https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-8659 Lustre <p>This issue was created by maloo for Saurabh Tandan &lt;saurabh.tandan@intel.com&gt;</p> <p>This issue relates to the following test suite run: <a href="https://testing.hpdd.intel.com/test_sets/b0261008-85e9-11e6-a8b7-5254006e85c2" class="external-link" target="_blank" rel="nofollow noopener">https://testing.hpdd.intel.com/test_sets/b0261008-85e9-11e6-a8b7-5254006e85c2</a>.</p> <p>The sub-test test_20a failed with the following error:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>localhost: ssh exited with exit code 255 </pre> </div></div> <p>Test_logs:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>== sanity-selinux test 20a: [atomicity] concurrent access from another client (file) ================= 02:04:40 (1475114680) CMD: trevis-66vm1.trevis.hpdd.intel.com /usr/sbin/lctl set_param fail_val=20 fail_loc=0x1409 fail_val=20 fail_loc=0x1409 localhost: Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts. localhost: Permission denied, please try again. localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr pdsh@trevis-66vm1: localhost: ssh exited with exit code 255 ls: cannot access /mnt/lustre/df20a: No such file or directory Resetting fail_loc on all nodes...CMD: trevis-66vm1.trevis.hpdd.intel.com,trevis-66vm2,trevis-66vm3,trevis-66vm7,trevis-66vm8 lctl set_param -n fail_loc=0 fail_val=0 2&gt;/dev/null done. CMD: trevis-66vm1.trevis.hpdd.intel.com,trevis-66vm2,trevis-66vm3,trevis-66vm7,trevis-66vm8 rc=0; val=\$(/usr/sbin/lctl get_param -n catastrophe 2&gt;&amp;1); if [[ \$? -eq 0 &amp;&amp; \$val -ne 0 ]]; then echo \$(hostname -s): \$val; rc=\$val; fi; exit \$rc CMD: trevis-66vm1.trevis.hpdd.intel.com,trevis-66vm2,trevis-66vm3,trevis-66vm7,trevis-66vm8 dmesg </pre> </div></div> <p>test_20 passing even when the localhost is returning Permission denied.</p> master LU-8659

sanity-selinux test_20a: test_20 passing even when localhost returning Permission Denied

Bug Major Resolved Fixed Sebastien Buisson Maloo Fri, 30 Sep 2016 21:31:40 +0000 Sat, 20 May 2017 19:25:47 +0000 Sat, 20 May 2017 19:25:47 +0000 Lustre 2.9.0 Lustre 2.10.0 0 7 <p>Similar failures for tests 3 and 4 at <a href="https://testing.hpdd.intel.com/test_sets/420ef8f0-897c-11e6-a9b0-5254006e85c2" class="external-link" target="_blank" rel="nofollow noopener">https://testing.hpdd.intel.com/test_sets/420ef8f0-897c-11e6-a9b0-5254006e85c2</a></p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>== sanity-selinux test 3: access with unconfined user ================================================ 15:11:56 (1475507516) sanityusr mapped as unconfined_u: touch /mnt/lustre/df3 localhost: Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts. localhost: Permission denied, please try again. localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr pdsh@trevis-66vm1: localhost: ssh exited with exit code 255 sanity-selinux test_3: @@@@@@ FAIL: can't touch /mnt/lustre/df3 </pre> </div></div> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>== sanity-selinux test 4: access with specific SELinux user ========================================== 15:12:08 (1475507528) sanityusr mapped as guest_u: touch /mnt/lustre/df4 localhost: Permission denied, please try again. localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr pdsh@trevis-66vm1: localhost: ssh exited with exit code 255 sanityusr mapped as user_u: touch /mnt/lustre/df4 localhost: Permission denied, please try again. localhost: Received disconnect from UNKNOWN: 2: Too many authentication failures for sanityusr pdsh@trevis-66vm1: localhost: ssh exited with exit code 255 sanity-selinux test_4: @@@@@@ FAIL: can't touch /mnt/lustre/df4 </pre> </div></div> <p>Sebastien, I see that the failing test is using <tt>$PDSH ${uname}@localhost "touch $filename" &amp;</tt> to run the command on the local file. Is $PDSH (ssh) used to initialize the security context for $uname, instead of just using $RUNAS directly? Would "su - $uname touch $filename" or similar work without the need to allow passwordless ssh for $uname?</p> <p>On a related note, it would be useful to set <tt>$RUNAS_USER</tt> in <tt>lustre/tests/cfg/local.sh</tt> and as a fallback in <tt>test-framework.sh::init_test_env()</tt> if it is not set, instead of fetching it repeatedly in the test:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">init_test_env() { RUNAS_USER=${RUNAS_USER:-$(getent passwd $RUNAS_ID | cut -d: -f1)} } </pre> </div></div> <p>Using <tt>su - USER</tt> keeps the original security context.</p> <p>There are utilities <tt>runcon</tt> and <tt>newrole</tt> which we should try to use here (see <a href="https://linux.die.net/man/1/newrole" class="external-link" target="_blank" rel="nofollow noopener">https://linux.die.net/man/1/newrole</a> and <a href="https://linux.die.net/man/1/runcon" class="external-link" target="_blank" rel="nofollow noopener">https://linux.die.net/man/1/runcon</a>).</p> <p>Hi,</p> <p>I think I figured out how to replace 'ssh user@localhost' with 'runas runcon'.<br/> The thing is it requires that the SELinux policy allows transitions from unconfined_t to user_t and guest_t:<br/> #============= unconfined_r ==============<br/> allow unconfined_r guest_r;<br/> allow unconfined_r user_r;</p> <p>I will push a patch that modifies sanity-selinux.</p> <p>Thanks,<br/> Sebastien.</p> <p>Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: <a href="http://review.whamcloud.com/23962" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/23962</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-8659" title="sanity-selinux test_20a: test_20 passing even when localhost returning Permission Denied" class="issue-link" data-issue-key="LU-8659"><del>LU-8659</del></a> tests: use runcon in sanity-selinux<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 0cd696c19a837efe2a44a6530b01323960c839fc</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="https://review.whamcloud.com/23962/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/23962/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-8659" title="sanity-selinux test_20a: test_20 passing even when localhost returning Permission Denied" class="issue-link" data-issue-key="LU-8659"><del>LU-8659</del></a> tests: use runcon in sanity-selinux<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 9d9a5ac444bcd796fe8757b092069570c24bc26a</p> <p>Landed for 2.10</p> Development Rank 1|hzyq5z: Rank (Obsolete) 9223372036854775807 Severity