WIP: Native NFSv4-style ZFS ACL support for Linux #13186
Conversation
A few builders seem to be missing the rpcgen tool. I'll see about sorting that out in the zfs-buildbot repo. |
Can I use this feature in production? The Linux kernel 5.8.18 ubuntu zfs |
This feature is available in TrueNAS SCALE. We are still working on getting it upstreamed here, so it is not in any release of OpenZFS yet. |
The native NFSv4-style ACL support for Linux PR (openzfs/zfs#13186) uses rpcgen to generate the XDR codec for encoding/decoding ACLs transferred between kernel and userspace via an xattr. CentOS and Fedora builders were missing rpcgen.
The native NFSv4-style ACL support for Linux PR (openzfs/zfs#13186) uses rpcgen to generate the XDR codec for encoding/decoding ACLs transferred between kernel and userspace via an xattr. CentOS 8 and Fedora builders were missing rpcgen.
Are these features tested and stable by you? Can I pull branches and merge your features and apply them? |
We have test coverage for the features in our CI and haven't encountered issues. Feel free to apply the commits here and try things out. |
I tried generating the From the build log:
There doesn't seem to be a rule in the Kbuild system to build an object from a source file in the obj dir. |
Is Samba ACL mapping supported ? |
We have patches in our Samba repo for this. @anodos325 can comment on that in more detail. |
Yeah, part of the reason for the exact xattr specification is that it allows dropping in on Samba without change. You just need to configure the vfs modules correctly.
As a stretch goal I'm currently writing a common ACL library for FreeBSD / Linux in our samba repo and on Linux side using it to provide libsunacl so that upstream vfs_zfsacl also works on Linux. Will upstream once done and sufficiently tested (libraries). But kind of need to get this into OpenZFS first. :) |
You will also want our NFSv4 ACL management tool: https://github.com/truenas/nfs4xdr-acl-tools |
root@ying:/tank# zfs get acltype tank/tech
root@ying:/tank# mount | grep tank
root@ying:/tank# nfs4_setfacl -a A::ying@localdomain:rxtncy /tank/tech/my10m.log
I pulled your ACL branch and compiled it, but I can't use nfs4_setfacl. Can I only use your NFS4xDR-ACL-tools? |
You're still using the wrong tool. nfs4xdr_getfacl nfsxdr_setfacl. I've also written python bindings. nfs4_setfacl expects RFC3530 ACLs, not RFC5661 ACLs. Use the correct tool. If you intend to use kernel NFS server with this ACL type you'll need my patch for that. Will link tomorrow. |
To clarify, xattr path and data structure is different. With non-patched kernel, Samba should work fine with parameters provided above. ACLs can be managed with provided tool. I wrote a common ACL library (for FreeBSD and Linux) that I currently am building in our samba repo. If desired I can move into this PR and have it get built with ZFS package. In this case on Linux it provides a libsunacl interface as well (provides The python bindings use python's C API and seem to work pretty well (cross platform in this case as well). |
Including the tools and libraries here sounds good to me. The Python bindings could help writing cross-platform tests for the test suite. |
Great project, thanks for your reply and contribution, but our CEO decided to continue using BTRFS, it's a shame, ZFS should be used in the future. |
This implements NFSv41 (RFC 5661) ACLs in a manner compatible with vfs_nfs4acl_xattr in Samba and nfs4xdr-acl-tools.

There are three key areas of change in this commit:

1) NFSv4 ACL management through system.nfs4_acl_xdr xattr. Install an xattr handler for "system.nfs4_acl_xdr" that presents an xattr containing full NFSv41 ACL structures generated through rpcgen using specification from the Samba project. This xattr is used by userspace programs to read and set permissions.

2) add an i_op->permissions endpoint: zpl_permissions(). This is used by the VFS in Linux to determine whether to allow / deny an operation. Wherever possible, we try to avoid having to call zfs_access(). If kernel has NFSv4 patch for VFS, then perform more complete check of available access mask.

3) add capability-based overrides to secpolicy_vnode_access2(): there are various situations in which ACL may need to be overridden based on capabilities. This logic is almost directly copied from Linux VFS. For instance, root needs to be able to always read / write ACLs (otherwise admin can get locked out from files).

This commit was initially inspired by work from Paul B. Henson to implement NFSv4.0 (RFC3530) ACLs in ZFS on Linux. Key areas of divergence are as follows:
- ACL specification, xattr format, xattr name
- Addition of handling for NFSv4 masks from Linux VFS
- Addition of ACL overrides based on capabilities

Signed-off-by: Andrew Walker <[email protected]>
The "permission" inode operation takes a new `struct user_namespace *` parameter starting in Linux 5.12. Add a configure check and adapt accordingly. Signed-off-by: Ryan Moeller <[email protected]>
Properly evaluate edge cases where user credential may grant capability to override DAC in various situations. Switch to using ns-aware checks rather than capable().

Expand optimization to allow bypass of zfs_zaccess() in case of trivial ACL if MAY_OPEN is included in requested mask. This will be evaluated in generic_permission() check, which is RCU walk safe. This means that in most cases evaluating permissions on boot volume with NFSv4 ACLs will follow the fast path on checking inode permissions.

Additionally, CAP_SYS_ADMIN is granted to nfsd process, and so override for this capability in access2 policy check is removed in favor of a simple check for fsid == 0. Checks for CAP_DAC_OVERRIDE and other override capabilities are kept as-is.

Signed-off-by: Andrew Walker <[email protected]>
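The commit messages above say the capability overrides are almost directly copied from the Linux VFS. As an added example (not code from this PR or from OpenZFS), here is a userspace model of the override rules in the kernel's generic_permission(), showing when an ACL denial is overridden by CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH. The names cred_model, inode_model and apply_cap_overrides are hypothetical, and the model ignores user namespaces.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins; the values match the kernel's MAY_* bits. */
#define MAY_EXEC  0x1
#define MAY_WRITE 0x2
#define MAY_READ  0x4

struct cred_model {          /* hypothetical: capabilities held by the caller */
    bool dac_override;       /* CAP_DAC_OVERRIDE */
    bool dac_read_search;    /* CAP_DAC_READ_SEARCH */
};

struct inode_model {         /* hypothetical: the inode facts the check needs */
    bool is_dir;
    bool any_exec_bit;       /* at least one x bit set in the mode */
};

/* acl_result is the ACL decision (0 or -EACCES); returns the final decision. */
int apply_cap_overrides(int acl_result, const struct cred_model *c,
                        const struct inode_model *i, int mask)
{
    if (acl_result != -EACCES)
        return acl_result;   /* already allowed, or not a DAC denial */

    if (i->is_dir) {
        /* Read/search on directories needs only CAP_DAC_READ_SEARCH. */
        if (!(mask & MAY_WRITE) && c->dac_read_search)
            return 0;
        return c->dac_override ? 0 : -EACCES;
    }

    mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
    if (mask == MAY_READ && c->dac_read_search)
        return 0;
    /* Exec is overridable only if some exec bit is set on the file. */
    if ((!(mask & MAY_EXEC) || i->any_exec_bit) && c->dac_override)
        return 0;
    return -EACCES;
}

int main(void)
{
    struct cred_model root = { true, true };
    struct inode_model plain_file = { false, false };
    /* Even with CAP_DAC_OVERRIDE, exec of a file with no x bit is denied. */
    printf("%d\n", apply_cap_overrides(-EACCES, &root, &plain_file, MAY_EXEC));
    return 0;
}
```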
@anodos325 @ixhamza May I ask if iX still plans to upstream this? Would be really great. Not sure, but I guess since the last push here, there were some updates on SCALE regarding this feature... https://github.com/truenas/zfs/pull/54 In any case, much thanks. |
@anodos325 |
Is there any way to get a status update on this feature? Slash can someone point me to what (if any) work remains? I would be happy to pitch in if time permits and the task is in my wheelhouse. |
This PR is superseded by #16967. |
Motivation and Context
ZFS on Linux has so far not supported the native ZFS ACL type because the Linux kernel lacks support for NFSv4-style ACLs. Instead, ZFS on Linux implemented a new POSIX ACL type. The ACL types are not interchangeable, so existing pools with ACLs on illumos or FreeBSD cannot be used on Linux without loss of those ACLs, and conversely a pool created on Linux with POSIX ACLs cannot use those ACLs on other platforms where only the native ZFS NFSv4-style ACLs are implemented.
See also: #9709
Description
We have implemented NFSv4 ACLs for Linux in ZFS. This is mostly functional with a stock Linux kernel, and we have patches for the kernel to fix the few mishandled edge cases that exist.
Details in the commit messages for now, I'm just getting this PR open early for some initial test coverage across the broad range of Linux distros in the OpenZFS CI.
How Has This Been Tested?
We have a suite of tests in TrueNAS that test this functionality. I intend to port what I can of these tests to ZTS for regular testing outside of our internal infrastructure.