Re: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster
(seems my earlier reply created a new topic; hence trying to reply back original thread started by Ilan Schwarts...)

>> # mount -t nfs 10.10.158.61:/fs_gpfs01/nfs /mnt/nfs4
>> [root@CentOS7286-64 nfs4]# nfs4_getfacl mydir11
>> Operation to request attribute not supported.
>> [root@CentOS7286-64 nfs4]#

On my test setup (rhel7.3 nodes gpfs cluster and rhel7.2 nfs client); I can successfully read nfsv4 acls (nfs4_getfacl).
Can you please try following on your setup?

1> capture network packets for above failure and check what does nfs server return to GETATTR ?
=> tcpdump -i any host 10.10.158.61 -w /tmp/getfacl.cap & nfs4_getfacl mydir11; kill %1

2> Also check nfs4_getfacl version is up to date.
=> /usr/bin/nfs4_getfacl -H

3> If above doesn't help; then make sure you have sufficient nfsv4 acls to read acls (as per my understanding; for reading nfsv4 acls; one needs EXEC_SEARCH on /fs_gpfs01/nfs and READ_ACL on /fs_gpfs01/nfs/mydir11).
=> mmgetacl -k nfs4 /fs_gpfs01/nfs
=> mmgetacl -k nfs4 /fs_gpfs01/nfs/mydir11

Thanks,
Chetan.

From: gpfsug-discuss-requ...@spectrumscale.org
To: gpfsug-discuss@spectrumscale.org
Date: 08/08/2017 04:30 PM
Subject: gpfsug-discuss Digest, Vol 67, Issue 21
Sent by: gpfsug-discuss-boun...@spectrumscale.org

Today's Topics:

1. Re: How to use nfs4_getfacl (or set) on GPFS cluster (Ilan Schwarts)
2. How to use nfs4_getfacl (or set) on GPFS cluster (Chetan R Kulkarni)

--

Message: 1
Date: Tue, 8 Aug 2017 07:28:20 +0300
From: Ilan Schwarts
To: gpfsug main discussion list
Subject: Re: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster

Hi,
The command should work from server side I know.. but isn't the scenario of:
Root user, that is mounted via nfsv4 to a gpfs filesystem, cannot edit any of the mounted files/dirs acls?
The acls are editable only from server side?

Thanks!

On Aug 8, 2017 00:10, "James Davis" wrote:

> Hi Ilan,
>
> 1. Your command might work from the server side; you said you tried it from the client side. Could you find anything in the docs about this? I could not.
>
> 2. I can share this NFSv4-themed wrapper around mmputacl if it would be useful to you. You would have to run it from the GPFS side, not the NFS client side.
>
> Regards,
>
> Jamie
>
> # ./updateNFSv4ACL -h
> Update the NFSv4 ACL governing a file's access permissions.
> Appends to the existing ACL, overwriting conflicting permissions.
> Usage: ./updateNFSv4ACL -file /path/to/file { ADD_PERM_SPEC | DEL_PERM_SPEC }+
> ADD_PERM_SPEC: { -owningUser PERM | -owningGroup PERM | -other PERM | -ace nameType:name:PERM:aceType }
> DEL_PERM_SPEC: { -noACEFor nameType:name }
> PERM: Specify a string composed of one or more of the following letters in no particular order:
>   r (ead)
>   w (rite)
>   a (ppend) Must agree with write
>   x (execute)
>   d (elete)
>   D (elete child) Dirs only
>   t (read attrs)
>   T (write attrs)
>   c (read ACL)
>   C (write ACL)
>   o (change owner)
> You can also provide these, but they will have no effect in GPFS:
>   n (read named attrs)
>   N (write named attrs)
>   y (support synchronous I/O)
>
> To indicate no permissions, give a -
> nameType: 'user' or 'group'.
> aceType: 'allow' or 'deny'.
> Examples: ./updateNFSv4ACL -file /fs1/f -owningUser rtc -owningGroup rwaxdtc -other '-'
>   Assign these permissions to 'owner', 'group', 'other'.
>   ./updateNFSv4ACL -file /fs1/f -ace 'user:pfs001:rtc:allow' -noACEFor 'group:fvt001'
>   Allow user pfs001 read/read attrs/read ACL permission
>   Remove all ACEs (allow and deny) for group fvt001.
> Notes:
>   Permissions you do not allow are denied by default.
>   See the GPFS docs for some other restrictions.
>   ace is short for Access Control Entry
>
> -
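Added example, not part of the thread and not IBM's code: a Python sketch of the check in step 3 of Chetan's message, reading ACL text laid out like `mmgetacl -k nfs4` output and deciding whether a caller holds EXEC/SEARCH on the parent and READ_ACL on the target. The sample ACL, the user `pfs002` and all function names are constructed for the example; the in-order, first-match evaluation is the generic NFSv4 rule and is assumed here to match GPFS.

```python
import re

# Constructed sample laid out the way `mmgetacl -k nfs4` prints ACEs (not output from the thread).
SAMPLE_ACL = """\
#NFSv4 ACL
#owner:root
#group:root
user:pfs001:----:deny
 (-)READ/LIST (-)WRITE/CREATE (-)MKDIR (-)SYNCHRONIZE (X)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:everyone@:r-xc:allow
 (X)READ/LIST (-)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
"""

ACE_HEAD = re.compile(r"^(special|user|group):([^:]+):[rwxc-]{4}:(allow|deny)")
BIT = re.compile(r"\((X|-)\)([A-Z_/]+)")

def parse_acl(text):
    """Return the ACEs in file order as (who, ace_type, set of bits marked X)."""
    aces = []
    for line in text.splitlines():
        head = ACE_HEAD.match(line)
        if head:
            aces.append((f"{head.group(1)}:{head.group(2)}", head.group(3), set()))
        elif aces and line.startswith(" "):
            # Indented continuation lines carry the per-bit (X)/(-) flags of the last ACE.
            aces[-1][2].update(name for mark, name in BIT.findall(line) if mark == "X")
    return aces

def decide(aces, identities, bit):
    """First ACE that matches the caller and names the bit decides (assumed GPFS behaviour)."""
    for who, ace_type, bits in aces:
        if who in identities and bit in bits:
            return ace_type
    return "deny"  # a bit that no matching ACE allows is denied by default

def can_read_acl(parent_acl, target_acl, identities):
    """Step 3 of the message: EXEC/SEARCH on the parent and READ_ACL on the target."""
    return (decide(parse_acl(parent_acl), identities, "EXEC/SEARCH") == "allow"
            and decide(parse_acl(target_acl), identities, "READ_ACL") == "allow")

if __name__ == "__main__":
    for ids in ({"user:pfs001", "special:everyone@"}, {"user:pfs002", "special:everyone@"}):
        print(sorted(ids), can_read_acl(SAMPLE_ACL, SAMPLE_ACL, ids))
```

The explicit deny ACE for `pfs001` sits ahead of the `everyone@` allow, so that user can traverse the directory but cannot read its ACL, while `pfs002` can do both.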
Re: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster
Hi,
The command should work from server side I know.. but isn't the scenario of:
Root user, that is mounted via nfsv4 to a gpfs filesystem, cannot edit any of the mounted files/dirs acls?
The acls are editable only from server side?

Thanks!

On Aug 8, 2017 00:10, "James Davis" wrote:

> Hi Ilan,
>
> 1. Your command might work from the server side; you said you tried it from the client side. Could you find anything in the docs about this? I could not.
>
> 2. I can share this NFSv4-themed wrapper around mmputacl if it would be useful to you. You would have to run it from the GPFS side, not the NFS client side.
>
> Regards,
>
> Jamie
>
> # ./updateNFSv4ACL -h
> Update the NFSv4 ACL governing a file's access permissions.
> Appends to the existing ACL, overwriting conflicting permissions.
> Usage: ./updateNFSv4ACL -file /path/to/file { ADD_PERM_SPEC | DEL_PERM_SPEC }+
> ADD_PERM_SPEC: { -owningUser PERM | -owningGroup PERM | -other PERM | -ace nameType:name:PERM:aceType }
> DEL_PERM_SPEC: { -noACEFor nameType:name }
> PERM: Specify a string composed of one or more of the following letters in no particular order:
>   r (ead)
>   w (rite)
>   a (ppend) Must agree with write
>   x (execute)
>   d (elete)
>   D (elete child) Dirs only
>   t (read attrs)
>   T (write attrs)
>   c (read ACL)
>   C (write ACL)
>   o (change owner)
> You can also provide these, but they will have no effect in GPFS:
>   n (read named attrs)
>   N (write named attrs)
>   y (support synchronous I/O)
>
> To indicate no permissions, give a -
> nameType: 'user' or 'group'.
> aceType: 'allow' or 'deny'.
> Examples: ./updateNFSv4ACL -file /fs1/f -owningUser rtc -owningGroup rwaxdtc -other '-'
>   Assign these permissions to 'owner', 'group', 'other'.
>   ./updateNFSv4ACL -file /fs1/f -ace 'user:pfs001:rtc:allow' -noACEFor 'group:fvt001'
>   Allow user pfs001 read/read attrs/read ACL permission
>   Remove all ACEs (allow and deny) for group fvt001.
> Notes:
>   Permissions you do not allow are denied by default.
>   See the GPFS docs for some other restrictions.
>   ace is short for Access Control Entry
>
> - Original message -
> From: Ilan Schwarts
> Sent by: gpfsug-discuss-boun...@spectrumscale.org
> To: gpfsug main discussion list
> Cc:
> Subject: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster
> Date: Mon, Aug 7, 2017 9:27 AM
>
> Hi all,
> My setup is 2 nodes GPFS and 1 machine as NFS Client.
> All machines (3 total) run CentOS 7.2
>
> The 3rd CentOS machine (not part of the cluster) used as NFS Client.
>
> I mount the NFS Client machine to one of the nodes: mount -t nfs 10.10.158.61:/fs_gpfs01/nfs /mnt/nfs4
>
> This gives me the following:
>
> [root@CentOS7286-64 ~]# mount -v | grep gpfs
> 10.10.158.61:/fs_gpfs01/nfs on /mnt/nfs4 type nfs4 (rw,relatime,vers=4.0,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.10.149.188,local_lock=none,addr=10.10.158.61)
>
> Now, From the Client NFS Machine, I go to the mount directory ("cd /mnt/nfs4") and try to set an acl. Since NFSv4 should be supported, I use nfs4_getfacl:
> [root@CentOS7286-64 nfs4]# nfs4_getfacl mydir11
> Operation to request attribute not supported.
> [root@CentOS7286-64 nfs4]#
>
> From the NODE machine I see the status:
> [root@LH20-GPFS1 fs_gpfs01]# mmlsfs fs_gpfs01
> flag                value                    description
> ------------------- ------------------------ -----------------------------------
>  -f                 8192                     Minimum fragment size in bytes
>  -i                 4096                     Inode size in bytes
>  -I                 16384                    Indirect block size in bytes
>  -m                 1                        Default number of metadata replicas
>  -M                 2                        Maximum number of metadata replicas
>  -r                 1                        Default number of data replicas
>  -R                 2                        Maximum number of data replicas
>  -j                 cluster                  Block allocation type
>  -D                 nfs4                     File locking semantics in effect
>  -k                 nfs4                     ACL semantics in effect
>  -n                 32                       Estimated number of nodes that will mount file system
>  -B                 262144                   Block size
>  -Q                 none                     Quotas accounting enabled
>                     none                     Quotas enforced
>                     none                     Default quotas enabled
>  --perfileset-quota No                       Per-fileset quota enforcement
>  --filesetdf        No                       Fileset df enabled?
>  -V                 16.00 (4.2.2.0)          File system version
>  --create-time      Wed Jul 5 12:28:39
Re: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster
Hi Ilan,

1. Your command might work from the server side; you said you tried it from the client side. Could you find anything in the docs about this? I could not.

2. I can share this NFSv4-themed wrapper around mmputacl if it would be useful to you. You would have to run it from the GPFS side, not the NFS client side.

Regards,

Jamie

# ./updateNFSv4ACL -h
Update the NFSv4 ACL governing a file's access permissions.
Appends to the existing ACL, overwriting conflicting permissions.
Usage: ./updateNFSv4ACL -file /path/to/file { ADD_PERM_SPEC | DEL_PERM_SPEC }+
ADD_PERM_SPEC: { -owningUser PERM | -owningGroup PERM | -other PERM | -ace nameType:name:PERM:aceType }
DEL_PERM_SPEC: { -noACEFor nameType:name }
PERM: Specify a string composed of one or more of the following letters in no particular order:
  r (ead)
  w (rite)
  a (ppend) Must agree with write
  x (execute)
  d (elete)
  D (elete child) Dirs only
  t (read attrs)
  T (write attrs)
  c (read ACL)
  C (write ACL)
  o (change owner)
You can also provide these, but they will have no effect in GPFS:
  n (read named attrs)
  N (write named attrs)
  y (support synchronous I/O)

To indicate no permissions, give a -
nameType: 'user' or 'group'.
aceType: 'allow' or 'deny'.
Examples: ./updateNFSv4ACL -file /fs1/f -owningUser rtc -owningGroup rwaxdtc -other '-'
  Assign these permissions to 'owner', 'group', 'other'.
  ./updateNFSv4ACL -file /fs1/f -ace 'user:pfs001:rtc:allow' -noACEFor 'group:fvt001'
  Allow user pfs001 read/read attrs/read ACL permission
  Remove all ACEs (allow and deny) for group fvt001.
Notes:
  Permissions you do not allow are denied by default.
  See the GPFS docs for some other restrictions.
  ace is short for Access Control Entry

- Original message -
From: Ilan Schwarts
Sent by: gpfsug-discuss-boun...@spectrumscale.org
To: gpfsug main discussion list
Cc:
Subject: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster
Date: Mon, Aug 7, 2017 9:27 AM

Hi all,
My setup is 2 nodes GPFS and 1 machine as NFS Client.
All machines (3 total) run CentOS 7.2

The 3rd CentOS machine (not part of the cluster) used as NFS Client.

I mount the NFS Client machine to one of the nodes: mount -t nfs 10.10.158.61:/fs_gpfs01/nfs /mnt/nfs4

This gives me the following:

[root@CentOS7286-64 ~]# mount -v | grep gpfs
10.10.158.61:/fs_gpfs01/nfs on /mnt/nfs4 type nfs4 (rw,relatime,vers=4.0,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.10.149.188,local_lock=none,addr=10.10.158.61)

Now, From the Client NFS Machine, I go to the mount directory ("cd /mnt/nfs4") and try to set an acl. Since NFSv4 should be supported, I use nfs4_getfacl:
[root@CentOS7286-64 nfs4]# nfs4_getfacl mydir11
Operation to request attribute not supported.
[root@CentOS7286-64 nfs4]#

From the NODE machine I see the status:
[root@LH20-GPFS1 fs_gpfs01]# mmlsfs fs_gpfs01
flag                value                    description
------------------- ------------------------ -----------------------------------
 -f                 8192                     Minimum fragment size in bytes
 -i                 4096                     Inode size in bytes
 -I                 16384                    Indirect block size in bytes
 -m                 1                        Default number of metadata replicas
 -M                 2                        Maximum number of metadata replicas
 -r                 1                        Default number of data replicas
 -R                 2                        Maximum number of data replicas
 -j                 cluster                  Block allocation type
 -D                 nfs4                     File locking semantics in effect
 -k                 nfs4                     ACL semantics in effect
 -n                 32                       Estimated number of nodes that will mount file system
 -B                 262144                   Block size
 -Q                 none                     Quotas accounting enabled
                    none                     Quotas enforced
                    none                     Default quotas enabled
 --perfileset-quota No                       Per-fileset quota enforcement
 --filesetdf        No                       Fileset df enabled?
 -V                 16.00 (4.2.2.0)          File system version
 --create-time      Wed Jul 5 12:28:39 2017  File system creation time
 -z                 No                       Is DMAPI enabled?
 -L                 4194304                  Logfile size
 -E                 Yes                      Exact mtime mount option
 -S                 No                       Suppress atime mount option
 -K                 whenpossible             Strict replica allocation option
 --fastea           Yes                      Fast external attributes enabled?
 --encryption       No                       Encryption enabled?
 --inode-limit      171840                   Maximum number of inodes in al