Bug 231231 - [NetApp-N 5.2 feat] setfacl not supported on NFSv4 mounted filesystem
[NetApp-N 5.2 feat] setfacl not supported on NFSv4 mounted filesystem
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nfs4-acl-tools (Show other bugs)
5.0
All Linux
low Severity medium
: ---
: ---
Assigned To: Steve Dickson
David Lawrence
: FutureFeature, Reopened
: 815375 (view as bug list)
Depends On: 217909
Blocks: 217208 245746 249267
  Show dependency treegraph
 
Reported: 2007-03-06 16:28 EST by Ricardo Labiaga
Modified: 2015-07-27 07:00 EDT (History)
8 users (show)

See Also:
Fixed In Version: 5.1.0
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-09 13:32:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
strace of failed call to setfacl (6.25 KB, text/plain)
2007-03-06 16:28 EST, Ricardo Labiaga
no flags Details
Purposed upstream patch (94.85 KB, patch)
2007-03-08 12:15 EST, Steve Dickson
no flags Details | Diff

  None (edit)
Description Ricardo Labiaga 2007-03-06 16:28:04 EST
Description of problem:
Can not set ACLs on an NFSv4 mounted filesystem when the client is running a
vanilla RHEL or Fedora Core system.  Other Linux distros probably ship with the
same limitation.  The setfacl call fails with EOPTNOTSUPP.

Version-Release number of selected component (if applicable):
- Tested on RHEL 4.4, RHEL 5 Beta 2, and FC6.  FC6 kernel details:
    2.6.19-1.2911.fc6
    libacl-2.2.39-1.1
    acl-2.2.39-1.1

How reproducible:
- Every time

Steps to Reproduce:

> mount -t nfs4 proto-u38:/vol/vol0 /mnt
> cd /mnt
> touch foo
> getfacl foo
# file: foo
# owner: nobody
# group: nobody
user::rw-
group::r--
other::r--

> setfacl -m user:user1:rwx foo
setfacl: foo: Operation not supported

  
Actual results:
Fails with error: EOPNOTSUPP

Expected results:
Should succeed and set an Access Control Entry on file 'foo' for 'user1' giving
read/write/execute permission.

Additional info:
Tested against NetApp filer with NFSv4 enabled, and NFS ACL support enabled. 
NetApp filer is running ONTAP 7.2.1.  Any NFsv4 server will produce the same
behavior, since the call errs on the client without calling the server.

strace shows that getfacl("foo", ...) uses getxattr(2) to obtain the ACL 
extended attribute.  The default POSIX-style ACL tool expects the
name of the ACL extended attribute to be "system.posix_acl_access".

getxattr("foo", "system.posix_acl_access", 0xbff77d50, 132) =
-1 EOPNOTSUPP (Operation not supported)

This eventually traps into the kernel calling:
sys_getattr()->getxattr()->vfs_getattr()->nfs4_getxattr().

nfs4_getxattr() (in fs/nfs/nfs4proc.c) expects a different extended attribute 
name: "system.nfs4_acl", which differs from what is passed in, making it return
error: EOPNOTSUPP

fs/nfs/nfs4proc.c:
...
#define XATTR_NAME_NFSV4_ACL "system.nfs4_acl"
...
ssize_t nfs4_getxattr(struct dentry *dentry, const char *key, void *buf,
                size_t buflen)
{
    ...
        if (strcmp(key, XATTR_NAME_NFSV4_ACL) != 0)
                return -EOPNOTSUPP;
    ....
}

Citi has a set of patches that modify the library behavior to better map
POSIX ACLs to NFSv4 ACLs.  One of the many things it does is use 
"system.nfs4_acl".  It's not a perfect mapping, so they
recommend to use instead the nfs4-acl-tools which use NFSv4 ACLs
directly.  

Customers that require use of ACLs on NFSv4 filesystems, are forced to compile
these tools themselves (this after generating customer calls to their respective
support providers).

The CITI patches and libraries can be found at:
   http://www.citi.umich.edu/projects/nfsv4/linux/

RHEL 4.6 bug describes the same problem under bugzilla bug: 231118
Comment 1 Ricardo Labiaga 2007-03-06 16:28:04 EST
Created attachment 149387 [details]
strace of failed call to setfacl
Comment 2 Andrius Benokraitis 2007-03-06 16:35:29 EST
Corresponding bug for RHEL 4 can be found at bug 231118.
Comment 3 Steve Dickson 2007-03-07 14:33:08 EST
Which patches are you talking about on
http://www.citi.umich.edu/projects/nfsv4/linux/?

The close thing is nfs4-acl-tools-0.3.0.tar.gz 
and thats just two commands that show and 
set v4 acls... (Note: these commands will be part
of FC7 when it hits the street).... 

Comment 4 Ricardo Labiaga 2007-03-07 20:16:43 EST
There is also "acl-2.2.41-CITI_NFS4_ALL-3.dif" which is supposed to patch the
standard posix acl tools so they can deal with NFSv4 ACLs.  I haven't played
with this patch myself yet.
Comment 5 Steve Dickson 2007-03-08 12:15:37 EST
Created attachment 149590 [details]
Purposed upstream patch
Comment 10 Steve Dickson 2007-06-23 07:44:22 EDT

*** This bug has been marked as a duplicate of 243697 ***
Comment 11 Andrius Benokraitis 2007-06-26 11:12:34 EDT
Ricardo - per SteveD, this has to be deferred to RHEL 5.2.
Comment 16 Andrius Benokraitis 2007-08-15 16:15:25 EDT
Ricardo @ NetApp:

Please give RHEL 5.1 a shot for this - the newly added nfs4-acl-tools package is
in there which should help. Please let us know.
Comment 19 Steve Dickson 2007-11-01 19:18:47 EDT
Ricardo,

Does the nfs4-acl-tools package do what you want?
Comment 20 Daniel Riek 2007-11-09 13:28:17 EST
Please clarify what is requested here.

We shipped nfsv4-acl-tools in 5.1 and I am assuming that they address this
issue. Removing from 5.2 list for now. Please re-propose with new information or
close.
Comment 21 Ricardo Labiaga 2007-11-09 19:45:07 EST
Yes, having nfs4-acl-tools in RHEL 5.1 helps address this limitation.  It's okay
to close this bug.  Thanks.
Comment 23 Kamil Dudka 2015-07-27 07:00:00 EDT
*** Bug 815375 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.