X-Git-Url: https://git.whamcloud.com/?a=blobdiff_plain;f=lustre%2Ftests%2Fsanity-sec.sh;h=eec2f88cd9dcffea1c6f7062e6591733e6a8e215;hb=62ed4f22e21075daa074f2c7f92be6509d76e51c;hp=9f303c20bee8fa651de7f405a4cd4582a67835ad;hpb=88299272c512c006ce8207affc6cc8e1514471a6;p=fs%2Flustre-release.git diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh index 9f303c2..eec2f88 100755 --- a/lustre/tests/sanity-sec.sh +++ b/lustre/tests/sanity-sec.sh @@ -9,6 +9,10 @@ set -e ONLY=${ONLY:-"$*"} # bug number for skipped test: 19430 19967 19967 ALWAYS_EXCEPT=" 2 5 6 $SANITY_SEC_EXCEPT" +if $SHARED_KEY; then +# bug number for skipped test: 9145 9145 9671 9145 9145 9145 9145 9245 + ALWAYS_EXCEPT=" 17 18 19 20 21 22 23 27 $ALWAYS_EXCEPT" +fi # UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT! SRCDIR=$(dirname $0) @@ -21,6 +25,13 @@ init_test_env $@ . ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh} init_logging +NODEMAP_TESTS=$(seq 7 26) + +if ! check_versions; then + echo "It is NOT necessary to test nodemap under interoperation mode" + EXCEPT="$EXCEPT $NODEMAP_TESTS" +fi + [ "$SLOW" = "no" ] && EXCEPT_SLOW="26" [ "$ALWAYS_EXCEPT$EXCEPT$EXCEPT_SLOW" ] && @@ -50,14 +61,14 @@ clients_arr=($clients) ID0=${ID0:-500} ID1=${ID1:-501} -USER0=$(grep :$ID0:$ID0: /etc/passwd | cut -d: -f1) -USER1=$(grep :$ID1:$ID1: /etc/passwd | cut -d: -f1) +USER0=$(getent passwd | grep :$ID0:$ID0: | cut -d: -f1) +USER1=$(getent passwd | grep :$ID1:$ID1: | cut -d: -f1) [ -z "$USER0" ] && - skip "need to add user0 ($ID0:$ID0) to /etc/passwd" && exit 0 + skip "need to add user0 ($ID0:$ID0)" && exit 0 [ -z "$USER1" ] && - skip "need to add user1 ($ID1:$ID1) to /etc/passwd" && exit 0 + skip "need to add user1 ($ID1:$ID1)" && exit 0 IDBASE=${IDBASE:-60000} 
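Review bot: The added `if $SHARED_KEY; then` runs the variable's value as a command, and an unset or empty SHARED_KEY expands to an empty command, which the shell treats as success. The check sits above the framework setup visible in the next hunk (`init_test_env`), so if nothing has exported SHARED_KEY by this point, tests 17-23 and 27 would be excluded on every run. A default makes the intent explicit: `if ${SHARED_KEY:-false}; then`.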
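Review bot: `NODEMAP_TESTS=$(seq 7 26)` stops one short of test 27, which this same commit adds as "test fileset in nodemap" and which calls nodemap_test_setup. If every nodemap test is meant to be skipped when check_versions fails, the range should be `NODEMAP_TESTS=$(seq 7 27)`. If test 27 is meant to run under interoperation, a comment saying why would prevent the next reader from assuming an oversight.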
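Review bot: `getent passwd | grep :$ID0:$ID0:` depends on the name service allowing enumeration, which directory-backed setups commonly disable, so an account that exists can still come back empty and the whole suite is skipped. The unanchored grep can also return more than one entry (for example the same account served by two sources), leaving several names in USER0. A keyed lookup avoids both: `USER0=$(getent passwd "$ID0" | awk -F: -v id="$ID0" '$4 == id { print $1 }')`, and the same for USER1.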
@@ -98,17 +109,6 @@ MDT=$(do_facet $SINGLEMDS lctl get_param -N "mdt.\*MDT0000" | do_facet $SINGLEMDS "mkdir -p $CONFDIR" IDENTITY_FLUSH=mdt.$MDT.identity_flush IDENTITY_UPCALL=mdt.$MDT.identity_upcall -MDSSECLEVEL=mdt.$MDT.sec_level - -# for CLIENT_TYPE -if [ -z "$(lctl get_param -n llite.*.client_type | grep remote 2>/dev/null)" ] -then - CLIENT_TYPE="local" - echo "local client" -else - CLIENT_TYPE="remote" - echo "remote client" -fi SAVE_PWD=$PWD @@ -118,6 +118,7 @@ sec_login() { local user=$1 local group=$2 + $GSS_KRB5 || return if ! $RUNAS_CMD -u $user krb5_login.sh; then error "$user login kerberos failed." exit 1 @@ -157,17 +158,7 @@ test_0() { chmod 0755 $DIR || error "chmod (1)" rm -rf $DIR/$tdir || error "rm (1)" mkdir -p $DIR/$tdir || error "mkdir (1)" - - if [ "$CLIENT_TYPE" = "remote" ]; then - do_facet $SINGLEMDS "echo '* 0 normtown' > $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - chown $USER0 $DIR/$tdir && error "chown (1)" - do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - else - chown $USER0 $DIR/$tdir || error "chown (2)" - fi - + chown $USER0 $DIR/$tdir || error "chown (2)" $RUNAS_CMD -u $ID0 ls $DIR || error "ls (1)" rm -f $DIR/f0 || error "rm (2)" $RUNAS_CMD -u $ID0 touch $DIR/f0 && error "touch (1)" @@ -181,11 +172,6 @@ test_0() { $RUNAS_CMD -u $ID1 touch $DIR/$tdir/f5 && error "touch (6)" touch $DIR/$tdir/f6 || error "touch (7)" rm -rf $DIR/$tdir || error "rm (3)" - - if [ "$CLIENT_TYPE" = "remote" ]; then - do_facet $SINGLEMDS "rm -f $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - fi } run_test 0 "uid permission =============================" 
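Review bot: The new guard `$GSS_KRB5 || return` in sec_login returns the status of the failed `$GSS_KRB5` command, so the function reports failure whenever Kerberos is off. The script sets `set -e` in the first hunk, so a bare `sec_login user group` call could end the run at that point unless errexit is turned off somewhere not shown here. `${GSS_KRB5:-false} || return 0` states that skipping the login is a success and also covers an unset GSS_KRB5, which would otherwise expand to an empty, successful command and fall through to krb5_login.sh. The function body continues outside the hunk.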
@@ -193,11 +179,6 @@ run_test 0 "uid permission =============================" test_1() { [ $GSS_SUP = 0 ] && skip "without GSS support." && return - if [ "$CLIENT_TYPE" = "remote" ]; then - do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - fi - rm -rf $DIR/$tdir mkdir -p $DIR/$tdir 
@@ -228,60 +209,6 @@ test_1() { } run_test 1 "setuid/gid =============================" -run_rmtacl_subtest() { - $SAVE_PWD/rmtacl/run $SAVE_PWD/rmtacl/$1.test - return $? -} - -# remote_acl -# for remote client only -test_2 () { - [ "$CLIENT_TYPE" = "local" ] && - skip "remote_acl for remote client only" && return - [ -z "$(lctl get_param -n mdc.*-mdc-*.connect_flags | grep ^acl)" ] && - skip "must have acl enabled" && return - [ -z "$(which setfacl 2>/dev/null)" ] && - skip "could not find setfacl" && return - [ "$UID" != 0 ] && skip "must run as root" && return - - do_facet $SINGLEMDS "echo '* 0 rmtacl,rmtown' > $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - - sec_login root root - sec_login bin bin - sec_login daemon daemon - sec_login games users - - SAVE_UMASK=$(umask) - umask 0022 - cd $DIR - - echo "performing cp ..." - run_rmtacl_subtest cp || error "cp" - echo "performing getfacl-noacl..." - run_rmtacl_subtest getfacl-noacl || error "getfacl-noacl" - echo "performing misc..." - run_rmtacl_subtest misc || error "misc" - echo "performing permissions..." - run_rmtacl_subtest permissions || error "permissions" - echo "performing setfacl..." - run_rmtacl_subtest setfacl || error "setfacl" - - # inheritance test got from HP - echo "performing inheritance..." - cp $SAVE_PWD/rmtacl/make-tree . - chmod +x make-tree - run_rmtacl_subtest inheritance || error "inheritance" - rm -f make-tree - - cd $SAVE_PWD - umask $SAVE_UMASK - - do_facet $SINGLEMDS "rm -f $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" -} -run_test 2 "rmtacl =============================" - # bug 3285 - supplementary group should always succeed. # NB: the supplementary groups are set for local client only, # as for remote client, the groups of the specified uid on MDT 
@@ -294,22 +221,15 @@ test_4() { $server_version -lt $(version_code 2.5.50) ]] || { skip "Need MDS version at least 2.6.93 or 2.5.35"; return; } - if [ "$CLIENT_TYPE" = "remote" ]; then - do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - fi - rm -rf $DIR/$tdir mkdir -p $DIR/$tdir chmod 0771 $DIR/$tdir chgrp $ID0 $DIR/$tdir $RUNAS_CMD -u $ID0 ls $DIR/$tdir || error "setgroups (1)" - if [ "$CLIENT_TYPE" = "local" ]; then - do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF" - do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" - $RUNAS_CMD -u $ID1 -G1,2,$ID0 ls $DIR/$tdir || - error "setgroups (2)" - fi + do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF" + do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1" + $RUNAS_CMD -u $ID1 -G1,2,$ID0 ls $DIR/$tdir || + error "setgroups (2)" $RUNAS_CMD -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)" rm -rf $DIR/$tdir 
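Review bot: The write of `'* $ID1 setgrp'` to `$PERM_CONF` and the identity flush in test_4 now run unconditionally, but neither do_facet call is checked, so a failed write would surface only as a misleading "setgroups (2)" error. Appending `|| error "cannot write $PERM_CONF"` and `|| error "identity flush failed"` would separate a setup failure from a real permission result. The comment above test_4, visible at the end of the previous hunk, still says the supplementary groups are set "for local client only", which no longer matches the code. The rest of test_4 lies outside the hunk, so whether `$PERM_CONF` is removed afterwards cannot be seen here.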
@@ -949,16 +869,57 @@ test_15() { } run_test 15 "test id mapping" -# Until nodemaps are distributed by MGS, they need to be distributed manually -# This function and all calls to it should be removed once the MGS distributes -# nodemaps to the MDS and OSS nodes directly. -do_servers_not_mgs() { - local mgs_ip=$(host_nids_address $mgs_HOST $NETTYPE) - for node in $(all_server_nodes); do - local node_ip=$(host_nids_address $node $NETTYPE) - [ $node_ip == $mgs_ip ] && continue - do_node $node_ip $* +wait_nm_sync() { + local nodemap_name=$1 + local key=$2 + local value=$3 + local proc_param="${nodemap_name}.${key}" + [ "$nodemap_name" == "active" ] && proc_param="active" + + local is_active=$(do_facet mgs $LCTL get_param -n nodemap.active) + (( is_active == 0 )) && [ "$proc_param" != "active" ] && return + + local max_retries=20 + local is_sync + local out1="" + local out2 + local mgs_ip=$(host_nids_address $mgs_HOST $NETTYPE | cut -d' ' -f1) + local i + + if [ -z "$value" ]; then + out1=$(do_facet mgs $LCTL get_param nodemap.${proc_param}) + echo "On MGS ${mgs_ip}, ${proc_param} = $out1" + else + out1=$value; + fi + + # wait up to 10 seconds for other servers to sync with mgs + for i in $(seq 1 10); do + for node in $(all_server_nodes); do + local node_ip=$(host_nids_address $node $NETTYPE | + cut -d' ' -f1) + + is_sync=true + if [ -z "$value" ]; then + [ $node_ip == $mgs_ip ] && continue + fi + + out2=$(do_node $node_ip $LCTL get_param \ + nodemap.$proc_param 2>/dev/null) + echo "On $node ${node_ip}, ${proc_param} = $out2" + [ "$out1" != "$out2" ] && is_sync=false && break + done + $is_sync && break + sleep 1 done + if ! $is_sync; then + echo MGS + echo $out1 + echo OTHER - IP: $node_ip + echo $out2 + error "mgs and $nodemap_name ${key} mismatch, $i attempts" + fi + echo "waited $((i - 1)) seconds for sync" } create_fops_nodemaps() { 
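Review bot: In wait_nm_sync, `is_sync` is assigned only inside the inner `for node` loop, so when `all_server_nodes` yields nothing, `$is_sync && break` runs an empty command, which succeeds, and the function reports a sync it never checked; declaring `local is_sync=false` closes that. `max_retries=20` is declared but the loop is hard-coded to `seq 1 10`, so either drop the variable or use `for i in $(seq 1 $max_retries)` and update the "10 seconds" comment. `[ $node_ip == $mgs_ip ]` is unquoted and becomes a malformed test if host_nids_address returns nothing for a node; `[ "$node_ip" == "$mgs_ip" ]` is safer. Because the tests that follow rely on this function to know that admin/trusted changes have reached every server, a false "synced" result here weakens all of them.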
@@ -966,30 +927,19 @@ create_fops_nodemaps() { local client for client in $clients; do local client_ip=$(host_nids_address $client $NETTYPE) - local client_nid=$(h2$NETTYPE $client_ip) + local client_nid=$(h2nettype $client_ip) do_facet mgs $LCTL nodemap_add c${i} || return 1 do_facet mgs $LCTL nodemap_add_range \ --name c${i} --range $client_nid || return 1 - do_servers_not_mgs $LCTL set_param nodemap.add_nodemap=c${i} || - return 1 - do_servers_not_mgs "$LCTL set_param " \ - "nodemap.add_nodemap_range='c${i} $client_nid'" || - return 1 for map in ${FOPS_IDMAPS[i]}; do do_facet mgs $LCTL nodemap_add_idmap --name c${i} \ --idtype uid --idmap ${map} || return 1 - do_servers_not_mgs "$LCTL set_param " \ - "nodemap.add_nodemap_idmap='c$i uid ${map}'" || - return 1 do_facet mgs $LCTL nodemap_add_idmap --name c${i} \ --idtype gid --idmap ${map} || return 1 - do_servers_not_mgs "$LCTL set_param " \ - " nodemap.add_nodemap_idmap='c$i gid ${map}'" || - return 1 done - out1=$(do_facet mgs $LCTL get_param nodemap.c${i}.idmap) - out2=$(do_facet ost0 $LCTL get_param nodemap.c${i}.idmap) - [ "$out1" != "$out2" ] && error "mgs and oss maps mismatch" + + wait_nm_sync c$i idmap + i=$((i + 1)) done return 0 @@ -1000,8 +950,6 @@ delete_fops_nodemaps() { local client for client in $clients; do do_facet mgs $LCTL nodemap_del c${i} || return 1 - do_servers_not_mgs $LCTL set_param nodemap.remove_nodemap=c$i || - return 1 i=$((i + 1)) done return 0 @@ -1028,8 +976,9 @@ fops_test_setup() { do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1 - do_servers_not_mgs $LCTL set_param nodemap.c0.admin_nodemap=1 - do_servers_not_mgs $LCTL set_param nodemap.c0.trusted_nodemap=1 + + wait_nm_sync c0 admin_nodemap + wait_nm_sync c0 trusted_nodemap do_node ${clients_arr[0]} rm -rf $DIR/$tdir nm_test_mkdir 
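Review bot: In create_fops_nodemaps, `client_ip=$(host_nids_address $client $NETTYPE)` is passed whole to `h2nettype`, while wait_nm_sync in this same commit trims the same helper's output with `| cut -d' ' -f1`, which suggests it can return several addresses. If that is so, `--range $client_nid` would receive more than one word on a multi-NID client and the range added to the nodemap would not be the intended one. Applying the same `| cut -d' ' -f1` here, or a comment explaining why it is unnecessary, would keep the two call sites consistent. The function starts outside the hunk.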
@@ -1039,12 +988,79 @@ fops_test_setup() { --property admin --value $admin do_facet mgs $LCTL nodemap_modify --name c0 \ --property trusted --value $trust - do_servers_not_mgs $LCTL set_param nodemap.c0.admin_nodemap=$admin - do_servers_not_mgs $LCTL set_param nodemap.c0.trusted_nodemap=$trust # flush MDT locks to make sure they are reacquired before test do_node ${clients_arr[0]} $LCTL set_param \ ldlm.namespaces.$FSNAME-MDT*.lru_size=clear + + wait_nm_sync c0 admin_nodemap + wait_nm_sync c0 trusted_nodemap +} + +# fileset test directory needs to be initialized on a privileged client +fileset_test_setup() { + local admin=$(do_facet mgs $LCTL get_param -n nodemap.c0.admin_nodemap) + local trust=$(do_facet mgs $LCTL get_param -n \ + nodemap.c0.trusted_nodemap) + + do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1 + do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1 + + wait_nm_sync c0 admin_nodemap + wait_nm_sync c0 trusted_nodemap + + # create directory and populate it for subdir mount + do_node ${clients_arr[0]} mkdir $MOUNT/$subdir || + error "unable to create dir $MOUNT/$subdir" + do_node ${clients_arr[0]} touch $MOUNT/$subdir/this_is_$subdir || + error "unable to create file $MOUNT/$subdir/this_is_$subdir" + do_node ${clients_arr[0]} mkdir $MOUNT/$subdir/$subsubdir || + error "unable to create dir $MOUNT/$subdir/$subsubdir" + do_node ${clients_arr[0]} touch \ + $MOUNT/$subdir/$subsubdir/this_is_$subsubdir || + error "unable to create file \ + $MOUNT/$subdir/$subsubdir/this_is_$subsubdir" + + do_facet mgs $LCTL nodemap_modify --name c0 \ + --property admin --value $admin + do_facet mgs $LCTL nodemap_modify --name c0 \ + --property trusted --value $trust + + # flush MDT locks to make sure they are reacquired before test + do_node ${clients_arr[0]} $LCTL set_param \ + ldlm.namespaces.$FSNAME-MDT*.lru_size=clear + + wait_nm_sync c0 admin_nodemap + wait_nm_sync c0 trusted_nodemap +} + +# fileset test directory needs to be 
initialized on a privileged client +fileset_test_cleanup() { + local admin=$(do_facet mgs $LCTL get_param -n nodemap.c0.admin_nodemap) + local trust=$(do_facet mgs $LCTL get_param -n \ + nodemap.c0.trusted_nodemap) + + do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1 + do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1 + + wait_nm_sync c0 admin_nodemap + wait_nm_sync c0 trusted_nodemap + + # cleanup directory created for subdir mount + do_node ${clients_arr[0]} rm -rf $MOUNT/$subdir || + error "unable to remove dir $MOUNT/$subdir" + + do_facet mgs $LCTL nodemap_modify --name c0 \ + --property admin --value $admin + do_facet mgs $LCTL nodemap_modify --name c0 \ + --property trusted --value $trust + + # flush MDT locks to make sure they are reacquired before test + do_node ${clients_arr[0]} $LCTL set_param \ + ldlm.namespaces.$FSNAME-MDT*.lru_size=clear + + wait_nm_sync c0 admin_nodemap + wait_nm_sync c0 trusted_nodemap } do_create_delete() { @@ -1079,8 +1095,8 @@ do_fops_quota_test() { local qused_high=$((qused_orig + quota_fuzz)) local qused_low=$((qused_orig - quota_fuzz)) local testfile=$DIR/$tdir/$tfile - chmod 777 $DIR/$tdir - $run_u dd if=/dev/zero of=$testfile bs=1M count=1 >& /dev/null + $run_u dd if=/dev/zero of=$testfile oflag=sync bs=1M count=1 \ + >& /dev/null || error "unable to write quota test file" sync; sync_all_data || true local qused_new=$(nodemap_check_quota "$run_u") @@ -1088,8 +1104,8 @@ do_fops_quota_test() { $((qused_new)) -gt $((qused_high + 1024)) ] && error "$qused_new != $qused_orig + 1M after write, " \ "fuzz is $quota_fuzz" - $run_u rm $testfile && d=1 - $NODEMAP_TEST_QUOTA && wait_delete_completed_mds + $run_u rm $testfile || error "unable to remove quota test file" + wait_delete_completed_mds qused_new=$(nodemap_check_quota "$run_u") [ $((qused_new)) -lt $((qused_low)) \ 
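Review bot: fileset_test_cleanup runs `rm -rf $MOUNT/$subdir` on a client, yet `subdir` is not a parameter; both new functions read `subdir` and `subsubdir` from the caller's locals. Called from any context that has not set them, the path collapses to `$MOUNT/` and the whole mount is removed while c0 is temporarily admin and trusted. `rm -rf ${MOUNT:?}/${subdir:?}` makes the expansion abort instead, and taking the two names as `$1`/`$2` would document the dependency. Both functions also call `error` between raising c0 to admin=1/trusted=1 and restoring the saved values, so a failure in the middle leaves the elevated settings in place unless the caller's cleanup resets them. The header comment on fileset_test_cleanup is a copy of the setup one and should say that the directory is removed.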
@@ -1169,6 +1185,68 @@ get_cr_del_expected() { echo $FAILURE } +test_fops_admin_cli_i="" +test_fops_chmod_dir() { + local current_cli_i=$1 + local perm_bits=$2 + local dir_to_chmod=$3 + local new_admin_cli_i="" + + # do we need to set up a new admin client? + [ "$current_cli_i" == "0" ] && [ "$test_fops_admin_cli_i" != "1" ] && + new_admin_cli_i=1 + [ "$current_cli_i" != "0" ] && [ "$test_fops_admin_cli_i" != "0" ] && + new_admin_cli_i=0 + + # if only one client, and non-admin, need to flip admin everytime + if [ "$num_clients" == "1" ]; then + test_fops_admin_client=$clients + test_fops_admin_val=$(do_facet mgs $LCTL get_param -n \ + nodemap.c0.admin_nodemap) + if [ "$test_fops_admin_val" != "1" ]; then + do_facet mgs $LCTL nodemap_modify \ + --name c0 \ + --property admin \ + --value 1 + wait_nm_sync c0 admin_nodemap + fi + elif [ "$new_admin_cli_i" != "" ]; then + # restore admin val to old admin client + if [ "$test_fops_admin_cli_i" != "" ] && + [ "$test_fops_admin_val" != "1" ]; then + do_facet mgs $LCTL nodemap_modify \ + --name c${test_fops_admin_cli_i} \ + --property admin \ + --value $test_fops_admin_val + wait_nm_sync c${test_fops_admin_cli_i} admin_nodemap + fi + + test_fops_admin_cli_i=$new_admin_cli_i + test_fops_admin_client=${clients_arr[$new_admin_cli_i]} + test_fops_admin_val=$(do_facet mgs $LCTL get_param -n \ + nodemap.c${new_admin_cli_i}.admin_nodemap) + + if [ "$test_fops_admin_val" != "1" ]; then + do_facet mgs $LCTL nodemap_modify \ + --name c${new_admin_cli_i} \ + --property admin \ + --value 1 + wait_nm_sync c${new_admin_cli_i} admin_nodemap + fi + fi + + do_node $test_fops_admin_client chmod $perm_bits $DIR/$tdir || return 1 + + # remove admin for single client if originally non-admin + if [ "$num_clients" == "1" ] && [ "$test_fops_admin_val" != "1" ]; then + do_facet mgs $LCTL nodemap_modify --name c0 --property admin \ + --value 0 + wait_nm_sync c0 admin_nodemap + fi + + return 0 +} + test_fops() { local mapmode="$1" local 
single_client="$2" @@ -1195,8 +1273,6 @@ test_fops() { local cli_i=0 for client in $clients; do local u - local admin=$(do_facet mgs $LCTL get_param -n \ - nodemap.c$cli_i.admin_nodemap) for u in ${client_user_list[$cli_i]}; do local run_u="do_node $client \ $RUNAS_CMD -u$u -g$u -G$u" @@ -1204,25 +1280,15 @@ test_fops() { local mode=$(printf %03o $perm_bits) local key key="$mapmode:$user:c$cli_i:$u:$mode" - do_facet mgs $LCTL nodemap_modify \ - --name c$cli_i \ - --property admin \ - --value 1 - do_servers_not_mgs $LCTL set_param \ - nodemap.c$cli_i.admin_nodemap=1 - do_node $client chmod $mode $DIR/$tdir \ - || error unable to chmod $key - do_facet mgs $LCTL nodemap_modify \ - --name c$cli_i \ - --property admin \ - --value $admin - do_servers_not_mgs $LCTL set_param \ - nodemap.c$cli_i.admin_nodemap=$admin - + test_fops_chmod_dir $cli_i $mode \ + $DIR/$tdir || + error cannot chmod $key do_create_delete "$run_u" "$key" done # check quota + test_fops_chmod_dir $cli_i 777 $DIR/$tdir || + error cannot chmod $key do_fops_quota_test "$run_u" done @@ -1244,7 +1310,9 @@ nodemap_version_check () { nodemap_test_setup() { local rc - local active_nodemap=$1 + local active_nodemap=1 + + [ "$1" == "0" ] && active_nodemap=0 do_nodes $(comma_list $(all_mdts_nodes)) \ $LCTL set_param mdt.*.identity_upcall=NONE 
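Review bot: `do_node $test_fops_admin_client chmod $perm_bits $DIR/$tdir || return 1` leaves test_fops_chmod_dir before the "remove admin for single client" block, so on a single-client run a failed chmod leaves nodemap c0 with admin=1 although it started without it. Recording the status keeps the restore on both paths: `local rc=0`, then `... chmod $perm_bits $dir_to_chmod || rc=1`, and `return $rc` at the end. The third parameter `dir_to_chmod` is otherwise never used, because the chmod hard-codes `$DIR/$tdir`. `test_fops_admin_client` and `test_fops_admin_val` are implicit globals that persist across calls and deserve a declaration and a comment next to `test_fops_admin_cli_i=""`.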
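Review bot: The quota-path call `test_fops_chmod_dir $cli_i 777 $DIR/$tdir || error cannot chmod $key` sits after the inner `done`, so `$key` still holds the last mode iterated by that loop rather than 777, and a failure is reported against the wrong case. A message such as `error "cannot chmod 777 for quota test on c$cli_i"` identifies it. Both new `error` calls also pass their message unquoted; quoting keeps it a single argument. test_fops starts and ends outside the hunk.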
@@ -1254,20 +1322,14 @@ nodemap_test_setup() { rc=$? [[ $rc != 0 ]] && error "adding fops nodemaps failed $rc" - if [ "$active_nodemap" == "0" ]; then - do_facet mgs $LCTL set_param nodemap.active=0 - do_servers_not_mgs $LCTL set_param nodemap.active=0 - return - fi + do_facet mgs $LCTL nodemap_activate $active_nodemap + wait_nm_sync active - do_facet mgs $LCTL nodemap_activate 1 - do_servers_not_mgs $LCTL set_param nodemap.active=1 do_facet mgs $LCTL nodemap_modify --name default \ --property admin --value 1 do_facet mgs $LCTL nodemap_modify --name default \ --property trusted --value 1 - do_servers_not_mgs $LCTL set_param nodemap.default.admin_nodemap=1 - do_servers_not_mgs $LCTL set_param nodemap.default.trusted_nodemap=1 + wait_nm_sync default trusted_nodemap } nodemap_test_cleanup() { @@ -1276,6 +1338,16 @@ nodemap_test_cleanup() { rc=$? [[ $rc != 0 ]] && error "removing fops nodemaps failed $rc" + do_facet mgs $LCTL nodemap_modify --name default \ + --property admin --value 0 + do_facet mgs $LCTL nodemap_modify --name default \ + --property trusted --value 0 + wait_nm_sync default trusted_nodemap + + do_facet mgs $LCTL nodemap_activate 0 + wait_nm_sync active 0 + + export SK_UNIQUE_NM=false return 0 } @@ -1286,14 +1358,12 @@ nodemap_clients_admin_trusted() { for client in $clients; do do_facet mgs $LCTL nodemap_modify --name c0 \ --property admin --value $admin - do_servers_not_mgs $LCTL set_param \ - nodemap.c${i}.admin_nodemap=$admin do_facet mgs $LCTL nodemap_modify --name c0 \ --property trusted --value $tr - do_servers_not_mgs $LCTL set_param \ - nodemap.c${i}.trusted_nodemap=$tr i=$((i + 1)) done + wait_nm_sync c$((i - 1)) admin_nodemap + wait_nm_sync c$((i - 1)) trusted_nodemap } test_16() { 
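Review bot: After changing both `admin` and `trusted` on the default nodemap, nodemap_test_setup waits only on `wait_nm_sync default trusted_nodemap`, so the tests start on the assumption that the earlier admin change has reached every server as well. The same single-property wait appears in nodemap_test_cleanup, test_21, test_22, the end of nodemap_acl_test_setup and both places in test_23, whereas fops_test_setup waits on both properties. If the MGS is guaranteed to propagate changes in order, a one-line comment saying so is enough; otherwise add `wait_nm_sync default admin_nodemap` and the c0/c1 equivalents. Note also that wait_nm_sync returns immediately for any key other than `active` while nodemap.active is 0, so with `active_nodemap=0` this wait verifies nothing.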
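Review bot: In nodemap_test_cleanup, `wait_nm_sync active 0` passes `0` in the key position, which wait_nm_sync discards when the nodemap name is `active`; the value argument stays empty. It behaves like `wait_nm_sync active`, but reads as if 0 were the expected value. Use `wait_nm_sync active` to match nodemap_test_setup. Moving the 0 to the third argument would not work as written, because the per-node output is read without `-n` and would be compared with a bare `0`.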
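Review bot: The new `wait_nm_sync c$((i - 1)) admin_nodemap` in nodemap_clients_admin_trusted waits on the last client's nodemap, but the two nodemap_modify calls left in the loop both name `--name c0`; the removed set_param lines were the only ones using `c${i}`. With more than one client the wait therefore checks a nodemap this function did not change, and the admin/trusted state the caller asked for is applied to c0 only. If every client is meant to be updated, the modify calls should use `--name c${i}`; if only c0 is intended, wait on `c0` and drop the loop.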
@@ -1362,13 +1432,11 @@ test_21() { --property admin --value 0 do_facet mgs $LCTL nodemap_modify --name c${i} \ --property trusted --value $x - do_servers_not_mgs $LCTL set_param \ - nodemap.c${i}.admin_nodemap=0 - do_servers_not_mgs $LCTL set_param \ - nodemap.c${i}.trusted_nodemap=$x x=0 i=$((i + 1)) done + wait_nm_sync c$((i - 1)) trusted_nodemap + test_fops mapped_trusted_noadmin nodemap_test_cleanup } @@ -1386,13 +1454,11 @@ test_22() { --property admin --value 1 do_facet mgs $LCTL nodemap_modify --name c${i} \ --property trusted --value $x - do_servers_not_mgs $LCTL set_param \ - nodemap.c${i}.admin_nodemap=1 - do_servers_not_mgs $LCTL set_param \ - nodemap.c${i}.trusted_nodemap=$x x=0 i=$((i + 1)) done + wait_nm_sync c$((i - 1)) trusted_nodemap + test_fops mapped_trusted_admin nodemap_test_cleanup } @@ -1406,8 +1472,9 @@ nodemap_acl_test_setup() { do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1 - do_servers_not_mgs $LCTL set_param nodemap.c0.admin_nodemap=1 - do_servers_not_mgs $LCTL set_param nodemap.c0.trusted_nodemap=1 + + wait_nm_sync c0 admin_nodemap + wait_nm_sync c0 trusted_nodemap do_node ${clients_arr[0]} rm -rf $DIR/$tdir nm_test_mkdir @@ -1418,9 +1485,8 @@ nodemap_acl_test_setup() { --property admin --value $admin do_facet mgs $LCTL nodemap_modify --name c0 \ --property trusted --value $trust - do_servers_not_mgs $LCTL set_param nodemap.c0.admin_nodemap=$admin - do_servers_not_mgs $LCTL set_param nodemap.c0.trusted_nodemap=$trust + wait_nm_sync c0 trusted_nodemap } # returns 0 if the number of ACLs does not change on the second (mapped) client 
@@ -1474,13 +1540,11 @@ test_23() { do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1 - do_servers_not_mgs $LCTL set_param nodemap.c0.admin_nodemap=1 - do_servers_not_mgs $LCTL set_param nodemap.c0.trusted_nodemap=1 do_facet mgs $LCTL nodemap_modify --name c1 --property admin --value 0 do_facet mgs $LCTL nodemap_modify --name c1 --property trusted --value 0 - do_servers_not_mgs $LCTL set_param nodemap.c1.admin_nodemap=0 - do_servers_not_mgs $LCTL set_param nodemap.c1.trusted_nodemap=0 + + wait_nm_sync c1 trusted_nodemap # setfacl on trusted cluster to unmapped user, verify it's not seen nodemap_acl_test $unmapped_fs ${clients_arr[0]} ${clients_arr[1]} || @@ -1501,8 +1565,8 @@ test_23() { # 2 mapped clusters do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 0 do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 0 - do_servers_not_mgs $LCTL set_param nodemap.c0.admin_nodemap=0 - do_servers_not_mgs $LCTL set_param nodemap.c0.trusted_nodemap=0 + + wait_nm_sync c0 trusted_nodemap # setfacl to mapped user on c1, also mapped to c0, verify it's seen nodemap_acl_test $mapped_c1 ${clients_arr[1]} ${clients_arr[0]} && 
@@ -1528,40 +1592,272 @@ test_24() { run_test 24 "check nodemap proc files for LBUGs and Oopses" test_25() { + local tmpfile=$(mktemp) + local tmpfile2=$(mktemp) + local tmpfile3=$(mktemp) + local tmpfile4=$(mktemp) + local subdir=c0dir + local client + nodemap_version_check || return 0 + + # stop clients for this test + zconf_umount_clients $CLIENTS $MOUNT || + error "unable to umount clients $CLIENTS" + + export SK_UNIQUE_NM=true nodemap_test_setup + # enable trusted/admin for setquota call in cleanup_and_setup_lustre() + i=0 + for client in $clients; do + do_facet mgs $LCTL nodemap_modify --name c${i} \ + --property admin --value 1 + do_facet mgs $LCTL nodemap_modify --name c${i} \ + --property trusted --value 1 + ((i++)) + done + wait_nm_sync c$((i - 1)) trusted_nodemap + trap nodemap_test_cleanup EXIT - local tmpfile=$(mktemp) + + # create a new, empty nodemap, and add fileset info to it + do_facet mgs $LCTL nodemap_add test25 || + error "unable to create nodemap $testname" + do_facet mgs $LCTL set_param -P nodemap.$testname.fileset=/$subdir || + error "unable to add fileset info to nodemap test25" + + wait_nm_sync test25 id + do_facet mgs $LCTL nodemap_info > $tmpfile - cleanup_and_setup_lustre - diff -q <(do_facet mgs $LCTL nodemap_info) $tmpfile >& /dev/null || - error "nodemap_info diff after remount" + do_facet mds $LCTL nodemap_info > $tmpfile2 + + if ! 
$SHARED_KEY; then + # will conflict with SK's nodemaps + cleanup_and_setup_lustre + fi + # stop clients for this test + zconf_umount_clients $CLIENTS $MOUNT || + error "unable to umount clients $CLIENTS" + + do_facet mgs $LCTL nodemap_info > $tmpfile3 + diff -q $tmpfile3 $tmpfile >& /dev/null || + error "nodemap_info diff on MGS after remount" + + do_facet mds $LCTL nodemap_info > $tmpfile4 + diff -q $tmpfile4 $tmpfile2 >& /dev/null || + error "nodemap_info diff on MDS after remount" + # cleanup nodemap + do_facet mgs $LCTL nodemap_del test25 || + error "cannot delete nodemap test25 from config" nodemap_test_cleanup - rm -f $tmpfile + # restart clients previously stopped + zconf_mount_clients $CLIENTS $MOUNT || + error "unable to mount clients $CLIENTS" + + rm -f $tmpfile $tmpfile2 + export SK_UNIQUE_NM=false } run_test 25 "test save and reload nodemap config" test_26() { nodemap_version_check || return 0 - local large_i=13000 + local large_i=32000 - for ((i = 0; i < large_i; i++)); do - ((i % 1000 == 0)) && echo $i - do_facet mgs $LCTL nodemap_add c$i || - error "cannot add nodemap $i to config" - done + do_facet mgs "seq -f 'c%g' $large_i | xargs -n1 $LCTL nodemap_add" + wait_nm_sync c$large_i admin_nodemap - for ((i = 0; i < large_i; i++)); do - ((i % 1000 == 0)) && echo $i - do_facet mgs $LCTL nodemap_del c$i || - error "cannot delete nodemap $i from config" - done + do_facet mgs "seq -f 'c%g' $large_i | xargs -n1 $LCTL nodemap_del" + wait_nm_sync c$large_i admin_nodemap } run_test 26 "test transferring very large nodemap" +test_27() { + local subdir=c0dir + local subsubdir=c0subdir + local fileset_on_mgs="" + local loop=0 + + nodemap_test_setup + if $SHARED_KEY; then + export SK_UNIQUE_NM=true + else + # will conflict with SK's nodemaps + trap nodemap_test_cleanup EXIT + fi + + fileset_test_setup + + # add fileset info to nodemap + do_facet mgs $LCTL set_param -P nodemap.c0.fileset=/$subdir || + error "unable to add fileset info to nodemap c0" + wait_nm_sync 
c0 fileset "nodemap.c0.fileset=/$subdir" + + # re-mount client + zconf_umount_clients ${clients_arr[0]} $MOUNT || + error "unable to umount client ${clients_arr[0]}" + # set some generic fileset to trigger SSK code + export FILESET=/ + zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS || + error "unable to remount client ${clients_arr[0]}" + unset FILESET + + # test mount point content + do_node ${clients_arr[0]} test -f $MOUNT/this_is_$subdir || + error "fileset not taken into account" + + # re-mount client with sub-subdir + zconf_umount_clients ${clients_arr[0]} $MOUNT || + error "unable to umount client ${clients_arr[0]}" + export FILESET=/$subsubdir + zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS || + error "unable to remount client ${clients_arr[0]}" + unset FILESET + + # test mount point content + do_node ${clients_arr[0]} test -f $MOUNT/this_is_$subsubdir || + error "subdir of fileset not taken into account" + + # remove fileset info from nodemap + do_facet mgs $LCTL nodemap_set_fileset --name c0 --fileset \'\' || + error "unable to delete fileset info on nodemap c0" + fileset_on_mgs=$(do_facet mgs $LCTL get_param nodemap.c0.fileset) + while [ "${fileset_on_mgs}" != "nodemap.c0.fileset=" ]; do + if [ $loop -eq 10 ]; then + error "On MGS, fileset cannnot be cleared" + break; + else + loop=$((loop+1)) + echo "On MGS, fileset is still ${fileset_on_mgs}, waiting..." 
+ sleep 20; + fi + fileset_on_mgs=$(do_facet mgs $LCTL get_param nodemap.c0.fileset) + done + do_facet mgs $LCTL set_param -P nodemap.c0.fileset=\'\' || + error "unable to reset fileset info on nodemap c0" + wait_nm_sync c0 fileset + + # re-mount client + zconf_umount_clients ${clients_arr[0]} $MOUNT || + error "unable to umount client ${clients_arr[0]}" + zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS || + error "unable to remount client ${clients_arr[0]}" + + # test mount point content + do_node ${clients_arr[0]} test -d $MOUNT/$subdir || + (ls $MOUNT ; error "fileset not cleared on nodemap c0") + + # back to non-nodemap setup + if $SHARED_KEY; then + export SK_UNIQUE_NM=false + zconf_umount_clients ${clients_arr[0]} $MOUNT || + error "unable to umount client ${clients_arr[0]}" + fi + fileset_test_cleanup + nodemap_test_cleanup + if $SHARED_KEY; then + zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS || + error "unable to remount client ${clients_arr[0]}" + fi +} +run_test 27 "test fileset in nodemap" + +test_28() { + if ! $SHARED_KEY; then + skip "need shared key feature for this test" && return + fi + mkdir -p $DIR/$tdir || error "mkdir failed" + touch $DIR/$tdir/$tdir.out || error "touch failed" + if [ ! -f $DIR/$tdir/$tdir.out ]; then + error "read before rotation failed" + fi + # store top key identity to ensure rotation has occurred + SK_IDENTITY_OLD=$(lctl get_param *.*.*srpc* | grep "expire" | + head -1 | awk '{print $15}' | cut -c1-8) + do_facet $SINGLEMDS lfs flushctx || + error "could not run flushctx on $SINGLEMDS" + sleep 5 + lfs flushctx || error "could not run flushctx on client" + sleep 5 + # verify new key is in place + SK_IDENTITY_NEW=$(lctl get_param *.*.*srpc* | grep "expire" | + head -1 | awk '{print $15}' | cut -c1-8) + if [ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]; then + error "key did not rotate correctly" + fi + if [ ! 
-f $DIR/$tdir/$tdir.out ]; then + error "read after rotation failed" + fi +} +run_test 28 "check shared key rotation method" + +test_29() { + if ! $SHARED_KEY; then + skip "need shared key feature for this test" && return + fi + if [ $SK_FLAVOR != "ski" ] && [ $SK_FLAVOR != "skpi" ]; then + skip "test only valid if integrity is active" + fi + rm -r $DIR/$tdir + mkdir $DIR/$tdir || error "mkdir" + touch $DIR/$tdir/$tfile || error "touch" + zconf_umount_clients ${clients_arr[0]} $MOUNT || + error "unable to umount clients" + keyctl show | awk '/lustre/ { print $1 }' | + xargs -IX keyctl unlink X + OLD_SK_PATH=$SK_PATH + export SK_PATH=/dev/null + if zconf_mount_clients ${clients_arr[0]} $MOUNT; then + export SK_PATH=$OLD_SK_PATH + if [ -e $DIR/$tdir/$tfile ]; then + error "able to mount and read without key" + else + error "able to mount without key" + fi + else + export SK_PATH=$OLD_SK_PATH + keyctl show | awk '/lustre/ { print $1 }' | + xargs -IX keyctl unlink X + fi +} +run_test 29 "check for missing shared key" + +test_30() { + if ! 
$SHARED_KEY; then + skip "need shared key feature for this test" && return + fi + if [ $SK_FLAVOR != "ski" ] && [ $SK_FLAVOR != "skpi" ]; then + skip "test only valid if integrity is active" + fi + mkdir -p $DIR/$tdir || error "mkdir failed" + touch $DIR/$tdir/$tdir.out || error "touch failed" + zconf_umount_clients ${clients_arr[0]} $MOUNT || + error "unable to umount clients" + # unload keys from ring + keyctl show | awk '/lustre/ { print $1 }' | + xargs -IX keyctl unlink X + # invalidate the key with bogus filesystem name + lgss_sk -w $SK_PATH/$FSNAME-bogus.key -f $FSNAME.bogus \ + -t client -d /dev/urandom || error "lgss_sk failed (1)" + do_facet $SINGLEMDS lfs flushctx || error "could not run flushctx" + OLD_SK_PATH=$SK_PATH + export SK_PATH=$SK_PATH/$FSNAME-bogus.key + if zconf_mount_clients ${clients_arr[0]} $MOUNT; then + SK_PATH=$OLD_SK_PATH + if [ -a $DIR/$tdir/$tdir.out ]; then + error "mount and read file with invalid key" + else + error "mount with invalid key" + fi + fi + SK_PATH=$OLD_SK_PATH + zconf_umount_clients ${clients_arr[0]} $MOUNT || + error "unable to umount clients" +} +run_test 30 "check for invalid shared key" + log "cleanup: ======================================================" sec_unsetup() {
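Review bot: In test_29 and test_30 the second guard, `skip "test only valid if integrity is active"`, has no `&& return`, so, judging by the `&& return` on the SHARED_KEY guard just above it, the body still runs with any other SK_FLAVOR: it unmounts the client, unlinks the lustre keys from the keyring and attempts a mount with a missing or bogus key. It should read `skip "test only valid if integrity is active" && return`. In test_28, `[ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]` is unquoted, so if either read comes back empty the test expression is malformed, evaluates false, and the rotation check passes without a new key having been observed; quote both sides and fail when either is empty. In test_25, `nodemap.$testname.fileset` and the first error message use `$testname`, which the function never sets, while the nodemap is created as `test25`, and only two of the four mktemp files are removed. test_30 also leaves `$SK_PATH/$FSNAME-bogus.key` on disk after the run.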