#!/bin/bash
-# vim:expandtab:shiftwidth=4:softtabstop=4:tabstop=4:
+# -*- mode: Bash; tab-width: 4; indent-tabs-mode: t; -*-
+# vim:shiftwidth=4:softtabstop=4:tabstop=4:
#
# setup_kerberos.sh - setup the Kerberos environment on Lustre cluster
# usage
my_usage() {
cat <<EOF
-Usage: $(basename $0) <KDC_distro> <KDC_node> <MDS_node>[:MDS_node:...]
+Usage: $(basename $0) <KDC_distro> <KDC_node> <MGS_node> <MDS_node>[:MDS_node:...]
<OSS_node>[:OSS_node:...] <CLIENT_node>[:CLIENT_node:...]
This script is used to setup the Kerberos environment on Lustre cluster.
KDC_distro distribution on the KDC node (rhel5 or sles10)
KDC_node KDC node name
+ MGS_node Lustre MGS node name
MDS_node Lustre MDS node name
OSS_node Lustre OSS node name
CLIENT_node Lustre client node name
- e.g.: $(basename $0) rhel5 scsi2 sata2 sata3 client5
- e.g.: $(basename $0) sles10 scsi2 scsi2 sata3:sata5 client2:client3
- e.g.: $(basename $0) rhel5 scsi2 scsi2 scsi2 scsi2
+ e.g.: $(basename $0) rhel5 scsi2 scsi2 sata2 sata3 client5
+ e.g.: $(basename $0) sles10 scsi2 scsi2 scsi2 sata3:sata5 client2:client3
+ e.g.: $(basename $0) rhel5 scsi2 scsi2 scsi2 scsi2 scsi2
Notes:
1) The script will destroy all the old Kerberos settings by default. If you
"RESET_KDC=false".
2) The script will create principals for some runas users and add them into
- the Kerberos database by default. The UIDs of the runas users specified in
+ the Kerberos database by default. The UIDs of the runas users specified in
"LOCAL_UIDS" variable need exist on KDC, MDS and Client nodes. If you do not
need runas users, please set "CFG_RUNAS=false".
- 3) The script will create idmap.conf and perm.conf under /etc/lustre dir on
- MDS node for remote ACL by default. If you do not need remote ACL, please
- set "CFG_IDMAP=false".
-
EOF
}
# ************************ Parameters and Variables ************************ #
MY_KDC_DISTRO=$1
MY_KDCNODE=$2
-MY_MDSNODES=$3
-MY_OSSNODES=$4
-MY_CLIENTNODES=$5
+MY_MGSNODE=$3
+MY_MDSNODES=$4
+MY_OSSNODES=$5
+MY_CLIENTNODES=$6
# translate to lower case letters
MY_KDC_DISTRO=$(echo $MY_KDC_DISTRO | tr '[A-Z]' '[a-z]')
if [ -z "$MY_KDC_DISTRO" -o -z "$MY_KDCNODE" -o -z "$MY_MDSNODES" -o \
- -z "$MY_OSSNODES" -o -z "$MY_CLIENTNODES" ]; then
+ -z "$MY_OSSNODES" -o -z "$MY_CLIENTNODES" -o -z "$MY_MGSNODE" ]; then
my_usage
exit 1
fi
# check and configure runas users
CFG_RUNAS=${CFG_RUNAS:-true}
-# uids for local and remote users
+# uids for local users
LOCAL_UIDS=${LOCAL_UIDS:-"500 501"}
-REMOTE_UIDS=${REMOTE_UIDS:-"500 501"} # for remote ACL testing
# remove the original Kerberos and KDC settings
RESET_KDC=${RESET_KDC:-true}
SPLIT_KEYTAB=${SPLIT_KEYTAB:-true}
# encryption types for generating keytab
-MDS_ENCTYPE=${MDS_ENCTYPE:-"des3-hmac-sha1"}
-OSS_ENCTYPE=${OSS_ENCTYPE:-"des3-hmac-sha1"}
-CLIENT_ENCTYPE=${CLIENT_ENCTYPE:-"des3-hmac-sha1"}
+MDS_ENCTYPE=${MDS_ENCTYPE:-"aes128-cts"}
+MGS_ENCTYPE=${MGS_ENCTYPE:-"$MDS_ENCTYPE"}
+OSS_ENCTYPE=${OSS_ENCTYPE:-"aes128-cts"}
+CLIENT_ENCTYPE=${CLIENT_ENCTYPE:-"aes128-cts"}
# configuration file for Kerberos
KRB5_CONF=${KRB5_CONF:-"/etc/krb5.conf"}
GSSAPI_MECH_CONF=${GSSAPI_MECH_CONF:-"/etc/gssapi_mech.conf"}
REQUEST_KEY_CONF=${REQUEST_KEY_CONF:-"/etc/request-key.conf"}
-# create configuration files for remote ACL testing
-CFG_IDMAP=${CFG_IDMAP:-true}
-LUSTRE_CONF_DIR=${LUSTRE_CONF_DIR:-"/etc/lustre"}
-IDMAP_CONF=$LUSTRE_CONF_DIR/idmap.conf
-PERM_CONF=$LUSTRE_CONF_DIR/perm.conf
-
# krb5 realm & domain
KRB5_REALM=${KRB5_REALM:-"CO.CFS"}
KRB5_DOMAIN=$(echo $KRB5_REALM | tr '[A-Z]' '[a-z]')
return $rc
fi
+ # MGS node
+ MY_MGSNODE=$(get_fqdn $MY_MGSNODE)
+ rc=${PIPESTATUS[0]}
+ if [ $rc -ne 0 ]; then
+ echo $MY_MGSNODE
+ return $rc
+ fi
+
# MDS nodes
MY_MDSNODES=$(get_fqdn $MY_MDSNODES)
rc=${PIPESTATUS[0]}
echo "+++ Checking remote shell"
- for node in $MY_KDCNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
+ for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
+ do
is_part_of $node $checked && continue
echo -n "Checking remote shell on $node..."
echo "+++ Checking users and groups"
- for node in $MY_KDCNODE $MY_MDSNODES $MY_CLIENTNODES; do
+ for node in $MY_KDCNODE $MY_MGSNODE $MY_MDSNODES $MY_CLIENTNODES; do
is_part_of $node $checked && continue
for id in $LOCAL_UIDS; do
echo -n "Checking uid/gid $id/$id on $node..."
user=$(my_do_node $node getent passwd | grep :$id:$id: | cut -d: -f1)
if [ -z "$user" ]; then
- echo -e "\nPlease set LOCAL_UIDS and REMOTE_UIDS to some users \
+ echo -e "\nPlease set LOCAL_UIDS to some users \
which exist on KDC, MDS and client or add user/group $id/$id on these nodes."
return 1
fi
echo "+++ Configuring nfsd mount"
- for node in $MY_OSSNODES $MY_MDSNODES; do
+ for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES; do
is_part_of $node $checked && continue
cfg_mount $node nfsd /proc/fs/nfsd || return ${PIPESTATUS[0]}
checked="$checked $node"
local krb5pkg_cli
echo "+++ Checking Kerberos 5 installation"
- for node in $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
+ for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
is_part_of $node $checked && continue
echo -n "Checking $node..."
return $rc
fi
- for node in $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
+ for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
is_part_of $node $checked && continue
echo -n "Checking $node..."
echo "+++ Updating $GSSAPI_MECH_CONF"
- for node in $MY_KDCNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
+ for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
+ do
is_part_of $node $checked && continue
krb5pkg_lib=$(get_krb5pkgname $node lib)
echo "+++ Updating $REQUEST_KEY_CONF"
- for node in $MY_MDSNODES $MY_CLIENTNODES; do
+ for node in $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
is_part_of $node $checked && continue
lgss_keyring=$(my_do_node $node "which lgss_keyring") || \
return ${PIPESTATUS[0]}
cfg_kdc_princs() {
local node
+ add_svc_princ $MY_MGSNODE mgs || return ${PIPESTATUS[0]}
+
for node in $MY_MDSNODES; do
add_svc_princ $node mds || return ${PIPESTATUS[0]}
done
[realms]
$KRB5_REALM = {
- master_key_type = des3-hmac-sha1
+ master_key_type = aes128-cts
supported_enctypes = des3-hmac-sha1:normal aes128-cts:normal aes256-cts:normal des-cbc-md5:normal
}
EOF
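Review bot: The `supported_enctypes` line directly under the changed `master_key_type` still lists `des-cbc-md5:normal` (with `des3-hmac-sha1` first), so on an MIT KDC every principal this script adds — including the new `mgs` service principal — gets a single-DES key in the database unless `add_svc_princ` passes an explicit `-e` list, even though the keytabs are now exported with `aes128-cts`. A client that negotiates DES is then issued a ticket under a 56-bit key that can be brute-forced offline, which undoes most of the benefit of moving the keytabs to AES. Unless some component on the rhel5/sles10 targets genuinely still needs DES, drop it and put AES first: `supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal`. If DES has to stay, a one-line comment naming which consumer requires it would let the next maintainer remove it safely.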
EOF
# install krb5.conf remotely
- for node in $MY_KDCNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
+ for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
+ do
is_part_of $node $checked && continue
echo -n "Installing krb5.conf on $node..."
rkt $tab
wkt $KRB5_KEYTAB
EOF" || return ${PIPESTATUS[0]}
- do_node_mute $node "rm -f $tab" || true
}
#
# remove old keytabs
echo -n "Deleting old keytabs on all nodes..."
- for node in $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
+ for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
do_node_mute $node "rm -f $KRB5_KEYTAB $TMP/krb5cc*"
done
echo "OK!"
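Review bot: Dropping `do_node_mute $node "rm -f $tab" || true` means the staging keytab `$tab` that the `rkt $tab` / `wkt $KRB5_KEYTAB` ktutil step reads is no longer deleted from the node, so a second copy of that node's service keys remains on disk under whatever path `$tab` resolves to. Unless that cleanup was moved somewhere outside this hunk, the line should stay; if the objection was the `|| true` masking a failed delete, `do_node_mute $node "rm -f $tab"` on its own is the smaller change. The function these lines belong to begins before the hunk, so I cannot see where `$tab` is created or whether it is removed elsewhere.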
echo -n "Preparing for MDS $node..."
do_kdc_mute "rm -f $tmptab"
add_keytab_svc $tmptab $node mds $MDS_ENCTYPE || return ${PIPESTATUS[0]}
+
+ if is_part_of $node $MY_MGSNODE; then
+ echo -n "also be an MGS..."
+ add_keytab_svc $tmptab $node mgs $MGS_ENCTYPE || \
+ return ${PIPESTATUS[0]}
+ fi
+
if is_part_of $node $MY_OSSNODES; then
echo -n "also be an OSS..."
add_keytab_svc $tmptab $node oss $OSS_ENCTYPE || \
rm -f $tmptab
done
+ # install for MGS node
+ echo -n "Preparing for MGS $MY_MGSNODE..."
+ if ! is_part_of $MY_MGSNODE $MY_MDSNODES; then
+ do_kdc_mute "rm -f $tmptab"
+ add_keytab_svc $tmptab $MY_MGSNODE mgs $MGS_ENCTYPE || \
+ return ${PIPESTATUS[0]}
+
+ if is_part_of $MY_MGSNODE $MY_OSSNODES; then
+ echo -n "also be an OSS..."
+ add_keytab_svc $tmptab $MY_MGSNODE oss $OSS_ENCTYPE || \
+ return ${PIPESTATUS[0]}
+ fi
+ echo "OK!"
+
+ echo -n "Installing krb5.keytab on $MY_MGSNODE..."
+ $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
+ $SCP $tmptab root@$MY_MGSNODE:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
+ echo "OK!"
+ rm -f $tmptab
+ else
+ echo "also be an MDS, already done, skip"
+ fi
+
# install for OSS nodes
for node in $MY_OSSNODES; do
echo -n "Preparing for OSS $node..."
- if ! is_part_of $node $MY_MDSNODES; then
+ if is_part_of $node $MY_MDSNODES; then
+ echo "also be an MDS, already done, skip"
+ elif is_part_of $node $MY_MGSNODE; then
+ echo "also be an MGS, already done, skip"
+ else
do_kdc_mute "rm -f $tmptab"
add_keytab_svc $tmptab $node oss $OSS_ENCTYPE || \
return ${PIPESTATUS[0]}
$SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
echo "OK!"
rm -f $tmptab
- else
- echo "also be an MDS, already done, skip"
fi
done
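Review bot: In the new MGS branch the keytab holding the `mgs` (and possibly `oss`) keys is staged as `$tmptab` on both the KDC and the local host, but only the local copy is removed (`rm -f $tmptab` after the second `$SCP`); the KDC-side copy is only cleared by `do_kdc_mute "rm -f $tmptab"` at the start of the next run, and each `|| return ${PIPESTATUS[0]}` exits with both copies left behind. Since `$tmptab` is a predictable path, a failed run leaves service key material lying around until someone reruns the script. Suggest `do_kdc_mute "rm -f $tmptab"` immediately after the pull from the KDC succeeds and `rm -f $tmptab` before each early return, or a single trap-based cleanup for the whole function, since the surrounding MDS and OSS branches appear to stage keys the same way. The enclosing function starts before this hunk, so the cleanup convention it uses on entry is not visible here.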
echo -n "Preparing for client..."
add_keytab_root $tmptab $CLIENT_ENCTYPE || return ${PIPESTATUS[0]}
$SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
+ echo "OK!"
else
for node in $MY_CLIENTNODES; do
echo -n "Preparing for client $node..."
add_keytab_svc $tmptab $node root $CLIENT_ENCTYPE || \
return ${PIPESTATUS[0]}
$SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
+ echo "OK!"
done
fi
- echo "OK!"
for node in $MY_CLIENTNODES; do
echo -n "Installing krb5.keytab on client $node..."
continue
fi
+ # merge keytab if it's also an MGS
+ if is_part_of $node $MY_MGSNODE; then
+ echo -n "also be an MGS, merging keytab..."
+ merge_keytab $tmptab $node || return ${PIPESTATUS[0]}
+ echo "OK!"
+ continue
+ fi
+
# merge keytab if it's also an OSS
if is_part_of $node $MY_OSSNODES; then
echo -n "also be an OSS, merging keytab..."
return 0
}
-#
-# create and install idmap.conf on the MDS
-#
-cfg_idmap_conf() {
- local tmpcfg="$TMP/idmap.conf"
- local fqdn
- local user
- local uid
- local client_nids client_nid
- local rc
-
- echo "+++ Installing idmap.conf on MDS"
- echo "Getting Client NID..."
- client_nids=$(get_client_nids)
- rc=${PIPESTATUS[0]}
- if [ $rc -ne 0 ]; then
- echo $client_nids
- return $rc
- fi
-
- rm -f $tmpcfg
- if $SPLIT_KEYTAB; then
- for fqdn in $MY_CLIENTNODES; do
- echo "lustre_root/$fqdn@$KRB5_REALM * 0" >> $tmpcfg
- done
- else
- echo "lustre_root@$KRB5_REALM * 0" >> $tmpcfg
- fi
- cat <<EOF >> $tmpcfg
-bin@$KRB5_REALM * 1
-daemon@$KRB5_REALM * 2
-games@$KRB5_REALM * 12
-EOF
-
- for node in $MY_MDSNODES; do
- for uid in $LOCAL_UIDS; do
- user=$(my_do_node $node getent passwd $uid | cut -d: -f1)
- for client_nid in $client_nids; do
- echo "$user@$KRB5_REALM $client_nid $uid" >> $tmpcfg
- done
- done
- done
-
- for node in $MY_MDSNODES; do
- my_do_node $node "mkdir -p $LUSTRE_CONF_DIR" || return ${PIPESTATUS[0]}
- $SCP $tmpcfg root@$node:$IDMAP_CONF || return ${PIPESTATUS[0]}
- done
- rm -f $tmpcfg
- echo "OK!"
-}
-
-#
-# create and install perm.conf on the MDS for remote ACL testing
-#
-cfg_perm_conf() {
- local tmpcfg="$TMP/perm.conf"
- local uid
-
- echo "+++ Installing perm.conf on MDS"
-
- rm -f $tmpcfg
- for node in $MY_MDSNODES; do
- my_do_node $node "mkdir -p $LUSTRE_CONF_DIR" || return ${PIPESTATUS[0]}
-
- for uid in $LOCAL_UIDS $REMOTE_UIDS; do
- if ! grep -q " $uid " $tmpcfg 2>/dev/null; then
- echo "* $uid rmtacl" >> $tmpcfg
- fi
- done
-
- echo "* 0 setgid" >> $tmpcfg
-
- $SCP $tmpcfg root@$node:$PERM_CONF || return ${PIPESTATUS[0]}
- done
- rm -f $tmpcfg
- echo "OK!"
-}
-
# ******************************** Main Flow ******************************** #
normalize_names || exit ${PIPESTATUS[0]}
check_rsh || exit ${PIPESTATUS[0]}
if $CFG_RUNAS; then
check_users || exit ${PIPESTATUS[0]}
-elif $CFG_IDMAP; then
- echo "Remote ACL operations need local and remote users!"
- exit 1
fi
check_kdc || exit ${PIPESTATUS[0]}
echo " KDC: $MY_KDCNODE"
echo " realm: $KRB5_REALM, domain: $KRB5_DOMAIN"
echo " Using gssapi package: $LIBGSSAPI"
+echo " MGS node:"
+echo " $MY_MGSNODE"
echo " OSS nodes:"
for i in $MY_OSSNODES; do echo " $i"; done
echo " MDS nodes:"
cfg_kdc_princs || exit ${PIPESTATUS[0]}
cfg_keytab || exit ${PIPESTATUS[0]}
-if $CFG_IDMAP; then
- cfg_idmap_conf || exit ${PIPESTATUS[0]}
- cfg_perm_conf || exit ${PIPESTATUS[0]}
-fi
-
echo "Complete successfully!"