[LU-10531] GSS, Shared Key and Kerberos support broken in master and lustre 2.10 - Whamcloud Community JIRA

Details

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: Lustre 2.11.0, Lustre 2.10.4
Affects Version/s: Lustre 2.11.0, Lustre 2.10.2
Labels:
- gss
- kerberos
- patch

Severity:
3
Rank (Obsolete):
9223372036854775807

Description

GSS, Shared Key and Kerberos support is currently broken in master branch. It is indeed impossible to set any flavor for sptlrpc, whereas it is gssnull or ski or krb5

{n,a,i,p}

For instance, when doing 'lctl conf_param lustre.srpc.flavor.default=krb5n' or 'lctl set_param -P lustre.srpc.flavor.default=krb5n', the command returns no error, but the value is never applied.

The commit introducing this regression is the following, and aims at making 'lctl set_param -P' functional:
https://review.whamcloud.com/28590

As mentioned in this patch's comment, "currently virtual attributes failover.nid, sptlrpc, and quota
are not fully supported. They will be addressed in later patches".

As I understand 'lctl set_param -P' needs more work to make it work for sptlrpc, the patch should not break 'lctl conf_param' functionality for sptlrpc.

Attachments

Issue Links

is related to

LU-7854 sanity-gss test_1 fails with 'chmod /lustre/scratch failed'

Resolved

is related to

LU-9795 SSK test failures in many suites when SHARED_KEY is enabled

Reopened

Activity

[LU-10531] GSS, Shared Key and Kerberos support broken in master and lustre 2.10

Gerrit Updater added a comment - 09/Feb/18 10:30 PM

John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/31209/
Subject: ~~LU-10531~~ gss: fix GSS support for DNE
Project: fs/lustre-release
Branch: b2_10
Current Patch Set:
Commit: 3d270d3a5a9ffec79aa7d6ab4a7f131afbfb06d2

Gerrit Updater added a comment - 09/Feb/18 10:30 PM John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/31209/ Subject: LU-10531 gss: fix GSS support for DNE Project: fs/lustre-release Branch: b2_10 Current Patch Set: Commit: 3d270d3a5a9ffec79aa7d6ab4a7f131afbfb06d2

Gerrit Updater added a comment - 09/Feb/18 10:30 PM

John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/31208/
Subject: ~~LU-10531~~ obd: handle case tgt equals fsname for obdname2fsname
Project: fs/lustre-release
Branch: b2_10
Current Patch Set:
Commit: e23318986fa839997c504c1d87f73e937f7e9a7b

Gerrit Updater added a comment - 09/Feb/18 10:30 PM John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/31208/ Subject: LU-10531 obd: handle case tgt equals fsname for obdname2fsname Project: fs/lustre-release Branch: b2_10 Current Patch Set: Commit: e23318986fa839997c504c1d87f73e937f7e9a7b

Gerrit Updater added a comment - 07/Feb/18 7:25 PM

Minh Diep (minh.diep@intel.com) uploaded a new patch: https://review.whamcloud.com/31209
Subject: ~~LU-10531~~ gss: fix GSS support for DNE
Project: fs/lustre-release
Branch: b2_10
Current Patch Set: 1
Commit: d577c60fdcaf59cd407c7e4e84074f04f1ae1466

Gerrit Updater added a comment - 07/Feb/18 7:25 PM Minh Diep (minh.diep@intel.com) uploaded a new patch: https://review.whamcloud.com/31209 Subject: LU-10531 gss: fix GSS support for DNE Project: fs/lustre-release Branch: b2_10 Current Patch Set: 1 Commit: d577c60fdcaf59cd407c7e4e84074f04f1ae1466

Gerrit Updater added a comment - 07/Feb/18 7:25 PM

Minh Diep (minh.diep@intel.com) uploaded a new patch: https://review.whamcloud.com/31208
Subject: ~~LU-10531~~ obd: handle case tgt equals fsname for obdname2fsname
Project: fs/lustre-release
Branch: b2_10
Current Patch Set: 1
Commit: 107076812f7ec31ce8c01fabc582282320965ea8

Gerrit Updater added a comment - 07/Feb/18 7:25 PM Minh Diep (minh.diep@intel.com) uploaded a new patch: https://review.whamcloud.com/31208 Subject: LU-10531 obd: handle case tgt equals fsname for obdname2fsname Project: fs/lustre-release Branch: b2_10 Current Patch Set: 1 Commit: 107076812f7ec31ce8c01fabc582282320965ea8

Peter Jones added a comment - 06/Feb/18 4:57 AM

Landed for 2.11

Peter Jones added a comment - 06/Feb/18 4:57 AM Landed for 2.11

Gerrit Updater added a comment - 06/Feb/18 4:25 AM

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/30984/
Subject: ~~LU-10531~~ gss: fix GSS support for DNE
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 7327f66c2ca1d9762f6ea722f1433e4435f0a5b5

Gerrit Updater added a comment - 06/Feb/18 4:25 AM Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/30984/ Subject: LU-10531 gss: fix GSS support for DNE Project: fs/lustre-release Branch: master Current Patch Set: Commit: 7327f66c2ca1d9762f6ea722f1433e4435f0a5b5

Gerrit Updater added a comment - 31/Jan/18 5:52 AM

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/30937/
Subject: ~~LU-10531~~ obd: handle case tgt equals fsname for obdname2fsname
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: ac01abc2db2e82f87061eb0e6b2c03e28dad6a5b

Gerrit Updater added a comment - 31/Jan/18 5:52 AM Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/30937/ Subject: LU-10531 obd: handle case tgt equals fsname for obdname2fsname Project: fs/lustre-release Branch: master Current Patch Set: Commit: ac01abc2db2e82f87061eb0e6b2c03e28dad6a5b

Sebastien Buisson (Inactive) added a comment - 23/Jan/18 1:00 PM - edited

Thanks to the patch https://review.whamcloud.com/30937 from James, I am again able to set sptlrpc flavor with 'lctl conf_param' commands (however it does not work with 'lctl set_param -P').
Then I managed to have a working kerberized Lustre on my test system. I can access the FS from Lustre clients, and do not see the error messages showed by James here.

However, for DNE setups the new patch I just pushed in https://review.whamcloud.com/30984 is mandatory. This is indeed another regression in Kerberos support, inadvertently introduced by patch https://review.whamcloud.com/27823.
This new patch needs to be landed for 2.11.

I agree we need more regular testing of GSS/SSK/Kerberos functionality. Manual testing of single patches cannot cover all cases all the time. At DDN we already have some resources for Lustre non-regression tests. I will see if it is possible to dedicate part of them to continuous Kerberos testing. I should get back to you on this matter in a couple of weeks.

Sebastien Buisson (Inactive) added a comment - 23/Jan/18 1:00 PM - edited Thanks to the patch https://review.whamcloud.com/30937 from James, I am again able to set sptlrpc flavor with 'lctl conf_param' commands (however it does not work with 'lctl set_param -P'). Then I managed to have a working kerberized Lustre on my test system. I can access the FS from Lustre clients, and do not see the error messages showed by James here . However, for DNE setups the new patch I just pushed in https://review.whamcloud.com/30984 is mandatory. This is indeed another regression in Kerberos support, inadvertently introduced by patch https://review.whamcloud.com/27823 . This new patch needs to be landed for 2.11. I agree we need more regular testing of GSS/SSK/Kerberos functionality. Manual testing of single patches cannot cover all cases all the time. At DDN we already have some resources for Lustre non-regression tests. I will see if it is possible to dedicate part of them to continuous Kerberos testing. I should get back to you on this matter in a couple of weeks.

Gerrit Updater added a comment - 23/Jan/18 12:46 PM

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/30984
Subject: ~~LU-10531~~ gss: fix GSS support for DNE
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 0781aab3dabd84f9ad65c3e29613f8c29d4a8aa1

Gerrit Updater added a comment - 23/Jan/18 12:46 PM Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/30984 Subject: LU-10531 gss: fix GSS support for DNE Project: fs/lustre-release Branch: master Current Patch Set: 1 Commit: 0781aab3dabd84f9ad65c3e29613f8c29d4a8aa1

Andreas Dilger added a comment - 19/Jan/18 8:20 PM

It seems that we are still not getting regular enough testing of the Kerberos and SSK functionality to avoid regressions, and playing catch-up with regressions added a long time ago is a lot more work than finding recent regressions or preventing them in the first place.

Nathan, Chris, Sebastien, is it possible for you guys to start running automated regression tests against master with SSK/Kerberos configured on a regular basis (e.g. daily against master, and as often as possible against new patches as time permits)? That would avoid these kinds of problems from being introduced in the first place.

Andreas Dilger added a comment - 19/Jan/18 8:20 PM It seems that we are still not getting regular enough testing of the Kerberos and SSK functionality to avoid regressions, and playing catch-up with regressions added a long time ago is a lot more work than finding recent regressions or preventing them in the first place. Nathan, Chris, Sebastien, is it possible for you guys to start running automated regression tests against master with SSK/Kerberos configured on a regular basis (e.g. daily against master, and as often as possible against new patches as time permits)? That would avoid these kinds of problems from being introduced in the first place.

People

Assignee:: James A Simmons

Reporter:: Sebastien Buisson (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 18/Jan/18 9:57 AM

Updated:: 09/Feb/18 11:33 PM

Resolved:: 06/Feb/18 4:57 AM