set -e
ONLY=${ONLY:-"$*"}
-# bug number for skipped test:
-ALWAYS_EXCEPT=${ALWAYS_EXCEPT:-"$SANITY_SELINUX_EXCEPT"}
-# UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
-
-SRCDIR=$(dirname $0)
-SAVE_PWD=$PWD
LUSTRE=${LUSTRE:-$(dirname $0)/..}
. $LUSTRE/tests/test-framework.sh
init_test_env $@
-. ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
init_logging
-require_dsh_mds || exit 0
+ALWAYS_EXCEPT="$SANITY_SELINUX_EXCEPT"
[ "$SLOW" = "no" ] && EXCEPT_SLOW="xxx"
+build_test_filter
+
+require_dsh_mds || exit 0
+
RUNAS_CMD=${RUNAS_CMD:-runas}
# $RUNAS_ID may get set incorrectly somewhere else
[ $UID -eq 0 -a $RUNAS_ID -eq 0 ] &&
check_runas_id $RUNAS_ID $RUNAS_ID $RUNAS
-build_test_filter
-
umask 077
check_selinux_xattr() {
echo $xattrval
}
+get_sel_ctx() {
+ local file=$1
+
+ [ -n "$file" ] || return;
+ [ -f $file ] || return;
+ stat $file | awk '$1 == "Context:" {print $2}'
+}
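Review bot: `get_sel_ctx` expands `$file` unquoted in `[ -f $file ]` and `stat $file`, so a path containing whitespace or glob characters is split before either command sees it; use `[ -f "$file" ] || return` and `stat -- "$file"`. Parsing the human-readable `stat` output for a `Context:` line is also fragile, and `stat -c %C -- "$file"` asks for the context directly, provided callers accept whatever it prints for an unlabeled file. The helper prints nothing for a directory or when no `Context:` line is present, and the `secinfo2` comparison later in test_1's race check treats an empty value as a pass, so a missing label would go unnoticed there.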
test_1() {
local devname=$(mdsdevname 1)
mds_path=${mds_path#/}
- $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir failed"
+ mkdir_on_mdt0 ${DIR}/$tdir || error "create dir failed"
mkdir $dirname || error "cannot mkdir $dirname"
local xattrval=$(check_selinux_xattr "mds1" $mds_path)
# get sec context
ls -lZ $filename
- local secctxseen=$(ls -lZ $filename | awk '{print $4}' | cut -d: -f3)
+ local secctxseen=$(get_sel_ctx $filename | cut -d: -f3)
[ "$newsecctx" == "$secctxseen" ] ||
error "sec context seen from 1st mount point is not correct"
# get sec context from 1st mount point
ls -lZ $filename1
- local secctxseen=$(ls -lZ $filename1 | awk '{print $4}' | cut -d: -f3)
+ local secctxseen=$(get_sel_ctx $filename1 | cut -d: -f3)
[ "$newsecctx" == "$secctxseen" ] ||
error_ignore LU-6784 \
# get sec info on second mount point
if [ -e "$filename2" ]; then
- secinfo2=$(ls -lZ $filename2 | awk '{print $4}')
+ secinfo2=$(get_sel_ctx $filename2)
fi
# get sec info on first mount point
wait $touchpid
- secinfo1=$(ls -lZ $filename1 | awk '{print $4}')
+ secinfo1=$(get_sel_ctx $filename1)
# compare sec contexts
[ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] ||
}
test_20d() {
- if [ $MDS1_VERSION -lt $(version_code 2.12.50) ] ||
- [ $CLIENT_VERSION -lt $(version_code 2.12.50) ]; then
+ if [ "$MDS1_VERSION" -lt $(version_code 2.12.50) ] ||
+ [ "$CLIENT_VERSION" -lt $(version_code 2.12.50) ]; then
skip "Need version >= 2.12.50"
fi
[ $MDSCOUNT -lt 2 ] && skip "needs >= 2 MDTs"
}
run_test 20d "[atomicity] avoid getxattr for security context"
+test_20e() {
+ [ "$CLIENT_VERSION" -lt $(version_code 2.13.54) ] &&
+ skip "Need client version >= 2.13.54"
+ local filename1=$DIR/$tdir/df20e
+ local delay=5
+ local evict
+ local unconctx="-u unconfined_u -r unconfined_r -t unconfined_t -l s0"
+
+ mkdir -p $DIR/$tdir
+ chmod 777 $DIR/$tdir
+ #define OBD_FAIL_LLITE_CREATE_FILE_PAUSE2 0x1416
+ do_facet client "$LCTL set_param fail_val=$delay fail_loc=0x80001416"
+
+ # create file on first mount point
+ $RUNAS_CMD -u $RUNAS_ID runcon $unconctx touch $filename1 &
+ local touchpid=$!
+ sleep 1
+ cancel_lru_locks mdc
+ sysctl -w vm.drop_caches=2
+ $RUNAS_CMD -u $RUNAS_ID runcon $unconctx stat $DIR/$tdir &
+
+ wait $touchpid
+
+ evict=$($LCTL get_param mdc.$FSNAME-MDT*.state |
+ awk -F"[ [,]" '/EVICTED ]$/ { if (mx<$5) {mx=$5;} } END { print mx }')
+
+ [ -z "$evict" ] || [[ $evict -le $before ]] || error "eviction happened"
+}
+run_test 20e "client deadlock and eviction form MDS"
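Review bot: The final check `[[ $evict -le $before ]]` reads `$before`, which test_20e never declares or assigns in the lines shown. Inside `[[ ]]` an empty operand evaluates as 0, so any eviction timestamp already present in `mdc.*.state` would fail the test, and a `before` inherited from a caller's scope would make the result arbitrary. Record the reference time before arming the fail_loc, e.g. `local before=$(date +%s)` ahead of the `do_facet client "$LCTL set_param ..."` line. The second backgrounded `runcon ... stat` is never waited on, so it may still be running when the eviction state is read; a bare `wait` would cover both jobs.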
+
check_nodemap() {
local nm=$1
local key=$2
local val=$3
+ local facets=""
local i
if [ "$nm" == "active" ]; then
else
proc_param="$nm.$key"
fi
- is_sync=false
- for i in $(seq 1 20); do
- out=$(do_facet mds1 $LCTL get_param -n \
+ # check all MDS nodes, in reverse order to privilege remote ones first
+ for i in $(seq $MDSCOUNT); do
+ facets="mds$i $facets"
+ done
+ for facet in $facets; do
+ is_sync=false
+ for i in {1..20}; do
+ out=$(do_facet $facet $LCTL get_param -n \
nodemap.$proc_param 2>/dev/null)
- echo "On mds1, ${proc_param} = $out"
- [ "$val" == "$out" ] && is_sync=true && break
- sleep 1
+ echo "On $facet, ${proc_param} = $out"
+ [ "$val" == "$out" ] && is_sync=true && break
+ sleep 1
+ done
+ if ! $is_sync; then
+ error "$proc_param not updated on $facet after 20 secs"
+ fi
done
- if ! $is_sync; then
- error "$proc_param not updated on mds1 after 20 secs"
- fi
}
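Review bot: The new outer loop variable `facet` is not declared local; only `facets` is added to the `local` list. Because bash scoping is dynamic, `for facet in $facets` overwrites any `facet` variable belonging to a caller. Adding `local facet` next to `local facets=""` keeps the helper free of that side effect. `is_sync` and `out` appear to be in the same situation, though their declarations may sit in lines not shown here.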
create_nodemap() {
check_nodemap $nm admin_nodemap 1
check_nodemap $nm trusted_nodemap 1
+ sleep 10
+ l_getsepol || error "cannot get sepol"
sepol=$(l_getsepol | cut -d':' -f2- | xargs)
- do_facet mgs $LCTL set_param nodemap.$nm.sepol="$sepol"
+ [ -n "$sepol" ] || error "sepol is empty"
do_facet mgs $LCTL set_param -P nodemap.$nm.sepol="$sepol"
check_nodemap $nm sepol $sepol
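Review bot: `l_getsepol` now runs twice, once for the `|| error` check and again inside the command substitution, so the value that was checked is not the value that gets stored, and a failure of the second call is hidden by the pipeline. Capturing it once closes that gap: `sepol=$(l_getsepol) || error "cannot get sepol"` followed by `sepol=$(echo "$sepol" | cut -d':' -f2- | xargs)`. The added `sleep 10` carries no comment; state what it waits for, or replace it with a poll on that condition. The same double call is added in test_21b under "reset correct sepol".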
do_facet mgs $LCTL nodemap_del $nm
+ wait_update_facet --verbose mds1 \
+ "$LCTL get_param nodemap.$nm.id 2>/dev/null | \
+ grep -c $nm || true" 0 30 ||
+ error "nodemap $nm could not be removed"
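Review bot: Removal is confirmed on `mds1` only, whereas check_nodemap in this same change now polls every MDS, so on a multi-MDT setup a later test could still find the nodemap on another server. Consider running the same `wait_update_facet` for each of `mds1` to `mds$MDSCOUNT`. `$nm` is also interpolated unquoted into the remote `grep -c $nm`, where it acts as a regex against the whole `get_param` line; `grep -c "nodemap\.$nm\.id"` would be stricter. The enclosing function starts outside the lines shown.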
+
do_facet mgs $LCTL nodemap_activate 0
check_nodemap active x 0
}
test_21a() {
- local sepol
-
- [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.56) ] &&
+ [ "$MDS1_VERSION" -lt $(version_code 2.11.56) ] &&
skip "Need MDS >= 2.11.56"
+ local sepol
+
# umount client
if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
umount_client $MOUNT2 || error "umount $MOUNT2 failed"
fi
# create nodemap entry with sepol
- create_nodemap nm1
+ create_nodemap c0
+
+ if $GSS_SK; then
+ # update mount option with skpath
+ MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
+ export SK_UNIQUE_NM=true
+
+ # load specific key on servers
+ do_nodes $(comma_list $(all_server_nodes)) "lgss_sk -t server \
+ -l $SK_PATH/nodemap/c0.key"
+
+ # set perms for per-nodemap keys else permission denied
+ do_nodes $(comma_list $(all_server_nodes)) \
+ "keyctl show | grep lustre | cut -c1-11 |
+ sed -e 's/ //g;' |
+ xargs -IX keyctl setperm X 0x3f3f3f3f"
+
+ fi
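Review bot: `keyctl setperm X 0x3f3f3f3f` sets every permission bit (view, read, write, search, link, setattr) for possessor, user, group and other, and it is applied to every key whose `keyctl show` line contains "lustre". That leaves the shared-secret keys on the server nodes accessible to any local account while the test runs, and it widens keys this test did not load. If only one accessor needs one extra bit, use a narrower mask and match on the c0 key description; at minimum add a comment saying which accessor was denied and why. Extracting the ID with `cut -c1-11` depends on the column layout of `keyctl show`. The block is repeated verbatim in test_21b, so a shared helper would keep the two copies in step.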
# mount client without sending sepol
mount_client $MOUNT $MOUNT_OPTS &&
# store wrong sepol in nodemap
sepol="0:policy:0:0000000000000000000000000000000000000000000000000000000000000000"
- do_facet mgs $LCTL set_param nodemap.nm1.sepol="$sepol"
- do_facet mgs $LCTL set_param -P nodemap.nm1.sepol="$sepol"
- check_nodemap nm1 sepol $sepol
+ do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
+ check_nodemap c0 sepol $sepol
# mount client with sepol
mount_client $MOUNT $MOUNT_OPTS &&
error "client mount without matching sepol should be refused"
# remove nodemap
- remove_nodemap nm1
+ remove_nodemap c0
+
+ if $GSS_SK; then
+ export SK_UNIQUE_NM=false
+ fi
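Review bot: `SK_UNIQUE_NM` is set back to false only here, which is not reached if an earlier `error` aborts the test. `MOUNT_OPTS` as rewritten by `add_sk_mntflag` is never restored in the lines shown, so later tests could inherit the per-nodemap key settings. test_21b already uses `stack_trap` for the open cache, and the same mechanism fits: register `stack_trap "export SK_UNIQUE_NM=false" EXIT` right after setting it to true, and save the original `MOUNT_OPTS` in a local to restore the same way. The trailing `if $GSS_SK` block in test_21b has the same gap; test_21a's body continues beyond these lines.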
# remount client normally
echo 0 > /sys/module/ptlrpc/parameters/send_sepol
run_test 21a "Send sepol at connect"
test_21b() {
- local sepol
-
- [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.56) ] &&
+ [ "$MDS1_VERSION" -lt $(version_code 2.11.56) ] &&
skip "Need MDS >= 2.11.56"
- mkdir -p $DIR/$tdir || error "failed to create $DIR/$tdir"
+ stack_trap "restore_opencache" EXIT
+ disable_opencache
+
+ local sepol
+
+ mkdir_on_mdt0 $DIR/$tdir || error "failed to create $DIR/$tdir"
echo test > $DIR/$tdir/toopen ||
error "failed to write to $DIR/$tdir/toopen"
touch $DIR/$tdir/ftoremove ||
echo 3 > /proc/sys/vm/drop_caches
# create nodemap entry with sepol
- create_nodemap nm1
+ create_nodemap c0
+
+ if $GSS_SK; then
+ export SK_UNIQUE_NM=true
+
+ # load specific key on servers
+ do_nodes $(comma_list $(all_server_nodes)) "lgss_sk -t server \
+ -l $SK_PATH/nodemap/c0.key"
+
+ # set perms for per-nodemap keys else permission denied
+ do_nodes $(comma_list $(all_server_nodes)) \
+ "keyctl show | grep lustre | cut -c1-11 |
+ sed -e 's/ //g;' |
+ xargs -IX keyctl setperm X 0x3f3f3f3f"
+
+ fi
# metadata ops without sending sepol
touch $DIR/$tdir/f0 && error "touch (1)"
# store wrong sepol in nodemap
sepol="0:policy:0:0000000000000000000000000000000000000000000000000000000000000000"
- do_facet mgs $LCTL set_param nodemap.nm1.sepol="$sepol"
- do_facet mgs $LCTL set_param -P nodemap.nm1.sepol="$sepol"
- check_nodemap nm1 sepol $sepol
+ do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
+ check_nodemap c0 sepol $sepol
# metadata ops with sepol
touch $DIR/$tdir/f4 && error "touch (3)"
ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl3 && error "hardlink (3)"
# reset correct sepol
+ l_getsepol || error "cannot get sepol"
sepol=$(l_getsepol | cut -d':' -f2- | xargs)
- do_facet mgs $LCTL set_param nodemap.nm1.sepol="$sepol"
- do_facet mgs $LCTL set_param -P nodemap.nm1.sepol="$sepol"
- check_nodemap nm1 sepol $sepol
+ [ -n "$sepol" ] || error "sepol is empty"
+ do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
+ check_nodemap c0 sepol $sepol
- # metadata ops with sepol every 10 seconds only
- echo 10 > /sys/module/ptlrpc/parameters/send_sepol
+ # metadata ops with sepol every 1000 seconds only
+ echo 1000 > /sys/module/ptlrpc/parameters/send_sepol
+ local before=$(date +%s)
touch $DIR/$tdir/f6 || error "touch (4)"
lfs setstripe -c1 $DIR/$tdir/f7 || error "lfs setstripe (4)"
mkdir $DIR/$tdir/d6 || error "mkdir (4)"
ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl5 || error "hardlink (5)"
echo 3 > /proc/sys/vm/drop_caches
- sleep 10
+ local after=$(date +%s)
+ # change send_sepol to a smaller, already expired, value
+ echo $((after-before-1)) > /sys/module/ptlrpc/parameters/send_sepol
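Review bot: `$((after-before-1))` evaluates to -1 or 0 when the metadata operations between the two `date +%s` calls finish within the same second or the next one. 0 is the value this file writes to `send_sepol` to reset it, so the "already expired" interval can become a special setting rather than a short timeout. If those values are not intended, clamp the result, e.g. `local ival=$((after-before-1)); [ $ival -ge 1 ] || { sleep 2; ival=1; }` and write `$ival`. Otherwise add a comment explaining why 0 and -1 still make the following operations fail.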
# metadata ops without matching sepol: should fail now
touch $DIR/$tdir/f10 && error "touch (6)"
lfs setstripe -c1 $DIR/$tdir/f11 && error "lfs setstripe (6)"
fi
# remove nodemap
- remove_nodemap nm1
+ remove_nodemap c0
echo 0 > /sys/module/ptlrpc/parameters/send_sepol
+
+ if $GSS_SK; then
+ export SK_UNIQUE_NM=false
+ fi
}
run_test 21b "Send sepol for metadata ops"