|
Apologies, this ticket got created early, I'll put my information in this comment as I can't edit the original description...
Our users are reporting intermittent permission denied problems when accessing directory on lustre over NFS. They trying to change to a directory returns permission denied and when retrying a few minutes later it is permitted. As far as I can tell nothing modifies the directory in the mean time. There are no problems of this sort when using native Lustre clients.
For one user this seems to happen when creating directories over NFS with mode 0700 but not (or much less frequently) when using a more permissive mode like 0755 for the directories. In this case we have a reproducer, which I'll attach. The reproducer creates directories below your current directory and attempts to write one file per directory. It will report permission denied eventually when we run it, depending on the file system we are trying it on, we need to run the reproducer with a different directory count to reproduce the problem.
This is a sample output for a failing case:
Reports from other users are less clear, so there might be other failing cases.
I will try to run the reproducer with debug enabled on the NFS server/lustre client and the MDS server on our test file system....
|
|
Lai
Could you please assist with this issue?
Thanks
Peter
|
|
I tested locally with nfsv3 and nfsv4, but couldn't reproduce. Once you have debug logs, please put it somewhere, and then I'll look into them.
|
|
This is an odd question but are you using LDAP?
If so are you using SSSD?
If so do you have enumerate enabled?
We ran into this exact issue when enumerate was not enabled as it breaks the secondary groups upcall.
|
|
Malcolm,
yes we are using LDAP, SSSD is not installed on our MDS servers (or the NFS servers), it might be installed on the clients but as you mention secondary groups upcall, I assume the MDS is what you were after.
Cheers,
Frederik
|
|
Lai,
I'm struggling slightly to gather the logs.
Initially I was going to use one of our (more powerful) test clients as NFS server, but failed to reproduce the issue with that machine. On the much less powerful machine I used earlier to reproduce the issue on our test system, I failed to trigger it after enabling the debug daemon. I'm currently trying without debug daemon again, hoping to catch it in time to use lctl dk to gather debug logs which contain the interesting information.
One difference between the NFS servers where I was able to reproduce the issue and the one where I couldn't is that the later use o2ib for lnet and the others ethernet only. I don't see how this would matter but thought I'd mention it.
Cheers,
Frederik
|
|
I have just managed to reproduce it, triggering 'lctl dk' on both lustre client/aka NFS server and MDS server directly after the permission denied message, both files are attached, so I'm hoping there might be some information in the dumps.
This was the error:
File "/home/bnh65367/bin/LU-6528-reproducer1.sh", line 15, in <module>
sub_dir = tempfile.mkdtemp(prefix='sub_', dir=top_dir)
File "/usr/lib64/python2.6/tempfile.py", line 318, in mkdtemp
_os.mkdir(file, 0700)
OSError: [Errno 13] Permission denied: '/dls/p45/data/2015/cm12185-2/tmp/frederik-test/top_39JlTW/sub_ju6qhK'
|
|
I don't see any failure in both logs, but I see there are create/setattr in MDS logs, while not found in client logs. Actually client log shows it's idle (only ping is sent to MDS).
Is there other lustre clients which is creating files simultaneously? And when does client log starts? If it does contain all the logs of this creation, I'm afraid _os.mkdir() failed before it's really done on lustre client, that is, NFS server returned -EACCES before calling into lustre code. If this is true, could you `echo 32767 > /proc/sys/sunrpc/nfsd_debug`, and tried to reproduce, and then upload messages which contains NFSD logs?
|
|
This is on our test file system, I believe it should be fairly quite at most times, so I don't think there are other clients creating files but I'm not absolutely sure.
I've noticed (now) that on the lustre client it seems the lnet/debug_mb was quite small (only 8) during the previous test, not sure if this meant that some of the interesting information has been overwritten, so I've increased this now (to 32) and repeated the test. I've verified that the string "setattr" now exists in the client dump file as well.
I'll upload the new dump files and /var/log/message from the lustre client/nfs server after reproducing it again: The error was
|
|
Also, we are receiving an increasing number of reports from users who are trying to access files and directories written days ago and are receiving intermittent permission denied (for example when running ls). This is obviously much harder to debug as we are not (yet) able to reproduce at will...
|
|
The log shows lustre client .lookup_nd failed with -13, and it looks quite possible to be inside kernel function reconnect_path() when it finds a disconnected dentry:
1. ->get_parent() found parent.
2. ->get_name() found child dentry name.
3. ->lookup_one_len() on parent for this name failed with -EACCES, MDS log shows it doesn't have EXEC right to parent.
I'm not clear of the cause yet, but first could you verify that the test user has EXEC access right to all directories in "/dls/p45/data/2015/cm12185-2/tmp/frederik-test/top_D19Rnh"?
|
could you verify that the test user has EXEC access right to all directories in "/dls/p45/data/2015/cm12185-2/tmp/frederik-test/top_D19Rnh"?
Yes, I've have checked and this is the case.
Thanks,
Frederik
|
|
This is a debug patch which will print mode and id information upon permission deny, could you apply it on MDS and reproduce? BTW it looks like only "trace" is enabled in debug log, could you `lctl set_param debug="super ioctl neterror warning dlmtrace error emerg ha rpctrace vfstrace config console lfsck trace" during reproduce?
|
|
The debug log lacks information, and I just uploaded a debug patch LU-6528_debug.diff, could you reproduce it again?
|
|
After applying the patch we initially failed to reproduce it until today (possibly related to restarting the MDS?)
I have just reproduced it again, though /var/log/messages on the MDS server doesn't quite contain what I was expecting:
Ah, dmesg contained this:
I'll upload the dumps as well, but in case it matters, here is the output:
And this is what seems to be the relevant bit of syslog entries on the NFS server:
As always, if you need more information, please ask.
|
|
Latest dumps, collected with these debug flags on both MDS and client/NFS server:
trace super ioctl neterror warning dlmtrace error emerg ha rpctrace vfstrace config console lfsck
|
|
shows uid doesn't match, which is the cause permission is denied.
Could you help verify '37058' is owner of "top_hT52pM"? and which should be current test user too. Besides, could you find the user with uid "1200328"?
BTW, what's the status of NFS root_squash? and if it's enabled, what's the uid for root_squash?
|
|
Yes, 37058 is the owner of top_hT52pM and is the user id that I'm running the tests as:
uid "1200328" is a random user where I don't recognise the name. Re-running the tests again shows the same mismatch but a different fsuid.
NFS root_squash is enabled, root user (uid=0) is mapped to nfsnobody (uid=65534).
Could you confirm which way round it is, is fsuid the user (apparently) trying to access the file system or is it the apparent owner of the file?
|
|
yes, it's fsuid that's used in permission check, and it looks like it's mistakenly set somewhere. I'm still checking related code, will update you later.
|
|
Is "no_subtree_check" set for the NFS export? It looks like if this feature is set (it's set by default), nfsd_set_fh_dentry() won't set fsuid correctly, but raise capability to allow reconnect_path(), but MDS cleared all FS privileges for lookup (see old_init_ucred()).
|
|
As the NFS export (on a RHEL6 machine) currently doesn't contain either "no_subtree_check" or "subtree_check" and by my reading of the documentation, it seems no_subtree_check is in force, yes. (also confirmed by running exportfs -v.)
I can try (at least on our test system) to re-export with explicit subtree_check and re-test.
Cheers,
Frederik
|
|
This patch will keep FS capability for intent getattr, this is because NFSD will raise FS capability to allow exportfs_decode_fh() to reconnect dentry into dcache, if MDS dropped this capability, reconnect path may fail with -EACCES.
|
|
I just uploaded a possible patch LU-6528.diff for this, could you apply it on MDS and test again?
|
|
I've applied the proposed patch on the MDS and I'm now running the tests.... I guess we'll see tomorrow, though I'll keep running those tests for a t least a day continuously...
|
|
I've had the reproducer running over night so far it hasn't triggered the issue, so looking good. I'll leave the reproducer running...
I noticed the patch had been directly attached to the ticket and not to review.whamcloud.com as I would have expected, does this mean it's not yet a good idea to consider applying it to production systems?
|
|
Once it works(I'll wait until tomorrow), I'll put it on gerrit later.
|
|
FWIW, I've been running our reproducer for nearly 24h after applying the patch. So far we have not seen the permission denied issue at all, so it looks good AFAICT.
|
|
Lai Siyao (lai.siyao@intel.com) uploaded a new patch: http://review.whamcloud.com/14978
Subject: LU-6528 mdt: keep FS capability for intent_getattr
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: b288a18408a59cf3ac8e3d9bd3ed074547689c57
|
|
Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14978/
Subject: LU-6528 mdt: keep FS capability for intent_getattr
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: a55aebd70e9073ef1d1bd7de280c8393af0ea30d
|
|
Landed for 2.8
|
Generated at Sat Feb 10 02:00:59 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.
LU-6528-reproducer1.sh