EX-7331 sec: disable compression for encrypted files
authorSebastien Buisson <sbuisson@ddn.com>
Wed, 18 Oct 2023 15:34:02 +0000 (17:34 +0200)
committerAndreas Dilger <adilger@whamcloud.com>
Fri, 27 Oct 2023 21:47:36 +0000 (21:47 +0000)
When a read-modify-write I/O pattern is carried out on a compressed
file, it has to be handled on the server side.
But because encryption cannot be done on the server side for security
reasons, we are not able to handle that kind of I/O pattern if the file
is both encrypted and compressed.
So just disable compression for all encrypted files.

Fixes: eb70ba19e9 ("EX-7331 sec: add support for encryption plus compression")
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I84881fb1235f015d022751d4cce2d43a7231c2b4
Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/52746
Reviewed-by: Artem Blagodarenko <ablagodarenko@ddn.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
lustre/osc/osc_request.c
lustre/tests/sanity-sec.sh
lustre/utils/liblustreapi_layout.c

index 75a3a36..2cca646 100644 (file)
@@ -1577,12 +1577,26 @@ osc_brw_prep_request(int cmd, struct client_obd *cli, struct obdo *oa,
         if (req == NULL)
                 RETURN(-ENOMEM);
 
-       if (opc == OST_WRITE && inode && IS_ENCRYPTED(inode) &&
-           llcrypt_has_encryption_key(inode)) {
-               struct osc_async_page *oap = brw_page2oap(pga[page_count - 1]);
+       if (opc == OST_WRITE && inode && IS_ENCRYPTED(inode)) {
+               if (compressed) {
+                       static time64_t next_print;
+
+                       if (unlikely(next_print < ktime_get_seconds())) {
+                               next_print = ktime_get_seconds() + 24 * 3600;
+                               CWARN("%s: encrypted file "DFID" will not be compressed\n",
+                                     obd_name, oa->o_parent_seq,
+                                     oa->o_parent_oid,
+                                     oa->o_parent_ver);
+                       }
+                       compressed = 0;
+               }
+               if (llcrypt_has_encryption_key(inode)) {
+                       struct osc_async_page *oap;
 
-               oa->o_size = oap->oap_count + oap->oap_obj_off +
-                       oap->oap_page_off;
+                       oap = brw_page2oap(pga[page_count - 1]);
+                       oa->o_size = oap->oap_count + oap->oap_obj_off +
+                               oap->oap_page_off;
+               }
        }
 
        if (compressed && !page_access_allowed)
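Review bot: The once-per-day limiter in the new `if (compressed)` branch is a single function-scope `static time64_t next_print`, so it is shared by every caller on the client. Only the first encrypted file hit in each 24-hour window is named, and every other file whose compression is dropped gets no log line. As this is the only signal visible here that a compression layout is being ignored for encrypted data, the message should not read like a per-file report: something like `CWARN("%s: compression is disabled for encrypted files, e.g. "DFID"\n", ...)` with a comment `/* global rate limit: one example FID per day, not one line per file */` would make that clear. `next_print` is also read and written without any visible synchronisation, so concurrent callers may each print once; that looks harmless but deserves a word in the same comment. osc_brw_prep_request starts and ends outside this hunk, so whether `compressed` was already acted on before it is cleared cannot be checked from here.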
index c26e8f9..96f06e2 100755 (executable)
@@ -15,9 +15,7 @@ init_test_env $@
 init_logging
 
 ALWAYS_EXCEPT="$SANITY_SEC_EXCEPT "
-# bug number for skipped test:
-ALWAYS_EXCEPT+=" "
-# UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
+always_except EX-7601  66
 
 [ "$SLOW" = "no" ] && EXCEPT_SLOW="26"
 
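Review bot: `always_except EX-7601  66` drops test 66 from the security suite, but neither this line nor the commit description says what the test covers or why this change makes it fail. Presumably it is the encryption-plus-compression test added by the commit named in `Fixes:`; if so, say it in a comment such as `# test_66 relies on compressing encrypted files, which is now disabled (EX-7601)`. No test visible here checks the new behaviour, namely that a write to an encrypted file with a compression layout is sent uncompressed and reads back intact. A check of that kind would keep the guarantee from regressing silently.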
index 5580850..77f066d 100644 (file)
@@ -1593,7 +1593,7 @@ int llapi_layout_compress_set(struct llapi_layout *layout,
 
        if (getenv("LFS_SETSTRIPE_COMPR_OK") == NULL) {
                fprintf(stderr,
-                       "WARNING: File compression is a technology preview feature and is not yet intended for production use.\n");
+                       "WARNING: File compression is a technology preview feature and is not yet intended for production use. Compression is skipped for encrypted files.\n");
        }
 
        for (i = 0; i < ARRAY_SIZE(compr_type_table); i++) {
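Review bot: The sentence about encrypted files is appended to the preview warning, which is printed only when `LFS_SETSTRIPE_COMPR_OK` is unset, so a user who set that variable to silence the preview notice never learns that compression is skipped for encrypted files. The preview notice is meant to be dismissible, while the encryption restriction is a standing behaviour that affects what a requested layout actually does. Consider keeping the two apart, for example a separate `fprintf(stderr, "NOTE: compression is skipped for encrypted files.\n");` outside the `getenv()` check, or at least a comment `/* the encryption caveat is hidden along with the preview warning */` if that is intended. llapi_layout_compress_set begins and continues outside this hunk.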