[lustre-discuss] Lustre secure client mount

Strikwerda, Ger g.j.c.strikwerda at rug.nl
Mon Oct 16 02:56:57 PDT 2023


Hi all,

We are trying to get a Lustre secure client mount working with a distributed key:

[root@dh5-mds01 ger]# rpm -qa | grep lustre
lustre-2.15.3-1.el8.x86_64
kmod-lustre-2.15.3-1.el8.x86_64
lustre-osd-ldiskfs-mount-2.15.3-1.el8.x86_64
kmod-lustre-osd-ldiskfs-2.15.3-1.el8.x86_64

We followed the instructions:

- created key
- distributed key to mds/oss/client
- set SPTLRPC security flavor to Shared Key Integrity(ski) on MGS
- create /etc/request-key.d/lgssc.conf on all systems
- create /etc/sysconfig/lsvcgss on mds
- create /etc/sysconfig/lsvcgss on oss
- systemctl start lsvcgss on mds/oss
- modprobe ptlrpc_gss on mds/oss
- mount mgs: mount -t lustre -o skpath=/root/umcg2.key /dev/mapper/mgs01-umcg /lustre/umcg/mgs01
- mount mdt: mount -t lustre -o skpath=/root/umcg2.key /dev/mapper/mdt01-umcg /lustre/umcg/mdt01/
- mount oss: mount -t lustre -o skpath=/root/umcg2.key /dev/mapper/umcg_ost01-01_v0000 /lustre/umcg/umcg_ost01-01_v0000/
- mount cli: mount -t lustre -o skpath=/root/umcg2.key 172.23.15.xxx@tcp15:172.23.15.xx2@tcp15:/umcg /test
- works!
- but also this works (should fail):
- mount cli without key: mount -t lustre 172.23.15.xxx@tcp15:172.23.15.xxx2@tcp15:/umcg /test

If I check the rpc flavor/bulk flavor (should be ski) I get:

lctl get_param *.*.srpc_* :

mdc.umcg-MDT0000-mdc-ffff9c7e5e416000.srpc_info=
rpc flavor:     null
bulk flavor:    null

mgc.MGC172.23.15.xxx@tcp15.srpc_info=
rpc flavor:     null
bulk flavor:    null

Clearly the ski bits are not working. What are we missing? Do we need to
recompile the Lustre software with GSS enabled?

Please enlighten us,

-- 

Kind regards,

Ger Strikwerda
senior expert multidisciplinary enabler
simple solution architect
Rijksuniversiteit Groningen
CIT/RDMS/HPC

Smitsborg
Nettelbosje 1
9747 AJ Groningen
Tel. 050 363 9276
"God is hard, God is fair
 some men he gave brains, others he gave hair"
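
A check for the symptom described in the message above, as an added example that is not part of the original post or of Lustre's own tooling: it parses `lctl get_param *.*.srpc_*` output and reports every import whose rpc or bulk flavor is not the expected one. The function names, the third sample record (device name and `ski` value) and the exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. check_srpc_flavors EXPECTED reads srpc_info output on stdin.
# Exit status: 0 = all imports match, 1 = at least one mismatch, 2 = no imports seen.
check_srpc_flavors() {
    awk -v want="$1" '
        # Report the record collected so far, then reset for the next one.
        function emit() {
            if (dev == "") return
            seen++
            if (rpc != want || bulk != want) {
                printf "MISMATCH %s rpc=%s bulk=%s (want %s)\n", dev, rpc, bulk, want
                bad++
            }
            dev = ""
        }
        /\.srpc_info=/ {
            emit()
            dev = $0; sub(/\.srpc_info=.*/, "", dev)
            rpc = "missing"; bulk = "missing"
            next
        }
        /^[ \t]*rpc flavor:/  { rpc = $NF; next }
        /^[ \t]*bulk flavor:/ { bulk = $NF; next }
        END {
            emit()
            if (seen == 0) { print "NO_IMPORTS"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Sample input: the first two records are the output quoted in the post;
# the third is constructed to show a matching import (hypothetical name/value).
sample_output() {
    cat <<'EOF'
mdc.umcg-MDT0000-mdc-ffff9c7e5e416000.srpc_info=
rpc flavor:     null
bulk flavor:    null

mgc.MGC172.23.15.xxx@tcp15.srpc_info=
rpc flavor:     null
bulk flavor:    null

osc.umcg-OST0000-osc-ffff9c7e5e416000.srpc_info=
rpc flavor:     ski
bulk flavor:    ski
EOF
}

sample_output | check_srpc_flavors ski || true
```

On a live client the same function can be fed directly: `lctl get_param '*.*.srpc_*' | check_srpc_flavors ski`.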