[gpfsug-discuss] Changing filesystem from -k all to -k nfs4 with mmchfs

Losen, Stephen C (scl) scl at virginia.edu
Thu Sep 29 22:45:01 BST 2022 

Thanks Fred,
Yes I have played with –allow-permission-change. It basically allows permissions to be changed by 1) chmod only or 2) set ACL only, or 3) either. So if you allow either, then chmod replaces any nfs4 ACL with the traditional Unix permission bits. I played with “setaclonly” and it disables the C library chmod() call so it returns an error code. So the chmod command fails with an error. Depending on its options rsync prints errors, in particular “rsync -a” which tries to preserve permissions. cp -r works fine.

Apparently SS supports three styles of permisisons: classic Unix mode bits, posix ACLs, or nfs4 ACLs. (Classic may just be a subset of posix ACLs) If you have a file with a nfs4 ACL and call chmod() on it, then that converts the nfs4 ACL to classic Unix mode bits. If you run mmgetacl -k native you see what looks like a posix ACL but it only has entries for user::, group::, and other::. And the nfs4 representation is analogous with special:owner@, special:group@, and special:everyone at . If you start with a posix ACL and call chmod() then you get the expected posix behavior. Chmod may modify the user::, mask::, and other:: entries but it leaves any other posix ACL entries intact. (Of course the mask:: may effectively remove permissions from some ACL entries.)

Steve Losen
Research Computing
University of Virginia
scl at virginia.edu<mailto:scl at virginia.edu>  434-924-0640

From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> on behalf of Frederick Stock <stockf at us.ibm.com>
Reply-To: gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Date: Thursday, September 29, 2022 at 3:59 PM
To: gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Subject: Re: [gpfsug-discuss] Changing filesystem from -k all to -k nfs4 with mmchfs

There is a setting at the fileset level (mmcrfileset/mmchfilest), --allow-permission-change, that allows you to control how ACLs and permission bits interact, including having both on a file.

Fred

Fred Stock, Spectrum Scale Development Advocacy
stockf at us.ibm.com<mailto:stockf at us.ibm.com> | 720-430-8821



From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> on behalf of Losen, Stephen C (scl) <scl at virginia.edu>
Date: Thursday, September 29, 2022 at 3:16 PM
To: gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Subject: [EXTERNAL] [gpfsug-discuss] Changing filesystem from -k all to -k nfs4 with mmchfs
Hi folks, Recently I asked what happens when you use “mmchfs -k nfs4” when you already have numerous files (we have millions) with posix ACLs. I have discovered the answer – NOTHING. No existing ACLs change. However, you cannot feed posix ACLs
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.
ZjQcmQRYFpfptBannerEnd
Hi folks,
Recently I asked what happens when you use “mmchfs -k nfs4” when you already have numerous files (we have millions) with posix ACLs. I have discovered the answer – NOTHING.  No existing ACLs change. However, you cannot feed posix ACLs to mmputacl, it only accepts nfs4 ACLs. You cannot run setfacl, it fails. If you run mmgetacl it shows the ACL in nfs4 format. But if you use mmgetacl -k native it shows you the “real” ACL, which may be a posix ACL. If you have a default posix ACL set on a directory, new files inherit from the posix ACL and they themselves end up with a posix ACL. The behavior of chmod is different. If a file has a nfs4 ACL then chmod destroys it and replaces it with a nfs4 ACL that essentially mimics the permissions set by the chmod command. In particular, the new ACL only has ACEs for special:owner@, special:group@, and special:everyone at . Any other ACEs are lost. However, if the file has a posix ACL, then chmod  works as expected for a posix ACL. It does not completely replace the ACL, but it may change the mask:: entry or the user:: entry or the other:: entry. If you set a nfs4 ACL on a file with a posix ACL, then it converts to a nfs4 ACL (mmgetacl -k native outputs the nfs4 ACL).

Needless to say this is all rather confusing, but we had to run mmchfs -k nfs4 in order to enable SMB access, which we need.

Steve Losen
Research Computing
University of Virginia
scl at virginia.edu<mailto:scl at virginia.edu>  434-924-0640
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20220929/9d525672/attachment-0002.htm>

More information about the gpfsug-discuss mailing list