Bug 448797

Summary: Files created in eCryptfs overlay atop NFS disappear
Product: Red Hat Enterprise Linux 5 Reporter: Jarod Wilson <jarod>
Component: kernelAssignee: Eric Sandeen <esandeen>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 5.3CC: e, jlayton, lwang, mgahagan, mhalcrow, sluskyb
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-09 22:03:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 533192    

Description Jarod Wilson 2008-05-28 20:33:01 UTC 
Description of problem:
File created in an ecryptfs overlay atop an nfs share disappear.

Two machines involved: "server" is an nfs server, sharing out "/data", "client"
is a workstation mounting /data from server.

The client has /data mounted from the server, and now creates a directory
/data/encrypted, and proceeds to mount an ecryptfs overlay atop /data/encrypted
(using selinux xattr work-around in bug 448787):

[client]# mount -t ecryptfs /data/encrypted /data/encrypted -o
context=system_u:object_r:user_home_t:s0
Select key type to use for newly created files: 
 1) openssl
 2) passphrase
Selection: 2
Passphrase: 
Verify Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 2
Enable plaintext passthrough (y/n): n
Attempting to mount with the following options:
  ecryptfs_key_bytes=32
  ecryptfs_cipher=aes
  ecryptfs_sig=92868a6a72b0202e
Mounted eCryptfs

[client]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5              41G  1.6G   37G   5% /
/dev/sda1             190M   29M  152M  16% /boot
tmpfs                 437M     0  437M   0% /dev/shm
xenon:/data           101G   41G   55G  43% /data
/data/encrypted       101G   41G   55G  43% /data/encrypted

[client]# echo "wasabi" > /data/encrypted/foo

[client]# ll
total 12
-rw-r--r-- 1 root root 7 May 28 15:57 foo

----WAIT A MINUTE OR TWO----

[client]# ll
total 0

???

At this point, an ll on the server side works just fine, shows the encrypted
file and everything. Oddly enough, trying to cat the file client-side actually
still works.

Unmounting the ecryptfs overlay reveals the file to ls again. Re-mounting the
ecryptfs overlay results in the file being there for one ls iteration, then
disappearing again.


Version-Release number of selected component (if applicable):
kernel-2.6.18-92.el5
ecryptfs-utils-41-1.el5
Comment 1 Jarod Wilson 2008-05-28 20:38:16 UTC 
Whoops, this should be against kernel, not ecryptfs-utils.
Comment 2 Eric Sandeen 2008-06-03 17:30:23 UTC 
Mike has an nfs-related patch that I have rolled into my 2.6.26 ecryptfs
backport for 5.3; testing it now.   So far this simple test seems ok.
Comment 3 Jarod Wilson 2008-06-03 18:45:15 UTC 
Yep, looking much better here now too.
Comment 4 Eric Sandeen 2008-06-03 21:03:46 UTC 
copying a kernel tree onto ecryptfs-over-nfs-client-mount worked, but "make
clean" exploded.  We still have nfs problems, though apparently not this
specific one.
Comment 5 Jarod Wilson 2008-06-04 21:46:32 UTC 
I've successfully copied a kernel source tree onto an ecryptfs-on-nfs mount w/o
a problem so far, now doing a kernel build. First thing that jumps out is
constant spew about files having modification times some random amount of time
between 2.5 and 11 seconds in the future. Will give a make clean a try once the
kernel build is done. For the record, the nfs server in this case is another
rhel5 box.
Comment 6 Jarod Wilson 2008-06-06 15:31:45 UTC 
The 'make clean' exploded here too, filed bug 450144 for that problem. Still
need to poke at the modification time thing, may just have been a generic nfs
thing, since the clocks on the server and client weren't in sync.
Comment 7 Jarod Wilson 2008-06-13 19:47:14 UTC 
Yep, chalk up the modification time thing to the server and client having clocks
a ways out of sync. All's well on this front if they're both keeping time correctly.
Comment 8 Eric Sandeen 2008-08-27 17:20:23 UTC 
Moving this to 5.4; still no fix upstream and I've not been able to resolve it.  We'll need to release-note ecryptfs in 5.3 with caveats about NFS, I think?
Comment 9 RHEL Program Management 2008-08-27 17:33:28 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 10 Eric Sandeen 2008-08-27 19:19:07 UTC 
Note, RHEL5.3 will have a patch to disallow mounts on NFS due to the severity
of the problems.
Comment 11 RHEL Program Management 2009-02-16 15:44:17 UTC 
Updating PM score.
Comment 12 Eric Sandeen 2009-03-12 16:47:23 UTC 
Moving this off to 5.5.  AFAIK it's still broken upstream, and we have patches to prevent nfs mounts, so customers won't see this (with the restricted ability to use nfs, that is)
Comment 13 e 2009-08-30 23:17:55 UTC 
Still broken in Fedora 11 (2.6.29.6-217.2.16.fc11.x86_64)