Ubuntu
keyutils package

Apply default TTL to records obtained from getaddrinfo()

Bug #1962453 reported by Utkarsh Gupta
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
keyutils (Ubuntu)
Fix Released
Undecided
Utkarsh Gupta
Bionic
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Impish
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned

Bug Description

[Impact]
========

There's a strong dependency for cifs.ko (and nfs.ko) on keyutils for DNS resolution. The keyutils package contains the userspace utility to update the kernel keyring with the DNS mapping to IP address. Prior to 1.6.2, this utility may erroneously set unlimited lifetime for this keyring in the kernel.

[Test plan]
===========

1. Create a file share on an SMB server (can be a samba server) with two IP addresses. Make sure that FQDN of the server resolves to one of these addresses.

2. mount the created share on the cifs client using the FQDN for the server. Make sure that the mount point is accessible.

3. Using the ss command on the client, to kill the sockets that connect to the server: sudo ss -K dport :445

4. Now update the DNS entry to make sure that the server FQDN now resolves to the second IP address of the server. Make sure that nslookup on the client now resolves to the new IP address.

5. Repeat step 3 to kill the sockets that connect to server to force re-connection again.

Without the fix, after step 5, with the "ss -t" command, you'll see that the client has reconnected to the old IP address, even when DNS lookups return the new IP.

With the fix (after a reboot of the client machine to make sure that kernel keys are refreshed), you'll see that the client reconnects to the new IP address.

The bug is due to unlimited lifetime set by key.dns_resolver (which is part of keyutils package). As a result, even if IP address for the DNS entries change, the kernel filesystems would continue to use old IP address, due to the cached keys. This issue causes clients to misbehave when Azure Files service endpoints move to a different cluster.

[Where problems could occur]
============================

Address records obtained from getaddrinfo() don't come with any TTL information, even if they're obtained from the DNS, so if someone is relying on this particularly, might face some problem/regression but I don't think they would face that as it would still be highly configurable.

[Other information]
===================

This request is essentially from one of our cloud partners and they're highly affected by this.

Related branches

~utkarsh/ubuntu/+source/keyutils:apply-default-ttl-to-records-bionic
Miriam España Acebal (community): Needs Information
Robie Basak: Needs Information
Chris Newcomer: Pending requested
Canonical Server packageset reviewers: Pending requested
Canonical Server: Pending requested
git-ubuntu import: Pending requested
Diff: 81 lines (+59/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/apply-default-ttl-to-records.patch (+50/-0)
debian/patches/series (+1/-0)
~utkarsh/ubuntu/+source/keyutils:apply-default-ttl-to-records-focal
Utkarsh Gupta: Pending requested
Chris Newcomer: Pending requested
git-ubuntu import: Pending requested
Diff: 553 lines (+531/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/apply-default-ttl-to-records.patch (+522/-0)
debian/patches/series (+1/-0)
~utkarsh/ubuntu/+source/keyutils:apply-default-ttl-to-records-impish
Chris Newcomer: Pending requested
Utkarsh Gupta: Pending requested
git-ubuntu import: Pending requested
Diff: 553 lines (+531/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/apply-default-ttl-to-records.patch (+522/-0)
debian/patches/series (+1/-0)
~utkarsh/ubuntu/+source/keyutils:apply-default-ttl-to-records
Utkarsh Gupta: Pending requested
Chris Newcomer: Pending requested
git-ubuntu import: Pending requested
Diff: 553 lines (+531/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/apply-default-ttl-to-records.patch (+522/-0)
debian/patches/series (+1/-0)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package keyutils - 1.6.1-2ubuntu3

---------------
keyutils (1.6.1-2ubuntu3) jammy; urgency=medium

  * d/p/apply-default-ttl-to-records.patch: Add patch
    to apply default TTL to records obtained from
    getaddrinfo(). (LP: #1962453)

 -- Utkarsh Gupta <email address hidden> Mon, 28 Feb 2022 15:14:45 +0530

Changed in keyutils (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Robie Basak (racb) wrote :

> [Test plan]

Please could you add to the test plan testing to ensure that the new configurable timeout actually works? There's a lot of code being added just to make this configurable, including an entirely new configuration file and extensive by-hand C parsing code. I think we should ensure that this code actually works - otherwise I don't think including it all is justified.

> [Where problems could occur]

Am I right in thinking that it will no longer be possible to set an infinite lifetime, even by configuration? If we can't think of any case where a user would want this then I think it's fine to proceed as-is, but it's worth calling it out as a place where problems might occur.

--

One minor issue that's maybe worth fixing before landing this: the new manpage (including upstream) refers to a different configuration file path than where the code actually looks. Please could you patch to make them match - including in Jammy? Otherwise we rather defeat the point of including the new manpage in this SRU.

Brian Murray (brian-murray)
Changed in keyutils (Ubuntu Impish):
status: New → Incomplete
Changed in keyutils (Ubuntu Focal):
status: New → Incomplete
Revision history for this message
Robie Basak (racb) wrote :

I think we've concluded that we're not going to ship the configuration file parts in the Impish and Focal uploads, so I'll reject them from the queue now. The Bionic queue upload is ready now though.

Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello Utkarsh, or anyone else affected,

Accepted keyutils into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/keyutils/1.5.9-9.2ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in keyutils (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Shyam Prasad (sprasad-msft) wrote :

Thanks for the update, Robie.
I'll let you know how our testing goes with this soon.

Revision history for this message
Shyam Prasad (sprasad-msft) wrote :

Just a quick update.
We've hit some issues during the tests, and we're trying to debug and understand if it's an actual bug, or a setup issue.

I will keep this page updated on the results.

Revision history for this message
Shyam Prasad (sprasad-msft) wrote :

We have validated this fix.
The fix works as expected.
We've also run several xfstests using various SMB mount scenarios to see that nothing regressed.

Revision history for this message
Shyam Prasad (sprasad-msft) wrote :

Utkarsh/Robie,
When can we expect similar backports to Ubuntu 20.04 and newer?

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hi Shyam,

Thank you for testing this out. I'll mark the same.

For 22.04 and 22.10, I was waiting on your tests as your comment #6 had got me worried a bit. I'll start working on the backports now and I'll have some news by the end of the week. TIA.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package keyutils - 1.5.9-9.2ubuntu2.1

---------------
keyutils (1.5.9-9.2ubuntu2.1) bionic; urgency=medium

  * d/p/apply-default-ttl-to-records.patch: Add patch
    to apply default TTL to records obtained from
    getaddrinfo(). (LP: #1962453)

 -- Utkarsh Gupta <email address hidden> Tue, 08 Mar 2022 13:26:12 +0530

Changed in keyutils (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for keyutils has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Shyam Prasad (sprasad-msft) wrote :

Thanks Robie.

Revision history for this message
Shyam Prasad (sprasad-msft) wrote :

Hi Robie,
Any progress on the keyutils backports for 22.04 and 22.10?

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hi Shyam, I am closer to getting this to work on 22.04 (22.10 should be easier once we've sorted out 22.04). I'll be off this week (tomorrow onward!) and will definitely have something for you by the next week. Let me know if you have any questions or concerns. TIA. \o/

Revision history for this message
Shyam Prasad (sprasad-msft) wrote :

Hi Utkarsh,
Is the backport taken for all the above versions as well?

Revision history for this message
Sebastien Bacher (seb128) wrote :

What's the status in 22.04? Wasn't it fixed in https://bugs.launchpad.net/ubuntu/+source/keyutils/1.6.1-2ubuntu3 ? Should we reopen for the current serie?

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hi Seb,

Fixed that. And yes, it's already fixed in Jammy. See the first comment. :)

Changed in keyutils (Ubuntu Jammy):
status: New → Fix Released
Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello Utkarsh, or anyone else affected,

Accepted keyutils into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/keyutils/1.6.1-2ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in keyutils (Ubuntu Impish):
status: Incomplete → Fix Committed
tags: added: verification-needed-impish
Changed in keyutils (Ubuntu Focal):
status: Incomplete → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Robie Basak (racb) wrote :

Hello Utkarsh, or anyone else affected,

Accepted keyutils into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/keyutils/1.6-6ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Shyam Prasad (sprasad-msft) wrote :

Thanks Robie/Utkarsh. I will test out the package in the proposed repositories and update here.

Revision history for this message
Shyam Prasad (sprasad-msft) wrote :

Verified in both focal and impish that the bug is fixed with the keyutils package in the proposed repo.
Also ran some sanity tests to make sure that other functionalities are not affected.
You can mark this as verified.

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hi Shyam,

Thank you for testing this out. Marking the same.

tags: added: verification-done-focal verification-done-impish
removed: verification-needed-focal verification-needed-impish
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package keyutils - 1.6.1-2ubuntu2.1

---------------
keyutils (1.6.1-2ubuntu2.1) impish; urgency=medium

  * d/p/apply-default-ttl-to-records.patch: Add patch
    to apply default TTL to records obtained from
    getaddrinfo(). (LP: #1962453)

 -- Utkarsh Gupta <email address hidden> Fri, 27 May 2022 14:54:36 +0530

Changed in keyutils (Ubuntu Impish):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package keyutils - 1.6-6ubuntu1.1

---------------
keyutils (1.6-6ubuntu1.1) focal; urgency=medium

  * d/p/apply-default-ttl-to-records.patch: Add patch
    to apply default TTL to records obtained from
    getaddrinfo(). (LP: #1962453)

 -- Utkarsh Gupta <email address hidden> Fri, 27 May 2022 14:33:22 +0530

Changed in keyutils (Ubuntu Focal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.