3 # Run select tests by setting ONLY, or as arguments to the script.
4 # Skip specific tests by setting EXCEPT.
10 # bug numbers for skipped tests: 19430 19967 19967
# Tests 2, 5 and 6 are always skipped (bug numbers listed above);
# SANITY_SEC_EXCEPT lets the environment add more.
11 ALWAYS_EXCEPT=" 2 5 6 $SANITY_SEC_EXCEPT"
12 # UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
# Announce the combined skip list when either variable is non-empty
# (the "\" continuation below must stay directly followed by the echo).
14 [ "$ALWAYS_EXCEPT$EXCEPT" ] && \
15 echo "Skipping tests: $ALWAYS_EXCEPT $EXCEPT"
# Prepend the test tree (resolved relative to $PWD) and its utils to PATH,
# so bare command names used later (lctl, krb5_login.sh, ...) resolve from
# the working tree before the system directories; /sbin is appended last.
# Expansions are unquoted, so PWD/SRCDIR must not contain whitespace.
18 export PATH=$PWD/$SRCDIR:$SRCDIR:$PWD/$SRCDIR/../utils:$PATH:/sbin
# Configuration name; selects cfg/$NAME.sh below.
19 export NAME=${NAME:-local}
# Lustre tree root, defaulting to the parent of this script's directory.
21 LUSTRE=${LUSTRE:-`dirname $0`/..}
# Both files below are sourced, not executed: they run in this shell with
# its privileges, and their locations are taken from the LUSTRE and
# CONFIG environment variables.
22 . $LUSTRE/tests/test-framework.sh
# ":=" assigns the per-NAME default to CONFIG when it is unset.
24 . ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
# Helper invoked by test 6 as "$WTL $file <seconds>" (presumably a
# bounded-time writer; confirm against tests/write_time_limit).
29 WTL=${WTL:-"$LUSTRE/tests/write_time_limit"}
# Per-uid permission config read by the MDS; tests rewrite it through
# do_facet and then flush the MDT identity cache.
32 PERM_CONF=$CONFDIR/perm.conf
# Host-specific numeric prefix (first field of sum(1) over the hostname),
# used to give the nodemaps created by tests 7/8 a per-host name.
35 HN=$(hostname | sum | awk '{ print $1 }')
# Not referenced elsewhere in this file as shown.
38 NODEMAP_IPADDR_COUNT=30
# The tests drive MDS and OSS nodes through do_facet; without the remote
# shell access these framework checks (presumably) verify there is nothing
# to run, so the script exits 0 rather than failing.
41 require_dsh_mds || exit 0
42 require_dsh_ost || exit 0
# Resolve the account names for uid ID0/ID1 by scanning /etc/passwd
# directly. In the passwd format ":$ID0:$ID0:" is the uid:gid pair, so only
# accounts whose uid equals their gid match; the pattern is unanchored and
# unquoted, so the same digits elsewhere on a line also match, and users
# served only via NSS (not present in /etc/passwd) are not found.
46 USER0=`cat /etc/passwd|grep :$ID0:$ID0:|cut -d: -f1`
47 USER1=`cat /etc/passwd|grep :$ID1:$ID1:|cut -d: -f1`
50 echo "Please add user0 (uid=$ID0 gid=$ID0)! Skip sanity-sec" && exit 0
53 echo "Please add user1 (uid=$ID1 gid=$ID1)! Skip sanity-sec" && exit 0
55 check_and_setup_lustre
58 if [ "$I_MOUNTED" = "yes" ]; then
59 cleanupall -f || error "sec_cleanup"
# DIR must lie under MOUNT. This is a regex/substring match on the
# unquoted, unanchored $MOUNT, not a path-prefix check: a DIR under
# "$MOUNT"2 would also pass.
64 [ -z "`echo $DIR | grep $MOUNT`" ] && \
65 error "$DIR not in $MOUNT" && sec_cleanup && exit 1
# More than one whitespace-separated word in MOUNT means the filesystem
# is mounted more than once; that is a skip (exit 0), not a failure.
67 [ `echo $MOUNT | wc -w` -gt 1 ] && \
68 echo "NAME=$MOUNT mounted more than once" && sec_cleanup && exit 0
# Single-MDS configurations only.
70 [ $MDSCOUNT -gt 1 ] && \
71 echo "skip multi-MDS test" && sec_cleanup && exit 0
# GSS support is inferred from the ptlrpc_gss module's use count (third
# lsmod column): present and non-zero means it is loaded and in use.
# GSS_SUP is set in the two branches and gates tests 1, 5 and 6.
74 GSS_REF=$(lsmod | grep ^ptlrpc_gss | awk '{print $3}')
# "[ ... -a ... ]" is the deprecated conjunction form; [[ ... && ... ]]
# would be the bash idiom.
75 if [ ! -z "$GSS_REF" -a "$GSS_REF" != "0" ]; then
77 echo "with GSS support"
80 echo "without GSS support"
83 MDT=$(do_facet $SINGLEMDS lctl get_param -N "mdt.\*MDT0000" |
85 [ -z "$MDT" ] && error "fail to get MDT device" && exit 1
# Create the MDS-side directory that PERM_CONF lives in.
86 do_facet $SINGLEMDS "mkdir -p $CONFDIR"
# lctl parameter paths on this MDT, used with set_param throughout.
# identity_flush is set to -1 after every PERM_CONF rewrite (presumably
# so the MDT re-reads the permission file); capa_timeout and sec_level
# are driven by the capability helpers further down.
87 IDENTITY_FLUSH=mdt.$MDT.identity_flush
89 CAPA_TIMEOUT=mdt.$MDT.capa_timeout
90 MDSSECLEVEL=mdt.$MDT.sec_level
# Client type probe: any llite instance reporting "remote" in client_type
# selects the remote-client paths below (CLIENT_TYPE is presumably assigned
# in the branches). Note the 2>/dev/null applies to grep only; errors from
# lctl itself still reach stderr.
93 if [ -z "$(lctl get_param -n llite.*.client_type | grep remote 2>/dev/null)" ]; then
109 if ! $RUNAS -u $user krb5_login.sh; then
110 error "$user login kerberos failed."
114 if ! $RUNAS -u $user -g $group ls $DIR > /dev/null 2>&1; then
115 $RUNAS -u $user lfs flushctx -k
116 $RUNAS -u $user krb5_login.sh
117 if ! $RUNAS -u $user -g $group ls $DIR > /dev/null 2>&1; then
118 error "init $user $group failed."
# Per-MDS record of the switch_identity toggle: a non-zero status from
# "switch_identity $num true" is stored here, and the cleanup at the end
# of the file reverts only the entries equal to 1.
124 declare -a identity_old
127 for num in `seq $MDSCOUNT`; do
128 switch_identity $num true || identity_old[$num]=$?
131 if ! $RUNAS -u $ID0 ls $DIR > /dev/null 2>&1; then
132 sec_login $USER0 $USER0
135 if ! $RUNAS -u $ID1 ls $DIR > /dev/null 2>&1; then
136 sec_login $USER1 $USER1
141 # run as different user
145 chmod 0755 $DIR || error "chmod (1)"
146 rm -rf $DIR/$tdir || error "rm (1)"
147 mkdir -p $DIR/$tdir || error "mkdir (1)"
149 if [ "$CLIENT_TYPE" = "remote" ]; then
150 do_facet $SINGLEMDS "echo '* 0 normtown' > $PERM_CONF"
151 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
152 chown $USER0 $DIR/$tdir && error "chown (1)"
153 do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
154 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
156 chown $USER0 $DIR/$tdir || error "chown (2)"
159 $RUNAS -u $ID0 ls $DIR || error "ls (1)"
160 rm -f $DIR/f0 || error "rm (2)"
161 $RUNAS -u $ID0 touch $DIR/f0 && error "touch (1)"
162 $RUNAS -u $ID0 touch $DIR/$tdir/f1 || error "touch (2)"
163 $RUNAS -u $ID1 touch $DIR/$tdir/f2 && error "touch (3)"
164 touch $DIR/$tdir/f3 || error "touch (4)"
165 chown root $DIR/$tdir || error "chown (3)"
166 chgrp $USER0 $DIR/$tdir || error "chgrp (1)"
167 chmod 0775 $DIR/$tdir || error "chmod (2)"
168 $RUNAS -u $ID0 touch $DIR/$tdir/f4 || error "touch (5)"
169 $RUNAS -u $ID1 touch $DIR/$tdir/f5 && error "touch (6)"
170 touch $DIR/$tdir/f6 || error "touch (7)"
171 rm -rf $DIR/$tdir || error "rm (3)"
173 if [ "$CLIENT_TYPE" = "remote" ]; then
174 do_facet $SINGLEMDS "rm -f $PERM_CONF"
175 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
178 run_test 0 "uid permission ============================="
182 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
184 if [ "$CLIENT_TYPE" = "remote" ]; then
185 do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
186 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
192 chown $USER0 $DIR/$tdir || error "chown (1)"
193 $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f0 && error "touch (2)"
194 echo "enable uid $ID1 setuid"
195 do_facet $SINGLEMDS "echo '* $ID1 setuid' >> $PERM_CONF"
196 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
197 $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f1 || error "touch (3)"
199 chown root $DIR/$tdir || error "chown (4)"
200 chgrp $USER0 $DIR/$tdir || error "chgrp (5)"
201 chmod 0770 $DIR/$tdir || error "chmod (6)"
202 $RUNAS -u $ID1 -g $ID1 touch $DIR/$tdir/f2 && error "touch (7)"
203 $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f3 && error "touch (8)"
204 echo "enable uid $ID1 setuid,setgid"
205 do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF"
206 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
207 $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f4 || error "touch (9)"
208 $RUNAS -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/$tdir/f5 || error "touch (10)"
212 do_facet $SINGLEMDS "rm -f $PERM_CONF"
213 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
215 run_test 1 "setuid/gid ============================="
217 run_rmtacl_subtest() {
218 $SAVE_PWD/rmtacl/run $SAVE_PWD/rmtacl/$1.test
223 # for remote client only
225 [ "$CLIENT_TYPE" = "local" ] && \
226 skip "remote_acl for remote client only" && return
227 [ -z "$(lctl get_param -n mdc.*-mdc-*.connect_flags | grep ^acl)" ] && \
228 skip "must have acl enabled" && return
229 [ -z "$(which setfacl 2>/dev/null)" ] && \
230 skip "could not find setfacl" && return
231 [ "$UID" != 0 ] && skip "must run as root" && return
233 do_facet $SINGLEMDS "echo '* 0 rmtacl,rmtown' > $PERM_CONF"
234 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
238 sec_login daemon daemon
239 sec_login games users
245 echo "performing cp ..."
246 run_rmtacl_subtest cp || error "cp"
247 echo "performing getfacl-noacl..."
248 run_rmtacl_subtest getfacl-noacl || error "getfacl-noacl"
249 echo "performing misc..."
250 run_rmtacl_subtest misc || error "misc"
251 echo "performing permissions..."
252 run_rmtacl_subtest permissions || error "permissions"
253 echo "performing setfacl..."
254 run_rmtacl_subtest setfacl || error "setfacl"
256 # inheritance test obtained from HP
257 echo "performing inheritance..."
258 cp $SAVE_PWD/rmtacl/make-tree .
260 run_rmtacl_subtest inheritance || error "inheritance"
266 do_facet $SINGLEMDS "rm -f $PERM_CONF"
267 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
269 run_test 2 "rmtacl ============================="
272 # root_squash will be redesigned in Lustre 1.7
274 skip "root_squash will be redesigned in Lustre 1.7" && return
276 run_test 3 "rootsquash ============================="
278 # bug 3285 - supplementary group should always succeed.
279 # NB: the supplementary groups are set for the local client only;
280 # for a remote client, the groups of the specified uid on the MDT
281 # are obtained via the /sbin/l_getidentity upcall and used instead.
283 if [ "$CLIENT_TYPE" = "remote" ]; then
284 do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
285 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
290 chmod 0771 $DIR/$tdir
291 chgrp $ID0 $DIR/$tdir
292 $RUNAS -u $ID0 ls $DIR/$tdir || error "setgroups (1)"
293 if [ "$CLIENT_TYPE" = "local" ]; then
294 do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
295 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
296 $RUNAS -u $ID1 -G1,2,$ID0 ls $DIR/$tdir || error "setgroups (2)"
298 $RUNAS -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)"
301 do_facet $SINGLEMDS "rm -f $PERM_CONF"
302 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
304 run_test 4 "set supplementary group ==============="
306 mds_capability_timeout() {
307 [ $# -lt 1 ] && echo "Miss mds capability timeout value" && return 1
309 echo "Set mds capability timeout as $1 seconds"
310 do_facet $SINGLEMDS "lctl set_param -n $CAPA_TIMEOUT=$1"
314 mds_sec_level_switch() {
315 [ $# -lt 1 ] && echo "Miss mds sec level switch value" && return 1
318 0) echo "Disable capa for all clients";;
319 1) echo "Enable capa for remote client";;
320 3) echo "Enable capa for all clients";;
321 *) echo "Invalid mds sec level switch value" && return 2;;
324 do_facet $SINGLEMDS "lctl set_param -n $MDSSECLEVEL=$1"
328 oss_sec_level_switch() {
329 [ $# -lt 1 ] && echo "Miss oss sec level switch value" && return 1
332 0) echo "Disable capa for all clients";;
333 1) echo "Enable capa for remote client";;
334 3) echo "Enable capa for all clients";;
335 *) echo "Invalid oss sec level switch value" && return 2;;
338 for i in `seq $OSTCOUNT`; do
339 local j=`expr $i - 1`
340 local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
341 [ -z "$OST" ] && return 3
342 do_facet ost$i "lctl set_param -n obdfilter.$OST.sec_level=$1"
347 mds_capability_switch() {
348 [ $# -lt 1 ] && echo "Miss mds capability switch value" && return 1
351 0) echo "Turn off mds capability";;
352 3) echo "Turn on mds capability";;
353 *) echo "Invalid mds capability switch value" && return 2;;
356 do_facet $SINGLEMDS "lctl set_param -n $MDSCAPA=$1"
360 oss_capability_switch() {
361 [ $# -lt 1 ] && echo "Miss oss capability switch value" && return 1
364 0) echo "Turn off oss capability";;
365 1) echo "Turn on oss capability";;
366 *) echo "Invalid oss capability switch value" && return 2;;
369 for i in `seq $OSTCOUNT`; do
370 local j=`expr $i - 1`
371 local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
372 [ -z "$OST" ] && return 3
373 do_facet ost$i "lctl set_param -n obdfilter.$OST.capa=$1"
379 mds_capability_switch 3 || return 1
380 mds_sec_level_switch 3 || return 2
385 oss_capability_switch 1 || return 1
386 oss_sec_level_switch 3 || return 2
390 turn_capability_on() {
391 local capa_timeout=${1:-"1800"}
393 # To turn on fid capability for the system,
394 # there is a requirement that fid capability
395 # is turned on on all MDS/OSS servers before
398 turn_mds_capa_on || return 1
399 turn_oss_capa_on || return 2
400 mds_capability_timeout $capa_timeout || return 3
401 remount_client $MOUNT || return 4
405 turn_mds_capa_off() {
406 mds_sec_level_switch 0 || return 1
407 mds_capability_switch 0 || return 2
411 turn_oss_capa_off() {
412 oss_sec_level_switch 0 || return 1
413 oss_capability_switch 0 || return 2
417 turn_capability_off() {
418 # Fid capability can be turned off on a live system; however, turn
419 # it off on all OSS servers before the MDS servers (the order below
420 # is OSS first, then MDS).
422 turn_oss_capa_off || return 1
423 turn_mds_capa_off || return 2
427 # We demonstrate that objects in the filesystem are not accessible
428 # without secrets supplied by the MDS: a proc variable on the MDS is
429 # disabled so that it does not supply secrets, and the subsequent
430 # attempts to access objects then fail.
434 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
435 if ! remote_mds; then
436 skip "client should be separated from server."
444 error "turn_capability_off"
450 error "turn_oss_capa_on"
454 if [ "$CLIENT_TYPE" = "remote" ]; then
455 remount_client $MOUNT && return 3
459 remount_client $MOUNT || return 4
462 # proc variable disabled -- access to the objects in the filesystem
464 echo "Should get Write error here : (proc variable are disabled "\
465 "-- access to the objects in the filesystem is denied."
468 error "Write worked well even though secrets not supplied."
474 error "turn_capability_on"
480 # proc variable enabled, secrets supplied -- write should work now
481 echo "Should not fail here : (proc variable enabled, secrets supplied "\
482 "-- write should work now)."
485 error "Write failed even though secrets supplied."
491 error "turn_capability_off"
496 run_test 5 "capa secrets ========================="
498 # Expiry: a test program is performing I/O on a file using a credential
499 # that expires half a minute later. While the program is running the
500 # credential expires and no automatic extension or renewal is
501 # enabled, so the program demonstrates an I/O failure.
505 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
506 if ! remote_mds; then
507 skip "client should be separated from server."
513 error "turn_capability_off"
519 turn_capability_on 30
521 error "turn_capability_on 30"
528 error "$WTL $file 60"
532 # Reset MDS capability timeout
533 mds_capability_timeout 30
535 error "mds_capability_timeout 30"
543 # To disable automatic renewal, it is enough to turn capa off on the MDS.
546 error "turn_mds_capa_off"
550 echo "We expect I/O failure."
553 echo "no I/O failure got."
559 error "turn_capability_off"
564 run_test 6 "capa expiry ========================="
571 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
572 if ! do_facet mgs $LCTL nodemap_add ${HN}_${i}; then
575 out=$(do_facet mgs $LCTL get_param nodemap.${HN}_${i}.id)
## The id of the new nodemap must be readable back: a grep count of 0
## means nodemap_add did not take effect, so fail with 1.
## NOTE(review): the pattern is the nodemap name, which get_param likely
## echoes as part of the parameter path, so this checks that the
## parameter exists rather than that the id value is sane; the unquoted
## $out is also word-split before grep sees it.
577 rc=$(echo $out | grep -c ${HN}_${i})
578 [[ $rc == 0 ]] && return 1
588 for ((i = 0; i < NODEMAP_COUNT; i++)); do
589 if ! do_facet mgs $LCTL nodemap_del ${HN}_${i}; then
# NOTE(review): $rc is not set by the nodemap_del above ("if ! cmd"
# discards its status), so this message reports a stale value (from an
# earlier grep -c, if any) or nothing. Capture the status first, e.g.
# "do_facet ...; rc=$?", if the exit code is meant to be reported.
590 error "nodemap_del ${HN}_${i} failed with $rc"
# After deletion the id must no longer be readable: a non-zero match
# count means the nodemap still exists, so fail with 1.
593 out=$(do_facet mgs $LCTL get_param nodemap.${HN}_${i}.id)
594 rc=$(echo $out | grep -c ${HN}_${i})
595 [[ $rc != 0 ]] && return 1
605 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
609 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 2
613 run_test 7 "nodemap create and delete"
622 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
628 [[ $rc == 0 ]] && error "duplicate nodemap_add allowed with $rc" &&
634 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 3
638 run_test 8 "nodemap reject duplicates"
640 log "cleanup: ======================================================"
643 for num in `seq $MDSCOUNT`; do
644 if [ "${identity_old[$num]}" = 1 ]; then
645 switch_identity $num false || identity_old[$num]=$?
649 $RUNAS -u $ID0 ls $DIR
650 $RUNAS -u $ID1 ls $DIR