any

Assigning to Chris for initial assessment of changes required.

Also making this a major for now so it doesn't get lost in Chris's queue.

So it sounds like first of all there should be two separate options:

• --enable-gss
• --enable-krb5
  where the latter also implies the former.

Secondly Andreas suggested that these both should be enabled automatically, if the required packages are found in the build environment.

Is there a specific list of GSS/Kerberos -devel RPMs that are needed for RHEL6 and SLES11SP2?

Some more from Alex K:
1) "Configure" for kerberos flavor does not contain "kerberos" (or krb5) keyword explicitly, it is as follows (with/without --disable server) :

./configure -with-linux=/usr/src/kernels/`uname -r``arch` --disable-server --enable-dependency-tracking --enable-posix-osd \
--enable-panic_dumplog --enable-health_write --enable-lru-resize \
--enable-gss \
--enable-quota --enable-ext4 --enable-mindf

It is required in checklist to have gss libraries installed (libgssapi* / libgssglue* ) and krb* rpms .

2) Here at FNAL the following was used to build lustre servers with kerberised flavor on Scientific Linux ( which is RHEL rebuild which includes kerberos) :

./configure \
--with-linux=/lib/modules/2.6.18-274.12.1.el5_FNAL.Lustre.2.1.1/build
--with-krb5 \
--enable-gss \
--enable-ext4 --enable-quota

Alex.

So it sounds like first of all there should be two separate options:
--enable-gss
--enable-krb5

Note the separation of the build options also implies a separation of #ifdef macros inside of Lustre.

Also, the existing Lustre security tests eventually need to be separated – what follows is a wishlist:

• sanity-gss should become sanity-krb5
  • sanity-krg5 should add tests for krb5 "plain" mechanism
• sanity-gss should eventually use the gss-null mechanism that IU is developing
• sanity-sptlrpc should be written to test sptlrpc "null" in the absence of GSS.

These are the packages that are needed to configure Lustre with --enable-gss on a basic RHEL6.4 x86_64 install:

keyutils-libs-devel-1.4-4.el6.x86_64
libgssglue-0.1-11.el6.x86_64.rpm
libgssglue-devel-0.1-11.el6.x86_64.rpm
krb5-devel-1.10.3-10.el6_4.3.x86_64.rpm
these are requirements for krb5-devel:
libcom_err-devel-1.41.12-14.el6.x86_64.rpm
libselinux-2.0.94-5.3.el6_4.1.x86_64.rpm
libselinux-devel-2.0.94-5.3.el6_4.1.x86_64.rpm
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64.rpm
libsepol-devel-2.0.41-4.el6.x86_64.rpm

Joshua, could you please check that the above list of RPM packages (or their SLES equivalent) is available on our build nodes.

Ubuntu
libkeyutils-dev
libgssglue-dev
libkrb5-dev

SUSE
keyutils-devel
libgssglue-devel
krb5-devel

The other packages will get pulled since they are dependencies.

Looks like EL5 needs:

keyutils-libs-devel
libgssapi-devel
krb5-devel

I have installed the packages referenced. I have retriggered http://review.whamcloud.com/#/c/6740/

http://review.whamcloud.com/#/c/6740/ passed its build. Can someone verify that it contains the proper build products, and make sure it has linked against the proper libraries? ajk ?

I'm presuming that Andrew doesn't have privileges to view the build node. Is that presumption correct or is there a way he could do what you've asked?

ssimms: The above link gives a link to the build products which can be found here:

http://build.whamcloud.com/job/lustre-reviews/17615/

That is a public link, no special permissions required.

Thanks, I'll look through these.

From the meeting today, it at least looks like the packages are running configure and completing the build.

At this point, we aren't yet sure if the gssd is actually being built, or if it is missing from the lustre.spec file, but it looks like that needs to be tested locally by Andrew (using "make rpms" on a system with http://review.whamcloud.com/6740/ applied is probably the easiest). Any issues with what gets built will probably be addressed by a patch to the Lustre code.

FYI, we caught a problem with GSSAPI prerequisites checking from change #6740 and updated LU-3490.

seems like we need krb5-libs for suse.

build on suse failed due to
checking for Kerberos v5... /usr
The current KRBDIR is /usr
checking for gss_krb5_export_lucid_sec_context in -lgssapi_krb5... yes
checking for gss_krb5_set_allowable_enctypes in -lgssapi_krb5... yes
checking for gss_krb5_ccache_name in -lgssapi_krb5... yes
checking for krb5_get_error_message in -lgssapi_krb5... yes
checking for krb5_get_init_creds_opt_set_addressless in -lgssapi_krb5... no
checking for krb5int_derive_key in -lgssapi_krb5... no

http://build.whamcloud.com/job/lustre-reviews/18238/arch=x86_64,build_type=client,distro=sles11,ib_stack=inkernel/consoleFull

we also need gssapi for ubuntu

http://build.whamcloud.com/job/lustre-reviews/18264/arch=x86_64,build_type=client,distro=ubuntu1004,ib_stack=inkernel/consoleFull

Assign-ing to Minh, as I believe he is working on the Ubuntu libs issue.

afaik, LU-3490 has landed and all issues have been resolved. I am not sure what else needs to be done for this ticket. As for the Ubuntu, similar to sles11, it needs more works to include the proper functions

Sounds good. Probably a good idea, then, to close this ticket and open one specifically for Ubuntu.

Andrew,

Let me know if there's anything else or I can close this ticket. I will close if I don't hear from you by the end of this week.

Yes, I believe this ticket has been resolved. Thanks!