEC_GSS_KRB5 config RPCSEC_GSS_KRB5_ENCTYPES_DES depends on RPCSEC_GSS_KRB5 select RPCSEC_GSS_KRB5_SIMPLIFIED config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 depends on RPCSEC_GSS_KRB5 select RPCSEC_GSS_KRB5_CRYPTOSYSTEM config RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA depends on RPCSEC_GSS_KRB5 select RPCSEC_GSS_KRB5_CRYPTOSYSTEM config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 depends on RPCSEC_GSS_KRB5 select RPCSEC_GSS_KRB5_CRYPTOSYSTEM config RPCSEC_GSS_KRB5_KUNIT_TEST depends on RPCSEC_GSS_KRB5 && KUNIT As you can see, linux-6.1.82 does not have config values RPCSEC_GSS_KRB5_ENCTYPES_*. Therefore we are unable to add those kernel configs to kernel-lt for el9. |
|
|
Hi, Thanks for looking into this. I believe these Kconfig entries were backported to some older kernels, but it seems not to the 6.1 series. According to https://www.kernelconfig.io/config_rpcsec_gss_krb5_enctypes_aes_sha1?q=&kernelversion=5.4.272&arch=x86 the CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 is in 5.4.272, 4.19.310. But not in 5.10.213 or 6.1.82. Similar for RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 and RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA. I will ask the linux-nfs mailinglist if it's possible to add it to 6.1 series. Rik |
|
|
Looks like there is no plan/need to change the kernel options in 6.1.82. I'm closing the ticket as 'no change required'. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-03-20 17:16 | rik | New Issue | |
| 2024-03-20 17:16 | rik | Status | new => assigned |
| 2024-03-20 17:16 | rik | Assigned To | => toracat |
| 2024-03-20 17:38 | toracat | Status | assigned => acknowledged |
| 2024-03-20 17:38 | toracat | Note Added: 0009617 | |
| 2024-03-20 19:27 | toracat | Note Added: 0009618 | |
| 2024-03-21 02:20 | rik | Note Added: 0009621 | |
| 2024-03-21 13:07 | toracat | Status | acknowledged => assigned |
| 2024-04-09 19:42 | toracat | Status | assigned => resolved |
| 2024-04-09 19:42 | toracat | Resolution | open => no change required |
| 2024-04-09 19:42 | toracat | Note Added: 0009666 |
