Bug 454425

Summary: ecryptfsd cannot start and makes openssl keys useless
Product: [Fedora] Fedora
Reporter: Jan Tluka <jtluka>
Component: ecryptfs-utils
Assignee: Michael Halcrow <mhalcrow>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 9
CC: esandeen, karsten, kevin, petrosyan
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-10-24 06:14:51 UTC
Bug Blocks: 454426

Description Jan Tluka 2008-07-08 12:41:56 UTC
Description of problem:
The current versions of the kernel and ecryptfs-utils in Fedora 9 make the
ecryptfs feature useless when mounting with openssl keys. There are problems in
the ecryptfs userspace utilities (ecryptfsd), which use the kernel netlink
interface. This bug is to track progress of inclusion of patches for
ecryptfs-utils. Another bugzilla will be created to track the kernel side.

Version-Release number of selected component (if applicable):
kernel 2.6.25.6-55.fc9
ecryptfs-utils-40-0.fc9

How reproducible:
As root, run the ecryptfsd daemon and check /var/log/messages.

Steps to Reproduce:
1. # su -
2. # tail -f /var/log/messages &
3. # ecryptfsd
  
Actual results:
Jul  8 11:26:53 dhcp-lab-206 ecryptfsd: Starting eCryptfs userspace netlink daemon [4193]
Jul  8 11:26:53 dhcp-lab-206 ecryptfsd: Failed to send eCryptfs netlink message: Connection refused
Jul  8 11:26:53 dhcp-lab-206 ecryptfsd: Failed to register netlink daemon with the eCryptfs kernel module
Jul  8 11:26:53 dhcp-lab-206 ecryptfsd: Failed to send eCryptfs netlink message: Connection refused
Jul  8 11:26:53 dhcp-lab-206 ecryptfsd: ecryptfsd_exit: Failed to unregister netlink daemon with the eCryptfs kernel module
Jul  8 11:26:53 dhcp-lab-206 ecryptfsd: ecryptfsd_exit: Closing eCryptfs userspace netlink daemon [4193]

Expected results:
ecryptfsd starts, no errors on startup

Additional info:

Comment 1 Michael Halcrow 2008-07-08 15:45:37 UTC
The netlink interface for communications between the kernel and the userspace
daemon has been buggy from day 1. Buggy in the sense that the kernel may oops if
the netlink feature is used at all. Thus, current versions of the kernel have
had the netlink interface disabled by default, in favor of the miscellaneous
device file, which replaces the netlink interface. Versions of ecryptfs-utils
since 44 support this miscellaneous device file interface.

For any version of Fedora shipping versions of the kernel and/or eCryptfs
userspace utilities that use the netlink interface, any mode of operation other
than passphrase is invalid and should be entirely disabled (for instance, by not
installing ecryptfsd and the key module shared object files other than the
passphrase module).

The netlink interface may have worked by happenstance in prior kernel versions,
but, given the numerous problems in subsequent kernel releases, I consider the
netlink code to be hopelessly buggy and dangerous to use at this point.

Mike

Comment 2 Eric Sandeen 2008-07-08 15:54:48 UTC
Mike, so, we should push -44 or later to F9, right? Would you like to do that or
shall I?

Thanks,
-Eric

Comment 3 Eric Sandeen 2008-07-08 16:46:52 UTC
Actually, Jan, ecryptfs-utils-46 is already in F9 updates.

Can you get the latest & re-test?

Thanks,
-Eric

Comment 4 Jan Tluka 2008-07-09 11:57:01 UTC
Eric, -46 is part of the 'updates-testing' repo, not the 'updates' repo, at the
moment. Anyway, I have tried that and these are the results.

# modprobe ecryptfs
# ecryptfsd -d miscdev
# tail /var/log/messages
Jul  9 15:48:46 proliant02 ecryptfsd: ecryptfs_init_miscdev: Error whilst attempting to open [/dev/ecryptfs] or [/dev/misc/ecryptfs]; errno msg = [No such file or directory]
Jul  9 15:48:46 proliant02 ecryptfsd: main: Failed to initialize messaging; rc = [-5]
Jul  9 15:48:46 proliant02 ecryptfsd: Failed to send eCryptfs miscdev message; errno msg = [Bad file descriptor]
Jul  9 15:48:46 proliant02 ecryptfsd: ecryptfs_send_message: Failed to register miscdev daemon with the eCryptfs kernel module; rc = [-5]
Jul  9 15:48:46 proliant02 ecryptfsd: ecryptfsd_exit: Error attempting to send quit message to kernel; rc = [-5]
Jul  9 15:48:46 proliant02 ecryptfsd: ecryptfsd_exit: Closing eCryptfs userspace netlink daemon [2198]

Mike, the misc device you talk about should be created when the ecryptfs module
is loaded, right? I guess this is not yet included in kernel 2.6.25.6-55.fc9
(tried 2.6.25.9-76.fc9, too).

The problem is that the current kernel in Fedora does not have the patch that
introduces the miscdev interface.

Comment 5 Michael Halcrow 2008-07-09 15:22:58 UTC
Jan Tluka wrote:
> The problem is that the current kernel in Fedora does not have the patch
> that introduces the miscdev interface.

Either the miscdev patchset needs to be included in the kernel, or
ecryptfsd (and, hence, any key module other than passphrase) must be an
unavailable feature in the current release. If we go with the latter,
then ecryptfsd and the non-passphrase key modules need to be removed from
the SPEC file so that users do not expect to be able to use that part of
eCryptfs in Fedora 9.

Mike

Comment 6 Eric Sandeen 2008-07-09 16:09:48 UTC
Sorry Jan, I was confused about which parts were in which versions of which piece.

When F9 gets 2.6.26 all should be well, or, we could backport the upstream
ecryptfs to the current kernel...

Comment 7 Jan Tluka 2008-10-09 12:13:06 UTC
Works in Fedora 9 now.

kernel-2.6.26.5-45.fc9
ecryptfs-utils-46-0.fc9
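
The two start-up failures reported in this bug (netlink registration refused in the Description, missing misc device in Comment 4) can be told apart from the log alone. The following triage script is an added example, not part of the bug report or of ecryptfs-utils; the function names are hypothetical and the sample log lines are the messages quoted above, unwrapped.

```shell
#!/bin/sh
# Added example (not from the bug report): triage for the two ecryptfsd
# start-up failures quoted above. Function names are hypothetical.

# Classify syslog text read from stdin by the failure signature it contains.
ecryptfsd_classify() {
    log=$(cat)
    case $log in
        *'ecryptfs_init_miscdev: Error whilst'*)     echo miscdev-missing ;;
        *'Failed to send eCryptfs netlink message'*) echo netlink-refused ;;
        *)                                           echo no-known-failure ;;
    esac
}

# Succeed if one of the two device paths ecryptfsd tries is a character
# device. DEVROOT ($1, default /dev) is a parameter so the check is testable.
ecryptfs_miscdev_present() {
    for p in "${1:-/dev}/ecryptfs" "${1:-/dev}/misc/ecryptfs"; do
        [ -c "$p" ] && return 0
    done
    return 1
}

# Map a classification to the remedy discussed in the comments.
ecryptfsd_advice() {
    case $1 in
        netlink-refused) echo "kernel refuses netlink; run ecryptfs-utils 44 or later over miscdev" ;;
        miscdev-missing) echo "kernel lacks miscdev; only the passphrase key module is usable" ;;
        *)               echo "no known ecryptfsd start-up failure" ;;
    esac
}

# Constructed sample input: messages from the excerpts in this report, unwrapped.
SAMPLE_NETLINK='Jul  8 11:26:53 dhcp-lab-206 ecryptfsd: Failed to send eCryptfs netlink message: Connection refused
Jul  8 11:26:53 dhcp-lab-206 ecryptfsd: Failed to register netlink daemon with the eCryptfs kernel module'
SAMPLE_MISCDEV='Jul  9 15:48:46 proliant02 ecryptfsd: ecryptfs_init_miscdev: Error whilst attempting to open [/dev/ecryptfs] or [/dev/misc/ecryptfs]; errno msg = [No such file or directory]
Jul  9 15:48:46 proliant02 ecryptfsd: main: Failed to initialize messaging; rc = [-5]'

for sample in "$SAMPLE_NETLINK" "$SAMPLE_MISCDEV"; do
    class=$(printf '%s\n' "$sample" | ecryptfsd_classify)
    echo "$class: $(ecryptfsd_advice "$class")"
done
if ecryptfs_miscdev_present; then echo "miscdev: present"; else echo "miscdev: absent"; fi
```

On a live system, pipe the relevant part of /var/log/messages into `ecryptfsd_classify` after `modprobe ecryptfs`.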