<html><body><p><font size="2">(seems my earlier reply created a new topic; hence trying to reply back original thread started by </font><tt><font size="2">Ilan Schwarts</font></tt><font size="2">...)</font><br><br><tt>>> # mount -t nfs 10.10.158.61:/fs_gpfs01/nfs /mnt/nfs4</tt><br><tt>>> [</tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss"><tt><u><font color="#0000FF">root at CentOS7286-64</font></u></tt></a><tt> nfs4]# nfs4_getfacl mydir11<br>>> Operation to request attribute not supported.<br>>> [</tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss"><tt><u><font color="#0000FF">root at CentOS7286-64</font></u></tt></a><tt> nfs4]#</tt><br><br><font size="2">On my test setup (rhel7.3 nodes gpfs cluster and rhel7.2 nfs client); I can successfully read nfsv4 acls (nfs4_getfacl).</font><br><br><font size="2">Can you please try following on your setup?</font><br><br><font size="2">1> capture network packets for above failure and check what does nfs server return to GETATTR ?</font><br><tt>=> tcpdump -i any host 10.10.158.61 -w /tmp/getfacl.cap &; nfs4_getfacl mydir11; kill %1</tt><br><br><font size="2">2> Also check nfs4_getfacl version is up to date.</font><br><tt>=> /usr/bin/nfs4_getfacl -H</tt><br><br><font size="2">3> If above doesn't help; then make sure you have sufficient nfsv4 acls to read acls </font><br><font size="2">(as per my understanding; for reading nfsv4 acls; one needs EXEC_SEARCH on /fs_gpfs01/nfs and READ_ACL on /fs_gpfs01/nfs/mydir11).</font><br><tt>=> mmgetacl -k nfs4 /fs_gpfs01/nfs</tt><br><tt>=> mmgetacl -k nfs4 /fs_gpfs01/nfs/mydir11</tt><br><br><font size="2">Thanks,</font><br><font size="2">Chetan.</font><br><br><img width="16" height="16" src="cid:1__=EABB0BE5DFC9D9308f9e8a93df938690918cEAB@" border="0" alt="Inactive hide details for gpfsug-discuss-request---08/08/2017 04:30:17 PM---Send gpfsug-discuss mailing list submissions to gp"><font size="2" color="#424282">gpfsug-discuss-request---08/08/2017 04:30:17 PM---Send gpfsug-discuss mailing list submissions to gpfsug-discuss@spectrumscale.org</font><br><br><font size="2" color="#5F5F5F">From: </font><font size="2">gpfsug-discuss-request@spectrumscale.org</font><br><font size="2" color="#5F5F5F">To: </font><font size="2">gpfsug-discuss@spectrumscale.org</font><br><font size="2" color="#5F5F5F">Date: </font><font size="2">08/08/2017 04:30 PM</font><br><font size="2" color="#5F5F5F">Subject: </font><font size="2">gpfsug-discuss Digest, Vol 67, Issue 21</font><br><font size="2" color="#5F5F5F">Sent by: </font><font size="2">gpfsug-discuss-bounces@spectrumscale.org</font><br><hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br><br><br><tt><font size="2">Send gpfsug-discuss mailing list submissions to<br> gpfsug-discuss@spectrumscale.org<br><br>To subscribe or unsubscribe via the World Wide Web, visit<br> </font></tt><tt><font size="2"><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font></tt><tt><font size="2"><br>or, via email, send a message with subject or body 'help' to<br> gpfsug-discuss-request@spectrumscale.org<br><br>You can reach the person managing the list at<br> gpfsug-discuss-owner@spectrumscale.org<br><br>When replying, please edit your Subject line so it is more specific<br>than "Re: Contents of gpfsug-discuss digest..."<br><br><br>Today's Topics:<br><br> 1. Re: How to use nfs4_getfacl (or set) on GPFS cluster<br> (Ilan Schwarts)<br> 2. How to use nfs4_getfacl (or set) on GPFS cluster<br> (Chetan R Kulkarni)<br><br><br>----------------------------------------------------------------------<br><br>Message: 1<br>Date: Tue, 8 Aug 2017 07:28:20 +0300<br>From: Ilan Schwarts <ilan84@gmail.com><br>To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org><br>Subject: Re: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS<br> cluster<br>Message-ID:<br> <CAJUuSvGwzKdL3NjsxEN+s-BDxXvBsmFQbDOZ=KakmU4KB+aH9g@mail.gmail.com><br>Content-Type: text/plain; charset="utf-8"<br><br>Hi,<br>The command should work from server side i know.. but isnt the scenario of:<br>Root user, that is mounted via nfsv4 to a gpfs filesystem, cannot edit any<br>of the mounted files/dirs acls?<br>The acls are editable only from server side?<br>Thanks!<br>On Aug 8, 2017 00:10, "James Davis" <jamiedavis@us.ibm.com> wrote:<br><br>> Hi Ilan,<br>><br>> 1. Your command might work from the server side; you said you tried it<br>> from the client side. Could you find anything in the docs about this? I<br>> could not.<br>><br>> 2. I can share this NFSv4-themed wrapper around mmputacl if it would be<br>> useful to you. You would have to run it from the GPFS side, not the NFS<br>> client side.<br>><br>> Regards,<br>><br>> Jamie<br>><br>> # ./updateNFSv4ACL -h<br>> Update the NFSv4 ACL governing a file's access permissions.<br>> Appends to the existing ACL, overwriting conflicting permissions.<br>> Usage: ./updateNFSv4ACL -file /path/to/file { ADD_PERM_SPEC |<br>> DEL_PERM_SPEC }+<br>> ADD_PERM_SPEC: { -owningUser PERM | -owningGroup PERM | -other PERM |<br>> -ace nameType:name:PERM:aceType }<br>> DEL_PERM_SPEC: { -noACEFor nameType:name }<br>> PERM: Specify a string composed of one or more of the following letters<br>> in no particular order:<br>> r (ead)<br>> w (rite)<br>> a (ppend) Must agree with write<br>> x (execute)<br>> d (elete)<br>> D (elete child) Dirs only<br>> t (read attrs)<br>> T (write attrs)<br>> c (read ACL)<br>> C (write ACL)<br>> o (change owner)<br>> You can also provide these, but they will have no effect in GPFS:<br>> n (read named attrs)<br>> N (write named attrs)<br>> y (support synchronous I/O)<br>><br>> To indicate no permissions, give a -<br>> nameType: 'user' or 'group'.<br>> aceType: 'allow' or 'deny'.<br>> Examples: ./updateNFSv4ACL -file /fs1/f -owningUser rtc -owningGroup<br>> rwaxdtc -other '-'<br>> Assign these permissions to 'owner', 'group', 'other'.<br>> ./updateNFSv4ACL -file /fs1/f -ace 'user:pfs001:rtc:allow'<br>> -noACEFor 'group:fvt001'<br>> Allow user pfs001 read/read attrs/read ACL permission<br>> Remove all ACEs (allow and deny) for group fvt001.<br>> Notes:<br>> Permissions you do not allow are denied by default.<br>> See the GPFS docs for some other restrictions.<br>> ace is short for Access Control Entry<br>><br>><br>> ----- Original message -----<br>> From: Ilan Schwarts <ilan84@gmail.com><br>> Sent by: gpfsug-discuss-bounces@spectrumscale.org<br>> To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org><br>> Cc:<br>> Subject: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster<br>> Date: Mon, Aug 7, 2017 9:27 AM<br>><br>> Hi all,<br>> My setup is 2 nodes GPFS and 1 machine as NFS Client.<br>> All machines (3 total) run CentOS 7.2<br>><br>> The 3rd CentOS machine (not part of the cluster) used as NFS Client.<br>><br>> I mount the NFS Client machine to one of the nodes: mount -t nfs<br>> 10.10.158.61:/fs_gpfs01/nfs /mnt/nfs4<br>><br>> This gives me the following:<br>><br>> [root@CentOS7286-64 ~]# mount -v | grep gpfs<br>> 10.10.158.61:/fs_gpfs01/nfs on /mnt/nfs4 type nfs4<br>> (rw,relatime,vers=4.0,rsize=524288,wsize=524288,namlen=<br>> 255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,<br>> clientaddr=10.10.149.188,local_lock=none,addr=10.10.158.61)<br>><br>> Now, From the Client NFS Machine, I go to the mount directory ("cd<br>> /mnt/nfs4") and try to set an acl. Since NFSv4 should be supported, I<br>> use nfs4_getfacl:<br>> [root@CentOS7286-64 nfs4]# nfs4_getfacl mydir11<br>> Operation to request attribute not supported.<br>> [root@CentOS7286-64 nfs4]#<br>><br>> >From the NODE machine i see the status:<br>> [root@LH20-GPFS1 fs_gpfs01]# mmlsfs fs_gpfs01<br>> flag value description<br>> ------------------- ------------------------ ------------------------------<br>> -----<br>> -f 8192 Minimum fragment size in bytes<br>> -i 4096 Inode size in bytes<br>> -I 16384 Indirect block size in bytes<br>> -m 1 Default number of metadata<br>> replicas<br>> -M 2 Maximum number of metadata<br>> replicas<br>> -r 1 Default number of data<br>> replicas<br>> -R 2 Maximum number of data<br>> replicas<br>> -j cluster Block allocation type<br>> -D nfs4 File locking semantics in<br>> effect<br>> -k nfs4 ACL semantics in effect<br>> -n 32 Estimated number of nodes<br>> that will mount file system<br>> -B 262144 Block size<br>> -Q none Quotas accounting enabled<br>> none Quotas enforced<br>> none Default quotas enabled<br>> --perfileset-quota No Per-fileset quota enforcement<br>> --filesetdf No Fileset df enabled?<br>> -V 16.00 (4.2.2.0) File system version<br>> --create-time Wed Jul 5 12:28:39 2017 File system creation time<br>> -z No Is DMAPI enabled?<br>> -L 4194304 Logfile size<br>> -E Yes Exact mtime mount option<br>> -S No Suppress atime mount option<br>> -K whenpossible Strict replica allocation<br>> option<br>> --fastea Yes Fast external attributes<br>> enabled?<br>> --encryption No Encryption enabled?<br>> --inode-limit 171840 Maximum number of inodes<br>> in all inode spaces<br>> --log-replicas 0 Number of log replicas<br>> --is4KAligned Yes is4KAligned?<br>> --rapid-repair Yes rapidRepair enabled?<br>> --write-cache-threshold 0 HAWC Threshold (max 65536)<br>> -P system Disk storage pools in file<br>> system<br>> -d nynsd1;nynsd2 Disks in file system<br>> -A yes Automatic mount option<br>> -o none Additional mount options<br>> -T /fs_gpfs01 Default mount point<br>> --mount-priority 0 Mount priority<br>><br>><br>><br>> I saw this thread:<br>> </font></tt><tt><font size="2"><a href="https://serverfault.com/questions/655112/nfsv4-acls-on-gpfs/722200">https://serverfault.com/questions/655112/nfsv4-acls-on-gpfs/722200</a></font></tt><tt><font size="2"><br>><br>> Is it still relevant ? Since 2014..<br>><br>> Thanks !<br>> _______________________________________________<br>> gpfsug-discuss mailing list<br>> gpfsug-discuss at spectrumscale.org<br>> </font></tt><tt><font size="2"><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font></tt><tt><font size="2"><br>><br>><br>><br>><br>><br>> _______________________________________________<br>> gpfsug-discuss mailing list<br>> gpfsug-discuss at spectrumscale.org<br>> </font></tt><tt><font size="2"><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font></tt><tt><font size="2"><br>><br>><br>-------------- next part --------------<br>An HTML attachment was scrubbed...<br>URL: <</font></tt><tt><font size="2"><a href="http://gpfsug.org/pipermail/gpfsug-discuss/attachments/20170808/0e20196d/attachment-0001.html">http://gpfsug.org/pipermail/gpfsug-discuss/attachments/20170808/0e20196d/attachment-0001.html</a></font></tt><tt><font size="2">><br><br>------------------------------<br><br>Message: 2<br>Date: Tue, 8 Aug 2017 10:20:10 +0530<br>From: "Chetan R Kulkarni" <chetkulk@in.ibm.com><br>To: gpfsug-discuss@spectrumscale.org<br>Subject: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS<br> cluster<br>Message-ID:<br> <OF349B0197.8D24F794-ON65258176.0018158D-65258176.001A9103@notes.na.collabserv.com><br> <br>Content-Type: text/plain; charset="us-ascii"<br><br><br><br>>> # mount -t nfs 10.10.158.61:/fs_gpfs01/nfs /mnt/nfs4<br>>> [root at CentOS7286-64 nfs4]# nfs4_getfacl mydir11<br>>> Operation to request attribute not supported.<br>>> [root at CentOS7286-64 nfs4]#<br><br>On my test setup (rhel7.3 nodes gpfs cluster and rhel7.2 nfs client); I can<br>successfully read nfsv4 acls (nfs4_getfacl).<br><br>Can you please try following on your setup?<br><br>1> capture network packets for above failure and check what does nfs server<br>return to GETATTR ?<br>=> tcpdump -i any host 10.10.158.61 -w /tmp/getfacl.cap &; nfs4_getfacl<br>mydir11; kill %1<br><br>2> Also check nfs4_getfacl version is up to date.<br>=> /usr/bin/nfs4_getfacl -H<br><br>3> If above doesn't help; then make sure you have sufficient nfsv4 acls to<br>read acls<br>(as per my understanding; for reading nfsv4 acls; one needs EXEC_SEARCH<br>on /fs_gpfs01/nfs and READ_ACL on /fs_gpfs01/nfs/mydir11).<br>=> mmgetacl -k nfs4 /fs_gpfs01/nfs<br>=> mmgetacl -k nfs4 /fs_gpfs01/nfs/mydir11<br><br>Thanks,<br>Chetan.<br>-------------- next part --------------<br>An HTML attachment was scrubbed...<br>URL: <</font></tt><tt><font size="2"><a href="http://gpfsug.org/pipermail/gpfsug-discuss/attachments/20170808/42fbe6c2/attachment-0001.html">http://gpfsug.org/pipermail/gpfsug-discuss/attachments/20170808/42fbe6c2/attachment-0001.html</a></font></tt><tt><font size="2">><br><br>------------------------------<br><br>_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br></font></tt><tt><font size="2"><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font></tt><tt><font size="2"><br><br><br>End of gpfsug-discuss Digest, Vol 67, Issue 21<br>**********************************************<br><br></font></tt><br><br><BR>
</body></html>