X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=blobdiff_plain;f=lustre%2Ftests%2Fsanity-sec.sh;h=c5d966360edab91ff071b978294a62ef197a9e24;hp=885ec8458c0e7c5bc08e2951c7d51f6af012e1fa;hb=87383c55e74a219e72bcf861a2d2e81d978a927f;hpb=bb22454d2203553f657f26e13d6bbeea66270a48

diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh
index 885ec84..c5d9663 100755
--- a/lustre/tests/sanity-sec.sh
+++ b/lustre/tests/sanity-sec.sh
@@ -9,10 +9,6 @@ set -e
 ONLY=${ONLY:-"$*"}
 # bug number for skipped test:
 ALWAYS_EXCEPT="              $SANITY_SEC_EXCEPT"
-if $SHARED_KEY; then
-# bug number for skipped test: 9145 9145 9671 9145 9145 9145 9145 9245
-	ALWAYS_EXCEPT="        17   18   19   20   21   22   23   27 $ALWAYS_EXCEPT"
-fi
 # UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
 
 SRCDIR=$(dirname $0)
@@ -1160,6 +1156,12 @@ fops_test_setup() {
 # fileset test directory needs to be initialized on a privileged client
 fileset_test_setup() {
 	local nm=$1
+
+	if [ -n "$FILESET" -a -z "$SKIP_FILESET" ]; then
+		cleanup_mount $MOUNT
+		FILESET="" zconf_mount_clients $CLIENTS $MOUNT
+	fi
+
 	local admin=$(do_facet mgs $LCTL get_param -n \
 		nodemap.${nm}.admin_nodemap)
 	local trust=$(do_facet mgs $LCTL get_param -n \
@@ -1227,6 +1229,10 @@ fileset_test_cleanup() {
 
 	wait_nm_sync $nm admin_nodemap
 	wait_nm_sync $nm trusted_nodemap
+	if [ -n "$FILESET" -a -z "$SKIP_FILESET" ]; then
+		cleanup_mount $MOUNT
+		zconf_mount_clients $CLIENTS $MOUNT
+	fi
 }
 
 do_create_delete() {
@@ -1545,6 +1551,11 @@ test_16() {
 run_test 16 "test nodemap all_off fileops"
 
 test_17() {
+	if $SHARED_KEY &&
+	[ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+		skip "Need MDS >= 2.11.55"
+	fi
+
 	nodemap_version_check || return 0
 	nodemap_test_setup
 
@@ -1556,6 +1567,11 @@ test_17() {
 run_test 17 "test nodemap trusted_noadmin fileops"
 
 test_18() {
+	if $SHARED_KEY &&
+	[ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+		skip "Need MDS >= 2.11.55"
+	fi
+
 	nodemap_version_check || return 0
 	nodemap_test_setup
 
@@ -1567,6 +1583,11 @@ test_18() {
 run_test 18 "test nodemap mapped_noadmin fileops"
 
 test_19() {
+	if $SHARED_KEY &&
+	[ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+		skip "Need MDS >= 2.11.55"
+	fi
+
 	nodemap_version_check || return 0
 	nodemap_test_setup
 
@@ -1578,6 +1599,11 @@ test_19() {
 run_test 19 "test nodemap trusted_admin fileops"
 
 test_20() {
+	if $SHARED_KEY &&
+	[ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+		skip "Need MDS >= 2.11.55"
+	fi
+
 	nodemap_version_check || return 0
 	nodemap_test_setup
 
@@ -1589,6 +1615,11 @@ test_20() {
 run_test 20 "test nodemap mapped_admin fileops"
 
 test_21() {
+	if $SHARED_KEY &&
+	[ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+		skip "Need MDS >= 2.11.55"
+	fi
+
 	nodemap_version_check || return 0
 	nodemap_test_setup
 
@@ -1611,6 +1642,11 @@ test_21() {
 run_test 21 "test nodemap mapped_trusted_noadmin fileops"
 
 test_22() {
+	if $SHARED_KEY &&
+	[ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+		skip "Need MDS >= 2.11.55"
+	fi
+
 	nodemap_version_check || return 0
 	nodemap_test_setup
 
@@ -1751,10 +1787,11 @@ test_23a() {
 run_test 23a "test mapped regular ACLs"
 
 test_23b() { #LU-9929
-	remote_mgs_nodsh && skip "remote MGS with nodsh" && return
+	[ $num_clients -lt 2 ] && skip "Need 2 clients at least" && return
 	[ $(lustre_version_code mgs) -lt $(version_code 2.10.53) ] &&
 		skip "Need MGS >= 2.10.53" && return
 
+	export SK_UNIQUE_NM=true
 	nodemap_test_setup
 	trap nodemap_test_cleanup EXIT
 
@@ -1766,11 +1803,16 @@ test_23b() { #LU-9929
 
 	do_facet mgs $LCTL nodemap_modify --name c0 --property admin --value 1
 	wait_nm_sync c0 admin_nodemap
+	do_facet mgs $LCTL nodemap_modify --name c1 --property admin --value 1
+	wait_nm_sync c1 admin_nodemap
+	do_facet mgs $LCTL nodemap_modify --name c1 --property trusted --value 1
+	wait_nm_sync c1 trusted_nodemap
 
 	# Add idmap $ID0:$fs_id (500:60010)
 	do_facet mgs $LCTL nodemap_add_idmap --name c0 --idtype gid \
 		--idmap $ID0:$fs_id ||
 		error "add idmap $ID0:$fs_id to nodemap c0 failed"
+	wait_nm_sync c0 idmap
 
 	# set/getfacl default acl on client0 (unmapped gid=500)
 	rm -rf $testdir
@@ -1783,20 +1825,18 @@ test_23b() { #LU-9929
 	[ "$unmapped_id" = "$USER0" ] ||
 		error "gid=$ID0 was not unmapped correctly on ${clients_arr[0]}"
 
-	# getfacl default acl on MGS (mapped gid=60010)
-	zconf_mount $mgs_HOST $MOUNT
-	do_rpc_nodes $mgs_HOST is_mounted $MOUNT ||
-		error "mount lustre on MGS failed"
-	mapped_id=$(do_node $mgs_HOST getfacl $testdir |
+	# getfacl default acl on client2 (mapped gid=60010)
+	mapped_id=$(do_node ${clients_arr[1]} getfacl $testdir |
 			grep -E "default:group:.*:rwx" | awk -F: '{print $3}')
-	fs_user=$(do_facet mgs getent passwd |
+	fs_user=$(do_node ${clients_arr[1]} getent passwd |
 			grep :$fs_id:$fs_id: | cut -d: -f1)
+	[ -z "$fs_user" ] && fs_user=$fs_id
 	[ $mapped_id -eq $fs_id -o "$mapped_id" = "$fs_user" ] ||
-		error "Should return gid=$fs_id or $fs_user on MGS"
+		error "Should return gid=$fs_id or $fs_user on client2"
 
 	rm -rf $testdir
-	do_facet mgs umount $MOUNT
 	nodemap_test_cleanup
+	export SK_UNIQUE_NM=false
 }
 run_test 23b "test mapped default ACLs"
 
@@ -1804,8 +1844,7 @@ test_24() {
 	nodemap_test_setup
 
 	trap nodemap_test_cleanup EXIT
-	do_nodes $(comma_list $(all_server_nodes)) $LCTL get_param -R nodemap ||
-		error "proc readable file read failed"
+	do_nodes $(comma_list $(all_server_nodes)) $LCTL get_param -R nodemap
 
 	nodemap_test_cleanup
 }
@@ -1991,13 +2030,18 @@ nodemap_exercise_fileset() {
 }
 
 test_27a() {
-	[ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.10.59) ] &&
-		skip "Need MDS >= 2.10.59" && return
+	[ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.50) ] &&
+		skip "Need MDS >= 2.11.50" && return
 
 	for nm in "default" "c0"; do
 		local subdir="subdir_${nm}"
 		local subsubdir="subsubdir_${nm}"
 
+		if [ "$nm" == "default" ] && [ "$SHARED_KEY" == "true" ]; then
+			echo "Skipping nodemap $nm with SHARED_KEY";
+			continue;
+		fi
+
 		echo "Exercising fileset for nodemap $nm"
 		nodemap_exercise_fileset "$nm"
 	done
@@ -2005,8 +2049,8 @@ test_27a() {
 run_test 27a "test fileset in various nodemaps"
 
 test_27b() { #LU-10703
-	[ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.10.59) ] &&
-		skip "Need MDS >= 2.10.59" && return
+	[ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.50) ] &&
+		skip "Need MDS >= 2.11.50" && return
 	[[ $MDSCOUNT -lt 2 ]] && skip "needs >= 2 MDTs" && return
 
 	nodemap_test_setup
@@ -2137,6 +2181,331 @@ test_30() {
 }
 run_test 30 "check for invalid shared key"
 
+cleanup_31() {
+	# unmount client
+	zconf_umount $HOSTNAME $MOUNT || error "unable to umount client"
+
+	# remove ${NETTYPE}999 network on all nodes
+	do_nodes $(comma_list $(all_nodes)) \
+		 "$LNETCTL net del --net ${NETTYPE}999 && \
+		  $LNETCTL lnet unconfigure 2>/dev/null || true"
+
+	# necessary to do writeconf in order to de-register
+	# @${NETTYPE}999 nid for targets
+	KZPOOL=$KEEP_ZPOOL
+	export KEEP_ZPOOL="true"
+	stopall
+	export SK_MOUNTED=false
+	writeconf_all
+	setupall || echo 1
+	export KEEP_ZPOOL="$KZPOOL"
+}
+
+test_31() {
+	local nid=$(lctl list_nids | grep ${NETTYPE} | head -n1)
+	local addr=${nid%@*}
+	local net=${nid#*@}
+
+	export LNETCTL=$(which lnetctl 2> /dev/null)
+
+	[ -z "$LNETCTL" ] && skip "without lnetctl support." && return
+	local_mode && skip "in local mode."
+
+	stack_trap cleanup_31 EXIT
+
+	# umount client
+	if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
+		umount_client $MOUNT2 || error "umount $MOUNT2 failed"
+	fi
+	if $(grep -q $MOUNT' ' /proc/mounts); then
+		umount_client $MOUNT || error "umount $MOUNT failed"
+	fi
+
+	# check exports on servers are empty for client
+	do_facet mgs "lctl get_param -n *.MGS*.exports.'$nid'.uuid 2>/dev/null |
+		      grep -q -" && error "export on MGS should be empty"
+	do_nodes $(comma_list $(mdts_nodes) $(osts_nodes)) \
+		 "lctl get_param -n *.${FSNAME}*.exports.'$nid'.uuid \
+		  2>/dev/null | grep -q -" &&
+		error "export on servers should be empty"
+
+	# add network ${NETTYPE}999 on all nodes
+	do_nodes $(comma_list $(all_nodes)) \
+		 "$LNETCTL lnet configure && $LNETCTL net add --if \
+		  $($LNETCTL net show --net $net | awk 'BEGIN{inf=0} \
+		  {if (inf==1) print $2; fi; inf=0} /interfaces/{inf=1}') \
+		  --net ${NETTYPE}999" ||
+		error "unable to configure NID ${NETTYPE}999"
+
+	# necessary to do writeconf in order to register
+	# new @${NETTYPE}999 nid for targets
+	KZPOOL=$KEEP_ZPOOL
+	export KEEP_ZPOOL="true"
+	stopall
+	export SK_MOUNTED=false
+	writeconf_all
+	setupall server_only || echo 1
+	export KEEP_ZPOOL="$KZPOOL"
+
+	# backup MGSNID
+	local mgsnid_orig=$MGSNID
+	# compute new MGSNID
+	MGSNID=$(do_facet mgs "$LCTL list_nids | grep ${NETTYPE}999")
+
+	# on client, turn LNet Dynamic Discovery on
+	lnetctl set discovery 1
+
+	# mount client with -o network=${NETTYPE}999 option:
+	# should fail because of LNet Dynamic Discovery
+	mount_client $MOUNT ${MOUNT_OPTS},network=${NETTYPE}999 &&
+		error "client mount with '-o network' option should be refused"
+
+	# on client, reconfigure LNet and turn LNet Dynamic Discovery off
+	$LNETCTL net del --net ${NETTYPE}999 && lnetctl lnet unconfigure
+	lustre_rmmod
+	modprobe lnet
+	lnetctl set discovery 0
+	modprobe ptlrpc
+	$LNETCTL lnet configure && $LNETCTL net add --if \
+	  $($LNETCTL net show --net $net | awk 'BEGIN{inf=0} \
+	  {if (inf==1) print $2; fi; inf=0} /interfaces/{inf=1}') \
+	  --net ${NETTYPE}999 ||
+	error "unable to configure NID ${NETTYPE}999 on client"
+
+	# mount client with -o network=${NETTYPE}999 option
+	mount_client $MOUNT ${MOUNT_OPTS},network=${NETTYPE}999 ||
+		error "unable to remount client"
+
+	# restore MGSNID
+	MGSNID=$mgsnid_orig
+
+	# check export on MGS
+	do_facet mgs "lctl get_param -n *.MGS*.exports.'$nid'.uuid 2>/dev/null |
+		      grep -q -"
+	[ $? -ne 0 ] ||	error "export for $nid on MGS should not exist"
+
+	do_facet mgs \
+		"lctl get_param -n *.MGS*.exports.'${addr}@${NETTYPE}999'.uuid \
+		 2>/dev/null | grep -q -"
+	[ $? -eq 0 ] ||
+		error "export for ${addr}@${NETTYPE}999 on MGS should exist"
+
+	# check {mdc,osc} imports
+	lctl get_param mdc.${FSNAME}-*.import | grep current_connection |
+	    grep -q ${NETTYPE}999
+	[ $? -eq 0 ] ||
+		error "import for mdc should use ${addr}@${NETTYPE}999"
+	lctl get_param osc.${FSNAME}-*.import | grep current_connection |
+	    grep -q ${NETTYPE}999
+	[ $? -eq 0 ] ||
+		error "import for osc should use ${addr}@${NETTYPE}999"
+}
+run_test 31 "client mount option '-o network'"
+
+cleanup_32() {
+	# umount client
+	zconf_umount_clients ${clients_arr[0]} $MOUNT
+
+	# disable sk flavor enforcement on MGS
+	set_rule _mgs any any null
+
+	# stop gss daemon on MGS
+	if ! combined_mgs_mds ; then
+		send_sigint $mgs_HOST lsvcgssd
+	fi
+
+	# re-mount client
+	MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
+	mountcli
+
+	restore_to_default_flavor
+}
+
+test_32() {
+	if ! $SHARED_KEY; then
+		skip "need shared key feature for this test"
+	fi
+
+	stack_trap cleanup_32 EXIT
+
+	# restore to default null flavor
+	save_flvr=$SK_FLAVOR
+	SK_FLAVOR=null
+	restore_to_default_flavor || error "cannot set null flavor"
+	SK_FLAVOR=$save_flvr
+
+	# umount client
+	if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
+		umount_client $MOUNT2 || error "umount $MOUNT2 failed"
+	fi
+	if $(grep -q $MOUNT' ' /proc/mounts); then
+	umount_client $MOUNT || error "umount $MOUNT failed"
+	fi
+
+	# start gss daemon on MGS
+	if combined_mgs_mds ; then
+		send_sigint $mds_HOST lsvcgssd
+	fi
+	start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g"
+
+	# add mgs key type and MGS NIDs in key on MGS
+	do_nodes $mgs_HOST "lgss_sk -t mgs,server -g $MGSNID -m \
+				$SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
+		error "could not modify keyfile on MGS"
+
+	# load modified key file on MGS
+	do_nodes $mgs_HOST "lgss_sk -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
+		error "could not load keyfile on MGS"
+
+	# add MGS NIDs in key on client
+	do_nodes ${clients_arr[0]} "lgss_sk -g $MGSNID -m \
+				$SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
+		error "could not modify keyfile on MGS"
+
+	# set perms for per-nodemap keys else permission denied
+	do_nodes $(comma_list $(all_nodes)) \
+		 "keyctl show | grep lustre | cut -c1-11 |
+				sed -e 's/ //g;' |
+				xargs -IX keyctl setperm X 0x3f3f3f3f"
+
+	# re-mount client with mgssec=skn
+	save_opts=$MOUNT_OPTS
+	if [ -z "$MOUNT_OPTS" ]; then
+		MOUNT_OPTS="-o mgssec=skn"
+	else
+		MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
+	fi
+	zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
+		error "mount ${clients_arr[0]} with mgssec=skn failed"
+	MOUNT_OPTS=$save_opts
+
+	# umount client
+	zconf_umount_clients ${clients_arr[0]} $MOUNT ||
+		error "umount ${clients_arr[0]} failed"
+
+	# enforce ska flavor on MGS
+	set_rule _mgs any any ska
+
+	# re-mount client without mgssec
+	zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS &&
+		error "mount ${clients_arr[0]} without mgssec should fail"
+
+	# re-mount client with mgssec=skn
+	save_opts=$MOUNT_OPTS
+	if [ -z "$MOUNT_OPTS" ]; then
+		MOUNT_OPTS="-o mgssec=skn"
+	else
+		MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
+	fi
+	zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS &&
+		error "mount ${clients_arr[0]} with mgssec=skn should fail"
+	MOUNT_OPTS=$save_opts
+
+	# re-mount client with mgssec=ska
+	save_opts=$MOUNT_OPTS
+	if [ -z "$MOUNT_OPTS" ]; then
+		MOUNT_OPTS="-o mgssec=ska"
+	else
+		MOUNT_OPTS="$MOUNT_OPTS,mgssec=ska"
+	fi
+	zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
+		error "mount ${clients_arr[0]} with mgssec=ska failed"
+	MOUNT_OPTS=$save_opts
+
+	exit 0
+}
+run_test 32 "check for mgssec"
+
+cleanup_33() {
+	# disable sk flavor enforcement
+	set_rule $FSNAME any cli2mdt null
+	wait_flavor cli2mdt null
+
+	# umount client
+	zconf_umount_clients ${clients_arr[0]} $MOUNT
+
+	# stop gss daemon on MGS
+	if ! combined_mgs_mds ; then
+		send_sigint $mgs_HOST lsvcgssd
+	fi
+
+	# re-mount client
+	MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS)
+	mountcli
+
+	restore_to_default_flavor
+}
+
+test_33() {
+	if ! $SHARED_KEY; then
+		skip "need shared key feature for this test"
+	fi
+
+	stack_trap cleanup_33 EXIT
+
+	# restore to default null flavor
+	save_flvr=$SK_FLAVOR
+	SK_FLAVOR=null
+	restore_to_default_flavor || error "cannot set null flavor"
+	SK_FLAVOR=$save_flvr
+
+	# umount client
+	if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then
+		umount_client $MOUNT2 || error "umount $MOUNT2 failed"
+	fi
+	if $(grep -q $MOUNT' ' /proc/mounts); then
+	umount_client $MOUNT || error "umount $MOUNT failed"
+	fi
+
+	# start gss daemon on MGS
+	if combined_mgs_mds ; then
+		send_sigint $mds_HOST lsvcgssd
+	fi
+	start_gss_daemons $mgs_HOST "$LSVCGSSD -vvv -s -g"
+
+	# add mgs key type and MGS NIDs in key on MGS
+	do_nodes $mgs_HOST "lgss_sk -t mgs,server -g $MGSNID -m \
+				$SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
+		error "could not modify keyfile on MGS"
+
+	# load modified key file on MGS
+	do_nodes $mgs_HOST "lgss_sk -l $SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
+		error "could not load keyfile on MGS"
+
+	# add MGS NIDs in key on client
+	do_nodes ${clients_arr[0]} "lgss_sk -g $MGSNID -m \
+				$SK_PATH/$FSNAME.key >/dev/null 2>&1" ||
+		error "could not modify keyfile on MGS"
+
+	# set perms for per-nodemap keys else permission denied
+	do_nodes $(comma_list $(all_nodes)) \
+		 "keyctl show | grep lustre | cut -c1-11 |
+				sed -e 's/ //g;' |
+				xargs -IX keyctl setperm X 0x3f3f3f3f"
+
+	# re-mount client with mgssec=skn
+	save_opts=$MOUNT_OPTS
+	if [ -z "$MOUNT_OPTS" ]; then
+		MOUNT_OPTS="-o mgssec=skn"
+	else
+		MOUNT_OPTS="$MOUNT_OPTS,mgssec=skn"
+	fi
+	zconf_mount_clients ${clients_arr[0]} $MOUNT $MOUNT_OPTS ||
+		error "mount ${clients_arr[0]} with mgssec=skn failed"
+	MOUNT_OPTS=$save_opts
+
+	# enforce ska flavor for cli2mdt
+	set_rule $FSNAME any cli2mdt ska
+	wait_flavor cli2mdt ska
+
+	# check error message
+	$LCTL dk | grep "faked source" &&
+		error "MGS connection srpc flags incorrect"
+
+	exit 0
+}
+run_test 33 "correct srpc flags for MGS connection"
+
 log "cleanup: ======================================================"
 
 sec_unsetup() {