Uploaded image for project: 'Lustre'
  1. Lustre
  2. LU-15787

clients built without encryption support can corrupt encrypted directories

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Blocker
    • Lustre 2.15.0
    • None
    • None
    • 3
    • 9223372036854775807

    Description

      Clients build without encryption support can create files in encrypted directories. The names of the created files may collide with the names of existing decrypted files.

      One way to see this is to build a CentOS 7 (3.10.0) based client and then to mount an encryption enabled FS.

      On the old client:

      # grep ENCRYPT ex/lustre-release/config.h
/* #undef CONFIG_LDISKFS_FS_ENCRYPTION */
/* #undef CONFIG_LL_ENCRYPTION */

      new-server# fscrypt setup /mnt/lustre
Metadata directories created at "/mnt/lustre/.fscrypt".
new-server# mkdir /mnt/lustre/private
new-server# fscrypt encrypt --user=root /mnt/lustre/private
...
"/mnt/lustre/private" is now encrypted, unlocked, and ready for use.
new-server# echo XXX > /mnt/lustre/private/f0
new-server# ls /mnt/lustre/private/
f0

old-client# mount new-server@tcp:/lustre /mnt/lustre -t lustre
old-client# mount -t lustre
192.168.122.63@tcp:/lustre on /mnt/lustre type lustre (rw,flock,lazystatfs,noencrypt)
old-client# ls /mnt/lustre/private/
j?"n5?<=??7?Jj?"=@????x??]|??lqdX?
old-client# echo YYY > /mnt/lustre/private/f0
old-client# ls /mnt/lustre/private/
f0  j?"n5?<=??7?Jj?"=@????x??]|??lqdX?

new-server# ls /mnt/lustre/private/
ls: reading directory '/mnt/lustre/private/': Structure needs cleaning
f0
new-server# rm -rf /mnt/lustre/private
rm: traversal failed: /mnt/lustre/private: Structure needs cleaning
new-server# ls /mnt/lustre/private
ls: reading directory '/mnt/lustre/private': Structure needs cleaning
new-server# rmdir /mnt/lustre/private
rmdir: failed to remove '/mnt/lustre/private': Directory not empty

      Another thing I notice here is that when the old client tries to read the encrypted file, read() just returns 0.

      This seems like a serious issue to me. If a site is running a mix of old and new client kernels then it seems relatively easy to wander into this situation unawares.

      As discussed on chat, the MDT should protect against this situation. If the directory is encrypted (has LUSTRE_ENCRYPT_FL set) and the client does not have the encryption connect flag (OBD_CONNECT2_ENCRYPT) then the MDT could disallow creates in the directory. But this needs investigation.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. LU-15767 If the user regain access to the encrypted directory from another client, the contents of the files will be deleted

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. LU-13717 Client-side encryption - support file name encryption

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Activity

            People

              sebastien Sebastien Buisson
              jhammond John Hammond
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: