Bug 231118

Summary: [NetApp 4.6 feat] setfacl not supported on NFSv4 mounted filesystem
Product: Red Hat Enterprise Linux 4
Reporter: Ricardo Labiaga <ricardo.labiaga>
Component: nfs-utils
Assignee: Peter Staubach <staubach>
Status: CLOSED WONTFIX
QA Contact: David Lawrence <dkl>
Severity: high
Docs Contact:
Priority: high
Version: 4.6
CC: andriusb, coughlan, ricardo.labiaga, sct, steved, xdl-redhat-bugzilla
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2007-07-18 18:11:37 UTC
Bug Blocks: 217206, 232471, 232477    
Attachments:
- strace of failed call to setfacl (flags: none)
- Proposed upstream patch (flags: none)

Description Ricardo Labiaga 2007-03-06 07:58:46 UTC
Description of problem:
Cannot set ACLs on an NFSv4 mounted filesystem when the client is running a
vanilla RHEL or Fedora Core system.  Other Linux distros probably ship with the
same limitation.  The setfacl call fails with EOPNOTSUPP.

Version-Release number of selected component (if applicable):
- Tested on RHEL 4.4 and FC6.  FC6 kernel details:
    2.6.19-1.2911.fc6
    libacl-2.2.39-1.1
    acl-2.2.39-1.1

How reproducible:
- Every time

Steps to Reproduce:

> mount -t nfs4 proto-u38:/vol/vol0 /mnt
> cd /mnt
> touch foo
> getfacl foo
# file: foo
# owner: nobody
# group: nobody
user::rw-
group::r--
other::r--

> setfacl -m user:user1:rwx foo
setfacl: foo: Operation not supported

  
Actual results:
Fails with error: EOPNOTSUPP

Expected results:
Should succeed and set an Access Control Entry on file 'foo' for 'user1' giving
read/write/execute permission.

Additional info:
Tested against NetApp filer with NFSv4 enabled, and NFS ACL support enabled.
NetApp filer is running ONTAP 7.2.1.  Any NFSv4 server will produce the same
behavior, since the call errs on the client without calling the server.

strace shows that getfacl("foo", ...) uses getxattr(2) to obtain the ACL 
extended attribute.  The default POSIX-style ACL tool expects the
name of the ACL extended attribute to be "system.posix_acl_access".

getxattr("foo", "system.posix_acl_access", 0xbff77d50, 132) =
-1 EOPNOTSUPP (Operation not supported)

This eventually traps into the kernel calling:
sys_getattr()->getxattr()->vfs_getattr()->nfs4_getxattr().

nfs4_getxattr() (in fs/nfs/nfs4proc.c) expects a different extended attribute 
name: "system.nfs4_acl", which differs from what is passed in, making it return
error: EOPNOTSUPP

fs/nfs/nfs4proc.c:
...
#define XATTR_NAME_NFSV4_ACL "system.nfs4_acl"
...
ssize_t nfs4_getxattr(struct dentry *dentry, const char *key, void *buf,
                size_t buflen)
{
    ...
        if (strcmp(key, XATTR_NAME_NFSV4_ACL) != 0)
                return -EOPNOTSUPP;
    ....
}

CITI has a set of patches that modify the library behavior to better map
POSIX ACLs to NFSv4 ACLs.  One of the many things it does is use
"system.nfs4_acl".  It's not a perfect mapping, so they
recommend using the nfs4-acl-tools instead, which use NFSv4 ACLs
directly.

Customers that require use of ACLs on NFSv4 filesystems are forced to compile
these tools themselves (this after generating customer calls to their respective
support providers).

The CITI patches and libraries can be found at:
   http://www.citi.umich.edu/projects/nfsv4/linux/
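
Added example, not part of the original report and not Red Hat or CITI code: a small C probe that issues a getxattr(2) size query for both attribute names quoted above and reports which ACL model the filesystem under a path answers to, so an administrator can tell beforehand whether setfacl-based access controls can be applied there. The function and enum names are hypothetical, and treating ENODATA as "name recognised, no ACL stored" is an assumption based on Linux getxattr(2) behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Names from the report: setfacl/getfacl ask for the first,
 * nfs4_getxattr() only accepts the second. */
#define XATTR_POSIX_ACL "system.posix_acl_access"
#define XATTR_NFS4_ACL  "system.nfs4_acl"

enum acl_model { ACL_NONE, ACL_POSIX, ACL_NFS4, ACL_BOTH };

/* Assumption: 0 = attribute present; ENODATA = name recognised, no ACL stored.
 * EOPNOTSUPP (the error in the report) or anything else = not usable. */
static int name_supported(int err) { return err == 0 || err == ENODATA; }

/* Pure decision step, kept separate so it can be checked without a mount. */
enum acl_model classify_acl_model(int posix_err, int nfs4_err)
{
    int p = name_supported(posix_err), n = name_supported(nfs4_err);
    if (p && n) return ACL_BOTH;
    if (p) return ACL_POSIX;
    return n ? ACL_NFS4 : ACL_NONE;
}

/* Size query only (NULL buffer, size 0). Returns 0 or the errno. */
int probe_xattr(const char *path, const char *name)
{
    return getxattr(path, name, NULL, 0) >= 0 ? 0 : errno;
}

const char *acl_advice(enum acl_model m)
{
    switch (m) {
    case ACL_POSIX: return "POSIX ACLs: setfacl/getfacl apply";
    case ACL_NFS4:  return "NFSv4 ACLs only: setfacl fails, use nfs4-acl-tools";
    case ACL_BOTH:  return "both ACL xattr names answered";
    default:        return "neither ACL xattr name answered";
    }
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    int pe = probe_xattr(path, XATTR_POSIX_ACL);
    int ne = probe_xattr(path, XATTR_NFS4_ACL);
    printf("%s: posix errno=%d, nfs4 errno=%d -> %s\n", path, pe, ne,
           acl_advice(classify_acl_model(pe, ne)));
    return 0;
}
```

Run it with a path on the mount in question; the case in this report corresponds to EOPNOTSUPP for the POSIX name.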

Comment 1 Ricardo Labiaga 2007-03-06 07:58:46 UTC
Created attachment 149325
strace of failed call to setfacl

Comment 2 Andrius Benokraitis 2007-03-06 16:06:13 UTC
Since this is a feature request, adding this to the RHEL 4.6 request list.

Comment 3 Andrius Benokraitis 2007-03-06 16:07:35 UTC
FYI: If this is needed in RHEL 5.2, another bug should be created for RHEL 5.

Comment 4 Andrius Benokraitis 2007-03-06 21:34:09 UTC
Corresponding bug for RHEL 5 can be found at bug 231231.

Comment 5 Steve Dickson 2007-03-08 23:19:42 UTC
Created attachment 149657
Proposed upstream patch

Comment 9 RHEL Program Management 2007-07-18 18:11:37 UTC
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request. 

Comment 10 Andrius Benokraitis 2007-07-18 18:35:34 UTC
NetApp:

Red Hat Engineering has reviewed this feature request and has concluded that
support for Linux ACLs over NFSv4 is not stable enough upstream for inclusion
into RHEL 4. Also, the design of NFSv4 makes it almost impossible to completely
emulate Linux ACLs. The solution is to add protocol support for Linux ACLs in a
future version of NFSv4, maybe NFSv4.2. Furthermore, with only a few more minor
releases in the RHEL 4 time frame, this may seem unlikely at all for inclusion.