I'm running ZFS on an Ubuntu machine that hosts our home directories. The pool has the following ACL setting:

# zfs get all homes | grep acl
homes  aclinherit            restricted             default
homes  acltype               off                    default

Here I have two regular files with the same permissions:

# getfacl 1.txt 2.txt 
# file: 1.txt
# owner: usr
# group: grp
user::rw-
group::r--
other::r--

# file: 2.txt
# owner: usr
# group: grp
user::rw-
group::r--
other::r--

Every night I send an incremental snapshot to a machine running ZFS on Solaris 8:

zfs send -i homes@$PREV_BACKUP homes@$CURRENT_BACKUP | \
   ssh solarishost zfs receive -vFd homes_backup

The file system on the Solaris host has the following ACL settings:

# zfs get all homes_backup | grep acl
homes_backup  aclmode               passthrough            local
homes_backup  aclinherit            restricted             default

When I inspect the files in the snapshot on the Solaris host, I see that the more recent one (1.txt) does not have any ACLs set:

# /usr/bin/ls -v 1.txt 2.txt 
-rw-r--r--   1 2428     2000        2170 Oct 12 13:42 1.txt
-rw-r--r--   1 2428     2000        2146 May 31  2013 2.txt
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2:group@:write_data/append_data/execute:deny
     3:group@:read_data:allow
     4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow

Now when I mount the solarishost-snapshot on an Ubuntu client, I can see the files and they appear to have identical permissions, but I cannot read 1.txt:

# cat 2.txt >/dev/null; echo $?
0
# cat 1.txt >/dev/null; echo $?
cat: 1.txt: Permission denied
1

Again, they look the same to the Ubuntu client:

# getfacl 1.txt 2.txt
# file: 1.txt
# owner: usr
# group: grp
user::rw-
group::r--
mask::rwx
other::r--

# file: 2.txt
# owner: usr
# group: grp
user::rw-
group::r--
mask::rwx
other::r--

# ls -l 1.txt 2.txt 
-rw-r--r--+ 1 usr grp 2.2K Oct 12 13:42 1.txt
-rw-r--r--+ 1 usr grp 2.1K May 31  2013 2.txt

My question is now: how do I set up the snapshot creation from Ubuntu to Solaris such that the ACLs on the Solaris host allow users to mount the snapshots and read their own files? Looks like all recently backed up files are affected.

Pavel
  • Did you run `chmod` on `1.txt` on the Solaris server? Something like `chmod 640 1.txt`? Running `chmod` on Solaris to set absolute permission will set **absolute** permissions - meaning all permissions outside of the absolute bits you specified are removed. – Andrew Henle Jan 23 '16 at 18:39
  • No, it's not possible since the snapshot is read-only: `chmod: changing permissions of '1.txt': Read-only file system` – Pavel Jan 23 '16 at 18:44
  • Has either server been upgraded recently? Have the NFS share or mount options changed? – Andrew Henle Jan 23 '16 at 23:59
  • Yes, we moved the homes from an old Solaris server to Ubuntu 14.04 and set up `zfsonlinux` about 4 months ago. Recently we started observing troubles with read permissions when accessing backups from external snapshots. I don't mind setting up a new ZFS for the backup, but I'd like to know what to do to avoid the ACL problems. I'm perfectly happy with the posix groups we maintain in the team so it would be great to keep those permissions. – Pavel Jan 24 '16 at 01:33

1 Answer

Solaris 11 ZFS uses NFSv4 ACLs rather than POSIX ACLs. Linux doesn't have NFSv4 ACLs on ZFS at all, and it seems like it never will. While NFSv4 ACLs are a superset of POSIX ACLs, it seems like only Solaris can transfer/translate POSIX ACLs to NFSv4 ones during file moving/copying.

So, concluding, I don't see a way to preserve ACLs in ZFS snapshots. Either use a Linux -> Linux scheme, or use a Solaris -> Solaris, Solaris -> FreeBSD or FreeBSD -> FreeBSD scheme (both do have NFSv4 ACLs).

drookie
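To list which files in a mounted backup snapshot show the symptom from the question (the mode bits grant read, but the read is refused), a check like the following can be run on the client as the affected user. This is an added example, not code from the question or the answer; the function names `mode_grants_read`, `try_read` and `find_mismatches` are made up here, and it evaluates only the plain owner/group/other bits, not named POSIX ACL entries.

```python
import errno
import os
import stat
import sys


def mode_grants_read(st, uid, gids):
    """POSIX class selection: owner first, then group, then other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def try_read(path):
    """Return None if the file opens read-only, else the errno name."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return None


def find_mismatches(root, uid=None, gids=None, opener=try_read):
    """List (path, mode string, error) where the mode bits promise read
    access to uid/gids but the open is refused anyway."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    found = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            if mode_grants_read(st, uid, gids):
                err = opener(path)
                if err is not None:
                    found.append((path, stat.filemode(st.st_mode), err))
    return found


if __name__ == "__main__":
    # Run as the affected user; root on a local file system bypasses checks.
    for path, mode, err in find_mismatches(sys.argv[1]):
        print(f"{mode} {path}: {err}")
```

Each reported line is a file whose access decision on the server disagrees with the permissions the client displays, which is the case of 1.txt above.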