Bug 980302 - should add ACL as default attribute when mount a disk for libguestfs in rhel6
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libguestfs
Severity: medium
Assigned To: Richard W.M. Jones
Reported: 2013-07-01 23:24 EDT by bfan
Modified: 2013-07-05 08:12 EDT
Doc Type: Bug Fix
Last Closed: 2013-07-05 08:12:01 EDT
Type: Bug
Description bfan 2013-07-01 23:24:58 EDT
Description of problem:
We must use "mount-options acl" to activate ACL in libguestfs; however, acl is a default attribute in RHEL 6, so it would be better for libguestfs to be consistent with the host.
We expect that acl works even when just using "mount" without any options in libguestfs.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
[root]# guestfish -N fs mount /dev/sda1 / : acl-get-file / default
libguestfs: error: acl_get_file: /: Operation not supported

specified acl option, works well
[root]# guestfish -N fs mount-options acl /dev/sda1 / : acl-get-file / default


Actual results:
Need to manually activate ACL

Expected results:
ACL as a default attribute to be activated

Additional info:
In rhel7, acl works well without "mount-options acl"
Comment 1 Richard W.M. Jones 2013-07-05 07:46:19 EDT
There's actually a lot of subtle machinery going on here.

The 'getfacl' external command uses the following system call to
get ACLs:

getxattr("/sysroot", "system.posix_acl_default", 0x7fffb2d46720, 132)

Inside the RHEL 6 appliance, this fails with EOPNOTSUPP
(Operation not supported).  The getfacl command *ignores* this
error and just reports an empty list of ACLs.

The daemon uses the library call 'acl_get_file' which fails with
ENOTSUP (this is the same as EOPNOTSUPP).  The daemon *does not ignore*
this error and reports it back to the user, as reported above.

The following code from getfacl shows how it ignores ENOTSUP
and just uses fstat instead:

        if (opt_print_acl) {
                acl = acl_get_file(path_p, ACL_TYPE_ACCESS);
                if (acl == NULL && (errno == ENOSYS || errno == ENOTSUP))
                        acl = acl_get_file_mode(path_p);
                if (acl == NULL)
                        goto fail;

        if (opt_print_default_acl && S_ISDIR(st->st_mode)) {
                default_acl = acl_get_file(path_p, ACL_TYPE_DEFAULT);
                if (default_acl == NULL) {
                        if (errno != ENOSYS && errno != ENOTSUP)
                                goto fail;
                } else if (acl_entries(default_acl) == 0) {
                        default_acl = NULL;

I don't think we should try ignoring errors in libguestfs.  It's
going to cause confusion in upper layers.


On the RHEL 6 host, things are different.  The same system call
fails with ENODATA.  Note the mount options and filesystem type
are identical.

So the real bug is why does the same getxattr call fail in two
different ways?
Comment 2 Richard W.M. Jones 2013-07-05 08:12:01 EDT
OK, I see.  If you use the following command you can see the
real kernel options, instead of having them filtered by mount.

RHEL 6 host:

$ awk '$2=="/"' /proc/mounts 
rootfs / rootfs rw 0 0
/dev/mapper/vg_builderrhel6-lv_root / ext4 rw,seclabel,relatime,barrier=1,data=ordered 0 0

Appliance (using virt-rescue):

><rescue> mount /dev/sda1 /sysroot
[  217.365747] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: 
><rescue> awk '$2=="/sysroot"' /proc/mounts 
/dev/sda1 /sysroot ext4 rw,relatime,barrier=1,data=ordered 0 0

The key here is "seclabel".  This is not a real mount option, but
it's printed by the Linux Security Module if security labels are being
used, which implies that xattrs have been turned on (implicitly?).

That explains it.  However I don't think this is a bug.  People
should use the 'acl' option if it's not the default, and it's
not the default in RHEL 6.
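
Added example, not part of the bug report and not libguestfs or getfacl code: a small C probe that issues the getxattr call from comment 1 and keeps "ACLs supported but none set" (ENODATA) separate from "ACL support not active on this mount" (ENOTSUP) instead of hiding either, plus a check for an option token in a /proc/mounts line. The function and enum names are hypothetical; the two sample lines are the ones quoted in comment 2.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* The two /proc/mounts lines quoted in comment 2 (host, then appliance). */
const char HOST_LINE[] = "/dev/mapper/vg_builderrhel6-lv_root / ext4 "
    "rw,seclabel,relatime,barrier=1,data=ordered 0 0";
const char APPLIANCE_LINE[] =
    "/dev/sda1 /sysroot ext4 rw,relatime,barrier=1,data=ordered 0 0";

enum acl_state { ACLS_SET, ACLS_NONE, ACLS_UNSUPPORTED, ACLS_ERROR };

/* Classify the errno from getxattr(..., "system.posix_acl_default", ...). */
enum acl_state classify_acl_errno(int err)
{
    if (err == 0) return ACLS_SET;            /* a default ACL exists */
    if (err == ENODATA) return ACLS_NONE;     /* supported, none set (host) */
    if (err == ENOTSUP || err == EOPNOTSUPP)
        return ACLS_UNSUPPORTED;              /* the appliance case */
    return ACLS_ERROR;                        /* anything else: report it */
}

/* Size-only query (NULL buffer, size 0): only success or errno matters. */
enum acl_state probe_default_acl(const char *path)
{
    ssize_t n = getxattr(path, "system.posix_acl_default", NULL, 0);
    return classify_acl_errno(n >= 0 ? 0 : errno);
}

/* 1 if opt is an exact option token (opt or opt=value) in a /proc/mounts line. */
int mounts_line_has_opt(const char *line, const char *opt)
{
    char dev[256], dir[256], type[64], opts[512];
    size_t len = strlen(opt);
    if (sscanf(line, "%255s %255s %63s %511s", dev, dir, type, opts) != 4)
        return 0;
    for (char *tok = strtok(opts, ","); tok; tok = strtok(NULL, ","))
        if (strncmp(tok, opt, len) == 0 && (tok[len] == '\0' || tok[len] == '='))
            return 1;
    return 0;
}

int main(void)
{
    printf("default ACL state of /: %d\n", (int)probe_default_acl("/"));
    printf("seclabel host=%d appliance=%d\n", mounts_line_has_opt(HOST_LINE, "seclabel"),
           mounts_line_has_opt(APPLIANCE_LINE, "seclabel"));
    return 0;
}
```
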
