<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi,<div><br></div><div>Thanks Niels, your hints about those two options did the trick although I had to enable both of them and I had to add nscd (sssd provides user identities) to this mix as well. </div><div><br></div><div>Now back to the problem with ACL’s. Is your test setup something like this: GlusterFS 3.7.2 replicated volume on Centos/RHEL 7 and client or clients accessing GlusterFS volumes by NFS protocol, correct?</div><div><br></div><div><div># gluster volume info acltest</div><div>Volume Name: acltest</div><div>Type: Replicate</div><div>Volume ID: 9e0de3f5-45ba-4612-a4f1-16bc5d1eb985</div><div>Status: Started</div><div>Number of Bricks: 1 x 2 = 2</div><div>Transport-type: tcp</div><div>Bricks:</div><div>Brick1: vfs-node-01:/data/gfs/acltest/brick0/brick</div><div>Brick2: vfs-node-02:/data/gfs/acltest/brick0/brick</div><div>Options Reconfigured:</div><div>server.manage-gids: on</div><div>nfs.server-aux-gids: on</div><div>performance.readdir-ahead: on</div><div>server.event-threads: 32</div><div>performance.cache-size: 2GB</div><div>storage.linux-aio: on</div><div>nfs.disable: off</div><div>performance.write-behind-window-size: 1GB</div><div>performance.nfs.io-cache: on</div><div>performance.nfs.write-behind-window-size: 250MB</div><div>performance.nfs.stat-prefetch: on</div><div>performance.nfs.read-ahead: on</div><div>performance.nfs.io-threads: on</div><div>cluster.readdir-optimize: on</div><div>network.remote-dio: on</div><div>auth.allow: 10.1.1.32,10.1.1.42</div><div>diagnostics.latency-measurement: on</div><div>diagnostics.count-fop-hits: on</div><div>nfs.rpc-auth-allow: 10.1.1.32,10.1.1.42</div><div>nfs.trusted-sync: on</div></div><div><br></div><div>Maybe there is a way to increase verbosity of nfs server which could help me to trace this problem. I did not find any good hints for increasing verbosity of nfs server in documentation.</div><div><br></div><div>Regards,</div><div>J.</div><div><br><div><div>On 30 Jul 2015, at 10:09, Jiffin Tony Thottan <<a href="mailto:jthottan@redhat.com">jthottan@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br><br>On 29/07/15 20:14, Niels de Vos wrote:<br><blockquote type="cite">On Wed, Jul 29, 2015 at 05:22:31PM +0300, Jüri Palis wrote:<br><blockquote type="cite">Hi,<br><br>Another issue with NFS and sec=sys mode. As we all know there is a<br>limit of 15 security ids involved when running NFS in sec=sys mode.<br>This limit makes effective and granular usage of ACL assigned through<br>groups almost unusable. One way to overcome this limit is to use<br>kerberised NFS but GlusterFS does not natively support this access<br>mode . Another option, at least according to one email thread, states<br>that GlusterFS has an option server.manage-gids which should mitigate<br>this limit and raise it to 90 something. Is this the option, which<br>can be used for increasing sec=sys limit. Sadly documentation does not<br>have clear description about this option, what exactly this option<br>does and how it should be used.<br></blockquote>server.manage-gids is an option to resolve the groups of a uid in the<br>brick process. You probably need to also use the nfs.server-aux-gids<br>option so that the NFS-server resolves the gids of the uid accessing the<br>NFS-server.<br><br>The nfs.server-aux-gids option is used to overcome the<br>AUTH_SYS/AUTH_UNIX limit of (I thought 32?) groups.<br><br>The server.manage-gids option is used to overcome the GlusterFS protocol<br>limit of ~93 groups.<br><br>If your users do not belong to 90+ groups, you would not need to set the<br>server.manage-gids option, and nfs.server-aux-gids might be sufficient.<br><br>HTH,<br>Niels<br><br><blockquote type="cite">J.<br><br><br>On 29 Jul 2015, at 16:16, Jiffin Tony Thottan <<a href="mailto:jthottan@redhat.com">jthottan@redhat.com</a>> wrote:<br><br><blockquote type="cite"><br>On 29/07/15 18:04, Jüri Palis wrote:<br><blockquote type="cite">Hi,<br><br>setfacl for dir on local filesystem:<br><br>1. set acl setfacl -m g:x_meie_sec-test02:rx test<br>2. get acl<br><br># getfacl test<br>user::rwx<br>group::r-x<br>group:x_meie_sec-test02:r-x<br>mask::r-x<br>other::r-x<br><br>setfacl for dir on GlusterFS volume which is NFS mounted to client system<br><br>1. same command is used for setting ACE, no error is returned by that command<br>2. get acl<br><br>#getfacl test<br>user::rwx<br>group::r-x<br>other::---<br><br><br>If I use ordinary file as a target on GlusterFS like this<br><br>setfacl -m g:x_meie_sec-test02:rw dummy<br><br>then ACE entry is set for file dummy stored on GlusterFS<br><br># getfacl dummy<br>user::rw-<br>group::r--<br>group:x_meie_sec-test02:rw-<br>mask::rw-<br>other::—<br><br>So, as you can see setting ACLs for files works but does not work for directories.<br><br>This all is happening on CentOS7, running GlusterFS 3.7.2<br></blockquote>Hi Jyri,<br><br>It seems there are couple of issues ,<br><br>1.) when u set a named group acl for file/directory, it clears the permission of others too.<br>2.) named group acl is not working properly for directories ,<br><br>I will try the same on my setup and share my findings.<br>--<br>Jiffin<br></blockquote></blockquote></blockquote><br>In my setup (glusterfs 3.7.2 and RHEL 7.1 client) it worked properly<br><br>I followed the same steps mentioned by you.<br>#cd /mnt<br># mkdir dir<br># touch file<br># getfacl file<br># file: file<br># owner: root<br># group: root<br>user::rw-<br>group::r--<br>other::r--<br><br># getfacl dir<br># file: dir<br># owner: root<br># group: root<br>user::rwx<br>group::r-x<br>other::r-x<br><br># setfacl -m g:gluster:rw file<br># getfacl file<br># file: file<br># owner: root<br># group: root<br>user::rw-<br>group::r--<br>group:gluster:rw-<br>mask::rw-<br>other::r--<br><br>setfacl -m g:gluster:r-x dir<br>getfacl dir<br># file: dir<br># owner: root<br># group: root<br>user::rwx<br>group::r-x<br>group:gluster:r-x<br>mask::r-x<br>other::r-x<br><br><br>So can u share the following information from the server.<br>1.) gluster vol info<br>2.) nfs.log (nfs-server log)<br>3.) brick logs<br><br>and also can u try the same on fuse mount(gluster native mount).<br><br>--<br>Jiffin<br><br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">J.<br>On 29 Jul 2015, at 15:16, Jiffin Thottan <<a href="mailto:jthottan@redhat.com">jthottan@redhat.com</a>> wrote:<br><br><blockquote type="cite">----- Original Message -----<br>From: "Jüri Palis" <<a href="mailto:jyri.palis@gmail.com">jyri.palis@gmail.com</a>><br>To: <a href="mailto:gluster-users@gluster.org">gluster-users@gluster.org</a><br>Sent: Wednesday, July 29, 2015 4:19:20 PM<br>Subject: [Gluster-users] GlusterFS 3.7.2 and ACL<br><br>Hi<br><br>Setup:<br>GFS 3.7.2, NFS is used for host access<br><br>Problem:<br>POSIX ACL work correctly when ACLs are applied to files but do not work when ACLs are applied to directories on GFS volumes.<br><br>How can I debug this issue more deeply?<br><br>Can you please explain the issue with more details, i.e what exactly not working properly , is it setting acl or any functionality issue, in which client?<br>__<br>Jiffin<br><br>Regards,<br>Jyri<br>_______________________________________________<br>Gluster-users mailing list<br><a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br>http://www.gluster.org/mailman/listinfo/gluster-users<br></blockquote>_______________________________________________<br>Gluster-users mailing list<br><a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br>http://www.gluster.org/mailman/listinfo/gluster-users<br></blockquote>_______________________________________________<br>Gluster-users mailing list<br><a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br>http://www.gluster.org/mailman/listinfo/gluster-users<br></blockquote>_______________________________________________<br>Gluster-users mailing list<br><a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br>http://www.gluster.org/mailman/listinfo/gluster-users<br></blockquote>_______________________________________________<br>Gluster-users mailing list<br><a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br><a href="http://www.gluster.org/mailman/listinfo/gluster-users">http://www.gluster.org/mailman/listinfo/gluster-users</a><br></blockquote><br>_______________________________________________<br>Gluster-users mailing list<br><a href="mailto:Gluster-users@gluster.org">Gluster-users@gluster.org</a><br><a href="http://www.gluster.org/mailman/listinfo/gluster-users">http://www.gluster.org/mailman/listinfo/gluster-users</a></div></blockquote></div><br></div></body></html>