Several cleanups required in security related tests.
In sanity-krb5, in order to get proper access to keyrings, use `su -`
instead of runas so that the process is initialized more completely.
Also fix use of 'lfs flushctx', as some tests do not call it properly.
And in test_8, avoid waiting arbitrarily and change fail_loc to just
sleep once.
In sanity-krb5 and sanity-sec, fix parameters passed to
start_gss_daemons().
Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5
Test-Parameters: testgroup=review-dne-selinux-ssk-part-2
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I4598ae5a7d28afbc39d7cc2d0afd1096d877d03b
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/53012
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
GSS=true
GSS_KRB5=true
+# Overwrite RUNAS command to use su - instead,
+# to initialize the process more completely.
+# This is required to get proper access to keyrings.
+RUNAS="runas_su $(id -n -u $RUNAS_ID)"
+
check_krb_env() {
which klist || skip "Kerberos env not setup"
which kinit || skip "Kerberos env not setup"
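Review bot: The `$(id -n -u $RUNAS_ID)` substitution on the new RUNAS line is unchecked, so if RUNAS_ID is unset or has no passwd entry RUNAS collapses to `runas_su ` and every later `$RUNAS cmd` call would hand the command itself to su as the user name. Resolve the name first and stop when that fails, e.g. `RUNAS_USER=$(id -n -u "$RUNAS_ID") || error "no user for uid $RUNAS_ID"` followed by `RUNAS="runas_su $RUNAS_USER"`. The comment above it could also say that `su -` starts a login shell with a reset environment, so commands run through $RUNAS no longer inherit the test script's variables; whether any caller in this file relies on that is not visible here.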
$RUNAS $LFS flushctx -k -r $MOUNT || error "can't flush context"
echo "destroyed credentials/contexs for $RUNAS_ID"
$RUNAS $CHECKSTAT -p 0666 $file && error "checkstat succeed"
- kill -s 10 $OPPID
+ kill -s 10 $(pgrep -u $USER0 $MULTIOP)
wait $OPPID || error "read file data failed"
echo "read file data OK"
# restart lsvcgssd, expect touch succeed
echo "restart $LSVCGSSD and recovering"
- start_gss_daemons $(comma_list $(mdts_nodes)) "$LSVCGSSD -vvv"
+ start_gss_daemons $(comma_list $(mdts_nodes)) $LSVCGSSD "-vvv"
sleep 5
check_gss_daemon_nodes $(comma_list $(mdts_nodes)) $LSVCGSSD
$RUNAS touch $file2 || error "should not fail now"
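Review bot: `kill -s 10 $(pgrep -u $USER0 $MULTIOP)` on the new line sends nothing when pgrep finds no match: the substitution is empty, kill only prints a usage error, and the following `wait $OPPID` then blocks on a multiop that never receives its signal. pgrep matches the process name rather than the full command line by default, so this happens whenever MULTIOP is set to a path; capturing the result covers both cases, `local pids; pids=$(pgrep -u $USER0 -x "${MULTIOP##*/}") || error "no $MULTIOP running as $USER0"` and then `kill -s USR1 $pids`. Naming the signal (USR1) instead of number 10 also keeps the test portable, since signal numbers differ between architectures. The enclosing test function starts before this hunk.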
mkdir -p $DIR/$tdir
chmod a+w $DIR/$tdir
+ $RUNAS ls $DIR/$tdir
+ $RUNAS keyctl show @u
+ echo Flushing gss ctxs
+ $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT"
+ $RUNAS keyctl show @u
+
$LCTL dk > /dev/null
debugsave
stack_trap debugrestore EXIT
# sleep sometime in ctx handle
do_facet $SINGLEMDS $LCTL set_param fail_val=$req_delay
- #define OBD_FAIL_SEC_CTX_HDL_PAUSE 0x1204
- do_facet $SINGLEMDS $LCTL set_param fail_loc=0x1204
-
- $RUNAS $LFS flushctx -k -r $MOUNT ||
- error "can't flush context on $MOUNT"
- restore_krb5_cred
+ #define OBD_FAIL_SEC_CTX_HDL_PAUSE 0x00001204
+ #define CFS_FAIL_ONCE 0x80000000
+ do_facet $SINGLEMDS $LCTL set_param fail_loc=0x80001204
$RUNAS touch $DIR/$tdir/$tfile &
TOUCHPID=$!
echo "waiting for touch (pid $TOUCHPID) to finish..."
- sleep 30 # give it a chance to really trigger context init rpc
- do_facet $SINGLEMDS $LCTL set_param fail_loc=0
wait $TOUCHPID || error "touch should have succeeded"
+ $RUNAS keyctl show @u
$LCTL dk | grep -i "Early reply #" || error "No early reply"
}
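Review bot: With the `sleep 30` / `fail_loc=0` pair removed, nothing in test_8 clears the MDS fail_loc or the `fail_val=$req_delay` set at the top of the hunk; CFS_FAIL_ONCE only disarms the check after it fires, so if the touch's context handling never reaches OBD_FAIL_SEC_CTX_HDL_PAUSE the setting stays armed for whatever runs next on that MDS (unless the framework resets fail_loc between tests, which is not visible here). Register the reset the same way debugrestore is registered earlier in the hunk, directly after the set_param line: `stack_trap "do_facet $SINGLEMDS $LCTL set_param fail_loc=0 fail_val=0" EXIT`. The `$RUNAS keyctl show @u` calls added in this hunk are debugging output; a comment such as `# dump the user keyring to the log to verify ctx keys were dropped and recreated` would record why they remain in the test.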
stopall
# start gss daemon on mgs node
- combined_mgs_mds || start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv"
+ combined_mgs_mds || start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv"
# start mgs
start mgs $(mgsdevname 1) $MDS_MOUNT_OPTS
error "read before rotation failed"
fi
# store top key identity to ensure rotation has occurred
- SK_IDENTITY_OLD=$(lctl get_param *.*.*srpc* | grep "expire" |
+ SK_IDENTITY_OLD=$(lctl get_param *.*.*srpc* 2>/dev/null | grep "expire"|
head -1 | awk '{print $15}' | cut -c1-8)
do_facet $SINGLEMDS lfs flushctx ||
error "could not run flushctx on $SINGLEMDS"
lfs flushctx || error "could not run flushctx on client"
sleep 5
# verify new key is in place
- SK_IDENTITY_NEW=$(lctl get_param *.*.*srpc* | grep "expire" |
+ SK_IDENTITY_NEW=$(lctl get_param *.*.*srpc* 2>/dev/null | grep "expire"|
head -1 | awk '{print $15}' | cut -c1-8)
if [ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]; then
error "key did not rotate correctly"
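Review bot: The `2>/dev/null` added to both `lctl get_param *.*.*srpc*` pipelines means a failing or empty get_param now yields an empty SK_IDENTITY_OLD or SK_IDENTITY_NEW with no diagnostic, and the unquoted comparison `[ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]` at the end of the hunk then degrades to `[ == <new> ]`, which bash rejects as a unary-operator error and treats as false, so the "key did not rotate correctly" branch is skipped and the test passes without checking rotation. Quote the comparison, `if [ "$SK_IDENTITY_OLD" == "$SK_IDENTITY_NEW" ]; then`, and fail early on an empty value with `[ -n "$SK_IDENTITY_OLD" ] || error "could not read key identity before rotation"` after the first assignment (and the same for NEW). The `awk '{print $15}'` column index is inherited from the old code and depends on the get_param output layout; a short comment naming which field that is would help the next reader.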
# re-start gss daemon on MDS if necessary
if combined_mgs_mds ; then
- start_gss_daemons $mds_HOST "$LSVCGSSD -vvv -s -m -o -z"
+ start_gss_daemons $mds_HOST $LSVCGSSD "-vvv -s -m -o -z"
fi
# re-mount client
# start gss daemon on MGS
if combined_mgs_mds ; then
- start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g -m -o -z"
+ start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g -m -o -z"
else
- start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g"
+ start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g"
fi
# add mgs key type and MGS NIDs in key on MGS
# re-start gss daemon on MDS if necessary
if combined_mgs_mds ; then
- start_gss_daemons $mds_HOST "$LSVCGSSD -vvv -s -m -o -z"
+ start_gss_daemons $mds_HOST $LSVCGSSD "-vvv -s -m -o -z"
fi
# re-mount client
# start gss daemon on MGS
if combined_mgs_mds ; then
- start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g -m -o -z"
+ start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g -m -o -z"
else
- start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g"
+ start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g"
fi
# add mgs key type and MGS NIDs in key on MGS
echo -n $size
}
+runas_su() {
+ local user=$1
+ local cmd=$2
+ shift 2
+ local opts="$*"
+
+ if $VERBOSE; then
+ echo Running as $user: $cmd $opts
+ fi
+ cmd=$(which $cmd)
+ su - $user -c "$cmd $opts"
+}
+
check_gss_daemon_nodes() {
local list=$1
local dname=$2
local node
local ret
+ dname=$(basename "$dname" | awk '{print $1}')
do_nodesv $list "num=\\\$(ps -o cmd -C $dname | grep $dname | wc -l);
if [ \\\"\\\$num\\\" -ne 1 ]; then
echo \\\$num instance of $dname;
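Review bot: `su - $user -c "$cmd $opts"` in the new runas_su flattens the caller's arguments into one string that the target user's login shell re-parses, so an argument containing spaces, globs or quotes (a filename with a space, a quoted script) is split or expanded a second time; and `cmd=$(which $cmd)` is unchecked, so an unknown command leaves cmd empty and the login shell runs `$opts` on its own. Resolve the command with a failure path and pass the arguments with their boundaries preserved: `cmd=$(which "$cmd") || { echo "runas_su: $cmd not found" >&2; return 127; }` and `su - "$user" -c "$(printf '%q ' "$cmd" "$@")"`, which makes `local opts="$*"` unnecessary (the `%q` quoting assumes the user's login shell is bash-compatible; confirm for the test users). A function header in the file's style, stating `$1` is the user name, `$2` the command and the remaining arguments its options, and that the command runs in a fresh login environment, would also help callers.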
local facet=$1
local dname=$2
- num=`do_facet $facet ps -o cmd -C $dname | grep $dname | wc -l`
+ dname=$(basename "$dname" | awk '{print $1}')
+ num=$(do_facet $facet ps -o cmd -C $dname | grep $dname | wc -l)
if [ $num -ne 1 ]; then
echo "$num instance of $dname on $facet"
return 1
if [ "$nodes" ] && [ "$daemon" ] ; then
echo "Starting gss daemon on nodes: $nodes"
do_nodes $nodes "$daemon" "$options" || return 8
- check_gss_daemon_nodes $nodes lsvcgssd || return 9
+ check_gss_daemon_nodes $nodes "$daemon" || return 9
return 0
fi
# check daemons are running
#
nodes=$(comma_list $(mdts_nodes) $(osts_nodes))
- check_gss_daemon_nodes $nodes lsvcgssd || return 5
+ check_gss_daemon_nodes $nodes "$LSVCGSSD" || return 5
}
stop_gss_daemons() {
mkdir $DIR/d0_runas_test
chmod 0755 $DIR
chown $myRUNAS_UID:$myRUNAS_GID $DIR/d0_runas_test
- $myRUNAS -u $myRUNAS_UID -g $myRUNAS_GID touch $DIR/d0_runas_test/f$$ ||
- myRC=$?
+ $myRUNAS touch $DIR/d0_runas_test/f$$ || myRC=$?
rm -rf $DIR/d0_runas_test
return $myRC
}
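Review bot: Dropping `-u $myRUNAS_UID -g $myRUNAS_GID` from the touch means `$myRUNAS` must now switch to the intended uid/gid on its own, while the chown two lines above still uses the uid/gid parameters; if a caller passes a bare runas binary, or a run-as command whose user differs from those parameters, the touch runs as a different identity and the function no longer proves what its name suggests. Worth a header comment on the function (which starts before this hunk) such as `# $3 must be a complete run-as command (e.g. "runas -u UID -g GID" or "runas_su USER") that already selects the identity given in $1/$2`, and possibly a check that `$myRUNAS id -u` prints `$myRUNAS_UID` before the touch.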