3 # Run select tests by setting ONLY, or as arguments to the script.
4 # Skip specific tests by setting EXCEPT.
11 LUSTRE=${LUSTRE:-$(dirname $0)/..}
12 . $LUSTRE/tests/test-framework.sh
17 ALWAYS_EXCEPT="$SANITY_SEC_EXCEPT "
18 # bug number for skipped test:
20 # UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
22 [ "$SLOW" = "no" ] && EXCEPT_SLOW="26"
24 NODEMAP_TESTS=$(seq 7 26)
26 if ! check_versions; then
27 echo "It is NOT necessary to test nodemap under interoperation mode"
28 EXCEPT="$EXCEPT $NODEMAP_TESTS"
33 RUNAS_CMD=${RUNAS_CMD:-runas}
35 WTL=${WTL:-"$LUSTRE/tests/write_time_limit"}
38 PERM_CONF=$CONFDIR/perm.conf
40 HOSTNAME_CHECKSUM=$(hostname | sum | awk '{ print $1 }')
41 SUBNET_CHECKSUM=$(expr $HOSTNAME_CHECKSUM % 250 + 1)
43 require_dsh_mds || exit 0
44 require_dsh_ost || exit 0
46 clients=${CLIENTS//,/ }
47 num_clients=$(get_node_count ${clients})
48 clients_arr=($clients)
50 echo "was USER0=$(getent passwd | grep :${ID0:-500}:)"
51 echo "was USER1=$(getent passwd | grep :${ID1:-501}:)"
56 echo "now USER0=$USER0=$ID0:$(id -g $USER0), USER1=$USER1=$ID1:$(id -g $USER1)"
58 if [ "$SLOW" == "yes" ]; then
61 NODEMAP_IPADDR_LIST="1 10 64 128 200 250"
66 NODEMAP_IPADDR_LIST="1 250"
69 NODEMAP_MAX_ID=$((ID0 + NODEMAP_ID_COUNT))
72 skip "need to add user0 ($ID0:$ID0)" && exit 0
75 skip "need to add user1 ($ID1:$ID1)" && exit 0
77 IDBASE=${IDBASE:-60000}
79 # changes to mappings must be reflected in test 23
81 [0]="$((IDBASE+3)):$((IDBASE+0)) $((IDBASE+4)):$((IDBASE+2))"
82 [1]="$((IDBASE+5)):$((IDBASE+1)) $((IDBASE+6)):$((IDBASE+2))"
85 check_and_setup_lustre
90 GSS_REF=$(lsmod | grep ^ptlrpc_gss | awk '{print $3}')
91 if [ ! -z "$GSS_REF" -a "$GSS_REF" != "0" ]; then
93 echo "with GSS support"
96 echo "without GSS support"
99 MDT=$(mdtname_from_index 0 $MOUNT)
100 [[ -z "$MDT" ]] && error "fail to get MDT0000 device name" && exit 1
101 do_facet $SINGLEMDS "mkdir -p $CONFDIR"
102 IDENTITY_FLUSH=mdt.$MDT.identity_flush
111 if ! $RUNAS_CMD -u $user krb5_login.sh; then
112 error "$user login kerberos failed."
116 if ! $RUNAS_CMD -u $user -g $group ls $DIR > /dev/null 2>&1; then
117 $RUNAS_CMD -u $user lfs flushctx -k
118 $RUNAS_CMD -u $user krb5_login.sh
119 if ! $RUNAS_CMD -u$user -g$group ls $DIR > /dev/null 2>&1; then
120 error "init $user $group failed."
126 declare -a identity_old
129 for ((num = 1; num <= $MDSCOUNT; num++)); do
130 switch_identity $num true || identity_old[$num]=$?
133 if ! $RUNAS_CMD -u $ID0 ls $DIR > /dev/null 2>&1; then
134 sec_login $USER0 $USER0
137 if ! $RUNAS_CMD -u $ID1 ls $DIR > /dev/null 2>&1; then
138 sec_login $USER1 $USER1
# Body of test 0 (registered by "run_test 0" at the end): checks plain
# owner/group/other permission enforcement for $ID0 and $ID1 via $RUNAS_CMD.
# Positive steps fail through "|| error"; negative steps run the command and
# test $? on the very next line, so no command may be placed in between.
143 # run as different user
147 chmod 0755 $DIR || error "chmod (1) Failed"
# NOTE(review): rm -rf on an unquoted path; an empty $tdir would make this
# target $DIR itself. Presumably the framework always sets it - confirm.
148 rm -rf $DIR/$tdir || error "rm (1) Failed"
149 mkdir -p $DIR/$tdir || error "mkdir (1) Failed"
151 # $DIR/$tdir owner changed to USER0(sanityusr)
152 chown $USER0 $DIR/$tdir || error "chown (2) Failed"
153 chmod 0755 $DIR/$tdir || error "chmod (2) Failed"
155 # Listing $DIR as ID0 must pass ($DIR was set to 0755 above)
156 $RUNAS_CMD -u $ID0 ls -ali $DIR || error "ls (1) Failed"
157 # Make sure f0 does not exist, so the touch below would have to create it
158 rm -f $DIR/f0 || error "rm (2) Failed"
160 # It is expected that this cmd should fail
161 # $DIR has only r-x rights for group and other
162 $RUNAS_CMD -u $ID0 touch $DIR/f0
163 (( $? == 0 )) && error "touch (1) should not pass"
165 # This must pass. $DIR/$tdir/ is owned by ID0/USER0
166 $RUNAS_CMD -u $ID0 touch $DIR/$tdir/f1 || error "touch (2) Failed"
168 # It is expected that this cmd should fail
169 # $tdir is rwxr-xr-x and owned by USER0, so ID1 has no write access
170 $RUNAS_CMD -u $ID1 touch $DIR/$tdir/f2
171 (( $? == 0 )) && error "touch (3) should not pass"
173 touch $DIR/$tdir/f3 || error "touch (4) Failed"
# Switch from owner-based to group-based access: root owns the directory,
# group USER0 gets rwx (0775), everyone else stays r-x.
174 chown root $DIR/$tdir || error "chown (3) Failed"
175 chgrp $USER0 $DIR/$tdir || error "chgrp (1) Failed"
176 chmod 0775 $DIR/$tdir || error "chmod (3) Failed"
178 # Owner is root and group is USER0
179 $RUNAS_CMD -u $USER0 -g $USER0 touch $DIR/$tdir/f4 ||
180 error "touch (5) Failed"
182 # It is expected that this cmd should fail
183 # $tdir has rwxrwxr-x rights for group sanityusr/ID0, ID1 will fail
184 $RUNAS_CMD -u $ID1 -g $ID1 touch $DIR/$tdir/f5
185 (( $? == 0 )) && error "touch (6) should not pass"
187 touch $DIR/$tdir/f6 || error "touch (7) Failed"
188 rm -rf $DIR/$tdir || error "rm (3) Failed"
190 run_test 0 "uid permission ============================="
# Body of test 1 (registered by "run_test 1" at the end): checks that a uid may
# act under another effective uid/gid only after the MDS grants it "setuid" /
# "setgid" in $PERM_CONF. Skipped when GSS_SUP is 0.
# The runas options -v and -j presumably select the effective uid and gid
# (confirm against the runas usage text).
194 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
197 mkdir_on_mdt0 $DIR/$tdir
199 chown $USER0 $DIR/$tdir || error "chown (1)"
# No grant yet: ID1 acting with effective uid ID0 must be refused.
200 $RUNAS_CMD -u $ID1 -v $ID0 touch $DIR/$tdir/f0 && error "touch (2)"
201 echo "enable uid $ID1 setuid"
# Grant setuid to uid ID1 for any NID ('*'), then write -1 to identity_flush
# so the MDT re-reads the identity data (presumably a full cache flush).
# NOTE(review): this step appends (>>) while the later grant overwrites (>);
# entries left in $PERM_CONF by an earlier aborted run would survive here.
202 do_facet $SINGLEMDS "echo '* $ID1 setuid' >> $PERM_CONF"
203 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
204 $RUNAS_CMD -u $ID1 -v $ID0 touch $DIR/$tdir/f1 || error "touch (3)"
# Now make access depend on the group: root owner, group USER0, mode 0770.
206 chown root $DIR/$tdir || error "chown (4)"
207 chgrp $USER0 $DIR/$tdir || error "chgrp (5)"
208 chmod 0770 $DIR/$tdir || error "chmod (6)"
# With only setuid granted, neither ID1's own gid nor an effective gid of ID0
# may get write access.
209 $RUNAS_CMD -u $ID1 -g $ID1 touch $DIR/$tdir/f2 && error "touch (7)"
210 $RUNAS_CMD -u$ID1 -g$ID1 -j$ID0 touch $DIR/$tdir/f3 && error "touch (8)"
211 echo "enable uid $ID1 setuid,setgid"
212 do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF"
213 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
214 $RUNAS_CMD -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f4 ||
216 $RUNAS_CMD -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/$tdir/f5 ||
# Cleanup: drop the grants and flush again so later tests start without them.
# NOTE(review): this only runs when the test reaches this point; if an earlier
# error aborts the test, the setuid/setgid grant presumably stays in
# $PERM_CONF on the MDS. A stack_trap-based cleanup (used elsewhere in this
# file) would cover that path - confirm how error behaves here.
221 do_facet $SINGLEMDS "rm -f $PERM_CONF"
222 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
224 run_test 1 "setuid/gid ============================="
226 # bug 3285 - access through a supplementary group should always succeed.
227 # NB: supplementary groups passed by the caller apply to a local client only;
228 # for a remote client, the groups of the specified uid are looked up on the
229 # MDT through the /usr/sbin/l_getidentity upcall, and those are used instead.
# Body of test 4 (registered by "run_test 4" at the end). Runs on MDS versions
# >= 2.6.93, or in the range [2.5.35, 2.5.50); skipped otherwise.
231 [[ "$MDS1_VERSION" -ge $(version_code 2.6.93) ]] ||
232 [[ "$MDS1_VERSION" -ge $(version_code 2.5.35) &&
233 "$MDS1_VERSION" -lt $(version_code 2.5.50) ]] ||
234 skip "Need MDS version at least 2.6.93 or 2.5.35"
# Directory is mode 0771 with group ID0: group members may list it, others
# only get the execute bit.
237 mkdir_on_mdt0 -p $DIR/$tdir
238 chmod 0771 $DIR/$tdir
239 chgrp $ID0 $DIR/$tdir
240 $RUNAS_CMD -u $ID0 ls $DIR/$tdir || error "setgroups (1)"
# Grant "setgrp" to uid ID1 for any NID ('*') and flush the identity data so
# the grant takes effect.
241 do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
242 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
# ID1 with ID0 among its supplementary groups (-G) must be able to list the
# directory; the same uid without ID0 in the list must be refused.
243 $RUNAS_CMD -u $ID1 -G1,2,$ID0 ls $DIR/$tdir ||
244 error "setgroups (2)"
245 $RUNAS_CMD -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)"
# Cleanup: remove the grant and flush again.
# NOTE(review): not reached if an earlier error aborts the test, which would
# presumably leave the setgrp grant in $PERM_CONF - confirm.
248 do_facet $SINGLEMDS "rm -f $PERM_CONF"
249 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
251 run_test 4 "set supplementary group ==============="
257 squash_id default ${NOBODY_UID:-65534} 0
258 wait_nm_sync default squash_uid '' inactive
259 squash_id default ${NOBODY_UID:-65534} 1
260 wait_nm_sync default squash_gid '' inactive
261 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
262 local csum=${HOSTNAME_CHECKSUM}_${i}
264 do_facet mgs $LCTL nodemap_add $csum
266 if [ $rc -ne 0 ]; then
267 echo "nodemap_add $csum failed with $rc"
271 wait_update_facet --verbose mgs \
272 "$LCTL get_param nodemap.$csum.id 2>/dev/null | \
273 grep -c $csum || true" 1 30 ||
276 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
277 local csum=${HOSTNAME_CHECKSUM}_${i}
279 wait_nm_sync $csum id '' inactive
287 for ((i = 0; i < NODEMAP_COUNT; i++)); do
288 local csum=${HOSTNAME_CHECKSUM}_${i}
290 if ! do_facet mgs $LCTL nodemap_del $csum; then
291 error "nodemap_del $csum failed with $?"
295 wait_update_facet --verbose mgs \
296 "$LCTL get_param nodemap.$csum.id 2>/dev/null | \
297 grep -c $csum || true" 0 30 ||
300 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
301 local csum=${HOSTNAME_CHECKSUM}_${i}
303 wait_nm_sync $csum id '' inactive
310 local cmd="$LCTL nodemap_add_range"
314 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
315 range="$SUBNET_CHECKSUM.${2}.${j}.[1-253]@tcp"
316 if ! do_facet mgs $cmd --name $1 --range $range; then
325 local cmd="$LCTL nodemap_del_range"
329 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
330 range="$SUBNET_CHECKSUM.${2}.${j}.[1-253]@tcp"
331 if ! do_facet mgs $cmd --name $1 --range $range; then
341 local cmd="$LCTL nodemap_add_idmap"
345 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || do_proj=false
347 echo "Start to add idmaps ..."
348 for ((i = 0; i < NODEMAP_COUNT; i++)); do
351 for ((j = $ID0; j < NODEMAP_MAX_ID; j++)); do
352 local csum=${HOSTNAME_CHECKSUM}_${i}
354 local fs_id=$((j + 1))
356 if ! do_facet mgs $cmd --name $csum --idtype uid \
357 --idmap $client_id:$fs_id; then
360 if ! do_facet mgs $cmd --name $csum --idtype gid \
361 --idmap $client_id:$fs_id; then
365 if ! do_facet mgs $cmd --name $csum \
366 --idtype projid --idmap \
367 $client_id:$fs_id; then
379 local cmd="$LCTL nodemap_add_idmap"
382 echo "Start to add root idmaps ..."
383 for ((i = 0; i < NODEMAP_COUNT; i++)); do
384 local csum=${HOSTNAME_CHECKSUM}_${i}
386 if ! do_facet mgs $cmd --name $csum --idtype uid \
390 if ! do_facet mgs $cmd --name $csum --idtype gid \
# Exercise idmap updates on the nodemap ${HOSTNAME_CHECKSUM}_0 (uid type only):
#   1. re-adding the existing pair ID0:(ID0+1) must be rejected;
#   2. adding ID0:(ID0+100) must succeed and is read back as the new fs id;
#   3. adding (ID0+100):(ID0+100) must succeed and is read back as the new
#      client id;
#   4. that pair is deleted and the original ID0:(ID0+1) pair is restored.
# Skipped on MGS versions older than 2.10.55.
399 update_idmaps() { #LU-10040
400 [ "$MGS_VERSION" -lt $(version_code 2.10.55) ] &&
401 skip "Need MGS >= 2.10.55"
403 local csum=${HOSTNAME_CHECKSUM}_0
404 local old_id_client=$ID0
405 local old_id_fs=$((ID0 + 1))
406 local new_id=$((ID0 + 100))
411 echo "Start to update idmaps ..."
413 # Inserting an idmap that already exists must return an error
414 cmd="$LCTL nodemap_add_idmap --name $csum --idtype uid"
416 $cmd --idmap $old_id_client:$old_id_fs 2>/dev/null; then
417 error "insert idmap {$old_id_client:$old_id_fs} " \
418 "should return error"
423 # Map the existing client id to a new fs id, then read it back
424 if ! do_facet mgs $cmd --idmap $old_id_client:$new_id; then
425 error "$cmd --idmap $old_id_client:$new_id failed"
# Assumes the fs id is field 7 on line 2 of the idmap output - TODO confirm
# against the get_param format of the tested version.
429 tmp_id=$(do_facet mgs $LCTL get_param -n nodemap.$csum.idmap |
430 awk '{ print $7 }' | sed -n '2p')
# NOTE(review): operands are unquoted. If the pipeline above yields nothing,
# "[" fails with a syntax error, the && branch is skipped and the mismatch is
# never reported; quoting both sides would turn an empty reply into a failure.
431 [ $tmp_id != $new_id ] && { error "new id_fs $tmp_id != $new_id"; \
432 rc=$((rc + 1)); return $rc; }
434 # Map a new client id to the same fs id, then read it back
435 if ! do_facet mgs $cmd --idmap $new_id:$new_id; then
436 error "$cmd --idmap $new_id:$new_id failed"
# Assumes the client id is field 5 on line NODEMAP_ID_COUNT + 1 - TODO confirm.
440 tmp_id=$(do_facet mgs $LCTL get_param -n nodemap.$csum.idmap |
441 awk '{ print $5 }' | sed -n "$((NODEMAP_ID_COUNT + 1)) p")
442 tmp_id=$(echo ${tmp_id%,*}) #e.g. "501,"->"501"
# NOTE(review): same unquoted comparison as above; an empty tmp_id passes.
443 [ $tmp_id != $new_id ] && { error "new id_client $tmp_id != $new_id"; \
444 rc=$((rc + 1)); return $rc; }
446 # Delete the idmap that was just updated
447 cmd="$LCTL nodemap_del_idmap --name $csum --idtype uid"
448 if ! do_facet mgs $cmd --idmap $new_id:$new_id; then
449 error "$cmd --idmap $new_id:$new_id failed"
454 # Restore the original idmap so that delete_idmaps finds what it expects
455 cmd="$LCTL nodemap_add_idmap --name $csum --idtype uid"
456 if ! do_facet mgs $cmd --idmap $old_id_client:$old_id_fs; then
457 error "$cmd --idmap $old_id_client:$old_id_fs failed"
467 local cmd="$LCTL nodemap_del_idmap"
471 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || do_proj=false
473 echo "Start to delete idmaps ..."
474 for ((i = 0; i < NODEMAP_COUNT; i++)); do
477 for ((j = $ID0; j < NODEMAP_MAX_ID; j++)); do
478 local csum=${HOSTNAME_CHECKSUM}_${i}
480 local fs_id=$((j + 1))
482 if ! do_facet mgs $cmd --name $csum --idtype uid \
483 --idmap $client_id:$fs_id; then
486 if ! do_facet mgs $cmd --name $csum --idtype gid \
487 --idmap $client_id:$fs_id; then
491 if ! do_facet mgs $cmd --name $csum \
492 --idtype projid --idmap \
493 $client_id:$fs_id; then
503 delete_root_idmaps() {
505 local cmd="$LCTL nodemap_del_idmap"
508 echo "Start to delete root idmaps ..."
509 for ((i = 0; i < NODEMAP_COUNT; i++)); do
510 local csum=${HOSTNAME_CHECKSUM}_${i}
512 if ! do_facet mgs $cmd --name $csum --idtype uid \
516 if ! do_facet mgs $cmd --name $csum --idtype gid \
529 local cmd="$LCTL nodemap_modify"
532 proc[0]="admin_nodemap"
533 proc[1]="trusted_nodemap"
537 for ((idx = 0; idx < 2; idx++)); do
538 if ! do_facet mgs $cmd --name $1 --property ${option[$idx]} \
543 if ! do_facet mgs $cmd --name $1 --property ${option[$idx]} \
553 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
554 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
558 cmd[0]="$LCTL nodemap_modify --property squash_uid"
559 cmd[1]="$LCTL nodemap_modify --property squash_gid"
560 cmd[2]="$LCTL nodemap_modify --property squash_projid"
562 if ! do_facet mgs ${cmd[$3]} --name $1 --value $2; then
567 # ensure that the squash defaults are the expected defaults
568 squash_id default ${NOBODY_UID:-65534} 0
569 wait_nm_sync default squash_uid '' inactive
570 squash_id default ${NOBODY_UID:-65534} 1
571 wait_nm_sync default squash_gid '' inactive
572 if [ "$MDS1_VERSION" -ge $(version_code 2.14.50) ]; then
573 squash_id default ${NOBODY_UID:-65534} 2
574 wait_nm_sync default squash_projid '' inactive
580 cmd="$LCTL nodemap_test_nid"
582 nid=$(do_facet mgs $cmd $1)
584 if [ $nid == $2 ]; then
592 # restore activation state
593 do_facet mgs $LCTL nodemap_activate 0
# Walks "lctl nodemap_test_id" through each nodemap mode and compares the fs id
# it returns for NIDs $SUBNET_CHECKSUM.0.<j>.100@tcp with the expected value:
#   - nodemaps inactive:      uid comes back unchanged
#   - nodemaps active:        uid comes back as uid + 1
#   - trusted = 1:            uid comes back unchanged
#   - admin = 1:              uid 0 stays 0
#   - admin = 0:              uid 0 is squashed to ${NOBODY_UID:-65534}
# The explicit root idmap steps only run on MDS versions >= 2.15.60.
#
# NOTE(review): every comparison below uses unquoted operands inside "[ ]".
# If nodemap_test_id prints nothing, "[" fails with a syntax error and the
# failure branch is skipped, so the check passes silently. This includes the
# root squash check; quoting both operands would make an empty reply count as
# a mismatch.
599 local cmd="$LCTL nodemap_test_id"
600 local do_root_idmap=true
603 (( $MDS1_VERSION >= $(version_code 2.15.60) )) || do_root_idmap=false
605 echo "Start to test idmaps ..."
606 ## nodemap deactivated
# With nodemaps inactive the id is expected to come back unchanged.
607 if ! do_facet mgs $LCTL nodemap_activate 0; then
610 for ((id = $ID0; id < NODEMAP_MAX_ID; id++)); do
613 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
614 local nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
615 local fs_id=$(do_facet mgs $cmd --nid $nid \
616 --idtype uid --id $id)
617 if [ $fs_id != $id ]; then
618 echo "expected $id, got $fs_id"
# Nodemaps active: each client id is expected to map to id + 1.
625 if ! do_facet mgs $LCTL nodemap_activate 1; then
629 for ((id = $ID0; id < NODEMAP_MAX_ID; id++)); do
630 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
631 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
632 fs_id=$(do_facet mgs $cmd --nid $nid \
633 --idtype uid --id $id)
634 expected_id=$((id + 1))
635 if [ $fs_id != $expected_id ]; then
636 echo "expected $expected_id, got $fs_id"
# Mark every test nodemap as trusted; ids are then expected to pass through
# unchanged.
643 for ((i = 0; i < NODEMAP_COUNT; i++)); do
644 local csum=${HOSTNAME_CHECKSUM}_${i}
646 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
647 --property trusted --value 1; then
648 error "nodemap_modify $csum failed with $?"
653 for ((id = $ID0; id < NODEMAP_MAX_ID; id++)); do
654 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
655 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
656 fs_id=$(do_facet mgs $cmd --nid $nid \
657 --idtype uid --id $id)
658 if [ $fs_id != $id ]; then
659 echo "expected $id, got $fs_id"
665 ## ensure allow_root_access is enabled
666 for ((i = 0; i < NODEMAP_COUNT; i++)); do
667 local csum=${HOSTNAME_CHECKSUM}_${i}
669 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
670 --property admin --value 1; then
671 error "nodemap_modify $csum failed with $?"
676 ## check that root allowed
677 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
678 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
679 fs_id=$(do_facet mgs $cmd --nid $nid --idtype uid --id 0)
680 if [ $fs_id != 0 ]; then
681 echo "root allowed expected 0, got $fs_id"
686 if $do_root_idmap; then
687 ## add mapping for root
690 ## check that root allowed
691 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
692 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
693 fs_id=$(do_facet mgs $cmd --nid $nid \
695 if [ $fs_id != 0 ]; then
696 echo "root allowed expected 0, got $fs_id"
701 ## delete mapping for root
705 ## ensure allow_root_access is disabled
706 for ((i = 0; i < NODEMAP_COUNT; i++)); do
707 local csum=${HOSTNAME_CHECKSUM}_${i}
709 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
710 --property admin --value 0; then
711 error "nodemap_modify ${HOSTNAME_CHECKSUM}_${i} "
717 ## check that root is mapped to NOBODY_UID
718 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
719 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
720 fs_id=$(do_facet mgs $cmd --nid $nid --idtype uid --id 0)
# NOTE(review): this is the root squash assertion. With fs_id empty the
# unquoted test errors out and the error call below is never reached.
721 if [ $fs_id != ${NOBODY_UID:-65534} ]; then
722 error "root squash expect ${NOBODY_UID:-65534} got $fs_id"
727 if $do_root_idmap; then
728 ## add mapping for root
731 ## check root is mapped
732 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
733 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
734 fs_id=$(do_facet mgs $cmd --nid $nid \
737 if [ $fs_id != $expected_id ]; then
738 echo "expected $expected_id, got $fs_id"
743 ## delete mapping for root
747 ## reset client trust to 0
748 for ((i = 0; i < NODEMAP_COUNT; i++)); do
749 if ! do_facet mgs $LCTL nodemap_modify \
750 --name ${HOSTNAME_CHECKSUM}_${i} \
751 --property trusted --value 0; then
752 error "nodemap_modify ${HOSTNAME_CHECKSUM}_${i} "
764 remote_mgs_nodsh && skip "remote MGS with nodsh"
765 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
766 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
770 [[ $rc != 0 ]] && error "nodemap_add failed with $rc"
774 [[ $rc != 0 ]] && error "nodemap_del failed with $rc"
778 run_test 7 "nodemap create and delete"
783 remote_mgs_nodsh && skip "remote MGS with nodsh"
784 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
785 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
791 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
797 [[ $rc == 0 ]] && error "duplicate nodemap_add allowed with $rc" &&
803 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 3
807 run_test 8 "nodemap reject duplicates"
813 remote_mgs_nodsh && skip "remote MGS with nodsh"
814 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
815 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
820 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
823 for ((i = 0; i < NODEMAP_COUNT; i++)); do
824 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
828 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
831 for ((i = 0; i < NODEMAP_COUNT; i++)); do
832 if ! delete_range ${HOSTNAME_CHECKSUM}_${i} $i; then
836 [[ $rc != 0 ]] && error "nodemap_del_range failed with $rc" && return 4
841 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
845 run_test 9 "nodemap range add"
850 remote_mgs_nodsh && skip "remote MGS with nodsh"
851 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
852 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
857 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
860 for ((i = 0; i < NODEMAP_COUNT; i++)); do
861 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
865 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
868 for ((i = 0; i < NODEMAP_COUNT; i++)); do
869 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
873 [[ $rc == 0 ]] && error "nodemap_add_range duplicate add with $rc" &&
878 for ((i = 0; i < NODEMAP_COUNT; i++)); do
879 if ! delete_range ${HOSTNAME_CHECKSUM}_${i} $i; then
883 [[ $rc != 0 ]] && error "nodemap_del_range failed with $rc" && return 4
887 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 5
891 run_test 10a "nodemap reject duplicate ranges"
894 [ "$MGS_VERSION" -lt $(version_code 2.10.53) ] &&
895 skip "Need MGS >= 2.10.53"
899 local nids="192.168.19.[0-255]@o2ib20"
901 do_facet mgs $LCTL nodemap_del $nm1 2>/dev/null
902 do_facet mgs $LCTL nodemap_del $nm2 2>/dev/null
904 do_facet mgs $LCTL nodemap_add $nm1 || error "Add $nm1 failed"
905 do_facet mgs $LCTL nodemap_add $nm2 || error "Add $nm2 failed"
906 do_facet mgs $LCTL nodemap_add_range --name $nm1 --range $nids ||
907 error "Add range $nids to $nm1 failed"
908 [ -n "$(do_facet mgs $LCTL get_param nodemap.$nm1.* |
909 grep start_nid)" ] || error "No range was found"
910 do_facet mgs $LCTL nodemap_del_range --name $nm2 --range $nids &&
911 error "Deleting range $nids from $nm2 should fail"
912 [ -n "$(do_facet mgs $LCTL get_param nodemap.$nm1.* |
913 grep start_nid)" ] || error "Range $nids should be there"
915 do_facet mgs $LCTL nodemap_del $nm1 || error "Delete $nm1 failed"
916 do_facet mgs $LCTL nodemap_del $nm2 || error "Delete $nm2 failed"
919 run_test 10b "delete range from the correct nodemap"
921 test_10c() { #LU-8912
922 [ "$MGS_VERSION" -lt $(version_code 2.10.57) ] &&
923 skip "Need MGS >= 2.10.57"
925 local nm="nodemap_lu8912"
926 local nid_range="10.210.[32-47].[0-255]@o2ib3"
927 local start_nid="10.210.32.0@o2ib3"
928 local end_nid="10.210.47.255@o2ib3"
929 local start_nid_found
932 do_facet mgs $LCTL nodemap_del $nm 2>/dev/null
933 do_facet mgs $LCTL nodemap_add $nm || error "Add $nm failed"
934 do_facet mgs $LCTL nodemap_add_range --name $nm --range $nid_range ||
935 error "Add range $nid_range to $nm failed"
937 start_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
938 awk -F '[,: ]' /start_nid/'{ print $9 }')
939 [ "$start_nid" == "$start_nid_found" ] ||
940 error "start_nid: $start_nid_found != $start_nid"
941 end_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
942 awk -F '[,: ]' /end_nid/'{ print $13 }')
943 [ "$end_nid" == "$end_nid_found" ] ||
944 error "end_nid: $end_nid_found != $end_nid"
946 do_facet mgs $LCTL nodemap_del $nm || error "Delete $nm failed"
949 run_test 10c "verfify contiguous range support"
951 test_10d() { #LU-8913
952 [ "$MGS_VERSION" -lt $(version_code 2.10.59) ] &&
953 skip "Need MGS >= 2.10.59"
955 local nm="nodemap_lu8913"
956 local nid_range="*@o2ib3"
957 local start_nid="0.0.0.0@o2ib3"
958 local end_nid="255.255.255.255@o2ib3"
959 local start_nid_found
962 do_facet mgs $LCTL nodemap_del $nm 2>/dev/null
963 do_facet mgs $LCTL nodemap_add $nm || error "Add $nm failed"
964 do_facet mgs $LCTL nodemap_add_range --name $nm --range $nid_range ||
965 error "Add range $nid_range to $nm failed"
967 start_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
968 awk -F '[,: ]' /start_nid/'{ print $9 }')
969 [ "$start_nid" == "$start_nid_found" ] ||
970 error "start_nid: $start_nid_found != $start_nid"
971 end_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
972 awk -F '[,: ]' /end_nid/'{ print $13 }')
973 [ "$end_nid" == "$end_nid_found" ] ||
974 error "end_nid: $end_nid_found != $end_nid"
976 do_facet mgs $LCTL nodemap_del $nm || error "Delete $nm failed"
979 run_test 10d "verfify nodemap range format '*@<net>' support"
984 remote_mgs_nodsh && skip "remote MGS with nodsh"
985 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
986 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
991 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
994 for ((i = 0; i < NODEMAP_COUNT; i++)); do
995 if ! modify_flags ${HOSTNAME_CHECKSUM}_${i}; then
999 [[ $rc != 0 ]] && error "nodemap_modify with $rc" && return 2
1004 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 3
1008 run_test 11 "nodemap modify"
1013 remote_mgs_nodsh && skip "remote MGS with nodsh"
1014 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1015 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1020 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1023 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1024 if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 0; then
1028 [[ $rc != 0 ]] && error "nodemap squash_uid with $rc" && return 2
1031 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1032 if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 1; then
1036 [[ $rc != 0 ]] && error "nodemap squash_gid with $rc" && return 3
1039 if (( $MDS1_VERSION >= $(version_code 2.14.52) )); then
1040 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1041 if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 2; then
1046 [[ $rc != 0 ]] && error "nodemap squash_projid with $rc" && return 5
1051 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
1055 run_test 12 "nodemap set squash ids"
1060 remote_mgs_nodsh && skip "remote MGS with nodsh"
1061 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1062 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1067 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1070 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1071 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
1075 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
1078 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1079 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
1080 for k in $NODEMAP_IPADDR_LIST; do
1081 if ! test_nid $SUBNET_CHECKSUM.$i.$j.$k \
1082 ${HOSTNAME_CHECKSUM}_${i}; then
1088 [[ $rc != 0 ]] && error "nodemap_test_nid failed with $rc" && return 3
1093 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
1097 run_test 13 "test nids"
1102 remote_mgs_nodsh && skip "remote MGS with nodsh"
1103 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1104 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1109 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1112 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1113 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
1114 for k in $NODEMAP_IPADDR_LIST; do
1115 if ! test_nid $SUBNET_CHECKSUM.$i.$j.$k \
1122 [[ $rc != 0 ]] && error "nodemap_test_nid failed with $rc" && return 3
1127 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
1131 run_test 14 "test default nodemap nid lookup"
1136 remote_mgs_nodsh && skip "remote MGS with nodsh"
1137 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1138 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1143 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1145 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
1146 local csum=${HOSTNAME_CHECKSUM}_${i}
1148 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
1149 --property admin --value 0; then
1152 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
1153 --property trusted --value 0; then
1157 [[ $rc != 0 ]] && error "nodemap_modify failed with $rc" && return 1
1160 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1161 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
1165 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
1170 [[ $rc != 0 ]] && error "nodemap_add_idmap failed with $rc" && return 3
1172 activedefault=$(do_facet mgs $LCTL get_param -n nodemap.active)
1173 if [[ "$activedefault" != "1" ]]; then
1174 stack_trap cleanup_active EXIT
1180 [[ $rc != 0 ]] && error "nodemap_test_id failed with $rc" && return 4
1185 [[ $rc != 0 ]] && error "update_idmaps failed with $rc" && return 5
1190 [[ $rc != 0 ]] && error "nodemap_del_idmap failed with $rc" && return 6
1195 [[ $rc != 0 ]] && error "nodemap_delete failed with $rc" && return 7
1199 run_test 15 "test id mapping"
1201 create_fops_nodemaps() {
1204 for client in $clients; do
1205 local client_ip=$(host_nids_address $client $NETTYPE)
1206 local client_nid=$(h2nettype $client_ip)
1207 [[ "$client_nid" =~ ":" ]] && client_nid+="/128"
1208 do_facet mgs $LCTL nodemap_add c${i} || return 1
1209 do_facet mgs $LCTL nodemap_add_range \
1210 --name c${i} --range $client_nid || {
1211 do_facet mgs $LCTL nodemap_del c${i}
1214 for map in ${FOPS_IDMAPS[i]}; do
1215 do_facet mgs $LCTL nodemap_add_idmap --name c${i} \
1216 --idtype uid --idmap ${map} || return 1
1217 do_facet mgs $LCTL nodemap_add_idmap --name c${i} \
1218 --idtype gid --idmap ${map} || return 1
1221 wait_nm_sync c$i idmap
1228 delete_fops_nodemaps() {
1231 for client in $clients; do
1232 do_facet mgs $LCTL nodemap_del c${i} || return 1
1240 if [ $MDSCOUNT -le 1 ]; then
1241 do_node ${clients_arr[0]} mkdir -p $DIR/$tdir
1243 # round-robin MDTs to test DNE nodemap support
1244 [ ! -d $DIR ] && do_node ${clients_arr[0]} mkdir -p $DIR
1245 do_node ${clients_arr[0]} $LFS setdirstripe -c 1 -i \
1246 $((fops_mds_index % MDSCOUNT)) $DIR/$tdir
1247 ((fops_mds_index++))
1251 # acl test directory needs to be initialized on a privileged client
1253 local admin=$(do_facet mgs $LCTL get_param -n nodemap.c0.admin_nodemap)
1254 local trust=$(do_facet mgs $LCTL get_param -n \
1255 nodemap.c0.trusted_nodemap)
1257 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1258 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
1260 wait_nm_sync c0 admin_nodemap
1261 wait_nm_sync c0 trusted_nodemap
1263 do_node ${clients_arr[0]} rm -rf $DIR/$tdir
1265 do_node ${clients_arr[0]} chown $user $DIR/$tdir
1267 do_facet mgs $LCTL nodemap_modify --name c0 \
1268 --property admin --value $admin
1269 do_facet mgs $LCTL nodemap_modify --name c0 \
1270 --property trusted --value $trust
1272 # flush MDT locks to make sure they are reacquired before test
1273 do_node ${clients_arr[0]} $LCTL set_param \
1274 ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
1276 wait_nm_sync c0 admin_nodemap
1277 wait_nm_sync c0 trusted_nodemap
1280 # fileset test directory needs to be initialized on a privileged client
1281 fileset_test_setup() {
1284 if [ -n "$FILESET" -a -z "$SKIP_FILESET" ]; then
1285 cleanup_mount $MOUNT
1286 FILESET="" zconf_mount_clients $CLIENTS $MOUNT
1289 local admin=$(do_facet mgs $LCTL get_param -n \
1290 nodemap.${nm}.admin_nodemap)
1291 local trust=$(do_facet mgs $LCTL get_param -n \
1292 nodemap.${nm}.trusted_nodemap)
1294 do_facet mgs $LCTL nodemap_modify --name $nm --property admin --value 1
1295 do_facet mgs $LCTL nodemap_modify --name $nm --property trusted \
1298 wait_nm_sync $nm admin_nodemap
1299 wait_nm_sync $nm trusted_nodemap
1301 # create directory and populate it for subdir mount
1302 do_node ${clients_arr[0]} mkdir $MOUNT/$subdir ||
1303 error "unable to create dir $MOUNT/$subdir"
1304 do_node ${clients_arr[0]} touch $MOUNT/$subdir/this_is_$subdir ||
1305 error "unable to create file $MOUNT/$subdir/this_is_$subdir"
1306 do_node ${clients_arr[0]} mkdir $MOUNT/$subdir/$subsubdir ||
1307 error "unable to create dir $MOUNT/$subdir/$subsubdir"
1308 do_node ${clients_arr[0]} touch \
1309 $MOUNT/$subdir/$subsubdir/this_is_$subsubdir ||
1310 error "unable to create file \
1311 $MOUNT/$subdir/$subsubdir/this_is_$subsubdir"
1313 do_facet mgs $LCTL nodemap_modify --name $nm \
1314 --property admin --value $admin
1315 do_facet mgs $LCTL nodemap_modify --name $nm \
1316 --property trusted --value $trust
1318 # flush MDT locks to make sure they are reacquired before test
1319 do_node ${clients_arr[0]} $LCTL set_param \
1320 ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
1322 wait_nm_sync $nm admin_nodemap
1323 wait_nm_sync $nm trusted_nodemap
1326 # fileset test directory needs to be cleaned up on a privileged client
# Removes $MOUNT/$subdir from the first client. The nodemap $nm is raised to
# admin=1 and trusted=1 for the removal, and the values read beforehand are
# written back afterwards.
# NOTE(review): the restore is not reached if the rm step aborts through
# error, which would presumably leave $nm with admin=1/trusted=1 - confirm.
1327 fileset_test_cleanup() {
# Save the current admin/trusted flags so they can be restored below.
1329 local admin=$(do_facet mgs $LCTL get_param -n \
1330 nodemap.${nm}.admin_nodemap)
1331 local trust=$(do_facet mgs $LCTL get_param -n \
1332 nodemap.${nm}.trusted_nodemap)
1334 do_facet mgs $LCTL nodemap_modify --name $nm --property admin --value 1
1335 do_facet mgs $LCTL nodemap_modify --name $nm --property trusted \
1338 wait_nm_sync $nm admin_nodemap
1339 wait_nm_sync $nm trusted_nodemap
1341 # cleanup directory created for subdir mount
1342 do_node ${clients_arr[0]} rm -rf $MOUNT/$subdir ||
1343 error "unable to remove dir $MOUNT/$subdir"
# Put the saved flags back.
# NOTE(review): $admin and $trust are unquoted; if either get_param above
# returned nothing, --value is passed without an argument - confirm.
1345 do_facet mgs $LCTL nodemap_modify --name $nm \
1346 --property admin --value $admin
1347 do_facet mgs $LCTL nodemap_modify --name $nm \
1348 --property trusted --value $trust
1350 # flush MDT locks to make sure they are reacquired before test
1351 do_node ${clients_arr[0]} $LCTL set_param \
1352 ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
1354 wait_nm_sync $nm admin_nodemap
1355 wait_nm_sync $nm trusted_nodemap
# Remount the clients when a fileset is configured and not explicitly skipped.
1356 if [ -n "$FILESET" -a -z "$SKIP_FILESET" ]; then
1357 cleanup_mount $MOUNT
1358 zconf_mount_clients $CLIENTS $MOUNT
1362 do_create_delete() {
1365 local testfile=$DIR/$tdir/$tfile
1369 if $run_u touch $testfile >& /dev/null; then
1371 $run_u rm $testfile && d=1
1375 local expected=$(get_cr_del_expected $key)
1376 [ "$res" != "$expected" ] &&
1377 error "test $key, wanted $expected, got $res" && rc=$((rc + 1))
1381 nodemap_check_quota() {
1383 $run_u lfs quota -q $DIR | awk '{ print $2; exit; }'
# Check that quota usage for the identity behind $run_u rises by roughly the
# size of a 1M file after writing it, and falls back to the original value
# once the file is removed. Both checks allow +/- $quota_fuzz.
1386 do_fops_quota_test() {
1388 # fuzz quota used to account for possible indirect blocks, etc
1389 local quota_fuzz=$(fs_log_size)
1390 local qused_orig=$(nodemap_check_quota "$run_u")
1391 local qused_high=$((qused_orig + quota_fuzz))
1392 local qused_low=$((qused_orig - quota_fuzz))
1393 local testfile=$DIR/$tdir/$tfile
1394 $run_u dd if=/dev/zero of=$testfile oflag=sync bs=1M count=1 \
1395 >& /dev/null || error "unable to write quota test file"
# a failing sync_all_data is deliberately ignored here
1396 sync; sync_all_data || true
1398 local qused_new=$(nodemap_check_quota "$run_u")
# the 1024 offset stands for the 1M just written (presumably quota is
# reported in KB - confirm). $((qused_new)) evaluates an empty value as 0,
# so a missing quota reading is compared as zero usage.
1399 [ $((qused_new)) -lt $((qused_low + 1024)) -o \
1400 $((qused_new)) -gt $((qused_high + 1024)) ] &&
1401 error "$qused_new != $qused_orig + 1M after write, " \
1402 "fuzz is $quota_fuzz"
1403 $run_u rm $testfile || error "unable to remove quota test file"
1404 wait_delete_completed_mds
# after the delete, usage has to be back inside the original window
1406 qused_new=$(nodemap_check_quota "$run_u")
1407 [ $((qused_new)) -lt $((qused_low)) \
1408 -o $((qused_new)) -gt $((qused_high)) ] &&
1409 error "quota not reclaimed, expect $qused_orig, " \
1410 "got $qused_new, fuzz $quota_fuzz"
# Look up $cli_user in FOPS_IDMAPS and print the id it is mapped to.
# Each array element is a whitespace-separated list of "first:second" pairs;
# the first field is matched against $cli_user and the second is printed.
# The caller treats an output of -1 as "no mapping"; the line that prints it
# is not part of this listing.
1413 get_fops_mapped_user() {
1416 for ((i=0; i < ${#FOPS_IDMAPS[@]}; i++)); do
# unquoted on purpose: word splitting yields one pair per iteration
1417 for map in ${FOPS_IDMAPS[i]}; do
1418 if [ $(cut -d: -f1 <<< "$map") == $cli_user ]; then
1419 cut -d: -f2 <<< "$map"
# Print the expected result ($SUCCESS or $FAILURE) of the create/delete probe
# for one key. The key is a colon-separated string of the form
# mapmode:mds_user:cluster:cli_user:mode, as built by the caller in this file.
1427 get_cr_del_expected() {
1429 IFS=":" read -a key <<< "$1"
1430 local mapmode="${key[0]}"
1431 local mds_user="${key[1]}"
1432 local cluster="${key[2]}"
1433 local cli_user="${key[3]}"
# the leading 0 makes shell arithmetic read the mode as octal
1434 local mode="0${key[4]}"
# flags are derived from substrings of the map mode name
1441 [[ $mapmode == *mapped* ]] && mapped=1
1442 # only c1 is mapped in these test cases
1443 [[ $mapmode == mapped_trusted* ]] && [ "$cluster" == "c0" ] && mapped=0
1444 [[ $mapmode == *noadmin* ]] && noadmin=1
1446 # o+wx works as long as the user isn't mapped
# (mode & 3) == 3 means both the write and execute bits are set for "other"
1447 if [ $((mode & 3)) -eq 3 ]; then
1451 # if client user is root, check if root is squashed
1452 if [ "$cli_user" == "0" ]; then
1453 # squash root succeed, if other bit is on
1456 1) [ "$other" == "1" ] && echo $SUCCESS
1457 [ "$other" == "0" ] && echo $FAILURE;;
# unmapped client user: the result depends only on the "other" bits
1461 if [ "$mapped" == "0" ]; then
1462 [ "$other" == "1" ] && echo $SUCCESS
1463 [ "$other" == "0" ] && echo $FAILURE
1467 # if mapped user is mds user, check for u+wx
1468 mapped_user=$(get_fops_mapped_user $cli_user)
1469 [ "$mapped_user" == "-1" ] &&
1470 error "unable to find mapping for client user $cli_user"
# $(((mode & 0300) == 0300)) expands to 1 when the owner has both w and x
1472 if [ "$mapped_user" == "$mds_user" -a \
1473 $(((mode & 0300) == 0300)) -eq 1 ]; then
# mapped to someone other than the owner: falls back to the "other" bits
1477 if [ "$mapped_user" != "$mds_user" -a "$other" == "1" ]; then
# Index of the client whose nodemap currently has admin enabled for chmod;
# kept at file scope so it survives between test_fops_chmod_dir calls.
1484 test_fops_admin_cli_i=""
# chmod the test directory from a client whose nodemap has the admin property
# set, switching which nodemap holds admin when required. State is carried
# between calls in the global test_fops_admin_* variables.
# NOTE(review): $3 is stored in dir_to_chmod, but the chmod below targets
# $DIR/$tdir and no visible line reads dir_to_chmod. The visible callers pass
# $DIR/$tdir, so the result is the same today - confirm this is intended.
1485 test_fops_chmod_dir() {
1486 local current_cli_i=$1
1488 local dir_to_chmod=$3
1489 local new_admin_cli_i=""
1491 # do we need to set up a new admin client?
1492 [ "$current_cli_i" == "0" ] && [ "$test_fops_admin_cli_i" != "1" ] &&
1494 [ "$current_cli_i" != "0" ] && [ "$test_fops_admin_cli_i" != "0" ] &&
1497 # if only one client, and non-admin, need to flip admin every time
1498 if [ "$num_clients" == "1" ]; then
1499 test_fops_admin_client=$clients
# remember the current admin value so it can be put back after the chmod
1500 test_fops_admin_val=$(do_facet mgs $LCTL get_param -n \
1501 nodemap.c0.admin_nodemap)
1502 if [ "$test_fops_admin_val" != "1" ]; then
1503 do_facet mgs $LCTL nodemap_modify \
1507 wait_nm_sync c0 admin_nodemap
1509 elif [ "$new_admin_cli_i" != "" ]; then
1510 # restore admin val to old admin client
1511 if [ "$test_fops_admin_cli_i" != "" ] &&
1512 [ "$test_fops_admin_val" != "1" ]; then
1513 do_facet mgs $LCTL nodemap_modify \
1514 --name c${test_fops_admin_cli_i} \
1516 --value $test_fops_admin_val
1517 wait_nm_sync c${test_fops_admin_cli_i} admin_nodemap
# switch the bookkeeping over to the newly selected admin client
1520 test_fops_admin_cli_i=$new_admin_cli_i
1521 test_fops_admin_client=${clients_arr[$new_admin_cli_i]}
1522 test_fops_admin_val=$(do_facet mgs $LCTL get_param -n \
1523 nodemap.c${new_admin_cli_i}.admin_nodemap)
1525 if [ "$test_fops_admin_val" != "1" ]; then
1526 do_facet mgs $LCTL nodemap_modify \
1527 --name c${new_admin_cli_i} \
1530 wait_nm_sync c${new_admin_cli_i} admin_nodemap
# the chmod itself; a failure is returned to the caller rather than raised
1534 do_node $test_fops_admin_client chmod $perm_bits $DIR/$tdir || return 1
1536 # remove admin for single client if originally non-admin
1537 if [ "$num_clients" == "1" ] && [ "$test_fops_admin_val" != "1" ]; then
1538 do_facet mgs $LCTL nodemap_modify --name c0 --property admin \
1540 wait_nm_sync c0 admin_nodemap
# Body of the file-operation matrix driver. Elsewhere in this file it is
# called as `test_fops <mapmode> [single_client]`; the function header and
# the line binding $mapmode are not part of this listing.
# For every MDS-side owner, client, client user and permission mode it
# chmods the test directory, runs the create/delete probe and then the
# quota check.
1548 local single_client="$2"
1549 local client_user_list=([0]="0 $((IDBASE+3))"
1550 [1]="0 $((IDBASE+5))")
1551 local mds_users="-1 0"
# default (fast) run: only modes 003 and 0300
1554 local perm_bit_list="3 $((0300))"
1555 # SLOW tests 000-007, 010-070, 100-700 (octal modes)
1556 if [ "$SLOW" == "yes" ]; then
1557 perm_bit_list="0 $(seq 1 7) $(seq 8 8 63) $(seq 64 64 511) \
1559 client_user_list=([0]="0 $((IDBASE+3)) $((IDBASE+4))"
1560 [1]="0 $((IDBASE+5)) $((IDBASE+6))")
1561 mds_users="-1 0 1 2"
1564 # force single_client to speed up test
1565 [ "$SLOW" == "yes" ] ||
1567 # step through mds users. -1 means root
1568 for mds_i in $mds_users; do
1569 local user=$((mds_i + IDBASE))
1573 [ "$mds_i" == "-1" ] && user=0
# this only prints the command; the mkdir itself is not in the visible lines
1575 echo mkdir -p $DIR/$tdir
1578 for client in $clients; do
1580 for u in ${client_user_list[$cli_i]}; do
# command prefix that runs on $client with uid, gid and group list all set to $u
1581 local run_u="do_node $client \
1582 $RUNAS_CMD -u$u -g$u -G$u"
1583 for perm_bits in $perm_bit_list; do
1584 local mode=$(printf %03o $perm_bits)
# key layout consumed by get_cr_del_expected
1586 key="$mapmode:$user:c$cli_i:$u:$mode"
1587 test_fops_chmod_dir $cli_i $mode \
1589 error cannot chmod $key
1590 do_create_delete "$run_u" "$key"
# open the directory up again before the quota check for this user
1594 test_fops_chmod_dir $cli_i 777 $DIR/$tdir ||
1595 error cannot chmod $key
1596 do_fops_quota_test "$run_u"
1599 cli_i=$((cli_i + 1))
# with single_client=1 only the first client in $clients is exercised
1600 [ "$single_client" == "1" ] && break
# Gate for the nodemap tests: skips and returns 1 when remote_mgs_nodsh
# succeeds, and skips when the MGS is older than 2.5.53 (the end of that
# second chain is not part of this listing).
1607 nodemap_version_check () {
1608 remote_mgs_nodsh && skip "remote MGS with nodsh" && return 1
1609 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1610 skip "No nodemap on $MGS_VERSION MGS < 2.5.53" &&
# Common setup for the nodemap tests: disable the identity upcall on the MDT
# nodes, create the fops nodemaps, set the nodemap active flag and give the
# default nodemap admin=1 and trusted=1.
# Arguments: $1 - pass 0 to leave nodemaps inactive; anything else activates.
1615 nodemap_test_setup() {
1617 local active_nodemap=1
1619 [ "$1" == "0" ] && active_nodemap=0
# applied on every node returned by all_mdts_nodes
1621 do_nodes $(comma_list $(all_mdts_nodes)) \
1622 $LCTL set_param mdt.*.identity_upcall=NONE
1625 create_fops_nodemaps
# $rc is presumably captured from create_fops_nodemaps on a line not shown
1627 [[ $rc != 0 ]] && error "adding fops nodemaps failed $rc"
1629 do_facet mgs $LCTL nodemap_activate $active_nodemap
# NOTE(review): the previous admin/trusted values of the default nodemap are
# not saved here; nodemap_test_cleanup later sets both to 0
1632 do_facet mgs $LCTL nodemap_modify --name default \
1633 --property admin --value 1
1634 wait_nm_sync default admin_nodemap
1635 do_facet mgs $LCTL nodemap_modify --name default \
1636 --property trusted --value 1
1637 wait_nm_sync default trusted_nodemap
# Common teardown for the nodemap tests: delete the fops nodemaps, set admin
# and trusted on the default nodemap to 0, deactivate nodemaps and reset
# SK_UNIQUE_NM.
# NOTE(review): admin/trusted are set to 0 unconditionally; no previously
# saved value is consulted in the visible lines.
1640 nodemap_test_cleanup() {
1642 delete_fops_nodemaps
# $rc is presumably captured from delete_fops_nodemaps on a line not shown
1644 [[ $rc != 0 ]] && error "removing fops nodemaps failed $rc"
1646 do_facet mgs $LCTL nodemap_modify --name default \
1647 --property admin --value 0
1648 wait_nm_sync default admin_nodemap
1649 do_facet mgs $LCTL nodemap_modify --name default \
1650 --property trusted --value 0
1651 wait_nm_sync default trusted_nodemap
# switch the nodemap feature off again and wait until that is visible
1653 do_facet mgs $LCTL nodemap_activate 0
1654 wait_nm_sync active 0
1656 export SK_UNIQUE_NM=false
# Set the admin and trusted properties ($admin, $tr) and wait for the change
# to propagate. Callers in this file pass the two values as arguments; the
# lines binding them and maintaining $i are not part of this listing.
# NOTE(review): the loop runs once per client but every iteration modifies
# nodemap c0, while the sync wait below is on c$((i - 1)). Other loops in
# this file use c${i}. With more than one client the remaining nodemaps keep
# their earlier admin/trusted values - confirm this is intended (the visible
# callers run test_fops with single_client=1, which only exercises the first
# client).
1660 nodemap_clients_admin_trusted() {
1664 for client in $clients; do
1665 do_facet mgs $LCTL nodemap_modify --name c0 \
1666 --property admin --value $admin
1667 do_facet mgs $LCTL nodemap_modify --name c0 \
1668 --property trusted --value $tr
1671 wait_nm_sync c$((i - 1)) admin_nodemap
1672 wait_nm_sync c$((i - 1)) trusted_nodemap
# Test 16: set up the fops nodemaps with the nodemap feature left inactive
# (argument 0), then tear down. The lines between the trap and the cleanup
# call are not part of this listing.
1676 nodemap_version_check || return 0
1677 nodemap_test_setup 0
# NOTE(review): the EXIT trap is not cleared in the visible lines, so the
# cleanup may run a second time when the script exits
1679 trap nodemap_test_cleanup EXIT
1681 nodemap_test_cleanup
1683 run_test 16 "test nodemap all_off fileops"
# Test 17: file operations with clients configured admin=0, trusted=1.
# The first visible line is the tail of a condition whose beginning is not
# part of this listing.
1687 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1688 skip "Need MDS >= 2.11.55"
1690 local check_proj=true
# the projid map_mode step is only exercised on MDS >= 2.14.52
1692 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || check_proj=false
1694 nodemap_version_check || return 0
1697 trap nodemap_test_cleanup EXIT
1698 nodemap_clients_admin_trusted 0 1
1699 test_fops trusted_noadmin 1
1700 if $check_proj; then
1701 do_facet mgs $LCTL nodemap_modify --name c0 \
1702 --property map_mode --value projid
1703 wait_nm_sync c0 map_mode
# test_fops runs again after the map_mode change; where the `if` closes is
# not visible in this listing
1705 test_fops trusted_noadmin 1
1706 nodemap_test_cleanup
1708 run_test 17 "test nodemap trusted_noadmin fileops"
# Test 18: file operations with clients configured admin=0, trusted=0
# (ids are mapped, root is not admin). The first visible line is the tail of
# a condition whose beginning is not part of this listing.
1712 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1713 skip "Need MDS >= 2.11.55"
1716 nodemap_version_check || return 0
1719 trap nodemap_test_cleanup EXIT
# arguments are admin then trusted
1720 nodemap_clients_admin_trusted 0 0
1721 test_fops mapped_noadmin 1
1722 nodemap_test_cleanup
1724 run_test 18 "test nodemap mapped_noadmin fileops"
# Test 19: file operations with clients configured admin=1, trusted=1.
# The first visible line is the tail of a condition whose beginning is not
# part of this listing.
1728 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1729 skip "Need MDS >= 2.11.55"
1732 nodemap_version_check || return 0
1735 trap nodemap_test_cleanup EXIT
# arguments are admin then trusted
1736 nodemap_clients_admin_trusted 1 1
1737 test_fops trusted_admin 1
1738 nodemap_test_cleanup
1740 run_test 19 "test nodemap trusted_admin fileops"
# Test 20: file operations with clients configured admin=1, trusted=0.
# The first visible line is the tail of a condition whose beginning is not
# part of this listing.
1744 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1745 skip "Need MDS >= 2.11.55"
1748 nodemap_version_check || return 0
1751 trap nodemap_test_cleanup EXIT
# arguments are admin then trusted
1752 nodemap_clients_admin_trusted 1 0
1753 test_fops mapped_admin 1
1754 nodemap_test_cleanup
1756 run_test 20 "test nodemap mapped_admin fileops"
# Test 21: mixed setup with admin=0 on every client nodemap and a per-client
# trusted value $x, followed by the full (multi-client) fops matrix.
# The lines that set $i and $x are not part of this listing.
1760 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1761 skip "Need MDS >= 2.11.55"
1764 nodemap_version_check || return 0
1767 trap nodemap_test_cleanup EXIT
1770 for client in $clients; do
1771 do_facet mgs $LCTL nodemap_modify --name c${i} \
1772 --property admin --value 0
1773 do_facet mgs $LCTL nodemap_modify --name c${i} \
1774 --property trusted --value $x
# only the last modified nodemap is waited on
1778 wait_nm_sync c$((i - 1)) trusted_nodemap
# no single_client argument here, unlike tests 17-20
1780 test_fops mapped_trusted_noadmin
1781 nodemap_test_cleanup
1783 run_test 21 "test nodemap mapped_trusted_noadmin fileops"
# Test 22: mixed setup with admin=1 on every client nodemap and a per-client
# trusted value $x, followed by the full (multi-client) fops matrix.
# The lines that set $i and $x are not part of this listing.
1787 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1788 skip "Need MDS >= 2.11.55"
1791 nodemap_version_check || return 0
1794 trap nodemap_test_cleanup EXIT
1797 for client in $clients; do
1798 do_facet mgs $LCTL nodemap_modify --name c${i} \
1799 --property admin --value 1
1800 do_facet mgs $LCTL nodemap_modify --name c${i} \
1801 --property trusted --value $x
# only the last modified nodemap is waited on
1805 wait_nm_sync c$((i - 1)) trusted_nodemap
# no single_client argument here, unlike tests 17-20
1807 test_fops mapped_trusted_admin
1808 nodemap_test_cleanup
1810 run_test 22 "test nodemap mapped_trusted_admin fileops"
1812 # acl test directory needs to be initialized on a privileged client
# Temporarily raises nodemap c0 to admin=1/trusted=1, recreates the test
# directory from the first client with mode a+rwx, then restores the saved
# admin/trusted values.
1813 nodemap_acl_test_setup() {
# save the current values so they can be restored below
1814 local admin=$(do_facet mgs $LCTL get_param -n \
1815 nodemap.c0.admin_nodemap)
1816 local trust=$(do_facet mgs $LCTL get_param -n \
1817 nodemap.c0.trusted_nodemap)
1819 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1820 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
1822 wait_nm_sync c0 admin_nodemap
1823 wait_nm_sync c0 trusted_nodemap
# NOTE(review): recursive delete on the client with an unquoted path; this
# relies on the framework always providing non-empty $DIR and $tdir
1825 do_node ${clients_arr[0]} rm -rf $DIR/$tdir
1827 do_node ${clients_arr[0]} chmod a+rwx $DIR/$tdir ||
1828 error unable to chmod a+rwx test dir $DIR/$tdir
# put c0 back to the privileges it had on entry
1830 do_facet mgs $LCTL nodemap_modify --name c0 \
1831 --property admin --value $admin
1832 do_facet mgs $LCTL nodemap_modify --name c0 \
1833 --property trusted --value $trust
1835 wait_nm_sync c0 trusted_nodemap
1838 # returns 0 if the number of ACLs does not change on the second (mapped) client
1839 # after being set on the first client
# Arguments as used by the visible callers: user id, client that runs
# setfacl, client that runs getfacl, and an optional 1 meaning "setfacl is
# expected to fail". The line binding $user is not part of this listing.
# NOTE(review): outside the expect-failure mode a failed setfacl only prints
# a warning, and the ACL count then stays unchanged. A return of 0 therefore
# does not by itself show that the nodemap filtered the entry - callers that
# assert "not seen" would also pass if setfacl failed for another reason.
1840 nodemap_acl_test() {
1842 local set_client="$2"
1843 local get_client="$3"
1844 local check_setfacl="$4"
1845 local setfacl_error=0
1846 local testfile=$DIR/$tdir/$tfile
1847 local RUNAS_USER="$RUNAS_CMD -u $user"
1849 local acl_count_post=0
1851 nodemap_acl_test_setup
1854 do_node $set_client $RUNAS_USER touch $testfile
1855 # remove from cache, otherwise ACLs will not be fetched from server
1856 do_rpc_nodes $set_client cancel_lru_locks
1857 do_node $set_client "sync ; echo 3 > /proc/sys/vm/drop_caches"
1859 # ACL masks aren't filtered by nodemap code, so we ignore them
1860 acl_count=$(do_node $get_client getfacl $testfile | grep -v mask |
1862 # remove from cache, otherwise ACLs will not be fetched from server
1863 do_rpc_nodes $get_client cancel_lru_locks
1864 do_node $get_client "sync ; echo 3 > /proc/sys/vm/drop_caches"
# grant rwx to $user, executed as $user on the setting client
1865 do_node $set_client $RUNAS_USER setfacl -m $user:rwx $testfile ||
1867 # remove from cache, otherwise ACLs will not be fetched from server
1868 do_rpc_nodes $set_client cancel_lru_locks
1869 do_node $set_client "sync ; echo 3 > /proc/sys/vm/drop_caches"
1871 # if check setfacl is set to 1, then it's supposed to error
1872 if [ "$check_setfacl" == "1" ]; then
1873 [ "$setfacl_error" != "1" ] && return 1
1876 [ "$setfacl_error" == "1" ] && echo "WARNING: unable to setfacl"
1878 acl_count_post=$(do_node $get_client getfacl $testfile | grep -v mask |
1880 # remove from cache, otherwise ACLs will not be fetched from server
1881 do_rpc_nodes $get_client cancel_lru_locks
1882 do_node $get_client "sync ; echo 3 > /proc/sys/vm/drop_caches"
# unquoted operands: an empty count makes the test itself fail with an error
1883 [ $acl_count -eq $acl_count_post ] && return 0
# Test 23a: check which ACL entries cross the nodemap boundary between a
# trusted client (c0) and a mapped client (c1), then between two mapped
# clients. nodemap_acl_test returns 0 when the ACL count seen on the reading
# client did not change, so `|| error` asserts "entry not seen" and
# `&& error` asserts "entry seen".
1888 [ $num_clients -lt 2 ] && skip "Need 2 clients at least" && return
1889 nodemap_version_check || return 0
1892 trap nodemap_test_cleanup EXIT
1893 # 1 trusted cluster, 1 mapped cluster
1894 local unmapped_fs=$((IDBASE+0))
1895 local unmapped_c1=$((IDBASE+5))
1896 local mapped_fs=$((IDBASE+2))
1897 local mapped_c0=$((IDBASE+4))
1898 local mapped_c1=$((IDBASE+6))
1900 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1901 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
1903 do_facet mgs $LCTL nodemap_modify --name c1 --property admin --value 0
1904 do_facet mgs $LCTL nodemap_modify --name c1 --property trusted --value 0
1906 wait_nm_sync c1 trusted_nodemap
1908 # setfacl on trusted cluster to unmapped user, verify it's not seen
1909 nodemap_acl_test $unmapped_fs ${clients_arr[0]} ${clients_arr[1]} ||
1910 error "acl count (1)"
1912 # setfacl on trusted cluster to mapped user, verify it's seen
1913 nodemap_acl_test $mapped_fs ${clients_arr[0]} ${clients_arr[1]} &&
1914 error "acl count (2)"
1916 # setfacl on mapped cluster to mapped user, verify it's seen
1917 nodemap_acl_test $mapped_c1 ${clients_arr[1]} ${clients_arr[0]} &&
1918 error "acl count (3)"
1920 # setfacl on mapped cluster to unmapped user, verify error
1921 nodemap_acl_test $unmapped_fs ${clients_arr[1]} ${clients_arr[0]} 1 ||
1922 error "acl count (4)"
# second half: c0 becomes a mapped, non-admin client as well
1925 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 0
1926 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 0
1928 wait_nm_sync c0 trusted_nodemap
1930 # setfacl to mapped user on c1, also mapped to c0, verify it's seen
1931 nodemap_acl_test $mapped_c1 ${clients_arr[1]} ${clients_arr[0]} &&
1932 error "acl count (5)"
1934 # setfacl to mapped user on c1, not mapped to c0, verify not seen
1935 nodemap_acl_test $unmapped_c1 ${clients_arr[1]} ${clients_arr[0]} ||
1936 error "acl count (6)"
1938 nodemap_test_cleanup
1940 run_test 23a "test mapped regular ACLs"
# Test 23b: a default group ACL set on one client must show up with the
# mapped gid on a second client whose nodemap maps that gid.
1942 test_23b() { #LU-9929
1943 [ $num_clients -lt 2 ] && skip "Need 2 clients at least"
1944 [ "$MGS_VERSION" -lt $(version_code 2.10.53) ] &&
1945 skip "Need MGS >= 2.10.53"
1947 export SK_UNIQUE_NM=true
1949 trap nodemap_test_cleanup EXIT
1951 local testdir=$DIR/$tdir
1952 local fs_id=$((IDBASE+10))
1957 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1958 wait_nm_sync c0 admin_nodemap
1959 do_facet mgs $LCTL nodemap_modify --name c1 --property admin --value 1
1960 wait_nm_sync c1 admin_nodemap
1961 do_facet mgs $LCTL nodemap_modify --name c1 --property trusted --value 1
1962 wait_nm_sync c1 trusted_nodemap
1964 # Add idmap $ID0:$fs_id (500:60010)
1965 do_facet mgs $LCTL nodemap_add_idmap --name c0 --idtype gid \
1966 --idmap $ID0:$fs_id ||
1967 error "add idmap $ID0:$fs_id to nodemap c0 failed"
1968 wait_nm_sync c0 idmap
1970 # set/getfacl default acl on client 1 (unmapped gid=500)
1971 do_node ${clients_arr[0]} rm -rf $testdir
1972 do_node ${clients_arr[0]} mkdir -p $testdir
1973 # Here, USER0=$(getent passwd | grep :$ID0:$ID0: | cut -d: -f1)
1974 do_node ${clients_arr[0]} setfacl -R -d -m group:$USER0:rwx $testdir ||
1975 error "setfacl $testdir on ${clients_arr[0]} failed"
# third colon-separated field of the default:group:...:rwx line
1976 unmapped_id=$(do_node ${clients_arr[0]} getfacl $testdir |
1977 grep -E "default:group:.*:rwx" | awk -F: '{print $3}')
1978 [ "$unmapped_id" = "$USER0" ] ||
1979 error "gid=$ID0 was not unmapped correctly on ${clients_arr[0]}"
1981 # getfacl default acl on client 2 (mapped gid=60010)
1982 mapped_id=$(do_node ${clients_arr[1]} getfacl $testdir |
1983 grep -E "default:group:.*:rwx" | awk -F: '{print $3}')
# resolve the mapped id to a name on client 2, falling back to the number
1984 fs_user=$(do_node ${clients_arr[1]} getent passwd |
1985 grep :$fs_id:$fs_id: | cut -d: -f1)
1986 [ -z "$fs_user" ] && fs_user=$fs_id
# NOTE(review): -eq needs integers on both sides. If getfacl prints a name
# (or nothing) for mapped_id, the whole test exits with an error status and
# the string comparison after -o cannot rescue it, so the "or $fs_user"
# alternative is not reachable for a non-numeric value.
1987 [ $mapped_id -eq $fs_id -o "$mapped_id" = "$fs_user" ] ||
1988 error "Should return gid=$fs_id or $fs_user on client2"
1991 nodemap_test_cleanup
1992 export SK_UNIQUE_NM=false
1994 run_test 23b "test mapped default ACLs"
# Test 24: read every nodemap parameter recursively on all server nodes; per
# the test title this is a check that reading them does not crash a server.
# The output itself is not compared with anything in the visible lines.
1999 trap nodemap_test_cleanup EXIT
2000 do_nodes $(comma_list $(all_server_nodes)) $LCTL get_param -R nodemap
2002 nodemap_test_cleanup
2004 run_test 24 "check nodemap proc files for LBUGs and Oopses"
# Test 25: record nodemap_info on the MGS and the MDS, restart the file
# system, and check that both dumps are unchanged afterwards.
# NOTE(review): four temp files are created but only $tmpfile and $tmpfile2
# are removed in the visible lines; $tmpfile3/$tmpfile4 appear to be left
# behind. They are also not removed when an error path is taken.
2007 local tmpfile=$(mktemp)
2008 local tmpfile2=$(mktemp)
2009 local tmpfile3=$(mktemp)
2010 local tmpfile4=$(mktemp)
2014 nodemap_version_check || return 0
2016 # stop clients for this test
2017 zconf_umount_clients $CLIENTS $MOUNT ||
2018 error "unable to umount clients $CLIENTS"
2020 export SK_UNIQUE_NM=true
2023 # enable trusted/admin for setquota call in cleanup_and_setup_lustre()
2025 for client in $clients; do
2026 do_facet mgs $LCTL nodemap_modify --name c${i} \
2027 --property admin --value 1
2028 do_facet mgs $LCTL nodemap_modify --name c${i} \
2029 --property trusted --value 1
2032 wait_nm_sync c$((i - 1)) trusted_nodemap
2034 trap nodemap_test_cleanup EXIT
2036 # create a new, empty nodemap, and add fileset info to it
# NOTE(review): the nodemap is created under the literal name test25 while
# the message and the set_param below use $testname; the assignments of
# $testname and $subdir are not part of this listing - confirm they agree
2037 do_facet mgs $LCTL nodemap_add test25 ||
2038 error "unable to create nodemap $testname"
2039 do_facet mgs $LCTL set_param -P nodemap.$testname.fileset=/$subdir ||
2040 error "unable to add fileset info to nodemap test25"
2042 wait_nm_sync test25 id
# reference dumps taken before the restart
2044 do_facet mgs $LCTL nodemap_info > $tmpfile
2045 do_facet mds $LCTL nodemap_info > $tmpfile2
2047 if ! $SHARED_KEY; then
2048 # will conflict with SK's nodemaps
2049 cleanup_and_setup_lustre
2051 # stop clients for this test
2052 zconf_umount_clients $CLIENTS $MOUNT ||
2053 error "unable to umount clients $CLIENTS"
# dumps after the restart must be identical to the reference dumps
2055 do_facet mgs $LCTL nodemap_info > $tmpfile3
2056 diff -q $tmpfile3 $tmpfile >& /dev/null ||
2057 error "nodemap_info diff on MGS after remount"
2059 do_facet mds $LCTL nodemap_info > $tmpfile4
2060 diff -q $tmpfile4 $tmpfile2 >& /dev/null ||
2061 error "nodemap_info diff on MDS after remount"
2064 do_facet mgs $LCTL nodemap_del test25 ||
2065 error "cannot delete nodemap test25 from config"
2066 nodemap_test_cleanup
2067 # restart clients previously stopped
2068 zconf_mount_clients $CLIENTS $MOUNT ||
2069 error "unable to mount clients $CLIENTS"
2071 rm -f $tmpfile $tmpfile2
2072 export SK_UNIQUE_NM=false
2074 run_test 25 "test save and reload nodemap config"
# Test 26: add and then delete nodemaps c1..c$large_i on the MGS in one
# remote pipeline each, waiting for the last one to sync. The assignment of
# $large_i is not part of this listing.
2077 nodemap_version_check || return 0
# seq prints c1 ... c<large_i>; xargs -n1 runs one lctl call per name
2081 do_facet mgs "seq -f 'c%g' $large_i | xargs -n1 $LCTL nodemap_add"
2082 wait_nm_sync c$large_i admin_nodemap
2084 do_facet mgs "seq -f 'c%g' $large_i | xargs -n1 $LCTL nodemap_del"
2085 wait_nm_sync c$large_i admin_nodemap
2087 run_test 26 "test transferring very large nodemap"
# Exercise the fileset property of nodemap $nm: set it to /$subdir and check
# that the first client only sees that subtree, optionally check project-id
# mapping with deny_unknown, remount below a sub-subdirectory, then clear the
# fileset and check the whole tree is visible again.
# Called with the nodemap name as argument; the line binding $nm is not part
# of this listing. $subdir and $subsubdir come from the caller's scope.
2089 nodemap_exercise_fileset() {
2092 local check_proj=true
# the project-id part is only exercised on MDS >= 2.14.52
2094 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || check_proj=false
2097 if [ "$nm" == "default" ]; then
2098 do_facet mgs $LCTL nodemap_activate 1
2100 do_facet mgs $LCTL nodemap_modify --name default \
2101 --property admin --value 1
2102 do_facet mgs $LCTL nodemap_modify --name default \
2103 --property trusted --value 1
2104 wait_nm_sync default admin_nodemap
2105 wait_nm_sync default trusted_nodemap
2110 if $SHARED_KEY; then
2111 export SK_UNIQUE_NM=true
2113 # will conflict with SK's nodemaps
# $nm is expanded when the trap is installed and the resulting string is
# evaluated as shell code at exit; the visible caller only passes the fixed
# names "default" and "c0"
2114 trap "fileset_test_cleanup $nm" EXIT
2116 fileset_test_setup "$nm"
2118 # add fileset info to $nm nodemap
2119 if ! combined_mgs_mds; then
2120 do_facet mgs $LCTL set_param nodemap.${nm}.fileset=/$subdir ||
2121 error "unable to add fileset info to $nm nodemap on MGS"
2123 do_facet mgs $LCTL set_param -P nodemap.${nm}.fileset=/$subdir ||
2124 error "unable to add fileset info to $nm nodemap for servers"
2125 wait_nm_sync $nm fileset "nodemap.${nm}.fileset=/$subdir"
# project-id setup: only projid 1 is mapped and unknown ids are denied, so
# the quota calls further down can tell a mapped id from an unmapped one
2127 if $check_proj; then
2128 do_facet mgs $LCTL nodemap_modify --name $nm \
2129 --property admin --value 1
2130 wait_nm_sync $nm admin_nodemap
2131 do_facet mgs $LCTL nodemap_modify --name $nm \
2132 --property trusted --value 0
2133 wait_nm_sync $nm trusted_nodemap
2134 do_facet mgs $LCTL nodemap_modify --name $nm \
2135 --property map_mode --value projid
2136 wait_nm_sync $nm map_mode
2137 do_facet mgs $LCTL nodemap_add_idmap --name $nm \
2138 --idtype projid --idmap 1:1
2139 do_facet mgs $LCTL nodemap_modify --name $nm \
2140 --property deny_unknown --value 1
2141 wait_nm_sync $nm deny_unknown
2145 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2146 error "unable to umount client ${clients_arr[0]}"
2147 # set some generic fileset to trigger SSK code
2149 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2150 error "unable to remount client ${clients_arr[0]}"
2153 # test mount point content
# the marker file exists only inside /$subdir, so finding it at the mount
# root shows that the fileset restriction was applied
2154 do_node ${clients_arr[0]} test -f $MOUNT/this_is_$subdir ||
2155 error "fileset not taken into account"
2157 if $check_proj; then
# mapped project id 1 must be accepted ...
2158 do_node ${clients_arr[0]} $LFS setquota -p 1 -b 10000 -B 11000 \
2159 -i 0 -I 0 $MOUNT || error "setquota -p 1 failed"
# ... and unmapped project id 2 must be rejected
2160 do_node ${clients_arr[0]} $LFS setquota -p 2 -b 10000 -B 11000 \
2161 -i 0 -I 0 $MOUNT && error "setquota -p 2 should fail"
2164 # re-mount client with sub-subdir
2165 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2166 error "unable to umount client ${clients_arr[0]}"
2167 export FILESET=/$subsubdir
2168 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2169 error "unable to remount client ${clients_arr[0]}"
2172 # test mount point content
2173 do_node ${clients_arr[0]} test -f $MOUNT/this_is_$subsubdir ||
2174 error "subdir of fileset not taken into account"
2176 # remove fileset info from nodemap
2177 do_facet mgs $LCTL nodemap_set_fileset --name $nm --fileset clear ||
2178 error "unable to delete fileset info on $nm nodemap"
2179 wait_update_facet mgs "$LCTL get_param nodemap.${nm}.fileset" \
2180 "nodemap.${nm}.fileset=" ||
2181 error "fileset info still not cleared on $nm nodemap"
2182 do_facet mgs $LCTL set_param -P nodemap.${nm}.fileset=clear ||
2183 error "unable to reset fileset info on $nm nodemap"
2184 wait_nm_sync $nm fileset "nodemap.${nm}.fileset="
2185 do_facet mgs $LCTL set_param -P -d nodemap.${nm}.fileset ||
2186 error "unable to remove fileset rule on $nm nodemap"
2189 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2190 error "unable to umount client ${clients_arr[0]}"
2191 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2192 error "unable to remount client ${clients_arr[0]}"
2194 # test mount point content
# NOTE(review): the command substitution runs do_node and then executes its
# (normally empty) output; the `if` sees do_node's exit status only when
# nothing is printed. A plain `if ! do_node ...` states the same check.
2195 if ! $(do_node ${clients_arr[0]} test -d $MOUNT/$subdir); then
2197 error "fileset not cleared on $nm nodemap"
2200 # back to non-nodemap setup
2201 if $SHARED_KEY; then
2202 export SK_UNIQUE_NM=false
2203 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2204 error "unable to umount client ${clients_arr[0]}"
2206 fileset_test_cleanup "$nm"
2207 if [ "$nm" == "default" ]; then
2208 do_facet mgs $LCTL nodemap_modify --name default \
2209 --property admin --value 0
2210 do_facet mgs $LCTL nodemap_modify --name default \
2211 --property trusted --value 0
2212 wait_nm_sync default admin_nodemap
2213 wait_nm_sync default trusted_nodemap
2214 do_facet mgs $LCTL nodemap_activate 0
2215 wait_nm_sync active 0
2217 export SK_UNIQUE_NM=false
2219 nodemap_test_cleanup
2221 if $SHARED_KEY; then
2222 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2223 error "unable to remount client ${clients_arr[0]}"
# Test 27a: run nodemap_exercise_fileset for the "default" nodemap and for
# "c0". The "default" case is skipped when SHARED_KEY is true.
2228 [ "$MDS1_VERSION" -lt $(version_code 2.11.50) ] &&
2229 skip "Need MDS >= 2.11.50"
2231 # if servers run on the same node, it is impossible to tell if they get
2232 # synced with the mgs, so this test needs to be skipped
2233 if [ $(facet_active_host mgs) == $(facet_active_host mds) ] &&
2234 [ $(facet_active_host mgs) == $(facet_active_host ost1) ]; then
2235 skip "local mode not supported"
2238 for nm in "default" "c0"; do
# directory names are derived from the nodemap name and read by
# nodemap_exercise_fileset from this scope
2239 local subdir="subdir_${nm}"
2240 local subsubdir="subsubdir_${nm}"
2242 if [ "$nm" == "default" ] && [ "$SHARED_KEY" == "true" ]; then
2243 echo "Skipping nodemap $nm with SHARED_KEY";
2247 echo "Exercising fileset for nodemap $nm"
2248 nodemap_exercise_fileset "$nm"
2251 run_test 27a "test fileset in various nodemaps"
# Test 27b: create one nodemap per MDT (nm1..nm$MDSCOUNT), give each its own
# fileset /dir$i, and check on mds$i that nm$i still reports its own fileset
# after the later nodemaps were added.
2253 test_27b() { #LU-10703
2254 [ "$MDS1_VERSION" -lt $(version_code 2.11.50) ] &&
2255 skip "Need MDS >= 2.11.50"
2256 [[ $MDSCOUNT -lt 2 ]] && skip "needs >= 2 MDTs"
2258 # if servers run on the same node, it is impossible to tell if they get
2259 # synced with the mgs, so this test needs to be skipped
2260 if [ $(facet_active_host mgs) == $(facet_active_host mds) ] &&
2261 [ $(facet_active_host mgs) == $(facet_active_host ost1) ]; then
2262 skip "local mode not supported"
2266 trap nodemap_test_cleanup EXIT
2268 # Add the nodemaps and set their filesets
2269 for i in $(seq 1 $MDSCOUNT); do
# best-effort removal of a leftover nodemap; errors are discarded on purpose
2270 do_facet mgs $LCTL nodemap_del nm$i 2>/dev/null
2271 do_facet mgs $LCTL nodemap_add nm$i ||
2272 error "add nodemap nm$i failed"
2273 wait_nm_sync nm$i "" "" "-N"
2275 if ! combined_mgs_mds; then
2277 $LCTL set_param nodemap.nm$i.fileset=/dir$i ||
2278 error "set nm$i.fileset=/dir$i failed on MGS"
2280 do_facet mgs $LCTL set_param -P nodemap.nm$i.fileset=/dir$i ||
2281 error "set nm$i.fileset=/dir$i failed on servers"
2282 wait_nm_sync nm$i fileset "nodemap.nm$i.fileset=/dir$i"
2285 # Check if all the filesets are correct
2286 for i in $(seq 1 $MDSCOUNT); do
2287 fileset=$(do_facet mds$i \
2288 $LCTL get_param -n nodemap.nm$i.fileset)
2289 [ "$fileset" = "/dir$i" ] ||
2290 error "nm$i.fileset $fileset != /dir$i on mds$i"
# remove the persistent rule first, then the nodemap itself
2291 do_facet mgs $LCTL set_param -P -d nodemap.nm$i.fileset ||
2292 error "unable to remove fileset rule for nm$i nodemap"
2293 do_facet mgs $LCTL nodemap_del nm$i ||
2294 error "delete nodemap nm$i failed"
2297 nodemap_test_cleanup
2299 run_test 27b "The new nodemap won't clear the old nodemap's fileset"
# Test 28: flush the security contexts on the MDS and on the client and
# check that the first srpc context reports a different "expire:" value
# afterwards, and that a file created before the flush is still there.
2302 if ! $SHARED_KEY; then
2303 skip "need shared key feature for this test" && return
2305 mkdir -p $DIR/$tdir || error "mkdir failed"
2306 touch $DIR/$tdir/$tdir.out || error "touch failed"
2307 if [ ! -f $DIR/$tdir/$tdir.out ]; then
2308 error "read before rotation failed"
2310 # store top key identity to ensure rotation has occurred
# the value compared is the field following "expire:" in the first line
2311 SK_IDENTITY_OLD=$($LCTL get_param -n *.*.*srpc_contexts 2>/dev/null |
2312 head -n 1 | awk 'BEGIN{RS=", "} $1=="expire:"{print $2}')
2313 do_facet $SINGLEMDS lfs flushctx ||
2314 error "could not run flushctx on $SINGLEMDS"
2316 lfs flushctx || error "could not run flushctx on client"
2318 # verify new key is in place
2319 SK_IDENTITY_NEW=$($LCTL get_param -n *.*.*srpc_contexts 2>/dev/null |
2320 head -n 1 | awk 'BEGIN{RS=", "} $1=="expire:"{print $2}')
# NOTE(review): get_param errors are discarded above and the operands here
# are unquoted. If exactly one of the two values is empty the test command
# itself errors out and the branch is not taken, so a missing context is not
# told apart from a rotated one. Checking that both values are non-empty
# before comparing would make this assertion fail closed.
2321 if [ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]; then
2322 error "key did not rotate correctly"
2324 if [ ! -f $DIR/$tdir/$tdir.out ]; then
2325 error "read after rotation failed"
2328 run_test 28 "check shared key rotation method"
# Test 29: with an integrity-protecting flavor (ski or skpi), a client whose
# keyring was emptied and whose key path points at /dev/null must not be
# able to mount. The test fails if the mount succeeds.
2331 if ! $SHARED_KEY; then
2332 skip "need shared key feature for this test" && return
2334 if [ $SK_FLAVOR != "ski" ] && [ $SK_FLAVOR != "skpi" ]; then
2335 skip "test only valid if integrity is active"
2338 mkdir $DIR/$tdir || error "mkdir"
2339 touch $DIR/$tdir/$tfile || error "touch"
2340 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2341 error "unable to umount clients"
# unlink every key whose `keyctl show` line mentions lustre, so the next
# mount cannot fall back on a key that is already loaded
2342 do_node ${clients_arr[0]} "keyctl show |
2343 awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
2344 OLD_SK_PATH=$SK_PATH
2345 export SK_PATH=/dev/null
2346 if zconf_mount_clients ${clients_arr[0]} $MOUNT; then
# the mount should not have worked: restore the path first, then report
# whether the file was readable as well
2347 export SK_PATH=$OLD_SK_PATH
2348 do_node ${clients_arr[0]} "ls $DIR/$tdir/$tfile"
2349 if [ $? -eq 0 ]; then
2350 error "able to mount and read without key"
2352 error "able to mount without key"
# expected path: restore the key path, clear the keyring and mount normally
2355 export SK_PATH=$OLD_SK_PATH
2356 do_node ${clients_arr[0]} "keyctl show |
2357 awk '/lustre/ { print \\\$1 }' |
2358 xargs -IX keyctl unlink X"
2360 zconf_mount_clients ${clients_arr[0]} $MOUNT ||
2361 error "unable to mount clients"
2363 run_test 29 "check for missing shared key"
# Test 30: with an integrity-protecting flavor (ski or skpi), a client that
# presents a key generated for a different file system name must not be able
# to mount. The test fails if the mount succeeds.
# NOTE(review): no visible line removes $FSNAME-bogus.key from the client
# after the test - confirm it is cleaned up elsewhere, since it sits in the
# same directory as the real keys.
2366 if ! $SHARED_KEY; then
2367 skip "need shared key feature for this test" && return
2369 if [ $SK_FLAVOR != "ski" ] && [ $SK_FLAVOR != "skpi" ]; then
2370 skip "test only valid if integrity is active"
2372 mkdir -p $DIR/$tdir || error "mkdir failed"
2373 touch $DIR/$tdir/$tdir.out || error "touch failed"
2374 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2375 error "unable to umount clients"
2376 # unload keys from ring
2377 do_node ${clients_arr[0]} "keyctl show |
2378 awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
2379 # generate key with bogus filesystem name
2380 do_node ${clients_arr[0]} "$LGSS_SK -w $SK_PATH/$FSNAME-bogus.key \
2381 -f $FSNAME.bogus -t client -d /dev/urandom" ||
2382 error "lgss_sk failed (1)"
2383 do_facet $SINGLEMDS lfs flushctx || error "could not run flushctx"
2384 OLD_SK_PATH=$SK_PATH
# point the mount at the bogus key only
2385 export SK_PATH=$SK_PATH/$FSNAME-bogus.key
2386 if zconf_mount_clients ${clients_arr[0]} $MOUNT; then
# the mount should not have worked: restore the path first, then report
# whether the file was readable as well
2387 SK_PATH=$OLD_SK_PATH
2388 do_node ${clients_arr[0]} "ls $DIR/$tdir/$tdir.out"
2389 if [ $? -eq 0 ]; then
2390 error "mount and read file with invalid key"
2392 error "mount with invalid key"
2395 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2396 error "unable to umount clients"
2397 # unload keys from ring
2398 do_node ${clients_arr[0]} "keyctl show |
2399 awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
# back to the real key location before the final mount
2401 SK_PATH=$OLD_SK_PATH
2402 zconf_mount_clients ${clients_arr[0]} $MOUNT ||
2403 error "unable to mount clients"
2405 run_test 30 "check for invalid shared key"
# Basic I/O smoke sequence used by test 30b: create a directory and file,
# list it, write 10 MB with fsync, remove both, then drop the local caches.
# Every failure message carries $flvr. The function header and the line
# binding $flvr are not part of this listing.
2410 mkdir -p $DIR/$tdir || error "mkdir $flvr"
2411 touch $DIR/$tdir/f0 || error "touch $flvr"
2412 ls $DIR/$tdir || error "ls $flvr"
2413 dd if=/dev/zero of=$DIR/$tdir/f0 conv=fsync bs=1M count=10 \
2414 >& /dev/null || error "dd $flvr"
2415 rm -f $DIR/$tdir/f0 || error "rm $flvr"
2416 rmdir $DIR/$tdir || error "rmdir $flvr"
# writing 3 asks the kernel to drop page cache plus dentries and inodes
2419 echo 3 > /proc/sys/vm/drop_caches
# Test 30b: iterate over the SSK flavors skn, ska, ski and skpi. The loop
# body that switches flavor and runs the I/O check is only partly visible.
# The original flavor is saved on entry and written back inside the loop,
# and restore_to_default_flavor is registered to run at exit.
2423 local save_flvr=$SK_FLAVOR
2425 if ! $SHARED_KEY; then
2426 skip "need shared key feature for this test"
2429 stack_trap restore_to_default_flavor EXIT
2431 for flvr in skn ska ski skpi; do
2434 restore_to_default_flavor || error "cannot set $flvr flavor"
2435 SK_FLAVOR=$save_flvr
2440 run_test 30b "basic test of all different SSK flavors"
# Cleanup for test 31: unmount the client, reload the modules and rewrite
# the failover configuration of mds1 so that the extra network NID added by
# the test is gone.
# Arguments: $1 - the failover NIDs mds1 had before the test (may be empty).
# The function header is not part of this listing.
2443 local failover_mds1=$1
2446 zconf_umount $HOSTNAME $MOUNT || error "unable to umount client"
2448 # necessary to do writeconf in order to de-register
2449 # @${NETTYPE}999 nid for targets
2451 export KEEP_ZPOOL="true"
2453 LOAD_MODULES_REMOTE=true unload_modules
2454 LOAD_MODULES_REMOTE=true load_modules
# drop whatever failover.node the test configured on mds1
2456 do_facet mds1 $TUNEFS --erase-param failover.node $(mdsdevname 1)
2457 if [ -n "$failover_mds1" ]; then
# a previous value existed: put it back
2458 do_facet mds1 $TUNEFS \
2459 --servicenode=$failover_mds1 $(mdsdevname 1)
2461 # If no service node previously existed, setting one in test_31
2462 # added the no_primnode flag to the target. To remove everything
2463 # and clear the flag, add a meaningless failnode and remove it.
2464 do_facet mds1 $TUNEFS \
2465 --failnode=$(do_facet mds1 $LCTL list_nids | head -1) \
2467 do_facet mds1 $TUNEFS \
2468 --erase-param failover.node $(mdsdevname 1)
2471 export SK_MOUNTED=false
# $KZPOOL presumably holds the KEEP_ZPOOL value saved on a line not shown
2474 export KEEP_ZPOOL="$KZPOOL"
# Body of test 31 ("client mount option '-o network'", per the run_test line
# at the end). It brings up a second LNet network ${NETTYPE}999 on every node,
# re-registers the targets on it, and checks that a client mounted with
# -o network=<that net> is only known to the servers on that network.
# NOTE(review): the line numbers embedded in this listing skip values, so the
# function header, closing keywords (fi/else/done) and possibly some
# statements are not shown. $net, used below, is not assigned in the visible
# lines.
2478 local nid=$(lctl list_nids | grep ${NETTYPE} | head -n1)
2479 local addr=${nid%@*}
2481 local net2=${NETTYPE}999
2482 local mdsnid=$(do_facet mds1 $LCTL list_nids | head -1)
2483 local addr1=${mdsnid%@*}
2484 local addr2 failover_mds1
2486 export LNETCTL=$(which lnetctl 2> /dev/null)
2488 [ -z "$LNETCTL" ] && skip "without lnetctl support." && return
2489 local_mode && skip "in local mode."
2491 if $SHARED_KEY; then
2492 skip "Conflicting test with SSK"
# Derive a second server address addr2 from addr1 by adding 11 to its last
# component: an IPv6 group (mod 65536), an IPv4 octet (mod 256), or a plain
# integer address.
2495 if [[ $addr1 =~ ^([0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}$ ]]; then
2496 local tmp=$(printf "%x" $(((0x${addr1##*:} + 11) % 65536)))
2498 addr2=${addr1%:*}:${tmp}
2499 elif [[ $addr1 =~ ^([0-9]{1,3}\.){3,3}[0-9]{1,3}$ ]]; then
2500 addr2=${addr1%.*}.$(((${addr1##*.} + 11) % 256))
2501 elif [[ $addr1 =~ ^[0-9]+$ ]]; then
2502 addr2=$((addr1 + 11))
2505 # build list of interface on nodes
# infname is a per-node variable name (short host name with '-' replaced by
# '_'); it is read back further down through ${!infname}.
2506 for node in $(all_nodes); do
2507 infname=inf_$(echo $node | cut -d'.' -f1 | sed s+-+_+g)
2508 itf=$(do_node $node $LNETCTL net show --net $net |
2510 {if (inf==1) { print $2; exit; } fi} /interfaces/{inf=1}')
2515 local mgsnid_orig=$MGSNID
2516 # compute new MGSNID
2517 local mgsnid_new=${MGSNID%@*}@$net2
2519 # save mds failover nids for restore at cleanup
2520 failover_mds1=$(do_facet mds1 $TUNEFS --dryrun $(mdsdevname 1))
2521 if [ -n "$failover_mds1" ]; then
2522 failover_mds1=${failover_mds1##*Parameters:}
2523 failover_mds1=${failover_mds1%%exiting*}
2524 failover_mds1=$(echo $failover_mds1 | tr ' ' '\n' |
2525 grep failover.node | cut -d'=' -f2-)
# NOTE(review): $failover_mds1 is expanded when the trap is registered and is
# embedded unquoted, so cleanup_31 receives it word-split.
2527 stack_trap "cleanup_31 $failover_mds1" EXIT
# grep -q prints nothing, so `if $(grep -q ...)` ends up testing grep's exit
# status; the pattern is the unquoted mount point followed by a space.
2530 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
2531 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
2533 if $(grep -q $MOUNT' ' /proc/mounts); then
2534 umount_client $MOUNT || error "umount $MOUNT failed"
2537 # check exports on servers are empty for client
2538 do_facet mgs "lctl get_param *.MGS*.exports.*.export"
2539 do_facet mgs "lctl get_param -n *.MGS*.exports.'$nid'.uuid 2>/dev/null |
2540 grep -q -" && error "export on MGS should be empty"
2541 do_nodes $(comma_list $(mdts_nodes) $(osts_nodes)) \
2542 "lctl get_param -n *.${FSNAME}*.exports.'$nid'.uuid \
2543 2>/dev/null | grep -q -" &&
2544 error "export on servers should be empty"
2547 export KEEP_ZPOOL="true"
2548 stopall || error "stopall failed"
2549 LOAD_MODULES_REMOTE=true unload_modules ||
2550 error "Failed to unload modules"
2552 # add network $net2 on all nodes
2553 do_rpc_nodes $(comma_list $(all_nodes)) load_modules ||
2554 error "unable to load modules on $(all_nodes)"
2555 for node in $(all_nodes); do
2556 infname=inf_$(echo $node | cut -d'.' -f1 | sed s+-+_+g)
2557 do_node $node "$LNETCTL net add --if ${!infname} --net $net2" ||
2558 error "unable to configure NID on $net2 for node $node"
2561 LOAD_MODULES_REMOTE=true load_modules || error "failed to load modules"
2563 # necessary to do writeconf in order to register
2564 # new @$net2 nid for targets
2565 export SK_MOUNTED=false
2566 writeconf_all || error "writeconf failed"
# Two service nodes, each listed on both networks: addr1 and the derived addr2.
2568 nids="${addr1}@$net,${addr1}@$net2:${addr2}@$net,${addr2}@$net2"
2569 do_facet mds1 "$TUNEFS --servicenode="$nids" $(mdsdevname 1)" ||
2570 error "tunefs failed"
2572 setupall server_only || error "setupall failed"
2573 export KEEP_ZPOOL="$KZPOOL"
2577 stack_trap "MGSNID=$mgsnid_orig" EXIT
2579 # on client, reconfigure LNet and turn LNet Dynamic Discovery off
2580 $LUSTRE_RMMOD || error "$LUSTRE_RMMOD failed (1)"
2581 load_modules || error "Failed to load modules"
2582 $LNETCTL set discovery 0 || error "Failed to disable discovery"
2583 $LNETCTL lnet configure ||
2584 error "unable to configure lnet on client"
2585 infname=inf_$(echo $(hostname -s) | sed s+-+_+g)
2586 $LNETCTL net add --if ${!infname} --net $net2 ||
2587 error "unable to configure NID on $net2 on client (1)"
2589 # mount client with -o network=$net2 option
2590 mount_client $MOUNT ${MOUNT_OPTS},network=$net2 ||
2591 error "unable to remount client"
2593 # check export on MGS
2594 do_facet mgs "lctl get_param *.MGS*.exports.*.export"
2595 do_facet mgs "lctl get_param -n *.MGS*.exports.'$nid'.uuid 2>/dev/null |
2597 [ $? -ne 0 ] || error "export for $nid on MGS should not exist"
2600 "lctl get_param -n *.MGS*.exports.'${addr}@$net2'.uuid \
2601 2>/dev/null | grep -"
2603 error "export for ${addr}@$net2 on MGS should exist"
2605 # check {mdc,osc} imports
2606 lctl get_param mdc.${FSNAME}-*.import | grep current_connection |
2609 error "import for mdc should use ${addr1}@$net2"
2610 lctl get_param osc.${FSNAME}-*.import | grep current_connection |
2613 error "import for osc should use ${addr1}@$net2"
2615 # no NIDs on other networks should be listed
# Negative check: any failover NID on @$net is an error. -w presumably keeps
# @$net from matching the longer @$net2 name (assumes $net is ${NETTYPE}).
2616 lctl get_param mdc.${FSNAME}-*.import | grep failover_nids |
2617 grep -w ".*@$net" &&
2618 error "MDC import shouldn't have failnids at @$net"
2620 # failover NIDs on net999 should be listed
2621 lctl get_param mdc.${FSNAME}-*.import | grep failover_nids |
2622 grep ${addr2}@$net2 ||
2623 error "MDC import should have failnid ${addr2}@$net2"
2626 zconf_umount $HOSTNAME $MOUNT || error "unable to umount client"
2628 # on client, configure LNet and turn LNet Dynamic Discovery on (default)
2629 $LUSTRE_RMMOD || error "$LUSTRE_RMMOD failed (2)"
2630 load_modules || error "Failed to load modules"
2631 $LNETCTL lnet configure ||
2632 error "unable to configure lnet on client"
2633 infname=inf_$(echo $(hostname -s) | sed s+-+_+g)
2634 $LNETCTL net add --if ${!infname} --net $net2 ||
2635 error "unable to configure NID on $net2 on client (2)"
2637 # mount client with -o network=$net2 option:
2638 # should fail because of LNet Dynamic Discovery
2639 mount_client $MOUNT ${MOUNT_OPTS},network=$net2 &&
2640 error "client mount with '-o network' option should be refused"
2644 run_test 31 "client mount option '-o network'"
# Presumably the body of cleanup_32 (test 32 registers that name with
# stack_trap): unmounts the first client, drops the sk rule on the MGS,
# restarts the GSS daemon and rewrites the MGS NIDs in the shared key file.
# NOTE(review): the embedded line numbers skip values; the function header and
# closing keywords are not shown in this listing.
2648 zconf_umount_clients ${clients_arr[0]} $MOUNT
2650 # disable sk flavor enforcement on MGS
2651 set_rule _mgs any any null
2653 # stop gss daemon on MGS
2654 send_sigint $mgs_HOST lsvcgssd
2656 # re-start gss daemon on MDS if necessary
2657 if combined_mgs_mds ; then
2658 start_gss_daemons $mds_HOST $LSVCGSSD "-vvv -s -m -o -z"
# lgss_sk output is discarded (>/dev/null 2>&1); only its exit status reaches
# `|| error`, so the reason for a key-file failure is not in the test log.
2661 # restore MGS NIDs in key on MGS
2662 do_nodes $mgs_HOST "$LGSS_SK -g $MGSNID -m \
2663 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2664 error "could not modify keyfile on MGS (3)"
2666 # load modified key file on MGS
2667 do_nodes $mgs_HOST "$LGSS_SK -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2668 error "could not load keyfile on MGS (3)"
2670 # restore MGS NIDs in key on client
2671 do_nodes ${clients_arr[0]} "$LGSS_SK -g $MGSNID -m \
2672 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2673 error "could not modify keyfile on client (3)"
2676 MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
2679 restore_to_default_flavor
# Body of test 32 ("check for mgssec", per the run_test line at the end).
# With shared-key support it checks which mgssec mount flavors the MGS accepts
# before and after the ska flavor is enforced with set_rule, then repeats the
# mount with an alternate MGS NID placed first in MGSNID.
# NOTE(review): the embedded line numbers skip values; the function header,
# else/fi lines and possibly some statements are not shown in this listing.
2683 local mgsnid2=$(host_nids_address $ost1_HOST $NETTYPE)@${MGSNID#*@}
2684 local mgsorig=$MGSNID
2686 if ! $SHARED_KEY; then
2687 skip "need shared key feature for this test"
2690 stack_trap cleanup_32 EXIT
2692 # restore to default null flavor
2693 save_flvr=$SK_FLAVOR
2695 restore_to_default_flavor || error "cannot set null flavor"
2696 SK_FLAVOR=$save_flvr
# grep -q prints nothing, so `if $(grep -q ...)` tests grep's exit status.
2699 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
2700 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
2702 if $(grep -q $MOUNT' ' /proc/mounts); then
2703 umount_client $MOUNT || error "umount $MOUNT failed"
2706 # kill daemon on MGS to start afresh
2707 send_sigint $mgs_HOST lsvcgssd
2709 # start gss daemon on MGS
2710 if combined_mgs_mds ; then
2711 start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g -m -o -z"
2713 start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g"
# lgss_sk output is discarded below; only the exit status is checked.
2716 # add mgs key type and MGS NIDs in key on MGS
2717 do_nodes $mgs_HOST "$LGSS_SK -t mgs,server -g $MGSNID -m \
2718 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2719 error "could not modify keyfile on MGS (1)"
2721 # load modified key file on MGS
2722 do_nodes $mgs_HOST "$LGSS_SK -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2723 error "could not load keyfile on MGS (1)"
2725 # add MGS NIDs in key on client
2726 do_nodes ${clients_arr[0]} "$LGSS_SK -g $MGSNID -m \
2727 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2728 error "could not modify keyfile on client (1)"
# 0x3f3f3f3f sets every permission bit (view, read, write, search, link,
# setattr) for possessor, user, group and other on each matching key, on all
# nodes. That is a test-bed shortcut; the test does not restore the mask.
2730 # set perms for per-nodemap keys else permission denied
2731 do_nodes $(comma_list $(all_nodes)) \
2732 "keyctl show | grep lustre | cut -c1-11 |
2734 xargs -IX keyctl setperm X 0x3f3f3f3f"
2736 # re-mount client with mgssec=skn
# NOTE(review): the trap string is expanded at registration time; if
# $save_opts contains whitespace (e.g. "-o ...") the restored assignment may
# not round-trip - confirm how stack_trap evaluates it.
2737 save_opts=$MOUNT_OPTS
2738 stack_trap "MOUNT_OPTS=$save_opts" EXIT
2739 if [ -z "$MOUNT_OPTS" ]; then
2740 MOUNT_OPTS="-o mgssec=skn"
2742 MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
2744 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2745 error "mount ${clients_arr[0]} with mgssec=skn failed"
2746 MOUNT_OPTS=$save_opts
2749 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2750 error "umount ${clients_arr[0]} failed"
# From here the ska rule is enforced: a mount without mgssec and a mount with
# mgssec=skn are both expected to be refused; only mgssec=ska must succeed.
2752 # enforce ska flavor on MGS
2753 set_rule _mgs any any ska
2755 # re-mount client without mgssec
2756 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS &&
2757 error "mount ${clients_arr[0]} without mgssec should fail"
2759 # re-mount client with mgssec=skn
2760 save_opts=$MOUNT_OPTS
2761 if [ -z "$MOUNT_OPTS" ]; then
2762 MOUNT_OPTS="-o mgssec=skn"
2764 MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
2766 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS &&
2767 error "mount ${clients_arr[0]} with mgssec=skn should fail"
2768 MOUNT_OPTS=$save_opts
2770 # re-mount client with mgssec=ska
2771 save_opts=$MOUNT_OPTS
2772 if [ -z "$MOUNT_OPTS" ]; then
2773 MOUNT_OPTS="-o mgssec=ska"
2775 MOUNT_OPTS="$MOUNT_OPTS,mgssec=ska"
2777 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2778 error "mount ${clients_arr[0]} with mgssec=ska failed"
# Alternate MGS NID: ost1's address on the MGS network, placed before the
# original NID; the key files are updated with the ':' separators turned
# into ','.
2780 MGSNID=$mgsnid2:$mgsorig
2781 stack_trap "MGSNID=$mgsorig" EXIT
2784 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2785 error "umount ${clients_arr[0]} failed"
2787 # add MGS NIDs in key on MGS
2788 do_nodes $mgs_HOST "$LGSS_SK -g ${MGSNID//:/,} -m \
2789 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2790 error "could not modify keyfile on MGS (2)"
2792 # load modified key file on MGS
2793 do_nodes $mgs_HOST "$LGSS_SK -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2794 error "could not load keyfile on MGS (2)"
2796 # add MGS NIDs in key on client
2797 do_nodes ${clients_arr[0]} "$LGSS_SK -g ${MGSNID//:/,} -m \
2798 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2799 error "could not modify keyfile on client (2)"
2801 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2802 error "mount ${clients_arr[0]} with alternate mgsnid failed"
2804 run_test 32 "check for mgssec"
# Presumably the body of cleanup_33 (test 33 registers that name with
# stack_trap): removes the ska rule for cli2mdt, waits for the null flavor,
# unmounts the first client and restarts the GSS daemon.
# NOTE(review): the embedded line numbers skip values; the function header and
# closing keywords are not shown in this listing.
2807 # disable sk flavor enforcement
2808 set_rule $FSNAME any cli2mdt null
2809 wait_flavor cli2mdt null
2812 zconf_umount_clients ${clients_arr[0]} $MOUNT
2814 # stop gss daemon on MGS
2815 send_sigint $mgs_HOST lsvcgssd
2817 # re-start gss daemon on MDS if necessary
2818 if combined_mgs_mds ; then
2819 start_gss_daemons $mds_HOST $LSVCGSSD "-vvv -s -m -o -z"
2823 MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
2826 restore_to_default_flavor
# Body of test 33 ("correct srpc flags for MGS connection", per the run_test
# line at the end). It mounts a client with mgssec=skn, enforces ska for
# cli2mdt, and fails if the debug log contains "faked source".
# NOTE(review): the embedded line numbers skip values; the function header,
# else/fi lines and possibly some statements are not shown in this listing.
2830 if ! $SHARED_KEY; then
2831 skip "need shared key feature for this test"
2834 stack_trap cleanup_33 EXIT
2836 # restore to default null flavor
2837 save_flvr=$SK_FLAVOR
2839 restore_to_default_flavor || error "cannot set null flavor"
2840 SK_FLAVOR=$save_flvr
# grep -q prints nothing, so `if $(grep -q ...)` tests grep's exit status.
2843 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
2844 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
2846 if $(grep -q $MOUNT' ' /proc/mounts); then
2847 umount_client $MOUNT || error "umount $MOUNT failed"
2850 # kill daemon on MGS to start afresh
2851 send_sigint $mgs_HOST lsvcgssd
2853 # start gss daemon on MGS
2854 if combined_mgs_mds ; then
2855 start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g -m -o -z"
2857 start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g"
# lgss_sk output is discarded below; only the exit status is checked.
2860 # add mgs key type and MGS NIDs in key on MGS
2861 do_nodes $mgs_HOST "$LGSS_SK -t mgs,server -g $MGSNID -m \
2862 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2863 error "could not modify keyfile on MGS"
2865 # load modified key file on MGS
2866 do_nodes $mgs_HOST "$LGSS_SK -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2867 error "could not load keyfile on MGS"
# NOTE(review): this step runs on the client, but its error message says
# "on MGS"; the matching step in test 32 reports "on client".
2869 # add MGS NIDs in key on client
2870 do_nodes ${clients_arr[0]} "$LGSS_SK -g $MGSNID -m \
2871 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2872 error "could not modify keyfile on MGS"
# 0x3f3f3f3f sets every permission bit for possessor, user, group and other
# on each matching key, on all nodes. It is a test-bed shortcut and is not
# restored afterwards.
2874 # set perms for per-nodemap keys else permission denied
2875 do_nodes $(comma_list $(all_nodes)) \
2876 "keyctl show | grep lustre | cut -c1-11 |
2878 xargs -IX keyctl setperm X 0x3f3f3f3f"
2880 # re-mount client with mgssec=skn
2881 save_opts=$MOUNT_OPTS
2882 if [ -z "$MOUNT_OPTS" ]; then
2883 MOUNT_OPTS="-o mgssec=skn"
2885 MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
2887 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2888 error "mount ${clients_arr[0]} with mgssec=skn failed"
2889 MOUNT_OPTS=$save_opts
2891 # enforce ska flavor for cli2mdt
2892 set_rule $FSNAME any cli2mdt ska
2893 wait_flavor cli2mdt ska
# The check is negative: the test fails only if "faked source" is present in
# the local debug log.
2895 # check error message
2896 $LCTL dk | grep "faked source" &&
2897 error "MGS connection srpc flags incorrect"
2901 run_test 33 "correct srpc flags for MGS connection"
# Presumably the body of cleanup_34_deny (registered by test 34): writes the
# saved $denydefault back to deny_unknown on the default nodemap and waits for
# the value to propagate. A failure is reported with error_noexit, i.e.
# without aborting the cleanup.
# NOTE(review): the embedded line numbers skip values; the function header and
# closing keywords are not shown in this listing.
2904 # restore deny_unknown
2905 do_facet mgs $LCTL nodemap_modify --name default \
2906 --property deny_unknown --value $denydefault
2907 if [ $? -ne 0 ]; then
2908 error_noexit "cannot reset deny_unknown on default nodemap"
2912 wait_nm_sync default deny_unknown
# Body of test 34 ("deny_unknown on default nodemap", per the run_test line at
# the end). It activates nodemaps if needed, reads the current deny_unknown
# value of the default nodemap, sets a new value ($denynew, assigned on lines
# not shown here) and verifies that it was applied.
# NOTE(review): the embedded line numbers skip values; the function header,
# else/fi lines and the comparison that completes the check at 2944 are not
# shown in this listing.
2919 [ $MGS_VERSION -lt $(version_code 2.12.51) ] &&
2920 skip "deny_unknown on default nm not supported before 2.12.51"
2922 activedefault=$(do_facet mgs $LCTL get_param -n nodemap.active)
2924 if [[ "$activedefault" != "1" ]]; then
2925 do_facet mgs $LCTL nodemap_activate 1
2927 stack_trap cleanup_active EXIT
# The original value is kept in $denydefault so the cleanup can restore it.
2930 denydefault=$(do_facet mgs $LCTL get_param -n \
2931 nodemap.default.deny_unknown)
2932 [ -z "$denydefault" ] &&
2933 error "cannot get deny_unknown on default nodemap"
2934 if [ "$denydefault" -eq 0 ]; then
2940 do_facet mgs $LCTL nodemap_modify --name default \
2941 --property deny_unknown --value $denynew ||
2942 error "cannot set deny_unknown on default nodemap"
2944 [ "$(do_facet mgs $LCTL get_param -n nodemap.default.deny_unknown)" \
2946 error "setting deny_unknown on default nodemap did not work"
2948 stack_trap cleanup_34_deny EXIT
2950 wait_nm_sync default deny_unknown
2952 run_test 34 "deny_unknown on default nodemap"
# Body of test 35 ("Check permissions when accessing changelogs", per the
# run_test line at the end). Root on an unmapped client must be able to dump
# and clear changelogs; after the client nodemaps c0..c(n-1) get admin=0, the
# same two operations are expected to fail.
# NOTE(review): the embedded line numbers skip values; the function header,
# `done` lines and the nodemap setup call (around 2974) are not shown here.
2955 (( $MDS1_VERSION >= $(version_code 2.13.50) )) ||
2956 skip "Need MDS >= 2.13.50"
2958 # activate changelogs
2959 changelog_register || error "changelog_register failed"
2960 local cl_user="${CL_USERS[$SINGLEMDS]%% *}"
2961 changelog_users $SINGLEMDS | grep -q $cl_user ||
2962 error "User $cl_user not found in changelog_users"
2963 changelog_chmask ALL
2966 mkdir $DIR/$tdir || error "failed to mkdir $tdir"
2967 touch $DIR/$tdir/$tfile || error "failed to touch $tfile"
2969 # access changelogs with root
2970 changelog_dump || error "failed to dump changelogs"
2971 changelog_clear 0 || error "failed to clear changelogs"
2973 # put clients in non-admin nodemap
2975 stack_trap nodemap_test_cleanup EXIT
2976 for i in $(seq 0 $((num_clients-1))); do
2977 do_facet mgs $LCTL nodemap_modify --name c${i} \
2978 --property admin --value 0
2980 for i in $(seq 0 $((num_clients-1))); do
2981 wait_nm_sync c${i} admin_nodemap
# Negative checks: success of either command as mapped (non-admin) root is
# the failure condition.
2984 # access with mapped root
2985 changelog_dump && error "dump changelogs should have failed"
2986 changelog_clear 0 && error "clear changelogs should have failed"
2990 run_test 35 "Check permissions when accessing changelogs"
# Helper statements for the dummy-encryption tests. The embedded line numbers
# skip values here, so the function headers and boundaries are not visible;
# judging by the gaps this spans more than one helper.
#
# Key insertion: the payload is 4 zero bytes (mode), 64 bytes 0x00..0x3f
# (raw) and the value 0x40 as a 32-bit size in host byte order (picked from
# the lscpu "Byte Order" line). It is loaded as a "logon" key named
# fscrypt:4242424242424242 into the session keyring (@s).
# The key material is a fixed, public test pattern: usable for these tests
# only, never as a real encryption key.
2993 local mode='\x00\x00\x00\x00'
2994 local raw="$(printf ""\\\\x%02x"" {0..63})"
2998 [[ $(lscpu) =~ Byte\ Order.*Little ]] && size='\x40\x00\x00\x00' ||
2999 size='\x00\x00\x00\x40'
3000 key="${mode}${raw}${size}"
3001 echo -n -e "${key}" | keyctl padd logon fscrypt:4242424242424242 @s
# Writing 3 to drop_caches frees the page cache plus dentries and inodes, so
# later reads are not served from cached pages.
3006 sync ; echo 3 > /proc/sys/vm/drop_caches
# Key removal: clear the LDLM lock LRU, drop caches, then revoke every key
# whose description (column 7 of `keyctl show`) starts with "fscrypt:".
3013 $LCTL set_param -n ldlm.namespaces.*.lru_size=clear
3014 sync ; echo 3 > /proc/sys/vm/drop_caches
3015 dummy_key=$(keyctl show | awk '$7 ~ "^fscrypt:" {print $1}')
3016 if [ -n "$dummy_key" ]; then
3017 keyctl revoke $dummy_key
3023 # wait for SSK flavor to be applied if necessary
3026 wait_flavor all2all $SK_FLAVOR
3028 wait_flavor cli2mdt $SK_FLAVOR
3029 wait_flavor cli2ost $SK_FLAVOR
# Remount $MOUNT (and $MOUNT2 when MOUNT_2 is set) with the plain
# $MOUNT_OPTS, i.e. without the test_dummy_encryption option.
# NOTE(review): the embedded line numbers skip values; the fi lines, the
# closing brace and the lines numbered 3049-3052 are not shown, so the
# function may do more than what is visible here.
3034 remount_client_normally() {
3035 # remount client without dummy encryption key
3036 if is_mounted $MOUNT; then
3037 umount_client $MOUNT || error "umount $MOUNT failed"
3039 mount_client $MOUNT ${MOUNT_OPTS} ||
3040 error "remount failed"
3042 if is_mounted $MOUNT2; then
3043 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
3045 if [ "$MOUNT_2" ]; then
3046 mount_client $MOUNT2 ${MOUNT_OPTS} ||
3047 error "remount failed"
# Remount $MOUNT with the test_dummy_encryption option appended to
# $MOUNT_OPTS.
# NOTE(review): the embedded line numbers skip values (3055-3056 and
# 3063-3065); statements before and after the visible ones may be missing
# from this listing.
3054 remount_client_dummykey() {
3057 # remount client with dummy encryption key
3058 if is_mounted $MOUNT; then
3059 umount_client $MOUNT || error "umount $MOUNT failed"
3061 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
3062 error "remount failed"
# Prepare a client for the encryption tests: remount $MOUNT with the
# test_dummy_encryption option.
# NOTE(review): the embedded line numbers skip values (3074-3076 and
# 3078-3080); the statement that creates the directory mentioned in the last
# comment is not shown in this listing.
3067 setup_for_enc_tests() {
3068 # remount client with test_dummy_encryption option
3069 if is_mounted $MOUNT; then
3070 umount_client $MOUNT || error "umount $MOUNT failed"
3072 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
3073 error "mount with '-o test_dummy_encryption' failed"
3077 # this directory will be encrypted, because of dummy mode
# Cleanup used by the encryption tests (registered with stack_trap): removes
# the test directory plus any extra paths given as arguments, then remounts
# the client without the dummy encryption option.
# NOTE(review): the rm arguments are unquoted and unguarded; if DIR and tdir
# were both empty the first argument would expand to "/". A guard such as
# "${DIR:?}/${tdir:?}" would make that case fail fast.
3081 cleanup_for_enc_tests() {
3082 rm -rf $DIR/$tdir $*
3084 remount_client_normally
# Cleanup after the nodemap/encryption tests: resets forbid_encryption,
# readonly_mount (each only when the MGS version supports it), trusted and
# admin to 0 on the default nodemap, deactivates nodemaps, waits for each
# setting to show as inactive, and remounts the client.
# NOTE(review): the embedded line numbers skip values; the fi lines and the
# closing brace are not shown in this listing.
3087 cleanup_nodemap_after_enc_tests() {
# Best effort: the client may already be unmounted at this point.
3088 umount_client $MOUNT || true
3090 if (( MGS_VERSION >= $(version_code 2.13.55) )); then
3091 do_facet mgs $LCTL nodemap_modify --name default \
3092 --property forbid_encryption --value 0
3093 if (( MGS_VERSION >= $(version_code 2.15.51) )); then
3094 do_facet mgs $LCTL nodemap_modify --name default \
3095 --property readonly_mount --value 0
3098 do_facet mgs $LCTL nodemap_modify --name default \
3099 --property trusted --value 0
3100 do_facet mgs $LCTL nodemap_modify --name default \
3101 --property admin --value 0
3102 do_facet mgs $LCTL nodemap_activate 0
3104 if (( MGS_VERSION >= $(version_code 2.13.55) )); then
3105 wait_nm_sync default forbid_encryption '' inactive
3106 if (( MGS_VERSION >= $(version_code 2.15.51) )); then
3107 wait_nm_sync default readonly_mount '' inactive
3110 wait_nm_sync default trusted_nodemap '' inactive
3111 wait_nm_sync default admin_nodemap '' inactive
3114 mount_client $MOUNT ${MOUNT_OPTS} || error "re-mount failed"
# Body of test 36 ("control if clients can use encryption", per the run_test
# line at the end). A mount with test_dummy_encryption must work with nodemaps
# inactive and with the default forbid_encryption=0, and must be refused once
# forbid_encryption is set to 1 on the default nodemap.
# NOTE(review): the embedded line numbers skip values; the function header and
# some statements (e.g. 3129-3130) are not shown in this listing.
3119 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3120 skip "client encryption not supported"
3122 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3123 skip "need dummy encryption support"
3125 stack_trap cleanup_for_enc_tests EXIT
3127 # first make sure it is possible to enable encryption
3128 # when nodemap is not active
3131 umount_client $MOUNT || error "umount $MOUNT failed (1)"
3133 # then activate nodemap, and retry
3134 # should succeed as encryption is not forbidden on default nodemap
3136 stack_trap cleanup_nodemap_after_enc_tests EXIT
3137 do_facet mgs $LCTL nodemap_activate 1
# An empty $forbid makes the unquoted test below fail as well, which also
# ends in the error path.
3139 forbid=$(do_facet mgs lctl get_param -n nodemap.default.forbid_encryption)
3140 [ $forbid -eq 0 ] || error "wrong default value for forbid_encryption"
3141 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
3142 error "mount '-o test_dummy_encryption' failed with default"
3143 umount_client $MOUNT || error "umount $MOUNT failed (2)"
3145 # then forbid encryption, and retry
3146 do_facet mgs $LCTL nodemap_modify --name default \
3147 --property forbid_encryption --value 1
3148 wait_nm_sync default forbid_encryption
# Negative check: a successful mount here means the policy was not enforced.
3149 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption &&
3150 error "mount '-o test_dummy_encryption' should have failed"
3153 run_test 36 "control if clients can use encryption"
# Body of test 37 ("simple encrypted file", per the run_test line at the end).
# It writes 4 bytes to an encrypted file, dumps the backing object on ost1
# with debugfs (ldiskfs only) and checks that the on-disk content differs from
# the plaintext, then checks the file reads back correctly from memory and
# from the server.
# NOTE(review): the embedded line numbers skip values; the function header,
# else/fi lines and the assignment of $oid are not shown in this listing.
# NOTE(review): $TMP/abc and $TMP/objdump are fixed names in a shared
# directory; mktemp would avoid collisions with other users of $TMP.
3156 local testfile=$DIR/$tdir/$tfile
3157 local tmpfile=$TMP/abc
3158 local objdump=$TMP/objdump
3160 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3161 skip "client encryption not supported"
3163 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3164 skip "need dummy encryption support"
3166 [ "$ost1_FSTYPE" = ldiskfs ] || skip "ldiskfs only test (using debugfs)"
3168 stack_trap cleanup_for_enc_tests EXIT
3171 # write a few bytes in file
3172 echo "abc" > $tmpfile
3173 $LFS setstripe -c1 -i0 $testfile
3174 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync
3175 do_facet ost1 "sync; sync"
3177 # check that content on ost is encrypted
3178 local fid=($($LFS getstripe $testfile | grep 0x))
3179 local seq=${fid[3]#0x}
3183 if [ $seq == 0 ]; then
3186 oid_hex=${fid[2]#0x}
# NOTE(review): the ciphertext check is "dump differs from plaintext". An
# empty dump (debugfs failed, wrong object path) also differs, so the check
# would pass without comparing real data; asserting that $objdump is
# non-empty first would close that gap.
3188 do_facet ost1 "$DEBUGFS -c -R 'cat O/$seq/d$(($oid % 32))/$oid_hex' \
3189 $(ostdevname 1)" > $objdump
3190 cmp -s $objdump $tmpfile &&
3191 error "file $testfile is not encrypted on ost"
3193 # check that in-memory representation of file is correct
3194 cmp -bl ${tmpfile} ${testfile} ||
3195 error "file $testfile is corrupted in memory"
# Dropping the client locks forces the next read to come from the servers.
3197 cancel_lru_locks osc ; cancel_lru_locks mdc
3199 # check that file read from server is correct
3200 cmp -bl ${tmpfile} ${testfile} ||
3201 error "file $testfile is corrupted on server"
3203 rm -f $tmpfile $objdump
3205 run_test 37 "simple encrypted file"
# Body of test 38 ("encrypted file with hole", per the run_test line at the
# end). It writes 4 bytes at offset $blksz (the OST grant block size) and
# checks that the allocated size, both in memory and after re-reading from the
# server, does not exceed max(blksz, page size), i.e. the hole before the data
# was not filled in.
# NOTE(review): the embedded line numbers skip values; the function header and
# some declarations are not shown in this listing.
3208 local testfile=$DIR/$tdir/$tfile
3209 local tmpfile=$TMP/abc
3213 local pagesz=$(getconf PAGE_SIZE)
3215 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3216 skip "client encryption not supported"
3218 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3219 skip "need dummy encryption support"
3221 stack_trap cleanup_for_enc_tests EXIT
3224 # get block size on ost
3225 blksz=$($LCTL get_param osc.$FSNAME*.import |
3226 awk '/grant_block_size:/ { print $2; exit; }')
3227 # write a few bytes in file at offset $blksz
3228 echo "abc" > $tmpfile
3229 $LFS setstripe -c1 -i0 $testfile
3230 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$blksz \
3231 oflag=seek_bytes conv=fsync
# Allowed allocation is the larger of the OST block size and the page size.
3233 blksz=$(($blksz > $pagesz ? $blksz : $pagesz))
3234 # check that in-memory representation of file is correct
# Allocated bytes = %b (blocks allocated) * %B (bytes per reported block).
3235 bsize=$(stat --format=%B $testfile)
3236 filesz=$(stat --format=%b $testfile)
3237 filesz=$((filesz*bsize))
3238 [ $filesz -le $blksz ] ||
3239 error "file $testfile is $filesz long in memory"
3241 cancel_lru_locks osc ; cancel_lru_locks mdc
3243 # check that file read from server is correct
3244 bsize=$(stat --format=%B $testfile)
3245 filesz=$(stat --format=%b $testfile)
3246 filesz=$((filesz*bsize))
3247 [ $filesz -le $blksz ] ||
3248 error "file $testfile is $filesz long on server"
3252 run_test 38 "encrypted file with hole"
# Body of test 39 ("rewrite data in already encrypted page", per the run_test
# line at the end). It writes 4 bytes at offset 0, then 4 more at offset 1024,
# mirrors the second write into the plaintext reference file, and compares the
# two files from memory and again after dropping the client locks.
# NOTE(review): the embedded line numbers skip values; the function header and
# the continuation lines of the two dd commands at 3273/3276 are not shown in
# this listing.
3255 local testfile=$DIR/$tdir/$tfile
3256 local tmpfile=$TMP/abc
3258 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3259 skip "client encryption not supported"
3261 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3262 skip "need dummy encryption support"
3264 stack_trap cleanup_for_enc_tests EXIT
3267 # write a few bytes in file
3268 echo "abc" > $tmpfile
3269 $LFS setstripe -c1 -i0 $testfile
3270 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync
3272 # write a few more bytes in the same page
3273 dd if=$tmpfile of=$testfile bs=4 count=1 seek=1024 oflag=seek_bytes \
3276 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=1024 oflag=seek_bytes \
3279 # check that in-memory representation of file is correct
3280 cmp -bl $tmpfile $testfile ||
3281 error "file $testfile is corrupted in memory"
3283 cancel_lru_locks osc ; cancel_lru_locks mdc
3285 # check that file read from server is correct
3286 cmp -bl $tmpfile $testfile ||
3287 error "file $testfile is corrupted on server"
3291 run_test 39 "rewrite data in already encrypted page"
# Body of test 40 ("exercise size of encrypted file", per the run_test line at
# the end). Five write patterns (same page, end then start of the first page,
# start of the second page then end of the first, two stripes) are each
# compared against a plaintext reference from memory and from the server.
# Finally the client is remounted without the key and the file size seen
# there must equal the clear-text size rounded up to UNIT_SIZE (1 << 12).
# NOTE(review): the embedded line numbers skip values; the function header,
# the continuation lines of several dd commands and at least one assignment
# (3386) are not shown in this listing.
3294 local testfile=$DIR/$tdir/$tfile
3295 local tmpfile=$TMP/abc
3296 local tmpfile2=$TMP/abc2
3299 #define LUSTRE_ENCRYPTION_UNIT_SIZE (1 << 12)
3300 local UNIT_SIZE=$((1 << 12))
3303 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3304 skip "client encryption not supported"
3306 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3307 skip "need dummy encryption support"
3309 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
3311 stack_trap cleanup_for_enc_tests EXIT
3314 # write a few bytes in file
3315 echo "abc" > $tmpfile
3316 $LFS setstripe -c1 -i0 $testfile
3317 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync
3319 # check that in-memory representation of file is correct
3320 cmp -bl $tmpfile $testfile ||
3321 error "file $testfile is corrupted in memory (1)"
3323 cancel_lru_locks osc ; cancel_lru_locks mdc
3325 # check that file read from server is correct
3326 cmp -bl $tmpfile $testfile ||
3327 error "file $testfile is corrupted on server (1)"
3329 # write a few other bytes in same page
3330 dd if=$tmpfile of=$testfile bs=4 count=1 seek=256 oflag=seek_bytes \
3333 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=256 oflag=seek_bytes \
3336 # check that in-memory representation of file is correct
3337 cmp -bl $tmpfile $testfile ||
3338 error "file $testfile is corrupted in memory (2)"
3340 cancel_lru_locks osc ; cancel_lru_locks mdc
3342 # check that file read from server is correct
3343 cmp -bl $tmpfile $testfile ||
3344 error "file $testfile is corrupted on server (2)"
3346 rm -f $testfile $tmpfile
3347 cancel_lru_locks osc ; cancel_lru_locks mdc
3349 # write a few bytes in file, at end of first page
3350 echo "abc" > $tmpfile
3351 $LFS setstripe -c1 -i0 $testfile
3352 seek=$(getconf PAGESIZE)
3354 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3357 # write a few other bytes at beginning of first page
3358 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync,notrunc
3360 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3363 # check that in-memory representation of file is correct
3364 cmp -bl $tmpfile $testfile ||
3365 error "file $testfile is corrupted in memory (3)"
3367 cancel_lru_locks osc ; cancel_lru_locks mdc
3369 # check that file read from server is correct
3370 cmp -bl $tmpfile $testfile ||
3371 error "file $testfile is corrupted on server (3)"
3373 rm -f $testfile $tmpfile
3374 cancel_lru_locks osc ; cancel_lru_locks mdc
3376 # write a few bytes in file, at beginning of second page
3377 echo "abc" > $tmpfile
3378 $LFS setstripe -c1 -i0 $testfile
3379 seek=$(getconf PAGESIZE)
3380 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3382 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3385 # write a few other bytes at end of first page
3387 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3389 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3392 # check that in-memory representation of file is correct
3393 cmp -bl $tmpfile2 $testfile ||
3394 error "file $testfile is corrupted in memory (4)"
3396 cancel_lru_locks osc ; cancel_lru_locks mdc
3398 # check that file read from server is correct
3399 cmp -bl $tmpfile2 $testfile ||
3400 error "file $testfile is corrupted on server (4)"
3402 rm -f $testfile $tmpfile $tmpfile2
3403 cancel_lru_locks osc ; cancel_lru_locks mdc
3405 # write a few bytes in file, at beginning of first stripe
3406 echo "abc" > $tmpfile
3407 $LFS setstripe -S 256k -c2 $testfile
3408 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync,notrunc
3410 # write a few other bytes, at beginning of second stripe
3411 dd if=$tmpfile of=$testfile bs=4 count=1 seek=262144 oflag=seek_bytes \
3413 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=262144 oflag=seek_bytes \
3416 # check that in-memory representation of file is correct
3417 cmp -bl $tmpfile $testfile ||
3418 error "file $testfile is corrupted in memory (5)"
3420 cancel_lru_locks osc ; cancel_lru_locks mdc
3422 # check that file read from server is correct
3423 cmp -bl $tmpfile $testfile ||
3424 error "file $testfile is corrupted on server (5)"
# Expected size without the key: the clear-text size rounded up to the next
# multiple of UNIT_SIZE.
3426 filesz=$(stat --format=%s $testfile)
3427 filesz=$(((filesz+UNIT_SIZE-1)/UNIT_SIZE * UNIT_SIZE))
3429 # remount without dummy encryption key
3430 remount_client_normally
# Without the key the file is looked up by position, not by name; this
# assumes the test directory holds exactly one regular file.
3432 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
3433 [ $(stat --format=%s $scrambledfile) -eq $filesz ] ||
3434 error "file size without key should be rounded up"
3438 run_test 40 "exercise size of encrypted file"
# Body of test 41 ("test race on encrypted file size (1)", per the run_test
# line at the end). A reference file gets 4 bytes at PAGESIZE-204 and at
# PAGESIZE+1092; the same two writes are issued to the encrypted file while a
# write-attribute delay is injected on ost1, and the result is compared from
# memory and from the server.
# NOTE(review): the embedded line numbers skip values; the function header,
# the continuation lines of several dd commands and the lines after the
# background write (3480) are not shown in this listing.
3441 local testfile=$DIR/$tdir/$tfile
3442 local tmpfile=$TMP/abc
3443 local tmpfile2=$TMP/abc2
3446 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3447 skip "client encryption not supported"
3449 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3450 skip "need dummy encryption support"
3452 stack_trap cleanup_for_enc_tests EXIT
3455 echo "abc" > $tmpfile
3456 seek=$(getconf PAGESIZE)
3457 seek=$((seek - 204))
3458 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3460 seek=$(getconf PAGESIZE)
3461 seek=$((seek + 1092))
3462 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3465 # write a few bytes in file
3466 $LFS setstripe -c1 -i0 -S 256k $testfile
3467 seek=$(getconf PAGESIZE)
3468 seek=$((seek - 204))
# NOTE(review): fail_loc is armed and cleared inline rather than from a trap.
# If the test aborts in between, the fault injection stays set on ost1 -
# confirm that the framework or a cleanup resets it.
3469 #define OBD_FAIL_OST_WR_ATTR_DELAY 0x250
3470 do_facet ost1 "$LCTL set_param fail_loc=0x250 fail_val=15"
3471 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3475 # write a few other bytes, at a different offset
3476 seek=$(getconf PAGESIZE)
3477 seek=$((seek + 1092))
3478 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3479 conv=fsync,notrunc &
3481 do_facet ost1 "$LCTL set_param fail_loc=0x0"
3483 # check that in-memory representation of file is correct
3484 cmp -bl $tmpfile2 $testfile ||
3485 error "file $testfile is corrupted in memory (1)"
3487 cancel_lru_locks osc ; cancel_lru_locks mdc
3489 # check that file read from server is correct
3490 cmp -bl $tmpfile2 $testfile ||
3491 error "file $testfile is corrupted on server (1)"
3493 rm -f $tmpfile $tmpfile2
3495 run_test 41 "test race on encrypted file size (1)"
# Body of test 42 ("test race on encrypted file size (2)", per the run_test
# line at the end). Same idea as test 41, but the two racing writes come from
# two mount points ($DIR and $DIR2), both mounted with test_dummy_encryption,
# on a file that already holds one full page.
# NOTE(review): the embedded line numbers skip values; the function header,
# fi lines, the continuation lines of several dd commands and the lines after
# each background write are not shown in this listing.
3498 local testfile=$DIR/$tdir/$tfile
3499 local testfile2=$DIR2/$tdir/$tfile
3500 local tmpfile=$TMP/abc
3501 local tmpfile2=$TMP/abc2
3502 local pagesz=$(getconf PAGESIZE)
3505 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3506 skip "client encryption not supported"
3508 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3509 skip "need dummy encryption support"
3511 stack_trap cleanup_for_enc_tests EXIT
3514 if is_mounted $MOUNT2; then
3515 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
3517 mount_client $MOUNT2 ${MOUNT_OPTS},test_dummy_encryption ||
3518 error "mount2 with '-o test_dummy_encryption' failed"
3520 # create file by writing one whole page
3521 $LFS setstripe -c1 -i0 -S 256k $testfile
3522 dd if=/dev/zero of=$testfile bs=$pagesz count=1 conv=fsync
3524 # read file from 2nd mount point
3525 cat $testfile2 > /dev/null
3527 echo "abc" > $tmpfile
3528 dd if=/dev/zero of=$tmpfile2 bs=$pagesz count=1 conv=fsync
3529 seek=$((2*pagesz - 204))
3530 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3532 seek=$((2*pagesz + 1092))
3533 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3536 # write a few bytes in file from 1st mount point
3537 seek=$((2*pagesz - 204))
# NOTE(review): fail_loc is armed and cleared inline rather than from a trap.
# If the test aborts in between, the fault injection stays set on ost1 -
# confirm that the framework or a cleanup resets it.
3538 #define OBD_FAIL_OST_WR_ATTR_DELAY 0x250
3539 do_facet ost1 "$LCTL set_param fail_loc=0x250 fail_val=15"
3540 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3541 conv=fsync,notrunc &
3544 # write a few other bytes, at a different offset from 2nd mount point
3545 seek=$((2*pagesz + 1092))
3546 dd if=$tmpfile of=$testfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3547 conv=fsync,notrunc &
3549 do_facet ost1 "$LCTL set_param fail_loc=0x0"
3551 # check that in-memory representation of file is correct
3552 cmp -bl $tmpfile2 $testfile ||
3553 error "file $testfile is corrupted in memory (1)"
3555 # check that in-memory representation of file is correct
3556 cmp -bl $tmpfile2 $testfile2 ||
3557 error "file $testfile is corrupted in memory (2)"
3559 cancel_lru_locks osc ; cancel_lru_locks mdc
3561 # check that file read from server is correct
3562 cmp -bl $tmpfile2 $testfile ||
3563 error "file $testfile is corrupted on server (1)"
3565 rm -f $tmpfile $tmpfile2
3567 run_test 42 "test race on encrypted file size (2)"
# Body of test 43 ("test race on encrypted file size (3)", per the run_test
# line at the end). The file starts as one page of '1' characters. A delayed
# write from the first mount point races with a read of the first page from
# the second mount point, which must still return the original page; after
# the delay is cleared, both mount points and the server copy must show the
# appended bytes.
# NOTE(review): the embedded line numbers skip values; the function header,
# fi lines, one dd continuation line and the lines after the background write
# are not shown in this listing.
3570 local testfile=$DIR/$tdir/$tfile
3571 local testfile2=$DIR2/$tdir/$tfile
3572 local tmpfile=$TMP/abc
3573 local tmpfile2=$TMP/abc2
3574 local resfile=$TMP/res
3575 local pagesz=$(getconf PAGESIZE)
3578 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3579 skip "client encryption not supported"
3581 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3582 skip "need dummy encryption support"
3584 stack_trap cleanup_for_enc_tests EXIT
3587 if is_mounted $MOUNT2; then
3588 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
3590 mount_client $MOUNT2 ${MOUNT_OPTS},test_dummy_encryption ||
3591 error "mount2 with '-o test_dummy_encryption' failed"
# Reference content: $pagesz bytes, every NUL from /dev/zero turned into '1'.
3594 tr '\0' '1' < /dev/zero |
3595 dd of=$tmpfile bs=1 count=$pagesz conv=fsync
3596 $LFS setstripe -c1 -i0 -S 256k $testfile
3597 cp $tmpfile $testfile
3599 # read file from 2nd mount point
3600 cat $testfile2 > /dev/null
3602 # write a few bytes in file from 1st mount point
3603 echo "abc" > $tmpfile2
3604 seek=$((2*pagesz - 204))
# NOTE(review): fail_loc is armed and cleared inline rather than from a trap.
# If the test aborts in between, the fault injection stays set on ost1 -
# confirm that the framework or a cleanup resets it.
3605 #define OBD_FAIL_OST_WR_ATTR_DELAY 0x250
3606 do_facet ost1 "$LCTL set_param fail_loc=0x250 fail_val=15"
3607 dd if=$tmpfile2 of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3608 conv=fsync,notrunc &
3611 # read file from 2nd mount point
3612 dd if=$testfile2 of=$resfile bs=$pagesz count=1 conv=fsync,notrunc
3613 cmp -bl $tmpfile $resfile ||
3614 error "file $testfile is corrupted in memory (1)"
3617 do_facet ost1 "$LCTL set_param fail_loc=0x0"
3619 # check that in-memory representation of file is correct
3620 dd if=$tmpfile2 of=$tmpfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3622 cmp -bl $tmpfile $testfile2 ||
3623 error "file $testfile is corrupted in memory (2)"
3625 cancel_lru_locks osc ; cancel_lru_locks mdc
3627 # check that file read from server is correct
3628 cmp -bl $tmpfile $testfile ||
3629 error "file $testfile is corrupted on server (1)"
3631 rm -f $tmpfile $tmpfile2
3633 run_test 43 "test race on encrypted file size (3)"
# Body of test 44 ("encrypted file access semantics: direct IO").
# NOTE(review): gutter numbers skip lines throughout (3634-3635, 3653-3654,
# 3663-3665, 3710-3711, ...), so the function header, fi/brace lines and some
# short statements are not shown; comments describe the visible lines only.
# NOTE(review): tmpfile and resfile use fixed names under $TMP - confirm that
# $TMP is private to the test run.
3636 local testfile=$DIR/$tdir/$tfile
3637 local tmpfile=$TMP/abc
3638 local resfile=$TMP/resfile
3639 local pagesz=$(getconf PAGESIZE)
# Skip unless the client import reports client_encryption.
3642 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3643 skip "client encryption not supported"
# Skip unless mount.lustre's help text lists test_dummy_encryption.
3645 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3646 skip "need dummy encryption support"
# vmtouch is needed for the "Resident Pages" checks below.
3648 which vmtouch || skip "This test needs vmtouch utility"
3650 # Direct I/O is now supported on encrypted files.
3652 stack_trap cleanup_for_enc_tests EXIT
# Part 1: two random pages written to a single-stripe file with O_DIRECT.
3655 $LFS setstripe -c1 -i0 $testfile
3656 dd if=/dev/urandom of=$tmpfile bs=$pagesz count=2 conv=fsync
3657 dd if=$tmpfile of=$testfile bs=$pagesz count=2 oflag=direct ||
3658 error "could not write to file with O_DIRECT (1)"
# vmtouch must report "0/2" resident pages; per the error message, anything
# else is taken to mean the write went through buffered IO.
3660 respage=$(vmtouch $testfile | awk '/Resident Pages:/ {print $3}')
3661 [ "$respage" == "0/2" ] ||
3662 error "write to enc file fell back to buffered IO"
# Read back with O_DIRECT and repeat the residency check for the read path.
3666 dd if=$testfile of=$resfile bs=$pagesz count=2 iflag=direct ||
3667 error "could not read from file with O_DIRECT (1)"
3669 respage=$(vmtouch $testfile | awk '/Resident Pages:/ {print $3}')
3670 [ "$respage" == "0/2" ] ||
3671 error "read from enc file fell back to buffered IO"
3673 cmp -bl $tmpfile $resfile ||
3674 error "file $testfile is corrupted (1)"
# Part 2: one page written and read with O_DIRECT at block 13 (in units of
# $pagesz), i.e. beyond the current end of the file.
3678 $TRUNCATE $tmpfile $pagesz
3679 dd if=$tmpfile of=$testfile bs=$pagesz count=1 seek=13 oflag=direct ||
3680 error "could not write to file with O_DIRECT (2)"
3684 dd if=$testfile of=$resfile bs=$pagesz count=1 skip=13 iflag=direct ||
3685 error "could not read from file with O_DIRECT (2)"
3686 cmp -bl $tmpfile $resfile ||
3687 error "file $testfile is corrupted (2)"
# Part 3: a file shorter than half a page, written with cp and read back with
# O_DIRECT.
3689 rm -f $testfile $resfile
3690 $LFS setstripe -c1 -i0 $testfile
3692 $TRUNCATE $tmpfile $((pagesz/2 - 5))
3693 cp $tmpfile $testfile
3697 dd if=$testfile of=$resfile bs=$pagesz count=1 iflag=direct ||
3698 error "could not read from file with O_DIRECT (3)"
3699 cmp -bl $tmpfile $resfile ||
3700 error "file $testfile is corrupted (3)"
3702 rm -f $tmpfile $resfile $testfile
# Part 4 (needs at least 2 OSTs): a 2-stripe file with 256k stripes, mixing
# buffered and direct IO on the first page of each stripe.
3704 if [ $OSTCOUNT -ge 2 ]; then
3705 dd if=/dev/urandom of=$tmpfile bs=$pagesz count=1 conv=fsync
3706 $LFS setstripe -S 256k -c2 $testfile
3708 # write in file, at beginning of first stripe, buffered IO
3709 dd if=$tmpfile of=$testfile bs=$pagesz count=1 \
3712 # write at beginning of second stripe, direct IO
3713 dd if=$tmpfile of=$testfile bs=$pagesz count=1 seek=256k \
3714 oflag=seek_bytes,direct conv=fsync,notrunc
3718 # read at beginning of first stripe, direct IO
3719 dd if=$testfile of=$resfile bs=$pagesz count=1 \
3720 iflag=direct conv=fsync
3722 cmp -bl $tmpfile $resfile ||
3723 error "file $testfile is corrupted (4)"
3725 # read at beginning of second stripe, buffered IO
3726 dd if=$testfile of=$resfile bs=$pagesz count=1 skip=256k \
3727 iflag=skip_bytes conv=fsync
3729 cmp -bl $tmpfile $resfile ||
3730 error "file $testfile is corrupted (5)"
3732 rm -f $tmpfile $resfile
3735 run_test 44 "encrypted file access semantics: direct IO"
# Body of test 45 ("encrypted file access semantics: MMAP").
# NOTE(review): gutter numbers skip lines (3736-3737, 3748-3749, 3758-3760,
# ...), so the function header and some statements are not shown; presumably
# the encrypted test directory is set up on one of them - confirm.
3738 local testfile=$DIR/$tdir/$tfile
3739 local tmpfile=$TMP/junk
# Skip unless the client import reports client_encryption.
3741 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3742 skip "client encryption not supported"
# Skip unless mount.lustre's help text lists test_dummy_encryption.
3744 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3745 skip "need dummy encryption support"
3747 stack_trap cleanup_for_enc_tests EXIT
# 512K of zeroes in the Lustre file, then two $MULTIOP runs on it. The op
# strings (OSMRUc / OSMWUc) are interpreted by the multiop helper, which is
# not part of this listing.
3750 $LFS setstripe -c1 -i0 $testfile
3751 dd if=/dev/zero of=$testfile bs=512K count=1
3752 $MULTIOP $testfile OSMRUc || error "$MULTIOP $testfile failed (1)"
3753 $MULTIOP $testfile OSMWUc || error "$MULTIOP $testfile failed (2)"
# The same write sequence on a plain file under $TMP yields the reference
# output ${tmpfile}2.
3755 dd if=/dev/zero of=$tmpfile bs=512K count=1
3756 $MULTIOP $tmpfile OSMWUc || error "$MULTIOP $tmpfile failed"
3757 $MMAP_CAT $tmpfile > ${tmpfile}2
# $MMAP_CAT output for the Lustre file must be identical to the reference.
3761 $MULTIOP $testfile OSMRUc
3762 $MMAP_CAT $testfile > ${testfile}2
3763 cmp -bl ${tmpfile}2 ${testfile}2 ||
3764 error "file $testfile is corrupted"
3766 rm -f $tmpfile ${tmpfile}2
3768 run_test 45 "encrypted file access semantics: MMAP"
# Body of test 46 ("encrypted file access semantics without key").
# The visible checks expect that, once the client is remounted without the
# dummy encryption key, metadata operations (stat, ls, rm, rmdir) still work
# while reading file content and creating new entries fail.
# NOTE(review): gutter numbers skip lines (3769-3770, 3781-3784, 3792-3793,
# 3800-3802, ...), so the function header, fi/else lines and some statements
# (presumably including the mkdir calls) are not shown.
3771 local testdir=$DIR/$tdir/mydir
3772 local testfile=$testdir/myfile
3773 local testdir2=$DIR/$tdir/mydirwithaveryverylongnametotestcodebehaviour0
3774 local testfile2=$testdir/myfilewithaveryverylongnametotestcodebehaviour0
3775 # testdir3, testfile3, testhl3 and testsl3 names are 255 bytes long
3776 local testdir3=$testdir2/dir_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz012345678
3777 local testfile3=$testdir2/file_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz01234567
3778 local testhl3=$testdir2/hl_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789
3779 local testsl3=$testdir2/sl_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789
3780 local lsfile=$TMP/lsfile
# Skip unless the client import reports client_encryption.
3785 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3786 skip "client encryption not supported"
# Skip unless mount.lustre's help text lists test_dummy_encryption.
3788 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3789 skip "need dummy encryption support"
3791 stack_trap cleanup_for_enc_tests EXIT
# Populate the test directory while the key is available.
3794 touch $DIR/$tdir/$tfile
3796 echo test > $testfile
3797 echo othertest > $testfile2
3798 if [[ $MDSCOUNT -gt 1 ]]; then
3799 $LFS setdirstripe -c1 -i1 $testdir2
# Remember testdir2's inode number: after the remount the directory is looked
# up with find -inum instead of by name.
3803 inum=$(stat -c %i $testdir2)
3804 if [ "$mds1_FSTYPE" = ldiskfs ]; then
3805 # For now, restrict this part of the test to ldiskfs backend,
3806 # as osd-zfs does not support 255 byte-long encrypted names.
3807 mkdir $testdir3 || error "cannot mkdir $testdir3"
3808 touch $testfile3 || error "cannot touch $testfile3"
3809 ln $testfile3 $testhl3 || error "cannot ln $testhl3"
3810 ln -s $testfile3 $testsl3 || error "cannot ln $testsl3"
# Flush dirty data and drop the page/dentry/inode caches before remounting.
3812 sync ; echo 3 > /proc/sys/vm/drop_caches
3814 # remount without dummy encryption key
3815 remount_client_normally
# Without the key: the directory found by inode number can be stat'ed, and
# (ldiskfs only) its entries can be stat'ed and removed.
# NOTE(review): $scrambleddir is unquoted, so an empty find result would make
# the rm -rf glob below expand from "/". Only the stat checks stand in the way,
# and only if error() aborts the test (it is defined outside this listing);
# "${scrambleddir:?}" would make that guard explicit.
3818 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -inum $inum)
3819 stat $scrambleddir || error "stat $scrambleddir failed"
3820 if [ "$mds1_FSTYPE" = ldiskfs ]; then
3821 stat $scrambleddir/* || error "cannot stat in $scrambleddir"
3822 rm -rf $scrambleddir/* || error "cannot clean in $scrambleddir"
3824 rmdir $scrambleddir || error "rmdir $scrambleddir failed"
# The remaining directory is listed; its first entry can be stat'ed and
# removed, but reading it with cat must fail.
3826 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
3827 ls -1 $scrambleddir > $lsfile || error "ls $testdir failed (1)"
3829 scrambledfile=$scrambleddir/$(head -n 1 $lsfile)
3830 stat $scrambledfile || error "stat $scrambledfile failed (1)"
3833 cat $scrambledfile && error "cat $scrambledfile should have failed (1)"
3834 rm -f $scrambledfile || error "rm $scrambledfile failed (1)"
3836 ls -1 $scrambleddir > $lsfile || error "ls $testdir failed (2)"
3837 scrambledfile=$scrambleddir/$(head -n 1 $lsfile)
3838 stat $scrambledfile || error "stat $scrambledfile failed (2)"
3840 cat $scrambledfile && error "cat $scrambledfile should have failed (2)"
# Creating a file or directory inside the encrypted directory must fail
# without the key, and must not leave an entry behind.
3842 touch $scrambleddir/otherfile &&
3843 error "touch otherfile should have failed"
3844 ls $scrambleddir/otherfile && error "otherfile should not exist"
3845 mkdir $scrambleddir/otherdir &&
3846 error "mkdir otherdir should have failed"
3847 ls -d $scrambleddir/otherdir && error "otherdir should not exist"
3850 rm -f $scrambledfile || error "rm $scrambledfile failed (2)"
3851 rmdir $scrambleddir || error "rmdir $scrambleddir failed"
3854 run_test 46 "encrypted file access semantics without key"
# Body of test 47 ("encrypted file access semantics: rename/link").
# $tmpfile lives directly under $DIR, outside $DIR/$tdir; the error messages
# below treat it as the unencrypted side and $DIR/$tdir as the encrypted one.
# In those messages "from X to Y" reads as: the new name is created in X and
# refers to an object in Y (compare the ln/ln -s argument order with the text).
# NOTE(review): gutter numbers skip lines (3855-3856, 3860-3863, 3871-3872,
# 3916, 3918-3920, 3966, ...), so the function header, fi/done lines, the
# assignment of $name_enc and the creation of $DIR/onefile are not shown.
3857 local testfile=$DIR/$tdir/$tfile
3858 local testfile2=$DIR/$tdir/${tfile}.2
3859 local tmpfile=$DIR/junk
# Skip unless the client import reports client_encryption.
3864 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3865 skip "client encryption not supported"
# Skip unless mount.lustre's help text lists test_dummy_encryption.
3867 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3868 skip "need dummy encryption support"
# Probe for name_encryption in the connect flags; the right-hand side of the
# || below is on a gutter line that is not shown.
3870 $LCTL get_param mdc.*.connect_flags | grep -q name_encryption ||
3873 stack_trap cleanup_for_enc_tests EXIT
# An unencrypted file may be neither renamed nor hard-linked into the
# encrypted directory; copying it there is allowed.
3876 dd if=/dev/urandom of=$tmpfile bs=512K count=1
3877 mrename $tmpfile $testfile &&
3878 error "rename from unencrypted to encrypted dir should fail"
3880 ln $tmpfile $testfile &&
3881 error "link from encrypted to unencrypted dir should fail"
3883 cp $tmpfile $testfile ||
3884 error "cp from unencrypted to encrypted dir should succeed"
# Rename and hard link inside the encrypted directory must work, and both
# names must read and write the same content.
3887 mrename $testfile $testfile2 ||
3888 error "rename from within encrypted dir should succeed"
3890 ln $testfile2 $testfile ||
3891 error "link from within encrypted dir should succeed"
3892 cmp -bl $testfile2 $testfile ||
3893 error "cannot read from hard link (1.1)"
3894 echo a >> $testfile || error "cannot write to hard link (1)"
3896 cmp -bl $testfile2 $testfile ||
3897 error "cannot read from hard link (1.2)"
# A hard link placed outside the encrypted directory that refers to the
# encrypted file must work as well.
3900 ln $testfile2 $tmpfile ||
3901 error "link from unencrypted to encrypted dir should succeed"
3903 cmp -bl $testfile2 $tmpfile ||
3904 error "cannot read from hard link (2.1)"
3905 echo a >> $tmpfile || error "cannot write to hard link (2)"
3907 cmp -bl $testfile2 $tmpfile ||
3908 error "cannot read from hard link (2.2)"
# With name encryption, one of the first 159 extra hard links is expected to
# fail: the loop breaks on the first failing ln and $i must then be below 160.
3911 if [ $name_enc -eq 1 ]; then
3912 # check we are limited in the number of hard links
3913 # we can create for encrypted files, to what can fit into LinkEA
3914 for i in $(seq 1 160); do
3915 ln $testfile2 ${testfile}_$i || break
3917 [ $i -lt 160 ] || error "hard link $i should fail"
# An encrypted file may not be renamed out of the encrypted directory.
3921 mrename $testfile2 $tmpfile &&
3922 error "rename from encrypted to unencrypted dir should fail"
3924 dd if=/dev/urandom of=$tmpfile bs=512K count=1
3926 dd if=/dev/urandom of=$testfile bs=512K count=1
3927 mkdir $DIR/$tdir/mydir
# Symlinks created in the encrypted directory: the link must be readable and
# writable through, and its size must equal the length of the target path.
3929 ln -s $testfile ${testfile}.sym ||
3930 error "symlink from within encrypted dir should succeed"
3932 cmp -bl $testfile ${testfile}.sym ||
3933 error "cannot read from sym link (1.1)"
3934 echo a >> ${testfile}.sym || error "cannot write to sym link (1)"
3936 cmp -bl $testfile ${testfile}.sym ||
3937 error "cannot read from sym link (1.2)"
3938 [ $(stat -c %s ${testfile}.sym) -eq ${#testfile} ] ||
3939 error "wrong symlink size (1)"
3941 ln -s $tmpfile ${testfile}.sl ||
3942 error "symlink from encrypted to unencrypted dir should succeed"
3944 cmp -bl $tmpfile ${testfile}.sl ||
3945 error "cannot read from sym link (2.1)"
3946 echo a >> ${testfile}.sl || error "cannot write to sym link (2)"
3948 cmp -bl $tmpfile ${testfile}.sl ||
3949 error "cannot read from sym link (2.2)"
3950 [ $(stat -c %s ${testfile}.sl) -eq ${#tmpfile} ] ||
3951 error "wrong symlink size (2)"
3952 rm -f ${testfile}.sl
# Flush dirty data and drop caches before remounting.
3954 sync ; echo 3 > /proc/sys/vm/drop_caches
3956 # remount without dummy encryption key
3957 remount_client_normally
# Without the key: hard links and renames into or out of the encrypted
# directory must fail; the symlink can still be read with readlink and its
# size must match what readlink returns; new symlinks cannot be created.
# NOTE(review): the three find results are used unquoted and are assumed to
# be exactly one path each.
3959 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
3960 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -type f)
3961 scrambledlink=$(find $DIR/$tdir/ -maxdepth 1 -type l)
3962 ln $scrambledfile $scrambleddir/linkfile &&
3963 error "ln linkfile should have failed"
3964 mrename $scrambledfile $DIR/onefile2 &&
3965 error "mrename from $scrambledfile should have failed"
3967 mrename $DIR/onefile $scrambleddir/otherfile &&
3968 error "mrename to $scrambleddir should have failed"
3969 readlink $scrambledlink ||
3970 error "link should be read without key"
3971 [ $(stat -c %s $scrambledlink) -eq \
3972 $(expr length "$(readlink $scrambledlink)") ] ||
3973 error "wrong symlink size without key"
# With name encryption, resolving the link target (readlink -e) must fail.
3974 if [ $name_enc -eq 1 ]; then
3975 readlink -e $scrambledlink &&
3976 error "link should not point to anywhere useful"
3978 ln -s $scrambledfile ${scrambledfile}.sym &&
3979 error "symlink without key should fail (1)"
3980 ln -s $tmpfile ${scrambledfile}.sl &&
3981 error "symlink without key should fail (2)"
3983 rm -f $tmpfile $DIR/onefile
3985 run_test 47 "encrypted file access semantics: rename/link"
# Body of test 48a ("encrypted file access semantics: truncate").
# Pattern used throughout: the same truncate or write is applied to a plain
# reference file under $TMP and to the Lustre file, the client's osc/mdc locks
# are cancelled, and the two files are compared with cmp.
# NOTE(review): gutter numbers skip lines (3986-3987, 3993-3996, 4021, 4031,
# 4033, 4039, 4047, 4055, ...), so the function header, several "sz=..."
# assignments and the continuation lines of two dd commands are not shown.
# $save is not used on any visible line.
3988 local save="$TMP/$TESTSUITE-$TESTNAME.parameters"
3989 local testfile=$DIR/$tdir/$tfile
3990 local tmpfile=$TMP/111
3991 local tmpfile2=$TMP/abc
3992 local pagesz=$(getconf PAGESIZE)
# Skip unless the client import reports client_encryption.
3997 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3998 skip "client encryption not supported"
# Skip unless mount.lustre's help text lists test_dummy_encryption.
4000 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4001 skip "need dummy encryption support"
4003 stack_trap cleanup_for_enc_tests EXIT
4006 # create file, 4 x PAGE_SIZE long
4007 tr '\0' '1' < /dev/zero |
4008 dd of=$tmpfile bs=1 count=4x$pagesz conv=fsync
4009 $LFS setstripe -c1 -i0 $testfile
4010 cp $tmpfile $testfile
4011 echo "abc" > $tmpfile2
4013 # decrease size: truncate to PAGE_SIZE
4014 $TRUNCATE $tmpfile $pagesz
4015 $TRUNCATE $testfile $pagesz
4016 cancel_lru_locks osc ; cancel_lru_locks mdc
4017 cmp -bl $tmpfile $testfile ||
4018 error "file $testfile is corrupted (1)"
4020 # increase size: truncate to 2 x PAGE_SIZE
4022 $TRUNCATE $tmpfile $sz
4023 $TRUNCATE $testfile $sz
4024 cancel_lru_locks osc ; cancel_lru_locks mdc
4025 cmp -bl $tmpfile $testfile ||
4026 error "file $testfile is corrupted (2)"
# Write the 4 bytes of $tmpfile2 at byte offset pagesz+100 into both files.
4029 seek=$((pagesz+100))
4030 dd if=$tmpfile2 of=$tmpfile bs=4 count=1 seek=$seek oflag=seek_bytes \
4032 dd if=$tmpfile2 of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
4034 cancel_lru_locks osc ; cancel_lru_locks mdc
4035 cmp -bl $tmpfile $testfile ||
4036 error "file $testfile is corrupted (3)"
4038 # truncate to PAGE_SIZE / 2
4040 $TRUNCATE $tmpfile $sz
4041 $TRUNCATE $testfile $sz
4042 cancel_lru_locks osc ; cancel_lru_locks mdc
4043 cmp -bl $tmpfile $testfile ||
4044 error "file $testfile is corrupted (4)"
4046 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16
4048 $TRUNCATE $tmpfile $sz
4049 $TRUNCATE $testfile $sz
4050 cancel_lru_locks osc ; cancel_lru_locks mdc
4051 cmp -bl $tmpfile $testfile ||
4052 error "file $testfile is corrupted (5)"
4054 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16
4056 $TRUNCATE $tmpfile $sz
4057 $TRUNCATE $testfile $sz
4058 cancel_lru_locks osc ; cancel_lru_locks mdc
4059 cmp -bl $tmpfile $testfile ||
4060 error "file $testfile is corrupted (6)"
4062 # truncate to a larger, non-multiple of PAGE_SIZE, in a different page
4063 sz=$((sz+pagesz+30))
4064 $TRUNCATE $tmpfile $sz
4065 $TRUNCATE $testfile $sz
4066 cancel_lru_locks osc ; cancel_lru_locks mdc
4067 cmp -bl $tmpfile $testfile ||
4068 error "file $testfile is corrupted (7)"
# Flush dirty data and drop caches before remounting.
4070 sync ; echo 3 > /proc/sys/vm/drop_caches
4072 # remount without dummy encryption key
4073 remount_client_normally
# Without the key, truncating the encrypted file must be refused.
# NOTE(review): $scrambledfile is unquoted and assumed to be a single path.
4075 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -type f)
4076 $TRUNCATE $scrambledfile 0 &&
4077 error "truncate $scrambledfile should have failed without key"
4079 rm -f $tmpfile $tmpfile2
4081 run_test 48a "encrypted file access semantics: truncate"
# Unmounts and mounts $MOUNT again on the client named by $othercli, using
# zconf_umount / zconf_mount without the test_dummy_encryption option.
# Test 48b registers this with stack_trap and passes the client name as the
# argument.
# NOTE(review): gutter lines 4084-4085 and the closing brace are not shown;
# presumably $othercli is taken from $1 on one of them - confirm.
4083 cleanup_for_enc_tests_othercli() {
4086 # remount othercli normally
4087 zconf_umount $othercli $MOUNT ||
4088 error "umount $othercli $MOUNT failed"
4089 zconf_mount $othercli $MOUNT ||
4090 error "remount $othercli $MOUNT failed"
# Body of test 48b ("encrypted file: concurrent truncate").
# A copy of /bin/sleep is executed from the test directory while a second
# client, mounted with test_dummy_encryption, tries to truncate it; the copy
# must remain identical to /bin/sleep.
# NOTE(review): gutter numbers skip lines (4091-4095, 4106, 4108-4109, 4115,
# ...), so the function header, the else/fi of the client selection and some
# statements are not shown.
# Skip unless the client import reports client_encryption.
4096 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4097 skip "client encryption not supported"
# Skip unless mount.lustre's help text lists test_dummy_encryption.
4099 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4100 skip "need dummy encryption support"
4102 [ "$num_clients" -ge 2 ] || skip "Need at least 2 clients"
# Choose as "other client" whichever of the first two clients is not this host.
4104 if [ "$HOSTNAME" == ${clients_arr[0]} ]; then
4105 othercli=${clients_arr[1]}
4107 othercli=${clients_arr[0]}
# Two exit handlers: the common encryption cleanup, and a normal remount of
# the other client.
4110 stack_trap cleanup_for_enc_tests EXIT
4111 stack_trap "cleanup_for_enc_tests_othercli $othercli" EXIT
4113 zconf_umount $othercli $MOUNT ||
4114 error "umount $othercli $MOUNT failed"
# Start the copied binary in the background after cancelling the osc/mdc locks.
4116 cp /bin/sleep $DIR/$tdir/
4117 cancel_lru_locks osc ; cancel_lru_locks mdc
4118 $DIR/$tdir/sleep 30 &
# The exit status of the do_node call below is not checked on the visible
# lines; the assertion is the cmp that follows the wait.
4119 # mount and IOs must be done in the same shell session, otherwise
4120 # encryption key in session keyring is missing
4121 do_node $othercli "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4122 $MGSNID:/$FSNAME $MOUNT && \
4123 $TRUNCATE $DIR/$tdir/sleep 7"
4124 wait || error "wait error"
4125 cmp --silent /bin/sleep $DIR/$tdir/sleep ||
4126 error "/bin/sleep and $DIR/$tdir/sleep differ"
4128 run_test 48b "encrypted file: concurrent truncate"
# Presumably the body of trace_cmd, the helper test 49 calls (its header is
# not shown: gutter lines 4129-4133, 4135-4138, 4140, 4143 and 4145 are
# missing from this listing, including the else/fi of the if below).
# Visible behaviour: enable "info" debug messages, fail if the preceding
# command (not shown) returned non-zero, then search the debug log dumped by
# "$LCTL dk" and fail if the pattern is found.
# Globals: MATCHING_STRING (read) - when set, its value is used as the grep -E
#          pattern; when empty, the pattern covers both "get xattr
#          'encryption.c'" and "get xattrs".
# NOTE(review): $? after the pipeline is grep's status, so a run in which
# "$LCTL dk" produces no output also passes the final check.
4134 $LCTL set_param debug=+info
4139 [ $? -eq 0 ] || error "$cmd failed"
4141 if [ -z "$MATCHING_STRING" ]; then
4142 $LCTL dk | grep -E "get xattr 'encryption.c'|get xattrs"
4144 $LCTL dk | grep -E "$MATCHING_STRING"
4146 [ $? -ne 0 ] || error "get xattr event was triggered"
# Body of test 49 ("Avoid getxattr for encryption context").
# Each traced operation goes through trace_cmd, which fails the test when the
# debug log shows a matching "get xattr" entry; between operations the caches
# are dropped (sync; echo 3 > drop_caches).
# NOTE(review): gutter numbers skip lines (4147-4149, 4157-4158, 4160-4162,
# 4176, 4190-4191, 4194, 4209, 4211-4212), so the function header, else/fi
# lines and presumably the mkdir calls are not shown.
# Skip unless the client import reports client_encryption.
4150 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4151 skip "client encryption not supported"
# Skip unless mount.lustre's help text lists test_dummy_encryption.
4153 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4154 skip "need dummy encryption support"
4156 stack_trap cleanup_for_enc_tests EXIT
4159 local dirname=$DIR/$tdir/subdir
# First part: operations in a subdirectory of the test directory.
# Note that in "trace_cmd echo a > file" the redirection applies to the whole
# trace_cmd invocation, not only to the echo it runs.
4163 trace_cmd stat $dirname
4164 trace_cmd echo a > $dirname/f1
4165 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4166 trace_cmd stat $dirname/f1
4167 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4168 trace_cmd cat $dirname/f1
4169 dd if=/dev/zero of=$dirname/f1 bs=1M count=10 conv=fsync
4170 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
# For truncate only the 'encryption.c' pattern is checked, so a "get xattrs"
# entry does not fail this step.
4171 MATCHING_STRING="get xattr 'encryption.c'" \
4172 trace_cmd $TRUNCATE $dirname/f1 10240
4173 trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
4174 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4175 trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
# Second part, only with more than one MDT: directory created on MDT index 1,
# migrated to MDT 0, and (on MDS versions above 2.14.54.54) migrated back
# while non-empty, after which the file in it must still contain "b".
4177 if [[ $MDSCOUNT -gt 1 ]]; then
4178 trace_cmd $LFS setdirstripe -i 1 $dirname/d2
4179 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4180 trace_cmd $LFS migrate -m 0 $dirname/d2
4181 echo b > $dirname/d2/subf
4182 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4183 if (( "$MDS1_VERSION" > $(version_code 2.14.54.54) )); then
4184 # migrate a non-empty encrypted dir
4185 trace_cmd $LFS migrate -m 1 $dirname/d2
4186 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4187 [ -f $dirname/d2/subf ] || error "migrate failed (1)"
4188 [ $(cat $dirname/d2/subf) == "b" ] ||
4189 error "migrate failed (2)"
# The first-part sequence is repeated in a subdirectory of a directory placed
# on MDT index 1.
4192 $LFS setdirstripe -i 1 -c 1 $dirname/d3
4193 dirname=$dirname/d3/subdir
4195 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4196 trace_cmd stat $dirname
4197 trace_cmd echo c > $dirname/f1
4198 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4199 trace_cmd stat $dirname/f1
4200 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4201 trace_cmd cat $dirname/f1
4202 dd if=/dev/zero of=$dirname/f1 bs=1M count=10 conv=fsync
4203 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4204 MATCHING_STRING="get xattr 'encryption.c'" \
4205 trace_cmd $TRUNCATE $dirname/f1 10240
4206 trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
4207 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4208 trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
# Presumably the else branch of the MDSCOUNT check (the else line is not shown).
4210 skip_noexit "2nd part needs >= 2 MDTs"
4213 run_test 49 "Avoid getxattr for encryption context"
# Body of test 50 ("DoM encrypted file").
# The file layout puts the first 1M component on the MDT (-E 1M -L mdt) and
# the rest up to EOF in a second component. After every change the file is
# compared with a plain reference copy under $TMP.
# remove_enc_key / insert_enc_key are helpers defined outside this listing;
# judging by the "read from server" comment after their first use, they
# presumably drop and re-add the key so the next read is not served from
# cached data - confirm.
# NOTE(review): gutter numbers skip lines (4214-4215, 4219-4220, 4228-4229,
# 4254, 4262, 4270, 4278, 4292-4293, 4323, 4341, ...), so the function header
# and several "sz=..." assignments are not shown.
4216 local testfile=$DIR/$tdir/$tfile
4217 local tmpfile=$TMP/abc
4218 local pagesz=$(getconf PAGESIZE)
# Skip unless the client import reports client_encryption.
4221 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4222 skip "client encryption not supported"
# Skip unless mount.lustre's help text lists test_dummy_encryption.
4224 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4225 skip "need dummy encryption support"
4227 stack_trap cleanup_for_enc_tests EXIT
4230 # write small file, data on MDT only
4231 tr '\0' '1' < /dev/zero |
4232 dd of=$tmpfile bs=1 count=5000 conv=fsync
4233 $LFS setstripe -E 1M -L mdt -E EOF $testfile
4234 cp $tmpfile $testfile
4236 # check that in-memory representation of file is correct
4237 cmp -bl $tmpfile $testfile ||
4238 error "file $testfile is corrupted in memory"
4240 remove_enc_key ; insert_enc_key
4242 # check that file read from server is correct
4243 cmp -bl $tmpfile $testfile ||
4244 error "file $testfile is corrupted on server"
4246 # decrease size: truncate to PAGE_SIZE
4247 $TRUNCATE $tmpfile $pagesz
4248 $TRUNCATE $testfile $pagesz
4249 remove_enc_key ; insert_enc_key
4250 cmp -bl $tmpfile $testfile ||
4251 error "file $testfile is corrupted (1)"
4253 # increase size: truncate to 2 x PAGE_SIZE
4255 $TRUNCATE $tmpfile $sz
4256 $TRUNCATE $testfile $sz
4257 remove_enc_key ; insert_enc_key
4258 cmp -bl $tmpfile $testfile ||
4259 error "file $testfile is corrupted (2)"
4261 # truncate to PAGE_SIZE / 2
4263 $TRUNCATE $tmpfile $sz
4264 $TRUNCATE $testfile $sz
4265 remove_enc_key ; insert_enc_key
4266 cmp -bl $tmpfile $testfile ||
4267 error "file $testfile is corrupted (3)"
4269 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16
4271 $TRUNCATE $tmpfile $sz
4272 $TRUNCATE $testfile $sz
4273 remove_enc_key ; insert_enc_key
4274 cmp -bl $tmpfile $testfile ||
4275 error "file $testfile is corrupted (4)"
4277 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16
4279 $TRUNCATE $tmpfile $sz
4280 $TRUNCATE $testfile $sz
4281 remove_enc_key ; insert_enc_key
4282 cmp -bl $tmpfile $testfile ||
4283 error "file $testfile is corrupted (5)"
4285 # truncate to a larger, non-multiple of PAGE_SIZE, in a different page
4286 sz=$((sz+pagesz+30))
4287 $TRUNCATE $tmpfile $sz
4288 $TRUNCATE $testfile $sz
4289 remove_enc_key ; insert_enc_key
4290 cmp -bl $tmpfile $testfile ||
4291 error "file $testfile is corrupted (6)"
4294 remove_enc_key ; insert_enc_key
# Second scenario: 1539 bytes of '2' written at byte offset 1539074 of the
# reference file (bs=1, notrunc), i.e. beyond the 1M MDT component; the copy
# is made with --sparse=always.
4296 # write hole in file, data spread on MDT and OST
4297 tr '\0' '2' < /dev/zero |
4298 dd of=$tmpfile bs=1 count=1539 seek=1539074 conv=fsync,notrunc
4299 $LFS setstripe -E 1M -L mdt -E EOF $testfile
4300 cp --sparse=always $tmpfile $testfile
4302 # check that in-memory representation of file is correct
4303 cmp -bl $tmpfile $testfile ||
4304 error "file $testfile is corrupted in memory"
4306 remove_enc_key ; insert_enc_key
4308 # check that file read from server is correct
4309 cmp -bl $tmpfile $testfile ||
4310 error "file $testfile is corrupted on server"
4312 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16,
4313 # inside OST part of data
4314 sz=$((1024*1024+13))
4315 $TRUNCATE $tmpfile $sz
4316 $TRUNCATE $testfile $sz
4317 remove_enc_key ; insert_enc_key
4318 cmp -bl $tmpfile $testfile ||
4319 error "file $testfile is corrupted (7)"
4321 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16,
4322 # inside MDT part of data
4324 $TRUNCATE $tmpfile $sz
4325 $TRUNCATE $testfile $sz
4326 remove_enc_key ; insert_enc_key
4327 cmp -bl $tmpfile $testfile ||
4328 error "file $testfile is corrupted (8)"
4330 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16,
4331 # inside MDT part of data
4332 sz=$((1024*1024-13))
4333 $TRUNCATE $tmpfile $sz
4334 $TRUNCATE $testfile $sz
4335 remove_enc_key ; insert_enc_key
4336 cmp -bl $tmpfile $testfile ||
4337 error "file $testfile is corrupted (9)"
4339 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16,
4340 # inside OST part of data
4342 $TRUNCATE $tmpfile $sz
4343 $TRUNCATE $testfile $sz
4344 remove_enc_key ; insert_enc_key
4345 cmp -bl $tmpfile $testfile ||
4346 error "file $testfile is corrupted (10)"
4350 run_test 50 "DoM encrypted file"
# Body of test 51 ("FS capabilities").
# For each capability the test copies a system binary into the Lustre test
# directory, checks that running it as user $ID0 fails, grants the capability
# to the copy with setcap, and checks that the same command then succeeds.
# NOTE(review): gutter numbers skip lines (4351-4352, 4355, 4359, 4364-4365,
# 4393, 4395-4396, ...), so the function header, fi/done lines and the error
# call after the last cat are not shown.
# NOTE(review): the copies carrying file capabilities stay in $DIR/$tdir on
# the visible lines; confirm that the framework removes the directory.
# NOTE(review): -gt excludes 2.13.53 itself although the skip message says
# "at least 2.13.53".
4353 [ "$MDS1_VERSION" -gt $(version_code 2.13.53) ] ||
4354 skip "Need MDS version at least 2.13.53"
4356 mkdir $DIR/$tdir || error "mkdir $tdir"
4357 local mdts=$(comma_list $(mdts_nodes))
4358 local cap_param=mdt.*.enable_cap_mask
# If the MDTs expose enable_cap_mask, set it to 0xf for the test and restore
# the saved value on exit. old_cap is an array; "$old_cap" is its first
# element.
4360 old_cap=($(do_nodes $mdts $LCTL get_param -n $cap_param 2>/dev/null))
4361 if [[ -n "$old_cap" ]]; then
4362 do_nodes $mdts $LCTL set_param $cap_param=0xf
4363 stack_trap "do_nodes $mdts $LCTL set_param $cap_param=$old_cap"
# CAP_CHOWN: chown by $ID0 fails without the capability, succeeds with it.
4366 touch $DIR/$tdir/$tfile || error "touch $tfile"
4367 cp $(which chown) $DIR/$tdir || error "cp chown"
4368 $RUNAS_CMD -u $ID0 $DIR/$tdir/chown $ID0 $DIR/$tdir/$tfile &&
4369 error "chown $tfile should fail"
4370 setcap 'CAP_CHOWN=ep' $DIR/$tdir/chown || error "setcap CAP_CHOWN"
4371 $RUNAS_CMD -u $ID0 $DIR/$tdir/chown $ID0 $DIR/$tdir/$tfile ||
4372 error "chown $tfile"
4373 rm $DIR/$tdir/$tfile || error "rm $tfile"
# CAP_FOWNER: touch by $ID0 on a file it does not own.
4375 touch $DIR/$tdir/$tfile || error "touch $tfile"
4376 cp $(which touch) $DIR/$tdir || error "cp touch"
4377 $RUNAS_CMD -u $ID0 $DIR/$tdir/touch $DIR/$tdir/$tfile &&
4378 error "touch should fail"
4379 setcap 'CAP_FOWNER=ep' $DIR/$tdir/touch || error "setcap CAP_FOWNER"
4380 $RUNAS_CMD -u $ID0 $DIR/$tdir/touch $DIR/$tdir/$tfile ||
4381 error "touch $tfile"
4382 rm $DIR/$tdir/$tfile || error "rm $tfile"
# CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH: cat by $ID0 on a mode 600 file.
4385 for cap in "CAP_DAC_OVERRIDE" "CAP_DAC_READ_SEARCH"; do
4386 touch $DIR/$tdir/$tfile || error "touch $tfile"
4387 chmod 600 $DIR/$tdir/$tfile || error "chmod $tfile"
4388 cp $(which cat) $DIR/$tdir || error "cp cat"
4389 $RUNAS_CMD -u $ID0 $DIR/$tdir/cat $DIR/$tdir/$tfile &&
4390 error "cat should fail"
4391 setcap $cap=ep $DIR/$tdir/cat || error "setcap $cap"
4392 $RUNAS_CMD -u $ID0 $DIR/$tdir/cat $DIR/$tdir/$tfile ||
4394 rm $DIR/$tdir/$tfile || error "rm $tfile"
4397 run_test 51 "FS capabilities ==============="
# Body of test 52 ("Mirrored encrypted file").
# Covers mirror create/resync/verify/read/write, migrate, mirror extend and
# mirror split on a file in the encrypted test directory, comparing content
# against a plain reference file under $TMP.
# NOTE(review): gutter numbers skip lines (4398-4399, 4414-4415, 4457-4458,
# 4464-4465, 4479-4480, 4508-4509, 4512), so the function header and some
# statements are not shown.
4400 local testfile=$DIR/$tdir/$tfile
4401 local tmpfile=$TMP/$tfile
4402 local mirror1=$TMP/$tfile.mirror1
4403 local mirror2=$TMP/$tfile.mirror2
# Skip unless the client import reports client_encryption.
4405 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4406 skip "client encryption not supported"
# Skip unless mount.lustre's help text lists test_dummy_encryption.
4408 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4409 skip "need dummy encryption support"
4411 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
# The cleanup helper is given the three $TMP files as arguments here.
4413 stack_trap "cleanup_for_enc_tests $tmpfile $mirror1 $mirror2" EXIT
4416 dd if=/dev/urandom of=$tmpfile bs=5000 count=1 conv=fsync
# Two mirrors, on OST index 0 and 1; write, resync, verify, then read each
# mirror separately and compare with the reference data.
4418 $LFS mirror create -N -i0 -N -i1 $testfile ||
4419 error "could not create mirror"
4421 dd if=$tmpfile of=$testfile bs=5000 count=1 conv=fsync ||
4422 error "could not write to $testfile"
4424 $LFS mirror resync $testfile ||
4425 error "could not resync mirror"
4427 $LFS mirror verify -v $testfile ||
4428 error "verify mirror failed"
4430 $LFS mirror read -N 1 -o $mirror1 $testfile ||
4431 error "could not read from mirror 1"
4433 cmp -bl $tmpfile $mirror1 ||
4434 error "mirror 1 is corrupted"
4436 $LFS mirror read -N 2 -o $mirror2 $testfile ||
4437 error "could not read from mirror 2"
4439 cmp -bl $tmpfile $mirror2 ||
4440 error "mirror 2 is corrupted"
# After new data is written to mirror 1 only, verify must report a difference.
4442 tr '\0' '2' < /dev/zero |
4443 dd of=$tmpfile bs=1 count=9000 conv=fsync
4445 $LFS mirror write -N 1 -i $tmpfile $testfile ||
4446 error "could not write to mirror 1"
4448 $LFS mirror verify -v $testfile &&
4449 error "mirrors should be different"
4451 rm -f $testfile $mirror1 $mirror2
# Migrate: single-stripe file on OST 0 moved to OST 1, content unchanged.
4453 $LFS setstripe -c1 -i0 $testfile
4454 dd if=$tmpfile of=$testfile bs=9000 count=1 conv=fsync ||
4455 error "write to $testfile failed"
4456 $LFS getstripe $testfile
4459 $LFS migrate -i1 $testfile ||
4460 error "migrate $testfile failed"
4461 $LFS getstripe $testfile
4462 stripe=$($LFS getstripe -i $testfile)
4463 [ $stripe -eq 1 ] || error "migrate file $testfile failed"
4466 cmp -bl $tmpfile $testfile ||
4467 error "migrated file is corrupted"
# Extend: a second mirror is added on OST 0; mirror 1 stays on OST 1.
4469 $LFS mirror extend -N -i0 $testfile ||
4470 error "mirror extend $testfile failed"
4471 $LFS getstripe $testfile
4472 mirror_count=$($LFS getstripe -N $testfile)
4473 [ $mirror_count -eq 2 ] ||
4474 error "mirror extend file $testfile failed (1)"
4475 stripe=$($LFS getstripe --mirror-id=1 -i $testfile)
4476 [ $stripe -eq 1 ] || error "mirror extend file $testfile failed (2)"
4477 stripe=$($LFS getstripe --mirror-id=2 -i $testfile)
4478 [ $stripe -eq 0 ] || error "mirror extend file $testfile failed (3)"
4481 $LFS mirror verify -v $testfile ||
4482 error "mirror verify failed"
4483 $LFS mirror read -N 1 -o $mirror1 $testfile ||
4484 error "read from mirror 1 failed"
4485 cmp -bl $tmpfile $mirror1 ||
4486 error "corruption of mirror 1"
4487 $LFS mirror read -N 2 -o $mirror2 $testfile ||
4488 error "read from mirror 2 failed"
4489 cmp -bl $tmpfile $mirror2 ||
4490 error "corruption of mirror 2"
# Split: splitting mirror 1 into a new file (-f) or without -d must fail;
# only the split with -d is expected to succeed.
4492 $LFS mirror split --mirror-id 1 -f ${testfile}.mirror $testfile &&
4493 error "mirror split -f should fail"
4495 $LFS mirror split --mirror-id 1 $testfile &&
4496 error "mirror split without -d should fail"
4498 $LFS mirror split --mirror-id 1 -d $testfile ||
4499 error "mirror split failed"
4500 $LFS getstripe $testfile
4501 mirror_count=$($LFS getstripe -N $testfile)
4502 [ $mirror_count -eq 1 ] ||
4503 error "mirror split file $testfile failed (1)"
# NOTE(review): the two messages below repeat the "mirror extend ... (2)/(3)"
# text used in the extend phase, so a failure here is reported with the same
# wording as a failure there.
4504 stripe=$($LFS getstripe --mirror-id=1 -i $testfile)
4505 [ -z "$stripe" ] || error "mirror extend file $testfile failed (2)"
4506 stripe=$($LFS getstripe --mirror-id=2 -i $testfile)
4507 [ $stripe -eq 0 ] || error "mirror extend file $testfile failed (3)"
4510 cmp -bl $tmpfile $testfile ||
4511 error "extended/split file is corrupted"
4513 run_test 52 "Mirrored encrypted file"
# Body of test 53 ("Mixed PAGE_SIZE clients").
# Runs only when this client has 64K pages and the MDS node, used as a second
# client mounted on $MOUNT2 with test_dummy_encryption, has 4K pages. Data
# written by one side is read or truncated by the other and compared.
# NOTE(review): gutter numbers skip lines (4514-4515, 4520-4522, 4543-4544,
# 4562-4563, 4578-4579, ...), so the function header and some statements are
# not shown.
# NOTE(review): md5sum serves here only to compare two copies of test data
# across nodes, not as a security control.
4516 local testfile=$DIR/$tdir/$tfile
4517 local testfile2=$DIR2/$tdir/$tfile
4518 local tmpfile=$TMP/$tfile.tmp
4519 local resfile=$TMP/$tfile.res
# Skip unless the client import reports client_encryption.
4523 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4524 skip "client encryption not supported"
# Skip unless mount.lustre's help text lists test_dummy_encryption.
4526 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4527 skip "need dummy encryption support"
4529 pagesz=$(getconf PAGESIZE)
4530 [[ $pagesz == 65536 ]] || skip "Need 64K PAGE_SIZE client"
4532 do_node $mds1_HOST \
4533 "mount.lustre --help |& grep -q 'test_dummy_encryption:'" ||
4534 skip "need dummy encryption support on MDS client mount"
# From here on $pagesz holds the MDS node's page size (checked to be 4096),
# so the $((pagesz+3)) block sizes below are based on that value.
4536 # this test is probably useless now, but may turn out to be useful when
4537 # Lustre supports servers with PAGE_SIZE != 4KB
4538 pagesz=$(do_node $mds1_HOST getconf PAGESIZE)
4539 [[ $pagesz == 4096 ]] || skip "Need 4K PAGE_SIZE MDS client"
4541 stack_trap cleanup_for_enc_tests EXIT
4542 stack_trap "zconf_umount $mds1_HOST $MOUNT2" EXIT
4545 $LFS setstripe -c1 -i0 $testfile
4547 # write from 1st client
4548 cat /dev/urandom | tr -dc 'a-zA-Z0-9' |
4549 dd of=$tmpfile bs=$((pagesz+3)) count=2 conv=fsync
4550 dd if=$tmpfile of=$testfile bs=$((pagesz+3)) count=2 conv=fsync ||
4551 error "could not write to $testfile (1)"
4553 # read from 2nd client
4554 # mount and IOs must be done in the same shell session, otherwise
4555 # encryption key in session keyring is missing
4556 do_node $mds1_HOST "mkdir -p $MOUNT2"
4557 do_node $mds1_HOST \
4558 "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4559 $MGSNID:/$FSNAME $MOUNT2 && \
4560 dd if=$testfile2 of=$resfile bs=$((pagesz+3)) count=2" ||
4561 error "could not read from $testfile2 (1)"
# Compare the copy read on the MDS node with the local reference by checksum.
4564 filemd5=$(do_node $mds1_HOST md5sum $resfile | awk '{print $1}')
4565 [ $filemd5 = $(md5sum $tmpfile | awk '{print $1}') ] ||
4566 error "file is corrupted (1)"
4567 do_node $mds1_HOST rm -f $resfile
4570 # truncate from 2nd client
4571 $TRUNCATE $tmpfile $((pagesz+3))
4572 zconf_umount $mds1_HOST $MOUNT2 ||
4573 error "umount $mds1_HOST $MOUNT2 failed (1)"
4574 do_node $mds1_HOST "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4575 $MGSNID:/$FSNAME $MOUNT2 && \
4576 $TRUNCATE $testfile2 $((pagesz+3))" ||
4577 error "could not truncate $testfile2 (1)"
4580 cmp -bl $tmpfile $testfile ||
4581 error "file is corrupted (2)"
4582 rm -f $tmpfile $testfile
4584 zconf_umount $mds1_HOST $MOUNT2 ||
4585 error "umount $mds1_HOST $MOUNT2 failed (2)"
# Reverse direction: the reference file is now created on the MDS node.
4588 do_node $mds1_HOST \
4589 dd if=/dev/urandom of=$tmpfile bs=$((pagesz+3)) count=2 conv=fsync
4590 # write from 2nd client
4591 do_node $mds1_HOST \
4592 "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4593 $MGSNID:/$FSNAME $MOUNT2 && \
4594 dd if=$tmpfile of=$testfile2 bs=$((pagesz+3)) count=2 conv=fsync" ||
4595 error "could not write to $testfile2 (2)"
4597 # read from 1st client
4598 dd if=$testfile of=$resfile bs=$((pagesz+3)) count=2 ||
4599 error "could not read from $testfile (2)"
4602 filemd5=$(do_node $mds1_HOST md5sum -b $tmpfile | awk '{print $1}')
4603 [ $filemd5 = $(md5sum -b $resfile | awk '{print $1}') ] ||
4604 error "file is corrupted (3)"
4608 # truncate from 1st client
4609 do_node $mds1_HOST "$TRUNCATE $tmpfile $((pagesz+3))"
4610 $TRUNCATE $testfile $((pagesz+3)) ||
4611 error "could not truncate $testfile (2)"
# Remount on the MDS node and compare there, in the same remote shell session.
4614 zconf_umount $mds1_HOST $MOUNT2 ||
4615 error "umount $mds1_HOST $MOUNT2 failed (3)"
4616 do_node $mds1_HOST "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4617 $MGSNID:/$FSNAME $MOUNT2 && \
4618 cmp -bl $tmpfile $testfile2" ||
4619 error "file is corrupted (4)"
4621 do_node $mds1_HOST rm -f $tmpfile
4624 run_test 53 "Mixed PAGE_SIZE clients"
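# Opening statements of sanity-sec test 54 (registered further down as
# "Encryption policies with fscrypt"): local paths, feature gates, fscrypt
# setup and the first encryption attempts. The function header and several
# short lines are absent from this listing.
4627 local testdir=$DIR/$tdir/$ID0
4628 local testdir2=$DIR2/$tdir/$ID0
4629 local testfile=$testdir/$tfile
4630 local testfile2=$testdir/${tfile}withveryverylongnametoexercisecode
4631 local testfile3=$testdir/_${tfile}
4632 local tmpfile=$TMP/${tfile}.tmp
4633 local resfile=$TMP/${tfile}.res
# Skip unless the client import reports client_encryption, mount.lustre
# documents test_dummy_encryption, and the fscrypt userspace tool is found.
4638 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4639 skip "client encryption not supported"
4641 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4642 skip "need dummy encryption support"
4644 which fscrypt || skip "This test needs fscrypt userspace tool"
# 'yes |' answers fscrypt's prompts so the setup runs unattended.
4646 yes | fscrypt setup --force --verbose ||
4647 error "fscrypt global setup failed"
# Force any quoted numeric policy_version value to "2". The file operand of
# this sed call sits on a line that is missing from the listing.
4648 sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
4650 yes | fscrypt setup --verbose $MOUNT ||
4651 error "fscrypt setup $MOUNT failed"
4653 chown -R $ID0:$ID0 $testdir
# 'mypass' is a throwaway test passphrase, supplied twice on stdin
# (presumably entry plus confirmation) so that no prompt is needed. The
# policy is created as $USER0 through 'su -'.
4655 echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
4656 --source=custom_passphrase --name=protector $testdir" ||
4657 error "fscrypt encrypt failed"
# Negative check: a second 'fscrypt encrypt' on the same directory must fail.
# NOTE(review): any non-zero exit satisfies it, not only the expected refusal.
4659 echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
4660 --source=custom_passphrase --name=protector2 $testdir" &&
4661 error "second fscrypt encrypt should have failed"
4663 mkdir -p ${testdir}2 || error "mkdir ${testdir}2 failed"
# The failure message names the command that actually ran (touch, not mkdir).
4664 touch ${testdir}2/f || error "touch ${testdir}2/f failed"
# Negative check: encrypting a non-empty directory must fail.
4667 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
4668 --source=custom_passphrase --name=protector3 ${testdir}2 &&
4669 error "fscrypt encrypt on non-empty dir should have failed"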
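# Populate the encrypted directory as the unprivileged test user ($RUNAS),
# keep a copy of the first file for the later comparison, then lock the
# directory and check what is still visible.
4671 $RUNAS dd if=/dev/urandom of=$testfile bs=127 count=1 conv=fsync ||
4672 error "write to encrypted file $testfile failed"
4673 cp $testfile $tmpfile
4674 $RUNAS dd if=/dev/urandom of=$testfile2 bs=127 count=1 conv=fsync ||
4675 error "write to encrypted file $testfile2 failed"
4676 $RUNAS dd if=/dev/urandom of=$testfile3 bs=127 count=1 conv=fsync ||
4677 error "write to encrypted file $testfile3 failed"
4678 $RUNAS mkdir $testdir/subdir || error "mkdir subdir failed"
# The failure message names the command that actually ran (touch on subfile).
4679 $RUNAS touch $testdir/subdir/subfile || error "touch subdir/subfile failed"
4681 $RUNAS fscrypt lock --verbose $testdir ||
4682 error "fscrypt lock $testdir failed (1)"
# Listing must still work on the locked directory; four regular files are
# expected (the three files written above plus subdir/subfile).
4684 $RUNAS ls -R $testdir || error "ls -R $testdir failed"
4685 local filecount=$($RUNAS find $testdir -type f | wc -l)
4686 [ $filecount -eq 4 ] || error "found $filecount files"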
# Checks made while the directory is locked, followed by one
# unlock / read / relock round trip. Several lines of this stretch
# (closing keywords and short commands) are missing from the listing.
4688 # check enable_filename_encryption default value
4689 # tunable only available for client built against embedded llcrypt
4690 $LCTL get_param mdc.*.connect_flags | grep -q name_encryption &&
4691 nameenc=$(lctl get_param -n llite.*.enable_filename_encryption |
4693 # If client is built against in-kernel fscrypt, it is not possible
4694 # to decide to encrypt file names or not: they are always encrypted.
4695 if [ -n "$nameenc" ]; then
4696 [ $nameenc -eq 0 ] ||
4697 error "enable_filename_encryption should be 0 by default"
4699 # $testfile, $testfile2 and $testfile3 should exist because
4700 # names are not encrypted
4702 error "$testfile should exist because name not encrypted"
4703 [ -f $testfile2 ] ||
4704 error "$testfile2 should exist because name not encrypted"
4705 [ -f $testfile3 ] ||
4706 error "$testfile3 should exist because name not encrypted"
4708 [ $? -eq 0 ] || error "cannot stat $testfile3 without key"
# Collect the file names as they appear without the key. The unquoted
# expansion relies on those names holding no whitespace or glob characters.
4711 scrambledfiles=( $(find $testdir/ -maxdepth 1 -type f) )
# Negative checks: reading content and creating a file must fail while locked.
# NOTE(review): '&& error' accepts any failure of the command, not only a
# missing-key error, so an unrelated failure would also pass these checks.
4712 $RUNAS hexdump -C ${scrambledfiles[0]} &&
4713 error "reading ${scrambledfiles[0]} should fail without key"
4715 $RUNAS touch ${testfile}.nokey &&
4716 error "touch ${testfile}.nokey should have failed without key"
# Unlock with the test passphrase on stdin, then compare what is read back
# with the copy saved before the directory was locked.
4718 echo mypass | $RUNAS fscrypt unlock --verbose $testdir ||
4719 error "fscrypt unlock $testdir failed (1)"
4721 $RUNAS cat $testfile > $resfile ||
4722 error "reading $testfile failed"
4724 cmp -bl $tmpfile $resfile || error "file read differs from file written"
4726 [ $? -eq 0 ] || error "cannot stat $testfile3 with key"
# Lock again: content of a second entry must be unreadable once more.
4728 $RUNAS fscrypt lock --verbose $testdir ||
4729 error "fscrypt lock $testdir failed (2)"
4731 $RUNAS hexdump -C ${scrambledfiles[1]} &&
4732 error "reading ${scrambledfiles[1]} should fail without key"
# Checks run on the MDS node through do_facet, against the same directory
# seen under $DIR2; no passphrase is supplied there in the visible lines.
# The command that mounts the MDS-side client is on a line missing from the
# listing; only its stack_trap cleanup (umount_mds_client) is shown.
4734 # server local client incompatible with SSK keys installed
4735 if [ "$SHARED_KEY" != true ]; then
4737 stack_trap umount_mds_client EXIT
4738 do_facet $SINGLEMDS touch $DIR2/$tdir/newfile
4739 mdsscrambledfile=$(do_facet $SINGLEMDS find $testdir2/ \
4740 -maxdepth 1 -type f | head -n1)
4741 [ -n "$mdsscrambledfile" ] || error "could not find file"
# Each operation below is expected to fail on the MDS: read, append, create,
# mkdir, symlink, hard link, mv and mrename inside the encrypted directory.
# NOTE(review): '&& error' treats any failure as success of the check; a
# missing binary or a broken mount would pass as well.
4742 do_facet $SINGLEMDS cat "$mdsscrambledfile" &&
4743 error "reading $mdsscrambledfile should fail on MDS"
4744 do_facet $SINGLEMDS "echo aaa >> \"$mdsscrambledfile\"" &&
4745 error "writing $mdsscrambledfile should fail on MDS"
4746 do_facet $SINGLEMDS $MULTIOP $testdir2/fileA m &&
4747 error "creating $testdir2/fileA should fail on MDS"
4748 do_facet $SINGLEMDS mkdir $testdir2/dirA &&
4749 error "mkdir $testdir2/dirA should fail on MDS"
4750 do_facet $SINGLEMDS ln -s $DIR2/$tdir/newfile $testdir2/sl1 &&
4751 error "ln -s $testdir2/sl1 should fail on MDS"
4752 do_facet $SINGLEMDS ln $DIR2/$tdir/newfile $testdir2/hl1 &&
4753 error "ln $testdir2/hl1 should fail on MDS"
4754 do_facet $SINGLEMDS mv "$mdsscrambledfile" $testdir2/fB &&
4755 error "mv $mdsscrambledfile should fail on MDS"
4756 do_facet $SINGLEMDS mrename "$mdsscrambledfile" $testdir2/fB &&
4757 error "mrename $mdsscrambledfile should fail on MDS"
4758 do_facet $SINGLEMDS rm -f $DIR2/$tdir/newfile
# One more unlock/lock cycle on the first client before cleanup.
4761 echo mypass | $RUNAS fscrypt unlock --verbose $testdir ||
4762 error "fscrypt unlock $testdir failed (2)"
4765 $RUNAS fscrypt lock --verbose $testdir ||
4766 error "fscrypt lock $testdir failed (3)"
# NOTE(review): unquoted 'rm -rf' operands; an empty $MOUNT would turn the
# last one into /.fscrypt. A "${MOUNT:?}" style guard would make that fatal.
4768 rm -rf $tmpfile $resfile $testdir ${testdir}2 $MOUNT/.fscrypt
# Second phase of test 54: the client is remounted with FILESET=/$tdir and
# encryption is set up again from inside that subdirectory mount. Some lines
# (closing keywords, parts of multi-line commands) are missing from the listing.
4770 # remount client with subdirectory mount
4771 umount_client $MOUNT || error "umount $MOUNT failed (1)"
4772 export FILESET=/$tdir
4773 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed (1)"
4777 # setup encryption from inside this subdir mount
4778 # the .fscrypt directory is going to be created at the real fs root
4779 yes | fscrypt setup --verbose $MOUNT ||
4780 error "fscrypt setup $MOUNT failed (2)"
4781 testdir=$MOUNT/vault
4783 chown -R $ID0:$ID0 $testdir
# Remember the FID of .fscrypt as seen through this mount; it is compared
# with the FID seen through other mounts later in the test.
4784 fid1=$(path2fid $MOUNT/.fscrypt)
4785 echo "With FILESET $tdir, .fscrypt FID is $fid1"
# NOTE(review): 'set_param -P' is issued on the MGS, i.e. it is not a
# client-local change; the matching reset to 0 is done near the end of the test.
4787 # enable name encryption, only valid if built against embedded llcrypt
4788 if [ -n "$nameenc" ]; then
4789 do_facet mgs $LCTL set_param -P \
4790 llite.*.enable_filename_encryption=1
4792 error "set_param -P \
4793 llite.*.enable_filename_encryption failed"
4795 wait_update_facet --verbose client \
4796 "$LCTL get_param -n llite.*.enable_filename_encryption \
4798 error "enable_filename_encryption not set on client"
4801 # encrypt 'vault' dir inside the subdir mount
4802 echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
4803 --source=custom_passphrase --name=protector $testdir" ||
4804 error "fscrypt encrypt failed"
4808 $RUNAS cp $tmpfile $testdir/encfile
4810 $RUNAS fscrypt lock --verbose $testdir ||
4811 error "fscrypt lock $testdir failed (4)"
4813 # encfile should actually have its name encrypted
4814 if [ -n "$nameenc" ]; then
4815 [ -f $testdir/encfile ] &&
4816 error "encfile name should be encrypted"
4818 filecount=$(find $testdir -type f | wc -l)
4819 [ $filecount -eq 1 ] || error "found $filecount files instead of 1"
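# Third phase of test 54: mount the encrypted directory itself as the
# fileset, then mount the whole filesystem again, and check each time that
# .fscrypt resolves to the same FID and that unlocking works.
4821 # remount client with encrypted dir as subdirectory mount
4822 umount_client $MOUNT || error "umount $MOUNT failed (2)"
4823 export FILESET=/$tdir/vault
4824 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed (2)"
4828 fid2=$(path2fid $MOUNT/.fscrypt)
4829 echo "With FILESET $tdir/vault, .fscrypt FID is $fid2"
4830 [ "$fid1" == "$fid2" ] || error "fid1 $fid1 != fid2 $fid2 (1)"
4832 # all content seen by this mount is encrypted, but .fscrypt is virtually
4833 # presented, letting us call fscrypt lock/unlock
4834 echo mypass | $RUNAS fscrypt unlock --verbose $MOUNT ||
4835 error "fscrypt unlock $MOUNT failed (3)"
# The expected content "abc" is written on a line missing from the listing.
4838 [ $(cat $MOUNT/encfile) == "abc" ] || error "cat encfile failed"
4840 # remount client without subdir mount
4841 umount_client $MOUNT || error "umount $MOUNT failed (3)"
4842 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed (3)"
4845 fid2=$(path2fid $MOUNT/.fscrypt)
4846 echo "Without FILESET, .fscrypt FID is $fid2"
4847 [ "$fid1" == "$fid2" ] || error "fid1 $fid1 != fid2 $fid2 (2)"
4849 # because .fscrypt was actually created at the real root of the fs,
4850 # we can call fscrypt lock/unlock on the encrypted dir
4851 echo mypass | $RUNAS fscrypt unlock --verbose $DIR/$tdir/vault ||
# The message uses $DIR; a doubled '$' would expand to the shell's PID.
4852 error "fscrypt unlock $DIR/$tdir/vault failed (4)"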
# End of test 54: write to the unlocked file, empty and relock the vault,
# put enable_filename_encryption back to 0 and remove the fscrypt metadata.
4855 echo c >> $DIR/$tdir/vault/encfile || error "write to encfile failed"
# NOTE(review): unquoted 'rm -rf' with a glob; if $DIR or $tdir were empty
# this would expand under /vault/. A "${DIR:?}" style guard would prevent it.
4857 rm -rf $DIR/$tdir/vault/*
4858 $RUNAS fscrypt lock --verbose $DIR/$tdir/vault ||
4859 error "fscrypt lock $DIR/$tdir/vault failed (5)"
# NOTE(review): the reset below only runs if the test reaches this point; no
# stack_trap restoring the tunable is visible in this listing - confirm that
# an earlier failure cannot leave file name encryption enabled.
4861 # disable name encryption, only valid if built against embedded llcrypt
4862 if [ -n "$nameenc" ]; then
4863 do_facet mgs $LCTL set_param -P \
4864 llite.*.enable_filename_encryption=0
4866 error "set_param -P \
4867 llite.*.enable_filename_encryption failed"
4869 wait_update_facet --verbose client \
4870 "$LCTL get_param -n llite.*.enable_filename_encryption \
4872 error "enable_filename_encryption not set back to default"
4875 rm -rf $tmpfile $MOUNT/.fscrypt
4877 run_test 54 "Encryption policies with fscrypt"
# Presumably the body of cleanup_55, which test 55 registers with stack_trap
# (the function header is not in this listing). It unmounts the client,
# deletes nodemap c0, sets admin and trusted back to 0 on the default
# nodemap, deactivates nodemaps and remounts the client(s).
4881 if is_mounted $MOUNT; then
4882 umount_client $MOUNT || error "umount $MOUNT failed"
4885 do_facet mgs $LCTL nodemap_del c0
4886 do_facet mgs $LCTL nodemap_modify --name default \
4887 --property admin --value 0
4888 do_facet mgs $LCTL nodemap_modify --name default \
4889 --property trusted --value 0
4890 wait_nm_sync default admin_nodemap
4891 wait_nm_sync default trusted_nodemap
4893 do_facet mgs $LCTL nodemap_activate 0
4894 wait_nm_sync active 0
# NOTE(review): 'if $SHARED_KEY' runs the variable's value as a command, so
# it relies on SHARED_KEY being exactly true or false; an empty value leaves
# an empty command, which succeeds. Test 54 uses [ "$SHARED_KEY" != true ].
4896 if $SHARED_KEY; then
4897 export SK_UNIQUE_NM=false
4901 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed"
4902 if [ "$MOUNT_2" ]; then
4903 mount_client $MOUNT2 ${MOUNT_OPTS} || error "remount failed"
# Statements of sanity-sec test 55 ("access with seteuid"); the function
# header and some short lines are missing from the listing. The test builds
# setgid, mode-770 directories, puts the client into nodemap c0 (admin=0,
# trusted=1) and then runs euid_access as $USER0.
4909 (( $MDS1_VERSION > $(version_code 2.12.6.2) )) ||
4910 skip "Need MDS version at least 2.12.6.3"
# Parent directory: root:$USER0, 770 + setgid. Child: $USER0:$USER0, 770 +
# setgid. Access therefore depends on group membership being honoured.
4915 mkdir -p $DIR/$tdir/$USER0/testdir_groups
4916 chown root:$USER0 $DIR/$tdir/$USER0
4917 chmod 770 $DIR/$tdir/$USER0
4918 chmod g+s $DIR/$tdir/$USER0
4919 chown $USER0:$USER0 $DIR/$tdir/$USER0/testdir_groups
4920 chmod 770 $DIR/$tdir/$USER0/testdir_groups
4921 chmod g+s $DIR/$tdir/$USER0/testdir_groups
4923 # unmount client completely
4924 umount_client $MOUNT || error "umount $MOUNT failed"
4925 if is_mounted $MOUNT2; then
4926 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
# Sets identity_upcall to NONE on every MDT node.
# NOTE(review): no statement restoring identity_upcall is visible in this
# listing (neither here nor in the cleanup lines above) - confirm the
# setting does not leak into later tests.
4929 do_nodes $(comma_list $(all_mdts_nodes)) \
4930 $LCTL set_param mdt.*.identity_upcall=NONE
4932 stack_trap cleanup_55 EXIT
4934 do_facet mgs $LCTL nodemap_activate 1
# '|| true': deleting c0 is best effort, it may not exist yet.
4937 do_facet mgs $LCTL nodemap_del c0 || true
4938 wait_nm_sync c0 id ''
4940 do_facet mgs $LCTL nodemap_modify --name default \
4941 --property admin --value 1
4942 do_facet mgs $LCTL nodemap_modify --name default \
4943 --property trusted --value 1
4944 wait_nm_sync default admin_nodemap
4945 wait_nm_sync default trusted_nodemap
# Nodemap c0 covers only this client's NID: not admin, but trusted.
4947 client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
4948 client_nid=$(h2nettype $client_ip)
4949 do_facet mgs $LCTL nodemap_add c0
4950 do_facet mgs $LCTL nodemap_add_range \
4951 --name c0 --range $client_nid
4952 do_facet mgs $LCTL nodemap_modify --name c0 \
4953 --property admin --value 0
4954 do_facet mgs $LCTL nodemap_modify --name c0 \
4955 --property trusted --value 1
4956 wait_nm_sync c0 admin_nodemap
4957 wait_nm_sync c0 trusted_nodemap
4959 if $SHARED_KEY; then
4960 export SK_UNIQUE_NM=true
4961 # set some generic fileset to trigger SSK code
4965 # remount client to take nodemap into account
4966 zconf_mount_clients $HOSTNAME $MOUNT $MOUNT_OPTS ||
4967 error "remount failed"
4971 euid_access $USER0 $DIR/$tdir/$USER0/testdir_groups/file
4973 run_test 55 "access with seteuid"
# Statements of sanity-sec test 56 ("FIEMAP on encrypted file"); the function
# header is not in this listing. Writes 3 MiB of random data to a file in the
# encrypted test directory and checks that 'filefrag -v' output mentions both
# the "encrypted" and the "encoded" flags at least once.
4976 local testfile=$DIR/$tdir/$tfile
4978 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
4980 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4981 skip "client encryption not supported"
4983 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4984 skip "need dummy encryption support"
4986 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
4988 stack_trap cleanup_for_enc_tests EXIT
4991 $LFS setstripe -c1 $testfile
4992 dd if=/dev/urandom of=$testfile bs=1M count=3 conv=fsync
4993 filefrag -v $testfile || error "filefrag $testfile failed"
# grep -c counts matching lines anywhere in the output, not per extent.
4994 (( $(filefrag -v $testfile | grep -c encrypted) >= 1 )) ||
4995 error "filefrag $testfile does not show encrypted flag"
4996 (( $(filefrag -v $testfile | grep -c encoded) >= 1 )) ||
4997 error "filefrag $testfile does not show encoded flag"
4999 run_test 56 "FIEMAP on encrypted file"
# Statements of sanity-sec test 57 ("security.c/encryption.c xattr
# protection"); the function header and several lines are missing from the
# listing. The test checks that the security.c and encryption.c xattrs can
# neither be set, read nor listed from user space, on a directory and a file.
5002 local testdir=$DIR/$tdir/mytestdir
5003 local testfile=$DIR/$tdir/$tfile
5005 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
5007 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5008 skip "client encryption not supported"
5010 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5011 skip "need dummy encryption support"
# First round, run before cleanup_for_enc_tests is registered (presumably
# before the encrypted setup; the lines in between are missing): setting
# either xattr by hand must fail. The file checks reuse the tags (1.1)/(1.2).
5015 setfattr -n security.c -v myval $testdir &&
5016 error "setting xattr on $testdir should have failed (1.1)"
5017 setfattr -n encryption.c -v myval $testdir &&
5018 error "setting xattr on $testdir should have failed (1.2)"
5020 setfattr -n security.c -v myval $testfile &&
5021 error "setting xattr on $testfile should have failed (1.1)"
5022 setfattr -n encryption.c -v myval $testfile &&
5023 error "setting xattr on $testfile should have failed (1.2)"
5027 stack_trap cleanup_for_enc_tests EXIT
# Second round: each access must fail with a specific message, "Operation not
# permitted" for security.c and "Operation not supported" for encryption.c.
# NOTE(review): matching the message text depends on untranslated tool
# output; a localized environment would make these checks fail.
5031 if [ $(getfattr -n security.c $testdir 2>&1 |
5032 grep -ci "Operation not permitted") -eq 0 ]; then
5033 error "getting xattr on $testdir should have failed (1.1)"
5035 if [ $(getfattr -n encryption.c $testdir 2>&1 |
5036 grep -ci "Operation not supported") -eq 0 ]; then
5037 error "getting xattr on $testdir should have failed (1.2)"
# Listing all xattrs must not reveal either name. The backslash in the
# unquoted pattern is consumed by the shell, so grep sees 'security.c' with
# '.' matching any character - broader than intended, still a valid check.
5039 getfattr -d -m - $testdir 2>&1 | grep security\.c &&
5040 error "listing xattrs on $testdir should not expose security.c"
5041 getfattr -d -m - $testdir 2>&1 | grep encryption\.c &&
5042 error "listing xattrs on $testdir should not expose encryption.c"
5043 if [ $(setfattr -n security.c -v myval $testdir 2>&1 |
5044 grep -ci "Operation not permitted") -eq 0 ]; then
5045 error "setting xattr on $testdir should have failed (2.1)"
5047 if [ $(setfattr -n encryption.c -v myval $testdir 2>&1 |
5048 grep -ci "Operation not supported") -eq 0 ]; then
5049 error "setting xattr on $testdir should have failed (2.2)"
# Same sequence for the regular file.
5052 if [ $(getfattr -n security.c $testfile 2>&1 |
5053 grep -ci "Operation not permitted") -eq 0 ]; then
5054 error "getting xattr on $testfile should have failed (1.1)"
5056 if [ $(getfattr -n encryption.c $testfile 2>&1 |
5057 grep -ci "Operation not supported") -eq 0 ]; then
5058 error "getting xattr on $testfile should have failed (1.2)"
5060 getfattr -d -m - $testfile 2>&1 | grep security\.c &&
5061 error "listing xattrs on $testfile should not expose security.c"
5062 getfattr -d -m - $testfile 2>&1 | grep encryption\.c &&
5063 error "listing xattrs on $testfile should not expose encryption.c"
5064 if [ $(setfattr -n security.c -v myval $testfile 2>&1 |
5065 grep -ci "Operation not permitted") -eq 0 ]; then
5066 error "setting xattr on $testfile should have failed (2.1)"
5068 if [ $(setfattr -n encryption.c -v myval $testfile 2>&1 |
5069 grep -ci "Operation not supported") -eq 0 ]; then
5070 error "setting xattr on $testfile should have failed (2.2)"
5074 run_test 57 "security.c/encryption.c xattr protection"
# Statements of sanity-sec test 58 ("access to enc file's xattrs"); the
# function header and some lines are missing from the listing. It reads the
# link xattr of an encrypted file and directory with ll_decode_linkea, then
# creates 1000 directories and files and lists the whole tree.
5077 local testdir=$DIR/$tdir/mytestdir
5078 local testfile=$DIR/$tdir/$tfile
5080 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
5082 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5083 skip "client encryption not supported"
5085 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5086 skip "need dummy encryption support"
5088 stack_trap cleanup_for_enc_tests EXIT
5091 touch $DIR/$tdir/$tfile
5092 mkdir $DIR/$tdir/subdir
# Writing 3 to drop_caches asks the kernel to drop page cache, dentries and
# inodes, so the following lookups are not answered from client caches.
# This requires root.
5096 echo 3 > /proc/sys/vm/drop_caches
5098 ll_decode_linkea $DIR/$tdir/$tfile || error "cannot read $tfile linkea"
5099 ll_decode_linkea $DIR/$tdir/subdir || error "cannot read subdir linkea"
# Per iteration: one directory, one file, and five more entries created by
# createmany inside the directory.
5101 for ((i = 0; i < 1000; i = $((i+1)))); do
5102 mkdir -p $DIR/$tdir/d${i}
5103 touch $DIR/$tdir/f${i}
5104 createmany -m $DIR/$tdir/d${i}/f 5 > /dev/null
5109 echo 3 > /proc/sys/vm/drop_caches
5112 ls -ailR $DIR/$tdir > /dev/null || error "fail to ls"
5114 run_test 58 "access to enc file's xattrs"
# Presumably the body of the verify_mirror helper that tests 59a and 59b call
# with a test file and a reference file; the function header and the lines
# assigning $testfile and $reffile are missing from the listing. It verifies
# the mirrored file, then reads mirror 1 and mirror 2 separately and compares
# each copy with the reference.
5117 local mirror1=$TMP/$tfile.mirror1
5118 local mirror2=$TMP/$tfile.mirror2
5122 $LFS mirror verify -vvv $testfile ||
5123 error "verifying mirror failed (1)"
# Fails if the verify output contains "only valid" (case-insensitive match).
5124 if [ $($LFS mirror verify -v $testfile 2>&1 |
5125 grep -ci "only valid") -ne 0 ]; then
5126 error "verifying mirror failed (2)"
5129 $LFS mirror read -N 1 -o $mirror1 $testfile ||
5130 error "read from mirror 1 failed"
5131 cmp -bl $reffile $mirror1 ||
5132 error "corruption of mirror 1"
5133 $LFS mirror read -N 2 -o $mirror2 $testfile ||
5134 error "read from mirror 2 failed"
5135 cmp -bl $reffile $mirror2 ||
5136 error "corruption of mirror 2"
# Statements of sanity-sec test 59a ("mirror resync of encrypted files
# without key"); the function header and some lines are missing from the
# listing. A mirrored file is written with the dummy key, the client is
# remounted without it, and resync/verify are run on the file as found by
# name without the key. Reading a mirror without the key must fail.
5140 local testfile=$DIR/$tdir/$tfile
5141 local tmpfile=$TMP/$tfile
5142 local mirror1=$TMP/$tfile.mirror1
5143 local mirror2=$TMP/$tfile.mirror2
5146 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5147 skip "client encryption not supported"
5149 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5150 skip "need dummy encryption support"
5152 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
5154 stack_trap "cleanup_for_enc_tests $tmpfile $mirror1 $mirror2" EXIT
5157 dd if=/dev/urandom of=$tmpfile bs=5000 count=1 conv=fsync
5159 $LFS mirror create -N -i0 -N -i1 $testfile ||
5160 error "could not create mirror"
5161 dd if=$tmpfile of=$testfile bs=5000 count=1 conv=fsync ||
5162 error "could not write to $testfile"
5163 $LFS getstripe $testfile
5165 # remount without dummy encryption key
5166 remount_client_normally
# Assumes exactly one regular file directly under $DIR/$tdir; the result is
# used unquoted below.
5168 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
5169 $LFS mirror resync $scrambledfile ||
5170 error "could not resync mirror"
5172 $LFS mirror verify -vvv $scrambledfile ||
5173 error "mirror verify failed (1)"
5174 if [ $($LFS mirror verify -v $scrambledfile 2>&1 |
5175 grep -ci "only valid") -ne 0 ]; then
5176 error "mirror verify failed (2)"
# Negative check: file content must not be readable through 'mirror read'
# without the key. NOTE(review): any failure of the command satisfies it.
5179 $LFS mirror read -N 1 -o $mirror1 $scrambledfile &&
5180 error "read from mirror should fail"
# With the key back, both mirrors must match the reference data.
5183 remount_client_dummykey
5184 verify_mirror $testfile $tmpfile
5186 run_test 59a "mirror resync of encrypted files without key"
# Statements of sanity-sec test 59b ("migrate/extend/split of encrypted files
# without key"); the function header and some lines are missing from the
# listing. Layout operations are run on the file without the key, and after
# each one the client is remounted with the dummy key to check the content.
5189 local testfile=$DIR/$tdir/$tfile
5190 local tmpfile=$TMP/$tfile
5191 local mirror1=$TMP/$tfile.mirror1
5192 local mirror2=$TMP/$tfile.mirror2
5195 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5196 skip "client encryption not supported"
5198 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5199 skip "need dummy encryption support"
5201 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
5203 stack_trap "cleanup_for_enc_tests $tmpfile $mirror1 $mirror2" EXIT
# Reference data: 9000 bytes, each the character '2'.
5206 tr '\0' '2' < /dev/zero |
5207 dd of=$tmpfile bs=1 count=9000 conv=fsync
5209 $LFS setstripe -c1 -i0 $testfile
5210 dd if=$tmpfile of=$testfile bs=9000 count=1 conv=fsync ||
5211 error "write to $testfile failed"
5212 $LFS getstripe $testfile
5214 # remount without dummy encryption key
5215 remount_client_normally
# Assumes exactly one regular file directly under $DIR/$tdir; the result is
# used unquoted below.
5217 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
# Step 1: migrate the file to OST index 1 without the key.
5218 $LFS migrate -i1 $scrambledfile ||
5219 error "migrate $scrambledfile failed"
5220 $LFS getstripe $scrambledfile
5221 stripe=$($LFS getstripe -i $scrambledfile)
5222 [ $stripe -eq 1 ] || error "migrate file $scrambledfile failed"
5226 remount_client_dummykey
5227 cmp -bl $tmpfile $testfile ||
5228 error "migrated file is corrupted"
5230 # remount without dummy encryption key
5231 remount_client_normally
# Step 2: add a second mirror on OST index 0 without the key.
5233 $LFS mirror extend -N -i0 $scrambledfile ||
5234 error "mirror extend $scrambledfile failed (1)"
5235 $LFS getstripe $scrambledfile
5236 mirror_count=$($LFS getstripe -N $scrambledfile)
5237 [ $mirror_count -eq 2 ] ||
5238 error "mirror extend file $scrambledfile failed (2)"
5239 stripe=$($LFS getstripe --mirror-id=1 -i $scrambledfile)
5240 [ $stripe -eq 1 ] ||
5241 error "mirror extend file $scrambledfile failed (3)"
5242 stripe=$($LFS getstripe --mirror-id=2 -i $scrambledfile)
5243 [ $stripe -eq 0 ] ||
5244 error "mirror extend file $scrambledfile failed (4)"
5246 $LFS mirror verify -vvv $scrambledfile ||
5247 error "mirror verify failed (1)"
5248 if [ $($LFS mirror verify -v $scrambledfile 2>&1 |
5249 grep -ci "only valid") -ne 0 ]; then
5250 error "mirror verify failed (2)"
5254 remount_client_dummykey
5255 verify_mirror $testfile $tmpfile
5257 # remount without dummy encryption key
5258 remount_client_normally
# Step 3: split off and destroy mirror 1 without the key; only mirror 2
# (OST index 0) must remain.
5260 $LFS mirror split --mirror-id 1 -d $scrambledfile ||
5261 error "mirror split file $scrambledfile failed (1)"
5262 $LFS getstripe $scrambledfile
5263 mirror_count=$($LFS getstripe -N $scrambledfile)
5264 [ $mirror_count -eq 1 ] ||
5265 error "mirror split file $scrambledfile failed (2)"
5266 stripe=$($LFS getstripe --mirror-id=1 -i $scrambledfile)
5267 [ -z "$stripe" ] || error "mirror split file $scrambledfile failed (3)"
5268 stripe=$($LFS getstripe --mirror-id=2 -i $scrambledfile)
5269 [ $stripe -eq 0 ] || error "mirror split file $scrambledfile failed (4)"
5272 remount_client_dummykey
5274 cmp -bl $tmpfile $testfile ||
5275 error "extended/split file is corrupted"
5277 run_test 59b "migrate/extend/split of encrypted files without key"
# Statements of sanity-sec test 59c ("MDT migrate of encrypted files without
# key"); the function header and some lines are missing from the listing.
# A non-empty encrypted directory is migrated from MDT 0 to MDT 1 while the
# client has no key, then the content is checked under its clear name.
5280 local dirname=$DIR/$tdir/subdir
5283 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5284 skip "client encryption not supported"
5286 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5287 skip "need dummy encryption support"
5289 [[ $MDSCOUNT -ge 2 ]] || skip_env "needs >= 2 MDTs"
5291 (( "$MDS1_VERSION" > $(version_code 2.14.54.54) )) ||
5292 skip "MDT migration not supported with older server"
5294 stack_trap cleanup_for_enc_tests EXIT
5297 $LFS setdirstripe -i 0 $dirname
5298 echo b > $dirname/subf
5300 # remount without dummy encryption key
5301 remount_client_normally
# Assumes exactly one directory directly under $DIR/$tdir; the result is used
# unquoted below.
5303 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
5305 # migrate a non-empty encrypted dir
5306 $LFS migrate -m 1 $scrambleddir ||
5307 error "migrate $scrambleddir between MDTs failed (1)"
5309 stripe=$($LFS getdirstripe -i $scrambleddir)
5310 [ $stripe -eq 1 ] ||
5311 error "migrate $scrambleddir between MDTs failed (2)"
# These checks use the clear-text path, so the key is presumably restored on
# one of the lines missing just above - confirm against the full file.
5315 [ -f $dirname/subf ] ||
5316 error "migrate $scrambleddir between MDTs failed (3)"
5317 [ $(cat $dirname/subf) == "b" ] ||
5318 error "migrate $scrambleddir between MDTs failed (4)"
5320 run_test 59c "MDT migrate of encrypted files without key"
# Statements of sanity-sec test 60 ("Subdirmount of encrypted dir"); the
# function header and some lines are missing from the listing. Files are
# created in the encrypted directory, the client is remounted with
# FILESET=/$tdir, and the tree is listed before and after
# remount_client_dummykey; file content is read only after that call.
5323 local testdir=$DIR/$tdir/mytestdir
5324 local testfile=$DIR/$tdir/$tfile
5326 (( $MDS1_VERSION > $(version_code 2.14.53) )) ||
5327 skip "Need MDS version at least 2.14.53"
5329 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5330 skip "client encryption not supported"
5332 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5333 skip "need dummy encryption support"
5335 stack_trap cleanup_for_enc_tests EXIT
5338 echo a > $DIR/$tdir/file1
5339 mkdir $DIR/$tdir/subdir
5340 echo b > $DIR/$tdir/subdir/subfile1
5343 # unmount client completely
5344 umount_client $MOUNT || error "umount $MOUNT failed"
5345 if is_mounted $MOUNT2; then
5346 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
5349 # remount client with subdirectory mount
5350 export FILESET=/$tdir
5351 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed"
5352 if [ "$MOUNT_2" ]; then
5353 mount_client $MOUNT2 ${MOUNT_OPTS} || error "remount failed"
5357 ls -Rl $DIR || error "ls -Rl $DIR failed (1)"
5360 remount_client_dummykey
5363 ls -Rl $DIR || error "ls -Rl $DIR failed (2)"
# With the fileset mount, the files sit directly under $DIR; the error
# messages still print the path including $tdir.
5364 cat $DIR/file1 || error "cat $DIR/$tdir/file1 failed"
5365 cat $DIR/subdir/subfile1 ||
5366 error "cat $DIR/$tdir/subdir/subfile1 failed"
5368 run_test 60 "Subdirmount of encrypted dir"
# Nodemap setup that precedes test 61 (presumably its setup helper; the
# function header and some lines are missing from the listing). It activates
# nodemaps, recreates nodemap c0 for this client's NID and marks both the
# default nodemap and c0 as admin=1, trusted=1.
# NOTE(review): 'if $SHARED_KEY' runs the variable's value as a command and
# relies on it being exactly true or false.
5371 if $SHARED_KEY; then
5372 export SK_UNIQUE_NM=true
5376 do_facet mgs $LCTL nodemap_activate 1
5379 do_facet mgs $LCTL nodemap_del c0 || true
5380 wait_nm_sync c0 id ''
5382 do_facet mgs $LCTL nodemap_modify --name default \
5383 --property admin --value 1
5384 do_facet mgs $LCTL nodemap_modify --name default \
5385 --property trusted --value 1
5386 wait_nm_sync default admin_nodemap
5387 wait_nm_sync default trusted_nodemap
5389 client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
5390 client_nid=$(h2nettype $client_ip)
# A NID containing ':' gets a /128 suffix before it is used as a range.
5391 [[ "$client_nid" =~ ":" ]] && client_nid+="/128"
5392 do_facet mgs $LCTL nodemap_add c0
# If the range cannot be added, c0 is deleted again; the rest of the failure
# branch is on lines missing from the listing.
5393 do_facet mgs $LCTL nodemap_add_range \
5394 --name c0 --range $client_nid || {
5395 do_facet mgs $LCTL nodemap_del c0
5398 do_facet mgs $LCTL nodemap_modify --name c0 \
5399 --property admin --value 1
5400 do_facet mgs $LCTL nodemap_modify --name c0 \
5401 --property trusted --value 1
5402 wait_nm_sync c0 admin_nodemap
5403 wait_nm_sync c0 trusted_nodemap
# Presumably the body of cleanup_61, which test 61 registers with stack_trap
# (the function header is not in this listing). It deletes nodemap c0, sets
# admin and trusted back to 0 on the default nodemap, deactivates nodemaps
# and remounts the client. Deleting c0 also discards the readonly_mount
# property that test 61 sets on it.
5407 do_facet mgs $LCTL nodemap_del c0
5408 do_facet mgs $LCTL nodemap_modify --name default \
5409 --property admin --value 0
5410 do_facet mgs $LCTL nodemap_modify --name default \
5411 --property trusted --value 0
5412 wait_nm_sync default admin_nodemap
5413 wait_nm_sync default trusted_nodemap
5415 do_facet mgs $LCTL nodemap_activate 0
5416 wait_nm_sync active 0
5418 if $SHARED_KEY; then
5420 export SK_UNIQUE_NM=false
5423 mount_client $MOUNT ${MOUNT_OPTS} || error "re-mount failed"
# Statements of sanity-sec test 61 ("Nodemap enforces read-only mount"); the
# function header and some lines are missing from the listing. With
# readonly_mount at 0 a read-write mount must work; once readonly_mount is 1
# on nodemap c0, default, explicit rw and explicit ro mounts must all end up
# read-only and writes must fail.
5428 local testfile=$DIR/$tdir/$tfile
# Skip when the server does not expose nodemap.default.readonly_mount.
5431 readonly=$(do_facet mgs \
5432 lctl get_param -n nodemap.default.readonly_mount)
5433 [ -n "$readonly" ] ||
5434 skip "Server does not have readonly_mount nodemap flag"
5436 stack_trap cleanup_61 EXIT
5437 for idx in $(seq 1 $MDSCOUNT); do
5438 wait_recovery_complete mds$idx
5440 umount_client $MOUNT || error "umount $MOUNT failed (1)"
5442 # Activate nodemap, and mount rw.
5443 # Should succeed as rw mount is not forbidden by default.
5445 readonly=$(do_facet mgs \
5446 lctl get_param -n nodemap.default.readonly_mount)
5447 [ $readonly -eq 0 ] ||
5448 error "wrong default value for readonly_mount on default nodemap"
5449 readonly=$(do_facet mgs \
5450 lctl get_param -n nodemap.c0.readonly_mount)
5451 [ $readonly -eq 0 ] ||
5452 error "wrong default value for readonly_mount on nodemap c0"
5454 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},rw ||
5455 error "mount '-o rw' failed with default"
# NOTE(review): "rw," / "ro," are substring matches on the option list; they
# need the flag to be followed by a comma and would also match an option
# that merely ends in those letters.
5457 findmnt $MOUNT --output=options -n -f | grep -q "rw," ||
5458 error "should be rw mount"
5459 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
5460 echo a > $testfile || error "write $testfile failed"
5461 umount_client $MOUNT || error "umount $MOUNT failed (2)"
5463 # Now enforce read-only, and retry.
5464 do_facet mgs $LCTL nodemap_modify --name c0 \
5465 --property readonly_mount --value 1
5466 wait_nm_sync c0 readonly_mount
# Case 1: mount without an explicit rw/ro option.
5467 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS} ||
5468 error "mount failed"
5469 findmnt $MOUNT --output=options -n -f | grep -q "ro," ||
5470 error "mount should have been turned into ro"
5471 cat $testfile || error "read $testfile failed (1)"
# NOTE(review): '&& error' passes on any write failure, not only a
# read-only-filesystem error.
5472 echo b > $testfile && error "write $testfile should fail (1)"
5473 umount_client $MOUNT || error "umount $MOUNT failed (3)"
# Case 2: an explicit 'rw' request must still be downgraded to ro.
5474 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},rw ||
5475 error "mount '-o rw' failed"
5476 findmnt $MOUNT --output=options -n -f | grep -q "ro," ||
5477 error "mount rw should have been turned into ro"
5478 cat $testfile || error "read $testfile failed (2)"
5479 echo b > $testfile && error "write $testfile should fail (2)"
5480 umount_client $MOUNT || error "umount $MOUNT failed (4)"
# Case 3: an explicit 'ro' mount.
5481 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},ro ||
5482 error "mount '-o ro' failed"
5484 cat $testfile || error "read $testfile failed (3)"
5485 echo b > $testfile && error "write $testfile should fail (3)"
5486 umount_client $MOUNT || error "umount $MOUNT failed (5)"
5488 run_test 61 "Nodemap enforces read-only mount"
# Statements of sanity-sec test 62 ("e2fsck with encrypted files"); the
# function header and some lines are missing from the listing. Two files are
# created in the encrypted directory, the filesystem is stopped, e2fsck is
# run on the MDT and first OST devices, and the filesystem is set up again.
5491 local testdir=$DIR/$tdir/mytestdir
5492 local testfile=$DIR/$tdir/$tfile
5494 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
5496 (( $MDS1_VERSION > $(version_code 2.15.51) )) ||
5497 skip "Need MDS version at least 2.15.51"
5499 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5500 skip "client encryption not supported"
5502 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5503 skip "need dummy encryption support"
5505 stack_trap cleanup_for_enc_tests EXIT
5508 lfs setstripe -c -1 $DIR/$tdir
# One empty file and one file holding a single zero byte.
5509 touch $DIR/$tdir/${tfile}_1 || error "touch ${tfile}_1 failed"
5510 dd if=/dev/zero of=$DIR/$tdir/${tfile}_2 bs=1 count=1 conv=fsync ||
5511 error "dd ${tfile}_2 failed"
5513 # unmount the Lustre filesystem
5514 stopall || error "stopping for e2fsck run"
5516 # run e2fsck on the MDT and OST devices
5517 local mds_host=$(facet_active_host $SINGLEMDS)
5518 local ost_host=$(facet_active_host ost1)
5519 local mds_dev=$(mdsdevname ${SINGLEMDS//mds/})
5520 local ost_dev=$(ostdevname 1)
# "-n" is passed through to e2fsck: check only, answer 'no' to every repair.
5522 run_e2fsck $mds_host $mds_dev "-n"
5523 run_e2fsck $ost_host $ost_dev "-n"
5525 # mount the Lustre filesystem
5526 setupall || error "remounting the filesystem failed"
5528 run_test 62 "e2fsck with encrypted files"
# Fragments of helper code placed before test 63; most lines, including the
# function headers, loop bodies and closing keywords, are missing from the
# listing. What is visible: loops over the 'paths' array, collection of each
# path's FID with 'lfs path2fid', then resolution of every FID back to a path
# with 'lfs fid2path' and a check that the resolved path can be listed.
5533 for path in "${paths[@]}"; do
5541 for path in "${paths[@]}"; do
5542 fids+=("$(lfs path2fid $path)")
5547 for fid in "${fids[@]}"; do
5549 respath=$(lfs fid2path $MOUNT $fid)
5550 echo -e "\t" $respath
# $respath is used unquoted, which assumes the resolved name holds no
# whitespace or glob characters.
5551 ls -li $respath >/dev/null
5552 [ $? -eq 0 ] || error "fid2path $fid failed"
# Body of the test registered below as 63, "fid2path with encrypted files".
# The function header and several statements are missing from this listing.
# The names below deliberately contain an equals sign, apparently to exercise
# how the digested form of encrypted names is handled - TODO confirm.
5559 local vaultdir1=$DIR/$tdir/vault1==dir
5560 local vaultdir2=$DIR/$tdir/vault2==dir
5561 local longfname1="longfilenamewitha=inthemiddletotestbehaviorregardingthedigestedform"
5562 local longdname="longdirectorynamewitha=inthemiddletotestbehaviorregardingthedigestedform"
5563 local longfname2="$longdname/${longfname1}2"
# Prerequisites: recent enough MDS, client encryption advertised in the
# import, dummy encryption mount support and the fscrypt userspace tool.
5565 (( $MDS1_VERSION > $(version_code 2.15.53) )) ||
5566 skip "Need MDS version at least 2.15.53"
5568 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5569 skip "client encryption not supported"
5571 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5572 skip "need dummy encryption support"
5574 which fscrypt || skip "This test needs fscrypt userspace tool"
# NOTE(review): any failure of fscrypt setup is reported as "already done",
# so a genuinely broken setup only surfaces later, at the encrypt step.
5576 yes | fscrypt setup --force --verbose ||
5577 echo "fscrypt global setup already done"
# Force policy_version to "2" in a configuration file whose path is on a line
# not shown here.
5578 sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
5580 yes | fscrypt setup --verbose $MOUNT ||
5581 echo "fscrypt setup $MOUNT already done"
# When the client exposes the tunable, the first vault is created with
# filename encryption switched on and the second one with it switched off.
5583 # enable_filename_encryption tunable only available for client
5584 # built against embedded llcrypt. If client is built against in-kernel
5585 # fscrypt, file names are always encrypted.
5586 $LCTL get_param mdc.*.connect_flags | grep -q name_encryption &&
5587 nameenc=$(lctl get_param -n llite.*.enable_filename_encryption |
5589 if [ -n "$nameenc" ]; then
5590 do_facet mgs $LCTL set_param -P \
5591 llite.*.enable_filename_encryption=1
5593 error "set_param -P \
5594 llite.*.enable_filename_encryption=1 failed"
5596 wait_update_facet --verbose client \
5597 "$LCTL get_param -n llite.*.enable_filename_encryption \
5599 error "enable_filename_encryption not set on client"
5603 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
5604 --source=custom_passphrase --name=protector_63_1 $vaultdir1 ||
5605 error "fscrypt encrypt $vaultdir1 failed"
5607 mkdir $vaultdir1/dirA
5608 mkdir $vaultdir1/$longdname
5609 paths=("$vaultdir1/fileA")
5610 paths+=("$vaultdir1/dirA/fileB")
5611 paths+=("$vaultdir1/$longfname1")
5612 paths+=("$vaultdir1/$longfname2")
5615 paths+=("$vaultdir1/dirA")
5616 paths+=("$vaultdir1/$longdname")
5621 fscrypt lock --verbose $vaultdir1 ||
5622 error "fscrypt lock $vaultdir1 failed (1)"
5626 if [ -z "$nameenc" ]; then
5627 echo "Rest of the test requires disabling name encryption"
5631 # disable name encryption
5632 do_facet mgs $LCTL set_param -P llite.*.enable_filename_encryption=0
5634 error "set_param -P llite.*.enable_filename_encryption=0 failed"
5636 wait_update_facet --verbose client \
5637 "$LCTL get_param -n llite.*.enable_filename_encryption \
5639 error "enable_filename_encryption not set back to default"
# Throwaway test passphrase, supplied to fscrypt on stdin (twice, presumably
# for the confirmation prompt) rather than on its command line.
5642 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
5643 --source=custom_passphrase --name=protector_63_2 $vaultdir2 ||
5644 error "fscrypt encrypt $vaultdir2 failed"
5646 mkdir $vaultdir2/dirA
5647 mkdir $vaultdir2/$longdname
# Same set of regular files and directories as for the first vault.
5650 paths=("$vaultdir2/fileA")
5651 paths+=("$vaultdir2/dirA/fileB")
5652 paths+=("$vaultdir2/$longfname1")
5653 paths+=("$vaultdir2/$longfname2")
5656 paths+=("$vaultdir2/dirA")
5657 paths+=("$vaultdir2/$longdname")
# Lock the vault; presumably the checks on the lines not shown here then run
# without the key - TODO confirm.
5662 fscrypt lock --verbose $vaultdir2 ||
5663 error "fscrypt lock $vaultdir2 failed (2)"
# NOTE(review): unquoted and unguarded: an empty MOUNT would turn this into
# rm -rf /.fscrypt. Writing rm -rf -- "${MOUNT:?}/.fscrypt" fails closed.
5667 rm -rf $MOUNT/.fscrypt
5669 run_test 63 "fid2path with encrypted files"
# Nodemap preparation, presumably the setup counterpart of cleanup_64 (the
# function header is missing from this listing).
# Turn the nodemap feature on and remove any c0 nodemap left over earlier;
# a failing delete is tolerated on purpose.
5672 do_facet mgs $LCTL nodemap_activate 1
5675 do_facet mgs $LCTL nodemap_del c0 || true
5676 wait_nm_sync c0 id ''
# NOTE(review): the default nodemap is made admin and trusted here and stays
# that way until cleanup_64 sets both properties back to 0, so this is only
# suitable for a dedicated test filesystem.
5678 do_facet mgs $LCTL nodemap_modify --name default \
5679 --property admin --value 1
5680 do_facet mgs $LCTL nodemap_modify --name default \
5681 --property trusted --value 1
5682 wait_nm_sync default admin_nodemap
5683 wait_nm_sync default trusted_nodemap
# c0 is limited to the NID derived from the local HOSTNAME and gets the same
# admin and trusted settings; presumably this leaves the rbac property as the
# only restriction under test - TODO confirm.
5685 client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
5686 client_nid=$(h2nettype $client_ip)
5687 do_facet mgs $LCTL nodemap_add c0
5688 do_facet mgs $LCTL nodemap_add_range \
5689 --name c0 --range $client_nid
5690 do_facet mgs $LCTL nodemap_modify --name c0 \
5691 --property admin --value 1
5692 do_facet mgs $LCTL nodemap_modify --name c0 \
5693 --property trusted --value 1
5694 wait_nm_sync c0 admin_nodemap
5695 wait_nm_sync c0 trusted_nodemap
# Teardown that the 64x tests register through stack_trap (function header
# not shown): delete c0, return the default nodemap to admin=0 and trusted=0,
# then deactivate the nodemap feature.
# NOTE(review): no return status is checked here; if one of these calls
# fails, the default nodemap can be left admin/trusted. Logging such a
# failure would make that state visible.
5699 do_facet mgs $LCTL nodemap_del c0
5700 do_facet mgs $LCTL nodemap_modify --name default \
5701 --property admin --value 0
5702 do_facet mgs $LCTL nodemap_modify --name default \
5703 --property trusted --value 0
5704 wait_nm_sync default admin_nodemap
5705 wait_nm_sync default trusted_nodemap
5707 do_facet mgs $LCTL nodemap_activate 0
5708 wait_nm_sync active 0
# Body of test 64a (function header not shown): nodemap c0 may change mode,
# owner, group and project ID of a file only while its rbac property
# includes file_perms.
5712 local testfile=$DIR/$tdir/$tfile
5715 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5716 skip "Need MDS >= 2.15.54 for role-based controls"
# Register the nodemap teardown before anything is changed.
5718 stack_trap cleanup_64 EXIT
5719 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
# The role list of this loop is cut short in the listing. The quoted right
# hand side of =~ makes each check a literal substring match.
5722 # check default value for rbac is all
5723 rbac=$(do_facet mds $LCTL get_param -n nodemap.c0.rbac)
5724 for role in file_perms \
5732 [[ "$rbac" =~ "$role" ]] ||
5733 error "role '$role' not in default '$rbac'"
# Positive case: with rbac=file_perms every operation below must succeed.
5736 do_facet mgs $LCTL nodemap_modify --name c0 \
5737 --property rbac --value file_perms
5738 wait_nm_sync c0 rbac
5740 stack_trap "set +vx"
5742 chmod 777 $testfile || error "chmod failed"
5743 chown $TSTUSR:$TSTUSR $testfile || error "chown failed"
5744 chgrp $TSTUSR $testfile || error "chgrp failed"
5745 $LFS project -p 1000 $testfile || error "setting project failed"
# Negative case: with rbac=none the same operations must be refused.
5748 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5749 wait_nm_sync c0 rbac
# NOTE(review): these checks pass on any non-zero exit, so a failure that is
# unrelated to RBAC (for example a missing $testfile) looks the same as the
# expected denial. Matching the permission error on stderr would be tighter.
5752 chmod 777 $testfile && error "chmod should fail"
5753 chown $TSTUSR:$TSTUSR $testfile && error "chown should fail"
5754 chgrp $TSTUSR $testfile && error "chgrp should fail"
5755 $LFS project -p 1000 $testfile && error "setting project should fail"
5758 run_test 64a "Nodemap enforces file_perms RBAC roles"
# Body of test 64b (function header not shown): DNE operations from nodemap
# c0 are expected to work only while the matching rbac role is granted. The
# line carrying the rbac value for the positive case is missing here;
# presumably it is dne_ops, as in the test description - TODO confirm.
5761 local testdir=$DIR/$tdir/${tfile}.d
5764 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5765 skip "Need MDS >= 2.15.54 for role-based controls"
5767 (( MDSCOUNT >= 2 )) || skip "mdt count $MDSCOUNT, skipping dne_ops role"
5769 stack_trap cleanup_64 EXIT
5770 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
# Remember the current enable_dir_restripe value (0 if unreadable), enable it
# on every MDT node and restore the saved value on exit.
5773 dir_restripe=$(do_node $mds1_HOST \
5774 "$LCTL get_param -n mdt.*MDT0000.enable_dir_restripe")
5775 [ -n "$dir_restripe" ] || dir_restripe=0
5776 do_nodes $(comma_list $(all_mdts_nodes)) \
5777 $LCTL set_param mdt.*.enable_dir_restripe=1 ||
5778 error "enabling dir_restripe failed"
5779 stack_trap "do_nodes $(comma_list $(all_mdts_nodes)) \
5780 $LCTL set_param mdt.*.enable_dir_restripe=$dir_restripe" EXIT
5781 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
5783 wait_nm_sync c0 rbac
# Positive case: remote and striped directory creation, setdirstripe,
# migration and a rename between directories on different MDTs must succeed.
5784 $LFS mkdir -i 0 ${testdir}_for_migr ||
5785 error "$LFS mkdir ${testdir}_for_migr failed (1)"
5786 touch ${testdir}_for_migr/file001 ||
5787 error "touch ${testdir}_for_migr/file001 failed (1)"
5788 $LFS mkdir -i 0 ${testdir}_mdt0 ||
5789 error "$LFS mkdir ${testdir}_mdt0 failed (1)"
5790 $LFS mkdir -i 1 ${testdir}_mdt1 ||
5791 error "$LFS mkdir ${testdir}_mdt1 failed (1)"
5793 $LFS mkdir -i 1 $testdir || error "$LFS mkdir failed (1)"
5795 $LFS mkdir -c 2 $testdir || error "$LFS mkdir failed (2)"
5798 $LFS setdirstripe -c 2 $testdir || error "$LFS setdirstripe failed"
5800 $LFS migrate -m 1 ${testdir}_for_migr || error "$LFS migrate failed"
5801 touch ${testdir}_mdt0/fileA || error "touch fileA failed (1)"
5802 mv ${testdir}_mdt0/fileA ${testdir}_mdt1/ || error "mv failed (1)"
# The fixture directories are created again while the role is still granted.
5805 $LFS mkdir -i 0 ${testdir}_for_migr ||
5806 error "$LFS mkdir ${testdir}_for_migr failed (2)"
5807 touch ${testdir}_for_migr/file001 ||
5808 error "touch ${testdir}_for_migr/file001 failed (2)"
5809 $LFS mkdir -i 0 ${testdir}_mdt0 ||
5810 error "$LFS mkdir ${testdir}_mdt0 failed (2)"
5811 $LFS mkdir -i 1 ${testdir}_mdt1 ||
5812 error "$LFS mkdir ${testdir}_mdt1 failed (2)"
# Negative case: with rbac=none the DNE-specific commands must be refused,
# while a plain touch and the rename between the two directories are still
# expected to succeed.
5814 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5815 wait_nm_sync c0 rbac
# NOTE(review): the should-fail checks accept any non-zero exit, so they do
# not prove that the refusal came from RBAC rather than from another error.
5817 $LFS mkdir -i 1 $testdir && error "$LFS mkdir should fail (1)"
5818 $LFS mkdir -c 2 $testdir && error "$LFS mkdir should fail (2)"
5820 $LFS setdirstripe -c 2 $testdir && error "$LFS setdirstripe should fail"
5822 $LFS migrate -m 1 ${testdir}_for_migr &&
5823 error "$LFS migrate should fail"
5824 touch ${testdir}_mdt0/fileA || error "touch fileA failed (2)"
5825 mv ${testdir}_mdt0/fileA ${testdir}_mdt1/ || error "mv failed (2)"
5828 run_test 64b "Nodemap enforces dne_ops RBAC roles"
# Body of test 64c (function header not shown): quota administration from
# nodemap c0 is expected to work only while rbac includes quota_ops.
5831 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5832 skip "Need MDS >= 2.15.54 for role-based controls"
5834 stack_trap cleanup_64 EXIT
5835 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
5838 do_facet mgs $LCTL nodemap_modify --name c0 \
5839 --property rbac --value quota_ops
5840 wait_nm_sync c0 rbac
# Positive case: explicit limits for a user, a group and a project, then
# default limits (-U/-G/-P), then binding each ID to the defaults (-D).
# Every set must succeed; the --delete and zero-limit resets are unchecked.
5842 $LFS setquota -u $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT ||
5843 error "lfs setquota -u failed"
5844 $LFS setquota -u $USER0 --delete $MOUNT
5845 $LFS setquota -g $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT ||
5846 error "lfs setquota -g failed"
5847 $LFS setquota -g $USER0 --delete $MOUNT
5848 $LFS setquota -p 1000 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT ||
5849 error "lfs setquota -p failed"
5850 $LFS setquota -p 1000 --delete $MOUNT
5852 $LFS setquota -U -b 10G -B 11G -i 100K -I 105K $MOUNT ||
5853 error "lfs setquota -U failed"
5854 $LFS setquota -U -b 0 -B 0 -i 0 -I 0 $MOUNT
5855 $LFS setquota -G -b 10G -B 11G -i 100K -I 105K $MOUNT ||
5856 error "lfs setquota -G failed"
5857 $LFS setquota -G -b 0 -B 0 -i 0 -I 0 $MOUNT
5858 $LFS setquota -P -b 10G -B 11G -i 100K -I 105K $MOUNT ||
5859 error "lfs setquota -P failed"
5860 $LFS setquota -P -b 0 -B 0 -i 0 -I 0 $MOUNT
5861 $LFS setquota -u $USER0 -D $MOUNT ||
5862 error "lfs setquota -u -D failed"
5863 $LFS setquota -u $USER0 --delete $MOUNT
5864 $LFS setquota -g $USER0 -D $MOUNT ||
5865 error "lfs setquota -g -D failed"
5866 $LFS setquota -g $USER0 --delete $MOUNT
5867 $LFS setquota -p 1000 -D $MOUNT ||
5868 error "lfs setquota -p -D failed"
5869 $LFS setquota -p 1000 --delete $MOUNT
# Negative case: with rbac=none every setquota variant must be refused.
5872 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5873 wait_nm_sync c0 rbac
# NOTE(review): the should-fail checks accept any non-zero exit, and the
# --delete calls in this half are not asserted either way, so the test does
# not show whether deleting a quota entry is itself denied without the role.
5876 $LFS setquota -u $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT &&
5877 error "lfs setquota -u should fail"
5878 $LFS setquota -u $USER0 --delete $MOUNT
5879 $LFS setquota -g $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT &&
5880 error "lfs setquota -g should fail"
5881 $LFS setquota -g $USER0 --delete $MOUNT
5882 $LFS setquota -p 1000 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT &&
5883 error "lfs setquota -p should fail"
5884 $LFS setquota -p 1000 --delete $MOUNT
5886 $LFS setquota -U -b 10G -B 11G -i 100K -I 105K $MOUNT &&
5887 error "lfs setquota -U should fail"
5888 $LFS setquota -G -b 10G -B 11G -i 100K -I 105K $MOUNT &&
5889 error "lfs setquota -G should fail"
5890 $LFS setquota -P -b 10G -B 11G -i 100K -I 105K $MOUNT &&
5891 error "lfs setquota -P should fail"
5892 $LFS setquota -u $USER0 -D $MOUNT &&
5893 error "lfs setquota -u -D should fail"
5894 $LFS setquota -u $USER0 --delete $MOUNT
5895 $LFS setquota -g $USER0 -D $MOUNT &&
5896 error "lfs setquota -g -D should fail"
5897 $LFS setquota -g $USER0 --delete $MOUNT
5898 $LFS setquota -p 1000 -D $MOUNT &&
5899 error "lfs setquota -p -D should fail"
5900 $LFS setquota -p 1000 --delete $MOUNT
5903 run_test 64c "Nodemap enforces quota_ops RBAC roles"
# Body of test 64d (function header not shown): access to a file through its
# FID from nodemap c0 is expected to work only while rbac includes byfid_ops.
# The statements that create $testfile are missing from this listing.
5906 local testfile=$DIR/$tdir/$tfile
5909 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5910 skip "Need MDS >= 2.15.54 for role-based controls"
5912 stack_trap cleanup_64 EXIT
5913 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
5916 do_facet mgs $LCTL nodemap_modify --name c0 \
5917 --property rbac --value byfid_ops
5918 wait_nm_sync c0 rbac
# Positive case: fid2path, reading through .lustre/fid and rmfid all succeed.
5921 fid=$(lfs path2fid $testfile)
5923 $LFS fid2path $MOUNT $fid || error "fid2path $fid failed (1)"
5924 cat $MOUNT/.lustre/fid/$fid || error "cat by fid failed"
5925 lfs rmfid $MOUNT $fid || error "lfs rmfid failed"
# Negative case: with rbac=none, fid2path is still expected to succeed, while
# reading by FID and rmfid must be refused.
5928 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5929 wait_nm_sync c0 rbac
5932 fid=$(lfs path2fid $testfile)
5934 $LFS fid2path $MOUNT $fid || error "fid2path $fid failed (2)"
# NOTE(review): an empty $fid (path2fid failure) would also make the two
# commands below fail, which these checks would count as a correct denial.
5935 cat $MOUNT/.lustre/fid/$fid && error "cat by fid should fail"
5936 lfs rmfid $MOUNT $fid && error "lfs rmfid should fail"
5940 run_test 64d "Nodemap enforces byfid_ops RBAC roles"
# Body of test 64e (function header not shown): dumping and clearing
# changelogs from nodemap c0 is expected to work only while rbac includes
# chlg_ops.
5943 local testfile=$DIR/$tdir/$tfile
5944 local testdir=$DIR/$tdir/${tfile}.d
5946 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5947 skip "Need MDS >= 2.15.54 for role-based controls"
5949 stack_trap cleanup_64 EXIT
5950 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
# Register a changelog user, confirm it is listed, and record all event types.
5953 # activate changelogs
5954 changelog_register || error "changelog_register failed"
5955 local cl_user="${CL_USERS[$SINGLEMDS]%% *}"
5956 changelog_users $SINGLEMDS | grep -q $cl_user ||
5957 error "User $cl_user not found in changelog_users"
5958 changelog_chmask ALL
# Generate some changelog records.
5961 mkdir $testdir || error "failed to mkdir $testdir"
5962 touch $testfile || error "failed to touch $testfile"
# Positive case: with rbac=chlg_ops both dump and clear must succeed.
5964 do_facet mgs $LCTL nodemap_modify --name c0 \
5965 --property rbac --value chlg_ops
5966 wait_nm_sync c0 rbac
5969 echo "changelogs dump"
5970 changelog_dump || error "failed to dump changelogs"
5971 echo "changelogs clear"
5972 changelog_clear 0 || error "failed to clear changelogs"
5974 rm -rf $testdir $testfile || error "rm -rf $testdir $testfile failed"
# Negative case: with rbac=none new records are generated, then dump and
# clear must both be refused (any non-zero exit is accepted as a refusal).
5976 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5977 wait_nm_sync c0 rbac
5980 mkdir $testdir || error "failed to mkdir $testdir"
5981 touch $testfile || error "failed to touch $testfile"
5984 echo "changelogs dump"
5985 changelog_dump && error "dump changelogs should fail"
5986 echo "changelogs clear"
5987 changelog_clear 0 && error "clear changelogs should fail"
5988 rm -rf $testdir $testfile
# rbac is set back to all before the test ends, presumably so that changelog
# cleanup is not itself blocked by the restriction - TODO confirm.
5990 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value all
5991 wait_nm_sync c0 rbac
5993 run_test 64e "Nodemap enforces chlg_ops RBAC roles"
# Body of test 64f (function header not shown): creating and destroying
# fscrypt metadata from nodemap c0 is expected to require the fscrypt_admin
# rbac role, while unlocking and locking an existing vault is not.
5996 local vaultdir=$DIR/$tdir/vault
6001 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
6002 skip "Need MDS >= 2.15.54 for role-based controls"
6004 cli_enc=$($LCTL get_param mdc.*.import | grep client_encryption)
6005 [ -n "$cli_enc" ] || skip "Need enc support, skip fscrypt_admin role"
6006 which fscrypt || skip "Need fscrypt, skip fscrypt_admin role"
6008 stack_trap cleanup_64 EXIT
6009 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
# NOTE(review): any failure of fscrypt setup is reported as "already done",
# so a genuinely broken setup only surfaces later, at the encrypt step.
6012 yes | fscrypt setup --force --verbose ||
6013 echo "fscrypt global setup already done"
# Force policy_version to "2" in a configuration file whose path is on a line
# not shown here.
6014 sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
6016 yes | fscrypt setup --verbose $MOUNT ||
6017 echo "fscrypt setup $MOUNT already done"
# NOTE(review): $MOUNT is expanded when the trap is registered; an empty
# value would make the handler remove /.fscrypt. A ${MOUNT:?} guard fails
# closed.
6018 stack_trap "rm -rf $MOUNT/.fscrypt"
6020 # file_perms is required because fscrypt uses chmod/chown
6021 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
6022 --value fscrypt_admin,file_perms
6023 wait_nm_sync c0 rbac
# Positive case: with fscrypt_admin granted, encrypting a directory succeeds.
# The throwaway test passphrase is supplied to fscrypt on stdin rather than
# on its command line.
6027 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
6028 --source=custom_passphrase --name=protector_64 $vaultdir ||
6029 error "fscrypt encrypt $vaultdir failed"
6030 fscrypt lock $vaultdir || error "fscrypt lock $vaultdir failed (1)"
# Parse the policy and protector identifiers out of the fscrypt status
# output; they are needed for the metadata destroy calls further down.
6031 policy=$(fscrypt status $vaultdir | awk '$1 == "Policy:"{print $2}')
6032 [ -n "$policy" ] || error "could not get enc policy"
6033 protector=$(fscrypt status $vaultdir |
6034 awk 'BEGIN {found=0} { if (found == 1) { print $1 }} \
6035 $1 == "PROTECTOR" {found=1}')
6036 [ -n "$protector" ] || error "could not get enc protector"
# The rbac value for this phase is on a line not shown here; presumably it
# keeps file_perms and drops fscrypt_admin - TODO confirm.
6040 # file_perms is required because fscrypt uses chmod/chown
6041 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
6043 wait_nm_sync c0 rbac
# With that setting, unlocking and locking the existing vault must still
# work, while destroying the protector or the policy and encrypting a new
# directory must be refused (any non-zero exit is accepted as a refusal).
6046 echo mypass | fscrypt unlock $vaultdir ||
6047 error "fscrypt unlock $vaultdir failed"
6048 fscrypt lock $vaultdir || error "fscrypt lock $vaultdir failed (2)"
6049 fscrypt metadata destroy --protector=$MOUNT:$protector --force &&
6050 error "destroy protector should fail"
6051 fscrypt metadata destroy --policy=$MOUNT:$policy --force &&
6052 error "destroy policy should fail"
6053 mkdir -p ${vaultdir}2
6054 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
6055 --source=custom_passphrase \
6056 --name=protector_64bis ${vaultdir}2 &&
6057 error "fscrypt encrypt ${vaultdir}2 should fail"
# With rbac=all the metadata can be destroyed again.
6061 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value all
6062 wait_nm_sync c0 rbac
6065 fscrypt metadata destroy --protector=$MOUNT:$protector --force ||
6066 error "destroy protector failed"
6067 fscrypt metadata destroy --policy=$MOUNT:$policy --force ||
6068 error "destroy policy failed"
6073 run_test 64f "Nodemap enforces fscrypt_admin RBAC roles"
# Body fragment of look_for_files (header and local declarations not shown).
# Judging by the call sites, the arguments are the attribute pattern, a
# negate flag, the search path and the expected match count - TODO confirm.
# neg is emptied unless it equals 1, so the negation is added only then.
6082 (( neg == 1 )) || neg=""
# NOTE(review): $TMP/res is a fixed file name; a mktemp file would avoid
# clashes between concurrent runs. $path is left unquoted, presumably so that
# the glob passed in by the callers expands here.
6083 $LFS find -type f ${neg:+"!"} --attrs $pattern $path > $TMP/res
# Count the matching lines and compare with the expectation.
6085 res=$(cat $TMP/res | wc -l)
6086 (( res == $expected )) ||
6087 error "Find $pattern $path: found $res, expected $expected"
# Body of test 65 (function header not shown): checks that lfs find reports
# and filters on the Encrypted and Immutable attributes, both with -printf
# and with --attrs. Several setup statements are missing from this listing.
6091 local dirbis=$DIR/${tdir}_bis
6092 local testfile=$DIR/$tdir/$tfile
6095 $LCTL get_param mdc.*.import | grep -q client_encryption ||
6096 skip "client encryption not supported"
6098 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
6099 skip "need dummy encryption support"
# Unencrypted reference files: .1 carries no attribute, .2 is made immutable.
# The chattr -i trap is registered after the rm -rf trap; this relies on
# stack_trap running handlers in reverse order of registration - TODO confirm.
6101 # $dirbis is not going to be encrypted, as client
6102 # is not mounted with -o test_dummy_encryption yet
6104 stack_trap "rm -rf $dirbis" EXIT
6105 touch $dirbis/$tfile.1
6106 touch $dirbis/$tfile.2
6107 chattr +i $dirbis/$tfile.2
6108 stack_trap "chattr -i $dirbis/$tfile.2" EXIT
6110 stack_trap cleanup_for_enc_tests EXIT
6113 # All files/dirs under $DIR/$tdir are encrypted
6116 chattr +i $testfile.2
6117 stack_trap "chattr -i $testfile.2" EXIT
# -printf checks: the expected strings below show that %LA prints attribute
# names and %La the one-letter forms, with "---" when no attribute is set.
6119 $LFS find -printf "%p %LA\n" $dirbis/$tfile.1
6120 res=$($LFS find -printf "%LA" $dirbis/$tfile.1)
6121 [ "$res" == "---" ] ||
6122 error "$dirbis/$tfile.1 should have no attr, showed $res (1)"
6123 $LFS find -printf "%p %La\n" $dirbis/$tfile.1
6124 res=$($LFS find -printf "%La" $dirbis/$tfile.1)
6125 [ "$res" == "---" ] ||
6126 error "$dirbis/$tfile.1 should have no attr, showed $res (2)"
6127 $LFS find -printf "%p %LA\n" $dirbis/$tfile.2
6128 res=$($LFS find -printf "%LA" $dirbis/$tfile.2)
6129 [ "$res" == "Immutable" ] ||
6130 error "$dirbis/$tfile.2 should be Immutable, showed $res"
6131 $LFS find -printf "%p %La\n" $dirbis/$tfile.2
6132 res=$($LFS find -printf "%La" $dirbis/$tfile.2)
6133 [ "$res" == "i" ] ||
6134 error "$dirbis/$tfile.2 should be 'i', showed $res"
6135 $LFS find -printf "%p %LA\n" $testfile.1
6136 res=$($LFS find -printf "%LA" $testfile.1)
6137 [ "$res" == "Encrypted" ] ||
6138 error "$testfile.1 should be Encrypted, showed $res"
6139 $LFS find -printf "%p %La\n" $testfile.1
6140 res=$($LFS find -printf "%La" $testfile.1)
6141 [ "$res" == "E" ] ||
6142 error "$testfile.1 should be 'E', showed $res"
6143 $LFS find -printf "%p %LA\n" $testfile.2
6144 res=$($LFS find -printf "%LA" $testfile.2)
6145 [ "$res" == "Immutable,Encrypted" ] ||
6146 error "$testfile.2 should be Immutable,Encrypted, showed $res"
6147 $LFS find -printf "%p %La\n" $testfile.2
6148 res=$($LFS find -printf "%La" $testfile.2)
6149 [ "$res" == "iE" ] ||
6150 error "$testfile.2 should be 'iE', showed $res"
# --attrs checks over both directories: each case is run once with the long
# attribute names and once with the short letters. The second argument set to
# 1 negates the whole match; a ^ prefix inside the pattern negates a single
# attribute, as the echo messages spell out.
6152 echo Expecting to find 2 encrypted files
6153 look_for_files Encrypted 0 "$DIR/${tdir}*" 2
6154 echo Expecting to find 2 encrypted files
6155 look_for_files E 0 "$DIR/${tdir}*" 2
6157 echo Expecting to find 2 non-encrypted files
6158 look_for_files Encrypted 1 "$DIR/${tdir}*" 2
6159 echo Expecting to find 2 non-encrypted files
6160 look_for_files E 1 "$DIR/${tdir}*" 2
6162 echo Expecting to find 1 encrypted+immutable file
6163 look_for_files "Encrypted,Immutable" 0 "$DIR/${tdir}*" 1
6164 echo Expecting to find 1 encrypted+immutable file
6165 look_for_files "Ei" 0 "$DIR/${tdir}*" 1
6167 echo Expecting to find 1 encrypted+^immutable file
6168 look_for_files "Encrypted,^Immutable" 0 "$DIR/${tdir}*" 1
6169 echo Expecting to find 1 encrypted+^immutable file
6170 look_for_files "E^i" 0 "$DIR/${tdir}*" 1
6172 echo Expecting to find 1 ^encrypted+immutable file
6173 look_for_files "^Encrypted,Immutable" 0 "$DIR/${tdir}*" 1
6174 echo Expecting to find 1 ^encrypted+immutable file
6175 look_for_files "^Ei" 0 "$DIR/${tdir}*" 1
6177 echo Expecting to find 1 ^encrypted+^immutable file
6178 look_for_files "^Encrypted,^Immutable" 0 "$DIR/${tdir}*" 1
6179 echo Expecting to find 1 ^encrypted+^immutable file
6180 look_for_files "^E^i" 0 "$DIR/${tdir}*" 1
6182 run_test 65 "lfs find -printf %La and --attrs support"
# Presumably the body of cleanup_68, which test 68 registers with stack_trap
# (function header not shown): clear the fault injection settings and mount
# the client again, including $MOUNT2 when is_mounted reports it.
6185 lctl set_param fail_loc=0 fail_val=0
6186 mount_client $MOUNT ${MOUNT_OPTS} || error "re-mount $MOUNT failed"
6187 if is_mounted $MOUNT2; then
6188 mount_client $MOUNT2 ${MOUNT_OPTS} ||
6189 error "re-mount $MOUNT2 failed"
# Body of test 68, "all config logs are processed" (function header not
# shown). The cleanup is registered first so that it runs even if a later
# step fails.
6194 stack_trap cleanup_68 EXIT
6196 # unmount client completely
6197 umount_client $MOUNT || error "umount $MOUNT failed"
6198 if is_mounted $MOUNT2; then
6199 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
# 0x8000051d is 0x51d with the top bit set, matching the combination named in
# the define below. fail_val=20 is passed along with it; its meaning is not
# visible in this listing.
6202 #define CFS_FAIL_ONCE|OBD_FAIL_PTLRPC_DROP_MGS 0x51d
6203 lctl set_param fail_loc=0x8000051d fail_val=20
# The mount must succeed with the fault injection armed.
6205 zconf_mount_clients $HOSTNAME $MOUNT $MOUNT_OPTS ||
6206 error "mount failed"
6208 umount_client $MOUNT || error "re-umount $MOUNT failed"
6210 run_test 68 "all config logs are processed"
6212 log "cleanup: ======================================================"
6215 for ((num = 1; num <= $MDSCOUNT; num++)); do
6216 if [[ "${identity_old[$num]}" == 1 ]]; then
6217 switch_identity $num false || identity_old[$num]=$?
6221 $RUNAS_CMD -u $ID0 ls $DIR
6222 $RUNAS_CMD -u $ID1 ls $DIR
6226 complete_test $SECONDS
6227 check_and_cleanup_lustre