BACKGROUND

A Lustre filesystem can easily be instructed to stop when the -f parameter is passed to the umount command.
As we can read in the Lustre documentation:

    To stop a server:

    $ umount -f /mnt/test/ost0

    The '-f' flag means "force"; force the server to stop WITHOUT RECOVERY.

Although it is a handy feature that might be used when dealing with an unresponsive Lustre server, it creates a
possibility of carrying out a DoS attack by a malicious user.

The problem is only real if we have a hosting server running OpenVZ and a group of containers (used by outside users) mounting the same Lustre filesystem. In such a setup one of the users can type:

umount -f /mnt/shared/lustre/fs

inside a container, which will cause the Lustre filesystem to stop without any warning, preventing all the other containers
that use the same filesystem from reading data.

Such an event gets logged to /var/log/messages as:

kernel: Lustre: setting import lustre-server-MDT0000_UUID INACTIVE by administrator request

Important: the above is also likely to happen when one of the containers gets stopped, since a lot of Linux distributions, as a part of the shutdown process, run the umount -f command on the filesystems found in the /etc/mtab file.

PATCH

I attach a patch below that addresses the issue. It is for the newest OpenVZ kernel (2.6.18-92.1.18.el5.028stab060.2). The patch prevents users from running the umount -f command on Lustre filesystems inside a container. If umount -f gets run inside a container, the -f option will get removed and a standard, not forced umount will be performed (writing an appropriate alert message to the logs). If umount -f gets run on the host server it will work as expected, forcing a Lustre filesystem to stop.

Best Regards,
Dawid Golunski



--- linux-2.6.18.i686/fs/namespace.c    2009-03-26 11:09:57.000000000 +0000
+++ linux-2.6.18.i686-lustre-umount-patch/fs/namespace.c 2009-03-27 01:41:49.000000000 +0000
@@ -728,10 +728,15 @@ asmlinkage long sys_umount(char __user *
        if (!check_mnt(nd.mnt))
                goto dput_and_out;

+       
+ if (!memcmp(nd.mnt->mnt_sb->s_type->name, "lustre", 6) && ! ve_is_super(get_exec_env()) && (flags & MNT_FORCE)) { + printk(KERN_ALERT "Forced umount of lustre fs is not allowed inside container (%d). Overriding MNT_FORCE flag.\n", get_exec_env()->veid);
+               flags &= (~MNT_FORCE);
+       }
+
        retval = -EPERM;
        if (!capable(CAP_VE_SYS_ADMIN))
                goto dput_and_out;
-
        retval = do_umount(nd.mnt, flags);
 dput_and_out:
        path_release_on_umount(&nd);
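
Review bot: the added lustre check sits before the capable(CAP_VE_SYS_ADMIN) test, so a process in a container that lacks that capability can still reach the printk and write an unthrottled KERN_ALERT line on every umount call that sets MNT_FORCE. Moving the block after the capability check, or guarding the printk with printk_ratelimit(), would avoid that. The comparison memcmp(nd.mnt->mnt_sb->s_type->name, "lustre", 6) tests only the first six bytes, so it matches any filesystem type whose name begins with "lustre"; strcmp() would state the intent if an exact match is wanted. Clearing MNT_FORCE changes what the caller asked for without telling the caller, so a code comment explaining why the flag is dropped rather than the call rejected would help. The hunk also removes the blank line before retval = do_umount(nd.mnt, flags), which is unrelated to the fix.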

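A log check for the two kernel messages this post mentions, the "INACTIVE by administrator request" line and the alert the patch prints, written as an added example that is not part of the original message or of OpenVZ or Lustre. The sample lines, host name, timestamps and container IDs are constructed, and the function name `scan` is an assumption made for the example.

```python
import re
import sys
from collections import Counter

# Message quoted in the post when a Lustre import is forced inactive.
INACTIVE_RE = re.compile(
    r"Lustre: setting import (?P<target>\S+) INACTIVE by administrator request")
# Alert text taken from the printk in the patch; the number is the container ID (veid).
BLOCKED_RE = re.compile(
    r"Forced umount of lustre fs is not allowed inside container \((?P<veid>\d+)\)")

def scan(lines):
    """Return (deactivated import names in log order,
    Counter of blocked forced-umount attempts per container ID)."""
    deactivated, blocked = [], Counter()
    for line in lines:
        m = INACTIVE_RE.search(line)
        if m:
            deactivated.append(m.group("target"))
            continue
        m = BLOCKED_RE.search(line)
        if m:
            blocked[int(m.group("veid"))] += 1
    return deactivated, blocked

# Constructed sample input: only the message texts come from the post.
SAMPLE = """\
Mar 27 01:50:11 hn1 kernel: Lustre: setting import lustre-server-MDT0000_UUID INACTIVE by administrator request
Mar 27 02:03:40 hn1 kernel: Forced umount of lustre fs is not allowed inside container (101). Overriding MNT_FORCE flag.
Mar 27 02:03:41 hn1 kernel: Forced umount of lustre fs is not allowed inside container (101). Overriding MNT_FORCE flag.
Mar 27 02:10:02 hn1 kernel: Forced umount of lustre fs is not allowed inside container (205). Overriding MNT_FORCE flag.
Mar 27 02:11:00 hn1 sshd[4242]: Accepted publickey for root from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    # Pass a log file path as the first argument, or run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            deactivated, blocked = scan(fh)
    else:
        deactivated, blocked = scan(SAMPLE)
    for target in deactivated:
        print(f"import deactivated: {target}")
    for veid, count in sorted(blocked.items()):
        print(f"container {veid}: {count} blocked forced umount(s)")
```

On an unpatched host only the first message can appear; on a patched host repeated alerts from one container ID point at the container issuing forced umounts.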

