zfs crypto discuss - May 2008 - [Bug 2094] New: tests/encryption/ inherit_encrypt_002 - clone inheritation works incorrectly

http://defect.opensolaris.org/bz/show_bug.cgi?id=2094

           Summary: tests/encryption/inherit_encrypt_002 - clone
                    inheritation works incorrectly
    Classification: Development
           Product: zfs-crypto
           Version: unspecified
          Platform: Other
        OS/Version: Solaris
            Status: NEW
          Severity: minor
          Priority: P4
         Component: other
        AssignedTo: darrenm at opensolaris.org
        ReportedBy: hua.tang at sun.com
         QAContact: hua.tang at sun.com
                CC: zfs-crypto-discuss at opensolaris.org
   Estimated Hours: 0.0


Msg| 102936 | These tests verify a clone inherits its parent''s
encryption
property and inheritance doesn''t base on the pool hierarchy.
Msg| 102936 | INTERFACE:
Msg| 102936 | zpool,zfs
Msg| 102936 |
Msg| 102936 | [ - Progress ]
Msg| 102936 | 1: Testing a clone of an encrypted file system inherits its
parent''s encryption property
Msg| 102936 |
stdout| 102936| /usr/sbin/mkfile 1g /export/home/vdev_file_1
stdout| 102936| /usr/sbin/zpool create -f -o
keysource=hex,file:///export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/etc/hex
_key_file pool_102936 /export/home/vdev_file_1
stdout| 102936| /usr/sbin/zfs create -o encryption=on -o keyscope=pool
pool_102936/fs_encrypted
stdout| 102936| /usr/sbin/zfs create -o encryption=off -o keyscope=pool
pool_102936/fs_unencrypted
stdout| 102936| /usr/sbin/zfs snapshot pool_102936/fs_encrypted at sh_encrypted
stdout| 102936| /usr/sbin/zfs clone pool_102936/fs_encrypted at sh_encrypted
pool_102936/fs_unencrypted/clone_encrypted
Msg| 102936 | [ - Progress ]
Msg| 102936 | Testing encryption=on, SOURCE=inherited from
pool_102936/fs_encrypted of pool_102936/fs_unencrypted/clone_encrypted
Msg| 102936 |
stdout| 102936| Expected SOURCE=inherited from pool_102936/fs_encrypted
stdout| 102936| Actual SOURCE=local
Msg| 102936 | [ - Result ]
Msg| 102936 | RESULT:  FAIL
Msg| 102936 |
Msg| 102936 | [ - Progress ]
Msg| 102936 | 2: Testing a clone of an unencryped file system inherits its
parent''s encryption property
Msg| 102936 |
stdout| 102936| /usr/sbin/zfs snapshot
pool_102936/fs_unencrypted at sh_unencrypted
stdout| 102936| /usr/sbin/zfs clone pool_102936/fs_unencrypted at sh_unencrypted
pool_102936/fs_encrypted/clone_unencrypted
Msg| 102936 | [ - Progress ]
Msg| 102936 | Testing encryption=off, SOURCE=inherited from
pool_102936/fs_unencrypted of pool_102936/fs_encrypted/clone_unencrypted
Msg| 102936 |
Msg| 102936 | [ - Result ]
Msg| 102936 | RESULT:  FAIL
stdout| 102936| Expected encryption=off
stdout| 102936| Actual encryption=on
Msg| 102936 |
Msg| 102936 | [ - Progress ]
Msg| 102936 | Testing the encrypted clone data is encrypted on disk
Msg| 102936 |
stdout| 102936| cp
/export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/etc/file1.txt
/pool_102936/fs_unencrypted/clone_encryp
ted
stdout| 102936| cp
/export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/etc/file2.txt
/pool_102936/fs_unencrypted/clone_encryp
ted
stdout| 102936| cp
/export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/etc/file3.txt
/pool_102936/fs_unencrypted/clone_encryp
ted
stdout| 102936| cp
/export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/etc/file4.txt
/pool_102936/fs_unencrypted/clone_encryp
ted
stdout| 102936| cp
/export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/etc/file5.txt
/pool_102936/fs_unencrypted/clone_encryp
ted
stdout| 102936| cp
/export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/etc/file6.txt
/pool_102936/fs_unencrypted/clone_encryp
ted
stdout| 102936| cp
/export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/etc/file7.txt
/pool_102936/fs_unencrypted/clone_encryp
ted
stdout| 102936| cp
/export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/etc/Hamlet.txt
/pool_102936/fs_unencrypted/clone_encry
pted
stdout| 102936| /usr/sbin/zpool export pool_102936
stdout| 102936| /usr/sbin/zpool import -d /export/home pool_102936
stdout| 102936| cannot mount
''pool_102936/fs_unencrypted/clone_encrypted'': I/O
error
Msg| 102936 | [ - Result ]
Msg| 102936 | RESULT:  UNRESOLVED
Msg| 102936 |
stdout| 102936| /usr/sbin/zpool destroy pool_102936
Test_Case_End| 102935 tests/encryption/inherit_encrypt_002 | UNRESOLVED |
22:51:46 0 |

-- 
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://defect.opensolaris.org/bz/show_bug.cgi?id=2094


Grace <hua.tang at sun.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P4                          |P3
           Severity|minor                       |normal




-- 
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://defect.opensolaris.org/bz/show_bug.cgi?id=2094





--- Comment #1 from Darren J Moffat <darrenm at opensolaris.org> 
2008-06-06 08:05:29 ---
There two distinct tests here.

The first is creating a clone of an encrypted dataset but placing it below an
unencrypted one elsewhere in the dataset hierarchy.  In this case the
encryption property is working as designed it has to be source of local because
you can''t inherit except from your parent because it may have a
different value
and in this case the parent is unencrypted.  We can''t inherit
encryption from
the parent of the clone because that would turn encryption off and that
isn''t
allowed when we are a clone of an encrypted dataset.

This is different to what happens with property inheritance normally but to
ensure that all data in a dataset (regardless of wither it is a clone or not)
is always either clear or encrypted it has to be this way.

Compare this to what happens with compression:

braveheart# zfs create -o compression=on tank/compon
braveheart# zfs snapshot tank/compon at sh_compressed
braveheart# zfs clone tank/compon at sh_compressed 
braveheart# zfs create -o compression=off tank/compoff
braveheart# zfs clone tank/compon at sh_compressed tank/compoff/compon
braveheart# zfs get compression tank/compoff/compon
NAME                 PROPERTY     VALUE                SOURCE
tank/compoff/compon  compression  off                  inherited from
tank/compoff
braveheart# zfs get compression tank/compon        
NAME         PROPERTY     VALUE        SOURCE
tank/compon  compression  on           local
braveheart# zfs get compression tank/compoff
NAME          PROPERTY     VALUE         SOURCE
tank/compoff  compression  off           local

So even here the test would be wrong, but unlike compression we have to keep
encryption=on and mark the source as local for the clone.


The second case is both a test bug and a code bug but not for the reason the
test claims.  The bug is that we even allow this encryption=off dataset to be
placed there and in doing so incorrectly set its encryption property to on (via
inheritance).

Since we don''t allow creation of unencrypted datasets below encrypted
ones we
also shouldn''t allow clones of unencrypted datasets to be placed below
encrypted ones.  So a) the test shouldn''t be getting performed, the
test should
be that an unencrypted clone isn''t allowed to be placed below an
encrypted one
and b) the code is wrong in that we need to disallow placing an unencrypted
clone below an encrypted parent just like we wouldn''t allow a create to
do
that.

What is even worse in the cleartext clone below encrypted dataset case is
we will be able to read the existing clear text data but we won''t be
able
to write to the dataset.  The write(2) will succeed but we won''t
actually be
able to sync this to disk because there isn''t a valid encryption key. 
This
puts the pool in to an unresolvable situation where a sync will hang.

-- 
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://defect.opensolaris.org/bz/show_bug.cgi?id=2094


Darren J Moffat <darrenm at opensolaris.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CAUSEKNOWN




-- 
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://defect.opensolaris.org/bz/show_bug.cgi?id=2094


Darren J Moffat <darrenm at opensolaris.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P2
           Severity|normal                      |critical




-- 
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://defect.opensolaris.org/bz/show_bug.cgi?id=2094


Darren J Moffat <darrenm at opensolaris.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |BUGSTER:6719706
             Status|CAUSEKNOWN                  |CLOSED
         Resolution|                            |TRACKEDINBUGSTER




--- Comment #2 from Darren J Moffat <darrenm at opensolaris.org> 
2008-06-26 10:30:54 ---
BUGSTER:6719706

-- 
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://defect.opensolaris.org/bz/show_bug.cgi?id=2094


David Comay <David.Comay at Sun.COM> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |BugsterCR=6719706
                 CC|                            |David.Comay at Sun.COM




-- 
Configure bugmail: http://defect.opensolaris.org/bz/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.