[LU-13999] sanity-sec test_54: fscrypt encrypt: user keyring not linked into session keyring Created: 29/Sep/20  Updated: 15/Jun/22

Status: Open
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.15.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Maloo Assignee: Sebastien Buisson
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Related
is related to LU-14401 Fix migrate for encrypted directory Resolved
Severity: 3
Rank (Obsolete): 9223372036854775807

 Description   

This issue was created by maloo for wangshilong <wshilong@ddn.com>

This issue relates to the following test suite run: https://testing.whamcloud.com/test_sets/80d98472-3223-4cd2-b009-4c3d6dce5639

test_54 failed with the following error:

fscrypt encrypt failed

<<Please provide additional information about the failure here>>

VVVVVVV DO NOT REMOVE LINES BELOW, Added by Maloo for auto-association VVVVVVV
sanity-sec test_54 - fscrypt encrypt failed

 Comments   
Comment by Sebastien Buisson [ 30/Sep/20 ]

Problem stems from the fscrypt version installed on Ubuntu client nodes. It is too old, and is not able to handle encryption policies v2, required for proper Lustre operation.

Comment by Sarah Liu [ 22/Mar/22 ]

Hit the same error in interop testing between master and 2.14 client
https://testing.whamcloud.com/test_sets/09838ea8-8c85-4a92-ba12-775d8994ed12

Comment by Vikentsi Lapa [ 15/Jun/22 ]

Just update with more details. I can reproduce this error with AlmaLinux 8.6. Ubuntu 20.04 does not show such issue.
Error: [ERROR] fscrypt encrypt: user keyring for "runas" is not linked into the session keyring

This is usually the result of a bad PAM configuration. Either correct the
problem in your PAM stack, enable pam_keyinit.so, or run "keyctl link @u @s".
2022/06/15 11:59:49 creating policy for "/lustre/es01a/client/userenc"
2022/06/15 11:59:49 keyringID(_uid.500) = 703180163, <nil>
2022/06/15 11:59:49 KeyctlLink(703180163, -1) = <nil>
2022/06/15 11:59:49 keyringID(session) = 55270648, <nil>
2022/06/15 11:59:49 KeyctlSearch(55270648, keyring, _uid.500) = -1, required key not available

Tested fscrypt version was v0.2.9
Also this error can be related to issues
https://github.com/google/fscrypt/issues/194
https://github.com/google/fscrypt/issues/34

as workaround suggested command was started "keyctl link @u @s" . After that fscrypt encrypt completed successfully.

Generated at Sat Feb 10 03:05:59 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.