USER0=$(getent passwd | grep :$ID0:$ID0: | cut -d: -f1)
USER1=$(getent passwd | grep :$ID1:$ID1: | cut -d: -f1)
-NODEMAP_COUNT=16
-NODEMAP_RANGE_COUNT=3
-NODEMAP_IPADDR_LIST="1 10 64 128 200 250"
-NODEMAP_ID_COUNT=10
+if [ "$SLOW" == "yes" ]; then
+ NODEMAP_COUNT=16
+ NODEMAP_RANGE_COUNT=3
+ NODEMAP_IPADDR_LIST="1 10 64 128 200 250"
+ NODEMAP_ID_COUNT=10
+else
+ NODEMAP_COUNT=3
+ NODEMAP_RANGE_COUNT=2
+ NODEMAP_IPADDR_LIST="1 250"
+ NODEMAP_ID_COUNT=3
+fi
NODEMAP_MAX_ID=$((ID0 + NODEMAP_ID_COUNT))
[ -z "$USER0" ] &&
[ $GSS_SUP = 0 ] && skip "without GSS support." && return
rm -rf $DIR/$tdir
- mkdir -p $DIR/$tdir
+ mkdir_on_mdt0 $DIR/$tdir
chown $USER0 $DIR/$tdir || error "chown (1)"
$RUNAS_CMD -u $ID1 -v $ID0 touch $DIR/$tdir/f0 && error "touch (2)"
fi
}
-wait_nm_sync() {
- local nodemap_name=$1
- local key=$2
- local value=$3
- local opt=$4
- local proc_param
- local is_active=$(do_facet mgs $LCTL get_param -n nodemap.active)
- local max_retries=20
- local is_sync
- local out1=""
- local out2
- local mgs_ip=$(host_nids_address $mgs_HOST $NETTYPE | cut -d' ' -f1)
- local i
-
- if [ "$nodemap_name" == "active" ]; then
- proc_param="active"
- elif [ -z "$key" ]; then
- proc_param=${nodemap_name}
- else
- proc_param="${nodemap_name}.${key}"
- fi
- if [ "$opt" == "inactive" ]; then
- # check nm sync even if nodemap is not activated
- is_active=1
- opt=""
- fi
- (( is_active == 0 )) && [ "$proc_param" != "active" ] && return
-
- if [ -z "$value" ]; then
- out1=$(do_facet mgs $LCTL get_param $opt \
- nodemap.${proc_param} 2>/dev/null)
- echo "On MGS ${mgs_ip}, ${proc_param} = $out1"
- else
- out1=$value;
- fi
-
- # wait up to 10 seconds for other servers to sync with mgs
- for i in $(seq 1 10); do
- for node in $(all_server_nodes); do
- local node_ip=$(host_nids_address $node $NETTYPE |
- cut -d' ' -f1)
-
- is_sync=true
- if [ -z "$value" ]; then
- [ $node_ip == $mgs_ip ] && continue
- fi
-
- out2=$(do_node $node_ip $LCTL get_param $opt \
- nodemap.$proc_param 2>/dev/null)
- echo "On $node ${node_ip}, ${proc_param} = $out2"
- [ "$out1" != "$out2" ] && is_sync=false && break
- done
- $is_sync && break
- sleep 1
- done
- if ! $is_sync; then
- echo MGS
- echo $out1
- echo OTHER - IP: $node_ip
- echo $out2
- error "mgs and $nodemap_name ${key} mismatch, $i attempts"
- fi
- echo "waited $((i - 1)) seconds for sync"
-}
-
# ensure that the squash defaults are the expected defaults
squash_id default 99 0
wait_nm_sync default squash_uid '' inactive
test_fops() {
local mapmode="$1"
local single_client="$2"
- local client_user_list=([0]="0 $((IDBASE+3)) $((IDBASE+4))"
- [1]="0 $((IDBASE+5)) $((IDBASE+6))")
+ local client_user_list=([0]="0 $((IDBASE+3))"
+ [1]="0 $((IDBASE+5))")
+ local mds_users="-1 0"
local mds_i
local rc=0
- local perm_bit_list="0 3 $((0300)) $((0303))"
+ local perm_bit_list="3 $((0300))"
# SLOW tests 000-007, 010-070, 100-700 (octal modes)
- [ "$SLOW" == "yes" ] &&
+ if [ "$SLOW" == "yes" ]; then
perm_bit_list="0 $(seq 1 7) $(seq 8 8 63) $(seq 64 64 511) \
$((0303))"
+ client_user_list=([0]="0 $((IDBASE+3)) $((IDBASE+4))"
+ [1]="0 $((IDBASE+5)) $((IDBASE+6))")
+ mds_users="-1 0 1 2"
+ fi
+ # force single_client to speed up test
+ [ "$SLOW" == "yes" ] ||
+ single_client=1
# step through mds users. -1 means root
- for mds_i in -1 0 1 2; do
+ for mds_i in $mds_users; do
local user=$((mds_i + IDBASE))
local client
local x
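Review bot: With `perm_bit_list="3 $((0300))"` the default run no longer includes mode `0` or `0303`, so the case where no permission bits are set is exercised only when SLOW=yes. If that case is what shows a mapped user being denied, consider keeping it in the short list, e.g. `local perm_bit_list="0 3 $((0300))"`. The override `[ "$SLOW" == "yes" ] || single_client=1` also silently discards the caller's second argument, so the multi-client path is skipped in default runs; a line such as `echo "SLOW != yes: forcing single_client=1"` would make that visible in the results. The body of test_fops continues outside this hunk, so how each mode is checked is inferred.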
cleanup_nodemap_after_enc_tests() {
do_facet mgs $LCTL nodemap_modify --name default \
- --property forbid_encryption --value 1
+ --property forbid_encryption --value 0
wait_nm_sync default forbid_encryption
do_facet mgs $LCTL nodemap_activate 0
wait_nm_sync active
local srvsz=0
local filesz
local bsize
+ local pagesz=$(getconf PAGE_SIZE)
$LCTL get_param mdc.*.import | grep -q client_encryption ||
skip "client encryption not supported"
dd if=$tmpfile of=$testfile bs=4 count=1 seek=$blksz \
oflag=seek_bytes conv=fsync
+ blksz=$(($blksz > $pagesz ? $blksz : $pagesz))
# check that in-memory representation of file is correct
bsize=$(stat --format=%B $testfile)
filesz=$(stat --format=%b $testfile)
# create file
tr '\0' '1' < /dev/zero |
- dd of=$tmpfile bs=$pagesz count=1 conv=fsync
+ dd of=$tmpfile bs=1 count=$pagesz conv=fsync
$LFS setstripe -c1 -i0 -S 256k $testfile
cp $tmpfile $testfile
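Review bot: `dd of=$tmpfile bs=1 count=$pagesz` presumably avoids the short read that `bs=$pagesz count=1` can get from a pipe, but it costs one read and one write per byte. That is 65536 syscall pairs on a 64K-page client, and four times that for `count=4x$pagesz` in the later hunk. GNU dd's `iflag=fullblock` keeps the single large block and still reads it in full: `dd of=$tmpfile bs=$pagesz count=1 iflag=fullblock conv=fsync`. The same applies to the `bs=1 count=4x$pagesz` line and to `bs=1 count=9000` in test_52.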
test_44() {
local testfile=$DIR/$tdir/$tfile
+ local tmpfile=$TMP/abc
+ local resfile=$TMP/resfile
+ local pagesz=$(getconf PAGESIZE)
+ local respage
$LCTL get_param mdc.*.import | grep -q client_encryption ||
skip "client encryption not supported"
which vmtouch || skip "This test needs vmtouch utility"
- # Direct I/O is not supported on encrypted files.
- # Attempts to use direct I/O on such files should fall back to
- # buffered I/O.
+ # Direct I/O is now supported on encrypted files.
stack_trap cleanup_for_enc_tests EXIT
setup_for_enc_tests
- # write a page in file with O_DIRECT
$LFS setstripe -c1 -i0 $testfile
- dd if=/dev/urandom of=$testfile bs=4096 count=1 conv=fsync oflag=direct
+ dd if=/dev/urandom of=$tmpfile bs=$pagesz count=2 conv=fsync
+ dd if=$tmpfile of=$testfile bs=$pagesz count=2 oflag=direct ||
+ error "could not write to file with O_DIRECT (1)"
- respage=$(vmtouch $testfile | awk '/Resident\ Pages:/ {print $3}')
- [ "$respage" == "1/1" ] ||
- error "write to enc file did not fall back to buffered IO"
+ respage=$(vmtouch $testfile | awk '/Resident Pages:/ {print $3}')
+ [ "$respage" == "0/2" ] ||
+ error "write to enc file fell back to buffered IO"
- cancel_lru_locks osc ; cancel_lru_locks mdc
+ cancel_lru_locks
+
+ dd if=$testfile of=$resfile bs=$pagesz count=2 iflag=direct ||
+ error "could not read from file with O_DIRECT (1)"
+
+ respage=$(vmtouch $testfile | awk '/Resident Pages:/ {print $3}')
+ [ "$respage" == "0/2" ] ||
+ error "read from enc file fell back to buffered IO"
+
+ cmp -bl $tmpfile $resfile ||
+ error "file $testfile is corrupted (1)"
- dd if=$testfile of=/dev/null bs=4096 count=1 iflag=direct
+ rm -f $resfile
- respage=$(vmtouch $testfile | awk '/Resident\ Pages:/ {print $3}')
- [ "$respage" == "1/1" ] ||
- error "write to enc file did not fall back to buffered IO"
+ $TRUNCATE $tmpfile $pagesz
+ dd if=$tmpfile of=$testfile bs=$pagesz count=1 seek=13 oflag=direct ||
+ error "could not write to file with O_DIRECT (2)"
+
+ cancel_lru_locks
+
+ dd if=$testfile of=$resfile bs=$pagesz count=1 skip=13 iflag=direct ||
+ error "could not read from file with O_DIRECT (2)"
+ cmp -bl $tmpfile $resfile ||
+ error "file $testfile is corrupted (2)"
+
+ rm -f $testfile $resfile
+ $LFS setstripe -c1 -i0 $testfile
+
+ $TRUNCATE $tmpfile $((pagesz/2 - 5))
+ cp $tmpfile $testfile
+
+ cancel_lru_locks
+
+ dd if=$testfile of=$resfile bs=$pagesz count=1 iflag=direct ||
+ error "could not read from file with O_DIRECT (3)"
+ cmp -bl $tmpfile $resfile ||
+ error "file $testfile is corrupted (3)"
+
+ rm -f $tmpfile $resfile
}
run_test 44 "encrypted file access semantics: direct IO"
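Review bot: `local tmpfile=$TMP/abc` and `local resfile=$TMP/resfile` are fixed, predictable names in a shared temporary directory, and the script appears to run with root privileges (it calls chown and mount). A file or symlink already present at either path would be written through by the `dd of=` calls, and two runs on one node would collide. The other new tests derive these names from the test (`$TMP/$tfile.tmp`, `$TMP/$tfile.res`); doing the same here, or using `mktemp`, removes the collision. The files are also removed only on the success path, so any `error` leaves them behind; `stack_trap "rm -f $tmpfile $resfile" EXIT` right after the declarations would cover the failure paths.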
$MULTIOP $tmpfile OSMWUc || error "$MULTIOP $tmpfile failed"
$MMAP_CAT $tmpfile > ${tmpfile}2
- cancel_lru_locks osc ; cancel_lru_locks mdc
+ cancel_lru_locks
+ $MULTIOP $testfile OSMRUc
$MMAP_CAT $testfile > ${testfile}2
cmp -bl ${tmpfile}2 ${testfile}2 ||
error "file $testfile is corrupted"
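Review bot: The added `$MULTIOP $testfile OSMRUc` has no status check, unlike `$MULTIOP $tmpfile OSMWUc || error ...` a few lines above, so a failure of that call on the encrypted file passes silently. Only the later `cmp` could catch it, and only indirectly. Suggest `$MULTIOP $testfile OSMRUc || error "$MULTIOP $testfile failed"`. The enclosing test starts and ends outside this hunk.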
error "link from encrypted to unencrypted dir should succeed"
rm -f $tmpfile
- mrename $testfile2 $tmpfile ||
- error "rename from encrypted to unencrypted dir should succeed"
+ # check we are limited in the number of hard links
+ # we can create for encrypted files, to what can fit into LinkEA
+ for i in $(seq 1 160); do
+ ln $testfile2 ${testfile}_$i || break
+ done
+ [ $i -lt 160 ] || error "hard link $i should fail"
+
+ mrename $testfile2 $tmpfile &&
+ error "rename from encrypted to unencrypted dir should fail"
+ touch $tmpfile
dd if=/dev/zero of=$testfile bs=512K count=1
mkdir $DIR/$tdir/mydir
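Review bot: The check `[ $i -lt 160 ] || error "hard link $i should fail"` cannot tell an `ln` that failed on the 160th attempt from a loop that never failed, because `$i` is 160 in both cases. It also accepts any `ln` failure, whatever its cause, as proof of the LinkEA limit. Recording the failure explicitly is clearer: `ln $testfile2 ${testfile}_$i || { linkfail=$i; break; }` followed by `[ -n "$linkfail" ] || error "hard link 160 should fail"`. The links `${testfile}_$i` created by the loop are not removed in the visible lines, and the enclosing test body starts and ends outside this hunk.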
# create file, 4 x PAGE_SIZE long
tr '\0' '1' < /dev/zero |
- dd of=$tmpfile bs=4x$pagesz count=1 conv=fsync
+ dd of=$tmpfile bs=1 count=4x$pagesz conv=fsync
$LFS setstripe -c1 -i0 $testfile
cp $tmpfile $testfile
echo "abc" > $tmpfile2
local cmd="$@"
local xattr_name="security.c"
- cancel_lru_locks osc ; cancel_lru_locks mdc
+ cancel_lru_locks
$LCTL set_param debug=+info
$LCTL clear
echo $cmd
eval $cmd
+ [ $? -eq 0 ] || error "$cmd failed"
$LCTL dk | grep -E "get xattr '${xattr_name}'|get xattrs"
[ $? -ne 0 ] || error "get xattr event was triggered"
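Review bot: The new check reads `$?` on the line after `eval $cmd`, which holds only as long as nothing is ever inserted between the two; `eval $cmd || error "$cmd failed"` ties the check to the command. Separately, `cmd="$@"` followed by an unquoted `eval` parses the arguments a second time, so a path in `$dirname` containing whitespace or a shell metacharacter would be split or interpreted. If no caller relies on shell syntax inside the arguments (not visible here), running `"$@" || error "$* failed"` avoids the second parse. The function starts outside this hunk.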
trace_cmd $TRUNCATE $dirname/f1 10240
trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
- trace_cmd $LFS setdirstripe -i 1 $dirname/d2
- trace_cmd $LFS migrate -m 0 $dirname/d2
-
- $LFS setdirstripe -i 1 -c 1 $dirname/d3
- dirname=$dirname/d3/subdir
- mkdir $dirname
- trace_cmd stat $dirname
- trace_cmd touch $dirname/f1
- trace_cmd stat $dirname/f1
- trace_cmd cat $dirname/f1
- dd if=/dev/zero of=$dirname/f1 bs=1M count=10 conv=fsync
- trace_cmd $TRUNCATE $dirname/f1 10240
- trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
- trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
+ if [[ $MDSCOUNT -gt 1 ]]; then
+ trace_cmd $LFS setdirstripe -i 1 $dirname/d2
+ trace_cmd $LFS migrate -m 0 $dirname/d2
+ touch $dirname/d2/subf
+ # migrate a non-empty encrypted dir
+ trace_cmd $LFS migrate -m 1 $dirname/d2
+
+ $LFS setdirstripe -i 1 -c 1 $dirname/d3
+ dirname=$dirname/d3/subdir
+ mkdir $dirname
+
+ trace_cmd stat $dirname
+ trace_cmd touch $dirname/f1
+ trace_cmd stat $dirname/f1
+ trace_cmd cat $dirname/f1
+ dd if=/dev/zero of=$dirname/f1 bs=1M count=10 conv=fsync
+ trace_cmd $TRUNCATE $dirname/f1 10240
+ trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
+ trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
+ else
+ skip_noexit "2nd part needs >= 2 MDTs"
+ fi
}
run_test 49 "Avoid getxattr for encryption context"
}
run_test 51 "FS capabilities ==============="
+test_52() {
+ local testfile=$DIR/$tdir/$tfile
+ local tmpfile=$TMP/$tfile
+ local mirror1=$TMP/$tfile.mirror1
+ local mirror2=$TMP/$tfile.mirror2
+
+ $LCTL get_param mdc.*.import | grep -q client_encryption ||
+ skip "client encryption not supported"
+
+ mount.lustre --help |& grep -q "test_dummy_encryption:" ||
+ skip "need dummy encryption support"
+
+ [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
+
+ stack_trap cleanup_for_enc_tests EXIT
+ setup_for_enc_tests
+
+ dd if=/dev/urandom of=$tmpfile bs=5000 count=1 conv=fsync
+
+ $LFS mirror create -N -i0 -N -i1 $testfile ||
+ error "could not create mirror"
+
+ dd if=$tmpfile of=$testfile bs=5000 count=1 conv=fsync ||
+ error "could not write to $testfile"
+
+ $LFS mirror resync $testfile ||
+ error "could not resync mirror"
+
+ $LFS mirror verify -v $testfile ||
+ error "verify mirror failed"
+
+ $LFS mirror read -N 1 -o $mirror1 $testfile ||
+ error "could not read from mirror 1"
+
+ cmp -bl $tmpfile $mirror1 ||
+ error "mirror 1 is corrupted"
+
+ $LFS mirror read -N 2 -o $mirror2 $testfile ||
+ error "could not read from mirror 2"
+
+ cmp -bl $tmpfile $mirror2 ||
+ error "mirror 2 is corrupted"
+
+ tr '\0' '2' < /dev/zero |
+ dd of=$tmpfile bs=1 count=9000 conv=fsync
+
+ $LFS mirror write -N 1 -i $tmpfile $testfile ||
+ error "could not write to mirror 1"
+
+ $LFS mirror verify -v $testfile &&
+ error "mirrors should be different"
+
+ rm -f $tmpfile $mirror1 $mirror2
+}
+run_test 52 "Mirrored encrypted file"
+
+test_53() {
+ local testfile=$DIR/$tdir/$tfile
+ local testfile2=$DIR2/$tdir/$tfile
+ local tmpfile=$TMP/$tfile.tmp
+ local resfile=$TMP/$tfile.res
+ local pagesz
+ local filemd5
+
+ $LCTL get_param mdc.*.import | grep -q client_encryption ||
+ skip "client encryption not supported"
+
+ mount.lustre --help |& grep -q "test_dummy_encryption:" ||
+ skip "need dummy encryption support"
+
+ pagesz=$(getconf PAGESIZE)
+ [[ $pagesz == 65536 ]] || skip "Need 64K PAGE_SIZE client"
+
+ do_node $mds1_HOST \
+ "mount.lustre --help |& grep -q 'test_dummy_encryption:'" ||
+ skip "need dummy encryption support on MDS client mount"
+
+ # this test is probably useless now, but may turn out to be useful when
+ # Lustre supports servers with PAGE_SIZE != 4KB
+ pagesz=$(do_node $mds1_HOST getconf PAGESIZE)
+ [[ $pagesz == 4096 ]] || skip "Need 4K PAGE_SIZE MDS client"
+
+ stack_trap cleanup_for_enc_tests EXIT
+ stack_trap "zconf_umount $mds1_HOST $MOUNT2" EXIT
+ setup_for_enc_tests
+
+ $LFS setstripe -c1 -i0 $testfile
+
+ # write from 1st client
+ cat /dev/urandom | tr -dc 'a-zA-Z0-9' |
+ dd of=$tmpfile bs=$((pagesz+3)) count=2 conv=fsync
+ dd if=$tmpfile of=$testfile bs=$((pagesz+3)) count=2 conv=fsync ||
+ error "could not write to $testfile (1)"
+
+ # read from 2nd client
+ # mount and IOs must be done in the same shell session, otherwise
+ # encryption key in session keyring is missing
+ do_node $mds1_HOST "mkdir -p $MOUNT2"
+ do_node $mds1_HOST \
+ "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
+ $MGSNID:/$FSNAME $MOUNT2 && \
+ dd if=$testfile2 of=$resfile bs=$((pagesz+3)) count=2" ||
+ error "could not read from $testfile2 (1)"
+
+ # compare
+ filemd5=$(do_node $mds1_HOST md5sum $resfile | awk '{print $1}')
+ [ $filemd5 = $(md5sum $tmpfile | awk '{print $1}') ] ||
+ error "file is corrupted (1)"
+ do_node $mds1_HOST rm -f $resfile
+ cancel_lru_locks
+
+ # truncate from 2nd client
+ $TRUNCATE $tmpfile $((pagesz+3))
+ zconf_umount $mds1_HOST $MOUNT2 ||
+ error "umount $mds1_HOST $MOUNT2 failed (1)"
+ do_node $mds1_HOST "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
+ $MGSNID:/$FSNAME $MOUNT2 && \
+ $TRUNCATE $testfile2 $((pagesz+3))" ||
+ error "could not truncate $testfile2 (1)"
+
+ # compare
+ cmp -bl $tmpfile $testfile ||
+ error "file is corrupted (2)"
+ rm -f $tmpfile $testfile
+ cancel_lru_locks
+ zconf_umount $mds1_HOST $MOUNT2 ||
+ error "umount $mds1_HOST $MOUNT2 failed (2)"
+
+ # do conversly
+ do_node $mds1_HOST \
+ dd if=/dev/urandom of=$tmpfile bs=$((pagesz+3)) count=2 conv=fsync
+ # write from 2nd client
+ do_node $mds1_HOST \
+ "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
+ $MGSNID:/$FSNAME $MOUNT2 && \
+ dd if=$tmpfile of=$testfile2 bs=$((pagesz+3)) count=2 conv=fsync" ||
+ error "could not write to $testfile2 (2)"
+
+ # read from 1st client
+ dd if=$testfile of=$resfile bs=$((pagesz+3)) count=2 ||
+ error "could not read from $testfile (2)"
+
+ # compare
+ filemd5=$(do_node $mds1_HOST md5sum -b $tmpfile | awk '{print $1}')
+ [ $filemd5 = $(md5sum -b $resfile | awk '{print $1}') ] ||
+ error "file is corrupted (3)"
+ rm -f $resfile
+ cancel_lru_locks
+
+ # truncate from 1st client
+ do_node $mds1_HOST "$TRUNCATE $tmpfile $((pagesz+3))"
+ $TRUNCATE $testfile $((pagesz+3)) ||
+ error "could not truncate $testfile (2)"
+
+ # compare
+ zconf_umount $mds1_HOST $MOUNT2 ||
+ error "umount $mds1_HOST $MOUNT2 failed (3)"
+ do_node $mds1_HOST "$MOUNT_CMD -o ${MOUNT_OPTS},test_dummy_encryption \
+ $MGSNID:/$FSNAME $MOUNT2 && \
+ cmp -bl $tmpfile $testfile2" ||
+ error "file is corrupted (4)"
+
+ do_node $mds1_HOST rm -f $tmpfile
+ rm -f $tmpfile
+}
+run_test 53 "Mixed PAGE_SIZE clients"
+
+test_54() {
+ local testdir=$DIR/$tdir/$ID0
+ local testfile=$testdir/$tfile
+ local testfile2=$testdir/${tfile}2
+ local tmpfile=$TMP/${tfile}.tmp
+ local resfile=$TMP/${tfile}.res
+
+ $LCTL get_param mdc.*.import | grep -q client_encryption ||
+ skip "client encryption not supported"
+
+ mount.lustre --help |& grep -q "test_dummy_encryption:" ||
+ skip "need dummy encryption support"
+
+ which fscrypt || skip "This test needs fscrypt userspace tool"
+
+ fscrypt setup --force --verbose || error "fscrypt global setup failed"
+ sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
+ /etc/fscrypt.conf
+ fscrypt setup --verbose $MOUNT || error "fscrypt setup $MOUNT failed"
+ mkdir -p $testdir
+ chown -R $ID0:$ID0 $testdir
+
+ echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
+ --source=custom_passphrase --name=protector $testdir" ||
+ error "fscrypt encrypt failed"
+
+ echo -e 'mypass\nmypass' | su - $USER0 -c "fscrypt encrypt --verbose \
+ --source=custom_passphrase --name=protector2 $testdir" &&
+ error "second fscrypt encrypt should have failed"
+
+ mkdir -p ${testdir}2 || error "mkdir ${testdir}2 failed"
+ touch ${testdir}2/f || error "mkdir ${testdir}2/f failed"
+ cancel_lru_locks
+
+ echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
+ --source=custom_passphrase --name=protector3 ${testdir}2 &&
+ error "fscrypt encrypt on non-empty dir should have failed"
+
+ $RUNAS dd if=/dev/urandom of=$testfile bs=127 count=1 conv=fsync ||
+ error "write to encrypted file $testfile failed"
+ cp $testfile $tmpfile
+ $RUNAS dd if=/dev/urandom of=$testfile2 bs=127 count=1 conv=fsync ||
+ error "write to encrypted file $testfile2 failed"
+ $RUNAS mkdir $testdir/subdir || error "mkdir subdir failed"
+ $RUNAS touch $testdir/subdir/subfile || error "mkdir subdir failed"
+
+ $RUNAS fscrypt lock --verbose $testdir ||
+ error "fscrypt lock $testdir failed (1)"
+
+ $RUNAS ls -R $testdir || error "ls -R $testdir failed"
+ local filecount=$($RUNAS find $testdir -type f | wc -l)
+ [ $filecount -eq 3 ] || error "found $filecount files"
+
+ $RUNAS hexdump -C $testfile &&
+ error "reading $testfile should have failed without key"
+
+ $RUNAS touch ${testfile}.nokey &&
+ error "touch ${testfile}.nokey should have failed without key"
+
+ echo mypass | $RUNAS fscrypt unlock --verbose $testdir ||
+ error "fscrypt unlock $testdir failed (1)"
+
+ $RUNAS cat $testfile > $resfile ||
+ error "reading $testfile failed"
+
+ cmp -bl $tmpfile $resfile || error "file read differs from file written"
+
+ $RUNAS fscrypt lock --verbose $testdir ||
+ error "fscrypt lock $testdir failed (2)"
+
+ $RUNAS hexdump -C $testfile2 &&
+ error "reading $testfile2 should have failed without key"
+
+ echo mypass | $RUNAS fscrypt unlock --verbose $testdir ||
+ error "fscrypt unlock $testdir failed (2)"
+
+ rm -rf $testdir/*
+ $RUNAS fscrypt lock --verbose $testdir ||
+ error "fscrypt lock $testdir failed (3)"
+
+ rm -f $tmpfile $resfile
+}
+run_test 54 "Encryption policies with fscrypt"
+
+cleanup_55() {
+ # unmount client
+ if is_mounted $MOUNT; then
+ umount_client $MOUNT || error "umount $MOUNT failed"
+ fi
+
+ do_facet mgs $LCTL nodemap_del c0
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property admin --value 0
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property trusted --value 0
+ wait_nm_sync default admin_nodemap
+ wait_nm_sync default trusted_nodemap
+
+ do_facet mgs $LCTL nodemap_activate 0
+ wait_nm_sync active 0
+
+ if $SHARED_KEY; then
+ export SK_UNIQUE_NM=false
+ fi
+
+ # remount client
+ mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed"
+ if [ "$MOUNT_2" ]; then
+ mount_client $MOUNT2 ${MOUNT_OPTS} || error "remount failed"
+ fi
+}
+
+test_55() {
+ (( $MDS1_VERSION > $(version_code 2.12.6.2) )) ||
+ skip "Need MDS version at least 2.12.6.3"
+
+ local client_ip
+ local client_nid
+
+ mkdir -p $DIR/$tdir/$USER0/testdir_groups
+ chown root:$ID0 $DIR/$tdir/$USER0
+ chmod 770 $DIR/$tdir/$USER0
+ chmod g+s $DIR/$tdir/$USER0
+ chown $ID0:$ID0 $DIR/$tdir/$USER0/testdir_groups
+ chmod 770 $DIR/$tdir/$USER0/testdir_groups
+ chmod g+s $DIR/$tdir/$USER0/testdir_groups
+
+ # unmount client completely
+ umount_client $MOUNT || error "umount $MOUNT failed"
+ if is_mounted $MOUNT2; then
+ umount_client $MOUNT2 || error "umount $MOUNT2 failed"
+ fi
+
+ do_nodes $(comma_list $(all_mdts_nodes)) \
+ $LCTL set_param mdt.*.identity_upcall=NONE
+
+ stack_trap cleanup_55 EXIT
+
+ do_facet mgs $LCTL nodemap_activate 1
+ wait_nm_sync active
+
+ do_facet mgs $LCTL nodemap_del c0 || true
+ wait_nm_sync c0 id ''
+
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property admin --value 1
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property trusted --value 1
+ wait_nm_sync default admin_nodemap
+ wait_nm_sync default trusted_nodemap
+
+ client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
+ client_nid=$(h2nettype $client_ip)
+ do_facet mgs $LCTL nodemap_add c0
+ do_facet mgs $LCTL nodemap_add_range \
+ --name c0 --range $client_nid
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property admin --value 0
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property trusted --value 1
+ wait_nm_sync c0 admin_nodemap
+ wait_nm_sync c0 trusted_nodemap
+
+ if $SHARED_KEY; then
+ export SK_UNIQUE_NM=true
+ # set some generic fileset to trigger SSK code
+ export FILESET=/
+ fi
+
+ # remount client to take nodemap into account
+ zconf_mount_clients $HOSTNAME $MOUNT $MOUNT_OPTS ||
+ error "remount failed"
+ unset FILESET
+
+ euid_access $USER0 $DIR/$tdir/$USER0/testdir_groups/file
+}
+run_test 55 "access with seteuid"
+
+test_56() {
+ local testfile=$DIR/$tdir/$tfile
+
+ [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
+
+ $LCTL get_param mdc.*.import | grep -q client_encryption ||
+ skip "client encryption not supported"
+
+ mount.lustre --help |& grep -q "test_dummy_encryption:" ||
+ skip "need dummy encryption support"
+
+ [[ $OSTCOUNT -lt 2 ]] && skip_env "needs >= 2 OSTs"
+
+ stack_trap cleanup_for_enc_tests EXIT
+ setup_for_enc_tests
+
+ $LFS setstripe -c1 $testfile
+ dd if=/dev/urandom of=$testfile bs=1M count=3 conv=fsync
+ filefrag -v $testfile || error "filefrag $testfile failed"
+ (( $(filefrag -v $testfile | grep -c encrypted) >= 1 )) ||
+ error "filefrag $testfile does not show encrypted flag"
+ (( $(filefrag -v $testfile | grep -c encoded) >= 1 )) ||
+ error "filefrag $testfile does not show encoded flag"
+}
+run_test 56 "FIEMAP on encrypted file"
+
+test_57() {
+ local testdir=$DIR/$tdir/mytestdir
+ local testfile=$DIR/$tdir/$tfile
+
+ [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
+
+ $LCTL get_param mdc.*.import | grep -q client_encryption ||
+ skip "client encryption not supported"
+
+ mount.lustre --help |& grep -q "test_dummy_encryption:" ||
+ skip "need dummy encryption support"
+
+ mkdir $DIR/$tdir
+ mkdir $testdir
+ setfattr -n security.c -v myval $testdir &&
+ error "setting xattr on $testdir should have failed (1)"
+ touch $testfile
+ setfattr -n security.c -v myval $testfile &&
+ error "setting xattr on $testfile should have failed (1)"
+
+ rm -rf $DIR/$tdir
+
+ stack_trap cleanup_for_enc_tests EXIT
+ setup_for_enc_tests
+
+ mkdir $testdir
+ setfattr -n security.c -v myval $testdir &&
+ error "setting xattr on $testdir should have failed (2)"
+ touch $testfile
+ setfattr -n security.c -v myval $testfile &&
+ error "setting xattr on $testfile should have failed (2)"
+ return 0
+}
+run_test 57 "security.c xattr protection"
+
log "cleanup: ======================================================"
sec_unsetup() {
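Review bot: test_54 changes host-wide state that nothing restores. `fscrypt setup --force` and the `sed -i ... /etc/fscrypt.conf` rewrite the node's global fscrypt configuration, and `fscrypt setup --verbose $MOUNT` is also run against the filesystem, yet the test registers no `stack_trap`, and its cleanup (`rm -rf $testdir/*`, lock, `rm -f $tmpfile $resfile`) runs only when every step succeeds. Saving `/etc/fscrypt.conf` before the setup and restoring it from a `stack_trap ... EXIT` handler would keep a test run from changing the policy version that other fscrypt users on that node get. test_55 has the same shape: `$LCTL set_param mdt.*.identity_upcall=NONE` is applied on every MDT before `stack_trap cleanup_55 EXIT`, and cleanup_55 does not set it back, so unless another part of the script restores it, later tests run with the identity upcall disabled. In test_54 the messages on `touch ${testdir}2/f` and `touch $testdir/subdir/subfile` say "mkdir ... failed", which will mislead anyone reading a failure log.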