Bug 231231

Summary: [NetApp-N 5.2 feat] setfacl not supported on NFSv4 mounted filesystem
Product: Red Hat Enterprise Linux 5 Reporter: Ricardo Labiaga <ricardo.labiaga>
Component: nfs4-acl-toolsAssignee: Steve Dickson <steved>
Status: CLOSED CURRENTRELEASE QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: low    
Version: 5.0CC: andriusb, coughlan, ondrejv, ricardo.labiaga, sct, staubach, steved, xdl-redhat-bugzilla
Target Milestone: ---Keywords: FutureFeature, Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 5.1.0 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-09 18:32:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 217909    
Bug Blocks: 217208, 245746, 249267    
Attachments:
Description Flags
strace of failed call to setfacl
none
Purposed upstream patch none

Description Ricardo Labiaga 2007-03-06 21:28:04 UTC 
Description of problem:
Can not set ACLs on an NFSv4 mounted filesystem when the client is running a
vanilla RHEL or Fedora Core system.  Other Linux distros probably ship with the
same limitation.  The setfacl call fails with EOPTNOTSUPP.

Version-Release number of selected component (if applicable):
- Tested on RHEL 4.4, RHEL 5 Beta 2, and FC6.  FC6 kernel details:
    2.6.19-1.2911.fc6
    libacl-2.2.39-1.1
    acl-2.2.39-1.1

How reproducible:
- Every time

Steps to Reproduce:

> mount -t nfs4 proto-u38:/vol/vol0 /mnt
> cd /mnt
> touch foo
> getfacl foo
# file: foo
# owner: nobody
# group: nobody
user::rw-
group::r--
other::r--

> setfacl -m user:user1:rwx foo
setfacl: foo: Operation not supported

  
Actual results:
Fails with error: EOPNOTSUPP

Expected results:
Should succeed and set an Access Control Entry on file 'foo' for 'user1' giving
read/write/execute permission.

Additional info:
Tested against NetApp filer with NFSv4 enabled, and NFS ACL support enabled. 
NetApp filer is running ONTAP 7.2.1.  Any NFsv4 server will produce the same
behavior, since the call errs on the client without calling the server.

strace shows that getfacl("foo", ...) uses getxattr(2) to obtain the ACL 
extended attribute.  The default POSIX-style ACL tool expects the
name of the ACL extended attribute to be "system.posix_acl_access".

getxattr("foo", "system.posix_acl_access", 0xbff77d50, 132) =
-1 EOPNOTSUPP (Operation not supported)

This eventually traps into the kernel calling:
sys_getattr()->getxattr()->vfs_getattr()->nfs4_getxattr().

nfs4_getxattr() (in fs/nfs/nfs4proc.c) expects a different extended attribute 
name: "system.nfs4_acl", which differs from what is passed in, making it return
error: EOPNOTSUPP

fs/nfs/nfs4proc.c:
...
#define XATTR_NAME_NFSV4_ACL "system.nfs4_acl"
...
ssize_t nfs4_getxattr(struct dentry *dentry, const char *key, void *buf,
                size_t buflen)
{
    ...
        if (strcmp(key, XATTR_NAME_NFSV4_ACL) != 0)
                return -EOPNOTSUPP;
    ....
}

Citi has a set of patches that modify the library behavior to better map
POSIX ACLs to NFSv4 ACLs.  One of the many things it does is use 
"system.nfs4_acl".  It's not a perfect mapping, so they
recommend to use instead the nfs4-acl-tools which use NFSv4 ACLs
directly.  

Customers that require use of ACLs on NFSv4 filesystems, are forced to compile
these tools themselves (this after generating customer calls to their respective
support providers).

The CITI patches and libraries can be found at:
   http://www.citi.umich.edu/projects/nfsv4/linux/

RHEL 4.6 bug describes the same problem under bugzilla bug: 231118
Comment 1 Ricardo Labiaga 2007-03-06 21:28:04 UTC 
Created attachment 149387 [details]
strace of failed call to setfacl
Comment 2 Andrius Benokraitis 2007-03-06 21:35:29 UTC 
Corresponding bug for RHEL 4 can be found at bug 231118.
Comment 3 Steve Dickson 2007-03-07 19:33:08 UTC 
Which patches are you talking about on
http://www.citi.umich.edu/projects/nfsv4/linux/?

The close thing is nfs4-acl-tools-0.3.0.tar.gz 
and thats just two commands that show and 
set v4 acls... (Note: these commands will be part
of FC7 when it hits the street)....
Comment 4 Ricardo Labiaga 2007-03-08 01:16:43 UTC 
There is also "acl-2.2.41-CITI_NFS4_ALL-3.dif" which is supposed to patch the
standard posix acl tools so they can deal with NFSv4 ACLs.  I haven't played
with this patch myself yet.
Comment 5 Steve Dickson 2007-03-08 17:15:37 UTC 
Created attachment 149590 [details]
Purposed upstream patch
Comment 10 Steve Dickson 2007-06-23 11:44:22 UTC 

*** This bug has been marked as a duplicate of 243697 ***
Comment 11 Andrius Benokraitis 2007-06-26 15:12:34 UTC 
Ricardo - per SteveD, this has to be deferred to RHEL 5.2.
Comment 16 Andrius Benokraitis 2007-08-15 20:15:25 UTC 
Ricardo @ NetApp:

Please give RHEL 5.1 a shot for this - the newly added nfs4-acl-tools package is
in there which should help. Please let us know.
Comment 19 Steve Dickson 2007-11-01 23:18:47 UTC 
Ricardo,

Does the nfs4-acl-tools package do what you want?
Comment 20 Daniel Riek 2007-11-09 18:28:17 UTC 
Please clarify what is requested here.

We shipped nfsv4-acl-tools in 5.1 and I am assuming that they address this
issue. Removing from 5.2 list for now. Please re-propose with new information or
close.
Comment 21 Ricardo Labiaga 2007-11-10 00:45:07 UTC 
Yes, having nfs4-acl-tools in RHEL 5.1 helps address this limitation.  It's okay
to close this bug.  Thanks.
Comment 23 Kamil Dudka 2015-07-27 11:00:00 UTC 
*** Bug 815375 has been marked as a duplicate of this bug. ***