3 # Run select tests by setting ONLY, or as arguments to the script.
4 # Skip specific tests by setting EXCEPT.
10 [ "$EXCEPT" ] && echo "Skipping tests: `echo $EXCEPT`"
13 export PATH=$PWD/$SRCDIR:$SRCDIR:$PWD/$SRCDIR/../utils:$PATH:/sbin
14 export NAME=${NAME:-local}
16 LUSTRE=${LUSTRE:-`dirname $0`/..}
17 . $LUSTRE/tests/test-framework.sh
19 . ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
21 RUNAS=${RUNAS:-"$LUSTRE/tests/runas"}
22 WTL=${WTL:-"$LUSTRE/tests/write_time_limit"}
25 PERM_CONF=$CONFDIR/perm.conf
26 SANITYSECLOG=${TESTSUITELOG:-$TMP/$(basename $0 .sh).log}
29 remote_mds_nodsh && skip "remote MDS with nodsh" && exit 0
30 remote_ost_nodsh && skip "remote OST with nodsh" && exit 0
34 USER0=`cat /etc/passwd|grep :$ID0:$ID0:|cut -d: -f1`
35 USER1=`cat /etc/passwd|grep :$ID1:$ID1:|cut -d: -f1`
38 echo "Please add user0 (uid=$ID0 gid=$ID0)! Skip sanity-sec" && exit 0
41 echo "Please add user1 (uid=$ID1 gid=$ID1)! Skip sanity-sec" && exit 0
43 check_and_setup_lustre
46 if [ "$I_MOUNTED" = "yes" ]; then
47 cleanupall -f || error "sec_cleanup"
52 [ -z "`echo $DIR | grep $MOUNT`" ] && \
53 error "$DIR not in $MOUNT" && sec_cleanup && exit 1
55 [ `echo $MOUNT | wc -w` -gt 1 ] && \
56 echo "NAME=$MOUNT mounted more than once" && sec_cleanup && exit 0
58 [ $MDSCOUNT -gt 1 ] && \
59 echo "skip multi-MDS test" && sec_cleanup && exit 0
62 GSS_REF=$(lsmod | grep ^ptlrpc_gss | awk '{print $3}')
63 if [ ! -z "$GSS_REF" -a "$GSS_REF" != "0" ]; then
65 echo "with GSS support"
68 echo "without GSS support"
71 MDT="`do_facet $SINGLEMDS "lctl get_param -N mdt.\*MDT\*/stats 2>/dev/null | cut -d"." -f2" || true`"
72 if [ ! -z "$MDT" ]; then
73 do_facet $SINGLEMDS "mkdir -p $CONFDIR"
74 IDENTITY_FLUSH=mdt.$MDT.identity_flush
76 CAPA_TIMEOUT=mdt.$MDT.capa_timeout
77 MDSSECLEVEL=mdt.$MDT.sec_level
84 if [ -z "$(lctl get_param -n llite.*.client_type | grep remote 2>/dev/null)" ]; then
100 if ! $RUNAS -u $user krb5_login.sh; then
101 error "$user login kerberos failed."
105 if ! $RUNAS -u $user -g $group ls $DIR > /dev/null 2>&1; then
106 $RUNAS -u $user lfs flushctx -k
107 $RUNAS -u $user krb5_login.sh
108 if ! $RUNAS -u $user -g $group ls $DIR > /dev/null 2>&1; then
109 error "init $user $group failed."
115 declare -a identity_old
118 for num in `seq $MDSCOUNT`; do
119 switch_identity $num true || identity_old[$num]=$?
122 if ! $RUNAS -u $ID0 ls $DIR > /dev/null 2>&1; then
123 sec_login $USER0 $USER0
126 if ! $RUNAS -u $ID1 ls $DIR > /dev/null 2>&1; then
127 sec_login $USER1 $USER1
132 # run as different user
136 chmod 0755 $DIR || error "chmod (1)"
137 rm -rf $DIR/$tdir || error "rm (1)"
138 mkdir -p $DIR/$tdir || error "mkdir (1)"
140 if [ "$CLIENT_TYPE" = "remote" ]; then
141 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
142 do_facet $SINGLEMDS "echo '* 0 normtown' > $PERM_CONF"
143 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
144 chown $USER0 $DIR/$tdir && error "chown (1)"
145 do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
146 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
148 chown $USER0 $DIR/$tdir || error "chown (2)"
151 $RUNAS -u $ID0 ls $DIR || error "ls (1)"
152 rm -f $DIR/f0 || error "rm (2)"
153 $RUNAS -u $ID0 touch $DIR/f0 && error "touch (1)"
154 $RUNAS -u $ID0 touch $DIR/$tdir/f1 || error "touch (2)"
155 $RUNAS -u $ID1 touch $DIR/$tdir/f2 && error "touch (3)"
156 touch $DIR/$tdir/f3 || error "touch (4)"
157 chown root $DIR/$tdir || error "chown (3)"
158 chgrp $USER0 $DIR/$tdir || error "chgrp (1)"
159 chmod 0775 $DIR/$tdir || error "chmod (2)"
160 $RUNAS -u $ID0 touch $DIR/$tdir/f4 || error "touch (5)"
161 $RUNAS -u $ID1 touch $DIR/$tdir/f5 && error "touch (6)"
162 touch $DIR/$tdir/f6 || error "touch (7)"
163 rm -rf $DIR/$tdir || error "rm (3)"
165 if [ "$CLIENT_TYPE" = "remote" ]; then
166 do_facet $SINGLEMDS "rm -f $PERM_CONF"
167 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
170 run_test 0 "uid permission ============================="
174 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
175 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
177 if [ "$CLIENT_TYPE" = "remote" ]; then
178 do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
179 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
185 chown $USER0 $DIR/$tdir || error "chown (1)"
186 $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f0 && error "touch (2)"
187 echo "enable uid $ID1 setuid"
188 do_facet $SINGLEMDS "echo '* $ID1 setuid' >> $PERM_CONF"
189 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
190 $RUNAS -u $ID1 -v $ID0 touch $DIR/$tdir/f1 || error "touch (3)"
192 chown root $DIR/$tdir || error "chown (4)"
193 chgrp $USER0 $DIR/$tdir || error "chgrp (5)"
194 chmod 0770 $DIR/$tdir || error "chmod (6)"
195 $RUNAS -u $ID1 -g $ID1 touch $DIR/$tdir/f2 && error "touch (7)"
196 $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f3 && error "touch (8)"
197 echo "enable uid $ID1 setuid,setgid"
198 do_facet $SINGLEMDS "echo '* $ID1 setuid,setgid' > $PERM_CONF"
199 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
200 $RUNAS -u $ID1 -g $ID1 -j $ID0 touch $DIR/$tdir/f4 || error "touch (9)"
201 $RUNAS -u $ID1 -v $ID0 -g $ID1 -j $ID0 touch $DIR/$tdir/f5 || error "touch (10)"
205 do_facet $SINGLEMDS "rm -f $PERM_CONF"
206 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
208 run_test 1 "setuid/gid ============================="
210 run_rmtacl_subtest() {
211 $SAVE_PWD/rmtacl/run $SAVE_PWD/rmtacl/$1.test
216 # for remote client only
218 [ "$CLIENT_TYPE" = "local" ] && \
219 skip "remote_acl for remote client only" && return
220 [ -z "$(lctl get_param -n mdc.*-mdc-*.connect_flags | grep ^acl)" ] && \
221 skip "must have acl enabled" && return
222 [ -z "$(which setfacl 2>/dev/null)" ] && \
223 skip "could not find setfacl" && return
224 [ "$UID" != 0 ] && skip "must run as root" && return
225 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
227 do_facet $SINGLEMDS "echo '* 0 rmtacl,rmtown' > $PERM_CONF"
228 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
232 sec_login daemon daemon
233 sec_login games users
239 echo "performing cp ..."
240 run_rmtacl_subtest cp || error "cp"
241 echo "performing getfacl-noacl..."
242 run_rmtacl_subtest getfacl-noacl || error "getfacl-noacl"
243 echo "performing misc..."
244 run_rmtacl_subtest misc || error "misc"
245 echo "performing permissions..."
246 run_rmtacl_subtest permissions || error "permissions"
247 echo "performing setfacl..."
248 run_rmtacl_subtest setfacl || error "setfacl"
250 # inheritance test got from HP
251 echo "performing inheritance..."
252 cp $SAVE_PWD/rmtacl/make-tree .
254 run_rmtacl_subtest inheritance || error "inheritance"
260 do_facet $SINGLEMDS "rm -f $PERM_CONF"
261 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
263 run_test 2 "rmtacl ============================="
266 # root_squash will be redesigned in Lustre 1.7
268 skip "root_squash will be redesigned in Lustre 1.7" && return
270 run_test 3 "rootsquash ============================="
272 # bug 3285 - supplementary group should always succeed.
273 # NB: the supplementary groups are set for local client only,
274 # as for remote client, the groups of the specified uid on MDT
275 # will be obtained by upcall /sbin/l_getidentity and used.
277 if [ "$CLIENT_TYPE" = "remote" ]; then
278 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
279 do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
280 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
285 chmod 0771 $DIR/$tdir
286 chgrp $ID0 $DIR/$tdir
287 $RUNAS -u $ID0 ls $DIR/$tdir || error "setgroups (1)"
288 if [ "$CLIENT_TYPE" = "local" ]; then
289 if [ ! -z "$MDT" ]; then
290 do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
291 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
292 $RUNAS -u $ID1 -G1,2,$ID0 ls $DIR/$tdir || error "setgroups (2)"
295 $RUNAS -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)"
298 if [ ! -z "$MDT" ]; then
299 do_facet $SINGLEMDS "rm -f $PERM_CONF"
300 do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
303 run_test 4 "set supplementary group ==============="
305 mds_capability_timeout() {
306 [ $# -lt 1 ] && echo "Miss mds capability timeout value" && return 1
308 echo "Set mds capability timeout as $1 seconds"
309 do_facet $SINGLEMDS "lctl set_param -n $CAPA_TIMEOUT=$1"
313 mds_sec_level_switch() {
314 [ $# -lt 1 ] && echo "Miss mds sec level switch value" && return 1
317 0) echo "Disable capa for all clients";;
318 1) echo "Enable capa for remote client";;
319 3) echo "Enable capa for all clients";;
320 *) echo "Invalid mds sec level switch value" && return 2;;
323 do_facet $SINGLEMDS "lctl set_param -n $MDSSECLEVEL=$1"
327 oss_sec_level_switch() {
328 [ $# -lt 1 ] && echo "Miss oss sec level switch value" && return 1
331 0) echo "Disable capa for all clients";;
332 1) echo "Enable capa for remote client";;
333 3) echo "Enable capa for all clients";;
334 *) echo "Invalid oss sec level switch value" && return 2;;
337 for i in `seq $OSTCOUNT`; do
338 local j=`expr $i - 1`
339 local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
340 [ -z "$OST" ] && return 3
341 do_facet ost$i "lctl set_param -n obdfilter.$OST.sec_level=$1"
346 mds_capability_switch() {
347 [ $# -lt 1 ] && echo "Miss mds capability switch value" && return 1
350 0) echo "Turn off mds capability";;
351 3) echo "Turn on mds capability";;
352 *) echo "Invalid mds capability switch value" && return 2;;
355 do_facet $SINGLEMDS "lctl set_param -n $MDSCAPA=$1"
359 oss_capability_switch() {
360 [ $# -lt 1 ] && echo "Miss oss capability switch value" && return 1
363 0) echo "Turn off oss capability";;
364 1) echo "Turn on oss capability";;
365 *) echo "Invalid oss capability switch value" && return 2;;
368 for i in `seq $OSTCOUNT`; do
369 local j=`expr $i - 1`
370 local OST="`do_facet ost$i "lctl get_param -N obdfilter.\*OST\*$j/stats 2>/dev/null | cut -d"." -f2" || true`"
371 [ -z "$OST" ] && return 3
372 do_facet ost$i "lctl set_param -n obdfilter.$OST.capa=$1"
378 mds_capability_switch 3 || return 1
379 mds_sec_level_switch 3 || return 2
384 oss_capability_switch 1 || return 1
385 oss_sec_level_switch 3 || return 2
389 turn_capability_on() {
390 local capa_timeout=${1:-"1800"}
392 # To turn on fid capability for the system,
393 # there is a requirement that fid capability
394 # is turned on on all MDS/OSS servers before
397 turn_mds_capa_on || return 1
398 turn_oss_capa_on || return 2
399 mds_capability_timeout $capa_timeout || return 3
400 remount_client $MOUNT || return 4
404 turn_mds_capa_off() {
405 mds_sec_level_switch 0 || return 1
406 mds_capability_switch 0 || return 2
410 turn_oss_capa_off() {
411 oss_sec_level_switch 0 || return 1
412 oss_capability_switch 0 || return 2
416 turn_capability_off() {
417 # to turn off fid capability, you can just do
418 # it in a live system. But, please turn off
419 # capability of all OSS servers before MDS servers.
421 turn_oss_capa_off || return 1
422 turn_mds_capa_off || return 2
426 # We demonstrate that access to the objects in the filesystem are not
427 # accessible without supplying secrets from the MDS by disabling a
428 # proc variable on the mds so that it does not supply secrets. We then
429 # try and access objects which result in failure.
433 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
434 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
435 [ ! -z "$LOCALMDT" ] && skip "client should be separated from server." && return
440 error "turn_capability_off"
446 error "turn_oss_capa_on"
450 if [ "$CLIENT_TYPE" = "remote" ]; then
451 remount_client $MOUNT && return 3
455 remount_client $MOUNT || return 4
458 # proc variable disabled -- access to the objects in the filesystem
460 echo "Should get Write error here : (proc variable are disabled "\
461 "-- access to the objects in the filesystem is denied."
464 error "Write worked well even though secrets not supplied."
470 error "turn_capability_on"
476 # proc variable enabled, secrets supplied -- write should work now
477 echo "Should not fail here : (proc variable enabled, secrets supplied "\
478 "-- write should work now)."
481 error "Write failed even though secrets supplied."
487 error "turn_capability_off"
492 run_test 5 "capa secrets ========================="
494 # Expiry: A test program is performing I/O on a file. It has credential
495 # with an expiry half a minute later. While the program is running the
496 # credentials expire and no automatic extensions or renewals are
497 # enabled. The program will demonstrate an I/O failure.
501 [ $GSS_SUP = 0 ] && skip "without GSS support." && return
502 [ -z "$MDT" ] && skip "do not support do_facet operations." && return
503 [ ! -z "$LOCALMDT" ] && skip "client should be separated from server." && return
507 error "turn_capability_off"
513 turn_capability_on 30
515 error "turn_capability_on 30"
522 error "$WTL $file 60"
526 # Reset MDS capability timeout
527 mds_capability_timeout 30
529 error "mds_capability_timeout 30"
537 # To disable automatic renew, only need turn capa off on MDS.
540 error "turn_mds_capa_off"
544 echo "We expect I/O failure."
547 echo "no I/O failure got."
553 error "turn_capability_off"
558 run_test 6 "capa expiry ========================="
560 log "cleanup: ======================================================"
563 for num in `seq $MDSCOUNT`; do
564 if [ "${identity_old[$num]}" = 1 ]; then
565 switch_identity $num false || identity_old[$num]=$?
569 $RUNAS -u $ID0 ls $DIR
570 $RUNAS -u $ID1 ls $DIR
576 echo '=========================== finished ==============================='
577 [ -f "$SANITYSECLOG" ] && \
578 cat $SANITYSECLOG && grep -q FAIL $SANITYSECLOG && exit 1 || true
git://git.whamcloud.com / fs / lustre-release.git / blob