Re: [nfsv4] more re: admin revoke and edge conditions

Spencer Shepler <> Mon, 04 October 2004 04:39 UTC

Received: from ( []) by (8.9.1a/8.9.1a) with ESMTP id AAA03852 for <>; Mon, 4 Oct 2004 00:39:32 -0400 (EDT)
Received: from ([]) by with esmtp (Exim 4.33) id 1CEKmK-0007IE-Pj for; Mon, 04 Oct 2004 00:48:54 -0400
Received: from localhost.localdomain ([] by with esmtp (Exim 4.32) id 1CEKO6-0005EC-Ji; Mon, 04 Oct 2004 00:23:50 -0400
Received: from ([] by with esmtp (Exim 4.32) id 1CEKEx-0006D9-9D for; Mon, 04 Oct 2004 00:14:23 -0400
Received: from ( []) by (8.9.1a/8.9.1a) with ESMTP id AAA27116 for <>; Mon, 4 Oct 2004 00:14:19 -0400 (EDT)
Received: from ([]) by with esmtp (Exim 4.33) id 1CE1Si-00069W-LC for; Sun, 03 Oct 2004 04:11:23 -0400
Received: from centralmail1brm.Central.Sun.COM ([]) by (8.12.10/8.12.9) with ESMTP id i9381u53001994 for <>; Sun, 3 Oct 2004 02:01:56 -0600 (MDT)
Received: from (nfsclient.Central.Sun.COM []) by centralmail1brm.Central.Sun.COM (8.12.10+Sun/8.12.10/ENSMAIL, v2.2) with ESMTP id i9381ujW012810 for <>; Sun, 3 Oct 2004 02:01:56 -0600 (MDT)
Received: from (localhost []) by (8.13.1+Sun/8.13.1) with ESMTP id i9381t7o026317 for <>; Sun, 3 Oct 2004 03:01:55 -0500 (CDT)
Received: (from shepler@localhost) by (8.13.1+Sun/8.13.1/Submit) id i9381tj2026316 for; Sun, 3 Oct 2004 03:01:55 -0500 (CDT)
Date: Sun, 03 Oct 2004 03:01:55 -0500
From: Spencer Shepler <>
Subject: Re: [nfsv4] more re: admin revoke and edge conditions
Message-ID: <>
Mail-Followup-To: Spencer Shepler <>,
References: <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.4.1i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b22590c27682ace61775ee7b453b40d3
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NFSv4 Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b1c41982e167b872076d0018e4e1dc3c

On Sat, wrote:
> [Spencer's good stuff snipped, which helped clarify some of my confusion]
> > In these cases, not all client state would be removed ot need to be
> > removed.  However, the client should be told of the revocation and
> > hence the NFS4ERR_ADMIN_REVOKED.  The reason for returning this error
> > on RENEW is similar to the NFS4ERR_CB_PATH_DOWN such that the client
> > is active on other parts of the server's resources but not the part
> > where the state has been revoked.  The client could be told earlier of
> > the ADMIN_REVOKED than later and it could then in turn notify the
> > client environment as per its policies.  The idea was that the client
> > could "check" its state to determine what had been revoked; no clear
> > guidance was obviously given but something like a zero length read on
> > open files may suffice.
> Ok, so Renew should return NFS4ERR_ADMIN_REVOKED whenever any of the state
> (doesn't have to be all of it) has been revoked?
> And, it sounds like this Renew Op that returns NFS4ERR_ADMIN_REVOKED does
> Renew the client's lease. Is that correct?

Yes. It does renew; again, similarly as with the CB_PATH_DOWN error.

> > If the server has rebooted, it just needs to return things like
> > not required because all state has been removed for the client.
> I did my usual crappy job of explaining what my concern was, so I think
> Spencer didn't follow it. I'll try again with an example.
> (Dave might have understood or he might be thinking
> of something else. I haven't looked at it closely enough to see what
> effect sessions might have on this. I have a hunch that they will help,
> but it's just a hunch.)
> For example:
> 1 - client A has lock on xxx
> 2 - administrator revokes this lock on xxx for client A
> 3 - client B gets lock on xxx that would have conflicted with (1)
> 4 - server crashes/reboots
> 5 - both clients see STALECLIENTID or STALESTALEID and start reclaiming locks
> 6 - client A requests reclaim of lock on xxx
> 7 - client B requests reclaim of lock on xxx, that would conflict with (6)
> Since, if (1)->(4) occurs in less than a lease time (or client A is network
> partitioned until (5)), it did not see NFS4ERR_ADMIN_REVOKED.
> Now, the question is, what is the server's correct response to (6) and (7)?
> If the server doesn't keep anything about the revoke at (2) in stable storage,
> it would be:
> (6) - NFS4_OK
> and this doesn't seem correct to me.
> It seems to me that the server needs to use stable storage such that, after
> reboot, it would reply:
> (6) - NFS4ERR_xxx
> (7) - NFS4_OK
> which then leads to what NFS4ERR_xxx should be? I was thinking NFS4ERR_NOGRACE,
> but will a client expect that error for only some of the reclaims and not all
> of them?

Example good.  Agreed, the server should record something in its
stable storage with respect to the occurance of ADMIN_REVOKED and upon
reboot, the client should be treated as though it did not hold state
prior to the reboot and therefore receive NOGRACE.

> I was also thinking that I would handle admin revoke using the same stable
> storage mechanism as for lease expiry (essentially as described in 8.6.3), but
> that has a couple of negative implications:
> a) - client A can't reclaim any of its state for the above scenario
> b) - once I note admin revoke has happenned to client A in stable storage,
>      I can't come up with a way, short of the client doing a new SetClientID
>      of recognizing that it is ok to let client A do reclaims and this doesn't
>      seem like a good thing. (This was what I was trying to ask about in
>      the last post, believe it or not:-)
>      For example:
>      1 - client A has lock on xxx
>      2 - administrator revokes that lock, which is noted in stable storage
>      3 - client A sees NFS4ERR_ADMIN_REVOKED, but doesn't do a SetClientID,
>          since it doesn't see NFS4ERR_EXPIRED
> 	 (this assumes that some Op is renewing the lease, even though
> 	  the lock has been admin revoked. If no Op can renew the lease,
> 	  then everything will expire and you might as well just revoke all
> 	  the state for a clientid at once, because it will expire soon
> 	  anyhow.)
>      4 - client A chugs merrily along for weeks and has lots of other valid
>          state
>      5 - server crashes/reboots
>      6 - client A sees STALECLIENTID or STALESTATEID
>      7 - client A tries to reclaim state and gets NFS4ERR_NOGRACE for all of
>          it
> The more I look at it, it seems that there are only two alternatives (at
> least until sessions are in place, which I haven't looked at closely
> enough yet, to understand how they might help).
> 1 - forget about the cases where not all of the clientid's state is admin
>     revoked and just revoke it all at once, then let the lease expire.
> OR
> 2 - figure out a more sophisticated stable storage structure that handles
>     the edge cases, so that the NFS4ERR_xxx replied to A's reclaim above,
>     can be ADMIN_REVOKED.

Given what we have to work with and the fact that the ADMIN_REVOKED is
supposed to represent a rare intervention by the administrator, a simple
recording in stable storage that the revocation occurred and NO_GRACE
error on reboot is sufficient.  Obviously a server tool that allows
for revocation is a power tool and should come with the appropriate
warnings about its use (e.g., the sys admin should see about "resetting"
the client in a way to have it generate a new SETCLIENTID sequence).

> > In the case of server reboot, all of this is moot.  The server doesn't
> > need to worry about partial revocation before the reboot because all
> > of it is gone now.
> But, only if the client knows the state was revoked and doesn't try to reclaim
> it, right?
> Am I making sense or still out in left field? rick

As you have demonstrated with your example, the server, if it supports
administrative revocation, needs to record revocations such that
the client will not be subject to potential reclaim conflicts.


nfsv4 mailing list