Bug 231118 - [NetApp 4.6 feat] setfacl not supported on NFSv4 mounted filesystem
[NetApp 4.6 feat] setfacl not supported on NFSv4 mounted filesystem
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nfs-utils (Show other bugs)
4.6
All Linux
high Severity high
: ---
: ---
Assigned To: Peter Staubach
David Lawrence
: FutureFeature
Depends On:
Blocks: 217206 232471 232477
  Show dependency treegraph
 
Reported: 2007-03-06 02:58 EST by Ricardo Labiaga
Modified: 2007-11-30 17:07 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-07-18 14:11:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
strace of failed call to setfacl (6.25 KB, text/plain)
2007-03-06 02:58 EST, Ricardo Labiaga
no flags Details
Purposed upstream patch (94.85 KB, patch)
2007-03-08 18:19 EST, Steve Dickson
no flags Details | Diff

  None (edit)
Description Ricardo Labiaga 2007-03-06 02:58:46 EST
Description of problem:
Can not set ACLs on an NFSv4 mounted filesystem when the client is running a
vanilla RHEL or Fedora Core system.  Other Linux distros probably ship with the
same limitation.  The setfacl call fails with EOPTNOTSUPP.

Version-Release number of selected component (if applicable):
- Tested on RHEL 4.4 and FC6.  FC6 kernel details:
    2.6.19-1.2911.fc6
    libacl-2.2.39-1.1
    acl-2.2.39-1.1

How reproducible:
- Every time

Steps to Reproduce:

> mount -t nfs4 proto-u38:/vol/vol0 /mnt
> cd /mnt
> touch foo
> getfacl foo
# file: foo
# owner: nobody
# group: nobody
user::rw-
group::r--
other::r--

> setfacl -m user:user1:rwx foo
setfacl: foo: Operation not supported

  
Actual results:
Fails with error: EOPNOTSUPP

Expected results:
Should succeed and set an Access Control Entry on file 'foo' for 'user1' giving
read/write/execute permission.

Additional info:
Tested against NetApp filer with NFSv4 enabled, and NFS ACL support enabled. 
NetApp filer is running ONTAP 7.2.1.  Any NFsv4 server will produce the same
behavior, since the call errs on the client without calling the server.

strace shows that getfacl("foo", ...) uses getxattr(2) to obtain the ACL 
extended attribute.  The default POSIX-style ACL tool expects the
name of the ACL extended attribute to be "system.posix_acl_access".

getxattr("foo", "system.posix_acl_access", 0xbff77d50, 132) =
-1 EOPNOTSUPP (Operation not supported)

This eventually traps into the kernel calling:
sys_getattr()->getxattr()->vfs_getattr()->nfs4_getxattr().

nfs4_getxattr() (in fs/nfs/nfs4proc.c) expects a different extended attribute 
name: "system.nfs4_acl", which differs from what is passed in, making it return
error: EOPNOTSUPP

fs/nfs/nfs4proc.c:
...
#define XATTR_NAME_NFSV4_ACL "system.nfs4_acl"
...
ssize_t nfs4_getxattr(struct dentry *dentry, const char *key, void *buf,
                size_t buflen)
{
    ...
        if (strcmp(key, XATTR_NAME_NFSV4_ACL) != 0)
                return -EOPNOTSUPP;
    ....
}

Citi has a set of patches that modify the library behavior to better map
POSIX ACLs to NFSv4 ACLs.  One of the many things it does is use 
"system.nfs4_acl".  It's not a perfect mapping, so they
recommend to use instead the nfs4-acl-tools which use NFSv4 ACLs
directly.  

Customers that require use of ACLs on NFSv4 filesystems, are forced to compile
these tools themselves (this after generating customer calls to their respective
support providers).

The CITI patches and libraries can be found at:
   http://www.citi.umich.edu/projects/nfsv4/linux/
Comment 1 Ricardo Labiaga 2007-03-06 02:58:46 EST
Created attachment 149325 [details]
strace of failed call to setfacl
Comment 2 Andrius Benokraitis 2007-03-06 11:06:13 EST
Since this is a feature request, adding this to the RHEL 4.6 request list.
Comment 3 Andrius Benokraitis 2007-03-06 11:07:35 EST
FYI: If this is needed in RHEL 5.2, another bug should be created for RHEL 5.
Comment 4 Andrius Benokraitis 2007-03-06 16:34:09 EST
Corresponding bug for RHEL 5 can be found at bug 231231.
Comment 5 Steve Dickson 2007-03-08 18:19:42 EST
Created attachment 149657 [details]
Purposed upstream patch
Comment 9 RHEL Product and Program Management 2007-07-18 14:11:37 EDT
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request. 
Comment 10 Andrius Benokraitis 2007-07-18 14:35:34 EDT
NetApp:

Red Hat Engineering has reviewed this feature request and has concluded that
support for Linux ACLs over NFSv4 is not stable enough upstream for inclusion
into RHEL 4. Also, the design of NFSv4 makes it almost impossible to completely
emulate Linux ACLs. The solution is to add protocol support for Linux ACLs in a
future version of NFSv4, maybe NFSv4.2. Furthermore, with only a few more minor
releases in the RHEL 4 time frame, this may seem unlikely at all for inclusion.

Note You need to log in before you can comment on or make changes to this bug.