ONLY=${ONLY:-"$*"}
# bug number for skipped test: 19430 19967 19967
ALWAYS_EXCEPT=" 2 5 6 $SANITY_SEC_EXCEPT"
+if $SHARED_KEY; then
+# bug number for skipped test: 9145 9145 9671 9145 9145 9145 9145 9245
+ ALWAYS_EXCEPT=" 17 18 19 20 21 22 23 27 $ALWAYS_EXCEPT"
+fi
# UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
SRCDIR=$(dirname $0)
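Review bot: `if $SHARED_KEY; then` runs the variable's value as a command, so an unset or empty `SHARED_KEY` expands to a null command with exit status 0 and the branch is taken, silently adding tests 17-23 and 27 to the exception list. Unless the framework guarantees a `true`/`false` default before this line (not visible here), `if ${SHARED_KEY:-false}; then` keeps those security tests enabled by default. The same bare test is used in test_25, test_27, test_28, test_29 and test_30 later in the patch, where `if ! $SHARED_KEY` would fail to skip for the same reason. `$GSS_KRB5 || return` in sec_login has the same problem: an empty value does not return.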
do_facet $SINGLEMDS "mkdir -p $CONFDIR"
IDENTITY_FLUSH=mdt.$MDT.identity_flush
IDENTITY_UPCALL=mdt.$MDT.identity_upcall
-MDSSECLEVEL=mdt.$MDT.sec_level
-
-# for CLIENT_TYPE
-if [ -z "$(lctl get_param -n llite.*.client_type | grep remote 2>/dev/null)" ]
-then
- CLIENT_TYPE="local"
- echo "local client"
-else
- CLIENT_TYPE="remote"
- echo "remote client"
-fi
SAVE_PWD=$PWD
local user=$1
local group=$2
+ $GSS_KRB5 || return
if ! $RUNAS_CMD -u $user krb5_login.sh; then
error "$user login kerberos failed."
exit 1
chmod 0755 $DIR || error "chmod (1)"
rm -rf $DIR/$tdir || error "rm (1)"
mkdir -p $DIR/$tdir || error "mkdir (1)"
-
- if [ "$CLIENT_TYPE" = "remote" ]; then
- do_facet $SINGLEMDS "echo '* 0 normtown' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- chown $USER0 $DIR/$tdir && error "chown (1)"
- do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- else
- chown $USER0 $DIR/$tdir || error "chown (2)"
- fi
-
+ chown $USER0 $DIR/$tdir || error "chown (2)"
$RUNAS_CMD -u $ID0 ls $DIR || error "ls (1)"
rm -f $DIR/f0 || error "rm (2)"
$RUNAS_CMD -u $ID0 touch $DIR/f0 && error "touch (1)"
$RUNAS_CMD -u $ID1 touch $DIR/$tdir/f5 && error "touch (6)"
touch $DIR/$tdir/f6 || error "touch (7)"
rm -rf $DIR/$tdir || error "rm (3)"
-
- if [ "$CLIENT_TYPE" = "remote" ]; then
- do_facet $SINGLEMDS "rm -f $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- fi
}
run_test 0 "uid permission ============================="
test_1() {
[ $GSS_SUP = 0 ] && skip "without GSS support." && return
- if [ "$CLIENT_TYPE" = "remote" ]; then
- do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- fi
-
rm -rf $DIR/$tdir
mkdir -p $DIR/$tdir
}
run_test 1 "setuid/gid ============================="
-run_rmtacl_subtest() {
- $SAVE_PWD/rmtacl/run $SAVE_PWD/rmtacl/$1.test
- return $?
-}
-
-# remote_acl
-# for remote client only
-test_2 () {
- [ "$CLIENT_TYPE" = "local" ] &&
- skip "remote_acl for remote client only" && return
- [ -z "$(lctl get_param -n mdc.*-mdc-*.connect_flags | grep ^acl)" ] &&
- skip "must have acl enabled" && return
- [ -z "$(which setfacl 2>/dev/null)" ] &&
- skip "could not find setfacl" && return
- [ "$UID" != 0 ] && skip "must run as root" && return
-
- do_facet $SINGLEMDS "echo '* 0 rmtacl,rmtown' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
-
- sec_login root root
- sec_login bin bin
- sec_login daemon daemon
- sec_login games users
-
- SAVE_UMASK=$(umask)
- umask 0022
- cd $DIR
-
- echo "performing cp ..."
- run_rmtacl_subtest cp || error "cp"
- echo "performing getfacl-noacl..."
- run_rmtacl_subtest getfacl-noacl || error "getfacl-noacl"
- echo "performing misc..."
- run_rmtacl_subtest misc || error "misc"
- echo "performing permissions..."
- run_rmtacl_subtest permissions || error "permissions"
- echo "performing setfacl..."
- run_rmtacl_subtest setfacl || error "setfacl"
-
- # inheritance test got from HP
- echo "performing inheritance..."
- cp $SAVE_PWD/rmtacl/make-tree .
- chmod +x make-tree
- run_rmtacl_subtest inheritance || error "inheritance"
- rm -f make-tree
-
- cd $SAVE_PWD
- umask $SAVE_UMASK
-
- do_facet $SINGLEMDS "rm -f $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
-}
-run_test 2 "rmtacl ============================="
-
# bug 3285 - supplementary group should always succeed.
# NB: the supplementary groups are set for local client only,
# as for remote client, the groups of the specified uid on MDT
$server_version -lt $(version_code 2.5.50) ]] ||
{ skip "Need MDS version at least 2.6.93 or 2.5.35"; return; }
- if [ "$CLIENT_TYPE" = "remote" ]; then
- do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- fi
-
rm -rf $DIR/$tdir
mkdir -p $DIR/$tdir
chmod 0771 $DIR/$tdir
chgrp $ID0 $DIR/$tdir
$RUNAS_CMD -u $ID0 ls $DIR/$tdir || error "setgroups (1)"
- if [ "$CLIENT_TYPE" = "local" ]; then
- do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- $RUNAS_CMD -u $ID1 -G1,2,$ID0 ls $DIR/$tdir ||
- error "setgroups (2)"
- fi
+ do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ $RUNAS_CMD -u $ID1 -G1,2,$ID0 ls $DIR/$tdir ||
+ error "setgroups (2)"
$RUNAS_CMD -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)"
rm -rf $DIR/$tdir
wait_nm_sync() {
local nodemap_name=$1
local key=$2
+ local value=$3
local proc_param="${nodemap_name}.${key}"
[ "$nodemap_name" == "active" ] && proc_param="active"
local max_retries=20
local is_sync
- local out1=$(do_facet mgs $LCTL get_param nodemap.${proc_param})
+ local out1=""
local out2
- local mgs_ip=$(host_nids_address $mgs_HOST $NETTYPE)
+ local mgs_ip=$(host_nids_address $mgs_HOST $NETTYPE | cut -d' ' -f1)
local i
+ if [ -z "$value" ]; then
+ out1=$(do_facet mgs $LCTL get_param nodemap.${proc_param})
+ echo "On MGS ${mgs_ip}, ${proc_param} = $out1"
+ else
+ out1=$value;
+ fi
+
# wait up to 10 seconds for other servers to sync with mgs
for i in $(seq 1 10); do
for node in $(all_server_nodes); do
- local node_ip=$(host_nids_address $node $NETTYPE)
+ local node_ip=$(host_nids_address $node $NETTYPE |
+ cut -d' ' -f1)
- is_sync=true
+ is_sync=true
+ if [ -z "$value" ]; then
[ $node_ip == $mgs_ip ] && continue
+ fi
- out2=$(do_node $node_ip $LCTL get_param \
- nodemap.$proc_param 2>/dev/null)
- [ "$out1" != "$out2" ] && is_sync=false && break
+ out2=$(do_node $node_ip $LCTL get_param \
+ nodemap.$proc_param 2>/dev/null)
+ echo "On $node ${node_ip}, ${proc_param} = $out2"
+ [ "$out1" != "$out2" ] && is_sync=false && break
done
$is_sync && break
sleep 1
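Review bot: The new third argument of wait_nm_sync is compared verbatim against the output of `get_param` without `-n`, so it has to be the whole `nodemap.<name>.<key>=<value>` line rather than the bare value, and nothing in the hunk says so. A caller that passes only the value would never match and would sit through every retry. A comment above the function would make the contract explicit: `# $3 (optional): expected full get_param line, e.g. "nodemap.c0.fileset=/dir"; when set, the MGS node is checked too`. The function's tail is outside the hunk, so what happens once the retries run out is not visible here.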
local client
for client in $clients; do
local client_ip=$(host_nids_address $client $NETTYPE)
- local client_nid=$(h2$NETTYPE $client_ip)
+ local client_nid=$(h2nettype $client_ip)
do_facet mgs $LCTL nodemap_add c${i} || return 1
do_facet mgs $LCTL nodemap_add_range \
--name c${i} --range $client_nid || return 1
wait_nm_sync c0 trusted_nodemap
}
+# fileset test directory needs to be initialized on a privileged client
+fileset_test_setup() {
+ local admin=$(do_facet mgs $LCTL get_param -n nodemap.c0.admin_nodemap)
+ local trust=$(do_facet mgs $LCTL get_param -n \
+ nodemap.c0.trusted_nodemap)
+
+ do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
+ do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
+
+ wait_nm_sync c0 admin_nodemap
+ wait_nm_sync c0 trusted_nodemap
+
+ # create directory and populate it for subdir mount
+ do_node ${clients_arr[0]} mkdir $MOUNT/$subdir ||
+ error "unable to create dir $MOUNT/$subdir"
+ do_node ${clients_arr[0]} touch $MOUNT/$subdir/this_is_$subdir ||
+ error "unable to create file $MOUNT/$subdir/this_is_$subdir"
+ do_node ${clients_arr[0]} mkdir $MOUNT/$subdir/$subsubdir ||
+ error "unable to create dir $MOUNT/$subdir/$subsubdir"
+ do_node ${clients_arr[0]} touch \
+ $MOUNT/$subdir/$subsubdir/this_is_$subsubdir ||
+ error "unable to create file \
+ $MOUNT/$subdir/$subsubdir/this_is_$subsubdir"
+
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property admin --value $admin
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property trusted --value $trust
+
+ # flush MDT locks to make sure they are reacquired before test
+ do_node ${clients_arr[0]} $LCTL set_param \
+ ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
+
+ wait_nm_sync c0 admin_nodemap
+ wait_nm_sync c0 trusted_nodemap
+}
+
+# fileset test directory needs to be initialized on a privileged client
+fileset_test_cleanup() {
+ local admin=$(do_facet mgs $LCTL get_param -n nodemap.c0.admin_nodemap)
+ local trust=$(do_facet mgs $LCTL get_param -n \
+ nodemap.c0.trusted_nodemap)
+
+ do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
+ do_facet mgs $LCTL nodemap_modify --name c0 --property trusted --value 1
+
+ wait_nm_sync c0 admin_nodemap
+ wait_nm_sync c0 trusted_nodemap
+
+ # cleanup directory created for subdir mount
+ do_node ${clients_arr[0]} rm -rf $MOUNT/$subdir ||
+ error "unable to remove dir $MOUNT/$subdir"
+
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property admin --value $admin
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property trusted --value $trust
+
+ # flush MDT locks to make sure they are reacquired before test
+ do_node ${clients_arr[0]} $LCTL set_param \
+ ldlm.namespaces.$FSNAME-MDT*.lru_size=clear
+
+ wait_nm_sync c0 admin_nodemap
+ wait_nm_sync c0 trusted_nodemap
+}
+
do_create_delete() {
local run_u=$1
local key=$2
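Review bot: fileset_test_setup and fileset_test_cleanup raise nodemap c0 to `admin=1`/`trusted=1` and restore the saved values only on the straight-line path, so if an `error` call in between aborts the function (presumably it does, as elsewhere in the framework) the nodemap stays privileged for whatever runs next. The saved values are also expanded unquoted, so a failed `get_param` leaves `--value` with no argument on the restore. I would check them before modifying anything, e.g. `[ -n "$admin" ] && [ -n "$trust" ] || error "cannot read c0 admin/trusted"`, and move the restore into a helper that also runs on the failure path. The header comment on fileset_test_cleanup is a copy of the setup one and should say that it removes the test directory.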
local qused_high=$((qused_orig + quota_fuzz))
local qused_low=$((qused_orig - quota_fuzz))
local testfile=$DIR/$tdir/$tfile
- $run_u dd if=/dev/zero of=$testfile bs=1M count=1 >& /dev/null ||
- error "unable to write quota test file"
+ $run_u dd if=/dev/zero of=$testfile oflag=sync bs=1M count=1 \
+ >& /dev/null || error "unable to write quota test file"
sync; sync_all_data || true
local qused_new=$(nodemap_check_quota "$run_u")
# if only one client, and non-admin, need to flip admin everytime
if [ "$num_clients" == "1" ]; then
+ test_fops_admin_client=$clients
test_fops_admin_val=$(do_facet mgs $LCTL get_param -n \
nodemap.c0.admin_nodemap)
if [ "$test_fops_admin_val" != "1" ]; then
rc=$?
[[ $rc != 0 ]] && error "removing fops nodemaps failed $rc"
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property admin --value 0
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property trusted --value 0
+ wait_nm_sync default trusted_nodemap
+
+ do_facet mgs $LCTL nodemap_activate 0
+ wait_nm_sync active 0
+
+ export SK_UNIQUE_NM=false
return 0
}
run_test 24 "check nodemap proc files for LBUGs and Oopses"
test_25() {
+ local tmpfile=$(mktemp)
+ local tmpfile2=$(mktemp)
+ local tmpfile3=$(mktemp)
+ local tmpfile4=$(mktemp)
+ local subdir=c0dir
+ local client
+
nodemap_version_check || return 0
+
+ # stop clients for this test
+ zconf_umount_clients $CLIENTS $MOUNT ||
+ error "unable to umount clients $CLIENTS"
+
+ export SK_UNIQUE_NM=true
nodemap_test_setup
+ # enable trusted/admin for setquota call in cleanup_and_setup_lustre()
+ i=0
+ for client in $clients; do
+ do_facet mgs $LCTL nodemap_modify --name c${i} \
+ --property admin --value 1
+ do_facet mgs $LCTL nodemap_modify --name c${i} \
+ --property trusted --value 1
+ ((i++))
+ done
+ wait_nm_sync c$((i - 1)) trusted_nodemap
+
trap nodemap_test_cleanup EXIT
- local tmpfile=$(mktemp)
+
+ # create a new, empty nodemap, and add fileset info to it
+ do_facet mgs $LCTL nodemap_add test25 ||
+ error "unable to create nodemap $testname"
+ do_facet mgs $LCTL set_param -P nodemap.$testname.fileset=/$subdir ||
+ error "unable to add fileset info to nodemap test25"
+
+ wait_nm_sync test25 id
+
do_facet mgs $LCTL nodemap_info > $tmpfile
- cleanup_and_setup_lustre
- diff -q <(do_facet mgs $LCTL nodemap_info) $tmpfile >& /dev/null ||
- error "nodemap_info diff after remount"
+ do_facet mds $LCTL nodemap_info > $tmpfile2
+
+ if ! $SHARED_KEY; then
+ # will conflict with SK's nodemaps
+ cleanup_and_setup_lustre
+ fi
+ # stop clients for this test
+ zconf_umount_clients $CLIENTS $MOUNT ||
+ error "unable to umount clients $CLIENTS"
+
+ do_facet mgs $LCTL nodemap_info > $tmpfile3
+ diff -q $tmpfile3 $tmpfile >& /dev/null ||
+ error "nodemap_info diff on MGS after remount"
+ do_facet mds $LCTL nodemap_info > $tmpfile4
+ diff -q $tmpfile4 $tmpfile2 >& /dev/null ||
+ error "nodemap_info diff on MDS after remount"
+
+ # cleanup nodemap
+ do_facet mgs $LCTL nodemap_del test25 ||
+ error "cannot delete nodemap test25 from config"
nodemap_test_cleanup
- rm -f $tmpfile
+ # restart clients previously stopped
+ zconf_mount_clients $CLIENTS $MOUNT ||
+ error "unable to mount clients $CLIENTS"
+
+ rm -f $tmpfile $tmpfile2
+ export SK_UNIQUE_NM=false
}
run_test 25 "test save and reload nodemap config"
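Review bot: test_25 creates four `mktemp` files but the final `rm -f $tmpfile $tmpfile2` removes only two, so `tmpfile3` and `tmpfile4`, which hold `nodemap_info` dumps, are left behind on every run; the line should read `rm -f "$tmpfile" "$tmpfile2" "$tmpfile3" "$tmpfile4"`. All four are created before `nodemap_version_check || return 0`, and none is removed on that early return or when an `error` fires. Separately, the nodemap is created and deleted under the literal name `test25` but the fileset is set through `nodemap.$testname.fileset`; `$testname` is not assigned in this function, so unless the framework sets it to `test25` the fileset goes to a different name and the `error` message on the create line prints the wrong one.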
}
run_test 26 "test transferring very large nodemap"
+test_27() {
+ local subdir=c0dir
+ local subsubdir=c0subdir
+ local fileset_on_mgs=""
+ local loop=0
+
+ nodemap_test_setup
+ if $SHARED_KEY; then
+ export SK_UNIQUE_NM=true
+ else
+ # will conflict with SK's nodemaps
+ trap nodemap_test_cleanup EXIT
+ fi
+
+ fileset_test_setup
+
+ # add fileset info to nodemap
+ do_facet mgs $LCTL set_param -P nodemap.c0.fileset=/$subdir ||
+ error "unable to add fileset info to nodemap c0"
+ wait_nm_sync c0 fileset "nodemap.c0.fileset=/$subdir"
+
+ # re-mount client
+ zconf_umount_clients ${clients_arr[0]} $MOUNT ||
+ error "unable to umount client ${clients_arr[0]}"
+ # set some generic fileset to trigger SSK code
+ export FILESET=/
+ zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
+ error "unable to remount client ${clients_arr[0]}"
+ unset FILESET
+
+ # test mount point content
+ do_node ${clients_arr[0]} test -f $MOUNT/this_is_$subdir ||
+ error "fileset not taken into account"
+
+ # re-mount client with sub-subdir
+ zconf_umount_clients ${clients_arr[0]} $MOUNT ||
+ error "unable to umount client ${clients_arr[0]}"
+ export FILESET=/$subsubdir
+ zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
+ error "unable to remount client ${clients_arr[0]}"
+ unset FILESET
+
+ # test mount point content
+ do_node ${clients_arr[0]} test -f $MOUNT/this_is_$subsubdir ||
+ error "subdir of fileset not taken into account"
+
+ # remove fileset info from nodemap
+ do_facet mgs $LCTL nodemap_set_fileset --name c0 --fileset \'\' ||
+ error "unable to delete fileset info on nodemap c0"
+ fileset_on_mgs=$(do_facet mgs $LCTL get_param nodemap.c0.fileset)
+ while [ "${fileset_on_mgs}" != "nodemap.c0.fileset=" ]; do
+ if [ $loop -eq 10 ]; then
+ error "On MGS, fileset cannnot be cleared"
+ break;
+ else
+ loop=$((loop+1))
+ echo "On MGS, fileset is still ${fileset_on_mgs}, waiting..."
+ sleep 20;
+ fi
+ fileset_on_mgs=$(do_facet mgs $LCTL get_param nodemap.c0.fileset)
+ done
+ do_facet mgs $LCTL set_param -P nodemap.c0.fileset=\'\' ||
+ error "unable to reset fileset info on nodemap c0"
+ wait_nm_sync c0 fileset
+
+ # re-mount client
+ zconf_umount_clients ${clients_arr[0]} $MOUNT ||
+ error "unable to umount client ${clients_arr[0]}"
+ zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
+ error "unable to remount client ${clients_arr[0]}"
+
+ # test mount point content
+ do_node ${clients_arr[0]} test -d $MOUNT/$subdir ||
+ (ls $MOUNT ; error "fileset not cleared on nodemap c0")
+
+ # back to non-nodemap setup
+ if $SHARED_KEY; then
+ export SK_UNIQUE_NM=false
+ zconf_umount_clients ${clients_arr[0]} $MOUNT ||
+ error "unable to umount client ${clients_arr[0]}"
+ fi
+ fileset_test_cleanup
+ nodemap_test_cleanup
+ if $SHARED_KEY; then
+ zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
+ error "unable to remount client ${clients_arr[0]}"
+ fi
+}
+run_test 27 "test fileset in nodemap"
+
+test_28() {
+ if ! $SHARED_KEY; then
+ skip "need shared key feature for this test" && return
+ fi
+ mkdir -p $DIR/$tdir || error "mkdir failed"
+ touch $DIR/$tdir/$tdir.out || error "touch failed"
+ if [ ! -f $DIR/$tdir/$tdir.out ]; then
+ error "read before rotation failed"
+ fi
+ # store top key identity to ensure rotation has occurred
+ SK_IDENTITY_OLD=$(lctl get_param *.*.*srpc* | grep "expire" |
+ head -1 | awk '{print $15}' | cut -c1-8)
+ do_facet $SINGLEMDS lfs flushctx ||
+ error "could not run flushctx on $SINGLEMDS"
+ sleep 5
+ lfs flushctx || error "could not run flushctx on client"
+ sleep 5
+ # verify new key is in place
+ SK_IDENTITY_NEW=$(lctl get_param *.*.*srpc* | grep "expire" |
+ head -1 | awk '{print $15}' | cut -c1-8)
+ if [ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]; then
+ error "key did not rotate correctly"
+ fi
+ if [ ! -f $DIR/$tdir/$tdir.out ]; then
+ error "read after rotation failed"
+ fi
+}
+run_test 28 "check shared key rotation method"
+
+test_29() {
+ if ! $SHARED_KEY; then
+ skip "need shared key feature for this test" && return
+ fi
+ if [ $SK_FLAVOR != "ski" ] && [ $SK_FLAVOR != "skpi" ]; then
+ skip "test only valid if integrity is active"
+ fi
+ rm -r $DIR/$tdir
+ mkdir $DIR/$tdir || error "mkdir"
+ touch $DIR/$tdir/$tfile || error "touch"
+ zconf_umount_clients ${clients_arr[0]} $MOUNT ||
+ error "unable to umount clients"
+ keyctl show | awk '/lustre/ { print $1 }' |
+ xargs -IX keyctl unlink X
+ OLD_SK_PATH=$SK_PATH
+ export SK_PATH=/dev/null
+ if zconf_mount_clients ${clients_arr[0]} $MOUNT; then
+ export SK_PATH=$OLD_SK_PATH
+ if [ -e $DIR/$tdir/$tfile ]; then
+ error "able to mount and read without key"
+ else
+ error "able to mount without key"
+ fi
+ else
+ export SK_PATH=$OLD_SK_PATH
+ keyctl show | awk '/lustre/ { print $1 }' |
+ xargs -IX keyctl unlink X
+ fi
+}
+run_test 29 "check for missing shared key"
+
+test_30() {
+ if ! $SHARED_KEY; then
+ skip "need shared key feature for this test" && return
+ fi
+ if [ $SK_FLAVOR != "ski" ] && [ $SK_FLAVOR != "skpi" ]; then
+ skip "test only valid if integrity is active"
+ fi
+ mkdir -p $DIR/$tdir || error "mkdir failed"
+ touch $DIR/$tdir/$tdir.out || error "touch failed"
+ zconf_umount_clients ${clients_arr[0]} $MOUNT ||
+ error "unable to umount clients"
+ # unload keys from ring
+ keyctl show | awk '/lustre/ { print $1 }' |
+ xargs -IX keyctl unlink X
+ # invalidate the key with bogus filesystem name
+ lgss_sk -w $SK_PATH/$FSNAME-bogus.key -f $FSNAME.bogus \
+ -t client -d /dev/urandom || error "lgss_sk failed (1)"
+ do_facet $SINGLEMDS lfs flushctx || error "could not run flushctx"
+ OLD_SK_PATH=$SK_PATH
+ export SK_PATH=$SK_PATH/$FSNAME-bogus.key
+ if zconf_mount_clients ${clients_arr[0]} $MOUNT; then
+ SK_PATH=$OLD_SK_PATH
+ if [ -a $DIR/$tdir/$tdir.out ]; then
+ error "mount and read file with invalid key"
+ else
+ error "mount with invalid key"
+ fi
+ fi
+ SK_PATH=$OLD_SK_PATH
+ zconf_umount_clients ${clients_arr[0]} $MOUNT ||
+ error "unable to umount clients"
+}
+run_test 30 "check for invalid shared key"
+
log "cleanup: ======================================================"
sec_unsetup() {
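Review bot: In test_29 and test_30 the integrity check calls `skip "test only valid if integrity is active"` without a `return`, so unless `skip` itself exits (the shared-key check just above pairs it with `&& return`) both tests go on to unmount the client and unlink the lustre keys from the keyring on a configuration they were meant to skip; it should be `skip "test only valid if integrity is active" && return`. test_30 also never removes `$SK_PATH/$FSNAME-bogus.key` after the mount attempt, leaving generated key material in the key directory; `rm -f "$SK_PATH/$FSNAME-bogus.key"` once `SK_PATH` has been restored would clean it up. In test_28 the comparison `[ $SK_IDENTITY_OLD == $SK_IDENTITY_NEW ]` is unquoted, so if the `awk '{print $15}'` parse yields nothing for one side the `[` errors out, the `if` is false and the test passes without having verified rotation; quoting both sides and failing on an empty identity closes that.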