Re: [gpfsug-discuss] default owner and group for POSIX ACLs
On Wed, Oct 16, 2019 at 09:32:50PM +, Jonathan Buzzard wrote: > On 15/10/2019 16:41, Simon Thompson wrote: > > I thought Spectrum Protect didn't actually backup again on a file > > owner change. Sure mmbackup considers it, but I think Protect just > > updates the metadata. There are also some other options for dsmc that > > can stop other similar issues if you change ctime maybe. > > > > (Other backup tools are available) > > > > It certainly used too. I spent six months carefully chown'ing files one > user at a time so as not to overwhelm the backup, because the first > group I did meant no backup for about a week... > > I have not kept a close eye on it and have just worked on the assumption > for the last decade of "don't do that". If it is no longer the case I > apologize for spreading incorrect information. TSM can store some amount of metadata in its database without spilling over to a storage pool, so whether a metadata update is cheap or expensive depends not just on ACLs/extended attributes but also the directory entry name length. It can definitely make for some seemingly non-deterministic backup behavior. -- -- Skylar Thompson (skyl...@u.washington.edu) -- Genome Sciences Department, System Administrator -- Foege Building S046, (206)-685-7354 -- University of Washington School of Medicine ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
On 15/10/2019 16:41, Simon Thompson wrote: > I thought Spectrum Protect didn't actually backup again on a file > owner change. Sure mmbackup considers it, but I think Protect just > updates the metadata. There are also some other options for dsmc that > can stop other similar issues if you change ctime maybe. > > (Other backup tools are available) > It certainly used too. I spent six months carefully chown'ing files one user at a time so as not to overwhelm the backup, because the first group I did meant no backup for about a week... I have not kept a close eye on it and have just worked on the assumption for the last decade of "don't do that". If it is no longer the case I apologize for spreading incorrect information. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
Paul in regards to your question I would think you want to use NFSv4 ACLs and set the chmodAndUpdateAcl option on the fileset (see mmcrfileset/mmchfileset). Fred__Fred Stock | IBM Pittsburgh Lab | 720-430-8821sto...@us.ibm.com - Original message -From: Paul Ward Sent by: gpfsug-discuss-boun...@spectrumscale.orgTo: gpfsug main discussion list Cc:Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLsDate: Wed, Oct 16, 2019 7:00 AM We are running GPFS 4.2.3 with Arcpix build 3.5.10 or 3.5.12.We don't have Ganesha in the build. I'm not sure about the NFS service.Thanks for the responses, its interesting how the discussion has branched into Ganesha and what ACL changes are picked up by Spectrum Protect and mmbackup (my next major change).Any more responses on what is the best practice for the default POSIX owner and group of files and folders, when NFSv4 ACLs are used for SMB shares?Kindest regards,PaulPaul WardTS Infrastructure ArchitectNatural History MuseumT: 02079426450E: p.w...@nhm.ac.uk-Original Message-From: gpfsug-discuss-boun...@spectrumscale.org On Behalf Of Jonathan BuzzardSent: 16 October 2019 10:36To: gpfsug main discussion list Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLsOn Wed, 2019-10-16 at 08:21 +, Malahal R Naineni wrote: >> Ganesha shows functions for converting between GPFS ACL's and the ACL format as used by Ganesha. Ganesha only supports NFSv4 ACLs, so the conversion is a quick one. kernel NFS server converts NFSv4 ACLs to POSIX ACLs (the mapping isn't perfect) as many of the Linux file systems only support POSIX ACLs (at least this was the behavior). Yes but the point is you don't need POSIX ACL's on your file system if you are doing NFS exports if you use Ganesha as your NFS server and only do NFSv4 exports. It is then down to the client to deal with the ACL's which the Linux client does. In fact it has for as long as I can remember. There are even tools to manipulate the NFSv4 ACL's (see nfs4- acl-tools on RHEL and derivatives).What's missing is "rich ACL" support in the Linux kernel.https://l.antigena.com/l/wElAOKB71BMteh5p3MJsrMJ1piEPqSzVv7jGE7WAADAaMiBDMV~~SJdC~qYZEePn7-JksRn9_H6cg21GWyrYE77TnWcAWsMEnF3Nwuug0tRR7ud7GDl9vPM3iafYImA3LyGuQInuXsXilJ6R9e2qmotMPRr~Lsq9CHJ2fsu1dBR1EL622lakpWuKLhjucFNsxUODYLWWFMzVbWj_AigKVAIMEX8Xqs0hGKXpOmjJOTejZDjM8bOCA1-jl06wU3DoT-ad3latFOtGR-oTHHwhAmu792L7Grmas12aetAuhTHnCQ6BBtRLGR_-iVJFYKfdyJNMVsDeKcBEBKKFSZdF~7ozqBouoIAZPE6cOA8KQIeh6mt1~_n which seems to be down at the moment. Though there has been activity on the user space utilities.https://eur03.safelinks.protection.outlook.com/?url=""> Is it possible to get IBM to devote some resources to moving this along. It would make using GPFS on Linux with ACL's a more pleasant experience.JAB.--Jonathan A. Buzzard Tel: +44141-5483420HPC System Administrator, ARCHIE-WeSt.University of Strathclyde, John Anderson Building, Glasgow. G4 0NG___gpfsug-discuss mailing listgpfsug-discuss at spectrumscale.orghttps://eur03.safelinks.protection.outlook.com/?url=""> ___gpfsug-discuss mailing listgpfsug-discuss at spectrumscale.orghttp://gpfsug.org/mailman/listinfo/gpfsug-discuss ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
We are running GPFS 4.2.3 with Arcpix build 3.5.10 or 3.5.12. We don't have Ganesha in the build. I'm not sure about the NFS service. Thanks for the responses, its interesting how the discussion has branched into Ganesha and what ACL changes are picked up by Spectrum Protect and mmbackup (my next major change). Any more responses on what is the best practice for the default POSIX owner and group of files and folders, when NFSv4 ACLs are used for SMB shares? Kindest regards, Paul Paul Ward TS Infrastructure Architect Natural History Museum T: 02079426450 E: p.w...@nhm.ac.uk -Original Message- From: gpfsug-discuss-boun...@spectrumscale.org On Behalf Of Jonathan Buzzard Sent: 16 October 2019 10:36 To: gpfsug main discussion list Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs On Wed, 2019-10-16 at 08:21 +, Malahal R Naineni wrote: >> Ganesha shows functions for converting between GPFS ACL's and the ACL format as used by Ganesha. Ganesha only supports NFSv4 ACLs, so the conversion is a quick one. kernel NFS server converts NFSv4 ACLs to POSIX ACLs (the mapping isn't perfect) as many of the Linux file systems only support POSIX ACLs (at least this was the behavior). Yes but the point is you don't need POSIX ACL's on your file system if you are doing NFS exports if you use Ganesha as your NFS server and only do NFSv4 exports. It is then down to the client to deal with the ACL's which the Linux client does. In fact it has for as long as I can remember. There are even tools to manipulate the NFSv4 ACL's (see nfs4- acl-tools on RHEL and derivatives). What's missing is "rich ACL" support in the Linux kernel. https://l.antigena.com/l/wElAOKB71BMteh5p3MJsrMJ1piEPqSzVv7jGE7WAADAaMiBDMV~~SJdC~qYZEePn7-JksRn9_H6cg21GWyrYE77TnWcAWsMEnF3Nwuug0tRR7ud7GDl9vPM3iafYImA3LyGuQInuXsXilJ6R9e2qmotMPRr~Lsq9CHJ2fsu1dBR1EL622lakpWuKLhjucFNsxUODYLWWFMzVbWj_AigKVAIMEX8Xqs0hGKXpOmjJOTejZDjM8bOCA1-jl06wU3DoT-ad3latFOtGR-oTHHwhAmu792L7Grmas12aetAuhTHnCQ6BBtRLGR_-iVJFYKfdyJNMVsDeKcBEBKKFSZdF~7ozqBouoIAZPE6cOA8KQIeh6mt1~_n which seems to be down at the moment. Though there has been activity on the user space utilities. https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fandreas-gruenbacher%2Frichacl%2Fdata=02%7C01%7Cp.ward%40nhm.ac.uk%7C2c1e0145dadd4d35842508d7521c4b9c%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637068153793755413sdata=aUmCoKIC1N5TU95ILatCp2IlmdJ1gKKL8y%2F1V3kWb3M%3Dreserved=0 Is it possible to get IBM to devote some resources to moving this along. It would make using GPFS on Linux with ACL's a more pleasant experience. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discussdata=02%7C01%7Cp.ward%40nhm.ac.uk%7C2c1e0145dadd4d35842508d7521c4b9c%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637068153793755413sdata=ZXLszye50npdSFIu1FuLK3eDbUd%2BV5h29xP1N3XD0jQ%3Dreserved=0 ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
On Wed, 2019-10-16 at 08:21 +, Malahal R Naineni wrote: > >> Ganesha shows functions for converting between GPFS ACL's and the > ACL format as used by Ganesha. > > Ganesha only supports NFSv4 ACLs, so the conversion is a quick one. > kernel NFS server converts NFSv4 ACLs to POSIX ACLs (the mapping > isn't perfect) as many of the Linux file systems only support POSIX > ACLs (at least this was the behavior). > Yes but the point is you don't need POSIX ACL's on your file system if you are doing NFS exports if you use Ganesha as your NFS server and only do NFSv4 exports. It is then down to the client to deal with the ACL's which the Linux client does. In fact it has for as long as I can remember. There are even tools to manipulate the NFSv4 ACL's (see nfs4- acl-tools on RHEL and derivatives). What's missing is "rich ACL" support in the Linux kernel. www.bestbits.at/richacl/ which seems to be down at the moment. Though there has been activity on the user space utilities. https://github.com/andreas-gruenbacher/richacl/ Is it possible to get IBM to devote some resources to moving this along. It would make using GPFS on Linux with ACL's a more pleasant experience. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
>> Ganesha shows functions for converting between GPFS ACL's and the ACL format as used by Ganesha. Ganesha only supports NFSv4 ACLs, so the conversion is a quick one. kernel NFS server converts NFSv4 ACLs to POSIX ACLs (the mapping isn't perfect) as many of the Linux file systems only support POSIX ACLs (at least this was the behavior). Regards, Malahal. - Original message -From: Jonathan Buzzard Sent by: gpfsug-discuss-boun...@spectrumscale.orgTo: "gpfsug-discuss@spectrumscale.org" Cc:Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLsDate: Wed, Oct 16, 2019 2:04 AM On 15/10/2019 17:15, Paul Ward wrote:[SNIP]>> ...I am not sure why you need POSIX ACL's if you are running Linux...> From what I have recently read...> https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_admnfsaclg.htm> "Linux does not allow a file system to be NFS V4 exported unless it supports POSIX ACLs.">Only if you are using the inbuilt kernel NFS server, which IMHO is awfulfrom a management perspective. That is you have zero visibility intowhat the hell it is doing when it all goes pear shaped unless you breakout dtrace. I am not sure that using dtrace on a production service tofind out what is going on is "best practice". It also in my experiencestops you cleanly shutting down most of the time. The sooner it getsremoved from the kernel the better IMHO.If you are using protocol nodes which is the only supported option asfar as I am aware then that does not apply. I would imagined if you arerolling your own Ganesha NFS server it won't matter either.Checking the code of the FSAL in Ganesha shows functions for convertingbetween GPFS ACL's and the ACL format as used by Ganesha. Myunderstanding was one of the drivers for using Ganesha as an NFS serverwith GPFS was you can write a FSAL to do just that, in the same way ason Samba you load the vfs_gpfs module, unless you are into selfflagellation I guess.JAB.--Jonathan A. Buzzard Tel: +44141-5483420HPC System Administrator, ARCHIE-WeSt.University of Strathclyde, John Anderson Building, Glasgow. G4 0NG___gpfsug-discuss mailing listgpfsug-discuss at spectrumscale.orghttp://gpfsug.org/mailman/listinfo/gpfsug-discuss ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
Hi In case you want to review with ls -l the POSIX permissions, please put the relevant permissions on the SMB share, and add CREATOROWNER & CREATETORGROUP. Than ls -l will show you the owner + group + everyone permissions. Regards Yaron Daniel 94 Em Ha'Moshavot Rd Storage Architect – IL Lab Services (Storage) Petach Tiqva, 49527 IBM Global Markets, Systems HW Sales Israel Phone: +972-3-916-5672 Fax: +972-3-916-5672 Mobile: +972-52-8395593 e-mail: y...@il.ibm.com Webex:https://ibm.webex.com/meet/yard IBM Israel From: Jonathan Buzzard To: "gpfsug-discuss@spectrumscale.org" Date: 15/10/2019 23:34 Subject:[EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLs Sent by:gpfsug-discuss-boun...@spectrumscale.org On 15/10/2019 17:15, Paul Ward wrote: [SNIP] >> ...I am not sure why you need POSIX ACL's if you are running Linux... > From what I have recently read... > https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_admnfsaclg.htm > "Linux does not allow a file system to be NFS V4 exported unless it supports POSIX ACLs." > Only if you are using the inbuilt kernel NFS server, which IMHO is awful from a management perspective. That is you have zero visibility into what the hell it is doing when it all goes pear shaped unless you break out dtrace. I am not sure that using dtrace on a production service to find out what is going on is "best practice". It also in my experience stops you cleanly shutting down most of the time. The sooner it gets removed from the kernel the better IMHO. If you are using protocol nodes which is the only supported option as far as I am aware then that does not apply. I would imagined if you are rolling your own Ganesha NFS server it won't matter either. Checking the code of the FSAL in Ganesha shows functions for converting between GPFS ACL's and the ACL format as used by Ganesha. My understanding was one of the drivers for using Ganesha as an NFS server with GPFS was you can write a FSAL to do just that, in the same way as on Samba you load the vfs_gpfs module, unless you are into self flagellation I guess. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org https://urldefense.proofpoint.com/v2/url?u=http-3A__gpfsug.org_mailman_listinfo_gpfsug-2Ddiscuss=DwICAg=jf_iaSHvJObTbx-siA1ZOg=Bn1XE9uK2a9CZQ8qKnJE3Q=b8w1GtIuT4M2ayhd-sZvIeIGVRrqM7QoXlh1KVj4Zq4=huFx7k3Vx10aZ-7AVq1HSVo825JPWVdFaEu3G3Dh-78= ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
On 15/10/2019 17:15, Paul Ward wrote: [SNIP] >> ...I am not sure why you need POSIX ACL's if you are running Linux... > From what I have recently read... > https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_admnfsaclg.htm > "Linux does not allow a file system to be NFS V4 exported unless it supports > POSIX ACLs." > Only if you are using the inbuilt kernel NFS server, which IMHO is awful from a management perspective. That is you have zero visibility into what the hell it is doing when it all goes pear shaped unless you break out dtrace. I am not sure that using dtrace on a production service to find out what is going on is "best practice". It also in my experience stops you cleanly shutting down most of the time. The sooner it gets removed from the kernel the better IMHO. If you are using protocol nodes which is the only supported option as far as I am aware then that does not apply. I would imagined if you are rolling your own Ganesha NFS server it won't matter either. Checking the code of the FSAL in Ganesha shows functions for converting between GPFS ACL's and the ACL format as used by Ganesha. My understanding was one of the drivers for using Ganesha as an NFS server with GPFS was you can write a FSAL to do just that, in the same way as on Samba you load the vfs_gpfs module, unless you are into self flagellation I guess. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
Fred, I thought like you that an ACL change caused a backup with mmbackup. Maybe only if you change the NFSv4 ACL. I'm sure it's documented somewhere and there is a flag to Protect to stop this from happening. Maybe a POSIX permission (setfacl style) doesn't trigger a backup. This would tie in with Paul's suggestion that changing via SMB caused the backup to occur. Simon From: gpfsug-discuss-boun...@spectrumscale.org on behalf of sto...@us.ibm.com Sent: Tuesday, October 15, 2019 5:49:34 PM To: gpfsug-discuss@spectrumscale.org Cc: gpfsug-discuss@spectrumscale.org Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs Thanks Paul. Could you please clarify which ACL you changed, the GPFS NFSv4 ACL or the POSIX ACL? Fred __ Fred Stock | IBM Pittsburgh Lab | 720-430-8821 sto...@us.ibm.com - Original message - From: Paul Ward Sent by: gpfsug-discuss-boun...@spectrumscale.org To: gpfsug main discussion list Cc: Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLs Date: Tue, Oct 15, 2019 12:18 PM Hi Fred, From the tests I have done changing the ACL results in just an ‘update’ to when using Spectrum Protect, even on migrated files. Kindest regards, Paul Paul Ward TS Infrastructure Architect Natural History Museum T: 02079426450 E: p.w...@nhm.ac.uk From: gpfsug-discuss-boun...@spectrumscale.org On Behalf Of Frederick Stock Sent: 15 October 2019 17:09 To: gpfsug-discuss@spectrumscale.org Cc: gpfsug-discuss@spectrumscale.org Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs As I understand if you change only the POSIX attributes on a file then you are correct that TSM will only backup the file metadata, actually just the POSIX relevant metadata. However, if you change ACLs or other GPFS specific metadata then TSM will backup the entire file, TSM does not keep all file metadata separate from the actual file data. Fred __ Fred Stock | IBM Pittsburgh Lab | 720-430-8821 sto...@us.ibm.com<mailto:sto...@us.ibm.com> - Original message - From: Simon Thompson mailto:s.j.thomp...@bham.ac.uk>> Sent by: gpfsug-discuss-boun...@spectrumscale.org<mailto:gpfsug-discuss-boun...@spectrumscale.org> To: gpfsug main discussion list mailto:gpfsug-discuss@spectrumscale.org>> Cc: Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLs Date: Tue, Oct 15, 2019 11:41 AM I thought Spectrum Protect didn't actually backup again on a file owner change. Sure mmbackup considers it, but I think Protect just updates the metadata. There are also some other options for dsmc that can stop other similar issues if you change ctime maybe. (Other backup tools are available) Simon On 15/10/2019, 15:31, "gpfsug-discuss-boun...@spectrumscale.org on behalf of Jonathan Buzzard<mailto:gpfsug-discuss-boun...@spectrumscale.org%20on%20behalf%20of%20Jonathan%20Buzzard>" mailto:gpfsug-discuss-boun...@spectrumscale.org%20on%20behalf%20of%20jonathan.buzz...@strath.ac.uk>> wrote: On Tue, 2019-10-15 at 12:34 +, Paul Ward wrote: > We are in the process of changing the way GPFS assigns UID/GIDs from > internal tdb to using AD RIDs with an offset that matches our linux > systems. We, therefore, need to change the ACLs for all the files in > GPFS (up to 80 million). You do realize that will mean backing everything up again > We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs > being applied. (This system was set up 14 years ago and has changed > roles over time) We are running on linux, so need to have POSIX > permissions enabled. We run on Linux and only have NFSv4 ACL's applied. I am not sure why you need POSIX ACL's if you are running Linux. Very very few applications will actually check ACL's or even for that matter permissions. They just do an fopen call or similar and the OS either goes yeah or neah, and the app needs to do something in the case of neah. > > What I want to know for those in a similar environment, what do you > have as the POSIX owner and group, when NFSv4 ACLs are in use? > root:root > > or do you have all files owned by a filesystem administrator account > and group: > : > > on our samba shares we have : > admin users = @ > So don’t actually need the group defined in POSIX. > Samba works much better with NFSv4 ACL's. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
Only the top level of the project is root:root, not all files. The owner inherit is like CREATOROWNER in Windows, so the parent owner isn't inherited, but the permission inherits to newly created files. It was a while ago we worked out our permission defaults but without it we could have users create a file/directory but not be able to edit/change it as whilst the group had permission, the owner didn't. I should note we are all at 5.x code and not 4.2. Simon From: gpfsug-discuss-boun...@spectrumscale.org on behalf of Paul Ward Sent: Tuesday, October 15, 2019 5:15:50 PM To: gpfsug main discussion list Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs An amalgamated answer... > You do realize that will mean backing everything up again... >From the tests that I have done, it appears not. A Spectrum protect incremental backup performs an 'update' when the ACL is changed via mmputacl or chown. when I do a backup after an mmputacl or chown ACL change on a migrated file, it isn't recalled, so it cant be backing up the file. If I do the same change from windows over a smb mount, it does cause the file to be recalled and backedup. > ...I am not sure why you need POSIX ACL's if you are running Linux... >From what I have recently read... https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_admnfsaclg.htm "Linux does not allow a file system to be NFS V4 exported unless it supports POSIX ACLs." As I said this system has had roles added to it. The original purpose was to only support NFS exports, then as a staging area for IT, as end user access wasn't needed, only POSIX permissions were used. No it has end user SMB mounts. >“chmodAndSetAcl” Saw this recently - will look at changing to that! https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_authoriziefileprotocolusers.htm "To allow proper use of ACLs, it is recommended to prevent chmod from overwriting the ACLs by setting this parameter to setAclOnly or chmodAndSetAcl." >#owner:root OK so you do have root as the owner. > special:owner@:rwxc:allow:FileInherit:DirInherit And have it propagated to children. > group:gITS_BEAR_2019- some-project:rwxc:allow:FileInherit:DirInherit We by default assign two groups to a folder, a RW and R only. > special:everyone@::allow > special:owner@:rwxc:allow > special:group@:rwx-:allow I have been removing these. This seems to work, but was set via windows: POSIX: d-2 root root 512 Apr 11 2019 #NFSv4 ACL #owner:root #group:root #ACL flags: # DACL_PRESENT # DACL_AUTO_INHERITED # SACL_AUTO_INHERITED # NULL_SACL group:dg--ro:r-x-:allow:FileInherit:DirInherit (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE(-)DELETE_CHILD (-)CHOWN(X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED group:dg--rwm:rwx-:allow:FileInherit:DirInherit (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (X)DELETE(X)DELETE_CHILD (-)CHOWN(X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED group:dl-:r-x-:allow:FileInherit:DirInherit:Inherited (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE(-)DELETE_CHILD (-)CHOWN(X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED So is root as the owner the norm? Kindest regards, Paul Paul Ward TS Infrastructure Architect Natural History Museum T: 02079426450 E: p.w...@nhm.ac.uk -Original Message- From: gpfsug-discuss-boun...@spectrumscale.org On Behalf Of Jonathan Buzzard Sent: 15 October 2019 15:30 To: gpfsug main discussion list Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs On Tue, 2019-10-15 at 12:34 +, Paul Ward wrote: > We are in the process of changing the way GPFS assigns UID/GIDs from > internal tdb to using AD RIDs with an offset that matches our linux > systems. We, therefore, need to change the ACLs for all the files in > GPFS (up to 80 million). You do realize that will mean backing everything up again... > We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs > being applied. (This system was set up 14 years ago and has changed > roles over time) We are running on linux, so need to have POSIX > permissions enabled. We run on Linux and only have NFSv4 ACL's applied. I am not sure why you need POSIX ACL's if you are running Linux. Very very few applications will actually check ACL's or even for that matter permissions. They just do an fopen call or similar and the OS either goes yeah or neah, and the app needs to do something in the case of neah. > > What I want to know for those in a similar environment, what
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
n invoked. Restoring 102,400,000 /…/100mb-9.dat --> /…/100mb-9.dat.restore [Done] Restore processing finished. Total number of objects restored: 1 Total number of objects failed: 0 Total number of bytes transferred:97.66 MB Data transfer time:1.20 sec Network data transfer rate: 83,317.88 KB/sec Aggregate data transfer rate:689.11 KB/sec Elapsed processing time: 00:02:25 Restored file Restored file has the same permissions as the last backup > ls -l -rwxrwx--- 1 root root 10240 Sep 18 15:07 100mb-9.dat.restore > dsmls 1024010240 160 r 100mb-9.dat.restore > dsmc q backup “” -inac ANS1092W No files matching search criteria were found >mmgetacl #owner:root #group:root user::rwxc group::rwx- other:: I have just noticed: File backedup with POSIX – restored file permissions POSIX File backedup with POSIX, changed to NFSv4 permissions, incremental backup – restore file permissions POSIX File backedup with NFSv4, Changed to POSIX permissions, incremental backup – restore file permissions POSIX File backedup with NFSv4, restore file permissions NFSv4 (there may be other variables involved) Kindest regards, Paul Paul Ward TS Infrastructure Architect Natural History Museum T: 02079426450 E: p.w...@nhm.ac.uk From: gpfsug-discuss-boun...@spectrumscale.org On Behalf Of Frederick Stock Sent: 15 October 2019 17:50 To: gpfsug-discuss@spectrumscale.org Cc: gpfsug-discuss@spectrumscale.org Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs Thanks Paul. Could you please clarify which ACL you changed, the GPFS NFSv4 ACL or the POSIX ACL? Fred __ Fred Stock | IBM Pittsburgh Lab | 720-430-8821 sto...@us.ibm.com<mailto:sto...@us.ibm.com> - Original message - From: Paul Ward mailto:p.w...@nhm.ac.uk>> Sent by: gpfsug-discuss-boun...@spectrumscale.org<mailto:gpfsug-discuss-boun...@spectrumscale.org> To: gpfsug main discussion list mailto:gpfsug-discuss@spectrumscale.org>> Cc: Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLs Date: Tue, Oct 15, 2019 12:18 PM Hi Fred, From the tests I have done changing the ACL results in just an ‘update’ to when using Spectrum Protect, even on migrated files. Kindest regards, Paul Paul Ward TS Infrastructure Architect Natural History Museum T: 02079426450 E: p.w...@nhm.ac.uk<mailto:p.w...@nhm.ac.uk> From: gpfsug-discuss-boun...@spectrumscale.org<mailto:gpfsug-discuss-boun...@spectrumscale.org> mailto:gpfsug-discuss-boun...@spectrumscale.org>> On Behalf Of Frederick Stock Sent: 15 October 2019 17:09 To: gpfsug-discuss@spectrumscale.org<mailto:gpfsug-discuss@spectrumscale.org> Cc: gpfsug-discuss@spectrumscale.org<mailto:gpfsug-discuss@spectrumscale.org> Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs As I understand if you change only the POSIX attributes on a file then you are correct that TSM will only backup the file metadata, actually just the POSIX relevant metadata. However, if you change ACLs or other GPFS specific metadata then TSM will backup the entire file, TSM does not keep all file metadata separate from the actual file data. Fred __ Fred Stock | IBM Pittsburgh Lab | 720-430-8821 sto...@us.ibm.com<mailto:sto...@us.ibm.com> - Original message - From: Simon Thompson mailto:s.j.thomp...@bham.ac.uk>> Sent by: gpfsug-discuss-boun...@spectrumscale.org<mailto:gpfsug-discuss-boun...@spectrumscale.org> To: gpfsug main discussion list mailto:gpfsug-discuss@spectrumscale.org>> Cc: Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLs Date: Tue, Oct 15, 2019 11:41 AM I thought Spectrum Protect didn't actually backup again on a file owner change. Sure mmbackup considers it, but I think Protect just updates the metadata. There are also some other options for dsmc that can stop other similar issues if you change ctime maybe. (Other backup tools are available) Simon On 15/10/2019, 15:31, "gpfsug-discuss-boun...@spectrumscale.org on behalf of Jonathan Buzzard<mailto:gpfsug-discuss-boun...@spectrumscale.org%20on%20behalf%20of%20Jonathan%20Buzzard>" mailto:gpfsug-discuss-boun...@spectrumscale.org%20on%20behalf%20of%20jonathan.buzz...@strath.ac.uk>> wrote: On Tue, 2019-10-15 at 12:34 +, Paul Ward wrote: > We are in the process of changing the way GPFS assigns UID/GIDs from > internal tdb to using AD RIDs with an offset that matches our linux > systems. We, therefore, need to change the ACLs for all the files in > GPFS (up to 80 milli
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
Thanks Paul. Could you please clarify which ACL you changed, the GPFS NFSv4 ACL or the POSIX ACL? Fred__Fred Stock | IBM Pittsburgh Lab | 720-430-8821sto...@us.ibm.com - Original message -From: Paul Ward Sent by: gpfsug-discuss-boun...@spectrumscale.orgTo: gpfsug main discussion list Cc:Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLsDate: Tue, Oct 15, 2019 12:18 PM Hi Fred, From the tests I have done changing the ACL results in just an ‘update’ to when using Spectrum Protect, even on migrated files. Kindest regards, Paul Paul Ward TS Infrastructure Architect Natural History Museum T: 02079426450 E: p.w...@nhm.ac.uk From: gpfsug-discuss-boun...@spectrumscale.org On Behalf Of Frederick StockSent: 15 October 2019 17:09To: gpfsug-discuss@spectrumscale.orgCc: gpfsug-discuss@spectrumscale.orgSubject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs As I understand if you change only the POSIX attributes on a file then you are correct that TSM will only backup the file metadata, actually just the POSIX relevant metadata. However, if you change ACLs or other GPFS specific metadata then TSM will backup the entire file, TSM does not keep all file metadata separate from the actual file data. Fred__Fred Stock | IBM Pittsburgh Lab | 720-430-8821sto...@us.ibm.com - Original message -From: Simon Thompson <s.j.thomp...@bham.ac.uk>Sent by: gpfsug-discuss-boun...@spectrumscale.orgTo: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org>Cc:Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLsDate: Tue, Oct 15, 2019 11:41 AM I thought Spectrum Protect didn't actually backup again on a file owner change. Sure mmbackup considers it, but I think Protect just updates the metadata. There are also some other options for dsmc that can stop other similar issues if you change ctime maybe.(Other backup tools are available)SimonOn 15/10/2019, 15:31, "gpfsug-discuss-boun...@spectrumscale.org on behalf of Jonathan Buzzard" <gpfsug-discuss-boun...@spectrumscale.org on behalf of jonathan.buzz...@strath.ac.uk> wrote: On Tue, 2019-10-15 at 12:34 +, Paul Ward wrote: > We are in the process of changing the way GPFS assigns UID/GIDs from > internal tdb to using AD RIDs with an offset that matches our linux > systems. We, therefore, need to change the ACLs for all the files in > GPFS (up to 80 million). You do realize that will mean backing everything up again > We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs > being applied. (This system was set up 14 years ago and has changed > roles over time) We are running on linux, so need to have POSIX > permissions enabled. We run on Linux and only have NFSv4 ACL's applied. I am not sure why you need POSIX ACL's if you are running Linux. Very very few applications will actually check ACL's or even for that matter permissions. They just do an fopen call or similar and the OS either goes yeah or neah, and the app needs to do something in the case of neah. > > What I want to know for those in a similar environment, what do you > have as the POSIX owner and group, when NFSv4 ACLs are in use? > root:root > > or do you have all files owned by a filesystem administrator account > and group: > : > > on our samba shares we have : > admin users = @ > So don’t actually need the group defined in POSIX. > Samba works much better with NFSv4 ACL's. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org gpfsug.org ___gpfsug-discuss mailing listgpfsug-discuss at spectrumscale.orggpfsug.org ___gpfsug-discuss mailing listgpfsug-discuss at spectrumscale.orghttp://gpfsug.org/mailman/listinfo/gpfsug-discuss ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
Hi Fred, From the tests I have done changing the ACL results in just an ‘update’ to when using Spectrum Protect, even on migrated files. Kindest regards, Paul Paul Ward TS Infrastructure Architect Natural History Museum T: 02079426450 E: p.w...@nhm.ac.uk From: gpfsug-discuss-boun...@spectrumscale.org On Behalf Of Frederick Stock Sent: 15 October 2019 17:09 To: gpfsug-discuss@spectrumscale.org Cc: gpfsug-discuss@spectrumscale.org Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs As I understand if you change only the POSIX attributes on a file then you are correct that TSM will only backup the file metadata, actually just the POSIX relevant metadata. However, if you change ACLs or other GPFS specific metadata then TSM will backup the entire file, TSM does not keep all file metadata separate from the actual file data. Fred __ Fred Stock | IBM Pittsburgh Lab | 720-430-8821 sto...@us.ibm.com<mailto:sto...@us.ibm.com> - Original message - From: Simon Thompson mailto:s.j.thomp...@bham.ac.uk>> Sent by: gpfsug-discuss-boun...@spectrumscale.org<mailto:gpfsug-discuss-boun...@spectrumscale.org> To: gpfsug main discussion list mailto:gpfsug-discuss@spectrumscale.org>> Cc: Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLs Date: Tue, Oct 15, 2019 11:41 AM I thought Spectrum Protect didn't actually backup again on a file owner change. Sure mmbackup considers it, but I think Protect just updates the metadata. There are also some other options for dsmc that can stop other similar issues if you change ctime maybe. (Other backup tools are available) Simon On 15/10/2019, 15:31, "gpfsug-discuss-boun...@spectrumscale.org on behalf of Jonathan Buzzard<mailto:gpfsug-discuss-boun...@spectrumscale.org%20on%20behalf%20of%20Jonathan%20Buzzard>" mailto:gpfsug-discuss-boun...@spectrumscale.org%20on%20behalf%20of%20jonathan.buzz...@strath.ac.uk>> wrote: On Tue, 2019-10-15 at 12:34 +, Paul Ward wrote: > We are in the process of changing the way GPFS assigns UID/GIDs from > internal tdb to using AD RIDs with an offset that matches our linux > systems. We, therefore, need to change the ACLs for all the files in > GPFS (up to 80 million). You do realize that will mean backing everything up again > We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs > being applied. (This system was set up 14 years ago and has changed > roles over time) We are running on linux, so need to have POSIX > permissions enabled. We run on Linux and only have NFSv4 ACL's applied. I am not sure why you need POSIX ACL's if you are running Linux. Very very few applications will actually check ACL's or even for that matter permissions. They just do an fopen call or similar and the OS either goes yeah or neah, and the app needs to do something in the case of neah. > > What I want to know for those in a similar environment, what do you > have as the POSIX owner and group, when NFSv4 ACLs are in use? > root:root > > or do you have all files owned by a filesystem administrator account > and group: > : > > on our samba shares we have : > admin users = @ > So don’t actually need the group defined in POSIX. > Samba works much better with NFSv4 ACL's. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org gpfsug.org ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org gpfsug.org ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
As I understand if you change only the POSIX attributes on a file then you are correct that TSM will only backup the file metadata, actually just the POSIX relevant metadata. However, if you change ACLs or other GPFS specific metadata then TSM will backup the entire file, TSM does not keep all file metadata separate from the actual file data. Fred__Fred Stock | IBM Pittsburgh Lab | 720-430-8821sto...@us.ibm.com - Original message -From: Simon Thompson Sent by: gpfsug-discuss-boun...@spectrumscale.orgTo: gpfsug main discussion list Cc:Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLsDate: Tue, Oct 15, 2019 11:41 AM I thought Spectrum Protect didn't actually backup again on a file owner change. Sure mmbackup considers it, but I think Protect just updates the metadata. There are also some other options for dsmc that can stop other similar issues if you change ctime maybe.(Other backup tools are available)SimonOn 15/10/2019, 15:31, "gpfsug-discuss-boun...@spectrumscale.org on behalf of Jonathan Buzzard" wrote: On Tue, 2019-10-15 at 12:34 +, Paul Ward wrote: > We are in the process of changing the way GPFS assigns UID/GIDs from > internal tdb to using AD RIDs with an offset that matches our linux > systems. We, therefore, need to change the ACLs for all the files in > GPFS (up to 80 million). You do realize that will mean backing everything up again... > We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs > being applied. (This system was set up 14 years ago and has changed > roles over time) We are running on linux, so need to have POSIX > permissions enabled. We run on Linux and only have NFSv4 ACL's applied. I am not sure why you need POSIX ACL's if you are running Linux. Very very few applications will actually check ACL's or even for that matter permissions. They just do an fopen call or similar and the OS either goes yeah or neah, and the app needs to do something in the case of neah. > > What I want to know for those in a similar environment, what do you > have as the POSIX owner and group, when NFSv4 ACLs are in use? > root:root > > or do you have all files owned by a filesystem administrator account > and group: > : > > on our samba shares we have : > admin users = @ > So don’t actually need the group defined in POSIX. > Samba works much better with NFSv4 ACL's. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss ___gpfsug-discuss mailing listgpfsug-discuss at spectrumscale.orghttp://gpfsug.org/mailman/listinfo/gpfsug-discuss ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
I thought Spectrum Protect didn't actually backup again on a file owner change. Sure mmbackup considers it, but I think Protect just updates the metadata. There are also some other options for dsmc that can stop other similar issues if you change ctime maybe. (Other backup tools are available) Simon On 15/10/2019, 15:31, "gpfsug-discuss-boun...@spectrumscale.org on behalf of Jonathan Buzzard" wrote: On Tue, 2019-10-15 at 12:34 +, Paul Ward wrote: > We are in the process of changing the way GPFS assigns UID/GIDs from > internal tdb to using AD RIDs with an offset that matches our linux > systems. We, therefore, need to change the ACLs for all the files in > GPFS (up to 80 million). You do realize that will mean backing everything up again... > We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs > being applied. (This system was set up 14 years ago and has changed > roles over time) We are running on linux, so need to have POSIX > permissions enabled. We run on Linux and only have NFSv4 ACL's applied. I am not sure why you need POSIX ACL's if you are running Linux. Very very few applications will actually check ACL's or even for that matter permissions. They just do an fopen call or similar and the OS either goes yeah or neah, and the app needs to do something in the case of neah. > > What I want to know for those in a similar environment, what do you > have as the POSIX owner and group, when NFSv4 ACLs are in use? > root:root > > or do you have all files owned by a filesystem administrator account > and group: > : > > on our samba shares we have : > admin users = @ > So don’t actually need the group defined in POSIX. > Samba works much better with NFSv4 ACL's. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] default owner and group for POSIX ACLs
On Tue, 2019-10-15 at 12:34 +, Paul Ward wrote: > We are in the process of changing the way GPFS assigns UID/GIDs from > internal tdb to using AD RIDs with an offset that matches our linux > systems. We, therefore, need to change the ACLs for all the files in > GPFS (up to 80 million). You do realize that will mean backing everything up again... > We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs > being applied. (This system was set up 14 years ago and has changed > roles over time) We are running on linux, so need to have POSIX > permissions enabled. We run on Linux and only have NFSv4 ACL's applied. I am not sure why you need POSIX ACL's if you are running Linux. Very very few applications will actually check ACL's or even for that matter permissions. They just do an fopen call or similar and the OS either goes yeah or neah, and the app needs to do something in the case of neah. > > What I want to know for those in a similar environment, what do you > have as the POSIX owner and group, when NFSv4 ACLs are in use? > root:root > > or do you have all files owned by a filesystem administrator account > and group: > : > > on our samba shares we have : > admin users = @ > So don’t actually need the group defined in POSIX. > Samba works much better with NFSv4 ACL's. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
[gpfsug-discuss] default owner and group for POSIX ACLs
We are in the process of changing the way GPFS assigns UID/GIDs from internal tdb to using AD RIDs with an offset that matches our linux systems. We, therefore, need to change the ACLs for all the files in GPFS (up to 80 million). We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs being applied. (This system was set up 14 years ago and has changed roles over time) We are running on linux, so need to have POSIX permissions enabled. What I want to know for those in a similar environment, what do you have as the POSIX owner and group, when NFSv4 ACLs are in use? root:root or do you have all files owned by a filesystem administrator account and group: : on our samba shares we have : admin users = @ So don't actually need the group defined in POSIX. Kindest regards, Paul Paul Ward TS Infrastructure Architect Natural History Museum T: 02079426450 E: p.w...@nhm.ac.uk ___ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
