From 9fc12ca7f29bd70be19471c2b9143d50d2e24eda Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Mon, 13 Nov 2023 11:03:38 +0100 Subject: [PATCH] LU-17173 tests: fix security related tests Several cleanups required in security related tests. In sanity-krb5, in order to get proper access to keyrings, use su - instead of runas to initialize process more completely. Also fix use of 'lfs flushctx', as some tests do not call it properly. And in test_8, avoid waiting arbitrarily and change fail_loc to just sleep once. In sanity-krb5 and sanity-sec, fix parameters passed to start_gss_daemons(). Test-Parameters: trivial Test-Parameters: kerberos=true testlist=sanity-krb5 Test-Parameters: testgroup=review-dne-selinux-ssk-part-2 Signed-off-by: Sebastien Buisson Change-Id: I4598ae5a7d28afbc39d7cc2d0afd1096d877d03b Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/53012 Tested-by: jenkins Tested-by: Maloo Reviewed-by: Aurelien Degremont Reviewed-by: Oleg Drokin Reviewed-by: Andreas Dilger --- lustre/tests/sanity-krb5.sh | 29 ++++++++++++++++++----------- lustre/tests/sanity-sec.sh | 16 ++++++++-------- lustre/tests/test-framework.sh | 24 +++++++++++++++++++----- 3 files changed, 45 insertions(+), 24 deletions(-) diff --git a/lustre/tests/sanity-krb5.sh b/lustre/tests/sanity-krb5.sh index cbfce32..656fb2e 100755 --- a/lustre/tests/sanity-krb5.sh +++ b/lustre/tests/sanity-krb5.sh @@ -37,6 +37,11 @@ DBENCH_PID=0 GSS=true GSS_KRB5=true +# Overwrite RUNAS command to use su - instead, +# to initialize the process more completely. +# This is required to get proper access to keyrings. +RUNAS="runas_su $(id -n -u $RUNAS_ID)" + check_krb_env() { which klist || skip "Kerberos env not setup" which kinit || skip "Kerberos env not setup" 
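Review bot: `RUNAS="runas_su $(id -n -u $RUNAS_ID)"` resolves the login name once at source time with no check, so when $RUNAS_ID has no passwd entry `id` fails, RUNAS becomes `runas_su ` with an empty user, and runas_su then runs `su - -c …`, which su treats as root — every "must fail as the unprivileged user" check in this file would then be exercised as root. Quote the expansion and fail loudly instead, e.g. `RUNAS_USER=$(id -n -u "$RUNAS_ID") || error "no passwd entry for uid $RUNAS_ID"` followed by `RUNAS="runas_su $RUNAS_USER"` (use `skip` if that suits this file's setup path better). The comment above the assignment should also state that, unlike runas, this path needs a resolvable login name and a login shell for $RUNAS_ID.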
@@ -294,7 +299,7 @@ test_3() { $RUNAS $LFS flushctx -k -r $MOUNT || error "can't flush context" echo "destroyed credentials/contexs for $RUNAS_ID" $RUNAS $CHECKSTAT -p 0666 $file && error "checkstat succeed" - kill -s 10 $OPPID + kill -s 10 $(pgrep -u $USER0 $MULTIOP) wait $OPPID || error "read file data failed" echo "read file data OK" @@ -335,7 +340,7 @@ test_5() { # restart lsvcgssd, expect touch succeed echo "restart $LSVCGSSD and recovering" - start_gss_daemons $(comma_list $(mdts_nodes)) "$LSVCGSSD -vvv" + start_gss_daemons $(comma_list $(mdts_nodes)) $LSVCGSSD "-vvv" sleep 5 check_gss_daemon_nodes $(comma_list $(mdts_nodes)) $LSVCGSSD $RUNAS touch $file2 || error "should not fail now" @@ -396,6 +401,12 @@ test_8() mkdir -p $DIR/$tdir chmod a+w $DIR/$tdir + $RUNAS ls $DIR/$tdir + $RUNAS keyctl show @u + echo Flushing gss ctxs + $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" + $RUNAS keyctl show @u + $LCTL dk > /dev/null debugsave stack_trap debugrestore EXIT @@ -414,19 +425,15 @@ test_8() # sleep sometime in ctx handle do_facet $SINGLEMDS $LCTL set_param fail_val=$req_delay - #define OBD_FAIL_SEC_CTX_HDL_PAUSE 0x1204 - do_facet $SINGLEMDS $LCTL set_param fail_loc=0x1204 - - $RUNAS $LFS flushctx -k -r $MOUNT || - error "can't flush context on $MOUNT" - restore_krb5_cred + #define OBD_FAIL_SEC_CTX_HDL_PAUSE 0x00001204 + #define CFS_FAIL_ONCE 0x80000000 + do_facet $SINGLEMDS $LCTL set_param fail_loc=0x80001204 $RUNAS touch $DIR/$tdir/$tfile & TOUCHPID=$! echo "waiting for touch (pid $TOUCHPID) to finish..." - sleep 30 # give it a chance to really trigger context init rpc - do_facet $SINGLEMDS $LCTL set_param fail_loc=0 wait $TOUCHPID || error "touch should have succeeded" + $RUNAS keyctl show @u $LCTL dk | grep -i "Early reply #" || error "No early reply" } 
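Review bot: `kill -s 10 $(pgrep -u $USER0 $MULTIOP)` signals whatever pgrep returns and nothing checks that result: with no match the command degenerates to `kill -s 10` and the test dies on a usage error instead of a clear message, and with several matches every multiop owned by that user is signalled. $MULTIOP looks like a path, and pgrep without -f matches only the process name, so the pattern may never match (presumably $MULTIOP and $USER0 are defined elsewhere in the file — verify). Capture and check the pid first: `local mpid; mpid=$(pgrep -u $USER0 -x "${MULTIOP##*/}") || error "multiop not running as $USER0"` and then `kill -s 10 $mpid`. test_3 continues outside the hunk on both sides.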
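Review bot: Dropping `do_facet $SINGLEMDS $LCTL set_param fail_loc=0` leaves the MDS fail_loc at 0x80001204 whenever the touch does not actually hit OBD_FAIL_SEC_CTX_HDL_PAUSE (for instance if the earlier flushctx did not force a fresh context): CFS_FAIL_ONCE clears the flag on its first hit, not on test exit, so the pause would fire in a later test. Register the reset as a trap right after the set_param, `stack_trap "do_facet $SINGLEMDS $LCTL set_param fail_loc=0" EXIT`, which matches how debugrestore is handled earlier in test_8. The `$RUNAS keyctl show @u` lines are diagnostics only; a short comment such as `# debugging aid: dump the user keyring before/after the ctx init` would keep a reader from taking them for assertions. test_8 starts before this hunk.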
@@ -755,7 +762,7 @@ test_151() { stopall # start gss daemon on mgs node - combined_mgs_mds || start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv" + combined_mgs_mds || start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv" # start mgs start mgs $(mgsdevname 1) $MDS_MOUNT_OPTS diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh index 4f1b8ba..b654679 100755 --- a/lustre/tests/sanity-sec.sh +++ b/lustre/tests/sanity-sec.sh @@ -2222,7 +2222,7 @@ test_28() { error "read before rotation failed" fi # store top key identity to ensure rotation has occurred - SK_IDENTITY_OLD=$(lctl get_param *.*.*srpc* | grep "expire" | + SK_IDENTITY_OLD=$(lctl get_param *.*.*srpc* 2>/dev/null | grep "expire"| head -1 | awk '{print $15}' | cut -c1-8) do_facet $SINGLEMDS lfs flushctx || error "could not run flushctx on $SINGLEMDS" @@ -2230,7 +2230,7 @@ test_28() { lfs flushctx || error "could not run flushctx on client" sleep 5 # verify new key is in place - SK_IDENTITY_NEW=$(lctl get_param *.*.*srpc* | grep "expire" | + SK_IDENTITY_NEW=$(lctl get_param *.*.*srpc* 2>/dev/null | grep "expire"| head -1 | awk '{print $15}' | cut -c1-8) if [ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]; then error "key did not rotate correctly" @@ -2536,7 +2536,7 @@ cleanup_32() { # re-start gss daemon on MDS if necessary if combined_mgs_mds ; then - start_gss_daemons $mds_HOST "$LSVCGSSD -vvv -s -m -o -z" + start_gss_daemons $mds_HOST $LSVCGSSD "-vvv -s -m -o -z" fi # re-mount client @@ -2572,9 +2572,9 @@ test_32() { # start gss daemon on MGS if combined_mgs_mds ; then - start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g -m -o -z" + start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g -m -o -z" else - start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g" + start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g" fi # add mgs key type and MGS NIDs in key on MGS 
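Review bot: Adding `2>/dev/null` to `lctl get_param *.*.*srpc*` hides the failure mode the rotation check depends on: if get_param fails or prints no "expire" line, SK_IDENTITY_OLD is empty, and the later unquoted `[ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]` then becomes `[ == <new> ]`, a test(1) syntax error whose non-zero status skips the error branch, so a key that never rotated passes; with both values empty it becomes `[ == ]`, which is true and reports the misleading "key did not rotate correctly". The same applies to the SK_IDENTITY_NEW assignment in the next hunk (@@ -2230). Assert the value right after each assignment, `[ -n "$SK_IDENTITY_OLD" ] || error "could not read key identity before rotation"`, and quote both sides of the comparison: `if [ "$SK_IDENTITY_OLD" == "$SK_IDENTITY_NEW" ]; then`. test_28 starts and ends outside these hunks.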
@@ -2658,7 +2658,7 @@ cleanup_33() { # re-start gss daemon on MDS if necessary if combined_mgs_mds ; then - start_gss_daemons $mds_HOST "$LSVCGSSD -vvv -s -m -o -z" + start_gss_daemons $mds_HOST $LSVCGSSD "-vvv -s -m -o -z" fi # re-mount client @@ -2694,9 +2694,9 @@ test_33() { # start gss daemon on MGS if combined_mgs_mds ; then - start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g -m -o -z" + start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g -m -o -z" else - start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g" + start_gss_daemons $mgs_HOST $LSVCGSSD "-vvv -s -g" fi # add mgs key type and MGS NIDs in key on MGS diff --git a/lustre/tests/test-framework.sh b/lustre/tests/test-framework.sh index 749b2ba..430e1ea 100755 --- a/lustre/tests/test-framework.sh +++ b/lustre/tests/test-framework.sh @@ -1171,6 +1171,19 @@ fs_inode_ksize() { echo -n $size } +runas_su() { + local user=$1 + local cmd=$2 + shift 2 + local opts="$*" + + if $VERBOSE; then + echo Running as $user: $cmd $opts + fi + cmd=$(which $cmd) + su - $user -c "$cmd $opts" +} + check_gss_daemon_nodes() { local list=$1 local dname=$2 @@ -1179,6 +1192,7 @@ check_gss_daemon_nodes() { local node local ret + dname=$(basename "$dname" | awk '{print $1}') do_nodesv $list "num=\\\$(ps -o cmd -C $dname | grep $dname | wc -l); if [ \\\"\\\$num\\\" -ne 1 ]; then echo \\\$num instance of $dname; @@ -1205,7 +1219,8 @@ check_gss_daemon_facet() { local facet=$1 local dname=$2 - num=`do_facet $facet ps -o cmd -C $dname | grep $dname | wc -l` + dname=$(basename "$dname" | awk '{print $1}') + num=$(do_facet $facet ps -o cmd -C $dname | grep $dname | wc -l) if [ $num -ne 1 ]; then echo "$num instance of $dname on $facet" return 1 @@ -1230,7 +1245,7 @@ start_gss_daemons() { if [ "$nodes" ] && [ "$daemon" ] ; then echo "Starting gss daemon on nodes: $nodes" do_nodes $nodes "$daemon" "$options" || return 8 - check_gss_daemon_nodes $nodes lsvcgssd || return 9 + check_gss_daemon_nodes $nodes "$daemon" || return 9 return 0 fi 
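Review bot: runas_su flattens its arguments with `local opts="$*"` and hands them to a login shell as `su - $user -c "$cmd $opts"`, so every argument is re-split and re-globbed by that shell; a path with a space, a `*` or a quote in any `$RUNAS …` call is silently mangled, and an empty $user turns the command into `su - -c …`, i.e. root. `cmd=$(which $cmd)` is unchecked as well, so an unknown command yields `su - user -c " args"`. A header comment stating the contract (run $cmd with its arguments as $user through a full login so keyring and session setup match an interactive login; requires a passwd entry and a login shell for $user) plus the rewrite below would close these; the `%q` quoting assumes the target user's login shell is bash — verify. check_gss_daemon_nodes, whose head is also in this hunk, continues outside it.
```shell
runas_su() {
	local user=$1
	local cmd=$2
	shift 2
	local opts

	[[ -n "$user" ]] || { echo "runas_su: empty user" >&2; return 1; }
	# resolve in the caller's PATH; the login shell may have a different one
	cmd=$(which "$cmd") || return 1
	# re-quote each argument so the login shell sees the same words
	opts=$(printf '%q ' "$@")
	if $VERBOSE; then
		echo "Running as $user: $cmd $opts"
	fi
	su - "$user" -c "$cmd $opts"
}
```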
@@ -1261,7 +1276,7 @@ start_gss_daemons() { # check daemons are running # nodes=$(comma_list $(mdts_nodes) $(osts_nodes)) - check_gss_daemon_nodes $nodes lsvcgssd || return 5 + check_gss_daemon_nodes $nodes "$LSVCGSSD" || return 5 } stop_gss_daemons() { @@ -7955,8 +7970,7 @@ check_runas_id_ret() { mkdir $DIR/d0_runas_test chmod 0755 $DIR chown $myRUNAS_UID:$myRUNAS_GID $DIR/d0_runas_test - $myRUNAS -u $myRUNAS_UID -g $myRUNAS_GID touch $DIR/d0_runas_test/f$$ || - myRC=$? + $myRUNAS touch $DIR/d0_runas_test/f$$ || myRC=$? rm -rf $DIR/d0_runas_test return $myRC } -- 1.8.3.1
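Review bot: Replacing `$myRUNAS -u $myRUNAS_UID -g $myRUNAS_GID touch …` with `$myRUNAS touch …` means the function no longer ties the command it runs to the $myRUNAS_UID/$myRUNAS_GID it was given: those parameters now only feed the chown, and a $myRUNAS that actually runs as root (as the new runas_su wrapper does when its user argument ends up empty) still succeeds on the 0755 directory, so the identity check passes without checking identity. Add an explicit probe before the touch, `[ "$($myRUNAS id -u)" = "$myRUNAS_UID" ] || myRC=1`, and a comment on the function saying that $myRUNAS is now expected to already carry the uid/gid. check_runas_id_ret starts outside the hunk.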