3 # Run select tests by setting ONLY, or as arguments to the script.
4 # Skip specific tests by setting EXCEPT.
11 LUSTRE=${LUSTRE:-$(dirname $0)/..}
12 . $LUSTRE/tests/test-framework.sh
17 ALWAYS_EXCEPT="$SANITY_SEC_EXCEPT "
18 # bug number for skipped test:
20 # UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
22 [ "$SLOW" = "no" ] && EXCEPT_SLOW="26"
24 NODEMAP_TESTS=$(seq 7 26)
26 if ! check_versions; then
27 echo "It is NOT necessary to test nodemap under interoperation mode"
28 EXCEPT="$EXCEPT $NODEMAP_TESTS"
33 RUNAS_CMD=${RUNAS_CMD:-runas}
35 WTL=${WTL:-"$LUSTRE/tests/write_time_limit"}
38 PERM_CONF=$CONFDIR/perm.conf
40 HOSTNAME_CHECKSUM=$(hostname | sum | awk '{ print $1 }')
41 SUBNET_CHECKSUM=$(expr $HOSTNAME_CHECKSUM % 250 + 1)
43 require_dsh_mds || exit 0
44 require_dsh_ost || exit 0
46 clients=${CLIENTS//,/ }
47 num_clients=$(get_node_count ${clients})
48 clients_arr=($clients)
50 echo "was USER0=$(getent passwd | grep :${ID0:-500}:)"
51 echo "was USER1=$(getent passwd | grep :${ID1:-501}:)"
56 echo "now USER0=$USER0=$ID0:$(id -g $USER0), USER1=$USER1=$ID1:$(id -g $USER1)"
58 if [ "$SLOW" == "yes" ]; then
61 NODEMAP_IPADDR_LIST="1 10 64 128 200 250"
66 NODEMAP_IPADDR_LIST="1 250"
69 NODEMAP_MAX_ID=$((ID0 + NODEMAP_ID_COUNT))
72 skip "need to add user0 ($ID0:$ID0)" && exit 0
75 skip "need to add user1 ($ID1:$ID1)" && exit 0
77 IDBASE=${IDBASE:-60000}
79 # changes to mappings must be reflected in test 23
81 [0]="$((IDBASE+3)):$((IDBASE+0)) $((IDBASE+4)):$((IDBASE+2))"
82 [1]="$((IDBASE+5)):$((IDBASE+1)) $((IDBASE+6)):$((IDBASE+2))"
85 check_and_setup_lustre
90 GSS_REF=$(lsmod | grep ^ptlrpc_gss | awk '{print $3}')
91 if [ ! -z "$GSS_REF" -a "$GSS_REF" != "0" ]; then
93 echo "with GSS support"
96 echo "without GSS support"
99 MDT=$(mdtname_from_index 0 $MOUNT)
100 [[ -z "$MDT" ]] && error "fail to get MDT0000 device name" && exit 1
101 do_facet $SINGLEMDS "mkdir -p $CONFDIR"
102 IDENTITY_FLUSH=mdt.$MDT.identity_flush
111 if ! $RUNAS_CMD -u $user krb5_login.sh; then
112 error "$user login kerberos failed."
116 if ! $RUNAS_CMD -u $user -g $group ls $DIR > /dev/null 2>&1; then
117 $RUNAS_CMD -u $user lfs flushctx -k
118 $RUNAS_CMD -u $user krb5_login.sh
119 if ! $RUNAS_CMD -u$user -g$group ls $DIR > /dev/null 2>&1; then
120 error "init $user $group failed."
126 declare -a identity_old
129 # wait for SSK flavor to be applied if necessary
132 wait_flavor all2all $SK_FLAVOR
134 wait_flavor cli2mdt $SK_FLAVOR
135 wait_flavor cli2ost $SK_FLAVOR
141 for ((num = 1; num <= $MDSCOUNT; num++)); do
142 switch_identity $num true || identity_old[$num]=$?
145 if ! $RUNAS_CMD -u $ID0 ls $DIR > /dev/null 2>&1; then
146 sec_login $USER0 $USER0
149 if ! $RUNAS_CMD -u $ID1 ls $DIR > /dev/null 2>&1; then
150 sec_login $USER1 $USER1
156 # run as different user
160 chmod 0755 $DIR || error "chmod (1) Failed"
161 rm -rf $DIR/$tdir || error "rm (1) Failed"
162 mkdir -p $DIR/$tdir || error "mkdir (1) Failed"
164 # $DIR/$tdir owner changed to USER0(sanityusr)
165 chown $USER0 $DIR/$tdir || error "chown (2) Failed"
166 chmod 0755 $DIR/$tdir || error "chmod (2) Failed"
168 # Run as ID0 cmd must pass
169 $RUNAS_CMD -u $ID0 ls -ali $DIR || error "ls (1) Failed"
170 # Remove non-existing file f0
171 rm -f $DIR/f0 || error "rm (2) Failed"
173 # It is expected that this cmd should fail
174 # $DIR has only r-x rights for group and other
175 $RUNAS_CMD -u $ID0 touch $DIR/f0
176 (( $? == 0 )) && error "touch (1) should not pass"
178 # This must pass. $DIR/$tdir/ is owned by ID0/USER0
179 $RUNAS_CMD -u $ID0 touch $DIR/$tdir/f1 || error "touch (2) Failed"
181 # It is expected that this cmd should fail
182 # $tdir has rwxr-xr-x rights for $ID0
183 $RUNAS_CMD -u $ID1 touch $DIR/$tdir/f2
184 (( $? == 0 )) && error "touch (3) should not pass"
186 touch $DIR/$tdir/f3 || error "touch (4) Failed"
187 chown root $DIR/$tdir || error "chown (3) Failed"
188 chgrp $USER0 $DIR/$tdir || error "chgrp (1) Failed"
189 chmod 0775 $DIR/$tdir || error "chmod (3) Failed"
191 # Owner is root and group is USER0
192 $RUNAS_CMD -u $USER0 -g $USER0 touch $DIR/$tdir/f4 ||
193 error "touch (5) Failed"
195 # It is expected that this cmd should fail
196 # $tdir has rwxrwxr-x rights for group sanityusr/ID0, ID1 will fail
197 $RUNAS_CMD -u $ID1 -g $ID1 touch $DIR/$tdir/f5
198 (( $? == 0 )) && error "touch (6) should not pass"
200 touch $DIR/$tdir/f6 || error "touch (7) Failed"
201 rm -rf $DIR/$tdir || error "rm (3) Failed"
203 run_test 0 "uid permission ============================="
207 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
210 mkdir_on_mdt0 $DIR/$tdir
212 chown $USER0 $DIR/$tdir || error "chown (1)"
213 $RUNAS_CMD -u $ID1 -v $ID0 touch $DIR/$tdir/f0 && error "touch (2)"
214 echo "enable uid $ID1 setuid"
215 do_facet $SINGLEMDS "echo '* $ID1 setuid' >> $PERM_CONF"
216 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
217 $RUNAS_CMD -u $ID1 -v $ID0 touch $DIR/$tdir/f1 || error "touch (3)"
219 chown root $DIR/$tdir || error "chown (4)"
220 chgrp $USER0 $DIR/$tdir || error "chgrp (5)"
221 chmod 0770 $DIR/$tdir || error "chmod (6)"
222 $RUNAS_CMD -u $ID1 -g $ID1 touch $DIR/$tdir/f2 && error "touch (7)"
223 $RUNAS_CMD -u$ID1 -g$ID1 -j$ID0 touch $DIR/$tdir/f3 && error "touch (8)"
224 echo "enable uid $ID1 setuid,setgid"
225 do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF"
226 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
227 $RUNAS_CMD -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f4 ||
229 $RUNAS_CMD -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/$tdir/f5 ||
234 do_facet $SINGLEMDS "rm -f $PERM_CONF"
235 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
237 run_test 1 "setuid/gid ============================="
239 # bug 3285 - supplementary group should always succeed.
240 # NB: the supplementary groups are set for local client only,
241 # as for remote client, the groups of the specified uid on MDT
242 # will be obtained by upcall /usr/sbin/l_getidentity and used.
244 [[ "$MDS1_VERSION" -ge $(version_code 2.6.93) ]] ||
245 [[ "$MDS1_VERSION" -ge $(version_code 2.5.35) &&
246 "$MDS1_VERSION" -lt $(version_code 2.5.50) ]] ||
247 skip "Need MDS version at least 2.6.93 or 2.5.35"
250 mkdir_on_mdt0 -p $DIR/$tdir
251 chmod 0771 $DIR/$tdir
252 chgrp $ID0 $DIR/$tdir
253 $RUNAS_CMD -u $ID0 ls $DIR/$tdir || error "setgroups (1)"
254 do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
255 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
256 $RUNAS_CMD -u $ID1 -G1,2,$ID0 ls $DIR/$tdir ||
257 error "setgroups (2)"
258 $RUNAS_CMD -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)"
261 do_facet $SINGLEMDS "rm -f $PERM_CONF"
262 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
264 run_test 4 "set supplementary group ==============="
270 squash_id default ${NOBODY_UID:-65534} 0
271 wait_nm_sync default squash_uid '' inactive
272 squash_id default ${NOBODY_UID:-65534} 1
273 wait_nm_sync default squash_gid '' inactive
274 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
275 local csum=${HOSTNAME_CHECKSUM}_${i}
277 do_facet mgs $LCTL nodemap_add $csum
279 if [ $rc -ne 0 ]; then
280 echo "nodemap_add $csum failed with $rc"
284 wait_update_facet --verbose mgs \
285 "$LCTL get_param nodemap.$csum.id 2>/dev/null | \
286 grep -c $csum || true" 1 30 ||
289 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
290 local csum=${HOSTNAME_CHECKSUM}_${i}
292 wait_nm_sync $csum id '' inactive
300 for ((i = 0; i < NODEMAP_COUNT; i++)); do
301 local csum=${HOSTNAME_CHECKSUM}_${i}
303 if ! do_facet mgs $LCTL nodemap_del $csum; then
304 error "nodemap_del $csum failed with $?"
308 wait_update_facet --verbose mgs \
309 "$LCTL get_param nodemap.$csum.id 2>/dev/null | \
310 grep -c $csum || true" 0 30 ||
313 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
314 local csum=${HOSTNAME_CHECKSUM}_${i}
316 wait_nm_sync $csum id '' inactive
323 local cmd="$LCTL nodemap_add_range"
327 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
328 range="$SUBNET_CHECKSUM.${2}.${j}.[1-253]@tcp"
329 if ! do_facet mgs $cmd --name $1 --range $range; then
338 local cmd="$LCTL nodemap_del_range"
342 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
343 range="$SUBNET_CHECKSUM.${2}.${j}.[1-253]@tcp"
344 if ! do_facet mgs $cmd --name $1 --range $range; then
354 local cmd="$LCTL nodemap_add_idmap"
358 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || do_proj=false
360 echo "Start to add idmaps ..."
361 for ((i = 0; i < NODEMAP_COUNT; i++)); do
364 for ((j = $ID0; j < NODEMAP_MAX_ID; j++)); do
365 local csum=${HOSTNAME_CHECKSUM}_${i}
367 local fs_id=$((j + 1))
369 if ! do_facet mgs $cmd --name $csum --idtype uid \
370 --idmap $client_id:$fs_id; then
373 if ! do_facet mgs $cmd --name $csum --idtype gid \
374 --idmap $client_id:$fs_id; then
378 if ! do_facet mgs $cmd --name $csum \
379 --idtype projid --idmap \
380 $client_id:$fs_id; then
392 local cmd="$LCTL nodemap_add_idmap"
395 echo "Start to add root idmaps ..."
396 for ((i = 0; i < NODEMAP_COUNT; i++)); do
397 local csum=${HOSTNAME_CHECKSUM}_${i}
399 if ! do_facet mgs $cmd --name $csum --idtype uid \
403 if ! do_facet mgs $cmd --name $csum --idtype gid \
412 update_idmaps() { #LU-10040
413 [ "$MGS_VERSION" -lt $(version_code 2.10.55) ] &&
414 skip "Need MGS >= 2.10.55"
416 local csum=${HOSTNAME_CHECKSUM}_0
417 local old_id_client=$ID0
418 local old_id_fs=$((ID0 + 1))
419 local new_id=$((ID0 + 100))
424 echo "Start to update idmaps ..."
426 #Inserting an existed idmap should return error
427 cmd="$LCTL nodemap_add_idmap --name $csum --idtype uid"
429 $cmd --idmap $old_id_client:$old_id_fs 2>/dev/null; then
430 error "insert idmap {$old_id_client:$old_id_fs} " \
431 "should return error"
436 #Update id_fs and check it
437 if ! do_facet mgs $cmd --idmap $old_id_client:$new_id; then
438 error "$cmd --idmap $old_id_client:$new_id failed"
442 tmp_id=$(do_facet mgs $LCTL get_param -n nodemap.$csum.idmap |
443 awk '{ print $7 }' | sed -n '2p')
444 [ $tmp_id != $new_id ] && { error "new id_fs $tmp_id != $new_id"; \
445 rc=$((rc + 1)); return $rc; }
447 #Update id_client and check it
448 if ! do_facet mgs $cmd --idmap $new_id:$new_id; then
449 error "$cmd --idmap $new_id:$new_id failed"
453 tmp_id=$(do_facet mgs $LCTL get_param -n nodemap.$csum.idmap |
454 awk '{ print $5 }' | sed -n "$((NODEMAP_ID_COUNT + 1)) p")
455 tmp_id=$(echo ${tmp_id%,*}) #e.g. "501,"->"501"
456 [ $tmp_id != $new_id ] && { error "new id_client $tmp_id != $new_id"; \
457 rc=$((rc + 1)); return $rc; }
459 #Delete above updated idmap
460 cmd="$LCTL nodemap_del_idmap --name $csum --idtype uid"
461 if ! do_facet mgs $cmd --idmap $new_id:$new_id; then
462 error "$cmd --idmap $new_id:$new_id failed"
467 #restore the idmaps to make delete_idmaps work well
468 cmd="$LCTL nodemap_add_idmap --name $csum --idtype uid"
469 if ! do_facet mgs $cmd --idmap $old_id_client:$old_id_fs; then
470 error "$cmd --idmap $old_id_client:$old_id_fs failed"
480 local cmd="$LCTL nodemap_del_idmap"
484 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || do_proj=false
486 echo "Start to delete idmaps ..."
487 for ((i = 0; i < NODEMAP_COUNT; i++)); do
490 for ((j = $ID0; j < NODEMAP_MAX_ID; j++)); do
491 local csum=${HOSTNAME_CHECKSUM}_${i}
493 local fs_id=$((j + 1))
495 if ! do_facet mgs $cmd --name $csum --idtype uid \
496 --idmap $client_id:$fs_id; then
499 if ! do_facet mgs $cmd --name $csum --idtype gid \
500 --idmap $client_id:$fs_id; then
504 if ! do_facet mgs $cmd --name $csum \
505 --idtype projid --idmap \
506 $client_id:$fs_id; then
516 delete_root_idmaps() {
518 local cmd="$LCTL nodemap_del_idmap"
521 echo "Start to delete root idmaps ..."
522 for ((i = 0; i < NODEMAP_COUNT; i++)); do
523 local csum=${HOSTNAME_CHECKSUM}_${i}
525 if ! do_facet mgs $cmd --name $csum --idtype uid \
529 if ! do_facet mgs $cmd --name $csum --idtype gid \
542 local cmd="$LCTL nodemap_modify"
545 proc[0]="admin_nodemap"
546 proc[1]="trusted_nodemap"
550 for ((idx = 0; idx < 2; idx++)); do
551 if ! do_facet mgs $cmd --name $1 --property ${option[$idx]} \
556 if ! do_facet mgs $cmd --name $1 --property ${option[$idx]} \
566 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
567 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
571 cmd[0]="$LCTL nodemap_modify --property squash_uid"
572 cmd[1]="$LCTL nodemap_modify --property squash_gid"
573 cmd[2]="$LCTL nodemap_modify --property squash_projid"
575 if ! do_facet mgs ${cmd[$3]} --name $1 --value $2; then
580 # ensure that the squash defaults are the expected defaults
581 squash_id default ${NOBODY_UID:-65534} 0
582 wait_nm_sync default squash_uid '' inactive
583 squash_id default ${NOBODY_UID:-65534} 1
584 wait_nm_sync default squash_gid '' inactive
585 if [ "$MDS1_VERSION" -ge $(version_code 2.14.50) ]; then
586 squash_id default ${NOBODY_UID:-65534} 2
587 wait_nm_sync default squash_projid '' inactive
593 cmd="$LCTL nodemap_test_nid"
595 nid=$(do_facet mgs $cmd $1)
597 if [ $nid == $2 ]; then
605 # restore activation state
606 do_facet mgs $LCTL nodemap_activate 0
612 local cmd="$LCTL nodemap_test_id"
613 local do_root_idmap=true
616 (( $MDS1_VERSION >= $(version_code 2.15.60) )) || do_root_idmap=false
618 echo "Start to test idmaps ..."
619 ## nodemap deactivated
620 if ! do_facet mgs $LCTL nodemap_activate 0; then
623 for ((id = $ID0; id < NODEMAP_MAX_ID; id++)); do
626 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
627 local nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
628 local fs_id=$(do_facet mgs $cmd --nid $nid \
629 --idtype uid --id $id)
630 if [ $fs_id != $id ]; then
631 echo "expected $id, got $fs_id"
638 if ! do_facet mgs $LCTL nodemap_activate 1; then
642 for ((id = $ID0; id < NODEMAP_MAX_ID; id++)); do
643 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
644 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
645 fs_id=$(do_facet mgs $cmd --nid $nid \
646 --idtype uid --id $id)
647 expected_id=$((id + 1))
648 if [ $fs_id != $expected_id ]; then
649 echo "expected $expected_id, got $fs_id"
656 for ((i = 0; i < NODEMAP_COUNT; i++)); do
657 local csum=${HOSTNAME_CHECKSUM}_${i}
659 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
660 --property trusted --value 1; then
661 error "nodemap_modify $csum failed with $?"
666 for ((id = $ID0; id < NODEMAP_MAX_ID; id++)); do
667 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
668 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
669 fs_id=$(do_facet mgs $cmd --nid $nid \
670 --idtype uid --id $id)
671 if [ $fs_id != $id ]; then
672 echo "expected $id, got $fs_id"
678 ## ensure allow_root_access is enabled
679 for ((i = 0; i < NODEMAP_COUNT; i++)); do
680 local csum=${HOSTNAME_CHECKSUM}_${i}
682 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
683 --property admin --value 1; then
684 error "nodemap_modify $csum failed with $?"
689 ## check that root allowed
690 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
691 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
692 fs_id=$(do_facet mgs $cmd --nid $nid --idtype uid --id 0)
693 if [ $fs_id != 0 ]; then
694 echo "root allowed expected 0, got $fs_id"
699 if $do_root_idmap; then
700 ## add mapping for root
703 ## check that root allowed
704 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
705 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
706 fs_id=$(do_facet mgs $cmd --nid $nid \
708 if [ $fs_id != 0 ]; then
709 echo "root allowed expected 0, got $fs_id"
714 ## delete mapping for root
718 ## ensure allow_root_access is disabled
719 for ((i = 0; i < NODEMAP_COUNT; i++)); do
720 local csum=${HOSTNAME_CHECKSUM}_${i}
722 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
723 --property admin --value 0; then
724 error "nodemap_modify ${HOSTNAME_CHECKSUM}_${i} "
730 ## check that root is mapped to NOBODY_UID
731 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
732 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
733 fs_id=$(do_facet mgs $cmd --nid $nid --idtype uid --id 0)
734 if [ $fs_id != ${NOBODY_UID:-65534} ]; then
735 error "root squash expect ${NOBODY_UID:-65534} got $fs_id"
740 if $do_root_idmap; then
741 ## add mapping for root
744 ## check root is mapped
745 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
746 nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
747 fs_id=$(do_facet mgs $cmd --nid $nid \
750 if [ $fs_id != $expected_id ]; then
751 echo "expected $expected_id, got $fs_id"
756 ## delete mapping for root
760 ## reset client trust to 0
761 for ((i = 0; i < NODEMAP_COUNT; i++)); do
762 if ! do_facet mgs $LCTL nodemap_modify \
763 --name ${HOSTNAME_CHECKSUM}_${i} \
764 --property trusted --value 0; then
765 error "nodemap_modify ${HOSTNAME_CHECKSUM}_${i} "
777 remote_mgs_nodsh && skip "remote MGS with nodsh"
778 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
779 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
783 [[ $rc != 0 ]] && error "nodemap_add failed with $rc"
787 [[ $rc != 0 ]] && error "nodemap_del failed with $rc"
791 run_test 7 "nodemap create and delete"
796 remote_mgs_nodsh && skip "remote MGS with nodsh"
797 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
798 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
804 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
810 [[ $rc == 0 ]] && error "duplicate nodemap_add allowed with $rc" &&
816 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 3
820 run_test 8 "nodemap reject duplicates"
826 remote_mgs_nodsh && skip "remote MGS with nodsh"
827 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
828 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
833 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
836 for ((i = 0; i < NODEMAP_COUNT; i++)); do
837 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
841 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
844 for ((i = 0; i < NODEMAP_COUNT; i++)); do
845 if ! delete_range ${HOSTNAME_CHECKSUM}_${i} $i; then
849 [[ $rc != 0 ]] && error "nodemap_del_range failed with $rc" && return 4
854 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
858 run_test 9 "nodemap range add"
863 remote_mgs_nodsh && skip "remote MGS with nodsh"
864 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
865 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
870 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
873 for ((i = 0; i < NODEMAP_COUNT; i++)); do
874 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
878 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
881 for ((i = 0; i < NODEMAP_COUNT; i++)); do
882 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
886 [[ $rc == 0 ]] && error "nodemap_add_range duplicate add with $rc" &&
891 for ((i = 0; i < NODEMAP_COUNT; i++)); do
892 if ! delete_range ${HOSTNAME_CHECKSUM}_${i} $i; then
896 [[ $rc != 0 ]] && error "nodemap_del_range failed with $rc" && return 4
900 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 5
904 run_test 10a "nodemap reject duplicate ranges"
907 [ "$MGS_VERSION" -lt $(version_code 2.10.53) ] &&
908 skip "Need MGS >= 2.10.53"
912 local nids="192.168.19.[0-255]@o2ib20"
914 do_facet mgs $LCTL nodemap_del $nm1 2>/dev/null
915 do_facet mgs $LCTL nodemap_del $nm2 2>/dev/null
917 do_facet mgs $LCTL nodemap_add $nm1 || error "Add $nm1 failed"
918 do_facet mgs $LCTL nodemap_add $nm2 || error "Add $nm2 failed"
919 do_facet mgs $LCTL nodemap_add_range --name $nm1 --range $nids ||
920 error "Add range $nids to $nm1 failed"
921 [ -n "$(do_facet mgs $LCTL get_param nodemap.$nm1.* |
922 grep start_nid)" ] || error "No range was found"
923 do_facet mgs $LCTL nodemap_del_range --name $nm2 --range $nids &&
924 error "Deleting range $nids from $nm2 should fail"
925 [ -n "$(do_facet mgs $LCTL get_param nodemap.$nm1.* |
926 grep start_nid)" ] || error "Range $nids should be there"
928 do_facet mgs $LCTL nodemap_del $nm1 || error "Delete $nm1 failed"
929 do_facet mgs $LCTL nodemap_del $nm2 || error "Delete $nm2 failed"
932 run_test 10b "delete range from the correct nodemap"
934 test_10c() { #LU-8912
935 [ "$MGS_VERSION" -lt $(version_code 2.10.57) ] &&
936 skip "Need MGS >= 2.10.57"
938 local nm="nodemap_lu8912"
939 local nid_range="10.210.[32-47].[0-255]@o2ib3"
940 local start_nid="10.210.32.0@o2ib3"
941 local end_nid="10.210.47.255@o2ib3"
942 local start_nid_found
945 do_facet mgs $LCTL nodemap_del $nm 2>/dev/null
946 do_facet mgs $LCTL nodemap_add $nm || error "Add $nm failed"
947 do_facet mgs $LCTL nodemap_add_range --name $nm --range $nid_range ||
948 error "Add range $nid_range to $nm failed"
950 start_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
951 awk -F '[,: ]' /start_nid/'{ print $9 }')
952 [ "$start_nid" == "$start_nid_found" ] ||
953 error "start_nid: $start_nid_found != $start_nid"
954 end_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
955 awk -F '[,: ]' /end_nid/'{ print $13 }')
956 [ "$end_nid" == "$end_nid_found" ] ||
957 error "end_nid: $end_nid_found != $end_nid"
959 do_facet mgs $LCTL nodemap_del $nm || error "Delete $nm failed"
962 run_test 10c "verfify contiguous range support"
964 test_10d() { #LU-8913
965 [ "$MGS_VERSION" -lt $(version_code 2.10.59) ] &&
966 skip "Need MGS >= 2.10.59"
968 local nm="nodemap_lu8913"
969 local nid_range="*@o2ib3"
970 local start_nid="0.0.0.0@o2ib3"
971 local end_nid="255.255.255.255@o2ib3"
972 local start_nid_found
975 do_facet mgs $LCTL nodemap_del $nm 2>/dev/null
976 do_facet mgs $LCTL nodemap_add $nm || error "Add $nm failed"
977 do_facet mgs $LCTL nodemap_add_range --name $nm --range $nid_range ||
978 error "Add range $nid_range to $nm failed"
980 start_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
981 awk -F '[,: ]' /start_nid/'{ print $9 }')
982 [ "$start_nid" == "$start_nid_found" ] ||
983 error "start_nid: $start_nid_found != $start_nid"
984 end_nid_found=$(do_facet mgs $LCTL get_param nodemap.$nm.* |
985 awk -F '[,: ]' /end_nid/'{ print $13 }')
986 [ "$end_nid" == "$end_nid_found" ] ||
987 error "end_nid: $end_nid_found != $end_nid"
989 do_facet mgs $LCTL nodemap_del $nm || error "Delete $nm failed"
992 run_test 10d "verfify nodemap range format '*@<net>' support"
997 remote_mgs_nodsh && skip "remote MGS with nodsh"
998 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
999 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1004 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1007 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1008 if ! modify_flags ${HOSTNAME_CHECKSUM}_${i}; then
1012 [[ $rc != 0 ]] && error "nodemap_modify with $rc" && return 2
1017 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 3
1021 run_test 11 "nodemap modify"
1026 remote_mgs_nodsh && skip "remote MGS with nodsh"
1027 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1028 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1033 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1036 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1037 if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 0; then
1041 [[ $rc != 0 ]] && error "nodemap squash_uid with $rc" && return 2
1044 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1045 if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 1; then
1049 [[ $rc != 0 ]] && error "nodemap squash_gid with $rc" && return 3
1052 if (( $MDS1_VERSION >= $(version_code 2.14.52) )); then
1053 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1054 if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 2; then
1059 [[ $rc != 0 ]] && error "nodemap squash_projid with $rc" && return 5
1064 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
1068 run_test 12 "nodemap set squash ids"
1073 remote_mgs_nodsh && skip "remote MGS with nodsh"
1074 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1075 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1080 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1083 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1084 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
1088 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
1091 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1092 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
1093 for k in $NODEMAP_IPADDR_LIST; do
1094 if ! test_nid $SUBNET_CHECKSUM.$i.$j.$k \
1095 ${HOSTNAME_CHECKSUM}_${i}; then
1101 [[ $rc != 0 ]] && error "nodemap_test_nid failed with $rc" && return 3
1106 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
1110 run_test 13 "test nids"
1115 remote_mgs_nodsh && skip "remote MGS with nodsh"
1116 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1117 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1122 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1125 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1126 for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
1127 for k in $NODEMAP_IPADDR_LIST; do
1128 if ! test_nid $SUBNET_CHECKSUM.$i.$j.$k \
1135 [[ $rc != 0 ]] && error "nodemap_test_nid failed with $rc" && return 3
1140 [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
1144 run_test 14 "test default nodemap nid lookup"
1149 remote_mgs_nodsh && skip "remote MGS with nodsh"
1150 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1151 skip "No nodemap on $MGS_VERSION MGS < 2.5.53"
1156 [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
1158 for (( i = 0; i < NODEMAP_COUNT; i++ )); do
1159 local csum=${HOSTNAME_CHECKSUM}_${i}
1161 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
1162 --property admin --value 0; then
1165 if ! do_facet mgs $LCTL nodemap_modify --name $csum \
1166 --property trusted --value 0; then
1170 [[ $rc != 0 ]] && error "nodemap_modify failed with $rc" && return 1
1173 for ((i = 0; i < NODEMAP_COUNT; i++)); do
1174 if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
1178 [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
1183 [[ $rc != 0 ]] && error "nodemap_add_idmap failed with $rc" && return 3
1185 activedefault=$(do_facet mgs $LCTL get_param -n nodemap.active)
1186 if [[ "$activedefault" != "1" ]]; then
1187 stack_trap cleanup_active EXIT
1193 [[ $rc != 0 ]] && error "nodemap_test_id failed with $rc" && return 4
1198 [[ $rc != 0 ]] && error "update_idmaps failed with $rc" && return 5
1203 [[ $rc != 0 ]] && error "nodemap_del_idmap failed with $rc" && return 6
1208 [[ $rc != 0 ]] && error "nodemap_delete failed with $rc" && return 7
1212 run_test 15 "test id mapping"
1214 create_fops_nodemaps() {
1217 for client in $clients; do
1218 local client_ip=$(host_nids_address $client $NETTYPE)
1219 local client_nid=$(h2nettype $client_ip)
1220 [[ "$client_nid" =~ ":" ]] && client_nid+="/128"
1221 do_facet mgs $LCTL nodemap_add c${i} || return 1
1222 do_facet mgs $LCTL nodemap_add_range \
1223 --name c${i} --range $client_nid || {
1224 do_facet mgs $LCTL nodemap_del c${i}
1227 for map in ${FOPS_IDMAPS[i]}; do
1228 do_facet mgs $LCTL nodemap_add_idmap --name c${i} \
1229 --idtype uid --idmap ${map} || return 1
1230 do_facet mgs $LCTL nodemap_add_idmap --name c${i} \
1231 --idtype gid --idmap ${map} || return 1
1234 wait_nm_sync c$i idmap
1241 delete_fops_nodemaps() {
1244 for client in $clients; do
1245 do_facet mgs $LCTL nodemap_del c${i} || return 1
1253 if [ $MDSCOUNT -le 1 ]; then
1254 do_node ${clients_arr[0]} mkdir -p $DIR/$tdir
1256 # round-robin MDTs to test DNE nodemap support
1257 [ ! -d $DIR ] && do_node ${clients_arr[0]} mkdir -p $DIR
1258 do_node ${clients_arr[0]} $LFS setdirstripe -c 1 -i \
1259 $((fops_mds_index % MDSCOUNT)) $DIR/$tdir
1260 ((fops_mds_index++))
1264 # acl test directory needs to be initialized on a privileged client
1266 local admin=$(do_facet mgs $LCTL get_param -n nodemap.c0.admin_nodemap)
1267 local trust=$(do_facet mgs $LCTL get_param -n \
1268 nodemap.c0.trusted_nodemap)
1270 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1271 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
1273 wait_nm_sync c0 admin_nodemap
1274 wait_nm_sync c0 trusted_nodemap
1276 do_node ${clients_arr[0]} rm -rf $DIR/$tdir
1278 do_node ${clients_arr[0]} chown $user $DIR/$tdir
1280 do_facet mgs $LCTL nodemap_modify --name c0 \
1281 --property admin --value $admin
1282 do_facet mgs $LCTL nodemap_modify --name c0 \
1283 --property trusted --value $trust
1285 # flush MDT locks to make sure they are reacquired before test
1286 do_node ${clients_arr[0]} $LCTL set_param \
1287 ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
1289 wait_nm_sync c0 admin_nodemap
1290 wait_nm_sync c0 trusted_nodemap
1293 # fileset test directory needs to be initialized on a privileged client
1294 fileset_test_setup() {
1297 if [ -n "$FILESET" -a -z "$SKIP_FILESET" ]; then
1298 cleanup_mount $MOUNT
1299 FILESET="" zconf_mount_clients $CLIENTS $MOUNT
1302 local admin=$(do_facet mgs $LCTL get_param -n \
1303 nodemap.${nm}.admin_nodemap)
1304 local trust=$(do_facet mgs $LCTL get_param -n \
1305 nodemap.${nm}.trusted_nodemap)
1307 do_facet mgs $LCTL nodemap_modify --name $nm --property admin --value 1
1308 do_facet mgs $LCTL nodemap_modify --name $nm --property trusted \
1311 wait_nm_sync $nm admin_nodemap
1312 wait_nm_sync $nm trusted_nodemap
1314 # create directory and populate it for subdir mount
1315 do_node ${clients_arr[0]} mkdir $MOUNT/$subdir ||
1316 error "unable to create dir $MOUNT/$subdir"
1317 do_node ${clients_arr[0]} touch $MOUNT/$subdir/this_is_$subdir ||
1318 error "unable to create file $MOUNT/$subdir/this_is_$subdir"
1319 do_node ${clients_arr[0]} mkdir $MOUNT/$subdir/$subsubdir ||
1320 error "unable to create dir $MOUNT/$subdir/$subsubdir"
1321 do_node ${clients_arr[0]} touch \
1322 $MOUNT/$subdir/$subsubdir/this_is_$subsubdir ||
1323 error "unable to create file \
1324 $MOUNT/$subdir/$subsubdir/this_is_$subsubdir"
1326 do_facet mgs $LCTL nodemap_modify --name $nm \
1327 --property admin --value $admin
1328 do_facet mgs $LCTL nodemap_modify --name $nm \
1329 --property trusted --value $trust
1331 # flush MDT locks to make sure they are reacquired before test
1332 do_node ${clients_arr[0]} $LCTL set_param \
1333 ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
1335 wait_nm_sync $nm admin_nodemap
1336 wait_nm_sync $nm trusted_nodemap
1339 # fileset test directory needs to be initialized on a privileged client
1340 fileset_test_cleanup() {
1342 local admin=$(do_facet mgs $LCTL get_param -n \
1343 nodemap.${nm}.admin_nodemap)
1344 local trust=$(do_facet mgs $LCTL get_param -n \
1345 nodemap.${nm}.trusted_nodemap)
1347 do_facet mgs $LCTL nodemap_modify --name $nm --property admin --value 1
1348 do_facet mgs $LCTL nodemap_modify --name $nm --property trusted \
1351 wait_nm_sync $nm admin_nodemap
1352 wait_nm_sync $nm trusted_nodemap
1354 # cleanup directory created for subdir mount
1355 do_node ${clients_arr[0]} rm -rf $MOUNT/$subdir ||
1356 error "unable to remove dir $MOUNT/$subdir"
1358 do_facet mgs $LCTL nodemap_modify --name $nm \
1359 --property admin --value $admin
1360 do_facet mgs $LCTL nodemap_modify --name $nm \
1361 --property trusted --value $trust
1363 # flush MDT locks to make sure they are reacquired before test
1364 do_node ${clients_arr[0]} $LCTL set_param \
1365 ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
1367 wait_nm_sync $nm admin_nodemap
1368 wait_nm_sync $nm trusted_nodemap
1369 if [ -n "$FILESET" -a -z "$SKIP_FILESET" ]; then
1370 cleanup_mount $MOUNT
1371 zconf_mount_clients $CLIENTS $MOUNT
1375 do_create_delete() {
1378 local testfile=$DIR/$tdir/$tfile
1382 if $run_u touch $testfile >& /dev/null; then
1384 $run_u rm $testfile && d=1
1388 local expected=$(get_cr_del_expected $key)
1389 [ "$res" != "$expected" ] &&
1390 error "test $key, wanted $expected, got $res" && rc=$((rc + 1))
1394 nodemap_check_quota() {
1396 $run_u lfs quota -q $DIR | awk '{ print $2; exit; }'
1399 do_fops_quota_test() {
1401 # fuzz quota used to account for possible indirect blocks, etc
1402 local quota_fuzz=$(fs_log_size)
1403 local qused_orig=$(nodemap_check_quota "$run_u")
1404 local qused_high=$((qused_orig + quota_fuzz))
1405 local qused_low=$((qused_orig - quota_fuzz))
1406 local testfile=$DIR/$tdir/$tfile
1407 $run_u dd if=/dev/zero of=$testfile oflag=sync bs=1M count=1 \
1408 >& /dev/null || error "unable to write quota test file"
1409 sync; sync_all_data || true
1411 local qused_new=$(nodemap_check_quota "$run_u")
1412 [ $((qused_new)) -lt $((qused_low + 1024)) -o \
1413 $((qused_new)) -gt $((qused_high + 1024)) ] &&
1414 error "$qused_new != $qused_orig + 1M after write, " \
1415 "fuzz is $quota_fuzz"
1416 $run_u rm $testfile || error "unable to remove quota test file"
1417 wait_delete_completed_mds
1419 qused_new=$(nodemap_check_quota "$run_u")
1420 [ $((qused_new)) -lt $((qused_low)) \
1421 -o $((qused_new)) -gt $((qused_high)) ] &&
1422 error "quota not reclaimed, expect $qused_orig, " \
1423 "got $qused_new, fuzz $quota_fuzz"
1426 get_fops_mapped_user() {
1429 for ((i=0; i < ${#FOPS_IDMAPS[@]}; i++)); do
1430 for map in ${FOPS_IDMAPS[i]}; do
1431 if [ $(cut -d: -f1 <<< "$map") == $cli_user ]; then
1432 cut -d: -f2 <<< "$map"
1440 get_cr_del_expected() {
1442 IFS=":" read -a key <<< "$1"
1443 local mapmode="${key[0]}"
1444 local mds_user="${key[1]}"
1445 local cluster="${key[2]}"
1446 local cli_user="${key[3]}"
1447 local mode="0${key[4]}"
1454 [[ $mapmode == *mapped* ]] && mapped=1
1455 # only c1 is mapped in these test cases
1456 [[ $mapmode == mapped_trusted* ]] && [ "$cluster" == "c0" ] && mapped=0
1457 [[ $mapmode == *noadmin* ]] && noadmin=1
1459 # o+wx works as long as the user isn't mapped
1460 if [ $((mode & 3)) -eq 3 ]; then
1464 # if client user is root, check if root is squashed
1465 if [ "$cli_user" == "0" ]; then
1466 # squash root succeed, if other bit is on
1469 1) [ "$other" == "1" ] && echo $SUCCESS
1470 [ "$other" == "0" ] && echo $FAILURE;;
1474 if [ "$mapped" == "0" ]; then
1475 [ "$other" == "1" ] && echo $SUCCESS
1476 [ "$other" == "0" ] && echo $FAILURE
1480 # if mapped user is mds user, check for u+wx
1481 mapped_user=$(get_fops_mapped_user $cli_user)
1482 [ "$mapped_user" == "-1" ] &&
1483 error "unable to find mapping for client user $cli_user"
1485 if [ "$mapped_user" == "$mds_user" -a \
1486 $(((mode & 0300) == 0300)) -eq 1 ]; then
1490 if [ "$mapped_user" != "$mds_user" -a "$other" == "1" ]; then
1497 test_fops_admin_cli_i=""
1498 test_fops_chmod_dir() {
1499 local current_cli_i=$1
1501 local dir_to_chmod=$3
1502 local new_admin_cli_i=""
1504 # do we need to set up a new admin client?
1505 [ "$current_cli_i" == "0" ] && [ "$test_fops_admin_cli_i" != "1" ] &&
1507 [ "$current_cli_i" != "0" ] && [ "$test_fops_admin_cli_i" != "0" ] &&
1510 # if only one client, and non-admin, need to flip admin everytime
1511 if [ "$num_clients" == "1" ]; then
1512 test_fops_admin_client=$clients
1513 test_fops_admin_val=$(do_facet mgs $LCTL get_param -n \
1514 nodemap.c0.admin_nodemap)
1515 if [ "$test_fops_admin_val" != "1" ]; then
1516 do_facet mgs $LCTL nodemap_modify \
1520 wait_nm_sync c0 admin_nodemap
1522 elif [ "$new_admin_cli_i" != "" ]; then
1523 # restore admin val to old admin client
1524 if [ "$test_fops_admin_cli_i" != "" ] &&
1525 [ "$test_fops_admin_val" != "1" ]; then
1526 do_facet mgs $LCTL nodemap_modify \
1527 --name c${test_fops_admin_cli_i} \
1529 --value $test_fops_admin_val
1530 wait_nm_sync c${test_fops_admin_cli_i} admin_nodemap
1533 test_fops_admin_cli_i=$new_admin_cli_i
1534 test_fops_admin_client=${clients_arr[$new_admin_cli_i]}
1535 test_fops_admin_val=$(do_facet mgs $LCTL get_param -n \
1536 nodemap.c${new_admin_cli_i}.admin_nodemap)
1538 if [ "$test_fops_admin_val" != "1" ]; then
1539 do_facet mgs $LCTL nodemap_modify \
1540 --name c${new_admin_cli_i} \
1543 wait_nm_sync c${new_admin_cli_i} admin_nodemap
1547 do_node $test_fops_admin_client chmod $perm_bits $DIR/$tdir || return 1
1549 # remove admin for single client if originally non-admin
1550 if [ "$num_clients" == "1" ] && [ "$test_fops_admin_val" != "1" ]; then
1551 do_facet mgs $LCTL nodemap_modify --name c0 --property admin \
1553 wait_nm_sync c0 admin_nodemap
1561 local single_client="$2"
1562 local client_user_list=([0]="0 $((IDBASE+3))"
1563 [1]="0 $((IDBASE+5))")
1564 local mds_users="-1 0"
1567 local perm_bit_list="3 $((0300))"
1568 # SLOW tests 000-007, 010-070, 100-700 (octal modes)
1569 if [ "$SLOW" == "yes" ]; then
1570 perm_bit_list="0 $(seq 1 7) $(seq 8 8 63) $(seq 64 64 511) \
1572 client_user_list=([0]="0 $((IDBASE+3)) $((IDBASE+4))"
1573 [1]="0 $((IDBASE+5)) $((IDBASE+6))")
1574 mds_users="-1 0 1 2"
1577 # force single_client to speed up test
1578 [ "$SLOW" == "yes" ] ||
1580 # step through mds users. -1 means root
1581 for mds_i in $mds_users; do
1582 local user=$((mds_i + IDBASE))
1586 [ "$mds_i" == "-1" ] && user=0
1588 echo mkdir -p $DIR/$tdir
1591 for client in $clients; do
1593 for u in ${client_user_list[$cli_i]}; do
1594 local run_u="do_node $client \
1595 $RUNAS_CMD -u$u -g$u -G$u"
1596 for perm_bits in $perm_bit_list; do
1597 local mode=$(printf %03o $perm_bits)
1599 key="$mapmode:$user:c$cli_i:$u:$mode"
1600 test_fops_chmod_dir $cli_i $mode \
1602 error cannot chmod $key
1603 do_create_delete "$run_u" "$key"
1607 test_fops_chmod_dir $cli_i 777 $DIR/$tdir ||
1608 error cannot chmod $key
1609 do_fops_quota_test "$run_u"
1612 cli_i=$((cli_i + 1))
1613 [ "$single_client" == "1" ] && break
1620 nodemap_version_check () {
1621 remote_mgs_nodsh && skip "remote MGS with nodsh" && return 1
1622 [ "$MGS_VERSION" -lt $(version_code 2.5.53) ] &&
1623 skip "No nodemap on $MGS_VERSION MGS < 2.5.53" &&
1628 nodemap_test_setup() {
1630 local active_nodemap=1
1632 [ "$1" == "0" ] && active_nodemap=0
1634 do_nodes $(comma_list $(all_mdts_nodes)) \
1635 $LCTL set_param mdt.*.identity_upcall=NONE
1638 create_fops_nodemaps
1640 [[ $rc != 0 ]] && error "adding fops nodemaps failed $rc"
1642 do_facet mgs $LCTL nodemap_activate $active_nodemap
1645 do_facet mgs $LCTL nodemap_modify --name default \
1646 --property admin --value 1
1647 wait_nm_sync default admin_nodemap
1648 do_facet mgs $LCTL nodemap_modify --name default \
1649 --property trusted --value 1
1650 wait_nm_sync default trusted_nodemap
1653 nodemap_test_cleanup() {
1655 delete_fops_nodemaps
1657 [[ $rc != 0 ]] && error "removing fops nodemaps failed $rc"
1659 do_facet mgs $LCTL nodemap_modify --name default \
1660 --property admin --value 0
1661 wait_nm_sync default admin_nodemap
1662 do_facet mgs $LCTL nodemap_modify --name default \
1663 --property trusted --value 0
1664 wait_nm_sync default trusted_nodemap
1666 do_facet mgs $LCTL nodemap_activate 0
1667 wait_nm_sync active 0
1669 export SK_UNIQUE_NM=false
1673 nodemap_clients_admin_trusted() {
1677 for client in $clients; do
1678 do_facet mgs $LCTL nodemap_modify --name c0 \
1679 --property admin --value $admin
1680 do_facet mgs $LCTL nodemap_modify --name c0 \
1681 --property trusted --value $tr
1684 wait_nm_sync c$((i - 1)) admin_nodemap
1685 wait_nm_sync c$((i - 1)) trusted_nodemap
1689 nodemap_version_check || return 0
1690 nodemap_test_setup 0
1692 trap nodemap_test_cleanup EXIT
1694 nodemap_test_cleanup
1696 run_test 16 "test nodemap all_off fileops"
1700 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1701 skip "Need MDS >= 2.11.55"
1703 local check_proj=true
1705 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || check_proj=false
1707 nodemap_version_check || return 0
1710 trap nodemap_test_cleanup EXIT
1711 nodemap_clients_admin_trusted 0 1
1712 test_fops trusted_noadmin 1
1713 if $check_proj; then
1714 do_facet mgs $LCTL nodemap_modify --name c0 \
1715 --property map_mode --value projid
1716 wait_nm_sync c0 map_mode
1718 test_fops trusted_noadmin 1
1719 nodemap_test_cleanup
1721 run_test 17 "test nodemap trusted_noadmin fileops"
1725 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1726 skip "Need MDS >= 2.11.55"
1729 nodemap_version_check || return 0
1732 trap nodemap_test_cleanup EXIT
1733 nodemap_clients_admin_trusted 0 0
1734 test_fops mapped_noadmin 1
1735 nodemap_test_cleanup
1737 run_test 18 "test nodemap mapped_noadmin fileops"
1741 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1742 skip "Need MDS >= 2.11.55"
1745 nodemap_version_check || return 0
1748 trap nodemap_test_cleanup EXIT
1749 nodemap_clients_admin_trusted 1 1
1750 test_fops trusted_admin 1
1751 nodemap_test_cleanup
1753 run_test 19 "test nodemap trusted_admin fileops"
1757 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1758 skip "Need MDS >= 2.11.55"
1761 nodemap_version_check || return 0
1764 trap nodemap_test_cleanup EXIT
1765 nodemap_clients_admin_trusted 1 0
1766 test_fops mapped_admin 1
1767 nodemap_test_cleanup
1769 run_test 20 "test nodemap mapped_admin fileops"
1773 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1774 skip "Need MDS >= 2.11.55"
1777 nodemap_version_check || return 0
1780 trap nodemap_test_cleanup EXIT
1783 for client in $clients; do
1784 do_facet mgs $LCTL nodemap_modify --name c${i} \
1785 --property admin --value 0
1786 do_facet mgs $LCTL nodemap_modify --name c${i} \
1787 --property trusted --value $x
1791 wait_nm_sync c$((i - 1)) trusted_nodemap
1793 test_fops mapped_trusted_noadmin
1794 nodemap_test_cleanup
1796 run_test 21 "test nodemap mapped_trusted_noadmin fileops"
1800 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
1801 skip "Need MDS >= 2.11.55"
1804 nodemap_version_check || return 0
1807 trap nodemap_test_cleanup EXIT
1810 for client in $clients; do
1811 do_facet mgs $LCTL nodemap_modify --name c${i} \
1812 --property admin --value 1
1813 do_facet mgs $LCTL nodemap_modify --name c${i} \
1814 --property trusted --value $x
1818 wait_nm_sync c$((i - 1)) trusted_nodemap
1820 test_fops mapped_trusted_admin
1821 nodemap_test_cleanup
1823 run_test 22 "test nodemap mapped_trusted_admin fileops"
1825 # acl test directory needs to be initialized on a privileged client
1826 nodemap_acl_test_setup() {
1827 local admin=$(do_facet mgs $LCTL get_param -n \
1828 nodemap.c0.admin_nodemap)
1829 local trust=$(do_facet mgs $LCTL get_param -n \
1830 nodemap.c0.trusted_nodemap)
1832 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1833 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
1835 wait_nm_sync c0 admin_nodemap
1836 wait_nm_sync c0 trusted_nodemap
1838 do_node ${clients_arr[0]} rm -rf $DIR/$tdir
1840 do_node ${clients_arr[0]} chmod a+rwx $DIR/$tdir ||
1841 error unable to chmod a+rwx test dir $DIR/$tdir
1843 do_facet mgs $LCTL nodemap_modify --name c0 \
1844 --property admin --value $admin
1845 do_facet mgs $LCTL nodemap_modify --name c0 \
1846 --property trusted --value $trust
1848 wait_nm_sync c0 trusted_nodemap
1851 # returns 0 if the number of ACLs does not change on the second (mapped) client
1852 # after being set on the first client
1853 nodemap_acl_test() {
1855 local set_client="$2"
1856 local get_client="$3"
1857 local check_setfacl="$4"
1858 local setfacl_error=0
1859 local testfile=$DIR/$tdir/$tfile
1860 local RUNAS_USER="$RUNAS_CMD -u $user"
1862 local acl_count_post=0
1864 nodemap_acl_test_setup
1867 do_node $set_client $RUNAS_USER touch $testfile
1868 # remove from cache, otherwise ACLs will not be fetched from server
1869 do_rpc_nodes $set_client cancel_lru_locks
1870 do_node $set_client "sync ; echo 3 > /proc/sys/vm/drop_caches"
1872 # ACL masks aren't filtered by nodemap code, so we ignore them
1873 acl_count=$(do_node $get_client getfacl $testfile | grep -v mask |
1875 # remove from cache, otherwise ACLs will not be fetched from server
1876 do_rpc_nodes $get_client cancel_lru_locks
1877 do_node $get_client "sync ; echo 3 > /proc/sys/vm/drop_caches"
1878 do_node $set_client $RUNAS_USER setfacl -m $user:rwx $testfile ||
1880 # remove from cache, otherwise ACLs will not be fetched from server
1881 do_rpc_nodes $set_client cancel_lru_locks
1882 do_node $set_client "sync ; echo 3 > /proc/sys/vm/drop_caches"
1884 # if check setfacl is set to 1, then it's supposed to error
1885 if [ "$check_setfacl" == "1" ]; then
1886 [ "$setfacl_error" != "1" ] && return 1
1889 [ "$setfacl_error" == "1" ] && echo "WARNING: unable to setfacl"
1891 acl_count_post=$(do_node $get_client getfacl $testfile | grep -v mask |
1893 # remove from cache, otherwise ACLs will not be fetched from server
1894 do_rpc_nodes $get_client cancel_lru_locks
1895 do_node $get_client "sync ; echo 3 > /proc/sys/vm/drop_caches"
1896 [ $acl_count -eq $acl_count_post ] && return 0
1901 [ $num_clients -lt 2 ] && skip "Need 2 clients at least" && return
1902 nodemap_version_check || return 0
1905 trap nodemap_test_cleanup EXIT
1906 # 1 trusted cluster, 1 mapped cluster
1907 local unmapped_fs=$((IDBASE+0))
1908 local unmapped_c1=$((IDBASE+5))
1909 local mapped_fs=$((IDBASE+2))
1910 local mapped_c0=$((IDBASE+4))
1911 local mapped_c1=$((IDBASE+6))
1913 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1914 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
1916 do_facet mgs $LCTL nodemap_modify --name c1 --property admin --value 0
1917 do_facet mgs $LCTL nodemap_modify --name c1 --property trusted --value 0
1919 wait_nm_sync c1 trusted_nodemap
1921 # setfacl on trusted cluster to unmapped user, verify it's not seen
1922 nodemap_acl_test $unmapped_fs ${clients_arr[0]} ${clients_arr[1]} ||
1923 error "acl count (1)"
1925 # setfacl on trusted cluster to mapped user, verify it's seen
1926 nodemap_acl_test $mapped_fs ${clients_arr[0]} ${clients_arr[1]} &&
1927 error "acl count (2)"
1929 # setfacl on mapped cluster to mapped user, verify it's seen
1930 nodemap_acl_test $mapped_c1 ${clients_arr[1]} ${clients_arr[0]} &&
1931 error "acl count (3)"
1933 # setfacl on mapped cluster to unmapped user, verify error
1934 nodemap_acl_test $unmapped_fs ${clients_arr[1]} ${clients_arr[0]} 1 ||
1935 error "acl count (4)"
1938 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 0
1939 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 0
1941 wait_nm_sync c0 trusted_nodemap
1943 # setfacl to mapped user on c1, also mapped to c0, verify it's seen
1944 nodemap_acl_test $mapped_c1 ${clients_arr[1]} ${clients_arr[0]} &&
1945 error "acl count (5)"
1947 # setfacl to mapped user on c1, not mapped to c0, verify not seen
1948 nodemap_acl_test $unmapped_c1 ${clients_arr[1]} ${clients_arr[0]} ||
1949 error "acl count (6)"
1951 nodemap_test_cleanup
1953 run_test 23a "test mapped regular ACLs"
1955 test_23b() { #LU-9929
1956 [ $num_clients -lt 2 ] && skip "Need 2 clients at least"
1957 [ "$MGS_VERSION" -lt $(version_code 2.10.53) ] &&
1958 skip "Need MGS >= 2.10.53"
1960 export SK_UNIQUE_NM=true
1962 trap nodemap_test_cleanup EXIT
1964 local testdir=$DIR/$tdir
1965 local fs_id=$((IDBASE+10))
1970 do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
1971 wait_nm_sync c0 admin_nodemap
1972 do_facet mgs $LCTL nodemap_modify --name c1 --property admin --value 1
1973 wait_nm_sync c1 admin_nodemap
1974 do_facet mgs $LCTL nodemap_modify --name c1 --property trusted --value 1
1975 wait_nm_sync c1 trusted_nodemap
1977 # Add idmap $ID0:$fs_id (500:60010)
1978 do_facet mgs $LCTL nodemap_add_idmap --name c0 --idtype gid \
1979 --idmap $ID0:$fs_id ||
1980 error "add idmap $ID0:$fs_id to nodemap c0 failed"
1981 wait_nm_sync c0 idmap
1983 # set/getfacl default acl on client 1 (unmapped gid=500)
1984 do_node ${clients_arr[0]} rm -rf $testdir
1985 do_node ${clients_arr[0]} mkdir -p $testdir
1986 # Here, USER0=$(getent passwd | grep :$ID0:$ID0: | cut -d: -f1)
1987 do_node ${clients_arr[0]} setfacl -R -d -m group:$USER0:rwx $testdir ||
1988 error "setfacl $testdir on ${clients_arr[0]} failed"
1989 unmapped_id=$(do_node ${clients_arr[0]} getfacl $testdir |
1990 grep -E "default:group:.*:rwx" | awk -F: '{print $3}')
1991 [ "$unmapped_id" = "$USER0" ] ||
1992 error "gid=$ID0 was not unmapped correctly on ${clients_arr[0]}"
1994 # getfacl default acl on client 2 (mapped gid=60010)
1995 mapped_id=$(do_node ${clients_arr[1]} getfacl $testdir |
1996 grep -E "default:group:.*:rwx" | awk -F: '{print $3}')
1997 fs_user=$(do_node ${clients_arr[1]} getent passwd |
1998 grep :$fs_id:$fs_id: | cut -d: -f1)
1999 [ -z "$fs_user" ] && fs_user=$fs_id
2000 [ $mapped_id -eq $fs_id -o "$mapped_id" = "$fs_user" ] ||
2001 error "Should return gid=$fs_id or $fs_user on client2"
2004 nodemap_test_cleanup
2005 export SK_UNIQUE_NM=false
2007 run_test 23b "test mapped default ACLs"
2012 trap nodemap_test_cleanup EXIT
2013 do_nodes $(comma_list $(all_server_nodes)) $LCTL get_param -R nodemap
2015 nodemap_test_cleanup
2017 run_test 24 "check nodemap proc files for LBUGs and Oopses"
2020 local tmpfile=$(mktemp)
2021 local tmpfile2=$(mktemp)
2022 local tmpfile3=$(mktemp)
2023 local tmpfile4=$(mktemp)
2027 nodemap_version_check || return 0
2029 # stop clients for this test
2030 zconf_umount_clients $CLIENTS $MOUNT ||
2031 error "unable to umount clients $CLIENTS"
2033 export SK_UNIQUE_NM=true
2036 # enable trusted/admin for setquota call in cleanup_and_setup_lustre()
2038 for client in $clients; do
2039 do_facet mgs $LCTL nodemap_modify --name c${i} \
2040 --property admin --value 1
2041 do_facet mgs $LCTL nodemap_modify --name c${i} \
2042 --property trusted --value 1
2045 wait_nm_sync c$((i - 1)) trusted_nodemap
2047 trap nodemap_test_cleanup EXIT
2049 # create a new, empty nodemap, and add fileset info to it
2050 do_facet mgs $LCTL nodemap_add test25 ||
2051 error "unable to create nodemap $testname"
2052 do_facet mgs $LCTL set_param -P nodemap.$testname.fileset=/$subdir ||
2053 error "unable to add fileset info to nodemap test25"
2055 wait_nm_sync test25 id
2057 do_facet mgs $LCTL nodemap_info > $tmpfile
2058 do_facet mds $LCTL nodemap_info > $tmpfile2
2060 if ! $SHARED_KEY; then
2061 # will conflict with SK's nodemaps
2062 cleanup_and_setup_lustre
2064 # stop clients for this test
2065 zconf_umount_clients $CLIENTS $MOUNT ||
2066 error "unable to umount clients $CLIENTS"
2068 do_facet mgs $LCTL nodemap_info > $tmpfile3
2069 diff -q $tmpfile3 $tmpfile >& /dev/null ||
2070 error "nodemap_info diff on MGS after remount"
2072 do_facet mds $LCTL nodemap_info > $tmpfile4
2073 diff -q $tmpfile4 $tmpfile2 >& /dev/null ||
2074 error "nodemap_info diff on MDS after remount"
2077 do_facet mgs $LCTL nodemap_del test25 ||
2078 error "cannot delete nodemap test25 from config"
2079 nodemap_test_cleanup
2080 # restart clients previously stopped
2081 zconf_mount_clients $CLIENTS $MOUNT ||
2082 error "unable to mount clients $CLIENTS"
2084 rm -f $tmpfile $tmpfile2
2085 export SK_UNIQUE_NM=false
2087 run_test 25 "test save and reload nodemap config"
2090 nodemap_version_check || return 0
2094 do_facet mgs "seq -f 'c%g' $large_i | xargs -n1 $LCTL nodemap_add"
2095 wait_nm_sync c$large_i admin_nodemap
2097 do_facet mgs "seq -f 'c%g' $large_i | xargs -n1 $LCTL nodemap_del"
2098 wait_nm_sync c$large_i admin_nodemap
2100 run_test 26 "test transferring very large nodemap"
2102 nodemap_exercise_fileset() {
2105 local check_proj=true
2107 (( $MDS1_VERSION >= $(version_code 2.14.52) )) || check_proj=false
2110 if [ "$nm" == "default" ]; then
2111 do_facet mgs $LCTL nodemap_activate 1
2113 do_facet mgs $LCTL nodemap_modify --name default \
2114 --property admin --value 1
2115 do_facet mgs $LCTL nodemap_modify --name default \
2116 --property trusted --value 1
2117 wait_nm_sync default admin_nodemap
2118 wait_nm_sync default trusted_nodemap
2123 if $SHARED_KEY; then
2124 export SK_UNIQUE_NM=true
2126 # will conflict with SK's nodemaps
2127 trap "fileset_test_cleanup $nm" EXIT
2129 fileset_test_setup "$nm"
2131 # add fileset info to $nm nodemap
2132 if ! combined_mgs_mds; then
2133 do_facet mgs $LCTL set_param nodemap.${nm}.fileset=/$subdir ||
2134 error "unable to add fileset info to $nm nodemap on MGS"
2136 do_facet mgs $LCTL set_param -P nodemap.${nm}.fileset=/$subdir ||
2137 error "unable to add fileset info to $nm nodemap for servers"
2138 wait_nm_sync $nm fileset "nodemap.${nm}.fileset=/$subdir"
2140 if $check_proj; then
2141 do_facet mgs $LCTL nodemap_modify --name $nm \
2142 --property admin --value 1
2143 wait_nm_sync $nm admin_nodemap
2144 do_facet mgs $LCTL nodemap_modify --name $nm \
2145 --property trusted --value 0
2146 wait_nm_sync $nm trusted_nodemap
2147 do_facet mgs $LCTL nodemap_modify --name $nm \
2148 --property map_mode --value projid
2149 wait_nm_sync $nm map_mode
2150 do_facet mgs $LCTL nodemap_add_idmap --name $nm \
2151 --idtype projid --idmap 1:1
2152 do_facet mgs $LCTL nodemap_modify --name $nm \
2153 --property deny_unknown --value 1
2154 wait_nm_sync $nm deny_unknown
2158 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2159 error "unable to umount client ${clients_arr[0]}"
2160 # set some generic fileset to trigger SSK code
2162 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2163 error "unable to remount client ${clients_arr[0]}"
2166 # test mount point content
2167 do_node ${clients_arr[0]} test -f $MOUNT/this_is_$subdir ||
2168 error "fileset not taken into account"
2170 if $check_proj; then
2171 do_node ${clients_arr[0]} $LFS setquota -p 1 -b 10000 -B 11000 \
2172 -i 0 -I 0 $MOUNT || error "setquota -p 1 failed"
2173 do_node ${clients_arr[0]} $LFS setquota -p 2 -b 10000 -B 11000 \
2174 -i 0 -I 0 $MOUNT && error "setquota -p 2 should fail"
2177 # re-mount client with sub-subdir
2178 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2179 error "unable to umount client ${clients_arr[0]}"
2180 export FILESET=/$subsubdir
2181 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2182 error "unable to remount client ${clients_arr[0]}"
2185 # test mount point content
2186 do_node ${clients_arr[0]} test -f $MOUNT/this_is_$subsubdir ||
2187 error "subdir of fileset not taken into account"
2189 # remove fileset info from nodemap
2190 do_facet mgs $LCTL nodemap_set_fileset --name $nm --fileset clear ||
2191 error "unable to delete fileset info on $nm nodemap"
2192 wait_update_facet mgs "$LCTL get_param nodemap.${nm}.fileset" \
2193 "nodemap.${nm}.fileset=" ||
2194 error "fileset info still not cleared on $nm nodemap"
2195 do_facet mgs $LCTL set_param -P nodemap.${nm}.fileset=clear ||
2196 error "unable to reset fileset info on $nm nodemap"
2197 wait_nm_sync $nm fileset "nodemap.${nm}.fileset="
2198 do_facet mgs $LCTL set_param -P -d nodemap.${nm}.fileset ||
2199 error "unable to remove fileset rule on $nm nodemap"
2202 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2203 error "unable to umount client ${clients_arr[0]}"
2204 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2205 error "unable to remount client ${clients_arr[0]}"
2207 # test mount point content
2208 if ! $(do_node ${clients_arr[0]} test -d $MOUNT/$subdir); then
2210 error "fileset not cleared on $nm nodemap"
2213 # back to non-nodemap setup
2214 if $SHARED_KEY; then
2215 export SK_UNIQUE_NM=false
2216 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2217 error "unable to umount client ${clients_arr[0]}"
2219 fileset_test_cleanup "$nm"
2220 if [ "$nm" == "default" ]; then
2221 do_facet mgs $LCTL nodemap_modify --name default \
2222 --property admin --value 0
2223 do_facet mgs $LCTL nodemap_modify --name default \
2224 --property trusted --value 0
2225 wait_nm_sync default admin_nodemap
2226 wait_nm_sync default trusted_nodemap
2227 do_facet mgs $LCTL nodemap_activate 0
2228 wait_nm_sync active 0
2230 export SK_UNIQUE_NM=false
2232 nodemap_test_cleanup
2234 if $SHARED_KEY; then
2235 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2236 error "unable to remount client ${clients_arr[0]}"
2241 [ "$MDS1_VERSION" -lt $(version_code 2.11.50) ] &&
2242 skip "Need MDS >= 2.11.50"
2244 # if servers run on the same node, it is impossible to tell if they get
2245 # synced with the mgs, so this test needs to be skipped
2246 if [ $(facet_active_host mgs) == $(facet_active_host mds) ] &&
2247 [ $(facet_active_host mgs) == $(facet_active_host ost1) ]; then
2248 skip "local mode not supported"
2251 for nm in "default" "c0"; do
2252 local subdir="subdir_${nm}"
2253 local subsubdir="subsubdir_${nm}"
2255 if [ "$nm" == "default" ] && [ "$SHARED_KEY" == "true" ]; then
2256 echo "Skipping nodemap $nm with SHARED_KEY";
2260 echo "Exercising fileset for nodemap $nm"
2261 nodemap_exercise_fileset "$nm"
2264 run_test 27a "test fileset in various nodemaps"
2266 test_27b() { #LU-10703
2267 [ "$MDS1_VERSION" -lt $(version_code 2.11.50) ] &&
2268 skip "Need MDS >= 2.11.50"
2269 [[ $MDSCOUNT -lt 2 ]] && skip "needs >= 2 MDTs"
2271 # if servers run on the same node, it is impossible to tell if they get
2272 # synced with the mgs, so this test needs to be skipped
2273 if [ $(facet_active_host mgs) == $(facet_active_host mds) ] &&
2274 [ $(facet_active_host mgs) == $(facet_active_host ost1) ]; then
2275 skip "local mode not supported"
2279 trap nodemap_test_cleanup EXIT
2281 # Add the nodemaps and set their filesets
2282 for i in $(seq 1 $MDSCOUNT); do
2283 do_facet mgs $LCTL nodemap_del nm$i 2>/dev/null
2284 do_facet mgs $LCTL nodemap_add nm$i ||
2285 error "add nodemap nm$i failed"
2286 wait_nm_sync nm$i "" "" "-N"
2288 if ! combined_mgs_mds; then
2290 $LCTL set_param nodemap.nm$i.fileset=/dir$i ||
2291 error "set nm$i.fileset=/dir$i failed on MGS"
2293 do_facet mgs $LCTL set_param -P nodemap.nm$i.fileset=/dir$i ||
2294 error "set nm$i.fileset=/dir$i failed on servers"
2295 wait_nm_sync nm$i fileset "nodemap.nm$i.fileset=/dir$i"
2298 # Check if all the filesets are correct
2299 for i in $(seq 1 $MDSCOUNT); do
2300 fileset=$(do_facet mds$i \
2301 $LCTL get_param -n nodemap.nm$i.fileset)
2302 [ "$fileset" = "/dir$i" ] ||
2303 error "nm$i.fileset $fileset != /dir$i on mds$i"
2304 do_facet mgs $LCTL set_param -P -d nodemap.nm$i.fileset ||
2305 error "unable to remove fileset rule for nm$i nodemap"
2306 do_facet mgs $LCTL nodemap_del nm$i ||
2307 error "delete nodemap nm$i failed"
2310 nodemap_test_cleanup
2312 run_test 27b "The new nodemap won't clear the old nodemap's fileset"
2315 if ! $SHARED_KEY; then
2316 skip "need shared key feature for this test" && return
2318 mkdir -p $DIR/$tdir || error "mkdir failed"
2319 touch $DIR/$tdir/$tdir.out || error "touch failed"
2320 if [ ! -f $DIR/$tdir/$tdir.out ]; then
2321 error "read before rotation failed"
2323 # check srpc_contexts is valid YAML
2324 $LCTL get_param -n *.*.srpc_contexts 2>/dev/null | verify_yaml ||
2325 error "srpc_contexts is not valid YAML"
2326 # store top key identity to ensure rotation has occurred
2327 SK_IDENTITY_OLD=$($LCTL get_param -n *.*.srpc_contexts 2>/dev/null |
2328 head -n 1 | awk 'BEGIN{RS=", "} $1=="expire:"{print $2}')
2329 do_facet $SINGLEMDS lfs flushctx ||
2330 error "could not run flushctx on $SINGLEMDS"
2332 lfs flushctx || error "could not run flushctx on client"
2334 # verify new key is in place
2335 SK_IDENTITY_NEW=$($LCTL get_param -n *.*.srpc_contexts 2>/dev/null |
2336 head -n 1 | awk 'BEGIN{RS=", "} $1=="expire:"{print $2}')
2337 if [ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]; then
2338 error "key did not rotate correctly"
2340 if [ ! -f $DIR/$tdir/$tdir.out ]; then
2341 error "read after rotation failed"
2344 run_test 28 "check shared key rotation method"
2347 if ! $SHARED_KEY; then
2348 skip "need shared key feature for this test" && return
2350 if [ $SK_FLAVOR != "ski" ] && [ $SK_FLAVOR != "skpi" ]; then
2351 skip "test only valid if integrity is active"
2354 mkdir $DIR/$tdir || error "mkdir"
2355 touch $DIR/$tdir/$tfile || error "touch"
2356 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2357 error "unable to umount clients"
2358 do_node ${clients_arr[0]} "keyctl show |
2359 awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
2360 OLD_SK_PATH=$SK_PATH
2361 export SK_PATH=/dev/null
2362 if zconf_mount_clients ${clients_arr[0]} $MOUNT; then
2363 export SK_PATH=$OLD_SK_PATH
2364 do_node ${clients_arr[0]} "ls $DIR/$tdir/$tfile"
2365 if [ $? -eq 0 ]; then
2366 error "able to mount and read without key"
2368 error "able to mount without key"
2371 export SK_PATH=$OLD_SK_PATH
2372 do_node ${clients_arr[0]} "keyctl show |
2373 awk '/lustre/ { print \\\$1 }' |
2374 xargs -IX keyctl unlink X"
2376 zconf_mount_clients ${clients_arr[0]} $MOUNT ||
2377 error "unable to mount clients"
2379 run_test 29 "check for missing shared key"
2382 if ! $SHARED_KEY; then
2383 skip "need shared key feature for this test" && return
2385 if [ $SK_FLAVOR != "ski" ] && [ $SK_FLAVOR != "skpi" ]; then
2386 skip "test only valid if integrity is active"
2388 mkdir -p $DIR/$tdir || error "mkdir failed"
2389 touch $DIR/$tdir/$tdir.out || error "touch failed"
2390 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2391 error "unable to umount clients"
2392 # unload keys from ring
2393 do_node ${clients_arr[0]} "keyctl show |
2394 awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
2395 # generate key with bogus filesystem name
2396 do_node ${clients_arr[0]} "$LGSS_SK -w $SK_PATH/$FSNAME-bogus.key \
2397 -f $FSNAME.bogus -t client -d /dev/urandom" ||
2398 error "lgss_sk failed (1)"
2399 do_facet $SINGLEMDS lfs flushctx || error "could not run flushctx"
2400 OLD_SK_PATH=$SK_PATH
2401 export SK_PATH=$SK_PATH/$FSNAME-bogus.key
2402 if zconf_mount_clients ${clients_arr[0]} $MOUNT; then
2403 SK_PATH=$OLD_SK_PATH
2404 do_node ${clients_arr[0]} "ls $DIR/$tdir/$tdir.out"
2405 if [ $? -eq 0 ]; then
2406 error "mount and read file with invalid key"
2408 error "mount with invalid key"
2411 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2412 error "unable to umount clients"
2413 # unload keys from ring
2414 do_node ${clients_arr[0]} "keyctl show |
2415 awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
2417 SK_PATH=$OLD_SK_PATH
2418 zconf_mount_clients ${clients_arr[0]} $MOUNT ||
2419 error "unable to mount clients"
2421 run_test 30 "check for invalid shared key"
2426 mkdir -p $DIR/$tdir/dir0 || error "mkdir $flvr"
2427 touch $DIR/$tdir/dir0/f0 || error "touch $flvr"
2428 ls $DIR/$tdir/dir0 || error "ls $flvr"
2429 dd if=/dev/zero of=$DIR/$tdir/dir0/f0 conv=fsync bs=1M count=10 \
2430 >& /dev/null || error "dd $flvr"
2431 rm -f $DIR/$tdir/dir0/f0 || error "rm $flvr"
2432 rmdir $DIR/$tdir/dir0 || error "rmdir $flvr"
2435 echo 3 > /proc/sys/vm/drop_caches
2439 # restore clients' idle_timeout
2440 for c in ${clients//,/ }; do
2441 param=IDLETIME_$(echo $c | cut -d'.' -f1 | sed s+-+_+g)
2442 do_node $c "lctl set_param osc.*.idle_timeout=${!param}"
2447 local save_flvr=$SK_FLAVOR
2449 if ! $SHARED_KEY; then
2450 skip "need shared key feature for this test"
2453 # save clients' idle_timeout, and set all to 0 for this test,
2454 # as we do not want connections to go idle
2455 for c in ${clients//,/ }; do
2456 param=IDLETIME_$(echo $c | cut -d'.' -f1 | sed s+-+_+g)
2457 idle=$(do_node $c lctl get_param -n osc.*.idle_timeout |
2459 eval export $param=\$idle
2460 do_node $c lctl set_param osc.*.idle_timeout=0
2463 stack_trap cleanup_30b EXIT
2464 stack_trap restore_to_default_flavor EXIT
2466 lfs mkdir -i 0 -c 1 $DIR/$tdir || error "mkdir $DIR/$tdir failed"
2467 lfs setstripe -c -1 $DIR/$tdir/fileA ||
2468 error "setstripe $DIR/$tdir/fileA failed"
2469 echo 30b > $DIR/$tdir/fileA ||
2470 error "wrtie to $DIR/$tdir/fileA failed"
2472 for flvr in skn ska ski skpi; do
2475 restore_to_default_flavor || error "cannot set $flvr flavor"
2476 SK_FLAVOR=$save_flvr
2481 run_test 30b "basic test of all different SSK flavors"
2484 local failover_mds1=$1
2487 zconf_umount $HOSTNAME $MOUNT || error "unable to umount client"
2489 # necessary to do writeconf in order to de-register
2490 # @${NETTYPE}999 nid for targets
2492 export KEEP_ZPOOL="true"
2494 LOAD_MODULES_REMOTE=true unload_modules
2495 LOAD_MODULES_REMOTE=true load_modules
2497 do_facet mds1 $TUNEFS --erase-param failover.node $(mdsdevname 1)
2498 if [ -n "$failover_mds1" ]; then
2499 do_facet mds1 $TUNEFS \
2500 --servicenode=$failover_mds1 $(mdsdevname 1)
2502 # If no service node previously existed, setting one in test_31
2503 # added the no_primnode flag to the target. To remove everything
2504 # and clear the flag, add a meaningless failnode and remove it.
2505 do_facet mds1 $TUNEFS \
2506 --failnode=$(do_facet mds1 $LCTL list_nids | head -1) \
2508 do_facet mds1 $TUNEFS \
2509 --erase-param failover.node $(mdsdevname 1)
2512 export SK_MOUNTED=false
2515 export KEEP_ZPOOL="$KZPOOL"
2519 local nid=$(lctl list_nids | grep ${NETTYPE} | head -n1)
2520 local addr=${nid%@*}
2522 local net2=${NETTYPE}999
2523 local mdsnid=$(do_facet mds1 $LCTL list_nids | head -1)
2524 local addr1=${mdsnid%@*}
2525 local addr2 failover_mds1
2527 export LNETCTL=$(which lnetctl 2> /dev/null)
2529 [ -z "$LNETCTL" ] && skip "without lnetctl support." && return
2530 local_mode && skip "in local mode."
2532 if $SHARED_KEY; then
2533 skip "Conflicting test with SSK"
2536 if [[ $addr1 =~ ^([0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}$ ]]; then
2537 local tmp=$(printf "%x" $(((0x${addr1##*:} + 11) % 65536)))
2539 addr2=${addr1%:*}:${tmp}
2540 elif [[ $addr1 =~ ^([0-9]{1,3}\.){3,3}[0-9]{1,3}$ ]]; then
2541 addr2=${addr1%.*}.$(((${addr1##*.} + 11) % 256))
2542 elif [[ $addr1 =~ ^[0-9]+$ ]]; then
2543 addr2=$((addr1 + 11))
2546 # build list of interface on nodes
2547 for node in $(all_nodes); do
2548 infname=inf_$(echo $node | cut -d'.' -f1 | sed s+-+_+g)
2549 itf=$(do_node $node $LNETCTL net show --net $net |
2551 {if (inf==1) { print $2; exit; } fi} /interfaces/{inf=1}')
2556 local mgsnid_orig=$MGSNID
2557 # compute new MGSNID
2558 local mgsnid_new=${MGSNID%@*}@$net2
2560 # save mds failover nids for restore at cleanup
2561 failover_mds1=$(do_facet mds1 $TUNEFS --dryrun $(mdsdevname 1))
2562 if [ -n "$failover_mds1" ]; then
2563 failover_mds1=${failover_mds1##*Parameters:}
2564 failover_mds1=${failover_mds1%%exiting*}
2565 failover_mds1=$(echo $failover_mds1 | tr ' ' '\n' |
2566 grep failover.node | cut -d'=' -f2-)
2568 stack_trap "cleanup_31 $failover_mds1" EXIT
2571 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
2572 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
2574 if $(grep -q $MOUNT' ' /proc/mounts); then
2575 umount_client $MOUNT || error "umount $MOUNT failed"
2578 # check exports on servers are empty for client
2579 do_facet mgs "lctl get_param *.MGS*.exports.*.export"
2580 do_facet mgs "lctl get_param -n *.MGS*.exports.'$nid'.uuid 2>/dev/null |
2581 grep -q -" && error "export on MGS should be empty"
2582 do_nodes $(comma_list $(mdts_nodes) $(osts_nodes)) \
2583 "lctl get_param -n *.${FSNAME}*.exports.'$nid'.uuid \
2584 2>/dev/null | grep -q -" &&
2585 error "export on servers should be empty"
2588 export KEEP_ZPOOL="true"
2589 stopall || error "stopall failed"
2590 LOAD_MODULES_REMOTE=true unload_modules ||
2591 error "Failed to unload modules"
2593 # add network $net2 on all nodes
2594 do_rpc_nodes $(comma_list $(all_nodes)) load_modules ||
2595 error "unable to load modules on $(all_nodes)"
2596 for node in $(all_nodes); do
2597 do_node $node "$LNETCTL lnet configure" ||
2598 error "unable to configure lnet on node $node"
2599 infname=inf_$(echo $node | cut -d'.' -f1 | sed s+-+_+g)
2600 do_node $node "$LNETCTL net add --if ${!infname} --net $net2" ||
2601 error "unable to configure NID on $net2 for node $node"
2604 LOAD_MODULES_REMOTE=true load_modules || error "failed to load modules"
2606 # necessary to do writeconf in order to register
2607 # new @$net2 nid for targets
2608 export SK_MOUNTED=false
2609 writeconf_all || error "writeconf failed"
2611 nids="${addr1}@$net,${addr1}@$net2:${addr2}@$net,${addr2}@$net2"
2612 do_facet mds1 "$TUNEFS --servicenode="$nids" $(mdsdevname 1)" ||
2613 error "tunefs failed"
2615 setupall server_only || error "setupall failed"
2616 export KEEP_ZPOOL="$KZPOOL"
2620 stack_trap "MGSNID=$mgsnid_orig" EXIT
2622 # on client, reconfigure LNet and turn LNet Dynamic Discovery off
2623 $LUSTRE_RMMOD || error "$LUSTRE_RMMOD failed (1)"
2624 load_modules || error "Failed to load modules"
2625 $LNETCTL set discovery 0 || error "Failed to disable discovery"
2626 $LNETCTL lnet configure ||
2627 error "unable to configure lnet on client"
2628 infname=inf_$(echo $(hostname -s) | sed s+-+_+g)
2629 $LNETCTL net add --if ${!infname} --net $net2 ||
2630 error "unable to configure NID on $net2 on client (1)"
2632 # mount client with -o network=$net2 option
2633 mount_client $MOUNT ${MOUNT_OPTS},network=$net2 ||
2634 error "unable to remount client"
2636 # check export on MGS
2637 do_facet mgs "lctl get_param *.MGS*.exports.*.export"
2638 do_facet mgs "lctl get_param -n *.MGS*.exports.'$nid'.uuid 2>/dev/null |
2640 [ $? -ne 0 ] || error "export for $nid on MGS should not exist"
2643 "lctl get_param -n *.MGS*.exports.'${addr}@$net2'.uuid \
2644 2>/dev/null | grep -"
2646 error "export for ${addr}@$net2 on MGS should exist"
2648 # check {mdc,osc} imports
2649 lctl get_param mdc.${FSNAME}-*.import | grep current_connection |
2652 error "import for mdc should use ${addr1}@$net2"
2653 lctl get_param osc.${FSNAME}-*.import | grep current_connection |
2656 error "import for osc should use ${addr1}@$net2"
2658 # no NIDs on other networks should be listed
2659 lctl get_param mdc.${FSNAME}-*.import | grep failover_nids |
2660 grep -w ".*@$net" &&
2661 error "MDC import shouldn't have failnids at @$net"
2663 # failover NIDs on net999 should be listed
2664 lctl get_param mdc.${FSNAME}-*.import | grep failover_nids |
2665 grep ${addr2}@$net2 ||
2666 error "MDC import should have failnid ${addr2}@$net2"
2669 zconf_umount $HOSTNAME $MOUNT || error "unable to umount client"
2671 # on client, configure LNet and turn LNet Dynamic Discovery on (default)
2672 $LUSTRE_RMMOD || error "$LUSTRE_RMMOD failed (2)"
2673 load_modules || error "Failed to load modules"
2674 $LNETCTL lnet configure ||
2675 error "unable to configure lnet on client"
2676 infname=inf_$(echo $(hostname -s) | sed s+-+_+g)
2677 $LNETCTL net add --if ${!infname} --net $net2 ||
2678 error "unable to configure NID on $net2 on client (2)"
2680 # mount client with -o network=$net2 option:
2681 # should fail because of LNet Dynamic Discovery
2682 mount_client $MOUNT ${MOUNT_OPTS},network=$net2 &&
2683 error "client mount with '-o network' option should be refused"
2687 run_test 31 "client mount option '-o network'"
2691 zconf_umount_clients ${clients_arr[0]} $MOUNT
2693 # disable sk flavor enforcement on MGS
2694 set_rule _mgs any any null
2696 # stop gss daemon on MGS
2697 send_sigint $mgs_HOST lsvcgssd
2699 # re-start gss daemon on MDS if necessary
2700 if combined_mgs_mds ; then
2701 start_gss_daemons $mds_HOST $LSVCGSSD "-vvv -s -m -o -z"
2704 # restore MGS NIDs in key on MGS
2705 do_nodes $mgs_HOST "$LGSS_SK -g $MGSNID -m \
2706 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2707 error "could not modify keyfile on MGS (3)"
2709 # load modified key file on MGS
2710 do_nodes $mgs_HOST "$LGSS_SK -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2711 error "could not load keyfile on MGS (3)"
2713 # restore MGS NIDs in key on client
2714 do_nodes ${clients_arr[0]} "$LGSS_SK -g $MGSNID -m \
2715 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2716 error "could not modify keyfile on client (3)"
2719 MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
2722 restore_to_default_flavor
2726 local mgsnid2=$(host_nids_address $ost1_HOST $NETTYPE)@${MGSNID#*@}
2727 local mgsorig=$MGSNID
2729 if ! $SHARED_KEY; then
2730 skip "need shared key feature for this test"
2733 stack_trap cleanup_32 EXIT
2735 # restore to default null flavor
2736 save_flvr=$SK_FLAVOR
2738 restore_to_default_flavor || error "cannot set null flavor"
2739 SK_FLAVOR=$save_flvr
2742 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
2743 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
2745 if $(grep -q $MOUNT' ' /proc/mounts); then
2746 umount_client $MOUNT || error "umount $MOUNT failed"
2749 # kill daemon on MGS to start afresh
2750 send_sigint $mgs_HOST lsvcgssd
2752 # start gss daemon on MGS
2753 if combined_mgs_mds ; then
2754 start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g -m -o -z"
2756 start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g"
2759 # add mgs key type and MGS NIDs in key on MGS
2760 do_nodes $mgs_HOST "$LGSS_SK -t mgs,server -g $MGSNID -m \
2761 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2762 error "could not modify keyfile on MGS (1)"
2764 # load modified key file on MGS
2765 do_nodes $mgs_HOST "$LGSS_SK -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2766 error "could not load keyfile on MGS (1)"
2768 # add MGS NIDs in key on client
2769 do_nodes ${clients_arr[0]} "$LGSS_SK -g $MGSNID -m \
2770 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2771 error "could not modify keyfile on client (1)"
2773 # set perms for per-nodemap keys else permission denied
2774 do_nodes $(comma_list $(all_nodes)) \
2775 "keyctl show | grep lustre | cut -c1-11 |
2777 xargs -IX keyctl setperm X 0x3f3f3f3f"
2779 # re-mount client with mgssec=skn
2780 save_opts=$MOUNT_OPTS
2781 stack_trap "MOUNT_OPTS=$save_opts" EXIT
2782 if [ -z "$MOUNT_OPTS" ]; then
2783 MOUNT_OPTS="-o mgssec=skn"
2785 MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
2787 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2788 error "mount ${clients_arr[0]} with mgssec=skn failed"
2789 MOUNT_OPTS=$save_opts
2792 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2793 error "umount ${clients_arr[0]} failed"
2795 # enforce ska flavor on MGS
2796 set_rule _mgs any any ska
2798 # re-mount client without mgssec
2799 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS &&
2800 error "mount ${clients_arr[0]} without mgssec should fail"
2802 # re-mount client with mgssec=skn
2803 save_opts=$MOUNT_OPTS
2804 if [ -z "$MOUNT_OPTS" ]; then
2805 MOUNT_OPTS="-o mgssec=skn"
2807 MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
2809 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS &&
2810 error "mount ${clients_arr[0]} with mgssec=skn should fail"
2811 MOUNT_OPTS=$save_opts
2813 # re-mount client with mgssec=ska
2814 save_opts=$MOUNT_OPTS
2815 if [ -z "$MOUNT_OPTS" ]; then
2816 MOUNT_OPTS="-o mgssec=ska"
2818 MOUNT_OPTS="$MOUNT_OPTS,mgssec=ska"
2820 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2821 error "mount ${clients_arr[0]} with mgssec=ska failed"
2823 MGSNID=$mgsnid2:$mgsorig
2824 stack_trap "MGSNID=$mgsorig" EXIT
2827 zconf_umount_clients ${clients_arr[0]} $MOUNT ||
2828 error "umount ${clients_arr[0]} failed"
2830 # add MGS NIDs in key on MGS
2831 do_nodes $mgs_HOST "$LGSS_SK -g ${MGSNID//:/,} -m \
2832 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2833 error "could not modify keyfile on MGS (2)"
2835 # load modified key file on MGS
2836 do_nodes $mgs_HOST "$LGSS_SK -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2837 error "could not load keyfile on MGS (2)"
2839 # add MGS NIDs in key on client
2840 do_nodes ${clients_arr[0]} "$LGSS_SK -g ${MGSNID//:/,} -m \
2841 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2842 error "could not modify keyfile on client (2)"
2844 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2845 error "mount ${clients_arr[0]} with alternate mgsnid failed"
2847 run_test 32 "check for mgssec"
2850 # disable sk flavor enforcement
2851 set_rule $FSNAME any cli2mdt null
2852 wait_flavor cli2mdt null
2855 zconf_umount_clients ${clients_arr[0]} $MOUNT
2857 # stop gss daemon on MGS
2858 send_sigint $mgs_HOST lsvcgssd
2860 # re-start gss daemon on MDS if necessary
2861 if combined_mgs_mds ; then
2862 start_gss_daemons $mds_HOST $LSVCGSSD "-vvv -s -m -o -z"
2866 MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
2869 restore_to_default_flavor
2873 if ! $SHARED_KEY; then
2874 skip "need shared key feature for this test"
2877 stack_trap cleanup_33 EXIT
2879 # restore to default null flavor
2880 save_flvr=$SK_FLAVOR
2882 restore_to_default_flavor || error "cannot set null flavor"
2883 SK_FLAVOR=$save_flvr
2886 if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
2887 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
2889 if $(grep -q $MOUNT' ' /proc/mounts); then
2890 umount_client $MOUNT || error "umount $MOUNT failed"
2893 # kill daemon on MGS to start afresh
2894 send_sigint $mgs_HOST lsvcgssd
2896 # start gss daemon on MGS
2897 if combined_mgs_mds ; then
2898 start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g -m -o -z"
2900 start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g"
2903 # add mgs key type and MGS NIDs in key on MGS
2904 do_nodes $mgs_HOST "$LGSS_SK -t mgs,server -g $MGSNID -m \
2905 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2906 error "could not modify keyfile on MGS"
2908 # load modified key file on MGS
2909 do_nodes $mgs_HOST "$LGSS_SK -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2910 error "could not load keyfile on MGS"
2912 # add MGS NIDs in key on client
2913 do_nodes ${clients_arr[0]} "$LGSS_SK -g $MGSNID -m \
2914 $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
2915 error "could not modify keyfile on MGS"
2917 # set perms for per-nodemap keys else permission denied
2918 do_nodes $(comma_list $(all_nodes)) \
2919 "keyctl show | grep lustre | cut -c1-11 |
2921 xargs -IX keyctl setperm X 0x3f3f3f3f"
2923 # re-mount client with mgssec=skn
2924 save_opts=$MOUNT_OPTS
2925 if [ -z "$MOUNT_OPTS" ]; then
2926 MOUNT_OPTS="-o mgssec=skn"
2928 MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
2930 zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
2931 error "mount ${clients_arr[0]} with mgssec=skn failed"
2932 MOUNT_OPTS=$save_opts
2934 # enforce ska flavor for cli2mdt
2935 set_rule $FSNAME any cli2mdt ska
2936 wait_flavor cli2mdt ska
2938 # check error message
2939 $LCTL dk | grep "faked source" &&
2940 error "MGS connection srpc flags incorrect"
2944 run_test 33 "correct srpc flags for MGS connection"
2947 # restore deny_unknown
2948 do_facet mgs $LCTL nodemap_modify --name default \
2949 --property deny_unknown --value $denydefault
2950 if [ $? -ne 0 ]; then
2951 error_noexit "cannot reset deny_unknown on default nodemap"
2955 wait_nm_sync default deny_unknown
2962 [ $MGS_VERSION -lt $(version_code 2.12.51) ] &&
2963 skip "deny_unknown on default nm not supported before 2.12.51"
2965 activedefault=$(do_facet mgs $LCTL get_param -n nodemap.active)
2967 if [[ "$activedefault" != "1" ]]; then
2968 do_facet mgs $LCTL nodemap_activate 1
2970 stack_trap cleanup_active EXIT
2973 denydefault=$(do_facet mgs $LCTL get_param -n \
2974 nodemap.default.deny_unknown)
2975 [ -z "$denydefault" ] &&
2976 error "cannot get deny_unknown on default nodemap"
2977 if [ "$denydefault" -eq 0 ]; then
2983 do_facet mgs $LCTL nodemap_modify --name default \
2984 --property deny_unknown --value $denynew ||
2985 error "cannot set deny_unknown on default nodemap"
2987 [ "$(do_facet mgs $LCTL get_param -n nodemap.default.deny_unknown)" \
2989 error "setting deny_unknown on default nodemap did not work"
2991 stack_trap cleanup_34_deny EXIT
2993 wait_nm_sync default deny_unknown
2995 run_test 34 "deny_unknown on default nodemap"
2998 (( $MDS1_VERSION >= $(version_code 2.13.50) )) ||
2999 skip "Need MDS >= 2.13.50"
3001 # activate changelogs
3002 changelog_register || error "changelog_register failed"
3003 local cl_user="${CL_USERS[$SINGLEMDS]%% *}"
3004 changelog_users $SINGLEMDS | grep -q $cl_user ||
3005 error "User $cl_user not found in changelog_users"
3006 changelog_chmask ALL
3009 mkdir $DIR/$tdir || error "failed to mkdir $tdir"
3010 touch $DIR/$tdir/$tfile || error "failed to touch $tfile"
3012 # access changelogs with root
3013 changelog_dump || error "failed to dump changelogs"
3014 changelog_clear 0 || error "failed to clear changelogs"
3016 # put clients in non-admin nodemap
3018 stack_trap nodemap_test_cleanup EXIT
3019 for i in $(seq 0 $((num_clients-1))); do
3020 do_facet mgs $LCTL nodemap_modify --name c${i} \
3021 --property admin --value 0
3023 for i in $(seq 0 $((num_clients-1))); do
3024 wait_nm_sync c${i} admin_nodemap
3027 # access with mapped root
3028 changelog_dump && error "dump changelogs should have failed"
3029 changelog_clear 0 && error "clear changelogs should have failed"
3033 run_test 35 "Check permissions when accessing changelogs"
3036 local mode='\x00\x00\x00\x00'
3037 local raw="$(printf ""\\\\x%02x"" {0..63})"
3041 [[ $(lscpu) =~ Byte\ Order.*Little ]] && size='\x40\x00\x00\x00' ||
3042 size='\x00\x00\x00\x40'
3043 key="${mode}${raw}${size}"
3044 echo -n -e "${key}" | keyctl padd logon fscrypt:4242424242424242 @s
3049 sync ; echo 3 > /proc/sys/vm/drop_caches
3056 $LCTL set_param -n ldlm.namespaces.*.lru_size=clear
3057 sync ; echo 3 > /proc/sys/vm/drop_caches
3058 dummy_key=$(keyctl show | awk '$7 ~ "^fscrypt:" {print $1}')
3059 if [ -n "$dummy_key" ]; then
3060 keyctl revoke $dummy_key
3065 remount_client_normally() {
3066 # remount client without dummy encryption key
3067 if is_mounted $MOUNT; then
3068 umount_client $MOUNT || error "umount $MOUNT failed"
3070 mount_client $MOUNT ${MOUNT_OPTS} ||
3071 error "remount failed"
3073 if is_mounted $MOUNT2; then
3074 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
3076 if [ "$MOUNT_2" ]; then
3077 mount_client $MOUNT2 ${MOUNT_OPTS} ||
3078 error "remount failed"
3085 remount_client_dummykey() {
3088 # remount client with dummy encryption key
3089 if is_mounted $MOUNT; then
3090 umount_client $MOUNT || error "umount $MOUNT failed"
3092 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
3093 error "remount failed"
3098 setup_for_enc_tests() {
3099 # remount client with test_dummy_encryption option
3100 if is_mounted $MOUNT; then
3101 umount_client $MOUNT || error "umount $MOUNT failed"
3103 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
3104 error "mount with '-o test_dummy_encryption' failed"
3108 # this directory will be encrypted, because of dummy mode
3112 cleanup_for_enc_tests() {
3113 rm -rf $DIR/$tdir $*
3115 remount_client_normally
3118 cleanup_nodemap_after_enc_tests() {
3119 umount_client $MOUNT || true
3121 if (( MGS_VERSION >= $(version_code 2.13.55) )); then
3122 do_facet mgs $LCTL nodemap_modify --name default \
3123 --property forbid_encryption --value 0
3124 if (( MGS_VERSION >= $(version_code 2.15.51) )); then
3125 do_facet mgs $LCTL nodemap_modify --name default \
3126 --property readonly_mount --value 0
3129 do_facet mgs $LCTL nodemap_modify --name default \
3130 --property trusted --value 0
3131 do_facet mgs $LCTL nodemap_modify --name default \
3132 --property admin --value 0
3133 do_facet mgs $LCTL nodemap_activate 0
3135 if (( MGS_VERSION >= $(version_code 2.13.55) )); then
3136 wait_nm_sync default forbid_encryption '' inactive
3137 if (( MGS_VERSION >= $(version_code 2.15.51) )); then
3138 wait_nm_sync default readonly_mount '' inactive
3141 wait_nm_sync default trusted_nodemap '' inactive
3142 wait_nm_sync default admin_nodemap '' inactive
3145 mount_client $MOUNT ${MOUNT_OPTS} || error "re-mount failed"
3150 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3151 skip "client encryption not supported"
3153 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3154 skip "need dummy encryption support"
3156 stack_trap cleanup_for_enc_tests EXIT
3158 # first make sure it is possible to enable encryption
3159 # when nodemap is not active
3162 umount_client $MOUNT || error "umount $MOUNT failed (1)"
3164 # then activate nodemap, and retry
3165 # should succeed as encryption is not forbidden on default nodemap
3167 stack_trap cleanup_nodemap_after_enc_tests EXIT
3168 do_facet mgs $LCTL nodemap_activate 1
3170 forbid=$(do_facet mgs lctl get_param -n nodemap.default.forbid_encryption)
3171 [ $forbid -eq 0 ] || error "wrong default value for forbid_encryption"
3172 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption ||
3173 error "mount '-o test_dummy_encryption' failed with default"
3174 umount_client $MOUNT || error "umount $MOUNT failed (2)"
3176 # then forbid encryption, and retry
3177 do_facet mgs $LCTL nodemap_modify --name default \
3178 --property forbid_encryption --value 1
3179 wait_nm_sync default forbid_encryption
3180 mount_client $MOUNT ${MOUNT_OPTS},test_dummy_encryption &&
3181 error "mount '-o test_dummy_encryption' should have failed"
3184 run_test 36 "control if clients can use encryption"
3187 local testfile=$DIR/$tdir/$tfile
3188 local tmpfile=$TMP/abc
3189 local objdump=$TMP/objdump
3191 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3192 skip "client encryption not supported"
3194 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3195 skip "need dummy encryption support"
3197 [ "$ost1_FSTYPE" = ldiskfs ] || skip "ldiskfs only test (using debugfs)"
3199 stack_trap cleanup_for_enc_tests EXIT
3202 # write a few bytes in file
3203 echo "abc" > $tmpfile
3204 $LFS setstripe -c1 -i0 $testfile
3205 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync
3206 do_facet ost1 "sync; sync"
3208 # check that content on ost is encrypted
3209 local fid=($($LFS getstripe $testfile | grep 0x))
3210 local seq=${fid[3]#0x}
3214 if [ $seq == 0 ]; then
3217 oid_hex=${fid[2]#0x}
3219 do_facet ost1 "$DEBUGFS -c -R 'cat O/$seq/d$(($oid % 32))/$oid_hex' \
3220 $(ostdevname 1)" > $objdump
3221 cmp -s $objdump $tmpfile &&
3222 error "file $testfile is not encrypted on ost"
3224 # check that in-memory representation of file is correct
3225 cmp -bl ${tmpfile} ${testfile} ||
3226 error "file $testfile is corrupted in memory"
3228 cancel_lru_locks osc ; cancel_lru_locks mdc
3230 # check that file read from server is correct
3231 cmp -bl ${tmpfile} ${testfile} ||
3232 error "file $testfile is corrupted on server"
3234 rm -f $tmpfile $objdump
3236 run_test 37 "simple encrypted file"
3239 local testfile=$DIR/$tdir/$tfile
3240 local tmpfile=$TMP/abc
3244 local pagesz=$(getconf PAGE_SIZE)
3246 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3247 skip "client encryption not supported"
3249 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3250 skip "need dummy encryption support"
3252 stack_trap cleanup_for_enc_tests EXIT
3255 # get block size on ost
3256 blksz=$($LCTL get_param osc.$FSNAME*.import |
3257 awk '/grant_block_size:/ { print $2; exit; }')
3258 # write a few bytes in file at offset $blksz
3259 echo "abc" > $tmpfile
3260 $LFS setstripe -c1 -i0 $testfile
3261 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$blksz \
3262 oflag=seek_bytes conv=fsync
3264 blksz=$(($blksz > $pagesz ? $blksz : $pagesz))
3265 # check that in-memory representation of file is correct
3266 bsize=$(stat --format=%B $testfile)
3267 filesz=$(stat --format=%b $testfile)
3268 filesz=$((filesz*bsize))
3269 [ $filesz -le $blksz ] ||
3270 error "file $testfile is $filesz long in memory"
3272 cancel_lru_locks osc ; cancel_lru_locks mdc
3274 # check that file read from server is correct
3275 bsize=$(stat --format=%B $testfile)
3276 filesz=$(stat --format=%b $testfile)
3277 filesz=$((filesz*bsize))
3278 [ $filesz -le $blksz ] ||
3279 error "file $testfile is $filesz long on server"
3283 run_test 38 "encrypted file with hole"
3286 local testfile=$DIR/$tdir/$tfile
3287 local tmpfile=$TMP/abc
3289 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3290 skip "client encryption not supported"
3292 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3293 skip "need dummy encryption support"
3295 stack_trap cleanup_for_enc_tests EXIT
3298 # write a few bytes in file
3299 echo "abc" > $tmpfile
3300 $LFS setstripe -c1 -i0 $testfile
3301 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync
3303 # write a few more bytes in the same page
3304 dd if=$tmpfile of=$testfile bs=4 count=1 seek=1024 oflag=seek_bytes \
3307 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=1024 oflag=seek_bytes \
3310 # check that in-memory representation of file is correct
3311 cmp -bl $tmpfile $testfile ||
3312 error "file $testfile is corrupted in memory"
3314 cancel_lru_locks osc ; cancel_lru_locks mdc
3316 # check that file read from server is correct
3317 cmp -bl $tmpfile $testfile ||
3318 error "file $testfile is corrupted on server"
3322 run_test 39 "rewrite data in already encrypted page"
3325 local testfile=$DIR/$tdir/$tfile
3326 local tmpfile=$TMP/abc
3327 local tmpfile2=$TMP/abc2
3330 #define LUSTRE_ENCRYPTION_UNIT_SIZE (1 << 12)
3331 local UNIT_SIZE=$((1 << 12))
3334 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3335 skip "client encryption not supported"
3337 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3338 skip "need dummy encryption support"
3340 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
3342 stack_trap cleanup_for_enc_tests EXIT
3345 # write a few bytes in file
3346 echo "abc" > $tmpfile
3347 $LFS setstripe -c1 -i0 $testfile
3348 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync
3350 # check that in-memory representation of file is correct
3351 cmp -bl $tmpfile $testfile ||
3352 error "file $testfile is corrupted in memory (1)"
3354 cancel_lru_locks osc ; cancel_lru_locks mdc
3356 # check that file read from server is correct
3357 cmp -bl $tmpfile $testfile ||
3358 error "file $testfile is corrupted on server (1)"
3360 # write a few other bytes in same page
3361 dd if=$tmpfile of=$testfile bs=4 count=1 seek=256 oflag=seek_bytes \
3364 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=256 oflag=seek_bytes \
3367 # check that in-memory representation of file is correct
3368 cmp -bl $tmpfile $testfile ||
3369 error "file $testfile is corrupted in memory (2)"
3371 cancel_lru_locks osc ; cancel_lru_locks mdc
3373 # check that file read from server is correct
3374 cmp -bl $tmpfile $testfile ||
3375 error "file $testfile is corrupted on server (2)"
3377 rm -f $testfile $tmpfile
3378 cancel_lru_locks osc ; cancel_lru_locks mdc
3380 # write a few bytes in file, at end of first page
3381 echo "abc" > $tmpfile
3382 $LFS setstripe -c1 -i0 $testfile
3383 seek=$(getconf PAGESIZE)
3385 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3388 # write a few other bytes at beginning of first page
3389 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync,notrunc
3391 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3394 # check that in-memory representation of file is correct
3395 cmp -bl $tmpfile $testfile ||
3396 error "file $testfile is corrupted in memory (3)"
3398 cancel_lru_locks osc ; cancel_lru_locks mdc
3400 # check that file read from server is correct
3401 cmp -bl $tmpfile $testfile ||
3402 error "file $testfile is corrupted on server (3)"
3404 rm -f $testfile $tmpfile
3405 cancel_lru_locks osc ; cancel_lru_locks mdc
3407 # write a few bytes in file, at beginning of second page
3408 echo "abc" > $tmpfile
3409 $LFS setstripe -c1 -i0 $testfile
3410 seek=$(getconf PAGESIZE)
3411 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3413 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3416 # write a few other bytes at end of first page
3418 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3420 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3423 # check that in-memory representation of file is correct
3424 cmp -bl $tmpfile2 $testfile ||
3425 error "file $testfile is corrupted in memory (4)"
3427 cancel_lru_locks osc ; cancel_lru_locks mdc
3429 # check that file read from server is correct
3430 cmp -bl $tmpfile2 $testfile ||
3431 error "file $testfile is corrupted on server (4)"
3433 rm -f $testfile $tmpfile $tmpfile2
3434 cancel_lru_locks osc ; cancel_lru_locks mdc
3436 # write a few bytes in file, at beginning of first stripe
3437 echo "abc" > $tmpfile
3438 $LFS setstripe -S 256k -c2 $testfile
3439 dd if=$tmpfile of=$testfile bs=4 count=1 conv=fsync,notrunc
3441 # write a few other bytes, at beginning of second stripe
3442 dd if=$tmpfile of=$testfile bs=4 count=1 seek=262144 oflag=seek_bytes \
3444 dd if=$tmpfile of=$tmpfile bs=4 count=1 seek=262144 oflag=seek_bytes \
3447 # check that in-memory representation of file is correct
3448 cmp -bl $tmpfile $testfile ||
3449 error "file $testfile is corrupted in memory (5)"
3451 cancel_lru_locks osc ; cancel_lru_locks mdc
3453 # check that file read from server is correct
3454 cmp -bl $tmpfile $testfile ||
3455 error "file $testfile is corrupted on server (5)"
3457 filesz=$(stat --format=%s $testfile)
3458 filesz=$(((filesz+UNIT_SIZE-1)/UNIT_SIZE * UNIT_SIZE))
3460 # remount without dummy encryption key
3461 remount_client_normally
3463 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
3464 [ $(stat --format=%s $scrambledfile) -eq $filesz ] ||
3465 error "file size without key should be rounded up"
3469 run_test 40 "exercise size of encrypted file"
3472 local testfile=$DIR/$tdir/$tfile
3473 local tmpfile=$TMP/abc
3474 local tmpfile2=$TMP/abc2
3477 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3478 skip "client encryption not supported"
3480 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3481 skip "need dummy encryption support"
3483 stack_trap cleanup_for_enc_tests EXIT
3486 echo "abc" > $tmpfile
3487 seek=$(getconf PAGESIZE)
3488 seek=$((seek - 204))
3489 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3491 seek=$(getconf PAGESIZE)
3492 seek=$((seek + 1092))
3493 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3496 # write a few bytes in file
3497 $LFS setstripe -c1 -i0 -S 256k $testfile
3498 seek=$(getconf PAGESIZE)
3499 seek=$((seek - 204))
3500 #define OBD_FAIL_OST_WR_ATTR_DELAY 0x250
3501 do_facet ost1 "$LCTL set_param fail_loc=0x250 fail_val=15"
3502 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3506 # write a few other bytes, at a different offset
3507 seek=$(getconf PAGESIZE)
3508 seek=$((seek + 1092))
3509 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3510 conv=fsync,notrunc &
3512 do_facet ost1 "$LCTL set_param fail_loc=0x0"
3514 # check that in-memory representation of file is correct
3515 cmp -bl $tmpfile2 $testfile ||
3516 error "file $testfile is corrupted in memory (1)"
3518 cancel_lru_locks osc ; cancel_lru_locks mdc
3520 # check that file read from server is correct
3521 cmp -bl $tmpfile2 $testfile ||
3522 error "file $testfile is corrupted on server (1)"
3524 rm -f $tmpfile $tmpfile2
3526 run_test 41 "test race on encrypted file size (1)"
3529 local testfile=$DIR/$tdir/$tfile
3530 local testfile2=$DIR2/$tdir/$tfile
3531 local tmpfile=$TMP/abc
3532 local tmpfile2=$TMP/abc2
3533 local pagesz=$(getconf PAGESIZE)
3536 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3537 skip "client encryption not supported"
3539 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3540 skip "need dummy encryption support"
3542 stack_trap cleanup_for_enc_tests EXIT
3545 if is_mounted $MOUNT2; then
3546 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
3548 mount_client $MOUNT2 ${MOUNT_OPTS},test_dummy_encryption ||
3549 error "mount2 with '-o test_dummy_encryption' failed"
3551 # create file by writting one whole page
3552 $LFS setstripe -c1 -i0 -S 256k $testfile
3553 dd if=/dev/zero of=$testfile bs=$pagesz count=1 conv=fsync
3555 # read file from 2nd mount point
3556 cat $testfile2 > /dev/null
3558 echo "abc" > $tmpfile
3559 dd if=/dev/zero of=$tmpfile2 bs=$pagesz count=1 conv=fsync
3560 seek=$((2*pagesz - 204))
3561 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3563 seek=$((2*pagesz + 1092))
3564 dd if=$tmpfile of=$tmpfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3567 # write a few bytes in file from 1st mount point
3568 seek=$((2*pagesz - 204))
3569 #define OBD_FAIL_OST_WR_ATTR_DELAY 0x250
3570 do_facet ost1 "$LCTL set_param fail_loc=0x250 fail_val=15"
3571 dd if=$tmpfile of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3572 conv=fsync,notrunc &
3575 # write a few other bytes, at a different offset from 2nd mount point
3576 seek=$((2*pagesz + 1092))
3577 dd if=$tmpfile of=$testfile2 bs=4 count=1 seek=$seek oflag=seek_bytes \
3578 conv=fsync,notrunc &
3580 do_facet ost1 "$LCTL set_param fail_loc=0x0"
3582 # check that in-memory representation of file is correct
3583 cmp -bl $tmpfile2 $testfile ||
3584 error "file $testfile is corrupted in memory (1)"
3586 # check that in-memory representation of file is correct
3587 cmp -bl $tmpfile2 $testfile2 ||
3588 error "file $testfile is corrupted in memory (2)"
3590 cancel_lru_locks osc ; cancel_lru_locks mdc
3592 # check that file read from server is correct
3593 cmp -bl $tmpfile2 $testfile ||
3594 error "file $testfile is corrupted on server (1)"
3596 rm -f $tmpfile $tmpfile2
3598 run_test 42 "test race on encrypted file size (2)"
3601 local testfile=$DIR/$tdir/$tfile
3602 local testfile2=$DIR2/$tdir/$tfile
3603 local tmpfile=$TMP/abc
3604 local tmpfile2=$TMP/abc2
3605 local resfile=$TMP/res
3606 local pagesz=$(getconf PAGESIZE)
3609 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3610 skip "client encryption not supported"
3612 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3613 skip "need dummy encryption support"
3615 stack_trap cleanup_for_enc_tests EXIT
3618 if is_mounted $MOUNT2; then
3619 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
3621 mount_client $MOUNT2 ${MOUNT_OPTS},test_dummy_encryption ||
3622 error "mount2 with '-o test_dummy_encryption' failed"
3625 tr '\0' '1' < /dev/zero |
3626 dd of=$tmpfile bs=1 count=$pagesz conv=fsync
3627 $LFS setstripe -c1 -i0 -S 256k $testfile
3628 cp $tmpfile $testfile
3630 # read file from 2nd mount point
3631 cat $testfile2 > /dev/null
3633 # write a few bytes in file from 1st mount point
3634 echo "abc" > $tmpfile2
3635 seek=$((2*pagesz - 204))
3636 #define OBD_FAIL_OST_WR_ATTR_DELAY 0x250
3637 do_facet ost1 "$LCTL set_param fail_loc=0x250 fail_val=15"
3638 dd if=$tmpfile2 of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3639 conv=fsync,notrunc &
3642 # read file from 2nd mount point
3643 dd if=$testfile2 of=$resfile bs=$pagesz count=1 conv=fsync,notrunc
3644 cmp -bl $tmpfile $resfile ||
3645 error "file $testfile is corrupted in memory (1)"
3648 do_facet ost1 "$LCTL set_param fail_loc=0x0"
3650 # check that in-memory representation of file is correct
3651 dd if=$tmpfile2 of=$tmpfile bs=4 count=1 seek=$seek oflag=seek_bytes \
3653 cmp -bl $tmpfile $testfile2 ||
3654 error "file $testfile is corrupted in memory (2)"
3656 cancel_lru_locks osc ; cancel_lru_locks mdc
3658 # check that file read from server is correct
3659 cmp -bl $tmpfile $testfile ||
3660 error "file $testfile is corrupted on server (1)"
3662 rm -f $tmpfile $tmpfile2
3664 run_test 43 "test race on encrypted file size (3)"
3667 local testfile=$DIR/$tdir/$tfile
3668 local tmpfile=$TMP/abc
3669 local resfile=$TMP/resfile
3670 local pagesz=$(getconf PAGESIZE)
3673 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3674 skip "client encryption not supported"
3676 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3677 skip "need dummy encryption support"
3679 which vmtouch || skip "This test needs vmtouch utility"
3681 # Direct I/O is now supported on encrypted files.
3683 stack_trap cleanup_for_enc_tests EXIT
3686 $LFS setstripe -c1 -i0 $testfile
3687 dd if=/dev/urandom of=$tmpfile bs=$pagesz count=2 conv=fsync
3688 dd if=$tmpfile of=$testfile bs=$pagesz count=2 oflag=direct ||
3689 error "could not write to file with O_DIRECT (1)"
3691 respage=$(vmtouch $testfile | awk '/Resident Pages:/ {print $3}')
3692 [ "$respage" == "0/2" ] ||
3693 error "write to enc file fell back to buffered IO"
3697 dd if=$testfile of=$resfile bs=$pagesz count=2 iflag=direct ||
3698 error "could not read from file with O_DIRECT (1)"
3700 respage=$(vmtouch $testfile | awk '/Resident Pages:/ {print $3}')
3701 [ "$respage" == "0/2" ] ||
3702 error "read from enc file fell back to buffered IO"
3704 cmp -bl $tmpfile $resfile ||
3705 error "file $testfile is corrupted (1)"
3709 $TRUNCATE $tmpfile $pagesz
3710 dd if=$tmpfile of=$testfile bs=$pagesz count=1 seek=13 oflag=direct ||
3711 error "could not write to file with O_DIRECT (2)"
3715 dd if=$testfile of=$resfile bs=$pagesz count=1 skip=13 iflag=direct ||
3716 error "could not read from file with O_DIRECT (2)"
3717 cmp -bl $tmpfile $resfile ||
3718 error "file $testfile is corrupted (2)"
3720 rm -f $testfile $resfile
3721 $LFS setstripe -c1 -i0 $testfile
3723 $TRUNCATE $tmpfile $((pagesz/2 - 5))
3724 cp $tmpfile $testfile
3728 dd if=$testfile of=$resfile bs=$pagesz count=1 iflag=direct ||
3729 error "could not read from file with O_DIRECT (3)"
3730 cmp -bl $tmpfile $resfile ||
3731 error "file $testfile is corrupted (3)"
3733 rm -f $tmpfile $resfile $testfile
3735 if [ $OSTCOUNT -ge 2 ]; then
3736 dd if=/dev/urandom of=$tmpfile bs=$pagesz count=1 conv=fsync
3737 $LFS setstripe -S 256k -c2 $testfile
3739 # write in file, at beginning of first stripe, buffered IO
3740 dd if=$tmpfile of=$testfile bs=$pagesz count=1 \
3743 # write at beginning of second stripe, direct IO
3744 dd if=$tmpfile of=$testfile bs=$pagesz count=1 seek=256k \
3745 oflag=seek_bytes,direct conv=fsync,notrunc
3749 # read at beginning of first stripe, direct IO
3750 dd if=$testfile of=$resfile bs=$pagesz count=1 \
3751 iflag=direct conv=fsync
3753 cmp -bl $tmpfile $resfile ||
3754 error "file $testfile is corrupted (4)"
3756 # read at beginning of second stripe, buffered IO
3757 dd if=$testfile of=$resfile bs=$pagesz count=1 skip=256k \
3758 iflag=skip_bytes conv=fsync
3760 cmp -bl $tmpfile $resfile ||
3761 error "file $testfile is corrupted (5)"
3763 rm -f $tmpfile $resfile
3766 run_test 44 "encrypted file access semantics: direct IO"
3769 local testfile=$DIR/$tdir/$tfile
3770 local tmpfile=$TMP/junk
3772 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3773 skip "client encryption not supported"
3775 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3776 skip "need dummy encryption support"
3778 stack_trap cleanup_for_enc_tests EXIT
3781 $LFS setstripe -c1 -i0 $testfile
3782 dd if=/dev/zero of=$testfile bs=512K count=1
3783 $MULTIOP $testfile OSMRUc || error "$MULTIOP $testfile failed (1)"
3784 $MULTIOP $testfile OSMWUc || error "$MULTIOP $testfile failed (2)"
3786 dd if=/dev/zero of=$tmpfile bs=512K count=1
3787 $MULTIOP $tmpfile OSMWUc || error "$MULTIOP $tmpfile failed"
3788 $MMAP_CAT $tmpfile > ${tmpfile}2
3792 $MULTIOP $testfile OSMRUc
3793 $MMAP_CAT $testfile > ${testfile}2
3794 cmp -bl ${tmpfile}2 ${testfile}2 ||
3795 error "file $testfile is corrupted"
3797 rm -f $tmpfile ${tmpfile}2
3799 run_test 45 "encrypted file access semantics: MMAP"
3802 local testdir=$DIR/$tdir/mydir
3803 local testfile=$testdir/myfile
3804 local testdir2=$DIR/$tdir/mydirwithaveryverylongnametotestcodebehaviour0
3805 local testfile2=$testdir/myfilewithaveryverylongnametotestcodebehaviour0
3806 # testdir3, testfile3, testhl3 and testsl3 names are 255 bytes long
3807 local testdir3=$testdir2/dir_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz012345678
3808 local testfile3=$testdir2/file_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz01234567
3809 local testhl3=$testdir2/hl_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789
3810 local testsl3=$testdir2/sl_abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789
3811 local lsfile=$TMP/lsfile
3816 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3817 skip "client encryption not supported"
3819 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3820 skip "need dummy encryption support"
3822 stack_trap cleanup_for_enc_tests EXIT
3825 touch $DIR/$tdir/$tfile
3827 echo test > $testfile
3828 echo othertest > $testfile2
3829 if [[ $MDSCOUNT -gt 1 ]]; then
3830 $LFS setdirstripe -c1 -i1 $testdir2
3834 inum=$(stat -c %i $testdir2)
3835 if [ "$mds1_FSTYPE" = ldiskfs ]; then
3836 # For now, restrict this part of the test to ldiskfs backend,
3837 # as osd-zfs does not support 255 byte-long encrypted names.
3838 mkdir $testdir3 || error "cannot mkdir $testdir3"
3839 touch $testfile3 || error "cannot touch $testfile3"
3840 ln $testfile3 $testhl3 || error "cannot ln $testhl3"
3841 ln -s $testfile3 $testsl3 || error "cannot ln $testsl3"
3843 sync ; echo 3 > /proc/sys/vm/drop_caches
3845 # remount without dummy encryption key
3846 remount_client_normally
3849 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -inum $inum)
3850 stat $scrambleddir || error "stat $scrambleddir failed"
3851 if [ "$mds1_FSTYPE" = ldiskfs ]; then
3852 stat $scrambleddir/* || error "cannot stat in $scrambleddir"
3853 rm -rf $scrambleddir/* || error "cannot clean in $scrambleddir"
3855 rmdir $scrambleddir || error "rmdir $scrambleddir failed"
3857 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
3858 ls -1 $scrambleddir > $lsfile || error "ls $testdir failed (1)"
3860 scrambledfile=$scrambleddir/$(head -n 1 $lsfile)
3861 stat $scrambledfile || error "stat $scrambledfile failed (1)"
3864 cat $scrambledfile && error "cat $scrambledfile should have failed (1)"
3865 rm -f $scrambledfile || error "rm $scrambledfile failed (1)"
3867 ls -1 $scrambleddir > $lsfile || error "ls $testdir failed (2)"
3868 scrambledfile=$scrambleddir/$(head -n 1 $lsfile)
3869 stat $scrambledfile || error "stat $scrambledfile failed (2)"
3871 cat $scrambledfile && error "cat $scrambledfile should have failed (2)"
3873 touch $scrambleddir/otherfile &&
3874 error "touch otherfile should have failed"
3875 ls $scrambleddir/otherfile && error "otherfile should not exist"
3876 mkdir $scrambleddir/otherdir &&
3877 error "mkdir otherdir should have failed"
3878 ls -d $scrambleddir/otherdir && error "otherdir should not exist"
3881 rm -f $scrambledfile || error "rm $scrambledfile failed (2)"
3882 rmdir $scrambleddir || error "rmdir $scrambleddir failed"
3885 run_test 46 "encrypted file access semantics without key"
3888 local testfile=$DIR/$tdir/$tfile
3889 local testfile2=$DIR/$tdir/${tfile}.2
3890 local tmpfile=$DIR/junk
3895 $LCTL get_param mdc.*.import | grep -q client_encryption ||
3896 skip "client encryption not supported"
3898 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
3899 skip "need dummy encryption support"
3901 $LCTL get_param mdc.*.connect_flags | grep -q name_encryption ||
3904 stack_trap cleanup_for_enc_tests EXIT
3907 dd if=/dev/urandom of=$tmpfile bs=512K count=1
3908 mrename $tmpfile $testfile &&
3909 error "rename from unencrypted to encrypted dir should fail"
3911 ln $tmpfile $testfile &&
3912 error "link from encrypted to unencrypted dir should fail"
3914 cp $tmpfile $testfile ||
3915 error "cp from unencrypted to encrypted dir should succeed"
3918 mrename $testfile $testfile2 ||
3919 error "rename from within encrypted dir should succeed"
3921 ln $testfile2 $testfile ||
3922 error "link from within encrypted dir should succeed"
3923 cmp -bl $testfile2 $testfile ||
3924 error "cannot read from hard link (1.1)"
3925 echo a >> $testfile || error "cannot write to hard link (1)"
3927 cmp -bl $testfile2 $testfile ||
3928 error "cannot read from hard link (1.2)"
3931 ln $testfile2 $tmpfile ||
3932 error "link from unencrypted to encrypted dir should succeed"
3934 cmp -bl $testfile2 $tmpfile ||
3935 error "cannot read from hard link (2.1)"
3936 echo a >> $tmpfile || error "cannot write to hard link (2)"
3938 cmp -bl $testfile2 $tmpfile ||
3939 error "cannot read from hard link (2.2)"
3942 if [ $name_enc -eq 1 ]; then
3943 # check we are limited in the number of hard links
3944 # we can create for encrypted files, to what can fit into LinkEA
3945 for i in $(seq 1 160); do
3946 ln $testfile2 ${testfile}_$i || break
3948 [ $i -lt 160 ] || error "hard link $i should fail"
3952 mrename $testfile2 $tmpfile &&
3953 error "rename from encrypted to unencrypted dir should fail"
3955 dd if=/dev/urandom of=$tmpfile bs=512K count=1
3957 dd if=/dev/urandom of=$testfile bs=512K count=1
3958 mkdir $DIR/$tdir/mydir
3960 ln -s $testfile ${testfile}.sym ||
3961 error "symlink from within encrypted dir should succeed"
3963 cmp -bl $testfile ${testfile}.sym ||
3964 error "cannot read from sym link (1.1)"
3965 echo a >> ${testfile}.sym || error "cannot write to sym link (1)"
3967 cmp -bl $testfile ${testfile}.sym ||
3968 error "cannot read from sym link (1.2)"
3969 [ $(stat -c %s ${testfile}.sym) -eq ${#testfile} ] ||
3970 error "wrong symlink size (1)"
3972 ln -s $tmpfile ${testfile}.sl ||
3973 error "symlink from encrypted to unencrypted dir should succeed"
3975 cmp -bl $tmpfile ${testfile}.sl ||
3976 error "cannot read from sym link (2.1)"
3977 echo a >> ${testfile}.sl || error "cannot write to sym link (2)"
3979 cmp -bl $tmpfile ${testfile}.sl ||
3980 error "cannot read from sym link (2.2)"
3981 [ $(stat -c %s ${testfile}.sl) -eq ${#tmpfile} ] ||
3982 error "wrong symlink size (2)"
3983 rm -f ${testfile}.sl
3985 sync ; echo 3 > /proc/sys/vm/drop_caches
3987 # remount without dummy encryption key
3988 remount_client_normally
3990 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
3991 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -type f)
3992 scrambledlink=$(find $DIR/$tdir/ -maxdepth 1 -type l)
3993 ln $scrambledfile $scrambleddir/linkfile &&
3994 error "ln linkfile should have failed"
3995 mrename $scrambledfile $DIR/onefile2 &&
3996 error "mrename from $scrambledfile should have failed"
3998 mrename $DIR/onefile $scrambleddir/otherfile &&
3999 error "mrename to $scrambleddir should have failed"
4000 readlink $scrambledlink ||
4001 error "link should be read without key"
4002 [ $(stat -c %s $scrambledlink) -eq \
4003 $(expr length "$(readlink $scrambledlink)") ] ||
4004 error "wrong symlink size without key"
4005 if [ $name_enc -eq 1 ]; then
4006 readlink -e $scrambledlink &&
4007 error "link should not point to anywhere useful"
4009 ln -s $scrambledfile ${scrambledfile}.sym &&
4010 error "symlink without key should fail (1)"
4011 ln -s $tmpfile ${scrambledfile}.sl &&
4012 error "symlink without key should fail (2)"
4014 rm -f $tmpfile $DIR/onefile
4016 run_test 47 "encrypted file access semantics: rename/link"
4019 local save="$TMP/$TESTSUITE-$TESTNAME.parameters"
4020 local testfile=$DIR/$tdir/$tfile
4021 local tmpfile=$TMP/111
4022 local tmpfile2=$TMP/abc
4023 local pagesz=$(getconf PAGESIZE)
4028 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4029 skip "client encryption not supported"
4031 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4032 skip "need dummy encryption support"
4034 stack_trap cleanup_for_enc_tests EXIT
4037 # create file, 4 x PAGE_SIZE long
4038 tr '\0' '1' < /dev/zero |
4039 dd of=$tmpfile bs=1 count=4x$pagesz conv=fsync
4040 $LFS setstripe -c1 -i0 $testfile
4041 cp $tmpfile $testfile
4042 echo "abc" > $tmpfile2
4044 # decrease size: truncate to PAGE_SIZE
4045 $TRUNCATE $tmpfile $pagesz
4046 $TRUNCATE $testfile $pagesz
4047 cancel_lru_locks osc ; cancel_lru_locks mdc
4048 cmp -bl $tmpfile $testfile ||
4049 error "file $testfile is corrupted (1)"
4051 # increase size: truncate to 2 x PAGE_SIZE
4053 $TRUNCATE $tmpfile $sz
4054 $TRUNCATE $testfile $sz
4055 cancel_lru_locks osc ; cancel_lru_locks mdc
4056 cmp -bl $tmpfile $testfile ||
4057 error "file $testfile is corrupted (2)"
4060 seek=$((pagesz+100))
4061 dd if=$tmpfile2 of=$tmpfile bs=4 count=1 seek=$seek oflag=seek_bytes \
4063 dd if=$tmpfile2 of=$testfile bs=4 count=1 seek=$seek oflag=seek_bytes \
4065 cancel_lru_locks osc ; cancel_lru_locks mdc
4066 cmp -bl $tmpfile $testfile ||
4067 error "file $testfile is corrupted (3)"
4069 # truncate to PAGE_SIZE / 2
4071 $TRUNCATE $tmpfile $sz
4072 $TRUNCATE $testfile $sz
4073 cancel_lru_locks osc ; cancel_lru_locks mdc
4074 cmp -bl $tmpfile $testfile ||
4075 error "file $testfile is corrupted (4)"
4077 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16
4079 $TRUNCATE $tmpfile $sz
4080 $TRUNCATE $testfile $sz
4081 cancel_lru_locks osc ; cancel_lru_locks mdc
4082 cmp -bl $tmpfile $testfile ||
4083 error "file $testfile is corrupted (5)"
4085 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16
4087 $TRUNCATE $tmpfile $sz
4088 $TRUNCATE $testfile $sz
4089 cancel_lru_locks osc ; cancel_lru_locks mdc
4090 cmp -bl $tmpfile $testfile ||
4091 error "file $testfile is corrupted (6)"
4093 # truncate to a larger, non-multiple of PAGE_SIZE, in a different page
4094 sz=$((sz+pagesz+30))
4095 $TRUNCATE $tmpfile $sz
4096 $TRUNCATE $testfile $sz
4097 cancel_lru_locks osc ; cancel_lru_locks mdc
4098 cmp -bl $tmpfile $testfile ||
4099 error "file $testfile is corrupted (7)"
4101 sync ; echo 3 > /proc/sys/vm/drop_caches
4103 # remount without dummy encryption key
4104 remount_client_normally
4106 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -type f)
4107 $TRUNCATE $scrambledfile 0 &&
4108 error "truncate $scrambledfile should have failed without key"
4110 rm -f $tmpfile $tmpfile2
4112 run_test 48a "encrypted file access semantics: truncate"
4114 cleanup_for_enc_tests_othercli() {
4117 # remount othercli normally
4118 zconf_umount $othercli $MOUNT ||
4119 error "umount $othercli $MOUNT failed"
4120 zconf_mount $othercli $MOUNT ||
4121 error "remount $othercli $MOUNT failed"
4127 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4128 skip "client encryption not supported"
4130 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4131 skip "need dummy encryption support"
4133 [ "$num_clients" -ge 2 ] || skip "Need at least 2 clients"
4135 if [ "$HOSTNAME" == ${clients_arr[0]} ]; then
4136 othercli=${clients_arr[1]}
4138 othercli=${clients_arr[0]}
4141 stack_trap cleanup_for_enc_tests EXIT
4142 stack_trap "cleanup_for_enc_tests_othercli $othercli" EXIT
4144 zconf_umount $othercli $MOUNT ||
4145 error "umount $othercli $MOUNT failed"
4147 cp /bin/sleep $DIR/$tdir/
4148 cancel_lru_locks osc ; cancel_lru_locks mdc
4149 $DIR/$tdir/sleep 30 &
4150 # mount and IOs must be done in the same shell session, otherwise
4151 # encryption key in session keyring is missing
4152 do_node $othercli "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4153 $MGSNID:/$FSNAME $MOUNT && \
4154 $TRUNCATE $DIR/$tdir/sleep 7"
4155 wait || error "wait error"
4156 cmp --silent /bin/sleep $DIR/$tdir/sleep ||
4157 error "/bin/sleep and $DIR/$tdir/sleep differ"
4159 run_test 48b "encrypted file: concurrent truncate"
4165 $LCTL set_param debug=+info
4170 [ $? -eq 0 ] || error "$cmd failed"
4172 if [ -z "$MATCHING_STRING" ]; then
4173 $LCTL dk | grep -E "get xattr 'encryption.c'|get xattrs"
4175 $LCTL dk | grep -E "$MATCHING_STRING"
4177 [ $? -ne 0 ] || error "get xattr event was triggered"
4181 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4182 skip "client encryption not supported"
4184 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4185 skip "need dummy encryption support"
4187 stack_trap cleanup_for_enc_tests EXIT
4190 local dirname=$DIR/$tdir/subdir
4194 trace_cmd stat $dirname
4195 trace_cmd echo a > $dirname/f1
4196 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4197 trace_cmd stat $dirname/f1
4198 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4199 trace_cmd cat $dirname/f1
4200 dd if=/dev/zero of=$dirname/f1 bs=1M count=10 conv=fsync
4201 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4202 MATCHING_STRING="get xattr 'encryption.c'" \
4203 trace_cmd $TRUNCATE $dirname/f1 10240
4204 trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
4205 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4206 trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
4208 if [[ $MDSCOUNT -gt 1 ]]; then
4209 trace_cmd $LFS setdirstripe -i 1 $dirname/d2
4210 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4211 trace_cmd $LFS migrate -m 0 $dirname/d2
4212 echo b > $dirname/d2/subf
4213 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4214 if (( "$MDS1_VERSION" > $(version_code 2.14.54.54) )); then
4215 # migrate a non-empty encrypted dir
4216 trace_cmd $LFS migrate -m 1 $dirname/d2
4217 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4218 [ -f $dirname/d2/subf ] || error "migrate failed (1)"
4219 [ $(cat $dirname/d2/subf) == "b" ] ||
4220 error "migrate failed (2)"
4223 $LFS setdirstripe -i 1 -c 1 $dirname/d3
4224 dirname=$dirname/d3/subdir
4226 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4227 trace_cmd stat $dirname
4228 trace_cmd echo c > $dirname/f1
4229 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4230 trace_cmd stat $dirname/f1
4231 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4232 trace_cmd cat $dirname/f1
4233 dd if=/dev/zero of=$dirname/f1 bs=1M count=10 conv=fsync
4234 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4235 MATCHING_STRING="get xattr 'encryption.c'" \
4236 trace_cmd $TRUNCATE $dirname/f1 10240
4237 trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
4238 sync ; sync ; echo 3 > /proc/sys/vm/drop_caches
4239 trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
4241 skip_noexit "2nd part needs >= 2 MDTs"
4244 run_test 49 "Avoid getxattr for encryption context"
4247 local testfile=$DIR/$tdir/$tfile
4248 local tmpfile=$TMP/abc
4249 local pagesz=$(getconf PAGESIZE)
4252 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4253 skip "client encryption not supported"
4255 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4256 skip "need dummy encryption support"
4258 stack_trap cleanup_for_enc_tests EXIT
4261 # write small file, data on MDT only
4262 tr '\0' '1' < /dev/zero |
4263 dd of=$tmpfile bs=1 count=5000 conv=fsync
4264 $LFS setstripe -E 1M -L mdt -E EOF $testfile
4265 cp $tmpfile $testfile
4267 # check that in-memory representation of file is correct
4268 cmp -bl $tmpfile $testfile ||
4269 error "file $testfile is corrupted in memory"
4271 remove_enc_key ; insert_enc_key
4273 # check that file read from server is correct
4274 cmp -bl $tmpfile $testfile ||
4275 error "file $testfile is corrupted on server"
4277 # decrease size: truncate to PAGE_SIZE
4278 $TRUNCATE $tmpfile $pagesz
4279 $TRUNCATE $testfile $pagesz
4280 remove_enc_key ; insert_enc_key
4281 cmp -bl $tmpfile $testfile ||
4282 error "file $testfile is corrupted (1)"
4284 # increase size: truncate to 2 x PAGE_SIZE
4286 $TRUNCATE $tmpfile $sz
4287 $TRUNCATE $testfile $sz
4288 remove_enc_key ; insert_enc_key
4289 cmp -bl $tmpfile $testfile ||
4290 error "file $testfile is corrupted (2)"
4292 # truncate to PAGE_SIZE / 2
4294 $TRUNCATE $tmpfile $sz
4295 $TRUNCATE $testfile $sz
4296 remove_enc_key ; insert_enc_key
4297 cmp -bl $tmpfile $testfile ||
4298 error "file $testfile is corrupted (3)"
4300 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16
4302 $TRUNCATE $tmpfile $sz
4303 $TRUNCATE $testfile $sz
4304 remove_enc_key ; insert_enc_key
4305 cmp -bl $tmpfile $testfile ||
4306 error "file $testfile is corrupted (4)"
4308 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16
4310 $TRUNCATE $tmpfile $sz
4311 $TRUNCATE $testfile $sz
4312 remove_enc_key ; insert_enc_key
4313 cmp -bl $tmpfile $testfile ||
4314 error "file $testfile is corrupted (5)"
4316 # truncate to a larger, non-multiple of PAGE_SIZE, in a different page
4317 sz=$((sz+pagesz+30))
4318 $TRUNCATE $tmpfile $sz
4319 $TRUNCATE $testfile $sz
4320 remove_enc_key ; insert_enc_key
4321 cmp -bl $tmpfile $testfile ||
4322 error "file $testfile is corrupted (6)"
4325 remove_enc_key ; insert_enc_key
4327 # write hole in file, data spread on MDT and OST
4328 tr '\0' '2' < /dev/zero |
4329 dd of=$tmpfile bs=1 count=1539 seek=1539074 conv=fsync,notrunc
4330 $LFS setstripe -E 1M -L mdt -E EOF $testfile
4331 cp --sparse=always $tmpfile $testfile
4333 # check that in-memory representation of file is correct
4334 cmp -bl $tmpfile $testfile ||
4335 error "file $testfile is corrupted in memory"
4337 remove_enc_key ; insert_enc_key
4339 # check that file read from server is correct
4340 cmp -bl $tmpfile $testfile ||
4341 error "file $testfile is corrupted on server"
4343 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16,
4344 # inside OST part of data
4345 sz=$((1024*1024+13))
4346 $TRUNCATE $tmpfile $sz
4347 $TRUNCATE $testfile $sz
4348 remove_enc_key ; insert_enc_key
4349 cmp -bl $tmpfile $testfile ||
4350 error "file $testfile is corrupted (7)"
4352 # truncate to a smaller, non-multiple of PAGE_SIZE, non-multiple of 16,
4353 # inside MDT part of data
4355 $TRUNCATE $tmpfile $sz
4356 $TRUNCATE $testfile $sz
4357 remove_enc_key ; insert_enc_key
4358 cmp -bl $tmpfile $testfile ||
4359 error "file $testfile is corrupted (8)"
4361 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16,
4362 # inside MDT part of data
4363 sz=$((1024*1024-13))
4364 $TRUNCATE $tmpfile $sz
4365 $TRUNCATE $testfile $sz
4366 remove_enc_key ; insert_enc_key
4367 cmp -bl $tmpfile $testfile ||
4368 error "file $testfile is corrupted (9)"
4370 # truncate to a larger, non-multiple of PAGE_SIZE, non-multiple of 16,
4371 # inside OST part of data
4373 $TRUNCATE $tmpfile $sz
4374 $TRUNCATE $testfile $sz
4375 remove_enc_key ; insert_enc_key
4376 cmp -bl $tmpfile $testfile ||
4377 error "file $testfile is corrupted (10)"
4381 run_test 50 "DoM encrypted file"
4384 [ "$MDS1_VERSION" -gt $(version_code 2.13.53) ] ||
4385 skip "Need MDS version at least 2.13.53"
4387 mkdir $DIR/$tdir || error "mkdir $tdir"
4388 local mdts=$(comma_list $(mdts_nodes))
4389 local cap_param=mdt.*.enable_cap_mask
4391 old_cap=($(do_nodes $mdts $LCTL get_param -n $cap_param 2>/dev/null))
4392 if [[ -n "$old_cap" ]]; then
4393 do_nodes $mdts $LCTL set_param $cap_param=0xf
4394 stack_trap "do_nodes $mdts $LCTL set_param $cap_param=$old_cap"
4397 touch $DIR/$tdir/$tfile || error "touch $tfile"
4398 cp $(which chown) $DIR/$tdir || error "cp chown"
4399 $RUNAS_CMD -u $ID0 $DIR/$tdir/chown $ID0 $DIR/$tdir/$tfile &&
4400 error "chown $tfile should fail"
4401 setcap 'CAP_CHOWN=ep' $DIR/$tdir/chown || error "setcap CAP_CHOWN"
4402 $RUNAS_CMD -u $ID0 $DIR/$tdir/chown $ID0 $DIR/$tdir/$tfile ||
4403 error "chown $tfile"
4404 rm $DIR/$tdir/$tfile || error "rm $tfile"
4406 touch $DIR/$tdir/$tfile || error "touch $tfile"
4407 cp $(which touch) $DIR/$tdir || error "cp touch"
4408 $RUNAS_CMD -u $ID0 $DIR/$tdir/touch $DIR/$tdir/$tfile &&
4409 error "touch should fail"
4410 setcap 'CAP_FOWNER=ep' $DIR/$tdir/touch || error "setcap CAP_FOWNER"
4411 $RUNAS_CMD -u $ID0 $DIR/$tdir/touch $DIR/$tdir/$tfile ||
4412 error "touch $tfile"
4413 rm $DIR/$tdir/$tfile || error "rm $tfile"
4416 for cap in "CAP_DAC_OVERRIDE" "CAP_DAC_READ_SEARCH"; do
4417 touch $DIR/$tdir/$tfile || error "touch $tfile"
4418 chmod 600 $DIR/$tdir/$tfile || error "chmod $tfile"
4419 cp $(which cat) $DIR/$tdir || error "cp cat"
4420 $RUNAS_CMD -u $ID0 $DIR/$tdir/cat $DIR/$tdir/$tfile &&
4421 error "cat should fail"
4422 setcap $cap=ep $DIR/$tdir/cat || error "setcap $cap"
4423 $RUNAS_CMD -u $ID0 $DIR/$tdir/cat $DIR/$tdir/$tfile ||
4425 rm $DIR/$tdir/$tfile || error "rm $tfile"
4428 run_test 51 "FS capabilities ==============="
4431 local testfile=$DIR/$tdir/$tfile
4432 local tmpfile=$TMP/$tfile
4433 local mirror1=$TMP/$tfile.mirror1
4434 local mirror2=$TMP/$tfile.mirror2
4436 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4437 skip "client encryption not supported"
4439 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4440 skip "need dummy encryption support"
4442 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
4444 stack_trap "cleanup_for_enc_tests $tmpfile $mirror1 $mirror2" EXIT
4447 dd if=/dev/urandom of=$tmpfile bs=5000 count=1 conv=fsync
4449 $LFS mirror create -N -i0 -N -i1 $testfile ||
4450 error "could not create mirror"
4452 dd if=$tmpfile of=$testfile bs=5000 count=1 conv=fsync ||
4453 error "could not write to $testfile"
4455 $LFS mirror resync $testfile ||
4456 error "could not resync mirror"
4458 $LFS mirror verify -v $testfile ||
4459 error "verify mirror failed"
4461 $LFS mirror read -N 1 -o $mirror1 $testfile ||
4462 error "could not read from mirror 1"
4464 cmp -bl $tmpfile $mirror1 ||
4465 error "mirror 1 is corrupted"
4467 $LFS mirror read -N 2 -o $mirror2 $testfile ||
4468 error "could not read from mirror 2"
4470 cmp -bl $tmpfile $mirror2 ||
4471 error "mirror 2 is corrupted"
4473 tr '\0' '2' < /dev/zero |
4474 dd of=$tmpfile bs=1 count=9000 conv=fsync
4476 $LFS mirror write -N 1 -i $tmpfile $testfile ||
4477 error "could not write to mirror 1"
4479 $LFS mirror verify -v $testfile &&
4480 error "mirrors should be different"
4482 rm -f $testfile $mirror1 $mirror2
4484 $LFS setstripe -c1 -i0 $testfile
4485 dd if=$tmpfile of=$testfile bs=9000 count=1 conv=fsync ||
4486 error "write to $testfile failed"
4487 $LFS getstripe $testfile
4490 $LFS migrate -i1 $testfile ||
4491 error "migrate $testfile failed"
4492 $LFS getstripe $testfile
4493 stripe=$($LFS getstripe -i $testfile)
4494 [ $stripe -eq 1 ] || error "migrate file $testfile failed"
4497 cmp -bl $tmpfile $testfile ||
4498 error "migrated file is corrupted"
4500 $LFS mirror extend -N -i0 $testfile ||
4501 error "mirror extend $testfile failed"
4502 $LFS getstripe $testfile
4503 mirror_count=$($LFS getstripe -N $testfile)
4504 [ $mirror_count -eq 2 ] ||
4505 error "mirror extend file $testfile failed (1)"
4506 stripe=$($LFS getstripe --mirror-id=1 -i $testfile)
4507 [ $stripe -eq 1 ] || error "mirror extend file $testfile failed (2)"
4508 stripe=$($LFS getstripe --mirror-id=2 -i $testfile)
4509 [ $stripe -eq 0 ] || error "mirror extend file $testfile failed (3)"
4512 $LFS mirror verify -v $testfile ||
4513 error "mirror verify failed"
4514 $LFS mirror read -N 1 -o $mirror1 $testfile ||
4515 error "read from mirror 1 failed"
4516 cmp -bl $tmpfile $mirror1 ||
4517 error "corruption of mirror 1"
4518 $LFS mirror read -N 2 -o $mirror2 $testfile ||
4519 error "read from mirror 2 failed"
4520 cmp -bl $tmpfile $mirror2 ||
4521 error "corruption of mirror 2"
4523 $LFS mirror split --mirror-id 1 -f ${testfile}.mirror $testfile &&
4524 error "mirror split -f should fail"
4526 $LFS mirror split --mirror-id 1 $testfile &&
4527 error "mirror split without -d should fail"
4529 $LFS mirror split --mirror-id 1 -d $testfile ||
4530 error "mirror split failed"
4531 $LFS getstripe $testfile
4532 mirror_count=$($LFS getstripe -N $testfile)
4533 [ $mirror_count -eq 1 ] ||
4534 error "mirror split file $testfile failed (1)"
4535 stripe=$($LFS getstripe --mirror-id=1 -i $testfile)
4536 [ -z "$stripe" ] || error "mirror extend file $testfile failed (2)"
4537 stripe=$($LFS getstripe --mirror-id=2 -i $testfile)
4538 [ $stripe -eq 0 ] || error "mirror extend file $testfile failed (3)"
4541 cmp -bl $tmpfile $testfile ||
4542 error "extended/split file is corrupted"
4544 run_test 52 "Mirrored encrypted file"
4547 local testfile=$DIR/$tdir/$tfile
4548 local testfile2=$DIR2/$tdir/$tfile
4549 local tmpfile=$TMP/$tfile.tmp
4550 local resfile=$TMP/$tfile.res
4554 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4555 skip "client encryption not supported"
4557 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4558 skip "need dummy encryption support"
4560 pagesz=$(getconf PAGESIZE)
4561 [[ $pagesz == 65536 ]] || skip "Need 64K PAGE_SIZE client"
4563 do_node $mds1_HOST \
4564 "mount.lustre --help |& grep -q 'test_dummy_encryption:'" ||
4565 skip "need dummy encryption support on MDS client mount"
4567 # this test is probably useless now, but may turn out to be useful when
4568 # Lustre supports servers with PAGE_SIZE != 4KB
4569 pagesz=$(do_node $mds1_HOST getconf PAGESIZE)
4570 [[ $pagesz == 4096 ]] || skip "Need 4K PAGE_SIZE MDS client"
4572 stack_trap cleanup_for_enc_tests EXIT
4573 stack_trap "zconf_umount $mds1_HOST $MOUNT2" EXIT
4576 $LFS setstripe -c1 -i0 $testfile
4578 # write from 1st client
4579 cat /dev/urandom | tr -dc 'a-zA-Z0-9' |
4580 dd of=$tmpfile bs=$((pagesz+3)) count=2 conv=fsync
4581 dd if=$tmpfile of=$testfile bs=$((pagesz+3)) count=2 conv=fsync ||
4582 error "could not write to $testfile (1)"
4584 # read from 2nd client
4585 # mount and IOs must be done in the same shell session, otherwise
4586 # encryption key in session keyring is missing
4587 do_node $mds1_HOST "mkdir -p $MOUNT2"
4588 do_node $mds1_HOST \
4589 "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4590 $MGSNID:/$FSNAME $MOUNT2 && \
4591 dd if=$testfile2 of=$resfile bs=$((pagesz+3)) count=2" ||
4592 error "could not read from $testfile2 (1)"
4595 filemd5=$(do_node $mds1_HOST md5sum $resfile | awk '{print $1}')
4596 [ $filemd5 = $(md5sum $tmpfile | awk '{print $1}') ] ||
4597 error "file is corrupted (1)"
4598 do_node $mds1_HOST rm -f $resfile
4601 # truncate from 2nd client
4602 $TRUNCATE $tmpfile $((pagesz+3))
4603 zconf_umount $mds1_HOST $MOUNT2 ||
4604 error "umount $mds1_HOST $MOUNT2 failed (1)"
4605 do_node $mds1_HOST "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4606 $MGSNID:/$FSNAME $MOUNT2 && \
4607 $TRUNCATE $testfile2 $((pagesz+3))" ||
4608 error "could not truncate $testfile2 (1)"
4611 cmp -bl $tmpfile $testfile ||
4612 error "file is corrupted (2)"
4613 rm -f $tmpfile $testfile
4615 zconf_umount $mds1_HOST $MOUNT2 ||
4616 error "umount $mds1_HOST $MOUNT2 failed (2)"
4619 do_node $mds1_HOST \
4620 dd if=/dev/urandom of=$tmpfile bs=$((pagesz+3)) count=2 conv=fsync
4621 # write from 2nd client
4622 do_node $mds1_HOST \
4623 "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4624 $MGSNID:/$FSNAME $MOUNT2 && \
4625 dd if=$tmpfile of=$testfile2 bs=$((pagesz+3)) count=2 conv=fsync" ||
4626 error "could not write to $testfile2 (2)"
4628 # read from 1st client
4629 dd if=$testfile of=$resfile bs=$((pagesz+3)) count=2 ||
4630 error "could not read from $testfile (2)"
4633 filemd5=$(do_node $mds1_HOST md5sum -b $tmpfile | awk '{print $1}')
4634 [ $filemd5 = $(md5sum -b $resfile | awk '{print $1}') ] ||
4635 error "file is corrupted (3)"
4639 # truncate from 1st client
4640 do_node $mds1_HOST "$TRUNCATE $tmpfile $((pagesz+3))"
4641 $TRUNCATE $testfile $((pagesz+3)) ||
4642 error "could not truncate $testfile (2)"
4645 zconf_umount $mds1_HOST $MOUNT2 ||
4646 error "umount $mds1_HOST $MOUNT2 failed (3)"
4647 do_node $mds1_HOST "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
4648 $MGSNID:/$FSNAME $MOUNT2 && \
4649 cmp -bl $tmpfile $testfile2" ||
4650 error "file is corrupted (4)"
4652 do_node $mds1_HOST rm -f $tmpfile
4655 run_test 53 "Mixed PAGE_SIZE clients"
4658 local testdir=$DIR/$tdir/$ID0
4659 local testdir2=$DIR2/$tdir/$ID0
4660 local testfile=$testdir/$tfile
4661 local testfile2=$testdir/${tfile}withveryverylongnametoexercisecode
4662 local testfile3=$testdir/_${tfile}
4663 local tmpfile=$TMP/${tfile}.tmp
4664 local resfile=$TMP/${tfile}.res
4669 $LCTL get_param mdc.*.import | grep -q client_encryption ||
4670 skip "client encryption not supported"
4672 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
4673 skip "need dummy encryption support"
4675 which fscrypt || skip "This test needs fscrypt userspace tool"
4677 yes | fscrypt setup --force --verbose ||
4678 error "fscrypt global setup failed"
4679 sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
4681 yes | fscrypt setup --verbose $MOUNT ||
4682 error "fscrypt setup $MOUNT failed"
4684 chown -R $ID0:$ID0 $testdir
4686 echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
4687 --source=custom_passphrase --name=protector $testdir" ||
4688 error "fscrypt encrypt failed"
4690 echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
4691 --source=custom_passphrase --name=protector2 $testdir" &&
4692 error "second fscrypt encrypt should have failed"
4694 mkdir -p ${testdir}2 || error "mkdir ${testdir}2 failed"
4695 touch ${testdir}2/f || error "mkdir ${testdir}2/f failed"
4698 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
4699 --source=custom_passphrase --name=protector3 ${testdir}2 &&
4700 error "fscrypt encrypt on non-empty dir should have failed"
4702 $RUNAS dd if=/dev/urandom of=$testfile bs=127 count=1 conv=fsync ||
4703 error "write to encrypted file $testfile failed"
4704 cp $testfile $tmpfile
4705 $RUNAS dd if=/dev/urandom of=$testfile2 bs=127 count=1 conv=fsync ||
4706 error "write to encrypted file $testfile2 failed"
4707 $RUNAS dd if=/dev/urandom of=$testfile3 bs=127 count=1 conv=fsync ||
4708 error "write to encrypted file $testfile3 failed"
4709 $RUNAS mkdir $testdir/subdir || error "mkdir subdir failed"
4710 $RUNAS touch $testdir/subdir/subfile || error "mkdir subdir failed"
4712 $RUNAS fscrypt lock --verbose $testdir ||
4713 error "fscrypt lock $testdir failed (1)"
4715 $RUNAS ls -R $testdir || error "ls -R $testdir failed"
4716 local filecount=$($RUNAS find $testdir -type f | wc -l)
4717 [ $filecount -eq 4 ] || error "found $filecount files"
4719 # check enable_filename_encryption default value
4720 # tunable only available for client built against embedded llcrypt
4721 $LCTL get_param mdc.*.connect_flags | grep -q name_encryption &&
4722 nameenc=$(lctl get_param -n llite.*.enable_filename_encryption |
4724 # If client is built against in-kernel fscrypt, it is not possible
4725 # to decide to encrypt file names or not: they are always encrypted.
4726 if [ -n "$nameenc" ]; then
4727 [ $nameenc -eq 0 ] ||
4728 error "enable_filename_encryption should be 0 by default"
4730 # $testfile, $testfile2 and $testfile3 should exist because
4731 # names are not encrypted
4733 error "$testfile should exist because name not encrypted"
4734 [ -f $testfile2 ] ||
4735 error "$testfile2 should exist because name not encrypted"
4736 [ -f $testfile3 ] ||
4737 error "$testfile3 should exist because name not encrypted"
4739 [ $? -eq 0 ] || error "cannot stat $testfile3 without key"
4742 scrambledfiles=( $(find $testdir/ -maxdepth 1 -type f) )
4743 $RUNAS hexdump -C ${scrambledfiles[0]} &&
4744 error "reading ${scrambledfiles[0]} should fail without key"
4746 $RUNAS touch ${testfile}.nokey &&
4747 error "touch ${testfile}.nokey should have failed without key"
4749 echo mypass | $RUNAS fscrypt unlock --verbose $testdir ||
4750 error "fscrypt unlock $testdir failed (1)"
4752 $RUNAS cat $testfile > $resfile ||
4753 error "reading $testfile failed"
4755 cmp -bl $tmpfile $resfile || error "file read differs from file written"
4757 [ $? -eq 0 ] || error "cannot stat $testfile3 with key"
4759 $RUNAS fscrypt lock --verbose $testdir ||
4760 error "fscrypt lock $testdir failed (2)"
4762 $RUNAS hexdump -C ${scrambledfiles[1]} &&
4763 error "reading ${scrambledfiles[1]} should fail without key"
4765 # server local client incompatible with SSK keys installed
4766 if [ "$SHARED_KEY" != true ]; then
4768 stack_trap umount_mds_client EXIT
4769 do_facet $SINGLEMDS touch $DIR2/$tdir/newfile
4770 mdsscrambledfile=$(do_facet $SINGLEMDS find $testdir2/ \
4771 -maxdepth 1 -type f | head -n1)
4772 [ -n "$mdsscrambledfile" ] || error "could not find file"
4773 do_facet $SINGLEMDS cat "$mdsscrambledfile" &&
4774 error "reading $mdsscrambledfile should fail on MDS"
4775 do_facet $SINGLEMDS "echo aaa >> \"$mdsscrambledfile\"" &&
4776 error "writing $mdsscrambledfile should fail on MDS"
4777 do_facet $SINGLEMDS $MULTIOP $testdir2/fileA m &&
4778 error "creating $testdir2/fileA should fail on MDS"
4779 do_facet $SINGLEMDS mkdir $testdir2/dirA &&
4780 error "mkdir $testdir2/dirA should fail on MDS"
4781 do_facet $SINGLEMDS ln -s $DIR2/$tdir/newfile $testdir2/sl1 &&
4782 error "ln -s $testdir2/sl1 should fail on MDS"
4783 do_facet $SINGLEMDS ln $DIR2/$tdir/newfile $testdir2/hl1 &&
4784 error "ln $testdir2/hl1 should fail on MDS"
4785 do_facet $SINGLEMDS mv "$mdsscrambledfile" $testdir2/fB &&
4786 error "mv $mdsscrambledfile should fail on MDS"
4787 do_facet $SINGLEMDS mrename "$mdsscrambledfile" $testdir2/fB &&
4788 error "mrename $mdsscrambledfile should fail on MDS"
4789 do_facet $SINGLEMDS rm -f $DIR2/$tdir/newfile
4792 echo mypass | $RUNAS fscrypt unlock --verbose $testdir ||
4793 error "fscrypt unlock $testdir failed (2)"
4796 $RUNAS fscrypt lock --verbose $testdir ||
4797 error "fscrypt lock $testdir failed (3)"
4799 rm -rf $tmpfile $resfile $testdir ${testdir}2 $MOUNT/.fscrypt
4801 # remount client with subdirectory mount
4802 umount_client $MOUNT || error "umount $MOUNT failed (1)"
4803 export FILESET=/$tdir
4804 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed (1)"
4808 # setup encryption from inside this subdir mount
4809 # the .fscrypt directory is going to be created at the real fs root
4810 yes | fscrypt setup --verbose $MOUNT ||
4811 error "fscrypt setup $MOUNT failed (2)"
4812 testdir=$MOUNT/vault
4814 chown -R $ID0:$ID0 $testdir
4815 fid1=$(path2fid $MOUNT/.fscrypt)
4816 echo "With FILESET $tdir, .fscrypt FID is $fid1"
4818 # enable name encryption, only valid if built against embedded llcrypt
4819 if [ -n "$nameenc" ]; then
4820 do_facet mgs $LCTL set_param -P \
4821 llite.*.enable_filename_encryption=1
4823 error "set_param -P \
4824 llite.*.enable_filename_encryption failed"
4826 wait_update_facet --verbose client \
4827 "$LCTL get_param -n llite.*.enable_filename_encryption \
4829 error "enable_filename_encryption not set on client"
4832 # encrypt 'vault' dir inside the subdir mount
4833 echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
4834 --source=custom_passphrase --name=protector $testdir" ||
4835 error "fscrypt encrypt failed"
4839 $RUNAS cp $tmpfile $testdir/encfile
4841 $RUNAS fscrypt lock --verbose $testdir ||
4842 error "fscrypt lock $testdir failed (4)"
4844 # encfile should actually have its name encrypted
4845 if [ -n "$nameenc" ]; then
4846 [ -f $testdir/encfile ] &&
4847 error "encfile name should be encrypted"
4849 filecount=$(find $testdir -type f | wc -l)
4850 [ $filecount -eq 1 ] || error "found $filecount files instead of 1"
4852 # remount client with encrypted dir as subdirectory mount
4853 umount_client $MOUNT || error "umount $MOUNT failed (2)"
4854 export FILESET=/$tdir/vault
4855 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed (2)"
4859 fid2=$(path2fid $MOUNT/.fscrypt)
4860 echo "With FILESET $tdir/vault, .fscrypt FID is $fid2"
4861 [ "$fid1" == "$fid2" ] || error "fid1 $fid1 != fid2 $fid2 (1)"
4863 # all content seen by this mount is encrypted, but .fscrypt is virtually
4864 # presented, letting us call fscrypt lock/unlock
4865 echo mypass | $RUNAS fscrypt unlock --verbose $MOUNT ||
4866 error "fscrypt unlock $MOUNT failed (3)"
4869 [ $(cat $MOUNT/encfile) == "abc" ] || error "cat encfile failed"
4871 # remount client without subdir mount
4872 umount_client $MOUNT || error "umount $MOUNT failed (3)"
4873 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed (3)"
4876 fid2=$(path2fid $MOUNT/.fscrypt)
4877 echo "Without FILESET, .fscrypt FID is $fid2"
4878 [ "$fid1" == "$fid2" ] || error "fid1 $fid1 != fid2 $fid2 (2)"
4880 # because .fscrypt was actually created at the real root of the fs,
4881 # we can call fscrypt lock/unlock on the encrypted dir
4882 echo mypass | $RUNAS fscrypt unlock --verbose $DIR/$tdir/vault ||
4883 error "fscrypt unlock $$DIR/$tdir/vault failed (4)"
4886 echo c >> $DIR/$tdir/vault/encfile || error "write to encfile failed"
4888 rm -rf $DIR/$tdir/vault/*
4889 $RUNAS fscrypt lock --verbose $DIR/$tdir/vault ||
4890 error "fscrypt lock $DIR/$tdir/vault failed (5)"
4892 # disable name encryption, only valid if built against embedded llcrypt
4893 if [ -n "$nameenc" ]; then
4894 do_facet mgs $LCTL set_param -P \
4895 llite.*.enable_filename_encryption=0
4897 error "set_param -P \
4898 llite.*.enable_filename_encryption failed"
4900 wait_update_facet --verbose client \
4901 "$LCTL get_param -n llite.*.enable_filename_encryption \
4903 error "enable_filename_encryption not set back to default"
4906 rm -rf $tmpfile $MOUNT/.fscrypt
4908 run_test 54 "Encryption policies with fscrypt"
4912 if is_mounted $MOUNT; then
4913 umount_client $MOUNT || error "umount $MOUNT failed"
4916 do_facet mgs $LCTL nodemap_del c0
4917 do_facet mgs $LCTL nodemap_modify --name default \
4918 --property admin --value 0
4919 do_facet mgs $LCTL nodemap_modify --name default \
4920 --property trusted --value 0
4921 wait_nm_sync default admin_nodemap
4922 wait_nm_sync default trusted_nodemap
4924 do_facet mgs $LCTL nodemap_activate 0
4925 wait_nm_sync active 0
4927 if $SHARED_KEY; then
4928 export SK_UNIQUE_NM=false
4932 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed"
4933 if [ "$MOUNT_2" ]; then
4934 mount_client $MOUNT2 ${MOUNT_OPTS} || error "remount failed"
4940 (( $MDS1_VERSION > $(version_code 2.12.6.2) )) ||
4941 skip "Need MDS version at least 2.12.6.3"
4946 mkdir -p $DIR/$tdir/$USER0/testdir_groups
4947 chown root:$USER0 $DIR/$tdir/$USER0
4948 chmod 770 $DIR/$tdir/$USER0
4949 chmod g+s $DIR/$tdir/$USER0
4950 chown $USER0:$USER0 $DIR/$tdir/$USER0/testdir_groups
4951 chmod 770 $DIR/$tdir/$USER0/testdir_groups
4952 chmod g+s $DIR/$tdir/$USER0/testdir_groups
4954 # unmount client completely
4955 umount_client $MOUNT || error "umount $MOUNT failed"
4956 if is_mounted $MOUNT2; then
4957 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
4960 do_nodes $(comma_list $(all_mdts_nodes)) \
4961 $LCTL set_param mdt.*.identity_upcall=NONE
4963 stack_trap cleanup_55 EXIT
4965 do_facet mgs $LCTL nodemap_activate 1
4968 do_facet mgs $LCTL nodemap_del c0 || true
4969 wait_nm_sync c0 id ''
4971 do_facet mgs $LCTL nodemap_modify --name default \
4972 --property admin --value 1
4973 do_facet mgs $LCTL nodemap_modify --name default \
4974 --property trusted --value 1
4975 wait_nm_sync default admin_nodemap
4976 wait_nm_sync default trusted_nodemap
4978 client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
4979 client_nid=$(h2nettype $client_ip)
4980 do_facet mgs $LCTL nodemap_add c0
4981 do_facet mgs $LCTL nodemap_add_range \
4982 --name c0 --range $client_nid
4983 do_facet mgs $LCTL nodemap_modify --name c0 \
4984 --property admin --value 0
4985 do_facet mgs $LCTL nodemap_modify --name c0 \
4986 --property trusted --value 1
4987 wait_nm_sync c0 admin_nodemap
4988 wait_nm_sync c0 trusted_nodemap
4990 if $SHARED_KEY; then
4991 export SK_UNIQUE_NM=true
4992 # set some generic fileset to trigger SSK code
4996 # remount client to take nodemap into account
4997 zconf_mount_clients $HOSTNAME $MOUNT $MOUNT_OPTS ||
4998 error "remount failed"
5002 euid_access $USER0 $DIR/$tdir/$USER0/testdir_groups/file
5004 run_test 55 "access with seteuid"
5007 local testfile=$DIR/$tdir/$tfile
5009 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
5011 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5012 skip "client encryption not supported"
5014 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5015 skip "need dummy encryption support"
5017 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
5019 stack_trap cleanup_for_enc_tests EXIT
5022 $LFS setstripe -c1 $testfile
5023 dd if=/dev/urandom of=$testfile bs=1M count=3 conv=fsync
5024 filefrag -v $testfile || error "filefrag $testfile failed"
5025 (( $(filefrag -v $testfile | grep -c encrypted) >= 1 )) ||
5026 error "filefrag $testfile does not show encrypted flag"
5027 (( $(filefrag -v $testfile | grep -c encoded) >= 1 )) ||
5028 error "filefrag $testfile does not show encoded flag"
5030 run_test 56 "FIEMAP on encrypted file"
5033 local testdir=$DIR/$tdir/mytestdir
5034 local testfile=$DIR/$tdir/$tfile
5036 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
5038 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5039 skip "client encryption not supported"
5041 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5042 skip "need dummy encryption support"
5046 setfattr -n security.c -v myval $testdir &&
5047 error "setting xattr on $testdir should have failed (1.1)"
5048 setfattr -n encryption.c -v myval $testdir &&
5049 error "setting xattr on $testdir should have failed (1.2)"
5051 setfattr -n security.c -v myval $testfile &&
5052 error "setting xattr on $testfile should have failed (1.1)"
5053 setfattr -n encryption.c -v myval $testfile &&
5054 error "setting xattr on $testfile should have failed (1.2)"
5058 stack_trap cleanup_for_enc_tests EXIT
5062 if [ $(getfattr -n security.c $testdir 2>&1 |
5063 grep -ci "Operation not permitted") -eq 0 ]; then
5064 error "getting xattr on $testdir should have failed (1.1)"
5066 if [ $(getfattr -n encryption.c $testdir 2>&1 |
5067 grep -ci "Operation not supported") -eq 0 ]; then
5068 error "getting xattr on $testdir should have failed (1.2)"
5070 getfattr -d -m - $testdir 2>&1 | grep security\.c &&
5071 error "listing xattrs on $testdir should not expose security.c"
5072 getfattr -d -m - $testdir 2>&1 | grep encryption\.c &&
5073 error "listing xattrs on $testdir should not expose encryption.c"
5074 if [ $(setfattr -n security.c -v myval $testdir 2>&1 |
5075 grep -ci "Operation not permitted") -eq 0 ]; then
5076 error "setting xattr on $testdir should have failed (2.1)"
5078 if [ $(setfattr -n encryption.c -v myval $testdir 2>&1 |
5079 grep -ci "Operation not supported") -eq 0 ]; then
5080 error "setting xattr on $testdir should have failed (2.2)"
5083 if [ $(getfattr -n security.c $testfile 2>&1 |
5084 grep -ci "Operation not permitted") -eq 0 ]; then
5085 error "getting xattr on $testfile should have failed (1.1)"
5087 if [ $(getfattr -n encryption.c $testfile 2>&1 |
5088 grep -ci "Operation not supported") -eq 0 ]; then
5089 error "getting xattr on $testfile should have failed (1.2)"
5091 getfattr -d -m - $testfile 2>&1 | grep security\.c &&
5092 error "listing xattrs on $testfile should not expose security.c"
5093 getfattr -d -m - $testfile 2>&1 | grep encryption\.c &&
5094 error "listing xattrs on $testfile should not expose encryption.c"
5095 if [ $(setfattr -n security.c -v myval $testfile 2>&1 |
5096 grep -ci "Operation not permitted") -eq 0 ]; then
5097 error "setting xattr on $testfile should have failed (2.1)"
5099 if [ $(setfattr -n encryption.c -v myval $testfile 2>&1 |
5100 grep -ci "Operation not supported") -eq 0 ]; then
5101 error "setting xattr on $testfile should have failed (2.2)"
5105 run_test 57 "security.c/encryption.c xattr protection"
5108 local testdir=$DIR/$tdir/mytestdir
5109 local testfile=$DIR/$tdir/$tfile
5111 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
5113 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5114 skip "client encryption not supported"
5116 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5117 skip "need dummy encryption support"
5119 stack_trap cleanup_for_enc_tests EXIT
5122 touch $DIR/$tdir/$tfile
5123 mkdir $DIR/$tdir/subdir
5127 echo 3 > /proc/sys/vm/drop_caches
5129 ll_decode_linkea $DIR/$tdir/$tfile || error "cannot read $tfile linkea"
5130 ll_decode_linkea $DIR/$tdir/subdir || error "cannot read subdir linkea"
5132 for ((i = 0; i < 1000; i = $((i+1)))); do
5133 mkdir -p $DIR/$tdir/d${i}
5134 touch $DIR/$tdir/f${i}
5135 createmany -m $DIR/$tdir/d${i}/f 5 > /dev/null
5140 echo 3 > /proc/sys/vm/drop_caches
5143 ls -ailR $DIR/$tdir > /dev/null || error "fail to ls"
5145 run_test 58 "access to enc file's xattrs"
5148 local mirror1=$TMP/$tfile.mirror1
5149 local mirror2=$TMP/$tfile.mirror2
5153 $LFS mirror verify -vvv $testfile ||
5154 error "verifying mirror failed (1)"
5155 if [ $($LFS mirror verify -v $testfile 2>&1 |
5156 grep -ci "only valid") -ne 0 ]; then
5157 error "verifying mirror failed (2)"
5160 $LFS mirror read -N 1 -o $mirror1 $testfile ||
5161 error "read from mirror 1 failed"
5162 cmp -bl $reffile $mirror1 ||
5163 error "corruption of mirror 1"
5164 $LFS mirror read -N 2 -o $mirror2 $testfile ||
5165 error "read from mirror 2 failed"
5166 cmp -bl $reffile $mirror2 ||
5167 error "corruption of mirror 2"
5171 local testfile=$DIR/$tdir/$tfile
5172 local tmpfile=$TMP/$tfile
5173 local mirror1=$TMP/$tfile.mirror1
5174 local mirror2=$TMP/$tfile.mirror2
5177 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5178 skip "client encryption not supported"
5180 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5181 skip "need dummy encryption support"
5183 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
5185 stack_trap "cleanup_for_enc_tests $tmpfile $mirror1 $mirror2" EXIT
5188 dd if=/dev/urandom of=$tmpfile bs=5000 count=1 conv=fsync
5190 $LFS mirror create -N -i0 -N -i1 $testfile ||
5191 error "could not create mirror"
5192 dd if=$tmpfile of=$testfile bs=5000 count=1 conv=fsync ||
5193 error "could not write to $testfile"
5194 $LFS getstripe $testfile
5196 # remount without dummy encryption key
5197 remount_client_normally
5199 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
5200 $LFS mirror resync $scrambledfile ||
5201 error "could not resync mirror"
5203 $LFS mirror verify -vvv $scrambledfile ||
5204 error "mirror verify failed (1)"
5205 if [ $($LFS mirror verify -v $scrambledfile 2>&1 |
5206 grep -ci "only valid") -ne 0 ]; then
5207 error "mirror verify failed (2)"
5210 $LFS mirror read -N 1 -o $mirror1 $scrambledfile &&
5211 error "read from mirror should fail"
5214 remount_client_dummykey
5215 verify_mirror $testfile $tmpfile
5217 run_test 59a "mirror resync of encrypted files without key"
5220 local testfile=$DIR/$tdir/$tfile
5221 local tmpfile=$TMP/$tfile
5222 local mirror1=$TMP/$tfile.mirror1
5223 local mirror2=$TMP/$tfile.mirror2
5226 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5227 skip "client encryption not supported"
5229 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5230 skip "need dummy encryption support"
5232 [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
5234 stack_trap "cleanup_for_enc_tests $tmpfile $mirror1 $mirror2" EXIT
5237 tr '\0' '2' < /dev/zero |
5238 dd of=$tmpfile bs=1 count=9000 conv=fsync
5240 $LFS setstripe -c1 -i0 $testfile
5241 dd if=$tmpfile of=$testfile bs=9000 count=1 conv=fsync ||
5242 error "write to $testfile failed"
5243 $LFS getstripe $testfile
5245 # remount without dummy encryption key
5246 remount_client_normally
5248 scrambledfile=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type f)
5249 $LFS migrate -i1 $scrambledfile ||
5250 error "migrate $scrambledfile failed"
5251 $LFS getstripe $scrambledfile
5252 stripe=$($LFS getstripe -i $scrambledfile)
5253 [ $stripe -eq 1 ] || error "migrate file $scrambledfile failed"
5257 remount_client_dummykey
5258 cmp -bl $tmpfile $testfile ||
5259 error "migrated file is corrupted"
5261 # remount without dummy encryption key
5262 remount_client_normally
5264 $LFS mirror extend -N -i0 $scrambledfile ||
5265 error "mirror extend $scrambledfile failed (1)"
5266 $LFS getstripe $scrambledfile
5267 mirror_count=$($LFS getstripe -N $scrambledfile)
5268 [ $mirror_count -eq 2 ] ||
5269 error "mirror extend file $scrambledfile failed (2)"
5270 stripe=$($LFS getstripe --mirror-id=1 -i $scrambledfile)
5271 [ $stripe -eq 1 ] ||
5272 error "mirror extend file $scrambledfile failed (3)"
5273 stripe=$($LFS getstripe --mirror-id=2 -i $scrambledfile)
5274 [ $stripe -eq 0 ] ||
5275 error "mirror extend file $scrambledfile failed (4)"
5277 $LFS mirror verify -vvv $scrambledfile ||
5278 error "mirror verify failed (1)"
5279 if [ $($LFS mirror verify -v $scrambledfile 2>&1 |
5280 grep -ci "only valid") -ne 0 ]; then
5281 error "mirror verify failed (2)"
5285 remount_client_dummykey
5286 verify_mirror $testfile $tmpfile
5288 # remount without dummy encryption key
5289 remount_client_normally
5291 $LFS mirror split --mirror-id 1 -d $scrambledfile ||
5292 error "mirror split file $scrambledfile failed (1)"
5293 $LFS getstripe $scrambledfile
5294 mirror_count=$($LFS getstripe -N $scrambledfile)
5295 [ $mirror_count -eq 1 ] ||
5296 error "mirror split file $scrambledfile failed (2)"
5297 stripe=$($LFS getstripe --mirror-id=1 -i $scrambledfile)
5298 [ -z "$stripe" ] || error "mirror split file $scrambledfile failed (3)"
5299 stripe=$($LFS getstripe --mirror-id=2 -i $scrambledfile)
5300 [ $stripe -eq 0 ] || error "mirror split file $scrambledfile failed (4)"
5303 remount_client_dummykey
5305 cmp -bl $tmpfile $testfile ||
5306 error "extended/split file is corrupted"
5308 run_test 59b "migrate/extend/split of encrypted files without key"
5311 local dirname=$DIR/$tdir/subdir
5314 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5315 skip "client encryption not supported"
5317 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5318 skip "need dummy encryption support"
5320 [[ $MDSCOUNT -ge 2 ]] || skip_env "needs >= 2 MDTs"
5322 (( "$MDS1_VERSION" > $(version_code 2.14.54.54) )) ||
5323 skip "MDT migration not supported with older server"
5325 stack_trap cleanup_for_enc_tests EXIT
5328 $LFS setdirstripe -i 0 $dirname
5329 echo b > $dirname/subf
5331 # remount without dummy encryption key
5332 remount_client_normally
5334 scrambleddir=$(find $DIR/$tdir/ -maxdepth 1 -mindepth 1 -type d)
5336 # migrate a non-empty encrypted dir
5337 $LFS migrate -m 1 $scrambleddir ||
5338 error "migrate $scrambleddir between MDTs failed (1)"
5340 stripe=$($LFS getdirstripe -i $scrambleddir)
5341 [ $stripe -eq 1 ] ||
5342 error "migrate $scrambleddir between MDTs failed (2)"
5346 [ -f $dirname/subf ] ||
5347 error "migrate $scrambleddir between MDTs failed (3)"
5348 [ $(cat $dirname/subf) == "b" ] ||
5349 error "migrate $scrambleddir between MDTs failed (4)"
5351 run_test 59c "MDT migrate of encrypted files without key"
5354 local testdir=$DIR/$tdir/mytestdir
5355 local testfile=$DIR/$tdir/$tfile
5357 (( $MDS1_VERSION > $(version_code 2.14.53) )) ||
5358 skip "Need MDS version at least 2.14.53"
5360 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5361 skip "client encryption not supported"
5363 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5364 skip "need dummy encryption support"
5366 stack_trap cleanup_for_enc_tests EXIT
5369 echo a > $DIR/$tdir/file1
5370 mkdir $DIR/$tdir/subdir
5371 echo b > $DIR/$tdir/subdir/subfile1
5374 # unmount client completely
5375 umount_client $MOUNT || error "umount $MOUNT failed"
5376 if is_mounted $MOUNT2; then
5377 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
5380 # remount client with subdirectory mount
5381 export FILESET=/$tdir
5382 mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed"
5383 if [ "$MOUNT_2" ]; then
5384 mount_client $MOUNT2 ${MOUNT_OPTS} || error "remount failed"
5388 ls -Rl $DIR || error "ls -Rl $DIR failed (1)"
5391 remount_client_dummykey
5394 ls -Rl $DIR || error "ls -Rl $DIR failed (2)"
5395 cat $DIR/file1 || error "cat $DIR/$tdir/file1 failed"
5396 cat $DIR/subdir/subfile1 ||
5397 error "cat $DIR/$tdir/subdir/subfile1 failed"
5399 run_test 60 "Subdirmount of encrypted dir"
5402 if $SHARED_KEY; then
5403 export SK_UNIQUE_NM=true
5407 do_facet mgs $LCTL nodemap_activate 1
5410 do_facet mgs $LCTL nodemap_del c0 || true
5411 wait_nm_sync c0 id ''
5413 do_facet mgs $LCTL nodemap_modify --name default \
5414 --property admin --value 1
5415 do_facet mgs $LCTL nodemap_modify --name default \
5416 --property trusted --value 1
5417 wait_nm_sync default admin_nodemap
5418 wait_nm_sync default trusted_nodemap
5420 client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
5421 client_nid=$(h2nettype $client_ip)
5422 [[ "$client_nid" =~ ":" ]] && client_nid+="/128"
5423 do_facet mgs $LCTL nodemap_add c0
5424 do_facet mgs $LCTL nodemap_add_range \
5425 --name c0 --range $client_nid || {
5426 do_facet mgs $LCTL nodemap_del c0
5429 do_facet mgs $LCTL nodemap_modify --name c0 \
5430 --property admin --value 1
5431 do_facet mgs $LCTL nodemap_modify --name c0 \
5432 --property trusted --value 1
5433 wait_nm_sync c0 admin_nodemap
5434 wait_nm_sync c0 trusted_nodemap
5438 do_facet mgs $LCTL nodemap_del c0
5439 do_facet mgs $LCTL nodemap_modify --name default \
5440 --property admin --value 0
5441 do_facet mgs $LCTL nodemap_modify --name default \
5442 --property trusted --value 0
5443 wait_nm_sync default admin_nodemap
5444 wait_nm_sync default trusted_nodemap
5446 do_facet mgs $LCTL nodemap_activate 0
5447 wait_nm_sync active 0
5449 if $SHARED_KEY; then
5451 export SK_UNIQUE_NM=false
5454 mount_client $MOUNT ${MOUNT_OPTS} || error "re-mount failed"
5459 local testfile=$DIR/$tdir/$tfile
5462 readonly=$(do_facet mgs \
5463 lctl get_param -n nodemap.default.readonly_mount)
5464 [ -n "$readonly" ] ||
5465 skip "Server does not have readonly_mount nodemap flag"
5467 stack_trap cleanup_61 EXIT
5468 for idx in $(seq 1 $MDSCOUNT); do
5469 wait_recovery_complete mds$idx
5471 umount_client $MOUNT || error "umount $MOUNT failed (1)"
5473 # Activate nodemap, and mount rw.
5474 # Should succeed as rw mount is not forbidden by default.
5476 readonly=$(do_facet mgs \
5477 lctl get_param -n nodemap.default.readonly_mount)
5478 [ $readonly -eq 0 ] ||
5479 error "wrong default value for readonly_mount on default nodemap"
5480 readonly=$(do_facet mgs \
5481 lctl get_param -n nodemap.c0.readonly_mount)
5482 [ $readonly -eq 0 ] ||
5483 error "wrong default value for readonly_mount on nodemap c0"
5485 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},rw ||
5486 error "mount '-o rw' failed with default"
5488 findmnt $MOUNT --output=options -n -f | grep -q "rw," ||
5489 error "should be rw mount"
5490 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
5491 echo a > $testfile || error "write $testfile failed"
5492 umount_client $MOUNT || error "umount $MOUNT failed (2)"
5494 # Now enforce read-only, and retry.
5495 do_facet mgs $LCTL nodemap_modify --name c0 \
5496 --property readonly_mount --value 1
5497 wait_nm_sync c0 readonly_mount
5499 # mount without option should turn into ro
5500 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS} ||
5501 error "mount failed (1)"
5502 findmnt $MOUNT --output=options -n -f | grep -q "ro," ||
5503 error "mount should have been turned into ro"
5504 cat $testfile || error "read $testfile failed (1)"
5505 echo b > $testfile && error "write $testfile should fail (1)"
5506 umount_client $MOUNT || error "umount $MOUNT failed (3)"
5508 # mount rw should turn into ro
5509 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},rw ||
5510 error "mount '-o rw' failed"
5511 findmnt $MOUNT --output=options -n -f | grep -q "ro," ||
5512 error "mount rw should have been turned into ro"
5513 cat $testfile || error "read $testfile failed (2)"
5514 echo b > $testfile && error "write $testfile should fail (2)"
5515 umount_client $MOUNT || error "umount $MOUNT failed (4)"
5517 # mount ro should work as expected
5518 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},ro ||
5519 error "mount '-o ro' failed"
5521 cat $testfile || error "read $testfile failed (3)"
5522 echo b > $testfile && error "write $testfile should fail (3)"
5523 umount_client $MOUNT || error "umount $MOUNT failed (5)"
5525 # remount rw should not work
5526 zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS} ||
5527 error "mount failed (2)"
5528 mount_client $MOUNT remount,rw || error "remount failed"
5529 findmnt $MOUNT --output=options -n -f | grep -q "ro," ||
5530 error "remount rw should have been turned into ro"
5531 cat $testfile || error "read $testfile failed (4)"
5532 echo b > $testfile && error "write $testfile should fail (4)"
5533 umount_client $MOUNT || error "umount $MOUNT failed (6)"
5535 run_test 61 "Nodemap enforces read-only mount"
5538 local testdir=$DIR/$tdir/mytestdir
5539 local testfile=$DIR/$tdir/$tfile
5541 [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
5543 (( $MDS1_VERSION > $(version_code 2.15.51) )) ||
5544 skip "Need MDS version at least 2.15.51"
5546 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5547 skip "client encryption not supported"
5549 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5550 skip "need dummy encryption support"
5552 stack_trap cleanup_for_enc_tests EXIT
5555 lfs setstripe -c -1 $DIR/$tdir
5556 touch $DIR/$tdir/${tfile}_1 || error "touch ${tfile}_1 failed"
5557 dd if=/dev/zero of=$DIR/$tdir/${tfile}_2 bs=1 count=1 conv=fsync ||
5558 error "dd ${tfile}_2 failed"
5560 # unmount the Lustre filesystem
5561 stopall || error "stopping for e2fsck run"
5563 # run e2fsck on the MDT and OST devices
5564 local mds_host=$(facet_active_host $SINGLEMDS)
5565 local ost_host=$(facet_active_host ost1)
5566 local mds_dev=$(mdsdevname ${SINGLEMDS//mds/})
5567 local ost_dev=$(ostdevname 1)
5569 run_e2fsck $mds_host $mds_dev "-n"
5570 run_e2fsck $ost_host $ost_dev "-n"
5572 # mount the Lustre filesystem
5573 setupall || error "remounting the filesystem failed"
5575 run_test 62 "e2fsck with encrypted files"
5580 for path in "${paths[@]}"; do
5588 for path in "${paths[@]}"; do
5589 fids+=("$(lfs path2fid $path)")
5594 for fid in "${fids[@]}"; do
5596 respath=$(lfs fid2path $MOUNT $fid)
5597 echo -e "\t" $respath
5598 ls -li $respath >/dev/null
5599 [ $? -eq 0 ] || error "fid2path $fid failed"
5606 local vaultdir1=$DIR/$tdir/vault1==dir
5607 local vaultdir2=$DIR/$tdir/vault2==dir
5608 local longfname1="longfilenamewitha=inthemiddletotestbehaviorregardingthedigestedform"
5609 local longdname="longdirectorynamewitha=inthemiddletotestbehaviorregardingthedigestedform"
5610 local longfname2="$longdname/${longfname1}2"
5612 (( $MDS1_VERSION > $(version_code 2.15.53) )) ||
5613 skip "Need MDS version at least 2.15.53"
5615 $LCTL get_param mdc.*.import | grep -q client_encryption ||
5616 skip "client encryption not supported"
5618 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
5619 skip "need dummy encryption support"
5621 which fscrypt || skip "This test needs fscrypt userspace tool"
5623 yes | fscrypt setup --force --verbose ||
5624 echo "fscrypt global setup already done"
5625 sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
5627 yes | fscrypt setup --verbose $MOUNT ||
5628 echo "fscrypt setup $MOUNT already done"
5630 # enable_filename_encryption tunable only available for client
5631 # built against embedded llcrypt. If client is built against in-kernel
5632 # fscrypt, file names are always encrypted.
5633 $LCTL get_param mdc.*.connect_flags | grep -q name_encryption &&
5634 nameenc=$(lctl get_param -n llite.*.enable_filename_encryption |
5636 if [ -n "$nameenc" ]; then
5637 do_facet mgs $LCTL set_param -P \
5638 llite.*.enable_filename_encryption=1
5640 error "set_param -P \
5641 llite.*.enable_filename_encryption=1 failed"
5643 wait_update_facet --verbose client \
5644 "$LCTL get_param -n llite.*.enable_filename_encryption \
5646 error "enable_filename_encryption not set on client"
5650 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
5651 --source=custom_passphrase --name=protector_63_1 $vaultdir1 ||
5652 error "fscrypt encrypt $vaultdir1 failed"
5654 mkdir $vaultdir1/dirA
5655 mkdir $vaultdir1/$longdname
5656 paths=("$vaultdir1/fileA")
5657 paths+=("$vaultdir1/dirA/fileB")
5658 paths+=("$vaultdir1/$longfname1")
5659 paths+=("$vaultdir1/$longfname2")
5662 paths+=("$vaultdir1/dirA")
5663 paths+=("$vaultdir1/$longdname")
5668 fscrypt lock --verbose $vaultdir1 ||
5669 error "fscrypt lock $vaultdir1 failed (1)"
5673 if [ -z "$nameenc" ]; then
5674 echo "Rest of the test requires disabling name encryption"
5678 # disable name encryption
5679 do_facet mgs $LCTL set_param -P llite.*.enable_filename_encryption=0
5681 error "set_param -P llite.*.enable_filename_encryption=0 failed"
5683 wait_update_facet --verbose client \
5684 "$LCTL get_param -n llite.*.enable_filename_encryption \
5686 error "enable_filename_encryption not set back to default"
5689 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
5690 --source=custom_passphrase --name=protector_63_2 $vaultdir2 ||
5691 error "fscrypt encrypt $vaultdir2 failed"
5693 mkdir $vaultdir2/dirA
5694 mkdir $vaultdir2/$longdname
5697 paths=("$vaultdir2/fileA")
5698 paths+=("$vaultdir2/dirA/fileB")
5699 paths+=("$vaultdir2/$longfname1")
5700 paths+=("$vaultdir2/$longfname2")
5703 paths+=("$vaultdir2/dirA")
5704 paths+=("$vaultdir2/$longdname")
5709 fscrypt lock --verbose $vaultdir2 ||
5710 error "fscrypt lock $vaultdir2 failed (2)"
5714 rm -rf $MOUNT/.fscrypt
5716 run_test 63 "fid2path with encrypted files"
5719 do_facet mgs $LCTL nodemap_activate 1
5722 do_facet mgs $LCTL nodemap_del c0 || true
5723 wait_nm_sync c0 id ''
5725 do_facet mgs $LCTL nodemap_modify --name default \
5726 --property admin --value 1
5727 do_facet mgs $LCTL nodemap_modify --name default \
5728 --property trusted --value 1
5729 wait_nm_sync default admin_nodemap
5730 wait_nm_sync default trusted_nodemap
5732 client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
5733 client_nid=$(h2nettype $client_ip)
5734 do_facet mgs $LCTL nodemap_add c0
5735 do_facet mgs $LCTL nodemap_add_range \
5736 --name c0 --range $client_nid
5737 do_facet mgs $LCTL nodemap_modify --name c0 \
5738 --property admin --value 1
5739 do_facet mgs $LCTL nodemap_modify --name c0 \
5740 --property trusted --value 1
5741 wait_nm_sync c0 admin_nodemap
5742 wait_nm_sync c0 trusted_nodemap
5746 do_facet mgs $LCTL nodemap_del c0
5747 do_facet mgs $LCTL nodemap_modify --name default \
5748 --property admin --value 0
5749 do_facet mgs $LCTL nodemap_modify --name default \
5750 --property trusted --value 0
5751 wait_nm_sync default admin_nodemap
5752 wait_nm_sync default trusted_nodemap
5754 do_facet mgs $LCTL nodemap_activate 0
5755 wait_nm_sync active 0
5759 local testfile=$DIR/$tdir/$tfile
5762 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5763 skip "Need MDS >= 2.15.54 for role-based controls"
5765 stack_trap cleanup_64 EXIT
5766 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
5769 # check default value for rbac is all
5770 rbac=$(do_facet mds $LCTL get_param -n nodemap.c0.rbac)
5771 for role in file_perms \
5779 [[ "$rbac" =~ "$role" ]] ||
5780 error "role '$role' not in default '$rbac'"
5783 do_facet mgs $LCTL nodemap_modify --name c0 \
5784 --property rbac --value file_perms
5785 wait_nm_sync c0 rbac
5787 stack_trap "set +vx"
5789 chmod 777 $testfile || error "chmod failed"
5790 chown $TSTUSR:$TSTUSR $testfile || error "chown failed"
5791 chgrp $TSTUSR $testfile || error "chgrp failed"
5792 $LFS project -p 1000 $testfile || error "setting project failed"
5795 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5796 wait_nm_sync c0 rbac
5799 chmod 777 $testfile && error "chmod should fail"
5800 chown $TSTUSR:$TSTUSR $testfile && error "chown should fail"
5801 chgrp $TSTUSR $testfile && error "chgrp should fail"
5802 $LFS project -p 1000 $testfile && error "setting project should fail"
5805 run_test 64a "Nodemap enforces file_perms RBAC roles"
5808 local testdir=$DIR/$tdir/${tfile}.d
5811 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5812 skip "Need MDS >= 2.15.54 for role-based controls"
5814 (( MDSCOUNT >= 2 )) || skip "mdt count $MDSCOUNT, skipping dne_ops role"
5816 stack_trap cleanup_64 EXIT
5817 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
5820 dir_restripe=$(do_node $mds1_HOST \
5821 "$LCTL get_param -n mdt.*MDT0000.enable_dir_restripe")
5822 [ -n "$dir_restripe" ] || dir_restripe=0
5823 do_nodes $(comma_list $(all_mdts_nodes)) \
5824 $LCTL set_param mdt.*.enable_dir_restripe=1 ||
5825 error "enabling dir_restripe failed"
5826 stack_trap "do_nodes $(comma_list $(all_mdts_nodes)) \
5827 $LCTL set_param mdt.*.enable_dir_restripe=$dir_restripe" EXIT
5828 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
5830 wait_nm_sync c0 rbac
5831 $LFS mkdir -i 0 ${testdir}_for_migr ||
5832 error "$LFS mkdir ${testdir}_for_migr failed (1)"
5833 touch ${testdir}_for_migr/file001 ||
5834 error "touch ${testdir}_for_migr/file001 failed (1)"
5835 $LFS mkdir -i 0 ${testdir}_mdt0 ||
5836 error "$LFS mkdir ${testdir}_mdt0 failed (1)"
5837 $LFS mkdir -i 1 ${testdir}_mdt1 ||
5838 error "$LFS mkdir ${testdir}_mdt1 failed (1)"
5840 $LFS mkdir -i 1 $testdir || error "$LFS mkdir failed (1)"
5842 $LFS mkdir -c 2 $testdir || error "$LFS mkdir failed (2)"
5845 $LFS setdirstripe -c 2 $testdir || error "$LFS setdirstripe failed"
5847 $LFS migrate -m 1 ${testdir}_for_migr || error "$LFS migrate failed"
5848 touch ${testdir}_mdt0/fileA || error "touch fileA failed (1)"
5849 mv ${testdir}_mdt0/fileA ${testdir}_mdt1/ || error "mv failed (1)"
5852 $LFS mkdir -i 0 ${testdir}_for_migr ||
5853 error "$LFS mkdir ${testdir}_for_migr failed (2)"
5854 touch ${testdir}_for_migr/file001 ||
5855 error "touch ${testdir}_for_migr/file001 failed (2)"
5856 $LFS mkdir -i 0 ${testdir}_mdt0 ||
5857 error "$LFS mkdir ${testdir}_mdt0 failed (2)"
5858 $LFS mkdir -i 1 ${testdir}_mdt1 ||
5859 error "$LFS mkdir ${testdir}_mdt1 failed (2)"
5861 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5862 wait_nm_sync c0 rbac
5864 $LFS mkdir -i 1 $testdir && error "$LFS mkdir should fail (1)"
5865 $LFS mkdir -c 2 $testdir && error "$LFS mkdir should fail (2)"
5867 $LFS setdirstripe -c 2 $testdir && error "$LFS setdirstripe should fail"
5869 $LFS migrate -m 1 ${testdir}_for_migr &&
5870 error "$LFS migrate should fail"
5871 touch ${testdir}_mdt0/fileA || error "touch fileA failed (2)"
5872 mv ${testdir}_mdt0/fileA ${testdir}_mdt1/ || error "mv failed (2)"
5875 run_test 64b "Nodemap enforces dne_ops RBAC roles"
5878 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5879 skip "Need MDS >= 2.15.54 for role-based controls"
5881 stack_trap cleanup_64 EXIT
5882 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
5885 do_facet mgs $LCTL nodemap_modify --name c0 \
5886 --property rbac --value quota_ops
5887 wait_nm_sync c0 rbac
5889 $LFS setquota -u $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT ||
5890 error "lfs setquota -u failed"
5891 $LFS setquota -u $USER0 --delete $MOUNT
5892 $LFS setquota -g $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT ||
5893 error "lfs setquota -g failed"
5894 $LFS setquota -g $USER0 --delete $MOUNT
5895 $LFS setquota -p 1000 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT ||
5896 error "lfs setquota -p failed"
5897 $LFS setquota -p 1000 --delete $MOUNT
5899 $LFS setquota -U -b 10G -B 11G -i 100K -I 105K $MOUNT ||
5900 error "lfs setquota -U failed"
5901 $LFS setquota -U -b 0 -B 0 -i 0 -I 0 $MOUNT
5902 $LFS setquota -G -b 10G -B 11G -i 100K -I 105K $MOUNT ||
5903 error "lfs setquota -G failed"
5904 $LFS setquota -G -b 0 -B 0 -i 0 -I 0 $MOUNT
5905 $LFS setquota -P -b 10G -B 11G -i 100K -I 105K $MOUNT ||
5906 error "lfs setquota -P failed"
5907 $LFS setquota -P -b 0 -B 0 -i 0 -I 0 $MOUNT
5908 $LFS setquota -u $USER0 -D $MOUNT ||
5909 error "lfs setquota -u -D failed"
5910 $LFS setquota -u $USER0 --delete $MOUNT
5911 $LFS setquota -g $USER0 -D $MOUNT ||
5912 error "lfs setquota -g -D failed"
5913 $LFS setquota -g $USER0 --delete $MOUNT
5914 $LFS setquota -p 1000 -D $MOUNT ||
5915 error "lfs setquota -p -D failed"
5916 $LFS setquota -p 1000 --delete $MOUNT
5919 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5920 wait_nm_sync c0 rbac
5923 $LFS setquota -u $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT &&
5924 error "lfs setquota -u should fail"
5925 $LFS setquota -u $USER0 --delete $MOUNT
5926 $LFS setquota -g $USER0 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT &&
5927 error "lfs setquota -g should fail"
5928 $LFS setquota -g $USER0 --delete $MOUNT
5929 $LFS setquota -p 1000 -b 307200 -B 309200 -i 10000 -I 11000 $MOUNT &&
5930 error "lfs setquota -p should fail"
5931 $LFS setquota -p 1000 --delete $MOUNT
5933 $LFS setquota -U -b 10G -B 11G -i 100K -I 105K $MOUNT &&
5934 error "lfs setquota -U should fail"
5935 $LFS setquota -G -b 10G -B 11G -i 100K -I 105K $MOUNT &&
5936 error "lfs setquota -G should fail"
5937 $LFS setquota -P -b 10G -B 11G -i 100K -I 105K $MOUNT &&
5938 error "lfs setquota -P should fail"
5939 $LFS setquota -u $USER0 -D $MOUNT &&
5940 error "lfs setquota -u -D should fail"
5941 $LFS setquota -u $USER0 --delete $MOUNT
5942 $LFS setquota -g $USER0 -D $MOUNT &&
5943 error "lfs setquota -g -D should fail"
5944 $LFS setquota -g $USER0 --delete $MOUNT
5945 $LFS setquota -p 1000 -D $MOUNT &&
5946 error "lfs setquota -p -D should fail"
5947 $LFS setquota -p 1000 --delete $MOUNT
5950 run_test 64c "Nodemap enforces quota_ops RBAC roles"
5953 local testfile=$DIR/$tdir/$tfile
5956 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5957 skip "Need MDS >= 2.15.54 for role-based controls"
5959 stack_trap cleanup_64 EXIT
5960 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
5963 do_facet mgs $LCTL nodemap_modify --name c0 \
5964 --property rbac --value byfid_ops
5965 wait_nm_sync c0 rbac
5968 fid=$(lfs path2fid $testfile)
5970 $LFS fid2path $MOUNT $fid || error "fid2path $fid failed (1)"
5971 cat $MOUNT/.lustre/fid/$fid || error "cat by fid failed"
5972 lfs rmfid $MOUNT $fid || error "lfs rmfid failed"
5975 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
5976 wait_nm_sync c0 rbac
5979 fid=$(lfs path2fid $testfile)
5981 $LFS fid2path $MOUNT $fid || error "fid2path $fid failed (2)"
5982 cat $MOUNT/.lustre/fid/$fid && error "cat by fid should fail"
5983 lfs rmfid $MOUNT $fid && error "lfs rmfid should fail"
5987 run_test 64d "Nodemap enforces byfid_ops RBAC roles"
5990 local testfile=$DIR/$tdir/$tfile
5991 local testdir=$DIR/$tdir/${tfile}.d
5993 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
5994 skip "Need MDS >= 2.15.54 for role-based controls"
5996 stack_trap cleanup_64 EXIT
5997 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
6000 # activate changelogs
6001 changelog_register || error "changelog_register failed"
6002 local cl_user="${CL_USERS[$SINGLEMDS]%% *}"
6003 changelog_users $SINGLEMDS | grep -q $cl_user ||
6004 error "User $cl_user not found in changelog_users"
6005 changelog_chmask ALL
6008 mkdir $testdir || error "failed to mkdir $testdir"
6009 touch $testfile || error "failed to touch $testfile"
6011 do_facet mgs $LCTL nodemap_modify --name c0 \
6012 --property rbac --value chlg_ops
6013 wait_nm_sync c0 rbac
6016 echo "changelogs dump"
6017 changelog_dump || error "failed to dump changelogs"
6018 echo "changelogs clear"
6019 changelog_clear 0 || error "failed to clear changelogs"
6021 rm -rf $testdir $testfile || error "rm -rf $testdir $testfile failed"
6023 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value none
6024 wait_nm_sync c0 rbac
6027 mkdir $testdir || error "failed to mkdir $testdir"
6028 touch $testfile || error "failed to touch $testfile"
6031 echo "changelogs dump"
6032 changelog_dump && error "dump changelogs should fail"
6033 echo "changelogs clear"
6034 changelog_clear 0 && error "clear changelogs should fail"
6035 rm -rf $testdir $testfile
6037 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value all
6038 wait_nm_sync c0 rbac
6040 run_test 64e "Nodemap enforces chlg_ops RBAC roles"
6043 local vaultdir=$DIR/$tdir/vault
6048 (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
6049 skip "Need MDS >= 2.15.54 for role-based controls"
6051 cli_enc=$($LCTL get_param mdc.*.import | grep client_encryption)
6052 [ -n "$cli_enc" ] || skip "Need enc support, skip fscrypt_admin role"
6053 which fscrypt || skip "Need fscrypt, skip fscrypt_admin role"
6055 stack_trap cleanup_64 EXIT
6056 mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
6059 yes | fscrypt setup --force --verbose ||
6060 echo "fscrypt global setup already done"
6061 sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
6063 yes | fscrypt setup --verbose $MOUNT ||
6064 echo "fscrypt setup $MOUNT already done"
6065 stack_trap "rm -rf $MOUNT/.fscrypt"
6067 # file_perms is required because fscrypt uses chmod/chown
6068 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
6069 --value fscrypt_admin,file_perms
6070 wait_nm_sync c0 rbac
6074 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
6075 --source=custom_passphrase --name=protector_64 $vaultdir ||
6076 error "fscrypt encrypt $vaultdir failed"
6077 fscrypt lock $vaultdir || error "fscrypt lock $vaultdir failed (1)"
6078 policy=$(fscrypt status $vaultdir | awk '$1 == "Policy:"{print $2}')
6079 [ -n "$policy" ] || error "could not get enc policy"
6080 protector=$(fscrypt status $vaultdir |
6081 awk 'BEGIN {found=0} { if (found == 1) { print $1 }} \
6082 $1 == "PROTECTOR" {found=1}')
6083 [ -n "$protector" ] || error "could not get enc protector"
6087 # file_perms is required because fscrypt uses chmod/chown
6088 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
6090 wait_nm_sync c0 rbac
6093 echo mypass | fscrypt unlock $vaultdir ||
6094 error "fscrypt unlock $vaultdir failed"
6095 fscrypt lock $vaultdir || error "fscrypt lock $vaultdir failed (2)"
6096 fscrypt metadata destroy --protector=$MOUNT:$protector --force &&
6097 error "destroy protector should fail"
6098 fscrypt metadata destroy --policy=$MOUNT:$policy --force &&
6099 error "destroy policy should fail"
6100 mkdir -p ${vaultdir}2
6101 echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
6102 --source=custom_passphrase \
6103 --name=protector_64bis ${vaultdir}2 &&
6104 error "fscrypt encrypt ${vaultdir}2 should fail"
6108 do_facet mgs $LCTL nodemap_modify --name c0 --property rbac --value all
6109 wait_nm_sync c0 rbac
6112 fscrypt metadata destroy --protector=$MOUNT:$protector --force ||
6113 error "destroy protector failed"
6114 fscrypt metadata destroy --policy=$MOUNT:$policy --force ||
6115 error "destroy policy failed"
6120 run_test 64f "Nodemap enforces fscrypt_admin RBAC roles"
6129 (( neg == 1 )) || neg=""
6130 $LFS find -type f ${neg:+"!"} --attrs $pattern $path > $TMP/res
6132 res=$(cat $TMP/res | wc -l)
6133 (( res == $expected )) ||
6134 error "Find $pattern $path: found $res, expected $expected"
6138 local dirbis=$DIR/${tdir}_bis
6139 local testfile=$DIR/$tdir/$tfile
6142 $LCTL get_param mdc.*.import | grep -q client_encryption ||
6143 skip "client encryption not supported"
6145 mount.lustre --help |& grep -q "test_dummy_encryption:" ||
6146 skip "need dummy encryption support"
6148 # $dirbis is not going to be encrypted, as client
6149 # is not mounted with -o test_dummy_encryption yet
6151 stack_trap "rm -rf $dirbis" EXIT
6152 touch $dirbis/$tfile.1
6153 touch $dirbis/$tfile.2
6154 chattr +i $dirbis/$tfile.2
6155 stack_trap "chattr -i $dirbis/$tfile.2" EXIT
6157 stack_trap cleanup_for_enc_tests EXIT
6160 # All files/dirs under $DIR/$tdir are encrypted
6163 chattr +i $testfile.2
6164 stack_trap "chattr -i $testfile.2" EXIT
6166 $LFS find -printf "%p %LA\n" $dirbis/$tfile.1
6167 res=$($LFS find -printf "%LA" $dirbis/$tfile.1)
6168 [ "$res" == "---" ] ||
6169 error "$dirbis/$tfile.1 should have no attr, showed $res (1)"
6170 $LFS find -printf "%p %La\n" $dirbis/$tfile.1
6171 res=$($LFS find -printf "%La" $dirbis/$tfile.1)
6172 [ "$res" == "---" ] ||
6173 error "$dirbis/$tfile.1 should have no attr, showed $res (2)"
6174 $LFS find -printf "%p %LA\n" $dirbis/$tfile.2
6175 res=$($LFS find -printf "%LA" $dirbis/$tfile.2)
6176 [ "$res" == "Immutable" ] ||
6177 error "$dirbis/$tfile.2 should be Immutable, showed $res"
6178 $LFS find -printf "%p %La\n" $dirbis/$tfile.2
6179 res=$($LFS find -printf "%La" $dirbis/$tfile.2)
6180 [ "$res" == "i" ] ||
6181 error "$dirbis/$tfile.2 should be 'i', showed $res"
6182 $LFS find -printf "%p %LA\n" $testfile.1
6183 res=$($LFS find -printf "%LA" $testfile.1)
6184 [ "$res" == "Encrypted" ] ||
6185 error "$testfile.1 should be Encrypted, showed $res"
6186 $LFS find -printf "%p %La\n" $testfile.1
6187 res=$($LFS find -printf "%La" $testfile.1)
6188 [ "$res" == "E" ] ||
6189 error "$testfile.1 should be 'E', showed $res"
6190 $LFS find -printf "%p %LA\n" $testfile.2
6191 res=$($LFS find -printf "%LA" $testfile.2)
6192 [ "$res" == "Immutable,Encrypted" ] ||
6193 error "$testfile.2 should be Immutable,Encrypted, showed $res"
6194 $LFS find -printf "%p %La\n" $testfile.2
6195 res=$($LFS find -printf "%La" $testfile.2)
6196 [ "$res" == "iE" ] ||
6197 error "$testfile.2 should be 'iE', showed $res"
6199 echo Expecting to find 2 encrypted files
6200 look_for_files Encrypted 0 "$DIR/${tdir}*" 2
6201 echo Expecting to find 2 encrypted files
6202 look_for_files E 0 "$DIR/${tdir}*" 2
6204 echo Expecting to find 2 non-encrypted files
6205 look_for_files Encrypted 1 "$DIR/${tdir}*" 2
6206 echo Expecting to find 2 non-encrypted files
6207 look_for_files E 1 "$DIR/${tdir}*" 2
6209 echo Expecting to find 1 encrypted+immutable file
6210 look_for_files "Encrypted,Immutable" 0 "$DIR/${tdir}*" 1
6211 echo Expecting to find 1 encrypted+immutable file
6212 look_for_files "Ei" 0 "$DIR/${tdir}*" 1
6214 echo Expecting to find 1 encrypted+^immutable file
6215 look_for_files "Encrypted,^Immutable" 0 "$DIR/${tdir}*" 1
6216 echo Expecting to find 1 encrypted+^immutable file
6217 look_for_files "E^i" 0 "$DIR/${tdir}*" 1
6219 echo Expecting to find 1 ^encrypted+immutable file
6220 look_for_files "^Encrypted,Immutable" 0 "$DIR/${tdir}*" 1
6221 echo Expecting to find 1 ^encrypted+immutable file
6222 look_for_files "^Ei" 0 "$DIR/${tdir}*" 1
6224 echo Expecting to find 1 ^encrypted+^immutable file
6225 look_for_files "^Encrypted,^Immutable" 0 "$DIR/${tdir}*" 1
6226 echo Expecting to find 1 ^encrypted+^immutable file
6227 look_for_files "^E^i" 0 "$DIR/${tdir}*" 1
6229 run_test 65 "lfs find -printf %La and --attrs support"
6232 lctl set_param fail_loc=0 fail_val=0
6233 mount_client $MOUNT ${MOUNT_OPTS} || error "re-mount $MOUNT failed"
6234 if is_mounted $MOUNT2; then
6235 mount_client $MOUNT2 ${MOUNT_OPTS} ||
6236 error "re-mount $MOUNT2 failed"
6241 stack_trap cleanup_68 EXIT
6243 # unmount client completely
6244 umount_client $MOUNT || error "umount $MOUNT failed"
6245 if is_mounted $MOUNT2; then
6246 umount_client $MOUNT2 || error "umount $MOUNT2 failed"
6249 #define CFS_FAIL_ONCE|OBD_FAIL_PTLRPC_DROP_MGS 0x51d
6250 lctl set_param fail_loc=0x8000051d fail_val=20
6252 zconf_mount_clients $HOSTNAME $MOUNT $MOUNT_OPTS ||
6253 error "mount failed"
6255 umount_client $MOUNT || error "re-umount $MOUNT failed"
6257 run_test 68 "all config logs are processed"
6260 local mdt="$(mdtname_from_index 0 $MOUNT)"
6264 param="mdt.$mdt.identity_upcall"
6265 orig="$(do_facet mds1 "$LCTL get_param -n $param")"
6266 stack_trap "do_facet mds1 $LCTL set_param $param=$orig" EXIT
6268 # identity_upcall accepts a path to an executable,
6269 # or NONE (case insensitive)
6270 do_facet mds1 $LCTL set_param $param=/path/to/prog ||
6271 error "set_param $param=/path/to/prog failed"
6272 do_facet mds1 $LCTL set_param $param=prog &&
6273 error "set_param $param=prog should failed"
6274 do_facet mds1 $LCTL set_param $param=NONE ||
6275 error "set_param $param=NONE failed"
6276 do_facet mds1 $LCTL set_param $param=none ||
6277 error "set_param $param=none failed"
6280 param="sptlrpc.gss.rsi_upcall"
6281 orig="$(do_facet mds1 "$LCTL get_param -n $param")"
6282 stack_trap "do_facet mds1 $LCTL set_param $param=$orig" EXIT
6284 # rsi_upcall only accepts a path to an executable
6285 do_facet mds1 $LCTL set_param $param=prog &&
6286 error "set_param $param=prog should failed"
6287 do_facet mds1 $LCTL set_param $param=NONE &&
6288 error "set_param $param=NONE should fail"
6289 do_facet mds1 $LCTL set_param $param=/path/to/prog ||
6290 error "set_param $param=/path/to/prog failed"
6293 run_test 69 "check upcall incorrect values"
6295 log "cleanup: ======================================================"
6298 for ((num = 1; num <= $MDSCOUNT; num++)); do
6299 if [[ "${identity_old[$num]}" == 1 ]]; then
6300 switch_identity $num false || identity_old[$num]=$?
6304 $RUNAS_CMD -u $ID0 ls $DIR
6305 $RUNAS_CMD -u $ID1 ls $DIR
6309 complete_test $SECONDS
6310 check_and_cleanup_lustre
git://git.whamcloud.com / fs / lustre-release.git / blob