Date:      Thu, 10 May 2012 17:13:38 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Andrew Leonard <lists@hurricane-ridge.com>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: Unable to set ACLs on ZFS file system over NFSv4?
Message-ID:  <1446179418.236280.1336684418582.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <CADUQDp9ytTTUqRvqzySBfugkqL56okEgZOOs_vvbKmOYi=mL0Q@mail.gmail.com>

Andrew Leonard wrote:
> I have a ZFS file system on which I can successfully manipulate ACLs
> locally, but am unable to do so when it is mounted remotely using
> NFSv4 on both FreeBSD and Linux (CentOS 5) clients.
> 
> The system in question is running 8-STABLE:
> 
> FreeBSD zfs07.example.com 8.2-STABLE FreeBSD 8.2-STABLE #0: Thu Nov 17
> 17:46:00 PST 2011
> root@zfs07.example.com:/usr/obj/usr/src/sys/GENERIC amd64
> 
> ACLs can be successfully manipulated locally; e.g. the following
> returns no error and works as expected:
> 
> > setfacl -m g:group2:rwxpDaRWcs:fd:allow /tank01/ngs/test.dir
> 
> The file system is exported as follows in /etc/exports:
> 
> /tank01/ngs -sec=sys
> V4: /tank01 -sec=sys
> 
> On the FreeBSD client, it is mounted using NFSv4, and behaves as
> follows under the same user (sanitized to "user1", who is in
> "group1"):
> 
> > whoami
> user1
> > groups
> group1 [...]
> > mount | grep /mnt
> zfs07b:/ngs on /mnt (newnfs, nfsv4acls)
> >  getfacl /mnt/test2.dir
> # file: /mnt/test2.dir
> # owner: user1
> # group: group1
> group:group1:rwxpDdaARWcCo-:fd----:allow
> owner@:rwxp--aARWcCo-:------:allow
> group@:r-x---a-R-c---:------:allow
> everyone@:r-x---a-R-c---:------:allow
> > setfacl -m g:group2:rwxpDaRWcs:fd:allow /mnt/test2.dir
> setfacl: /mnt/test2.dir: acl_set_file() failed: Input/output error
> 
> In all other respects, ACLs appear to be honored over NFSv4 - the user
> can access, create, modify and delete files as expected, and ACLs are
> appropriately inherited - the ACLs just cannot be manipulated.
> 
> Linux client behavior is functionally identical:
> 
> > mount | grep /mnt
> zfs07b:/ngs on /mnt type nfs4 (rw,addr=192.168.x.y)
> > nfs4_setfacl -a A:gfd:group2:rwxaDdtnNcy test2.dir
> Failed setxattr operation: Input/output error
> 
> Is this a misconfiguration on my part, a known limitation, or a bug?
> 
As far as I know, it should work. I only use UFS, but my understanding
is that ZFS always supports NFSv4 ACLs.

If you capture a packet trace from before you do the NFSv4 mount, I can
take a look and see what the server is saying. (Basically, at mount time
a reply to a Getattr should include the supported attributes and that
should include the ACL bit. Then the setfacl becomes a Setattr of the ACL
attribute.)
# tcpdump -s 0 -w acl.pcap host <server>
- run on the client should do it

If you want to look at it, use wireshark. If you want me to look, just
email acl.pcap as an attachment.

rick
ps: Although I suspect it is the server that isn't behaving, please use
    the FreeBSD client for the above.
pss: I've cc'd trasz@ in case he can spot some reason why it wouldn't work.

> More details:
> 
> > zfs get version tank01/ngs
> NAME PROPERTY VALUE SOURCE
> tank01/ngs version 5 -
> > zpool get version tank01
> NAME PROPERTY VALUE SOURCE
> tank01 version 28 default
> > zfs get all tank01/ngs
> NAME PROPERTY VALUE SOURCE
> tank01/ngs type filesystem -
> tank01/ngs creation Tue May 1 16:15 2012 -
> tank01/ngs used 61.6G -
> tank01/ngs available 4.47T -
> tank01/ngs referenced 33.8G -
> tank01/ngs compressratio 4.23x -
> tank01/ngs mounted yes -
> tank01/ngs quota none default
> tank01/ngs reservation none default
> tank01/ngs recordsize 128K default
> tank01/ngs mountpoint /tank01/ngs default
> tank01/ngs sharenfs off default
> tank01/ngs checksum on default
> tank01/ngs compression gzip local
> tank01/ngs atime on default
> tank01/ngs devices on default
> tank01/ngs exec on default
> tank01/ngs setuid off inherited from tank01
> tank01/ngs readonly off default
> tank01/ngs jailed off default
> tank01/ngs snapdir hidden default
> tank01/ngs aclmode passthrough local
> tank01/ngs aclinherit passthrough-x local
> tank01/ngs canmount on default
> tank01/ngs xattr off temporary
> tank01/ngs copies 1 default
> tank01/ngs version 5 -
> tank01/ngs utf8only off -
> tank01/ngs normalization none -
> tank01/ngs casesensitivity sensitive -
> tank01/ngs vscan off default
> tank01/ngs nbmand off default
> tank01/ngs sharesmb off default
> tank01/ngs refquota none default
> tank01/ngs refreservation none default
> tank01/ngs primarycache all default
> tank01/ngs secondarycache all default
> tank01/ngs usedbysnapshots 27.8G -
> tank01/ngs usedbydataset 33.8G -
> tank01/ngs usedbychildren 0 -
> tank01/ngs usedbyrefreservation 0 -
> tank01/ngs logbias latency default
> tank01/ngs dedup off default
> tank01/ngs mlslabel -
> tank01/ngs sync standard default
> tank01/ngs refcompressratio 4.14x -
> > egrep 'nfs|zfs' /etc/rc.conf.local
> nfscbd_enable="YES"
> nfs_client_enable="YES"
> nfsuserd_enable="YES"
> nfsv4_server_enable="YES"
> nfs_server_enable="YES"
> zfs_enable="YES"
> 
> Thanks,
> Andy
> _______________________________________________
> freebsd-fs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
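
Added example (not part of the original e-mail and not FreeBSD code): the check described in the reply, decoding the supported_attrs bitmap from a Getattr reply to see whether the ACL bit is set, and confirming that a Setattr attrmask carries the ACL attribute. The attribute numbers are those of the NFSv4 specification (RFC 3530 / RFC 7530); the function names and the sample bitmaps are constructed for illustration.

```python
import struct

# Attribute numbers defined by the NFSv4 specification (RFC 3530 / RFC 7530).
FATTR4_ACL = 12
FATTR4_ACLSUPPORT = 13


def decode_bitmap4(xdr):
    """Return the set of attribute numbers in an XDR-encoded bitmap4.

    bitmap4 is a big-endian uint32 word count followed by that many uint32
    words; attribute n is bit (n % 32) of word (n // 32).
    """
    if len(xdr) < 4:
        raise ValueError("truncated bitmap4: no word count")
    (count,) = struct.unpack_from(">I", xdr, 0)
    if len(xdr) < 4 + 4 * count:
        raise ValueError("truncated bitmap4: %d words announced" % count)
    words = struct.unpack_from(">%dI" % count, xdr, 4)
    return {32 * i + bit
            for i, word in enumerate(words)
            for bit in range(32) if (word >> bit) & 1}


def acl_report(supported_attrs_xdr):
    """Say whether a server's supported_attrs bitmap advertises ACLs."""
    attrs = decode_bitmap4(supported_attrs_xdr)
    return {"acl": FATTR4_ACL in attrs, "aclsupport": FATTR4_ACLSUPPORT in attrs}


def setattr_touches_acl(attrmask_xdr):
    """True if a Setattr attrmask includes the ACL attribute (what setfacl sends)."""
    return FATTR4_ACL in decode_bitmap4(attrmask_xdr)


# Constructed sample bitmaps (hypothetical, not taken from any capture).
WITH_ACL = struct.pack(">3I", 2, 0x001FFFFF, 0x00000002)     # bits 0-20 and 33
WITHOUT_ACL = struct.pack(">3I", 2, 0x001FCFFF, 0x00000002)  # same, bits 12/13 clear
SETFACL_MASK = struct.pack(">2I", 1, 1 << FATTR4_ACL)        # Setattr of ACL only

if __name__ == "__main__":
    for name, raw in (("with ACL", WITH_ACL), ("without ACL", WITHOUT_ACL)):
        print(name, acl_report(raw))
    print("setattr mask touches ACL:", setattr_touches_acl(SETFACL_MASK))
```

Feed it the raw bitmap bytes copied out of the Getattr reply in the capture; a server that does not advertise bit 12 is not offering the ACL attribute to the client.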


