From 9f1fdbb921e2be21a06498a324d3c983b1742105 Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Thu, 3 Nov 2022 17:18:05 +0100 Subject: [PATCH] LUDOC-505 sec: nodemap must be used for root squash Nodemap is the preferred way to implement root squash, so it should be documented to use it instead of the legacy root squash mechanism. Signed-off-by: Sebastien Buisson Change-Id: Ie453d843eced825b0e381f6a02cb2676bc8da3a1 Reviewed-on: https://review.whamcloud.com/c/doc/manual/+/49031 Tested-by: jenkins Reviewed-by: Andreas Dilger --- LustreNodemap.xml | 4 +- ManagingSecurity.xml | 175 ++++----------------------------------------------- 2 files changed, 13 insertions(+), 166 deletions(-) diff --git a/LustreNodemap.xml b/LustreNodemap.xml index 8f0d08c..5113b39 100644 --- a/LustreNodemap.xml +++ b/LustreNodemap.xml @@ -271,7 +271,7 @@ drwxr-xr-x 3 root root 4096 Jul 23 09:02 .. explicit label such as “TrustedSystems” or some identifier that makes the association clear. -
+
Managing the Properties Several properties exist, off by default, which change @@ -365,7 +365,7 @@ mgs# lctl nodemap_modify --name BirdAdminSite --prope change is distributed.
-
+
Mixing Properties With both admin and trusted diff --git a/ManagingSecurity.xml b/ManagingSecurity.xml index 6eeab96..262f29c 100644 --- a/ManagingSecurity.xml +++ b/ManagingSecurity.xml @@ -146,173 +146,20 @@ other::--- rights to a Lustre file system. Without the root squash feature enabled, Lustre file system users on untrusted clients could access or modify files owned by root on the file system, including deleting them. Using the root - squash feature restricts file access/modifications as the root user to - only the specified clients. Note, however, that this does - not prevent users on insecure clients from accessing - files owned by other users. + squash feature restricts file access/modifications as the root user. + Note, however, that this does not prevent users + from accessing files owned by other users. The root squash feature works by re-mapping the user ID (UID) and group ID (GID) of the root user to a UID and GID specified by the system - administrator, via the Lustre configuration management server (MGS). The - root squash feature also enables the Lustre file system administrator to - specify a set of client for which UID/GID re-mapping does not apply. + administrator. The preferred way to configure root squash is via nodemaps + and the admin property. Nodemaps allow root squash on a + per-client basis. With UID maps, the clients can even have a local root + UID without actually having root access to the filesystem itself. + + Please refer to explanations about the admin + property in the chapter dedicated to Nodemaps, in + . - Nodemaps () are an - alternative to root squash, since it also allows root squash on a per-client - basis. With UID maps, the clients can even have a local root UID without - actually having root access to the filesystem itself. -
- <indexterm> - <primary>root squash</primary> - <secondary>configuring</secondary> - </indexterm>Configuring Root Squash - Root squash functionality is managed by two configuration - parameters, root_squash and - nosquash_nids. - - - The root_squash parameter specifies the UID - and GID with which the root user accesses the Lustre file system. - - - - The nosquash_nids parameter specifies the set - of clients to which root squash does not apply. LNet NID range - syntax is used for this parameter (see the NID range syntax rules - described in ). For - example: - - - nosquash_nids=172.16.245.[0-255/2]@tcp - In this example, root squash does not apply to TCP clients on subnet - 172.16.245.0 that have an even number as the last component of their IP - address. -
-
- <indexterm> - <primary>root squash</primary><secondary>enabling</secondary> - </indexterm>Enabling and Tuning Root Squash - The default value for nosquash_nids is NULL, - which means that root squashing applies to all clients. Setting the root - squash UID and GID to 0 turns root squash off. - Root squash parameters can be set when the MDT is created - (mkfs.lustre --mdt). For example: - mds# mkfs.lustre --reformat --fsname=testfs --mdt --mgs \ - --param "mdt.root_squash=500:501" \ - --param "mdt.nosquash_nids='0@elan1 192.168.1.[10,11]'" /dev/sda1 - Root squash parameters can also be changed on an unmounted device - with tunefs.lustre. For example: - tunefs.lustre --param "mdt.root_squash=65534:65534" \ ---param "mdt.nosquash_nids=192.168.0.13@tcp0" /dev/sda1 - - Root squash parameters can also be changed with the - lctl conf_param command. For example: - mgs# lctl conf_param testfs.mdt.root_squash="1000:101" -mgs# lctl conf_param testfs.mdt.nosquash_nids="*@tcp" - To retrieve the current root squash parameter settings, the - following lctl get_param commands can be used: - mgs# lctl get_param mdt.*.root_squash -mgs# lctl get_param mdt.*.nosquash_nids - - When using the lctl conf_param command, keep in mind: - - - lctl conf_param must be run on a live MGS - - - - lctl conf_param causes the parameter to - change on all MDSs - - - lctl conf_param is to be used once per a - parameter - - - - The root squash settings can also be changed temporarily with - lctl set_param or persistently with - lctl set_param -P. For example: - mgs# lctl set_param mdt.testfs-MDT0000.root_squash="1:0" -mgs# lctl set_param -P mdt.testfs-MDT0000.root_squash="1:0" - The nosquash_nids list can be cleared with: - mgs# lctl conf_param testfs.mdt.nosquash_nids="NONE" - - OR - - mgs# lctl conf_param testfs.mdt.nosquash_nids="clear" - If the nosquash_nids value consists of several - NID ranges (e.g. 
0@elan, 1@elan1), - the list of NID ranges must be quoted with single (') or double - ('') quotation marks. List elements must be separated with a - space. For example: - mds# mkfs.lustre ... --param "mdt.nosquash_nids='0@elan1 1@elan2'" /dev/sda1 -lctl conf_param testfs.mdt.nosquash_nids="24@elan 15@elan1" - These are examples of incorrect syntax: - mds# mkfs.lustre ... --param "mdt.nosquash_nids=0@elan1 1@elan2" /dev/sda1 -lctl conf_param testfs.mdt.nosquash_nids=24@elan 15@elan1 - To check root squash parameters, use the lctl get_param command: - - mds# lctl get_param mdt.testfs-MDT0000.root_squash -lctl get_param mdt.*.nosquash_nids - - An empty nosquash_nids list is reported as NONE. - -
-
- <indexterm> - <primary>root squash</primary> - <secondary>tips</secondary> - </indexterm>Tips on Using Root Squash - Lustre configuration management limits root squash in several ways. - - - - The lctl conf_param value overwrites the - parameter's previous value. If the new value uses an incorrect - syntax, then the system continues with the old parameters and the - previously-correct value is lost on remount. That is, be careful - doing root squash tuning. - - - mkfs.lustre and - tunefs.lustre do not perform parameter syntax - checking. If the root squash parameters are incorrect, they are - ignored on mount and the default values are used instead. - - - Root squash parameters are parsed with rigorous syntax checking. - The root_squash parameter should be specified as - <decnum>:<decnum>. The - nosquash_nids parameter should follow LNet NID - range list syntax. - - - LNet NID range syntax: - <nidlist> :== <nidrange> [ ' ' <nidrange> ] -<nidrange> :== <addrrange> '@' <net> -<addrrange> :== '*' | - <ipaddr_range> | - <numaddr_range> -<ipaddr_range> :== -<numaddr_range>.<numaddr_range>.<numaddr_range>.<numaddr_range> -<numaddr_range> :== <number> | - <expr_list> -<expr_list> :== '[' <range_expr> [ ',' <range_expr>] ']' -<range_expr> :== <number> | - <number> '-' <number> | - <number> '-' <number> '/' <number> -<net> :== <netname> | <netname><number> -<netname> :== "lo" | "tcp" | "o2ib" - | "ra" | "elan" -<number> :== <nonnegative decimal> | <hexadecimal> - - For networks using numeric addresses (e.g. elan), the address - range must be specified in the - <numaddr_range> syntax. For networks using - IP addresses, the address range must be in the - <ipaddr_range>. For example, if elan is using - numeric addresses, 1.2.3.4@elan is incorrect. - - -
<indexterm><primary>Isolation</primary></indexterm> -- 1.8.3.1
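Review bot: in the ManagingSecurity.xml hunk (@@ -146,173 +146,20), every mention of the legacy mdt.root_squash and mdt.nosquash_nids parameters is dropped, including the `lctl get_param mdt.*.root_squash` and `lctl get_param mdt.*.nosquash_nids` commands for inspecting them, yet nothing in the patch states that those parameters were removed from Lustre, so an administrator who still has them set on an MDT has no pointer left in the manual for finding or migrating that configuration. Suggest keeping a short deprecation paragraph after the new nodemap text, along the lines of "The legacy mdt.root_squash and mdt.nosquash_nids parameters are superseded by nodemap; check existing settings with lctl get_param mdt.*.root_squash and mdt.*.nosquash_nids before migrating." Two smaller points on the added lines: the retained sentence says root is re-mapped "to a UID and GID specified by the system administrator", but the new text names only the admin property, which decides whether root is squashed, not what it is squashed to, so either name the nodemap property that carries the squash UID/GID or make sure the xref target covers it; and "Please refer to explanations about the admin property in the chapter dedicated to Nodemaps, in ." reads awkwardly, "See the description of the admin property in" would be tighter.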
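Review bot: the two LustreNodemap.xml hunks (@@ -271,7 and @@ -365,7) each change only a section start line, which matches the 2 insertions and 2 deletions in the diffstat, and the patch description ties them to the new cross-reference from ManagingSecurity.xml ("in the chapter dedicated to Nodemaps, in ."). If these lines are the anchors for that xref, confirm that the identifier introduced here and the linkend used in ManagingSecurity.xml agree exactly and that the manual builds cleanly, since a dangling linkend is only reported at build time and would leave the new paragraph pointing nowhere.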