2 # -*- mode: Bash; tab-width: 4; indent-tabs-mode: t; -*-
3 # vim:shiftwidth=4:softtabstop=4:tabstop=4:
6 # setup_kerberos.sh - setup the Kerberos environment on Lustre cluster
9 # * Only one KDC involved, no slave KDC.
10 # * Only one Kerberos realm involved, no multiple Kerberos realms.
12 ###############################################################################
17 Usage: $(basename $0) <KDC_distro> <KDC_node> <MGS_node> <MDS_node>[:MDS_node:...]
18 <OSS_node>[:OSS_node:...] <CLIENT_node>[:CLIENT_node:...]
This script is used to set up the Kerberos environment on a Lustre cluster.
22 KDC_distro distribution on the KDC node (rhel5 or sles10)
23 KDC_node KDC node name
24 MGS_node Lustre MGS node name
25 MDS_node Lustre MDS node name
26 OSS_node Lustre OSS node name
27 CLIENT_node Lustre client node name
29 e.g.: $(basename $0) rhel5 scsi2 scsi2 sata2 sata3 client5
30 e.g.: $(basename $0) sles10 scsi2 scsi2 scsi2 sata3:sata5 client2:client3
31 e.g.: $(basename $0) rhel5 scsi2 scsi2 scsi2 scsi2 scsi2
1) The script will destroy all the old Kerberos settings by default: the KDC
configuration directory is emptied and the Kerberos database is re-created. If
you want to preserve the original krb5.conf and KDC configuration, please set
2) The script will create principals for some runas users and add them into
the Kerberos database by default. The UIDs of the runas users specified in
the "LOCAL_UIDS" variable must exist on the KDC, MDS and client nodes. These
user principals are created with a password equal to the user name (see
add_user_princ), so they are only suitable for an isolated test realm. If
you do not need runas users, please set "CFG_RUNAS=false".
3) The script will create idmap.conf and perm.conf in /etc/lustre on the
MDS node(s) for remote ACL testing by default. If you do not need remote
ACL, please set "CFG_IDMAP=false".
50 # ************************ Parameters and Variables ************************ #
58 # translate to lower case letters
59 MY_KDC_DISTRO=$(echo $MY_KDC_DISTRO | tr '[A-Z]' '[a-z]')
61 if [ -z "$MY_KDC_DISTRO" -o -z "$MY_KDCNODE" -o -z "$MY_MDSNODES" -o \
62 -z "$MY_OSSNODES" -o -z "$MY_CLIENTNODES" -o -z "$MY_MGSNODE" ]; then
67 LUSTRE=${LUSTRE:-$(cd $(dirname $0)/..; echo $PWD)}
68 . $LUSTRE/tests/test-framework.sh
70 . ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
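# LNET acceptor port that is probed on every client before its NID is collected
ACCEPTOR_PORT=${ACCEPTOR_PORT:-988}

# check and configure runas users (CFG_RUNAS=false skips them)
CFG_RUNAS=${CFG_RUNAS:-true}
# uids for local and remote users; each uid/gid pair must exist on the KDC,
# MGS, MDS and client nodes
LOCAL_UIDS=${LOCAL_UIDS:-"500 501"}
REMOTE_UIDS=${REMOTE_UIDS:-"500 501"} # for remote ACL testing

# remove the original Kerberos and KDC settings
RESET_KDC=${RESET_KDC:-true}

# generate a unique keytab (lustre_root/<fqdn>) for each client node instead of
# one shared lustre_root keytab; with a shared keytab every client presents the
# same identity (lustre_root@REALM), so keep this enabled outside throwaway setups
SPLIT_KEYTAB=${SPLIT_KEYTAB:-true}

# encryption types used when extracting keytabs (ktadd -e <type>:normal);
# each value should be one of the KDC's supported_enctypes (see cfg_kdc).
# The MGS defaults to the MDS type.
MDS_ENCTYPE=${MDS_ENCTYPE:-"aes128-cts"}
MGS_ENCTYPE=${MGS_ENCTYPE:-"$MDS_ENCTYPE"}
OSS_ENCTYPE=${OSS_ENCTYPE:-"aes128-cts"}
CLIENT_ENCTYPE=${CLIENT_ENCTYPE:-"aes128-cts"}

# configuration file for Kerberos: KRB5_CONF is overwritten on every node and
# KRB5_KEYTAB is deleted and re-created on every server and client node
KRB5_CONF=${KRB5_CONF:-"/etc/krb5.conf"}
KRB5_KEYTAB=${KRB5_KEYTAB:-"/etc/krb5.keytab"}
KRB5_TICKET_LIFETIME=${KRB5_TICKET_LIFETIME:-"24h"}

# configuration files for libgssapi and keyutils
GSSAPI_MECH_CONF=${GSSAPI_MECH_CONF:-"/etc/gssapi_mech.conf"}
REQUEST_KEY_CONF=${REQUEST_KEY_CONF:-"/etc/request-key.conf"}

# create configuration files for remote ACL testing
CFG_IDMAP=${CFG_IDMAP:-true}
LUSTRE_CONF_DIR=${LUSTRE_CONF_DIR:-"/etc/lustre"}
IDMAP_CONF=$LUSTRE_CONF_DIR/idmap.conf
PERM_CONF=$LUSTRE_CONF_DIR/perm.conf

# krb5 realm & domain (the domain is the lower-cased realm)
KRB5_REALM=${KRB5_REALM:-"CO.CFS"}
# quote the realm so an unusual value is neither word-split nor glob-expanded,
# and use the POSIX character classes instead of locale-dependent '[A-Z]' ranges
KRB5_DOMAIN=$(printf '%s' "$KRB5_REALM" | tr '[:upper:]' '[:lower:]')

# the node lists are passed as colon-separated arguments; turn them into
# space-separated lists for the "for node in ..." loops below
MY_MDSNODES=${MY_MDSNODES//:/ }
MY_OSSNODES=${MY_OSSNODES//:/ }
MY_CLIENTNODES=${MY_CLIENTNODES//:/ }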
116 # set vars according to the KDC distribution
117 KRB5PKG_SVR="krb5-server"
118 KRB5PKG_DEV="krb5-devel"
119 case $MY_KDC_DISTRO in
121 KRB5PKG_CLI="krb5-workstation"
122 KRB5PKG_LIB="krb5-libs"
123 KDC_CONF_DIR="/var/kerberos/krb5kdc"
126 KRB5PKG_CLI="krb5-client"
128 KDC_CONF_DIR="/var/lib/kerberos/krb5kdc"
131 echo "Unsupported KDC distro: $MY_KDC_DISTRO!"
134 KDC_CONF="$KDC_CONF_DIR/kdc.conf"
135 KDC_ACL="$KDC_CONF_DIR/kadm5.acl"
137 # ******************************** Functions ******************************** #
143 if [ -z "$name" -o -z "$list" ]; then
148 if [[ " $list " == *\ $name\ * ]]; then
160 local nodename=${node%.$KRB5_DOMAIN}
161 do_node $node "PATH=\$PATH:/usr/kerberos/sbin:/usr/kerberos/bin:\
162 /usr/lib/mit/sbin:/usr/lib/mit/bin $@" | sed "s/^${nodename}: //"
163 return ${PIPESTATUS[0]}
168 output=$(my_do_node "$@" 2>&1)
169 return ${PIPESTATUS[0]}
173 my_do_node $MY_KDCNODE "$@"
174 return ${PIPESTATUS[0]}
178 do_node_mute $MY_KDCNODE "$@"
179 return ${PIPESTATUS[0]}
183 # convert a space-delimited node name list to a canonical name list
186 local nodename_list="$@"
192 for name in $nodename_list; do
193 fqdn=$(do_kdc "gethostip -n $name 2>&1")
195 if [ $rc -ne 0 ]; then
196 echo "Can not get the FQDN of node $name: $fqdn"
199 [ -z "$fqdn_list" ] && fqdn_list="$fqdn" \
200 || fqdn_list="$fqdn_list $fqdn"
# convert the MDS/OSS nodes to their canonical (fully-qualified) names, as
# required by Kerberos for service principals. The KDC and client names are
# canonicalized too so that node name comparisons are consistent.
217 MY_KDCNODE=$(get_fqdn $MY_KDCNODE)
219 if [ $rc -ne 0 ]; then
225 MY_MGSNODE=$(get_fqdn $MY_MGSNODE)
227 if [ $rc -ne 0 ]; then
233 MY_MDSNODES=$(get_fqdn $MY_MDSNODES)
235 if [ $rc -ne 0 ]; then
241 MY_OSSNODES=$(get_fqdn $MY_OSSNODES)
243 if [ $rc -ne 0 ]; then
249 MY_CLIENTNODES=$(get_fqdn $MY_CLIENTNODES)
251 if [ $rc -ne 0 ]; then
260 # verify remote shell works on all nodes
266 echo "+++ Checking remote shell"
268 for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
270 is_part_of $node $checked && continue
272 echo -n "Checking remote shell on $node..."
273 do_node_mute $node true || return ${PIPESTATUS[0]}
276 checked="$checked $node"
# verify the entropy (random numbers) on the KDC node, which is used by
# kdb5_util to create the Kerberos database.
# Caveat: when the available entropy is below the limit, the script replaces
# /dev/random on the KDC with a /dev/urandom device node (mknod c 1 9) so that
# kdb5_util does not block; it does not restore /dev/random afterwards (the
# original node is left at /dev/random.bak). Acceptable only on a disposable
# test KDC.
288 echo "+++ Checking the entropy on the KDC"
290 echo -n "Checking $MY_KDCNODE..."
291 avail=$(do_kdc "sysctl -n kernel.random.entropy_avail")
292 local rc=${PIPESTATUS[0]}
293 if [ $rc -eq 0 ]; then
294 if [ $avail -lt $limit ]; then
295 echo -e "\nWarning: The entropy on the KDC node is only $avail, \
296 which is not enough for kdb5_util to create Kerberos database! \
297 Let's use /dev/urandom!"
298 do_kdc "rm -f /dev/random.bak && mv /dev/random{,.bak} && \
299 mknod /dev/random c 1 9"
300 return ${PIPESTATUS[0]}
303 echo "Can not get the entropy on the KDC node!"
310 # verify runas users and groups
318 echo "+++ Checking users and groups"
320 for node in $MY_KDCNODE $MY_MGSNODE $MY_MDSNODES $MY_CLIENTNODES; do
321 is_part_of $node $checked && continue
323 for id in $LOCAL_UIDS; do
324 echo -n "Checking uid/gid $id/$id on $node..."
325 user=$(my_do_node $node getent passwd | grep :$id:$id: | cut -d: -f1)
326 if [ -z "$user" ]; then
327 echo -e "\nPlease set LOCAL_UIDS and REMOTE_UIDS to some users \
328 which exist on KDC, MDS and client or add user/group $id/$id on these nodes."
333 checked="$checked $node"
342 echo -n "Checking $dev mount on $node..."
343 if do_node_mute $node "grep -q $dir' ' /proc/mounts"; then
348 if ! do_node_mute $node "grep -q ^$dev /etc/fstab"; then
349 my_do_node $node "echo '$dev $dir $dev defaults 0 0' >> /etc/fstab" || \
350 return ${PIPESTATUS[0]}
352 my_do_node $node "mkdir -p $dir && mount $dir" || true
354 if ! do_node_mute $node "grep -q $dir' ' /proc/mounts"; then
355 echo "Failed to mount fs $dev at $dir!"
# configure nfsd mount on MGS, MDS and OSS nodes
368 echo "+++ Configuring nfsd mount"
370 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES; do
371 is_part_of $node $checked && continue
372 cfg_mount $node nfsd /proc/fs/nfsd || return ${PIPESTATUS[0]}
373 checked="$checked $node"
381 my_do_node $node "rpm -q $pkg 2>&1" | tail -n1
382 return ${PIPESTATUS[0]}
389 my_do_node $node cat /etc/SuSE-release 2>/dev/null | \
390 grep -q 'Enterprise Server 10'
391 if [ ${PIPESTATUS[1]} -eq 0 ]; then
393 cli) echo "krb5-client";;
398 cli) echo "krb5-workstation";;
399 lib) echo "krb5-libs";;
408 echo "+++ Checking KDC installation"
410 echo -n "Checking $MY_KDCNODE..."
411 pkg=$(get_pkgname $MY_KDCNODE $KRB5PKG_SVR)
413 if [ $rc -ne 0 ]; then
414 echo -e "\nCan not find $KRB5PKG_SVR package on $MY_KDCNODE: $pkg"
426 echo "+++ Checking Kerberos 5 installation"
427 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
428 is_part_of $node $checked && continue
430 echo -n "Checking $node..."
431 krb5pkg_cli=$(get_krb5pkgname $node cli)
433 pkg=$(get_pkgname $node $krb5pkg_cli)
435 if [ $rc -ne 0 ]; then
436 echo -e "\nCan not find $krb5pkg_cli package on $node: $pkg"
440 checked="$checked $node"
450 echo "+++ Checking libgssapi installation"
452 LIBGSSAPI=$(get_pkgname $MY_KDCNODE libgssapi)
454 if [ $rc -ne 0 ]; then
455 echo "Can not find libgssapi package on $MY_KDCNODE: $LIBGSSAPI"
459 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
460 is_part_of $node $checked && continue
462 echo -n "Checking $node..."
463 pkg=$(get_pkgname $node libgssapi)
465 if [ $rc -ne 0 ]; then
466 echo -e "\nCan not find libgssapi package on $node: $pkg"
470 checked="$checked $node"
475 # check and update the /etc/gssapi_mech.conf file on each node
476 # We only support MIT Kerberos 5 GSS-API mechanism.
486 echo "+++ Updating $GSSAPI_MECH_CONF"
488 for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
490 is_part_of $node $checked && continue
492 krb5pkg_lib=$(get_krb5pkgname $node lib)
493 pkg=$(get_pkgname $node $krb5pkg_lib)
495 if [ $rc -ne 0 ]; then
496 echo -e "\nCan not find $krb5pkg_lib package on $node: $pkg"
500 krb5_lib=$(my_do_node $node "rpm -ql $pkg" | \
501 grep libgssapi_krb5.so | head -n1)
503 if ! do_node_mute $node \
504 "egrep -q \\\"^$krb5_lib|^$(basename $krb5_lib)\\\" $GSSAPI_MECH_CONF"; then
506 "echo '$krb5_lib mechglue_internal_krb5_init' >> $GSSAPI_MECH_CONF"
508 checked="$checked $node"
# check and update the /etc/request-key.conf file on each OSS, MDS and client node
521 echo "+++ Updating $REQUEST_KEY_CONF"
523 for node in $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
524 is_part_of $node $checked && continue
525 lgss_keyring=$(my_do_node $node "which lgss_keyring") || \
526 return ${PIPESTATUS[0]}
528 if ! do_node_mute $node \
529 "grep -q \\\"^create.*$lgss_keyring\\\" $REQUEST_KEY_CONF"; then
531 "echo 'create lgssc * * $lgss_keyring %o %k %t %d %c %u %g %T %P %S' \
532 >> $REQUEST_KEY_CONF"
534 checked="$checked $node"
543 echo -n "Creating service principal lustre_$type/$fqdn@$KRB5_REALM..."
544 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
545 addprinc -randkey lustre_$type/$fqdn@$KRB5_REALM
547 local rc=${PIPESTATUS[0]}
548 [ $rc -ne 0 ] && echo "Failed!" || echo "OK!"
553 add_svc_princ_root() {
554 echo -n "Creating service principal lustre_root@$KRB5_REALM..."
555 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
556 addprinc -randkey lustre_root@$KRB5_REALM
558 local rc=${PIPESTATUS[0]}
559 [ $rc -ne 0 ] && echo "Failed!" || echo "OK!"
567 echo -n "Creating user principal $user@$KRB5_REALM..."
568 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
569 addprinc -pw $user $user@$KRB5_REALM
571 local rc=${PIPESTATUS[0]}
572 [ $rc -ne 0 ] && echo "Failed!" || echo "OK!"
577 add_test_princ_id() {
581 user=$(do_kdc getent passwd $id | cut -d: -f1)
582 if [ -z "$user" ]; then
583 echo "Can not find the user with uid $id on the KDC!"
587 add_user_princ $user || return ${PIPESTATUS[0]}
# create service principals for the MGS, MDS, OSS and client nodes plus user
# principals for the runas users (and lustre_root/bin/daemon/games when
# SPLIT_KEYTAB is false) and add them to the Kerberos database. Service
# principals get random keys (-randkey); user principals get a password equal
# to the principal name, which is only acceptable for an isolated test realm.
597 add_svc_princ $MY_MGSNODE mgs || return ${PIPESTATUS[0]}
599 for node in $MY_MDSNODES; do
600 add_svc_princ $node mds || return ${PIPESTATUS[0]}
603 for node in $MY_OSSNODES; do
604 add_svc_princ $node oss || return ${PIPESTATUS[0]}
607 for node in $MY_CLIENTNODES; do
608 if $SPLIT_KEYTAB; then
609 add_svc_princ $node root || return ${PIPESTATUS[0]}
611 add_svc_princ_root || return ${PIPESTATUS[0]}
615 if ! $SPLIT_KEYTAB; then
616 add_user_princ lustre_root || return ${PIPESTATUS[0]}
618 add_user_princ bin || return ${PIPESTATUS[0]}
619 add_user_princ daemon || return ${PIPESTATUS[0]}
620 add_user_princ games || return ${PIPESTATUS[0]}
623 for uid in $LOCAL_UIDS; do
624 add_test_princ_id $uid || return ${PIPESTATUS[0]}
# create and install the KDC configuration file kdc.conf on the KDC, which
# will destroy the old KDC setting. Security caveats of the generated setup:
# the database is created with a fixed, well-known master password
# ("-P 111111") and a stash file (-s); kadm5.acl grants full rights to every
# */admin principal; and supported_enctypes still lists single-DES
# (des-cbc-md5) and des3. This is a test-only KDC configuration.
634 local tmpdir="$TMP/krb5_cfg_tmp_$UID"
635 local tmpcfg=$tmpdir/kdc.conf
636 local tmpacl=$tmpdir/kadm5.acl
638 echo "+++ Configuring KDC on $MY_KDCNODE"
639 echo "Warning: old KDC setting on $MY_KDCNODE will be destroied!!!"
641 echo -n "Checking the existence of KDC config dir..."
642 do_kdc_mute "[ -d $KDC_CONF_DIR ]"
643 if [ ${PIPESTATUS[0]} -ne 0 ]; then
644 echo -e "\nUnrecognized krb5 distribution!"
651 do_kdc_mute "/etc/init.d/krb5kdc stop < /dev/null" || true
653 echo -n "Removing old KDC configurations..."
654 do_kdc_mute "rm -f $KDC_CONF_DIR/*"
657 # create kdc.conf locally
659 mkdir -p $tmpdir || return ${PIPESTATUS[0]}
666 master_key_type = aes128-cts
667 supported_enctypes = des3-hmac-sha1:normal aes128-cts:normal aes256-cts:normal des-cbc-md5:normal
671 # install kdc.conf remotely
672 echo -n "Installing kdc.conf on $MY_KDCNODE..."
673 $SCP $tmpcfg root@$MY_KDCNODE:$KDC_CONF || return ${PIPESTATUS[0]}
676 # initialize KDC database
677 echo -n "Creating Kerberos database on $MY_KDCNODE..."
678 do_kdc_mute "kdb5_util create -r $KRB5_REALM -s -P 111111"
679 local rc=${PIPESTATUS[0]}
680 if [ $rc -ne 0 ]; then
687 # create ACL file locally & install remotely
689 */admin@$KRB5_REALM *
692 echo -n "Installing kadm5.acl on $MY_KDCNODE..."
693 $SCP $tmpacl root@$MY_KDCNODE:$KDC_ACL || return ${PIPESTATUS[0]}
695 rm -rf $tmpdir || true
698 do_kdc "/etc/init.d/krb5kdc restart < /dev/null" || return ${PIPESTATUS[0]}
# create and install the Kerberos configuration file krb5.conf on the KDC,
# client, MDS and OSS. DNS lookups for realm and KDC are disabled
# (dns_lookup_realm/dns_lookup_kdc = false) and admin_server is set to
# $MY_KDCNODE:749, so the realm is located only through this generated file.
706 local tmpdir="$TMP/krb5_cfg_tmp_$UID"
707 local tmpcfg="$tmpdir/krb5.conf"
710 echo "+++ Installing krb5.conf on all nodes"
712 # create krb5.conf locally
714 mkdir -p $tmpdir || return ${PIPESTATUS[0]}
717 default_realm = $KRB5_REALM
718 dns_lookup_realm = false
719 dns_lookup_kdc = false
720 ticket_lifetime = $KRB5_TICKET_LIFETIME
726 admin_server = $MY_KDCNODE:749
727 default_domain = $KRB5_DOMAIN
731 .$KRB5_DOMAIN = $KRB5_REALM
732 $KRB5_DOMAIN = $KRB5_REALM
745 # install krb5.conf remotely
746 for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
748 is_part_of $node $checked && continue
750 echo -n "Installing krb5.conf on $node..."
751 $SCP $tmpcfg root@$node:$KRB5_CONF || return ${PIPESTATUS[0]}
754 checked="$checked $node"
756 rm -rf $tmpdir || true
764 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
765 ktadd -k $tab -e $enctype:normal $princ@$KRB5_REALM
775 add_keytab $tab lustre_$type/$fqdn $enctype
782 add_keytab $tab lustre_root $enctype
789 $SCP $tab root@$node:$tab || return ${PIPESTATUS[0]}
790 do_node_mute $node "ktutil <<EOF
793 EOF" || return ${PIPESTATUS[0]}
# create and install the keytab file krb5.keytab on the client, MDS and OSS.
# Keytabs are staged under a fixed name ($TMP/keytab.tmp) on the KDC and
# locally and copied with scp; only the local copy is removed at the end, so
# the last staged keytab appears to remain on the KDC. A predictable name in a
# shared $TMP would let a local user pre-create or swap the file; mktemp would
# be safer.
800 local tmptab="$TMP/keytab.tmp"
803 echo "+++ Generating keytabs"
806 echo -n "Deleting old keytabs on all nodes..."
807 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
808 do_node_mute $node "rm -f $KRB5_KEYTAB $TMP/krb5cc*"
812 # install for MDS nodes
813 for node in $MY_MDSNODES; do
814 echo -n "Preparing for MDS $node..."
815 do_kdc_mute "rm -f $tmptab"
816 add_keytab_svc $tmptab $node mds $MDS_ENCTYPE || return ${PIPESTATUS[0]}
818 if is_part_of $node $MY_MGSNODE; then
819 echo -n "also be an MGS..."
820 add_keytab_svc $tmptab $node mgs $MGS_ENCTYPE || \
821 return ${PIPESTATUS[0]}
824 if is_part_of $node $MY_OSSNODES; then
825 echo -n "also be an OSS..."
826 add_keytab_svc $tmptab $node oss $OSS_ENCTYPE || \
827 return ${PIPESTATUS[0]}
831 echo -n "Installing krb5.keytab on $node..."
832 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
833 $SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
838 # install for MGS node
839 echo -n "Preparing for MGS $MY_MGSNODE..."
840 if ! is_part_of $MY_MGSNODE $MY_MDSNODES; then
841 do_kdc_mute "rm -f $tmptab"
842 add_keytab_svc $tmptab $MY_MGSNODE mgs $MGS_ENCTYPE || \
843 return ${PIPESTATUS[0]}
845 if is_part_of $MY_MGSNODE $MY_OSSNODES; then
846 echo -n "also be an OSS..."
847 add_keytab_svc $tmptab $MY_MGSNODE oss $OSS_ENCTYPE || \
848 return ${PIPESTATUS[0]}
852 echo -n "Installing krb5.keytab on $MY_MGSNODE..."
853 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
854 $SCP $tmptab root@$MY_MGSNODE:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
858 echo "also be an MDS, already done, skip"
861 # install for OSS nodes
862 for node in $MY_OSSNODES; do
863 echo -n "Preparing for OSS $node..."
864 if is_part_of $node $MY_MDSNODES; then
865 echo "also be an MDS, already done, skip"
866 elif is_part_of $node $MY_MGSNODE; then
867 echo "also be an MGS, already done, skip"
869 do_kdc_mute "rm -f $tmptab"
870 add_keytab_svc $tmptab $node oss $OSS_ENCTYPE || \
871 return ${PIPESTATUS[0]}
874 echo -n "Installing krb5.keytab on $node..."
875 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
876 $SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
882 # install for client nodes
883 do_kdc_mute "rm -f $tmptab"
884 if ! $SPLIT_KEYTAB; then
885 echo -n "Preparing for client..."
886 add_keytab_root $tmptab $CLIENT_ENCTYPE || return ${PIPESTATUS[0]}
887 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
890 for node in $MY_CLIENTNODES; do
891 echo -n "Preparing for client $node..."
892 # don't generate keytabs if it's also an MDS
893 if is_part_of $node $MY_MDSNODES; then
894 echo "also be an MDS, already done, skip"
898 add_keytab_svc $tmptab $node root $CLIENT_ENCTYPE || \
899 return ${PIPESTATUS[0]}
900 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
904 for node in $MY_CLIENTNODES; do
905 echo -n "Installing krb5.keytab on client $node..."
907 # don't install if it's also an MDS
908 if is_part_of $node $MY_MDSNODES; then
909 echo "also be an MDS, already done, skip"
913 # merge keytab if it's also an MGS
914 if is_part_of $node $MY_MGSNODE; then
915 echo -n "also be an MGS, merging keytab..."
916 merge_keytab $tmptab $node || return ${PIPESTATUS[0]}
921 # merge keytab if it's also an OSS
922 if is_part_of $node $MY_OSSNODES; then
923 echo -n "also be an OSS, merging keytab..."
924 merge_keytab $tmptab $node || return ${PIPESTATUS[0]}
929 # simply install otherwise
930 $SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
933 rm -f $tmptab || true
936 check_acceptor_port() {
940 if [ -z "$port" ]; then
941 echo "Missing acceptor port!"
947 while [ $WAIT -lt $MAX_WAIT ]; do
949 my_do_node $node "netstat -tpan" | grep -q ":$port .*TIME_WAIT"
950 if [ ${PIPESTATUS[1]} -ne 0 ]; then
956 echo "LNET acceptor port $port is in use on node $node!"
967 # get the fqdn of the local host
968 local_fqdn=$(get_fqdn $HOSTNAME)
970 if [ $rc -ne 0 ]; then
975 for node in $MY_CLIENTNODES; do
976 my_do_node $node lsmod | grep -q lnet || \
977 my_do_node $node "modprobe lnet" || {
978 if [ "$node" = "$local_fqdn" ]; then
979 lsmod | grep -q lnet || load_modules
981 echo "Failed to load lnet module on node $node!"
986 check_acceptor_port $node $ACCEPTOR_PORT || return ${PIPESTATUS[0]}
988 nid=$(set +x; my_do_node $node \
989 "$LCTL net up 1>/dev/null && $LCTL list_nids" 2>&1 | head -n1
990 exit ${PIPESTATUS[0]})
992 if [ $rc -ne 0 ]; then
993 echo "Failed to get the nid for node $node: $nid"
996 [ -z "$client_nids" ] && client_nids="$nid" \
997 || client_nids="$client_nids $nid"
999 my_do_node $node "$LCTL net down 1>/dev/null" || true
# create and install idmap.conf on the MDS. Note that the client root
# principals (lustre_root[/fqdn]) are mapped to uid 0 with a "*" NID wildcard,
# i.e. from any NID, whereas the runas users are restricted to the client NIDs.
1010 local tmpcfg="$TMP/idmap.conf"
1014 local client_nids client_nid
1017 echo "+++ Installing idmap.conf on MDS"
1018 echo "Getting Client NID..."
1019 client_nids=$(get_client_nids)
1021 if [ $rc -ne 0 ]; then
1027 if $SPLIT_KEYTAB; then
1028 for fqdn in $MY_CLIENTNODES; do
1029 echo "lustre_root/$fqdn@$KRB5_REALM * 0" >> $tmpcfg
1032 echo "lustre_root@$KRB5_REALM * 0" >> $tmpcfg
1034 cat <<EOF >> $tmpcfg
1036 daemon@$KRB5_REALM * 2
1037 games@$KRB5_REALM * 12
1040 for node in $MY_MDSNODES; do
1041 for uid in $LOCAL_UIDS; do
1042 user=$(my_do_node $node getent passwd $uid | cut -d: -f1)
1043 for client_nid in $client_nids; do
1044 echo "$user@$KRB5_REALM $client_nid $uid" >> $tmpcfg
1049 for node in $MY_MDSNODES; do
1050 my_do_node $node "mkdir -p $LUSTRE_CONF_DIR" || return ${PIPESTATUS[0]}
1051 $SCP $tmpcfg root@$node:$IDMAP_CONF || return ${PIPESTATUS[0]}
# create and install perm.conf on the MDS for remote ACL testing: every local
# and remote uid gets "rmtacl" and uid 0 gets "setgid", both from all NIDs ("*").
1061 local tmpcfg="$TMP/perm.conf"
1064 echo "+++ Installing perm.conf on MDS"
1067 for node in $MY_MDSNODES; do
1068 my_do_node $node "mkdir -p $LUSTRE_CONF_DIR" || return ${PIPESTATUS[0]}
1070 for uid in $LOCAL_UIDS $REMOTE_UIDS; do
1071 if ! grep -q " $uid " $tmpcfg 2>/dev/null; then
1072 echo "* $uid rmtacl" >> $tmpcfg
1076 echo "* 0 setgid" >> $tmpcfg
1078 $SCP $tmpcfg root@$node:$PERM_CONF || return ${PIPESTATUS[0]}
1084 # ******************************** Main Flow ******************************** #
1085 normalize_names || exit ${PIPESTATUS[0]}
1086 check_rsh || exit ${PIPESTATUS[0]}
1087 check_entropy || exit ${PIPESTATUS[0]}
1090 check_users || exit ${PIPESTATUS[0]}
1091 elif $CFG_IDMAP; then
1092 echo "Remote ACL operations need local and remote users!"
1096 check_kdc || exit ${PIPESTATUS[0]}
1097 check_krb5 || exit ${PIPESTATUS[0]}
1098 check_libgssapi || exit ${PIPESTATUS[0]}
1100 echo "===================================================================="
1101 echo " Configure Kerberos testing environment for Lustre"
1102 echo " KDC: $MY_KDCNODE"
1103 echo " realm: $KRB5_REALM, domain: $KRB5_DOMAIN"
1104 echo " Using gssapi package: $LIBGSSAPI"
1108 for i in $MY_OSSNODES; do echo " $i"; done
1110 for i in $MY_MDSNODES; do echo " $i"; done
1111 echo " CLIENT nodes:"
1112 for i in $MY_CLIENTNODES; do echo " $i"; done
1113 echo "===================================================================="
1115 cfg_nfs_mount || exit ${PIPESTATUS[0]}
1116 cfg_libgssapi || exit ${PIPESTATUS[0]}
1117 cfg_keyutils || exit ${PIPESTATUS[0]}
1120 cfg_krb5_conf || exit ${PIPESTATUS[0]}
1121 cfg_kdc || exit ${PIPESTATUS[0]}
1124 cfg_kdc_princs || exit ${PIPESTATUS[0]}
1125 cfg_keytab || exit ${PIPESTATUS[0]}
1128 cfg_idmap_conf || exit ${PIPESTATUS[0]}
1129 cfg_perm_conf || exit ${PIPESTATUS[0]}
1132 echo "Complete successfully!"