IETF Logo Mail Archive

[nfsv4] Preventing an NFSv4.1 client from destroying a migrated lease after TSM

Chuck Lever <chuck.lever@oracle.com> Wed, 08 March 2017 21:19 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 853D21295CD for <nfsv4@ietfa.amsl.com>; Wed, 8 Mar 2017 13:19:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.702
X-Spam-Level:
X-Spam-Status: No, score=-3.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TawoV_dduzpR for <nfsv4@ietfa.amsl.com>; Wed, 8 Mar 2017 13:19:43 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 418331295C2 for <nfsv4@ietf.org>; Wed, 8 Mar 2017 13:19:43 -0800 (PST)
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v28LJfOG011364 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <nfsv4@ietf.org>; Wed, 8 Mar 2017 21:19:41 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0021.oracle.com (8.13.8/8.14.4) with ESMTP id v28LJfmT010162 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <nfsv4@ietf.org>; Wed, 8 Mar 2017 21:19:41 GMT
Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by aserv0121.oracle.com (8.13.8/8.13.8) with ESMTP id v28LJddp005556 for <nfsv4@ietf.org>; Wed, 8 Mar 2017 21:19:40 GMT
Received: from anon-dhcp-171.1015granger.net (/68.46.169.226) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 08 Mar 2017 13:19:38 -0800
From: Chuck Lever <chuck.lever@oracle.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <ED0D48EE-4618-4E07-B97F-8320C77CF1EC@oracle.com>
Date: Wed, 08 Mar 2017 16:19:37 -0500
To: NFSv4 <nfsv4@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/5UI2m3UdR4dn3DRn7uOcutP1Aj0>
Subject: [nfsv4] Preventing an NFSv4.1 client from destroying a migrated lease after TSM
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 21:19:44 -0000

One of Oracle's engineers, Xuan Qi, has been experimenting
with NFSv4.1 Transparent State Migration. The
implementations under test are a Solaris-based prototype
NFS server, and a recent vintage migration-capable Linux
NFS client. Xuan observed the following:

+ While a simple workload is running, there is an FS
  migration event from server A to server B. Transparent
  State Migration is done as part of this migration. The
  session that had been established between the client and
  server A is NOT migrated.

+ The client has never interacted with server B before the
  migration event. After the client retrieves fs_locations
  from server A, it begins trunking discovery with server B.

+ In the initial EXCHANGE_ID request with server B, the
  client presents the same client owner and boot verifier
  it previously presented to server A.

+ In the initial EXCHANGE_ID reply, server B reports the
  presence of the migrated lease by returning the same
  clientID the client got from server A and asserting
  EXCHGID4_FLAG_CONFIRMED_R.

+ The client thus believes this lease is an old one it
  forgot to clean up. It purges the migrated lease by
  sending a second EXCHANGE_ID with the same client owner
  but an arbitrary boot verifier. Server B returns a
  second distinct client ID.

+ The client issues a CREATE_SESSION with the second
  client ID. This client ID and session is not used for
  subsequent operations.

+ The client issues a DESTROY_SESSION and DESTROY_CLIENTID
  to server A, using the original session and client ID.
  How polite!

+ The client then establishes a fresh lease with server
  B by sending a third EXCHANGE_ID with the same client
  owner and the original boot verifier. Server B returns
  a third distinct client ID. The client then uses this
  new client ID for a CREATE_SESSION. This session is used
  to issue RECLAIM_COMPLETE with no OPEN state recovery.

+ The first WRITE operation to server B fails with
  NFS4ERR_BAD_STATEID. The client performs no-grace
  stateid recovery, and the workload continues normally.

+ Both servers report the same server scope, but different
  server owners. The scope string is

    "Solaris NFSv4.1 Server Scope"

RFC 5661 and draft-ietf-nfsv4-migration-issues are not
clear about how servers and clients are supposed to
interact after Transparent State Migration. For instance:

1. Since the client has had no previous contact with
server B, should the migrated lease be considered
confirmed or not confirmed on server B?

2. How should the client determine whether or not
Transparent State Migration has occurred?

3. If the session was migrated (which is not the case
in the current example), how should the client determine
it must perform BIND_CONN_TO_SESSION instead of
CREATE_SESSION? (I guess just try BC2S first?)

4. If TSM is detected, the client performs no state
recovery. Should it avoid sending RECLAIM_COMPLETE in
this case?


--
Chuck Lever

v2.23.0 | Report a Bug | By Email