Description of problem:
Current versions of the kernel and ecryptfs-utils in Fedora 9 make the ecryptfs feature useless when mounting with openssl keys. There are problems in the ecryptfs userspace utilities (ecryptfsd) which use the kernel netlink interface. This bug is to track progress of inclusion of patches for ecryptfs-utils. Another bugzilla will be created to track the kernel side.

Version-Release number of selected component (if applicable):
kernel 2.6.25.6-55.fc9
ecryptfs-utils-40-0.fc9

How reproducible:
As root, run the ecryptfsd daemon and check /var/log/messages.

Steps to Reproduce:
1. # su -
2. # tail -f /var/log/messages &
3. # ecryptfsd

Actual results:
Jul 8 11:26:53 dhcp-lab-206 ecryptfsd: Starting eCryptfs userspace netlink daemon [4193]
Jul 8 11:26:53 dhcp-lab-206 ecryptfsd: Failed to send eCryptfs netlink message: Connection refused
Jul 8 11:26:53 dhcp-lab-206 ecryptfsd: Failed to register netlink daemon with the eCryptfs kernel module
Jul 8 11:26:53 dhcp-lab-206 ecryptfsd: Failed to send eCryptfs netlink message: Connection refused
Jul 8 11:26:53 dhcp-lab-206 ecryptfsd: ecryptfsd_exit: Failed to unregister netlink daemon with the eCryptfs kernel module
Jul 8 11:26:53 dhcp-lab-206 ecryptfsd: ecryptfsd_exit: Closing eCryptfs userspace netlink daemon [4193]

Expected results:
ecryptfsd starts, no errors on startup

Additional info:

The netlink interface for communications between the kernel and the userspace daemon has been buggy from day 1. Buggy in the sense that the kernel may oops if the netlink feature is used at all. Thus, current versions of the kernel have had the netlink interface disabled by default, in favor of the miscellaneous device file, which replaces the netlink interface. Versions of ecryptfs-utils since 44 support this miscellaneous device file interface.

For any version of Fedora shipping versions of the kernel and/or eCryptfs userspace utilities that use the netlink interface, any mode of operation other than passphrase is invalid and should be entirely disabled (for instance, by not installing ecryptfsd and the key module shared object files other than the passphrase module).

The netlink interface may have worked by happenstance in prior kernel versions, but, given the numerous problems in subsequent kernel releases, I consider the netlink code to be hopelessly buggy and dangerous to use at this point.

Mike

Mike, so, we should push -44 or later to F9, right? Would you like to do that or shall I?

Thanks,
-Eric

Actually, Jan, ecryptfs-utils-46 is already in F9 updates. Can you get the latest & re-test?

Thanks,
-Eric

Eric, -46 is part of 'updates-testing' not 'updates' repo at the moment. Anyway I have tried that and these are the results.

# modprobe ecryptfs
# ecryptfsd -d miscdev
# tail /var/log/messages
Jul 9 15:48:46 proliant02 ecryptfsd: ecryptfs_init_miscdev: Error whilst attempting to open [/dev/ecryptfs] or [/dev/misc/ecryptfs]; errno msg = [No such file or directory]
Jul 9 15:48:46 proliant02 ecryptfsd: main: Failed to initialize messaging; rc = [-5]
Jul 9 15:48:46 proliant02 ecryptfsd: Failed to send eCryptfs miscdev message; errno msg = [Bad file descriptor]
Jul 9 15:48:46 proliant02 ecryptfsd: ecryptfs_send_message: Failed to register miscdev daemon with the eCryptfs kernel module; rc = [-5]
Jul 9 15:48:46 proliant02 ecryptfsd: ecryptfsd_exit: Error attempting to send quit message to kernel; rc = [-5]
Jul 9 15:48:46 proliant02 ecryptfsd: ecryptfsd_exit: Closing eCryptfs userspace netlink daemon [2198]

Mike, the misc device you talk about should be created when ecryptfs module is loaded, right? I guess this is not yet included in kernel 2.6.25.6-55.fc9 (tried 2.6.25.9-76.fc9, too).

The problem is that current kernel in Fedora does not have the patch that introduces miscdev interface.

Jan Tluka wrote:
> The problem is that current kernel in Fedora does not have the patch
> that introduces miscdev interface.

Either the miscdev patchset needs to be included in the kernel, or ecryptfsd (and, hence, any key module other than passphrase) must be an unavailable feature in the current release. If we go with the latter, then ecryptfsd and the non-passphrase key modules need to be removed from the SPEC file so that users do not expect to be able to use that part of eCryptfs in Fedora 9.

Mike

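
A preflight check for the rule discussed in the comments above, added here as an example; it is not part of the thread, of ecryptfs-utils, or of any Fedora package. The function names and the optional ROOT prefix (used only so the check can be exercised against a scratch directory) are hypothetical; the two device paths are the ones named in the ecryptfsd log, and 44 is the ecryptfs-utils version the thread gives as the first with miscdev support.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from ecryptfs-utils.
# Decides whether ecryptfsd and the non-passphrase key modules can be used,
# or whether only passphrase mode is valid, per the rule in this thread.

# ecryptfs_miscdev_node [ROOT]
# Prints the first eCryptfs miscdev node found and returns 0, else returns 1.
# ROOT is an assumed optional path prefix (empty on a live system).
# -e is used so the check also works on a scratch tree; on a live system
# the node is a character device and -c would be the stricter test.
ecryptfs_miscdev_node() {
    root="${1:-}"
    for node in /dev/ecryptfs /dev/misc/ecryptfs; do
        if [ -e "${root}${node}" ]; then
            printf '%s\n' "${root}${node}"
            return 0
        fi
    done
    return 1
}

# ecryptfs_usable_modes UTILS_VERSION [ROOT]
# UTILS_VERSION is the integer package version (e.g. 46 for ecryptfs-utils-46).
# Prints "miscdev" when both halves are present: userspace >= 44 and a kernel
# that created the device node. Otherwise prints "passphrase-only", meaning
# ecryptfsd and key modules other than passphrase should not be relied on.
ecryptfs_usable_modes() {
    utils_version="$1"
    root="${2:-}"
    case "$utils_version" in
        ''|*[!0-9]*)
            echo "error: UTILS_VERSION must be an integer" >&2
            return 2
            ;;
    esac
    if [ "$utils_version" -ge 44 ] && ecryptfs_miscdev_node "$root" >/dev/null; then
        echo "miscdev"
    else
        echo "passphrase-only"
    fi
}
```

Run `ecryptfs_usable_modes 46` after `modprobe ecryptfs`; a result of `passphrase-only` with a version of 44 or later points at a kernel without the miscdev interface, which is the situation in the log above.
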
Sorry Jan, I was confused about which parts were in which versions of which piece. When F9 gets 2.6.26 all should be well, or, we could backport the upstream ecryptfs to the current kernel...

Works in Fedora 9 now.
kernel-2.6.26.5-45.fc9
ecryptfs-utils-46-0.fc9