An equally weird option is to install the GPFS GUI and use the /usr/lpp/mmfs/gui/cli/chacl command. It has all the capabilities you ask for. This CLI is internally used to do the test automation of the GUI's backend layer and not really supported, but it works just fine. Drawback is that this command exists only on nodes running the GUI.
Mit freundlichen Grüßen / Kind regards
![]()
| |
|
IBM Deutschland Research & Development GmbH / Vorsitzende des Aufsichtsrats: Matthias Hartmann / Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
----- Original message -----
From: Jonathan Buzzard <[email protected]>
Sent by: [email protected]
To: [email protected]
Cc:
Subject: Re: [gpfsug-discuss] Adding to an existing GPFS ACL
Date: Wed, Mar 27, 2019 11:58 PM
On 27/03/2019 15:59, Buterbaugh, Kevin L wrote:
[SNIP]
> So am I missing something?
Nope you are not missing anything. Setting NFSv4 ACL's on GPFS on
*LINUX* has always been a steaming pile of Brontosaurus droppings.
I have been on about since 2011... Search the mailing list archives.
> Is there an easier solution than writing a
> script which recurses over the fileset, gets the existing ACL with
> mmgetacl and outputs that to a file, edits that file to add in the new
> group, and passes that as input to mmputacl? That seems very cumbersome
> and error prone, especially if I’m the one writing the script!
>
The best option is to get yourself a pSeries machine, install AIX and
GPFS and use the native AIX ACL command to set the ACL's. This works
because AIX has a mechanism for passing NFSv4 ACL's through it's VFS
interface. The RichACL kernel patches for Linux to give it the same
functionality went nowhere. Noting that the XFS and JFS file systems,
internally have NFSv4 ACL support.
The next best option is to export it as an NSFv4 file system and use a
Linux/FreeBSD machine to set the ACL's (a Mac might even work). Expect
performance to not be great.
The next best option is to do an SMB export, mount it on Linux and use
setcifsacl or map it on Windows and use cacls command. Some
experimentation on working out exactly how NFSv4 ACLS get mapped to
Windows ACLS would be advisable before a mass apply though. I don't
think it is possible to set all NFSv4 ACL options using this method.
Probably the best option, but which is not publicly available is to use
my modified version of the Linux nfs4_setacl command :-)
You just modify nfs4_acl_for_path.c and nfs4_set_acl.c so they
read/write the GPFS ACL struct and convert between the GPFS
representation and the internal data structure used by the
nfs4-acl-tools to hold NFSv4 ACL's.
However I have not put it any where public because the GPFS API
documentation is incomplete when it comes to ACL's. Consequently I can't
be sure it is safe so I am not releasing it. I have two questions that I
would like answering before I make it public. I will ask them for the
third time, in hopes someone at IBM is actually listening.
1. What's the purpose of a special flag to indicate that it is smbd
setting the ACL? Does this tie in with the undocumented "mmchfs -k
samba" feature?
2. There is a whole bunch of stuff in the documentation about v4.1
ACL's. How does one trigger that. All I seem to be able to do is
get POSIX and v4 ACL's. Do you get v4.1 ACL's if you set the file
system to "Samba" ACL's or am I missing something.
The other option is to write a script. Personally I would use
Perl/Python rather than a shell script as it would be easier to read the
result of mmgetacl into a buffer, append the extra bits and write it out
again with mmputacl. It is horribly slow however if you have millions of
files to iterate over. Trust me back in 2011 I had Perl scripts for
setting ACL's.
The final option though not quick would be for IBM to actually implement
a mmsetfacl command. Surely it would not be too hard to take the code
from AIX and modify the bits that set ACL's to use the GPFS API.
Alternatively take the FreeBSD ACL commands and use them as a starting
point. However I would not hold your breath for IBM if you expect them
to fix the situation.
JAB.
--
Jonathan A. Buzzard Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
