~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/filesystems/nfs/client-identifier.rst

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/filesystems/nfs/client-identifier.rst (Architecture sparc64) and /Documentation/filesystems/nfs/client-identifier.rst (Architecture ppc)


  1 .. SPDX-License-Identifier: GPL-2.0                 1 .. SPDX-License-Identifier: GPL-2.0
  2                                                     2 
  3 =======================                             3 =======================
  4 NFSv4 client identifier                             4 NFSv4 client identifier
  5 =======================                             5 =======================
  6                                                     6 
  7 This document explains how the NFSv4 protocol       7 This document explains how the NFSv4 protocol identifies client
  8 instances in order to maintain file open and l      8 instances in order to maintain file open and lock state during
  9 system restarts. A special identifier and prin      9 system restarts. A special identifier and principal are maintained
 10 on each client. These can be set by administra     10 on each client. These can be set by administrators, scripts
 11 provided by site administrators, or tools prov     11 provided by site administrators, or tools provided by Linux
 12 distributors.                                      12 distributors.
 13                                                    13 
 14 There are risks if a client's NFSv4 identifier     14 There are risks if a client's NFSv4 identifier and its principal
 15 are not chosen carefully.                          15 are not chosen carefully.
 16                                                    16 
 17                                                    17 
 18 Introduction                                       18 Introduction
 19 ------------                                       19 ------------
 20                                                    20 
 21 The NFSv4 protocol uses "lease-based file lock     21 The NFSv4 protocol uses "lease-based file locking". Leases help
 22 NFSv4 servers provide file lock guarantees and     22 NFSv4 servers provide file lock guarantees and manage their
 23 resources.                                         23 resources.
 24                                                    24 
 25 Simply put, an NFSv4 server creates a lease fo     25 Simply put, an NFSv4 server creates a lease for each NFSv4 client.
 26 The server collects each client's file open an     26 The server collects each client's file open and lock state under
 27 the lease for that client.                         27 the lease for that client.
 28                                                    28 
 29 The client is responsible for periodically ren     29 The client is responsible for periodically renewing its leases.
 30 While a lease remains valid, the server holdin     30 While a lease remains valid, the server holding that lease
 31 guarantees the file locks the client has creat     31 guarantees the file locks the client has created remain in place.
 32                                                    32 
 33 If a client stops renewing its lease (for exam     33 If a client stops renewing its lease (for example, if it crashes),
 34 the NFSv4 protocol allows the server to remove     34 the NFSv4 protocol allows the server to remove the client's open
 35 and lock state after a certain period of time.     35 and lock state after a certain period of time. When a client
 36 restarts, it indicates to servers that open an     36 restarts, it indicates to servers that open and lock state
 37 associated with its previous leases is no long     37 associated with its previous leases is no longer valid and can be
 38 destroyed immediately.                             38 destroyed immediately.
 39                                                    39 
 40 In addition, each NFSv4 server manages a persi     40 In addition, each NFSv4 server manages a persistent list of client
 41 leases. When the server restarts and clients a     41 leases. When the server restarts and clients attempt to recover
 42 their state, the server uses this list to dist     42 their state, the server uses this list to distinguish amongst
 43 clients that held state before the server rest     43 clients that held state before the server restarted and clients
 44 sending fresh OPEN and LOCK requests. This ena     44 sending fresh OPEN and LOCK requests. This enables file locks to
 45 persist safely across server restarts.             45 persist safely across server restarts.
 46                                                    46 
 47 NFSv4 client identifiers                           47 NFSv4 client identifiers
 48 ------------------------                           48 ------------------------
 49                                                    49 
 50 Each NFSv4 client presents an identifier to NF     50 Each NFSv4 client presents an identifier to NFSv4 servers so that
 51 they can associate the client with its lease.      51 they can associate the client with its lease. Each client's
 52 identifier consists of two elements:               52 identifier consists of two elements:
 53                                                    53 
 54   - co_ownerid: An arbitrary but fixed string.     54   - co_ownerid: An arbitrary but fixed string.
 55                                                    55 
 56   - boot verifier: A 64-bit incarnation verifi     56   - boot verifier: A 64-bit incarnation verifier that enables a
 57     server to distinguish successive boot epoc     57     server to distinguish successive boot epochs of the same client.
 58                                                    58 
 59 The NFSv4.0 specification refers to these two      59 The NFSv4.0 specification refers to these two items as an
 60 "nfs_client_id4". The NFSv4.1 specification re     60 "nfs_client_id4". The NFSv4.1 specification refers to these two
 61 items as a "client_owner4".                        61 items as a "client_owner4".
 62                                                    62 
 63 NFSv4 servers tie this identifier to the princ     63 NFSv4 servers tie this identifier to the principal and security
 64 flavor that the client used when presenting it     64 flavor that the client used when presenting it. Servers use this
 65 principal to authorize subsequent lease modifi     65 principal to authorize subsequent lease modification operations
 66 sent by the client. Effectively this principal     66 sent by the client. Effectively this principal is a third element of
 67 the identifier.                                    67 the identifier.
 68                                                    68 
 69 As part of the identity presented to servers,      69 As part of the identity presented to servers, a good
 70 "co_ownerid" string has several important prop     70 "co_ownerid" string has several important properties:
 71                                                    71 
 72   - The "co_ownerid" string identifies the cli     72   - The "co_ownerid" string identifies the client during reboot
 73     recovery, therefore the string is persiste     73     recovery, therefore the string is persistent across client
 74     reboots.                                       74     reboots.
 75   - The "co_ownerid" string helps servers dist     75   - The "co_ownerid" string helps servers distinguish the client
 76     from others, therefore the string is globa     76     from others, therefore the string is globally unique. Note
 77     that there is no central authority that as     77     that there is no central authority that assigns "co_ownerid"
 78     strings.                                       78     strings.
 79   - Because it often appears on the network in     79   - Because it often appears on the network in the clear, the
 80     "co_ownerid" string does not reveal privat     80     "co_ownerid" string does not reveal private information about
 81     the client itself.                             81     the client itself.
 82   - The content of the "co_ownerid" string is      82   - The content of the "co_ownerid" string is set and unchanging
 83     before the client attempts NFSv4 mounts af     83     before the client attempts NFSv4 mounts after a restart.
 84   - The NFSv4 protocol places a 1024-byte limi     84   - The NFSv4 protocol places a 1024-byte limit on the size of the
 85     "co_ownerid" string.                           85     "co_ownerid" string.
 86                                                    86 
 87 Protecting NFSv4 lease state                       87 Protecting NFSv4 lease state
 88 ----------------------------                       88 ----------------------------
 89                                                    89 
 90 NFSv4 servers utilize the "client_owner4" as d     90 NFSv4 servers utilize the "client_owner4" as described above to
 91 assign a unique lease to each client. Under th     91 assign a unique lease to each client. Under this scheme, there are
 92 circumstances where clients can interfere with     92 circumstances where clients can interfere with each other. This is
 93 referred to as "lease stealing".                   93 referred to as "lease stealing".
 94                                                    94 
 95 If distinct clients present the same "co_owner     95 If distinct clients present the same "co_ownerid" string and use
 96 the same principal (for example, AUTH_SYS and      96 the same principal (for example, AUTH_SYS and UID 0), a server is
 97 unable to tell that the clients are not the sa     97 unable to tell that the clients are not the same. Each distinct
 98 client presents a different boot verifier, so      98 client presents a different boot verifier, so it appears to the
 99 server as if there is one client that is reboo     99 server as if there is one client that is rebooting frequently.
100 Neither client can maintain open or lock state    100 Neither client can maintain open or lock state in this scenario.
101                                                   101 
102 If distinct clients present the same "co_owner    102 If distinct clients present the same "co_ownerid" string and use
103 distinct principals, the server is likely to a    103 distinct principals, the server is likely to allow the first client
104 to operate normally but reject subsequent clie    104 to operate normally but reject subsequent clients with the same
105 "co_ownerid" string.                              105 "co_ownerid" string.
106                                                   106 
107 If a client's "co_ownerid" string or principal    107 If a client's "co_ownerid" string or principal are not stable,
108 state recovery after a server or client reboot    108 state recovery after a server or client reboot is not guaranteed.
109 If a client unexpectedly restarts but presents    109 If a client unexpectedly restarts but presents a different
110 "co_ownerid" string or principal to the server    110 "co_ownerid" string or principal to the server, the server orphans
111 the client's previous open and lock state. Thi    111 the client's previous open and lock state. This blocks access to
112 locked files until the server removes the orph    112 locked files until the server removes the orphaned state.
113                                                   113 
114 If the server restarts and a client presents a    114 If the server restarts and a client presents a changed "co_ownerid"
115 string or principal to the server, the server     115 string or principal to the server, the server will not allow the
116 client to reclaim its open and lock state, and    116 client to reclaim its open and lock state, and may give those locks
117 to other clients in the meantime. This is refe    117 to other clients in the meantime. This is referred to as "lock
118 stealing".                                        118 stealing".
119                                                   119 
120 Lease stealing and lock stealing increase the     120 Lease stealing and lock stealing increase the potential for denial
121 of service and in rare cases even data corrupt    121 of service and in rare cases even data corruption.
122                                                   122 
123 Selecting an appropriate client identifier        123 Selecting an appropriate client identifier
124 ------------------------------------------        124 ------------------------------------------
125                                                   125 
126 By default, the Linux NFSv4 client implementat    126 By default, the Linux NFSv4 client implementation constructs its
127 "co_ownerid" string starting with the words "L    127 "co_ownerid" string starting with the words "Linux NFS" followed by
128 the client's UTS node name (the same node name    128 the client's UTS node name (the same node name, incidentally, that
129 is used as the "machine name" in an AUTH_SYS c    129 is used as the "machine name" in an AUTH_SYS credential). In small
130 deployments, this construction is usually adeq    130 deployments, this construction is usually adequate. Often, however,
131 the node name by itself is not adequately uniq    131 the node name by itself is not adequately unique, and can change
132 unexpectedly. Problematic situations include:     132 unexpectedly. Problematic situations include:
133                                                   133 
134   - NFS-root (diskless) clients, where the loc    134   - NFS-root (diskless) clients, where the local DHCP server (or
135     equivalent) does not provide a unique host    135     equivalent) does not provide a unique host name.
136                                                   136 
137   - "Containers" within a single Linux host.      137   - "Containers" within a single Linux host.  If each container has
138     a separate network namespace, but does not    138     a separate network namespace, but does not use the UTS namespace
139     to provide a unique host name, then there     139     to provide a unique host name, then there can be multiple NFS
140     client instances with the same host name.     140     client instances with the same host name.
141                                                   141 
142   - Clients across multiple administrative dom    142   - Clients across multiple administrative domains that access a
143     common NFS server. If hostnames are not as    143     common NFS server. If hostnames are not assigned centrally
144     then uniqueness cannot be guaranteed unles    144     then uniqueness cannot be guaranteed unless a domain name is
145     included in the hostname.                     145     included in the hostname.
146                                                   146 
147 Linux provides two mechanisms to add uniquenes    147 Linux provides two mechanisms to add uniqueness to its "co_ownerid"
148 string:                                           148 string:
149                                                   149 
150     nfs.nfs4_unique_id                            150     nfs.nfs4_unique_id
151       This module parameter can set an arbitra    151       This module parameter can set an arbitrary uniquifier string
152       via the kernel command line, or when the    152       via the kernel command line, or when the "nfs" module is
153       loaded.                                     153       loaded.
154                                                   154 
155     /sys/fs/nfs/net/nfs_client/identifier         155     /sys/fs/nfs/net/nfs_client/identifier
156       This virtual file, available since Linux    156       This virtual file, available since Linux 5.3, is local to the
157       network namespace in which it is accesse    157       network namespace in which it is accessed and so can provide
158       distinction between network namespaces (    158       distinction between network namespaces (containers) when the
159       hostname remains uniform.                   159       hostname remains uniform.
160                                                   160 
161 Note that this file is empty on name-space cre    161 Note that this file is empty on name-space creation. If the
162 container system has access to some sort of pe    162 container system has access to some sort of per-container identity
163 then that uniquifier can be used. For example,    163 then that uniquifier can be used. For example, a uniquifier might
164 be formed at boot using the container's intern    164 be formed at boot using the container's internal identifier:
165                                                   165 
166     sha256sum /etc/machine-id | awk '{print $1    166     sha256sum /etc/machine-id | awk '{print $1}' \\
167         > /sys/fs/nfs/net/nfs_client/identifie    167         > /sys/fs/nfs/net/nfs_client/identifier
168                                                   168 
169 Security considerations                           169 Security considerations
170 -----------------------                           170 -----------------------
171                                                   171 
172 The use of cryptographic security for lease ma    172 The use of cryptographic security for lease management operations
173 is strongly encouraged.                           173 is strongly encouraged.
174                                                   174 
175 If NFS with Kerberos is not configured, a Linu    175 If NFS with Kerberos is not configured, a Linux NFSv4 client uses
176 AUTH_SYS and UID 0 as the principal part of it    176 AUTH_SYS and UID 0 as the principal part of its client identity.
177 This configuration is not only insecure, it in    177 This configuration is not only insecure, it increases the risk of
178 lease and lock stealing. However, it might be     178 lease and lock stealing. However, it might be the only choice for
179 client configurations that have no local persi    179 client configurations that have no local persistent storage.
180 "co_ownerid" string uniqueness and persistence    180 "co_ownerid" string uniqueness and persistence is critical in this
181 case.                                             181 case.
182                                                   182 
183 When a Kerberos keytab is present on a Linux N    183 When a Kerberos keytab is present on a Linux NFS client, the client
184 attempts to use one of the principals in that     184 attempts to use one of the principals in that keytab when
185 identifying itself to servers. The "sec=" moun    185 identifying itself to servers. The "sec=" mount option does not
186 control this behavior. Alternately, a single-u    186 control this behavior. Alternately, a single-user client with a
187 Kerberos principal can use that principal in p    187 Kerberos principal can use that principal in place of the client's
188 host principal.                                   188 host principal.
189                                                   189 
190 Using Kerberos for this purpose enables the cl    190 Using Kerberos for this purpose enables the client and server to
191 use the same lease for operations covered by a    191 use the same lease for operations covered by all "sec=" settings.
192 Additionally, the Linux NFS client uses the RP    192 Additionally, the Linux NFS client uses the RPCSEC_GSS security
193 flavor with Kerberos and the integrity QOS to     193 flavor with Kerberos and the integrity QOS to prevent in-transit
194 modification of lease modification requests.      194 modification of lease modification requests.
195                                                   195 
196 Additional notes                                  196 Additional notes
197 ----------------                                  197 ----------------
198 The Linux NFSv4 client establishes a single le    198 The Linux NFSv4 client establishes a single lease on each NFSv4
199 server it accesses. NFSv4 mounts from a Linux     199 server it accesses. NFSv4 mounts from a Linux NFSv4 client of a
200 particular server then share that lease.          200 particular server then share that lease.
201                                                   201 
202 Once a client establishes open and lock state,    202 Once a client establishes open and lock state, the NFSv4 protocol
203 enables lease state to transition to other ser    203 enables lease state to transition to other servers, following data
204 that has been migrated. This hides data migrat    204 that has been migrated. This hides data migration completely from
205 running applications. The Linux NFSv4 client f    205 running applications. The Linux NFSv4 client facilitates state
206 migration by presenting the same "client_owner    206 migration by presenting the same "client_owner4" to all servers it
207 encounters.                                       207 encounters.
208                                                   208 
209 ========                                          209 ========
210 See Also                                          210 See Also
211 ========                                          211 ========
212                                                   212 
213   - nfs(5)                                        213   - nfs(5)
214   - kerberos(7)                                   214   - kerberos(7)
215   - RFC 7530 for the NFSv4.0 specification        215   - RFC 7530 for the NFSv4.0 specification
216   - RFC 8881 for the NFSv4.1 specification.       216   - RFC 8881 for the NFSv4.1 specification.
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php