[zfs-discuss] zfs sharenfs and ACLs

Mark Gardner mkg at vt.edu
Wed Jan 20 11:03:07 EST 2016


I am new to zfsonlinux but so far I am very impressed. The performance
seems to be very good and I like the additional safety ZFS gives over ext4
which we were using previously. Now the problem...

We switched to using a ZFS pool (2 8-disk vdevs in RAIDZ3) for the storage
server with several datasets. One of the datasets is our git repository in
which we use ACLs to control access. Previously we exported the git repo on
an ext4 file system to a server using NFS. We are now attempting to do the
same but with ZFS instead of ext4.

I followed the same pattern as before by bind mounting the git dataset into
the NFSv4 hierarchy. Here are the relevant lines from /etc/fstab:

    /pool/git /srv/nfs/git nfs4 rw,bind,acl 0 0

Then I exported them via NFSv4 utilizing the same /etc/exports as before:

    /srv/nfs         10.0.0.0/8(fsid=0,rw,sync,no_subtree_check,root_squash)
    /srv/nfs/home    10.0.0.1/8(fsid=5,rw,sync,no_subtree_check,no_root_squash)
    /srv/nfs/git   10.0.0.1/8(fsid=2,rw,sync,no_subtree_check,root_squash)

Note: the git repo is not the only directory being exported:

$ showmount -e
/srv/nfs/git  10.0.0.1/8
/srv/nfs/home  10.0.0.1/8

Using this /etc/fstab entry on the client (where the storage server is
10.0.0.3):

    10.0.0.3:/home /home nfs4 rw,acl 0 0
    10.0.0.3:/git /git nfs4 rw,acl 0 0

The mount works except that ACLs are not being propagated completely:

$ cd /
$ getfacl git/test
# file: git/test
# owner: user1
# group: root
# flags: -s-
user::rwx
group::rwx
other::r-x

Instead of the following on the storage server:

$ cd /
$ getfacl git/test
# file: git/test
# owner: user1
# group: root
# flags: -s-
user::rwx
user:user1:rwx
user:user2:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:user1:rwx
default:user:user2:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

I expected this to work and wonder why it doesn't...?

Searching and reading more, I discovered that zfs sharenfs=... will do the
export for me. (Except that I don't really know how to use it properly.) I
commented out the entry in /etc/exports and shared the dataset with:

$ zfs set sharenfs='rw=@10.0.0.1/8' pool/git
$ zfs share pool/git
$ showmount -e
/srv/nfs/home  10.0.0.1/8
/pool/git  10.0.0.1/8

Mounting on the client as before leads to an empty /git directory.  (I
suspect that is because NFSv4 expects exported directories to be in a
hierarchy so it is unable to find the /pool/git export.) So I added back a
modified /etc/exports line with the /pool/git mount point:

    /pool/git   10.0.0.1/8(fsid=2,rw,sync,no_subtree_check,root_squash)

But the directory is still empty when mounted on the client. At this point,
I have run out of thoughts. What is the proper way to NFSv4 export a ZFS
dataset so that ACLs are correct? Any help is greatly appreciated.

Mark
-- 
Mark Gardner
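
An added check, not part of the original post: it parses the two getfacl listings quoted above and shows that the client listing is exactly what the classic mode bits of the server-side ACL would give, because under POSIX ACLs the group permission bits carry the mask when a mask entry exists (acl(5)). The function names are hypothetical and the sample text is re-typed from the post.

```python
# Sample data constructed from the getfacl listings in the post.
SERVER = """\
# file: git/test
# owner: user1
user::rwx
user:user1:rwx
user:user2:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:user1:rwx
default:user:user2:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""
CLIENT = """\
# file: git/test
# owner: user1
user::rwx
group::rwx
other::r-x
"""

def parse_acl(text):
    """Map 'tag:qualifier' -> perms for every entry line of getfacl output."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop header and trailing comments
        if line:
            key, perms = line.rsplit(":", 1)     # 'user:user1:rwx' -> 'user:user1', 'rwx'
            acl[key] = perms
    return acl

def mode_bits_view(acl):
    """Entries visible to something that reads only the file mode bits.
    With a mask entry present, the group bits show the mask, not group::."""
    return {"user:": acl["user:"],
            "group:": acl.get("mask:", acl["group:"]),
            "other:": acl["other:"]}

def compare(server_text, client_text):
    server, client = parse_acl(server_text), parse_acl(client_text)
    return {
        "lost": sorted(k for k in server if k not in client),
        "changed": {k: (server[k], client[k])
                    for k in client if k in server and server[k] != client[k]},
        "mode_bits_only": client == mode_bits_view(server),
    }

if __name__ == "__main__":
    for name, value in compare(SERVER, CLIENT).items():
        print(name, value)
```

Run against these listings, the named-user, mask and default entries are reported as lost, and the client's `group::rwx` is the server's mask rather than its `group::r-x` entry.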