[gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster
Chetan R Kulkarni
chetkulk at in.ibm.com
Tue Aug 8 17:30:13 BST 2017
(It seems my earlier reply created a new topic; hence I am trying to reply
back to the original thread started by Ilan Schwarts...)
>> # mount -t nfs 10.10.158.61:/fs_gpfs01/nfs /mnt/nfs4
>> [root@CentOS7286-64 nfs4]# nfs4_getfacl mydir11
>> Operation to request attribute not supported.
>> [root@CentOS7286-64 nfs4]#
On my test setup (RHEL 7.3 nodes in the GPFS cluster and a RHEL 7.2 NFS
client), I can successfully read NFSv4 ACLs (nfs4_getfacl).
Can you please try the following on your setup?
1> Capture network packets for the above failure and check what the NFS
server returns to GETATTR.
=> tcpdump -i any host 10.10.158.61 -w /tmp/getfacl.cap & sleep 1; nfs4_getfacl mydir11; kill %1
2> Also check that the nfs4_getfacl version is up to date.
=> /usr/bin/nfs4_getfacl -H
3> If the above doesn't help, then make sure you have sufficient NFSv4 ACLs
to read ACLs
(as per my understanding, for reading NFSv4 ACLs one needs EXEC_SEARCH
on /fs_gpfs01/nfs and READ_ACL on /fs_gpfs01/nfs/mydir11).
=> mmgetacl -k nfs4 /fs_gpfs01/nfs
=> mmgetacl -k nfs4 /fs_gpfs01/nfs/mydir11
Thanks,
Chetan.
From: gpfsug-discuss-request at spectrumscale.org
To: gpfsug-discuss at spectrumscale.org
Date: 08/08/2017 04:30 PM
Subject: gpfsug-discuss Digest, Vol 67, Issue 21
Sent by: gpfsug-discuss-bounces at spectrumscale.org
Message: 1
Date: Tue, 8 Aug 2017 07:28:20 +0300
From: Ilan Schwarts <ilan84 at gmail.com>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS
cluster
Message-ID: <CAJUuSvGwzKdL3NjsxEN+s-BDxXvBsmFQbDOZ=KakmU4KB+aH9g at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi,
The command should work from the server side, I know... but isn't the scenario of:
Root user, that is mounted via NFSv4 to a GPFS filesystem, cannot edit any
of the mounted files'/dirs' ACLs?
The ACLs are editable only from the server side?
Thanks!
On Aug 8, 2017 00:10, "James Davis" <jamiedavis at us.ibm.com> wrote:
> Hi Ilan,
>
> 1. Your command might work from the server side; you said you tried it
> from the client side. Could you find anything in the docs about this? I
> could not.
>
> 2. I can share this NFSv4-themed wrapper around mmputacl if it would be
> useful to you. You would have to run it from the GPFS side, not the NFS
> client side.
>
> Regards,
>
> Jamie
>
> # ./updateNFSv4ACL -h
> Update the NFSv4 ACL governing a file's access permissions.
> Appends to the existing ACL, overwriting conflicting permissions.
> Usage: ./updateNFSv4ACL -file /path/to/file { ADD_PERM_SPEC |
> DEL_PERM_SPEC }+
> ADD_PERM_SPEC: { -owningUser PERM | -owningGroup PERM | -other PERM |
> -ace nameType:name:PERM:aceType }
> DEL_PERM_SPEC: { -noACEFor nameType:name }
> PERM: Specify a string composed of one or more of the following letters
> in no particular order:
> r (ead)
> w (rite)
> a (ppend) Must agree with write
> x (execute)
> d (elete)
> D (elete child) Dirs only
> t (read attrs)
> T (write attrs)
> c (read ACL)
> C (write ACL)
> o (change owner)
> You can also provide these, but they will have no effect in GPFS:
> n (read named attrs)
> N (write named attrs)
> y (support synchronous I/O)
>
> To indicate no permissions, give a -
> nameType: 'user' or 'group'.
> aceType: 'allow' or 'deny'.
> Examples: ./updateNFSv4ACL -file /fs1/f -owningUser rtc -owningGroup
> rwaxdtc -other '-'
> Assign these permissions to 'owner', 'group', 'other'.
> ./updateNFSv4ACL -file /fs1/f -ace 'user:pfs001:rtc:allow'
> -noACEFor 'group:fvt001'
> Allow user pfs001 read/read attrs/read ACL permission
> Remove all ACEs (allow and deny) for group fvt001.
> Notes:
> Permissions you do not allow are denied by default.
> See the GPFS docs for some other restrictions.
> ace is short for Access Control Entry
>
>
> ----- Original message -----
> From: Ilan Schwarts <ilan84 at gmail.com>
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Cc:
> Subject: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster
> Date: Mon, Aug 7, 2017 9:27 AM
>
> Hi all,
> My setup is 2 nodes GPFS and 1 machine as NFS Client.
> All machines (3 total) run CentOS 7.2
>
> The 3rd CentOS machine (not part of the cluster) used as NFS Client.
>
> I mount the NFS Client machine to one of the nodes: mount -t nfs
> 10.10.158.61:/fs_gpfs01/nfs /mnt/nfs4
>
> This gives me the following:
>
> [root@CentOS7286-64 ~]# mount -v | grep gpfs
> 10.10.158.61:/fs_gpfs01/nfs on /mnt/nfs4 type nfs4 (rw,relatime,vers=4.0,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.10.149.188,local_lock=none,addr=10.10.158.61)
>
> Now, From the Client NFS Machine, I go to the mount directory ("cd
> /mnt/nfs4") and try to set an acl. Since NFSv4 should be supported, I
> use nfs4_getfacl:
> [root@CentOS7286-64 nfs4]# nfs4_getfacl mydir11
> Operation to request attribute not supported.
> [root@CentOS7286-64 nfs4]#
>
> From the NODE machine I see the status:
> [root@LH20-GPFS1 fs_gpfs01]# mmlsfs fs_gpfs01
> flag                    value                    description
> ----------------------- ------------------------ -----------------------------------
> -f                      8192                     Minimum fragment size in bytes
> -i                      4096                     Inode size in bytes
> -I                      16384                    Indirect block size in bytes
> -m                      1                        Default number of metadata replicas
> -M                      2                        Maximum number of metadata replicas
> -r                      1                        Default number of data replicas
> -R                      2                        Maximum number of data replicas
> -j                      cluster                  Block allocation type
> -D                      nfs4                     File locking semantics in effect
> -k                      nfs4                     ACL semantics in effect
> -n                      32                       Estimated number of nodes that will mount file system
> -B                      262144                   Block size
> -Q                      none                     Quotas accounting enabled
>                         none                     Quotas enforced
>                         none                     Default quotas enabled
> --perfileset-quota      No                       Per-fileset quota enforcement
> --filesetdf             No                       Fileset df enabled?
> -V                      16.00 (4.2.2.0)          File system version
> --create-time           Wed Jul 5 12:28:39 2017  File system creation time
> -z                      No                       Is DMAPI enabled?
> -L                      4194304                  Logfile size
> -E                      Yes                      Exact mtime mount option
> -S                      No                       Suppress atime mount option
> -K                      whenpossible             Strict replica allocation option
> --fastea                Yes                      Fast external attributes enabled?
> --encryption            No                       Encryption enabled?
> --inode-limit           171840                   Maximum number of inodes in all inode spaces
> --log-replicas          0                        Number of log replicas
> --is4KAligned           Yes                      is4KAligned?
> --rapid-repair          Yes                      rapidRepair enabled?
> --write-cache-threshold 0                        HAWC Threshold (max 65536)
> -P                      system                   Disk storage pools in file system
> -d                      nynsd1;nynsd2            Disks in file system
> -A                      yes                      Automatic mount option
> -o                      none                     Additional mount options
> -T                      /fs_gpfs01               Default mount point
> --mount-priority        0                        Mount priority
>
>
>
> I saw this thread:
> https://serverfault.com/questions/655112/nfsv4-acls-on-gpfs/722200
>
> Is it still relevant ? Since 2014..
>
> Thanks !
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
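Step 3 of the reply at the top of this page asks whether the caller holds READ_ACL on the directory and EXEC/SEARCH on its parent. As an added example (not code from the thread or from GPFS), this Python parses text in the layout `mmgetacl -k nfs4` prints and decides one permission bit by ordered first-match NFSv4 ACE evaluation. The sample ACL, the users alice and bob, and the function names are constructed; implicit owner or root rights are not modelled.

```python
import re

# Constructed sample in the layout `mmgetacl -k nfs4` prints (not from the thread).
SAMPLE = """\
#NFSv4 ACL
#owner:root
#group:root
user:alice:----:deny
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (X)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:everyone@:r-x-:allow
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
"""

ACE = re.compile(r"^(special|user|group):([^:]+):[rwxc-]{4}:(allow|deny)(.*)$")
BIT = re.compile(r"\(X\)([A-Z_/]+)")

def parse(text):
    """Return (owner, owning_group, aces) parsed from `mmgetacl -k nfs4` text."""
    meta, aces = {}, []
    for line in text.splitlines():
        m = ACE.match(line)
        if line.startswith(("#owner:", "#group:")):
            key, value = line[1:].split(":", 1)
            meta[key] = value.strip()
        elif m:
            aces.append({"kind": m[1], "name": m[2], "type": m[3],
                         "flags": m[4], "bits": set()})
        elif aces:  # permission lines belong to the ACE header above them
            aces[-1]["bits"].update(BIT.findall(line))
    return meta.get("owner"), meta.get("group"), aces

def granted(text, user, groups, perm):
    """First ACE that names the requester and carries `perm` decides; else deny."""
    owner, ogroup, aces = parse(text)
    for a in aces:
        who = (a["kind"], a["name"])
        applies = (who == ("special", "everyone@")
                   or (who == ("special", "owner@") and user == owner)
                   or (who == ("special", "group@") and ogroup in groups)
                   or who == ("user", user)
                   or (a["kind"] == "group" and a["name"] in groups))
        if applies and "InheritOnly" not in a["flags"] and perm in a["bits"]:
            return a["type"] == "allow"
    return False
```

Run it against the saved output for both the parent directory (`EXEC/SEARCH`) and the target (`READ_ACL`); a deny ACE placed ahead of a broader allow is the case a quick visual scan tends to miss.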