From 8cffc4a0255d007d358e7e1ed843bacb4d9c7f7c Mon Sep 17 00:00:00 2001 From: Andrew Korty Date: Mon, 9 Dec 2013 15:14:51 -0800 Subject: [PATCH] LU-4371 gss: Generalize testing of GSSAPI code Rename sanity-gss.sh to sanity-krb5.sh and make sanity-gss.sh a mechanism-agnostic test suite for just the GSSAPI code itself using the gssnull security flavor, which in turn uses the null GSSAPI mechanism. Test-Parameters: testlist=sanity-gss Signed-off-by: Andrew Korty Change-Id: I149ce66c4b044e20b9e8e1b93058ec4f62aba881 Reviewed-on: http://review.whamcloud.com/8525 Reviewed-by: Andreas Dilger Tested-by: Jenkins Reviewed-by: Jian Yu Tested-by: Maloo --- lustre/tests/Makefile.am | 3 +- lustre/tests/sanity-gss.sh | 445 ++++++----------------- lustre/tests/sanity-krb5.sh | 794 +++++++++++++++++++++++++++++++++++++++++ lustre/tests/test-framework.sh | 5 +- 4 files changed, 917 insertions(+), 330 deletions(-) mode change 100644 => 100755 lustre/tests/sanity-gss.sh create mode 100755 lustre/tests/sanity-krb5.sh mode change 100644 => 100755 lustre/tests/test-framework.sh diff --git a/lustre/tests/Makefile.am b/lustre/tests/Makefile.am index 27f6e62..909894b 100644 --- a/lustre/tests/Makefile.am +++ b/lustre/tests/Makefile.am @@ -24,7 +24,8 @@ noinst_SCRIPTS += mdsrate-create-large.sh mdsrate-lookup-1dir.sh noinst_SCRIPTS += mdsrate-lookup-10dirs.sh sanity-benchmark.sh noinst_SCRIPTS += mdsrate-stat-small.sh mdsrate-stat-large.sh noinst_SCRIPTS += lockorder.sh socketclient socketserver runmultiop_bg_pause -noinst_SCRIPTS += sanity-sec.sh sanity-gss.sh krb5_login.sh setup_kerberos.sh +noinst_SCRIPTS += sanity-sec.sh sanity-gss.sh +noinst_SCRIPTS += sanity-krb5.sh krb5_login.sh setup_kerberos.sh noinst_SCRIPTS += recovery-mds-scale.sh run_dd.sh run_tar.sh run_iozone.sh noinst_SCRIPTS += run_dbench.sh run_IOR.sh recovery-double-scale.sh noinst_SCRIPTS += recovery-random-scale.sh parallel-scale.sh metadata-updates.sh diff --git a/lustre/tests/sanity-gss.sh b/lustre/tests/sanity-gss.sh old mode 100644 new mode 100755 index 8b695b6..541eeac --- a/lustre/tests/sanity-gss.sh +++ b/lustre/tests/sanity-gss.sh @@ -12,15 +12,9 @@ ALWAYS_EXCEPT=${ALWAYS_EXCEPT:-"$SANITY_GSS_EXCEPT"} # UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT! SRCDIR=`dirname $0` -export PATH=$PWD/$SRCDIR:$SRCDIR:$SRCDIR/../utils:$SRCDIR/../utils/gss:$PATH:/sbin -export NAME=${NAME:-local} -SAVE_PWD=$PWD export MULTIOP=${MULTIOP:-multiop} -CLEANUP=${CLEANUP:-""} -SETUP=${SETUP:-""} - LUSTRE=${LUSTRE:-`dirname $0`/..} . $LUSTRE/tests/test-framework.sh init_test_env $@ @@ -40,26 +34,10 @@ unset SEC # # global variables of this sanity # -KRB5_CCACHE_DIR=/tmp -KRB5_CRED=$KRB5_CCACHE_DIR/krb5cc_$RUNAS_ID -KRB5_CRED_SAVE=$KRB5_CCACHE_DIR/krb5cc.sanity.save DBENCH_PID=0 # set manually GSS=true -GSS_KRB5=true - -prepare_krb5_creds() { - echo prepare krb5 cred - rm -f $KRB5_CRED_SAVE - echo RUNAS=$RUNAS - $RUNAS krb5_login.sh || exit 1 - [ -f $KRB5_CRED ] || exit 2 - echo CRED=$KRB5_CRED - cp $KRB5_CRED $KRB5_CRED_SAVE -} - -prepare_krb5_creds # we want double mount MOUNT_2=${MOUNT_2:-"yes"} @@ -121,85 +99,22 @@ stop_dbench() sync || true } -restore_krb5_cred() { - cp $KRB5_CRED_SAVE $KRB5_CRED - chown $RUNAS_ID:$RUNAS_ID $KRB5_CRED - chmod 0600 $KRB5_CRED -} - -check_multiple_gss_daemons() { - local facet=$1 - local gssd=$2 - local gssd_name=`basename $gssd` - - for ((i=0;i<10;i++)); do - do_facet $facet "$gssd -v &" - done - - # wait daemons entering "stable" status - sleep 5 - - num=`do_facet $facet ps -o cmd -C $gssd_name | grep $gssd_name | wc -l` - echo "$num instance(s) of $gssd_name are running" - - if [ $num -ne 1 ]; then - error "$gssd_name not unique" - fi -} - calc_connection_cnt umask 077 -test_0() { - local my_facet=mds - - echo "bring up gss daemons..." - start_gss_daemons - - echo "check with someone already running..." - check_multiple_gss_daemons $my_facet $LSVCGSSD - if $GSS_PIPEFS; then - check_multiple_gss_daemons $my_facet $LGSSD - fi - - echo "check with someone run & finished..." - do_facet $my_facet killall -q -2 lgssd lsvcgssd || true - sleep 5 # wait fully exit - check_multiple_gss_daemons $my_facet $LSVCGSSD - if $GSS_PIPEFS; then - check_multiple_gss_daemons $my_facet $LGSSD - fi - - echo "check refresh..." - do_facet $my_facet killall -q -2 lgssd lsvcgssd || true - sleep 5 # wait fully exit - do_facet $my_facet ipcrm -S 0x3b92d473 - check_multiple_gss_daemons $my_facet $LSVCGSSD - if $GSS_PIPEFS; then - do_facet $my_facet ipcrm -S 0x3a92d473 - check_multiple_gss_daemons $my_facet $LGSSD - fi -} -run_test 0 "start multiple gss daemons" - -set_flavor_all krb5p +set_flavor_all gssnull test_1() { - local file=$DIR/$tfile - - chmod 0777 $DIR || error "chmod $DIR failed" - $RUNAS touch $DIR - # access w/o cred - $RUNAS kdestroy - $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" - $RUNAS touch $file && error "unexpected success" - - # access w/ cred - restore_krb5_cred - $RUNAS touch $file || error "should not fail" - [ -f $file ] || error "$file not found" + local file=$DIR/$tfile + + chmod 0777 $DIR || error "chmod $DIR failed" + # access w/o context + $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" + $RUNAS touch $DIR + $RUNAS touch $file || error "should not fail" + [ -f $file ] || error "$file not found" } -run_test 1 "access with or without krb5 credential" +run_test 1 "create file" test_2() { local file1=$DIR/$tfile-1 @@ -210,15 +125,9 @@ test_2() { $RUNAS touch $file1 || error "can't touch $file1" [ -f $file1 ] || error "$file1 not found" - # cleanup all cred/ctx and touch - $RUNAS kdestroy - $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" - $RUNAS touch $file2 && error "unexpected success" - - # restore and touch - restore_krb5_cred - $RUNAS touch $file2 || error "should not fail" - [ -f $file2 ] || error "$file2 not found" + # cleanup all cred/ctx and touch + $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" + $RUNAS touch $file2 && error "unexpected success" } run_test 2 "lfs flushctx" @@ -241,97 +150,15 @@ test_3() { # cleanup all cred/ctx and check # metadata check should fail, but file data check should success # because we always use root credential to OSTs - $RUNAS kdestroy $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" echo "destroied credentials/contexs for $RUNAS_ID" $RUNAS $CHECKSTAT -p 0666 $file && error "checkstat succeed" kill -s 10 $OPPID wait $OPPID || error "read file data failed" echo "read file data OK" - - # restore and check again - restore_krb5_cred - echo "restored credentials for $RUNAS_ID" - $RUNAS $CHECKSTAT -p 0666 $file || error "$RUNAS_ID checkstat (2) error" - echo "$RUNAS_ID checkstat OK" - $CHECKSTAT -p 0666 $file || error "$UID checkstat (2) error" - echo "$UID checkstat OK" - $RUNAS cat $file > /dev/null || error "$RUNAS_ID cat (2) error" - echo "$RUNAS_ID read file data OK" } run_test 3 "local cache under DLM lock" -test_4() { - local file1=$DIR/$tfile-1 - local file2=$DIR/$tfile-2 - - ! $GSS_PIPEFS && skip "pipefs not used" && return - - chmod 0777 $DIR || error "chmod $DIR failed" - # current access should be ok - $RUNAS touch $file1 || error "can't touch $file1" - [ -f $file1 ] || error "$file1 not found" - - # stop lgssd - send_sigint client lgssd - sleep 5 - check_gss_daemon_facet client lgssd && error "lgssd still running" - - # flush context, and touch - $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" - $RUNAS touch $file2 & - TOUCHPID=$! - echo "waiting touch pid $TOUCHPID" - wait $TOUCHPID && error "touch should fail" - - # restart lgssd - do_facet client "$LGSSD -v" - sleep 5 - check_gss_daemon_facet client lgssd - - # touch new should succeed - $RUNAS touch $file2 || error "can't touch $file2" - [ -f $file2 ] || error "$file2 not found" -} -run_test 4 "lgssd dead, operations should wait timeout and fail" - -test_5() { - local file1=$DIR/$tfile-1 - local file2=$DIR/$tfile-2 - local wait_time=$((TIMEOUT + TIMEOUT / 2)) - - chmod 0777 $DIR || error "chmod $DIR failed" - # current access should be ok - $RUNAS touch $file1 || error "can't touch $file1" - [ -f $file1 ] || error "$file1 not found" - - # stop lsvcgssd - send_sigint $(comma_list $(mdts_nodes)) lsvcgssd - sleep 5 - check_gss_daemon_nodes $(comma_list $(mdts_nodes)) lsvcgssd && error "lsvcgssd still running" - - # flush context, and touch - $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" - $RUNAS touch $file2 & - TOUCHPID=$! - - # wait certain time - echo "waiting $wait_time seconds for touch pid $TOUCHPID" - sleep $wait_time - num=`ps --no-headers -p $TOUCHPID | wc -l` - [ $num -eq 1 ] || error "touch already ended ($num)" - echo "process $TOUCHPID still hanging there... OK" - - # restart lsvcgssd, expect touch suceed - echo "restart lsvcgssd and recovering" - start_gss_daemons $(comma_list $(mdts_nodes)) "$LSVCGSSD -v" - sleep 5 - check_gss_daemon_nodes $(comma_list $(mdts_nodes)) lsvcgssd - wait $TOUCHPID || error "touch fail" - [ -f $file2 ] || error "$file2 not found" -} -run_test 5 "lsvcgssd dead, operations lead to recovery" - test_6() { local nfile=10 @@ -435,8 +262,8 @@ test_90() { fi restore_to_default_flavor - set_rule $FSNAME any any krb5p - wait_flavor all2all krb5p + set_rule $FSNAME any any gssnull + wait_flavor all2all gssnull start_dbench @@ -466,7 +293,7 @@ test_99() { echo "original general rules: $nrule_old" for ((i = $nrule_old; i < $max; i++)); do - set_rule $FSNAME elan$i any krb5n || error "set rule $i" + set_rule $FSNAME elan$i any gssnull || error "set rule $i" done for ((i = $nrule_old; i < $max; i++)); do set_rule $FSNAME elan$i any || error "remove rule $i" @@ -477,26 +304,6 @@ test_99() { if [ $nrule_new != $nrule_old ]; then error "general rule: $nrule_new != $nrule_old" fi - - # - # target-specific rules - # - nrule_old=`do_facet mgs lctl get_param -n mgs.MGS.live.$FSNAME 2>/dev/null \ - | grep "$FSNAME-MDT0000.srpc.flavor." | wc -l` - echo "original target rules: $nrule_old" - - for ((i = $nrule_old; i < $max; i++)); do - set_rule $FSNAME-MDT0000 elan$i any krb5i || error "set rule $i" - done - for ((i = $nrule_old; i < $max; i++)); do - set_rule $FSNAME-MDT0000 elan$i any || error "remove rule $i" - done - - nrule_new=`do_facet mgs lctl get_param -n mgs.MGS.live.$FSNAME 2>/dev/null \ - | grep "$FSNAME-MDT0000.srpc.flavor." | wc -l` - if [ $nrule_new != $nrule_old ]; then - error "general rule: $nrule_new != $nrule_old" - fi } run_test 99 "set large number of sptlrpc rules" @@ -511,96 +318,86 @@ error_dbench() } test_100() { - # started from default flavors - restore_to_default_flavor - - # running dbench background - start_dbench + # started from default flavors + restore_to_default_flavor - # - # all: null -> krb5n -> krb5a -> krb5i -> krb5p -> plain - # - set_rule $FSNAME any any krb5n - wait_flavor all2all krb5n || error_dbench "1" - check_dbench + # running dbench background + start_dbench - set_rule $FSNAME any any krb5a - wait_flavor all2all krb5a || error_dbench "2" - check_dbench + # + # all: null -> gssnull -> plain + # + set_rule $FSNAME any any gssnull + wait_flavor all2all gssnull || error_dbench "1" + check_dbench - set_rule $FSNAME any any krb5i - wait_flavor all2all krb5i || error_dbench "3" - check_dbench + set_rule $FSNAME any any plain + wait_flavor all2all plain || error_dbench "2" + check_dbench - set_rule $FSNAME any any krb5p - wait_flavor all2all krb5p || error_dbench "4" - check_dbench + # + # M - M: gssnull + # C - M: gssnull + # M - O: gssnull + # C - O: gssnull + # + set_rule $FSNAME any mdt2mdt gssnull + wait_flavor mdt2mdt gssnull || error_dbench "3" + check_dbench - set_rule $FSNAME any any plain - wait_flavor all2all plain || error_dbench "5" - check_dbench + set_rule $FSNAME any cli2mdt gssnull + wait_flavor cli2mdt gssnull || error_dbench "4" + check_dbench - # - # M - M: krb5a - # C - M: krb5i - # M - O: krb5p - # C - O: krb5n - # - set_rule $FSNAME any mdt2mdt krb5a - wait_flavor mdt2mdt krb5a || error_dbench "6" - check_dbench + set_rule $FSNAME any mdt2ost gssnull + wait_flavor mdt2ost gssnull || error_dbench "5" + check_dbench - set_rule $FSNAME any cli2mdt krb5i - wait_flavor cli2mdt krb5i || error_dbench "7" - check_dbench + set_rule $FSNAME any cli2ost gssnull + wait_flavor cli2ost gssnull || error_dbench "6" + check_dbench - set_rule $FSNAME any mdt2ost krb5p - wait_flavor mdt2ost krb5p || error_dbench "8" - check_dbench - - set_rule $FSNAME any cli2ost krb5n - wait_flavor cli2ost krb5n || error_dbench "9" - check_dbench - - # - # * - MDT0: krb5p - # * - OST0: krb5i - # - # nothing should be changed because they are override by above dir rules - # - set_rule $FSNAME-MDT0000 any any krb5p - set_rule $FSNAME-OST0000 any any krb5i - wait_flavor mdt2mdt krb5a || error_dbench "10" - wait_flavor cli2mdt krb5i || error_dbench "11" - check_dbench - wait_flavor mdt2ost krb5p || error_dbench "12" - wait_flavor cli2ost krb5n || error_dbench "13" + # + # * - MDT0: plain + # * - OST0: plain + # + # nothing should be changed because they are override by above dir rules + # + set_rule $FSNAME-MDT0000 any any plain + set_rule $FSNAME-OST0000 any any plain + wait_flavor mdt2mdt gssnull || error_dbench "7" + wait_flavor cli2mdt gssnull || error_dbench "8" + check_dbench + wait_flavor mdt2ost gssnull || error_dbench "9" + wait_flavor cli2ost gssnull || error_dbench "10" - # - # delete all dir-specific rules - # - set_rule $FSNAME any mdt2mdt - set_rule $FSNAME any cli2mdt - set_rule $FSNAME any mdt2ost - set_rule $FSNAME any cli2ost - wait_flavor mdt2mdt krb5p $((MDSCOUNT - 1)) || error_dbench "14" - wait_flavor cli2mdt krb5p $(get_clients_mount_count) || error_dbench "15" - check_dbench - wait_flavor mdt2ost krb5i $MDSCOUNT || error_dbench "16" - wait_flavor cli2ost krb5i $(get_clients_mount_count) || error_dbench "17" - check_dbench + # + # delete all dir-specific rules + # + set_rule $FSNAME any mdt2mdt + set_rule $FSNAME any cli2mdt + set_rule $FSNAME any mdt2ost + set_rule $FSNAME any cli2ost + wait_flavor mdt2mdt gssnull $((MDSCOUNT - 1)) || error_dbench "11" + wait_flavor cli2mdt gssnull $(get_clients_mount_count) || + error_dbench "12" + check_dbench + wait_flavor mdt2ost gssnull $MDSCOUNT || error_dbench "13" + wait_flavor cli2ost gssnull $(get_clients_mount_count) || + error_dbench "14" + check_dbench - # - # remove: - # * - MDT0: krb5p - # * - OST0: krb5i - # - set_rule $FSNAME-MDT0000 any any - set_rule $FSNAME-OST0000 any any || error_dbench "18" - wait_flavor all2all plain || error_dbench "19" - check_dbench + # + # remove: + # * - MDT0: gssnull + # * - OST0: gssnull + # + set_rule $FSNAME-MDT0000 any any + set_rule $FSNAME-OST0000 any any || error_dbench "15" + wait_flavor all2all plain || error_dbench "16" + check_dbench - stop_dbench + stop_dbench } run_test 100 "change security flavor on the fly under load" @@ -648,19 +445,15 @@ switch_sec_test() test_101() { - # started from default flavors - restore_to_default_flavor - - switch_sec_test null plain - switch_sec_test plain krb5n - switch_sec_test krb5n krb5a - switch_sec_test krb5a krb5i - switch_sec_test krb5i krb5p - switch_sec_test krb5p null - switch_sec_test null krb5p - switch_sec_test krb5p krb5i - switch_sec_test krb5i plain - switch_sec_test plain krb5p + # started from default flavors + restore_to_default_flavor + + switch_sec_test null plain + switch_sec_test plain gssnull + switch_sec_test gssnull null + switch_sec_test null gssnull + switch_sec_test gssnull plain + switch_sec_test plain gssnull } run_test 101 "switch ctx/sec for resending request" @@ -681,13 +474,10 @@ test_102() { # run dbench background start_dbench - echo "Testing null->krb5n->krb5a->krb5i->krb5p->plain->null" - set_rule $FSNAME any any krb5n - set_rule $FSNAME any any krb5a - set_rule $FSNAME any any krb5i - set_rule $FSNAME any any krb5p - set_rule $FSNAME any any plain - set_rule $FSNAME any any null + echo "Testing null->gssnull->plain->null" + set_rule $FSNAME any any gssnull + set_rule $FSNAME any any plain + set_rule $FSNAME any any null check_dbench wait_flavor all2all null || error_dbench "1" @@ -697,16 +487,16 @@ test_102() { sleep 15 check_dbench - echo "Testing null->krb5i->null->krb5i->null..." - for ((i=0; i<10; i++)); do - set_rule $FSNAME any any krb5i - set_rule $FSNAME any any null - done - set_rule $FSNAME any any krb5i + echo "Testing null->gssnull->null->gssnull->null..." + for ((i=0; i<10; i++)); do + set_rule $FSNAME any any gssnull + set_rule $FSNAME any any null + done + set_rule $FSNAME any any gssnull - check_dbench - wait_flavor all2all krb5i || error_dbench "2" - check_dbench + check_dbench + wait_flavor all2all gssnull || error_dbench "2" + check_dbench echo "waiting for 15s and check again" sleep 15 @@ -735,9 +525,9 @@ test_150() { # mount client with conflict flavor - should fail save_opts=$MOUNTOPT - MOUNTOPT="$MOUNTOPT,mgssec=krb5p" - zconf_mount_clients $clients $MOUNT && \ - error "mount with conflict flavor should have failed" + MOUNTOPT="$MOUNTOPT,mgssec=gssnull" + zconf_mount_clients $clients $MOUNT && + error "mount with conflict flavor should have failed" MOUNTOPT=$save_opts # mount client with same flavor - should succeed @@ -755,10 +545,10 @@ test_150() { run_test 150 "secure mgs connection: client flavor setting" test_151() { - local save_opts + local save_opts - # set mgs only accept krb5p - set_rule _mgs any any krb5p + # set mgs only accept gssnull + set_rule _mgs any any gssnull # umount everything, modules still loaded stopall @@ -776,11 +566,12 @@ test_151() { # mount with designated flavor should succeed save_opts=$MDS_MOUNT_OPTS - MDS_MOUNT_OPTS="$MDS_MOUNT_OPTS,mgssec=krb5p" - start mds1 $DEVNAME $MDS_MOUNT_OPTS || error "mount with designated flavor should have succeeded" - MDS_MOUNT_OPTS=$save_opts + MDS_MOUNT_OPTS="$MDS_MOUNT_OPTS,mgssec=gssnull" + start mds1 $DEVNAME $MDS_MOUNT_OPTS || + error "mount with designated flavor should have succeeded" + MDS_MOUNT_OPTS=$save_opts - stop mds1 -f + stop mds1 -f } run_test 151 "secure mgs connection: server flavor control" diff --git a/lustre/tests/sanity-krb5.sh b/lustre/tests/sanity-krb5.sh new file mode 100755 index 0000000..6d3ba8e --- /dev/null +++ b/lustre/tests/sanity-krb5.sh @@ -0,0 +1,794 @@ +#!/bin/bash +# +# Run select tests by setting ONLY, or as arguments to the script. +# Skip specific tests by setting EXCEPT. +# +# e.g. ONLY="22 23" or ONLY="`seq 32 39`" or EXCEPT="31" +set -e + +ONLY=${ONLY:-"$*"} +# bug number for skipped test: +ALWAYS_EXCEPT=${ALWAYS_EXCEPT:-"$SANITY_GSS_EXCEPT"} +# UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT! + +SRCDIR=$(dirname $0) +SAVE_PWD=$PWD + +export MULTIOP=${MULTIOP:-multiop} + +LUSTRE=${LUSTRE:-$(dirname $0)/..} +. $LUSTRE/tests/test-framework.sh +init_test_env $@ +. ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh} +init_logging + +require_dsh_mds || exit 0 + +[ "$SLOW" = "no" ] && EXCEPT_SLOW="100 101" + +# $RUNAS_ID may get set incorrectly somewhere else +[ $UID -eq 0 -a $RUNAS_ID -eq 0 ] && + error "RUNAS_ID set to 0, but UID is also 0!" + +# remove $SEC, we'd like to control everything by ourselves +unset SEC + +# +# global variables of this sanity +# +KRB5_CCACHE_DIR=/tmp +KRB5_CRED=$KRB5_CCACHE_DIR/krb5cc_$RUNAS_ID +KRB5_CRED_SAVE=$KRB5_CCACHE_DIR/krb5cc.sanity.save +DBENCH_PID=0 + +# set manually +GSS=true +GSS_KRB5=true + +prepare_krb5_creds() { + echo prepare krb5 cred + rm -f $KRB5_CRED_SAVE + echo RUNAS=$RUNAS + $RUNAS krb5_login.sh || exit 1 + [ -f $KRB5_CRED ] || exit 2 + echo CRED=$KRB5_CRED + cp $KRB5_CRED $KRB5_CRED_SAVE +} + +prepare_krb5_creds + +# we want double mount +MOUNT_2=${MOUNT_2:-"yes"} +check_and_setup_lustre + +rm -rf $DIR/[df][0-9]* + +check_runas_id $RUNAS_ID $RUNAS_ID $RUNAS + +build_test_filter + +start_dbench() +{ + local NPROC=$(grep -c ^processor /proc/cpuinfo) + [ $NPROC -gt 2 ] && NPROC=2 + sh rundbench $NPROC 1>/dev/null & + DBENCH_PID=$! + sleep 2 + + num=$(ps --no-headers -p $DBENCH_PID 2>/dev/null | wc -l) + if [ $num -ne 1 ]; then + error "failed to start dbench $NPROC" + else + echo "started dbench with $NPROC processes at background" + fi + + return 0 +} + +check_dbench() +{ + num=$(ps --no-headers -p $DBENCH_PID 2>/dev/null | wc -l) + if [ $num -eq 0 ]; then + echo "dbench $DBENCH_PID already finished" + wait $DBENCH_PID || error "dbench $PID exit with error" + start_dbench + elif [ $num -ne 1 ]; then + killall -9 dbench + error "found $num instance of pid $DBENCH_PID ???" + fi + + return 0 +} + +stop_dbench() +{ + for ((;;)); do + killall dbench 2>/dev/null + local num=$(ps --no-headers -p $DBENCH_PID | wc -l) + if [ $num -eq 0 ]; then + echo "dbench finished" + break + fi + echo "dbench $DBENCH_PID is still running, waiting 2s..." + sleep 2 + done + + wait $DBENCH_PID || true + sync || true +} + +restore_krb5_cred() { + cp $KRB5_CRED_SAVE $KRB5_CRED + chown $RUNAS_ID:$RUNAS_ID $KRB5_CRED + chmod 0600 $KRB5_CRED +} + +check_multiple_gss_daemons() { + local facet=$1 + local gssd=$2 + local gssd_name=$(basename $gssd) + + for ((i = 0; i < 10; i++)); do + do_facet $facet "$gssd -v &" + done + + # wait daemons entering "stable" status + sleep 5 + + local num=$(do_facet $facet ps -o cmd -C $gssd_name | + grep -c $gssd_name) + echo "$num instance(s) of $gssd_name are running" + + if [ $num -ne 1 ]; then + error "$gssd_name not unique" + fi +} + +calc_connection_cnt +umask 077 + +test_0() { + local my_facet=mds + + echo "bring up gss daemons..." + start_gss_daemons + + echo "check with someone already running..." + check_multiple_gss_daemons $my_facet $LSVCGSSD + if $GSS_PIPEFS; then + check_multiple_gss_daemons $my_facet $LGSSD + fi + + echo "check with someone run & finished..." + do_facet $my_facet killall -q -2 lgssd lsvcgssd || true + sleep 5 # wait fully exit + check_multiple_gss_daemons $my_facet $LSVCGSSD + if $GSS_PIPEFS; then + check_multiple_gss_daemons $my_facet $LGSSD + fi + + echo "check refresh..." + do_facet $my_facet killall -q -2 lgssd lsvcgssd || true + sleep 5 # wait fully exit + do_facet $my_facet ipcrm -S 0x3b92d473 + check_multiple_gss_daemons $my_facet $LSVCGSSD + if $GSS_PIPEFS; then + do_facet $my_facet ipcrm -S 0x3a92d473 + check_multiple_gss_daemons $my_facet $LGSSD + fi +} +run_test 0 "start multiple gss daemons" + +set_flavor_all krb5p + +test_1() { + local file=$DIR/$tfile + + chmod 0777 $DIR || error "chmod $DIR failed" + $RUNAS touch $DIR + # access w/o cred + $RUNAS kdestroy + $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" + $RUNAS touch $file && error "unexpected success" + + # access w/ cred + restore_krb5_cred + $RUNAS touch $file || error "should not fail" + [ -f $file ] || error "$file not found" +} +run_test 1 "access with or without krb5 credential" + +test_2() { + local file1=$DIR/$tfile-1 + local file2=$DIR/$tfile-2 + + chmod 0777 $DIR || error "chmod $DIR failed" + # current access should be ok + $RUNAS touch $file1 || error "can't touch $file1" + [ -f $file1 ] || error "$file1 not found" + + # cleanup all cred/ctx and touch + $RUNAS kdestroy + $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" + $RUNAS touch $file2 && error "unexpected success" + + # restore and touch + restore_krb5_cred + $RUNAS touch $file2 || error "should not fail" + [ -f $file2 ] || error "$file2 not found" +} +run_test 2 "lfs flushctx" + +test_3() { + local file=$DIR/$tfile + + # create file + echo "aaaaaaaaaaaaaaaaa" > $file + chmod 0666 $file + $CHECKSTAT -p 0666 $file || error "$UID checkstat error" + $RUNAS $CHECKSTAT -p 0666 $file || error "$RUNAS_ID checkstat error" + $RUNAS cat $file > /dev/null || error "$RUNAS_ID cat error" + + # start multiop + $RUNAS $MULTIOP $file o_r & + OPPID=$! + # wait multiop finish its open() + sleep 1 + + # cleanup all cred/ctx and check + # metadata check should fail, but file data check should success + # because we always use root credential to OSTs + $RUNAS kdestroy + $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" + echo "destroyed credentials/contexs for $RUNAS_ID" + $RUNAS $CHECKSTAT -p 0666 $file && error "checkstat succeed" + kill -s 10 $OPPID + wait $OPPID || error "read file data failed" + echo "read file data OK" + + # restore and check again + restore_krb5_cred + echo "restored credentials for $RUNAS_ID" + $RUNAS $CHECKSTAT -p 0666 $file || error "$RUNAS_ID checkstat (2) error" + echo "$RUNAS_ID checkstat OK" + $CHECKSTAT -p 0666 $file || error "$UID checkstat (2) error" + echo "$UID checkstat OK" + $RUNAS cat $file > /dev/null || error "$RUNAS_ID cat (2) error" + echo "$RUNAS_ID read file data OK" +} +run_test 3 "local cache under DLM lock" + +test_4() { + local file1=$DIR/$tfile-1 + local file2=$DIR/$tfile-2 + + ! $GSS_PIPEFS && skip "pipefs not used" && return + + chmod 0777 $DIR || error "chmod $DIR failed" + # current access should be ok + $RUNAS touch $file1 || error "can't touch $file1" + [ -f $file1 ] || error "$file1 not found" + + # stop lgssd + send_sigint client lgssd + sleep 5 + check_gss_daemon_facet client lgssd && error "lgssd still running" + + # flush context, and touch + $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" + $RUNAS touch $file2 & + TOUCHPID=$! + echo "waiting touch pid $TOUCHPID" + wait $TOUCHPID && error "touch should fail" + + # restart lgssd + do_facet client "$LGSSD -v" + sleep 5 + check_gss_daemon_facet client lgssd + + # touch new should succeed + $RUNAS touch $file2 || error "can't touch $file2" + [ -f $file2 ] || error "$file2 not found" +} +run_test 4 "lgssd dead, operations should wait timeout and fail" + +test_5() { + local file1=$DIR/$tfile-1 + local file2=$DIR/$tfile-2 + local wait_time=$((TIMEOUT + TIMEOUT / 2)) + + chmod 0777 $DIR || error "chmod $DIR failed" + # current access should be ok + $RUNAS touch $file1 || error "can't touch $file1" + [ -f $file1 ] || error "$file1 not found" + + # stop lsvcgssd + send_sigint $(comma_list $(mdts_nodes)) lsvcgssd + sleep 5 + check_gss_daemon_nodes $(comma_list $(mdts_nodes)) lsvcgssd && + error "lsvcgssd still running" + + # flush context, and touch + $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" + $RUNAS touch $file2 & + TOUCHPID=$! + + # wait certain time + echo "waiting $wait_time seconds for touch pid $TOUCHPID" + sleep $wait_time + num=$(ps --no-headers -p $TOUCHPID | wc -l) + [ $num -eq 1 ] || error "touch already ended ($num)" + echo "process $TOUCHPID still hanging there... OK" + + # restart lsvcgssd, expect touch suceed + echo "restart lsvcgssd and recovering" + start_gss_daemons $(comma_list $(mdts_nodes)) "$LSVCGSSD -v" + sleep 5 + check_gss_daemon_nodes $(comma_list $(mdts_nodes)) lsvcgssd + wait $TOUCHPID || error "touch fail" + [ -f $file2 ] || error "$file2 not found" +} +run_test 5 "lsvcgssd dead, operations lead to recovery" + +test_6() { + local nfile=10 + + mkdir $DIR/d6 || error "mkdir $DIR/d6 failed" + for ((i=0; i<$nfile; i++)); do + dd if=/dev/zero of=$DIR/d6/file$i bs=8k count=1 || + error "dd file$i failed" + done + ls -l $DIR/d6/* > /dev/null || error "ls failed" + rm -rf $DIR2/d6/* || error "rm failed" + rmdir $DIR2/d6/ || error "rmdir failed" +} +run_test 6 "test basic DLM callback works" + +test_7() { + local tdir=$DIR/d7 + local num_osts + + # for open(), client only reserve space for default stripe count lovea, + # and server may return larger lovea in reply (because of larger stripe + # count), client need call enlarge_reqbuf() and save the replied lovea + # in request for future possible replay. + # + # Note: current script does NOT guarantee enlarge_reqbuf() will be in + # the path, however it does work in local test which has 2 OSTs and + # default stripe count is 1. + num_osts=$($LFS getstripe $MOUNT | egrep -c "^[0-9]*:.*ACTIVE") + echo "found $num_osts active OSTs" + [ $num_osts -lt 2 ] && + echo "skipping $TESTNAME (must have >= 2 OSTs)" && return + + mkdir $tdir || error "mkdir $tdir failed" + $LFS setstripe -c $num_osts $tdir || error "setstripe -c $num_osts" + + echo "creating..." + for ((i = 0; i < 20; i++)); do + dd if=/dev/zero of=$tdir/f$i bs=4k count=16 2>/dev/null + done + echo "reading..." + for ((i = 0; i < 20; i++)); do + dd if=$tdir/f$i of=/dev/null bs=4k count=16 2>/dev/null + done + rm -rf $tdir +} +run_test 7 "exercise enlarge_reqbuf()" + +test_8() +{ + local ATHISTORY=$(do_facet $SINGLEMDS "find /sys/ -name at_history") + local ATOLDBASE=$(do_facet $SINGLEMDS "cat $ATHISTORY") + local REQ_DELAY + do_facet $SINGLEMDS "echo 8 >> $ATHISTORY" + + mkdir -p $DIR/d8 + chmod a+w $DIR/d8 + + $LCTL dk > /dev/null + debugsave + sysctl -w lnet.debug="+other" + + # wait for the at estimation come down, this is faster + while [ true ]; do + REQ_DELAY=$(lctl get_param -n \ + mdc.${FSNAME}-MDT0000-mdc-*.timeouts | + awk '/portal 12/ {print $5}' | tail -1) + [ $REQ_DELAY -le 5 ] && break + echo "current AT estimation is $REQ_DELAY, wait a little bit" + sleep 8 + done + REQ_DELAY=$((${REQ_DELAY} + ${REQ_DELAY} / 4 + 5)) + + # sleep sometime in ctx handle + do_facet $SINGLEMDS lctl set_param fail_val=$REQ_DELAY + #define OBD_FAIL_SEC_CTX_HDL_PAUSE 0x1204 + do_facet $SINGLEMDS lctl set_param fail_loc=0x1204 + + $RUNAS $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" + + $RUNAS touch $DIR/d8/f & + TOUCHPID=$! + echo "waiting for touch (pid $TOUCHPID) to finish..." + sleep 2 # give it a chance to really trigger context init rpc + do_facet $SINGLEMDS $LCTL set_param fail_loc=0 + wait $TOUCHPID || error "touch should have succeeded" + + $LCTL dk | grep "Early reply #" || error "No early reply" + + debugrestore + do_facet $SINGLEMDS "echo $ATOLDBASE >> $ATHISTORY" || true +} +run_test 8 "Early reply sent for slow gss context negotiation" + +# +# following tests will manipulate flavors and may end with any flavor set, +# so each test should not assume any start flavor. +# + +test_90() { + if [ "$SLOW" = "no" ]; then + total=10 + else + total=60 + fi + + restore_to_default_flavor + set_rule $FSNAME any any krb5p + wait_flavor all2all krb5p + + start_dbench + + for ((n=0;n<$total;n++)); do + sleep 2 + check_dbench + echo "flush ctx ($n/$total) ..." + $LFS flushctx $MOUNT || error "can't flush context on $MOUNT" + done + check_dbench + #sleep to let ctxs be re-established + sleep 10 + stop_dbench +} +run_test 90 "recoverable from losing contexts under load" + +test_99() { + local nrule_old + local nrule_new=0 + local max=64 + + # + # general rules + # + nrule_old=$(do_facet mgs lctl get_param -n mgs.MGS.live.$FSNAME \ + 2>/dev/null | grep -c "$FSNAME.srpc.flavor.") + echo "original general rules: $nrule_old" + + for ((i = $nrule_old; i < $max; i++)); do + set_rule $FSNAME elan$i any krb5n || error "set rule $i" + done + for ((i = $nrule_old; i < $max; i++)); do + set_rule $FSNAME elan$i any || error "remove rule $i" + done + + nrule_new=$(do_facet mgs lctl get_param -n mgs.MGS.live.$FSNAME \ + 2>/dev/null | grep -c "$FSNAME.srpc.flavor.") + if [ $nrule_new != $nrule_old ]; then + error "general rule: $nrule_new != $nrule_old" + fi + + # + # target-specific rules + # + nrule_old=$(do_facet mgs lctl get_param -n mgs.MGS.live.$FSNAME \ + 2>/dev/null | grep -c "$FSNAME-MDT0000.srpc.flavor.") + echo "original target rules: $nrule_old" + + for ((i = $nrule_old; i < $max; i++)); do + set_rule $FSNAME-MDT0000 elan$i any krb5i || error "set rule $i" + done + for ((i = $nrule_old; i < $max; i++)); do + set_rule $FSNAME-MDT0000 elan$i any || error "remove rule $i" + done + + nrule_new=$(do_facet mgs lctl get_param -n mgs.MGS.live.$FSNAME \ + 2>/dev/null \ | grep -c "$FSNAME-MDT0000.srpc.flavor.") + if [ $nrule_new != $nrule_old ]; then + error "general rule: $nrule_new != $nrule_old" + fi +} +run_test 99 "set large number of sptlrpc rules" + +error_dbench() +{ + local err_str=$1 + + killall -9 dbench + sleep 1 + + error $err_str +} + +test_100() { + # started from default flavors + restore_to_default_flavor + + # running dbench background + start_dbench + + # + # all: null -> krb5n -> krb5a -> krb5i -> krb5p -> plain + # + set_rule $FSNAME any any krb5n + wait_flavor all2all krb5n || error_dbench "1" + check_dbench + + set_rule $FSNAME any any krb5a + wait_flavor all2all krb5a || error_dbench "2" + check_dbench + + set_rule $FSNAME any any krb5i + wait_flavor all2all krb5i || error_dbench "3" + check_dbench + + set_rule $FSNAME any any krb5p + wait_flavor all2all krb5p || error_dbench "4" + check_dbench + + set_rule $FSNAME any any plain + wait_flavor all2all plain || error_dbench "5" + check_dbench + + # + # M - M: krb5a + # C - M: krb5i + # M - O: krb5p + # C - O: krb5n + # + set_rule $FSNAME any mdt2mdt krb5a + wait_flavor mdt2mdt krb5a || error_dbench "6" + check_dbench + + set_rule $FSNAME any cli2mdt krb5i + wait_flavor cli2mdt krb5i || error_dbench "7" + check_dbench + + set_rule $FSNAME any mdt2ost krb5p + wait_flavor mdt2ost krb5p || error_dbench "8" + check_dbench + + set_rule $FSNAME any cli2ost krb5n + wait_flavor cli2ost krb5n || error_dbench "9" + check_dbench + + # + # * - MDT0: krb5p + # * - OST0: krb5i + # + # nothing should be changed because they are override by above dir rules + # + set_rule $FSNAME-MDT0000 any any krb5p + set_rule $FSNAME-OST0000 any any krb5i + wait_flavor mdt2mdt krb5a || error_dbench "10" + wait_flavor cli2mdt krb5i || error_dbench "11" + check_dbench + wait_flavor mdt2ost krb5p || error_dbench "12" + wait_flavor cli2ost krb5n || error_dbench "13" + + # + # delete all dir-specific rules + # + set_rule $FSNAME any mdt2mdt + set_rule $FSNAME any cli2mdt + set_rule $FSNAME any mdt2ost + set_rule $FSNAME any cli2ost + wait_flavor mdt2mdt krb5p $((MDSCOUNT - 1)) || error_dbench "14" + wait_flavor cli2mdt krb5p $(get_clients_mount_count) || + error_dbench "15" + check_dbench + wait_flavor mdt2ost krb5i $MDSCOUNT || error_dbench "16" + wait_flavor cli2ost krb5i $(get_clients_mount_count) || + error_dbench "17" + check_dbench + + # + # remove: + # * - MDT0: krb5p + # * - OST0: krb5i + # + set_rule $FSNAME-MDT0000 any any + set_rule $FSNAME-OST0000 any any || error_dbench "18" + wait_flavor all2all plain || error_dbench "19" + check_dbench + + stop_dbench +} +run_test 100 "change security flavor on the fly under load" + +switch_sec_test() +{ + local flavor0=$1 + local flavor1=$2 + local filename=$DIR/$tfile + local multiop_pid + local num + + # + # after set to flavor0, start multop which use flavor0 rpc, and let + # server drop the reply; then switch to flavor1, the resend should be + # completed using flavor1. To exercise the code of switching ctx/sec + # for a resend request. + # + log ">>>>>>>>>>>>>>> Testing $flavor0 -> $flavor1 <<<<<<<<<<<<<<<<<<<" + + set_rule $FSNAME any cli2mdt $flavor0 + wait_flavor cli2mdt $flavor0 + rm -f $filename || error "remove old $filename failed" + + #MDS_REINT = 36 + #define OBD_FAIL_PTLRPC_DROP_REQ_OPC 0x513 + do_facet $SINGLEMDS lctl set_param fail_val=36 + do_facet $SINGLEMDS lctl set_param fail_loc=0x513 + log "starting multiop" + $MULTIOP $filename m & + multiop_pid=$! + echo "multiop pid=$multiop_pid" + sleep 1 + + set_rule $FSNAME any cli2mdt $flavor1 + wait_flavor cli2mdt $flavor1 + + num=$(ps --no-headers -p $multiop_pid 2>/dev/null | wc -l) + [ $num -eq 1 ] || error "multiop($multiop_pid) already ended ($num)" + echo "process $multiop_pid is still hanging there... OK" + + do_facet $SINGLEMDS lctl set_param fail_loc=0 + log "waiting for multiop ($multiop_pid) to finish" + wait $multiop_pid || error "multiop returned error" +} + +test_101() +{ + # started from default flavors + restore_to_default_flavor + + switch_sec_test null plain + switch_sec_test plain krb5n + switch_sec_test krb5n krb5a + switch_sec_test krb5a krb5i + switch_sec_test krb5i krb5p + switch_sec_test krb5p null + switch_sec_test null krb5p + switch_sec_test krb5p krb5i + switch_sec_test krb5i plain + switch_sec_test plain krb5p +} +run_test 101 "switch ctx/sec for resending request" + +error_102() +{ + local err_str=$1 + + killall -9 dbench + sleep 1 + + error $err_str +} + +test_102() { + # started from default flavors + restore_to_default_flavor + + # run dbench background + start_dbench + + echo "Testing null->krb5n->krb5a->krb5i->krb5p->plain->null" + set_rule $FSNAME any any krb5n + set_rule $FSNAME any any krb5a + set_rule $FSNAME any any krb5i + set_rule $FSNAME any any krb5p + set_rule $FSNAME any any plain + set_rule $FSNAME any any null + + check_dbench + wait_flavor all2all null || error_dbench "1" + check_dbench + + echo "waiting for 15s and check again" + sleep 15 + check_dbench + + echo "Testing null->krb5i->null->krb5i->null..." + for ((i=0; i<10; i++)); do + set_rule $FSNAME any any krb5i + set_rule $FSNAME any any null + done + set_rule $FSNAME any any krb5i + + check_dbench + wait_flavor all2all krb5i || error_dbench "2" + check_dbench + + echo "waiting for 15s and check again" + sleep 15 + check_dbench + + stop_dbench +} +run_test 102 "survive from insanely fast flavor switch" + +test_150() { + local save_opts + local count + local clients=$CLIENTS + + [ -z $clients ] && clients=$HOSTNAME + + # started from default flavors + restore_to_default_flavor + + # at this time no rules has been set on mgs; mgc use null + # flavor connect to mgs. + count=$(flvr_cnt_mgc2mgs null) + [ $count -eq 1 ] || error "$count mgc connection use null flavor" + + zconf_umount_clients $clients $MOUNT || return 1 + + # mount client with conflict flavor - should fail + save_opts=$MOUNTOPT + MOUNTOPT="$MOUNTOPT,mgssec=krb5p" + zconf_mount_clients $clients $MOUNT && + error "mount with conflict flavor should have failed" + MOUNTOPT=$save_opts + + # mount client with same flavor - should succeed + save_opts=$MOUNTOPT + MOUNTOPT="$MOUNTOPT,mgssec=null" + zconf_mount_clients $clients $MOUNT || + error "mount with same flavor should have succeeded" + MOUNTOPT=$save_opts + zconf_umount_clients $clients $MOUNT || return 2 + + # mount client with default flavor - should succeed + zconf_mount_clients $clients $MOUNT || + error "mount with default flavor should have succeeded" +} +run_test 150 "secure mgs connection: client flavor setting" + +test_151() { + local save_opts + + # set mgs only accept krb5p + set_rule _mgs any any krb5p + + # umount everything, modules still loaded + stopall + + # mount mgs with default flavor, in current framework it means mgs+mdt1. + # the connection of mgc of mdt1 to mgs is expected fail. + DEVNAME=$(mdsdevname 1) + start mds1 $DEVNAME $MDS_MOUNT_OPTS && + error "mount with default flavor should have failed" + + # mount with unauthorized flavor should fail + save_opts=$MDS_MOUNT_OPTS + MDS_MOUNT_OPTS="$MDS_MOUNT_OPTS,mgssec=null" + start mds1 $DEVNAME $MDS_MOUNT_OPTS && + error "mount with unauthorized flavor should have failed" + MDS_MOUNT_OPTS=$save_opts + + # mount with designated flavor should succeed + save_opts=$MDS_MOUNT_OPTS + MDS_MOUNT_OPTS="$MDS_MOUNT_OPTS,mgssec=krb5p" + start mds1 $DEVNAME $MDS_MOUNT_OPTS || + error "mount with designated flavor should have succeeded" + MDS_MOUNT_OPTS=$save_opts + + stop mds1 -f +} +run_test 151 "secure mgs connection: server flavor control" + +complete $SECONDS +check_and_cleanup_lustre +exit_status diff --git a/lustre/tests/test-framework.sh b/lustre/tests/test-framework.sh old mode 100644 new mode 100755 index 8744cc5..5aae14f --- a/lustre/tests/test-framework.sh +++ b/lustre/tests/test-framework.sh @@ -649,7 +649,6 @@ start_gss_daemons() { fi local list=$(comma_list $(mdts_nodes)) - echo "Starting gss daemon on mds: $list" do_nodes $list "$LSVCGSSD -v" || return 1 if $GSS_PIPEFS; then @@ -703,7 +702,9 @@ init_gss() { module_loaded ptlrpc_gss || error_exit "init_gss : GSS=$GSS, but gss/krb5 is not supported!" fi - start_gss_daemons || error_exit "start gss daemon failed! rc=$?" + if $GSS_KRB5; then + start_gss_daemons || error_exit "start gss daemon failed! rc=$?" + fi if [ -n "$LGSS_KEYRING_DEBUG" ]; then echo $LGSS_KEYRING_DEBUG > /proc/fs/lustre/sptlrpc/gss/lgss_keyring/debug_level -- 1.8.3.1