[gpfsug-discuss] default owner and group for POSIX ACLs
Paul Ward
p.ward at nhm.ac.uk
Tue Oct 15 19:27:01 BST 2019
I have tested replacing POSIX with NFSv4, I have altered POSIX and altered NFSv4.
The example below is NFSv4 changed to POSIX
I have also tested on folders.
Action
Details
Pre Changes
File is backed up, migrated and has a nfsv4 ACL
> ls -l
---------- 1 root 16777221 102400000 Sep 18 15:07 100mb-9.dat
> dsmls
102400000 0 0 m 100mb-9.dat
> dsmc q backup “<file>” -inac
102,400,000 B 09/18/2019 15:53:41 NHM_DATA_MC A /…/100mb-9.dat
102,400,000 B 09/18/2019 15:08:58 NHM_DATA_MC I /…/100mb-9.dat
>mmgetacl
#NFSv4 ACL
#owner:root
#group:16777221
group:1399645580:rwx-:allow:Inherited
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:16783540:rwx-:allow:Inherited
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:16777360:r-x-:allow:Inherited
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
group:1399621272:r-x-:allow:Inherited
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
Erase the nfsv4 acl
chown root:root
chmod 770
POSIX permissions changed and NFSv4 ACL gone
> ls -l
-rwxrwx--- 1 root root 102400000 Sep 18 15:07 100mb-9.dat
> dsmls
102400000 0 0 m 100mb-9.dat
> dsmc q backup “<file>” -inac
102,400,000 B 09/18/2019 15:53:41 NHM_DATA_MC A /…/100mb-9.dat
102,400,000 B 09/18/2019 15:08:58 NHM_DATA_MC I /…/100mb-9.dat
>mmgetacl
#owner:root
#group:root
user::rwxc
group::rwx-
other::----
Incremental backup
Backup ‘updates’ the backup, but doesn’t transfer any data.
dsmc incr "100mb-9.dat"
IBM Tivoli Storage Manager
Command Line Backup-Archive Client Interface
Client Version 7, Release 1, Level 6.4
Client date/time: 10/15/2019 17:57:59
(c) Copyright by IBM Corporation and other(s) 1990, 2016. All Rights Reserved.
Node Name: NHM-XXX-XXX
Session established with server TSM-XXXXXX: Windows
Server Version 7, Release 1, Level 7.0
Server date/time: 10/15/2019 17:57:58 Last access: 10/15/2019 17:57:52
Accessing as node: XXX-XXX
Incremental backup of volume '100mb-9.dat'
Updating--> 102,400,000 /…/100mb-9.dat [Sent]
Successful incremental backup of '/…/100mb-9.dat'
Total number of objects inspected: 1
Total number of objects backed up: 0
Total number of objects updated: 1
Total number of objects rebound: 0
Total number of objects deleted: 0
Total number of objects expired: 0
Total number of objects failed: 0
Total number of objects encrypted: 0
Total number of objects grew: 0
Total number of retries: 0
Total number of bytes inspected: 97.65 MB
Total number of bytes transferred: 0 B
Data transfer time: 0.00 sec
Network data transfer rate: 0.00 KB/sec
Aggregate data transfer rate: 0.00 KB/sec
Objects compressed by: 0%
Total data reduction ratio: 100.00%
Elapsed processing time: 00:00:01
Post backup
Active Backup timestamp hasn’t changed, and file is still migrated.
> ls -l
-rwxrwx--- 1 root root 102400000 Sep 18 15:07 100mb-9.dat
> dsmls
102400000 0 0 m 100mb-9.dat
> dsmc q backup “<file>” -inac
102,400,000 B 09/18/2019 15:53:41 NHM_DATA_MC A /…/100mbM/100mb-9.dat
102,400,000 B 09/18/2019 15:08:58 NHM_DATA_MC I /…/100mbM/100mb-9.dat
>mmgetacl
#owner:root
#group:root
user::rwxc
group::rwx-
other::----
Restore
dsmc restore "100mb-9.dat" "100mb-9.dat.restore"
IBM Tivoli Storage Manager
Command Line Backup-Archive Client Interface
Client Version 7, Release 1, Level 6.4
Client date/time: 10/15/2019 18:02:09
(c) Copyright by IBM Corporation and other(s) 1990, 2016. All Rights Reserved.
Node Name: NHM-XXX-XXX
Session established with server TSM-XXXXXX: Windows
Server Version 7, Release 1, Level 7.0
Server date/time: 10/15/2019 18:02:08 Last access: 10/15/2019 18:02:07
Accessing as node: HSM-NHM
Restore function invoked.
Restoring 102,400,000 /…/100mb-9.dat --> /…/100mb-9.dat.restore [Done]
Restore processing finished.
Total number of objects restored: 1
Total number of objects failed: 0
Total number of bytes transferred: 97.66 MB
Data transfer time: 1.20 sec
Network data transfer rate: 83,317.88 KB/sec
Aggregate data transfer rate: 689.11 KB/sec
Elapsed processing time: 00:02:25
Restored file
Restored file has the same permissions as the last backup
> ls -l
-rwxrwx--- 1 root root 102400000 Sep 18 15:07 100mb-9.dat.restore
> dsmls
102400000 102400000 160 r 100mb-9.dat.restore
> dsmc q backup “<file>” -inac
ANS1092W No files matching search criteria were found
>mmgetacl
#owner:root
#group:root
user::rwxc
group::rwx-
other::----
I have just noticed:
File backedup with POSIX – restored file permissions POSIX
File backedup with POSIX, changed to NFSv4 permissions, incremental backup – restore file permissions POSIX
File backedup with NFSv4, Changed to POSIX permissions, incremental backup – restore file permissions POSIX
File backedup with NFSv4, restore file permissions NFSv4
(there may be other variables involved)
Kindest regards,
Paul
Paul Ward
TS Infrastructure Architect
Natural History Museum
T: 02079426450
E: p.ward at nhm.ac.uk
From: gpfsug-discuss-bounces at spectrumscale.org <gpfsug-discuss-bounces at spectrumscale.org> On Behalf Of Frederick Stock
Sent: 15 October 2019 17:50
To: gpfsug-discuss at spectrumscale.org
Cc: gpfsug-discuss at spectrumscale.org
Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs
Thanks Paul. Could you please clarify which ACL you changed, the GPFS NFSv4 ACL or the POSIX ACL?
Fred
__________________________________________________
Fred Stock | IBM Pittsburgh Lab | 720-430-8821
stockf at us.ibm.com<mailto:stockf at us.ibm.com>
----- Original message -----
From: Paul Ward <p.ward at nhm.ac.uk<mailto:p.ward at nhm.ac.uk>>
Sent by: gpfsug-discuss-bounces at spectrumscale.org<mailto:gpfsug-discuss-bounces at spectrumscale.org>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org<mailto:gpfsug-discuss at spectrumscale.org>>
Cc:
Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLs
Date: Tue, Oct 15, 2019 12:18 PM
Hi Fred,
From the tests I have done changing the ACL results in just an ‘update’ to when using Spectrum Protect, even on migrated files.
Kindest regards,
Paul
Paul Ward
TS Infrastructure Architect
Natural History Museum
T: 02079426450
E: p.ward at nhm.ac.uk<mailto:p.ward at nhm.ac.uk>
From: gpfsug-discuss-bounces at spectrumscale.org<mailto:gpfsug-discuss-bounces at spectrumscale.org> <gpfsug-discuss-bounces at spectrumscale.org<mailto:gpfsug-discuss-bounces at spectrumscale.org>> On Behalf Of Frederick Stock
Sent: 15 October 2019 17:09
To: gpfsug-discuss at spectrumscale.org<mailto:gpfsug-discuss at spectrumscale.org>
Cc: gpfsug-discuss at spectrumscale.org<mailto:gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs
As I understand if you change only the POSIX attributes on a file then you are correct that TSM will only backup the file metadata, actually just the POSIX relevant metadata. However, if you change ACLs or other GPFS specific metadata then TSM will backup the entire file, TSM does not keep all file metadata separate from the actual file data.
Fred
__________________________________________________
Fred Stock | IBM Pittsburgh Lab | 720-430-8821
stockf at us.ibm.com<mailto:stockf at us.ibm.com>
----- Original message -----
From: Simon Thompson <S.J.Thompson at bham.ac.uk<mailto:S.J.Thompson at bham.ac.uk>>
Sent by: gpfsug-discuss-bounces at spectrumscale.org<mailto:gpfsug-discuss-bounces at spectrumscale.org>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org<mailto:gpfsug-discuss at spectrumscale.org>>
Cc:
Subject: [EXTERNAL] Re: [gpfsug-discuss] default owner and group for POSIX ACLs
Date: Tue, Oct 15, 2019 11:41 AM
I thought Spectrum Protect didn't actually backup again on a file owner change. Sure mmbackup considers it, but I think Protect just updates the metadata. There are also some other options for dsmc that can stop other similar issues if you change ctime maybe.
(Other backup tools are available)
Simon
On 15/10/2019, 15:31, "gpfsug-discuss-bounces at spectrumscale.org on behalf of Jonathan Buzzard<mailto:gpfsug-discuss-bounces at spectrumscale.org%20on%20behalf%20of%20Jonathan%20Buzzard>" <gpfsug-discuss-bounces at spectrumscale.org on behalf of jonathan.buzzard at strath.ac.uk<mailto:gpfsug-discuss-bounces at spectrumscale.org%20on%20behalf%20of%20jonathan.buzzard at strath.ac.uk>> wrote:
On Tue, 2019-10-15 at 12:34 +0000, Paul Ward wrote:
> We are in the process of changing the way GPFS assigns UID/GIDs from
> internal tdb to using AD RIDs with an offset that matches our linux
> systems. We, therefore, need to change the ACLs for all the files in
> GPFS (up to 80 million).
You do realize that will mean backing everything up again....
> We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs
> being applied. (This system was set up 14 years ago and has changed
> roles over time) We are running on linux, so need to have POSIX
> permissions enabled.
We run on Linux and only have NFSv4 ACL's applied. I am not sure why
you need POSIX ACL's if you are running Linux. Very very few
applications will actually check ACL's or even for that matter
permissions. They just do an fopen call or similar and the OS either
goes yeah or neah, and the app needs to do something in the case of
neah.
>
> What I want to know for those in a similar environment, what do you
> have as the POSIX owner and group, when NFSv4 ACLs are in use?
> root:root
>
> or do you have all files owned by a filesystem administrator account
> and group:
> <ad service account>:<ad fileserver admin group>
>
> on our samba shares we have :
> admin users = @<ad fileserver admin group>
> So don’t actually need the group defined in POSIX.
>
Samba works much better with NFSv4 ACL's.
JAB.
--
Jonathan A. Buzzard Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
gpfsug.org<https://eur03.safelinks.protection.outlook.com/?url=outlook.com&data=02%7C01%7Cp.ward%40nhm.ac.uk%7C655b1d7b22244a274c4208d7518fb84b%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637067550028504673&sdata=IlugzXm8rZUK%2B2vKqZD9ScLiqsH%2F%2FaWvAP00wsK0AZI%3D&reserved=0>
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
gpfsug.org<https://eur03.safelinks.protection.outlook.com/?url=outlook.com&data=02%7C01%7Cp.ward%40nhm.ac.uk%7C655b1d7b22244a274c4208d7518fb84b%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637067550028514667&sdata=GTpx9XQJv8fux5v0l72bfi%2FuNUhn94KVOEdkLVT4W5s%3D&reserved=0>
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7Cp.ward%40nhm.ac.uk%7C655b1d7b22244a274c4208d7518fb84b%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637067550028514667&sdata=gkDED2GmyMs0j8OZfRyBLhCSDnExf%2B8GYYPItDo%2BQ08%3D&reserved=0>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20191015/79a63055/attachment.htm>
More information about the gpfsug-discuss
mailing list