Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-13361] setregid or setreuid does not work as expected when cli2mdt SSK is on https://jira.whamcloud.com/browse/LU-13361 Lustre <p>During tests of gocryptfs 1.7 I found that it didn't work on-top of Lustre with cli2mdt SSK. After a bit of tracing I found that after some setreuid/setregid calls it hadn't got permission to open files.</p> <p>I've attached a test program that causes the issue. The 501 uid/gid is arbitrary, but it must be run in a directory with with the same uid/gid as chosen here.</p> <p>When cli2mdt SSK is of it works as expected. When cli2mdt SSK is on it returns:</p> <p>"open: Permission denied"</p> <p>Cheers,<br/> Hans Henrik</p> Centos 7.7. ZFS on both MDTs and OSTs. TCP network. LU-13361 setregid or setreuid does not work as expected when cli2mdt SSK is on Bug Minor Open Unresolved Sebastien Buisson Hans Henrik Happe Mon, 16 Mar 2020 13:31:51 +0000 Fri, 15 May 2020 07:17:01 +0000 Lustre 2.12.3 Lustre 2.12.4 0 2 <p>Hi,</p> <p>I am able to reproduce this behavior. It stems from the fact that when using SSK, Lustre makes use of the identity upcall that is defined for the MDT targets. You can check with the command:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre># lctl get_param mdt.*.identity_upcall mdt.lustre-MDT0000.identity_upcall=/usr/sbin/l_getidentity mdt.lustre-MDT0001.identity_upcall=/usr/sbin/l_getidentity </pre> </div></div> <p>By default, as shown above, l_getidentity is defined as the identity upcall. For it to handle permissions, you have to create a file named <tt>/etc/lustre/perm.conf</tt> on your MDS nodes, with the following syntax for each line:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>permission file format is like this: {nid} {uid} {perms} '*' nid means any nid '*' uid means any uid the valid values for perms are: setuid/setgid/setgrp -- enable corresponding perm nosetuid/nosetgid/nosetgrp -- disable corresponding perm </pre> </div></div> <p>In the case of your test program, you can insert a line with:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>* 0 setuid,setgid </pre> </div></div> <p>It will grant setuid and setgid permissions to user root, from any client node.</p> <p>Once you have created the file, remember to flush the identity cache on your MDS nodes by doing:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>lctl set_param mdt.*.identity_flush=-1 </pre> </div></div> <p>This way, new content in <tt>/etc/lustre/perm.conf</tt> will be taken into account.</p> <p>Alternatively, you can disable identity upcall by doing:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>lctl set_param mdt.*.identity_upcall=NONE </pre> </div></div> <p>In this case, Lustre grants setuid, setgid and setgrp permissions.</p> <p>Thanks Sebastien, that works for me.</p> <p>I would love to help document this, but I'm not sure why there is a difference when turning on SSK?</p> <p>This is because when SSK is enabled, credentials checking is carried out a little bit differently on server side.</p> Development Rank 1|i00vjb: Rank (Obsolete) 9223372036854775807 Severity