[lustre-discuss] Nodemap and setreuid/setregid

Hans Henrik Happe happe at nbi.dk
Thu Feb 6 05:29:40 PST 2020 

Hi,

Thanks for a very quick reply :-) Here are the map:

# lctl get_param nodemap.sif.*
nodemap.sif.admin_nodemap=1
nodemap.sif.audit_mode=1
nodemap.sif.deny_unknown=0
nodemap.sif.exports=
[
 { nid: 172.25.10.51 at tcp, uuid: 56bb9b04-9bb5-d7b5-3f50-d62804690db1 },
]
nodemap.sif.fileset=/sif
nodemap.sif.id=2
nodemap.sif.idmap=
[
 { idtype: uid, client_id: 501, fs_id: 20501 },
 { idtype: gid, client_id: 501, fs_id: 20501 }
]
nodemap.sif.map_mode=both
nodemap.sif.ranges=
[
 { id: 11, start_nid: 172.25.1.28 at tcp, end_nid: 172.25.1.28 at tcp },
 { id: 10, start_nid: 172.25.1.27 at tcp, end_nid: 172.25.1.27 at tcp },
 { id: 9, start_nid: 172.25.10.51 at tcp, end_nid: 172.25.10.51 at tcp }
]
nodemap.sif.sepol=

nodemap.sif.squash_gid=20000
nodemap.sif.squash_uid=20000
nodemap.sif.trusted_nodemap=0

Cheers,
Hans Henrik

On 06.02.2020 14.17, Sebastien Buisson wrote:
> Hi,
>
> It might be due to a property on the nodemap you defined.
> Could you please dump your nodemap definition?
>
> Thanks,
> Sebastien.
>
>> Le 6 févr. 2020 à 14:14, Hans Henrik Happe <happe at nbi.dk> a écrit :
>>
>> Hi,
>>
>> Has anyone had success with gocryptfs 1.7.x on top of a Lustre nodemap?
>>
>> I've tested with Lustre 2.12.3.
>>
>> I found that gocryptfs 1.6 worked. However, with 1.7.x I got a lot of
>> "Permission denied". I tried all permutations of trusted and admin on
>> the nodemap.
>>
>> By stracing a bit, I've created a small peace of code provoking the issue:
>>
>> ---
>>
>> #include <unistd.h>
>> #include <sys/types.h>
>> #include <fcntl.h>
>> #include <stdio.h>
>>
>> int main() {
>>  int r;
>>
>>  setregid(-1, 501);
>>  setreuid(-1, 501);
>>
>>  r = open("foo", O_CREAT, S_IRWXU);
>>  if (r < 0) {
>>    perror("open");
>>  }
>>  return 0;
>> }
>>
>> ---
>>
>>
>>
>> When run as root in a directory owned by uid=501 and gid=501 in a
>> nodemap based Lustre fs it returns:
>>
>> open: Permission denied
>>
>> Works when I deactivate nodemap (lctl nodemap_activate 0) or just use a
>> plain local fs.
>>
>> I don't think this is intended behavior for nodemaps, but I might be wrong.
>>
>> Cheers,
>> Hans Henrik
>> _______________________________________________
>> lustre-discuss mailing list
>> lustre-discuss at lists.lustre.org
>> http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lustre.org/pipermail/lustre-discuss-lustre.org/attachments/20200206/679d5130/attachment.html>

More information about the lustre-discuss mailing list