Bug 584901 - Using VFS IMA with OpenAFS generates lots of log noise
Using VFS IMA with OpenAFS generates lots of log noise
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
high Severity high
: rc
: ---
Assigned To: Eric Paris
Filesystem QE
: 534113 585286 589760 593329 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2010-04-22 13:06 EDT by Bryn M. Reeves
Modified: 2014-03-27 00:48 EDT (History)
21 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-11-11 10:48:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch which fixes IMA object lifetime thus making it work with AFS (63.36 KB, patch)
2010-04-23 10:31 EDT, Eric Paris
no flags Details | Diff
Same basic fix, hopefully applies to older RHEL6 kernels (65.89 KB, patch)
2010-04-28 16:12 EDT, Eric Paris
no flags Details | Diff

  None (edit)
Description Bryn M. Reeves 2010-04-22 13:06:01 EDT
Description of problem:
IMA seems to cause a ton of kernel messages on every file access due to not understanding the openafs cache. This slows down the client and generates large volumes of log traffic, e.g.:

ima_file_free: V9356 open/free imbalance (r:0 w:-21 o:-21 f:0)

The rate at which these messages are logged when running OpenAFS is excessive leading to disk space utilisation and performance problems.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure OpenAFS with a RHEL6 kernel that enables IMA
2. Access some files
Actual results:
Log spamming of the form:

  ima_file_free: V9356 open/free imbalance (r:0 w:-21 o:-21 f:0)

On every file access.

Expected results:
Upstream has already modified this to limit the volume of log messages.

Additional info:
author	Mimi Zohar <zohar@us.ibm.com>	
committer Eric Paris <eparis@redhat.com>	
	 Wed, 9 Dec 2009 20:58:05 +0000 (15:58 -0500)
commit	632eb15fdd4f87886138ab3511f0b651abffe9df

ima: limit imbalance msg

Limit the number of imbalance messages to once per filesystem type instead of
once per system boot.  (it's actually slightly racy and could give you a
couple per fs, but this isn't a real issue)

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Comment 2 RHEL Product and Program Management 2010-04-22 14:23:53 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
Comment 5 Eric Paris 2010-04-23 10:31:26 EDT
Created attachment 408627 [details]
Patch which fixes IMA object lifetime thus making it work with AFS
Comment 6 Eric Paris 2010-04-23 14:14:20 EDT
*** Bug 585286 has been marked as a duplicate of this bug. ***
Comment 13 Marc Dionne 2010-04-27 21:22:34 EDT
I'm trying to test the attached patch on the kernel source from the 2.6.32-19.el6 SRPM (from ftp.redhat.com/pub/redhat/rhel/beta/6/source/SRPMS/), but it doesn't apply cleanly.  A few hunks fail in fs/namei.c, and it looks like it's based on a different tree than the current SRPM - for instance the context lines have handle_truncate(), which doesn't exist in the version I'm looking at.
I guess you may be working from something more recent than the published SRPM.
Comment 14 Eric Paris 2010-04-28 15:37:06 EDT
Yes I am.  Some of the patches that are needed to make this work are not in the -19 kernel  :(.   I'm going to try to find one of the old versions of the patch for you to test.
Comment 15 Eric Paris 2010-04-28 16:12:14 EDT
Created attachment 409960 [details]
Same basic fix, hopefully applies to older RHEL6 kernels
Comment 16 Marc Dionne 2010-04-29 08:38:48 EDT
That patch does apply cleanly on the -19 kernel, thanks.  I haven't been able to complete the build and test yet, I'll post an update when I have.  It's pretty clear from the code that this should take care of the issue for OpenAFS.
Comment 18 Marc Dionne 2010-04-29 13:13:40 EDT
BTW it would also be very nice to see this fixed in Fedora 12, where it has also been a problem, or a move to 2.6.33.
Comment 19 Marc Dionne 2010-04-29 21:08:04 EDT
I completed some tests and can confirm that as expected, IMA warnings are no longer an issue with the patch applied, tested with the current OpenAFS.

Comment 20 Stephan Wiesand 2010-04-30 10:04:39 EDT
I also had success with this patch and OpenAFS-1.5.74 (the current development release) + http://git.openafs.org/?p=openafs.git;a=commit;h=14195f0f48d52dd3a81c52c4a3bc2078857d0f86 . It even works with SELinux in enforcing mode once all the labels are right.

This will be the basic setup for all further work with the beta here.

Thanks for the patch, and for making this BZ public.
Comment 21 Jason McCormick 2010-05-06 17:08:08 EDT
Is it known yet if this patch will be the released version of EL6?  I want to file a support request through our support account if not.
Comment 22 Eric Paris 2010-05-14 15:55:50 EDT
The patch has been posted for review by the internal Red Hat kernel team.  We have not yet committed to inclusion but we are pursuing the process for inclusion in EL6.  I believe that comment #2 is still the 'official' position.
Comment 24 Marc Dionne 2010-07-01 09:28:25 EDT
Is there any update on the 'official' position on this patch?
Had a look at the beta 2 kernel source and it doesn't look like this has made it in yet.
Comment 25 Aristeu Rozanski 2010-07-01 12:11:25 EDT
Patch(es) available on kernel-2.6.32-42.el6
Comment 28 Eric Paris 2010-07-19 11:16:44 EDT
*** Bug 534113 has been marked as a duplicate of this bug. ***
Comment 29 Raghu Udiyar 2010-08-13 11:24:32 EDT
*** Bug 593329 has been marked as a duplicate of this bug. ***
Comment 30 Marc Dionne 2010-08-28 16:24:11 EDT
Since nobody has confirmed here, I'll just mention that I got a chance to test openafs with kernel-2.6.32-44.2 and I can confirm that the issue is indeed resolved.
Comment 32 releng-rhel@redhat.com 2010-11-11 10:48:41 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
Comment 33 John Feeney 2011-05-04 18:26:57 EDT
*** Bug 589760 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.