#!/bin/bash
#
-# Run select tests by setting SEC_ONLY, or as arguments to the script.
+# Run select tests by setting ONLY, or as arguments to the script.
# Skip specific tests by setting EXCEPT.
#
set -e
+ONLY=${ONLY:-"$*"}
+# bug number for skipped test: 19430 19967 19967
+ALWAYS_EXCEPT=" 2 5 6 $SANITY_SEC_EXCEPT"
+# UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
+
+[ "$ALWAYS_EXCEPT$EXCEPT" ] && \
+ echo "Skipping tests: $ALWAYS_EXCEPT $EXCEPT"
+
SRCDIR=`dirname $0`
export PATH=$PWD/$SRCDIR:$SRCDIR:$PWD/$SRCDIR/../utils:$PATH:/sbin
+export NAME=${NAME:-local}
-SEC_ONLY=${SEC_ONLY:-"$*"}
-ALWAYS_EXCEPT=${ALWAYS_EXCEPT:-""}
-# UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
+LUSTRE=${LUSTRE:-`dirname $0`/..}
+. $LUSTRE/tests/test-framework.sh
+init_test_env $@
+. ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
+init_logging
-[ "$ALWAYS_EXCEPT$EXCEPT" ] && \
- echo "Skipping tests: `echo $ALWAYS_EXCEPT $EXCEPT`"
+RUNAS="runas"
+
+WTL=${WTL:-"$LUSTRE/tests/write_time_limit"}
+
+CONFDIR=/etc/lustre
+PERM_CONF=$CONFDIR/perm.conf
+FAIL_ON_ERROR=false
+
+HOSTNAME_CHECKSUM=$(hostname | sum | awk '{ print $1 }')
+SUBNET_CHECKSUM=$(expr $HOSTNAME_CHECKSUM % 250 + 1)
+NODEMAP_COUNT=10
+NODEMAP_RANGE_COUNT=3
+NODEMAP_IPADDR_COUNT=30
+NODEMAP_MAX_ID=600
+
+require_dsh_mds || exit 0
+require_dsh_ost || exit 0
-TMP=${TMP:-/tmp}
-LFS=${LFS:-lfs}
-LCTL=${LCTL:-lctl}
-RUNAS=${RUNAS:-runas}
+ID0=${ID0:-500}
+ID1=${ID1:-501}
+USER0=`cat /etc/passwd|grep :$ID0:$ID0:|cut -d: -f1`
+USER1=`cat /etc/passwd|grep :$ID1:$ID1:|cut -d: -f1`
+
+[ -z "$USER0" ] && \
+ echo "Please add user0 (uid=$ID0 gid=$ID0)! Skip sanity-sec" && exit 0
+
+[ -z "$USER1" ] && \
+ echo "Please add user1 (uid=$ID1 gid=$ID1)! Skip sanity-sec" && exit 0
-log() {
- echo "$*"
- $LCTL mark "$*" 2> /dev/null || true
+check_and_setup_lustre
+
+sec_cleanup() {
+ if [ "$I_MOUNTED" = "yes" ]; then
+ cleanupall -f || error "sec_cleanup"
+ fi
}
-SANITYSECLOG=${SANITYSECLOG:-/tmp/sanity-sec.log}
+DIR=${DIR:-$MOUNT}
+[ -z "`echo $DIR | grep $MOUNT`" ] && \
+ error "$DIR not in $MOUNT" && sec_cleanup && exit 1
-[ "$SANITYSECLOG" ] && rm -f $SANITYSECLOG || true
+[ `echo $MOUNT | wc -w` -gt 1 ] && \
+ echo "NAME=$MOUNT mounted more than once" && sec_cleanup && exit 0
-sec_error() {
- log "FAIL: $TESTNAME $@"
- if [ "$SANITYSECLOG" ]; then
- echo "FAIL: $TESTNAME $@" >> $SANITYSECLOG
- else
+[ $MDSCOUNT -gt 1 ] && \
+ echo "skip multi-MDS test" && sec_cleanup && exit 0
+
+# for GSS_SUP
+GSS_REF=$(lsmod | grep ^ptlrpc_gss | awk '{print $3}')
+if [ ! -z "$GSS_REF" -a "$GSS_REF" != "0" ]; then
+ GSS_SUP=1
+ echo "with GSS support"
+else
+ GSS_SUP=0
+ echo "without GSS support"
+fi
+
+MDT=$(do_facet $SINGLEMDS lctl get_param -N "mdt.\*MDT0000" |
+ cut -d. -f2 || true)
+[ -z "$MDT" ] && error "fail to get MDT device" && exit 1
+do_facet $SINGLEMDS "mkdir -p $CONFDIR"
+IDENTITY_FLUSH=mdt.$MDT.identity_flush
+MDSCAPA=mdt.$MDT.capa
+CAPA_TIMEOUT=mdt.$MDT.capa_timeout
+MDSSECLEVEL=mdt.$MDT.sec_level
+
+# for CLIENT_TYPE
+if [ -z "$(lctl get_param -n llite.*.client_type | grep remote 2>/dev/null)" ]; then
+ CLIENT_TYPE="local"
+ echo "local client"
+else
+ CLIENT_TYPE="remote"
+ echo "remote client"
+fi
+
+SAVE_PWD=$PWD
+
+build_test_filter
+
+sec_login() {
+ local user=$1
+ local group=$2
+
+ if ! $RUNAS -u $user krb5_login.sh; then
+ error "$user login kerberos failed."
exit 1
fi
+
+ if ! $RUNAS -u $user -g $group ls $DIR > /dev/null 2>&1; then
+ $RUNAS -u $user lfs flushctx -k
+ $RUNAS -u $user krb5_login.sh
+ if ! $RUNAS -u $user -g $group ls $DIR > /dev/null 2>&1; then
+ error "init $user $group failed."
+ exit 2
+ fi
+ fi
}
-pass() {
- echo PASS $@
+declare -a identity_old
+
+sec_setup() {
+ for num in `seq $MDSCOUNT`; do
+ switch_identity $num true || identity_old[$num]=$?
+ done
+
+ if ! $RUNAS -u $ID0 ls $DIR > /dev/null 2>&1; then
+ sec_login $USER0 $USER0
+ fi
+
+ if ! $RUNAS -u $ID1 ls $DIR > /dev/null 2>&1; then
+ sec_login $USER1 $USER1
+ fi
}
+sec_setup
-ID1=500
-ID2=501
+# run as different user
+test_0() {
+ umask 0022
-USER1=`cat /etc/passwd|grep :$ID1:$ID1:|cut -d: -f1`
-USER2=`cat /etc/passwd|grep :$ID2:$ID2:|cut -d: -f1`
+ chmod 0755 $DIR || error "chmod (1)"
+ rm -rf $DIR/$tdir || error "rm (1)"
+ mkdir -p $DIR/$tdir || error "mkdir (1)"
-if [ ! "$USER1" ]; then
- echo "===== Please add user1 (uid=$ID1 gid=$ID1)! Skip sanity-sec ====="
- sec_error "===== Please add user1 (uid=$ID1 gid=$ID1)! ====="
- exit 0
-fi
+ if [ "$CLIENT_TYPE" = "remote" ]; then
+ do_facet $SINGLEMDS "echo '* 0 normtown' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ chown $USER0 $DIR/$tdir && error "chown (1)"
+ do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ else
+ chown $USER0 $DIR/$tdir || error "chown (2)"
+ fi
-if [ ! "$USER2" ]; then
- echo "===== Please add user2 (uid=$ID2 gid=$ID2)! Skip sanity-sec ====="
- sec_error "===== Please add user2 (uid=$ID2 gid=$ID2)! ====="
- exit 0
-fi
+ $RUNAS -u $ID0 ls $DIR || error "ls (1)"
+ rm -f $DIR/f0 || error "rm (2)"
+ $RUNAS -u $ID0 touch $DIR/f0 && error "touch (1)"
+ $RUNAS -u $ID0 touch $DIR/$tdir/f1 || error "touch (2)"
+ $RUNAS -u $ID1 touch $DIR/$tdir/f2 && error "touch (3)"
+ touch $DIR/$tdir/f3 || error "touch (4)"
+ chown root $DIR/$tdir || error "chown (3)"
+ chgrp $USER0 $DIR/$tdir || error "chgrp (1)"
+ chmod 0775 $DIR/$tdir || error "chmod (2)"
+ $RUNAS -u $ID0 touch $DIR/$tdir/f4 || error "touch (5)"
+ $RUNAS -u $ID1 touch $DIR/$tdir/f5 && error "touch (6)"
+ touch $DIR/$tdir/f6 || error "touch (7)"
+ rm -rf $DIR/$tdir || error "rm (3)"
-export NAME=${NAME:-local}
+ if [ "$CLIENT_TYPE" = "remote" ]; then
+ do_facet $SINGLEMDS "rm -f $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ fi
+}
+run_test 0 "uid permission ============================="
-LUSTRE=${LUSTRE:-`dirname $0`/..}
-. $LUSTRE/tests/test-framework.sh
-init_test_env $@
-. ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
+# setuid/gid
+test_1() {
+ [ $GSS_SUP = 0 ] && skip "without GSS support." && return
-if [ ! -z "$USING_KRB5" ]; then
- $RUNAS -u $ID1 krb5_login.sh || exit 1
- $RUNAS -u $ID2 krb5_login.sh || exit 1
-fi
+ if [ "$CLIENT_TYPE" = "remote" ]; then
+ do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ fi
-sec_run_one() {
- BEFORE=`date +%s`
- log "== test $1 $2= `date +%H:%M:%S` ($BEFORE)"
- export TESTNAME=test_$1
- test_$1 || sec_error "exit with rc=$?"
- unset TESTNAME
- pass "($((`date +%s` - $BEFORE))s)"
-}
-
-build_test_filter() {
- for O in $SEC_ONLY; do
- eval SEC_ONLY_${O}=true
- done
- for E in $EXCEPT $ALWAYS_EXCEPT; do
- eval EXCEPT_${E}=true
- done
-}
-
-_basetest() {
- echo $*
-}
-
-basetest() {
- IFS=abcdefghijklmnopqrstuvwxyz _basetest $1
-}
-
-sec_run_test() {
- base=`basetest $1`
- if [ "$SEC_ONLY" ]; then
- testname=SEC_ONLY_$1
- if [ ${!testname}x != x ]; then
- sec_run_one $1 "$2"
- return $?
- fi
- testname=SEC_ONLY_$base
- if [ ${!testname}x != x ]; then
- sec_run_one $1 "$2"
- return $?
- fi
- echo -n "."
- return 0
- fi
- testname=EXCEPT_$1
- if [ ${!testname}x != x ]; then
- echo "skipping excluded test $1"
- return 0
- fi
- testname=EXCEPT_$base
- if [ ${!testname}x != x ]; then
- echo "skipping excluded test $1 (base $base)"
- return 0
- fi
- sec_run_one $1 "$2"
- return $?
+ rm -rf $DIR/$tdir
+ mkdir -p $DIR/$tdir
+
+ chown $USER0 $DIR/$tdir || error "chown (1)"
+ $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f0 && error "touch (2)"
+ echo "enable uid $ID1 setuid"
+ do_facet $SINGLEMDS "echo '* $ID1 setuid' >> $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f1 || error "touch (3)"
+
+ chown root $DIR/$tdir || error "chown (4)"
+ chgrp $USER0 $DIR/$tdir || error "chgrp (5)"
+ chmod 0770 $DIR/$tdir || error "chmod (6)"
+ $RUNAS -u $ID1 -g $ID1 touch $DIR/$tdir/f2 && error "touch (7)"
+ $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f3 && error "touch (8)"
+ echo "enable uid $ID1 setuid,setgid"
+ do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f4 || error "touch (9)"
+ $RUNAS -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/$tdir/f5 || error "touch (10)"
+
+ rm -rf $DIR/$tdir
+
+ do_facet $SINGLEMDS "rm -f $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
}
+run_test 1 "setuid/gid ============================="
-mounted_lustre_filesystems() {
- awk '($3 ~ "lustre" && $1 ~ ":") { print $2 }' /proc/mounts
+run_rmtacl_subtest() {
+ $SAVE_PWD/rmtacl/run $SAVE_PWD/rmtacl/$1.test
+ return $?
}
-MOUNTED="`mounted_lustre_filesystems`"
-if [ -z "$MOUNTED" ]; then
- formatall
- setupall
- MOUNTED="`mounted_lustre_filesystems`"
- [ -z "$MOUNTED" ] && sec_error "NAME=$NAME not mounted"
- S_MOUNTED=yes
-fi
+# remote_acl
+# for remote client only
+test_2 () {
+ [ "$CLIENT_TYPE" = "local" ] && \
+ skip "remote_acl for remote client only" && return
+ [ -z "$(lctl get_param -n mdc.*-mdc-*.connect_flags | grep ^acl)" ] && \
+ skip "must have acl enabled" && return
+ [ -z "$(which setfacl 2>/dev/null)" ] && \
+ skip "could not find setfacl" && return
+ [ "$UID" != 0 ] && skip "must run as root" && return
-[ `echo $MOUNT | wc -w` -gt 1 ] && sec_error "NAME=$NAME mounted more than once"
+ do_facet $SINGLEMDS "echo '* 0 rmtacl,rmtown' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
-DIR=${DIR:-$MOUNT}
-[ -z "`echo $DIR | grep $MOUNT`" ] && echo "$DIR not in $MOUNT" && \
- sec_cleanup && exit 99
+ sec_login root root
+ sec_login bin bin
+ sec_login daemon daemon
+ sec_login games users
-[ `ls -l $LPROC/ldlm 2> /dev/null | grep lustre-MDT | wc -l` -gt 1 ] \
- && echo "skip multi-MDS test" && sec_cleanup && exit 0
+ SAVE_UMASK=`umask`
+ umask 0022
+ cd $DIR
-if [ -z "`lsmod | grep mdt`" ]; then
- LOCAL_MDT=0
- echo "remote mdt"
- EXCEPT="$EXCEPT 1 3"
-else
- LOCAL_MDT=1
- echo "local mdt"
- EXCEPT="$EXCEPT 1 2 3"
-fi
+ echo "performing cp ..."
+ run_rmtacl_subtest cp || error "cp"
+ echo "performing getfacl-noacl..."
+ run_rmtacl_subtest getfacl-noacl || error "getfacl-noacl"
+ echo "performing misc..."
+ run_rmtacl_subtest misc || error "misc"
+ echo "performing permissions..."
+ run_rmtacl_subtest permissions || error "permissions"
+ echo "performing setfacl..."
+ run_rmtacl_subtest setfacl || error "setfacl"
-LPROC=/proc/fs/lustre
-ENABLE_IDENTITY=/usr/sbin/l_getidentity
-DISABLE_IDENTITY=NONE
-LUSTRE_CONF_DIR=/etc/lustre
-SETXID_CONF=$LUSTRE_CONF_DIR/setxid.conf
-SETXID_CONF_BAK=$LUSTRE_CONF_DIR/setxid.conf.bak
-
-if [ $LOCAL_MDT -eq 1 ]; then
- MDT=$(\ls $LPROC/mdt 2> /dev/null | grep -v num_refs | tail -n 1)
- IDENTITY_UPCALL=$LPROC/mdt/$MDT/identity_upcall
- IDENTITY_UPCALL_BAK=`more $IDENTITY_UPCALL`
- IDENTITY_FLUSH=$LPROC/mdt/$MDT/identity_flush
- ROOTSQUASH_UID=$LPROC/mdt/$MDT/rootsquash_uid
- ROOTSQUASH_GID=$LPROC/mdt/$MDT/rootsquash_gid
- NOSQUASH_NIDS=$LPROC/mdt/$MDT/nosquash_nids
-fi
+ # inheritance test got from HP
+ echo "performing inheritance..."
+ cp $SAVE_PWD/rmtacl/make-tree .
+ chmod +x make-tree
+ run_rmtacl_subtest inheritance || error "inheritance"
+ rm -f make-tree
-CLIENT_TYPE=$LPROC/llite/*/client_type
-grep "local client" $CLIENT_TYPE > /dev/null 2>&1 && EXCEPT="$EXCEPT 2"
-grep "remote client" $CLIENT_TYPE > /dev/null 2>&1 && EXCEPT="$EXCEPT 1 3"
+ cd $SAVE_PWD
+ umask $SAVE_UMASK
-build_test_filter
+ do_facet $SINGLEMDS "rm -f $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+}
+run_test 2 "rmtacl ============================="
-setup() {
- if [ -f "$SETXID_CONF" ]; then
- mv -f $SETXID_CONF $SETXID_CONF_BAK
+# rootsquash
+# root_squash will be redesigned in Lustre 1.7
+test_3() {
+ skip "root_squash will be redesigned in Lustre 1.7" && return
+}
+run_test 3 "rootsquash ============================="
+
+# bug 3285 - supplementary group should always succeed.
+# NB: the supplementary groups are set for local client only,
+# as for remote client, the groups of the specified uid on MDT
+# will be obtained by upcall /sbin/l_getidentity and used.
+test_4() {
+ if [ "$CLIENT_TYPE" = "remote" ]; then
+ do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ fi
+
+ rm -rf $DIR/$tdir
+ mkdir -p $DIR/$tdir
+ chmod 0771 $DIR/$tdir
+ chgrp $ID0 $DIR/$tdir
+ $RUNAS -u $ID0 ls $DIR/$tdir || error "setgroups (1)"
+ if [ "$CLIENT_TYPE" = "local" ]; then
+ do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ $RUNAS -u $ID1 -G1,2,$ID0 ls $DIR/$tdir || error "setgroups (2)"
+ fi
+ $RUNAS -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)"
+ rm -rf $DIR/$tdir
+
+ do_facet $SINGLEMDS "rm -f $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+}
+run_test 4 "set supplementary group ==============="
+
+mds_capability_timeout() {
+ [ $# -lt 1 ] && echo "Miss mds capability timeout value" && return 1
+
+ echo "Set mds capability timeout as $1 seconds"
+ do_facet $SINGLEMDS "lctl set_param -n $CAPA_TIMEOUT=$1"
+ return 0
+}
+
+mds_sec_level_switch() {
+ [ $# -lt 1 ] && echo "Miss mds sec level switch value" && return 1
+
+ case $1 in
+ 0) echo "Disable capa for all clients";;
+ 1) echo "Enable capa for remote client";;
+ 3) echo "Enable capa for all clients";;
+ *) echo "Invalid mds sec level switch value" && return 2;;
+ esac
+
+ do_facet $SINGLEMDS "lctl set_param -n $MDSSECLEVEL=$1"
+ return 0
+}
+
+oss_sec_level_switch() {
+ [ $# -lt 1 ] && echo "Miss oss sec level switch value" && return 1
+
+ case $1 in
+ 0) echo "Disable capa for all clients";;
+ 1) echo "Enable capa for remote client";;
+ 3) echo "Enable capa for all clients";;
+ *) echo "Invalid oss sec level switch value" && return 2;;
+ esac
+
+ for i in `seq $OSTCOUNT`; do
+ local j=`expr $i - 1`
+ local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
+ [ -z "$OST" ] && return 3
+ do_facet ost$i "lctl set_param -n obdfilter.$OST.sec_level=$1"
+ done
+ return 0
+}
+
+mds_capability_switch() {
+ [ $# -lt 1 ] && echo "Miss mds capability switch value" && return 1
+
+ case $1 in
+ 0) echo "Turn off mds capability";;
+ 3) echo "Turn on mds capability";;
+ *) echo "Invalid mds capability switch value" && return 2;;
+ esac
+
+ do_facet $SINGLEMDS "lctl set_param -n $MDSCAPA=$1"
+ return 0
+}
+
+oss_capability_switch() {
+ [ $# -lt 1 ] && echo "Miss oss capability switch value" && return 1
+
+ case $1 in
+ 0) echo "Turn off oss capability";;
+ 1) echo "Turn on oss capability";;
+ *) echo "Invalid oss capability switch value" && return 2;;
+ esac
+
+ for i in `seq $OSTCOUNT`; do
+ local j=`expr $i - 1`
+ local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
+ [ -z "$OST" ] && return 3
+ do_facet ost$i "lctl set_param -n obdfilter.$OST.capa=$1"
+ done
+ return 0
+}
+
+turn_mds_capa_on() {
+ mds_capability_switch 3 || return 1
+ mds_sec_level_switch 3 || return 2
+ return 0
+}
+
+turn_oss_capa_on() {
+ oss_capability_switch 1 || return 1
+ oss_sec_level_switch 3 || return 2
+ return 0
+}
+
+turn_capability_on() {
+ local capa_timeout=${1:-"1800"}
+
+ # To turn on fid capability for the system,
+ # there is a requirement that fid capability
+ # is turned on on all MDS/OSS servers before
+ # client mount.
+
+ turn_mds_capa_on || return 1
+ turn_oss_capa_on || return 2
+ mds_capability_timeout $capa_timeout || return 3
+ remount_client $MOUNT || return 4
+ return 0
+}
+
+turn_mds_capa_off() {
+ mds_sec_level_switch 0 || return 1
+ mds_capability_switch 0 || return 2
+ return 0
+}
+
+turn_oss_capa_off() {
+ oss_sec_level_switch 0 || return 1
+ oss_capability_switch 0 || return 2
+ return 0
+}
+
+turn_capability_off() {
+ # to turn off fid capability, you can just do
+ # it in a live system. But, please turn off
+ # capability of all OSS servers before MDS servers.
+
+ turn_oss_capa_off || return 1
+ turn_mds_capa_off || return 2
+ return 0
+}
+
+# We demonstrate that access to the objects in the filesystem are not
+# accessible without supplying secrets from the MDS by disabling a
+# proc variable on the mds so that it does not supply secrets. We then
+# try and access objects which result in failure.
+test_5() {
+ local file=$DIR/f5
+
+ [ $GSS_SUP = 0 ] && skip "without GSS support." && return
+ if ! remote_mds; then
+ skip "client should be separated from server."
+ return
+ fi
+
+ rm -f $file
+
+ turn_capability_off
+ if [ $? != 0 ]; then
+ error "turn_capability_off"
+ return 1
+ fi
+
+ turn_oss_capa_on
+ if [ $? != 0 ]; then
+ error "turn_oss_capa_on"
+ return 2
+ fi
+
+ if [ "$CLIENT_TYPE" = "remote" ]; then
+ remount_client $MOUNT && return 3
+ turn_oss_capa_off
+ return 0
else
- rm -f $SETXID_CONF_BAK
+ remount_client $MOUNT || return 4
fi
- if [ $LOCAL_MDT -eq 1 ]; then
- echo $ENABLE_IDENTITY > $IDENTITY_UPCALL
- echo -1 > $IDENTITY_FLUSH
+ # proc variable disabled -- access to the objects in the filesystem
+ # is not allowed
+ echo "Should get Write error here : (proc variable are disabled "\
+ "-- access to the objects in the filesystem is denied."
+ $WTL $file 30
+ if [ $? == 0 ]; then
+ error "Write worked well even though secrets not supplied."
+ return 5
+ fi
+
+ turn_capability_on
+ if [ $? != 0 ]; then
+ error "turn_capability_on"
+ return 6
fi
- $RUNAS -u $ID1 ls $DIR
- $RUNAS -u $ID2 ls $DIR
+ sleep 5
+
+ # proc variable enabled, secrets supplied -- write should work now
+ echo "Should not fail here : (proc variable enabled, secrets supplied "\
+ "-- write should work now)."
+ $WTL $file 30
+ if [ $? != 0 ]; then
+ error "Write failed even though secrets supplied."
+ return 7
+ fi
+
+ turn_capability_off
+ if [ $? != 0 ]; then
+ error "turn_capability_off"
+ return 8
+ fi
+ rm -f $file
}
-setup
+run_test 5 "capa secrets ========================="
-# run as different user
-test_0() {
- rm -rf $DIR/d0
- mkdir $DIR/d0
-
- chown $USER1 $DIR/d0 || sec_error
- $RUNAS -u $ID1 ls $DIR || sec_error
- $RUNAS -u $ID1 touch $DIR/f0 && sec_error
- $RUNAS -u $ID1 touch $DIR/d0/f1 || sec_error
- $RUNAS -u $ID2 touch $DIR/d0/f2 && sec_error
- touch $DIR/d0/f3 || sec_error
- chown root $DIR/d0
- chgrp $USER1 $DIR/d0
- chmod 775 $DIR/d0
- $RUNAS -u $ID1 touch $DIR/d0/f4 || sec_error
- $RUNAS -u $ID2 touch $DIR/d0/f5 && sec_error
- touch $DIR/d0/f6 || sec_error
-
- rm -rf $DIR/d0
-}
-sec_run_test 0 "uid permission ============================="
+# Expiry: A test program is performing I/O on a file. It has credential
+# with an expiry half a minute later. While the program is running the
+# credentials expire and no automatic extensions or renewals are
+# enabled. The program will demonstrate an I/O failure.
+test_6() {
+ local file=$DIR/f6
-# setuid/gid
-test_1() {
- rm -rf $DIR/d1
- mkdir $DIR/d1
-
- chown $USER1 $DIR/d1 || sec_error
- $RUNAS -u $ID2 -v $ID1 touch $DIR/d1/f0 && sec_error
- echo "* $ID2 setuid" > $SETXID_CONF
- echo "enable uid $ID2 setuid"
- echo -1 > $IDENTITY_FLUSH
- $RUNAS -u $ID2 -v $ID1 touch $DIR/d1/f1 || sec_error
-
- chown root $DIR/d1
- chgrp $USER1 $DIR/d1
- chmod 770 $DIR/d1
- $RUNAS -u $ID2 -g $ID2 touch $DIR/d1/f2 && sec_error
- echo "* $ID2 setuid,setgid" > $SETXID_CONF
- echo "enable uid $ID2 setuid,setgid"
- echo -1 > $IDENTITY_FLUSH
- $RUNAS -u $ID2 -g $ID2 -j $ID1 touch $DIR/d1/f3 || sec_error
- $RUNAS -u $ID2 -v $ID1 -g $ID2 -j $ID1 touch $DIR/d1/f4 || sec_error
-
- rm -f $SETXID_CONF
- rm -rf $DIR/d1
- echo -1 > $IDENTITY_FLUSH
-}
-sec_run_test 1 "setuid/gid ============================="
-
-# lfs getfacl/setfacl
-test_2() {
- rm -rf $DIR/d2
- mkdir $DIR/d2
- chmod 755 $DIR/d2
- echo xxx > $DIR/d2/f0
- chmod 644 $DIR/d2/f0
-
- $LFS getfacl $DIR/d2/f0 || sec_error
- $RUNAS -u $ID1 cat $DIR/d2/f0 || sec_error
- $RUNAS -u $ID1 touch $DIR/d2/f0 && sec_error
-
- $LFS setfacl -m u:$USER1:w $DIR/d2/f0 || sec_error
- $LFS getfacl $DIR/d2/f0 || sec_error
- echo "set user $USER1 write permission on file $DIR/d2/fo"
- $RUNAS -u $ID1 touch $DIR/d2/f0 || sec_error
- $RUNAS -u $ID1 cat $DIR/d2/f0 && sec_error
-
- rm -rf $DIR/d2
-}
-sec_run_test 2 "lfs getfacl/setfacl ============================="
+ [ $GSS_SUP = 0 ] && skip "without GSS support." && return
+ if ! remote_mds; then
+ skip "client should be separated from server."
+ return
+ fi
-# rootsquash
-test_3() {
- $LCTL conf_param $MDT.mdt.nosquash_nids=none
- while grep LNET_NID_ANY $NOSQUASH_NIDS > /dev/null; do sleep 1; done
- $LCTL conf_param $MDT.mdt.rootsquash_uid=0
- while [ "`cat $ROOTSQUASH_UID`" -ne 0 ]; do sleep 1; done
- $LCTL conf_param $MDT.mdt.rootsquash_gid=0
- while [ "`cat $ROOTSQUASH_GID`" -ne 0 ]; do sleep 1; done
-
- rm -rf $DIR/d3
- mkdir $DIR/d3
- chown $USER1 $DIR/d3
- chmod 700 $DIR/d3
- $LCTL conf_param $MDT.mdt.rootsquash_uid=$ID1
- echo "set rootsquash uid = $ID1"
- while [ "`cat $ROOTSQUASH_UID`" -ne $ID1 ]; do sleep 1; done
- touch $DIR/f3_0 && sec_error
- touch $DIR/d3/f3_1 || sec_error
-
- $LCTL conf_param $MDT.mdt.rootsquash_uid=0
- echo "disable rootsquash"
- while [ "`cat $ROOTSQUASH_UID`" -ne 0 ]; do sleep 1; done
- chown root $DIR/d3
- chgrp $USER2 $DIR/d3
- chmod 770 $DIR/d3
-
- $LCTL conf_param $MDT.mdt.rootsquash_uid=$ID1
- echo "set rootsquash uid = $ID1"
- while [ "`cat $ROOTSQUASH_UID`" -ne $ID1 ]; do sleep 1; done
- touch $DIR/d3/f3_2 && sec_error
- $LCTL conf_param $MDT.mdt.rootsquash_gid=$ID2
- echo "set rootsquash gid = $ID2"
- while [ "`cat $ROOTSQUASH_GID`" -ne $ID2 ]; do sleep 1; done
- touch $DIR/d3/f3_3 || sec_error
-
- $LCTL conf_param $MDT.mdt.nosquash_nids=*
- echo "add host in rootsquash skip list"
- while ! grep LNET_NID_ANY $NOSQUASH_NIDS > /dev/null;
- do sleep 1;
+ turn_capability_off
+ if [ $? != 0 ]; then
+ error "turn_capability_off"
+ return 1
+ fi
+
+ rm -f $file
+
+ turn_capability_on 30
+ if [ $? != 0 ]; then
+ error "turn_capability_on 30"
+ return 2
+ fi
+
+ # Token expiry
+ $WTL $file 60
+ if [ $? != 0 ]; then
+ error "$WTL $file 60"
+ return 3
+ fi
+
+ # Reset MDS capability timeout
+ mds_capability_timeout 30
+ if [ $? != 0 ]; then
+ error "mds_capability_timeout 30"
+ return 4
+ fi
+
+ $WTL $file 60 &
+ local PID=$!
+ sleep 5
+
+ # To disable automatic renew, only need turn capa off on MDS.
+ turn_mds_capa_off
+ if [ $? != 0 ]; then
+ error "turn_mds_capa_off"
+ return 5
+ fi
+
+ echo "We expect I/O failure."
+ wait $PID
+ if [ $? == 0 ]; then
+ echo "no I/O failure got."
+ return 6
+ fi
+
+ turn_capability_off
+ if [ $? != 0 ]; then
+ error "turn_capability_off"
+ return 7
+ fi
+ rm -f $file
+}
+run_test 6 "capa expiry ========================="
+
+create_nodemaps() {
+ local i
+ local out
+ local rc
+
+ for (( i = 0; i < NODEMAP_COUNT; i++ )); do
+ if ! do_facet mgs $LCTL nodemap_add \
+ ${HOSTNAME_CHECKSUM}_${i}; then
+ return 1
+ fi
+ out=$(do_facet mgs $LCTL get_param \
+ nodemap.${HOSTNAME_CHECKSUM}_${i}.id)
+ ## This needs to return zero if the following statement is 1
+ rc=$(echo $out | grep -c ${HOSTNAME_CHECKSUM}_${i})
+ [[ $rc == 0 ]] && return 1
done
- touch $DIR/f3_4 || sec_error
-
- $LCTL conf_param $MDT.mdt.rootsquash_uid=0
- while [ "`cat $ROOTSQUASH_UID`" -ne 0 ]; do sleep 1; done
- $LCTL conf_param $MDT.mdt.rootsquash_gid=0
- while [ "`cat $ROOTSQUASH_GID`" -ne 0 ]; do sleep 1; done
- $LCTL conf_param $MDT.mdt.nosquash_nids=none
- rm -rf $DIR/d3
- rm -f $DIR/f3_?
-}
-sec_run_test 3 "rootsquash ============================="
-
-# bug 3285 - supplementary group should always succeed (see do_init_ucred),
-# NB: the supplementary groups are set for local client only, as for remote
-# client, the groups of the specified uid on MDT will be obtained by
-# upcall /sbin/l_getidentity and used.
-test_4() {
- mkdir $DIR/d4
- chmod 771 $DIR/d4
- chgrp $ID1 $DIR/d4
- $RUNAS -u $ID1 ls $DIR/d4 || sec_error "setgroups(1) failed"
- grep "local client" $CLIENT_TYPE > /dev/null 2>&1 && \
- ($RUNAS -u $ID2 -G1,2,$ID1 ls $DIR/d4 || \
- sec_error "setgroups(2) failed")
- $RUNAS -u $ID2 -G1,2 ls $DIR/d4 && sec_error "setgroups(3) failed"
- rm -rf $DIR/d4
-}
-sec_run_test 4 "set supplementary group ==============="
+ return 0
+}
-log "cleanup: ======================================================"
+delete_nodemaps() {
+ local i
+ local out
+ local rc
+
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! do_facet mgs $LCTL nodemap_del \
+ ${HOSTNAME_CHECKSUM}_${i}; then
+ error "nodemap_del ${HOSTNAME_CHECKSUM}_${i} \
+ failed with $rc"
+ return 3
+ fi
+ out=$(do_facet mgs $LCTL get_param \
+ nodemap.${HOSTNAME_CHECKSUM}_${i}.id)
+ rc=$(echo $out | grep -c ${HOSTNAME_CHECKSUM}_${i})
+ [[ $rc != 0 ]] && return 1
+ done
+ return 0
+}
+
+add_range() {
+ local j
+ local cmd="$LCTL nodemap_add_range"
+ local range
+ local rc=0
-unsetup() {
- if [ -f "$SETXID_CONF_BAK" ]; then
- mv -f $SETXID_CONF_BAK $SETXID_CONF
+ for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
+ range="$SUBNET_CHECKSUM.${2}.${j}.[1-253]@tcp"
+ if ! do_facet mgs $cmd --name $1 \
+ --range $range; then
+ rc=$(($rc + 1))
+ fi
+ done
+ return $rc
+}
+
+delete_range() {
+ local j
+ local cmd="$LCTL nodemap_del_range"
+ local range
+ local rc=0
+
+ for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
+ range="$SUBNET_CHECKSUM.${2}.${j}.[1-253]@tcp"
+ if ! do_facet mgs $cmd --name $1 \
+ --range $range; then
+ rc=$(($rc + 1))
+ fi
+ done
+
+ return $rc
+}
+
+add_idmaps() {
+ local i
+ local j
+ local client_id
+ local fs_id
+ local cmd="$LCTL nodemap_add_idmap"
+ local rc=0
+
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ for ((j = 500; j < NODEMAP_MAX_ID; j++)); do
+ client_id=$j
+ fs_id=$(($j + 1))
+ if ! do_facet mgs $cmd \
+ --name ${HOSTNAME_CHECKSUM}_${i} \
+ --idtype uid --idmap $client_id:$fs_id; then
+ rc=$(($rc + 1))
+ fi
+ if ! do_facet mgs $cmd \
+ --name ${HOSTNAME_CHECKSUM}_${i} \
+ --idtype gid --idmap $client_id:$fs_id; then
+ rc=$(($rc + 1))
+ fi
+ done
+ done
+
+ return $rc
+}
+
+delete_idmaps() {
+ local i
+ local j
+ local client_id
+ local fs_id
+ local cmd="$LCTL nodemap_del_idmap"
+ local rc=0
+
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ for ((j = 500; j < NODEMAP_MAX_ID; j++)); do
+ client_id=$j
+ fs_id=$(($j + 1))
+ if ! do_facet mgs $cmd \
+ --name ${HOSTNAME_CHECKSUM}_${i} \
+ --idtype uid --idmap $client_id:$fs_id; then
+ rc=$(($rc + 1))
+ fi
+ if ! do_facet mgs $cmd \
+ --name ${HOSTNAME_CHECKSUM}_${i} \
+ --idtype gid --idmap $client_id:$fs_id; then
+ rc=$(($rc + 1))
+ fi
+ done
+ done
+
+ return $rc
+}
+
+modify_flags() {
+ local i
+ local proc
+ local option
+ local cmd="$LCTL nodemap_modify"
+ local rc=0
+
+ proc[0]="admin_nodemap"
+ proc[1]="trusted_nodemap"
+ option[0]="admin"
+ option[1]="trusted"
+
+ for ((idx = 0; idx < 2; idx++)); do
+ if ! do_facet mgs $cmd --name $1 \
+ --property ${option[$idx]} \
+ --value 1; then
+ rc=$((rc + 1))
+ fi
+
+ if ! do_facet mgs $cmd --name $1 \
+ --property ${option[$idx]} \
+ --value 0; then
+ rc=$((rc + 1))
+ fi
+ done
+
+ return $rc
+}
+
+squash_id() {
+ local cmd
+
+ cmd[0]="$LCTL nodemap_modify --property squash_uid"
+ cmd[1]="$LCTL nodemap_modify --property squash_gid"
+
+ if ! do_facet mgs ${cmd[$3]} --name $1 --value $2; then
+ return 1
fi
+}
+
+test_nid() {
+ local cmd
- if [ $LOCAL_MDT -eq 1 ]; then
- echo $IDENTITY_UPCALL_BAK > $IDENTITY_UPCALL
- echo -1 > $IDENTITY_FLUSH
+ cmd="$LCTL nodemap_test_nid"
+
+ nid=$(do_facet mgs $cmd $1)
+
+ if [ $nid == $2 ]; then
+ return 0
fi
- $RUNAS -u $ID1 ls $DIR
- $RUNAS -u $ID2 ls $DIR
+ return 1
}
-unsetup
-sec_cleanup() {
- if [ "$S_MOUNTED" = "yes" ]; then
- cleanupall -f || sec_error "cleanup failed"
+test_idmap() {
+ local i
+ local j
+ local fs_id
+ local cmd="$LCTL nodemap_test_id"
+ local rc=0
+
+ ## nodemap deactivated
+ if ! do_facet mgs lctl nodemap_activate 0; then
+ return 1
fi
+ for ((id = 500; id < NODEMAP_MAX_ID; id++)); do
+ for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
+ nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
+ fs_id=$(do_facet mgs $cmd --nid $nid \
+ --idtype uid --id $id)
+ if [ $fs_id != $id ]; then
+ rc=$((rc + 1))
+ fi
+ done
+ done
+
+ ## nodemap activated
+ if ! do_facet mgs lctl nodemap_activate 1; then
+ return 2
+ fi
+
+ for ((id = 500; id < NODEMAP_MAX_ID; id++)); do
+ for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
+ nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
+ fs_id=$(do_facet mgs $cmd --nid $nid \
+ --idtype uid --id $id)
+ expected_id=$((id + 1))
+ if [ $fs_id != $expected_id ]; then
+ rc=$((rc + 1))
+ fi
+ done
+ done
+
+ ## trust client ids
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! do_facet mgs $LCTL nodemap_modify \
+ --name ${HOSTNAME_CHECKSUM}_${i} \
+ --property trusted --value 1; then
+ error "nodemap_modify ${HOSTNAME_CHECKSUM}_${i} "
+ "failed with $rc"
+ return 3
+ fi
+ done
+
+ for ((id = 500; id < NODEMAP_MAX_ID; id++)); do
+ for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
+ nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
+ fs_id=$(do_facet mgs $cmd --nid $nid \
+ --idtype uid --id $id)
+ expected_id=$((id + 1))
+ if [ $fs_id != $id ]; then
+ rc=$((rc + 1))
+ fi
+ done
+ done
+
+ ## ensure allow_root_access is enabled
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! do_facet mgs $LCTL nodemap_modify \
+ --name ${HOSTNAME_CHECKSUM}_${i} \
+ --property admin --value 1; then
+ error "nodemap_modify ${HOSTNAME_CHECKSUM}_${i} "
+ "failed with $rc"
+ return 3
+ fi
+ done
+
+ ## check that root is mapped to 99
+ for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
+ nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
+ fs_id=$(do_facet mgs $cmd --nid $nid --idtype uid --id 0)
+ expected_id=$((id + 1))
+ if [ $fs_id != 0 ]; then
+ rc=$((rc + 1))
+ fi
+ done
+
+ ## ensure allow_root_access is disabled
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! do_facet mgs $LCTL nodemap_modify \
+ --name ${HOSTNAME_CHECKSUM}_${i} \
+ --property admin --value 0; then
+ error "nodemap_modify ${HOSTNAME_CHECKSUM}_${i} "
+ "failed with $rc"
+ return 3
+ fi
+ done
+
+ ## check that root allowed
+ for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
+ nid="$SUBNET_CHECKSUM.0.${j}.100@tcp"
+ fs_id=$(do_facet mgs $cmd --nid $nid --idtype uid --id 0)
+ expected_id=$((id + 1))
+ if [ $fs_id != 99 ]; then
+ rc=$((rc + 1))
+ fi
+ done
+
+ ## reset client trust to 0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! do_facet mgs $LCTL nodemap_modify \
+ --name ${HOSTNAME_CHECKSUM}_${i} \
+ --property trusted --value 0; then
+ error "nodemap_modify ${HOSTNAME_CHECKSUM}_${i} "
+ "failed with $rc"
+ return 3
+ fi
+ done
+
+ return $rc
+}
+
+test_7() {
+ local rc
+
+ remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+ [ $(lustre_version_code $SINGLEMGS) -lt $(version_code 2.5.53) ] &&
+ skip "No nodemap on $(get_lustre_version) MGS, need 2.5.53+" &&
+ return
+
+ create_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
+
+ delete_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 2
+
+ return 0
+}
+run_test 7 "nodemap create and delete"
+
+test_8() {
+ local rc
+
+ remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+ [ $(lustre_version_code $SINGLEMGS) -lt $(version_code 2.5.53) ] &&
+ skip "No nodemap on $(get_lustre_version) MGS, need 2.5.53+" &&
+ return
+
+ # Set up nodemaps
+
+ create_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
+
+ # Try duplicates
+
+ create_nodemaps
+ rc=$?
+ [[ $rc == 0 ]] && error "duplicate nodemap_add allowed with $rc" &&
+ return 2
+
+ # Clean up
+ delete_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 3
+
+ return 0
+}
+run_test 8 "nodemap reject duplicates"
+
+test_9() {
+ local i
+ local rc
+
+ remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+ [ $(lustre_version_code $SINGLEMGS) -lt $(version_code 2.5.53) ] &&
+ skip "No nodemap on $(get_lustre_version) MGS, need 2.5.53+" &&
+ return
+
+ rc=0
+ create_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
+ rc=$((rc + 1))
+ fi
+ done
+ [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! delete_range ${HOSTNAME_CHECKSUM}_${i} $i; then
+ rc=$((rc + 1))
+ fi
+ done
+ [[ $rc != 0 ]] && error "nodemap_del_range failed with $rc" && return 4
+
+ rc=0
+ delete_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 4
+
+ return 0
+}
+run_test 9 "nodemap range add"
+
+test_10() {
+ local rc
+
+ remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+ [ $(lustre_version_code $SINGLEMGS) -lt $(version_code 2.5.53) ] &&
+ skip "No nodemap on $(get_lustre_version) MGS, need 2.5.53+" &&
+ return
+
+ rc=0
+ create_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
+ rc=$((rc + 1))
+ fi
+ done
+ [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
+ rc=$((rc + 1))
+ fi
+ done
+ [[ $rc == 0 ]] && error "nodemap_add_range duplicate add with $rc" &&
+ return 2
+
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! delete_range ${HOSTNAME_CHECKSUM}_${i} $i; then
+ rc=$((rc + 1))
+ fi
+ done
+ [[ $rc != 0 ]] && error "nodemap_del_range failed with $rc" && return 4
+
+ delete_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 5
+
+ return 0
+}
+run_test 10 "nodemap reject duplicate ranges"
+
+test_11() {
+ local rc
+
+ remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+ [ $(lustre_version_code $SINGLEMGS) -lt $(version_code 2.5.53) ] &&
+ skip "No nodemap on $(get_lustre_version) MGS, need 2.5.53+" &&
+ return
+
+ rc=0
+ create_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! modify_flags ${HOSTNAME_CHECKSUM}_${i}; then
+ rc=$((rc + 1))
+ fi
+ done
+ [[ $rc != 0 ]] && error "nodemap_modify with $rc" && return 2
+
+ rc=0
+ delete_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 3
+
+ return 0
+}
+run_test 11 "nodemap modify"
+
+test_12() {
+ local rc
+
+ remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+ [ $(lustre_version_code $SINGLEMGS) -lt $(version_code 2.5.53) ] &&
+ skip "No nodemap on $(get_lustre_version) MGS, need 2.5.53+" &&
+ return
+
+ rc=0
+ create_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 0; then
+ rc=$((rc + 1))
+ fi
+ done
+ [[ $rc != 0 ]] && error "nodemap squash_uid with $rc" && return 2
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! squash_id ${HOSTNAME_CHECKSUM}_${i} 88 1; then
+ rc=$((rc + 1))
+ fi
+ done
+ [[ $rc != 0 ]] && error "nodemap squash_gid with $rc" && return 3
+
+ rc=0
+ delete_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
+
+ return 0
+}
+run_test 12 "nodemap set squash ids"
+
+test_13() {
+ local rc
+
+ remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+ [ $(lustre_version_code $SINGLEMGS) -lt $(version_code 2.5.53) ] &&
+ skip "No nodemap on $(get_lustre_version) MGS, need 2.5.53+" &&
+ return
+
+ rc=0
+ create_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
+ rc=$((rc + 1))
+ fi
+ done
+ [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
+ for ((k = 1; k < 253; k++)); do
+ if ! test_nid $SUBNET_CHECKSUM.$i.$j.$k \
+ ${HOSTNAME_CHECKSUM}_${i}; then
+ rc=$((rc + 1))
+ fi
+ done
+ done
+ done
+ [[ $rc != 0 ]] && error "nodemap_test_nid failed with $rc" && return 3
+
+ rc=0
+ delete_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
+
+ return 0
}
+run_test 13 "test nids"
+
+test_14() {
+ local rc
+
+ remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+ [ $(lustre_version_code $SINGLEMGS) -lt $(version_code 2.5.53) ] &&
+ skip "No nodemap on $(get_lustre_version) MGS, need 2.5.53+" &&
+ return
+
+ rc=0
+ create_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ for ((j = 0; j < NODEMAP_RANGE_COUNT; j++)); do
+ for ((k = 1; k < 253; k++)); do
+ if ! test_nid $SUBNET_CHECKSUM.$i.$j.$k \
+ default; then
+ rc=$((rc + 1))
+ fi
+ done
+ done
+ done
+ [[ $rc != 0 ]] && error "nodemap_test_nid failed with $rc" && return 3
+
+ rc=0
+ delete_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_del failed with $rc" && return 4
+
+ return 0
+}
+run_test 14 "test default nodemap nid lookup"
+
+test_15() {
+ local rc
+
+ remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+ [ $(lustre_version_code $SINGLEMGS) -lt $(version_code 2.5.53) ] &&
+ skip "No nodemap on $(get_lustre_version) MGS, need 2.5.53+" &&
+ return
+
+ rc=0
+ create_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add failed with $rc" && return 1
+
+ rc=0
+ for ((i = 0; i < NODEMAP_COUNT; i++)); do
+ if ! add_range ${HOSTNAME_CHECKSUM}_${i} $i; then
+ rc=$((rc + 1))
+ fi
+ done
+ [[ $rc != 0 ]] && error "nodemap_add_range failed with $rc" && return 2
+
+ rc=0
+ add_idmaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_add_idmap failed with $rc" && return 3
+
+ rc=0
+ test_idmap
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_test_id failed with $rc" && return 4
+
+ rc=0
+ delete_idmaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_del_idmap failed with $rc" && return 5
+
+ rc=0
+ delete_nodemaps
+ rc=$?
+ [[ $rc != 0 ]] && error "nodemap_delete failed with $rc" && return 6
+
+ return 0
+}
+run_test 15 "test id mapping"
+
+log "cleanup: ======================================================"
+
+sec_unsetup() {
+ for num in `seq $MDSCOUNT`; do
+ if [ "${identity_old[$num]}" = 1 ]; then
+ switch_identity $num false || identity_old[$num]=$?
+ fi
+ done
+
+ $RUNAS -u $ID0 ls $DIR
+ $RUNAS -u $ID1 ls $DIR
+}
+sec_unsetup
+
sec_cleanup
-echo '=========================== finished ==============================='
-[ -f "$SANITYSECLOG" ] && cat $SANITYSECLOG && exit 1 || true
+complete $SECONDS
+exit_status