ACLs over NFSv4

Hi all,

First post on the openSUSE forums, for a problem I’ve been working on for more than 2 weeks, without success.

In my company, we moved to NFSv4 a few days ago, and since then ACLs over NFS are not working anymore.
The client mount itself works fine, and getfacl and setfacl are also working when applied to regular Linux permissions (rwx on owner, group or others).

But when it comes to real ACLs (e.g. setting a permission for a specific user or group that’s not the owner or the owner’s group), it’s just not possible.

In fact I don’t even see the “+” that should be at the end of the permissions list when doing a “ls -l” command on one of the mounted folders.

It’s a bit difficult to make screenshots of my fstab and exports files right now, but I’ll do so in my next post if needed.

The only information I really need right now is:

  • Are ACLs over NFSv4 supposed to work with a SLES 10 server and an openSUSE 11.0 client, both installed with an ext3 system?

  • Do other people here experience the same problem?

  • Does someone successfully use ACLs over NFSv4?

Just to know if I need to try other solutions, because I feel a bit desperate :(

Thanks for your help,

Laurent

UP with some of my conf files.

Server /etc/exports:

/export *(rw,no_root_squash,acl,sync,no_subtree_check,fsid=0)

Server /etc/fstab:

/dev/xvda2           /                       ext3       acl,user_xattr               1 1
/dev/xvda1           swap                    swap       defaults                     0 0
/dev/xvdc1           /export/public          ext3       rw,nosuid,nodev,noexec,acl   0 0

proc                 /proc                   proc       defaults                     0 0
sysfs                /sys                    sysfs      noauto                       0 0
debugfs              /sys/kernel/debug       debugfs    noauto                       0 0
devpts               /dev/pts                devpts     mode=0620,gid=5              0 0
nfsd                 /proc/fs/nfsd           nfsd       defaults                     0 0
rpc_pipefs           /var/lib/nfs/rpc_pipefs rpc_pipefs defaults                     0 0

Client /etc/fstab:

/dev/sda2       /       ext3    acl,user_xattr 1 1
/dev/sda1       swap    swap    defaults 0 0
proc    /proc   proc    defaults 0 0
sysfs   /sys    sysfs   noauto 0 0
debugfs /sys/kernel/debug       debugfs noauto 0 0
usbfs   /proc/bus/usb   usbfs   noauto 0 0
devpts  /dev/pts        devpts  mode=0620,gid=5 0 0
servernfs:/             /import         nfs4    defaults 0 0

rpc_pipefs      /var/lib/nfs/rpc_pipefs rpc_pipefs defaults   0 0
nfsd    /proc/fs/nfsd   nfsd    defaults        0 0

Server rpc:

servernfs:~ # rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100024    1   udp  32768  status
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr
    100024    1   tcp  53992  status
    100021    1   tcp  53992  nlockmgr
    100021    3   tcp  53992  nlockmgr
    100021    4   tcp  53992  nlockmgr
    100005    1   udp   2050  mountd
    100005    1   tcp   2050  mountd
    100005    3   udp   2050  mountd
    100005    3   tcp   2050  mountd

Server ACL parameters:

servernfs:~ # grep ACL /boot/config-2.6.16.57-0.9-xen
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_GENERIC_ACL=y

Client rpc:

client:~ # rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

Client ACL parameters:

client:~ # grep ACL /boot/config-2.6.22.17-0.1-default
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_NFS4ACL=y
CONFIG_EXT4DEV_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_FS_NFS4ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m

I already installed both the nfs4-acl-tools.tar.gz and acl-xxx.tar.gz (with the patch) tarballs on my test configuration, and I still have this “Operation not supported” message.

Any idea? Even without native NFSv4 ACL support, it would be great if at least the POSIX<->NFSv4 ACL translation could work.

Any idea about my problem?

I’ve been looking at these 2 websites:
Native NFSv4 ACLs on Linux

CITI: Projects: NFS Version 4 Open Source Reference Implementation

and it seems that patches are needed to make Linux support the native NFSv4 ACLs. But for the NFSv4-aware POSIX ACL tools, can it work without?
I saw on the 2nd web page some patch for the acl tarball. I applied it and tried to compile, but I’ve got an error related to some library in my kernel (not due to a missing package), so I guess:

  • I also need to update my kernel
    OR
  • the tarball is too old

Can someone help??

Can you check that rpc.idmapd is running?

rpc.idmapd is running on both (it wasn’t the case before, as you noticed, and it also solved some problems, but not all).

I subscribed to the NFSv4 mailing list, and J. Bruce Fields partially solved my problem: my kernel and packages are OK, I just needed to install an NFSv4 ACL editor.

Right now my “only” remaining problem is that I’m still not able to export ACLs over NFSv4. Even the POSIX ACLs are not supported.

It means that when I run the getfacl command on the client, I only get the Unix permissions, not the POSIX (but they are defined, as I’m able to see them on the same file if I type getfacl on the server).

I also still get this “Operation not supported” message when trying a setfacl on the client (the same command on the same file on the server works fine).

I also removed the “acl” option from my /etc/exports file, it was useless.

UP:

For the POSIX ACLs over NFSv4, I have the confirmation that it’s not possible. To use them, libacl needs to be patched.

So the “only” problem that I still have is my nfsv4-acl-editor: it gives me an “operation to request attribute not supported” when trying to add an NFSv4 ACL on a file or folder.

A guy from the nfsv4 mailing list told me that “it may be a bug”, which isn’t very helpful in my situation.

I’ll try to install other editors to see if I get better results.

Hi…

As I also need to provide directories via NFS4 and ACL, I wonder if there is any news on whether this is possible.
Up to now I cannot see the ACLs that have been set using setfacl on the server.

Any news?

Cheers
Micha

Hi,

I’ve just had a quick look at some NFSv4 “official” websites, and it seems to be still in development.