From: Rick Macklem
Date: Thu, 10 May 2012 17:13:38 -0400 (EDT)
To: Andrew Leonard
Cc: freebsd-fs@freebsd.org
Subject: Re: Unable to set ACLs on ZFS file system over NFSv4?
Message-ID: <1446179418.236280.1336684418582.JavaMail.root@erie.cs.uoguelph.ca>

Andrew Leonard wrote:
> I have a ZFS file system on which I can successfully manipulate ACLs
> locally, but am unable to do so when it is mounted remotely using
> NFSv4 on both FreeBSD and Linux (CentOS 5) clients.
>
> The system in question is running 8-STABLE:
>
> FreeBSD zfs07.example.com 8.2-STABLE FreeBSD 8.2-STABLE #0: Thu Nov 17
> 17:46:00 PST 2011
> root@zfs07.example.com:/usr/obj/usr/src/sys/GENERIC amd64
>
> ACLs can be successfully manipulated locally; e.g. the following
> returns no error and works as expected:
>
> > setfacl -m g:group2:rwxpDaRWcs:fd:allow /tank01/ngs/test.dir
>
> The file system is exported as follows in /etc/exports:
>
> /tank01/ngs -sec=sys
> V4: /tank01 -sec=sys
>
> On the FreeBSD client, it is mounted using NFSv4, and behaves as
> follows under the same user (sanitized to "user1", who is in
> "group1"):
>
> > whoami
> user1
> > groups
> group1 [...]
> > mount | grep /mnt
> zfs07b:/ngs on /mnt (newnfs, nfsv4acls)
> > getfacl /mnt/test2.dir
> # file: /mnt/test2.dir
> # owner: user1
> # group: group1
> group:group1:rwxpDdaARWcCo-:fd----:allow
> owner@:rwxp--aARWcCo-:------:allow
> group@:r-x---a-R-c---:------:allow
> everyone@:r-x---a-R-c---:------:allow
> > setfacl -m g:group2:rwxpDaRWcs:fd:allow /mnt/test2.dir
> setfacl: /mnt/test2.dir: acl_set_file() failed: Input/output error
>
> In all other respects, ACLs appear to be honored over NFSv4 - the user
> can access, create, modify and delete files as expected, and ACLs are
> appropriately inherited - the ACLs just cannot be manipulated.
>
> Linux client behavior is functionally identical:
>
> > mount | grep /mnt
> zfs07b:/ngs on /mnt type nfs4 (rw,addr=192.168.x.y)
> > nfs4_setfacl -a A:gfd:group2:rwxaDdtnNcy test2.dir
> Failed setxattr operation: Input/output error
>
> Is this a misconfiguration on my part, a known limitation, or a bug?
>
As far as I know, it should work. I only use UFS, but my understanding
is that ZFS always supports NFSv4 ACLs.

If you capture a packet trace from before you do the NFSv4 mount, I
can take a look and see what the server is saying. (Basically, at mount
time a reply to a Getattr should include the supported attributes and
that should include the ACL bit. Then the setfacl becomes a Setattr of
the ACL attribute.)
# tcpdump -s 0 -w acl.pcap host
- run on the client should do it

If you want to look at it, use wireshark. If you want me to look, just
email acl.pcap as an attachment.

rick
ps: Although I suspect it is the server that isn't behaving, please use
the FreeBSD client for the above.
pss: I've cc'd trasz@ in case he can spot some reason why it wouldn't work.

> More details:
>
> > zfs get version tank01/ngs
> NAME PROPERTY VALUE SOURCE
> tank01/ngs version 5 -
> > zpool get version tank01
> NAME PROPERTY VALUE SOURCE
> tank01 version 28 default
> > zfs get all tank01/ngs
> NAME PROPERTY VALUE SOURCE
> tank01/ngs type filesystem -
> tank01/ngs creation Tue May 1 16:15 2012 -
> tank01/ngs used 61.6G -
> tank01/ngs available 4.47T -
> tank01/ngs referenced 33.8G -
> tank01/ngs compressratio 4.23x -
> tank01/ngs mounted yes -
> tank01/ngs quota none default
> tank01/ngs reservation none default
> tank01/ngs recordsize 128K default
> tank01/ngs mountpoint /tank01/ngs default
> tank01/ngs sharenfs off default
> tank01/ngs checksum on default
> tank01/ngs compression gzip local
> tank01/ngs atime on default
> tank01/ngs devices on default
> tank01/ngs exec on default
> tank01/ngs setuid off inherited from tank01
> tank01/ngs readonly off default
> tank01/ngs jailed off default
> tank01/ngs snapdir hidden default
> tank01/ngs aclmode passthrough local
> tank01/ngs aclinherit passthrough-x local
> tank01/ngs canmount on default
> tank01/ngs xattr off temporary
> tank01/ngs copies 1 default
> tank01/ngs version 5 -
> tank01/ngs utf8only off -
> tank01/ngs normalization none -
> tank01/ngs casesensitivity sensitive -
> tank01/ngs vscan off default
> tank01/ngs nbmand off default
> tank01/ngs sharesmb off default
> tank01/ngs refquota none default
> tank01/ngs refreservation none default
> tank01/ngs primarycache all default
> tank01/ngs secondarycache all default
> tank01/ngs usedbysnapshots 27.8G -
> tank01/ngs usedbydataset 33.8G -
> tank01/ngs usedbychildren 0 -
> tank01/ngs usedbyrefreservation 0 -
> tank01/ngs logbias latency default
> tank01/ngs dedup off default
> tank01/ngs mlslabel -
> tank01/ngs sync standard default
> tank01/ngs refcompressratio 4.14x -
> > egrep 'nfs|zfs' /etc/rc.conf.local
> nfscbd_enable="YES"
> nfs_client_enable="YES"
> nfsuserd_enable="YES"
> nfsv4_server_enable="YES"
> nfs_server_enable="YES"
> zfs_enable="YES"
>
> Thanks,
> Andy
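
Added example (not part of the original message, and not FreeBSD code): the check described in the reply, that the supported attributes returned by Getattr include the ACL bit, done on the raw XDR bitmap4 bytes as they would be copied out of a capture. Attribute numbers and aclsupport flags are the RFC 3530 values; the sample byte strings are constructed, not taken from the poster's trace.

```python
import struct

# Attribute numbers from RFC 3530 (NFSv4); only a subset is named here.
FATTR4_NAMES = {0: "supported_attrs", 1: "type", 3: "change", 4: "size",
                12: "acl", 13: "aclsupport", 33: "mode", 36: "owner",
                37: "owner_group"}
FATTR4_ACL, FATTR4_ACLSUPPORT = 12, 13

# Bits of the aclsupport attribute value (RFC 3530 ACL4_SUPPORT_*_ACL).
ACLSUPPORT_FLAGS = {0x1: "ALLOW", 0x2: "DENY", 0x4: "AUDIT", 0x8: "ALARM"}


def decode_bitmap4(xdr: bytes) -> set:
    """Decode an XDR bitmap4: uint32 word count, then that many big-endian words."""
    if len(xdr) < 4:
        raise ValueError("truncated bitmap4: no length word")
    (count,) = struct.unpack_from(">I", xdr, 0)
    if len(xdr) < 4 + 4 * count:
        raise ValueError("truncated bitmap4: %d words announced" % count)
    words = struct.unpack_from(">%dI" % count, xdr, 4)
    # Attribute n lives in word n // 32, bit n % 32.
    return {32 * i + b for i, w in enumerate(words)
            for b in range(32) if (w >> b) & 1}


def acl_report(supported_xdr: bytes) -> dict:
    """Summarise whether a supported_attrs bitmap advertises ACL support."""
    attrs = decode_bitmap4(supported_xdr)
    return {"acl": FATTR4_ACL in attrs,
            "aclsupport": FATTR4_ACLSUPPORT in attrs,
            "named": sorted(FATTR4_NAMES[a] for a in attrs if a in FATTR4_NAMES)}


def decode_aclsupport(value: int) -> list:
    """List the ACE types a server claims to support in its aclsupport value."""
    return [name for bit, name in ACLSUPPORT_FLAGS.items() if value & bit]


# Constructed samples: two-word bitmaps, with and without bits 12 and 13 set.
WITH_ACL = bytes.fromhex("00000002" "0000301b" "00000032")
WITHOUT_ACL = bytes.fromhex("00000002" "0000001b" "00000032")

if __name__ == "__main__":
    for label, raw in (("with ACL", WITH_ACL), ("without ACL", WITHOUT_ACL)):
        print(label, acl_report(raw))
    print("aclsupport 0x3 ->", decode_aclsupport(0x3))
```

A server whose bitmap decodes without attribute 12 would be expected to reject a Setattr of the ACL attribute, which is the case the packet trace is meant to confirm or rule out.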