Re: [nfsv4] Review of draft-ietf-nfsv4-rfc5667bis-09

> Would "recommend" be enough for this section?

I agree that what we want here is implementation advice but I would prefer
something stronger than "recommend".  Note that I don't consider the
normative "SHOULD" strong enough, particularly in the context "SHOULD
be prepared to provide".

How about:

Given that there are existing servers with quite restrictive limits, there
will

be situations in which such limits will be exceeded, making it necessary

for clients to provide reporting mechanisms that will bring these
situations
to the attention of those in a position to prevent further occurrences.
One
important way of allowing effective adaptation to such client limitations
would be to provide configuration options to limit the complexity of NFS
version 4 COMPOUNDs,  limit the number of elements in scatter-gather
operations, and to avoid other  possible sources of RPC-over-RDMA chunk
overruns at the peer.

On Thu, Apr 27, 2017 at 11:44 AM, Chuck Lever <chuck.lever@oracle.com>
wrote:

>
> > On Apr 27, 2017, at 7:20 AM, Tom Talpey <tom@talpey.com> wrote:
> >
> > >snip:
> > >    Such implementation limits can constrain the complexity of NFS
> > >    version 4 COMPOUNDs, limit the number of elements in scatter-gather
> > >    operations, or prevent the use of Kerberos integrity or privacy
> > >    services.
> >
> > I like the approach, and the lead-in language looks good. The text
> > quoted above is just a little bit dark, especially that bit about
> > preventing krb5i/krb5p. I'd suggest a more active statement to replace
> > the above, including the more prescriptive SHOULD rather than "can".
> > How about:
> >
> > "Client implementations SHOULD be prepared to provide mechanisms for
> >  reporting the above errors, and optionally provide configuration to
> >  limit the complexity of NFS version 4 COMPOUNDs, limit the number
> >  of elements in scatter-gather operations, and to avoid other possible
> >  sources of RPC-over-RDMA chunk overruns at the peer.
> >
> >  These become especially important when Kerberos integrity or privacy
> >  is in place for the RPC connection. These facilities add payload to
> >  the RPC headers, potentially increasing the complexity of the chunk
> >  manipulation, independent of the upper layer NFS operation. The
> >  implementation SHOULD consider such RPC payload requirements in
> >  addition to the NFS considerations."
>
> Sure, I can work this in.
>
> When you say "Client implementations SHOULD ... [report] the above
> errors" you are talking about reporting them to administrators
> and/or RPC consumers? I don't think we can use SHOULD in that case.
> This feels like implementation advice, not protocol.
>
> Would "recommend" be enough for this section?
>
>
> > Feel free to wordsmith further.
> >
> > Tom.
> >
> >
> > On 4/26/2017 12:18 PM, Chuck Lever wrote:
> >>
> >>> On Apr 24, 2017, at 7:30 AM, Chuck Lever <chuck.lever@oracle.com>
> wrote:
> >>>
> >>>>
> >>>> On Apr 24, 2017, at 7:56 AM, Tom Talpey <tom@talpey.com> wrote:
> >>>>
> >>>> On 4/21/2017 10:43 AM, Chuck Lever wrote:
> >>>>> I agree that SHOULD/MAY makes things cloudier, and does not
> >>>>> seem to align with well-defined RFC2119 usage.
> >>>>>
> >>>>> Another way we've dealt with similar disagreements between
> >>>>> specification and implementation is to decide that one of
> >>>>> the implementations is incorrect.
> >>>>>
> >>>>> Can we agree that:
> >>>>>
> >>>>> - GARBAGE_ARGS is a bit of a layering violation, though it's
> >>>>> understandable why it might be returned
> >>>>>
> >>>>> - RPC clients are already prepared for GARBAGE_ARGS
> >>>>
> >>>> Are you certain of this?
> >>>
> >>> GARBAGE_ARGS has been part of the RPC protocol for decades.
> >>> The two Unix-flavored clients that have NFS/RDMA support can
> >>> both handle this error.
> >>
> >> I've confirmed that the only other known NFS/RDMA client
> >> (Oracle dNFS) properly recognizes GARBAGE_ARGS.
> >>
> >>
> >>>> And out of curiosity, what is returned
> >>>> to the consumer for GARBAGE_ARGS versus ERR_CHUNK?
> >>>
> >>> RFC 5531:
> >>>> GARBAGE_ARGS  = 4, /* procedure can’t decode params   */
> >>>
> >>>
> >>> GARBAGE_ARGS is an RPC-level error. The reply is "accepted"
> >>> with accept_stat GARBAGE_ARGS. An XID is available in the
> >>> header.
> >>>
> >>> rfc5666bis:
> >>>> If the rdma_vers field contains a recognized value, but an
> >>>> XDR parsing error occurs, the responder MUST reply with an
> >>>> RDMA_ERROR procedure and set the rdma_err value to ERR_CHUNK.
> >>>
> >>>
> >>> ERR_CHUNK is a transport level error. An XID is available
> >>> in the header.
> >>>
> >>> The difference is that the RPC layer v. the transport layer
> >>> are reporting they don't understand the contents of the
> >>> message (Call). There is nothing more in either type of
> >>> message.
> >>>
> >>>
> >>>>> - In RPC-over-RDMA Version One, we are not trying to recover
> >>>>> (in the sense of resending a simpler COMPOUND) but are rather
> >>>>> trying to ensure the offending RPC is properly terminated on
> >>>>> the client, and does not further block other RPCs or deadlock
> >>>>> the transport
> >>>>>
> >>>>> Thus I claim it is harmless if a server returns GARBAGE_ARGS
> >>>>> instead of ERR_CHUNK.
> >>>>
> >>>> "Harmless" is a bit relative. The operation fails, through no fault
> >>>> of the consumer. And, frankly, in a very mysterious way.
> >>>
> >>> We have no richer way of communicating failure in RPC-over-RDMA
> >>> Version One. We are not looking for recovery here, so I don't
> >>> believe any more information would be useful. If the server
> >>> wishes, it can log the failure with a message explaining what
> >>> went wrong.
> >>>
> >>>
> >>>> Again, I think there is more to say here. It's a limitation of the
> >>>> protocol whose implications should be made clear (contraining the
> >>>> complexity of COMPOUNDs, limiting scatter/gather lengths, etc).
> >>>
> >>> I'd welcome any suggested text.
> >>>
> >>> Honestly, I'm not sure what can be said. Neither NFSv4.0 nor
> >>> RPC-over-RDMA have a sophisticated mechanism to communicate this
> >>> kind of limitation. The best an NFSv4 server can do is return
> >>> NFS4ERR_RESOURCE, which also carries little extra information
> >>> about what a client should do to recover.
> >>>
> >>> So are you comfortable with eliminating GARBAGE_ARGS if we can
> >>> come up with more detail about the impact of not knowing how
> >>> complex a COMPOUND can be?
> >>
> >> I've come up with some possible replacement text for
> >> the final two paragraphs of S5.4.1 in an attempt to
> >> address comments from Tom, David, and Karen. The
> >> normative requirements have been removed, and a (brief)
> >> discussion of the consequences of not handling complex
> >> COMPOUNDs was introduced.
> >>
> >>
> >> 5.4.2.  Complexity Considerations
> >>
> >>   As mentioned above, an NFS version 4 COMPOUND procedure can contain
> >>   more than one operation that carries a DDP-eligible data item.  The
> >>   RPC-over-RDMA Version One protocol does not place any limit on the
> >>   number of chunks that may appear in the Read or Write lists.
> >>   Therefore an NFS version 4 client MAY construct an RPC-over-RDMA
> >>   Version One message containing more than one Read chunk or Write
> >>   chunk.
> >>
> >>   However, implementations have practical limits on the number of
> >>   chunks or segments they are prepared to process in one of these
> >>   lists.  There are several ways an NFS Version 4 server might indicate
> >>   that an RPC Call message constructed by a client is valid but cannot
> >>   be processed because of implementation limitations:
> >>
> >>   o  If the problem is detected in the upper layer (i.e., by the NFS
> >>      version 4 implementation), the server returns an NFS status of
> >>      NFS4ERR_RESOURCE.
> >>
> >>   o  If the problem is detected during XDR decoding of the request
> >>      (e.g., during re-assembly of the Call message by the RPC layer),
> >>      the server returns an RPC accept_stat of GARBAGE_ARGS.
> >>
> >>   o  If the problem is detected at the transport layer (i.e., during
> >>      transport header processing), the server returns an RDMA_ERROR
> >>      message with the err_code field set to ERR_CHUNK.
> >>
> >>   Such implementation limits can constrain the complexity of NFS
> >>   version 4 COMPOUNDs, limit the number of elements in scatter-gather
> >>   operations, or prevent the use of Kerberos integrity or privacy
> >>   services.
> >>
> >>
> >> Comments, opinions on this approach?
> >>
> >>
> >>>> Tom.
> >>>>
> >>>>
> >>>>>
> >>>>> As a result, I can change the Read list text in S5.4.1 to be
> >>>>> the same as the Write list text, removing the mention of
> >>>>> GARBAGE_ARGS.
> >>>>>
> >>>>> Would that sit comfortably with everyone?
> >>>>>
> >>>>>
> >>>>>> On Apr 20, 2017, at 7:21 PM, David Noveck <davenoveck@gmail.com>
> wrote:
> >>>>>>
> >>>>>>> The "or" is a similar situation, it prescribes a choice, which
> >>>>>>> does not define a protocol.
> >>>>>>
> >>>>>> Fair enough, but the point that needs to be made is that, with
> >>>>>> regard to Version One, Chuck and  the working group is not
> >>>>>> free to define a protocol.  As a result we have the kind of
> >>>>>> ugliness you object to, but it is inherent in the choice to try to
> >>>>>> revive Version One as-is.
> >>>>>>
> >>>>>>> If an NFS version 4 client sends an RPC Call with a Read list that
> >>>>>>> contains more chunks than an NFS version 4 server is prepared to
> >>>>>>> process, the server SHOULD reject the request by responding with an
> >>>>>>> RDMA_ERROR message with the rdma_err value set to ERR_CHUNK. The
> >>>>>>> server MAY reject the RPC with an RDMA_MSG message containing an
> RPC
> >>>>>>> Reply with an accept status of GARBAGE_ARGS.
> >>>>>>
> >>>>>> I think I know what you intend here and I've seen stuff like this
> in RFCs but I don't
> >>>>>> wthink e can do this because this is not in line with the
> definitions of "SHOULD"
> >>>>>> and "MAY" that appear in RFC2119.
> >>>>>>
> >>>>>> "SHOULD" means that you are supposed to do something but can avoid
> it if
> >>>>>> you have a good reason and are aware of the consequences of not
> doing it.
> >>>>>> In this case the "good" reason is that someone coded the
> implementation
> >>>>>> to do something else, which is not all that good a reason.  The
> consequences of
> >>>>>> returning the GARBAGEARGS are exactly zero, since the client has to
> be prepared
> >>>>>> for either it or ERR_CHUNK.
> >>>>>>
> >>>>>> "MAY" means the implementation can choose to do the action or not,
> which is line
> >>>>>> with the reality here but essentially contradicts the SHOULD.
> >>>>>>
> >>>>>>> This at least makes it clear which response is "preferred".
> >>>>>>
> >>>>>> But it is isn't really the job of the RFC2119 terms to say which is
> "preferred" or
> >>>>>> "'preferred'".  These terms are supposed to describe
> interoperability and the
> >>>>>> interoperability situation is that the server MUST return ERR_CHUNK
> or
> >>>>>> GARBAGEARGS and the client needs to be prepared for either.  That
> is the
> >>>>>> unpleasant reality.  If you want to indicate a preference, you can
> say something
> >>>>>> like:
> >>>>>>  • Returning ERR_CHUNK is preferrable.
> >>>>>>  • Returinng ERR_CHUNK is more in line with the appropriate
> protocol layering since this issue relates to a limitation of the transport
> implementation.
> >>>>>>  • Use of GARBAGEARGS is an unfortunate artifact of inappropriately
> layered implementations and is only allowed for reasons of compatibility
> with existing implementations.  It is desirable to avoid it.
> >>>>>>> And one would hope a future draft would decide.
> >>>>>>
> >>>>>> Not sure what draft you are thinking of.  I don't see us doing an
> rfc5667bisbis (rfc5667tris).
> >>>>>>
> >>>>>> By the time we did that, the implementations with these
> restrictions will probably be gone.
> >>>>>>
> >>>>>>> I have a second question though. How does the client determine
> what is
> >>>>>>> the actual error? As in, how many chunks were allowed?
> >>>>>>
> >>>>>> This is not fixable in Version One.  It would be in Version Two,
> but by then
> >>>>>> the need will probably be gone.
> >>>>>>
> >>>>>>> Does the upper
> >>>>>>> layer have to recover, and if so what are the implications?
> >>>>>>
> >>>>>> I think something could be put in to indicate that clients should
> break up COMPOUNDS
> >>>>>> so the only have a single chunk each.
> >>>>>>
> >>>>>>> Yes, I know 5667 did not explore this very well.
> >>>>>>
> >>>>>> It didn't explore it at all.  And 5666's error reporting facilities
> were extremely limited.
> >>>>>>
> >>>>>>> Mea culpa.
> >>>>>>
> >>>>>> I don'tt think you have anything to apologize for.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Thu, Apr 20, 2017 at 5:28 PM, Tom Talpey <tom@talpey.com> wrote:
> >>>>>>
> >>>>>>
> >>>>>> On 4/19/2017 11:14 AM, Chuck Lever wrote:
> >>>>>> Hi Tom-
> >>>>>>
> >>>>>> On Apr 18, 2017, at 11:08 PM, Tom Talpey <tom@talpey.com> wrote:
> >>>>>>
> >>>>>> I noticed the same thing, and I'll add that the MUST reject
> condition
> >>>>>> is very confusing because it allows an "or". In my opinion a MUST is
> >>>>>> always a single requirement, never ambiguous.
> >>>>>>
> >>>>>> I agree this kind of thing is tricky. I wrote it as "the server MUST
> >>>>>> reject the RPC". That's the single requirement. The choice is how
> the
> >>>>>> rejection is conveyed to the client.
> >>>>>>
> >>>>>> The statement "MUST reject" is not testable. So, while it may be
> >>>>>> understood what is intended, there is nothing implementable in the
> >>>>>> MUST. The "or" is a similar situation, it prescribes a choice, which
> >>>>>> does not define a protocol.
> >>>>>>
> >>>>>> Is there some reason you want to allow such a choice? I think you'll
> >>>>>> find that, worded properly, it becomes actually much less
> implementable
> >>>>>> and interoperable than you may think.
> >>>>>>
> >>>>>> The Solaris server can return an RPC-level error in cases like this.
> >>>>>>
> >>>>>> Well, this is happening because the Solaris server is (probably)
> just
> >>>>>> handing the chunk list up to the RPC layer, and it's the RPC (XDR)
> >>>>>> processing that detects any problem.
> >>>>>>
> >>>>>> On the other hand, an implementation could do the opposite, it could
> >>>>>> process the chunks at the lower layer, before ever invoking RPC
> >>>>>> processing. This would naturally lead to a non-RPC error.
> >>>>>>
> >>>>>> The challenge in defining the protocol is to hide these
> possibilities.
> >>>>>>
> >>>>>> I think there are similar choices allowed in rfc5666bis. Let's say
> >>>>>> that in a perfect world, I would go with only ERR_CHUNK, but I'm
> >>>>>> documenting existing implementation behavior here.
> >>>>>>
> >>>>>> I'm not sure it matters to the client: both errors are permanent and
> >>>>>> the RPC is terminated on the client.
> >>>>>>
> >>>>>> I'm open to alternatives.
> >>>>>>
> >>>>>> The icky way to do this is to split into two weak requirements.
> >>>>>>
> >>>>>> If an NFS version 4 client sends an RPC Call with a Read list that
> >>>>>> contains more chunks than an NFS version 4 server is prepared to
> >>>>>> process, the server SHOULD reject the request by responding with an
> >>>>>> RDMA_ERROR message with the rdma_err value set to ERR_CHUNK. The
> >>>>>> server MAY reject the RPC with an RDMA_MSG message containing an RPC
> >>>>>> Reply with an accept status of GARBAGE_ARGS.
> >>>>>>
> >>>>>> This at least makes it clear which response is "preferred". And one
> >>>>>> would hope a future draft would decide.
> >>>>>>
> >>>>>> I have a second question though. How does the client determine what
> is
> >>>>>> the actual error? As in, how many chunks were allowed? Does the
> upper
> >>>>>> layer have to recover, and if so what are the implications?
> >>>>>>
> >>>>>> Yes, I know 5667 did not explore this very well. Mea culpa.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Tom.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 4/18/2017 6:32 PM, karen deitke wrote:
> >>>>>> Hi Chuck, its unclear what you mean by "is prepared to process" in
> the text below.
> >>>>>> Other than that, looks good.
> >>>>>>
> >>>>>> Karen
> >>>>>>
> >>>>>> 5.4.1
> >>>>>> If an NFS version 4 client sends an RPC Call with a Write list that
> >>>>>> contains more chunks than an NFS version 4 server is prepared to
> >>>>>> process, the server MUST reject the RPC by responding with an
> >>>>>> RDMA_ERROR message with the rdma_err value set to ERR_CHUNK.
> >>>>>>
> >>>>>>
> >>>>>> If an NFS version 4 client sends an RPC Call with a Read list that
> >>>>>> contains more chunks than an NFS version 4 server is prepared to
> >>>>>> process, the server MUST reject the RPC by responding with an
> >>>>>> RDMA_MSG message containing an RPC Reply with an accept status of
> >>>>>> GARBAGE_ARGS, or with an RDMA_ERROR message with the rdma_err value
> >>>>>> set to ERR_CHUNK.
> >>>>>>
> >>>>>>
> >>>>>> On 4/18/2017 1:21 PM, David Noveck wrote:
> >>>>>> *Overall Evaluation*
> >>>>>> *
> >>>>>> *
> >>>>>> Major improvement over RFC5667.  Almost ready to ship.  No technical
> >>>>>> issues.
> >>>>>>
> >>>>>> A lot of my comments are basically editorial and are offered on a
> >>>>>> take-it-or-lease-it basis.
> >>>>>>
> >>>>>> I think some clarification in Section 5.4.1 is needed although not
> >>>>>> necessarily in the ways suggested below,
> >>>>>>
> >>>>>> *Comments by Section*
> >>>>>> *5.4.1. Multiple DDP-eligible Data Items*
> >>>>>> Giventhat READ_PLUS no longer has any DDP-eligible data items, the
> >>>>>> situation described in the fifth bullet can no longer arise. I
> suggest
> >>>>>> deleting the bullet.
> >>>>>> The penultimate paragraph can be read as applying to some situations
> >>>>>> in which it shouldn't and where the extra chunks would very
> naturally
> >>>>>> ignored. For example, if you had on write chunk together with a READ
> >>>>>> operation which failed, the server would have more chunks (i.e. one)
> >>>>>> than the number it is prepared to process (i.e. zero). Suggest, as a
> >>>>>> possible replacement:
> >>>>>>
> >>>>>> Normally, when an NFS version 4 client sends an RPC Call with a
> >>>>>> Write list that contains multiple chunks. each such, when matched
> >>>>>> with a DDP-eligible data item in the response, directs the
> >>>>>> placement of the data item as specified by
> >>>>>> [I.D.-nfsv4-rfc5666bis]. When there are DDP-eligible data items
> >>>>>> matched to write chunks that an NFS version 4 server is not
> >>>>>> prepared to process, the server MUST reject the RPC by responding
> >>>>>> with an RDMA_ERROR message with the rdma_err value set to ERR_CHUNK.
> >>>>>>
> >>>>>> With regard to the last paragraph, I am curious that this paragraph,
> >>>>>> unlike the previous one, allows GARBGEARGS. Is this so because that
> >>>>>> would be allowed if the chunks in question had offsets other than
> >>>>>> those that correspond to DDP-eligible data items? If so, please
> >>>>>> consider the following possible replacement.
> >>>>>>
> >>>>>> Normally, when an NFS version 4 client sends an RPC Call with a
> >>>>>> Read list that contains multiple chunks, each such, when properly
> >>>>>> matched with a DDP-eliigible data item in the request, directs the
> >>>>>> fetching of the the data item as specified by
> >>>>>> [I.D.-nfsv4-rfc5666bis]. When there are DDP-eligible data items
> >>>>>> matched to read chunks that an NFS version 4 server is not
> >>>>>> prepared to process, the server MUST reject the RPC by responding
> >>>>>> with an RDMA_ERROR message with the rdma_err value set to ERR_CHUNK.
> >>>>>>
> >>>>>> *5.6. Session-Related Considerations*
> >>>>>> In the third sentence of the second paragraph, suggest replacing "no
> >>>>>> different" by "not different".
> >>>>>> In the last sentence of the last paragraph, suggest replacing "is
> not"
> >>>>>> by "were not"
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> nfsv4 mailing list
> >>>>>> nfsv4@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> nfsv4 mailing list
> >>>>>> nfsv4@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> nfsv4 mailing list
> >>>>>> nfsv4@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>>>>>
> >>>>>> --
> >>>>>> Chuck Lever
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> nfsv4 mailing list
> >>>>>> nfsv4@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> nfsv4 mailing list
> >>>>>> nfsv4@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> nfsv4 mailing list
> >>>>>> nfsv4@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>>>>
> >>>>> --
> >>>>> Chuck Lever
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> nfsv4 mailing list
> >>>>> nfsv4@ietf.org
> >>>>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>>>>
> >>>>
> >>>> _______________________________________________
> >>>> nfsv4 mailing list
> >>>> nfsv4@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>>
> >>> --
> >>> Chuck Lever
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> nfsv4 mailing list
> >>> nfsv4@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/nfsv4
> >>
> >> --
> >> Chuck Lever
> >>
> >>
> >>
> >> _______________________________________________
> >> nfsv4 mailing list
> >> nfsv4@ietf.org
> >> https://www.ietf.org/mailman/listinfo/nfsv4
> >>
> >
> > _______________________________________________
> > nfsv4 mailing list
> > nfsv4@ietf.org
> > https://www.ietf.org/mailman/listinfo/nfsv4
>
> --
> Chuck Lever
>
>
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>