Uploaded image for project: 'Lustre'
  1. Lustre
  2. LU-11850

Relocating /proc/fs/lustre/ost to /sys/kernel/debug/lustre/ost prevents non-root access

Details

    • Bug
    • Resolution: Unresolved
    • Minor
    • Upstream
    • Lustre 2.12.0
    • 3
    • 9223372036854775807

    Description

      For security reasons /sys/kernel/debug is restrict to root only so by relocating /proc/fs/lustre/ost & mdt to /sys/kenrnel/debug/lustre breaks many tools such as 'performance co pilot" that run as non-privilege users. We rely on such tools to collect lustre metric.

      We could change the permissions on /sys/kernel/debug but that is not good security practice. Can there be a build option to selected the location?

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. LU-11988 Some lctl *_param values only readable by root

          • Major - Major loss of function.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. LU-11988 Some lctl *_param values only readable by root

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. LU-12244 lfs check subcommand no longer works as non-root user

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. LU-12513 Address YAML limitations

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. LU-17471 Add symlink /proc/fs/lustre/osd-*/*/brw_stats to /sys/kernel/debug/lustre/osd-*/*/brw_stats

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. LU-18709 High frequency performance counters accessible to non-root users

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. LU-12841 Add ability for lctl get_param to get subfield of YAML output

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. LU-16164 Check params and make them valid YAML if they are designed to be

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. LU-17472 Create programming wrappers (python, go) for liblustreapi Netlink stats API

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          is related to

          Improvement - An improvement or enhancement to an existing feature or task. LU-8066 Move lustre procfs handling to sysfs and debugfs.

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. LU-9680 Improve the user land to kernel space interface for lustre

          • Major - Major loss of function.
          • In Progress

          Activity

            [LU-11850] Relocating /proc/fs/lustre/ost to /sys/kernel/debug/lustre/ost prevents non-root access
            simmonsja James A Simmons added a comment -

            I managed to get the basics working using netlink with obd stats. Just need to figure out how to link into the ptlrpc service.

            simmonsja James A Simmons added a comment - I managed to get the basics working using netlink with obd stats. Just need to figure out how to link into the ptlrpc service.
            simmonsja James A Simmons added a comment - - edited

            The kernel has rules about what can be in sysfs. An excellent article covering these rules is here:

            https://lwn.net/Articles/378884

            Since Lustre has complex data files they are not allowed in sysfs. So the quick fix done for the linux client was moving it to debugfs . The point of this policy was due to proc becoming a dumpster. Now the dumpster is debugfs  Note I have been avoiding the move of several files like stats to debugfs for the OpenSFS tree.

            No fear netlink will resolve these issues. I have a prototypes partially working. I just need to work out the nesting of data. I see its the ptlrpc service stats.

            simmonsja James A Simmons added a comment - - edited The kernel has rules about what can be in sysfs. An excellent article covering these rules is here: https://lwn.net/Articles/378884 Since Lustre has complex data files they are not allowed in sysfs. So the quick fix done for the linux client was moving it to debugfs . The point of this policy was due to proc becoming a dumpster. Now the dumpster is debugfs  Note I have been avoiding the move of several files like stats to debugfs for the OpenSFS tree. No fear netlink will resolve these issues. I have a prototypes partially working. I just need to work out the nesting of data. I see its the ptlrpc service stats.
            mhanafi Mahmoud Hanafi added a comment -

            But why are we considering /sys/kenrel/debug/lustre/ost/... part of "debugging"

             

            mhanafi Mahmoud Hanafi added a comment - But why are we considering /sys/kenrel/debug/lustre/ost/... part of "debugging"  
            simmonsja James A Simmons added a comment -

            Because all debugfs files go into /sys/kernel/debug. That is the mount point.

            simmonsja James A Simmons added a comment - Because all debugfs files go into /sys/kernel/debug. That is the mount point.
            mhanafi Mahmoud Hanafi added a comment -

            Why is /sys/kernel/debug/lustre not located at /sys/kernel/lustre?

            mhanafi Mahmoud Hanafi added a comment - Why is /sys/kernel/debug/lustre not located at /sys/kernel/lustre?
            jaylan Jay Lan (Inactive) added a comment -

            James, this is great! Performance is very important! Thanks!

            jaylan Jay Lan (Inactive) added a comment - James, this is great! Performance is very important! Thanks!
            adilger Andreas Dilger added a comment -

            We could change the permissions on /sys/kernel/debug but that is not good security practice.

            There is no need to change the permissions for the whole of /sys/kernel/debug to be world readable. Currently, it looks like /sys/kernel/debug is itself the only directory that blocks access. It would be possible in the short term to recursively change the permissions of this tree to remove world-readable permissions ("chmod -R go-rw /sys/kernel/debug") and then enable group access permissions for the monitoring tools to the Lustre tree after the filesystem is mounted ("chmod -R g+rX /sys/kernel/debug/lustre; chgrp -R collectd /sys/kernel/debug/lustre" or similar).

            adilger Andreas Dilger added a comment - We could change the permissions on /sys/kernel/debug but that is not good security practice. There is no need to change the permissions for the whole of /sys/kernel/debug to be world readable. Currently, it looks like /sys/kernel/debug is itself the only directory that blocks access. It would be possible in the short term to recursively change the permissions of this tree to remove world-readable permissions (" chmod -R go-rw /sys/kernel/debug ") and then enable group access permissions for the monitoring tools to the Lustre tree after the filesystem is mounted (" chmod -R g+rX /sys/kernel/debug/lustre; chgrp -R collectd /sys/kernel/debug/lustre " or similar).
            pjones Peter Jones added a comment -

            ok James

            pjones Peter Jones added a comment - ok James
            simmonsja James A Simmons added a comment -

            BTW here is an excellent article about a solution which I'm modeling my work after.

            https://lwn.net/Articles/406975

            The article cover why stats in proc is bad.

            simmonsja James A Simmons added a comment - BTW here is an excellent article about a solution which I'm modeling my work after. https://lwn.net/Articles/406975 The article cover why stats in proc is bad.
            simmonsja James A Simmons added a comment -

            Proc is the worst place for this kind of information. Not only is frowned on by the kernel maintainers but if we every placed a large amount of data into an seq_file, which is used by procfs, the node would be brought to its knees by the cpu load. Actually this has been under discussion on the lustre-devel mailing list. If you are talking about "stats" I'm working a netlink implementation which is way more flexible and has better performance. Give me a few days to roll something out.

            simmonsja James A Simmons added a comment - Proc is the worst place for this kind of information. Not only is frowned on by the kernel maintainers but if we every placed a large amount of data into an seq_file, which is used by procfs, the node would be brought to its knees by the cpu load. Actually this has been under discussion on the lustre-devel mailing list. If you are talking about "stats" I'm working a netlink implementation which is way more flexible and has better performance. Give me a few days to roll something out.
            jaylan Jay Lan (Inactive) added a comment -

            I think the question we should ask is "should the information revealed in lustre/ost and lustre/mdt be kept away from non-privileged users?" If not, maybe we can reconsider the decision and move the information back to procfs? Or other sysfs location that do not require root privilege to read?

            jaylan Jay Lan (Inactive) added a comment - I think the question we should ask is "should the information revealed in lustre/ost and lustre/mdt be kept away from non-privileged users?" If not, maybe we can reconsider the decision and move the information back to procfs? Or other sysfs location that do not require root privilege to read?

            People

              simmonsja James A Simmons
              mhanafi Mahmoud Hanafi
              Votes:
              1 Vote for this issue
              Watchers:
              17 Start watching this issue

              Dates

                Created:
                Updated: