Project

General

Profile

Bug #6770

Updated by Marcel Telka almost 5 years ago

Some NFS clients have problems with their personal identity over AUTH_SYS.    We encountered cases when VMware ESXi sent NFS requests with uid/gid 0/0 with changing list of supplemental groups.    Sometimes the list of supplemental groups was empty, sometimes the list contained one entry (group 0).    In extreme case such "identity switch" happened many times in every second. 

 The nfsauth_cache_get() implementation is not prepared for such clients.    The current design expects rare credential changes.    Once the user's list of supplemental groups changes, the cached nfsauth information is flushed and the new nfsauth information is retrieved synchronously from mountd using nfsauth_retrieve().    This might have significant performance impact. 

 To fix this we should cache all variants versions of user's identity. 

 *Steps to reproduce* 

 1. Use usr/src/cmd/cmd-inet/usr.sbin/snoop/nfs4_xdr.c from the illumos gate and attached gidschng.c.    Compile them to get the gidschng binary: 

 <pre> 
 gcc -Wall -Wno-switch -lnsl nfs4_xdr.c gidschng.c -o gidschng 
 </pre> 

 The gidschng binary will simulate a client with the changing identity (the changing list of supplemental groups). 

 2. Share root (/) with options that will force the NFS server to ask mountd for the nfsauth info: 

 <pre> 
 share -o rw=foobar / 
 </pre> 

 3. Run the following dtrace script to monitor the nfsauth_retrieve() calls: 

 <pre> 
 dtrace -n 'nfsauth_retrieve:entry{}' & 
 </pre> 

 4. Run gidschng: 

 <pre> 
 ./gidschng 
 </pre> 

 You will see a lot of nfsauth_retrieve hits.

Back