From 7a56a689d4aa588bd003e35fdb93d87cf1e56d1d Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Mon, 18 Dec 2023 14:59:30 +0100 Subject: [PATCH] LU-17374 gss: get rid of rsi cache entries after req handle RPCSEC init requests are kept in the rsi cache. While this is useful during request processing involving upcall/downcall with userspace, rsi entries are never used again once RPCSEC init requests have been handled completely. And keeping entries in the rsi cache has some impact on authentication speed. When a new RPCSEC init request is received, the first step is to check if there is a valid matching entry in the cache. It is never the case, except if an authentication request is replayed, but GSS rejects that anyway. So we spend time browsing a cache from which we expect no match. Even if the upcall cache mechanism takes this lookup opportunity to remove invalid or expired entries, it is even better to remove cache entries as soon as we know they are done. Test-Parameters: kerberos=true testlist=sanity-krb5 Signed-off-by: Sebastien Buisson Change-Id: Ia9946578c3d3149e6235d832df28214ae8984f1e Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/53488 Reviewed-by: Aurelien Degremont Reviewed-by: Andreas Dilger Reviewed-by: Oleg Drokin Tested-by: jenkins Tested-by: Maloo --- lustre/ptlrpc/gss/gss_svc_upcall.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/lustre/ptlrpc/gss/gss_svc_upcall.c b/lustre/ptlrpc/gss/gss_svc_upcall.c index 063a5c2..4074f22 100644 --- a/lustre/ptlrpc/gss/gss_svc_upcall.c +++ b/lustre/ptlrpc/gss/gss_svc_upcall.c @@ -931,8 +931,14 @@ int gss_svc_upcall_handle_init(struct ptlrpc_request *req, rc = SECSVC_OK; out: - if (!IS_ERR_OR_NULL(rsip)) + if (!IS_ERR_OR_NULL(rsip)) { + /* After rpcsec init request has been handled, + * no need to keep rsi entry in cache, no matter the result. + * So mark it invalid now. + */ + UC_CACHE_SET_INVALID(rsip->si_uc_entry); rsi_entry_put(rsicache, rsip); + } if (!IS_ERR_OR_NULL(rscp)) { /* if anything went wrong, we don't keep the context too */ if (rc != SECSVC_OK) @@ -1040,7 +1046,7 @@ int __init gss_init_svc_upcall(void) rsicache = upcall_cache_init(RSI_CACHE_NAME, RSI_UPCALL_PATH, UC_RSICACHE_HASH_SIZE, - 3600, /* entry expire: 1 h */ + 600, /* entry expire: 10 mn */ 30, /* acquire expire: 30 s */ false, /* can't replay acquire */ &rsi_upcall_cache_ops); -- 1.8.3.1