LU-17609 sec: nodemap readonly_mount for remount

The readonly_mount property on nodemaps forces read-only mount from
clients. Clients trying rw remount (via mount -o remount,rw) should
also be forced to read-only.

Also improve sanity-sec test_61 to exercise client remount.

Lustre-change: https://review.whamcloud.com/54282
Lustre-commit: 27cf3e0ac8576841106b3fcbd58fd5d7d419197d

Fixes: e7ce67de92 ("LU-15451 sec: read-only nodemap flag")
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I61f8141001d2ff9e832e5c93d8f5997479af98a6
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Arshad Hussain <arshad.hussain@aeoncomputing.com>
Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/54561
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>

diff --git a/lustre/mdt/mdt_handler.c b/lustre/mdt/mdt_handler.c
index 6c4f620..c4a9145 100644 (file)
--- a/lustre/mdt/mdt_handler.c
+++ b/lustre/mdt/mdt_handler.c
@@ -2758,6 +2758,22 @@ static int mdt_set_info(struct tgt_session_info *tsi)
 
        /* Swab any part of val you need to here */
        if (KEY_IS(KEY_READ_ONLY)) {
+               /* If client wants rw, make sure nodemap does not enforce ro. */
+               if (!*(__u32 *)val) {
+                       struct lu_nodemap *nm = NULL;
+                       bool readonly = false;
+
+                       if (req->rq_export)
+                               nm = nodemap_get_from_exp(req->rq_export);
+
+                       if (!IS_ERR_OR_NULL(nm)) {
+                               readonly = nm->nmf_readonly_mount;
+                               nodemap_putref(nm);
+                       }
+
+                       if (unlikely(readonly))
+                               RETURN(-EROFS);
+               }
                spin_lock(&req->rq_export->exp_lock);
                if (*(__u32 *)val)
                        *exp_connect_flags_ptr(req->rq_export) |=

diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh
index 15844ba..cae6c61 100755 (executable)
--- a/lustre/tests/sanity-sec.sh
+++ b/lustre/tests/sanity-sec.sh
@@ -5460,13 +5460,17 @@ test_61() {
        do_facet mgs $LCTL nodemap_modify --name c0 \
                --property readonly_mount --value 1
        wait_nm_sync c0 readonly_mount
+
+       # mount without option should turn into ro
        zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS} ||
-               error "mount failed"
+               error "mount failed (1)"
        findmnt $MOUNT --output=options -n -f | grep -q "ro," ||
                error "mount should have been turned into ro"
        cat $testfile || error "read $testfile failed (1)"
        echo b > $testfile && error "write $testfile should fail (1)"
        umount_client $MOUNT || error "umount $MOUNT failed (3)"
+
+       # mount rw should turn into ro
        zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},rw ||
                error "mount '-o rw' failed"
        findmnt $MOUNT --output=options -n -f | grep -q "ro," ||
@@ -5474,12 +5478,24 @@ test_61() {
        cat $testfile || error "read $testfile failed (2)"
        echo b > $testfile && error "write $testfile should fail (2)"
        umount_client $MOUNT || error "umount $MOUNT failed (4)"
+
+       # mount ro should work as expected
        zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},ro ||
                error "mount '-o ro' failed"
        wait_ssk
        cat $testfile || error "read $testfile failed (3)"
        echo b > $testfile && error "write $testfile should fail (3)"
        umount_client $MOUNT || error "umount $MOUNT failed (5)"
+
+       # remount rw should not work
+       zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS} ||
+               error "mount failed (2)"
+       mount_client $MOUNT remount,rw || error "remount failed"
+       findmnt $MOUNT --output=options -n -f | grep -q "ro," ||
+               error "remount rw should have been turned into ro"
+       cat $testfile || error "read $testfile failed (4)"
+       echo b > $testfile && error "write $testfile should fail (4)"
+       umount_client $MOUNT || error "umount $MOUNT failed (6)"
 }
 run_test 61 "Nodemap enforces read-only mount"