3 # Run select tests by setting ONLY, or as arguments to the script.
4 # Skip specific tests by setting EXCEPT.
11 LUSTRE=${LUSTRE:-$(dirname $0)/..}
12 . $LUSTRE/tests/test-framework.sh
17 ALWAYS_EXCEPT="$SANITY_SEC_EXCEPT "
18 # bug number for skipped test:
20 # UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
22 [ "$SLOW" = "no" ] && EXCEPT_SLOW="26"
24 NODEMAP_TESTS=$(seq 7 26)
26 if ! check_versions; then
27 echo "It is NOT necessary to test nodemap under interoperation mode"
28 EXCEPT="$EXCEPT $NODEMAP_TESTS"
# Harness settings shared by the security tests below.
# RUNAS_CMD is the helper the tests invoke with -u/-g (and other flags) to run
# a command under a different uid/gid; the caller may override it.
33 RUNAS_CMD=${RUNAS_CMD:-runas}
35 WTL=${WTL:-"$LUSTRE/tests/write_time_limit"}
# Permission file that the setuid/setgid/setgrp tests write on the MDS node.
38 PERM_CONF=$CONFDIR/perm.conf
# Per-host values so that test objects do not collide between hosts:
# HOSTNAME_CHECKSUM prefixes the nodemap names, and SUBNET_CHECKSUM (always in
# 1..250) is the first octet of the synthetic NID ranges the nodemap tests add.
40 HOSTNAME_CHECKSUM=$(hostname | sum | awk '{ print $1 }')
41 SUBNET_CHECKSUM=$(expr $HOSTNAME_CHECKSUM % 250 + 1)
# Leave quietly (status 0) when either requirement check fails.
43 require_dsh_mds || exit 0
44 require_dsh_ost || exit 0
# CLIENTS is comma-separated; keep it as a space-separated string and as an
# array (built by word splitting, so client names must not contain blanks).
46 clients=${CLIENTS//,/ }
47 num_clients=$(get_node_count ${clients})
48 clients_arr=($clients)
# Diagnostic output only. NOTE(review): the pattern ":<id>:" matches any
# colon-delimited passwd field, so an entry whose gid equals the id is printed
# as well as the one whose uid does.
50 echo "was USER0=$(getent passwd | grep :${ID0:-500}:)"
51 echo "was USER1=$(getent passwd | grep :${ID1:-501}:)"
56 echo "now USER0=$USER0=$ID0:$(id -g $USER0), USER1=$USER1=$ID1:$(id -g $USER1)"
58 if [ "$SLOW" == "yes" ]; then
61 NODEMAP_IPADDR_LIST="1 10 64 128 200 250"
66 NODEMAP_IPADDR_LIST="1 250"
69 NODEMAP_MAX_ID=$((ID0 + NODEMAP_ID_COUNT))
72 skip "need to add user0 ($ID0:$ID0)" && exit 0
75 skip "need to add user1 ($ID1:$ID1)" && exit 0
77 IDBASE=${IDBASE:-60000}
79 # changes to mappings must be reflected in test 23
81 [0]="$((IDBASE+3)):$((IDBASE+0)) $((IDBASE+4)):$((IDBASE+2))"
82 [1]="$((IDBASE+5)):$((IDBASE+1)) $((IDBASE+6)):$((IDBASE+2))"
85 check_and_setup_lustre
90 GSS_REF=$(lsmod | grep ^ptlrpc_gss | awk '{print $3}')
91 if [ ! -z "$GSS_REF" -a "$GSS_REF" != "0" ]; then
93 echo "with GSS support"
96 echo "without GSS support"
99 MDT=$(do_facet $SINGLEMDS lctl get_param -N "mdt.\*MDT0000" |
101 [ -z "$MDT" ] && error "fail to get MDT device" && exit 1
102 do_facet $SINGLEMDS "mkdir -p $CONFDIR"
103 IDENTITY_FLUSH=mdt.$MDT.identity_flush
104 IDENTITY_UPCALL=mdt.$MDT.identity_upcall
113 if ! $RUNAS_CMD -u $user krb5_login.sh; then
114 error "$user login kerberos failed."
118 if ! $RUNAS_CMD -u $user -g $group ls $DIR > /dev/null 2>&1; then
119 $RUNAS_CMD -u $user lfs flushctx -k
120 $RUNAS_CMD -u $user krb5_login.sh
121 if ! $RUNAS_CMD -u$user -g$group ls $DIR > /dev/null 2>&1; then
122 error "init $user $group failed."
128 declare -a identity_old
131 for num in $(seq $MDSCOUNT); do
132 switch_identity $num true || identity_old[$num]=$?
135 if ! $RUNAS_CMD -u $ID0 ls $DIR > /dev/null 2>&1; then
136 sec_login $USER0 $USER0
139 if ! $RUNAS_CMD -u $ID1 ls $DIR > /dev/null 2>&1; then
140 sec_login $USER1 $USER1
145 # run as different user
# Checks that plain uid/gid permission bits are enforced for $ID0 and $ID1.
# Convention used throughout: "cmd || error" means cmd must succeed, while
# "cmd && error" is a negative check, i.e. the access must be denied.
# presumably ID0/ID1 are the uids of USER0/USER1 and USER0 has a group of the
# same name (chgrp below passes $USER0 as a group) - confirm against the setup.
149 chmod 0755 $DIR || error "chmod (1)"
150 rm -rf $DIR/$tdir || error "rm (1)"
151 mkdir -p $DIR/$tdir || error "mkdir (1)"
152 chown $USER0 $DIR/$tdir || error "chown (2)"
153 $RUNAS_CMD -u $ID0 ls $DIR || error "ls (1)"
154 rm -f $DIR/f0 || error "rm (2)"
# $DIR is 0755, so a non-owner must not be able to create a file in it.
155 $RUNAS_CMD -u $ID0 touch $DIR/f0 && error "touch (1)"
# $tdir is owned by USER0: the owner may create files, the other user may not.
156 $RUNAS_CMD -u $ID0 touch $DIR/$tdir/f1 || error "touch (2)"
157 $RUNAS_CMD -u $ID1 touch $DIR/$tdir/f2 && error "touch (3)"
158 touch $DIR/$tdir/f3 || error "touch (4)"
# Second round: ownership moves to root and write access comes only from the
# group bits (0775 with group $USER0), so $ID0 is allowed and $ID1 is denied.
159 chown root $DIR/$tdir || error "chown (3)"
160 chgrp $USER0 $DIR/$tdir || error "chgrp (1)"
161 chmod 0775 $DIR/$tdir || error "chmod (2)"
162 $RUNAS_CMD -u $ID0 touch $DIR/$tdir/f4 || error "touch (5)"
163 $RUNAS_CMD -u $ID1 touch $DIR/$tdir/f5 && error "touch (6)"
164 touch $DIR/$tdir/f6 || error "touch (7)"
165 rm -rf $DIR/$tdir || error "rm (3)"
167 run_test 0 "uid permission ============================="
# Checks that acting under another effective uid/gid is refused until
# perm.conf on the MDS grants it to $ID1, and is accepted once granted.
# runas flags as used here: -u/-g select the uid/gid, -v/-j the effective
# uid/gid (per the Lustre runas helper - confirm if RUNAS_CMD is overridden).
# The test is skipped when GSS_SUP is 0.
171 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
174 mkdir_on_mdt0 $DIR/$tdir
176 chown $USER0 $DIR/$tdir || error "chown (1)"
# No grant yet: $ID1 with effective uid $ID0 must not be able to create a file.
177 $RUNAS_CMD -u $ID1 -v $ID0 touch $DIR/$tdir/f0 && error "touch (2)"
178 echo "enable uid $ID1 setuid"
# Append a setuid grant for uid $ID1. The leading '*' is presumably the NID
# field, so the grant applies from any client - confirm against perm.conf docs.
179 do_facet $SINGLEMDS "echo '* $ID1 setuid' >> $PERM_CONF"
# Writing -1 to identity_flush presumably drops all cached identities on the
# MDT so that the changed perm.conf takes effect - TODO confirm.
180 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
181 $RUNAS_CMD -u $ID1 -v $ID0 touch $DIR/$tdir/f1 || error "touch (3)"
# Directory becomes root:$USER0 with mode 0770, so access now depends on gid.
183 chown root $DIR/$tdir || error "chown (4)"
184 chgrp $USER0 $DIR/$tdir || error "chgrp (5)"
185 chmod 0770 $DIR/$tdir || error "chmod (6)"
# Only setuid is granted so far: neither the own gid nor an effective gid of
# $ID0 may give $ID1 access.
186 $RUNAS_CMD -u $ID1 -g $ID1 touch $DIR/$tdir/f2 && error "touch (7)"
187 $RUNAS_CMD -u$ID1 -g$ID1 -j$ID0 touch $DIR/$tdir/f3 && error "touch (8)"
188 echo "enable uid $ID1 setuid,setgid"
# '>' replaces the file here, whereas the first grant above used '>>'.
189 do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF"
190 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
# With setuid,setgid granted both commands are expected to succeed; their
# error branches are on lines that this excerpt does not show. The last two
# lines remove perm.conf and flush again so the grants do not outlive the test.
191 $RUNAS_CMD -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f4 ||
193 $RUNAS_CMD -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/$tdir/f5 ||
198 do_facet $SINGLEMDS "rm -f $PERM_CONF"
199 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
201 run_test 1 "setuid/gid ============================="
203 # bug 3285 - supplementary group should always succeed.
204 # NB: the supplementary groups are set for local client only,
205 # as for remote client, the groups of the specified uid on MDT
206 # will be obtained by upcall /sbin/l_getidentity and used.
# Runs only against an MDS at 2.6.93 or later, or on the 2.5 branch from
# 2.5.35 up to (not including) 2.5.50; otherwise the test is skipped.
208 [[ "$MDS1_VERSION" -ge $(version_code 2.6.93) ]] ||
209 [[ "$MDS1_VERSION" -ge $(version_code 2.5.35) &&
210 "$MDS1_VERSION" -lt $(version_code 2.5.50) ]] ||
211 skip "Need MDS version at least 2.6.93 or 2.5.35"
# Mode 0771 with group $ID0: group members may list the directory, everyone
# else has search permission only, so 'ls' tells the two cases apart.
215 chmod 0771 $DIR/$tdir
216 chgrp $ID0 $DIR/$tdir
217 $RUNAS_CMD -u $ID0 ls $DIR/$tdir || error "setgroups (1)"
# Grant uid $ID1 the setgrp permission (presumably for any NID, given the '*')
# and flush cached identities so that the MDT picks the grant up.
218 do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
219 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
# With $ID0 among the supplementary groups passed via -G the listing must work
220 $RUNAS_CMD -u $ID1 -G1,2,$ID0 ls $DIR/$tdir ||
221 error "setgroups (2)"
# and without it the listing must be denied.
222 $RUNAS_CMD -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)"
# Remove the grant and flush again so it does not carry over to later tests.
225 do_facet $SINGLEMDS "rm -f $PERM_CONF"
226 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
228 run_test 4 "set supplementary group ==============="
234 squash_id default 99 0
235 wait_nm_sync default squash_uid '' inactive
236 squash_id default 99 1
237 wait_nm_sync default squash_gid '' inactive
238 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
239 local csum=${HOSTNAME_CHECKSUM}_${i}
241 do_facet mgs $LCTL nodemap_add $csum
243 if [ $rc -ne 0 ]; then
244 echo "nodemap_add $csum failed with $rc"
248 wait_update_facet --verbose mgs \
249 "$LCTL get_param nodemap.$csum.id 2>/dev/null | \
250 grep -c $csum || true" 1 30 ||
253 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
254 local csum=${HOSTNAME_CHECKSUM}_${i}
256 wait_nm_sync $csum id '' inactive
264 for ((i = 0; i < NODEMAP_COUNT; i++)); do
265 local csum=${HOSTNAME_CHECKSUM}_${i}
267 if ! do_facet mgs $LCTL nodemap_del $csum; then
268 error "nodemap_del $csum failed with $?"
272 wait_update_facet --verbose mgs \
273 "$LCTL get_param nodemap.$csum.id 2>/dev/null | \
274 grep -c $csum || true" 0 30 ||
277 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
278 local csum=${HOSTNAME_CHECKSUM}_${i}
280 wait_nm_sync $csum id '' inactive
287 local cmd="$LCTL nodemap_add_range"
291 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
292 range="$SUBNET_CHECKSUM.${2}.${j}.[1-253]@tcp"
293 if ! do_facet mgs $cmd --name $1 --range $range; then
302 local cmd="$LCTL nodemap_del_range"
306 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
307 range="$SUBNET_CHECKSUM.${2}.${j}.[1-253]@tcp"
308 if ! do_facet mgs $cmd --name $1 --range $range; then
318 local cmd="$LCTL nodemap_add_idmap"
322 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || do_proj=false
324 echo "Start to add idmaps ..."
325 for ((i = 0; i < NODEMAP_COUNT; i++)); do
328 for ((j = $ID0; j < NODEMAP_MAX_ID; j++)); do
329 local csum=${HOSTNAME_CHECKSUM}_${i}
331 local fs_id=$((j + 1))
333 if ! do_facet mgs $cmd --name $csum --idtype uid \
334 --idmap $client_id:$fs_id; then
337 if ! do_facet mgs $cmd --name $csum --idtype gid \
338 --idmap $client_id:$fs_id; then
342 if ! do_facet mgs $cmd --name $csum \
343 --idtype projid --idmap \
344 $client_id:$fs_id; then
354 update_idmaps() { #LU-10040
355 [ "$MGS_VERSION" -lt $(version_code 2.10.55) ] &&
356 skip "Need MGS >= 2.10.55"
358 local csum=${HOSTNAME_CHECKSUM}_0
359 local old_id_client=$ID0
360 local old_id_fs=$((ID0 + 1))
361 local new_id=$((ID0 + 100))
368 echo "Start to update idmaps ..."
370 # Inserting an idmap that already exists should return an error
371 cmd="$LCTL nodemap_add_idmap --name $csum --idtype uid"
373 $cmd --idmap $old_id_client:$old_id_fs 2>/dev/null; then
374 error "insert idmap {$old_id_client:$old_id_fs} " \
375 "should return error"
380 #Update id_fs and check it
381 if ! do_facet mgs $cmd --idmap $old_id_client:$new_id; then
382 error "$cmd --idmap $old_id_client:$new_id failed"
386 tmp_id=$(do_facet mgs $LCTL get_param -n nodemap.$csum.idmap |
387 awk '{ print $7 }' | sed -n '2p')
388 [ $tmp_id != $new_id ] && { error "new id_fs $tmp_id != $new_id"; \
389 rc=$((rc + 1)); return $rc; }
391 #Update id_client and check it
392 if ! do_facet mgs $cmd --idmap $new_id:$new_id; then
393 error "$cmd --idmap $new_id:$new_id failed"
397 tmp_id=$(do_facet mgs $LCTL get_param -n nodemap.$csum.idmap |
398 awk '{ print $5 }' | sed -n "$((NODEMAP_ID_COUNT + 1)) p")
399 tmp_id=$(echo ${tmp_id%,*}) #e.g. "501,"->"501"
400 [ $tmp_id != $new_id ] && { error "new id_client $tmp_id != $new_id"; \
401 rc=$((rc + 1)); return $rc; }
403 #Delete above updated idmap
404 cmd="$LCTL nodemap_del_idmap --name $csum --idtype uid"
405 if ! do_facet mgs $cmd --idmap $new_id:$new_id; then
406 error "$cmd --idmap $new_id:$new_id failed"
411 #restore the idmaps to make delete_idmaps work well
412 cmd="$LCTL nodemap_add_idmap --name $csum --idtype uid"
413 if ! do_facet mgs $cmd --idmap $old_id_client:$old_id_fs; then
414 error "$cmd --idmap $old_id_client:$old_id_fs failed"
424 local cmd="$LCTL nodemap_del_idmap"
428 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || do_proj=false
430 echo "Start to delete idmaps ..."
431 for ((i = 0; i < NODEMAP_COUNT; i++)); do
434 for ((j = $ID0; j < NODEMAP_MAX_ID; j++)); do
435 local csum=${HOSTNAME_CHECKSUM}_${i}
437 local fs_id=$((j + 1))
439 if ! do_facet mgs $cmd --name $csum --idtype uid \
440 --idmap $client_id:$fs_id; then
443 if ! do_facet mgs $cmd --name $csum --idtype gid \
444 --idmap $client_id:$fs_id; then
448 if ! do_facet mgs $cmd --name $csum \
449 --idtype projid --idmap \
450 $client_id:$fs_id; then
464 local cmd="$LCTL nodemap_modify"
467 proc[0]="admin_nodemap"
468 proc[1]="trusted_nodemap"
472 for ((idx = 0; idx < 2; idx++)); do
473 if ! do_facet mgs $cmd --name $1 --property ${option[$idx]} \
478 if ! do_facet mgs $cmd --name $1 --property ${option[$idx]} \
488 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
489 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
493 cmd[0]="$LCTL nodemap_modify --property squash_uid"
494 cmd[1]="$LCTL nodemap_modify --property squash_gid"
495 cmd[2]="$LCTL nodemap_modify --property squash_projid"
497 if ! do_facet mgs ${cmd[$3]} --name $1 --value $2; then
502 # ensure that the squash defaults are the expected defaults
503 squash_id default 99 0
504 wait_nm_sync default squash_uid '' inactive
505 squash_id default 99 1
506 wait_nm_sync default squash_gid '' inactive
507 if [ "$MDS1_VERSION" -ge $(version_code 2.14.50) ]; then
508 squash_id default 99 2
509 wait_nm_sync default squash_projid '' inactive
515 cmd="$LCTL nodemap_test_nid"
517 nid=$(do_facet mgs $cmd $1)
519 if [ $nid == $2 ]; then
527 # restore activation state
528 do_facet mgs $LCTL nodemap_activate 0
534 local cmd="$LCTL nodemap_test_id"
537 echo "Start to test idmaps ..."
538 ## nodemap deactivated
539 if ! do_facet mgs $LCTL nodemap_activate 0; then
542 for ((id = $ID0; id < NODEMAP_MAX_ID; id++)); do
545 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
546 local nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
547 local fs_id=$(do_facet mgs $cmd --nid $nid \
548 --idtype uid --id $id)
549 if [ $fs_id != $id ]; then
550 echo "expected $id, got $fs_id"
557 if ! do_facet mgs $LCTL nodemap_activate 1; then
561 for ((id = $ID0; id < NODEMAP_MAX_ID; id++)); do
562 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
563 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
564 fs_id=$(do_facet mgs $cmd --nid $nid \
565 --idtype uid --id $id)
566 expected_id=$((id + 1))
567 if [ $fs_id != $expected_id ]; then
568 echo "expected $expected_id, got $fs_id"
575 for ((i = 0; i < NODEMAP_COUNT; i++)); do
576 local csum=${HOSTNAME_CHECKSUM}_${i}
578 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
579 --property trusted --value 1; then
580 error "nodemap_modify $csum failed with $?"
585 for ((id = $ID0; id < NODEMAP_MAX_ID; id++)); do
586 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
587 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
588 fs_id=$(do_facet mgs $cmd --nid $nid \
589 --idtype uid --id $id)
590 if [ $fs_id != $id ]; then
591 echo "expected $id, got $fs_id"
597 ## ensure allow_root_access is enabled
598 for ((i = 0; i < NODEMAP_COUNT; i++)); do
599 local csum=${HOSTNAME_CHECKSUM}_${i}
601 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
602 --property admin --value 1; then
603 error "nodemap_modify $csum failed with $?"
608 ## check that root allowed
609 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
610 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
611 fs_id=$(do_facet mgs $cmd --nid $nid --idtype uid --id 0)
612 if [ $fs_id != 0 ]; then
613 echo "root allowed expected 0, got $fs_id"
618 ## ensure allow_root_access is disabled
619 for ((i = 0; i < NODEMAP_COUNT; i++)); do
620 local csum=${HOSTNAME_CHECKSUM}_${i}
622 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
623 --property admin --value 0; then
624 error "nodemap_modify ${HOSTNAME_CHECKSUM}_${i} "
630 ## check that root is mapped to 99
631 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
632 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
633 fs_id=$(do_facet mgs $cmd --nid $nid --idtype uid --id 0)
634 if [ $fs_id != 99 ]; then
635 error "root squash expected 99, got $fs_id"
640 ## reset client trust to 0
641 for ((i = 0; i < NODEMAP_COUNT; i++)); do
642 if ! do_facet mgs $LCTL nodemap_modify \
643 --name ${HOSTNAME_CHECKSUM}_${i} \
644 --property trusted --value 0; then
645 error "nodemap_modify ${HOSTNAME_CHECKSUM}_${i} "
657 remote_mgs_nodsh && skip "remote MGS with nodsh"
658 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
659 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
663 [[ $rc != 0 ]] && error "nodemap_add failed with $rc"
667 [[ $rc != 0 ]] && error "nodemap_del failed with $rc"
671 run_test 7 "nodemap create and delete"
676 remote_mgs_nodsh && skip "remote MGS with nodsh"
677 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
678 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
684 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
690 [[ $rc == 0 ]] && error "duplicate nodemap_add allowed with $rc" &&
696 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 3
700 run_test 8 "nodemap reject duplicates"
706 remote_mgs_nodsh && skip "remote MGS with nodsh"
707 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
708 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
713 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
716 for ((i = 0; i < NODEMAP_COUNT; i++)); do
717 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
721 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
724 for ((i = 0; i < NODEMAP_COUNT; i++)); do
725 if ! delete_range ${HOSTNAME_CHECKSUM}_${i} $i; then
729 [[ $rc != 0 ]] && error "nodemap_del_range failed with $rc" && return 4
734 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
738 run_test 9 "nodemap range add"
743 remote_mgs_nodsh && skip "remote MGS with nodsh"
744 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
745 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
750 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
753 for ((i = 0; i < NODEMAP_COUNT; i++)); do
754 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
758 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
761 for ((i = 0; i < NODEMAP_COUNT; i++)); do
762 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
766 [[ $rc == 0 ]] && error "nodemap_add_range duplicate add with $rc" &&
771 for ((i = 0; i < NODEMAP_COUNT; i++)); do
772 if ! delete_range ${HOSTNAME_CHECKSUM}_${i} $i; then
776 [[ $rc != 0 ]] && error "nodemap_del_range failed with $rc" && return 4
780 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 5
784 run_test 10a "nodemap reject duplicate ranges"
# Checks that a NID range can only be removed through the nodemap it was
# added to: the range is added to $nm1, a delete through $nm2 must fail, and
# the range must still be listed under $nm1 afterwards.
# $nm1 and $nm2 are assigned on lines that this excerpt does not show.
787 [ "$MGS_VERSION" -lt $(version_code 2.10.53) ] &&
788 skip "Need MGS >= 2.10.53"
792 local nids="192.168.19.[0-255]@o2ib20"
# Best-effort removal of leftovers from an earlier run; the exit status is
# ignored and stderr is discarded.
794 do_facet mgs $LCTL nodemap_del $nm1 2>/dev/null
795 do_facet mgs $LCTL nodemap_del $nm2 2>/dev/null
797 do_facet mgs $LCTL nodemap_add $nm1 || error "Add $nm1 failed"
798 do_facet mgs $LCTL nodemap_add $nm2 || error "Add $nm2 failed"
799 do_facet mgs $LCTL nodemap_add_range --name $nm1 --range $nids ||
800 error "Add range $nids to $nm1 failed"
# A start_nid line in the nodemap's parameters is taken as proof that the
# range is registered.
801 [ -n "$(do_facet mgs $LCTL get_param nodemap.$nm1.* |
802 grep start_nid)" ] || error "No range was found"
# Negative check: the delete names the wrong nodemap and has to be rejected.
803 do_facet mgs $LCTL nodemap_del_range --name $nm2 --range $nids &&
804 error "Deleting range $nids from $nm2 should fail"
805 [ -n "$(do_facet mgs $LCTL get_param nodemap.$nm1.* |
806 grep start_nid)" ] || error "Range $nids should be there"
808 do_facet mgs $LCTL nodemap_del $nm1 || error "Delete $nm1 failed"
809 do_facet mgs $LCTL nodemap_del $nm2 || error "Delete $nm2 failed"
812 run_test 10b "delete range from the correct nodemap"
# Regression test for LU-8912: a range with a bracketed span in the third
# octet is expected to be reported as one contiguous start_nid..end_nid pair.
814 test_10c() { #LU-8912
815 [ "$MGS_VERSION" -lt $(version_code 2.10.57) ] &&
816 skip "Need MGS >= 2.10.57"
818 local nm="nodemap_lu8912"
819 local nid_range="10.210.[32-47].[0-255]@o2ib3"
# First and last address that the bracket expression above covers.
820 local start_nid="10.210.32.0@o2ib3"
821 local end_nid="10.210.47.255@o2ib3"
822 local start_nid_found
# Best-effort removal of a leftover nodemap; status ignored, stderr discarded.
825 do_facet mgs $LCTL nodemap_del $nm 2>/dev/null
826 do_facet mgs $LCTL nodemap_add $nm || error "Add $nm failed"
827 do_facet mgs $LCTL nodemap_add_range --name $nm --range $nid_range ||
828 error "Add range $nid_range to $nm failed"
# The awk field numbers ($9, $13) depend on the get_param output layout once
# it is split on ',', ':' and ' '; they need updating if that layout changes.
# NOTE(review): "nodemap.$nm.*" is unquoted, so the local shell would expand
# it first if a matching file name existed in the working directory.
830 start_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
831 awk -F '[,: ]' /start_nid/'{ print $9 }')
832 [ "$start_nid" == "$start_nid_found" ] ||
833 error "start_nid: $start_nid_found != $start_nid"
834 end_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
835 awk -F '[,: ]' /end_nid/'{ print $13 }')
836 [ "$end_nid" == "$end_nid_found" ] ||
837 error "end_nid: $end_nid_found != $end_nid"
839 do_facet mgs $LCTL nodemap_del $nm || error "Delete $nm failed"
842 run_test 10c "verfify contiguous range support"
# Regression test for LU-8913: the wildcard range form '*@<net>' is expected
# to be stored as the full span 0.0.0.0 .. 255.255.255.255 on that network.
# A range like this places every NID of the network in the nodemap, so the
# nodemap's properties then presumably apply to all clients on it.
844 test_10d() { #LU-8913
845 [ "$MGS_VERSION" -lt $(version_code 2.10.59) ] &&
846 skip "Need MGS >= 2.10.59"
848 local nm="nodemap_lu8913"
849 local nid_range="*@o2ib3"
850 local start_nid="0.0.0.0@o2ib3"
851 local end_nid="255.255.255.255@o2ib3"
852 local start_nid_found
# Best-effort removal of a leftover nodemap; status ignored, stderr discarded.
855 do_facet mgs $LCTL nodemap_del $nm 2>/dev/null
856 do_facet mgs $LCTL nodemap_add $nm || error "Add $nm failed"
# NOTE(review): $nid_range is expanded unquoted and begins with '*', so the
# local shell applies pathname expansion before do_facet sees it; a file
# ending in "@o2ib3" in the working directory would replace the range.
857 do_facet mgs $LCTL nodemap_add_range --name $nm --range $nid_range ||
858 error "Add range $nid_range to $nm failed"
# The awk field numbers ($9, $13) depend on the get_param output layout once
# it is split on ',', ':' and ' '.
860 start_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
861 awk -F '[,: ]' /start_nid/'{ print $9 }')
862 [ "$start_nid" == "$start_nid_found" ] ||
863 error "start_nid: $start_nid_found != $start_nid"
864 end_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
865 awk -F '[,: ]' /end_nid/'{ print $13 }')
866 [ "$end_nid" == "$end_nid_found" ] ||
867 error "end_nid: $end_nid_found != $end_nid"
869 do_facet mgs $LCTL nodemap_del $nm || error "Delete $nm failed"
872 run_test 10d "verfify nodemap range format '*@<net>' support"
877 remote_mgs_nodsh && skip "remote MGS with nodsh"
878 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
879 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
884 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
887 for ((i = 0; i < NODEMAP_COUNT; i++)); do
888 if ! modify_flags ${HOSTNAME_CHECKSUM}_${i}; then
892 [[ $rc != 0 ]] && error "nodemap_modify with $rc" && return 2
897 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 3
901 run_test 11 "nodemap modify"
906 remote_mgs_nodsh && skip "remote MGS with nodsh"
907 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
908 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
913 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
916 for ((i = 0; i < NODEMAP_COUNT; i++)); do
917 if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 0; then
921 [[ $rc != 0 ]] && error "nodemap squash_uid with $rc" && return 2
924 for ((i = 0; i < NODEMAP_COUNT; i++)); do
925 if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 1; then
929 [[ $rc != 0 ]] && error "nodemap squash_gid with $rc" && return 3
932 if (( $MDS1_VERSION >= $(version_code 2.14.52) )); then
933 for ((i = 0; i < NODEMAP_COUNT; i++)); do
934 if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 2; then
939 [[ $rc != 0 ]] && error "nodemap squash_projid with $rc" && return 5
944 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
948 run_test 12 "nodemap set squash ids"
953 remote_mgs_nodsh && skip "remote MGS with nodsh"
954 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
955 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
960 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
963 for ((i = 0; i < NODEMAP_COUNT; i++)); do
964 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
968 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
971 for ((i = 0; i < NODEMAP_COUNT; i++)); do
972 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
973 for k in $NODEMAP_IPADDR_LIST; do
974 if ! test_nid $SUBNET_CHECKSUM.$i.$j.$k \
975 ${HOSTNAME_CHECKSUM}_${i}; then
981 [[ $rc != 0 ]] && error "nodemap_test_nid failed with $rc" && return 3
986 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
990 run_test 13 "test nids"
995 remote_mgs_nodsh && skip "remote MGS with nodsh"
996 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
997 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1002 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1005 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1006 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
1007 for k in $NODEMAP_IPADDR_LIST; do
1008 if ! test_nid $SUBNET_CHECKSUM.$i.$j.$k \
1015 [[ $rc != 0 ]] && error "nodemap_test_nid failed with $rc" && return 3
1020 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
1024 run_test 14 "test default nodemap nid lookup"
1029 remote_mgs_nodsh && skip "remote MGS with nodsh"
1030 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1031 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1036 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1038 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
1039 local csum=${HOSTNAME_CHECKSUM}_${i}
1041 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
1042 --property admin --value 0; then
1045 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
1046 --property trusted --value 0; then
1050 [[ $rc != 0 ]] && error "nodemap_modify failed with $rc" && return 1
1053 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1054 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
1058 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
1063 [[ $rc != 0 ]] && error "nodemap_add_idmap failed with $rc" && return 3
1065 activedefault=$(do_facet mgs $LCTL get_param -n nodemap.active)
1066 if [[ "$activedefault" != "1" ]]; then
1067 stack_trap cleanup_active EXIT
1073 [[ $rc != 0 ]] && error "nodemap_test_id failed with $rc" && return 4
1078 [[ $rc != 0 ]] && error "update_idmaps failed with $rc" && return 5
1083 [[ $rc != 0 ]] && error "nodemap_del_idmap failed with $rc" && return 6
1088 [[ $rc != 0 ]] && error "nodemap_delete failed with $rc" && return 7
1092 run_test 15 "test id mapping"
1094 create_fops_nodemaps() {
1097 for client in $clients; do
1098 local client_ip=$(host_nids_address $client $NETTYPE)
1099 local client_nid=$(h2nettype $client_ip)
1100 do_facet mgs $LCTL nodemap_add c${i} || return 1
1101 do_facet mgs $LCTL nodemap_add_range \
1102 --name c${i} --range $client_nid || return 1
1103 for map in ${FOPS_IDMAPS[i]}; do
1104 do_facet mgs $LCTL nodemap_add_idmap --name c${i} \
1105 --idtype uid --idmap ${map} || return 1
1106 do_facet mgs $LCTL nodemap_add_idmap --name c${i} \
1107 --idtype gid --idmap ${map} || return 1
1110 wait_nm_sync c$i idmap
1117 delete_fops_nodemaps() {
1120 for client in $clients; do
1121 do_facet mgs $LCTL nodemap_del c${i} || return 1
1129 if [ $MDSCOUNT -le 1 ]; then
1130 do_node ${clients_arr[0]} mkdir -p $DIR/$tdir
1132 # round-robin MDTs to test DNE nodemap support
1133 [ ! -d $DIR ] && do_node ${clients_arr[0]} mkdir -p $DIR
1134 do_node ${clients_arr[0]} $LFS setdirstripe -c 1 -i \
1135 $((fops_mds_index % MDSCOUNT)) $DIR/$tdir
1136 ((fops_mds_index++))
1140 # acl test directory needs to be initialized on a privileged client
# Saves the admin and trusted flags of nodemap c0, raises both to 1 so that
# the first client can recreate and chown the test directory, then writes the
# saved values back and waits for the change to propagate.
# NOTE(review): no restore-on-failure handler is visible in this excerpt; if
# a step between the two nodemap_modify pairs aborts the test, c0 is left with
# admin=1 and trusted=1.
# $user is set on a line that this excerpt does not show.
1142 local admin=$(do_facet mgs $LCTL get_param -n nodemap.c0.admin_nodemap)
1143 local trust=$(do_facet mgs $LCTL get_param -n \
1144 nodemap.c0.trusted_nodemap)
# Temporary elevation of c0.
1146 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1147 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
1149 wait_nm_sync c0 admin_nodemap
1150 wait_nm_sync c0 trusted_nodemap
1152 do_node ${clients_arr[0]} rm -rf $DIR/$tdir
1154 do_node ${clients_arr[0]} chown $user $DIR/$tdir
# Put the flags back to the values read at the top.
1156 do_facet mgs $LCTL nodemap_modify --name c0 \
1157 --property admin --value $admin
1158 do_facet mgs $LCTL nodemap_modify --name c0 \
1159 --property trusted --value $trust
1161 # flush MDT locks to make sure they are reacquired before test
1162 do_node ${clients_arr[0]} $LCTL set_param \
1163 ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
1165 wait_nm_sync c0 admin_nodemap
1166 wait_nm_sync c0 trusted_nodemap
1169 # fileset test directory needs to be initialized on a privileged client
1170 fileset_test_setup() {
1173 if [ -n "$FILESET" -a -z "$SKIP_FILESET" ]; then
1174 cleanup_mount $MOUNT
1175 FILESET="" zconf_mount_clients $CLIENTS $MOUNT
1178 local admin=$(do_facet mgs $LCTL get_param -n \
1179 nodemap.${nm}.admin_nodemap)
1180 local trust=$(do_facet mgs $LCTL get_param -n \
1181 nodemap.${nm}.trusted_nodemap)
1183 do_facet mgs $LCTL nodemap_modify --name $nm --property admin --value 1
1184 do_facet mgs $LCTL nodemap_modify --name $nm --property trusted \
1187 wait_nm_sync $nm admin_nodemap
1188 wait_nm_sync $nm trusted_nodemap
1190 # create directory and populate it for subdir mount
1191 do_node ${clients_arr[0]} mkdir $MOUNT/$subdir ||
1192 error "unable to create dir $MOUNT/$subdir"
1193 do_node ${clients_arr[0]} touch $MOUNT/$subdir/this_is_$subdir ||
1194 error "unable to create file $MOUNT/$subdir/this_is_$subdir"
1195 do_node ${clients_arr[0]} mkdir $MOUNT/$subdir/$subsubdir ||
1196 error "unable to create dir $MOUNT/$subdir/$subsubdir"
1197 do_node ${clients_arr[0]} touch \
1198 $MOUNT/$subdir/$subsubdir/this_is_$subsubdir ||
1199 error "unable to create file \
1200 $MOUNT/$subdir/$subsubdir/this_is_$subsubdir"
1202 do_facet mgs $LCTL nodemap_modify --name $nm \
1203 --property admin --value $admin
1204 do_facet mgs $LCTL nodemap_modify --name $nm \
1205 --property trusted --value $trust
1207 # flush MDT locks to make sure they are reacquired before test
1208 do_node ${clients_arr[0]} $LCTL set_param \
1209 ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
1211 wait_nm_sync $nm admin_nodemap
1212 wait_nm_sync $nm trusted_nodemap
1215 # fileset test directory needs to be cleaned up on a privileged client
1216 fileset_test_cleanup() {
1218 local admin=$(do_facet mgs $LCTL get_param -n \
1219 nodemap.${nm}.admin_nodemap)
1220 local trust=$(do_facet mgs $LCTL get_param -n \
1221 nodemap.${nm}.trusted_nodemap)
1223 do_facet mgs $LCTL nodemap_modify --name $nm --property admin --value 1
1224 do_facet mgs $LCTL nodemap_modify --name $nm --property trusted \
1227 wait_nm_sync $nm admin_nodemap
1228 wait_nm_sync $nm trusted_nodemap
1230 # cleanup directory created for subdir mount
1231 do_node ${clients_arr[0]} rm -rf $MOUNT/$subdir ||
1232 error "unable to remove dir $MOUNT/$subdir"
1234 do_facet mgs $LCTL nodemap_modify --name $nm \
1235 --property admin --value $admin
1236 do_facet mgs $LCTL nodemap_modify --name $nm \
1237 --property trusted --value $trust
1239 # flush MDT locks to make sure they are reacquired before test
1240 do_node ${clients_arr[0]} $LCTL set_param \
1241 ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
1243 wait_nm_sync $nm admin_nodemap
1244 wait_nm_sync $nm trusted_nodemap
1245 if [ -n "$FILESET" -a -z "$SKIP_FILESET" ]; then
1246 cleanup_mount $MOUNT
1247 zconf_mount_clients $CLIENTS $MOUNT
1251 do_create_delete() {
1254 local testfile=$DIR/$tdir/$tfile
1258 if $run_u touch $testfile >& /dev/null; then
1260 $run_u rm $testfile && d=1
1264 local expected=$(get_cr_del_expected $key)
1265 [ "$res" != "$expected" ] &&
1266 error "test $key, wanted $expected, got $res" && rc=$((rc + 1))
1270 nodemap_check_quota() {
1272 $run_u lfs quota -q $DIR | awk '{ print $2; exit; }'
# Checks quota accounting for the identity behind $run_u: usage has to rise
# by roughly 1M after a synchronous 1M write and return to the starting value
# once the file is removed, each within +/- quota_fuzz.
# $run_u is set on a line that this excerpt does not show (presumably from $1).
1275 do_fops_quota_test() {
1277 # fuzz quota used to account for possible indirect blocks, etc
1278 local quota_fuzz=$(fs_log_size)
1279 local qused_orig=$(nodemap_check_quota "$run_u")
1280 local qused_high=$((qused_orig + quota_fuzz))
1281 local qused_low=$((qused_orig - quota_fuzz))
1282 local testfile=$DIR/$tdir/$tfile
1283 $run_u dd if=/dev/zero of=$testfile oflag=sync bs=1M count=1 \
1284 >& /dev/null || error "unable to write quota test file"
1285 sync; sync_all_data || true
# The 1024 added to both bounds stands for the 1M just written
# (assumes usage is reported in KiB - TODO confirm).
1287 local qused_new=$(nodemap_check_quota "$run_u")
1288 [ $((qused_new)) -lt $((qused_low + 1024)) -o \
1289 $((qused_new)) -gt $((qused_high + 1024)) ] &&
1290 error "$qused_new != $qused_orig + 1M after write, " \
1291 "fuzz is $quota_fuzz"
1292 $run_u rm $testfile || error "unable to remove quota test file"
1293 wait_delete_completed_mds
# After the delete has completed the usage must be back inside the original
# window, otherwise the space was not credited back to the user.
1295 qused_new=$(nodemap_check_quota "$run_u")
1296 [ $((qused_new)) -lt $((qused_low)) \
1297 -o $((qused_new)) -gt $((qused_high)) ] &&
1298 error "quota not reclaimed, expect $qused_orig, " \
1299 "got $qused_new, fuzz $quota_fuzz"
1302 get_fops_mapped_user() {
1305 for ((i=0; i < ${#FOPS_IDMAPS[@]}; i++)); do
1306 for map in ${FOPS_IDMAPS[i]}; do
1307 if [ $(cut -d: -f1 <<< "$map") == $cli_user ]; then
1308 cut -d: -f2 <<< "$map"
1316 get_cr_del_expected() {
1318 IFS=":" read -a key <<< "$1"
1319 local mapmode="${key[0]}"
1320 local mds_user="${key[1]}"
1321 local cluster="${key[2]}"
1322 local cli_user="${key[3]}"
1323 local mode="0${key[4]}"
1330 [[ $mapmode == *mapped* ]] && mapped=1
1331 # only c1 is mapped in these test cases
1332 [[ $mapmode == mapped_trusted* ]] && [ "$cluster" == "c0" ] && mapped=0
1333 [[ $mapmode == *noadmin* ]] && noadmin=1
1335 # o+wx works as long as the user isn't mapped
1336 if [ $((mode & 3)) -eq 3 ]; then
1340 # if client user is root, check if root is squashed
1341 if [ "$cli_user" == "0" ]; then
1342 # a squashed root succeeds if the 'other' bit is on
1345 1) [ "$other" == "1" ] && echo $SUCCESS
1346 [ "$other" == "0" ] && echo $FAILURE;;
1350 if [ "$mapped" == "0" ]; then
1351 [ "$other" == "1" ] && echo $SUCCESS
1352 [ "$other" == "0" ] && echo $FAILURE
1356 # if mapped user is mds user, check for u+wx
1357 mapped_user=$(get_fops_mapped_user $cli_user)
1358 [ "$mapped_user" == "-1" ] &&
1359 error "unable to find mapping for client user $cli_user"
1361 if [ "$mapped_user" == "$mds_user" -a \
1362 $(((mode & 0300) == 0300)) -eq 1 ]; then
1366 if [ "$mapped_user" != "$mds_user" -a "$other" == "1" ]; then
1373 test_fops_admin_cli_i=""
1374 test_fops_chmod_dir() {
1375 local current_cli_i=$1
1377 local dir_to_chmod=$3
1378 local new_admin_cli_i=""
1380 # do we need to set up a new admin client?
1381 [ "$current_cli_i" == "0" ] && [ "$test_fops_admin_cli_i" != "1" ] &&
1383 [ "$current_cli_i" != "0" ] && [ "$test_fops_admin_cli_i" != "0" ] &&
1386 # if there is only one client and it is non-admin, admin needs to be flipped every time
1387 if [ "$num_clients" == "1" ]; then
1388 test_fops_admin_client=$clients
1389 test_fops_admin_val=$(do_facet mgs $LCTL get_param -n \
1390 nodemap.c0.admin_nodemap)
1391 if [ "$test_fops_admin_val" != "1" ]; then
1392 do_facet mgs $LCTL nodemap_modify \
1396 wait_nm_sync c0 admin_nodemap
1398 elif [ "$new_admin_cli_i" != "" ]; then
1399 # restore admin val to old admin client
1400 if [ "$test_fops_admin_cli_i" != "" ] &&
1401 [ "$test_fops_admin_val" != "1" ]; then
1402 do_facet mgs $LCTL nodemap_modify \
1403 --name c${test_fops_admin_cli_i} \
1405 --value $test_fops_admin_val
1406 wait_nm_sync c${test_fops_admin_cli_i} admin_nodemap
1409 test_fops_admin_cli_i=$new_admin_cli_i
1410 test_fops_admin_client=${clients_arr[$new_admin_cli_i]}
1411 test_fops_admin_val=$(do_facet mgs $LCTL get_param -n \
1412 nodemap.c${new_admin_cli_i}.admin_nodemap)
1414 if [ "$test_fops_admin_val" != "1" ]; then
1415 do_facet mgs $LCTL nodemap_modify \
1416 --name c${new_admin_cli_i} \
1419 wait_nm_sync c${new_admin_cli_i} admin_nodemap
1423 do_node $test_fops_admin_client chmod $perm_bits $DIR/$tdir || return 1
1425 # remove admin for single client if originally non-admin
1426 if [ "$num_clients" == "1" ] && [ "$test_fops_admin_val" != "1" ]; then
1427 do_facet mgs $LCTL nodemap_modify --name c0 --property admin \
1429 wait_nm_sync c0 admin_nodemap
1437 local single_client="$2"
1438 local client_user_list=([0]="0 $((IDBASE+3))"
1439 [1]="0 $((IDBASE+5))")
1440 local mds_users="-1 0"
1443 local perm_bit_list="3 $((0300))"
1444 # SLOW tests 000-007, 010-070, 100-700 (octal modes)
1445 if [ "$SLOW" == "yes" ]; then
1446 perm_bit_list="0 $(seq 1 7) $(seq 8 8 63) $(seq 64 64 511) \
1448 client_user_list=([0]="0 $((IDBASE+3)) $((IDBASE+4))"
1449 [1]="0 $((IDBASE+5)) $((IDBASE+6))")
1450 mds_users="-1 0 1 2"
1453 # force single_client to speed up test
1454 [ "$SLOW" == "yes" ] ||
1456 # step through mds users. -1 means root
1457 for mds_i in $mds_users; do
1458 local user=$((mds_i + IDBASE))
1462 [ "$mds_i" == "-1" ] && user=0
1464 echo mkdir -p $DIR/$tdir
1467 for client in $clients; do
1469 for u in ${client_user_list[$cli_i]}; do
1470 local run_u="do_node $client \
1471 $RUNAS_CMD -u$u -g$u -G$u"
1472 for perm_bits in $perm_bit_list; do
1473 local mode=$(printf %03o $perm_bits)
1475 key="$mapmode:$user:c$cli_i:$u:$mode"
1476 test_fops_chmod_dir $cli_i $mode \
1478 error cannot chmod $key
1479 do_create_delete "$run_u" "$key"
1483 test_fops_chmod_dir $cli_i 777 $DIR/$tdir ||
1484 error cannot chmod $key
1485 do_fops_quota_test "$run_u"
1488 cli_i=$((cli_i + 1))
1489 [ "$single_client" == "1" ] && break
# Gate for the nodemap tests: skips when the MGS cannot be driven remotely
# or reports a version older than 2.5.53.
# Returns: 1 after the "remote MGS with nodsh" skip; the result of the
#          version branch is on lines not shown in this listing.
1496 nodemap_version_check () {
1497 remote_mgs_nodsh && skip "remote MGS with nodsh" && return 1
1498 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1499 skip "No nodemap on $MGS_VERSION MGS < 2.5.53" &&
# Prepare the servers for a nodemap file-operations test.
# Arguments: $1 - "0" leaves the nodemap feature inactive; any other value
#                 (or none) activates it
# Globals:   LCTL (read); rc is read here but set on a line not shown
# The default nodemap is given admin=1 and trusted=1 for the duration of the
# test; nodemap_test_cleanup sets both back to 0.
1504 nodemap_test_setup() {
1506 local active_nodemap=1
1508 [ "$1" == "0" ] && active_nodemap=0
# set identity_upcall to NONE on every MDT node
1510 do_nodes $(comma_list $(all_mdts_nodes)) \
1511 $LCTL set_param mdt.*.identity_upcall=NONE
1514 create_fops_nodemaps
1516 [[ $rc != 0 ]] && error "adding fops nodemaps failed $rc"
1518 do_facet mgs $LCTL nodemap_activate $active_nodemap
# each property change is followed by a wait until it has synchronised
1521 do_facet mgs $LCTL nodemap_modify --name default \
1522 --property admin --value 1
1523 wait_nm_sync default admin_nodemap
1524 do_facet mgs $LCTL nodemap_modify --name default \
1525 --property trusted --value 1
1526 wait_nm_sync default trusted_nodemap
# Undo nodemap_test_setup: delete the fops nodemaps, set admin and trusted
# back to 0 on the default nodemap, deactivate the nodemap feature and reset
# SK_UNIQUE_NM.
# The tests in this file install this function as an EXIT trap and also call
# it explicitly at the end, so it can run more than once.
# NOTE(review): if deleting the nodemaps fails, error is called before the
# default nodemap is reset; whether error returns is defined in
# test-framework.sh, which is not shown here.
1529 nodemap_test_cleanup() {
1531 delete_fops_nodemaps
1533 [[ $rc != 0 ]] && error "removing fops nodemaps failed $rc"
1535 do_facet mgs $LCTL nodemap_modify --name default \
1536 --property admin --value 0
1537 wait_nm_sync default admin_nodemap
1538 do_facet mgs $LCTL nodemap_modify --name default \
1539 --property trusted --value 0
1540 wait_nm_sync default trusted_nodemap
1542 do_facet mgs $LCTL nodemap_activate 0
1543 wait_nm_sync active 0
1545 export SK_UNIQUE_NM=false
# Apply one admin value and one trusted value to the client nodemaps and wait
# for the change to synchronise.
# NOTE(review): $admin, $tr and $i are assigned on lines not shown here;
# callers pass two values such as "0 1", presumably admin then trusted.
# NOTE(review): every iteration names c0 although the loop walks $clients and
# the waits use c$((i - 1)); the loops before "run_test 21" and "run_test 22"
# use c${i} in the same position - confirm whether c${i} was intended.
1549 nodemap_clients_admin_trusted() {
1553 for client in $clients; do
1554 do_facet mgs $LCTL nodemap_modify --name c0 \
1555 --property admin --value $admin
1556 do_facet mgs $LCTL nodemap_modify --name c0 \
1557 --property trusted --value $tr
1560 wait_nm_sync c$((i - 1)) admin_nodemap
1561 wait_nm_sync c$((i - 1)) trusted_nodemap
1565 nodemap_version_check || return 0
1566 nodemap_test_setup 0
1568 trap nodemap_test_cleanup EXIT
1570 nodemap_test_cleanup
1572 run_test 16 "test nodemap all_off fileops"
1576 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1577 skip "Need MDS >= 2.11.55"
1579 local check_proj=true
1581 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || check_proj=false
1583 nodemap_version_check || return 0
1586 trap nodemap_test_cleanup EXIT
1587 nodemap_clients_admin_trusted 0 1
1588 test_fops trusted_noadmin 1
1589 if $check_proj; then
1590 do_facet mgs $LCTL nodemap_modify --name c0 \
1591 --property map_mode --value projid
1592 wait_nm_sync c0 map_mode
1594 test_fops trusted_noadmin 1
1595 nodemap_test_cleanup
1597 run_test 17 "test nodemap trusted_noadmin fileops"
1601 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1602 skip "Need MDS >= 2.11.55"
1605 nodemap_version_check || return 0
1608 trap nodemap_test_cleanup EXIT
1609 nodemap_clients_admin_trusted 0 0
1610 test_fops mapped_noadmin 1
1611 nodemap_test_cleanup
1613 run_test 18 "test nodemap mapped_noadmin fileops"
1617 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1618 skip "Need MDS >= 2.11.55"
1621 nodemap_version_check || return 0
1624 trap nodemap_test_cleanup EXIT
1625 nodemap_clients_admin_trusted 1 1
1626 test_fops trusted_admin 1
1627 nodemap_test_cleanup
1629 run_test 19 "test nodemap trusted_admin fileops"
1633 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1634 skip "Need MDS >= 2.11.55"
1637 nodemap_version_check || return 0
1640 trap nodemap_test_cleanup EXIT
1641 nodemap_clients_admin_trusted 1 0
1642 test_fops mapped_admin 1
1643 nodemap_test_cleanup
1645 run_test 20 "test nodemap mapped_admin fileops"
1649 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1650 skip "Need MDS >= 2.11.55"
1653 nodemap_version_check || return 0
1656 trap nodemap_test_cleanup EXIT
1659 for client in $clients; do
1660 do_facet mgs $LCTL nodemap_modify --name c${i} \
1661 --property admin --value 0
1662 do_facet mgs $LCTL nodemap_modify --name c${i} \
1663 --property trusted --value $x
1667 wait_nm_sync c$((i - 1)) trusted_nodemap
1669 test_fops mapped_trusted_noadmin
1670 nodemap_test_cleanup
1672 run_test 21 "test nodemap mapped_trusted_noadmin fileops"
1676 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1677 skip "Need MDS >= 2.11.55"
1680 nodemap_version_check || return 0
1683 trap nodemap_test_cleanup EXIT
1686 for client in $clients; do
1687 do_facet mgs $LCTL nodemap_modify --name c${i} \
1688 --property admin --value 1
1689 do_facet mgs $LCTL nodemap_modify --name c${i} \
1690 --property trusted --value $x
1694 wait_nm_sync c$((i - 1)) trusted_nodemap
1696 test_fops mapped_trusted_admin
1697 nodemap_test_cleanup
1699 run_test 22 "test nodemap mapped_trusted_admin fileops"
1701 # acl test directory needs to be initialized on a privileged client
# Recreate the ACL test directory from the first client while nodemap c0 is
# temporarily admin and trusted, then put c0's previous values back.
# Globals: clients_arr, DIR, tdir, LCTL (read)
1702 nodemap_acl_test_setup() {
# save the current settings so they can be restored at the end
# NOTE(review): "local var=$(cmd)" hides a failed get_param; an empty value
# would then be passed to --value in the restore step below
1703 local admin=$(do_facet mgs $LCTL get_param -n \
1704 nodemap.c0.admin_nodemap)
1705 local trust=$(do_facet mgs $LCTL get_param -n \
1706 nodemap.c0.trusted_nodemap)
1708 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1709 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
1711 wait_nm_sync c0 admin_nodemap
1712 wait_nm_sync c0 trusted_nodemap
1714 do_node ${clients_arr[0]} rm -rf $DIR/$tdir
# the directory is opened to every user so that each test user can create
# files in it
1716 do_node ${clients_arr[0]} chmod a+rwx $DIR/$tdir ||
1717 error unable to chmod a+rwx test dir $DIR/$tdir
# restore the admin and trusted values saved at the top
1719 do_facet mgs $LCTL nodemap_modify --name c0 \
1720 --property admin --value $admin
1721 do_facet mgs $LCTL nodemap_modify --name c0 \
1722 --property trusted --value $trust
1724 wait_nm_sync c0 trusted_nodemap
1727 # returns 0 if the number of ACLs does not change on the second (mapped) client
1728 # after being set on the first client
1729 nodemap_acl_test() {
# Arguments: $2 - client that creates the file and runs setfacl
#            $3 - client that reads the ACL back with getfacl
#            $4 - "1" when the setfacl itself is expected to fail
# NOTE(review): $user and acl_count are set up on lines not shown here;
# $user is presumably $1, the id named in the ACL entry.
1731 local set_client="$2"
1732 local get_client="$3"
1733 local check_setfacl="$4"
1734 local setfacl_error=0
1735 local testfile=$DIR/$tdir/$tfile
1736 local RUNAS_USER="$RUNAS_CMD -u $user"
1738 local acl_count_post=0
1740 nodemap_acl_test_setup
1743 do_node $set_client $RUNAS_USER touch $testfile
1745 # ACL masks aren't filtered by nodemap code, so we ignore them
# baseline: ACL lines seen from get_client before the entry is added
1746 acl_count=$(do_node $get_client getfacl $testfile | grep -v mask |
1748 do_node $set_client $RUNAS_USER setfacl -m $user:rwx $testfile ||
1751 # if check setfacl is set to 1, then it's supposed to error
1752 if [ "$check_setfacl" == "1" ]; then
1753 [ "$setfacl_error" != "1" ] && return 1
1756 [ "$setfacl_error" == "1" ] && echo "WARNING: unable to setfacl"
# count again from get_client after the setfacl
1758 acl_count_post=$(do_node $get_client getfacl $testfile | grep -v mask |
# an unchanged count means the new entry is not visible through get_client
1760 [ $acl_count -eq $acl_count_post ] && return 0
# Body of the "test mapped regular ACLs" test (23a); its function header is
# not shown in this listing.
# nodemap_acl_test returns 0 when the ACL count seen by the reading client is
# unchanged, so "|| error" asserts that the new entry stays hidden and
# "&& error" asserts that it becomes visible.
1765 [ $num_clients -lt 2 ] && skip "Need 2 clients at least" && return
1766 nodemap_version_check || return 0
1769 trap nodemap_test_cleanup EXIT
1770 # 1 trusted cluster, 1 mapped cluster
# ids are offsets from IDBASE; see the idmap table near the top of the file
1771 local unmapped_fs=$((IDBASE+0))
1772 local unmapped_c1=$((IDBASE+5))
1773 local mapped_fs=$((IDBASE+2))
1774 local mapped_c0=$((IDBASE+4))
1775 local mapped_c1=$((IDBASE+6))
# c0: admin and trusted; c1: neither, so its ids go through the idmap
1777 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1778 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
1780 do_facet mgs $LCTL nodemap_modify --name c1 --property admin --value 0
1781 do_facet mgs $LCTL nodemap_modify --name c1 --property trusted --value 0
1783 wait_nm_sync c1 trusted_nodemap
1785 # setfacl on trusted cluster to unmapped user, verify it's not seen
1786 nodemap_acl_test $unmapped_fs ${clients_arr[0]} ${clients_arr[1]} ||
1787 error "acl count (1)"
1789 # setfacl on trusted cluster to mapped user, verify it's seen
1790 nodemap_acl_test $mapped_fs ${clients_arr[0]} ${clients_arr[1]} &&
1791 error "acl count (2)"
1793 # setfacl on mapped cluster to mapped user, verify it's seen
1794 nodemap_acl_test $mapped_c1 ${clients_arr[1]} ${clients_arr[0]} &&
1795 error "acl count (3)"
1797 # setfacl on mapped cluster to unmapped user, verify error
1798 nodemap_acl_test $unmapped_fs ${clients_arr[1]} ${clients_arr[0]} 1 ||
1799 error "acl count (4)"
# second half: c0 also loses admin and trusted, so both clients are mapped
1802 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 0
1803 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 0
1805 wait_nm_sync c0 trusted_nodemap
1807 # setfacl to mapped user on c1, also mapped to c0, verify it's seen
1808 nodemap_acl_test $mapped_c1 ${clients_arr[1]} ${clients_arr[0]} &&
1809 error "acl count (5)"
1811 # setfacl to mapped user on c1, not mapped to c0, verify not seen
1812 nodemap_acl_test $unmapped_c1 ${clients_arr[1]} ${clients_arr[0]} ||
1813 error "acl count (6)"
1815 nodemap_test_cleanup
1817 run_test 23a "test mapped regular ACLs"
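# Check that a default group ACL set from the first client is reported on
# the second client with the gid that nodemap c0's gid idmap assigns to it
# (LU-9929).
# Globals: num_clients, clients_arr, MGS_VERSION, IDBASE, ID0, USER0, DIR,
#          tdir, LCTL (read); SK_UNIQUE_NM (exported)
# NOTE(review): some of the function's lines are not shown in this listing.
1819 test_23b() { #LU-9929
1820 [ $num_clients -lt 2 ] && skip "Need 2 clients at least"
1821 [ "$MGS_VERSION" -lt $(version_code 2.10.53) ] &&
1822 skip "Need MGS >= 2.10.53"
1824 export SK_UNIQUE_NM=true
1826 trap nodemap_test_cleanup EXIT
1828 local testdir=$DIR/$tdir
1829 local fs_id=$((IDBASE+10))
# c0 becomes admin; c1 becomes admin and trusted
1834 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1835 wait_nm_sync c0 admin_nodemap
1836 do_facet mgs $LCTL nodemap_modify --name c1 --property admin --value 1
1837 wait_nm_sync c1 admin_nodemap
1838 do_facet mgs $LCTL nodemap_modify --name c1 --property trusted --value 1
1839 wait_nm_sync c1 trusted_nodemap
1841 # Add idmap $ID0:$fs_id (500:60010)
1842 do_facet mgs $LCTL nodemap_add_idmap --name c0 --idtype gid \
1843 --idmap $ID0:$fs_id ||
1844 error "add idmap $ID0:$fs_id to nodemap c0 failed"
1845 wait_nm_sync c0 idmap
1847 # set/getfacl default acl on client 1 (unmapped gid=500)
1848 do_node ${clients_arr[0]} rm -rf $testdir
1849 do_node ${clients_arr[0]} mkdir -p $testdir
1850 # Here, USER0=$(getent passwd | grep :$ID0:$ID0: | cut -d: -f1)
1851 do_node ${clients_arr[0]} setfacl -R -d -m group:$USER0:rwx $testdir ||
1852 error "setfacl $testdir on ${clients_arr[0]} failed"
# third ':'-separated field of the "default:group:<name>:rwx" line
1853 unmapped_id=$(do_node ${clients_arr[0]} getfacl $testdir |
1854 grep -E "default:group:.*:rwx" | awk -F: '{print $3}')
1855 [ "$unmapped_id" = "$USER0" ] ||
1856 error "gid=$ID0 was not unmapped correctly on ${clients_arr[0]}"
1858 # getfacl default acl on client 2 (mapped gid=60010)
1859 mapped_id=$(do_node ${clients_arr[1]} getfacl $testdir |
1860 grep -E "default:group:.*:rwx" | awk -F: '{print $3}')
1861 fs_user=$(do_node ${clients_arr[1]} getent passwd |
1862 grep :$fs_id:$fs_id: | cut -d: -f1)
1863 [ -z "$fs_user" ] && fs_user=$fs_id
# compare as strings: getfacl prints a group name when one exists for the
# gid, and a non-numeric or empty operand makes "[ ... -eq ... ]" exit with
# status 2 before the name alternative is evaluated
1864 [ "$mapped_id" = "$fs_id" ] || [ "$mapped_id" = "$fs_user" ] ||
1865 error "Should return gid=$fs_id or $fs_user on client2"
1868 nodemap_test_cleanup
1869 export SK_UNIQUE_NM=false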
1871 run_test 23b "test mapped default ACLs"
1876 trap nodemap_test_cleanup EXIT
1877 do_nodes $(comma_list $(all_server_nodes)) $LCTL get_param -R nodemap
1879 nodemap_test_cleanup
1881 run_test 24 "check nodemap proc files for LBUGs and Oopses"
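# Body of the "test save and reload nodemap config" test (25); its function
# header is not shown in this listing.
# Records nodemap_info on the MGS and the MDS, restarts the filesystem when
# shared keys are not in use, and checks that both nodes report the same
# configuration afterwards.
# NOTE(review): $testname, $subdir and $i are set on lines not shown here;
# the messages name test25 directly, so $testname is presumably "test25".
# four scratch files: MGS/MDS output before (1, 2) and after (3, 4) the restart
1884 local tmpfile=$(mktemp)
1885 local tmpfile2=$(mktemp)
1886 local tmpfile3=$(mktemp)
1887 local tmpfile4=$(mktemp)
# the scratch files already exist here, so remove them before returning early
1891 nodemap_version_check || { rm -f -- "$tmpfile" "$tmpfile2" "$tmpfile3" "$tmpfile4"; return 0; }
1893 # stop clients for this test
1894 zconf_umount_clients $CLIENTS $MOUNT ||
1895 error "unable to umount clients $CLIENTS"
1897 export SK_UNIQUE_NM=true
1900 # enable trusted/admin for setquota call in cleanup_and_setup_lustre()
1902 for client in $clients; do
1903 do_facet mgs $LCTL nodemap_modify --name c${i} \
1904 --property admin --value 1
1905 do_facet mgs $LCTL nodemap_modify --name c${i} \
1906 --property trusted --value 1
1909 wait_nm_sync c$((i - 1)) trusted_nodemap
1911 trap nodemap_test_cleanup EXIT
1913 # create a new, empty nodemap, and add fileset info to it
1914 do_facet mgs $LCTL nodemap_add test25 ||
1915 error "unable to create nodemap $testname"
1916 do_facet mgs $LCTL set_param -P nodemap.$testname.fileset=/$subdir ||
1917 error "unable to add fileset info to nodemap test25"
1919 wait_nm_sync test25 id
# reference copies taken before the restart
1921 do_facet mgs $LCTL nodemap_info > $tmpfile
1922 do_facet mds $LCTL nodemap_info > $tmpfile2
1924 if ! $SHARED_KEY; then
1925 # will conflict with SK's nodemaps
1926 cleanup_and_setup_lustre
1928 # stop clients for this test
1929 zconf_umount_clients $CLIENTS $MOUNT ||
1930 error "unable to umount clients $CLIENTS"
# the configuration reported after the restart must match the reference
1932 do_facet mgs $LCTL nodemap_info > $tmpfile3
1933 diff -q $tmpfile3 $tmpfile >& /dev/null ||
1934 error "nodemap_info diff on MGS after remount"
1936 do_facet mds $LCTL nodemap_info > $tmpfile4
1937 diff -q $tmpfile4 $tmpfile2 >& /dev/null ||
1938 error "nodemap_info diff on MDS after remount"
1941 do_facet mgs $LCTL nodemap_del test25 ||
1942 error "cannot delete nodemap test25 from config"
1943 nodemap_test_cleanup
1944 # restart clients previously stopped
1945 zconf_mount_clients $CLIENTS $MOUNT ||
1946 error "unable to mount clients $CLIENTS"
# remove all four scratch files; the original removed only the first two
1948 rm -f -- "$tmpfile" "$tmpfile2" "$tmpfile3" "$tmpfile4"
1949 export SK_UNIQUE_NM=false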
1951 run_test 25 "test save and reload nodemap config"
1954 nodemap_version_check || return 0
1958 do_facet mgs "seq -f 'c%g' $large_i | xargs -n1 $LCTL nodemap_add"
1959 wait_nm_sync c$large_i admin_nodemap
1961 do_facet mgs "seq -f 'c%g' $large_i | xargs -n1 $LCTL nodemap_del"
1962 wait_nm_sync c$large_i admin_nodemap
1964 run_test 26 "test transferring very large nodemap"
# Exercise the fileset property of one nodemap: mount the first client
# restricted to a subdirectory, then to a sub-subdirectory, then clear the
# fileset and check that the whole filesystem is visible again.
# Globals: clients_arr, MOUNT, MOUNT_OPTS, SHARED_KEY, MDS1_VERSION, LCTL, LFS
#          (read); SK_UNIQUE_NM, FILESET (exported)
# NOTE(review): $nm, $subdir and $subsubdir are not assigned on the visible
# lines; the caller passes the nodemap name as the first argument and
# declares subdir/subsubdir itself. Some lines of the function are missing
# from this listing.
1966 nodemap_exercise_fileset() {
1969 local check_proj=true
# the project-id checks run only against MDS 2.14.52 or newer
1971 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || check_proj=false
1974 if [ "$nm" == "default" ]; then
1975 do_facet mgs $LCTL nodemap_activate 1
1977 do_facet mgs $LCTL nodemap_modify --name default \
1978 --property admin --value 1
1979 do_facet mgs $LCTL nodemap_modify --name default \
1980 --property trusted --value 1
1981 wait_nm_sync default admin_nodemap
1982 wait_nm_sync default trusted_nodemap
1987 if $SHARED_KEY; then
1988 export SK_UNIQUE_NM=true
1990 # will conflict with SK's nodemaps
# $nm is expanded when the trap is installed, not when it fires
1991 trap "fileset_test_cleanup $nm" EXIT
1993 fileset_test_setup "$nm"
1995 # add fileset info to $nm nodemap
1996 if ! combined_mgs_mds; then
1997 do_facet mgs $LCTL set_param nodemap.${nm}.fileset=/$subdir ||
1998 error "unable to add fileset info to $nm nodemap on MGS"
2000 do_facet mgs $LCTL set_param -P nodemap.${nm}.fileset=/$subdir ||
2001 error "unable to add fileset info to $nm nodemap for servers"
2002 wait_nm_sync $nm fileset "nodemap.${nm}.fileset=/$subdir"
# project-id setup: admin but not trusted, map_mode projid, a single 1:1
# projid idmap, and deny_unknown=1
2004 if $check_proj; then
2005 do_facet mgs $LCTL nodemap_modify --name $nm \
2006 --property admin --value 1
2007 wait_nm_sync $nm admin_nodemap
2008 do_facet mgs $LCTL nodemap_modify --name $nm \
2009 --property trusted --value 0
2010 wait_nm_sync $nm trusted_nodemap
2011 do_facet mgs $LCTL nodemap_modify --name $nm \
2012 --property map_mode --value projid
2013 wait_nm_sync $nm map_mode
2014 do_facet mgs $LCTL nodemap_add_idmap --name $nm \
2015 --idtype projid --idmap 1:1
2016 do_facet mgs $LCTL nodemap_modify --name $nm \
2017 --property deny_unknown --value 1
2018 wait_nm_sync $nm deny_unknown
2022 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2023 error "unable to umount client ${clients_arr[0]}"
2024 # set some generic fileset to trigger SSK code
2026 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2027 error "unable to remount client ${clients_arr[0]}"
2030 # test mount point content
# the marker file must sit at the top of the mount point
2031 do_node ${clients_arr[0]} test -f $MOUNT/this_is_$subdir ||
2032 error "fileset not taken into account"
# quota for the mapped project id 1 must be accepted and quota for the
# unmapped project id 2 must be refused
2034 if $check_proj; then
2035 do_node ${clients_arr[0]} $LFS setquota -p 1 -b 10000 -B 11000 \
2036 -i 0 -I 0 $MOUNT || error "setquota -p 1 failed"
2037 do_node ${clients_arr[0]} $LFS setquota -p 2 -b 10000 -B 11000 \
2038 -i 0 -I 0 $MOUNT && error "setquota -p 2 should fail"
2041 # re-mount client with sub-subdir
2042 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2043 error "unable to umount client ${clients_arr[0]}"
2044 export FILESET=/$subsubdir
2045 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2046 error "unable to remount client ${clients_arr[0]}"
2049 # test mount point content
2050 do_node ${clients_arr[0]} test -f $MOUNT/this_is_$subsubdir ||
2051 error "subdir of fileset not taken into account"
2053 # remove fileset info from nodemap
2054 do_facet mgs $LCTL nodemap_set_fileset --name $nm --fileset clear ||
2055 error "unable to delete fileset info on $nm nodemap"
2056 wait_update_facet mgs "$LCTL get_param nodemap.${nm}.fileset" \
2057 "nodemap.${nm}.fileset=" ||
2058 error "fileset info still not cleared on $nm nodemap"
2059 do_facet mgs $LCTL set_param -P nodemap.${nm}.fileset=clear ||
2060 error "unable to reset fileset info on $nm nodemap"
2061 wait_nm_sync $nm fileset "nodemap.${nm}.fileset="
2064 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2065 error "unable to umount client ${clients_arr[0]}"
2066 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2067 error "unable to remount client ${clients_arr[0]}"
2069 # test mount point content
# with the fileset cleared, $subdir must be visible as a directory under the
# mount point; the "$( )" wrapper here is used only for the exit status of
# the command inside it
2070 if ! $(do_node ${clients_arr[0]} test -d $MOUNT/$subdir); then
2072 error "fileset not cleared on $nm nodemap"
2075 # back to non-nodemap setup
2076 if $SHARED_KEY; then
2077 export SK_UNIQUE_NM=false
2078 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2079 error "unable to umount client ${clients_arr[0]}"
2081 fileset_test_cleanup "$nm"
# undo the admin/trusted/activate changes made for the default nodemap above
2082 if [ "$nm" == "default" ]; then
2083 do_facet mgs $LCTL nodemap_modify --name default \
2084 --property admin --value 0
2085 do_facet mgs $LCTL nodemap_modify --name default \
2086 --property trusted --value 0
2087 wait_nm_sync default admin_nodemap
2088 wait_nm_sync default trusted_nodemap
2089 do_facet mgs $LCTL nodemap_activate 0
2090 wait_nm_sync active 0
2092 export SK_UNIQUE_NM=false
2094 nodemap_test_cleanup
2096 if $SHARED_KEY; then
2097 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2098 error "unable to remount client ${clients_arr[0]}"
2103 [ "$MDS1_VERSION" -lt $(version_code 2.11.50) ] &&
2104 skip "Need MDS >= 2.11.50"
2106 for nm in "default" "c0"; do
2107 local subdir="subdir_${nm}"
2108 local subsubdir="subsubdir_${nm}"
2110 if [ "$nm" == "default" ] && [ "$SHARED_KEY" == "true" ]; then
2111 echo "Skipping nodemap $nm with SHARED_KEY";
2115 echo "Exercising fileset for nodemap $nm"
2116 nodemap_exercise_fileset "$nm"
2119 run_test 27a "test fileset in various nodemaps"
2121 test_27b() { #LU-10703
2122 [ "$MDS1_VERSION" -lt $(version_code 2.11.50) ] &&
2123 skip "Need MDS >= 2.11.50"
2124 [[ $MDSCOUNT -lt 2 ]] && skip "needs >= 2 MDTs"
2127 trap nodemap_test_cleanup EXIT
2129 # Add the nodemaps and set their filesets
2130 for i in $(seq 1 $MDSCOUNT); do
2131 do_facet mgs $LCTL nodemap_del nm$i 2>/dev/null
2132 do_facet mgs $LCTL nodemap_add nm$i ||
2133 error "add nodemap nm$i failed"
2134 wait_nm_sync nm$i "" "" "-N"
2136 if ! combined_mgs_mds; then
2138 $LCTL set_param nodemap.nm$i.fileset=/dir$i ||
2139 error "set nm$i.fileset=/dir$i failed on MGS"
2141 do_facet mgs $LCTL set_param -P nodemap.nm$i.fileset=/dir$i ||
2142 error "set nm$i.fileset=/dir$i failed on servers"
2143 wait_nm_sync nm$i fileset "nodemap.nm$i.fileset=/dir$i"
2146 # Check if all the filesets are correct
2147 for i in $(seq 1 $MDSCOUNT); do
2148 fileset=$(do_facet mds$i \
2149 $LCTL get_param -n nodemap.nm$i.fileset)
2150 [ "$fileset" = "/dir$i" ] ||
2151 error "nm$i.fileset $fileset != /dir$i on mds$i"
2152 do_facet mgs $LCTL nodemap_del nm$i ||
2153 error "delete nodemap nm$i failed"
2156 nodemap_test_cleanup
2158 run_test 27b "The new nodemap won't clear the old nodemap's fileset"
# Body of the "check shared key rotation method" test (28); its function
# header is not shown in this listing.
# Reads a key identity before and after flushing the security contexts and
# fails if the two are equal.
2161 if ! $SHARED_KEY; then
2162 skip "need shared key feature for this test" && return
2164 mkdir -p $DIR/$tdir || error "mkdir failed"
2165 touch $DIR/$tdir/$tdir.out || error "touch failed"
2166 if [ ! -f $DIR/$tdir/$tdir.out ]; then
2167 error "read before rotation failed"
2169 # store top key identity to ensure rotation has occurred
# first 8 characters of field 15 on the first line containing "expire"
2170 SK_IDENTITY_OLD=$(lctl get_param *.*.*srpc* | grep "expire" |
2171 head -1 | awk '{print $15}' | cut -c1-8)
2172 do_facet $SINGLEMDS lfs flushctx ||
2173 error "could not run flushctx on $SINGLEMDS"
2175 lfs flushctx || error "could not run flushctx on client"
2177 # verify new key is in place
2178 SK_IDENTITY_NEW=$(lctl get_param *.*.*srpc* | grep "expire" |
2179 head -1 | awk '{print $15}' | cut -c1-8)
# NOTE(review): the operands are unquoted and never checked for being empty;
# if only one of the two pipelines returns nothing, "[" exits with an error
# status, the branch is skipped and the test passes without a comparison
2180 if [ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]; then
2181 error "key did not rotate correctly"
2183 if [ ! -f $DIR/$tdir/$tdir.out ]; then
2184 error "read after rotation failed"
2187 run_test 28 "check shared key rotation method"
# Body of the "check for missing shared key" test (29); its function header
# is not shown in this listing.
# With the Lustre keys unlinked from the keyring and SK_PATH pointing at
# /dev/null, mounting the client must fail.
2190 if ! $SHARED_KEY; then
2191 skip "need shared key feature for this test" && return
# NOTE(review): $SK_FLAVOR is unquoted; an empty value makes "[" fail with an
# error instead of comparing
2193 if [ $SK_FLAVOR != "ski" ] && [ $SK_FLAVOR != "skpi" ]; then
2194 skip "test only valid if integrity is active"
2197 mkdir $DIR/$tdir || error "mkdir"
2198 touch $DIR/$tdir/$tfile || error "touch"
2199 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2200 error "unable to umount clients"
# unlink every key whose "keyctl show" line matches /lustre/ on the client
2201 do_node ${clients_arr[0]} "keyctl show |
2202 awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
2203 OLD_SK_PATH=$SK_PATH
2204 export SK_PATH=/dev/null
# a successful mount is the failure case; SK_PATH is restored before reporting
2205 if zconf_mount_clients ${clients_arr[0]} $MOUNT; then
2206 export SK_PATH=$OLD_SK_PATH
2207 do_node ${clients_arr[0]} "ls $DIR/$tdir/$tfile"
2208 if [ $? -eq 0 ]; then
2209 error "able to mount and read without key"
2211 error "able to mount without key"
# expected path: restore SK_PATH, unlink the keys again and remount
2214 export SK_PATH=$OLD_SK_PATH
2215 do_node ${clients_arr[0]} "keyctl show |
2216 awk '/lustre/ { print \\\$1 }' |
2217 xargs -IX keyctl unlink X"
2219 zconf_mount_clients ${clients_arr[0]} $MOUNT ||
2220 error "unable to mount clients"
2222 run_test 29 "check for missing shared key"
# Body of the "check for invalid shared key" test (30); its function header
# is not shown in this listing.
# Generates a client key for a filesystem name that does not match, points
# SK_PATH at it, and requires the mount to fail.
2225 if ! $SHARED_KEY; then
2226 skip "need shared key feature for this test" && return
# NOTE(review): $SK_FLAVOR is unquoted; an empty value makes "[" fail with an
# error instead of comparing
2228 if [ $SK_FLAVOR != "ski" ] && [ $SK_FLAVOR != "skpi" ]; then
2229 skip "test only valid if integrity is active"
2231 mkdir -p $DIR/$tdir || error "mkdir failed"
2232 touch $DIR/$tdir/$tdir.out || error "touch failed"
2233 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2234 error "unable to umount clients"
2235 # unload keys from ring
2236 do_node ${clients_arr[0]} "keyctl show |
2237 awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
2238 # generate key with bogus filesystem name
2239 do_node ${clients_arr[0]} "$LGSS_SK -w $SK_PATH/$FSNAME-bogus.key \
2240 -f $FSNAME.bogus -t client -d /dev/urandom" ||
2241 error "lgss_sk failed (1)"
# NOTE(review): no visible line removes $SK_PATH/$FSNAME-bogus.key afterwards;
# confirm whether it is cleaned up elsewhere
2242 do_facet $SINGLEMDS lfs flushctx || error "could not run flushctx"
2243 OLD_SK_PATH=$SK_PATH
2244 export SK_PATH=$SK_PATH/$FSNAME-bogus.key
# a successful mount is the failure case; SK_PATH is restored before reporting
2245 if zconf_mount_clients ${clients_arr[0]} $MOUNT; then
2246 SK_PATH=$OLD_SK_PATH
2247 do_node ${clients_arr[0]} "ls $DIR/$tdir/$tdir.out"
2248 if [ $? -eq 0 ]; then
2249 error "mount and read file with invalid key"
2251 error "mount with invalid key"
2254 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2255 error "unable to umount clients"
2256 # unload keys from ring
2257 do_node ${clients_arr[0]} "keyctl show |
2258 awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
# restore the real key path and remount with it
2260 SK_PATH=$OLD_SK_PATH
2261 zconf_mount_clients ${clients_arr[0]} $MOUNT ||
2262 error "unable to mount clients"
2264 run_test 30 "check for invalid shared key"
2269 mkdir -p $DIR/$tdir || error "mkdir $flvr"
2270 touch $DIR/$tdir/f0 || error "touch $flvr"
2271 ls $DIR/$tdir || error "ls $flvr"
2272 dd if=/dev/zero of=$DIR/$tdir/f0 conv=fsync bs=1M count=10 \
2273 >& /dev/null || error "dd $flvr"
2274 rm -f $DIR/$tdir/f0 || error "rm $flvr"
2275 rmdir $DIR/$tdir || error "rmdir $flvr"
2278 echo 3 > /proc/sys/vm/drop_caches
2282 local save_flvr=$SK_FLAVOR
2284 if ! $SHARED_KEY; then
2285 skip "need shared key feature for this test"
2288 stack_trap restore_to_default_flavor EXIT
2290 for flvr in skn ska ski skpi; do
2293 restore_to_default_flavor || error "cannot set $flvr flavor"
2294 SK_FLAVOR=$save_flvr
2299 run_test 30b "basic test of all different SSK flavors"
2302 local failover_mds1=$1
2305 zconf_umount $HOSTNAME $MOUNT || error "unable to umount client"
2307 # remove ${NETTYPE}999 network on all nodes
2308 do_nodes $(comma_list $(all_nodes)) \
2309 "$LNETCTL net del --net ${NETTYPE}999 && \
2310 $LNETCTL lnet unconfigure 2>/dev/null || true"
2312 # necessary to do writeconf in order to de-register
2313 # @${NETTYPE}999 nid for targets
2315 export KEEP_ZPOOL="true"
2318 do_facet mds1 $TUNEFS --erase-param failover.node $(mdsdevname 1)
2319 if [ -n "$failover_mds1" ]; then
2320 do_facet mds1 $TUNEFS \
2321 --servicenode=$failover_mds1 $(mdsdevname 1)
2323 # If no service node previously existed, setting one in test_31
2324 # added the no_primnode flag to the target. To remove everything
2325 # and clear the flag, add a meaningless failnode and remove it.
2326 do_facet mds1 $TUNEFS \
2327 --failnode=$(do_facet mds1 $LCTL list_nids | head -1) \
2329 do_facet mds1 $TUNEFS \
2330 --erase-param failover.node $(mdsdevname 1)
2333 export SK_MOUNTED=false
2336 export KEEP_ZPOOL="$KZPOOL"
2340 local nid=$(lctl list_nids | grep ${NETTYPE} | head -n1)
2341 local addr=${nid%@*}
2343 local net2=${NETTYPE}999
2344 local mdsnid=$(do_facet mds1 $LCTL list_nids | head -1)
2345 local addr1=${mdsnid%@*}
2346 local addr2=${addr1%.*}.$(((${addr1##*.} + 11) % 256))
2349 export LNETCTL=$(which lnetctl 2> /dev/null)
2351 [ -z "$LNETCTL" ] && skip "without lnetctl support." && return
2352 local_mode && skip "in local mode."
2354 # save mds failover nids for restore at cleanup
2355 failover_mds1=$(do_facet mds1 $TUNEFS --dryrun $(mdsdevname 1))
2356 if [ -n "$failover_mds1" ]; then
2357 failover_mds1=${failover_mds1##*Parameters:}
2358 failover_mds1=${failover_mds1%%exiting*}
2359 failover_mds1=$(echo $failover_mds1 | tr ' ' '\n' |
2360 grep failover.node | cut -d'=' -f2-)
2362 stack_trap "cleanup_31 $failover_mds1" EXIT
2365 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
2366 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
2368 if $(grep -q $MOUNT' ' /proc/mounts); then
2369 umount_client $MOUNT || error "umount $MOUNT failed"
2372 # check exports on servers are empty for client
2373 do_facet mgs "lctl get_param -n *.MGS*.exports.'$nid'.uuid 2>/dev/null |
2374 grep -q -" && error "export on MGS should be empty"
2375 do_nodes $(comma_list $(mdts_nodes) $(osts_nodes)) \
2376 "lctl get_param -n *.${FSNAME}*.exports.'$nid'.uuid \
2377 2>/dev/null | grep -q -" &&
2378 error "export on servers should be empty"
2380 # add network $net2 on all nodes
2381 do_nodes $(comma_list $(all_nodes)) \
2382 "$LNETCTL lnet configure && $LNETCTL net add --if \
2383 \$($LNETCTL net show --net $net | awk 'BEGIN{inf=0} \
2384 {if (inf==1) print \$2; fi; inf=0} /interfaces/{inf=1}') \
2386 error "unable to configure NID $net2"
2388 # necessary to do writeconf in order to register
2389 # new @$net2 nid for targets
2391 export KEEP_ZPOOL="true"
2393 export SK_MOUNTED=false
2396 nids="${addr1}@$net,${addr1}@$net2:${addr2}@$net,${addr2}@$net2"
2397 do_facet mds1 "$TUNEFS --servicenode="$nids" $(mdsdevname 1)" ||
2398 error "tunefs failed"
2400 setupall server_only || echo 1
2401 export KEEP_ZPOOL="$KZPOOL"
2404 local mgsnid_orig=$MGSNID
2405 # compute new MGSNID
2406 MGSNID=$(do_facet mgs "$LCTL list_nids | grep $net2")
2408 # on client, turn LNet Dynamic Discovery on
2409 lnetctl set discovery 1
2411 # mount client with -o network=$net2 option:
2412 # should fail because of LNet Dynamic Discovery
2413 mount_client $MOUNT ${MOUNT_OPTS},network=$net2 &&
2414 error "client mount with '-o network' option should be refused"
2416 # on client, reconfigure LNet and turn LNet Dynamic Discovery off
2417 $LNETCTL net del --net $net2 && lnetctl lnet unconfigure
2420 lnetctl set discovery 0
2422 $LNETCTL lnet configure && $LNETCTL net add --if \
2423 $($LNETCTL net show --net $net | awk 'BEGIN{inf=0} \
2424 {if (inf==1) print $2; fi; inf=0} /interfaces/{inf=1}') \
2426 error "unable to configure NID $net2 on client"
2428 # mount client with -o network=$net2 option
2429 mount_client $MOUNT ${MOUNT_OPTS},network=$net2 ||
2430 error "unable to remount client"
2435 # check export on MGS
2436 do_facet mgs "lctl get_param -n *.MGS*.exports.'$nid'.uuid 2>/dev/null |
2438 [ $? -ne 0 ] || error "export for $nid on MGS should not exist"
2441 "lctl get_param -n *.MGS*.exports.'${addr}@$net2'.uuid \
2442 2>/dev/null | grep -"
2444 error "export for ${addr}@$net2 on MGS should exist"
2446 # check {mdc,osc} imports
2447 lctl get_param mdc.${FSNAME}-*.import | grep current_connection |
2450 error "import for mdc should use ${addr1}@$net2"
2451 lctl get_param osc.${FSNAME}-*.import | grep current_connection |
2454 error "import for osc should use ${addr1}@$net2"
2456 # no NIDs on other networks should be listed
2457 lctl get_param mdc.${FSNAME}-*.import | grep failover_nids |
2458 grep -w ".*@$net" &&
2459 error "MDC import shouldn't have failnids at @$net"
2461 # failover NIDs on net999 should be listed
2462 lctl get_param mdc.${FSNAME}-*.import | grep failover_nids |
2463 grep ${addr2}@$net2 ||
2464 error "MDC import should have failnid ${addr2}@$net2"
2466 run_test 31 "client mount option '-o network'"
2470 zconf_umount_clients ${clients_arr[0]} $MOUNT
2472 # disable sk flavor enforcement on MGS
2473 set_rule _mgs any any null
2475 # stop gss daemon on MGS
2476 if ! combined_mgs_mds ; then
2477 send_sigint $mgs_HOST lsvcgssd
2481 MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
2484 restore_to_default_flavor
# Body of the "check for mgssec" test (32); its function header is not shown
# in this listing.
# With no flavor rule on the MGS a client mounts with mgssec=skn; once the
# ska rule is set, mounting without mgssec or with mgssec=skn must fail and
# mgssec=ska must succeed.
2488 if ! $SHARED_KEY; then
2489 skip "need shared key feature for this test"
2492 stack_trap cleanup_32 EXIT
2494 # restore to default null flavor
2495 save_flvr=$SK_FLAVOR
2497 restore_to_default_flavor || error "cannot set null flavor"
2498 SK_FLAVOR=$save_flvr
# NOTE(review): the guard tests $MOUNT_2 but the commands use $MOUNT2 -
# confirm which variable name is intended
2501 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
2502 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
2504 if $(grep -q $MOUNT' ' /proc/mounts); then
2505 umount_client $MOUNT || error "umount $MOUNT failed"
2508 # start gss daemon on MGS
2509 if combined_mgs_mds ; then
2510 send_sigint $mds_HOST lsvcgssd
2512 start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g"
2514 # add mgs key type and MGS NIDs in key on MGS
2515 do_nodes $mgs_HOST "$LGSS_SK -t mgs,server -g $MGSNID -m \
2516 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2517 error "could not modify keyfile on MGS"
2519 # load modified key file on MGS
2520 do_nodes $mgs_HOST "$LGSS_SK -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2521 error "could not load keyfile on MGS"
2523 # add MGS NIDs in key on client
# NOTE(review): this command runs on ${clients_arr[0]} but its failure
# message below says "on MGS"; the lgss_sk output itself is discarded
2524 do_nodes ${clients_arr[0]} "$LGSS_SK -g $MGSNID -m \
2525 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2526 error "could not modify keyfile on MGS"
2528 # set perms for per-nodemap keys else permission denied
# 0x3f3f3f3f turns on every permission bit for possessor, user, group and
# other on each matched key, on all nodes
2529 do_nodes $(comma_list $(all_nodes)) \
2530 "keyctl show | grep lustre | cut -c1-11 |
2532 xargs -IX keyctl setperm X 0x3f3f3f3f"
2534 # re-mount client with mgssec=skn
2535 save_opts=$MOUNT_OPTS
2536 if [ -z "$MOUNT_OPTS" ]; then
2537 MOUNT_OPTS="-o mgssec=skn"
2539 MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
2541 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2542 error "mount ${clients_arr[0]} with mgssec=skn failed"
2543 MOUNT_OPTS=$save_opts
2546 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2547 error "umount ${clients_arr[0]} failed"
2549 # enforce ska flavor on MGS
2550 set_rule _mgs any any ska
2552 # re-mount client without mgssec
# from here on a successful mount with a weaker setting is the failure case
2553 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS &&
2554 error "mount ${clients_arr[0]} without mgssec should fail"
2556 # re-mount client with mgssec=skn
2557 save_opts=$MOUNT_OPTS
2558 if [ -z "$MOUNT_OPTS" ]; then
2559 MOUNT_OPTS="-o mgssec=skn"
2561 MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
2563 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS &&
2564 error "mount ${clients_arr[0]} with mgssec=skn should fail"
2565 MOUNT_OPTS=$save_opts
2567 # re-mount client with mgssec=ska
2568 save_opts=$MOUNT_OPTS
2569 if [ -z "$MOUNT_OPTS" ]; then
2570 MOUNT_OPTS="-o mgssec=ska"
2572 MOUNT_OPTS="$MOUNT_OPTS,mgssec=ska"
2574 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2575 error "mount ${clients_arr[0]} with mgssec=ska failed"
2576 MOUNT_OPTS=$save_opts
2580 run_test 32 "check for mgssec"
# Cleanup for test 33; `stack_trap cleanup_33 EXIT` further down suggests this
# is the body of cleanup_33. The function header and some short lines are
# missing from this listing.
# It sets the cli2mdt rule back to null and waits for it, unmounts the first
# client, signals lsvcgssd on a separate MGS, and restores the default flavor.
2583 # disable sk flavor enforcement
2584 set_rule $FSNAME any cli2mdt null
2585 wait_flavor cli2mdt null
2588 zconf_umount_clients ${clients_arr[0]} $MOUNT
2590 # stop gss daemon on MGS
2591 if ! combined_mgs_mds ; then
2592 send_sigint $mgs_HOST lsvcgssd
2596 MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
2599 restore_to_default_flavor
# Test 33 (registered by `run_test 33` at the end): mounts with mgssec=skn,
# then enforces ska for cli2mdt and checks that the debug log contains no
# "faked source" message for the MGS connection.
# The function header and some short lines (fi/else/closing brace) are missing
# from this listing.
2603 if ! $SHARED_KEY; then
2604 skip "need shared key feature for this test"
2607 stack_trap cleanup_33 EXIT
2609 # restore to default null flavor
# SK_FLAVOR is saved here and put back right after restore_to_default_flavor.
2610 save_flvr=$SK_FLAVOR
2612 restore_to_default_flavor || error "cannot set null flavor"
2613 SK_FLAVOR=$save_flvr
# NOTE(review): $(grep -q ...) is used as the condition itself; $MOUNT2/$MOUNT
# are unquoted and the pattern is not anchored.
2616 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
2617 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
2619 if $(grep -q $MOUNT' ' /proc/mounts); then
2620 umount_client $MOUNT || error "umount $MOUNT failed"
2623 # start gss daemon on MGS
2624 if combined_mgs_mds ; then
2625 send_sigint $mds_HOST lsvcgssd
2627 start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g"
2629 # add mgs key type and MGS NIDs in key on MGS
# The tool's stdout and stderr are discarded, so a failure only surfaces as the
# generic error text below.
2630 do_nodes $mgs_HOST "$LGSS_SK -t mgs,server -g $MGSNID -m \
2631 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2632 error "could not modify keyfile on MGS"
2634 # load modified key file on MGS
2635 do_nodes $mgs_HOST "$LGSS_SK -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2636 error "could not load keyfile on MGS"
2638 # add MGS NIDs in key on client
# NOTE(review): this command runs on ${clients_arr[0]}, yet the error text
# below says "on MGS".
2639 do_nodes ${clients_arr[0]} "$LGSS_SK -g $MGSNID -m \
2640 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2641 error "could not modify keyfile on MGS"
2643 # set perms for per-nodemap keys else permission denied
# 0x3f3f3f3f sets every permission bit for possessor, user, group and other on
# each matching key, on all nodes; acceptable only on a disposable test
# cluster.
2644 do_nodes $(comma_list $(all_nodes)) \
2645 "keyctl show | grep lustre | cut -c1-11 |
2647 xargs -IX keyctl setperm X 0x3f3f3f3f"
2649 # re-mount client with mgssec=skn
# MOUNT_OPTS is extended for this one mount and restored from save_opts after.
2650 save_opts=$MOUNT_OPTS
2651 if [ -z "$MOUNT_OPTS" ]; then
2652 MOUNT_OPTS="-o mgssec=skn"
2654 MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
2656 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2657 error "mount ${clients_arr[0]} with mgssec=skn failed"
2658 MOUNT_OPTS=$save_opts
2660 # enforce ska flavor for cli2mdt
2661 set_rule $FSNAME any cli2mdt ska
2662 wait_flavor cli2mdt ska
2664 # check error message
# The test fails if the Lustre debug log (`lctl dk`) contains "faked source".
2665 $LCTL dk | grep "faked source" &&
2666 error "MGS connection srpc flags incorrect"
2670 run_test 33 "correct srpc flags for MGS connection"
# Cleanup for test 34; `stack_trap cleanup_34_deny EXIT` further down suggests
# this is the body of cleanup_34_deny. The function header and some short
# lines are missing from this listing.
# It writes $denydefault back to deny_unknown on the default nodemap and waits
# for the value to sync. $denydefault is read here but assigned by the test
# body, so it has to be visible outside that function.
# error_noexit is used on failure, so the wait below is still reached.
2673 # restore deny_unknown
2674 do_facet mgs $LCTL nodemap_modify --name default \
2675 --property deny_unknown --value $denydefault
2676 if [ $? -ne 0 ]; then
2677 error_noexit "cannot reset deny_unknown on default nodemap"
2681 wait_nm_sync default deny_unknown
# Test 34 (registered by `run_test 34` at the end): changes deny_unknown on the
# default nodemap, reads it back, and waits for the new value to sync.
# NOTE(review): deny_unknown presumably decides whether unmapped users are
# refused rather than squashed - confirm against the nodemap documentation.
# The function header, the lines that choose $denynew and some short lines are
# missing from this listing.
2688 [ $MGS_VERSION -lt $(version_code 2.12.51) ] &&
2689 skip "deny_unknown on default nm not supported before 2.12.51"
# Nodemaps are activated for the test if they were off; cleanup_active is
# registered to undo that.
2691 activedefault=$(do_facet mgs $LCTL get_param -n nodemap.active)
2693 if [[ "$activedefault" != "1" ]]; then
2694 do_facet mgs $LCTL nodemap_activate 1
2696 stack_trap cleanup_active EXIT
# Remember the current value; the cleanup writes $denydefault back.
2699 denydefault=$(do_facet mgs $LCTL get_param -n \
2700 nodemap.default.deny_unknown)
2701 [ -z "$denydefault" ] &&
2702 error "cannot get deny_unknown on default nodemap"
2703 if [ "$denydefault" -eq 0 ]; then
2709 do_facet mgs $LCTL nodemap_modify --name default \
2710 --property deny_unknown --value $denynew ||
2711 error "cannot set deny_unknown on default nodemap"
# Read the property back from the MGS; the comparison operand is on a line
# that is not visible here.
2713 [ "$(do_facet mgs $LCTL get_param -n nodemap.default.deny_unknown)" \
2715 error "setting deny_unknown on default nodemap did not work"
2717 stack_trap cleanup_34_deny EXIT
2719 wait_nm_sync default deny_unknown
2721 run_test 34 "deny_unknown on default nodemap"
# Test 35 (registered by `run_test 35` at the end): an authorization check on
# changelogs. Root on an admin client can dump and clear changelogs; after the
# clients' nodemaps c0..cN get admin=0, the same two operations must fail.
# The function header and some short lines (done / closing brace) are missing
# from this listing.
2724 (( $MDS1_VERSION >= $(version_code 2.13.50) )) ||
2725 skip "Need MDS >= 2.13.50"
2727 # activate changelogs
2728 changelog_register || error "changelog_register failed"
# First word of the CL_USERS entry for the MDS is taken as the changelog user.
2729 local cl_user="${CL_USERS[$SINGLEMDS]%% *}"
2730 changelog_users $SINGLEMDS | grep -q $cl_user ||
2731 error "User $cl_user not found in changelog_users"
2732 changelog_chmask ALL
# Create a directory and a file so there are records to dump.
2735 mkdir $DIR/$tdir || error "failed to mkdir $tdir"
2736 touch $DIR/$tdir/$tfile || error "failed to touch $tfile"
2738 # access changelogs with root
2739 changelog_dump || error "failed to dump changelogs"
2740 changelog_clear 0 || error "failed to clear changelogs"
2742 # put clients in non-admin nodemap
2744 stack_trap nodemap_test_cleanup EXIT
2745 for i in $(seq 0 $((num_clients-1))); do
2746 do_facet mgs $LCTL nodemap_modify --name c${i} \
2747 --property admin --value 0
2749 for i in $(seq 0 $((num_clients-1))); do
2750 wait_nm_sync c${i} admin_nodemap
2753 # access with mapped root
# Negative checks: `&& error` fires if the non-admin client still succeeds.
2754 changelog_dump && error "dump changelogs should have failed"
2755 changelog_clear 0 && error "clear changelogs should have failed"
2759 run_test 35 "Check permissions when accessing changelogs"
# Builds an fscrypt key payload and adds it to the session keyring (@s) as
# logon key fscrypt:4242424242424242. The enclosing function header is missing
# from this listing.
# Payload as assembled below: 4 mode bytes (all zero), 64 raw key bytes,
# then a 4-byte size field holding 0x40 in host byte order.
# The raw key is the fixed sequence 0x00..0x3f, so it offers no
# confidentiality; it is a dummy key for tests only.
2762 local mode='\x00\x00\x00\x00'
2763 local raw="$(printf ""\\\\x%02x"" {0..63})"
# Byte order of the size field is picked from lscpu's "Byte Order" line.
2767 [[ $(lscpu) =~ Byte\ Order.*Little ]] && size='\x40\x00\x00\x00' ||
2768 size='\x00\x00\x00\x40'
2769 key="${mode}${raw}${size}"
# The escape sequences are turned into bytes by `echo -e` and piped to keyctl,
# so the key material is not passed on a command line.
2770 echo -n -e "${key}" | keyctl padd logon fscrypt:4242424242424242 @s
# Flushes cached state and revokes fscrypt keys from the keyring. Several
# lines between the visible ones are missing from this listing, so the
# function boundaries here are uncertain.
# NOTE(review): dropping caches is presumably there so that decrypted pages
# and names do not stay readable from cache once the key is gone - confirm.
2775 sync ; echo 3 > /proc/sys/vm/drop_caches
# Clear the client's DLM lock LRU, then drop page/dentry/inode caches again.
2782 $LCTL set_param -n ldlm.namespaces.*.lru_size=clear
2783 sync ; echo 3 > /proc/sys/vm/drop_caches
# Field 7 of `keyctl show` is matched against "^fscrypt:"; field 1 is kept as
# the key id.
2784 dummy_key=$(keyctl show | awk '$7 ~ "^fscrypt:" {print $1}')
2785 if [ -n "$dummy_key" ]; then
# NOTE(review): $dummy_key is unquoted; if more than one fscrypt: key is
# listed, several ids are passed to a single revoke call - confirm that is
# handled.
2786 keyctl revoke $dummy_key
# Waits until the shared-key flavor in $SK_FLAVOR is in effect, either for all
# connections (all2all) or for client-to-MDT and client-to-OST separately.
# The function header and the conditions that select between the two cases
# are missing from this listing.
2792 # wait for SSK flavor to be applied if necessary
2795 wait_flavor all2all $SK_FLAVOR
2797 wait_flavor cli2mdt $SK_FLAVOR
2798 wait_flavor cli2ost $SK_FLAVOR
# Remounts $MOUNT (and $MOUNT2 when requested) with plain $MOUNT_OPTS, i.e.
# without the test_dummy_encryption option. Tests call this to look at
# encrypted files from a client that has no key.
# Some short lines (fi / closing brace and whatever follows the last mount)
# are missing from this listing.
2803 remount_client_normally() {
2804 # remount client without dummy encryption key
2805 if is_mounted $MOUNT; then
2806 umount_client $MOUNT || error "umount $MOUNT failed"
2808 mount_client $MOUNT ${MOUNT_OPTS} ||
2809 error "remount failed"
2811 if is_mounted $MOUNT2; then
2812 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
# NOTE(review): the test is on MOUNT_2 (with underscore) while the path used
# is MOUNT2; presumably MOUNT_2 is a separate "second mount wanted" flag -
# confirm.
2814 if [ "$MOUNT_2" ]; then
2815 mount_client $MOUNT2 ${MOUNT_OPTS} ||
2816 error "remount failed"
# Remounts $MOUNT with test_dummy_encryption appended to $MOUNT_OPTS, so the
# client has the dummy key again. Some lines of the body are missing from this
# listing.
# NOTE(review): the option is appended with a leading comma, which assumes
# $MOUNT_OPTS is non-empty and already starts with -o - confirm.
2823 remount_client_dummykey() {
2826 # remount client with dummy encryption key
2827 if is_mounted $MOUNT; then
2828 umount_client $MOUNT || error "umount $MOUNT failed"
2830 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
2831 error "remount failed"
# Common setup for the encryption tests: remounts $MOUNT with the
# test_dummy_encryption option. The statements after the mount (including the
# one the last comment refers to) are missing from this listing.
2836 setup_for_enc_tests() {
2837 # remount client with test_dummy_encryption option
2838 if is_mounted $MOUNT; then
2839 umount_client $MOUNT || error "umount $MOUNT failed"
2841 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
2842 error "mount with '-o test_dummy_encryption' failed"
2846 # this directory will be encrypted, because of dummy mode
# Common cleanup for the encryption tests: removes the test directory plus any
# extra paths passed as arguments, then remounts the client without the dummy
# key. The closing brace is missing from this listing.
# NOTE(review): the rm arguments are unquoted and $* is word-split, so paths
# with spaces break, and an empty $DIR and $tdir would make the first argument
# "/". A guard such as ${DIR:?}/${tdir:?} would make that case abort instead.
2850 cleanup_for_enc_tests() {
2851 rm -rf $DIR/$tdir $*
2853 remount_client_normally
# Resets the default nodemap after the encryption/nodemap tests: sets
# forbid_encryption, readonly_mount, trusted and admin to 0 (the first two
# only on MGS versions that have them), deactivates nodemaps, waits for each
# property to sync as inactive, and remounts the client.
# Some short lines (fi / closing brace) are missing from this listing.
2856 cleanup_nodemap_after_enc_tests() {
# Best effort: a failed unmount must not stop the nodemap reset below.
2857 umount_client $MOUNT || true
2859 if (( MGS_VERSION >= $(version_code 2.13.55) )); then
2860 do_facet mgs $LCTL nodemap_modify --name default \
2861 --property forbid_encryption --value 0
2862 if (( MGS_VERSION >= $(version_code 2.15.51) )); then
2863 do_facet mgs $LCTL nodemap_modify --name default \
2864 --property readonly_mount --value 0
# NOTE(review): none of the nodemap_modify calls is checked; a failed reset
# would only show up, if at all, in the wait_nm_sync calls below.
2867 do_facet mgs $LCTL nodemap_modify --name default \
2868 --property trusted --value 0
2869 do_facet mgs $LCTL nodemap_modify --name default \
2870 --property admin --value 0
2871 do_facet mgs $LCTL nodemap_activate 0
2873 if (( MGS_VERSION >= $(version_code 2.13.55) )); then
2874 wait_nm_sync default forbid_encryption '' inactive
2875 if (( MGS_VERSION >= $(version_code 2.15.51) )); then
2876 wait_nm_sync default readonly_mount '' inactive
2879 wait_nm_sync default trusted_nodemap '' inactive
2880 wait_nm_sync default admin_nodemap '' inactive
2883 mount_client $MOUNT ${MOUNT_OPTS} || error "re-mount failed"
# Test 36 (registered by `run_test 36` at the end): checks that the
# forbid_encryption property of the default nodemap decides whether a client
# may mount with test_dummy_encryption.
# The function header and some lines (including the first mount attempt with
# nodemaps inactive) are missing from this listing.
# Skip unless the client import advertises client_encryption and mount.lustre
# knows the test_dummy_encryption option.
2888 $LCTL get_param mdc.*.import | grep -q client_encryption ||
2889 skip "client encryption not supported"
2891 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
2892 skip "need dummy encryption support"
2894 stack_trap cleanup_for_enc_tests EXIT
2896 # first make sure it is possible to enable encryption
2897 # when nodemap is not active
2900 umount_client $MOUNT || error "umount $MOUNT failed (1)"
2902 # then activate nodemap, and retry
2903 # should succeed as encryption is not forbidden on default nodemap
2905 stack_trap cleanup_nodemap_after_enc_tests EXIT
2906 do_facet mgs $LCTL nodemap_activate 1
# The property is expected to default to 0, i.e. encryption allowed.
2908 forbid=$(do_facet mgs lctl get_param -n nodemap.default.forbid_encryption)
2909 [ $forbid -eq 0 ] || error "wrong default value for forbid_encryption"
2910 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
2911 error "mount '-o test_dummy_encryption' failed with default"
2912 umount_client $MOUNT || error "umount $MOUNT failed (2)"
2914 # then forbid encryption, and retry
2915 do_facet mgs $LCTL nodemap_modify --name default \
2916 --property forbid_encryption --value 1
2917 wait_nm_sync default forbid_encryption
# Negative check: with forbid_encryption=1 the encrypted mount must be refused.
2918 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption &&
2919 error "mount '-o test_dummy_encryption' should have failed"
2922 run_test 36 "control if clients can use encryption"
# Test 37 (registered by `run_test 37` at the end): writes a small file on an
# encrypted mount and checks three things: the object stored on the OST is not
# the plaintext, the client's cached view equals the plaintext, and the data
# read back from the server after dropping locks equals the plaintext.
# The function header and some lines (including the ones that set $oid) are
# missing from this listing.
# NOTE(review): $TMP/abc and $TMP/objdump are fixed names in a shared temp
# directory; mktemp would avoid collisions and pre-created files.
2925 local testfile=$DIR/$tdir/$tfile
2926 local tmpfile=$TMP/abc
2927 local objdump=$TMP/objdump
2929 $LCTL get_param mdc.*.import | grep -q client_encryption ||
2930 skip "client encryption not supported"
2932 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
2933 skip "need dummy encryption support"
2935 [ "$ost1_FSTYPE" = ldiskfs ] || skip "ldiskfs only test (using debugfs)"
2937 stack_trap cleanup_for_enc_tests EXIT
2940 # write a few bytes in file
2941 echo "abc" > $tmpfile
2942 $LFS setstripe -c1 -i0 $testfile
2943 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync
2944 do_facet ost1 "sync; sync"
2946 # check that content on ost is encrypted
# The words of the getstripe line containing "0x" are split into an array;
# element 3 is used as the object sequence and element 2 as the object id.
2947 local fid=($($LFS getstripe $testfile | grep 0x))
2948 local seq=${fid[3]#0x}
2952 if [ $seq == 0 ]; then
2955 oid_hex=${fid[2]#0x}
# Read the raw object from the OST backing device with debugfs.
2957 do_facet ost1 "$DEBUGFS -c -R 'cat O/$seq/d$(($oid % 32))/$oid_hex' \
2958 $(ostdevname 1)" > $objdump
# This only proves the stored bytes differ from the plaintext; it says nothing
# about cipher or key, and an empty or failed dump also passes.
2959 cmp -s $objdump $tmpfile &&
2960 error "file $testfile is not encrypted on ost"
2962 # check that in-memory representation of file is correct
2963 cmp -bl ${tmpfile} ${testfile} ||
2964 error "file $testfile is corrupted in memory"
2966 cancel_lru_locks osc ; cancel_lru_locks mdc
2968 # check that file read from server is correct
2969 cmp -bl ${tmpfile} ${testfile} ||
2970 error "file $testfile is corrupted on server"
2972 rm -f $tmpfile $objdump
2974 run_test 37 "simple encrypted file"
# Test 38 (registered by `run_test 38` at the end): writes a few bytes at
# offset $blksz in an encrypted file, leaving a hole before them, and checks
# that the allocated size stays within one block (or one page, if larger),
# both from cache and after dropping locks.
# The function header and some lines are missing from this listing.
2977 local testfile=$DIR/$tdir/$tfile
2978 local tmpfile=$TMP/abc
2984 local pagesz=$(getconf PAGE_SIZE)
2986 $LCTL get_param mdc.*.import | grep -q client_encryption ||
2987 skip "client encryption not supported"
2989 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
2990 skip "need dummy encryption support"
2992 stack_trap cleanup_for_enc_tests EXIT
2995 # get block size on ost
2996 blksz=$($LCTL get_param osc.$FSNAME*.import |
2997 awk '/grant_block_size:/ { print $2; exit; }')
2998 # write a few bytes in file at offset $blksz
2999 echo "abc" > $tmpfile
3000 $LFS setstripe -c1 -i0 $testfile
3001 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$blksz \
3002 oflag=seek_bytes conv=fsync
# From here on blksz is the upper bound for the allocated size: the larger of
# the OST block size and the client page size.
3004 blksz=$(($blksz > $pagesz ? $blksz : $pagesz))
3005 # check that in-memory representation of file is correct
# Allocated bytes = number of blocks (%b) times the size of each block (%B).
3006 bsize=$(stat --format=%B $testfile)
3007 filesz=$(stat --format=%b $testfile)
3008 filesz=$((filesz*bsize))
3009 [ $filesz -le $blksz ] ||
3010 error "file $testfile is $filesz long in memory"
3012 cancel_lru_locks osc ; cancel_lru_locks mdc
3014 # check that file read from server is correct
3015 bsize=$(stat --format=%B $testfile)
3016 filesz=$(stat --format=%b $testfile)
3017 filesz=$((filesz*bsize))
3018 [ $filesz -le $blksz ] ||
3019 error "file $testfile is $filesz long on server"
3023 run_test 38 "encrypted file with hole"
# Test 39 (registered by `run_test 39` at the end): writes to an encrypted
# file, then writes again at byte offset 1024 of the same page, applies the
# same second write to the plain reference file, and compares the two from
# cache and after dropping locks.
# The function header and the continuation lines of the two dd commands at
# offset 1024 are missing from this listing.
3026 local testfile=$DIR/$tdir/$tfile
3027 local tmpfile=$TMP/abc
3029 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3030 skip "client encryption not supported"
3032 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3033 skip "need dummy encryption support"
3035 stack_trap cleanup_for_enc_tests EXIT
3038 # write a few bytes in file
3039 echo "abc" > $tmpfile
3040 $LFS setstripe -c1 -i0 $testfile
3041 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync
3043 # write a few more bytes in the same page
3044 dd if=$tmpfile of=$testfile bs=4 count=1 seek=1024 oflag=seek_bytes \
3047 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=1024 oflag=seek_bytes \
3050 # check that in-memory representation of file is correct
3051 cmp -bl $tmpfile $testfile ||
3052 error "file $testfile is corrupted in memory"
3054 cancel_lru_locks osc ; cancel_lru_locks mdc
3056 # check that file read from server is correct
3057 cmp -bl $tmpfile $testfile ||
3058 error "file $testfile is corrupted on server"
3062 run_test 39 "rewrite data in already encrypted page"
# Test 40 (registered by `run_test 40` at the end): exercises the size of an
# encrypted file through five write patterns (same page, end of first page,
# start of second page, two stripes), each compared against a plain reference
# file from cache and after dropping locks. It finishes by remounting without
# the key and checking that the reported size is rounded up to the encryption
# unit.
# The function header and the continuation lines of several dd commands are
# missing from this listing.
3065 local testfile=$DIR/$tdir/$tfile
3066 local tmpfile=$TMP/abc
3067 local tmpfile2=$TMP/abc2
3070 #define LUSTRE_ENCRYPTION_UNIT_SIZE (1 << 12)
# 4096 bytes; kept in step with the C definition quoted above.
3071 local UNIT_SIZE=$((1 << 12))
3074 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3075 skip "client encryption not supported"
3077 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3078 skip "need dummy encryption support"
3080 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
3082 stack_trap cleanup_for_enc_tests EXIT
3085 # write a few bytes in file
3086 echo "abc" > $tmpfile
3087 $LFS setstripe -c1 -i0 $testfile
3088 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync
3090 # check that in-memory representation of file is correct
3091 cmp -bl $tmpfile $testfile ||
3092 error "file $testfile is corrupted in memory (1)"
3094 cancel_lru_locks osc ; cancel_lru_locks mdc
3096 # check that file read from server is correct
3097 cmp -bl $tmpfile $testfile ||
3098 error "file $testfile is corrupted on server (1)"
3100 # write a few other bytes in same page
3101 dd if=$tmpfile of=$testfile bs=4 count=1 seek=256 oflag=seek_bytes \
3104 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=256 oflag=seek_bytes \
3107 # check that in-memory representation of file is correct
3108 cmp -bl $tmpfile $testfile ||
3109 error "file $testfile is corrupted in memory (2)"
3111 cancel_lru_locks osc ; cancel_lru_locks mdc
3113 # check that file read from server is correct
3114 cmp -bl $tmpfile $testfile ||
3115 error "file $testfile is corrupted on server (2)"
3117 rm -f $testfile $tmpfile
3118 cancel_lru_locks osc ; cancel_lru_locks mdc
3120 # write a few bytes in file, at end of first page
3121 echo "abc" > $tmpfile
3122 $LFS setstripe -c1 -i0 $testfile
3123 seek=$(getconf PAGESIZE)
3125 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3128 # write a few other bytes at beginning of first page
3129 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync,notrunc
3131 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3134 # check that in-memory representation of file is correct
3135 cmp -bl $tmpfile $testfile ||
3136 error "file $testfile is corrupted in memory (3)"
3138 cancel_lru_locks osc ; cancel_lru_locks mdc
3140 # check that file read from server is correct
3141 cmp -bl $tmpfile $testfile ||
3142 error "file $testfile is corrupted on server (3)"
3144 rm -f $testfile $tmpfile
3145 cancel_lru_locks osc ; cancel_lru_locks mdc
3147 # write a few bytes in file, at beginning of second page
3148 echo "abc" > $tmpfile
3149 $LFS setstripe -c1 -i0 $testfile
3150 seek=$(getconf PAGESIZE)
3151 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3153 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3156 # write a few other bytes at end of first page
3158 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3160 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3163 # check that in-memory representation of file is correct
3164 cmp -bl $tmpfile2 $testfile ||
3165 error "file $testfile is corrupted in memory (4)"
3167 cancel_lru_locks osc ; cancel_lru_locks mdc
3169 # check that file read from server is correct
3170 cmp -bl $tmpfile2 $testfile ||
3171 error "file $testfile is corrupted on server (4)"
3173 rm -f $testfile $tmpfile $tmpfile2
3174 cancel_lru_locks osc ; cancel_lru_locks mdc
3176 # write a few bytes in file, at beginning of first stripe
3177 echo "abc" > $tmpfile
3178 $LFS setstripe -S 256k -c2 $testfile
3179 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync,notrunc
3181 # write a few other bytes, at beginning of second stripe
3182 dd if=$tmpfile of=$testfile bs=4 count=1 seek=262144 oflag=seek_bytes \
3184 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=262144 oflag=seek_bytes \
3187 # check that in-memory representation of file is correct
3188 cmp -bl $tmpfile $testfile ||
3189 error "file $testfile is corrupted in memory (5)"
3191 cancel_lru_locks osc ; cancel_lru_locks mdc
3193 # check that file read from server is correct
3194 cmp -bl $tmpfile $testfile ||
3195 error "file $testfile is corrupted on server (5)"
# Take the size seen with the key and round it up to a multiple of UNIT_SIZE;
# that is the size a client without the key is expected to report.
3197 filesz=$(stat --format=%s $testfile)
3198 filesz=$(((filesz+UNIT_SIZE-1)/UNIT_SIZE * UNIT_SIZE))
3200 # remount without dummy encryption key
3201 remount_client_normally
# Without the key the file name is not the original one, so the file is found
# by listing the regular files of the test directory (one is expected).
3203 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
3204 [ $(stat --format=%s $scrambledfile) -eq $filesz ] ||
3205 error "file size without key should be rounded up"
3209 run_test 40 "exercise size of encrypted file"
# Test 41 (registered by `run_test 41` at the end): two writes at different
# offsets to one encrypted file while an OST fail_loc is set, then a
# comparison with a reference file built with the same two writes.
# The function header, the continuation lines of several dd commands and any
# sleep/wait statements are missing from this listing.
3212 local testfile=$DIR/$tdir/$tfile
3213 local tmpfile=$TMP/abc
3214 local tmpfile2=$TMP/abc2
3217 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3218 skip "client encryption not supported"
3220 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3221 skip "need dummy encryption support"
3223 stack_trap cleanup_for_enc_tests EXIT
# Build the expected result in $tmpfile2: the same 4 bytes at PAGESIZE-204 and
# at PAGESIZE+1092.
3226 echo "abc" > $tmpfile
3227 seek=$(getconf PAGESIZE)
3228 seek=$((seek - 204))
3229 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3231 seek=$(getconf PAGESIZE)
3232 seek=$((seek + 1092))
3233 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3236 # write a few bytes in file
3237 $LFS setstripe -c1 -i0 -S 256k $testfile
3238 seek=$(getconf PAGESIZE)
3239 seek=$((seek - 204))
3240 #define OBD_FAIL_OST_WR_ATTR_DELAY 0x250
# Fault injection on ost1; judging by the name quoted above it delays the
# write's attribute update so that the second write overlaps - confirm.
3241 do_facet ost1 "$LCTL set_param fail_loc=0x250 fail_val=15"
3242 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3246 # write a few other bytes, at a different offset
3247 seek=$(getconf PAGESIZE)
3248 seek=$((seek + 1092))
3249 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3250 conv=fsync,notrunc &
# Clear the fault injection before checking results.
3252 do_facet ost1 "$LCTL set_param fail_loc=0x0"
3254 # check that in-memory representation of file is correct
3255 cmp -bl $tmpfile2 $testfile ||
3256 error "file $testfile is corrupted in memory (1)"
3258 cancel_lru_locks osc ; cancel_lru_locks mdc
3260 # check that file read from server is correct
3261 cmp -bl $tmpfile2 $testfile ||
3262 error "file $testfile is corrupted on server (1)"
3264 rm -f $tmpfile $tmpfile2
3266 run_test 41 "test race on encrypted file size (1)"
# Test 42 (registered by `run_test 42` at the end): same idea as a size race
# on an encrypted file, but the two writes come from two mount points
# ($DIR and $DIR2), both mounted with test_dummy_encryption. The result is
# compared with a reference file from both mounts and again after dropping
# locks.
# The function header, the continuation lines of several dd commands and any
# sleep/wait statements are missing from this listing.
3269 local testfile=$DIR/$tdir/$tfile
3270 local testfile2=$DIR2/$tdir/$tfile
3271 local tmpfile=$TMP/abc
3272 local tmpfile2=$TMP/abc2
3273 local pagesz=$(getconf PAGESIZE)
3276 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3277 skip "client encryption not supported"
3279 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3280 skip "need dummy encryption support"
3282 stack_trap cleanup_for_enc_tests EXIT
# The second mount point needs the dummy key as well, so it is remounted.
3285 if is_mounted $MOUNT2; then
3286 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
3288 mount_client $MOUNT2 ${MOUNT_OPTS},test_dummy_encryption ||
3289 error "mount2 with '-o test_dummy_encryption' failed"
3291 # create file by writing one whole page
3292 $LFS setstripe -c1 -i0 -S 256k $testfile
3293 dd if=/dev/zero of=$testfile bs=$pagesz count=1 conv=fsync
3295 # read file from 2nd mount point
3296 cat $testfile2 > /dev/null
# Build the expected result in $tmpfile2: one zero page plus 4 bytes at
# 2*pagesz-204 and at 2*pagesz+1092.
3298 echo "abc" > $tmpfile
3299 dd if=/dev/zero of=$tmpfile2 bs=$pagesz count=1 conv=fsync
3300 seek=$((2*pagesz - 204))
3301 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3303 seek=$((2*pagesz + 1092))
3304 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3307 # write a few bytes in file from 1st mount point
3308 seek=$((2*pagesz - 204))
3309 #define OBD_FAIL_OST_WR_ATTR_DELAY 0x250
3310 do_facet ost1 "$LCTL set_param fail_loc=0x250 fail_val=15"
3311 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3312 conv=fsync,notrunc &
3315 # write a few other bytes, at a different offset from 2nd mount point
3316 seek=$((2*pagesz + 1092))
3317 dd if=$tmpfile of=$testfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3318 conv=fsync,notrunc &
# Clear the fault injection before checking results.
3320 do_facet ost1 "$LCTL set_param fail_loc=0x0"
3322 # check that in-memory representation of file is correct
3323 cmp -bl $tmpfile2 $testfile ||
3324 error "file $testfile is corrupted in memory (1)"
3326 # check that in-memory representation of file is correct
3327 cmp -bl $tmpfile2 $testfile2 ||
3328 error "file $testfile is corrupted in memory (2)"
3330 cancel_lru_locks osc ; cancel_lru_locks mdc
3332 # check that file read from server is correct
3333 cmp -bl $tmpfile2 $testfile ||
3334 error "file $testfile is corrupted on server (1)"
3336 rm -f $tmpfile $tmpfile2
3338 run_test 42 "test race on encrypted file size (2)"
# Test 43 (registered by `run_test 43` at the end): a write beyond the first
# page is started from one mount point while the OST fail_loc is set, and the
# first page is read from a second mount point in the meantime. The read must
# return the original page; afterwards both mounts and the server copy must
# match the reference file.
# The function header, one dd continuation line and any sleep/wait statements
# are missing from this listing.
3341 local testfile=$DIR/$tdir/$tfile
3342 local testfile2=$DIR2/$tdir/$tfile
3343 local tmpfile=$TMP/abc
3344 local tmpfile2=$TMP/abc2
3345 local resfile=$TMP/res
3346 local pagesz=$(getconf PAGESIZE)
3349 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3350 skip "client encryption not supported"
3352 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3353 skip "need dummy encryption support"
3355 stack_trap cleanup_for_enc_tests EXIT
# The second mount point needs the dummy key as well, so it is remounted.
3358 if is_mounted $MOUNT2; then
3359 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
3361 mount_client $MOUNT2 ${MOUNT_OPTS},test_dummy_encryption ||
3362 error "mount2 with '-o test_dummy_encryption' failed"
# Reference content: one page filled with the character '1'.
3365 tr '\0' '1' < /dev/zero |
3366 dd of=$tmpfile bs=1 count=$pagesz conv=fsync
3367 $LFS setstripe -c1 -i0 -S 256k $testfile
3368 cp $tmpfile $testfile
3370 # read file from 2nd mount point
3371 cat $testfile2 > /dev/null
3373 # write a few bytes in file from 1st mount point
3374 echo "abc" > $tmpfile2
3375 seek=$((2*pagesz - 204))
3376 #define OBD_FAIL_OST_WR_ATTR_DELAY 0x250
3377 do_facet ost1 "$LCTL set_param fail_loc=0x250 fail_val=15"
3378 dd if=$tmpfile2 of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3379 conv=fsync,notrunc &
3382 # read file from 2nd mount point
3383 dd if=$testfile2 of=$resfile bs=$pagesz count=1 conv=fsync,notrunc
3384 cmp -bl $tmpfile $resfile ||
3385 error "file $testfile is corrupted in memory (1)"
# Clear the fault injection before the remaining checks.
3388 do_facet ost1 "$LCTL set_param fail_loc=0x0"
3390 # check that in-memory representation of file is correct
3391 dd if=$tmpfile2 of=$tmpfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3393 cmp -bl $tmpfile $testfile2 ||
3394 error "file $testfile is corrupted in memory (2)"
3396 cancel_lru_locks osc ; cancel_lru_locks mdc
3398 # check that file read from server is correct
3399 cmp -bl $tmpfile $testfile ||
3400 error "file $testfile is corrupted on server (1)"
3402 rm -f $tmpfile $tmpfile2
3404 run_test 43 "test race on encrypted file size (3)"
# Test 44 (registered by `run_test 44` at the end): direct I/O on encrypted
# files. It writes and reads with O_DIRECT, uses vmtouch to confirm that no
# page of the file is resident afterwards, and compares the data read back
# with the random input. Further cases cover a page at an offset, a file
# shorter than half a page, and mixed buffered/direct I/O over two stripes.
# The function header and some lines are missing from this listing.
# NOTE(review): $TMP/abc and $TMP/resfile are fixed names in a shared temp
# directory; mktemp would avoid collisions and pre-created files.
3407 local testfile=$DIR/$tdir/$tfile
3408 local tmpfile=$TMP/abc
3409 local resfile=$TMP/resfile
3410 local pagesz=$(getconf PAGESIZE)
3413 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3414 skip "client encryption not supported"
3416 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3417 skip "need dummy encryption support"
3419 which vmtouch || skip "This test needs vmtouch utility"
3421 # Direct I/O is now supported on encrypted files.
3423 stack_trap cleanup_for_enc_tests EXIT
3426 $LFS setstripe -c1 -i0 $testfile
3427 dd if=/dev/urandom of=$tmpfile bs=$pagesz count=2 conv=fsync
3428 dd if=$tmpfile of=$testfile bs=$pagesz count=2 oflag=direct ||
3429 error "could not write to file with O_DIRECT (1)"
# "0/2" resident pages means neither page of the file is in the page cache,
# i.e. the write did not go through buffered I/O.
3431 respage=$(vmtouch $testfile | awk '/Resident Pages:/ {print $3}')
3432 [ "$respage" == "0/2" ] ||
3433 error "write to enc file fell back to buffered IO"
3437 dd if=$testfile of=$resfile bs=$pagesz count=2 iflag=direct ||
3438 error "could not read from file with O_DIRECT (1)"
3440 respage=$(vmtouch $testfile | awk '/Resident Pages:/ {print $3}')
3441 [ "$respage" == "0/2" ] ||
3442 error "read from enc file fell back to buffered IO"
3444 cmp -bl $tmpfile $resfile ||
3445 error "file $testfile is corrupted (1)"
# Second case: one page written and read back at page index 13.
3449 $TRUNCATE $tmpfile $pagesz
3450 dd if=$tmpfile of=$testfile bs=$pagesz count=1 seek=13 oflag=direct ||
3451 error "could not write to file with O_DIRECT (2)"
3455 dd if=$testfile of=$resfile bs=$pagesz count=1 skip=13 iflag=direct ||
3456 error "could not read from file with O_DIRECT (2)"
3457 cmp -bl $tmpfile $resfile ||
3458 error "file $testfile is corrupted (2)"
3460 rm -f $testfile $resfile
3461 $LFS setstripe -c1 -i0 $testfile
# Third case: a file of pagesz/2 - 5 bytes, copied with buffered I/O and read
# back with O_DIRECT.
3463 $TRUNCATE $tmpfile $((pagesz/2 - 5))
3464 cp $tmpfile $testfile
3468 dd if=$testfile of=$resfile bs=$pagesz count=1 iflag=direct ||
3469 error "could not read from file with O_DIRECT (3)"
3470 cmp -bl $tmpfile $resfile ||
3471 error "file $testfile is corrupted (3)"
3473 rm -f $tmpfile $resfile $testfile
3475 if [ $OSTCOUNT -ge 2 ]; then
3476 dd if=/dev/urandom of=$tmpfile bs=$pagesz count=1 conv=fsync
3477 $LFS setstripe -S 256k -c2 $testfile
3479 # write in file, at beginning of first stripe, buffered IO
3480 dd if=$tmpfile of=$testfile bs=$pagesz count=1 \
3483 # write at beginning of second stripe, direct IO
3484 dd if=$tmpfile of=$testfile bs=$pagesz count=1 seek=256k \
3485 oflag=seek_bytes,direct conv=fsync,notrunc
3489 # read at beginning of first stripe, direct IO
3490 dd if=$testfile of=$resfile bs=$pagesz count=1 \
3491 iflag=direct conv=fsync
3493 cmp -bl $tmpfile $resfile ||
3494 error "file $testfile is corrupted (4)"
3496 # read at beginning of second stripe, buffered IO
3497 dd if=$testfile of=$resfile bs=$pagesz count=1 skip=256k \
3498 iflag=skip_bytes conv=fsync
3500 cmp -bl $tmpfile $resfile ||
3501 error "file $testfile is corrupted (5)"
3503 rm -f $tmpfile $resfile
3506 run_test 44 "encrypted file access semantics: direct IO"
# Test 45 (registered by `run_test 45` at the end): mmap access to an
# encrypted file. The same multiop and mmap_cat steps are run on a 512K
# zero-filled encrypted file and on a plain reference file, and the two
# mmap_cat outputs are compared.
# The multiop command strings (OSMRUc, OSMWUc) are not explained on this page.
# The function header and some lines are missing from this listing.
3509 local testfile=$DIR/$tdir/$tfile
3510 local tmpfile=$TMP/junk
3512 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3513 skip "client encryption not supported"
3515 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3516 skip "need dummy encryption support"
3518 stack_trap cleanup_for_enc_tests EXIT
3521 $LFS setstripe -c1 -i0 $testfile
3522 dd if=/dev/zero of=$testfile bs=512K count=1
3523 $MULTIOP $testfile OSMRUc || error "$MULTIOP $testfile failed (1)"
3524 $MULTIOP $testfile OSMWUc || error "$MULTIOP $testfile failed (2)"
# Reference run on a plain file in $TMP.
3526 dd if=/dev/zero of=$tmpfile bs=512K count=1
3527 $MULTIOP $tmpfile OSMWUc || error "$MULTIOP $tmpfile failed"
3528 $MMAP_CAT $tmpfile > ${tmpfile}2
3532 $MULTIOP $testfile OSMRUc
3533 $MMAP_CAT $testfile > ${testfile}2
3534 cmp -bl ${tmpfile}2 ${testfile}2 ||
3535 error "file $testfile is corrupted"
3537 rm -f $tmpfile ${tmpfile}2
3539 run_test 45 "encrypted file access semantics: MMAP"
# Test 46 (registered by `run_test 46` at the end): what a client without the
# key may do with encrypted entries. After creating files, directories, a hard
# link and a symlink with the key, the client is remounted without it and the
# test expects: stat, ls, rm and rmdir succeed; cat fails; creating new files
# or directories inside the encrypted directory fails.
# The function header and some lines are missing from this listing.
3542 local testdir=$DIR/$tdir/mydir
3543 local testfile=$testdir/myfile
3544 local testdir2=$DIR/$tdir/mydirwithaveryverylongnametotestcodebehaviour0
3545 local testfile2=$testdir/myfilewithaveryverylongnametotestcodebehaviour0
3546 # testdir3, testfile3, testhl3 and testsl3 names are 255 bytes long
3547 local testdir3=$testdir2/dir_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz012345678
3548 local testfile3=$testdir2/file_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz01234567
3549 local testhl3=$testdir2/hl_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789
3550 local testsl3=$testdir2/sl_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789
3551 local lsfile=$TMP/lsfile
3556 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3557 skip "client encryption not supported"
3559 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3560 skip "need dummy encryption support"
3562 stack_trap cleanup_for_enc_tests EXIT
3565 touch $DIR/$tdir/$tfile
3567 echo test > $testfile
3568 echo othertest > $testfile2
3569 if [[ $MDSCOUNT -gt 1 ]]; then
3570 $LFS setdirstripe -c1 -i1 $testdir2
# The inode number is recorded because the name will not be recognisable once
# the key is gone; the directory is found again by inode below.
3574 inum=$(stat -c %i $testdir2)
3575 if [ "$mds1_FSTYPE" = ldiskfs ]; then
3576 # For now, restrict this part of the test to ldiskfs backend,
3577 # as osd-zfs does not support 255 byte-long encrypted names.
3578 mkdir $testdir3 || error "cannot mkdir $testdir3"
3579 touch $testfile3 || error "cannot touch $testfile3"
3580 ln $testfile3 $testhl3 || error "cannot ln $testhl3"
3581 ln -s $testfile3 $testsl3 || error "cannot ln $testsl3"
3583 sync ; echo 3 > /proc/sys/vm/drop_caches
3585 # remount without dummy encryption key
3586 remount_client_normally
# NOTE(review): the paths found below are used unquoted (also with rm -rf and
# a glob); an empty find result or a name containing whitespace would change
# what these commands act on.
3589 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -inum $inum)
3590 stat $scrambleddir || error "stat $scrambleddir failed"
3591 if [ "$mds1_FSTYPE" = ldiskfs ]; then
3592 stat $scrambleddir/* || error "cannot stat in $scrambleddir"
3593 rm -rf $scrambleddir/* || error "cannot clean in $scrambleddir"
3595 rmdir $scrambleddir || error "rmdir $scrambleddir failed"
3597 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
3598 ls -1 $scrambleddir > $lsfile || error "ls $testdir failed (1)"
3600 scrambledfile=$scrambleddir/$(head -n 1 $lsfile)
3601 stat $scrambledfile || error "stat $scrambledfile failed (1)"
# Negative check: content must not be readable without the key, while the
# entry can still be removed.
3604 cat $scrambledfile && error "cat $scrambledfile should have failed (1)"
3605 rm -f $scrambledfile || error "rm $scrambledfile failed (1)"
3607 ls -1 $scrambleddir > $lsfile || error "ls $testdir failed (2)"
3608 scrambledfile=$scrambleddir/$(head -n 1 $lsfile)
3609 stat $scrambledfile || error "stat $scrambledfile failed (2)"
3611 cat $scrambledfile && error "cat $scrambledfile should have failed (2)"
# Negative checks: nothing new may be created inside an encrypted directory
# without the key, and no entry may be left behind by the failed attempt.
3613 touch $scrambleddir/otherfile &&
3614 error "touch otherfile should have failed"
3615 ls $scrambleddir/otherfile && error "otherfile should not exist"
3616 mkdir $scrambleddir/otherdir &&
3617 error "mkdir otherdir should have failed"
3618 ls -d $scrambleddir/otherdir && error "otherdir should not exist"
3621 rm -f $scrambledfile || error "rm $scrambledfile failed (2)"
3622 rmdir $scrambleddir || error "rmdir $scrambleddir failed"
3625 run_test 46 "encrypted file access semantics without key"
# Body of test 47 (its function header and a few structural lines are not part
# of this listing). It checks rename, hard-link and symlink semantics between
# $DIR, which the messages below call unencrypted, and $DIR/$tdir, which they
# call encrypted: first with the dummy key available, then after a remount
# without it.
3628 local testfile=$DIR/$tdir/$tfile
3629 local testfile2=$DIR/$tdir/${tfile}.2
# Lives directly under $DIR, i.e. on the unencrypted side.
3630 local tmpfile=$DIR/junk
# Skip unless the client reports encryption support and mount.lustre knows
# the test_dummy_encryption option.
3635 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3636 skip "client encryption not supported"
3638 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3639 skip "need dummy encryption support"
# Probe for filename-encryption support. name_enc, tested further down, is
# presumably set from this probe on lines the listing omits -- TODO confirm.
3641 $LCTL get_param mdc.*.connect_flags | grep -q name_encryption ||
3644 stack_trap cleanup_for_enc_tests EXIT
# An existing unencrypted file must not be renamed into the encrypted
# directory.
3647 dd if=/dev/urandom of=$tmpfile bs=512K count=1
3648 mrename $tmpfile $testfile &&
3649 error "rename from unencrypted to encrypted dir should fail"
# NOTE(review): this gives the unencrypted $tmpfile a new name inside the
# encrypted directory, so the message wording looks reversed.
3651 ln $tmpfile $testfile &&
3652 error "link from encrypted to unencrypted dir should fail"
# Copying creates a new file inside the encrypted directory and must work.
3654 cp $tmpfile $testfile ||
3655 error "cp from unencrypted to encrypted dir should succeed"
# Rename and hard link between two names inside the encrypted directory are
# allowed; both names must then read and write the same data.
3658 mrename $testfile $testfile2 ||
3659 error "rename from within encrypted dir should succeed"
3661 ln $testfile2 $testfile ||
3662 error "link from within encrypted dir should succeed"
3663 cmp -bl $testfile2 $testfile ||
3664 error "cannot read from hard link (1.1)"
3665 echo a >> $testfile || error "cannot write to hard link (1)"
3667 cmp -bl $testfile2 $testfile ||
3668 error "cannot read from hard link (1.2)"
# NOTE(review): here the encrypted $testfile2 gets an additional name in the
# unencrypted directory; the message wording again looks reversed.
3671 ln $testfile2 $tmpfile ||
3672 error "link from unencrypted to encrypted dir should succeed"
3674 cmp -bl $testfile2 $tmpfile ||
3675 error "cannot read from hard link (2.1)"
3676 echo a >> $tmpfile || error "cannot write to hard link (2)"
3678 cmp -bl $testfile2 $tmpfile ||
3679 error "cannot read from hard link (2.2)"
3682 if [ $name_enc -eq 1 ]; then
3683 # check we are limited in the number of hard links
3684 # we can create for encrypted files, to what can fit into LinkEA
# The loop stops at the first ln that fails; reaching 160 means no limit
# was hit, which is reported as an error.
3685 for i in $(seq 1 160); do
3686 ln $testfile2 ${testfile}_$i || break
3688 [ $i -lt 160 ] || error "hard link $i should fail"
# An encrypted file must not be renamed out into the unencrypted directory.
3692 mrename $testfile2 $tmpfile &&
3693 error "rename from encrypted to unencrypted dir should fail"
3695 dd if=/dev/urandom of=$tmpfile bs=512K count=1
3697 dd if=/dev/urandom of=$testfile bs=512K count=1
3698 mkdir $DIR/$tdir/mydir
# Symlinks created inside the encrypted directory, pointing first inside and
# then outside it. With the key, the reported size must equal the length of
# the target path.
3700 ln -s $testfile ${testfile}.sym ||
3701 error "symlink from within encrypted dir should succeed"
3703 cmp -bl $testfile ${testfile}.sym ||
3704 error "cannot read from sym link (1.1)"
3705 echo a >> ${testfile}.sym || error "cannot write to sym link (1)"
3707 cmp -bl $testfile ${testfile}.sym ||
3708 error "cannot read from sym link (1.2)"
3709 [ $(stat -c %s ${testfile}.sym) -eq ${#testfile} ] ||
3710 error "wrong symlink size (1)"
3712 ln -s $tmpfile ${testfile}.sl ||
3713 error "symlink from encrypted to unencrypted dir should succeed"
3715 cmp -bl $tmpfile ${testfile}.sl ||
3716 error "cannot read from sym link (2.1)"
3717 echo a >> ${testfile}.sl || error "cannot write to sym link (2)"
3719 cmp -bl $tmpfile ${testfile}.sl ||
3720 error "cannot read from sym link (2.2)"
3721 [ $(stat -c %s ${testfile}.sl) -eq ${#tmpfile} ] ||
3722 error "wrong symlink size (2)"
3723 rm -f ${testfile}.sl
# Flush dirty data and drop the page/dentry caches before giving up the key.
3725 sync ; echo 3 > /proc/sys/vm/drop_caches
3727 # remount without dummy encryption key
3728 remount_client_normally
# Without the key the original names cannot be used, so the entries are
# located by type instead.
3730 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
3731 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -type f)
3732 scrambledlink=$(find $DIR/$tdir/ -maxdepth 1 -type l)
# Negative checks: no new hard link, no rename out of, and no rename into the
# encrypted directory while the key is absent.
3733 ln $scrambledfile $scrambleddir/linkfile &&
3734 error "ln linkfile should have failed"
3735 mrename $scrambledfile $DIR/onefile2 &&
3736 error "mrename from $scrambledfile should have failed"
3738 mrename $DIR/onefile $scrambleddir/otherfile &&
3739 error "mrename to $scrambleddir should have failed"
# The symlink itself stays readable, and its reported size must match the
# length of what readlink returns in this keyless state.
3740 readlink $scrambledlink ||
3741 error "link should be read without key"
3742 [ $(stat -c %s $scrambledlink) -eq \
3743 $(expr length "$(readlink $scrambledlink)") ] ||
3744 error "wrong symlink size without key"
# With filename encryption, resolving the link target (readlink -e) must not
# succeed.
3745 if [ $name_enc -eq 1 ]; then
3746 readlink -e $scrambledlink &&
3747 error "link should not point to anywhere useful"
# Creating symlinks inside the encrypted directory must fail without the key,
# whatever the target.
3749 ln -s $scrambledfile ${scrambledfile}.sym &&
3750 error "symlink without key should fail (1)"
3751 ln -s $tmpfile ${scrambledfile}.sl &&
3752 error "symlink without key should fail (2)"
3754 rm -f $tmpfile $DIR/onefile
3756 run_test 47 "encrypted file access semantics: rename/link"
# Body of test 48a (function header and some assignments of $sz are not part
# of this listing). Every step applies the same size change to a plaintext
# reference file and to the encrypted file, then compares the two; the last
# step checks that truncate is refused once the key is gone.
3759 local save="$TMP/$TESTSUITE-$TESTNAME.parameters"
3760 local testfile=$DIR/$tdir/$tfile
# NOTE(review): fixed, predictable names under $TMP. If $TMP is a shared
# world-writable directory, names from mktemp would avoid clobbering or
# following a pre-existing file -- confirm how $TMP is provisioned.
3761 local tmpfile=$TMP/111
3762 local tmpfile2=$TMP/abc
3763 local pagesz=$(getconf PAGESIZE)
3768 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3769 skip "client encryption not supported"
3771 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3772 skip "need dummy encryption support"
3774 stack_trap cleanup_for_enc_tests EXIT
3777 # create file, 4 x PAGE_SIZE long
3778 tr '\0' '1' < /dev/zero |
3779 dd of=$tmpfile bs=1 count=4x$pagesz conv=fsync
3780 $LFS setstripe -c1 -i0 $testfile
3781 cp $tmpfile $testfile
3782 echo "abc" > $tmpfile2
3784 # decrease size: truncate to PAGE_SIZE
3785 $TRUNCATE $tmpfile $pagesz
3786 $TRUNCATE $testfile $pagesz
# Client locks are cancelled before each comparison, presumably so the data
# is read back from the servers rather than from the client cache.
3787 cancel_lru_locks osc ; cancel_lru_locks mdc
3788 cmp -bl $tmpfile $testfile ||
3789 error "file $testfile is corrupted (1)"
3791 # increase size: truncate to 2 x PAGE_SIZE
3793 $TRUNCATE $tmpfile $sz
3794 $TRUNCATE $testfile $sz
3795 cancel_lru_locks osc ; cancel_lru_locks mdc
3796 cmp -bl $tmpfile $testfile ||
3797 error "file $testfile is corrupted (2)"
# Write 4 bytes at byte offset PAGE_SIZE+100 (seek_bytes) in both files.
3800 seek=$((pagesz+100))
3801 dd if=$tmpfile2 of=$tmpfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3803 dd if=$tmpfile2 of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3805 cancel_lru_locks osc ; cancel_lru_locks mdc
3806 cmp -bl $tmpfile $testfile ||
3807 error "file $testfile is corrupted (3)"
3809 # truncate to PAGE_SIZE / 2
3811 $TRUNCATE $tmpfile $sz
3812 $TRUNCATE $testfile $sz
3813 cancel_lru_locks osc ; cancel_lru_locks mdc
3814 cmp -bl $tmpfile $testfile ||
3815 error "file $testfile is corrupted (4)"
# The "non-multiple of 16" cases presumably target sizes that do not fall on
# a cipher block boundary -- TODO confirm against the encryption mode in use.
3817 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16
3819 $TRUNCATE $tmpfile $sz
3820 $TRUNCATE $testfile $sz
3821 cancel_lru_locks osc ; cancel_lru_locks mdc
3822 cmp -bl $tmpfile $testfile ||
3823 error "file $testfile is corrupted (5)"
3825 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16
3827 $TRUNCATE $tmpfile $sz
3828 $TRUNCATE $testfile $sz
3829 cancel_lru_locks osc ; cancel_lru_locks mdc
3830 cmp -bl $tmpfile $testfile ||
3831 error "file $testfile is corrupted (6)"
3833 # truncate to a larger, non-multiple of PAGE_SIZE, in a different page
3834 sz=$((sz+pagesz+30))
3835 $TRUNCATE $tmpfile $sz
3836 $TRUNCATE $testfile $sz
3837 cancel_lru_locks osc ; cancel_lru_locks mdc
3838 cmp -bl $tmpfile $testfile ||
3839 error "file $testfile is corrupted (7)"
3841 sync ; echo 3 > /proc/sys/vm/drop_caches
3843 # remount without dummy encryption key
3844 remount_client_normally
# Negative check: a client without the key must not be able to change the
# size of an encrypted file, not even to zero.
3846 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -type f)
3847 $TRUNCATE $scrambledfile 0 &&
3848 error "truncate $scrambledfile should have failed without key"
3850 rm -f $tmpfile $tmpfile2
3852 run_test 48a "encrypted file access semantics: truncate"
# Cleanup helper for tests that mount a second client with
# test_dummy_encryption: unmounts $MOUNT on that client and mounts it again
# with the default options, so the dummy-encryption mount does not outlive the
# test. Test 48b registers it with the client name as argument; $othercli is
# presumably taken from $1 on a line this listing omits -- TODO confirm.
3854 cleanup_for_enc_tests_othercli() {
3857 # remount othercli normally
3858 zconf_umount $othercli $MOUNT ||
3859 error "umount $othercli $MOUNT failed"
3860 zconf_mount $othercli $MOUNT ||
3861 error "remount $othercli $MOUNT failed"
# Body of test 48b (function header not part of this listing): while a binary
# stored in the encrypted directory is executing on this client, a second
# client mounted with the dummy key truncates it. The file must still be
# identical to the original afterwards.
3867 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3868 skip "client encryption not supported"
3870 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3871 skip "need dummy encryption support"
3873 [ "$num_clients" -ge 2 ] || skip "Need at least 2 clients"
# Pick whichever of the first two configured clients is not this host.
3875 if [ "$HOSTNAME" == ${clients_arr[0]} ]; then
3876 othercli=${clients_arr[1]}
3878 othercli=${clients_arr[0]}
# Two traps: one for the local encryption setup, one to put the other
# client's mount back to its normal options.
3881 stack_trap cleanup_for_enc_tests EXIT
3882 stack_trap "cleanup_for_enc_tests_othercli $othercli" EXIT
3884 zconf_umount $othercli $MOUNT ||
3885 error "umount $othercli $MOUNT failed"
3887 cp /bin/sleep $DIR/$tdir/
3888 cancel_lru_locks osc ; cancel_lru_locks mdc
# Keep the copied binary running in the background during the remote truncate.
3889 $DIR/$tdir/sleep 30 &
3890 # mount and IOs must be done in the same shell session, otherwise
3891 # encryption key in session keyring is missing
3892 do_node $othercli "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
3893 $MGSNID:/$FSNAME $MOUNT && \
3894 $TRUNCATE $DIR/$tdir/sleep 7"
# The background sleep must exit cleanly, and the file content must be
# unchanged despite the truncate attempted from the other client.
3895 wait || error "wait error"
3896 cmp --silent /bin/sleep $DIR/$tdir/sleep ||
3897 error "/bin/sleep and $DIR/$tdir/sleep differ"
3899 run_test 48b "encrypted file: concurrent truncate"
# Presumably the body of trace_cmd, the helper test 49 calls (its header and
# the lines that run the command are not part of this listing). It enables
# "info" debug messages, checks the traced command's exit status, then fails
# if the kernel debug log contains a getxattr event.
3905 $LCTL set_param debug=+info
3910 [ $? -eq 0 ] || error "$cmd failed"
# Callers can narrow the search by setting MATCHING_STRING; by default any
# getxattr of the encryption context or any "get xattrs" line counts.
3912 if [ -z "$MATCHING_STRING" ]; then
3913 $LCTL dk | grep -E "get xattr 'encryption.c'|get xattrs"
3915 $LCTL dk | grep -E "$MATCHING_STRING"
# grep exiting non-zero means no such event was logged, which is the pass case.
3917 [ $? -ne 0 ] || error "get xattr event was triggered"
3921 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3922 skip "client encryption not supported"
3924 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3925 skip "need dummy encryption support"
3927 stack_trap cleanup_for_enc_tests EXIT
3930 local dirname=$DIR/$tdir/subdir
3934 trace_cmd stat $dirname
3935 trace_cmd echo a > $dirname/f1
3936 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3937 trace_cmd stat $dirname/f1
3938 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3939 trace_cmd cat $dirname/f1
3940 dd if=/dev/zero of=$dirname/f1 bs=1M count=10 conv=fsync
3941 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3942 MATCHING_STRING="get xattr 'encryption.c'" \
3943 trace_cmd $TRUNCATE $dirname/f1 10240
3944 trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
3945 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3946 trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
3948 if [[ $MDSCOUNT -gt 1 ]]; then
3949 trace_cmd $LFS setdirstripe -i 1 $dirname/d2
3950 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3951 trace_cmd $LFS migrate -m 0 $dirname/d2
3952 echo b > $dirname/d2/subf
3953 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3954 if (( "$MDS1_VERSION" > $(version_code 2.14.54.54) )); then
3955 # migrate a non-empty encrypted dir
3956 trace_cmd $LFS migrate -m 1 $dirname/d2
3957 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3958 [ -f $dirname/d2/subf ] || error "migrate failed (1)"
3959 [ $(cat $dirname/d2/subf) == "b" ] ||
3960 error "migrate failed (2)"
3963 $LFS setdirstripe -i 1 -c 1 $dirname/d3
3964 dirname=$dirname/d3/subdir
3966 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3967 trace_cmd stat $dirname
3968 trace_cmd echo c > $dirname/f1
3969 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3970 trace_cmd stat $dirname/f1
3971 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3972 trace_cmd cat $dirname/f1
3973 dd if=/dev/zero of=$dirname/f1 bs=1M count=10 conv=fsync
3974 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3975 MATCHING_STRING="get xattr 'encryption.c'" \
3976 trace_cmd $TRUNCATE $dirname/f1 10240
3977 trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
3978 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
3979 trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
3981 skip_noexit "2nd part needs >= 2 MDTs"
3984 run_test 49 "Avoid getxattr for encryption context"
3987 local testfile=$DIR/$tdir/$tfile
3988 local tmpfile=$TMP/abc
3989 local pagesz=$(getconf PAGESIZE)
3992 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3993 skip "client encryption not supported"
3995 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3996 skip "need dummy encryption support"
3998 stack_trap cleanup_for_enc_tests EXIT
4001 # write small file, data on MDT only
4002 tr '\0' '1' < /dev/zero |
4003 dd of=$tmpfile bs=1 count=5000 conv=fsync
4004 $LFS setstripe -E 1M -L mdt -E EOF $testfile
4005 cp $tmpfile $testfile
4007 # check that in-memory representation of file is correct
4008 cmp -bl $tmpfile $testfile ||
4009 error "file $testfile is corrupted in memory"
4011 remove_enc_key ; insert_enc_key
4013 # check that file read from server is correct
4014 cmp -bl $tmpfile $testfile ||
4015 error "file $testfile is corrupted on server"
4017 # decrease size: truncate to PAGE_SIZE
4018 $TRUNCATE $tmpfile $pagesz
4019 $TRUNCATE $testfile $pagesz
4020 remove_enc_key ; insert_enc_key
4021 cmp -bl $tmpfile $testfile ||
4022 error "file $testfile is corrupted (1)"
4024 # increase size: truncate to 2 x PAGE_SIZE
4026 $TRUNCATE $tmpfile $sz
4027 $TRUNCATE $testfile $sz
4028 remove_enc_key ; insert_enc_key
4029 cmp -bl $tmpfile $testfile ||
4030 error "file $testfile is corrupted (2)"
4032 # truncate to PAGE_SIZE / 2
4034 $TRUNCATE $tmpfile $sz
4035 $TRUNCATE $testfile $sz
4036 remove_enc_key ; insert_enc_key
4037 cmp -bl $tmpfile $testfile ||
4038 error "file $testfile is corrupted (3)"
4040 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16
4042 $TRUNCATE $tmpfile $sz
4043 $TRUNCATE $testfile $sz
4044 remove_enc_key ; insert_enc_key
4045 cmp -bl $tmpfile $testfile ||
4046 error "file $testfile is corrupted (4)"
4048 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16
4050 $TRUNCATE $tmpfile $sz
4051 $TRUNCATE $testfile $sz
4052 remove_enc_key ; insert_enc_key
4053 cmp -bl $tmpfile $testfile ||
4054 error "file $testfile is corrupted (5)"
4056 # truncate to a larger, non-multiple of PAGE_SIZE, in a different page
4057 sz=$((sz+pagesz+30))
4058 $TRUNCATE $tmpfile $sz
4059 $TRUNCATE $testfile $sz
4060 remove_enc_key ; insert_enc_key
4061 cmp -bl $tmpfile $testfile ||
4062 error "file $testfile is corrupted (6)"
4065 remove_enc_key ; insert_enc_key
4067 # write hole in file, data spread on MDT and OST
4068 tr '\0' '2' < /dev/zero |
4069 dd of=$tmpfile bs=1 count=1539 seek=1539074 conv=fsync,notrunc
4070 $LFS setstripe -E 1M -L mdt -E EOF $testfile
4071 cp --sparse=always $tmpfile $testfile
4073 # check that in-memory representation of file is correct
4074 cmp -bl $tmpfile $testfile ||
4075 error "file $testfile is corrupted in memory"
4077 remove_enc_key ; insert_enc_key
4079 # check that file read from server is correct
4080 cmp -bl $tmpfile $testfile ||
4081 error "file $testfile is corrupted on server"
4083 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16,
4084 # inside OST part of data
4085 sz=$((1024*1024+13))
4086 $TRUNCATE $tmpfile $sz
4087 $TRUNCATE $testfile $sz
4088 remove_enc_key ; insert_enc_key
4089 cmp -bl $tmpfile $testfile ||
4090 error "file $testfile is corrupted (7)"
4092 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16,
4093 # inside MDT part of data
4095 $TRUNCATE $tmpfile $sz
4096 $TRUNCATE $testfile $sz
4097 remove_enc_key ; insert_enc_key
4098 cmp -bl $tmpfile $testfile ||
4099 error "file $testfile is corrupted (8)"
4101 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16,
4102 # inside MDT part of data
4103 sz=$((1024*1024-13))
4104 $TRUNCATE $tmpfile $sz
4105 $TRUNCATE $testfile $sz
4106 remove_enc_key ; insert_enc_key
4107 cmp -bl $tmpfile $testfile ||
4108 error "file $testfile is corrupted (9)"
4110 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16,
4111 # inside OST part of data
4113 $TRUNCATE $tmpfile $sz
4114 $TRUNCATE $testfile $sz
4115 remove_enc_key ; insert_enc_key
4116 cmp -bl $tmpfile $testfile ||
4117 error "file $testfile is corrupted (10)"
4121 run_test 50 "DoM encrypted file"
# Body of test 51 (function header not part of this listing): checks that
# file capabilities set with setcap on binaries stored in the filesystem are
# honoured. Each case first runs the copied binary as user $ID0 without the
# capability and expects failure, then sets the capability in the permitted
# and effective sets ("ep") and expects success.
# NOTE(review): the check uses -gt while the message says "at least", so
# exactly 2.13.53 is skipped -- confirm which is intended.
4124 [ "$MDS1_VERSION" -gt $(version_code 2.13.53) ] ||
4125 skip "Need MDS version at least 2.13.53"
4127 mkdir $DIR/$tdir || error "mkdir $tdir"
# CAP_CHOWN: $ID0 tries to take ownership of a file it did not create.
4129 touch $DIR/$tdir/$tfile || error "touch $tfile"
4130 cp $(which chown) $DIR/$tdir || error "cp chown"
4131 $RUNAS_CMD -u $ID0 $DIR/$tdir/chown $ID0 $DIR/$tdir/$tfile &&
4132 error "chown $tfile should fail"
4133 setcap 'CAP_CHOWN=ep' $DIR/$tdir/chown || error "setcap CAP_CHOWN"
4134 $RUNAS_CMD -u $ID0 $DIR/$tdir/chown $ID0 $DIR/$tdir/$tfile ||
4135 error "chown $tfile"
4136 rm $DIR/$tdir/$tfile || error "rm $tfile"
# CAP_FOWNER: $ID0 tries to update timestamps on a file it does not own.
4138 touch $DIR/$tdir/$tfile || error "touch $tfile"
4139 cp $(which touch) $DIR/$tdir || error "cp touch"
4140 $RUNAS_CMD -u $ID0 $DIR/$tdir/touch $DIR/$tdir/$tfile &&
4141 error "touch should fail"
4142 setcap 'CAP_FOWNER=ep' $DIR/$tdir/touch || error "setcap CAP_FOWNER"
4143 $RUNAS_CMD -u $ID0 $DIR/$tdir/touch $DIR/$tdir/$tfile ||
4144 error "touch $tfile"
4145 rm $DIR/$tdir/$tfile || error "rm $tfile"
# CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH: $ID0 tries to read a mode-600
# file it does not own. cat is copied again on every iteration, which
# presumably also discards the capability set by the previous one, so the
# negative check starts from a binary without capabilities -- TODO confirm.
4148 for cap in "CAP_DAC_OVERRIDE" "CAP_DAC_READ_SEARCH"; do
4149 touch $DIR/$tdir/$tfile || error "touch $tfile"
4150 chmod 600 $DIR/$tdir/$tfile || error "chmod $tfile"
4151 cp $(which cat) $DIR/$tdir || error "cp cat"
4152 $RUNAS_CMD -u $ID0 $DIR/$tdir/cat $DIR/$tdir/$tfile &&
4153 error "cat should fail"
4154 setcap $cap=ep $DIR/$tdir/cat || error "setcap $cap"
4155 $RUNAS_CMD -u $ID0 $DIR/$tdir/cat $DIR/$tdir/$tfile ||
4157 rm $DIR/$tdir/$tfile || error "rm $tfile"
4160 run_test 51 "FS capabilities ==============="
4163 local testfile=$DIR/$tdir/$tfile
4164 local tmpfile=$TMP/$tfile
4165 local mirror1=$TMP/$tfile.mirror1
4166 local mirror2=$TMP/$tfile.mirror2
4168 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4169 skip "client encryption not supported"
4171 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4172 skip "need dummy encryption support"
4174 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
4176 stack_trap "cleanup_for_enc_tests $tmpfile $mirror1 $mirror2" EXIT
4179 dd if=/dev/urandom of=$tmpfile bs=5000 count=1 conv=fsync
4181 $LFS mirror create -N -i0 -N -i1 $testfile ||
4182 error "could not create mirror"
4184 dd if=$tmpfile of=$testfile bs=5000 count=1 conv=fsync ||
4185 error "could not write to $testfile"
4187 $LFS mirror resync $testfile ||
4188 error "could not resync mirror"
4190 $LFS mirror verify -v $testfile ||
4191 error "verify mirror failed"
4193 $LFS mirror read -N 1 -o $mirror1 $testfile ||
4194 error "could not read from mirror 1"
4196 cmp -bl $tmpfile $mirror1 ||
4197 error "mirror 1 is corrupted"
4199 $LFS mirror read -N 2 -o $mirror2 $testfile ||
4200 error "could not read from mirror 2"
4202 cmp -bl $tmpfile $mirror2 ||
4203 error "mirror 2 is corrupted"
4205 tr '\0' '2' < /dev/zero |
4206 dd of=$tmpfile bs=1 count=9000 conv=fsync
4208 $LFS mirror write -N 1 -i $tmpfile $testfile ||
4209 error "could not write to mirror 1"
4211 $LFS mirror verify -v $testfile &&
4212 error "mirrors should be different"
4214 rm -f $testfile $mirror1 $mirror2
4216 $LFS setstripe -c1 -i0 $testfile
4217 dd if=$tmpfile of=$testfile bs=9000 count=1 conv=fsync ||
4218 error "write to $testfile failed"
4219 $LFS getstripe $testfile
4222 $LFS migrate -i1 $testfile ||
4223 error "migrate $testfile failed"
4224 $LFS getstripe $testfile
4225 stripe=$($LFS getstripe -i $testfile)
4226 [ $stripe -eq 1 ] || error "migrate file $testfile failed"
4229 cmp -bl $tmpfile $testfile ||
4230 error "migrated file is corrupted"
4232 $LFS mirror extend -N -i0 $testfile ||
4233 error "mirror extend $testfile failed"
4234 $LFS getstripe $testfile
4235 mirror_count=$($LFS getstripe -N $testfile)
4236 [ $mirror_count -eq 2 ] ||
4237 error "mirror extend file $testfile failed (1)"
4238 stripe=$($LFS getstripe --mirror-id=1 -i $testfile)
4239 [ $stripe -eq 1 ] || error "mirror extend file $testfile failed (2)"
4240 stripe=$($LFS getstripe --mirror-id=2 -i $testfile)
4241 [ $stripe -eq 0 ] || error "mirror extend file $testfile failed (3)"
4244 $LFS mirror verify -v $testfile ||
4245 error "mirror verify failed"
4246 $LFS mirror read -N 1 -o $mirror1 $testfile ||
4247 error "read from mirror 1 failed"
4248 cmp -bl $tmpfile $mirror1 ||
4249 error "corruption of mirror 1"
4250 $LFS mirror read -N 2 -o $mirror2 $testfile ||
4251 error "read from mirror 2 failed"
4252 cmp -bl $tmpfile $mirror2 ||
4253 error "corruption of mirror 2"
4255 $LFS mirror split --mirror-id 1 -f ${testfile}.mirror $testfile &&
4256 error "mirror split -f should fail"
4258 $LFS mirror split --mirror-id 1 $testfile &&
4259 error "mirror split without -d should fail"
4261 $LFS mirror split --mirror-id 1 -d $testfile ||
4262 error "mirror split failed"
4263 $LFS getstripe $testfile
4264 mirror_count=$($LFS getstripe -N $testfile)
4265 [ $mirror_count -eq 1 ] ||
4266 error "mirror split file $testfile failed (1)"
4267 stripe=$($LFS getstripe --mirror-id=1 -i $testfile)
4268 [ -z "$stripe" ] || error "mirror extend file $testfile failed (2)"
4269 stripe=$($LFS getstripe --mirror-id=2 -i $testfile)
4270 [ $stripe -eq 0 ] || error "mirror extend file $testfile failed (3)"
4273 cmp -bl $tmpfile $testfile ||
4274 error "extended/split file is corrupted"
4276 run_test 52 "Mirrored encrypted file"
4279 local testfile=$DIR/$tdir/$tfile
4280 local testfile2=$DIR2/$tdir/$tfile
4281 local tmpfile=$TMP/$tfile.tmp
4282 local resfile=$TMP/$tfile.res
4286 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4287 skip "client encryption not supported"
4289 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4290 skip "need dummy encryption support"
4292 pagesz=$(getconf PAGESIZE)
4293 [[ $pagesz == 65536 ]] || skip "Need 64K PAGE_SIZE client"
4295 do_node $mds1_HOST \
4296 "mount.lustre --help |& grep -q 'test_dummy_encryption:'" ||
4297 skip "need dummy encryption support on MDS client mount"
4299 # this test is probably useless now, but may turn out to be useful when
4300 # Lustre supports servers with PAGE_SIZE != 4KB
4301 pagesz=$(do_node $mds1_HOST getconf PAGESIZE)
4302 [[ $pagesz == 4096 ]] || skip "Need 4K PAGE_SIZE MDS client"
4304 stack_trap cleanup_for_enc_tests EXIT
4305 stack_trap "zconf_umount $mds1_HOST $MOUNT2" EXIT
4308 $LFS setstripe -c1 -i0 $testfile
4310 # write from 1st client
4311 cat /dev/urandom | tr -dc 'a-zA-Z0-9' |
4312 dd of=$tmpfile bs=$((pagesz+3)) count=2 conv=fsync
4313 dd if=$tmpfile of=$testfile bs=$((pagesz+3)) count=2 conv=fsync ||
4314 error "could not write to $testfile (1)"
4316 # read from 2nd client
4317 # mount and IOs must be done in the same shell session, otherwise
4318 # encryption key in session keyring is missing
4319 do_node $mds1_HOST "mkdir -p $MOUNT2"
4320 do_node $mds1_HOST \
4321 "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4322 $MGSNID:/$FSNAME $MOUNT2 && \
4323 dd if=$testfile2 of=$resfile bs=$((pagesz+3)) count=2" ||
4324 error "could not read from $testfile2 (1)"
4327 filemd5=$(do_node $mds1_HOST md5sum $resfile | awk '{print $1}')
4328 [ $filemd5 = $(md5sum $tmpfile | awk '{print $1}') ] ||
4329 error "file is corrupted (1)"
4330 do_node $mds1_HOST rm -f $resfile
4333 # truncate from 2nd client
4334 $TRUNCATE $tmpfile $((pagesz+3))
4335 zconf_umount $mds1_HOST $MOUNT2 ||
4336 error "umount $mds1_HOST $MOUNT2 failed (1)"
4337 do_node $mds1_HOST "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4338 $MGSNID:/$FSNAME $MOUNT2 && \
4339 $TRUNCATE $testfile2 $((pagesz+3))" ||
4340 error "could not truncate $testfile2 (1)"
4343 cmp -bl $tmpfile $testfile ||
4344 error "file is corrupted (2)"
4345 rm -f $tmpfile $testfile
4347 zconf_umount $mds1_HOST $MOUNT2 ||
4348 error "umount $mds1_HOST $MOUNT2 failed (2)"
4351 do_node $mds1_HOST \
4352 dd if=/dev/urandom of=$tmpfile bs=$((pagesz+3)) count=2 conv=fsync
4353 # write from 2nd client
4354 do_node $mds1_HOST \
4355 "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4356 $MGSNID:/$FSNAME $MOUNT2 && \
4357 dd if=$tmpfile of=$testfile2 bs=$((pagesz+3)) count=2 conv=fsync" ||
4358 error "could not write to $testfile2 (2)"
4360 # read from 1st client
4361 dd if=$testfile of=$resfile bs=$((pagesz+3)) count=2 ||
4362 error "could not read from $testfile (2)"
4365 filemd5=$(do_node $mds1_HOST md5sum -b $tmpfile | awk '{print $1}')
4366 [ $filemd5 = $(md5sum -b $resfile | awk '{print $1}') ] ||
4367 error "file is corrupted (3)"
4371 # truncate from 1st client
4372 do_node $mds1_HOST "$TRUNCATE $tmpfile $((pagesz+3))"
4373 $TRUNCATE $testfile $((pagesz+3)) ||
4374 error "could not truncate $testfile (2)"
4377 zconf_umount $mds1_HOST $MOUNT2 ||
4378 error "umount $mds1_HOST $MOUNT2 failed (3)"
4379 do_node $mds1_HOST "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4380 $MGSNID:/$FSNAME $MOUNT2 && \
4381 cmp -bl $tmpfile $testfile2" ||
4382 error "file is corrupted (4)"
4384 do_node $mds1_HOST rm -f $tmpfile
4387 run_test 53 "Mixed PAGE_SIZE clients"
4390 local testdir=$DIR/$tdir/$ID0
4391 local testdir2=$DIR2/$tdir/$ID0
4392 local testfile=$testdir/$tfile
4393 local testfile2=$testdir/${tfile}withveryverylongnametoexercisecode
4394 local testfile3=$testdir/_${tfile}
4395 local tmpfile=$TMP/${tfile}.tmp
4396 local resfile=$TMP/${tfile}.res
4401 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4402 skip "client encryption not supported"
4404 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4405 skip "need dummy encryption support"
4407 which fscrypt || skip "This test needs fscrypt userspace tool"
4409 yes | fscrypt setup --force --verbose ||
4410 error "fscrypt global setup failed"
4411 sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
4413 yes | fscrypt setup --verbose $MOUNT ||
4414 error "fscrypt setup $MOUNT failed"
4416 chown -R $ID0:$ID0 $testdir
4418 echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
4419 --source=custom_passphrase --name=protector $testdir" ||
4420 error "fscrypt encrypt failed"
4422 echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
4423 --source=custom_passphrase --name=protector2 $testdir" &&
4424 error "second fscrypt encrypt should have failed"
4426 mkdir -p ${testdir}2 || error "mkdir ${testdir}2 failed"
4427 touch ${testdir}2/f || error "mkdir ${testdir}2/f failed"
4430 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
4431 --source=custom_passphrase --name=protector3 ${testdir}2 &&
4432 error "fscrypt encrypt on non-empty dir should have failed"
4434 $RUNAS dd if=/dev/urandom of=$testfile bs=127 count=1 conv=fsync ||
4435 error "write to encrypted file $testfile failed"
4436 cp $testfile $tmpfile
4437 $RUNAS dd if=/dev/urandom of=$testfile2 bs=127 count=1 conv=fsync ||
4438 error "write to encrypted file $testfile2 failed"
4439 $RUNAS dd if=/dev/urandom of=$testfile3 bs=127 count=1 conv=fsync ||
4440 error "write to encrypted file $testfile3 failed"
4441 $RUNAS mkdir $testdir/subdir || error "mkdir subdir failed"
4442 $RUNAS touch $testdir/subdir/subfile || error "mkdir subdir failed"
4444 $RUNAS fscrypt lock --verbose $testdir ||
4445 error "fscrypt lock $testdir failed (1)"
4447 $RUNAS ls -R $testdir || error "ls -R $testdir failed"
4448 local filecount=$($RUNAS find $testdir -type f | wc -l)
4449 [ $filecount -eq 4 ] || error "found $filecount files"
4451 # check enable_filename_encryption default value
4452 # tunable only available for client built against embedded llcrypt
4453 $LCTL get_param mdc.*.connect_flags | grep -q name_encryption &&
4454 nameenc=$(lctl get_param -n llite.*.enable_filename_encryption |
4456 # If client is built against in-kernel fscrypt, it is not possible
4457 # to decide to encrypt file names or not: they are always encrypted.
4458 if [ -n "$nameenc" ]; then
4459 [ $nameenc -eq 0 ] ||
4460 error "enable_filename_encryption should be 0 by default"
4462 # $testfile, $testfile2 and $testfile3 should exist because
4463 # names are not encrypted
4465 error "$testfile should exist because name not encrypted"
4466 [ -f $testfile2 ] ||
4467 error "$testfile2 should exist because name not encrypted"
4468 [ -f $testfile3 ] ||
4469 error "$testfile3 should exist because name not encrypted"
4471 [ $? -eq 0 ] || error "cannot stat $testfile3 without key"
4474 scrambledfiles=( $(find $testdir/ -maxdepth 1 -type f) )
4475 $RUNAS hexdump -C ${scrambledfiles[0]} &&
4476 error "reading ${scrambledfiles[0]} should fail without key"
4478 $RUNAS touch ${testfile}.nokey &&
4479 error "touch ${testfile}.nokey should have failed without key"
4481 echo mypass | $RUNAS fscrypt unlock --verbose $testdir ||
4482 error "fscrypt unlock $testdir failed (1)"
4484 $RUNAS cat $testfile > $resfile ||
4485 error "reading $testfile failed"
4487 cmp -bl $tmpfile $resfile || error "file read differs from file written"
4489 [ $? -eq 0 ] || error "cannot stat $testfile3 with key"
4491 $RUNAS fscrypt lock --verbose $testdir ||
4492 error "fscrypt lock $testdir failed (2)"
4494 $RUNAS hexdump -C ${scrambledfiles[1]} &&
4495 error "reading ${scrambledfiles[1]} should fail without key"
4497 # server local client incompatible with SSK keys installed
4498 if [ "$SHARED_KEY" != true ]; then
4500 stack_trap umount_mds_client EXIT
4501 do_facet $SINGLEMDS touch $DIR2/$tdir/newfile
4502 mdsscrambledfile=$(do_facet $SINGLEMDS find $testdir2/ \
4503 -maxdepth 1 -type f | head -n1)
4504 [ -n "$mdsscrambledfile" ] || error "could not find file"
4505 do_facet $SINGLEMDS cat "$mdsscrambledfile" &&
4506 error "reading $mdsscrambledfile should fail on MDS"
4507 do_facet $SINGLEMDS "echo aaa >> \"$mdsscrambledfile\"" &&
4508 error "writing $mdsscrambledfile should fail on MDS"
4509 do_facet $SINGLEMDS $MULTIOP $testdir2/fileA m &&
4510 error "creating $testdir2/fileA should fail on MDS"
4511 do_facet $SINGLEMDS mkdir $testdir2/dirA &&
4512 error "mkdir $testdir2/dirA should fail on MDS"
4513 do_facet $SINGLEMDS ln -s $DIR2/$tdir/newfile $testdir2/sl1 &&
4514 error "ln -s $testdir2/sl1 should fail on MDS"
4515 do_facet $SINGLEMDS ln $DIR2/$tdir/newfile $testdir2/hl1 &&
4516 error "ln $testdir2/hl1 should fail on MDS"
4517 do_facet $SINGLEMDS mv "$mdsscrambledfile" $testdir2/fB &&
4518 error "mv $mdsscrambledfile should fail on MDS"
4519 do_facet $SINGLEMDS mrename "$mdsscrambledfile" $testdir2/fB &&
4520 error "mrename $mdsscrambledfile should fail on MDS"
4521 do_facet $SINGLEMDS rm -f $DIR2/$tdir/newfile
4524 echo mypass | $RUNAS fscrypt unlock --verbose $testdir ||
4525 error "fscrypt unlock $testdir failed (2)"
4528 $RUNAS fscrypt lock --verbose $testdir ||
4529 error "fscrypt lock $testdir failed (3)"
4531 rm -rf $tmpfile $resfile $testdir ${testdir}2 $MOUNT/.fscrypt
4533 # remount client with subdirectory mount
4534 umount_client $MOUNT || error "umount $MOUNT failed (1)"
4535 export FILESET=/$tdir
4536 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed (1)"
4540 # setup encryption from inside this subdir mount
4541 # the .fscrypt directory is going to be created at the real fs root
4542 yes | fscrypt setup --verbose $MOUNT ||
4543 error "fscrypt setup $MOUNT failed (2)"
4544 testdir=$MOUNT/vault
4546 chown -R $ID0:$ID0 $testdir
4547 fid1=$(path2fid $MOUNT/.fscrypt)
4548 echo "With FILESET $tdir, .fscrypt FID is $fid1"
4550 # enable name encryption, only valid if built against embedded llcrypt
4551 if [ -n "$nameenc" ]; then
4552 do_facet mgs $LCTL set_param -P \
4553 llite.*.enable_filename_encryption=1
4555 error "set_param -P \
4556 llite.*.enable_filename_encryption failed"
4558 wait_update_facet --verbose client \
4559 "$LCTL get_param -n llite.*.enable_filename_encryption \
4561 error "enable_filename_encryption not set on client"
4564 # encrypt 'vault' dir inside the subdir mount
4565 echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
4566 --source=custom_passphrase --name=protector $testdir" ||
4567 error "fscrypt encrypt failed"
4571 $RUNAS cp $tmpfile $testdir/encfile
4573 $RUNAS fscrypt lock --verbose $testdir ||
4574 error "fscrypt lock $testdir failed (4)"
4576 # encfile should actually have its name encrypted
4577 if [ -n "$nameenc" ]; then
4578 [ -f $testdir/encfile ] &&
4579 error "encfile name should be encrypted"
4581 filecount=$(find $testdir -type f | wc -l)
4582 [ $filecount -eq 1 ] || error "found $filecount files instead of 1"
4584 # remount client with encrypted dir as subdirectory mount
4585 umount_client $MOUNT || error "umount $MOUNT failed (2)"
4586 export FILESET=/$tdir/vault
4587 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed (2)"
4591 fid2=$(path2fid $MOUNT/.fscrypt)
4592 echo "With FILESET $tdir/vault, .fscrypt FID is $fid2"
4593 [ "$fid1" == "$fid2" ] || error "fid1 $fid1 != fid2 $fid2 (1)"
4595 # all content seen by this mount is encrypted, but .fscrypt is virtually
4596 # presented, letting us call fscrypt lock/unlock
4597 echo mypass | $RUNAS fscrypt unlock --verbose $MOUNT ||
4598 error "fscrypt unlock $MOUNT failed (3)"
4601 [ $(cat $MOUNT/encfile) == "abc" ] || error "cat encfile failed"
4603 # remount client without subdir mount
4604 umount_client $MOUNT || error "umount $MOUNT failed (3)"
4605 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed (3)"
4608 fid2=$(path2fid $MOUNT/.fscrypt)
4609 echo "Without FILESET, .fscrypt FID is $fid2"
4610 [ "$fid1" == "$fid2" ] || error "fid1 $fid1 != fid2 $fid2 (2)"
4612 # because .fscrypt was actually created at the real root of the fs,
4613 # we can call fscrypt lock/unlock on the encrypted dir
4614 echo mypass | $RUNAS fscrypt unlock --verbose $DIR/$tdir/vault ||
4615 error "fscrypt unlock $$DIR/$tdir/vault failed (4)"
4618 echo c >> $DIR/$tdir/vault/encfile || error "write to encfile failed"
4620 rm -rf $DIR/$tdir/vault/*
4621 $RUNAS fscrypt lock --verbose $DIR/$tdir/vault ||
4622 error "fscrypt lock $DIR/$tdir/vault failed (5)"
4624 # disable name encryption, only valid if built against embedded llcrypt
4625 if [ -n "$nameenc" ]; then
4626 do_facet mgs $LCTL set_param -P \
4627 llite.*.enable_filename_encryption=0
4629 error "set_param -P \
4630 llite.*.enable_filename_encryption failed"
4632 wait_update_facet --verbose client \
4633 "$LCTL get_param -n llite.*.enable_filename_encryption \
4635 error "enable_filename_encryption not set back to default"
4638 rm -rf $tmpfile $MOUNT/.fscrypt
4640 run_test 54 "Encryption policies with fscrypt"
# Teardown for the seteuid access test; presumably the body of cleanup_55,
# the handler that test registers with stack_trap.
# NOTE(review): the function header, the `fi` lines and the closing brace are
# absent from this listing (the gutter numbers skip), so only the surviving
# lines are documented.
4644 if is_mounted $MOUNT; then
4645 umount_client $MOUNT || error "umount $MOUNT failed"
# Delete nodemap c0 and put the default nodemap's admin and trusted
# properties back to 0; wait_nm_sync is then called once per property.
4648 do_facet mgs $LCTL nodemap_del c0
4649 do_facet mgs $LCTL nodemap_modify --name default \
4650 --property admin --value 0
4651 do_facet mgs $LCTL nodemap_modify --name default \
4652 --property trusted --value 0
4653 wait_nm_sync default admin_nodemap
4654 wait_nm_sync default trusted_nodemap
# Turn the nodemap feature off again.
4656 do_facet mgs $LCTL nodemap_activate 0
4657 wait_nm_sync active 0
# $SHARED_KEY is executed as a command, so it is expected to hold `true` or
# `false`; an empty value would also take this branch.
4659 if $SHARED_KEY; then
4660 export SK_UNIQUE_NM=false
# Remount the client; the second mount point is only remounted when MOUNT_2
# is non-empty.
4664 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed"
4665 if [ "$MOUNT_2" ]; then
4666 mount_client $MOUNT2 ${MOUNT_OPTS} || error "remount failed"
# Test 55, "access with seteuid": checks file access through euid_access for
# $USER0 on a client that is placed in nodemap c0 with admin=0 and trusted=1.
# NOTE(review): the function header and several lines are missing from this
# listing (the gutter numbers skip); comments cover the visible lines only.
# Skipped unless the MDS version is newer than 2.12.6.2.
4672 (( $MDS1_VERSION > $(version_code 2.12.6.2) )) ||
4673 skip "Need MDS version at least 2.12.6.3"
# Two nested setgid directories with mode 770: the outer one is root:$USER0,
# the inner one $USER0:$USER0, so "other" users have no access to either.
4678 mkdir -p $DIR/$tdir/$USER0/testdir_groups
4679 chown root:$USER0 $DIR/$tdir/$USER0
4680 chmod 770 $DIR/$tdir/$USER0
4681 chmod g+s $DIR/$tdir/$USER0
4682 chown $USER0:$USER0 $DIR/$tdir/$USER0/testdir_groups
4683 chmod 770 $DIR/$tdir/$USER0/testdir_groups
4684 chmod g+s $DIR/$tdir/$USER0/testdir_groups
4686 # unmount client completely
4687 umount_client $MOUNT || error "umount $MOUNT failed"
4688 if is_mounted $MOUNT2; then
4689 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
# Set identity_upcall to NONE on every MDT node.
# NOTE(review): no visible line saves the previous value or restores it; if
# the cleanup handler does not restore it either, later tests inherit NONE.
4692 do_nodes $(comma_list $(all_mdts_nodes)) \
4693 $LCTL set_param mdt.*.identity_upcall=NONE
# Register the teardown before any nodemap state is changed.
4695 stack_trap cleanup_55 EXIT
4697 do_facet mgs $LCTL nodemap_activate 1
# Best-effort removal of a leftover c0; `|| true` deliberately ignores the
# failure when the nodemap does not exist.
4700 do_facet mgs $LCTL nodemap_del c0 || true
4701 wait_nm_sync c0 id ''
# The default nodemap gets admin=1 and trusted=1 for the duration of the test.
4703 do_facet mgs $LCTL nodemap_modify --name default \
4704 --property admin --value 1
4705 do_facet mgs $LCTL nodemap_modify --name default \
4706 --property trusted --value 1
4707 wait_nm_sync default admin_nodemap
4708 wait_nm_sync default trusted_nodemap
# Create c0 for this client's NID only, with admin=0 and trusted=1.
# NOTE(review): per the Lustre nodemap model that should mean root is squashed
# while other ids pass through unmapped; confirm against the manual.
4710 client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
4711 client_nid=$(h2nettype $client_ip)
4712 do_facet mgs $LCTL nodemap_add c0
4713 do_facet mgs $LCTL nodemap_add_range \
4714 --name c0 --range $client_nid
4715 do_facet mgs $LCTL nodemap_modify --name c0 \
4716 --property admin --value 0
4717 do_facet mgs $LCTL nodemap_modify --name c0 \
4718 --property trusted --value 1
4719 wait_nm_sync c0 admin_nodemap
4720 wait_nm_sync c0 trusted_nodemap
# $SHARED_KEY is executed as a command (expected to be `true` or `false`).
4722 if $SHARED_KEY; then
4723 export SK_UNIQUE_NM=true
4724 # set some generic fileset to trigger SSK code
4728 # remount client to take nodemap into account
4729 zconf_mount_clients $HOSTNAME $MOUNT $MOUNT_OPTS ||
4730 error "remount failed"
# The access check itself; euid_access is defined outside this listing and its
# result is not tested on the visible line.
4734 euid_access $USER0 $DIR/$tdir/$USER0/testdir_groups/file
4736 run_test 55 "access with seteuid"
# Test 56, "FIEMAP on encrypted file": the extent map of an encrypted file
# must carry the "encrypted" and "encoded" flags in filefrag output.
# NOTE(review): the function header and the setup between the trap and the
# first write are missing from this listing (gutter numbers skip).
4739 local testfile=$DIR/$tdir/$tfile
# Preconditions: not a ZFS backend, client_encryption present in the mdc
# import, mount.lustre advertising test_dummy_encryption, at least 2 OSTs.
4741 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
4743 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4744 skip "client encryption not supported"
4746 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4747 skip "need dummy encryption support"
4749 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
4751 stack_trap cleanup_for_enc_tests EXIT
# Single-stripe file filled with 3 blocks of 1M random data, flushed to disk.
4754 $LFS setstripe -c1 $testfile
4755 dd if=/dev/urandom of=$testfile bs=1M count=3 conv=fsync
# filefrag must run, and its verbose output must mention each flag at least
# once. The checks match the words anywhere in the output, not per extent.
4756 filefrag -v $testfile || error "filefrag $testfile failed"
4757 (( $(filefrag -v $testfile | grep -c encrypted) >= 1 )) ||
4758 error "filefrag $testfile does not show encrypted flag"
4759 (( $(filefrag -v $testfile | grep -c encoded) >= 1 )) ||
4760 error "filefrag $testfile does not show encoded flag"
4762 run_test 56 "FIEMAP on encrypted file"
# Test 57, "security.c/encryption.c xattr protection": user space must not be
# able to set, read or list the security.c and encryption.c xattrs on a
# directory or a file.
# NOTE(review): the function header, the `fi` lines and the lines that create
# $testdir/$testfile are missing from this listing (gutter numbers skip).
4765 local testdir=$DIR/$tdir/mytestdir
4766 local testfile=$DIR/$tdir/$tfile
4768 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
4770 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4771 skip "client encryption not supported"
4773 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4774 skip "need dummy encryption support"
# Phase 1, before the cleanup trap is registered: setting either xattr must
# fail. `cmd && error` only asserts a non-zero exit status, not the reason.
# NOTE(review): presumably this phase runs before the encrypted mount is set
# up; the lines in between are not shown, confirm.
4778 setfattr -n security.c -v myval $testdir &&
4779 error "setting xattr on $testdir should have failed (1.1)"
4780 setfattr -n encryption.c -v myval $testdir &&
4781 error "setting xattr on $testdir should have failed (1.2)"
4783 setfattr -n security.c -v myval $testfile &&
4784 error "setting xattr on $testfile should have failed (1.1)"
4785 setfattr -n encryption.c -v myval $testfile &&
4786 error "setting xattr on $testfile should have failed (1.2)"
4790 stack_trap cleanup_for_enc_tests EXIT
# Phase 2, directory: each check counts matches of an error string in the
# tool's combined output and fails when the count is 0. security.c is expected
# to yield "Operation not permitted", encryption.c "Operation not supported".
# NOTE(review): matching message text depends on the locale of the test node;
# running these commands under LC_ALL=C would make the match stable.
4794 if [ $(getfattr -n security.c $testdir 2>&1 |
4795 grep -ci "Operation not permitted") -eq 0 ]; then
4796 error "getting xattr on $testdir should have failed (1.1)"
4798 if [ $(getfattr -n encryption.c $testdir 2>&1 |
4799 grep -ci "Operation not supported") -eq 0 ]; then
4800 error "getting xattr on $testdir should have failed (1.2)"
# Listing all xattrs must not reveal either name. The backslash is unquoted,
# so the shell removes it and grep sees `security.c` with `.` as a wildcard;
# that can only over-match, which keeps the check conservative.
4802 getfattr -d -m - $testdir 2>&1 | grep security\.c &&
4803 error "listing xattrs on $testdir should not expose security.c"
4804 getfattr -d -m - $testdir 2>&1 | grep encryption\.c &&
4805 error "listing xattrs on $testdir should not expose encryption.c"
4806 if [ $(setfattr -n security.c -v myval $testdir 2>&1 |
4807 grep -ci "Operation not permitted") -eq 0 ]; then
4808 error "setting xattr on $testdir should have failed (2.1)"
4810 if [ $(setfattr -n encryption.c -v myval $testdir 2>&1 |
4811 grep -ci "Operation not supported") -eq 0 ]; then
4812 error "setting xattr on $testdir should have failed (2.2)"
# Phase 2, regular file: the same get / list / set checks as for the directory.
4815 if [ $(getfattr -n security.c $testfile 2>&1 |
4816 grep -ci "Operation not permitted") -eq 0 ]; then
4817 error "getting xattr on $testfile should have failed (1.1)"
4819 if [ $(getfattr -n encryption.c $testfile 2>&1 |
4820 grep -ci "Operation not supported") -eq 0 ]; then
4821 error "getting xattr on $testfile should have failed (1.2)"
4823 getfattr -d -m - $testfile 2>&1 | grep security\.c &&
4824 error "listing xattrs on $testfile should not expose security.c"
4825 getfattr -d -m - $testfile 2>&1 | grep encryption\.c &&
4826 error "listing xattrs on $testfile should not expose encryption.c"
4827 if [ $(setfattr -n security.c -v myval $testfile 2>&1 |
4828 grep -ci "Operation not permitted") -eq 0 ]; then
4829 error "setting xattr on $testfile should have failed (2.1)"
4831 if [ $(setfattr -n encryption.c -v myval $testfile 2>&1 |
4832 grep -ci "Operation not supported") -eq 0 ]; then
4833 error "setting xattr on $testfile should have failed (2.2)"
4837 run_test 57 "security.c/encryption.c xattr protection"
# Test 58, "access to enc file's xattrs": link EA decoding and a recursive
# listing must still work on encrypted entries after the caches are dropped.
# NOTE(review): the function header, the loop's `done` and the setup after the
# trap are missing from this listing (gutter numbers skip).
4840 local testdir=$DIR/$tdir/mytestdir
4841 local testfile=$DIR/$tdir/$tfile
4843 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
4845 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4846 skip "client encryption not supported"
4848 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4849 skip "need dummy encryption support"
4851 stack_trap cleanup_for_enc_tests EXIT
4854 touch $DIR/$tdir/$tfile
4855 mkdir $DIR/$tdir/subdir
# Writing 3 to drop_caches needs root and affects the whole node, not only
# the Lustre mount; it is done so the next reads cannot be served from cache.
4859 echo 3 > /proc/sys/vm/drop_caches
4861 ll_decode_linkea $DIR/$tdir/$tfile || error "cannot read $tfile linkea"
4862 ll_decode_linkea $DIR/$tdir/subdir || error "cannot read subdir linkea"
# Populate 1000 directories and 1000 files, plus 5 entries created by
# createmany in each directory.
4864 for ((i = 0; i < 1000; i = $((i+1)))); do
4865 mkdir -p $DIR/$tdir/d${i}
4866 touch $DIR/$tdir/f${i}
4867 createmany -m $DIR/$tdir/d${i}/f 5 > /dev/null
4872 echo 3 > /proc/sys/vm/drop_caches
# The recursive long listing has to succeed on the cold cache.
4875 ls -ailR $DIR/$tdir > /dev/null || error "fail to ls"
4877 run_test 58 "access to enc file's xattrs"
# Helper that checks a mirrored file against a reference copy; the mirror
# tests call it as `verify_mirror $testfile $tmpfile`.
# NOTE(review): the function header and the lines assigning $testfile and
# $reffile are missing from this listing; presumably they come from $1 and $2.
# The two scratch files use fixed names under $TMP.
4880 local mirror1=$TMP/$tfile.mirror1
4881 local mirror2=$TMP/$tfile.mirror2
# `lfs mirror verify` must succeed, and its output must not contain
# "only valid" (matched case-insensitively).
4885 $LFS mirror verify -vvv $testfile ||
4886 error "verifying mirror failed (1)"
4887 if [ $($LFS mirror verify -v $testfile 2>&1 |
4888 grep -ci "only valid") -ne 0 ]; then
4889 error "verifying mirror failed (2)"
# Read each mirror separately and compare it byte for byte with the reference.
4892 $LFS mirror read -N 1 -o $mirror1 $testfile ||
4893 error "read from mirror 1 failed"
4894 cmp -bl $reffile $mirror1 ||
4895 error "corruption of mirror 1"
4896 $LFS mirror read -N 2 -o $mirror2 $testfile ||
4897 error "read from mirror 2 failed"
4898 cmp -bl $reffile $mirror2 ||
4899 error "corruption of mirror 2"
# Test 59a, "mirror resync of encrypted files without key": resync and verify
# must work on a client that has no key, while reading a mirror must not.
# NOTE(review): the function header and the `fi` are missing from this listing
# (gutter numbers skip).
4903 local testfile=$DIR/$tdir/$tfile
4904 local tmpfile=$TMP/$tfile
4905 local mirror1=$TMP/$tfile.mirror1
4906 local mirror2=$TMP/$tfile.mirror2
4909 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4910 skip "client encryption not supported"
4912 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4913 skip "need dummy encryption support"
4915 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
# The double quotes expand the three paths when the trap is registered, so the
# cleanup removes exactly these files.
4917 stack_trap "cleanup_for_enc_tests $tmpfile $mirror1 $mirror2" EXIT
# Reference data: 5000 random bytes, then a two-mirror file (OST index 0 and
# 1) that receives the same bytes.
4920 dd if=/dev/urandom of=$tmpfile bs=5000 count=1 conv=fsync
4922 $LFS mirror create -N -i0 -N -i1 $testfile ||
4923 error "could not create mirror"
4924 dd if=$tmpfile of=$testfile bs=5000 count=1 conv=fsync ||
4925 error "could not write to $testfile"
4926 $LFS getstripe $testfile
4928 # remount without dummy encryption key
4929 remount_client_normally
# Without the key the file is found by listing the directory; this assumes it
# is the only regular file there.
4931 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
4932 $LFS mirror resync $scrambledfile ||
4933 error "could not resync mirror"
4935 $LFS mirror verify -vvv $scrambledfile ||
4936 error "mirror verify failed (1)"
4937 if [ $($LFS mirror verify -v $scrambledfile 2>&1 |
4938 grep -ci "only valid") -ne 0 ]; then
4939 error "mirror verify failed (2)"
# Negative check: reading mirror content without the key has to be refused.
# Only the exit status is tested, not the reason for the failure.
4942 $LFS mirror read -N 1 -o $mirror1 $scrambledfile &&
4943 error "read from mirror should fail"
# With the dummy key back, both mirrors must match the reference data.
4946 remount_client_dummykey
4947 verify_mirror $testfile $tmpfile
4949 run_test 59a "mirror resync of encrypted files without key"
# Test 59b, "migrate/extend/split of encrypted files without key": layout
# operations are performed on a client without the key, and after each one the
# content is re-checked on a client that has the dummy key.
# NOTE(review): the function header and the `fi` are missing from this listing
# (gutter numbers skip).
4952 local testfile=$DIR/$tdir/$tfile
4953 local tmpfile=$TMP/$tfile
4954 local mirror1=$TMP/$tfile.mirror1
4955 local mirror2=$TMP/$tfile.mirror2
4958 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4959 skip "client encryption not supported"
4961 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4962 skip "need dummy encryption support"
4964 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
4966 stack_trap "cleanup_for_enc_tests $tmpfile $mirror1 $mirror2" EXIT
# Reference data: 9000 bytes of the character '2', written to a single-stripe
# file on OST index 0.
4969 tr '\0' '2' < /dev/zero |
4970 dd of=$tmpfile bs=1 count=9000 conv=fsync
4972 $LFS setstripe -c1 -i0 $testfile
4973 dd if=$tmpfile of=$testfile bs=9000 count=1 conv=fsync ||
4974 error "write to $testfile failed"
4975 $LFS getstripe $testfile
4977 # remount without dummy encryption key
4978 remount_client_normally
# Step 1, without key: migrate to OST index 1 and confirm the new stripe
# index. The find assumes a single regular file in the directory.
4980 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
4981 $LFS migrate -i1 $scrambledfile ||
4982 error "migrate $scrambledfile failed"
4983 $LFS getstripe $scrambledfile
4984 stripe=$($LFS getstripe -i $scrambledfile)
4985 [ $stripe -eq 1 ] || error "migrate file $scrambledfile failed"
# With key: the migrated data must still decrypt to the reference bytes.
4989 remount_client_dummykey
4990 cmp -bl $tmpfile $testfile ||
4991 error "migrated file is corrupted"
4993 # remount without dummy encryption key
4994 remount_client_normally
# Step 2, without key: add a second mirror on OST index 0, then check the
# mirror count and the stripe index of each mirror.
4996 $LFS mirror extend -N -i0 $scrambledfile ||
4997 error "mirror extend $scrambledfile failed (1)"
4998 $LFS getstripe $scrambledfile
4999 mirror_count=$($LFS getstripe -N $scrambledfile)
5000 [ $mirror_count -eq 2 ] ||
5001 error "mirror extend file $scrambledfile failed (2)"
5002 stripe=$($LFS getstripe --mirror-id=1 -i $scrambledfile)
5003 [ $stripe -eq 1 ] ||
5004 error "mirror extend file $scrambledfile failed (3)"
5005 stripe=$($LFS getstripe --mirror-id=2 -i $scrambledfile)
5006 [ $stripe -eq 0 ] ||
5007 error "mirror extend file $scrambledfile failed (4)"
5009 $LFS mirror verify -vvv $scrambledfile ||
5010 error "mirror verify failed (1)"
5011 if [ $($LFS mirror verify -v $scrambledfile 2>&1 |
5012 grep -ci "only valid") -ne 0 ]; then
5013 error "mirror verify failed (2)"
# With key: both mirrors must match the reference data.
5017 remount_client_dummykey
5018 verify_mirror $testfile $tmpfile
5020 # remount without dummy encryption key
5021 remount_client_normally
# Step 3, without key: split off and destroy mirror 1, leaving one mirror;
# mirror id 1 must then report no stripe index and mirror id 2 index 0.
5023 $LFS mirror split --mirror-id 1 -d $scrambledfile ||
5024 error "mirror split file $scrambledfile failed (1)"
5025 $LFS getstripe $scrambledfile
5026 mirror_count=$($LFS getstripe -N $scrambledfile)
5027 [ $mirror_count -eq 1 ] ||
5028 error "mirror split file $scrambledfile failed (2)"
5029 stripe=$($LFS getstripe --mirror-id=1 -i $scrambledfile)
5030 [ -z "$stripe" ] || error "mirror split file $scrambledfile failed (3)"
5031 stripe=$($LFS getstripe --mirror-id=2 -i $scrambledfile)
5032 [ $stripe -eq 0 ] || error "mirror split file $scrambledfile failed (4)"
# With key: final content check against the reference data.
5035 remount_client_dummykey
5037 cmp -bl $tmpfile $testfile ||
5038 error "extended/split file is corrupted"
5040 run_test 59b "migrate/extend/split of encrypted files without key"
# Test 59c, "MDT migrate of encrypted files without key": a non-empty
# encrypted directory is moved to another MDT by a client that has no key, and
# its content is checked afterwards.
# NOTE(review): the function header and the lines between the stripe check and
# the final content checks are missing from this listing; presumably the
# client is remounted with the dummy key there, confirm.
5043 local dirname=$DIR/$tdir/subdir
5046 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5047 skip "client encryption not supported"
5049 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5050 skip "need dummy encryption support"
5052 [[ $MDSCOUNT -ge 2 ]] || skip_env "needs >= 2 MDTs"
5054 (( "$MDS1_VERSION" > $(version_code 2.14.54.54) )) ||
5055 skip "MDT migration not supported with older server"
5057 stack_trap cleanup_for_enc_tests EXIT
# Directory on MDT index 0 holding one small file.
5060 $LFS setdirstripe -i 0 $dirname
5061 echo b > $dirname/subf
5063 # remount without dummy encryption key
5064 remount_client_normally
# Located by listing; assumes it is the only directory at this level.
5066 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
5068 # migrate a non-empty encrypted dir
5069 $LFS migrate -m 1 $scrambleddir ||
5070 error "migrate $scrambleddir between MDTs failed (1)"
5072 stripe=$($LFS getdirstripe -i $scrambleddir)
5073 [ $stripe -eq 1 ] ||
5074 error "migrate $scrambleddir between MDTs failed (2)"
# The file must be reachable under its clear-text name and hold the original
# content. The command substitution is unquoted, so an empty file would make
# the `[` expression malformed instead of simply false.
5078 [ -f $dirname/subf ] ||
5079 error "migrate $scrambleddir between MDTs failed (3)"
5080 [ $(cat $dirname/subf) == "b" ] ||
5081 error "migrate $scrambleddir between MDTs failed (4)"
5083 run_test 59c "MDT migrate of encrypted files without key"
# Test 60, "Subdirmount of encrypted dir": an encrypted directory is mounted
# as the client's root through FILESET, listed, and then read once the dummy
# key is available.
# NOTE(review): the function header and the `fi` lines are missing from this
# listing (gutter numbers skip).
5086 local testdir=$DIR/$tdir/mytestdir
5087 local testfile=$DIR/$tdir/$tfile
5089 (( $MDS1_VERSION > $(version_code 2.14.53) )) ||
5090 skip "Need MDS version at least 2.14.53"
5092 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5093 skip "client encryption not supported"
5095 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5096 skip "need dummy encryption support"
5098 stack_trap cleanup_for_enc_tests EXIT
# Content created before the remount: one file, one subdirectory, one file in
# the subdirectory.
5101 echo a > $DIR/$tdir/file1
5102 mkdir $DIR/$tdir/subdir
5103 echo b > $DIR/$tdir/subdir/subfile1
5106 # unmount client completely
5107 umount_client $MOUNT || error "umount $MOUNT failed"
5108 if is_mounted $MOUNT2; then
5109 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
5112 # remount client with subdirectory mount
# FILESET is exported and no visible line unsets it; presumably the cleanup
# handler resets it, confirm.
5113 export FILESET=/$tdir
5114 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed"
5115 if [ "$MOUNT_2" ]; then
5116 mount_client $MOUNT2 ${MOUNT_OPTS} || error "remount failed"
# First listing, before the dummy-key remount below: it only has to succeed.
5120 ls -Rl $DIR || error "ls -Rl $DIR failed (1)"
5123 remount_client_dummykey
# Second listing and reads after the dummy-key remount. The commands read
# $DIR/file1 and $DIR/subdir/subfile1, while the error texts name the paths
# with $tdir in them.
5126 ls -Rl $DIR || error "ls -Rl $DIR failed (2)"
5127 cat $DIR/file1 || error "cat $DIR/$tdir/file1 failed"
5128 cat $DIR/subdir/subfile1 ||
5129 error "cat $DIR/$tdir/subdir/subfile1 failed"
5131 run_test 60 "Subdirmount of encrypted dir"
# Nodemap setup placed just before the read-only mount test: activates
# nodemaps and creates c0 for this client with admin=1 and trusted=1.
# NOTE(review): the function header and its call site are missing from this
# listing (gutter numbers skip); presumably test 61 invokes it, confirm.
# $SHARED_KEY is executed as a command (expected to be `true` or `false`).
5134 if $SHARED_KEY; then
5135 export SK_UNIQUE_NM=true
5139 do_facet mgs $LCTL nodemap_activate 1
# Best-effort removal of a leftover c0; `|| true` ignores a missing nodemap.
5142 do_facet mgs $LCTL nodemap_del c0 || true
5143 wait_nm_sync c0 id ''
5145 do_facet mgs $LCTL nodemap_modify --name default \
5146 --property admin --value 1
5147 do_facet mgs $LCTL nodemap_modify --name default \
5148 --property trusted --value 1
5149 wait_nm_sync default admin_nodemap
5150 wait_nm_sync default trusted_nodemap
# c0 covers only this client's NID. Both admin and trusted are set to 1, so
# the test that follows exercises the read-only restriction on a nodemap with
# both of these properties enabled.
5152 client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
5153 client_nid=$(h2nettype $client_ip)
5154 do_facet mgs $LCTL nodemap_add c0
5155 do_facet mgs $LCTL nodemap_add_range \
5156 --name c0 --range $client_nid
5157 do_facet mgs $LCTL nodemap_modify --name c0 \
5158 --property admin --value 1
5159 do_facet mgs $LCTL nodemap_modify --name c0 \
5160 --property trusted --value 1
5161 wait_nm_sync c0 admin_nodemap
5162 wait_nm_sync c0 trusted_nodemap
# Teardown for the read-only mount test; presumably the body of cleanup_61,
# which the test registers with stack_trap.
# NOTE(review): the function header and closing lines are missing from this
# listing. No visible line unmounts the client before the final mount; confirm
# whether a missing line does.
# Remove c0, which also discards its readonly_mount setting, and return the
# default nodemap's admin and trusted properties to 0.
5166 do_facet mgs $LCTL nodemap_del c0
5167 do_facet mgs $LCTL nodemap_modify --name default \
5168 --property admin --value 0
5169 do_facet mgs $LCTL nodemap_modify --name default \
5170 --property trusted --value 0
5171 wait_nm_sync default admin_nodemap
5172 wait_nm_sync default trusted_nodemap
5174 do_facet mgs $LCTL nodemap_activate 0
5175 wait_nm_sync active 0
# $SHARED_KEY is executed as a command (expected to be `true` or `false`).
5177 if $SHARED_KEY; then
5179 export SK_UNIQUE_NM=false
5182 mount_client $MOUNT ${MOUNT_OPTS} || error "re-mount failed"
# Test 61, "Nodemap enforces read-only mount": once readonly_mount is set on
# nodemap c0, every mount from this client must come up read-only, including
# one that explicitly asks for rw.
# NOTE(review): the function header, the loop's `done` and a few lines are
# missing from this listing (gutter numbers skip).
5187 local testfile=$DIR/$tdir/$tfile
# Feature probe: skip when the server does not expose the parameter. The
# variable is named `readonly`, which is also a bash builtin; legal, but easy
# to misread.
5190 readonly=$(do_facet mgs \
5191 lctl get_param -n nodemap.default.readonly_mount)
5192 [ -n "$readonly" ] ||
5193 skip "Server does not have readonly_mount nodemap flag"
5195 stack_trap cleanup_61 EXIT
5196 for idx in $(seq 1 $MDSCOUNT); do
5197 wait_recovery_complete mds$idx
5199 umount_client $MOUNT || error "umount $MOUNT failed (1)"
5201 # Activate nodemap, and mount rw.
5202 # Should succeed as rw mount is not forbidden by default.
# The flag must default to 0 on both the default nodemap and c0.
5204 readonly=$(do_facet mgs \
5205 lctl get_param -n nodemap.default.readonly_mount)
5206 [ $readonly -eq 0 ] ||
5207 error "wrong default value for readonly_mount on default nodemap"
5208 readonly=$(do_facet mgs \
5209 lctl get_param -n nodemap.c0.readonly_mount)
5210 [ $readonly -eq 0 ] ||
5211 error "wrong default value for readonly_mount on nodemap c0"
# Baseline: an explicit rw mount works and a file can be written. The findmnt
# checks match "rw," or "ro," followed by another option in the option string.
5213 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},rw ||
5214 error "mount '-o rw' failed with default"
5216 findmnt $MOUNT --output=options -n -f | grep -q "rw," ||
5217 error "should be rw mount"
5218 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
5219 echo a > $testfile || error "write $testfile failed"
5220 umount_client $MOUNT || error "umount $MOUNT failed (2)"
5222 # Now enforce read-only, and retry.
5223 do_facet mgs $LCTL nodemap_modify --name c0 \
5224 --property readonly_mount --value 1
5225 wait_nm_sync c0 readonly_mount
# Case 1, no rw/ro option: the mount succeeds but is turned into ro; reads
# work and the write must fail (only the exit status is checked).
5226 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS} ||
5227 error "mount failed"
5228 findmnt $MOUNT --output=options -n -f | grep -q "ro," ||
5229 error "mount should have been turned into ro"
5230 cat $testfile || error "read $testfile failed (1)"
5231 echo b > $testfile && error "write $testfile should fail (1)"
5232 umount_client $MOUNT || error "umount $MOUNT failed (3)"
# Case 2, explicit rw: the client request must not override the nodemap; the
# mount still reports ro and the write still fails.
5233 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},rw ||
5234 error "mount '-o rw' failed"
5235 findmnt $MOUNT --output=options -n -f | grep -q "ro," ||
5236 error "mount rw should have been turned into ro"
5237 cat $testfile || error "read $testfile failed (2)"
5238 echo b > $testfile && error "write $testfile should fail (2)"
5239 umount_client $MOUNT || error "umount $MOUNT failed (4)"
# Case 3, explicit ro: mount, read, and the write must fail.
5240 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},ro ||
5241 error "mount '-o ro' failed"
5243 cat $testfile || error "read $testfile failed (3)"
5244 echo b > $testfile && error "write $testfile should fail (3)"
5245 umount_client $MOUNT || error "umount $MOUNT failed (5)"
5247 run_test 61 "Nodemap enforces read-only mount"
# Test 62, "e2fsck with encrypted files": after encrypted files are created,
# the filesystem is stopped and e2fsck is run on one MDT and one OST device.
# NOTE(review): the function header and the setup after the trap are missing
# from this listing (gutter numbers skip).
5250 local testdir=$DIR/$tdir/mytestdir
5251 local testfile=$DIR/$tdir/$tfile
5253 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
5255 (( $MDS1_VERSION > $(version_code 2.15.51) )) ||
5256 skip "Need MDS version at least 2.15.51"
5258 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5259 skip "client encryption not supported"
5261 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5262 skip "need dummy encryption support"
5264 stack_trap cleanup_for_enc_tests EXIT
# Directory striped over all OSTs, with one empty file and one 1-byte file.
5267 lfs setstripe -c -1 $DIR/$tdir
5268 touch $DIR/$tdir/${tfile}_1 || error "touch ${tfile}_1 failed"
5269 dd if=/dev/zero of=$DIR/$tdir/${tfile}_2 bs=1 count=1 conv=fsync ||
5270 error "dd ${tfile}_2 failed"
5272 # unmount the Lustre filesystem
5273 stopall || error "stopping for e2fsck run"
5275 # run e2fsck on the MDT and OST devices
# `local var=$(cmd)` hides a failure of the helper, because the status of
# `local` replaces it.
5276 local mds_host=$(facet_active_host $SINGLEMDS)
5277 local ost_host=$(facet_active_host ost1)
5278 local mds_dev=$(mdsdevname ${SINGLEMDS//mds/})
5279 local ost_dev=$(ostdevname 1)
# "-n" is handed to run_e2fsck as the options argument (presumably e2fsck's
# read-only, answer-no mode). The helper's result is not checked on these
# lines; presumably it reports errors itself, confirm.
5281 run_e2fsck $mds_host $mds_dev "-n"
5282 run_e2fsck $ost_host $ost_dev "-n"
5284 # mount the Lustre filesystem
5285 setupall || error "remounting the filesystem failed"
5287 run_test 62 "e2fsck with encrypted files"
# Helper fragment working on the `paths` and `fids` arrays: it records the FID
# of every path, then resolves each FID back to a path and lists it.
# NOTE(review): the function header, the body of the first loop and every
# `done` are missing from this listing (gutter numbers skip).
5292 for path in "${paths[@]}"; do
# $path is unquoted inside the substitution, so a path with whitespace or
# glob characters would be split or expanded.
5300 for path in "${paths[@]}"; do
5301 fids+=("$(lfs path2fid $path)")
5306 for fid in "${fids[@]}"; do
# The result of fid2path is not checked directly; the check is that `ls` can
# stat the returned path. $respath is unquoted here as well.
5308 respath=$(lfs fid2path $MOUNT $fid)
5309 echo -e "\t" $respath
5310 ls -li $respath >/dev/null
5311 [ $? -eq 0 ] || error "fid2path $fid failed"
# Test 63, "fid2path with encrypted files": builds two fscrypt-protected
# directories, the first with filename encryption enabled and the second with
# it disabled, and collects paths in each for FID lookups.
# NOTE(review): the function header, the `fi` lines, the continuation of
# several commands and the lines that use the `paths` array are missing from
# this listing (gutter numbers skip).
# Names deliberately contain '=' and exceed the usual short-name length.
5318 local vaultdir1=$DIR/$tdir/vault1==dir
5319 local vaultdir2=$DIR/$tdir/vault2==dir
5320 local longfname1="longfilenamewitha=inthemiddletotestbehaviorregardingthedigestedform"
5321 local longdname="longdirectorynamewitha=inthemiddletotestbehaviorregardingthedigestedform"
5322 local longfname2="$longdname/${longfname1}2"
5324 (( $MDS1_VERSION > $(version_code 2.15.53) )) ||
5325 skip "Need MDS version at least 2.15.53"
5327 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5328 skip "client encryption not supported"
5330 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5331 skip "need dummy encryption support"
5333 which fscrypt || skip "This test needs fscrypt userspace tool"
# Global and per-mount fscrypt setup; failures are tolerated and reported as
# "already done". The sed expression rewrites the quoted number after
# policy_version to "2"; the file it edits is on a line missing from this
# listing. `--force` on the global setup presumably overwrites an existing
# configuration on the test node, confirm.
5335 yes | fscrypt setup --force --verbose ||
5336 echo "fscrypt global setup already done"
5337 sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
5339 yes | fscrypt setup --verbose $MOUNT ||
5340 echo "fscrypt setup $MOUNT already done"
5342 # enable_filename_encryption tunable only available for client
5343 # built against embedded llcrypt. If client is built against in-kernel
5344 # fscrypt, file names are always encrypted.
5345 $LCTL get_param mdc.*.connect_flags | grep -q name_encryption &&
5346 nameenc=$(lctl get_param -n llite.*.enable_filename_encryption |
5348 if [ -n "$nameenc" ]; then
5349 do_facet mgs $LCTL set_param -P \
5350 llite.*.enable_filename_encryption=1
5352 error "set_param -P \
5353 llite.*.enable_filename_encryption=1 failed"
5355 wait_update_facet --verbose client \
5356 "$LCTL get_param -n llite.*.enable_filename_encryption \
5358 error "enable_filename_encryption not set on client"
# First vault. The passphrase is a fixed test value supplied twice on stdin
# (entry and confirmation), so it is not passed as a command-line argument.
5362 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
5363 --source=custom_passphrase --name=protector_63_1 $vaultdir1 ||
5364 error "fscrypt encrypt $vaultdir1 failed"
5366 mkdir $vaultdir1/dirA
5367 mkdir $vaultdir1/$longdname
# Files first, then the directories, all appended to `paths`.
5368 paths=("$vaultdir1/fileA")
5369 paths+=("$vaultdir1/dirA/fileB")
5370 paths+=("$vaultdir1/$longfname1")
5371 paths+=("$vaultdir1/$longfname2")
5374 paths+=("$vaultdir1/dirA")
5375 paths+=("$vaultdir1/$longdname")
# Lock the vault so the key is no longer loaded for it.
5380 fscrypt lock --verbose $vaultdir1 ||
5381 error "fscrypt lock $vaultdir1 failed (1)"
# The second half needs the tunable, so it is only run when nameenc is set.
5385 if [ -z "$nameenc" ]; then
5386 echo "Rest of the test requires disabling name encryption"
5390 # disable name encryption
5391 do_facet mgs $LCTL set_param -P llite.*.enable_filename_encryption=0
5393 error "set_param -P llite.*.enable_filename_encryption=0 failed"
5395 wait_update_facet --verbose client \
5396 "$LCTL get_param -n llite.*.enable_filename_encryption \
5398 error "enable_filename_encryption not set back to default"
# Second vault, same layout, created with filename encryption disabled.
5401 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
5402 --source=custom_passphrase --name=protector_63_2 $vaultdir2 ||
5403 error "fscrypt encrypt $vaultdir2 failed"
5405 mkdir $vaultdir2/dirA
5406 mkdir $vaultdir2/$longdname
5409 paths=("$vaultdir2/fileA")
5410 paths+=("$vaultdir2/dirA/fileB")
5411 paths+=("$vaultdir2/$longfname1")
5412 paths+=("$vaultdir2/$longfname2")
5415 paths+=("$vaultdir2/dirA")
5416 paths+=("$vaultdir2/$longdname")
5421 fscrypt lock --verbose $vaultdir2 ||
5422 error "fscrypt lock $vaultdir2 failed (2)"
# Removes the fscrypt metadata directory at the mount root. This runs only
# when the test reaches its end; no visible trap removes it on early failure.
5426 rm -rf $MOUNT/.fscrypt
5428 run_test 63 "fid2path with encrypted files"
# Nodemap setup placed just before the RBAC tests: activates nodemaps and
# creates c0 for this client with admin=1 and trusted=1.
# NOTE(review): the function header and its call sites are missing from this
# listing (gutter numbers skip); presumably the 64x tests invoke it, confirm.
5431 do_facet mgs $LCTL nodemap_activate 1
# Best-effort removal of a leftover c0; `|| true` ignores a missing nodemap.
5434 do_facet mgs $LCTL nodemap_del c0 || true
5435 wait_nm_sync c0 id ''
5437 do_facet mgs $LCTL nodemap_modify --name default \
5438 --property admin --value 1
5439 do_facet mgs $LCTL nodemap_modify --name default \
5440 --property trusted --value 1
5441 wait_nm_sync default admin_nodemap
5442 wait_nm_sync default trusted_nodemap
# c0 covers only this client's NID. With admin and trusted both set to 1, the
# rbac property is the one the tests change on c0 afterwards.
5444 client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
5445 client_nid=$(h2nettype $client_ip)
5446 do_facet mgs $LCTL nodemap_add c0
5447 do_facet mgs $LCTL nodemap_add_range \
5448 --name c0 --range $client_nid
5449 do_facet mgs $LCTL nodemap_modify --name c0 \
5450 --property admin --value 1
5451 do_facet mgs $LCTL nodemap_modify --name c0 \
5452 --property trusted --value 1
5453 wait_nm_sync c0 admin_nodemap
5454 wait_nm_sync c0 trusted_nodemap
# Teardown for the RBAC tests; presumably the body of cleanup_64, which those
# tests register with stack_trap.
# NOTE(review): the function header and closing lines are missing from this
# listing (gutter numbers skip).
# Deleting c0 also discards whatever rbac value a test left on it.
5458 do_facet mgs $LCTL nodemap_del c0
5459 do_facet mgs $LCTL nodemap_modify --name default \
5460 --property admin --value 0
5461 do_facet mgs $LCTL nodemap_modify --name default \
5462 --property trusted --value 0
5463 wait_nm_sync default admin_nodemap
5464 wait_nm_sync default trusted_nodemap
5466 do_facet mgs $LCTL nodemap_activate 0
5467 wait_nm_sync active 0
# Test 64a, "Nodemap enforces file_perms RBAC roles": chmod, chown, chgrp and
# project changes must work while c0 has the file_perms role and must be
# refused once rbac is set to none.
# NOTE(review): the function header, most of the role list, the loop's `done`
# and the lines creating $testfile are missing from this listing.
5471 local testfile=$DIR/$tdir/$tfile
5474 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5475 skip "Need MDS >= 2.15.54 for role-based controls"
5477 stack_trap cleanup_64 EXIT
5478 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
5481 # check default value for rbac is all
# The right-hand side of =~ is quoted, so each role is matched as a literal
# substring of $rbac; a role name contained in a longer one would also match.
5482 rbac=$(do_facet mds $LCTL get_param -n nodemap.c0.rbac)
5483 for role in file_perms \
5491 [[ "$rbac" =~ "$role" ]] ||
5492 error "role '$role' not in default '$rbac'"
# Positive half: only file_perms is granted.
5495 do_facet mgs $LCTL nodemap_modify --name c0 \
5496 --property rbac --value file_perms
5497 wait_nm_sync c0 rbac
# Turns shell tracing off again on exit; presumably it is switched on by a
# line missing from this listing.
5499 stack_trap "set +vx"
5501 chmod 777 $testfile || error "chmod failed"
5502 chown $TSTUSR:$TSTUSR $testfile || error "chown failed"
5503 chgrp $TSTUSR $testfile || error "chgrp failed"
5504 $LFS project -p 1000 $testfile || error "setting project failed"
# Negative half: with no role granted the same four operations must fail.
# `cmd && error` only asserts a non-zero exit status, so a failure for an
# unrelated reason would satisfy the check too.
5507 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5508 wait_nm_sync c0 rbac
5511 chmod 777 $testfile && error "chmod should fail"
5512 chown $TSTUSR:$TSTUSR $testfile && error "chown should fail"
5513 chgrp $TSTUSR $testfile && error "chgrp should fail"
5514 $LFS project -p 1000 $testfile && error "setting project should fail"
5517 run_test 64a "Nodemap enforces file_perms RBAC roles"
# Test 64b, "Nodemap enforces dne_ops RBAC roles": directory placement,
# striping and migration across MDTs must work while the role is granted to
# c0 and must be refused once rbac is set to none.
# NOTE(review): the function header, the value given to the first rbac change
# and the cleanup between the two halves are missing from this listing
# (gutter numbers skip).
5520 local testdir=$DIR/$tdir/${tfile}.d
5523 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5524 skip "Need MDS >= 2.15.54 for role-based controls"
5526 (( MDSCOUNT >= 2 )) || skip "mdt count $MDSCOUNT, skipping dne_ops role"
5528 stack_trap cleanup_64 EXIT
5529 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
# Save the current enable_dir_restripe value (0 when empty), force it to 1 on
# all MDT nodes, and register a trap to restore it. The trap string is in
# double quotes, so the node list and the saved value are expanded when the
# trap is registered.
5532 dir_restripe=$(do_node $mds1_HOST \
5533 "$LCTL get_param -n mdt.*MDT0000.enable_dir_restripe")
5534 [ -n "$dir_restripe" ] || dir_restripe=0
5535 do_nodes $(comma_list $(all_mdts_nodes)) \
5536 $LCTL set_param mdt.*.enable_dir_restripe=1 ||
5537 error "enabling dir_restripe failed"
5538 stack_trap "do_nodes $(comma_list $(all_mdts_nodes)) \
5539 $LCTL set_param mdt.*.enable_dir_restripe=$dir_restripe" EXIT
# Positive half; the role value is on the missing continuation line,
# presumably dne_ops as in the test title.
5540 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
5542 wait_nm_sync c0 rbac
5543 $LFS mkdir -i 0 ${testdir}_for_migr ||
5544 error "$LFS mkdir ${testdir}_for_migr failed (1)"
5545 touch ${testdir}_for_migr/file001 ||
5546 error "touch ${testdir}_for_migr/file001 failed (1)"
5547 $LFS mkdir -i 0 ${testdir}_mdt0 ||
5548 error "$LFS mkdir ${testdir}_mdt0 failed (1)"
5549 $LFS mkdir -i 1 ${testdir}_mdt1 ||
5550 error "$LFS mkdir ${testdir}_mdt1 failed (1)"
# Operations expected to succeed with the role: mkdir on a chosen MDT, striped
# mkdir, setdirstripe, MDT migration, and a rename between directories created
# on different MDTs.
5552 $LFS mkdir -i 1 $testdir || error "$LFS mkdir failed (1)"
5554 $LFS mkdir -c 2 $testdir || error "$LFS mkdir failed (2)"
5557 $LFS setdirstripe -c 2 $testdir || error "$LFS setdirstripe failed"
5559 $LFS migrate -m 1 ${testdir}_for_migr || error "$LFS migrate failed"
5560 touch ${testdir}_mdt0/fileA || error "touch fileA failed (1)"
5561 mv ${testdir}_mdt0/fileA ${testdir}_mdt1/ || error "mv failed (1)"
# Fixtures are recreated while the role is still granted, so the negative half
# starts from the same state.
5564 $LFS mkdir -i 0 ${testdir}_for_migr ||
5565 error "$LFS mkdir ${testdir}_for_migr failed (2)"
5566 touch ${testdir}_for_migr/file001 ||
5567 error "touch ${testdir}_for_migr/file001 failed (2)"
5568 $LFS mkdir -i 0 ${testdir}_mdt0 ||
5569 error "$LFS mkdir ${testdir}_mdt0 failed (2)"
5570 $LFS mkdir -i 1 ${testdir}_mdt1 ||
5571 error "$LFS mkdir ${testdir}_mdt1 failed (2)"
# Negative half: with rbac set to none, the placement, striping and migration
# commands must fail, while touch and the rename are still expected to
# succeed. Only the exit status of the failing commands is checked.
5573 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5574 wait_nm_sync c0 rbac
5576 $LFS mkdir -i 1 $testdir && error "$LFS mkdir should fail (1)"
5577 $LFS mkdir -c 2 $testdir && error "$LFS mkdir should fail (2)"
5579 $LFS setdirstripe -c 2 $testdir && error "$LFS setdirstripe should fail"
5581 $LFS migrate -m 1 ${testdir}_for_migr &&
5582 error "$LFS migrate should fail"
5583 touch ${testdir}_mdt0/fileA || error "touch fileA failed (2)"
5584 mv ${testdir}_mdt0/fileA ${testdir}_mdt1/ || error "mv failed (2)"
5587 run_test 64b "Nodemap enforces dne_ops RBAC roles"
# Test 64c, registered by the run_test line that closes this block: checks that
# the "rbac" property of nodemap c0 gates lfs setquota.
# The function header and closing brace are not in this listing, and the
# embedded line numbers skip, so some statements may be missing.
5590 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5591 skip "Need MDS >= 2.15.54 for role-based controls"
# cleanup_64 is defined outside this listing; presumably it restores the
# nodemap state changed below -- confirm there, since no visible line in this
# test sets rbac back after the "none" phase.
5593 stack_trap cleanup_64 EXIT
5594 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
# Positive phase: rbac is reduced to quota_ops only, and wait_nm_sync is called
# before any quota command runs.
5597 do_facet mgs $LCTL nodemap_modify --name c0 \
5598 --property rbac --value quota_ops
5599 wait_nm_sync c0 rbac
# Each limit-setting call must succeed. The call that follows it (--delete, or
# limits of 0) undoes the setting; its exit status is not asserted.
# Covered: user (-u), group (-g), project id 1000 (-p), the -U/-G/-P forms,
# and the -D form for user, group and project.
5601 $LFS setquota -u $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT ||
5602 error "lfs setquota -u failed"
5603 $LFS setquota -u $USER0 --delete $MOUNT
5604 $LFS setquota -g $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT ||
5605 error "lfs setquota -g failed"
5606 $LFS setquota -g $USER0 --delete $MOUNT
5607 $LFS setquota -p 1000 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT ||
5608 error "lfs setquota -p failed"
5609 $LFS setquota -p 1000 --delete $MOUNT
5611 $LFS setquota -U -b 10G -B 11G -i 100K -I 105K $MOUNT ||
5612 error "lfs setquota -U failed"
5613 $LFS setquota -U -b 0 -B 0 -i 0 -I 0 $MOUNT
5614 $LFS setquota -G -b 10G -B 11G -i 100K -I 105K $MOUNT ||
5615 error "lfs setquota -G failed"
5616 $LFS setquota -G -b 0 -B 0 -i 0 -I 0 $MOUNT
5617 $LFS setquota -P -b 10G -B 11G -i 100K -I 105K $MOUNT ||
5618 error "lfs setquota -P failed"
5619 $LFS setquota -P -b 0 -B 0 -i 0 -I 0 $MOUNT
5620 $LFS setquota -u $USER0 -D $MOUNT ||
5621 error "lfs setquota -u -D failed"
5622 $LFS setquota -u $USER0 --delete $MOUNT
5623 $LFS setquota -g $USER0 -D $MOUNT ||
5624 error "lfs setquota -g -D failed"
5625 $LFS setquota -g $USER0 --delete $MOUNT
5626 $LFS setquota -p 1000 -D $MOUNT ||
5627 error "lfs setquota -p -D failed"
5628 $LFS setquota -p 1000 --delete $MOUNT
# Negative phase: rbac is set to none, so every limit-setting call below is
# expected to be refused.
5631 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5632 wait_nm_sync c0 rbac
# "cmd && error ..." fails the test only when cmd succeeds. Any failure counts
# as a pass, so these lines do not prove the command failed because the role
# was missing rather than for another reason.
# NOTE(review): asserting on the reported error would make the denial checks
# stricter.
# The unchecked --delete calls are kept from the positive phase; no reset to 0
# follows the -U/-G/-P checks here.
5635 $LFS setquota -u $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT &&
5636 error "lfs setquota -u should fail"
5637 $LFS setquota -u $USER0 --delete $MOUNT
5638 $LFS setquota -g $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT &&
5639 error "lfs setquota -g should fail"
5640 $LFS setquota -g $USER0 --delete $MOUNT
5641 $LFS setquota -p 1000 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT &&
5642 error "lfs setquota -p should fail"
5643 $LFS setquota -p 1000 --delete $MOUNT
5645 $LFS setquota -U -b 10G -B 11G -i 100K -I 105K $MOUNT &&
5646 error "lfs setquota -U should fail"
5647 $LFS setquota -G -b 10G -B 11G -i 100K -I 105K $MOUNT &&
5648 error "lfs setquota -G should fail"
5649 $LFS setquota -P -b 10G -B 11G -i 100K -I 105K $MOUNT &&
5650 error "lfs setquota -P should fail"
5651 $LFS setquota -u $USER0 -D $MOUNT &&
5652 error "lfs setquota -u -D should fail"
5653 $LFS setquota -u $USER0 --delete $MOUNT
5654 $LFS setquota -g $USER0 -D $MOUNT &&
5655 error "lfs setquota -g -D should fail"
5656 $LFS setquota -g $USER0 --delete $MOUNT
5657 $LFS setquota -p 1000 -D $MOUNT &&
5658 error "lfs setquota -p -D should fail"
5659 $LFS setquota -p 1000 --delete $MOUNT
5662 run_test 64c "Nodemap enforces quota_ops RBAC roles"
# Test 64d, registered by the run_test line that closes this block: checks that
# the byfid_ops role on nodemap c0 gates access to files by FID.
# The function header, the closing brace and the step that creates $testfile
# are not in this listing (the embedded line numbers skip).
5665 local testfile=$DIR/$tdir/$tfile
5668 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5669 skip "Need MDS >= 2.15.54 for role-based controls"
# cleanup_64 is defined outside this listing; presumably it restores the
# nodemap state -- confirm there.
5671 stack_trap cleanup_64 EXIT
5672 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
# Positive phase: rbac is reduced to byfid_ops only.
5675 do_facet mgs $LCTL nodemap_modify --name c0 \
5676 --property rbac --value byfid_ops
5677 wait_nm_sync c0 rbac
# NOTE(review): path2fid and rmfid run through a bare "lfs" resolved via PATH,
# while fid2path uses $LFS; using $LFS throughout would keep the whole test on
# one binary. The result of path2fid is not checked directly, and no
# "local fid" is visible (it may be on a line missing from this listing).
5680 fid=$(lfs path2fid $testfile)
# With byfid_ops granted, resolving the FID, reading the file through
# .lustre/fid and removing it by FID must all succeed.
5682 $LFS fid2path $MOUNT $fid || error "fid2path $fid failed (1)"
5683 cat $MOUNT/.lustre/fid/$fid || error "cat by fid failed"
5684 lfs rmfid $MOUNT $fid || error "lfs rmfid failed"
# Negative phase: rbac is set to none.
5687 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5688 wait_nm_sync c0 rbac
5691 fid=$(lfs path2fid $testfile)
# fid2path is still required to succeed without the role; reading through
# .lustre/fid and rmfid must now fail. "cmd && error ..." accepts any failure
# as a pass, so it does not show that the failure was a permission denial.
5693 $LFS fid2path $MOUNT $fid || error "fid2path $fid failed (2)"
5694 cat $MOUNT/.lustre/fid/$fid && error "cat by fid should fail"
5695 lfs rmfid $MOUNT $fid && error "lfs rmfid should fail"
5699 run_test 64d "Nodemap enforces byfid_ops RBAC roles"
# Test 64e, registered by the run_test line that closes this block: checks that
# the chlg_ops role on nodemap c0 gates dumping and clearing changelogs.
# The function header and closing brace are not in this listing, and the
# embedded line numbers skip, so some statements may be missing.
5702 local testfile=$DIR/$tdir/$tfile
5703 local testdir=$DIR/$tdir/${tfile}.d
5705 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5706 skip "Need MDS >= 2.15.54 for role-based controls"
# cleanup_64 is defined outside this listing; presumably it restores the
# nodemap state -- confirm there.
5708 stack_trap cleanup_64 EXIT
5709 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
# Register a changelog user. cl_user is the text of CL_USERS[$SINGLEMDS] up to
# its first space, and it must show up in the changelog_users output.
# No deregistration is visible here; it may be handled by the framework or on
# a line missing from this listing -- confirm.
5712 # activate changelogs
5713 changelog_register || error "changelog_register failed"
5714 local cl_user="${CL_USERS[$SINGLEMDS]%% *}"
5715 changelog_users $SINGLEMDS | grep -q $cl_user ||
5716 error "User $cl_user not found in changelog_users"
5717 changelog_chmask ALL
# Create a directory and a file, presumably so there are records to dump.
5720 mkdir $testdir || error "failed to mkdir $testdir"
5721 touch $testfile || error "failed to touch $testfile"
# Positive phase: rbac is reduced to chlg_ops only; dump and clear must work.
5723 do_facet mgs $LCTL nodemap_modify --name c0 \
5724 --property rbac --value chlg_ops
5725 wait_nm_sync c0 rbac
5728 echo "changelogs dump"
5729 changelog_dump || error "failed to dump changelogs"
5730 echo "changelogs clear"
5731 changelog_clear 0 || error "failed to clear changelogs"
5733 rm -rf $testdir $testfile || error "rm -rf $testdir $testfile failed"
# Negative phase: rbac is set to none; the same dump and clear must now fail.
5735 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5736 wait_nm_sync c0 rbac
5739 mkdir $testdir || error "failed to mkdir $testdir"
5740 touch $testfile || error "failed to touch $testfile"
# "cmd && error ..." accepts any failure of changelog_dump / changelog_clear as
# a pass; it does not show that the failure was a permission denial.
5743 echo "changelogs dump"
5744 changelog_dump && error "dump changelogs should fail"
5745 echo "changelogs clear"
5746 changelog_clear 0 && error "clear changelogs should fail"
5747 rm -rf $testdir $testfile
# Restore every role on c0 before the test ends.
5749 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value all
5750 wait_nm_sync c0 rbac
5752 run_test 64e "Nodemap enforces chlg_ops RBAC roles"
# Test 64f, registered by the run_test line that closes this block: checks that
# the fscrypt_admin role on nodemap c0 gates creating and destroying fscrypt
# metadata, while unlock and lock still work without it.
# The function header, closing brace, other local declarations and the step
# that creates $vaultdir are not in this listing (the line numbers skip).
5755 local vaultdir=$DIR/$tdir/vault
5760 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5761 skip "Need MDS >= 2.15.54 for role-based controls"
# Skip when no mdc import reports client_encryption, or when the fscrypt tool
# is not installed.
# NOTE(review): "command -v fscrypt" is the shell builtin equivalent of "which"
# and does not depend on an external program.
5763 cli_enc=$($LCTL get_param mdc.*.import | grep client_encryption)
5764 [ -n "$cli_enc" ] || skip "Need enc support, skip fscrypt_admin role"
5765 which fscrypt || skip "Need fscrypt, skip fscrypt_admin role"
# cleanup_64 is defined outside this listing; presumably it restores the
# nodemap state -- confirm there.
5767 stack_trap cleanup_64 EXIT
5768 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
# Global fscrypt setup, run with --force and auto-answered by "yes". Any
# failure is reported as "already done", so a real setup error is not
# distinguished from an existing configuration.
5771 yes | fscrypt setup --force --verbose ||
5772 echo "fscrypt global setup already done"
# The sed expression rewrites the quoted number after "policy_version" to "2",
# in place. Its file operand is on a continuation line missing from this
# listing -- presumably the fscrypt configuration file; confirm.
5773 sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
5775 yes | fscrypt setup --verbose $MOUNT ||
5776 echo "fscrypt setup $MOUNT already done"
# The trap string is double-quoted, so $MOUNT is expanded when the trap is
# registered. NOTE(review): an empty MOUNT would make this "rm -rf /.fscrypt";
# "${MOUNT:?}" would abort instead.
5777 stack_trap "rm -rf $MOUNT/.fscrypt"
# Phase 1: fscrypt_admin plus file_perms. Encrypting a directory must succeed.
5779 # file_perms is required because fscrypt uses chmod/chown
5780 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
5781 --value fscrypt_admin,file_perms
5782 wait_nm_sync c0 rbac
# 'mypass' is a fixed test passphrase, fed twice on stdin to a
# custom_passphrase protector named protector_64.
5786 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
5787 --source=custom_passphrase --name=protector_64 $vaultdir ||
5788 error "fscrypt encrypt $vaultdir failed"
5789 fscrypt lock $vaultdir || error "fscrypt lock $vaultdir failed (1)"
# policy: second field of the "Policy:" line of "fscrypt status".
# protector: first field of every line after the one whose first field is
# "PROTECTOR"; more than one such line would yield more than one value.
5790 policy=$(fscrypt status $vaultdir | awk '$1 == "Policy:"{print $2}')
5791 [ -n "$policy" ] || error "could not get enc policy"
5792 protector=$(fscrypt status $vaultdir |
5793 awk 'BEGIN {found=0} { if (found == 1) { print $1 }} \
5794 $1 == "PROTECTOR" {found=1}')
5795 [ -n "$protector" ] || error "could not get enc protector"
# Phase 2: the --value argument of the next nodemap_modify is on a line
# missing from this listing; from the checks that follow, the role set
# presumably keeps file_perms and drops fscrypt_admin -- confirm.
5799 # file_perms is required because fscrypt uses chmod/chown
5800 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
5802 wait_nm_sync c0 rbac
# Unlock and lock of the existing vault must still succeed; destroying the
# protector or the policy, and encrypting a second directory, must fail.
# "cmd && error ..." accepts any failure as a pass, so these lines do not show
# that the failure was a permission denial.
5805 echo mypass | fscrypt unlock $vaultdir ||
5806 error "fscrypt unlock $vaultdir failed"
5807 fscrypt lock $vaultdir || error "fscrypt lock $vaultdir failed (2)"
5808 fscrypt metadata destroy --protector=$MOUNT:$protector --force &&
5809 error "destroy protector should fail"
5810 fscrypt metadata destroy --policy=$MOUNT:$policy --force &&
5811 error "destroy policy should fail"
5812 mkdir -p ${vaultdir}2
5813 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
5814 --source=custom_passphrase \
5815 --name=protector_64bis ${vaultdir}2 &&
5816 error "fscrypt encrypt ${vaultdir}2 should fail"
# Phase 3: restore every role, then destroy the protector and policy created
# in phase 1; both calls must now succeed.
5820 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value all
5821 wait_nm_sync c0 rbac
5824 fscrypt metadata destroy --protector=$MOUNT:$protector --force ||
5825 error "destroy protector failed"
5826 fscrypt metadata destroy --policy=$MOUNT:$policy --force ||
5827 error "destroy policy failed"
5832 run_test 64f "Nodemap enforces fscrypt_admin RBAC roles"
# End-of-script cleanup. The closing fi/done of the loop below are not in this
# listing, and the embedded line numbers skip, so parts of this run are missing.
5834 log "cleanup: ======================================================"
# For each MDS index from seq $MDSCOUNT: where identity_old[num] is 1, call
# switch_identity with "false"; if that call fails, its exit status is stored
# back into identity_old[num]. identity_old and switch_identity are defined
# outside this listing.
5837 for num in $(seq $MDSCOUNT); do
5838 if [ "${identity_old[$num]}" = 1 ]; then
5839 switch_identity $num false || identity_old[$num]=$?
# List $DIR as ID0 and as ID1 through $RUNAS_CMD; the results are not checked.
5843 $RUNAS_CMD -u $ID0 ls $DIR
5844 $RUNAS_CMD -u $ID1 ls $DIR
5849 check_and_cleanup_lustre