X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=blobdiff_plain;f=lustre%2Ftests%2Fsetup_kerberos.sh;h=c5d8fb024c964278467ed4e2f768e38db3ee702d;hp=7763fb28212b88bf0b11c490d13a3db6091343cd;hb=364bd1d974bb5b08319fbe73c8eabc5736b9d76b;hpb=b94d4f7076b0a1ffd3c82c75505782c36073e8cb diff --git a/lustre/tests/setup_kerberos.sh b/lustre/tests/setup_kerberos.sh index 7763fb2..c5d8fb0 100755 --- a/lustre/tests/setup_kerberos.sh +++ b/lustre/tests/setup_kerberos.sh @@ -1,5 +1,6 @@ #!/bin/bash -# vim:expandtab:shiftwidth=4:softtabstop=4:tabstop=4: +# -*- mode: Bash; tab-width: 4; indent-tabs-mode: t; -*- +# vim:shiftwidth=4:softtabstop=4:tabstop=4: # # setup_kerberos.sh - setup the Kerberos environment on Lustre cluster @@ -13,20 +14,21 @@ # usage my_usage() { cat < [:MDS_node:...] +Usage: $(basename $0) [:MDS_node:...] [:OSS_node:...] [:CLIENT_node:...] This script is used to setup the Kerberos environment on Lustre cluster. KDC_distro distribution on the KDC node (rhel5 or sles10) KDC_node KDC node name + MGS_node Lustre MGS node name MDS_node Lustre MDS node name OSS_node Lustre OSS node name CLIENT_node Lustre client node name - e.g.: $(basename $0) rhel5 scsi2 sata2 sata3 client5 - e.g.: $(basename $0) sles10 scsi2 scsi2 sata3:sata5 client2:client3 - e.g.: $(basename $0) rhel5 scsi2 scsi2 scsi2 scsi2 + e.g.: $(basename $0) rhel5 scsi2 scsi2 sata2 sata3 client5 + e.g.: $(basename $0) sles10 scsi2 scsi2 scsi2 sata3:sata5 client2:client3 + e.g.: $(basename $0) rhel5 scsi2 scsi2 scsi2 scsi2 scsi2 Notes: 1) The script will destroy all the old Kerberos settings by default. If you 
@@ -34,29 +36,26 @@ Usage: $(basename $0) [:MDS_node:...] "RESET_KDC=false". 2) The script will create principals for some runas users and add them into - the Kerberos database by default. The UIDs of the runas users specified in + the Kerberos database by default. The UIDs of the runas users specified in "LOCAL_UIDS" variable need exist on KDC, MDS and Client nodes. If you do not need runas users, please set "CFG_RUNAS=false". - 3) The script will create idmap.conf and perm.conf under /etc/lustre dir on - MDS node for remote ACL by default. If you do not need remote ACL, please - set "CFG_IDMAP=false". - EOF } # ************************ Parameters and Variables ************************ # MY_KDC_DISTRO=$1 MY_KDCNODE=$2 -MY_MDSNODES=$3 -MY_OSSNODES=$4 -MY_CLIENTNODES=$5 +MY_MGSNODE=$3 +MY_MDSNODES=$4 +MY_OSSNODES=$5 +MY_CLIENTNODES=$6 # translate to lower case letters MY_KDC_DISTRO=$(echo $MY_KDC_DISTRO | tr '[A-Z]' '[a-z]') if [ -z "$MY_KDC_DISTRO" -o -z "$MY_KDCNODE" -o -z "$MY_MDSNODES" -o \ - -z "$MY_OSSNODES" -o -z "$MY_CLIENTNODES" ]; then + -z "$MY_OSSNODES" -o -z "$MY_CLIENTNODES" -o -z "$MY_MGSNODE" ]; then my_usage exit 1 fi @@ -71,9 +70,8 @@ ACCEPTOR_PORT=${ACCEPTOR_PORT:-988} # check and configure runas users CFG_RUNAS=${CFG_RUNAS:-true} -# uids for local and remote users +# uids for local users LOCAL_UIDS=${LOCAL_UIDS:-"500 501"} -REMOTE_UIDS=${REMOTE_UIDS:-"500 501"} # for remote ACL testing # remove the original Kerberos and KDC settings RESET_KDC=${RESET_KDC:-true} 
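Review bot: The new `MY_MGSNODE=$3` is only checked for being non-empty, yet the rest of the commit treats the MGS as exactly one host (`add_svc_princ $MY_MGSNODE mgs`, `root@$MY_MGSNODE:$KRB5_KEYTAB`), while the neighbouring MDS/OSS/CLIENT parameters accept colon-separated lists. An MGS argument written as `a:b` passes the `-z` test here and, assuming get_fqdn (outside the hunk) expands it into two words as it does for the list parameters, reaches the principal and scp steps as two arguments. Rejecting the list form at parse time is cheaper than debugging the keytab step: `case $MY_MGSNODE in *:*) echo "MGS_node must be a single node"; my_usage; exit 1 ;; esac` right after the existing `-z` check.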
@@ -82,9 +80,10 @@ RESET_KDC=${RESET_KDC:-true} SPLIT_KEYTAB=${SPLIT_KEYTAB:-true} # encryption types for generating keytab -MDS_ENCTYPE=${MDS_ENCTYPE:-"des3-hmac-sha1"} -OSS_ENCTYPE=${OSS_ENCTYPE:-"des3-hmac-sha1"} -CLIENT_ENCTYPE=${CLIENT_ENCTYPE:-"des3-hmac-sha1"} +MDS_ENCTYPE=${MDS_ENCTYPE:-"aes128-cts"} +MGS_ENCTYPE=${MGS_ENCTYPE:-"$MDS_ENCTYPE"} +OSS_ENCTYPE=${OSS_ENCTYPE:-"aes128-cts"} +CLIENT_ENCTYPE=${CLIENT_ENCTYPE:-"aes128-cts"} # configuration file for Kerberos KRB5_CONF=${KRB5_CONF:-"/etc/krb5.conf"} @@ -95,12 +94,6 @@ KRB5_TICKET_LIFETIME=${KRB5_TICKET_LIFETIME:-"24h"} GSSAPI_MECH_CONF=${GSSAPI_MECH_CONF:-"/etc/gssapi_mech.conf"} REQUEST_KEY_CONF=${REQUEST_KEY_CONF:-"/etc/request-key.conf"} -# create configuration files for remote ACL testing -CFG_IDMAP=${CFG_IDMAP:-true} -LUSTRE_CONF_DIR=${LUSTRE_CONF_DIR:-"/etc/lustre"} -IDMAP_CONF=$LUSTRE_CONF_DIR/idmap.conf -PERM_CONF=$LUSTRE_CONF_DIR/perm.conf - # krb5 realm & domain KRB5_REALM=${KRB5_REALM:-"CO.CFS"} KRB5_DOMAIN=$(echo $KRB5_REALM | tr '[A-Z]' '[a-z]') @@ -217,6 +210,14 @@ normalize_names() { return $rc fi + # MGS node + MY_MGSNODE=$(get_fqdn $MY_MGSNODE) + rc=${PIPESTATUS[0]} + if [ $rc -ne 0 ]; then + echo $MY_MGSNODE + return $rc + fi + # MDS nodes MY_MDSNODES=$(get_fqdn $MY_MDSNODES) rc=${PIPESTATUS[0]} @@ -253,7 +254,8 @@ check_rsh() { echo "+++ Checking remote shell" - for node in $MY_KDCNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do + for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES + do is_part_of $node $checked && continue echo -n "Checking remote shell on $node..." 
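Review bot: The rewritten loop in check_rsh puts `do` on a line of its own, whereas every other loop in this file — including those touched by the same commit in check_users, cfg_nfs_mount and check_krb5 — keeps `; do` on the `for` line; the cfg_libgssapi and cfg_krb5_conf hunks introduce the same split. If line length is the motive, a backslash continuation keeps the file's convention: `for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES \` followed by `$MY_CLIENTNODES; do`. check_rsh begins and ends outside this hunk.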
@@ -304,14 +306,14 @@ check_users() { echo "+++ Checking users and groups" - for node in $MY_KDCNODE $MY_MDSNODES $MY_CLIENTNODES; do + for node in $MY_KDCNODE $MY_MGSNODE $MY_MDSNODES $MY_CLIENTNODES; do is_part_of $node $checked && continue for id in $LOCAL_UIDS; do echo -n "Checking uid/gid $id/$id on $node..." user=$(my_do_node $node getent passwd | grep :$id:$id: | cut -d: -f1) if [ -z "$user" ]; then - echo -e "\nPlease set LOCAL_UIDS and REMOTE_UIDS to some users \ + echo -e "\nPlease set LOCAL_UIDS to some users \ which exist on KDC, MDS and client or add user/group $id/$id on these nodes." return 1 fi @@ -354,7 +356,7 @@ cfg_nfs_mount() { echo "+++ Configuring nfsd mount" - for node in $MY_OSSNODES $MY_MDSNODES; do + for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES; do is_part_of $node $checked && continue cfg_mount $node nfsd /proc/fs/nfsd || return ${PIPESTATUS[0]} checked="$checked $node" @@ -411,7 +413,7 @@ check_krb5() { local krb5pkg_cli echo "+++ Checking Kerberos 5 installation" - for node in $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do + for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do is_part_of $node $checked && continue echo -n "Checking $node..." @@ -443,7 +445,7 @@ check_libgssapi() { return $rc fi - for node in $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do + for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do is_part_of $node $checked && continue echo -n "Checking $node..." @@ -472,7 +474,8 @@ cfg_libgssapi() { echo "+++ Updating $GSSAPI_MECH_CONF" - for node in $MY_KDCNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do + for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES + do is_part_of $node $checked && continue krb5pkg_lib=$(get_krb5pkgname $node lib) 
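Review bot: The user-check loop in check_users now visits `$MY_MGSNODE`, but the error message on the changed `echo -e` line still tells the operator the users must `exist on KDC, MDS and client`, so a failure on the MGS gives a misleading hint; the usage heredoc in the first hunk makes the same claim for LOCAL_UIDS. Suggest `which exist on KDC, MGS, MDS and client or add user/group $id/$id on these nodes."` here and the matching wording in the usage text. check_users starts before the hunk.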
@@ -506,7 +509,7 @@ cfg_keyutils() { echo "+++ Updating $REQUEST_KEY_CONF" - for node in $MY_MDSNODES $MY_CLIENTNODES; do + for node in $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do is_part_of $node $checked && continue lgss_keyring=$(my_do_node $node "which lgss_keyring") || \ return ${PIPESTATUS[0]} @@ -580,6 +583,8 @@ add_test_princ_id() { cfg_kdc_princs() { local node + add_svc_princ $MY_MGSNODE mgs || return ${PIPESTATUS[0]} + for node in $MY_MDSNODES; do add_svc_princ $node mds || return ${PIPESTATUS[0]} done @@ -647,7 +652,7 @@ cfg_kdc() { [realms] $KRB5_REALM = { - master_key_type = des3-hmac-sha1 + master_key_type = aes128-cts supported_enctypes = des3-hmac-sha1:normal aes128-cts:normal aes256-cts:normal des-cbc-md5:normal } EOF @@ -727,7 +732,8 @@ cfg_krb5_conf() { EOF # install krb5.conf remotely - for node in $MY_KDCNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do + for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES + do is_part_of $node $checked && continue echo -n "Installing krb5.conf on $node..." @@ -774,7 +780,6 @@ merge_keytab() { rkt $tab wkt $KRB5_KEYTAB EOF" || return ${PIPESTATUS[0]} - do_node_mute $node "rm -f $tab" || true } # @@ -788,7 +793,7 @@ cfg_keytab() { # remove old keytabs echo -n "Deleting old keytabs on all nodes..." - for node in $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do + for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do do_node_mute $node "rm -f $KRB5_KEYTAB $TMP/krb5cc*" done echo "OK!" @@ -798,6 +803,13 @@ cfg_keytab() { echo -n "Preparing for MDS $node..." do_kdc_mute "rm -f $tmptab" add_keytab_svc $tmptab $node mds $MDS_ENCTYPE || return ${PIPESTATUS[0]} + + if is_part_of $node $MY_MGSNODE; then + echo -n "also be an MGS..." + add_keytab_svc $tmptab $node mgs $MGS_ENCTYPE || \ + return ${PIPESTATUS[0]} + fi + if is_part_of $node $MY_OSSNODES; then echo -n "also be an OSS..." add_keytab_svc $tmptab $node oss $OSS_ENCTYPE || \ 
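Review bot: `master_key_type` in the generated kdc.conf moves to aes128-cts, but the `supported_enctypes` line right below it is left as is and still lists des3-hmac-sha1 first and des-cbc-md5 last alongside the AES types. Any principal created in this realm without an explicit enctype (add_svc_princ and add_test_princ_id are outside the hunk, so I cannot tell whether they pass one) would presumably receive keys in those legacy types as well, which undercuts the point of moving MDS/OSS/CLIENT_ENCTYPE to aes128-cts. If the commit's intent is an AES-only test realm, `supported_enctypes = aes256-cts:normal aes128-cts:normal` keeps the KDC consistent with the new keytab defaults; if DES is still needed for some test, a comment on that line saying why would help the next reader.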
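Review bot: Removing `do_node_mute $node "rm -f $tab" || true` from the end of merge_keytab leaves the temporary keytab that was copied to the node — the key material for its service principals — on that node's disk after ktutil has merged it into `$KRB5_KEYTAB`, unless some caller removes it. In the client loop (last hunk of this commit) merge_keytab is followed directly by `continue`, and no remote rm is visible there. If the file is intentionally kept because a later call reuses it, a comment at that point in merge_keytab should say so; otherwise the rm should stay. merge_keytab begins outside the hunk.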
@@ -812,10 +824,37 @@ cfg_keytab() { rm -f $tmptab done + # install for MGS node + echo -n "Preparing for MGS $MY_MGSNODE..." + if ! is_part_of $MY_MGSNODE $MY_MDSNODES; then + do_kdc_mute "rm -f $tmptab" + add_keytab_svc $tmptab $MY_MGSNODE mgs $MGS_ENCTYPE || \ + return ${PIPESTATUS[0]} + + if is_part_of $MY_MGSNODE $MY_OSSNODES; then + echo -n "also be an OSS..." + add_keytab_svc $tmptab $MY_MGSNODE oss $OSS_ENCTYPE || \ + return ${PIPESTATUS[0]} + fi + echo "OK!" + + echo -n "Installing krb5.keytab on $MY_MGSNODE..." + $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]} + $SCP $tmptab root@$MY_MGSNODE:$KRB5_KEYTAB || return ${PIPESTATUS[0]} + echo "OK!" + rm -f $tmptab + else + echo "also be an MDS, already done, skip" + fi + # install for OSS nodes for node in $MY_OSSNODES; do echo -n "Preparing for OSS $node..." - if ! is_part_of $node $MY_MDSNODES; then + if is_part_of $node $MY_MDSNODES; then + echo "also be an MDS, already done, skip" + elif is_part_of $node $MY_MGSNODE; then + echo "also be an MGS, already done, skip" + else do_kdc_mute "rm -f $tmptab" add_keytab_svc $tmptab $node oss $OSS_ENCTYPE || \ return ${PIPESTATUS[0]} @@ -826,8 +865,6 @@ cfg_keytab() { $SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]} echo "OK!" rm -f $tmptab - else - echo "also be an MDS, already done, skip" fi done @@ -837,6 +874,7 @@ cfg_keytab() { echo -n "Preparing for client..." add_keytab_root $tmptab $CLIENT_ENCTYPE || return ${PIPESTATUS[0]} $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]} + echo "OK!" else for node in $MY_CLIENTNODES; do echo -n "Preparing for client $node..." @@ -849,9 +887,9 @@ cfg_keytab() { add_keytab_svc $tmptab $node root $CLIENT_ENCTYPE || \ return ${PIPESTATUS[0]} $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]} + echo "OK!" done fi - echo "OK!" for node in $MY_CLIENTNODES; do echo -n "Installing krb5.keytab on client $node..." 
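Review bot: The new MGS block in cfg_keytab is a third copy of the prepare/copy/clean sequence the MDS and OSS loops already carry (`do_kdc_mute "rm -f $tmptab"`, the two `$SCP` lines, `echo "OK!"`, `rm -f $tmptab`), differing only in the node variable and the service name; a small helper taking a node and its list of roles would collapse all three and keep future role additions in one place. It would also be the natural spot to delete `$tmptab` on the KDC after the copy — every path here removes the file only locally, so the last generated keytab appears to remain in `$TMP` on the KDC host. cfg_keytab continues beyond this hunk.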
@@ -861,6 +899,14 @@ cfg_keytab() { continue fi + # merge keytab if it's also an MGS + if is_part_of $node $MY_MGSNODE; then + echo -n "also be an MGS, merging keytab..." + merge_keytab $tmptab $node || return ${PIPESTATUS[0]} + echo "OK!" + continue + fi + # merge keytab if it's also an OSS if is_part_of $node $MY_OSSNODES; then echo -n "also be an OSS, merging keytab..." 
@@ -946,84 +992,6 @@ exit ${PIPESTATUS[0]}) return 0 } -# -# create and install idmap.conf on the MDS -# -cfg_idmap_conf() { - local tmpcfg="$TMP/idmap.conf" - local fqdn - local user - local uid - local client_nids client_nid - local rc - - echo "+++ Installing idmap.conf on MDS" - echo "Getting Client NID..." - client_nids=$(get_client_nids) - rc=${PIPESTATUS[0]} - if [ $rc -ne 0 ]; then - echo $client_nids - return $rc - fi - - rm -f $tmpcfg - if $SPLIT_KEYTAB; then - for fqdn in $MY_CLIENTNODES; do - echo "lustre_root/$fqdn@$KRB5_REALM * 0" >> $tmpcfg - done - else - echo "lustre_root@$KRB5_REALM * 0" >> $tmpcfg - fi - cat <> $tmpcfg -bin@$KRB5_REALM * 1 -daemon@$KRB5_REALM * 2 -games@$KRB5_REALM * 12 -EOF - - for node in $MY_MDSNODES; do - for uid in $LOCAL_UIDS; do - user=$(my_do_node $node getent passwd $uid | cut -d: -f1) - for client_nid in $client_nids; do - echo "$user@$KRB5_REALM $client_nid $uid" >> $tmpcfg - done - done - done - - for node in $MY_MDSNODES; do - my_do_node $node "mkdir -p $LUSTRE_CONF_DIR" || return ${PIPESTATUS[0]} - $SCP $tmpcfg root@$node:$IDMAP_CONF || return ${PIPESTATUS[0]} - done - rm -f $tmpcfg - echo "OK!" -} - -# -# create and install perm.conf on the MDS for remote ACL testing -# -cfg_perm_conf() { - local tmpcfg="$TMP/perm.conf" - local uid - - echo "+++ Installing perm.conf on MDS" - - rm -f $tmpcfg - for node in $MY_MDSNODES; do - my_do_node $node "mkdir -p $LUSTRE_CONF_DIR" || return ${PIPESTATUS[0]} - - for uid in $LOCAL_UIDS $REMOTE_UIDS; do - if ! grep -q " $uid " $tmpcfg 2>/dev/null; then - echo "* $uid rmtacl" >> $tmpcfg - fi - done - - echo "* 0 setgid" >> $tmpcfg - - $SCP $tmpcfg root@$node:$PERM_CONF || return ${PIPESTATUS[0]} - done - rm -f $tmpcfg - echo "OK!" -} - # ******************************** Main Flow ******************************** # normalize_names || exit ${PIPESTATUS[0]} check_rsh || exit ${PIPESTATUS[0]} 
@@ -1031,9 +999,6 @@ check_entropy || exit ${PIPESTATUS[0]} if $CFG_RUNAS; then check_users || exit ${PIPESTATUS[0]} -elif $CFG_IDMAP; then - echo "Remote ACL operations need local and remote users!" - exit 1 fi check_kdc || exit ${PIPESTATUS[0]} @@ -1045,6 +1010,8 @@ echo " Configure Kerberos testing environment for Lustre" echo " KDC: $MY_KDCNODE" echo " realm: $KRB5_REALM, domain: $KRB5_DOMAIN" echo " Using gssapi package: $LIBGSSAPI" +echo " MGS node:" +echo " $MY_MGSNODE" echo " OSS nodes:" for i in $MY_OSSNODES; do echo " $i"; done echo " MDS nodes:" @@ -1065,9 +1032,4 @@ fi cfg_kdc_princs || exit ${PIPESTATUS[0]} cfg_keytab || exit ${PIPESTATUS[0]} -if $CFG_IDMAP; then - cfg_idmap_conf || exit ${PIPESTATUS[0]} - cfg_perm_conf || exit ${PIPESTATUS[0]} -fi - echo "Complete successfully!"