
sanity-selinux test_20a: test_20 passing even when localhost returning Permission Denied

Details

    • Bug
    • Resolution: Fixed
    • Major
    • Lustre 2.10.0
    • Lustre 2.9.0
    • None
    • master
    • 3

    Description

      This issue was created by maloo for Saurabh Tandan <saurabh.tandan@intel.com>

      This issue relates to the following test suite run: https://testing.hpdd.intel.com/test_sets/b0261008-85e9-11e6-a8b7-5254006e85c2.

      The sub-test test_20a failed with the following error:

      localhost: ssh exited with exit code 255
      

      Test_logs:

      == sanity-selinux test 20a: [atomicity] concurrent access from another client (file) ================= 02:04:40 (1475114680)
      CMD: trevis-66vm1.trevis.hpdd.intel.com /usr/sbin/lctl set_param fail_val=20 fail_loc=0x1409
      fail_val=20
      fail_loc=0x1409
      localhost: Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
      localhost: Permission denied, please try again.
      localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr
      pdsh@trevis-66vm1: localhost: ssh exited with exit code 255
      ls: cannot access /mnt/lustre/df20a: No such file or directory
      Resetting fail_loc on all nodes...CMD: trevis-66vm1.trevis.hpdd.intel.com,trevis-66vm2,trevis-66vm3,trevis-66vm7,trevis-66vm8 lctl set_param -n fail_loc=0 	    fail_val=0 2>/dev/null
      done.
      CMD: trevis-66vm1.trevis.hpdd.intel.com,trevis-66vm2,trevis-66vm3,trevis-66vm7,trevis-66vm8 rc=0;
      val=\$(/usr/sbin/lctl get_param -n catastrophe 2>&1);
      if [[ \$? -eq 0 && \$val -ne 0 ]]; then
      	echo \$(hostname -s): \$val;
      	rc=\$val;
      fi;
      exit \$rc
      CMD: trevis-66vm1.trevis.hpdd.intel.com,trevis-66vm2,trevis-66vm3,trevis-66vm7,trevis-66vm8 dmesg
      

      test_20 passing even when the localhost is returning Permission denied.

          Activity

            [LU-8659] sanity-selinux test_20a: test_20 passing even when localhost returning Permission Denied
            pjones Peter Jones added a comment -

            Landed for 2.10


            gerrit Gerrit Updater added a comment -

            Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/23962/
            Subject: LU-8659 tests: use runcon in sanity-selinux
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: 9d9a5ac444bcd796fe8757b092069570c24bc26a

            gerrit Gerrit Updater added a comment -

            Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: http://review.whamcloud.com/23962
            Subject: LU-8659 tests: use runcon in sanity-selinux
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: 0cd696c19a837efe2a44a6530b01323960c839fc

            sbuisson Sebastien Buisson (Inactive) added a comment -

            Hi,

            I think I figured out how to replace 'ssh user@localhost' with 'runas runcon'.
            The thing is it requires that the SELinux policy allows transitions from unconfined_t to user_t and guest_t:
            #============= unconfined_r ==============
            allow unconfined_r guest_r;
            allow unconfined_r user_r;

            I will push a patch that modifies sanity-selinux.

            Thanks,
            Sebastien.
            jhammond John Hammond added a comment -

            There are utilities runcon and newrole which we should try to use here (see https://linux.die.net/man/1/newrole and https://linux.die.net/man/1/runcon).

            jhammond John Hammond added a comment -

            Using su - USER keeps the original security context.


            adilger Andreas Dilger added a comment -

            Sebastien, I see that the failing test is using $PDSH ${uname}@localhost "touch $filename" & to run the command on the local file. Is $PDSH (ssh) used to initialize the security context for $uname, instead of just using $RUNAS directly? Would "su - $uname touch $filename" or similar work without the need to allow passwordless ssh for $uname?

            On a related note, it would be useful to set $RUNAS_USER in lustre/tests/cfg/local.sh and as a fallback in test-framework.sh::init_test_env() if it is not set, instead of fetching it repeatedly in the test:

            init_test_env() {
                    RUNAS_USER=${RUNAS_USER:-$(getent passwd $RUNAS_ID | cut -d: -f1)}
            }

            jamesanunez James Nunez (Inactive) added a comment -

            Similar failures for tests 3 and 4 at https://testing.hpdd.intel.com/test_sets/420ef8f0-897c-11e6-a9b0-5254006e85c2

            == sanity-selinux test 3: access with unconfined user ================================================ 15:11:56 (1475507516)
            sanityusr mapped as unconfined_u: touch /mnt/lustre/df3
            localhost: Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
            localhost: Permission denied, please try again.
            localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr
            pdsh@trevis-66vm1: localhost: ssh exited with exit code 255
             sanity-selinux test_3: @@@@@@ FAIL: can't touch /mnt/lustre/df3

            == sanity-selinux test 4: access with specific SELinux user ========================================== 15:12:08 (1475507528)
            sanityusr mapped as guest_u: touch /mnt/lustre/df4
            localhost: Permission denied, please try again.
            localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr
            pdsh@trevis-66vm1: localhost: ssh exited with exit code 255
            sanityusr mapped as user_u: touch /mnt/lustre/df4
            localhost: Permission denied, please try again.
            localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr
            pdsh@trevis-66vm1: localhost: ssh exited with exit code 255
             sanity-selinux test_4: @@@@@@ FAIL: can't touch /mnt/lustre/df4
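
The failure mode named in this issue's title, as an added example (not code from sanity-selinux.sh or from any commenter): a helper started with `&` can fail without the test noticing when its exit status is never collected by PID. The helper and function names are hypothetical, the helpers are constructed stand-ins for the `$PDSH ${uname}@localhost "touch $filename" &` call, and the page does not show that this is how test_20a lost the status.

```shell
#!/bin/sh
# Constructed stand-ins for the remote helper (assumption, not Lustre code):
# helper_denied mimics the rejected login in the log (creates nothing, exits 255),
# helper_ok mimics a working login that creates the file.
helper_denied() { return 255; }
helper_ok() { : > "$1"; }

# Unchecked pattern: the helper runs in the background and the script calls
# `wait` with no operand, which returns 0 however the job exited.
concurrent_touch_unchecked() {
	helper=$1 file=$2
	"$helper" "$file" &
	wait
}

# Checked pattern: wait on the job's PID to collect its status, then confirm
# the side effect the test depends on actually happened.
concurrent_touch_checked() {
	helper=$1 file=$2
	"$helper" "$file" &
	pid=$!
	wait "$pid" || {
		rc=$?
		echo "helper exited with $rc" >&2
		return 1
	}
	[ -e "$file" ] || {
		echo "$file was not created" >&2
		return 1
	}
}

# Demo on a scratch directory (df20a is the file name from the log above).
scratch=$(mktemp -d)
if concurrent_touch_unchecked helper_denied "$scratch/df20a"; then
	echo "unchecked: reported success, file exists? $([ -e "$scratch/df20a" ] && echo yes || echo no)"
fi
if ! concurrent_touch_checked helper_denied "$scratch/df20a"; then
	echo "checked: failure detected"
fi
rm -rf "$scratch"
```
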

            People

              sbuisson Sebastien Buisson (Inactive)
              maloo Maloo