[gpfsug-discuss] mmchfs -k nfs4 impacts?

Alec anacreo at gmail.com
Fri Sep 2 10:36:50 BST 2022 

Stephen, (And Helge, some interesting SMB stuff at the very end),
  The answer is no, it won't cause a conversion or take a long time, but
that is a bit of speculation based on the documentation...

--- inexplicably long answer below ---

The GPFS documentation quite clearly states that ACL's are managed on a per
file basis, so you may have intermingled POSIX and NFS4 ACL's.  Past
versions going back to 3.1 seem to indicate they work the same way..
https://www.ibm.com/docs/en/spectrum-scale/4.2.0?topic=lists-nfs-v4-acl-administration

A simple test:
$ mmlsfs ${FS} -k
flag                value                    description
------------------- ------------------------
-----------------------------------
 -k                 all                      ACL semantics in effect
$ touch nfsv4acl posixacl
$ mmgetacl -k nfs4 nfsv4acl | mmputacl nfsv4acl
$ mmgetacl -k posix posixacl | mmputacl posixacl
$ mmgetacl nfsv4acl
#NFSv4 ACL
#owner:XXXXXXXXXXXX
#group:XXX
special:owner@:rw-c:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL
(X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (X)CHOWN        (-)EXEC/SEARCH (X)WRITE_ACL
(X)WRITE_ATTR (X)WRITE_NAMED
...

$ mmgetacl posixacl
#owner:XXXXXXXXXXX
#group:XXX
user::rw-c
...

$ mmgetacl -k nfs4 posixacl
#NFSv4 ACL
#owner:XXXXXXXXXXXX
#group:XXX
special:owner@:rw-c:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL
(X)READ_ATTR  (X)READ_NAMED
...

The man page for -k indicates that the user can't *ASSIGN *these ACL's it
doesn't state that it won't serve or store them, so going to a more
restricted mode doesn't seem to indicate that it would remove the existing
ACL's.  It also doesn't indicate that any conversion is happening in any
circumstance (from a mmchfs).

Finally the mmgetacl command has a man page that explains EXACTLY what is
going on:
     1. By default, mmgetacl returns the ACL in a format
        consistent with the file system setting, specified using the
        -k flag on the mmcrfs or mmchfs commands.

        If the setting is posix, the ACL is shown as a
        traditional ACL.

        If the setting is nfs4, the ACL is shown as an NFS V4
        ACL.

        If the setting is all, the ACL is returned in its true
        form.

     2. The command mmgetacl -k nfs4 always produces an NFS V4
        ACL.

     3. The command mmgetacl -k posix always produces a
        traditional ACL.

     4. The command mmgetacl -k native always shows the ACL in
        its true form regardless of the file system setting.

So the short answer is after changing -k to nfsv4 it seems mmgetacl would
intuit that you want to see ACL's in nfsv4 format since POSIX isn't
allowed.  But you can run mmgetacl -k native to see what ACL was (and
continues to be) stored for the file object.  I can't change any of my FS's
to not be -k all, so I couldn't test out my mmgetacl assertions.

Maybe I got some details wrong here but this one seems pretty straight
forward based on the documentation.

Also I'm not sure I'd say that a mention of a flag embedded in a ksh script
is "documented" but I expect it is more related to how SMB integrates to
Spectrum Scale and perhaps there is some secret sauce leveraged here.  We
don't do SMB on Scale, but if I we were, this would be an interesting read:
https://manpages.debian.org/testing/samba-vfs-modules/vfs_gpfs.8.en.html.

Alec


On Tue, Aug 30, 2022 at 3:03 AM Helge Hauglin <helge.hauglin at usit.uio.no>
wrote:

> Hi Stephen.
>
> > Also I didn't mention that we also need NFSv4 access and
> > native GPFS, this will not be SMB-only. It will actually be mostly
> > GPFS native.
>
> Beware that when writing via SMB, samba default permissions will be applied
> to new files and folders, which might not give the permissions your
> users need.
>
> On our CES clusters, the samba default permission is 0755 / 0744 [1].
> We want either 0770 or 0775 by default.  This we get by setting these
> permissions in NFSv4 ACLs in relevant folders, plus turn on inheritance
> for the ACEs to new files and folders.  The side effect of having NFSv4
> ACLs with inheritance is that 'umask' in processes writing via GPFS or
> NFS is ignored.  I have not tried. but I guees it works similarly with
> POSIX ACLs.
>
> [1]
>
> | # testparm  -s -v | grep mask
> | Load smb config files from /var/mmfs/ces/smb.conf
> | [...]
> |         create mask = 0744
> |         directory mask = 0755
>
> > I don't think existing ACLs will be adversely
> > affected. In a test filesystem with "-k all" I set some POSIX ACLs and
> > converted the filesystem to "-k nfs4" and the result looked
> > reasonable.  Plus I ran mmgetacl -k nfs4 on numerous files/dirs with
> > POSIX ACLs in our production filesystem and the results looked
> > promising.
>
> I would recommend standardizing on one type of ACLs, which will give you
> less variants to deal with, simplifying administration.
>
> --
> Regards,
>
> Helge Hauglin
>
> ----------------------------------------------------------------
> Mr. Helge Hauglin, Senior Engineer
> System administrator
> Center for Information Technology, University of Oslo, Norway
>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at gpfsug.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20220902/4ca3d68b/attachment-0001.htm>

More information about the gpfsug-discuss mailing list