--- /dev/null
+.TH LFS-FLUSHCTX 1 2021-01-04 "Lustre" "Lustre Utilities"
+.SH NAME
+lfs flushctx \- flush security context of current user.
+.SH SYNOPSIS
+.B lfs flushctx
+.RB [ --help | -h "] [" -k "] [" -r "] [" \fIrootpath\fR "]"
+.br
+.SH DESCRIPTION
+Flush security context of current user, for Lustre file system as specified by
+\fBrootpath\fR, or for all mounted Lustre file systems.
+.P
+If \fB-k\fR is specified, proceed to Kerberos credentials cache destroy as well,
+by calling kdestroy.
+.P
+If \fB-r\fR is specified, reap revoked keys from the session keyring.
+.SH OPTIONS
+.TP
+.BR -k
+Proceed to Kerberos credentials cache destroy.
+.TP
+.BR -r
+Reap revoked keys from the session keyring.
+.TP
+.BR -h
+Display helper.
+.SH EXAMPLES
+.TP
+.B $ lfs flushctx -k -r /mnt/lustre
+This flushes security context of current user for Lustre file system mounted
+under /mnt/lustre, as well as destroys its Kerberos credentials cache and reaps
+revoked keys from its session keyring. This is the recommended way of using the
+command.
+.TP
+.B $ lfs flushctx
+This simply flushes security context of current user for all mounted Lustre file
+systems.
+.SH AUTHOR
+The lfs command is part of the Lustre filesystem.
+.SH SEE ALSO
+.BR lfs (1),
[[\fB!\fR] \fB--uid\fR|\fB-u\fR|\fB--user\fR|\fB-U
\fR<\fIuname\fR>|<\fIuid\fR>]
.br
+.B lfs flushctx
+.RB [ --help | -h "] [" -k "] [" -r "] [" \fIrootpath\fR "]"
+.br
.B lfs getname
.RB [ --help | -h "] [" --instance | -i "] [" --fsname | -n "] ["
.IR path ...]
operation, and by OST migration, primarily for verifying that file data has not
been changed during a data copy, when done in non-blocking mode.
.TP
+.B flushctx
+See lfs-flushctx(1).
+.TP
.B osts
.RB [ path ]
List all the OSTs for all mounted filesystems. If a \fBpath\fR is provided
.SH NOTES
The usage of \fBlfs find\fR, \fBlfs getstripe\fR, \fBlfs hsm_*\fR,
\fBlfs setstripe\fR, \fBlfs migrate\fR, \fBlfs getdirstripe\fR,
-\fBlfs setdirstripe\fR, \fBlfs mkdir\fR, and \fBlfs project\fR are explained
-in separate man pages.
+\fBlfs setdirstripe\fR, \fBlfs mkdir\fR, \fBlfs flushctx\fR
+and \fBlfs project\fR are explained in separate man pages.
.SH AUTHOR
The lfs command is part of the Lustre filesystem.
.SH SEE ALSO
.BR lfs-df (1),
.BR lfs-fid2path (1),
.BR lfs-find (1),
+.BR lfs-flushctx (1),
.BR lfs-getdirstripe (1),
.BR lfs-getname (1),
.BR lfs-getstripe (1),
static int sec_install_rctx_kr(struct ptlrpc_sec *sec,
struct ptlrpc_svc_ctx *svc_ctx);
+static void request_key_unlink(struct key *key);
/*
* the timeout is only for the case that upcall child process die abnormally.
*/
static void unbind_ctx_kr(struct ptlrpc_cli_ctx *ctx)
{
- struct key *key = ctx2gctx_keyring(ctx)->gck_key;
+ struct key *key = ctx2gctx_keyring(ctx)->gck_key;
- if (key) {
+ if (key) {
LASSERT(key_get_payload(key, 0) == ctx);
- key_get(key);
- down_write(&key->sem);
- unbind_key_ctx(key, ctx);
- up_write(&key->sem);
- key_put(key);
- }
+ key_get(key);
+ down_write(&key->sem);
+ unbind_key_ctx(key, ctx);
+ up_write(&key->sem);
+ key_put(key);
+ request_key_unlink(key);
+ }
}
/*
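Review bot: In unbind_ctx_kr the new `request_key_unlink(key);` runs after `key_put(key)` has dropped the reference taken by `key_get(key)` a few lines earlier, so this function uses the key pointer without holding a reference of its own. Unless something not visible here (for example the keyring link itself) is guaranteed to keep the key alive, this is a potential use-after-free. Calling the unlink first, `request_key_unlink(key);` then `key_put(key);`, keeps the local reference across the call. Only the prototype of request_key_unlink is in this hunk, so a short comment at the call site saying which keyring the key is unlinked from, and why, would help the next reader.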
" clear the project inherit flag and ID on the file or directory\n"
},
#endif
- {"flushctx", lfs_flushctx, 0, "Flush security context for current user.\n"
- "usage: flushctx [-k] [mountpoint...]"},
+ {"flushctx", lfs_flushctx, 0,
+ "Flush security context for current user.\n"
+ "usage: flushctx [-k] [-r] [mountpoint...]"},
{"changelog", lfs_changelog, 0,
"Show the metadata changes on an MDT."
"\nusage: changelog <mdtname> [startrec [endrec]]"},
static int lfs_flushctx(int argc, char **argv)
{
- int kdestroy = 0, c;
+ int kdestroy = 0, reap = 0, c;
char mntdir[PATH_MAX] = {'\0'};
int index = 0;
int rc = 0;
- while ((c = getopt(argc, argv, "k")) != -1) {
+ while ((c = getopt(argc, argv, "kr")) != -1) {
switch (c) {
case 'k':
kdestroy = 1;
break;
+ case 'r':
+ reap = 1;
+ break;
default:
fprintf(stderr,
"error: %s: option '-%c' unrecognized\n",
rc = -1;
}
}
+
+ if (reap) {
+ rc = system("keyctl reap > /dev/null");
+ if (rc != 0) {
+ rc = WEXITSTATUS(rc);
+ fprintf(stderr, "error reaping keyring: %d\n", rc);
+ }
+ }
+
return rc;
}
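Review bot: The reap block assigns `rc = system(...)` unconditionally, so a failure recorded earlier in lfs_flushctx (the `rc = -1;` visible just above) is overwritten with 0 when keyctl succeeds. A `system()` return of -1, or a shell killed by a signal, is also passed to `WEXITSTATUS()`, where the result is meaningless. Keep the exit status in a separate variable, test `status == -1` and `WIFEXITED(status)` first, and set `rc` only when it is still 0. `system()` also runs the command through `/bin/sh` and resolves `keyctl` from the caller's `PATH`; if lfs can be invoked in a privileged or scripted context, an explicit-argv spawn of a fixed binary path would be more predictable. The start of lfs_flushctx is in an earlier hunk and the flush loop in between is not shown, so the rc flow is inferred from the visible lines.

```c
	if (reap) {
		int status = system("keyctl reap > /dev/null");

		if (status == -1 || !WIFEXITED(status)) {
			/* shell could not be started, or died from a signal */
			fprintf(stderr, "error reaping keyring: cannot run keyctl\n");
			if (rc == 0)
				rc = -1;
		} else if (WEXITSTATUS(status) != 0) {
			fprintf(stderr, "error reaping keyring: %d\n",
				WEXITSTATUS(status));
			if (rc == 0)
				rc = WEXITSTATUS(status);
		}
	}
	/* … unchanged: return rc … */
```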