Date: Thu, 10 May 2012 17:23:12 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Andrew Leonard <lists@hurricane-ridge.com>
Cc: freebsd-fs@freebsd.org
Subject: Re: Unable to set ACLs on ZFS file system over NFSv4?
Message-ID: <353146957.236642.1336684992583.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <1446179418.236280.1336684418582.JavaMail.root@erie.cs.uoguelph.ca>
I wrote:
> Andrew Leonard wrote:
> > I have a ZFS file system on which I can successfully manipulate ACLs
> > locally, but am unable to do so when it is mounted remotely using
> > NFSv4 on both FreeBSD and Linux (CentOS 5) clients.
> >
> > The system in question is running 8-STABLE:
> >
> > FreeBSD zfs07.example.com 8.2-STABLE FreeBSD 8.2-STABLE #0:
> > Thu Nov 17 17:46:00 PST 2011
> > root@zfs07.example.com:/usr/obj/usr/src/sys/GENERIC amd64
> >
> > ACLs can be successfully manipulated locally; e.g. the following
> > returns no error and works as expected:
> >
> > > setfacl -m g:group2:rwxpDaRWcs:fd:allow /tank01/ngs/test.dir
> >
> > The file system is exported as follows in /etc/exports:
> >
> > /tank01/ngs -sec=sys
> > V4: /tank01 -sec=sys
> >
> > On the FreeBSD client, it is mounted using NFSv4, and behaves as
> > follows under the same user (sanitized to "user1", who is in
> > "group1"):
> >
> > > whoami
> > user1
> > > groups
> > group1 [...]
> > > mount | grep /mnt
> > zfs07b:/ngs on /mnt (newnfs, nfsv4acls)
> > > getfacl /mnt/test2.dir
> > # file: /mnt/test2.dir
> > # owner: user1
> > # group: group1
> > group:group1:rwxpDdaARWcCo-:fd----:allow
> > owner@:rwxp--aARWcCo-:------:allow
> > group@:r-x---a-R-c---:------:allow
> > everyone@:r-x---a-R-c---:------:allow
> > > setfacl -m g:group2:rwxpDaRWcs:fd:allow /mnt/test2.dir
> > setfacl: /mnt/test2.dir: acl_set_file() failed: Input/output error
> >
> > In all other respects, ACLs appear to be honored over NFSv4 - the user
> > can access, create, modify and delete files as expected, and ACLs are
> > appropriately inherited - the ACLs just cannot be manipulated.
> >
> > Linux client behavior is functionally identical:
> >
> > > mount | grep /mnt
> > zfs07b:/ngs on /mnt type nfs4 (rw,addr=192.168.x.y)
> > > nfs4_setfacl -a A:gfd:group2:rwxaDdtnNcy test2.dir
> > Failed setxattr operation: Input/output error
> >
> > Is this a misconfiguration on my part, a known limitation, or a bug?
> >
>
> As far as I know, it should work. I only use UFS, but my understanding
> is that ZFS always supports NFSv4 ACLs.
>
> If you capture a packet trace from before you do the NFSv4 mount, I can
> take a look and see what the server is saying. (Basically, at mount time
> a reply to a Getattr should include the supported attributes and that
> should include the ACL bit. Then the setfacl becomes a Setattr of the ACL
> attribute.)
> # tcpdump -s 0 -w acl.pcap host <server>
> - run on the client should do it
>
> If you want to look at it, use wireshark. If you want me to look, just
> email acl.pcap as an attachment.
>
> rick
> ps: Although I suspect it is the server that isn't behaving, please use
> the FreeBSD client for the above.
> pss: I've cc'd trasz@ in case he can spot some reason why it wouldn't
> work.
>
Oh, and make sure "user1" isn't in more than 16 groups, because that
is the limit for AUTH_SYS. (I'm not sure what the effect of user1 being
in more than 16 groups would be, but might as well eliminate it as a
cause.)

> > More details:
> >
> > > zfs get version tank01/ngs
> > NAME        PROPERTY  VALUE  SOURCE
> > tank01/ngs  version   5      -
> > > zpool get version tank01
> > NAME    PROPERTY  VALUE  SOURCE
> > tank01  version   28     default
> > > zfs get all tank01/ngs
> > NAME        PROPERTY              VALUE                  SOURCE
> > tank01/ngs  type                  filesystem             -
> > tank01/ngs  creation              Tue May 1 16:15 2012   -
> > tank01/ngs  used                  61.6G                  -
> > tank01/ngs  available             4.47T                  -
> > tank01/ngs  referenced            33.8G                  -
> > tank01/ngs  compressratio         4.23x                  -
> > tank01/ngs  mounted               yes                    -
> > tank01/ngs  quota                 none                   default
> > tank01/ngs  reservation           none                   default
> > tank01/ngs  recordsize            128K                   default
> > tank01/ngs  mountpoint            /tank01/ngs            default
> > tank01/ngs  sharenfs              off                    default
> > tank01/ngs  checksum              on                     default
> > tank01/ngs  compression           gzip                   local
> > tank01/ngs  atime                 on                     default
> > tank01/ngs  devices               on                     default
> > tank01/ngs  exec                  on                     default
> > tank01/ngs  setuid                off                    inherited from tank01
> > tank01/ngs  readonly              off                    default
> > tank01/ngs  jailed                off                    default
> > tank01/ngs  snapdir               hidden                 default
> > tank01/ngs  aclmode               passthrough            local
> > tank01/ngs  aclinherit            passthrough-x          local
> > tank01/ngs  canmount              on                     default
> > tank01/ngs  xattr                 off                    temporary
> > tank01/ngs  copies                1                      default
> > tank01/ngs  version               5                      -
> > tank01/ngs  utf8only              off                    -
> > tank01/ngs  normalization         none                   -
> > tank01/ngs  casesensitivity       sensitive              -
> > tank01/ngs  vscan                 off                    default
> > tank01/ngs  nbmand                off                    default
> > tank01/ngs  sharesmb              off                    default
> > tank01/ngs  refquota              none                   default
> > tank01/ngs  refreservation        none                   default
> > tank01/ngs  primarycache          all                    default
> > tank01/ngs  secondarycache        all                    default
> > tank01/ngs  usedbysnapshots       27.8G                  -
> > tank01/ngs  usedbydataset         33.8G                  -
> > tank01/ngs  usedbychildren        0                      -
> > tank01/ngs  usedbyrefreservation  0                      -
> > tank01/ngs  logbias               latency                default
> > tank01/ngs  dedup                 off                    default
> > tank01/ngs  mlslabel                                     -
> > tank01/ngs  sync                  standard               default
> > tank01/ngs  refcompressratio      4.14x                  -
> > > egrep 'nfs|zfs' /etc/rc.conf.local
> > nfscbd_enable="YES"
> > nfs_client_enable="YES"
> > nfsuserd_enable="YES"
> > nfsv4_server_enable="YES"
> > nfs_server_enable="YES"
> > zfs_enable="YES"
> >
> > Thanks,
> > Andy
> > _______________________________________________
> > freebsd-fs@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
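
The message above says the Getattr reply at mount time should list the ACL attribute among the supported attributes; that check can be made by decoding the supported_attrs bitmap from the captured reply. This is an added example, not part of the original message: the attribute numbers come from the NFSv4 protocol (RFC 3530), and the function names and byte strings are constructed for illustration, not taken from a real trace.

```python
import struct

# Attribute numbers defined by the NFSv4 protocol (RFC 3530).
FATTR4_SUPPORTED_ATTRS = 0
FATTR4_ACL = 12

def read_bitmap4(buf, off):
    """Decode an XDR bitmap4: a uint32 word count, then that many uint32 words."""
    (count,) = struct.unpack_from(">I", buf, off)
    off += 4
    if count > 8 or off + 4 * count > len(buf):
        raise ValueError("truncated or implausible bitmap4")
    return list(struct.unpack_from(">%dI" % count, buf, off)), off + 4 * count

def bit_set(words, n):
    """Attribute n is bit (n % 32) of word (n // 32)."""
    w = n // 32
    return w < len(words) and bool((words[w] >> (n % 32)) & 1)

def supported_attrs(fattr4):
    """Return the supported_attrs words from an XDR-encoded fattr4."""
    mask, off = read_bitmap4(fattr4, 0)
    if not bit_set(mask, FATTR4_SUPPORTED_ATTRS):
        raise ValueError("reply does not carry supported_attrs")
    (vals_len,) = struct.unpack_from(">I", fattr4, off)
    vals = fattr4[off + 4 : off + 4 + vals_len]
    if len(vals) != vals_len:
        raise ValueError("truncated attr_vals")
    # Values are packed in attribute-number order, so attribute 0 is first.
    return read_bitmap4(vals, 0)[0]

def server_offers_acl(fattr4):
    """True if the server lists the ACL attribute as supported."""
    return bit_set(supported_attrs(fattr4), FATTR4_ACL)

def build_fattr4(words):
    """Build a constructed fattr4 that carries only supported_attrs."""
    vals = struct.pack(">I%dI" % len(words), len(words), *words)
    mask = struct.pack(">II", 1, 1 << FATTR4_SUPPORTED_ATTRS)
    return mask + struct.pack(">I", len(vals)) + vals

# Constructed samples, not taken from a real trace.
WITH_ACL = build_fattr4([0x0010FFFF, 0x0000003A])
WITHOUT_ACL = build_fattr4([0x0010CFFF, 0x0000003A])

if __name__ == "__main__":
    for name, blob in (("sample 1", WITH_ACL), ("sample 2", WITHOUT_ACL)):
        print(name, "ACL offered" if server_offers_acl(blob) else "ACL bit missing")
```
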