[lustre-discuss] shared key security - issue with kernel key possession?

Steve Brasier steveb at stackhpc.com
Tue Feb 25 03:17:42 PST 2020

Hi all,

I'm trying to configure a lustre 2.12.2 system with SSK and I believe I
have a problem with kernel keys which I'd be grateful for any suggestions.

Essentially I have followed the instructions/examples in the docs for SSK
except that:
- A host "lustre-storage" hosts the MGS, MDT and OST with the filesystem
- A host "lustre-client1" is in a nodeset "lustre_client1".
- cli2ost and cli2mdt rules set as skn
(happy to provide more details if required but I think that's the major
differences from the examples)

Trying to mount the filesystem from the client fails:

[centos at lustre-client1 ~]$ sudo mount -t lustre at tcp1:/test_fs1
-o skpath=/etc/lustre /mnt/lustre/test_fs1/
mount.lustre: mount at tcp1:/test_fs1 at /mnt/lustre/test_fs1
failed: Connection refused

Looking in /var/log/messages I can see:

lustre-client1 lgss_keyring: [18756]:ERROR:sk_create_cred(): keyctl_read()
failed for key 1073636326: Permission denied

And in fact there is a problem reading this key:
[centos at lustre-client1 ~]$ sudo keyctl list @u
1 key in keyring:
1073636326: --alswrv     0     0 user: lustre:test_fs1
[centos at lustre-client1 ~]$ sudo keyctl read 1073636326
keyctl_read_alloc: Permission denied

If I try to create a key myself I can see it has the same permissions as
1073636326, and again reading it fails. Some googling led me to this
<https://mjg59.dreamwidth.org/37333.html> which suggests there's a
fundamental problem using sudo with kernel keys *. I can't be the only
person to try to deploy lustre using sudo though surely? So there must be
something I'm missing here to make this work.

To work around this I tried including "user" in the /etc/fstab options then
mounting as a normal user but that fails:
[centos at lustre-client1 ~]$ mount /mnt/lustre/test_fs1/
mount.lustre: mount at tcp1:/test_fs1 at /mnt/lustre/test_fs1
failed: Operation not permitted

and in fact it appears lustre doesn't support the user option?
Feb 25 11:12:27 lustre-client1 kernel: LustreError: 152-6: Unknown option
'user', won't mount.

As I said any help appreciated!


* Although that link says key possession is tied to the original user,
which would suggest that the key should show up in centos's keyring, which
it doesn't.
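The "Permission denied" in the post comes from the kernel's key permission check, in which a possessor (a process whose keyring chain reaches the key) is granted different bits from the key's owner. As an added example, not code from the post, here is a small Python model of that check applied to the key shown above; it assumes the key was created with `keyctl add` under sudo and so carries the kernel's default mask for a new user key (0x3f010000: possessor alswrv, owner v), a value the post does not state.

```python
# Added example (not from the post): model of the kernel's key permission
# check (security/keys/permission.c) for the key 1073636326 seen above.
# Assumption: the key was created under sudo, so uid/gid are 0 and the mask
# is the kernel default for a new user key, 0x3f010000. Under sudo the process
# keeps the invoking user's session keyring, so root OWNS the key but does
# not POSSESS it, and only the owner bits ("-----v") apply.
from dataclasses import dataclass

VIEW, READ, WRITE, SEARCH, LINK, SETATTR = 0x01, 0x02, 0x04, 0x10 >> 1, 0x10, 0x20
PERM_CHARS = {SETATTR: "a", LINK: "l", SEARCH: "s", WRITE: "w", READ: "r", VIEW: "v"}
DEFAULT_USER_KEY_PERM = 0x3F010000  # assumed kernel default for a new user key


@dataclass
class Key:
    serial: int
    uid: int
    gid: int
    perm: int
    desc: str


def perm_string(bits: int) -> str:
    """Render one 6-bit permission group the way keyctl does, e.g. 0x3f -> 'alswrv'."""
    return "".join(c if bits & bit else "-" for bit, c in PERM_CHARS.items())


def describe(key: Key) -> str:
    """Possessor/user/group/other groups of the mask, as 'keyctl describe' prints them."""
    return "".join(perm_string((key.perm >> shift) & 0x3F) for shift in (24, 16, 8, 0))


def key_permits(key: Key, uid: int, gid: int, possesses: bool, want: int) -> bool:
    """Kernel rule: pick owner, group or other bits by uid/gid, then OR in the
    possessor bits only if the key is reachable from the caller's keyrings."""
    if uid == key.uid:
        granted = (key.perm >> 16) & 0x3F
    elif gid == key.gid:
        granted = (key.perm >> 8) & 0x3F
    else:
        granted = key.perm & 0x3F
    if possesses:
        granted |= (key.perm >> 24) & 0x3F
    return granted & want == want


def sudo_keyctl_read_scenario() -> tuple:
    """The post's case: root reads its own key without possessing it (fails),
    versus the same read from a process that possesses it (succeeds)."""
    key = Key(1073636326, 0, 0, DEFAULT_USER_KEY_PERM, "lustre:test_fs1")
    return key_permits(key, 0, 0, False, READ), key_permits(key, 0, 0, True, READ)
```

`keyctl list @u` succeeds in the same situation because the owner bits still include view, which is all listing needs.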

