Re: [nfsv4] The nfs-ganesha server keeps responding with NFS4ERR_SEQ_MISORDERED, and the client's business is stuck and cannot be recovered.
David Noveck <davenoveck@gmail.com> Wed, 24 May 2023 17:04 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F30C3C1519AB for <nfsv4@ietfa.amsl.com>; Wed, 24 May 2023 10:04:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bmmdCv_LMPwb for <nfsv4@ietfa.amsl.com>; Wed, 24 May 2023 10:04:52 -0700 (PDT)
Received: from mail-qv1-xf2c.google.com (mail-qv1-xf2c.google.com [IPv6:2607:f8b0:4864:20::f2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3076C1519A5 for <nfsv4@ietf.org>; Wed, 24 May 2023 10:04:51 -0700 (PDT)
Received: by mail-qv1-xf2c.google.com with SMTP id 6a1803df08f44-62577da77d0so6716746d6.2 for <nfsv4@ietf.org>; Wed, 24 May 2023 10:04:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684947890; x=1687539890; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=4f0FniaIn2WDIa/WtlUd3se/1FyI908UG9dKAlXeTYM=; b=LfD47xx1w2GqhF0IM4rcE1lRMJV1Ph/KHKy8xxah3WW2TUyi5OJ+IBWLVp9JlKY8ww O7mDTESVdKZmHpzSYvY3oL+/GrcgigEQyLNgLV3899JNKqQT70aIjG4POPPXeBuEOV4y i9ShtaXpKn25PskotsR5rGZ5ZEU3SMSunWkjBpgVkM22Z6AitLhTW9o5JmCG+btqJnJQ f9n3Fxf9U9Xs6KCuO09nDhk4ej7ek2N0L/7qlobRzCQF0sDFjNWb6mQspzamtW+OquGA 8ByIobYk9IZA53/lPJxM2mj46d5f/Bnn6p7JQ9utIqSGlmthz0+n7534wLcGmvMKZkq4 mkbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684947890; x=1687539890; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=4f0FniaIn2WDIa/WtlUd3se/1FyI908UG9dKAlXeTYM=; b=ERFwEkkgyycSGyWIR5fiXRGRCmnnKwCa6qneDSaNcaYYt/MunNyvkmHSXeXdmZIi7N zbh1oCfMPMszvRKanTZP+r56e6ppjAPH8t7HUPUbfW5NW5ymxSVAxh1SQvtdA+w+Ta9t WXJMkpkWLTu5JCaA2lzfBcs5nKSm4TsbBUPUDQ1zGzB+8qjK7qKf2QE8qOgfQfVeEzvx GsxO4txznBa6HlFlMyoF6G03uKuuo1MoruTsDMAzY4yqfSpY0ExlmT+qBOhGSsoYYfll P2P7Zux5SrGDhLZu7BeI/2zUnuZ/cgdFW7PkrqoTZxZ4lob/oYQiN9K3OCk60IeyiyRV DTEA==
X-Gm-Message-State: AC+VfDxNQyr5AViJfzQuKgl+slfg30C7lrHlxGl26LXlOjRVirRmNC0x k+YcvJkmhzCS1t/uPgVhoPe5fDwrVEr/I2vD4yA2mX23
X-Google-Smtp-Source: ACHHUZ63GUwaHAlXv6ItaDpXXRsK41X5nzM2VLvl5QljnR1NYrlF21WZFGqpWds+GsUahCzYL/M3W88xDFq4mJKela4=
X-Received: by 2002:a05:6214:d8a:b0:625:7802:f382 with SMTP id e10-20020a0562140d8a00b006257802f382mr12485492qve.50.1684947890580; Wed, 24 May 2023 10:04:50 -0700 (PDT)
MIME-Version: 1.0
References: <SEZPR02MB57587890A46C9E0F8821EFE3E4409@SEZPR02MB5758.apcprd02.prod.outlook.com>
In-Reply-To: <SEZPR02MB57587890A46C9E0F8821EFE3E4409@SEZPR02MB5758.apcprd02.prod.outlook.com>
From: David Noveck <davenoveck@gmail.com>
Date: Wed, 24 May 2023 13:04:39 -0400
Message-ID: <CADaq8jfPPq=jsupHiA_D-OMFuAMpvs9OHVQqGyzNjNjvfnhK0Q@mail.gmail.com>
To: 飞虎 郑 <zhengfeihu1@outlook.com>
Cc: NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007bb37c05fc7380cc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/IVC1_JE9fYaC-SGZN4Vp-vJOWYY>
Subject: Re: [nfsv4] The nfs-ganesha server keeps responding with NFS4ERR_SEQ_MISORDERED, and the client's business is stuck and cannot be recovered.
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2023 17:04:53 -0000
On Tue, May 23, 2023, 7:03 PM 飞虎 郑 <zhengfeihu1@outlook.com> wrote: > Issue: > The nfs-ganesha server keeps responding with NFS4ERR_SEQ_MISORDERED, and > the client's business is stuck and cannot be recovered. > Whether there is a problem with the protocol or the server depends on how this unfortunate situation arose. See below. > > Background: > We use nfs-ganesha as the server and Linux kernel as the client. > We conducted the following test: > The NFS server is a three-node environment, and the client accesses the > NFS server through a virtual IP. After the NFS client was mounted, files > were read and written to the NFS server via vdbench. > On the NFS server node, we simulated memory sub-health through a script > (memory continues to increase, and the server node performs a hard reboot > after it exceeds the set critical value), and the virtual IP would migrate > to another node after the node reboot. After the node reboot, the client's > business was always stuck at 0, and accessing the mount point also caused > it to hang. > If I understand your description correctly, the client is not noticing the server reboot and establishing a new clientid and session id. Is that right? If this doesn’t happen, why does the server accept the old session used by the client to access the old (pre-reboot) server instance. By capturing packets via Wireshark, we found that the client kept sending > requests in the SEQUENCE, PUTFH, WRITE, GETATTR combination (or other types > of requests) to the server, while the NFS server kept responding with > NFS4ERR_SEQ_MISORDERED. > That implies it is accepting the session as valid. The question is "Why?". We have conducted this kind of memory sub-health test many times, but this > problem only occurred in this particular instance. > Client kernel version: 4.18.0-193.14.2.el8_2.x86_64 (mockbuild@10-75-9-128 > ). > It seems ro me you have a reboot recovery bug. It would help to have a packet trace from the server to which failover occurred. > > Analysis: > In order to verify whether the NFS server's reply of > NFS4ERR_SEQ_MISORDERED would cause the client's business to drop to 0, I > modified the code of ganesha: when the value of the sequence_id > corresponding to the session_id and slot_id is set, I added 10 to the > sequence_id cached on the server to simulate a request sequence mutation, > which would only occur once (subsequent sequence_id values for other > slot_ids. > When an extension proposal for a new op to aid recovery was made, the question was raised as to why such recovery would be needed since the protocol described in rfc5661 seemed to be bulletproof in handling sequence values and was important in providing exactly-once-semantics. Although there seemed to be an implication that such problems did in fact happen, so far only the following have been cited: - What appears to be a reboot recovery bug. - A case where you force a mismatch by hacking the server. Is there a case in which this misordering happens without essentially forcing it to happen? One possibility to be considered is that the protocol described by rfc5661 is not, in fact, implemented. Note that the fourth paragraph of Section 2.10.6.2 of rfc5661 contains a "MUST" which is not adhered to and never will be because of rpc requests terminated by control-C. Does anyone have experience with sequence misordering due to this issue? In any case, rfc5661bis will have to address the issue of this incorrect "MUST" somehow. I would appreciate it if people read and commented on the discussion in Appendix C.1.2 (followed up on in C.2.1 and C.2.2) of draft-ietf-nfsv4-rfc5661bis-00. I would like to make progress on these issues in -01. After the request sequence mutation, the client's business kept dropping > to 0 and could not recover. > That seems to me to be an expected consequence of forcing a request sequence mutation. The client is not designed to be impervious to server hacking that breaks the protocol. Even if it is bulletproof, it has no protection against high-energy anti-tank shells. By dynamically enabling ganesha's logs and using wireshark to capture > packets, it can be seen that ganesha replied NFS4ERR_SEQ_MISORDERED to the > client. Afterwards, the client used a new slot_id to send a request with > the main request of GETATTR(SEQUENCE, PUTFH, GETATTR), and the server > processed it normally and replied to the client. In addition, the client > kept sending combination requests with the main request of LOOKUP(SEQUENCE, > PUTFH, LOOKUP, GETFH, GETATTR) using the old slot_id and corresponding > request sequence number, and ganesha directly replied > NFS4ERR_SEQ_MISORDERED after detecting the loss of the SEQUENCE request > sequence number. From the results, it seems that the client kept using the > request sequence number corresponding to the old slot_id to send some op > requests to the server, and the server kept replying > NFS4ERR_SEQ_MISORDERED, causing the client's business to drop to 0. > The client could prevent this by avoiding use of the compromised slot but it is not obliged to do so. Rfc5661bis might advise this non-normatively. I noticed that if there is a request sequence disorder, there is no > interface to query the server's request sequence number. > The question is whether we should provide one. I think Clear and Convincing Evidence is required but so far we haven’t even seen Probable Cause yet. If there is a request sequence mutation, the client cannot obtain the > request sequence number. It seems meaningless for the client to keep > querying. > If it hurts when you do that, don't do that :-). In addition, I modified the ganesha code so that if the request sequence > number is out of order for a period of time, ganesha replies > NFS4ERR_BADSESSION or if the request sequence number returns to normal, the > client's business can be restored and completed. > > If NFS-Ganesha responds with NFS4ERR_BADSESSION after the request sequence > becomes disordered, does it modify the protocol > It would. and I wonder if this is appropriate? > It is a hack and violates the protocol but the ietf has no enforcement powers. It appears to me better to focus on returning bad session when the protocol actually requires it. I have already provided feedback on this issue to the nfs-ganesha > community, please visit: > https://github.com/nfs-ganesha/nfs-ganesha/issues/941. > > 获取Outlook for Android <https://aka.ms/AAb9ysg> > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 >