I have tested replacing POSIX with NFSv4, I have altered POSIX and altered NFSv4. The example below is NFSv4 changed to POSIX I have also tested on folders.
Action Details Pre Changes File is backed up, migrated and has a nfsv4 ACL > ls -l ---------- 1 root 16777221 102400000 Sep 18 15:07 100mb-9.dat > dsmls 102400000 0 0 m 100mb-9.dat > dsmc q backup “<file>” -inac 102,400,000 B 09/18/2019 15:53:41 NHM_DATA_MC A /…/100mb-9.dat 102,400,000 B 09/18/2019 15:08:58 NHM_DATA_MC I /…/100mb-9.dat >mmgetacl #NFSv4 ACL #owner:root #group:16777221 group:1399645580:rwx-:allow:Inherited (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (X)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED group:16783540:rwx-:allow:Inherited (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (X)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED group:16777360:r-x-:allow:Inherited (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED group:1399621272:r-x-:allow:Inherited (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED Erase the nfsv4 acl chown root:root chmod 770 POSIX permissions changed and NFSv4 ACL gone > ls -l -rwxrwx--- 1 root root 102400000 Sep 18 15:07 100mb-9.dat > dsmls 102400000 0 0 m 100mb-9.dat > dsmc q backup “<file>” -inac 102,400,000 B 09/18/2019 15:53:41 NHM_DATA_MC A /…/100mb-9.dat 102,400,000 B 09/18/2019 15:08:58 NHM_DATA_MC I /…/100mb-9.dat >mmgetacl #owner:root #group:root user::rwxc group::rwx- other::---- Incremental backup Backup ‘updates’ the backup, but doesn’t transfer any data. dsmc incr "100mb-9.dat" IBM Tivoli Storage Manager Command Line Backup-Archive Client Interface Client Version 7, Release 1, Level 6.4 Client date/time: 10/15/2019 17:57:59 (c) Copyright by IBM Corporation and other(s) 1990, 2016. All Rights Reserved. Node Name: NHM-XXX-XXX Session established with server TSM-XXXXXX: Windows Server Version 7, Release 1, Level 7.0 Server date/time: 10/15/2019 17:57:58 Last access: 10/15/2019 17:57:52 Accessing as node: XXX-XXX Incremental backup of volume '100mb-9.dat' Updating--> 102,400,000 /…/100mb-9.dat [Sent] Successful incremental backup of '/…/100mb-9.dat' Total number of objects inspected: 1 Total number of objects backed up: 0 Total number of objects updated: 1 Total number of objects rebound: 0 Total number of objects deleted: 0 Total number of objects expired: 0 Total number of objects failed: 0 Total number of objects encrypted: 0 Total number of objects grew: 0 Total number of retries: 0 Total number of bytes inspected: 97.65 MB Total number of bytes transferred: 0 B Data transfer time: 0.00 sec Network data transfer rate: 0.00 KB/sec Aggregate data transfer rate: 0.00 KB/sec Objects compressed by: 0% Total data reduction ratio: 100.00% Elapsed processing time: 00:00:01 Post backup Active Backup timestamp hasn’t changed, and file is still migrated. > ls -l -rwxrwx--- 1 root root 102400000 Sep 18 15:07 100mb-9.dat > dsmls 102400000 0 0 m 100mb-9.dat > dsmc q backup “<file>” -inac 102,400,000 B 09/18/2019 15:53:41 NHM_DATA_MC A /…/100mbM/100mb-9.dat 102,400,000 B 09/18/2019 15:08:58 NHM_DATA_MC I /…/100mbM/100mb-9.dat >mmgetacl #owner:root #group:root user::rwxc group::rwx- other::---- Restore dsmc restore "100mb-9.dat" "100mb-9.dat.restore" IBM Tivoli Storage Manager Command Line Backup-Archive Client Interface Client Version 7, Release 1, Level 6.4 Client date/time: 10/15/2019 18:02:09 (c) Copyright by IBM Corporation and other(s) 1990, 2016. All Rights Reserved. Node Name: NHM-XXX-XXX Session established with server TSM-XXXXXX: Windows Server Version 7, Release 1, Level 7.0 Server date/time: 10/15/2019 18:02:08 Last access: 10/15/2019 18:02:07 Accessing as node: HSM-NHM Restore function invoked. Restoring 102,400,000 /…/100mb-9.dat --> /…/100mb-9.dat.restore [Done] Restore processing finished. Total number of objects restored: 1 Total number of objects failed: 0 Total number of bytes transferred: 97.66 MB Data transfer time: 1.20 sec Network data transfer rate: 83,317.88 KB/sec Aggregate data transfer rate: 689.11 KB/sec Elapsed processing time: 00:02:25 Restored file Restored file has the same permissions as the last backup > ls -l -rwxrwx--- 1 root root 102400000 Sep 18 15:07 100mb-9.dat.restore > dsmls 102400000 102400000 160 r 100mb-9.dat.restore > dsmc q backup “<file>” -inac ANS1092W No files matching search criteria were found >mmgetacl #owner:root #group:root user::rwxc group::rwx- other::---- I have just noticed: File backedup with POSIX – restored file permissions POSIX File backedup with POSIX, changed to NFSv4 permissions, incremental backup – restore file permissions POSIX File backedup with NFSv4, Changed to POSIX permissions, incremental backup – restore file permissions POSIX File backedup with NFSv4, restore file permissions NFSv4 (there may be other variables involved) Kindest regards, Paul Paul Ward TS Infrastructure Architect Natural History Museum T: 02079426450 E: p.w...@nhm.ac.uk From: gpfsug-discuss-boun...@spectrumscale.org <gpfsug-discuss-boun...@spectrumscale.org> On Behalf Of Frederick Stock Sent: 15 October 2019 17:50 To: gpfsug-discuss@spectrumscale.org Cc: gpfsug-discuss@spectrumscale.org Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs Thanks Paul. Could you please clarify which ACL you changed, the GPFS NFSv4 ACL or the POSIX ACL? Fred __________________________________________________ Fred Stock | IBM Pittsburgh Lab | 720-430-8821 sto...@us.ibm.com<mailto:sto...@us.ibm.com> ----- Original message ----- From: Paul Ward <p.w...@nhm.ac.uk<mailto:p.w...@nhm.ac.uk>> Sent by: gpfsug-discuss-boun...@spectrumscale.org<mailto:gpfsug-discuss-boun...@spectrumscale.org> To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org<mailto:gpfsug-discuss@spectrumscale.org>> Cc: Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLs Date: Tue, Oct 15, 2019 12:18 PM Hi Fred, From the tests I have done changing the ACL results in just an ‘update’ to when using Spectrum Protect, even on migrated files. Kindest regards, Paul Paul Ward TS Infrastructure Architect Natural History Museum T: 02079426450 E: p.w...@nhm.ac.uk<mailto:p.w...@nhm.ac.uk> From: gpfsug-discuss-boun...@spectrumscale.org<mailto:gpfsug-discuss-boun...@spectrumscale.org> <gpfsug-discuss-boun...@spectrumscale.org<mailto:gpfsug-discuss-boun...@spectrumscale.org>> On Behalf Of Frederick Stock Sent: 15 October 2019 17:09 To: gpfsug-discuss@spectrumscale.org<mailto:gpfsug-discuss@spectrumscale.org> Cc: gpfsug-discuss@spectrumscale.org<mailto:gpfsug-discuss@spectrumscale.org> Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs As I understand if you change only the POSIX attributes on a file then you are correct that TSM will only backup the file metadata, actually just the POSIX relevant metadata. However, if you change ACLs or other GPFS specific metadata then TSM will backup the entire file, TSM does not keep all file metadata separate from the actual file data. Fred __________________________________________________ Fred Stock | IBM Pittsburgh Lab | 720-430-8821 sto...@us.ibm.com<mailto:sto...@us.ibm.com> ----- Original message ----- From: Simon Thompson <s.j.thomp...@bham.ac.uk<mailto:s.j.thomp...@bham.ac.uk>> Sent by: gpfsug-discuss-boun...@spectrumscale.org<mailto:gpfsug-discuss-boun...@spectrumscale.org> To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org<mailto:gpfsug-discuss@spectrumscale.org>> Cc: Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLs Date: Tue, Oct 15, 2019 11:41 AM I thought Spectrum Protect didn't actually backup again on a file owner change. Sure mmbackup considers it, but I think Protect just updates the metadata. There are also some other options for dsmc that can stop other similar issues if you change ctime maybe. (Other backup tools are available) Simon On 15/10/2019, 15:31, "gpfsug-discuss-boun...@spectrumscale.org on behalf of Jonathan Buzzard<mailto:gpfsug-discuss-boun...@spectrumscale.org%20on%20behalf%20of%20Jonathan%20Buzzard>" <gpfsug-discuss-boun...@spectrumscale.org on behalf of jonathan.buzz...@strath.ac.uk<mailto:gpfsug-discuss-boun...@spectrumscale.org%20on%20behalf%20of%20jonathan.buzz...@strath.ac.uk>> wrote: On Tue, 2019-10-15 at 12:34 +0000, Paul Ward wrote: > We are in the process of changing the way GPFS assigns UID/GIDs from > internal tdb to using AD RIDs with an offset that matches our linux > systems. We, therefore, need to change the ACLs for all the files in > GPFS (up to 80 million). You do realize that will mean backing everything up again.... > We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs > being applied. (This system was set up 14 years ago and has changed > roles over time) We are running on linux, so need to have POSIX > permissions enabled. We run on Linux and only have NFSv4 ACL's applied. I am not sure why you need POSIX ACL's if you are running Linux. Very very few applications will actually check ACL's or even for that matter permissions. They just do an fopen call or similar and the OS either goes yeah or neah, and the app needs to do something in the case of neah. > > What I want to know for those in a similar environment, what do you > have as the POSIX owner and group, when NFSv4 ACLs are in use? > root:root > > or do you have all files owned by a filesystem administrator account > and group: > <ad service account>:<ad fileserver admin group> > > on our samba shares we have : > admin users = @<ad fileserver admin group> > So don’t actually need the group defined in POSIX. > Samba works much better with NFSv4 ACL's. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG _______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org gpfsug.org<https://eur03.safelinks.protection.outlook.com/?url=outlook.com&data=02%7C01%7Cp.ward%40nhm.ac.uk%7C655b1d7b22244a274c4208d7518fb84b%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637067550028504673&sdata=IlugzXm8rZUK%2B2vKqZD9ScLiqsH%2F%2FaWvAP00wsK0AZI%3D&reserved=0> _______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org gpfsug.org<https://eur03.safelinks.protection.outlook.com/?url=outlook.com&data=02%7C01%7Cp.ward%40nhm.ac.uk%7C655b1d7b22244a274c4208d7518fb84b%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637067550028514667&sdata=GTpx9XQJv8fux5v0l72bfi%2FuNUhn94KVOEdkLVT4W5s%3D&reserved=0> _______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7Cp.ward%40nhm.ac.uk%7C655b1d7b22244a274c4208d7518fb84b%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637067550028514667&sdata=gkDED2GmyMs0j8OZfRyBLhCSDnExf%2B8GYYPItDo%2BQ08%3D&reserved=0>
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss