<div dir="ltr">Stephen, (And Helge, some interesting SMB stuff at the very end),<br> The answer is no, it won't cause a conversion or take a long time, but that is a bit of speculation based on the documentation...<br><br>--- inexplicably long answer below ---<br><br>The GPFS documentation quite clearly states that ACL's are managed on a per file basis, so you may have intermingled POSIX and NFS4 ACL's. Past versions going back to 3.1 seem to indicate they work the same way..<br><a href="https://www.ibm.com/docs/en/spectrum-scale/4.2.0?topic=lists-nfs-v4-acl-administration" rel="noreferrer" target="_blank">https://www.ibm.com/docs/en/spectrum-scale/4.2.0?topic=lists-nfs-v4-acl-administration</a><br><br>A simple test:<br><font face="monospace">$ mmlsfs ${FS} -k<br>flag value description<br>------------------- ------------------------ -----------------------------------<br> -k all ACL semantics in effect<br>$ touch nfsv4acl posixacl<br>$ mmgetacl -k nfs4 nfsv4acl | mmputacl nfsv4acl<br>$ mmgetacl -k posix posixacl | mmputacl posixacl<br>$ mmgetacl nfsv4acl<br>#NFSv4 ACL<br>#owner:XXXXXXXXXXXX<br>#group:XXX<br>special:owner@:rw-c:allow<br> (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<br> (-)DELETE (-)DELETE_CHILD (X)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED<br>...</font><div><font face="monospace"><br>$ mmgetacl posixacl<br>#owner:XXXXXXXXXXX<br>#group:XXX<br>user::rw-c<br>...</font></div><div><font face="monospace"><br>$ mmgetacl -k nfs4 posixacl<br>#NFSv4 ACL<br>#owner:XXXXXXXXXXXX<br>#group:XXX<br>special:owner@:rw-c:allow<br> (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<br>...</font><div><br>The man page for -k indicates that the user can't <b>ASSIGN </b>these ACL's it doesn't state that it won't serve or store them, so going to a more restricted mode doesn't seem to indicate that it would remove the existing ACL's. It also doesn't indicate that any conversion is happening in any circumstance (from a mmchfs).<br><br>Finally the mmgetacl command has a man page that explains EXACTLY what is going on:<br> 1. By default, mmgetacl returns the ACL in a format<br> consistent with the file system setting, specified using the<br> -k flag on the mmcrfs or mmchfs commands.<br><br> If the setting is posix, the ACL is shown as a<br> traditional ACL.<br><br> If the setting is nfs4, the ACL is shown as an NFS V4<br> ACL.<br><br> If the setting is all, the ACL is returned in its true<br> form.<br><br> 2. The command mmgetacl -k nfs4 always produces an NFS V4<br> ACL.<br><br> 3. The command mmgetacl -k posix always produces a<br> traditional ACL.<br><br> 4. The command mmgetacl -k native always shows the ACL in<br> its true form regardless of the file system setting.<br><br>So the short answer is after changing -k to nfsv4 it seems mmgetacl would intuit that you want to see ACL's in nfsv4 format since POSIX isn't allowed. But you can run mmgetacl -k native to see what ACL was (and continues to be) stored for the file object. I can't change any of my FS's to not be -k all, so I couldn't test out my mmgetacl assertions.<br><br>Maybe I got some details wrong here but this one seems pretty straight forward based on the documentation.<br><br>Also I'm not sure I'd say that a mention of a flag embedded in a ksh script is "documented" but I expect it is more related to how SMB integrates to Spectrum Scale and perhaps there is some secret sauce leveraged here. We don't do SMB on Scale, but if I we were, this would be an interesting read: <a href="https://manpages.debian.org/testing/samba-vfs-modules/vfs_gpfs.8.en.html" rel="noreferrer" target="_blank">https://manpages.debian.org/testing/samba-vfs-modules/vfs_gpfs.8.en.html</a>.<br><br>Alec<br><div><div class="gmail-adm" style="margin:5px 0px"><div id="gmail-q_179" class="gmail-ajR gmail-h4" style="background-color:rgb(232,234,237);border:none;clear:both;line-height:6px;outline:none;width:24px;color:rgb(80,0,80);font-size:11px;border-radius:5.5px"><br class="gmail-Apple-interchange-newline"></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Aug 30, 2022 at 3:03 AM Helge Hauglin <<a href="mailto:helge.hauglin@usit.uio.no">helge.hauglin@usit.uio.no</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Stephen.<br>
<br>
> Also I didn't mention that we also need NFSv4 access and<br>
> native GPFS, this will not be SMB-only. It will actually be mostly<br>
> GPFS native.<br>
<br>
Beware that when writing via SMB, samba default permissions will be applied<br>
to new files and folders, which might not give the permissions your<br>
users need.<br>
<br>
On our CES clusters, the samba default permission is 0755 / 0744 [1].<br>
We want either 0770 or 0775 by default. This we get by setting these<br>
permissions in NFSv4 ACLs in relevant folders, plus turn on inheritance<br>
for the ACEs to new files and folders. The side effect of having NFSv4<br>
ACLs with inheritance is that 'umask' in processes writing via GPFS or<br>
NFS is ignored. I have not tried. but I guees it works similarly with<br>
POSIX ACLs.<br>
<br>
[1]<br>
<br>
| # testparm -s -v | grep mask<br>
| Load smb config files from /var/mmfs/ces/smb.conf<br>
| [...]<br>
| create mask = 0744<br>
| directory mask = 0755<br>
<br>
> I don't think existing ACLs will be adversely<br>
> affected. In a test filesystem with "-k all" I set some POSIX ACLs and<br>
> converted the filesystem to "-k nfs4" and the result looked<br>
> reasonable. Plus I ran mmgetacl -k nfs4 on numerous files/dirs with<br>
> POSIX ACLs in our production filesystem and the results looked<br>
> promising.<br>
<br>
I would recommend standardizing on one type of ACLs, which will give you<br>
less variants to deal with, simplifying administration.<br>
<br>
-- <br>
Regards,<br>
<br>
Helge Hauglin<br>
<br>
----------------------------------------------------------------<br>
Mr. Helge Hauglin, Senior Engineer<br>
System administrator<br>
Center for Information Technology, University of Oslo, Norway<br>
<br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at <a href="http://gpfsug.org" rel="noreferrer" target="_blank">gpfsug.org</a><br>
<a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org" rel="noreferrer" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org</a><br>
</blockquote></div>